Reliability Analysis of the CERN Radiation Monitoring Electronic System CROME

Bibliographic Details
Main author: Hurst, Saskia Kristina
Language: eng
Published: 2018
Subjects:
Online access: http://cds.cern.ch/record/2303168
Description
Summary: For the new in-house developed CERN Radiation Monitoring Electronic System (CROME) a reliability analysis is necessary to ensure compliance with the statutory requirements regarding the Safety Integrity Level. The Safety Integrity Level required by the IEC 60532 standard is SIL 2 (for the Safety Integrated Functions Measurement, Alarm Triggering and Interlock Triggering). The first step of the reliability analysis was a system and functional analysis, which served as the basis for the implementation of the CROME system in the software “Isograph”. In the “Prediction” module of Isograph the failure rates of all components were calculated. Failure rates for passive components were calculated by the Military Standard 217 and failure rates for active components were obtained from lifetime tests by the manufacturers. The FMEA was carried out together with the board designers and implemented in the “FMECA” module of Isograph. The FMEA served as the basis for the Fault Tree Analysis and the detection of weak points of the system. A Fault Tree has been created for each Safety Integrated Function for the calculation of the Safety Integrity Level. The part which is responsible for the data processing and is included in all safety functions has been considered separately in a Fault Tree. It contains the software for calculating the equivalent dose rate, generation of alarm signals and safety interlocks. The result of the Data Processing Function is equivalent to SIL 1. The Microzed Board (processing board), which is part of the Data Processing Function and contains the FPGA with the software, has a failure probability which also corresponds to SIL 1. This board is bought from an external manufacturer and cannot be changed. Therefore, SIL 2 is not possible for all Safety Integrated Functions in the current configuration.
The results of the Fault Tree Analysis for the Safety Integrated Functions without the Data Processing Function also showed that improvements on the in-house designed boards must be made in order to reach SIL 2. On the basis of the obtained results, component changes and structural changes on the circuits have already been made for the Alarm Triggering Function and are still under development for the Measurement Function. A complete redundancy for the Microzed Board will be developed by an external company in order to make SIL 2 possible for all Safety Integrated Functions.