Dependable System Development Methodology and Case Study for the LHC Beam Loss Monitoring System at CERN
| Main author: | |
|---|---|
| Language: | eng |
| Published: | Berichte aus dem Institut für Maschinenelemente, 2021 |
| Subjects: | |
| Online access: | http://cds.cern.ch/record/2779400 |
Summary:

The Beam Loss Monitoring system acts as a protection system of the Large Hadron Collider at CERN. Its detectors, which are primarily ionisation detectors, measure potential off-orbit particles escaping from their trajectory. Its dependable performance is of utmost interest for the operation of the collider. This primarily involves constantly protecting the machine by initiating a safe beam extraction in case of dangerous particle losses. Secondly, the system has been designed in a fail-safe architecture that always favours the safe beam extraction, in order to avoid any situation involving the risk of missing a dangerous loss. Therefore, the system has the potential to optimise its performance, i.e. to minimise its impact on the collider performance, by reducing the number of false beam extractions whilst maintaining its protection function. This work analyses the system architecture and protection strategy of the Beam Loss Monitoring system by reviewing a dependability model previously created during its design phase. Furthermore, the thesis investigates newly available performance data, remodels the current hardware configuration comprehensively bottom-up, and, based on this model, performs a Failure Mode, Effects, and Criticality Analysis in order to evaluate the dependable hardware design and review the protection function of the system. Making use of the applied methodology, in particular of the retrospectively performed analysis and the available performance data of a system that has been operating for a decade, a methodology for dependable development and operation during the entire life cycle of systems is presented. Based on the experience gathered with a beam instrumentation system, the methodology is tailored to accelerator systems characterised by their high functional and dependability requirements, large modularity and critical operation during long lifetimes in harsh environments.

In five defined life cycle phases and several iterative sub-phases, dependability requirements are derived and specified, designed into the system, reviewed by corresponding analysis methods, and validated by tests. Furthermore, the methodology covers the system installation, commissioning and dependability support during operation, up to the decommissioning and potential upgrade and refurbishment to reuse the system or parts of it. The entire methodology is designed as a continuous cycle within these phases, to be applied to different development projects while profiting from previous projects and operational systems. In this way, it steadily grows and enhances the dependability capability of an organisation. Therefore, a comprehensive and holistic framework for dependability application during all these phases is provided, enabling the methodology to be adjusted to the specific design project. The steady improvement of the dependability capability is established by an ever growing base of dependability data from tests, operation and decommissioning of previous systems. Furthermore, this base comprises experience gathered whilst applying and enhancing the presented design analyses, improving production and handling procedures, as well as from the operational and maintenance support of the operational systems. The methodology was applied in a subsequently performed case study of a Beam Loss Monitoring system processing board upgrade. The study entirely covers the planning and design, production and testing phases of the life cycle, and makes use of operational, failure and repair data of the predecessor module, thereby also covering the two remaining life cycle phases. Furthermore, considerations for the upcoming system installation and operation are described.

Initially defined dependability specifications for the system influenced the design and the execution of associated dependability analysis methods, which led to defining specifications for the production and accompanying it with several tests and inspections. The output of the analyses during the planning and design phase also led to the integration and subsequent execution of corresponding functional and environmental validation tests for the later system application and its operational environment. Furthermore, the entire production was screened for early life failures and the reliability requirements were demonstrated by tests. Hence, the application of the developed methodology within the case study was successful in meeting the study's objective to provide feedback to the overall procedure. This made it possible to adjust the methodology and to validate it as it is presented in this work.