Dependability analysis of a safety critical system: the LHC beam dumping system at CERN

This thesis presents the dependability study of the Beam Dumping System of the Large Hadron Collider (LHC), the high energy particle accelerator to be commissioned at CERN in summer 2007. There are two identical, independent LHC Beam Dumping Systems (LBDS), one per LHC beam, each consisting of a series of magnets that extract the particle beam from the LHC ring into the extraction line leading to the absorbing block. The consequences of a failure within the LBDS can be very severe. This risk is reduced by applying redundancy to the design of the most critical components and on-line surveillance that, in case of a detected failure, issues a safe operation abort, called false beam dump. The system has been studied applying Failure Modes Effects and Criticality Analysis (FMECA) and reliability prediction. The system failure processes have been represented with a state transition diagram, governed by a Markov regenerative stochastic process, and analysed for different operational scenarios for one year of operation. The analysis of the system results in a safety level ranked SIL4 in the IEC 61508 standard and 4 (± 2) expected false beam dumps generated per LBDS. These results will be validated through a three months reliability run. Several sensitivity analyses have been made providing additional evidence on the importance of the fault tolerant design features and the achieved trade-off between safety and availability. The Beam Dumping System is part of the LHC machine Protection System for which a safety level SIL3 is required. A simplified model of the LHC Machine Protection System (MPS), including the LBDS and other critical protection systems, has been analysed. Depending on the hazards (e.g. the fast beam losses being the most critical event in the LHC) and their coverage, the safety of the MPS has been calculated between SIL2 and SIL4 with about 40 (± 6) expected false dumps per year, which is the 10% of the machine fills. In the context of the MPS the LBDS is one of the safest systems and contributes to unavailability with an acceptable fraction of false dumps.