First Risk Analysis for the LHCb Vertex Detector System

1
First Risk Analysis for the LHCb Vertex Detector
System

• Purpose
• Framework
• model taken from CERN CSAMS
• functional analysis of VDS
• estimation of downtime for various tasks
• Identified undesired events for VDS design
  (july00)
• Summary and outlook

2
Purpose of Risk Analysis

• To provide an objective basis for a constructive
  and methodical evaluation of the VDS design.
• comprehensive overview of all (major) risks
  involved
• what risk scenarios, what consequences, what
  probabilities to occur ?
• requirements/recommendations for a given design
  choice
• what tests should be performed and what results
  obtained to make the chosen option acceptable ?
• basis for a later, more detailed risk analysis
• f.i. risk of injuries to personnel are not
  assessed in details, but believed to be ??
  downtime and CHF loss risks

3
Framework of Risk Analysis
Use model defined in CERN Safety Alarms
Monitoring System Functional and Safety
Requirements, IT-2694/ST, September 2000. (1)
Identify undesired event (UE) (2) Determine the
consequence category of UE (3) Use predefined
table to fix maximum allowable frequency
(MAF) (4) Determine required frequency by
reducing MAF by factor 100
4
Framework frequency categories
Indicative frequency Category Description
level (per year) Frequent Events
which are very likely to occur gt 1 in the
facility during its life time Probable Events
which are likely to occur 10-1 - 1 in the
facility during its life time Occasional Events
which are possible and expected 10-2 -
10-1 to occur in the facility during its life
time Remote Events which are possible but not
expected 10-3 - 10-2 to occur in the
facility during its life time Improbable Events
which are unlikely to occur in the 10-4 -
10-3 facility during its life time Negligible
Events which are extremely unlikely to lt
10-4 occur in the facility during its life time
5
Framework consequence categories
Dominant criterium
Category Injury to personnel Loss in
CHF Downtime (indicative) (indicative)
(indicative) Catastrophic Events capable of
resulting gt 108 gt 3 months in multiple
fatalities Major Events capable of
resulting 106 - 108 1 week to 3 months in a
fatality Severe Events which may lead 104 -
106 4 hours to 1 week to serious, but not
fatal injury Minor Events which may lead 0
- 104 lt 4 hours to minor injuries
6
Framework risk classification table
max allowable frequency
Frequency Consequence category category
Catastrophic Major Severe
Minor Frequent I I
I II Probable
I I II
III Occasional I
II III
III Remote II III
III IV Improbable
III III IV
IV Negligible IV IV
IV IV
required frequency
Legend I intolerable risk II undesirable
but tolerable if risk reduction is out of
proportion III tolerable if risk reduction
exceeds improvement gained IV negligible risk
7
Functional Analysis
Within context of risk analysis, consider 3 main
modes of operation Normal ring valves open
full aperture of VD lt 54 mm normal running mode
for LHCb physics Standby ring valves open full
aperture of VD gt 54 mm e.g. beam filling/tuning,
scheduled dump (in some cases LHCb might take
data) Isolated ring valves closed full aperture
of VD is any e.g. hall access, remote-controlled
or in-situ maintenance
8
Assumptions

• If the NEGs are exposed to ambient air (even if
  at low pressure)
• ? heating is needed after the subsequent
  pump-down !
• This assumes that
• we need a minimum pumping capacity from
  the NEGs
• and/or
• the desorption yields of such exposed
  NEGs are not low enough
• If primary vacuum system vented with ultrapure
  Ar/Ne
• ? heating is not needed (NEGs are
  unaffected, C. Benvenuti P. Chiggiato)

check!
A. Rossi
M.P. Lozano
check!
9
Downtime estimations

• Needed to assess gravity of a given undesired
  event!
• Tasks
• granting general access to experimental zone 1
  hour ?
• granting access to VD area ? 1 shift ?
• bring VDS to atmospheric pressure (and room
  temperature) ? 1 shift ?
• preparation tasks around LHCb beam pipe for
  heating NEGs 6 shifts ?
• replacement of an LHCb beam pipe section 6
  shifts ?
• pump down to pressure appropriate for NEG
  heating 3 shifts ?
• heating of NEGs 3 shifts ?
• pump down to pressure appropriate for beam
  filling 3 shifts ?
• reverse of above preparation tasks for heating
  NEGs 6 shifts ?
• Evacuation and closing of experimental zone 1
  hour ?
• (some tasks can proceed in parallel !)

10
Undesired Events
UE-1 Damaged feedthrough pin in secondary
vacuum UE-2 Loss of electrical power UE-3
CO2 cooling system goes down UE-4 Leak in CO2
cooling pipe UE-5 Uncontrolled beam
displacement UE-6 Ion-getter pump goes
down UE-7 Turbomolecular pump station goes
down UE-8 Bellow between secondary primary
vacua breaks UE-9 Jamming of detector halves
motion mechanics UE-10 Bellow between air
primary vacuum breaks . . .
11
Sample Undesired Event

• UE-1a Damaged feedthrough pin in secondary
  vacuum
• Assumptions
• due to human action ? mode Isolated (ring valves
  closed)
• leak rate into 2ary vacuum small enough that
  safety valves stay closed
• leak rate to 1ary vacuum lt outgassing rate of
  1ary vacuum
• VDS can be brought to atmospheric pressure
  according to normal
• procedure with Ar/Ne (? 1 shift)
• Estimated damage
• 1ary vacuum not exposed to air ? no NEG heating
  needed
• replace feedthrough flange (1 shift)
• pump down (6 shifts)
• ? LHC loss ? 0 CHF, LHC downtime lt 3 days
• ? category Severe
• Requirements/remarks see
• required frequency Remote (see experience with
  LEP/SPS/... ?)
• precautions countersink flange connectors,
  tighten cable connectors,
• tighten cables, use of a
  protective cage around feedthroughs, ...

Prove!
Prove!
12
Sample Undesired Event (continued)

• UE-1b as UE-1a but differential pressure
  triggers safety valves to open
• Assumptions
• as in UE-1a except that leak rate into 2ary
  vacuum is such that safety
• valves open
• leak rate to 1ary vacuum ? substantial fraction
  of leak rate to 2ary vacuum
• VDS can be brought to atmospheric pressure
  according to normal
• procedure with dry gas (N2)
• Estimated damage (compare to UE-1a)
• 1ary vacuum exposed to air ? NEG heating needed
  (3 additional days)
• service/inspect pumps, thin foil, (1
  additional day)
• ? LHC loss ? 0 CHF, LHC downtime ? 1 week
  (but longer for LHCb !)
• ? category Severe
• Requirements/remarks
• required frequency Remote
• demonstrate that breaking of feedthrough pin
  will in most cases not be followed by
• a differential pressure increase which triggers
  safety valves to open
• e.g. this probability should be lt 0.1, if
  actual frequency of UE-1a is Occasional

?
13
Sample Undesired Event (continued)

• UE-1c as UE-1b but all safety devices fail to
  protect the thin-walled box
• Assumptions
• as in UE-1b except that electrically activated
  valve, gravity-controlled safety
• valve (and rupture disc, ?pcrit ? 10 mbar)
  fail to protect the thin-walled box
• Estimated damage (compare to UE-1b)
• as in UE-1b, but the thin-walled box (and
  perhaps some Si modules ?) must
• be replaced
• debris (if any) must be collected ?
• LHCb beam pipe must be refurbished ?
• ? LHC loss ? ? CHF, LHC downtime ? ? weeks
• ? category Major
• Requirements/remarks
• required frequency Improbable
• demonstrate that probability for coincidental
  failure is lt 0.1, if actual
• frequency of UE-1b is Remote

14
Some Precautions / Recommendations(to be
discussed further)

• Closed and controlled area around VD system
  (dust-free, humidity controlled)
• All servicing and maintenance operations
  performed by qualified
• personnel exclusively
• Interlock between hall access doors and ring
  valves
• (force to close valves when hall access
  granted)
• Safety of the beam pipe foresee protection
  structures ?
• Interlocks/alarms between VD and LHC control
  systems
• Foresee spare parts for critical scenarios
  (which are allowed to hinder LHCb
• operation, if unavoidable!) so that LHC beam
  conditions can readily be restored
• dummy wake field guide to replace Si housings
• dummy beam pipe to replace VD tank RICH
  section (?)
• ...

15
Summary and Outlook

• Gather more info on
• downtime and CHF loss estimations
• Daniel Lacarrère, Juan Ramon Knaster, Martin
  Doets, et al.
• (dynamic) vacuum properties of (saturated) NEGs
• Paolo Chiggiato, Maria Pilar Lozano, et al.
• beam handling failure scenarios
• Oliver Brüning, Rudiger Schmidt, et al.
• Risk analysis will be publicized in the form of
  an LHCb note
• with only one of two possible conclusions
  (needed for TDR)
• (1) it is not a viable solution (there are
  unsurmountable obstacles)
• (2) it is an acceptable solution if this and
  this is done, checked, etc.
• Perform required tests before installation into
  LHC

This is were the work is!