Corsanego_1 (ppt)

CERN - European Organization for Nuclear Research
Protection against internal Hazards in the Review of Nuclear Physics Experiments
Fabio Corsanego
CERN SC/GS
5th International High Energy Physics Technical Safety Forum
SLAC 11-15 May 2005
How can we make safety discussion more efficient?
Milestones for the realization of an experiment
1. Approval of the research board
2. Appointment of GLIMOS (group leader in matter of safety = Mr. Safety)
3. ISIEC (Initial Safety Information on Experiments at CERN)
4. Safety talks
5. Risk analyses
6. Early safety inspections
7. Safety Reception
8. Exercise
..world wide collaborations.. (Example: list of Collaborators to (N-TOF 11))
• Japan, Tsukuba (Ibaraki-Ken): High Energy Accelerator Research Organization (KEK)
• Spain, Barcelona: Universidad Politecnica de Cataluña
• Spain, Sevilla: Universidad de Sevilla, Dept. de Fisica Atómica Molecular y Nuclear
• Switzerland, Geneve: European Organization for Nuclear Research (CERN)
• United Kingdom, Didcot, Oxon: Rutherford Appleton Laboratory
• United States of America, Oak Ridge, Tn: Oak Ridge National Laboratory (ORNL)
• United States of America, Princeton, Nj: Princeton University, Joseph Henry Laboratories
• United States of America, Upton, Ny: Brookhaven National Laboratory (BNL)
We propose to perform a proof-of-principle test of a target station suitable for a Neutrino Factory or Muon Collider source using a 24-GeV proton beam incident on a target consisting of a free mercury jet that is inside a 15-T capture solenoid magnet. This test could be performed in the TT2A tunnel of the nTOF proton line (upstream of the spallation target). The tests would require only 100 fast-extracted pulses of full PS intensity, delivered in a pulse-on-demand mode of operation over about 2 weeks. The main piece of apparatus is the LN2-precooled, 15-T copper magnet of total volume slightly over 1 m³ with a 15-cm-diameter warm bore. The principal diagnostic is a high-speed optical camera. The mercury jet is part of a closed mercury loop that includes an insert into the bore of the magnet
…Collaborators to CMS Detector
Safety talks
“…a discussion between the GLIMOS and the safety authorities about hazards, based on the information given on the ISIEC Form”
The main risks of the discussion on risk:
• too much focus on too few topics
• lack of perception of the accident interaction between different systems
• lack of perception of the concurrent play of countermeasures
What are the basic subsystems of an experiment?
• Cryogenic system
• Isotopes
• Supervisory Control And Data Acquisition
• Cooling system
• Electric System
• Beam
• Gas supply system
• Magnets
• ….
So what can we do to make sure that all safety aspects are covered from the first talks?
• Checklists
– interesting, but one-dimensional and sequential: difficult to formalize concurrences and correlations between topics
• Can we imagine something intermediate?
• HAZOP, FMECA
– nice tools, but they require the design to be already known in detail, and take months to give results
Major Accident Scenarios
• Fire
• Explosion
• Chemical accident
• Cryogenic accident
• Nuclear accident
• Collapse
• ….
Failure Causes
• Wrong operation
• Control system failure
• Electric failure
• Mechanical failure
• Earthquake
• Where could each scenario come from?
Causes
• Cranes
• Missile or rotor fragment impact
• Construction, design, usage
• SCADA malfunctioning and overpressures
• Ice formation
• Nuclear induced ageing, fragility, gas overpressures etc.
List of possible causes for mechanical failure of a vessel
• “Independent” mechanical failure (..all that is related to bad design, bad construction and exercise, independent from the rest of the environment)
• Fall of static loads located above or aside
• Collision with crane bridges, vehicles or other mobile loads
• Earthquake
• Missile, high speed flying fragment
• Formation of ice in piping or cryogenic embrittlement
• Overpressures induced by nuclear transmutation
• Overpressures induced by SCADA faults
• ….
Consequences
• Injuries, victims
• Air pollution
• Water pollution
• Blast, explosion
• Nuclear accident
• Electric accident
• BLEVE - fireball
• Flooding
For any scenario, possible outcomes that could be even more severe have to be investigated.
Example of consequences of collapse of a pressurized component
• Blast or Explosion
• Injuries to occupants
• Intoxication of occupants
• Nuclear Contamination
• Fluid leakage/flooding
• Cryogenic fluid outbreak
• Fire
• Formation of secondary missiles hitting other components
• …
Layer of protection analysis (LOPA)
SIS = safety interlocked system
ESD = emergency shutdown system
In-depth defense:
• Barriers have to be:
– (Big I) Independent
– (3D) Able to Detect, Decide, Deflect
– (3E) Fast Enough, Strong Enough, Big Enough
Protective barriers for our example
sub-case: lift mishandling -> vessel failure -> nuclear accident
(Diagram labels: Vessel rupture, Cranes, Nuclear accident)
• Which are the safeguards applicable to the jth cause?
• Which are the safeguards stopping the accident scaling up in the ith direction?
Safeguards (Independent Protective Layers)
Inherent safety: does the problem exist?
• Cranes outside?
• Fork lifts?
• Crane bridge inside?
Safeguards (Independent Protective Layers)
Daily operation
• Planning and backup resource allocation
• Key management
• Procedure
• Training
Safeguards (Independent Protective Layers)
• Barriers
• Protection cage
• Corrective operational measures
• Panic button
• Working field
• Overload limiter
• Bumpers
• Traffic barriers
Safeguards (Independent Protective Layers)
Emergency preparedness
How to summarize all this?
Independent protective layers (to prevent accident)
Origin | Design | Basic controls, alarm, operator supervision | Critical alarm, operator supervision and manual intervention | Automatic safety interlock | Emergency shutdown system | Physical protection (reliefs and barriers) | Emergency response
Answers: Applicable / Not applicable / …….
Answers: YES / NO / To be investigated
Collision due to mobile loads, crane bridges, vehicles
• Can a crane bridge move above the experiment?
• Are the operators trained and certified to use the tools?
• Are procedures for moving loads in place?
• Do crane bridges have overload protections? Can they be easily bypassed?
• Do the crane bridges have an electronic mapping of the working field?
• Do lifting and movement devices have emergency stops?
• Do the crane bridges have physical blocks preventing movement above the experiment?
• Are protective barriers in place above the experiment?
• Are emergency procedures adapted to the nature of the loads lifted?
• Can a wheeled vehicle collide with the experiment?
• Is it regularly updated for the used space?
• Are keys and controls of lifting devices removed after use?
• Are barriers preventing collision with vehicles in place?
How to describe protection against the worsening of the consequences:
• (Table similar to the previous one, BUT with consequences)
Pressure vessel failure
Independent Protective layers (to fight consequence scaling up)
Consequence | Design | Basic controls, alarm, operator supervision | Critical alarm, operator supervision and manual intervention
Nuclear contamination
• Do vessels contain radionuclides that can be ejected in case of accident?
• Is it possible to modify their status of aggregation in order to limit their dispersion potential?
• Does a radiation level monitoring exist?
• Does a pressure control loop exist that might reduce the pressure in case of incipient failure?
• Is the operator able to recognize immediately an increase of radiation level and to give alarms?
• …..
Automatic safety interlock | Emergency shutdown system | Physical protection (reliefs and barriers) | Emergency response
• Is a shutdown maneuver effective to limit or stop the flow in case of vessel failure?
• Does the vessel rupture expose the content directly to air?
• Is ventilation separated from the rest of the building?
• Do emergency relief valves have a recuperation system?
• Do recuperation pits exist for heavy gases or liquids?
• Are shutoff valves located in a position accessible in emergency?
• Is the maximum potential of the event limited to the room or external too?
“How many” independent protective layers do we need?
• Hard to say in few words… but in principle “big events” shall be kept under 10^-6, 10^-8 occurrences per year (same chance as a big asteroid hitting our planet)
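
A rudimentary layer count of the kind this slide asks for, as an added example that is not part of the original presentation: standard LOPA multiplies the initiating-event frequency by the probability of failure on demand (PFD) of each independent layer and compares the result with the target. The initiating frequency, the PFD values and the screening answers are constructed for illustration; only layers answered YES are credited.

```python
from math import prod

# Layer names follow the column headings of the screening tables in the slides.
# Answers use the slides' vocabulary: "YES", "NO", "To be investigated".
# PFD values are constructed, not from the talk; the product below is only
# valid if the layers are truly independent (the "Big I" requirement).
CRANE_COLLISION = [
    # (layer, answer, assumed PFD if the layer is confirmed)
    ("Design", "NO", 1e-1),
    ("Basic controls, alarm, operator supervision", "YES", 1e-1),
    ("Critical alarm, manual intervention", "To be investigated", 1e-1),
    ("Automatic safety interlock", "YES", 1e-2),
    ("Emergency shutdown system", "NO", 1e-1),
    ("Physical protection (reliefs and barriers)", "To be investigated", 1e-2),
    ("Emergency response", "YES", 1e-1),
]

def lopa(initiating_per_year, layers, target_per_year=1e-6):
    """Credit only layers answered YES; return frequency, verdict, open items."""
    credited = [pfd for _, answer, pfd in layers if answer == "YES"]
    open_items = [n for n, answer, _ in layers if answer == "To be investigated"]
    mitigated = initiating_per_year * prod(credited)
    return {
        "mitigated_per_year": mitigated,
        "meets_target": mitigated <= target_per_year,
        "credited_layers": len(credited),
        "open_items": open_items,
    }

def with_open_items_closed(layers):
    """What-if: every 'To be investigated' answer is later confirmed as YES."""
    return [(n, "YES" if a == "To be investigated" else a, p)
            for n, a, p in layers]

if __name__ == "__main__":
    now = lopa(1e-1, CRANE_COLLISION)  # assumed: one lift mishap per 10 years
    later = lopa(1e-1, with_open_items_closed(CRANE_COLLISION))
    for label, r in (("confirmed only", now), ("open items closed", later)):
        print(f"{label}: {r['mitigated_per_year']:.1e}/yr, "
              f"{r['credited_layers']} layers, meets 1e-6: {r['meets_target']}")
    print("still to investigate:", now["open_items"])
```

With these constructed numbers the three confirmed layers leave the scenario above the 10^-6 target, and it is the two "To be investigated" answers that decide whether the target is reachable.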
Advantages
• All the possible sources are systematically treated
• Failure of further multiple levels is required to worsen the consequences
• Rudimentary probabilistic assessments are sometimes possible
• Domino effects between systems are, up to a certain extent, treatable
• More defined focus on specific aspects to be treated in further HAZOP and FMECA analysis
…..Is that all?
EVENT: FIRE
Protective barriers
Origin | Design | Basic controls, alarm, operator supervision
General, all fires
• How much is the total fire load?
• How often are walk-downs foreseen?
• Does the operator have a direct view on the experiment or a CCTV system?
Combustion of cables and electronics
• Are there significant amounts of cables?
• Are all the cables fire rated?
• Are the cables exposed to air?
• Are unused cables regularly removed?
• Are cables of the lines crossing the facility fire rated?
• Is the size of the cable bunches compatible with the test method (IEC 332-1 and IEC 332-3)?
• Are the printed circuit boards fire retardant?
• Are their casings fire retardant?
• Are the electronics labeled CE or certified with respect to fire propagation?
• Does the control system or the operator check power absorption, temperatures and other relevant parameters?
Combustion of thermal insulation, neutron shielding
• Does the experiment require combustible shielding?
• Quantities? Compact or porous? Reactive? Exposed to air?
Combustion of stored materials and of other mobile equipment (racks, vehicles, etc.)
• Does the layout plan specify a storage area?
• Does the experiment foresee remote patch panels avoiding the need to bring in test equipment?
Combustion of processed fluids or of hydraulic fluids
• Are flammable or combustible fluids present?
• What are quantity and nature?
• Are combustion inhibitor additives possible?
• Are external counter pipes possible?
Critical alarm, operator supervision and manual intervention
• Does a fire detection alarm exist?
• Is it sensitive enough?
• Is it located in critical areas?
• Beyond the alarm received by SCR and TCR, does the operator receive the alarm?
• Do fire extinguishers exist?
• Do fire hoses exist?
Automatic safety interlock | Emergency shutdown system | Physical protection (reliefs and barriers) | Emergency response
• Are the power supplies interlocked with automatic fire detection?
• In case of fire suppression, does a similar interlock exist?
• Is the operator aware of what systems have to be shut down?
• Is the shutdown system capable of preserving its function during the initial stages of a fire (15 to 30 min)?
• Is ventilation interlocked with the automatic fire detection system?
• Does a fire suppression system exist?
• Has fire suppression been foreseen for recessed locations?
• Is the fire brigade aware of the fire suppression systems installed?
• Are emergency communication means present?
• Is an evacuation system present?
• Are emergency shutdown buttons located in the control room and close to the experiment?
• Are fire stoppers present?
• Are fiber optic cables and other signal cables kept far from the power cables?
• How long does it take to be able to access an experiment?
• Is permanent flushing with inert gas of the inner parts foreseen?
• Does the operator check daily removal of undue storage?
• Does the operator check the sign-in and sign-out of the material?
• Does he check for the safety of the one-day equipment?
• Does the control system check pressure, temperatures, fluid levels and other relevant parameters?
• Is there a person responsible for junk material removal? How fast is their intervention?
• Does the operator inspect regularly to check for leakages?
• Do alarm thresholds in the parameters exist?
• Do specific extinguishers exist?
• Do the pumps and other active components switch off in case of overtemperature? (bimetallic circuit breakers)
• Does the operator forbid running of the experiment in case of storage accumulation?
• Do vehicles have a device for immediate power cut of the batteries?
• Is the storage far away or protected by compartment subdivision?
• Does the system shut down automatically in case of leaks?
• Does the beam stop?
• Does a retention pit exist?
• Can the storage vessel be protected by compartment?
• Does an automatic fire suppression system exist?
• Is it compatible with the fluids?
• Is the fire brigade informed of the nature of the fluids?