Engineered and Administrative Safety Systems for the Control of - - PowerPoint PPT Presentation



SLIDE 1

Engineered and Administrative Safety Systems for the Control of Prompt Radiation Hazards at Accelerator Facilities

James C. Liu (james@slac.stanford.edu), Stanford Linear Accelerator Center (SLAC)
Vashek Vylet, Thomas Jefferson National Accelerator Facility (TJNAF)
Lawrence S. Walker, Los Alamos National Laboratory (LANL)

SLIDE 2

Radiation Safety System (RSS)

  • RSS: Engineered and/or administrative safety systems to monitor, mitigate and control prompt radiation hazards.
  • RSS = ACS + RCS
  • ACS keeps people away from radiation
    – Ropes, signs, barriers and access controls
  • RCS keeps radiation away from people
    – Shielding, beam and radiation interlocks

SLIDE 3

ANSI N43.1 Standard Draft

  • N43.1 Standard “Radiation safety for the design and operations of particle accelerators”, American National Standards Institute (2008?)
  • Chapters 4, 5 and 6 of the N43.1 Standard draft, as well as some U.S. regulations and standards, are the main basis for this presentation.

SLIDE 4

N43.1 Committee

  • Ted de Castro (LBNL)
  • Roger Kloepping (LBNL)
  • Robert May (TJNAF)
  • Norman Rohrig (INEEL)
  • Olin Van Dyck (LANL)
  • Paula Trinoskey (LLNL)
  • John Drozdoff (TRIUMF, Canada)
  • Albert Evans (DOE)
  • Wesley Dunn (Texas DHS)
  • Vashek Vylet (Duke University)
  • Larry Larson (Sematech)

Reviewers

  • DOE
  • NRC
  • states
  • CAMD
  • FNAL
  • CERN
  • KEK, JAPRC
  • PAL
  • NSRRC, AEC

SLIDE 5

Disclaimer

  • N43.1 Standard is not yet approved. Requirements (shall) and recommendations (should) in this chapter should not be quoted as official ANSI positions.
  • Authors take full responsibility for any errors of this chapter and any discrepancies with the N43.1 standard.
  • Contributions by N43.1 members and the reviewers are acknowledged.

SLIDE 6

Goals of Presentation

  • Successful RSS needs a multidisciplinary team
  • Presented from a health physicist’s, not a system engineer’s, perspective
  • Health physicist roles for RSS
    – Analyze radiation hazards; develop policies, requirements and procedures for systems
    – For interlocked systems
      • Review and/or approve design, changes, use, and associated operating and testing procedures
      • Design, install and/or maintain the systems, if limited facility size

SLIDE 7

Contents

  • U.S. regulations and standards
  • Radiation Safety System (RSS)
  • Access Control System (ACS)
  • Radiation Control System (RCS)
  • Examples of RSS policies and practices at some accelerator facilities

SLIDE 8

U.S. Federal and State Regulations

  • 10CFR20 “Standards for protection against radiation”, U.S. NRC (1991)
  • NUREG-1736 “Consolidated guidance for 10CFR20”, U.S. NRC (2001)
  • CRCPD Suggested State Regulations (SSR) “Radiation safety requirements for particle accelerators” (1991)

SLIDE 9

U.S. DOE Regulations

  • 10CFR835 “Occupational radiation protection” (1998, 2007)
  • DOE O 420.2B “Safety of accelerator facilities” (2004)
  • DOE G 420.2.1 “Implementation guide for DOE O 420.2B” (2005)
  • DOE G 441.5-5 “Radiation-generating devices guide for use with 10CFR835” (1999)

SLIDE 10

Main U.S. Standards

  • NCRP-88 “Radiation alarms and access control systems” (1986)
  • ANSI N43.3 “American National Standard for general radiation safety - installations using non-medical X-ray and sealed gamma-ray sources, energies up to 10 MeV” (1993, in revision)
  • IEC-61508 “Functional safety of electrical, electronic, programmable electronic safety-related systems” (1998)
  • ANSI/ISA-84.01/IEC-61511 “Functional safety - Safety Instrumented Systems for the process industry sector” (1996, 2004) - does not cover nuclear power facilities

SLIDE 11

Radiation Safety System (RSS): Systems that Protect People from Prompt Radiation Hazards

SLIDE 12

Radiation Safety System (RSS)

  • RSS is defined as a combination of engineered (passive and active elements) and/or administrative safety systems to monitor, mitigate and control prompt radiation hazards in a graded approach.
  • Technical, operational and management aspects
  • RSS = ACS + RCS
    – ACS keeps people away from radiation
    – RCS keeps radiation away from people

SLIDE 13

ACS and RCS

  • Access Control System (ACS)
    – Ropes and warning signs
    – Door or gate with locks
    – Interlocked access control
    – Beam inhibiting devices (BID)
  • Radiation Control System (RCS)
    – Passive systems: shielding, fence
    – Active systems: beam interlocks and radiation interlocks

SLIDE 14

Facility Safety Assessment and Controls

  • Identify accelerator beam parameters, facility operation modes (normal and abnormal beam losses), and personnel occupancy
  • Analyze associated radiation hazards
  • Develop RSS requirements for risk mitigation and controls
  • Define Safety Envelope and Operation Envelope
  • Experience from peer labs

SLIDE 15

SLIDE 16

RSS Interlock Functional Relationship

Figure (block diagram). Radiation Control System Logic: INPUT = Radiation Detectors, OUTPUT = Beam Inhibiting Devices. Access Control System Logic: INPUT = Area Safe Signal, Area Secure Signal; labelled flows: Operate Permission, Warnings, Operate Permission.

SLIDE 17

RSS Interlock Design Considerations

  • ACS versus RCS (hazards and mitigation)
  • Both preventive and reactive system types
  • Develop system functional specification (what)
  • Develop system integrity specification (how well)

SLIDE 18

RSS Interlock Design Considerations

  • Reliable and high performance
    – No single-point failures (redundancy)
    – No common-mode failures (separation and diversification)
    – Sufficiently fast response time
    – Protection for harsh environment (radiation, humidity, temperature, vibration, power, etc.)
    – Negligible false or nuisance trips

SLIDE 19

RSS Interlock Design Considerations

  • Testability
  • Simple and modular design
  • Tamper resistance (e.g., concealed door microswitches; protected devices, cables and equipment; locked cabinets)
  • Ergonomic (easy to use and understand, prevent human error, interface)
  • Life-time cost and resource

SLIDE 20

RSS Interlock Design Considerations

  • Interlocked-type ACS (and active RCS) are dormant systems, i.e., no response or action under normal conditions
  • Self-checking
  • Fail-safe

SLIDE 21

Fail-safe Design

  • Definition: One in which the credible failure modes leave the system in a safe condition
  • Examples of failure:
    – Loss of AC or DC power
    – Loss of air pressure
    – Open or short circuit
    – Ground fault
    – Likely circuit element failure modes
      • Relay - coil burnout
      • PLC – software bug, uncertain

SLIDE 22

Engineered RSS Operational Requirements and Guidance

  • Quality assurance (QA) program
    – Components, workmanship
    – Design, installation, testing, commissioning and operations
  • Configuration control (CC) program
  • Maintenance, repair and modification program
  • Periodic certification and check programs
  • Safety systems independent and separated from non-safety systems

SLIDE 23

Engineered RSS Operational Requirements and Guidance

  • Trained, qualified and authorized individuals
  • System readiness review
  • Document and record management program (transferable and auditable)
  • Self assessment
  • Peer (internal and external) review

SLIDE 24

RSS for Non-Beam Radiation

  • Radiation from dark current due to HV and/or RF fields (e.g., cavity, klystron)
  • Exposure from induced radioactivity in machine components (e.g., beam stops, collimators)
  • Shielding to reduce activation of air, soil, groundwater
  • Engineered controls for exposure to activated air

SLIDE 25

RSS Interlock Bypass or Variance

  • Governed by policies and procedures
  • Justified
  • Alternative protection, e.g., radiation source inhibited, tight administrative controls
  • Written approval via authorized channels
  • Detailed documentation
  • Affected systems or areas posted
  • Involved parties communicated
  • Normal interlocks restored and verified ASAP

SLIDE 26

RSS Accident

1982: A fatal exposure at a Co-60 irradiator in Norway (due to a series of 5 failures!)

  • Conveyor belt jammed at night (failure #1)
  • Sources failed to automatically retract into the shielded position (failure #2)
  • First person arriving at work in the morning found a green indicator light (failure #3) and an unlocked interlocked door (failure #4)
  • An interlocked radiation monitor normally located in the maze was out for repair (failure #5)

SLIDE 27

SLIDE 28

Access Control System (ACS)

Control Personnel Occupancy in Areas with Prompt Radiation above the Acceptable Levels

SLIDE 29

SLIDE 30

N43.1 Access Control System (ACS)

  • Entry and access control modules
    – Enclosures (ropes and/or barriers)
    – Personnel entry gates
    – Warnings and signs
    – Communication and monitoring features
    – Exclusion Area (> 10 mSv/h) needs Area Secure System
    – Emergency response features

SLIDE 31

ACS Entry Module

SLIDE 32

N43.1 Access Control System (ACS)

  • Beam Inhibiting Devices (BID)
    – Power supply for gun or RF, beam safety shutter, electromagnet, etc.
    – Normal access control function
    – Fault-response beam removal function

SLIDE 33

ACS Mechanical BID (Beam Shutters)

SLIDE 34

N43.1 ACS Graded Approach

| Dose in 1 h (mSv) | Dose Category | Start-up Warning | Enclosure | Personnel Entryway Gate | Area Secure System |
| 0.05–1 | Minimum | None | Rope | No Restriction | Not Required |
| 1–10 | Low | Visible & Audible | Barrier | Locked or Interlocked | Not Required |
| 10–100 | Moderate | Visible & Audible | Barrier | Locked; Interlock Also Recommended | Required (Exclusion Area) |
| > 100 | High | Visible/Audible; Emergency Off | Barrier | Locked & Interlocked | Required (Exclusion Area) |

1) Tighter than NCRP-88
2) Access to areas ≤ 0.05 mSv/h is governed by general RPP.
3) Interlock redundancy is required for High dose category.

SLIDE 35

Additional Functional Requirements for Interlock-type ACS

  • Redundancy via independent chains (from sensors to control devices)
  • A single mechanical beam shutter is acceptable.
  • Reliability, maintainability, testability, simplicity
  • Interlocks not used as normal on-off devices
  • Must have a manual emergency shutdown mode to override interlocks

SLIDE 36

Certification and Checks for Interlocked-type ACS

  • Extensive certification and check programs are needed and shall be developed.
  • Certification, check and maintenance shall be conducted following formal, written procedures by authorized personnel.
  • Activities shall be properly documented.

SLIDE 37

ACS Certification

  • Prior to accelerator commissioning or major ACS changes, the system is certified to meet safety requirement specifications via an acceptance test:
    – Performance of sensors, logic, and control elements
    – All functions of the logic (including unintended and bypass functions)
    – Potential failure modes from errors in system design or implementation, and component failures

SLIDE 38

ACS Certification

  • Before accelerator operation past one year following the last successful annual certification, the ACS hardware/software and functionality shall be certified to operate as intended.
  • Before restarting operation following ACS modification, repair or maintenance, the potentially affected portions shall be certified.
  • Certification shall be end-to-end, i.e., from inputs to outputs.
  • May be the same as system acceptance test, particularly for small systems

SLIDE 39

ACS Checks

  • More frequent and periodic checks by Operations or authorized individuals should be implemented for critical system components that are subject to accidental damage or potential failures caused by frequent use or presence in a harsh physical environment
    – Micro-switches
    – Emergency-off
    – Keybank

SLIDE 40

ACS for Simple Accelerator Facility

Figure: radiation therapy linac. Labels: interlocked and locked door; operator console, EO, status light; emergency exit; video cameras; radiation detectors; Emergency Off.

SLIDE 41

Function Logic for Detector and Door Interlocks

SLIDE 42

SLIDE 43

Radiation Control System (RCS)

Control Prompt Radiation in Occupiable Areas Not Exceeding the Acceptable Levels under both Normal and Abnormal Accelerator Operation Conditions

SLIDE 44

SLIDE 45

Radiation Control System (RCS)

  • Passive systems
    – Shielding (bulk and local) and fence
  • Active systems
    – Beam interlocks
    – Radiation detector interlocks
    – Should follow the same general requirements as interlocked-type ACS (redundancy, fail-safe, and testability)

SLIDE 46

RCS Performance Requirements

Normal Operations (within Operation Envelope)

  • RCS ensures dose rates as in Table 5.1
  • Shielding design criteria
    – 20% of dose limit for radiological workers
    – 1 mSv/y for general employee
    – 0.1 mSv/y (7200 h/y) for off-site doses
    – Observe ALARA principle

SLIDE 47

RCS Performance Requirements

Abnormal Operations

  • Exposure analysis for maximum credible beam losses throughout facility (capabilities of accelerator systems, modes of operation, and the RSS features; peer lab experience)
  • Dose per unlikely event ≤ 10 mSv
  • Layers of hazard controls (higher levels of radiation risk are mitigated by increasing layers of safety controls)

SLIDE 48

Passive versus Active RCS

  • Normal beam losses shall be addressed by passive systems.
  • Abnormal beam losses or operations shall be controlled by passive and/or active systems.
  • Balance between passive and active systems (passive systems are preferred)
  • Probabilistic Risk Analysis (PRA) with performance data should be made when active RCS play extensive or critical roles.

SLIDE 49

RCS Passive Systems

  • Shielding and/or fences
  • Conservative shielding design for both normal (allowed beam power) and abnormal (maximum credible beam power) operations
  • Designed or reviewed by safety professional
  • Verification survey for normal and likely abnormal beam losses
  • Configuration control program is crucial

SLIDE 50

RCS Active Systems

  • Monitors/limiters for beam energy, beam current and beam losses
  • Electronic system may include:
    – A beamline transducer, e.g., current toroid, secondary emission monitor, beam position monitor, repetition rate monitor, ion chamber or meter relay
    – An electronic processing module that integrates or counts beam current pulses
    – A beam shut-off circuit connected to beam shutters, RF sources or high-voltage supplies

SLIDE 51

RCS Active Systems

  • Protection for mechanical beamline safety devices that have power ratings below the Allowed Beam Power
    – Coolant flow switches
    – Temperature sensors
    – Vacuum pressure sensors
    – Ionization chambers
    – Burn-Through Monitor (BTM), a pressurized chamber that ruptures on over-heating

SLIDE 52

RCS Active Systems

  • Radiation detectors
    – Inside accelerator housing and/or in occupiable areas
    – Effects on detector response in pulsed radiation fields, RF/magnetic field interference, and radiation damage
    – Current-mode ionization chamber is generally the choice

SLIDE 53

Active RCS Field Devices

Figure: Sensors (radiation, current, voltage, temperature, pressure, flow, etc.) → Logic (redundant relay and/or PLC) → Control Elements (power supplies, trigger, shutter, valve/switches), with the wiring between them. Field devices account for 90% of safety system failures!

SLIDE 54

Some Active RCS Considerations

  • Selection of sensors and final elements
  • Sensor response accuracy and calibration
  • Different action levels
    – Warning to mitigate radiation
    – Trip to terminate beam (particularly for critical applications)
  • Self-checking and fail-safe
  • Interfaces for Operator and with non-safety systems

SLIDE 55

Active RCS Certification and Test

  • Annual system certification and calibration
  • Regular and frequent verification of active and operational status during operation
  • Self-test provisions, e.g.,
    – Keep-alive radioactive source
    – Housekeeping pulses through toroid windings
    – Test buttons provided so that each redundant path can be fully exercised
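
The integrating processing module of slide 50 and the housekeeping-pulse self-test above, as an added Python model that is not from the presentation or from any laboratory's actual system: a constructed beam-current limiter with a sliding-window charge integrator, an assumed per-cycle test pulse through a separate toroid winding, and a latched fail-safe trip when that pulse is missing or out of band. Window length, charge units and the 20% tolerance band are assumptions of this example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Optional


@dataclass
class BeamCurrentLimiter:
    """Constructed model (not any facility's real design) of an active RCS
    beam-current limiter. A current toroid delivers one charge sample per beam
    pulse; the module integrates charge over a sliding window of pulses and
    removes the beam permit when the integrated charge exceeds the limit derived
    from the Allowed Beam Power. On every cycle a housekeeping pulse is injected
    through a separate test winding on the toroid; if it is not seen, or has the
    wrong amplitude, the chain cannot be trusted to see real beam and it trips
    (fail-safe). A trip latches until a deliberate reset."""
    window_pulses: int            # integration window, in beam pulses
    charge_limit_nc: float        # allowed charge per window (nC, assumed unit)
    housekeeping_nc: float        # expected test-pulse amplitude (nC)
    tolerance: float = 0.2        # accepted band around the test pulse, +/-20%
    tripped: bool = False
    reason: str = ""
    _samples: Deque[float] = field(default_factory=deque)

    def _trip(self, reason: str) -> bool:
        self.tripped = True
        self.reason = reason
        return False

    def cycle(self, beam_charge_nc: float, housekeeping_nc: Optional[float]) -> bool:
        """Process one machine cycle; return True if the beam permit remains."""
        if self.tripped:
            return False                      # latched: stays off until reset()
        # Self-test first: a missing or out-of-band test pulse means a dead toroid,
        # broken cable or failed electronics, so the beam reading is not trusted.
        lo = self.housekeeping_nc * (1 - self.tolerance)
        hi = self.housekeeping_nc * (1 + self.tolerance)
        if housekeeping_nc is None or not (lo <= housekeeping_nc <= hi):
            return self._trip("housekeeping pulse missing or out of band")
        # Sliding-window integration of the beam charge samples.
        self._samples.append(beam_charge_nc)
        if len(self._samples) > self.window_pulses:
            self._samples.popleft()
        total = sum(self._samples)
        if total > self.charge_limit_nc:
            return self._trip(f"integrated charge {total:.1f} nC exceeds "
                              f"limit {self.charge_limit_nc:.1f} nC")
        return True

    def reset(self) -> None:
        """Deliberate reset after the cause of a trip has been investigated."""
        self.tripped = False
        self.reason = ""
        self._samples.clear()


if __name__ == "__main__":
    # Constructed run: 15 nC per pulse stays within a 100 nC / 5-pulse envelope;
    # two 30 nC pulses push the window over the limit and the permit latches off.
    lim = BeamCurrentLimiter(window_pulses=5, charge_limit_nc=100.0, housekeeping_nc=10.0)
    for charge in [15.0] * 5 + [30.0, 30.0]:
        print(charge, lim.cycle(charge, housekeeping_nc=10.0), lim.reason)
    lim.reset()
    print(lim.cycle(0.0, housekeeping_nc=None), lim.reason)   # self-test trip
```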

SLIDE 56

ACS versus Active RCS

  • ACS failure ⇒ radiation hazard
    – Door or BID interlocks fail ⇒ high radiation
  • Active RCS failure + abnormal machine performance ⇒ radiation hazard
    – Detector fails + abnormal beam loss ⇒ high radiation
  • Implications: self-diagnosis, redundancy and fail-safe
  • Beam shutters are ACS and RCS
  • Concept of safety critical device or system

SLIDE 57

RCS Administrative Controls

  • Supplement the passive and active systems in low-hazard conditions
  • Configuration control (SLAC uses RSWCF)
  • Operation control
  • Machine parameters (beam energy, beam current, number of integrated beam particles, pulses, and particle type) should be controlled by administrative means (computer control or operating procedures), if not by engineered means
  • Safety credit?

SLIDE 58

Machine Protection System (MPS)

  • Protect beamline components where radiation damage or overheating would not result in personnel hazards
  • Electronic systems to monitor beam parameters, operational modes, beam loss conditions, machine performance, etc.
  • MPS is in general less rigorous and controlled than RCS
  • MPS credit as active RCS (MPS may provide early detection and prevention/mitigation for events that may otherwise trigger RCS)

SLIDE 59

Summary

  • Facility needs formal, written policies and procedures to analyze hazards, and to develop and operate RSS in a graded approach
  • SAD, Safety Envelope, Operation Envelope
  • ACS and RCS: consistency and balance
  • Life-cycle concept covering technical, operational and management aspects
  • Personnel responsibilities and training
  • Documentation of activities
  • Peer review and improvement for systems and program

SLIDE 60

Some Laboratory Reports

  • SLAC Report 327 “Health physics manual of good practices for accelerator facilities” (1988)
  • SLAC “Radiation safety systems, technical basis document” (2006)
  • TJNAF “Jefferson Lab Personnel Safety System, systems requirement specification” (2007)
  • TRIUMF “Radiation safety system at TRIUMF” (2001)
  • LANL “Accelerator Access-Control Systems” LS107-01.1 (1993)

SLIDE 61

Some References

  • IAEA Report 188 “Radiological safety aspects of the operation of electron accelerators” (1979)
  • IAEA Report 283 “Radiological safety aspects of the operation of proton accelerators” (1988)
  • NCRP Report 144 “Radiation protection for particle accelerator facilities” (2005)

SLIDE 62

Useful ACS Standards

  • IEC-880 “Software for computers in the safety systems of nuclear power plants” (1986) and its supplements
  • EWICS TC-7 Position Paper 6012 “Guidelines for the use of programmable logic controllers in safety-related systems” (1998)
  • IEC-61508 “Functional safety of electrical, electronic, programmable electronic safety-related systems” (1998)
  • ANSI/ISA-84.01/IEC-61511 “Functional safety - Safety instrumented systems for the process industry sector” (1996, 2004)

SLIDE 63

Some Questions for Interlocked-type RSS

  • What technology should be used: relay or PLC?
  • Which system is safer: dual 1oo2 or triple 2oo3?
  • How often should systems be certified or tested?
  • What types of documentation are needed?
  • How can peer labs’ safety system performance or experience be used?
  • How to strike the balance in satisfying so many sometimes competing or conflicting requirements?
  • What kind of safety culture is needed?
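
The fail-safe design of slide 21 and the 1oo2 versus 2oo3 question above, as an added Python model that is not part of the presentation: an absent chain signal is treated as unsafe, the ACS operate permission is formed from redundant area-secure and area-safe chains as in the slide 16 diagram (the 1oo2 wiring of each pair is this example's assumption), and the dangerous-failure and nuisance-trip probabilities of the two voting schemes are computed under the assumption that chains fail independently, i.e. with no common-cause failure.

```python
from typing import Optional, Sequence

# A chain reading is True (affirmatively safe / below trip level), False (unsafe),
# or None when the signal is absent: open circuit, loss of power, detector out for
# repair, watchdog timeout. Fail-safe rule: an absent signal is treated as unsafe.
Reading = Optional[bool]


def chain_says_safe(reading: Reading) -> bool:
    """Only an explicit 'safe' counts; False and None both withhold the permit."""
    return reading is True


def permit_1oo2(a: Reading, b: Reading) -> bool:
    """Dual chain, 1-out-of-2 to trip: either chain alone removes the permit."""
    return chain_says_safe(a) and chain_says_safe(b)


def permit_2oo3(a: Reading, b: Reading, c: Reading) -> bool:
    """Triple chain, 2-out-of-3 to trip: two chains must agree to remove beam."""
    return sum(chain_says_safe(r) for r in (a, b, c)) >= 2


def operate_permission(area_secure: Sequence[Reading],
                       area_safe: Sequence[Reading]) -> bool:
    """ACS operate permission as in the functional diagram: the redundant chains
    of the area-secure signal (door and emergency-off status, assumed) and of the
    area-safe signal (radiation detectors) must all affirmatively read safe.
    Each pair is wired 1oo2 (assumption of this example)."""
    return permit_1oo2(*area_secure) and permit_1oo2(*area_safe)


def p_fail_dangerous(p: float, arch: str) -> float:
    """Probability the voted logic fails to trip on a real demand when each chain
    fails dangerous with probability p. Assumes independent chains, i.e. no
    common-cause failure (which separation and diversity are meant to buy)."""
    if arch == "1oo2":
        return p ** 2                          # both chains must fail
    if arch == "2oo3":
        return 3 * p ** 2 * (1 - p) + p ** 3   # two or all three chains fail
    raise ValueError(arch)


def p_spurious_trip(q: float, arch: str) -> float:
    """Probability of a nuisance trip with no demand when each chain trips
    spuriously with probability q, independently."""
    if arch == "1oo2":
        return 1 - (1 - q) ** 2                # any one chain trips the beam
    if arch == "2oo3":
        return 3 * q ** 2 * (1 - q) + q ** 3   # two chains must trip together
    raise ValueError(arch)


if __name__ == "__main__":
    # Constructed scenario: one of two radiation monitors is out for repair (None).
    # Fail-safe logic withholds permission rather than reading it as 'no alarm'.
    print(operate_permission(area_secure=(True, True), area_safe=(True, None)))  # False
    for arch in ("1oo2", "2oo3"):
        print(f"{arch}: P(fail to trip)={p_fail_dangerous(0.01, arch):.2e}, "
              f"P(nuisance trip)={p_spurious_trip(0.01, arch):.2e}")
```

With the same per-chain probability, 1oo2 has the lower probability of failing on demand while 2oo3 has the lower nuisance-trip probability, which is the trade-off behind the slide's question.
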

SLIDE 64

Computer-Based Logic Systems

  • Use Programmable Logic Controllers (PLCs), instead of relays, to perform logic functions and monitor status signals associated with entry control
  • Benefits: ease of use, handle complex and extensive logic requirements, good immunity to electrical interference, provide automatic documentation of the logic

SLIDE 65

Computer-Based Logic Systems

  • Safety-rated PLC systems shall be used.
  • Redundancy should be achieved by using independent PLC systems and may involve different programmers.
  • Software program requirements shall follow a determined set of specifications.
  • Watchdog timers shall be incorporated into internal processor and external systems.
  • High modularity and testability
  • Protection from radiation damage

SLIDE 66

Computer-Based Logic Systems

  • Software program QA shall be performed.
  • Supplement with simplified hardware second chain.
  • Integrated risk assessment of the systems shall be made.
  • Systems and procedures shall be peer-reviewed, validated, verified prior to use.
  • Management of documentation and operation of the software and systems