Full Scale Thermosiphon
Risk Assessment
Lukasz Zwalinski
PH/DT/PO - Cooling
Introduction
• Document prepared on 23rd of March 2011
• Main references:
  - P&I Diagram and Part List of the Full Scale Thermosiphon, March 2011, EDMS 1101188
  - CERN Safety Guideline OHS-0-0-1 – Risk Assessment, EDMS 1114042
  - ISO 12100 Safety of machinery – General principles for design – Risk assessment and risk reduction (2010-11-01)
  - ISO 31000 Risk management – Principles and guidelines (2009-11-15)
  - ISO/TR 14121-2 Safety of machinery – Risk assessment (2007-12-15)
  - ISO 13849-2 Safety of machinery – Safety related parts of control systems (2003-08-15)
Thermosiphon workshop §5
20th October 2011
L.Zwalinski – PH/DT/PO
Definitions
Hazard
The intrinsic property or ability of something (e.g. work materials, equipment, work methods
and practices) with the potential to cause harm.
Hazardous event
Occurrence leading to undesired consequences and arising from the triggering by one (or
more) initiator events /causes of one (or more) hazards.
Risk
The likelihood that the potential for harm will be attained under the conditions of use and/or
exposure, and the possible extent of the harm. Effect of uncertainty on objectives.
Severity
Classification of a failure or undesired event according to the magnitude of its possible
consequences.
Risk assessment
The process of evaluating the risk to the health and safety of workers while at work arising
from the circumstances of the occurrence of a hazard at the workplace. Overall process of
risk identification, risk analysis and risk evaluation.
Definitions
Risk assessment process
It is based on a systematic examination
of all aspects of work that considers:
• what could cause injury or harm,
• whether the hazards could be
eliminated and, if not,
• what preventive or protective
measures are, or should be, in
place to control the risks.
[OHSAS 18001 Occupational Health and Safety]
Risk assessment activities ISO 12100:2010
1. Usage limits
   - Operating phases and procedures (2 kW Thermosiphon)
   - Control system (overall architecture)
   - System users (access control)
2. Time limits (continuous operation)
3. Space limits (Point 1, USA15, B3184 roof)
4. Other limits (properties of the cooling fluids)
Hazard zones shown in the figure: brine circuit (C6F14); brine circuit / main cooling loop; vertical liquid line (PX15 and roof of B3184); by-pass dummy load (USA15); detector liquid supply line (USA15); by-pass (USA15); detector vapor return line.
Risk estimation OHS-0-0-1
The probability of occurrence of harm (occurrence of the hazardous event)
 Very low [1]: Extremely unlikely to occur during the task; once per year or less.
 Low [2]: Unlikely to occur during the task; more than once per year, at most once per month.
 Medium [3]: Incident may occur during the task; several times per month, at most once per week.
 High [4]: Likely to occur several times during the task; several times per week.
The severity of harm
 Minimal [A]
  People: Slight injuries, no treatment needed.
  Environment: Not applicable.
  Property: Not applicable.
 Low [B]
  People: Injuries or temporary, reversible illnesses not resulting in hospitalization and requiring only minor supportive treatment.
  Environment: Isolated and minor, but measurable, impact on some component(s) of a public resource.
  Property: Minor property damage in the facility.
 Medium [C]
  People: Injuries or temporary, reversible illnesses resulting in hospitalization, with a variable but limited period of disability.
  Environment: Serious impairment of the functioning of a public resource.
  Property: Major property damage in the facility.
 High [D]
  People: Death from injury or illness, permanent disability or chronic irreversible illness.
  Environment: Permanent or long-term loss of a public resource (drinking water, air, etc.).
  Property: Loss of facility.
Risk evaluation OHS-0-0-1
Selected method: risk matrix.
Risk = Probability of occurrence of a hazardous event x Severity of consequences. With the severity classes scored 1 (Minimal) to 4 (High) and the probability classes 1 to 4, the bands below follow the product: 1–2 Low, 3–6 Medium, 8–16 High.
Risk estimation: the risk related to the considered hazard is a function of the severity of harm and the probability of occurrence.
Risk evaluation determines whether risk reduction is required. If risk reduction is required, the appropriate protective measures shall be selected and applied.

Risk evaluation matrix (rows: potential severity; columns: probability of the hazardous event)

                Very low [1]   Low [2]   Medium [3]   High [4]
 Minimal [A]    A1             A2        A3           A4
 Low [B]        B1             B2        B3           B4
 Medium [C]     C1             C2        C3           C4
 High [D]       D1             D2        D3           D4

Risk levels and required action
 Low [A1, A2, B1]: Acceptable risk: no actions need to be taken.
 Medium [A3, A4, B2, B3, C1, C2, D1]: Unacceptable risk: actions are necessary to reduce the risk.
 High [B4, C3, C4, D2, D3, D4]: Unacceptable risk: immediate actions are necessary to reduce the risk promptly.
Hazard identification and risk evaluation example
Phase / operation: Normal operation: Run-order & (Standby OR Run OR Recovery)
Hazard zone: Vertical liquid line, USA15
User / task / component: EH2102
Component description: Heater on the liquid supply line, after the vapor cooling heat exchanger and before the bypass, heating the liquid to ambient temperature to avoid condensation on the way to the detector.

Hazardous event 1: Electrical failure - 24 V DC power supply problem. The command signal from the PLC is not reaching the solid state relay; the relay stays open.
 Hazard: Fails to heat up the coolant.
 Local potential consequences: Not possible to keep the temperature above 20 C; condensation on the detector supply line.
 Global potential consequences: Unable to continue cooling of the Inner Detector; condensation in the detector can damage other electronic systems.
 Current measures: The temperature after the heater (TT2103) is not changing, or stays equal to the temperature before the heater (TT2102). Inspection of the control cabinet is required. The 24 V DC power supply status is monitored by a status bit read by the PLC and displayed in PVSS. Plant Start Interlock. If the coolant stops circulating, the Evaporative Cooling Compressor Station has to be switched on to continue ATLAS operation and avoid Inner Detector degradation; all compressor station elements should be kept in good condition as the back-up solution in case of serious Thermosiphon damage.
 Risk: Severity Medium, Probability Very low, level C1.
 Risk reduction: Install a redundant 24 V DC power supply. Residual risk: Minimal, Very low, A1.

Hazardous event 2: Electrical failure - problem with the coil of the command relay, or the relay switch is not changing its position (relay blockage).
 Hazard: Fails to heat up the coolant.
 Local / global potential consequences: as for event 1.
 Risk: Severity Medium, Probability Very low, level C1.
 Risk reduction: Add a back-up heater. Residual risk: Minimal, Very low, A1.

Hazardous event 3: PID control is OFF or fails because the measured value is in IOError. The measured value is the liquid temperature entering the detector and the by-pass (TT2202); this temperature has to stay above 20 C to avoid condensation.
 Current measures: The controller and heater PVSS widgets indicate the IOError. The operator has to verify whether any logic-dependent sensor or calculation is in IOError; IOError propagates between related objects (the controller inherits errors from the heater). If the coolant stops circulating, the Evaporative Cooling Compressor Station has to be switched on to continue ATLAS operation and avoid Inner Detector degradation; all compressor station elements should be kept in good condition as the back-up solution in case of serious Thermosiphon damage.
 Risk: Severity Medium, Probability Low, level C2.
 Risk reduction: Add a second temperature sensor and regulate on the average value. If one of the sensors is in IOError, take it out of the calculation; stop the system only if both sensors are in IOError. Residual risk: Minimal, Very low, A1.

Hazardous event 4: Electrical failure - thermal switch TS2102 fails.
 Hazard: Overheating, burning of insulation and fire.
 Global potential consequences: Unable to continue cooling of the Inner Detector. In case of fire or serious system damage the whole ATLAS experiment stops.
 Current measures: The second and last level of heater protection is the thermal switch installed on the device, which cuts the power supply independently of the PLC command; the thermal switch has its own thermocouple installed inside the heater. In case of its failure an electrical inspection is required, with dismounting of the heater temperature sensor and replacement of the thermal switch; during that period the system has to be stopped.
 Risk: Severity High, Probability Very low, level D1.
 Risk reduction: Software stop interlock that blocks the command from the PLC at a temperature threshold set lower than the thermal switch threshold. An additional thermocouple should be installed in the heater to detect over-temperature before the thermal switch trips. Thermal switch feedback to the PLC, with a SET/RESET interlock condition on the thermal switch status: if thermal switch overheating is detected the interlock trips; when the cause disappears the interlock stays ON until the operator resets it. No auto-recovery after a thermal switch problem. Residual risk: Low, Very low, B2.

Hazardous event 5: Electrical failure - differential circuit breaker trip, residual current detection.
 Hazard: Electric shock; touching live parts.
 Local potential consequences: Not possible to keep the temperature above the saturation temperature of the return vapor; condensation on the return line.
 Global potential consequences: Unable to continue cooling of the Inner Detector.
 Current measures: Circuit breaker status is continuously monitored by the PLC. The PLC triggers a stop interlock, displayed in PVSS, which blocks the command. Electrical inspection and system stop are necessary.
 Risk: Severity High, Probability Very low, level D1.
 Risk reduction: The heater is housed in a screwed metallic cover protecting the user from touching live parts during normal operation; circuit breaker monitoring and heater stop interlock. Residual risk: Low, Very low, B1.

Hazardous event 6: Electrical failure - circuit breaker trip, overload.
 Hazard: Burning of insulation.
 Current measures: Circuit breaker status is continuously monitored by the PLC; the PLC triggers the stop interlock displayed in PVSS and blocks the command. If the coolant stops circulating, the Evaporative Cooling Compressor Station has to be switched on to continue ATLAS operation and avoid Inner Detector degradation; all compressor station elements should be kept in good condition as the back-up solution in case of serious Thermosiphon damage.

Hazardous event 7: Electrical failure - solid state relay problem (the failure-to-OFF case is detailed for the NO Run-order phase below).
Hazard identification and risk evaluation example
Phase / operation: Normal operation: NO Run-order
Hazard zone: Vertical liquid line, USA15
User / task / component: EH2102
Component description: Heater on the liquid supply line, after the vapor cooling heat exchanger and before the bypass, heating the liquid to ambient temperature to avoid condensation on the way to the detector.

Hazardous event 1: Electrical failure - problem with the coil of the command relay, or the relay switch is not changing its position (relay blockage).
 Local potential consequences: Unnecessary heating during the stop period. Danger of overheating, burning of insulation and fire if the PLC and the thermal switch fail and there is no coolant circulation.
 Global potential consequences: Unable to restart cooling of the Inner Detector. In case of fire or serious system damage the whole ATLAS experiment has to be stopped until all required repairs are complete.
 Current measures: The second and last level of heater protection is the thermal switch installed on the device, which cuts the power supply independently of the PLC command; the thermal switch has its own thermocouple installed inside the heater. In case of its failure an electrical inspection is required, with dismounting of the heater temperature sensor and replacement of the thermal switch; during that period the system has to be stopped.
 Risk reduction: Software stop interlock that blocks the command from the PLC at a temperature threshold set lower than the thermal switch threshold. An additional thermocouple should be installed in the heater to detect over-temperature before the thermal switch trips. Thermal switch feedback to the PLC, with a SET/RESET interlock condition on the thermal switch status: if thermal switch overheating is detected the interlock trips; when the cause disappears the interlock stays ON until the operator resets it. No auto-recovery after a thermal switch problem. Residual risk: Low, Very low, B2.

Hazardous event 2: Electrical failure - solid state relay problem.
 Hazard: Fails to OFF; burning of insulation.
 Local potential consequences: Unable to switch off the heater.
 Global potential consequences: The heater is out of use and the temperature of the vapor after the internal heat exchanger cannot be controlled; the EH2102 temperature controller TC2102 is unable to perform correct PID control.
 Current measures: The power to the heater has to be cut and the solid state relay replaced, which requires inspection of the control cabinet. For safety reasons the system should be stopped.
 Risk: Severity High, Probability Very low, level D1.
 Risk reduction: Additional contactor placed before the solid state relay ("heater power ON"), switching the power circuit between the solid state relay and the circuit breaker. Residual risk: Low, Very low, B1.
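The risk-reduction columns for the heater in the two tables above describe a layered protection: a software stop interlock set below the hardware threshold, a latched (SET/RESET) interlock on the thermal switch feedback with no auto-recovery, regulation on two supply sensors with IOError handling, and a contactor in series with the solid state relay. The following scan-cycle simulation is an added example and not the Thermosiphon PLC program: the thresholds (70 C software, 80 C thermal switch), the normally-closed wiring of the thermal switch feedback and every function and field name are assumptions; only the tags EH2102, TS2102, TC2102 and the 20 C supply limit come from the document.

```python
# Added example, not from the slides or from the real Thermosiphon PLC
# program: a scan-cycle simulation of the EH2102 heater protection logic
# proposed in the risk-reduction columns of the example tables.
#  - software stop interlock on the heater thermocouple, threshold below the
#    thermal switch TS2102 threshold, so software trips first;
#  - SET/RESET (latched) interlock on the thermal switch feedback, cleared
#    only by an operator reset, no auto recovery;
#  - regulation on the average of two supply sensors; a sensor in IOError is
#    dropped, the heater is stopped only when both are in IOError;
#  - a "heater power ON" contactor in series with the solid state relay.
# Threshold values and all names are assumptions; 20 C is from the slides.
from dataclasses import dataclass
from typing import Optional

IOERROR = None         # a sensor in IOError yields no value
SW_STOP_C = 70.0       # assumed software stop threshold on the heater thermocouple
TS_TRIP_C = 80.0       # assumed TS2102 trip threshold (must be above SW_STOP_C)
SUPPLY_MIN_C = 20.0    # from the slides: liquid to the detector must stay above 20 C


def thermal_switch_closed(heater_temp) -> bool:
    """Hardware layer: TS2102 opens at its own threshold, independent of the PLC.
    Assumed wired normally-closed, so a broken wire also reads as tripped."""
    return heater_temp is not IOERROR and heater_temp < TS_TRIP_C


def control_value(supply_temps) -> Optional[float]:
    """Average of the sensors that are not in IOError; None if all are."""
    valid = [t for t in supply_temps if t is not IOERROR]
    return sum(valid) / len(valid) if valid else None


@dataclass
class HeaterInterlock:
    latched: bool = False            # SET/RESET interlock on TS2102 status
    stop_reason: Optional[str] = None

    def scan(self, heater_temp, ts_closed: bool, supply_temps, run_order: bool) -> bool:
        """One PLC scan. Returns the heater command (True = heat)."""
        if not ts_closed:
            self.latched = True      # SET; the cause disappearing does not clear it
        if self.latched:
            self.stop_reason = "TS2102 interlock latched; operator reset required"
            return False
        if heater_temp is IOERROR or heater_temp >= SW_STOP_C:
            self.stop_reason = "software stop: heater over-temperature or IOError"
            return False
        pv = control_value(supply_temps)
        if pv is None:
            self.stop_reason = "both supply sensors in IOError"
            return False
        self.stop_reason = None
        if not run_order:
            return False             # no Run-order: heater stays off
        # On/off stand-in for the TC2102 PID loop: heat while below the limit.
        return pv < SUPPLY_MIN_C

    def operator_reset(self, ts_closed: bool) -> bool:
        """RESET is only accepted once the thermal switch is healthy again."""
        if ts_closed:
            self.latched = False
        return not self.latched


def heater_powered(plc_cmd: bool, ssr_stuck_closed: bool,
                   contactor_on: bool, ts_closed: bool) -> bool:
    """Power chain breaker -> contactor -> solid state relay -> thermal switch.
    A solid state relay that fails closed conducts regardless of the PLC
    command; the contactor and the thermal switch are the remaining cuts."""
    ssr_conducting = plc_cmd or ssr_stuck_closed
    return contactor_on and ssr_conducting and ts_closed
```

The order of the checks in `scan` is the design choice: the latch is evaluated first, so a sensor in IOError can never mask a tripped thermal switch; the software threshold sits below the hardware one so the PLC trips first and TS2102 stays the last, independent line of defence; and the contactor in `heater_powered` shows why the table adds it for the NO Run-order phase, since with the solid state relay stuck closed the PLC command alone no longer removes power.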
Hazard identification and risk evaluation
P&ID March 2011 and P&ID September 2011 (figures)
Hazard identification and risk evaluation – supplies
Phase / operation for all rows: Normal operation - all option modes

Row 1 - Hazard zone: compressed air supply line in surface building B3184. Component: compressed air line.
 Hazardous event: Stop of the three compressor stations in B3184.
 Hazard: Uncontrolled valve closing.
 Local potential consequences: All pneumatic valves go to the safety position.
 Global potential consequences: The whole system has to be stopped; impossible to continue ATLAS Inner Detector cooling.
 Current measures: Festo pressure switch (Surface Pressure Switch Low). If the compressed air pressure becomes too low the PLC stops receiving the DI signal (DI becomes OFF); the PLC trips the Full Stop Interlock and the whole system is moved to the safety position. The compressed air system is redundant and connected to a UPS.
 Risk: Severity Medium, Probability Very low, level C1.
 Risk reduction: Install a battery of N2 bottles with a hardwired pressure switch. Residual risk: Low, Very low, B1.

Row 2 - Hazard zone: compressed air supply line in underground area USA15. Component: compressed air line.
 Hazardous event, hazard and consequences: as for row 1.
 Current measures: Festo pressure switch (Underground Pressure Switch Low), with the same DI-OFF trip of the Full Stop Interlock; the compressed air system is redundant and connected to a UPS.
 Risk: Severity Medium, Probability Very low, level C1.
 Risk reduction: Install a battery of N2 bottles with a hardwired pressure switch. Residual risk: Low, Very low, B1.

Row 3 - Hazard zone: 24 V DC power supply in the surface control cabinet, B3184. Component: 24 V DC power supplies.
 Hazardous event: Stop of the 24 V DC power supply.
 Hazard: Stop of all 24 V DC commands; unable to read all sensors in the surface area (except temperature sensors, if connected directly to the AI card).
 Local potential consequences: Unable to send any command from the PLC to the actuators.
 Global potential consequences: The whole system has to be stopped; impossible to continue ATLAS Inner Detector cooling.
 Current measures: The PLC monitors the 24 V DC power supply status. The PLC has its own power supply, so in case of failure it can still receive the bad-status signal from the supply.
 Risk: Severity Medium, Probability Very low, level C1.
 Risk reduction: Use redundant 24 V DC power supplies. Residual risk: Minimal, Very low, A1.

Row 4 - Hazard zone: 24 V DC power supply in the underground control cabinet, USA15. Component: 24 V DC power supplies.
 Hazardous event, hazard and consequences: as for row 3, for the sensors and actuators in the underground area.
 Current measures: as for row 3.
 Risk: Severity Medium, Probability Very low, level C1.
 Risk reduction: Use redundant 24 V DC power supplies. Residual risk: Minimal, Very low, A1.
Summary
Considered:
 - 240 hazards
 - 202 hazardous events
 - 76 individual components in 7 groups
 - 98 risk reduction proposals
 - mechanical, electrical and control failures included
 - EDMS 1165951 document under approval
FST risk evaluation before risk reduction (pie chart, share per matrix cell): D1 44%, A2 25%, B1 10%, B2 9%, A1 7%, C1 4%, C2 1%.
FST risk evaluation after risk reduction (pie chart, share per matrix cell): B1 40%, A2 26%, A1 16%, B2 12%, C1 5%, C2 1%.
Medium band [A3, A4, B2, B3, C1, C2, D1]: unacceptable risk, actions are necessary to reduce the risk.