Full Scale Thermosiphon Risk Assessment
Lukasz Zwalinski, PH/DT/PO - Cooling
Thermosiphon workshop §5, 20th October 2011, L. Zwalinski – PH/DT/PO

Introduction
• Document prepared on 23rd of March 2011
• Main references:
  • P&I Diagram and Part List of the Full Scale Thermosiphon, March 2011, EDMS 1101188
  • CERN Safety Guideline OHS-0-0-1 – Risk Assessment, EDMS 1114042
  • ISO 12100 Safety of machinery – General principles for design – Risk assessment and risk reduction, 2010-11-01
  • ISO 31000 Risk management – Principles and guidelines, 2009-11-15
  • ISO/TR 14121-2 Safety of machinery – Risk assessment, 2007-12-15
  • ISO 13849-2 Safety of machinery – Safety related parts of control systems, 2003-08-15

Definitions
• Hazard: the intrinsic property or ability of something (e.g. work materials, equipment, work methods and practices) with the potential to cause harm.
• Hazardous event: an occurrence leading to undesired consequences and arising from the triggering, by one or more initiator events or causes, of one or more hazards.
• Risk: the likelihood that the potential for harm will be attained under the conditions of use and/or exposure, and the possible extent of the harm. Effect of uncertainty on objectives.
• Severity: classification of a failure or undesired event according to the magnitude of its possible consequences.
• Risk assessment: the process of evaluating the risk to the health and safety of workers while at work arising from the circumstances of the occurrence of a hazard at the workplace. Overall process of risk identification, risk analysis and risk evaluation.

Risk assessment process
It is based on a systematic examination of all aspects of work that considers:
• what could cause injury or harm,
• whether the hazards could be eliminated and, if not,
• what preventive or protective measures are, or should be, in place to control the risks.
[OHSAS 18001 Occupational Health and Safety]

Risk assessment activities (ISO 12100:2010)
1. Usage limits: operating phases and procedures (2 kW Thermosiphon); control system (overall architecture); system users (access control)
2. Time limits: continuous operation
3. Space limits: Point 1, USA15, B3184 roof
4. Other limits: properties of cooling fluids
Hazard zones considered:
• Brine circuit (C6F14)
• Brine circuit / main cooling loop
• Vertical liquid line, PX15 and roof of B3184
• By-pass dummy load, USA15
• Detector liquid supply line, USA15
• By-pass, USA15
• Detector vapor return line

Risk estimation (OHS-0-0-1)
The probability of occurrence of harm (occurrence of the hazardous event):
• Very low [1]: extremely unlikely to occur during the task; once per year or less.
• Low [2]: unlikely to occur during the task; more than once per year, at most once per month.
• Medium [3]: an incident may occur during the task; several times per month, at most once per week.
• High [4]: likely to occur several times during the task; several times per week.

The severity of harm:
• Minimal [A]
  People: slight injuries, no treatment needed.
  Environment: not applicable.
  Property: not applicable.
• Low [B]
  People: injuries or temporary, reversible illnesses not resulting in hospitalization and requiring only minor supportive treatment.
  Environment: isolated and minor, but measurable, impact on some component(s) of a public resource.
  Property: minor property damage in the facility.
• Medium [C]
  People: injuries or temporary, reversible illnesses resulting in hospitalization, with a variable but limited period of disability.
  Environment: serious impairment of the functioning of a public resource.
  Property: major property damage in the facility.
• High [D]
  People: death from injury or illness, permanent disability or chronic irreversible illness.
  Environment: permanent or long-term loss of a public resource (drinking water, air, etc.).
  Property: loss of the facility.

Risk evaluation (OHS-0-0-1)
Selected method: risk matrices.
Risk = Probability of occurrence of a hazardous event × Severity of consequences
• Risk estimation: the risk related to the considered hazard is a function of the severity of harm and the probability of its occurrence.
• Risk evaluation: determines whether risk reduction is required. If it is, the appropriate protective measures shall be selected and applied.

Risk matrix (potential severity across, probability of the hazardous event down):

                  Minimal [A]   Low [B]   Medium [C]   High [D]
  Very low [1]    A1            B1        C1           D1
  Low [2]         A2            B2        C2           D2
  Medium [3]      A3            B3        C3           D3
  High [4]        A4            B4        C4           D4

Risk levels and required action:
• Low [A1, A2, B1]: acceptable risk, no actions need to be taken.
• Medium [A3, A4, B2, B3, C1, C2, D1]: unacceptable risk, actions are necessary to reduce the risk.
• High [B4, C3, C4, D2, D3, D4]: unacceptable risk, immediate actions are necessary to reduce the risk promptly.

Hazard identification and risk evaluation example: EH2102
Table columns: phase/operation; hazard zone; user/task/component; component description; hazardous event; hazard; local potential consequences; global potential consequences; current measures; severity, probability, risk level; risk reduction; severity, probability, risk level after reduction.

Phase/operation: Normal operation: Run-order & (Standby OR Run OR Recovery)
Hazard zone: Vertical liquid line, USA15
User/task/component: EH2102
Component description: heater on the liquid supply line, after the vapor cooling heat exchanger and before the by-pass, heating the liquid to ambient temperature to avoid condensation on the way to the detector.
Back-up applying to the rows where the heater fails to heat up the coolant: if the coolant stops circulating, the Evaporative Cooling Compressor Station has to be switched on to continue ATLAS operation and avoid Inner Detector degradation. All compressor station elements should be kept in good condition as the back-up solution in case of serious Thermosiphon damage.

Hazardous events on the heater command path (hazard: fails to heat up coolant):
• Electrical failure – 24 VDC power supply problem. The command signal from the PLC is not reaching the solid state relay; the relay stays open.
• Electrical failure – problem with the coil of the command relay, or the relay switch does not change its position (relay blockage).
• Electrical failure – solid state relay problem.
Local potential consequences: not possible to keep the temperature above 20 °C; condensation on the detector supply line. The temperature after the heater, TT2103, is not changing or stays equal to the temperature before the heater, TT2102; inspection of the control cabinet is required.
Global potential consequences: unable to continue cooling of the Inner Detector; condensation in the detector can damage other electronic systems.
Current measures: 24 VDC power supply status monitored by the status bit read by the PLC and displayed in PVSS. Plant's Start Interlock. Compressor station back-up (above).
Severity Medium, probability Very low, risk level C1.
Risk reduction: install a redundant 24 VDC power supply (Minimal, Very low, A1); add the back-up heater (Minimal, Very low, A1).

Hazardous event: PID control is OFF or fails because the measured value is in IOError; the measured value is the liquid temperature entering the detector and the by-pass, TT2202. This temperature has to be higher than 20 °C to avoid condensation.
Local potential consequences: the controller and heater PVSS widgets will indicate the IOError. The operator has to verify whether any logic-dependent sensor or calculation is in IOError. IOError propagates between related objects: the controller inherits errors from the heater.
Global potential consequences / current measures: compressor station back-up (above).
Severity Medium, probability Low, risk level C2.
Risk reduction: add a second temperature sensor and regulate on the average temperature value. If one of the sensors is in IOError, take it out of the calculation; only if both sensors are in IOError stop the system. (Minimal, Very low, A1)

Hazardous event: Electrical failure – thermal switch TS2102 fails.
Hazard: overheating, burning of insulation and fire.
Local potential consequences: unable to continue cooling of the Inner Detector.
Global potential consequences: in case of fire or serious system damage the whole ATLAS experiment stops.
Current measures: the second and last level of heater protection is the thermal switch installed on the device, which cuts the power supply independently of the PLC command. The thermal switch has its own thermocouple installed inside the heater. In case of this failure an electrical inspection is required, the heater temperature sensor has to be dismounted and the thermal switch replaced; during that period the system has to be stopped.
Severity High, probability Very low, risk level D1.
Risk reduction: software stop interlock which stops the command from the PLC, with the temperature threshold set lower than the thermal switch threshold. An additional thermocouple should be installed in the heater to detect over-temperature before the thermal switch trips. Thermal switch feedback to the PLC. Additionally, a SET/RESET interlock condition on the thermal switch status: if thermal switch overheating is detected the interlock trips; when the cause of the interlock disappears the interlock stays ON until the operator resets it. No auto-recovery after a thermal switch problem. (Low, Very low, B2)

Hazardous event: Electrical failure – differential circuit breaker trip, residual current detection.
Hazard: touching live parts, electric shock.
Local potential consequences: not possible to keep the temperature above the saturation temperature of the return vapor; condensation on the return line.
Global potential consequences: unable to continue cooling of the Inner Detector.
Current measures: circuit breaker status is continuously monitored by the PLC. The PLC triggers a stop interlock, which is displayed in PVSS and blocks the command. Electrical inspection and system stop are necessary.
Severity High, probability Very low, risk level D1.
Risk reduction: the heater is housed in a screwed metallic cover protecting the user from touching live parts during normal operation. Circuit breaker monitoring and heater stop interlock. (Low, Very low, B1)

Hazardous event: Electrical failure – circuit breaker trip, overload.
Hazard: burning of insulation.
Current measures: circuit breaker status is continuously monitored by the PLC. The PLC triggers a stop interlock, which is displayed in PVSS and blocks the command.

Phase/operation: Normal operation: NO Run-order
Hazard zone: Vertical liquid line, USA15
User/task/component: EH2102 (component description as above)
Hazard for both rows below: fails to OFF, burning of insulation.

Hazardous event: Electrical failure – problem with the coil of the command relay, or the relay switch does not change its position (relay blockage).
Local potential consequences: unnecessary heating during the stop period. Danger of overheating, burning of insulation and fire if the PLC and the thermal switch fail and there is no coolant circulation.
Global potential consequences: unable to restart cooling of the Inner Detector. In case of fire or serious system damage the whole ATLAS experiment has to be stopped until all required repairs are complete.
Current measures: the second and last level of heater protection is the thermal switch installed on the device, which cuts the power supply independently of the PLC command; it has its own thermocouple inside the heater. In case of this failure an electrical inspection is required, the heater temperature sensor has to be dismounted and the thermal switch replaced; during that period the system has to be stopped.
Severity High, probability Very low, risk level D1.
Risk reduction: software stop interlock with an additional heater thermocouple, thermal switch feedback to the PLC and the latched SET/RESET interlock with no auto-recovery, as proposed for the TS2102 failure above. (Low, Very low, B2)

Hazardous event: Electrical failure – solid state relay problem.
Local potential consequences: unable to switch off the heater. The heater is out of use and the temperature of the vapor after the internal heat exchanger cannot be controlled; the EH2102 temperature controller TC2102 is unable to perform correct PID control.
Current measures: the power to the heater has to be stopped and the solid state relay replaced. This requires a control cabinet inspection and solid state relay replacement; for safety reasons the system should be stopped.
Risk reduction: an additional contactor, called "heater power ON", placed before the solid state relay; it switches the power circuit between the solid state relay and the circuit breaker. (Low, Very low, B1)

Hazard identification and risk evaluation – P&ID
• P&ID March 2011
• P&ID September 2011
(diagrams)

Hazard identification and risk evaluation – supplies
Phase/operation: Normal operation – all option modes

Hazard zone / component: compressed air line – compressed air supply line in surface building B3184
Hazardous event: stop of the three compressor stations in B3184.
Hazard: uncontrolled valve closing.
Local potential consequences: all pneumatic valves go to their safety position.
Global potential consequences: the whole system has to be stopped; impossible to continue ATLAS Inner Detector cooling.
Current measures: Festo pressure switch (Surface Pressure Switch Low): if the compressed air pressure becomes too low the PLC stops receiving the DI signal (DI becomes OFF); the PLC trips the Full Stop Interlock and the whole system is moved to its safety position. The compressed air system is redundant and connected to a UPS.
Severity Medium, probability Very low, risk level C1.
Risk reduction: install a battery of N2 bottles with a hardwired pressure switch. (Low, Very low, B1)

Hazard zone / component: compressed air line – compressed air supply line in underground area USA15
Hazardous event, hazard and consequences: as for the surface line above.
Current measures: Festo pressure switch (Underground Pressure Switch Low): if the compressed air pressure becomes too low the PLC stops receiving the DI signal (DI becomes OFF); the PLC trips the Full Stop Interlock and the whole system is moved to its safety position. The compressed air system is redundant and connected to a UPS.
Severity Medium, probability Very low, risk level C1.
Risk reduction: install a battery of N2 bottles with a hardwired pressure switch. (Low, Very low, B1)

Hazard zone / component: 24 VDC power supplies – 24 VDC power supply in the surface control cabinet, B3184
Hazardous event: stop of the 24 VDC power supply.
Hazard: stop of all 24 VDC commands; unable to read any sensor in the surface area (except temperature sensors, if connected directly to an AI card). Unable to send any command from the PLC to the actuators.
Global potential consequences: the whole system has to be stopped; impossible to continue ATLAS Inner Detector cooling.
Current measures: the PLC monitors the 24 VDC power supply status. In case of failure the PLC has its own power supply and can receive the bad-status signal from the power supply.
Severity Medium, probability Very low, risk level C1.
Risk reduction: use redundant 24 VDC power supplies. (Minimal, Very low, A1)

Hazard zone / component: 24 VDC power supplies – 24 VDC power supply in the underground control cabinet, USA15
Hazardous event: stop of the 24 VDC power supply.
Hazard: stop of all 24 VDC commands; unable to read any sensor in the underground area (except temperature sensors, if connected directly to an AI card). Unable to send any command from the PLC to the actuators.
Global potential consequences: the whole system has to be stopped; impossible to continue ATLAS Inner Detector cooling.
Current measures: the PLC monitors the 24 VDC power supply status. In case of failure the PLC has its own power supply and can receive the bad-status signal from the power supply.
Severity Medium, probability Very low, risk level C1.
Risk reduction: use redundant 24 VDC power supplies. (Minimal, Very low, A1)

Summary
Considered:
• 240 hazards
• 202 hazardous events
• 76 individual components in 7 groups
• 98 risk reduction proposals
• mechanical, electrical and control failures included
• EDMS 1165951 document under approval

FST risk evaluation before and after risk reduction (share of hazardous events per matrix cell, from the two pie charts):

  Cell   Before   After
  A1       7%      16%
  A2      26%      25%
  B1      10%      40%
  B2       9%      12%
  C1       4%       5%
  C2       1%       1%
  D1      44%      not listed

Medium [A3, A4, B2, B3, C1, C2, D1]: unacceptable risk, actions are necessary to reduce the risk.
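The risk matrix evaluation method above, and the before/after distribution in the summary, as an added example (not part of the original presentation): it encodes the OHS-0-0-1 matrix as the slides use it, recomputes the cell for EH2102 entries taken from the run-order table, checks the recorded cell against the computed one, and tallies the distribution the way the summary charts do. The hazard list is constructed from the page's values.

```python
"""Risk matrix of CERN guideline OHS-0-0-1 as used on the slides: severity class
A-D x probability class 1-4, levels Low = {A1, A2, B1}, Medium = {A3, A4, B2, B3,
C1, C2, D1}, High = the rest. Hazards below are constructed from the EH2102 table."""
from collections import Counter

SEVERITY = {"Minimal": "A", "Low": "B", "Medium": "C", "High": "D"}
PROBABILITY = {"Very low": 1, "Low": 2, "Medium": 3, "High": 4}
LEVELS = {"Low": {"A1", "A2", "B1"},
          "Medium": {"A3", "A4", "B2", "B3", "C1", "C2", "D1"}}
ACTION = {"Low": "acceptable risk: no action needed",
          "Medium": "unacceptable risk: actions necessary",
          "High": "unacceptable risk: immediate actions necessary"}

def risk_cell(severity, probability):
    """Matrix cell such as 'C1' from the named severity and probability classes."""
    return f"{SEVERITY[severity]}{PROBABILITY[probability]}"

def risk_level(cell):
    """Low or Medium per the guideline's lists; every other cell is High."""
    return next((lvl for lvl, cells in LEVELS.items() if cell in cells), "High")

# (hazardous event, (severity, probability, recorded cell) with current measures,
#  (severity, probability, recorded cell) after the proposed risk reduction)
EH2102 = [
    ("24 VDC supply problem, relay stays open", ("Medium", "Very low", "C1"), ("Minimal", "Very low", "A1")),
    ("PID control OFF, TT2202 in IOError", ("Medium", "Low", "C2"), ("Minimal", "Very low", "A1")),
    ("thermal switch TS2102 fails", ("High", "Very low", "D1"), ("Low", "Very low", "B2")),
    ("differential breaker trip, live parts", ("High", "Very low", "D1"), ("Low", "Very low", "B1")),
]

def evaluate(hazards):
    """Recompute each cell from its classes, compare it with the recorded cell, and
    check that the proposal leaves an acceptable (Low) residual risk."""
    rows = []
    for event, before, after in hazards:
        c_now, c_after = risk_cell(*before[:2]), risk_cell(*after[:2])
        rows.append({"event": event, "before": c_now, "after": c_after,
                     "level_before": risk_level(c_now), "level_after": risk_level(c_after),
                     "action": ACTION[risk_level(c_now)],
                     "consistent": (c_now, c_after) == (before[2], after[2]),
                     "accepted": risk_level(c_after) == "Low"})
    return rows

def distribution(hazards, stage):
    """Percent of hazards per cell, like the summary pie charts (stage 1 = before, 2 = after)."""
    counts = Counter(risk_cell(*h[stage][:2]) for h in hazards)
    return {cell: round(100 * n / len(hazards)) for cell, n in counts.items()}
```

The consistency check flags the thermal switch row as printed on the slide: Low severity with Very low probability is cell B1 in the matrix, while B2 is recorded.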
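The EH2102 risk reduction proposals (software stop interlock below the thermal switch threshold, thermal switch feedback, latched SET/RESET interlock with no auto-recovery, and the two-sensor rule for the TT2202 measurement) as an added example, not the project's PLC or PVSS code; the threshold values and the handling of a heater thermocouple in IOError are assumptions.

```python
"""Heater protection logic from the EH2102 risk reduction column: a software stop
interlock that trips below the thermal switch threshold, thermal switch feedback,
a SET/RESET latch cleared only by the operator, and the two-sensor averaging rule."""
from typing import Optional

SOFT_TRIP_C = 60.0        # assumed placeholder: software stop interlock threshold
THERMAL_SWITCH_C = 80.0   # assumed placeholder: thermal switch trip point
assert SOFT_TRIP_C < THERMAL_SWITCH_C  # the proposal puts the software threshold below the switch

def regulated_value(t_a: Optional[float], t_b: Optional[float]) -> Optional[float]:
    """Average of two sensors; a sensor in IOError (None) is taken out of the calculation.
    Returns None only when both are in IOError, which is the 'stop the system' case."""
    good = [t for t in (t_a, t_b) if t is not None]
    return sum(good) / len(good) if good else None

class HeaterStopInterlock:
    """SET/RESET stop interlock: set by over temperature or thermal switch feedback, it
    stays ON after the cause disappears until an operator reset (no auto-recovery)."""
    def __init__(self) -> None:
        self.tripped = False
        self.cause = ""

    def scan(self, heater_temp: Optional[float], thermal_switch_ok: bool, run_order: bool) -> bool:
        """One PLC cycle: returns True if the heater command may pass to the relay."""
        if not thermal_switch_ok:
            self._set("thermal switch tripped")
        elif heater_temp is None or heater_temp >= SOFT_TRIP_C:
            # assumed: the added heater thermocouple in IOError is treated as over temperature
            self._set("heater over temperature")
        return run_order and not self.tripped

    def _set(self, cause: str) -> None:
        if not self.tripped:
            self.tripped, self.cause = True, cause

    def operator_reset(self, heater_temp: Optional[float], thermal_switch_ok: bool) -> bool:
        """Operator RESET, accepted only once the cause is gone. Returns True if cleared."""
        if thermal_switch_ok and heater_temp is not None and heater_temp < SOFT_TRIP_C:
            self.tripped, self.cause = False, ""
        return not self.tripped

def run_trace(samples):
    """Constructed trace of (heater_temp, thermal_switch_ok) with run-order present;
    returns the heater command state per cycle, showing the latch holding after cool-down."""
    interlock = HeaterStopInterlock()
    return [interlock.scan(temp, ok, True) for temp, ok in samples]
```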