Engineered and Administrative Safety Systems for the Control of Prompt Radiation Hazards at Accelerator Facilities
James C. Liu ([email protected]), Stanford Linear Accelerator Center (SLAC)
Vashek Vylet, Thomas Jefferson National Accelerator Facility (TJNAF)
Lawrence S. Walker, Los Alamos National Laboratory (LANL)
1

Radiation Safety System (RSS)
• RSS: Engineered and/or administrative safety systems to monitor, mitigate and control prompt radiation hazards.
• RSS = ACS + RCS
• ACS keeps people away from radiation
  – Ropes, signs, barrier and access controls
• RCS keeps radiation away from people
  – Shielding, beam and radiation interlocks
2

ANSI N43.1 Standard Draft
• N43.1 Standard “Radiation safety for the design and operations of particle accelerators”, American National Standards Institute (2008?)
• Chapters 4, 5 and 6 of the N43.1 Standard draft, as well as some U.S. regulations and standards, are the main basis for this presentation.
3

N43.1 Committee
• Ted de Castro (LBNL)
• Roger Kloepping (LBNL)
• Robert May (TJNAF)
• Norman Rohrig (INEEL)
• Olin Van Dyck (LANL)
• Paula Trinoskey (LLNL)
• John Drozdoff (TRIUMF, Canada)
• Albert Evans (DOE)
• Wesley Dunn (Texas DHS)
• Vashek Vylet (Duke University)
• Larry Larson (Sematech)
Reviewers
• DOE
• NRC
• states
• CAMD
• FNAL
• CERN
• KEK, JAPRC
• PAL
• NSRRC, AEC
4

Disclaimer
• N43.1 Standard is not yet approved. Requirements (shall) and recommendations (should) in this chapter should not be quoted as official ANSI positions.
• Authors take full responsibility for any errors of this chapter and any discrepancies with the N43.1 standard.
• Contributions by N43.1 members and the reviewers are acknowledged.
5

Goals of Presentation
• Successful RSS needs a multidisciplinary team
• Presented from a health physicist’s, not a system engineer’s, perspective
• Health physicist roles for RSS
  – Analyze radiation hazards; develop policies, requirements and procedures for systems
  – For interlocked systems
    • Review and/or approve design, changes, use, and associated operating and testing procedures
    • Design, install and/or maintain the systems, if limited facility size
6

Contents
• U.S. regulations and standards
• Radiation Safety System (RSS)
• Access Control System (ACS)
• Radiation Control System (RCS)
• Examples of RSS policies and practices at some accelerator facilities
7

U.S. Federal and State Regulations
• 10CFR20 “Standards for protection against radiation”, U.S. NRC (1991)
• NUREG-1736 “Consolidated guidance for 10CFR20”, U.S. NRC (2001)
• CRCPD Suggested State Regulations (SSR) “Radiation safety requirements for particle accelerators” (1991)
8

U.S. DOE Regulations
• 10CFR835 “Occupational radiation protection” (1998, 2007)
• DOE O 420.2B “Safety of accelerator facilities” (2004)
• DOE G 420.2.1 “Implementation guide for DOE O 420.2B” (2005)
• DOE G 441.5-5 “Radiation-generating devices guide for use with 10CFR835” (1999)
9

Main U.S. Standards
• NCRP-88 “Radiation alarms and access control systems” (1986)
• ANSI N43.3 “American National Standard for general radiation safety - installations using nonmedical X-ray and sealed gamma-ray sources, energies up to 10 MeV” (1993, in revision)
• IEC-61508 “Functional safety of electrical, electronic, programmable electronic safety-related systems” (1998)
• ANSI/ISA-84.01/IEC-61511 “Functional safety - Safety instrumented systems for the process industry sector” (1996, 2004); does not cover nuclear power facilities
10

Radiation Safety System (RSS)
Systems that Protect People from Prompt Radiation Hazards
11

Radiation Safety System (RSS)
• RSS is defined as a combination of engineered (passive and active elements) and/or administrative safety systems to monitor, mitigate and control prompt radiation hazards in a graded approach.
• Technical, operational and management aspects
• RSS = ACS + RCS
  – ACS keeps people away from radiation
  – RCS keeps radiation away from people
12

ACS and RCS
• Access Control System (ACS)
  – Ropes and warning signs
  – Door or gate with locks
  – Interlocked access control
  – Beam inhibiting devices (BID)
• Radiation Control System (RCS)
  – Passive systems: shielding, fence
  – Active systems: beam interlocks and radiation interlocks
13

Facility Safety Assessment and Controls
• Identify accelerator beam parameters, facility operation modes (normal and abnormal beam losses), and personnel occupancy
• Analyze associated radiation hazards
• Develop RSS requirements for risk mitigation and controls
• Define Safety Envelope and Operation Envelope
• Experience from peer labs
14

15

RSS Interlock Functional Relationship (figure; labels: INPUT: Area Secure Signal, Radiation Detectors; logic blocks: Access Control System Logic, Radiation Control System Logic; OUTPUT: Beam Inhibiting Devices, Warnings, Operate Permission, Area Safe Signal)
16

RSS Interlock Design Considerations
• ACS versus RCS (hazards and mitigation)
• Both preventive and reactive system types
• Develop system functional specification (what)
• Develop system integrity specification (well)
17

RSS Interlock Design Considerations
• Reliable and high performance
  – No single-point failures (redundancy)
  – No common-mode failures (separation and diversification)
  – Sufficiently fast response time
  – Protection for harsh environment (radiation, humidity, temperature, vibration, power, etc.)
  – Negligible false or nuisance trips
18

RSS Interlock Design Considerations
• Testability
• Simple and modular design
• Tamper resistance (e.g., concealed door microswitches; protected devices, cables and equipment; locked cabinets)
• Ergonomic (easy to use and understand, prevent human error, interface)
• Life-time cost and resource
19

RSS Interlock Design Considerations
• Interlocked-type ACS (and active RCS) are dormant systems, i.e., no response or action under normal conditions
• Self-checking
• Fail-safe
20

Fail-safe Design
• Definition: One in which the credible failure modes leave the system in a safe condition
• Examples of failure:
  – Loss of AC or DC power
  – Loss of air pressure
  – Open or short circuit
  – Ground fault
  – Likely circuit element failure modes
    • Relay: coil burnout
    • PLC: software bug, uncertain
21

Engineered RSS Operational Requirements and Guidance
• Quality assurance (QA) program
  – Components, workmanship
  – Design, installation, testing, commissioning and operations
• Configuration control (CC) program
• Maintenance, repair and modification program
• Periodic certification and check programs
• Safety systems independent and separated from non-safety systems
22

Engineered RSS Operational Requirements and Guidance
• Trained, qualified and authorized individuals
• System readiness review
• Document and record management program (transferable and auditable)
• Self assessment
• Peer (internal and external) review
23

RSS for Non-Beam Radiation
• Radiation from dark current due to HV and/or RF fields (e.g., cavity, klystron)
• Exposure from induced
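The design points of slides 18 through 21 (no single-point failure, dormant operation, self-checking, fail-safe on loss of power or open circuit) can be made concrete in code. The Python model below is an added example written for this page; it is not code from the talk or from any of the laboratories named, and the signal names, the split into two chains and the choice of beam inhibiting devices are assumptions made for illustration. Every input is read as a positive "proven safe" assertion, so a lost signal is treated exactly like an unsafe report and drops the permit; each chain holds its own BID, so one chain faulting is enough to remove beam; and the exercise function models the test-button check that each redundant path really trips.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A safety input is read as a positive "proven safe" assertion (energize-to-permit):
#   True  -> the sensor positively reports the safe state (door microswitch circuit closed,
#            area secure sweep complete, detector reading below its limit)
#   False -> the sensor reports an unsafe state
#   None  -> the signal is lost (open circuit, loss of AC/DC power, ground fault, coil burnout)
# Only True permits; False and None both trip, which is what makes the chain fail-safe.
Signal = Optional[bool]
SAFE: Signal = True
UNSAFE: Signal = False
LOST: Signal = None


@dataclass
class InterlockChain:
    """One independent chain: its own sensors, its own logic, its own beam inhibiting device."""
    name: str
    bid: str                                   # the BID this chain de-energizes (assumed name)
    inputs: Dict[str, Signal] = field(default_factory=dict)

    def permit(self) -> bool:
        # Permission exists only while every input is positively safe; the system is dormant
        # under normal conditions and trips on any deviation, including a missing signal.
        return all(value is True for value in self.inputs.values())


@dataclass
class RSSInterlock:
    """Two (or more) chains wired so that beam needs every BID released."""
    chains: List[InterlockChain]

    def beam_allowed(self) -> bool:
        # No single-point failure: one chain dropping its BID is enough to remove beam.
        return all(chain.permit() for chain in self.chains)

    def tripped_bids(self) -> List[str]:
        return [chain.bid for chain in self.chains if not chain.permit()]


def exercise_path(rss: RSSInterlock, chain_name: str, input_name: str) -> bool:
    """Test-button style self-check: force one input on one chain to unsafe, confirm that the
    chain drops its BID and that the beam permit is gone, then restore the input."""
    chain = next(c for c in rss.chains if c.name == chain_name)
    saved = chain.inputs[input_name]
    chain.inputs[input_name] = UNSAFE
    tripped = (not chain.permit()) and (not rss.beam_allowed())
    chain.inputs[input_name] = saved
    return tripped


def build_sample_rss() -> RSSInterlock:
    # Constructed sample: two chains watching the same hazard through separate sensors,
    # each holding a different BID (separation and diversification against common-mode failure).
    chain_a = InterlockChain("A", "gun high-voltage supply", {
        "door microswitch A": SAFE, "area secure A": SAFE, "detector A below limit": SAFE})
    chain_b = InterlockChain("B", "beam safety shutter", {
        "door microswitch B": SAFE, "area secure B": SAFE, "detector B below limit": SAFE})
    return RSSInterlock([chain_a, chain_b])


if __name__ == "__main__":
    rss = build_sample_rss()
    print("normal operation, beam allowed:", rss.beam_allowed())
    rss.chains[0].inputs["door microswitch A"] = LOST   # cable cut or power lost on chain A
    print("after lost signal, beam allowed:", rss.beam_allowed(), "tripped:", rss.tripped_bids())
    rss.chains[0].inputs["door microswitch A"] = SAFE
    print("chain B exercised correctly:", exercise_path(rss, "B", "detector B below limit"))
```

The choice of `None` for a lost signal is the point of the model: a relay chain built with de-energize-to-trip logic gets this behaviour from the physics of the circuit, and a PLC-based chain has to reproduce it explicitly, which is why the slides call out the PLC's failure modes as uncertain.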
radioactivity in machine components (e.g., beam stops, collimators)
• Shielding to reduce activation of air, soil, groundwater
• Engineered controls for exposure to activated air
24

RSS Interlock Bypass or Variance
• Governed by policies and procedures
• Justified
• Alternative protection, e.g., radiation source inhibited, tight administrative controls
• Written approval via authorized channels
• Detailed documentation
• Affected systems or areas posted
• Involved parties communicated
• Normal interlocks restored and verified ASAP
25

RSS Accident
• 1982, a fatal exposure to a Co-60 irradiator in Norway (due to a series of 5 failures!)
• Conveyor belt jammed at night (failure #1)
• Sources failed to automatically retract into the shielded position (failure #2).
• First person arriving at work in the morning found a green indicator light (failure #3) and an unlocked interlocked door (failure #4). An interlocked radiation monitor normally located in the maze was out for repair (failure #5).
26

27

Access Control System (ACS)
Control Personnel Occupancy in Areas with Prompt Radiation above the Acceptable Levels
28

29

N43.1 Access Control System (ACS)
• Entry and access control modules
  – Enclosures (ropes and/or barriers)
  – Personnel entry gates
  – Warnings and signs
  – Communication and monitoring features
  – Exclusion Area (> 10 mSv/h) needs Area Secure System
  – Emergency response features
30

ACS Entry Module
31

N43.1 Access Control System (ACS)
• Beam Inhibiting Devices (BID)
  – Power supply for gun or RF, beam safety shutter, electromagnet, etc.
  – Normal access control function
  – Fault-response beam removal function
32

ACS Mechanical BID (Beam Shutters)
33

N43.1 ACS Graded Approach
Table columns, each listed from the lowest to the highest dose category:
• Dose in 1 h (mSv) / Dose Category: 0.05–1 Minimum; 1–10 Low; 10–100 Moderate; > 100 High
• Start-up Warning: None; Visible & Audible; Visible/Audible, Emergency Off
• Enclosure: Rope; Barrier
• Personnel Entryway Gate: No Restriction; Locked or Interlocked; Locked, Interlock Also Required; Locked & Interlocked
• Area Secure System: Not Required; Recommended; (Exclusion Area)
Notes:
1) Tighter than NCRP-88.
2) Access to areas ≤ 0.05 mSv/h is governed by general RPP.
3) Interlock redundancy is required for High dose category.
34

Additional Functional Requirements for Interlock-type ACS
• Redundancy via independent chains (from sensors to control devices)
• A single mechanical beam shutter is acceptable.
• Reliability, maintainability, testability, simplicity
• Interlocks not used as normal on-off devices
• Must have a manual emergency shutdown mode to override interlocks
35

Certification and Checks for Interlocked-type ACS
• Extensive certification and check programs are needed and shall be developed.
• Certification, check and maintenance shall be conducted following formal, written procedures by authorized personnel.
• Activities shall be properly documented.
36

ACS Certification
• Prior to accelerator commissioning or major ACS changes, system certified to meet safety requirement specifications via acceptance test
  – Performance of sensors, logic, and control elements
  – All functions of the logic (including unintended and bypass functions)
  – Potential failure modes from errors in system design or implementation, and component failures
37

ACS Certification
• Before accelerator operation past one year following the last successful annual certification, the ACS hardware/software and functionality shall be certified to operate as intended.
• Before restarting operation following ACS modification, repair or maintenance, the potentially affected portions shall be certified.
• Certification shall be end-to-end, i.e., from inputs to outputs.
• May be the same as system acceptance test, particularly for small systems
38

ACS Checks
• More frequent and periodic checks by Operations or authorized individuals should be implemented for critical system components that are subject to accidental damage or potential failures caused by frequent use or presence in a harsh physical environment
  – Micro-switches
  – Emergency-off
  – Keybank
39

ACS for Simple Accelerator Facility (figure; labels: Radiation Therapy Linac; Emergency Exit; Video Cameras; Operator console, EO, Status Light; Radiation Detectors; Emergency Off; Interlocked and locked door)
40

Function Logic for Detector and Door Interlocks
41

42

Radiation Control System (RCS)
Control Prompt Radiation in Occupiable Areas Not Exceeding the Acceptable Levels under both Normal and Abnormal Accelerator Operation Conditions
43

44

Radiation Control System (RCS)
• Passive systems
  – Shielding (bulk and local) and fence
• Active systems
  – Beam interlocks
  – Radiation detector interlocks
  – Should follow the same general requirements as interlocked-type ACS (redundancy, fail-safe, and testability)
45

RCS Performance Requirements: Normal Operations (within Operation Envelope)
• RCS ensures dose rates as in Table 5.1
• Shielding design criteria
  – 20% of dose limit for radiological workers
  – 1 mSv/y for general employee
  – 0.1 mSv/y (7200 h/y) for off-site doses
  – Observe ALARA principle
46

RCS Performance Requirements: Abnormal Operations
• Exposure analysis for maximum credible beam losses throughout facility (capabilities of accelerator systems, modes of operation, and the RSS features; peer lab experience)
• Dose per unlikely event ≤ 10 mSv
• Layers of hazard controls (higher levels of radiation risk are mitigated by increasing layers of safety controls)
47

Passive versus Active RCS
• Normal beam losses shall be addressed by passive systems.
• Abnormal beam losses or operations shall be controlled by passive and/or active systems.
• Balance between passive and active systems (passive systems are preferred)
• Probabilistic Risk Analysis (PRA) with performance data should be made when active RCS play extensive or critical roles.
48

RCS Passive Systems
• Shielding and/or fences
• Conservative shielding design for both normal (allowed beam power) and abnormal (maximum credible beam power) operations
• Designed or reviewed by safety professional
• Verification survey for normal and likely abnormal beam losses
• Configuration control program is crucial
49

RCS Active Systems
• Monitors/limiters for beam energy, beam current and beam losses
• Electronic system may include:
  – A beamline transducer, e.g., current toroid, secondary emission monitor, beam position monitor, repetition rate monitor, ion chamber or meter relay
  – An electronic processing module that integrates or counts beam current pulses
  – A beam shut-off circuit connected to beam shutters, RF sources or high-voltage supplies
50

RCS Active Systems
• Protection for mechanical beamline safety devices that have power ratings below the Allowed Beam Power
  – Coolant flow switches
  – Temperature sensors
  – Vacuum pressure sensors
  – Ionization chambers
  – Burn-Through Monitor (BTM), a pressurized chamber that ruptures on over-heating
51

RCS Active Systems
• Radiation detectors
  – Inside accelerator housing and/or in occupiable areas
  – Effects on detector response in pulsed radiation fields, the RF/magnetic field interference, and radiation damage
  – Current-mode ionization chamber is generally the choice
52

Active RCS Field Devices (figure)
• Sensors: radiation, current, voltage, temperature, pressure, flow, etc.
• Logic: redundant relay and/or PLC
• Control elements: power supplies, trigger, shutter, valve (switches)
• Wiring: accounts for 90% of safety system failures!
53

Some Active RCS Considerations
• Selection of sensors and final elements
• Sensor response accuracy and calibration
• Different action levels
  – Warning to mitigate radiation
  – Trip to terminate beam (particularly for critical applications)
• Self-checking and Fail-safe
• Interfaces for Operator and with non-safety systems
54

Active RCS Certification and Test
• Annual system certification and calibration
• Regular and frequent verification of active and operational status during operation
• Self-test provisions, e.g.,
  – Keep-alive radioactive source
  – Housekeeping pulses through toroid windings
  – Test buttons provided so that each redundant path can be fully exercised
55

ACS versus Active RCS
• ACS failure ⇒ radiation hazard
  – Door or BID interlocks fail ⇒ high radiation
• Active RCS failure + abnormal machine performance ⇒ radiation hazard
  – Detector fails + abnormal beam loss ⇒ high radiation
• Implications: self-diagnosis, redundancy and fail-safe
• Beam shutters are ACS and RCS
• Concept of safety critical device or system
56

RCS Administrative Controls
• Supplement the passive and active systems in low-hazard conditions
• Configuration control (SLAC uses RSWCF)
• Operation control
• Machine parameters (beam energy, beam current, number of integrated beam particles, pulses, and particle type) should be controlled by administrative means (computer control or operating procedures), if not by engineered means
• Safety credit?
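Three of the active-RCS points above fit one small model: the electronic processing module that integrates beam current pulses from a toroid (slide 50), the separate warning and trip action levels (slide 54), and the keep-alive source that turns a dormant radiation detector into a self-checking one (slide 55). The Python below is an added example written for this page, not code from the talk or any facility; the action levels, the allowed charge per window and the pulse train are constructed values chosen only to show the logic. The detector check treats a reading below the keep-alive floor as a failed detector and trips, which is the fail-safe answer to the "detector fails + abnormal beam loss" case on slide 56.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple

OK, WARN, TRIP = "ok", "warning", "trip"


@dataclass(frozen=True)
class DetectorLimits:
    """Action levels for one current-mode ionization chamber, in mSv/h."""
    warn_level: float        # warning: alert the operator and start mitigating
    trip_level: float        # trip: terminate the beam through the shut-off circuit
    keep_alive_floor: float  # the keep-alive source alone must produce at least this reading


# Constructed sample limits for the example; not values from the talk or from any facility.
SAMPLE_LIMITS = DetectorLimits(warn_level=0.5, trip_level=2.0, keep_alive_floor=0.01)


def evaluate_detector(reading: Optional[float], limits: DetectorLimits) -> Tuple[str, str]:
    """Classify one detector reading. The keep-alive source makes the dormant detector
    self-checking: a healthy chamber never reads below keep_alive_floor, so a missing or
    too-low reading means the detector has failed and is treated as a trip (fail-safe)."""
    if reading is None or reading < limits.keep_alive_floor:
        return TRIP, "detector self-check failed: no keep-alive response"
    if reading >= limits.trip_level:
        return TRIP, "dose rate at or above trip level"
    if reading >= limits.warn_level:
        return WARN, "dose rate at or above warning level"
    return OK, "within limits"


class BeamChargeIntegrator:
    """Electronic processing module for a current toroid: sums the charge of the pulses that
    fall inside a sliding time window and trips when the sum exceeds the allowed charge."""

    def __init__(self, window_ms: int, allowed_charge_nC: float):
        self.window_ms = window_ms
        self.allowed_charge_nC = allowed_charge_nC
        self._pulses: Deque[Tuple[int, float]] = deque()  # (time_ms, charge_nC)

    def add_pulse(self, time_ms: int, charge_nC: float) -> str:
        self._pulses.append((time_ms, charge_nC))
        # Drop pulses that have slid out of the window (integer milliseconds avoid float drift).
        while self._pulses and self._pulses[0][0] < time_ms - self.window_ms:
            self._pulses.popleft()
        return TRIP if self.integrated_charge_nC() > self.allowed_charge_nC else OK

    def integrated_charge_nC(self) -> float:
        return sum(charge for _, charge in self._pulses)


def run_sample_pulse_train() -> List[Tuple[int, str]]:
    """Constructed pulse train: 10 Hz at 1 nC per pulse for one second, then 5 nC pulses,
    against an allowed 10 nC per 1 s window. Returns (time_ms, status) for every pulse."""
    integrator = BeamChargeIntegrator(window_ms=1000, allowed_charge_nC=10.0)
    results = []
    for i in range(12):
        time_ms = i * 100
        charge = 1.0 if i < 10 else 5.0
        results.append((time_ms, integrator.add_pulse(time_ms, charge)))
    return results


if __name__ == "__main__":
    for reading in (0.1, 0.7, 2.5, 0.0, None):
        print(reading, evaluate_detector(reading, SAMPLE_LIMITS))
    for time_ms, status in run_sample_pulse_train():
        print(f"t={time_ms:5d} ms  {status}")
```

The integrator trips on the eleventh pulse, the first one that pushes the one-second sum past the allowed charge; that is the "trip to terminate beam" level, while the detector path shows the softer "warning" level sitting below it.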
57

Machine Protection System (MPS)
• Protect beamline components where radiation damage or overheating would not result in personnel hazards
• Electronic systems to monitor beam parameters, operational modes, beam loss conditions, machine performance, etc.
• MPS is in general less rigorous and controlled than RCS
• MPS credit as active RCS (MPS may provide early detection and prevention/mitigation for events that may otherwise trigger RCS)
58

Summary
• Facility needs formal, written policies and procedures to analyze hazards, and to develop and operate RSS in a graded approach
• SAD, Safety Envelope, Operation Envelope
• ACS and RCS: consistency and balance
• Life-cycle concept covering technical, operational and management aspects
• Personnel responsibilities and training
• Documentation of activities
• Peer review and improvement for systems and program
59

Some Laboratory Reports
• SLAC Report 327 “Health physics manual of good practices for accelerator facilities” (1988)
• SLAC “Radiation safety systems, technical basis document” (2006)
• TJNAF “Jefferson Lab Personnel Safety System, systems requirement specification” (2007)
• TRIUMF “Radiation safety system at TRIUMF” (2001)
• LANL “Accelerator Access-Control Systems” LS107-01.1 (1993)
60

Some References
• IAEA Report 188 “Radiological safety aspects of the operation of electron accelerators” (1979)
• IAEA Report 283 “Radiological safety aspects of the operation of proton accelerators” (1988)
• NCRP Report 144 “Radiation protection for particle accelerator facilities” (2005)
61

Useful ACS Standards
• IEC-880 “Software for computers in the safety systems of nuclear power plants” (1986) and its supplements
• EWICS TC-7 Position Paper 6012 “Guidelines for the use of programmable logic controllers in safety-related systems” (1998)
• IEC-61508 “Functional safety of electrical, electronic, programmable electronic safety-related systems” (1998)
• ANSI/ISA-84.01/IEC-61511 “Functional safety - Safety instrumented systems for the process industry sector” (1996, 2004)
62

Some Questions for Interlocked-type RSS
• What technology should be used: relay or PLC?
• Which system is safer: dual 1oo2 or triple 2oo3?
• How often should systems be certified or tested?
• What types of documentation are needed?
• How can peer labs’ safety system performance or experience be used?
• How to strike the balance in satisfying so many sometimes competing or conflicting requirements?
• What kind of safety culture is needed?
63

Computer-Based Logic Systems
• Use Programmable Logic Controllers (PLCs), instead of relays, to perform logic functions and monitor status signals associated with entry control
• Benefits: ease of use, handle complex and extensive logic requirements, good immunity to electrical interference, provide automatic documentation of the logic
64

Computer-Based Logic Systems
• Safety-rated PLC systems shall be used.
• Redundancy should be achieved by using independent PLC systems and may involve different programmers.
• Software program requirements shall follow a determined set of specifications.
• Watchdog timers shall be incorporated into internal processor and external systems.
• High modularity and testability
• Protection from radiation damage
65

Computer-Based Logic Systems
• Software program QA shall be performed.
• Supplement with simplified hardware second chain.
• Integrated risk assessment of the systems shall be made.
• Systems and procedures shall be peer-reviewed, validated, verified prior to use.
• Management of documentation and operation of the software and systems
66
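The "dual 1oo2 or triple 2oo3" question on slide 63 trades off two requirements the talk lists on slide 18, no single-point failure against negligible nuisance trips, and the watchdog requirement on slide 65 is the PLC-side complement of the fail-safe relay chain. The Python below is an added example written for this page, not code from the talk or from any facility, and it goes slightly beyond the slides by computing both quantities for independent channels. It enumerates every combination of channel states, so the figures are the textbook results for independent failures; common-mode failure is deliberately left out, which is exactly what slide 18's separation and diversification are meant to address. The failure probabilities in the tests and the watchdog timeout are constructed values.

```python
from itertools import product
from typing import Callable, Sequence

Voter = Callable[[Sequence[bool]], bool]


def vote_1oo2(trip_demands: Sequence[bool]) -> bool:
    """Dual channel, one-out-of-two: the system trips if either channel demands a trip."""
    return sum(trip_demands) >= 1


def vote_2oo3(trip_demands: Sequence[bool]) -> bool:
    """Triple channel, two-out-of-three: the system trips if at least two channels demand it."""
    return sum(trip_demands) >= 2


def prob_fail_on_demand(vote: Voter, channels: int, p_dangerous: float) -> float:
    """Probability that the voted system does NOT trip when a real hazard is present, with each
    channel independently failing dangerous (blind to the hazard) with probability p_dangerous.
    Enumerates all failed/working combinations; common-cause failure is ignored (assumption)."""
    total = 0.0
    for failed in product((False, True), repeat=channels):
        prob = 1.0
        for f in failed:
            prob *= p_dangerous if f else 1.0 - p_dangerous
        demands = [not f for f in failed]   # a working channel sees the hazard and demands a trip
        if not vote(demands):
            total += prob
    return total


def prob_spurious_trip(vote: Voter, channels: int, p_spurious: float) -> float:
    """Probability of a nuisance trip with no hazard present, with each channel independently
    producing a false trip demand with probability p_spurious (again ignoring common cause)."""
    total = 0.0
    for demands in product((False, True), repeat=channels):
        prob = 1.0
        for d in demands:
            prob *= p_spurious if d else 1.0 - p_spurious
        if vote(demands):
            total += prob
    return total


class ExternalWatchdog:
    """Watchdog outside the PLC: the permit stays up only while the PLC scan refreshes the
    watchdog within timeout_ms; a hung or looping program lets it lapse and drops the permit,
    so a software fault ends in the safe state like a lost signal would in a relay chain."""

    def __init__(self, timeout_ms: int):
        self.timeout_ms = timeout_ms
        self.last_refresh_ms = 0

    def refresh(self, now_ms: int) -> None:
        self.last_refresh_ms = now_ms

    def permit(self, now_ms: int) -> bool:
        return now_ms - self.last_refresh_ms <= self.timeout_ms


if __name__ == "__main__":
    # Constructed per-channel probabilities, chosen only to make the comparison visible.
    for label, vote, n in (("1oo2", vote_1oo2, 2), ("2oo3", vote_2oo3, 3)):
        print(label,
              "fail-on-demand = %.5f" % prob_fail_on_demand(vote, n, 0.01),
              "spurious trip = %.5f" % prob_spurious_trip(vote, n, 0.01))
    wd = ExternalWatchdog(timeout_ms=100)
    wd.refresh(0)
    print("watchdog permit at 50 ms:", wd.permit(50), "at 150 ms:", wd.permit(150))
```

With equal per-channel probabilities the enumeration reproduces the familiar closed forms, p² for 1oo2 and 3p² − 2p³ for 2oo3 on the dangerous side, and 2q − q² versus 3q² − 2q³ on the nuisance side, which is why the 1oo2 arrangement is the more conservative of the two against a hazard while 2oo3 is the quieter one in operation; the slides leave the choice to the facility's own risk analysis.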