Engineered and Administrative
Safety Systems for the Control of
Prompt Radiation Hazards
at Accelerator Facilities
James C. Liu
([email protected])
Stanford Linear Accelerator Center (SLAC)
Vashek Vylet
Thomas Jefferson National Accelerator Facility (TJNAF)
Lawrence S. Walker
Los Alamos National Laboratory (LANL)
1
Radiation Safety System (RSS)
• RSS: Engineered and/or administrative safety systems to monitor, mitigate and control prompt radiation hazards.
• RSS = ACS + RCS
• ACS keeps people away from radiation
– Ropes, signs, barrier and access controls
• RCS keeps radiation away from people
– Shielding, beam and radiation interlocks
2
ANSI N43.1 Standard Draft
• N43.1 Standard “Radiation safety for the design and operations of particle accelerators”, American National Standards Institute (2008?)
• Chapters 4, 5 and 6 of the N43.1 Standard draft, as well as some U.S. regulations and standards, are the main basis for this presentation.
3
N43.1 Committee
• Ted de Castro (LBNL)
• Roger Kloepping (LBNL)
• Robert May (TJNAF)
• Norman Rohrig (INEEL)
• Olin Van Dyck (LANL)
• Paula Trinoskey (LLNL)
• John Drozdoff (TRIUMF, Canada)
• Albert Evans (DOE)
• Wesley Dunn (Texas DHS)
• Vashek Vylet (Duke University)
• Larry Larson (Sematech)
Reviewers
• DOE
• NRC
• states
• CAMD
• FNAL
• CERN
• KEK, JAPRC
• PAL
• NSRRC, AEC
4
Disclaimer
• N43.1 Standard is not yet approved. Requirements (shall) and recommendations (should) in this chapter should not be quoted as official ANSI positions.
• Authors take full responsibility for any errors of this chapter and any discrepancies with the N43.1 standard.
• Contributions by N43.1 members and the reviewers are acknowledged.
5
Goals of Presentation
• Successful RSS needs a multidisciplinary team
• Presented from a health physicist’s, not a system engineer’s, perspective
• Health physicist roles for RSS
– Analyze radiation hazards; develop policies, requirements and procedures for systems
– For interlocked systems
  • Review and/or approve design, changes, use, and associated operating and testing procedures
  • Design, install and/or maintain the systems, if limited facility size
6
Contents
• U.S. regulations and standards
• Radiation Safety System (RSS)
• Access Control System (ACS)
• Radiation Control System (RCS)
• Examples of RSS policies and practices at some accelerator facilities
7
U.S. Federal and State Regulations
• 10CFR20 “Standards for protection against radiation”, U.S. NRC (1991)
• NUREG-1736 “Consolidated guidance for 10CFR20”, U.S. NRC (2001)
• CRCPD Suggested State Regulations (SSR) “Radiation safety requirements for particle accelerators” (1991)
8
U.S. DOE Regulations
• 10CFR835 “Occupational radiation protection” (1998, 2007)
• DOE O 420.2B “Safety of accelerator facilities” (2004)
• DOE G 420.2.1 “Implementation guide for DOE O 420.2B” (2005)
• DOE G 441.5-5 “Radiation-generating devices guide for use with 10CFR835” (1999)
9
Main U.S. Standards
• NCRP-88 “Radiation alarms and access control systems” (1986)
• ANSI N43.3 “American National Standard for general radiation safety - installations using nonmedical X-ray and sealed gamma-ray sources, energies up to 10 MeV” (1993, in revision)
• IEC-61508 “Functional safety of electrical, electronic, programmable electronic safety-related systems” (1998)
• ANSI/ISA-84.01/IEC-61511 “Functional safety - Safety Instrumented Systems for the process industry sector” (1996, 2004) - does not cover nuclear power facilities
10
Radiation Safety System (RSS)
Systems that Protect People from Prompt Radiation Hazards
11
Radiation Safety System (RSS)
• RSS is defined as a combination of engineered (passive and active elements) and/or administrative safety systems to monitor, mitigate and control prompt radiation hazards in a graded approach.
• Technical, operational and management aspects
• RSS = ACS + RCS
– ACS keeps people away from radiation
– RCS keeps radiation away from people
12
ACS and RCS
• Access Control System (ACS)
– Ropes and warning signs
– Door or gate with locks
– Interlocked access control
– Beam inhibiting devices (BID)
• Radiation Control System (RCS)
– Passive systems: shielding, fence
– Active systems: beam interlocks and radiation interlocks
13
Facility Safety Assessment and Controls
• Identify accelerator beam parameters, facility operation modes (normal and abnormal beam losses), and personnel occupancy
• Analyze associated radiation hazards
• Develop RSS requirements for risk mitigation and controls
• Define Safety Envelope and Operation Envelope
• Experience from peer labs
14
15
RSS Interlock Functional Relationship
(Block diagram; labels recovered from the figure)
INPUT: Area Secure Signal; Radiation Detectors
System Logic: Access Control System Logic; Radiation Control System Logic
OUTPUT: Beam Inhibiting Devices; Warnings; Operate Permission; Area Safe Signal
16
RSS Interlock Design Considerations
• ACS versus RCS (hazards and mitigation)
• Both preventive and reactive system types
• Develop system functional specification (what the system does)
• Develop system integrity specification (how well it does it)
17
RSS Interlock Design Considerations
• Reliable and high performance
– No single-point failures (redundancy)
– No common-mode failures (separation and diversification)
– Sufficiently fast response time
– Protection for harsh environment (radiation, humidity, temperature, vibration, power, etc)
– Negligible false or nuisance trips
18
RSS Interlock Design Considerations
• Testability
• Simple and modular design
• Tamper resistance (e.g., concealed door microswitches, protected devices, cables and equipment, locked cabinets)
• Ergonomic (easy to use and understand, prevent human error, interface)
• Life-time cost and resource
19
RSS Interlock Design Considerations
• Interlocked-type ACS (and active RCS) are dormant systems, i.e., no response or action under normal conditions
• Self-checking
• Fail-safe
20
Fail-safe Design
• Definition: One in which the credible failure modes leave the system in a safe condition
• Examples of failure:
– Loss of AC or DC power
– Loss of air pressure
– Open or short circuit
– Ground fault
– Likely circuit element failure modes
  • Relay - coil burnout
  • PLC – software bug, uncertain
21
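The fail-safe, redundancy and self-checking ideas on the preceding slides, as an added illustration that is not part of the presentation or the N43.1 draft: a small model of a two-chain interlock in which any lost signal removes the operate permission and a disagreement between chains is reported as a fault. The input names are constructed for the example.

```python
"""Added example, not from the N43.1 draft or the presentation: a small
model of a two-chain RSS interlock showing fail-safe signal handling,
redundancy and self-checking. Input names are constructed for illustration."""
from typing import Dict, List, Optional, Tuple

# De-energize-to-trip convention: True = contact closed / energized = safe,
# False = sensor positively reports unsafe, None = signal lost (open
# circuit, ground fault, loss of AC/DC power or air pressure).
Signal = Optional[bool]
Chain = Dict[str, Signal]

ACS_INPUTS: Tuple[str, ...] = ("door_closed", "area_secure", "emergency_off_released")
RCS_INPUTS: Tuple[str, ...] = ("radiation_below_trip", "beam_current_within_limit")


def chain_permit(chain: Chain, names: Tuple[str, ...]) -> bool:
    """One chain grants operate permission only if every named input is
    positively safe. A lost or missing input is treated as unsafe, so each
    credible failure mode listed on the slide removes the permission."""
    return all(chain.get(name) is True for name in names)


def rss_permit(chain_a: Chain, chain_b: Chain) -> Dict[str, object]:
    """Combine two independent chains (separate sensors, cables and logic).
    Either chain alone can remove the permission (1oo2-to-trip), so no
    single-point failure can leave the beam enabled."""
    acs = chain_permit(chain_a, ACS_INPUTS) and chain_permit(chain_b, ACS_INPUTS)
    rcs = chain_permit(chain_a, RCS_INPUTS) and chain_permit(chain_b, RCS_INPUTS)
    permit = acs and rcs
    # Self-check for a dormant system: a chain that fails while the area is
    # idle would otherwise go unnoticed, so compare the chains input by input
    # and report every disagreement as a fault to be cleared before operation.
    faults: List[str] = [name for name in ACS_INPUTS + RCS_INPUTS
                         if chain_a.get(name) != chain_b.get(name)]
    return {"acs": acs, "rcs": rcs, "operate_permission": permit,
            # Beam inhibiting devices stay inserted unless permission exists.
            "bid": "ENABLE" if permit else "INHIBIT",
            "self_check_faults": faults}


def healthy_chain() -> Chain:
    """Constructed sample: every sensor on the chain reports safe."""
    return {name: True for name in ACS_INPUTS + RCS_INPUTS}


if __name__ == "__main__":
    a, b = healthy_chain(), healthy_chain()
    print(rss_permit(a, b))          # permission granted, no faults
    b["door_closed"] = None          # cable to chain B's door switch is cut
    print(rss_permit(a, b))          # INHIBIT, fault reported on door_closed
```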
Engineered RSS Operational Requirements and Guidance
• Quality assurance (QA) program
– Components, workmanship
– Design, installation, testing, commissioning and operations
• Configuration control (CC) program
• Maintenance, repair and modification program
• Periodic certification and check programs
• Safety systems independent and separated from non-safety systems
22
Engineered RSS Operational Requirements and Guidance
• Trained, qualified and authorized individuals
• System readiness review
• Document and record management program (transferable and auditable)
• Self assessment
• Peer (internal and external) review
23
RSS for Non-Beam Radiation
• Radiation from dark current due to HV and/or RF fields (e.g., cavity, klystron)
• Exposure from induced radioactivity in machine components (e.g., beam stops, collimators)
• Shielding to reduce activation to air, soil, groundwater
• Engineered controls for exposure to activated air
24
RSS Interlock Bypass or Variance
• Governed by policies and procedures
• Justified
• Alternative protection, e.g., radiation source inhibited, tight administrative controls
• Written approval via authorized channels
• Detailed documentation
• Affected systems or areas posted
• Involved parties communicated
• Normal interlocks restored and verified ASAP
25
RSS Accident
• 1982: a fatal exposure at a Co-60 irradiator in Norway (due to a series of 5 failures!)
– Conveyor belt jammed at night (failure #1)
– Sources failed to automatically retract into the shielded position (failure #2)
– First person arriving at work in the morning found a green indicator light (failure #3) and an unlocked interlocked door (failure #4)
– An interlocked radiation monitor normally located in the maze was out for repair (failure #5)
26
27
Access Control System (ACS)
Control Personnel Occupancy in Areas with Prompt Radiation above the Acceptable Levels
28
29
N43.1 Access Control System (ACS)
• Entry and access control modules
– Enclosures (ropes and/or barriers)
– Personnel entry gates
– Warnings and signs
– Communication and monitoring features
– Exclusion Area (> 10 mSv/h) needs Area Secure System
– Emergency response features
30
ACS Entry Module
31
N43.1 Access Control System (ACS)
• Beam Inhibiting Devices (BID)
– Power supply for gun or RF, beam safety shutter, electromagnet, etc
– Normal access control function
– Fault-response beam removal function
32
ACS Mechanical BID (Beam Shutters)
33
N43.1 ACS Graded Approach
Dose in 1 h (mSv) | Dose Category | Start-up Warning | Enclosure | Personnel Entryway Gate | Area Secure System
0.05–1 | Minimum | None | Rope | No Restriction | Not Required
1–10 | Low | Visible & Audible | Barrier | Locked or Interlocked | Not Required
10–100 | Moderate | Visible/Audible; Emergency Off | Barrier | Locked; Interlock Also Recommended | Required (Exclusion Area)
> 100 | High | Visible/Audible; Emergency Off | Barrier | Locked & Interlocked | Required (Exclusion Area)
Notes:
1) Tighter than NCRP-88
2) Access to areas ≤ 0.05 mSv/h is governed by general RPP.
3) Interlock redundancy is required for High dose category.
34
Additional Functional Requirements for Interlock-type ACS
• Redundancy via independent chains (from sensors to control devices)
• A single mechanical beam shutter is acceptable.
• Reliability, maintainability, testability, simplicity
• Interlocks not used as normal on-off devices
• Must have a manual emergency shutdown mode to override interlocks
35
Certification and Checks for Interlocked-type ACS
• Extensive certification and check programs are needed and shall be developed.
• Certification, check and maintenance shall be conducted following formal, written procedures by authorized personnel.
• Activities shall be properly documented.
36
ACS Certification
• Prior to accelerator commissioning or major ACS changes, the system is certified to meet safety requirement specifications via an acceptance test covering:
– Performance of sensors, logic, and control elements
– All functions of the logic (including unintended and bypass functions)
– Potential failure modes from errors in system design or implementation, and component failures
37
ACS Certification
• Before accelerator operation past one year following the last successful annual certification, the ACS hardware/software and functionality shall be certified to operate as intended.
• Before restarting operation following ACS modification, repair or maintenance, the potentially affected portions shall be certified.
• Certification shall be end-to-end, i.e., from inputs to outputs.
• May be the same as the system acceptance test, particularly for small systems
38
ACS Checks
• More frequent and periodic checks by Operations or authorized individuals should be implemented for critical system components that are subject to accidental damage or potential failures caused by frequent use or presence in a harsh physical environment
– Micro-switches
– Emergency-off
– Keybank
39
ACS for Simple Accelerator Facility
Radiation Therapy Linac (figure; labels recovered: Emergency Exit, Video Cameras, Operator console, EO, Status Light, Radiation Detectors, Emergency Off, Interlocked and locked door)
40
Function Logic for Detector and Door Interlocks
41
42
Radiation Control System (RCS)
Control Prompt Radiation in Occupiable Areas Not Exceeding the Acceptable Levels under both Normal and Abnormal Accelerator Operation Conditions
43
44
Radiation Control System (RCS)
• Passive systems
– Shielding (bulk and local) and fence
• Active systems
– Beam interlocks
– Radiation detector interlocks
– Should follow the same general requirements as interlocked-type ACS (redundancy, fail-safe, and testability)
45
RCS Performance Requirements
Normal Operations (within Operation Envelope)
• RCS ensures dose rates as in Table 5.1
• Shielding design criteria
– 20% of dose limit for radiological workers
– 1 mSv/y for general employee
– 0.1 mSv/y (7200 h/y) for off-site doses
– Observe ALARA principle
46
RCS Performance Requirements
Abnormal Operations
• Exposure analysis for maximum credible beam losses throughout facility (capabilities of accelerator systems, modes of operation, and the RSS features; peer lab experience)
• Dose per unlikely event ≤ 10 mSv
• Layers of hazard controls (higher levels of radiation risk are mitigated by increasing layers of safety controls)
47
Passive versus Active RCS
• Normal beam losses shall be addressed by passive systems.
• Abnormal beam losses or operations shall be controlled by passive and/or active systems.
• Balance between passive and active systems (passive systems are preferred)
• Probabilistic Risk Analysis (PRA) with performance data should be made when active RCS play extensive or critical roles.
48
RCS Passive Systems
• Shielding and/or fences
• Conservative shielding design for both normal (allowed beam power) and abnormal (maximum credible beam power) operations
• Designed or reviewed by safety professional
• Verification survey for normal and likely abnormal beam losses
• Configuration control program is crucial
49
RCS Active Systems
• Monitors/limiters for beam energy, beam current and beam losses
• Electronic system may include:
– A beamline transducer, e.g., current toroid, secondary emission monitor, beam position monitor, repetition rate monitor, ion chamber or meter relay
– An electronic processing module that integrates or counts beam current pulses
– A beam shut-off circuit connected to beam shutters, RF sources or high-voltage supplies
50
RCS Active Systems
• Protection for mechanical beamline safety devices that have power ratings below the Allowed Beam Power
– Coolant flow switches
– Temperature sensors
– Vacuum pressure sensors
– Ionization chambers
– Burn-Through Monitor (BTM), a pressurized chamber that ruptures on over-heating
51
RCS Active Systems
• Radiation detectors
– Inside accelerator housing and/or in occupiable areas
– Effects on detector response in pulsed radiation fields, the RF/magnetic field interference, and radiation damage
– Current-mode ionization chamber is generally the choice
52
Active RCS Field Devices
(Block diagram; labels recovered from the figure)
Sensors: Radiation, Current, Voltage, Temperature, Pressure, Flow, etc
Logic: Redundant Relay and/or PLC
Control Elements: Power Supplies Trigger, Shutter, Valve (switches)
Wiring
Field devices account for 90% of safety system failures!
53
Some Active RCS Considerations
• Selection of sensors and final elements
• Sensor response accuracy and calibration
• Different action levels
– Warning to mitigate radiation
– Trip to terminate beam (particularly for critical applications)
• Self-checking and Fail-safe
• Interfaces for Operator and with non-safety systems
54
Active RCS Certification and Test
• Annual system certification and calibration
• Regular and frequent verification of active and operational status during operation
• Self-test provisions, e.g.,
– Keep-alive radioactive source
– Housekeeping pulses through toroid windings
– Test buttons provided so that each redundant path can be fully exercised
55
ACS versus Active RCS
• ACS failure ⇒ radiation hazard
– Door or BID interlocks fail ⇒ high radiation
• Active RCS failure + abnormal machine performance ⇒ radiation hazard
– Detector fails + abnormal beam loss ⇒ high radiation
• Implications: self-diagnosis, redundancy and fail-safe
• Beam shutters are ACS and RCS
• Concept of safety critical device or system
56
RCS Administrative Controls
• Supplement the passive and active systems in low-hazard conditions
• Configuration control (SLAC uses RSWCF)
• Operation control
• Machine parameters (beam energy, beam current, number of integrated beam particles, pulses, and particle type) should be controlled by administrative means (computer control or operating procedures), if not by engineered means
• Safety credit?
57
Machine Protection System (MPS)
• Protect beamline components where radiation damage or overheating would not result in personnel hazards
• Electronic systems to monitor beam parameters, operational modes, beam loss conditions, machine performance, etc
• MPS is in general less rigorous and controlled than RCS
• MPS credit as active RCS (MPS may provide early detection and prevention/mitigation for events that may otherwise trigger RCS)
58
Summary
• Facility needs formal, written policies and procedures to analyze hazards, and to develop and operate RSS in a graded approach
• SAD, Safety Envelope, Operation Envelope
• ACS and RCS: consistency and balance
• Life-cycle concept covering technical, operational and management aspects
• Personnel responsibilities and training
• Documentation of activities
• Peer review and improvement for systems and program
59
Some Laboratory Reports
• SLAC Report 327 “Health physics manual of good practices for accelerator facilities” (1988)
• SLAC “Radiation safety systems, technical basis document” (2006)
• TJNAF “Jefferson Lab Personnel Safety System, systems requirement specification” (2007)
• TRIUMF “Radiation safety system at TRIUMF” (2001)
• LANL “Accelerator Access-Control Systems” LS107-01.1 (1993)
60
Some References
• IAEA Report 188 “Radiological safety aspects of the operation of electron accelerators” (1979)
• IAEA Report 283 “Radiological safety aspects of the operation of proton accelerators” (1988)
• NCRP Report 144 “Radiation protection for particle accelerator facilities” (2005)
61
Useful ACS Standards
• IEC-880 “Software for computers in the safety systems of nuclear power plants” (1986) and its supplements
• EWICS TC-7 Position Paper 6012 “Guidelines for the use of programmable logic controllers in safety-related systems” (1998)
• IEC-61508 “Functional safety of electrical, electronic, programmable electronic safety-related systems” (1998)
• ANSI/ISA-84.01/IEC-61511 “Functional safety - Safety instrumented systems for the process industry sector” (1996, 2004)
62
Some Questions for Interlocked-type RSS
• What technology should be used: relay or PLC?
• Which system is safer: dual 1oo2 or triple 2oo3?
• How often should systems be certified or tested?
• What types of documentation are needed?
• How can peer labs’ safety system performance or experience be used?
• How to strike the balance in satisfying so many sometimes competing or conflicting requirements?
• What kind of safety culture is needed?
63
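The 1oo2-versus-2oo3 question above, worked as an added example that is not part of the presentation: it computes the probability of failure on demand and the nuisance-trip probability for each voting layout, assuming independent, identical channels, and adds a beta-factor term for the common-mode failures the design slides warn about. The per-channel probabilities are constructed.

```python
"""Added example, not from the presentation: a comparison of dual 1oo2 and
triple 2oo3 voting for an interlock-type RSS. Assumes independent,
identical channels and uses the beta-factor model for common-mode
(common-cause) failures; the numbers in main() are constructed."""
from math import comb
from typing import Dict, Tuple


def p_at_least(k: int, n: int, p: float) -> float:
    """Probability that at least k of n independent channels are in a state
    each channel enters with probability p (binomial tail)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def parse_koon(arch: str) -> Tuple[int, int]:
    """'2oo3' -> (2, 3): k channels must vote 'trip' for the beam to be removed."""
    k, n = arch.lower().split("oo")
    return int(k), int(n)


def pfd(arch: str, p_dangerous: float, beta: float = 0.0) -> float:
    """Probability of failure on demand: the layout cannot trip once n-k+1
    channels have failed dangerously (e.g. a detector that no longer sees
    radiation). A fraction beta of channel failures is assumed to hit all
    channels at once; redundancy cannot remove that term, only separation
    and diversification reduce beta."""
    k, n = parse_koon(arch)
    independent = p_at_least(n - k + 1, n, (1 - beta) * p_dangerous)
    return independent + beta * p_dangerous


def spurious_trip(arch: str, p_safe: float) -> float:
    """Probability of a nuisance trip: k channels falsely demand a trip."""
    k, n = parse_koon(arch)
    return p_at_least(k, n, p_safe)


def compare(p_dangerous: float, p_safe: float, beta: float = 0.0) -> Dict[str, Dict[str, float]]:
    """PFD and nuisance-trip probability for the common interlock layouts."""
    return {arch: {"pfd": pfd(arch, p_dangerous, beta),
                   "spurious": spurious_trip(arch, p_safe)}
            for arch in ("1oo1", "1oo2", "2oo3")}


if __name__ == "__main__":
    # Constructed per-channel probabilities: 1% dangerous, 1% safe failure.
    for arch, r in compare(0.01, 0.01).items():
        print(f"{arch}: PFD={r['pfd']:.2e}  nuisance trip={r['spurious']:.2e}")
    # With a 10% common-cause fraction the 1oo2 PFD is dominated by beta.
    print(f"1oo2 with beta=0.1: PFD={pfd('1oo2', 0.01, beta=0.1):.2e}")
```

With the constructed inputs, 1oo2 has the lowest PFD but roughly 2% nuisance trips, while 2oo3 brings nuisance trips down to the same order as its PFD; the beta term shows why redundancy alone does not buy safety without separation and diversification.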
Computer-Based Logic Systems
• Use Programmable Logic Controllers (PLCs), instead of relays, to perform logic functions and monitor status signals associated with entry control
• Benefits: ease of use, handle complex and extensive logic requirements, good immunity to electrical interference, provide automatic documentation of the logic
64
Computer-Based Logic Systems
• Safety-rated PLC systems shall be used.
• Redundancy should be achieved by using independent PLC systems and may involve different programmers.
• Software program requirements shall follow a determined set of specifications.
• Watchdog timers shall be incorporated into internal processor and external systems.
• High modularity and testability
• Protection from radiation damage
65
Computer-Based Logic Systems
• Software program QA shall be performed.
• Supplement with simplified hardware second chain.
• Integrated risk assessment of the systems shall be made.
• Systems and procedures shall be peer-reviewed, validated, verified prior to use.
• Management of documentation and operation of the software and systems
66