ESS Target Station Hazards Analysis and Safety Classification Process Linda R. Coney European Spallation Source (ESS) HPTW April 13, 2016

Outline Hazard Analysis purpose and scope Hazard Analysis Procedure – Qualitative HA – Accident Analyses (Quantitative HA) – Selection of mitigation and/or prevention measures Safety classification – SSC selection – Engineering design features, PSS, TSS Conclusions 2

Hazard Analysis Purpose & Scope Protect ESS workers and the public from accidents with potential radiological consequences Hazard Analysis is a systematic process to identify, evaluate, and control potential hazards and accidents related to the Target Station. – Identify hazardous events associated with the facility processes, operations, work activities, and natural phenomena High power beam impacting the tungsten target will create an inventory of nuclides 3000 kg of tungsten, 5 MW beam, 5 year target wheel lifetime – Understand potential hazardous scenarios – Define necessary mitigating measures Input to system design requirements – Target systems, building features, PSS, TSS Identify need for safety functions Identify  evaluate  control these events 3

ESS Target Station Parameters –5 MW long pulse spallation source –2.86 ms proton bunch at 14 Hz rep rate –Raster pattern where protons incident upon Target wheel –Rotating tungsten target –5.4 tons (4900 kg) wheel only, (11 tons wheel + shaft) –rotating at 23.3 rpm (sector receives beam pulse every 2.4 seconds) –5 year lifetime, He gas cooled –Cold Moderators –Liquid hydrogen with 2-5 year lifetime –Inventories –High power beam impacting the tungsten target will create an inventory of nuclides –Primary inventory is in wheel (monolith and storage in active cells) 4 –Keeping in Mind: –450 – 500 employees, 2000 – 3000 users/year –facility is located in 100,000 inhabitant region

Hazard Analysis Scope 5 Remote Handling Systems Active Cells Operations Fluid Systems Active Liquid Purification system Primary Water Cooling Systems Intermediate Water Cooling Systems Intermediate Water Cooling for Water Systems Contaminated Tanks Gas Delay Tanks Target Systems Target Wheel & He Cooling He Purification Target HVAC System Monolith Systems Monolith vessel incl. covers and penetrations, NBW, PBW Shielding systems Tuning Beam Dump Moderator Systems Water Moderator Reflector System Cold Moderator Target Moderator Cryoplant System

HA Scope – Monolith Systems 6 Proton accelerator beam tube connection Proton beam window Neutron beam extraction Target wheel Upper and lower moderator and reflector Monolith vessel Target wheel drive

HA Scope Utility Block: Helium Cooling, Fluid Systems 7

Hazard Analysis Overview 8 SSM; Nuclear Authority Design Facility Hazard Analysis Systems Buildings Operation Systems Buildings Operation Events (Severity & Probability) PIEs and Top Enveloping Events (Severity & Probability) PIEs and Top Enveloping Scenario Analyses Radiological impact Inventory Dose Factors Radiological impact Inventory Dose Factors Safety Functions Classification Physical evolution Release Factors Leaks, diffusion Internal spread External spread Physical evolution Release Factors Leaks, diffusion Internal spread External spread 1.Unmitigated 2.Mitigated 1.Unmitigated 2.Mitigated Severity Probability< >10 0 mSv H1 Normal H2 Expected H3 Unexpected H4 Unlikely H5 Very unlikely Dose to public (SSM) SSCs: - Safety - Safety-related Disciplines: - Mechanical - Ventilation - Electrical … SSCs: - Safety - Safety-related Disciplines: - Mechanical - Ventilation - Electrical …

Accident Analyses – Quantitative HA Identify set of formalized design basis accidents from hazard analysis – 350 Top Events from qualitative HAs – Selected 21 bounding scenarios for further study  Accident Analyses – At least one event from each of the major types identified in HA – If prevented or mitigated, the group does not require additional safety functions Accident Analysis inputs – Inventories Tungsten ✔ Target cooling helium ✔ Moderator water ✔ Reflector beryllium ✔ Reflector water ✔ – Dose calculation procedures (ESH) ✔ For both dose to worker and to reference member of the public – Allowable dose limits ✔ Workers (ESS) and public (SSM) 9

Accident Analysis Input – Dose Limits 10 ESS Safety Objectives Operating conditions Initiating event likelihood Workers limit (effective dose) Public limit (effective dose) Normal operation - H110 mSv/year0,1 mSv/year Incidents – H2 F > mSv/event0,1 mSv/event Unexpected events – H < F < mSv/event1 mSv/event Design Basis Accident – H4A < F < mSv/event20 mSv/event Highly improbable events – H < F < Ex : plane crashes, major earthquake 100 mSv/event 10 Protect workers and public from unsafe levels of radiation Prevent the release of radioactive material beyond permissible levels Defining consequence = dose to public and workers

Accident Analysis Risk assessment criteria: Severity Matrices H1 shaded out – indicates normal operation – limits per year – Normal operation limits and releases are handled separately from this analysis H2 – H5 dose limits are per event Limits for Public set by SSM Limits for Workers set by ESS GSO (General Safety Objectives) except for H5 limit which we chose to equal that of the public because there was no limit stated 11 Severity (mSv) Probability < >100 H1 H2 H3 H4 H5 Unacceptable Tolerable Acceptable Public Severity (mSv) Probability >100 H1 H2 H3 H4 H5 Workers

Accident Analyses – Quantitative HA Evaluate events – Describe system Determine baseline assumptions for event – Describe evolution of event Include simulations, calculation of effect on system or neighboring system – Consider all PIEs identified in Qualitative HA Quantitative determination of probability for occurrence – Identify inventory Determine source term – amount of radioactive material released during accident scenario – Calculate dose consequence to worker and/or public Identify need for risk reduction measures – prevent and/or mitigate event Control events – Determine required safety functions – Select risk reducing measures – hierarchy giving preference to passive engineered safety features over active, engineered over active controls or administrative controls and preventative over mitigative – Holistic approach – optimize selection How options fit with other analyses? Consider impact on operations Consider options to prevent and/or mitigate within other systems – Specify safety-related and safety SSCs – structures, systems and components – Reassess event evolution and dose consequences with safety measures implemented 12

Accident Analyses Selected Bounding Events 1.Target Wheel stop during beam on target 2.Beam Event: Focused and non-rastered beam on target 3.Loss of Target wheel cooling during beam on Target 4.Leakage from Target Cooling circuit into monolith, depressurization of PCool 5.Partial loss of cooling of target wheel 6.Loss of He purification function 7.Water leakage from Intermediate Water System into Target He 8.Loss of confinement in Target He system – release into Utility rooms 9.LH2 leakage with explosion/LH2 leakage with local fire 10.Water leakage in monolith (highest contamination level) 11.Water leakage into connection cell and utility rooms 12.NBG/Chopper - missile effect on monolith system 13.Beam dump – high power beam when target in maintenance mode 14.Earthquake scenario Target/monolith 15.Active Cells: Operator inside maintenance cell when sliding door unintentionally opens 16.Active Cells: Operator inside process cell next to worst case inventory 17.Active Cells: Operator inside maintenance cell next to worst case inventory 18.Loss of dynamic confinement (loss of HVAC) 19.Active Cells: Loss of confinement process/maintenance – open doors 20.Active Cells: Fire in maintenance or process cell 21.Active Cells: Earthquake scenario 13 Active Cells Facility Events Target & He Cooling Monolith In orange  completed by end of April

14 Normal Operation Wheel Stops Unbearable Thermal Load Unbearable Thermal Load Shroud Opens Moderator Breaks Monolith Pressurized Monolith Pressurized Proton BW Break Flow to Accelerator Flow to Accelerator Neutron BW Break Flow to Bunker and Instr. Halls Flow to Bunker and Conn. Cell Water Vaporization Steam Enters Hot Wheel Tungsten Oxid. / Vapor Material At Risk, Damage Ratio Leakage Paths Air Enters Hot Wheel Helium + Filter Dust Released AA1. Wheel rotation stops with beam Unmitigated Scenario Flow to Workers Flow to Workers Flow to Public Flow to Public

AA1. Wheel rotation stops with beam Unmitigated consequences 15 -Initial unmitigated dose calculations: -H2: dose to worker – over 1000 Sv -H2: dose to public – 2 mSv for release at monolith level or 0.3 at stack (without HVAC filtration) from first release of He and particles -Wheel stops rotating during Beam-ON operations -Thermal stress and temperature increase in spallation material, cassettes and shroud -Shroud breaks and releases He coolant, filter particles into Monolith -Break NBW and/or PBW -Premoderator breaks, water leak, beam continues – release of vaporized W H2 – worker limit 20 mSv H2 – public limit 0.1 mSv  Mitigation required

AA1. Wheel rotation stops with beam Safety SSCs 16 Safety function – Safety SSC Event Class Beam ON Beam OFF PBW or NOT Safety Group DIDSystem Op Prevent release & prevent escalation of event – Detect unacceptably slow wheel rotation rate and prevent proton beam from hitting wheel – TSS Criteria for safe shut down is 7 pulses on same sector ( 0.5 s) before exceeding level D criteria on shroud H2X BothSafetyL2-L3X Stop proton beam from hitting wheel - Remove PBW – passive beam shutdown H2X NSafetyL3X Control release – Rupture disk in monolith into Off-gas extraction system H2X NSafetyL3X Confine monolith atmosphere in order to control release of inventory (NO PBW) – Monolith vessel and NBWs H2X NSafetyL3X Prevent exposure – No access to accelerator tunnel when Beam ON – PSS H2X NSafetyL3X Limit exposure to public – Filtration in ventilation before release at stack H2X NSafetyL3X or Stop proton beam from hitting wheel - Put rupture disk in parallel with PBW (only structural) H2X YSafetyL3X Confine monolith atmosphere in order to control release of inventory (with PBW) – Monolith vessel, PBW, NBWs H2X YSafetyL3X Limit exposure to public – Filtration in ventilation before release at stack H2X YSafetyL3X Defense in depth: secondary TSS function: - Limit release & prevent escalation of event – Detect loss of helium and prevent proton beam from hitting wheel – TSS H2X Both SafetyL3-L4X Mitigated results – prevent release – H2: 0.0 mSv dose to worker – H2: 0.0 mSv dose to public

17 Normal Operation Wheel Stops Unbearable Thermal Load Unbearable Thermal Load Shroud Opens Moderator Breaks Monolith Pressurized Monolith Pressurized Proton BW Break Flow to Accelerator Flow to Accelerator Neutron BW Break Flow to Bunker and Instr. Halls Flow to Bunker and Conn. Cell Water Vaporization Steam Enters Hot Wheel Tungsten Oxid. / Vapor Air Enters Hot Wheel Helium + Filter Dust Released AA1. Wheel rotation stops with beam Mitigated Scenario Flow to Public Flow to Public Flow to Workers Flow to Workers Material At Risk, Damage Ratio Leakage Paths

18 Normal Operation Wheel Stops Unbearable Thermal Load Unbearable Thermal Load Shroud Opens Moderator Breaks Monolith Pressurized Monolith Pressurized Proton BW Break Flow to Accelerator Flow to Accelerator Neutron BW Break Flow to Bunker and Instr. Halls Flow to Bunker and Conn. Cell Water Vaporization Steam Enters Hot Wheel Tungsten Oxid. / Vapor Air Enters Hot Wheel Helium + Filter Dust Released AA1. Wheel rotation stops with beam Additional mitigations Flow to Workers Flow to Workers Flow to Public Flow to Public Material At Risk, Damage Ratio Leakage Paths Controlled Filtered Relief

Hazard Analysis – TSS Where does TSS fit within overall Target Radiation Safety Strategy? – TSS is part of our set of tools The Target Safety System (TSS) is a safety classified, active monitoring and control system that shall: – Protect workers and public from exposure to unsafe levels of radiation and prevent the release of radioactive material beyond permissible limits – Bring the target station into a safe state in case of an abnormal event from the nuclear safety point of view Outcome of Radiation Safety Hazard Analysis includes: – Identification of safety functions – Identification & classification of SSCs 19

SSC Selection – TSS Safety functions defined in Accident Analysis lead to TSS requirements Safety SSCs – Safety Group Defense in Depth levels under evaluation Current TSS functions defined during analysis of AA1, AA3, AA4, AA8 – Safe state defined as no beam on Target No TSS functions identified in AA15 or AA18 (Active Cells) 20 Safety function – TSS Safety SSC TriggerEvent Class DID Prevent release by stopping proton beam from hitting wheel – Detect unacceptably low helium flow and prevent proton beam from hitting wheel – TSS He flowH2L2-L3 Prevent release by stopping proton beam from hitting wheel – Detect unacceptably high helium temperature and prevent proton beam from hitting wheel – TSS He inlet Temp H2L2-L3 Prevent release by stopping proton beam from hitting wheel – Detect unacceptably slow wheel rotation rate and prevent proton beam from hitting wheel – TSS Wheel rotation H2L2-L3 Limit release & prevent escalation of event – Detect loss of helium and prevent proton beam from hitting wheel – TSS He pressure H2L3-L4 Under Consideration: Limit release & prevent escalation of event – Detect increase in monolith pressure and prevent proton beam from hitting wheel – TSS Monolith Pressure H2L3-L4

Conclusions The Hazard Analysis process is a well-defined, systematic way to identify, evaluate, and control potential radiation hazards and accidents related to the Target Station. – It is in alignment with the overall ESS process and regulatory body (SSM) conditions – Complex process – application to Target analysis becoming more straightforward Accelerated progress on Hazard Analyses recently – Qualitative analysis for Operations is complete – Qualitative analysis for Maintenance nearing completion – Supporting calculations, methodologies and responsibilities across ESS are in place Inventories calculated & approved Dose calculation methodology in place Classification of Target systems/components advancing – Growing list of safety-related and safety SSCs 21

22

Hazard Analysis Overview Perform Qualitative Hazard Analysis – Identify bounding scenarios Execute Quantitative Accident Analysis of each bounding scenario – Evaluate accident in terms of dose consequences to workers and public – Identify need for risk and/or consequence reducing measures – Identify functions that can prevent or mitigate hazardous scenario May include passive engineered safety features, active controls, and admin controls Select Structures, Systems and Components (SSCs) that perform these safety functions – Prevent or control hazard – Assign classification to SSCs – Classification mandates appropriate requirements for each SSC – Evaluate effectiveness of chosen SSCs Feed HA results into system designs & operational procedures 23

Qualitative Hazard Analysis Procedure Define the system under analysis – include drawings, schematics, etc. Identify hazards – Radioactivity, stored energy, explosion, impact (load drop) Identify initiating events and top events – Circumstances that would evolve to an accident – Postulated Initiating Event (PIE) – an event or circumstance that is an initiating step toward a top event – Top Event – undesired event that poses a potential radiological risk Describe consequences without risk reducing measures – Includes both local effects and those impacting other systems/areas – Estimate probability and severity  unmitigated risk ranking Identify possible risk reducing measures – Includes safety functions and associated triggers for active safety system – Reassess severity  mitigated risk ranking Qualitative assessment is based on expert engineering knowledge on similar systems 24

Accident Analyses Output 25 SSC important to safety Safety related SSC Safety SSC Actuation SSC Protective SSC Supportive SSC All SSC that contribute to manage H1-H5 events All SSC that contribute to manage H2-H4A events Dedicated to H1,H2, H4B and H5 Determine required safety functions Select risk reducing measures – SSCs – Structures, Systems, Components contributing to radiation safety – Equipment that implements safety functions Classify – Safety-Related SSC – Safety SSC

Safety-related SSCs: Helium Cooling & Wheel Safety function – Safety-related SSC Event Class Beam ON Beam OFF PBW or NOT Safety Group DIDSyste m Op Syste mMain t Confine helium – target shroudH1-H2XXBothOperationalL1-L2XX Confine helium – pipe system and componentsH1-H2XXBothOperationalL1-L2XX Limit inventory – helium purification systemH1-H2XXBothOperationalL1-L2X Limit inventory – getters in purification system to remove isotopes not captured by filters H1-H2XXBothOperationalL1-L2X Limit inventory – radiation monitoring in loop and filtersH1-H2XXBothOperationalL1-L2X Wheel cooling – process control system for helium cooling system functional H1-H2X BothOperationalL1-L2X Wheel cooling – helium flowing and cooling as designed, monitor process variables. H1-H2X BothOperationalL1-L2X Wheel cooling – monitor critical process variables, turn off beam – MPS H2X BothOperationalL2X Wheel cooling – internal helium channels and inner rotational seal H1X BothOperationalL1X Wheel cooling – pressure relief valve bleeds off helium into Off-gas extraction system H1-H2XXBothOperationalL1-L2XX Wheel rotates – drive motor functionalH1X BothOperationalL1X Wheel rotates – process control system for wheel drive functional H1-H2X BothOperationalL1-L2X Wheel rotates – wheel rotating as designed, monitor process variables H1-H2X BothOperationalL1-L2X Wheel rotates – Monitor rotation if fluctuates too far, turn off beam – MPS H2X BothOperationalL2X Limit exposure – Ventilation in room is functional (proper air renewal rate) H1-H2XXBothOperationalL1-L2XX 26

Safety-related SSCs: Helium Cooling & Wheel cont’d 27 Safety function – Safety-related SSC Event Class Beam ON Beam OFF PBW or NOT Safety Group DIDSyste m Op Syste mMain t Administrative Control: The workers shall be trained and educated in radiation safety. H2XXBothOperationalL2XX Confine monolith atmosphere in order to limit contamination production and to control release of inventory (with PBW) - Monolith vessel, PBW, NBWs H1-H2XXYOperationalL1-L2XX Confine monolith atmosphere in order to limit contamination production and to control release of inventory (NO PBW) - Monolith vessel and NBWs H1-H2XXNOperationalL1-L2XX Confine monolith atmosphere in order to limit contamination production and to control release of inventory (NO PBW) - Vacuum system H1-H2XXNOperationalL1-L2XX Confine monolith atmosphere in order to limit contamination production and to control release of inventory (NO PBW) - Process control system functional for vacuum system, monitoring system parameters H1-H2XXNOperationalL1-L2XX Confine monolith atmosphere in order to limit contamination production and to control release of inventory (NO PBW - Exhaust from vacuum pumps routed to stack through Off-gas extraction system H1-H2XXNOperationalL1-L2XX Prevent exposure when Beam OFF – valve in beam pipe between monolith and tunnel H1-H2 XNOperationalL1-L2XX