Personnel Safety Systems at ESS PLC/COTS based Interlock and Protection Systems Personnel Safety Systems at ESS Denis Paulic PLC engineer, Personnel Safety Systems ESS/ICS/PS Date: 2016-02-01
Agenda Overview PSS scope of work PSS technical: standards, target risk and basic requirements PSS subsystems Accelerator PSS Methodology and implementation PSS planning for 2016.
ESS Overview The European Spallation Source (ESS) will house the most powerful proton LINAC ever built. Parameter Value Units Max energy 2 GeV Peak current 62.5 mA Repetition rate 14 Hz Pulse length 2.86 ms Average power 5 MW RF frequency 352/704 MHz Maximum losses 1 W/m Target station Neutron science instruments Linear proton accelerator (600 m) Over 150 individual high power RF sources, based on high-power electron tubes! Spokes Medium β High β DTL MEBT RFQ LEBT Source HEBT & Contingency Target 2.4 m 4.6 m 3.8 m 39 m 56 m 77 m 179 m 75 keV 3.6 MeV 90 MeV 216 MeV 571 MeV 2000 MeV 352.21 MHz 704.42 MHz Tuning Dump
Hazards At ESS Ionising radiation hazards: Prompt Beam Induced Equipment induced (i.e. X rays in cavities) Residual Contamination Cryogenic hazards (direct exposure - burns, ODH) Electrical hazards Magnetic field hazards Laser hazards Motion hazards Gas hazards (Explosion, ODH) PSS primarily prevent both the public and workers from the facility’s ionising radiation hazards, but also identify as well as mitigate against all other hazards!
PSS Scope Of Work November 2014, approved by both Change Control Board and ESS Programme Group (EPG). 10 initial systems for first beam to target in 2019: The PSS for the on-site Cryogenic module test stand The Accelerator Personnel Safety System The Accelerator Radiation Monitoring System The Accelerator Oxygen Depletion System The Target Personnel Safety System The Target Radiation Monitoring System The Target Hot/Maintenance Cell Personnel Safety System The Neutron Instrument LoKI Personnel Safety System The Neutron Instrument NMX Personnel Safety System The Neutron Instrument ODIN Personnel Safety System First beam December 2017
PSS Scope Of Work ODIN Cryo test stand LoKI NMX Target building Accelerator tunnel
Instruments 1-15 Possible instrument 16 Guesses for future HR-NSE BIFROST SKADI ESTIA HEIMDAL Surf.Scatt. LOKI FREIA WA-NSE Mono-farm S VOR VESPA Instruments 1-15 Possible instrument 16 Guesses for future Upgrade areas MAGIC C-SPEC MIRACLES T-REX BEER NMX ODIN DREAM Sleipnir n-nbar Ken Andersen, October 2015 ANNI ESPRESSO NMX2 Mono-farm W Test
Standards The Swedish Radiation Authority (SSM) IEC 61508 : 2010 SSM2014-127-1: “Review of application for licence for activity involving ionising radiation” chapter 10 “review of control systems”, SSMFS 2008-27: The Swedish Radiation Authority’s “regulations concerning operations at accelerators and with sealed radiation sources”. IEC 61508 : 2010 IEC 61511 – new revision coming soon PSS application software E/E/PE system design requirements specification Software safety requirements specification
Standards: SSM Summary The PSS systems will be designed to take into account the following: External events Single failure Common cause failure Redundancy Diversity Separation Maintenance, design change and annual system testing of PSS will only be carried out during shutdown periods. Radiation risk analysis will be carried out before the facility is taken into operation. Design of the PSS will take into account the risk analysis. A formalised search of each PSS controlled area will be carried out before the facility is operated. Two independent technical design solutions will be used in each system. Common Cause Failure: The result of one or more events, causing concurrent failures of two or more separate channels in a multiple channel system, leading to a system failure. Diversity: Different means and/or technologies used to perform a required function. Redundancy: The existence of more than one means for performing a required function or for representing information. Separation: Physical separation of independent systems to reduce the possibility of the personnel safe-ty systems being affected by the same external event. Single failure: An occurrence, which results in the loss of capability of a component to perform its in-tended safety functions. External event: An external event such as earth-quake, flooding, fire and power failure which can directly affect the facility and cause the degradation of the ESS personnel safety systems.
Hazard Identification Risk Management Identify Hazard Hazard Register Assess the Risk Control the Risk Is Risk acceptable Operate system Event Register Is system functioning Continue operation Decommission
Risk Model Residual Risk Tolerable Risk EUC RISK Demands Risk Risk which is accepted in a given context based on the current values of society. EUC RISK Risk arising from dangerous failures in the EUC and EUC Control System. Risk remaining after protective measures have been taken. ESS PSS Maximum Tolerable Risk will be 10-6 Demands Risk Necessary Risk Reduction Actual Risk Reduction The purpose of determining the tolerable risk for a specific hazardous event is to state what is deemed reasonable with respect to both the frequency of the hazardous event and its specific consequences. The tolerable risk will depend on many factors. For example, the severity of the consequences or injury, the number of people exposed to danger, the frequency and the duration of the exposure. Important factors will be the perception and views of those exposed to the hazardous event. Risk reduction is achieved by a combination of all the safety protective features, including any associated SIF. The necessary risk reduction to achieve the specified tolerable risk, from a starting point of the risk presented by the Equipment Under Control (EUC), is shown in Figure 4. Risk = Frequency for a specified consequence Partial risk covered by other technology Safety-related systems Partial risk covered by E/E/PE Safety-related systems Partial risk covered by external risk reduction facilities EUC = Equipment Under Control Risk reduction achieved by all safety-related systems and external risk reduction facilities
PSS Technical Stuart Birch, ESS-0047614 SSM requirements for the Radiation safety functions will be identified and categorised in accordance with ESS-0016468 document. IEC 61508 methodologies will then follow Radiation Safety Function Risk Matrix H1C, H1D, H1E… - Unacceptable under the existing circumstances H1A, H1B, H2A… - Acceptable based on risk mitigation All other safety functions will be identified in accordance with IEC61508. H3A, H4A, H4B… - Acceptable
The Radiation Monitoring System PSS Subsystems The Access Control System Ensuring safe entry into potentially hazardous areas PSS ACS Safety Interlocks RMS ODH The ODH Monitoring System The Safety Interlock System Ensuring fast switch off of the proton beam The Radiation Monitoring System
Safety Interlock System - De-energise To Trip A loss of power to the coil will result in a spurious trip and loss of production… (Safe Failure) for specified Safety Function It is the Safety Function that determines whether a failure is safe or dangerous Energise to trip A loss of power to the coil will result in a inability to trip (Dangerous Failure) for specified Safety Function Welded contacts will result in inability to start the plant (Safe Failure) for specified Safety Function Welded contacts will result in a failure to operate on demand (Dangerous Failure) for specified Safety Function
Accelerator PSS Accelerator Tunnel ZONE 7 ZONE 6 ZONE 5 ZONE 4 Zone 1 - Proton Source, LEBT, RFQ, MEBT Zone 2 - DTL’s Zone 3 - Spokes Cavities Zone 4 - Elliptical Cavities Zone 5 - Elliptical Cavities Zone 6 - HEBT Zone 7 - A2T ZONE 3 ZONE 2 ZONE 1 Gated fence between each zone.
Accelerator PSS – FBD Morteza Mansouri, August 2015
ACS - Entry Station D1 Door position monitoring SIL 3 (IEC 61508): D2 Red colour, with a window – alarm and beam status lights should be visible from outside Door position monitoring SIL 3 (IEC 61508): D1 D2 E-exit Reader 1 Reader 2 PSS controlled area Outside Normal entry D1 RFID Safety Switch + actuator Safety hinge switch D2 Magnetic Safety Key exchange system D1 cannot be unlocked at the same time as D2!
ACS - Entry Sequence Entry: Swipe card - Card Reader 1 E-exit Reader 1 Reader 2 PSS controlled area Outside Normal entry Entry station empty? Enter the station and stand inside marked area Single person check or Max time inside exceeded alarm? Exit the station through D1 Confirm the questions on HMI and take the marked key Enter the controlled area
ACS - Key Exchange System PSS Control Room Front End Entrance Key Exchange Controlled Access “front End” Controlled Access “HEBT” Restricted Access Access “front End” Action of taking blue key will lock the red key in position. Red key will not be released until BOTH blue keys are returned to key exchange . Action of taking black key will lock the blue key in position. Blue key will not be released until LAST black key is returned to key exchange. HEBT Entrance Key Exchange Restricted Access “HEBT” Permit to main control system. “Power Down” via PLC. Start 60 minute timer before tunnel entry. Remove permit when Red key returned. Issue Permit to the “Run Permit” system when red key in position. Controlled Access is regular access for authorised personnel. Search is broken on entry.
Safety Interlock System - Beam OFF Station Beam-off stations installed in 76 points of the accelerator tunnel to switch off the beam in case of emergency (e.g. somebody was left inside the tunnel during the search). Oxygen deficiency hazard indicator for different zones. Search button and siren. Buzzer E-Stop pressed Area searched PSS zones ODH indicator E-Stop button Search button Beam ON warning ODH alarm
Search Patrol A predefined search of each PSS controlled area will be done prior to beam operation. Morteza Mansouri, August 2015
Implementation Total of 2200 I/O-s for Accelerator PSS, around 700 F-I/O-s. All safety equipment will be powered by Uninterruptible Power Systems (UPS). Two independent Siemens S7-1518 F-PLCs will be used for functional safety implementation, principally through safety functions in the software (TIA Portal V13). All sensors and actuators for PSS will be connected locally to the Siemens ET200SP distributed I/O stations with fail-safe I/O modules. A general safety function block will be implemented for each type of the important safety element.
Accelerator PSS – PLC Architecture ET200SP station ET200SP station ET200SP station ET200SP station ET200SP station Front End racks HMI HMI Switch ET200SP station ET200SP station IO racks Switch Switch HMI F-PLC ET200SP station Ethernet/Profinet Fiber optics PLC rack
Example: Door Position Monitoring Profinet FO Ethernet/FO Switches F-PLC RFID position switch Mechanical position switch ET200SP station ET200SP station
Door Position Monitoring - Reaction ET200SP station Contactors 1 Safety relay High voltage platform PS Power down Contactors 2 Power down Plasma chamber coils PS Feedback C2 Contactors 3 Power down RFQ 50ms delay ET200SP station Safety relay
Door Position Monitoring: SIL Evaluation F-DI F-CPU F-DO Contactors 1 Mechanical safety switch Contactors 2 F-DI F-CPU F-DO Magnetic safety switch Contactors 3 Each PSS will be a two train system. This will offer:- Diversity Separation Single failure Common Cause failure Diversity in Sensor level Separation in Evaluation Unit / Logic Solver and Final Element Common Cause failure effect is relatively small in LS unit Diversity Separation Separation CCF CCF CCF Detection Evaluation Reaction Single failure
SIF Door Position Monitoring Switch 1 Switch 2 CCF PLC 1 PLC 2 Contactors 1 Contactors 2 Contactors 3 SIF: Upon detecting abnormal entry/exit via 2 safety position switches on the door (1oo2), the safety PLC (1oo2) sends the signal to switch off proton source and RFQ power supplies (PS): High voltage platform PS (Contactors 1) Plasma chamber coils PS (Contactors 2) RFQ (Contactors 3). Stopping one of these 3 pair of contactors would stop the beam!
PSS Planning For 2016 Documentation Complete Accelerator PSS analysis Complete Accelerator PSS design Purchase all Accelerator PSS equipment Complete Target PSS analysis Complete Target PSS design Start hazard identification on 3 initial neutron instruments: LoKI, ODIN, NMX 2016 = Year Of Documents!
Thank you!