Full Scale Thermosiphon Risk Assessment Lukasz Zwalinski PH/DT/PO - Cooling

Thermosiphon workshop §5 20 th October 2011 L.Zwalinski – PH/DT/PO Introduction Document prepared on 23 rd of March 2011 Main references:  P&I Diagram and Part List of the Full Scale Thermosiphon March 2011 EDMS  CERN Safety Guideline OHS – Risk Assessment EDMS  ISO Safety of machinery – General principles for design – Risk assessment and risk reduction  ISO Risk management – Principles and guidelines  ISO/TR Safety of machinery – Risk assessment  ISO Safety of machinery – Safety related parts of control systems

Definitions Thermosiphon workshop §5 20 th October 2011 L.Zwalinski – PH/DT/PO Hazard The intrinsic property or ability of something (e.g. work materials, equipment, work methods and practices) with the potential to cause harm. Hazardous event Occurrence leading to undesired consequences and arising from the triggering by one (or more) initiator events /causes of one (or more) hazards. Risk The likelihood that the potential for harm will be attained under the conditions of use and/or exposure, and the possible extent of the harm. Effect of uncertainty on objectives. Severity Classification of a failure or undesired event according to the magnitude of its possible consequences. Risk assessment The process of evaluating the risk to the health and safety of workers while at work arising from the circumstances of the occurrence of a hazard at the workplace. Overall process of risk identification, risk analysis and risk evaluation.

Definitions Thermosiphon workshop §5 20 th October 2011 L.Zwalinski – PH/DT/PO Risk assessment process It is based on a systematic examination of all aspects of work that considers: what could cause injury or harm, whether the hazards could be eliminated and, if not, what preventive or protective measures are, or should be, in place to control the risks. [OHSAS Occupational Health and Safety]

Risk assessment activities ISO 12100:2010 Thermosiphon workshop §5 20 th October 2011 L.Zwalinski – PH/DT/PO Determination of the system limits Hazard identification – identifying the hazards and environmental aspects occurring in normal and exceptional conditions Risk estimationRisk evaluation 1. Usage limits Operating phases and procedures (2kW Thermosiphon) Control system (overall architecture) System users (accesses control) 2. Time limits (continues operation) 3. Space limits (Point 1, USA15, B3184 roof) 4. Other limits (properties of cooling fluids)

Risk estimation OHS Thermosiphon workshop §5 20 th October 2011 L.Zwalinski – PH/DT/PO ProbabilityOccurrence of the hazardous event Very low [1]Extremely unlikely to occur during task; once per year or less. Low [2]Unlikely to occur during task; more than once per year, maximum of once per month. Medium [3]Incident may occur during task; several times per month, maximum of once per week. High [4]Likely to occur several times during task; several times per week SeveritySeverity description Minimal [A] People Slight injuries, no treatment needed. EnvironmentNot applicable. PropertyNot applicable. Low [B] People Injuries or temporary, reversible illnesses not resulting in hospitalization and requiring only minor supportive treatment. Environment Isolated and minor, but measurable, impact on some component(s) of a public resource. PropertyMinor property damage in the facility. Medium [C] People Injuries or temporary, reversible illnesses resulting in hospitalization of variable but limited period of disability. EnvironmentSerious impairment of the functioning of a public resource. PropertyMajor property damage in the facility. High [D] People Death from injury or illness, permanent disability or chronic irreversible illness. EnvironmentPermanent or long term loss of a public resource (drinking water, air, etc.). PropertyLoss of facility. The probability of occurrence of harm The Severity of harm

Risk evaluation OHS Thermosiphon workshop §5 20 th October 2011 L.Zwalinski – PH/DT/PO Risk evaluation Probability of the hazardous event Very low [1]Low [2]Medium [3]High [4] Potential severity Minimal [A][A1][A2][A3][A4] Low [B][B1][B2][B3][B4] Medium [C][C1][C2][C3][C4] High [D][D1][D2][D3][D4] Risk levelAction Low [A1, A2, B1] Acceptable risk: no actions need to be taken. Medium [A3, A4, B2, B3, C1, C2, D1] Unacceptable risk: actions are necessary to reduce the risk. High [B4, C3, C4, D2, D3, D4] Unacceptable risk: immediate actions are necessary to reduce the risk promptly. Risk levels Selected risk matrices method. Risk = Probability of occurrence of a hazardous event x Severity of consequences Risk estimation – risk related to the considered hazard is a function of severity of harm and probability of occurrence Risk evaluation determine if risk reduction is required. If risk reduction is required, the appropriate protective measures shall be selected and applied.

Hazard identification and risk evaluation example Thermosiphon workshop §5 20 th October 2011 L.Zwalinski – PH/DT/PO EH2102

Hazard identification and risk evaluation example Thermosiphon workshop §5 20 th October 2011 L.Zwalinski – PH/DT/PO Phase operation Hazard zone User/ task/ component Component description Hazardous event Hazard Local potential consequences Global potential consequences Current measuresSeverity Probability Risk LevelRisk reductionSeverity Probability Risk Level Normal operation: Run-order & (Stand- by OR Run OR Recovery) Vertical liquid line, USA15 EH2102 Heater on the liquid supply line after the vapor cooling heat exchanger and before bypass - heating to ambient temperature to avoid condensation in the way to the detector Fails to heat up coolant Electrical failure - 24DC Power supply problem. The command signal from the PLC is not reaching the solid state relay. Relay stays open. Not possible to keep the temperature above the 20 C, condensation on the detector supply line. Unable to continue cooling of the Inner Detector the condensation in the detector can damage other electronic systems. The temperature after the heater TT2103 is not changing or stays equal to the temperature before the heater TT2102. The inspection of the control cabinet is required. 24VDC Power Supply status monitored by the status bit read by PLC and displayed in PVSS. Plant's Start Interlock. If coolant stops circulating the Evaporative Cooling Compressor Station have to be switched on to continue Atlas operation and avoid Inner Detector degradation. All compressor station system elements should be kept in good condition as the back-up solution in serious Thermosiphon damage. MediumVery lowC1 Install redundant power 24DC supplyMinimal Very Low A1 Electrical failure - problem with coil of the command relay or the relay switch is not changing its position (relay blockage) Adding the back up heaterMinimal Very Low A1 Electrical failure - solid state relay problem Electrical failure - circuit breaker trip, overloadCircuit breaker status is continuously monitored by the PLC. PLC trigger stop interlock which is displayed in the PVSS and it blocks the command. If coolant stops circulating the Evaporative Cooling Compressor Station have to be switched on to continue Atlas operation and avoid Inner Detector degradation. All compressor station system elements should be kept in good condition as the back-up solution in serious Thermosiphon damage. MediumVery lowC1 Electrical failure - differential circuit breaker trip, residual current detection PID control is OFF or fails according to measured value IOError; the measured value is the liquid temperature entering detector and by-pass TT2202. This temperature has to be higher than 20C to avoid condensation. The controller and heater PVSS widgets will indicate the IOError. The Operator has to verify if any logic dependent sensor or calculation is in IOError. IOError propagation between related object. Controller inherit errors form heater. If coolant stops circulating the Evaporative Cooling Compressor Station have to be switched on to continue Atlas operation and avoid Inner Detector degradation. All compressor station system elements should be kept in good condition as the back-up solution in serious Thermosiphon damage. MediumLowC2 Add second temperature sensor and regulate on average temperature value. If one of the sensors is in IOError take it out form calculation. Only if both sensors are in IOError then stop the system. Minimal Very Low A1 Burn of insulation Electrical failure - thermal switch TS2102 fails Overheating, burn of insulation and fire. Unable to continue cooling of the Inner Detector. In case of fire serious system damages all ATLAS experiment stops. The second level of heater protection and the last one is the thermal switch installed on the device which cuts the power supply independently of the PLC command. The thermal switch has it's own thermocouple installed inside the heater. In case of that failure electrical inspection is required, heater temperature sensor dismounting and thermal switch replacing. In that period system has to be stopped. HighVery lowD1 Software stop interlock which stops the command from the PLC with the temperature threshold set up to be lower than thermal switch threshold. The additional thermocouple should be installed in the heater to be able to detect over temperature before the thermal switch trips. The thermal switch feedback to the PLC. Additionally SET/RESET interlock condition of the thermal switch status = If the thermal switch overheating is detected the interlock should trip. When the interlock cause disappear the interlock should stay ON until the operator will reset it. No auto recovery after the thermal switch problem. LowVery lowB2 Electric shockTouching live parts Not possible to keep the temperature above the saturation temperature of the return vapor - condensation on the return line. Unable to continue cooling of the Inner Detector. circuit breaker status is continuously monitored by the PLC. PLC trigger stop interlock which is displayed in the PVSS and it blocks the command. Necessary electrical inspection and system stop. HighVery lowD1 The heater is housed in the screwed metallic cover protecting user from touching the live parts during normal operation. circuit breaker monitoring and heater stop interlock. Low Very Low B1

Hazard identification and risk evaluation example Thermosiphon workshop §5 20 th October 2011 L.Zwalinski – PH/DT/PO Phase operation Hazard zone User/ task/ component Component description Hazardous event Hazard Local potential consequences Global potential consequencesCurrent measuresSeverity Probabil ity Risk LevelRisk reductionSeverity Probabil ity Risk Level Normal operation: NO Run- order Vertical liquid line, USA15 EH2102 Heater on the liquid supply line after the vapor cooling heat exchanger and before bypass - heating to ambient temperature to avoid condensation in the way to the detector Fails to OFF, Burn of insulation Electrical failure - problem with coil of the command relay or the relay switch is not changing its position (relay blockage) Unnecessary heating during stop period. Dangerous of overheating burn of insulation and fire if PLC and thermal switch fails and no coolant circulation. Unable to restart cooling of the Inner Detector. In case of fire or serious system damages all ATLAS experiment has to be stopped until all required repairs will complete. The second level of heater protection and the last one is the thermal switch installed on the device which cuts the power supply independently of the PLC command. The thermal switch has it's own thermocouple installed inside the heater. In case of that failure electrical inspection is required, heater temperature sensor dismounting and thermal switch replacing. In that period system has to be stopped. HighVery lowD1 Software stop interlock which stops the command from the PLC with the temperature threshold set up to be lower than thermal switch threshold. The additional thermocouple should be installed in the heater to be able to detect over temperature before the thermal switch trips. The thermal switch feedback to the PLC. Additionally SET/RESET interlock condition of the thermal switch status = If the thermal switch overheating is detected the interlock should trip. When the interlock cause disappear the interlock should stay ON until the operator will reset it. No auto recovery after the thermal switch problem. LowVery lowB2 Electrical failure - solid state relay problem Unable to switch off the heater. The heater is out of use and we can't control the temperature of the vapor after the internal heat exchanger. The EH2102 temperature controller TC2102 is unable to perform correct PID control. The power to the heater has to be stopped and the solid state relay replaced. It requires the control cabinet inspection and solid state replacement. For a safety reason the system should be stopped. Additional contactor placed before the solid state relay called heater power ON. It switch on the power circuit between the solid state relay and circuit breaker. LowVery lowB1

Hazard identification and risk evaluation Thermosiphon workshop §5 20 th October 2011 L.Zwalinski – PH/DT/PO P&ID March 2011P&ID September 2011

Hazard identification and risk evaluation – supplies Thermosiphon workshop §5 20 th October 2011 L.Zwalinski – PH/DT/PO Phase operation Hazard zone User/ task/ component Component description Hazardous event Hazard Local potential consequences Global potential consequences Current measuresSeverity Probability Risk Level Risk reduction Severity Probability Risk Level Normal operation - all option modes B3184 Compresse d air line compressed air supply line in surface building Stop of three compressor stations in B3184 Uncontrolled valve closing All pneumatic valves are going to safety position. All system has to be stopped. Impossible to continue Atlas Inner Detector cooling. Festo pressure switch (Surface Pressure Switch Low), if the compressed air pressure became too low, PLC stops receiving the DI signal. DI becomes OFF. PLC trip Full Stop Interlock and all system is moved to safety position. The compressed air system is redundant and connected to UPS. MediumVery lowC1 Install battery of N2 bottles with hardwired pressure switch LowVery lowB1 Normal operation - all option modes USA15 compressed air supply line in underground area Festo pressure switch (Underground Pressure Switch Low), if the compressed air pressure became too low, PLC stops receiving the DI signal. DI becomes OFF. PLC trip Full Stop Interlock and all system is moved to safety position. The compressed air system is redundant and connected to UPS. MediumVery lowC1 Install battery of N2 bottles with hardwired pressure switch LowVery lowB1 Normal operation - all option modes B V DC power supplies 24V DC power supply in surface control cabinet Stop of 24V DC power supply Stop of all 24V DC commands, unable to read all sensors in surface area (except temperature sensors if connected directly to AI card). Unable to send any command from the PLC to the actuators. All system has to be stopped. Impossible to continue Atlas Inner Detector cooling. PLC monitors the 24V DC power supply status. In case of failure PLC has its own power supply and it can receive bad status signal form power supply. MediumVery lowC1 Use redundant 24V DC power supplies. MinimalVery LowA1 Normal operation - all option modes USA15 24V DC power supply in underground control cabinet Stop of 24V DC power supply Stop of all 24V DC commands, unable to read all sensors in underground area (except temperature sensors if connected directly to AI card). Unable to send any command from the PLC to the actuators. All system has to be stopped. Impossible to continue Atlas Inner Detector cooling. PLC monitors the 24V DC power supply status. In case of failure PLC has its own power supply and it can receive bad status signal form power supply. MediumVery lowC1 Use redundant 24V DC power supplies. MinimalVery LowA1

Summary Thermosiphon workshop §5 20 th October 2011 L.Zwalinski – PH/DT/PO Considered: 240 hazards 202 hazardous events 76 individual components in 7 groups 98 risk reduction proposals mechanical, electrical and control failures included EDMS document under approval Medium [A3, A4, B2, B3, C1, C2, D1]Unacceptable risk: actions are necessary to reduce the risk. EDMS