Published by Eileen Lyons

Bremerton Safety Council
Camera Subsystem Hazards
Frank O’Neill
Safety Support
August 18, 2015

Camera Subsystem Hazard Review
–Camera Body and Shutter
–Sensor and Science Raft
–Corner Raft
–Electronics
–Filter Exchange System
–Optics
–Cryostat
–Integration and Test

LSST Camera CD-3 Review Brookhaven National Laboratory, Brookhaven, NY 2015
Camera Body and Shutter Subsystem
Martin Nordby
Camera Body and Shutter Engineering Manager
LSST Camera DOE CD-3 Review
August 4-6, 2015
R2

Hazard Analysis

Hazard analysis methodology
Camera body and shutter system safety and control of hazards is managed using project processes
Camera safety plans used by the shutter:
–LCA-138, Performance Safety Assurance Plan
–LCA-31, System Safety Program Plan
–LCA-14, Camera Hazard Analysis Report: describes camera and subsystem hazards and plans for mitigating them through design efforts and/or use of active controls
–LCA-15, Camera Hazard List: detailed list of specific hazards associated with subsystem hardware design and operations plans
The camera Hazard List (LCA-15) tabulates all of our identified hazards, mitigation plans and verification plans, using a semi-quantitative analysis
There are 13 hazards associated with the camera body and shutter
Mitigations/controls for all hazards are included in the design baseline for the subsystem

Camera body hazards—all 6

| # | Title | Hazard Description | Un-mitigated Risk Category | Mitigation Strategy | Mitigation Description | Updated Risk Category |
|---|---|---|---|---|---|---|
| CB&M-008 | Camera volume low-oxygen | Dry nitrogen is used as the purge gas, so the camera volume will be oxygen-deficient and a hazard for personnel accessing the camera for servicing | Serious | Procedure, training | 1. Analyze oxygen level around camera during maintenance to set access req's; 2. Use an ODM during any access; 3. Contain opening with blow-down clean-air tent to flush GN2 and keep air clean | Medium |
| CB&M-011 | Glycol leak in purge unit | Glycol coolant is used for cooling purge gas air in the purge unit, located in the utility trunk; if a glycol line leaks, it could contaminate many camera components | Serious | Safety feature | 1. Use high-integrity fittings for glycol lines; 2. Make the purge unit cabinet water-tight; 3. Add a hygrometer in the purge unit | Medium |
| CB&M-012 | Purge unit re-heater over-current | If a purge gas re-heater in the purge unit shorts to ground or over-heats, it could start an electrical fire in the utility trunk | Serious | Safety device | 1. Add over-current protection on the heater circuit; 2. Add smoke detectors in Utility Trunk interlocked to power supplies | Medium |
| CB&M-006 | Housing structural failure | The camera housing and back flange provide the primary structural support for the camera; over-stressing or failure of one structural element could result in large-scale damage or collapse | Serious | Eliminate hazard | 1. Use multiply-redundant bolted connections to ensure that no single failure can endanger the camera structure; 2. Design back flange and housing with conservative factors of safety, even under seismic loads, per LCA-280, "Camera Mech Std's" | Medium |
| CB&M-005 | Housing over-pressure | The camera housing, shroud, and L1-L2 Assembly form an enclosure that is pressurized at a slight positive pressure. If this were over-pressured, the structure would be stressed above its normal operating stresses | Medium | Control hazard | 1. Use a pressure-relief device to ensure that camera volume pressure never exceeds its limits; 2. Use a pressure switch to turn off purge flow if pressure increases | Medium |
| CB&M-007 | Camera volume contamination | Failure of any one of the housing seals could introduce contaminants into the camera volume | Medium | Control hazard | 1. Over-pressured camera volume to ensure that any leaks result in a net outward flow; 2. Use instrumentation to monitor internal pressure and flow rate of purge gas, to identify any leaks | Medium |

Camera body and purge hazards and controls
Camera body structural integrity is addressed in 2 of the hazards
–CBM-005, Over-pressure: mitigated with a pressure relief device in the camera volume; pressure is also monitored by the purge unit control system
  handled locally as part of the purge protection system
–CBM-006, Structural failure: camera body stresses are low and bolted joints are all multiply redundant connections
Purge unit failures are addressed in 2 hazards
–CBM-011, Glycol leak: mitigated with high-integrity fittings, waterproof purge unit cabinet, and humidity monitoring
  handled locally as part of the purge protection system
–CBM-012, Purge unit heater over-current: mitigated with current monitoring on the power supply
  handled locally as part of the purge protection system
Camera volume
–CBM-007, Contamination: mitigated through slight over-pressure of the camera volume and flow and pressure monitoring of the volume to detect leaks
–CBM-008, Low-oxygen: personnel hazard during access is mitigated through use of oxygen deficiency monitoring during servicing
  not part of protection system, but an administrative control

Shutter hazards—all 6

| # | Title | Hazard Description | Un-mitigated Risk Category | Mitigation Strategy | Mitigation Description | Updated Risk Category |
|---|---|---|---|---|---|---|
| CB&M-001 | Leading edge blades collide | Leading-edge blades collide during activation, destroying the blades and damaging the L3 lens or filter | 10/Medium | Safety device | Use limit switches to only enable blade motion when the opposing blade stack is in its parked position | 17/Medium |
| CB&M-002 | Blades collide | Blades within a stack collide when a timing belt breaks, damaging the blades | 10/Medium | Control hazard | 1. Add bumpers on blade carriages to absorb energy of leading and trailing blades colliding; 2. Add capture block at blade root to prevent trailing blade from falling away from leading blade | 17/Medium |
| CB&M-003 | Blade scrapes against L3 | During actuation, a blade flutters or vibrates, hitting and damaging the L3 lens or filter | 10/Medium | Control hazard | 1. Design and fabricate stiff and light blades to reduce dynamic vibration and flutter; 2. Test dynamics during prototyping to check for coupling of drive system and blade modes | 17/Medium |
| CB&M-009 | Leading blade overruns end of travel | Leading-edge blade runs past its end of travel during activation, damaging blades and possibly the L3 lens or filter | 10/Medium | Safety device | 1. Use over-travel switch to cut power to blade; 2. Add garage plates to contain blades at their end of travel | 15/Medium |
| CB&M-010 | Trailing blade overruns end of travel | Trailing-edge blade runs past its end of travel during activation, damaging blade and the L3 lens | 10/Medium | Control hazard | 1. Add blade stop to limit motion in the event of belt breakage; 2. Use over-travel switch to cut power to blade | 15/Medium |
| CB&M-004 | Pinching | During access or servicing, personnel could be injured by shutter blade or carriage pinching a finger while it is closing | 14/Medium | Procedure, training | 1. During personnel access, lock out the shutter; 2. Add rail lock to prevent pinching during shutter work | 17/Medium |

Shutter hazards and control
All hazards have a common theme:
–5 of 6 hazards involve blade collisions with each other and neighboring components
–1 of 6 hazards addresses collision of blades with personnel
However, the nature of potential collision is different, requiring differing mitigation
–Blade pinches a finger: rail lock to provide finger room
  administrative control
  CBM-004: During access, personnel could be injured by shutter blade pinching a finger
–Blade flutters or vibrates: blade design and prototyping
  control hazard
  CBM-003: during actuation, a blade vibrates, hitting and damaging the L3 lens or filter
–Low-speed collision between blades in a stack: add hard-stops/bumpers
  control hazard
  CBM-002: timing belt breaks and leading blade hits another
  CBM-010: timing belt breaks and trailing blade hits another blade or L3 lens
–High-speed collisions—mitigation is active controls to prevent over-travel
  handled locally as part of the shutter protection system
  CBM-001: Leading-edge blades collide during activation, destroying the blades and damaging the L3 lens or filter
  CBM-009: Leading-edge blade runs past its end of travel, damaging blades and L3 or filter
With 1 sec open/close time and 1 sec exposure time, only one blade stack is ever moving at one time, so active controls for protection are simply end-of-travel limit switches

CB&S integration with camera protection system
The Camera Protection System (CPS):
–Includes all systems and components of the Camera that are used to detect hazards and actively prevent mishaps
–Is fully independent of CCS control (but is monitored by CCS)
CPS provides the last and strongest line of a tiered defense against mishap occurrence
–1st line: design, analysis, and testing of Camera components
  Developing clear understanding of functional requirements
  Review of design and manufacturing plans
  Verification test plans to ensure that the as-built hardware meets expectations
–2nd line: monitoring, communication, command, and control system (a.k.a.: CCS)
  Orchestrates all Camera actions
  Actively monitors the condition of all systems within the Camera
  Compares operating parameters with preset allowable limits
  Provides early warning of trends in hardware operation that could result in a mishap
  Takes immediate action to prevent a mishap if thresholds are exceeded
–3rd line: Camera Protection System
  Includes hardware interlocks and switches
  Potential hazards are monitored and controlled by PLCs, which put systems into a safe state if the CCS fails to do so

Sensors and Science Raft
Chris Stubbs – Science Raft Subsystem Scientist
Bill Wahl – Science Raft Subsystem Manager
LSST CD-3 Review
August 4 – August 6, 2015

LSST Camera CD3 Review Brookhaven National Laboratory, Upton, NY 2015
Top 5 Science Raft Hazards
LSST Hazard List - LCA-15 (Current Top 5 Hazards) (Hazard Management process used to manage camera Hazards)
[Table image: Unmitigated hazards description and assessment; Mitigation and residual assessment]

Current Status of the Science Raft Hazard List

| Risk category | Pre Mitigation | Post Mitigation |
|---|---|---|
| High | 2 | 0 |
| Serious | 9 | 0 |
| Medium | 25 | 36 |
| Low | 2 | 2 |
| Total | 38 | 38 |

There are currently 38 Hazards identified for the Science Raft Subsystem
Hazards are tracked in the Camera Hazard registry, Document LCA-15
Hazards are identified at regular intervals

Corner Raft Overview
Vincent Riot
Corner Raft Engineering Manager
LSST CD-3 Review
August 4 – 6, 2015

Hazard Analysis & Mitigations

Hazards are fully identified and mitigated (see top 5 hazards below)
Top 5 Hazards

| Type | Title | Hazard Description | Unmitigated Severity / Probability / Risk Value | Unmitigated Risk Category | Mitigation Strategy | Mitigation Description | Residual Severity / Probability / Risk Value | Residual Risk Category | Verif Method | Verification Plan |
|---|---|---|---|---|---|---|---|---|---|---|
| Struc | Drop raft at load transfer | Cam-lock that holds the pre-load spring in place to the FEE cage or grid releases inadvertently, dropping raft on L3 or swinging it into neighboring sensors | 2 / C / 6 | Serious | Procedure, training | Develop robust design and assembly procedures that can tolerate misalignment and be inspectable | 2 / D / 10 | Medium | Audit | Test the procedure on prototype raft towers, then inspect engagement of cam on all raft towers as they are integrated |
| Struc | Dropping a raft | Failure of 1 of the 3 springs or attach pins drops raft onto L3 or swings it over into neighboring sensors | 2 / D / 10 | Medium | Control hazard | Design uses compression springs and shear pins in double-shear with high margins | 3 / E / 17 | Medium | Process control | Proof test all shear pins; procure pins and spring with material cert's |
| Struc | Drop sensor off raft | Ceramic threaded stud fractures, dropping a sensor onto L3 | 2 / D / 10 | Medium | Eliminate hazard | Threaded studs are 3-for-2 redundant, and designed with high margins of safety | 4 / E / 20 | Low | Process control | Run strength qualification tests on the stud design, and on the full sensor mech assembly |
| Matl's | Sensors damaged by by-products of component failure | An electronic component fails catastrophically, contaminating the sensors | 2 / D / 10 | Medium | Eliminate hazard | Use only electronic parts tested to failure and compared against outgassing standards; Limit max power available to actual needs | 3 / E / 17 | Medium | Process control | Verify by QA records that all parts being used have passed destructive tests |
| Elec | ESD damages sensor circuits | Electrostatic discharge damages/destroys electronics in raft tower | 3 / C / 11 | Medium | Safety feature | Hazard Report LCA-10794. Shorting plugs are used on the CCD cables during transport and storage. All commercial controller and GREB/WREB outputs to CCD gates have protection diodes so it is necessary and sufficient to put the CCD and the controller or GREB/WREB at the same potential prior to connection using fixturing and procedure control - per LCA-10794. | 3 / D / 14 | Medium | Test | Verify safety feature operates |

Integrated Safety Management practices are applied and hazards are tracked through the various design and development phases
Hazards are tracked in the Camera Hazard registry, Document LCA-15
Hazards are identified at regular intervals
There are currently 15 hazards in the hazard registry for the corner raft
Highest hazards are related to dropping corner rafts or contaminating sensors

Corner Raft hazards are mostly mitigated by controlling the hazards at the design level or with safety features/devices.
Safety devices and features address:
–CCD damage due to over-current or over voltages
  Protection diodes
  Power supply safety device
Design based mitigation address:
–Structural/Thermal failure:
  Redundancy
  High factor of safety
–Electronics failure and contamination:
  Testing prior to integration
Procedures and Inspection:
–Dropping rafts/alignment:
  Assembly procedures
–Contamination:
  Cleanliness QA

IR2 Clean Room layout and corner raft support
Clean room space identified for corner raft assembly and test
ISO Class 6 (Fed Std class 1K); air blown down from ceiling diffusers with return at base of walls; over-pressurization to inhibit particulate entry
Temperature drift around set point: 4 deg F, full range
Humidity range: 30-60 %RH
Minimum lighting conditions: 70 ft-candles at bench level
Floor loading capacity: 100 psf, minimum
Flooring: static-dissipative floor tiles, sheet, or paint bonded to the building ground points around the perimeter of the room. Floor treatment compatible with the use of air bearings for moving equipment
Grounding: connections to building ground and array of ground connection points around perimeter of each room for ESD-controlled workstations; ESD test station in Ante Room

Quantifying Outgassing at SLAC MTF sample orifice
Outgassing species and rates of candidate materials being measured
Outgassing data is combined with material database for estimating of gas loads in cryostat
Guidelines on acceptable outgassing levels in part from image quality & throughput analysis

Auxiliary Electronics System Electronics and Protection System
Gunther Haller
Auxiliary Electronics Manager
Camera Electrical Project Engineer
LSST DOE CD-3 Review
August 4 – August 6, 2015

Hazard Analysis

Hazards are identified and mitigated

| # | Title | Hazard Description | Un-mitigated Risk Category | Mitigation Strategy | Mitigation Description | Updated Risk Category |
|---|---|---|---|---|---|---|
| ELX-001 | Loss of cooling | If Utility Trunk cooling were to fail, the temperature of support electronics would rise to levels that could damage the electronics | Serious | Safety device | Use temperature switches on any rack with high-power electronics to shut off power if it overheats | Medium |
| ELX-002 | Over Voltage/Current | Raft Tower power supply produces an over voltage, damaging the supply itself or Raft Tower/RCM | Serious | Safety device | All power supplies are equipped with over-voltage and over-current devices | Medium |
| ELX-003 | Cable Abrasion or Stress | If a power or signal cable is abraded or stressed the insulation could be compromised or the connections could be broken, possibly resulting in a short circuit, overheating, and fire at worst | Serious | Control hazard | Design cable plant to avoid stress on joints and rub points; take great care with any moving cables | Medium |
| ELX-004 | Electrical Fire | Local overheating of electronics components could cause fire | Medium | Safety device | Combination of using standard fire retardant or resistant construction materials and including smoke sensing devices in the volumes where electrical and electronic devices are located which will trip off power | Medium |
| ELX-005 | Electrical Safety | Personnel hazard from high voltages or high currents. | Serious | Control hazard | All voltages and available currents above "ultra-low voltages and currents" to be handled according to all applicable codes and standards, implement LOTO during maintenance and repair | Medium |

Filter Exchange System
Pierre Karst
Sub-System Manager (IN2P3)
LSST CD-3 Review
August 4-6, 2015

Hazard Analysis & Mitigations

Hazards are fully identified and mitigated
Top 5 Hazards

| Type | Title | Hazard Description | Unmitigated Severity / Probability / Risk Value | Unmitigated Risk Category | Mitigation Strategy | Mitigation Description | Residual Severity / Probability / Risk Value | Residual Risk Category | Verif Method | Verification Plan |
|---|---|---|---|---|---|---|---|---|---|---|
| Mech | Physical collision of exchange system parts | Inadvertent execution of an action while the system is in a state that is not safe for that action | 2 / B / 5 | High | Safety device | See Hazard Report LCA-10743, Switches monitor the condition of all actuatable systems, with positive signal required to enable an action | 2 / E / 15 | Medium | Test | Test instrumentation as part of exchange system performance verification |
| Mech | Dropping a filter | Improper sequencing of clamps leaves a filter in an unsecured condition | 2 / B / 5 | High | Safety device | See Hazard Report LCA-10743, Switches monitor the position of all mechanisms, and will only open when system is in a safe state | 2 / E / 15 | Medium | Test | Test instrumentation as part of exchange system performance verification |
| Mech | Uncontrolled rotation of the Carousel | Inadvertent rotation of the carousel and collision of a filter by back-driving through the drive train; this can occur when an unbalanced load of filters places a torque on the Carousel | 2 / C / 6 | Serious | Eliminate hazard | Use a non-back-driveable gear train, or add a power-off brake to prevent uncommanded rotation, even when the power is off | 4 / E / 20 | Low | Test | Proof test the Carousel to demonstrate that gear train can not be back-driven, even under seismic loads |
| Mech | Dropping filter off Auto Changer truck | Latch mechanism that holds the filter releases and drops the filter, damaging it and L2, L3, or the Shutter | 2 / D / 10 | Medium | Control hazard | See Hazard Report LCA-10743, Power and an enable signal is required to unlatch a filter | 2 / E / 15 | Medium | Test | Run proof tests to verify that latch can carry max load without unlatching |
| Struc | Linkage buckling | Buckling or structural failure of thin linkage members, causing damage to Shutter or filter | 3 / C / 11 | Medium | Control hazard | Design linkage in accordance with LCA-280, Mechanical Standard to carry loads consistent with stall force of motor | 3 / E / 17 | Medium | Process control | Proof test the linkage, then run verification tests as part of Changer testing |

Integrated Safety Management practices are applied and hazards are tracked through the various design and development phases
Hazards are tracked in the Camera Hazard registry, Document LCA-15.
Hazards are identified at regular intervals.
There are currently 19 hazards in the hazard registry for the Filter Exchange System.
Highest hazards are an inadvertent execution of an action and the dropping of a filter.

Implementation of the mitigation plan in the Filter Exchange System design
The local Protection System is controlled by the Safety PLC. It permits electrical power to the actuators through the monitoring of the safety relays.
No action can be performed without a positive signal from the sensors.
For the protection of operators, the Safety PLC switches off the power if the maintenance hatches are open.
The torques are monitored through the current of the motors. All the controllers used provide a preset current limit.
All the driving rails are equipped with power-off brakes. All the mechanisms are fixed in position in case of loss of power.
All the components will be tested under load before integration in the camera.
The long-duration test of the Full Scale Prototype will qualify the components for the cycling constraints and the wear behavior.
Details are given in the document LCA-10743: Filter Exchange System Hazard Report
Filter clamp: clamped with power off. It can’t be released without the permit of the Safety PLC to the actuator.
Safety PLC: independent from the control/command. It receives the sensor signals and it commands the safety relays for the actuator power.

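The Safety PLC permit described above, and the third line of the tiered defense on the Camera Protection System slide, can be sketched as fail-safe permissive logic wired in series with the control layer. This is an added example, not LSST project code: the action names, signal names and permissive table are hypothetical, and the real PLC program and I/O list are not given on these slides.

```python
"""Added illustration (not LSST project code): fail-safe permissive logic for
an independent protection layer. All action and signal names are hypothetical."""
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Hypothetical permissive table: sensor inputs that must read positively True
# before the safety relay feeding an actuator may close.
PERMISSIVES = {
    "move_blade_stack_A": ("blade_stack_B_parked", "stack_A_overtravel_clear"),
    "release_filter_clamp": ("filter_held_by_changer", "changer_in_position"),
    "rotate_carousel": ("changer_retracted", "filter_clamps_closed"),
}
# Hypothetical inputs required for every action (operator protection).
GLOBAL_PERMISSIVES = ("maintenance_hatches_closed",)


@dataclass(frozen=True)
class Permit:
    granted: bool
    missing: Tuple[str, ...]  # inputs that were not positively asserted


def protection_permit(action: str, inputs: Mapping[str, Optional[bool]]) -> Permit:
    """Third line of defense: decide from the protection layer's own sensors.

    Fail-safe rules: an unknown action is denied, and an input that is False,
    None (no signal, e.g. a broken wire) or absent counts as unsafe. The
    control system's command is deliberately not an input to this decision.
    """
    required = PERMISSIVES.get(action)
    if required is None:
        return Permit(False, ("unknown_action",))
    missing = tuple(
        name for name in GLOBAL_PERMISSIVES + required
        if inputs.get(name) is not True
    )
    return Permit(not missing, missing)


def control_layer_allows(action: str, state_model: Mapping[str, bool],
                         check_disabled: bool = False) -> bool:
    """Second line of defense: the control software's check of its state model.

    check_disabled=True models a software fault in which the check is skipped.
    """
    if check_disabled:
        return True
    required = PERMISSIVES.get(action, ("unknown_action",))
    return all(state_model.get(name, False) for name in required)


def actuator_powered(action: str, state_model: Mapping[str, bool],
                     plc_inputs: Mapping[str, Optional[bool]],
                     check_disabled: bool = False) -> bool:
    """The relay is in series: power flows only if both layers agree."""
    return (control_layer_allows(action, state_model, check_disabled)
            and protection_permit(action, plc_inputs).granted)


def demo() -> dict:
    """Constructed inputs: the control-layer check is skipped in every case,
    so the outcome depends on the protection layer alone."""
    healthy = {
        "maintenance_hatches_closed": True,
        "blade_stack_B_parked": True,
        "stack_A_overtravel_clear": True,
    }
    cases = {
        "all inputs healthy": healthy,
        "opposing stack not parked": {**healthy, "blade_stack_B_parked": False},
        "broken sensor wire (no signal)": {**healthy, "stack_A_overtravel_clear": None},
        "hatch open": {**healthy, "maintenance_hatches_closed": False},
    }
    return {
        label: actuator_powered("move_blade_stack_A", {}, plc_inputs,
                                check_disabled=True)
        for label, plc_inputs in cases.items()
    }


if __name__ == "__main__":
    for label, powered in demo().items():
        print(f"{label:32s} -> actuator powered: {powered}")
```

Treating a missing signal the same as an unsafe one is what makes a failed sensor remove power rather than grant it.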
Optics Subsystem
Scot Olivier
Subsystem Physicist
Scott Winters
Subsystem Manager
LSST Camera DOE CD-3 Review
August 4 - 6, 2015

Hazard Analysis and Mitigation

Hazards are fully identified and mitigated
Top 5 Hazards

| Type | Title | Hazard Description | Unmitigated Severity / Probability / Risk Value | Unmitigated Risk Category | Mitigation Strategy | Mitigation Description | Residual Severity / Probability / Risk Value | Residual Risk Category | Verif Method | Verification Plan |
|---|---|---|---|---|---|---|---|---|---|---|
| Press/Vac | Overpressure of the L3 lens | Overload of L3 due to excessive external pressure from overpressurizing the camera volume | 1 / C / 4 | High | Safety device | 1. Design L3 lens to survive the largest pressure differential possible, using a large factor of safety (size purge system pump to limit max pressure); 2. Use pressure switch to turn off purge flow and design feature or relief valve in camera volume to limit external pressure on L3 (after I&T observatory located at approx 8000 feet ASL, atmospheric pressure is 75% of SL, this reduces press diff) | 1 / E / 12 | Medium | Test | Qual test L3 Assembly at temperature and pressure; Acceptance test pressure switch and relief valve on camera |
| Press/Vac | Overpressure of the L1 lens | Overload of L1 due to excessive internal pressure from overpressurizing the camera volume | 2 / C / 6 | Serious | Safety device | 1. Design L1 lens to survive the largest pressure differential possible, using a large factor of safety (size purge system pump to limit max pressure); 2. Use pressure switch to turn off purge flow and design feature or relief valve in camera volume to limit external pressure on L3 | 2 / E / 15 | Medium | Test | Acceptance test pressure switch and relief valve; Analyze L1 lens for max over-pressure load |
| Struc | L1-L2 Assembly strut flexure failure | Failure of a flexure due to overloading during torquing or adjusting the assembly beyond the angular working range of the flexure | 1 / D / 8 | Serious | Safety feature | Design flexure to carry operational, handling and seismic loads with appropriate safety factors. Tooling design should limit torques on flexures. | 1 / E / 12 | Medium | Test | Proof test flexures to worst case loading conditions |
| Press/Vac | Overpressure of the L3 lens | Overload of L3 due to excessive internal pressure from within the cryostat, due to overpressurizing the cryostat during backfill and purge operations | 1 / D / 8 | Serious | Safety Device | 1. Regulate purge pressure to less than 3kPa (TBD); 2. Size purge system pump to limit max pressure; 3. Design L3 lens to survive the max purge system pressure differential, using a large factor of safety; 4. Use a pressure-relief valve in the pump/purge lines to limit the internal pressure on L3 (Pressure relief valve on cryostat housing?) | 2 / E / 15 | Medium | Test | Qual test L3 Assembly at temperature and pressure; Test pressure-relief valve prior to every vent as part of set-up procedure |
| Struc | L1 micro-crack leads to failure | A flaw or micro-crack in the glass could cause a failure of the lens, since it is under continuous stress due to pressure loads | 1 / D / 8 | Serious | Control hazard | Perform fracture analysis to determine the largest acceptable crack size; use large factors of safety | 3 / E / 17 | Medium | Process control | Inspect the lens to verify that any cracks are smaller than the critical crack size |

LSST Camera Optics Hazards
Integrated Safety Management practices are applied and hazards are tracked through the various design and development phases
Hazards are tracked in the Camera Hazard registry, Document LCA-15
Hazards are identified at regular intervals
There are currently 19 hazards in the hazard registry for the Optics Subsystem
Highest hazards are the overpressure of the L3 lens and the L1 lens followed by strut failures (L1-L2 assembly to camera body)
[Chart: LSST Camera Optics Hazards Types]

LSST Camera Optics Hazards Mitigation Strategies
Optics hazards are mostly mitigated by controlling the hazards at the design level or with safety features/devices.
Safety devices address:
–Overpressure:
  Pressure switch to turn off purge flow (inside the camera volume)
  Relief valve in camera volume (limit overpressure)
Design based mitigation address:
–Flexure bond failure
  Large factor of safety
–Over-pressure:
  Large factor of safety
  Fracture analysis
–Structural failure:
  Large factor of safety
  Stress analysis
Inspection address:
–Glass fracture:
  Maximum crack size allowed on glass components

DOE LSST CD3 Review Brookhaven National Laboratory, August 4-6, 2015
Cryostat
Rafe H. Schindler
Sub-system Physicist
J. Langton
Sub-system Manager/CAM
LSST Camera DOE CD-3
August 4-6, 2015

Hazard Analysis and Mitigation

Cryostat Hazard Analysis
The camera has drafted hazard lists (LCA-15 & O&SHA)
–Operating and support hazard analysis tabulates hazards associated with camera operations phase.
–Lists tabulate all of our identified hazards, plans to mitigate, and plans to verify that the mitigation is in fact operating as required.
–The Hazard List uses a semi-quantitative analysis to rank hazards by probability of occurrence and severity of impact.
The cryostat system carries:
–A total of 24 hazards
–No “High” hazards
–3 “Serious” hazards (unmitigated)
  Cryostat vacuum-pressure failure.
  Overpressure failure of cryostat.
  Asphyxiation due to release of refrigerant
–All hazards are assessed as Medium or Low after mitigation
Why are not all hazards mitigated to “low”?
Because, with very few exceptions, the severity of a hazard cannot be reduced. Only the probability of a hazard occurring can be addressed by mitigation and that sets a certain lower bound for any specific hazard.

Cryostat hazards detail

| Hazard Description | Mitigation | Verification |
|---|---|---|
| #021: Release of refrigerant in Utility Room may displace air, causing asphyxiation of personnel entering the room | 1-provide ventilation of room sufficient to remove limited refrigerant quantity of system charge; 2-employ oxygen deficiency monitor in utility room | 1-test ventilation system for adequate (as designed) performance for air change rate; 2-Test ODM periodically, verify alarm set point; 3-ensure training is adequate and retraining frequency is consistent with needs. |
| #020: Structural failure of cryostat due to overpressure during a purge-venting operation | 1-Design cryostat for overpressure loads with recommended safety factors; 2-include burst disk and or pressure relief valve on cryostat vacuum system; 3-restrict purge and backfill connection to low pressure systems; 4-restrict purge and backfill connection to low volume bottles and or dewars. | 1-Proof test cryostat to overpressure; 2-proof test pressure relief valve; 3-verify that burst disk parameters are consistent with design specifications. test representative burst disc for proper function; 4-review documentation and training to ensure only approved bottles and components will be connected to system; 5-design and or select interconnect hardware to minimize risk of unapproved hardware connections |
| #010: Cryo or Cold Plate exceed their max operating limits | 1-design hardware to survive maximum possible temperature with heaters on / refrig lower cooling capacity; 2-Temp sensors on Cryo and Cold plates provide feedback; over-temp switches cut power to heaters and RCM power supplies | 1-Test monitoring feedback control and over-temp switches |

Cryostat hazards are loosely grouped as follows:
–Personnel injury--e.g.: unplanned release or venting of gases or fluids
–Structural failure—e.g.: failure of a component due to improper system usage or thermal cycling.
–Control or operations failure—e.g.: damage due to incorrect or loss of transducer

Cryostat hazard reports
The Camera Safety Officer reviews the hazard analysis.
Specific hazards with causes that are particularly complex or that have significant impact are flagged and Hazard Reports completed.
LCA-10742 reports on the cryostat hazard of structural failure due to overpressure.
The report details the hazard:
–...If these gas supplies are not properly engineered and operated there could be a hazard buildup of pressure in the cryostat vacuum ….
The controls / actions:
–1-Design cryostat for overpressure loads with recommended safety factors
–2-Include burst disk and / or pressure relief valve on cryostat vacuum system
–3-Restrict……..
The effects:
–1-ensure if an over pressure condition develops the structural integrity……..
–2- ensure if fault or failure occurs and uncontrolled supply of gas…..
–3-ensure that the total pressure……
The verifications required:
–1-Proof test cryostat to maximum expected overpressure……..
–2-Proof test pressure relief valve………
–3-Verify that burst disk……….

Cryostat Hazards Summary: Assessments and mitigations are consistent with CD-3 readiness
Effect on CD-3 readiness
–We have identified mitigations for all 24 hazards.
–The mitigations reduce the associated risk to the lowest level achievable.
–Verification requirements for mitigations established and documented.
Hazard reports and assessments have been reviewed and updated in preparation for CD-3
Cryostat hazard definition and assessment is mature.
Mitigations are identified and integrated into the project execution and / or system designs.
Hazard assessments and mitigations consistent with CD-3 readiness.

Integration and Testing
Tim Bond
Integration and Test: Engineering Manager
LSST Camera CD-3 Review
Aug 4 – Aug 6, 2015

I&T: Hazard Analysis and Mitigations

I&T Hazard Analysis
As with other subsystems, the methodology for assessing hazards was spelled out in:
–System Safety Program Plan (LCA-31).
–Hazard Analysis Report (LCA-14).
3 main steps in addressing hazards:
–Identify and rank the hazard, including probability and severity.
–Develop a mitigation plan for reducing the overall impact of the hazard.
–Establish a method for verifying the mitigation steps have been taken.
Currently, the hazards associated with Camera I&T activities are listed in the document:
–Camera Hazard List (LCA-15).
In the future, these Hazards will likely be removed from Camera Hazards List (LCA-15) and placed in the Camera Operating and Support Hazards List (LCA-11665).
–This list will “live” perpetually with the camera through I&T and the ongoing operational phases.
–Methodology for additional populating of this list is identified in Camera Operating and Support Hazard Analysis (LCA-11661).

I&T hazards from LCA-15 Hazard List

Hazards specific to the I&T process
We have identified 13 hazards that are unique to the I&T process, 11 involving personnel injury.
–2 involve damage to delicate equipment.
–4 involve cuts from brittle materials that break.
–2 involve use of cryogenic materials - frostbite.
–1 involves use of LN2 - asphyxiation.
–2 involve electric shock.
–2 involve crushing from moving heavy loads in tight spaces.
Mitigations to reduce the probability or severity of the hazard:
–4 include warning devices, safety features, or safety devices already planned for in the design of the hardware.
–9 involve implementing specific controls through work planning and control procedures:
  Most I&T activities are under strict procedural controls.
  6 Incorporate Personal Protective Equipment (PPE).
Procedures have been determined and are being detailed following the LSST Camera Performance Safety and Assurance Plan (See Joe Kenny’s talk).
Every process within our work flow will have a detailed procedure developed, documented and reviewed by the appropriate safety representative (Joe K).

Example I&T Process in eTraveler (w job harness)