1 / 17

NSLS-II Shielding Workshop

NSLS-II Shielding Workshop. R. Casey Critical Devices March 27, 2007. Critical Devices (as defined in DOE 420.2b). Specific accelerator or beam line devices that are used to ensure that the accelerator beam is either inhibited or can not be steered into area where people are present Examples

anicklas
Download Presentation

NSLS-II Shielding Workshop

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. NSLS-II Shielding Workshop R. Casey Critical Devices March 27, 2007

  2. Critical Devices (as defined in DOE 420.2b) • Specific accelerator or beam line devices that are used to ensure that the accelerator beam is either inhibited or can not be steered into area where people are present • Examples • Steering magnets • Beam stops • collimators • Systems that operate on the injector or ion source to inhibit the beam (i.e. eliminate the radiation source)

  3. Examples of Critical Devices in NSLS-II • Safety shutter in front end • Photon shutter in beam line • Dipole which bends beam into booster from linac • Beam shutter in transport line from linac to booster

  4. Redundancy Requirements • DOE Accelerator Safety Order – Two or more critical devices should be considered for use in interlock systems where a very high radiation area (500 rad/hr) can be produced during operations

  5. BNL Interlock Requirements

  6. Redundancy Definition – BNL ESH 1.5.3 • High Risk - > 50 rem/hr whole body • Redundant Interlock Protection Systems use multiple, independent equipment arrangements such that each interlock system is isolated from the others to perform similar safety functions such that any single failure will not result in loss of protection

  7. What is the practice at BNL? • NSLS – single critical device, but redundant monitoring of system status. i.e. two independent circuits monitor logic requirements of system • AGS & C-AD – two critical devices each monitored by redundant and independent circuits

  8. What is the practice elsewhere? • APS – 2 critical devices • SLAC - 3 critical devices • ALS – 1 critical device • TJLAB - 2 critical devices

  9. So why would you go to redundant critical devices • Assumption - redundant devices reduce risk of an unsafe failure leading to a high exposure • What is existing risk with a single critical device and is it acceptable?

  10. First Question – what is an acceptable risk of unsafe failure • Standards define interlock requirements, not risk probabilities • For example: • “The failsafe and redundant character of the interlock system is vital. The system shall be design so that the most common failure modes result in a “safe” condition and any single failure shall not result in loss of protection.” • “The probability for the interlock system to fail shall be extremely remote if High Risk hazards exist within the protected boundary.” • If you meet these design standards, it has been assumed that your risk is considered acceptable; presumably “extremely remote”.

  11. If you had numbers, what would an acceptable risk of failure be?

  12. Proposed Risk Matrix for Evaluating Interlock Failure Probability

  13. NSLS recently conducted a failure mode analysis of its interlock systems • We wanted to use it as a basis for extending our test period from 6 months to 12 months • We used an engineer from the BNL Energy Sciences and Technology Department who routinely conducts failure mode analyses for the nuclear power industry. He also has had substantial involvement with the space industry • Various failure scenarios were evaluated and the failure probability calculated. • We have learned a lot about our systems

  14. Many scenarios evaluated - one scenario of interest • Scenario – person enters hutch using proper procedure; interlock logic is satisfied, but in fact shutter did not close • Risk of this failure was calculated at: • 1.12 E-7 for 6 month test interval • 4.5 E-7 for 12 month test interval

  15. Is 1 E-7 “extremely remote” • Risk is calculated per demand • We estimate the hutch doors are opened about 1E5 times per year • Therefore risk of an unsafe failure at the NSLS is about 1 E-2 per year • A 2nd critical device would reduce failure risk by about 1000.

  16. Recommendations • Redundant critical devices are appropriate for NSLS-II • Therefore, two critical devices isolating: • linac from booster (dipole & shutter) • booster from storage ring (dipole & shutter) • first optical enclosure from storage ring (2 safety shutters) • mono hutch from first optical enclosure (2 photon shutters)

  17. A Potential Critical Device & Interlock Policy • At a minimum, a PPS shall include the following elements: • A dual redundant system from the sensor to the final critical device. Either one of the systems may independently sense a fault and terminate the radiation source. • At least two final critical devices to ensure that failure of any one device shall not prevent the system from shutting off the radiation source. • Dedicated safety interlock circuits, separate from all other control or instrumentation circuitry. • A feedback system designed to verify the safe/unsafe status of final control elements. If the status of the PPS logic and the final critical device disagree, the PPS shall drop to a safe state.

More Related