410 likes | 426 Views
This review examines the safety systems implemented for the Large Hadron Collider (LHC) experiments and experimental areas. It covers the requirements, implementation status, communication, and issues of concern for the safety systems. Specific safety systems reviewed include alarm and monitoring systems, fire detection and oxygen deficiency monitoring, access control systems, and damage limitation systems.
E N D
Review of Safety Systemsfor the LHC Experiments and Experimental AreasSupplied by TS Department Conclusions LHC safety system review/Detlef Swoboda
Safety Review Scope • PROJECT SPECIFICATION AND STATUS - THE PROVIDERS • a) Requirements and Functional Specifications • b) Status of Implementation • c) Installation Planning • d) Communication and links between Safety Systems and the experiments & CCC • e) Issues of Concern • REQUIREMENTS FROM AND TREATMENT OF SIGNALS BY THE EXPERIMENTS - THE CLIENTS • a) Their position on the baseline specifications for each of the Safety Systems and any additional needs. • b) Actions to be taken by the experiments upon reception of signals from the Safety Systems. LHC safety system review/Detlef Swoboda
Safety Systems Reviewed Can be classified into 3 categories: • Alarm an Monitoring: • CSAM (CERN Safety Alarm Monitoring System) • RAMSES (Radiation Monitoring System for the Environment and Safety) • Sniffer System • Fire Detection and Oxygen Deficiency Monitor • Protection: • LACS & LASS (LHC Access Control System & LHC Access Safety System) • Experiment Access Control Sub-sectorisation • General Electrical Protection (AUG, AUL) • Damage Limitation: • Associated Systems - Foam Extinguisher, Smoke Extraction, Flood Detection LHC safety system review/Detlef Swoboda
CSAM • Local monitoring from each safety zone. • Transmission of alarms to the Safety Control Room (Fire Brigade) and to the CERN Control Center (via TIM). • Non-interruptible 24h/365d system based on redundant communication networks. • Availability requirement of 99.8%, Safety Integrity Level 2. • INB compliant system based on redundant transmission paths. • Flexible architecture to for the integration of the existing CERN-wide safety alarms and capacity to integrate new, additional alarms from new accelerators and experiments using both software and hardware features. • The system integrates today about 1500 level-3 alarms acquired via dry contacts from the detection devices. In addition, system manages about 6500 alarms acquired through a high level communication protocol with the detection devices, thus providing a detailed information about alarm location. LHC safety system review/Detlef Swoboda
CSAM Synoptic LHC safety system review/Detlef Swoboda
Communication CSAM to DSS • How do experiments interface? • Does CSAM accept experiment data? • What is the latency of transmission of info? ? LHC safety system review/Detlef Swoboda
RAMSES • Provide LHC, and finally CERN, with an • Integrated radiation monitoring system for the Environment and Safety • Acquisition, transmission, logging and display for the LHC machine, LHC experiments and experimental areas. • Operational 24/24 hours a day, 365/365 days per year • 90% of the equipment installed and being interconnected. • Final site acceptance and hardware commissioning in preparation. • For the experiments, • all the sensors in the baseline have been integrated. • Few sensors need still to be installed after the completion of the works in the experimental areas. LHC safety system review/Detlef Swoboda
RAMSES (cnt’d) • Monitoring radiation variables (real-time) • ~ 350 radiation detectors for the monitoring of radiation variables (real-time) • Generation of interlocks • Monitoring of conventional parameters • ~ 50 detectors for the environment for the monitoring of conventional parameters • Generation of remote alarms in case of deviation from normal range • Monitoring non-ionising radiation fields • Long term data storage LHC safety system review/Detlef Swoboda
RAMSES data access • Integrates RAMSES in the CERN control infrastructure and control rooms • Sends radiation alarms to the LHC control room (LASER) • Sends technical alarms to the CCC (LASER) • Provides displays for radiation monitoring in the LHC control room • Provides displays for monitoring conventional parameters in water releases • Shares measured values with external system (DIP) • Offers a secure WEB interface to display radiation measurements LHC safety system review/Detlef Swoboda
LACS / LASS INSTALLATION STRATEGY • I &C of a POINT to be finished at the latest before the 1st cool-down of adjacent sectors • HEAD PITS Access points: according to contractor's planning (~3 weeks/point). No constraints IC/HC granted access control ensured. • Experimental head pits will be installed at the end of LHC installation LHC safety system review/Detlef Swoboda
LASSaccessibility vs. radiological classification LHC safety system review/Detlef Swoboda
ATLAS Toroid access LHC safety system review/Detlef Swoboda
interfaces avec le SSA LHC safety system review/Detlef Swoboda
Atlas Sub Sector - Planning LHC safety system review/Detlef Swoboda
SNIFFER Status • Control System development completed and validated • SNIFFER LHCb ready for commissioning (awaiting for LHCb request) • HMI validated • by Experiments and Fire Brigade in 2006 • LHCb synoptic validated in July 2006, • ATLAS synoptic validated in January 2007 • Development and maintenance platform operational in Build. 104 • ATLAS modules under fabrication • Under definition DSS and CSAM alarms and contacts for ATLAS • Installation and commissioning under preparation LHC safety system review/Detlef Swoboda
Installation & Commissioning Planning ATLAS June 2007 First 70 modules Control System, HMI and software installation Detection transport and installation Commissioning from US15 Commissioning from UX15 Depending on access conditions and accessibility of the tubes Second 70 modules LHC safety system review/Detlef Swoboda
Installation & Commissioning Planning July 2007 June 2007 CMS ALICE LHC safety system review/Detlef Swoboda
Sniffer Interfaces With External Systems Possibility to have 2 different Alarm Threshold Matrixes i.e: Less strict smoke alarm thresholds when welding i.e.: More strict CO2 alarm threshold levels when cavern open Change Alarm Threshold Matrix KEY, (possible through ACS) LHC safety system review/Detlef Swoboda
Sniffer Issues of concern New demands (ATLAS) • Safety actions executed by the SNIFFER • Global overview of safety actions needed before implementation • Risk of contradictory safety actions • Who triggers which safety actions ? • ventilation, power cuts, gas distribution, etc… • Previous agreement states that DSS does all safety actions • Where is the safety actions logic implemented ? • Adjustable alarm thresholds per smoke sensor • HMI in XCR • Reset per type of alarm • Requested HMI in English for XCR users • Specification states IHM in French only • Major modification and maintenance constraints for two languages LHC safety system review/Detlef Swoboda
Sniffer Issues of concern Clarifications required • Fire Brigade requested remote HMI in SR building • Next to AL3 fire centrals • To provide overview for AL3 interventions • Agreement from ATLAS, ALICE and LHCb ? • Add a remote HMI for CMS • Request from Fire brigade • To provide the same interface to the Fire Brigade • CMS agreement ? • Usage of 2 Alarm Threshold Matrixes to be defined • Request for all the Experiments or only ATLAS (CO2) • Not compatible with “ adjustable-alarm-thresholds-per-sensor” requirement LHC safety system review/Detlef Swoboda
Sniffer Issues of concern Others • Evaluation of SNIFFER pumps vibration on metallic structure • If required special supports on the racks => impact on the planning • Maintenance of the air sampling networks • An expert from each experiment will be required • Radiation risk in rack location • Evaluated as negligible by Experiments in 2003 (IT2891-ST) • Important consequences for the correct functioning of the system if not negligible • Humidity, Helium and FC detection is incompatible with current SNIFFER implementation, and has been abandoned. LHC safety system review/Detlef Swoboda
Automatic Fire Detection • The LHC Automatic Fire Detection (AFD) system shall be composed of detectors of various kinds, located in selected areas in order to efficiently detect the start of a potential fire. • These detectors are connected to Control and Indicating Equipment (CIE) that are located in the service areas. It generates Alarms-of-Level-3 if a fire or smoke hazard is detected. • Interfaces to CSAM, Evacuation Alarm, DSS, … • Functions: • receive signals from the connected equipment • determine whether the signals correspond to an alarm condition • indicate the location of the hazard by identification of the detector in alarm • transmit the alarm messages to CSAM • drive the luminous panels in case of alarm • monitor the correct functioning of the system and warns of any faults LHC safety system review/Detlef Swoboda
AFD Status if the installation • Automatic Fire Detection • Is being (has been) installed in case by case in agreement with the experiment contact persons • ATLAS UX15 installation is particularly complex and is still under study for location of equipment and air-sampling tubes location • Audible Evacuation System • Is existing in all LEP caverns and is being (has been) renovated according to the schedule for each experiment • ATLAS UX15 has a temporary installation • CMS installation under study LHC safety system review/Detlef Swoboda
AFD coordination issues • Potential interactions and/or interlocks between the various safety systems • Operational procedures specifying the human actions to take in case of triggering of the system. • Correspondence action matrix indicating which visual warnings should be activated and actions to take upon triggering of each individual detector • Definition of the logical combination of detectors in the same location (AND/OR) to be used for actions following an alarm LHC safety system review/Detlef Swoboda
Oxygen Deficiency Monitor • The safety alarms shall be transmitted via the CERN Safety Alarm Monitoring (CSAM) system. This interface shall consist of hardwired contacts doubled by a TCP/IP or serial connection. • Upon simultaneous triggering of the alarm level on at least two detectors in the same zone, the ODH detection system shall activate, via hardwired contacts, the LHC Audible Emergency Evacuation system in the zone concerned. In the arcs of the main tunel, the zone concerned covers at least half a sector. • In case of confirmed alarm, the LHC ODH detection system can trigger other safety systems (e.g. DSS, etc…). In any case this interface shall consist of hardwired contacts. • ODH coordination issues • Operational procedures specifying the human actions to take in case of triggering of the ODH detection system. LHC safety system review/Detlef Swoboda
ODH Underground Caverns • Service & Experimental Caverns (same principle) • Location • FG detection in mixing areas • ODH detection where applicable • Control panels located in Service Caverns with remote IHM in SY building • Alarm Transmission • AL3 SCR via CSAM, AL2 CCC via CSAM/TIM • Safety actions • In case of FG • same as surface (gas cut, gas extraction, flash, sirens, etc..) • In case of ODH • Flashing lights are activated in the vicinity • LHC audible evacuation system is triggered on simultaneous detection of TWO sensors LHC safety system review/Detlef Swoboda
ODH Status of the installation • Only ATLAS is installed • UX15 is particularly complex • Mobile detectors & mobile flashes left to the users discretion are particularly worrying • ODH sensors in “fosse” under detector and near dewar • FG detection in 4 mixing racks • USA15 • ODH and FG installed • Other Experiments are under preparation LHC safety system review/Detlef Swoboda
ODH Open issues • No “MASTER PLAN” (or Engineering Specification) for experimental areas. • We “discover” as we go. It would be better for execution if we could plan in advance. • Safety systems are NOT part of process control • Systems that detect loss of helium have been interlocked against our wishes within ODH system and create confusion • Same open issues as for AFD and EVAC • Safety actions matrixes need approval and configuration management • Procedures for intervention are not clear for all involved and mostly are not written • Risk of conflicting safety actions with Automatic Fire Detection • Especially for ventilation LHC safety system review/Detlef Swoboda
Associated Systems • Smoke ventilation • Flood detection/protection • High expansion foam system • Other fire extinction systems • N2+H2O mist high pressure (100 bar) • H2O mist high pressure (70 bar) • N2+H2O mist low pressure (10 bar) • N2 injection LHC safety system review/Detlef Swoboda
AUG & AUL at CERN • Régis par l’instruction de sécuritéIS5 ayant force d’obligation selon SAPOCO/42 n°EDMS 335742 • Définitions: • Arrêts d’Urgence Locaux (AUL) coupure d’un local sans alarme de niveau 3 (sans transmission aux pompiers) • Arrêts d’Urgence Généraux (AUG) coupure générale avec alarme de niveau 3 (avec transmission aux pompiers pour intervention immédiate) • Règle de base: • «Toute personne est autorisée et a le devoir d’actionner un arrêt d’Urgence dès qu’elle juge qu’une situation dangereuse pour les personnes ou les biens : • existe » • est en train de se produire» • risque de se produire de face imminente » LHC safety system review/Detlef Swoboda
Instruction de SécuritéIS5 • But des AUL ou AUG • «Le but des AUL ou AUG est de couper les sources d’énergie électrique susceptibles de présenter un danger»(Tensions supérieures à la TBTS) • Exigences générales pour les AUL et AUG • «Les dispositions d’AUL ou AUG doivent être telles que leur fonctionnement ne provoque pas un autre danger» • «les AUL ou AUG ne doivent pas couper les installations de sécurité(ascenseurs, éclairages de sécurité et de balisage, désenfumages, pompes de relevage, UPS dédiés à la communication, détections incendie…) » • «les équipements restant sous tension doivent être conçus de façon à ne pas créer de risque supplémentaires lors de l’intervention des pompiers»(protections mécaniques, repérages orange fluorescents…) • «Tous les AUL ou AUG d’une même zone doivent avoir la même action» • «Tous les AUL ou AUG doivent être conçus à sécurité positive (fail-safe)» LHC safety system review/Detlef Swoboda
AUG & AUL Implementation • @ LHC: • 20 Racks • ~ 200 chains • ~ 2000 AUG Add “local” in order to avoid confusion LHC safety system review/Detlef Swoboda
AUG annual tests • Tests annuels imposés par IS5, indispensables à la sécurité des personnes • Les arcs machines sont affectés chacun 2jours de tests • La procédure peut être aménagée pour ne perturber les arcs qu’une seule fois (extension des tests tunnel des zones paires) • La section Opération EL est très sollicitée pour des travaux et tests les week-end et jours fériés.(secours, auto transfert, reconfigurations des réseaux, maintenances..) Ces tests AUG LHC doivent être réalisés en jours ouvrables. • Des travaux de maintenances sont effectués en temps masqué pendant ces tests AUG pour ne plus vous perturber LHC safety system review/Detlef Swoboda
Levels of Availability of El. Supply LHC safety system review/Detlef Swoboda
Info in ACR ?? ? ? DIP (non secure) DCS Info & SW actions Info in ACR Pre- alarms Alarms (AL3) C S A M D S S SNIFFER ODH gas smoke Cut power togroup of racks Smoke det. in areas ? Cut power Interlock equipment ODH in areas ??? CCC (TCR) Action Flam. gas in areas Close coolingwater valves Cut power/gas Cooling water temperature Waterflooding Start pumps Detectorspecific action Ambient temperature Dead-man detector Fire Brigade Action Water leakCRs Blocked lifts … Presenceof power Evacuation buttons ITS N2 Release ? Evac. signal Detectorspec. inputs Emergency Stop buttons Cut power Stop flam. Gas ? … Red telephones Local/directactions ALICE view of Alarm transmissions via CSAM and DSS Secure, local link LHC safety system review/Detlef Swoboda
Safety organization, Emergency procedure and safety actions in case of level 3 alarm in ATLAS areas • It is fundamental that an effective link exists between the ATLAS control room (over viewing the detector premises) and the SC Fire Brigade leadership. At Fire Brigade arrival and during all Fire Brigade intervention at Point 1, the SLIMOS on shift will provide to the Fire Brigade commander the following information : • Beam status (ON or OFF), • Radiations levels in the ATLAS undergrounds, from the RAMSES system and if needed by requesting a verification from radiation piquet, • Magnetic fields levels in UX15 cavern • Environmental conditions in the ATLAS undergrounds : temperatures, etc.. • Relevant information concerning the status of the ATLAS detectors • Configuration of the detector (detector open or closed, etc…) • Detailed indications to access the region of intervention • Number of persons inside the ATLAS undergrounds (USA15, UX15 infrastructure area, UX15 detector area) and list of the names, • Possible alarms generated by the FPIAA system (Finding People inside ATLAS Areas) which will indicate the presence of unconscious persons, • Possible pre-alarms or additional alarms indicating an evolution of the safety conditions undergrounds coming from the detector safety system and the air sampling network system (sniffer) The SLIMOS will stay in permanent contact with the Fire Brigade commander and will inform him about the evolution of all these parameters. The ATLAS GLIMOS will organize an ATLAS incident coordination group if necessary, with all relevant experts (see document) LHC safety system review/Detlef Swoboda
CMS Specificities • CMS is far away from SCR (>20 min) • Fire Brigade procedures have to take this into account, i.e. ATLAS and CMS cannot be treated equally! • need real training for the Point 5 crew • Need to discuss with the fire chief the main intervention policy. • The CMS control room has to be recognized as the primary contact (not the SY or SR). • Therefore all relevant safety information has to be bundled there. • The CMS control room has to be the central point of information, where everybody MUST pass before doing any activity at Point 5, including going into the caverns (UX and US). This is as long as the CMS has organized shifts, i.e. during data taking and short shut downs like MD. • The responsibility for the safe operation of CMS rests with the SLIMOS, which generally will be the shift leader LHC safety system review/Detlef Swoboda
LHCb Conclusions • LHCb is fine with the baseline specifications. • Objective: Complete the installation, get the systems working and keep the • action matrix as diagonal (=simple) as possible. • Some specific issues (use of radioactive source, CSAM actions) will be clarified • in due time with SC on a case by case basis. • Would like to get information via DIP from ALL systems, and if possible • also warnings and analog values, not only L3 alarms • Open issues: • Safety Condition Display around access gate, with CSAM+RAMSES summary (OK/NOT) • Sonorous communication system, from CR to detector area. LHC safety system review/Detlef Swoboda
Conclusions … • CSAM synoptics are requested to be in XCRs • RAMSES dto. • Radiation screening for persons/material exiting • HW connect CSAM DSS • LACS operation: Importance of Implementation of patrol and access procedures • Sniffer display in XCRs • Limitation of sniffer gas types • Sniffer alarm threshold selection LHC safety system review/Detlef Swoboda
conclusions • Generally good progress of installation • But number of concerns • Substantial amount of potential issues raised • Proposal: • List of issues to be drawn up with names and dates. • Ad hoc WGs to be created were necessary LHC safety system review/Detlef Swoboda