160 likes | 171 Views
Discussing existing hazard assessment criteria, policy history, and proposed changes to anticipate beam spill events and ensure safety at LANSCE Accelerator.
E N D
LANL Proposal for Hazard Assessment Beam Spill Criteria Charles Kelsey, Mike Baumgartner, Kevin Jones, Mike Fanning, Bruce Takala, and Doug Gilpatrick Los Alamos Neutron Science Center DOE Accelerator Safety Workshop August 12, 2008
Los Alamos Neutron Science Center (LANSCE)Design Basis Accident Shielding Policy • LANSCE is an 800 MeV proton accelerator that operates a variety of user target facilities. • Policy since early 1990s has been to assume that one hour, full power beam spills are anticipated events and identify required controls based on probabilistic risk analysis. • Full power is accelerator capability unless limited by fail-safe current limiters. 8 kW Area A 120 kW 8 kW 1 MW
General Risk Analysis • Credit fail-safe beam loss detection interlocks for reducing event likelihood by one bin, to unlikely. • Where they provide coverage shielding must limit consequence to 25 rem to be acceptable otherwise shielding must limit consequence to 5 rem. • Policy also is to identify additional controls to limit anticipated event consequences to less than 100 mrem.
Policy History and Present Issues • Consistent with 1993 DOE O 5480.25 implementation guidance and recommendations of 1991 prompt radiation protection workshop held at LANL. • Resulted in very costly shielding upgrades during the mid 1990s. • To this day still finding occupiable areas that do not comply with the policy and continue to require upgrades. • Policy is also greatly limiting options for correcting egress issues where fire protection requirements are not being met. • Plans are being made to return to high power operations in Area A and expect more shielding upgrades to be necessary to support this. • A new 2 MW beam line and target station is presently being designed for Area A and there are concerns that beam line shielding costs are unnecessarily high because the policy may be too conservative.
Hazard Analysis • Hazard analysis is supposed to be predominantly qualitative and should not require exhaustive quantitative analysis. • Reasonable engineering judgment should be sufficient. • Recognize that there are infinite number of possible spill scenarios. • Over long periods high power spills are clearly less likely than low power spills because they are more likely to cause damage that shuts down the beam and to be noticed and stopped by active machine protections or operators. • It does not seem credible that one hour at 1 MW could be endured by any accelerator or beam line component not designed for it, i.e. targets and beam stops. • At the other end of the event spectrum, at a few kilowatts or less, it seems credible that spills might last much longer than one hour. • Our draconian use of one hour at full power does not seem appropriate.
Proposal for Anticipated Events • Propose that the amount of spilled energy should define the likelihood of the events. • Start with a bound for the anticipated bin, pick 30 MJ, a one hour event on our 8 kW beam lines, and consider its reasonableness. • Based on analysis done for the LANSCE beam plug design standard spill over about 8 kW is expected to result in failure in a finite time on the order of an hour or less as power increases. • 30 MJ is enough energy to raise 30 Kg of steel, about 2 meters of 4 inch beam pipe, to the melting point.
Additional Physical Considerations • Spills in bends are high angle and maybe only a small fraction of the beam energy is deposited in the beam pipe, but it is comparably localized in a very small mass of material. • Spills of misfocused beams can occur over long lengths of beam pipe but are small angle and most of the energy can be assumed to deposited in the beam pipe. • Do not actually need to melt beam pipe for failure to occur because strength is lost at lower temperatures and seals are aluminum which melts and looses strength much more quickly than steel. • 30 MJ is believed to be a conservative estimate for what beam transport lines could be anticipated to survive.
Other Events • Define other event likelihood thresholds based on assumption that if you adequately shield anticipated events you should adequately be shielding events of any likelihood. • In other words, ratio between energy likelihood bounds and consequence bin limits on the risk matrix diagonal are the same, implying 0.6 MJ frequent, 150 MJ unlikely, 600 MJ extremely unlikely. • Limit consequences to 100 mrem for frequent events, 5 rem for anticipated, 25 rem for unlikely and 100 rem for beyond extremely unlikely. • Implications are that shielding requirement is 0.17 rem/MJ regardless of which set of events is called the design basis accident and is equivalent to the Maximum Credible Event (MCI), the 600 MJ spill. • Note that proposal does not say that the one hour full power spill is impossible, it just tries to bin its likelihood more appropriately.
Beam Spill Event Frequencies and Consequence Limits • Maximum credible duration of 1 MW spill is 10 minutes. • 1 MW spills are anticipated to occur for up to 30 seconds. • 100 kW spills are anticipated for up to 5 minutes and are credible to 1.7 hours. • 10 kW spills are anticipated for up to 50 minutes and are credible to 17 hours.
Comparison of 600 MJ MCI to MCIs of Other Facilities • From SNS accident analysis MCI is 2 MW (full power) for 10 minutes, 1200 MJ, nothing fails but operator intervenes. • SNS accident analysis notes this is very conservative because heating is expected to cause loss of vacuum and beam shutdown in seconds. • SLAC B-Factory (330 kW full power) accident analysis credited loss of vacuum for limiting one hour spill power to 110 kW, a 400 MJ MCI. • TRIUMF (125 kW full power) design policy is one full power hour, implying a 450 MJ MCI. • SLAC B-Factory design limit for the MCI is 25 rem while TRIUMF and proposed LANSCE policy is 100 rem. • The implied design bases are SLAC B-Factory 0.063 rem/MJ and TRIUMF 0.22 rem/MJ compared to LANSCE proposed 0.17 rem/MJ. • Considering these are effectively binning consequences for hazard analysis purposes they are very close to each other, within factor of 3.
Beam Spill Experiences • Proposed MCI appears consistent with assumptions being made at other facilities but to check reasonableness at other end the most significant beam spill events we have experienced should be below the frequent threshold. • 2004 LANSCE magnet failure resulted in a point beam spill that burned through beam pipe with only an estimated 40 J of spilled beam energy. • PSI has documented experience with vacuum seal failures occurring in seconds with spills on the order of a few kilowatts. • LANSCE has experienced seal damage with distributed beam spills of less than 0.1 kW in minutes that were stopped by operator intervention. • 2007 LANSCE operator intervention terminated a 0.1 kW spill event after a few minutes that did not result in damage. • These spills are on the order of 0.01 MJ, and in the burn through example much lower, suggesting the 0.6 MJ frequent event threshold is conservative based on experience.
Active Protection Tangent • On some LANSCE beam lines fail-safe beam loss monitors interlocked in the Radiation Security System (RSS) are installed. • Historically they have only been credited with reducing the design basis beam spill event by one frequency bin for risk analysis. • They are held to the same RSS device standards applied to interlocks used for primary beam area access control and beam current limiters. • In these cases the active protection devices are credited for 3 to 4 bins of likelihood/consequence reduction. • This appears to be fairly standard practice for access control and beam limiting devices but not for interlocked radiation monitors. • Why are RSS pedigree interlocked radiation monitors not given more credit? • There appears to be nothing fundamentally wrong with doing it except that it goes against philosophy that passive shielding is better.
Passive Versus Active • How passive is passive shielding? • Experimental, maintenance, and construction activities all routinely make temporary shielding configuration changes that must administratively controlled. • Earthen shields erode and must be monitored and maintained. • Unlike fail-safe interlocked radiation monitors that must be operable to run beam, shielding is not generally interlocked. • 10 CFR 835 requires physical controls to prevent exposure to high and very high radiation areas specifically identifying a variety of device interlocks that may be used for access and radiation source control. • Just as gate interlocks prevent people from accessing high and very high radiation areas, radiation interlocks prevent high and very high radiation areas from accessing people. • Is active protection actually more reliable than passive shielding?
LANSCE Radiation Interlock Reliability • Since 1992 LANSCE has accumulated 600 device operating years experience with its beam loss detection interlocks. • There have been approximately 200 documented instances of safe response to challenge/failure and no unsafe responses. • In the past five years there have been two LANSCE events where shielding configuration control failed, one of which actually resulted in an uncontrolled high radiation area.
Conclusions • Optimally an “appropriate” combination of active and passive protection should be used, but what is the “appropriate” combination? • Where active protection from accidental exposure to high/very high radiation areas is provided designing passive shielding to limit doses in occupiable areas to 1 rem per year and ALARA for normal beam losses appears to be the “required” combination. • Where active protection can not be provided, passive shielding alone must limit consequences to something acceptable and LANSCE is proposing that the design basis for this requirement be 0.17 rem/MJ of beam spill. • It is LANSCE top management’s responsibility to determine what is acceptable but before the determination is made feedback from this workshop is desired.