14 february 2007 lhc safety system review/detlef swoboda review of safety systems for the lhc...
TRANSCRIPT
14 February 2007 LHC safety system review/Detlef Swoboda
Review of Safety Systems for the LHC Experiments and Experimental Areas
Supplied by TS Department
Conclusions
Safety Review Scope
PROJECT SPECIFICATION AND STATUS - THE PROVIDERS
a) Requirements and Functional Specifications
b) Status of Implementation
c) Installation Planning
d) Communication and links between Safety Systems and the experiments & CCC
e) Issues of Concern
REQUIREMENTS FROM AND TREATMENT OF SIGNALS BY THE EXPERIMENTS - THE CLIENTS
a) Their position on the baseline specifications for each of the Safety Systems and any additional needs.
b) Actions to be taken by the experiments upon reception of signals from the Safety Systems.
Safety Systems Reviewed
Can be classified into 3 categories:
1. Alarm and Monitoring:
- CSAM (CERN Safety Alarm Monitoring System)
- RAMSES (Radiation Monitoring System for the Environment and Safety)
- Sniffer System
- Fire Detection and Oxygen Deficiency Monitor
2. Protection:
- LACS & LASS (LHC Access Control System & LHC Access Safety System)
- Experiment Access Control Sub-sectorisation
- General Electrical Protection (AUG, AUL)
3. Damage Limitation:
- Associated Systems - Foam Extinguisher, Smoke Extraction, Flood Detection
CSAM
- Local monitoring from each safety zone.
- Transmission of alarms to the Safety Control Room (Fire Brigade) and to the CERN Control Center (via TIM).
- Non-interruptible 24h/365d system based on redundant communication networks.
- Availability requirement of 99.8%, Safety Integrity Level 2.
- INB compliant system based on redundant transmission paths.
- Flexible architecture for the integration of the existing CERN-wide safety alarms and capacity to integrate new, additional alarms from new accelerators and experiments using both software and hardware features.
- The system integrates today about 1500 level-3 alarms acquired via dry contacts from the detection devices. In addition, the system manages about 6500 alarms acquired through a high-level communication protocol with the detection devices, thus providing detailed information about alarm location.
CSAM Synoptic
Communication CSAM to DSS
- How do experiments interface?
- Does CSAM accept experiment data?
- What is the latency of transmission of info?
RAMSES
- Provide LHC, and finally CERN, with an integrated radiation monitoring system for the Environment and Safety
- Acquisition, transmission, logging and display for the LHC machine, LHC experiments and experimental areas.
- Operational 24 hours a day, 365 days per year
- 90% of the equipment installed and being interconnected.
- Final site acceptance and hardware commissioning in preparation.
- For the experiments, all the sensors in the baseline have been integrated.
- A few sensors still need to be installed after the completion of the works in the experimental areas.
RAMSES (cont'd)
- Monitoring radiation variables (real-time)
- ~ 350 radiation detectors for the monitoring of radiation variables (real-time)
- Generation of interlocks
- Monitoring of conventional parameters
- ~ 50 detectors for the environment for the monitoring of conventional parameters
- Generation of remote alarms in case of deviation from normal range
- Monitoring non-ionising radiation fields
- Long term data storage
RAMSES data access
- Integrates RAMSES in the CERN control infrastructure and control rooms
- Sends radiation alarms to the LHC control room (LASER)
- Sends technical alarms to the CCC (LASER)
- Provides displays for radiation monitoring in the LHC control room
- Provides displays for monitoring conventional parameters in water releases
- Shares measured values with external system (DIP)
- Offers a secure web interface to display radiation measurements
LACS / LASS INSTALLATION STRATEGY
I&C of a POINT to be finished at the latest before the 1st cool-down of adjacent sectors
HEAD PITS Access points: according to contractor's planning (~3 weeks/point). No constraints IC/HC granted access control ensured.
Experimental head pits will be installed at the end of LHC installation
LASS accessibility vs. radiological classification
ATLAS Toroid access
Interfaces with the SSA
[Diagram: ATLAS Toroid access interfaces between the LACS and the SSA. Recoverable labels:]
- LACS custom Toroid rack: UTL, RFID reader, Toroid key distributors (x24), LACS authorisations database
- Toroid access mode change console (1 key switch + 3 illuminated push buttons)
- Toroid Radiation Veto (key switch + veto-present indicator lamp)
- SSA Safety Veto (key switch + veto-present indicator lamp)
- SSA PLC
- Signals: Toroid Radiation Veto + Toroid access mode (SSA info); "all keys are present"; Toroid Radiation Veto, Toroid Safety Veto, Toroid access mode; "key distribution authorisation"
- Console panel labels: Toroid Access Modes (Closed / Patrol / Access), Vetos (Safety, Radiation, each with Set / Reset), No Access
Note: all the interfaces shown are hardwired except the UTL-database link.
Atlas Sub Sector - Planning
[Gantt chart, columns January 2007 to September 2007. Tasks:]
- Studies / prototyping
- PLC / supervision programming
- Procurement / factory manufacturing SOTEB
- Procurement / manufacturing of SSA equipment (BdP, BdJ, 19" drawer)
- Factory tests
- Delivery of the Toroid racks
- Installation of equipment on site
- Installation of the PLC on site
- Site tests
SNIFFER Status
- Control System development completed and validated
- SNIFFER LHCb ready for commissioning (awaiting LHCb request)
- HMI validated by Experiments and Fire Brigade in 2006
- LHCb synoptic validated in July 2006, ATLAS synoptic validated in January 2007
- Development and maintenance platform operational in Build. 104
- ATLAS modules under fabrication
- DSS and CSAM alarms and contacts for ATLAS under definition
- Installation and commissioning under preparation
Planning: Installation & Commissioning - ATLAS
[Planning chart. Recoverable labels:]
- Commissioning from US15; commissioning from UX15
- Depending on access conditions and accessibility of the tubes
- Detection transport and installation
- Control System, HMI and software installation
- First 70 modules; second 70 modules
- June 2007
Planning: Installation & Commissioning - CMS, ALICE
[Planning chart. Date labels: June 2007, July 2007]
Sniffer Interfaces with External Systems
[Block diagram around the Hazard & Phenomenon Detection and Control System. Recoverable labels:]
- Air sampling network (PIPES)
- Interface with CERN Safety Alarm Monitoring (CSAM); CSAM system
- Interface with Detector Safety System (DSS)
- SCR, TCR, XCR & other control rooms (through DIP)
- Interface with Access Control System (ACS)
- Interface with Multipurpose Monitoring Devices (MMD)
- Human Computer Interface; Remote Human Computer Interface
- Link types marked on the diagram: HW, SW, HW + SW
Change Alarm Threshold Matrix: KEY (possible through ACS)
Possibility to have 2 different Alarm Threshold Matrixes
- e.g. less strict smoke alarm thresholds when welding
- e.g. more strict CO2 alarm threshold levels when cavern open
Sniffer Issues of concern: New demands (ATLAS)
Safety actions executed by the SNIFFER
- Global overview of safety actions needed before implementation
- Risk of contradictory safety actions
- Who triggers which safety actions? (ventilation, power cuts, gas distribution, etc.)
- Previous agreement states that DSS does all safety actions
- Where is the safety actions logic implemented?
Adjustable alarm thresholds per smoke sensor
HMI in XCR
- Reset per type of alarm
- Requested HMI in English for XCR users
- Specification states HMI in French only
- Major modification and maintenance constraints for two languages
Sniffer Issues of concern: Clarifications required
Fire Brigade requested remote HMI in SR building
- Next to AL3 fire centrals
- To provide overview for AL3 interventions
- Agreement from ATLAS, ALICE and LHCb?
Add a remote HMI for CMS
- Request from Fire Brigade
- To provide the same interface to the Fire Brigade
- CMS agreement?
Usage of 2 Alarm Threshold Matrixes to be defined
- Request for all the Experiments or only ATLAS (CO2)
- Not compatible with "adjustable-alarm-thresholds-per-sensor" requirement
Sniffer Issues of concern: Others
Evaluation of SNIFFER pumps vibration on metallic structure
- If required, special supports on the racks => impact on the planning
Maintenance of the air sampling networks
- An expert from each experiment will be required
Radiation risk in rack location
- Evaluated as negligible by Experiments in 2003 (IT2891-ST)
- Important consequences for the correct functioning of the system if not negligible
Humidity, Helium and FC detection is incompatible with current SNIFFER implementation, and has been abandoned.
Automatic Fire Detection
The LHC Automatic Fire Detection (AFD) system shall be composed of detectors of various kinds, located in selected areas in order to efficiently detect the start of a potential fire.
These detectors are connected to Control and Indicating Equipment (CIE) located in the service areas. The CIE generates Alarms-of-Level-3 if a fire or smoke hazard is detected.
Interfaces to CSAM, Evacuation Alarm, DSS, …
Functions:
- receive signals from the connected equipment
- determine whether the signals correspond to an alarm condition
- indicate the location of the hazard by identification of the detector in alarm
- transmit the alarm messages to CSAM
- drive the luminous panels in case of alarm
- monitor the correct functioning of the system and warn of any faults
AFD Status of the installation
Automatic Fire Detection
- Is being (has been) installed case by case in agreement with the experiment contact persons
- ATLAS UX15 installation is particularly complex and is still under study for the location of equipment and air-sampling tubes
Audible Evacuation System
- Exists in all LEP caverns and is being (has been) renovated according to the schedule for each experiment
- ATLAS UX15 has a temporary installation
- CMS installation under study
AFD coordination issues
Potential interactions and/or interlocks between the various safety systems
Operational procedures specifying the human actions to take in case of triggering of the system.
Correspondence action matrix indicating which visual warnings should be activated and actions to take upon triggering of each individual detector
Definition of the logical combination of detectors in the same location (AND/OR) to be used for actions following an alarm
Oxygen Deficiency Monitor
The safety alarms shall be transmitted via the CERN Safety Alarm Monitoring (CSAM) system. This interface shall consist of hardwired contacts doubled by a TCP/IP or serial connection.
Upon simultaneous triggering of the alarm level on at least two detectors in the same zone, the ODH detection system shall activate, via hardwired contacts, the LHC Audible Emergency Evacuation system in the zone concerned. In the arcs of the main tunnel, the zone concerned covers at least half a sector.
In case of confirmed alarm, the LHC ODH detection system can trigger other safety systems (e.g. DSS, etc…). In any case this interface shall consist of hardwired contacts.
ODH coordination issues
- Operational procedures specifying the human actions to take in case of triggering of the ODH detection system.
ODH Underground Caverns
Service & Experimental Caverns (same principle)
Location
- FG detection in mixing areas
- ODH detection where applicable
- Control panels located in Service Caverns with remote HMI in SY building
Alarm Transmission
- AL3 SCR via CSAM, AL2 CCC via CSAM/TIM
Safety actions
- In case of FG: same as surface (gas cut, gas extraction, flash, sirens, etc.)
- In case of ODH:
  - Flashing lights are activated in the vicinity
  - LHC audible evacuation system is triggered on simultaneous detection of TWO sensors
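
The ODH rule stated on the two slides above (a local warning on one detector, audible evacuation only when at least two detectors in the same zone are in alarm at the same time) can be modelled as a small event replay. This is an added example, not CERN's implementation, which the slides specify as hardwired contacts; the action labels, detector names, the per-zone simplification of "in the vicinity" and the latching behaviour are assumptions.

```python
from collections import defaultdict

FLASH = "flashing_lights"        # action labels are assumptions for this sketch
EVACUATE = "audible_evacuation"


def odh_actions(events, votes_needed=2, latch_evacuation=True):
    """Replay ODH detector events and return action transitions.

    events: iterable of (time, zone, detector_id, in_alarm), sorted by time.
    Returns a list of (time, zone, action, active) tuples, one per change.
    """
    in_alarm_now = defaultdict(set)    # zone -> detectors currently in alarm
    state = defaultdict(lambda: {FLASH: False, EVACUATE: False})
    transitions = []
    for time, zone, detector, in_alarm in events:
        if in_alarm:
            # A set: repeated alarms from one detector count as one vote.
            in_alarm_now[zone].add(detector)
        else:
            in_alarm_now[zone].discard(detector)
        count = len(in_alarm_now[zone])
        wanted = {
            # Simplification: "in the vicinity" is modelled as the whole zone.
            FLASH: count >= 1,
            # Evacuation needs simultaneous alarms in the SAME zone.
            # Assumption: once raised it stays latched until a manual reset;
            # the slides do not say how the signal is cleared.
            EVACUATE: count >= votes_needed
            or (latch_evacuation and state[zone][EVACUATE]),
        }
        for action in (FLASH, EVACUATE):
            if wanted[action] != state[zone][action]:
                state[zone][action] = wanted[action]
                transitions.append((time, zone, action, wanted[action]))
    return transitions


# Constructed sample events (detector names are made up; zones are from the slides).
SAMPLE_EVENTS = [
    (0, "UX15", "ODH-1", True),     # single detector: local warning only
    (5, "USA15", "ODH-7", True),    # other zone, does not add to UX15's vote
    (8, "UX15", "ODH-1", False),    # clears before any second detector trips
    (12, "UX15", "ODH-2", True),    # second UX15 detector, but not simultaneous
    (15, "UX15", "ODH-3", True),    # two at once in UX15: evacuation
    (20, "UX15", "ODH-2", False),   # evacuation stays latched
]

if __name__ == "__main__":
    for row in odh_actions(SAMPLE_EVENTS):
        print(row)
```

Two detectors tripping one after the other in UX15 (ODH-1, then ODH-2) do not trigger evacuation, and an alarm in USA15 never counts toward UX15.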
ODH Status of the installation
Only ATLAS is installed
- UX15 is particularly complex
- Mobile detectors & mobile flashes left to the users' discretion are particularly worrying
- ODH sensors in the pit under the detector and near the dewar
- FG detection in 4 mixing racks
- USA15: ODH and FG installed
Other Experiments are under preparation
ODH Open issues
No "MASTER PLAN" (or Engineering Specification) for experimental areas.
- We "discover" as we go.
- It would be better for execution if we could plan in advance.
Safety systems are NOT part of process control
- Systems that detect loss of helium have been interlocked against our wishes within ODH system and create confusion
Same open issues as for AFD and EVAC
- Safety actions matrixes need approval and configuration management
- Procedures for intervention are not clear for all involved and mostly are not written
Risk of conflicting safety actions with Automatic Fire Detection
- Especially for ventilation
Associated Systems
- Smoke ventilation
- Flood detection/protection
- High expansion foam system
- Other fire extinction systems
  - N2+H2O mist high pressure (100 bar)
  - H2O mist high pressure (70 bar)
  - N2+H2O mist low pressure (10 bar)
  - N2 injection
AUG & AUL at CERN
Governed by Safety Instruction IS5, which is mandatory under SAPOCO/42 (EDMS no. 335742)
Definitions:
- Local Emergency Stops (Arrêts d'Urgence Locaux, AUL): power cut of one room without a level 3 alarm (no transmission to the Fire Brigade)
- General Emergency Stops (Arrêts d'Urgence Généraux, AUG): general power cut with a level 3 alarm (transmitted to the Fire Brigade for immediate intervention)
Basic rule:
"Every person is authorised and has the duty to actuate an Emergency Stop as soon as they judge that a situation dangerous to persons or property:
- exists
- is occurring
- is at imminent risk of occurring"
Safety Instruction IS5
Purpose of AULs or AUGs
- "The purpose of AULs or AUGs is to cut the sources of electrical energy liable to present a danger" (voltages above SELV)
General requirements for AULs and AUGs
- "AUL or AUG arrangements must be such that their operation does not cause another danger"
- "AULs or AUGs must not cut safety installations (lifts, emergency and marker lighting, smoke extraction, sump pumps, UPS dedicated to communication, fire detection…)"
- "Equipment remaining live must be designed so as not to create additional risks during Fire Brigade intervention" (mechanical protection, fluorescent orange markings…)
- "All AULs or AUGs in the same zone must have the same action"
- "All AULs or AUGs must be designed to be fail-safe"
AUG & AUL Implementation
@ LHC: 20 Racks ~ 200 chains ~ 2000 AUG
Add “local” in order to avoid confusion
AUG annual tests
- Annual tests imposed by IS5, indispensable for the safety of persons
- Each machine arc is allotted 2 days of tests
- The procedure can be arranged so as to disturb the arcs only once (extension of the tunnel tests of the even-numbered zones)
- The EL Operation section is in heavy demand for work and tests on weekends and public holidays (backup supplies, auto-transfer, network reconfigurations, maintenance…)
- These LHC AUG tests must be carried out on working days.
- Maintenance work is carried out in parallel during these AUG tests so as not to disturb you any further
Levels of Availability of El. Supply
ALICE view of Alarm transmissions via CSAM and DSS
[Block diagram. Recoverable labels:]
- Labels listed with CSAM: smoke detection in areas, ODH in areas, flammable gas in areas, water flooding, dead-man detector, blocked lifts, evacuation buttons, emergency stop buttons, red telephones
- SNIFFER: ODH, gas, smoke
- Labels listed with DSS: ambient temperature, water leak CRs, presence of power, detector-specific inputs, …
- Other input label: cooling water temperature
- Links: secure, local link; DIP (non secure)
- Signal levels: pre-alarms, alarms (AL3)
- Recipients: CCC (TCR) action, Fire Brigade action, DCS info & SW actions, info in ACR
- Actions: cut power, evacuation signal, start pumps, cut power to group of racks, interlock equipment, close cooling water valves, cut power/gas, local/direct actions, detector-specific action, …
- Marked with question marks: ITS N2 release?, stop flammable gas?, and several unlabelled links
Safety organization, Emergency procedure and safety actions in case of level 3 alarm in ATLAS areas
It is fundamental that an effective link exists between the ATLAS control room (overseeing the detector premises) and the SC Fire Brigade leadership.
At Fire Brigade arrival and during all Fire Brigade intervention at Point 1, the SLIMOS on shift will provide the Fire Brigade commander with the following information:
- Beam status (ON or OFF),
- Radiation levels in the ATLAS underground areas, from the RAMSES system and if needed by requesting a verification from radiation piquet,
- Magnetic field levels in UX15 cavern
- Environmental conditions in the ATLAS underground areas: temperatures, etc.
- Relevant information concerning the status of the ATLAS detectors
- Configuration of the detector (detector open or closed, etc.)
- Detailed indications to access the region of intervention
- Number of persons inside the ATLAS underground areas (USA15, UX15 infrastructure area, UX15 detector area) and list of the names,
- Possible alarms generated by the FPIAA system (Finding People inside ATLAS Areas) which will indicate the presence of unconscious persons,
- Possible pre-alarms or additional alarms indicating an evolution of the safety conditions underground coming from the detector safety system and the air sampling network system (sniffer)
The SLIMOS will stay in permanent contact with the Fire Brigade commander and will inform him about the evolution of all these parameters.
The ATLAS GLIMOS will organize an ATLAS incident coordination group if necessary, with all relevant experts (see document)
CMS Specificities
- CMS is far away from SCR (>20 min)
- Fire Brigade procedures have to take this into account, i.e. ATLAS and CMS cannot be treated equally!
- Need real training for the Point 5 crew
- Need to discuss with the fire chief the main intervention policy.
- The CMS control room has to be recognized as the primary contact (not the SY or SR). Therefore all relevant safety information has to be bundled there.
- The CMS control room has to be the central point of information, where everybody MUST pass before doing any activity at Point 5, including going into the caverns (UX and US). This is as long as the CMS has organized shifts, i.e. during data taking and short shutdowns like MD.
- The responsibility for the safe operation of CMS rests with the SLIMOS, who generally will be the shift leader
LHCb Conclusions
LHCb is fine with the baseline specifications.
Objective: Complete the installation, get the systems working and keep the action matrix as diagonal (=simple) as possible.
Some specific issues (use of radioactive source, CSAM actions) will be clarified in due time with SC on a case by case basis.
Would like to get information via DIP from ALL systems, and if possible also warnings and analog values, not only L3 alarms
Open issues:
- Safety Condition Display around access gate, with CSAM+RAMSES summary (OK/NOT)
- Sonorous communication system, from CR to detector area.
Conclusions …
- CSAM synoptics are requested to be in XCRs
- RAMSES dto.
- Radiation screening for persons/material exiting
- HW connect CSAM DSS
- LACS operation: Importance of implementation of patrol and access procedures
- Sniffer display in XCRs
- Limitation of sniffer gas types
- Sniffer alarm threshold selection
Conclusions
- Generally good progress of installation
- But number of concerns
- Substantial amount of potential issues raised
Proposal:
- List of issues to be drawn up with names and dates.
- Ad hoc WGs to be created where necessary