Full Scale Thermosiphon Risk Assessment Lukasz Zwalinski PH/DT/PO - Cooling



Page 1: Full Scale Thermosiphon Risk Assessment

Lukasz Zwalinski PH/DT/PO - Cooling

Page 2: Introduction

Thermosiphon workshop §5 20th October 2011 L.Zwalinski – PH/DT/PO

• Document prepared on 23 March 2011

• Main references:

P&I Diagram and Part List of the Full Scale Thermosiphon, March 2011, EDMS 1101188
CERN Safety Guideline OHS-0-0-1 – Risk Assessment, EDMS 1114042
ISO 12100 Safety of machinery – General principles for design – Risk assessment and risk reduction, 2010-11-01
ISO 31000 Risk management – Principles and guidelines, 2009-11-15
ISO/TR 14121-2 Safety of machinery – Risk assessment, 2007-12-15
ISO 13849-2 Safety of machinery – Safety related parts of control systems, 2003-08-15

Page 3: Definitions

Hazard: The intrinsic property or ability of something (e.g. work materials, equipment, work methods and practices) with the potential to cause harm.

Hazardous event: Occurrence leading to undesired consequences and arising from the triggering, by one (or more) initiator events/causes, of one (or more) hazards.

Risk: The likelihood that the potential for harm will be attained under the conditions of use and/or exposure, and the possible extent of the harm. Effect of uncertainty on objectives [ISO 31000].

Severity: Classification of a failure or undesired event according to the magnitude of its possible consequences.

Risk assessment: The process of evaluating the risk to the health and safety of workers while at work arising from the circumstances of the occurrence of a hazard at the workplace. Overall process of risk identification, risk analysis and risk evaluation.

Page 4: Definitions

Risk assessment process: it is based on a systematic examination of all aspects of work that considers:

• what could cause injury or harm,
• whether the hazards could be eliminated and, if not,
• what preventive or protective measures are, or should be, in place to control the risks.

[OHSAS 18001 Occupational Health and Safety]

Page 5: Risk assessment activities ISO 12100:2010

• Determination of the system limits
• Hazard identification – identifying the hazards and environmental aspects occurring in normal and exceptional conditions
• Risk estimation
• Risk evaluation

System limits:

1. Usage limits: operating phases and procedures (2 kW Thermosiphon), control system (overall architecture), system users (access control)
2. Time limits (continuous operation)
3. Space limits (Point 1, USA15, B3184 roof)
4. Other limits (properties of cooling fluids)

Hazard zones:

Brine circuit C6F14
Brine circuit / main cooling loop
Vertical liquid line, PX15 and roof of B3184
By-pass dummy load, USA15
By-pass, USA15
Detector vapor return line
Detector liquid supply line, USA15

Page 6: Risk estimation OHS-0-0-1

Probability – occurrence of the hazardous event

• Very low [1]: Extremely unlikely to occur during task; once per year or less.
• Low [2]: Unlikely to occur during task; more than once per year, maximum of once per month.
• Medium [3]: Incident may occur during task; several times per month, maximum of once per week.
• High [4]: Likely to occur several times during task; several times per week.

Severity – severity description

• Minimal [A]. People: Slight injuries, no treatment needed. Environment: Not applicable. Property: Not applicable.
• Low [B]. People: Injuries or temporary, reversible illnesses not resulting in hospitalization and requiring only minor supportive treatment. Environment: Isolated and minor, but measurable, impact on some component(s) of a public resource. Property: Minor property damage in the facility.
• Medium [C]. People: Injuries or temporary, reversible illnesses resulting in hospitalization, of variable but limited period of disability. Environment: Serious impairment of the functioning of a public resource. Property: Major property damage in the facility.
• High [D]. People: Death from injury or illness, permanent disability or chronic irreversible illness. Environment: Permanent or long term loss of a public resource (drinking water, air, etc.). Property: Loss of facility.

[Figure: risk as a function of the probability of occurrence of harm and the severity of harm]

Page 7: Risk evaluation OHS-0-0-1

Risk evaluation matrix (rows: potential severity; columns: probability of the hazardous event)

                 Very low [1]   Low [2]   Medium [3]   High [4]
Minimal [A]      A1             A2        A3           A4
Low [B]          B1             B2        B3           B4
Medium [C]       C1             C2        C3           C4
High [D]         D1             D2        D3           D4

Risk levels and actions

• Low [A1, A2, B1]: Acceptable risk: no actions need to be taken.
• Medium [A3, A4, B2, B3, C1, C2, D1]: Unacceptable risk: actions are necessary to reduce the risk.
• High [B4, C3, C4, D2, D3, D4]: Unacceptable risk: immediate actions are necessary to reduce the risk promptly.

Selected method: risk matrix.

Risk = Probability of occurrence of a hazardous event x Severity of consequences

Note that the band assignment is not symmetric in the two factors: B4 (Low severity, High probability) is in the High band while D1 (High severity, Very low probability) is only Medium, so the table above, not the product formula, is what decides the action.

Risk estimation: the risk related to the considered hazard is a function of the severity of harm and the probability of its occurrence.

Risk evaluation determines whether risk reduction is required. If risk reduction is required, the appropriate protective measures shall be selected and applied.
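The matrix above as executable Python, added here as a worked example rather than code from the slides or from the OHS-0-0-1 guideline: it encodes the four probability classes, four severity classes and three action bands exactly as listed, checks that the bands partition all 16 cells, and runs a consistency check over a handful of rows transcribed from the hazard tables on pages 9, 10 and 12 (the row labels are mine). Run as given, the check flags the two rows where the stated severity and probability (Low, Very low) do not correspond to the stated cell (B2): in this matrix that combination is B1, which is in the Low band, whereas B2 is Medium and still calls for action.

```python
"""OHS-0-0-1 risk matrix from the slides, as an executable check.
Added example: class labels and bands are copied from the page; the sample
rows below are transcribed from the hazard tables with labels of my own."""

SEVERITY = {"Minimal": "A", "Low": "B", "Medium": "C", "High": "D"}
PROBABILITY = {"Very low": 1, "Low": 2, "Medium": 3, "High": 4}

# Action bands exactly as listed on the "Risk evaluation" slide.
BANDS = {
    "Low": {"A1", "A2", "B1"},
    "Medium": {"A3", "A4", "B2", "B3", "C1", "C2", "D1"},
    "High": {"B4", "C3", "C4", "D2", "D3", "D4"},
}
ACTION = {
    "Low": "Acceptable risk: no actions need to be taken.",
    "Medium": "Unacceptable risk: actions are necessary to reduce the risk.",
    "High": "Unacceptable risk: immediate actions are necessary to reduce the risk promptly.",
}


def cell(severity: str, probability: str) -> str:
    """Matrix cell for a severity/probability pair, e.g. ("Medium", "Very low") -> "C1".
    Labels are normalised so "Very Low" and "Very low" (both spellings occur on the page) agree."""
    return f"{SEVERITY[severity.capitalize()]}{PROBABILITY[probability.capitalize()]}"


def level(cell_code: str) -> str:
    """Action band ("Low", "Medium", "High") for a cell such as "D1"."""
    for band, cells in BANDS.items():
        if cell_code in cells:
            return band
    raise ValueError(f"cell {cell_code!r} is not in the matrix")


def reduction_required(cell_code: str) -> bool:
    """Only the Low band is acceptable as-is; everything else needs risk reduction."""
    return level(cell_code) != "Low"


def matrix_is_partition() -> bool:
    """Every one of the 16 cells must fall in exactly one band."""
    all_cells = {f"{s}{p}" for s in SEVERITY.values() for p in PROBABILITY.values()}
    listed = [c for cells in BANDS.values() for c in cells]
    return len(listed) == len(all_cells) and set(listed) == all_cells


def check_rows(rows):
    """For each (label, severity, probability, stated_cell) return the rows whose
    stated cell disagrees with the matrix, as (label, stated, expected)."""
    problems = []
    for label, severity, probability, stated in rows:
        expected = cell(severity, probability)
        if stated != expected:
            problems.append((label, stated, expected))
    return problems


# Rows transcribed from the hazard tables (pages 9, 10 and 12); labels are mine.
ROWS = [
    ("EH2102 24 V DC supply failure, current", "Medium", "Very low", "C1"),
    ("EH2102 24 V DC supply failure, after reduction", "Minimal", "Very Low", "A1"),
    ("EH2102 PID off / TT2202 IOError, current", "Medium", "Low", "C2"),
    ("EH2102 PID off / TT2202 IOError, after reduction", "Minimal", "Very Low", "A1"),
    ("EH2102 TS2102 fails, current", "High", "Very low", "D1"),
    ("EH2102 TS2102 fails, after reduction", "Low", "Very low", "B2"),
    ("EH2102 fails to OFF (relay blockage), after reduction", "Low", "Very low", "B2"),
    ("EH2102 electric shock, after reduction", "Low", "Very Low", "B1"),
    ("Compressed air B3184, current", "Medium", "Very low", "C1"),
    ("Compressed air B3184, after reduction", "Low", "Very low", "B1"),
]

if __name__ == "__main__":
    assert matrix_is_partition()
    for label, sev, prob, stated in ROWS:
        code = cell(sev, prob)
        print(f"{label:55s} {code} {level(code):6s} {ACTION[level(code)]}")
    for label, stated, expected in check_rows(ROWS):
        print(f"MISMATCH: {label}: table says {stated}, matrix gives {expected} ({level(expected)})")
```

The partition check is worth keeping in any tooling built around such a matrix: a cell that is listed in two bands, or in none, silently turns an "unacceptable" row into an unrated one.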

Page 8: Hazard identification and risk evaluation example

[Figure: P&ID extract around heater EH2102]

Page 9: Hazard identification and risk evaluation example

Table columns: Phase operation | Hazard zone | User/task/component | Component description | Hazardous event | Hazard | Local potential consequences | Global potential consequences | Current measures | Severity | Probability | Risk level | Risk reduction | Severity | Probability | Risk level (after reduction)

Phase operation: Normal operation: Run-order & (Stand-by OR Run OR Recovery)
Hazard zone: Vertical liquid line, USA15
Component: EH2102 – heater on the liquid supply line after the vapor cooling heat exchanger and before the bypass; heats the liquid to ambient temperature to avoid condensation on the way to the detector.

Hazardous event: Fails to heat up coolant

• Hazard: Electrical failure – 24 V DC power supply problem. The command signal from the PLC does not reach the solid state relay; the relay stays open.
  Local potential consequences: Not possible to keep the temperature above 20 °C; condensation on the detector supply line.
  Global potential consequences: Unable to continue cooling of the Inner Detector; condensation in the detector can damage other electronic systems.
  Current measures: The temperature after the heater (TT2103) does not change or stays equal to the temperature before the heater (TT2102). Inspection of the control cabinet is required. The 24 V DC power supply status is monitored by a status bit read by the PLC and displayed in PVSS. Plant's Start Interlock. If coolant stops circulating, the Evaporative Cooling Compressor Station has to be switched on to continue ATLAS operation and avoid Inner Detector degradation. All compressor station elements should be kept in good condition as the back-up solution in case of serious Thermosiphon damage.
  Severity Medium, Probability Very low, Risk level C1
  Risk reduction: Install a redundant 24 V DC power supply. After reduction: Severity Minimal, Probability Very low, Risk level A1

• Hazard: Electrical failure – problem with the coil of the command relay, or the relay switch does not change its position (relay blockage).
  Risk reduction: Add a back-up heater. After reduction: Severity Minimal, Probability Very low, Risk level A1

• Hazard: Electrical failure – solid state relay problem. (No further cells transcribed for this row.)

• Hazard: Electrical failure – circuit breaker trip, overload.
  Current measures: Circuit breaker status is continuously monitored by the PLC. The PLC triggers a stop interlock, which is displayed in PVSS and blocks the command. If coolant stops circulating, the Evaporative Cooling Compressor Station has to be switched on to continue ATLAS operation and avoid Inner Detector degradation. All compressor station elements should be kept in good condition as the back-up solution in case of serious Thermosiphon damage.
  Severity Medium, Probability Very low, Risk level C1

• Hazard: Electrical failure – differential circuit breaker trip, residual current detection. (No further cells transcribed for this row.)

• Hazard: PID control is OFF or fails because the measured value is in IOError; the measured value is the liquid temperature entering the detector and the by-pass (TT2202). This temperature has to be higher than 20 °C to avoid condensation.
  Current measures: The controller and heater PVSS widgets indicate the IOError. The operator has to verify whether any logic-dependent sensor or calculation is in IOError. IOError propagates between related objects: the controller inherits errors from the heater. If coolant stops circulating, the Evaporative Cooling Compressor Station has to be switched on to continue ATLAS operation and avoid Inner Detector degradation. All compressor station elements should be kept in good condition as the back-up solution in case of serious Thermosiphon damage.
  Severity Medium, Probability Low, Risk level C2
  Risk reduction: Add a second temperature sensor and regulate on the average temperature value. If one of the sensors is in IOError, take it out of the calculation; only if both sensors are in IOError, stop the system. After reduction: Severity Minimal, Probability Very low, Risk level A1

Hazardous event: Burn of insulation

• Hazard: Electrical failure – thermal switch TS2102 fails.
  Local potential consequences: Overheating, burn of insulation and fire.
  Global potential consequences: Unable to continue cooling of the Inner Detector. In case of fire, serious system damage; the whole ATLAS experiment stops.
  Current measures: The second and last level of heater protection is the thermal switch installed on the device, which cuts the power supply independently of the PLC command. The thermal switch has its own thermocouple installed inside the heater. In case of that failure an electrical inspection is required, with dismounting of the heater temperature sensor and replacement of the thermal switch; during that period the system has to be stopped.
  Severity High, Probability Very low, Risk level D1
  Risk reduction: Software stop interlock that stops the command from the PLC, with the temperature threshold set lower than the thermal switch threshold. An additional thermocouple should be installed in the heater to detect over-temperature before the thermal switch trips. Thermal switch feedback to the PLC. Additionally a SET/RESET interlock on the thermal switch status: if thermal switch overheating is detected the interlock trips; when the cause disappears the interlock stays ON until the operator resets it. No auto recovery after a thermal switch problem.
  After reduction: Severity Low, Probability Very low, Risk level B2 (as transcribed; in the page 7 matrix Low × Very low is B1, which is in the Low band, whereas B2 is Medium)

Hazardous event: Electric shock

• Hazard: Touching live parts.
  Local potential consequences: Not possible to keep the temperature above the saturation temperature of the return vapor; condensation on the return line.
  Global potential consequences: Unable to continue cooling of the Inner Detector.
  Current measures: Circuit breaker status is continuously monitored by the PLC. The PLC triggers a stop interlock, which is displayed in PVSS and blocks the command. Electrical inspection and system stop are necessary.
  Severity High, Probability Very low, Risk level D1
  Risk reduction: The heater is housed in a screwed metallic cover protecting the user from touching live parts during normal operation; circuit breaker monitoring and heater stop interlock. After reduction: Severity Low, Probability Very low, Risk level B1

Page 10: Hazard identification and risk evaluation example

Phase operation: Normal operation: NO Run-order
Hazard zone: Vertical liquid line, USA15
Component: EH2102 – heater on the liquid supply line after the vapor cooling heat exchanger and before the bypass; heats the liquid to ambient temperature to avoid condensation on the way to the detector.

Hazardous event: Fails to OFF, burn of insulation

• Hazard: Electrical failure – problem with the coil of the command relay, or the relay switch does not change its position (relay blockage).
  Local potential consequences: Unnecessary heating during the stop period. Danger of overheating, burn of insulation and fire if the PLC and the thermal switch fail and there is no coolant circulation.
  Global potential consequences: Unable to restart cooling of the Inner Detector. In case of fire or serious system damage the whole ATLAS experiment has to be stopped until all required repairs are complete.
  Current measures: The second and last level of heater protection is the thermal switch installed on the device, which cuts the power supply independently of the PLC command. The thermal switch has its own thermocouple installed inside the heater. In case of that failure an electrical inspection is required, with dismounting of the heater temperature sensor and replacement of the thermal switch; during that period the system has to be stopped.
  Severity High, Probability Very low, Risk level D1
  Risk reduction: Software stop interlock that stops the command from the PLC, with the temperature threshold set lower than the thermal switch threshold. An additional thermocouple should be installed in the heater to detect over-temperature before the thermal switch trips. Thermal switch feedback to the PLC. Additionally a SET/RESET interlock on the thermal switch status: if thermal switch overheating is detected the interlock trips; when the cause disappears the interlock stays ON until the operator resets it. No auto recovery after a thermal switch problem.
  After reduction: Severity Low, Probability Very low, Risk level B2 (as transcribed; in the page 7 matrix Low × Very low is B1)

• Hazard: Electrical failure – solid state relay problem.
  Local potential consequences: Unable to switch off the heater.
  Global potential consequences: The heater is out of use and the temperature of the vapor after the internal heat exchanger cannot be controlled; the EH2102 temperature controller TC2102 is unable to perform correct PID control.
  Current measures: The power to the heater has to be stopped and the solid state relay replaced; this requires a control cabinet inspection. For safety reasons the system should be stopped.
  Risk reduction: An additional contactor placed before the solid state relay, called "heater power ON", which switches the power circuit between the solid state relay and the circuit breaker.
  Severity Low, Probability Very low, Risk level B1 (only one rating is given for this row; the remaining cells are empty in the source)
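The risk-reduction measures proposed for EH2102 on pages 9 and 10 describe three pieces of control logic: averaging two supply temperature sensors and dropping one that is in IOError (stopping only when both are), a software over-temperature stop set below the TS2102 threshold, and a SET/RESET latch on the thermal switch status that only an operator can clear and only once the cause has gone. The Python below is an added example of that logic as a single PLC-style scan function; it is not the project's PLC or PVSS code. The threshold values other than the 20 °C supply minimum, the sensor names, the on/off regulation standing in for the TC2102 PID loop, and the fail-safe choice of blocking the heater when its own thermocouple is in IOError are all assumptions.

```python
"""Heater EH2102 protection logic as described in the risk-reduction column.
Added example, not the project's PLC/PVSS code. Thresholds other than the
20 C supply minimum, the sensor names and the on/off regulation are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

IOERROR = None  # a sensor in IOError contributes no valid value

MIN_SUPPLY_TEMP_C = 20.0  # from the slides: liquid entering the detector must stay above 20 C
SOFT_TRIP_C = 60.0        # assumed: software stop threshold, deliberately below TS2102
THERMAL_SWITCH_C = 80.0   # assumed: TS2102 trip point (hardware, independent of the PLC)
assert SOFT_TRIP_C < THERMAL_SWITCH_C, "software interlock must trip before the thermal switch"


@dataclass
class HeaterState:
    heater_cmd: bool = False          # command from the PLC towards the solid state relay
    ts_latched: bool = False          # SET/RESET interlock on the thermal switch status
    stop_reason: Optional[str] = None


def regulated_value(sensors: List[Optional[float]]) -> Optional[float]:
    """Average of the sensors not in IOError; None when all of them are in IOError."""
    good = [s for s in sensors if s is not IOERROR]
    return sum(good) / len(good) if good else None


def scan(state: HeaterState, supply_sensors: List[Optional[float]],
         heater_temp_c: Optional[float], thermal_switch_ok: bool,
         operator_reset: bool = False) -> HeaterState:
    """One PLC scan cycle: evaluate the interlocks, then derive the heater command."""
    # SET/RESET latch: SET whenever TS2102 reports a trip; RESET only on an explicit
    # operator reset, and only if the trip is no longer present. No auto recovery.
    if not thermal_switch_ok:
        state.ts_latched = True
    elif operator_reset:
        state.ts_latched = False

    # Software over-temperature stop from the additional heater thermocouple.
    # Assumed fail-safe choice: a thermocouple in IOError also blocks the heater.
    soft_trip = heater_temp_c is IOERROR or heater_temp_c >= SOFT_TRIP_C

    supply = regulated_value(supply_sensors)

    if state.ts_latched:
        reason = "TS2102 latched, operator reset required"
    elif soft_trip:
        reason = "software over-temperature stop"
    elif supply is None:
        reason = "both supply sensors in IOError, system stop"
    else:
        reason = None

    state.stop_reason = reason
    # On/off regulation stands in for the TC2102 PID loop: heat only while the
    # supply is below the 20 C minimum and no stop condition is active.
    state.heater_cmd = reason is None and supply < MIN_SUPPLY_TEMP_C
    return state


def run_scenario():
    """Constructed sequence of scans exercising each protection path.
    Returns [(heater_cmd, stop_reason), ...], one entry per scan."""
    steps = [
        # (supply sensors, heater thermocouple, TS2102 ok, operator reset)
        ([18.0, 18.4], 40.0, True, False),         # cold supply: heat
        ([18.0, IOERROR], 40.0, True, False),      # one sensor in IOError: keep regulating
        ([IOERROR, IOERROR], 40.0, True, False),   # both in IOError: stop
        ([18.0, 18.4], 65.0, True, False),         # above SOFT_TRIP_C: stop before TS2102 trips
        ([18.0, 18.4], 40.0, False, False),        # TS2102 trips: latch
        ([18.0, 18.4], 40.0, True, False),         # cause gone, no reset: stay latched
        ([18.0, 18.4], 40.0, True, True),          # operator reset: back to regulation
        ([22.0, 22.5], 40.0, True, False),         # supply warm enough: no heating
        ([18.0, 18.4], 40.0, False, True),         # reset while still tripped: refused
    ]
    state = HeaterState()
    results = []
    for sensors, heater_t, ts_ok, reset in steps:
        state = scan(state, sensors, heater_t, ts_ok, reset)
        results.append((state.heater_cmd, state.stop_reason))
    return results


if __name__ == "__main__":
    for i, (cmd, reason) in enumerate(run_scenario(), 1):
        print(f"scan {i}: heater {'ON ' if cmd else 'OFF'} {reason or ''}")
```

The ordering inside scan() carries the safety argument: the latch is evaluated first, so an operator reset arriving in the same scan as a trip is ignored; the heater command is only ever true when no stop reason is active, so a stop condition added later is fail-safe by construction; and the thermal switch itself still cuts power in hardware if all of this software fails, which is why the software threshold must sit below it.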

Page 11: Hazard identification and risk evaluation

[Figures: P&ID March 2011; P&ID September 2011]

Page 12: Hazard identification and risk evaluation – supplies

Table columns: Phase operation | Hazard zone | User/task/component | Component description | Hazardous event | Hazard | Local potential consequences | Global potential consequences | Current measures | Severity | Probability | Risk level | Risk reduction | Severity | Probability | Risk level (after reduction)

Phase operation (all rows): Normal operation – all option modes

Hazard zone: B3184
Component: Compressed air line – compressed air supply line in the surface building
Hazardous event: Stop of the three compressor stations in B3184
Hazard: Uncontrolled valve closing
Local potential consequences: All pneumatic valves go to their safety position.
Global potential consequences: The whole system has to be stopped; impossible to continue ATLAS Inner Detector cooling.
Current measures: Festo pressure switch (Surface Pressure Switch Low): if the compressed air pressure becomes too low, the PLC stops receiving the DI signal (DI becomes OFF). The PLC trips the Full Stop Interlock and the whole system is moved to the safety position. The compressed air system is redundant and connected to the UPS.
Severity Medium, Probability Very low, Risk level C1
Risk reduction: Install a battery of N2 bottles with a hardwired pressure switch. After reduction: Severity Low, Probability Very low, Risk level B1

Hazard zone: USA15
Component: compressed air supply line in the underground area
Hazardous event, hazard and consequences: as for B3184.
Current measures: Festo pressure switch (Underground Pressure Switch Low): if the compressed air pressure becomes too low, the PLC stops receiving the DI signal (DI becomes OFF). The PLC trips the Full Stop Interlock and the whole system is moved to the safety position. The compressed air system is redundant and connected to the UPS.
Severity Medium, Probability Very low, Risk level C1
Risk reduction: Install a battery of N2 bottles with a hardwired pressure switch. After reduction: Severity Low, Probability Very low, Risk level B1

Hazard zone: B3184
Component: 24 V DC power supplies – 24 V DC power supply in the surface control cabinet
Hazardous event: Stop of 24 V DC power supply
Local potential consequences: Stop of all 24 V DC commands; unable to read all sensors in the surface area (except temperature sensors if connected directly to an AI card); unable to send any command from the PLC to the actuators.
Global potential consequences: The whole system has to be stopped; impossible to continue ATLAS Inner Detector cooling.
Current measures: The PLC monitors the 24 V DC power supply status. In case of failure the PLC has its own power supply and can receive the bad-status signal from the power supply.
Severity Medium, Probability Very low, Risk level C1
Risk reduction: Use redundant 24 V DC power supplies. After reduction: Severity Minimal, Probability Very low, Risk level A1

Hazard zone: USA15
Component: 24 V DC power supply in the underground control cabinet
Hazardous event: Stop of 24 V DC power supply
Local potential consequences: Stop of all 24 V DC commands; unable to read all sensors in the underground area (except temperature sensors if connected directly to an AI card); unable to send any command from the PLC to the actuators.
Global potential consequences: The whole system has to be stopped; impossible to continue ATLAS Inner Detector cooling.
Current measures: The PLC monitors the 24 V DC power supply status. In case of failure the PLC has its own power supply and can receive the bad-status signal from the power supply.
Severity Medium, Probability Very low, Risk level C1
Risk reduction: Use redundant 24 V DC power supplies. After reduction: Severity Minimal, Probability Very low, Risk level A1

Page 13: Summary

Considered:

• 240 hazards
• 202 hazardous events
• 76 individual components in 7 groups
• 98 risk reduction proposals
• mechanical, electrical and control failures included
• EDMS 1165951 document under approval

FST risk evaluation before risk reduction (share of evaluated entries per matrix cell): A1 7%, A2 25%, B1 10%, B2 9%, C1 4%, C2 1%, D1 44%

FST risk evaluation after risk reduction: A1 16%, A2 26%, B1 40%, B2 12%, C1 5%, C2 1%

Before reduction 58% of the entries sit in the Medium band (B2, C1, C2, D1), 44% of them in D1. After reduction no entry remains in D1, but 18% (B2, C1, C2) are still in the Medium band, for which the OHS-0-0-1 rule continues to apply: Medium [A3, A4, B2, B3, C1, C2, D1] – Unacceptable risk: actions are necessary to reduce the risk.

EDMS 1165951