1 Bremerton Safety Council Camera Hazard List Frank O’Neill Safety Support August 18, 2015

1

Bremerton Safety Council

Camera Hazard List

Frank O’NeillSafety Support

August 18, 2015

2

Corner Rafts/Science Rafts/Sensors

3


4


5


6


7


8


9


10


11


12


13


14


15


16

Corner Raft

17


18


19


20


21


22


23


24

Cryostat

25

Cryostat

26

Cryostat

27

Cryostat

28

Filter Exchange System

29


30


31


32


33


34


35


36


37


38


39


40


41


42


43


44


45


46


47

L3

48

L3

49

L3

50

L3

51

L3

52

L1/L2

53

L1/L2

54

L1/L2

55

L1/L2

56

L1/L2

57

LSST CRYOSTAT FDR • SLAC, Menlo Park, CA • June 9-10, 2015 58LSST CRYOSTAT FDR • SLAC, Menlo Park, CA • June 9-10, 2015

Cryostat Final Design Review

Safety-Hazards

J. LangtonSubsystem Engineering Manager

June 9-10, 2015

LSST CRYOSTAT FDR • SLAC, Menlo Park, CA • June 9-10, 2015 59

Cryostat Hazard Analysis Report

• The Camera has drafted a Hazard Analysis Report (LCA-0014)– LCA -0014 explores and explains, in detail, the integrated camera and individual

subsystems design and function and identifies potential hazards.• The cryostat chapter of the HAR evaluates the associated hazards in detail.

– Cryostat HAR provides the cryostat physical description and function.– Cryostat HAR evaluates each hazard area in detail and provides definition and

explanation of the related controls and mitigations.• Cryostat hazard areas:

– Thermal and Cryogenic– Pressure and Vacuum– Structural– Electrical– Control– Environmental– Fire– Materials and Substances


Cryostat Hazard Analysis

• The camera has a drafted a hazard lists (LCA-15 & O&SHA)– Operating and support hazard analysis tabluate hazards associsted with camera

operations phase.– Lists tabulate all of our identified hazards, plans to mitigate them, and plans to

verify that the mitigation is, in fact, operating as required.– The Hazard List uses a semi-quantitative analysis to rank hazards by probability of

occurrence and severity of impact.• The cryostat system carries:

– A total of 24 hazards– No “High” hazards– 3 “Serious” hazards (unmitigated)

• Cryostat vacuum-pressure failure.• Overpressure failure of cryostat.• Asphyxiation due to release of refrigerant

– All hazards are medium and Low assessment after mitigation• Why not all hazards mitigated to “low”?• Because, with very few exceptions, the severity of a hazard cannot be reduced. Only the

probability of a hazard occurring can be addressed by mitigation and that sets a certain lower bound for any specific hazard.


Hazard Definition & Assessment Methodology

Hazard Assessment

Hazard Severity ClassificationClass Description Potential Consequences

Injury: may cause death or permanently-disabling injuryProperty damage: near-complete loss of camera systemEnvironment: irreversible severe environmental damageInjury: severe injury, occupational illness, or permanent partial disability

Property damage: major damage to system; loss of major subsystem(s)

Environment: significant reversible environmental damageMishap Risk Assessment

ValueInjury: minor injury or occupational illness

Property damage: minor damage to camera or subsystem, recoverable with minimal impact on program

A—Frequent 1 3 7 13

Environment: mitigatible environmental damage, where restoration activities can be accomplished

B—Probable 2 5 9 16

Injury: minor first aid treatment; personal health not affected C—Possible 4 6 11 18

Property damage: more than normal wear and tear; easily recoverable within scope of standard maintenance

D—Remote 8 10 14 19

Environment: minimal environmental damage E—Improbable 12 15 17 20

Hazard Probability Level

LevelFrequency of Occurrence

Definition Mishap Risk Categories

A Frequent Likely to occur often in the life of the CameraRisk Assessment

ValueDescription

B Probable Will occur several times in the life of the Camera 1-5 High

C Possible Likely to occur sometime in the life of the Camera 6-9 Serious

D Remote Unlikely but possible to occur in the life of the Camera 10-17 Medium

E Improbable So unlikely, it can be assumed occurrence may not be experienced 18-20 Low

4 Negligible Prb

oab

ilit

y

2 Critical

3 Marginal

2—C

riti

cal

3—M

arg

inal

4—N

egli

gib

le

Severity

1—C

atas

tro

ph

ic

1 Catastrophic

• Hazards can be defined as a failure of a component, system or function that could lead to personal injury or damage to hardware.– Hazards are NOT risks.


Cryostat Hazard List

How are you protectingagainst the failure?

What’s the failure & mode? How are you assuring protections work?

Hazard assessment before protectionHazard assessment after protection


Cryostat Hazards Detail

Hazard Description Mitigation Verification

#021-Asphyxiation due to release of refrigerant 1-provide ventilation of room suffcient to remove limiited refrigerant quantity of system charge2-employ oxygen deficiency monitor in utility room

1-test ventilation system for adequate (as designed) performance for air change rate2-Test ODM periodically, verify alarm set point.3-Ensure training is adequate and retraining frequency is consistent with needs.

#001-Failure of a vacuum seal in the cryostat leads to uncontrolled venting of the cryostat, possibly introducing contaminants and water vapor into the cryostat which could damage the detectors

1-Use double O-ring seals with an intermediate vacuum groove at all bolted joints. Failure of one seal can be detected. 2-use of all metal seals wherever possible3-ensure all valve are normally closed / fail to safe configuration4-ensure redundant valve for all critical locations,5- implement control system with valve sequencing ensuring proper operation6-test and verification of vacuum control system with double check function confirmation to ensure no unintended vent.

1-Test vacuum-tightness of each of the double O-ring seals2-design reviews of system to ensure proper component selection

#010-Cryo or Cold Plate exceed their max operating limits

1-design hardware to survive maximum possible temperature with heaters on / refrig lower cooling capacity2- Temp sensors on Cryo and Cold plates provide feedback; over-temp switches cut power to heaters and RCM power supplies

1-Test montiring feedback control and over-temp switches

• Cryostat hazards are loosely grouped as follows:Personnel injury due to unplanned release or venting of gases or fluids.Mechanical failure—failure of a component due to improper system design or usage. Control or operations failure—damage due to incorrect operation or loss of transducer.


Hazard Mitigations and Verification

• There are 6 ways to mitigate a hazard– Eliminate hazard: Remove the hazard altogether – Control hazard: Change design/manufacturing

plans to reduce risk of mishap– Safety feature: Incorporate passive or static

interveners to prevent a mishap– Safety device: Add active device or monitor to

interrupt mishap sequence– Warning device: Incorporate monitors and

warning of incipient mishap– Procedure, training: Invoke special procedures,

PPE, dedicated equipment• And 5 ways to verify those mitigations:

– Test: Functional test of installed system verifies mitigation functions correctly

– Inspection: Visual inspection or measurement verifies mitigation is applied as-req'd

– Process control: Control parts/mat'l selection; qual/proof test; fab/ass'y process controls

– Audit: Check of in situ mitigations verifies that they are being used

– Review: Review or analysis of mitigation plans indicates that they will reduce hazard level

Cryostat Mitigation Strategy4 Eliminate hazard9 Control hazard0 Safety feature5 Safety device1 Warning device4 Procedure, training

23 Total

Cryostat Verification Method11 Test1 Inspection5 Process control3 Audit3 Review

23 Total


Cryostat Hazard Reports

• The Camera Safety officer reviews the hazard analysis. Specific hazards identified as “High” or “Serious,” or with causes that are particularly complex are flagged and Hazard Reports completed.

• LCA-10742 reports on the cryostat housing hazard of structural failure due to overpressure.• The reports details the hazard:

– ...If these gas supplies are not properly engineered and operated there could be a hazard buildup of pressure in the cryostat vacuum ….

• The controls / actions:– 1-Design cryostat for overpressure loads with recommended safety factors– 2-Include burst disk and / or pressure relief valve on cryostat vacuum system– 3-Restrict……..

• The effects:– 1-ensure if an over pressure condition develops the structural integrity……..– 2- ensure if fault or failure occurs and uncontrolled supply of gas…..– 3-ensure that the total pressure……

• The verifications required:– 1-Proof test cryostat to maximum expected overpressure……..– 2-Proof test pressure relief valve………– 3-Verify that burst disk……….


Summary

• Affect on CD-2 readiness– We have identified mitigations for all 18 hazards.– The mitigations reduce hazard assessments to the lowest level achievable.– Verifications requirements for mitigations established and documented.

• Hazard reports and assessments have been reviewed and updated in preparation for FDR

• Cryostat hazard definition and assessment is mature.• Mitigations are identified and integrated into the project execution and / or system

designs.• Hazard assessments and mitigations consistent with CD-3 readiness.

End of Presentation

Documents

1 Bremerton Safety Council Camera Hazard List Frank O’Neill Safety Support August 18, 2015