Full Scale Thermosiphon Risk Assessment
Lukasz Zwalinski PH/DT/PO - Cooling
Thermosiphon workshop §5 20th October 2011 L.Zwalinski – PH/DT/PO
Introduction
• Document prepared on 23rd of March 2011
• Main references:
  P&I Diagram and Part List of the Full Scale Thermosiphon, March 2011, EDMS 1101188
  CERN Safety Guideline OHS-0-0-1 – Risk Assessment, EDMS 1114042
  ISO 12100 Safety of machinery – General principles for design – Risk assessment and risk reduction, 2010-11-01
  ISO 31000 Risk management – Principles and guidelines, 2009-11-15
  ISO/TR 14121-2 Safety of machinery – Risk assessment, 2007-12-15
  ISO 13849-2 Safety of machinery – Safety related parts of control systems, 2003-08-15
Definitions
Hazard – The intrinsic property or ability of something (e.g. work materials, equipment, work methods and practices) with the potential to cause harm.
Hazardous event – Occurrence leading to undesired consequences and arising from the triggering by one (or more) initiator events/causes of one (or more) hazards.
Risk – The likelihood that the potential for harm will be attained under the conditions of use and/or exposure, and the possible extent of the harm. Effect of uncertainty on objectives.
Severity – Classification of a failure or undesired event according to the magnitude of its possible consequences.
Risk assessment – The process of evaluating the risk to the health and safety of workers while at work arising from the circumstances of the occurrence of a hazard at the workplace. Overall process of risk identification, risk analysis and risk evaluation.
Definitions
Risk assessment process
It is based on a systematic examination of all aspects of work that considers:
• what could cause injury or harm,
• whether the hazards could be eliminated and, if not,
• what preventive or protective measures are, or should be, in place to control the risks.
[OHSAS 18001 Occupational Health and Safety]
Risk assessment activities ISO 12100:2010
• Determination of the system limits
• Hazard identification – identifying the hazards and environmental aspects occurring in normal and exceptional conditions
• Risk estimation
• Risk evaluation
System limits considered:
1. Usage limits: operating phases and procedures (2 kW Thermosiphon), control system (overall architecture), system users (access control)
2. Time limits: continuous operation
3. Space limits: Point 1, USA15, B3184 roof
4. Other limits: properties of the cooling fluids
Circuits and zones labelled on the slide diagram:
• Brine circuit C6F14
• Brine circuit / main cooling loop
• Vertical liquid line, PX15 and roof of B3184
• By-pass dummy load, USA15
• By-pass, USA15
• Detector vapor return line
• Detector liquid supply line, USA15
Risk estimation OHS-0-0-1
Probability – occurrence of the hazardous event
Very low [1] – Extremely unlikely to occur during the task; once per year or less.
Low [2] – Unlikely to occur during the task; more than once per year, maximum of once per month.
Medium [3] – Incident may occur during the task; several times per month, maximum of once per week.
High [4] – Likely to occur several times during the task; several times per week.
Severity – severity description
Minimal [A] – People: slight injuries, no treatment needed. Environment: not applicable. Property: not applicable.
Low [B] – People: injuries or temporary, reversible illnesses not resulting in hospitalization and requiring only minor supportive treatment. Environment: isolated and minor, but measurable, impact on some component(s) of a public resource. Property: minor property damage in the facility.
Medium [C] – People: injuries or temporary, reversible illnesses resulting in hospitalization of a variable but limited period of disability. Environment: serious impairment of the functioning of a public resource. Property: major property damage in the facility.
High [D] – People: death from injury or illness, permanent disability or chronic irreversible illness. Environment: permanent or long-term loss of a public resource (drinking water, air, etc.). Property: loss of the facility.
Risk estimation combines the two axes: the probability of occurrence of harm and the severity of harm.
Risk evaluation OHS-0-0-1
Risk evaluation matrix (rows: potential severity; columns: probability of the hazardous event)
                  Very low [1]   Low [2]   Medium [3]   High [4]
Minimal [A]       A1             A2        A3           A4
Low [B]           B1             B2        B3           B4
Medium [C]        C1             C2        C3           C4
High [D]          D1             D2        D3           D4
Risk levels and actions
Low [A1, A2, B1] – Acceptable risk: no actions need to be taken.
Medium [A3, A4, B2, B3, C1, C2, D1] – Unacceptable risk: actions are necessary to reduce the risk.
High [B4, C3, C4, D2, D3, D4] – Unacceptable risk: immediate actions are necessary to reduce the risk promptly.
Selected method: risk matrix.
Risk = Probability of occurrence of a hazardous event × Severity of consequences
Risk estimation – the risk related to the considered hazard is a function of the severity of harm and the probability of its occurrence.
Risk evaluation determines whether risk reduction is required. If it is, the appropriate protective measures shall be selected and applied.
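The OHS-0-0-1 matrix and action table above as an added Python example (not code from the presentation): it maps the severity and probability words onto the matrix cell, assigns the Low/Medium/High level with its action, and reports the cell before and after a proposed measure. The sample rows are taken from the EH2102 heater example later in the deck, with short labels of my own; run over the thermal switch row, whose "Low / Very low" values the slide lists as B2, it returns B1, a discrepancy worth checking against the EDMS document.

```python
from dataclasses import dataclass
from typing import Optional

# Axis values and cell-to-level mapping exactly as given on the OHS-0-0-1 slides above.
PROBABILITY = {"Very low": 1, "Low": 2, "Medium": 3, "High": 4}
SEVERITY = {"Minimal": "A", "Low": "B", "Medium": "C", "High": "D"}
RISK_LEVEL = {
    "Low": {"A1", "A2", "B1"},
    "Medium": {"A3", "A4", "B2", "B3", "C1", "C2", "D1"},
    "High": {"B4", "C3", "C4", "D2", "D3", "D4"},
}
ACTION = {
    "Low": "Acceptable risk: no actions need to be taken.",
    "Medium": "Unacceptable risk: actions are necessary to reduce the risk.",
    "High": "Unacceptable risk: immediate actions are necessary to reduce the risk promptly.",
}

def risk_code(severity, probability):
    """Matrix cell for a (severity, probability) pair, e.g. ('Medium', 'Very low') -> 'C1'.
    The slides write both 'Very low' and 'Very Low', so the words are normalised first."""
    return f"{SEVERITY[severity.capitalize()]}{PROBABILITY[probability.capitalize()]}"

def risk_level(code):
    """Low / Medium / High for a cell such as 'D1'; an unknown cell is an error, not a guess."""
    for level, cells in RISK_LEVEL.items():
        if code in cells:
            return level
    raise ValueError(f"unknown matrix cell {code!r}")

@dataclass
class Hazard:
    name: str
    severity: str
    probability: str
    reduced_severity: Optional[str] = None      # values after the proposed risk reduction
    reduced_probability: Optional[str] = None

def evaluate(h):
    """Cell, level and required action before the measure, plus cell and level after it."""
    before = risk_code(h.severity, h.probability)
    out = {"before": before, "level_before": risk_level(before), "action": ACTION[risk_level(before)]}
    if h.reduced_severity and h.reduced_probability:
        after = risk_code(h.reduced_severity, h.reduced_probability)
        out.update(after=after, level_after=risk_level(after))
    return out

# Rows taken from the page's EH2102 heater example; the names are my short labels for them.
EH2102_ROWS = [
    Hazard("24 V DC supply problem", "Medium", "Very low", "Minimal", "Very Low"),
    Hazard("PID control OFF / IOError on TT2202", "Medium", "Low", "Minimal", "Very Low"),
    Hazard("Thermal switch TS2102 fails", "High", "Very low", "Low", "Very low"),  # slide prints B2
    Hazard("Touching live parts", "High", "Very low", "Low", "Very Low"),
]
```

`evaluate(EH2102_ROWS[0])` returns the C1 (Medium) cell before and A1 (Low) after the redundant supply is installed, matching the slide.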
Hazard identification and risk evaluation example
Component considered in the example: heater EH2102.
Hazard identification and risk evaluation example
Columns of the original table: Phase of operation | Hazard zone | User/task/component | Component description | Hazardous event | Hazard | Local potential consequences | Global potential consequences | Current measures | Severity | Probability | Risk level | Risk reduction | Severity | Probability | Risk level (after reduction)

Phase of operation: Normal operation: Run-order & (Stand-by OR Run OR Recovery)
Hazard zone: Vertical liquid line, USA15
User/task/component: EH2102
Component description: Heater on the liquid supply line after the vapor cooling heat exchanger and before the bypass; heats the coolant to ambient temperature to avoid condensation on the way to the detector.

Hazardous event: Fails to heat up coolant
• Hazard: Electrical failure - 24 V DC power supply problem. The command signal from the PLC is not reaching the solid state relay; the relay stays open.
  Local potential consequences: Not possible to keep the temperature above 20 °C; condensation on the detector supply line.
  Global potential consequences: Unable to continue cooling of the Inner Detector; condensation in the detector can damage other electronic systems.
  Current measures: The temperature after the heater, TT2103, is not changing or stays equal to the temperature before the heater, TT2102. Inspection of the control cabinet is required. The 24 V DC power supply status is monitored by a status bit read by the PLC and displayed in PVSS. Plant's Start Interlock. If the coolant stops circulating, the Evaporative Cooling Compressor Station has to be switched on to continue ATLAS operation and avoid Inner Detector degradation. All compressor station elements should be kept in good condition as the back-up solution in case of serious Thermosiphon damage.
  Severity / Probability / Risk level: Medium / Very low / C1
  Risk reduction: Install a redundant 24 V DC power supply.
  After reduction: Minimal / Very low / A1
• Hazard: Electrical failure - problem with the coil of the command relay, or the relay switch does not change its position (relay blockage).
  Risk reduction: Add a back-up heater.
  After reduction: Minimal / Very low / A1
• Hazard: Electrical failure - solid state relay problem.
• Hazard: Electrical failure - circuit breaker trip, overload.
  Current measures: The circuit breaker status is continuously monitored by the PLC. The PLC triggers a stop interlock, which is displayed in PVSS and blocks the command. If the coolant stops circulating, the Evaporative Cooling Compressor Station has to be switched on to continue ATLAS operation and avoid Inner Detector degradation. All compressor station elements should be kept in good condition as the back-up solution in case of serious Thermosiphon damage.
  Severity / Probability / Risk level: Medium / Very low / C1
• Hazard: Electrical failure - differential circuit breaker trip, residual current detection.
• Hazard: PID control is OFF or fails because the measured value is in IOError; the measured value is the liquid temperature entering the detector and by-pass, TT2202. This temperature has to be higher than 20 °C to avoid condensation.
  Current measures: The controller and heater PVSS widgets indicate the IOError. The operator has to verify whether any logic-dependent sensor or calculation is in IOError. IOError propagates between related objects: the controller inherits errors from the heater. If the coolant stops circulating, the Evaporative Cooling Compressor Station has to be switched on to continue ATLAS operation and avoid Inner Detector degradation. All compressor station elements should be kept in good condition as the back-up solution in case of serious Thermosiphon damage.
  Severity / Probability / Risk level: Medium / Low / C2
  Risk reduction: Add a second temperature sensor and regulate on the average temperature value. If one of the sensors is in IOError, take it out of the calculation; only if both sensors are in IOError stop the system.
  After reduction: Minimal / Very low / A1

Hazardous event: Burn of insulation
• Hazard: Electrical failure - thermal switch TS2102 fails.
  Local potential consequences: Overheating, burn of insulation and fire.
  Global potential consequences: Unable to continue cooling of the Inner Detector. In case of fire or serious system damage the whole ATLAS experiment stops.
  Current measures: The second and last level of heater protection is the thermal switch installed on the device, which cuts the power supply independently of the PLC command. The thermal switch has its own thermocouple installed inside the heater. In case of that failure an electrical inspection is required, the heater temperature sensor has to be dismounted and the thermal switch replaced; during that period the system has to be stopped.
  Severity / Probability / Risk level: High / Very low / D1
  Risk reduction: Software stop interlock that stops the command from the PLC, with the temperature threshold set lower than the thermal switch threshold. An additional thermocouple should be installed in the heater to detect over-temperature before the thermal switch trips. Thermal switch feedback to the PLC. Additionally, a SET/RESET interlock on the thermal switch status: if thermal switch overheating is detected the interlock trips, and when the cause disappears the interlock stays ON until the operator resets it. No auto-recovery after a thermal switch problem.
  After reduction: Low / Very low / B2

Hazardous event: Electric shock
• Hazard: Touching live parts.
  Local potential consequences: Not possible to keep the temperature above the saturation temperature of the return vapor; condensation on the return line.
  Global potential consequences: Unable to continue cooling of the Inner Detector.
  Current measures: The circuit breaker status is continuously monitored by the PLC. The PLC triggers a stop interlock, which is displayed in PVSS and blocks the command. An electrical inspection and a system stop are necessary.
  Severity / Probability / Risk level: High / Very low / D1
  Risk reduction: The heater is housed in a screwed metallic cover protecting the user from touching live parts during normal operation. Circuit breaker monitoring and heater stop interlock.
  After reduction: Low / Very low / B1
Hazard identification and risk evaluation example
Columns of the original table: Phase of operation | Hazard zone | User/task/component | Component description | Hazardous event | Hazard | Local potential consequences | Global potential consequences | Current measures | Severity | Probability | Risk level | Risk reduction | Severity | Probability | Risk level (after reduction)

Phase of operation: Normal operation: NO Run-order
Hazard zone: Vertical liquid line, USA15
User/task/component: EH2102
Component description: Heater on the liquid supply line after the vapor cooling heat exchanger and before the bypass; heats the coolant to ambient temperature to avoid condensation on the way to the detector.

Hazardous event: Fails to OFF, burn of insulation
• Hazard: Electrical failure - problem with the coil of the command relay, or the relay switch does not change its position (relay blockage).
  Local potential consequences: Unnecessary heating during the stop period. Danger of overheating, burn of insulation and fire if the PLC and the thermal switch fail and there is no coolant circulation.
  Global potential consequences: Unable to restart cooling of the Inner Detector. In case of fire or serious system damage the whole ATLAS experiment has to be stopped until all required repairs are complete.
  Current measures: The second and last level of heater protection is the thermal switch installed on the device, which cuts the power supply independently of the PLC command. The thermal switch has its own thermocouple installed inside the heater. In case of that failure an electrical inspection is required, the heater temperature sensor has to be dismounted and the thermal switch replaced; during that period the system has to be stopped.
  Severity / Probability / Risk level: High / Very low / D1
  Risk reduction: Software stop interlock that stops the command from the PLC, with the temperature threshold set lower than the thermal switch threshold. An additional thermocouple should be installed in the heater to detect over-temperature before the thermal switch trips. Thermal switch feedback to the PLC. Additionally, a SET/RESET interlock on the thermal switch status: if thermal switch overheating is detected the interlock trips, and when the cause disappears the interlock stays ON until the operator resets it. No auto-recovery after a thermal switch problem.
  After reduction: Low / Very low / B2
• Hazard: Electrical failure - solid state relay problem.
  Local potential consequences: Unable to switch off the heater.
  Global potential consequences: The heater is out of use and the temperature of the vapor after the internal heat exchanger cannot be controlled; the EH2102 temperature controller TC2102 is unable to perform correct PID control.
  Current measures: The power to the heater has to be cut and the solid state relay replaced, which requires a control cabinet inspection; for safety reasons the system should be stopped. An additional contactor placed before the solid state relay, called "heater power ON", switches the power circuit between the solid state relay and the circuit breaker.
  Severity / Probability / Risk level: Low / Very low / B1
Hazard identification and risk evaluation
Figures on the slide: P&ID March 2011; P&ID September 2011.
Hazard identification and risk evaluation – supplies
Columns of the original table: Phase of operation | Hazard zone | User/task/component | Component description | Hazardous event | Hazard | Local potential consequences | Global potential consequences | Current measures | Severity | Probability | Risk level | Risk reduction | Severity | Probability | Risk level (after reduction)

Phase of operation (all four rows): Normal operation - all option modes

• Hazard zone: B3184
  User/task/component: Compressed air line
  Component description: Compressed air supply line in the surface building
  Hazardous event: Stop of the three compressor stations in B3184
  Hazard: Uncontrolled valve closing
  Local potential consequences: All pneumatic valves go to their safety position.
  Global potential consequences: The whole system has to be stopped; impossible to continue ATLAS Inner Detector cooling.
  Current measures: Festo pressure switch (Surface Pressure Switch Low): if the compressed air pressure becomes too low, the PLC stops receiving the DI signal (DI becomes OFF), trips the Full Stop Interlock and moves the whole system to its safety position. The compressed air system is redundant and connected to a UPS.
  Severity / Probability / Risk level: Medium / Very low / C1
  Risk reduction: Install a battery of N2 bottles with a hardwired pressure switch.
  After reduction: Low / Very low / B1
• Hazard zone: USA15
  User/task/component: Compressed air line
  Component description: Compressed air supply line in the underground area
  Hazardous event / Hazard / consequences: as for the surface line above.
  Current measures: Festo pressure switch (Underground Pressure Switch Low): if the compressed air pressure becomes too low, the PLC stops receiving the DI signal (DI becomes OFF), trips the Full Stop Interlock and moves the whole system to its safety position. The compressed air system is redundant and connected to a UPS.
  Severity / Probability / Risk level: Medium / Very low / C1
  Risk reduction: Install a battery of N2 bottles with a hardwired pressure switch.
  After reduction: Low / Very low / B1
• Hazard zone: B3184
  User/task/component: 24 V DC power supplies
  Component description: 24 V DC power supply in the surface control cabinet
  Hazardous event: Stop of the 24 V DC power supply
  Hazard: Stop of all 24 V DC commands; unable to read any sensors in the surface area (except temperature sensors if connected directly to the AI card); unable to send any command from the PLC to the actuators.
  Global potential consequences: The whole system has to be stopped; impossible to continue ATLAS Inner Detector cooling.
  Current measures: The PLC monitors the 24 V DC power supply status. In case of failure the PLC has its own power supply and can receive the bad-status signal from the power supply.
  Severity / Probability / Risk level: Medium / Very low / C1
  Risk reduction: Use redundant 24 V DC power supplies.
  After reduction: Minimal / Very low / A1
• Hazard zone: USA15
  User/task/component: 24 V DC power supplies
  Component description: 24 V DC power supply in the underground control cabinet
  Hazardous event: Stop of the 24 V DC power supply
  Hazard: Stop of all 24 V DC commands; unable to read any sensors in the underground area (except temperature sensors if connected directly to the AI card); unable to send any command from the PLC to the actuators.
  Global potential consequences: The whole system has to be stopped; impossible to continue ATLAS Inner Detector cooling.
  Current measures: The PLC monitors the 24 V DC power supply status. In case of failure the PLC has its own power supply and can receive the bad-status signal from the power supply.
  Severity / Probability / Risk level: Medium / Very low / C1
  Risk reduction: Use redundant 24 V DC power supplies.
  After reduction: Minimal / Very low / A1
Summary
Considered:
• 240 hazards
• 202 hazardous events
• 76 individual components in 7 groups
• 98 risk reduction proposals
• mechanical, electrical and control failures included
• EDMS 1165951 document under approval
Distribution of hazardous events over the risk matrix cells (from the two pie charts on the slide):
FST risk evaluation before risk reduction: A1 7%, A2 25%, B1 10%, B2 9%, C1 4%, C2 1%, D1 44%
FST risk evaluation after risk reduction: A1 16%, A2 26%, B1 40%, B2 12%, C1 5%, C2 1%
Chart legend: Medium [A3, A4, B2, B3, C1, C2, D1] – Unacceptable risk: actions are necessary to reduce the risk.
EDMS 1165951