MICE Hydrogen Safety Functions IEC 61508 Compliance Emergency

MICE Hydrogen Safety Functions IEC 61508 Compliance & Emergency Procedures MICE Safety Review Meeting 4 th Oct 2011 PJ Warburton - Daresbury Lab

IEC 61508 • Functional Safety of electrical / electronic / programmable electronic safety – related systems • Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs • Neither safety nor functional safety can be determined without considering the systems as a whole and the environment with which they interact • Safety – The freedom from unacceptable risk of harm

SIL Rating • Tolerable Risk 10 -5 Fatalities per Year From RAL Safety • How Safe is H 2 System 10 -4 10 -3 10 -2 SIL 1 PFD 10 -1 SIL 2 PFD 10 -2 SIL 3 PFD 10 -3

IEC 61508 Compliance Process • LOPA Study conducted Nov 2010 based on HAZOP Report from Serco June 2006 • Panel consisted of representatives from FSC, MICE project at RAL & DL and RAL Safety • Identified 2 Systems requiring SIL Functions • Plus 2 to be considered but not requiring formal SIL Ratings

SIL Rated Safety Functions • Following LOPA study the following events were found to require SIL rated safety systems • Buffer Tank Over Pressure • Leading to a release of hydrogen and ignition leading to multiple deaths • Build up of impurities in Cryostat (Ins Vac) • Build up of impurities over a period of time, pressurisation and heating of hydrogen leading to a rupture & Explosion leading to multiple deaths

Not Quite SIL Rated • Following LOPA study the following events were found Not to require SIL rated safety systems • Hydride Bed Over Pressure • Over heating of Metal Hydride Bed Leading to a release of hydrogen and ignition leading to multiple deaths • Temperature Rise in Absorber Volume • Causing pressurisation and heating of hydrogen leading to a rupture & Explosion leading to multiple deaths • Same outcome as Buffer Tank Over Pressure

Buffer Tank Over Pressure • Build up of pressure causing leaks in pipework and Hydrogen to escape • SIL 1 Required PFD 1. 00 E-01 (1 out 10) • • • Solution detect the H 2 before it reaches explosive levels Install a gas Detection System alarm 50% LEL 2 Detectors / Beacons per location on separate loops Detection system subject to annual checks PFD Achieved 1. 51 E-02 (<2 out 100) = SIL 1 • • PFD = Probability of Failure on Demand H 2 LEL = 4%

SIL Block Diagram

Build up of impurities in Cryostat (Insulation Vacuum) • Over time Cryostat insulation vacuum may build up impurities. - O 2 Leaking In – H 2 Leaking Out • Depending on Temperature / Pressure an Explosive atmosphere may form • Temp & Level Sensors are Ex i • Heaters are not so operation needs to be prevented if vacuum is not good – below 10 -3

Build up of impurities in Cryostat (Insulation Vacuum) • SIL 2 Required PFD 6. 73 E-03 (~7 out 1000) • • Solution interlock heater power supply Use 1 Set Point on existing Vac Gauge & Controller Additional Set Point from new Vac Gauge & Controller Guard Line A & B Relays to turn of heater power supply Hardwired I/L • Guard Line A & B inputs also into PLC for Software I/L • PFD Achieved 3. 76 E-03 (~4 out 1000) = SIL 2

SIL Block Diagram

Emergency Actions • Return hydrogen to Bed if possible • Vent hydrogen to atmosphere via vent line • IF PLC goes off – Vacuum pumps stay on – Hydride Bed set to ‘chill’

Questions