- Slides: 49
Personnel Safety System Overview
Introduction
The Personnel Safety System is an active programmable safety instrumented system primarily designed to mitigate the risk of personnel injury due to exposure to prompt ionizing radiation during accelerator operations. Other hazards, such as uncovered electromagnet conductors, gun high voltage, and high power radio frequency (RF) are also addressed by components of the PSS. Safety functions performed by the Personnel Safety Systems in the CEBAF and FEL accelerators are considered “credited controls” under the JLab Final Safety Assessment Document (FSAD). Credited Controls are a set of mitigations that are in and of themselves sufficient to allow safe operation of an accelerator facility.
Description of CEBAF
The Continuous Electron Beam Accelerator Facility is a basic research laboratory operated for the U.S. Department of Energy by Jefferson Science Associates, LLC. The purpose of CEBAF is to explore the quark nature of the nucleus by probing materials with a very high intensity electron beam. CEBAF is unique in that the electron beam is delivered as a very high average power continuous wave (CW) beam; most other accelerators around the world use a pulsed beam with high peak but lower average power. The electron beam current, which may be up to 200 µA, is accelerated by two opposing linear accelerators (linacs) connected in a race track fashion by two 180 degree arcs. After 5 1/2 passes through the two linacs the total beam energy is up to 12 GeV. Each linac uses 200 superconducting radio frequency (RF) cavities to transfer energy from an RF power source to the beam. Each of the RF power sources is synchronized such that the beam always receives the maximum energy gain from each RF cavity.
Description of CEBAF Layout
Description of CEBAF
Liquid helium is used to cool the niobium superconducting cavities to 2 Kelvin (-456 °F). Each linac uses 160 niobium superconducting radio frequency (RF) cavities to transfer energy from an RF power source to the beam. Each of the RF power sources is synchronized such that the beam always receives the maximum energy gain from each RF cavity.
Description of CEBAF
The arcs use a series of large dipole electromagnets to recirculate the beam between the linacs or to an experimental end station.
Description of the Free Electron Laser (LERF)
Located inside the CEBAF footprint, the JLab LERF is a separate facility that capitalizes on JLab SRF technology to implement a low energy, high current accelerator used to create a tunable laser beam. The same hazards exist in the FEL as in CEBAF, and the hazard controls, including the PSS, are similar in the two facilities. One significant operational difference between the two facilities is that instead of adding energy to get maximum acceleration in each pass, the FEL adds energy on the first pass and then extracts that energy on the second pass. This ‘energy recovery’ process allows the FEL to operate at high peak powers with relatively low RF power. It also greatly reduces the power requirements of the beam dump. The final beam is at the same power as the injected beam.
References & Standards
• ANSI C95.1 IEEE Standard for Safety Levels with Respect to Human Exposure to Radio Frequency Electromagnetic Fields, 3 kHz to 300 GHz
• ANSI Z136.1 Safe Use of Lasers
• IEC 61508 Parts 1-3 Functional Safety of electrical/electronic/programmable electronic safety-related systems
• IEC 61511 Part 1 Functional safety – Safety instrumented systems for the process industry sector
• IEC 62061 Safety of machinery - Functional safety - Electrical, electronic and programmable electronic control systems
• DOE Accelerator Safety Order 420.2C Guidance (DOE G 420.2-1A)
References & Standards
• 10 CFR 835 Occupational Radiation Protection
• 10 CFR 851 Worker Health and Safety Program
• NCRP Report 88: Radiation Alarms and Access Control Systems
• NCRP Report 144: Radiation Protection for Particle Accelerator Facilities
• IAEA Report 188: Radiological Safety Aspects for the Operation of Electron Linear Accelerators
• IAEA Report 283: Radiological Safety Aspects of the Operation of Proton Accelerators
• NFPA 70E Standard for Electrical Safety in the Workplace, 2004 Edition
• NFPA 79 Electrical Standard for Industrial Machinery, 2007 Edition
• NFPA 101 Life Safety Code, 2006 Edition
• Jefferson Lab Final Safety Assessment Document, Revision 7a
• Jefferson Lab Accelerator Safety Envelope, Revision 7
Hazards present during accelerator operations
The specific hazards which can be present in the beam enclosure while CEBAF beam is running are:
• Short lived beam related radiation dose rates in excess of tens of mrem/hr
• Continuous beam related dose rates in excess of tens of krem/hr
• RF cavity field emission dose rates in excess of 20 rem/hr
• Accelerating system electromagnetic radiation in excess of 30 W/cm²
• Exposed magnet electrical leads with over 800 V and/or 600 amps
A complete hazard analysis is included in the Facility Safety Assessment Document.
First Line of Defense
First line measures to prevent personnel exposure to the above hazards are to prevent access to the beam enclosure.
• Security controlled access to the facility site
• Passive shielding design
• Locked tunnel and service building doors during beam operations
• Administrative procedures for proper access
• Administrative procedures for the proper operation of hazardous devices
• Employee training on the hazards present during beam operations
The first line measures minimize the need for an active access control and interlock system. The Personnel Safety System (PSS) is an active protection system designed to ensure personnel safety if one or more of the above measures fail.
Description of the Personnel Safety System
The system design is based upon two complementary principles:
1) Keep the hazard away from people. This is done by the use of “critical devices” which prevent beam from entering an occupied area. These critical devices are backed up by a fast response Beam Current Monitoring (BCM) system that will reach back and shut off beam if it detects current in improper paths.
2) Keep people away from the hazard. If an exclusion area is violated, such as if a tunnel entrance door is opened, the interlock system will immediately shut off the beam and any other device which could present a prompt ionizing radiation hazard.
PSS Design Basis
Assumptions:
• Unless otherwise noted, hazards are located within a limited access beam enclosure.
• The enclosure provides sufficient shielding to limit radiation exposure to personnel outside of the shielding from credible beam loss.
• Proper staffing is maintained to perform the administrative procedures such as personnel sweeps and controlled accesses.
Therefore one of the main tasks of the PSS is to help to establish and maintain exclusion areas.
Exclusion / Access Areas
The PSS is designed to ensure that personnel are not exposed to prompt radiation exceeding the CEBAF administrative limits. This is accomplished by maintaining "exclusion" areas for accelerator operations. Exclusion areas are designed to maximize the amount of shielding and distance between personnel and beam operations. The exclusion states for an area are Beam Permit and Power Permit. Access areas are areas that have no prompt radiation hazard, but where access is tightly controlled. The access states for an area are Restricted Access, Sweep, and Controlled Access.
PSS Hazard Mitigation
The PSS automatically protects against the following hazards:
• Entry into an exclusion area
• Excessive radiation dose rate in an occupied area
• Beam transport from an exclusion area to an occupied area
• Beam burn-through of beam stopping devices
• Operation of radiation producing devices while an area is occupied
• Exposure to high power RF EMI
• Electrical shock from powered arc dipoles
• Beam current in excess of the CEBAF safety envelope
PSS Hazard Mitigation
In addition, the PSS provides semi-automated or administrative assistance in the following areas:
• Tunnel sweep (search and secure) sequence
• Tunnel controlled accesses
• PSS emergency crash
• Public address announcements
• Audio/visual status and warning indicators
• Automated door locks
PSS Hazard Mitigation
The PSS does not protect against:
• Radiation from activated components
• Electrical shock hazards other than from the operation of the large arc dipole magnets
• Radiation doses less than those permissible for trained Jefferson Lab radiation workers
• Beam-related damage to non-PSS machine hardware
• Damage to beam dumps
• Beam loss
• Malicious intent to defeat or circumvent the PSS
• Exposure to cryogenic hazards
All of these areas are addressed by CEBAF radiological and EH&S policy and procedures and, therefore, do not require an active protection system like the Personnel Safety System.
PSS Safety Functions

Safety Function ID | Function | Required SIL
SF 1 | Prevent beam transport from exclusion to occupied areas | 3
SF 2 | Shut off interlocked devices when physical barriers between personnel and hazards are unsecured. |
SF 3 | Shut off interlocked devices upon activation of an ESTOP. |
SF 4 | Shut off interlocked devices in support of administrative access to a secure beam enclosure. | 2
SF 5 | Support search and secure operations prior to facility operations. | 2
SF 6 | Inhibit operation of radiation generating devices when a high radiation dose rate associated with the device is detected in an occupied area |
SF 7 | Deter unauthorized entry to exclusion areas |
SF 8 | Provide visual indications of unsecured safe, secure safe, and unsafe radiological enclosure status. |
SF 9 | Provide audible warnings of pending unsafe status of a beam enclosure |

(The extracted slide also carries the Required SIL values 2, 2, 2, 1 and 1 for the remaining functions, but their assignment to SF 2, SF 3 and SF 6 through SF 9 is not recoverable from the extraction, so those cells are left blank.)
Multiple Protection Functions
In addition to physical redundancy, the PSS also incorporates functional redundancy. For example, a trip in one area may take multiple paths to shut off the injector. A trip in Hall C will not only send a signal directly to the Injector, it will also drop the state of the BSY, which has a completely separate connection to the Injector. In the above example, both Hall C and the BSY will also act independently to activate critical devices, preventing beam transport into the Hall.
PSS Operations
Beam operations require at least two cognizant personnel responsible for ensuring the PSS is maintained and for reacting to emergency conditions that may require an emergency shutdown (ESTOP) of the accelerator. As the first line for safety on site, the Crew Chief is responsible for ensuring appropriate response and notifications if personnel are exposed to prompt ionizing radiation. Operation of the PSS involves using PSS equipment to ensure that there are no personnel present in the tunnel exclusion area when beam operations are planned, and that all hazardous devices are in a "safe" state when access to the tunnel is permitted. During tunnel access operations, the PSS is an administrative aid. For example, personnel carry out the tunnel sweep using an administrative procedure, but the PSS ensures that a predetermined pattern is followed during the sweep.
PSS Operations
It is important that all personnel involved with the design, operation, management, and maintenance of the safety systems have a basic understanding of the functions performed by the PSS and how the PSS is implemented.
• Personnel overseeing PSS operations are trained and qualified as Safety System Operators (SSOs).
• SSOs are responsible for oversight of the Sweep and Controlled Access procedures as well as the transition of the PSS from access to exclusion operational modes.
• The on-duty SSO will monitor all controlled accesses, including personnel both entering and exiting the accelerator tunnel and/or halls. If a controlled access condition exists during shift turnover, the on-duty SSO will inform the on-coming SSO of the identity of everyone in a controlled access area and their approximate location.
• The on-duty SSO's responsibility for access only ends when everyone is out of all controlled access areas or the responsibility is transferred to the on-coming SSO at shift turnover.
Safety System Operators
• SSO training includes review of training material, on-the-job training under the supervision of an assigned mentor, and successful completion of a written test.
• The candidate is then assigned the qualification of SSO on the recommendation of the mentor, the Group Leader for Operations, and the Group Leader for Safety Systems.
• SSO qualification is tracked in the JLab training database as course number SAF 141. The qualification is good for two years, at which time SSOs must complete another written test for requalification.
• SSO training emphasizes both procedures and the theory behind PSS operation so that SSOs may recognize unsafe or ambiguous PSS states.
• All Operations Crew Chiefs are qualified SSOs.
• In addition to the training of new operators, SSG personnel train all operators when there are changes to the PSS or there is a subject area that requires additional emphasis.
SSO Duties
The Safety System Operator (SSO) plays a crucial part in ensuring that personnel remain safe during accelerator operations. The SSO duties include:
• Know and follow procedures for operating the safety system outlined in the PSS procedure documents.
• Configure the PSS for various accelerator modes without dropping out a machine segment, causing lost beam time.
• Know how the safety system works so as to be able to recognize abnormal or unsafe PSS status.
• Diagnose the cause of a safety system fault or drop.
• Ensure that personnel entering a tunnel segment or experimental hall do so safely.
SSO Duties
• Ensure that the machine segment or experimental hall is properly swept and the sweepers are out of the tunnel before allowing hazardous equipment to operate.
• Understand the various PSS modes and how they affect the safety of personnel.
• Keep records of personnel entering and exiting the enclosure, and changes in the state of the various segments of the PSS.
• Ensure that the Crew Chief and any other on-duty staff are kept informed of the status of the PSS operations.
• Make announcements for change of status of the beam enclosure.
• Report suspected malfunctions or inconsistencies in the PSS to the Crew Chief.
SSO Qualifications
To be qualified as an SSO one must complete the following steps:
• Complete the training material
• Achieve a score of 80% or better on a written Safety System Operator Test. A requalification test is given every 2 years.
• Demonstrate an ability to operate the safety system through a period of on-the-job training under the guidance of a qualified Safety System Operator.
The Accelerator Operations Directives (AOD) contains more information on the duties and qualifications of the SSO. Additional resources can be found at https://www.jlab.org/accel/ssg/index.php?middle=info:
• SSO Training
• Sweep Procedures
• Controlled Access Procedures
• State Change Procedures
PSS Certification
• Each PSS segment is currently certified twice a year and no more than 8 months may pass between certifications.
• During certification each input is exercised and the outputs are observed for proper response.
• PSS System A and System B are verified independently.
• Certification of the PSS is directed by an approved CEBAF Operations Crew Chief and is conducted according to a written test procedure for each PSS segment.
• There is also a series of functional tests to ensure that specific combinations of conditions or functions are properly implemented.
• Any part of the PSS that is disconnected, repaired, or replaced is recertified. The recertification includes any logic associated with the device and any other devices connected to, or dependent upon, the device in question. (See PSS Configuration Control Policy for details.)
PSS Implementation Overview
The PSS is composed of over 3000 elements. There are, however, a few basic design principles which are used throughout the system. Many of these principles are taken from experience at other accelerators or best industry practice. A summary of the PSS design and operations philosophy is given below.
• All PSS systems are designed to be fail-safe.
• All inputs which can drop the system to a lower access state are sensed redundantly.
• All PSS outputs (permits) which can energize a hazardous device receive redundant outputs from the PSS.
• All PSS sensors and controls are maintained as independent systems as close as possible to the device which is sensed or energized.
• The PSS does not share any wiring with any other system up to the device which is sensed or energized.
PSS Implementation Overview
• The on/off status of any hazardous device which can be energized by the PSS is also sensed by the PSS; if the device is sensed as being energized when the tunnel access state allows occupation of the beam enclosure, the PSS will drop the tunnel to its safest state.
• Any segmented PSS area has control over all devices which could present a hazard to that area.
• Any devices which do not serve an interlock function are not implemented redundantly.
• The PSS is never used as the routine means for energizing equipment but only grants permission to operate the equipment.
• The only access points to the tunnel are through designated double door access areas. All other doors are for emergency exit only.
• The PSS uses programmable logic controllers (PLCs) as the primary logic devices to sense and control PSS devices.
PSS Implementation Overview
• Relays may be used in areas where a PLC does not provide sufficient isolation from external equipment or other PLCs.
• PLCs are programmed by two individual programmers.
• All equipment not under the direct control of the Safety Systems Group is electrically isolated from PSS equipment.
• PSS equipment and wiring is located in dedicated PSS racks, conduit, or cable tray.
• Accelerator operations are suspended in an area before any work on a PSS device in the area starts. Operations in the area do not recommence until rectification of the PSS is complete.
• Accelerator operations are suspended in any area where a PSS device is suspected of being defective. Operations may not resume until either the defective device is replaced and re-certified or it is determined the device is operable.
PSS Implementation Overview
• Any PSS device which is electrically disconnected is re-certified before operations in the area may recommence.
• Re-certification tests of PSS devices extend from the device itself to any function affected by the device.
• Any modification to the interlock logic of a currently running PLC program requires a complete re-certification of the area monitored (exceptions noted in the PSS Configuration Control Policy).
• After any modification to PLC logic, the revised logic is compared to the previous version to ensure that only the intended change took place.
• The PLC program is NEVER used to temporarily bypass an active PSS element.
• Bypassing of active PSS interlock devices is strictly forbidden. If a PSS device is not required for operations the PSS is reconfigured with equivalent protection measures to replace the unused device.
• Only personnel approved by the Safety Systems Group are authorized to work on PSS devices or wiring.
Safety Interlock System
Exclusion areas are designed to maximize the amount of shielding and distance between personnel and beam operations. If an exclusion area is violated, such as if a tunnel entrance door is opened, the interlock system will immediately shut off the beam and any other device which could present a prompt ionizing radiation hazard. This system is composed of two parallel circuits. If either one of the circuits senses an unsafe condition it can turn off the electron gun or any other hazardous device the PSS has control over. In the safety interlock system the PLCs monitor the status of interlocked devices and permit or deny operation of hazardous devices. Devices which are interlocked include access points to exclusion areas, hazardous equipment such as electron guns, RF and magnet power supplies, and emergency shutdown devices such as “crash” switches.
EXAMPLE OF REDUNDANT SAFETY INTERLOCK
Access States
The logic for the safety system is state oriented, i.e. the outputs of the PLCs are determined by a few well defined states which are dependent on the status of the inputs.
• There are 7 states which the logic resolves to:
– Restricted Access Lockdown, Restricted Access, Sweep, Sweep Complete, Controlled Access, Power Permit, and Beam Permit.
• Restricted, Sweep and Controlled Access states allow for safe occupation of the tunnel enclosure. Power and Beam Permit require that the tunnel enclosure be an exclusion area.
• Sweep Complete and Restricted Access Lockdown are internal modes of the PSS and are not access states.
• Controlled Access, Power Permit and Beam Permit modes all require that the tunnel sweep is complete.
PSS Access States
Access Control Devices
• Access control is accomplished through a combination of interlocks and administrative procedures.
• All interlocks are designed to be fail-safe by ensuring that power is provided to/from the device only if it is in the "safe" state.
• If power is not present the device is assumed to be in the "unsafe" state and the PSS will act accordingly.
• All entrances and exits to the tunnel are monitored by the PSS systems A and B. This includes hatches and elevator shafts.
• If any door is open other than a designated access point during sweep or controlled access, the tunnel access state will drop to Restricted Access.
• If any entrance or exit is opened when the tunnel is in Power or Beam Permit, the tunnel access state will drop to Restricted Access.
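The state-oriented logic of the Access States slide and the fail-safe, dual-system rules of the Access Control Devices slide can be seen together in a small executable model. The following Python is an added illustration written for this page, not JLab's PLC logic or any Safety Systems Group code. It assumes a simplified segment with a handful of named doors (the door names, the `SegmentInputs` fields and the `resolve_state`/`effective_state` functions are inventions of this example), models only the five access states (the internal Sweep Complete and Lockdown modes are left out), and treats a missing door signal exactly like an open door, as the fail-safe rule requires.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Optional


class AccessState(IntEnum):
    """The five access states in order; higher values require a more secure enclosure.
    The internal modes (Sweep Complete, Restricted Access Lockdown) are not modelled."""
    RESTRICTED_ACCESS = 0
    SWEEP = 1
    CONTROLLED_ACCESS = 2
    POWER_PERMIT = 3
    BEAM_PERMIT = 4


@dataclass
class SegmentInputs:
    """Inputs for one tunnel segment as seen by a single PSS system (A or B).
    Field names are hypothetical; they stand in for the PLC input table."""
    # Door sensors: True = the "safe" (closed) signal is present. False or None
    # (no signal at all, e.g. a broken wire or dead sensor) is treated as unsafe.
    doors: Dict[str, Optional[bool]]
    access_doors: FrozenSet[str]      # doors of the designated access point
    sweep_complete: bool              # the internal Sweep Complete summary
    hv_devices_off: bool              # required for Controlled Access
    hazardous_device_energized: bool  # sensed on/off status of an interlocked device


def resolve_state(requested: AccessState, inp: SegmentInputs) -> AccessState:
    """Highest state these inputs allow for one system, never above `requested`."""

    def safe(door: str) -> bool:
        return inp.doors.get(door) is True      # None or False => unsafe (fail-safe)

    non_access_open = any(not safe(d) for d in inp.doors if d not in inp.access_doors)
    any_open = any(not safe(d) for d in inp.doors)

    # A hazardous device sensed energized while the enclosure may be occupied
    # drops the segment to its safest state.
    if inp.hazardous_device_energized and requested <= AccessState.CONTROLLED_ACCESS:
        return AccessState.RESTRICTED_ACCESS
    # In Sweep or Controlled Access only a designated access door may be open.
    if non_access_open:
        return AccessState.RESTRICTED_ACCESS
    if requested >= AccessState.POWER_PERMIT:
        # Exclusion modes: every entrance and exit closed, and the sweep complete.
        if any_open or not inp.sweep_complete:
            return AccessState.RESTRICTED_ACCESS
        return requested
    if requested == AccessState.CONTROLLED_ACCESS:
        # Controlled Access: sweep complete and all high-voltage devices off.
        if not inp.sweep_complete or not inp.hv_devices_off:
            return AccessState.RESTRICTED_ACCESS
        return requested
    return requested  # RESTRICTED_ACCESS or SWEEP


def effective_state(requested: AccessState, inputs_a: SegmentInputs,
                    inputs_b: SegmentInputs) -> AccessState:
    """Systems A and B resolve independently; either one can drop the segment,
    so the segment is never higher than the lower of the two results."""
    return min(resolve_state(requested, inputs_a), resolve_state(requested, inputs_b))


if __name__ == "__main__":
    # Constructed sample segment: two access-point doors plus an emergency exit and a hatch.
    doors_ok = {"NA-inner": True, "NA-outer": True, "emergency-1": True, "hatch-2": True}
    access = frozenset({"NA-inner", "NA-outer"})
    good = SegmentInputs(doors_ok, access, True, True, False)
    # System B has lost the hatch sensor signal: B alone is enough to drop the segment.
    lost = SegmentInputs({**doors_ok, "hatch-2": None}, access, True, True, False)
    print(effective_state(AccessState.BEAM_PERMIT, good, good).name)   # BEAM_PERMIT
    print(effective_state(AccessState.BEAM_PERMIT, good, lost).name)   # RESTRICTED_ACCESS
```

The two properties worth noticing are that no input condition can raise the state above what the operator requested, and that the combination of A and B is a `min`, not a majority vote: a single system seeing an unsafe (or absent) signal is sufficient to drop the segment, which is what "either one of the circuits" on the Safety Interlock System slide means in practice.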
Access Points
There are currently 9 designated access points to the accelerator tunnel and endstation(s).
• North Access Service Building
• Injector Service Building
• South Access Service Building
• Beam Switchyard Service Building
• Endstation labyrinth area (for halls A, B, C)
• Tagger Truck Ramp
• Hall D Counting House
The access area is used to enter the tunnel either to perform a sweep or to enter under controlled access. For both of these modes it is up to the Safety System Operator to ensure that only authorized personnel enter and exit the tunnel and to make sure that all personnel have exited the tunnel before switching to Power or Beam Permit.
Tunnel Access Points
• Each access room has a door at each end, a controlled access exchange key bank, a video camera, and a telephone.
• In addition to redundant position sensors each door has a magnetic lock. The door lock, the exchange key, and the video are all monitored at the safety system console in the control room.
• The door locks are automatically activated when either PSS System A or System B is in Power or Beam Permit. They may also be manually controlled from the control console in all other modes.
• Beside each door is an emergency exit maglock cutoff switch. The switch is there to allow emergency egress in case of fire or other emergency.
Tunnel Access Points
Exit Gates / Doors
• All non-access doors are mechanically locked in addition to having redundant PSS interlocks.
• There are currently 9 exit doors, 14 emergency exits, 9 hatches, 5 rollup doors, and 2 elevators that are interlocked.
• In addition there are 9 tunnel gates/doors which separate PSS tunnel segments.
– All of these gates are locked and redundantly interlocked by both segments sharing the gate.
– The locks are automatically activated when the access state of either segment bordered by the gate is in “Sweep” mode or higher.
• All of the Beam Switchyard gates/doors are two-way emergency exits, i.e. one must be able to egress from either side of the gate in an emergency. For that reason, each side of the gate is equipped with an emergency exit magnetic lock cutoff switch.
Sweep Mode
• In this state all doors must be closed, except for specified entrance doors.
• Each tunnel segment has only one access entrance point and only one entrance door may be open at a time.
• If both entrance doors are open at the same time the sweep will drop and will have to be restarted.
• Entrance to the tunnel is controlled by a member of the operations crew, designated as the Safety System Operator, by manual control of the magnetic door locks.
• After a sweep is started no door may be opened until the sweep is complete.
• The sweepers carry with them a “Sweep” key taken from the safety system console. This is the same key that is used to control the accelerator access state, thus the state cannot be changed while the sweepers are in the tunnel.
Sweep Mode
• During the sweep the team inspects the tunnel to ensure the area is unoccupied, stopping at "Run/Safe" boxes along the way.
• At each Run/Safe box the sweeper arms the box by inserting and turning the “Sweep” key, removing the key, and then moving to the next box in the sweep sequence.
• The sweep pattern is stored in the PLCs. If a sweeper attempts to arm a Run/Safe box out of sequence the box will not arm.
• The last box in the sweep sequence is always the box at the entrance point. This forces the sweepers to do a complete circuit.
• After the last box is armed the sweepers have 30 seconds to exit the tunnel. After that, if the entrance doors are opened the tunnel will drop to Restricted Access.
• When the last box is armed there is an internal mode of the safety system which is called "Sweep Complete." This mode is used as a summary of the status of the tunnel sweep.
Controlled Access
• In this mode all high voltage devices must be off or the access state will drop to Restricted Access.
• Tunnel access is controlled by the Safety System Operator just as in Sweep Mode.
• The SSO ensures that each person entering the tunnel has proper training and dosimetry, and that each removes an exchange key from the access key bank.
• The SSO logs each person's information into the PSS logging system.
• As long as any exchange key is out the PSS cannot be changed to Power or Beam Permit.
• The inner tunnel access door may only be opened after the master access key is removed and inserted in the key bank.
• As in “Sweep Mode” only one tunnel door may be open at a time. No controlled or critical device may be energized in the Controlled Access mode.
Controlled Access Exchange Key
• Each designated access point has an exchange key bank for Controlled Access.
• The exchange key system consists of a master key and 10 slave keys. If any key is out the PSS will inhibit the access state from going to Power or Beam Permit.
• Each secondary key is mechanically locked into the key bank and may only be released when the master key is inserted and turned.
• The master key is captured in a separate key box and can only be released by the SSO and only when the segment to be accessed is in Controlled Access mode.
• Once the master key is released the personnel accessing the tunnel will insert it in the slave key bank and each take a secondary key.
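The two sequence-enforcing mechanisms described on the Sweep Mode and Controlled Access Exchange Key slides, the PLC-stored Run/Safe box order with its 30-second exit window and the master/slave key bank, are modelled below in Python. This is an added example written for this page, not the PSS PLC logic or any Jefferson Lab code. Box names such as `"RS-entrance"`, the `SweepSequence` and `ExchangeKeyBank` classes and the `exclusion_permitted` function are hypothetical names chosen here; the model simplifies "a sweep is started" to "the first box has been armed", and it reduces the master key's release and insertion into the slave bank to a single step.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

SWEEP_EXIT_WINDOW_S = 30.0  # the page gives sweepers 30 seconds to exit after the last box


@dataclass
class SweepSequence:
    """Model of the Run/Safe box sequence stored in the PLC.

    `boxes` is the required arming order. By design the last entry is the box at
    the entrance point, so completing the sequence forces a full circuit.
    """
    boxes: List[str]
    armed: List[str] = field(default_factory=list)
    complete_at: Optional[float] = None   # time the last box was armed (Sweep Complete)

    def arm(self, box: str, now: float) -> bool:
        """Arm `box` with the Sweep key. Only the next box in sequence will arm."""
        if self.complete_at is not None:
            return False                          # sweep already complete
        if box != self.boxes[len(self.armed)]:
            return False                          # out of sequence: the box does not arm
        self.armed.append(box)
        if len(self.armed) == len(self.boxes):
            self.complete_at = now                # internal "Sweep Complete" mode
        return True

    def sweep_complete(self) -> bool:
        return self.complete_at is not None

    def door_opened(self, now: float) -> bool:
        """Apply the door rule to an entrance door opening at time `now`.

        Returns True if the sweep is still valid. Before the first box is armed
        the sweepers are still entering, so nothing happens. Once started, no door
        may open until the sweep is complete, and after completion the sweepers
        have SWEEP_EXIT_WINDOW_S seconds to leave. Anything else drops the sweep,
        which must then be restarted from the first box.
        """
        if not self.armed:
            return True
        if self.complete_at is not None and now - self.complete_at <= SWEEP_EXIT_WINDOW_S:
            return True
        self.armed.clear()
        self.complete_at = None
        return False


@dataclass
class ExchangeKeyBank:
    """Controlled Access exchange key bank: one master key and 10 slave keys."""
    slave_keys: int = 10
    master_in_bank: bool = False                     # master released and inserted/turned
    keys_out: Set[str] = field(default_factory=set)  # holders of slave keys currently out

    def release_master(self, segment_state: str) -> bool:
        """The SSO can release the master only while the segment is in Controlled Access."""
        if segment_state != "CONTROLLED_ACCESS":
            return False
        self.master_in_bank = True
        return True

    def take_key(self, person: str) -> bool:
        """Slave keys are mechanically locked until the master is inserted and turned."""
        if not self.master_in_bank or person in self.keys_out:
            return False
        if len(self.keys_out) >= self.slave_keys:
            return False                              # bank is empty
        self.keys_out.add(person)
        return True

    def return_key(self, person: str) -> None:
        self.keys_out.discard(person)

    def inhibits_exclusion(self) -> bool:
        """Any exchange key out inhibits a change to Power or Beam Permit."""
        return bool(self.keys_out)


def exclusion_permitted(sweep: SweepSequence, bank: ExchangeKeyBank) -> bool:
    """Power Permit and Beam Permit need a completed sweep and no exchange key out."""
    return sweep.sweep_complete() and not bank.inhibits_exclusion()


if __name__ == "__main__":
    # Constructed sample: a four-box pattern ending at the entrance, timestamps in seconds.
    sweep = SweepSequence(["RS-3", "RS-2", "RS-1", "RS-entrance"])
    print(sweep.arm("RS-2", 0.0))            # False: out of sequence
    for t, box in enumerate(["RS-3", "RS-2", "RS-1", "RS-entrance"]):
        sweep.arm(box, float(t))
    print(sweep.door_opened(3.0 + 31.0))     # False: exit window missed, sweep dropped
```

The point of keeping the sequence in the PLC rather than on paper is visible in `arm`: the order is data, so the only way to reach Sweep Complete is to walk the stored path, and any deviation leaves `armed` short of the full list. Likewise `exclusion_permitted` is a conjunction, so neither a completed sweep nor an empty key bank is sufficient on its own.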
PA System
• The PA System allows the operator to make announcements to speakers around the site, in the tunnels and service buildings.
• The PA electronics is located in the MCC equipment room and the counting house 2nd floor PSS racks. These racks contain the switching system and audio power amplifiers.
• The system is controlled through a "smart" handset located on the safety console.
• If the handset should fail there is an emergency microphone located in the back of the safety console.
• The SSO makes an announcement 15 minutes before the beginning of a sweep: “Attention, a sweep of the _____ will be taking place in 15 minutes. Please exit the area immediately.”
– This announcement is repeated at the 5 minute warning point.
• The SSO always announces the change of a segment state to the exclusion modes Power Permit and Beam Permit.
Video Monitor System
• The video monitor system is independent of the PLC system.
• In each access area a video camera monitors the access process.
• The safety system operator can switch any camera to either of two video display monitors.
• Each video output displays the name of the access area as well as the phone number at that point.
Other Devices
• Crash Switches
• Run/Safe Boxes
• Warning Lights and Klaxons
• Etc.