14. SAFETY

14.1 OVERVIEW

The safety requirements for experimental activities are described in SAPOCO/42 which defines the safety policy at CERN. As a first step toward implementation of the provisions of the codes and instructions which emerge from this policy, the CMS collaboration has established a Safety Working Group with membership mainly drawn from the technical design staff of the major subsystems. Coordination with the TIS Commission is ensured as three individuals from Technical Inspection and Safety (TIS) are members of the working group. As defined in the booklet "Safety Guide for Experiments at CERN", the goal is initiation of safety hazard analysis activities during the earliest phase of the life cycle of the detector, the conceptual design stage, to facilitate early hazard identification and elimination or control.

The hazard identification process involved a review of the HCAL technical designs by the CMS GLIMOS and an individual from the TIS Commission. The design concepts for the calorimeters were discussed and evaluated with the HCAL engineers, safety working group representative, and technical management. Hazards could arise from the design choices themselves or follow from the operational conditions implied by the designs. The process was called an Initial Safety Discussion. A detailed worksheet was filled out, and used also as a guide to ensure that the scope of the process covered all aspects of hazards at accelerator facilities. Hazards which could cause death, injury, or occupational illness, or damage to facilities, systems, equipment or the environment as well as those not routinely encountered by the public were the focus of the identification step.

The purpose of this chapter is to summarize the results of the initial hazard identification process for the hadron calorimeter (HCAL) systems, and to present the mitigation strategies used to reduce or eliminate the risks.

14.2 ELECTRONICS

14.2.1 Introduction

Electronics refers specifically to the three major signal processing functions necessary to acquire event data from the detector: front-end electronics, trigger electronics, and data acquisition systems. In addition, the high voltage systems needed for operation of photodetectors are included under electronics.

14.2.2 Overview

Conventional electrical systems for power, lighting, convenience outlets, etc. are not discussed here as the safety issues are well covered by CERN practice, Safety Instructions IS23, IS24, IS26, IS28 and IS33 and Safety Code C1. For electronic systems, there is no analogous code or handbook of good engineering practice. Despite the fact that electronics systems are characterized by low voltage DC power systems, typically 15 volts and lower, there is still a significant fire and thermal damage hazard because of the possible high current capability of the supplies. Low voltage power supplies in the several hundred ampere range are becoming commonplace.

Detector electronics system designs will make use of a variety of packaging strategies, location optimizations, and low-voltage power distribution techniques as dictated by the signal processing requirements and physical locations. Standard VME crate systems installed in racks are used on the surface, in the underground service room and on the forward calorimeter platform. Highly specialized front-end digitiser electronics systems will be mounted directly on the barrel and end cap calorimeters to optimize the signal to noise figure. Unique mounting, packaging, and cooling designs are necessary to meet performance within the available space as described in chapter 7 and Figs. 7.3 and 7.13. Chapter 12.2 provides details regarding the low voltage power system.

Power sources are typically low-voltage high-current types; switching supplies instead of linear supplies are used for reasons of cost, size, efficiency, weight, and cooling. For VME systems, the power supplies are located in the same rack as the crates, in some cases mounted directly on the back of the crate and in others connected to the crate by short, flexible high current conductors.

14.2.3 Overcurrent protection

World HEP experience has shown that lack of adequate overcurrent protection and temperature monitoring in low-voltage high-current distribution networks and electronics systems were the most frequent causative factors in fires in experimental facilities. The same is true for high-tech facilities in general, from research laboratories to telephone switches.

From the point of view of ease of installation, cooling, and maintenance, the simplest implementation for low voltage power supplies is to mount them physically separate from but nearby to the loads. Although this is quite natural for non crate-based systems, it can also be true for crate-based electronics when weight and cooling requirements are considered. Such a separation, while optimal for operations, introduces a low voltage distribution network between the supplies and the loads. High currents coupled with lack of adequate overcurrent protection and/or undersized conductors could lead to overheating of the conductors between the source and the load - thus presenting a fire or thermal damage hazard.

The HCAL group has elected to implement an overcurrent protection policy to ensure that designers and users of low-voltage high-current electronic systems shall take all reasonable steps to assure safe operation under foreseeable fault conditions. The underlying concept is that all current carrying conductors shall be protected in accordance with their ampacity. The policy calls for mandatory design criteria with reviews and inspections prior to initiating operations. The accompanying review and inspection procedures will be developed in conjunction with other similar controls to maintain a coherent oversight situation.

Design and Implementation Criteria for Low-Voltage High-Current Power Distribution Systems - April 1997 Draft:

1) Power Source Overcurrent Protection

A power source may or may not be overcurrent protected. The nature and level of protection, if any, shall be determined so as to properly specify the source to load conductors. Power sources may be internally or externally modified to exhibit a known safe level of overcurrent protection. The external addition of overcurrent protection shall be as close to the source as possible.

2) Power Source to Single Load Conductors

Conductors supplying power to a single load shall be adequately terminated and sized to carry the load current under all anticipated load conditions. A short circuit at any point to ground or between conductors shall not lead to overheating or damage to the conductors or the insulation. These criteria shall also apply to sense conductors, when present, between the source and the load.

a) Overcurrent Types

A short circuit may or may not result in an overcurrent trip condition at the source depending on the particular overcurrent protection at the source and the impedance of the conductors.

i) If a trip condition does occur, the conductors shall safely support the fault current necessary to cause a trip. If the overcurrent trip value is adjustable, the conductors shall be designed for the highest adjustable value.

ii) If a trip condition does not occur, the conductors shall be sized to safely support the fault current.

b) Multiple Conductors

Where several conductors are wired in parallel to provide sufficient current carrying capability as well as reduce the series impedance, the failure of a single conductor may not reach the necessary fault condition or may result in unsafe current levels in the remaining conductors. In such cases, each of the conductors shall be reasonably protected against inadvertent shorts at any point. Connections to the source and the load shall be sufficiently robust to prevent overheating, inadvertent disconnection, and failure. Special circumstances may require overcurrent protection on each of the parallel conductors in an installation.

3) Connection to Multiple Load Conductors

Connection of a single high current supply to multiple loads can result in hazardous conditions if due consideration is not given to the criteria delineated for single loads. The criteria presented in item 2) above shall apply to each conductor between the single source and the network of loads separately.

Use of fuses and circuit breakers between the source power bus and the individual load taps is often the most practical solution to the safe powering of multiple loads. Such measures allow the safe utilization of conductors more appropriately sized to each individual load.

Printed circuit boards and modules that are powered from a bus on a backplane that is connected to a high current source are best protected by interior fuses or current limiting devices.

4) Connection of Source to Load Conductors

Mechanical connections shall be properly tightened and lock nuts, lock washers, or Belleville washers shall be used where appropriate. Fastening hardware such as bolts or screws shall not be used as current conductors unless specifically designed for such purpose. Special caution is advised when the connection is made between dissimilar materials.

Connection of conductors between source and load shall be clearly labeled using standard colors and keyed or polarized so as to prevent any reasonable possibility of misconnection or shorting. Ribbon cables where used in part or whole for distribution of power shall be keyed or polarized.

5) Selection of Source to Load Conductors

The selection of conductor type and size is an engineering problem that has no simple answer. The designer, following good engineering practice, shall consider the overcurrent characteristics of the power source, conductor impedance, length of conductor, conductor/termination impedance, rating of the conductor insulation, the nature of the conductor path and raceways, ambient temperature and packing density. Proper consideration of these and other applicable factors is necessary for selection of a conductor size and type that will assure safe operation.
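The checks in criteria 2a, 2b and 3 can be run over a design table. The following Python sketch is an added example, not part of the HCAL draft policy: the class and function names, the finding labels and all sample values are constructed for illustration. It assumes steady-state currents and a single ampacity figure per conductor, and it ignores fuse time-current curves.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Source:
    voltage_v: float
    short_circuit_a: float        # most current the supply can deliver
    max_trip_a: Optional[float]   # highest adjustable trip value; None = unprotected


@dataclass
class Run:
    name: str
    load_a: float                 # normal load current
    ampacity_a: float             # per conductor
    loop_resistance_ohm: float    # per conductor, out and back
    parallel: int = 1             # conductors wired in parallel
    fuse_a: Optional[float] = None  # branch fuse at the bus tap (criterion 3)


def audit_run(src: Source, run: Run) -> List[str]:
    """Return finding labels for one source-to-load run (empty list = passes)."""
    findings = []
    # The device that protects this run: its own fuse, else the source trip.
    limit = run.fuse_a if run.fuse_a is not None else src.max_trip_a
    total_ampacity = run.ampacity_a * run.parallel

    # Short at the load end: current is limited by the conductor impedance.
    r_eff = run.loop_resistance_ohm / run.parallel
    i_far = min(src.short_circuit_a, src.voltage_v / r_eff)

    # Criterion 2a: does a far-end short reach the trip value at all?
    if limit is None or i_far < limit:
        findings.append("FAR_END_FAULT_DOES_NOT_TRIP")

    # Largest current that can flow indefinitely for a short at any point:
    # just under the trip value (2a i), or the full source capability (2a ii).
    sustained = src.short_circuit_a if limit is None else min(limit, src.short_circuit_a)
    if total_ampacity < sustained:
        findings.append("CONDUCTOR_UNDERSIZED_FOR_FAULT")

    if run.load_a > total_ampacity:
        findings.append("CONDUCTOR_UNDERSIZED_FOR_LOAD")

    # Criterion 2b: one parallel conductor lost, the rest carry the whole load.
    if run.parallel > 1 and run.load_a > (run.parallel - 1) * run.ampacity_a:
        findings.append("PARALLEL_SET_UNSAFE_WITH_ONE_CONDUCTOR_LOST")
    return findings


# Constructed sample design: one 5 V supply, trip adjustable up to 300 A.
SUPPLY = Source(voltage_v=5.0, short_circuit_a=330.0, max_trip_a=300.0)
RUNS = [
    Run("crate feed", load_a=200, ampacity_a=350, loop_resistance_ohm=0.002),
    Run("unfused tap", load_a=10, ampacity_a=20, loop_resistance_ohm=0.05),
    Run("fused tap", load_a=10, ampacity_a=20, loop_resistance_ohm=0.05, fuse_a=15),
    Run("parallel pair", load_a=200, ampacity_a=160,
        loop_resistance_ohm=0.004, parallel=2),
]


def audit_all(src: Source, runs: List[Run]) -> dict:
    """Audit every run and return {run name: findings}."""
    return {run.name: audit_run(src, run) for run in runs}


if __name__ == "__main__":
    for name, findings in audit_all(SUPPLY, RUNS).items():
        print(f"{name:14s} {'OK' if not findings else ', '.join(findings)}")
```

The unfused tap fails both ways: its own impedance keeps a far-end short below the 300 A trip value, and the conductor cannot carry what the source can deliver. Adding the branch fuse brings the same conductor into compliance.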

14.2.4 Rack and crate protection

The standard NEMA relay rack is designed as a stand-alone cabinet for installation of chassis mounted electronics and crate systems. Before modification by users, the rack is fully contained with three sides, a top and a bottom; the front is closed by electronics assemblies and blank panels. Cable penetrations and cooling requirements are the usual reasons for modification. Such rack units then only present hazards in accordance with the character of the installed equipment; the most significant of these is thermal damage and fire exposures from high power density systems. Removal and control of waste heat is a primary performance and safety design concern.

CMS planning calls for removal of waste heat from rack-mounted equipment by means of embedded air-water heat exchangers and forced ventilation. It is anticipated that some racks in the data acquisition system could contain up to 9 kW of electronics and corresponding low voltage power supplies. This air/water choice is not only the most effective in controlling the operating temperatures of the equipment, but is also the most efficient when considering the alternative of adding this load to the HVAC plant. A properly designed rack cooling system could even contribute to the total air conditioning requirement by operating slightly below ambient temperature.

Although not explicitly called out in code specifications or safety orders, CMS has identified such high power rack systems as presenting significant risk. Rack protection, designed to mitigate against the inherent fire and thermal damage risks of 9 kW rack power densities, is included in the engineering design requirements. The mitigating strategy is based on an extension of the existing requirements for process monitoring: detection of off-normal voltages, currents, and temperatures through the Detector Control System. Detection of a minor fault would result in an off-normal condition alarm; detection of a major fault would result in complete shutdown of the rack. Among the process conditions presently planned to be monitored for operational integrity, the following have been identified as being of potential significance for automatic shutdown:

- Smoke detection in the rack air stream

- Temperatures above and below each crate

- Temperatures of power supplies

- Cooling water flow through heat exchangers

- Cooling water supply and return temperatures

- Cooling water leaks

- Overcurrent conditions in power supplies

- Overvoltage conditions in power supplies

- Ventilation fan failure

14.2.5 High voltage

High voltage, greater than 1 kVDC, is required for operation of photomultipliers, and the hybrid photodiode devices require up to 16 kVDC. To achieve a set of practical design requirements and mitigation measures, usage of high voltage has been divided into two classifications based on life safety: those which can be directly lethal as measured by the threshold for onset of ventricular fibrillation, and those which cannot. The electrical parameters related to shock severity are the current and duration of a fault condition, and the stored energy. The duration time limit parameter is especially relevant to installations with active fault detection and shutdown (or trip) capability. The suggested limits for these parameters to distinguish between the two classes of hazard have been taken from the data on human effects contained in International Electrotechnical Commission publication 479-1, Effects of Current Passing Through the Human Body (also see IS28). The limits presently recommended by IEC for this distinction are:

- Safe Current Limit 10 mA

- Safe Duration Limit 20 ms

- Safe Stored Energy Limit 10 joules

For installations characterized by parameter values less than the above limits, there is still the possibility for secondary accidents, e.g. falls, caused by electrical shock, and mitigation measures can be deployed to minimize such exposures. In these installations, the design shall ensure that no live parts are accessible without using tools when voltage is on. Any work on energized systems shall be controlled by a hazardous activity permit procedure, and conspicuous labeling shall be used. Finally, special care shall be taken in the selection of external high voltage connectors to ensure that the neutral/return conductor engages first, and that an unplugged energized cable cannot spark to an external object or person.

For installations with any one parameter in excess of the above limits, the following measures are required in addition to those described above. During operation, total inaccessibility of the high voltage shall be assured by physical barriers and interlocks. Access for repairs, modifications, etc. shall be controlled by a mandatory lockout/tagout procedure. In the case of stored energy hazards, remotely actuated discharge systems shall be used to make the installation safe prior to access. Each element of the installation shall be clearly labeled with adequate warnings.

The high voltage systems described in chapter 12 for the calorimeter photodetectors all have operating parameters more than two orders of magnitude below the operating parameter limits listed above.

14.2.6 Cooling

Pressurized water systems present a direct damage risk to nearby equipment, especially energized electronics. Designing with a large safety margin and installing so as to avoid induced damage vulnerabilities are essential mitigation measures against the occurrence of leaks. Parameters of the water system, mainly pressure, flow, and temperature values, shall be monitored for off-normal conditions. Shutdowns of the water system due to serious leaks shall be carefully interlocked to power shutdowns for the affected systems to preclude overheating.

14.3 MECHANICAL

Structural integrity of the hadron calorimeter detector and its components is essential to safe and reliable operation during the life cycle of the experiment. The policy adopted by the HCAL engineering team requires that supports, components, and the principal structure of the calorimeter shall be designed and engineered with a factor of safety equal to 2 to ensure overall structural integrity. This safety factor of 2 requirement was derived from considerations of the guidance found in codes applicable to buildings and structures such as AISC "Manual of Steel Construction", ANSI A58.1 "Minimum Design Loads for Buildings and Other Structures", and Aluminum Association "Specifications for Aluminum Structures". Lifting fixture code requirements are given in ANSI/ASME B30.20 "Below-the-Hook Lifting Devices" and the HCAL fixtures will be in compliance.

In general, the adequacy of more conventional detector structure designs will be reviewed as part of the hazard analysis process for each individual subsystem. In contrast, the size and scope of the central calorimeter assemblies encompasses very large scale structural components and supports that are also complex, procedure oriented, and structurally critical. Verifying the adequacy of the design calls for a peer review.

Preparation of design criteria, calculations and documentation is considered essential for all structural systems associated with HCAL. The adequacy of design criteria shall be the domain of the safety review process, now initiated by the Initial Safety Discussion process. The accuracy of design calculations shall be the domain of peer reviews through the CMS technical review process. Such design criteria and calculations shall be prepared, reviewed, and approved prior to commencement of fabrication or installation activities. In addition, conventional safety reviews are required to assure that non-structural safety concerns associated with assembly, detector operations, and detector maintenance have been addressed by the designs.

The technique for review of calculations is expected to vary depending on the details of the individual component design. These will range from hand calculations for relatively simple configurations to execution of a fully independent finite element analysis for a complex critical joint or bolting pattern. The working criterion for the latter, at present, is that such numerical cross checks shall deal with potential input errors, modeling errors, or math errors by using a completely different finite element analysis code or by changing both the boundary conditions and the modeling on the same code package.

Finally, the design criteria shall not be limited to static situations. A very important additional requirement follows from a determination of dynamic situations and deflections/stresses set up by the movement of extremely heavy loads during assembly and maintenance or resulting from probable failures such as that of one jack in a multijack system. Design criteria shall be developed such that supports and structures are engineered to accommodate such anticipated local dynamic deformations, including that of the floor itself, in addition to the static operational loadings. The dynamic requirement for earthquake situations in the Geneva, Switzerland area calls for resistance to 0.15 g accelerations in all three dimensions.

14.4 FIRE PROTECTION

14.4.1 Overview

In fire protection at accelerator facilities, emphasis is placed on four principal areas: life safety, program continuity, property protection, and releases to the environment. The size and scope of the CMS detector presents some very important challenges to fire protection engineering. By its very mission, the detector is not capable of being partitioned into physically separate fire risk zones of lower value. Also, the deep underground location compounds problems of providing for emergency egress and smoke ejection. The situation is much like that found in many high-tech, high-value facilities where the probability for a fire incident is very low intrinsically, but the consequences could be catastrophic in the absence of protection and mitigation measures.

14.4.2 Combustible material

The most significant combustible loading in the detector is plastic scintillator in the calorimeters and muon trigger layers. Approximately 22 tonnes of polystyrene plastic scintillator is used in the end cap and barrel calorimeter systems. For the outer calorimeters, the scintillators are enclosed in metal trays (chapter 4) and attached to both sides of the inner layer of the steel return yoke. The inner calorimeter scintillators are encased in plastic trays and slid into small slots in the massive copper absorber (chapters 2 and 3) and covered by a metal skin. Readout fibers are covered by a metal protective cover. Because of these placements, the scintillator is not available as fuel in the early stages of a fire incident. It becomes available only after the temperature of the polystyrene (and the attached heat sinks) reaches the melting point and containment is no longer certain. The fuel loadings external to the calorimeter structures are not sufficient to cause such a temperature rise even if completely combusted.

The other significant combustible loading is the cable plant. The most important of the mitigation measures planned is to use cable types that comply with CERN Safety Instruction IS 23, "Criteria and Standard Test Methods for the Selection of Electrical Cables, Wires, and Insulated Parts with respect to Fire Safety and Radiation Resistance". These requirements deal with corrosive and toxic emissions as well as flame spread. The goals are to ensure that all cable fires are self-extinguishing once the heat source is removed and to minimize emissions. Essentially all fire accidents in HEP and similar high-tech facilities have had the same experience: secondary damage resulting from generation of corrosive smoke can significantly exceed the direct thermal damage of the fire itself.

14.4.3 Detection

Incipient detection is planned for all interior spaces within the detector and the overhead space immediately above it. An aspiration, sample-draw smoke detection system is envisaged for the different internal layers with modularity appropriate to the natural openings, maintenance accessways, and combustible loadings.

Multitiered alarming is used to take maximal advantage of the early warning from incipient detection. A low level alarm condition is responded to by local operations center personnel attempting a diagnosis of the off-normal condition. A system of TV surveillance cameras is planned to facilitate remote investigation of pre-alarms. At the high level, it is a fire alarm; all appropriate actions and annunciations are triggered.

14.4.4 Suppression

Given that incipient detection will be installed, suppression equipment should be designed to allow for a staged response that provides for any scale incident. The goal is to allow for localized fire control appropriate to the scope of the incident that would minimize the induced damage of the fire control method. In the past, such systems have used extinguishment equipment that ranged from standard portable carbon dioxide units, to wheeled tanks of halon 1211 with hand hose lines, to water standpipes with hose cabinets, to total flooding halon 1301 systems, to full sprinklering of the collision hall. With the ban on the use of halon in new facilities, this broad range of low damage highly effective fire control agents is no longer available. Consequently, the suppression agent(s) for the inner HCAL regions of the detector cannot be identified with certainty at present.

In the event of a fire incident during accelerator operations, immediate access for human intervention is not possible. The beam can be aborted, but the residual radioactivity of the air can be such (depending on the beam intensity) that a cooling down period of up to an hour is necessary. Also, powering down the large solenoid coil using the fast dump takes tens of minutes. Thus, the emphasis with regard to suppression systems is on remote application techniques. Such systems should still allow for a staged response and localized application to gain maximal advantage from incipient detection.

14.4.5 Prevention and loss control

A series of significant prevention and loss minimization measures have been identified during the Initial Safety Discussion process. These are listed and briefly described below. Decisions on these and other measures will be taken in the course of engineering and planning of fire protection for the CMS complex.

Automatic shutdowns

Fire alarms will automatically shut down all electrical power in the affected zone. For HCAL, this implies the capability to shut down high voltage systems in the service room in the event of an alarm from the cavern.

Smoke ejection

A fire alarm causes the HVAC equipment to switch into an active smoke ejection mode. Dampers will switch the intake to 100% outside air and the return to 100% exhaust, and the supply flow is doubled and directed to the lowest level only.

Response procedures and training

On-site support personnel will be trained to execute investigation and mitigation procedures for both pre-alarms and fire alarms.

Overcurrent protection policy

Mandatory engineering and inspection standards are being developed for overcurrent protection of HCAL low-voltage high-current electronics systems.

Rack protection

A rack protection system automatically shuts down individual racks based on local sensor information including smoke detection.

Process monitoring

A very extensive system of process monitoring is planned using the Detector Control System. Those off-normal conditions that are directly relevant to fire risks will be separately alarmed as potential fire risk warnings requiring mandatory investigation.

Housekeeping policy

For many reasons, including fire prevention, a strict housekeeping policy is envisaged.

14.5 RADIOACTIVE MATERIALS

Radioactive materials will be found in two areas of the HCAL detectors and the collision hall. First, the calorimetry uses a system of permanently installed 137Cs sources to maintain energy response calibrations. The activity of these sources will be less than 5 mCi. As described in chapter 10 each of the 16 separate sources planned is attached to the end of a flexible wire which is normally stored on the back of the calorimeter structure with the source itself inside of a lead storage container/shield. During calibration operations, a wire source is pushed through one of numerous small tubes which serve to guide it to precisely located calibration positions deep inside the calorimeter stack. Because of the frequency with which calibration data is taken, the source mover system is automated for remote operation.

Both Fermilab and CERN source inventory and control policies govern acquisition, packaging, personnel protection measures, and dosimetry aspects regarding the calibration sources. Design of the lead storage container shall use criteria limiting radiation fields in potential personnel access or work areas to the specified standards. Shipment of the sources or source mover assemblies is governed by these and appropriate over-the-road regulations.

Secondly, over a period of time, the steady exposure to secondary particles produced in beam-beam collisions will cause radioactivation of materials in the forward calorimeter area. This is particularly true for the part of the structure closest to the beam pipe, as well as the beam pipe itself, where significant activation levels are predicted, chapter 5. At the radius of the beam pipe in the forward/backward calorimetry regions, ionizing doses of 1000 Mrad per year are estimated at design luminosity. Dose levels decrease dramatically with distance from the beam pipe, varying as the third power of the radius, thus there is a naturally defined zone of radioactivation.

Designing for maintainability is of crucial importance to keep worker exposures as low as reasonably achievable by minimizing the frequency and duration of maintenance tasks and by maximizing the worker separation distance and self shielding potential of the structures. Portable and semi-portable shielding assemblies will be required for temporary protection in highest radiation field areas as any permanent shield would itself become activated. Use of passive and real-time dosimetry is planned both to provide a record for the exposure received by calorimeter components and to provide situation awareness information to personnel making an access.
