Security of Utmost Importance for Nuclear Researchers at ANSTO

No other Australian safety system faces the intense scrutiny focused on the country's nuclear reactor and, arguably, no Australian workplace takes safety more seriously. So, when the world's most brilliant scientists use a new Australian Nuclear Science and Technology Organisation (ANSTO) experimental facility, they will be protected from radiation exposure by a meticulously designed network of Pilz Programmable Safety Systems (PSS).

The new $350 million OPAL reactor is soon to produce neutrons for eight neutron beam instruments (NBI) that will allow scientists to investigate the atomic structure of new materials, chemical reaction kinetics and biological processes. The instruments will operate almost continuously -- research breakthroughs are expected from the $30 million Neutron Beam Instrument Project (NBIP) and demand from the international scientific community for access is already keen.

Managing both the country’s most stringent safety standards and the need for maximum uptime called for a sophisticated safety approach. ANSTO electrical project engineer Frank Darmann and his team were responsible for the solution.

The safety system begins with the science itself, which is deceptively simple at face value. Neutrons from the reactor are directed at the materials under investigation to see how they scatter, revealing the materials’ atomic structures. Three shutters control the flow of particles along the neutron beam guide. A primary shutter sits at the reactor face and a secondary shutter at the guide hall interface, which is closed when access to the shielded areas is needed. A third, sample, shutter is attached to each instrument.

Access to the instrument area is interlocked with the sample and secondary shutters, using Fortress gate locks. The positions of another 76 moveable radiation-shielding blocks are detected by dual channel limit switches. An array of light curtains, sirens, dual channel safety switches and 78 emergency stops add to the security of the NBIP. It all adds up to a highly complex system, with some 1200 inputs and outputs (I/O).

Coordinating them are five Pilz Programmable Safety Systems (or safety PLCs), each one dedicated to a separate safety zone. This impressive configuration is easily justified, says Dr Darmann, who ran the numbers to compare the operational and safety performance of traditional electro-mechanical systems with the PSS.

“The mean time between failures (MTBF) to a safe condition -- that is, a failure that only affects operations, not safety -- of this myriad of devices with a Pilz PSS overseeing them would be 3.4 years,” he said.

“Otherwise, we would have needed a complex web of interconnections and the MTBF to a safe condition would have been less than six months.”

“The safety numbers were even more compelling. The MTBF to a potentially unsafe mode for an electro-mechanical system was calculated to be 5.7 years compared to 1.4 x 10^5 years for the Pilz safety PLC. The Pilz PSS safety PLC concept was a clear winner.”

The superior reliability of the Pilz PSS was also matched with powerful diagnostic software, so that even if a failure did occur, downtime would be minimised.

“Locating a fault in a maze of 100 relays would be difficult and time consuming but the PSS indicates the malfunctioning unit or circuit exactly on a touch screen,” Dr Darmann said. “Circuitry is automatically and continually checked for welded contacts and short circuits instead of once a year or never.”

Dr Darmann identified a host of other benefits too, including the ability of the logic-based system to be readily expanded, reconfigured and upgraded.

“You basically need much less control cabinet real estate -- about 70 per cent less in this case,” he said.

“The web of complex physical wiring interconnections is also eliminated, which makes tweaking the system to match changing and demanding operational requirements much easier, and also simplifies fault finding, documentation, and change management processes.

“A legacy system is avoided. New operating rules can be programmed in a straightforward manner in software that’s not possible using hard-wired relays,” he said.

The Safety Interlock System (SIS) and Instrument Control System (ICS) remain separate for maximum safety.

“Each has independent logic elements, power supplies and cabling. Opto-isolation of logic between the two systems ensures electrical separation,” Dr Darmann said.

“There are, however, some interfaces between them to assist the smooth operation of the instrument. For example, the ICS has access to all of the logic states that exist within the NBI SIS so that computer control of the instrument does not commence until the SIS deems it is safe. In addition, the ICS can make a limited number of requests of the NBI SIS, such as closing or opening a shutter after the furnace temperature is met, which it is free to deny.”
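As an added illustration, not ANSTO's or Pilz's own code, the following Python model captures the interlock behaviour described above: dual-channel inputs whose two contacts must agree (a mismatch is reported as a fault, as a welded contact would be), a beam-permit check over the gate lock, e-stop loop and shielding-block limit switches, gate release only with both shutters closed, and SIS arbitration of an ICS shutter request that the SIS is free to deny. All function and field names are assumptions, and the sample zone state is constructed.

```python
from dataclasses import dataclass, field

def channel_status(ch1: bool, ch2: bool) -> str:
    """Dual-channel evaluation: 'made', 'open', or 'fault' when the two
    independent contacts disagree (e.g. one contact welded shut)."""
    if ch1 != ch2:
        return "fault"
    return "made" if ch1 else "open"

@dataclass
class Zone:
    """One safety zone; each interlock input is a (channel 1, channel 2) pair."""
    gate_locked: tuple                 # gate lock feedback
    estops_healthy: tuple              # e-stop loop not tripped
    shield_blocks: list = field(default_factory=list)  # block limit switches
    secondary_shutter: str = "closed"
    sample_shutter: str = "closed"

def beam_permitted(z: Zone):
    """(permitted, reason): every interlock must be fault-free and made."""
    checks = [("gate lock", z.gate_locked), ("e-stop loop", z.estops_healthy)]
    checks += [(f"shield block {i}", b) for i, b in enumerate(z.shield_blocks)]
    for name, (ch1, ch2) in checks:
        status = channel_status(ch1, ch2)
        if status != "made":
            return False, f"{name}: {status}"
    return True, "all interlocks made"

def gate_release_permitted(z: Zone) -> bool:
    """Personnel access needs the secondary and sample shutters both closed."""
    return z.secondary_shutter == "closed" and z.sample_shutter == "closed"

def sis_request(z: Zone, request: str):
    """Arbitrate an ICS request: closing is always granted (the safe direction),
    opening only while the zone is proven safe; anything else is denied."""
    if request == "close_sample_shutter":
        z.sample_shutter = "closed"
        return True, "closed"
    if request == "open_sample_shutter":
        ok, why = beam_permitted(z)
        if ok:
            z.sample_shutter = "open"
        return ok, why
    return False, "unknown request"

def example_zone() -> Zone:
    """Constructed sample state: gate locked, e-stops healthy, one shield
    block whose two channels disagree (a detectable contact/wiring fault)."""
    return Zone((True, True), (True, True), [(True, True), (True, False)])
```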

ANSTO’s preference for specialised safety carried through to its choice of safety system, which was supplied by Pilz Safe Automation's John Skinner.

“Pilz was chosen as the main vendor for safety logic processing hardware over others because of their long experience in the field, participation in the Australian Standards 4024.1 review committee and the significant back-up and resources of the German headquarters,” Dr Darmann said.

“I found the staff to be knowledgeable of the safety standards and could give advice on choices and approaches. Other companies had safety PLC capabilities too but were principally involved with general automation and we wanted a specialist who intimately knew the intricacies of safe automation.”

The safety interlock system was installed by ANSTO electrical technicians Dan Bartlett and Geoff Scott, guided by circuit schematics drawn by Barrie Lewis. Code was programmed by Dino Ius, while human machine interfaces were drafted by John Oliver and installed by Anthony Kafes. The system is documented in design and commissioning manuals written by Dr Darmann.

The result is a safety system that complies with Australian Standards AS4024.1, the NHMRC code of practice stipulated by the regulator, ARPANSA, and state regulations, yet performs unobtrusively.

“The instruments are used by visiting scientists from overseas who might only stay a day or a few days,” Dr Darmann said. “They are interested in using the instrument for science, so the safety interlock system and the human interface must be instinctive. It also has to survive interaction with a novice user without falling over and requiring technical maintenance.”

“At similar institutions in the past, electronic safety measures were achieved with a simple chain or barricade. In fact, one scientist told me during a review of the design that ‘we used to do this safety interlocking with a $5 box of transistors’. Despite this history, there was no hesitation on the part of the scientists or the review group to approve the design or funds required. This safety system is benchmarked to be world's best but we believe any safety interlocking system should be designed along the same principles of safety, compliance and performance.”
