Some practical examples of defence in depth analysis for category IV gamma irradiators

The Defence in Depth concept provides a major contribution to the safety philosophy of irradiation facilities. But problems occur when somebody tries to understand or analyse a safety system, or to develop a new one, because there is a lack of practical examples in Safety Series 107 or other IAEA (International Atomic Energy Agency) publications for irradiation facilities. This paper tries to fill this gap by providing a series of practical examples and explanations of the Defence in Depth concept.


INTRODUCTION
Category IV gamma irradiation facilities (Figure 1) are designed for processing large amounts of products, which are exposed to large doses of gamma radiation in an industrial plant [1][2][3]. Gamma sources with activities of TBq to PBq (kCi to MCi) are required. Unshielded, these sources hold enough radioactivity to deliver a fatal dose to a human in a few seconds; therefore shielding, safety devices and very well-trained employees are necessary to avoid accidents such as those seen in San Salvador (El Salvador, 1989) [4,5], Soreq (Israel, 1990) [4,6] and Nesvizh (Belarus, 1991) [4,7].

International Joint Conference RADIO 2014 Gramado, RS, Brazil, August 26-29, 2014 SOCIEDADE BRASILEIRA DE PROTEÇÃO RADIOLÓGICA -SBPR
Figure 1: Category IV gamma irradiation facility example [1]

The major contribution to the safety philosophy of category I to IV gamma irradiators and electron accelerators is provided by the Defence in Depth concept. This concept shall be applied to all safety activities, whether organizational, behavioural or design related, to ensure that they are covered by a series of provisions so that, if a failure should occur, it would be compensated for or corrected [1,8].
There is a good and complete description of the Defence in Depth concept in Safety Series 107 [1, p. 9-12], but that publication was replaced by Specific Safety Guide No. 8 (SSG-8) in 2010 and the description was not carried over; there is only a short mention [8, p. 39]. The concept is very useful whenever somebody tries to understand or analyse a safety system or develop a new one, so it is difficult to understand why the full description of Defence in Depth was removed.
The Defence in Depth concept is not easy to understand, mainly because there is a lack of practical examples of redundancy, diversity and independence in Safety Series 107 [1] or other IAEA (International Atomic Energy Agency) publications for gamma irradiation facilities. This information gap was partially filled in 2005 (in Portuguese) and 2007 (in English) by papers that showed several Defence in Depth practical examples for category IV tote box gamma irradiator safety systems [9,10] from MDS Nordion (Canada), because the majority of industrial irradiators in Brazil are tote box and made by that manufacturer. This paper tries to fill this lack of information by providing a series of practical examples and explanations of the Defence in Depth concept.

DEFENCE IN DEPTH SUMMARY [1]
The design process shall incorporate defence in depth such that multiple levels of protection are provided and the necessity for human intervention is minimized.
Examples are:
a) The provision of multiple means for ensuring each of the basic safety functions, i.e. access control, shielding and the confinement of radioactivity;
b) The use of high integrity protective devices in addition to the inherent safety features;
c) The supplementation of the facility control by automatic activation of safety systems and by operator actions;
d) The provision of equipment and procedures to control the course and limit the consequences of accidents.
An example of the concept of defence in depth applied to the design process is as follows. A series of levels of defence, in terms of equipment and procedures, is provided in order to prevent accidents or to mitigate their consequences in the event that preventive measures fail:
a) The aim of the first level of defence is to prevent deviation from normal operation. This requires that the facility be soundly and cautiously designed, constructed and operated, and that an appropriate quality assurance programme be established and maintained at all stages.
b) The aim of the second level of defence is to detect and respond to deviations from normal operating conditions, to prevent anticipated operational occurrences from escalating into accident conditions.
c) The aim of the third level of defence is to mitigate the consequences of an accident.
Irradiation facilities shall only be operated if all levels of defence are in place and functioning.

Redundancy, diversity and independence
If a facility project intends to achieve all levels of defence, the safety systems have to be designed in terms of redundancy, diversity and independence.

• Redundancy: the use of more than the minimum number of items needed to accomplish a given safety function.
• Diversity: it is applied to redundant systems or components that perform the same safety function, by incorporating different attributes into the systems or components; such attributes may be different principles of operation, different physical variables, different operating conditions, production by different manufacturers, and others.
• Independence: it is achieved in the design of systems through functional isolation and physical separation:
  i. maintaining independence among redundant system components;
  ii. maintaining independence between system components and the equipment designed to mitigate the effects of incidents; for example, an incident shall not cause the failure or loss of a safety system or safety function that is required to mitigate the effects of that event;
  iii. maintaining appropriate independence of safety systems or components of different importance to safety;
  iv. maintaining independence between items important to safety and those which are not important to safety.

DEFENCE IN DEPTH ANALYSIS
In summary: every safety function is assured by several interlocked devices. If an unsafe situation is detected, the safety systems act automatically and the consequences of that situation are minimized.
The defence in depth goal is achieved when the three levels listed above (a, b and c) are covered. Installation project discussions have to take all of them into account, bearing in mind that the 2nd and 3rd levels should be revised periodically throughout the irradiator's life, because new equipment and new information may become available. For example: new safety systems and higher-tech devices may become available to better assure safety and/or better meet the ALARA principle; lessons learned from analyses of incidents or accidents, at the installation or at other installations around the world, should be incorporated into the overall safety system. At the 1st level (a): after an exhaustive analysis and project approval, the facility construction begins. The construction has to be guided by a quality assurance programme that guarantees that the facility will be built as designed and approved. If a well-designed project is not executed properly, it may annul solutions found at the planning stage and/or produce several potential problems.

Application of the 2nd level (b) guarantees that, when "deviations from normal operating conditions" occur, they have been foreseen and will not end in accidents. In case a "deviation" does end in an accident, application of the 3rd level (c) mitigates its consequences. In general, this last level is intended to keep the accident inside the irradiator, protecting the workers and the public. These three levels will not be achieved just by adding safety systems to an irradiator without rules: the safety systems have to follow the redundancy, diversity and independence concepts. Safety Series 107 presents these three concepts very clearly but, unfortunately, does not show any practical examples.

DEFENCE IN DEPTH -SOME PRACTICAL EXAMPLES
The first step is to define the analysis objective; then the safety systems which fit the objective are listed and described and, finally, the redundancy, diversity and independence analyses are made. The objective definition is the most important part because, if it is changed, the number of safety systems will change, and so the redundancy, diversity and independence analyses will be different. Analyses may vary between experts. The practical examples below are based on the author's opinion.

Entry procedure:
Objective: to ensure that the source is at the bottom of the pool and it will remain there.
Safety systems:
1. Machine key: it can only be released from the control panel with the key switch in the "off" position. It is the only available key that allows the personnel access door to be opened (and the internal start-up procedure to begin); it is also chained to a portable radiation monitor, carried all the time by the operator while inside the irradiator;
2. Source movement flash beacon: it is turned off when the source reaches the safe storage position (by pressing an actuator at the bottom of the pool);
3. Source movement intermittent siren: it is turned off when the source reaches the safe storage position (by pressing an actuator at the bottom of the pool);
4. "Physical sources down" visible signal on the control panel: it is turned on when the source reaches the safe storage position (by pressing an actuator at the bottom of the pool);
5. "Sources down" visible signal on the computer screen: it is displayed when the source reaches the safe storage position (by pressing an actuator at the bottom of the pool);
6. Interlock personnel access door monitor: it is turned on when the source reaches the safe storage position (by pressing an actuator at the bottom of the pool); if the radiation level inside the irradiation room is above background, an alarm will sound, an alarm monitor light will turn on, the monitor will show an unusual reading and the door will remain locked;
7. Personnel access door switch: when the door is opened, the switch cuts off the electrical power to the hoist pneumatic valve, the air inlet is blocked and any compressed air remaining in the system is vented;
8. Safety valve gate: when the gate is opened, the hoist air supply pipe is closed and any compressed air remaining in the system is vented;
9. Portable radiation monitor: audible and visual indicator of radiation levels through the maze and into the radiation room;
10. Pocket dose rate meter: audible signal of radiation levels through the maze and into the radiation room.
The source is really at the bottom of the pool:
Redundancy: 1 to 6, 9 and 10 are redundant.
Diversity: 1 to 6, 9 and 10 are diverse.
Independence: 2 to 5 are not independent, because all of them are linked to a common "source down" detector at the bottom of the pool; therefore, in independence terms, they work as only one system. Systems 1, 6, 9 and 10 are independent.
Assurance that the source is not going to rise:
Redundancy: 7 and 8 are redundant.

Start-up procedure:
Objective: to ensure that the machine is not going to be turned on without operator participation, and that nobody will be left inside or go inside the irradiator during the start-up procedure.
Safety systems:
1. Machine key: this is the only available key. It starts the delay timer relay (and turns on the machine from the control panel). It is always linked to a portable radiation monitor and it is always carried by the operator when in the maze or radiation room;
2. Key switch delay timer: the start-up procedure begins with the activation of this device. It is placed at the far end of the radiation room, therefore the operator has to make sure of being the last person inside the irradiator before commencing this procedure;
3. Internal siren: it warns other persons inside, if any, that the start-up procedure has commenced;
4. Internal flash beacon: it warns other persons inside, if any, that the start-up procedure has commenced;
5. Safety valve gate: it has to be manually closed by the operator;
6. Personnel access door: it has to be closed by the operator;
7. Control panel key switch: it can only be turned to the "on" position with the machine key (it will work only if the personnel access door and the safety valve gate are closed);
8. Safety delay timer: the start-up procedure will abort if it takes longer than a set time (in general between 60 and 90 seconds, depending on the distance between the key switch delay timer and the control panel key switch). This prevents the operator from losing concentration on the start-up procedure and potentially leaving the access door and/or the safety valve gate open; under these circumstances, a person might enter the irradiator undetected.
To ensure that the machine is not going to be turned on without operator participation:
Redundancy: 1, 2 and 7 are not redundant; they work as only one safety system.
Diversity: if there is no redundancy, there is no diversity.
Observation: these low levels of redundancy, diversity and independence mean that there is no alternative way of turning on the machine. Therefore, there is a high level of safety.
To ensure that nobody will be left inside the irradiator:
Redundancy: 2 (its position), 3 and 4 are redundant.
To ensure that nobody will go inside during the start-up procedure:
Number of systems that are redundant: 5; diverse: 5; independent: 5.
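The redundancy, diversity and independence bookkeeping applied above to the entry procedure (the source is really at the bottom of the pool) and to the start-up procedure (the machine is not turned on without the operator) can be made mechanical, which helps when the objective changes and the list of systems has to be re-analysed. The following Python model is an added example written by the editor; it is not code from the paper or from any irradiator manufacturer. The attribute values, the shared-component names ("pool_bottom_actuator", "machine_key") and the treatment of system 6 as independent of the actuator, as the paper concludes, are modelling assumptions.

```python
"""Redundancy, diversity and independence bookkeeping for one safety function.

Added example (editor's code, not from the paper or any manufacturer). It
encodes the paper's entry-procedure and start-up safety systems as data and
applies the Safety Series 107 definitions mechanically. Attribute values and
the shared-component names are modelling assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SafetySystem:
    num: int          # numbering used in the paper's lists
    name: str
    principle: str    # principle of operation      } diversity
    variable: str     # physical variable involved  } attributes
    channel: str      # how the result reaches a person or the logic
    shared: frozenset = field(default_factory=frozenset)  # components shared with other systems


def independent_groups(systems):
    """Union-find over shared components.

    Systems that depend on one common component (a single detector, a single
    key) are lost together when that component fails, so they count as a
    single system in independence terms.
    """
    parent = {s.num: s.num for s in systems}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    owner = {}  # shared component -> first system seen using it
    for s in systems:
        for comp in s.shared:
            if comp in owner:
                parent[find(s.num)] = find(owner[comp])
            else:
                owner[comp] = s.num
    groups = {}
    for s in systems:
        groups.setdefault(find(s.num), set()).add(s.num)
    return sorted((frozenset(g) for g in groups.values()), key=min)


def analyse(systems, minimum_required=1):
    """Return the three measures for one safety function."""
    groups = independent_groups(systems)
    # Redundancy: more independent means than the minimum needed for the function.
    redundant = len(groups) > minimum_required
    # Diversity only applies to redundant means ("no redundancy, no diversity");
    # it is counted over distinct (principle, variable, channel) attribute tuples.
    attributes = {(s.principle, s.variable, s.channel) for s in systems} if redundant else set()
    return {
        "devices": len(systems),
        "independent_groups": groups,
        "redundant": redundant,
        "diverse_attributes": len(attributes),
    }


ACTUATOR = frozenset({"pool_bottom_actuator"})  # assumed name of the common "source down" detector
KEY = frozenset({"machine_key"})                # the single machine key

# Entry procedure, function "the source is really at the bottom of the pool".
ENTRY_SOURCE_DOWN = [
    SafetySystem(1, "machine key", "key custody", "lock state", "operator's hand"),
    SafetySystem(2, "source movement flash beacon", "flashing lamp", "light", "visual, irradiation room", ACTUATOR),
    SafetySystem(3, "source movement siren", "siren", "sound", "audible, irradiation room", ACTUATOR),
    SafetySystem(4, "physical sources-down signal", "indicator lamp", "light", "visual, control panel", ACTUATOR),
    SafetySystem(5, "sources-down screen signal", "software display", "light", "visual, computer screen", ACTUATOR),
    # The paper treats 6 as independent: its radiation reading does not come from the actuator.
    SafetySystem(6, "interlock access door monitor", "fixed radiation detector", "dose rate", "door lock and alarm"),
    SafetySystem(9, "portable radiation monitor", "portable radiation detector", "dose rate", "audible and visual, carried"),
    SafetySystem(10, "pocket dose rate meter", "pocket dosimeter", "dose rate", "audible, worn"),
]

# Start-up procedure, function "not turned on without operator participation".
STARTUP_TURN_ON = [
    SafetySystem(1, "machine key", "key custody", "lock state", "operator's hand", KEY),
    SafetySystem(2, "key switch delay timer", "key-operated timer", "time", "relay", KEY),
    SafetySystem(7, "control panel key switch", "key switch", "lock state", "control panel", KEY),
]

if __name__ == "__main__":
    for label, systems in (("entry: source down", ENTRY_SOURCE_DOWN), ("start-up: turn on", STARTUP_TURN_ON)):
        r = analyse(systems)
        print(label, "-", r["devices"], "devices, groups", [sorted(g) for g in r["independent_groups"]],
              "redundant" if r["redundant"] else "not redundant", "-", r["diverse_attributes"], "diverse")
```

The union-find step is what reproduces the paper's two conclusions: systems 2 to 5 stay four redundant, diverse devices but collapse to one independent group because they hang off the same actuator, and systems 1, 2 and 7 of the start-up procedure collapse to a single group because they all require the same machine key, so no diversity is counted for them.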

Someone is left inside:
Objective: in spite of the start-up procedure, if someone is left inside the irradiator, radiation exposure can be avoided.
Safety systems:
1. Emergency stop cable: if pulled, a fault signal will appear on the control panel and the start-up procedure will be automatically aborted;
2. Safety valve gate: if opened, a fault signal will appear on the control panel and the start-up procedure will be automatically aborted;
3. Personnel access door: if opened from the inside, a fault signal will appear on the control panel and the start-up procedure will be automatically aborted;
4. Maze: at its beginning (next to the personnel access door), the radiation level is at background.
Redundancy: 1 to 4 are redundant.
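The start-up procedure and the "someone is left inside" case above describe one interlock sequence with several abort conditions: the key switch delay timer at the far end of the room starts it, the safety valve gate and the personnel access door must be closed, the control panel key must be turned before the safety delay timer expires, and the emergency stop cable, the gate or the door abort it. The following Python model is an added example written by the editor, not code from the paper or from any irradiator manufacturer; it runs that sequence as a state machine over a few constructed event timelines (a normal start, a door left open so the safety delay timer expires, a person inside pulling the cable, and a door opened while the machine is running). The 75 s delay, the event names and the choice that an inapplicable event is ignored rather than faulted are assumptions.

```python
"""Fail-safe model of the start-up interlock sequence.

Added example (editor's code, not from the paper or any manufacturer). The
75 s safety delay, the event names and the ignore/abort choices are
modelling assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

SAFETY_DELAY_S = 75.0  # paper: 60-90 s depending on the walk; 75 s assumed

# Any of these while the start-up procedure is in progress aborts it
# (fault signal on the control panel).
ABORT_EVENTS = {
    "emergency_cable_pulled",  # someone still inside pulled the cable
    "gate_opened",             # safety valve gate opened: hoist air vented
    "door_opened",             # personnel access door opened, either side
}


@dataclass
class StartupInterlock:
    state: str = "idle"           # idle -> timing -> running; aborted; source_lowered
    t0: Optional[float] = None    # when the key-switch delay timer was started
    gate_closed: bool = False
    door_closed: bool = False
    faults: list = field(default_factory=list)

    def _abort(self, reason: str) -> str:
        self.state = "aborted"
        self.faults.append(reason)
        return self.state

    def event(self, name: str, t: float) -> str:
        """Apply one event at time t (seconds) and return the new state."""
        if self.state == "running":
            # Machine on: opening the door or the gate vents the hoist and
            # the source rack goes down (entry procedure, systems 7 and 8).
            if name in ("door_opened", "gate_opened"):
                self.state = "source_lowered"
            return self.state
        if self.state in ("aborted", "source_lowered"):
            return self.state         # latched until the operator resets
        if name == "key_switch_timer_started":
            # Only the machine key at the far end of the room starts the procedure.
            self.state, self.t0 = "timing", t
            self.gate_closed = self.door_closed = False
            return self.state
        if self.state == "idle":
            return self.state         # assumption: nothing else acts before the timer
        # state == "timing"
        if name in ABORT_EVENTS:
            return self._abort(name)
        if t - self.t0 > SAFETY_DELAY_S:
            return self._abort("safety delay timer expired")
        if name == "gate_closed":
            self.gate_closed = True
        elif name == "door_closed":
            self.door_closed = True
        elif name == "panel_key_on" and self.gate_closed and self.door_closed:
            self.state = "running"    # key works only with gate and door closed
        return self.state             # "tick", or panel key with gate/door open: no change


def run(events):
    """events: iterable of (time_s, event_name). Returns (final_state, faults)."""
    il = StartupInterlock()
    for t, name in events:
        il.event(name, t)
    return il.state, il.faults


# Constructed timelines (times in seconds).
SCENARIOS = {
    "normal": [(0, "key_switch_timer_started"), (40, "gate_closed"),
               (55, "door_closed"), (65, "panel_key_on")],
    # Door left open: the panel key does nothing, then the delay timer expires.
    "door_left_open": [(0, "key_switch_timer_started"), (40, "gate_closed"),
                       (65, "panel_key_on"), (100, "tick")],
    # Someone still inside pulls the emergency stop cable.
    "someone_inside": [(0, "key_switch_timer_started"), (20, "emergency_cable_pulled"),
                       (65, "panel_key_on")],
    # Door opened after the machine is running: the rack is lowered.
    "entry_while_running": [(0, "key_switch_timer_started"), (40, "gate_closed"),
                            (55, "door_closed"), (65, "panel_key_on"), (300, "door_opened")],
}

if __name__ == "__main__":
    for label, events in SCENARIOS.items():
        print(label, "->", run(events))
```

The point of the model is that every unsafe path ends in a latched state that needs a fresh key-switch start: a panel key turned with the door open is simply inert, and the safety delay timer then converts the operator's lapse into an abort instead of leaving a half-sealed room.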

Cobalt-60 pencil escape through conveyors
Objective: to ensure that the cobalt-60 does not escape through the conveyor system inside the totes.
Safety systems:
1. Source module: where cobalt-60 pencils are locked;
2. Source rack: where modules are locked;
3. Source module locks: they are installed on the upper part of the source rack, above each row of modules (they prevent the modules from moving during source rack movements);
4. Shroud: stainless steel permanent metal plates surrounding the source rack when it is in the irradiation position. The shroud prevents product boxes from interfering with the sources and ensures that displaced sealed sources fall into the pool;
5. Outlet monitor: it can sense radiation levels at the maze exit or trace contamination on the product (if a radiation level above background is detected, a fault signal will appear on the control panel, all conveyance systems will be turned off, the source will go to the bottom of the pool, an audible and visual alarm will activate and everybody will be instructed to evacuate the facility).
Redundancy: 1 to 5 are redundant. Diversity: 1 to 5 are diverse. Independence: 1 to 5 are independent.

Cobalt-60 escape through the deionizer water system
Objective: to ensure that the cobalt-60 does not escape through the pool deionizer water system.
Safety systems:
1. Cobalt-60 pellet capsules: the pellets are encapsulated in two layers of special stainless steel sealed tubes (cobalt-60 pencils);
2. Deionizer water system: the pool water circulates through it all the time; anions and cations are continually removed from the pool water, avoiding potential electrolytic corrosion of the pencils and other metal components in the pool;
3. Cobalt-60 density: it is higher than the water density, therefore if a pencil leaks, all the cobalt will precipitate to the bottom of the pool;
4. Pool outlet water: the deionization system inlet (the pool water outlet) is at the top of the pool. If there is loose cobalt at the bottom of the pool, it will not be drawn into the deionization system and will remain inside the irradiator pool;
5. Deionizer monitor: it detects the presence of cobalt-60 (if a radiation level above background is detected, a fault signal will appear on the control panel, the deionization system pump will stop, the source will go to the bottom of the pool, an audible and visual alarm will activate and everybody will be instructed to evacuate the facility).
Redundancy: 1 to 5 are redundant. Diversity: 1 to 5 are diverse. Independence: 1 to 5 are independent.
Observation: at least every six months a wipe leak test is performed. In this test, a piece of expanded polystyrene (isopor) is fixed to a long stick-shaped tool, so that a person can wipe the cobalt-60 pencils at the bottom of the pool from the top rim of the pool. Afterwards, the radiation level on the polystyrene is measured with a calibrated portable radiation monitor. Any radiation level above background indicates a potential cobalt-60 leak from a pencil. As this is a procedure and not a safety system, it is not considered in the redundancy, diversity and independence analysis.

Source rack damage by tote movement
Objective: to prevent interference and damage by items such as product boxes or carriers.
Safety systems:
1. Guide bars: they keep the totes on their proper track;
2. Shroud: stainless steel permanent metal plates surrounding the source rack when it is in the irradiation position. The shroud prevents product boxes from interfering with the sources and ensures that any dislodged sealed sources fall into the pool;
3. Safety valve gate: when the gate is opened, the air supply to the hoist is closed, any compressed air in the system is automatically vented and the source rack goes down;
4. Access door photocell system: it is turned on when the source is not at the bottom of the pool, detecting any unauthorized entrance and cutting off the electrical power to the hoist's pneumatic valve; the air inside the hoist is automatically vented and the source rack goes down.
Redundancy: 1 to 4 are redundant.

CONCLUSION
The IAEA recommendations have been adopted in irradiator designs (as in other nuclear and radioactive equipment and installations), but there are differences among the several existing irradiators, even when they are manufactured by the same company: differences in the number of safety system devices and in their working characteristics. The IAEA issues minimum guidelines, so if a manufacturer intends to add more safety systems for the same function, or a safety system with working characteristics different from those of other manufacturers, it is free to do so, provided its irradiator design meets the minimum IAEA recommendations. Some differences may appear due to the demands of each national nuclear authority (in Brazil, CNEN, the National Nuclear Energy Commission), which has the autonomy and the authority to demand more safety systems if thought necessary. The IAEA guidelines are not obligatory: the national authority may adopt them or not, but in general all of them adopt the IAEA recommendations verbatim ("ipsis litteris"). Lastly, the analyses illustrated in this paper can be used as a model to map the safety systems of any category IV irradiator in terms of redundancy, diversity and independence, making defence in depth easier to understand.