5.1 The Occupational Safety Process

Occupational safety shall guarantee the safety of workers, the public and the environment from harm. Harm can manifest itself in the form of occupational accidents and occupational illness for the workers, as nuisance and potentially illness for members of the public, and as environmental damage. The prevention of these harmful effects takes the form of

  • Reduction of the probability that a harmful event occurs;

  • Reduction of the severity of consequences if the harmful event occurs.

For standard industries and services many best-practice solutions for occupational safety exist, based on decades of experience with harmful effects and their mitigation. The management of these facilities can apply proven solutions from similar plants. This is only partially possible in an accelerator facility with complex technical installations making use of leading-edge technology. Frequently, no comparative industry exists from where ready-made solutions for occupational safety can be adopted.

Instead, to develop suitable methods of risk control, the hazards and risks from a particle accelerator, or from one of its components or operating procedures, must first be addressed with the help of a seven-step occupational safety process:

  1. Definition of scope

  2. Hazard register

  3. Application of Standard Best Practice

  4. Risk assessment

  5. Definition and implementation of controls

  6. Documentation

  7. Review

Phases one to five constitute the occupational safety assessment; the last phase inserts occupational safety into the lifecycle of the facility, equipment, or procedure by demanding periodic reviews of the validity of the original assessment. An important result of the safety process is the description of hazards and risks at the accelerator facility, in steps 2 and 4. This makes it possible to identify similar harmful situations in “standard” industries and to adopt their mitigation strategies, suitably modified where necessary, for the accelerator facility.

The occupational safety process can be conducted in the planning stage, after the decision for a new facility, component or operational procedure has been taken. It should also be applied when legacy equipment is taken back into operation, which sometimes occurs in research establishments. The earlier the process is begun, the better the chances of controlling hazards by design. A safety process team is formed by engineers, physicists and other experts from the design or operational team, complemented by one or more specialists in occupational health and safety.

5.1.1 Definition of Scope

The starting point of each occupational safety assessment is a clear definition of its scope. This can be a single workplace (a mechanical workshop, a chemical laboratory), a piece of equipment (a magnet, a machine tool) or an activity (installing an accelerator magnet, testing a radiofrequency device). In some cases, the safety process covers a whole project, for example a new accelerator facility in the planning stage. Most appropriately, the safety assessment for a large project follows the project breakdown structure and progresses by work packages and their contributions to the whole endeavour.

5.1.2 Hazard Register

The second step of the occupational safety process is the establishment of a hazard register. A hazard register is the result of a systematic identification of activities, equipment, and substances with their associated hazards for workers, the public or the environment. A systematic list of hazards serves as a reminder not to overlook any danger and unifies the terminology among different assessors. Such lists are available from different occupational safety organisations (e.g. [11]) or can be downloaded from the internet. As they are targeted at manufacturing industries and services, they must be enlarged for particle accelerators, or for research establishments in general, to include hazards unique to these environments. Table 5.1 shows the headlines of a hazard register for particle accelerators and Annex A gives a detailed hazard list, tailored to particle accelerators. The adaptation of the hazard list to the local workplace, by adding hazards specific to the equipment, activities, or substances in use, or by suppressing superfluous hazards, precedes establishing the register.

Table 5.1 Hazard domains for a hazard register, with examples. A detailed hazard list is given in the Annex.

Depending on the phase of a project in its lifecycle, a hazard register will assess different subjects. In the planning stage, one will look for hazards which can be controlled by design, for example by adopting standards. In the operational phase, workplace hazards will become more important, for example those related to the organisation of work or to physiological constraints. A specific hazard register may be called for if vulnerable persons are employed, for example apprentices with little experience, or physically handicapped individuals. In the end, no two finalised hazard registers for a specific activity or equipment will look the same, and only the identified hazards will be recorded; the register will thus be more specific and shorter than the full list in the Annex.

5.1.3 Application of Standard Best Practice

For many occupational hazards, standard best practice exists to effectively protect persons, the public and the environment. The measures under this heading are often born of common sense and may be easy to apply, making further risk assessment superfluous. Sometimes, national legislation requires the implementation of protective measures once a certain hazard is incurred. Other sources for standard best practice are product documentation from manufacturers, recommendations in international standards and the websites and publications of occupational safety organisations [2, 5, 6]. Finally, every organisation will build up over time a wealth of return of experience from accidents and incidents, helping to avoid similar occurrences. The material constituting standard best practice can be systematically collected and classified in a safety management system.

An important source of Standard Best Practice, and often obligatory to apply, is legal regulation for hazardous equipment, activities, and practices. It may be codified in national labour law, in regulations from professional bodies or in mandatory requirements from insurance companies. A hazard is often considered “under control” when such obligatory regulations are implemented and applied.

In the European Union, an important body of obligatory regulations is published in the form of European Directives. Numerous types of consumer and industrial products are subject to European Directives, including chapters on Essential Health and Safety Requirements (EHSR). Their purpose is to guarantee equal safety standards for workers and for consumers (buying and using products) throughout the 27 member states of the Union. Only under this condition can goods be freely traded among the members. Suppliers from third countries who introduce their products to the common market must also apply the European safety standards. These regulations probably make the EU member states the area of the globe with the most highly developed safety conformity regulations. Annex B gives an overview of the European Directives pertaining to technologies and products used in the construction and operation of particle accelerators.

5.1.4 Risk Assessment

Risk assessment is the next refinement stage in the occupational safety process.

It becomes necessary when technologies are employed carrying hazards not covered by standard best practice. In a particle accelerator facility, using built-to-purpose high-tech equipment, this is frequently the case. Parts of accelerator hardware may be designed and built in-house or they are a legacy from a time before the applicability of present-day international standards or directives. In special cases, the application of non-compulsory standard best practice may turn out to be too complicated, or too costly. In all these cases a proper risk assessment must be conducted, including an estimation of the likelihood of the hazard causing harm, and of the severity of the consequences.

A second use of a risk assessment is the management of resources. The safety budget for a facility is spent most effectively at those places where risks can be either eliminated or mitigated with the most favourable cost-to-benefit ratio by taking appropriate control measures. A correctly conducted risk assessment will identify the areas where the safety budget is spent with the highest effect.

Depending on the complexity of the hazard’s source, a risk assessment can vary from a simple judgement of risk on a scale with three or more levels to a full probabilistic risk assessment, requiring man-years of work by experts and recorded on thousands of pages.

5.1.4.1 Semi-quantitative Risk Assessment

A semi-quantitative risk assessment gauges the size of risk by using a two-dimensional risk matrix. Risk is quantified by grading both the probability of a hazardous event and the severity of its consequences on scales with three to five levels. A simple example is given in Table 5.2.

Table 5.2 Example of a risk matrix (adapted from [3]). Probability of occurrence and severity of harm are graded on a 3-level scale, the product yields a quantified risk, which is symbolised by the degree of shading.

Risk matrices seem straightforward to apply when one has found agreement with the colleagues participating in the process on a common interpretation of the descriptive terms for the probability and potential severity.

A drawback of the semi-quantitative method with risk matrices is that inexperienced assessors may find it difficult to judge the level of probability or severity of a hazardous event where no statistical accident data exist. This may lead to a schematic application of the risk matrix, giving the impression of scientific accuracy, while the resulting measure of risk is biased by bad input estimates, leading to under- or overestimation [1].

Since the scales of probability and severity in semi-quantitative risk assessment are non-numeric, they must be adapted to the domain from which the hazard comes. The scale of probabilities for an accident with a standard tool may range from “once a day” for frequent occurrences to “once a year” for unlikely events, whereas the probability scale for accidental releases of environmentally hazardous products may range over much longer periods, from 1 per year to 10⁻⁴ per year and even 10⁻⁶ per year for accidents in hazardous industries with lethal effects in the general population. In practice, one will use a different matrix for each domain of application with adapted scales of probability and severity, which leaves open the question of how their results compare with each other and how they can be combined.

The difficulties of obtaining reliable estimates of the frequency of adverse events and of judging the severity of their consequences limit the usefulness of risk matrices, and it may turn out to be simpler and more reliable to simply apply standard best practice to control a specific hazard.

5.1.4.2 Quantitative Risk Assessment

In some cases, quantitative risk assessments, quoting failure probabilities and resulting in combined probabilities of accident scenarios, are required by law. This is the case in chemical facilities classified as “Seveso III” (after the north-Italian town where in 1975 a release of dioxin from a chemical plant contaminated the surrounding towns and villages [4]) and in facilities belonging to the nuclear fuel cycle.

A widely introduced method of quantitative risk assessment is Probabilistic Safety Assessment (PSA). This method is based on a functional description of the system, which is analysed in the form of fault-tree and event-tree diagrams.

A fault tree (Fig. 5.1) places a system fault (a state in which the system no longer fulfils its purpose) at the top of the diagram. The causes of the fault extend to the bottom, until the diagram stops at the root causes, which cannot be further reduced. In some cases, two causes have to occur simultaneously to trigger a fault (AND relationship); in other cases they act independently of each other (OR relationship). By assigning a failure probability to every element in the fault tree and by applying the rules of Boolean algebra, one can evaluate the overall probability of the fault at the top of the diagram.

Fig. 5.1 Example for a fault tree: causes for a motor overheating [7]. (Figure reproduced with permission by Elsevier Science)

Event trees (Fig. 5.2) are similar to fault trees. They are used to analyse the consequences of an event (which may be a fault identified in a preceding analysis). The probability of the root event is given as a probability of occurrence per time unit. Each new branching of the event tree, customarily drawn from left to right, represents an alternative between two scenarios. If the relative probabilities for one or the other outcome are indicated for each branching, then the final consequences have the same dimension as the initiating event.

Fig. 5.2 Example for an event tree: consequences of a release of liquid petrol gas [7]. (Figure reproduced with permission by Elsevier Science)
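The fault-tree and event-tree arithmetic described above, as an added example that is not from the chapter or its cited sources. It assumes mutually independent basic events and uses invented trees and probabilities (a motor-overheating fault tree and an LPG-release event tree constructed for illustration, not those of Figs. 5.1 and 5.2). It goes beyond the text by contrasting the exact OR-gate formula with the rare-event approximation and by computing a Birnbaum importance for each root cause, which ranks where a control measure lowers the top event the most.

```python
"""Fault-tree and event-tree evaluation in the style of Probabilistic Safety
Assessment (PSA).  Constructed illustration: the trees and every probability
below are invented for this example, not taken from Figs. 5.1 and 5.2.
Assumption: basic events are mutually independent, so the Boolean gate rules
reduce to   AND: P = prod(p_i)      OR: P = 1 - prod(1 - p_i).
"""
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Union

@dataclass
class BasicEvent:
    """Root cause at the bottom of the tree; cannot be reduced further."""
    name: str
    p: float  # failure probability, dimensionless

@dataclass
class Gate:
    """AND: all inputs must fail together; OR: any single input suffices."""
    name: str
    kind: str  # "AND" or "OR"
    inputs: List["Node"]

Node = Union[BasicEvent, Gate]

def probability(node: Node) -> float:
    """Exact probability of the event at `node`, evaluated bottom-up."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":  # 1 - P(no input fails)
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")

def rare_event_approx(node: Node) -> float:
    """Hand-calculation shortcut that sums OR inputs.  Never below the exact
    value; acceptable for rare inputs, misleading (can exceed 1) otherwise."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [rare_event_approx(i) for i in node.inputs]
    return prod(ps) if node.kind == "AND" else sum(ps)

def birnbaum_importance(top: Node, ev: BasicEvent) -> float:
    """dP(top)/dp_ev = P(top | ev failed) - P(top | ev working): ranks root
    causes by how much a control on each lowers the top event, i.e. where a
    safety budget buys the most risk reduction.  Restores ev.p afterwards."""
    saved = ev.p
    try:
        ev.p = 1.0
        high = probability(top)
        ev.p = 0.0
        low = probability(top)
    finally:
        ev.p = saved
    return high - low

@dataclass
class Branch:
    """Event-tree branching: a yes/no question on the path from the initiator;
    each side leads to a further Branch or to a named final outcome."""
    question: str
    p_yes: float
    yes: Union["Branch", str]
    no: Union["Branch", str]

def outcome_frequencies(init_freq: float, node: Union[Branch, str]) -> Dict[str, float]:
    """Multiply the initiating frequency (e.g. per year) along every path.
    Outcomes keep the dimension of the initiator and sum back to it."""
    if isinstance(node, str):
        return {node: init_freq}
    out: Dict[str, float] = {}
    for sub, p in ((node.yes, node.p_yes), (node.no, 1.0 - node.p_yes)):
        for name, f in outcome_frequencies(init_freq * p, sub).items():
            out[name] = out.get(name, 0.0) + f
    return out

# Constructed fault tree: the motor overheats if the cooling fan fails AND the
# thermal cut-out does not trip, OR if a mechanical overload occurs.
FAN_FAIL = BasicEvent("cooling fan fails", 0.05)
CUTOUT_FAIL = BasicEvent("thermal cut-out fails to trip", 0.01)
OVERLOAD = BasicEvent("mechanical overload", 0.02)
MOTOR_OVERHEATS = Gate("motor overheats", "OR", [
    Gate("loss of cooling undetected", "AND", [FAN_FAIL, CUTOUT_FAIL]),
    OVERLOAD])

# Constructed event tree: an LPG release (1e-3 per year) ignites immediately,
# ignites after a delay, or disperses without harm.
LPG_RELEASE_PER_YEAR = 1e-3
LPG_TREE = Branch("immediate ignition?", 0.1, "jet fire",
                  Branch("delayed ignition?", 0.2, "vapour cloud explosion", "safe dispersal"))

if __name__ == "__main__":
    print("P(motor overheats) exact:", probability(MOTOR_OVERHEATS),
          "rare-event approx:", rare_event_approx(MOTOR_OVERHEATS))
    for ev in (FAN_FAIL, CUTOUT_FAIL, OVERLOAD):
        print("  importance of", ev.name, "=", birnbaum_importance(MOTOR_OVERHEATS, ev))
    print(outcome_frequencies(LPG_RELEASE_PER_YEAR, LPG_TREE))
```

With these invented figures the overload dominates the top event (importance 0.9995), so a control on the overload path would buy far more than a better fan or cut-out; the event-tree outcomes sum back to the 1e-3 per year of the initiator, as the text states.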

With complex facility layouts and interdependencies of elements, the method is tractable only with the help of specialised computer programs, able to perform the bookkeeping of thousands of critical elements, each with an individual failure model and frequency.

A second difficulty lies in the provision of failure probabilities for the elements referenced in an accelerator facility. Such data are published for standard electronic components, and may be available for process equipment which is also used in nuclear or chemical processing plants, but must be estimated for purpose-built hardware components. Special computer programs can evaluate the failure probability of electronic circuits based on the failure data of the individual components.

Given the limited potential of particle accelerators to harm persons and the environment on a scale similar to a nuclear power plant or a chemical processing plant, the difficulties in obtaining reliable data, and the effort required to set up a full PSA for a complex facility, the method is generally not required for accelerator facilities. Exceptions are accelerators used in nuclear fuel cycle applications, like the transmutation of actinides in the Belgian MYRRHA project [8, 10]. It may also be useful to assess the probability or the consequence of failures of specific, expensive components of an accelerator, for the purpose of protecting it from failures. An introductory treatment of the method with references to further literature is given in [7].

5.1.5 Definition and Implementation of Controls

Once the hazards are identified and their associated risk level estimated, one must decide about controls for these hazards or risks. The term control designates mitigation measures which, once implemented, either eliminate a hazard, render it inoffensive, or at least reduce the risk emanating from it to an acceptable level. After applying controls, a residual risk may remain, which shall be acceptable to the workers and to society.

In the case where compulsory laws or regulations apply, the operator cannot take the decision over the controls, but must conform to the law. Furthermore, if standard best practice is available for the identified hazard, it is often the most efficient way of mitigation.

Often one can identify more than one mitigation measure which would reduce residual risk to an acceptable level, with different effectiveness and cost. Here, the hierarchy of controls, going back to the U.S. National Institute for Occupational Safety and Health (NIOSH), gives a decision aid by establishing a hierarchy of mitigation measures, from the most desirable to the just acceptable (Fig. 5.3) [9].

Fig. 5.3 Hierarchy of controls. (Figure according to [9])

In this hierarchy, personal protective equipment (PPE) and administrative barriers, including safety training, occupy the two lowest levels. This means that they should rarely be the main vector of risk reduction, but they can be useful to control the residual risk after other, more effective controls have been implemented, such as elimination and substitution of the risk, or technical protective measures (engineering controls).

5.1.6 Documentation

The collected safety-related documentation constitutes part of the memory of the organisation operating the accelerator. It makes it possible to retrace the assessments, judgements and decisions taken. It will ease the construction of similar equipment, for which the same mitigation may be employed. The safety-related documentation may become important to prove the good faith of the organisation, should it be accused of supposed or real damage to workers or to the environment. Documentation forms a core part of the Safety management system.

Safety documentation also contains Return of Experience (REX). These are the records of inspections, of equipment failures and of accidents, together with a cause analysis. Over time, a body of experience will accumulate and constitute precious information for new facilities or upgrades of existing ones. The collection of reports concerning failures of accelerator-specific equipment or activities with consequences for safety is particularly important because they are not available from national statistics or accident registers.

Large bodies of documentation should be organised in a document management system to ease future retrieval. If the organisation already uses such a system for the technical documentation of the accelerator facilities, it represents the most suitable location for safety documentation. One can profit from established principles for document classification, and from review, approval, and release procedures. Safety documents relating to a certain piece of equipment should be stored together with technical documentation of this item, simplifying future searches in the archives.

If the organisation has no document management system, then the safety documentation may be organised in different ways: relative to the equipment, to the organisational subunit, or to the accelerator facility. The important issue is to stick to the choice once made, so that a coherent safety documentation is successively built up.

5.1.7 Review

With hazard and risk assessments completed and mitigation measures implemented, a piece of equipment or a process may start operating and delivering results. In the lifetime of the equipment or process, there are good reasons to review the safety measures decided previously:

  • In case of changes to the equipment or to the process. Here one must ensure that the risk assessment remains valid despite the changes; otherwise, a revision of the risk assessment and of the resulting mitigation measures is necessary.

  • In case of an accident or near miss occurring with the equipment or in the process. This may be a sign that something was overlooked in the original risk assessment or that the mitigation measures were not adequate or not correctly applied.

  • The occurrence of accidents in similar facilities or with similar equipment should trigger a re-evaluation of the organisation’s own equipment and processes.

  • Changed legislation may force a re-assessment of risks and mitigation measures.

  • Finally, a periodic review of all risk assessments which were not reviewed for the reasons above is useful to keep all assessments and mitigation measures updated and adhering to the same standards, even for equipment which never failed within decades of operation.

Reviews inscribe the safety process into the life-cycle of the organisation and are part of its Safety Management System.

5.2 Safety Organisation and Management

Institutions operating particle accelerators tend to be large organisations with a hundred or more employees and other collaborators, for example contract workers or research scientists from other institutions. At this organisational scale it is important to clearly define the responsibilities and duties for Occupational Health and Safety (OHS) of every person working on the premises of the institution. A Safety Organisation, based on simple principles and clear rules, gives all concerned parties, managers, employees, contractors and external researchers, guidelines on how to ensure safe working conditions for themselves and others and how to react in case of accidents.

5.2.1 Employer and Hierarchical Safety Responsibility

A founding principle of OHS is the employer’s responsibility for safe and healthy working conditions. This principle is codified in the Occupational Safety and Health Convention, No. 155 [14], to which the member states of the International Labour Organisation (ILO) mutually agreed in 1981. The ILO was founded in 1919 as a tripartite organisation with representatives of governments, employers, and workers, with the aim of promoting social justice and internationally recognized human and labour rights. In 1946 it became a specialised agency of the United Nations; it has 187 member states and has its headquarters in Geneva, Switzerland.

Article 16 of ILO Convention 155 stipulates that employers must ensure the safety of workplaces, machinery, equipment, and processes. They must also ensure the absence of risk from chemical, physical, and biological agents when appropriate protection measures are taken, and they must supply the necessary protective equipment to the workers.

In a small enterprise, the employer is readily identifiable, but in a larger organization with a hierarchical management structure, the employer responsibility is usually extended to a model of hierarchical safety responsibility. This means that in matters of occupational health and safety, each member of the hierarchy (“manager”) acts at his level of responsibility as if he were the employer. At the lowest level of the hierarchy, each worker is responsible for his own safety and for that of those who may be directly harmed by his activity.

Translated to an accelerator centre the principle means that, for example, a manager in charge of maintenance assures that the workers under his control (employees and contract workers alike) have received the necessary safety instructions and equipment and apply them in the intended way while performing their duties. The workers themselves are required to follow any instructions given to them and to use the protective equipment provided to them by the manager.

In application of the principle of hierarchical responsibility, the higher levels of the hierarchy must provide the necessary means to the lower levels so that these can fulfil their obligations in matters of safety. These means comprise

  • Budget and manpower to plan, finance, and implement safety-relevant measures;

  • Authority to take decisions;

  • Internal safety regulations for situations not covered by standard industrial safety rules; and

  • An allowance of time and budget for safety training and information for all managers and workers.

A sensitive subject is the organization of OHS for contract labour and for scientists from other institutions. Both groups are external labour with employers from outside the institution where they exercise a part of their activities. These employers bear a part of the responsibility for their occupational health and safety. The authoritative ILO document on Safety Management Systems, ILO-OSH-2001 [15], recommends that the organization receiving external labour shall ensure that its safety and health requirements, or at least the equivalent, are applied to contractors and their workers. This may be achieved by communication and coordination between the appropriate levels of the organization and the contractor prior to commencing and during execution of work, and should include provisions for communicating hazards and the measures to prevent and control them. The organization may also be required to provide relevant workplace safety and health hazard awareness and training to external labour if they may encounter specific hazards during their activity. Examples at particle accelerators are safety awareness sessions for electrical hazards or ionizing radiation, hazards which are not customarily encountered by most professionals in “conventional” industries.

5.2.1.1 Safety Policy

The International Labour Organization ILO recommends in [15] that the employer, in consultation with the workers and their representatives, should set out in writing a safety policy. This policy should include as a minimum a statement that the organization commits to the following principles and objectives:

  • protecting the safety and health of all members of the organization by preventing work-related injuries, ill health, diseases, and incidents;

  • complying with relevant national OHS laws and regulations, voluntary programmes, collective agreements on OHS and other requirements to which the organization subscribes;

  • ensuring that workers and their representatives are consulted and encouraged to participate actively in all elements of the OHS management system;

  • and continually improving the performance of the OHS management system.

The policy shall contain

  • a description of the organization of health and safety, with the names and positions of the responsible managers;

  • a reminder of the duties and rights of employees, including contractors and temporary personnel;

  • the organization’s duties towards the wider public, living in the vicinity of the plant, and the environment in general;

  • health and safety performance targets which shall be attained by the organization within a set time span.

The safety policy should be specific to the organization and appropriate to its size and its activities. In a particle accelerator centre, the following statements may become part of the safety policy:

  • a commitment to equal rights and duties in matters of health and safety for employees, contract labour, students, and guest researchers;

  • the priority of health and safety objectives over the availability of the beam, be it for commercial, medical or research purposes;

  • a commitment to rigorous handling and elimination of the special waste produced by the facility (chemical, radioactive).

The safety policy should not be a dead document filed in an archive, but an expression of the living commitment of the organization to health and safety. It is important that the principles of the policy are lived by the management, as an example to the employees and other personnel on the site.

5.2.1.2 Safety Support Unit

Occupational Safety and Health is a wide field requiring competencies of a scientific, technical, organisational, and regulatory nature. In large organizations such as a high-energy particle accelerator centre it has proved useful to bundle the required competencies in a dedicated safety support unit which reports directly to the highest level of management. Alternatively, for a small accelerator, for example a cyclotron for radioisotope production for medical diagnostics, safety support can be given by specialised consultants.

The purpose of a safety support unit is to reinforce the hierarchical line of responsibility by providing the necessary expertise in occupational health and safety to the different levels of management and to the workers. Areas of expertise include for example

  • knowledge of international and national regulations and other Standard Best Practice;

  • use of hazard- and risk-assessment techniques;

  • scientific or technical competencies in specialised areas of OSH, such as fire prevention, ionising radiation protection or chemical safety;

  • competencies in the application of national regulations, such as transport of dangerous goods or elimination of waste.

Members of this unit should have a background in the different technical and scientific professions employed in the organization, complemented by training and certification in occupational health and safety. Previous working experience in the accelerator or its supporting laboratories and workshops assures a good understanding of the needs and limits of the clients, i.e. all levels of the organization’s hierarchy.

5.2.2 Administrative Safety Controls

In the hierarchy of controls (Sect. 5.1.5), administrative controls occupy one of the last places in the ranking. In the overall safety management system of an accelerator facility they have two important roles:

  • they set the scene for the implementation of safety with regulations, procedures, and safety training;

  • they guarantee safety during exceptional circumstances when the technical safety controls are overridden, with safe systems of work.

5.2.2.1 Internal Safety Regulations

One task of OHS experts in a safety support unit is the drafting of internal safety regulations. These publications comprise, first, the safety policy of the organization, and the principles of its safety organization. Further regulations fall in two categories:

  • Specific implementation of international directives, national laws, or other pieces of standard best practice in the organization;

  • Regulations to protect workers, the environment and the public from specific hazards which are not covered by any standard best practice.

Internal regulations shall be clearly written and presented in a way that is understood by those who must use them. It is not recommended to publish safety documents in the style of European Directives or national laws. This would not only reproduce the work by the public bodies who edited these regulatory documents, but their style is also not readily understandable by the target audience.

For workers coming from global collaborations, as in international accelerator centres, the use of illustrations and cartoons may be suitable to pass on safety advice. The draft of an internal regulation by the OHS experts shall be reviewed by the organization’s management and by workers’ representatives before being authorized by the general manager or director and published, for example on a dedicated web site of the internal network.

5.2.2.2 Safety Awareness and Training

Safety policy and safety regulations are only effective if they are known and adopted by the employees on all levels of the hierarchy. One channel for communicating safety messages is compulsory safety awareness sessions. Their purpose is to familiarise personnel with the safety policy, or with regulations for specific technical domains. In an awareness session, no hands-on practical training is given, and usually no comprehension test is required from the participants. Such sessions can be given to all employees of a small unit in person, either by the supervisor or by a safety specialist. A toolbox talk, as these sessions are also called, can be part of regular staff meetings. In large accelerator centres, the awareness sessions for general safety topics can be given as computer-based content which employees can follow at a suitable moment in time.

Other means of creating safety awareness are poster campaigns, the organisation of a safety day, and placing safety messages in a prominent place in internal communication media.

Safety awareness cannot replace formal safety training for the prevention of accidents and protection of workers. Examples for classroom courses with practical exercises are

  • Use of personal protective equipment for work at height (climbing harness, security with ropes);

  • Use of personal masks for chemical protection, including a fit-test of the mask;

  • Use of fire extinguishers;

  • Measurement of ionising radiation at the workplace, for example to control surface contamination in a laboratory for radioactive substances;

  • Use of the electrical lock-out procedure.

Safety training must be given at a level which is accessible to all categories of personnel in a facility. This brings the problem that workers with higher technical education may feel that the level of the training is too low for them. However, this is often a false problem: safety training for ionising radiation protection does not need to explain the physics of the atomic nucleus, any more than training for work at height repeats Newton’s laws to explain free fall. As long as safety training is focussed on the safety aspects of a topic, it can be made interesting and engaging for all participants, no matter their background.

5.2.2.3 Safe System of Work

In the hierarchy of safety controls (Sect. 5.1.5), technical safety measures are favoured: machine covers protect against mechanical accidents and electrical shock, an access safety system (Sect. 5.3.1) prevents unauthorised entry to potentially hazardous areas. Most technical safety measures are designed for the normal operation of an equipment. They lose their protective function during maintenance and repair. In the above examples, machine covers are removed when a machine fault is investigated, or standard maintenance is executed. In this phase, the worker in contact with the dangerous parts must be protected against sudden energisation of the machine, which would expose him to the risk of a mechanical or electrical accident. In Sect. 4.1.2.2 a solution to this problem in the domain of electrical safety has been presented in the form of the lock-out process. It draws its name from the procedure of physically locking out the energy source with a personal padlock. The five steps of a lock-out procedure are:

  1. Identification of the power source;

  2. Separation from the power source;

  3. Locking the separation with a personal padlock;

  4. Verification that the equipment is without power;

  5. Securing the equipment, to make its re-start impossible.

The technical means to accomplish each step are different between e.g. electrical appliances and mechanical equipment, but the purpose remains the same: prevent the accidental start of the equipment while workers are in contact with it.

In large plants, to which many particle accelerators belong, the five steps cannot be executed by the maintenance worker alone. Here, a safe system of work with permits to work [12, 13] takes over. It is an administrative process which complements the lock-out procedure where a single person does not control each of its five steps. In a distributed electrical powering scheme, where the power sources are far from the equipment they power and different units are in control of the source and of the equipment, steps 1–3 are usually executed by a member of the powering unit, while steps 4 and 5 are the tasks of the worker on the equipment.

Before opening the protective covers of an electrical equipment, the maintenance worker requests its separation from the power source. He uses a standardised form for this request, on paper or through a network-based messaging system. After completing steps 1–3, an appointed person in the powering unit certifies to the maintenance worker, using the same standardised form, that the power source has been locked out and secured. Now the maintenance worker can accomplish steps 4 and 5, which assure him that the correct equipment was separated from power and that it cannot be started accidentally. When the work on the equipment is finished, the worker must inform the powering unit, and only then may they lift the lock-out and re-energise the equipment.

The certification from the powering unit to the maintenance worker is sometimes called a work permit, and the maintenance worker may in turn give a subsidiary work permit to a colleague who is engaged on the same equipment. In either case, all issued permits must be annulled by returning them to their source before the equipment can be powered again.

This process, which literally preserves the integrity and life of the maintenance worker, must be based on a clear, written safety procedure, known to all participants. Persons must be appointed in writing by their supervisors to the key roles in the safe system of work, and they must have received training on the overall procedure and specific to their role. The request for separation from the source, the certification of lock-out, and the notification of end-of-work must be stated without ambiguity, using pre-printed forms or a network-based messaging system. A well-thought-out and rigorously maintained safe system of work is an efficient safety mechanism to protect against accidents during periods when the technical controls are out of order.
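The permit exchange described above, modelled as a small state machine. This is an added example, not code from the text or from any facility's real system; the role names, the permit identifiers and the rule that end-of-work must be reported before re-energising are assumptions built from the description.

```python
from dataclasses import dataclass, field
from typing import Optional


class PermitError(Exception):
    """A step attempted out of order, by the wrong person, or with permits still out."""


@dataclass
class SafeSystemOfWork:
    """Tracks one separation request for one piece of equipment (assumed model)."""
    equipment: str
    certifiers: frozenset            # persons appointed in writing by the powering unit
    state: str = "IDLE"              # IDLE -> REQUESTED -> LOCKED_OUT -> WORK_ENDED -> IDLE
    requester: Optional[str] = None
    open_permits: dict = field(default_factory=dict)   # permit id -> holder
    _counter: int = 0

    def _issue(self, holder: str) -> str:
        self._counter += 1
        pid = f"{self.equipment}-P{self._counter}"
        self.open_permits[pid] = holder
        return pid

    def request_separation(self, worker: str) -> None:
        """Standardised request from the maintenance worker; steps 1-3 follow."""
        if self.state != "IDLE":
            raise PermitError(f"equipment already in state {self.state}")
        self.state, self.requester = "REQUESTED", worker

    def certify_lockout(self, certifier: str) -> str:
        """Powering unit certifies lock-out; the certificate is the work permit."""
        if certifier not in self.certifiers:
            raise PermitError(f"{certifier} is not appointed to certify lock-out")
        if self.state != "REQUESTED":
            raise PermitError(f"no pending request (state {self.state})")
        self.state = "LOCKED_OUT"
        return self._issue(self.requester)

    def issue_subsidiary(self, from_permit: str, colleague: str) -> str:
        """A permit holder may pass a subsidiary permit to a colleague on the same job."""
        if self.state != "LOCKED_OUT" or from_permit not in self.open_permits:
            raise PermitError("subsidiary permits need an open primary permit")
        return self._issue(colleague)

    def return_permit(self, pid: str) -> None:
        """Annul a permit by returning it to its source."""
        if pid not in self.open_permits:
            raise PermitError(f"{pid} is not an open permit")
        del self.open_permits[pid]

    def report_end_of_work(self, worker: str) -> None:
        if self.state != "LOCKED_OUT" or worker != self.requester:
            raise PermitError("only the requesting worker can end the work")
        self.state = "WORK_ENDED"

    def reenergise(self, certifier: str) -> bool:
        """Lift the lock-out: refused while any issued permit is still out."""
        if certifier not in self.certifiers or self.state != "WORK_ENDED":
            raise PermitError("end of work not reported or certifier not appointed")
        if self.open_permits:
            raise PermitError(f"permits still out: {sorted(self.open_permits)}")
        self.state, self.requester = "IDLE", None
        return True
```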

5.3 Beam Safety

Several hazards are related to a particle accelerator operating with beam: magnetic fields (associated with high electrical currents), fluids under pressure (generating an oxygen deficiency hazard if released), and ionising and non-ionising radiation. Depending on the energy and intensity of the particle beam, some or all of these hazards may have an intolerably high level of risk. Consequently, access to the accelerator area is forbidden and its operation is piloted remotely from a control room. An accelerator safety system ensures that persons cannot be harmed by voluntarily or accidentally getting close to the beam. Its functions are:

  • Prevent access to the accelerator area during operation.

  • Prevent accelerator operation as long as personnel are present in accelerator area.

  • If access is forced during accelerator operation, the accelerator is brought rapidly to a safe state by turning off the particle beam. The first three functions are fulfilled by the access safety system.

  • In periods without particle beam, permit access only to authorised personnel. This part is played by the access control system.

An overview of the topic is given in [16, 17].

5.3.1 Accelerator Safety System

The purpose of the Accelerator Safety System (ASS) is to allow operation of the accelerator only when it cannot cause harm, in particular by preventing persons from accessing the vicinity of the accelerator during operation. The ASS consists of the following elements:

  • Barriers to make the accelerator or its components inaccessible during operation. For low-energy accelerators or for beamlines with a low duty factor the barriers may consist of fences. In many cases the radiation shielding also serves as an access barrier. The highest-energy particle accelerators are built underground and communicate with the surface through a few access shafts. In this case, the barriers are localised at these shafts.

  • Access doors through the barrier to the accelerator area. In the simplest case, the access door must be locked by the responsible operator before starting the accelerator. In contemporary facilities the doors are equipped with electronic locks operated remotely from a control room. The closed state of the doors is supervised with an interlock switch.

  • Accelerator interlocks which prevent the particle beam from circulating. Accelerator interlocks can act on different components of the accelerator: they cut the power supply to the particle source, or to a bending magnet which injects the beam into a different area. They can also consist of a beam stopper, a massive metal block with a similar layout to a collimator or a beam dump (Sect. 2.5), which is moved into the beam path to stop or to diffuse the particles and make them inoffensive. The status of accelerator interlocks is verified with electronic switches.

  • Interlock keys are an element of the accelerator interlocks. Every person accessing the accelerator area removes a key from a distribution panel located at the access door. Only when all keys are replaced in their corresponding locks in the distribution panel is the interlock raised and the accelerator can be re-started. This prevents accidentally “forgetting” a person and exposing her to the dangers of an accelerator beam.

  • Patrols of the accelerator area are organised after longer interruptions of service, for example after a shut-down. The patrol is formed by at least two experienced members of the accelerator personnel with a good knowledge of the area. They make certain that no person is present in the accelerator area before releasing it for operation.

Analogous to preventing personnel access, environmental protection considerations can enter the scope of the ASS, for example by preventing the release of harmful substances.

The status of all elements of the ASS is transmitted to the control room. Only when all monitored elements report a safe state can the accelerator be started. The ASS uses positive logic: if a switch is either open or not functioning, the accelerator is considered unsafe for operation. Today, an ASS can be realised by transmitting the status of the elements over Ethernet or an equivalent data bus, with the logical state evaluated by a programmable logic controller (PLC). Special safety PLCs are on the market which embody internal self-checking functions and redundancy. Some local legislations, however, require that the ASS be realised in “hardware”; in this case the interlock switches are wired with dedicated signal cables and the logic controller is realised with discrete electronics, without programming. The question of the reliability of the ASS is treated in Sect. 5.4.
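The positive-logic evaluation described above, as an added example that is not the page's or any facility's code: a reading that is absent or cannot be interpreted blocks operation just like an open switch. The three-valued signal model, the element names and the sample readings are assumptions constructed for the illustration.

```python
from enum import Enum


class Signal(Enum):
    """Reading the control room receives from one monitored ASS element."""
    SAFE = "safe"            # switch closed: door shut, stopper inserted, key in its lock
    UNSAFE = "unsafe"        # switch open: door opened, stopper withdrawn, key removed
    NO_SIGNAL = "no signal"  # cable cut, switch stuck, PLC input dead: treated as unsafe


def ass_permits_operation(elements, keys_out, patrol_required, patrol_done):
    """Positive logic: operation is allowed only when every monitored element
    reports SAFE, every interlock key is back in the panel and any required
    patrol has been completed. Returns (allowed, reasons_blocking).

    elements: mapping element name -> Signal (None if the element never reported).
    keys_out: names of persons whose interlock key is still out of the panel.
    """
    blocking = []
    for name, signal in elements.items():
        if signal is not Signal.SAFE:              # UNSAFE, NO_SIGNAL and None all block
            blocking.append(f"{name}: {signal.value if signal else 'never reported'}")
    for person in sorted(keys_out):
        blocking.append(f"interlock key of {person} not in panel")
    if patrol_required and not patrol_done:
        blocking.append("patrol of the area not completed")
    return (not blocking, blocking)


# Constructed sample readings (not from any real installation): one door
# interlock has gone silent, which must block the start exactly like an open door.
SAMPLE_ELEMENTS = {
    "door, east access": Signal.SAFE,
    "door, west access": Signal.NO_SIGNAL,
    "beam stopper, injection line": Signal.SAFE,
    "bending magnet power supply": Signal.SAFE,
}
```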

5.3.2 Access Control System

The purpose of the Access Control System (ACS) is in its name: it controls and regulates the access of persons to the accelerator area. Permission to enter an accelerator area depends on several prerequisites:

  • The person requesting access must have a permission to do so. This permission is linked to the task he or she must execute.

  • For accessing areas with particular hazards (electricity, oxygen deficiency, radiation), the person must have received adequate safety instructions or training before being allowed to work there.

The ACS ranks below the ASS: even when the prerequisites above are met, access is only permitted in operational states of the accelerator in which the safety risks are tolerable for personnel. This generally means that no beam is accelerated and that the main components (magnets and RF systems) are not powered.

Fig. 5.4 Access doors of the Proton Synchrotron at CERN. Right, a personal door, letting only one authorized person pass at a time. Left, a material lock, in which the two doors cannot be open at the same time. Centre, the access control system with interlock key panel. (Photo: CERN)

The access to areas with high beam loss (Sect. 3.1) may be linked to the radiation dose rate.

The ACS is materialized by the access doors, which are also part of the ASS (Fig. 5.4). In small facilities, control room personnel supervise and operate the access doors remotely; the access permission can be checked personally, because the operators know each other, or they consult lists of authorised personnel. In larger facilities with dozens or hundreds of employees, this method is error-prone and inefficient. Automatic access control systems are now the standard. Personnel carry a badge with a barcode or RF identifier to identify themselves at the access door. Their permits can be coded on the card, or the ACS is linked to a database with all permits. When the permits are sufficient, the door opens automatically and gives access to the area.

A biometric identification, where the identity of the cardholder is checked with a fingerprint, an image of the iris or a photo-id may be necessary in facilities where theft or sabotage are feared, for example in nuclear facilities where fissile material is handled under regular control by the International Atomic Energy Agency (IAEA) or by EURATOM.

5.4 Functional Safety and Safety Integrity Levels

Functional safety covers situations where the safety of a system or an equipment depends on safety functions, realised by electrical, electronic, or programmable-electronic (E/E/PE) means. The safety function acts on demand, after being triggered by a sensor, or manually, and brings the system or equipment into a safe state.

The previous Sect. 5.3 on beam safety showed a few application examples of functional safety at particle accelerators. The accelerator interlocks of the Accelerator Safety System (ASS) employ electrical door contacts as sensors for an attempted entry to the accelerator tunnel. A safety control system (programmable electronics) acts on the sensor information from the door and gives commands via electrical or electronic switches to beam safety elements, hindering the injection of a particle beam as long as the presence of persons in the accelerator area has not been excluded by a patrol. Likewise, the Access Control System (ACS) relies on doors with electronic locks, personal identification with identity badges and the access to a database where access information of duly authorised personnel is stored.

Other examples of functional safety at particle accelerators are quench detection and quench protection systems in superconducting magnets (Sect. 2.2.3), and the early detection of smoke (Sect. 4.4.4) or of oxygen deficiency (Sect. 2.3.3) by sensors, triggering an evacuation alarm.

To fulfil their purpose of guaranteeing the safety of a system or an equipment, safety functions must work reliably when they are demanded. [18] gives an overview of the topic with a focus on accelerator applications. The fundamental references are a series of international standards [20, 22] covering the reliability of safety functions. The standard introduces the Safety Integrity Level (SIL), which quantifies the reliability of a safety function on a scale ranging from 1 to 4. A safety system with SIL 4 has the highest probability of satisfactorily delivering its safety function on demand: a safety system with SIL n has an average probability of dangerous failure on demand, PFD, in the range 10^−(n+1) < PFD < 10^−n. Safety functions covering risks with the highest stakes, for example the protection of human lives, must have the highest safety integrity levels.

The safety integrity level for a safety function is evaluated in a special type of risk assessment. One evaluates the probability of an accident under the assumption that the safety functions covering this particular risk are not present. Then, the required SIL of these safety functions is determined such that they fill the gap between the failure probability of the system and the targeted maximal probability of an accident. A simplified, hypothetical example illustrates this concept:

The access safety system for a specific room in an accelerator facility consists of a door with an electronic lock, which is shut when the accelerator operates, and, independent from it, a mobile beam dump which can be moved into the beam to block it from the accessible room. The requirement on the accelerator safety system (ASS) is to prevent the exposure to the beam of a person entering the room accidentally. The probability of failing to do so shall satisfy p_access,beam < 10^−5. This system is represented in the simple fault tree in Fig. 5.5.

Fig. 5.5 Fault tree for the simple ASS in the example for SIL determination. The two safety systems, electronic lock and mobile dump, are independent and can be represented as parallel blocks feeding an AND-gate: both must fail to lead to a complete system failure.

Table 5.3 shows the steps leading to the evaluation of the SIL of the mobile dump. A component with SIL 1, having a failure probability of up to 10% on demand, would not be sufficient. Therefore, the dump control system must meet the requirements of SIL 2.

Table 5.3 Failure probabilities of the components of a hypothetical accelerator safety system (ASS) and evaluation of the required SIL of a component

In [18] a more elaborate example of functional safety for a particle accelerator safety system can be found.
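The SIL determination for the two-branch example above, carried through in code. This is an added example, not the book's own calculation: Table 5.3 is not reproduced on the page, so the lock's PFD of 10^−3 and the dump's PFD of 5·10^−3 are constructed values, and the SIL bands are taken exactly as the text states them (strict at both ends).

```python
from fractions import Fraction
from math import prod

# SIL n covers 10^-(n+1) < PFD < 10^-n, as stated in the text.
SIL_BANDS = {n: (Fraction(1, 10 ** (n + 1)), Fraction(1, 10 ** n)) for n in range(1, 5)}


def _exact(pfd):
    """Carry probabilities as exact fractions so band boundaries are not blurred by floats."""
    return pfd if isinstance(pfd, Fraction) else Fraction(str(pfd))


def sil_from_pfd(pfd):
    """SIL whose band contains this PFD; None when the part is worse than SIL 1."""
    p = _exact(pfd)
    for n, (low, high) in SIL_BANDS.items():
        if low < p < high:
            return n
    return None


def and_gate_pfd(branch_pfds):
    """Independent branches feeding an AND-gate must all fail: probabilities multiply."""
    return prod(_exact(p) for p in branch_pfds)


def required_sil(target_pfd, other_branch_pfds):
    """Smallest SIL for the remaining branch so the whole gate stays below target_pfd.
    Returns None if no single SIL 1-4 component can close the gap (add a branch instead)."""
    budget = _exact(target_pfd) / and_gate_pfd(other_branch_pfds)
    for n in range(1, 5):
        if SIL_BANDS[n][1] <= budget:   # every SIL n part has PFD < 10^-n <= budget
            return n
    return None


def worked_example():
    """Constructed figures for the lock/dump ASS of Fig. 5.5 (not Table 5.3's own values)."""
    target = Fraction(1, 10 ** 5)      # p_access,beam < 1e-5, from the text
    lock_pfd = Fraction(1, 10 ** 3)    # assumed: the electronic lock is a SIL 2 part
    dump_sil = required_sil(target, [lock_pfd])
    dump_pfd = Fraction(5, 10 ** 3)    # assumed: a dump control system built to SIL 2
    system_pfd = and_gate_pfd([lock_pfd, dump_pfd])
    return {
        "dump_sil": dump_sil,
        "system_pfd": system_pfd,
        "meets_target": system_pfd < target,
    }
```

With the assumed lock PFD the dump budget is 10^−2, which a SIL 1 part (PFD up to 10^−1) cannot meet, so the function returns 2 in line with the text's conclusion.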

In many practical applications of functional safety, it is too complicated to draw up a complete fault tree, and this approach also suffers from the often-incomplete knowledge of the failure probabilities of components. In such a case, one can determine the required SIL of a safety function with qualitative methods or with hybrid methods combining quantitative and qualitative elements. Part 5 of [22] summarises recommended methods for SIL evaluation.

Once the required SIL of a safety function is determined, it needs to be implemented. Manufacturers offer electrical and electronic components as well as mechanical components which meet the reliability requirements of a defined SIL. These components have been tested and certified by authorised institutes. For example, in Germany, VDE offers a certification service for functional safety [24].

The concepts of functional safety are also applied to the controls of machines (Sect. 4.2.2) in [21] and to the process industry [23]. The latter standard can be used as a template for the implementation of functional safety in cryogenic systems.

For further information on the topic, the UK Health and Safety Executive maintains an informative website on functional safety [19] with many references to in-depth articles and studies.