How to design a better criticality incident detection & alarm system31 March 1999
The extension of the operating lives of existing process plants that handle fissile material has been the driver for the development of a new criticality incident detection & alarm system (CIDAS). By the combination of existing and proven principles and modern technology, a more cost effective, reliable and versatile system has been produced and is being successfully deployed. The evolution of a portable CIDAS system is also providing a valuable contribution to decommissioning safety.
There is a requirement in every plant handling fissile materials above a certain minimum quantity to consider the need for criticality incident detection and alarm systems.
Inside the reactor of a nuclear power station criticality is a controlled event and takes place behind thick shielding walls. However; wherever fissile material is refined, enriched, fabricated, used, stored, reprocessed or disposed, criticality can occur accidentally. A number of incidents have been reported: a total of 41 criticality accidents were discussed in a Department of Energy document1 while 12 incidents in the former Soviet Union were reported in 1995.2 Figures for other parts of the world are unpublished.
The effects of such incidents can be very serious, since they occur unexpectedly and possibly in areas of little or no shielding. This can lead to large dose uptakes to plant operators; 11 incidents have caused fatalities. Even the very thick shield walls of reprocessing plants may not be enough to avoid fatal dose uptakes. Plant could also be at risk of serious damage, not to mention the effects on public and industrial relations.
In addition, the rate of radiation increase, the very short durations of criticality incidents, as short as milliseconds and the very large radiation fields produced may all combine to make ‘normal’ radiation detection (gamma or neutron area detectors) ineffective.
CIDAS (Criticality Incident Detection Alarm System) is a purpose built detection and alarm system that, by means of detection and immediate area evacuation, limits the dose received from a criticality incident. This is done by:
• Providing detectors throughout the ‘Criticality Detection Area’.
• Providing audible and visual alarms throughout the ‘Criticality Evacuation Area’ to allow evacuation in accordance with the requirements of a plant Emergency Plan.
• Providing visual alarms at the entrances to the ‘Criticality Evacuation Area’ (typically doors and gates, etc).
• Providing data to management to allow site emergency procedures to be invoked.
BNFL has manufactured and used such systems for 40 years.
CRITICALITY DETECTION CRITERIA WITHIN BNFL
A number of different systems have been used by BNFL. (Brief resumés of the types are given in following table.)
For the purposes of CIDAS design and placement on plant the general objective is to attempt to detect an incident before it could have delivered an absorbed dose of 100 mGy to a plant operator. The specific criteria6 take note of the following:
• The potential yield range of criticality incidents, 1015 to 2x1019 fissions.
• The potential duration of a single incident, as short as 1.0 ms and as long as 60 s.
• The potential incident characteristics, moderated or unmoderated.
• The presence of shielding between the incident and the operator.
THE POSITION WITHIN BNFL
By August 1996, 30 CIDAS systems were operational on BNFL sites. Two BNFL-built CIDAS systems were operational on other non-BNFL sites. It was clear that although they were still ‘fit for purpose’ many of these systems were reaching the end of a useful life and would require replacement. Future de-commissioning projects also needed new CIDAS systems. Given this need, BNFL undertook a review of its CIDAS requirements.
Existing system shortcomings
The early MkIV system was a very old design. It had no ability to be ‘networked’ into a ‘zoned’ evacuation system. The individual components that the system was made from were becoming hard to obtain. The battery back-up system was out-dated and the general level of technology advance in electronics had left the previous system offering very limited functionality.
It also became clear that the previous BNFL MkV or VI designs would not be adequate for installation into new plants.
OBJECTIVES OF DEVELOPMENT PROGRAMME
BNFL embarked on a development programme to modernise the existing CIDAS design and its production methods. The name ‘Mk X’ was chosen simply to indicate how significant the changes were.
The development is based around the following broad criteria:
Value for money
A main criterion of the development and eventual production of the new Mk X CIDAS was to offer BNFL customers better value for money than the existing system. The existing Mk VI system, whilst being produced on a ‘cost-price’ basis, did incur Springfields site overhead costs in its production. That design had also reached the end of its life and would incur considerable lifetime maintenance costs as its components went out of production.
The existing CIDAS design was the product of many years of operational experience and enjoys a very high confidence level for reliability, availability and low false alarms. It was decided that the existing detector would be modified only regarding mounting, data communications and packaging. All development would reflect the very high profile CIDAS has as a trusted safety system on-site. Development would also reflect national and international safety standards to allow external sales to take place.
Accuracy & repeatability.
The development programme must evaluate and ensure the detection accuracy and detection repeatability of the existing method was not degraded. CIDAS is intended to be operated 24 hours per day for 365 days per year. Operational life is targeted at 30 years.
A Quality Plan would be prepared identifying the specific operations, activities, control procedures, inspections, testing, approvals, and certification requirements applicable. CIDAS is a ‘high visibility’ device in terms of plant safety and scrupulously thorough records would be kept during the development programme. Designing to ISO9000 was also considered essential.
Acceptability to regulators
BNFL considered possible future requirements that might be imposed by the national and international regulators. It was important to fulfil the requirements of national & international standards.3,4,6
The development programme must make it possible to assemble the CIDAS in configurations that would allow use in a variety of locations and situations. The need for a portable system for de-commissioning, able to make a ‘first entry,’ was clear. However, the ability to be a direct ‘one for one’ swap with existing CIDAS was essential.
The following are the broad specifications for the CIDAS set by BNFL:
• Detectors – BNFL prefer gamma dose detectors because emergency planning regulations reference dose (not dose rate) and they are of simple construction. (Detector response is shown in the following graph.)
• Time to respond < 200 ms.
• Fractional Dead Time (FDt) < 10-4
• False alarm rate < 1 in 10 years.
• Life span > 30 years.
• Seismic tolerance to conform to plant design earthquake requirements.
• EMC conformance to BSEN55022 ‘rescom/light’.7
• Power supplies to be triplex battery backed UPS > 2 hours.
• Logic based on 2/3 voting & conformance with IEC61508, Integrity Levels 1 to 38.
• Remaining details broadly conforming with ANS8.3, ISO7753 & IEC860.
THE NEW SYSTEM
The CIDAS MkX consists of:
• A number of Geiger-Muller gamma Detectors connected in three different ring-main circuits. The detectors are positioned such that at least one detector on two circuits will detect a criticality incident. This ‘two from three’ logic provides highly reliable detection with a low spurious alarm probability. The detectors also feature a redundant CAN-bus link to the Central Equipment Rack allowing diagnostics & self tests to be performed on the detectors. This includes automatic checking with an on-board source. Software is not used in any alarm generation.
• A Central Equipment Rack containing services and all the following equipment:
* Signal Logic Unit based on proven ‘fire and gas’ electronic shut-down units conforming to criteria set in Reference 8. This unit has comprehensive self-test and diagnostic capabilities.
* Power Supply Units complete with triplex UPS battery back-up.
* A Building Evacuation System consisting of duplicated sound generators. An intermittent ‘pip-pop’ tone is selectable to allow speaker checking and assure staff of the continued health of the system.
* Noisy Area Warning Lights are provided where ambient noise levels are high (fan rooms, etc).
* Keep-Out Warning Lights are mounted at entrances to the Criticality Evacuation Area.
* Remote Control Panel for operation & status indication in a ‘safe’ area.
USE OF NEW CIDAS
The first MkX fixed system was installed at the new fissile material store at BNFL Sellafield. Portable systems have been supplied in two decommissioning projects at BNFL Sellafield and two at the BNFL Drigg disposal site. Three fixed systems have been purchased by UKAEA(GD) Dounreay. Three further systems are being constructed, one for a plant in the USA.