[ RadSafe ] Interlock question

Ted de Castro tdc at xrayted.com
Wed Oct 29 18:43:58 CDT 2014


Yes indeed - another person recently reminded me of this incident ---- 
only 7 years BTW after an incident where I worked where a failed 
mechanical relay was replaced with a solid state relay by an 
electronics engineer who was SURE it was an improvement - but without 
consulting the x-ray safety officer (because in 1977 he wasn't required 
to).  The SSR was misapplied in several ways and failed in a completely 
expected manner.

The exposed person lost 3 fingers (~50 Krad) (It's all written up in the 
Journal) and it cost my company 1.5 million plus legal fees.

So you might understand my reluctance to accept these design components.

Some good DID come out of this accident ... as any safety person knows - 
when the the gets killed at the intersection - you get your crosswalk.  
So I knew to "strike while the iron was hot" and got essentially carte 
blanche to install my own x-ray safety program - including elements I'd 
been unsuccessfully fighting for for years. The program was entirely 
rewritten and favored complete hardware control, complete enclosure of 
ALL machines and other elements as "lessons learned" from studying the 
history of x-ray machine accidents.  (in the 3 papers I presented at the 
Denver X-Ray Conference - '85 I think)

Unfortunately I couldn't get rid of some vestigial administrative 
requirements like periodic surveys (which I'd rendered obsolete), but it 
worked and there hasn't been even a near miss there since the program 
was completed for a population of approx 25 machines.


On 10/29/2014 3:48 PM, Strickert, Rick (Consultant) wrote:
> The topic of electronic/software interlocks brings to mind the Chapter 1 story of Ray Cox (pp. 13-22) in Steven Casey's book, _Set Phasers on Stun and Other True Tales of Design, Technology and Human Error_ (Aegean Publishing Co., 1993), Katie Yarborough and others (http://www.ccnr.org/fatal_dose.html).
>
> Rick Strickert
> Austin, TX
>
> -----Original Message-----
> From: radsafe-bounces at health.phys.iit.edu [mailto:radsafe-bounces at health.phys.iit.edu] On Behalf Of Ted de Castro
> Sent: Wednesday, October 29, 2014 4:22 PM
> To: The International Radiation Protection (Health Physics) Mailing List
> Subject: Re: [ RadSafe ] Interlock question
>
> Thanks for getting back to me.
>
> I TRUST "relays and knife switches"  I don't trust TTL gates!  For all the reasons stated plus.
>
> As for ANSI N43.2 ..... good luck.  I was on the writing committee for the current revision and couldn't get committee concurrence on a proscription against any particular circuit element - even PLC's let alone TTL!!  In other words as per your great suggestion - I tried and I lost!
>
> Actually - I have a former associate who is an electrical engineer and very good at interlock specifications and he has ALMOST convinced me that the redundant interlock chains can be made self checking and that ANY circuit element can be used so long as the redundant chains are always in agreement.  I understand the concept - essentially continual functional testing and assurance - and maybe agree with it - but how complicated will the self testing be??  And ANYTHING that involves software .....
>
> Anyhow - he did have really good ideas and really good ways of analyzing the essentials of these systems according to simple principles.  So I told him that he should write a book on it and that I'd be happy to be a proof reader.  So the long and short of it is it looks like WE are going to write that book.  Of course this plan is only 3 days old - so we'll see how far we get - but I do really want to get his principles and techniques in print SOMEWHERE - at least before the next N43.2 revision - especially since I am now retired and I'd be unlikely to be on that committee again and couldn't afford the travel expense if I were.
>
> It's not an easy consideration and those pushing for their so called "modern" techniques are solidly convinced of their invulnerability - yet I maintain that interlock safety is not a "fashion statement" and have no trouble sticking with tried, true and incredibly simple techniques.
> HOWEVER on the current job I am consulting on - keeping a good friendly relation with the electrical engineer who is designing the circuit and therefore the one whose "face I am in" and reminding the customer that analytical x-ray equipment comes under the legal category of "ultra hazardous equipment" and is therefore subject to "Strict Liability" - these usually allow me to prevail.
>
> Anyhow - on one instrument that they purchased complete from a European company - in reviewing the interlocks I asked that question regarding solid state devices in the interlock chain and they said of course not since European standards didn't allow it - so now I am trying to track that down.
>
> Ted de Castro
>
>
> On 10/29/2014 1:50 PM, Bob Westerdale wrote:
>> Hi-
>> I've had to deal with this situation,,, we had developed an XRF
>> instrument driven by an FPGA ( Field Programmable Gate Array).
>> The whole safety network was  redundant ( 2 switches on virtually
>> everything) but the Customer feared that the FPGA's failure modes (
>> stuck bits, memory holes, etc) were too risky to accept.
>> We had to duplicate the logic with external ( ie. non-FPGA)
>> gates which ran in parallel with the FPGA logic.   This effectively gave
>> us 4 separate decision making paths for verifying the X-Ray shutter
>> was closed or the door secured. ( etc.) Each path had to be
>> in agreement.    It would be difficult to design a
>> digital control system that monitored/tested every decision making
>> element in a complex instrument without adding more unreliability in
>> the process!.
>> I haven't come across an EU standard that specifically prohibits
>> semiconductor devices in mission-critical
>> safety circuits.   I'd suggest that the next revision of the N43-2  Safety
>> Standard ( XRD and XRF systems) include some
>> basic logic/architecture guidelines.    I doubt we're going back to relays
>> and knife switch disconnects anytime soon!
>> regards
>> Bob Westerdale
>>
>>
>>
>>
>> From:   Ted de Castro <tdc at xrayted.com>
>> To:     "The International Radiation Protection (Health Physics) Mailing
>> List" <radsafe at health.phys.iit.edu>,
>> Date:   10/27/2014 09:11 PM
>> Subject:        Re: [ RadSafe ] Interlock question
>> Sent by:        radsafe-bounces at health.phys.iit.edu
>>
>>
>>
>> Specifically - analytical x-ray machine ....
>>
>> On 10/27/2014 2:27 PM, Ted de Castro wrote:
>>> I am dealing with an x-ray machine interlock design.
>>>
>>> Of course it will be redundant and failsafe and testable - but the
>>> question has come up regarding using semiconductor devices in the
>>> interlock circuit.
>>>
>>> When I was the x-ray safety officer at a national laboratory I
>>> resolved that issue by simply not accepting semiconductor devices in
>>> interlock circuits - problem solved.
>>>
>>> I maintained that when such included logic circuits that showing that
>>> it was failsafe with the failure of any single component could not
>>> be demonstrated - even disregarding issues with defining what
>>> constituted a "component".
>>>
>>> Further testing requires that each component be isolated, exercised
>>> and tested - and I maintained that is simply not possible with logic
>>> circuits.  ie. - just opening the door and observing that the x-rays
>>> turn off is most definitely NOT a test!
>>>
>>> It's not as simple anymore.
>>>
>>> I have heard however that there is a euro standard that prohibits the
>>> use of semiconductor devices in interlock circuits.  So - I was
>>> hoping someone here might know IF that were in fact so - and if so
>>> what that standard is.
>>>
>>> Thanks
>>>
>>> Ted de Castro
>>> _______________________________________________
>>> You are currently subscribed to the RadSafe mailing list
>>>
>>> Before posting a message to RadSafe be sure to have read and
>>> understood the RadSafe rules. These can be found at:
>>> http://health.phys.iit.edu/radsaferules.html
>>>
>>> For information on how to subscribe or unsubscribe and other settings
>>> visit: http://health.phys.iit.edu


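The thread turns on two claims: that a redundant chain must stay fail-safe under the failure of any single component, and that opening the door and watching the x-rays turn off is not a test. The following is an added example, not part of the original messages or of any design the participants describe; it is a simplified model that enumerates stuck-at faults over four decision paths of the kind mentioned in the thread. The component names (`sw_a`, `fpga_a`, `ext_a`, and so on), the AND-based beam permit and the stuck-at fault model are assumptions.

```python
from itertools import combinations, product

# Hypothetical model: two door switches, each read by an FPGA path and an
# external-gate path, giving four decision paths that must all agree.
PATHS = {"fpga_a": "sw_a", "ext_a": "sw_a", "fpga_b": "sw_b", "ext_b": "sw_b"}
COMPONENTS = ["sw_a", "sw_b", *PATHS]

def evaluate(door_closed, stuck):
    """Return (beam_permitted, paths_disagree) for a door state and a dict of
    stuck-at faults {component: forced_output}; True means 'reports safe'."""
    switches = {s: stuck.get(s, door_closed) for s in ("sw_a", "sw_b")}
    outputs = [stuck.get(p, switches[src]) for p, src in PATHS.items()]
    return all(outputs), len(set(outputs)) > 1

def dangerous_fault_sets(n_faults):
    """Fault combinations of size n that permit the beam with the door open."""
    found = []
    for comps in combinations(COMPONENTS, n_faults):
        for values in product([True, False], repeat=n_faults):
            stuck = dict(zip(comps, values))
            permitted, _ = evaluate(door_closed=False, stuck=stuck)
            if permitted:
                found.append(stuck)
    return found

def door_test_misses(stuck):
    """True if 'open the door, beam goes off' passes even though a fault is
    present that only the path-agreement check would reveal."""
    permitted_open, disagree_open = evaluate(False, stuck)
    permitted_closed, _ = evaluate(True, stuck)
    return permitted_closed and not permitted_open and disagree_open

if __name__ == "__main__":
    print("dangerous single faults:", dangerous_fault_sets(1))
    print("dangerous double faults:", dangerous_fault_sets(2))
    print("door test misses sw_a stuck 'safe':", door_test_misses({"sw_a": True}))
```

In this model no single fault is dangerous, but a switch stuck reporting "safe" passes the door test and stays latent until its partner also fails, which is the case the agreement monitoring is there to catch.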
