
Page 1: Safety classification of the ITER fusion power shutdown system and resulting safety requirements

Fusion Engineering and Design 54 (2001) 361–374

Safety classification of the ITER fusion power shutdown system and resulting safety requirements

M. Costa *

Commissariat à l'Energie Atomique, Direction des Réacteurs Nucléaires, Département d'Etudes des Réacteurs,

Centre de Cadarache, Bat. 212, 13108 St Paul lez Durance Cedex, France

Abstract

The paper presents an application of a new safety classification approach, which is founded upon the Lines of Defence (LODs) method for the organisation of the plant safety architecture needed to assure the confinement of radioactive materials and, therefore, to meet the general safety objectives. The International Thermonuclear Experimental Reactor-Fusion Power Shutdown System (ITER-FPSS) was the system selected for the application because of its fusion-specific character. The performed application substantially confirms the level of safety importance classification (SIC) assigned to the FPSS by the ITER team (SIC level 3). A set of safety requirements, concerning aspects of reliability and performance, has been defined for the FPSS. These requirements integrate and specify, for the FPSS, the generic implications currently imposed by the ITER team on the safety systems classified SIC-3. Some FPSS design specifications are also suggested to address the burden of proof requested to justify that its safety requirements can be met by the design and can be maintained over the life-time of ITER. © 2001 Published by Elsevier Science B.V.

Keywords: Fusion-specific system; Plant safety architecture; Gas-injection system

www.elsevier.com/locate/fusengdes

Abbreviations: ALARA, as low as reasonably achievable; CCF, common cause failure; DDD, design description document; DEC, design extension condition; EUR, European utility requirements; FMEA, failure mode and effect analysis; FPSS, Fusion Power Shutdown System; FS, fuelling system; IAEA, International Atomic Energy Agency; INES, International Nuclear Event Scale; ITER-EDA, International Thermonuclear Experimental Reactor-Engineering Design Activity; ITER-FEAT, International Thermonuclear Experimental Reactor-Fusion Energy Advanced Tokamak; LOCA, loss of coolant accident; LOD, Line of Defence; LOFA, loss of flow accident; LOHS, loss of heat sink; PHTS, primary heat transfer system; PIE, postulated initiating event; PPC, plausible plant condition; RR, residual risk; SCS, system, component or structure; SFC, single failure criterion; SIC, safety importance classification; VV, vacuum vessel.

* C.E.N Cadarache, SERSI/LEFS Bat. 212, 13108-St. Paul-lez-Durance Cedex, France. Tel.: +33-4-42254202; fax: +33-4-42253635.

E-mail address: [email protected] (M. Costa).

0920-3796/01/$ - see front matter © 2001 Published by Elsevier Science B.V.

PII: S0920-3796(00)00555-X


M. Costa / Fusion Engineering and Design 54 (2001) 361–374  362

1. Introduction

Safety classification of systems, components or structures (SCSs) represents a necessary step for the safety analyses of any nuclear installation.

The safety classification approach adopted in this paper follows a new classification scheme, which is of general applicability, so that it does not depend upon fission-related issues (e.g. criticality and core melting). This approach is based on the Lines of Defence (LODs) method for the organisation of the plant safety architecture needed to assure the confinement of radioactive materials and, therefore, to meet the general safety objectives.

The paper performs an application of the above safety classification approach to the International Thermonuclear Experimental Reactor-Fusion Power Shutdown System (ITER-FPSS). This system has been selected because of its fusion-specific character; indeed, no similar components or systems exist in the fission industry.

The main goal of the paper is to clearly demonstrate that the application of the proposed safety classification approach achieves results which integrate and specify the ITER requirements for the safety-classified SCSs with respect to the current updated ITER document of reference [1].

2. Safety classification approach

The safety classification approach described in the paper is applicable to any basic nuclear installation. Its application enables safety analysts to take into account the specific characteristics associated with each type of nuclear plant (e.g. power plant, experimental facility, research reactor, etc.). The safety classification approach should be carried out on the basis of the following steps [2].

1. The approach starts with the classification of the safety function under study. A safety function may be defined as follows: a safety function is a function that is implemented in the design to ensure that the doses (or other consequences) in the case of an event sequence of category (cat.) II, III or IV¹ do not exceed the admitted limits for that category [3].

2. Subsequently, all the systems, components or structures (SCSs, generally speaking; the LODs) involved in the accomplishment of the safety function must be identified.

3. Assignment of each SCS to a safety class shall be carried out, generally according to the highest safety level of the safety function it has to accomplish.

4. Finally, requirements (reliability, performance, design and construction levels, codes and standards, etc.) will be assigned to each safety-class SCS in accordance with the safety level required.

This process must be applied to all the safety functions associated with the plant design.

The general principles on which the presented safety classification approach is founded are in accordance with the current general recommendations concerning the safety approach for nuclear plants coming from both the IAEA [4–6] and the European utility requirements (EUR) [7]. This approach is also in good agreement with the safety classification approach currently adopted for ITER-FEAT [1]. The safety classification approach presented in this paper is new for the following reasons:

1. the complete formulation of the four steps that have to be followed for the application of the approach, from the safety functions to the safety requirements for the systems, is presented for the first time;

2. the scheme (see Table 1 below), which defines the safety function classification in relation to the corresponding LODs, is new;

3. some reliability-related measures have been associated for the first time with the two different kinds of LODs, (a) and (b) (see Table 3).

2.1. Safety functions classification

Classification of each safety function is defined in accordance with the relative safety function definition as presented in the scheme of Table 1

¹ The occurrence frequency categorisation adopted is consistent with that used in the ITER context: cat. I, operational events; cat. II, likely sequences (with occurrence rate f > 10^-2/a); cat. III, unlikely sequences (10^-2/a > f > 10^-4/a); cat. IV, extremely unlikely sequences (10^-4/a > f > 10^-6/a).


Table 1. Safety functions classification and corresponding needs in terms of LODs

Definition of the safety function | SF classification | Needed LODs
Safety function (SF) that is needed in normal operation (cat. I) or after occurrence of category II events, whose failure under such conditions leads to a release that exceeds the radiological limits of cat. IV | 1 | b+b+a (≈2a)
SF needed after cat. III events, whose failure leads to releases exceeding the limits of cat. IV | 2 | b+a
SF needed after cat. IV events, whose failure leads to releases exceeding the limits of cat. IV | 3 | a
SF needed after design extension conditions (DEC) events, whose failure leads to releases exceeding the limits of cat. DEC | 3 | a
SF needed after cat. I–II events, whose failure leads to releases exceeding the limits of cat. III but lower than cat. IV | 3 | b+b (≈a)ᵃ
SF needed after cat. I–II events, whose failure leads to releases exceeding the limits of cat. II but lower than cat. III | 4 | b
SF needed after cat. III events, whose failure leads to releases exceeding the limits of cat. III but lower than cat. IV | 4 | b
Function not safety classified | NC | (b)ᵇ

ᵃ From Table 2, this safety function would require a LOD (b+b). For most applications, two LODs (b) are considered equivalent to one LOD (a). Obviously, this will be true only if their combined reliability is consistent with the reliability of one LOD (a).

ᵇ Sometimes one LOD (b) might be necessary for consequence minimisation or ALARA implementation.

(columns 1 and 2). The safety function classification of Table 1 can be graphically represented on the risk plane, as shown in Fig. 1. This figure clearly shows the kind of gradation in safety importance adopted by the safety classification scheme for the two parameters — occurrence frequency and potential consequence (i.e. the Cartesian axes). The conventional design basis conditions (the four categories described in footnote 1) shall be completed by the integration of accidental situations generated by multiple failures (e.g. the total loss of the redundant systems) or the severe accidents². Even if it is known that a ‘severe accident’ (using fission language) is practically impossible in fusion, regulatory authorities will certainly require definition of a ‘fusion severe accident’ in order to deal with the licensing procedures.

The situations studied for the prevention, control and limitation of consequences are qualified as design extension conditions (DEC)³. Normally, analysis of DEC leads to designing additional systems and/or adapting existing systems in order to guarantee that the associated safety objectives are verified. For other accidental situations, whose release is estimated as unacceptable, it is necessary to demonstrate that they are either excluded by design, or that their occurrence frequency allows them to be rejected into the residual risk (RR). These situations will not be analysed. This part of the approach meets the recommendation of the exclusion of any ‘‘cliff edge effect⁴’’ leading to an early release of non-admissible source terms. Any basic nuclear installation whose inventory is greater than the ‘unacceptable for the environment’ threshold shall answer the requirements evoked above.

² Considering the need to take into account the different reactor specificities (e.g. no core melting for the fusion facilities), we suggest the following definition: sequences with an estimated frequency beyond the design basis. In these accident conditions, the plant suffers damage and the potential exists for the release of significant radio-toxic source terms, unacceptable for the environment.

³ Design extension condition (DEC) is the terminology suggested in the European utility requirements (EUR) document [7].

⁴ This risk corresponds to the mobilisation of a potentially unacceptable source term — severe accident — with the simultaneous loss of the containment (releases much higher than those which are acceptable).


Fig. 1. Safety classes map in the risk domain.

Quantification of consequences in Fig. 1 is purely illustrative. Consequence categories called A, B, C, DEC and RR have been defined to delimit consequence ranges corresponding to the frequency categories discussed above. The choice of the consequence values (e.g. in mSv/a) of the different categories has normally to be purposely fixed, as targets or limits, for each specific nuclear installation.

In addition, in Fig. 1 a so-called Farmer curve is depicted; in fact the coloured region marked NC corresponds to the allowable risk domain.

2.2. Relationship between safety function classes and needed LODs as function of their reliability characteristics

Table 1 (column 3) shows the corresponding LODs needed to be obtained, according to the above definition of safety functions (see step 1). The direct relationship between safety function class and the corresponding set of LODs (taken as a whole) is really the ‘‘focal point’’ of the safety classification approach. This relationship is obtained by using the so-called LODs method. Two types of LODs may be distinguished — strong lines (a); and medium lines (b). They are characterised by a failure probability range of (10^-3–10^-4) and (10^-1–10^-2) per year (failure frequency) or per demand (unavailability), respectively.

2.3. Brief recall of the LODs method

The LODs method is based on the LOD notion, which may be expounded as follows: ‘‘LOD is an effective defence. This term is used for: (1) any inherent characteristic, equipment, system, etc. implemented into the safety related plant architecture; (2) any procedure foreseen coherently with the general rules for plant operation (e.g. human actions: preventive, protective, etc.), the objective of which is to accomplish a given safety function. The implemented LODs shall fulfill the missions requested to prevent abnormal situations or return the plant from the plausible plant condition⁵ (PPC) to a controlled safe condition and maintain it in a safe state. That is, these LODs, coherently with the defence-in-depth principle and depending on their role, shall permit the plant to meet the safety objectives — preventing, managing, or limiting the possible PPC consequences’’ [8].

⁵ A PPC is intended as the coupling of an initiating event (e.g. LOCA) with an initial plant state (e.g. normal operation; for fusion facilities, the plasma operation state).


Table 2. Ideal safety architecture — minimum needed LODs to be implemented to guarantee that all the potential sequences arising from the plausible plant condition (PPC) fall into the allowable risk domainᵃ,ᵇ

Frequency category of the sequence outcome | Consequence category of the sequence outcome | Frequency category of the PPC: I–II | III | IV | DEC
Catfreq-II | Catcons-A | b | – | – | –
Catfreq-III | Catcons-B | b | b | – | –
Catfreq-IV | Catcons-C | a | a | a | –
Catfreq-DEC | Catcons-DEC | b | b | b | b
Total LODs to be implemented to prevent severe accident | | 2a+b | 2a | a+b | b
Total LODs to practically exclude a given sequence (i.e. to reject the sequence into the residual risk) | | >2a+b | >2a | >a+b | >b

ᵃ The frequency categorisation corresponds to the PPC classification adopted in the ITER context.

ᵇ In terms of LODs counting, b+b=a, if the independence between the different LODs is effective.

design (i.e. the safety architecture), which is able to maintain or to return the plant to a safe condition, and this is obtained by verifying that the global risk is kept allowable, i.e. the cumulative risk and the outcome of all the sequences shall remain in the allowable risk domain (see Fig. 1). Fig. 1 shows the risk domain in relation to the INES scale levels [9]. The LODs method assumes that a satisfactory plant safety design should be based on the ideal safety architecture suggested in Table 2. Table 2 proposes a safety architecture based on the minimum needed LODs which have to be implemented to guarantee that all the potential sequences of the plant fall into the allowable risk domain.

The rationale that justifies the relationship between the safety function class and the corresponding LODs (i.e. the content of column 3 of Table 1) is founded on the scheme of the ideal safety architecture.

In this way, the safety classification approach allocates to each SCS which accomplishes a given safety function its own safety class. In addition, the approach consequently assigns to the SCS a minimum number of LODs (i.e. the LOD requirements).

2.4. Correlation between reliability and design specifications

The degree of reliability required for a safety system as being one LOD (b) or (a) is specified in terms of ‘reliability-related measures’ (i.e. simplicity, redundancy, diversity, etc.). Table 3 uses a gradation for the reliability-related measures qualitatively expressed by three levels: desirable/recommended/required. Note that Table 3, presented in this paper as a proposal, is the result of meticulous research taking into consideration the most internationally credited current documentation concerning nuclear safety. A detailed version of Table 3, including citation of all the specific remarks and references adopted [4–6,10,11], is presented in [2].

Table 3. Proposal for generic LOD requirements in design for reliability

Reliability-related measures | LOD (b) (reliability target 10^-1–10^-2) | LOD (a) (reliability target 10^-3–10^-4)
Simplicity | Desirable | Desirable/recommended
Diversity | Desirable | Recommended/required
Independence (functional isolation and physical separation or segregation) | Required | Required
Redundancy | Desirable/required | Required
Fail-safe/fault-tolerant | Required | Required
Single failure criterion (SFC) | Recommended/required | Required
Testability | Recommended | Required
In-service inspectability | Recommended/required | Required
Human corrective actions | Permitted | Not permitted

Table 4. Safety-related items versus design, construction, operation and decommissioning

Phases considered: design; construction; operation; decommissioning.

Safety-related items: performance; safety class; reliability value; quality assurance (QA); passive/active; independence (other systems); regulatory precedents (other technologies); environmental qualification; common cause failures (CCFs); seismic classification; codes and standards; monitoring and surveillance; in-service maintenance.

2.5. Safety-related items assessment

Table 4 lists some safety-relevant aspects concerning one or more of the design, construction, operation and decommissioning phases. These safety-relevant aspects have been selected by the judgement of the author as those that have to be considered to verify the appropriate and complete fulfilment of the specific system mission. Application to the system of the requirements related to these safety-related items must be by a specific system-related analysis (i.e. a case-by-case analysis).

3. Fusion Power Shutdown System

3.1. Description of the system

The FPSS of ITER-EDA has been assessed considering its description in [12]. The FPSS data important to safety classification are: the safety function accomplished, the postulated initiating events (PIEs) requiring its intervention and the implementing design features. The FPSS provides active fusion power termination to reduce the potential for plasma facing component damage and chemical reactions following ex-vacuum vessel loss of coolant accidents (LOCA), loss of flow accidents (LOFA) or loss of heat sink (LOHS). The off-normal events are indicated by signals from sensors in the primary heat transfer system (PHTS) and other plant subsystems to trigger the fusion power shutdown action in the gas fuelling system [12].

The FPSS design features are two identical independent fast shutdown systems designed to respond within 3 s after receiving a signal indicating an off-normal event.

Fig. 2 [12] shows the functional block diagram of the FPSS. Fig. 3 shows a detailed diagram in accordance with the technical description of the FPSS considering: redundant and non-redundant equipment, interfacing systems and functions of the implementing design features.

3.2. ITER safety importance classification of the FPSS

The ITER safety importance classification (SIC) scheme, described in [3], was adopted to classify the ITER-EDA FPSS. This scheme consists of four classes: SIC-1, SIC-2, SIC-3 and a non-safety class SIC-4, depending on the safety function classification and other specific rules. ITER assigns the FPSS to the safety class SIC-3 with the following rationale: ‘the FPSS function is to shut down the fusion power under certain conditions. If the FPSS fails during a LOCA, LOFA or LOHS, it could allow other safety barriers such as the vacuum vessel to be challenged, possibly allowing release of radioactive materials outside of this barrier. Therefore, the FPSS must be SIC-3. However, the FPSS is not SIC-2 because it is not a primary safety barrier to the release of radioactivity and failure of the FPSS by itself has no public safety significance’ [12].

Fig. 2. FPSS functional diagram.

3.3. ITER requirements for the FPSS in relation to its safety classification

The current appropriate ITER-FEAT document [1] concerning safety classification aspects (updated version of the ITER-EDA SIC document [3]) furnishes only generic guidance on the requirements linked to the SIC-2 and SIC-3 classes. More detailed information on SIC assignments, using the LOD approach, is in [13]. The generic guidance of [1] summarises the ‘implications’ (i.e. the corresponding technical requirements) which have to be imposed on the safety systems in accordance with the ITER-FEAT SIC.

4. Application of the safety classification approach to the FPSS

Application of the safety classification approach presented in Section 2 to a generic ITER system may be carried out following the diagram shown in Fig. 4. This application enables the analyst to verify the safety classification assigned by the ITER team for the 1998 design and, as a consequence, to provide further safety requirements for the system under study. Note that for ITER-FEAT, a very similar LOD-based approach has been used.

Anyway, some small differences still remain between the ITER-FEAT safety classification approach and the one proposed in this paper.

• The new approach adopts an updated definition of the LOD notion and this definition is strongly linked to the concept of safety function.

• Two (not multiple) possible diverse type (b) LODs can be considered equivalent to one type (a) LOD.

• Following exactly the enunciation of the classification rules of the ITER-FEAT SIC, the relationship between the SIC-2 and SIC-3 levels and the corresponding needed LOD ranges, (a)–(a+b) (not simply one LOD (a)) and (b)–(a) (not simply one LOD (b)), must be considered (see also Table 6). The rationale of this statement is given in Section 4.3.

Fig. 3. Detailed functional diagram with the FPSS implementing design features.

• The ITER-FEAT SIC scheme refers only to the confinement barrier quality, using the LODs method. This is because the ITER-FEAT SIC assumes the confinement of radioactive materials to be the fundamental safety function. Instead, the presented approach is of general applicability for any kind of safety function (i.e. applicability for different kinds of nuclear plants).

4.1. FPSS safety classification

In order to classify the safety function accomplished by the FPSS, it is necessary to investigate the different types of PIEs requiring FPSS intervention; they are: ex-vessel LOCA, LOFA or LOHS of the plasma facing components. Table 5 gives information regarding their occurrence frequency [14] for the 1998 ITER design (these are to be re-evaluated for ITER-FEAT). Classification of the FPSS safety function requires both the occurrence frequency and consequence severity of the involved PIEs.

Taking into account the wide range of frequencies associated with the PIEs requiring FPSS intervention (i.e. cat. II–IV frequencies), in a conservative way, the cat. II frequency is chosen for this application. Regarding the level of potential consequences in the event of FPSS failure, the terms of reference adopted is the rationale for the FPSS safety classification (see the cited sentence in Section 3.2). In any case, assignment of the FPSS to the SIC-3 class implies that FPSS failure, even if it may worsen the accident conditions and threaten or degrade SIC-2 systems (e.g. the vacuum vessel), would not cause significant consequences (even in combination with cat. II or IV events) [3]. ‘Significant consequences’ are releases exceeding the cat. IV limits.

Assuming that the possible radioactive material releases outside of the vacuum vessel may exceed the limits of cat. III, the safety function accomplished by the FPSS can be considered equivalent to a ‘‘function needed after cat. I–II events, whose failure leads to releases exceeding the limits of cat. III but lower than cat. IV’’⁶; then this safety function is classified into the safety class 3 (see Table 1, fifth column).

Consequently, because the FPSS (including the detection sensors and the fuelling system, FS) integrally realises the above safety function, it will be classified into the same class, i.e. the FPSS is safety class 3.

⁶ This statement should be confirmed by an effective dialogue with the ITER designers.

Fig. 4. Safety class review process and safety requirements determination for ITER systems.

4.2. LOD assignment to the FPSS

Taking into consideration the relationship between the safety classes and the required LODs presented in Table 1, since the FPSS belongs to safety class 3, it should be equivalent to LODs (b+b). As a consequence, the FPSS will have to comply with all the requirements associated with one LOD (a). This assignment will be correct only if the designers guarantee that the ITER plant, under such conditions, is able to effectively avoid releases exceeding cat. IV limits.

4.3. Verification of the ITER SIC-3 classificationfor the FPSS

In regard to both rationales of the ideal safety architecture (Table 2) and the classification rules of the ITER SIC (in particular, the rules concerning the ranking of safety functions), the relation between SIC classes and LODs presented in Table 6 can be suggested. This relation does not completely agree with that equivalently presented for ITER-FEAT. Differences are explained in the introduction of Section 4 at the third point. For SIC-3 SCSs, one LOD (b) is requested for cat. III events whose consequences exceed the cat. III limits, while for cat. I–II events whose consequences exceed the cat. III limits, two LODs (b) (or one equivalent LOD (a)) are requested. This latter case is the case of the FPSS. This system is classified SIC-3 (see Section 3.2) and its intervention will also be required after off-normal events of cat. II. Hence, the ITER safety classification of the FPSS as SIC-3 is confirmed by the LODs analysis. The LODs analysis leads to an exact identification for the LOD assignment (i.e. one LOD (a) for the FPSS) within the LODs range (b)–(a) resulting from the requirement of the ITER SIC-3 level.

Fig. 5, which has been drawn only for comparison with Fig. 1, shows graphically the ITER SIC gradation in the risk plane. When Fig. 5 is compared with Fig. 1, it evidently appears that the new safety classification approach is graded into smaller regions. This fact allows the adopted approach to achieve a univocal determination of LODs with respect to the ITER-SIC scheme, for which a range of LODs must be considered for some safety classes (see Table 6).

Table 5. Frequency categories of the PIEs in the 1998 ITER design requiring FPSS intervention

PIE description | PIE frequency category
Ex-vessel LOCAs | III, IV
LOFAs | II, III
LOHS | II

Table 6. Needs in terms of LODs for the ITER SIC scheme

Safety importance class | Needs in terms of LODs | Comments
SIC-1 | 2a | The safety function accomplished by SIC-1 SCSs must necessarily be achieved through the implementation of (2a) LODs
SIC-2 | (a)–(a+b) | One LOD (a) is sufficient for components whose intervention is required after cat. IV events. On the contrary, LODs (b+a) are requested for cat. III events
SIC-3 | (b)–(a) | LOD (b) or (b+b≈a) must be implemented. For cat. I–II events whose consequences exceed the cat. III limits one equivalent LOD (a) is requested
SIC-4 | – | –

4.4. LOD requirements in terms of reliability for the FPSS

In this section, the degree of reliability required for the FPSS as being one LOD (a) is specified in terms of ‘‘reliability-related measures’’ (see Section 2.4). One LOD (a) is characterised (by definition) by a reliability target of 10^-3–10^-4 per demand (unavailability value). The LOD requirements of Table 3 can be applied for the FPSS as being one LOD (a).

Table 7 shows the comparison between the LOD requirements related to diversity, redundancy and single failure criterion (SFC), as an example, and the FPSS. The FPSS is analysed considering its technical description (Section 3.1) and the SIC-3 safety implications (Section 3.3). An application of the LOD requirements presented in Table 3, considering all the reliability-related measures, has been performed in [15] and those results could be used as guidelines for the reliability requirements which should be satisfied by the FPSS.

4.5. Specific analysis of the FPSS safety features

An analysis of the FPSS safety features is carried out by means of the evaluation of the safety-related items listed in Table 4 (Section 2.5). Table 8 shows, as an example, the comparison between the safety requirements related to the system-related items performance, reliability value and independence, and the FPSS. An application of the safety requirements related to all the safety-re-

Page 11: Safety classification of the ITER fusion power shutdown system and resulting safety requirements

M.

Costa

/F

usionE

ngineeringand

Design

54(2001)

361–

374371

Table 7LODs reliability requirements versus the FPSS for diversity, redundancy and SFC

LOD (a) FPSS Resulting indicationsLODs(reliability (10−3–10−4)target)

SIC-3 implicationsRequirementReliability-related System descriptionmeasures

Since certain PIEs (e.g. LOFAs or LOHS)Diversity Two identical trains areRecommended/ Not consideredrequired requiring the FPSS intervention can be frequentimplemented

events (i.e. cat. II events) diversity might benecessary to guarantee the required reliability

Not consideredRequiredRedundancy Redundancy with two Evaluate the possibility to have three trains oridentical trains to introduce diversity elementsNot consideredRequired 1. The FPSS shall fulfill the SFCLess formal method than SIC-2. [Probably thisSingle failure

means that compliance with SFC is notcriterion(SFC) required]

2. Need for further details of the FPSSactuator, FPSS-FS relationship and effectiveredundancy for the complete extension of thewhole FPSS, i.e. from the detection sensors tillthe plasma chamber3. Possibility of undetected failures shall beexcluded4. Are the five independent gas puffing linesreally redundant and directly connected to theFPSS?5. Can the FPSS (including the FS) beconsidered an effective 2×l00% trainsredundant system?

Page 12: Safety classification of the ITER fusion power shutdown system and resulting safety requirements

M.

Costa

/F

usionE

ngineeringand

Design

54(2001)

361–

374372

Table 8Safety requirements versus the FPSS for performance, reliability value and independence

Resulting indicationsFPSSSafety-related Requirementitems

System description SIC-3 implications

Performance (time 3 s Not considered The 3 s as a time delay practicallyAvoid in-vessel LOCAs (afterachievable should be proven byLOFA or ex-vessel LOCAs) anddelay)

significant H2 production technical demonstrationThe timescale following a PIErelated to the need for the safetyfunction is a very relevantparameter for safety classification

3.0×l0−4 per yearReliability value Reliability targets may be part ofl0−3–10−4 per demand This value has been calculatedconsidering a completethe performance specification of

the safety related items. The redundancy of two trains till thefollowing are the guidelines on plasma (including the FS)the degree of proof that thesetargets can be met by the design.

This ITER implication is notLess formal methods (thanSIC-2) [i.e. FMEA, event trees or coherent with the level ofSFC are not necessary] reliability required for the FPSSUse of good industrial qualitycomponents may suffice as ajustification

Independence shall be ensuredEnsuredIndependence FPSS is independent from other Not consideredcontrol systems among all the safety systemsfrom other

systems involved during a same off-normalsequence.Investigate; FPSSlFS andFPSSlVV functional relations.The safety design of the FS shallintegrally consider the FPSS safetyfunction.Is it always possible for the FPSSto accomplish its safety functionwhen a FS failure occurs?

Page 13: Safety classification of the ITER fusion power shutdown system and resulting safety requirements

M. Costa / Fusion Engineering and Design 54 (2001) 361–374 373

lated items listed in Table 4, has been performedin [15]. This complete application could be used asa guideline for the safety requirements, whichshould be satisfied by the FPSS.

5. Results

The results obtained, specified in terms of reliability or detailed as general safety and design requirements, can be summarised as follows:

1. The FPSS is classified as safety class 3. The safety class SIC-3 assigned by the ITER team to the FPSS is substantially confirmed (the FPSS is equivalent to one very reliable LOD (a));

2. The available ITER requirements (implications) for the FPSS have been verified, integrated and specified, by furnishing further design and safety requirements (commensurate with its safety classification) concerning also additional safety aspects;

3. In particular, the FPSS reliability has been investigated in detail using the LOD notion, which has produced various suggestions for reliability improvement;

4. With regard to some safety aspects, it is not possible to give judgements due to the lack of information.

By comparison between the derived reliability and safety requirements and the FPSS design, many system-related highlights are obtained for the FPSS safety design. Some highlights, given as an example to demonstrate the potential of the safety classification approach, are listed below:

• Clarify the spatial distribution of the whole system. Need for further details of the FPSS actuator.

• Is it demonstrated that a FPSS failure is fail-safe?

• The FPSS shall fulfill the single failure criterion.

• In-service inspection and testing of the FPSS are required to ensure the required reliability.

• Evaluate the possibility to have three identical redundant trains (instead of only two) or to introduce diversity elements.

• The FPSS-fuelling system relationship and the effective redundancy for the complete extension of the whole FPSS (i.e. from the detection sensors till the plasma chamber) should be better investigated.

• The possibility of undetected failures shall be excluded.

Fig. 5. Safety classes map in the risk domain of the ITER-SIC scheme.

6. Conclusion

This paper synthetically describes a new safety classification approach based on the LOD method. This approach is very similar to that used in ITER-FEAT, but a complete adoption of the LODs method as a whole could be adequately integrated into, and improve, the ITER-FEAT scheme.

An application of this approach is performed for the ITER safety system — FPSS. Although the obtained requirements cannot represent mandatory indications for the FPSS, it is important to note that the safety classification approach furnishes system-related requirements even when a detailed design is not available.

In conclusion, this safety classification approach, by means of this application to the FPSS, demonstrates its good applicability to the ITER systems (also to the strictly fusion-specific systems such as the FPSS).

A future work of comparison between the safety and design requirements obtained and the FPSS design specifications of the ITER design description documents (DDD 4.6.D — FPSS and DDD 1.8.B — Gas Injection System) will be useful for further improvement in the FPSS design.

A systematic application of this approach for all the ITER safety systems could furnish a well balanced plant design, respecting the safety requirements, while achieving significant optimisation from a cost and operability point of view.

Acknowledgements

This work was funded by the European Commission (Fusion Programme) with contract no. ERB5004-CT97-5009 for the author as Grant Holder.

References

[1] J. Raeder, Private communication, March 8, 2000.

[2] M. Costa, G.L. Fiorini, Proposal for an innovative approach of safety classification, CEA Technical Note, Cadarache Centre, NT SERSI/LEFS 00/5012, June 2000.

[3] A.E. Poucet, Safety Importance Classification, ITER-EDA, SEHD 8.1-B, Version 1.2, April 1997.

[4] IAEA, Safety Assessment and Verification, Safety Standards Series, Draft Safety Guide, Working ID NS 253, IAEA, Vienna, October 1999.

[5] IAEA, The Safety of Nuclear Power Plants: Design, Safety Standards Series, Draft Requirements, Working ID NS 181, IAEA, Vienna, November 1999.

[6] IAEA, Application of the Single Failure Criterion, Safety Practices-Safety Series no. 50-P-1, IAEA, Vienna, September 1993.

[7] European Utility Requirements for LWR Nuclear Power Plants, EUR Organisation, Revision B, November 1995.

[8] M. Costa, G.L. Fiorini, The safety method of lines of defence and its advantageous application to fusion plants, Paper presented at the ISFNT-5, Rome, 19–24 September 1999, in press.

[9] IAEA and Nuclear Energy Agency of the OECD, INES: The International Nuclear Event Scale, User’s Manual, 1992 Edition, IAEA-INES-92/01, IAEA, Vienna, 1992.

[10] US-DOE, Safety of Magnetic Fusion Facilities: Guidance, DOE-STD-6003-95, September 6, 1995.

[11] J. Mustoe, Safety Design Guide: Safety Systems Conceptual Design and Reliability, Draft issue P01a, EFET NNC Ltd, EFET/SFS/N003/P01, September 1996.

[12] ITER Non-site Specific Safety Report (NSSR-2), ITER-EDA, Vol. II, December 1997.

[13] ITER-FEAT Plant Safety Requirements (PSR), G81 R1700-04-2000 W0.1, April 2000.

[14] ITER Non-site Specific Safety Report (NSSR-2), ITER-EDA, Vol. VII, December 1997.

[15] M. Costa, G.L. Fiorini, Safety requirements determination for the ITER Fusion Power Shutdown System in accordance with its safety classification, CEA Technical Note, Cadarache Centre, NT SERSI/LEFS 00/5013, June 2000.
