Technical Specifications (In-Cash Procurement) Plant Control Design Handbook for Nuclear control systems

Transcription

1 IDM UID 2YNEFU VERSION CREATED ON / VERSION / STATUS 29 Aug 2013 / 3.2 / Approved EXTERNAL REFERENCE Technical Specifications (In-Cash Procurement) Plant Control Design Handbook for Nuclear control systems This Plant Control Design Handbook Nuclear (PCDH-N) document defines standards for all ITER plant system instrumentation and control (I&C) Nuclear Plant Safety Systems (PSS-N). Approval Process Name Action Affiliation Author Petitpas P. 29-Aug-2013:signed IO/DG/DIP/CHD/CSD/PCI Co-Authors Reviewers Yonekawa I. 29-Aug-2013:recommended IO/DG/DIP/CHD/CSD/PCI Previous Versions Reviews Wallander A. Fernandez Robles C. (Fast Track) 26-Aug-2013:recommended v Aug-2013:recommended v3.1 IO/DG/DIP/CHD/CSD IO/DG/DIP/CHD/CSD/PCI Approver Thomas P. 14-Sep-2013:approved IO/DG/DIP/CHD Document Security: level 1 (IO unclassified) RO: Fourneron Jean-Marc Read Access LG: PA project team, LG: PA Schedulers, LG: KEPCO E&C, LG: Reviewers, LG: [CCS] CCS-All for Ext AM, LG: [CCS] CCS-Section Leaders, LG: [CCS] CCS-Doc Control, LG: [CCS] F4E, AD: ITER, AD: External Collaborators, AD: Division - Control System Division - EXT, AD: Section - CODAC - EXT, AD: Section - CO... PDF generated on 14-Sep-2013 DISCLAIMER : UNCONTROLLED WHEN PRINTED PLEASE CHECK THE STATUS OF THE DOCUMENT IN IDM

2 Title (Uid) Plant Control Design Handbook for Nuclear control systems (2YNEFU_v3_2) Plant Control Design Handbook for Nuclear control systems (2YNEFU_v3_1) Plant Control Design Handbook for Nuclear control systems (2YNEFU_v3_0) Plant Control Design Handbook for Nuclear control systems (2YNEFU_v2_1) Plant Control Design Handbook for Nuclear control systems (2YNEFU_v2_0) Plant Control Design Handbook for Nuclear control systems (2YNEFU_v1_1) Plant Control Design Handbook for Nuclear control systems (2YNEFU_v1_0) Plant Control Design Handbook for Nuclear control systems (2YNEFU_v0_0) Change Log Latest Status Issue Date Description of Change Versio n v3.2 Approved 29 Aug 2013 Page 11: cross reference to Report (RPrS) [1] corrected. v3.1 Approved 15 Jul Definition of the technology to be used to implement I&C functions for SIC-1 category A and SIC-2 category B. This technology is based on HIMA Planar 4 modules; - Definition of the qualification process and reference to the SCS-N Overall Qualification plan - minor typo corrected v3.0 Approved 30 Jan 2013 v2.1 Approved 11 Feb 2011 v2.0 Signed 05 Jan 2011 v1.1 Approved 01 Feb 2010 v1.0 Signed 16 Dec 2009 v0.0 In Work 10 Nov 2009 Document updated according to the evolution of the design of the SCS-N. Comments from PCDH review process taken into account. See PCDH v6 review report. Updated version taking into account the outcomes of the Central Safety System outcomes. This version reference the standards to take into account and complement them with ITER specific requirements. Version 1.1 First version PDF generated on 14-Sep-2013 DISCLAIMER : UNCONTROLLED WHEN PRINTED PLEASE CHECK THE STATUS OF THE DOCUMENT IN IDM

3 Table of Contents 1. Introduction Purpose Scope Acronyms Reference documents and standards Standards for the Safety I&C system Nuclear Safety I&C system design philosophy PSS-N Safety lifecycle Quality PSS-N Lifecycle...8 PSS-N Specifications Functional Specifications Safety requirements Requirements related to design Functional tests PSS-N Architecture SCS-N subsystems General architecture for SIC-1 and SIC-2 Cat. B systems General architecture for SIC-2 Cat C system General architecture for SR Cat C system Powering Cabling Sensor sharing Actuator sharing Safety I&C naming conventions PSS-N Hardware specifications Class 1 system: SIC-1 and SIC-2 Cat B Class 3 systems: SIC-2 Cat C and SR Cat C Cubicles Sensors Qualification Nuclear qualification Applicable standards PSS-N qualification...24 Application of PCDH to Nuclear safety systems...25 Page 1 of 26

4 1. Introduction 1.1 Purpose This Plant Control Design Handbook for Nuclear Safety (PCDH-N) defines standards for all ITER Plant Safety Systems for Nuclear Safety (PSS-N). These standards are essential in order to achieve an integrated and licensable system to provide ITER nuclear safety I&C functions. These standards are applicable to the development process and comprise deliverables and quality assurance requirements as well as catalogues of standard software and hardware components. PCDH-N must be followed by everyone involved in the development of ITER plant systems I&C which will perform nuclear safety I&C functions, i.e. plant system responsible officers (RO), plant system I&C designers and plant system I&C suppliers, regardless of their affiliation (i.e. ITER Organization (IO), Domestic Agency (DA), or industry). PCDH-N is a living document, which is released at regular intervals throughout the lifetime of ITER. Versions of standards and products are subject to updates and extensions as the ITER project progresses. Obsolescence management is of particular importance due to the long timeline for ITER construction and operation. 1.2 Scope The Nuclear Safety I&C functions of ITER are performed by the Safety Control System Nuclear (SCS-N). This system is composed of: The CSS-N: Central Safety System Nuclear The PSS-N: Plant Safety Systems Nuclear, which are parts of the different plant systems. PSS-N is the part of the Plant System I&C which implements nuclear safety I&C functions. A PSS-N interfaces the CSS-N. The CSS-N coordinates the individual protection provided by locally distributed safety systems in order to bring and keep ITER in a safe state and to prevent, detect or mitigate incidents or accidents. Sensors and actuators (including any signal conditioning device) are out of the scope of the PSS-N, although it is connected to them. The interface point with sensors and actuators is the terminal block inside the PSS-N cubicle. This document defines rules and guidelines to be followed by the PSS-N designers. Note: Occupational safety systems are covered by the PCDH. 1.3 ASN CSN-N CSS-N ICS PCDH-N Acronyms Autorité de Sureté Nucléaire (French nuclear safety authority) Central Safety Network for Nuclear Safety Central Safety System for Nuclear Safety Interlock Control System Plant Control Design Handbook for Nuclear Safety Page 2 of 26

5 PSS-N SCS-N SCS-OS SIC 1.4 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24] Plant Safety System for Nuclear Safety Safety Control System for Nuclear Safety Safety Control System for Occupational Safety Safety Importance Class Reference documents and standards Preliminary Safety Report (RPrS) (ITER_D_3ZR2NC) Overall requirements specification of Safety Control System Nuclear (ITER_D_3LU3NF) Safety Important Functions and Components Classification Criteria and Methodology (ITER_D_347SF3) IEC standard Nuclear power plants Instrumentation and control for systems important to safety General requirements for systems IEC Nuclear power plants Instrumentation and control systems important to safety Separation IEC Nuclear power plants - Instrumentation and control important to safety - Classification of instrumentation and control functions Order dated 7 February 2012 relating to the general technical regulations applicable to BNI (Arrêté du 7 février 2012 fixant les règles generals relatives aux installations nucléaires de base) (ITER_D_7GJHSE). English translation for guidance is available (ITER_D_7M2YKF) ITER Project Management and Quality Program ITER Quality Assurance Program ( ITER_D_22K4QX) Nuclear Safety Control System - Overall Quality Plan (ITER_D_48Y3CS) IEC 60780, Nuclear power plants Electrical equipment of the safety system Qualification IEC 60980, Recommended practices for seismic qualification of electrical equipment of the safety system for nuclear generating stations IO cabling rules (ITER_D_335VF9). Electrical Design Handbook Part 4: Electromagnetic compatibility (ITER_D_2ELREB) RCC-E (Design and construction rules for electrical components of nuclear islands) (2005) Quality Classification Determination (ITER_D_24VQES) Safety Functions, Systems, Signals Definition for I&C CSS Design (ITER_D_3R7ECW) IEC (all parts), Electromagnetic Compatibility Testing and measurement techniques IEC , Electromagnetic compatibility (EMC) Part 6-2: Generic standards Immunity for industrial environments IEC 60812, Technical Analysis for system reliability Procedure for failure mode and effects analysis (FMEA) IEC 62138, Nuclear power plants Instrumentation and control important for safety Software aspects for computer-based systems performing category B or C functions ITER Seismic Nuclear Safety Approach (ITER_D_2DRVPE) ITER catalogue for I&C products Slow controllers PLC (ITER_D_333J63) ITER catalogue for I&C products Hardwired controllers (ITER_D_JHQLDP) SCS-N Overall Qualification Plan (ITER_D_JHQU5M) Page 3 of 26

6 1.5 Standards for the Safety I&C system The design and manufacturing of a PSS-N will have to comply with the following standards: For all categories: o IEC 61226, Nuclear power plants Instrumentation and control systems important for safety Classification [6], o IEC 61513, Nuclear power plants Instrumentation and control for systems important to safety General requirements for systems [4], o IEC 60709, Nuclear Power Plants Instrumentation and Control systems important to safety Separation [5], except for some cabling rules which will be replaced by RCC-E rules [14], according to ITER document IO cabling rules [12], which defines the cabling separation rules to be applied, o IEC (all parts), Electromagnetic Compatibility Testing and measurement techniques [17], o IEC , Electromagnetic compatibility (EMC) Part 6-2: Generic standards Immunity for industrial environments [18]. For Category A: o IEC 60780, Nuclear power plants Electrical equipment of the safety system Qualification [10], o IEC 60812, Technical Analysis for system reliability Procedure for failure mode and effects analysis (FMEA) [19], o Seismic events: IEC 60980, Recommended practices for seismic qualification of electrical equipment of the safety system for nuclear generating stations [11], or RCC-E adapted to ITER project [14] (see section 5). For Category B: o IEC 60780, Nuclear power plants Electrical equipment of the safety system Qualification [10] or RCC-E [14] (see section 5.2), o Seismic events: IEC 60980, Recommended practices for seismic qualification of electrical equipment of the safety system for nuclear generating stations [11], or RCC-E adapted to ITER project [14] (see section 5.2). For Category C: o IEC 62138, Nuclear power plants Instrumentation and control important for safety Software aspects for computer-based systems performing category B or C functions [20]. o For category C systems for which specific environmental qualification is required (e.g. resistance to seismic conditions, or operation under specific environmental conditions), may be qualified to industrial standards according to IEC [4]. However, the use of IEC might be required under certain circumstances. Please refer to section 5.6 of IEC [4] for a detailed explanation. Page 4 of 26

7 2. Nuclear Safety I&C system design philosophy A plant system may have specific safety functions that are implemented locally in a Plant Safety System (PSS). The Central Safety System (CSS) coordinates the individual protections provided by the PSS, enables manual control by the operator and displays data for the operator. The Safety Control System for Nuclear Safety (SCS-N) is a hierarchical system. There are two types of safety functions: Local function Control-Room Operator Safety HMI Operator command CODAC/CIS Monitoring data CSS Operator command Monitoring data PSS-1 Sensor Actuator Safety event Safety action Signal critical in function activation Signal for monitoring only Figure 1: Local function A safety function is considered as local when the event detection (sensor) and the safety action (actuator) are performed within a single plant system. In this case, the function is executed locally and autonomously inside the plant safety system. Monitoring data (e.g. safety threshold reached, safety function activation, actuators states ) are sent to CSS to be displayed on safety displays and exported to CODAC. If required, a control-room operator command is sent to PSS via CSS (depending on the importance of the role of CSS in the function, the central function model described below, may be more suitable). Page 5 of 26

8 Central function Control-Room Operator Safety HMI Operator command CODAC/CIS Monitoring data CSS Safety event Monitoring data PSS-1 Safety action PSS-2 Sensor Actuator Safety event Safety action Signal critical in function activation Signal for monitoring only Figure 2: Central function A safety function is considered as central when the event detection (sensor) and the actions (actuator) are performed by different plant systems. In this case, the event (signal for safety threshold reached) is detected by one or several PSS (PSS-1 in the figure), it is then communicated to CSS, which commands one or several PSS (PSS-2 in the figure) to perform the required actions. Monitoring data (safety threshold reached, safety function activation, actuators states ) are shown to the control-room operator on a safety display and exported to CODAC. Manual operator commands are also possible via CSS. The following figures show examples of central functions: Page 6 of 26

9 Figure 3: Example of central function 1 Figure 4: Example of central function 2 Figure 5: Example of central function 3 Page 7 of 26

10 3. PSS-N Safety lifecycle 3.1 Quality The complete PSS-N lifecycle will have to comply with the requirements of: The Order dated 7 February 2012 relating to the general technical regulations applicable to basic nuclear installations (Arrêté du 7 février 2012 fixant les règles generals relatives aux installations nucléaires de base) [7], ITER Project Management and Quality Program ITER Quality Assurance Program [8], IEC standard Nuclear power plants Instrumentation and control for systems important to safety General requirements for systems [4], Nuclear Safety Control System - Overall Quality Plan [9]. In compliance with [4], IO has developed an overall quality plan for the SCS-N [9]. The entity in charge of the design of a PSS-N will have to establish a "Specific Quality Plan", which will be the application of this "Overall Quality Plan for the SCS-N" for the PSS-N and which will have to be compliant with the above mentioned reference documents and standards. 3.2 PSS-N Lifecycle The PSS-N lifecycle will be compliant with [4] and in particular, with its section 6, which is dedicated to individual I&C systems. Whenever possible, this individual PSS-N life-cycle will be compliant with the life-cycle model proposed in PCDH. 4. PSS-N Specifications 4.1 Functional Specifications Nuclear safety functions are defined as a group of specific actions that prevent or mitigate radiological hazards. These actions can therefore prevent or mitigate dose uptake by personnel on-site and by members of the public. There are two fundamental safety functions required for the ITER facility: Radioactive material confinement: ensuring the personnel, public and the environment are protected against releases of radioactive material. This function is achieved with confinement barriers and the associated confinement systems, Limitation of internal and external exposure to ionizing radiation. Nuclear Safety Control System (SCS-N) has to provide protection of personnel and the environment with respect to radiological risks by implementing the safety I&C functions. The SCS-N provides the means to bring ITER to a safe state and maintain it there or to mitigate the consequences of an incident or accident. Monitoring information will be provided by the PSS-N to the CSS-N to indicate the status of the plant, in all operational states and in accident and post-accident conditions to indicate whether the safety functions and requirements are met and maintained. Page 8 of 26

11 The status of the safety functions will be monitored and the real positions of the actuators will be compared with the expected values during all operational states. The functional specification of the nuclear safety I&C functions will be provided by IO in a top-down process. The scope of the CSS-N and the different PSS-N participating in the function will be clearly identified for each function. The technical specification and implementation of the scope of each plant system will be under the responsibility of the plant system responsible officer. 4.2 Safety requirements This section gathers safety requirements from different reference documents and standards. It may not be exhaustive and additional requirements from other reference documents may have to be taken into account Requirements related to design Safety classification Each PSS-N may be composed of different sub-systems with different nuclear safety levels. Each PSS-N subsystem must have a safety classification compliant with the Preliminary Safety Report (RPrS) [1] Vol I chap 10 classification: SIC-1, SIC-2, SR. Safety Importance Class (SIC) describes a classification scheme for structures, systems and components that perform a safety function and contribute to the general safety objectives at ITER during incident/accident situations. Those systems and components, with a Safety Importance Class assigned should receive adequate and appropriate attention during the design, manufacture, installation, commissioning and operational stages. The objective is to ensure and demonstrate that they will meet the minimum performance and reliability requirements throughout their intended lifecycle. Document [3] defines Safety Important Functions and Components Classification Criteria and Methodology (ITER_D_347SF3). IEC [6] defines safety categories for nuclear safety I&C functions (category A, B, C). IEC also defines 3 safety classes for I&C systems (Class 1, class 2, class 3). A "Non Safety" class (NS) can be added to this classification. Based on the safety analysis, all safety I&C subsystems will be assigned to a safety class, on a case by case basis. There are four different types, which are shown in Table 1 (the last one in the table is implemented by the conventional control, interlocks or occupational safety control systems, not by the nuclear safety control system): Page 9 of 26

12 Table 1 Relation of SIC levels and function category and system class Structure System Component (ITER) Function safety level IEC category System safety level IEC class SIC-1 A 1 SIC-2 B 1(1) SIC-2 C 3 SR C 3 SR Non Safety Conventional I&C (1) Uses same technology as class 1 system. Qualification requirements are those of SIC-2 cat. B ITER will not use computerized Class 2 systems due their cost and the difficulties in licensing. Section 4.3 describes the architectures of each subsystem Single Failure Criterion Single-failure criterion: an assembly of equipment satisfies the single-failure criterion if it is able to meet its purpose despite a single random failure assumed to occur anywhere in the assembly. Consequential failures resulting from the assumed single failure are considered to be an integral part of the single failure. Single failure criterion must be taken into account for the design of the SIC-1 and SIC-2 Safety I&C systems, by using adequate solutions from all of the following: redundancy, independence, physical separation, electrical isolation. The single failure criterion must be met at the system level for SIC-1 systems (for example, a SIC-1 system has to provide redundancy). This criterion can be fulfilled at the "functional level" for SIC-2 Cat B systems (it can be achieved by two different safety functions which contribute to the same objective). Compliance of SIC-2 Cat C systems with the single failure criterion is required on a case by case basis. The functional specifications of the nuclear I&C safety functions will specify whether compliance with the single failure criterion is required or not. For safety related (SR) Cat C systems, compliance with the single failure criterion is not required. Page 10 of 26

13 Failsafe principle Safety functions should be designed as failsafe. This means that the corresponding actuators must go to a predefined position (so-called failsafe position) in case of: deactivation of the control signals, loss of the power sources or loss of communication. Technical specifications for safety I&C functions must define the fail safe state of each function. It must be defined for all operating conditions, including normal, incident or accident situations. Generally the failsafe state corresponds to the triggering of the function but there are some exceptions. In the former case the command should be designed de-energize to trip whereas in the latter it should be energize to trip. Control logic shall be intrinsically failsafe. In the case of non-compliance with this requirement, a justification must be provided to substantiate the robustness of the function towards scenarios in which there is a loss of power Power supplies The power supply of SIC I&C systems is organized in two independent trains, backed up by diesel generators SIC-1 and SIC-2 PSS-N will be powered by two independent and non-interruptible electrical trains: SIC train-a and SIC train-b. These trains supply class II AC power (uninterruptible using batteries and diesel generator). Each I&C train must be powered by the corresponding electrical train (SIC train-a or SIC train-b). This requirement guarantees that the systems will be able to fulfil their mission even in the case of loss of external power. This requirement is not applicable for safety relevant (SR) I&C systems. The power supply for SCS-N SR will have at least at the same classification level as the conventional I&C part. There will be sufficient isolation between SCS-N SIC-1 and SCS-N SIC-2 powering on each train to avoid electrical issues due to SIC-2 powering interference with SIC-1 powering Environmental conditions The environmental conditions that the system is required to withstand must be specified in accordance with the constraints imposed from the plant context. Environmental conditions to be specified include: ambient conditions, including temperature, humidity, pressure, radiation and electromagnetic interference, at operating conditions. These are the defined as the influence quantities expected as a result of normal operating requirements, the expected Page 11 of 26

14 extremes in normal operating requirements and postulated conditions appropriate for the postulated initiating events of the plant; ambient conditions imposed by potential hazards external to the system; power supply and heat removal conditions. SIC-1 and SIC-2 systems must be qualified for their environmental conditions. To protect the safety I&C systems from EMI, including changing magnetic fields and plasma disruption, the principles defined in [13], which addresses the following topics, will be applied: Equipment emission requirements, Earthing policy, EM zoning, Protection of sensors and instrumentation cubicles, Cable classification and routing segregation. This document covers the requirements from the standards [17] and [18]. The document [12] defines the rules for separation between the cable trays supporting the various categories of electrical cables (to protect the sensitive cables from perturbing cables). The environmental qualification process is described in section Seismic requirements and classification The seismic conditions (i.e. seismic spectra) that the system will be subjected to will be specified. The seismic classification of systems and components implementing safety I&C functions will be specified in the functional specifications of the functions, according to the main requirements recommended by [2]. Seismic classification is defined in [21]; there are the following seismic classes: SC1 (SF), SC1 (S), SC2 and NSC. Seismic qualification is described in section Periodic tests Periodic testing is a way to demonstrate the ability of the systems to perform as required. The design must allow the performance of periodic tests during the available periods for testing. These will be defined in the PSS-N specification Separation rules and fire protection I&C systems important to safety in nuclear facilities need to tolerate the effects of plant/equipment faults as well as internal and external hazards. Various techniques are available to increase the level of tolerance of I&C systems to such effects, including the provision of independent systems, subsystems and equipment. For claims of independence between such systems and equipment to be made, adequate separation must be provided and maintained. Page 12 of 26

15 Separation rules between the different parts of the I&C system must, as far as possible, be compliant with [5] IEC Nuclear power plants Instrumentation and control systems important to safety Separation and [6] IEC Nuclear power plants Instrumentation and control important to safety - Classification of instrumentation and control functions. Specific rules to use in the ITER project are defined in [3] and [12]. Regarding fire, as defined in [3], specific requirements are associated with the SIC grade, such as: The SIC-1 (redundant) systems are located in two independent and separate fire sectors. Their electrical supply and I&C trains (A and B) are routed through independent and separate fire sectors. The SIC-1 cubicles are located in dedicated rooms (not containing SIC-2 or/and SR or/and non-sic cubicles). The SIC-1 cubicles are equipped with automatic fire detection and suppression systems. The redundant SIC-2 systems are located in two independent and separate fire sectors. The redundant SIC-2 cubicles, can be implemented together with the SR, and non-sic cubicles at dedicated and separate places in the same room. The minimum distance between SIC-2 cubicles and non-sic cubicles shall be at least 2 meters. This room (and not the cubicles themselves) is equipped with several automatic fire detection and suppression systems. Only one train (A or B) goes through fire sectors. Implementation of the non-redundant SIC-2 cubicles is possible in the same room as SR and non-sic cubicles if there are automatic fire detection and suppression systems in the room. In one room, all the SIC-1 cubicles must be on the same Train (A or B) for power supply and I&C cabling. In one room, all the SIC-2 cubicles must be on the same Train (A or B) for power supply and I&C cabling. As mentioned above, the rules to use in the ITER project imply: Physical separation in different fire sectors of the redundant parts of a SIC-1 function, Physical separation of a SIC-1 system from systems of lower level, in dedicated room Physical separation in different fire sectors of the redundant parts of a SIC-2 function, Physical separation of a SIC-2 system from systems of lower level, by a distance of at least 2m. Cohabitation in the same cubicles of SIC-2 Cat B and SIC-2 Cat C systems is authorized. Cohabitation in the same cubicles of SR Cat C and Non Safety I&C systems is authorized. Separation rules for cables are defined in [3] and [12]. These rules specify the constraints between: Two redundant trains of a safety system, SIC (SIC-1 and SIC-2) and non-sic (SR and non-safety) systems. Without detailing these rules here, the cabling of the two redundant parts of a SIC-1 function is performed using independent cable trays (train A and train B) to be routed through different fire sectors. To avoid common cause failure due to fire or environmental conditions such as temperature, humidity, radiation or electromagnetic interference (EMI), redundant Page 13 of 26

16 communication links within SIC I&C systems have to be routed through separate cable trays as explained in [12] Functional tests The Safety I&C subsystems will be tested in order to demonstrate that they meet the design requirements. The following tests will be performed: Integration and validation tests. Hardware qualification tests when required. Functional validation tests. These tests may require partial interconnection of a few systems and so may require dedicated test platforms. PSS-N will not be interfaced with the mini-codac. Plant systems suppliers must develop a specific test device that will interface with their PSS-N and allow the factory acceptance tests and site acceptance tests to be carried out. After installation on site, preliminary tests will be performed on the different parts of the safety I&C system to demonstrate its correct operation. Then the safety I&C system will be used for testing of the controlled process. 4.3 PSS-N Architecture SCS-N subsystems To meet the requirements of the nuclear safety I&C functions, the SCS-N is composed of several subsystems. Depending on the SIC level and function category, the four different possible types are: SIC-1, SIC-2 cat B, SIC-2 cat C, SR cat C. All these subsystems will be independent from each other. They will be physically separated according to the rules presented in section Appropriate electrical isolation will be implemented between systems of different safety levels according to IEC [5] and RCCE [14]. Each subsystem will be connected by means of a different network of the Central Safety Network Nuclear (CSN-N). The following figure presents a simplified architecture of the SCS-N. Page 14 of 26

17 Safety Operator Desks SIC-1 Hardwired SIC-2 Hardwired SIC-2 class 3 computerised SR class 3 computerised CSS-N CIS CSS-N SIC-1 Class 1 system CSS-N SIC-2 cat B Class 1 system CSS-N SIC-2 cat C Class 3 system CODAC CSS-N SR Cat C Class 3 system CSS-OS Sensors & actuators PSS-N CSN SIC- 1 SIC-1Cat A PSSx-N Control logic Signal conditioning CSN SR Cat C CSN SIC-2 cat C CSN SIC-2 cat B SIC-2 Cat B PSSx-N control logic SIC-2 Cat C PSSx-N control logic Signal conditioning SR Cat C PSSx-N control logic Signal conditioning Signal conditioning Sensors & Actuators Hardwired links Networks Links to CODAC, CIS, CSS-OS System monitoring Figure 6: SCS-N architecture (note: only one of the two operator safety desks is shown in the figure) Accordingly, a PSS-N may be composed of different subsystems, each one part to the corresponding SCS-N subsystem (e.g. a SIC-2 Cat. B PSS-N belongs to the SIC-2 Cat. B SCSN subsystem). In general, sensors and actuators of the SCS-N are interfaced to different PSS-N and not directly to the CSS General architecture for SIC-1 and SIC-2 Cat. B systems SIC-1 Cat A and SIC-2 Cat B systems, both class 1 systems, have the same architecture which is based on solid-state logic solvers Hima Planar 4. The SIC-1 and SIC-2 Cat B links between the logic solvers are hardwired (i.e. two wires are required per variable). Each logic solver has a module for acquiring the monitoring data. The interface between this module and the critical logic is designed to ensure that no failure propagation from the monitoring system to the critical safety function is possible. SIC-1 Cat A and SIC-2 Cat B systems must comply with the single failure criterion. Therefore they are implemented in two different autonomous trains. The Train A and Train B parts of the system are fully independent. The following figures show the architecture of a SIC-1 and SIC2 Cat B system (they are provided for information only and some details of the CSS-N part might be subject to modification): Page 15 of 26

18 Figure Figure7:6:Architecture ArchitectureofofSIC-1 SIC-1subsystem subsystem Page 16 of 26

19 Figure 7: Architecture of SIC-2 Cat. B subsystem In each room housing SIC-1 or SIC-2 PSS-N, there will be a CSS-N network cubicle to which the PSS-N will be connected. This is the interface between the PSS-N and the CSS-N. Since the trains are fully independent, each one has its own network cubicles. SIC-1 PSS-N, always located in SIC-1 rooms, will be connected to SIC-1 network cubicles whereas SIC-2 Cat B PSS-N will be connected to SIC-2 Cat B network cubicles. Then, Train A network cubicles are connected to the Back-up Server Room and Train B network cubicles are connected to the Main Server Room. Plant systems responsible officers are in charge of the cabling up to the CSS-N network cubicle. There are two types of connections: Hardwired connections for the SIC-1 or SIC-2 Cat B signals. Network cables for the monitoring, which is classed SIC-2 Cat. C General architecture for SIC-2 Cat C system SIC-2 Cat C systems, which are class 3 systems, have an architecture based on safety programmable logic controllers - Siemens S7-400 FH and F. These PLCs communicate with Page 17 of 26

20 each other by means of a communication network using the Ethernet protocol with a safety protocol such as Profisafe. Compliance of SIC-2 Cat C systems with the single failure criterion is required on a case by case basis. The functional specifications of the I&C nuclear safety functions will specify whether compliance with the single failure criterion is required or not. If so, the corresponding function will be implemented in two trains following the same separations rules as SIC-2 Cat B systems. The following figure shows the architecture of SIC-2 Cat C systems (it is provided for information only and some details of the CSS-N part might be subject to modification): Figure 8: Architecture of SIC-2 Cat. C subsystem, case of two trains Figure 8: Architecture of SIC-2 Cat. C subsystem, case of two trains There will be a CSS-N network cubicle to which the PSS-N will be connected in each room housing SIC-2 PSS-N. This is the interface between the PSS-N and the CSS-N. Since the trains are fully independent, each one has its own network cubicles. Train A network cubicles are connected to the Back-up Server Room and Train B network cubicles are connected to the Main Server Room. Page 18 of 26

21 Plant systems responsible officers are in charge of the fibre optic cabling up to the CSS-N network cubicle General architecture for SR Cat C system SR Cat C systems, which are class 3 systems, have an architecture based on safety programmable logic solvers - Siemens S7-400 FH and F. These PLCs communicate with each other by means of a communication network using the Ethernet protocol with a safety protocol such as Profisafe. For SR Cat C systems, compliance with the single failure criterion is not required. The following figure shows the architecture of SR Cat C systems (it is provided for information only and some details of the CSS-N part might be subject to modification): Figure 9: Architecture of SR Cat. C subsystem Figure 9: Architecture of SR Cat. C subsystem SR Cat C PSS-N will be connected to the nearest communication network panel. The communication network panels are installed at strategic locations close to the conventional plant system I&C cubicles. This is the interface between the PSS-N and the CSS-N for SR Cat C systems. Communication network panels are then connected to the nearest SR Cat C network cubicle, which is located in Page 19 of 26

22 a CODAC hutch. SR Cat C network cubicles are connected to both Main Server Room and Back-up Server Room. Plant systems responsible officers are in charge of the fibre optic cabling up to the communication network panel Powering PSS-N must follow the requirements defined in section Cabling PSS-N must follow the requirements defined in section and reference [12] Sensor sharing As far as is possible, each ITER I&C system has its own dedicated sensors. There are two kinds of situations: Sharing of sensors between the SCS-N and other systems such as SCS-OS, ICS or conventional control. Sharing of sensors between systems of different categories within the SCS-N (e.g. same sensor used for SIC-1 Cat A and SIC-2 Cat C). Sharing of sensors must be avoided. In the case that cannot be achieved, measures must be put in place to ensure that faults within systems of lower categories do not propagate to higher category systems. The requirements of standard IEC [5] are applicable Actuator sharing As is the case for sensors, each ITER I&C system should have its own dedicated actuators. This applies to two kinds of situations: Sharing of actuators between the SCS-N and other systems such as SCS-OS, ICS or conventional control. Sharing of actuators between systems of different categories within the SCS-N (e.g. same actuator used for SIC-1 Cat A and SIC-2 Cat C). In the case where two or more systems share the same actuator, measures must be put in place to ensure that the triggering of the actuator by a system is never prevented by any action of a system of lower category. In addition, it must be ensured that faults within systems of lower category do not propagate to higher category systems. The requirements of standard IEC [5] are applicable. 4.4 Safety I&C naming conventions The standard PCDH I&C naming conventions are applicable to nuclear safety I&C systems. Page 20 of 26

23 4.5 PSS-N Hardware specifications Class 1 system: SIC-1 and SIC-2 Cat B SIC-1 I&C systems and SIC-2 I&C systems implementing cat B functions will be implemented in class 1 systems using solid-state, hardwired safety I&C systems of the highest safety level, as described in the document [23] - ITER catalogue for I&C products Hardwired controllers (JHQLDP). IO will choose a technology for the logic solvers and develop and qualify systems complying with the nuclear safety requirements based on the solid-state controllers Hima Planar 4. They will be made available for the plant system responsible officers to implement their SIC-1 and SIC-2 Cat B PSS-N. Section 5 provides details about the qualification process Class 3 systems: SIC-2 Cat C and SR Cat C SIC-2 I&C systems implementing cat C functions and SR I&C systems implementing cat C functions will be implemented in class 3 systems using safety PLCs as defined in the PCDH satellite document [22] - ITER catalogue for I&C products - Slow controllers PLC (333J63). IO will develop and qualify systems complying with the nuclear safety requirements based on the safety programmable logic controllers - Siemens S7 400 FH and F. They will be made available for the plant system responsible officers to implement their SIC-2 Cat C and SR Cat C PSS-N. Section 5 provides details about the qualification process Cubicles PSS-N will be installed in floor standing cubicles. A standard for PSS-N cubicles, which will comply with the following requirements, will be defined by IO: The cubicles will be environmentally and seismically qualified according to the specified environmental conditions (see ) and seismic requirements and class (see ). The qualification process is described in section 5. The cubicles will have front and rear access and be fitted with key-locks. The cubicles will be fixed to the floor. There are 3 different cases: cubicles fixed to a concrete slab, a metallic frame (for mezzanine hosted cubicles) and to a structure below a false floor. The cubicles might be painted differently depending on the safety train. The cubicle power supply must comply with the requirements defined in section Cubicles will implement electrical protections (e.g. short-circuit protection). The cubicles will have cable entries on the top. For rooms with false floors, cable entries will be from the bottom. The cubicles will be at least IP55. The following cubicle parameters must be monitored: Page 21 of 26

24 o o o o Access to internals/door locks (front and rear) Internal temperature Power supply state Fire detection This information will be made available to the SCS-N SCADA. External lights will indicate the overall state of the cubicle. The SIC-1 cubicles must be fitted with fire extinguishing capabilities. The non-redundant SIC-2 cubicles must be fitted with fire extinguishing capabilities. The SCS-N cubicles must be fitted with fire detection sensors enabling the site fire detection system to be informed of a fire within a cubicle. Cubicles, cables and all components must be labelled Sensors Sensors and actuators are out of the scope of the PSS-N. However, some of the most important requirements with which they have to comply as part of the SCS-N are mentioned here. Sensors connected to SIC-1 and SIC-2 Cat B systems must supply binary signals, not analogue values. Smart sensors are not allowed since they use software, which would have to be qualified according to IEC and IEC Sensors connected to SIC-2 Cat C and SR Cat C systems can provide binary or analogue values. The main standards to be followed for sensors are: IEC 61513, Nuclear power plants Instrumentation and control for systems important to safety General requirements for systems [4]. IEC 61226, Nuclear power plants Instrumentation and control systems important for safety Classification [6]. IEC 60709, Nuclear Power Plants Instrumentation and Control systems important to safety Separation [5], except for some cabling rules which will be replaced by RCCE rules[14], according to ITER document IO cabling rules[12], which defines the cabling separation rules to be applied. For categories A and B: IEC60780, Nuclear power plants Electrical equipment of the safety system Qualification. Category C systems for which specific environmental qualification is required (e.g. resistance to seismic conditions, or operation under specific environmental conditions), may be qualified to industrial standards according to IEC [4]. However, the use of IEC might be required under certain circumstances. Please refer to section 5.6 of IEC [4] for a detailed explanation. For category A only: IEC 60812, Technical Analysis for system reliability Procedure for failure mode and effects analysis (FMEA) [19]. Page 22 of 26

25 5. Qualification 5.1 Nuclear qualification The whole SCS-N will be qualified. This process provides assurance that the system is capable of meeting, on a continuing basis, the design basis functional and performance requirements needed for the functions important to safety while subject to the specified environmental conditions and specified constraints. The qualification will be performed against international standards and has to be approved by the French nuclear safety authority, ASN. The qualification requirements differ depending on the safety class and category. The qualification can be divided into three main items: Product qualification. Environmental qualification, including seismic qualification. Application function qualification. Product qualification is related to the ability of the components composing the SCS-N (e.g. logic solver) to be part of the safety system and comply with the general safety requirements. The scope of this part is what section 5.6 of IEC [4] refers to as Product-related topics (equipment family) Generic (pre-) qualification. It relies mainly on: Third party certification, Verification of the compliance to nuclear standards, Product quality assurance inspection and Operating experience Environmental qualification refers to the evidence that the systems will perform as expected for all operating conditions. These are the defined as the quantities influencing the system that are expected as a result of normal operation, expected extremes in normal operating requirements and the conditions associated with the postulated initiating events of the plant. The need for environmental qualification depends on the system class and category. Qualification may be accomplished in several ways: Type testing, Operating experience or Analysis. These may be used individually or in any combination depending upon the particular situation. The normal and abnormal environmental conditions that the system is required to withstand must be specified in accordance with the constraints imposed from the plant context. The environmental conditions which have to be specified are provided in section and for the seismic requirements. Finally, the application function qualification ensures the compliance of the system with the specifications of the safety functions. This qualification relies mainly on extensive tests which are defined according to the safety classifications. Page 23 of 26

26 5.2 Applicable standards The main standards followed by the SCS-N are the IEC [4] and IEC [6]. They introduce the main requirements and the differences between system classes and categories. Concerning environmental qualification, the main standard to follow for categories A and B is the IEC [10]. Alternatively, these systems can also be qualified according to section B2000 of RCC-E [14]. Category C systems for which specific environmental qualification is required (e.g. resistance to seismic conditions, or operation under specific environmental conditions), may be qualified to industrial standards according to the IEC [4]. However, the use of the IEC might be required under certain circumstances. Please refer to section 5.6 of the IEC [4] for a detailed explanation. Seismic qualification should be achieved against either IEC [11] or section B4200 of RCC-E [14]. Finally, EMC qualification must be performed in accordance with the relevant requirements set in EDH part 4 [13], which is aligned with the IEC series [17]. 5.3 PSS-N qualification Plant system responsible officers are responsible for the qualification of their PSS-N, in respect with the requirements described in [24] SCS-N Overall Qualification Plan. PBS 48 (CSS) will design and qualify class 1 and class 3 systems for the SCS-N. In particular, this will cover the product qualification and the environmental qualification for all SCS-N and the application function qualification for just the CSS-N part. These systems which will be considered as the main or standard systems to be used for both CSS-N and PSS-N, will be made available to the plant system responsible officers to implement the PSS-N. This way, PSS-N will already have the product and environmental qualification. In order to make it possible for all plant systems to use the environmental qualification, this environmental qualification will be carried out for conditions enveloping the environmental conditions of all SIC rooms (except those inside the Tokamak building, due to its high magnetic field and radiation; for this reason, control logic should not be placed inside the Tokamak Building). If the environmental conditions of a PSS-N exceed those of this qualification (so-called standard environmental conditions), the corresponding plant system responsible officers must carry out the environmental qualification for these conditions. The plant system responsible officers will be responsible for performing the qualification of their part of the application function. If a plant system does not use the systems developed and qualified by CSS (PBS 48), they will have to carry out the product, environmental and application function qualification. Finally, plant systems must carry out all of the qualification concerning sensors and actuators. Summing up, PSS-N designers/suppliers must carry out: Page 24 of 26

27 Environmental qualification for the main (standard) systems used in PSS-N if their environmental conditions exceed those defined for the general environmental qualification performed by PBS 48 (standard conditions), Product and environmental qualification of specific products used by PSS-N (this includes non-standard PSS-N systems as well as sensors and actuators), The qualification part for plant system specific application functions, in all cases. As a general requirement, all SCS-N qualification plans will have to comply with [24] SCSN Overall Qualification Plan and all SCS-N qualification reports will be integrated in the Overall Qualification Report to be produced by IO. Each entity in charge of the design of a PSS-N will have to establish specific qualification plans as a result of the application of the [24] - SCS-N Overall Qualification Plan established by IO for the PSS-N. The following table presents an overview of the qualification process and responsibilities. Table 2 Qualification process 6. Application of PCDH to Nuclear safety systems As long as they are consistent with the requirements set in the previous sections, PCDH requirements and guidelines also apply to Nuclear Safety I&C systems. The following paragraph specifies which sections of PCDH are applicable to the SCS-N. It has to be noted that "Applicable" should be understood in the sense that most of the requirements of the PCDH of the corresponding section are applicable to the Nuclear Safety I&C systems; even if some are not in the list because of inconsistency with PCDH-N features (e.g. no fast controllers, no mini CODAC interface, no self-description data...). Page 25 of 26

28 PCDH section 1: Applicable PCDH section 2: Applicable PCDH section 3: PSS-N will be developed in compliance with the overall quality plan of the SCS-N [9] and specific quality plan for the PSS-N. These plans will first meet the requirements in [4], but will also be as far as possible compliant with section 3 of PCDH. PCDH section 4: o Section 4.1: Not applicable o Section 4.2: Not applicable o Section 4.3: Applicable o Section 4.4: Applicable except if stated as not applicable to PSS, or if not consistent with dedicated PCDH-N requirements above. Section concerning Self Description Data is not applicable. o Section 4.5 Applicable PCDH Section 5: not Applicable PCDH Section 6: not Applicable PCDH Section 7: not Applicable PCDH Section 8: not Applicable PCDH Section 9: not Applicable Page 26 of 26