- Email: [email protected]
Application of the safety method of the lines of defence for two ITER accidents
Fusion Engineering and Design 51 – 52 (2000) 515 – 526 www.elsevier.com/locate/fusengdes
Application of the safety method of the lines of defence for two ITER accidents M. Costa *, G.L. Fiorini Commissariat a` l’Energie Atomique, Direction des Re´acteurs Nucle´aires, De´partement d’Etudes des Re´acteurs, Centre de Cadarache, Baˆt. 212, 13108, St. Paul lez Durance, France
Abstract A top–down safety evaluation for the International Thermonuclear Experimental Reactor (ITER) design has been performed through the application of the lines of defence (LODs) method for two basic reference accidents (divertor LOFA and LOCA). The results achieved in terms of LODs allotments for the two initiating events suggest two safety architectures for the ITER plant that are very similar. The results show also that the LODs method has good capability in optimising, with respect to different factors, the assignation of the LODs to the safety functions involved. By studying the elementary safety functions resulting from the functional analysis, interesting results concerning the needed reliability and performances of the ITER system/components have been found. © 2000 Published by Elsevier Science B.V. Keywords: International Thermonuclear Experimental Reactor (ITER); Lines of defence method (LODs); Divertor LOFA and LOCA; Safety evaluation
1. Introduction As well as tokamak fusion, the machines are characterised by internal radioactive and toxic materials that could represent a potential hazard for staff operators, public and the environment and they are characterised by several inherently favourable safety features. As stressed by the safety fundamentals fixed by the International Atomic Energy Agency (IAEA) [1], the general safety objective of nuclear plants is ‘‘to establish * Corresponding author. Present address: CEN/Cadarache, SERSI/LEFS Baˆt. 212, 13108-St. Paul-lez-Durance Cedex, France. Tel. + 33-4-42254202; fax: + 33-4-423635. E-mail address: [email protected] (M. Costa).
and maintain (…) effective defences against radiological hazards’’. The same objective is then applicable also to fusion installations. To meet this objective the CEA/DRN (Commissariat a` l’Energie Atomique/Direction des Re´acteurs Nucle´aires) is currently developing a safety approach for the design and assessment of future nuclear installations [2]. In the framework of this task, the lines of defence (LODs) method, evaluating the safety of innovative nuclear (fission and fusion) installations, as well as waste disposals, is being updated and applied. This has been the case for the ITER–FDR project. The article presents the LODs method applied for the assessment of the loss of flow accident
0920-3796/00/$ - see front matter © 2000 Published by Elsevier Science B.V. PII: S 0 9 2 0 - 3 7 9 6 ( 0 0 ) 0 0 4 4 8 - 8
516
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
Table 1 Ideal safety architecture — minimum needed LODs to be implemented to guarantee that all the potential sequences, arising from the PPC, fall into the allowable risk domaina,b Consequence category of the sequence outcome
catcons-A catcons-B catcons-C catcons-DEC Total LODs to be implemented to prevent severe accident Total LODs to practically exclude a given sequence (i.e. to reject the sequence into the Residual Risk) a b
Frequency category of the sequence outcome catfreq-II catfreq-III catfreq-IV catfreq-DEC
Frequency category of the PPC I–II
III
IV
DEC
b b a b 2a+b
b a b 2a
a b a+b
b b
\2a+b
\2a
\a+b
\b
The frequency categorisation is corresponding to the PPC classification presented in [2]. In terms of LOD counting, b+b= a, if the independence between the different LODs is effective.
(LOFA) and loss of coolant accident (LOCA) occurring inside the ITER divertor cooling system. Starting from a functional analysis, the article discusses the LODs method applied for these two initiating events showing the needed LODs allotments. It then proposes a new approach based on a thorough study of the ITER safety functions, which determines the quality (in terms of reliability and performances) of the corresponding systems/components requested to realise those functions.
2. LODs method application to ITER LOFA and LOCA accidents
2.1. The LODs method The LODs method is based on the LOD notion, which was introduced by Tanguy et al. to assess severe accidents in fast breeder reactors [3]. Such a notion has been then integrated and developed until the current stage of maturity, in the frame of the classical logical scheme of risk analysis. The current updated definition of LOD is: ‘‘Line of defence (LOD) is an effecti7e defence. This term is used for: (1) any inherent characteristic, equipment, system, etc., implemented into the safety related plant architecture, (2) any procedure foreseen coherently with the General Rules for Plant Operation (e.g. human actions: preventive, protective, etc.); the objec-
tive of which is to accomplish a given safety function. The implemented LODs shall fulfil the missions requested to prevent abnormal situations or return the plant from the Plausible Plant Condition1 (PPC) to a controlled safe condition and maintain it in a safe state. That is these LODs, coherently with the defence-indepth principle and depending on their role, shall permit to the plant to meet the safety objectives: preventing, managing, or limiting the possible PPC consequences’’.
Two types of LODs may be distinguished: strong lines (a) and average lines (b). They are characterised by a failure probability range of (10 − 3 } 10 − 4) and (10 − 1 } 10 − 2) per year (failure frequency) or per demand (unavailability), respectively. The LODs method is devoted to the achievement (or the verification for existing installations) of a safety architecture organised with LODs [4]. The LODs method, given a postulated initiating event (PIE) in which certain safety functions of the plant are involved, leads the assignation of a given LOD (of type (a), (b) or a combination thereof) to each safety function. This LODs assignation is performed by respecting the ideal safety architecture, represented by the rationale shown
1
For PPC is intended a coupling of a postulated initiating event (e.g. LOFA) with an initial plant state (e.g. normal operation).
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
517
Fig. 1. Risk domain in relation to the INES scale levels.
in Table 1 and Fig. 12, which has been conceived taking into account all the safety indications and requirements coming from the European Safety Authorities and Utilities. The rationale of Table 1 is the following. Considering that a divertor LOFA is a PPC of frequency category III, for a sequence with associated potential consequences of cat.-C (i.e. a controlled release inside the cryostat, heat transfer system HTS or suppression pool SP vaults) the ideal safety architecture requires one LOD (b) as the minimum request to respect the safety criteria. In Table 1, at the (cat.-C) line-(cat. (PPC)-III) column crossing there is one LOD (a), whose success has permitted to partially manage the accident situation reducing the PPC consequences to meet the allowable range of frequency category IV. This rationale realises the fundamental safety concept (often required by the Safety Authority) that the safety plant design is satisfactory when all the necessary LODs have been implemented to ensure that the doses in case of an event sequence 2 Definitions of Design Extension Conditions (DEC), Severe Accident and Complex Sequences are given in [5].
of category II, II or IV do not exceed the dose limits for that category. After the LODs method has been applied to all the PIEs of a given plant and all the safety functions respect the above discussed ideal safety architecture it is guaranteed that all the accident sequences fall into the allowable risk domain. In this way, the final plant safety architecture will be defined. Fig. 1 shows the allowable risk domain in relation to the frequency and consequence categorisation of Table 1. After a complete application, the LODs method can furnish to the designers useful suggestions in order to increase or decrease the number and/or the reliability of the plant LODs, while assuring the achievement of the safety criteria. In
Fig. 2. Simplified process implementing the LODs design.
518
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
accordance with the LOD definition, the steps to correctly implement the LODs design can be simplified as drawn in Fig. 2. Fig. 2 can be explained as follows. Once defined as the preliminary plant design the main safety functions can be individualized. Then, also the systems that will accomplish the safety functions can be conceived and defined. These systems must be designed in such a way as to carry out the needed mission, i.e. satisfying the radiological targets of reference. Subsequently, the LODs method define all the needed LODs (as number and reliability) designed in accordance with the safety recommendations fixed by the Safety Authority and other technical safety objectives (e.g. cumulative frequency of exceeding the limiting release shall be lower than 10 − 6/reactor × year [5]) that must be met by any nuclear installations.
2.2. The accidents analysed Two ITER reference accidents [6] have been selected for the application: LOFA and LOCA in a divertor loop. The LOFA PPC consists in a loss of flow in a divertor coolant circuit because of pump seizure occurring during full power plant normal operation. The LOCA PPC, instead, consists in a rupture of a pipe of a divertor coolant circuit in the cryostat extension (heat transfer system HTS vault) also occurring during the same plant state normal operation. Under of the vacuum vessel (VV) a SP vault containing the SP of the VV is located. Both the HTS and SP vaults are equipped with rupture disks against internal overpressurisation.
2.3. LODs method application The LODs method is applied following four main phases summarised in the flow-chart shown in Fig. 3 [7]. The first phase is a functional analysis. For both the selected PPCs (LOFA and LOCA) the top function: limit second boundary (cryostat and its extensions) release has been studied to develop the relative functional analyses. By specifying in detail this top function a list of nested corresponding safety functions is produced. Within this list, some safety functions have
Fig. 3. General LODs method diagram (synthesis).
been selected as being fundamental functions to describe, using the functional event trees, the effective accident progression. These selected functions, called identified heading functions (IHFs) are nine for the LOFA and ten for the LOCA. By drawing the two functional event trees for LOFA [8] and LOCA [7] the second phase of Fig. 2 arises. In fact, the event trees contain the safety functions (i.e. the IHFs) involved during the accident progression and the whole of all the relative accident sequences. Then the LODs method determines, for each sequence of the event tree, the qualitative consequence categorisation and allotment of the minimum needed LODs in accordance with the scheme of Table 1. Then the LODs method, reducing its analysis only on that sequences strictly necessary by using a technique of grouping of sequences (the so-called «envelope sequence technique»), furnishes an allowable LODs range for each remaining sequence. This technique of envelope sequences’ identification leads simplifying event trees in terms of number of sequences that have to be analysed (reduction from 25 to 9 for LOFA and from 45 to 10 for LOCA). At this stage, by means of a cyclic process, a series of tentative LODs allotments (within the allowable range) is carried out to completely respect the ideal safety architecture for all the sequences. An example of tentative LODs allotment on the safety functions is presented in Table 2 for the LOFA. The first line of Table 2 lists the safety functions (i.e. the IHFs of the event tree) whose content is explained in Table 3. The second
× × × ×
2 b
×
3 a
× ×
4 b
×
5 a
× × ×
6 b
× ×
7 b
×
8 b
9 2a+b ×a
× placed here means that the safety function N.9 fails in the envelope sequence N.2
× × × × × × × ×
3 5 7 9 10 17 24 25
a
1 a
Safety function N.: Tentative LOD allotment: En6elope sequence N. : 2
Safety functions failed
\2a
Minimum needed LOD
a b a+b b 2a a+b 2a+b \2a a+b b 2a a+b 3a \2a 2a+b \2a Global result sufficient
2a+b
LOD counting
Table 2 Divertor LOFA: tentative LOD allotment for the involved safety functions — high homogeneity LODs distribution case
+b +a +b OK +a +b +b OK
OK
LOD verification
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526 519
9
2a+b
b
b b
a
2a+b
b
b b
a
b
0 0
2a+b
10
7
9
6
8
5
1 2 3 4
N.
a
b
b
a+b a b a
H.L.D.
Avoid VV thermal collapse
2a+b
2a+b
a
2a
a
b
b
a+b 2a+b 0 0
V.I.M.
LODs result
Provide HTS vault pressure control (due to 2a water/steam, etc.) Avoid H2 explosions in VV a
Maintain failed loop integrity inside VV Maintain unfailed loops integrity inside VV Provide VV tightness (PvvBPrd VV) Provide VV pressure control (due to water/steam, etc.) Provide SP vault tightness (PspBPrd SP vault) Provide HTS vault tightness (PhtsBPrd HTS) Provide SP vault pressure control
Identified heading functions
Divertor ex-vessel LOCA
H.L.D. = homogeneity of LODs distribution, V.I.M. =VV importance minimisation in terms of reliability, rd = rupture disk.
Avoid H2 production and mobilisation Limit H2 amount to have deflagration in VV and/or cryostat extensions Exclude H2 amount to have detonation in VV and/or cryostat extensions Avoid VV thermal collapse
6 7
8
Provide cryostat extension pressure control (due to water/steam, etc.)
5
a
b a
Provide VV tightness (PvvBPrd VV) Provide VV pressure control (due to water/steam, etc.) Provide cryostat extension tightness (PextBPrd cry. ext. vaults)
2 3 b
a
Provide integrity of all loops
1
4
H.L.D
Identified heading functions
N.
V.I.M
LODs result
Divertor LOFA
Table 3 LODs allotment comparison between the corresponding IHFs for divertor LOFA and divertor ex-vessel LOCAa
520 M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
line of Table 2 presents the tentative allotment of LODs for the nine safety functions). In the bottom part of Table 3 the nine envelope sequences (resulting from the original 25 sequences) are listed. For example, for the envelope sequence N.5 with potential consequence of cat.-C, one LOD (b) is requested at least. The tentative LODs allotment of Table 2 results in the LODs counting of (a + b) (i.e. LOD (a) for safety function N.1 plus LOD (b) for safety function N.6 that is sufficient because (a+b) \(b).
2.4. LODs results Normally, the LODs method offers different possible solutions to ‘solve’, in terms of LODs allotments, the safety concern for a given plant. In fact, the LODs method, at the end of its application, can optimise the result by balancing the number and the reliability of the LODs in accomplishing the safety functions (i.e. IHFs). This will lead to obtain the best safety related defence architecture from different points of view. For the results presented in this paper, the LODs allotments have been optimised with respect to two alternative criteria: (1) high homogeneity of LODs distribution with respect to the minimum LODs allotment3 and (2) minimisation of the safety related importance of the VV, e.g. in terms of reliability. Grouping coherently the corresponding IHFs, Table 3 shows the LODs results for the two accidents. The needed LODs resulting by the application to the two accidents suggest two safety architectures (i.e. two plant safety designs) that are very similar. The LODs result obtained by the LODs method application to each PPC constitutes a proposal for the plant of a safety architecture adequate to ‘contain’ such a type of accident. The definitive and complete safety architecture will be thus the enveloping of the results obtained assessing all the PPCs (phases 3 and 4 of Fig. 3). Few comments to the results can be useful.
521
2.4.1. Case 1: High homogeneity of LODs distribution respect to the minimum LODs allotment Achievement of a plant design with a high homogeneity in the LODs distribution would be an important result. This would permit designers to avoid to must assign a very high reliability to certain IHFs. In addition, it could be difficult to achieve and maintain a very high reliability, for some safety systems during the plant life . Sometimes the achievement of a good homogeneity in LODs distribution could also lead to a reduction in investment costs. The first comment concerns the reliability requested to pro6ide integrity of all loops (inside VV) (Table 3IHF N.1 ). The results indicate that for the LOFA accident one strong line (a) is sufficient. Therefore, the set of systems that accomplish the IHF: Pro6ide integrity of all loops, must be globally characterised by the reliability of one LOD type (a) in the event of divertor LOFA. On the contrary, to manage the LOCA accident one line (a+ b) is requested particularly for the loop already failed outside VV (i.e. to avoid an induced in-vessel LOCA and finally a by-pass configuration). This slight difference is due to the greater gravity of LOCA than the LOFA in terms of challenge of the plant containment structure and shows that diverse PPCs may request differentiated safety architectures. Besides, the function N.5 (cryostat extension pressure control) for the LOFA requests one line type (a), while the two corresponding functions for the LOCA (NN.6 and 9) demand LODs (a) and (2a), respectively. The motivation of the (2a) LOD, requested for the HTS vault, is linked to the fact that the HTS must be considered the last barrier for the top function selected. An uncontrolled failure of the HTS vault would lead to uncontrolled release to the environment.4 2.4.2. Case 2: Minimisation of the safety related importance of the VV (in terms of reliability) The VV containment barrier is realised by metallic structures forming a geometrical toroidal chamber characterised by several penetrations and
3
High homogeneity of the LODs means to achieve that all the LODs have quite the same quality or that they are not too different, while remaining within their allowable range.
4 The ITER building containment, in fact, is only designed to withstand a normal HTS depressurisation.
522
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
material discontinuities. Hence it is very difficult to associate a high reliability to such a component. In addition, no similar containment components exist in fission field to gain operating experience on its reliability. For these reasons it would be important to study the way to reduce, at the most extent possible, the reliability to allocate to the VV and to individualize which other safety systems could instead easily accept a reliability increase. As a theoretical exercise, the requested reliability for the VV related functions (NN.2 and 3 for LOFA and NN.3 and 4 for LOCA) has been reduced to zero (i.e. no safety related constraints). This limit case means that the VV integrity would not be considered in terms of reliability assessing the accident sequences. For both LOFA and LOCA accidents, the LODs redistribution to decrease the VV reliability leads to an increase in the requested reliability for the function: pro6ide integrity of all loops (inside VV). This result practically means higher reliability and performances for the systems/components implementing: detection, emergency plasma shutdown, and active decay heat removal (DHR).
3. Performance and reliability determination for the ITER systems/components Once the LODs allotment has been performed for all the IHFs, the LODs method can usefully help the definition of the safety system/components classification. The IHFs are constituted by clusters of safety sub-functions, some of which can be recognised as being elementary safety functions (ESFs). These functions are considered elementary because they can roughly correspond to (i.e. they are achieved by) the plant subsystems/main-components. Adopting the ESF notion it is possible to directly link the IHFs coming from the functional analysis, with the ITER safety functions. Tables 4 and 5 show, as an example, in columns 1, 2 and 6 the same result of Table 3 for the IHFs NN.1 and 7 for LOFA and IHFs NN.4 and 8 for LOCA. Tables 4 and 5, in addition, furnish: the ESFs constituting each IHF (column 3), the corresponding
ITER functions (column 4), and the relative ITER systems (column 5) practically accomplishing such safety functions. These results are obtained by the assessment of the ITER safety functions and sub-functions [9] (preventive, protective and mitigating actions), as well as by the necessary knowledge of the ITER machine. In such a way, the LODs method application results in a direct allotment for the ITER systems/ components quality (reliability and performances). For example, in Table 4 the set of ITER systems (column 5) that accomplish the IHF: pro6ide integrity of all loops, must be globally characterised by the reliability of one LOD type (a), i.e. (by definition) by an unavailability range of (10 − 3 } 10 − 4) per demand. Tables 4 and 5 take as a basis the option of high homogeneity of LODs distribution (see paragraph 2.4) only. These tables indicate both the requested performances (e.g. q\ q1)5 and reliability (e.g. 10 − 3 } 10 − 4). Such a result highlights, among others, the following technical consideration. Taking into account that an ITER divertor LOFA could quickly lead to an accident releasing coolant into the VV because of low design margins (the engineering judgement is a time of about 1 s [9]), it seems very difficult to imagine the existence of an emergency plasma shutdown system able to avoid an induced in-vessel LOCA within such a restricted timespan.
4. Conclusion and future work The LODs method, because of its possibility to maintain a generality (functional) level, appears to be particularly suitable for the studies concerning the safety-related design of nuclear fusion devices,
5 Performance indications are qualitative. In the functional analysis it has been assumed that q1 \q2 \q3 and t1 Bt2 B t3. For example, q B q1 for the DHR means that the specific system employed to accomplish that safety function must completely fulfil its given mission: i.e. to enable the transport of a heat amount greater than q1 (the exact value has to be defined by designers) to avoid a worsening in the accident conditions.
Identified heading functions
Provide integrity of all loops
Limit H2 amount to have deflagration in VV and/or cryostat extensions
N
1
7
Minimise transport across boundary, minimise/isolate leak, minimise leak duration Avoid hydrogen explosions and fires
Inertise cryostat extensions (tBt3)
Passive DHR (medium importance) Detection, Normal shutdown (t= several tens of seconds)
Limit (mobilisable) water inventory in VV (VBV1)
Plasma shutdown (tBt2)
DHR (q\q2)
Active DHR
DetectionEmergency shutdown (t =1 } 10 s)
Plasma shutdown (tBt1)
Avoid rupture by disruption
Active DHR
ITER protection/mitigation functions and sub-functions [9]
DHR (q\q1)
Elementary safety functions (with performances)
Table 4 Constituting ESFs and their performance indications for the LOFA IHFs NN.1 and 7
Integrity: FW, B, D, VV (structural components of VV). Flow: EP, CODACS (pumps, CODACS). Heat Sink: UHS (UHS subsystems) DIA, CODACS, DIA, AH, MG, T, PS (PC, PI, emergency safety injection) D (structure): tiles, targets of sacrificial materials Integrity: FW, B, D, VV (structural components of VV). Flow:: EP, CODACS (pumps, CODACS). Heat sink: UHS (UHS subsystems) VV (structure) by both radiation and conduction DIA, CODACS, DIA, MG, AH, T, CODACS (PC, CS, GP, PI, CODACS) Isolation valves, fast acting valves to limit released coolant below V1 volume value Inertisation atmosphere active and passive means (within the rooms jeopardised by H2 hazard)
ITER systems (subsystems/ main components) [9]
b/10−1 } 10−2
b/10−1 } 10−2
a/10−3 } 10−4
LOD result/ global equivalent reliability
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526 523
Identified heading functions
Provide VV pressure control (due to water/ steam, etc.)
Provide HTS vault tightness (PhtsBPrd HTS)
N
4
8
Provide internal heat sink condensation surfaces
water condensation in HTS vault (C\C1)
water cooling down by spray systems (DT1)
Minimise transport across boundary, minimise/isolate leak
Maintain cryostat (HTS vault) boundary, prevent overpressure
Detection, emergency shutdown (t=1 } 10 s)
Limit (mobilisable) water inventory in failed loop (VBV1)
Avoid rupture by disruption HTS vault tightness
Plasma shutdown (tBt1)
Active DHR
DHR (q\q1)
Passive DHR (low importance)
Maintain VV boundary, maintain loads below design loads, provide venting
ITER protection/mitigation functions and sub-functions [9]
VV controlled venting (Pvv\Prd VV, no peaks over VV design load), no VV structural damage
Elementary safety functions (with performances)
Table 5 Constituting ESFs and their performance indications for the LOCA IHFs NN.4 and 8
VV (structure), junctions, penetrations, extensions, plugs, etc., and the needed related guaranteeing procedures. VV (correct opening rupture disk), vacuum pumps, conducts versus suppression tank Integrity: FW, B, D, VV (structural components of VV). Flow: EP, CODACS (pumps, CODACS). Heat sink: UHS (UHS subsystems) VV (structure) by both radiation and conduction DIA, CODACS, DIA, AH, MG, T, PS (PC, PI, emergency safety injection) D (structure) HTS vault (structure), junctions, penetrations, extensions, rupture disk, etc., and the needed related guaranteeing procedures. Maintenance and repair Isolation valves, fast acting valves to limit released coolant below V1 volume value Water-steam condensation devices able to guarantee a condensation capability of C1 (e.g. in weight expressed) Water cooling down spray systems able to have DT1 decrease in water temperature
ITER systems (subsystems/main components) [9]
b/10−1 } 10−2
b/10−1 } 10−2
b/10−1 } 10−2
a/10−3 } 10−4
LOD result/global equivalent reliability
524 M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
where often the plant is not yet designed in detail. For example, the analysis shows that a reduction of the reliability that has to be requested for the VV is only possible if an adequate level of performances and reliability can be implemented for detection, emergency plasma shutdown and active DHR. The paper shows the applicability of the LODs method to fusion plants highlighting its capability to produce the requested reliability and performances of the ITER systems/components when they are conceived as LODs. These advantages make the LODs method particularly addressed toward licensing procedures. It would be useful to apply the LODs method to all other ITER initiating events to reach a global safety evaluation related to all the safety related plant systems. The designer should be able to organise the safety related architecture in order to answer both requests, ensuring, in parallel, an adequate safety system/components classification.
5.2. Paper text
ITER ITER-FDR
Pvv Psp Phts Prd-VV Pext q1 t1 V1 C1
5. Nomenclature DT1
5.1. ITER Systems
AH B CODACS CS CV D DIA EP FW GP MG PC PI PS SP T UHS
additional heating blanket Control and Data Acquisition System central solenoid cryostat vessel divertor diagnostic (relevant to plasma chamber) electrical power supply first wall gas puffing magnet poloidal coils pellet injectors plasma shutdown suppression pool fuel cycle (tritium) ultimate heat sink
525
International Thermonuclear Experimental Reactor International Thermonuclear Experimental Reactor–Final Design Report pressure inside the vacuum vessel pressure inside the suppression pool pressure inside the heat transfer system pressure of the rupture disk of the vacuum vessel pressure inside the cryostat extension generic value of heat generic value of time generic value of coolant volume generic value of condensation capability generic value of water temperature difference
Acknowledgements This work was supported by the European Commission, Fusion Programme, under contract 5004-CT97-5009 (DG 12-MRGS) for the Grant Holder Dr M. Costa. References [1] The Safety of Nuclear Installations, Safety Fundamentals, Safety Series No. 110. IAEA, Vienna, 1993. [2] G.L. Fiorini, P. Lo Pinto, M. Costa, The current CEA/ DRN safety approach for the design and the assessment of future nuclear installations, Proceedings of the 7th International Conference on Nuclear Engineering (ICONE 99), Paper No. 7208-6, Japan, 1999. [3] F. Justin, J. Petit, P.F. Tanguy, Safety assessment for severe accidents in fast breeder reactors, Nuclear Safety 27 (3) (1986) 332 – 342.
526
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
[4] G.L. Fiorini, M. Costa, The lines of defence methodology for the design and assessment of nuclear installations, CEA Report, Cadarache Centre, SERSI/ECP 99/3001, 1999. [5] European utility requirements for LWR nuclear power plants. EUR Organisation, Revision B, 1995. [6] ITER non-site specific safety report (NSSR-2), Vol. VII. Analysis of reference events, version 1 October, 1997. [7] M. Costa, G.L. Fiorini, Lines of defence method application for the plant safety related design — fusion plant
.
divertor LOCA examination, CEA Report. Cadarache Centre, SERSI/ECP 99/3004-LEFS 99/5003, 1999. [8] M. Costa, G.L. Fiorini, Lines of defence method application to an ITER divertor LOFA accident, CEA Report. Cadarache Centre, SERSI/LEFS 99/5018, 1999. [9] R. Caporali, S. Ciattaglia, G. Cambi, T. Pinna, ITER plant functional breakdown, FFMEA, IE identification, qualitative ET and preliminary list of accident sequences, ENEA Report. Frascati Centre, FUS TECN S&E TR 9/94, 1994.
.
Application of the safety method of the lines of defence for two ITER accidents M. Costa *, G.L. Fiorini Commissariat a` l’Energie Atomique, Direction des Re´acteurs Nucle´aires, De´partement d’Etudes des Re´acteurs, Centre de Cadarache, Baˆt. 212, 13108, St. Paul lez Durance, France
Abstract A top–down safety evaluation for the International Thermonuclear Experimental Reactor (ITER) design has been performed through the application of the lines of defence (LODs) method for two basic reference accidents (divertor LOFA and LOCA). The results achieved in terms of LODs allotments for the two initiating events suggest two safety architectures for the ITER plant that are very similar. The results show also that the LODs method has good capability in optimising, with respect to different factors, the assignation of the LODs to the safety functions involved. By studying the elementary safety functions resulting from the functional analysis, interesting results concerning the needed reliability and performances of the ITER system/components have been found. © 2000 Published by Elsevier Science B.V. Keywords: International Thermonuclear Experimental Reactor (ITER); Lines of defence method (LODs); Divertor LOFA and LOCA; Safety evaluation
1. Introduction As well as tokamak fusion, the machines are characterised by internal radioactive and toxic materials that could represent a potential hazard for staff operators, public and the environment and they are characterised by several inherently favourable safety features. As stressed by the safety fundamentals fixed by the International Atomic Energy Agency (IAEA) [1], the general safety objective of nuclear plants is ‘‘to establish * Corresponding author. Present address: CEN/Cadarache, SERSI/LEFS Baˆt. 212, 13108-St. Paul-lez-Durance Cedex, France. Tel. + 33-4-42254202; fax: + 33-4-423635. E-mail address: [email protected] (M. Costa).
and maintain (…) effective defences against radiological hazards’’. The same objective is then applicable also to fusion installations. To meet this objective the CEA/DRN (Commissariat a` l’Energie Atomique/Direction des Re´acteurs Nucle´aires) is currently developing a safety approach for the design and assessment of future nuclear installations [2]. In the framework of this task, the lines of defence (LODs) method, evaluating the safety of innovative nuclear (fission and fusion) installations, as well as waste disposals, is being updated and applied. This has been the case for the ITER–FDR project. The article presents the LODs method applied for the assessment of the loss of flow accident
0920-3796/00/$ - see front matter © 2000 Published by Elsevier Science B.V. PII: S 0 9 2 0 - 3 7 9 6 ( 0 0 ) 0 0 4 4 8 - 8
516
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
Table 1 Ideal safety architecture — minimum needed LODs to be implemented to guarantee that all the potential sequences, arising from the PPC, fall into the allowable risk domaina,b Consequence category of the sequence outcome
catcons-A catcons-B catcons-C catcons-DEC Total LODs to be implemented to prevent severe accident Total LODs to practically exclude a given sequence (i.e. to reject the sequence into the Residual Risk) a b
Frequency category of the sequence outcome catfreq-II catfreq-III catfreq-IV catfreq-DEC
Frequency category of the PPC I–II
III
IV
DEC
b b a b 2a+b
b a b 2a
a b a+b
b b
\2a+b
\2a
\a+b
\b
The frequency categorisation is corresponding to the PPC classification presented in [2]. In terms of LOD counting, b+b= a, if the independence between the different LODs is effective.
(LOFA) and loss of coolant accident (LOCA) occurring inside the ITER divertor cooling system. Starting from a functional analysis, the article discusses the LODs method applied for these two initiating events showing the needed LODs allotments. It then proposes a new approach based on a thorough study of the ITER safety functions, which determines the quality (in terms of reliability and performances) of the corresponding systems/components requested to realise those functions.
2. LODs method application to ITER LOFA and LOCA accidents
2.1. The LODs method The LODs method is based on the LOD notion, which was introduced by Tanguy et al. to assess severe accidents in fast breeder reactors [3]. Such a notion has been then integrated and developed until the current stage of maturity, in the frame of the classical logical scheme of risk analysis. The current updated definition of LOD is: ‘‘Line of defence (LOD) is an effecti7e defence. This term is used for: (1) any inherent characteristic, equipment, system, etc., implemented into the safety related plant architecture, (2) any procedure foreseen coherently with the General Rules for Plant Operation (e.g. human actions: preventive, protective, etc.); the objec-
tive of which is to accomplish a given safety function. The implemented LODs shall fulfil the missions requested to prevent abnormal situations or return the plant from the Plausible Plant Condition1 (PPC) to a controlled safe condition and maintain it in a safe state. That is these LODs, coherently with the defence-indepth principle and depending on their role, shall permit to the plant to meet the safety objectives: preventing, managing, or limiting the possible PPC consequences’’.
Two types of LODs may be distinguished: strong lines (a) and average lines (b). They are characterised by a failure probability range of (10 − 3 } 10 − 4) and (10 − 1 } 10 − 2) per year (failure frequency) or per demand (unavailability), respectively. The LODs method is devoted to the achievement (or the verification for existing installations) of a safety architecture organised with LODs [4]. The LODs method, given a postulated initiating event (PIE) in which certain safety functions of the plant are involved, leads the assignation of a given LOD (of type (a), (b) or a combination thereof) to each safety function. This LODs assignation is performed by respecting the ideal safety architecture, represented by the rationale shown
1
For PPC is intended a coupling of a postulated initiating event (e.g. LOFA) with an initial plant state (e.g. normal operation).
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
517
Fig. 1. Risk domain in relation to the INES scale levels.
in Table 1 and Fig. 12, which has been conceived taking into account all the safety indications and requirements coming from the European Safety Authorities and Utilities. The rationale of Table 1 is the following. Considering that a divertor LOFA is a PPC of frequency category III, for a sequence with associated potential consequences of cat.-C (i.e. a controlled release inside the cryostat, heat transfer system HTS or suppression pool SP vaults) the ideal safety architecture requires one LOD (b) as the minimum request to respect the safety criteria. In Table 1, at the (cat.-C) line-(cat. (PPC)-III) column crossing there is one LOD (a), whose success has permitted to partially manage the accident situation reducing the PPC consequences to meet the allowable range of frequency category IV. This rationale realises the fundamental safety concept (often required by the Safety Authority) that the safety plant design is satisfactory when all the necessary LODs have been implemented to ensure that the doses in case of an event sequence 2 Definitions of Design Extension Conditions (DEC), Severe Accident and Complex Sequences are given in [5].
of category II, II or IV do not exceed the dose limits for that category. After the LODs method has been applied to all the PIEs of a given plant and all the safety functions respect the above discussed ideal safety architecture it is guaranteed that all the accident sequences fall into the allowable risk domain. In this way, the final plant safety architecture will be defined. Fig. 1 shows the allowable risk domain in relation to the frequency and consequence categorisation of Table 1. After a complete application, the LODs method can furnish to the designers useful suggestions in order to increase or decrease the number and/or the reliability of the plant LODs, while assuring the achievement of the safety criteria. In
Fig. 2. Simplified process implementing the LODs design.
518
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
accordance with the LOD definition, the steps to correctly implement the LODs design can be simplified as drawn in Fig. 2. Fig. 2 can be explained as follows. Once defined as the preliminary plant design the main safety functions can be individualized. Then, also the systems that will accomplish the safety functions can be conceived and defined. These systems must be designed in such a way as to carry out the needed mission, i.e. satisfying the radiological targets of reference. Subsequently, the LODs method define all the needed LODs (as number and reliability) designed in accordance with the safety recommendations fixed by the Safety Authority and other technical safety objectives (e.g. cumulative frequency of exceeding the limiting release shall be lower than 10 − 6/reactor × year [5]) that must be met by any nuclear installations.
2.2. The accidents analysed Two ITER reference accidents [6] have been selected for the application: LOFA and LOCA in a divertor loop. The LOFA PPC consists in a loss of flow in a divertor coolant circuit because of pump seizure occurring during full power plant normal operation. The LOCA PPC, instead, consists in a rupture of a pipe of a divertor coolant circuit in the cryostat extension (heat transfer system HTS vault) also occurring during the same plant state normal operation. Under of the vacuum vessel (VV) a SP vault containing the SP of the VV is located. Both the HTS and SP vaults are equipped with rupture disks against internal overpressurisation.
2.3. LODs method application The LODs method is applied following four main phases summarised in the flow-chart shown in Fig. 3 [7]. The first phase is a functional analysis. For both the selected PPCs (LOFA and LOCA) the top function: limit second boundary (cryostat and its extensions) release has been studied to develop the relative functional analyses. By specifying in detail this top function a list of nested corresponding safety functions is produced. Within this list, some safety functions have
Fig. 3. General LODs method diagram (synthesis).
been selected as being fundamental functions to describe, using the functional event trees, the effective accident progression. These selected functions, called identified heading functions (IHFs) are nine for the LOFA and ten for the LOCA. By drawing the two functional event trees for LOFA [8] and LOCA [7] the second phase of Fig. 2 arises. In fact, the event trees contain the safety functions (i.e. the IHFs) involved during the accident progression and the whole of all the relative accident sequences. Then the LODs method determines, for each sequence of the event tree, the qualitative consequence categorisation and allotment of the minimum needed LODs in accordance with the scheme of Table 1. Then the LODs method, reducing its analysis only on that sequences strictly necessary by using a technique of grouping of sequences (the so-called «envelope sequence technique»), furnishes an allowable LODs range for each remaining sequence. This technique of envelope sequences’ identification leads simplifying event trees in terms of number of sequences that have to be analysed (reduction from 25 to 9 for LOFA and from 45 to 10 for LOCA). At this stage, by means of a cyclic process, a series of tentative LODs allotments (within the allowable range) is carried out to completely respect the ideal safety architecture for all the sequences. An example of tentative LODs allotment on the safety functions is presented in Table 2 for the LOFA. The first line of Table 2 lists the safety functions (i.e. the IHFs of the event tree) whose content is explained in Table 3. The second
× × × ×
2 b
×
3 a
× ×
4 b
×
5 a
× × ×
6 b
× ×
7 b
×
8 b
9 2a+b ×a
× placed here means that the safety function N.9 fails in the envelope sequence N.2
× × × × × × × ×
3 5 7 9 10 17 24 25
a
1 a
Safety function N.: Tentative LOD allotment: En6elope sequence N. : 2
Safety functions failed
\2a
Minimum needed LOD
a b a+b b 2a a+b 2a+b \2a a+b b 2a a+b 3a \2a 2a+b \2a Global result sufficient
2a+b
LOD counting
Table 2 Divertor LOFA: tentative LOD allotment for the involved safety functions — high homogeneity LODs distribution case
+b +a +b OK +a +b +b OK
OK
LOD verification
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526 519
9
2a+b
b
b b
a
2a+b
b
b b
a
b
0 0
2a+b
10
7
9
6
8
5
1 2 3 4
N.
a
b
b
a+b a b a
H.L.D.
Avoid VV thermal collapse
2a+b
2a+b
a
2a
a
b
b
a+b 2a+b 0 0
V.I.M.
LODs result
Provide HTS vault pressure control (due to 2a water/steam, etc.) Avoid H2 explosions in VV a
Maintain failed loop integrity inside VV Maintain unfailed loops integrity inside VV Provide VV tightness (PvvBPrd VV) Provide VV pressure control (due to water/steam, etc.) Provide SP vault tightness (PspBPrd SP vault) Provide HTS vault tightness (PhtsBPrd HTS) Provide SP vault pressure control
Identified heading functions
Divertor ex-vessel LOCA
H.L.D. = homogeneity of LODs distribution, V.I.M. =VV importance minimisation in terms of reliability, rd = rupture disk.
Avoid H2 production and mobilisation Limit H2 amount to have deflagration in VV and/or cryostat extensions Exclude H2 amount to have detonation in VV and/or cryostat extensions Avoid VV thermal collapse
6 7
8
Provide cryostat extension pressure control (due to water/steam, etc.)
5
a
b a
Provide VV tightness (PvvBPrd VV) Provide VV pressure control (due to water/steam, etc.) Provide cryostat extension tightness (PextBPrd cry. ext. vaults)
2 3 b
a
Provide integrity of all loops
1
4
H.L.D
Identified heading functions
N.
V.I.M
LODs result
Divertor LOFA
Table 3 LODs allotment comparison between the corresponding IHFs for divertor LOFA and divertor ex-vessel LOCAa
520 M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
line of Table 2 presents the tentative allotment of LODs for the nine safety functions). In the bottom part of Table 3 the nine envelope sequences (resulting from the original 25 sequences) are listed. For example, for the envelope sequence N.5 with potential consequence of cat.-C, one LOD (b) is requested at least. The tentative LODs allotment of Table 2 results in the LODs counting of (a + b) (i.e. LOD (a) for safety function N.1 plus LOD (b) for safety function N.6 that is sufficient because (a+b) \(b).
2.4. LODs results Normally, the LODs method offers different possible solutions to ‘solve’, in terms of LODs allotments, the safety concern for a given plant. In fact, the LODs method, at the end of its application, can optimise the result by balancing the number and the reliability of the LODs in accomplishing the safety functions (i.e. IHFs). This will lead to obtain the best safety related defence architecture from different points of view. For the results presented in this paper, the LODs allotments have been optimised with respect to two alternative criteria: (1) high homogeneity of LODs distribution with respect to the minimum LODs allotment3 and (2) minimisation of the safety related importance of the VV, e.g. in terms of reliability. Grouping coherently the corresponding IHFs, Table 3 shows the LODs results for the two accidents. The needed LODs resulting by the application to the two accidents suggest two safety architectures (i.e. two plant safety designs) that are very similar. The LODs result obtained by the LODs method application to each PPC constitutes a proposal for the plant of a safety architecture adequate to ‘contain’ such a type of accident. The definitive and complete safety architecture will be thus the enveloping of the results obtained assessing all the PPCs (phases 3 and 4 of Fig. 3). Few comments to the results can be useful.
521
2.4.1. Case 1: High homogeneity of LODs distribution respect to the minimum LODs allotment Achievement of a plant design with a high homogeneity in the LODs distribution would be an important result. This would permit designers to avoid to must assign a very high reliability to certain IHFs. In addition, it could be difficult to achieve and maintain a very high reliability, for some safety systems during the plant life . Sometimes the achievement of a good homogeneity in LODs distribution could also lead to a reduction in investment costs. The first comment concerns the reliability requested to pro6ide integrity of all loops (inside VV) (Table 3IHF N.1 ). The results indicate that for the LOFA accident one strong line (a) is sufficient. Therefore, the set of systems that accomplish the IHF: Pro6ide integrity of all loops, must be globally characterised by the reliability of one LOD type (a) in the event of divertor LOFA. On the contrary, to manage the LOCA accident one line (a+ b) is requested particularly for the loop already failed outside VV (i.e. to avoid an induced in-vessel LOCA and finally a by-pass configuration). This slight difference is due to the greater gravity of LOCA than the LOFA in terms of challenge of the plant containment structure and shows that diverse PPCs may request differentiated safety architectures. Besides, the function N.5 (cryostat extension pressure control) for the LOFA requests one line type (a), while the two corresponding functions for the LOCA (NN.6 and 9) demand LODs (a) and (2a), respectively. The motivation of the (2a) LOD, requested for the HTS vault, is linked to the fact that the HTS must be considered the last barrier for the top function selected. An uncontrolled failure of the HTS vault would lead to uncontrolled release to the environment.4 2.4.2. Case 2: Minimisation of the safety related importance of the VV (in terms of reliability) The VV containment barrier is realised by metallic structures forming a geometrical toroidal chamber characterised by several penetrations and
3
High homogeneity of the LODs means to achieve that all the LODs have quite the same quality or that they are not too different, while remaining within their allowable range.
4 The ITER building containment, in fact, is only designed to withstand a normal HTS depressurisation.
522
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
material discontinuities. Hence it is very difficult to associate a high reliability to such a component. In addition, no similar containment components exist in fission field to gain operating experience on its reliability. For these reasons it would be important to study the way to reduce, at the most extent possible, the reliability to allocate to the VV and to individualize which other safety systems could instead easily accept a reliability increase. As a theoretical exercise, the requested reliability for the VV related functions (NN.2 and 3 for LOFA and NN.3 and 4 for LOCA) has been reduced to zero (i.e. no safety related constraints). This limit case means that the VV integrity would not be considered in terms of reliability assessing the accident sequences. For both LOFA and LOCA accidents, the LODs redistribution to decrease the VV reliability leads to an increase in the requested reliability for the function: pro6ide integrity of all loops (inside VV). This result practically means higher reliability and performances for the systems/components implementing: detection, emergency plasma shutdown, and active decay heat removal (DHR).
3. Performance and reliability determination for the ITER systems/components Once the LODs allotment has been performed for all the IHFs, the LODs method can usefully help the definition of the safety system/components classification. The IHFs are constituted by clusters of safety sub-functions, some of which can be recognised as being elementary safety functions (ESFs). These functions are considered elementary because they can roughly correspond to (i.e. they are achieved by) the plant subsystems/main-components. Adopting the ESF notion it is possible to directly link the IHFs coming from the functional analysis, with the ITER safety functions. Tables 4 and 5 show, as an example, in columns 1, 2 and 6 the same result of Table 3 for the IHFs NN.1 and 7 for LOFA and IHFs NN.4 and 8 for LOCA. Tables 4 and 5, in addition, furnish: the ESFs constituting each IHF (column 3), the corresponding
ITER functions (column 4), and the relative ITER systems (column 5) practically accomplishing such safety functions. These results are obtained by the assessment of the ITER safety functions and sub-functions [9] (preventive, protective and mitigating actions), as well as by the necessary knowledge of the ITER machine. In such a way, the LODs method application results in a direct allotment for the ITER systems/ components quality (reliability and performances). For example, in Table 4 the set of ITER systems (column 5) that accomplish the IHF: pro6ide integrity of all loops, must be globally characterised by the reliability of one LOD type (a), i.e. (by definition) by an unavailability range of (10 − 3 } 10 − 4) per demand. Tables 4 and 5 take as a basis the option of high homogeneity of LODs distribution (see paragraph 2.4) only. These tables indicate both the requested performances (e.g. q\ q1)5 and reliability (e.g. 10 − 3 } 10 − 4). Such a result highlights, among others, the following technical consideration. Taking into account that an ITER divertor LOFA could quickly lead to an accident releasing coolant into the VV because of low design margins (the engineering judgement is a time of about 1 s [9]), it seems very difficult to imagine the existence of an emergency plasma shutdown system able to avoid an induced in-vessel LOCA within such a restricted timespan.
4. Conclusion and future work The LODs method, because of its possibility to maintain a generality (functional) level, appears to be particularly suitable for the studies concerning the safety-related design of nuclear fusion devices,
5 Performance indications are qualitative. In the functional analysis it has been assumed that q1 \q2 \q3 and t1 Bt2 B t3. For example, q B q1 for the DHR means that the specific system employed to accomplish that safety function must completely fulfil its given mission: i.e. to enable the transport of a heat amount greater than q1 (the exact value has to be defined by designers) to avoid a worsening in the accident conditions.
Identified heading functions
Provide integrity of all loops
Limit H2 amount to have deflagration in VV and/or cryostat extensions
N
1
7
Minimise transport across boundary, minimise/isolate leak, minimise leak duration Avoid hydrogen explosions and fires
Inertise cryostat extensions (tBt3)
Passive DHR (medium importance) Detection, Normal shutdown (t= several tens of seconds)
Limit (mobilisable) water inventory in VV (VBV1)
Plasma shutdown (tBt2)
DHR (q\q2)
Active DHR
DetectionEmergency shutdown (t =1 } 10 s)
Plasma shutdown (tBt1)
Avoid rupture by disruption
Active DHR
ITER protection/mitigation functions and sub-functions [9]
DHR (q\q1)
Elementary safety functions (with performances)
Table 4 Constituting ESFs and their performance indications for the LOFA IHFs NN.1 and 7
Integrity: FW, B, D, VV (structural components of VV). Flow: EP, CODACS (pumps, CODACS). Heat Sink: UHS (UHS subsystems) DIA, CODACS, DIA, AH, MG, T, PS (PC, PI, emergency safety injection) D (structure): tiles, targets of sacrificial materials Integrity: FW, B, D, VV (structural components of VV). Flow:: EP, CODACS (pumps, CODACS). Heat sink: UHS (UHS subsystems) VV (structure) by both radiation and conduction DIA, CODACS, DIA, MG, AH, T, CODACS (PC, CS, GP, PI, CODACS) Isolation valves, fast acting valves to limit released coolant below V1 volume value Inertisation atmosphere active and passive means (within the rooms jeopardised by H2 hazard)
ITER systems (subsystems/ main components) [9]
b/10−1 } 10−2
b/10−1 } 10−2
a/10−3 } 10−4
LOD result/ global equivalent reliability
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526 523
Identified heading functions
Provide VV pressure control (due to water/ steam, etc.)
Provide HTS vault tightness (PhtsBPrd HTS)
N
4
8
Provide internal heat sink condensation surfaces
water condensation in HTS vault (C\C1)
water cooling down by spray systems (DT1)
Minimise transport across boundary, minimise/isolate leak
Maintain cryostat (HTS vault) boundary, prevent overpressure
Detection, emergency shutdown (t=1 } 10 s)
Limit (mobilisable) water inventory in failed loop (VBV1)
Avoid rupture by disruption HTS vault tightness
Plasma shutdown (tBt1)
Active DHR
DHR (q\q1)
Passive DHR (low importance)
Maintain VV boundary, maintain loads below design loads, provide venting
ITER protection/mitigation functions and sub-functions [9]
VV controlled venting (Pvv\Prd VV, no peaks over VV design load), no VV structural damage
Elementary safety functions (with performances)
Table 5 Constituting ESFs and their performance indications for the LOCA IHFs NN.4 and 8
VV (structure), junctions, penetrations, extensions, plugs, etc., and the needed related guaranteeing procedures. VV (correct opening rupture disk), vacuum pumps, conducts versus suppression tank Integrity: FW, B, D, VV (structural components of VV). Flow: EP, CODACS (pumps, CODACS). Heat sink: UHS (UHS subsystems) VV (structure) by both radiation and conduction DIA, CODACS, DIA, AH, MG, T, PS (PC, PI, emergency safety injection) D (structure) HTS vault (structure), junctions, penetrations, extensions, rupture disk, etc., and the needed related guaranteeing procedures. Maintenance and repair Isolation valves, fast acting valves to limit released coolant below V1 volume value Water-steam condensation devices able to guarantee a condensation capability of C1 (e.g. in weight expressed) Water cooling down spray systems able to have DT1 decrease in water temperature
ITER systems (subsystems/main components) [9]
b/10−1 } 10−2
b/10−1 } 10−2
b/10−1 } 10−2
a/10−3 } 10−4
LOD result/global equivalent reliability
524 M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
where often the plant is not yet designed in detail. For example, the analysis shows that a reduction of the reliability that has to be requested for the VV is only possible if an adequate level of performances and reliability can be implemented for detection, emergency plasma shutdown and active DHR. The paper shows the applicability of the LODs method to fusion plants highlighting its capability to produce the requested reliability and performances of the ITER systems/components when they are conceived as LODs. These advantages make the LODs method particularly addressed toward licensing procedures. It would be useful to apply the LODs method to all other ITER initiating events to reach a global safety evaluation related to all the safety related plant systems. The designer should be able to organise the safety related architecture in order to answer both requests, ensuring, in parallel, an adequate safety system/components classification.
5.2. Paper text
ITER ITER-FDR
Pvv Psp Phts Prd-VV Pext q1 t1 V1 C1
5. Nomenclature DT1
5.1. ITER Systems
AH B CODACS CS CV D DIA EP FW GP MG PC PI PS SP T UHS
additional heating blanket Control and Data Acquisition System central solenoid cryostat vessel divertor diagnostic (relevant to plasma chamber) electrical power supply first wall gas puffing magnet poloidal coils pellet injectors plasma shutdown suppression pool fuel cycle (tritium) ultimate heat sink
525
International Thermonuclear Experimental Reactor International Thermonuclear Experimental Reactor–Final Design Report pressure inside the vacuum vessel pressure inside the suppression pool pressure inside the heat transfer system pressure of the rupture disk of the vacuum vessel pressure inside the cryostat extension generic value of heat generic value of time generic value of coolant volume generic value of condensation capability generic value of water temperature difference
Acknowledgements This work was supported by the European Commission, Fusion Programme, under contract 5004-CT97-5009 (DG 12-MRGS) for the Grant Holder Dr M. Costa. References [1] The Safety of Nuclear Installations, Safety Fundamentals, Safety Series No. 110. IAEA, Vienna, 1993. [2] G.L. Fiorini, P. Lo Pinto, M. Costa, The current CEA/ DRN safety approach for the design and the assessment of future nuclear installations, Proceedings of the 7th International Conference on Nuclear Engineering (ICONE 99), Paper No. 7208-6, Japan, 1999. [3] F. Justin, J. Petit, P.F. Tanguy, Safety assessment for severe accidents in fast breeder reactors, Nuclear Safety 27 (3) (1986) 332 – 342.
526
M. Costa, G.L. Fiorini / Fusion Engineering and Design 51–52 (2000) 515–526
[4] G.L. Fiorini, M. Costa, The lines of defence methodology for the design and assessment of nuclear installations, CEA Report, Cadarache Centre, SERSI/ECP 99/3001, 1999. [5] European utility requirements for LWR nuclear power plants. EUR Organisation, Revision B, 1995. [6] ITER non-site specific safety report (NSSR-2), Vol. VII. Analysis of reference events, version 1 October, 1997. [7] M. Costa, G.L. Fiorini, Lines of defence method application for the plant safety related design — fusion plant
.
divertor LOCA examination, CEA Report. Cadarache Centre, SERSI/ECP 99/3004-LEFS 99/5003, 1999. [8] M. Costa, G.L. Fiorini, Lines of defence method application to an ITER divertor LOFA accident, CEA Report. Cadarache Centre, SERSI/LEFS 99/5018, 1999. [9] R. Caporali, S. Ciattaglia, G. Cambi, T. Pinna, ITER plant functional breakdown, FFMEA, IE identification, qualitative ET and preliminary list of accident sequences, ENEA Report. Frascati Centre, FUS TECN S&E TR 9/94, 1994.
.