Technical Specifications (In-Cash Procurement)

Plant Control Design Handbook for Nuclear control systems

This Plant Control Design Handbook – Nuclear (PCDH-N) document defines standards for all ITER plant system instrumentation and control (I&C) Nuclear Plant Safety Systems (PSS-N).

PDF generated on 07-Feb-2013. DISCLAIMER: UNCONTROLLED WHEN PRINTED – PLEASE CHECK THE STATUS OF THE DOCUMENT IN IDM.

Approval Process (Name, Action, Affiliation)
Author: Fernandez Robles C., 30-Jan-2013: signed, IO/DG/DIP/CHD/CSD/PCI
CoAuthor:
Reviewers:
• Wallander A., 05-Feb-2013: recommended, IO/DG/DIP/CHD/CSD
• Yonekawa I., 31-Jan-2013: recommended, IO/DG/DIP/CHD/CSD/PCI
• Fourneron J.-M., 30-Jan-2013: recommended, IO/DG/DIP/CHD/CSD/PCI
Approver: Bak J.-S., 07-Feb-2013: approved, IO/DG/DIP

Document Security: level 1 (IO unclassified)
RO: Fourneron Jean-Marc
Read Access: LG: PA project team, LG: PA Schedulers, LG: KEPCO E&C, LG: Reviewers, AD: ITER, AD: External Collaborators, AD: Division - Control System Division - EXT, AD: Section - CODAC - EXT, AD: Section - CODAC, AD: Section - Remote Handling, AD: Section - Remote Handling - EXT, project administrator, RO, LG: PBS48 EXT, AD: Section - Plant Control and Instrumentation

IDM UID: 2YNEFU
Version created on / version / status: 30 Jan 2013 / 3.0 / Approved
External reference:



Change Log

Title (Uid) | Version | Latest Status | Issue Date | Description of Change
Plant Control Design Handbook for Nuclear control systems (2YNEFU_v3_0) | v3.0 | Approved | 30 Jan 2013 | Document updated according to the evolution of the design of the SCS-N.
Plant Control Design Handbook for Nuclear control systems (2YNEFU_v2_1) | v2.1 | Approved | 11 Feb 2011 | Comments from PCDH review process taken into account. See PCDH v6 review report.
Plant Control Design Handbook for Nuclear control systems (2YNEFU_v2_0) | v2.0 | Signed | 05 Jan 2011 | Updated version taking into account the outcomes of the Central Safety System outcomes. This version references the standards to take into account and complements them with ITER specific requirements.
Plant Control Design Handbook for Nuclear control systems (2YNEFU_v1_1) | v1.1 | Approved | 01 Feb 2010 | Version 1.1
Plant Control Design Handbook for Nuclear control systems (2YNEFU_v1_0) | v1.0 | Signed | 16 Dec 2009 | First version
Plant Control Design Handbook for Nuclear control systems (2YNEFU_v0_0) | v0.0 | In Work | 10 Nov 2009 |


Table of Contents

1. Introduction
  1.1 Purpose
  1.2 Scope
  1.3 Definitions
  1.4 Reference documents and standards
  1.5 Standards for the Safety I&C system
2. Nuclear Safety I&C system design philosophy
3. PSS-N Safety lifecycle
  3.1 Quality
  3.2 PSS-N Lifecycle
4. PSS-N Specifications
  4.1 Functional Specifications
  4.2 Safety requirements
    4.2.1 Requirements related to design
    4.2.2 Functional tests
  4.3 PSS-N Architecture
    4.3.1 SCS-N subsystems
    4.3.2 General architecture for SIC-1 and SIC-2 Cat. B systems
    4.3.3 General architecture for SIC-2 Cat C system
    4.3.4 General architecture for SR Cat C system
    4.3.5 Powering
    4.3.6 Cabling
    4.3.7 Sensor sharing
    4.3.8 Actuator sharing
  4.4 Safety I&C naming conventions
  4.5 PSS-N Hardware specifications
    4.5.1 Class 1 system: SIC-1 and SIC-2 Cat B
    4.5.2 Class 3 systems: SIC-2 Cat C and SR Cat C
    4.5.3 Cubicles
    4.5.4 Sensors
5. Qualification
  5.1 Nuclear qualification
  5.2 Applicable standards
  5.3 PSS-N qualification
6. Application of PCDH to Nuclear safety systems


1. Introduction

1.1 Purpose

This Plant Control Design Handbook for Nuclear Safety (PCDH-N) defines standards for all ITER Plant Safety Systems for Nuclear Safety (PSS-N).

These standards are essential in order to achieve an integrated and licensable system to provide ITER nuclear safety I&C functions. These standards are applicable to the development process and comprise deliverables and quality assurance requirements as well as catalogues of standard software and hardware components.

PCDH-N must be followed by everyone involved in the development of ITER plant systems I&C which will perform nuclear safety I&C functions, i.e. plant system responsible officers (RO), plant system I&C designers and plant system I&C suppliers, regardless of their affiliation (i.e. ITER Organization (IO), Domestic Agency (DA), or industry).

PCDH-N is a living document, which is released at regular intervals throughout the lifetime of ITER. Versions of standards and products are subject to updates and extensions as the ITER project progresses. Obsolescence management is of particular importance due to the long timeline for ITER construction and operation.

1.2 Scope

The Nuclear Safety I&C functions of ITER are performed by the Safety Control System – Nuclear (SCS-N). This system is composed of:

• The CSS-N: Central Safety System – Nuclear
• The PSS-N: Plant Safety Systems – Nuclear, which are parts of the different plant systems.

PSS-N is the part of the Plant System I&C which implements nuclear safety I&C functions. A PSS-N interfaces the CSS-N.

The CSS-N coordinates the individual protection provided by locally distributed safety systems in order to bring and keep ITER in a safe state and to prevent, detect or mitigate incidents or accidents.

Sensors and actuators (including any signal conditioning device) are out of the scope of the PSS-N, although it is connected to them. The interface point with sensors and actuators is the terminal block inside the PSS-N cubicle.

This document defines rules and guidelines to be followed by the PSS-N designers.

Note: Occupational safety systems are covered by the PCDH.

1.3 Definitions

CSN-N: Central Safety Network for Nuclear Safety
CSS-N: Central Safety System for Nuclear Safety
PCDH-N: Plant Control Design Handbook for Nuclear Safety
PSS-N: Plant Safety System for Nuclear Safety
SCS-N: Safety Control System for Nuclear Safety


1.4 Reference documents and standards

[1] Preliminary Safety Report (RPrS) (ITER_D_3ZR2NC)
[2] Overall requirements specification of Safety Control System – Nuclear (ITER_D_3LU3NF)
[3] Safety Important Functions and Components Classification Criteria and Methodology (ITER_D_347SF3)
[4] IEC 61513 standard “Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems”
[5] IEC 61709 Nuclear power plants – Instrumentation and control systems important to safety – Separation
[6] IEC 61226 Nuclear power plants - Instrumentation and control important to safety - Classification of instrumentation and control functions
[7] Order dated 7 February 2012 relating to the general technical regulations applicable to BNI (Arrêté du 7 février 2012 fixant les règles générales relatives aux installations nucléaires de base) (ITER_D_7GJHSE). English translation for guidance is available (ITER_D_7M2YKF)
[8] ITER Project Management and Quality Program – ITER Quality Assurance Program (ITER_D_22K4QX)
[9] Nuclear Safety Control System - Overall Quality Plan (ITER_D_48Y3CS)
[10] IEC 60780, Nuclear power plants – Electrical equipment of the safety system – Qualification
[11] IEC 60980, Recommended practices for seismic qualification of electrical equipment of the safety system for nuclear generating stations
[12] IO cabling rules (ITER_D_335VF9)
[13] Electrical Design Handbook Part 4: Electromagnetic compatibility (ITER_D_2ELREB)
[14] RCC-E (Design and construction rules for electrical components of nuclear islands) (2005)
[15] SCS-N Preliminary Qualification Plan (ITER_D_34SAKW)
[16] Quality Classification Determination (ITER_D_24VQES)
[17] Safety Functions, Systems, Signals Definition for I&C CSS Design (ITER_D_3R7ECW)
[18] IEC 61000-4 (all parts), Electromagnetic Compatibility – Testing and measurement techniques
[19] IEC 61000-6-2, Electromagnetic compatibility (EMC) – Part 6-2: Generic standards – Immunity for industrial environments
[20] IEC 60812, Technical Analysis for system reliability – Procedure for failure mode and effects analysis (FMEA)
[21] IEC 62138, Nuclear power plants – Instrumentation and control important for safety – Software aspects for computer-based systems performing category B or C functions
[22] ITER Seismic Nuclear Safety Approach (ITER_D_2DRVPE)


1.5 Standards for the Safety I&C system

The design and manufacturing of a PSS-N will have to comply with the following standards:

For all categories:
  o IEC 61226, Nuclear power plants – Instrumentation and control systems important for safety – Classification [6],
  o IEC 61513, Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems [4],
  o IEC 60709, Nuclear Power Plants – Instrumentation and Control systems important to safety – Separation [5], except for some cabling rules which will be replaced by RCC-E rules [14], according to ITER document IO cabling rules [12], which defines the cabling separation rules to be applied,
  o IEC 61000-4 (all parts), Electromagnetic Compatibility – Testing and measurement techniques [18],
  o IEC 61000-6-2, Electromagnetic compatibility (EMC) – Part 6-2: Generic standards – Immunity for industrial environments [19].

For Category A:
  o IEC 60780, Nuclear power plants – Electrical equipment of the safety system – Qualification [10],
  o IEC 60812, Technical Analysis for system reliability – Procedure for failure mode and effects analysis (FMEA) [20],
  o Seismic events: IEC 60980, Recommended practices for seismic qualification of electrical equipment of the safety system for nuclear generating stations [11], or RCC-E adapted to ITER project [14] (see section 5).

For Category B:
  o IEC 60780, Nuclear power plants – Electrical equipment of the safety system – Qualification [10] or RCC-E [14] (see section 5.2),
  o Seismic events: IEC 60980, Recommended practices for seismic qualification of electrical equipment of the safety system for nuclear generating stations [11], or RCC-E adapted to ITER project [14] (see section 5.2).

For Category C:
  o IEC 62138, Nuclear power plants – Instrumentation and control important for safety – Software aspects for computer-based systems performing category B or C functions [21].
  o Category C systems for which specific environmental qualification is required (e.g. resistance to seismic conditions, or operation under specific environmental conditions) may be qualified to industrial standards according to IEC 61513 [4]. However, the use of IEC 60780 might be required under certain circumstances. Please refer to section 5.6 of IEC 61513 [4] for a detailed explanation.


2. Nuclear Safety I&C system design philosophy

A plant system may have specific safety functions that are implemented locally in a Plant Safety System (PSS). The Central Safety System (CSS) coordinates the individual protections provided by the PSS, enables manual control by the operator and displays data for the operator.

The Safety Control System for Nuclear Safety (SCS-N) is a hierarchical system. There are two types of safety functions:

Local function

[Figure 1: Local function. Diagram labels: PSS-1, CSS, CODAC/CIS, Sensor, Safety event, Actuator, Safety action, Control-Room Operator, Monitoring data, Safety HMI, Operator command. Legend: signal critical in function activation; signal for monitoring only.]

A safety function is considered as “local” when the event detection (sensor) and the safety action (actuator) are performed within a single plant system. In this case, the function is executed locally and autonomously inside the plant safety system. Monitoring data (e.g. safety threshold reached, safety function activation, actuators states …) are sent to CSS to be displayed on safety displays and exported to CODAC. If required, a control-room operator command is sent to PSS via CSS (depending on the importance of the role of CSS in the function, the “central function model” described below, may be more suitable).


Central function

[Figure 2: Central function. Diagram labels: PSS-1, PSS-2, CSS, CODAC/CIS, Sensor, Safety event, Actuator, Safety action, Control-Room Operator, Monitoring data, Safety HMI, Operator command. Legend: signal critical in function activation; signal for monitoring only.]

A safety function is considered as central when the event detection (sensor) and the actions (actuator) are performed by different plant systems. In this case, the event (signal for safety threshold reached) is detected by one or several PSS (PSS-1 in the figure), it is then communicated to CSS, which commands one or several PSS (PSS-2 in the figure) to perform the required actions. Monitoring data (safety threshold reached, safety function activation, actuators states…) are shown to the control-room operator on a safety display and exported to CODAC. Manual operator commands are also possible via CSS.

The following figures show examples of central functions:


Figure 3: Example of central function 1

Figure 4: Example of central function 2

Figure 5: Example of central function 3


3. PSS-N Safety lifecycle

3.1 Quality

The complete PSS-N lifecycle will have to comply with the requirements of:

• The Order dated 7 February 2012 relating to the general technical regulations applicable to basic nuclear installations (Arrêté du 7 février 2012 fixant les règles générales relatives aux installations nucléaires de base) [7],
• ITER Project Management and Quality Program – ITER Quality Assurance Program [8],
• IEC 61513 standard “Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems” [4],
• Nuclear Safety Control System - Overall Quality Plan [9].

In compliance with [4], IO has developed an overall quality plan for the SCS-N [9]. The entity in charge of the design of a PSS-N will have to establish a "Specific Quality Plan", which will be the application of this "Overall Quality Plan for the SCS-N" for the PSS-N and which will have to be compliant with the above mentioned reference documents and standards.

3.2 PSS-N Lifecycle

The PSS-N lifecycle will be compliant with [4] and in particular, with its section 6, which is dedicated to individual I&C systems.

Whenever possible, this individual PSS-N life-cycle will be compliant with the life-cycle model proposed in PCDH.

4. PSS-N Specifications

4.1 Functional Specifications

Nuclear safety functions are defined as a group of specific actions that prevent or mitigate radiological hazards. These actions can therefore prevent or mitigate dose uptake by personnel on-site and by members of the public.

There are two fundamental safety functions required for the ITER facility:

• Radioactive material confinement: ensuring the personnel, public and the environment are protected against releases of radioactive material. This function is achieved with confinement barriers and the associated confinement systems,
• Limitation of internal and external exposure to ionizing radiation.

The Nuclear Safety Control System (SCS-N) has to provide protection of personnel and the environment with respect to radiological risks by implementing the safety I&C functions. The SCS-N provides the means to bring ITER to a safe state and maintain it there or to mitigate the consequences of an incident or accident.

Monitoring information will be provided by the PSS-N to the CSS-N to indicate the status of the plant, in all operational states and in accident and post-accident conditions to indicate whether the safety functions and requirements are met and maintained.


The status of the safety functions will be monitored and the real positions of the actuators will be compared with the expected values during all operational states.

The functional specification of the nuclear safety I&C functions will be provided by IO in a top-down process. The scope of the CSS-N and the different PSS-N participating in the function will be clearly identified for each function. The technical specification and implementation of the scope of each plant system will be under the responsibility of the plant system responsible officer.

4.2 Safety requirements

This section gathers safety requirements from different reference documents and standards. It may not be exhaustive and additional requirements from other reference documents may have to be taken into account.

4.2.1 Requirements related to design

4.2.1.1 Safety classification

Each PSS-N may be composed of different sub-systems with different nuclear safety levels. Each PSS-N subsystem must have a safety classification compliant with the Preliminary Safety Report (RPrS) [1] Vol I chap 10 classification:

• SIC-1,
• SIC-2,
• SR.

Safety Importance Class (SIC) describes a classification scheme for structures, systems and components that perform a safety function and contribute to the general safety objectives at ITER during incident/accident situations.

Systems and components that have a Safety Importance Class assigned should receive adequate and appropriate attention during the design, manufacture, installation, commissioning and operational stages. The objective is to ensure and demonstrate that they will meet the minimum performance and reliability requirements throughout their intended lifecycle.

Document [3] defines Safety Important Functions and Components Classification Criteria and Methodology (ITER_D_347SF3).

IEC 61226 [6] defines safety categories for nuclear safety I&C functions (category A, B, C). IEC 61513 also defines 3 safety classes for I&C systems (Class 1, class 2, class 3). A "Non Safety" class (NS) can be added to this classification.

Based on the safety analysis, all safety I&C subsystems will be assigned to a safety class, on a case by case basis. There are four different types, which are shown in Table 1 (the last one in the table is implemented by the conventional control, interlocks or occupational safety control systems, not by the nuclear safety control system):


Table 1: Relation of SIC levels and function category and system class

Structure System Component (ITER) | Function safety level (IEC 61226 category) | System safety level (IEC 61513 class)
SIC-1 | A | 1
SIC-2 | B | 1
SIC-2 | C | 3
SR | C | 3
SR | Non Safety | Conventional I&C

ITER will not use computerized Class 2 systems due to their cost and the difficulties in licensing. Section 4.3 describes the architectures of each subsystem.

4.2.1.2 Single Failure Criterion

Single-failure criterion: an assembly of equipment satisfies the single-failure criterion if it is able to meet its purpose despite a single random failure assumed to occur anywhere in the assembly. Consequential failures resulting from the assumed single failure are considered to be an integral part of the single failure.

The single failure criterion must be taken into account for the design of the SIC-1 and SIC-2 Safety I&C systems, by using adequate solutions from all of the following:

• redundancy,
• independence,
• physical separation,
• electrical isolation.

The single failure criterion must be met at the system level for SIC-1 systems (for example, a SIC-1 system has to provide redundancy).

This criterion can be fulfilled at the "functional level" for SIC-2 Cat B systems (it can be achieved by two different safety functions which contribute to the same objective).

Compliance of SIC-2 Cat C systems with the single failure criterion is required on a case by case basis. The functional specifications of the nuclear I&C safety functions will specify whether compliance with the single failure criterion is required or not.

For safety related (SR) Cat C systems, compliance with the single failure criterion is not required.


4.2.1.3 Failsafe principle

Safety functions should be designed as failsafe. This means that the corresponding actuators must go to a predefined position (so-called failsafe position) in case of:

• deactivation of the control signals,
• loss of the power sources, or
• loss of communication.

Technical specifications for safety I&C functions must define the fail safe state of each function. It must be defined for all operating conditions, including normal, incident or accident situations.

Generally the failsafe state corresponds to the triggering of the function but there are some exceptions. In the former case the command should be designed “de-energize to trip” whereas in the latter it should be “energize to trip”. Control logic shall be intrinsically failsafe.

In the case of non compliance with this requirement, a justification must be provided to substantiate the robustness of the function towards scenarios in which there is a loss of power.
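An exhaustive check of the failsafe principle over every combination of the three loss conditions named above, added here as an illustration and not taken from the handbook or from any ITER system. The position names, the three logic functions and the deliberately faulty variant are constructed for the example.

```python
from itertools import product

# Hypothetical actuator position names used only in this example.
TRIPPED, RUNNING = "tripped", "running"


def de_energize_to_trip(demand, signal_ok, power_ok, comms_ok):
    """Failsafe state = function triggered. The coil is held energized only
    while everything is healthy and no trip is demanded."""
    coil_energized = signal_ok and power_ok and comms_ok and not demand
    return RUNNING if coil_energized else TRIPPED


def energize_to_trip(demand, signal_ok, power_ok, comms_ok):
    """Exception case: failsafe state = function not triggered. The coil
    must be energized to trip, which needs signal, power and communication."""
    coil_energized = demand and signal_ok and power_ok and comms_ok
    return TRIPPED if coil_energized else RUNNING


def unsupervised_comms(demand, signal_ok, power_ok, comms_ok):
    """Constructed faulty variant: communication loss is not supervised."""
    coil_energized = signal_ok and power_ok and not demand
    return RUNNING if coil_energized else TRIPPED


def failsafe_violations(logic, failsafe_position):
    """Input combinations with at least one loss (control signal, power or
    communication) where the actuator is NOT in the failsafe position."""
    bad = []
    for inputs in product((False, True), repeat=4):
        demand, signal_ok, power_ok, comms_ok = inputs
        loss = not (signal_ok and power_ok and comms_ok)
        if loss and logic(*inputs) != failsafe_position:
            bad.append(inputs)
    return bad


def unserved_demands(logic):
    """Input combinations where a trip is demanded but not executed."""
    return [i for i in product((False, True), repeat=4)
            if i[0] and logic(*i) != TRIPPED]


if __name__ == "__main__":
    for logic, failsafe in ((de_energize_to_trip, TRIPPED),
                            (energize_to_trip, RUNNING),
                            (unsupervised_comms, TRIPPED)):
        print(logic.__name__,
              "failsafe violations:", failsafe_violations(logic, failsafe),
              "unserved demands:", len(unserved_demands(logic)))
```

For the energize-to-trip variant every unserved demand coincides with a loss of control signal, power or communication, while the de-energize-to-trip variant has none.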

4.2.1.4 Power supplies

The power supply of SIC I&C systems is organized in two independent trains, backed up by diesel generators.

SIC-1 and SIC-2 PSS-N will be powered by two independent and non-interruptible electrical trains: SIC train-A and SIC train-B. These trains supply class II AC power (uninterruptible using batteries and diesel generator). Each I&C train must be powered by the corresponding electrical train (SIC train-A or SIC train-B). This requirement guarantees that the systems will be able to fulfil their mission even in the case of loss of external power.

This requirement is not applicable for safety relevant (SR) I&C systems. The power supply for SCS-N SR will have at least the same classification level as the conventional I&C part.

There will be sufficient isolation between SCS-N SIC-1 and SCS-N SIC-2 powering on each train to avoid electrical issues due to SIC-2 powering interference with SIC-1 powering.

4.2.1.5 Environmental conditions

The environmental conditions that the system is required to withstand must be specified in accordance with the constraints imposed from the plant context. Environmental conditions to be specified include:

• ambient conditions, including temperature, humidity, pressure, radiation and electromagnetic interference, at operating conditions. These are defined as the influence quantities expected as a result of normal operating requirements, the expected extremes in normal operating requirements and postulated conditions appropriate for the postulated initiating events of the plant;
• ambient conditions imposed by potential hazards external to the system;
• power supply and heat removal conditions.

SIC-1 and SIC-2 systems must be qualified for their environmental conditions.

To protect the safety I&C systems from EMI, including changing magnetic fields and plasma disruption, the principles defined in [13], which addresses the following topics, will be applied:

• Equipment emission requirements,
• Earthing policy,
• EM zoning,
• Protection of sensors and instrumentation cubicles,
• Cable classification and routing segregation.

This document covers the requirements from the standards [18] and [19].

The document [12] defines the rules for separation between the cable trays supporting the various categories of electrical cables (to protect the sensitive cables from perturbing cables).

The environmental qualification process is described in section 5.

4.2.1.6 Seismic requirements and classification

The seismic conditions (i.e. seismic spectra) that the system will be subjected to will be specified. The seismic classification of systems and components implementing safety I&C functions will be specified in the functional specifications of the functions, according to the main requirements recommended by [2]. Seismic classification is defined in [22], which gives the following seismic classes: SC1 (SF), SC1 (S), SC2 and NSC.

Seismic qualification is described in section 5.

4.2.1.7 Periodic tests

Periodic testing is a way to demonstrate the ability of the systems to perform as required.

The design must allow the performance of periodic tests during the available periods for testing. These will be defined in the PSS-N specification.

4.2.1.8 Separation rules and fire protection

I&C systems important to safety in nuclear facilities need to tolerate the effects of plant/equipment faults as well as internal and external hazards. Various techniques are available to increase the level of tolerance of I&C systems to such effects, including the provision of independent systems, subsystems and equipment. For claims of independence between such systems and equipment to be made, adequate separation must be provided and maintained.


Separation rules between the different parts of the I&C system must, as far as possible, be compliant with [5] “IEC 60709 Nuclear power plants – Instrumentation and control systems important to safety – Separation” and [6] “IEC 61226 Nuclear power plants - Instrumentation and control important to safety - Classification of instrumentation and control functions”.

Specific rules to use in the ITER project are defined in [3] and [12].

Regarding fire, as defined in [3], specific requirements are associated with the SIC grade, such as:

The SIC-1 (redundant) systems are located in two independent and separate fire sectors. Their electrical supply and I&C trains (A and B) are routed through independent and separate fire sectors. The SIC-1 cubicles are located in dedicated rooms (not containing SIC-2 or/and SR or/and non-SIC cubicles). The SIC-1 cubicles are equipped with automatic fire detection and suppression systems.

The redundant SIC-2 systems are located in two independent and separate fire sectors. The redundant SIC-2 cubicles can be implemented together with the SR and non-SIC cubicles at dedicated and separate places in the same room. The minimum distance between SIC-2 cubicles and non-SIC cubicles is 2 m. This room (and not the cubicles themselves) is equipped with several automatic fire detection and suppression systems. Only one train (A or B) goes through fire sectors.

Implementation of the non-redundant SIC-2 cubicles is possible in the same room as SR and non-SIC cubicles if there are automatic fire detection and suppression systems in the room.

In one room, all the SIC-1 cubicles must be on the same Train (A or B) for power supply and I&C cabling. In one room, all the SIC-2 cubicles must be on the same Train (A or B) for power supply and I&C cabling.

As mentioned above, the rules to use in the ITER project imply:

- Physical separation in different fire sectors of the redundant parts of a SIC-1 function,
- Physical separation of a SIC-1 system from systems of lower level, in a dedicated room,
- Physical separation in different fire sectors of the redundant parts of a SIC-2 function,
- Physical separation of a SIC-2 system from systems of lower level, by a distance of at least 2 m.
- Cohabitation in the same cubicles of SIC-2 Cat B and SIC-2 Cat C systems is authorized.
- Cohabitation in the same cubicles of SR Cat C and Non Safety I&C systems is authorized.
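The room, train and fire-sector rules above can be checked mechanically against a cubicle layout. The following Python example is added here for illustration and is not part of the PCDH-N or of any ITER tool; the `Room`/`Cubicle` data model, the rule names, the floor coordinates and the sample layout are assumptions. It covers the dedicated SIC-1 room rule, the one-train-per-room rule, the 2 m SIC-2 distance, the room-level fire system and the fire-sector separation of redundant trains.

```python
from dataclasses import dataclass
from itertools import combinations
from math import hypot

SIC = ("SIC-1", "SIC-2")
NON_SIC = {"SR", "NON-SAFETY"}   # the text groups SR and non-safety as non-SIC


@dataclass(frozen=True)
class Room:
    name: str
    fire_sector: str
    auto_fire_system: bool       # automatic fire detection and suppression in the room


@dataclass(frozen=True)
class Cubicle:
    name: str
    grade: str                   # "SIC-1", "SIC-2", "SR" or "NON-SAFETY"
    function: str                # hypothetical safety-function identifier
    train: str                   # "A" or "B"; "" when not part of a train
    room: str
    x: float = 0.0               # assumed reference point on the floor, in metres
    y: float = 0.0


def check_layout(rooms, cubicles, min_gap_m=2.0):
    """Return the sorted (rule, subject) pairs that the layout violates."""
    room_of = {r.name: r for r in rooms}
    found = set()
    per_room = {}
    for c in cubicles:
        per_room.setdefault(c.room, []).append(c)

    for name, group in per_room.items():
        grades = {c.grade for c in group}
        # SIC-1 cubicles sit in dedicated rooms, with nothing of lower grade.
        if "SIC-1" in grades and grades != {"SIC-1"}:
            found.add(("SIC1_ROOM_NOT_DEDICATED", name))
        # Within one room, all cubicles of a SIC grade are on the same train.
        for grade in SIC:
            trains = {c.train for c in group if c.grade == grade and c.train}
            if len(trains) > 1:
                found.add(("MIXED_TRAINS_IN_ROOM", f"{name}/{grade}"))
        # SIC-2 may share a room with non-SIC cubicles only if the room has an
        # automatic fire system and each SIC-2/non-SIC pair is at least 2 m apart.
        if "SIC-2" in grades and grades & NON_SIC:
            if not room_of[name].auto_fire_system:
                found.add(("ROOM_WITHOUT_AUTO_FIRE_SYSTEM", name))
            for a, b in combinations(group, 2):
                pair = {a.grade, b.grade}
                if "SIC-2" in pair and pair & NON_SIC:
                    if hypot(a.x - b.x, a.y - b.y) < min_gap_m:
                        names = "~".join(sorted((a.name, b.name)))
                        found.add(("SIC2_GAP_UNDER_2M", names))

    # Redundant trains of one SIC function must not meet in a fire sector.
    sectors = {}
    for c in cubicles:
        if c.grade in SIC and c.train:
            by_train = sectors.setdefault(c.function, {})
            by_train.setdefault(c.train, set()).add(room_of[c.room].fire_sector)
    for function, by_train in sectors.items():
        for s1, s2 in combinations(by_train.values(), 2):
            if s1 & s2:
                found.add(("TRAINS_SHARE_FIRE_SECTOR", function))
    return sorted(found)


# Constructed sample layout (room names, sectors and functions are invented).
ROOMS = [
    Room("R1", "FS-1", True), Room("R2", "FS-2", True),
    Room("R3", "FS-3", False), Room("R4", "FS-1", True),
]
CUBICLES = [
    Cubicle("C1", "SIC-1", "F-01", "A", "R1"),
    Cubicle("C2", "SIC-1", "F-01", "B", "R2"),
    Cubicle("C3", "SIC-2", "F-02", "A", "R3", 0.0, 0.0),
    Cubicle("C4", "NON-SAFETY", "", "", "R3", 1.5, 0.0),   # 1.5 m from C3
    Cubicle("C5", "SIC-2", "F-02", "B", "R4"),
    Cubicle("C6", "SIC-2", "F-03", "A", "R1", 3.0, 0.0),   # placed in a SIC-1 room
    Cubicle("C7", "SIC-2", "F-03", "B", "R4", 3.0, 0.0),   # R4 is in FS-1, like R1
]

if __name__ == "__main__":
    for rule, subject in check_layout(ROOMS, CUBICLES):
        print(f"{rule:32} {subject}")
```

Distances are taken between single reference points per cubicle; a real layout check would measure between cubicle envelopes as defined in the project's installation rules.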

Separation rules for cables are defined in [3] and [12]. These rules specify the constraints between:

- Two redundant trains of a safety system,
- SIC (SIC-1 and SIC-2) and non-SIC (SR and non-safety) systems.

Without detailing these rules here, the cabling of the two redundant parts of a SIC-1 function is performed using independent cable trays (train A and train B) to be routed through different fire sectors. To avoid common cause failure due to fire or environmental conditions such as temperature, humidity, radiation or electromagnetic interference (EMI), redundant communication links within SIC I&C systems have to be routed through separate cable trays as explained in [12].

4.2.2 Functional tests

The Safety I&C subsystems will be tested in order to demonstrate that they meet the design requirements. The following tests will be performed:

- Integration and validation tests.
- Hardware qualification tests when required.
- Functional validation tests. These tests may require partial interconnection of a few systems and so may require dedicated test platforms.

PSS-N will not be interfaced with the mini-CODAC. Plant systems suppliers must develop a specific test device that will interface with their PSS-N and allow the factory acceptance tests and site acceptance tests to be carried out.

After installation on site, preliminary tests will be performed on the different parts of the safety I&C system to demonstrate its correct operation. Then the safety I&C system will be used for testing of the controlled process.

4.3 PSS-N Architecture

4.3.1 SCS-N subsystems

To meet the requirements of the nuclear safety I&C functions, the SCS-N is composed of several subsystems. Depending on the SIC level and function category, the four different possible types are:

SIC-1, SIC-2 cat B, SIC-2 cat C, SR cat C.

All these subsystems will be independent from each other. They will be physically separated according to the rules in section 4.2.1.8. Appropriate electrical isolation will be implemented between systems of different safety levels according to IEC 60709 [5] and RCC-E [14].

Each subsystem will be connected by means of a different network of the Central Safety Network – Nuclear (CSN-N). The following figure presents a simplified architecture of the SCS-N.

[Figure 6 block labels: Safety Operator Desks (SIC-1 hardwired, SIC-2 hardwired, SIC-2 class 3 computerised, SR class 3 computerised); CSS-N SIC-1 (class 1 system); CSS-N SIC-2 cat B (class 1 system); CSS-N SIC-2 cat C (class 3 system); CSS-N SR Cat C (class 3 system); networks CSN SIC-1, CSN SIC-2 cat B, CSN SIC-2 cat C and CSN SR Cat C; PSSx-N control logic for SIC-1 Cat A, SIC-2 Cat B, SIC-2 Cat C and SR Cat C; signal conditioning; sensors and actuators; system monitoring; links to CODAC, CIS, CSS-OS; hardwired links.]

Figure 6: SCS-N architecture (note: only one of the two operator safety desks is shown in the figure)

Accordingly, a PSS-N may be composed of different subsystems, each one part of the corresponding SCS-N subsystem (e.g. a SIC-2 Cat. B PSS-N belongs to the SIC-2 Cat. B SCS-N subsystem).

In general, sensors and actuators of the SCS-N are interfaced to different PSS-N and not directly to the CSS.

4.3.2 General architecture for SIC-1 and SIC-2 Cat. B systems

SIC-1 Cat A and SIC-2 Cat B systems, both class 1 systems, have the same architecture which is based on solid-state logic solvers. The SIC-1 and SIC-2 Cat B links among the logic solvers are hardwired (i.e. two wires are required per Boolean variable). Each logic solver has a module for acquiring the monitoring data. The interface between this module and the critical logic is designed to ensure that no failure propagation from the monitoring system to the critical safety function is possible.

SIC-1 Cat A and SIC-2 Cat B systems must comply with the single failure criterion. Therefore they are implemented in two different autonomous trains. The Train A and Train B parts of the system are fully independent. The following figures show the architecture of a SIC-1 and SIC-2 Cat B system (they are provided for information only and some details of the CSS-N part might be subject to modification):

Figure 7: Architecture of SIC-1 subsystem

Figure 7: Architecture of SIC-2 Cat. B subsystem

In each room housing SIC-1 or SIC-2 PSS-N, there will be a CSS-N network cubicle to which the PSS-N will be connected. This is the interface between the PSS-N and the CSS-N. Since the trains are fully independent, each one has its own network cubicles.

SIC-1 PSS-N, always located in SIC-1 rooms, will be connected to SIC-1 network cubicles whereas SIC-2 Cat B PSS-N will be connected to SIC-2 Cat B network cubicles. Then, Train A network cubicles are connected to the Back-up Server Room and Train B network cubicles are connected to the Main Server Room.

Plant systems responsible officers are in charge of the cabling up to the CSS-N network cubicle. There are two types of connections:

- Hardwired connections for the SIC-1 or SIC-2 Cat B signals.
- Network cables for the monitoring, which is classed SIC-2 Cat. C.

4.3.3 General architecture for SIC-2 Cat C system

SIC-2 Cat C systems, which are class 3 systems, have an architecture based on safety programmable logic controllers - Siemens S7 400 FH and F. These PLCs communicate with each other by means of a communication network using the Ethernet protocol with a safety protocol such as Profisafe.

Compliance of SIC-2 Cat C systems with the single failure criterion is required on a case by case basis. The functional specifications of the I&C nuclear safety functions will specify whether compliance with the single failure criterion is required or not. If so, the corresponding function will be implemented in two trains following the same separation rules as SIC-2 Cat B systems.

The following figure shows the architecture of SIC-2 Cat C systems (it is provided for information only and some details of the CSS-N part might be subject to modification):

Figure 8: Architecture of SIC-2 Cat. C subsystem, case of two trains

There will be a CSS-N network cubicle to which the PSS-N will be connected in each room housing SIC-2 PSS-N. This is the interface between the PSS-N and the CSS-N. Since the trains are fully independent, each one has its own network cubicles. Train A network cubicles are connected to the Back-up Server Room and Train B network cubicles are connected to the Main Server Room.

Plant systems responsible officers are in charge of the fibre optic cabling up to the CSS-N network cubicle.

4.3.4 General architecture for SR Cat C system

SR Cat C systems, which are class 3 systems, have an architecture based on safety programmable logic solvers - Siemens S7 400 FH and F. These PLCs communicate with each other by means of a communication network using the Ethernet protocol with a safety protocol such as Profisafe.

For SR Cat C systems, compliance with the single failure criterion is not required.

The following figure shows the architecture of SR Cat C systems (it is provided for information only and some details of the CSS-N part might be subject to modification):

Figure 9: Architecture of SR Cat. C subsystem

SR Cat C PSS-N will be connected to the nearest communication network panel. The communication network panels are installed at strategic locations close to the conventional plant system I&C cubicles. This is the interface between the PSS-N and the CSS-N for SR Cat C systems. Communication network panels are then connected to the nearest SR Cat C network cubicle, which is located in a CODAC hutch. SR Cat C network cubicles are connected to both Main Server Room and Back-up Server Room.

Plant systems responsible officers are in charge of the fibre optic cabling up to the communication network panel.

4.3.5 Powering

PSS-N must follow the requirements defined in section 4.2.1.4.

4.3.6 Cabling

PSS-N must follow the requirements defined in section 4.2.1.8 and reference [12].

4.3.7 Sensor sharing

As far as is possible, each ITER I&C system has its own dedicated sensors. There are two kinds of situations:

Sharing of sensors between the SCS-N and other systems such as SCS-OS, ICS or conventional control.

Sharing of sensors between systems of different categories within the SCS-N (e.g. same sensor used for SIC-1 Cat A and SIC-2 Cat C).

Sharing of sensors must be avoided. Where that cannot be achieved, measures must be put in place to ensure that faults within systems of lower categories do not propagate to higher category systems. The requirements of standard IEC 60709 [5] are applicable.

4.3.8 Actuator sharing

As is the case for sensors, each ITER I&C system should have its own dedicated actuators. This applies to two kinds of situations:

Sharing of actuators between the SCS-N and other systems such as SCS-OS, ICS or conventional control.

Sharing of actuators between systems of different categories within the SCS-N (e.g. same actuator used for SIC-1 Cat A and SIC-2 Cat C).

In the case where two or more systems share the same actuator, measures must be put in place to ensure that the triggering of the actuator by a system is never prevented by any action of a system of lower category. In addition, it must be ensured that faults within systems of lower category do not propagate to higher category systems. The requirements of standard IEC 60709 [5] are applicable.

4.4 Safety I&C naming conventions

The standard PCDH I&C naming conventions are applicable to nuclear safety I&C systems.

4.5 PSS-N Hardware specifications

4.5.1 Class 1 system: SIC-1 and SIC-2 Cat B

SIC-1 I&C systems and SIC-2 I&C systems implementing cat B functions will be implemented in class 1 systems using solid-state, hardwired safety I&C systems of the highest safety level.

IO will choose a technology for the logic solvers and develop and qualify systems complying with the nuclear safety requirements. They will be made available for the plant system responsible officers to implement their SIC-1 and SIC-2 Cat B PSS-N. Section 5 provides details about the qualification process.

4.5.2 Class 3 systems: SIC-2 Cat C and SR Cat C

SIC-2 I&C systems implementing cat C functions and SR I&C systems implementing cat C functions will be implemented in class 3 systems using safety PLCs from the PCDH catalogue.

IO will develop and qualify systems complying with the nuclear safety requirements based on the safety programmable logic controllers - Siemens S7 400 FH and F. They will be made available for the plant system responsible officers to implement their SIC-2 Cat C and SR Cat C PSS-N. Section 5 provides details about the qualification process.

4.5.3 Cubicles

PSS-N will be installed in floor standing cubicles. A standard for PSS-N cubicles, which will comply with the following requirements, will be defined by IO:

The cubicles will be environmentally and seismically qualified according to the specified environmental conditions (see 4.2.1.5) and seismic requirements and class (see 4.2.1.6). The qualification process is described in section 5.

The cubicles will have front and rear access and be fitted with key-locks.

The cubicles will be fixed to the floor. There are 3 different cases: cubicles fixed to a concrete slab, a metallic frame (for mezzanine hosted cubicles) and to a structure below a false floor.

The cubicles might be painted differently depending on the safety train.

The cubicle power supply must comply with the requirements defined in section 4.2.1.4. Cubicles will implement electrical protections (e.g. short-circuit protection).

The cubicles will have cable entries on the top. For rooms with false floors, cable entries will be from the bottom.

The cubicles will be at least IP55.

The following cubicle parameters must be monitored:
o Access to internals/door locks (front and rear)
o Internal temperature
o Power supply state
o Fire detection

This information will be made available to the SCS-N SCADA. External lights will indicate the overall state of the cubicle.

The SIC-1 cubicles must be fitted with fire extinguishing capabilities.

The non-redundant SIC-2 cubicles must be fitted with fire extinguishing capabilities.

The SCS-N cubicles must be fitted with fire detection sensors enabling the site fire detection system to be informed of a fire within a cubicle.

Cubicles, cables and all components must be labelled.

4.5.4 Sensors

Sensors and actuators are out of the scope of the PSS-N. However, some of the most important requirements with which they have to comply as part of the SCS-N are mentioned here.

Sensors connected to SIC-1 and SIC-2 Cat B systems must supply binary signals, not analogue values. Smart sensors are not allowed since they use software, which would have to be qualified according to IEC 60880 and IEC 62138.

Sensors connected to SIC-2 Cat C and SR Cat C systems can provide binary or analogue values.

The main standards to be followed for sensors are:

IEC 61513, “Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems” [4].

IEC 61226, “Nuclear power plants – Instrumentation and control systems important for safety – Classification” [6].

IEC 60709, “Nuclear Power Plants – Instrumentation and Control systems important to safety – Separation” [5], except for some cabling rules which will be replaced by RCC-E rules [14], according to ITER document IO cabling rules [12], which defines the cabling separation rules to be applied.

For categories A and B: IEC 60780, “Nuclear power plants – Electrical equipment of the safety system – Qualification”.

Category C systems for which specific environmental qualification is required (e.g. resistance to seismic conditions, or operation under specific environmental conditions), may be qualified to industrial standards according to IEC 61513 [4]. However, the use of IEC 60780 might be required under certain circumstances. Please refer to section 5.6 of IEC 61513 [4] for a detailed explanation.

For category A only: IEC 60812, “Technical Analysis for system reliability – Procedure for failure mode and effects analysis (FMEA)” [20].

5. Qualification

5.1 Nuclear qualification

The whole of the SCS-N will be qualified. This process provides assurance that the system is capable of meeting, on a continuing basis, the design basis functional and performance requirements needed for the functions important to safety while subject to the specified environmental conditions and specified constraints. The qualification will be performed against international standards and has to be approved by the French nuclear safety authority, ASN. The qualification requirements differ depending on the safety class and category.

The qualification can be divided into three main items:

- Product qualification.
- Environmental qualification, including seismic qualification.
- Application function qualification.

Product qualification is related to the ability of the components composing the SCS-N (e.g. logic solver) to be part of the safety system and comply with the general safety requirements. The scope of this part is what section 5.6 of IEC 61513 [4] refers to as “Product-related topics (equipment family) Generic (pre-) qualification”. It relies mainly on:

- Third party certification,
- Verification of the compliance to nuclear standards,
- Product quality assurance inspection and
- Operating experience.

Environmental qualification refers to the evidence that the systems will perform as expected for all operating conditions. These are defined as the quantities influencing the system that are expected as a result of normal operation, expected extremes in normal operating requirements and the conditions associated with the postulated initiating events of the plant. The need for environmental qualification depends on the system class and category. Qualification may be accomplished in several ways:

- Type testing,
- Operating experience or
- Analysis.

These may be used individually or in any combination depending upon the particular situation.

The normal and abnormal environmental conditions that the system is required to withstand must be specified in accordance with the constraints imposed from the plant context. The environmental conditions which have to be specified are provided in section 4.2.1.5, and in section 4.2.1.6 for the seismic requirements.

Finally, the application function qualification ensures the compliance of the system with the specifications of the safety functions. This qualification relies mainly on extensive tests which are defined according to the safety classifications.

5.2 Applicable standards

The main standards followed by the SCS-N are IEC 61513 [4] and IEC 61226 [6]. They introduce the main requirements and the differences between system classes and categories.

Concerning environmental qualification, the main standard to follow for categories A and B is IEC 60780 [10]. Alternatively, these systems can also be qualified according to section B2000 of RCC-E [14]. Category C systems for which specific environmental qualification is required (e.g. resistance to seismic conditions, or operation under specific environmental conditions), may be qualified to industrial standards according to IEC 61513 [4]. However, the use of IEC 60780 might be required under certain circumstances. Please refer to section 5.6 of IEC 61513 [4] for a detailed explanation.

Seismic qualification should be achieved against either IEC 60980 [11] or section B4200 of RCC-E [14].

Finally, EMC qualification must be performed in accordance with the relevant requirements set in EDH part 4 [13], which is aligned with the IEC 61000-4 series [18].

5.3 PSS-N qualification

Plant system responsible officers are responsible for the qualification of their PSS-N.

PBS 48 (CSS) will design and qualify class 1 and class 3 systems for the SCS-N. In particular, this will cover the product qualification and the environmental qualification for all SCS-N and the application function qualification for just the CSS-N part.

These systems, which will be considered as the main or standard systems to be used for both CSS-N and PSS-N, will be made available to the plant system responsible officers to implement the PSS-N. This way, PSS-N will already have the product and environmental qualification. In order to make it possible for all plant systems to use the environmental qualification, this environmental qualification will be carried out for conditions enveloping the environmental conditions of all SIC rooms (except those inside the Tokamak building, due to its high magnetic field and radiation; for this reason, control logic should not be placed inside the Tokamak Building). If the environmental conditions of a PSS-N exceed those of this qualification (so-called standard environmental conditions), the corresponding plant system responsible officers must carry out the environmental qualification for these conditions.

The plant system responsible officers will be responsible for performing the qualification of their part of the application function.

If a plant system does not use the systems developed and qualified by CSS (PBS 48), they will have to carry out the product, environmental and application function qualification.

Finally, plant systems must carry out all of the qualification concerning sensors and actuators.

Summing up, PSS-N designers/suppliers must carry out:

Environmental qualification for the main (standard) systems used in PSS-N if their environmental conditions exceed those defined for the general environmental qualification performed by PBS 48 (standard conditions),

Product and environmental qualification of specific products used by PSS-N (this includes non-standard PSS-N systems as well as sensors and actuators),

The qualification part for plant system specific application functions, in all cases.

As a general requirement, all SCS-N qualification plans will have to comply with the Overall Qualification Plan to be defined by IO and all SCS-N qualification reports will be integrated in the Overall Qualification Report to be produced by IO. Each entity in charge of the design of a PSS-N will have to establish specific qualification plans as a result of the application of the "Overall Qualification Plan" established by IO for the PSS-N.

The following table presents an overview of the qualification process and responsibilities.

Table 2 Qualification process

6. Application of PCDH to Nuclear safety systems

As long as they are consistent with the requirements set in the previous sections, PCDH requirements and guidelines also apply to Nuclear Safety I&C systems.

The following paragraph specifies which sections of PCDH are applicable to the SCS-N. It has to be noted that "Applicable" should be understood in the sense that most of the requirements of the PCDH of the corresponding section are applicable to the Nuclear Safety I&C systems; even if some are not in the list because of inconsistency with PCDH-N features (e.g. no fast controllers, no mini CODAC interface, no self-description data...).

PCDH section 1: Applicable

PCDH section 2: Applicable

PCDH section 3: PSS-N will be developed in compliance with the overall quality plan of the SCS-N [9] and specific quality plan for the PSS-N. These plans will first meet the requirements in [4], but will also be as far as possible compliant with section 3 of PCDH.

PCDH section 4:
o Section 4.1: Not applicable
o Section 4.2: Not applicable
o Section 4.3: Applicable
o Section 4.4: Applicable except if stated as not applicable to PSS, or if not consistent with dedicated PCDH-N requirements above. Section 4.4.6 concerning Self Description Data is not applicable.
o Section 4.5: Applicable

PCDH section 5: Not applicable

PCDH section 6: Not applicable

PCDH section 7: Not applicable

PCDH section 8: Not applicable

PCDH section 9: Not applicable