Memorandum / Note

Plant Control Design Handbook for Nuclear control systems

PDF generated on 05 Sep 2016. DISCLAIMER: UNCONTROLLED WHEN PRINTED – PLEASE CHECK THE STATUS OF THE DOCUMENT IN IDM

This Plant Control Design Handbook – Nuclear (PCDH-N) document defines standards for all ITER plant system instrumentation and control (I&C) Nuclear Plant Safety Systems (PSS-N).

Approval Process (Name; Action; Affiliation)

Author: Li B.; 05 Sep 2016: signed; IO/DG/COO/SCOD/CSD/PCI
Co-Authors: none listed
Reviewers: Bou M.; 05 Sep 2016: recommended (Fast Track); IO/DG/RCO/SD/EPNS/SAA
Previous Versions Reviews:
  Wallander A.; 12 Aug 2016: recommended v4.0; IO/DG/COO/SCOD/CSD
  Fernandez Robles C.; 09 Aug 2016: recommended v4.0; IO/DG/COO/SCOD/CSD/PCI
  Fourneron J.-M.; 10 Aug 2016: recommended v4.0; IO/DG/COO/SCOD/CSD/PCI
  Delong J.; 17 Aug 2016: recommended v4.0; IO/DG/COO/SCOD/CSD/PCI
  Petitpas P.; 12 Aug 2016: recommended v4.0; IO/DG/COO/SCOD/CSD/PCI
Approver: Campbell D.; 05 Sep 2016: approved; IO/DG/COO/SCOD

Document Security: Internal Use
RO: Petitpas Pierre
Read Access: AD: ITER, AD: External Collaborators, AD: IO_Director-General, AD: EMAB, AD: OBS - CODAC Section (CDC), AD: OBS - Plant Control and Instrumentation Section (PCI), AD: Auditors, AD: ITER Management Assessor, project administrator, RO, AD: OBS - Remote Handling and Hot Cell Complex Section (RHHC), AD:...

IDM UID: 2YNEFU
Version created on / Version / Status: 05 Sep 2016 / 4.1 / Approved
External reference / Version:


Change Log

Plant Control Design Handbook for Nuclear control systems (2YNEFU)

Version; Latest Status; Issue Date; Description of Change

v0.0; In Work; 10 Nov 2009
v1.0; Signed; 16 Dec 2009; First version
v1.1; Approved; 01 Feb 2010; Version 1.1
v2.0; Signed; 05 Jan 2011; Updated version taking into account the outcomes of the Central Safety System. This version references the standards to take into account and complements them with ITER specific requirements.
v2.1; Approved; 11 Feb 2011; Comments from the PCDH review process taken into account. See PCDH v6 review report.
v3.0; Approved; 30 Jan 2013; Document updated according to the evolution of the design of the SCS-N.
v3.1; Approved; 15 Jul 2013;
- Definition of the technology to be used to implement I&C functions for SIC-1 category A and SIC-2 category B. This technology is based on HIMA Planar 4 modules;
- Definition of the qualification process and reference to the SCS-N Overall Qualification plan;
- Minor typo corrected.
v3.2; Approved; 29 Aug 2013; Page 11: cross reference to Report (RPrS) [1] corrected.
v3.3; In Work; 09 Aug 2016;
- To change the terminology SIC to PIC/SIC;
- In Section 1.2, to add a chapter indicating the applicability of PCDH-N for those PSS-N inside/outside PCR707;
- In Section 2, more precise name definition: PSS is changed to PSS-N; CSS is changed to CSS-N;
- In Figures 1 and 2, to remove the data flow from CSS-N to CODAC/CIS and to modify the corresponding description in Section 2;
- In Section 3, to add the PSS-N deliverables (Section 3.3) according to the IEC 61513 lifecycle;
- In Section 4.1, to address the process of safety function specification with reference document;
- In Table 1, to change the safety system level class to "2", which corresponds to a PIC/SIC-2 system, while Note (1) remains; to add the Cat B function for SIC-1 systems, which shall be implemented as a Cat A function;
- In Section 4.2.1.2, to add the SIC-2 Cat C function implementation at "system level" or "functional level" if SFC is required;
- In Section 4.2.1.4, to add the power supply definition for SIC I&C systems; to add the reference of LV power supply quality;
- In Section 4.2.1.5, to add the reference of the safety roombook requirement for ambient conditions of nuclear safety I&C systems; to add the requirement reference from IEC 61000-6-4 and MIL-STD-461F;
- In Section 4.2.1.6, to indicate that the seismic classification refers to the SL-2 earthquake;
- In Section 4.2.1.8, to make the description more precise in order to align with Project Requirement Section 7.3.5; to impose a design guideline which requires not allocating non-SIC cubicles in a SIC room (SIC-2 cubicles do not share the SIC room with SR Cat C and Non Safety cubicles);
- In Figure 6, to revise the link of "System monitoring";
- In Section 4.3, to add the reference of "SCS-N architecture design"; to simplify the representation of the CSS-N part in the figures of the general architecture;
- In Section 4.3.2, to add the description of connections between the PSS-N cubicle and the CSS-N network cubicle; to remove the description of the CSS-N architecture part;
- In Section 4.3.3, to update the architecture of the SIC-2C system (fully independent between Train A and Train B); to add the description of connections between the PSS-N cubicle and the CSS-N network cubicle; to remove the description of the CSS-N architecture part;
- In Section 4.3.4, to update the architecture of the SR-C system (connection with Main Server Room only); to add the description of connections between the PSS-N cubicle and the CNP; to remove the description of the CSS-N architecture part;
- In Section 4.3.5, to add a new section describing "Interface of PSS-N in the architecture";
- In Section 4.3.6, to add a new section describing the network of the SCS-N architecture;
- To move the Sections "Powering", "Cabling", "Sensor sharing" and "Actuator sharing" to the Section "PSS-N Hardwire specifications";
- In Section 4.4, to change the reference document of "Safety I&C naming convention";
- In Section 4.5.1, to change the reference document of the HW catalogue;
- In Section 4.5.2, to change the reference document of the HW catalogue;
- In Section 4.5.3, to add the reference for the cubicle catalogue; to make the description of "cubicle monitoring" more precise; to remove the fuzzy requirement "The cubicles might be painted differently depending on the safety train";
- In Section 4.5.4, to highlight the cable requirement from reference [12];
- In Section 4.5.5, to add the "Spare I/O" requirement;
- In Section 4.5.6, to add the reference for the signal types and ranges;
- In Sections 4.5.7 and 4.5.8, to add the reference of the signal duplicator and priority module for the implementation of sensor/actuator sharing;
- In Section 4.6, to add a new section for "PSS-N software specifications";
- In Section 5.3, to highlight the PSS-N responsibility for qualification assessment even when PSS-N uses the same qualified products as CSS-N;
- To remove Section 6 "Application of PCDH to Nuclear Safety systems", as most applicable contents from PCDH are already included in the new version of PCDH-N.
v4.0; Signed; 09 Aug 2016;
- To change the terminology SIC to PIC/SIC;
- In Section 1.2, to add a chapter indicating the applicability of PCDH-N for those PSS-N inside/outside PCR707;
- In Section 2, more precise name definition: PSS is changed to PSS-N; CSS is changed to CSS-N;
- In Figures 1 and 2, to remove the data flow from CSS-N to CODAC/CIS and to modify the corresponding description in Section 2;
- In Section 3, to add the PSS-N deliverables (Section 3.3) according to the IEC 61513 lifecycle;
- In Section 4.1, to address the process of safety function specification with reference document;
- In Table 1, to change the safety system level class to "2", which corresponds to a PIC/SIC-2 system, while Note (1) remains; to add the Cat B function for SIC-1 systems, which shall be implemented as a Cat A function;
- In Section 4.2.1.2, to add the SIC-2 Cat C function implementation at "system level" or "functional level" if SFC is required;
- In Section 4.2.1.4, to add the power supply definition for SIC I&C systems; to add the reference of LV power supply quality;
- In Section 4.2.1.5, to add the reference of the safety roombook requirement for ambient conditions of nuclear safety I&C systems; to add the requirement reference from IEC 61000-6-4 and MIL-STD-461F;
- In Section 4.2.1.6, to indicate that the seismic classification refers to the SL-2 earthquake;
- In Section 4.2.1.8, to make the description more precise in order to align with Project Requirement Section 7.3.5; to impose a design guideline which requires not allocating non-SIC cubicles in a SIC room (SIC-2 cubicles do not share the SIC room with SR Cat C and Non Safety cubicles);
- In Figure 6, to revise the link of "System monitoring";
- In Section 4.3, to add the reference of "SCS-N architecture design"; to simplify the representation of the CSS-N part in the figures of the general architecture;
- In Section 4.3.2, to add the description of connections between the PSS-N cubicle and the CSS-N network cubicle; to remove the description of the CSS-N architecture part;
- In Section 4.3.3, to update the architecture of the SIC-2C system (fully independent between Train A and Train B); to add the description of connections between the PSS-N cubicle and the CSS-N network cubicle; to remove the description of the CSS-N architecture part;
- In Section 4.3.4, to update the architecture of the SR-C system (connection with Main Server Room only); to add the description of connections between the PSS-N cubicle and the CNP; to remove the description of the CSS-N architecture part;
- In Section 4.3.5, to add a new section describing "Interface of PSS-N in the architecture";
- In Section 4.3.6, to add a new section describing the network of the SCS-N architecture;
- To move the Sections "Powering", "Cabling", "Sensor sharing" and "Actuator sharing" to the Section "PSS-N Hardwire specifications";
- In Section 4.4, to change the reference document of "Safety I&C naming convention";
- In Section 4.5.1, to change the reference document of the HW catalogue;
- In Section 4.5.2, to change the reference document of the HW catalogue;
- In Section 4.5.3, to add the reference for the cubicle catalogue; to make the description of "cubicle monitoring" more precise; to remove the fuzzy requirement "The cubicles might be painted differently depending on the safety train";
- In Section 4.5.4, to highlight the cable requirement from reference [12];
- In Section 4.5.5, to add the "Spare I/O" requirement;
- In Section 4.5.6, to add the reference for the signal types and ranges;
- In Sections 4.5.7 and 4.5.8, to add the reference of the signal duplicator and priority module for the implementation of sensor/actuator sharing;
- In Section 4.6, to add a new section for "PSS-N software specifications";
- In Section 5.3, to highlight the PSS-N responsibility for qualification assessment even when PSS-N uses the same qualified products as CSS-N;
- To remove Section 6 "Application of PCDH to Nuclear Safety systems", as most applicable contents from PCDH are already included in the new version of PCDH-N.
v4.1; Approved; 05 Sep 2016;
- Modifications of the term "PIC" were made: 1) Section 1.3: PIC was changed to Protection Important Component; 2) Section 4.2.1.1: to add the sentence "For PIC EIC and PIC/CMC, are at least category C, defined case by case but it will not generate additional design requirement regarding the architecture of SCS-N"; to add the acronyms EIC and CMC in Section 1.3; 3) Section 4.2.1.5: PIC/SIC 1 and PIC/SIC 2 replaced by PIC in the third paragraph; 4) Section 4.2.1.8: PIC/SIC replaced by PIC in the fourth chapter; 5) Section 4.2.1.8: PIC/SIC2, SR and non PIC/SIC replaced by PIC/SIC-2 and non PIC in the third bullet;
- For the Class II-Safety power supply, the autonomy of the diesel is 72 h, as defined in the PBS 43 requirement.


Table of Contents

1. Introduction
1.1 Purpose
1.2 Scope
1.3 Acronyms
1.4 Reference documents and standards
1.5 Standards for the Safety I&C system
2. Nuclear Safety I&C system design philosophy
3. PSS-N Safety lifecycle
3.1 Quality
3.2 PSS-N Lifecycle
3.3 PSS-N deliverables
4. PSS-N Specifications
4.1 Functional Specifications
4.2 Safety requirements
4.2.1 Requirements related to design
4.2.2 Functional tests
4.3 SCS-N Architecture
4.3.1 SCS-N subsystems
4.3.2 General architecture for PIC/SIC-1 and PIC/SIC-2 Cat. B systems
4.3.3 General architecture for PIC/SIC-2 Cat C system
4.3.4 General architecture for SR Cat C system
4.3.5 Interfaces of PSS-N in the architecture
4.3.6 Network
4.4 Safety I&C naming conventions
4.5 PSS-N Hardware specifications
4.5.1 PIC/SIC-1 and PIC/SIC-2 Cat B
4.5.2 PIC/SIC-2 Cat C and SR Cat C
4.5.3 Cubicles
4.5.4 Cabling
4.5.5 Spare I/O
4.5.6 Sensors and Actuators
4.5.7 Sensor sharing
4.5.8 Actuator sharing
4.6 PSS-N Software specifications
5. Qualification
5.1 Nuclear qualification
5.2 Applicable standards
5.3 PSS-N qualification


1. Introduction

1.1 Purpose

This Plant Control Design Handbook for Nuclear Safety (PCDH-N) defines standards for all ITER Plant Safety Systems for Nuclear Safety (PSS-N).

These standards are essential in order to achieve an integrated and licensable system to provide ITER nuclear safety I&C functions. These standards are applicable to the development process and comprise deliverables and quality assurance requirements as well as catalogues of standard software and hardware components.

PCDH-N shall be followed by everyone involved in the development of ITER plant systems I&C which will perform nuclear safety I&C functions, i.e. plant system responsible officers (RO), plant system I&C designers and plant system I&C suppliers, regardless of their affiliation (i.e. ITER Organization (IO), Domestic Agency (DA), or industry).

PCDH-N is a living document, which is released at regular intervals throughout the lifetime of ITER. Versions of standards and products are subject to updates and extensions as the ITER project progresses. Obsolescence management is of particular importance due to the long timeline for ITER construction and operation.

1.2 Scope

The Nuclear Safety I&C functions of ITER are performed by the Safety Control System – Nuclear (SCS-N). This system is composed of:

- The CSS-N: Central Safety System – Nuclear
- The PSS-N: Plant Safety Systems – Nuclear, which are parts of the different plant systems.

PSS-N is the part of the Plant System I&C which implements nuclear safety I&C functions. A PSS-N interfaces with the CSS-N.

The CSS-N coordinates the individual protection provided by locally distributed safety systems in order to bring and keep ITER in a safe state and to prevent, detect or mitigate incidents or accidents.

Sensors and actuators (including any signal conditioning device) are out of the scope of the PSS-N, although it is connected to them. The interface point with sensors and actuators is the terminal block inside the PSS-N cubicle.

This document defines rules and guidelines to be followed by the PSS-N designers.

PCR707 defines the scope transfer of PSS-N from the individual PBS to PBS 48 [40]. The PSS-N covered by PCR707 will be designed by PBS 48 in an integrated way together with the CSS-N (e.g., the functions from different PBS may be implemented in the same controller; the initial boundary between PSS-N and CSS-N is no longer applicable and components of PSS-N and CSS-N may be allocated in the same cubicle). As a consequence, the architecture design for SCS-N may vary from the figures in PCDH-N. However, the other design rules and guidelines in PCDH-N shall still be followed.

For the PSS-N outside PCR707, which are allocated to PBS 62, PBS 63, PBS 65, PBS 64 and PBS 23, the design of the PSS-N shall follow all of the rules and guidelines in PCDH-N and the boundary with the CSS-N remains the same.

Note: Occupational safety systems are covered by the PCDH.

1.3 Acronyms

ASN: Autorité de Sûreté Nucléaire (French nuclear safety authority)
CSN-N: Central Safety Network for Nuclear Safety
CSS-N: Central Safety System for Nuclear Safety
CMC: Crisis Management Component
EIC: Environment Important Component
HMI: Human Machine Interface
ICS: Interlock Control System
PCDH-N: Plant Control Design Handbook for Nuclear Safety
PIC: Protection Important Component
PSS-N: Plant Safety System for Nuclear Safety
SCS-N: Safety Control System for Nuclear Safety
SCS-OS: Safety Control System for Occupational Safety
SIC: Safety Importance Class
CNP: Central I&C Network Panel

1.4 Reference documents and standards

[1] Preliminary Safety Report (RPrS) (ITER_D_3ZR2NC)
[2] Overall requirements specification of Safety Control System – Nuclear (ITER_D_3LU3NF)
[3] Safety Important Functions and Components Classification Criteria and Methodology (ITER_D_347SF3)
[4] IEC 61513, Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems
[5] IEC 60709, Nuclear power plants – Instrumentation and control systems important to safety – Separation
[6] IEC 61226, Nuclear power plants – Instrumentation and control important to safety – Classification of instrumentation and control functions
[7] Order dated 7 February 2012 relating to the general technical regulations applicable to BNI (Arrêté du 7 février 2012 fixant les règles générales relatives aux installations nucléaires de base) (ITER_D_7GJHSE). An English translation for guidance is available (ITER_D_7M2YKF)
[8] ITER Project Management and Quality Program – ITER Quality Assurance Program (ITER_D_22K4QX)
[9] Nuclear Safety Control System – Overall Quality Plan (ITER_D_48Y3CS)
[10] IEC 60780, Nuclear power plants – Electrical equipment of the safety system – Qualification
[11] IEC 60980, Recommended practices for seismic qualification of electrical equipment of the safety system for nuclear generating stations
[12] IO cabling rules (ITER_D_335VF9)
[13] Electrical Design Handbook Part 4: Electromagnetic compatibility (ITER_D_2ELREB)
[14] RCC-E (Design and construction rules for electrical components of nuclear islands) (2005)
[15] Quality Classification Determination (ITER_D_24VQES)
[16] Safety Functions, Systems, Signals Definition for I&C CSS Design (ITER_D_3R7ECW)
[17] IEC 61000-4 (all parts), Electromagnetic compatibility – Testing and measurement techniques
[18] IEC 61000-6-2, Electromagnetic compatibility (EMC) – Part 6-2: Generic standards – Immunity for industrial environments
[19] IEC 60812, Technical analysis for system reliability – Procedure for failure mode and effects analysis (FMEA)
[20] IEC 62138, Nuclear power plants – Instrumentation and control important for safety – Software aspects for computer-based systems performing category B or C functions
[21] ITER Seismic Nuclear Safety Approach (ITER_D_2DRVPE)
[22] ITER catalogue for Nuclear Safety I&C products – Hardwired controllers and slow controllers (ITER_D_JHQLDP)
[23] Nuclear Safety I&C Cubicle catalogue (ITER_D_RJNURB)
[24] PSS-N control logic qualification guideline (ITER_D_GULLWD)
[25] I&C Safety Functions Specification Framework & process (ITER_D_4FFWN2)
[26] Electrical Design Handbook Part 1: Introduction (ITER_D_2F7HD2)
[27] Sensor and Actuator Interface Requirements (ITER_D_NVLJ2F)
[28] IO cable catalogue (ITER_D_355QX2)
[29] PSS-N deliverables list according to IEC 61513 lifecycle (ITER_D_QF7P98)
[30] Naming convention for safety I&C variables (SNFMR5)
[31] PSS-N SIC Cubicles monitoring (S3WZQX)
[32] PCR-694 – Standardization of logic solver for SIC-1 cat. A and SIC-2 cat. B safety I&C functions (RLUDMU)
[33] IC Typicals of IS-48.01-xx (RK7EPT)
[34] Safety requirement Roombook (KF63PB)
[35] IEC 61000-6-4, Electromagnetic compatibility (EMC) – Part 6-4: Generic standards – Emission standard for industrial environments
[36] EMC conducted emission test (43QDHR)
[37] MIL-STD-461F – Requirements for the control of electromagnetic interference characteristics of subsystems and equipment
[38] SCS-N Architectural Design (KQB4CE)
[39] EDH Guide A: Electrical Installations for SSEN Systems (ITER_D_2EB9VT)
[40] Scope transfer of PSS-N from the individual PBS to PBS 48 (ITER_D_RMKCZV)

1.5 Standards for the Safety I&C system

ITER has chosen to follow the recommendations of the IEC 61513 [4] standard "Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems" for the design, manufacturing, installation and commissioning of its Nuclear Safety Control System. This standard is a top level standard that proposes an overall safety life cycle of the I&C and introduces some second level standards.


The design and manufacturing of a PSS-N shall comply with the following standards:

For all categories:
o IEC 61226, Nuclear power plants – Instrumentation and control systems important for safety – Classification [6],
o IEC 61513, Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems [4],
o IEC 60709, Nuclear Power Plants – Instrumentation and Control systems important to safety – Separation [5], except for some cabling rules which are replaced by RCC-E rules [14], according to the ITER document IO cabling rules [12], which defines the cabling separation rules to be applied,
o IEC 61000-4 (all parts), Electromagnetic Compatibility – Testing and measurement techniques [17],
o IEC 61000-6-2, Electromagnetic compatibility (EMC) – Part 6-2: Generic standards – Immunity for industrial environments [18],
o IEC 61000-6-4, Electromagnetic compatibility (EMC) – Part 6-4: Generic Standards – Emission Standard for Industry Environments [35].

For Category A:
o IEC 60780, Nuclear power plants – Electrical equipment of the safety system – Qualification [10],
o IEC 60812, Technical Analysis for system reliability – Procedure for failure mode and effects analysis (FMEA) [19],
o Seismic events: IEC 60980, Recommended practices for seismic qualification of electrical equipment of the safety system for nuclear generating stations [11], or RCC-E adapted to the ITER project [14] (see section 5).

For Category B:
o IEC 60780, Nuclear power plants – Electrical equipment of the safety system – Qualification [10] or RCC-E [14] (see section 5.2),
o Seismic events: IEC 60980, Recommended practices for seismic qualification of electrical equipment of the safety system for nuclear generating stations [11], or RCC-E adapted to the ITER project [14] (see section 5.2).

For Category C:
o IEC 62138, Nuclear power plants – Instrumentation and control important for safety – Software aspects for computer-based systems performing category B or C functions [20].
o Category C systems for which a specific environmental qualification is required (e.g. resistance to seismic conditions, or operation under specific environmental conditions) may be qualified to industrial standards according to IEC 61513 [4]. However, the use of IEC 60780 might be required under certain circumstances; refer to section 5.6 of IEC 61513 [4] for a detailed explanation.


2. Nuclear Safety I&C system design philosophy

A plant system may have specific safety functions that are implemented locally in a Plant Safety System for nuclear safety (PSS-N). The Central Safety System for nuclear safety (CSS-N) coordinates the individual protections provided by the PSS-N, enables manual control by the operator and displays data for the operator.

The Safety Control System for Nuclear Safety (SCS-N) is a hierarchical system. There are two types of safety functions:

Figure 1: Local function. Diagram: Sensor → (Safety event) → PSS-N → (Safety action) → Actuator, all inside one plant system; PSS-N → (Monitoring data) → CSS-N → (Monitoring data) → Safety HMI → Control-Room Operator; Operator command flows back from the Control-Room Operator through the CSS-N to the PSS-N. Legend: signal critical in function activation; signal for monitoring only.

A safety function is considered "local" when the event detection (sensor) and the safety action (actuator) are performed within a single plant system. In this case, the function is executed locally and autonomously inside the plant safety system. Monitoring data (e.g. safety threshold reached, safety function activation, actuator states …) are sent to the control-room operator on the safety HMI. If required, a control-room operator command is sent to the PSS-N via the CSS-N (depending on the importance of the role of the CSS-N in the function, the "central function model" described below may be more suitable).


Figure 2: Central function. Diagram: Sensor → (Safety event) → detecting PSS-N → (Safety event) → CSS-N → (Safety action) → acting PSS-N → (Safety action) → Actuator; CSS-N → (Monitoring data) → Safety HMI → Control-Room Operator; Operator command from the Control-Room Operator via the CSS-N to the PSS-N. Legend: signal critical in function activation; signal for monitoring only.

A safety function is considered “central” when the event detection (sensor) and the actions (actuator) are performed by different plant systems. In this case, the event (signal for safety threshold reached) is detected by one or several PSS-N; it is then communicated to the CSS-N, which commands one or several PSS-N to perform the required actions. Monitoring data (safety threshold reached, safety function activation, actuator states) are sent to the control-room operator on a safety HMI. If required, manual operator commands can also be sent to the PSS-N via the CSS-N.
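The local and central function models described above, as an added executable model (not code from the handbook or from ITER): two PSS-N, one local function and one central function, are run once with the CSS-N link to the first PSS-N intact and once with it lost. The class names, the tag names PT-101 and RT-201, the thresholds and the actuator names are constructed for the example. The point it makes is the one the handbook relies on: the local function drives its actuator to the safe state without any help from the CSS-N, while the central function and operator commands depend on the CSS-N, and the safety HMI receives monitoring data only.

```python
"""Executable model of the local / central function split of the SCS-N.

Added example, not ITER code. PSS-N/CSS-N behaviour is reduced to what the
handbook states: a local function runs entirely inside one PSS-N, a central
function needs the CSS-N to carry the event from one PSS-N to actuators in
another, and the safety HMI only receives monitoring data. Class names, tag
names ("PT-101", "RT-201"), actuator names and thresholds are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PssN:
    name: str
    sensors: dict[str, float]                   # tag -> current value
    thresholds: dict[str, float]                # tag -> limit; event when value >= limit
    local_actions: dict[str, str] = field(default_factory=dict)  # tag -> actuator
    actuators: dict[str, str] = field(default_factory=dict)      # actuator -> state
    monitoring: list[dict] = field(default_factory=list)         # data offered to CSS-N

    def scan(self) -> list[str]:
        """One logic-solver scan: detect events and execute *local* functions.

        Nothing here depends on the CSS-N, so a lost CSS-N link cannot stop a
        local function from driving its actuator to the safe state."""
        events = [t for t, v in self.sensors.items() if v >= self.thresholds[t]]
        for tag in events:
            if tag in self.local_actions:
                self.actuators[self.local_actions[tag]] = "SAFE"
        self.monitoring.append({"pss": self.name, "events": list(events),
                                "actuators": dict(self.actuators)})
        return events

    def command(self, actuator: str, state: str) -> None:
        """Action requested through the CSS-N (central function or operator)."""
        self.actuators[actuator] = state


class CssN:
    """Coordinates central functions and feeds the safety HMI."""

    def __init__(self, central_functions: dict[tuple[str, str], list[tuple[str, str]]]):
        # (source PSS-N, tag) -> [(target PSS-N, actuator), ...]
        self.central_functions = central_functions
        self.links: dict[str, PssN | None] = {}   # None = communication lost
        self.hmi: list[dict] = []                 # monitoring data only

    def connect(self, pss: PssN, alive: bool = True) -> None:
        self.links[pss.name] = pss if alive else None

    def cycle(self, reported: dict[str, list[str]]) -> list[tuple[str, str]]:
        """Process the events each PSS-N raised in its scan; return actions sent."""
        sent = []
        for src, events in reported.items():
            if self.links.get(src) is None:
                continue                       # nothing from a lost link reaches CSS-N
            self.hmi.extend(self.links[src].monitoring[-1:])
            for tag in events:
                for target, actuator in self.central_functions.get((src, tag), []):
                    pss = self.links.get(target)
                    if pss is not None:
                        pss.command(actuator, "SAFE")
                        sent.append((target, actuator))
        return sent

    def operator_command(self, target: str, actuator: str, state: str) -> bool:
        """Manual command from the safety HMI, always routed via the CSS-N."""
        pss = self.links.get(target)
        if pss is None:
            return False
        pss.command(actuator, state)
        return True


def run_scenario(css_link_up: bool) -> dict:
    """PSS-A: local function PT-101 -> valve_iso; central function PT-101 -> PSS-B damper_close."""
    pss_a = PssN("PSS-A", {"PT-101": 9.0}, {"PT-101": 8.0}, {"PT-101": "valve_iso"})
    pss_b = PssN("PSS-B", {"RT-201": 1.0}, {"RT-201": 5.0})
    css = CssN({("PSS-A", "PT-101"): [("PSS-B", "damper_close")]})
    css.connect(pss_a, alive=css_link_up)      # simulate loss of the CSS-N link to PSS-A
    css.connect(pss_b)
    reported = {p.name: p.scan() for p in (pss_a, pss_b)}
    css.cycle(reported)
    result = {"local": pss_a.actuators.get("valve_iso"),
              "central": pss_b.actuators.get("damper_close"),
              "hmi_rows": len(css.hmi)}
    # An operator reset of the local actuator must also travel via the CSS-N.
    result["operator_reset_ok"] = css.operator_command("PSS-A", "valve_iso", "RUN")
    return result


if __name__ == "__main__":
    print("CSS-N link up:  ", run_scenario(True))
    print("CSS-N link lost:", run_scenario(False))
```

With the link lost, `run_scenario(False)` still reports the local actuator in the safe state, but the central actuator is untouched, only one monitoring record reaches the HMI and the operator command is rejected; that dependency is why a function whose actuator sits in another plant system is specified as a central function and coordinated by the CSS-N.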


The following figures show examples of central functions:

[Figure 3 (image not reproduced): one CSS-N connected to three PSS-N.]

Figure 3: Example of central function 1

[Figure 4 (image not reproduced): one CSS-N connected to four PSS-N.]

Figure 4: Example of central function 2

[Figure 5 (image not reproduced): one CSS-N connected to two PSS-N and to the safety HMI.]

Figure 5: Example of central function 3


3. PSS-N Safety lifecycle

3.1 Quality

The complete PSS-N lifecycle will have to comply with the requirements of:

• The Order dated 7 February 2012 relating to the general technical regulations applicable to basic nuclear installations (Arrêté du 7 février 2012 fixant les règles générales relatives aux installations nucléaires de base) [7],

• ITER Project Management and Quality Program – ITER Quality Assurance Program [8],

• IEC 61513 standard “Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems” [4],

• Nuclear Safety Control System - Overall Quality Plan [9].

In compliance with [4], IO has developed an overall quality plan for the SCS-N [9]. The entity in charge of the design of a PSS-N shall establish a "System Quality Plan", which applies the "Overall Quality Plan for the SCS-N" to that PSS-N and which shall comply with the reference documents and standards listed above.

3.2 PSS-N Lifecycle

The PSS-N lifecycle will be compliant with [4] and in particular with its section 6, which is dedicated to individual I&C systems.

Whenever possible, this individual PSS-N life-cycle will be compliant with the life-cycle model proposed in PCDH.

3.3 PSS-N deliverables

According to the IEC 61513 lifecycle, a set of outputs shall be provided during each lifecycle phase of PSS-N development. An indicative list of the deliverables corresponding to such IEC 61513 lifecycle outputs is provided by the document “PSS-N deliverables list according to IEC61513 lifecycle” [29].


4. PSS-N Specifications

4.1 Functional Specifications

Nuclear safety functions are defined as a group of specific actions that prevent or mitigate radiological hazards. These actions can therefore prevent or mitigate dose uptake by personnel on-site and by members of the public.

There are two fundamental safety functions required for the ITER facility:

• Radioactive material confinement: ensuring that the personnel, the public and the environment are protected against releases of radioactive material. This function is achieved with confinement barriers and the associated confinement systems,

• Limitation of internal and external exposure to ionizing radiation.

The Nuclear Safety Control System (SCS-N) has to provide protection of personnel and the environment with respect to radiological risks by implementing the safety I&C functions. The SCS-N provides the means to bring ITER to a safe state and maintain it there, or to mitigate the consequences of an incident or accident.

Monitoring information will be provided by the PSS-N to the CSS-N to indicate the status of the plant in all operational states and in accident and post-accident conditions, and whether the safety functions and requirements are met and maintained.

The status of the safety functions will be monitored and the real positions of the actuators will be compared with the expected values during all operational states.

The nuclear safety I&C functions are identified in a top-down process. At top level they are identified by document [16]. These identified functions will be specified individually by IO in a collaborative effort of the Controls Division, Operations, the Safety Department and the participating plant systems. The detailed process for specifying nuclear safety I&C functions is described in document [24].

4.2 Safety requirements

This section gathers safety requirements from different reference documents and standards. It may not be exhaustive and additional requirements from other reference documents may have to be taken into account. These requirements shall be followed by PSS-N.

4.2.1 Requirements related to design

4.2.1.1 Safety classification

Each PSS-N may be composed of different sub-systems with different nuclear safety levels. Each PSS-N subsystem shall have a safety classification compliant with the Preliminary Safety Report (RPrS) [1] Vol I chap 10 classification: PIC/SIC-1, PIC/SIC-2, SR.


Safety Importance Class (SIC) describes a classification scheme for structures, systems and components that perform a safety function and contribute to the general safety objectives at ITER during incident/accident situations.

Those systems and components with a Safety Importance Class assigned should receive adequate and appropriate attention during the design, manufacture, installation, commissioning and operational stages. The objective is to ensure and demonstrate that they will meet the minimum performance and reliability requirements throughout their intended lifecycle.

Document [3] defines Safety Important Functions and Components Classification Criteria and Methodology (ITER_D_347SF3).

IEC 61226 [6] defines safety categories for nuclear safety I&C functions (category A, B, C). IEC 61513 also defines 3 safety classes for I&C systems (Class 1, class 2, class 3). A "Non Safety" class (NS) can be added to this classification.

Based on the safety analysis, all safety I&C subsystems will be assigned to a safety class on a case by case basis. There are four different types of nuclear safety subsystem; Table 1 shows them together with a fifth, non-safety row, which is implemented by the conventional control, interlock or occupational safety control systems and not by the nuclear safety control system:

Structure/System/Component (ITER) | Function safety level (IEC 61226 category) | System safety level (IEC 61513 class)
----------------------------------|--------------------------------------------|--------------------------------------
PIC/SIC-1                         | A (2)                                      | 1
PIC/SIC-2                         | B                                          | 2 (1)
PIC/SIC-2                         | C                                          | 3
SR                                | C                                          | 3
SR                                | Non Safety                                 | Conventional I&C

Table 1 Relation of PIC/SIC levels and function category and system class

PIC/EIC and PIC/CMC functions are at least category C, defined case by case, but this does not generate additional design requirements regarding the architecture of the SCS-N.

(1) Uses the same technology as class 1 systems. Qualification requirements are those of PIC/SIC-2 Cat. B (ITER will not use computerized Class 2 systems due to their cost and the difficulties in licensing; section 4.3 describes the architectures of each subsystem).

(2) There might be Cat B safety functions identified for a SIC-1 system. These Cat B functions shall be implemented with the same technology and qualification requirements as Cat A functions.


4.2.1.2 Single Failure Criterion

Single-failure criterion: an assembly of equipment satisfies the single-failure criterion if it is able to meet its purpose despite a single random failure assumed to occur anywhere in the assembly. Consequential failures resulting from the assumed single failure are considered to be an integral part of the single failure.

The single failure criterion shall be taken into account in the design of PIC/SIC-1 and PIC/SIC-2 safety I&C systems, by using adequate solutions from all of the following: redundancy, independence, physical separation and electrical isolation.

The single failure criterion shall be met at the system level for PIC/SIC-1 systems (for example, a PIC/SIC-1 system has to provide redundancy).

The single failure criterion can be fulfilled at “system level” or “functional level” for PIC/SIC-2 Cat B systems (Implementation at functional level means the criterion can be achieved by two different safety functions which contribute to the same objective).

Compliance of PIC/SIC-2 Cat C systems with the single failure criterion is required on a case by case basis. The functional specifications of the nuclear I&C safety functions will specify whether compliance with the single failure criterion is required or not. If required, the criterion can be fulfilled at “system level” or “functional level” for PIC/SIC-2 Cat C systems.

For safety related (SR) Cat C systems, compliance with the single failure criterion is not required.

4.2.1.3 Failsafe principle

Safety functions should be designed as failsafe, so that the corresponding actuators go to a predefined position (the so-called failsafe position) in case of:

• deactivation of the control signals,

• loss of the power sources, or

• loss of communication.

Technical specifications for safety I&C functions shall define the failsafe state of each function. It shall be defined for all operating conditions, including normal, incident or accident situations.

Generally the failsafe state corresponds to the triggering of the function, but there are some exceptions. In the former case the command should be designed “de-energize to trip”; in the latter it should be “energize to trip”. Control logic shall be intrinsically failsafe.

In the case of non-compliance with this requirement, a justification shall be provided to substantiate the robustness of the function towards scenarios in which there is a loss of power.
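An added example, not code from the handbook or from ITER, covering sections 4.2.1.2 and 4.2.1.3 together: it enumerates every single random failure of a two-train assembly, closes each one over the consequential failures it causes (loss of a power feed takes out the sensor and logic solver fed by it), and checks that the safety action is still performed on demand. It then contrasts a de-energize-to-trip output with an energize-to-trip output under the loss-of-power scenario that the paragraph above asks a non-failsafe design to justify. The component names, the dependency table and the shared-actuator variant are assumptions constructed for the illustration.

```python
"""Single-failure enumeration, with consequential failures and failsafe behaviour.

Added example, not ITER code. The assembly (two trains, each with a power
feed, a sensor, a logic solver and a spring-return actuator) and its dependency
table are constructed for the illustration. Taken from the handbook: a single
random failure anywhere in the assembly, together with the failures it causes,
must not defeat the function; a de-energize-to-trip output falls to the trip
state on loss of signal or power, an energize-to-trip output cannot act at all."""
from __future__ import annotations

# component -> components whose failure also takes this one out (consequential failure).
# Spring-return actuators reach the failsafe position without power, so no dependency.
DEPENDS_ON = {
    "power_A": [], "sensor_A": ["power_A"], "logic_A": ["power_A"], "act_A": [],
    "power_B": [], "sensor_B": ["power_B"], "logic_B": ["power_B"], "act_B": [],
}
TRAINS = {"A": ("power_A", "sensor_A", "logic_A", "act_A"),
          "B": ("power_B", "sensor_B", "logic_B", "act_B")}

# Variant with one shared actuator: the classic single point of failure.
DEPENDS_ON_SHARED = {k: v for k, v in DEPENDS_ON.items() if not k.startswith("act_")}
DEPENDS_ON_SHARED["act_shared"] = []
TRAINS_SHARED = {"A": ("power_A", "sensor_A", "logic_A", "act_shared"),
                 "B": ("power_B", "sensor_B", "logic_B", "act_shared")}


def consequential(failed: set[str], depends_on: dict[str, list[str]]) -> set[str]:
    """Close a failure set: every component depending on a lost one is lost too."""
    lost = set(failed)
    changed = True
    while changed:
        changed = False
        for comp, deps in depends_on.items():
            if comp not in lost and any(d in lost for d in deps):
                lost.add(comp)
                changed = True
    return lost


def train_output(train: tuple[str, ...], lost: set[str], failsafe: str) -> str:
    """Output of one train's logic solver while the event is present (demand)."""
    power, sensor, logic, _ = train
    if power in lost or logic in lost:
        # No healthy control signal: a de-energize-to-trip output drops to TRIP,
        # an energize-to-trip output can no longer be raised.
        return "TRIP" if failsafe == "de-energize" else "NONE"
    if sensor in lost:
        return "NONE"        # conservative: an undetected sensor fault gives no demand
    return "TRIP"


def function_achieved(lost: set[str], failsafe: str, trains: dict = TRAINS) -> bool:
    """The safety action is performed if any train drives a working actuator to trip."""
    return any(train[3] not in lost and train_output(train, lost, failsafe) == "TRIP"
               for train in trains.values())


def single_failure_check(depends_on: dict, trains: dict, failsafe: str) -> list[str]:
    """Try every single random failure (with its consequences) on demand.
    Returns the components whose failure defeats the function; an empty list
    means the single-failure criterion is met at system level."""
    return [comp for comp in depends_on
            if not function_achieved(consequential({comp}, depends_on), failsafe, trains)]


def loss_of_all_power(failsafe: str, depends_on: dict = DEPENDS_ON,
                      trains: dict = TRAINS) -> bool:
    """Beyond a single failure: both power trains lost. This is the scenario for
    which a non-failsafe (energize-to-trip) design must provide a justification."""
    lost = consequential({c for c in depends_on if c.startswith("power_")}, depends_on)
    return function_achieved(lost, failsafe, trains)


if __name__ == "__main__":
    for label, dep, tr in (("two trains", DEPENDS_ON, TRAINS),
                           ("shared actuator", DEPENDS_ON_SHARED, TRAINS_SHARED)):
        for fs in ("de-energize", "energize"):
            print(f"{label:16s} {fs:12s} defeating single failures: "
                  f"{single_failure_check(dep, tr, fs)}")
    print("loss of all power, de-energize-to-trip:", loss_of_all_power("de-energize"))
    print("loss of all power, energize-to-trip:   ", loss_of_all_power("energize"))
```

The two-train assembly passes the enumeration with either output design, which is the single-failure criterion met at system level; the shared-actuator variant is reported as defeated by `act_shared`, the kind of finding that points at a missing redundancy, independence or separation measure. Only the de-energize-to-trip variant still performs the action when both power feeds are lost, which is the intrinsically failsafe logic the handbook asks for.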


4.2.1.4 Power supplies

The power supply of PIC/SIC I&C systems is organized in two independent trains. PIC/SIC-1 and PIC/SIC-2 I&C systems shall be powered by two independent and non-interruptible electrical trains: PIC/SIC train-A and PIC/SIC train-B. The two trains supply LV Class II Safety power (230 V AC, uninterruptible AC power source backed by a battery set for up to 1 hour of autonomy and then by a diesel generator available for up to 72 hours). Each I&C train shall be powered by the corresponding electrical train (PIC/SIC train-A or PIC/SIC train-B). This requirement guarantees that the systems will be able to fulfil their mission even during a prolonged loss of external power.

The 24 V DC and other necessary low voltages for PIC/SIC I&C components shall be generated locally (inside the cubicles) from the LV Class II Safety source. The power supplies inside the PIC/SIC I&C cubicles shall be monitored, so that a power supply failure can be reported and repaired.

The power supply for SR I&C systems is provided by two independent sources:

o LV Class II-IP power supply: 230 V AC, uninterruptible power source backed by a battery set for up to 1 hour of autonomy and then by a diesel generator available for up to 24 hours;

o LV Class IV-OL power supply: 230 V AC, indefinitely interruptible power source, directly provided from the electrical supply network.

The 24V DC and other necessary low voltages shall be generated locally (inside the cubicles) by redundant power supply modules using LV Class II-IP or LV Class IV-OL sources. The power supplies inside the SR I&C cubicles shall be monitored. Therefore, in case of failure of power supply it can be reported and repaired.

Details of the LV power supply classes can be found in EDH Part 1: Introduction [26]. LV power supply quality is defined in section 4.1.1 of [39]. Any abnormal voltage or frequency variation in the PSS-N outside the definition in [39] shall be qualified by the PSS-N.

4.2.1.5 Environmental conditions

The environmental conditions that the system is required to withstand shall be specified in accordance with the constraints imposed by the plant context. Environmental conditions to be specified include:

• Ambient conditions, including temperature, humidity, pressure, radiation, static magnetic field and electromagnetic interference, at operating conditions. These conditions shall comply with the requirements defined in the safety roombook [34]. They are defined as the influence quantities expected as a result of normal operating requirements, the expected extremes in normal operating requirements and the postulated conditions appropriate for the postulated initiating events of the plant;

• Ambient conditions imposed by potential hazards external to the system;

• Power supply and heat removal conditions.

PIC systems shall be qualified for their environmental conditions.

To protect the safety I&C systems from EMI, including changing magnetic fields and plasma transients and disruptions, the principles defined in [13], which addresses the following topics, shall be applied:

• Equipment emission requirements,

• Earthing policy,

• EM zoning,

• Protection of sensors and instrumentation cubicles,

• Cable classification and routing segregation.

That document covers the requirements of standards [17], [18] and [35]. Additionally, following the definition in [36], ITER applies the MIL standard [37] for equipment conducted-emission requirements, which covers a wider frequency range than IEC 61000-6-4.

The document [12] defines the rules for separation between the cable trays supporting the various categories of electrical cables (to protect the sensitive cables from perturbing cables).

The environmental qualification process is described in section 5.

4.2.1.6 Seismic requirements and classification

The seismic conditions (i.e. seismic spectra) that the system will be subjected to shall be specified. The seismic classification of systems and components implementing safety I&C functions shall be specified in the PBS safety defined requirements and in the corresponding functional specifications, according to the main requirements recommended by [2]. The seismic classification principle is based on the safety objective and functional requirements in the event of an SL-2 earthquake. Seismic classification is defined in [21]; there are the following seismic classes: SC1 (SF), SC1 (S), SC2 and NSC.

Seismic qualification is described in section 5.

4.2.1.7 Periodic tests

Periodic testing is a way to demonstrate the ability of the systems to perform as required.

The design shall allow the performance of periodic tests during the available periods for testing. These will be defined in the PSS-N specification.

4.2.1.8 Separation rules and fire protection

I&C systems important to safety in nuclear facilities need to tolerate the effects of plant/equipment faults as well as internal and external hazards. Various techniques are available to increase the level of tolerance of I&C systems to such effects, including the provision of independent systems, subsystems and equipment. For claims of independence between such systems and equipment to be made, adequate separation shall be provided and maintained.

Separation rules between the different parts of the I&C system should, as far as possible, be compliant with the standards [5] and [6].

Specific rules to use in the ITER project are defined in [3] and [12].


Regarding fire, as defined in [3], specific requirements are associated with the PIC grade, such as:

• The PIC/SIC-1 (redundant) systems shall be located in two independent and separate fire sectors. Each train (A and B) of the electrical supply and the I&C cabling of PIC/SIC-1 cubicles shall be routed through independent and separate fire sectors. The PIC/SIC-1 cubicles are located in dedicated rooms (not containing PIC/SIC-2, SR or non-PIC/SIC cubicles). The PIC/SIC-1 cubicles shall be equipped with automatic fire detection and suppression systems.

• The redundant PIC/SIC-2 systems shall be located in two independent and separate fire sectors. The redundant PIC/SIC-2 cubicles can be installed together with SR and non-PIC/SIC cubicles, at dedicated and separate places in the same room. The distance between PIC/SIC-2 cubicles and non-PIC/SIC cubicles shall be at least 2 metres. This room (and not the cubicles themselves) shall be equipped with automatic fire detection and suppression systems. Each train (A and B) of the electrical supply and the I&C cabling of PIC/SIC-2 cubicles shall be routed through different fire sectors.

• Non-redundant PIC/SIC-2 cubicles may be installed in the same room as SR and non-PIC/SIC cubicles if all of the cubicles (PIC/SIC-2 and non-PIC/SIC) are equipped with automatic fire detection and suppression systems.

• In one room, all the PIC/SIC-1 cubicles must be on the same train (A or B) for power supply and I&C cabling. Likewise, in one room, all the PIC/SIC-2 cubicles must be on the same train (A or B) for power supply and I&C cabling.

As mentioned above, the rules to use in the ITER project imply:

• Physical separation in different fire sectors of the redundant parts of a PIC/SIC-1 function;

• Physical separation of a PIC/SIC-1 system from systems of lower level, in a dedicated room;

• Physical separation in different fire sectors of the redundant parts of a PIC/SIC-2 function;

• Physical separation of a PIC/SIC-2 system from systems of lower level, by a distance of at least 2 m; however, the allocation of SR Cat C and non-safety I&C systems into a PIC/SIC room which accommodates PIC/SIC-2 systems shall be avoided as much as possible;

• Cohabitation in the same cubicles of PIC/SIC-2 Cat B and PIC/SIC-2 Cat C systems is authorized;

• Cohabitation in the same cubicles of SR Cat C and non-safety I&C systems is authorized.

Separation rules for cables are defined in [3] and [12]. These rules specify the constraints between:

• the two redundant trains of a safety system;

• PIC/SIC (PIC/SIC-1 and PIC/SIC-2) and non-PIC/SIC (SR and non-safety) systems.

Without detailing these rules here, the cabling of the two redundant parts of a PIC/SIC-1 function is performed using independent cable trays (train A and train B) to be routed through different fire sectors. To avoid common cause failure due to fire or other environmental conditions, redundant communication links within PIC/SIC I&C systems have to be routed through separate cable trays as explained in [12].
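An added example, not code from the handbook or from ITER, that applies the separation rules of this section to a cubicle layout: each cubicle carries its level, train, room, fire sector and position, and the checker reports every violation of the room, fire-sector, train and 2 m rules stated above. The Cubicle record, the room and fire-sector names and the two sample layouts are constructed for the illustration; fire detection and suppression equipment and the cable-tray rules of [12] are not modelled.

```python
"""Check of a cubicle layout against the separation rules of section 4.2.1.8.

Added example, not ITER code. The Cubicle record, the room/fire-sector names
and the two sample layouts are constructed; the rules encoded are the ones the
handbook states: redundant PIC/SIC-1 and PIC/SIC-2 parts in different fire
sectors, PIC/SIC-1 cubicles in dedicated rooms, at least 2 m between PIC/SIC-2
cubicles and non-PIC/SIC (SR or non-safety) cubicles, and one train per room
for PIC/SIC-1 and for PIC/SIC-2 cubicles. Fire detection/suppression equipment
is not modelled."""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Cubicle:
    name: str
    system: str        # plant system / function whose redundant parts it implements
    level: str         # "PIC/SIC-1", "PIC/SIC-2", "SR" or "NS" (non-safety)
    train: str         # "A", "B", or "-" when not part of a redundant pair
    room: str
    fire_sector: str
    x: float           # position inside the room, metres
    y: float


NON_PIC = {"SR", "NS"}


def check_layout(cubicles: list[Cubicle]) -> list[str]:
    """Return one finding per rule violation; an empty list means compliant."""
    findings: list[str] = []

    # Rule 1: redundant parts (train A / train B of one system and level) in different fire sectors.
    by_system: dict[tuple[str, str], list[Cubicle]] = defaultdict(list)
    for c in cubicles:
        if c.level in ("PIC/SIC-1", "PIC/SIC-2") and c.train in ("A", "B"):
            by_system[(c.system, c.level)].append(c)
    for (system, level), group in by_system.items():
        for a, b in combinations(group, 2):
            if a.train != b.train and a.fire_sector == b.fire_sector:
                findings.append(f"{level} {system}: trains A and B share fire sector "
                                f"{a.fire_sector} ({a.name}, {b.name})")

    by_room: dict[str, list[Cubicle]] = defaultdict(list)
    for c in cubicles:
        by_room[c.room].append(c)
    for room, group in by_room.items():
        levels = {c.level for c in group}
        # Rule 2: PIC/SIC-1 cubicles only share a room with other PIC/SIC-1 cubicles.
        if "PIC/SIC-1" in levels and levels != {"PIC/SIC-1"}:
            findings.append(f"room {room}: PIC/SIC-1 cubicles share the room with "
                            f"{sorted(levels - {'PIC/SIC-1'})}")
        # Rule 3: within a room, all PIC/SIC-1 (resp. PIC/SIC-2) cubicles are on one train.
        for level in ("PIC/SIC-1", "PIC/SIC-2"):
            trains = {c.train for c in group if c.level == level and c.train in ("A", "B")}
            if len(trains) > 1:
                findings.append(f"room {room}: {level} cubicles on both trains {sorted(trains)}")
        # Rule 4: PIC/SIC-2 cubicles at least 2 m from SR / non-safety cubicles.
        for sic2 in (c for c in group if c.level == "PIC/SIC-2"):
            for low in (c for c in group if c.level in NON_PIC):
                dist = math.hypot(sic2.x - low.x, sic2.y - low.y)
                if dist < 2.0:
                    findings.append(f"room {room}: {sic2.name} is {dist:.1f} m from "
                                    f"{low.name} (minimum 2 m)")
    return findings


# Constructed sample layouts (names and coordinates are invented).
COMPLIANT = [
    Cubicle("X-SIC1-A", "PBS.X", "PIC/SIC-1", "A", "R1", "FS1", 0.0, 0.0),
    Cubicle("X-SIC1-B", "PBS.X", "PIC/SIC-1", "B", "R2", "FS2", 0.0, 0.0),
    Cubicle("Y-SIC2-A", "PBS.Y", "PIC/SIC-2", "A", "R3", "FS3", 0.0, 0.0),
    Cubicle("Y-SIC2-B", "PBS.Y", "PIC/SIC-2", "B", "R4", "FS4", 0.0, 0.0),
    Cubicle("Y-NS-1",   "PBS.Y", "NS",        "-", "R3", "FS3", 3.0, 0.0),
]
NON_COMPLIANT = [
    Cubicle("X-SIC1-A", "PBS.X", "PIC/SIC-1", "A", "R1", "FS1", 0.0, 0.0),
    Cubicle("X-SIC1-B", "PBS.X", "PIC/SIC-1", "B", "R2", "FS1", 0.0, 0.0),  # same fire sector
    Cubicle("X-SR-1",   "PBS.X", "SR",        "-", "R1", "FS1", 5.0, 0.0),  # SR in a SIC-1 room
    Cubicle("Y-SIC2-A", "PBS.Y", "PIC/SIC-2", "A", "R3", "FS3", 0.0, 0.0),
    Cubicle("Y-NS-1",   "PBS.Y", "NS",        "-", "R3", "FS3", 1.5, 0.0),  # 1.5 m < 2 m
    Cubicle("Y-SIC2-B", "PBS.Y", "PIC/SIC-2", "B", "R3", "FS3", 6.0, 0.0),  # both trains in R3
]

if __name__ == "__main__":
    for label, layout in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(label, check_layout(layout) or "no findings")
```

The non-compliant layout yields five findings: the two PIC/SIC-1 cubicles share a fire sector, an SR cubicle sits in a PIC/SIC-1 room, the two PIC/SIC-2 cubicles of room R3 share a fire sector and are on both trains, and one of them is 1.5 m from a non-safety cubicle. A check of this kind belongs in the layout review, since none of these rules can be verified from the cubicle designs alone.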


4.2.2 Functional tests

The nuclear safety I&C systems will be tested in order to demonstrate that they meet the design requirements. The following tests will be performed:

• Integration and validation tests.

• Hardware qualification tests, when required.

• Functional validation tests. These tests may require partial interconnection of a few systems and so may require dedicated test platforms.

PSS-N will not be interfaced with the mini-CODAC. Plant systems suppliers shall develop a specific test device that will interface with their PSS-N and allow the factory acceptance tests and site acceptance tests to be carried out.

After installation on site, preliminary tests will be performed on the different parts of the nuclear safety I&C system to demonstrate its correct operation. Then the safety I&C system will be used for testing of the controlled process.

4.3 SCS-N Architecture

4.3.1 SCS-N subsystems

To meet the requirements of the nuclear safety I&C functions, the SCS-N is composed of several subsystems. Depending on the PIC/SIC level and function category, the four possible types are: PIC/SIC-1, PIC/SIC-2 Cat B, PIC/SIC-2 Cat C and SR Cat C.

All these subsystems will be independent from each other. They shall be physically separated according to the rules presented in section 4.2.1.8. Appropriate electrical isolation will be implemented between systems of different safety levels according to IEC 60709 [5] and RCC-E [14].

Each subsystem will be connected by means of a different network of the Central Safety Network – Nuclear (CSN-N). The following figure presents a simplified architecture of the SCS-N.


[Figure 6 (image not reproduced). Recoverable elements: Safety Operator Desks; CSN networks: CSN SIC-1 (hardwired), CSN SIC-2 Cat B (hardwired), CSN SIC-2 Cat C (class 3 computerised), CSN SR Cat C (class 3 computerised); CSS-N subsystems: CSS-N SIC-1 (Class 1 system), CSS-N SIC-2 Cat B (Class 1 system), CSS-N SIC-2 Cat C (Class 3 system), CSS-N SR Cat C (Class 3 system); PSSx-N control logic for SIC-1 Cat A, SIC-2 Cat B, SIC-2 Cat C and SR Cat C, each with signal conditioning and its sensors and actuators; system monitoring; hardwired links; links to CODAC, CIS and CSS-OS.]

Figure 6: SCS-N architecture (note: only one of the two operator safety desks is shown in the figure)

Accordingly, a PSS-N may be composed of different subsystems, each one belonging to the corresponding SCS-N subsystem (e.g. a PIC/SIC-2 Cat. B PSS-N belongs to the PIC/SIC-2 Cat. B SCS-N subsystem).

In the following sections (4.3.2 to 4.3.4), general architectures for each subsystem are depicted. These figures of the general architecture are provided for information only. In these figures, the CSS-N part represents PBS48 cubicles and safety desks; the PBS48 cubicles may house some of the following components: network switch, marshalling terminal block, control logic solver, SCADA server, etc. The configuration of CSS-N cubicles is outside the scope of this general architecture and is therefore not detailed here. Further details of the architecture are given in “SCS-N Architecture design” [38].

4.3.2 General architecture for PIC/SIC-1 and PIC/SIC-2 Cat. B systems

PIC/SIC-1 and PIC/SIC-2 Cat B systems, both class 1 systems, have the same architecture, which is based on solid-state logic solvers (HIMA Planar 4). The logic solver is selected according to PCR694 [32]. The PIC/SIC-1 and PIC/SIC-2 Cat B links between the logic solvers are hardwired (i.e. two wires are required per signal). Each logic solver has a module for acquiring the monitoring data. The interface between this module and the critical logic is designed to ensure that no failure can propagate from the monitoring system to the critical safety function.

PIC/SIC-1 and PIC/SIC-2 Cat B systems shall comply with the single failure criterion. Therefore they are implemented in two different autonomous trains. The Train A and Train B parts of the system are fully independent. The following figures show the architecture of a PIC/SIC-1 and PIC/SIC-2 Cat B system.


[Figure 7 (image not reproduced). Recoverable elements, from sensors & actuators through PSS-N to CSS-N: PBS.X and PBS.Y PSS PIC/SIC-1 cubicles on train A and train B; PBS.48 train A and train B PIC/SIC-1 network cubicles; PBS.48 train A and train B PIC/SIC-1 cubicles (CSS PIC/SIC-1) with PIC/SIC-1 monitoring; monitoring modules; PBS.48 train A and train B PIC/SIC-2 Cat C cubicles; hardwired HMI and computerized HMI in the MCR and the BCR. Legend: PIC/SIC-1 hardwired train A; PIC/SIC-1 hardwired train B; PIC/SIC-1 monitoring train A and train B (classed as PIC/SIC-2 Cat. C).]

Figure 7: Architecture of PIC/SIC-1 subsystem


[Figure 8 (image not reproduced). Recoverable elements, from sensors & actuators through PSS-N to CSS-N: PBS.X and PBS.Y PSS PIC/SIC-2 Cat B cubicles on train A and train B; PBS.48 train A and train B PIC/SIC-2 network cubicles; PBS.48 train A and train B PIC/SIC-2 Cat B cubicles (CSS PIC/SIC-2 Cat B) with PIC/SIC-2 Cat B monitoring; monitoring modules; PBS.48 train A and train B PIC/SIC-2 Cat C cubicles; hardwired HMI and computerized HMI in the MCR and the BCR. Legend: PIC/SIC-2 Cat B hardwired train A; PIC/SIC-2 Cat B hardwired train B; PIC/SIC-2 Cat B monitoring train A and train B (classed as PIC/SIC-2 Cat. C).]

Figure 8: Architecture of PIC/SIC-2 Cat. B subsystem


In each PIC/SIC room housing PIC/SIC-1 or PIC/SIC-2 Cat B PSS-N, there will be a CSS-N network cubicle to which the PSS-N will be connected. This is the interface between the PSS-N and the CSS-N. Since the trains are fully independent, each one has its own network cubicles.

PIC/SIC-1 PSS-N, always located in PIC/SIC-1 rooms, shall be connected to PIC/SIC-1 network cubicles, whereas PIC/SIC-2 Cat B PSS-N shall be connected to PIC/SIC-2 Cat B network cubicles. There are two types of connection between a PSS-N cubicle and a CSS-N network cubicle:

• Hardwired connection between HIMA I/O modules in the PSS-N cubicle and marshalling terminals in the CSS-N network cubicle;

• Network connection between HIMA COM modules in the PSS-N cubicle and an optical link module in the CSS-N network cubicle. Detailed connections are given in [38].

The conceptual network connection is configured as follows:

• Each HIMA rack within the PSS-N cubicle (PIC/SIC-1 or PIC/SIC-2 Cat B) sends the diagnostic information of that rack via Profibus;

• The Profibus connects to an OLM module inside the PSS-N cubicle;

• The OLM is incorporated into the optical network using optical link modules in the CSS-N network cubicle (PIC/SIC-2 Cat C).

[Figure 9 (image not reproduced). Recoverable elements: in the PSS-N cubicle (PIC/SIC-1 or PIC/SIC-2 Cat B), each HIMA Planar 4 rack (module locations 1 … 20, 21) has a Profibus connector on the Profibus network; an OLM/G22 converts to fibre optic; the optical link terminates in the PIC/SIC-2C network cubicle, towards the CSS-N cubicle PIC/SIC-2C. Legend: from PSS-N cubicle PIC/SIC-1 or PIC/SIC-2B.]

Figure 9: Conceptual Network connections between PSS-N cubicle (PIC/SIC-1 or PIC/SIC-2 Cat B) and CSS-N network cubicle (PIC/SIC-2 Cat C)

Plant systems responsible officers are in charge of the cabling up to the CSS-N network cubicle.


4.3.3 General architecture for PIC/SIC-2 Cat C system

PIC/SIC-2 Cat C systems, which are class 3 systems, have an architecture based on safety programmable logic controllers (Siemens S7-400 F/FH). These PLCs communicate with each other over an Ethernet network using a safety protocol such as Profisafe.

Compliance of PIC/SIC-2 Cat C systems with the single failure criterion is required on a case by case basis. The functional specifications of the I&C nuclear safety functions will specify whether compliance with the single failure criterion is required or not. If so, the corresponding function will be implemented in two trains following the same separations rules as PIC/SIC-2 Cat B systems.

The following figure shows the architecture of PIC/SIC-2 Cat C systems.

[Figure 10 (image not reproduced). Recoverable elements, from sensors & actuators through PSS-N to CSS-N: PBS.X and PBS.Y PSS PIC/SIC-2 cat. C cubicles on train A and train B; PBS.48 PIC/SIC-2 network cubicles and PIC/SIC-2C cubicles (train A and train B); Cat. C computerized HMI in the MCR and the BCR. Legend: SIC-2 cat. C network cable train A; SIC-2 cat. C network cable train B.]

Figure 10: Architecture of PIC/SIC-2 Cat. C subsystem, case of two trains


In each SIC room housing SIC-2 Cat C PSS-N, there will be a CSS-N network cubicle to which the PSS-N will be connected. This is the interface between the PSS-N and the CSS-N. Since the trains are fully independent, each one has its own network cubicles. Within each train (A and B), the network connection is configured redundantly, from the redundant CP443-1 modules in the PSS-N cubicle to the redundant network switches in the CSS-N network cubicle.

Plant systems responsible officers are in charge of the fibre optic cabling up to the CSS-N network cubicle.

4.3.4 General architecture for SR Cat C system

SR Cat C systems, which are class 3 systems, have an architecture based on safety programmable logic controllers (Siemens S7-400 F/FH). These PLCs communicate with each other over an Ethernet network using a safety protocol such as Profisafe.

For SR Cat C systems, compliance with the single failure criterion is not required.

The following figure shows the architecture of SR Cat C systems:

[Figure 11 (image not reproduced): sensors & actuators, PSS-N and CSS-N of the SR Cat. C subsystem.]

Figure 11: Architecture of SR Cat. C subsystem

Note that Figure 11 shows a redundant network configuration for the SR Cat C system; however, the network for SR Cat C systems will be configured as indicated in section 4.3.6.


SR Cat C PSS-N will be connected to the nearest communication network panel (CNP). The communication network panels are installed at strategic locations close to the conventional plant system I&C cubicles. This is the interface between the PSS-N and the CSS-N for SR Cat C systems. The network connection is configured from the CP443-1 module in the PSS-N cubicle to the patch panel reserved for SR Cat C PSS-N connections in the CNP.

Plant systems responsible officers are in charge of the fibre optic cabling up to the communication network panel.

4.3.5 Interfaces of PSS-N in the architecture

4.3.5.1 Interface between PSS-N and CSS-N

For the PIC/SIC-1 and PIC/SIC-2 I&C systems, the interface between PSS-N and CSS-N is built up via the marshalling terminals in the network cubicle. The PSS-N cubicles and the connected network cubicles are in the same SIC room. For the SR I&C system, the interface between PSS-N and CSS-N is built up on the CNP.

4.3.5.2 Interface between PSS-N and Safety desks

Normally there is no direct connection between PSS-N and Safety desks; this connection shall go through CSS-N. However, a direct connection between PSS-N and Safety desks may be implemented if the connection is for monitoring purposes only. Note that this kind of direct connection is not shown in the diagrams of the SCS-N architecture in Section 4.3.

4.3.5.3 Interface between two PSS-N cubicles

The interface between two PSS-N cubicles shall always be made through CSS-N, except if both belong to the same PSS-N. In the first case, the CSS-N shall centralise and coordinate the required action, which will be sent to the other PSS-N. If the PSS-N cubicles belong to the same PSS-N, the interface shall be made within the PSS-N.

4.3.5.4 Interface between PSS-N and sensor/actuator

The connections from sensor/actuator to PSS-N shall comply with the requirements defined in documents [27] and [33]. The possible connections between sensor/actuator and the selected I/O modules are defined in document [33].

4.3.5.5 Other interfaces

It is foreseen that there are interfaces among systems with different safety categories. Sufficient isolation measures shall be added on the interface, so that a failure of the lower safety category system cannot impact the higher safety category system.

It is foreseen that there are connections between Train A and Train B. However, inter-train connections should be considered as exceptions and be subjected to careful review. If inter-train connections cannot be avoided, sufficient isolation measures shall be added on the interface, so that a failure of one train cannot impact the other train.


4.3.6 Network

For the PIC/SIC-2 Cat C systems implemented in two trains (A and B), the redundant network shall be configured within each train (two networks per train). The PIC/SIC-2 Cat C systems which do not comply with the Single Failure Criterion will be allocated to one train with a redundant network configuration. The redundant network connection between the PIC/SIC-2 Cat C PSS-N cubicle and the CSS-N Network Cubicle shall be configured as follows:

- Redundant CP443-1 modules shall be configured in the CPU rack of the PSS-N cubicle;
- Redundant network switches shall be configured in the CSS-N Network cubicle;
- One of the CP443-1 modules in the PSS-N cubicle connects to one of the CSS-N network switches in the network cubicle;
- The other CP443-1 module in the PSS-N cubicle connects to the other network switch in the CSS-N network cubicle;
- This PSS-N cubicle and the connected CSS-N Network cubicle shall be located in the same PIC/SIC room.

For SR Cat C systems, the necessity of a redundant network configuration shall depend on the results of the system RAMI analyses. If a redundant network is necessary, its configuration shall be similar to that of the PIC/SIC-2 Cat C systems; the difference is that for SR Cat C systems the connection is between the SR Cat C PSS-N cubicle and the CNP.
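As an added illustration (not tooling from this handbook or from the ITER project), the following Python check encodes the redundant network rules of this section, including the SR Cat C variant, as a design-rule validator over a constructed description of one train; the dictionary layout and the cubicle, module, switch and room names are assumptions.

```python
"""Design-rule check for the 4.3.6 redundant network (added example).

Not ITER project code. Checks a constructed description of one train against
the rules of 4.3.6: two CP443-1 modules in the PSS-N cubicle, two switches at
the peer (CSS-N network cubicle, or CNP for SR Cat C), each CP443-1 linked to
a different switch, and PSS-N cubicle and CSS-N network cubicle in the same
PIC/SIC room. All names and the dictionary layout are assumptions.
"""
from __future__ import annotations

# Constructed sample: PIC/SIC-2 Cat C PSS-N, train A, compliant with 4.3.6.
GOOD_TRAIN = {
    "kind": "PIC/SIC-2 Cat C",
    "pss_n": {"room": "SIC-room-A1", "cp443_1": ["CP-1", "CP-2"]},
    "peer": {"room": "SIC-room-A1", "switches": ["SW-1", "SW-2"]},
    "links": [("CP-1", "SW-1"), ("CP-2", "SW-2")],
}

# Constructed counter-example: both CP443-1 modules cabled to the same switch,
# so a single switch failure takes down both network paths.
BAD_TRAIN = {
    "kind": "PIC/SIC-2 Cat C",
    "pss_n": {"room": "SIC-room-A1", "cp443_1": ["CP-1", "CP-2"]},
    "peer": {"room": "SIC-room-A1", "switches": ["SW-1", "SW-2"]},
    "links": [("CP-1", "SW-1"), ("CP-2", "SW-1")],
}


def check_redundant_network(train: dict) -> list[str]:
    """Return the list of 4.3.6 rule violations; an empty list means compliant.

    For 'PIC/SIC-2 Cat C' the peer is the CSS-N network cubicle and must be in
    the same PIC/SIC room. For 'SR Cat C' the peer is the CNP and the
    same-room rule is not applied (assumption of this example, see 4.3.4).
    """
    findings: list[str] = []
    cps = train["pss_n"]["cp443_1"]
    switches = train["peer"]["switches"]
    links = train["links"]  # list of (cp_module, switch) pairs

    if len(cps) != 2:
        findings.append(f"expected 2 CP443-1 modules in PSS-N cubicle, found {len(cps)}")
    if len(switches) != 2:
        findings.append(f"expected 2 redundant switches at the peer, found {len(switches)}")

    owner: dict[str, str] = {}  # switch -> CP module already using it
    for cp in cps:
        targets = [sw for (c, sw) in links if c == cp]
        if not targets:
            findings.append(f"{cp} has no link to a peer switch")
        for sw in targets:
            if sw not in switches:
                findings.append(f"{cp} is linked to unknown switch {sw}")
            elif sw in owner and owner[sw] != cp:
                findings.append(f"{cp} and {owner[sw]} share switch {sw}: no path diversity")
            else:
                owner[sw] = cp

    if train["kind"] == "PIC/SIC-2 Cat C" and train["pss_n"]["room"] != train["peer"]["room"]:
        findings.append("PSS-N cubicle and CSS-N network cubicle are not in the same PIC/SIC room")
    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD_TRAIN", GOOD_TRAIN), ("BAD_TRAIN", BAD_TRAIN)):
        print(name, check_redundant_network(cfg) or "compliant")
```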

4.4 Safety I&C naming conventions

The naming conventions for the nuclear safety I&C system are defined in document [30]. The naming conventions in that document shall be followed in the design of PSS-N and CSS-N.

4.5 PSS-N Hardware specifications

4.5.1 PIC/SIC-1 and PIC/SIC-2 Cat B

PIC/SIC-1 I&C systems and PIC/SIC-2 I&C systems implementing Cat B functions shall be implemented as class 1 technology systems using solid-state, hardwired safety I&C systems of the highest safety level, as described in document [22]. The solid-state controller HIMA Planar 4 shall be used to implement the SIC-1 and SIC-2 Cat B PSS-N.

4.5.2 PIC/SIC-2 Cat C and SR Cat C

PIC/SIC-2 I&C systems implementing Cat C functions and SR I&C systems implementing Cat C functions shall be implemented as class 3 systems using safety PLCs as defined in document [22]. The safety programmable logic controller Siemens S7-400 F/FH shall be used to implement the SIC-2 Cat C and SR Cat C PSS-N.


4.5.3 Cubicles

The PSS-N control logic solver shall be installed in floor-standing cubicles. The construction of PSS-N cubicles shall comply with the catalogue for the Nuclear Safety I&C Cubicle [23]. The following requirements shall be followed by PSS-N cubicles:

The cubicles shall be environmentally and seismically qualified according to the specified environmental conditions (see 4.2.1.5) and seismic requirements and class (see 4.2.1.6). The qualification process is described in section 5.

The cubicles shall have front and rear access and be fitted with key-locks. The cubicles shall be fixed to the floor. There are 3 different cases: cubicles fixed to a concrete slab, to a metallic frame (for mezzanine-hosted cubicles) and to a structure below a false floor.

The cubicle power supply shall comply with the requirements defined in section 4.2.1.4. Cubicles will implement electrical protections (e.g. short-circuit protection).

The cubicles shall have cable entries on the top. For rooms with false floors, cable entries will be from the bottom.

The cubicles shall be at least IP55. The following cubicle parameters shall be monitored:

- Front/rear door status
- Internal temperature higher than threshold value
- Power supply state
- Fire detection system state, if any

This information shall be made available to the SCS-N SCADA. For the technical implementation of PSS-N cubicle monitoring, refer to [31].

The PIC/SIC-1 cubicles shall be fitted with fire detection and extinguishing capabilities. The non-redundant PIC/SIC-2 cubicles shall be fitted with fire detection and extinguishing capabilities. Space provision for a fire detection and extinction system should be provided in SIC-2 cubicles that may house SIC-2 Cat C functions. Cubicles, cables and all components shall be labelled.

4.5.4 Cabling

The cabling must follow the requirements defined in Section 4.2.1.8 and reference [12]. The requirements for ITER cables are highlighted in Section 5.4.4 of reference [12] and concern reduced flame propagation, flame retardance, low smoke, zero halogen and non-toxicity. In addition, all SIC cables shall comply with the “fire resistant” requirement. The cable shall be selected from the catalogue [28].

4.5.5 Spare I/O

Spare requirements shall be taken into account when the signals are allocated to the corresponding I/O modules.

Additional reserve I/O channels per type shall be no less than 20%. Additional reserve slots per backplane type shall be no less than 20%.


4.5.6 Sensors and Actuators

Sensors and actuators are out of the scope of the PSS-N. However, some of the most important requirements with which they have to comply as part of the PSS-N are mentioned here.

Sensors connected to PIC/SIC-1 and PIC/SIC-2 Cat B systems shall supply binary signals, not analogue signals. Smart sensors are not allowed since they use software, which would have to be qualified according to IEC 60880 and IEC 62138.

Sensors connected to PIC/SIC-2 Cat C and SR Cat C systems can provide binary or analogue signals.

The complete signal types and ranges, which are used for the selected I/O modules in the catalogue [22], are defined in document [33]. These shall be considered as rules for PSS-N systems.

The main standards to be followed for sensors are:

- IEC 61513, “Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems” [4].
- IEC 61226, “Nuclear power plants – Instrumentation and control systems important for safety – Classification” [6].
- IEC 60709, “Nuclear Power Plants – Instrumentation and Control systems important to safety – Separation” [5], except for some cabling rules which will be replaced by RCC-E rules [14], according to the ITER document IO cabling rules [12], which defines the cabling separation rules to be applied.
- For categories A and B: IEC 60780, “Nuclear power plants – Electrical equipment of the safety system – Qualification”. Category C systems for which specific environmental qualification is required (e.g. resistance to seismic conditions, or operation under specific environmental conditions) may be qualified to industrial standards according to IEC 61513 [4]. However, the use of IEC 60780 might be required under certain circumstances; refer to section 5.6 of IEC 61513 [4] for a detailed explanation.
- For category A only: IEC 60812, “Technical Analysis for system reliability – Procedure for failure mode and effects analysis (FMEA)” [19].

4.5.7 Sensor sharing

As far as possible, each ITER I&C system has its own dedicated sensors. There are two kinds of situations:

- Sharing of sensors between the SCS-N and other systems such as SCS-OS, ICS or conventional control.
- Sharing of sensors between systems of different categories within the SCS-N (e.g. the same sensor used for PIC/SIC-1 Cat A and PIC/SIC-2 Cat C).

Sharing of sensors shall be avoided. In the case that cannot be achieved, measures shall be put in place to ensure that faults within systems of lower categories do not propagate to higher category systems. As reference, the signal duplicator defined in the document [27] could be used for the sensor sharing implementation. The requirements of standard IEC 60709 [5] are applicable.


4.5.8 Actuator sharing

As is the case for sensors, each ITER I&C system should have its own dedicated actuators. This applies to two kinds of situations:

- Sharing of actuators between the SCS-N and other systems such as SCS-OS, ICS or conventional control.
- Sharing of actuators between systems of different categories within the SCS-N (e.g. the same actuator used for PIC/SIC-1 Cat A and PIC/SIC-2 Cat C).

In the case where two or more systems share the same actuator, measures shall be put in place to ensure that the triggering of the actuator by a system is never prevented by any action of a system of lower category. In addition, it shall be ensured that faults within systems of lower category do not propagate to higher category systems. As reference, the priority module defined in the document [27] could be used for the actuator sharing implementation. The requirements of standard IEC 60709 [5] are applicable.
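As an added illustration (not the priority module defined in document [27], nor ITER project code), the following Python model encodes the precedence rule of this section together with the isolation requirement of 4.3.5.5: the highest-category system with an active demand decides the actuator, and a lower-category system, faulty or not, can never block it. The category ordering, the CONV label for conventional control and the Command fields are assumptions of this example.

```python
"""Illustrative priority resolver for a shared actuator (added example).

Not the priority module of document [27] and not ITER project code. It models
only the rule of section 4.5.8: triggering of the actuator by a system is
never prevented by any action of a system of lower category, and faults in a
lower-category system do not propagate upwards. Category ranks, the 'CONV'
label (conventional, non-safety control) and the Command fields are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Higher rank = higher safety category (assumed ordering, Cat A highest).
CATEGORY_RANK = {"A": 3, "B": 2, "C": 1, "CONV": 0}


@dataclass(frozen=True)
class Command:
    system: str             # requesting system, e.g. "PIC/SIC-1"
    category: str           # "A", "B", "C" or "CONV"
    demand: Optional[bool]  # True = trigger, False = release, None = no demand
    healthy: bool = True    # False = the requesting system reports a fault


def resolve(commands: list[Command], default: bool = False) -> tuple[bool, str]:
    """Return (actuator_state, deciding_system).

    Commands are walked from highest to lowest category. The first system that
    is healthy and expresses a demand decides the output; anything below it is
    ignored, so a lower-category demand or fault can never override or block a
    higher-category demand. A faulty system is treated as silent (isolation).
    When no system demands anything, the default state applies.
    """
    for cmd in commands:
        if cmd.category not in CATEGORY_RANK:
            raise ValueError(f"unknown category {cmd.category!r} for {cmd.system}")
    ordered = sorted(commands, key=lambda c: CATEGORY_RANK[c.category], reverse=True)
    for cmd in ordered:
        if not cmd.healthy or cmd.demand is None:
            continue
        return cmd.demand, cmd.system
    return default, "default"


def scenarios() -> dict[str, tuple[bool, str]]:
    """Constructed cases: a Cat A PSS-N and conventional control share one actuator."""
    return {
        # Cat A trips while conventional control is trying to hold the actuator open.
        "cat_a_trip_vs_conv_release": resolve(
            [Command("conventional", "CONV", False), Command("PIC/SIC-1", "A", True)]),
        # A faulty Cat C system cannot block the Cat A trip.
        "cat_c_fault_cannot_block": resolve(
            [Command("PIC/SIC-2", "C", False, healthy=False), Command("PIC/SIC-1", "A", True)]),
        # Cat A has no demand, so the Cat C system is free to act.
        "cat_a_silent_cat_c_acts": resolve(
            [Command("PIC/SIC-1", "A", None), Command("PIC/SIC-2", "C", True)]),
        # Nobody demands anything: default (released) state.
        "no_demand": resolve([Command("PIC/SIC-1", "A", None)]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: actuator={'TRIGGERED' if result[0] else 'released'} by {result[1]}")
```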

4.6 PSS-N Software specifications

There is no software development for PIC/SIC-1 and PIC/SIC-2 Cat B systems as they use the solid-state logic solver HIMA Planar 4. The technology is selected and defined in PCR694.

PIC/SIC-2 Cat C and SR Cat C systems are developed based on safety programmable logic controllers - Siemens S7-400 F/FH (using the F-system libraries). The software development of PSS-N shall use the qualified Siemens software packages, which are listed in the Section 3.3 of the reference document [22].

The Software development of PSS-N shall comply with IEC 62138 [20].


5. Qualification

5.1 Nuclear qualification

The whole SCS-N will be qualified. This process provides assurance that the system is capable of meeting, on a continuing basis, the design basis functional and performance requirements needed for the functions important to safety while subject to the specified environmental conditions and specified constraints. The qualification will be performed against international standards and has to be approved by the French nuclear safety authority, ASN. The qualification requirements differ depending on the safety class and category.

The qualification can be divided into three main items:

- Product qualification.
- Environmental qualification, including seismic qualification.
- Application function qualification.

Product qualification is related to the ability of the components composing the SCS-N (e.g. logic solver) to be part of the safety system and comply with the general safety requirements. The scope of this part is what section 5.6 of IEC 61513 [4] refers to as “Product-related topics (equipment family) Generic (pre-) qualification”. It relies mainly on:

- Third party certification,
- Verification of compliance with nuclear standards,
- Product quality assurance inspection and
- Operating experience.

Environmental qualification refers to the evidence that the systems will perform as expected for all operating conditions. These are defined as the quantities influencing the system that are expected as a result of normal operation, expected extremes in normal operating requirements and the conditions associated with the postulated initiating events of the plant. The need for environmental qualification depends on the system class and category. Qualification may be accomplished in several ways:

- Type testing,
- Operating experience or
- Analysis.

These may be used individually or in any combination depending upon the particular situation.

The normal and abnormal environmental conditions that the system is required to withstand shall be specified in accordance with the constraints imposed from the plant context. The environmental conditions which have to be specified are provided in section 4.2.1.5 and 4.2.1.6 for the seismic requirements.

Finally, the application function qualification ensures the compliance of the system with the specifications of the safety functions. This qualification relies mainly on extensive tests which are defined according to the safety classifications.


5.2 Applicable standards

The main standards followed by the SCS-N are IEC 61513 [4] and IEC 61226 [6]. They introduce the main requirements and the differences between system classes and categories.

Concerning environmental qualification, the main standard to follow for categories A and B is the IEC 60780 [10]. Alternatively, these systems can also be qualified according to section B2000 of RCC-E [14]. Category C systems for which specific environmental qualification is required (e.g. resistance to seismic conditions, or operation under specific environmental conditions), may be qualified to industrial standards according to the IEC 61513 [4]. However, the use of the IEC 60780 might be required under certain circumstances. Please refer to section 5.6 of the IEC 61513 [4] for a detailed explanation.

Seismic qualification should be achieved against either IEC 60980 [11] or section B4200 of RCC-E [14].

Finally, EMC qualification shall be performed in accordance with the relevant requirements set in EDH part 4 [13], which is aligned with the IEC 61000-4 series [17].

5.3 PSS-N qualification

Plant system responsible officers are responsible for the qualification of their PSS-N, with respect to the requirements described in [24] – SCS-N Overall Qualification Plan.

PBS 48 (CSS) will design and qualify components to be used by the SCS-N. In particular, this will cover the product qualification and the environmental qualification for all SCS-N and the application function qualification for just the CSS-N part.

These systems which will be considered as the main or standard systems to be used for both CSS-N and PSS-N, will be made available to the plant system responsible officers to implement the PSS-N. This way, PSS-N will already have the product and environmental qualification. In order to make it possible for all plant systems to use the environmental qualification, this environmental qualification will be carried out for conditions enveloping the environmental conditions of all PIC/SIC rooms (except those inside the Tokamak building, due to its high magnetic field and radiation; for this reason, control logic shall not be placed inside the Tokamak Building). If the environmental conditions of a PSS-N exceed those of this qualification (so-called standard environmental conditions), the corresponding plant system responsible officers shall carry out the environmental qualification for these conditions.

The plant system responsible officers will be responsible for performing the qualification of their part of the application function.

If a plant system does not use the systems developed and qualified by CSS (PBS 48), it will have to carry out the product, environmental and application function qualification itself.

Finally, plant systems shall carry out all of the qualification concerning sensors and actuators.

Summing up, PSS-N designers/suppliers shall carry out:


- An assessment to demonstrate that the PSS-N components are covered by the CSS-N product and environmental qualification, when the PSS-N uses the same products as the CSS-N under the same environmental conditions as the CSS-N,
- Environmental qualification for the main (standard) systems used in PSS-N if their environmental conditions exceed those defined for the general environmental qualification performed by PBS 48 (standard conditions),
- Product and environmental qualification of specific products used by PSS-N (this includes non-standard PSS-N systems as well as sensors and actuators),
- The qualification part for plant system specific application functions, in all cases.

As a general requirement, all SCS-N qualification plans will have to comply with [24] – SCS-N Overall Qualification Plan and all SCS-N qualification reports will be integrated in the Overall Qualification Report to be produced by IO. Each entity in charge of the design of a PSS-N will have to establish specific qualification plans as a result of the application of the [24] - SCS-N Overall Qualification Plan established by IO for the PSS-N.

The following table presents an overview of the qualification process and responsibilities.

Table 2 Qualification process