N.P. Taylor(1), A.E. Poucet(1), L.C. Cadwallader(2), R. Caporali(3), and C. Girard(4)
(1) ITER Joint Central Team, 11025 North Torrey Pines Rd., La Jolla, CA 92037
(2) Lockheed Martin Idaho Technologies Co., Idaho National Engineering and Environmental Laboratory, P.O. Box 1625, Idaho Falls, Idaho 83415
(3) ANPA, Via Vitaliano Brancati 48, 00144 Roma, Italy
(4) CEA Cadarache, DER/STML BP 1 - 13108 - St Paul lez Durance, France
An essential part of the ITER Engineering Design Activities (EDA) is the assurance that the design meets strict safety criteria. This is necessary to support future submissions to a regulatory authority, should this be required once a construction site is selected. It also helps to demonstrate the very favorable safety and environmental characteristics of fusion as a power source.
In this context, analyses have been performed of postulated accidents, in order that the possible consequences can be assessed against targets for releases and other criteria. The range of events considered is based on a comprehensive hazard identification study, which seeks to ensure that the accident analyses are complete, i.e. that any events not analyzed are inconsequential to public safety.
Wherever feasible, formal systematic methodologies (e.g. Failure Modes and Effects Analysis) have been used for the hazard identification and sequence analysis. The extent to which this has been possible has depended largely on the available design detail for the plant component or sub-system under investigation.
Overall, two independent and complementary approaches have been employed. A top-down study, based on the construction of a global fault tree (master logic diagram), takes as its starting point the hazardous releases, and seeks to reveal potential accidents that could make the hazardous inventories vulnerable to release. The bottom-up studies start with detailed component-level faults, and consider all potential consequences. The resulting list of accident initiating events is screened, grouped into event families, and those with potentially more significant consequences are developed into event sequences by the use of event trees. In all cases, the aim is to show that the ultimate consequences of all identified event sequences are addressed by accident analyses which assess the outcome against acceptance criteria.
The result of these studies is a demonstration that the accident analyses performed as part of the ITER EDA safety study treat a comprehensive range of event sequences, and give confidence that the ITER engineering design will achieve its safety targets. This paper outlines the approach used in the study and summarizes the main results and conclusions.