Subscribe options

Select your newsletters:


Please enter your email address:

@

News & Media

Latest ITER Newsline

  • Computer-Aided Design | A new platform with Australia

    In September 2016, the signature of a Cooperation Agreement between the Australian Nuclear Science and Technology Organisation (ANSTO) and the ITER Organization [...]

    Read more

  • ITER Council | Project metrics confirm performance

    The governing body of the ITER Organization, the ITER Council, met for the twenty-first time on 15 and 16 November 2017 under the chairmanship of Won Namkung (K [...]

    Read more

  • COP 23 | Placing ITER on the global scene

    On the western bank of theRhine and not far from the seat of the UN Climate Change Secretariat, world leaders are discussing how to push ahead for international [...]

    Read more

  • Japan's MEXT Minister | Seeing is believing

    On 4 November, ITER received Yoshimasa Hayashi, the Japanese Minister of MEXT—the Ministry of Education, Culture, Sports, Science and Technology with oversight [...]

    Read more

  • Architect Engineer | ENGAGE receives prestigious award

    Since 2006, the French 'Grand Prix de l'Ingénierie' has recognized engineering projects and/or teams that are remarkable in terms of scope, innovation, complexi [...]

    Read more

Of Interest

See archived articles

Safety programmable controllers qualified for ITER

JM. Fourneron, P. Petitpas, C. Fernandez Robles, Bin Li, Control System Division

Bin Li, Carlos Fernandez Robles, Jean-Marc Fourneron and Pierre Petitpas from the Plant Control & Instrumentation Section are pictured next to an example of the Siemens S7 400 F/FH range of programmable controllers that has been certified for ITER. (Click to view larger version...)
Bin Li, Carlos Fernandez Robles, Jean-Marc Fourneron and Pierre Petitpas from the Plant Control & Instrumentation Section are pictured next to an example of the Siemens S7 400 F/FH range of programmable controllers that has been certified for ITER.
It's only a one-page certificate but the symbolic value is strong. Delivered after three years of work and partnership with industry, the certificate confirms that a best-in-class safety programmable controller—the Siemens S7 400 F/FH range—is also suitable for the implementation of nuclear safety I&C functions in ITER at intermediate safety level "category C."

Although category C is not the highest safety level (category A is the highest) it represents by far the biggest number of safety signals and commands in the ITER safety instrumentation and control (I&C) system. That's about 20,000 pieces of information on the safety status of the ITER machine and on automatic or manual safety controls that must reach the operators in the control rooms to inform their decisions and actions.

For such a huge amount of information engineers rely on programmable controllers and network technologies, however this means using complex software that is difficult to test in an exhaustive way. But by implementing a stringent quality process, formalized lifecycle, robust design principles, and a comprehensive verification and validation process, software can be demonstrated to be suitable for some safety I&C applications. The rules for such certification are well defined in international standards, with detailed requirements for both classic industry and nuclear environments.

Looking for cost effectiveness, the ITER Organization selected best-in-class industrial products through international call for tender and is now performing the pre-qualification activities. The selected Siemens S7 400 F/FH range of programmable controllers was already certified as suitable for safety applications in industry (SIL3 according to IEC 615018)—now the bridge to certifying the software for nuclear safety I&C standard requirements had to be built. In the end, it took more than two years.

The qualities that must be demonstrated for certification are related to the design and manufacturing of the products and the core know-how of the manufacturer. Along the way, it was necessary to build confidence with the manufacturer, including management, sales, R&D, quality assurance, and intellectual property teams. Non-Disclosure Agreements also had to be negotiated and signed. Siemens set up a specific organization to drive the process internally and sought out the right people for the job. It was then necessary to agree on the exact scope of the compliance demonstration and the level of detail. Would the demonstration be developed in house or would a third party be retained?

TÜV Sud, a renowned certification body with expertise in nuclear applications, was finally selected by Siemens to assess the compliance of the S7 400 F/FH range to category C of the nuclear safety I&C standards. The ten-month certification process, which included the assessment of 85 documents and a three-day audit with 25 people in attendance, resulted in a 50-page qualification report and a final certificate of compliance.

The exercise demonstrated the importance of establishing a partnership with manufacturers when products need to be qualified for nuclear applications. The extensive involvement of Siemens France over three years and the collaboration of Siemens Germany for the last two was greatly appreciated.

Now that we have certification that the Siemens S7 400 F/FH range of programmable controllers is suitable for our applications, we are pursuing the effort to qualify the control logic hardware to the ITER environmental conditions. Ageing tests have already been performed and these will be followed by stringent electromagnetic compatibility tests—representative of lightning striking the buildings—and magnetic field tests. In 2016, the consortium Empresarios Agrupados/Inabensa will be charged with final seismic tests on full-size control logic cubicles.

Jean-Paul Vion and Michael Rosemeyer from Siemens collaborated on this article.


return to the latest published articles