Page 443 - Fundamentals of Magnetic Thermonuclear Reactor Design
P. 443
420 Fundamentals of Magnetic Thermonuclear Reactor Design
given the approximate character of such estimates, and the inevitable uncertain-
ties associated with the number of operational man-hours. For this reason, the
reduction of the staff exposure is one of the key objectives of the ongoing ITER
design optimisation.
An important part of the comprehensive safety analysis for an off-normal
operation conditions is the identification of the so-called postulated IEs that may,
under certain conditions, lead to accidents within design basis. Because in prac-
tice only a limited list of event sequences is generally addressed, one should make
sure that the selected events may give rise to the worst possible damages. In this
sense, the analysis should exhaustively reflect the severity of possible accidents.
ITER operational safety was analysed using the top–down and the bottom–
up approaches. The top–down analysis involved the construction of a global
fault tree (in the form of a Master Logic Diagram) and identification of con-
ditions and events that may potentially lead to a release of harmful effluents
outside the facility. The bottom–up analysis used information about conceivable
failures in every plant component and system involved in a sequence of events.
Each identified fault was assigned a frequency, which was used as a basis for
−1
categorising an event sequence as an incident (if the frequency f > 0.01 year )
−6
−2
or AWDB (if the frequency 10 /year > f > 10 /year). Faults with frequencies
−6
lower than 10 /year were qualified as hypothetical. More than a hundred pos-
sible event sequences, analysed during the ITER design phase, were grouped by
similar consequences, that is, by the facility’s ultimate condition. The outcome
of the analysis was a list of IEs, identified for each of the groups.
Twenty-five ‘reference’ events were identified for the numerical analysis pur-
poses (see Appendix A14.2). Estimates were made using fusion-specific or mod-
ified computer codes (see Appendix A14.3). The results are summed up next.
Total releases of tritium, activated cooling system corrosion products and
activated IVC dust—estimated by individual species and overall—are below
the design limits (in most cases by several orders of magnitude). The highest
2
releases are expected under a rupture of the largest pipe (0.34 m flow area)
of the divertor cooling loop in a heat transfer system vault outside the vacuum
vessel (∼15% of the design limit) and at the loss of vacuum under the failure of
window/valves leak-tightness in a vacuum vessel penetration line (from 0.02 to
2
0.2 m cross-sectional area) (∼12%) [19].
For hypothetical events, worst-case scenarios are considered, such as termi-
nation of removal of residual heat released by RMs due to loss of cooling or fail-
ure of the plasma discharge suppression system. As illustrated by Table 14.4, the
ITER design has sufficient safety margins to meet the no-evacuation criterion
in all cases. There are no low-probability event scenarios, in which the 50 mSv
threshold is passed. The worst postulated IE is the break of the pipes in the three
loops of the IVC cooling system followed by ingress of steam containing tri-
tium and activated dust into the premises through depressurised windows of the
additional heating system. The ventilation/detritiation system allows reducing
pressure in contaminated premises to 100 kPa in around 1 h. Such a situation
