Safety programmable controllers qualified for ITER

29 Jan 2016 - JM. Fourneron, P. Petitpas, C. Fernandez Robles, Bin Li, Control System Division
Bin Li, Carlos Fernandez Robles, Jean-Marc Fourneron and Pierre Petitpas from the Plant Control & Instrumentation Section are pictured next to an example of the Siemens S7 400 F/FH range of programmable controllers that has been certified for ITER.
It's only a one-page certificate but the symbolic value is strong. Delivered after three years of work and partnership with industry, the certificate confirms that a best-in-class safety programmable controller—the Siemens S7 400 F/FH range—is also suitable for the implementation of nuclear safety I&C functions in ITER at intermediate safety level "category C."
 
Although category C is not the highest safety level (category A is the highest) it represents by far the biggest number of safety signals and commands in the ITER safety instrumentation and control (I&C) system. That's about 20,000 pieces of information on the safety status of the ITER machine and on automatic or manual safety controls that must reach the operators in the control rooms to inform their decisions and actions.
 
For such a huge amount of information, engineers rely on programmable controllers and network technologies; however, this means using complex software that is difficult to test exhaustively. But by implementing a stringent quality process, formalized lifecycle, robust design principles, and a comprehensive verification and validation process, software can be demonstrated to be suitable for some safety I&C applications. The rules for such certification are well defined in international standards, with detailed requirements for both classic industry and nuclear environments.
 
Looking for cost effectiveness, the ITER Organization selected best-in-class industrial products through an international call for tender and is now performing the pre-qualification activities. The selected Siemens S7 400 F/FH range of programmable controllers was already certified as suitable for safety applications in industry (SIL3 according to IEC 61508)—now the bridge to certifying the software for nuclear safety I&C standard requirements had to be built. In the end, it took more than two years.

The qualities that must be demonstrated for certification are related to the design and manufacturing of the products and the core know-how of the manufacturer. Along the way, it was necessary to build confidence with the manufacturer, including management, sales, R&D, quality assurance, and intellectual property teams. Non-Disclosure Agreements also had to be negotiated and signed. Siemens set up a specific organization to drive the process internally and sought out the right people for the job. It was then necessary to agree on the exact scope of the compliance demonstration and the level of detail. Would the demonstration be developed in house or would a third party be retained?
 
TÜV SÜD, a renowned certification body with expertise in nuclear applications, was finally selected by Siemens to assess the compliance of the S7 400 F/FH range to category C of the nuclear safety I&C standards. The ten-month certification process, which included the assessment of 85 documents and a three-day audit with 25 people in attendance, resulted in a 50-page qualification report and a final certificate of compliance.
 
The exercise demonstrated the importance of establishing a partnership with manufacturers when products need to be qualified for nuclear applications. The extensive involvement of Siemens France over three years and the collaboration of Siemens Germany for the last two was greatly appreciated.
 
Now that we have certification that the Siemens S7 400 F/FH range of programmable controllers is suitable for our applications, we are pursuing the effort to qualify the control logic hardware to the ITER environmental conditions. Ageing tests have already been performed and these will be followed by stringent electromagnetic compatibility tests—representative of lightning striking the buildings—and magnetic field tests. In 2016, the consortium Empresarios Agrupados/Inabensa will be charged with final seismic tests on full-size control logic cubicles.
 
Jean-Paul Vion and Michael Rosemeyer from Siemens collaborated on this article.