Implementation of Safety Aspects in IFMIF-DONES Design

Integration of safety aspects in IFMIF-DONES design is a main objective of EUROfusion and European Commission projects. IFMIF-DONES will be a radioactive facility of the first category, and stringent safety objectives must be achieved and demonstrated. A very low acceptable risk for the worker, the public and the environment is the main principle in the design phase. The progress of safety activities is performed iteratively as detailed engineering develops, taking into account the uniqueness of the facility: a high-power deuterons accelerator (125 mA, 40 MeV), a target of flowing liquid lithium, traps for activation products, a dedicated-design module for irradiated samples, a massive shielding cooled room with confinement function, and a number of conventional systems with safety functions. Several phases are developed: (i) identification of sources and materials at risk, radioactive and nonradioactive, subject to potential mobilization, (ii) failure mode analysis and effects of systems, starting at the functional level, and support with probabilistic analysis, (iii) identification of scenarios leading to unacceptable risk if unmitigated, (iv) proposal of layers of defense by means of safety-credited components and design features, (v) deterministic analysis of scenarios in support of requirements, and (vi) definition and demonstration of safety requirements charged to components.


Introduction
IFMIF-DONES will be a neutron source facility, operating by accelerating deuterons to 40 MeV and using a 125 mA current to impact a liquid lithium layer inside a dedicated target to produce neutrons. The installation is proposed to be built in Escúzar, close to Granada, Spain, and it will be classified as a first-class radioactive facility. Many administrative regulations and standards for radiological and nuclear facilities are being applied in order to obtain a high-quality safety design as well as high reliability of systems, structures, and components. Details of the regulatory framework can be found in a previous paper [1], which still provides reference information, while the purpose of this paper is to look a step ahead.
IFMIF-DONES design progressed in previous years under the EUROfusion projects WPENS (Work Package Early Neutron Source) of Euratom FP8 (Framework Program No. 8) (2015-21) and FP9 (2021-25) as well as Specific Contracts No. 4 and No. 11 of the European Commission Framework Contract (FWC) RTD/2019/OP/D4/FWC/010 "Framework Contract for services of expert industrial competences for the preconceptual design activities of the European fusion demonstration reactor".
While a more detailed description of the facility and status of the project can be found in other publications [2,3], the first-level large systems are mentioned here for consistency of the paper. Many of the 36 second-level systems will implement safety-credited features:

• Accelerator systems (AS). The linear accelerator is divided into the following subsystems: injector, radiofrequency quadrupoles (RFQ) cavities, medium energy beam transport module, superconductor RF cavities along five cryomodules, high-energy beam transport line (with beam scraper and collimator, sources of secondary neutrons), and the beam dump device. RF power systems and ancillaries for water cooling circuits, cryoplant or vacuum are the main ancillary associated systems.
• Lithium systems (LS). These include target systems (the intense source of neutrons), Li loop for heat removal, impurity control system (with traps for activation products and for activated corrosion products), and secondary and tertiary organic oil circuits. There are ancillaries for heating, electric supply, and Li and oil recovery, among others.
• Test systems (TS). These include the test cell (TC), which is a complex system made of several pieces of equipment (a steel liner, upper and lateral shielding blocks), the high flux test module (HFTM, carrying the material samples under irradiation), and TC ancillary systems (for He atmosphere provision as an inerting gas and for equipment purification, He coolant for HFTM, water coolant of the liner).
• Plant systems (PS). A number of important systems are included here, such as remote handling; service gas (argon supply); heating, ventilation, and air conditioning system (HVAC, with particle filtering and room-isolation capabilities); solid, liquid and gaseous radioactive waste treatment systems; and fire protection system, among others.
• Central instrumentation and control systems (CICS). These include the safety control system (safety dedicated), machine protection system (investment protection), and control, data access, and communication (CODAC) system.
• The main building (MB) is a specific large structure with safety functions such as structural confinement, shielding, and provision of infrastructure supporting safety systems.

Activities for safety implementation during the engineering design stage are driven by the main principle of protecting the public, workers, and environment. Their progress in previous years is explained in the following paragraphs.
Demonstration of safety implementation is an important aspect, and related efforts are focused on the preparation of a 'Safety Analysis Report' (SAR), which is presently an internal project document but is advanced enough to initiate interactions with the regulatory body (CSN, 'Consejo de Seguridad Nuclear'). In fact, a working group with CSN has already been established, which regularly meets with WPENS and Specific Contract 11 safety analysts and designers. One objective related to safety demonstration in the SAR is to link the top-level regulations for nuclear or radioactive facilities to low-level requirements at component level, which will be supported by safety analyses.

Identification of Material at Risk
The identification of the radiological risk is based on a systematic application of MCNP analyses to quantify radioactivity in components as well as potential direct exposures, including shielding design. It is an iterative task continuously adapted to changes in design, new proposals, and evolution of computational tools. The neutronic analyses are being extended over time with more detailed models including constructive aspects that may play a role: more precise geometry of structures and circuits, refinement of predictions for neutron fluxes, consideration of penetrations for pipes, for HVAC, gaps, doors, etc.
Figure 1 summarizes the computational tools being applied to neutronic analyses, based on recommendations provided in [4].
On the other hand, nonradiological material at risk (MAR) and nonradiological hazards are also identified, such as potential asphyxiating gas, toxic material, electric and magnetic hazards, etc. As long as they require dedicated safety systems in the design stage, they are conveniently addressed in a similar way to the radiological risk. In addition, the impact of nonradiological sources on radiological ones is addressed.
Energy sources potentially leading to MAR mobilization are another important area of investigation. Excessive beam losses, beam mis-steering and impact on structures, loss of liquid target and heat transfer, consequences of lithium fires, or heavy load falls during maintenance are examples of energy sources that must be under control. The volatility of radionuclides and hazardous material is an additional aspect under study, including chemical processes or reactions expected during postulated scenarios. Gas phase and aerosols source terms are developed to estimate consequences in terms of dose or chemical exposure and to be appropriately mitigated if justified.
Ref. [1] still provides representative orders of magnitude concerning the radiological MAR. The main figures are that some 3.9 g of tritium will be generated after one year of target irradiation and 150 mg Be-7, equilibrium value. They will be distributed in traps (3 traps for tritium and 3 traps for Be-7 and activated corrosion products (ACP) in the present design) and will remain in the Li main flow in lower amounts. Several replaceable metallic structures (target, HFTM, liner) are estimated to be activated in the order of some 10¹⁵ Bq, maximum accumulation when replaced, while atmospheres will reach lower values, some 2 × 10¹⁰ Bq for Ar-41 in the target interface room, and N-16, C-14, and H-3 in minor amounts.

Failure Mode Analysis and Top-Down Approaches
During the last few years, the outcomes of safety analyses have been consolidated after frequent interaction with system design teams. Failure modes and effect analysis (FMEA) across the facility at the functional level are being reviewed and extended. Moreover, the failure modes are oriented to component level when the detailed engineering makes progress towards specific equipment and performance parameters. Dozens of tables are available which include potential consequences to the worker and public, together with prevention, detection, and mitigation proposals. Enveloping scenarios are outlined (i.e., 'Reference Accident Scenarios', candidate to 'Design-Basis Events' for 'Design Basis' of the facility). When the risk in a scenario is unacceptable (the risk is the product of the probability of an event and its consequences), safety-credited components and design features are proposed. A specific chapter in SAR is dedicated to listing the identified safety important class (SIC) components and credited features.
The estimate of scenario frequency is firstly conducted on an expert judgement basis. However, support from the probabilistic techniques is also pursued, as explained in a section below.
Concerning consequences, radiological dose objectives are established for the public and the worker in four categories of plant state: normal operation, incidents, accidents, and low-probability accidents [1]. Criteria for design extension conditions are also considered (avoidance of 'cliff-edge' effects). The methodology for dose estimates is based on Regulatory Guide 1.145 for accident conditions (class D weather conditions, 1 m/s wind velocity) and 1.111 for normal operation. Support with alternative methods to estimate dose consequences is also obtained based on GENII and UFOTRI (accidents) and PC-CREAM and NORMTRI (normal operation).
Another important source of information to define scenarios is a systematic comparison with reference facilities, such as USA Spallation Neutron Source, European Spallation Source, and SPIRAL2, although this task depends on the access to key reports and information from such facilities.

Radioprotection Aspects at Design Stage
Main elements of radiation protection at the design stage are classifications of rooms according to irradiation, contamination, and total radiation values, in beam-on and beam-off conditions.
Irradiation maps (direct exposure) are obtained with MCNP and are continuously improved for verification of the irradiation classification, as in Figure 2. Shielding and streamings are computed for verification of areas housing the sources and adjacent ones. A room contamination classification is also developed, taking into account airborne activation and depositions, and sinks according to system operations such as HVAC, filters, and detritiation systems. The global radiation classification was introduced in [1], and it will take into account both irradiation and contamination subclassifications. Areas are divided into supervised and controlled areas, with the controlled areas subdivided into frequent access, restricted, restricted-special, and forbidden access.
There is an additional classification being devised, closely linked to the contamination one, as it is a ventilation classification according to ISO 17873. This classification also includes considerations of accidental conditions. According to such a classification, the HVAC and argon supply system are designed to provide a network of rooms in the main building with negative gauge pressures, with more potentially contaminated rooms at lower pressures. The discharged effluents must be in compliance with annual dose objectives (presently, estimates are well below the provisional threshold of 50 µSv/year).
Another input for room classification is the operation and maintenance plans of occupancy inside rooms, while the ALARA principle is in consideration. Here, remote handling systems are considered in rooms with higher radiation levels, and criteria for hands-on maintenance of components are defined according to occupation hours: a threshold of 650 µSv/h equivalent dose and 20 µSv/h full body effective dose are being considered at the design stage (assuming a limit of 100 h/year exposure).
There are specific safety-credited systems related to the radioprotection approach. They are explained in the next section.

List of Reference Scenarios and Safety-Credited Components
Resulting from FMEA and top-down analysis, a list of reference accident scenarios (RAS) is obtained as a main workhorse for safety activities. Table 1 shows the list of reference accident scenarios identified in SAR_1.0. The list includes 34 scenarios with radiological and nonradiological risks. Others are in discussion and the list may slightly increase in a future version of SAR. The 'key' in the table, the second column, classifies the primary system involved in the scenario (LS for lithium systems, etc.) as well as the type of hazard with the first number: 1 for fires (it may be observed that Li fire risk has several scenarios, and they depend on the potential mass amount involved in scenarios and areas of concern), 2 for explosion/overpower (there are some scenarios related to overpower due to loss of beam energy control), 3 for loss of confinement (related to damage of confinement layers, which often have complex configurations and include specific components), 4 for direct exposure (it is a radiological hazard mostly related to shielding failures or wrong configuration, or it is a chemical hazard related to oxygen displacement and asphyxiation risk), 5 for criticality (not used in DONES), 6 for external hazards (an aircraft impact analysis has been developed with the most probable aircraft), 7 for natural phenomena (where seismic analysis and associated requirements are ongoing). The second number in the key is a sequential one.
A description is available in the SAR_v1.0 for each of the RAS from two points of view: unmitigated description and mitigated description. The unmitigated description leads to the preliminary conclusion that the risk is not acceptable and must be reduced. The mitigated description should lead to the identification of safety-credited components and features to decrease the risk. Nevertheless, uncertainties are admitted at this stage, and there are ongoing activities to reduce them and consolidate descriptions.
In general, a main objective is to demonstrate that mobilization of radioactive and toxic material in the definitive design-basis scenarios involves small amounts and that only in design extension conditions scenarios can moderate amounts occur. A short list of design extension conditions accidents is also being developed.
A number of safety-credited components and design features result from RAS analyses and normal operation radioprotection aspects. Some of them are shown in Table 2, which summarizes the present list to implement in design. Nevertheless, others are in discussion.
The main examples are further discussed below:

• Safety beam shutdown will be achieved at the injector by means of two lines of defense: a safety-credited switch in the magnetron electric supply and insertion of a Faraday cup. Differentiation with machine protection actuators is taken into account (in principle, not safety credited in the analysis of scenarios, but in reality providing an additional safety layer on the basis of high reliability and even faster actuation).
• A fast isolation valve will be placed in HEBT, far enough from high irradiation levels. It will be a component contributing to providing confinement of the TC region, and it will limit air or steam progression to the target from possible breaks in the beam duct.
• High-reliability inertization to prevent Li fires in postulated spills will be provided by the argon supply system and test cell gas inventory control system. When activated under accident conditions, the confinement function will be coincident with the inertization function.
• Two electromagnetic pumps in the Li loop will be implemented in compliance with the redundancy requirement (see further explanations in the deterministic analysis section below).
• A dedicated 'Personnel Access Safety System' will prevent the entrance to forbidden access areas or will control access when changed to restricted conditions during maintenance.
• A 'Plant Safety System' (subsystem of 'Safety Control System') will provide the beam-shutdown function under a number of safety signals implemented in systems involved in the RAS.
• The RAMSES will be a dedicated system to provide safety signals related to radiation detection (also linked to beam shutdown) with credited type detectors such as, for instance, in the case of beam mis-steering events.
• Mechanical codes such as RCC-MRx are systematically revised for application to confinement structures, when possible (pipes, TC liner), to provide robustness in the first line of defense against loss of confinement.
• Detritiation systems based on conversion to tritiated water and absorption by molecular sieves will take the permeated tritium during normal operation (vent detritiation system) and released tritium in case of accident conditions (emergency detritiation system).

Table 2. List of safety-credited systems or components and design features (safety function in second column can be consulted in ref. [1]).

| SIC-1 System, Structure or Component (Examples) | Safety Function | Safety-Credited Features (Examples) |
|---|---|---|
| Plant Safety System, PSS (Safety Beam Shutdown) | S3 | 1st line: Highly reliable cut injector magnetron, 2nd line: Injector Faraday cup (also, HV in seismic event). Precise interface of SCS and MPS to take care. Redundancy of event detectors in AS, LS, TS, PS, RAMSES |

Probabilistic Analysis
The application of probabilistic risk analysis (PRA) at the design stage of IFMIF-DONES is challenging, not only because detailed engineering is not fully complete but also because the failure database for innovative components may have gaps in information such as, for example, for accelerator systems components. An implication of this is that the licensing process is expected to be completed following the deterministic approach. However, specific efforts are being made in the project to obtain a database applicable to the facility.
Nevertheless, PRA modeling is a powerful and widely used tool that can precisely inform of a system's contribution to risk, and its information is very welcome already at design stage because discussions around event trees and fault trees are very helpful. The expectation is to obtain a more mature PRA model over time and to follow risk-informed modifications or required reinforcements if justified in a later stage.
Event trees are being devised in a first step for most of the scenarios, and fault trees behind event trees are being developed in a second step based on the findings from FMEA. Modeling related to fire risk is being prioritized for confirmation of design-basis lines of defense. Examples of developed events are lithium leak from the impurity control system to the test cell, or to the lithium loop cell, but also for other above scenarios, such as lithium flow perturbation, lithium temperature increases, and loss of high-flux test module cooling.
Frequencies in the preliminary results are obtained and grouped in moderate, medium, or small releases. Another package of activities addresses several types of confinements, the beam shutdown (to highlight a clear demonstration of high reliability), and detritiation systems. However, work remains to be completed in this area. The next efforts in PRA modeling are oriented to homogenize the available analysis and to consolidate results.

Deterministic Analysis
Deterministic analyses are being performed for many scenarios. The application of MELCOR code is an important aspect of this activity [5], although analyses are possible with other computational tools (such as MCNP) or even direct modeling. However, MELCOR code is a very convenient tool that allows estimation of key metrics in the progress of scenarios, and hence, they will bound system safety requirements, such as grace periods of time, pressure or temperature peaks in atmospheres and structures, or amounts involved in chemical reactions. The MELCOR-fusion version provides a broad collection of mechanistic models and allows a large flexibility to explore nominal cases and variations, a useful feature in design analysis. A secondary objective is that the MELCOR portfolio of applications is extended, including partial validation exercises, which is an important step to consolidate the code capabilities. It should be mentioned that the applications sometimes run around the limits of code default modeling (for instance, very low pressures, values on the edge of the equation of state). A good level of expertise, however, is a key assumption for code application, and it means that the user should have an appropriate foundation in the phenomenology of safety analysis. As MELCOR-fusion is also used in the fusion safety community (ITER, DEMO), the contribution to user development is another interesting benefit.
The following examples of deterministic analysis warrant mention:
• RAS12 and 13, beam duct water ingress and air ingress. A model of the beam duct has been prepared (Figure 3). Duct wall ruptures and the role of FIV are explored to limit the air or water transport towards the target vacuum chamber that could ignite the lithium. Small amounts are obtained (from 0.2 kg to 0.5 kg air, depending on variation in cases, and negligible steam; Figure 4). Further mitigation measures are under analysis to reduce such small impact (i.e., extension of inertized Ar region around FIV).
• RAS1, EMP trip. A model of the Li loop was prepared [5], including prediction of steady-state parameters. Reference calculations were performed for a pump trip in several cases; in one of them the hydraulic power of the pump is reduced to 50%, and it is predicted that the Li layer remains at some 12 m/s (Figure 5), equivalent to a thick-enough layer to accommodate the beam for an extended period of time before shutdown.
• Further applications of MELCOR code are in progress, as is the analysis of Li spill scenarios or a model for main building rooms, together with HVAC performance during normal operation and accident conditions according to leak-path methodologies [6].

J. Nucl. Eng. 2022, 3, FOR PEER REVIEW

Experimental Program in Support of IFMIF-DONES Safety
In order to generate knowledge, reduce uncertainties, and demonstrate safety aspects, a number of facilities are expected to be developed or used in upcoming months under the EUROfusion WPENS frame and others:
• IPUL University of Latvia: EMP prototyping and testing, including transients.

Figure 1. Summary of computational tools for neutronic analyses.

Figure 2. Shutdown dose rate (µSv/h) inside and around the Test Cell (small lower region) and Access Cell (large upper region), 1 week cooldown: the irradiated HFTM module is stationed in the Access Cell, as transported by a crane; the Test Cell is open and activated equipment as Target Assembly and others contribute to the radiation map; an efficient shielding of walls is confirmed.

Figure 3. MELCOR model for accelerator systems events.

Figure 4. Total mass of N₂ (red color) and O₂ (black color) reaching the TVC volume, 0.05 m² break downstream FIV. Case 3: vacuum system closed in coincidence with the break; Case 4: VS closed 1.5 s later; Int.FL-MFLOW.X_150 means 'integrated mass flow through flow path 150 of the MELCOR model', index X = 4 for O₂, X = 5 for N₂.

Figure 5. Comparison of Li flow velocities in the target with MELCOR and an analytical prediction. Solid blue: simple analytical equations or 0D approach; solid black: base case computed with a circuit MELCOR model and pump trip from 100% to 0% hydraulic power; solid red: same as previous but with an additional reservoir volume at the top of the circuit; dashed red: same as the base case but with a pump trip from 100% to 50% hydraulic power.

Table 1. List of reference accident scenarios in SAR_v1.0 (TBC means 'to be confirmed' as analyses progress).