Fusion Engineering and Design 83 (2008) 1710–1714

Contents lists available at ScienceDirect

Fusion Engineering and Design

journal homepage: www.elsevier.com/locate/fusengdes

Failure Mode and Effect Analysis for remote handling transfer systems of ITER
T. Pinna a,∗ , R. Caporali b,1 , A. Tesini c
a
ENEA FPN-FUSTEC, Via E.Fermi 45, 00044 Frascati, Rome, Italy
b
ENEA consultant, Via Teano 269, 00177 Rome, Italy
c
ITER International Organization-Cadarache Joint Work Site, 13108 Saint Paul Lez Durance, France

a r t i c l e i n f o a b s t r a c t

Article history: A Failure Mode and Effect Analysis (FMEA) at component level was done to study safety-relevant impli-
Available online 15 August 2008 cations arising from possible failures in performing remote handling (RH) operations at ITER facility
[1].
Keywords: Autonomous air cushion transporter, pallet, sealed casks and tractor movers needed for port plug
FMEA mounting/dismantling operation were analysed. For each sub-system, the breakdown of significant com-
Remote handling
ponents was outlined and, for each component, possible failure modes have been investigated pointing out
Safety
possible causes, possible actions to prevent the causes, consequences and actions to prevent or mitigate
Cask
ITER
consequences.
Off-normal events which may result in hazardous consequences to the public and the environment
have been defined as Postulated Initiating Events (PIEs). Two safety-relevant PIEs have been defined by
assessing elementary failures related to the analysed system. Each PIE has been discussed in order to
qualitatively identify accident sequences arising from each of them.
As an output of this FMEA study, possible incidental scenarios, where the intervention of rescue RH
equipments is required to overcome critical situations determined by fault of RH components, were
defined as well. Being rescue scenarios of main concern for ITER remote handling activities, such fami-
lies could be helpful in defining the design requirements of port handling systems in general and on RH
transfer system in particular. Furthermore, they could be useful in defining casks and vehicles to be used
for rescue activities.
© 2008 Elsevier B.V. All rights reserved.

1. Introduction an external intervention in the port cell or the gallery has to be

It is well recognised that availability and reliability analyses play
a relevant role in design and operation/maintenance of the Interna-
tional Thermonuclear Experimental Reactor (ITER) and especially
for future commercial fusion power plants, particularly in demon-
strating safety characteristics and in setting minimal downtime.
Objective of this study was the remote handling (RH) transfer
system, made of the Autonomous Air Cushion Transporter (AACT),
pallet and cask. Failures of the double seal door have been taken
into account too, being a crucial component of the cask. Diver-
tor cassette extraction and plug removal operation have also been
considered, i.e. cassette movers and related end effectors.
Minimizing the downtime due to vacuum vessel (VV) compo-
nents repair/refurbishment activities is a critical issue for designing
RH systems. The main challenges from this point of view are sit-
uations where a fault related to RH transfer system that require
∗ Corresponding author. Tel.: +39 06 9400 5820;fax: +39 06 9400 5321.
E-mail addresses: pinna@frascati.enea.it (T. Pinna), r caporali@tin.it (R. Caporali).
1
Tel.: +39 06 2593973.
fixed. In fact, on one hand the intervention has to be a remote one
because of radiation exposure constraints, on the other hand the
allowable space for rescue vehicles is tight. For this reason this
study focused both on identification of safety issues determined by
failures of components and on identification of scenarios requiring
rescue vehicle intervention to fix the incident/accident situations.
Such rescue scenarios could be helpful in defining the design
requirements of port handling systems, in general, and of RH trans-
fer system in particular. Furthermore, it could be useful in defining
casks and vehicles to be used for rescue activities.
A systematic method, the Failure Mode and Effect Analysis
(FMEA), has been used to ensure that a full range of potential faults
and off-normal conditions have been considered.
2. Methodology
A FMEA at component level has been chosen as methodology to
study safety-relevant implications arising from possible failures in
performing remote handling (RH) operations at ITER facility. The
focus was on the identification of plant faults deriving from single
failure of components. Failure modes of the different components

0920-3796/$ – see front matter © 2008 Elsevier B.V. All rights reserved.
doi:10.1016/j.fusengdes.2008.06.049
 T. Pinna et al. / Fusion Engineering and Design 83 (2008) 1710–1714
Table 1
List of operating states taken into account in the FMEA
Operating States Description
DVV Docking to vacuum vessel port
UVV Undocking from vacuum vessel port
TAC Transfer phase with activated components as payload
PAC Parking phase along the road with activated components as
payload (mainly used to change the transporter)
DHC Docking to hot cell port
UHC Undocking from hot cell port
Table 2
List of PIEs identified by the FMEA
PIEs Description
RHP Break in ‘VV + cask’ isolating boundary during RH operations, inducing
release of radioactive products (fraction of dust and T that could be
mobilized from VV) into the port cell
RHG Cask stop and leakage during RH transportation of divertor cassette to
Hot Cell, inducing release of radioactive products (fraction of dust
and T implanted in transported components) into the gallery
have been investigated and, for each failure mode, the possible
causes and consequences of the event, together with suggested mit-
igating provisions have been pointed out, to help in minimizing the
failure expected frequency.
Since a failure mode has generally different consequences
depending on the system operating state, the overall operating
states of the RH equipments have been considered. They are indi-
cated in Table 1.
The various elementary failures have been grouped both in a
Postulated Initiating Event (PIE) and in a rescue scenario category.
The grouping is done by considerations of similarity of the events or
of the consequences generated by the off-normal initiators. PIEs are
identified by representative events, which are the most challenging
amongst the accident initiators included in the families. In this way,
radiological consequences for the representative events will be the
worst that could be induced by all the events grouped on the fam-
ily, and deterministic safety analysis will be concentrated only in
the reduced set of bounding events. PIEs and representative rescue
scenarios identified by this study are shown in Tables 2 and 3.
3. Transfer system description
System descriptions have been derived mainly from the Design
Description Document of the ITER RH equipment [2] and from sev-
eral design documents related to the port handling system.
Table 3
List of recovery scenarios identified by the FMEA
RSs Description
RS0 Recovery Situation type 0: it requires use of foreseen redundancy to conclude
transfer operations. Changing of transporter or rescue vehicles do not need
RS1 Recovery Situation type 1: it requires a changing of transporter to conclude
transfer operations. The changing of the transporter can be performed
without rescue vehicles
RS2 Recovery Situation type 2: it requires a changing of transporter to conclude
transfer operations. The changing of the transporter can be performed by the
use of rescue vehicles
RS3 Recovery Situation type 3: it requires intervention of a rescue vehicle on pallet
components
RS4 Recovery Situation type 4: it requires intervention on equipments interfacing
the cask with the pallet, normally used during docking phases
RS5 Recovery Situation type 5: it requires intervention on cask equipments used to
perform the cask docking to VV or HC ports
RS6 Recovery Situation type 6: it requires intervention on cask equipments used
while the cask is docked to VV or HC ports
1711
The transfer system is made from three main parts, transporter
(AACT), the pallet and the cask. The last one has been analysed
including double seal door and plug extractor/movers.
The transfer system assembly including the transporter, the pal-
let and the cask is shown on Figs. 1 and 2.
3.1. Transporter
The AACT consists of a steel-welded frame incorporating air
compressors, air bearings and two pairs of drive wheels, which are
used to move the load whilst floating on the thin film of air. The
drive wheels are positioned along the longitudinal centre line of
the frame and equispaced from the transverse centre line. Each of
the wheels can be rotated through 200◦ .
This arrangement maximizes the manoeuvrability of the trans-
porter and facilitates the travel and the positioning of the load in
restricted areas. Two additional swivel wheels are provided to assist
the drive wheels and platform stability during the no-load transport
when the air bearings are switched off.
The AACT has a payload capacity of 90 tons.
3.2. Pallet
It is an intermediate structural element to support the cask
envelope and its payload, fitted with the actuators required for the
adjustment of the cask relative to the building and the VV port.
The AACT fits under the pallet and it is fully removable without
upsetting the pallet.
3.3. Cask
It is a container type structure made by steel framework lined
with corrugated metal sheets to withstand ±0.06 bar max pressure
difference.
The envelope is connected to a rigid base plate to carry the pay-
load and handling systems load. Its leak-tightness is <10−2 mbar/l s.
Two double seal doors are installed at the front and rear of the
cask. They are hydraulically operated. Seals to VV port flange are
provided by O-rings.
Several differently casks are provided. The present FMEA study
takes into account:
• equatorial port plug mover,
• upper port plug mover,
• rails and movers for divertor cassette.
Comment
A sample of this recovery situation is a fault in the drive/swivel wheel systems.
Redundancy will allow to conclude transfer operations
A sample of this recovery situation is a fault that requires the stop of the
transfer and the changing of the transporter, which could be changed in
autonomous manner, in the worst cases using redundancy devices
A sample of this recovery situation is a fault in the power supply system of the
transporter. Intervention of a rescue vehicle is required to provide an
external power supply
A sample of this recovery situation is a fault in the pallet supports
A sample of this recovery situation is a fault in the cask movement device (rack
and pinion)
A sample of this recovery situation is a fault in the devices used to seal the cask
at the VV port or in the DSD
A sample of this recovery situation is a fault on tractors already loaded
1712 T. Pinna et al. / Fusion Engineering and Design 83 (2008) 1710–1714

Fig. 1. RH transfer system: divertor cask with cassette multi-functional mover and diagnostic rack inside.

4. FMEA results: PIEs
The identified PIEs, shown on Table 2, have been analysed, as
described in the following, to qualitatively define possible accident
evolutions.
The overall elementary failures that are not leading to any pub-
lic safety-relevant consequence have been classified as Not Safety
(N/S) relevant events. Even if such failures are not important from a
safety point of view, they will be important in defining operability of
the system, maintenance strategy and eventual requests of design
updating, as well as they will be relevant to determine reliability of
the transfer system.
It has to be noted that both the events classified under one of
the two PIE families and the ones classified under the N/S events
can induce increase of radiation doses to workers.
4.1. RHP—break in “VV + cask” isolating boundary during RH
operations, inducing release of radioactive products (fraction of
dust and T that could be mobilized from VV) into the port cell.
The VV port is open and sealed to a cask during maintenance
operations, with the torus ventilation system preventing spread of
contamination outside the VV boundary. Loss of cask leak-tightness
or seal failure, or malfunctions in the torus ventilation system, could

Fig. 2. AACT, pallet and cask bottom plate (vertical cut, rear view).
 T. Pinna et al. / Fusion Engineering and Design 83 (2008) 1710–1714
imply release into the port cell of dust and tritium, taking also
into account that the cask atmosphere should slightly pressurize
because of the decay heat.
Pre-shutdown degassing and dust collection before the VV
maintenance strongly limit the possible release. In any case, vent
detritiation system operating during RH operations to depressur-
ize, filter and detritiate port cell atmosphere will prevent release of
radioactive products towards the environment.
4.2. RHG—cask stop and leakage during RH transportation of
divertor cassette to hot cell, inducing release of radioactive
products (fraction of dust and T that could be mobilized from
transported components) into the gallery
Loaded transportation cask could stop and remain blocked
between its way to the VV and the hot cell (HC) facility while it
is transferring activated and contaminated components. Several
faults could induce these conditions, such as faults of the vehicle
transport system or of the control, guidance and navigation systems
located along the gallery or of the lift transferring the cask between
different floors. Hardware failures of equipments or, hardware and
software failures of control system, as well as human errors could
be the triggering causes.
Loaded transportation cask stranded in the gallery could cause
significant delays in the activity, could induce worker overexposure
to radiation fields and could cause a radioactive release inside the
tokamak building. The decay heat of in-vessel components could
induce rising of temperature inside the transportation cask, even if
internal air cooling sub-system continues to operate. Consequently,
loss of leak-tightness and release of tritium and tokamak dust could
occur if the atmosphere pressure inside the cask rise significantly
respect to the sealing conditions. The phenomena become partic-
ularly important if the cask doors did not close correctly and the
fault was not detected, or if the cask has lost its leak-tightness as
a consequence of the event that causes the stop of the cask itself,
e.g., clash with obstacles.
In all cases, the cask looses its leak-tightness and the criti-
cal situation is monitored, to avoid spreading of contamination
inside the building, the cask should be emptied by using res-
cue cask. Clearly, if the loss of leak-tightness occurred or is
monitored when the cask is getting the hot cell, the direct
empting of the cask into the hot cell should be more straight for-
ward.
Furthermore, a fire event triggered by a short in the electrical cir-
cuit of the transporter cannot be excluded. In these circumstances,
consequences can be aggravated because beyond the extension of
the time required to restore safe conditions, the heat loads can
increase or raise the loss of leak-tightness.
The event chosen as most representative is the failure during
divertor cassette transportation because during such transfer the
cask contains the highest radioactive inventory and decay heat
with respect to other in-vessel components. A first evaluation of
the possible consequences in terms of radioactive release with-
out fire event was done. At any rate, further investigation could be
required to demonstrate, also in case of fire, compliance of design
features with safety limits. A fire hazard assessment should be done
to evaluate possible heat loads and consequent effects on loosing
leak-tightness with the cask blocked along the gallery or inside the
port cell. The proposed fire scenario is the one triggered on board
of the transporter.
Some consideration is needed about the impact of the use of
the air cushion transportation system in case of dust or tritium
release inside the port cell or inside the gallery. Even if the “com-
pressors + air cushions” system does not causes over-pressurization
of the rooms and, consequently, environmental release, it has the
1713
effect of mobilizing the air of the room where the transporter is
operating and, consequently, it could increase spreading of con-
tamination inside the building. The higher is the flow rate of air
coming out from the air cushions, the higher is the spreading effect
on radioactive products. Worker doses could increase because of
rising of complication of post-accident decontamination activities.
In addition, recovery scenarios can become more complicated too.
In all the circumstances of radioactive release inside the port cell or
the gallery, at first, not only the transfer system has to be stopped
to avoid scattering of radioactive products along its way, but also,
it could be necessary to stop the transporter to avoid spreading
of contamination for the air spraying effects. Restart of air cush-
ions of the failed transfer system, intervention of rescue transfer
system, as well as substitution of transporter could be prevented
because decontaminating actions have to be performed first. Ded-
icated studies have to investigate all possible situations in order to
define the better procedure to follow in case of radioactive release
along the gallery. The two opposite recovery scenarios can be:
• stop the transfer and decontaminate the room before restarting
of air cushions or before intervention of rescue transfer system
equipped with air cushions;
• start as soon as possible with recovery actions dedicated to
conclude the transfer without take care of spreading of contami-
nation.
In this context, particularly for significant stop of the trans-
fer system, making provisions for mobile connections between
the cask and the vent detritiation system should be also stud-
ied.
5. FMEA results: rescue scenarios
Rescue scenarios are indicated in Table 3 and briefly commented
in the following.
5.1. RS0 recovery situation type 0
The RH transfer system and related equipments are fitted out by
redundancies to conclude transfer operations in case of failures. RS0
includes all elementary failures that can be managed to conclude
the operations with the on-board redundancy.
5.2. RS1 recovery situation type 1
The transporter is independent from the pallet and from the
cask. Therefore, in case of some failures of its components, it can be
changed to conclude transfer operations, driving it out from under-
neath the pallet. RS1 includes all elementary failures that can be
managed to conclude the operations with the changing of the trans-
porter in autonomous manner, using on-board redundancy devices
in the worst cases.
5.3. RS2 recovery situation type 2
As for RS1, RS2 takes advantage of the independence of the
transporter from the pallet and from the cask and the chance
to change the transporter to conclude transfer operations. Differ-
ently from RS1, where failures that allow “Transporter changing
in autonomous manner” are grouped, RS2 includes all elementary
failures that can be managed to conclude the operations with the
changing of the transporter not in autonomous manner, but by
using rescue vehicles.
1714 T. Pinna et al. / Fusion Engineering and Design 83 (2008) 1710–1714
5.4. RS3 recovery situation type 3
During the stationary states (e.g., docking to VV or HC), the
cask is sustained from the pallet supports and it is electrically and
hydraulically (compressed air) supplied through the pallet connec-
tor. RS3 includes all the situations that require intervention of a
rescue vehicle on the pallet components to repair or mitigate the
fault and continue the RH operations.
5.5. RS4 recovery situation type 4
Once the cask is positioned on the pallet supports, the docking
to the VV or HC port is made by interfacing system between the cask
and the pallet, which allows the movement of the cask to the port
and the adjustment to perform the sealing of the cask to the port.
It consists of a rack and pinion system with an electrically operated
gear motor. RS4 includes all the situations that require intervention
of a rescue vehicle on these interfacing systems to repair or mitigate
the fault and continue the RH operations.
5.6. RS5 recovery situation type 5
The cask is provided by equipments dedicated to seal (and check
such sealing) the cask with the VV and HC ports, during the docking
states. RS5 includes all the situations that require intervention of
a rescue vehicle on these docking/undocking systems to repair or
mitigate the fault and continue the RH operations.
5.7. RS6 recovery situation type 6
The cask is provided with equipments dedicated to manage
VV port plugs and in-vessel components for all the operations
needed for their removal from the in-vessel locations, their load-
ing/unloading into/from the cask and, clearly, for the all the inverse
operations needed to re-install refurbished components. As men-
tioned above, the equipments considered in this study are plug
movers and divertor cassette handling devices. RS6 includes all the
situations that require intervention of a rescue vehicle on these
equipments to repair or mitigate the fault and continue the RH
operations.
6. Conclusions
A comprehensive assessment of accident initiators has been pro-
vided with a systematic approach to identify the potential hazards
arising from port handling operations and transfer of activated
components at the ITER VV [1]. A FMEA has allowed for a com-
plete screening of the various causes that could induce failures.
Also a qualitative overview of accident sequences arising from each
elementary failure could be derived from the FMEA looking at
consequences description and preventive/mitigating actions. Such
inference has been used to group elementary failures in represen-
tative PIEs.
Two, safety-relevant PIEs have been set up by assessing ele-
mentary failures related to the system analysed. Each PIE has been
discussed in order to qualitatively identify accident sequences aris-
ing from each of them. For both the two PIEs, radioactive release to
the environment of fraction of activated dust and tritium that could
be mobilized from VV or from transported components should not
be a concern. Nevertheless, further deterministic analysis could
be required to determine response of safety systems (e.g., effi-
ciency of ventilation systems, isolation of HVAC) and effectiveness
of rescue operations in mitigating the consequences and risks for
workers. Even if the two PIEs do not lead to significant radioactive
release to the environment, spreading of contamination (activated
dusts and tritium) inside the building and the operating areas or
high radiation fields can be a concern due to worker overexpo-
sures.
For one of the two PIEs, a fire hazard assessment should be done
to evaluate possible heat loads and consequent effects on loosing
cask leak-tightness if a short in the electrical circuit of the trans-
porter triggers a fire and blocks the cask along the gallery or inside
the port cell.
All elementary failures not inducing safety-relevant conse-
quences have been classified as N/S (Not Safety relevant) event.
Even if such failures are not important from a safety point of view,
they will be important on defining plant operability, maintenance
strategy and system reliability.
An additional output of this study is the definition of accident
rescue scenarios, which have been grouped in seven families. That
could be helpful in defining the design requirements for the port
handling systems, in general, and for the RH transfer system, in
particular. Furthermore, it could be useful in defining casks and
vehicles to be used for rescue activities.
Acknowledgment
This work, supported by the European Communities under the
contract of Association between EURATOM and ENEA, was carried
out within the framework of the European Fusion Development
Agreement. The views and opinions expressed herein do not nec-
essarily reflect those of the European Commission.
References
[1] R. Caporali, T.Pinna “Failure mode and effect analysis for remote handling trans-
fer systems of ITER”, ENEA FUS-TN-SA-SE-R-156, December 2006.
[2] ITER Design Description Document 23: Remote Handling Equipment, ITER Doc-
ument N 23 DDD 66 R0.3, July 2004.