APPENDIX E
Excerpts from Licensing Regulations

SELECTED CRITERIA FROM TITLE 10 CFR PART 50, APPENDIX A

[Reproduced below are selected criteria from the General Design Criteria (Title 10 CFR Part 50, Appendix A) of particular significance in nuclear power plant applications of digital instrumentation and control (I&C) systems.]

Criterion 1. Quality Standards and Records

Structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. Where generally recognized codes and standards are used, they shall be identified and evaluated to determine their applicability, adequacy, and sufficiency and shall be supplemented or modified as necessary to assure a quality product in keeping with the required safety function. A quality assurance program shall be established and implemented in order to provide adequate assurance that these structures, systems, and components will satisfactorily perform their safety functions. Appropriate records of the design, fabrication, erection, and testing of structures, systems, and components important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit.

Criterion 10. Reactor Design

The reactor core and associated coolant, control, and protection systems shall be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrences.

Criterion 13. Instrumentation and Control

Instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges.

Criterion 19. Control Room

A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents. Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem whole body, or its equivalent to any part of the body, for the duration of the accident.

Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures.

Criterion 20. Protection System Functions

The protection system shall be designed (1) to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and (2) to sense accident conditions and to initiate the operation of systems and components important to safety.

Criterion 21. Protection System Reliability and Testability

The protection system shall be designed for high functional reliability and in-service testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.

Criterion 22. Protection System Independence

The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.

Criterion 23. Protection System Failure Modes

The protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments (e.g., extreme heat or cold, fire, pressure, steam, water, and radiation) are experienced.

Criterion 24. Separation of Protection and Control Systems

The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.

Criterion 25. Protection System Requirements for Reactivity Control Malfunctions

The protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control system, such as accidental withdrawal (not ejection or dropout) of control rods.

Criterion 29. Protection Against Anticipated Operational Occurrences

The protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety function in the event of anticipated operational occurrences.

10 CFR 50.59 CHANGES, TESTS, AND EXPERIMENTS

[Reproduced below are the requirements for changes, tests, and experiments (10 CFR 50.59) in nuclear power plants. These requirements hold particular significance for applications of digital I&C systems.]

(a) (1) The holder of a license authorizing operation of a production or utilization facility may (i) make changes in the facility as described in the safety analysis report, (ii) make changes in the procedures as described in the safety analysis report, and (iii) conduct tests or experiments not described in the safety analysis report, without prior Commission approval, unless the proposed change, test or experiment involves a change in the technical specifications incorporated in the license or an unreviewed safety question.

(2) A proposed change, test, or experiment shall be deemed to involve an unreviewed safety question (i) if the probability of occurrence or the consequences of an accident or malfunction of equipment important to safety previously evaluated in the safety analysis report may be increased; or (ii) if a possibility for an accident or malfunction of a different type than any evaluated previously in the safety analysis report may be created; or (iii) if the margin of safety as defined in the basis for any technical specification is reduced.

(b) (1) The licensee shall maintain records of changes in the facility and of changes in procedures made pursuant to this section, to the extent that these changes constitute changes in the facility as described in the safety analysis report or to the extent that they constitute changes in procedures as described in the safety analysis report. The licensee shall also maintain records of tests and experiments carried out pursuant to paragraph (a) of this section. These records must include a written safety evaluation which provides the bases for the determination that the change, test, or experiment does not involve an unreviewed safety question.

(2) The licensee shall submit, as specified in § 50.4, a report containing a brief description of any changes, tests and experiments, including a summary of the safety evaluation of each. The report may be submitted annually or along with the FSAR [Final Safety Analysis Report] updates as required by § 50.71(e), or at such shorter intervals as may be specified in the license.

(3) The records of changes in the facility shall be maintained until the date of termination of the license, and records of changes in procedures and records of tests and experiments shall be maintained for a period of five years.

(c) The holder of a license authorizing operation of a production or utilization facility who desires (1) a change in technical specifications or (2) to make a change in the facility or the procedures described in the safety analysis report or to conduct tests or experiments not described in the safety analysis report, which involve an unreviewed safety question or a change in technical specifications, shall submit an application for amendment of his license pursuant to § 50.90.