APPENDIX 1A, General Comparison of the Scope of US NRC 10 ... · Final Report, ENCO FR-(11)-26, Rev.1, Appendix 1A,B Page 2 US NRC 10 CFR PART 50--DOMESTIC LICENSING OF PRODUCTION

R403.1 Nuclear Power Plant Design Requirement References © ENCO Final Report, ENCO FR-(11)-26, Rev.1, Appendix 1A,B Page 1

APPENDIX 1A, General Comparison of the Scope of US NRC 10 CFR Part 50 and the CNSC RD-337

US NRC 10 CFR PART 50--DOMESTIC LICENSING OF PRODUCTION AND UTILIZATION FACILITIES

Comments on the applicability of the review given the scope of CNSC RD-337

Part Index General Provisions 50.1 Basis, purpose, and procedures applicable. Not under the scope of RD-337 50.2 Definitions. Not under the scope of RD-337 50.3 Interpretations. Not under the scope of RD-337 50.4 Written communications. Not under the scope of RD-337 50.5 Deliberate misconduct. Not under the scope of RD-337 50.7 Employee protection. Not under the scope of RD-337 50.8 Information collection requirements: OMB approval.

Not under the scope of RD-337

50.9 Completeness and accuracy of information. Not under the scope of RD-337 Requirement of License, Exceptions Not under the scope of RD-337 50.10 License required; limited work authorization. Not under the scope of RD-337 50.11 Exceptions and exemptions from licensing requirements.


50.12 Specific exemptions. Not under the scope of RD-337 50.13 Attacks and destructive acts by enemies of the United States; and defence activities.

10 CFR 50.13 states that “An applicant for a license to construct and operate a production or utilization facility, or for an amendment to such license, is not required to provide for design features or other measures for the specific purpose of protection against the effects of (a) attacks and destructive acts, including sabotage, directed against the facility by an enemy of the United States, whether a foreign government or other person, or (b) use or deployment of weapons incident to U.S. defence activities.” RD-337, in Section 7.22 Robustness against Malevolent Acts, requires for design features specifically provided for protection against design basis threats (DBTs), in accordance with the requirements of the Nuclear Security Regulations in force in Canada.

Classification and Description of Licenses 50.20 Two classes of licenses. Not under the scope of RD-337 50.21 Class 104 licenses; for medical therapy and research and development facilities.


50.22 Class 103 licenses; for commercial and industrial facilities.


50.23 Construction permits. Not under the scope of RD-337 Applications for Licenses, Certifications, and Regulatory Approvals; Form; Contents; Ineligibility of Certain Applicants




50.30 Filing of applications for licenses; oath or affirmation.


50.31 Combining applications. Not under the scope of RD-337 50.32 Elimination of repetition. Not under the scope of RD-337 50.33 Contents of applications; general information. Not under the scope of RD-337 50.34 Contents of applications; technical information. Not under the scope of RD-337 – Except for the dose

limits to be used in the safety assessment. Comparison provided in Appendix 1B.

50.34a Design objectives for equipment to control releases of radioactive material in effluents—nuclear power reactors.

Not under the scope of RD-337 (refers to information provided in license applications)

50.35 Issuance of construction permits. Not under the scope of RD-337 50.36 Technical specifications. Applicable. Detailed review provided in Appendix 1B. 50.36a Technical specifications on effluents from nuclear power reactors.

Not under the scope of RD-337 (does not include technical requirements)

50.36b Environmental conditions. Not under the scope of RD-337 (does not include technical requirements)

50.37 Agreement limiting access to Classified Information.


50.38 Ineligibility of certain applicants. Not under the scope of RD-337 50.39 Public inspection of applications. Not under the scope of RD-337 Standards for Licenses, Certifications and Regulatory Approvals

50.40 Common standards. Not under the scope of RD-337 50.41 Additional standards for class 104 licenses. Not under the scope of RD-337 50.42 Additional standard for class 103 licenses. Not under the scope of RD-337 50.43 Additional standards and provisions affecting class 103 licenses and certifications for commercial power.


50.44 Combustible gas control for nuclear power reactors.

Applicable – the requirements in 10 CFR 50.44 are more prescriptive than the corresponding requirements in RD-337. Detailed review provided in Appendix 1B

50.45 Standards for construction permits, operating licenses, and combined licenses.


50.46 Acceptance criteria for emergency core cooling systems for light-water nuclear power reactors.

LWR specific. There are no equivalent requirements of such detail in RD-337.

50.46a Acceptance criteria for reactor coolant system venting systems.

Applicable – no equivalent requirement in RD-337

50.47 Emergency plans. Not under the scope of RD-337 50.48 Fire protection. Requires a fire protection plan that satisfies Criterion 3

of appendix A (see Section 3.2.4 and Appendix 1B of this report for comparison of Appendix A with RD-337). References a national US Standard: National Fire Protection Association (NFPA) Standard 805, "Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants, 2001 Edition" (NFPA 805).




Comparison of the NFPA standard with the relevant CSA standard is not under the scope of the existing benchmark.

50.49 Environmental qualification of electric equipment important to safety for nuclear power plants.

10 CFR 50.49 includes comprehensive requirements on the environmental qualification of electric equipment important to safety. There are no equivalent requirements in RD-337, since only general requirements are provided in Section 7.8 Equipment Environmental Qualification. However, 10 CFR 50.49 does not address environmental qualification for severe accident conditions.

Issuance, Limitations, and Conditions of Licenses and Construction Permits

50.50 Issuance of licenses and construction permits. Not under the scope of RD-337 50.51 Continuation of license. Not under the scope of RD-337 50.52 Combining licenses. Not under the scope of RD-337 50.53 Jurisdictional limitations. Not under the scope of RD-337 50.54 Conditions of licenses. Not under the scope of RD-337 50.55 Conditions of construction permits, early site permits, combined licenses, and manufacturing licenses.


50.55a Codes and standards. Prescribes the use of national US standards applicable to nuclear power plants. The comparison of US and Canadian standards is not under the scope of this study.

50.56 Conversion of construction permit to license; or amendment of license.


50.57 Issuance of operating license. Not under the scope of RD-337 50.58 Hearings and report of the Advisory Committee on Reactor Safeguards.


50.59 Changes, tests and experiments. Not under the scope of RD-337 50.60 Acceptance criteria for fracture prevention measures for light water nuclear power reactors for normal operation.

No equivalent requirements in RD-337

50.61 Fracture toughness requirements for protection against pressurized thermal shock events.

LWR specific. No equivalent requirements in RD-337

50.61a Alternate fracture toughness requirements for protection against pressurized thermal shock events.


50.62 Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plants.


50.63 Loss of all alternating current power. Applicable. RD-337 does not include any specific requirements / expectations for capability to withstand a station black-out. Section 8.9 Emergency Power Supply includes a very general requirement: “The EPS system has sufficient capacity and capability, within a specified mission time, to support severe accident management actions”.

50.64 Limitations on the use of highly enriched Not under the scope of RD-337




uranium (HEU) in domestic non-power reactors. 50.65 Requirements for monitoring the effectiveness of maintenance at nuclear power plants.


50.66 Requirements for thermal annealing of the reactor pressure vessel.


50.67 Accident source term. Applicable (however, the guidance for calculating the source term are LWR specific); comparison of numerical / quantitative safety objectives is provided in Appendix 1B. RD-337 limits the doses from design basis accidents to 20 mSv (calculated over 30 days). The limit of 250 mSv for 2 hours in 10 CFR 50.67 is based on the assumption of an accident involving significant core melt (see 10 CFR 100.11 ). The dose criteria in RD-337 are more stringent than those in 10 CFR. However, RD-337 does not specify a dose limit for the control room staff in an accident (the US regulations specify a limit of 50 mSv for the whole duration of the accident).

50.68 Criticality accident requirements. Applicable. The US requirements are more detailed and prescriptive than those in RD-337 Section 8.12 Fuel Handling and Storage. See also 10 CFR 70.24 (http://www.nrc.gov/reading-rm/doc-collections/cfr/part070/part070-0024.html )

Inspections, Records, Reports, Notifications 50.69 Risk-informed categorization and treatment of structures, systems and components for nuclear power reactors.

The classification required by RD-337 is not risk-informed to the extent specified in the US NRC regulations, although PSA input to safety classification is required, in addition to deterministic and engineering judgement considerations.

50.70 Inspections. Not under the scope of RD-337 50.71 Maintenance of records, making of reports. Not under the scope of RD-337 50.72 Immediate notification requirements for operating nuclear power reactors.


50.73 License event report system. Not under the scope of RD-337 50.74 Notification of change in operator or senior operator status.


50.75 Reporting and recordkeeping for decommissioning planning.


50.76. Licensee's change of status; financial qualifications.


US/IAEA Safeguards Agreement RD-377 mentions that NPP design is subject to the obligations arising from Canada’s international agreements, and to requirements pertaining to safeguards and non-proliferation.

50.78 Facility information and verification. Not under the scope of RD-337 Transfers of Licenses--Creditors' Rights--Surrender of Licenses

50.80 Transfer of licenses. Not under the scope of RD-337




50.81 Creditor regulations. Not under the scope of RD-337 50.82 Termination of license. Not under the scope of RD-337 50.83 Release of part of a power reactor facility or site for unrestricted use.


Amendment of License or Construction Permit at Request of Holder

50.90 Application for amendment of license, construction permit, or early site permit.


50.91 Notice for public comment; State consultation. Not under the scope of RD-337 50.92 Issuance of amendment. Not under the scope of RD-337 Revocation, Suspension, Modification, Amendment of Licenses and Construction Permits, Emergency Operations by the Commission

50.100 Revocation, suspension, modification of licenses, permits, and approvals for cause.


50.101 Retaking possession of special nuclear material.


50.102 Commission order for operation after revocation.


50.103 Suspension and operation in war or national emergency.


Backfitting 50.109 Backfitting. Not under the scope of RD-337 Enforcement 50.110 Violations. Not under the scope of RD-337 50.111 Criminal penalties. Not under the scope of RD-337 Additional Standards for Licenses, Certifications, and Regulatory Approvals

50.120 Training and qualification of nuclear power plant personnel.


50.150 Aircraft impact assessment. Applicable. RD-337 does not explicitly require an aircraft impact assessment. In RD-337 Section 7.4.2 External Hazards, potential aircraft crashes are mentioned as human-induced external events identified in the site evaluation. It is required that “The design considers all natural and human-induced external events that may be linked with significant radiological risk. The subset of external events that the plant is designed to withstand is selected, and design basis events are determined from this subset.” 10 CFR 50.150 requires that “The assessment must be based on the beyond-design-basis impact of a large, commercial aircraft used for long distance flights in the United States, with aviation fuel loading typically used in such flights, and an impact speed and angle of impact considering the ability of both experienced and inexperienced pilots to control large, commercial




aircraft at the low altitude representative of a nuclear power plant’s low profile”. “Using realistic analyses, the applicant shall identify and incorporate into the design those design features and functional capabilities to show that, with reduced use of operator actions: (i) The reactor core remains cooled, or the containment remains intact; and (ii) Spent fuel cooling or spent fuel pool integrity is maintained.”

Appendix A to Part 50--General Design Criteria for Nuclear Power Plants

Applicable – detailed review provided in Appendix 1B.

Appendix B to Part 50--Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants

The requirements in RD-337 Section 5.0 are more comprehensive than the requirements on Design Control in Appendix B to Part 50. Detailed review provided in Appendix 1B to this report.

Appendix C to Part 50—A Guide for the Financial Data and Related Information Required To Establish Financial Qualifications for Construction Permits and Combined Licenses


Appendix D to Part 50--[Reserved] - Appendix E to Part 50--Emergency Planning and Preparedness for Production and Utilization Facilities


Appendix F to Part 50--Policy Relating to the Siting of Fuel Reprocessing Plants and Related Waste Management Facilities


Appendix G to Part 50--Fracture Toughness Requirements

This appendix specifies fracture toughness requirements for ferritic materials of pressure-retaining components of the reactor coolant pressure boundary of light water nuclear power reactors. There are no equivalent requirements in RD-337.

Appendix H to Part 50--Reactor Vessel Material Surveillance Program Requirements

LWR specific. There are no equivalent requirements in RD-337.

Appendix I to Part 50--Numerical Guides for Design Objectives and Limiting Conditions for Operation to Meet the Criterion "As Low as is Reasonably Achievable" for Radioactive Material in Light-Water-Cooled Nuclear Power Reactor Effluents

The design objectives refer to doses from normal operation. There are no equivalent requirements in RD-337. RD-337 Section 6.4 “Radiation Protection and Acceptance Criteria” makes reference to the limits prescribed for normal operation in the Radiation Protection Regulations. See details provided in Appendix 1B to this report.

Appendix J to Part 50--Primary Reactor Containment Leakage Testing for Water-Cooled Power Reactors


Appendix K to Part 50--ECCS Evaluation Models LWR Specific. There are no equivalent requirements in RD-337

Appendix L to Part 50-- [Reserved] - Appendix M to Part 50--[Reserved] - Appendix N to Part 50—Standardization of Nuclear Power Plant Designs: Permits To Construct and Licenses To Operate Nuclear Power Reactors of Identical Design at Multiple Sites





Appendix O to Part 50--[Reserved] - Appendix P to Part 50--[Reserved] - Appendix Q to Part 50--Pre-application Early Review of Site Suitability Issues


Appendix R to Part 50--Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979

This appendix applies to licensed nuclear power electric generating stations that were operating prior to January 1, 1979. It outlines criteria (fire damage limits) for SSCs important to safety (for hot shutdown, cold shutdown and DBAs). It requires a fire hazard analysis (section 9.3 of RD-337 treats hazard analysis in general, but does not address in particular the fire hazard analysis required to demonstrate that the general provisions in section 7.12.1 are met). Includes prescriptive requirements (“Specific Requirements”) on: A. Water supplies for fire suppression systems. B. Sectional isolation valves. C. Hydrant isolation valves. D. Manual fire suppression. E. Hydrostatic hose tests. F. Automatic fire detection. G. Fire protection of safe shutdown capability. (including values for the rating of fire barriers and for separation by distance) […] J. Emergency lighting. (specifies capacity of battery power supply for emergency lighting units) M. Fire barrier cable penetration seal qualification. N. Fire doors. O. Oil collection system for reactor coolant pump. While RD-337 does not include such detailed and prescriptive requirements, it is likely that they are covered in the industrial standards (e.g. CSA) accepted by CNSC for use in the design of fire protection for NPPs.

Appendix S to Part 50--Earthquake Engineering Criteria for Nuclear Power Plants

RD-337, in Section 7.13 Seismic Qualification, specifies that “The seismic qualification of all SSCs aligns with the requirements of Canadian national—or equivalent—standards.” It also gives the categories of SSCs that have to be qualified to DBE. 10 CFR Part 50 Appendix S does not specify the SSCs. DBE corresponds to SSE. 10 CFR Part 50 Appendix S prescribes a minimum horizontal PGA of 0.1g. RD-337 does not specify PGA values, so it should be checked whether the Canadian standards have more stringent requirements (CSA N289.1-08 which specifies a probability of exceedance for the DBE of 1E-4/year)




Appendix S and RD-337 Section 7.13 differ in scope and level of detail. An assessment of the differences between US and Canadian requirements on seismic qualification would require a comparison of standards and review criteria.


APPENDIX 1B, Detailed Comparison of Design Requirements in US NRC 10 CFR Part 50 and CNSC RD-337

1.B.1 Review of dose criteria and safety goals

US NRC 10 CFR Part 50 Correspondence with CNSC RD-337 Comments/Deltas

Appendix I to Part 50 — Numerical Guides for Design Objectives and Limiting Conditions for Operation to Meet the Criterion "As Low as is Reasonably Achievable" for Radioactive Material in Light-Water-Cooled Nuclear Power Reactor Effluents

SECTION I. Introduction. Section 50.34a provides that an application for a construction permit shall include a description of the preliminary design of equipment to be installed to maintain control over radioactive materials in gaseous and liquid effluents produced during normal conditions, including expected occurrences.

Sec. II. Guides on design objectives for light-water-cooled nuclear power reactors licensed under 10 CFR Part 50 or part 52 of this chapter. The guides on design objectives set forth in this section may be used by an applicant for a construction permit as guidance in meeting the requirements of § 50.34a(a), or by an applicant for a combined license under part 52 of this chapter as guidance in meeting the requirements of § 50.34a(d), or by an applicant for a design approval, a design certification, or a manufacturing license as guidance in meeting the requirements of § 50.34a(e). The applicant shall provide reasonable assurance that the following design objectives will be met.

A. The calculated annual total quantity of all radioactive material above background to be released from each light-water-cooled nuclear power reactor to unrestricted areas will not result in an estimated annual dose or dose commitment from liquid effluents for any individual in an unrestricted area from all pathways of exposure in excess of 3 millirems (0.03 mSv) to the total body or 10 millirems (0.1 mSv) to any organ.

B.1. The calculated annual total quantity of all radioactive material above background to

4.2.1 Dose Acceptance Criteria

The committed whole-body dose for average members of the critical groups who are most at risk, at or beyond the site boundary is calculated in the deterministic safety analysis for a period of 30 days after the analyzed event.

This dose is less than or equal to the dose acceptance criteria of:

1. 0.5 millisievert for any anticipated operational occurrence (AOO); […]

In accordance with RD-310, AOOs include all events with frequencies of occurrence equal to or greater than 10-2 per reactor year.

RD-337 Section 6.4, Radiation Protection and Acceptance Criteria, makes reference to the limits prescribed for normal operation in the Radiation Protection Regulations.

The design objectives in Appendix I to 10 CFR Part 50 imply an ALARA annual dose (as design objective) of less than 0.05 mSv.

The annual dose limit to members of the public, set in 10 CFR Part 50, is of 1 mSv.

It appears that the design objectives in 10 CFR Part 50 Appendix A may be stricter in what regards AOOs. Further investigation is necessary for determining how these criteria are applied in practice in the review of AOO analyses.



be released from each light-water-cooled nuclear power reactor to the atmosphere will not result in an estimated annual air dose from gaseous effluents at any location near ground level which could be occupied by individuals in unrestricted areas in excess of 10 millirads (0.1Gy) for gamma radiation or 20 millirads (0.2Gy) for beta radiation.

2. Notwithstanding the guidance of paragraph B.1:

(a) The Commission may specify, as guidance on design objectives, a lower quantity of radioactive material above background to be released to the atmosphere if it appears that the use of the design objectives in paragraph B.1 is likely to result in an estimated annual external dose from gaseous effluents to any individual in an unrestricted area in excess of 5 millirems (0.05 mSv) to the total body; and

(b) Design objectives based upon a higher quantity of radioactive material above background to be released to the atmosphere than the quantity specified in paragraph B.1 will be deemed to meet the requirements for keeping levels of radioactive material in gaseous effluents as low as is reasonably achievable if the applicant provides reasonable assurance that the proposed higher quantity will not result in an estimated annual external dose from gaseous effluents to any individual in unrestricted areas in excess of 5 millirems (0.05 mSv) to the total body or 15 millirems (0.15 mSv) to the skin.

C. The calculated annual total quantity of all radioactive iodine and radioactive material in particulate form above background to be released from each light-water-cooled nuclear power reactor in effluents to the atmosphere will not result in an estimated annual dose or dose commitment from such radioactive iodine and radioactive material in particulate form for any individual in an unrestricted area from all pathways of exposure in excess of 15 millirems (0.15 mSv) to any organ.

D. In addition to the provisions of paragraphs A, B, and C above, the applicant shall include in the radwaste system all items of reasonably demonstrated technology that, when added to the system sequentially and in



order of diminishing cost-benefit return, can for a favorable cost-benefit ratio effect reductions in dose to the population reasonably expected to be within 50 miles of the reactor. As an interim measure and until establishment and adoption of better values (or other appropriate criteria), the values $1000 per total body man-rem and $1000 per man-thyroid-rem (or such lesser values as may be demonstrated to be suitable in a particular case) shall be used in this cost-benefit analysis. The requirements of this paragraph D need not be complied with by persons who have filed applications for construction permits which were docketed on or after January 2, 1971, and prior to June 4, 1976, if the radwaste systems and equipment described in the preliminary or final safety analysis report and amendments thereto satisfy the Guides on Design Objectives for Light-Water-Cooled Nuclear Power Reactors proposed in the Concluding Statement of Position of the Regulatory Staff in Docket-RM-50-2 dated February 20, 1974, pp. 25-30, reproduced in the Annex to this Appendix I.

1 Here and elsewhere in this appendix background means radioactive materials in the environment and in the effluents from light-water-cooled power reactors not generated in, or attributable to, the reactors of which specific account is required in determining design objectives.

[…]

Dose criteria in § 50.34 & 50.67 (same as in 10 CFR 100.11)

50.34

(D) The safety features that are to be engineered into the facility and those barriers that must be breached as a result of an accident before a release of radioactive material to the environment can occur. Special attention must be directed to plant design features intended to mitigate the radiological consequences of accidents. In performing this assessment, an applicant shall assume a fission product release from the core into the containment assuming that the facility is operated at the ultimate power level contemplated. The applicant shall

4.2.1 Dose Acceptance Criteria

The committed whole-body dose for average members of the critical groups who are most at risk, at or beyond the site boundary is calculated in the deterministic safety analysis for a period of 30 days after the analyzed event.

This dose is less than or equal to the dose acceptance criteria of:

1. 0.5 millisievert for any anticipated operational occurrence (AOO); or

2. 20 millisieverts for any design

Although at a first glance it appears that the dose criteria for DBA in RD-337 are more restrictive than those imposed by the NRC regulations, the comparison has no practical value since the assumptions for the analysis differ.

The 25 rem criterion in 10 CFR 100.11, 50.34 & 50.67 is often used as a de facto acceptance criterion for DBA by



perform an evaluation and analysis of the postulated fission product release, using the expected demonstrable containment leak rate and any fission product cleanup systems intended to mitigate the consequences of the accidents, together with applicable site characteristics, including site meteorology, to evaluate the offsite radiological consequences. Site characteristics must comply with part 100 of this chapter. The evaluation must determine that:

(1) An individual located at any point on the boundary of the exclusion area for any 2 hour period following the onset of the postulated fission product release, would not receive a radiation dose in excess of 25 rem total effective dose equivalent (TEDE).

(2) An individual located at any point on the outer boundary of the low population zone, who is exposed to the radioactive cloud resulting from the postulated fission product release (during the entire period of its passage) would not receive a radiation dose in excess of 25 rem total effective dose equivalent (TEDE);

The fission product release assumed for this evaluation should be based upon a major accident, hypothesized for purposes of site analysis or postulated from considerations of possible accidental events. Such accidents have generally been assumed to result in substantial meltdown of the core with subsequent release into the containment of appreciable quantities of fission products.

A whole body dose of 25 rem has been stated to correspond numerically to the once in a lifetime accidental or emergency dose for radiation workers which, according to NCRP recommendations at the time could be disregarded in the determination of their radiation exposure status (see NBS Handbook 69 dated June 5, 1959). However, its use is not intended to imply that this number constitutes an acceptable limit for an emergency dose to the public under accident conditions. Rather, this dose value has been set forth in this section as a reference value, which can be used in the evaluation of plant design features with respect to postulated reactor accidents, in order to assure that such

basis accident (DBA).

the NRC staff. However, this use is not in line with NRC Policy Statements and with the explanations provided in the footnotes in 10 CFR 100.11, 50.34 & 50.67.

NRC Policy statement on severe reactor accidents regarding future designs and existing plants (50FR32138, August8, 1985) states that ‘‘Severe nuclear accidents are those in which substantial damage is done to the reactor core, whether or not there are serious offsite consequences.’’ Based on this definition, the type of accident described in 10 CFR 100.11, 50.34 & 50.67, involving a substantial amount of core melt discharged into an intact containment is a Severe Accident, not a DBA.

Also, the accident referred to in 10 CFR 100.11, 50.34 & 50.67 is not an actual accident scenario, as the assumption of substantial core melt outside of the reactor vessel and inside the containment is the initial condition for the analysis, irrespective of the requisite sequence of events (i.e., the specifics of the other aspects of the plant



designs provide assurance of low risk of public exposure to radiation, in the event of such accidents.

50.67

(2) The NRC may issue the amendment only if the applicant's analysis demonstrates with reasonable assurance that:

(i) An individual located at any point on the boundary of the exclusion area for any 2-hour period following the onset of the postulated fission product release, would not receive a radiation dose in excess of 0.25 Sv (25 rem) total effective dose equivalent (TEDE).

(ii) An individual located at any point on the outer boundary of the low population zone, who is exposed to the radioactive cloud resulting from the postulated fission product release (during the entire period of its passage), would not receive a radiation dose in excess of 0.25 Sv (25 rem) total effective dose equivalent (TEDE).

(iii) Adequate radiation protection is provided to permit access to and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 0.05 Sv (5 rem) total effective dose equivalent (TEDE) for the duration of the accident.

The fission product release assumed for these calculations should be based upon a major accident, hypothesized for purposes of design analyses or postulated from considerations of possible accidental events, that would result in potential hazards not exceeded by those from any accident considered credible. Such accidents have generally been assumed to result in substantial meltdown of the core with subsequent release of appreciable quantities of fission products.

The use of 0.25 Sv (25 rem) TEDE is not intended to imply that this value constitutes an acceptable limit for emergency doses to the public under accident conditions. Rather, this 0.25 Sv (25 rem) TEDE value has been stated in this section as a reference value, which can be used in the evaluation of proposed design basis changes with respect to potential reactor accidents of exceedingly low probability of occurrence and low risk of

design) that may or could have led to such condition. The magnitude of the calculated dose itself should not be viewed in terms of acceptability or a lack thereof. It is a dose value that is used in the evaluation of containment design (and size of the Exclusion and Low Population Zones) to assure low risk of public exposure to radiation in the event of accidents involving core melt (10 CFR 50.34, Note 7) in an intact containment.



public exposure to radiation.

Safety Goals in the Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition — Severe Accidents (NUREG-0800, Chapter 19)

[…]

The applicant’s PRA and severe accident evaluation are used as follows:

[…]

C. Demonstrate how the risk associated with the design compares against the Commission’s goals of less than 1x10-4/year for core damage frequency and less than 1x10-6/year for large release frequency. In addition, compare the design against the Commission’s approved use of a containment performance goal, which includes

(1) a deterministic goal that containment integrity be maintained for approximately 24 hours following the onset of core damage for the more likely severe accident challenges and

2) a probabilistic goal that the conditional containment failure probability be less than approximately 0.1 for the composite of all core damage sequences assessed in the PRA.

4.2.2 Safety Goals

[…]

Core Damage Frequency

The sum of frequencies of all event sequences that can lead to significant core degradation is less than 10-5 per reactor year.

Small Release Frequency

The sum of frequencies of all event sequences that can lead to a release to the environment of more than 1015 becquerel of iodine-131 is less than 10-5 per reactor year. A greater release may require temporary evacuation of the local population.

Large Release Frequency

The sum of frequencies of all event sequences that can lead to a release to the environment of more than 1014 becquerel of cesium-137 is less than 10-

6 per reactor year. A greater release may require long term relocation of the local population.

7.3.4 Beyond Design Basis Accidents

Severe Accidents

Containment maintains its role as a leak-tight barrier for a period that allows sufficient time for the implementation of off-site emergency procedures following the onset of core damage. Containment also prevents uncontrolled releases of radioactivity after this period.

The CDF value in RD-337 is lower than the value in NUREG-0800, by one order of magnitude.

The goals for the large release frequency cannot be compared since, although the values for the frequency are the same, the NRC documents do not define the magnitude of the large release.

In practice, the ALWRs (Advanced Light Water Reactors) offered by US vendors have been designed taking account of the guidelines provided in the EPRI ALWR Utility Requirements Document (URD).

The safety goals in EPRI ALWR URD are:

- CDF < 1 E-5/ryr

- Cumulative frequency of sequences resulting in more than 250 mSv whole body dose over 24 hours at 0.5 miles from any individual reactor < 1 E-6 / ryr [the scope of the PRA shall include internal and external events (excluding seismic events and sabotage) and including assessment for



low power and shutdown operating conditions]

- the safety goals for the containment are the same as those in NUREG-0800.

The RD-337 para. on containment integrity following onset of core damage meets the intent of the safety goals for the containment, as set in NUREG-0800 (i.e. integrity maintained for 24h and CCFP less than 0.1).

However, the time for implementation of evacuation cannot be an input to the design unless it is quantified / estimated. A designer needs a clear requirement for the performance of the containment. If such specifications are not provided, this can be interpreted as crediting accident management measures for maintaining containment integrity (it should be clarified if the containment performance is to be achieved through design features alone or accident management measures are credited).


1.B.2 Review of requirements on Operational Limits and Conditions

US NRC 10 CFR Part 50 - § 50.36 Correspondence with CNSC RD-337 Comments/Deltas

§ 50.36 Technical specifications.

[…]

(c) Technical specifications will include items in the following categories:

(1) Safety limits, limiting safety system settings, and limiting control settings. (i)(A) Safety limits for nuclear reactors are limits upon important process variables that are found to be necessary to reasonably protect the integrity of certain of the physical barriers that guard against the uncontrolled release of radioactivity. If any safety limit is exceeded, the reactor must be shut down. […]

(ii)(A) Limiting safety system settings for nuclear reactors are settings for automatic protective devices related to those variables having significant safety functions. Where a limiting safety system setting is specified for a variable on which a safety limit has been placed, the setting must be so chosen that automatic protective action will correct the abnormal situation before a safety limit is exceeded. If, during operation, it is determined that the automatic safety system does not function as required, the licensee shall take appropriate action, which may include shutting down the reactor. […]

(2) Limiting conditions for operation.

(i) Limiting conditions for operation are the lowest functional capability or performance levels of equipment required for safe operation of the facility. When a limiting condition for operation of a nuclear reactor is not met, the licensee shall shut down the reactor or follow any remedial action permitted by the technical specifications until the condition can be met. […]

(ii) A technical specification limiting condition for operation of a nuclear reactor must be established for each item meeting one or more of the following criteria:

(A) Criterion 1. Installed instrumentation that is used to detect, and indicate in the control room, a significant abnormal degradation of

4.3.3 Operational Limits and Conditions

Operational limits and conditions (OLCs) are the set of limits and conditions that can be monitored by or on behalf of the operator, and that can be controlled by the operator.

The OLCs are established to ensure that plants operate in accordance with design assumptions and intent (parameters and components), and include the limits within which the facility has been shown to be safe.

The OLCs are documented in a manner that is readily accessible for control room personnel, with the roles and responsibilities clearly identified. Some OLCs may include combinations of automatic functions and actions by personnel.

Safe operation depends on personnel as well as equipment.

OLCs therefore typically include:

1. Control system constraints and procedural constraints on important process variables;

2. Requirements for normal operation and AOOs, including shutdown states;

3. Actions to be taken and limitations to be observed by operating personnel;

4. Principal requirements for surveillance and corrective or compensatory actions; and

5. The limitations to be observed and the operational requirements to be met by SSCs in order that their intended functions, as assumed in the safety analysis, can be met.

The basis on which the OLCs are derived will be readily available in order to facilitate the ability of plant personnel to

The requirements on the content of the OLCs in 10 CFR 50.36 are more comprehensive (and prescriptive) than the corresponding requirements in Section 4.3.3 of RD-337.

In future revisions of RD-337, it may be worth including criteria for establishing OLCs.



the reactor coolant pressure boundary.

(B) Criterion 2. A process variable, design feature, or operating restriction that is an initial condition of a design basis accident or transient analysis that either assumes the failure of or presents a challenge to the integrity of a fission product barrier.

(C) Criterion 3. A structure, system, or component that is part of the primary success path and which functions or actuates to mitigate a design basis accident or transient that either assumes the failure of or presents a challenge to the integrity of a fission product barrier.

(D) Criterion 4. A structure, system, or component which operating experience or probabilistic risk assessment has shown to be significant to public health and safety.

[…]

(3) Surveillance requirements. Surveillance requirements are requirements relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation will be met.

(4) Design features. Design features to be included are those features of the facility such as materials of construction and geometric arrangements, which, if altered or modified, would have a significant effect on safety and are not covered in categories described in paragraphs (c) (1), (2), and (3) of this section.

(5) Administrative controls. Administrative controls are the provisions relating to organization and management, procedures, recordkeeping, review and audit, and reporting necessary to assure operation of the facility in a safe manner. Each licensee shall submit any reports to the Commission pursuant to approved technical specifications as specified in § 50.4.

[…]

interpret, observe, and apply the OLCs.


1.B.3 Review of requirements on Management of the Design Process

US NRC 10 CFR Part 50 – Appendix B Correspondence with CNSC RD-337 Comments/Deltas

Appendix B to Part 50--Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants

[…]

III. Design Control

Measures shall be established to assure that applicable regulatory requirements and the design basis, as defined in § 50.2 and as specified in the license application, for those structures, systems, and components to which this appendix applies are correctly translated into specifications, drawings, procedures, and instructions.

These measures shall include provisions to assure that appropriate quality standards are specified and included in design documents and that deviations from such standards are controlled. Measures shall also be established for the selection and review for suitability of application of materials, parts, equipment, and processes that are essential to the safety-related functions of the structures, systems and components.

Measures shall be established for the identification and control of design interfaces and for coordination among participating design organizations. These measures shall include the establishment of procedures among participating design organizations for the review, approval, release, distribution, and revision of documents involving design interfaces.

The design control measures shall provide for verifying or checking the adequacy of design, such as by the performance of design reviews, by the use of alternate or simplified calculational methods, or by the performance of a suitable testing program. The verifying or checking process shall be performed by individuals or groups other than those who performed the original design, but who may be from the same organization.

Where a test program is used to verify the

5.0 Safety Management During Design

The NPP design:

2. Meets Canadian regulatory requirements;

3. Meets the design specifications, as confirmed by safety analysis;

4. Takes account of current safety practices;

5. Fulfills the requirements of an effective quality assurance program; and

6. Incorporates only those design changes that have been justified by technical and safety assessments.

The design process is carried out by technically qualified and appropriately trained staff at all levels, and includes such management arrangements as:

1. A clear division of responsibilities with corresponding lines of authority and communication;

2. Clear interfaces between the groups engaged in different parts of the design, and between designers, utilities, suppliers, builders, and contractors as appropriate;

3. Procedures that align with an established quality assurance program; and

4. A positive safety culture throughout all levels of the organization.

5.1 Design Authority

During the design phase, formal design authority typically rests with the organization that has overall responsibility for the design. Prior to plant start-up, this authority may be transferred to the operating organization.

The design authority may assign

The requirements in RD-337 Section 5.0 are more comprehensive than the requirements on Design Control in 10 CFR Part 50 Appendix B. For quality control requirements see also NRC GDC 1 in Section 3.2.4 and Appendix 1B, Section 1.B.4 of this report.



adequacy of a specific design feature in lieu of other verifying or checking processes, it shall include suitable qualifications testing of a prototype unit under the most adverse design conditions.

Design control measures shall be applied to items such as the following: reactor physics, stress, thermal, hydraulic, and accident analyses; compatibility of materials; accessibility for inservice inspection, maintenance, and repair; and delineation of acceptance criteria for inspections and tests.

Design changes, including field changes, shall be subject to design control measures commensurate with those applied to the original design and be approved by the organization that performed the original design unless the applicant designates another responsible organization.

[…]

responsibility for the design of specific parts of the plant to other organizations, known as responsible designers. The tasks and functions of the design authority and any responsible designer need to be established in formal documentation; however, the overall responsibility remains with the design authority.

The applicant confirms that the design authority has achieved the following objectives during the design phase:

1. Established a knowledge base of all relevant aspects of the plant design and kept it up-to-date, while taking experience and research findings into account;

2. Ensured the availability of the design information that is needed for safe plant operation and maintenance;

3. Established the requisite security clearances and associated security measures to protect prescribed, designated, and classified material;

4. Maintained design configuration control;

5. Reviewed, verified, approved (or rejected), and documented design changes;

6. Established and controlled the necessary interfaces with responsible designers or other suppliers engaged in design work;

7. Ensured that the necessary engineering and scientific skills and knowledge have been maintained; and

8. Ensured that, with respect to individual design changes or multiple changes that may have significant interdependencies, the associated impact on safety has been properly assessed and understood.

5.2 Design Management

Appropriate design management is



expected to achieve the following objectives:

1. SSCs important to safety meet their respective design requirements;

2. Due account is taken of the human capabilities and limitations of personnel;

3. Safety design information necessary for safe operation and maintenance of the plant and any subsequent plant modifications is preserved;

4. OLCs are provided for incorporation into the plant administrative and operational procedures;

5. The plant design facilitates maintenance throughout the life of the plant;

6. The results of the deterministic and probabilistic safety assessments are taken into account;

7. Due consideration is given to the prevention of accidents and mitigation of their consequences;

8. Generation of radioactive waste is limited to minimum practicable levels, in terms of both activity and volume;

9. A change control process is established to track design changes to provide configuration management during construction, commissioning, and operation; and

10. Physical protection systems are provided to address design basis threats.

5.3 Quality Assurance Program

A quality assurance program is established as part of the overall management arrangements by which the plant will function to achieve objectives. With respect to the plant design, this includes identifying all performance and assessment parameters for the design, as



well as detailed plans for each SSC to ensure consistent quality of the design and the selected components.

The quality assurance program is such that the initial design, and any subsequent change or safety improvement, is carried out in accordance with established procedures that call on appropriate standards and codes, and that incorporate applicable requirements and design bases. Appropriate quality assurance also facilitates identification and control of design interfaces.

The adequacy of the design, including design tools and design inputs and outputs, are verified or validated by individuals or groups that are independent from those who originally performed the work. Verifications, validations, and approvals are completed before the detailed design is implemented.

5.4 Proven Engineering Practices

[…]

Where a new SSC design, feature, or engineering practice is introduced, adequate safety is proven by a combination of supporting research and development programs, and by examination of relevant experience from similar applications. An adequate qualification program is established to verify that the new design meets all applicable safety expectations. New designs are tested before being brought into service, and are then monitored in service to verify that the expected behaviour is achieved.

[…]


1.B.4 Review of General Requirements on Design

US NRC 10 CFR Part 50 Appendix A

Correspondence with CNSC RD-337 Comments/Deltas

Criterion 1--Quality standards and records.

Structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.

Where generally recognized codes and standards are used, they shall be identified and evaluated to determine their applicability, adequacy, and sufficiency and shall be supplemented or modified as necessary to assure a quality product in keeping with the required safety function.

A quality assurance program shall be established and implemented in order to provide adequate assurance that these structures, systems, and components will satisfactorily perform their safety functions.

Appropriate records of the design, fabrication, erection, and testing of structures, systems, and components important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit.

5.1 Design Authority

[…]

The applicant confirms that the design authority has achieved the following objectives during the design phase:

1. Established a knowledge base of all relevant aspects of the plant design and kept it up-to-date, while taking experience and research findings into account;

2. Ensured the availability of the design information that is needed for safe plant operation and maintenance;

5.2 Design Management

Appropriate design management is expected to achieve the following objectives:

3. Safety design information necessary for safe operation and maintenance of the plant and any subsequent plant modifications is preserved;

[…]

9. A change control process is established to track design changes to provide configuration management during construction, commissioning, and operation.

5.3 Quality Assurance Program

A quality assurance program is established as part of the overall management arrangements by which the plant will function to achieve objectives. With respect to the plant design, this includes identifying all performance and assessment parameters for the design, as well as detailed plans for each SSC to ensure consistent quality of the design and the selected components.

The quality assurance program is such that the initial design, and any subsequent change or safety improvement, is carried out in accordance with established procedures that call on appropriate standards and codes, and that incorporate applicable requirements and design bases.

Appropriate quality assurance also facilitates identification and control of design interfaces.

The adequacy of the design, including design tools and design inputs and outputs, are verified or validated by individuals or groups that are independent from those who originally performed the work. Verifications, validations, and approvals

Criterion 1 of US NRC 10 CFR Part 50 Appendix A, explicitly specifies that “records of the design, fabrication, erection, and testing of structures, systems, and components important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit”

While the intent seems to be generally covered by the requirements in sections 5.1, 5.2, with regard to “design information”, and “configuration management during construction and operation”, it may worth of specifically addressing, in a future revision of RD-337, the requirements for record keeping.




are completed before the detailed design is implemented.

5.4 Proven Engineering Practices

The design authority identifies the modern standards and codes that will be used for the plant design, and evaluates those standards and codes for applicability, adequacy, and sufficiency to the design of SSCs important to safety.

Where needed, codes and standards may be supplemented or modified to ensure that the final quality of the design is commensurate with the necessary safety functions.

SSCs important to safety are of proven designs, and are designed according to the standards and codes identified for the NPP.

Where a new SSC design, feature, or engineering practice is introduced, adequate safety is proven by a combination of supporting research and development programs, and by examination of relevant experience from similar applications. An adequate qualification program is established to verify that the new design meets all applicable safety expectations. New designs are tested before being brought into service, and are then monitored in service to verify that the expected behaviour is achieved.

The design authority establishes an adequate qualification program to verify that the new design meets all applicable safety design requirements.

In the selection of equipment, due attention is given to spurious operation and to unsafe failure modes (e.g., failure to trip when necessary). Where the design has to accommodate an SSC failure, preference is given to equipment that exhibits known and predictable modes of failure, and that facilitates repair or replacement.

7.1 Classification of SSCs

The design authority classifies SSCs in a consistent and clearly defined classification scheme. The SSCs are then designed, constructed, and maintained such that their quality and reliability is commensurate with this classification. […]

Criterion 2--Design bases for protection against natural phenomena.

Structures, systems, and components important to safety shall be designed to withstand the effects of natural phenomena

7.4.2 External Hazards

The design considers all natural and human-induced external events that may be linked with significant radiological risk. The subset of external events that the plant is designed to withstand is selected, and design basis events are determined from this subset.

Various interactions between the plant and the

RD-337 does not explicitly require the design bases for the SSCs important to safety to reflect “consideration of the most severe of the natural




such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without loss of capability to perform their safety functions.

The design bases for these structures, systems, and components shall reflect:

(1) Appropriate consideration of the most severe of the natural phenomena that have been historically reported for the site and surrounding area, with sufficient margin for the limited accuracy, quantity, and period of time in which the historical data have been accumulated,

(2) appropriate combinations of the effects of normal and accident conditions with the effects of the natural phenomena and

(3) the importance of the safety functions to be performed.

environment, such as population in the surrounding area, meteorology, hydrology, geology and seismology are identified during the site evaluation and environmental assessment processes. These interactions are taken into account in determining the design basis for the NPP.

Applicable natural external hazards include such events as earthquakes, droughts, floods, high winds, tornadoes, tsunami, and extreme meteorological conditions.

Human-induced external events include those that are identified in the site evaluation, such as potential aircraft crashes, ship collisions, and terrorist activities.

7.4.3 Combinations of Events

Combinations of randomly occurring individual events that could credibly lead to AOOs, DBAs, or BDBAs are considered in the design. Such combinations are identified early in the design phase, and are confirmed using a systematic approach.

Events that may result from other events, such as a flood following an earthquake, are considered to be part of the original PIE.

phenomena that have been historically reported for the site and surrounding area, with sufficient margin for the limited accuracy, quantity, and period of time in which the historical data have been accumulated”.

Criterion 3--Fire protection.

Structures, systems, and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions.

Noncombustible and heat resistant materials shall be used wherever practical throughout the unit, particularly in locations such as the containment and control room.

Fire detection and fighting systems of appropriate capacity and capability shall be provided and designed to minimize the adverse effects of fires on structures, systems, and components important to safety.

Firefighting systems shall be designed to assure that their rupture or inadvertent operation does not significantly impair the safety capability of these

7.12 Fire Safety

The design of the NPP, including that of external buildings and SSCs integral to plant operation, includes provisions for fire safety.

7.12.1 General Provisions

Suitable incorporation of operational procedures, redundant SSCs, physical barriers, spatial separation, fire protection systems, and design for fail-safe operation achieves the following general objectives:

1. Prevents the initiation of fires;

2. Limits the propagation and effects of fires that do occur by

a. quickly detecting and suppressing fires to limit damage, and

b. confining the spread of fires and fire by-products that have not been extinguished;

3. Prevents loss of redundancy in safety and safety support systems;

4. Provides assurance of safe shutdown;

5. Ensures that monitoring of critical safety

The provisions of RD-337 with regard to fire protection are more comprehensive (moreover since they include specific provisions for the protection of workers) than the corresponding requirements in Criterion 3 of US NRC 10 CFR Part 50 Appendix A.

However, Appendix R to Part 50--Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979 includes detailed / prescriptive requirements which are not covered by




structures, systems, and components.

parameters remains available;

6. Prevents exposure, uncontrolled release, or unacceptable dispersion of hazardous substances, nuclear material, or radioactive material, due to fires;

7. Prevents the detrimental effects of event mitigation efforts, both inside and outside of containment; and

8. Ensures structural sufficiency and stability in the event of fire.

Buildings or structures are constructed using non-combustible or fire retardant and heat resistant material.

Fire is considered an internal hazard. The essential safety functions are therefore available during a fire.

Fire suppression systems are designed and located such that rupture, or spurious or inadvertent operation, will not significantly impair the capability of SSCs important to safety.

7.12.2 Safety to Life

The design provides protection to workers and the public from event sequences initiated by fire or explosion in accordance with established radiological, toxicological, and human factors criteria. With this protection:

1. Persons not intimate with the initial event (including the public, occupants, and emergency responders) are protected from injury and loss of life; and

2. Persons intimate with the initial event have a decreased risk of injury or death.

The following design provisions demonstrate that the above life safety objectives have been achieved:

1. Effective and reliable means of fire detection in all areas;

2. Effective and reliable means of emergency notification, including the nature of the emergency and protective actions to be taken;

3. Multiple and separate safe egress routes from any area;

4. Easily accessible exits;

5. Effective and reliable identification and illumination of egress routes and exits;

6. Sufficient exiting capacity for the number of workers (taking into account the

RD-337 but which are likely to be covered by industrial standards (e.g. CSA) accepted by CNSC for use in the design of the fire protection for nuclear power plants.

Appendix R specifically requires a fire hazard analysis. Section 9.3 of RD-337 treats hazard analysis in general, but does not address in particular the fire hazard analysis required to demonstrate that the general provisions in section 7.12.1 are met. In the future revisions of the RD-337 it may be worth explicitly requiring a fire hazard analysis to demonstrate the achievement of the fire protection objectives for design.




emergency movement of crowds);

7. Protection of workers from fires and fire by-products (i.e., combustion products, smoke, heat, etc.) during egress and in areas of refuge;

8. Protection of workers performing plant control and mitigation functions during or following a fire;

9. Adequate supporting infrastructure (lighting, access, etc.) for workers to perform emergency response, plant control, and mitigation activities during or following a fire;

10. Sufficient structural integrity and stability of buildings and structures to ensure safety of workers and emergency responders during and after a fire; and

11. Protection of workers from the release or dispersion of hazardous substances, radioactive material, or nuclear material as a result of fire.

Criterion 4--Environmental and dynamic effects design bases.

Structures, systems, and components important to safety shall be designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents.

These structures, systems, and components shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping, and discharging fluids, that may result from equipment failures and from events and conditions outside the nuclear power unit. However, dynamic effects associated with postulated pipe ruptures in nuclear power units may be excluded from the design basis when analyses reviewed and approved by the Commission demonstrate that the probability of fluid system piping rupture is extremely low under

7.8 Equipment Environmental Qualification

The design provides an equipment environmental qualification program. Development and implementation of this program ensures that the following functions are carried out in post-accident conditions:

1. The reactor is safely shut down and kept in a safe shutdown state during and following AOOs and DBAs;

2. Residual heat is removed from the reactor after shutdown, and also during and following AOOs and DBAs;

3. Potential for release of radioactive material from the plant is limited, and the resulting dose to the public from AOOs and DBAs is kept within prescribed limits; and

4. Post-accident conditions are monitored to indicate whether the above functions are being carried out.

The environmental conditions to be accounted for include those expected during normal operation, and those arising from AOOs and DBAs. Operational data and applicable design assist analysis tools, such as the probabilistic safety assessment, are used to determine the envelope of environmental conditions.

Equipment qualification also includes consideration of any unusual environmental conditions that can

Equivalence




conditions consistent with the design basis for the piping.

reasonably be anticipated, and that could arise during normal operation or AOOs (such as periodic testing of the containment leak rate).

Equipment credited to operate during BDBA and severe accident states is assessed for its capacity to perform its intended function under the expected environmental conditions. A justifiable extrapolation of equipment behaviour may be used to provide assurance of operability, and is typically based on design specifications, environmental qualification testing, or other considerations.

Specific consideration of dynamic loads is addressed in Section 7.7 Pressure-retaining SSCs ([…]Unless otherwise justified, all pressure boundary SSCs are designed to withstand static and dynamic loads anticipated in normal operation, AOOs, and DBAs. SSC design includes protection against postulated pipe ruptures, unless otherwise justified.), Section 8.1 Reactor Core and 8.6.2 Strength of the Containment Structure.

Relevant requirements are included also in Section 7.15 Civil Structures (7.15.1 Design).

Criterion 5--Sharing of structures, systems, and components.

Structures, systems, and components important to safety shall not be shared among nuclear power units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions, including, in the event of an accident in one unit, an orderly shutdown and cooldown of the remaining units.

7.6.5 Shared Systems - Sharing of SSCs between Reactors

SSCs important to safety are typically not shared between two or more reactors.

In exceptional cases when SSCs are shared between two or more reactors, such sharing excludes safety systems and turbine generator buildings that contain high-pressure steam and feedwater systems.

If sharing of SSCs between reactors is arranged, then the following expectations apply:

1. All safety requirements are met for all reactors during normal operation, AOOs, and DBAs; and

2. In the event of an accident involving one of the reactors, orderly shutdown, cool down, and removal of residual heat is achievable for the other reactor(s).

When an NPP is under construction adjacent to an operating plant, and sharing of SSCs between reactors has been justified, the availability of the SSCs and their capacity to meet all safety requirements for the operating units is assessed during the construction phase.

Equivalence

Criterion 10--Reactor design.

The reactor core and associated coolant, control, and protection

8.1 Reactor Core

The design provides protection against deformations to reactor structures that have the potential to

The requirements in RD-337 are more comprehensive than the requirements on




systems shall be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrences.

adversely affect the behaviour of the core or associated systems.

The reactor core and associated structures and cooling systems:

1. Withstand static and dynamic loading, including thermal expansion and contraction;

2. Withstand vibration (such as flow-induced and acoustic vibration);

3. Ensure chemical compatibility;

4. Meet thermal material limits; and

5. Meet radiation damage limits.

The reactor core design facilitates the application of a guaranteed shutdown state as described in subsection 7.11.

The design of the core is such that:

1. The fission chain reaction is controlled during normal operation and AOOs; and

2. The maximum degree of positive reactivity and its maximum rate of increase by insertion in normal operation, AOOs, and DBAs are limited so that no resultant failure of the reactor pressure boundary will occur, cooling capability will be maintained, and no significant damage will occur to the reactor core.

The shutdown margin for all shutdown states is such that the core will remain subcritical for any credible changes in the core configuration and reactivity addition.

If operator intervention is required to keep the reactor in a shutdown state, the feasibility, timeliness, and effectiveness of such intervention is demonstrated.

8.1.1 Fuel Elements and Assemblies

Fuel assembly design includes all components in the assembly, such as the fuel matrix, cladding, spacers, support plates, movable rods inside the assembly, etc. The fuel assembly design also identifies all interfacing systems.

Fuel assemblies and the associated components are designed to withstand the anticipated irradiation and environmental conditions in the reactor core, and all processes of deterioration that can occur in normal operation and AOOs. At the design stage, consideration is given to long-term storage of irradiated fuel assemblies after discharge from the

reactor design in US NRC 10 CFR Part 50 Appendix A.




reactor.

Fuel design limits are established to include, as a minimum, limits on fuel power or temperature, limits on fuel burn-up, and limits on the leakage of fission products in the reactor cooling system. The design limits reflect the importance of preserving the cladding and fuel matrix, as these are the first barriers to fission product release.

The design accounts for all known degradation mechanisms, with allowance being made for uncertainties in data, calculations, and fuel fabrication.

Fuel assemblies are designed to permit adequate inspection of their structures and component parts prior to and following irradiation.

In DBAs, the fuel assembly and its component parts remain in position with no distortion that would prevent effective post-accident core cooling or interfere with the actions of reactivity control devices or mechanisms. The acceptance criteria for the fuel for DBAs are consistent with these expectations.

The expectations for reactor and fuel assembly design apply in the event of changes in fuel management strategy or in operating conditions over the lifetime of the plant.

Fuel design and design limits reflect a verified and auditable knowledge base. The fuel is qualified for operation, either through experience with the same type of fuel in other reactors, or through a program of experimental testing and analysis, to ensure that fuel assembly requirements are met.

Criterion 11--Reactor inherent protection.

The reactor core and associated coolant systems shall be designed so that in the power operating range the net effect of the prompt inherent nuclear feedback characteristics tends to compensate for a rapid increase in reactivity.

8.1 Reactor Core

[…] The design of the core is such that:



Equivalence

(although Criterion 11 in US NRC 10 CFR Part 50 Appendix A refers to the inherent protection through the design of the core and associated coolant systems, while the requirement in RD-337 does not necessarily ask for inherent features)

Criterion 12--Suppression of reactor power oscillations.

8.1.2 Control System

The design provides the means for detecting levels

Equivalence




The reactor core and associated coolant, control, and protection systems shall be designed to assure that power oscillations which can result in conditions exceeding specified acceptable fuel design limits are not possible or can be reliably and readily detected and suppressed.

and distributions of neutron flux. This applies to neutron flux in all regions of the core during normal operation (including after shutdown and during and after refuelling states), and during AOOs.

The reactor core control system detects and intercepts deviations from normal operation with the goal of preventing AOOs from escalating to accident conditions.

Adequate means are provided to maintain both bulk and spatial power distributions within a predetermined range.

The reactor control mechanisms limit the positive reactivity insertion rate to a level required to control reactivity changes and power manoeuvring.

The control system, combined with the inherent characteristics of the reactor and the selected operating limits and conditions, minimize the need for shutdown action.

The control system and the inherent reactor characteristics keep all critical reactor parameters within the specified limits for a wide range of AOOs.

Criterion 13--Instrumentation and control.

Instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges.

7.9 Instrumentation and Control - 7.9.1 General Considerations

The design includes provision of instrumentation to monitor plant variables and systems over the respective ranges for normal operation, AOOs, DBAs, and BDBAs, in order to ensure that adequate information can be obtained on plant status.

This includes instrumentation for measuring variables that can affect the fission process, the integrity of the reactor core, the reactor cooling systems, and containment, as well as instrumentation for obtaining any information on the plant that is necessary for its reliable and safe operation.

The design is such that the safety systems and any necessary support systems can be reliably and independently operated, either automatically or manually, when necessary.

The design also includes the capability to trend and automatically record measurement of any derived parameters that are important to safety.

Instrumentation is adequate for measuring plant parameters for emergency response purposes.

The design includes reliable controls to maintain variables within specified operational ranges.

The design minimizes the likelihood of operator

The requirements in RD-337 are more comprehensive than the requirements on reactor design in US NRC 10 CFR Part 50 Appendix A.




action defeating the effectiveness of safety and control systems in normal operation and AOOs, without negating correct operator actions following a DBA.

System control interlocks are designed to minimize the likelihood of inadvertent manual or automatic override, and to provide for situations when it is necessary to override interlocks to use equipment in a non-standard way.

Various safety actions are automated so that operator action is not necessary within a justified period of time from the onset of AOOs or DBAs. In addition, appropriate information is available to the operator to confirm the safety action.

Criterion 14--Reactor coolant pressure boundary.

The reactor coolant pressure boundary shall be designed, fabricated, erected, and tested so as to have an extremely low probability of abnormal leakage, of rapidly propagating failure, and of gross rupture.

8.2 Reactor Coolant System

The design provides the reactor coolant system and its associated components and auxiliary systems with sufficient margin to ensure that the appropriate design limits of the reactor coolant pressure boundary are not exceeded in normal operation, AOOs, or DBAs.

The design ensures that the operation of pressure relief devices will not lead to unacceptable releases of radioactive material from the plant, even in DBAs. The reactor coolant system is fitted with isolation devices to limit any loss of radioactive coolant outside containment.

The material used in the fabrication of the component parts is selected so as to minimize activation of the material.

Plant states in which components of the pressure boundary could exhibit brittle behaviour should be avoided.

The design reflects consideration of all conditions of the boundary material in normal operation (including maintenance and testing), AOOs, and DBAs, as well as expected end-of-life properties affected by ageing mechanisms, the rate of deterioration, and the initial state of the components.

The design of the moving components contained inside the reactor coolant pressure boundary, such as pump impellers and valve parts, minimizes the likelihood of failure and associated consequential damage to other items of the reactor coolant system. This applies to normal operation, AOOs, and DBAs, with allowance for deterioration that may occur in service.

The design provides a system capable of detecting and monitoring leakage from the reactor coolant

Although RD-337 includes comprehensive requirements on the design of the reactor coolant system and on the reactor coolant pressure boundary, there is no explicit requirement for “an extremely low probability of abnormal leakage, of rapidly propagating failure, and of gross rupture”. However, if such a wording is used in a regulatory requirement, it implies the existence of numerical criteria for judging compliance.




system.

Criterion 15--Reactor coolant system design.

The reactor coolant system and associated auxiliary, control, and protection systems shall be designed with sufficient margin to assure that the design conditions of the reactor coolant pressure boundary are not exceeded during any condition of normal operation, including anticipated operational occurrences.



Equivalence.

(the requirement in RD-337 refers also to DBAs, while these are not addressed in the corresponding requirement in Criterion 15)

Criterion 16--Containment design.

Reactor containment and associated systems shall be provided to establish an essentially leak-tight barrier against the uncontrolled release of radioactivity to the environment and to assure that the containment design conditions important to safety are not exceeded for as long as postulated accident conditions require.

8.6 Containment

8.6.1 General Requirements

Each nuclear power reactor is installed within a containment structure to minimize the release of radioactive materials to the environment during normal operation, AOOs, and DBAs. Containment also assists in mitigating the consequences of BDBAs.

The containment system is designed for all AOOs and DBAs, and also considers BDBAs, including severe accident conditions.

The containment is a safety system and includes complementary design features, both of which are subject to the respective design expectations provided in this regulatory document.

The design includes a clearly defined continuous leak-tight containment envelope, the boundaries of which are defined for all conditions that could exist in the operation or maintenance of the reactor, or following an accident.

All piping that is part of the main or backup reactor coolant systems is entirely within the main containment structure, or in a containment extension.

The containment design incorporates systems to assist in controlling internal pressure and the release of radioactive material to the environment following an accident.

[…]

8.6.2 Strength of the Containment Structure

The strength of the containment structure provides sufficient margins of safety based on potential internal overpressures, underpressures, temperatures, dynamic effects such as missile generation, and

Equivalence




reaction-forces anticipated to result in the event of DBAs. Application of strength margins applies to access openings, penetrations, and isolation valves, and to the containment heat removal system.

Criterion 17--Electric power systems.

An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety.

The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that

(1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and

(2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents.

The onsite electric power supplies, including the batteries, and the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure.

Electric power from the transmission network to the onsite electric distribution system shall be supplied by two physically independent circuits (not necessarily on separate rights of way) designed and located so as to minimize to the extent practical the likelihood of their simultaneous failure under operating and postulated accident and environmental conditions. A switchyard common to both circuits is acceptable. Each of these circuits shall be designed to

8.9 Emergency Power Supply

The emergency power supply (EPS) system has sufficient capacity and reliability, within a specified mission time, to provide the necessary power to maintain the plant in a safe state and ensure nuclear safety in the event of all DBAs.

These expectations are met following a common-cause loss of off-site power where this may occur as a result of a PIE, and in the presence of a single failure in the EPS.

The EPS system has sufficient capacity and capability, within a specified mission time, to support severe accident management actions.

The EPS system includes appropriate control, monitoring and testing facilities.

The emergency power supply:

1. Is initiated either automatically or manually following the DBAs as determined by the nuclear safety requirements of the plant; and

2. Can be tested under load conditions representing full load demand.

RD-337 includes requirements only for the emergency power supply.

The requirements on electrical systems in 10 CFR Part 50 Appendix A are more comprehensive.




be available in sufficient time following a loss of all onsite alternating current power supplies and the other offsite electric power circuit, to assure that specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded. One of these circuits shall be designed to be available within a few seconds following a loss-of-coolant accident to assure that core cooling, containment integrity, and other vital safety functions are maintained. Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.

Criterion 18--Inspection and testing of electric power systems.

Electric power systems important to safety shall be designed to permit appropriate periodic inspection and testing of important areas and features, such as wiring, insulation, connections, and switchboards, to assess the continuity of the systems and the condition of their components.

The systems shall be designed with a capability to test periodically (1) the operability and functional performance of the components of the systems, such as onsite power sources, relays, switches, and buses, and (2) the operability of the systems as a whole and, under conditions as close to design as practical, the full operation sequence that brings the systems into operation, including operation of applicable portions of the protection system, and the transfer of power among

8.9 Emergency Power Supply

[…]

The EPS system includes appropriate control, monitoring and testing facilities.

In addition, the requirements in section 7.14 In-service Testing, Maintenance, Repair, Inspection, and Monitoring are applicable also to the EPS.

Equivalence in principle

The requirements on inspection and testing of electric power systems in US NRC 10 CFR Part 50 Appendix A are more detailed than the requirements in RD-337 on control, monitoring and testing of the EPS.




the nuclear power unit, the offsite power system, and the onsite power system.

Criterion 19--Control room.

A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents.

Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem whole body, or its equivalent to any part of the body, for the duration of the accident.

Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures.

Applicants for and holders of construction permits and operating licenses under this part who apply on or after January 10, 1997, applicants for design approvals or certifications under part 52 of this chapter who apply on or after January 10, 1997, applicants for and holders of combined licenses or manufacturing licenses under part 52 of this chapter who do not reference a standard design approval or certification, or holders of operating licenses using an alternative source term under § 50.67, shall meet the requirements of this criterion,

8.10 Control Facilities

8.10.1 Main Control Room

The design provides for a main control room (MCR) from which the plant can be safely operated, and from which measures can be taken to maintain the plant in a safe state or to bring it back into such a state after the onset of AOOs, DBAs, and, to the extent practicable, following BDBAs.

The design identifies events both internal and external to the MCR that may pose a direct threat to its continued operation, and provides practicable measures to minimize the effects of these events.

The safety functions initiated by automatic control logic in response to an accident can also be initiated manually from the main and secondary control rooms.

The layout of the controls and instrumentation, and the mode and format used to present information, provide operating personnel with an adequate overall picture of the status and performance of the plant and provide the necessary information to support operator actions. The design of the MCR is such that appropriate lighting levels and thermal environment are maintained, and noise levels are minimized to applicable standards and codes.The design of the MCR takes ergonomic factors into account to provide both physical and visual accessibility to controls and displays, without adverse impact on health and comfort. This includes hardwired display panels as well as computerized displays, with the aim of making these displays as user friendly as possible. Cabling for the instrumentation and control equipment in the MCR is arranged such that a fire in the secondary control room cannot disable the equipment in the MCR. The design provides visual and, if appropriate, audible indications of plant states and processes that have deviated from normal operation and that could affect safety. The design also allows for the display of information needed to monitor the effects of the automatic actions of all control, safety, and safety support system. The MCR is to be provided with secure communication channels to the emergency support centre and to off-site emergency response organizations, and to allow for extended operating periods.

[…]

Although the requirements in RD-337 are more extensive than those in US NRC 10 CFR Part 50 Appendix A and more demanding due to the specific provisions regarding the “secondary control room”, the radiation protection aspects are not explicitly addressed.

RD-337 requires the identification of events posing direct threat to the operation of MCR and SCR but does not specifically address radiation levels, nor does it impose a limit, such as the one in Criterion 19.




except that with regard to control room access and occupancy, adequate radiation protection shall be provided to ensure that radiation exposures shall not exceed 0.05 Sv (5 rem) total effective dose equivalent (TEDE) as defined in § 50.2 for the duration of the accident.

8.10.2 Secondary Control Room

The design provides a secondary control room (SCR) that is physically and electrically separate from the MCR, and from which the plant can be placed and kept in a safe shutdown state when the ability to perform essential safety functions from the MCR is lost.

The design identifies all events that may pose a direct threat to the continued operation of the MCR and the SCR. The design of the MCR and the SCR are such that no event can simultaneously affect both control rooms to the extent that the essential safety functions cannot be performed.

For any PIE, at least one control room is habitable, and is accessible by means of a qualified route.

Instrumentation, control equipment, and displays are available in the SCR, so that the essential safety functions can be performed, essential plant variables can be monitored, and operator actions are supported.

Safety functions initiated by automatic control logic in response to an accident can also be initiated manually from both the MCR and the SCR.

The design of the SCR ensures that appropriate lighting levels and thermal environment are maintained, and noise levels align with applicable standards and codes. Ergonomic factors apply to the design of the SCR to ensure physical and visual accessibility in relation to controls and displays, without adverse impact on health and comfort. These include hardwired display panels as well as computerized displays that are as user friendly as possible. Cabling for the instrumentation and control equipment in the SCR is such that a fire in the main control room cannot disable the equipment in the SCR.

The SCR is equipped with a safety parameter display system similar to that in the MCR. As a minimum, this display system provides the information required to facilitate the management of the reactor when the MCR is uninhabitable. The SCR is to be provided with secure communication channels to the emergency support centre and to off-site emergency response organizations. The SCR allows for extended operating periods.

Criterion 20--Protection system functions.

The protection system shall be designed

(1) to initiate automatically the

7.9 Instrumentation and Control

7.9.1 General Considerations

The design includes provision of instrumentation to monitor plant variables and systems over the respective ranges for normal operation, AOOs,

Equivalence




operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and

(2) to sense accident conditions and to initiate the operation of systems and components important to safety.

DBAs, and BDBAs, in order to ensure that adequate information can be obtained on plant status.

This includes instrumentation for measuring variables that can affect the fission process, the integrity of the reactor core, the reactor cooling systems, and containment, as well as instrumentation for obtaining any information on the plant that is necessary for its reliable and safe operation.

The design is such that the safety systems and any necessary support systems can be reliably and independently operated, either automatically or manually, when necessary.

[…]

Various safety actions are automated so that operator action is not necessary within a justified period of time from the onset of AOOs or DBAs. In addition, appropriate information is available to the operator to confirm the safety action.

8.4 Means of Shutdown

The design provides means of reactor shutdown capable of reducing reactor power to a low value, and maintaining that power for the required duration, when the reactor power control system and the inherent characteristics are insufficient or incapable of maintaining reactor power within the requirements of the OLCs.

The design includes two separate, independent, and diverse means of shutting down the reactor.

[…]

The effectiveness of the means of shutdown (i.e., speed of action and shutdown margin) is such that specified limits are not exceeded, and the possibility of recriticality or reactivity excursion following a PIE is minimized.

8.4.1 Reactor Trip Parameters

The design authority specifies derived acceptance criteria for reactor trip parameter effectiveness for all AOOs and DBAs, and performs a safety analysis to demonstrate the effectiveness of the means of shutdown.

For each credited means of shutdown, the design specifies a direct trip parameter to initiate reactor shutdown for all AOOs and DBAs in time to meet the respective derived acceptance criteria. Where a direct trip parameter does not exist for a given credited means, there are two diverse trip parameters specified for that means.




For all AOOs and DBAs, there are at least two diverse trip parameters unless it can be shown that failure to trip will not lead to unacceptable consequences.

There is no gap in trip coverage for any operating condition (i.e., power, temperature, etc.) within the OLCs. This is ensured by providing additional trip parameters if necessary. A different level of effectiveness may be acceptable for the additional trip parameters.

The extent of trip coverage provided by all available parameters is documented for the entire spectrum of failures for each set of PIEs.

An assessment of the accuracy and the potential failure modes of the trip parameters is provided in the design documentation.

Criterion 21--Protection system reliability and testability.

The protection system shall be designed for high functional reliability and inservice testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that

(1) no single failure results in loss of the protection function and

(2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated.

The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.

8.4.2 Reliability

The design permits ongoing demonstration that each means of shutdown is being operated and maintained in a manner that ensures continued adherence to reliability and effectiveness requirements.

Periodic testing of the systems and their components is scheduled at a frequency commensurate with applicable requirements.

7.6.2 Single Failure Criterion

All safety groups function in the presence of a single failure. The single failure criterion requires that each safety group perform all safety functions required for a PIE in the presence of any single component failure […]

7.6.4 Allowance for Equipment Outages

The design includes provisions for adequate redundancy, reliability, and effectiveness, to allow for online maintenance and online testing of systems important to safety, except where these activities are not possible due to access control restrictions.

Equivalence

The equivalence of the requirements on reliability and testability can be considered based on the general provisions in Sections 7.6.2 and 7.6.4 and on the provisions in Section 8.4.

Criterion 22--Protection system independence.

The protection system shall be designed to assure that the effects

Covered by the provisions in Sections 7.6 Design for Reliability and 8.4 Means of Shutdown

(General requirements in Section 7.6 are applicable

Equivalence




of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis.

Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.

to all systems important to safety.)

Criterion 23--Protection system failure modes.

The protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments (e.g., extreme heat or cold, fire, pressure, steam, water, and radiation) are experienced.

7.6.3 Fail-safe Design

The principle of fail-safe design is applied to the design of SSCs important to safety. To the greatest extent practicable, application of this principle enables plant systems to pass into a safe state if a system or component fails, with no necessity for any action to be taken.

[General requirements in Section 7.6 are applicable to all systems important to safety.]

Equivalence

(There is no specific requirement in RD-337 addressing in particular the application of fail-safe design to the protection system. The protection system includes the reactor protection system and the safety engineered features actuation system. However, equivalence in the requirements was considered, based on the provisions in Section 7.6)

Criterion 24--Separation of protection and control systems.

The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system.

Interconnection of the protection and control systems shall be

Relevant general provisions are set out in Section 7.6.1 Common-cause Failures and in Section 7.6.5 Shared Systems - Shared Instrumentation for Safety Systems

Equivalence

(Although there is no specific requirement in RD-337 addressing in particular the application of the separation principle in the design to the protection system, the provisions in Section 7.6.5, regarding “Shared Instrumentation for Safety Systems” are considered sufficient).




limited so as to assure that safety is not significantly impaired.

Criterion 25--Protection system requirements for reactivity control malfunctions.

The protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control systems, such as accidental withdrawal (not ejection or dropout) of control rods.


[…]

At least one means of shutdown is independently capable of quickly rendering the nuclear reactor subcritical from normal operation, in AOOs, and in DBAs by an adequate margin, on the assumption of a single failure. For this means of shutdown, a transient recriticality may be permitted in exceptional circumstances if the specified fuel and component limits are not exceeded.

At least one means of shutdown is independently capable of rendering the reactor subcritical from normal operation, in AOOs, and in DBAs, and maintaining the reactor subcritical by an adequate margin and with high reliability for even the most reactive conditions of the core.

Redundancy is provided in the fast-acting means of shutdown if, in the event that the credited means of reactivity control fails during any AOO or DBA, inherent core characteristics are unable to maintain the reactor within specified limits.

While resetting the means of shutdown, the maximum degree of positive reactivity and the maximum rate of increase are within the capacity of the reactor control system.

To improve reliability, stored energy should be used in shutdown actuation.


Equivalence

Criterion 26--Reactivity control system redundancy and capability.

Two independent reactivity control systems of different design principles shall be provided.

One of the systems shall use control rods, preferably including a positive means for inserting the rods, and shall be capable of reliably controlling reactivity changes to assure that under conditions of normal operation, including anticipated operational


The design provides the means for detecting levels and distributions of neutron flux. This applies to neutron flux in all regions of the core during normal operation (including after shutdown and during and after refuelling states), and during AOOs.


Adequate means are provided to maintain both bulk and spatial power distributions within a predetermined range.

The reactor control mechanisms limit the positive

Equivalence

(RD-337 requirements are formulated in a technology-neutral manner and do not prescribe the design of the reactivity control systems).




occurrences, and with appropriate margin for malfunctions such as stuck rods, specified acceptable fuel design limits are not exceeded.

The second reactivity control system shall be capable of reliably controlling the rate of reactivity changes resulting from planned, normal power changes (including xenon burnout) to assure acceptable fuel design limits are not exceeded. One of the systems shall be capable of holding the reactor core subcritical under cold conditions.

reactivity insertion rate to a level required to control reactivity changes and power maneuvering.

The control system, combined with the inherent characteristics of the reactor and the selected operating limits and conditions, minimize the need for shutdown action.




The design includes two separate, independent, and diverse means of shutting down the reactor.

At least one means of shutdown is independently capable of quickly rendering the nuclear reactor subcritical from normal operation, in AOOs, and in DBAs by an adequate margin, on the assumption of a single failure. For this means of shutdown, a transient recriticality may be permitted in exceptional circumstances if the specified fuel and component limits are not exceeded.

At least one means of shutdown is independently capable of rendering the reactor subcritical from normal operation, in AOOs, and in DBAs, and maintaining the reactor subcritical by an adequate margin and with high reliability for even the most reactive conditions of the core.

Redundancy is provided in the fast-acting means of shutdown if, in the event that the credited means of reactivity control fails during any AOO or DBA, inherent core characteristics are unable to maintain the reactor within specified limits.

While resetting the means of shutdown, the maximum degree of positive reactivity and the maximum rate of increase are within the capacity of the reactor control system.

To improve reliability, stored energy should be used in shutdown actuation.

The effectiveness of the means of shutdown (i.e., speed of action and shutdown margin) is such that specified limits are not exceeded, and the possibility




of recriticality or reactivity excursion following a PIE is minimized.

Criterion 27--Combined reactivity control systems capability.

The reactivity control systems shall be designed to have a combined capability, in conjunction with poison addition by the emergency core cooling system, of reliably controlling reactivity changes to assure that under postulated accident conditions and with appropriate margin for stuck rods the capability to cool the core is maintained.

LWR specific requirement LWR specific requirement

Criterion 28--Reactivity limits.

The reactivity control systems shall be designed with appropriate limits on the potential amount and rate of reactivity increase to assure that the effects of postulated reactivity accidents can neither

(1) result in damage to the reactor coolant pressure boundary greater than limited local yielding nor

(2) sufficiently disturb the core, its support structures or other reactor pressure vessel internals to impair significantly the capability to cool the core.

These postulated reactivity accidents shall include consideration of rod ejection (unless prevented by positive means), rod dropout, steam line rupture, changes in reactor coolant temperature and pressure, and cold water addition.


[…]


8.1 Reactor Core

[…] The design of the core is such that:



Equivalence

(RD-337 does not specify the postulated reactivity accidents to be analyzed)

Criterion 29--Protection against anticipated operational occurrences.

The protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety functions in the event of anticipated operational


[…]


[…]

Equivalence

(it would be interesting to verify the criteria for judging the “extremely high reliability” of the




occurrences. The control system, combined with the inherent characteristics of the reactor and the selected operating limits and conditions, minimize the need for shutdown action.




7.6 Design for Reliability

All SSCs important to safety are designed with sufficient quality and reliability to meet the design limits. A reliability analysis is performed for each of these SSCs.

[…]

The safety systems and their support systems are designed to ensure that the probability of a safety system failure on demand from all causes is lower than 10-3.

The reliability model for each system uses realistic failure criteria and best estimate failure rates, considering the anticipated demand on the system from PIEs.

[…]

safety functions)

Criterion 30--Quality of reactor coolant pressure boundary.

Components which are part of the reactor coolant pressure boundary shall be designed, fabricated, erected, and tested to the highest quality standards practical. Means shall be provided for detecting and, to the extent practical, identifying the location of the source of reactor coolant leakage.

7.7 Pressure-retaining SSCs

All pressure-retaining SSCs are protected against overpressure conditions, and are classified, designed, fabricated, erected, inspected, and tested in accordance with established standards.

[…]

The design minimizes the likelihood of flaws in pressure boundaries. This includes timely detection of flaws in pressure boundaries important to safety in a manner that supports leak-before-break detection capability.


[…]

The design provides a system capable of detecting

RD-337 does not specifically require for “the highest quality standards practical” for the quality of the reactor coolant pressure boundary. However, it is not clear how it is determined, in practice, as part of the regulatory review, what are the highest standards.

RD-337 does not require for the identification (to the




and monitoring leakage from the reactor coolant system.

extent practical) of the location of reactor coolant leakages.

Criterion 31--Fracture prevention of reactor coolant pressure boundary.

The reactor coolant pressure boundary shall be designed with sufficient margin to assure that when stressed under operating, maintenance, testing, and postulated accident conditions

(1) the boundary behaves in a nonbrittle manner and

(2) the probability of rapidly propagating fracture is minimized.

The design shall reflect consideration of service temperatures and other conditions of the boundary material under operating, maintenance, testing, and postulated accident conditions and the uncertainties in determining (1) material properties, (2) the effects of irradiation on material properties, (3) residual, steady state and transient stresses, and (4) size of flaws.



The design ensures that the operation of pressure relief devices will not lead to unacceptable releases of radioactive material from the plant, even in DBAs. The reactor coolant system is fitted with isolation devices to limit any loss of radioactive coolant outside containment.

The material used in the fabrication of the component parts is selected so as to minimize activation of the material.

Plant states in which components of the pressure boundary could exhibit brittle behaviour should be avoided.

The design reflects consideration of all conditions of the boundary material in normal operation (including maintenance and testing), AOOs, and DBAs, as well as expected end-of-life properties affected by ageing mechanisms, the rate of deterioration, and the initial state of the components.

The design of the moving components contained inside the reactor coolant pressure boundary, such as pump impellers and valve parts, minimizes the likelihood of failure and associated consequential damage to other items of the reactor coolant system. This applies to normal operation, AOOs, and DBAs, with allowance for deterioration that may occur in service.

The design provides a system capable of detecting and monitoring leakage from the reactor coolant system.


All pressure-retaining SSCs are protected against overpressure conditions, and are classified, designed, fabricated, erected, inspected, and tested in accordance with established standards.

All pressure-retaining SSCs of the reactor coolant system and auxiliaries are designed with an appropriate safety margin to ensure that the pressure boundary will not be breached, and that fuel design


RD-337 does not explicitly require for the probability of rapidly propagating fracture to be minimized. It does, however, include requirements on leak-before-break detection capability.

RD-337 does not explicitly address uncertainties in determining material properties, effects of irradiation, stresses and size of flaws. In a future revision of RD-337, it could be explicitly required that such uncertainties are catered for in the design (a similar requirement on uncertainties is provided in Section 8.1.1 on Fuel Elements and Assemblies).




limits will not be exceeded in normal operation, AOOs, or DBA conditions.

The design minimizes the likelihood of flaws in pressure boundaries. This includes timely detection of flaws in pressure boundaries important to safety in a manner that supports leak-before-break detection capability.

Unless otherwise justified, all pressure boundary SSCs are designed to withstand static and dynamic loads anticipated in normal operation, AOOs, and DBAs.

[…]

Criterion 32--Inspection of reactor coolant pressure boundary.

Components which are part of the reactor coolant pressure boundary shall be designed to permit

(1) periodic inspection and testing of important areas and features to assess their structural and leaktight integrity, and

(2) an appropriate material surveillance program for the reactor pressure vessel.

8.2.1 In-service Pressure Boundary Inspection

The components of the reactor coolant pressure boundary are designed, manufactured, and arranged in a manner that permits adequate inspections and tests of the boundary throughout the lifetime of the plant.

The design also facilitates surveillance in order to determine the metallurgical conditions of materials for which metallurgical changes are anticipated.


[…]

Pressure-retaining components whose failure will affect nuclear safety are designed to permit inspection of their pressure boundaries throughout the design life. If full inspection is not achievable, then it is augmented by indirect methods such as a program of surveillance of reference components. Leak detection is an acceptable method when the SSC is leak-before-break qualified.

Equivalence

Criterion 33--Reactor coolant makeup.

A system to supply reactor coolant makeup for protection against small breaks in the reactor coolant pressure boundary shall be provided. The system safety function shall be to assure that specified acceptable fuel design limits are not exceeded as a result of reactor coolant loss due to leakage from the reactor coolant pressure boundary and rupture of small piping or other small components which are part of the boundary.

The system shall be designed to


8.2.2 Inventory

Taking volumetric changes and leakage into account, the design provides control of coolant inventory and pressure to ensure that specified design limits are not exceeded in normal operation. This expectation extends to the provision of adequate capacity (flow rate and storage volumes) in the systems performing this function.

The inventory in the reactor coolant system and its associated systems are sufficient to support cool down from hot operating conditions to zero power cold conditions without the need for transfer from any other systems.


RD-337 does not include requirements on the power supply to the systems involved in maintaining coolant inventory.

The requirements in RD-337 are oriented towards to safety function to be accomplished, while the requirements in Criterion 33 refer to




assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished using the piping, pumps, and valves used to maintain coolant inventory during normal reactor operation.

a specific system.

Criterion 34--Residual heat removal.

A system to remove residual heat shall be provided. The system safety function shall be to transfer fission product decay heat and other residual heat from the reactor core at a rate such that specified acceptable fuel design limits and the design conditions of the reactor coolant pressure boundary are not exceeded.

Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.


8.2.4 Removal of Residual Heat from Reactor Core

The design provides a means (i.e., backup) of removing residual heat from the reactor for all conditions of the RCS. The backup is independent of the configuration in use.

The means of removing residual heat meets reliability requirements on the assumptions of a single failure and the loss of off-site power, by incorporating suitable redundancy, diversity, and independence. Interconnections and isolation capabilities have a degree of reliability that is commensurate with system design requirements.

Heat removal is at a rate that prevents the specified design limits of the fuel and the reactor coolant pressure boundary from being exceeded.

If a residual heat removal system is required when the RCS is hot and pressurized, it can be initiated at the normal operating conditions of the RCS.

Equivalence

However, the requirements in RD-337 may be more stringent due to the provision for RHRS to be designed to nominal conditions of RCS in case its operation is required when the RCS is hot and pressurized.




Criterion 35--Emergency core cooling.

A system to provide abundant emergency core cooling shall be provided. The system safety function shall be to transfer heat from the reactor core following any loss of reactor coolant at a rate such that (1) fuel and clad damage that could interfere with continued effective core cooling is prevented and (2) clad metal-water reaction is limited to negligible amounts.

Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

8.5 Emergency Core Cooling System

All water-cooled nuclear power reactors are to be equipped with an emergency core cooling system (ECCS). The function of this safety system is to transfer heat from the reactor core following a loss of reactor coolant that exceeds makeup capability. All equipment required for correct operation of the ECCS is considered part of the system or its safety support system(s).

Safety support systems include systems that supply electrical power or cooling water to equipment used in the operation of the ECCS, and are subject to all relevant requirements and expectations.

The design considers the effect on core reactivity of the mixing of ECCS water with reactor coolant water, including possible mixing due to in-leakage.

The ECCS meets the following criteria for all DBAs involving loss of coolant:

1. All fuel in the reactor and all fuel assemblies are kept in a configuration such that continued removal of the residual heat produced by the fuel can be maintained; and

2. A continued cooling flow (recovery flow) is supplied to prevent further damage to the fuel after adequate cooling of the fuel is re-established by the ECCS.

The ECCS recovery flow path is such that impediment to the recovery of coolant following a loss of coolant accident by debris or other material is avoided.

Maintenance and reliability testing that is conducted when ECCS availability is required can be carried out without a reduction in the effectiveness of the system below the OLCs.

In the event of an accident when injection of emergency coolant is required, it is not readily possible for an operator to prevent the injection from taking place.

All ECCS components that may contain radioactive material are to be located inside containment or in an extension of containment.

[…]

RD-337 does not include explicit requirements for the ECCS to limit the clad metal-water reaction.

See also IAEA NS-R-1 para. 6.35 (1) & (2).

Criterion 36--Inspection of emergency core cooling system.

The emergency core cooling system shall be designed to permit appropriate periodic

There is no specific requirement in RD-337 addressing the periodic inspection of the ECCS components.

However, this requirement can be considered as generally covered by the requirements in section





inspection of important components, such as spray rings in the reactor pressure vessel, water injection nozzles, and piping, to assure the integrity and capability of the system.

7.14 In-service Testing, Maintenance, Repair, Inspection, and Monitoring (In order to maintain the NPP within the boundaries of the design, the SSCs important to safety are calibrated, tested, maintained and repaired (or replaced), inspected, and monitored over the lifetime of the plant. These activities are performed to standards commensurate with the importance of the respective safety functions of the SSCs, with no significant reduction in system availability or undue exposure of the site personnel to radiation. […])

Criterion 37--Testing of emergency core cooling system.

The emergency core cooling system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the system, and (3) the operability of the system as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the system into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated cooling water system.

8.5 Emergency Core Cooling System

[…]

Maintenance and reliability testing that is conducted when ECCS availability is required can be carried out without a reduction in the effectiveness of the system below the OLCs.

In addition, the requirements in section 7.14 In-service Testing, Maintenance, Repair, Inspection, and Monitoring are applicable also to the ECCS.


(the requirements on testing of ECCS in Criterion 37 in 10 CFR Part 50 Appendix A are more detailed as regards the objectives of the testing)

Criterion 38--Containment heat removal.

A system to remove heat from the reactor containment shall be provided. The system safety function shall be to reduce rapidly, consistent with the functioning of other associated systems, the containment pressure and temperature following any loss-of-coolant accident and maintain them at acceptably low levels.

Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be

8.6 Containment


[…]

The containment design incorporates systems to assist in controlling internal pressure and the release of radioactive material to the environment following an accident.

The containment includes at least the following subsystems:

1. The containment structure and related components;

2. Equipment required to isolate the containment envelope and maintain its completeness and continuity following an accident;

RD-337 does not explicitly cover the requirement for the containment heat removal function to be accomplished on the assumption of single failure and the loss of off-site power




provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

3. Equipment required to reduce the pressure and temperature of the containment and reduce the concentration of free radioactive material within the containment envelope; and

4. Equipment required for limiting the release of radioactive material from the containment envelope following an accident.

8.6.9 Containment Pressure and Energy Management

The design enables heat removal and pressure reduction in the reactor containment in all plant states. Systems designed for this purpose are considered part of the containment system, and are capable of:

1. Minimizing the pressure-assisted release of fission products to the environment;

2. Preserving containment integrity; and

3. Preserving required leak tightness.

Criterion 39--Inspection of containment heat removal system.

The containment heat removal system shall be designed to permit appropriate periodic inspection of important components, such as the torus, sumps, spray nozzles, and piping to assure the integrity and capability of the system.

There is no specific requirement in RD-337 addressing the inspection of the containment heat removal system.

However, this requirement can be considered as generally covered by the requirements in section 7.14 In-service Testing, Maintenance, Repair, Inspection, and Monitoring (In order to maintain the NPP within the boundaries of the design, the SSCs important to safety are calibrated, tested, maintained and repaired (or replaced), inspected, and monitored over the lifetime of the plant. These activities are performed to standards commensurate with the importance of the respective safety functions of the SSCs, with no significant reduction in system availability or undue exposure of the site personnel to radiation. […])


Criterion 40--Testing of containment heat removal system.

The containment heat removal system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the system, and (3) the operability of the system

There is no specific requirement in RD-337 addressing the testing of the containment heat removal system.

However, this requirement can be considered as generally covered by the requirements in section 7.14 In-service Testing, Maintenance, Repair, Inspection, and Monitoring.





as a whole, and under conditions as close to the design as practical the performance of the full operational sequence that brings the system into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated cooling water system.

Criterion 41--Containment atmosphere cleanup.

Systems to control fission products, hydrogen, oxygen, and other substances which may be released into the reactor containment shall be provided as necessary to reduce, consistent with the functioning of other associated systems, the concentration and quality of fission products released to the environment following postulated accidents, and to control the concentration of hydrogen or oxygen and other substances in the containment atmosphere following postulated accidents to assure that containment integrity is maintained.

Each system shall have suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) its safety function can be accomplished, assuming a single failure.

8.6.10 Control and Cleanup of the Containment Atmosphere

The design provides systems to control the release of fission products, hydrogen, oxygen, and other substances into the reactor containment as necessary, to:

1. Reduce the amount of fission products that might be released to the environment during an accident; and

2. Prevent deflagration or detonation that could jeopardize the integrity or leak tightness of the containment.

The design also:

1. Supports isolation of all sources of compressed air and other non-condensable gases into the containment atmosphere following an accident;

2. Ensures that, in the case of ingress of non-condensable gas resulting from a PIE, containment pressure will not exceed the design limit; and

3. Provides isolation of compressed air sources to prevent any bypass of containment.

RD-337 does not explicitly cover the requirement for the containment atmosphere cleanup function to be accomplished on the assumption of single failure and the loss of off-site power.

Criterion 42--Inspection of containment atmosphere cleanup systems.

The containment atmosphere cleanup systems shall be designed to permit appropriate periodic inspection of important

There is no specific requirement in RD-337 addressing the inspection of the containment atmosphere cleanup systems.

However, this requirement can be considered as generally covered by the requirements in section 7.14 In-service Testing, Maintenance, Repair,





components, such as filter frames, ducts, and piping to assure the integrity and capability of the systems.

Inspection, and Monitoring.

Criterion 43--Testing of containment atmosphere cleanup systems.

The containment atmosphere cleanup systems shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the systems such as fans, filters, dampers, pumps, and valves and (3) the operability of the systems as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the systems into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of associated systems.

There is no specific requirement in RD-337 addressing the testing of the containment atmosphere cleanup systems.



Criterion 44--Cooling water.

A system to transfer heat from structures, systems, and components important to safety, to an ultimate heat sink shall be provided. The system safety function shall be to transfer the combined heat load of these structures, systems, and components under normal operating and accident conditions.

Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation

8.7 Heat Transfer to an Ultimate Heat Sink

The design includes systems for transferring residual heat from SSCs important to safety to an ultimate heat sink. This function is subject to very high levels of reliability during normal operation, AOOs, and DBAs.

All systems that contribute to the transport of heat by conveying heat, providing power, or supplying fluids to the heat transport systems, are therefore designed in accordance with the importance of their contribution to the function of heat transfer as a whole.

Natural phenomena and human-induced events are taken into account in the design of heat transfer systems, and in the choice of diversity and redundancy, both in the ultimate heat sinks and in the storage systems from which fluids for heat transfer are supplied.

The design extends the capability to transfer residual heat from the core to an ultimate heat sink so that, in the event of a severe accident:

RD-337 does not explicitly cover the requirement for the function of heat transfer to an ultimate heat sink to be accomplished on the assumption of single failure and the loss of off-site power.

However, RD-337 requires for the heat transfer to an ultimate heat sink to be available in case of severe accidents.




(assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

1. Acceptable conditions can be maintained in SSCs;

2. Radioactive materials can be confined; and

3. Releases to the environment can be limited.

Criterion 45--Inspection of cooling water system.

The cooling water system shall be designed to permit appropriate periodic inspection of important components, such as heat exchangers and piping, to assure the integrity and capability of the system.

There is no specific requirement in RD-337 addressing the inspection of the systems contributing to heat transfer to an ultimate heat sink.



Criterion 46--Testing of cooling water system.

The cooling water system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and the performance of the active components of the system, and (3) the operability of the system as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the system into operation for reactor shutdown and for loss-of-coolant accidents, including operation of applicable portions of the protection system and the transfer between normal and emergency power sources.

There is no specific requirement in RD-337 addressing the testing of the systems contributing to heat transfer to an ultimate heat sink.



Criterion 50--Containment design basis.

The reactor containment structure, including access

8.6 Containment


Each nuclear power reactor is installed within a

The requirements in RD-337 appear to be more restrictive, since they explicitly




openings, penetrations, and the containment heat removal system shall be designed so that the containment structure and its internal compartments can accommodate, without exceeding the design leakage rate and with sufficient margin, the calculated pressure and temperature conditions resulting from any loss-of-coolant accident.

This margin shall reflect consideration of

(1) the effects of potential energy sources which have not been included in the determination of the peak conditions, such as energy in steam generators and as required by § 50.44 energy from metal-water and other chemical reactions that may result from degradation but not total failure of emergency core cooling functioning,

(2) the limited experience and experimental data available for defining accident phenomena and containment responses, and

(3) the conservatism of the calculational model and input parameters.

containment structure to minimize the release of radioactive materials to the environment during normal operation, AOOs, and DBAs. Containment also assists in mitigating the consequences of BDBAs.


The containment is a safety system and includes complementary design features, both of which are subject to the respective design expectations provided in this regulatory document.

The design includes a clearly defined continuous leak-tight containment envelope, the boundaries of which are defined for all conditions that could exist in the operation or maintenance of the reactor, or following an accident.

[…]

8.6.2 Strength of the Containment Structure

The strength of the containment structure provides sufficient margins of safety based on potential internal overpressures, underpressures, temperatures, dynamic effects such as missile generation, and reaction-forces anticipated to result in the event of DBAs. Application of strength margins applies to access openings, penetrations, and isolation valves, and to the containment heat removal system.

The margins reflect:

1. Effects of other potential energy sources, such as possible chemical reactions and radiolytic reactions;

2. Limited experience and experimental data available for defining accident phenomena and containment responses; and

3. Conservatism of the calculation model and input parameters.

The positive and negative design pressures within each part of the containment boundary include the highest and lowest pressures that could be generated in the respective parts as a result of any DBA.

[…]

8.6.12 Severe Accidents

Following onset of core damage, the containment boundary should be capable of contributing to the reduction of radioactivity releases to allow sufficient time for the implementation of off-site emergency procedures. This expectation applies to a

ask for severe accident conditions to be considered in the design of the containment system.

However, GDC 50 references § 50.44, which requires 100 % 100% fuel clad-coolant reaction to be assumed in the safety analyses.




representative set of severe accidents.

Damage to the containment structure is limited to prevent uncontrolled releases of radioactivity, and to maintain the integrity of structures that support internal components.

The ability of the containment system to withstand loads associated with severe accidents is demonstrated in design documentation, and includes the following considerations:

1. Various heat sources, including residual heat, metal-water reactions, combustion of gases, and standing flames;

2. Pressure control;

3. Control of combustible gases;

4. Sources of non-condensable gases;

5. Control of radioactive material leakage;

6. Effectiveness of isolation devices;

7. Functionality and leak tightness of air locks and containment penetrations; and

8. Effects of the accident on the integrity and functionality of internal structures.

The design authority should consider incorporation of complementary design features that will:

1. Prevent a containment melt-through or failure due to the thermal impact of the core debris;

2. Facilitate cooling of the core debris; and

3. Minimize generation of non-condensable gases and radioactive products.

Criterion 51--Fracture prevention of containment pressure boundary.

The reactor containment boundary shall be designed with sufficient margin to assure that under operating, maintenance, testing, and postulated accident conditions

(1) its ferritic materials behave in a nonbrittle manner and

(2) the probability of rapidly propagating fracture is minimized.

The design shall reflect consideration of service

There is no equivalent requirement in RD-337.

The reactor containment pressure boundary, as addressed in the NRC licensing review process, consists of those ferritic steel parts of the reactor containment system which sustain loading and provide a pressure boundary in the performance of the containment function under the operating, maintenance, testing and postulated accident conditions cited by General Design Criterion (GDC) 51. Within this context, typically reviewed are the ferritic materials of components such as freestanding containment vessels, equipment hatches, personnel airlocks, heads of primary containment drywells, tori, containment penetration sleeves, process pipes,

end closure caps and flued heads, and penetrating-piping systems connecting to penetration process

RD-337 does not include provisions on fracture prevention of the containment pressure boundary (a requirement applicable to ferritic materials that are part of the containment pressure boundary).




temperatures and other conditions of the containment boundary material during operation, maintenance, testing, and postulated accident conditions, and the uncertainties in determining (1) material properties, (2) residual, steady state, and transient stresses, and (3) size of flaws.

pipes and extending to and including the system isolation valves.

Criterion 52--Capability for containment leakage rate testing.

The reactor containment and other equipment which may be subjected to containment test conditions shall be designed so that periodic integrated leakage rate testing can be conducted at containment design pressure.

8.6 Containment

8.6.4 Leakage

Leak Rate Testing

The containment structure and the equipment and components affecting the leak tightness of the containment system are designed to allow leak rate testing:

1. For commissioning, at the containment design pressure; and

2. Over the service lifetime of the reactor, either at the containment design pressure or at reduced pressures that permit estimation of the leakage rate at the containment design pressure.

To the extent practicable, penetrations are to be designed to allow individual testing of each penetration.

The design is expected to provide for ready and reliable detection of any significant breach of the containment envelope.

Equivalence

Criterion 53--Provisions for containment testing and inspection.

The reactor containment shall be designed to permit

(1) appropriate periodic inspection of all important areas, such as penetrations,

(2) an appropriate surveillance program, and (3) periodic testing at containment design pressure of the leaktightness of penetrations which have resilient seals and expansion bellows.

8.6.5 Containment Penetrations

[…]

All penetrations are designed to allow for periodic inspection.

Leak rate testing is addressed in section 8.6.4 Leakage.

In addition, the general requirements in section 7.14 In-service Testing, Maintenance, Repair, Inspection, and Monitoring are applicable.


Criterion 54--Piping systems penetrating containment.

Piping systems penetrating

8.6 Containment


Equivalence




primary reactor containment shall be provided with leak detection, isolation, and containment capabilities having redundancy, reliability, and performance capabilities which reflect the importance to safety of isolating these piping systems.

Such piping systems shall be designed with a capability to test periodically the operability of the isolation valves and associated apparatus and to determine if valve leakage is within acceptable limits.

[…]

All piping that is part of the main or backup reactor coolant systems is entirely within the main containment structure, or in a containment extension.

[…]

8.6.4 Leakage

The containment structure and the equipment and components affecting the leak tightness of the containment system are designed to allow leak rate testing[…]

[…]

The design is expected to provide for ready and reliable detection of any significant breach of the containment envelope.

8.6.6 Containment Isolation

Piping systems that penetrate the containment system have isolation devices with redundancy, reliability, and performance capabilities that reflect the importance of isolating the various types of piping systems.

[…]

For any piping outside of containment that could contain radioactivity from the reactor core, the following expectations apply:

1. Design parameters are the same as those for a piping extension to containment, and are subject to the requirements for metal penetrations of containment;

2. All piping and components that are open to the containment atmosphere are designed for a pressure greater than the containment design pressure;

3. The piping and components are housed in a confinement structure that prevents leakage of radioactivity to the environment and to adjacent structures; and

4. This housing includes detection capability for leakage of radioactivity and the capability to return the radioactivity to the flow path.

Criterion 55--Reactor coolant pressure boundary penetrating containment.

Each line that is part of the reactor coolant pressure boundary and that penetrates primary


Each line of the reactor coolant pressure boundary that penetrates the containment, or that is connected directly to the containment atmosphere, is to be automatically and reliably sealable.


For lines that are part of the reactor




reactor containment shall be provided with containment isolation valves as follows, unless it can be demonstrated that the containment isolation provisions for a specific class of lines, such as instrument lines, are acceptable on some other defined basis:

(1) One locked closed isolation valve inside and one locked closed isolation valve outside containment; or

(2) One automatic isolation valve inside and one locked closed isolation valve outside containment; or

(3) One locked closed isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment; or

(4) One automatic isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment.

Isolation valves outside containment shall be located as close to containment as practical and upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides greater safety.

Other appropriate requirements to minimize the probability or consequences of an accidental rupture of these lines or of lines connected to them shall be provided as necessary to assure adequate safety. Determination of the appropriateness of these requirements, such as higher quality in design, fabrication, and testing, additional provisions for inservice inspection, protection against more severe natural phenomena, and additional

This provision is essential to maintaining the leak tightness of the containment in the event of an accident, and preventing radioactive releases to the environment that exceed prescribed limits.

Automatic isolation valves are positioned to provide the greatest safety upon loss of actuating power.

Piping systems that penetrate the containment system have isolation devices with redundancy, reliability, and performance capabilities that reflect the importance of isolating the various types of piping systems. Alternative types of isolation may be used where justification is provided.

Where manual isolation valves are used, they have locking or continuous monitoring capability.

Reactor Coolant System Auxiliaries that Penetrate Containment

Each auxiliary line that is connected to the reactor coolant pressure boundary, and that penetrates the containment structure, includes two isolation valves in series. The valves are normally arranged with one inside and one outside the containment structure. Where the valves provide isolation of the heat transport system during normal operation, both valves are normally in the closed position.

Systems directly connected to the reactor coolant system that may be open during normal operation are subject to the same isolation expectations as the normally closed system, with the exception that manual isolating valves inside the containment structure will not be used.

At least one of the two isolation valves is either automatic or powered, and operable from the main and secondary control rooms.

For any piping outside of containment that could contain radioactivity from the reactor core, the following expectations apply:

1. Design parameters are the same as those for a piping extension to containment, and are subject to the requirements for metal penetrations of containment;

2. All piping and components that are open to the containment atmosphere are designed for a pressure greater than the containment design pressure;

3. The piping and components are housed in a confinement structure that prevents leakage of radioactivity to the environment and to adjacent structures; and

4. This housing includes detection capability

coolant pressure boundary that penetrate the containment, the requirement for the isolation valves to be as close as practical to the containment is not covered in RD-337.

Also, the use of check valves as automatic isolation valves outside containment is not prohibited.




isolation valves and containment, shall include consideration of the population density, use characteristics, and physical characteristics of the site environs.

for leakage of radioactivity and the capability to return the radioactivity to the flow path.

Criterion 56--Primary containment isolation.

Each line that connects directly to the containment atmosphere and penetrates primary reactor containment shall be provided with containment isolation valves as follows, unless it can be demonstrated that the containment isolation provisions for a specific class of lines, such as instrument lines, are acceptable on some other defined basis:

(1) One locked closed isolation valve inside and one locked closed isolation valve outside containment; or

(2) One automatic isolation valve inside and one locked closed isolation valve outside containment; or

(3) One locked closed isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment; or

(4) One automatic isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment.

Isolation valves outside containment shall be located as close to the containment as practical and upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides greater safety.


[…]

Systems Connected to Containment Atmosphere

Each line that connects directly to the containment atmosphere, that penetrates the containment structure and is not part of a closed system, is to be provided with two isolation barriers that meet the following expectations:

1. Two automatic isolation valves in series for lines that may be open to the containment atmosphere;

2. Two closed isolation valves in series for lines that are normally closed to the containment atmosphere; and

3. The line up to and including the second valve is part of the containment envelope.


Note: the use of check valves as automatic isolation valves outside containment is not prohibited.




Criterion 57--Closed system isolation valves.

Each line that penetrates primary reactor containment and is neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere shall have at least one containment isolation valve which shall be either automatic, or locked closed, or capable of remote manual operation. This valve shall be outside containment and located as close to the containment as practical. A simple check valve may not be used as the automatic isolation valve.


[…]

Closed Systems

All closed piping service systems have at least one single isolation valve on each line penetrating the containment, with the valve being located outside of, but as close as practicable to, the containment structure.

Where failure of a closed loop is assumed to be a PIE or the result of a PIE, the isolations for reactor coolant system auxiliaries apply.

Closed piping service systems inside or outside the containment structure that form part of the containment envelope need no further isolation if:

1. They meet the applicable service piping standards and codes; and

2. They can be continuously monitored for leaks.


RD-337 does not explicitly prohibit the use of a check valve. It does not specify that the isolation valve shall be either automatic, or locked closed, or capable of remote manual operation (except for cases where failure of the closed system is a PIE or occurs as the result of a PIE).

Criterion 60--Control of releases of radioactive materials to the environment.

The nuclear power unit design shall include means to control suitably the release of radioactive materials in gaseous and liquid effluents and to handle radioactive solid wastes produced during normal reactor operation, including anticipated operational occurrences.

Sufficient holdup capacity shall be provided for retention of gaseous and liquid effluents containing radioactive materials, particularly where unfavorable site environmental conditions can be expected to impose unusual operational limitations upon the release of such effluents to the environment.

8.11 Waste Treatment and Control

The design includes provisions to treat liquid and gaseous effluents in a manner that will keep the quantities and concentrations of discharged contaminants within prescribed limits, and that will support application of the ALARA principle.

The design also includes adequate provision for the safe on-site handling and storage of radioactive and non-radioactive wastes for a period of time consistent with options for off-site management or disposal.

8.11.1 Control of Liquid Releases to the Environment

To ensure that emissions and concentrations remain within prescribed limits, the design includes suitable means for controlling liquid releases to the environment in a manner that conforms to the ALARA principle. This includes a liquid waste management system of sufficient capacity to collect, hold, mix, pump, test, treat, and sample liquid waste before discharge, taking expected waste and accidental spills or discharges into account.

8.11.2 Control of Airborne Material within the Plant

The design includes gaseous waste management systems capable of:

1. Controlling all gaseous contaminants so as to conform to the ALARA principle and ensure that concentrations remain within prescribed limits;

The requirements on control of radioactive releases to environment set out in RD-337 are more comprehensive than those in Criterion 60 of 10 CFR Part 50 Appendix A.

However, RD-337 does not explicitly require that the capacity of the waste management systems takes account of unfavorable site environmental conditions that could impose unusual operational limitations upon the release of effluents to the environment.




2. Collecting all potentially active gases, vapours, and airborne particulates for monitoring;

3. Passing all potentially active gases, vapours, and airborne particulates through pre-filters, absolute filters, charcoal filters, or high efficiency particulate air filters where applicable; and

4. Delaying releases of potential sources of noble gases by way of an off-gas system of sufficient capacity.

The design provides a ventilation system with an appropriate filtration system capable of:

1. Preventing unacceptable dispersion of all airborne contaminants within the plant;

2. Reducing the concentration of airborne radioactive substances to levels compatible with the need for access to each particular area;

3. Keeping the level of airborne radioactive substances in the plant below prescribed limits, applying the ALARA principle in normal operation; and

4. Ventilating rooms containing inert or noxious gases without impairing the capability to control radioactive releases.

8.11.3 Control of Gaseous Releases to the Environment

The ventilation system includes filtration that will:

1. Control the release of gaseous contaminants and hazardous substances to the environment;

2. Ensure conformation to the ALARA principle; and

3. Maintain airborne contaminants within prescribed limits.

The filtration system reliably achieves the necessary retention factors under the expected prevailing conditions, and is designed in a manner that facilitates appropriate efficiency testing.

Criterion 61--Fuel storage and handling and radioactivity control.

The fuel storage and handling, radioactive waste, and other systems which may contain radioactivity shall be designed to assure adequate safety under normal and postulated accident conditions.

8.12 Fuel Handling and Storage

8.12.1 Handling and Storage of Non-irradiated Fuel

The design of the fuel handling and storage systems for non-irradiated fuel:

1. Ensures nuclear criticality safety by

a. maintaining an approved subcriticality margin by physical means or processes, preferably by the use of geometrically safe

The requirements on fuel handling and storage set out in RD-337 are more comprehensive than those in Criterion 61 of 10 CFR Part 50 Appendix A.

However, the need for containment, confinement and




These systems shall be designed

(1) with a capability to permit appropriate periodic inspection and testing of components important to safety,

(2) with suitable shielding for radiation protection,

(3) with appropriate containment, confinement, and filtering systems,

(4) with a residual heat removal capability having reliability and testability that reflects the importance to safety of decay heat and other residual heat removal, and

(5) to prevent significant reduction in fuel storage coolant inventory under accident conditions.

configurations, under both normal and credible abnormal conditions,

b. minimizing on-site consequences to personnel of postulated criticality accidents, and

c. mitigating off-site consequences of postulated criticality accidents;

2. Permits appropriate maintenance, periodic inspection, and testing of components important to safety;

3. Permits inspection of non-irradiated fuel;

4. Prevents loss of or damage to the fuel; and

5. Meets Canada’s safeguards requirements for recording and reporting accountancy data, and for monitoring flows and inventories related to non-irradiated fuel containing fissile material.

8.12.2 Handling and Storage of Irradiated Fuel

The design of the handling and storage systems for irradiated fuel:


a. maintaining an approved subcriticality margin by physical means or processes, preferably by the use of geometrically safe configurations, under both normal and credible abnormal conditions,



2. Permits adequate heat removal under normal operation, AOOs, and DBAs;

3. Permits inspection of irradiated fuel;

4. Permits periodic inspection and testing of components important to safety;

5. Prevents the dropping of used fuel in transit;

6. Prevents unacceptable handling stresses on fuel elements or fuel assemblies;

7. Prevents the inadvertent dropping of heavy objects and equipment on fuel assemblies;

8. Permits inspection and safe storage of suspect or damaged fuel elements or fuel assemblies;

filtering systems is not explicitly addressed.




9. Provides proper means for radiation protection;

10. Adequately identifies individual fuel modules;

11. Facilitates maintenance and decommissioning of the fuel storage and handling facilities;

12. Facilitates decontamination of fuel handling and storage areas and equipment when necessary;

13. Ensures implementation of adequate operating and accounting procedures to prevent loss of fuel;

14. Includes measures to prevent a direct threat or sabotage to irradiated fuel; and

15. Meets Canada’s safeguards requirements for recording and reporting accountancy data, and for monitoring flows and inventories related to irradiated fuel containing fissile material.

A design for a water pool used for fuel storage is expected to include provisions for:

1. Controlling the chemistry and activity of any water in which irradiated fuel is handled or stored;

2. Monitoring and controlling the water level in the fuel storage pool;

3. Detecting leakage; and

4. Preventing the pool from emptying in the event of a pipe break.

Criterion 62--Prevention of criticality in fuel storage and handling.

Criticality in the fuel storage and handling system shall be prevented by physical systems or processes, preferably by use of geometrically safe configurations.

8.12.1 Handling and Storage of Non-irradiated Fuel

The design of the fuel handling and storage systems for non-irradiated fuel:





Equivalence




[….]

8.12.2 Handling and Storage of Irradiated Fuel

The design of the handling and storage systems for irradiated fuel:





[…]

Criterion 63--Monitoring fuel and waste storage.

Appropriate systems shall be provided in fuel storage and radioactive waste systems and associated handling areas (1) to detect conditions that may result in loss of residual heat removal capability and excessive radiation levels and (2) to initiate appropriate safety actions.

The requirements in RD-337 Section 8.12.2 address the monitoring of water pools used for fuel storage. Section 8.13.3 includes provisions on the monitoring of radiation levels.

8.13.3 Monitoring

Equipment is provided to ensure that there is adequate radiation monitoring in normal operation, AOOs, and DBAs.

Stationary alarming dose rate meters are therefore provided:

1. For monitoring the local radiation dose rate at places routinely occupied by operating personnel;

2. Where the changes in radiation levels may be such that access may be limited for periods of time;

3. To indicate the general radiation level at appropriate locations in the event of DBAs and, as far as practicable, severe accidents; and

4. To give sufficient information in the control room or at the appropriate control position to enable plant personnel to initiate corrective actions when necessary.

Monitors are to be provided for measuring the activity of radioactive substances in the atmosphere:

1. For areas routinely occupied by personnel;

2. For areas where the levels of activity of airborne radioactive materials may, on

Equivalence




occasion, be expected to necessitate protective measures; and

3. To give an indication in the control room, or in other appropriate locations, of when a high concentration of radionuclides is detected.

Criterion 64--Monitoring radioactivity releases.

Means shall be provided for monitoring the reactor containment atmosphere, spaces containing components for recirculation of loss-of-coolant accident fluids, effluent discharge paths, and the plant environs for radioactivity that may be released from normal operations, including anticipated operational occurrences, and from postulated accidents.

8.13 Radiation Protection

8.13.3 Monitoring

Equipment is provided to ensure that there is adequate radiation monitoring in normal operation, AOOs, and DBAs.

Stationary alarming dose rate meters are therefore provided:

1. For monitoring the local radiation dose rate at places routinely occupied by operating personnel;

2. Where the changes in radiation levels may be such that access may be limited for periods of time;

3. To indicate the general radiation level at appropriate locations in the event of DBAs and, as far as practicable, severe accidents; and

4. To give sufficient information in the control room or at the appropriate control position to enable plant personnel to initiate corrective actions when necessary.

Monitors are to be provided for measuring the activity of radioactive substances in the atmosphere:

1. For areas routinely occupied by personnel;

2. For areas where the levels of activity of airborne radioactive materials may, on occasion, be expected to necessitate protective measures; and

3. To give an indication in the control room, or in other appropriate locations, of when a high concentration of radionuclides is detected.

Facilities are provided for monitoring individual doses to and contamination of personnel.

Stationary equipment and laboratory facilities are to be provided to determine the concentration of selected radionuclides in fluid process systems as appropriate, and in gas and liquid samples taken from plant systems or the environment.

Stationary equipment is provided for monitoring the effluents prior to or during discharge to the

The requirements on monitoring of radioactivity releases set out in RD-337 are more comprehensive (and more prescriptive) than the requirements in Criterion 64 of 10 CFR Part 50 Appendix A..




environment.

8.13.5 Monitoring Environmental Impact

The design provides the means for monitoring radiological releases to the environment in the vicinity of the plant […]

Single failure criterion

Definition: Single failure. A single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure.

Fluid and electric systems are considered to be designed against an assumed single failure if neither

(1) a single failure of any active component (assuming passive components function properly) nor

(2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions.

Single failures of passive components in electric systems should be assumed in designing against a single failure.

The conditions under which a single failure of a passive component in a fluid system should be considered in designing the system against a single failure are under development.

7.6.2 Single Failure Criterion

All safety groups function in the presence of a single failure. The single failure criterion requires that each safety group perform all safety functions required for a PIE in the presence of any single component failure, and:

1. All failures caused by that single failure;

2. All identifiable but non-detectable failures, including those in the non-tested components; and

3. All failures and spurious system actions that cause (or are caused by) the PIE.

Each safety group is able to perform the required safety functions under the worst permissible systems configuration, taking into account such considerations as maintenance, testing, inspection and repair, and equipment outage.

Analysis of all possible single failures, and all associated consequential failures, is conducted for each element of each safety group until all safety groups have been considered.

Unintended actions and failure of passive components are considered as two of the modes of failure of a safety group.

The single failure is assumed to occur prior to the PIE, or at any time during the mission time for which the safety group is required to function following the PIE.

Passive components may be exempt from this expectation.

Exemptions for passive components apply only to those components that are designed and manufactured to high standards of quality, that are adequately inspected and maintained in service, and that remain unaffected by the PIE. Design documentation includes analytical justification of such exemptions, taking loads and environmental conditions into account, as well as the total period of time after the PIE for which the functioning of the component is necessary.

Check valves are active components if they must change state following a PIE.

In the NRC regulations, single failure criterion is required to be applied at system level. Explicit requirements in 10 CFR Part 50 Appendix A include:

- Criterion 17 - Electric power systems.

- Criterion 21 - Protection system reliability and testability.

- Criterion 34 - Residual heat removal.

- Criterion 35 - Emergency core cooling.

- Criterion 38 - Containment heat removal.

- Criterion 41 - Containment atmosphere cleanup.

- Criterion 44 - Cooling water.

In RD-337, the single failure criterion is required to be applied at “safety group” level.

RD-337 explicitly requires application of SFC at system level in sections:

- 8.2.4 Removal of Residual Heat




Exceptions to the single failure criterion are infrequent, and clearly justified.

from Reactor Core

- 8.4 Means of Shutdown

- 8.9 Emergency Power Supply


1.B.5 Review of requirements for combustible gas control


§ 50.44 Combustible gas control for nuclear power reactors.

[…]

(c) Requirements for future water-cooled reactor applicants and licensees2. The requirements in this paragraph apply to all water-cooled reactor construction permits or operating licenses under this part, and to all water-cooled reactor design approvals, design certifications, combined licenses or manufacturing licenses under part 52 of this chapter, any of which are issued after October 16, 2003.

(1) Mixed atmosphere. All containments must have a capability for ensuring a mixed atmosphere during design-basis and significant beyond design-basis accidents.

(2) Combustible gas control. All containments must have an inerted atmosphere, or must limit hydrogen concentrations in containment during and following an accident that releases an equivalent amount of hydrogen as would be generated from a 100 percent fuel clad-coolant reaction, uniformly distributed, to less than 10 percent (by volume) and maintain containment structural integrity and appropriate accident mitigating features.

(3) Equipment Survivability. Containments that do not rely upon an inerted atmosphere to control combustible gases must be able to establish and maintain safe shutdown and containment structural integrity with systems and components capable of performing their functions during and after exposure to the environmental conditions created by the burning of hydrogen. Environmental conditions caused by local detonations of hydrogen must also be included, unless such detonations can be shown unlikely to occur. The amount of hydrogen to be considered must be equivalent to that generated from a fuel clad-coolant reaction involving 100 percent of the fuel cladding surrounding the active fuel region.

(4) Monitoring.

8.6 Containment


[…]


[…]

8.6.10 Control and Cleanup of the Containment Atmosphere

The design provides systems to control the release of fission products, hydrogen, oxygen, and other substances into the reactor containment as necessary, to:

1. Reduce the amount of fission products that might be released to the environment during an accident; and

2. Prevent deflagration or detonation that could jeopardize the integrity or leak tightness of the containment.

The requirements on combustible gas control set out in 10 CRR 50.44 are more comprehensive and more prescriptive than those in RD-337.

100% fuel clad-coolant reaction is required to be assumed in the safety analyses.


(i) Equipment must be provided for monitoring oxygen in containments that use an inerted atmosphere for combustible gas control. Equipment for monitoring oxygen must be functional, reliable, and capable of continuously measuring the concentration of oxygen in the containment atmosphere following a significant beyond design-basis accident for combustible gas control and accident management, including emergency planning.

(ii) Equipment must be provided for monitoring hydrogen in the containment. Equipment for monitoring hydrogen must be functional, reliable, and capable of continuously measuring the concentration of hydrogen in the containment atmosphere following a significant beyond design-basis accident for accident management, including emergency planning.

(5) Structural analysis. An applicant must perform an analysis that demonstrates containment structural integrity. This demonstration must use an analytical technique that is accepted by the NRC and include sufficient supporting justification to show that the technique describes the containment response to the structural loads involved. The analysis must address an accident that releases hydrogen generated from 100 percent fuel clad-coolant reaction accompanied by hydrogen burning. Systems necessary to ensure containment integrity must also be demonstrated to perform their function under these conditions.

(d) Requirements for future non water-cooled reactor applicants and licensees and certain water-cooled reactor applicants and licensees. The requirements in this paragraph apply to all construction permits and operating licenses under this part, and to all design approvals, design certifications, combined licenses, or manufacturing licenses under part 52 of this chapter, for non water-cooled reactors and water-cooled reactors that do not fall within the description in paragraph (c), footnote 1 of this section, any of which are issued after October 16, 2003. Applications subject to this paragraph must include:

(1) Information addressing whether accidents involving combustible gases are technically relevant for their design, and

(2) If accidents involving combustible gases are found to be technically relevant, information (including a design-specific


probabilistic risk assessment) demonstrating that the safety impacts of combustible gases during design-basis and significant beyond design-basis accidents have been addressed to ensure adequate protection of public health and safety and common defense and security. 2 The requirements of this paragraph apply only to water-cooled reactor designs with characteristics (e.g., type and quantity of cladding materials) such that the potential for production of combustible gases is comparable to light water reactor designs licensed as of October 16, 2003.

Documents

APPENDIX 1A, General Comparison of the Scope of US NRC 10 ... · Final Report, ENCO FR-(11)-26, Rev.1, Appendix 1A,B Page 2 US NRC 10 CFR PART 50--DOMESTIC LICENSING OF PRODUCTION