
AERB Code No.



Issued on December 23, 1989

Atomic Energy Regulatory Board

Vikram Sarabhai Bhavan,
Fourth Floor, North Wing,
Anushakti Nagar,
Bombay -400 094, INDIA.
Assurance of safety of public and occupational workers, and protection of the environment are important needs to be met in the pursuance of activities for economic and social progress. These activities include the establishment and utilization of nuclear facilities and use of radioactive sources, and they have to be carried out in accordance with relevant provisions in the Atomic Energy Act 1962 (33 of 62).

Since the inception of nuclear power development in the country, maintaining high safety standards has been of prime importance. Recognising this aspect of nuclear power development, Government of India constituted the Atomic Energy Regulatory Board (AERB) in November 1983 vide Standing Order No. 4772 notified in Gazette of India dated 31.12.1983. AERB has been entrusted with the responsibility of laying down safety standards and framing rules and regulations in respect of regulatory and safety functions envisaged under the Atomic Energy Act 1962. Under its programme of developing Codes and Safety Guides, AERB at present proposes to issue four codes of practice covering the following topics:

Safety in Nuclear Power Plant Siting

Safety in Nuclear Power Plant Design

Safety in Nuclear Power Plant Operation

Quality Assurance for Safety in Nuclear Power Plants

These codes would establish the objectives and minimum requirements that shall be fulfilled to provide adequate assurance for safety of Nuclear Power Plants in India.

The Safety Guides will be issued in due course to describe and make available methods of implementing specific parts of relevant Codes of Practice, as acceptable to AERB. Methods and solutions varying from those set out in the Guides may be acceptable if they provide at least comparable assurance that Nuclear Power Plants can be operated without undue risks to the health and safety of the general public and plant personnel.

The Codes and Safety Guides will be subject to revision as and when necessary in light of experience as well as the current state of the art in science and technology. When an appendix is included in a document it is considered to be an integral part of the document, whereas annexures, footnotes, lists of participants and bibliography, where included, are only to provide information that might be helpful to the user.

In preparation of the Codes and Guides, emphasis is on protection of site personnel and public from undue radiological hazard. However, for other aspects not covered in this Code, applicable and acceptable national and international Codes and standards shall be followed. Industrial safety shall be assured through good engineering practice.

This Code of Practice on Design for Safety in Pressurised Heavy Water based Nuclear Power Plants states the minimum requirements to be met during design of pressurised heavy water based nuclear power plants in India for assuring safety. It is intended for use by organizations and individuals responsible for safety related functions in Design. Consistent with accepted practice for codes and guides, “shall” and “should” are used to distinguish for the potential user between a firm requirement and a desirable option. The principles and objectives stated in this Code can be usefully applied to other nuclear facilities and to non-safety related activities of NPPs.

This Code of Practice does not address all requirements for ensuring physical security of the plant or consequences arising from breach of provisions of physical security. As details of requirements of this aspect are meant for restricted usage, they would be dealt with in other documents by the appropriate authority.

This Code of Practice has been prepared by the staff of AERB and other professionals taking into account the following statement of Dr. H. J. Bhabha outlining the principle of Radiation Safety: “Radioactive materials and sources of radiation should be handled in the Atomic Energy Establishment in a manner which not only ensures that no harm can come to the workers in the Establishment or anyone else, but also in an exemplary manner, so as to set a standard which other organisations in the country may be asked to emulate”. The draft prepared by the DAE Committee on Safety Codes and Guides and the relevant International Atomic Energy Agency (IAEA) documents under the NUSS Programme, especially the Code on Safety of Nuclear Power Plants: Design (50-C-D of IAEA), have been utilised extensively in the preparation. It has been reviewed by experts and amended by the Advisory Committee before issue. AERB wishes to thank all individuals and organizations who have contributed in the preparation, review and amendment of the Code. A list of persons who have participated in the Committee meetings and their organisations is included for information.

(A. K. DE)
Chairman, AERB
Page No.

0100 SCOPE (0101-0108) 1

General Principles (0301-0303) 9
Defence in depth (0304-0307) 9
Safety functions (0308-0311) 10
Design basis (0312) 11
Severe accidents (0313-0315) 11
Quality Requirements (0316-0319) 12
In-service Inspection, Testing, Maintenance, Monitoring (0320-0321) 13
System and component reliability (0322-0336) 16
Design for optimised operator performance (0337-0341) 16
Heat transfer to an ultimate heat sink (0342) 17
Inspection and testing (0343-0344) 18
Monitoring of radioactive release (0345) 18
Effects associated with equipment failure (0346) 18
Sharing of structures, systems and components (0347) 19
Escape routes and means of communication (0348-0350) 19
Control of access to plant (0351) 19
Protection against fire and explosions (0352-0353) 19
Materials (0354-0355) 20
Protection against Natural Phenomena (0356) 20
Protection against Man-Made Events (0357-0359) 21
Combination of events (0360-0361) 21
Environment (0362) 21
Systems storage capacity (0363) 22
Decommissioning (0364) 22

Core components (0402-0403) 23
Fuel Assemblies (0404-0407) 23
Nuclear Design and Core Control (0408-0414) 24
Reactor shutdown (0415-0420) 25

0500 REACTOR COOLANT SYSTEM (0501-0503) 27
General requirements (0504-0507) 27
In-service Inspection of Reactor Coolant Boundary (0508-0510) 28
Reactor Coolant Make up (0511) 28
Reactor Coolant Cleanup (0512) 28
Residual Heat Removal (0513-0516) 29
Emergency Core Cooling (0517-0518) 29
Testing and Inspection of Emergency Core Cooling System (0519) 29
Auxiliary Feed Water System (0520) 30
Fuelling system (0521-0523) 30

General requirements (0601-0603) 31
Periodic Testing and Maintenance (0604) 31
Instrument Power Supply Systems (0605) 31
Control Room (0606-0607) 32
Emergency Control Room (0608) 32

0700 PROTECTION SYSTEM (0701) 33
General requirements (0702-0703) 33
Protection System Reliability and Testability (0704-0705) 33
Separation of Protection and Control Systems (0706) 34

General Requirements (0801-0802) 35
Off-site Power System (0803) 35
Emergency Power Supply System (0804-0806) 35
Inspection and Emergency Power Supply Systems (0807) 36

Containment Design (0902-0904) 37
Containment Leakage (0905-0907) 38
Containment Penetration (0908-0909) 38
Containment Isolation (0910-0912) 38
Containment Air Locks (0913) 39
Pressure Suppression System (0914) 39
Containment Intra-Connections (0915-0917) 39
Containment Heat Removal (0918) 40
Containment Atmosphere Clean up (0919-0922) 40
Coverings and Coatings (0923) 41
Containment Testing and Inspection (0924) 41

General Requirements (1001-1002) 42
Design for Radiological Protection (1003-1008) 42
Radiation Monitoring (1009) 43
Radioactive Waste Treatment (1010-1012) 44
Control of Release of Liquid Radioactive Material to the Environment (1013) 44
Control of Airborne Radioactive Material (1014-1015) 45

Fresh Fuel Handling and Storage (1103) 46
Spent Irradiated Fuel Handling and Storage (1104) 46

Safety Analysis (1201-1203) 48
Probabilistic Safety Assessment (1204-1205) 48
Equipment Qualification (1206) 48




0100 SCOPE

0101 This Code of Practice describes design approaches and design requirements for structures, systems and components that shall be met for safe operation and in order to prevent or mitigate the consequences of Postulated Initiating Events (PIEs), which could jeopardise safety.

0102 PIEs include many factors, which singly or in combination may affect safety
and which may:

(1) be connected with the site of the plant and its environment;

(2) be caused by human action; and,

(3) originate in the operation of the Plant itself.

0103 Certain other events such as the following are not considered in this code:

(1) events that are extremely unlikely. However, some consideration is given to severe accidents (refer para. 0314 and 0315);

(2) events, either man-made or natural, which by themselves would lead to a general destruction of the region in which the Nuclear Power Plant has been erected and against which it cannot be protected; and,

(3) accidents of an industrial nature that, under no circumstances, could affect the safety of the Plant.

0104 This Code describes the requirements for safe design of the proposed NPP at the site selected and approved by the competent authority, in the context of safety of operating personnel, public, and environment around the site. These requirements call for consideration of site dependent characteristics including geography, geology, hydrology, meteorology, seismology, demography, patterns of land and water use, traffic routes and water ways.

0105 This Code also describes the requirements for safety from radiation and radioactivity released from within the NPP and received by the operating personnel, public and environment in the vicinity of the NPP during normal operation and under the PIEs considered credible.

0106 This Code of Practice does not deal with non-radiological effects of
plant on environment.

0107 In this Code references have been made to other Codes of Practice (for example, on Siting, Operation and Quality Assurance) and Safety Guides (which detail the underlying safety design principles, etc.).

0108 It should be recognized that the requirements given in this document will be
subject to revision in the light of experience.

0201 The following definitions apply to this Code and may not necessarily conform to
definitions adopted elsewhere for national or international use.

Acceptable Limits
Limits acceptable to the AERB for Accident Conditions.

Accident Conditions
Substantial deviations from Operational States, and which could lead to release of unacceptable quantities of radioactive materials if the relevant engineered safety features did not function as per design intent.¹

¹ A substantial deviation may be a major fuel failure, a Loss of Coolant Accident (LOCA), etc. Examples of engineered safety features are: an Emergency Core Cooling System (ECCS) and containment.

Active Component
A component whose functioning depends on an external input, such as actuation, mechanical movement, or supply of power, and which therefore influences system process in an active manner.²

² Examples of Active Components are pumps, fans, relays and transistors. It is emphasised that this definition is necessarily general in nature, as is the corresponding definition of Passive Components. Certain components, such as rupture discs, check valves, injectors and some solid state electronic devices, have characteristics which require special consideration before designation as an Active or Passive Component.

Anticipated Operational Occurrences
All operational processes deviating from Normal Operation which are expected to occur once or several times during the operating life of the plant and which, in view of appropriate design provisions, do not cause any significant damage to items important to safety nor lead to accident conditions.³

³ Examples of Anticipated Operational Occurrences are loss of normal electric power and faults such as turbine trip, malfunction of individual items of a normally running Plant, failure to function of individual items of Control equipment, and loss of power to the main coolant pump.

Atomic Energy Regulatory Board (AERB)
National authority designated by Government of India, assisted by technical and other advisory bodies, and having the legal authority for conducting the authorization process for issuing authorization and thereby regulating nuclear power plant Siting, Construction, Commissioning, Operation and Decommissioning or specific aspects

Channel
An arrangement of interconnected components within a system that initiate a single output. A channel loses its identity where single output signals are combined with signals from other channels, e.g. from a monitoring channel or a safety actuation

Commissioning
The process during which the Nuclear Power Plant, having been constructed, is made operational and verified to be in accordance with design assumptions and to have met the design criteria; it includes both non-nuclear and nuclear tests.

Common Cause Failure

The failure of a number of devices or components to perform their functions as
a result of a single specific event or cause.

Competent Authority
A national or state authority designated or otherwise recognized as such for a
specific purpose.

Control System
A system performing actions needed for causing Plant variables to be main-
tained within prescribed limits.

Decommissioning
The process by which a NPP is finally taken out of operation.

Design
The process and the results of developing the concept, detailed plans, supporting calculations and specifications for a Nuclear Power Plant.

Design Basis Accident
Accident conditions against which the NPP is designed according to established design criteria.

Diversity
The existence of redundant components or systems to perform an identified function, where such components collectively incorporate one or more different attributes.⁴

⁴ Examples of such attributes are: different operating conditions of use, different size of equipment, different manufacturers, different working principles and types of equipment that use different physical methods.

Electrical Separation
Means for preventing one electric circuit from influencing another through electrical phenomena.

Emergency Electric Power Supply (EEPS)
That portion of the Emergency Power Systems provided for the purpose of supplying electric power to a nuclear power plant’s safety systems during Operational States as well as during and following Accident Conditions.

Fuel Assembly
An assembly of fuel elements identified as a single unit (fuel bundle).

Independent Equipment
Equipment that is independent possesses either or both of the following:
(1) Its ability to operate when required is unaffected by the operation or failure of the other equipment.
(2) Its ability to operate when required is unaffected by the presence of the effects resulting from any postulated initiating event.

Items Important to Safety
The items which comprise:
(1) those structures, systems, and components whose malfunction or failure could lead to undue radiation exposure of the site personnel or members of the public;⁵
(2) those structures, systems and components which prevent Anticipated Operational Occurrences from leading to Accident Conditions;
(3) those features which are provided to mitigate the consequences of malfunction, or failure of structures, systems or components.

⁵ This includes successive barriers set up against the release of radioactivity from nuclear facilities.

Normal Operation
Operation of a Nuclear Power Plant within specified Operational Limits and Conditions including shutdown, power operation, shutting down, starting up, maintenance, testing and refuelling (see Operational States).

Nuclear Power Plant
A pressurized heavy water reactor or reactors together with all structures, systems and components necessary for Safety and for the production of power, i.e. heat or electricity.

Operational Limits and Conditions
A set of rules which set forth parameter limits, the functional capability and the performance level of equipment and personnel approved by AERB for safe operation of the nuclear power plant.

Operational States
The states defined under Normal Operation and Anticipated Operational Occurrences together.

Passive Component
A component which has no moving part, and, for example, only experiences a change in pressure, in temperature, or in fluid flow in performing its functions. In addition, certain components, which function with very high reliability based on irreversible action or change, may be assigned to this category.⁶

⁶ Examples of Passive Components are heat exchangers, pipes, vessels, electrical cables, and structures. It is emphasised that the definition is necessarily general in nature, as is the corresponding definition of Active Components. Certain components such as rupture discs, check valves, injectors and some solid state electronic devices have characteristics which require special consideration before designation as an Active or Passive Component.

Physical Separation
(1) Separation by geometry (distance, orientation, etc.), or
(2) Separation by appropriate barriers, or
(3) Separation by a combination thereof.

Postulated Initiating Events
Events that lead to Anticipated Operational Occurrences and Accident Conditions, their credible causal failure effects and their credible combinations.⁷

⁷ The primary cause of postulated initiating events may be credible equipment failures and operator errors (both within and external to the Nuclear Power Plant), Design Basis Natural Events and Design Basis External Man-Made Events. Specification of the postulated initiating events should be acceptable to the Regulatory Body.

Protection System
A system which encompasses all electrical and mechanical devices and circuitry, from sensors to actuation device input terminals, involved in generating those signals associated with the protective function.

Quality Assurance
Planned and systematic actions necessary to provide adequate confidence that an item or facility will perform satisfactorily in service.

Redundancy
Provision of more than the minimum number of (identical or diverse) elements or systems, so that the loss of any one does not result in the loss of the required function of the whole.

Region
A geographical area, surrounding and including the Site, sufficiently large to contain all the features related to a phenomenon or to the effects of a particular event.

Reliability
The probability that a device, system or facility will perform its intended function satisfactorily for a specified time under stated operating conditions.

Residual Heat
The sum of the heat originating from radioactive decay and shut down fission
and the heat stored in reactor related structures and in heat transport media.

Safety (Nuclear)
The achievement of proper operating conditions, prevention of accidents or
mitigation of accident consequences, resulting in protection of site personnel, the public
and the environment from undue radiation hazards.

Safety Function
A specific purpose that must be accomplished for safety.

Safety Group
The assembly of equipment designated to perform all actions required for a
Postulated Initiating Event to ensure that the limits specified in the design basis for the
event are not exceeded.

Safety Related Instrumentation and Control Systems

Those I & C Systems important to safety, but not included in safety systems or
systems important to safety.

Safety Systems
Systems important to Safety, provided to assure, in any condition, the safe shut
down of the reactor and the heat removal from the core and/or to limit the consequences
of Anticipated Operational Occurrences and Accident Conditions (see Anticipated Op-
erational Occurrences and Accident Conditions).

Safety System Support Features

The collection of equipment that provides services such as cooling, lubrication,
and energy supply required by the Protection system and the Safety Actuation

Severe Accidents
Nuclear Power Plant conditions beyond those of Design Basis Accident causing
significant core degradation.

Single Failure
A random failure which results in the loss of capability of a component to
perform its intended safety functions. Consequential failures resulting from a single
random occurrence are considered to be part of the single failure.

Site
The area containing the Plant, defined by a boundary and under effective control of the Plant Management.

Ultimate Heat Sink

The atmosphere or a body of water or the groundwater to any or all of which residual heat is transferred during Normal Operation, Anticipated Operational Occurrences or Accident Conditions.

General Principles

0301 The main objective of the detailed requirements given in the Code and the documents cited herein is to ensure that radiation exposure of the public and plant personnel is kept within appropriate prescribed limits under all operational states and within acceptable limits under all postulated accident conditions. The concept of as low as reasonably achievable (ALARA) should be applied.

With respect to accidents the objectives are to ensure that accidents are
generally prevented; to ensure that, for all event sequences taken into
account in the design of the plant, even those that have very low
probability, radiological consequences are small; and to ensure, by both
prevention and mitigation measures, that accidents with high
consequences are extremely unlikely.

0302 Interaction between NPP and environment, including for example, such
factors as population, flora and fauna, meteorology, hydrology, and
seismology shall be taken into account.

0303 Off-site services upon which safety of the plant and protection of the public may
depend shall be carefully planned and co-ordinated with public
authorities. This may include among others, supply of cooling water
for ultimate heat sink, fire fighting, means of communication and
transport, emergency preparedness etc.

Defence in depth

0304 The design process shall incorporate defence in depth such that multiple levels of protection are provided. Examples of these requirements are:

(1) The provision of multiple means for ensuring each of the basic safety functions, i.e. reactivity control, heat removal and the confinement of radioactivity;

(2) The use of reliable protective devices in addition to the inherent safety features;

(3) The supplementing of the control of the plant by automatic activation of safety systems and by operator actions;

(4) The provision of equipment and procedures to back up accident prevention measures, to control the course, and limit the consequences of accidents.

0305 Escape of radioactive material is restricted by providing successive physical barriers (fuel cladding, reactor coolant boundary and containment). Protection of these physical barriers against being breached is achieved by echelons of equipment, systems and procedures. Implementation of this concept of defence in depth is achieved by:

(1) Preventing deviation from normal operation as the first echelon,

(2) Detecting and intercepting deviations from normal operating conditions in order to prevent anticipated operational occurrences from escalating into accident conditions, as the second echelon,

(3) Providing additional equipment, systems and procedures to control consequences of unlikely accidents as the third echelon.

0306 Beyond the third echelon there are further contributions to the protection of the public and site personnel by specific complementary plant features which would be available to mitigate consequences of events beyond the design basis and by plans for emergency preparedness.

0307 As a general requirement, the existence of other levels of defence is not a sufficient basis for continued operation in the absence of one level of defence. All levels of defence shall be available at all times as specified for the various operational modes.

Safety Functions

0308 To achieve adequate safety it is essential to take safety into consideration as an inherent element of the overall design process. The purpose of the safety approach presented in this Code is to maintain the plant in a normal operating state, to ensure the proper short term response immediately following a PIE and to facilitate the management of the plant following accident conditions.

0309 To ensure safety the following general design requirements shall be met:

(1) Means shall be provided to safely shut down the reactor and
maintain it in the safe shutdown condition in operational states
and during and after accident conditions.
(2) Means shall be provided to remove residual heat from the core
after reactor shutdown, including accident conditions.

(3) Means shall be provided to reduce the potential for the release of
radioactive materials and to ensure that any releases are below
prescribed limits during operational states and below acceptable
limits during accident conditions.

0310 The consideration of safety functions is an approach for systematically meeting these general requirements. The safety functions shall include all functions that the plant systems must perform to ensure plant safety in operational states and during and following accident conditions.

0311 An overall requirement of the plant design is that its sensitivity to PIEs shall be reasonably low. The plant should be so designed as to bring it to one of the following stages following a PIE. The aim of design by defence in depth is to bring the plant to a stage as near to the top of the list as can reasonably be achieved.

(1) A PIE produces no significant safety related effect or only a change in the plant towards a safe condition by inherent characteristics.

(2) Following a PIE, the plant is rendered safe by the action of systems which are continuously operating in the state required to control the PIE.

(3) Following a PIE, the plant is rendered safe by the action of systems which need to be brought into service in response to the

Design basis

0312 The design basis shall specify the necessary capabilities of the plant to cope with a specified range of operational states and accident conditions within the defined radiation protection requirements. The design basis typically includes the specification for normal operation, conditions created by the PIEs, important assumptions and, in some cases, the particular methods of analysis.

Severe accidents

0313 The design basis for normal operation, anticipated operational occurrences and accident conditions shall provide a high degree of assurance that no significant damage will occur to the reactor core and that releases of radioactive materials will stay below prescribed limits for operational states and acceptable limits during accident conditions.

0314 Certain (unlikely) event sequences have the potential to cause significant core degradation. These event sequences are called severe accidents.

0315 From the safety point of view it is prudent to consider these accidents in at least a limited way. Considerations, however, are not expected to involve the rigorous application of the conservative engineering practice used in setting the design basis, but rather could be based upon realistic analysis. Based on operating experience, associated safety analysis and results from safety research, design activities should include the following:

(1) Important event sequences that lead to severe accidents should be identified for a given design.

(2) Consideration should be given to the existing plant capabilities, including the possible use of some systems beyond their originally intended function and design basis, and using some temporary system to return the plant to a controlled state and to mitigate the consequences of the severe accident.

(3) Potential design changes which could either reduce the likelihood of these events or would mitigate the consequences, should these events take place, should be evaluated. They should be implemented if an overall increase of safety can be achieved through a commensurate effort.

(4) Accident management procedures should be established, taking into account representative and dominant severe accidents.

Quality Requirements

0316 Structures, systems and components shall be designed and fabricated to the quality level commensurate with the importance of the safety functions to be performed (AERB/DSG-316.1). The applicable codes and standards for design, fabrication, inspection, erection, testing and in-service inspection of all these structures, systems and components should be identified.

0317 In the selection of equipment, consideration shall be given to both spurious operation and unsafe failure modes (e.g. failure to trip when required). Where failure of a system or component has to be expected and accommodated by the design, preference shall be given to equipment which exhibits a predictable mode of failure and facilitates repair or

0318 A comprehensive quality assurance programme during design, fabrication, erection and testing (as required by the Quality Assurance Code No. AERB/SC/QA) shall be implemented in order to provide adequate assurance that all structures, systems and components important to safety perform their intended safety functions throughout the life of the

0319 Necessary records of design, fabrication, inspection, erection, testing and maintenance of structures, systems and components shall be maintained throughout the life of the plant as per procedures outlined in the Quality Assurance Code at the Plant site by the Responsible

In-Service Inspection, Testing, Maintenance, Monitoring

0320 Structures, systems and components important to safety shall be designed and erected so that they can be tested, maintained, inspected and monitored for functional capability during the life of the plant, commensurate with applicable standards. The system layout shall include considerations like periodic inspection, testing and maintenance in the prevailing environment (keeping in view the principle of ALARA).

0321 If the structures, systems and components important to safety cannot be designed to be tested, inspected or monitored to the extent desirable, adequate safety precautions shall be taken to compensate for potential undiscovered failures.

System and Component reliability

Single Failure Criterion

0322 This section presents several design measures that may be used, if necessary in combination, to achieve and maintain the required reliability commensurate with the importance of the safety functions to be

0323 A single failure is a random failure which results in the loss of capability of a component to perform its intended safety function. Consequential failures resulting from a single random occurrence are considered to be part of the single failure.

0324 An assembly of equipment satisfies the single failure criterion if it is able to meet its purpose despite a single random credible failure assumed to occur anywhere in the assembly. Fluid and electric systems are considered to be designed against an assumed single failure if neither:

(1) a single failure of any active component, nor

(2) a single failure of a passive component

results in a loss of capability of the system to perform its safety function.

0325 All systems/components that are required to function following a postulated initiating event form a safety group. A single failure shall be assumed to occur in sequence at each element of the safety group until all credible failures have been analysed in the Group. The analysis of each safety group shall be conducted in sequence until all credible failures have been considered.

0326 In this document, safety functions (or systems contributing to those safety
functions), in which redundancy is necessary to achieve the required
high reliability, are identified by the statement “assuming a single
failure” .

0327 Generally, passive components have a very low probability of failure and may
not have to be taken into account. Single failures, including failures of
passive components, which need not be considered in the analysis are
given in document AERB/DSG-0327.1.

0328 The single failure criterion shall be applied to classes of equipment assemblies
as follows:

(1) To each safety group incorporated in the plant design.

(2) To each safety system where application of the single failure criterion
is identified in this document.

0329 Spurious action shall be considered as one mode of failure.

0330 Non-compliance with the single failure criterion may be justified for:

(1) very rare postulated initiating events, or

(2) very improbable consequences of postulated initiating events, or

(3) withdrawal from service for limited periods of certain components
for purposes of maintenance, repair or periodic testing (refer to
para 0336).

Redundancy and Diversity

0331 High reliability often requires, in addition to high quality, the use of redundancy
and, where appropriate, diversity of structures, systems and
components within the assembly of equipment used either to mitigate the
consequences of a postulated initiating event or to fulfil another
important safety function.

0332 The minimum required degree of redundancy shall be that which enables the
safety requirements to be met in each postulated initiating event
despite the assumed credible random failure of any one component
contributing to an important safety function which is needed to
mitigate the consequences of the postulated initiating event. This
requirement, and the goal of maintaining intact, to the extent
practicable, all the barriers against escape of radioactive material, shall
be reflected in the choice of number and capacity of redundant components.


0333 Reliability of systems can be improved by independence, which means using
functional isolation and physical separation. Functional isolation shall
be used to reduce adverse interaction between equipment and
components of redundant or connected systems resulting from normal/
abnormal operation or failure of any component in the system.

Physical separation, which can be achieved by suitable layout and barriers, shall
be used as far as practicable to ensure that independence is achieved,
particularly in relation to common cause failure, fire etc.

Services for Safety Systems

0334 Safety system support features are those used to provide essential services for safety
purposes, such as cooling water, lubrication, compressed air, hydraulic
fluid and electric supply. They shall have reliability,
redundancy, diversity, independence and provision of features for
isolation, and testing for functional capability, consistent with the require-
ments for the safety systems they supply (AERB/DSG-0316.1). If safety
system support features are shared amongst various systems, the
design shall provide for adequate redundancy to ensure uninterrupted
availability of the service to each safety system.

Common Cause Failure

0335 Common cause failures of safety systems/safety system support features shall be
identified and eliminated at the design stage by providing diversity,
physical separation, etc.
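As an added illustration of paragraphs 0322 to 0335 (this is example code, not part of the Code or of any AERB guide), the following Python script models a safety group as a set of components with support-service dependencies and a success rule, then applies the single failure criterion by assuming each credible failure in turn. All names used (pumps P1 and P2, valves V1 and V2, header HDR, buses BusA and BusB) and the success rule are constructed for the example and stand for no real plant.

```python
"""Single failure criterion check for a safety group (added illustration).

Hypothetical model, not taken from the Code: a safety group is a set of
components plus a success rule over the components still available.
A component may depend on a support service (a power bus, cooling water);
losing the service loses every component that depends on it, which is the
consequential failure counted as part of the single failure (para 0323).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    kind: str                       # "active" or "passive"
    supports: Tuple[str, ...] = ()  # support services this item needs (constructed names)


@dataclass
class SafetyGroup:
    name: str
    components: Dict[str, Component]
    # Success rule: given the set of available component names, can the
    # group still perform its safety function?
    success: Callable[[Set[str]], bool]


def available_after(group: SafetyGroup, failed: str) -> Set[str]:
    """Components still available once `failed` (a component name or a
    support service name) is lost, including consequential losses."""
    return {c.name for c in group.components.values()
            if c.name != failed and failed not in c.supports}


def credible_single_failures(group: SafetyGroup, include_passive: bool) -> List[str]:
    """Failures assumed one at a time: every active component, every support
    service, and passive components only if the analyst chooses to count
    them (para 0327 allows them to be left out). Spurious operation of an
    item, e.g. an isolation valve closing on its own (para 0329), is
    represented in this model as loss of that item."""
    items = [c.name for c in group.components.values()
             if c.kind == "active" or include_passive]
    services = sorted({s for c in group.components.values() for s in c.supports})
    return items + services


def single_failure_violations(group: SafetyGroup, include_passive: bool = False) -> List[str]:
    """Every single failure that defeats the safety function. An empty list
    means the group meets the single failure criterion under the stated
    assumptions (para 0324)."""
    violations: List[str] = []
    if not group.success(set(group.components)):
        violations.append("(no failure)")  # design fails even fully intact
    for item in credible_single_failures(group, include_passive):
        if not group.success(available_after(group, item)):
            violations.append(item)
    return violations


def _injection_success(avail: Set[str]) -> bool:
    # Constructed rule: one of two pumps and one of two injection valves,
    # both delivering through the common (passive) header HDR.
    return "HDR" in avail and bool({"P1", "P2"} & avail) and bool({"V1", "V2"} & avail)


def _make_group(name: str, p2_bus: str) -> SafetyGroup:
    comps = [
        Component("P1", "active", ("BusA",)),
        Component("P2", "active", (p2_bus,)),
        Component("V1", "active"),
        Component("V2", "active"),
        Component("HDR", "passive"),
    ]
    return SafetyGroup(name, {c.name: c for c in comps}, _injection_success)


# Constructed sample groups: redundant pumps on a shared bus versus on
# independent buses (paras 0333 to 0335).
SHARED_BUS = _make_group("both pumps on BusA", "BusA")
INDEPENDENT = _make_group("pumps on BusA and BusB", "BusB")

if __name__ == "__main__":
    for g in (SHARED_BUS, INDEPENDENT):
        print(g.name, "->", single_failure_violations(g) or "meets criterion")
    print("passive header counted ->",
          single_failure_violations(INDEPENDENT, include_passive=True))
```

In the first group the shared bus is a common cause across the two redundant pumps: loss of BusA is one single failure that removes both, so the group fails the criterion even though each pump alone can be lost. Feeding P2 from BusB restores independence and no single failure defeats the function. Counting the passive header as a credible failure shows why para 0327 matters: a single-train passive item will always appear as a violation unless its low failure probability justifies leaving it out of the analysis.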

Equipment Outages

0336 In designing a plant for reliable performance, equipment outages shall be taken
into account. The impact of anticipated maintenance, tests and repair
work on the reliability of each individual safety system shall be
included in this consideration. If the resultant reliability is such that the
system no longer meets the criteria used for design and operation, the
nuclear power plant shall be shut down or otherwise placed in a safe
state if the component temporarily out of service cannot be replaced or
restored within a specified time. This time and the actions to be taken
shall be defined for each case in advance, before the start of nuclear
power plant operation.

Design for optimized operator performance

0337 In the interest of safety, the working areas and working environment of the site
personnel shall be designed according to ergonomic principles.

0338 Systematic consideration of human factors and the man-machine interface shall
be included in the design process.

0339 In the control room the operator shall be provided with clear displays of those
parameters that indicate the current status of all equipment and systems
necessary to achieve the safety functions outlined in paras 0309 and
0310 of this Code in a coordinated manner.

0340 The operator needs information that permits him:

(1) To assess readily the general state of the plant, whichever
operational state, anticipated operational occurrence or accident
condition it is in, and to confirm that the designed automatic safety
actions are being carried out;

(2) To determine the appropriate operator-initiated action that should
be taken.

0341 The design shall aim to promote the success of operator actions in the light of
the time available, the expected physical environment, and
psychological pressure. The need for operator intervention on a short
time scale of less than 30 minutes following a PIE should be kept to a
minimum. The design should take into account that credit for such
operator intervention within 30 minutes of a PIE is only acceptable
where the designer can demonstrate that the operator has sufficient
time to decide and to act, that the necessary information on which the
operator must base a decision to act is simply and unambiguously
presented, and that the physical environment following the event is
acceptable in the control room. However, even in such cases the
design shall not take credit for operator action within the first 15 minutes
of a PIE.

Heat Transfer to an ultimate heat sink

General requirements

0342 System(s) to transfer residual heat from structures, systems and components
important to safety, to an ultimate heat sink shall be provided
(AERB/DSG-0342.1). The system’s safety function shall be to transfer
the combined heat load of the structures, systems and components
under normal operating, anticipated operational occurrence and accident
conditions at a rate such that specified fuel design limits and the
design conditions of the reactor coolant pressure boundary are not
exceeded. This function shall be carried out at very high levels of
reliability. All systems that contribute to the transport of heat, by
supplying fluids to the heat transport systems, by conveying heat or by
providing power, shall reflect in their design the importance of their
contribution to the overall heat transfer function. Suitable redundancy
in components and systems and suitable interconnections, leak detection
and isolation capabilities shall be provided to assure that the
system safety functions can be accomplished assuming a single failure.
Natural phenomena and man-made events as given in
paragraphs 0356, 0357, 0358 and 0359 shall be taken into account in
the design of systems and in the possible choice of diversity in the
ultimate heat sinks and in the storage systems from which heat transfer
fluids are supplied. Availability of the heat sink should be ensured under
the condition of non-availability of off-site and on-site power for an
extended period.

Inspection and Testing

0343 The system shall be designed to permit appropriate periodic inspection of
important components to assure the integrity and capability of the

0344 The system shall be designed to permit appropriate periodic pressure and
functional testing to assure:

(1) the structural and leak-tight integrity of its components,

(2) the operability and the performance of the active components of
the system, and

(3) the operability of the system as a whole and, under conditions as
close to design as practical, the performance of the full operational
sequence that brings the system into operation for reactor shutdown
and/or loss of coolant accidents, including operation of
applicable portions of the protection systems and the transfer
between normal and emergency power sources, including operation
under complete loss of power.

Monitoring of Radioactive Release

0345 Fluids released to the ultimate heat sink shall be monitored for radioactivity to
ensure permissible limits of radioactive release are not exceeded.

Effects Associated with Equipment Failure

0346 Structures, systems and components important to safety shall be designed to
accommodate the effects of, and to be compatible with, the
environmental conditions associated with operational states and
accident conditions (AERB/DSG-0346.1). To avoid secondary failures
that could increase the safety related consequences of the primary
event, these structures, systems and components shall be appropriately
located or protected against dynamic effects, including the effects of
missiles, pipe whipping and discharging fluids, and flooding that may
result from equipment failures (AERB/DSG-0346.1). If these conditions
are not fulfilled, other appropriate measures shall be incorporated
in the design.

Sharing of Structures, Systems and Components

0347 Structures, systems and components important to safety shall not normally be
shared between two or more reactors unless it can be shown that such
sharing does not impair their ability to perform their intended safety
functions. In the event of an accident in one reactor system, orderly
shutdown, cool down and residual heat removal of the remaining
reactors shall not be impaired. Also, in the long run it shall be possible to
operate the other reactor systems safely.

Escape Routes and Means of Communication

0348 The Plant shall have simple, clearly and durably marked, safe escape routes
with reliable and adequate emergency lighting and other building
services essential to the safe use of these routes. Escape routes shall
have adequate redundancy.

0349 Suitable alarm systems and means of communication (audio and/or visual) shall
be provided so that all persons present in the plant can be warned and
instructed even under accident conditions.

0350 Communications necessary for safety, both within the plant and to the outside,
shall be assured at all times. This requirement shall be taken into
account in the design and in the diversity (at least two independent
means) of the communication methods selected. Means for the safety
of plant personnel shall be provided taking into account conflicting
requirements from the point of view of industrial safety, radiation and
fire protection and security.

Control of Access to Plant

0351 The Plant shall be isolated from the surroundings by suitable layout of the
structural elements in such a way that access to it can be permanently
controlled. In particular, attention shall be paid in the design of the
buildings and site layout. Provision shall be made for supervisory
personnel and/or equipment to guard against unauthorised entry to and
exit from the plant of persons and goods. This control is required to
protect personnel from unnecessary exposures and for security of the

Protection Against Fire and Explosions

0352 Structures, systems and components important to safety shall be
designed and located to minimize, consistent with other safety requirements, the
probability and effect of fires and explosions caused by events in
addition to those described in paragraphs 0356, 0357, 0358 and 0359.
This objective shall be achieved by suitable incorporation of redundant
parts, diverse systems, physical separation, fire barriers and design for
fail-safe operation. Non-combustible or fire-retardant and heat resistant
materials shall be used wherever practicable throughout the Plant,
particularly in locations such as the containment, control room and all
safety related buildings. Fire detection and fire fighting systems of
appropriate capacity and capability shall be provided. Fire fighting
systems shall be designed and located to assure that their rupture or
spurious or inadvertent operation does not significantly impair the
capability of structures, systems and components important to safety.

0353 Requirements for the design of fire and explosion protection and fire-fighting systems
are given in AERB/DSG-0353.1.


0354 Selection of materials for structures, components, etc. shall be based on
considerations, among others, like the following, so as to ensure
satisfactory performance during operation and accident conditions:

(1) Irradiation damage

(2) Activation and corrosion

(3) Creep, fatigue

(4) Erosion

(5) Compatibility with other interacting materials

(6) Thermal effects

(7) Resistance to brittle fracture.

0355 Generally used materials along with their applicability, limitation etc. are given
in AERB/DSG-0355.1.

Protection Against Natural Phenomena

0356 Structures, systems and components necessary to assure the capability for
shutdown, residual heat removal and confinement of radioactive
material shall be designed to remain functional throughout the Plant
life in the event of natural phenomena such as earthquakes, cyclones
and floods. The design basis for these structures, systems and components
shall include:

(1) Consideration of the most serious of the natural phenomena or
other external events which, according to the state of the art in science
and technology, must be considered at the specific site,

(2) Consideration of the radiological effects of such events.

Design basis events for these structures, systems and components are as
described in the AERB Siting Code (AERB/SC/S).

Protection Against Man-Made Events

0357 Structures, systems and components necessary to assure the capability for
shutdown, residual heat removal and confinement of radioactive
material shall be designed to remain functional despite man-made
events that might occur due to activities at or near the site like dam
ruptures, mining operations and chemical operations etc. as identified
in AERB Siting Code (AERB/SC/S).

0358 If the likelihood of failure due to one of these events, taking into consideration
the future developments at or near the plant site can be inferred to be
extremely low, failure caused by that event need not be included in the
design basis for that Plant.

0359 To the extent possible, the design of the Plant shall include appropriate
provision against the possibility of sabotage.

Combination of Events

0360 The design basis for the structures, systems and components important to safety
shall reflect for each site:

(1) The combinations of man-induced events, natural phenomena,
equipment failures and operator errors which could credibly occur
simultaneously with significant probability, and

(2) The radiological consequences of such combinations of events.

0361 Initiating events, combinations thereof and operator errors are given in
document AERB/DSG-0361.1.


0362 Equipment design/selection shall take into consideration the effect of local
environment prevalent in normal and accident conditions, during
fabrication, transportation, storage, commissioning and operation.
Consideration shall be given to temperature, humidity, salinity, pollut-
ants, radioactivity, etc.

System Storage Capacities

0363 Storage capacities of systems, important to safety (for example, emergency core
cooling system, instrument process air supply system, emergency
power supply system, etc.) shall be adequate to tide over the
anticipated operational occurrences and accident conditions.


0364 At the design stage, special attention shall be paid to measures facilitating the
decommissioning of the plant. Attention should be directed to keep the
exposures of personnel and the public during decommissioning “as low
as reasonably achievable (ALARA)” and to ensure adequate protection
of the environment from radioactive contamination. A
decommissioning report should be prepared at the design stage itself.

0401 The reactor core components and the associated coolant, moderator, control and
protective systems shall be designed with appropriate margins to
assure that the specified acceptable design limits are not exceeded
during all operational states.

Core Components

0402 The reactor core components include:

Calandria and Endshield assembly

Coolant Channel Assemblies

Other internals like shut off rods, and control rod assemblies and associated

Fuel Assemblies

0403 The design of the reactor core, pressure tubes, calandria vessel and the reactor
internal structures shall account for the static and dynamic loading
expected in the operational states and accident conditions with due
regard to the effects of temperature, pressure, irradiation, ageing, creep,
corrosion, erosion, hydriding, vibrations and fatigue. Under postulated
accident conditions, adequate integrity of the reactor core
components shall be maintained to ensure:

(1) Safe shutdown of the reactor

(2) Coolable geometry and adequate core cooling such that fuel
design limits (AERB/DSG-0403.1) are not exceeded.

Fuel Assemblies

0404 The design of fuel assemblies shall be such that they will satisfactorily
withstand their intended exposure in the reactor core despite all
processes of deterioration that can occur.

0405 The design of fuel assemblies shall consider the coolant pressure, fission gas
pressure, swelling of fuel material, thermal expansion, pellet clad
interactions, power ramps, fuelling loads, dynamic loadings including
flow induced vibrations, load variations, pressure drop,
sub-channel flow distribution and irradiation damage. Design aspects and
operational limits for fuel assemblies are given in AERB/DSG-0403.1.

0406 Specified fuel design limits, including permissible fission product leakage, shall
not be exceeded in normal operation, and conditions that may be
transiently imposed during anticipated operational occurrences shall
cause no significant additional deterioration. Fission product leakage
should be kept to a practicable minimum. In accident conditions the
fuel shall remain in position and shall not suffer distortion to an extent
that would render post-accident core cooling insufficiently effective;
specified fuel element limits for accident conditions shall not be

0407 The design of fuel assemblies shall consider post irradiation handling and
storage including those damaged during usage or handling.

Nuclear Design and Core Control

0408 The core and its control shall be so designed that under no circumstances
does an uncontrolled increase of power occur. The control system worth and
the insertion rates shall be sufficient to override reactivity changes,
including internal dynamic reactivity coefficients, during all operational
states and accident conditions. The reactivity insertion rate shall be within
permissible limits (AERB/DSG-0408.1).

0409 The isotopic purity of the heavy water coolant shall be equal to or above the design
value, so that the positive void coefficient stays within its limits.

0410 The reactor core including the associated coolant, moderator, control and
protection system shall be designed to assure that power oscillations
and/or unstable core coolant flow which can result in conditions
exceeding specified acceptable fuel design limits (AERB/DSG-0403.1)
are not possible or can be readily and reliably detected and suppressed.

0411 The fuel design limits shall not be violated under any shape and level of
neutron flux that can exist in any state of the core, including those at
fresh start up, after shutdown, during and after refuelling, and those
arising from anticipated operational occurrences and accident conditions.

0412 The flux shapes shall be detected or inferred from measurements so as to ensure
that the fuel design limits are not violated in any region of the core.

0413 The design of the core and the fuel management scheme provided should
minimize the demands made on control system for maintaining flux
shapes and levels within stipulated limits in all operational states.

0414 The analytical methods used for calculating the reactivity coefficients, excess
reactivity and control element worth shall be verified in the
commissioning experiments at different power levels before the reac-
tor is operated at regular full power (AERB/DSG-040t1.1).

Reactor Shutdown

0415 The reactor shutdown system(s) shall be capable of making and holding the
core adequately subcritical in the event of any anticipated operational
occurrences and postulated accident conditions. The shutdown function
shall be ensured even for the most reactive situation of the core.

0416 The shutdown margin (AERB/DSG-0408.1), speed of action and the
effectiveness shall be such that fuel design limits (AERB/DSG-0403.1)
are not exceeded during anticipated operational occurrences. During
postulated accident conditions it shall be ensured that the core, along
with all internals, is not damaged to an extent that adequate core cooling
cannot be maintained.

0417 The reactor shutdown shall be performed by two diverse systems of different
design principles. Each of the systems shall be on its own capable of
quickly rendering the nuclear reactor sub-critical by an adequate
margin from operating and accident conditions. Each of these systems
shall also be capable of reliably overriding reactivity changes resulting
from refuelling, during shutdown, and withdrawal of any control
rod/shut-off rods for maintenance during shutdown, and withdrawal
sequence of the shut-off rods for startup with reactor in cold condition.
One shutdown system shall be, on its own, capable of rendering the
reactor sub-critical from normal operating conditions and of
maintaining the reactor sub-critical by an adequate margin in the most
reactive situation of the core including the capability of reliably
overriding reactivity changes resulting from xenon decay after

0418 Redundancy, diversity and independence shall be provided in the reactor
shutdown systems such that the unavailability of either of the systems is
extremely low. Adequate margins shall be given for failures
anywhere in the Plant as a result of which a fraction of the reactor
shutdown system could become inoperative (AERB/DSG-0408.1).
Each shutdown system shall perform its function assuming a single failure.

0419 Instrumentation and tests shall ensure that the shutdown systems are in the state
required. The design shall ensure that periodic in-service inspection,
calibration, functional testing and replacement are feasible.

0420 For the purpose of reactivity control and flux shaping during normal power
operation a portion of the shutdown means may be used if shutdown
capability is maintained at all times.

0501 The reactor coolant system includes the main coolant system, pressure control
system, residual heat removal system (shutdown cooling system),
emergency core cooling system and other associated systems.

0502 Fuelling machine and its associated control system shall also form part of
reactor coolant system during the period when it is connected to the
coolant channel.

0503 The components of the reactor coolant system include pressure tubes, end fittings,
seal plugs, feeders, headers, pumps, steam generators, heat exchangers,
pressuriser, accumulators, valves, connected piping and associated
component support structures.

General Requirements

0504 Components which are part of reactor coolant pressure boundary shall be
designed, fabricated, inspected, erected and tested to the quality
standards as given in Safety Guide (AERB/DSG-0504.1).

0505 The reactor coolant system and associated auxiliary, control and pressure relief
systems shall be designed so that the reactor coolant pressure boundary
withstands all static and dynamic loads during all operational states and
accident conditions (AERB/DSG-0504.1).

0506 The design shall reflect consideration of all conditions, with due allowance made for
deterioration that may occur in service, such as by corrosion, erosion,
fretting, creep (limited to pressure tubes), fatigue, chemical
environment and radiation environment (AERB/DSG-0504.1), and for any
uncertainties in determining the initial state of a component and the state of
possible deterioration. In the design of the pressure retaining boundary,
consideration shall be given to obtaining characteristics which
ensure slow propagation of any flaw (e.g. related to detectability of
flaws: leak before break). Designs and conditions in which components
of the reactor coolant pressure boundary, including coolant
channel assemblies, could exhibit brittle behaviour shall be avoided.

0507 The design of the components contained within the reactor coolant pressure
boundary, such as pump impellers and valve parts, shall be such as to
minimize the likelihood of failure and associated consequential
damage to other items of the primary coolant system important to
safety during all operational states and accident conditions, with due
allowance made for deterioration that may occur in service.

In-Service Inspection of Reactor Coolant Boundary

0508 The reactor coolant boundary components shall be designed, manufactured and
laid out in such a way that it is possible, throughout the service life of
the Plant, to carry out at appropriate intervals adequate inspections and
tests of the boundary wherever necessary (AERB/DSG-0504.1).

0509 Monitoring for soundness of the reactor coolant pressure boundary shall be
provided by detection of flaws, distortion, or any abnormal behaviour
or of excessive leakage.

0510 Where the safety analysis of the Plant indicates that particular failures in the
secondary system (AERB/DSG-0361.1) may result in serious
consequences, it shall be possible to inspect the relevant parts of the
secondary cooling system.

Reactor Coolant Makeup

0511 Provision shall be made to maintain the quantity or pressure of coolant to ensure
that specified design limits are not exceeded in any operational state,
taking into account volumetric changes and leakage. The systems
performing this function shall have adequate flow capacity (flow rate
and storage) to meet this requirement. They may be composed of
components needed for the processes of power generation or may be
specially provided for performing this function. The system shall be
designed assuming a single failure.

Reactor Coolant Cleanup

0512 An on-line system shall be provided to clean the reactor coolant of
corrosion products and radioactive substances, including fission
products leaking from the fuel, to minimize the crud and radioactivity
levels and keep them below their specified limits.

Residual Heat Removal

0513 A system for removing residual heat shall be provided. The system’s safety
function shall be to transfer fission product decay and other residual
heat (AERB/DSG-0513.1 ) from the reactor core at a rate such that
specified fuel limits and design conditions of the reactor coolant
pressure boundary are not exceeded.

0514 Adequate redundancy, diversity and design features such as suitable
interconnection, leak detection and isolation capability shall be provided to fulfil this
requirement with sufficient reliability, assuming a single failure.

0515 Main coolant system coast down characteristics coupled with suitable
layout of the system, to ensure cooling by thermosyphon, may be
considered as part of residual heat removal system.

0516 Residual heat removal system shall have provision for fast removal of
residual heat to override emergencies.

Emergency Core Cooling

0517 Adequate core cooling in the event of a loss of coolant accident (LOCA) due to
rupture anywhere in the reactor coolant system shall be provided by
incorporating high pressure injection and long term recirculation
systems to limit the escape of fission products from the core (AERB/
DSG-0517.1). This means that cooling shall be of such efficiency that:

(1) the cladding temperature will not exceed the acceptable design
value for accident conditions (AERB/DSG-0403.1),

(2) possible chemical reactions are limited to an allowable value,

(3) the fuel and internal structural alterations will not significantly
reduce the effectiveness of the means of emergency core cooling,

(4) cooling of the core shall be ensured for all times, in conjunction
with other systems if required.

0518 Suitable redundancy, diversity and design features such as interconnection,
leak detection and isolation capability shall be provided, with
sufficient reliability, assuming a single failure.

Testing and Inspection of Emergency Core Cooling System

0519 The emergency core cooling system shall be designed to permit
appropriate inspection and testing of important components (AERB/
DSG-0504.1) to ensure:

(1) the structural and leak-tight integrity of its components,

(2) the operability and performance of the active components of the
system during normal operation, as far as feasible, and

(3) the operability of the system as a whole under conditions as close
to design basis as practical, e.g., the performance of the full
operational sequences that bring the system into operation,
including operation of applicable portions of the protection system,
the transfer between normal and emergency power sources,
and the operation of the associated safety system support features.

Auxiliary Feed Water System

0520 An auxiliary feed water system of high reliability shall be provided to ensure
that process parameters of the reactor coolant system during specified
operational states and accident conditions are maintained within
stipulated limits.

Appropriate provision of steam discharge from steam generator shall be made.

The system shall be designed assuming a single failure.

Fuelling system

0521 During on-power refuelling, the fuelling machine is considered a part of the
reactor coolant system starting from coupling of the fuelling machine (to
the coolant channel) till its decoupling (from the coolant channel).

0522 Fuelling machine integrity requirements shall be consistent with the integrity of
the reactor coolant boundary. The probability of loss of coolant and/or
ejection of spent fuel should be minimized. In order to ensure the
integrity of the reactor coolant pressure boundary during fuelling
operations, means shall be provided to verify the leak tightness of the
system before removal and after installation of the seal plug.

0523 Since the movement of a fuelling machine connected to a fuel channel could lead
to breaching of the reactor coolant boundary, measures to prevent this from
occurring shall be employed. Design of the emergency core cooling system
and shutdown cooling system shall take cognisance of refuelling

General Requirements

0601 Instrumentation shall be provided to monitor variables and systems over their
ranges for normal operation, for anticipated operational occurrences
and for accident conditions, as appropriate, to assure adequate
information on plant status. Instrumentation shall be provided for
measuring all main variables that can affect the fission process, the
integrity of the reactor core, the reactor cooling systems and the
containment, and for obtaining any plant information required for the
reliable and safe operation of the plant. The instrumentation and
control system shall incorporate adequate redundancy and diversity to
achieve the required reliability. Recording of measurements important
to safety shall be provided (AERB/DSG-0601.1).

0602 Appropriate controls shall be provided to maintain these variables within
prescribed operating ranges.

0603 Instrumentation and recording equipment shall be provided to ensure
that essential information is available for following the course of
accident conditions and the status of essential equipment, and for
predicting, as far as is necessary for safety, the locations and quantities
of radioactive materials possibly escaping from their design locations.
The instrumentation provision, as far as practicable, should provide the
status of the plant during envisaged severe accident situations, which
may help accident management.

Periodic Testing and Maintenance

0604 Design and layout of instrumentation systems shall be such as to permit periodic
testing and preventive maintenance, keeping the resultant radiation
exposure ALARA, in order to detect and rectify faults and incipient
failures of instruments and their components.

Instrument Power Supply System

0605 Instrument power supplies, both pneumatic and electrical, shall be designed,
installed and tested to ensure adequate availability and reliability.

Control Room

0606 A control room shall be provided from where the Plant can be safely operated in
all its operational states, and from where it can be brought to and
maintained in the safe state after the onset of accident conditions and
such design basis events as are to be used in the design of the Control
room. The Control Room design and layout shall ensure adequate
protection of occupants from hazards which could jeopardise necessary
operator actions.

0607 Displays in the Control room shall provide the operator with adequate and
comprehensive information on the state and performance of the Plant.
The layout and design of the safety related instrumentation, in
particular, shall ensure prompt attention of the operator and provide
him with accurate, complete and timely information on the states of all
safety systems during all operational states and accident conditions.
Also, if any part of the safety systems has been temporarily rendered
inoperative for testing under administrative control, the bypass shall
be automatically displayed in the Control room.

Emergency Control Room

0608 An Emergency Control Room shall be provided in the Plant design, to provide
sufficient information and control equipment, so that during a loss of
ability to perform essential safety functions from the main control room,
the following operations can be carried out:

(1) Reactor can be placed and maintained in a shut down

(2) Residual heat can be removed;

(3) Essential plant variables can be monitored,

(AERB/DSG-0608.1).

The Emergency Control Room shall be physically and electrically
separated from the main control room. The emergency control room
will meet the design requirements of the control room.

0701 The protection system is provided to maintain safety in situations in which the
control systems do not maintain the plant variables within acceptable
values. The protection system, in conjunction with the safety actuation
systems and safety system support features, performs all safety tasks that
may become necessary.

General Requirements

0702 The protection system shall be designed to:

(1) initiate automatically the operation of appropriate systems, as
necessary, including the reactor shutdown system, to assure that
specified fuel and pressure boundary design limits are not exceeded
during anticipated operational occurrences (AERB/DSG-

(2) sense accident conditions (AERB/DSG-0361.1) and to initiate the
operation of systems required to mitigate the consequences of such

(3) be able to override unsafe actions of the regulating/control system.

0703 The design shall be such as to minimise the likelihood that operator actions
could defeat the effectiveness of the protection system.

Protection System Reliability and Testability

0704 Redundancy, diversity and independence shall be provided in the protection
system, in order to achieve reliability targets. It shall be ensured that:

(1) it performs its function assuming a single failure;

(2) removal of any component or channel does not result in loss of
required minimum redundancy or reliability;

(3) effects of natural phenomena and postulated accident conditions
on any channel do not result in loss of the protection system
function; and

(4) it is fail safe under all conditions including extreme

0705 The protection system shall be designed to provide for testing and calibrating
the channels and the devices used to derive the final output signal from
the various channel signals. The system shall be designed to permit
periodic testing of its functioning when the reactor is in operation.

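The single-failure, minimum-redundancy and fail-safe requirements of 0704, and the bypass display requirement of 0607, can be checked mechanically once a voting arrangement is fixed. The following Python model is an added illustration and is not part of this Code, nor a design the Code prescribes. It assumes three channels voted 2-out-of-3, de-energise-to-trip signals (a lost signal is counted as a trip demand), and at most one channel bypassed for testing at a time, with a bypass degrading the vote to 1-out-of-2 rather than 2-out-of-2; the channel names and the setpoint value 110.0 are constructed for the example.

```python
"""Added example: an m-out-of-n trip voter with fail-safe channel handling.

Assumptions (none of these are prescribed by the Code): three channels voted
2-out-of-3, de-energise-to-trip signals so that a lost signal reads as a trip
demand, and at most one channel bypassed for testing at a time, the bypass
lowering the vote to 1-out-of-2 rather than raising it to 2-out-of-2.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Channel:
    name: str
    reading: Optional[float]   # None = signal lost / channel de-energised
    bypassed: bool = False     # temporarily removed for testing under administrative control


@dataclass(frozen=True)
class VoteResult:
    trip: bool
    demanding: tuple           # channels demanding a trip
    bypassed: tuple            # channels bypassed; this is what the control room display shows
    required: int              # m actually applied after degrading for bypasses
    voted: int                 # n actually voted


def channel_demands_trip(ch: Channel, setpoint: float) -> bool:
    """Fail-safe channel evaluation: a lost signal is treated as a trip demand."""
    return ch.reading is None or ch.reading >= setpoint


def vote(channels: Sequence[Channel], setpoint: float,
         m: int = 2, max_bypassed: int = 1) -> VoteResult:
    """Vote the active channels m-out-of-n.

    Each bypassed channel lowers the required count by one (never below one), so
    taking a channel out for test can only make the system more likely to trip,
    never less. Bypassing more channels than permitted is refused outright: that
    would remove the minimum redundancy the design relies on (0704(2)).
    """
    bypassed = tuple(c.name for c in channels if c.bypassed)
    if len(bypassed) > max_bypassed:
        raise ValueError(f"{len(bypassed)} channels bypassed; at most {max_bypassed} permitted")
    active = [c for c in channels if not c.bypassed]
    required = max(1, m - len(bypassed))
    demanding = tuple(c.name for c in active if channel_demands_trip(c, setpoint))
    return VoteResult(trip=len(demanding) >= required, demanding=demanding,
                      bypassed=bypassed, required=required, voted=len(active))


def survives_single_failure(n: int, setpoint: float, m: int = 2) -> bool:
    """0704(1) by enumeration: with a genuine demand on every healthy channel, no
    single channel failure (stuck low or signal lost) may prevent the trip."""
    demand = setpoint + 1.0
    for failed in range(n):
        for failure_reading in (0.0, None):        # stuck low (fail-unsafe) or de-energised
            chans = [Channel(f"ch{i}", failure_reading if i == failed else demand)
                     for i in range(n)]
            if not vote(chans, setpoint, m).trip:
                return False
    return True


def rejects_single_spurious(n: int, setpoint: float, m: int = 2) -> bool:
    """Availability check: one channel reading spuriously high on a healthy plant
    must not, on its own, trip the reactor (no channel bypassed)."""
    healthy = setpoint - 1.0
    for spurious in range(n):
        chans = [Channel(f"ch{i}", setpoint + 1.0 if i == spurious else healthy)
                 for i in range(n)]
        if vote(chans, setpoint, m).trip:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: a 2-out-of-3 trip at a hypothetical setpoint of 110.0,
    # one channel healthy, one above the setpoint, one failed low.
    SETPOINT = 110.0
    sample = [Channel("ch0", 104.0), Channel("ch1", 112.0), Channel("ch2", 0.0)]
    print(vote(sample, SETPOINT))
    print("single failure tolerated:", survives_single_failure(3, SETPOINT))
    print("single spurious rejected:", rejects_single_spurious(3, SETPOINT))
```

The two check functions enumerate, rather than argue about, the properties 0704 asks for: survives_single_failure fails one channel stuck low or de-energised while every other channel sees a genuine demand, and rejects_single_spurious confirms that a single channel reading high on a healthy plant does not by itself trip the reactor. Running them with m=3 or m=1 shows why a 3-out-of-3 vote fails the single-failure test and a 1-out-of-3 vote fails the spurious-trip test. The VoteResult.bypassed field is the value a control room display would be driven from, so that a channel under test is never silently out of the vote.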
Separation of Protection and Control Systems

0706 Interference of the protection system and the control system shall be prevented
by avoiding interconnections or by suitable functional isolation. If
signals are used in common by both the protection system and any
control system, appropriate separation (e.g. by adequate decoupling)
shall be ensured and it shall be demonstrated that all stipulated safety
requirements of this Code are met.

General Requirements

0801 The electric power system shall comprise off-site supplies and on-site supplies,
including the emergency power supply system (AERB/DSG-0801.1). These systems
shall be designed, installed, tested, operated and maintained to permit
functioning of structures, systems and components important to safety
during normal operation, anticipated operational occurrences and
accident conditions (AERB/DSG-0361.1).

0802 Functional adequacy of both the off-site and on-site systems shall be
assured by providing adequate capacity, redundancy, independence and
testability.

Off-site Power System

0803 Electric power from the transmission network to the on-site electric distribution
system shall be supplied by two physically independent circuits
designed and located so as to minimise the probability of their
simultaneous failure during normal operation and under accident
conditions. Switchyard common to both circuits is acceptable. Each
of these circuits shall be designed to be available on a long term basis
following a loss of Plant generation and loss of the other circuit, to
ensure continued availability of off-site power.

Emergency Power Supply System

0804 After some PIEs, various systems and components important to safety will
require emergency power. The emergency power supply shall be able
to supply the necessary power during any PIE assuming the
coincident loss of off-site power. The emergency power supply system
shall have sufficient redundancy, independence (including physical
separation between independent systems) and testability to perform
its safety functions with high reliability, assuming a single failure.

0805 Various means of supplying emergency power are available, e.g., water, steam
or gas turbines, diesel engines and batteries. Power may be supplied
directly to the driven equipment or through an emergency electrical

0806 The emergency electrical loads shall be identified; the safety functions to be
performed and the type of electric power for each safety load shall be
identified (AERB/DSG-0801.1).

Inspection and Emergency Power Supply Systems

0807 The system shall be designed with a provision to test periodically:

(1) the operability and functional performance of the components of
the on-site power systems;

(2) operability of the system as a whole and the full operational
sequence that brings the system into operation.

0901 A containment system shall be provided to enclose completely the reactor
coolant system and other radioactive fluid containing systems, to keep
the release of radioactivity to the environment within acceptable
limits in normal operation and accident conditions. Exempted from this
requirement are steam generator tubes and systems with low
pressure (such as the purification system, spent fuel storage bay and waste
storage). The containment system includes:

(1) the containment structures and appurtenances,

(2) equipment required to isolate the containment envelope and
assure its integrity following an accident,

(3) equipment required to reduce the pressure or free radioactive
material within the containment envelope,

(4) equipment required to limit the release of radioactive material
from containment following an accident.

Containment Design

0902 The containment structure, including access openings, penetrations
and isolation valves, shall be designed with sufficient margins, based
on the internal pressures and temperatures and dynamic effects such as
missiles (internal) and reaction forces resulting from the accident
conditions (AERB/DSG-0902.1). The effects of other potential energy
sources, such as energy in steam generators and energy from possible
chemical and radiolytic reactions, shall also be considered. Due
consideration shall be given to protection against natural phenomena
and man-made events.

0903 The design pressure of the containment shall not be less than the peak
pressure, as calculated by accepted methods (AERB/DSG-0902.1).
The design temperature of a region of the containment shall be its
maximum space average temperature occurring in the course of the
accident. In addition, the local transient temperatures and pressures in
certain internal pockets must be accounted for.

0904 The layout and surface conditions of the containment should be so designed
that sufficient testing, and repair if necessary, can be conducted at
any time during the life of the Plant. In case of double containment,
the secondary containment should completely envelop the primary
containment. The annular space between the primary and secondary
containment envelopes shall be provided with a purging arrangement to
maintain a negative pressure in the space.

Containment Leakage

0905 The reactor containment system shall be designed such that the prescribed
maximum leakage rate is not exceeded during accident conditions
throughout the service life of the Plant (AERB/DSG- 0902.1). The
design leakage rate shall be kept to a minimum in keeping with the
ALARA principle.

0906 The containment structures and other equipment and components
relevant to the leak tightness of the systems shall be designed and
constructed in such a way that the leak rate can be tested at the design
pressure after all penetrations are installed.

0907 The radioactive liquids accumulated in the reactor containment building
following a loss of coolant accident shall not leak to the environment by
seepage, etc.

Containment penetration

0908 All penetrations through the containment shall meet the same design
requirements as the containment structure itself. They shall be
protected against reaction forces arising from pipe movement or
accident loads such as missiles, jet forces, pipe whip, etc.

0909 If resilient seals, expansion bellows or isolation valves are used with
penetrations, they should be designed to have local leak testing
capabilities, independent of the overall rate determination of the contain-

Containment Isolation

0910 Each line that penetrates the containment and is directly connected to the
containment atmosphere or to the reactor coolant system shall be
automatically and reliably sealable in the accident conditions (AERB/
DSG-0361.1) in which the leak tightness of the containment is essential
to prevent the release of radioactivity to the environment above
acceptable limits. These lines should, therefore, in general be fitted
with at least two containment isolation valves consistent with the
containment design. Isolation valves shall be located as close to the
containment boundary as is practical. Containment isolation shall be
accomplished assuming a single failure.

0911 If the application of this criterion reduces the reliability of a safety system (such
as ECCS) that penetrates containment, redundancy shall be provided in
such systems. Containment isolation should not jeopardise functioning
of safety systems.

0912 Each line that penetrates the primary reactor containment and is neither part of
the reactor coolant pressure boundary nor connected directly to the
containment atmosphere shall have at least one adequate containment
isolation valve. This valve shall be outside the containment and
located as close to the containment as is practical (AERB/DSG-0902.1).

Containment Air Locks

0913 Personnel and equipment access to the containment shall be through air locks
equipped with doors that are interlocked to ensure that containment
integrity is not violated during reactor operation and under accident
conditions, considering single failure criterion.

0914 The pressure suppression system shall have adequate capacity and capability to
condense under accident conditions all steam passing from volume V1
to volume V2. (Volumes V1 and V2 refer to those parts of the
containment which are upstream and downstream respectively of the
pressure suppression pool.) During its passage the steam and air mixture
shall have sufficient contact with water in the suppression pool to
dissolve soluble radioactive releases. Vent shafts shall be suitably
located in volume V1 to equalise pressure in building compartments.
Vent shafts shall be designed to withstand dynamic loading due to flow
of fluids (AERB/DSG-0914.1). The interface between volumes V1
and V2 shall have pressure sealing such that the prescribed equivalent
leakage path area is not exceeded.

Containment Intra-Connections

0915 The design shall provide ample flow routes between separate compartments
inside the containment designed to act as one single interconnected
volume during accident conditions. The cross sections of openings
between compartments shall be sized to ensure that the pressure
differentials during accident conditions do not result in damage to the
pressure bearing structure or to other systems of importance in limiting
the effects of accident conditions.

0916 In case, during normal operational states, these openings are necessary to be
sealed, the sealing arrangement shall be designed to blow open under
accident conditions so that the pressure equalization proceeds as

0917 The openable hatches, doors, etc. provided between the sealed safety related
volumes shall be designed and operated to maintain adequate leak

Containment Heat Removal

0918 Capability to remove heat from the reactor containment during an accident
shall be ensured. In the event of an accident this system must be
capable of ensuring a sufficiently rapid reduction in temperature and
pressure in the containment. This system shall have adequate
reliability, diversity and redundancy to ensure that safety function can
be accomplished, assuming a single failure.

Containment Atmosphere Clean up

0919 Systems to control fission products, hydrogen, oxygen and other substances
which may be released into the reactor containment shall be provided
as necessary:

(1) to reduce the amount of fission products which might be released
to the environment during accident conditions;

(2) to control the concentration of hydrogen or oxygen and other
substances in the containment atmosphere during accident conditions,
to prevent explosion or deflagration which could jeopardise
containment integrity.

0920 The containment atmosphere cleanup systems shall have suitable redundancy in
components and features, to ensure that their safety functions can be
accomplished, assuming a single failure.

0921 Filter facilities intended for accident conditions should be separately located.
They should not be in continuous use during normal operation.

0922 The design of the plant shall be such that following an accident, it is possible to
isolate all sources of compressed air and other non-condensable gases
leading into the containment atmosphere, other than those required for
the operation of necessary equipment.

Coverings and Coatings

0923 The coverings and coatings for components and structures within the
containment system shall be selected, and their methods of application
shall be specified, to ensure fulfillment of their safety function under
all states of operation and accident conditions and to minimize interference
with other safety functions in the event of deterioration.

Containment Testing and Inspection

0924 The containment and associated systems shall be designed to permit appropriate
inspection and testing to ensure:

(1) the structural integrity and leak tightness during pneumatic
pressure tests at design conditions before commissioning,

(2) leak tightness during the operational phase; this testing can be
done at a reduced pressure. The acceptable leak rate at this
reduced pressure shall be established during commissioning,

(3) functionally correct and reliable actuation of the isolation valves
and dampers and their leak tightness during the operational

(4) functional and reliable performance of other features (for example,
building coolers) for which credit has been taken in
calculating the containment pressure rise during postulated accident
conditions.

General Requirements

1001 Radiological protection is directed to avoiding unnecessary radiation exposures and
to keeping unavoidable exposures as low as reasonably achievable. This
objective shall be accomplished in the design by:

(1) appropriate layout and shielding of structures, systems and
components containing radioactive materials,

(2) attention to the design of the Plant and equipment so as to reduce
the time and number of site personnel exposed to radiation or

(3) minimising leakage from systems having heavy water and associated
cover gas,

(4) the provision for collection and segregation of radioactive materials
in an appropriate form and condition, either for their disposal
on the site or for their removal from the site,

(5) arrangements to control and minimize the quantity and concentration
of radioactive materials spread within the Plant or released to the

1002 Full account shall be taken of the build-up of radiation levels with time in areas
of personnel occupancy and the generation of radioactive materials as
wastes (AERB/DSG-1002.1).

Design for Radiological Protection

1003 The Plant shall be designed to limit radiation exposures, both within and
outside the Plant to prescribed limits for the operational states and
acceptable levels for accident conditions.

1004 Suitable provisions shall be made in the design and layout of the Plant to
minimize exposure and contamination from all sources of radioactivity.
Such provisions will include shielding of radiation sources,
means of monitoring, control of access to the Plant, and suitable
decontamination facilities.

1005 The shielding design shall be such that radiation levels in operating areas do not
exceed the prescribed limits, and it shall facilitate maintenance so as to
reduce radiation exposure of maintenance personnel.

1006 The Plant arrangements shall provide for control of access into radiation and
contamination areas and shall also minimize contamination from the
movement of radioactive materials and personnel within the Plant. The
Plant arrangements should also provide for efficient operation,
inspection, maintenance and replacement of components, as
necessary, to minimise radiation exposure.

1007 Provision shall be made for appropriate decontamination facilities, for both
personnel and equipment, and for handling any radioactive waste
arising from decontamination activities.

1008 Areas requiring personnel occupation (during maintenance or inservice inspection,
for example) shall be easily accessible (with mobile shielding, if
required), and shall have adequate control of atmosphere and/or
provisions for fresh air supply, etc.

Radiation Monitoring

1009 Equipment shall be provided to ensure adequate radiation protection
surveillance in operational states, accident conditions and, as practicable,
during severe accidents. The following shall be provided:

(1) Stationary dose rate meters for monitoring the local radiation dose
rate at places routinely occupied by operating personnel and
where the changes in radiation level during normal operation or
anticipated operational occurrences may be such that access
should be limited during certain periods of time. Furthermore,
stationary dose rate meters shall be installed to indicate the
general radiation level at appropriate locations in case of accident
conditions. These instruments shall give sufficient information in
the control room and/or at the appropriate control positions so that
Plant personnel can initiate corrective action if required.

(2) Monitors for measuring the activity of radioactive substances in
the atmosphere in those areas routinely occupied by personnel and
where the levels of airborne radioactivity may, on occasions, be
expected to require protective measures. This system shall
indicate in the control room, or other appropriate locations, when
a high concentration of radionuclides is detected.

(3) Stationary equipment and laboratory facilities for determining the
concentration of selected radionuclides in fluid systems as appropriate
and in gas and liquid samples taken from Plant systems or
the environment, during all operational states and accident condi-

(4) Stationary equipment for continuous monitoring of the effluents
discharged to the environment.

(5) Devices for measuring radioactive surface contamination.

(6) Facilities for measuring dose and contamination of personnel.

(7) Means to measure important meteorological parameters.

(8) Provisions for continuous monitoring of the environment should
be made to determine the radiological impact, if any, in the
vicinity of the plant under anticipated operational occurrences and
normal conditions. Special instrumentation shall also be provided
for monitoring accident conditions.

Radioactive Waste Treatment

1010 Adequate systems shall be provided to treat the radioactive liquid and gaseous
effluents in order to keep the quantity and the concentration of
radioactive discharges within prescribed limits. In addition, the ALARA
principle should be applied.

1011 Adequate systems shall be provided for the handling of radioactive solid or
concentrated wastes and for storing them for a reasonable period of
time, on the site. Transportation of solid wastes from the site shall be
accomplished according to the decisions of the AERB.

1012 Provisions shall be made for processing the liquid effluents that may be
generated during accident conditions.

Control of Release of Liquid Radioactive Material to the Environment

1013 The Plant shall have suitable means to process the liquid effluents, to control the
release of liquid radioactive materials to the environment and to
maintain the discharges within prescribed limits (ALARA).

Control of Airborne Radioactive Material

1014 A ventilation system with appropriate clean-up shall be provided to:

(1) prevent unacceptable dispersion of airborne radioactive substances
within the Plant,

(2) reduce the concentration of airborne radioactive substances to
levels compatible with access requirements of the particular area,

(3) keep atmospheric radiological conditions in the Plant within
prescribed limits during normal operation, and acceptable levels
during accident conditions,

(4) ventilate rooms containing inert or noxious gases without impairing
the ability to control radioactive releases,

(5) keep the release of airborne radioactive substances to the environment
within the prescribed limits during normal operation and
acceptable levels during accident conditions,

(6) ensure flow of air from low activity zones to high activity zones,

(7) maintain the reactor containment building under negative pressure.

1015 Filter systems shall be sufficiently reliable and so designed that, under the
expected prevailing conditions, the necessary retention factors are
achieved. Filter systems shall be designed such that their efficiency
can be periodically tested during normal operation of the Plant.

1101 The fuel handling and storage system includes equipment, structures and tools for
fuel transfer and fuel storage.

1102 Fuel handling and storage systems shall be designed to assure adequate safety
under normal and accident conditions (AERB/DSG-1102.1).

Fresh Fuel Handling and Storage

1103 The unirradiated fuel handling and storage systems shall be designed:

(1) with a capability to permit appropriate periodic inspection and
testing of components important to safety,

(2) to minimize the probability of loss or damage to the fuel,

(3) to provide for identification of fuel bundles,

(4) to prevent criticality.

Spent Irradiated Fuel Handling and Storage

1104 The spent fuel handling and storage systems shall be designed:

(1) with adequate heat removal capability under all operational
states and accident conditions,

(2) with a capability to permit appropriate periodic inspection and
testing of components important to safety (AERB/DSG-1104.1),

(3) with adequate shielding for radiation protection under all handling
and storage conditions during operational states and accident
conditions,

(4) with appropriate systems to detect conditions that may result in
loss of heat removal capability and excessive radiation levels
and to initiate appropriate safety action (particular mention may
be made of monitoring and control of water level in the fuel
storage pool and leak detection),

(5) to prevent dropping of fuel during transit,

(6) to ensure that a fuel bundle does not get stuck in fuel transfer tunnels,

(7) to prevent unacceptable handling stresses during transit,

(8) to prevent the inadvertent dropping of heavy objects like a cask or
crane on the fuel,

(9) with a capability to inspect, identify and store suspected and
damaged fuel elements,

(10) with provision for controlling the clarity, chemistry and radioactivity
of the water in which the irradiated fuel is handled, inspected
or stored,

(11) to prevent criticality,

(12) with a capacity to accommodate one full core fuel discharge
under all conditions.

Safety Analysis

1201 A safety analysis of the plant design shall be performed to establish and confirm
in an iterative process the design basis for the items important to safety
and to ensure that the overall plant design is capable of meeting the
prescribed and acceptable limits for radiation doses and releases set by

1202 The scope of safety analysis for a nuclear plant includes:

(1) Demonstration that operational limits and conditions are satisfied
for the normal operation of the plant,

(2) Characterisation of the PIEs that are appropriate for the Plant
design and its location,

(3) Analysis and evaluation of event sequences which result from

(4) Comparison of the results of the analysis with radiological acceptance
criteria and design limits,

(5) Establishment and confirmation of the design basis,

(6) Demonstration that the management of anticipated operational
occurrences and accident conditions is possible by automatic safety
system response in combination with prescribed operator actions.

1203 The applicability of the analysis methods shall be verified. The safety analysis
of the plant design shall be updated in the light of significant changes
of plant configuration and operating experience.

Probabilistic Safety Assessment

1204 In addition to the establishment of the design basis from the process as
described above, a probabilistic safety assessment should be carried out
for identified PIEs in order:

(1) to ensure that any design basis accident is not on a threshold of
sudden escalation of the consequences of PIEs,

(2) to identify features that could reduce the probability of severe
accidents or mitigate their consequences,

(3) to ensure that adequate emergency procedures have been provided,
and

(4) to ensure that engineered safety features of the plant can cater to
the PIEs so as to meet the safety requirements.

1205 Such a probabilistic safety assessment may be a formal requirement of the
regulatory body.

Equipment Qualification

1206 A qualification procedure shall confirm that the equipment is capable of
meeting, throughout its operational life, the requirements for
performing intended safety functions under all operational states,
accident conditions and anticipated environmental conditions (e.g.
vibration, temperature, pressure, jet impingement, radiation, humidity,
etc.) existing at the time of need.

* * * * *

Advisory Committee on Codes and Guides for Design Safety in NPP

Constituted by AERB

Dates of meeting : December 19, 1985, January 13, 1986,
February 21, 1986, November 26, 1986, April 16, 1987, April 23, 1987,
June 8, 1987, June 15, 1987, November 18, 1987, February 1, 1988,
August 16, 24 and 29,

Members and alternates participating in the meetings :

Shri S. K. Chatterjee (Chairman) .... N.P.C.

Shri S. Damodaran .... T.C.E.
Shri V. K. Mehra .... B.A.R.C.
Shri M. M. Manna .... N.P.C.
Shri V. K. Seth .... N.P.C.
Shri R. K. Patil .... B.A.R.C.
(Late) Shri A. K. Ray .... B.A.R.C.
Shri M. Das .... N.P.C.
Shri A. K. Asrani .... A.E.R.B.
Shri S. P. Singh (Member-Secretary) .... A.E.R.B.
Kum. Usha R. Unnithan .... A.E.R.B.

Advisory Committee on Nuclear Safety Constituted by AERB

Dates of the meeting : May 2 and 3, 1989,

November 16, 1989.

Members participating in the meeting:

Shri P. N. Arumugham (Chairman) .... Consultant

(could not attend)
Shri S. K. Chatterjee (Chairman) .... N. P. C.
Shri S. K. Guha .... Ex-Joint Director, CWPRS
Shri S. K. Mehta .... B.A.R.C
Shri R. B. Bambhani .... Larsen & Toubro
(could not attend)
Shri K. C. Vaishya .... B.H.E.L.
Shri D. K. Dave .... A.E.R.B.
Shri S. P. Singh (Member-Secretary) .... A.E.R.B.
Smt. M. Subramanian (Co-opted) .... A.E.R.B.

Safety Series No      Provisional Title                                      Year of Publication

AERB/DSG-0316.1       List of safety functions (following a PIE) -
                      classification of components, structures and
                      systems including boundaries (safety level).

AERB/DSG-0327.1       Exceptions from single failure criterion.

AERB/DSG-0342.1       Ultimate heat sink and directly associated
                      heat transport systems for nuclear power

AERB/DSG-0346.1       Environmental and missile design basis.

AERB/DSG-0353.1       Protection against fires and explosions.

AERB/DSG-0354.1       Applicable materials.

AERB/DSG-0361.1       Initiating events and combination thereof
                      including man induced events for safety

AERB/DSG-0403.1       Fuel design limits.

AERB/DSG-0408.1       Core reactivity control.

AERB/DSG-0504.1       Design basis for reactor coolant system.

AERB/DSG-0513.1       Residual heat load calculations.

AERB/DSG-0517.1       Acceptable analytical and experimental
                      methods for calculation of blowdown rates
                      and heat transfer characteristics of reactor
                      coolant system during and after loss of
                      coolant accidents.

AERB/DSG-0517.2       Metal-water reaction during accidents (rates,
                      permissible levels) / (other criteria for ECCS
                      may be included).

AERB/DSG-0601.1       Set point selection criteria.

AERB/DSG-0608.1       Emergency Control room.

AERB/DSG-0702.1       Protection system.

AERB/DSG-0801.1       Electrical power supply systems.

AERB/DSG-0902.1       Containment design.

AERB/DSG-0914.1       Design basis for vapour suppression system.

AERB/DSG-0918.1       Containment clean up and heat removal.

AERB/DSG-1002.1       Radiological protection.

AERB/DSG-1010.1       Radioactive waste treatment.

AERB/DSG-1014.1       Control of release of liquid radioactive
                      materials to the environment.

AERB/DSG-1100.1       Design basis for fuel handling and storage systems.

AERB/DSG-1104.1       Testing and inservice inspection of spent fuel handling
                      and storage system.