You are on page 1of 91

INTERNATIONAL ATOMIC ENERGY AGENCY

VIENNA
ISBN 978–92 –0–121510–9
ISSN 1020–525X
“Governments, regulatory bodies and operators everywhere must
ensure that nuclear material and radiation sources are used
beneficially, safely and ethically. The IAEA safety standards are
designed to facilitate this, and I encourage all Member States to
make use of them.”
Yukiya Amano
Director General
Safety through international standards
IAEA Safety Standards
Safety of
Nuclear Power Plants:
Design
for protecting people and the environment
No. SSR-2/1
Specific Safety Requirements
I
A
E
A

S
a
f
e
t
y

S
t
a
n
d
a
r
d
s

S
e
r
i
e
s

N
o
.

S
S
R
-
2
/
1
11-42121_P1534_cover.indd 1 2012-02-14 16:55:30
IAEA SAFETY STANDARDS AND RELATED PUBLICATIONS
IAEA SAFETY STANDARDS
Under the terms of Article III of its Statute, the IAEA is authorized to establish or adopt
standards of safety for protection of health and minimization of danger to life and property, and
to provide for the application of these standards.
The publications by means of which the IAEA establishes standards are issued in the
IAEA Safety Standards Series. This series covers nuclear safety, radiation safety, transport
safety and waste safety. The publication categories in the series are Safety Fundamentals,
Safety Requirements and Safety Guides.
Information on the IAEA’s safety standards programme is available at the IAEA Internet
site
http://www-ns.iaea.org/standards/
The site provides the texts in English of published and draft safety standards. The texts
of safety standards issued in Arabic, Chinese, French, Russian and Spanish, the IAEA Safety
Glossary and a status report for safety standards under development are also available. For
further information, please contact the IAEA at PO Box 100, 1400 Vienna, Austria.
All users of IAEA safety standards are invited to inform the IAEA of experience in their
use (e.g. as a basis for national regulations, for safety reviews and for training courses) for the
purpose of ensuring that they continue to meet users’ needs. Information may be provided via
the IAEA Internet site or by post, as above, or by email to Official.Mail@iaea.org.
RELATED PUBLICATIONS
The IAEA provides for the application of the standards and, under the terms of Articles III
and VIII.C of its Statute, makes available and fosters the exchange of information relating
to peaceful nuclear activities and serves as an intermediary among its Member States for this
purpose.
Reports on safety and protection in nuclear activities are issued as Safety Reports,
which provide practical examples and detailed methods that can be used in support of the
safety standards.
Other safety related IAEA publications are issued as Radiological Assessment
Reports, the International Nuclear Safety Group’s INSAG Reports, Technical Reports and
TECDOCs. The IAEA also issues reports on radiological accidents, training manuals and
practical manuals, and other special safety related publications.
Security related publications are issued in the IAEA Nuclear Security Series.
The IAEA Nuclear Energy Series comprises informational publications to encourage
and assist research on, and the development and practical application of, nuclear energy for
peaceful purposes. It includes reports and guides on the status of and advances in technology,
and on experience, good practices and practical examples in the areas of nuclear power, the
nuclear fuel cycle, radioactive waste management and decommissioning.
11-42121_P1534_cover.indd 2 2012-02-14 16:55:31
SAFETY OF
NUCLEAR POWER PLANTS:
DESIGN
The following States are Members of the International Atomic Energy Agency:
The Agency’s Statute was approved on 23 October 1956 by the Conference on the Statute of the
IAEA held at United Nations Headquarters, New York; it entered into force on 29 July 1957. The
Headquarters of the Agency are situated in Vienna. Its principal objective is “to accelerate and enlarge the
contribution of atomic energy to peace, health and prosperity throughout the world’’.
AFGHANISTAN
ALBANIA
ALGERIA
ANGOLA
ARGENTINA
ARMENIA
AUSTRALIA
AUSTRIA
AZERBAIJAN
BAHRAIN
BANGLADESH
BELARUS
BELGIUM
BELIZE
BENIN
BOLIVIA
BOSNIA AND HERZEGOVINA
BOTSWANA
BRAZIL
BULGARIA
BURKINA FASO
BURUNDI
CAMBODIA
CAMEROON
CANADA
CENTRAL AFRICAN 
REPUBLIC
CHAD
CHILE
CHINA
COLOMBIA
CONGO
COSTA RICA
CÔTE D’IVOIRE
CROATIA
CUBA
CYPRUS
CZECH REPUBLIC
DEMOCRATIC REPUBLIC 
OF THE CONGO
DENMARK
DOMINICAN REPUBLIC
ECUADOR
EGYPT
EL SALVADOR
ERITREA
ESTONIA
ETHIOPIA
FINLAND
FRANCE
GABON
GEORGIA
GERMANY
GHANA
GREECE
GUATEMALA
HAITI
HOLY SEE
HONDURAS
HUNGARY
ICELAND
INDIA
INDONESIA
IRAN, ISLAMIC REPUBLIC OF
IRAQ
IRELAND
ISRAEL
ITALY
JAMAICA
JAPAN
JORDAN
KAZAKHSTAN
KENYA
KOREA, REPUBLIC OF
KUWAIT
KYRGYZSTAN
LAO PEOPLE’S DEMOCRATIC
REPUBLIC
LATVIA
LEBANON
LESOTHO
LIBERIA
LIBYA
LIECHTENSTEIN
LITHUANIA
LUXEMBOURG
MADAGASCAR
MALAWI
MALAYSIA
MALI
MALTA
MARSHALL ISLANDS
MAURITANIA
MAURITIUS
MEXICO
MONACO
MONGOLIA
MONTENEGRO
MOROCCO
MOZAMBIQUE
MYANMAR
NAMIBIA
NEPAL
NETHERLANDS
NEW ZEALAND
NICARAGUA
NIGER
NIGERIA
NORWAY
OMAN
PAKISTAN
PALAU
PANAMA
PARAGUAY
PERU
PHILIPPINES
POLAND
PORTUGAL
QATAR
REPUBLIC OF MOLDOVA
ROMANIA
RUSSIAN FEDERATION
SAUDI ARABIA
SENEGAL
SERBIA
SEYCHELLES
SIERRA LEONE
SINGAPORE
SLOVAKIA
SLOVENIA
SOUTH AFRICA
SPAIN
SRI LANKA
SUDAN
SWEDEN
SWITZERLAND
SYRIAN ARAB REPUBLIC
TAJIKISTAN
THAILAND
THE FORMER YUGOSLAV 
REPUBLIC OF MACEDONIA
TUNISIA
TURKEY
UGANDA
UKRAINE
UNITED ARAB EMIRATES
UNITED KINGDOM OF 
GREAT BRITAIN AND 
NORTHERN IRELAND
UNITED REPUBLIC 
OF TANZANIA
UNITED STATES OF AMERICA
URUGUAY
UZBEKISTAN
VENEZUELA
VIETNAM
YEMEN
ZAMBIA
ZIMBABWE
SAFETY OF
NUCLEAR POWER PLANTS:
DESIGN
SPECIFIC SAFETY REQUIREMENTS
This publication includes a CD-ROM containing the IAEA Safety Glossary:
2007 Edition (2007) and the Fundamental Safety Principles (2006),
each in Arabic, Chinese, English, French, Russian and Spanish versions.
The CD-ROM is also available for purchase separately.
See: http://www-pub.iaea.org/MTCD/publications/publications.asp
INTERNATIONAL ATOMIC ENERGY AGENCY
VIENNA, 2012
IAEA SAFETY STANDARDS SERIES No. SSR-2/1
IAEA Library Cataloguing in Publication Data
Safety of nuclear power plants : design : specific safety requirements. — Vienna :
International Atomic Energy Agency, 2012.
p. ; 24 cm. — (IAEA safety standards series, ISSN 1020–525X ;
no. SSR-2/1)
STI/PUB/1534
ISBN 978–92–0–121510–9
Includes bibliographical references.
1. Nuclear power plants — Design and construction — Safety measures.
2. Nuclear power plants — Management. 3. Nuclear power plants — Safety
regulations. I. International Atomic Energy Agency. II. Series.
IAEAL 12–00719
COPYRIGHT NOTICE
All IAEA scientific and technical publications are protected by the terms of
the Universal Copyright Convention as adopted in 1952 (Berne) and as revised in
1972 (Paris). The copyright has since been extended by the World Intellectual
Property Organization (Geneva) to include electronic and virtual intellectual
property. Permission to use whole or parts of texts contained in IAEA
publications in printed or electronic form must be obtained and is usually subject
to royalty agreements. Proposals for non-commercial reproductions and
translations are welcomed and considered on a case-by-case basis. Enquiries
should be addressed to the IAEA Publishing Section at:
Marketing and Sales Unit, Publishing Section
International Atomic Energy Agency
Vienna International Centre
PO Box 100
1400 Vienna, Austria
fax: +43 1 2600 29302
tel.: +43 1 2600 22417
email: sales.publications@iaea.org
http://www.iaea.org/books
© IAEA, 2012
Printed by the IAEA in Austria
January 2012
STI/PUB/1534
FOREWORD
by Yukiya Amano
Director General
The IAEA’s Statute authorizes the Agency to “establish or adopt…
standards of safety for protection of health and minimization of danger to life and
property” — standards that the IAEA must use in its own operations, and which
States can apply by means of their regulatory provisions for nuclear and radiation
safety. The IAEA does this in consultation with the competent organs of the
United Nations and with the specialized agencies concerned. A comprehensive
set of high quality standards under regular review is a key element of a stable and
sustainable global safety regime, as is the IAEA’s assistance in their application.
The IAEA commenced its safety standards programme in 1958. The
emphasis placed on quality, fitness for purpose and continuous improvement has
led to the widespread use of the IAEA standards throughout the world. The Safety
Standards Series now includes unified Fundamental Safety Principles, which
represent an international consensus on what must constitute a high level of
protection and safety. With the strong support of the Commission on Safety
Standards, the IAEA is working to promote the global acceptance and use of its
standards.
Standards are only effective if they are properly applied in practice. The
IAEA’s safety services encompass design, siting and engineering safety,
operational safety, radiation safety, safe transport of radioactive material and safe
management of radioactive waste, as well as governmental organization,
regulatory matters and safety culture in organizations. These safety services assist
Member States in the application of the standards and enable valuable experience
and insights to be shared.
Regulating safety is a national responsibility, and many States have decided
to adopt the IAEA’s standards for use in their national regulations. For parties to
the various international safety conventions, IAEA standards provide a
consistent, reliable means of ensuring the effective fulfilment of obligations
under the conventions. The standards are also applied by regulatory bodies and
operators around the world to enhance safety in nuclear power generation and in
nuclear applications in medicine, industry, agriculture and research.
Safety is not an end in itself but a prerequisite for the purpose of the
protection of people in all States and of the environment — now and in the future.
The risks associated with ionizing radiation must be assessed and controlled
without unduly limiting the contribution of nuclear energy to equitable and
sustainable development. Governments, regulatory bodies and operators
everywhere must ensure that nuclear material and radiation sources are used
beneficially, safely and ethically. The IAEA safety standards are designed to
facilitate this, and I encourage all Member States to make use of them.
NOTE BY THE SECRETARIAT
The IAEA safety standards reflect an international consensus on what
constitutes a high level of safety for protecting people and the environment from
harmful effects of ionizing radiation. The process of developing, reviewing and
establishing the IAEA standards involves the IAEA Secretariat and all Member
States, many of which are represented on the four IAEA safety standards
committees and the IAEA Commission on Safety Standards.
The IAEA standards, as a key element of the global safety regime, are kept
under regular review by the Secretariat, the safety standards committees and the
Commission on Safety Standards. The Secretariat gathers information on
experience in the application of the IAEA standards and information gained from
the follow-up of events for the purpose of ensuring that the standards continue to
meet users’ needs. The present publication reflects feedback and experience
accumulated until 2010 and it has been subject to the rigorous review process for
standards.
Lessons that may be learned from studying the accident at the Fukushima
Daiichi nuclear power plant in Japan following the disastrous earthquake and
tsunami of 11 March 2011 will be reflected in this IAEA safety standard as
revised and issued in the future.
THE IAEA SAFETY STANDARDS
BACKGROUND
Radioactivity is a natural phenomenon and natural sources of radiation are
features of the environment. Radiation and radioactive substances have many
beneficial applications, ranging from power generation to uses in medicine, industry
and agriculture. The radiation risks to workers and the public and to the environment
that may arise from these applications have to be assessed and, if necessary,
controlled.
Activities such as the medical uses of radiation, the operation of nuclear
installations, the production, transport and use of radioactive material, and the
management of radioactive waste must therefore be subject to standards of safety.
Regulating safety is a national responsibility. However, radiation risks may
transcend national borders, and international cooperation serves to promote and
enhance safety globally by exchanging experience and by improving capabilities to
control hazards, to prevent accidents, to respond to emergencies and to mitigate any
harmful consequences.
States have an obligation of diligence and duty of care, and are expected to
fulfil their national and international undertakings and obligations.
International safety standards provide support for States in meeting their
obligations under general principles of international law, such as those relating to
environmental protection. International safety standards also promote and assure
confidence in safety and facilitate international commerce and trade.
A global nuclear safety regime is in place and is being continuously improved.
IAEA safety standards, which support the implementation of binding international
instruments and national safety infrastructures, are a cornerstone of this global
regime. The IAEA safety standards constitute a useful tool for contracting parties to
assess their performance under these international conventions.
THE IAEA SAFETY STANDARDS
The status of the IAEA safety standards derives from the IAEA’s Statute, which
authorizes the IAEA to establish or adopt, in consultation and, where appropriate, in
collaboration with the competent organs of the United Nations and with the
specialized agencies concerned, standards of safety for protection of health and
minimization of danger to life and property, and to provide for their application.
With a view to ensuring the protection of people and the environment from
harmful effects of ionizing radiation, the IAEA safety standards establish
fundamental safety principles, requirements and measures to control the radiation
exposure of people and the release of radioactive material to the environment, to
restrict the likelihood of events that might lead to a loss of control over a nuclear
reactor core, nuclear chain reaction, radioactive source or any other source of
radiation, and to mitigate the consequences of such events if they were to occur. The
standards apply to facilities and activities that give rise to radiation risks, including
nuclear installations, the use of radiation and radioactive sources, the transport of
radioactive material and the management of radioactive waste.
Safety measures and security measures
1
have in common the aim of protecting
human life and health and the environment. Safety measures and security measures
must be designed and implemented in an integrated manner so that security measures
do not compromise safety and safety measures do not compromise security.
The IAEA safety standards reflect an international consensus on what
constitutes a high level of safety for protecting people and the environment from
harmful effects of ionizing radiation. They are issued in the IAEA Safety Standards
Series, which has three categories (see Fig. 1).
Safety Fundamentals
Safety Fundamentals present the fundamental safety objective and principles of
protection and safety, and provide the basis for the safety requirements.
Safety Requirements
An integrated and consistent set of Safety Requirements establishes the
requirements that must be met to ensure the protection of people and the environment,
both now and in the future. The requirements are governed by the objective and
principles of the Safety Fundamentals. If the requirements are not met, measures must
be taken to reach or restore the required level of safety. The format and style of the
requirements facilitate their use for the establishment, in a harmonized manner, of a
national regulatory framework. Requirements, including numbered ‘overarching’
requirements, are expressed as ‘shall’ statements. Many requirements are not
addressed to a specific party, the implication being that the appropriate parties are
responsible for fulfilling them.
Safety Guides
Safety Guides provide recommendations and guidance on how to comply with
the safety requirements, indicating an international consensus that it is necessary to
take the measures recommended (or equivalent alternative measures). The Safety
1
See also publications issued in the IAEA Nuclear Security Series.
Guides present international good practices, and increasingly they reflect best
practices, to help users striving to achieve high levels of safety. The recommendations
provided in Safety Guides are expressed as ‘should’ statements.
APPLICATION OF THE IAEA SAFETY STANDARDS
The principal users of safety standards in IAEA Member States are regulatory
bodies and other relevant national authorities. The IAEA safety standards are also
used by co-sponsoring organizations and by many organizations that design,
construct and operate nuclear facilities, as well as organizations involved in the use of
radiation and radioactive sources.
The IAEA safety standards are applicable, as relevant, throughout the entire
lifetime of all facilities and activities — existing and new — utilized for peaceful
purposes and to protective actions to reduce existing radiation risks. They can be used
by States as a reference for their national regulations in respect of facilities and
activities.
Part 1. Governmental, Legal and
Regulatory Framework for Safety
Part 2. Leadership and Management
for Safety
Part 3. Radiation Protection and
Safety of Radiation Sources
Part 4. Safety Assessment for
Facilities and Activities
Part 5. Predisposal Management
of Radioactive Waste
Part 6. Decommissioning and
Termination of Activities
Part 7. Emergency Preparedness
and Response
1. Site Evaluation for
Nuclear Installations
2. Safety of Nuclear Power Plants
2/1 Design
2/2 Commissioning and Operation
3. Safety of Research Reactors
4. Safety of Nuclear Fuel
Cycle Facilities
5. Safety of Radioactive Waste
Disposal Facilities
6. Safe Transport of
Radioactive Material
General Safety Requirements Specific Safety Requirements
Safety Fundamentals
Fundamental Safety Principles
Collection of Safety Guides
FIG. 1. The long term structure of the IAEA Safety Standards Series.
The IAEA’s Statute makes the safety standards binding on the IAEA in relation
to its own operations and also on States in relation to IAEA assisted operations.
The IAEA safety standards also form the basis for the IAEA’s safety review
services, and they are used by the IAEA in support of competence building, including
the development of educational curricula and training courses.
International conventions contain requirements similar to those in the IAEA
safety standards and make them binding on contracting parties. The IAEA safety
standards, supplemented by international conventions, industry standards and
detailed national requirements, establish a consistent basis for protecting people and
the environment. There will also be some special aspects of safety that need to be
assessed at the national level. For example, many of the IAEA safety standards, in
particular those addressing aspects of safety in planning or design, are intended to
apply primarily to new facilities and activities. The requirements established in the
IAEA safety standards might not be fully met at some existing facilities that were
built to earlier standards. The way in which IAEA safety standards are to be applied
to such facilities is a decision for individual States.
The scientific considerations underlying the IAEA safety standards provide an
objective basis for decisions concerning safety; however, decision makers must also
make informed judgements and must determine how best to balance the benefits of an
action or an activity against the associated radiation risks and any other detrimental
impacts to which it gives rise.
DEVELOPMENT PROCESS FOR THE IAEA SAFETY STANDARDS
The preparation and review of the safety standards involves the IAEA
Secretariat and four safety standards committees, for nuclear safety (NUSSC),
radiation safety (RASSC), the safety of radioactive waste (WASSC) and the safe
transport of radioactive material (TRANSSC), and a Commission on Safety
Standards (CSS) which oversees the IAEA safety standards programme (see Fig. 2).
All IAEA Member States may nominate experts for the safety standards
committees and may provide comments on draft standards. The membership of the
Commission on Safety Standards is appointed by the Director General and includes
senior governmental officials having responsibility for establishing national
standards.
A management system has been established for the processes of planning,
developing, reviewing, revising and establishing the IAEA safety standards.
It articulates the mandate of the IAEA, the vision for the future application of the
safety standards, policies and strategies, and corresponding functions and
responsibilities.
INTERACTION WITH OTHER INTERNATIONAL ORGANIZATIONS
The findings of the United Nations Scientific Committee on the Effects of
Atomic Radiation (UNSCEAR) and the recommendations of international expert
bodies, notably the International Commission on Radiological Protection (ICRP), are
taken into account in developing the IAEA safety standards. Some safety standards
are developed in cooperation with other bodies in the United Nations system or other
specialized agencies, including the Food and Agriculture Organization of the United
Nations, the United Nations Environment Programme, the International Labour
Organization, the OECD Nuclear Energy Agency, the Pan American Health
Organization and the World Health Organization.
Secretariat and
consultants:
drafting of new or revision
of existing safety standard
Draft
Endorsement
by the CSS
Final draft
Review by
safety standards
committee(s)
Member States
Comments
Draft
Outline and work plan
prepared by the Secretariat;
review by the safety standards
committees and the CSS
FIG. 2. The process for developing a new safety standard or revising an existing standard.
INTERPRETATION OF THE TEXT
Safety related terms are to be understood as defined in the IAEA Safety
Glossary (see http://www-ns.iaea.org/standards/safety-glossary.htm). Otherwise,
words are used with the spellings and meanings assigned to them in the latest edition
of The Concise Oxford Dictionary. For Safety Guides, the English version of the text
is the authoritative version.
The background and context of each standard in the IAEA Safety Standards
Series and its objective, scope and structure are explained in Section 1, Introduction,
of each publication.
Material for which there is no appropriate place in the body text (e.g. material
that is subsidiary to or separate from the body text, is included in support of
statements in the body text, or describes methods of calculation, procedures or limits
and conditions) may be presented in appendices or annexes.
An appendix, if included, is considered to form an integral part of the safety
standard. Material in an appendix has the same status as the body text, and the IAEA
assumes authorship of it. Annexes and footnotes to the main text, if included, are used
to provide practical examples or additional information or explanation. Annexes and
footnotes are not integral parts of the main text. Annex material published by the
IAEA is not necessarily issued under its authorship; material under other authorship
may be presented in annexes to the safety standards. Extraneous material presented in
annexes is excerpted and adapted as necessary to be generally useful.
CONTENTS
1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Background (1.1–1.3). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Objective (1.4–1.5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Scope (1.6–1.8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Structure (1.9) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. APPLYING THE SAFETY PRINCIPLES AND CONCEPTS
(2.1–2.5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Radiation protection (2.6–2.7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Safety in design (2.8–2.11) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
The concept of defence in depth (2.12–2.14). . . . . . . . . . . . . . . . . . . . 6
Maintaining the integrity of design of the plant throughout
the lifetime of the plant (2.15–2.18). . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3. MANAGEMENT OF SAFETY IN DESIGN . . . . . . . . . . . . . . . . . . . 10
Requirement 1: Responsibilities in the management of safety
in plant design (3.1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Requirement 2: Management system for plant design (3.2–3.4) . . . . . . 10
Requirement 3: Safety of the plant design throughout the lifetime
of the plant (3.5–3.6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4. PRINCIPAL TECHNICAL REQUIREMENTS . . . . . . . . . . . . . . . . . 12
Requirement 4: Fundamental safety functions (4.1–4.2) . . . . . . . . . . . . 12
Requirement 5: Radiation protection (4.3–4.4) . . . . . . . . . . . . . . . . . . . . 12
Requirement 6: Design for a nuclear power plant (4.5–4.8) . . . . . . . . . . 13
Requirement 7: Application of defence in depth (4.9–4.13). . . . . . . . . . 14
Requirement 8: Interfaces of safety with security and safeguards . . . . 15
Requirement 9: Proven engineering practices (4.14–4.16) . . . . . . . . . . . 15
Requirement 10: Safety assessment (4.17–4.18). . . . . . . . . . . . . . . . . . . 16
Requirement 11: Provision for construction (4.19) . . . . . . . . . . . . . . . . . 17
Requirement 12: Features to facilitate radioactive waste management
and decommissioning (4.20) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
5. GENERAL PLANT DESIGN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Design basis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Requirement 13: Categories of plant states (5.1–5.2) . . . . . . . . . . . . . . . 17
Requirement 14: Design basis for items important to safety (5.3) . . . . . 18
Requirement 15: Design limits (5.4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Requirement 16: Postulated initiating events (5.5–5.15) . . . . . . . . . . . . 18
Requirement 17: Internal and external hazards (5.16–5.22) . . . . . . . . . . 20
Requirement 18: Engineering design rules (5.23) . . . . . . . . . . . . . . . . . . 22
Requirement 19: Design basis accidents (5.24–5.26) . . . . . . . . . . . . . . . 22
Requirement 20: Design extension conditions (5.27–5.32) . . . . . . . . . . 23
Requirement 21: Physical separation and independence
of safety systems (5.33) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Requirement 22: Safety classification (5.34–5.36) . . . . . . . . . . . . . . . . . 25
Requirement 23: Reliability of items important to safety
(5.37–5.38) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Requirement 24: Common cause failures . . . . . . . . . . . . . . . . . . . . . . . . 26
Requirement 25: Single failure criterion (5.39–5.40) . . . . . . . . . . . . . . . 26
Requirement 26: Fail-safe design (5.41) . . . . . . . . . . . . . . . . . . . . . . . . . 27
Requirement 27: Support service systems (5.42–5.43) . . . . . . . . . . . . . 27
Requirement 28: Operational limits and conditions for safe operation
(5.44) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Design for safe operation over the lifetime of the plant . . . . . . . . . . . 28
Requirement 29: Calibration, testing, maintenance, repair,
replacement, inspection and monitoring of items important
to safety (5.45–5.47) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Requirement 30: Qualification of items important to safety
(5.48–5.50) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Requirement 31: Ageing management (5.51–5.52) . . . . . . . . . . . . . . . . 29
Human factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Requirement 32: Design for optimal operator performance
(5.53–5.62) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Other design considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Requirement 33: Sharing of safety systems between multiple units
of a nuclear power plant (5.63) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Requirement 34: Systems containing fissile material or radioactive
material . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Requirement 35: Nuclear power plants used for cogeneration of heat
and power, heat generation or desalination . . . . . . . . . . . . . . . . . . . . . 32
Requirement 36: Escape routes from the plant (5.64–5.65) . . . . . . . . . . 32
Requirement 37: Communication systems at the plant (5.66–5.67) . . . 32
Requirement 38: Control of access to the plant (5.68) . . . . . . . . . . . . . . 33
Requirement 39: Prevention of unauthorized access to, or interference
with, items important to safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Requirement 40: Prevention of harmful interactions of systems
important to safety (5.69–5.70) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Requirement 41: Interactions between the electrical power grid
and the plant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Safety analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Requirement 42: Safety analysis of the plant design (5.71–5.76). . . . . . 34
6. DESIGN OF SPECIFIC PLANT SYSTEMS . . . . . . . . . . . . . . . . . . . 36
Reactor core and associated features . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Requirement 43: Performance of fuel elements and assemblies 
(6.1–6.3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Requirement 44: Structural capability of the reactor core . . . . . . . . . . . 36
Requirement 45: Control of the reactor core (6.4–6.6) . . . . . . . . . . . . . 37
Requirement 46: Reactor shutdown (6.7–6.12) . . . . . . . . . . . . . . . . . . . 37
Reactor coolant systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Requirement 47: Design of reactor coolant systems (6.13–6.16) . . . . . 38
Requirement 48: Overpressure protection of the reactor coolant
pressure boundary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Requirement 49: Inventory of reactor coolant . . . . . . . . . . . . . . . . . . . . 39
Requirement 50: Cleanup of reactor coolant (6.17) . . . . . . . . . . . . . . . . 39
Requirement 51: Removal of residual heat from the reactor core . . . . . 39
Requirement 52: Emergency cooling of the reactor core
(6.18–6.19) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Requirement 53: Heat transfer to an ultimate heat sink . . . . . . . . . . . . . 40
Containment structure and containment system . . . . . . . . . . . . . . . . . 40
Requirement 54: Containment system for the reactor . . . . . . . . . . . . . . 40
Requirement 55: Control of radioactive releases from the containment
(6.20–6.21) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Requirement 56: Isolation of the containment (6.22–6.24). . . . . . . . . . . 41
Requirement 57: Access to the containment (6.25–6.26) . . . . . . . . . . . 42
Requirement 58: Control of containment conditions (6.27–6.30) . . . . . 42
Instrumentation and control systems . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Requirement 59: Provision of instrumentation (6.31). . . . . . . . . . . . . . . 43
Requirement 60: Control systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Requirement 61: Protection system (6.32–6.33) . . . . . . . . . . . . . . . . . . . 44
Requirement 62: Reliability and testability of instrumentation and
control systems (6.34–6.36) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Requirement 63: Use of computer based equipment in systems
important to safety (6.37) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Requirement 64: Separation of protection systems and
control systems (6.38) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Requirement 65: Control room (6.39–6.40) . . . . . . . . . . . . . . . . . . . . . . 46
Requirement 66: Supplementary control room (6.41). . . . . . . . . . . . . . . 46
Requirement 67: Emergency control centre (6.42) . . . . . . . . . . . . . . . . . 47
Emergency power supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Requirement 68: Emergency power supply (6.43–6.45). . . . . . . . . . . . . 47
Supporting systems and auxiliary systems . . . . . . . . . . . . . . . . . . . . . 48
Requirement 69: Performance of supporting systems and
auxiliary systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Requirement 70: Heat transport systems (6.46) . . . . . . . . . . . . . . . . . . . 48
Requirement 71: Process sampling systems and post-accident
sampling systems (6.47). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Requirement 72: Compressed air systems . . . . . . . . . . . . . . . . . . . . . . . 49
Requirement 73: Air conditioning systems and ventilation systems
(6.48–6.49) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Requirement 74: Fire protection systems (6.50–6.54) . . . . . . . . . . . . . . 50
Requirement 75: Lighting systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Requirement 76: Overhead lifting equipment (6.55). . . . . . . . . . . . . . . . 51
Other power conversion systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Requirement 77: Steam supply system, feedwater system and
turbine generators (6.56–6.58) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Treatment of radioactive effluents and radioactive waste . . . . . . . . . . 52
Requirement 78: Systems for treatment and control of waste
(6.59–6.60) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Requirement 79: Systems for treatment and control of effluents
(6.61–6.63) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Fuel handling and storage systems . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Requirement 80: Fuel handling and storage systems (6.64–6.68) . . . . . 53
Radiation protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Requirement 81: Design for radiation protection (6.69–6.76) . . . . . . . . 54
Requirement 82: Means of radiation monitoring (6.77–6.84) . . . . . . . . 55
REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
DEFINITIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
CONTRIBUTORS TO DRAFTING AND REVIEW . . . . . . . . . . . . . . . . . 61
BODIES FOR THE ENDORSEMENT OF
IAEA SAFETY STANDARDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
.
1
1. INTRODUCTION
BACKGROUND
1.1. The present publication supersedes the Safety Requirements publication on
Safety of Nuclear Power Plants: Design (IAEA Safety Standards Series No. NS-
R-1) issued in 2000. Account has been taken of the publication in 2006 of the
Fundamental Safety Principles [1]. Requirements for nuclear sadfety are intended
to ensure the highest level of safety that can reasonably be achieved for the
protection of workers, the public and the environment from harmful effects of
ionizing radiation arising from nuclear power plants and other nuclear facilities.
It is recognized that technology and scientific knowledge advance, and that
nuclear safety and the adequacy of protection against radiation risks need to be
considered in the context of the present state of knowledge. Safety requirements
will change over time; this Safety Requirements publication reflects the present
consensus.
1.2. The designs of many existing nuclear power plants, as well as the designs
for new nuclear power plants, have been enhanced to include additional measures
to mitigate the consequences of complex accident sequences involving multiple
failures and of severe accidents. Complementary systems and equipment with
new capabilities have been backfitted to many existing nuclear power plants to
aid in the prevention of severe accidents and the mitigation of their consequences.
Guidance on the mitigation of the consequences of severe accidents has been
provided at most existing nuclear power plants. The design of new nuclear power
plants now explicitly includes the consideration of severe accident scenarios and
strategies for their management. Requirements related to the State system of
accounting for, and control of, nuclear material and security related requirements
are also taken into account in the design of nuclear power plants. Integration of
safety measures and security measures will help to ensure that neither
compromise the other.
1.3. It might not be practicable to apply all the requirements of this Safety
Requirements publication to nuclear power plants that are already in operation or
under construction; in addition, it might not be feasible to modify designs that
have already been approved by regulatory bodies. For the safety analysis of such
designs, it is expected that a comparison will be made with the current standards,
for example as part of the periodic safety review for the plant, to determine
whether the safe operation of the plant could be further enhanced by means of
reasonably practicable safety improvements.
2
OBJECTIVE
1.4. This publication establishes design requirements for the structures, systems
and components of a nuclear power plant, as well as for procedures and
organizational processes important to safety, that are required to be met for safe
operation and for preventing events that could compromise safety, or for
mitigating the consequences of such events, were they to occur.
1.5. This publication is intended for use by organizations involved in design,
manufacture, construction, modification, maintenance, operation and
decommissioning for nuclear power plants, in analysis, verification and review
and in the provision of technical support, as well as by regulatory bodies.
SCOPE
1.6. It is expected that this publication will be used primarily for land based
stationary nuclear power plants with water cooled reactors designed for
electricity generation or for other heat production applications (such as district
heating or desalination). This publication may also be applied, with judgement, to
other reactor types, to determine the requirements that have to be considered in
developing the design.
1.7. This publication does not address:
(a) Requirements that are specifically covered in other IAEA Safety
Requirements publications (e.g. Ref. [2]);
(b) Matters relating to nuclear security or to the State system of accounting for,
and control of, nuclear material;
(c) Conventional industrial safety that under no circumstances could affect the
safety of the nuclear power plant;
(d) Non-radiological impacts arising from the operation of nuclear power
plants.
1.8. Terms in this publication are to be understood as defined and explained in
the IAEA Safety Glossary [3], unless otherwise stated here (see under
Definitions).
3
STRUCTURE
1.9. This Safety Requirements publication follows the relationship between the
safety objective and safety principles, and between requirements for nuclear
safety functions and design criteria for safety. Section 2 elaborates on the safety
objective, safety principles and concepts that form the basis for deriving the
safety function requirements that must be met for the nuclear power plant, as well
as the safety design criteria. Sections 3–6 establish numbered overarching
requirements (shown in bold type), with additional requirements as appropriate.
Section 3 establishes the general requirements to be satisfied by the design
organization in the management of safety in the design process. Section 4
establishes requirements for the principal technical design criteria for safety,
including requirements for the fundamental safety functions, the application of
defence in depth and provision for construction, and requirements for interfaces
of safety with nuclear security and with the State system of accounting for, and
control of, nuclear material, and for ensuring that radiation risks arising from the
plant are maintained as low as reasonably achievable. Section 5 establishes
requirements for general plant design that supplement the requirements for
principal technical design criteria to ensure that safety objectives are met and the
safety principles are applied. The requirements for general plant design apply to
all items (i.e. structures, systems and components) important to safety. Section 6
establishes requirements for the design of specific plant systems such as the
reactor core, reactor coolant systems, containment system, and instrumentation
and control systems.
2. APPLYING THE SAFETY PRINCIPLES AND CONCEPTS
2.1. The Fundamental Safety Principles [1] establish one fundamental safety
objective and ten safety principles that provide the basis for requirements and
measures for the protection of people and the environment against radiation risks
and for the safety of facilities and activities that give rise to radiation risks.
2.2. This fundamental safety objective has to be achieved, and the ten safety
principles have to be applied, without unduly limiting the operation of facilities
or the conduct of activities that give rise to radiation risks. To ensure that nuclear
power plants are operated and activities are conducted so as to achieve the highest
4
standards of safety that can reasonably be achieved, measures have to be taken to
achieve the following (see Ref. [1], para. 2.1):
(a) To control the radiation exposure of people and the release of radioactive
material to the environment during operational states;
(b) To restrict the likelihood of events that might lead to a loss of control over a
nuclear reactor core, nuclear chain reaction, radioactive source, spent
nuclear fuel, radioactive waste or any other source of radiation at a nuclear
power plant;
(c) To mitigate the consequences of such events, were they to occur.
2.3. The fundamental safety objective applies for all stages in the lifetime of a
nuclear power plant, including planning, siting, design, manufacture,
construction, commissioning and operation, as well as decommissioning. This
includes the associated transport of radioactive material and the management of
spent nuclear fuel and radioactive waste (see Ref. [1], para. 2.2).
2.4. The Fundamental Safety Principles (Ref. [1], para. 2.3) state that:
“Ten safety principles have been formulated, on the basis of which safety
requirements are developed and safety measures are to be implemented in order
to achieve the fundamental safety objective. The safety principles form a set that
is applicable in its entirety; although in practice different principles may be more
or less important in relation to particular circumstances, the appropriate
application of all relevant principles is required.”
2.5. This Safety Requirements publication establishes requirements that apply
those safety principles, which are particularly important in the design of nuclear
power plants.
RADIATION PROTECTION
2.6. In order to satisfy the safety principles, it is required to ensure that for all
operational states of a nuclear power plant and for any associated activities, doses
from exposure to radiation within the installation or exposure due to any planned
radioactive release from the installation are kept below the dose limits and kept as
low as reasonably achievable. In addition, it is required to implement measures
for mitigating the radiological consequences of any accidents, were they to occur.
5
2.7. To apply the safety principles, it is also required that nuclear power plants
be designed and operated so as to keep all sources of radiation under strict
technical and administrative control. However, this principle does not preclude
limited exposures or the release of authorized amounts of radioactive substances
to the environment from nuclear power plants in operational states. Such
exposures and radioactive releases are required to be strictly controlled and to be
kept as low as reasonably achievable, in compliance with regulatory and
operational limits as well as radiation protection requirements [4].
SAFETY IN DESIGN
2.8. To achieve the highest level of safety that can reasonably be achieved in the
design of a nuclear power plant, measures shall be taken to do the following,
consistent with national acceptance criteria and safety objectives [1]:
(a) To prevent accidents with harmful consequences resulting from a loss of
control over the reactor core or other sources of radiation, and to mitigate
the consequences of any accidents that do occur;
(b) To ensure that for all accidents taken into account in the design of the
installation, any radiological consequences would be below the relevant
limits and would be kept as low as reasonably achievable;
(c) To ensure that the likelihood of occurrence of an accident with serious
radiological consequences is extremely low and that the radiological
consequences of such an accident would be mitigated to the fullest extent
practicable.
2.9. To demonstrate that the fundamental safety objective [1] is achieved in the
design of a nuclear power plant, a comprehensive safety assessment [2] of the
design is required to be carried out to identify all possible sources of radiation and
to evaluate the possible doses that could be received by workers at the installation
and by members of the public, as well as the possible effects on the environment,
as a result of operation of the plant. The safety assessment is required in order to
examine: (i) normal operation of the plant, (ii) the performance of the plant in
anticipated operational occurrences, and (iii) accident conditions. On the basis of
this analysis, the capability of the design to withstand postulated initiating events
and accidents can be established, the effectiveness of the items important to
safety can be demonstrated and the inputs (prerequisites) for emergency planning
can be established.
6
2.10. Measures shall be taken to control exposure for all operational states at
levels that are as low as reasonably achievable and to minimize the likelihood of
an accident that could lead to the loss of control over a source of radiation.
Nevertheless, there will remain a possibility that an accident could happen.
Measures shall be taken to ensure that the radiological consequences of an
accident would be mitigated. Such measures include the provision of safety
features and safety systems, the establishment of accident management
procedures by the operating organization and, possibly, the establishment of off-
site intervention measures by the appropriate authorities, supported as necessary
by the operating organization, to mitigate exposures if an accident has occurred.
2.11. The design for safety of a nuclear power plant applies the safety principle
that practical measures must be taken to mitigate the consequences for human life
and health and the environment of nuclear or radiation incidents (Ref. [1],
Principle 9): plant event sequences that could result in high radiation doses or
radioactive releases must be practically eliminated
1
and plant event sequences
with a significant frequency of occurrence must have no or only minor potential
radiological consequences. An essential objective is that the necessity for off-site
intervention measures to mitigate radiological consequences be limited or even
eliminated in technical terms, although such measures might still be required by
the responsible authorities.
THE CONCEPT OF DEFENCE IN DEPTH
2.12. The primary means of preventing accidents in a nuclear power plant and
mitigating the consequences of accidents if they do occur is the application of the
concept of defence in depth [1, 5, 6]. This concept is applied to all safety related
activities, whether organizational, behavioural or design related, and whether in
full power, low power or various shutdown states. This is to ensure that all safety
related activities are subject to independent layers of provisions, so that if a
failure were to occur, it would be detected and compensated for or corrected by
appropriate measures. Application of the concept of defence in depth throughout
design and operation provides protection against anticipated operational
occurrences and accidents, including those resulting from equipment failure or
1
The possibility of certain conditions occurring is considered to have been practically
eliminated if it is physically impossible for the conditions to occur or if the conditions can be
considered with a high level of confidence to be extremely unlikely to arise.
7
human induced events within the plant, and against consequences of events that
originate outside the plant.
2.13. Application of the concept of defence in depth in the design of a nuclear
power plant provides several levels of defence (inherent features, equipment and
procedures) aimed at preventing harmful effects of radiation on people and the
environment, and ensuring adequate protection from harmful effects and
mitigation of the consequences in the event that prevention fails. The independent
effectiveness of each of the different levels of defence is an essential element of
defence in depth at the plant and this is achieved by incorporating measures to
avoid the failure of one level of defence causing the failure of other levels. There
are five levels of defence:
(1) The purpose of the first level of defence is to prevent deviations from
normal operation and the failure of items important to safety. This leads to
requirements that the plant be soundly and conservatively sited, designed,
constructed, maintained and operated in accordance with quality
management and appropriate and proven engineering practices. To meet
these objectives, careful attention is paid to the selection of appropriate
design codes and materials, and to the quality control of the manufacture of
components and construction of the plant, as well as to its commissioning.
Design options that reduce the potential for internal hazards contribute to
the prevention of accidents at this level of defence. Attention is also paid to
the processes and procedures involved in design, manufacture, construction
and in-service inspection, maintenance and testing, to the ease of access for
these activities, and to the way the plant is operated and to how operating
experience is utilized. This process is supported by a detailed analysis that
determines the requirements for operation and maintenance of the plant and
the requirements for quality management for operational and maintenance
practices.
(2) The purpose of the second level of defence is to detect and control
deviations from normal operational states in order to prevent anticipated
operational occurrences at the plant from escalating to accident conditions.
This is in recognition of the fact that postulated initiating events are likely
to occur over the operating lifetime of a nuclear power plant, despite the
care taken to prevent them. This second level of defence necessitates the
provision of specific systems and features in the design, the confirmation of
their effectiveness through safety analysis, and the establishment of
operating procedures to prevent such initiating events, or else to minimize
their consequences, and to return the plant to a safe state.
8
(3) For the third level of defence, it is assumed that, although very unlikely, the
escalation of certain anticipated operational occurrences or postulated
initiating events might not be controlled at a preceding level and that an
accident could develop. In the design of the plant, such accidents are
postulated to occur. This leads to the requirement that inherent and/or
engineered safety features, safety systems and procedures be provided that
are capable of preventing damage to the reactor core or significant off-site
releases and returning the plant to a safe state.
(4) The purpose of the fourth level of defence is to mitigate the consequences
of accidents that result from failure of the third level of defence in depth.
The most important objective for this level is to ensure the confinement
function, thus ensuring that radioactive releases are kept as low as
reasonably achievable.
(5) The purpose of the fifth and final level of defence is to mitigate the
radiological consequences of radioactive releases that could potentially
result from accident conditions. This requires the provision of an
adequately equipped emergency control centre and emergency plans and
emergency procedures for on-site and off-site emergency response.
2.14. A relevant aspect of the implementation of defence in depth for a nuclear
power plant is the provision in the design of a series of physical barriers, as well
as a combination of active, passive and inherent safety features that contribute to
the effectiveness of the physical barriers in confining radioactive material at
specified locations. The number of barriers that will be necessary will depend
upon the initial source term in terms of amount and isotopic composition of
radionuclides, the effectiveness of the individual barriers, the possible internal
and external hazards, and the potential consequences of failures.
MAINTAINING THE INTEGRITY OF DESIGN OF THE PLANT
THROUGHOUT THE LIFETIME OF THE PLANT
2.15. The design, construction and commissioning of a nuclear power plant might
be shared between a number of organizations: the architect–engineer, the vendor
of the reactor and its supporting systems, the suppliers of major components, the
designer of electrical systems, and the suppliers of other systems that are
important to the safety of the plant.
2.16. The prime responsibility for safety rests with the person or organization
responsible for facilities and activities that give rise to radiation risks (i.e. the
operating organization) [1]. The International Nuclear Safety Advisory Group [7]
9
has suggested that the operating organization could set up a formal process to
maintain the integrity of design of the plant throughout the lifetime of the plant
(i.e. during the operating lifetime and into the decommissioning stage). A
formally designated entity within the operating organization would take
responsibility for this process.
2.17. In practice, the design of a nuclear power plant is complete only when the
full plant specification (including site details) is produced for its procurement and
licensing. Reference [7] emphasizes the need for a formally designated entity that
has overall responsibility for the design process and is responsible for approving
design changes and for ensuring that the requisite knowledge is maintained.
Reference [7] also introduces the concept of ‘responsible designers’ to whom this
formally designated entity could assign specific responsibilities for the design of
parts of the plant. Prior to an application for authorization of a plant, the
responsibility for the design will rest with the design organization (e.g. the
vendor). Once an application for authorization of a plant has been made, the
prime responsibility for safety will lie with the applicant, although detailed
knowledge of the design will rest with the responsible designers. This balance
will change as the plant is put into operation, since much of this detailed
knowledge, such as the knowledge embodied in the safety analysis report, design
manuals and other design documentation, will be transferred to the operating
organization. To facilitate this transfer of knowledge, the structure of the formally
designated entity that has overall responsibility for the design process would be
established at an early stage.
2.18. The management system requirements that are placed on this formally
designated entity would also apply to the responsible designers. However, the
overall responsibility for maintaining the integrity of design of the plant would
rest with the formally designated entity, and hence, ultimately, with the operating
organization.
10
3. MANAGEMENT OF SAFETY IN DESIGN
Requirement 1: Responsibilities in the management of safety in plant design
An applicant for a licence to construct and/or operate a nuclear power plant
shall be responsible for ensuring that the design submitted to the regulatory
body meets all applicable safety requirements.
3.1. All organizations, including the design organization
2
, engaged in activities
important to the safety of the design of a nuclear power plant shall be responsible
for ensuring that safety matters are given the highest priority.
Requirement 2: Management system
3
for plant design
The design organization shall establish and implement a management
system for ensuring that all safety requirements established for the design of
the plant are considered and implemented in all phases of the design process
and that they are met in the final design.
3.2. The management system shall include provision for ensuring the quality of
the design of each structure, system and component, as well as of the overall
design of the nuclear power plant, at all times. This includes the means for
identifying and correcting design deficiencies, for checking the adequacy of the
design and for controlling design changes.
3.3. The design of the plant, including subsequent changes, modifications or
safety improvements, shall be in accordance with established procedures that call
on appropriate engineering codes and standards and shall incorporate relevant
requirements and design bases. Interfaces shall be identified and controlled.
3.4. The adequacy of the plant design, including design tools and design inputs
and outputs, shall be verified and validated by individuals or groups separate
from those who originally performed the design work. Verification, validation
and approval of the plant design shall be completed as soon as is practicable in
2
The design organization is the organization responsible for preparation of the final
detailed design of the plant to be built.
3
Requirements on management systems are established in Ref. [8].
11
the design and construction processes, and in any case before operation of the
plant is commenced.
Requirement 3: Safety of the plant design throughout the lifetime of the
plant
The operating organization shall establish a formal system for ensuring the
continuing safety of the plant design throughout the lifetime of the nuclear
power plant.
3.5. The formal system for ensuring the continuing safety of the plant design
shall include a formally designated entity responsible for the safety of the plant
design within the operating organization’s management system. Tasks that are
assigned to external organizations (referred to as responsible designers) for the
design of specific parts of the plant shall be taken into account in the
arrangements.
3.6. The formally designated entity shall ensure that the plant design meets the
acceptance criteria for safety, reliability and quality in accordance with relevant
national and international codes and standards, laws and regulations. A series of
tasks and functions shall be established and implemented to ensure the following:
(a) That the plant design is fit for purpose and meets the requirement for the
optimization of protection and safety by keeping radiation risks as low as
reasonably achievable;
(b) That the design verification, definition of engineering codes and standards
and requirements, use of proven engineering practices, provision for
feedback of information on construction and experience, approval of key
engineering documents, conduct of safety assessments and maintaining a
safety culture are included in the formal system for ensuring the continuing
safety of the plant design;
(c) That the knowledge of the design that is needed for safe operation,
maintenance (including adequate intervals for testing) and modification of
the plant is available, that this knowledge is maintained up to date by the
operating organization, and that due account is taken of past operating
experience and validated research findings;
(d) That management of design requirements and configuration control are
maintained;
(e) That the necessary interfaces with responsible designers and suppliers
engaged in design work are established and controlled;
12
(f) That the necessary engineering expertise and scientific and technical
knowledge are maintained within the operating organization;
(g) That all design changes to the plant are reviewed, verified, documented and
approved;
(h) That adequate documentation is maintained to facilitate future
decommissioning of the plant.
4. PRINCIPAL TECHNICAL REQUIREMENTS
Requirement 4: Fundamental safety functions
Fulfilment of the following fundamental safety functions for a nuclear power
plant shall be ensured for all plant states: (i) control of reactivity, (ii) removal
of heat from the reactor and from the fuel store and (iii) confinement of
radioactive material, shielding against radiation and control of planned
radioactive releases, as well as limitation of accidental radioactive releases.
4.1. A systematic approach shall be taken to identifying those items important to
safety that are necessary to fulfil the fundamental safety functions and to
identifying the inherent features that are contributing to fulfilling, or that are
affecting, the fundamental safety functions for all plant states.
4.2. Means of monitoring the status of the plant shall be provided for ensuring
that the required safety functions are fulfilled.
Requirement 5: Radiation protection
4
The design of a nuclear power plant shall be such as to ensure that radiation
doses to workers at the plant and to members of the public do not exceed the
dose limits, that they are kept as low as reasonably achievable in operational
states for the entire lifetime of the plant, and that they remain below
4
Requirements on radiation protection and the safety of radiation sources for facilities
and activities are established in Ref. [9].
13
acceptable limits and as low as reasonably achievable in, and following,
accident conditions.
4.3. The design shall be such as to ensure that plant states that could lead to high
radiation doses or large radioactive releases are practically eliminated (see
footnote 1) and that there are no, or only minor, potential radiological
consequences for plant states with a significant likelihood of occurrence.
4.4. Acceptable limits for radiation protection associated with the relevant
categories of plant states shall be established, consistent with the regulatory
requirements.
Requirement 6: Design for a nuclear power plant
The design for a nuclear power plant shall ensure that the plant and items
important to safety have the appropriate characteristics to ensure that safety
functions can be performed with the necessary reliability, that the plant can
be operated safely within the operational limits and conditions for the full
duration of its design life and can be safely decommissioned, and that
impacts on the environment are minimized.
4.5. The design for a nuclear power plant shall be such as to ensure that the
safety requirements of the operating organization, the requirements of the
regulatory body and the requirements of relevant legislation, as well as applicable
national and international codes and standards, are all met, and that due account is
taken of human capabilities and limitations and of factors that could influence
human performance. Adequate information on the design shall be provided for
ensuring the safe operation and maintenance of the plant, and to allow subsequent
plant modifications to be made. Recommended practices shall be provided for
incorporation into the administrative and operational procedures for the plant (i.e.
the operational limits and conditions).
4.6. The design shall take due account of relevant available experience that has
been gained in the design, construction and operation of other nuclear power
plants, and of the results of relevant research programmes.
4.7. The design shall take due account of the results of deterministic safety
analyses and probabilistic safety analyses, to ensure that due consideration has
been given to the prevention of accidents and to mitigation of the consequences
of any accidents that do occur.
14
4.8. The design shall be such as to ensure that the generation of radioactive
waste and discharges are kept to the minimum practicable in terms of both
activity and volume, by means of appropriate design measures and operational
and decommissioning practices.
Requirement 7: Application of defence in depth
The design of a nuclear power plant shall incorporate defence in depth. The
levels of defence in depth shall be independent as far as is practicable.
4.9. The defence in depth concept shall be applied to provide several levels of
defence that are aimed at preventing consequences of accidents that could lead to
harmful effects on people and the environment, and ensuring that appropriate
measures are taken for the protection of people and the environment and for the
mitigation of consequences in the event that prevention fails.
4.10. The design shall take due account of the fact that the existence of multiple
levels of defence is not a basis for continued operation in the absence of one level
of defence. All levels of defence in depth shall be kept available at all times and
any relaxations shall be justified for specific modes of operation.
4.11. The design:
(a) Shall provide for multiple physical barriers to the release of radioactive
material to the environment;
(b) Shall be conservative, and the construction shall be of high quality, so as to
provide assurance that failures and deviations from normal operation are
minimized, that accidents are prevented as far as is practicable and that a
small deviation in a plant parameter does not lead to a cliff edge effect
5
;
(c) Shall provide for the control of plant behaviour by means of inherent and
engineered features, such that failures and deviations from normal
operation requiring actuation of safety systems are minimized or excluded
by design, to the extent possible;
(d) Shall provide for supplementing the control of the plant by means of
automatic actuation of safety systems, such that failures and deviations
5
A cliff edge effect, in a nuclear power plant, is an instance of severely abnormal plant
behaviour caused by an abrupt transition from one plant status to another following a small
deviation in a plant parameter, and thus a sudden large variation in plant conditions in response
to a small variation in an input.
15
from normal operation that exceed the capability of control systems can be
controlled with a high level of confidence, and the need for operator actions
in the early phase of these failures or deviations from normal operation is
minimized;
(e) Shall provide for systems, structures and components and procedures to
control the course of and, as far as practicable, to limit the consequences of
failures and deviations from normal operation that exceed the capability of
safety systems;
(f) Shall provide multiple means for ensuring that each of the fundamental
safety functions is performed, thereby ensuring the effectiveness of the
barriers and mitigating the consequences of any failure or deviation from
normal operation.
4.12. To ensure that the concept of defence in depth is maintained, the design
shall prevent, as far as is practicable:
(a) Challenges to the integrity of physical barriers;
(b) Failure of one or more barriers;
(c) Failure of a barrier as a consequence of the failure of another barrier;
(d) The possibility of harmful consequences of errors in operation and
maintenance.
4.13. The design shall be such as to ensure, as far as is practicable, that the first,
or at most the second, level of defence is capable of preventing an escalation to
accident conditions for all failures or deviations from normal operation that are
likely to occur over the operating lifetime of the nuclear power plant.
Requirement 8: Interfaces of safety with security and safeguards
Safety measures, nuclear security measures and arrangements for the State
system of accounting for, and control of, nuclear material for a nuclear
power plant shall be designed and implemented in an integrated manner so
that they do not compromise one another.
Requirement 9: Proven engineering practices
Items important to safety for a nuclear power plant shall be designed in
accordance with the relevant national and international codes and
standards.
16
4.14. Items important to safety for a nuclear power plant shall preferably be of a
design that has previously been proven in equivalent applications, and if not, shall
be items of high quality and of a technology that has been qualified and tested.
4.15. National and international codes and standards that are used as design rules
for items important to safety shall be identified and evaluated to determine their
applicability, adequacy and sufficiency, and shall be supplemented or modified as
necessary to ensure that the quality of the design is commensurate with the
associated safety function.
4.16. Where an unproven design or feature is introduced or where there is a
departure from an established engineering practice, safety shall be demonstrated
by means of appropriate supporting research programmes, performance tests with
specific acceptance criteria or the examination of operating experience from other
relevant applications. The new design or feature or new practice shall also be
adequately tested to the extent practicable before being brought into service, and
shall be monitored in service to verify that the behaviour of the plant is as
expected.
Requirement 10: Safety assessment
6
Comprehensive deterministic safety assessments and probabilistic safety
assessments shall be carried out throughout the design process for a nuclear
power plant to ensure that all safety requirements on the design of the plant
are met throughout all stages of the lifetime of the plant, and to confirm that
the design, as delivered, meets requirements for manufacture and for
construction, and as built, as operated and as modified.
4.17. The safety assessments shall be commenced at an early point in the design
process, with iterations between design activities and confirmatory analytical
activities, and shall increase in scope and level of detail as the design programme
progresses.
4.18. The safety assessments shall be documented in a form that facilitates
independent evaluation.
6
Requirements on safety assessment for facilities and activities are established in
Ref. [2].
17
Requirement 11: Provision for construction
Items important to safety for a nuclear power plant shall be designed so that
they can be manufactured, constructed, assembled, installed and erected in
accordance with established processes that ensure the achievement of the
design specifications and the required level of safety.
4.19. In the provision for construction and operation, due account shall be taken
of relevant experience that has been gained in the construction of other similar
plants and their associated structures, systems and components. Where best
practices from other relevant industries are adopted, such practices shall be
shown to be appropriate to the specific nuclear application.
Requirement 12: Features to facilitate radioactive waste management and
decommissioning
Special consideration shall be given at the design stage of a nuclear power
plant to the incorporation of features to facilitate radioactive waste
management and the future decommissioning and dismantling of the plant.
4.20. In particular, the design shall take due account of:
(a) The choice of materials, so that amounts of radioactive waste will be
minimized to the extent practicable and decontamination will be facilitated;
(b) The access capabilities and the means of handling that might be necessary;
(c) The facilities necessary for the treatment and storage of radioactive waste
generated in operation and provision for managing the radioactive waste
that will be generated in the decommissioning of the plant.
5. GENERAL PLANT DESIGN
DESIGN BASIS
Requirement 13: Categories of plant states
Plant states shall be identified and shall be grouped into a limited number of
categories primarily on the basis of their frequency of occurrence at the
nuclear power plant.
18
5.1. Plant states shall typically cover:
(a) Normal operation;
(b) Anticipated operational occurrences, which are expected to occur over the
operating lifetime of the plant;
(c) Design basis accidents;
(d) Design extension conditions, including accidents with significant
degradation of the reactor core.
5.2. Criteria shall be assigned to each plant state, such that frequently occurring
plant states shall have no, or only minor, radiological consequences and plant
states that could give rise to serious consequences shall have a very low
frequency of occurrence.
Requirement 14: Design basis for items important to safety
The design basis for items important to safety shall specify the necessary
capability, reliability and functionality for the relevant operational states,
for accident conditions and for conditions arising from internal and external
hazards, to meet the specific acceptance criteria over the lifetime of the
nuclear power plant.
5.3. The design basis for each item important to safety shall be systematically
justified and documented. The documentation shall provide the necessary
information for the operating organization to operate the plant safely.
Requirement 15: Design limits
A set of design limits consistent with the key physical parameters for each
item important to safety for the nuclear power plant shall be specified for all
operational states and for accident conditions.
5.4. The design limits shall be specified and shall be consistent with relevant
national and international standards and codes, as well as with relevant regulatory
requirements.
Requirement 16: Postulated initiating events
The design for the nuclear power plant shall apply a systematic approach to
identifying a comprehensive set of postulated initiating events such that all
foreseeable events with the potential for serious consequences and all
19
foreseeable events with a significant frequency of occurrence are anticipated
and are considered in the design.
5.5. The postulated initiating events shall be identified on the basis of
engineering judgement and a combination of deterministic assessment and
probabilistic assessment. A justification of the extent of usage of deterministic
safety analysis and probabilistic safety analysis shall be provided, to show that all
foreseeable events have been considered.
5.6. The postulated initiating events shall include all foreseeable failures of
structures, systems and components of the plant, as well as operating errors and
possible failures arising from internal and external hazards, whether in full power,
low power or shutdown states.
5.7. An analysis of the postulated initiating events for the plant shall be made to
establish the preventive measures and protective measures that are necessary to
ensure that the required safety functions will be performed.
5.8. The expected behaviour of the plant in any postulated initiating event shall
be such that the following conditions can be achieved, in order of priority:
(1) A postulated initiating event would produce no safety significant effects or
would produce only a change towards safe plant conditions by means of
inherent characteristics of the plant.
(2) Following a postulated initiating event, the plant would be rendered safe by
means of passive safety features or by the action of systems that are
operating continuously in the state necessary to control the postulated
initiating event.
(3) Following a postulated initiating event, the plant would be rendered safe by
the actuation of safety systems that need to be brought into operation in
response to the postulated initiating event.
(4) Following a postulated initiating event, the plant would be rendered safe by
following specified procedures.
5.9. The postulated initiating events used for developing the performance
requirements for the items important to safety in the overall safety assessment
and the detailed analysis of the plant shall be grouped into a specified number of
representative event sequences that identify bounding cases and that provide the
basis for the design and the operational limits for items important to safety.
20
5.10. A technically supported justification shall be provided for exclusion from
the design of any initiating event that is identified in accordance with the
comprehensive set of postulated initiating events.
5.11. Where prompt and reliable action would be necessary in response to a
postulated initiating event, provision shall be made in the design for automatic
safety actions for the necessary actuation of safety systems, to prevent
progression to more severe plant conditions.
5.12. Where prompt action in response to a postulated initiating event would not
be necessary, it is permissible for reliance to be placed on the manual initiation of
systems or on other operator actions. For such cases, the time interval between
detection of the abnormal event or accident and the required action shall be
sufficiently long, and adequate procedures (such as administrative, operational
and emergency procedures) shall be specified to ensure the performance of such
actions. An assessment shall be made of the potential for an operator to worsen an
event sequence through erroneous operation of equipment or incorrect diagnosis
of the necessary recovery process.
5.13. The operator actions that would be necessary to diagnose the state of the
plant following a postulated initiating event and to put it into a stable long term
shutdown condition in a timely manner shall be facilitated by the provision of
adequate instrumentation to monitor the status of the plant, and adequate controls
for the manual operation of equipment.
5.14. The design shall specify the necessary provision of equipment and the
procedures necessary to provide the means for keeping control over the plant and
for mitigating any harmful consequences of a loss of control.
5.15. Any equipment that is necessary for actions to be taken in manual response
and recovery processes shall be placed at the most suitable location to ensure its
availability at the time of need and to allow safe access to it under the
environmental conditions anticipated.
Requirement 17: Internal and external hazards
All foreseeable internal hazards and external hazards, including the
potential for human induced events directly or indirectly to affect the safety
of the nuclear power plant, shall be identified and their effects shall be
evaluated. Hazards shall be considered for determination of the postulated
21
initiating events and generated loadings for use in the design of relevant
items important to safety for the plant.
Internal hazards
5.16. The design shall take due account of internal hazards such as fire,
explosion, flooding, missile generation, collapse of structures and falling objects,
pipe whip, jet impact and release of fluid from failed systems or from other
installations on the site. Appropriate features for prevention and mitigation shall
be provided to ensure that safety is not compromised.
External hazards
7
5.17. The design shall include due consideration of those natural and human
induced external events (i.e. events of origin external to the plant) that have been
identified in the site evaluation process. Natural external events shall be
addressed, including meteorological, hydrological, geological and seismic
events. Human induced external events arising from nearby industries and
transport routes shall be addressed. In the short term, the safety of the plant shall
not be permitted to be dependent on the availability of off-site services such as
electricity supply and fire fighting services. The design shall take due account of
site specific conditions to determine the maximum delay time by which off-site
services need to be available.
5.18. Items important to safety shall be designed and located to minimize,
consistent with other safety requirements, the likelihood of external events and
their possible harmful consequences.
5.19. Features shall be provided to minimize any interactions between buildings
containing items important to safety (including power cabling and control
cabling) and any other plant structure as a result of external events considered in
the design.
5.20. The design shall be such as to ensure that items important to safety are
capable of withstanding the effects of external events considered in the design,
and if not, other features such as passive barriers shall be provided to protect the
plant and to ensure that the required safety function will be performed.
7
Requirements on site evaluation for nuclear installations are established in Ref. [10].
22
5.21. The seismic design of the plant shall provide for a sufficient safety margin
to protect against seismic events and to avoid cliff edge effects (see footnote 5).
5.22. For multiple unit plant sites, the design shall take due account of the
potential for specific hazards giving rise to simultaneous impacts on several units
on the site.
Requirement 18: Engineering design rules
The engineering design rules for items important to safety at a nuclear
power plant shall be specified and shall comply with the relevant national or
international codes and standards and with proven engineering practices,
with due account taken of their relevance to nuclear power technology.
5.23. Methods to ensure a robust design shall be applied, and proven engineering
practices shall be adhered to in the design of a nuclear power plant to ensure that
the fundamental safety functions are achieved for all operational states and for all
accident conditions.
Requirement 19: Design basis accidents
A set of accident conditions that are to be considered in the design shall be
derived from postulated initiating events for the purpose of establishing the
boundary conditions for the nuclear power plant to withstand, without
acceptable limits for radiation protection being exceeded.
5.24. Design basis accidents shall be used to define the design bases, including
performance criteria, for safety systems and for other items important to safety that
are necessary to control design basis accident conditions, with the objective of
returning the plant to a safe state and mitigating the consequences of any accidents.
5.25. The design shall be such that for design basis accident conditions, key plant
parameters do not exceed the specified design limits. A primary objective shall be
to manage all design basis accidents so that they have no, or only minor,
radiological impacts, on or off the site, and do not necessitate any off-site
intervention measures.
5.26. The design basis accidents shall be analysed in a conservative manner. This
approach involves postulating certain failures in safety systems, specifying
design criteria and using conservative assumptions, models and input parameters
in the analysis.
23
Requirement 20: Design extension conditions
A set of design extension conditions shall be derived on the basis of
engineering judgement, deterministic assessments and probabilistic
assessments for the purpose of further improving the safety of the nuclear
power plant by enhancing the plant’s capabilities to withstand, without
unacceptable radiological consequences, accidents that are either more
severe than design basis accidents or that involve additional failures. These
design extension conditions shall be used to identify the additional accident
scenarios to be addressed in the design and to plan practicable provisions for
the prevention of such accidents or mitigation of their consequences if they
do occur.
5.27. An analysis of design extension conditions for the plant shall be
performed
8
. The main technical objective of considering the design extension
conditions is to provide assurance that the design of the plant is such as to prevent
accident conditions not considered design basis accident conditions, or to
mitigate their consequences, as far as is reasonably practicable. This might
require additional safety features for design extension conditions, or extension of
the capability of safety systems to maintain the integrity of the containment.
These additional safety features for design extension conditions, or this extension
of the capability of safety systems, shall be such as to ensure the capability for
managing accident conditions in which there is a significant amount of
radioactive material in the containment (including radioactive material resulting
from severe degradation of the reactor core). The plant shall be designed so that it
can be brought into a controlled state and the containment function can be
maintained, with the result that significant radioactive releases would be
practically eliminated (see footnote 1). The effectiveness of provisions to ensure
the functionality of the containment could be analysed on the basis of the best
estimate approach.
5.28. The design extension conditions shall be used to define the design basis for
safety features and for the design of all other items important to safety that are
necessary for preventing such conditions from arising, or, if they do arise, for
controlling them and mitigating their consequences.
8
This could be done with a best estimate approach (more stringent approaches may be
used according to States’ requirements).
24
5.29. The analysis undertaken shall include identification of the features that are
designed for use in, or that are capable
9
of preventing or mitigating, events
considered in the design extension conditions. These features:
(a) Shall be independent, to the extent practicable, of those used in more
frequent accidents;
(b) Shall be capable of performing in the environmental conditions pertaining
to these design extension conditions, including design extension conditions
in severe accidents, where appropriate;
(c) Shall have a reliability commensurate with the function that they are
required to fulfil.
5.30. In particular, the containment and its safety features shall be able to
withstand extreme scenarios that include, among other things, melting of the
reactor core. These scenarios shall be selected using engineering judgement and
input from probabilistic safety assessments.
5.31. The design shall be such that design extension conditions that could lead to
significant radioactive releases are practically eliminated (see footnote 1). If not,
for design extension conditions that cannot be practically eliminated, only
protective measures that are of limited scope in terms of area and time shall be
necessary for protection of the public, and sufficient time shall be made available
to implement these measures.
Combinations of events and failures
5.32. Where the results of engineering judgement, deterministic safety
assessments and probabilistic safety assessments indicate that combinations of
events could lead to anticipated operational occurrences or to accident conditions,
such combinations of events shall be considered to be design basis accidents or
shall be included as part of design extension conditions, depending mainly on
their likelihood of occurrence. Certain events might be consequences of other
events, such as a flood following an earthquake. Such consequential effects shall
be considered to be part of the original postulated initiating event.
9
For returning the plant to a safe state or for mitigating the consequences of an accident,
consideration could be given to the full design capabilities of the plant and to the temporary use
of additional systems.
25
Requirement 21: Physical separation and independence of safety systems
Interference between safety systems or between redundant elements of a
system shall be prevented by means such as physical separation, electrical
isolation, functional independence and independence of communication
(data transfer), as appropriate.
5.33. Safety system equipment (including cables and raceways) shall be readily
identifiable in the plant for each redundant element of a safety system.
Requirement 22: Safety classification
All items important to safety shall be identified and shall be classified on the
basis of their function and their safety significance.
5.34. The method for classifying the safety significance of items important to
safety shall be based primarily on deterministic methods complemented, where
appropriate, by probabilistic methods, with due account taken of factors such as:
(a) The safety function(s) to be performed by the item;
(b) The consequences of failure to perform a safety function;
(c) The frequency with which the item will be called upon to perform a safety
function;
(d) The time following a postulated initiating event at which, or the period for
which, the item will be called upon to perform a safety function.
5.35. The design shall be such as to ensure that any interference between items
important to safety will be prevented, and in particular that any failure of items
important to safety in a system in a lower safety class will not propagate to a
system in a higher safety class.
5.36. Equipment that performs multiple functions shall be classified in a safety
class that is consistent with the most important function performed by the
equipment.
26
Requirement 23: Reliability of items important to safety
The reliability of items important to safety shall be commensurate with their
safety significance.
5.37. The design of items important to safety shall be such as to ensure that the
equipment can be qualified, procured, installed, commissioned, operated and
maintained to be capable of withstanding, with sufficient reliability and
effectiveness, all conditions specified in the design basis for the items.
5.38. In the selection of equipment, consideration shall be given to both spurious
operation and unsafe failure modes. Preference shall be given in the selection
process to equipment that exhibits a predictable and revealed mode of failure and
for which the design facilitates repair or replacement.
Requirement 24: Common cause failures
The design of equipment shall take due account of the potential for common
cause failures of items important to safety, to determine how the concepts of
diversity, redundancy, physical separation and functional independence
have to be applied to achieve the necessary reliability.
Requirement 25: Single failure criterion
The single failure criterion shall be applied to each safety group
incorporated in the plant design.
10
5.39. Spurious action shall be considered to be one mode of failure when
applying the concept to a safety group or safety system.
5.40. The design shall take due account of the failure of a passive component,
unless it has been justified in the single failure analysis with a high level of
confidence that a failure of that component is very unlikely and that its function
would remain unaffected by the postulated initiating event.
10
A single failure is a failure that results in the loss of capability of a system or
component to perform its intended safety function(s) and any consequential failure(s) that
result from it. The single failure criterion is a criterion (or requirement) applied to a system
such that it must be capable of performing its task in the presence of any single failure.
27
Requirement 26: Fail-safe design
The concept of fail-safe design shall be incorporated, as appropriate, into the
design of systems and components important to safety.
5.41. Systems and components important to safety shall be designed for fail-safe
behaviour, as appropriate, so that their failure or the failure of a support feature
does not prevent the performance of the intended safety function.
Requirement 27: Support service systems
Support service systems that ensure the operability of equipment forming
part of a system important to safety shall be classified accordingly.
5.42. The reliability, redundancy, diversity and independence of support service
systems and the provision of features for their isolation and for testing their
functional capability shall be commensurate with the significance to safety of the
system being supported.
5.43. It shall not be permissible for a failure of a support service system to be
capable of simultaneously affecting redundant parts of a safety system or a
system fulfilling diverse safety functions and compromising the capability of
these systems to fulfil their safety functions.
Requirement 28: Operational limits and conditions for safe operation
The design shall establish a set of operational limits and conditions for safe
operation of the nuclear power plant.
5.44. The requirements and operational limits and conditions established in the
design for the nuclear power plant shall include (Req. 6, Ref. [4]):
(a) Safety limits;
(b) Limiting settings for safety systems;
(c) Operational limits and conditions for operational states;
(d) Control system constraints and procedural constraints on process variables
and other important parameters;
(e) Requirements for surveillance, maintenance, testing and inspection of the
plant to ensure that structures, systems and components function as
intended in the design, to comply with the requirement for optimization by
keeping radiation risks as low as reasonably achievable;
28
(f) Specified operational configurations, including operational restrictions in
the event of the unavailability of safety systems or safety related systems;
(g) Action statements, including completion times for actions in response to
deviations from the operational limits and conditions.
DESIGN FOR SAFE OPERATION OVER THE LIFETIME OF THE PLANT
Requirement 29: Calibration, testing, maintenance, repair, replacement,
inspection and monitoring of items important to safety
Items important to safety for a nuclear power plant shall be designed to be
calibrated, tested, maintained, repaired or replaced, inspected and
monitored as required to ensure their capability of performing their
functions and to maintain their integrity in all conditions specified in their
design basis.
5.45. The plant layout shall be such that activities for calibration, testing,
maintenance, repair or replacement, inspection and monitoring are facilitated and
can be performed to relevant national and international codes and standards. Such
activities shall be commensurate with the importance of the safety functions to be
performed, and shall be performed without undue exposure of workers.
5.46. Where items important to safety are planned to be calibrated, tested or
maintained during power operation, the respective systems shall be designed for
performing such tasks with no significant reduction in the reliability of
performance of the safety functions. Provisions for calibration, testing,
maintenance, repair, replacement or inspection of items important to safety
during shutdown shall be included in the design so that such tasks can be
performed with no significant reduction in the reliability of performance of the
safety functions.
5.47. If an item important to safety cannot be designed to be capable of being
tested, inspected or monitored to the extent desirable, a robust technical
justification shall be provided that incorporates the following approach:
(a) Other proven alternative and/or indirect methods such as surveillance
testing of reference items or use of verified and validated calculational
methods shall be specified.
(b) Conservative safety margins shall be applied or other appropriate
precautions shall be taken to compensate for possible unanticipated failures.
29
Requirement 30: Qualification of items important to safety
A qualification programme for items important to safety shall be
implemented to verify that items important to safety at a nuclear power
plant are capable of performing their intended functions when necessary,
and in the prevailing environmental conditions, throughout their design life,
with due account taken of plant conditions during maintenance and testing.
5.48. The environmental conditions considered in the qualification programme
for items important to safety at a nuclear power plant shall include the variations
in ambient environmental conditions that are anticipated in the design basis for
the plant.
5.49. The qualification programme for items important to safety shall include the
consideration of ageing effects caused by environmental factors (such as
conditions of vibration, irradiation, humidity or temperature) over the expected
service life of the items important to safety. When the items important to safety
are subject to natural external events and are required to perform a safety function
during or following such an event, the qualification programme shall replicate as
far as is practicable the conditions imposed on the items important to safety by
the natural event, either by test or by analysis or by a combination of both.
5.50. Any environmental conditions that could reasonably be anticipated and that
could arise in specific operational states, such as in periodic testing of the
containment leak rate, shall be included in the qualification programme.
Requirement 31: Ageing management
The design life of items important to safety at a nuclear power plant shall be
determined. Appropriate margins shall be provided in the design to take due
account of relevant mechanisms of ageing, neutron embrittlement and wear
out and of the potential for age related degradation, to ensure the capability
of items important to safety to perform their necessary safety functions
throughout their design life.
5.51. The design for a nuclear power plant shall take due account of ageing and
wear out effects in all operational states for which a component is credited,
including testing, maintenance, maintenance outages, plant states during a
postulated initiating event and plant states following a postulated initiating event.
30
5.52. Provision shall be made for monitoring, testing, sampling and inspection to
assess ageing mechanisms predicted at the design stage and to help identify
unanticipated behaviour of the plant or degradation that might occur in service.
HUMAN FACTORS
Requirement 32: Design for optimal operator performance
Systematic consideration of human factors, including the human–machine
interface, shall be included at an early stage in the design process for a
nuclear power plant and shall be continued throughout the entire design
process.
5.53. The design for a nuclear power plant shall specify the minimum number of
operating personnel required to perform all the simultaneous operations
necessary to bring the plant into a safe state.
5.54. Operating personnel who have gained operating experience in similar
plants shall, as far as is practicable, be actively involved in the design process
conducted by the design organization, in order to ensure that consideration is
given as early as possible in the process to the future operation and maintenance
of equipment.
5.55. The design shall support operating personnel in the fulfilment of their
responsibilities and in the performance of their tasks, and shall limit the effects of
operating errors on safety. The design process shall pay attention to plant layout
and equipment layout, and to procedures, including procedures for maintenance
and inspection, to facilitate interaction between the operating personnel and the
plant.
5.56. The human–machine interface shall be designed to provide the operators
with comprehensive but easily manageable information, in accordance with the
necessary decision times and action times. The information necessary for the
operator to make a decision to act shall be simply and unambiguously presented.
5.57. The operator shall be provided with the necessary information:
(a) To assess the general state of the plant in any condition;
(b) To operate the plant within the specified limits on parameters associated
with plant systems and equipment (operational limits and conditions);
31
(c) To confirm that safety actions for the actuation of safety systems are
automatically initiated when needed and that the relevant systems perform
as intended;
(d) To determine both the need for and the time for manual initiation of the
specified safety actions.
5.58. The design shall be such as to promote the success of operator actions with
due regard for the time available for action, the conditions to be expected and the
psychological demands being made on the operator.
5.59. The need for intervention by the operator on a short time scale shall be kept
to a minimum, and it shall be demonstrated that the operator has sufficient time to
make a decision and sufficient time to act.
5.60. The design shall be such as to ensure that, following an event affecting the
plant, environmental conditions in the control room or the supplementary control
room and in locations on the access route to the supplementary control room do
not compromise the protection and safety of the operating personnel.
5.61. The design of workplaces and the working environment of the operating
personnel shall be in accordance with ergonomic concepts.
5.62. Verification and validation, including by the use of simulators, of features
relating to human factors shall be included at appropriate stages to confirm that
necessary actions by the operator have been identified and can be correctly
performed.
OTHER DESIGN CONSIDERATIONS
Requirement 33: Sharing of safety systems between multiple units of a
nuclear power plant
Safety systems shall not be shared between multiple units unless this
contributes to enhanced safety.
5.63. Safety system support features and safety related items shall be permitted to
be shared between several units of a nuclear power plant if this contributes to
safety. Such sharing shall not be permitted if it would increase either the
likelihood or the consequences of an accident at any unit of the plant.
32
Requirement 34: Systems containing fissile material or radioactive material
All systems in a nuclear power plant that could contain fissile material or
radioactive material shall be so designed as: to prevent the occurrence of
events that could lead to an uncontrolled radioactive release to the
environment; to prevent accidental criticality and overheating; to ensure
that radioactive releases of material are kept below authorized limits on
discharges in normal operation and below acceptable limits in accident
conditions, and are kept as low as reasonably achievable; and to facilitate
mitigation of radiological consequences of accidents.
Requirement 35: Nuclear power plants used for cogeneration of heat and
power, heat generation or desalination
Nuclear power plants coupled with heat utilization units (such as for district
heating) and/or water desalination units shall be designed to prevent
processes that transport radionuclides from the nuclear plant to the
desalination unit or the district heating unit under conditions of operational
states and in accident conditions.
Requirement 36: Escape routes from the plant
A nuclear power plant shall be provided with a sufficient number of escape
routes, clearly and durably marked, with reliable emergency lighting,
ventilation and other services essential to the safe use of these escape routes.
5.64. Escape routes from the nuclear power plant shall meet the relevant national
and international requirements for radiation zoning and fire protection, and the
relevant national requirements for industrial safety and plant security.
5.65. At least one escape route shall be available from workplaces and other
occupied areas following an internal event or an external event or following
combinations of events considered in the design.
Requirement 37: Communication systems at the plant
Effective means of communication shall be provided throughout the nuclear
power plant to facilitate safe operation in all modes of normal operation and
to be available for use following all postulated initiating events and in
accident conditions.
33
5.66. Suitable alarm systems and means of communication shall be provided so
that all persons present at the nuclear power plant and on the site can be given
warnings and instructions, in operational states and in accident conditions.
5.67. Suitable and diverse means of communication necessary for safety within
the nuclear power plant and in the immediate vicinity, and for communication
with relevant off-site agencies shall be provided.
Requirement 38: Control of access to the plant
The nuclear power plant shall be isolated from its surroundings with a
suitable layout of the various structural elements so that access to it can be
controlled.
5.68. Provision shall be made in the design of the buildings and the layout of the
site for the control of access to the nuclear power plant by operating personnel
and/or for equipment, including emergency response personnel and vehicles, with
particular consideration given to guarding against the unauthorized entry of
persons and goods to the plant.
Requirement 39: Prevention of unauthorized access to, or interference with,
items important to safety
Unauthorized access to, or interference with, items important to safety,
including computer hardware and software, shall be prevented.
Requirement 40: Prevention of harmful interactions of systems important to
safety
The potential for harmful interactions of systems important to safety at the
nuclear power plant that might be required to operate simultaneously shall
be evaluated, and effects of any harmful interactions shall be prevented.
5.69. In the analysis of the potential for harmful interactions of systems important
to safety, due account shall be taken of physical interconnections and of the
possible effects of one system’s operation, maloperation or malfunction on local
environmental conditions of other essential systems, to ensure that changes in
environmental conditions do not affect the reliability of systems or components in
functioning as intended.
34
5.70. If two fluid systems important to safety are interconnected and are
operating at different pressures, either the systems shall both be designed to
withstand the higher pressure, or provision shall be made to prevent the design
pressure of the system operating at the lower pressure from being exceeded.
Requirement 41: Interactions between the electrical power grid and the
plant
The functionality of items important to safety at the nuclear power plant
shall not be compromised by disturbances in the electrical power grid,
including anticipated variations in the voltage and frequency of the grid
supply.
SAFETY ANALYSIS
Requirement 42: Safety analysis of the plant design
A safety analysis of the design for the nuclear power plant shall be conducted
in which methods of both deterministic analysis and probabilistic analysis
shall be applied to enable the challenges to safety in the various categories of
plant states to be evaluated and assessed.
5.71. On the basis of a safety analysis, the design basis for items important to
safety and their links to initiating events and event sequences shall be confirmed
(see footnote 6). It shall be demonstrated that the nuclear power plant as designed
is capable of complying with authorized limits on discharges with regard to
radioactive releases and with the dose limits in all operational states, and is
capable of meeting acceptable limits for accident conditions.
5.72. The safety analysis shall provide assurance that defence in depth has been
implemented in the design of the plant.
5.73. The safety analysis shall provide assurance that uncertainties have been
given adequate consideration in the design of the plant.
5.74. The applicability of the analytical assumptions, methods and degree of
conservatism used in the design of the plant shall be updated and verified for the
current or as built design.
35
Deterministic approach
5.75. The deterministic safety analysis shall mainly provide:
(a) Establishment and confirmation of the design bases for all items important
to safety;
(b) Characterization of the postulated initiating events that are appropriate for
the site and the design of the plant;
(c) Analysis and evaluation of event sequences that result from postulated
initiating events, to confirm the qualification requirements;
(d) Comparison of the results of the analysis with dose limits and acceptable
limits, and with design limits;
(e) Demonstration that the management of anticipated operational occurrences
and design basis accident conditions is possible by safety actions for the
automatic actuation of safety systems in combination with prescribed
actions by the operator;
(f) Demonstration that the management of design extension conditions is
possible by the automatic actuation of safety systems and the use of safety
features in combination with expected actions by the operator.
Probabilistic approach
5.76. The design shall take due account of the probabilistic safety analysis of the
plant for all modes of operation and for all plant states, including shutdown, with
particular reference to:
(a) Establishing that a balanced design has been achieved such that no
particular feature or postulated initiating event makes a disproportionately
large or significantly uncertain contribution to the overall risks, and that, to
the extent practicable, the levels of defence in depth are independent;
(b) Providing assurance that small deviations in plant parameters that could
give rise to large variations in plant conditions (cliff edge effects) will be
prevented (see footnote 5);
(c) Comparing the results of the analysis with the acceptance criteria for risk
where these have been specified.
36
6. DESIGN OF SPECIFIC PLANT SYSTEMS
REACTOR CORE AND ASSOCIATED FEATURES
Requirement 43: Performance of fuel elements and assemblies
Fuel elements and assemblies for the nuclear power plant shall be designed
to maintain their structural integrity, and to withstand satisfactorily the
anticipated radiation levels and other conditions in the reactor core, in
combination with all the processes of deterioration that could occur in
operational states.
6.1. The processes of deterioration to be considered shall include those arising
from: differential expansion and deformation; external pressure of the coolant;
additional internal pressure due to fission products and the buildup of helium in
fuel elements; irradiation of fuel and other materials in the fuel assembly;
variations in pressure and temperature resulting from variations in power
demand; chemical effects; static and dynamic loading, including flow induced
vibrations and mechanical vibrations; and variations in performance in relation to
heat transfer that could result from distortions or chemical effects. Allowance
shall be made for uncertainties in data, in calculations and in manufacture.
6.2. Fuel design limits shall include limits on the permissible leakage of fission
products from the fuel in anticipated operational occurrences so that the fuel
remains suitable for continued use.
6.3. Fuel elements and fuel assemblies shall be capable of withstanding the
loads and stresses associated with fuel handling.
Requirement 44: Structural capability of the reactor core
The fuel elements and fuel assemblies and their supporting structures for the
nuclear power plant shall be designed so that, in operational states and in
accident conditions other than severe accidents, a geometry that allows for
adequate cooling is maintained and the insertion of control rods is not
impeded.
37
Requirement 45: Control of the reactor core
Distributions of neutron flux that can arise in any state of the reactor core in
the nuclear power plant, including states arising after shutdown and during
or after refuelling, and states arising from anticipated operational
occurrences and from accident conditions not involving degradation of the
reactor core, shall be inherently stable. The demands made on the control
system for maintaining the shapes, levels and stability of the neutron flux
within specified design limits in all operational states shall be minimized.
6.4. Adequate means of detecting the neutron flux distributions in the reactor
core and their changes shall be provided for the purpose of ensuring that there are
no regions of the core in which the design limits could be exceeded.
6.5. In the design of reactivity control devices, due account shall be taken of
wear out and of the effects of irradiation, such as burnup, changes in physical
properties and production of gas.
6.6. The maximum degree of positive reactivity and its rate of increase by
insertion in operational states and accident conditions not involving degradation
of the reactor core shall be limited or compensated for to prevent any resultant
failure of the pressure boundary of the reactor coolant systems, to maintain the
capability for cooling and to prevent any significant damage to the reactor core.
Requirement 46: Reactor shutdown
Means shall be provided to ensure that there is a capability to shut down the
reactor of the nuclear power plant in operational states and in accident
conditions, and that the shutdown condition can be maintained even for the
most reactive conditions of the reactor core.
6.7. The effectiveness, speed of action and shutdown margin of the means of
shutdown of the reactor shall be such that the specified design limits for fuel are
not exceeded.
6.8. In judging the adequacy of the means of shutdown of the reactor,
consideration shall be given to failures arising anywhere in the plant that could
render part of the means of shutdown inoperative (such as failure of a control rod
to insert) or that could result in a common cause failure.
38
6.9. The means for shutting down the reactor shall consist of at least two diverse
and independent systems.
6.10. At least one of the two different shutdown systems shall be capable, on its
own, of maintaining the reactor subcritical by an adequate margin and with high
reliability, even for the most reactive conditions of the reactor core.
6.11. The means of shutdown shall be adequate to prevent any foreseeable
increase in reactivity leading to unintentional criticality during the shutdown, or
during refuelling operations or other routine or non-routine operations in the
shutdown state.
6.12. Instrumentation shall be provided and tests shall be specified for ensuring
that the means of shutdown are always in the state stipulated for a given plant
state.
REACTOR COOLANT SYSTEMS
Requirement 47: Design of reactor coolant systems
The components of the reactor coolant systems for the nuclear power plant
shall be designed and constructed so that the risk of faults due to inadequate
quality of materials, inadequate design standards, insufficient capability for
inspection or inadequate quality of manufacture is minimized.
6.13. Pipework connected to the pressure boundary of the reactor coolant systems
for the nuclear power plant shall be equipped with adequate isolation devices to
limit any loss of radioactive fluid (primary coolant) and to prevent the loss of
coolant through interfacing systems.
6.14. The design of the reactor coolant pressure boundary shall be such that flaws
are very unlikely to be initiated, and any flaws that are initiated would propagate
in a regime of high resistance to unstable fracture and to rapid crack propagation,
thereby permitting the timely detection of flaws.
6.15. The design of the reactor coolant systems shall be such as to ensure that
plant states in which components of the reactor coolant pressure boundary could
exhibit embrittlement are avoided.
39
6.16. The design of the components contained inside the reactor coolant pressure
boundary, such as pump impellers and valve parts, shall be such as to minimize
the likelihood of failure and consequential damage to other components of the
primary coolant system that are important to safety, in all operational states and in
design basis accident conditions, with due allowance made for deterioration that
might occur in service.
Requirement 48: Overpressure protection of the reactor coolant pressure
boundary
Provision shall be made to ensure that the operation of pressure relief
devices will protect the pressure boundary of the reactor coolant systems
against overpressure and will not lead to the release of radioactive material
from the nuclear power plant directly to the environment.
Requirement 49: Inventory of reactor coolant
Provision shall be made for controlling the inventory, temperature and
pressure of the reactor coolant to ensure that specified design limits are not
exceeded in any operational state of the nuclear power plant, with due
account taken of volumetric changes and leakage.
Requirement 50: Cleanup of reactor coolant
Adequate facilities shall be provided at the nuclear power plant for the
removal from the reactor coolant of radioactive substances, including
activated corrosion products and fission products deriving from the fuel, and
non-radioactive substances.
6.17. The capabilities of the necessary plant systems shall be based on the
specified design limit on permissible leakage of the fuel, with a conservative
margin to ensure that the plant can be operated with a level of circuit activity that
is as low as reasonably practicable, and to ensure that the requirements are met
for radioactive releases to be as low as reasonably achievable and below the
authorized limits on discharges.
Requirement 51: Removal of residual heat from the reactor core
Means shall be provided for the removal of residual heat from the reactor
core in the shutdown state of the nuclear power plant such that the design
40
limits for fuel, the reactor coolant pressure boundary and structures
important to safety are not exceeded.
Requirement 52: Emergency cooling of the reactor core
Means of cooling the reactor core shall be provided to restore and maintain
cooling of the fuel under accident conditions at the nuclear power plant even
if the integrity of the pressure boundary of the primary coolant system is not
maintained.
6.18. The means provided for cooling of the reactor core shall be such as to
ensure that:
(a) The limiting parameters for the cladding or for integrity of the fuel (such as
temperature) will not be exceeded;
(b) Possible chemical reactions are kept to an acceptable level;
(c) The effectiveness of the means of cooling of the reactor core compensates for
possible changes in the fuel and in the internal geometry of the reactor core;
(d) Cooling of the reactor core will be ensured for a sufficient time.
6.19. Design features (such as leak detection systems, appropriate interconnections
and capabilities for isolation) and suitable redundancy and diversity shall be
provided to fulfil the requirements of para. 6.18 with adequate reliability for each
postulated initiating event.
Requirement 53: Heat transfer to an ultimate heat sink
Systems shall be provided to transfer residual heat from items important to
safety at the nuclear power plant to an ultimate heat sink. This function shall
be carried out with very high levels of reliability for all plant states.
CONTAINMENT STRUCTURE AND CONTAINMENT SYSTEM
Requirement 54: Containment system for the reactor
A containment system shall be provided to ensure, or to contribute to, the
fulfilment of the following safety functions at the nuclear power plant:
(i) confinement of radioactive substances in operational states and in
accident conditions, (ii) protection of the reactor against natural external
41
events and human induced events and (iii) radiation shielding in operational
states and in accident conditions.
Requirement 55: Control of radioactive releases from the containment
The design of the containment shall be such as to ensure that any release of
radioactive material from the nuclear power plant to the environment is as
low as reasonably achievable, is below the authorized limits on discharges in
operational states and is below acceptable limits in accident conditions.
6.20. The containment structure and the systems and components affecting the
leaktightness of the containment system shall be designed and constructed so that
the leak rate can be tested after all penetrations through the containment have
been installed and, if necessary, during the operating lifetime of the plant, so that
the leak rate can be tested at the containment design pressure.
6.21. The number of penetrations through the containment shall be kept to a
practical minimum and all penetrations shall meet the same design requirements
as the containment structure itself. The penetrations shall be protected against
reaction forces caused by pipe movement or accidental loads such as those due to
missiles caused by external or internal events, jet forces and pipe whip.
Requirement 56: Isolation of the containment
Each line that penetrates the containment at a nuclear power plant as part of
the reactor coolant pressure boundary or that is connected directly to the
containment atmosphere shall be automatically and reliably sealable in the
event of an accident in which the leaktightness of the containment is essential
to preventing radioactive releases to the environment that exceed acceptable
limits.
6.22. Lines that penetrate the containment as part of the reactor coolant pressure
boundary and lines that are connected directly to the containment atmosphere
shall be fitted with at least two adequate containment isolation valves or check
valves arranged in series
11
and shall be provided with suitable leak detection
systems. Containment isolation valves or check valves shall be located as close to
11
In most cases, one containment isolation valve or check valve is outside the
containment and the other is inside the containment. Other arrangements might be acceptable,
however, depending on the design.
42
the containment as is practicable, and each valve shall be capable of reliable and
independent actuation and of being periodically tested.
6.23. Exceptions to the requirements for containment isolation stated in para.
6.22 shall be permissible for specific classes of lines such as instrumentation
lines, or in cases in which application of the methods of containment isolation
specified in para. 6.22 would reduce the reliability of a safety system that
includes a penetration of the containment.
6.24. Each line that penetrates the containment and is neither part of the reactor
coolant pressure boundary nor connected directly to the containment atmosphere
shall have at least one adequate containment isolation valve. The containment
isolation valves shall be located outside the containment and as close to the
containment as is practicable.
Requirement 57: Access to the containment
Access by operating personnel to the containment at a nuclear power plant
shall be through airlocks equipped with doors that are interlocked to ensure
that at least one of the doors is closed during reactor power operation and in
accident conditions.
6.25. Where provision is made for entry of operating personnel for surveillance
purposes, provision for ensuring protection and safety for operating personnel
shall be specified in the design. Where equipment airlocks are provided,
provision for ensuring protection and safety for operating personnel shall be
specified in the design.
6.26. Containment openings for the movement of equipment or material through
the containment shall be designed to be closed quickly and reliably in the event
that isolation of the containment is required.
Requirement 58: Control of containment conditions
Provision shall be made to control the pressure and temperature in the
containment at a nuclear power plant and to control any buildup of fission
products or other gaseous, liquid or solid substances that might be released
inside the containment and that could affect the operation of systems
important to safety.
43
6.27. The design shall provide for sufficient flow routes between separate
compartments inside the containment. The cross-sections of openings between
compartments shall be of such dimensions as to ensure that the pressure
differentials occurring during pressure equalization in accident conditions do not
result in unacceptable damage to the pressure bearing structure or to systems that
are important in mitigating the effects of accident conditions.
6.28. The capability to remove heat from the containment shall be ensured, in
order to reduce the pressure and temperature in the containment, and to maintain
them at acceptably low levels after any accidental release of high energy fluids.
The systems performing the function of removal of heat from the containment
shall have sufficient reliability and redundancy to ensure that this function can be
fulfilled.
6.29. Design features to control fission products, hydrogen, oxygen and other
substances that might be released into the containment shall be provided as
necessary:
(a) To reduce the amounts of fission products that could be released to the
environment in accident conditions;
(b) To control the concentrations of hydrogen, oxygen and other substances in the
containment atmosphere in accident conditions so as to prevent deflagration
or detonation loads that could challenge the integrity of the containment.
6.30. Coverings, thermal insulations and coatings for components and structures
within the containment system shall be carefully selected and methods for their
application shall be specified to ensure the fulfilment of their safety functions and
to minimize interference with other safety functions in the event of deterioration
of the coverings, thermal insulations and coatings.
INSTRUMENTATION AND CONTROL SYSTEMS
Requirement 59: Provision of instrumentation
Instrumentation shall be provided for determining the values of all the main
variables that can affect the fission process, the integrity of the reactor core,
the reactor coolant systems and the containment at the nuclear power plant,
for obtaining essential information on the plant that is necessary for its safe
and reliable operation, for determining the status of the plant in accident
conditions and for making decisions for the purposes of accident management.
44
6.31. Instrumentation and recording equipment shall be provided to ensure that
essential information is available for monitoring the status of essential equipment
and the course of accidents, for predicting the locations of release and the amount
of radioactive material that could be released from the locations that are so
intended in the design, and for post-accident analysis.
Requirement 60: Control systems
Appropriate and reliable control systems shall be provided at the nuclear
power plant to maintain and limit the relevant process variables within the
specified operational ranges.
Requirement 61: Protection system
A protection system shall be provided at the nuclear power plant that has the
capability to detect unsafe plant conditions and to initiate safety actions
automatically to actuate the safety systems necessary for achieving and
maintaining safe plant conditions.
6.32. The protection system shall be designed:
(a) To be capable of overriding unsafe actions of the control system;
(b) With fail-safe characteristics to achieve safe plant conditions in the event of
failure of the protection system.
6.33. The design:
(a) Shall prevent operator actions that could compromise the effectiveness of
the protection system in operational states and in accident conditions, but
not counteract correct operator actions in accident conditions;
(b) Shall automate various safety actions to actuate safety systems so that
operator action is not necessary within a justified period of time from the
onset of anticipated operational occurrences or accident conditions;
(c) Shall make relevant information available to the operator for monitoring the
effects of automatic actions.
Requirement 62: Reliability and testability of instrumentation and control
systems
Instrumentation and control systems for items important to safety at the
nuclear power plant shall be designed for high functional reliability and
45
periodic testability commensurate with the safety function(s) to be
performed.
6.34. Design techniques such as testability, including a self-checking capability
where necessary, fail-safe characteristics, functional diversity and diversity in
component design and in concepts of operation shall be used to the extent
practicable to prevent loss of a safety function.
6.35. Safety systems shall be designed to permit periodic testing of their
functionality when the plant is in operation, including the possibility of testing
channels independently for the detection of failures and losses of redundancy.
The design shall permit all aspects of functionality testing for the sensor, the input
signal, the final actuator and the display.
6.36. When a safety system, or part of a safety system, has to be taken out of
service for testing, adequate provision shall be made for the clear indication of
any protection system bypasses that are necessary for the duration of the testing
or maintenance activities.
Requirement 63: Use of computer based equipment in systems important to
safety
If a system important to safety at the nuclear power plant is dependent upon
computer based equipment, appropriate standards and practices for the
development and testing of computer hardware and software shall be
established and implemented throughout the service life of the system, and
in particular throughout the software development cycle. The entire
development shall be subject to a quality management system.
6.37. For computer based equipment in safety systems or safety related systems:
(a) A high quality of, and best practices for, hardware and software shall be
used, in accordance with the importance of the system to safety;
(b) The entire development process, including control, testing and
commissioning of design changes, shall be systematically documented and
shall be reviewable;
(c) An assessment of the equipment shall be undertaken by experts who are
independent of the design team and the supplier team to provide assurance
of its high reliability;
(d) Where safety functions are essential for achieving and maintaining safe
conditions, and the necessary high reliability of the equipment cannot be
46
demonstrated with a high level of confidence, diverse means of ensuring
fulfilment of the safety functions shall be provided;
(e) Common cause failures deriving from software shall be taken into
consideration;
(f) Protection shall be provided against accidental disruption of, or deliberate
interference with, system operation.
Requirement 64: Separation of protection systems and control systems
Interference between protection systems and control systems at the nuclear
power plant shall be prevented by means of separation, by avoiding
interconnections or by suitable functional independence.
6.38. If signals are used in common by both a protection system and any control
system, separation (such as by adequate decoupling) shall be ensured and the
signal system shall be classified as part of the protection system.
Requirement 65: Control room
A control room shall be provided at the nuclear power plant from which the
plant can be safely operated in all operational states, either automatically or
manually, and from which measures can be taken to maintain the plant in a
safe state or to bring it back into a safe state after anticipated operational
occurrences and accident conditions.
6.39. Appropriate measures shall be taken, including the provision of barriers
between the control room at the nuclear power plant and the external
environment, and adequate information shall be provided for the protection of
occupants of the control room against hazards such as high radiation levels
resulting from accident conditions, release of radioactive material, fire, or
explosive or toxic gases.
6.40. Special attention shall be paid to identifying those events, both internal and
external to the control room, that could challenge its continued operation, and the
design shall provide for reasonably practicable measures to minimize the
consequences of such events.
Requirement 66: Supplementary control room
Instrumentation and control equipment shall be kept available, preferably
at a single location (a supplementary control room) that is physically,
47
electrically and functionally separate from the control room at the nuclear
power plant. The supplementary control room shall be so equipped that the
reactor can be placed and maintained in a shutdown state, residual heat can
be removed, and essential plant variables can be monitored if there is a loss
of ability to perform these essential safety functions in the control room.
6.41. The requirements of para. 6.39 for taking appropriate measures and
providing adequate information for the protection of occupants against hazards
also apply for the supplementary control room at the nuclear power plant.
Requirement 67: Emergency control centre
An on-site emergency control centre, separate from both the plant control
room and the supplementary control room, shall be provided from which an
emergency response can be directed at the nuclear power plant.
6.42. Information about important plant parameters and radiological conditions at
the nuclear power plant and in its immediate surroundings shall be provided in
the on-site emergency control centre. The on-site emergency control centre shall
provide means of communication with the control room, the supplementary
control room and other important locations at the plant, and with on-site and off-
site emergency response organizations. Appropriate measures shall be taken to
protect the occupants of the emergency control centre for a protracted time
against hazards resulting from accident conditions. The emergency control centre
shall include the necessary systems and services to permit extended periods of
occupation and operation by emergency response personnel.
EMERGENCY POWER SUPPLY
Requirement 68: Emergency power supply
The emergency power supply at the nuclear power plant shall be capable of
supplying the necessary power in anticipated operational occurrences and
accident conditions, in the event of the loss of off-site power.
6.43. In the design basis for the emergency power supply at the nuclear power
plant, due account shall be taken of the postulated initiating events and the
associated safety functions to be performed, to determine the requirements for
capability, availability, duration of the required power supply, capacity and
continuity.
48
6.44. The combined means to provide emergency power (such as water, steam or
gas turbines, diesel engines or batteries) shall have a reliability and type that are
consistent with all the requirements of the safety systems to be supplied with
power, and their functional capability shall be testable.
6.45. The design basis for any diesel engine or other prime mover
12
that provides
an emergency power supply to items important to safety shall include:
(a) The capability of the associated fuel oil storage and supply systems to
satisfy the demand within the specified time period;
(b) The capability of the prime mover to start and to function successfully
under all specified conditions and at the required time;
(c) Auxiliary systems of the prime mover, such as coolant systems.
SUPPORTING SYSTEMS AND AUXILIARY SYSTEMS
Requirement 69: Performance of supporting systems and auxiliary systems
The design of supporting systems and auxiliary systems shall be such as to
ensure that the performance of these systems is consistent with the safety
significance of the system or component that they serve at the nuclear power
plant.
Requirement 70: Heat transport systems
Auxiliary systems shall be provided as appropriate to remove heat from
systems and components at the nuclear power plant that are required to
function in operational states and in accident conditions.
6.46. The design of heat transport systems shall be such as to ensure that non-
essential parts of the systems can be isolated.
12
A prime mover is a component (such as a motor, solenoid operator or pneumatic
operator) that converts energy into action when commanded by an actuation device.
49
Requirement 71: Process sampling systems and post-accident sampling
systems
Process sampling systems and post-accident sampling systems shall be
provided for determining, in a timely manner, the concentration of specified
radionuclides in fluid process systems, and in gas and liquid samples taken
from systems or from the environment, in all operational states and in
accident conditions at the nuclear power plant.
6.47. Appropriate means shall be provided at the nuclear power plant for the
monitoring of activity in fluid systems that have the potential for significant
contamination, and for the collection of process samples.
Requirement 72: Compressed air systems
The design basis for any compressed air system that serves an item
important to safety at the nuclear power plant shall specify the quality, flow
rate and cleanness of the air to be provided.
Requirement 73: Air conditioning systems and ventilation systems
Systems for air conditioning, air heating, air cooling and ventilation shall be
provided as appropriate in auxiliary rooms or other areas at the nuclear
power plant to maintain the required environmental conditions for systems
and components important to safety in all plant states.
6.48. Systems shall be provided for the ventilation of buildings at the nuclear
power plant with appropriate capability for the cleaning of air:
(a) To prevent unacceptable dispersion of airborne radioactive substances
within the plant;
(b) To reduce the concentration of airborne radioactive substances to levels
compatible with the need for access by personnel to the area;
(c) To keep the levels of airborne radioactive substances in the plant below
authorized limits and as low as reasonably achievable;
(d) To ventilate rooms containing inert gases or noxious gases without
impairing the capability to control radioactive effluents;
(e) To control releases of gaseous radioactive material to the environment
below the authorized limits on discharges and to keep them as low as
reasonably achievable.
50
6.49. Areas of higher contamination at the plant shall be maintained at a negative
pressure differential (partial vacuum) with respect to areas of lower
contamination and other accessible areas.
Requirement 74: Fire protection systems
Fire protection systems, including fire detection systems and fire
extinguishing systems, fire containment barriers and smoke control systems,
shall be provided throughout the nuclear power plant, with due account
taken of the results of the fire hazard analysis.
6.50. The fire protection systems installed at the nuclear power plant shall be
capable of dealing safely with fire events of the various types that are
postulated.
6.51. Fire extinguishing systems shall be capable of automatic actuation where
appropriate. Fire extinguishing systems shall be designed and located to ensure
that their rupture or spurious or inadvertent operation would not significantly
impair the capability of items important to safety.
6.52. Fire detection systems shall be designed to provide operating personnel
promptly with information on the location and spread of any fires that start.
6.53. Fire detection systems and fire extinguishing systems that are necessary
to protect against a possible fire following a postulated initiating event shall
be appropriately qualified to resist the effects of the postulated initiating
event.
6.54. Non-combustible or fire retardant and heat resistant materials shall be used
wherever practicable throughout the plant, in particular in locations such as the
containment and the control room.
Requirement 75: Lighting systems
Adequate lighting shall be provided in all operational areas of the nuclear
power plant in operational states and in accident conditions.
51
Requirement 76: Overhead lifting equipment
Overhead lifting equipment shall be provided for lifting and lowering items
important to safety at the nuclear power plant, and for lifting and lowering
other items in the proximity of items important to safety.
6.55. The overhead lifting equipment shall be designed so that:
(a) Measures are taken to prevent the lifting of excessive loads;
(b) Conservative design measures are applied to prevent any unintentional
dropping of loads that could affect items important to safety;
(c) The plant layout permits safe movement of the overhead lifting equipment
and of items being transported;
(d) Such equipment can be used only in specified plant states (by means of
safety interlocks on the crane);
(e) Such equipment for use in areas where items important to safety are located
is seismically qualified.
OTHER POWER CONVERSION SYSTEMS
Requirement 77: Steam supply system, feedwater system and turbine generators
The design of the steam supply system, feedwater system and turbine
generators for the nuclear power plant shall be such as to ensure that the
appropriate design limits of the reactor coolant pressure boundary are not
exceeded in operational states or in accident conditions.
6.56. The design of the steam supply system shall provide for appropriately rated
and qualified steam isolation valves capable of closing under the specified
conditions in operational states and in accident conditions.
6.57. The steam supply system and the feedwater systems shall be of sufficient
capacity and shall be designed to prevent anticipated operational occurrences
from escalating to accident conditions.
6.58. The turbine generators shall be provided with appropriate protection such
as overspeed protection and vibration protection, and measures shall be taken to
minimize the possible effects of turbine generated missiles on items important to
safety.
52
TREATMENT OF RADIOACTIVE EFFLUENTS
AND RADIOACTIVE WASTE
Requirement 78: Systems for treatment and control of waste
Systems shall be provided for treating solid radioactive waste and liquid
radioactive waste at the nuclear power plant to keep the amounts and
concentrations of radioactive releases below the authorized limits on
discharges and as low as reasonably achievable.
6.59. Systems and facilities shall be provided for the management and storage of
radioactive waste on the nuclear power plant site for a period of time consistent
with the availability of the relevant disposal option.
6.60. The design of the plant shall incorporate appropriate features to facilitate
the movement, transport and handling of radioactive waste. Consideration shall
be given to the provision of access to facilities and to capabilities for lifting and
for packaging.
Requirement 79: Systems for treatment and control of effluents
Systems shall be provided at the nuclear power plant for treating liquid and
gaseous radioactive effluents to keep their amounts below the authorized
limits on discharges and as low as reasonably achievable.
6.61. Liquid and gaseous radioactive effluents shall be treated at the plant so that
exposure of members of the public due to discharges to the environment is as low
as reasonably achievable.
6.62. The design of the plant shall incorporate suitable means to keep the release
of radioactive liquids to the environment as low as reasonably achievable and to
ensure that radioactive releases remain below the authorized limits on discharges.
6.63. The cleanup equipment for the gaseous radioactive substances shall provide
the necessary retention factor to keep radioactive releases below the authorized
limits on discharges. Filter systems shall be designed so that their efficiency can
be tested, their performance and function can be regularly monitored over their
service life, and filter cartridges can be replaced while maintaining the
throughput of air.
53
FUEL HANDLING AND STORAGE SYSTEMS
Requirement 80: Fuel handling and storage systems
Fuel handling and storage systems shall be provided at the nuclear power
plant to ensure that the integrity and properties of the fuel are maintained at
all times during fuel handling and storage.
6.64. The design of the plant shall incorporate appropriate features to facilitate
the lifting, movement and handling of fresh fuel and spent fuel.
6.65. The design of the plant shall be such as to prevent any significant damage to
items important to safety during the transfer of fuel or casks, or in the event of
fuel or casks being dropped.
6.66. The fuel handling and storage systems for irradiated and non-irradiated fuel
shall be designed:
(a) To prevent criticality by a specified margin, by physical means or by means
of physical processes, and preferably by use of geometrically safe
configurations, even under conditions of optimum moderation;
(b) To permit inspection of the fuel;
(c) To permit maintenance, periodic inspection and testing of components
important to safety;
(d) To prevent damage to the fuel;
(e) To prevent the dropping of fuel in transit;
(f) To provide for the identification of individual fuel assemblies;
(g) To provide proper means for meeting the relevant requirements for
radiation protection;
(h) To ensure that adequate operating procedures and a system of accounting
for, and control of, nuclear fuel can be implemented to prevent any loss of,
or loss of control over, nuclear fuel.
6.67. In addition, the fuel handling and storage systems for irradiated fuel shall be
designed:
(a) To permit adequate removal of heat from the fuel in operational states and
in accident conditions;
(b) To prevent the dropping of spent fuel in transit;
(c) To prevent causing unacceptable handling stresses on fuel elements or fuel
assemblies;
54
(d) To prevent the potentially damaging dropping on the fuel of heavy objects
such as spent fuel casks, cranes or other objects;
(e) To permit safe keeping of suspect or damaged fuel elements or fuel
assemblies;
(f) To control levels of soluble absorber if this is used for criticality safety;
(g) To facilitate maintenance and future decommissioning of fuel handling and
storage facilities;
(h) To facilitate decontamination of fuel handling and storage areas and
equipment when necessary;
(i) To accommodate, with adequate margins, all the fuel removed from the
reactor in accordance with the strategy for core management that is foreseen
and the amount of fuel in the full reactor core;
(j) To facilitate the removal of fuel from storage and its preparation for off-site
transport.
6.68. For reactors using a water pool system for fuel storage, the design of the
plant shall include the following:
(a) Means for controlling the temperature, water chemistry and activity of any
water in which irradiated fuel is handled or stored;
(b) Means for monitoring and controlling the water level in the fuel storage
pool and means for detecting leakage;
(c) Means for preventing the uncovering of fuel assemblies in the pool in the
event of a pipe break (i.e. anti-siphon measures).
RADIATION PROTECTION
Requirement 81: Design for radiation protection
Provision shall be made for ensuring that doses to operating personnel at the
nuclear power plant will be maintained below the dose limits and will be
kept as low as reasonably achievable, and that the relevant dose constraints
will be taken into consideration.
6.69. Radiation sources throughout the plant shall be comprehensively identified,
and exposures and radiation risks associated with them shall be kept as low as
reasonably achievable (see footnote 4), the integrity of the fuel cladding shall be
maintained, and the generation and transport of corrosion products and activation
products shall be controlled.
55
6.70. Materials used in the manufacture of structures, systems and components
shall be selected to minimize activation of the material as far as is reasonably
practicable.
6.71. For the purposes of radiation protection, provision shall be made for
preventing the release or the dispersion of radioactive substances, radioactive
waste and contamination at the plant.
6.72. The plant layout shall be such as to ensure that access of operating
personnel to areas with radiation hazards and areas of possible contamination is
adequately controlled, and that exposures and contamination are prevented or
reduced by this means and by means of ventilation systems.
6.73. The plant shall be divided into zones that are related to their expected
occupancy, and to radiation levels and contamination levels in operational states
(including refuelling, maintenance and inspection) and to potential radiation
levels and contamination levels in accident conditions. Shielding shall be
provided so that radiation exposure is prevented or reduced.
6.74. The plant layout shall be such that the doses received by operating
personnel during normal operation, refuelling, maintenance and inspection can be
kept as low as reasonably achievable, and due account shall be taken of the
necessity for any special equipment to be provided to meet these requirements.
6.75. Plant equipment subject to frequent maintenance or manual operation shall
be located in areas of low dose rate to reduce the exposure of workers.
6.76. Facilities shall be provided for the decontamination of operating personnel
and plant equipment.
Requirement 82: Means of radiation monitoring
Equipment shall be provided at the nuclear power plant to ensure that there is
adequate radiation monitoring in operational states and design basis accident
conditions and, as far as is practicable, in design extension conditions.
6.77. Stationary dose rate meters shall be provided for monitoring local radiation
dose rates at plant locations that are routinely accessible by operating personnel
and where the changes in radiation levels in operational states could be such that
access is allowed only for certain specified periods of time.
56
6.78. Stationary dose rate meters shall be installed to indicate the general radiation
levels at suitable plant locations in accident conditions. The stationary dose rate
meters shall provide sufficient information in the control room or in the appropriate
control position that operating personnel can initiate corrective action if necessary.
6.79. Stationary monitors shall be provided for measuring the activity of
radioactive substances in the atmosphere in those areas routinely occupied by
operating personnel and where the levels of activity of airborne radioactive
substances might be such as to necessitate protective measures. These systems
shall provide an indication in the control room or in other appropriate locations
when a high activity concentration of radionuclides is detected. Monitors shall
also be provided in areas subject to possible contamination as a result of
equipment failure or other unusual circumstances.
6.80. Stationary equipment and laboratory facilities shall be provided for
determining, in a timely manner, the concentrations of selected radionuclides in
fluid process systems, and in gas and liquid samples taken from plant systems or
from the environment, in operational states and in accident conditions.
6.81. Stationary equipment shall be provided for monitoring radioactive effluents
and effluents with possible contamination prior to or during discharges from the
plant to the environment.
6.82. Instruments shall be provided for measuring surface contamination.
Stationary monitors (e.g. portal radiation monitors, hand and foot monitors) shall
be provided at the main exit points from controlled areas and supervised areas to
facilitate the monitoring of operating personnel and equipment.
6.83. Facilities shall be provided for monitoring for exposure and contamination
of operating personnel. Processes shall be put in place for assessing and for
recording the cumulative doses to workers over time.
6.84. Arrangements shall be made to assess exposures and other radiological
impacts, if any, in the vicinity of the plant by environmental monitoring of dose
rates or activity concentrations, with particular reference to:
(a) Exposure pathways to people, including the food chain;
(b) Radiological impacts, if any, on the local environment;
(c) The possible buildup, and accumulation in the environment, of radioactive
substances;
(d) The possibility of there being any unauthorized routes for radioactive releases.
57
REFERENCES
[1] EUROPEAN ATOMIC ENERGY COMMUNITY, FOOD AND AGRICULTURE
ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ATOMIC
ENERGY AGENCY, INTERNATIONAL LABOUR ORGANIZATION,
INTERNATIONAL MARITIME ORGANIZATION, OECD NUCLEAR ENERGY
AGENCY, PAN AMERICAN HEALTH ORGANIZATION, UNITED NATIONS
ENVIRONMENT PROGRAMME, WORLD HEALTH ORGANIZATION,
Fundamental Safety Principles, IAEA Safety Standards Series No. SF-1, IAEA,
Vienna (2006).
[2] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Assessment for Facilities
and Activities, IAEA Safety Standards Series No. GSR Part 4, IAEA, Vienna (2009).
[3] INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA Safety Glossary:
Terminology Used in Nuclear Safety and Radiation Protection (2007 Edition), IAEA,
Vienna (2007).
[4] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants:
Commissioning and Operation, IAEA Safety Standards Series No. SSR-2/2, IAEA,
Vienna (2011).
[5] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in
Nuclear Safety, INSAG-10, IAEA, Vienna (1996).
[6] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Basic Safety
Principles for Nuclear Power Plants, 75-INSAG-3 Rev. 1, INSAG-12, IAEA, Vienna
(1999).
[7] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Maintaining the
Design Integrity of Nuclear Installations throughout their Operating Life, INSAG-19,
IAEA, Vienna (2003).
[8] INTERNATIONAL ATOMIC ENERGY AGENCY, The Management System for
Facilities and Activities, IAEA Safety Standards Series No. GS-R-3, IAEA, Vienna
(2006).
[9] INTERNATIONAL ATOMIC ENERGY AGENCY, Radiation Protection and Safety of
Radiation Sources: International Basic Safety Standards (Interim Edition), IAEA Safety
Standards Series No. GSR Part 3, IAEA, Vienna (2011).
[10] INTERNATIONAL ATOMIC ENERGY AGENCY, Site Evaluation for Nuclear
Installations, IAEA Safety Standards Series No. NS-R-3, IAEA, Vienna (2003).
.
59
DEFINITIONS
The following definitions differ from those in the IAEA Safety Glossary
(2007 Edition).
controlled state
Plant state, following an anticipated operational occurrence or accident
conditions, in which the fundamental safety functions can be ensured and which
can be maintained for a time sufficient to implement provisions to reach a safe
state.
plant states (considered in design)
accident conditions
Deviations from normal operation that are less frequent and more severe
than anticipated operational occurrences, and which include design basis
accidents and design extension conditions.
design basis accident
An accident causing accident conditions for which a facility is designed in
accordance with established design criteria and conservative methodology,
and for which releases of radioactive material are kept within acceptable
limits.
[beyond design basis accident]
This term is superseded by design extension conditions.
Operational states Accident conditions
Normal operation
Anticipated
operational
occurrences
Design basis
accidents
Design extension
conditions
60
design extension conditions
Accident conditions that are not considered for design basis accidents, but
that are considered in the design process of the facility in accordance with
best estimate methodology, and for which releases of radioactive material
are kept within acceptable limits. Design extension conditions could
include severe accident conditions.
safe state
Plant state, following an anticipated operational occurrence or accident
conditions, in which the reactor is subcritical and the fundamental safety
functions can be ensured and maintained stable for a long time.
safety feature for design extension conditions
Item designed to perform a safety function or which has a safety function in
design extension conditions.
safety system settings
The levels at which safety systems are automatically actuated in the event of
anticipated operational occurrences or design basis accidents, to prevent safety
limits from being exceeded.
61
CONTRIBUTORS TO DRAFTING AND REVIEW
Antalik, R. Nuclear Regulatory Authority of the Slovak Republic,
Slovakia
Aza, Z.M. Atomic Energy Agency Organization of Iran,
Islamic Republic of Iran
Borysova, I. World Nuclear Association
Buttery, N. British Energy Generation Ltd, United Kingdom
Carluec, B. AREVA, France
Cowley, J.S. Consultant, United Kingdom
Downing, D.J. Pebble Bed Modular Reactor, South Africa
El-Shanawany, M. International Atomic Energy Agency
Englebert, B. Suez-Tractebel, Belgium
Evrad, J.M. Institut de radioprotection et de sûreté nucléaire, France
Fiorini, G.L. Commissariat à l’énergie atomique, France
Froehmel, T. World Nuclear Association
Gasparini, M. International Atomic Energy Agency
Ghadge, S.G. Nuclear Power Corporation of India Ltd, India
Harwood, C. Canadian Nuclear Safety Commission, Canada
Järvinen, M.L. Radiation and Nuclear Safety Authority, Finland
Kajimoto, M. Japan Nuclear Energy Safety Organization, Japan
Kurkowski, L. EDF-SEPTEN, France
Le Cann, G. Federal Authority for Nuclear Regulation,
United Arab Emirates
62
Matsumoto, T. Japan Nuclear Energy Safety Organization, Japan
Mertins, M. Gesellschaft für Anlagen- und Reaktorsicherheit mbH,
Germany
Ohshima, T. Nuclear and Industrial Safety Agency, Japan
Pabarcius, R. Lithuanian Energy Institute, Lithuania
Perez, J.R. Autorité de sûreté nucléaire, France
Semenas, R. State Nuclear Power Safety Inspectorate, Lithuania
Thadani, A. Nuclear Regulatory Commission,
United States of America
Toth, C. International Atomic Energy Agency
Tronea, M. National Commission for Nuclear Activities Control,
Romania
Uhrik, P. Nuclear Regulatory Authority of the Slovak Republic,
Slovakia
Valtonen, K. Radiation and Nuclear Safety Authority, Finland
Vaughan, G.J. Nuclear Installations Inspectorate, United Kingdom
Wassilew, C. Federal Ministry for the Environment,
Nature Conservation and Nuclear Safety, Germany
Yashimura, K. Secretariat of the Nuclear Safety Commission, Japan
Zaiss, W. FORATOM, Belgium
Zemdegs, R. Atomic Energy of Canada Ltd, Canada
Ziakova, M. Nuclear Regulatory Authority of the Slovak Republic,
Slovakia
63
BODIES FOR THE ENDORSEMENT
OF IAEA SAFETY STANDARDS
An asterisk denotes a corresponding member. Corresponding members receive
drafts for comment and other documentation but they do not generally participate
in meetings. Two asterisks denote an alternate.
Commission on Safety Standards
Argentina: González, A.J.; Australia: Loy, J.; Belgium: Samain, J.-P.; Brazil:
Vinhas, L.A.; Canada: Jammal, R.; China: Liu Hua; Egypt: Barakat, M.; Finland:
Laaksonen, J.; France: Lacoste, A.-C. (Chairperson); Germany: Majer, D.; India:
Sharma, S.K.; Israel: Levanon, I.; Japan: Fukushima, A.; Korea, Republic of:
Choul-Ho Yun; Lithuania: Maksimovas, G.; Pakistan: Rahman, M.S.; Russian
Federation: Adamchik, S.; South Africa: Magugumela, M.T.; Spain: Barceló
Vernet, J.; Sweden: Larsson, C.M.; Ukraine: Mykolaichuk, O.; United Kingdom:
Weightman, M.; United States of America: Virgilio, M.; Vietnam: Le-chi Dung;
IAEA: Delattre, D. (Coordinator); Advisory Group on Nuclear Security:
Hashmi, J.A.; European Commission: Faross, P.; International Nuclear Safety
Group: Meserve, R.; International Commission on Radiological Protection:
Holm, L.-E.; OECD Nuclear Energy Agency: Yoshimura, U.; Safety Standards
Committee Chairpersons: Brach, E.W. (TRANSSC); Magnusson, S. (RASSC);
Pather, T. (WASSC); Vaughan, G.J. (NUSSC).
Nuclear Safety Standards Committee
Algeria: Merrouche, D.; Argentina: Waldman, R.; Australia: Le Cann, G.; Austria:
Sholly, S.; Belgium: De Boeck, B.; Brazil: Gromann, A.; *Bulgaria:
Gledachev, Y.; Canada: Rzentkowski, G.; China: Jingxi Li; Croatia: Valčić, I.;
*Cyprus: Demetriades, P.; Czech Republic: Šváb, M.; Egypt: Ibrahim, M.;
Finland: Järvinen, M.-L.; France: Feron, F.; Germany: Wassilew, C.; Ghana:
Emi-Reynolds, G.; *Greece: Camarinopoulos, L.; Hungary: Adorján, F.; India:
Vaze, K.; Indonesia: Antariksawan, A.; Iran, Islamic Republic of:
Asgharizadeh, F.; Israel: Hirshfeld, H.; Italy: Bava, G.; Japan: Kanda, T.; Korea,
Republic of: Hyun-Koon Kim; Libyan Arab Jamahiriya: Abuzid, O.; Lithuania:
Demčenko, M.; Malaysia: Azlina Mohammed Jais; Mexico: Carrera, A.; Morocco:
Soufi, I.; Netherlands: van der Wiel, L.; Pakistan: Habib, M.A.; Poland:
Jurkowski, M.; Romania: Biro, L.; Russian Federation: Baranaev, Y.; Slovakia:
Uhrik, P.; Slovenia: Vojnovič, D.; South Africa: Leotwane, W.; Spain:
Zarzuela, J.; Sweden: Hallman, A.; Switzerland: Flury, P.; Tunisia: Baccouche, S.;
64
Turkey: Bezdegumeli, U.; Ukraine: Shumkova, N.; United Kingdom:
Vaughan, G.J. (Chairperson); United States of America: Mayfield, M.; Uruguay:
Nader, A.; European Commission: Vigne, S.; FORATOM: Fourest, B.;
IAEA: Feige, G. (Coordinator); International Electrotechnical Commission:
Bouard, J.-P.; International Organization for Standardization: Sevestre, B.;
OECD Nuclear Energy Agency: Reig, J.; *World Nuclear Association:
Borysova, I.
Radiation Safety Standards Committee
*Algeria: Chelbani, S.; Argentina: Massera, G.; Australia: Melbourne, A.;
*Austria: Karg, V.; Belgium: van Bladel, L.; Brazil: Rodriguez Rochedo, E.R.;
*Bulgaria: Katzarska, L.; Canada: Clement, C.; China: Huating Yang; Croatia:
Kralik, I.; *Cuba: Betancourt Hernandez, L.; *Cyprus: Demetriades, P.; Czech
Republic: Petrova, K.; Denmark: Øhlenschlæger, M.; Egypt: Hassib, G.M.;
Estonia: Lust, M.; Finland: Markkanen, M.; France: Godet, J.-L.; Germany:
Helming, M.; Ghana: Amoako, J.; *Greece: Kamenopoulou, V.; Hungary:
Koblinger, L.; Iceland: Magnusson, S. (Chairperson); India: Sharma, D.N.;
Indonesia: Widodo, S.; Iran, Islamic Republic of: Kardan, M.R.; Ireland:
Colgan, T.; Israel: Koch, J.; Italy: Bologna, L.; Japan: Kiryu, Y.; Korea, Republic
of: Byung-Soo Lee; *Latvia: Salmins, A.; Libyan Arab Jamahiriya: Busitta, M.;
Lithuania: Mastauskas, A.; Malaysia: Hamrah, M.A.; Mexico: Delgado
Guardado, J.; Morocco: Tazi, S.; Netherlands: Zuur, C.; Norway: Saxebol, G.;
Pakistan: Ali, M.; Paraguay: Romero de Gonzalez, V.; Philippines: Valdezco, E.;
Poland: Merta, A.; Portugal: Dias de Oliveira, A.M.; Romania: Rodna, A.;
Russian Federation: Savkin, M.; Slovakia: Jurina, V.; Slovenia: Sutej, T.; South
Africa: Olivier, J.H.I.; Spain: Amor Calvo, I.; Sweden: Almen, A.; Switzerland:
Piller, G.; *Thailand: Suntarapai, P.; Tunisia: Chékir, Z.; Turkey: Okyar, H.B.;
Ukraine: Pavlenko, T.; United Kingdom: Robinson, I.; United States of America:
Lewis, R.; *Uruguay: Nader, A.; European Commission: Janssens, A.; Food and
Agriculture Organization of the United Nations: Byron, D.; IAEA: Boal, T.
(Coordinator); International Commission on Radiological Protection: Valentin, J.;
International Electrotechnical Commission: Thompson, I.; International Labour
Office: Niu, S.; International Organization for Standardization: Rannou, A.;
International Source Suppliers and Producers Association: Fasten, W.; OECD
Nuclear Energy Agency: Lazo, T.E.; Pan American Health Organization:
Jiménez, P.; United Nations Scientific Committee on the Effects of Atomic
Radiation: Crick, M.; World Health Organization: Carr, Z.; World Nuclear
Association: Saint-Pierre, S.
65
Transport Safety Standards Committee
Argentina: López Vietri, J.; **Capadona, N.M.; Australia: Sarkar, S.; Austria:
Kirchnawy, F.; Belgium: Cottens, E.; Brazil: Xavier, A.M.; Bulgaria:
Bakalova, A.; Canada: Régimbald, A.; China: Xiaoqing Li; Croatia:
Belamarić, N.; *Cuba: Quevedo Garcia, J.R.; *Cyprus: Demetriades, P.; Czech
Republic: Ducháček, V.; Denmark: Breddam, K.; Egypt: El-Shinawy, R.M.K.;
Finland: Lahkola, A.; France: Landier, D.; Germany: Rein, H.; *Nitsche, F.;
**Alter, U.; Ghana: Emi-Reynolds, G.; *Greece: Vogiatzi, S.; Hungary: Sáfár, J.;
India: Agarwal, S.P.; Indonesia: Wisnubroto, D.; Iran, Islamic Republic of:
Eshraghi, A.; *Emamjomeh, A.; Ireland: Duffy, J.; Israel: Koch, J.; Italy:
Trivelloni, S.; **Orsini, A.; Japan: Hanaki, I.; Korea, Republic of: Dae-Hyung
Cho; Libyan Arab Jamahiriya: Kekli, A.T.; Lithuania: Statkus, V.; Malaysia:
Sobari, M.P.M.; **Husain, Z.A.; Mexico: Bautista Arteaga, D.M.; **Delgado
Guardado, J.L.; *Morocco: Allach, A.; Netherlands: Ter Morshuizen, M.; *New
Zealand: Ardouin, C.; Norway: Hornkjøl, S.; Pakistan: Rashid, M.; *Paraguay:
More Torres, L.E.; Poland: Dziubiak, T.; Portugal: Buxo da Trindade, R.; Russian
Federation: Buchelnikov, A.E.; South Africa: Hinrichsen, P.; Spain: Zamora
Martin, F.; Sweden: Häggblom, E.; **Svahn, B.; Switzerland: Krietsch, T.;
Thailand: Jerachanchai, S.; Turkey: Ertürk, K.; Ukraine: Lopatin, S.; United
Kingdom: Sallit, G.; United States of America: Boyle, R.W.; Brach, E.W.
(Chairperson); Uruguay: Nader, A.; *Cabral, W.; European Commission: Binet, J.;
IAEA: Stewart, J.T. (Coordinator); International Air Transport Association:
Brennan, D.; International Civil Aviation Organization: Rooney, K.; International
Federation of Air Line Pilots’ Associations: Tisdall, A.; **Gessl, M.; International
Maritime Organization: Rahim, I.; International Organization for
Standardization: Malesys, P.; International Source Supplies and Producers
Association: Miller, J.J.; **Roughan, K.; United Nations Economic Commission
for Europe: Kervella, O.; Universal Postal Union: Bowers, D.G.; World Nuclear
Association: Gorlin, S.; World Nuclear Transport Institute: Green, L.
Waste Safety Standards Committee
Algeria: Abdenacer, G.; Argentina: Biaggio, A.; Australia: Williams, G.; *Austria:
Fischer, H.; Belgium: Blommaert, W.; Brazil: Tostes, M.; *Bulgaria:
Simeonov, G.; Canada: Howard, D.; China: Zhimin Qu; Croatia: Trifunovic, D.;
Cuba: Fernandez, A.; Cyprus: Demetriades, P.; Czech Republic: Lietava, P.;
Denmark: Nielsen, C.; Egypt: Mohamed, Y.; Estonia: Lust, M.; Finland: Hutri, K.;
France: Rieu, J.; Germany: Götz, C.; Ghana: Faanu, A.; Greece: Tzika, F.;
Hungary: Czoch, I.; India: Rana, D.; Indonesia: Wisnubroto, D.; Iran, Islamic
66
Republic of: Assadi, M.; *Zarghami, R.; Iraq: Abbas, H.; Israel: Dody, A.; Italy:
Dionisi, M.; Japan: Matsuo, H.; Korea, Republic of: Won-Jae Park; *Latvia:
Salmins, A.; Libyan Arab Jamahiriya: Elfawares, A.; Lithuania: Paulikas, V.;
Malaysia: Sudin, M.; Mexico: Aguirre Gómez, J.; *Morocco: Barkouch, R.;
Netherlands: van der Shaaf, M.; Pakistan: Mannan, A.; *Paraguay: Idoyaga
Navarro, M.; Poland: Wlodarski, J.; Portugal: Flausino de Paiva, M.; Slovakia:
Homola, J.; Slovenia: Mele, I.; South Africa: Pather, T. (Chairperson); Spain: Sanz
Aludan, M.; Sweden: Frise, L.; Switzerland: Wanner, H.; *Thailand: Supaokit, P.;
Tunisia: Bousselmi, M.; Turkey: Özdemir, T.; Ukraine: Makarovska, O.; United
Kingdom: Chandler, S.; United States of America: Camper, L.; *Uruguay:
Nader, A.; European Commission: Necheva, C.; European Nuclear Installations
Safety Standards: Lorenz, B.; *European Nuclear Installations Safety Standards:
Zaiss, W.; IAEA: Siraky, G. (Coordinator); International Organization for
Standardization: Hutson, G.; International Source Suppliers and Producers
Association: Fasten, W.; OECD Nuclear Energy Agency: Riotte, H.; World
Nuclear Association: Saint-Pierre, S.
@
No. 22
Where to order IAEA pubIications
In the foIIowing countries,$($SXEOLFDWLRQVPD\EHSXUFKDVHGIURPWKHVRXUFHVOLVWHGEHORZ
RUIURPPDMRUORFDOERRNVHOOHUV3D\PHQWPD\EHPDGHLQORFDOFXUUHQF\RUZLWK81(6&2FRXSRQV
AUSTRALIA
'$,QIRUPDWLRQ6HUYLFHV:KLWHKRUVH5RDG0,7&+$0
7HOHSKRQH‡)D[
(PDLOVHUYLFH#GDGLUHFWFRPDX‡:HEVLWHKWWSZZZGDGLUHFWFRPDX
BELGIUM
-HDQGH/DQQR\DYHQXHGX5RL%%UXVVHOV
7HOHSKRQH‡)D[
(PDLOMHDQGHODQQR\#LQIRERDUGEH‡:HEVLWHKWWSZZZMHDQGHODQQR\EH
CANADA
%HUQDQ$VVRFLDWHV)RUEHV%OYG6XLWH/DQKDP0'86$
7HOHSKRQH‡)D[
(PDLOFXVWRPHUFDUH#EHUQDQFRP‡:HEVLWHKWWSZZZEHUQDQFRP
5HQRXI3XEOLVKLQJ&RPSDQ\/WG&DQRWHN5G2WWDZD2QWDULR.--
7HOHSKRQH‡)D[
(PDLORUGHUGHSW#UHQRXIERRNVFRP‡:HEVLWHKWWSZZZUHQRXIERRNVFRP
CHINA
,$($3XEOLFDWLRQVLQ&KLQHVH&KLQD1XFOHDU(QHUJ\,QGXVWU\&RUSRUDWLRQ7UDQVODWLRQ6HFWLRQ32%R[%HLMLQJ
CZECH REPUBLIC
6XZHFR&=652.OHFDNRYD3UDKD
7HOHSKRQH‡)D[
(PDLOQDNXS#VXZHFRF]‡:HEVLWHKWWSZZZVXZHFRF]
FINLAND
$NDWHHPLQHQ.LUMDNDXSSD32%2;.HVNXVNDWX),1+HOVLQNL
7HOHSKRQH‡)D[
(PDLODNDWLODXV#DNDWHHPLQHQFRP‡:HEVLWHKWWSZZZDNDWHHPLQHQFRP
FRANCE
)RUP(GLWUXH-DQVVHQ32%R[)3DULV&HGH[
7HOHSKRQH‡)D[
(PDLOIRUPHGLW#IRUPHGLWIU‡:HEVLWHKWWSZZZIRUPHGLWIU
/DYRLVLHU6$6UXHGH3URYLJQ\&DFKDQ&HGH[
7HOHSKRQH‡)D[
(PDLOURPXDOGYHUULHU#ODYRLVLHUIU‡:HEVLWHKWWSZZZODYRLVLHUIU
GERMANY
8129HUODJ9HUWULHEVXQG9HUODJV*PE+$P+RIJDUWHQ'%RQQ
7HOHSKRQH‡)D[RU
(PDLOEHVWHOOXQJ#XQRYHUODJGH‡:HEVLWHKWWSZZZXQRYHUODJGH
HUNGARY
/LEURWUDGH/WG%RRN,PSRUW32%R[+%XGDSHVW
7HOHSKRQH‡)D[‡(PDLOERRNV#OLEURWUDGHKX
INDIA
$OOLHG3XEOLVKHUV*URXSVW)ORRU'XEDVK+RXVH-1+HUHGLD0DUJ%DOODUG(VWDWH0XPEDL
7HOHSKRQH‡)D[
(PDLODOOLHGSO#YVQOFRP‡:HEVLWHKWWSZZZDOOLHGSXEOLVKHUVFRP
%RRNZHOO1LUDQNDUL&RORQ\'HOKL
7HOHSKRQH‡)D[
(PDLOERRNZHOO#YVQOQHW
ITALY
/LEUHULD6FLHQWL¿FD'RWW/XFLRGL%LDVLR³$(,28´9LD&RURQHOOL,0LODQ
7HOHSKRQHRU‡)D[
(PDLOLQIR#OLEUHULDDHLRXHX‡:HEVLWHZZZOLEUHULDDHLRXHX
JAPAN
0DUX]HQ&RPSDQ\/WG1LKRQEDVKLFKRPH&KXRNX7RN\R
7HOHSKRQH‡)D[
(PDLOMRXUQDO#PDUX]HQFRMS‡:HEVLWHKWWSZZZPDUX]HQFRMS
REPUBLIC OF KOREA
.,16,QF,QIRUPDWLRQ%XVLQHVV'HSW6DPKR%OGJQG)ORRU<DQJ-DHGRQJ6HR&KR*6HRXO
7HOHSKRQH‡)D[‡:HEVLWHKWWSZZZNLQVUHNU
NETHERLANDS
'H/LQGHERRP,QWHUQDWLRQDOH3XEOLFDWLHV%90$GH5X\WHUVWUDDW$1/%=+DDNVEHUJHQ
7HOHSKRQH‡)D[
(PDLOERRNV#GHOLQGHERRPFRP‡:HEVLWHKWWSZZZGHOLQGHERRPFRP
0DUWLQXV1LMKRII,QWHUQDWLRQDO.RUDDOURRG32%R[&==RHWHUPHHU
7HOHSKRQH‡)D[
(PDLOLQIR#QLMKRIIQO‡:HEVLWHKWWSZZZQLMKRIIQO
6ZHWVDQG=HLWOLQJHUEY32%R[6=/LVVH
7HOHSKRQH‡)D[
(PDLOLQIRKR#VZHWVQO‡:HEVLWHKWWSZZZVZHWVQO
NEW ZEALAND
'$,QIRUPDWLRQ6HUYLFHV:KLWHKRUVH5RDG0,7&+$0$XVWUDOLD
7HOHSKRQH‡)D[
(PDLOVHUYLFH#GDGLUHFWFRPDX‡:HEVLWHKWWSZZZGDGLUHFWFRPDX
SLOVENIA
&DQNDUMHYD=DOR]EDGG.RSLWDUMHYD6,/MXEOMDQD
7HOHSKRQH‡)D[
(PDLOLPSRUWERRNV#FDQNDUMHYD]VL‡:HEVLWHKWWSZZZFDQNDUMHYD]VLXYR]
SPAIN
'tD]GH6DQWRV6$F-XDQ%UDYR$(0DGULG
7HOHSKRQH‡)D[
(PDLOFRPSUDV#GLD]GHVDQWRVHVFDUPHOD#GLD]GHVDQWRVHVEDUFHORQD#GLD]GHVDQWRVHVMXOLR#GLD]GHVDQWRVHV
:HEVLWHKWWSZZZGLD]GHVDQWRVHV
UNITED KINGDOM
7KH6WDWLRQHU\2I¿FH/WG,QWHUQDWLRQDO6DOHV$JHQF\32%R[1RUZLFK15*1
7HOHSKRQHRUGHUV‡HQTXLULHV‡)D[
(PDLORUGHUVERRNRUGHUV#WVRFRXN‡HQTXLULHVERRNHQTXLULHV#WVRFRXN‡:HEVLWHKWWSZZZWVRFRXN
2QOLQHRUGHUV
'(/7$,QW%RRN:KROHVDOHUV/WG$OH[DQGUD5RDG$GGOHVWRQH6XUUH\.734
(PDLOLQIR#SURIERRNVFRP‡:HEVLWHKWWSZZZSURIERRNVFRP
%RRNVRQWKH(QYLURQPHQW
(DUWKSULQW/WG32%R[6WHYHQDJH6*73
7HOHSKRQH‡)D[
(PDLORUGHUV#HDUWKSULQWFRP‡:HEVLWHKWWSZZZHDUWKSULQWFRP
UNITED NATIONS
'HSW,5RRP'&)LUVW$YHQXHDWWK6WUHHW1HZ<RUN1<86$
817HOHSKRQHRU‡)D[
(PDLOSXEOLFDWLRQV#XQRUJ‡:HEVLWHKWWSZZZXQRUJ
UNITED STATES OF AMERICA
%HUQDQ$VVRFLDWHV)RUEHV%OYG6XLWH/DQKDP0'
7HOHSKRQH‡)D[
(PDLOFXVWRPHUFDUH#EHUQDQFRPÂ:HEVLWHKWWSZZZEHUQDQFRP
5HQRXI3XEOLVKLQJ&RPSDQ\/WG3URFWRU$YH2JGHQVEXUJ1<
7HOHSKRQHWROOIUHH‡)D[WROOIUHH
(PDLORUGHUGHSW#UHQRXIERRNVFRP‡:HEVLWHKWWSZZZUHQRXIERRNVFRP
Orders and requests for informationPD\DOVREHDGGUHVVHGGLUHFWO\WR
Marketing and SaIes Unit, InternationaI Atomic Energy Agency
9LHQQD,QWHUQDWLRQDO&HQWUH 32%R[9LHQQD$XVWULD
7HOHSKRQHRU‡)D[
(PDLOVDOHVSXEOLFDWLRQV#LDHDRUJ‡:HEVLWHKWWSZZZLDHDRUJERRNV
.
1
1
-
4
2
1
2
1
INTERNATIONAL ATOMIC ENERGY AGENCY
VIENNA
ISBN 978–92 –0–121510–9
ISSN 1020–525X
“Governments, regulatory bodies and operators everywhere must
ensure that nuclear material and radiation sources are used
beneficially, safely and ethically. The IAEA safety standards are
designed to facilitate this, and I encourage all Member States to
make use of them.”
Yukiya Amano
Director General
Safety through international standards
IAEA Safety Standards
Safety of
Nuclear Power Plants:
Design
for protecting people and the environment
No. SSR-2/1
Specific Safety Requirements
I
A
E
A

S
a
f
e
t
y

S
t
a
n
d
a
r
d
s

S
e
r
i
e
s

N
o
.

S
S
R
-
2
/
1
11-42121_P1534_cover.indd 1 2012-02-14 16:55:30

IAEA SAFETY STANDARDS AND RELATED PUBLICATIONS
IAEA SAFETY STANDARDS Under the terms of Article III of its Statute, the IAEA is authorized to establish or adopt standards of safety for protection of health and minimization of danger to life and property, and to provide for the application of these standards. The publications by means of which the IAEA establishes standards are issued in the IAEA Safety Standards Series. This series covers nuclear safety, radiation safety, transport safety and waste safety. The publication categories in the series are Safety Fundamentals, Safety Requirements and Safety Guides. Information on the IAEA’s safety standards programme is available at the IAEA Internet site http://www-ns.iaea.org/standards/ The site provides the texts in English of published and draft safety standards. The texts of safety standards issued in Arabic, Chinese, French, Russian and Spanish, the IAEA Safety Glossary and a status report for safety standards under development are also available. For further information, please contact the IAEA at PO Box 100, 1400 Vienna, Austria. All users of IAEA safety standards are invited to inform the IAEA of experience in their use (e.g. as a basis for national regulations, for safety reviews and for training courses) for the purpose of ensuring that they continue to meet users’ needs. Information may be provided via the IAEA Internet site or by post, as above, or by email to Official.Mail@iaea.org. RELATED PUBLICATIONS The IAEA provides for the application of the standards and, under the terms of Articles III and VIII.C of its Statute, makes available and fosters the exchange of information relating to peaceful nuclear activities and serves as an intermediary among its Member States for this purpose. Reports on safety and protection in nuclear activities are issued as Safety Reports, which provide practical examples and detailed methods that can be used in support of the safety standards. Other safety related IAEA publications are issued as Radiological Assessment Reports, the International Nuclear Safety Group’s INSAG Reports, Technical Reports and TECDOCs. The IAEA also issues reports on radiological accidents, training manuals and practical manuals, and other special safety related publications. Security related publications are issued in the IAEA Nuclear Security Series. The IAEA Nuclear Energy Series comprises informational publications to encourage and assist research on, and the development and practical application of, nuclear energy for peaceful purposes. It includes reports and guides on the status of and advances in technology, and on experience, good practices and practical examples in the areas of nuclear power, the nuclear fuel cycle, radioactive waste management and decommissioning.

SAFETY OF NUCLEAR POWER PLANTS: DESIGN

New York. ISLAMIC REPUBLIC OF IRAQ IRELAND ISRAEL ITALY JAMAICA JAPAN JORDAN KAZAKHSTAN KENYA KOREA. Its principal objective is “to accelerate and enlarge the contribution of atomic energy to peace. The Headquarters of the Agency are situated in Vienna. it entered into force on 29 July 1957. . health and prosperity throughout the world’’. REPUBLIC OF KUWAIT KYRGYZSTAN LAO PEOPLE’S DEMOCRATIC REPUBLIC LATVIA LEBANON LESOTHO LIBERIA LIBYA LIECHTENSTEIN LITHUANIA LUXEMBOURG MADAGASCAR MALAWI MALAYSIA MALI MALTA MARSHALL ISLANDS MAURITANIA MAURITIUS MEXICO MONACO MONGOLIA MONTENEGRO MOROCCO MOZAMBIQUE MYANMAR NAMIBIA NEPAL NETHERLANDS NEW ZEALAND NICARAGUA NIGER NIGERIA NORWAY OMAN PAKISTAN PALAU PANAMA PARAGUAY PERU PHILIPPINES POLAND PORTUGAL QATAR REPUBLIC OF MOLDOVA ROMANIA RUSSIAN FEDERATION SAUDI ARABIA SENEGAL SERBIA SEYCHELLES SIERRA LEONE SINGAPORE SLOVAKIA SLOVENIA SOUTH AFRICA SPAIN SRI LANKA SUDAN SWEDEN SWITZERLAND SYRIAN ARAB REPUBLIC TAJIKISTAN THAILAND THE FORMER YUGOSLAV  REPUBLIC OF MACEDONIA TUNISIA TURKEY UGANDA UKRAINE UNITED ARAB EMIRATES UNITED KINGDOM OF  GREAT BRITAIN AND  NORTHERN IRELAND UNITED REPUBLIC  OF TANZANIA UNITED STATES OF AMERICA URUGUAY UZBEKISTAN VENEZUELA VIETNAM YEMEN ZAMBIA ZIMBABWE The Agency’s Statute was approved on 23 October 1956 by the Conference on the Statute of the IAEA held at United Nations Headquarters.The following States are Members of the International Atomic Energy Agency: AFGHANISTAN ALBANIA ALGERIA ANGOLA ARGENTINA ARMENIA AUSTRALIA AUSTRIA AZERBAIJAN BAHRAIN BANGLADESH BELARUS BELGIUM BELIZE BENIN BOLIVIA BOSNIA AND HERZEGOVINA BOTSWANA BRAZIL BULGARIA BURKINA FASO BURUNDI CAMBODIA CAMEROON CANADA CENTRAL AFRICAN  REPUBLIC CHAD CHILE CHINA COLOMBIA CONGO COSTA RICA CÔTE D’IVOIRE CROATIA CUBA CYPRUS CZECH REPUBLIC DEMOCRATIC REPUBLIC  OF THE CONGO DENMARK DOMINICAN REPUBLIC ECUADOR EGYPT EL SALVADOR ERITREA ESTONIA ETHIOPIA FINLAND FRANCE GABON GEORGIA GERMANY GHANA GREECE GUATEMALA HAITI HOLY SEE HONDURAS HUNGARY ICELAND INDIA INDONESIA IRAN.

IAEA SAFETY STANDARDS SERIES No. Russian and Spanish versions. SSR-2/1 SAFETY OF NUCLEAR POWER PLANTS: DESIGN SPECIFIC SAFETY REQUIREMENTS This publication includes a CD-ROM containing the IAEA Safety Glossary: 2007 Edition (2007) and the Fundamental Safety Principles (2006). Chinese. English. See: http://www-pub. each in Arabic. The CD-ROM is also available for purchase separately. 2012 .iaea.asp INTERNATIONAL ATOMIC ENERGY AGENCY VIENNA. French.org/MTCD/publications/publications.

Permission to use whole or parts of texts contained in IAEA publications in printed or electronic form must be obtained and is usually subject to royalty agreements. Series.COPYRIGHT NOTICE All IAEA scientific and technical publications are protected by the terms of the Universal Copyright Convention as adopted in 1952 (Berne) and as revised in 1972 (Paris). no. The copyright has since been extended by the World Intellectual Property Organization (Geneva) to include electronic and virtual intellectual property.org http://www. 2012 Printed by the IAEA in Austria January 2012 STI/PUB/1534 IAEA Library Cataloguing in Publication Data Safety of nuclear power plants : design : specific safety requirements. 1.publications@iaea. II. ISSN 1020–525X . Proposals for non-commercial reproductions and translations are welcomed and considered on a case-by-case basis. I. Enquiries should be addressed to the IAEA Publishing Section at: Marketing and Sales Unit. Nuclear power plants — Safety regulations. — Vienna : International Atomic Energy Agency.org/books © IAEA. 2012.iaea. 2. p.: +43 1 2600 22417 email: sales. International Atomic Energy Agency. Publishing Section International Atomic Energy Agency Vienna International Centre PO Box 100 1400 Vienna. Nuclear power plants — Management. IAEAL 12–00719 . . Nuclear power plants — Design and construction — Safety measures. — (IAEA safety standards series. SSR-2/1) STI/PUB/1534 ISBN 978–92–0–121510–9 Includes bibliographical references. Austria fax: +43 1 2600 29302 tel. 24 cm. 3.

which represent an international consensus on what must constitute a high level of protection and safety. agriculture and research. and many States have decided to adopt the IAEA’s standards for use in their national regulations. The emphasis placed on quality. The Safety Standards Series now includes unified Fundamental Safety Principles. IAEA standards provide a consistent. reliable means of ensuring the effective fulfilment of obligations under the conventions. The IAEA’s safety services encompass design. and I encourage all Member States to make use of them. The risks associated with ionizing radiation must be assessed and controlled without unduly limiting the contribution of nuclear energy to equitable and sustainable development. The IAEA does this in consultation with the competent organs of the United Nations and with the specialized agencies concerned. . safe transport of radioactive material and safe management of radioactive waste. industry. regulatory matters and safety culture in organizations. the IAEA is working to promote the global acceptance and use of its standards. safely and ethically.FOREWORD by Yukiya Amano Director General The IAEA’s Statute authorizes the Agency to “establish or adopt… standards of safety for protection of health and minimization of danger to life and property” — standards that the IAEA must use in its own operations. as is the IAEA’s assistance in their application. radiation safety. The IAEA commenced its safety standards programme in 1958. For parties to the various international safety conventions. Governments. A comprehensive set of high quality standards under regular review is a key element of a stable and sustainable global safety regime. regulatory bodies and operators everywhere must ensure that nuclear material and radiation sources are used beneficially. These safety services assist Member States in the application of the standards and enable valuable experience and insights to be shared. With the strong support of the Commission on Safety Standards. The standards are also applied by regulatory bodies and operators around the world to enhance safety in nuclear power generation and in nuclear applications in medicine. fitness for purpose and continuous improvement has led to the widespread use of the IAEA standards throughout the world. and which States can apply by means of their regulatory provisions for nuclear and radiation safety. Safety is not an end in itself but a prerequisite for the purpose of the protection of people in all States and of the environment — now and in the future. The IAEA safety standards are designed to facilitate this. as well as governmental organization. Standards are only effective if they are properly applied in practice. Regulating safety is a national responsibility. siting and engineering safety. operational safety.

are kept under regular review by the Secretariat. The Secretariat gathers information on experience in the application of the IAEA standards and information gained from the follow-up of events for the purpose of ensuring that the standards continue to meet users’ needs. Lessons that may be learned from studying the accident at the Fukushima Daiichi nuclear power plant in Japan following the disastrous earthquake and tsunami of 11 March 2011 will be reflected in this IAEA safety standard as revised and issued in the future. reviewing and establishing the IAEA standards involves the IAEA Secretariat and all Member States. The process of developing. . many of which are represented on the four IAEA safety standards committees and the IAEA Commission on Safety Standards.NOTE BY THE SECRETARIAT The IAEA safety standards reflect an international consensus on what constitutes a high level of safety for protecting people and the environment from harmful effects of ionizing radiation. as a key element of the global safety regime. The IAEA standards. The present publication reflects feedback and experience accumulated until 2010 and it has been subject to the rigorous review process for standards. the safety standards committees and the Commission on Safety Standards.

industry and agriculture. Activities such as the medical uses of radiation. Regulating safety is a national responsibility. and international cooperation serves to promote and enhance safety globally by exchanging experience and by improving capabilities to control hazards. ranging from power generation to uses in medicine. the operation of nuclear installations. the production. The IAEA safety standards constitute a useful tool for contracting parties to assess their performance under these international conventions.THE IAEA SAFETY STANDARDS BACKGROUND Radioactivity is a natural phenomenon and natural sources of radiation are features of the environment. and are expected to fulfil their national and international undertakings and obligations. controlled. THE IAEA SAFETY STANDARDS The status of the IAEA safety standards derives from the IAEA’s Statute. standards of safety for protection of health and minimization of danger to life and property. Radiation and radioactive substances have many beneficial applications. are a cornerstone of this global regime. With a view to ensuring the protection of people and the environment from harmful effects of ionizing radiation. which support the implementation of binding international instruments and national safety infrastructures. which authorizes the IAEA to establish or adopt. However. The radiation risks to workers and the public and to the environment that may arise from these applications have to be assessed and. where appropriate. transport and use of radioactive material. radiation risks may transcend national borders. the IAEA safety standards establish . in consultation and. International safety standards also promote and assure confidence in safety and facilitate international commerce and trade. to respond to emergencies and to mitigate any harmful consequences. such as those relating to environmental protection. and the management of radioactive waste must therefore be subject to standards of safety. in collaboration with the competent organs of the United Nations and with the specialized agencies concerned. A global nuclear safety regime is in place and is being continuously improved. to prevent accidents. and to provide for their application. IAEA safety standards. States have an obligation of diligence and duty of care. International safety standards provide support for States in meeting their obligations under general principles of international law. if necessary.

Safety measures and security measures must be designed and implemented in an integrated manner so that security measures do not compromise safety and safety measures do not compromise security.fundamental safety principles. 1). indicating an international consensus that it is necessary to take the measures recommended (or equivalent alternative measures). requirements and measures to control the radiation exposure of people and the release of radioactive material to the environment. measures must be taken to reach or restore the required level of safety. which has three categories (see Fig. Many requirements are not addressed to a specific party. radioactive source or any other source of radiation. Safety measures and security measures1 have in common the aim of protecting human life and health and the environment. Safety Guides Safety Guides provide recommendations and guidance on how to comply with the safety requirements. The format and style of the requirements facilitate their use for the establishment. in a harmonized manner. including nuclear installations. Safety Fundamentals Safety Fundamentals present the fundamental safety objective and principles of protection and safety. Requirements. The standards apply to facilities and activities that give rise to radiation risks. . including numbered ‘overarching’ requirements. Safety Requirements An integrated and consistent set of Safety Requirements establishes the requirements that must be met to ensure the protection of people and the environment. the transport of radioactive material and the management of radioactive waste. The IAEA safety standards reflect an international consensus on what constitutes a high level of safety for protecting people and the environment from harmful effects of ionizing radiation. and provide the basis for the safety requirements. nuclear chain reaction. to restrict the likelihood of events that might lead to a loss of control over a nuclear reactor core. They are issued in the IAEA Safety Standards Series. the implication being that the appropriate parties are responsible for fulfilling them. The Safety 1 See also publications issued in the IAEA Nuclear Security Series. both now and in the future. and to mitigate the consequences of such events if they were to occur. are expressed as ‘shall’ statements. If the requirements are not met. The requirements are governed by the objective and principles of the Safety Fundamentals. the use of radiation and radioactive sources. of a national regulatory framework.

Safe Transport of Radioactive Material Collection of Safety Guides FIG. Legal and Regulatory Framework for Safety Part 2. and increasingly they reflect best practices. Site Evaluation for Nuclear Installations 2.Safety Fundamentals Fundamental Safety Principles General Safety Requirements Part 1. The IAEA safety standards are also used by co-sponsoring organizations and by many organizations that design. construct and operate nuclear facilities. They can be used by States as a reference for their national regulations in respect of facilities and activities. throughout the entire lifetime of all facilities and activities — existing and new — utilized for peaceful purposes and to protective actions to reduce existing radiation risks. to help users striving to achieve high levels of safety. Leadership and Management for Safety Part 3. Safety Assessment for Facilities and Activities Part 5. Predisposal Management of Radioactive Waste Part 6. Emergency Preparedness and Response Specific Safety Requirements 1. as well as organizations involved in the use of radiation and radioactive sources. Radiation Protection and Safety of Radiation Sources Part 4. Decommissioning and Termination of Activities Part 7. APPLICATION OF THE IAEA SAFETY STANDARDS The principal users of safety standards in IAEA Member States are regulatory bodies and other relevant national authorities. Safety of Radioactive Waste Disposal Facilities 6. The recommendations provided in Safety Guides are expressed as ‘should’ statements. Governmental. Safety of Research Reactors 4. as relevant. . Guides present international good practices. The IAEA safety standards are applicable. The long term structure of the IAEA Safety Standards Series. Safety of Nuclear Power Plants 2/1 Design 2/2 Commissioning and Operation 3. Safety of Nuclear Fuel Cycle Facilities 5. 1.

supplemented by international conventions. The requirements established in the IAEA safety standards might not be fully met at some existing facilities that were built to earlier standards. including the development of educational curricula and training courses.The IAEA’s Statute makes the safety standards binding on the IAEA in relation to its own operations and also on States in relation to IAEA assisted operations. All IAEA Member States may nominate experts for the safety standards committees and may provide comments on draft standards. establish a consistent basis for protecting people and the environment. The membership of the Commission on Safety Standards is appointed by the Director General and includes senior governmental officials having responsibility for establishing national standards. however. in particular those addressing aspects of safety in planning or design. The IAEA safety standards also form the basis for the IAEA’s safety review services. revising and establishing the IAEA safety standards. developing. It articulates the mandate of the IAEA. The way in which IAEA safety standards are to be applied to such facilities is a decision for individual States. There will also be some special aspects of safety that need to be assessed at the national level. are intended to apply primarily to new facilities and activities. many of the IAEA safety standards. the safety of radioactive waste (WASSC) and the safe transport of radioactive material (TRANSSC). A management system has been established for the processes of planning. reviewing. for nuclear safety (NUSSC). and they are used by the IAEA in support of competence building. decision makers must also make informed judgements and must determine how best to balance the benefits of an action or an activity against the associated radiation risks and any other detrimental impacts to which it gives rise. radiation safety (RASSC). DEVELOPMENT PROCESS FOR THE IAEA SAFETY STANDARDS The preparation and review of the safety standards involves the IAEA Secretariat and four safety standards committees. The scientific considerations underlying the IAEA safety standards provide an objective basis for decisions concerning safety. industry standards and detailed national requirements. and a Commission on Safety Standards (CSS) which oversees the IAEA safety standards programme (see Fig. 2). International conventions contain requirements similar to those in the IAEA safety standards and make them binding on contracting parties. For example. The IAEA safety standards. the vision for the future application of the .

safety standards. Some safety standards are developed in cooperation with other bodies in the United Nations system or other specialized agencies. the OECD Nuclear Energy Agency. the International Labour Organization. . and corresponding functions and responsibilities. including the Food and Agriculture Organization of the United Nations.Outline and work plan prepared by the Secretariat. the United Nations Environment Programme. review by the safety standards committees and the CSS Secretariat and consultants: drafting of new or revision of existing safety standard Draft Review by safety standards committee(s) Draft Member States Comments Final draft Endorsement by the CSS FIG. 2. are taken into account in developing the IAEA safety standards. INTERACTION WITH OTHER INTERNATIONAL ORGANIZATIONS The findings of the United Nations Scientific Committee on the Effects of Atomic Radiation (UNSCEAR) and the recommendations of international expert bodies. the Pan American Health Organization and the World Health Organization. notably the International Commission on Radiological Protection (ICRP). The process for developing a new safety standard or revising an existing standard. policies and strategies.

Otherwise. procedures or limits and conditions) may be presented in appendices or annexes. of each publication. scope and structure are explained in Section 1. or describes methods of calculation. Annexes and footnotes are not integral parts of the main text.htm). Introduction. material under other authorship may be presented in annexes to the safety standards.iaea. are used to provide practical examples or additional information or explanation. if included.org/standards/safety-glossary. if included. The background and context of each standard in the IAEA Safety Standards Series and its objective.INTERPRETATION OF THE TEXT Safety related terms are to be understood as defined in the IAEA Safety Glossary (see http://www-ns. is considered to form an integral part of the safety standard. material that is subsidiary to or separate from the body text. is included in support of statements in the body text. Material in an appendix has the same status as the body text. the English version of the text is the authoritative version. Annex material published by the IAEA is not necessarily issued under its authorship. Annexes and footnotes to the main text. words are used with the spellings and meanings assigned to them in the latest edition of The Concise Oxford Dictionary. . and the IAEA assumes authorship of it. Material for which there is no appropriate place in the body text (e. For Safety Guides. Extraneous material presented in annexes is excerpted and adapted as necessary to be generally useful.g. An appendix.

. .13). . . . . . 3. . . . . . . . .3–4. . . . . . . . . . . . . . . .19) . . . . . . . . . . . . . .6) . . . Scope (1. . . . . . . . . Requirement 4: Fundamental safety functions (4. . . .7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .CONTENTS 1. . . . . . . . . . . . .2) . . . . . . . . . . .18). . . . . . . . . APPLYING THE SAFETY PRINCIPLES AND CONCEPTS (2. . . . . . . . .5) .5–4. . . . . . . . 4. . . . . . .18). . . . . . . . . . . . . . . . .1–1. . Structure (1. . . . . . . . . . Objective (1. . . . . . . Maintaining the integrity of design of the plant throughout the lifetime of the plant (2. MANAGEMENT OF SAFETY IN DESIGN . . . . . .12–2. . . . . Requirement 12: Features to facilitate radioactive waste management and decommissioning (4. . .14). . .4) . . . . . . . . . . . . . .8) . . . . . . . . . . . . . . . . . . . 1 1 2 2 3 3 4 5 6 8 10 10 10 11 12 12 12 13 14 15 15 16 17 17 . . . .1–4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1) . . . . . . . . . . . . . . . . . 2.6–2. . Requirement 6: Design for a nuclear power plant (4. . . . . . . . . Background (1. . . . . . . . . . . . . . . . . . . . . . . . .1–2. . Safety in design (2. Requirement 9: Proven engineering practices (4. . . . . . . . . . . . . . . PRINCIPAL TECHNICAL REQUIREMENTS . . . . . .20) . . . . . . . . . . . . . . . . .14–4. . . . Requirement 11: Provision for construction (4. . . . . . .4) . Requirement 3: Safety of the plant design throughout the lifetime of the plant (3. Radiation protection (2. . Requirement 1: Responsibilities in the management of safety in plant design (3. . . . . Requirement 7: Application of defence in depth (4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15–2. . . . . . . . . . . . . . . . . . .5–3. . .2–3. . . . . . . . . . . . . . . . . . . . . . . . .4–1. . . . . . . . . . . . . .8–2. . . . . . . . . . . . . . . . .11) . . . . . .8) . . . . . . . . . . . . . . . .3). . . . . . . . . . . . . . . . . . INTRODUCTION . . . . . .16) . . . . . . . . . . . . . . . The concept of defence in depth (2. . . . Requirement 10: Safety assessment (4. . . . . . . . Requirement 8: Interfaces of safety with security and safeguards . . Requirement 2: Management system for plant design (3.5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Requirement 5: Radiation protection (4. . . . . . . . . . . . .9) .9–4. . . . . .6–1. . . . .17–4. . .

36) . . . . . . . . . . .52) . . . . . . . . . . . . . . . . replacement. . . . . . . Requirement 14: Design basis for items important to safety (5. . . . . . . . . . . . . .42–5. .5. . Requirement 31: Ageing management (5. . . . . . . . . . . . . Requirement 24: Common cause failures . . . . . . . . . . . . . . . . . . . . .1–5. . . maintenance. . . . . . . . . . . .48–5.37–5. . . .16–5. . . . . . . . . .38) . . . . . . . .50) .34–5. . Requirement 23: Reliability of items important to safety (5. . . . . . Design for safe operation over the lifetime of the plant . . . . . . . . . . . . . . . . Requirement 19: Design basis accidents (5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Requirement 18: Engineering design rules (5. . . . . . . . . . . . . . . Requirement 17: Internal and external hazards (5. . . . . . . . . . . . . . . . . .53–5. . . . . . . . . . . . . . . . . . . . . . . Requirement 29: Calibration.41) . . . . Human factors . . . . . . .32) . . . . . . . . . . . . . . . . . Other design considerations . . . . . . . . . . . . . . . . . . . . . . . . . Requirement 15: Design limits (5. . .43) . . . . . . . Requirement 21: Physical separation and independence of safety systems (5. . . . . . . . . .45–5. . . . . . . . . . . . . . . . . . . . . . . . 17 17 17 18 18 18 20 22 22 23 25 25 26 26 26 27 27 27 28 28 29 29 30 30 31 31 32 . . . . . . . . . . . . Requirement 28: Operational limits and conditions for safe operation (5. . .44) . . Requirement 30: Qualification of items important to safety (5. . . . .40) . . . . . Requirement 27: Support service systems (5. . . . . . . .22) .26) . . . . . . . . .33) . Requirement 33: Sharing of safety systems between multiple units of a nuclear power plant (5. . . . . . Design basis .47) . . . . . . . .27–5. . . . . . . . . . . . . . . . . . . . . . . .23) .15) . . . . . . . . . . . . . . . . .39–5. . . . . . . . . . . . inspection and monitoring of items important to safety (5. . . . . . . . . . . . . . . . . Requirement 13: Categories of plant states (5. . . . . . . . . . . . . . . . . . . . . . . .3) . . . . .62) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4) . . . . Requirement 20: Design extension conditions (5. . . . . . . Requirement 26: Fail-safe design (5. . . .63) . . . . . . . . . . . . . . . . . . . . .24–5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Requirement 32: Design for optimal operator performance (5. . . . . . . . . . . . . . . . . . . . .51–5. . . . . . . . . . . . . . Requirement 16: Postulated initiating events (5. . . . . . . . . . . . . . . . . . . . . . . GENERAL PLANT DESIGN . . Requirement 34: Systems containing fissile material or radioactive material . . . . . . . . . . repair. Requirement 22: Safety classification (5. . . . . . . . . . . . . . . . .5–5. . . . . . . . . . . . . testing. Requirement 25: Single failure criterion (5. . . . . . . .

. .13–6. . . .1–6.3) . . Requirement 43: Performance of fuel elements and assemblies  (6. . . . . . . . . . . . Requirement 37: Communication systems at the plant (5. . . . . . . . . . . . . . . . . . . . . . . . . . . . heat generation or desalination . . . . . . . . . . . . . . . . . . . . . . . Requirement 45: Control of the reactor core (6. . . . . . . . . . . . . . . .68) .16) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20–6. . . . Requirement 55: Control of radioactive releases from the containment (6. . . Requirement 40: Prevention of harmful interactions of systems important to safety (5. . . . . . . . . . .18–6. . . . . . . . . . . . . . . . . . . . . . . . . .4–6. . . . . . . .66–5. . . . . . . . . . 6. . . . . .7–6. . . . . . . . . . . . . . . . . . . . . . . . .Requirement 35: Nuclear power plants used for cogeneration of heat and power. . . . . .70) . . . . . . . . . . . . . . . . . . . .21) . . . . . . . . . . . . . . . . . . . . . . Safety analysis . . . . . . . Requirement 41: Interactions between the electrical power grid and the plant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Requirement 49: Inventory of reactor coolant . . . . . . . . . . Requirement 36: Escape routes from the plant (5. . . . . Requirement 54: Containment system for the reactor . . . . . . . . . . Requirement 52: Emergency cooling of the reactor core (6. . . . . . Requirement 51: Removal of residual heat from the reactor core . . . . Requirement 46: Reactor shutdown (6. . . . . . . . . . . . . . . . . . . . . . . . . .19) . . . . .71–5. . . . . . . . . . . Requirement 44: Structural capability of the reactor core . . .12) . . . . . . . . . Requirement 38: Control of access to the plant (5. . Reactor coolant systems . .67) . . . . . . . . Requirement 39: Prevention of unauthorized access to. . . . . . . . . . . . . . .17) . . . . . . Requirement 50: Cleanup of reactor coolant (6. . . . . . . . . . . . . . . . . . . . . . . . . or interference with. . . . . . . . . Containment structure and containment system . . . . items important to safety . . . . . . .64–5. . . . . . Requirement 48: Overpressure protection of the reactor coolant pressure boundary . . . . . . . . . . 32 32 32 33 33 33 34 34 34 36 36 36 36 37 37 38 38 39 39 39 39 40 40 40 40 41 . . . . . . . . . . Requirement 47: Design of reactor coolant systems (6. . . . . . . . . . . . . . . . . . . . . . . .69–5. . . . . . . . . . DESIGN OF SPECIFIC PLANT SYSTEMS . . . . . . Reactor core and associated features . . .76). . . Requirement 42: Safety analysis of the plant design (5. . .65) . . . . . . . . . . . . . . . . . . .6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Requirement 53: Heat transfer to an ultimate heat sink . . . . . .

.58) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22–6.26) . . . . . . Supporting systems and auxiliary systems . . . . . . . . . . Requirement 58: Control of containment conditions (6. . . . . . . . . . Requirement 65: Control room (6. . Requirement 66: Supplementary control room (6. . . . . . . . . . . .30) . . . . .46) . . . . . . . . . . . . . . . . . . . . .48–6. . . . . . . . . . . .27–6. . . . .Requirement 56: Isolation of the containment (6. . . .49) . . . .24). . . . . . . . . . . . . . . . . . . .42) . . Requirement 72: Compressed air systems . . . . . .47). . . . . . Emergency power supply . Requirement 64: Separation of protection systems and control systems (6. . . . . . . . . . . . . . . Requirement 61: Protection system (6. . .37) . . . . . . . . . . . . . . . . .36) . . . . Requirement 69: Performance of supporting systems and auxiliary systems . . .50–6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Requirement 63: Use of computer based equipment in systems important to safety (6. . . . . . . . . . . . . . . . . Requirement 68: Emergency power supply (6. .25–6.31). .40) . . . . . . . . . . . . . . . . Requirement 76: Overhead lifting equipment (6. . Requirement 70: Heat transport systems (6. .41). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Requirement 74: Fire protection systems (6. . . . . . . . . . . . . . . . Requirement 77: Steam supply system. Requirement 67: Emergency control centre (6. . . . . . . . . . . . . . .45). . . . . . . . . . . . . . . . . . . . . . . . . .38) . . . . . . . . . . . . . . . .33) . . . . . . . . . . . . . . . . . . . . . . . .55). . . . . . . . . . Requirement 71: Process sampling systems and post-accident sampling systems (6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Requirement 73: Air conditioning systems and ventilation systems (6. Requirement 75: Lighting systems . . . . . . . . . . . . .39–6. . . . . . . . . . . . . . . .34–6. . . . . . . . . . . . . . . . . . Requirement 62: Reliability and testability of instrumentation and control systems (6. . . . . . . . .54) . .43–6. . . . . . . . . . . . . . . . . . Requirement 60: Control systems . . . . . . . . Instrumentation and control systems . . . . . feedwater system and turbine generators (6. . . . . . . . . . . . . . Other power conversion systems . . . . Requirement 57: Access to the containment (6. . . . . . . . Requirement 59: Provision of instrumentation (6. . . . . . . . . . . .32–6. . . . . . . . . . . . . . . . . . . . .56–6. 41 42 42 43 43 44 44 44 45 46 46 46 47 47 47 48 48 48 49 49 49 50 50 51 51 51 . . . . . . . . . . . . . . . . . . . .

. . . . . . . Radiation protection . .76) . . . . . . . . . . . . . Requirement 79: Systems for treatment and control of effluents (6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59–6. . . . . . . .Treatment of radioactive effluents and radioactive waste . . . . . . . . . . . . . . . . . . . . . . . . . . Requirement 81: Design for radiation protection (6. . . . . . . . .68) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61–6. . . . . . . . Requirement 78: Systems for treatment and control of waste (6. . .60) . . . . . . . . . . . . . . . .84) . . . . . . . . . .64–6. . . . . . DEFINITIONS . . . . . . . . . . . . . . . . .63) . . . . 52 52 52 53 53 54 54 55 57 59 61 63 . . Fuel handling and storage systems . . . . . . . . . . . . . . . . . Requirement 82: Means of radiation monitoring (6. . . . . . . . . . . . . . . . . . . .69–6. . .77–6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CONTRIBUTORS TO DRAFTING AND REVIEW . . . . . . . . . . . . . . . . . . . . . . . Requirement 80: Fuel handling and storage systems (6. . BODIES FOR THE ENDORSEMENT OF IAEA SAFETY STANDARDS . . REFERENCES . . . . . .

. .

It might not be practicable to apply all the requirements of this Safety Requirements publication to nuclear power plants that are already in operation or under construction. Complementary systems and equipment with new capabilities have been backfitted to many existing nuclear power plants to aid in the prevention of severe accidents and the mitigation of their consequences. in addition.3. 1 . the public and the environment from harmful effects of ionizing radiation arising from nuclear power plants and other nuclear facilities. for example as part of the periodic safety review for the plant. as well as the designs for new nuclear power plants. 1. it is expected that a comparison will be made with the current standards. Integration of safety measures and security measures will help to ensure that neither compromise the other. The designs of many existing nuclear power plants. to determine whether the safe operation of the plant could be further enhanced by means of reasonably practicable safety improvements. The design of new nuclear power plants now explicitly includes the consideration of severe accident scenarios and strategies for their management. It is recognized that technology and scientific knowledge advance. and control of. Requirements for nuclear sadfety are intended to ensure the highest level of safety that can reasonably be achieved for the protection of workers. this Safety Requirements publication reflects the present consensus. Account has been taken of the publication in 2006 of the Fundamental Safety Principles [1]. have been enhanced to include additional measures to mitigate the consequences of complex accident sequences involving multiple failures and of severe accidents. Safety requirements will change over time. 1. The present publication supersedes the Safety Requirements publication on Safety of Nuclear Power Plants: Design (IAEA Safety Standards Series No. INTRODUCTION BACKGROUND 1.1. and that nuclear safety and the adequacy of protection against radiation risks need to be considered in the context of the present state of knowledge. NSR-1) issued in 2000.1. nuclear material and security related requirements are also taken into account in the design of nuclear power plants.2. Guidance on the mitigation of the consequences of severe accidents has been provided at most existing nuclear power plants. Requirements related to the State system of accounting for. it might not be feasible to modify designs that have already been approved by regulatory bodies. For the safety analysis of such designs.

nuclear material. systems and components of a nuclear power plant. This publication does not address: (a) (b) (c) (d) Requirements that are specifically covered in other IAEA Safety Requirements publications (e. 1. Matters relating to nuclear security or to the State system of accounting for. as well as for procedures and organizational processes important to safety.8.7. construction. maintenance. This publication is intended for use by organizations involved in design.6. modification. Conventional industrial safety that under no circumstances could affect the safety of the nuclear power plant. in analysis. to determine the requirements that have to be considered in developing the design. and control of. manufacture. Non-radiological impacts arising from the operation of nuclear power plants. SCOPE 1. It is expected that this publication will be used primarily for land based stationary nuclear power plants with water cooled reactors designed for electricity generation or for other heat production applications (such as district heating or desalination).5. 1. [2]). 2 . to other reactor types. as well as by regulatory bodies. that are required to be met for safe operation and for preventing events that could compromise safety. 1. unless otherwise stated here (see under Definitions). This publication establishes design requirements for the structures. or for mitigating the consequences of such events.OBJECTIVE 1. Terms in this publication are to be understood as defined and explained in the IAEA Safety Glossary [3]. with judgement.4. This publication may also be applied. were they to occur. Ref.g. verification and review and in the provision of technical support. operation and decommissioning for nuclear power plants.

and control of. To ensure that nuclear power plants are operated and activities are conducted so as to achieve the highest 3 . the application of defence in depth and provision for construction.9.1. Section 3 establishes the general requirements to be satisfied by the design organization in the management of safety in the design process. APPLYING THE SAFETY PRINCIPLES AND CONCEPTS 2. containment system. and the ten safety principles have to be applied. without unduly limiting the operation of facilities or the conduct of activities that give rise to radiation risks. The Fundamental Safety Principles [1] establish one fundamental safety objective and ten safety principles that provide the basis for requirements and measures for the protection of people and the environment against radiation risks and for the safety of facilities and activities that give rise to radiation risks. Section 5 establishes requirements for general plant design that supplement the requirements for principal technical design criteria to ensure that safety objectives are met and the safety principles are applied.e. and between requirements for nuclear safety functions and design criteria for safety.2. This Safety Requirements publication follows the relationship between the safety objective and safety principles. nuclear material. Section 6 establishes requirements for the design of specific plant systems such as the reactor core. 2. and for ensuring that radiation risks arising from the plant are maintained as low as reasonably achievable. with additional requirements as appropriate. as well as the safety design criteria. Section 2 elaborates on the safety objective. 2. safety principles and concepts that form the basis for deriving the safety function requirements that must be met for the nuclear power plant. Sections 3–6 establish numbered overarching requirements (shown in bold type). including requirements for the fundamental safety functions. reactor coolant systems.STRUCTURE 1. and instrumentation and control systems. This fundamental safety objective has to be achieved. The requirements for general plant design apply to all items (i. Section 4 establishes requirements for the principal technical design criteria for safety. structures. and requirements for interfaces of safety with nuclear security and with the State system of accounting for. systems and components) important to safety.

including planning. In addition. 2. para.5.1): (a) (b) To control the radiation exposure of people and the release of radioactive material to the environment during operational states. 4 .2). siting. This includes the associated transport of radioactive material and the management of spent nuclear fuel and radioactive waste (see Ref. doses from exposure to radiation within the installation or exposure due to any planned radioactive release from the installation are kept below the dose limits and kept as low as reasonably achievable.” 2. [1]. radioactive source. RADIATION PROTECTION 2. This Safety Requirements publication establishes requirements that apply those safety principles. para. were they to occur. it is required to ensure that for all operational states of a nuclear power plant and for any associated activities. The fundamental safety objective applies for all stages in the lifetime of a nuclear power plant. In order to satisfy the safety principles.3) state that: “Ten safety principles have been formulated. spent nuclear fuel. radioactive waste or any other source of radiation at a nuclear power plant. design. as well as decommissioning. (c) 2. [1]. 2. construction. commissioning and operation. The Fundamental Safety Principles (Ref. To restrict the likelihood of events that might lead to a loss of control over a nuclear reactor core. To mitigate the consequences of such events. 2.6. it is required to implement measures for mitigating the radiological consequences of any accidents. which are particularly important in the design of nuclear power plants. para. although in practice different principles may be more or less important in relation to particular circumstances. manufacture. were they to occur.3. 2. measures have to be taken to achieve the following (see Ref.4. on the basis of which safety requirements are developed and safety measures are to be implemented in order to achieve the fundamental safety objective. nuclear chain reaction. [1]. The safety principles form a set that is applicable in its entirety. the appropriate application of all relevant principles is required.standards of safety that can reasonably be achieved.

To ensure that the likelihood of occurrence of an accident with serious radiological consequences is extremely low and that the radiological consequences of such an accident would be mitigated to the fullest extent practicable. any radiological consequences would be below the relevant limits and would be kept as low as reasonably achievable. the capability of the design to withstand postulated initiating events and accidents can be established. as well as the possible effects on the environment. On the basis of this analysis. the effectiveness of the items important to safety can be demonstrated and the inputs (prerequisites) for emergency planning can be established.9.2. as a result of operation of the plant. To demonstrate that the fundamental safety objective [1] is achieved in the design of a nuclear power plant. (ii) the performance of the plant in anticipated operational occurrences. Such exposures and radioactive releases are required to be strictly controlled and to be kept as low as reasonably achievable. SAFETY IN DESIGN 2. and to mitigate the consequences of any accidents that do occur. in compliance with regulatory and operational limits as well as radiation protection requirements [4]. To ensure that for all accidents taken into account in the design of the installation. it is also required that nuclear power plants be designed and operated so as to keep all sources of radiation under strict technical and administrative control. this principle does not preclude limited exposures or the release of authorized amounts of radioactive substances to the environment from nuclear power plants in operational states. To achieve the highest level of safety that can reasonably be achieved in the design of a nuclear power plant. To apply the safety principles. (b) (c) 2. and (iii) accident conditions. 5 . a comprehensive safety assessment [2] of the design is required to be carried out to identify all possible sources of radiation and to evaluate the possible doses that could be received by workers at the installation and by members of the public.8. consistent with national acceptance criteria and safety objectives [1]: (a) To prevent accidents with harmful consequences resulting from a loss of control over the reactor core or other sources of radiation. The safety assessment is required in order to examine: (i) normal operation of the plant. measures shall be taken to do the following. However.7.

it would be detected and compensated for or corrected by appropriate measures.12. although such measures might still be required by the responsible authorities. supported as necessary by the operating organization. 6]. the establishment of accident management procedures by the operating organization and.11. low power or various shutdown states. whether organizational. 5. Measures shall be taken to ensure that the radiological consequences of an accident would be mitigated. This is to ensure that all safety related activities are subject to independent layers of provisions. to mitigate exposures if an accident has occurred.2. Measures shall be taken to control exposure for all operational states at levels that are as low as reasonably achievable and to minimize the likelihood of an accident that could lead to the loss of control over a source of radiation. the establishment of offsite intervention measures by the appropriate authorities. so that if a failure were to occur. behavioural or design related. there will remain a possibility that an accident could happen. [1]. THE CONCEPT OF DEFENCE IN DEPTH 2. This concept is applied to all safety related activities. The primary means of preventing accidents in a nuclear power plant and mitigating the consequences of accidents if they do occur is the application of the concept of defence in depth [1. Application of the concept of defence in depth throughout design and operation provides protection against anticipated operational occurrences and accidents. The design for safety of a nuclear power plant applies the safety principle that practical measures must be taken to mitigate the consequences for human life and health and the environment of nuclear or radiation incidents (Ref. Such measures include the provision of safety features and safety systems. Nevertheless. 2. An essential objective is that the necessity for off-site intervention measures to mitigate radiological consequences be limited or even eliminated in technical terms. Principle 9): plant event sequences that could result in high radiation doses or radioactive releases must be practically eliminated1 and plant event sequences with a significant frequency of occurrence must have no or only minor potential radiological consequences. and whether in full power. 6 . possibly.10. including those resulting from equipment failure or 1 The possibility of certain conditions occurring is considered to have been practically eliminated if it is physically impossible for the conditions to occur or if the conditions can be considered with a high level of confidence to be extremely unlikely to arise.

and to return the plant to a safe state. Application of the concept of defence in depth in the design of a nuclear power plant provides several levels of defence (inherent features. and to the quality control of the manufacture of components and construction of the plant. construction and in-service inspection.13. maintenance and testing. or else to minimize their consequences. and the establishment of operating procedures to prevent such initiating events. Design options that reduce the potential for internal hazards contribute to the prevention of accidents at this level of defence. The independent effectiveness of each of the different levels of defence is an essential element of defence in depth at the plant and this is achieved by incorporating measures to avoid the failure of one level of defence causing the failure of other levels. and ensuring adequate protection from harmful effects and mitigation of the consequences in the event that prevention fails. careful attention is paid to the selection of appropriate design codes and materials. Attention is also paid to the processes and procedures involved in design. and against consequences of events that originate outside the plant. as well as to its commissioning. maintained and operated in accordance with quality management and appropriate and proven engineering practices. This leads to requirements that the plant be soundly and conservatively sited. There are five levels of defence: (1) The purpose of the first level of defence is to prevent deviations from normal operation and the failure of items important to safety. This second level of defence necessitates the provision of specific systems and features in the design. equipment and procedures) aimed at preventing harmful effects of radiation on people and the environment. and to the way the plant is operated and to how operating experience is utilized. manufacture. designed. The purpose of the second level of defence is to detect and control deviations from normal operational states in order to prevent anticipated operational occurrences at the plant from escalating to accident conditions. (2) 7 . constructed.human induced events within the plant. to the ease of access for these activities. 2. This is in recognition of the fact that postulated initiating events are likely to occur over the operating lifetime of a nuclear power plant. This process is supported by a detailed analysis that determines the requirements for operation and maintenance of the plant and the requirements for quality management for operational and maintenance practices. the confirmation of their effectiveness through safety analysis. despite the care taken to prevent them. To meet these objectives.

The purpose of the fourth level of defence is to mitigate the consequences of accidents that result from failure of the third level of defence in depth. construction and commissioning of a nuclear power plant might be shared between a number of organizations: the architect–engineer. although very unlikely. and the potential consequences of failures. The prime responsibility for safety rests with the person or organization responsible for facilities and activities that give rise to radiation risks (i. thus ensuring that radioactive releases are kept as low as reasonably achievable. the possible internal and external hazards. the escalation of certain anticipated operational occurrences or postulated initiating events might not be controlled at a preceding level and that an accident could develop.16. The design. This leads to the requirement that inherent and/or engineered safety features. The International Nuclear Safety Advisory Group [7] 8 . such accidents are postulated to occur.(3) (4) (5) For the third level of defence. the effectiveness of the individual barriers. it is assumed that. safety systems and procedures be provided that are capable of preventing damage to the reactor core or significant off-site releases and returning the plant to a safe state. MAINTAINING THE INTEGRITY OF DESIGN OF THE PLANT THROUGHOUT THE LIFETIME OF THE PLANT 2.e.14. 2. passive and inherent safety features that contribute to the effectiveness of the physical barriers in confining radioactive material at specified locations. the operating organization) [1]. In the design of the plant. The purpose of the fifth and final level of defence is to mitigate the radiological consequences of radioactive releases that could potentially result from accident conditions. The most important objective for this level is to ensure the confinement function. 2. This requires the provision of an adequately equipped emergency control centre and emergency plans and emergency procedures for on-site and off-site emergency response. and the suppliers of other systems that are important to the safety of the plant. A relevant aspect of the implementation of defence in depth for a nuclear power plant is the provision in the design of a series of physical barriers. the designer of electrical systems.15. The number of barriers that will be necessary will depend upon the initial source term in terms of amount and isotopic composition of radionuclides. as well as a combination of active. the vendor of the reactor and its supporting systems. the suppliers of major components.

g.e. the structure of the formally designated entity that has overall responsibility for the design process would be established at an early stage. the design of a nuclear power plant is complete only when the full plant specification (including site details) is produced for its procurement and licensing. To facilitate this transfer of knowledge. 2.has suggested that the operating organization could set up a formal process to maintain the integrity of design of the plant throughout the lifetime of the plant (i. such as the knowledge embodied in the safety analysis report. The management system requirements that are placed on this formally designated entity would also apply to the responsible designers. will be transferred to the operating organization. the responsibility for the design will rest with the design organization (e. the vendor). since much of this detailed knowledge. This balance will change as the plant is put into operation. during the operating lifetime and into the decommissioning stage). with the operating organization. design manuals and other design documentation. Prior to an application for authorization of a plant. In practice. However. 2. the prime responsibility for safety will lie with the applicant. Once an application for authorization of a plant has been made. and hence. Reference [7] emphasizes the need for a formally designated entity that has overall responsibility for the design process and is responsible for approving design changes and for ensuring that the requisite knowledge is maintained.18. 9 . the overall responsibility for maintaining the integrity of design of the plant would rest with the formally designated entity. A formally designated entity within the operating organization would take responsibility for this process. although detailed knowledge of the design will rest with the responsible designers.17. ultimately. Reference [7] also introduces the concept of ‘responsible designers’ to whom this formally designated entity could assign specific responsibilities for the design of parts of the plant.

for checking the adequacy of the design and for controlling design changes.3. including design tools and design inputs and outputs. 3. modifications or safety improvements. 10 .2. 3. at all times.3. as well as of the overall design of the nuclear power plant.4. shall be in accordance with established procedures that call on appropriate engineering codes and standards and shall incorporate relevant requirements and design bases. including subsequent changes. 3 Requirements on management systems are established in Ref. The management system shall include provision for ensuring the quality of the design of each structure. The design of the plant. shall be verified and validated by individuals or groups separate from those who originally performed the design work. engaged in activities important to the safety of the design of a nuclear power plant shall be responsible for ensuring that safety matters are given the highest priority. This includes the means for identifying and correcting design deficiencies. [8]. 3. validation and approval of the plant design shall be completed as soon as is practicable in 2 The design organization is the organization responsible for preparation of the final detailed design of the plant to be built. Interfaces shall be identified and controlled. Requirement 2: Management system3 for plant design The design organization shall establish and implement a management system for ensuring that all safety requirements established for the design of the plant are considered and implemented in all phases of the design process and that they are met in the final design. 3. MANAGEMENT OF SAFETY IN DESIGN Requirement 1: Responsibilities in the management of safety in plant design An applicant for a licence to construct and/or operate a nuclear power plant shall be responsible for ensuring that the design submitted to the regulatory body meets all applicable safety requirements. All organizations. Verification. The adequacy of the plant design.1. system and component. including the design organization2.

laws and regulations. reliability and quality in accordance with relevant national and international codes and standards. and in any case before operation of the plant is commenced. maintenance (including adequate intervals for testing) and modification of the plant is available. 3. Requirement 3: Safety of the plant design throughout the lifetime of the plant The operating organization shall establish a formal system for ensuring the continuing safety of the plant design throughout the lifetime of the nuclear power plant. definition of engineering codes and standards and requirements. A series of tasks and functions shall be established and implemented to ensure the following: (a) That the plant design is fit for purpose and meets the requirement for the optimization of protection and safety by keeping radiation risks as low as reasonably achievable. The formally designated entity shall ensure that the plant design meets the acceptance criteria for safety.5. provision for feedback of information on construction and experience. That management of design requirements and configuration control are maintained.6. That the design verification. use of proven engineering practices. (b) (c) (d) (e) 11 . Tasks that are assigned to external organizations (referred to as responsible designers) for the design of specific parts of the plant shall be taken into account in the arrangements. conduct of safety assessments and maintaining a safety culture are included in the formal system for ensuring the continuing safety of the plant design. that this knowledge is maintained up to date by the operating organization. The formal system for ensuring the continuing safety of the plant design shall include a formally designated entity responsible for the safety of the plant design within the operating organization’s management system. and that due account is taken of past operating experience and validated research findings. That the knowledge of the design that is needed for safe operation. approval of key engineering documents. 3. That the necessary interfaces with responsible designers and suppliers engaged in design work are established and controlled.the design and construction processes.

4. shielding against radiation and control of planned radioactive releases. verified. Means of monitoring the status of the plant shall be provided for ensuring that the required safety functions are fulfilled. PRINCIPAL TECHNICAL REQUIREMENTS Requirement 4: Fundamental safety functions Fulfilment of the following fundamental safety functions for a nuclear power plant shall be ensured for all plant states: (i) control of reactivity. [9]. the fundamental safety functions for all plant states. 4 12 . and that they remain below Requirements on radiation protection and the safety of radiation sources for facilities and activities are established in Ref. That all design changes to the plant are reviewed. 4. A systematic approach shall be taken to identifying those items important to safety that are necessary to fulfil the fundamental safety functions and to identifying the inherent features that are contributing to fulfilling. (ii) removal of heat from the reactor and from the fuel store and (iii) confinement of radioactive material.(f) (g) (h) That the necessary engineering expertise and scientific and technical knowledge are maintained within the operating organization. documented and approved. Requirement 5: Radiation protection4 The design of a nuclear power plant shall be such as to ensure that radiation doses to workers at the plant and to members of the public do not exceed the dose limits. or that are affecting. as well as limitation of accidental radioactive releases.1. That adequate documentation is maintained to facilitate future decommissioning of the plant. that they are kept as low as reasonably achievable in operational states for the entire lifetime of the plant. 4.2.

e. potential radiological consequences for plant states with a significant likelihood of occurrence. that the plant can be operated safely within the operational limits and conditions for the full duration of its design life and can be safely decommissioned.5. 4. 4. The design shall be such as to ensure that plant states that could lead to high radiation doses or large radioactive releases are practically eliminated (see footnote 1) and that there are no. the operational limits and conditions). or only minor. as well as applicable national and international codes and standards. and to allow subsequent plant modifications to be made.3. Requirement 6: Design for a nuclear power plant The design for a nuclear power plant shall ensure that the plant and items important to safety have the appropriate characteristics to ensure that safety functions can be performed with the necessary reliability. The design for a nuclear power plant shall be such as to ensure that the safety requirements of the operating organization.4. construction and operation of other nuclear power plants.7. The design shall take due account of the results of deterministic safety analyses and probabilistic safety analyses. Recommended practices shall be provided for incorporation into the administrative and operational procedures for the plant (i.acceptable limits and as low as reasonably achievable in. Acceptable limits for radiation protection associated with the relevant categories of plant states shall be established. and that impacts on the environment are minimized. accident conditions. 4. and of the results of relevant research programmes. the requirements of the regulatory body and the requirements of relevant legislation. to ensure that due consideration has been given to the prevention of accidents and to mitigation of the consequences of any accidents that do occur. Adequate information on the design shall be provided for ensuring the safe operation and maintenance of the plant. The design shall take due account of relevant available experience that has been gained in the design. 13 . and that due account is taken of human capabilities and limitations and of factors that could influence human performance. are all met. 4.6. 4. and following. consistent with the regulatory requirements.

The design shall take due account of the fact that the existence of multiple levels of defence is not a basis for continued operation in the absence of one level of defence. is an instance of severely abnormal plant behaviour caused by an abrupt transition from one plant status to another following a small deviation in a plant parameter. All levels of defence in depth shall be kept available at all times and any relaxations shall be justified for specific modes of operation.10. Shall provide for the control of plant behaviour by means of inherent and engineered features.11. 4. in a nuclear power plant. such that failures and deviations (c) (d) A cliff edge effect. 5 14 . such that failures and deviations from normal operation requiring actuation of safety systems are minimized or excluded by design.9. The levels of defence in depth shall be independent as far as is practicable. Shall provide for supplementing the control of the plant by means of automatic actuation of safety systems. by means of appropriate design measures and operational and decommissioning practices. The defence in depth concept shall be applied to provide several levels of defence that are aimed at preventing consequences of accidents that could lead to harmful effects on people and the environment. The design: (a) (b) Shall provide for multiple physical barriers to the release of radioactive material to the environment. 4. to the extent possible. The design shall be such as to ensure that the generation of radioactive waste and discharges are kept to the minimum practicable in terms of both activity and volume. Requirement 7: Application of defence in depth The design of a nuclear power plant shall incorporate defence in depth. Shall be conservative. 4. and the construction shall be of high quality.8. and ensuring that appropriate measures are taken for the protection of people and the environment and for the mitigation of consequences in the event that prevention fails.4. that accidents are prevented as far as is practicable and that a small deviation in a plant parameter does not lead to a cliff edge effect5. so as to provide assurance that failures and deviations from normal operation are minimized. and thus a sudden large variation in plant conditions in response to a small variation in an input.

the design shall prevent. and control of. Failure of one or more barriers. To ensure that the concept of defence in depth is maintained. level of defence is capable of preventing an escalation to accident conditions for all failures or deviations from normal operation that are likely to occur over the operating lifetime of the nuclear power plant. Failure of a barrier as a consequence of the failure of another barrier. Requirement 8: Interfaces of safety with security and safeguards Safety measures. and the need for operator actions in the early phase of these failures or deviations from normal operation is minimized. that the first. 4. as far as is practicable. The possibility of harmful consequences of errors in operation and maintenance. 15 . Requirement 9: Proven engineering practices Items important to safety for a nuclear power plant shall be designed in accordance with the relevant national and international codes and standards. Shall provide multiple means for ensuring that each of the fundamental safety functions is performed. Shall provide for systems. as far as is practicable: (a) (b) (c) (d) Challenges to the integrity of physical barriers.13. The design shall be such as to ensure. nuclear security measures and arrangements for the State system of accounting for. to limit the consequences of failures and deviations from normal operation that exceed the capability of safety systems. 4. as far as practicable.(e) (f) from normal operation that exceed the capability of control systems can be controlled with a high level of confidence. thereby ensuring the effectiveness of the barriers and mitigating the consequences of any failure or deviation from normal operation.12. nuclear material for a nuclear power plant shall be designed and implemented in an integrated manner so that they do not compromise one another. structures and components and procedures to control the course of and. or at most the second.

The safety assessments shall be documented in a form that facilitates independent evaluation. [2]. and to confirm that the design. Where an unproven design or feature is introduced or where there is a departure from an established engineering practice.17. Requirements on safety assessment for facilities and activities are established in Ref. safety shall be demonstrated by means of appropriate supporting research programmes. 4. 4. and shall be supplemented or modified as necessary to ensure that the quality of the design is commensurate with the associated safety function.4. 4. 4. Requirement 10: Safety assessment6 Comprehensive deterministic safety assessments and probabilistic safety assessments shall be carried out throughout the design process for a nuclear power plant to ensure that all safety requirements on the design of the plant are met throughout all stages of the lifetime of the plant.18. as delivered. shall be items of high quality and of a technology that has been qualified and tested. and shall be monitored in service to verify that the behaviour of the plant is as expected. as operated and as modified. meets requirements for manufacture and for construction. 6 16 . and if not.14. National and international codes and standards that are used as design rules for items important to safety shall be identified and evaluated to determine their applicability. with iterations between design activities and confirmatory analytical activities. The safety assessments shall be commenced at an early point in the design process. performance tests with specific acceptance criteria or the examination of operating experience from other relevant applications. The new design or feature or new practice shall also be adequately tested to the extent practicable before being brought into service. and shall increase in scope and level of detail as the design programme progresses. adequacy and sufficiency. Items important to safety for a nuclear power plant shall preferably be of a design that has previously been proven in equivalent applications. and as built.16.15.

Requirement 11: Provision for construction Items important to safety for a nuclear power plant shall be designed so that they can be manufactured. In the provision for construction and operation. The facilities necessary for the treatment and storage of radioactive waste generated in operation and provision for managing the radioactive waste that will be generated in the decommissioning of the plant. GENERAL PLANT DESIGN DESIGN BASIS Requirement 13: Categories of plant states Plant states shall be identified and shall be grouped into a limited number of categories primarily on the basis of their frequency of occurrence at the nuclear power plant. 5. 17 . assembled. the design shall take due account of: (a) (b) (c) The choice of materials. such practices shall be shown to be appropriate to the specific nuclear application.20. installed and erected in accordance with established processes that ensure the achievement of the design specifications and the required level of safety. 4. Requirement 12: Features to facilitate radioactive waste management and decommissioning Special consideration shall be given at the design stage of a nuclear power plant to the incorporation of features to facilitate radioactive waste management and the future decommissioning and dismantling of the plant.19. In particular. so that amounts of radioactive waste will be minimized to the extent practicable and decontamination will be facilitated. 4. The access capabilities and the means of handling that might be necessary. systems and components. Where best practices from other relevant industries are adopted. due account shall be taken of relevant experience that has been gained in the construction of other similar plants and their associated structures. constructed.

Design basis accidents. reliability and functionality for the relevant operational states. including accidents with significant degradation of the reactor core. such that frequently occurring plant states shall have no. Requirement 16: Postulated initiating events The design for the nuclear power plant shall apply a systematic approach to identifying a comprehensive set of postulated initiating events such that all foreseeable events with the potential for serious consequences and all 18 . Criteria shall be assigned to each plant state.3.5. to meet the specific acceptance criteria over the lifetime of the nuclear power plant. The documentation shall provide the necessary information for the operating organization to operate the plant safely. which are expected to occur over the operating lifetime of the plant. 5.4. as well as with relevant regulatory requirements.2. Design extension conditions. Anticipated operational occurrences. Requirement 14: Design basis for items important to safety The design basis for items important to safety shall specify the necessary capability. 5. Plant states shall typically cover: (a) (b) (c) (d) Normal operation.1. radiological consequences and plant states that could give rise to serious consequences shall have a very low frequency of occurrence. 5. The design basis for each item important to safety shall be systematically justified and documented. or only minor. The design limits shall be specified and shall be consistent with relevant national and international standards and codes. for accident conditions and for conditions arising from internal and external hazards. Requirement 15: Design limits A set of design limits consistent with the key physical parameters for each item important to safety for the nuclear power plant shall be specified for all operational states and for accident conditions.

systems and components of the plant. the plant would be rendered safe by means of passive safety features or by the action of systems that are operating continuously in the state necessary to control the postulated initiating event.9. Following a postulated initiating event. Following a postulated initiating event.5. the plant would be rendered safe by following specified procedures.foreseeable events with a significant frequency of occurrence are anticipated and are considered in the design. 19 . The postulated initiating events shall include all foreseeable failures of structures. whether in full power. the plant would be rendered safe by the actuation of safety systems that need to be brought into operation in response to the postulated initiating event.6. as well as operating errors and possible failures arising from internal and external hazards.8. 5. in order of priority: (1) A postulated initiating event would produce no safety significant effects or would produce only a change towards safe plant conditions by means of inherent characteristics of the plant. The expected behaviour of the plant in any postulated initiating event shall be such that the following conditions can be achieved. The postulated initiating events shall be identified on the basis of engineering judgement and a combination of deterministic assessment and probabilistic assessment.7. 5. An analysis of the postulated initiating events for the plant shall be made to establish the preventive measures and protective measures that are necessary to ensure that the required safety functions will be performed. A justification of the extent of usage of deterministic safety analysis and probabilistic safety analysis shall be provided. to show that all foreseeable events have been considered. (2) (3) (4) 5. 5. The postulated initiating events used for developing the performance requirements for the items important to safety in the overall safety assessment and the detailed analysis of the plant shall be grouped into a specified number of representative event sequences that identify bounding cases and that provide the basis for the design and the operational limits for items important to safety. low power or shutdown states. 5. Following a postulated initiating event.

The operator actions that would be necessary to diagnose the state of the plant following a postulated initiating event and to put it into a stable long term shutdown condition in a timely manner shall be facilitated by the provision of adequate instrumentation to monitor the status of the plant. 5. 5. 5. shall be identified and their effects shall be evaluated. 5. operational and emergency procedures) shall be specified to ensure the performance of such actions.11. For such cases.5. The design shall specify the necessary provision of equipment and the procedures necessary to provide the means for keeping control over the plant and for mitigating any harmful consequences of a loss of control. An assessment shall be made of the potential for an operator to worsen an event sequence through erroneous operation of equipment or incorrect diagnosis of the necessary recovery process. 5. Where prompt action in response to a postulated initiating event would not be necessary. Any equipment that is necessary for actions to be taken in manual response and recovery processes shall be placed at the most suitable location to ensure its availability at the time of need and to allow safe access to it under the environmental conditions anticipated. and adequate procedures (such as administrative. Requirement 17: Internal and external hazards All foreseeable internal hazards and external hazards.15.13. Where prompt and reliable action would be necessary in response to a postulated initiating event.12. Hazards shall be considered for determination of the postulated 20 .10. including the potential for human induced events directly or indirectly to affect the safety of the nuclear power plant. and adequate controls for the manual operation of equipment.14. to prevent progression to more severe plant conditions. the time interval between detection of the abnormal event or accident and the required action shall be sufficiently long. provision shall be made in the design for automatic safety actions for the necessary actuation of safety systems. A technically supported justification shall be provided for exclusion from the design of any initiating event that is identified in accordance with the comprehensive set of postulated initiating events. it is permissible for reliance to be placed on the manual initiation of systems or on other operator actions.

e.20. 5. flooding. 5. missile generation. The design shall be such as to ensure that items important to safety are capable of withstanding the effects of external events considered in the design. consistent with other safety requirements. Natural external events shall be addressed.16.18. geological and seismic events. 5. hydrological. and if not. including meteorological.19. the safety of the plant shall not be permitted to be dependent on the availability of off-site services such as electricity supply and fire fighting services. 7 Requirements on site evaluation for nuclear installations are established in Ref. In the short term. The design shall include due consideration of those natural and human induced external events (i. External hazards7 5. other features such as passive barriers shall be provided to protect the plant and to ensure that the required safety function will be performed. jet impact and release of fluid from failed systems or from other installations on the site. [10]. Features shall be provided to minimize any interactions between buildings containing items important to safety (including power cabling and control cabling) and any other plant structure as a result of external events considered in the design.17. Internal hazards 5. The design shall take due account of site specific conditions to determine the maximum delay time by which off-site services need to be available. explosion. Human induced external events arising from nearby industries and transport routes shall be addressed. Appropriate features for prevention and mitigation shall be provided to ensure that safety is not compromised. the likelihood of external events and their possible harmful consequences. pipe whip.initiating events and generated loadings for use in the design of relevant items important to safety for the plant. collapse of structures and falling objects. 21 . The design shall take due account of internal hazards such as fire. events of origin external to the plant) that have been identified in the site evaluation process. Items important to safety shall be designed and located to minimize.

5.5. including performance criteria. and proven engineering practices shall be adhered to in the design of a nuclear power plant to ensure that the fundamental safety functions are achieved for all operational states and for all accident conditions.24. 5.26. Requirement 18: Engineering design rules The engineering design rules for items important to safety at a nuclear power plant shall be specified and shall comply with the relevant national or international codes and standards and with proven engineering practices. The seismic design of the plant shall provide for a sufficient safety margin to protect against seismic events and to avoid cliff edge effects (see footnote 5).23. The design shall be such that for design basis accident conditions. with due account taken of their relevance to nuclear power technology. without acceptable limits for radiation protection being exceeded. 5. for safety systems and for other items important to safety that are necessary to control design basis accident conditions. 5. Requirement 19: Design basis accidents A set of accident conditions that are to be considered in the design shall be derived from postulated initiating events for the purpose of establishing the boundary conditions for the nuclear power plant to withstand. specifying design criteria and using conservative assumptions.21. The design basis accidents shall be analysed in a conservative manner. A primary objective shall be to manage all design basis accidents so that they have no. Design basis accidents shall be used to define the design bases. 5. with the objective of returning the plant to a safe state and mitigating the consequences of any accidents. models and input parameters in the analysis. This approach involves postulating certain failures in safety systems. radiological impacts. 22 . Methods to ensure a robust design shall be applied. on or off the site. or only minor. and do not necessitate any off-site intervention measures. For multiple unit plant sites.25. key plant parameters do not exceed the specified design limits.22. the design shall take due account of the potential for specific hazards giving rise to simultaneous impacts on several units on the site.

28. or. or to mitigate their consequences. if they do arise. shall be such as to ensure the capability for managing accident conditions in which there is a significant amount of radioactive material in the containment (including radioactive material resulting from severe degradation of the reactor core). 8 23 . This could be done with a best estimate approach (more stringent approaches may be used according to States’ requirements).27. The design extension conditions shall be used to define the design basis for safety features and for the design of all other items important to safety that are necessary for preventing such conditions from arising. The main technical objective of considering the design extension conditions is to provide assurance that the design of the plant is such as to prevent accident conditions not considered design basis accident conditions. This might require additional safety features for design extension conditions. The plant shall be designed so that it can be brought into a controlled state and the containment function can be maintained.Requirement 20: Design extension conditions A set of design extension conditions shall be derived on the basis of engineering judgement. These design extension conditions shall be used to identify the additional accident scenarios to be addressed in the design and to plan practicable provisions for the prevention of such accidents or mitigation of their consequences if they do occur. An analysis of design extension conditions for the plant shall be performed8. 5. as far as is reasonably practicable. or this extension of the capability of safety systems. with the result that significant radioactive releases would be practically eliminated (see footnote 1). deterministic assessments and probabilistic assessments for the purpose of further improving the safety of the nuclear power plant by enhancing the plant’s capabilities to withstand. 5. for controlling them and mitigating their consequences. accidents that are either more severe than design basis accidents or that involve additional failures. These additional safety features for design extension conditions. without unacceptable radiological consequences. The effectiveness of provisions to ensure the functionality of the containment could be analysed on the basis of the best estimate approach. or extension of the capability of safety systems to maintain the integrity of the containment.

such combinations of events shall be considered to be design basis accidents or shall be included as part of design extension conditions. Shall have a reliability commensurate with the function that they are required to fulfil. deterministic safety assessments and probabilistic safety assessments indicate that combinations of events could lead to anticipated operational occurrences or to accident conditions. The design shall be such that design extension conditions that could lead to significant radioactive releases are practically eliminated (see footnote 1).29. consideration could be given to the full design capabilities of the plant and to the temporary use of additional systems. melting of the reactor core. depending mainly on their likelihood of occurrence. including design extension conditions in severe accidents. to the extent practicable. (c) 5. Combinations of events and failures 5. 5. events considered in the design extension conditions. Such consequential effects shall be considered to be part of the original postulated initiating event. or that are capable9 of preventing or mitigating. where appropriate.32. These scenarios shall be selected using engineering judgement and input from probabilistic safety assessments. These features: (a) (b) Shall be independent. among other things. Where the results of engineering judgement.5. In particular. only protective measures that are of limited scope in terms of area and time shall be necessary for protection of the public.30. If not. of those used in more frequent accidents. for design extension conditions that cannot be practically eliminated. the containment and its safety features shall be able to withstand extreme scenarios that include. such as a flood following an earthquake. The analysis undertaken shall include identification of the features that are designed for use in. and sufficient time shall be made available to implement these measures. 9 For returning the plant to a safe state or for mitigating the consequences of an accident. Certain events might be consequences of other events. Shall be capable of performing in the environmental conditions pertaining to these design extension conditions.31. 24 .

Requirement 21: Physical separation and independence of safety systems Interference between safety systems or between redundant elements of a system shall be prevented by means such as physical separation. as appropriate. Safety system equipment (including cables and raceways) shall be readily identifiable in the plant for each redundant element of a safety system.33. 5.36. The frequency with which the item will be called upon to perform a safety function. the item will be called upon to perform a safety function. 5.34. Requirement 22: Safety classification All items important to safety shall be identified and shall be classified on the basis of their function and their safety significance. Equipment that performs multiple functions shall be classified in a safety class that is consistent with the most important function performed by the equipment.35. The time following a postulated initiating event at which. The consequences of failure to perform a safety function. and in particular that any failure of items important to safety in a system in a lower safety class will not propagate to a system in a higher safety class. 25 . electrical isolation. 5. The design shall be such as to ensure that any interference between items important to safety will be prevented. 5. functional independence and independence of communication (data transfer). or the period for which. where appropriate. with due account taken of factors such as: (a) (b) (c) (d) The safety function(s) to be performed by the item. by probabilistic methods. The method for classifying the safety significance of items important to safety shall be based primarily on deterministic methods complemented.

5. 10 26 . unless it has been justified in the single failure analysis with a high level of confidence that a failure of that component is very unlikely and that its function would remain unaffected by the postulated initiating event. to determine how the concepts of diversity. procured. consideration shall be given to both spurious operation and unsafe failure modes. all conditions specified in the design basis for the items. In the selection of equipment. Requirement 24: Common cause failures The design of equipment shall take due account of the potential for common cause failures of items important to safety. A single failure is a failure that results in the loss of capability of a system or component to perform its intended safety function(s) and any consequential failure(s) that result from it. The single failure criterion is a criterion (or requirement) applied to a system such that it must be capable of performing its task in the presence of any single failure. physical separation and functional independence have to be applied to achieve the necessary reliability.10 5. commissioned.39. with sufficient reliability and effectiveness. redundancy.40. operated and maintained to be capable of withstanding.37. Requirement 25: Single failure criterion The single failure criterion shall be applied to each safety group incorporated in the plant design.38. The design shall take due account of the failure of a passive component. Spurious action shall be considered to be one mode of failure when applying the concept to a safety group or safety system. installed. Preference shall be given in the selection process to equipment that exhibits a predictable and revealed mode of failure and for which the design facilitates repair or replacement. 5. 5. The design of items important to safety shall be such as to ensure that the equipment can be qualified.Requirement 23: Reliability of items important to safety The reliability of items important to safety shall be commensurate with their safety significance.

Control system constraints and procedural constraints on process variables and other important parameters. to comply with the requirement for optimization by keeping radiation risks as low as reasonably achievable. 5. 27 . systems and components function as intended in the design. so that their failure or the failure of a support feature does not prevent the performance of the intended safety function. testing and inspection of the plant to ensure that structures. diversity and independence of support service systems and the provision of features for their isolation and for testing their functional capability shall be commensurate with the significance to safety of the system being supported.43. as appropriate. maintenance. Requirement 27: Support service systems Support service systems that ensure the operability of equipment forming part of a system important to safety shall be classified accordingly. The reliability. as appropriate. Requirements for surveillance. redundancy. Limiting settings for safety systems. into the design of systems and components important to safety. It shall not be permissible for a failure of a support service system to be capable of simultaneously affecting redundant parts of a safety system or a system fulfilling diverse safety functions and compromising the capability of these systems to fulfil their safety functions. Requirement 28: Operational limits and conditions for safe operation The design shall establish a set of operational limits and conditions for safe operation of the nuclear power plant.Requirement 26: Fail-safe design The concept of fail-safe design shall be incorporated. 5.42. 5. Ref. 5. Operational limits and conditions for operational states. The requirements and operational limits and conditions established in the design for the nuclear power plant shall include (Req. 6. [4]): (a) (b) (c) (d) (e) Safety limits. Systems and components important to safety shall be designed for fail-safe behaviour.44.41.

testing. Such activities shall be commensurate with the importance of the safety functions to be performed. replacement or inspection of items important to safety during shutdown shall be included in the design so that such tasks can be performed with no significant reduction in the reliability of performance of the safety functions. repair.47. 5. If an item important to safety cannot be designed to be capable of being tested. tested or maintained during power operation. inspection and monitoring of items important to safety Items important to safety for a nuclear power plant shall be designed to be calibrated. including operational restrictions in the event of the unavailability of safety systems or safety related systems. maintenance. testing. repair. The plant layout shall be such that activities for calibration. maintained. Where items important to safety are planned to be calibrated. including completion times for actions in response to deviations from the operational limits and conditions. and shall be performed without undue exposure of workers. a robust technical justification shall be provided that incorporates the following approach: (a) Other proven alternative and/or indirect methods such as surveillance testing of reference items or use of verified and validated calculational methods shall be specified. inspected and monitored as required to ensure their capability of performing their functions and to maintain their integrity in all conditions specified in their design basis. DESIGN FOR SAFE OPERATION OVER THE LIFETIME OF THE PLANT Requirement 29: Calibration. inspected or monitored to the extent desirable. Conservative safety margins shall be applied or other appropriate precautions shall be taken to compensate for possible unanticipated failures. testing. tested. 5. the respective systems shall be designed for performing such tasks with no significant reduction in the reliability of performance of the safety functions.45.(f) (g) Specified operational configurations. 5. maintenance. inspection and monitoring are facilitated and can be performed to relevant national and international codes and standards.46. Action statements. repair or replacement. maintenance. repaired or replaced. replacement. Provisions for calibration. (b) 28 .

shall be included in the qualification programme. such as in periodic testing of the containment leak rate. to ensure the capability of items important to safety to perform their necessary safety functions throughout their design life. The environmental conditions considered in the qualification programme for items important to safety at a nuclear power plant shall include the variations in ambient environmental conditions that are anticipated in the design basis for the plant. 29 . Appropriate margins shall be provided in the design to take due account of relevant mechanisms of ageing. humidity or temperature) over the expected service life of the items important to safety. irradiation. with due account taken of plant conditions during maintenance and testing. The design for a nuclear power plant shall take due account of ageing and wear out effects in all operational states for which a component is credited. either by test or by analysis or by a combination of both. plant states during a postulated initiating event and plant states following a postulated initiating event. When the items important to safety are subject to natural external events and are required to perform a safety function during or following such an event. maintenance.49.Requirement 30: Qualification of items important to safety A qualification programme for items important to safety shall be implemented to verify that items important to safety at a nuclear power plant are capable of performing their intended functions when necessary. Any environmental conditions that could reasonably be anticipated and that could arise in specific operational states. The qualification programme for items important to safety shall include the consideration of ageing effects caused by environmental factors (such as conditions of vibration. Requirement 31: Ageing management The design life of items important to safety at a nuclear power plant shall be determined.50. 5.48. and in the prevailing environmental conditions.51. including testing. maintenance outages. 5. throughout their design life. 5. the qualification programme shall replicate as far as is practicable the conditions imposed on the items important to safety by the natural event. 5. neutron embrittlement and wear out and of the potential for age related degradation.

5.52. Provision shall be made for monitoring, testing, sampling and inspection to assess ageing mechanisms predicted at the design stage and to help identify unanticipated behaviour of the plant or degradation that might occur in service.

HUMAN FACTORS Requirement 32: Design for optimal operator performance Systematic consideration of human factors, including the human–machine interface, shall be included at an early stage in the design process for a nuclear power plant and shall be continued throughout the entire design process. 5.53. The design for a nuclear power plant shall specify the minimum number of operating personnel required to perform all the simultaneous operations necessary to bring the plant into a safe state. 5.54. Operating personnel who have gained operating experience in similar plants shall, as far as is practicable, be actively involved in the design process conducted by the design organization, in order to ensure that consideration is given as early as possible in the process to the future operation and maintenance of equipment. 5.55. The design shall support operating personnel in the fulfilment of their responsibilities and in the performance of their tasks, and shall limit the effects of operating errors on safety. The design process shall pay attention to plant layout and equipment layout, and to procedures, including procedures for maintenance and inspection, to facilitate interaction between the operating personnel and the plant. 5.56. The human–machine interface shall be designed to provide the operators with comprehensive but easily manageable information, in accordance with the necessary decision times and action times. The information necessary for the operator to make a decision to act shall be simply and unambiguously presented. 5.57. The operator shall be provided with the necessary information: (a) (b) To assess the general state of the plant in any condition; To operate the plant within the specified limits on parameters associated with plant systems and equipment (operational limits and conditions);

30

(c)

(d)

To confirm that safety actions for the actuation of safety systems are automatically initiated when needed and that the relevant systems perform as intended; To determine both the need for and the time for manual initiation of the specified safety actions.

5.58. The design shall be such as to promote the success of operator actions with due regard for the time available for action, the conditions to be expected and the psychological demands being made on the operator. 5.59. The need for intervention by the operator on a short time scale shall be kept to a minimum, and it shall be demonstrated that the operator has sufficient time to make a decision and sufficient time to act. 5.60. The design shall be such as to ensure that, following an event affecting the plant, environmental conditions in the control room or the supplementary control room and in locations on the access route to the supplementary control room do not compromise the protection and safety of the operating personnel. 5.61. The design of workplaces and the working environment of the operating personnel shall be in accordance with ergonomic concepts. 5.62. Verification and validation, including by the use of simulators, of features relating to human factors shall be included at appropriate stages to confirm that necessary actions by the operator have been identified and can be correctly performed.

OTHER DESIGN CONSIDERATIONS Requirement 33: Sharing of safety systems between multiple units of a nuclear power plant Safety systems shall not be shared between multiple units unless this contributes to enhanced safety. 5.63. Safety system support features and safety related items shall be permitted to be shared between several units of a nuclear power plant if this contributes to safety. Such sharing shall not be permitted if it would increase either the likelihood or the consequences of an accident at any unit of the plant.

31

Requirement 34: Systems containing fissile material or radioactive material All systems in a nuclear power plant that could contain fissile material or radioactive material shall be so designed as: to prevent the occurrence of events that could lead to an uncontrolled radioactive release to the environment; to prevent accidental criticality and overheating; to ensure that radioactive releases of material are kept below authorized limits on discharges in normal operation and below acceptable limits in accident conditions, and are kept as low as reasonably achievable; and to facilitate mitigation of radiological consequences of accidents. Requirement 35: Nuclear power plants used for cogeneration of heat and power, heat generation or desalination Nuclear power plants coupled with heat utilization units (such as for district heating) and/or water desalination units shall be designed to prevent processes that transport radionuclides from the nuclear plant to the desalination unit or the district heating unit under conditions of operational states and in accident conditions. Requirement 36: Escape routes from the plant A nuclear power plant shall be provided with a sufficient number of escape routes, clearly and durably marked, with reliable emergency lighting, ventilation and other services essential to the safe use of these escape routes. 5.64. Escape routes from the nuclear power plant shall meet the relevant national and international requirements for radiation zoning and fire protection, and the relevant national requirements for industrial safety and plant security. 5.65. At least one escape route shall be available from workplaces and other occupied areas following an internal event or an external event or following combinations of events considered in the design. Requirement 37: Communication systems at the plant Effective means of communication shall be provided throughout the nuclear power plant to facilitate safe operation in all modes of normal operation and to be available for use following all postulated initiating events and in accident conditions.

32

with particular consideration given to guarding against the unauthorized entry of persons and goods to the plant. and effects of any harmful interactions shall be prevented.66. maloperation or malfunction on local environmental conditions of other essential systems. 5. shall be prevented. including emergency response personnel and vehicles. to ensure that changes in environmental conditions do not affect the reliability of systems or components in functioning as intended.69. in operational states and in accident conditions. Suitable alarm systems and means of communication shall be provided so that all persons present at the nuclear power plant and on the site can be given warnings and instructions. In the analysis of the potential for harmful interactions of systems important to safety. including computer hardware and software. Requirement 38: Control of access to the plant The nuclear power plant shall be isolated from its surroundings with a suitable layout of the various structural elements so that access to it can be controlled. 33 . due account shall be taken of physical interconnections and of the possible effects of one system’s operation. items important to safety.67. and for communication with relevant off-site agencies shall be provided. Suitable and diverse means of communication necessary for safety within the nuclear power plant and in the immediate vicinity. Provision shall be made in the design of the buildings and the layout of the site for the control of access to the nuclear power plant by operating personnel and/or for equipment. 5. Requirement 40: Prevention of harmful interactions of systems important to safety The potential for harmful interactions of systems important to safety at the nuclear power plant that might be required to operate simultaneously shall be evaluated.5. or interference with.68. 5. items important to safety Unauthorized access to. or interference with. Requirement 39: Prevention of unauthorized access to.

5.70. If two fluid systems important to safety are interconnected and are operating at different pressures, either the systems shall both be designed to withstand the higher pressure, or provision shall be made to prevent the design pressure of the system operating at the lower pressure from being exceeded. Requirement 41: Interactions between the electrical power grid and the plant The functionality of items important to safety at the nuclear power plant shall not be compromised by disturbances in the electrical power grid, including anticipated variations in the voltage and frequency of the grid supply.

SAFETY ANALYSIS Requirement 42: Safety analysis of the plant design A safety analysis of the design for the nuclear power plant shall be conducted in which methods of both deterministic analysis and probabilistic analysis shall be applied to enable the challenges to safety in the various categories of plant states to be evaluated and assessed. 5.71. On the basis of a safety analysis, the design basis for items important to safety and their links to initiating events and event sequences shall be confirmed (see footnote 6). It shall be demonstrated that the nuclear power plant as designed is capable of complying with authorized limits on discharges with regard to radioactive releases and with the dose limits in all operational states, and is capable of meeting acceptable limits for accident conditions. 5.72. The safety analysis shall provide assurance that defence in depth has been implemented in the design of the plant. 5.73. The safety analysis shall provide assurance that uncertainties have been given adequate consideration in the design of the plant. 5.74. The applicability of the analytical assumptions, methods and degree of conservatism used in the design of the plant shall be updated and verified for the current or as built design.

34

Deterministic approach 5.75. The deterministic safety analysis shall mainly provide: (a) (b) (c) (d) (e) Establishment and confirmation of the design bases for all items important to safety; Characterization of the postulated initiating events that are appropriate for the site and the design of the plant; Analysis and evaluation of event sequences that result from postulated initiating events, to confirm the qualification requirements; Comparison of the results of the analysis with dose limits and acceptable limits, and with design limits; Demonstration that the management of anticipated operational occurrences and design basis accident conditions is possible by safety actions for the automatic actuation of safety systems in combination with prescribed actions by the operator; Demonstration that the management of design extension conditions is possible by the automatic actuation of safety systems and the use of safety features in combination with expected actions by the operator.

(f)

Probabilistic approach 5.76. The design shall take due account of the probabilistic safety analysis of the plant for all modes of operation and for all plant states, including shutdown, with particular reference to: (a) Establishing that a balanced design has been achieved such that no particular feature or postulated initiating event makes a disproportionately large or significantly uncertain contribution to the overall risks, and that, to the extent practicable, the levels of defence in depth are independent; Providing assurance that small deviations in plant parameters that could give rise to large variations in plant conditions (cliff edge effects) will be prevented (see footnote 5); Comparing the results of the analysis with the acceptance criteria for risk where these have been specified.

(b)

(c)

35

6. DESIGN OF SPECIFIC PLANT SYSTEMS
REACTOR CORE AND ASSOCIATED FEATURES Requirement 43: Performance of fuel elements and assemblies Fuel elements and assemblies for the nuclear power plant shall be designed to maintain their structural integrity, and to withstand satisfactorily the anticipated radiation levels and other conditions in the reactor core, in combination with all the processes of deterioration that could occur in operational states. 6.1. The processes of deterioration to be considered shall include those arising from: differential expansion and deformation; external pressure of the coolant; additional internal pressure due to fission products and the buildup of helium in fuel elements; irradiation of fuel and other materials in the fuel assembly; variations in pressure and temperature resulting from variations in power demand; chemical effects; static and dynamic loading, including flow induced vibrations and mechanical vibrations; and variations in performance in relation to heat transfer that could result from distortions or chemical effects. Allowance shall be made for uncertainties in data, in calculations and in manufacture. 6.2. Fuel design limits shall include limits on the permissible leakage of fission products from the fuel in anticipated operational occurrences so that the fuel remains suitable for continued use. 6.3. Fuel elements and fuel assemblies shall be capable of withstanding the loads and stresses associated with fuel handling. Requirement 44: Structural capability of the reactor core The fuel elements and fuel assemblies and their supporting structures for the nuclear power plant shall be designed so that, in operational states and in accident conditions other than severe accidents, a geometry that allows for adequate cooling is maintained and the insertion of control rods is not impeded.

36

Requirement 45: Control of the reactor core Distributions of neutron flux that can arise in any state of the reactor core in the nuclear power plant. In judging the adequacy of the means of shutdown of the reactor. shall be inherently stable.4. The maximum degree of positive reactivity and its rate of increase by insertion in operational states and accident conditions not involving degradation of the reactor core shall be limited or compensated for to prevent any resultant failure of the pressure boundary of the reactor coolant systems. Adequate means of detecting the neutron flux distributions in the reactor core and their changes shall be provided for the purpose of ensuring that there are no regions of the core in which the design limits could be exceeded. including states arising after shutdown and during or after refuelling. 6. to maintain the capability for cooling and to prevent any significant damage to the reactor core. due account shall be taken of wear out and of the effects of irradiation. speed of action and shutdown margin of the means of shutdown of the reactor shall be such that the specified design limits for fuel are not exceeded.8. 37 . such as burnup.7. The demands made on the control system for maintaining the shapes.6. 6. and that the shutdown condition can be maintained even for the most reactive conditions of the reactor core. The effectiveness. and states arising from anticipated operational occurrences and from accident conditions not involving degradation of the reactor core. levels and stability of the neutron flux within specified design limits in all operational states shall be minimized. In the design of reactivity control devices. 6. changes in physical properties and production of gas. 6. 6. Requirement 46: Reactor shutdown Means shall be provided to ensure that there is a capability to shut down the reactor of the nuclear power plant in operational states and in accident conditions. consideration shall be given to failures arising anywhere in the plant that could render part of the means of shutdown inoperative (such as failure of a control rod to insert) or that could result in a common cause failure.5.

10. thereby permitting the timely detection of flaws. 6. even for the most reactive conditions of the reactor core. 6. and any flaws that are initiated would propagate in a regime of high resistance to unstable fracture and to rapid crack propagation.12. inadequate design standards. Instrumentation shall be provided and tests shall be specified for ensuring that the means of shutdown are always in the state stipulated for a given plant state. or during refuelling operations or other routine or non-routine operations in the shutdown state. At least one of the two different shutdown systems shall be capable. 6. The means for shutting down the reactor shall consist of at least two diverse and independent systems. Pipework connected to the pressure boundary of the reactor coolant systems for the nuclear power plant shall be equipped with adequate isolation devices to limit any loss of radioactive fluid (primary coolant) and to prevent the loss of coolant through interfacing systems.13.6. The means of shutdown shall be adequate to prevent any foreseeable increase in reactivity leading to unintentional criticality during the shutdown. 6. REACTOR COOLANT SYSTEMS Requirement 47: Design of reactor coolant systems The components of the reactor coolant systems for the nuclear power plant shall be designed and constructed so that the risk of faults due to inadequate quality of materials.14. insufficient capability for inspection or inadequate quality of manufacture is minimized. 38 . 6. of maintaining the reactor subcritical by an adequate margin and with high reliability. The design of the reactor coolant pressure boundary shall be such that flaws are very unlikely to be initiated. The design of the reactor coolant systems shall be such as to ensure that plant states in which components of the reactor coolant pressure boundary could exhibit embrittlement are avoided. 6. on its own.15.9.11.

shall be such as to minimize the likelihood of failure and consequential damage to other components of the primary coolant system that are important to safety.17. Requirement 48: Overpressure protection of the reactor coolant pressure boundary Provision shall be made to ensure that the operation of pressure relief devices will protect the pressure boundary of the reactor coolant systems against overpressure and will not lead to the release of radioactive material from the nuclear power plant directly to the environment. including activated corrosion products and fission products deriving from the fuel. temperature and pressure of the reactor coolant to ensure that specified design limits are not exceeded in any operational state of the nuclear power plant.6. The design of the components contained inside the reactor coolant pressure boundary. Requirement 51: Removal of residual heat from the reactor core Means shall be provided for the removal of residual heat from the reactor core in the shutdown state of the nuclear power plant such that the design 39 . Requirement 49: Inventory of reactor coolant Provision shall be made for controlling the inventory. with due allowance made for deterioration that might occur in service. and to ensure that the requirements are met for radioactive releases to be as low as reasonably achievable and below the authorized limits on discharges. 6. with due account taken of volumetric changes and leakage. such as pump impellers and valve parts.16. with a conservative margin to ensure that the plant can be operated with a level of circuit activity that is as low as reasonably practicable. The capabilities of the necessary plant systems shall be based on the specified design limit on permissible leakage of the fuel. in all operational states and in design basis accident conditions. and non-radioactive substances. Requirement 50: Cleanup of reactor coolant Adequate facilities shall be provided at the nuclear power plant for the removal from the reactor coolant of radioactive substances.

19. 6. The means provided for cooling of the reactor core shall be such as to ensure that: (a) (b) (c) (d) The limiting parameters for the cladding or for integrity of the fuel (such as temperature) will not be exceeded. CONTAINMENT STRUCTURE AND CONTAINMENT SYSTEM Requirement 54: Containment system for the reactor A containment system shall be provided to ensure.18 with adequate reliability for each postulated initiating event.18. the reactor coolant pressure boundary and structures important to safety are not exceeded. The effectiveness of the means of cooling of the reactor core compensates for possible changes in the fuel and in the internal geometry of the reactor core. Possible chemical reactions are kept to an acceptable level. 6. Design features (such as leak detection systems. Cooling of the reactor core will be ensured for a sufficient time. the fulfilment of the following safety functions at the nuclear power plant: (i) confinement of radioactive substances in operational states and in accident conditions. This function shall be carried out with very high levels of reliability for all plant states.limits for fuel. Requirement 53: Heat transfer to an ultimate heat sink Systems shall be provided to transfer residual heat from items important to safety at the nuclear power plant to an ultimate heat sink. 6. (ii) protection of the reactor against natural external 40 . appropriate interconnections and capabilities for isolation) and suitable redundancy and diversity shall be provided to fulfil the requirements of para. Requirement 52: Emergency cooling of the reactor core Means of cooling the reactor core shall be provided to restore and maintain cooling of the fuel under accident conditions at the nuclear power plant even if the integrity of the pressure boundary of the primary coolant system is not maintained. or to contribute to.

The penetrations shall be protected against reaction forces caused by pipe movement or accidental loads such as those due to missiles caused by external or internal events.events and human induced events and (iii) radiation shielding in operational states and in accident conditions. The number of penetrations through the containment shall be kept to a practical minimum and all penetrations shall meet the same design requirements as the containment structure itself.22. jet forces and pipe whip. 6. during the operating lifetime of the plant. however. The containment structure and the systems and components affecting the leaktightness of the containment system shall be designed and constructed so that the leak rate can be tested after all penetrations through the containment have been installed and. Containment isolation valves or check valves shall be located as close to 11 In most cases. 41 .20. if necessary. depending on the design.21. Requirement 55: Control of radioactive releases from the containment The design of the containment shall be such as to ensure that any release of radioactive material from the nuclear power plant to the environment is as low as reasonably achievable. Requirement 56: Isolation of the containment Each line that penetrates the containment at a nuclear power plant as part of the reactor coolant pressure boundary or that is connected directly to the containment atmosphere shall be automatically and reliably sealable in the event of an accident in which the leaktightness of the containment is essential to preventing radioactive releases to the environment that exceed acceptable limits. 6. 6. is below the authorized limits on discharges in operational states and is below acceptable limits in accident conditions. one containment isolation valve or check valve is outside the containment and the other is inside the containment. Lines that penetrate the containment as part of the reactor coolant pressure boundary and lines that are connected directly to the containment atmosphere shall be fitted with at least two adequate containment isolation valves or check valves arranged in series11 and shall be provided with suitable leak detection systems. so that the leak rate can be tested at the containment design pressure. Other arrangements might be acceptable.

22 would reduce the reliability of a safety system that includes a penetration of the containment. liquid or solid substances that might be released inside the containment and that could affect the operation of systems important to safety. 6. Requirement 58: Control of containment conditions Provision shall be made to control the pressure and temperature in the containment at a nuclear power plant and to control any buildup of fission products or other gaseous. Requirement 57: Access to the containment Access by operating personnel to the containment at a nuclear power plant shall be through airlocks equipped with doors that are interlocked to ensure that at least one of the doors is closed during reactor power operation and in accident conditions.25.22 shall be permissible for specific classes of lines such as instrumentation lines. provision for ensuring protection and safety for operating personnel shall be specified in the design. The containment isolation valves shall be located outside the containment and as close to the containment as is practicable. provision for ensuring protection and safety for operating personnel shall be specified in the design. 6. Where equipment airlocks are provided. and each valve shall be capable of reliable and independent actuation and of being periodically tested. Each line that penetrates the containment and is neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere shall have at least one adequate containment isolation valve. Exceptions to the requirements for containment isolation stated in para.23. 6. 6. Containment openings for the movement of equipment or material through the containment shall be designed to be closed quickly and reliably in the event that isolation of the containment is required. 6. or in cases in which application of the methods of containment isolation specified in para.24. 6. 42 .26.the containment as is practicable. Where provision is made for entry of operating personnel for surveillance purposes.

29. 43 . INSTRUMENTATION AND CONTROL SYSTEMS Requirement 59: Provision of instrumentation Instrumentation shall be provided for determining the values of all the main variables that can affect the fission process. Coverings. oxygen and other substances in the containment atmosphere in accident conditions so as to prevent deflagration or detonation loads that could challenge the integrity of the containment.27. The cross-sections of openings between compartments shall be of such dimensions as to ensure that the pressure differentials occurring during pressure equalization in accident conditions do not result in unacceptable damage to the pressure bearing structure or to systems that are important in mitigating the effects of accident conditions. To control the concentrations of hydrogen. in order to reduce the pressure and temperature in the containment. oxygen and other substances that might be released into the containment shall be provided as necessary: (a) (b) To reduce the amounts of fission products that could be released to the environment in accident conditions.30. The capability to remove heat from the containment shall be ensured. for determining the status of the plant in accident conditions and for making decisions for the purposes of accident management. 6. hydrogen. The systems performing the function of removal of heat from the containment shall have sufficient reliability and redundancy to ensure that this function can be fulfilled. the integrity of the reactor core. The design shall provide for sufficient flow routes between separate compartments inside the containment. 6. thermal insulations and coatings. thermal insulations and coatings for components and structures within the containment system shall be carefully selected and methods for their application shall be specified to ensure the fulfilment of their safety functions and to minimize interference with other safety functions in the event of deterioration of the coverings. Design features to control fission products.28. and to maintain them at acceptably low levels after any accidental release of high energy fluids. for obtaining essential information on the plant that is necessary for its safe and reliable operation. 6.6. the reactor coolant systems and the containment at the nuclear power plant.

The design: (a) Shall prevent operator actions that could compromise the effectiveness of the protection system in operational states and in accident conditions. 6. With fail-safe characteristics to achieve safe plant conditions in the event of failure of the protection system. The protection system shall be designed: (a) (b) To be capable of overriding unsafe actions of the control system. 6. Shall automate various safety actions to actuate safety systems so that operator action is not necessary within a justified period of time from the onset of anticipated operational occurrences or accident conditions.31. Requirement 60: Control systems Appropriate and reliable control systems shall be provided at the nuclear power plant to maintain and limit the relevant process variables within the specified operational ranges.32.6. for predicting the locations of release and the amount of radioactive material that could be released from the locations that are so intended in the design. Shall make relevant information available to the operator for monitoring the effects of automatic actions. and for post-accident analysis.33. (b) (c) Requirement 62: Reliability and testability of instrumentation and control systems Instrumentation and control systems for items important to safety at the nuclear power plant shall be designed for high functional reliability and 44 . but not counteract correct operator actions in accident conditions. Instrumentation and recording equipment shall be provided to ensure that essential information is available for monitoring the status of essential equipment and the course of accidents. Requirement 61: Protection system A protection system shall be provided at the nuclear power plant that has the capability to detect unsafe plant conditions and to initiate safety actions automatically to actuate the safety systems necessary for achieving and maintaining safe plant conditions.

and in particular throughout the software development cycle. the input signal. 6. Safety systems shall be designed to permit periodic testing of their functionality when the plant is in operation.35. or part of a safety system. When a safety system. For computer based equipment in safety systems or safety related systems: (a) (b) A high quality of. 6. Design techniques such as testability. Requirement 63: Use of computer based equipment in systems important to safety If a system important to safety at the nuclear power plant is dependent upon computer based equipment. hardware and software shall be used. including a self-checking capability where necessary.37. and the necessary high reliability of the equipment cannot be (c) (d) 45 . and best practices for. The design shall permit all aspects of functionality testing for the sensor.34.36. including control. The entire development shall be subject to a quality management system. functional diversity and diversity in component design and in concepts of operation shall be used to the extent practicable to prevent loss of a safety function. in accordance with the importance of the system to safety. the final actuator and the display. 6. 6. Where safety functions are essential for achieving and maintaining safe conditions. fail-safe characteristics. An assessment of the equipment shall be undertaken by experts who are independent of the design team and the supplier team to provide assurance of its high reliability. has to be taken out of service for testing. The entire development process. adequate provision shall be made for the clear indication of any protection system bypasses that are necessary for the duration of the testing or maintenance activities. appropriate standards and practices for the development and testing of computer hardware and software shall be established and implemented throughout the service life of the system. shall be systematically documented and shall be reviewable. including the possibility of testing channels independently for the detection of failures and losses of redundancy.periodic testability commensurate with the safety function(s) to be performed. testing and commissioning of design changes.

including the provision of barriers between the control room at the nuclear power plant and the external environment. preferably at a single location (a supplementary control room) that is physically. Requirement 65: Control room A control room shall be provided at the nuclear power plant from which the plant can be safely operated in all operational states. and from which measures can be taken to maintain the plant in a safe state or to bring it back into a safe state after anticipated operational occurrences and accident conditions. Requirement 64: Separation of protection systems and control systems Interference between protection systems and control systems at the nuclear power plant shall be prevented by means of separation. diverse means of ensuring fulfilment of the safety functions shall be provided. 46 .39. system operation. or explosive or toxic gases. both internal and external to the control room. fire. by avoiding interconnections or by suitable functional independence. Appropriate measures shall be taken.38. If signals are used in common by both a protection system and any control system.(e) (f) demonstrated with a high level of confidence. either automatically or manually. Special attention shall be paid to identifying those events. and the design shall provide for reasonably practicable measures to minimize the consequences of such events. Requirement 66: Supplementary control room Instrumentation and control equipment shall be kept available. that could challenge its continued operation. or deliberate interference with.40. 6. separation (such as by adequate decoupling) shall be ensured and the signal system shall be classified as part of the protection system. Protection shall be provided against accidental disruption of. 6. release of radioactive material. Common cause failures deriving from software shall be taken into consideration. 6. and adequate information shall be provided for the protection of occupants of the control room against hazards such as high radiation levels resulting from accident conditions.

The requirements of para. Appropriate measures shall be taken to protect the occupants of the emergency control centre for a protracted time against hazards resulting from accident conditions. residual heat can be removed. shall be provided from which an emergency response can be directed at the nuclear power plant. capacity and continuity.39 for taking appropriate measures and providing adequate information for the protection of occupants against hazards also apply for the supplementary control room at the nuclear power plant. due account shall be taken of the postulated initiating events and the associated safety functions to be performed. 47 . and essential plant variables can be monitored if there is a loss of ability to perform these essential safety functions in the control room. availability. 6. 6.43. the supplementary control room and other important locations at the plant. Information about important plant parameters and radiological conditions at the nuclear power plant and in its immediate surroundings shall be provided in the on-site emergency control centre. duration of the required power supply. The on-site emergency control centre shall provide means of communication with the control room.42. in the event of the loss of off-site power. to determine the requirements for capability. In the design basis for the emergency power supply at the nuclear power plant.41. The emergency control centre shall include the necessary systems and services to permit extended periods of occupation and operation by emergency response personnel. EMERGENCY POWER SUPPLY Requirement 68: Emergency power supply The emergency power supply at the nuclear power plant shall be capable of supplying the necessary power in anticipated operational occurrences and accident conditions. and with on-site and offsite emergency response organizations. Requirement 67: Emergency control centre An on-site emergency control centre. The supplementary control room shall be so equipped that the reactor can be placed and maintained in a shutdown state. 6.electrically and functionally separate from the control room at the nuclear power plant. separate from both the plant control room and the supplementary control room. 6.

6. A prime mover is a component (such as a motor. SUPPORTING SYSTEMS AND AUXILIARY SYSTEMS Requirement 69: Performance of supporting systems and auxiliary systems The design of supporting systems and auxiliary systems shall be such as to ensure that the performance of these systems is consistent with the safety significance of the system or component that they serve at the nuclear power plant. The combined means to provide emergency power (such as water.46. The design of heat transport systems shall be such as to ensure that nonessential parts of the systems can be isolated. such as coolant systems. The design basis for any diesel engine or other prime mover12 that provides an emergency power supply to items important to safety shall include: (a) (b) (c) The capability of the associated fuel oil storage and supply systems to satisfy the demand within the specified time period. steam or gas turbines.45. solenoid operator or pneumatic operator) that converts energy into action when commanded by an actuation device. 12 48 . and their functional capability shall be testable. Auxiliary systems of the prime mover. diesel engines or batteries) shall have a reliability and type that are consistent with all the requirements of the safety systems to be supplied with power. 6.44. The capability of the prime mover to start and to function successfully under all specified conditions and at the required time. 6. Requirement 70: Heat transport systems Auxiliary systems shall be provided as appropriate to remove heat from systems and components at the nuclear power plant that are required to function in operational states and in accident conditions.

Requirement 73: Air conditioning systems and ventilation systems Systems for air conditioning. 6.47. in a timely manner. 49 . air heating. the concentration of specified radionuclides in fluid process systems. air cooling and ventilation shall be provided as appropriate in auxiliary rooms or other areas at the nuclear power plant to maintain the required environmental conditions for systems and components important to safety in all plant states. and for the collection of process samples. in all operational states and in accident conditions at the nuclear power plant. To keep the levels of airborne radioactive substances in the plant below authorized limits and as low as reasonably achievable. To control releases of gaseous radioactive material to the environment below the authorized limits on discharges and to keep them as low as reasonably achievable. Appropriate means shall be provided at the nuclear power plant for the monitoring of activity in fluid systems that have the potential for significant contamination.Requirement 71: Process sampling systems and post-accident sampling systems Process sampling systems and post-accident sampling systems shall be provided for determining. 6. To reduce the concentration of airborne radioactive substances to levels compatible with the need for access by personnel to the area.48. flow rate and cleanness of the air to be provided. and in gas and liquid samples taken from systems or from the environment. Systems shall be provided for the ventilation of buildings at the nuclear power plant with appropriate capability for the cleaning of air: (a) (b) (c) (d) (e) To prevent unacceptable dispersion of airborne radioactive substances within the plant. To ventilate rooms containing inert gases or noxious gases without impairing the capability to control radioactive effluents. Requirement 72: Compressed air systems The design basis for any compressed air system that serves an item important to safety at the nuclear power plant shall specify the quality.

50.52. 6.54.51. Non-combustible or fire retardant and heat resistant materials shall be used wherever practicable throughout the plant. including fire detection systems and fire extinguishing systems. Fire extinguishing systems shall be designed and located to ensure that their rupture or spurious or inadvertent operation would not significantly impair the capability of items important to safety.6. fire containment barriers and smoke control systems.49. Fire extinguishing systems shall be capable of automatic actuation where appropriate. The fire protection systems installed at the nuclear power plant shall be capable of dealing safely with fire events of the various types that are postulated. Fire detection systems shall be designed to provide operating personnel promptly with information on the location and spread of any fires that start. shall be provided throughout the nuclear power plant. with due account taken of the results of the fire hazard analysis. Requirement 75: Lighting systems Adequate lighting shall be provided in all operational areas of the nuclear power plant in operational states and in accident conditions. 6. in particular in locations such as the containment and the control room.53. 50 . Areas of higher contamination at the plant shall be maintained at a negative pressure differential (partial vacuum) with respect to areas of lower contamination and other accessible areas. 6. 6. Requirement 74: Fire protection systems Fire protection systems. 6. Fire detection systems and fire extinguishing systems that are necessary to protect against a possible fire following a postulated initiating event shall be appropriately qualified to resist the effects of the postulated initiating event.

The design of the steam supply system shall provide for appropriately rated and qualified steam isolation valves capable of closing under the specified conditions in operational states and in accident conditions. 51 . 6. 6. feedwater system and turbine generators for the nuclear power plant shall be such as to ensure that the appropriate design limits of the reactor coolant pressure boundary are not exceeded in operational states or in accident conditions.Requirement 76: Overhead lifting equipment Overhead lifting equipment shall be provided for lifting and lowering items important to safety at the nuclear power plant. Such equipment can be used only in specified plant states (by means of safety interlocks on the crane).58.57. The steam supply system and the feedwater systems shall be of sufficient capacity and shall be designed to prevent anticipated operational occurrences from escalating to accident conditions.55. OTHER POWER CONVERSION SYSTEMS Requirement 77: Steam supply system. The plant layout permits safe movement of the overhead lifting equipment and of items being transported. and measures shall be taken to minimize the possible effects of turbine generated missiles on items important to safety. 6. 6. The turbine generators shall be provided with appropriate protection such as overspeed protection and vibration protection. feedwater system and turbine generators The design of the steam supply system.56. and for lifting and lowering other items in the proximity of items important to safety. The overhead lifting equipment shall be designed so that: (a) (b) (c) (d) (e) Measures are taken to prevent the lifting of excessive loads. Such equipment for use in areas where items important to safety are located is seismically qualified. Conservative design measures are applied to prevent any unintentional dropping of loads that could affect items important to safety.

and filter cartridges can be replaced while maintaining the throughput of air. 6.TREATMENT OF RADIOACTIVE EFFLUENTS AND RADIOACTIVE WASTE Requirement 78: Systems for treatment and control of waste Systems shall be provided for treating solid radioactive waste and liquid radioactive waste at the nuclear power plant to keep the amounts and concentrations of radioactive releases below the authorized limits on discharges and as low as reasonably achievable. 52 . The design of the plant shall incorporate appropriate features to facilitate the movement.62. Systems and facilities shall be provided for the management and storage of radioactive waste on the nuclear power plant site for a period of time consistent with the availability of the relevant disposal option. 6. their performance and function can be regularly monitored over their service life.63. 6. Consideration shall be given to the provision of access to facilities and to capabilities for lifting and for packaging. Requirement 79: Systems for treatment and control of effluents Systems shall be provided at the nuclear power plant for treating liquid and gaseous radioactive effluents to keep their amounts below the authorized limits on discharges and as low as reasonably achievable.61. The design of the plant shall incorporate suitable means to keep the release of radioactive liquids to the environment as low as reasonably achievable and to ensure that radioactive releases remain below the authorized limits on discharges. The cleanup equipment for the gaseous radioactive substances shall provide the necessary retention factor to keep radioactive releases below the authorized limits on discharges. Filter systems shall be designed so that their efficiency can be tested. 6.59. 6. transport and handling of radioactive waste.60. Liquid and gaseous radioactive effluents shall be treated at the plant so that exposure of members of the public due to discharges to the environment is as low as reasonably achievable.

In addition. The design of the plant shall be such as to prevent any significant damage to items important to safety during the transfer of fuel or casks. 6. 6. nuclear fuel.66. or loss of control over. 6. To provide for the identification of individual fuel assemblies. The design of the plant shall incorporate appropriate features to facilitate the lifting. To permit maintenance. To prevent the dropping of fuel in transit. even under conditions of optimum moderation. The fuel handling and storage systems for irradiated and non-irradiated fuel shall be designed: (a) To prevent criticality by a specified margin. by physical means or by means of physical processes. (b) (c) (d) (e) (f) (g) (h) 6. 53 .65. and preferably by use of geometrically safe configurations.67.FUEL HANDLING AND STORAGE SYSTEMS Requirement 80: Fuel handling and storage systems Fuel handling and storage systems shall be provided at the nuclear power plant to ensure that the integrity and properties of the fuel are maintained at all times during fuel handling and storage. To ensure that adequate operating procedures and a system of accounting for. the fuel handling and storage systems for irradiated fuel shall be designed: (a) (b) (c) To permit adequate removal of heat from the fuel in operational states and in accident conditions. To prevent causing unacceptable handling stresses on fuel elements or fuel assemblies.64. nuclear fuel can be implemented to prevent any loss of. or in the event of fuel or casks being dropped. movement and handling of fresh fuel and spent fuel. periodic inspection and testing of components important to safety. To prevent damage to the fuel. and control of. To permit inspection of the fuel. To prevent the dropping of spent fuel in transit. To provide proper means for meeting the relevant requirements for radiation protection.

water chemistry and activity of any water in which irradiated fuel is handled or stored. and that the relevant dose constraints will be taken into consideration. and exposures and radiation risks associated with them shall be kept as low as reasonably achievable (see footnote 4). To facilitate maintenance and future decommissioning of fuel handling and storage facilities. with adequate margins. anti-siphon measures). RADIATION PROTECTION Requirement 81: Design for radiation protection Provision shall be made for ensuring that doses to operating personnel at the nuclear power plant will be maintained below the dose limits and will be kept as low as reasonably achievable. 54 . 6. and the generation and transport of corrosion products and activation products shall be controlled. To control levels of soluble absorber if this is used for criticality safety. the integrity of the fuel cladding shall be maintained. cranes or other objects.(d) (e) (f) (g) (h) (i) (j) To prevent the potentially damaging dropping on the fuel of heavy objects such as spent fuel casks. To accommodate.69. Radiation sources throughout the plant shall be comprehensively identified. 6. all the fuel removed from the reactor in accordance with the strategy for core management that is foreseen and the amount of fuel in the full reactor core.e. Means for preventing the uncovering of fuel assemblies in the pool in the event of a pipe break (i. To facilitate the removal of fuel from storage and its preparation for off-site transport. To permit safe keeping of suspect or damaged fuel elements or fuel assemblies. For reactors using a water pool system for fuel storage.68. the design of the plant shall include the following: (a) (b) (c) Means for controlling the temperature. To facilitate decontamination of fuel handling and storage areas and equipment when necessary. Means for monitoring and controlling the water level in the fuel storage pool and means for detecting leakage.

Requirement 82: Means of radiation monitoring Equipment shall be provided at the nuclear power plant to ensure that there is adequate radiation monitoring in operational states and design basis accident conditions and. 6. maintenance and inspection can be kept as low as reasonably achievable. Materials used in the manufacture of structures.72. provision shall be made for preventing the release or the dispersion of radioactive substances.70.74. and that exposures and contamination are prevented or reduced by this means and by means of ventilation systems. 6. Facilities shall be provided for the decontamination of operating personnel and plant equipment. and due account shall be taken of the necessity for any special equipment to be provided to meet these requirements. as far as is practicable. in design extension conditions. 6. maintenance and inspection) and to potential radiation levels and contamination levels in accident conditions. Plant equipment subject to frequent maintenance or manual operation shall be located in areas of low dose rate to reduce the exposure of workers.76. refuelling.6.75. The plant layout shall be such that the doses received by operating personnel during normal operation. 55 .77.71. radioactive waste and contamination at the plant. systems and components shall be selected to minimize activation of the material as far as is reasonably practicable. For the purposes of radiation protection. 6.73. 6. The plant layout shall be such as to ensure that access of operating personnel to areas with radiation hazards and areas of possible contamination is adequately controlled. 6. Stationary dose rate meters shall be provided for monitoring local radiation dose rates at plant locations that are routinely accessible by operating personnel and where the changes in radiation levels in operational states could be such that access is allowed only for certain specified periods of time. The plant shall be divided into zones that are related to their expected occupancy. and to radiation levels and contamination levels in operational states (including refuelling. 6. Shielding shall be provided so that radiation exposure is prevented or reduced.

Radiological impacts. 6. Stationary monitors (e.g.6.84. of radioactive substances. The possibility of there being any unauthorized routes for radioactive releases. portal radiation monitors. the concentrations of selected radionuclides in fluid process systems. Monitors shall also be provided in areas subject to possible contamination as a result of equipment failure or other unusual circumstances. including the food chain.81. 6. Stationary dose rate meters shall be installed to indicate the general radiation levels at suitable plant locations in accident conditions. Processes shall be put in place for assessing and for recording the cumulative doses to workers over time.79. Instruments shall be provided for measuring surface contamination. and accumulation in the environment.80.83. 56 .78. with particular reference to: (a) (b) (c) (d) Exposure pathways to people. Facilities shall be provided for monitoring for exposure and contamination of operating personnel. on the local environment. in the vicinity of the plant by environmental monitoring of dose rates or activity concentrations.82. 6. 6. in operational states and in accident conditions. The stationary dose rate meters shall provide sufficient information in the control room or in the appropriate control position that operating personnel can initiate corrective action if necessary. 6. in a timely manner. Stationary equipment shall be provided for monitoring radioactive effluents and effluents with possible contamination prior to or during discharges from the plant to the environment. hand and foot monitors) shall be provided at the main exit points from controlled areas and supervised areas to facilitate the monitoring of operating personnel and equipment. Stationary equipment and laboratory facilities shall be provided for determining. The possible buildup. These systems shall provide an indication in the control room or in other appropriate locations when a high activity concentration of radionuclides is detected. and in gas and liquid samples taken from plant systems or from the environment. if any. 6. Arrangements shall be made to assess exposures and other radiological impacts. if any. Stationary monitors shall be provided for measuring the activity of radioactive substances in the atmosphere in those areas routinely occupied by operating personnel and where the levels of activity of airborne radioactive substances might be such as to necessitate protective measures.

IAEA Safety Standards Series No. INSAG-10. INTERNATIONAL ATOMIC ENERGY AGENCY. Vienna (2006). GSR Part 3. GSR Part 4. INTERNATIONAL ATOMIC ENERGY AGENCY. FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS. Vienna (1999). INTERNATIONAL ATOMIC ENERGY AGENCY. Radiation Protection and Safety of Radiation Sources: International Basic Safety Standards (Interim Edition). GS-R-3. WORLD HEALTH ORGANIZATION. OECD NUCLEAR ENERGY AGENCY. IAEA. IAEA. IAEA Safety Standards Series No. [2] [3] [4] [5] [6] [7] [8] [9] [10] 57 . INSAG-12. Safety of Nuclear Power Plants: Commissioning and Operation. IAEA. IAEA Safety Standards Series No. IAEA. IAEA Safety Glossary: Terminology Used in Nuclear Safety and Radiation Protection (2007 Edition). Vienna (2011). IAEA. Vienna (2011). INTERNATIONAL ATOMIC ENERGY AGENCY. IAEA Safety Standards Series No. Vienna (1996). INTERNATIONAL ATOMIC ENERGY AGENCY. INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP. Vienna (2003). IAEA Safety Standards Series No. Safety Assessment for Facilities and Activities. Vienna (2003). Vienna (2006). INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP. The Management System for Facilities and Activities. Vienna (2007). IAEA. Vienna (2009). INTERNATIONAL ATOMIC ENERGY AGENCY. SF-1. 1. IAEA. IAEA. IAEA. INTERNATIONAL ATOMIC ENERGY AGENCY. INSAG-19. Site Evaluation for Nuclear Installations. INTERNATIONAL LABOUR ORGANIZATION. Maintaining the Design Integrity of Nuclear Installations throughout their Operating Life. INTERNATIONAL MARITIME ORGANIZATION. Basic Safety Principles for Nuclear Power Plants. PAN AMERICAN HEALTH ORGANIZATION. UNITED NATIONS ENVIRONMENT PROGRAMME.REFERENCES [1] EUROPEAN ATOMIC ENERGY COMMUNITY. Fundamental Safety Principles. 75-INSAG-3 Rev. IAEA Safety Standards Series No. Defence in Depth in Nuclear Safety. INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP. IAEA. NS-R-3. SSR-2/2.

. .

in which the fundamental safety functions can be ensured and which can be maintained for a time sufficient to implement provisions to reach a safe state. controlled state Plant state. 59 . [beyond design basis accident] This term is superseded by design extension conditions. and which include design basis accidents and design extension conditions. plant states (considered in design) Operational states Accident conditions Normal operation Anticipated operational occurrences Design basis accidents Design extension conditions accident conditions Deviations from normal operation that are less frequent and more severe than anticipated operational occurrences. following an anticipated operational occurrence or accident conditions. design basis accident An accident causing accident conditions for which a facility is designed in accordance with established design criteria and conservative methodology. and for which releases of radioactive material are kept within acceptable limits.DEFINITIONS The following definitions differ from those in the IAEA Safety Glossary (2007 Edition).

and for which releases of radioactive material are kept within acceptable limits. safe state Plant state. following an anticipated operational occurrence or accident conditions. in which the reactor is subcritical and the fundamental safety functions can be ensured and maintained stable for a long time. 60 . safety feature for design extension conditions Item designed to perform a safety function or which has a safety function in design extension conditions. but that are considered in the design process of the facility in accordance with best estimate methodology. Design extension conditions could include severe accident conditions. safety system settings The levels at which safety systems are automatically actuated in the event of anticipated operational occurrences or design basis accidents.design extension conditions Accident conditions that are not considered for design basis accidents. to prevent safety limits from being exceeded.

C. Cowley. Evrad. France Federal Authority for Nuclear Regulation. Fiorini. S. J. India Canadian Nuclear Safety Commission. R. France Commissariat à l’énergie atomique. Englebert.CONTRIBUTORS TO DRAFTING AND REVIEW Antalik.G. Ghadge. United Kingdom Pebble Bed Modular Reactor. France Consultant. Z. M.S. Borysova. Kajimoto. M. L.M. B. Kurkowski. M.J. Buttery.L. El-Shanawany. Canada Radiation and Nuclear Safety Authority. G. J. Slovakia Atomic Energy Agency Organization of Iran. Downing.L. Järvinen. France World Nuclear Association International Atomic Energy Agency Nuclear Power Corporation of India Ltd. Le Cann. 61 . D.M. N. I. M. B. Japan EDF-SEPTEN. Froehmel. Islamic Republic of Iran World Nuclear Association British Energy Generation Ltd. Belgium Institut de radioprotection et de sûreté nucléaire. Nuclear Regulatory Authority of the Slovak Republic. Finland Japan Nuclear Energy Safety Organization. United Kingdom AREVA. South Africa International Atomic Energy Agency Suez-Tractebel. United Arab Emirates Aza. G. Gasparini. Harwood. Carluec. T.

Mertins. Semenas. United States of America International Atomic Energy Agency National Commission for Nuclear Activities Control. W. Valtonen. J. Germany Nuclear and Industrial Safety Agency. C. Germany Secretariat of the Nuclear Safety Commission. Uhrik. Canada Nuclear Regulatory Authority of the Slovak Republic. G. Nature Conservation and Nuclear Safety. Ziakova. T. Tronea. K. Wassilew. Toth.und Reaktorsicherheit mbH. Japan FORATOM. Thadani. A. Zaiss. Belgium Atomic Energy of Canada Ltd. Slovakia Ohshima. Yashimura. M. Slovakia Radiation and Nuclear Safety Authority. Japan Gesellschaft für Anlagen. R. R. T.R.Matsumoto. C. M. R. Vaughan. Pabarcius. K. M. Lithuania Autorité de sûreté nucléaire. France State Nuclear Power Safety Inspectorate. Lithuania Nuclear Regulatory Commission.J. 62 . United Kingdom Federal Ministry for the Environment. Perez. Japan Nuclear Energy Safety Organization. Japan Lithuanian Energy Institute. P. Finland Nuclear Installations Inspectorate. Romania Nuclear Regulatory Authority of the Slovak Republic. Zemdegs.

W. (TRANSSC). Korea..T. F. J.-E.K.-L. J.. Argentina: Waldman.A.. D. P. L. Egypt: Ibrahim. A. Lithuania: Maksimovas. Slovakia: Uhrik. Morocco: Soufi. Corresponding members receive drafts for comment and other documentation but they do not generally participate in meetings. R. United Kingdom: Weightman. Mexico: Carrera. Pakistan: Rahman.BODIES FOR THE ENDORSEMENT OF IAEA SAFETY STANDARDS An asterisk denotes a corresponding member. Czech Republic: Šváb. Magnusson. Korea.. Y. European Commission: Faross... A. Iran. G. C. Netherlands: van der Wiel.. Indonesia: Antariksawan.. T. R. M. Japan: Fukushima..M.. F. (RASSC).. D. Australia: Le Cann. *Bulgaria: Gledachev. G. M. Hungary: Adorján. Sweden: Larsson. G. Croatia: Valčić. G.J. S. Austria: Sholly. Pather. O.. S...S. Slovenia: Vojnovič. Spain: Barceló Vernet.. M. O. Russian Federation: Adamchik... S.. Russian Federation: Baranaev. I.. (Coordinator). Commission on Safety Standards Argentina: González. *Cyprus: Demetriades..... L. (Chairperson).. Libyan Arab Jamahiriya: Abuzid. M.. Pakistan: Habib. A. Safety Standards Committee Chairpersons: Brach. R... Romania: Biro. G. Poland: Jurkowski.. Switzerland: Flury. Tunisia: Baccouche. C.... Finland: Järvinen.. P.... South Africa: Leotwane. J.... W. T. D.. (WASSC). M.. I. South Africa: Magugumela... S. H. Advisory Group on Nuclear Security: Hashmi. International Commission on Radiological Protection: Holm. Nuclear Safety Standards Committee Algeria: Merrouche. K.. P. Spain: Zarzuela. M... India: Vaze. Israel: Hirshfeld. Japan: Kanda. Two asterisks denote an alternate. B. India: Sharma. Belgium: Samain. Malaysia: Azlina Mohammed Jais. A. M. U. Germany: Wassilew. M. L. *Greece: Camarinopoulos. Australia: Loy. Islamic Republic of: Asgharizadeh.J. I.. Brazil: Vinhas. A.... L. J. A. Y. J. D.. M. S.. F. China: Jingxi Li. E. Brazil: Gromann. China: Liu Hua. P.. Italy: Bava. (NUSSC). Canada: Rzentkowski.. United States of America: Virgilio.A.. Vaughan. Finland: Laaksonen. G.-C. IAEA: Delattre. Ghana: Emi-Reynolds.. M. France: Lacoste.-P. Republic of: Choul-Ho Yun.. Republic of: Hyun-Koon Kim. Belgium: De Boeck. J. Israel: Levanon.A. Lithuania: Demčenko. M. Germany: Majer.... Vietnam: Le-chi Dung. Ukraine: Mykolaichuk. Canada: Jammal. Sweden: Hallman... France: Feron. 63 ... A. Egypt: Barakat. International Nuclear Safety Group: Meserve... OECD Nuclear Energy Agency: Yoshimura. L.

A. L. V. A. J. *Latvia: Salmins.. I. G. *Thailand: Suntarapai. Korea. L. Romania: Rodna.. N. *Cyprus: Demetriades. World Health Organization: Carr.. P. Norway: Saxebol... G. E. M. Turkey: Okyar.. *Cuba: Betancourt Hernandez. A. W. J.. Indonesia: Widodo. L... IAEA: Boal. C. Egypt: Hassib. International Organization for Standardization: Sevestre. S.I. M... Australia: Melbourne. P.. Spain: Amor Calvo.. A. J. J.. C. *Greece: Kamenopoulou... Ghana: Amoako. M. S. R. Z... International Source Suppliers and Producers Association: Fasten. Ireland: Colgan. Paraguay: Romero de Gonzalez..-L. Morocco: Tazi. D. *Bulgaria: Katzarska. United Nations Scientific Committee on the Effects of Atomic Radiation: Crick.M. (Chairperson).R... 64 . Slovenia: Sutej. *World Nuclear Association: Borysova. J. Mexico: Delgado Guardado. M.A.-P. Pakistan: Ali. India: Sharma. M. China: Huating Yang. Portugal: Dias de Oliveira. Belgium: van Bladel.. I. Ukraine: Pavlenko. V. M..N.... International Electrotechnical Commission: Bouard.B... Czech Republic: Petrova. G. Israel: Koch. Sweden: Almen. Netherlands: Zuur... A. J. I. Argentina: Massera.E. Iceland: Magnusson.M.. H. Croatia: Kralik.. T. Republic of: Byung-Soo Lee.H. Food and Agriculture Organization of the United Nations: Byron.J. A.... S.. M. Canada: Clement. World Nuclear Association: Saint-Pierre. Iran.. J. G. T.. S.. I. A. OECD Nuclear Energy Agency: Lazo. Russian Federation: Savkin. S. IAEA: Feige.. A. L. Brazil: Rodriguez Rochedo... L. Hungary: Koblinger.. S.... V. United States of America: Mayfield. International Labour Office: Niu. Japan: Kiryu. Pan American Health Organization: Jiménez. Italy: Bologna.. International Electrotechnical Commission: Thompson.. Finland: Markkanen. B. K. Uruguay: Nader. (Coordinator). *Austria: Karg... France: Godet... Ukraine: Shumkova. D.. P. Islamic Republic of: Kardan.. United States of America: Lewis. *Uruguay: Nader. G. E. Y. Malaysia: Hamrah.. Poland: Merta.. V. Lithuania: Mastauskas. U. T. Estonia: Lust. United Kingdom: Vaughan. Slovakia: Jurina. J. M.. International Organization for Standardization: Rannou.. FORATOM: Fourest. A. B.. OECD Nuclear Energy Agency: Reig..Turkey: Bezdegumeli. United Kingdom: Robinson. Libyan Arab Jamahiriya: Busitta... (Chairperson).... Switzerland: Piller. Denmark: Øhlenschlæger.. European Commission: Vigne. European Commission: Janssens. (Coordinator). G. M.. A. South Africa: Olivier. Tunisia: Chékir..R.. M. Philippines: Valdezco. S. I. Radiation Safety Standards Committee *Algeria: Chelbani.. M.... International Commission on Radiological Protection: Valentin. T. Z. Germany: Helming.. A... T.

D. M.. International Organization for Standardization: Malesys. C. Cuba: Fernandez. *Greece: Vogiatzi.. World Nuclear Association: Gorlin. Australia: Sarkar. Mexico: Bautista Arteaga. **Husain.... International Maritime Organization: Rahim. D.. A. **Delgado Guardado. Netherlands: Ter Morshuizen.W. D. Belgium: Cottens.. G. K. Portugal: Buxo da Trindade. S. W. A. Turkey: Ertürk.. International Civil Aviation Organization: Rooney. G. S.. S. C. A..M. *Austria: Fischer.. A.. G.. India: Agarwal.. I. N. Switzerland: Krietsch. *Nitsche.....G. J.. J. K.. J. C. Thailand: Jerachanchai. Belgium: Blommaert. Uruguay: Nader. France: Rieu.. Ghana: Emi-Reynolds. H... J. A... Croatia: Trifunovic. G.. E... *Cuba: Quevedo Garcia... International Source Supplies and Producers Association: Miller. Pakistan: Rashid. S.E. Indonesia: Wisnubroto. M. Austria: Kirchnawy. *Cyprus: Demetriades. Iran. India: Rana. Estonia: Lust. **Alter. Brach. Malaysia: Sobari. Islamic Republic of: Eshraghi.. China: Xiaoqing Li. T. Universal Postal Union: Bowers.E. (Chairperson)... A... (Coordinator). P. M...L.. L. Germany: Rein. *Emamjomeh. S.. Russian Federation: Buchelnikov. *Bulgaria: Simeonov. **Svahn.. Denmark: Nielsen. F. M. A... F. K. European Commission: Binet.. R. G.. **Roughan.. **Gessl. United States of America: Boyle. R.. Czech Republic: Ducháček. South Africa: Hinrichsen.. W. K. Japan: Hanaki. Islamic 65 . J. M.. E.. France: Landier.T. *New Zealand: Ardouin. Canada: Howard. Korea. R. Israel: Koch. Iran. Egypt: Mohamed.. Czech Republic: Lietava. Lithuania: Statkus. United Kingdom: Sallit. United Nations Economic Commission for Europe: Kervella... Brazil: Tostes. Z. Brazil: Xavier. Hungary: Sáfár. J. Greece: Tzika. J. Ukraine: Lopatin.M. E. Norway: Hornkjøl. D. *Paraguay: More Torres.. Y. Australia: Williams. Italy: Trivelloni. **Capadona.W. Libyan Arab Jamahiriya: Kekli.K. I. I. Indonesia: Wisnubroto. Argentina: Biaggio. A. D. U.. Croatia: Belamarić.. K.. F. Canada: Régimbald. China: Zhimin Qu.. Spain: Zamora Martin. D. World Nuclear Transport Institute: Green. M. L. Hungary: Czoch... A. J. Waste Safety Standards Committee Algeria: Abdenacer.. Bulgaria: Bakalova.T. P... Germany: Götz.P.. J. J.. N. *Cabral..Transport Safety Standards Committee Argentina: López Vietri.. Egypt: El-Shinawy. B. Poland: Dziubiak..J. A. A.P.. A. P..... **Orsini.. D. Denmark: Breddam.. P..M. F. V. H.. P.. International Air Transport Association: Brennan.. S.M.A. A. Sweden: Häggblom...R... International Federation of Air Line Pilots’ Associations: Tisdall. *Morocco: Allach. Republic of: Dae-Hyung Cho. IAEA: Stewart. S.. Ghana: Faanu. V. Ireland: Duffy. Finland: Lahkola.. A.. S.... D... O. Cyprus: Demetriades.M.. A. T. D.. Finland: Hutri..

. *European Nuclear Installations Safety Standards: Zaiss.. Poland: Wlodarski..... European Nuclear Installations Safety Standards: Lorenz. R. Israel: Dody.. G. Mexico: Aguirre Gómez.. *Thailand: Supaokit. M. Korea... J. Malaysia: Sudin. S.. V.. T.. OECD Nuclear Energy Agency: Riotte. United Kingdom: Chandler.. Lithuania: Paulikas. A. A. Spain: Sanz Aludan.. Japan: Matsuo.. United States of America: Camper.. Republic of: Won-Jae Park. H. Slovenia: Mele. European Commission: Necheva. A. Tunisia: Bousselmi. S. Portugal: Flausino de Paiva.. *Zarghami. J. M. G. J. World Nuclear Association: Saint-Pierre. C. L. *Latvia: Salmins. M.. I.. Turkey: Özdemir. M... International Source Suppliers and Producers Association: Fasten. H. (Chairperson). (Coordinator)...Republic of: Assadi.. Italy: Dionisi. South Africa: Pather.... W. H. W. *Uruguay: Nader. *Morocco: Barkouch. M. Slovakia: Homola. P.. M. Switzerland: Wanner. 66 . Ukraine: Makarovska. Libyan Arab Jamahiriya: Elfawares. *Paraguay: Idoyaga Navarro. T. International Organization for Standardization: Hutson.. H... IAEA: Siraky. M. R. B. Sweden: Frise.. O. Pakistan: Mannan. A. A... Netherlands: van der Shaaf. M. Iraq: Abbas. L.

LUMDNDXSSD 32 %2.@ $8675$/.$($ SXEOLFDWLRQV .$ %(/*.HVNXVNDWX .80 &$1$'$ 1R  :KHUH WR RUGHU .$($ SXEOLFDWLRQV PD\ EH SXUFKDVHG IURP WKH VRXUFHV OLVWHG EHORZ RU IURP PDMRU ORFDO ERRNVHOOHUV 3D\PHQW PD\ EH PDGH LQ ORFDO FXUUHQF\ RU ZLWK 81(6&2 FRXSRQV '$ .OHFDNRYD    3UDKD  7HOHSKRQH    ‡ )D[    (PDLO QDNXS#VXZHFRF] ‡ :HE VLWH KWWSZZZVXZHFRF] ).  .$($ 3XEOLFDWLRQV LQ &KLQHVH &KLQD 1XFOHDU (QHUJ\ .QGXVWU\ &RUSRUDWLRQ 7UDQVODWLRQ 6HFWLRQ 32 %R[  %HLMLQJ &=(&+ 5(38%/.1/$1' $NDWHHPLQHQ .7&+$0  7HOHSKRQH     ‡ )D[     (PDLO VHUYLFH#GDGLUHFWFRPDX ‡ :HE VLWH KWWSZZZGDGLUHFWFRPDX -HDQ GH /DQQR\ DYHQXH GX 5RL  % %UXVVHOV 7HOHSKRQH      ‡ )D[      (PDLO MHDQGHODQQR\#LQIRERDUGEH ‡ :HE VLWH KWWSZZZMHDQGHODQQR\EH %HUQDQ $VVRFLDWHV  )RUEHV %OYG 6XLWH  /DQKDP 0'  86$ 7HOHSKRQH  ‡ )D[  (PDLO FXVWRPHUFDUH#EHUQDQFRP ‡ :HE VLWH KWWSZZZEHUQDQFRP 5HQRXI 3XEOLVKLQJ &RPSDQ\ /WG  &DQRWHN 5G 2WWDZD 2QWDULR ..Q WKH IROORZLQJ FRXQWULHV .& 6XZHFR &= 652 .- 7HOHSKRQH    ‡ )D[    (PDLO RUGHUGHSW#UHQRXIERRNVFRP ‡ :HE VLWH KWWSZZZUHQRXIERRNVFRP &+.1$ .QIRUPDWLRQ 6HUYLFHV  :KLWHKRUVH 5RDG 0.

 0LODQ 7HOHSKRQH       RU     ‡ )D[       (PDLO LQIR#OLEUHULDDHLRXHX ‡ :HEVLWH ZZZOLEUHULDDHLRXHX .$ $OOLHG 3XEOLVKHUV *URXS VW )ORRU 'XEDVK +RXVH  - 1 +HUHGLD 0DUJ %DOODUG (VWDWH 0XPEDL   7HOHSKRQH    ‡ )D[    (PDLO DOOLHGSO#YVQOFRP ‡ :HE VLWH KWWSZZZDOOLHGSXEOLVKHUVFRP %RRNZHOO  1LUDQNDUL &RORQ\ 'HOKL  7HOHSKRQH       ‡ )D[    (PDLO ERRNZHOO#YVQOQHW .1 +HOVLQNL 7HOHSKRQH     ‡ )D[     (PDLO DNDWLODXV#DNDWHHPLQHQFRP ‡ :HE VLWH KWWSZZZDNDWHHPLQHQFRP )5$1&( )RUP(GLW  UXH -DQVVHQ 32 %R[  ) 3DULV &HGH[  7HOHSKRQH       ‡ )D[       (PDLO IRUPHGLW#IRUPHGLWIU ‡ :HE VLWH KWWSZZZ IRUPHGLWIU /DYRLVLHU 6$6  UXH GH 3URYLJQ\  &DFKDQ &HGH[ 7HOHSKRQH        ‡ )D[       (PDLO URPXDOGYHUULHU#ODYRLVLHUIU ‡ :HE VLWH KWWSZZZODYRLVLHUIU *(50$1< 8129HUODJ 9HUWULHEV XQG 9HUODJV *PE+ $P +RIJDUWHQ  ' %RQQ 7HOHSKRQH       ‡ )D[      RU      (PDLO EHVWHOOXQJ#XQRYHUODJGH ‡ :HE VLWH KWWSZZZXQRYHUODJGH +81*$5< /LEURWUDGH /WG %RRN . ).7$/< /LEUHULD 6FLHQWL¿FD 'RWW /XFLR GL %LDVLR ³$(.28´ 9LD &RURQHOOL  .1'.PSRUW 32 %R[  + %XGDSHVW 7HOHSKRQH     ‡ )D[     ‡ (PDLO ERRNV#OLEURWUDGHKX .

-$3$1 0DUX]HQ &RPSDQ\ /WG  1LKRQEDVKL  FKRPH &KXRNX 7RN\R  7HOHSKRQH     ‡ )D[     (PDLO MRXUQDO#PDUX]HQFRMS ‡ :HE VLWH KWWSZZZPDUX]HQFRMS 5(38%/.QF .25($ ..QWHUQDWLRQDOH 3XEOLFDWLHV %9 0$ GH 5X\WHUVWUDDW $ 1/ %= +DDNVEHUJHQ 7HOHSKRQH  .16 .QIRUPDWLRQ %XVLQHVV 'HSW 6DPKR %OGJ QG )ORRU  <DQJ -DHGRQJ 6HR&KR* 6HRXO  7HOHSKRQH    ‡ )D[    ‡ :HE VLWH KWWSZZZNLQVUHNU 1(7+(5/$1'6 'H /LQGHERRP .& 2) .

  ‡ )D[  .

RSLWDUMHYD  6.7(' . /MXEOMDQD 7HOHSKRQH      ‡ )D[      (PDLO LPSRUWERRNV#FDQNDUMHYD]VL ‡ :HE VLWH KWWSZZZFDQNDUMHYD]VLXYR] 63$.1 'tD] GH 6DQWRV 6$ F -XDQ %UDYR $ ( 0DGULG 7HOHSKRQH      ‡ )D[      (PDLO FRPSUDV#GLD]GHVDQWRVHV FDUPHOD#GLD]GHVDQWRVHV EDUFHORQD#GLD]GHVDQWRVHV MXOLR#GLD]GHVDQWRVHV :HE VLWH KWWSZZZGLD]GHVDQWRVHV 81.1*'20 7KH 6WDWLRQHU\ 2I¿FH /WG .$ &DQNDUMHYD =DOR]ED GG .7&+$0  $XVWUDOLD 7HOHSKRQH     ‡ )D[     (PDLO VHUYLFH#GDGLUHFWFRPDX ‡ :HE VLWH KWWSZZZGDGLUHFWFRPDX 6/29(1..   (PDLO ERRNV#GHOLQGHERRPFRP ‡ :HE VLWH KWWSZZZGHOLQGHERRPFRP 0DUWLQXV 1LMKRII .RUDDOURRG  32 %R[   &= =RHWHUPHHU 7HOHSKRQH     ‡ )D[     (PDLO LQIR#QLMKRIIQO ‡ :HE VLWH KWWSZZZQLMKRIIQO 6ZHWV DQG =HLWOLQJHU EY 32 %R[   6= /LVVH 7HOHSKRQH     ‡ )D[     (PDLO LQIRKR#VZHWVQO ‡ :HE VLWH KWWSZZZVZHWVQO 1(: =($/$1' '$ .QWHUQDWLRQDO 6DOHV $JHQF\ 32 %R[  1RUZLFK 15  *1 7HOHSKRQH RUGHUV.QIRUPDWLRQ 6HUYLFHV  :KLWHKRUVH 5RDG 0.QWHUQDWLRQDO .

     ‡ HQTXLULHV.

     ‡ )D[     (PDLO RUGHUV.

 ERRNRUGHUV#WVRFRXN ‡ HQTXLULHV.

 ERRNHQTXLULHV#WVRFRXN ‡ :HE VLWH KWWSZZZWVRFRXN 2QOLQH RUGHUV '(/7$ .7(' 1$7.216 'HSW . 5RRP '& )LUVW $YHQXH DW WK 6WUHHW 1HZ <RUN 1<  86$ 81.7 34 (PDLO LQIR#SURIERRNVFRP ‡ :HE VLWH KWWSZZZSURIERRNVFRP %RRNV RQ WKH (QYLURQPHQW (DUWKSULQW /WG 32 %R[  6WHYHQDJH 6* 73 7HOHSKRQH   ‡ )D[   (PDLO RUGHUV#HDUWKSULQWFRP ‡ :HE VLWH KWWSZZZHDUWKSULQWFRP 81.QW %RRN :KROHVDOHUV /WG  $OH[DQGUD 5RDG $GGOHVWRQH 6XUUH\ .

&$ %HUQDQ $VVRFLDWHV  )RUEHV %OYG 6XLWH  /DQKDP 0'  7HOHSKRQH  ‡ )D[  (PDLO FXVWRPHUFDUH#EHUQDQFRP  :HE VLWH KWWSZZZEHUQDQFRP 5HQRXI 3XEOLVKLQJ &RPSDQ\ /WG  3URFWRU $YH 2JGHQVEXUJ 1<  7HOHSKRQH    WROOIUHH.7(' 67$7(6 2) $0(5. 7HOHSKRQH   RU   ‡ )D[   (PDLO SXEOLFDWLRQV#XQRUJ ‡ :HE VLWH KWWSZZZXQRUJ 81.

‡ )D[    WROOIUHH.

(PDLO RUGHUGHSW#UHQRXIERRNVFRP ‡ :HE VLWH KWWSZZZUHQRXIERRNVFRP 2UGHUV DQG UHTXHVWV IRU LQIRUPDWLRQ PD\ DOVR EH DGGUHVVHG GLUHFWO\ WR 0DUNHWLQJ DQG 6DOHV 8QLW .QWHUQDWLRQDO $WRPLF (QHUJ\ $JHQF\ 9LHQQD .QWHUQDWLRQDO &HQWUH 32 %R[   9LHQQD $XVWULD 7HOHSKRQH     RU .

‡ )D[     (PDLO VDOHVSXEOLFDWLRQV#LDHDRUJ ‡ :HE VLWH KWWSZZZLDHDRUJERRNV .

. .

11-42121 .

and I encourage all Member States to make use of them. regulatory bodies and operators everywhere must ensure that nuclear material and radiation sources are used beneficially.Safety through international standards “Governments.” Yukiya Amano Director General INTERNATIONAL ATOMIC ENERGY AGENCY VIENNA ISBN 978–92–0–121510–9 ISSN 1020–525X . The IAEA safety standards are designed to facilitate this. safely and ethically.