ML080720443

Draft Regulatory Guide DG-1190, Manual Initiation of Protective Actions
Accession No.: ML080720443
Issue date: 12/01/2008
From: NRC/RES/DE
To: O'Donnell, Edward, RES/DE/RGB, x6265
Shared Package: ML080720441
References: DG-1190, RG-1.062


Text

U.S. NUCLEAR REGULATORY COMMISSION
December 2008
OFFICE OF NUCLEAR REGULATORY RESEARCH
Division 1

DRAFT REGULATORY GUIDE

Contact: K. Nguyen, (301) 251-7453

DRAFT REGULATORY GUIDE DG-1190
(Proposed Revision 1 of Regulatory Guide 1.62, dated October 1973)

MANUAL INITIATION OF PROTECTIVE ACTIONS

A. INTRODUCTION

This guide describes a method that the staff of the U.S. Nuclear Regulatory Commission (NRC) considers acceptable for use in complying with the NRC's regulations with respect to the means for manual initiation of protective actions provided by otherwise automatically initiated safety systems. To meet these objectives, the means for manual initiation of protective actions must serve a safety-related function to complete all required protective actions for the safety system.

The regulatory framework that the NRC has established for nuclear power plants consists of a number of regulations and supporting guidelines applicable to manual initiation of protective actions, including, but not limited to, General Design Criterion (GDC) 1, Quality Standards and Records; GDC 13, Instrumentation and Control; GDC 21, Protection System Reliability and Testability; and GDC 22, Protection System Independence, as set forth in Appendix A, General Design Criteria for Nuclear Power Plants, to Title 10, Part 50, Domestic Licensing of Production and Utilization Facilities, of the Code of Federal Regulations (10 CFR Part 50) (Ref. 1). GDC 13 requires that appropriate controls shall be provided to maintain variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems within prescribed operating ranges. GDC 21 requires that the protection system shall be designed for high functional reliability. GDC 22 requires that design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.

This regulatory guide is being issued in draft form to involve the public in the early stages of the development of a regulatory position in this area. It has not received final staff review or approval and does not represent an official NRC final staff position.

Public comments are being solicited on this draft guide (including any implementation schedule) and its associated regulatory analysis or value/impact statement. Comments should be accompanied by appropriate supporting data. Written comments may be submitted to the Rulemaking, Directives, and Editing Branch, Office of Administration, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; e-mailed to nrcrep.resource@nrc.gov; submitted through the NRC's interactive rulemaking Web page at http://www.nrc.gov; or faxed to (301) 415-5144. Copies of comments received may be examined at the NRC's Public Document Room, 11555 Rockville Pike, Rockville, MD. Comments will be most helpful if received by February 20, 2009.

Electronic copies of this draft regulatory guide are available through the NRC's interactive rulemaking Web page (see above); the NRC's public Web site under Draft Regulatory Guides in the Regulatory Guides document collection of the NRC's Electronic Reading Room at http://www.nrc.gov/reading-rm/doc-collections/; and the NRC's Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html, under Accession No. ML080720443.

In 10 CFR 50.55a(h), the NRC requires compliance with Institute of Electrical and Electronics Engineers (IEEE) Std 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, and the correction sheet dated January 30, 1995 (Ref. 2). For nuclear power plants with construction permits issued before January 1, 1971, the applicant/licensee may elect to comply instead with its plant-specific licensing basis. For nuclear power plants with construction permits issued between January 1, 1971, and May 13, 1999, the applicant/licensee may elect to comply instead with the requirements stated in IEEE Std 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations (Ref. 3).

IEEE Std 603-1991 uses the term safety systems rather than protection systems to define its scope. This standard defines a safety system as a system that is relied upon to remain functional during and following design basis events to ensure: (i) the integrity of the reactor coolant pressure boundary, (ii) the capability to shut down the reactor and maintain it in a safe shutdown condition, or (iii) the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the 10 CFR Part 100 guidelines. In addition, IEEE Std 603-1991 defines a safety function as one of the processes or conditions (for example, emergency negative reactivity insertion, post-accident heat removal, emergency core cooling, post-accident radioactivity removal, and containment isolation) essential to maintain plant parameters within acceptable limits established for a design basis event. Finally, the standard defines a division as the designation applied to a given system or set of components that enables the establishment and maintenance of physical, electrical, and functional independence from other redundant sets of components.

IEEE Std 279-1971 states that a protection system encompasses all electric and mechanical devices and circuitry (from sensors to actuation device input terminals) involved in generating those signals associated with the protective function. These signals include those that actuate a reactor trip and that, in the event of a serious reactor accident, actuate engineered safety features such as containment isolation, core spray, safety injection, pressure reduction, and air cleaning. This standard defines protective function as the sensing of one or more variables associated with a particular generating station condition, signal processing, and the initiation and completion of the protective action at values of the variables established in the design bases.

Clause 4.17 of IEEE Std 279-1971 requires, in part, that protection systems include means for manual initiation of each protective action at the system level and that the single-failure criterion as set forth in Clause 4.2 of IEEE Std 279-1971 be met. Clause 6.2 of IEEE Std 603-1991 requires, in part, that means be provided in the control room to implement manual initiation at the division level of the automatically initiated protective actions and those protective actions identified by Clause 4.5 that have not been selected for automatic control. Clause 6.2 of IEEE Std 603-1991 further requires that means shall be provided in the control room to implement the manual actions necessary to maintain safe control after the protective actions are completed.

The NRC issues regulatory guides to describe to the public methods that the staff considers acceptable for use in implementing specific parts of the agency's regulations, to explain techniques that the staff uses in evaluating specific problems or postulated accidents, and to provide guidance to applicants.

Regulatory guides are not substitutes for regulations and compliance with them is not required.

This regulatory guide contains information collection requirements covered by 10 CFR Part 50 that the Office of Management and Budget (OMB) approved under OMB control number 3150-0011.

The NRC may neither conduct nor sponsor, and a person is not required to respond to, an information collection request or requirement unless the requesting document displays a currently valid OMB control number.

B. DISCUSSION

IEEE Std 603-1991 was prepared by Working Group Subcommittee 6.3 of the IEEE Nuclear Power Engineering Committee and was approved by the IEEE Standards Board on June 27, 1991. The standard provides guidance on the minimum functional design criterion for the electrical power, instrumentation, and control portions of nuclear power plant safety systems. This standard evolved from IEEE Std 279-1971 and, through interfaces with other referenced standards, reflects advances in digital technology. Existing instrumentation and control (I&C) equipment in nuclear power plants is currently being replaced with computer-based digital I&C systems or advanced analog systems. However, these technologies may pose new vulnerabilities for the nuclear power plant in a number of aspects compared to existing I&C systems. This regulatory guide provides an acceptable method for establishing the design criteria for existing I&C systems and for establishing the design criteria for digital and advanced analog systems for the manual initiation of protective actions. IEEE Std 603-1991 defines a protective action as the initiation of a signal within the sense and command features or the operation of equipment within the execute features of the safety system for the purpose of accomplishing a safety function.

Clauses 6.2 and 7.2 of IEEE Std 603-1991 provide the general functional, design, and executive requirements for manual control. Clause 6.2 specifically requires that means shall be provided to (1) implement manual initiation at the division level of all automatically initiated protective actions while maintaining independence between redundant portions of the safety system, (2) implement manual system initiation and control of the protective actions not selected for automatic controls based on the analysis conducted in Clause 4.5 of IEEE Std 603-1991, and (3) maintain the plant in a safe condition after the protective actions are completed using manual controls. The number of discrete operator manipulations to implement manual initiation of protective actions shall be minimized and shall depend on the operation of a minimum amount of equipment. Clause 5.8.4 requires, in part, that indications required for manually controlled protective actions shall be accessible to the operator and visible from the location of the controls used to effect the actions. Clause 7.2 specifically requires that the manual controls be subject to the single-failure criterion.

In addition to providing means for manual initiation of each protective action on a system-level basis for each division as required by IEEE Std 603-1991, individual means should also be provided to implement manual initiation at the plant component level since manual initiation for each appropriate plant system component (e.g., start pump, open or close valve) is subsequently required to provide (1) the completion of the safety function and (2) high functional reliability for the protective system as set forth in GDC 13 and GDC 21 of Appendix A to 10 CFR Part 50.

Design analyses determine the appropriate safety functions and corresponding protective actions for each plant design. The protective actions can involve automatic controls with backup manual controls, or, in certain cases, the protective actions can be accomplished solely by manual controls. Protective actions selected to be controlled manually are subject to consideration of (1) the time available to the operator to analyze and manually respond to an adverse condition, normally 30 minutes unless specifically justified, (2) the plant conditions expected at the time for which manual controls are required, (3) the range of conditions over which manual controls are expected to be in effect, and (4) the display variables necessary to provide for effective manual control.

Once initiated, the intended sequence of protective actions should continue until completion, whether the initiation occurred through automatic controls or through manual controls as outlined in Clause 5.2 of IEEE Std 603-1991. It is acceptable for protective equipment interlocks to interrupt a sequence of protective actions. In addition, when directed by procedure, it is acceptable for an operator to deliberately intervene in the intended sequence of protective actions, such as in the case of a verified spurious actuation of a protective action.

Safety-related controls and displays should be provided. Clause 5.6.3.1 of IEEE Std 603-1991 specifies that equipment that is used for both safety and non-safety functions shall be classified as part of the safety systems. In effect, these manual controls and indications must consist of safety-related devices with safety-related software and must be dedicated to specific safety divisions.

Display instrumentation provided for manually controlled actions for which no automatic control is provided and that are required for the safety systems to accomplish their safety functions shall be part of the safety systems in accordance with IEEE Std 603-1991, Clause 5.8.1. This clause requires, in part, that indications for manually controlled actions shall have the possibility for ambiguity minimized to limit the potential to confuse an operator. Indications should also be readily present during the time that manual actuation is necessary from the location of the manual controls. Regulatory Guide 1.97, Criteria for Accident Monitoring Instrumentation for Nuclear Power Plants, June 2006 (Ref. 4), endorses IEEE Std 497-2002, IEEE Standard Criteria for Accident Monitoring Instrumentation for Nuclear Power Generating Stations (Ref. 5), as an acceptable method for providing instrumentation to monitor variables for accident conditions.

The single-failure criterion of IEEE Std 603-1991, Clause 5.1, applies to safety systems whether control is by automatic or manual means. Regulatory Guide 1.53, Application of the Single-Failure Criterion to Safety Systems, issued November 2003 (Ref. 6), endorses IEEE Std 379-2000, IEEE Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems (Ref. 7), as an acceptable method to meet the regulations concerning the application of the single-failure criterion to the electrical power, instrumentation, and control portions of nuclear power plant safety systems. Digital system common-cause failures are not treated as a single failure with respect to the single-failure criterion. IEEE Std 7-4.3.2-2003, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations (Ref. 8), provides guidance on using diversity to address common-cause failures in computer-based safety systems. In addition, NUREG/CR-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems, issued December 1994 (Ref. 9), describes a method for analyzing computer-based nuclear reactor protection systems to identify design vulnerabilities to common-mode failure. The potential for common-mode failure has become an important issue as the software content of protection systems has increased. Credible common-mode failures should be compensated either by diversity or defense in depth.

Maintaining independence between redundant portions of the safety system is essential to the effective use of the single-failure criterion. Regulatory Guide 1.75, Criteria for Independence of Electrical Safety Systems, issued February 2005 (Ref. 10), provides guidance through the application of IEEE Std 384-1992, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits (Ref. 11), to meet the regulations with respect to the physical independence requirements of the circuits and electric equipment that comprise or are associated with safety systems. Regulatory Guide 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, issued January 2006 (Ref. 12), endorses IEEE Std 7-4.3.2-2003 as an acceptable method for addressing high functional reliability and design requirements for computers used in safety systems of nuclear power plants, including safety-related digital communications, independence, and integrity.

Clause 5.4 of IEEE Std 603-1991 requires that safety system equipment be environmentally qualified. Regulatory Guide 1.209, Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Controls Systems in Nuclear Power Plants, issued March 2007 (Ref. 13), endorses IEEE Std 323-2003, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations (Ref. 14), as acceptable guidance for environmental qualification of safety-related computer-based I&C systems for service in mild environments. Regulatory Guide 1.89, Environmental Qualification of Certain Electronic Equipment Important to Safety for Nuclear Power Plants (Ref. 15), provides guidance for environmental qualification of equipment intended for use in harsh environments. Regulatory Guide 1.180, Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems (Ref. 16), provides guidance for complying with the NRC's regulations on design, installation, and testing practices for addressing the effects of electromagnetic and radiofrequency interference and power surges on safety-related I&C systems. Clause 5.4 of IEEE Std 7-4.3.2-2003 provides requirements for equipment qualification of digital computers used in safety systems.

The staff made an initial statement of a four-point Diversity and Defense-in-Depth (D3) position in SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs, dated April 2, 1993 (Ref. 17). In a staff requirements memorandum on SECY-93-087 dated July 21, 1993 (Ref. 18), the Commission approved a modified version of the four-point position. The fourth point of the Commission's diversity position, listed in Branch Technical Position (BTP) 7-19, Guidance for Evaluation of Diversity and Defense-In-Depth in Digital Computer-Based Instrumentation and Control Systems, of NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants (Ref. 19), states that independent and diverse displays and manual controls should be available so that operators can initiate a system-level actuation of critical safety functions. Guidance provided to NRC staff in BTP 7-19 asserts that manual controls for safety equipment should be connected downstream of the plant's digital I&C safety system outputs. These connections should not compromise the integrity of interconnecting cables and interfaces between local electrical or electronic cabinets and the plant's electromechanical equipment. The manual controls may be connected either to discrete hardwired components or to simple, dedicated, and diverse, software-based digital equipment that performs the coordinated actuation logic. Approaches to address D3 considerations that are incorporated into the plant I&C system architectural design may include the use of diverse non-safety manual controls. However, this regulatory guide focuses on criteria for safety-related equipment or systems and does not address diverse manual-initiation equipment that is not classified as part of a safety system.

C. REGULATORY POSITION

Conformance with IEEE Std 603-1991 provides a method that the NRC staff considers acceptable for satisfying the agency's regulatory requirements concerning the manual initiation of protective actions, subject to the following:

1. Means should be provided for manual initiation of each protective action (e.g., reactor trip, containment isolation) on a system-level basis for each division, regardless of whether means are also provided to initiate the protective action at the component or channel level (e.g., individual control rod, individual isolation valve). Individual means should also be provided for manual initiation of each plant system component (i.e., start pump, open or close valve) required for (1) the completion of the safety function and (2) providing functional reliability for protective systems as set forth in GDC 13 and GDC 21 of Appendix A to 10 CFR Part 50.
2. Manual initiation of a protective action on a system-level basis for each division should perform all actions performed by automatic initiation such as starting auxiliary or supporting systems, sending signals to appropriate valve-actuating mechanisms to ensure correct valve position, and providing the required action-sequencing functions and interlocks. Multiple initiations of safety systems (autosequencing) by distinct manual control manipulations are not precluded.

3. The control interfaces for manual initiation of protective actions on a plant system component basis and on a system-level basis for each division should be located in the control room. They should be easily accessible to the operator so that action can be taken in an expeditious manner at the point in time or under the plant conditions for which the protective actions of the safety system shall be initiated as required in Clause 4.10.1 of IEEE Std 603-1991. Information displays associated with manual controls should be readily present during the time that manual actuation is necessary from the location of the manual controls and should provide unambiguous indications that will not confuse the operator.
4. The amount of equipment common to manual and automatic initiation should be kept to a minimum. It is preferable to limit such common equipment to the final actuation devices and the actuated equipment. No single failure within the manual, automatic, or common portions of the protection system should prevent initiation of a protective action by manual or automatic means.

In the case of automated digital protection systems, the point at which the manual controls are connected to safety equipment should be downstream of the plant's digital I&C safety system outputs. These connections should not compromise the integrity of interconnecting cables and interfaces between local electrical or electronic cabinets and the plant's electromechanical equipment.

5. Manual initiation of protective actions should depend on the operation of a minimum amount of equipment, consistent with Positions 1, 2, 3, and 4 above.
6. Manual initiation of a protective action on a system-level basis for each division should be designed so that once initiated, the action will go to completion as required in Clause 5.2 of IEEE Std 603-1991.
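
Position 4 above can be checked mechanically against a model of the initiation architecture. The following is an added example, not part of the NRC guide: the component names, the two-division layout, the equipment kinds, and the reading that each initiation mode must survive any one component failure are assumptions made for illustration. It compares a layout where manual switches feed the digital logic with one where they are wired downstream of it.

```python
from dataclasses import dataclass

# Equipment kinds that Position 4 prefers as the only manual/automatic overlap.
ALLOWED_COMMON = {"final_actuation", "actuated_equipment"}


@dataclass(frozen=True)
class Path:
    division: str      # redundant division the path belongs to
    mode: str          # "automatic" or "manual"
    components: tuple  # the path initiates only if every component works


def modes_lost(paths, failed):
    """Initiation modes left with no working path in any division."""
    alive = {p.mode for p in paths if failed not in p.components}
    return sorted({"automatic", "manual"} - alive)


def review(kinds, paths):
    """Return findings as (rule, component, detail) tuples."""
    findings = []
    # Rule 1: no single component failure may remove an initiation mode.
    # (Digital common-cause failures are outside this single-failure check.)
    for comp in sorted(kinds):
        lost = modes_lost(paths, comp)
        if lost:
            findings.append(("single-failure", comp, "+".join(lost)))
    # Rule 2: equipment shared by manual and automatic paths of a division
    # should be limited to final actuation devices and actuated equipment.
    for div in sorted({p.division for p in paths}):
        used = {"automatic": set(), "manual": set()}
        for p in paths:
            if p.division == div:
                used[p.mode].update(p.components)
        for comp in sorted(used["automatic"] & used["manual"]):
            if kinds[comp] not in ALLOWED_COMMON:
                findings.append(("common-equipment", comp, div))
    # Rule 3: manual controls connect downstream of the digital I&C outputs,
    # so a manual path must not pass through the digital logic.
    for p in paths:
        if p.mode == "manual":
            for comp in p.components:
                if kinds[comp] == "digital_logic":
                    findings.append(("manual-not-downstream", comp, p.division))
    return findings


def weak_architecture():
    """Constructed example: one shared switch read by each division's CPU."""
    kinds = {"SENS-A": "sensor", "SENS-B": "sensor",
             "CPU-A": "digital_logic", "CPU-B": "digital_logic",
             "SW-COMMON": "manual_switch",
             "BKR-A": "final_actuation", "BKR-B": "final_actuation"}
    paths = [Path("A", "automatic", ("SENS-A", "CPU-A", "BKR-A")),
             Path("A", "manual", ("SW-COMMON", "CPU-A", "BKR-A")),
             Path("B", "automatic", ("SENS-B", "CPU-B", "BKR-B")),
             Path("B", "manual", ("SW-COMMON", "CPU-B", "BKR-B"))]
    return kinds, paths


def corrected_architecture():
    """Constructed example: per-division switches on hardwired relays."""
    kinds = {"SENS-A": "sensor", "SENS-B": "sensor",
             "CPU-A": "digital_logic", "CPU-B": "digital_logic",
             "SW-A": "manual_switch", "SW-B": "manual_switch",
             "RLY-A": "hardwired_logic", "RLY-B": "hardwired_logic",
             "BKR-A": "final_actuation", "BKR-B": "final_actuation"}
    paths = [Path("A", "automatic", ("SENS-A", "CPU-A", "BKR-A")),
             Path("A", "manual", ("SW-A", "RLY-A", "BKR-A")),
             Path("B", "automatic", ("SENS-B", "CPU-B", "BKR-B")),
             Path("B", "manual", ("SW-B", "RLY-B", "BKR-B"))]
    return kinds, paths


if __name__ == "__main__":
    for name, build in (("weak", weak_architecture),
                        ("corrected", corrected_architecture)):
        print(name)
        for finding in review(*build()) or [("no findings", "", "")]:
            print("  ", *finding)
```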

D. IMPLEMENTATION

The purpose of this section is to provide information to applicants and licensees regarding the NRC's plans for using this draft regulatory guide. The NRC does not intend or approve any imposition or backfit in connection with its issuance.

The NRC has issued this draft guide to encourage public participation in its development. The NRC will consider all public comments received in development of the final guidance document. In some cases, applicants or licensees may propose an alternative or use a previously established acceptable alternative method for complying with specified portions of the NRC's regulations. Otherwise, the methods described in this guide will be used in evaluating compliance with the applicable regulations for license applications, license amendment applications, and amendment requests.

REGULATORY ANALYSIS

1. Statement of the Problem

The current revision of Regulatory Guide 1.62 (Revision 0) is dated October 1973 and is based solely on IEEE Std 279-1971. According to 10 CFR 50.55a, Codes and Standards, applications filed on or after May 13, 1999, for preliminary and final design approvals (under 10 CFR Part 52, Early Site Permits; Standard Design Certifications; and Combined Licenses for Nuclear Power Plants, Appendix O, Standardization of Design: Staff Review of Standard Designs) (Ref. 20); design certification; and construction permits, operating licenses, and combined licenses must meet the requirements for safety systems in IEEE Std 603-1991 and the correction sheet dated January 30, 1995. In addition, computer-based digital I&C systems or advanced analog systems are currently replacing existing I&C equipment in nuclear power plants. Regulatory Guide 1.62 (Revision 0) is silent on the application of digital I&C systems to the manual initiation of protective actions in nuclear power plants.

Therefore, revision of this regulatory guidance is necessary to incorporate the most recent IEEE standard on safety systems endorsed by the NRC and to discuss the implications of the use of digital systems on the manual initiation of protective actions in nuclear power plants.

2. Objective

The objective of this regulatory action is to include appropriate references to IEEE Std 603-1991 and a discussion of computer-based digital I&C systems and advanced analog systems.

3. Alternative Approaches

The NRC staff considered the following alternative approaches:

3.1 Alternative 1: Do Not Revise Regulatory Guide 1.62

Under this alternative, the NRC would not revise this guidance, and the original version of this regulatory guide would continue to be used. This alternative is considered the baseline or no action alternative and, as such, involves no value/impact considerations. This alternative would leave the NRC staff with a regulatory guide that does not reference the most recent IEEE standard on safety systems endorsed by the NRC and does not address the emerging digital I&C technology.

3.2 Alternative 2: Update Regulatory Guide 1.62

Under this alternative, the NRC would update Regulatory Guide 1.62, taking into consideration the requirements of IEEE Std 603-1991. The updated guide would include a discussion of computer-based digital I&C systems and advanced analog systems. It would continue to reference IEEE Std 279-1971, which remains applicable to plants with construction permits issued after January 1, 1971, but before May 13, 1999.

One benefit of this action is that it would enhance reactor safety by addressing the most current IEEE standard on safety systems endorsed by the NRC. Consideration would also be given to important computer-based digital I&C system issues such as the single-failure criterion and communications.

The costs to the NRC would be the one-time cost of issuing the revised regulatory guide (which is expected to be relatively small). Applicants would incur little or no cost and may, in fact, achieve cost savings.

4. Conclusion

Based on this regulatory analysis, the staff recommends that the NRC revise Regulatory Guide 1.62. The staff concludes that the proposed action will enhance reactor safety by referencing the latest IEEE standard on safety systems endorsed by the NRC. It could also lead to cost savings for the industry, especially with regard to applications for standard plant design certifications and combined licenses.

REFERENCES

1. 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities, U.S. Nuclear Regulatory Commission, Washington, DC.
2. IEEE Std 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, Institute of Electrical and Electronics Engineers, Piscataway, NJ, 1991, and the correction sheet dated January 30, 1995.
3. IEEE Std 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, Institute of Electrical and Electronics Engineers, Piscataway, NJ, 1971.
4. Regulatory Guide 1.97, Criteria for Accident Monitoring Instrumentation for Nuclear Power Plants, U.S. Nuclear Regulatory Commission, Washington, DC.
5. IEEE Std 497-2002, IEEE Standard Criteria for Accident Monitoring Instrumentation for Nuclear Power Generating Stations, Institute of Electrical and Electronics Engineers, Piscataway, NJ, 2002.
6. Regulatory Guide 1.53, Application of the Single-Failure Criterion to Safety Systems, U.S. Nuclear Regulatory Commission, Washington, DC.
7. IEEE Std 379-2000, IEEE Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems, Institute of Electrical and Electronics Engineers, Piscataway, NJ, 2000.
8. IEEE Std 7-4.3.2-2003, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, Institute of Electrical and Electronics Engineers, Piscataway, NJ, 2003.
9. NUREG/CR-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems, U.S. Nuclear Regulatory Commission, Washington, DC, December 1994.
10. Regulatory Guide 1.75, Criteria for Independence of Electrical Safety Systems, U.S. Nuclear Regulatory Commission, Washington, DC.
11. IEEE Std 384-1992, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits, Institute of Electrical and Electronics Engineers, Piscataway, NJ, 2003.
12. Regulatory Guide 1.152, Criteria for Computers in Safety Systems of Nuclear Power Plants, U.S. Nuclear Regulatory Commission, Washington, DC.
13. Regulatory Guide 1.209, Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Controls Systems in Nuclear Power Plants, U.S. Nuclear Regulatory Commission, Washington, DC.
14. IEEE Std 323-2003, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations, Institute of Electrical and Electronics Engineers, Piscataway, NJ, 2003.
15. Regulatory Guide 1.89, Environmental Qualification of Certain Electronic Equipment Important to Safety for Nuclear Power Plants, U.S. Nuclear Regulatory Commission, Washington, DC.
16. Regulatory Guide 1.180, Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems, U.S. Nuclear Regulatory Commission, Washington, DC.
17. SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs, U.S. Nuclear Regulatory Commission, Washington, DC, April 2, 1993.
18. Staff Requirements Memorandum on SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs, U.S. Nuclear Regulatory Commission, Washington, DC, July 21, 1993.
19. NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants (LWR Edition), Branch Technical Position 7-19, Guidance for Evaluation of Diversity and Defense-In-Depth in Digital Computer-Based Instrumentation and Control Systems, U.S. Nuclear Regulatory Commission, Washington, DC, March 2007.
20. 10 CFR Part 52, Early Site Permits; Standard Design Certifications; and Combined Licenses for Nuclear Power Plants, U.S. Nuclear Regulatory Commission, Washington, DC.