ML18024A365

From kanterella
Revision as of 17:32, 3 February 2020 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Updated Final Safety Analysis Report (Ufsar), Amendment 27, Appendix a Conformance to AEC Propose
ML18024A365
Person / Time
Site: Browns Ferry  Tennessee Valley Authority icon.png
Issue date: 10/05/2017
From:
Tennessee Valley Authority
To:
Office of Nuclear Reactor Regulation
Shared Package
ML18018A778 List: ... further results
References
Download: ML18024A365 (46)


Text

BFN-18 APPENDIX A CONFORMANCE TO AEC PROPOSED GENERAL DESIGN CRITERIA This appendix presents the interpretations, discussions, and conclusions on how the design of the Browns Ferry Nuclear Plant conformed to the AEC proposed general design criteria of draft 27 criteria and draft 70 criteria current at the time of the Browns Ferry design. It was retained for historical records.

The numbering of specific criteria and criteria groups mentioned in this discussion is from the draft 70 criteria2 and will differ in some cases from the criteria and group numbering of 10 CFR 50 Appendix A.

A.1

SUMMARY

DESCRIPTION During the construction permit licensing process, each of the three units of this plant was evaluated against the then-current draft of the AEC Proposed General Design Criteria. Units 1 and 2 were evaluated against the 27 Criteria,1 while Unit 3 was evaluated against the 70 Criteria.2 Although neither version of these proposed criteria had been adopted as regulatory requirements, the design, material procurement, and fabrication of each reactor unit was responsive to the respective applicable criteria for a construction permit. Although the later criteria (AEC-70) did not wholly complement the earlier (AEC-27), and also contained many aspects which could have been modified or clarified before their formal adoption, the design bases of each unit of this plant were reevaluated (at the time of initial FSAR preparation) against the draft of the 70 criteria current at the time of operating license application.

The design basis of each of the three units were evaluated against each of the nine groups of the proposed criteria. In each group a statement of the current interpretation of the intent of the criteria is made, with a discussion of the plant design conformance to this interpretation. A complete list of references follows each group interpretation to show where this information related to each criterion is found in the Safety Analysis Report.

Based on the understanding of the intent of the proposed criteria current at the time of operating license application, it was concluded that each unit of this plant conforms with the intent of the AEC General Design Criteria for Nuclear Power Plant Construction Permits.

1 Comment Draft of 27 General Design Criteria for Nuclear Power Plants, November 22, 1965.

2 Comment Draft of 70 General Design Criteria for Nuclear Power Plant Construction Permits, July 10, 1967.

A.0-1

BFN-18 A.2 CRITERION CONFORMANCE A.2.1 Group I - Overall Plant Requirements (Criteria 1-5)

Interpretation and

Conclusion:

The proposed criteria of this group are intended to require that quality control and assurance programs be identified, recorded, and justified in terms of their adequacy. The proposed criteria are intended to apply to the design, fabrication, erection, and performance requirements of the reactor facility's essential components and systems to ensure there is protection against environmental phenomena. In addition to protection of the essential and shared components and systems, the proposed criteria are also intended to provide the fire and explosion protection criteria for all equipment.

It was concluded the design of the plant is in conformance with the criteria of Group I based on the above interpretation of the intent of these criteria.

Discussion: The plant consists of three BWR reactor units of essentially identical design. The shared systems and components are identified, and analyses are provided to show that safety is uncompromised as a result of the sharing (Criteria 4).

The essential components and systems were designed, fabricated, and erected to perform in accordance with specified quality standards and applicable codes and regulations. These components, systems, codes, and standards have been identified (Criteria 1) in the report, and specific reference section numbers are included in the reference list. Moreover, in further accordance with Criterion 1, a quality assurance program was established to assure compliance with quality control specifications and procedures. These programs with applicable tests and inspections have been identified and specific section references are included in the reference list. In planning and executing the quality assurance programs, particular attention was given to their application to those systems, components, and structures which are important to safety. The plant equipment which is important to safety was designed to permit safe plant operation and to accommodate all design basis accidents without loss of capability for the appropriate environmental phenomena at the site (Criteria 2). The environmental resistance capability of these designs was based on the relevant site historical data, with suitable margin allowances for uncertainties. Further design provisions are included to minimize the occurrence of fire, explosions, and their effects, through the use of noncombustible and fire-resistant materials throughout the plant (Criteria 3). Records of design, fabrication, and construction of the essential components of this plant needed to comply with Criteria 5, are to be stored or maintained either under the applicant's control, or available to the applicant for inspection.

References to applicable sections of the FSAR are given in Table A.0-1 for the individual criteria of Group I.

A.0-2

BFN-18 A.2.2 Group II - Protection by Multiple Fission Product Barriers (Criteria 6-10)

Interpretation and

Conclusion:

The proposed criteria in this group are intended to assure that, through proper design, each reactor unit has been provided with multiple barriers against the release of fission products to the environs. Further, these criteria are intended to assure that these barriers remain intact during all operational transients caused by a single operator error or equipment malfunction, and that the proper barriers are available for the design basis accidents.

It was concluded the design of the plant is in conformance with the criteria of Group II based on the above interpretation of the intent of these criteria.

Discussion: The plant containment barriers are the basic features which minimize the release of radioactive materials. The design provides six means of containing and/or mitigating the release of fission products: (1) the fuel barrier, consisting of high density ceramic UO2 fuel sealed in high integrity Zircaloy cladding, (2) the nuclear system process barrier, consisting of the vessels, pipes, pumps, tubes, and similar process components which contain the steam, water, gases, and radioactive materials coming from, going to, or in communication with the reactor core, (3) the drywell-pressure suppression chamber (one for each reactor unit) primary containment, (4) the Reactor Building (secondary containment), (5) the reactor building Standby Gas Treatment System, which utilizes high efficiency absolute and charcoal filters, and (6) the elevated release point.

The primary containment system is designed, fabricated, and erected to accommodate without failure the pressures and temperatures resulting from, or subsequent to, the double-ended rupture or equivalent failure of any coolant pipe within the primary containment. The reactor building, encompassing the three individual primary containment systems, provides secondary containment when the respective primary containment is closed and in service. The reactor building further provides the primary containment function when any or all individual drywells are open. The two containment systems in combination with associated engineered safeguards are designed and maintained (Criteria 10) so that offsite doses resulting from postulated design basis accidents are below the reference values stated in 10 CFR 100. The reactor core design, in combination with the plant equipment characteristics and nuclear safety systems, is based on providing margins to ensure that fuel damage does not occur during normal operation or as a result of abnormal operational transients (Criteria 6 and 7). The reactor is designed so that the overall power coefficient (Criterion 8) in the power-operating range is not positive.

The reactor coolant system is designed to carry its dead weight and specified live loads (Criterion 9) separately or concurrently, e.g., pressure, temperature, and vibrations, with the concurrent seismic loads prescribed for the plant location.

Provisions are made to control or shut down the reactor coolant system in the event of malfunction of operating equipment or coolant leakage from the system. The A.0-3

BFN-18 reactor vessel and support structures are designed, within the limits of applicable criteria for low probability accident conditions, to withstand the forces that would be created by a full area-flow from any vessel nozzle to the containment atmosphere, with the reactor vessel at design pressure concurrent with the plant design basis earthquake loads.

References to the applicable sections of the FSAR are given in Table A.0-2 for the individual criteria of Group II.

A.2.3 Group III - Nuclear and Radiation Controls (Criteria 11-18)

Interpretation and

Conclusion:

This proposed group of criteria is intended to identify and define the instrumentation and control systems necessary to maintain the plant in a safe operational status. Further, this group of criteria is intended to define the radiation shielding and to define monitoring and fission process controls necessary to effectively sense abnormal conditions and initiate the engineered safety features.

It was concluded the design of the plant is in conformance with the criteria of Group III based on the above interpretation of the intent of these criteria.

Discussion: The plant is provided with an independent control room for reactor Unit 3, and a common control room for Units 1 and 2. These control rooms have adequate shielding, fire protection, air-conditioning, and access facilities to permit continuous occupancy under 10 CFR 20 dose limits during all design basis accident conditions. Although it should be highly unlikely to evacuate the control rooms, the plant design does not preclude the capability to bring any unit to a safe, cold shutdown from outside its respective control room (Criterion 11). The controls, instrumentation, and alarms necessary for safe and orderly operation of each unit are located in each of the respective control rooms. Included in these controls in each control room are control rod position indication, reactor core heat removal system controls, and the reactor coolant system leakage detection instrumentation (Criteria 11, 13, 16), which aid in monitoring the status and continuity of the heat generation and heat removal processes.

Reactor core performance and power levels are continuously monitored by the respective nuclear instrumentation system for each reactor unit (Criterion 13). The nuclear safety and engineered safeguards systems are mutually exclusive systems to each reactor unit, and these systems are independent of the plant process control systems. Moreover, the safety and safeguards systems override all other controls to initiate the required safety actions whenever operating conditions approach pre-established limits (Criteria 12, 13, 14, 15). Plant radiation and process monitoring systems are provided to monitor the significant process parameters and the plant environmental effluents. These systems provide alarms and signals to permit appropriate corrective actions (Criterion 17, 18).

A.0-4

BFN-18 References to the applicable sections of the FSAR are given in Table A.0-3 for the individual criteria of Group III.

A.2.4 Group IV - Reliability and Testability of Protection System (Criteria 19-26)

Interpretation and

Conclusion:

This proposed group of criteria is intended to identify and establish requirements for the functional reliability, inservice testability, redundancy, physical and electrical independence and separation. Further, this group is intended to establish a fail-safe design philosophy for the systems essential to the reactor protection functions: scram, isolation, and core standby cooling.

It was concluded the design of the plant is in conformance with the criteria of Group IV based on the above interpretation of the intent of these criteria.

Discussion: The systems which initiate scram, isolation, and core standby cooling actions are designed to automatically override normal operational controls whenever the conditions monitored by these systems exceed preestablished limits (Criterion 22). Each of the protection function actions is initiated by a variety of sensed conditions. A dual channel protection system, with complete redundancy in each channel, permits component failure or removal of channel components for maintenance or testing with no loss of protection (Criterion 20). Active components in the protection system and redundant subsystems can be tested or removed from service during reactor operation without compromising the protection function, even in the event of a subsequent single failure (Criteria 19, 20, 21, 25). A failure of any one reactor protection system input or subsystem will cause a tripped condition in one of the two protection channels; a subsequent trip signal, or a tripped condition on both channels, will initiate the protective function (Criterion 26).

Sensors and electrical circuits necessary to the functioning of the protection systems are physically and electrically separated to prevent any single event from compromising the protection function (Criteria 23, 24). Electrical power is supplied from independent redundant sources (Criterion 24): loss of all offsite power cannot prevent the reactor protection system from functioning, if required.

References to the applicable sections of the FSAR are given in Table A.0-4 for the individual criteria of Group IV.

A.2.5 Group V - Reactivity Control (Criteria 27-32)

Interpretation and

Conclusion:

This proposed group of criteria is intended to establish the reactor core reactivity insertion and withdrawal rate limitations, and establish the means to control plant operations within these limits.

It was concluded the design of the plant is in conformance with the criteria of Group V based on the above interpretation of the intent of these criteria.

A.0-5

BFN-18 Discussion: Each reactor unit contains two, independent, different principle reactivity control systems. Control of reactivity is operationally provided by a combination of movable control rods, burnable poison and reactor coolant recirculation system flow. These systems accommodate fuel burnup, load changes, and long-term reactivity changes. Reactor shutdown by the control rod drive system is sufficiently rapid to prevent exceeding fuel damage limits during either normal operation or any operational transients. A Standby Liquid Control System is provided as an independent backup shutdown system to cover emergencies of the operational reactivity control system. This system is designed to shut down the reactor from rated power and to maintain the reactor in a shutdown condition as the reactor cools (Criteria 27, 28).

Each reactor core is designed to have: (a) a reactivity response which regulates or damps changes in power level and spatial distributions of power production to a level consistent with safe and efficient operation, (b) a negative reactivity feedback consistent with the requirements of overall nuclear-hydrodynamic stability, and (c) a strong negative reactivity feedback under severe power transient conditions (Criteria 27, 31). The reactivity control system is designed to provide sufficient reactivity compensation under conditions of normal operation to make the reactor always subcritical from its most reactive condition, and means are provided for continuous regulation of the reactor core excess reactivity and reactivity distribution (Criteria 29, 30). This system is also designed to be capable of compensating for positive and negative reactivity changes resulting from nuclear coefficients, fuel depletion, and fission product transients and buildup. The system design limits control rod worths and the rate at which reactivity can be added. These design limits assure that the design basis reactivity accident is not capable of damaging the reactor coolant system, disrupting the reactor core, core support structures, or other vessel internals sufficiently to impair the Core Standby Cooling System effectiveness. Acceptable fuel damage limits will not be exceeded for any reactivity transient resulting from a single equipment malfunction or operator error (Criteria 29, 31, 32). Control of reactivity is provided by a combination of control rod movement and burnable poison to accommodate fuel burnup and long-term reactivity changes.

References to the applicable sections of the FSAR are given in Table A.0-5 for the individual criteria of Group V.

A.2.6 Group VI - Reactor Coolant Pressure Boundary (Criteria 33-36)

Interpretation and

Conclusion:

This proposed group of criteria is intended to establish the design requirements for the reactor coolant pressure boundary,3 and to identify the means to satisfy these design requirements.

3 The reactor coolant pressure boundary is called the Nuclear System Primary Barrier in the FSAR. See Definitions, Subsection 1.2.

A.0-6

BFN-18 Some of the individual criteria in this group have changed significantly since the initial publication of the respective criteria as part of the 27 General Design Criteria for Nuclear Power Plants. These changes, however, have been ones of detail rather than criteria intent. Although the material procurement orders for Units 1 and 2 were placed using the applicable 27 General Design Criteria as a guide, it was concluded that the design of all three units of the plant conforms with the intent of the criteria of Group VI from the draft 70 General Design Criteria.

Discussion: The inherent safety features of the reactor core design, in combination with certain engineered safety features and the reactivity control system, limit the consequences of the most severe potential nuclear excursion which could result from a design basis rod drop accident. These consequences are limited to prevent either motion or rupture-caused damage to the reactor coolant pressure boundary (Criterion 33). The ASME and USASI Codes are used as the established and acceptable criteria for design, fabrication, and operation of components of the reactor coolant pressure boundary. The reactor coolant pressure boundary is designed and fabricated (Criterion 34) as a minimum to meet the following codes:

1. Reactor Vessel - ASME Boiler and Pressure Vessel Code,Section III Nuclear Vessels, Subsection A, 1965 edition.
2. Pumps - ASME Boiler and Pressure Vessel Code,Section III, Nuclear Vessels, Subsection C, 1965 edition.
3. Piping and Valves - USAS-B-31.1, Code for Pressure Power Piping, 1967 edition.

The brittle fracture failure mode of the nuclear system primary barrier components is prevented by control of the notch toughness properties of the ferritic components.

This control is exercised in the selection of materials, fabrication of equipment and the components, and by limiting radiation below levels which affect NDT. In the design, appropriate consideration is given to the different notch toughness requirements of each of the various ferritic steel forms, including weld and heat-affected zones. In this way, brittle fracture is prevented under all potential service loading temperatures. A temperature-based rule was used, with modifications drawn from fracture mechanics technology, to establish the requirements for brittle fracture prevention. This approach, which is generally accepted by materials specialists, establishes brittle fracture prevention requirements. These requirements are less stringent in terms of NDT requirements for thin section materials, than for thick sections. In contrast to the first draft of Criterion 35, which treated all sections as thick sections, the recognition of NDT margin requirements which vary with section thickness provides a uniform assurance of brittle fracture-prevention from thin through thick sections.

A.0-7

BFN-18 The reactor coolant system is given a final hydrostatic test at 1560 psig in accordance with code requirements prior to initial reactor startup. A hydrostatic test, not to exceed system operating pressure, is made on the reactor coolant system following each removal and replacement of the reactor vessel head. The system is checked for leaks, and abnormal conditions are corrected before reactor startup.

The minimum vessel temperature during hydrostatic test shall be at least 60°F above the calculated NDT temperature prior to pressurizing the vessel. Extensive quality control and assurance programs are also followed during the entire fabrication of the reactor coolant system (Criterion 36). Vessel material surveillance samples are used to enable periodic monitoring of material properties with exposure.

The program includes specimens of the base metal, heat-affected zone metal, and standard specimens. Leakage from the reactor coolant system is monitored during reactor operation (Criterion 36).

References to the applicable sections of the FSAR are given in Table A.0-6 for the individual criteria of Group VI.

A.2.7 Group VII - Engineered Safety Features (Criteria 37-65)

Interpretation and

Conclusion:

This proposed group of criteria is intended to: (1) identify the nuclear safety systems and engineered safeguards, (2) examine each one for independency, redundancy, capability, testability, inspectibility, and reliability, (3) determine the suitability of each for its intended duty, and (4) justify that each safety feature's capability scope encompasses all the anticipated and credible phenomena associated with the operational transients or design basis accidents.

It was concluded the design of the plant is in conformance with the criteria of Group VII based on the above interpretation of the intent of these criteria.

Discussion: The normal plant control systems maintain plant variables within operating limits. These systems are thoroughly engineered and backed up by a significant amount of experience in system design and operation. Even if an improbable maloperation or equipment failure (including a nuclear system process barrier break, up to and including a double-ended circumferential rupture of any pipe in that barrier) allowed variables to exceed their safeguards limit the effects to values well below those which are of public safety concern. These engineered safety features include those systems which are essential to the scram, isolation, and core standby cooling functions (Criterion 37). The capacity of the standby power sources are adequate to accomplish all required safety functions under postulated design basis accident conditions (Criterion 39). The engineered safety features are designed to provide high reliability and ready testability. Specific provisions are made in each system to demonstrate operability and performance capabilities (Criterion 38). The components, which are required to function after design basis accidents or abnormal operational transients, are designed to A.0-8

BFN-18 withstand the most severe forces and environmental effects, including missiles from plant equipment failures, without impairment of their performance capability (Criteria 40, 42, 43). The Core Standby Cooling Systems (CSCS) are designed to prevent excessive fuel cladding temperatures over the entire spectrum of postulated design basis reactor primary system breaks. Such capability is available concurrently with the loss of all offsite AC power. The CSCS themselves are designed to various levels of component redundancy to prevent a single active component failure, in addition to the accident, from negating the required core cooling capability (Criteria 41, 44). To assure that the CSCS will function properly, specific provisions have been made for testing the sequential operability and functional performance of each individual system (Criteria 46, 47, 48). Design provisions have also been made to enable physical and visual inspection of the CSCS components (Criterion 45). The primary containment structure, including access openings and penetrations, is designed to withstand the peak accident pressure and temperatures which could occur during the postulated design basis loss-of-coolant accident. The containment design includes considerable allowance for energy and noncondensible gas additions from metal-water or other chemical reactions beyond those which could occur during the accident (Criterion 49). Provisions are made for the removal of heat from within the primary containment for as long as necessary to maintain the integrity of the containment following the various postulated design basis accidents.

The integrity of the complete containment, in combination with other safety features, is designed and maintained so that the offsite doses resulting from postulated design basis accidents are below the guideline values stated in 10 CFR 100 (Criteria 50, 51, 54). Pipes or ducts which penetrate the primary containment and which connect to the primary system or are open to the drywell are provided with at least two isolation valves in series (Criterion 53). The plant design allows leak rate testing of the primary containment system (Criteria 54, 55). Provisions are also made for demonstrating the functional performance of containment system isolation valves and leak testing of selected penetrations (Criteria 56, 57). The pressure suppression concept and the containment spray cooling system provide two different means to rapidly condense the steam portion of the flow from the postulated design basis loss-of-coolant accident; the peak transient containment pressure would be substantially less than the primary containment design pressure (Criterion 52). The capability to test the functional performance and inspect the containment spray cooling system is provided (Criteria 58, 59, 60, 61). The Standby Gas Treatment System can be tested periodically for system performance using tracer injection and sampling (Criteria 64). This system may be physically inspected and its operability demonstrated (Criteria 62, 63, 65).

References to the applicable sections of the FSAR are given in Table A.0-7 for the individual criteria of Group VII.

A.0-9

BFN-18 A.2.8 Group VIII - Fuel and Waste Storage System (Criteria 66-69)

Interpretation and

Conclusion:

This proposed group of criteria is intended to establish safe fuel and waste storage systems and to identify the means used to satisfy these requirements.

It was concluded the design of the plant is in conformance with the criteria of Group VIII based on the above interpretation of the intent of these criteria.

Discussion: Appropriate plant fuel handling and storage facilities are provided to preclude accidental criticality and to provide sufficient cooling for spent fuel (Criteria 66, 67). The new-fuel storage vault racks (located inside the secondary containment reactor building) are top entry, and are designed to prevent an accidental critical array even in the event the vault becomes flooded. Vault drainage is provided to prevent possible water collection (Criterion 66). The handling and storage of irradiated fuel, which takes place entirely within the reactor building (the secondary containment system), is done in the spent fuel storage pool. The pool has provisions to maintain water clarity, temperature control and instrumentation to monitor water level. Water depth in the pool provides sufficient shielding for normal reactor building occupancy (10 CFR 20) by operating personnel. The spent-fuel racks are designed and arranged to ensure subcriticality in the storage pool (Criteria 66, 67, 68, 69). The Fuel Pool Cooling and Cleanup System is designed to maintain the pool water temperature, control water clarity, and reduce water radioactivity (Criteria 66, 67, 68). Accessible portions of the reactor and radwaste buildings have sufficient shielding to maintain dose rates within 10 CFR 20 (Criterion 68); the radwaste building is designed to preclude accidental release of radioactive materials to the environs (Criterion 68).

References to the applicable sections of the FSAR are given in Table A.0-8 for the individual criteria of Group VIII.

A.2.9 Group IX - Plant Effluents (Criterion 70)

Interpretation and

Conclusion:

The proposed criterion of this group is intended to establish plant effluent release limits and to identify the means of controlling the releases within these limits.

It was concluded the design of this plant is in conformance with the criterion of Group IX based on the above interpretation of the intent of the criterion.

Discussion: The plant radioactive waste control systems, which include the liquid, gaseous, and solid radwaste systems, are designed to limit the offsite radiation exposure to levels below doses set forth in 10 CFR 20. The plant engineered safeguards, including the containment barriers, are designed to limit the offsite dose under various postulated design basis accidents to levels significantly below 10 CFR A.0-10

BFN-18 100 reference values. The air ejector offgas system is designed with sufficient holdup retention capacity so that during normal plant operation the controlled release of radioactive materials does not exceed the established release limits at the elevated plant stack (Criterion 70).

References to the applicable sections of the FSAR are given in Table A.0-9 for the Group IX criterion.

A.0-11

BFN-18 ATOMIC ENERGY COMMISSION

[10 CFR PART 50]

LICENSING OF PRODUCTION AND UTILIZATION FACILITIES General Design Criteria for Nuclear Power Plant Construction Permits1 The Atomic Energy Commission has under consideration an amendment to its regulation, 10 CFR Part 50, "Licensing of Production and Utilization Facilities," which would add an Appendix A, "General Design Criteria for Nuclear Power Plant Construction Permits." The purpose of the proposed amendment would be to provide guidance to applicants in developing the principal design criteria to be included in applications for Commission construction permits. These General Design Criteria would not add any new requirements, but are intended to describe more clearly present Commission requirements to assist applicants in preparing applications.

The proposed amendment would complement other proposed amendments to Part 50 which were published for public comment in the FEDERAL REGISTER on August 16, 1966 (31 F.R. 10891).

The proposed amendments to Part 50 reflect a recommendation made by a seven-member Regulatory Review Panel, appointed by the Commission to study:

(1) the programs and procedures for the licensing and regulation of reactors and (2) the decision-making process in the Commission's regulatory program. The Panel's report recommended the development, particularly at the construction permit stage of a licensing proceeding, of design criteria for nuclear power plants. Work on the development of such criteria had been in process at the time of the Panel's study.

As a result, preliminary proposed criteria for the design of nuclear power plants were discussed with the Commission's Advisory Committee on Reactor Safeguards and were informally distributed for public comment in Commission Press Release H-252 dated November 22, 1965. In developing the proposed criteria set forth in the proposed amendments to Part 50, the Commission has taken into consideration comments and suggestions from the Advisory Committee on Reactor Safeguards, from members of industry and from the public.

1 Inasmuch as the Commission has under consideration other amendments to 10 CFR Part 50 (31 F.R. 10891), the amendment proposed herein would be a further revision to Part 50 previously published for comment in the FEDERAL REGISTER.

A.0-12

BFN-18 Section 50.34, paragraph (b), as published for comment in the FEDERAL REGISTER on August 16, 1966, would require that each application for a construction permit include a preliminary safety analysis report. The minimum information to be included in this preliminary safety analysis report is (1) a description and safety assessment of the site, (2) a summary description of the facility, (3) a preliminary design of the facility, (4) a preliminary safety analysis and evaluation of the facility, (5) an identification of subjects expected to be technical specification, and (6) a preliminary plan for the organization, training, and operation.

The following information is specified for inclusion as part of the preliminary design of the facility:

"(i) The principal design criteria for the facility; (ii) The design bases and the relation of the design bases to the principal design criteria; (iii) Information relative to materials of construction, general arrangement and approximate dimensions, sufficient to provide reasonable assurance that the final design will conform to the design bases with adequate margin for safety;"

The "General Design Criteria for Nuclear Power Plant Construction Permits" proposed to be included as Appendix A to this part are intended to aid the applicant in development item (i) above, the principal design criteria. All criteria established by an applicant and accepted by the Commission would be incorporated by reference in the construction permit. In considering the issuance of an operating license under the regulations, the Commission would assure that the criteria has been met in the detailed design and construction of the facility or that changes in such criteria have been justified.

Section 50.34 as published in the FEDERAL REGISTER on August 16, 1966, would be further amended by adding to Part 50 a new Appendix A containing the General Design Criteria applicable to the construction of nuclear power plants and by a specific reference to this Appendix in 50.34, paragraph (b).

The Commission expects that the provisions of the proposed amendments relating to General Design Criteria for Nuclear Power Plant Construction Permits will be useful as interim guidance until such time as the Commission takes further action on them.

Pursuant to the Atomic Energy Act of 1954, as amended, and the Administrative Procedure Act of 1946, as amended, notice is hereby given that adoption of the following amendments to 10 CFR Part 50 is contemplated. All interested persons who desire to submit written comments or suggestions in connection with the proposed amendments should send them to the Secretary, United States Atomic A.0-13

BFN-18 Energy Commission, Washington, D. C., 20545, within 60 days after publication of this notice in the FEDERAL REGISTER. Comments received after that period will be considered if it is practicable to do so, but assurance of consideration cannot be given except as to comments filed within the period specified. Copies of comments may be examined in the Commission's Public Document Room at 1717 H Street, N.W., Washington, D. C.

1. §50.34(b)(3)(i) of 10 CFR Part 50 is amended to read as follows: §50.34 Contents of applications; technical information safety analysis report.2 (b) Each application for a construction permit shall include a preliminary safety analysis report. The report shall cover all pertinent subjects specified in paragraph (a) of this section as fully as available information permits. The minimum information to be included shall consist of the following:
2. A new Appendix A is added to read as follows:

(3) The preliminary design of the facility, including:

(i) The principal design criteria for the facility. Appendix A, "General Design Criteria for Nuclear Power Plant Construction Permits," provides guidance for establishing the principal design criteria for nuclear power plants.

2 Inasmuch as the Commission has under consideration other amendments to §50.34 (31 F.R.

10891), the amendment proposed herein would be a further revision of 50.34(b)(3)(i) previously published for comment in the FEDERAL REGISTER.

A.0-14

BFN-18 APPENDIX A GENERAL DESIGN CRITERIA FOR NUCLEAR POWER PLANT CONSTRUCTION PERMITS3 Table of Contents INTRODUCTION Group Title Criterion No.

I. OVERALL PLANT REQUIREMENTS Quality Standards 1 Performance Standards 2 Fire Protection 3 Sharing of Systems 4 Records Requirements 5 II. PROTECTION BY MULTIPLE FISSION PRODUCT BARRIERS Reactor Core Design 6 Suppression of Power Oscillations 7 Overall Power Coefficient 8 Reactor Coolant Pressure Boundary 9 Containment 10 III. NUCLEAR AND RADIATION CONTROLS Control Room 11 Instrumentation and Control Systems 12 Fission Process Monitors and Controls 13 Core Protection Systems 14 Engineered Safety Features Protection Systems 15 Monitoring Reactor Coolant Pressure Boundary 16 Monitoring Radioactivity Releases 17 Monitoring Fuel and Waste Storage 18 3

Inasmuch as the Commission has under consideration other amendments to 10 CFR Part 50 (31 F.R. 10891), the amendment proposed herein would be a further revision to Part 50 previously published for comment in the FEDERAL REGISTER.

A.0-15

BFN-18 Appendix A IV. RELIABILITY AND TESTABILITY OF PROTECTION SYSTEMS Protection Systems Reliability 19 Protection Systems Redundancy and Independence 20 Single Failure Definition 21 Separation of Protection and Control Instrumentation Systems 22 Protection Against Multiple Disability for Protection Systems 23 Emergency Power for Protection Systems 24 Demonstration of Functional Operability of Protection Systems 25 Protection Systems Fail-Safe Design 26 V. REACTIVITY CONTROL Redundancy of Reactivity Control 27 Reactivity Hot Shutdown Capability 28 Reactivity Shutdown Capability 29 Reactivity Holddown Capability 30 Reactivity Control Systems Malfunction 31 Maximum Reactivity Worth of Control Rods 32 VI. REACTOR COOLANT PRESSURE BOUNDARY Reactor Coolant Pressure Boundary Capability 33 Reactor Coolant Pressure Boundary Rapid 34 Propagation Failure Prevention Reactor Coolant Pressure Boundary Brittle 35 Fracture Prevention Reactor Coolant Pressure Boundary Surveillance 36 VII. ENGINEERED SAFETY FEATURES A. General Requirements For Engineered Safety Features Engineered Safety Features Basis for Design 37 Reliability an Testability of Engineered 38 Safety Features Emergency Power for Engineered Safety Features 39 Missile Protection 40 Engineered Safety Features Performance Capability 41 Engineered Safety Features Components Capability 42 Accident Aggravation Prevention 43 Appendix A A.0-16

BFN-18 VII. ENGINEERED SAFETY FEATURES B. Emergency Core Cooling Systems Emergency Core Cooling Systems Capability 44 Inspection of Emergency Core Cooling Systems 45 Testing of Emergency Core Cooling Systems 46 Components Testing of Emergency Core Cooling Systems 47 Testing of Operational Sequence of Emergency 48 Core Cooling Systems C. Containment Containment Design Basis 49 NDT Requirement for Containment Material 50 Reactor Coolant Pressure Boundary Outside 51 Containment Containment Heat Removal Systems 52 Containment Isolation Valves 53 Containment Leakage Rate Testing 54 Containment Periodic Leakage Rate Testing 55 Provisions for Testing of Penetrations 56 Provisions for Testing of Isolation Valves 57 D. Containment Pressure-Reducing Systems Inspection of Containment Pressure-Reducing 58 Systems Testing of Containment Pressure-Reducing Systems 59 Testing of Containment Spray Systems 60 Testing of Operational Sequence of Containment 61 Pressure-Reducing Systems E. Air Cleanup Systems Inspection of Air Cleanup Systems 62 Testing of Air Cleanup Systems Components 63 Testing of Air Cleanup Systems 64 Testing of Operational Sequence of Air Cleanup Systems 65 A.0-17

BFN-18 Appendix A VIII. FUEL AND WASTE STORAGE SYSTEMS Prevention of Fuel Storage Criticality 66 Fuel and Waste Storage Decay Heat 67 Fuel and Waste Storage Radiation Shielding 68 Protection Against Radioactivity Release from 69 Spent Fuel and Waste Storage IX. PLANT EFFLUENTS Control of Releases of Radioactivity to the 70 Environment A.0-18

BFN-18 Appendix A INTRODUCTION Every applicant for a construction permit is required by the provisions of §50.34 to include the principal design criteria for the proposed facility in the application. These General Design Criteria are intended to be used as guidance in establishing the principal design criteria for a nuclear power plant. The General Design Criteria reflect the predominating experience with water power reactors as designed and located to date, but their applicability is not limited to these reactors.

They are considered generally applicable to all power reactors.

Under the Commission's regulations, an applicant must provide assurance that its principal design criteria encompass all those facility design features required in the interest of public health and safety. There may be some power reactor cases for which fulfillment of some of the General Design Criteria may not be necessary or appropriate. There will be other cases in which these criteria are insufficient, and additional criteria must be identified and satisfied by the design in the interest of public safety. It is expected that additional criteria will be needed particularly for unusual sites and environmental conditions, and for new and advanced types of reactors. Within this context, the General Design Criteria should be used as a reference allowing additions or deletions as an individual case may warrant.

Departures from the General Design Criteria should be justified. The criteria are designated as "General Design Criteria for Nuclear Power Plant Construction Permits" to emphasize the key role they assume at this stage of the licensing process. The criteria have been categorized as Category A or Category B.

Experience has shown that more definitive information is needed at the construction permit stage for the items listed in Category A than for these in Category B.

I. OVERALL PLANT REQUIREMENTS CRITERION 1 - QUALITY STANDARDS (Category A)

Those systems and components of reactor facilities which are essential to the prevention of accidents which could affect the public health and safety or to mitigation of their consequences shall be identified and then designed, fabricated, and erected to quality standards that reflect the importance of the safety function to be performed. Where generally recognized codes or standards on design, materials, fabrication, and inspection are used, they shall be identified. Where adherence to such codes or standards does not suffice to assure a quality product in keeping with the safety function, they shall be supplemented or modified as necessary. Quality assurance programs, test procedures, and inspection acceptance levels to be used shall be identified. A showing of sufficiency and A.0-19

BFN-18 applicability of codes, standards, quality assurance programs, test procedures, and inspection acceptance levels used is required.

CRITERION 2 - PERFORMANCE STANDARDS (Category A)

Those systems and components of reactor facilities which are essential to the prevention of accidents which could affect the public health and safety or to mitigation of their consequences shall be designed, fabricated, and erected to performance standards that will enable the facility to withstand, without loss of the capability to protect the public, the additional forces that might be imposed by natural phenomena such as earthquakes, tornadoes, flooding conditions, winds, ice, and other local site effects. The design bases so established shall reflect: (a) appropriate consideration of the most severe of these natural phenomena that have been recorded for the site and the surrounding area and (b) an appropriate margin for withstanding forces greater than those recorded to reflect uncertainties about the historical data and their suitability as a basis for design.

CRITERION 3 - FIRE PROTECTION (Category A)

The reactor facility shall be designed (1) to minimize the probability of events such as fires and explosions and (2) to minimize the potential effects of such events to safety. Noncombustible and fire resistant materials shall be used whenever practical throughout the facility, particularly in areas containing critical portions of the facility such as containment, control room, and components of engineered safety features.

CRITERION 4 - SHARING OF SYSTEMS (Category A)

Reactor facilities shall not share systems or components unless it is shown safety is not impaired by the sharing.

CRITERION 5 - RECORDS REQUIREMENTS (Category A)

Records of the design, fabrication, and construction of essential components of the plant shall be maintained by the reactor operator or under its control throughout the life of the reactor.

II. PROTECTION BY MULTIPLE FISSION PRODUCT BARRIERS CRITERION 6 - REACTOR CORE DESIGN (Category A)

The reactor core shall be designed to function throughout its design lifetime, without exceeding acceptable fuel damage limits which have been stipulated and justified.

The core design, together with reliable process and decay heat removal systems, shall provide for this capability under all expected conditions of normal operation A.0-20

BFN-18 with appropriate margins for uncertainties and for transient situations which can be anticipated, including the effects of the loss of power to recirculation pumps, tripping out of a turbine generator set, isolation of the reactor from its primary heat sink, and loss of all offsite power.

CRITERION 7 - SUPPRESSION OF POWER OSCILLATIONS (Category B)

The core design, together with reliable controls, shall ensure that power oscillations which could cause damage in excess of acceptable fuel damage limits are not possible or can be readily suppressed.

CRITERION 8 - OVERALL POWER COEFFICIENT (Category B)

The reactor shall be designed so that the overall power coefficient in the power operating range shall not be positive.

CRITERION 9 - REACTOR COOLANT PRESSURE BOUNDARY (Category A)

The reactor coolant pressure boundary shall be designed and constructed so as to have an exceedingly low probability of gross rupture or significant leakage throughout its design lifetime.

CRITERION 10 - CONTAINMENT (Category A)

Containment shall be provided. The containment structure shall be designed to sustain the initial effects of gross equipment failures, such as a large coolant boundary break, without loss of required integrity and, together with other engineered safety features as may be necessary, to retain for as long as the situation requires the functional capability to protect the public.

III. NUCLEAR AND RADIATION CONTROLS CRITERION 11 - CONTROL ROOM (Category B)

The facility shall be provided with a control room from which actions to maintain safe operational status of the plant can be controlled. Adequate radiation protection shall be provided to permit access, even under accident conditions, to equipment in the control room or other areas as necessary to shut down and maintain safe control of the facility without radiation exposure of personnel in excess of 10 CFR 20 limits. It shall be possible to shut the reactor down and maintain it in a safe condition if access to the control room is lost due to fire or other cause.

A.0-21

BFN-18 CRITERION 12 - INSTRUMENTATION AND CONTROL SYSTEMS (Category B)

Instrumentation and controls shall be provided as required to monitor and maintain variables within prescribed operating ranges.

CRITERION 13 - FISSION PROCESS MONITORS AND CONTROLS (Category B)

Means shall be provided for monitoring and maintaining control over the fission process throughout core life and for all conditions that can reasonably be anticipated to cause variations in reactivity of the core, such as indication of position of control rods and concentration of soluble reactivity control poisons.

CRITERION 14 - CORE PROTECTION SYSTEMS (Category B)

Core protection systems, together with associated equipment, shall be designed to act automatically to prevent or to suppress conditions that could result in exceeding acceptable fuel damage limits.

CRITERION 15 - ENGINEERED SAFETY FEATURES PROTECTION SYSTEMS (Category B)

Protection systems shall be provided for sensing accident situations and initiating the operation of necessary engineered safety features.

CRITERION 16 - MONITORING REACTOR COOLANT PRESSURE BOUNDARY (Category B)

Means shall be provided for monitoring the reactor coolant pressures boundary to detect leakage.

CRITERION 17 - MONITORING RADIOACTIVITY RELEASES (Category B)

Means shall be provided for monitoring the containment atmosphere, the facility effluent discharge paths, and the facility environs for radioactivity that could be released from normal operations, from anticipated transients, and from accident conditions.

CRITERION 18 - MONITORING FUEL AND WASTE STORAGE (Category B)

Monitoring and alarm instrumentation shall be provided for fuel and waste storage and handling areas for conditions that might contribute to loss of continuity in decay heat removal and to radiation exposures.

A.0-22

BFN-18 IV. RELIABILITY AND TESTABILITY OF PROTECTION SYSTEMS CRITERION 19 - PROTECTION SYSTEMS RELIABILITY (Category B)

Protection systems shall be designed for high functional reliability and in-service testability commensurate with the safety functions to be performed.

CRITERION 20 - PROTECTION SYSTEMS REDUNDANCY AND INDEPENDENCE (Category B)

Redundancy and independence designed into protection systems shall be sufficient to assure that no single failure or removal from service of any component or channel of a system will result in loss of the protection function. The redundancy provided shall include, as a minimum, two channels of protection for each protection function to be served. Different principles shall be used where necessary to achieve true independence of redundant instrumentation components.

CRITERION 21 - SINGLE FAILURE DEFINITION (Category B)

Multiple failures resulting from a single event shall be treated as a single failure.

CRITERION 22 - SEPARATION OF PROTECTION AND CONTROL INSTRUMENTATION SYSTEMS (Category B)

Protection systems shall be separated from control instrumentation systems to the extent that failure or removal from service of any control instrumentation system component or channel, or of those common to control instrumentation and protection circuitry, leaves intact a system satisfying all requirements for the protection channels.

CRITERION 23 - PROTECTION AGAINST MULTIPLE DISABILITY FOR PROTECTION SYSTEMS (Category B)

The effects of adverse conditions to which redundant channels or protection systems might be exposed in common, either under normal conditions or those of a accident, shall not result in loss of the protection function.

CRITERION 24 - EMERGENCY POWER FOR PROTECTION SYSTEMS (Category B)

In the event of loss of all offsite power, sufficient alternate sources of power shall be provided to permit the required functioning of the protection systems.

CRITERION 25 - DEMONSTRATION OF FUNCTIONAL OPERABILITY OF PROTECTION SYSTEMS (Category B)

A.0-23

BFN-18 Means shall be included for testing protection systems while the reactor is in operation to demonstrate that no failure or loss of redundancy has occurred.

CRITERION 26 - PROTECTION SYSTEMS FAIL-SAFE DESIGN (Category B)

The protection systems shall be designed to fail into a safe state or into a state established as tolerable on a defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or adverse environments (e.g., extreme heat or cold, fire, steam, or water) are experienced.

V. REACTIVITY CONTROL CRITERION 27 - REDUNDANCY OF REACTIVITY CONTROL (Category A)

At least two independent reactivity control systems, preferably of different principles, shall be provided.

CRITERION 28 - REACTIVITY HOT SHUTDOWN CAPABILITY (Category A)

At least two of the reactivity control systems provided shall independently be capable of making and holding the core subcritical from any hot standby or hot operating condition, including those resulting from power changes, sufficiently fast to prevent exceeding acceptable fuel damage limits.

CRITERION 29 - REACTIVITY SHUTDOWN CAPABILITY (Category A)

At least one of the reactivity control systems provided shall be capable of making the core subcritical under any conditions (including anticipated operational transients) sufficiently fast to prevent exceeding acceptable fuel damage limits. Shutdown margins greater than the maximum worth of the most effective control rod when fully withdrawn shall be provided.

CRITERION 30 - REACTIVITY HOLDDOWN CAPABILITY (Category B)

At least one of the reactivity control systems provided shall be capable of making and holding the core subcritical under any conditions with appropriate margins for contingencies.

CRITERION 31 - REACTIVITY CONTROL SYSTEMS MALFUNCTION (Category B)

The reactivity control systems shall be capable of sustaining any single malfunction, such as, unplanned continuous withdrawal (not ejection) of a control rod, without A.0-24

BFN-18 causing a reactivity transient which could result in exceeding acceptable fuel damage limits.

CRITERION 32 - MAXIMUM REACTIVITY WORTH OF CONTROL RODS (Category A)

Limits, which include considerable margin, shall be placed on the maximum reactivity worth of control rods or elements and on rates at which reactivity can be increased to ensure that the potential effects of a sudden or large change of reactivity cannot (a) rupture the reactor coolant pressure boundary or (b) disrupt the core, its support structures, or other vessel internals sufficiently to impair the effectiveness of emergency core cooling.

VI. REACTOR COOLANT PRESSURE BOUNDARY CRITERION 33 - REACTOR COOLANT PRESSURE BOUNDARY CAPABILITY (Category A)

The reactor coolant pressure boundary shall be capable of accommodating without rupture, and with only limited allowance for energy absorption through plastic deformation, the static and dynamic loads imposed on any boundary component as a result of any inadvertent and sudden release of energy to the coolant. As a design reference, this sudden release shall be taken as that which would result from a sudden reactivity insertion such as rod ejection (unless prevented by positive mechanical means), rod dropout, or cold water addition.

CRITERION 34 - REACTOR COOLANT PRESSURE BOUNDARY RAPID PROPAGATION FAILURE PREVENTION (Category A)

The reactor coolant pressure boundary shall be designed to minimize the probability of rapidly propagating type failures. Consideration shall be given (a) to the notch-toughness properties of materials extending to the upper shelf of the Charpy transition curve, (b) to the state of stress of materials under static and transient loadings, (c) to the quality control specified for materials and component fabrication to limit flaw sizes, and (d) to the provisions for control over service temperature and irradiation effects which may require operational restrictions.

CRITERION 35 - REACTOR COOLANT PRESSURE BOUNDARY BRITTLE FRACTURE PREVENTION (Category A)

Under conditions where reactor coolant pressure boundary system components constructed of ferritic materials may be subjected to potential loadings, such as a reactivity-induced loading, service temperature shall be at least 120°F above the nil ductility transition (NDT) temperature of the component material if the resulting A.0-25

BFN-18 energy release is expected to be absorbed by plastic deformation or 60°F above the NDT temperature of the component material if the resulting energy release is expected to be absorbed within the elastic strain energy range.

CRITERION 36 - REACTOR COOLANT PRESSURE BOUNDARY SURVEILLANCE (Category A)

Reactor coolant pressure boundary components shall have provisions for inspection, testing, and surveillance by appropriate means to assess the structural and leaktight integrity of the boundary components during their service lifetime. For the reactor vessel, a material surveillance program conforming with ASTM-E-185-66 shall be provided.

VII. ENGINEERED SAFETY FEATURES CRITERION 37 - ENGINEERED SAFETY FEATURES BASIS FOR DESIGN (Category A)

Engineered safety features shall be provided in the facility to back up the safety provided by the core design, the reactor coolant pressure boundary, and their protection systems. As a minimum, such engineered safety features shall be designed to cope with any size reactor coolant pressure boundary break up to and including the circumferential rupture of any pipe in that boundary assuming unobstructed discharge from both ends.

CRITERION 38 - RELIABILITY AND TESTABILITY OF ENGINEERED SAFETY FEATURES (Category A)

All engineered safety features shall be designed to provide high functional reliability and ready testability. In determining the suitability of a facility for a proposed site, the degree of reliance upon and acceptance of the inherent and engineered safety afforded by the systems, including engineered safety features, will be influenced by the known and the demonstrated performance capability and reliability of the systems, and by the extent to which the operability of such systems can be tested and inspected where appropriate during the life of the plant.

CRITERION 39 - EMERGENCY POWER FOR ENGINEERED SAFETY FEATURES (Category A)

Alternate power systems shall be provided and designed with adequate independency, redundancy, capacity, and testability to permit the functioning required of the engineered safety features. As a minimum, the onsite power system and the offsite power system shall each, independently, provide this capacity assuming a failure of a single active component in each power system.

A.0-26

BFN-18 CRITERION 40 - MISSILE PROTECTION (Category A)

Protection for engineered safety features shall be provided against dynamic effects and missiles that might result from plant equipment failures.

CRITERION 41 - ENGINEERED SAFETY FEATURES PERFORMANCE CAPABILITY (Category A)

Engineered safety features such as emergency core cooling and containment heat removal systems shall provide sufficient performance capability to accommodate partial loss of installed capacity and still fulfill the required safety function. As a minimum, each engineered safety feature shall provide this required safety function assuming a failure of a single active component.

CRITERION 42 - ENGINEERED SAFETY FEATURES COMPONENTS CAPABILITY (Category A)

Engineered safety features shall be designed so that the capability of each component and system to perform its required function is not impaired by the effects of a loss-of-coolant accident.

CRITERION 43 - ACCIDENT AGGRAVATION PREVENTION (Category A)

Engineered safety features shall be designed so that any action of the engineered safety features which might accentuate the adverse after-effects of the loss of normal cooling is avoided.

CRITERION 44 - EMERGENCY CORE COOLING SYSTEMS CAPABILITY (Category A)

At least two emergency core cooling systems, preferably of different design principles, each with a capability for accomplishing abundant emergency core cooling, shall be provided. Each emergency core cooling system and the core shall be designed to prevent fuel and clad damage that would interfere with the emergency core cooling function and to limit the clad metal-water reaction to negligible amounts for all sizes of breaks in the reactor coolant pressure boundary, including the double-ended rupture of the largest pipe. The performance of each emergency core cooling system shall be evaluated conservatively in each area of uncertainty. The systems shall not share active components and shall not share other features or components unless it can be demonstrated that (a) the capability of the shared feature or component to perform its required function can be readily ascertained during reactor operation, (b) failure of the shared feature or component does not initiate a loss-of-coolant accident, and (c) capability of the shared feature or component to perform its required function is not impaired by the effects of a A.0-27

BFN-18 loss-of-coolant accident and is not lost during the entire period this function is required following the accident.

CRITERION 45 - INSPECTION OF EMERGENCY CORE COOLING SYSTEMS (Category A)

Design provisions shall be made to facilitate physical inspection of all critical parts of the emergency core cooling systems, including reactor vessel internals and water injection nozzles.

CRITERION 46 - TESTING OF EMERGENCY CORE COOLING SYSTEMS COMPONENTS (Category A)

Design provisions shall be made so that active components of the emergency core cooling systems, such as pumps and valves, can be tested periodically for operability and required functional performance.

CRITERION 47 - TESTING OF EMERGENCY CORE COOLING SYSTEMS (Category A)

A capability shall be provided to test periodically the delivery capability of the emergency core cooling systems at a location as close to the core as is practical.

CRITERION 48 - TESTING OF OPERATIONAL SEQUENCE OF EMERGENCY CORE COOLING SYSTEMS (Category A)

A capability shall be provided to test under conditions as close to design as practical the full operational sequence that would bring the emergency core cooling systems into action, including the transfer to alternate power sources.

CRITERION 49 - CONTAINMENT DESIGN BASIS (Category A)

The containment structure, including access openings and penetrations, and any necessary containment heat removal systems shall be designed so that the containment structure can accommodate without exceeding the design leakage rate the pressure and temperatures resulting from the largest credible energy release following a loss-of-coolant accident, including a considerable margin for effects from metal-water or other chemical reactions that could occur as a consequence of failure of emergency core cooling systems.

CRITERION 50 - NDT REQUIRED FOR CONTAINMENT MATERIAL (Category A)

Principal load carrying components of ferritic materials exposed to the external environment shall be selected so that their temperatures under normal operating A.0-28

BFN-18 and testing conditions are not less than 30°F above nil ductility transition (NDT) temperature.

CRITERION 51 - REACTOR COOLANT PRESSURE BOUNDARY OUTSIDE CONTAINMENT (Category A)

If part of the reactor coolant pressure boundary is outside the containment, appropriate features as necessary shall be provided to protect the health and safety of the public in case of an accidental rupture in that part. Determination of the appropriateness of features such as isolation valves and additional containment shall include consideration of the environmental and population conditions surrounding the site.

CRITERION 52 - CONTAINMENT HEAT REMOVAL SYSTEMS (Category A)

Where active heat removal systems are needed under accident conditions to prevent exceeding containment design pressure, at least two systems, preferably of different principles, each with full capacity, shall be provided.

CRITERION 53 - CONTAINMENT ISOLATION VALVES (Category A)

Penetrations that require closure for the containment function shall be protected by redundant valving and associated apparatus.

CRITERION 54 - CONTAINMENT LEAKAGE RATE TESTING (Category A)

Containment shall be designed so that an integrated leakage rate testing can be conducted at design pressure after completion and installation of all penetrations and the leakage rate measured over a sufficient period of time to verify its conformance with required performance.

CRITERION 55 - CONTAINMENT PERIODIC LEAKAGE RATE TESTING (Category A)

The containment shall be designed so that integrated leakage rate testing can be done periodically at design pressure during plant lifetime.

CRITERION 56 - PROVISIONS FOR TESTING OF PENETRATIONS (Category A)

Provisions shall be made for testing penetrations which have resilient seals or expansion bellows to permit leaktightness to be demonstrated at design pressure at any time.

A.0-29

BFN-18 CRITERION 57 - PROVISIONS FOR TESTING OF ISOLATION VALVES (Category A)

Capability shall be provided for testing functional operability of valves and associated apparatus essential to the containment function for establishing that no failure has occurred and for determining that valve leakage does not exceed acceptable limits.

CRITERION 58 - INSPECTION OF CONTAINMENT PRESSURE-REDUCING SYSTEMS (Category A)

Design provisions shall be made to facilitate the periodic physical inspection of all important components of the containment pressure-reducing systems, such as, pumps, valves, spray nozzles, torus, and sumps.

CRITERION 59 - TESTING OF CONTAINMENT PRESSURE-REDUCING SYSTEMS COMPONENTS (Category A)

The containment pressure-reducing systems shall be designed so that active components, such as pumps and valves, can be tested periodically for operability and required functional performance.

CRITERION 60 - TESTING OF CONTAINMENT SPRAY SYSTEMS (Category A)

A capability shall be provided to test periodically the delivery capability of the containment spray system at a position as close to the spray nozzles as is practical.

CRITERION 61 - TESTING OF OPERATIONAL SEQUENCE OF CONTAINMENT PRESSURE-REDUCING SYSTEMS (Category A)

A capability shall be provided to test under conditions as close to the design as practical the full operational sequence that would bring the containment pressure-reducing systems into action, including the transfer to alternate power sources.

CRITERION 62 - INSPECTION OF AIR CLEANUP SYSTEMS (Category A)

Design provisions shall be made to facilitate physical inspection of all critical parts of containment air cleanup systems, such as, ducts, filters, fans, and dampers.

A.0-30

BFN-18 CRITERION 63 - TESTING OF AIR CLEANUP SYSTEMS COMPONENTS (Category A)

Design provisions shall be made so that active components of the air cleanup systems, such as fans and dampers, can be tested periodically for operability and required functional performance.

CRITERION 64 - TESTING OF AIR CLEANUP SYSTEMS (Category A)

A capability shall be provided for in situ periodic testing and surveillance of the air cleanup systems to ensure (a) filter bypass paths have not developed and (b) filter and trapping materials have not deteriorated beyond acceptable limits.

CRITERION 65 - TESTING OF OPERATIONAL SEQUENCE OF AIR CLEANUP SYSTEMS (Category A)

A capability shall be provided to test under conditions as close to design as practical the full operational sequence that would bring the air cleanup systems into action, including the transfer to alternate power sources and the design air flow delivery capability.

VIII. FUEL AND WASTE STORAGE SYSTEMS CRITERION 66 - PREVENTION OF FUEL STORAGE CRITICALITY (Category B)

Criticality in new and spent fuel storage shall be prevented by physical systems or processes. Such means as geometrically safe configurations shall be emphasized over procedural controls.

CRITERION 67 - FUEL AND WASTE STORAGE DECAY HEAT (Category B)

Reliable decay heat removal systems shall be designed to prevent damage to the fuel in storage facilities that could result in radio-activity release to plant operating areas or the public environs.

CRITERION 68 - FUEL AND WASTE STORAGE RADIATION SHIELDING (Category B)

Shielding for radiation protection shall be provided in the design of spent fuel and waste storage facilities as required to meet the requirements of 10 CFR 20.

A.0-31

BFN-18 CRITERION 69 - PROTECTION AGAINST RADIOACTIVITY RELEASE FROM SPENT FUEL AND WASTE STORAGE (Category B)

Containment of fuel and waste storage shall be provided if accidents could lead to release of undue amounts of radioactivity to the public environs.

IX. PLANT EFFLUENTS CRITERION 70 - CONTROL OF RELEASES OF RADIOACTIVITY TO THE ENVIRONMENT (Category B)

The facility design shall include those means necessary to maintain control over the plant radioactive effluents, whether gaseous, liquid, or solid. Appropriate holdup capacity shall be provided for retention of gaseous, liquid, or solid effluents, particularly where unfavorable environmental conditions can be expected to require operational limitations upon the release of radioactive effluents to the environment.

In all cases, the design for radioactivity control shall be justified (a) on the basis of 10 CFR 20 requirements for normal operations and for any transient situation that might reasonably be anticipated to occur and (b) on the basis of 10 CFR 100 dosage level guidelines for potential reactor accidents of exceedingly low A.0-32

BFN-18 probability of occurrence except that reduction of the recommended dosage levels may be required where high population densities or very large cities can be affected by the radioactive effluents.

(Sec. 161, 68 Stat. 948; 42 U.S.C. 2201)

Dated at Washington, D. C. this twenty-eighth day of June 1967.

For the Atomic Energy Commission.

Original Signed By W.B. McCool W. B. McCool Secretary A.0-33

BFN-18 AEC PUBLISHES GENERAL DESIGN CRITERIA FOR NUCLEAR POWER PLANT CONSTRUCTION PERMITS The AEC is publishing for public comment a revised set of proposed General Design Criteria which have been developed to assist in the preparation of applications for nuclear power plant construction permits.

In November 1965, the AEC issued an announcement requested comments on General Design Criteria developed by its regulatory staff. These criteria were statements of design principles and objectives which have evolved over the years in licensing nuclear power plants by the AEC.

It was recognized at the time the criteria were first issued for comment that further efforts were needed to develop them more fully. The revision being published today reflects extensive public comments received from twenty groups or individuals, suggestions made at meetings with the Atomic Industrial Forum, and review within the AEC.

The regulatory staff has worked closely with the Commission's Advisory Committee on Reactor Safeguards on the development of the criteria and the revision of the proposed criteria reflects ACRS review and comment.

The General Design Criteria reflect the predominating experience to date with water reactors, but they are considered to be generally applicable to all power reactors.

The proposed criteria are intended to be used as guidance to an applicant in establishing the principal design criteria for a nuclear power plant. The framework within which the criteria are presented provides sufficient flexibility to permit applicants to establish design requirements using alternate and/or additional criteria.

In particular, additional criteria will be needed for unusual sites and environmental conditions and for new or advanced types of reactors. In each case an applicant will be required to identify its principal design criteria and provide assurance that they encompass all those facility design features required in the interest of public health and safety.

The criteria are designated as "General Design Criteria for Nuclear Power Plant Construction Permits" to emphasize the key role they assume at this stage of the licensing process. The criteria have been categorized as Category A or Category B.

Experience has shown that more definitive information has been needed at the construction permit stage for certain of the criteria; these have been designated as Category A.

Development of these criteria is part of a longer-range Commission program to develop criteria, standards, and codes for nuclear reactor plants. This includes codes and standards that industry is developing with AEC participation. The ultimate goal is the evolution of industry codes and standards based on accumulated A.0-34

BFN-18 knowledge and experience as has occurred in various fields of engineering and construction.

The provisions of the proposed amendment relating to General Design Criteria are expected to be useful as interim guidance until such time as the Commission takes further action on them.

The proposed criteria, which would become Appendix A to Part 50 of the AEC's regulations, will be published in the Federal Register on .

Interested persons may submit written comments or suggestions to the Secretary, U. S. Atomic Energy Commission, Washington, D. C., 20545, within 60 days. A copy of the proposed "General Design Criteria for Nuclear Power Plant Construction Permits" is attached.

A.0-35

BFN-18 AEC UNITED STATES ATOMIC ENERGY COMMISSION WASHINGTON, DC 20545 No. H-252 FOR IMMEDIATE RELEASE Tel. 973-3335 OR (Monday, November 22, 1965) 973-3446 AEC TAKING PUBLIC COMMENT ON PROPOSED DESIGN CRITERIA FOR NUCLEAR POWER PLANT CONSTRUCTION PERMITS The Atomic Energy Commission is seeking comment from the nuclear industry and other interested persons on proposed general design criteria which have been developed to assist in the evaluation of applications for nuclear power plant construction permits.

The proposed criteria have been developed by the AEC regulatory staff and discussed with the Commission's Advisory Committee on Reactor Safeguards (ACRS). They represent an effort to set forth design and performance criteria for reactor systems, components and structures which have evolved over the years in licensing of nuclear power plants by the AEC. As such, they reflect the predominating experience to date with water reactors but most of them are generally applicable to other reactors as well.

It is recognized that further efforts by the AEC regulatory staff and the ACRS will be necessary to fully develop these criteria. However, the criteria as now proposed are sufficiently advanced to submit for public comment. Also, they are intended to give interim guidance to applicants and reactor equipment manufacturers.

The development and publication of criteria for nuclear power plants was one of the key recommendations of the special Regulatory Review Panel which studied ways of streamlining the Commission's reactor licensing procedures.

In the further development of these criteria, the AEC intends to hold discussions with organizations in the nuclear industry and to issue from time to time explanatory information on each criterion. Following such discussions with industry and receipt of other public comment, the AEC expects to develop and publish criteria that will serve as a basis for evaluation of applicants for nuclear power plant construction permits.

(more)

A.0-36

BFN-18 It is recognized that additional criteria may also be needed, particularly for reactors other than water reactors, and that there may be instances where one or more of the presently proposed criteria may not be applicable. Application of the criteria to a specific design continues to involve a considerable amount of engineering judgment.

These proposed criteria are part of a longer-range Commission program to develop criteria, standards and codes for nuclear reactors, including identification of codes and standards that industry will be encouraged to undertake. The ultimate goal is the evolution of industry codes based on accumulated knowledge and experience, as has occurred in various fields of engineering and construction.

A copy of the proposed "General Design Criteria for Nuclear Power Plant Construction Permits" is attached. Comments should be sent to the Director of Regulation, U. S. Atomic Energy Commission, Washington, D. C. 20545, by February 15, 1966.

11/22/65 NOTE: THIS AEC NOTICE AND THE ATTACHED DESIGN CRITERIA WERE RETYPED TO ENHANCE THE EXISTING PRINT AND COPY QUALITY.

A.0-37

BFN-18 GENERAL DESIGN CRITERIA FOR NUCLEAR POWER PLANT CONSTRUCTION PERMITS Attached hereto are general design criteria used by the AEC in judging whether a proposed nuclear power facility can be built and operated without undue risk to the health and safety of the public. They represent design and performance criteria for reactor systems, components and structures which have evolved over the years in licensing of nuclear power plants by the AEC. As such they reflect the predominating experience to date with water reactors out most of them are generally applicable to other reactors as well.

It should be recognized that additional criteria will be needed for evaluation of a detailed design, particularly for unusual sites and environmental conditions, and for new and advanced types of reactors.

Moreover, there may be instances in which it can be demonstrated that one or more of the criteria need not be fulfilled. It should also be recognized that the application of these criteria to a specific design involves a considerable amount of engineering judgment.

An applicant for a construction permit should present a design approach together with data and analysis sufficient to give assurance that the design can reasonably be expected to fulfill the criteria.

FACILITY CRITERION 1 Those features of reactor facilities which are essential to the prevention of accidents or to the mitigation of their consequences must be designed, fabricated, and erected to:

(a) Quality standards that reflect the importance of the safety function to be performed. It should be required, in this respect, that design codes commonly used for nonnuclear applications may not be adequate.

A.0-38

BFN-18 (b) Performance standards that will enable the facility to withstand, without loss of the capability to protect the public, the additional forces imposed by the most severe earthquakes, flooding conditions, winds, ice and other natural phenomena anticipated at the proposed site.

CRITERION 2 Provisions must be included to limit the extent and the consequences of credible chemical reactions that could cause or materially augment the release of significant amounts of fission products from the facility.

CRITERION 3 Protection must be provided against possibilities for damage of the safeguarding features of the facility by missiles generated through equipment failures inside the containment.

REACTOR CRITERION 4 The reactor must be designed to accommodate, without fuel failure or primary system damage, deviations from steady state norm that might be occasioned by abnormal yet anticipated transient events such as tripping of the turbine-generator and loss of power to the reactor recirculation system pumps.

CRITERION 5 The reactor must be designed so that power or process variable oscillations or transients that could cause fuel failure of primary system damage are not possible or can be readily suppressed.

A.0-39

BFN-18 CRITERION 6 Clad fuel must be designed to accommodate throughout its design lifetime all normal and abnormal modes of anticipated reactor operation, including the design overpower condition, without experiencing significant cladding failures. Unclad or vented fuels must be designed with the similar objective of providing control over fission products. For unclad and vented solid fuels, normal and abnormal modes of anticipated reactor operation must be achieved without exceeding design release rates of fission products from the fuel over core lifetime.

CRITERION 7 The maximum reactivity worth of control rods or elements and the rates with which reactivity can be inserted must be held to values such that no single credible mechanical or electrical control system malfunction could cause a reactivity transient capable of damaging the primary system or causing significant fuel failure.

CRITERION 8 Reactivity shutdown capability must be provided to make and hold the core subcritical from any credible operating condition with any one control element at its position of highest reactivity.

CRITERION 9 Backup reactivity shutdown capability must be provided that is independent of normal reactivity control provisions. This system must have the capability to shut down the reactor from any operating condition.

A.0-40

BFN-18 CRITERION 10 Heat removal systems must be provided which are capable of accommodating core decay heat under all anticipated abnormal and credible accident conditions, such as isolation from the main condenser and complete or partial loss of primary coolant from the reactor.

CRITERION 11 Components of the primary coolant and containment systems must be designed and operated so that no substantial pressure or thermal stress will be imposed on the structural materials unless the temperatures are well above the nil-ductility temperatures. For ferritic materials of the coolant envelope and the containment, minimum temperatures are NDT + 60oF and NDT + 30oF, respectively.

CRITERION 12 Capability for control rod insertion under abnormal conditions must be provided.

CRITERION 13 The reactor facility must be provided with a control room from which all actions can be controlled or monitored as necessary to maintain safe operational status of the plant at all times. The control room must be provided with adequate protection to permit occupancy under the conditions described in Criterion 17 below, and with the means to shut down the plant and maintain it in a safe condition if such accident were to be experienced.

A.0-41

BFN-18 CRITERION 14 Means must be included in the control room to show the relative reactivity status of the reactor such as position indication of mechanical rods or concentrations of chemical poisons.

CRITERION 15 A reliable reactor protection system must be provided to automatically initiate appropriate action to prevent safety limits from being exceeded. Capability must be provided for testing functional operability of the system and for determining that no component or circuit failure has occurred. For instruments and control systems in vital areas where the potential consequences of failure require redundancy, the redundant channels must be independent and must be capable of being tested to determine that they remain independent. Sufficient redundancy must be provided that failure or removal from service of a single component or channel will not inhibit necessary safety action when required.

These criteria should, where applicable, be satisfied by the instrumentation associated with containment closure and isolation systems, afterheat removal and core cooling systems, systems to prevent cold-slug accidents, and other vital systems, as well as the reactor nuclear and process safety system.

CRITERION 16 The vital instrumentation systems of Criterion 15 must be designed so that no credible combination of circumstances can interfere with the performance of a safety function when it is needed. In particular, the effect of influences common to redundant channels which are intended to be independent must not negate the operability of a safety system. The effects of gross disconnection of the system, loss of energy (electric power, instrument air), and adverse environment (heat from loss of instrument cooling, extreme cold, fire, steam, water, etc.) must cause the system to go into its safest state (fail-safe) or be demonstrably tolerable on some other basis.

A.0-42

BFN-18 ENGINEERING SAFEGUARDS CRITERION 17 The containment structure, including access openings and penetrations, must be designed and fabricated to accommodate or dissipate without failure the pressures and temperatures associated with the largest credible energy release including the effects of credible metal-water or other chemical reactions uninhibited by active quenching systems. If part of the primary coolant system is outside the primary reactor containment, appropriate safeguards must be provided for that part if necessary, to protect the health and safety of the public, in case of an accidental rupture in that part of the system.

The appropriateness of safeguards such as isolation valves, additional containment, etc., will depend on environmental and population conditions surrounding the site.

CRITERION 18 Provisions must be made for the removal of heat from within the containment structure as necessary to maintain the integrity of the structure under the conditions described in Criterion 17 above.

If engineered safeguards are needed to prevent containment vessel failure due to heat released under such conditions, at least two independent systems must be provided, preferably of different principles.

Backup equipment (e.g., water and power systems) to such engineered safeguards must also be redundant.

A.0-43

BFN-18 CRITERION 19 The maximum integrated leakage from the containment structure under the conditions described in Criterion 17 above must meet the site exposure criteria set forth in 10 CFR 100. The containment structure must be designed so that the containment can be leak tested at least to design pressure conditions after completion and installation of all penetrations, and the leakage rate measured over a suitable period to verify its conformance with required performance. The plant must be designed for later tests at suitable pressures.

CRITERION 20 All containment structure penetrations subject to failure such as resilient seals and expansion bellows must be designed and constructed so that leak-tightness can be demonstrated at design pressure at any time throughout operating life of the reactor.

CRITERION 21 Sufficient normal and emergency sources of electrical power must be provided to assure a capability for prompt shutdown and continued maintenance of the reactor facility in a safe condition under all credible circumstances.

CRITERION 22 Valves and their associated apparatus that are essential to the containment function must be redundant and so arranged that no credible combination of circumstances can interfere with their necessary functioning. Such redundant valves and associated apparatus must be A.0-44

BFN-18 independent to each other. Capability must be provided for testing functional operability of these valves and associated equipment to determine that no failure has occurred and that leakage is within acceptable limits. Redundant valves and auxiliaries must be independent. Containment closure valves must be actuated by instrumentation, control circuits and energy sources which satisfy Criterion 15 and 16 above.

CRITERION 23 In determining the suitability of a facility for a proposed site the acceptance of the inherent and engineered safety afforded by the systems, materials and components, and the associated engineered safeguards built into the facility, will depend on their demonstrated performance capability and reliability and the extent to which the operability of such systems, materials, components, and engineered safeguards can be tested and inspected during the life of the plant.

RADIOACTIVITY CONTROL CRITERION 24 All fuel storage and waste handling systems must be contained if necessary to prevent the accidental release of radioactivity in amounts which could affect the health and safety of the public.

CRITERION 25 The fuel handling and storage facilities must be designed to prevent criticality and to maintain adequate shielding and cooling for spent fuel under all anticipated normal and abnormal conditions, and credible accident conditions. Variables upon which health and safety of the public depend must be monitored.

A.0-45

BFN-18 CRITERION 26 Where unfavorable environmental conditions can be expected to require limitations upon the release of operational radioactive effluents to the environment, appropriate hold-up capacity must be provided for retention of gaseous, liquid, or solid effluents.

CRITERION 27 The plant must be provided with systems capable of monitoring the release of radioactivity under accident conditions.

A.0-46