Standard Review Plan: NRO - SRP@NRC - Gov

NUREG-0800

U.S. NUCLEAR REGULATORY COMMISSION

STANDARD REVIEW PLAN


APPENDIX 7.1-A ACCEPTANCE CRITERIA AND GUIDELINES FOR
INSTRUMENTATION AND CONTROL SYSTEMS IMPORTANT TO
SAFETY

REVIEW RESPONSIBILITIES

Primary - Organization responsible for the review of instrumentation and controls

Secondary - None

Review Note: The revision numbers of Regulatory Guides (RG) and the years of endorsed
industry standards referenced in this Standard Review Plan (SRP) section are centrally
maintained in SRP Section 7.1-T (Table 7-1). Therefore, the individual revision numbers of RGs
(except RG 1.97) and years of endorsed industry standards are not shown in this section.
References to industry standards incorporated by reference into regulation (IEEE Std 279-1971
and IEEE Std 603-1991) and industry standards that are not endorsed by the agency do include
the associated year in this section. See Table 7-1 to ensure that the appropriate RGs and
endorsed industry standards are used for the review.

Draft Revision 6 – August 2015

USNRC STANDARD REVIEW PLAN

This Standard Review Plan (SRP), NUREG-0800, has been prepared to establish criteria that the U.S. Nuclear Regulatory
Commission (NRC) staff responsible for the review of applications to construct and operate nuclear power plants intends to use in
evaluating whether an applicant/licensee meets the NRC regulations. The SRP is not a substitute for the NRC regulations, and
compliance with it is not required. However, an applicant is required to identify differences between the design features, analytical
techniques, and procedural measures proposed for its facility and the SRP acceptance criteria and evaluate how the proposed
alternatives to the SRP acceptance criteria provide an acceptable method of complying with the NRC regulations.

The SRP sections are numbered in accordance with corresponding sections in Regulatory Guide (RG) 1.70, "Standard Format and
Content of Safety Analysis Reports for Nuclear Power Plants (LWR Edition)." Not all sections of RG 1.70 have a corresponding
review plan section. The SRP sections applicable to a combined license application for a new light-water reactor (LWR) are based
on RG 1.206, "Combined License Applications for Nuclear Power Plants (LWR Edition)."

These documents are made available to the public as part of the NRC policy to inform the nuclear industry and the general public of
regulatory procedures and policies. Individual sections of NUREG-0800 will be revised periodically, as appropriate, to
accommodate comments and to reflect new information and experience. Comments may be submitted electronically by email to
[email protected].

Requests for single copies of SRP sections (which may be reproduced) should be made to the U.S. Nuclear Regulatory
Commission, Washington, DC 20555, Attention: Reproduction and Distribution Services Section by fax to (301) 415-2289; or by
email to [email protected]. Electronic copies of this section are available through the NRC public Web site at
http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr0800/, or in the NRC Agencywide Documents Access and Management
System (ADAMS), at http://www.nrc.gov/reading-rm/adams.html under ADAMS Accession No. ML15159A207.

ACCEPTANCE CRITERIA

The acceptance criteria and guidelines for instrumentation and control (I&C) systems
important to safety are divided into five categories: (1) regulations including paragraph
Title 10 of the Code of Federal Regulations (10 CFR) 50.55a(a)(2), which incorporates by
reference the Institute of Electrical and Electronics Engineers (IEEE) Standard (Std) 603-1991,
“IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations,” and IEEE
Std 279-1971, “Criteria for Protection Systems for Nuclear Power Generating Stations,” and
10 CFR 50.55a(h), “Protection And Safety Systems,” which references IEEE Std 603-1991 and
IEEE Std 279-1971, (2) the General Design Criteria of 10 CFR Part 50, “Domestic Licensing of
Production and Utilization Facilities,” Appendix A, “General Design Criteria for Nuclear Power
Plants,” (3) Commission Papers (SECY) and Staff Requirements Memoranda (SRM), (4) RGs
(including endorsed industry codes and standards), and (5) SRP branch technical positions
(BTPs).

An applicability statement describes how each criterion and guideline applies to the review of
I&C systems. Conformance to the requirements of General Design Criterion (GDC) 1,
“Quality Standards and Records,” and 10 CFR 50.54(jj) and 10 CFR 50.55(i), which address
quality standards for structures, systems, and components subject to the codes and standards
in 10 CFR 50.55a, is evaluated in the review of Section 7.1 of the safety analysis report (SAR).
Conformance to the remaining requirements of 10 CFR Part 50 applicable to I&C systems is
evaluated on a system basis in the review of Sections 7.2 through 7.9 of the SAR. Likewise, the
degree of conformance to the guidelines provided in the SRP, RGs, and industry codes and
standards is evaluated on a system basis in the review of Sections 7.2 through 7.9 of the SAR.
Exceptions taken to the guidance provided by RGs and endorsed industry codes and standards
should be evaluated as a part of the review of the applicability of these criteria. The evaluation
findings should be provided as a part of the review of Section 7.1 of the SAR, or the exception
should be noted and a reference provided to the section where it is addressed.

Three Mile Island (TMI) Action Plan requirements for I&C systems important to safety are
imposed by 10 CFR 50.34(f) for applications pending as of February 16, 1982. For operating
reactors that had approved construction permits prior to February 16, 1982, the TMI Action Plan
requirements were imposed by orders that required conformance to NUREG-0718, “Licensing
Requirements for Pending Applications for Construction Permits and Manufacturing License”;
NUREG-0737, “Clarification of TMI Action Plan Requirements”; NUREG-0737, Supplement 1,
“Clarification of TMI Action Plan Requirements: Requirements for Emergency Response
Capability”; and NUREG-0694, “TMI-Related Requirements for New Operating Reactor
Licenses.” Applicants under 10 CFR Part 52, “Licenses, Certifications, and Approvals for
Nuclear Power Plants,” should address the technically relevant portions of the requirements
in paragraphs 10 CFR 50.34(f)(1)-(3) except for paragraphs 10 CFR 50.34(f)(1)(xii),
10 CFR 50.34(f)(2)(ix) and 10 CFR 50.34(f)(3)(v). This appendix identifies both the 10 CFR
Part 50 and TMI Action Plan reference numbers for the TMI Action Plan requirements relevant
to Chapter 7 of the SAR. The action plan references are given in brackets following the
reference to the equivalent requirement of 10 CFR 50.34(f). This appendix presents specific
acceptance criteria for TMI Action Plan items; however, important context information is found in
the concepts contained in the referenced reports.

Inspections, Tests, Analyses, and Acceptance Criteria (ITAAC). For design certification (DC)
and combined license (COL) reviews, the staff reviews the applicant’s proposed ITAAC
associated with the structures, systems, and components (SSCs) related to this SRP section in
accordance with SRP Section 14.3, “Inspections, Tests, Analyses, and Acceptance Criteria.”
The staff recognizes that the review of ITAAC cannot be completed until after the rest of this
portion of the application has been reviewed against acceptance criteria contained in this SRP
section. Furthermore, the staff reviews the ITAAC to ensure that all SSCs in this area of review
are identified and addressed as appropriate in accordance with SRP Section 14.3.

COL Action Items and Certification Requirements and Restrictions. For a DC application, the
review will also address COL action items and requirements and restrictions (e.g., interface
requirements and site parameters).

For a COL application referencing a DC, a COL applicant must address COL action items
(referred to as COL license information in certain DCs) included in the referenced DC.
Additionally, a COL applicant must address requirements and restrictions (e.g., interface
requirements and site parameters) included in the referenced DC.

1. Regulations - 10 CFR Part 50

(a) 10 CFR 50.54(jj) and 10 CFR 50.55(i): Addresses Quality Standards for
Systems Important to Safety

“Structures, systems, and components subject to the codes and standards in
10 CFR 50.55a must be designed, fabricated, erected, constructed, tested, and
inspected to quality standards commensurate with the importance of the safety
function to be performed.”

Applicability - All I&C systems

Review Methods - The applicant or licensee should commit to conformance to
the RGs and standards referenced in SRP Sections 7.1 through 7.9 and the
BTPs in SRP Appendix 7-A. The design should conform to all RGs and
standards committed to by the applicant or licensee.

(b) 10 CFR 50.55a(h), “Protection and Safety Systems”

“For nuclear power plants with construction permits issued after January 1, 1971,
but before May 13, 1999, protection systems must meet the requirements stated
in either IEEE Std 279-1971, “Criteria for Protection Systems for Nuclear Power
Generating Stations,” or IEEE Std 603-1991, “Criteria for Safety Systems for
Nuclear Power Generating Stations,” and the correction sheet dated January 30,
1995. For nuclear power plants with construction permits issued before
January 1, 1971, protection systems must be consistent with their licensing basis
or may meet the requirements of IEEE Std 603-1991 and the correction sheet
dated January 30, 1995.”

Applicability - The protection systems: reactor trip system (RTS), engineered
safety features actuation system (ESFAS), auxiliary supporting features and
other supporting features, and supporting data communications systems.

One part of each IEEE standard also applies to all I&C systems, and one part of
each standard applies to information systems important to safety. The parts
applicable to all I&C systems are the following:

• IEEE Std 603-1991, Clause 5.6.3, “Independence Between Safety
Systems and Other Systems”

• IEEE Std 279-1971, Clause 4.7.2, “Isolation Devices”

The parts applicable to information systems important to safety are:

• IEEE Std 603-1991, Clause 5.8.2, “Indication of Bypasses”

• IEEE Std 279-1971, Clause 4.13, “Indication of Bypasses”

Review Methods - SRP Appendix 7.1-C provides guidance for evaluating
conformance to the requirements of IEEE Std 603-1991, including the applicable
RGs. SRP Appendix 7.1-B provides similar guidance for evaluating conformance
to the requirements of IEEE Std 279-1971.

(c) 10 CFR 50.55a(h)(3), “Safety Systems”

“Applications filed on or after May 13, 1999, for construction permits and
operating licenses under this part, and for design approvals, design certifications,
and combined licenses under part 52 of this chapter, must meet the requirements
for safety systems in IEEE Std. 603–1991 and the correction sheet dated
January 30, 1995.”

Applicability - The I&C safety systems including safety portions of engineered
safety feature (ESF) control systems; and supporting data communications
systems, safe shutdown systems, information systems, interlock systems,
auxiliary supporting features and other auxiliary features, and supporting data
communications systems.

One part of the IEEE standard also applies to all I&C systems, and one part of
the standard applies to information systems important to safety. The part
applicable to all I&C systems is:

• IEEE Std 603-1991, Clause 5.6.3

The part applicable to information systems important to safety is:

• IEEE Std 603-1991, Clause 5.8.2

Review Methods - SRP Appendix 7.1-C provides guidance for evaluating
conformance to the requirements of IEEE Std 603-1991, including the applicable
RGs.

(d) 10 CFR 50.34(f)(2)(v): Addressing (TMI Action Plan Item I.D.3) Bypass and
Inoperable Status Indication

“Provide for automatic indication of the bypassed and operable status of safety
systems.”

Applicability - The protection systems, RTS, ESFAS, information systems
important to safety, interlock systems, and supporting data communication
systems.

Review Methods – The review of compliance with 10 CFR 50.34(f)(2)(v) should
address the characteristics listed in the table below. These characteristics are
described in IEEE Std 279-1971 and IEEE Std 603-1991, and methods for
reviewing them are discussed in SRP Appendix 7.1-B and SRP Appendix 7.1-C
(see table below for sections).

                                            Review Guidance
Characteristic                              SRP Appendix 7.1-B    SRP Appendix 7.1-C

Auxiliary features                          Subsection 4.5        Subsection 5.1
Indication of bypasses                      Subsection 4.13       Subsection 5.8
Control and protection system interaction   Subsection 4.7        Subsections 5.6 and 6.3
Independence                                Subsection 4.6        Subsection 5.6

The evaluation of conformance to this requirement should be addressed in the
review of Sections 7.2, 7.3, and 7.6 of the SAR. A bypass and inoperable status
indication is required only for selected information system and interlock functions,
as discussed in SRP Sections 7.5 and 7.6.

(e) 10 CFR 50.34(f)(2)(xi): Addressing (TMI Action Plan Item II.D.3) Direct Indication
of Relief and Safety Valve Position

“Provide direct indication of relief and safety valve position (open or closed) in the
control room.”

Applicability - Information systems important to safety.

Review Methods – A relief and safety valve position indication should be included
in the information systems important to safety and reviewed in accordance with
the review guidance provided in SRP Section 7.5. The position indication should
be derived from a reliable valve-position detection device or a reliable indication
of flow in the discharge pipe. Both a position indication and an alarm should be
provided in the control room. The valve-position indication may be safety grade.
If the position indication is not safety grade, a reliable single-channel direct
indication powered from a vital instrument bus may be provided if backup
methods of determining the valve position are available and are discussed in the
emergency procedures as an aid to the operator diagnosis of an action. The
position indication should also be seismically and environmentally qualified.
NUREG-0737 provides additional guidance on conformance to this requirement.

The evaluation of conformance to this requirement should be addressed in the
review of Section 7.5 of the SAR.

(f) 10 CFR 50.34(f)(2)(xii): Addressing (TMI Action Plan Item II.E.1.2) Auxiliary
Feedwater System Automatic Initiation and Flow Indication

“Provide automatic and manual auxiliary feedwater (AFW) system initiation, and
provide auxiliary feedwater system flow indication in the control room.
(Applicable to pressurized water reactors (PWRs) only).”

Applicability - ESFAS and information systems important to safety in PWRs.

Review Methods - AFW initiation and flow indication should conform with the
requirements applicable to the ESFAS and instrumentation systems.
NUREG-0737 provides additional guidance on conformance to this requirement.
The evaluation of conformance to this requirement should be addressed in the
review of Sections 7.3 and 7.5 of the SAR.

(g) 10 CFR 50.34(f)(2)(xvii): Addressing (TMI Action Plan Item II.F.1) Accident
Monitoring Instrumentation

“Provide instrumentation to measure, record and readout in the control room:
(A) containment pressure, (B) containment water level, (C) containment
hydrogen concentration, (D) containment radiation intensity (high level), and (E)
noble gas effluents at all potential, accident release points. Provide for
continuous sampling of radioactive iodines and particulates in gaseous effluents
from all potential accident release points, and for onsite capability to analyze and
measure these samples.”

Applicability - Information systems important to safety.

Review Methods - The accident monitoring instrumentation functions required by
10 CFR 50.34(f)(2)(xvii) should be included in the information systems important
to safety and reviewed in accordance with the review guidance provided in SRP
Section 7.5.

(h) 10 CFR 50.34(f)(2)(xviii): Addressing (TMI Action Plan Item II.F.2)
Instrumentation for the Detection of Inadequate Core Cooling

“Provide instruments that provide in the control room an unambiguous indication
of inadequate core cooling, such as primary coolant saturation meters in PWRs,
and a suitable combination of signals from indicators of coolant level in the
reactor vessel and in-core thermocouples in PWRs and boiling water reactors
(BWRs).”

Applicability - Information systems important to safety.

Review Methods - Instrumentation for the detection of inadequate core cooling
should be included in the information systems important to safety and reviewed
in accordance with the review guidance provided in SRP Section 7.5.
Inadequate core cooling instrumentation should provide an unambiguous
indication of these conditions. It should provide the operator with sufficient
information during accident situations to take planned manual actions, and to
determine whether safety systems are operating properly. In addition, the
instrumentation should also provide sufficient data for the operator to be able to
evaluate the potential for core uncovery and a gross breach of protective
barriers, including the resultant release of radioactivity to the environment.
NUREG-0737 provides additional guidance on conformance to this requirement.
The evaluation of conformance to this requirement should be addressed in
the review of Section 7.5 of the SAR.

(i) 10 CFR 50.34(f)(2)(xiv): Addressing (TMI Action Plan Item II.E.4.2) Containment
Isolation Systems

“Provide containment isolation systems that (A) ensure all non-essential systems
are isolated automatically by the containment isolation system; (B) for each
non-essential penetration (except instrument lines) have two isolation barriers in
series; (C) do not result in reopening of the containment isolation valves on
resetting of the isolation signal; (D) utilize a containment set point pressure for
initiating containment isolation as low as is compatible with normal operation; and
(E) include automatic closing on a high radiation signal for all systems that
provide a path to the environs.”

Applicability - ESFAS - note that item (B) is not included in the scope for the
organization responsible for I&C systems.

Review Methods - The containment isolation functions of the ESFAS should be
reviewed to confirm that the ESFAS automatically closes each isolation device
on each nonessential penetration. Signal diversity should be provided for the
containment isolation function. For plants with digital-computer-based ESFAS,
signal diversity can be confirmed by the review of the licensee or applicant’s
diversity and defense-in-depth analysis.

Reopening of isolation valves should be performed on a valve-by-valve or
line-by-line basis, provided that electrical independence and the single-failure
criterion for the ESFAS functions continue to be satisfied. Ganged reopening of
containment isolation valves is not acceptable.

RG 1.105, “Setpoints for Safety-Related Instrumentation,” and SRP BTP 7-12
provide guidance on establishing and maintaining instrument setpoints. For
isolation of nonessential containment penetrations, however, the trip setpoint
should be established by adding measurement error terms to the highest
pressure value expected during normal plant operations, rather than subtracting
error terms from an accident analysis analytical limit. The setpoint should also
be shown to be low enough to ensure that protection system functions are
actuated before analytical limits are reached. The pressure setpoint selected
should be far enough above the maximum observed, or expected, pressure
inside containment during normal operation so that inadvertent containment
isolation does not occur during normal operation from instrument drift or
fluctuations due to the accuracy of the pressure sensor. The containment
pressure history during normal operation should be used as a basis for arriving at
an appropriate minimum pressure setpoint for initiating containment isolation.
Applicants for new licenses should use pressure history data from similar plants
that have operated for more than 1 year, if possible, to arrive at a minimum
containment setpoint pressure.

Containment purge lines and other penetrations that provide a path to the
environment should be isolated on a high radiation signal as one of the diverse
isolation functions.

The review of these design provisions to address 10 CFR 50.34(f)(2)(xiv) should
be addressed in the review of Section 7.3 of the SAR and should be coordinated
with the organization responsible for the review of containment systems.
NUREG-0737 provides additional guidance on conformance to these
requirements.

(j) 10 CFR 50.34(f)(2)(xix): Addressing (TMI Action Plan Item II.F.3) Instruments for
Monitoring Plant Conditions Following Core Damage

“Provide instrumentation adequate for monitoring plant conditions following an
accident that includes core damage.”

Applicability - Information systems important to safety.

Review Methods - Instrumentation for monitoring plant conditions following core
damage should be included in the information systems important to safety.
There should be instrumentation of sufficient quantity, range, availability, and
reliability to permit adequate monitoring of plant variables and systems during
and after an accident. Sufficient information should be provided to the operator
for: (1) taking planned manual actions to shut the plant down safely, (2)
determining whether the reactor trip, ESF systems, and manually initiated
safety-related systems are performing their intended safety functions (i.e., reactivity
control, core cooling, and maintaining reactor containment system and
containment integrity), and (3) determining the potential for causing a gross
breach of the barriers to radioactivity release (i.e., fuel cladding). The evaluation
of conformance to this requirement should be addressed in the review of
Section 7.5 of the SAR.

(k) 10 CFR 50.34(f)(2)(xx): Addressing (TMI Action Plan Item II.G.1) Power for
Pressurizer Level Indication and Controls for Pressurizer Relief and Block Valves

“Provide power supplies for pressurizer relief valves, block valves, and level
indicators such that: (A) level indicators are powered from vital buses, (B) motive
and control power connections to the emergency power sources are through
devices qualified in accordance with requirements applicable to systems
important to safety, and (C) electric power is provided from emergency power
sources. (Applicable to PWRs only)”

Applicability - Information systems important to safety in PWRs, and safe
shutdown systems.

Review Methods - Pressurizer level indication, block valve position indication,
and relief valve position indication should be supplied from a source of
emergency power in the event of a loss of offsite power. The power supplies
should conform to the guidance of NUREG-0737. The evaluation of
conformance to this requirement should be addressed in the review of Sections
7.4 and 7.5 of the SAR. The review of this requirement should be coordinated
with the organization responsible for the review of electrical systems.

(l) 10 CFR 50.34(f)(2)(xxii): Addressing (TMI Action Plan Item II.K.2.9) Failure
Modes and Effects Analysis of Integrated Control System

“Perform a failure modes and effects analysis of the integrated control system
(ICS) to include consideration of failures and effects of input and output signals
to the ICS. (Applicable to Babcock and Wilcox (B&W) - designed plants only.)”

Applicability - Control systems in B&W-designed plants.

Review Methods - The recommendations of the generic failure modes and
effects analysis described in BAW-1564, “Integrated Control System Reliability
Analysis,” should be incorporated into the design if this analysis applies to the
plant. Otherwise a plant-specific failure modes and effects analysis should be
conducted in accordance with U.S. Nuclear Regulatory Commission (NRC)
orders on B&W plants, and with NUREG-0694. The evaluation of conformance
to this requirement should be addressed in the review of Section 7.7 of the SAR.

(m) 10 CFR 50.34(f)(2)(xxiii): Addressing (TMI Action Plan Item II.K.2.10)
Anticipatory Trip on Loss of Main Feedwater or Turbine Trip.

“Provide, as part of the reactor protection system, an anticipatory reactor trip that
would be actuated on loss of main feedwater and on turbine trip. (Applicable to
B&W-designed plants only).”

Applicability - RTS in B&W-designed plants.

Review Methods - The design should comply with the guidance of NUREG-0694,
Item II.K.1 and either IEEE Std 279-1971 or IEEE Std 603-1991. SRP
Appendix 7.1-B, Subsection 4.5 and SRP Appendix 7.1-C, Subsection 5.12
provide guidance on the review of auxiliary features such as anticipatory trips.
The evaluation of conformance to this requirement should be addressed in the
review of Section 7.2 of the SAR.

(n) 10 CFR 50.34(f)(2)(xxiv): Addressing (TMI Action Plan Item II.K.3.23) Central
Reactor Vessel Water Level Recording

“Provide the capability to record reactor vessel water level in one location on
recorders that meet normal accident monitoring recording requirements.
(Applicable to BWRs only).”

Applicability - Information systems important to safety in BWRs.

Review Methods - The capability should be provided to record the water level
over the range from the top of the vessel dome to the lowest pressure tap. This
range of water level indication should be available in one location on recorders
that meet normal accident monitoring recording requirements. The evaluation of
conformance to this requirement should be addressed in the review of
Section 7.5 of the SAR.

(o) 10 CFR 50.62: Requirements for Reduction of Risk from Anticipated Transients
Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants.

10 CFR 50.62(c)(1) “Each pressurized water reactor must have equipment from
sensor output to final actuation device, that is diverse from the reactor trip
system, to automatically initiate the auxiliary (or emergency) feedwater system
and initiate a turbine trip under conditions indicative of an ATWS. This
equipment must be designed to perform its function in a reliable manner and be
independent (from sensor output to the final actuation device) from the existing
reactor trip system. (2) Each pressurized water reactor manufactured by
Combustion Engineering or by Babcock and Wilcox must have a diverse scram
system from the sensor output to interruption of power to the control rods. This
scram system must be designed to perform its function in a reliable manner and
be independent from the existing reactor trip system (from sensor output to
interruption of power to the control rods). (3) Each boiling water reactor must
have an alternate rod injection (ARI) system that is diverse (from the reactor trip
system) from sensor output to the final actuation device. The ARI system must
have redundant scram air header exhaust valves. The ARI must be designed to
perform its function in a reliable manner and be independent (from the existing
reactor trip system) from sensor output to the final actuation device. (4) Each
boiling water reactor must have a standby liquid control system (SLCS). The
SLCS and its injection location must be designed to perform its function in a
reliable manner. The SLCS initiation must be automatic and must be designed to
perform its function in a reliable manner for plants granted a construction permit
after July 26, 1984, and for plants granted a construction permit prior to
July 26, 1984, that have already been designed and built to include this feature.
(5) Each boiling water reactor must have equipment to trip the reactor coolant
recirculating pumps automatically under conditions indicative of an ATWS.”

Applicability - Systems and equipment used for mitigating ATWS events pursuant
to the requirements of 10 CFR 50.62 and supporting data communication
systems.

Review Methods - SRP Section 7.8 provides guidance for the evaluation of
conformance to the requirements of 10 CFR 50.62.

(p) 10 CFR 52.47(b)(1): ITAAC for Standard Design Certification

“The application (for design certification) must also contain: ...The proposed
tests, inspections, analyses, and acceptance criteria that are necessary and
sufficient to provide reasonable assurance that, if the inspections, test, and
analyses are performed and the acceptance criteria met, a plant that references
the design certification is built and will operate in accordance with the design
certification...”

Applicability - All I&C systems.

Review Methods - SRP Section 14.3.5 provides guidance for the evaluation of
ITAAC.

(q) 10 CFR 52.80(a): ITAAC for Combined License Applications

“The application (for the COL) must contain: The proposed inspections, tests
and analyses...that the licensee shall perform, and the acceptance criteria which
are necessary and sufficient to provide reasonable assurance that, if the
inspections, tests, and analyses are performed and the acceptance criteria met,
the facility has been constructed and will operate in conformity with the combined
license...”

Applicability - All I&C systems.

Review Methods - SRP Section 14.3.5 provides guidance for the evaluation of
ITAAC.

2. 10 CFR Part 50, Appendix A, General Design Criteria

(a) GDC 1, “Quality Standards and Records”

“Structures, systems, and components important to safety shall be designed,
fabricated, erected, and tested to quality standards commensurate with the
importance of the safety functions to be performed. Where generally recognized
codes and standards are used, they shall be identified and evaluated to
determine their applicability, adequacy, and sufficiency and shall be
supplemented or modified as necessary to ensure a quality product in keeping
with the required safety function. A quality assurance program shall be
established and implemented in order to provide adequate assurance that these
structures, systems, and components will satisfactorily perform their safety
functions. Appropriate records of the design, fabrication, erection, and testing of
structures, systems, and components important to safety shall be maintained by
or under the control of the nuclear power unit licensee throughout the life of the
unit.”

Applicability - All I&C systems and components important to safety.

Review Methods - RGs and endorsed codes and standards applicable to I&C
systems important to safety are identified in Section 4 of this appendix. These
guidelines provide the information needed to determine their applicability. The
review of Section 7.1 of the SAR should confirm that the appropriate RGs and
endorsed standards are identified as applicable for each I&C system important to
safety.

The evaluation of the quality assurance program and appropriate records is
addressed in the review of Chapter 17 of the SAR.

(b) GDC 2, “Design Bases for Protection Against Natural Phenomena”

“Structures, systems, and components important to safety shall be designed to
withstand the effects of natural phenomena such as earthquakes, tornadoes,
hurricanes, floods, tsunami, and seiches without loss of capability to perform their
safety functions. The design bases for these structures, systems, and
components shall reflect: (1) appropriate consideration of the most severe of the

Appendix 7.1-A-12 Draft Revision 6 – August 2015


natural phenomena that have been historically reported for the site and
surrounding area, with sufficient margin for the limited accuracy, quantity, and
period of time in which the historical data have been accumulated, (2)
appropriate combinations of the effects of normal and accident conditions with
the effects of the natural phenomena, and (3) the importance of the safety
functions to be performed.”

Applicability - All I&C safety systems and supporting data communication
systems.

Review Methods - The design bases for protection against natural phenomena
for I&C systems important to safety should be provided for the I&C system. The
design bases should identify those systems and components that should be
qualified to survive the effects of earthquakes and other natural phenomena.
The review should confirm that the I&C systems important to safety are qualified
for protection against natural phenomena consistent with the analysis of these
events in Chapter 3 of the SAR, and that they are located and housed in
structures consistent with these requirements.

The evaluation of the adequacy of qualification programs to demonstrate the
capability of I&C systems to withstand the effects of natural phenomena is
addressed in the review of Section 3.10 of the SAR.

The instrumentation systems needed for severe accidents must be designed so
there is reasonable assurance they will operate in the severe accident
environment for which they are intended, and over the time span for which they
are needed. They need not be subject to additional environmental or seismic
qualification testing or analysis.

The review of conformance to GDC 2 should be coordinated with the
organization responsible for review of plant systems and the organization
responsible for review of mechanical engineering topics.

(c) GDC 4, “Environmental and Dynamic Effects Design Bases”

“Structures, systems, and components important to safety shall be designed to
accommodate the effects of and to be compatible with the environmental
conditions associated with normal operation, maintenance, testing, and
postulated accidents, including loss-of-coolant accidents. These structures,
systems, and components shall be appropriately protected against dynamic
effects, including the effects of missiles, pipe whipping, and discharging fluids
that may result from equipment failures and from events and conditions outside
the nuclear power unit...”

Applicability - All I&C safety systems and supporting data communication
systems.

Review Methods - The environmental and missile design bases for I&C systems
important to safety should be provided for each system in Chapter 7 of the SAR.
The design bases should identify those systems and components that are
qualified to accommodate the effects of environmental conditions and that are
protected from the dynamic effects of missiles, pipe whipping, and discharging
fluids. If systems or components are qualified to survive the environmental
effects of postulated accidents for limited periods of time, the bases for limited
operability should be provided. The review of equipment qualification for
environmental conditions should be conducted in accordance with the guidance
provided in SRP Appendix 7.1-B, Subsection 4.4 and SRP Appendix 7.1-C,
Subsection 5.4.

The I&C systems needed for severe accidents must be designed so there is
reasonable assurance they will operate in the severe accident environment for
which they are intended and over the time span for which they are needed. They
need not be subject to additional environmental qualification requirements.

The review of this requirement should be coordinated with the organization
responsible for review of environmental qualification.

(d) GDC 10, “Reactor Design”

“The reactor core and associated coolant, control, and protection systems shall
be designed with appropriate margin to ensure that specified fuel design limits
are not exceeded during any condition of normal operation, including the effects
of anticipated operational occurrences.”

Applicability - I&C protection and control systems.

Review Methods – The evaluation of I&C system contributions to the design
margin for reactor core and coolant systems should be a part of the review of the
adequacy of I&C protective and control functions. This review is coordinated with
the organization responsible for the review of reactor systems. The I&C systems
may contribute to the reactor design margin in many ways, for example, by
providing better than the minimum required performance, as conservatism in
setpoint calculations, or by system features that make the protection or control
systems more fault tolerant. Margin may also be credited in many places and
there will naturally be tradeoffs between margin in the reactor design, margin in
performance analysis assumptions and methods, and margin in the I&C design.
The reactor systems and I&C reviewers should work together to understand the
margins provided in the applicant’s design and to confirm that there is reasonable
assurance that adequate margin is provided.

(e) GDC 13, “Instrumentation and Control”

“Instrumentation shall be provided to monitor variables and systems over their
anticipated ranges for normal operation, for anticipated operational occurrences,
and for accident conditions as appropriate to ensure adequate safety, including
those variables and systems that can affect the fission process, the integrity of
the reactor core, the reactor coolant pressure boundary, and the containment
and its associated systems. Appropriate controls shall be provided to maintain
these variables and systems within prescribed operating ranges.”

Applicability - All I&C systems including supporting data communication systems.

Review Methods - Review of compliance with GDC 13 should include
consideration of the following topics.

• Instrumentation to monitor plant variables and systems - See SRP
Sections 7.5 and 7.7.

• Instrumentation to monitor the status of protection systems - See SRP
Appendix 7.1-B, Subsections 4.9, 4.13, 4.19, or SRP Appendix 7.1-C,
Subsections 5.8 and 6.5.

• I&C for manual initiation of safety functions - See SRP Appendix 7.1-B,
Subsections 4.17 and 4.19, or SRP Appendix 7.1-C, Subsections 5.8, 6.2,
and 7.2.

• I&C to support diverse actuation of safety functions - See SRP
Section 7.8.

• I&C to regulate ESF systems - See SRP Section 7.3.

• Interlocks to maintain variables and systems within safe states - See SRP
Section 7.6.

• I&C to maintain variables and systems within normal operational limits -
See SRP Section 7.7.

• Protection of instrument sensing lines from environmental extremes - See
RG 1.151, “Instrument Sensing Lines.”

• Setpoints for instrumentation system alarms and control system actions -
See SRP BTP 7-12.

• Data communications systems that support plant I&C - See SRP
Section 7.9.

I&C systems should support conformance to the regulatory requirements
applicable to the process systems that they control. Requirements to be noted in
this regard include the following GDC.

| General Design Criterion | Lead Reviewer (Organization Responsible for Review) of: | Review Guidance |
| --- | --- | --- |
| GDC 10, “Reactor Design” | Reactor Systems | SRP Chapter 4 |
| GDC 12, “Suppression of Reactor Power Oscillations” | Reactor Systems | SRP Section 4.3 |
| GDC 15, “Reactor Coolant System Design” | Reactor Systems | SRP Section 5.4 |
| GDC 16, “Containment Design” | Containment Systems | SRP Section 6.2 |
| GDC 33, “Reactor Coolant Makeup” | Reactor Systems | SRP Chapter 9 |
| GDC 34, “Residual Heat Removal” | Reactor Systems | SRP Subsections 5.4.6 and 5.4.7 |
| GDC 35, “Emergency Core Cooling” | Reactor Systems | SRP Section 6.3 |
| GDC 38, “Containment Heat Removal” | Containment Systems | SRP Subsection 6.2.2 |
| GDC 41, “Containment Atmosphere Cleanup” | Plant Systems | SRP Section 6.5 |
| GDC 44, “Cooling Water” | Plant Systems | SRP Chapter 9 |

Depending on the applicant or licensee I&C system architecture, the review of
I&C for these functions may be within the review scope of the organization
responsible for review of I&C as part of the review of SAR Chapter 7, or a
secondary responsibility supporting other organizations’ review of other SAR
sections. The review methods described in this appendix should be used
as appropriate. The review guidance of SRP Appendix 7.1-B or SRP
Appendix 7.1-C should also be applied to I&C systems required for operation of
ESF systems or their auxiliary supporting features and other auxiliary features.

(f) GDC 15, “Reactor Coolant System Design”

“The reactor coolant system and associated auxiliary, control, and protection
system shall be designed with sufficient margin to ensure that the design
conditions of the reactor coolant pressure boundary are not exceeded during any
condition of normal operation, including anticipated operational occurrences.”

Applicability - I&C protection and control systems.

Review Methods – The evaluation of I&C system contributions to the design
margin for reactor coolant systems should be a part of the review of the
adequacy of I&C protective and control functions. This review is coordinated with
the organization responsible for the review of reactor systems. The I&C systems
may contribute to reactor coolant system design margin in many ways, for
example, by providing better than the minimum required performance, as
conservatism in setpoint calculations, or by system features that make the
protection or control systems more fault tolerant. Margin may also be credited in
many places and there will naturally be tradeoffs between margin in the reactor
design, margin in performance analysis assumptions and methods, and margin in
the I&C design. The reactor systems and I&C reviewers should work together to
understand the margins provided in the applicant’s design and to confirm there is
reasonable assurance that adequate margin is provided.

(g) GDC 16, “Containment Design”

“Reactor containment and associated systems shall be provided to establish an
essentially leak-tight barrier against the uncontrolled release of radioactivity to
the environment and to ensure that the containment design conditions important
to safety are not exceeded for as long as postulated accident conditions require.”

Applicability - ESF I&C systems.

Review Methods - GDC 16 imposes functional requirements on ESF I&C
systems to the extent that they support the requirement that the containment
provide a leak tight barrier. Relevant I&C functions might include, for example,
initiation of containment isolation, removal of radioactive material from the
containment atmosphere (e.g., containment spray), or containment
environmental control (e.g., containment spray or containment cooling). The
review should confirm that the I&C systems provide the functions, performance,
and reliability necessary to support the containment system safety function. This
review is coordinated with the organization responsible for the review of
containment systems.

(h) GDC 19, “Control Room”

“A control room shall be provided from which actions can be taken to operate the
nuclear power unit safely under normal conditions and to maintain it in a safe
condition under accident conditions, including loss-of-coolant accidents.
Adequate radiation protection shall be provided to permit access and occupancy
of the control room under accident conditions without personnel receiving
radiation exposures in excess of 5 rem whole body, or its equivalent to any part
of the body, for the duration of the accident. Equipment at appropriate locations
outside the control room shall be provided: (1) with a design capability for
prompt hot shutdown of the reactor, including necessary instrumentation and
controls to maintain the unit in a safe condition during hot shutdown, and (2) with
a potential capability for subsequent cold shutdown of the reactor through the
use of suitable procedures ...”

Applicability - All I&C systems and supporting data communication systems.

Review Methods - The evaluation of the I&C available to operate the nuclear
power unit under normal and accident conditions is addressed in the review of
Sections 7.3, 7.5, and 7.7 of the SAR. The evaluation of reactor trip functions,
interlock functions, and diverse I&C functions that support safe operation is
addressed in the review of Sections 7.2, 7.6, and 7.8 of the SAR. The evaluation
of safe shutdown and remote shutdown capabilities is addressed in the review of
Section 7.4 of the SAR.

The adequacy of the human factor aspects of the control room design is
addressed in the review of Chapter 18 of the SAR. The evaluation of the
habitability aspects of GDC 19 with respect to radiation protection is addressed in
the review of Section 6.4 of the SAR.

Guidelines for the review of safe shutdown capabilities, including remote
shutdown capabilities, are provided in SRP Section 7.4.

(i) GDC 20, “Protection System Functions”

“The protection system shall be designed (1) to initiate automatically the
operation of appropriate systems including the reactivity control systems, to
ensure that specified acceptable fuel design limits are not exceeded as a result
of anticipated operational occurrences, and (2) to sense accident conditions and
to initiate the operation of systems and components important to safety.”

Applicability - The protection systems, RTS, and ESFAS.

Review Methods – The review of compliance with GDC 20 should address the
characteristics listed in the table below. These characteristics are described in
IEEE Std 279-1971 and IEEE Std 603-1991, and methods for reviewing them are
discussed in SRP Appendix 7.1-B and SRP Appendix 7.1-C (see table below for
sections).

| Characteristic | Review Guidance: SRP Appendix 7.1-B | Review Guidance: SRP Appendix 7.1-C |
| --- | --- | --- |
| Design basis requirements | Section 3 | Section 4 |
| General functional requirements | Subsection 4.1 | Subsections 5, 6.1, and 7.1 |
| System integrity | Subsection 4.5 | Subsection 5.5 |
| Setpoints | Subsections 3 and 4.15 | Subsection 6.8 |

The evaluation of conformance to this requirement should be addressed in the
review of Sections 7.2 and 7.3 of the SAR.

(j) GDC 21, “Protection System Reliability and Testability”

“The protection system shall be designed for high functional reliability and
in-service testability commensurate with the safety functions to be performed.
Redundancy and independence designed into the protection system shall be
sufficient to ensure that: (1) no single failure results in loss of the protection
function, and (2) removal from service of any component or channel does not
result in loss of the required minimum redundancy unless the acceptable
reliability of operation of the protection system can be otherwise demonstrated.
The protection system shall be designed to permit periodic testing of its
functioning when the reactor is in operation, including a capability to test
channels independently to determine failures and losses of redundancy that may
have occurred.”

Applicability - The protection systems, RTS, ESFAS, and supporting data
communications systems.

Review Methods – The review of compliance with GDC 21 should address the
characteristics listed in the table below. These characteristics are described in
IEEE Std 279-1971 and IEEE Std 603-1991, and methods for reviewing them are
discussed in SRP Appendix 7.1-B and SRP Appendix 7.1-C (see table below for
section).

| Characteristic | Review Guidance: SRP Appendix 7.1-B | Review Guidance: SRP Appendix 7.1-C |
| --- | --- | --- |
| Design basis requirements | Section 3 | Section 4 |
| Single-failure criterion | Subsection 4.2 | Subsection 5.1 |
| Completion of protective action | Subsection 4.16 | Subsections 5.2 and 7.3 |
| Quality | Subsection 4.3 | Subsection 5.3 |
| System integrity | Subsection 4.5 | Subsection 5.5 |
| Physical, electrical, and communications independence | Subsections 4.6 and 4.7 | Subsections 5.6 and 6.3 |
| Capability for test and calibration | Subsections 4.9 and 4.10 | Subsections 5.7 and 6.5 |
| Indication of bypass | Subsection 4.13 | Subsection 5.8 |
| Control of access to safety system equipment | Subsections 4.14 and 4.18 | Subsection 5.9 |
| Repair and troubleshooting provisions | Subsection 4.21 | Subsection 5.10 |
| Identification of protection system equipment | Subsection 4.22 | Subsection 5.11 |
| Auxiliary features | Subsection 4.5 | Subsection 5.12 |
| Multi-unit stations | Subsection 4.5 | Subsection 5.13 |
| Human factors considerations | Subsection 4.19 | Subsection 5.14 |
| Reliability | Subsection 4.1 | Subsection 5.15 |
| Manual controls | Subsection 4.17 | Subsections 6.2 and 7.2 |
| Derivation of system inputs | Subsection 4.8 | Subsection 6.4 |
| Operating bypasses | Subsection 4.12 | Subsections 6.6 and 7.4 |
| Maintenance bypasses | Subsection 4.11 | Subsections 6.7 and 7.5 |
| Setpoints | Subsections 4.1 and 4.15 | Subsection 6.8 |
| Power sources | Subsection 4.5 | Section 8 |

The evaluation of conformance to this requirement should be addressed in the
review of Sections 7.2 and 7.3 of the SAR.

(k) GDC 22, “Protection System Independence”

“The protection system shall be designed to ensure that the effects of natural
phenomena, and of normal operating, maintenance, testing, and postulated
accident conditions on redundant channels do not result in loss of the protection
function, or shall be demonstrated to be acceptable on some other defined basis.
Design techniques, such as functional diversity or diversity in component design
and principles of operation, shall be used to the extent practical to prevent loss of
the protection function.”

Applicability - The protection systems, RTS, ESFAS, and supporting data
communication systems.

Review Methods - The review of compliance with GDC 22 should address the
characteristics listed in the table below. These characteristics are described in
IEEE Std 279-1971 and IEEE Std 603-1991, and methods for reviewing them are
discussed in SRP Appendix 7.1-B and SRP Appendix 7.1-C (see table below for
section).

| Characteristic | Review Guidance: SRP Appendix 7.1-B | Review Guidance: SRP Appendix 7.1-C |
| --- | --- | --- |
| Design Basis reliability requirements | Section 3 | Section 4 |
| Single-failure criterion | Subsection 4.2 | Subsection 5.1 |
| Quality | Subsection 4.3 | Subsection 5.3 |
| Equipment qualification | Subsection 4.4 | Subsection 5.4 |
| System integrity | Subsection 4.5 | Subsection 5.5 |
| Physical, electrical, and communications independence | Subsections 4.6 and 4.7 | Subsections 5.6 and 6.3 |
| Manual controls | Subsection 4.17 | Subsections 6.2 and 7.2 |
| Setpoints | Subsections 4.1 and 4.15 | Subsection 6.8 |
| Power sources | Subsection 4.5 | Section 8 |

(l) GDC 23, “Protection System Failure Modes”

“The protection system shall be designed to fail into a safe state or into a state
demonstrated to be acceptable on some other defined basis if conditions such as
disconnection of the system, loss of energy (e.g., electric power, instrument air),
or postulated adverse environments (e.g., extreme heat or cold, fire, pressure,
steam, water, and radiation) are experienced.”

Applicability - The protection systems, RTS, ESFAS, and supporting data
communication systems.

Review Methods – The review of compliance with GDC 23 is accomplished
as part of the review of system integrity requirements discussed in IEEE
Std 279-1971 and IEEE Std 603-1991. SRP Appendix 7.1-B and SRP
Appendix 7.1-C discuss methods for review of these characteristics. SRP
Appendix 7.1-B, Subsection 4.5 and SRP Appendix 7.1-C, Subsection 5.5
provide review guidance that encompasses the review with respect to
compliance with GDC 23. The evaluation of conformance to this requirement
should be addressed in the review of Sections 7.2 and 7.3 of the SAR.

(m) GDC 24, “Separation of Protection and Control Systems”

“The protection system shall be separated from control systems to the extent that
failure of any single control system component, or channel, or failure or removal
from service of any single protection system component or channel which is
common to the control and protection systems leaves intact a system satisfying
all reliability, redundancy, and independence requirements of the protection
system. Interconnection of the protection and control systems shall be limited so
as to ensure that safety is not significantly impaired.”

Applicability - All I&C systems.

Review Methods – The review of compliance with GDC 24 should address the
characteristics listed in the table below. These characteristics are described in
IEEE Std 279-1971 and IEEE Std 603-1991, and methods for reviewing them are
discussed in SRP Appendix 7.1-B and SRP Appendix 7.1-C (see table below for
section).

| Characteristic | Review Guidance: SRP Appendix 7.1-B | Review Guidance: SRP Appendix 7.1-C |
| --- | --- | --- |
| Single-failure criterion | Subsection 4.2 | Subsection 5.1 |
| Physical, electrical, and communications independence | Subsection 4.6 | Subsection 5.6 |
| Control protection interaction | Subsection 4.7 | Subsections 6.6 and 6.3 |
| Auxiliary features | Subsection 4.5 | Subsection 5.12 |
| Power sources | Subsection 4.5 | Section 8 |

The separation of protection and control systems should be considered in the
review of all sections of Chapter 7 of the SAR to confirm that all interfaces
between control systems and protection systems have been properly identified
and addressed.

(n) GDC 25, “Protection System Requirements for Reactivity Control Malfunctions”

“The protection system shall be designed to ensure that specified acceptable fuel
design limits are not exceeded for any single malfunction of the reactivity control
systems, such as accidental withdrawal (not ejection or dropout) of control rods.”

Applicability - The RTS and reactivity control system interlocks identified in SAR
Chapter 15 as required to ensure that specified acceptable fuel design limits are
not exceeded for any single malfunction of the reactivity control systems.

Review Methods - The confirmation that the protection system is designed for an
appropriate spectrum of reactivity control system malfunctions is addressed in
the review of protection system design basis requirements as discussed in IEEE
Std 279-1971 and IEEE Std 603-1991. SRP Appendix 7.1-B, Section 3 and SRP
Appendix 7.1-C, Section 4 provide review guidance for this topic. The evaluation
of conformance to this requirement should be addressed in the review of
Section 7.2 of the SAR.

(o) GDC 28, “Reactivity Limits”

“The reactivity control systems shall be designed with appropriate limits on the
potential amount and rate of reactivity increase to ensure that the effects of
postulated reactivity accidents can neither: (1) result in damage to the reactor
coolant pressure boundary greater than limited local yielding nor (2) sufficiently
disturb the core, its support structures or other reactor pressure vessel internals
to impair significantly the capability to cool the core....”

Applicability - I&C interlock and control systems.

Review Methods - GDC 28 imposes functional requirements on I&C interlock and
control systems to the extent they are provided to limit reactivity increases to
prevent or limit the effect of reactivity accidents. Relevant I&C systems might
include, for example, rod blocks or rod worth minimization systems. The review
should confirm that the I&C systems provide the functions, performance, and
reliability necessary to limit reactivity increases as credited for compliance with
GDC 28. This review is coordinated with the organization responsible for the
review of reactor systems.

(p) GDC 29, “Protection Against Anticipated Operational Occurrences”

“The protection and reactivity control systems shall be designed to ensure an
extremely high probability of accomplishing their safety functions in the event of
anticipated operational occurrences.”

Applicability - The protection systems, reactivity control functions of control
systems, and supporting data communications systems.

Review Methods – The evaluation with respect to the requirements of GDC 29 is
based on conformance of the protection system and reactivity control systems
with the applicable GDC discussed above. Probabilistic reliability assessments
may be performed by the NRC staff to provide a basis for the development of
deterministic criteria for specific systems. The review of these systems will
address conformance to the deterministic criteria so established. Conformance
of the reactivity control systems with GDC 29 is addressed in the review of
Section 7.2 of the SAR.

(q) GDC 33, “Reactor Coolant Makeup”

“A system to supply reactor coolant makeup for protection against small breaks
in the reactor coolant pressure boundary shall be provided....”

Applicability - ESF and interlock I&C systems.

Review Methods - GDC 33 imposes functional requirements on ESF I&C
systems provided to initiate, control, and protect the integrity of reactor coolant
makeup systems for protection against small breaks in the reactor coolant
pressure boundary. Relevant I&C systems might include, for example, systems
to initiate or realign the flow paths of charging systems or interlocks provided to
ensure proper system alignment during plant operation. The review should
confirm that the I&C systems provide the functions, performance, and reliability
necessary to initiate and control the reactor coolant makeup system such that the
safety functions described in GDC 33 are met. This review is coordinated with
the organization responsible for the review of reactor systems.

(r) GDC 34, “Residual Heat Removal”

“A system to remove residual heat shall be provided....”

Applicability - ESF, safe shutdown, and interlock I&C systems.

Review Methods - GDC 34 imposes functional requirements on ESF, safe
shutdown, and interlock I&C systems provided to initiate, control and protect the
integrity of residual heat removal systems. Relevant I&C systems might include,
for example, systems to initiate or realign flow paths for residual heat removal
systems or interlocks provided to ensure proper system alignment during plant
operation. The review should confirm that the I&C systems provide the functions,
performance, and reliability necessary to initiate and control the residual heat
removal system such that the safety functions of GDC 34 are achieved. This
review is coordinated with the organization responsible for the review of reactor
systems.

(s) GDC 35, “Emergency Core Cooling”

“A system to provide abundant emergency core cooling shall be provided....”

Applicability - ESF, safe shutdown, and interlock I&C systems.

Review Methods - GDC 35 imposes functional requirements on ESF, safe
shutdown, and interlock I&C systems provided to initiate, control and protect the
integrity of emergency core cooling systems. Relevant I&C systems might
include, for example, systems to initiate or realign flow paths for emergency core
cooling systems or interlocks provided to ensure proper system alignment during
plant operation. The review should confirm that the I&C systems provide the
functions, performance, and reliability necessary to initiate and control the
emergency core cooling system such that the safety functions of GDC 35 are
achieved. This review is coordinated with the organization responsible for the
review of reactor systems.

(t) GDC 38, “Containment Heat Removal”

“A system to remove heat from the reactor containment shall be provided...”

Applicability - ESF, safe shutdown, and interlock I&C systems.

Review Methods - GDC 38 imposes functional requirements on ESF, safe
shutdown, and interlock I&C systems provided to initiate, control and protect the
integrity of containment heat removal systems. Relevant I&C systems might
include, for example, systems to initiate or realign flow paths for containment
heat removal systems or interlocks provided to ensure proper system alignment
during plant operation. The review should confirm that the I&C systems provide
the function, performance, and reliability necessary to initialize and control the
containment heat removal system such that the safety functions of GDC 38 are
achieved. This review is coordinated with the organization responsible for the
review of containment systems.

(u) GDC 41, “Containment Atmosphere Cleanup”

“Systems to control fission products, hydrogen, oxygen, and other substances
which may be released into the reactor containment shall be provided....”

Applicability - ESF and interlock I&C systems.

Review Methods - GDC 41 imposes functional requirements on I&C systems
provided to initiate, control and protect the integrity of containment atmosphere
cleanup systems. Relevant I&C systems might include, for example, systems to
initiate or realign flow paths for containment spray or hydrogen recombiner
systems or interlocks provided to ensure proper system alignment during plant
operation. The review should confirm that the I&C systems provide the functions,
performance, and reliability necessary to initiate and control the containment
atmosphere control systems such that the safety functions of GDC 41 are
achieved. This review is coordinated with the organization responsible for the
review of containment systems.

(v) GDC 44, “Cooling Water”

“A system to transfer heat from structures, systems, and components important
to safety, to an ultimate heat sink shall be provided....”

Applicability - ESF, interlock, and control I&C systems.

Review Methods - GDC 44 imposes functional requirements on I&C systems
provided to initiate, control and protect the integrity of cooling water systems
important to safety. Relevant I&C systems might include, for example, systems
to initiate or realign flow paths for service water or component cooling water
systems or interlocks provided to ensure proper system alignment during plant
operation. The review should confirm that the I&C systems provide the functions,
performance, and reliability necessary to initiate and control the cooling water
systems such that the functions important to safety described in GDC 44 are
achieved. This review is coordinated with the organization responsible for the
review of containment systems.

3. Staff Requirements Memoranda

Note: This section quotes positions that are extracted from SRM and the associated
SECY papers. Specific positions are not necessarily separated from explanatory
material in these documents. The quotes given here do not include the explanatory
material provided in the SECY or SRM. The quotes may also combine material from the
SRM and SECY to fully represent the NRC position.

(a) Item II.Q, “Defense against Common-Mode Failures in Digital Instrumentation
and Control Systems,” of SRM on SECY-93-087, “Policy, Technical, and
Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor
(ALWR) Designs,” dated July 21, 1993.

(1) The applicant should assess the diversity and defense-in-depth of the
proposed I&C system to demonstrate that vulnerabilities to
common-cause failures have adequately been addressed.

(2) In performing the assessment, the vendor or applicant should analyze
each postulated common-cause failure for each event that is evaluated in
the accident analysis section of the SAR using best-estimate methods.
The vendor or applicant should demonstrate adequate diversity within the
design for each of these events.

(3) If a postulated common-cause failure could disable a safety function, then
a diverse means, with a documented basis that the diverse means is
unlikely to be subject to the same common-cause failure, should be
provided to perform either the same function or a different function. The
diverse or different function may be performed by a non-safety system if
the system is of sufficient quality to perform the necessary function under
the associated event conditions.

(4) A set of displays and controls located in the main control room should be
provided for manual, system-level actuation of critical safety functions and
monitoring of parameters that support the safety functions. The displays
and controls should be independent and diverse from the safety computer
system identified in Items (1) and (3) above.

Applicability - RTS, ESFAS, control systems, diverse I&C systems, and
supporting data communications systems in plants using digital
computer-based RTS or ESFAS.

Review Methods - SRP BTP 7-19 provides guidance for the evaluation of
compliance with the SECY/SRM. SRP Sections 7.7 and 7.8 provide
guidance for the review of control system and diverse I&C system
features that are credited as nonsafety diverse means of protecting
against common-cause failure within the safety systems.

(b) Item II.T, “Control Room Annunciator (Alarm) Reliability,” of SRM on SECY-93-
087, “Policy, Technical, and Licensing Issues Pertaining to Evolutionary and
Advanced Light-Water Reactor (ALWR) Designs,” dated July 21, 1993.

The annunciator system is considered to consist of sets of alarms (which may be
displayed on tiles, video display units (VDUs), or other devices) and sound
equipment; logic and processing support; and functions to enable operators to
silence, acknowledge, reset, and test alarms.

The main control room (MCR) should contain compact, redundant operator
workstations with multiple display and control devices that provide organized,
hierarchical access to alarms, displays, and controls. Each workstation should
have the full capability to perform MCR functions as well as to support the
division of tasks between two operators.

The display and control features should be designed to satisfy existing
regulations, for example, separation and independence requirements for
Class 1E circuits (IEEE Std 384, “IEEE Standard Criteria for Independence
of Class 1E Equipment and Circuits”); criteria for protection systems (IEEE
Std 279-1971); and specifications for the manual initiation of protective actions at
the systems level (RG 1.62, “Manual Initiation of Protection Action”). The
designer should use existing defensive measures (e.g., segmentation, fault
tolerance, signal validation, self-testing, error checking, supervisory watchdog
programs), as appropriate, to ensure that alarm, display, and control functions
provided by the redundant workstations meet these criteria.

Alarms that are provided for manually controlled actions for which no automatic
control is provided, and that are required for the safety systems to accomplish
their safety functions, should meet the applicable specifications for Class 1E
equipment and circuits.

Applicability - Information systems important to safety and supporting data
communications systems in ALWRs. For nuclear power plants with construction
permits issued before January 1, 1971, the display and control features should
be consistent with their licensing basis or may meet the standards of IEEE
Std 603-1991 (including the correction sheet dated January 30, 1995). For
nuclear power plants with construction permits issued after January 1, 1971, but
before May 13, 1999, the display and control features should meet the
standards of IEEE Std 279-1971 or IEEE Std 603-1991 (including the correction
sheet dated January 30, 1995). For nuclear power plants with construction
permits issued after May 13, 1999, the display and control features should meet
the standards of IEEE Std 603-1991 (including the correction sheet dated
January 30, 1995). In addition, these features should conform, as appropriate,
to RGs that support and amplify the guidance of IEEE Std 279-1971 and IEEE
Std 603-1991.

Review Methods - Section 7.5 describes methods for review of annunciator
systems in ALWRs.

4. RGs (including endorsed industry codes and standards)

(a) RG 1.22, “Periodic Testing of Protection System Actuation Functions”

Applicability - RTS, ESFAS, diverse I&C systems, and supporting data
communications systems.

Review Methods - RG 1.22 provides bases for evaluating conformance to GDC
21 and IEEE Std 279-1971, Clauses 4.10 through 4.13. The guidance applies
equally to IEEE Std 603-1991, Clauses 5.7, 5.8.3, 6.5, 6.7, 7.5, and 8.3. SRP
BTP 7-8 describes the staff position on the scope of periodic testing in
protection systems. SRP BTP 7-17 provides additional guidance on acceptable
periodic testing provisions for digital computer-based systems.

(b) RG 1.47, “Bypassed and Inoperable Status Indication for Nuclear Power Plant
Safety Systems”

Applicability - RTS, ESFAS, information systems important to safety, safety
interlock systems, and supporting data communications systems.

Review Methods - RG 1.47 provides bases for evaluating conformance to GDC
21 and IEEE Std 279-1971, Clauses 4.13 and 4.20, for protection systems. The
guidance applies equally to IEEE Std 603-1991, Clauses 5.8.2 and 5.8.3. The
RG also provides bases for evaluating the adequacy of bypass and inoperable
status indication for I&C systems important to safety as addressed in the review
of Section 7.5 of the SAR.

(c) RG 1.53, “Application of the Single-Failure Criterion to Nuclear Power Plant
Protection Systems” (endorses IEEE Std 379, “Standard Application of the
Single-Failure Criterion to Nuclear Power Generating Station Safety Systems”)

Applicability - All I&C safety systems and supporting data communications
systems.

Review Methods - RG 1.53 provides a basis for evaluating conformance to GDC
21 and IEEE Std 279-1971, Clause 4.2. The guidance applies equally to IEEE
Std 603-1991, Clause 5.

(d) RG 1.62, “Manual Initiation of Protection Action”

Applicability - RTS, ESFAS, and diverse I&C systems.

Review Methods - RG 1.62 provides a basis for evaluating conformance to IEEE
Std 279-1971, Clause 4.17. The guidance applies equally to IEEE Std 603-1991,
Clauses 6.2 and 7.2. RG 1.62 also provides guidance that should be considered
in the review of manual initiation of ATWS mitigation and diverse actuation
system functions.

(e) RG 1.75, “Criteria for Independence of Electrical Safety Systems” (endorses
IEEE Std 384).

Applicability - All I&C systems.

Review Methods - RG 1.75 provides a basis for evaluating conformance to GDC
21 and IEEE Std 279-1971, Clauses 4.6 and 4.22, and for evaluating the
adequacy of I&C systems important to safety that incorporate redundant or
diverse features to satisfy the single-failure criterion. The guidance applies
equally to IEEE Std 603-1991, Clauses 5.6 and 5.11. The I&C evaluation is
limited to the review of components and electrical wiring inside racks, panels,
and control boards for systems important to safety. The evaluation of the
physical separation of electrical cables is addressed in the review of Chapter 8 of
the SAR.

(f) RG 1.97, Revisions 2 and 3, “Instrumentation for Light-Water-Cooled Nuclear
Power Plants to Assess Plant and Environs Conditions During and Following an
Accident” (endorses American National Standards Institute (ANSI)/American
Nuclear Society (ANS)-4.5, “Criteria for Accident Monitoring Functions in Light-
Water-Cooled Reactors”), and RG 1.97, Revision 4, “Criteria for Accident
Monitoring Instrumentation for Nuclear Power Plants” (endorses IEEE Std 497,
“IEEE Standard Criteria for Accident Monitoring Instrumentation for Nuclear
Power Generating Stations”).

Applicability - Information systems important to safety.

Review Methods - RG 1.97 provides a basis for evaluating conformance to
GDC 13. Existing plants currently reference Revision 2 or 3 of RG 1.97. Revision 4 of
RG 1.97 is intended primarily for new plants. Revision 4 may be used by the
current operating reactor licensees for modification or conversion in accordance
with Regulatory Position 1 of RG 1.97.

Revision 4 to RG 1.97 represents a significantly different approach to the topic
from the previous revisions. Revision 4 is based on IEEE Std 497, which
establishes flexible, performance-based criteria for the selection, performance,
design, qualification, display, and quality assurance of accident monitoring
variables. There is no prescriptive list of accident monitoring parameters or
associated functional requirements on a parameter-by-parameter basis.

The evaluation of instrumentation for monitoring environs conditions and
radiation monitoring systems is addressed in the review of other sections of the
SAR.

SRP Section 7.5 and BTP 7-10 describe the review of accident monitoring
instrumentation.

(g) RG 1.105 (endorses Part 1 of ISA-S67.04, “Setpoints for Nuclear Safety-Related
Instrumentation”).

Applicability - All I&C systems.

Review Methods - RG 1.105 provides a basis for evaluating conformance to
GDC 13 and IEEE Std 279-1971, Clause 3. The guidance applies equally to
IEEE Std 603-1991, Clause 6.8. SRP BTP 7-12 provides guidance for
establishing and maintaining instrument setpoints.

RG 1.105 and Part 1 of ISA-S67.04 provide guidance for establishing setpoints
for trip functions. Nevertheless, their guidance is equally relevant to accounting
for measurement uncertainties when determining the indicated plant conditions at
which emergency procedures will require operator action, determining the
setpoint for interlock functions, and determining setpoints for control functions
provided to maintain plant variables and systems within prescribed operating
ranges. Therefore, the guidance of RG 1.105 is useful in reviewing all I&C
systems important to safety even if no automatic trip functions are involved.

(h) RG 1.118, “Periodic Testing of Electric Power and Protection Systems”
(endorses American National Standards Institute (ANSI)/IEEE Std 338,
“Standard Criteria for the Periodic Surveillance Testing of Nuclear Power
Generating Station Safety Systems”)

Applicability - All I&C safety systems, diverse I&C systems, and supporting data
communications systems.

Review Methods - RG 1.118 provides a basis for evaluating conformance to
GDC 21 and IEEE Std 279-1971, Clause 4.10. The guidance applies equally to
IEEE Std 603-1991, Clause 5.7. The I&C evaluation is limited to the review of
testing of protection systems. The evaluation of testing of electric power systems
is addressed by others in the review of Chapter 8 of the SAR. SRP BTP 7-17
discusses periodic test provisions in digital computer-based systems.

(i) RG 1.151, “Instrument Sensing Lines” (endorses ANSI/ISA-S67.02, “Nuclear
Safety-Related Instrument Sensing Line Piping and Tubing Standards for Use in
Nuclear Power Plants”).

Applicability - I&C sensing lines and sensing line environmental control systems.

Review Methods - RG 1.151 provides a basis for evaluating conformance to
GDC 13. Environmental control systems for all I&C systems are addressed in
the review of Section 7.7 of the SAR.

(j) RG 1.152, “Criteria for Use of Computers in Safety Systems of Nuclear Power
Plants” (endorses IEEE Std 7-4.3.2, “IEEE Standard Criteria for Digital
Computers in Safety Systems of Nuclear Power Generating Stations”).

Applicability - All I&C safety systems and supporting data communication
systems.

Review Methods - RG 1.152 provides a basis for evaluating conformance of
computers with GDC 21. SRP Appendix 7.1-D provides review guidance for the
evaluation of conformance to the guidance of RG 1.152.

(k) RG 1.168, “Verification, Validation, Reviews and Audits for Digital Computer
Software Used in Safety Systems of Nuclear Power Plants” (endorses IEEE Std
1012, “IEEE Standard for Software Verification and Validation,” and IEEE Std
1028, “IEEE Standard for Software Reviews and Audits”).

Applicability - All I&C systems and components important to safety.

Review Methods - RG 1.168 provides a basis for evaluating conformance to
10 CFR 50.54(jj) and 10 CFR 50.55(i), 10 CFR 50.55a(h), GDC 1, and Criteria I,
II, III, XI, and XVIII of 10 CFR Part 50, Appendix B, “Quality Assurance Criteria
for Nuclear Power Plants and Fuel Reprocessing Plants,” for computer-based
systems. It endorses, with comments, IEEE Std 1012 for planning the
verification and validation of safety system software. It also endorses, with
comments, IEEE Std 1028 as providing acceptable approaches for carrying out
software reviews, inspections, walkthroughs, and audits.

SRP BTP 7-14 describes the review of planning and implementation of
verification, validation, and audits of digital computer software.

(l) RG 1.169, “Configuration Management Plans for Digital Computer Software
Used in Safety Systems of Nuclear Power Plants” (endorses IEEE Std 828,
“IEEE Standard for Software Configuration Management Plans”).

Applicability - All I&C systems and components important to safety.

Review Methods - RG 1.169 provides a basis for evaluating conformance with
10 CFR 50.54(jj) and 10 CFR 50.55(i), 10 CFR 50.55a(h), GDC 1, and
Criterion III of 10 CFR Part 50, Appendix B for computer-based systems. It
endorses, with comments, IEEE Std 828 for planning the configuration
management of safety system software.

SRP BTP 7-14 describes the review of configuration management for digital
computer software.

(m) RG 1.170, “Software Test Documentation for Digital Computer Software Used in
Safety Systems of Nuclear Power Plants” (endorses IEEE Std 829, “IEEE
Standard for Software Test Documentation”).

Applicability - All I&C systems and components important to safety.

Review Methods - RG 1.170 provides a basis for evaluating conformance with
10 CFR 50.55a(h), GDC 1, GDC 21, and Criteria I, III, IV, VI, XI, and XVII of
10 CFR Part 50, Appendix B for computer-based systems. It endorses, with
comments, IEEE Std 829 as providing acceptable approaches for documenting
software testing.

SRP BTP 7-14 describes the review of testing of digital computer software.

(n) RG 1.171, “Software Unit Testing for Digital Computer Software Used in Safety
Systems of Nuclear Power Plants” (endorses ANSI/IEEE Std 1008, “IEEE
Standard for Software Unit Testing”)

Applicability - All I&C systems and components important to safety.

Review Methods - RG 1.171 provides a basis for evaluating conformance with
10 CFR 50.55a(h), GDC 1, GDC 21, and Criteria I, II, III, V, VI, XI, and XVII of
10 CFR Part 50, Appendix B for computer-based systems. It endorses, with
comments, ANSI/IEEE Std 1008 as providing acceptable approaches to unit
testing of software.

SRP BTP 7-14 describes the review of testing of digital computer software.

(o) RG 1.172, “Software Requirements Specifications for Digital Computer Software
Used in Safety Systems of Nuclear Power Plants” (endorses IEEE Std 830,
“IEEE Recommended Practice for Software Requirements Specifications”).

Applicability - All I&C systems and components important to safety.

Review Methods - RG 1.172 provides a basis for evaluating conformance with
10 CFR 50.55a(h), GDC 1, and Criterion III of 10 CFR Part 50, Appendix B for
computer-based systems. It endorses, with comments, IEEE Std 830 as
describing an acceptable approach to the development of software requirements
specifications.

SRP BTP 7-14 describes the review of software requirements specifications.

(p) RG 1.173, “Developing Software Life Cycle Processes for Digital Computer
Software Used in Safety Systems of Nuclear Power Plants,” (endorses IEEE Std
1074, “IEEE Standard for Developing Software Life Cycle Processes”).

Applicability - All I&C systems and components important to safety.

Review Methods - RG 1.173 provides a basis for evaluating conformance to
10 CFR 50.55a(h), GDC 1, and Criteria I, II, III, VI, XV, and XVII of 10 CFR
Part 50, Appendix B for computer-based systems. It endorses, with comments,
IEEE Std 1074 as providing acceptable approaches to defining software
development processes.

SRP BTP 7-14 describes the review of software development plans and software
project management plans that should outline the applicant’s or licensee’s
software life cycle. SRP BTP 7-14 also describes the review of each activity
group described in IEEE Std 1074.

(q) RG 1.174, “An Approach for Using Probabilistic Risk Assessment in Risk-Informed
Decisions on Plant-Specific Changes to the Licensing Basis.”

Applicability - All I&C Systems.

Review Methods - RG 1.174 provides a basis for evaluating conformance to GDC 13 as
part of the evaluation of I&C surveillance test interval changes for purposes other
than the accommodation of a 24-month fuel cycle change.

RG 1.174 provides guidance on the use of probabilistic risk assessment (PRA)
findings and risk insights in support of licensee requests for changes to a plant’s
licensing basis, as in requests for licensing amendments and technical
specification changes.

SRP BTP 7-12 provides information concerning I&C calibration intervals.

(r) RG 1.177, “An Approach for Plant-Specific, Risk-Informed Decision Making:
Technical Specifications.”

Applicability - All I&C Systems.

Review Methods - RG 1.177 provides a basis for evaluating conformance to GDC 13 as
part of the evaluation of I&C surveillance test interval changes for purposes other
than the accommodation of a 24-month fuel cycle change.

RG 1.177 provides guidance on assessing the nature and impact of proposed
technical specification changes by considering engineering issues and applying
risk insights.

SRP BTP 7-12 provides information concerning I&C calibration intervals.

(s) RG 1.180, “Guidelines for Evaluating Electromagnetic and Radio-Frequency
Interference in Safety-Related Instrumentation and Control Systems” (endorses
IEEE Std 1050, “IEEE Guide for Instrumentation and Control Equipment
Grounding in Generating Stations,” and portions of MIL-Std-461E,
“Requirements for the Control of Electromagnetic Interference Characteristics
of Subsystems and Equipment,” IEC 61000-3, “Electromagnetic
Compatibility (EMC) - Part 3: Limits,” IEC 61000-4, “Electromagnetic
Compatibility (EMC) - Part 4: Testing and Measurement Techniques,”
IEC 61000-6, “Electromagnetic Compatibility (EMC) - Part 6: Generic
Standards,” IEEE Std C62.41, “IEEE Recommended Practice on Surge Voltages
in Low-Voltage AC Power Circuits,” and IEEE Std C62.45, “IEEE Guide on Surge
Testing for Equipment Connected to Low-Voltage AC Power Circuits”).

Applicability - All I&C systems and components important to safety.

Review Methods - RG 1.180 provides a basis for evaluating conformance of I&C
systems and components to 10 CFR 50.54(jj) and 10 CFR 50.55(i),
10 CFR 50.55a(h), GDC 1, GDC 2, GDC 4 and Criteria III and XI. RG 1.180
identifies electromagnetic environment operating envelopes, design, installation,
and test practices acceptable to the staff for addressing the effects of
electromagnetic interference, radio-frequency interference, and power surges on
I&C systems and components important to safety.

RG 1.180 also endorses the applicable portions of the following standards, which
are referenced by IEEE Std 1050.

• IEEE Std 518-1982 (reaffirmed 1996), “IEEE Guide for the Installation of
Electrical Equipment to Minimize Noise Inputs to Controllers from
External Sources”

• IEEE Std 665, “IEEE Guide for Generating Station Grounding”

(t) RG 1.189, “Fire Protection for Operating Nuclear Power Plants”

Applicability - Safe shutdown I&C systems.

Review Methods - RG 1.189 compiles fire protection regulations and guidelines
into a comprehensive guide. It provides a basis for evaluating conformance of
I&C systems and components to 10 CFR Part 50, Appendix A GDC 19, GDC 25,
and 10 CFR Part 50, Appendix R, “Fire Protection Program for Nuclear Power
Facilities Operating Prior to January 1, 1979.” Regulatory Position 5 of the
RG provides performance goals for safe shutdown, alternate and dedicated
shutdown systems. This position also identifies systems and instrumentation
generally necessary for achieving hot shutdown and cold shutdown and provides
guidance on design criteria and analysis methods for these systems. The
application of RG 1.189 to the review of safe shutdown I&C systems should be
coordinated with the organization responsible for fire protection.

(u) RG 1.200, “An Approach for Determining the Technical Adequacy of Probabilistic
Risk Assessment Results for Risk-Informed Activities.”

Applicability - All I&C Systems.

Review Methods - RG 1.200 provides a basis for evaluating conformance to GDC 13 as
part of the evaluation of I&C surveillance test interval changes for purposes other
than the accommodation of a 24-month fuel cycle change.

RG 1.200 provides guidance on determining that the quality of the PRA, in total
or the parts that are used to support an application, is sufficient to provide
confidence in the results such that the PRA can be used in regulatory decision
making for light-water reactors.

(v) RG 1.204, “Guidelines for Lightning Protection of Nuclear Power Plants”
(endorses IEEE Std 665, IEEE Std 666, “IEEE Design Guide for Electrical Power
Service Systems for Generating Stations,” IEEE Std 1050, IEEE Std C62.23,
“IEEE Application Guide for Surge Protection of Electric Generating Plants,” and
applicable portions of referenced secondary standards).

Applicability - All I&C systems and components important to safety.

Review Methods - RG 1.204 provides a basis for evaluating conformance of I&C
systems and components with 10 CFR 50.55a, 10 CFR 50.55a(h), and GDC 2.

RG 1.204 provides guidance in the design and installation of lightning protection
systems to ensure that electrical transients resulting from lightning phenomena
do not render I&C systems important to safety inoperable or cause the spurious
operation of such systems.

RG 1.204 also endorses the applicable portions of the following standards, which
are referenced by IEEE Std 665, IEEE Std 666, IEEE Std 1050, or IEEE Std
C62.23.

• IEEE Std 80-2000, “IEEE Guide for Safety in AC Substation Grounding”

• IEEE Std 81-1983, “IEEE Guide for Measuring Earth Resistivity, Ground
Impedance, and Earth Surface Potentials of a Ground System”

• IEEE Std 81.2-1991, “IEEE Guide for Measurement of Impedance and
Safety Characteristics of Large, Extended or Interconnected Grounding
Systems”

• IEEE Std 142-1991, “IEEE Recommended Practice for Grounding of
Industrial and Commercial Power Systems” (IEEE Green Book)

• IEEE Std 367-1996, “IEEE Recommended Practice for Determining the
Electric Power Station Ground Potential Rise and Induced Voltage from a
Power Fault”

• IEEE Std 487-2000, “IEEE Recommended Practice for the Protection of
Wire-Line Communication Facilities Serving Electric Supply Locations”

• IEEE Std 1100-1999, “IEEE Recommended Practice for Powering and
Grounding Electronic Equipment” (IEEE Emerald Book)

• IEEE Std C37.101-1993, “IEEE Guide for Generator Ground Protection”

• IEEE Std C57.13.3-1983, “IEEE Guide for the Grounding of Instrument
Transformer Secondary Circuits and Cases”

• IEEE Std C62.92.1-2000, “IEEE Guide for the Application of Neutral
Grounding in Electrical Utility Systems, Part I – Introduction”

• IEEE Std C62.92.2-1989, “IEEE Guide for the Application of Neutral
Grounding in Electrical Utility Systems, Part II - Grounding of
Synchronous Generator Systems”

• IEEE Std C62.92.3-1993, “IEEE Guide for the Application of Neutral
Grounding in Electrical Utility Systems, Part III - Generator Auxiliary
Systems”

• IEEE Std C62.41.1-2002, “IEEE Guide on the Surge Environment in
Low-Voltage (1000 V and Less) AC Power Circuits”

• IEEE Std C62.41.2-2002, “IEEE Recommended Practice on
Characterization of Surges in Low-Voltage (1000 V and Less) AC Power
Circuits”

• IEEE Std C62.45-2002, “IEEE Recommended Practice on Surge Testing
for Equipment Connected to Low-Voltage (1000 V and Less) AC Power
Circuits”

(w) RG 1.209, “Guidelines for Environmental Qualification of Safety Related
Computer-Based Instrumentation and Control Systems in Nuclear Power Plants.”

Applicability - All I&C safety systems and supporting data communications
systems.

Review Methods - RG 1.209 provides a basis for evaluating conformance of
computers with GDC 4. RG 1.209 provides environmental qualification practices
that contribute to ensuring that computers can perform their safety-related
functions under all anticipated service conditions. RG 1.209 provides
environmental qualification procedures for computers located in a mild
environment and complements RG 1.89, Revision 1, “Environmental Qualification
of Certain Electric Equipment Important to Safety for Nuclear Power Plants,”
which addresses environmental qualification for harsh environments. SRP
Appendix 7.1-D provides review guidance for the evaluation of environmental
qualification of computers.

5. SRP Branch Technical Positions

Applicability - As noted in SRP Table 7-1.

Review Methods - The SRP BTPs provide bases for evaluating specific review areas.

REFERENCES

1. ANSI/ANS-4.5, “Criteria for Accident Monitoring Functions in Light-Water-Cooled
Reactors.”

2. ANSI/IEEE Std 1008, “IEEE Standard for Software Unit Testing.”

3. ANSI/IEEE Std 338, “Standard Criteria for the Periodic Surveillance Testing of Nuclear
Power Generating Station Safety Systems.”

4. ANSI/ISA-S67.02.01, “Nuclear Safety-Related Instrument Sensing Line Piping and
Tubing Standards for Use in Nuclear Power Plants.”

5. BAW-1564, “Integrated Control System Reliability Analysis.” Babcock and Wilcox,
August 17, 1979.

6. IEEE Std 80-2000, “IEEE Guide for Safety in AC Substation Grounding.”

7. IEEE Std 81-1983, “IEEE Guide for Measuring Earth Resistivity, Ground Impedance,
and Earth Surface Potentials of a Ground System.”

8. IEEE Std 367-1996, “IEEE Recommended Practice for Determining the Electric Power
Station Ground Potential Rise and Induced Voltage from a Power Fault.”

9. IEEE Std 487-2000, “IEEE Recommended Practice for the Protection of Wire-Line
Communication Facilities Serving Electric Supply Locations.”

10. IEEE Std 1100-1999, “IEEE Recommended Practice for Powering and Grounding
Electronic Equipment” (IEEE Emerald Book).

11. IEEE Std C37.101-1993, “IEEE Guide for Generator Ground Protection.”

12. IEEE Std C57.13.3-1983, “IEEE Guide for the Grounding of Instrument Transformer
Secondary Circuits and Cases,” (reaffirmed 1990).

13. IEEE Std C62.92.1-2000, “IEEE Guide for the Application of Neutral Grounding in
Electrical Utility Systems, Part I - Introduction.”

14. IEEE Std C62.92.2-1989, “IEEE Guide for the Application of Neutral Grounding in
Electrical Utility Systems, Part II - Grounding of Synchronous Generator Systems,”
(reaffirmed 2001).

15. IEEE Std C62.92.3-1993, “IEEE Guide for the Application of Neutral Grounding in
Electrical Utility Systems, Part III - Generator Auxiliary Systems,” (reaffirmed 2000).

16. IEEE Std C62.41.1-2002, “IEEE Guide on the Surge Environment in Low-Voltage
(1000 V and Less) AC Power Circuits.”

17. IEEE Std C62.41.2-2002, “IEEE Recommended Practice on Characterization of Surges
in Low-Voltage (1000 V and Less) AC Power Circuits.”

18. IEEE Std C62.45-2002, “IEEE Recommended Practice on Surge Testing for Equipment
Connected to Low-Voltage (1000 V and Less) AC Power Circuits.”

19. IEEE Std 279-1971, “Criteria for Protection Systems for Nuclear Power Generating
Stations.”

20. IEEE Std 829, “IEEE Standard for Software Test Documentation.”

21. IEC 61000-3-2, “Electromagnetic Compatibility (EMC) - Part 3-2: Limits - Limits for
Harmonic Current Emissions,” International Electrotechnical Commission, 2001.

22. IEC 61000-3-4, “Electromagnetic Compatibility (EMC) - Part 3-4: Limits - Limitation of
Emission of Harmonic Currents in Low-Voltage Power Supply Systems for Equipment
with Rated Current Greater than 16 A,” International Electrotechnical Commission, 1998.

23. IEC 61000-4-1, “Electromagnetic Compatibility (EMC) - Part 4: Testing and
Measurement Techniques, Section 1: Overview of Immunity Tests,” International
Electrotechnical Commission, 1992.

24. IEC 61000-4-2, “Electromagnetic Compatibility (EMC) - Part 4: Testing and
Measurement Techniques, Section 2: Electrostatic Discharge Immunity Test,”
International Electrotechnical Commission, 1995.

25. IEC 61000-4-3, “Electromagnetic Compatibility (EMC) - Part 4: Testing and
Measurement Techniques, Section 3: Radiated, Radio-Frequency, Electromagnetic
Field Immunity Test,” International Electrotechnical Commission, 1995.

26. IEC 61000-4-4, “Electromagnetic Compatibility (EMC) - Part 4: Testing and
Measurement Techniques, Section 4: Electrical Fast Transient/Burst Immunity Test,”
International Electrotechnical Commission, 1995.

27. IEC 61000-4-5, “Electromagnetic Compatibility (EMC) - Part 4: Testing and
Measurement Techniques, Section 5: Surge Immunity Test,” International
Electrotechnical Commission, 1995.

28. IEC 61000-4-6, “Electromagnetic Compatibility (EMC) - Part 4: Testing and
Measurement Techniques, Section 6: Immunity to Conducted Disturbances, Induced by
Radio-Frequency Fields,” International Electrotechnical Commission, 1996.

29. IEC 61000-4-7, “Electromagnetic Compatibility (EMC) - Part 4: Testing and
Measurement Techniques, Section 7: General Guide on Harmonics and Interharmonics
Measurements and Instrumentation, for Power Supply Systems and Equipment
Connected Thereto,” International Electrotechnical Commission, 1991.

30. IEC 61000-4-8, “Electromagnetic Compatibility (EMC) - Part 4: Testing and
Measurement Techniques, Section 8: Power Frequency Magnetic Field Immunity Test,”
International Electrotechnical Commission, 1993.

31. IEC 61000-4-9, “Electromagnetic Compatibility (EMC) - Part 4: Testing and
Measurement Techniques, Section 9: Pulse Magnetic Field Immunity Test,”
International Electrotechnical Committee, 1993.

32. IEC 61000-4-10, “Electromagnetic Compatibility (EMC) - Part 4: Testing and


Measurement Techniques, Section 10: Damped Oscillatory Magnetic Field Immunity
Test,” International Electrotechnical Committee, 1993.

33. IEC 61000-4-11, “Electromagnetic Compatibility (EMC) - Part 4: Testing and


Measurement Techniques, Section 11: Voltage Dips, Short Interruptions, and Voltage
Variations Immunity Test,” International Electrotechnical Committee, 1994.

34. IEC 61000-4-12, “Electromagnetic Compatibility (EMC) - Part 4: Testing and


Measurement Techniques, Section 12: Oscillatory Waves Immunity Tests,” International
Electrotechnical Committee, 1996.

35. IEC 61000-4-13, “Electromagnetic Compatibility (EMC) - Part 4: Testing and


Measurement Techniques, Section 13: Immunity to Harmonics and Interharmonics,”
International Electrotechnical Committee, 1998.

36. IEC 61000-4-16, “Electromagnetic Compatibility (EMC) - Part 4: Testing and
Measurement Techniques, Section 16: Test for Immunity to Conducted, Common Mode
Disturbances in the Frequency Range 0 Hz to 150 kHz,” International Electrotechnical
Committee, 1998.

37. IEC 61000-6-4, “Electromagnetic Compatibility (EMC) - Part 6: Generic Standards,
Section 4: Emission Standard for Industrial Environments,” International
Electrotechnical Committee, 1997.

38. IEEE Std 81.2-1991, “IEEE Guide for Measurement of Impedance and Safety
Characteristics of Large, Extended or Interconnected Grounding Systems.”

39. IEEE Std 142-1991, “IEEE Recommended Practice for Grounding of Industrial and
Commercial Power Systems” (IEEE Green Book).

40. IEEE Std 379, “Standard Application of the Single-Failure Criterion to Nuclear Power
Generating Station Safety Systems.”

41. IEEE Std 518-1982, “IEEE Guide for the Installation of Electrical Equipment to Minimize
Noise Inputs to Controllers from External Sources,” reaffirmed 1996.

42. IEEE Std 665, “IEEE Guide for Generating Station Grounding.”

43. IEEE Std 666, “IEEE Design Guide for Electrical Power Service Systems for Generating
Stations.”

44. IEEE Std 1050, “IEEE Guide for Instrumentation and Control Equipment Grounding in
Generating Stations.”

45. IEEE Std C62.23, “IEEE Application Guide for Surge Protection of Electric Generating
Plants.”

46. IEEE Std 1012, “IEEE Standard for Software Verification and Validation.”

47. IEEE Std 1028, “IEEE Standard for Software Reviews and Audits.”

48. IEEE Std 1074, “IEEE Standard for Developing Software Life Cycle Processes.”

49. IEEE Std C62.41, “IEEE Recommended Practice on Surge Voltages in Low-Voltage AC
Power Circuits.”

50. IEEE Std C62.45, “IEEE Guide on Surge Testing for Equipment Connected to
Low-Voltage AC Power Circuits.”

51. IEEE Std 384, “IEEE Standard Criteria for Independence of Class 1E Equipment and
Circuits.”

52. IEEE Std 603-1991, “IEEE Standard Criteria for Safety Systems for Nuclear Power
Generating Stations.”

53. IEEE Std 7-4.3.2, “IEEE Standard Criteria for Digital Computers in Safety Systems of
Nuclear Power Generating Stations.”

54. IEEE Std 828, “IEEE Standard for Software Configuration Management Plans.”

55. IEEE Std 830, “IEEE Recommended Practice for Software Requirements
Specifications.”

56. IEEE Std 497, “IEEE Standard Criteria for Accident Monitoring Instrumentation for
Nuclear Power Generating Stations.”

57. ISA-S67.04, Part 1, “Setpoints for Nuclear Safety-Related Instrumentation.”

58. MIL-Std-461E, “Requirements for the Control of Electromagnetic Interference
Characteristics of Subsystems and Equipment,” U.S. Department of Defense, August 20,
1999.

59. NUREG-0694, “TMI-Related Requirements for New Operating Reactor Licenses,” 1980.

60. NUREG-0718, “Licensing Requirements for Pending Applications for Construction
Permits and Manufacturing License,” 1981.

61. NUREG-0737, “Clarification of TMI Action Plan Requirements,” 1982.

62. NUREG-0737 Supplement 1, “Clarification of TMI Action Plan Requirements -
Requirements for Emergency Response Capability,” January 1983.

63. RG 1.105, “Setpoints for Safety-Related Instrumentation.”

64. RG 1.118, “Periodic Testing of Electric Power and Protection Systems.”

65. RG 1.151, “Instrument Sensing Lines.”

66. RG 1.152, “Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.”

67. RG 1.168, “Verification, Validation, Reviews and Audits for Digital Computer Software
Used in Safety Systems of Nuclear Power Plants.”

68. RG 1.169, “Configuration Management Plans for Digital Computer Software Used in
Safety Systems of Nuclear Power Plants.”

69. RG 1.170, “Software Test Documentation for Digital Computer Software Used in Safety
Systems of Nuclear Power Plants.”

70. RG 1.171, “Software Unit Testing for Digital Computer Software Used in Safety Systems
of Nuclear Power Plants.”

71. RG 1.172, “Software Requirements Specifications for Digital Computer Software Used in
Safety Systems of Nuclear Power Plants.”

72. RG 1.173, “Developing Software Life Cycle Processes for Digital Computer Software
Used in Safety Systems of Nuclear Power Plants.”

73. RG 1.22, “Periodic Testing of Protection System Actuation Functions.”

74. RG 1.47, “Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety
Systems.”

75. RG 1.53, “Application of the Single-Failure Criterion to Nuclear Power Plant Protection
Systems.”

76. RG 1.62, “Manual Initiation of Protection Action.”

77. RG 1.70, “Standard Format and Content of Safety Analysis Reports for Nuclear Power
Plants.”

78. RG 1.75, “Criteria for Independence of Electrical Safety Systems.”

79. RG 1.97, Revision 2, “Instrumentation for Light-Water-Cooled Nuclear Power Plants to
Assess Plant and Environs Conditions During and Following an Accident.”

80. RG 1.97, Revision 3, “Instrumentation for Light-Water-Cooled Nuclear Power Plants to
Assess Plant and Environs Conditions During and Following an Accident.”

81. RG 1.97, Revision 4, “Criteria for Accident Monitoring Instrumentation for Nuclear Power
Plants.”

82. RG 1.180, “Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference
in Safety-Related Instrumentation and Control Systems.”

83. RG 1.189, “Fire Protection for Operating Nuclear Power Plants.”

84. RG 1.204, “Guidelines for Lightning Protection of Nuclear Power Plants.”

85. RG 1.174, “An Approach for Using Probabilistic Risk Assessment in Risk-Informed
Decisions on Plant-Specific Changes to the Licensing Basis.”

86. RG 1.177, “An Approach for Plant-Specific, Risk-Informed Decision Making: Technical
Specifications.”

87. RG 1.200, “An Approach for Determining the Technical Adequacy of Probabilistic Risk
Assessment Results for Risk-Informed Activities.”

88. RG 1.206, “Combined License Applications for Nuclear Power Plants (LWR Edition).”

89. RG 1.89, “Environmental Qualification of Certain Electric Equipment Important to Safety
for Nuclear Power Plants.”

90. RG 1.209, “Guidelines for Environmental Qualification of Safety-Related
Computer-Based Instrumentation and Control Systems in Nuclear Power Plants.”

PAPERWORK REDUCTION ACT STATEMENT

The information collections contained in the Standard Review Plan are covered by the requirements of 10 CFR Part 50 and
10 CFR Part 52, and were approved by the Office of Management and Budget, approval numbers 3150-0011 and 3150-0151.

PUBLIC PROTECTION NOTIFICATION

The NRC may not conduct or sponsor, and a person is not required to respond to, a request for information or an information
collection requirement unless the requesting document displays a currently valid OMB control number.

APPENDIX 7.1-A
Description of Changes

APPENDIX 7.1-A, “Acceptance Criteria and Guidelines for
Instrumentation and Control Systems Important to Safety”

This Appendix 7.1-A Section affirms the technical accuracy and adequacy of the guidance
previously provided in Appendix 7.1-A, Revision 5, dated March 2007. See ADAMS Accession
Number ML070660170.

The main purpose of this update is to incorporate the revised software Regulatory Guides and
the associated endorsed standards. For organizational purposes, the revision number of each
Regulatory Guide and year of each endorsed standard is now listed in one place, Table 7-1. As
a result, revisions of Regulatory Guides and years of endorsed standards were removed from
this section, if applicable. For standards that are incorporated by reference into regulation
(IEEE Std 279-1971 and IEEE Std 603-1991) and standards that have not been endorsed by
the agency, the associated revision number or year is still listed in the discussion.

Added Regulatory Guide 1.209, “Guidelines for Environmental Qualification of Safety-Related
Computer-Based Instrumentation and Control Systems in Nuclear Power Plants,” to the list of
applicable regulatory guides for reviews under this SRP section.

Part of 10 CFR was reorganized due to a rulemaking in the fall of 2014. Quality requirement
discussions in the former 10 CFR 50.55a(a)(1) were moved to 10 CFR 50.54(jj) and 10 CFR
50.55(i). The incorporation by reference language in the former 10 CFR 50.55a(h)(1) was
moved to 10 CFR 50.55a(a)(2). There were no changes either to 10 CFR 50.55a(h)(2) or 10
CFR 50.55a(h)(3).

The footnote on page 7.1-A-2 referring to Part 50 applicants not listed in 10 CFR 50.34(f) was
deleted.

Additional changes were editorial.
