
Approved by
Order of the Federal Environmental, Industrial
and Nuclear Supervision Service
No. 483 dated 16.11.2016

FEDERAL RULES AND REGULATIONS
IN THE FIELD OF ATOMIC ENERGY USE
"REQUIREMENTS FOR SAFETY-RELATED CONTROL SYSTEMS
OF NUCLEAR POWER PLANTS"
(NP-026-16)

I. Purpose and scope

1. These Federal rules and regulations in the field of atomic energy use "Requirements for safety-
related control systems of nuclear power plants" (NP-026-16) (hereinafter - the Rules) are developed in
accordance with Federal Law No. 170-FZ dated 21 November 1995 "On atomic energy use" (Collected
Acts of the Russian Federation, 1995, N 48, art. 4552; 1997, N 7, art. 808; 2001, N 29, art. 2949; 2002, N
1, art. 2; N 13, art. 1180; 2003, N 46, art. 4436; 2004, N 35, art. 3607; 2006, N 52, art. 5498; 2007, N 7,
art. 834; N 49, art. 6079; 2008, N 29, art. 3418; N 30, art. 3616; 2009, N 1, art. 17; N 52, art. 6450; 2011,
N 29, art. 4281; N 30, art. 4590, art. 4596; N 45, art. 6333; N 48, art. 6732; N 49, art. 7025; 2012, N 26,
art. 3446; 2013, N 27, art. 3451; 2016, N 14, art. 1904; N 15, art. 2066; N 27, art. 4289), Decree of the
Government of the Russian Federation No. 1511 dated 1 December 1997 "On approval of the Regulation
on development and approval of Federal rules and regulations in the field of atomic energy use"
(Collected Acts of the Russian Federation, 1997, N 49, art. 5600; 1999, N 27, art. 3380; 2000, N 28, art.
2981; 2002, N 4, art. 325; N 44, art. 4392; 2003, N 40, art. 3899; 2005, N 23, art. 2278; 2006, N 50, art.
5346; 2007, N 14, art. 1692; N 46, art. 5583; 2008, N 15, art. 1549; 2012, N 51, art. 7203).

2. The requirements of these Rules shall apply in full to power units of nuclear power plants that
are at the design stage.

3. Operating conditions for the power units of nuclear power plants in operation, as well as for
power units under construction whose construction licenses were issued before these Rules entered into
force, shall be brought into compliance with these Rules, with the corresponding changes made to the
conditions of the construction or operation license.

4. The list of used abbreviations is given in Appendix 1, terms and definitions are given in Appendix
2 to these Rules.

II. General requirements for safety-related control systems

5. Configuration and functions of the safety-related control systems shall be defined in the NPP
design documentation (hereinafter - the NPP design) in compliance with the requirements of federal
rules and regulations in the field of atomic energy use. The following safety-related control systems shall
be provided for each NPP power unit:

SR NOCS;

CSS;

control systems belonging to safety-related special-purpose hardware for beyond design basis
accident management.

Safety-related normal operation control systems perform the functions assigned to the first and
second levels of defense in depth; control safety systems perform the functions assigned to the third
level of defense in depth; control systems belonging to safety-related special-purpose hardware for
beyond design basis accident management perform the functions assigned to the fourth level of
defense in depth.

6. The requirements for each safety-related control system shall be specified in the terms of
reference for development of this system included into the NPP design. Compliance with the
requirements specified in the terms of reference for the relevant system development and the
requirements of the NPP design shall be confirmed in the SAR for each safety-related control system.

7. All components of safety-related control systems shall be assigned to functional groups in the
NPP design.

8. One of the categories - A, B or C - shall be assigned in the NPP design to the control and
information functions performed by the functional groups.

9. Category A shall be assigned to the following control and information functions:

performed by the CSS (including emergency protection of the reactor, control of the emergency
core cooling systems, control of the localizing safety systems);

intended to provide the NPP personnel with the information and control capabilities necessary, in
case of any initiating event of a design basis accident, to perform the actions needed to bring the NPP to
a controlled safe state.

10. Category B shall be assigned to the following control and information functions:

control of the systems maintaining the reactor in sub-critical state after actuation of the reactor
emergency protection;

control of the systems for heat removal from the shut-down reactor and the fuel pool (or other
spent nuclear fuel storage facilities);

functions whose non-performance under normal operating conditions of the NPP would require a
control or information function of category A to be performed in order to prevent a pre-accident
situation or an accident;

intended to provide the NPP personnel with information and (or) control possibilities necessary to
perform any actions aimed to limit the accident consequences after achievement of the NPP controlled
safe state;

intended to provide the NPP personnel with information in relation to compliance with the safe
operation limits and conditions as well as information on performance of safety functions in case of
accidents.

11. Category C shall be assigned to the following control and information functions:

control of the NPP process within the operation limits and prevention of any deviations from the
safe operation limits;

detection of dangerous events (fires, flooding) and (or) limitation of their impact on the NPP
safety (for example control of fire extinguishing systems, localization of flooding);

performed by the control systems belonging to safety-related special-purpose hardware for
beyond design basis accident management;

radiological control.

12. Where several of the classification criteria in par. 9-11 of these Rules apply to the same
control or information function, the function shall be assigned the highest of the categories those
criteria define, category A being the highest.

13. Organizations performing their activities at any stage of the SR CS life cycle shall carry out
these activities in accordance with the quality assurance programs developed in these organizations.

14. Verification shall be performed in relation to the results of activities at all stages of the SR CS
life cycle. All non-conformities detected in the course of verification shall be documented and
eliminated.

15. Requirements for reliable performance of control and information functions by safety-related
control systems shall be specified in the NPP design.

Compliance with the reliability requirements specified in the NPP design shall be confirmed by
calculation of the reliability parameters for each control and information function, taking into account,
in particular, operating experience. The calculation shall allow for possible evident and latent failures
(including software errors and failures of diagnostic devices), common cause failures and human errors,
as well as the frequency of maintenance, testing (verification) and repair.

16. Criteria and the procedure for assessment of limit state for safety-related control system
components as well as data on their specified lifetime shall be provided in the NPP design.

17. Consequences of any failures of the SR CS components (including common cause failures in
particular due to software errors) shall be analyzed in the NPP design, and measures aimed to ensure
the NPP safety in case of the above-mentioned failures shall be provided.

18. Safe operation conditions, the disabling procedure, performance of periodic inspections,
testing and the procedure for activation of the system components (channels), the requirements for the
scope and frequency of maintenance and repair, the size and qualification of the maintenance personnel
shall be specified and substantiated in the NPP design for each safety-related control system.

19. The NPP design shall provide for generation of the signal for the NPP personnel upon disabling
of any SR CS channels (components) or functional groups.

20. The NPP design shall provide for continuous automatic monitoring (self-diagnostics) of the
operability of safety-related control systems. In addition, periodic verification of safety-related control
systems shall be provided in order to detect latent failures not revealed by continuous automatic
monitoring during operation.

21. Safety-related control systems shall include archiving and display means (with the regularity
substantiated in the NPP design) for diagnostic information on the technical condition of the SR CS
components and adjacent systems including data on any failures detected in the course of continuous
automatic monitoring during operation in any cases prescribed in the NPP design.

22. All information at the NPP power unit shall be recorded with time stamps from the unified (standard) time system of the power unit.

23. The NPP design for safety-related control systems shall provide measures aimed to ensure that
performance of any control or information function and (or) failure to perform any control or
information function of lower category would not result in failure to perform any control or information
function of higher category.

24. In case any control or information function is performed with involvement of the NPP
personnel it should be demonstrated in the NPP design that conditions are created for the NPP
personnel in order to perform this control or information function. Measures aimed to reduce
probability of human errors shall be specified and substantiated in the NPP design.

25. Functional groups performing control or information functions of category A shall comply with
the principles of redundancy, independence and diversity. Selection of diversity type (types) shall be
based on the analysis of potential causes of failures to perform any control or information function of
the functional group and the expected consequences. In case any programmable digital devices are used
within the functional group performing any control or information function of category A several
diversity types shall be applied in order to comply with the principle of diversity.

26. Functional groups performing control or information functions of category B shall comply with
the principles of redundancy, independence and diversity. Whether each of the principles of
independence, redundancy and diversity is applied or not shall be substantiated in the NPP design.

27. Compliance assessment (in the form of testing) shall be provided in order to confirm capability
of the SR CS components to perform their control and information functions.

28. Each channel of a group of mutually redundant SR CS channels that together perform the
same control (information) function of category A shall be capable of performing that control
(information) function regardless of:

inoperability (in particular due to disabling, testing, maintenance) of other channels belonging to
this group of channels;

loss of operability in the signal and data transmission line between the channels of this group;

impact of any external natural and human-induced factors on other channels of this group as well
as impacts of design basis accidents.

III. Requirements for safety-related normal operation systems

29. The NPP design shall provide for automatic and (or) automated control of the process
equipment of safety-related normal operation systems through the use of SR NOCSs.

30. The NPP design shall provide for transmission of control actions from the SR NOCSs to the
controlled objects in case of any deviations from the preset NPP process parameters defining the safe
operation limits (neutron and thermal power of the RP, pressure and temperature of the primary circuit
coolant, etc.). The above-mentioned control actions shall be aimed to return the controlled parameters
to the values established for normal operation and shall be transmitted to the controlled object prior to
initiation of protective actions by the control safety systems.

31. The following shall be defined and substantiated in the NPP design for safety-related normal
operation systems:

protection actuation conditions;

conditions for actuation of interlocks;

process control algorithms;

the range of controlled parameters necessary for control (including automated one);

the number of measuring channels sufficient for performance of control and information functions
by the SR NOCS;

automated control algorithms and criteria based on the set of parameter values from different
measuring channels;

the parameter monitoring mode (continuous or periodic; the parameter monitoring frequency
shall be substantiated);

parameters controlled in the mode of indication, direct measurement and processing of the
measurement result through the use of software.

32. Protections and interlocks implemented within the SR NOCS shall be arranged with the
possibility to disable these protections and interlocks and to activate them under the conditions
prescribed in the NPP design.

33. The NPP design shall provide for automated verification of the protections implemented by
the SR NOCS.

34. The activated algorithm of any protection performed by the SR NOCS shall be implemented
without any interruptions till completion of this algorithm regardless of any changes of the initiating
condition which has caused actuation of the protection. Acceptability of any deviations from this
requirement shall be substantiated in the NPP design.

35. Cancellation of the initiation command for any protection performed by the SR NOCS after
completion of the protection algorithm shall be performed with adherence to any administrative and
technical measures prescribed in the NPP design in order to prevent erroneous cancellation of the
command (in case the NPP design provides for such cancellation performed by the NPP personnel).

IV. Requirements for control safety systems

36. Control safety systems shall ensure automatic and automated control of safety systems within
the scope established and substantiated in the NPP design.

37. Automatic actuation of the SS process equipment shall be performed upon commands from
the control safety systems in case of occurrence of any conditions specified and substantiated in the
NPP design.

38. Automated actuation of the SS process equipment shall be arranged from the MCR as well as
(in case of the MCR control failure) from the ECR.

39. The following shall be defined and substantiated in the NPP design for control safety systems:

conditions for automatic start (actuation) of safety systems;

SS control algorithms.

40. Control safety systems shall be designed so that intervention of the NPP personnel in the
operation of safety systems is not possible within 10-30 minutes after their automatic actuation, except
for actions of the NPP personnel stipulated by the NPP operating procedures, operation manuals,
emergency operating procedures and beyond design basis accident management guidelines.

41. Control safety systems performing the emergency protection function shall comply with the
requirements specified in the nuclear safety rules for the NPP RP.

42. Automatic control commands for safety systems generated by the CSS shall have the highest
priority compared to all other control commands.

43. The time for recovery of the CSS channel operability after any failure of the channel shall be
defined in the NPP design with regard to each function performed by this channel.

44. Prior to activation of the CSS channels tests shall be performed in order to verify performance
of all functions specified in the NPP design by the CSS channels.

V. Requirements for the control systems belonging to safety-related special-purpose hardware
for beyond design basis accident management

45. The scope of control performed by the control systems belonging to safety-related special-
purpose hardware for beyond design basis accident management shall be sufficient to define the state
of the basic NPP safety functions under the beyond design basis conditions (including severe ones) and
also for the NPP personnel to perform any actions for beyond design basis accident management
(including severe ones).

46. Sufficiency of the NPP control scope performed by the control systems belonging to safety-
related special-purpose hardware for beyond design basis accident management (including the list of
controlled parameters, the measurement range and accuracy, response time, independent operation
duration) shall be substantiated in the NPP design.

47. Display of the controlled RP and NPP parameters by the control systems belonging to safety-
related special-purpose hardware for beyond design basis accident management shall be ensured within
the entire duration of the accident and the post-accident period.

48. Sufficiency of the engineering features provided in the control systems belonging to safety-
related special-purpose hardware for beyond design basis accident management at a multi-unit NPP in
case of a simultaneous beyond design basis (particularly severe) accident at all NPP power units shall be
demonstrated in the design of these systems.

49. Power supply of the components of control systems belonging to safety-related special-
purpose hardware for beyond design basis accident management shall be arranged in such a way so that
these systems could retain their operability within the time period substantiated in the NPP design in
case of any failure of normal operation power supply sources as well as the second group emergency
power supply sources of the emergency power supply system.

50. The NPP design shall provide for all reasonably achievable measures aimed to ensure
independence of the control systems belonging to safety-related special-purpose hardware for beyond
design basis accident management from normal operation control systems and control safety systems.

VI. Requirements for human-machine interface

51. Systems ensuring provision of reliable information on the state of safety-related NPP systems
and components to the NPP personnel shall be arranged within safety-related control systems.

52. It should be demonstrated in the NPP design that the human-machine interface ensures
minimization of erroneous actions of the NPP personnel in the course of the NPP control.

53. The list of the NPP parameters to be controlled from the MCR shall be sufficient to provide
unambiguous information to the NPP personnel in relation to compliance with the NPP safe operation
limits, occurrence of any conditions for SS actuation as well as on automatic actuation and functioning of
safety systems. The list of the NPP parameters to be controlled from the MCR and the ECR shall be
justified in the NPP design and presented in the NPP SAR.

54. Safety-related control systems implementing protections shall include alarms signalling
protection actuation. Where a protection is implemented with a multi-channel structure, the NPP
personnel shall be warned of the actuation of individual channels.

55. Designations (including acronyms and abbreviations) used in the safety-related control
systems for controlled objects, process parameters of safety-related systems, state parameters of
safety-related control systems and their components shall not require usage of any additional reference
documentation by the NPP personnel in order to understand the above-mentioned designations.

VII. Requirements for the SR CS interface with adjacent systems

56. The following shall be defined and substantiated in the NPP design for each safety-related
control system:

the list of systems this safety-related control system should interact with (adjacent systems) in
each NPP normal operation mode as well as in case of abnormal operation of NPP;

data that this safety-related control system shall receive from each adjacent system and (or)
transmit to each adjacent system;

the required frequency, time for updating of the input and output data and the conditions
initiating such update;

priority of the commands from adjacent systems;

methods for presentation of the input and output data in the adjacent systems;

data transmission (receiving) interface.

57. Absence of any errors in the course of data interchange between the safety-related control
system and its adjacent systems shall be checked automatically during operation of this safety-related
control system and periodically in the course of the NPP operation according to the procedure
established in the NPP design.

58. The following shall be defined in the NPP design for the purpose of the SR CS integration with
adjacent systems:

rooms for the equipment of the safety-related control system;

layout limitations in relation to the safety-related control system location at the NPP;

types of interfaces between the safety-related control system and the adjacent systems;

means for detection of any errors and malfunctions in the interfaces and communication lines.

59. The following shall be performed for the purpose of the SR CS integration with adjacent
systems:

testing of the safety-related control system and the adjacent systems in order to confirm
compliance of their functioning with the NPP design requirements;

verification of analogue and digital exchange signals between the safety-related control system
and the adjacent systems in order to confirm that signal values and logical states prescribed in the NPP
design are provided during performance of control and information functions referred to categories A, B
and C.

60. Information exchange between the safety-related control system and non-safety-related
normal operation systems shall be unidirectional (from the safety-related control system to the non-
safety-related normal operation systems) via gateways that form part of the safety-related control system.
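The automatic error checking of par. 57 and the unidirectional exchange of par. 60 can be illustrated in code. The following Python model is an example added by the editor; it is not part of NP-026-16 and does not describe any particular NPP gateway product. The frame layout (magic bytes, sequence number, length, payload, CRC-32), the class names and the constructed coolant temperature values are all assumptions chosen for the illustration. The gateway object forwards frames only from the safety-related side outward and has no code path that delivers data in the reverse direction; the receiving side detects corrupted, lost and replayed frames and records each event for the personnel.

```python
# Model of a unidirectional SR CS gateway with automatic error checking on the
# exchange. Added illustration; the frame layout below is an assumption, not a
# format prescribed by NP-026-16.
import struct
import zlib
from dataclasses import dataclass, field

MAGIC = b"SR"
HEADER = struct.Struct(">2sIH")   # magic | sequence number | payload length
TRAILER = struct.Struct(">I")     # CRC-32 over header + payload


def build_frame(seq: int, payload: bytes) -> bytes:
    """Frame emitted by the safety-related side."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for a 16-bit length field")
    body = HEADER.pack(MAGIC, seq & 0xFFFFFFFF, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body) & 0xFFFFFFFF)


@dataclass
class Receiver:
    """Non-safety-related side: validates every frame, transmits nothing."""
    expected_seq: int = 0
    accepted: list = field(default_factory=list)
    events: list = field(default_factory=list)   # what the automatic check reported

    def receive(self, frame: bytes) -> bool:
        if len(frame) < HEADER.size + TRAILER.size:
            self.events.append("truncated frame rejected")
            return False
        body, trailer = frame[:-TRAILER.size], frame[-TRAILER.size:]
        (crc,) = TRAILER.unpack(trailer)
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            self.events.append("CRC mismatch: frame rejected")
            return False
        magic, seq, length = HEADER.unpack_from(body)
        payload = body[HEADER.size:]
        if magic != MAGIC or len(payload) != length:
            self.events.append("malformed header: frame rejected")
            return False
        if seq < self.expected_seq:
            self.events.append(f"replayed or duplicate seq {seq} rejected")
            return False
        if seq > self.expected_seq:
            self.events.append(f"gap: frames {self.expected_seq}..{seq - 1} lost")
        self.expected_seq = seq + 1
        self.accepted.append(payload)
        return True


class OneWayGateway:
    """Gateway forming part of the SR CS: the only data path runs from the
    safety-related side to the receiver. There is deliberately no method
    that delivers anything to the safety-related side."""

    def __init__(self, receiver: Receiver):
        self.receiver = receiver
        self.blocked_reverse = 0   # attempts to push data back toward the SR CS

    def forward(self, frame: bytes) -> bool:
        return self.receiver.receive(frame)

    def reverse(self, data: bytes) -> None:
        self.blocked_reverse += 1
        raise PermissionError("no data path toward the safety-related control system")


def demo():
    """Constructed traffic: one clean frame, one corrupted in transit, one lost,
    one replayed, one reverse-direction attempt."""
    rx = Receiver()
    gw = OneWayGateway(rx)
    frames = [build_frame(i, f"T_coolant={290 + i}".encode()) for i in range(4)]
    results = [gw.forward(frames[0])]                 # clean: accepted
    damaged = bytearray(frames[1])
    damaged[-6] ^= 0x01                               # flip one payload bit
    results.append(gw.forward(bytes(damaged)))        # CRC mismatch: rejected
    results.append(gw.forward(frames[2]))             # accepted, gap reported
    results.append(gw.forward(frames[2]))             # replay: rejected
    results.append(gw.forward(frames[3]))             # accepted
    try:
        gw.reverse(b"SETPOINT P1_high=17.0")          # must never reach the SR CS
    except PermissionError:
        pass
    return results, rx.events, rx.accepted, gw.blocked_reverse


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

A CRC detects transmission errors, not deliberate modification; where par. 63 additionally requires protection against modification from adjacent systems, a keyed integrity check or a physically one-way link is needed on top of the checks shown here.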

VIII. Requirements for protection of safety-related control systems against unauthorized access

61. Protection of safety-related control system components including communication lines and
data against any unauthorized access shall be ensured at the NPP.

62. The objects to be protected against unauthorized access include:

means used to change setpoints of protections, interlocks, warning and emergency alarms and
settings of the controllers;

switching components for connection of external (in relation to the safety-related control system)
circuits;

replaceable elements inside the SR CS components;

manual controls (for example power supply circuit breakers, operation mode switches, means for
disabling of the SR CS channels, etc.);

manual data entry and retrieval means (for example keyboards);

media and software on any media.

The particular list of objects subject to protection against unauthorized access shall be specified
and substantiated in the NPP design.

63. Measures shall be provided for safety-related control systems engaged in performance of
control or information functions of categories A or B in order to prevent unauthorized access inside the
SR CS components, to ensure protection against any program and data modification particularly from
adjacent systems and also immediate warning of the NPP personnel in case of any unauthorized access.
The NPP design shall provide for administrative and technical measures in order to restrict access to the
SR CS components.
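One technical measure for the protection against program and data modification and the immediate warning required by par. 63 is periodic verification of the installed software and setpoint data against a keyed manifest. The Python below is an example added by the editor, not a procedure taken from the Rules; the item names, their contents, the key and the alarm callback are constructed for the illustration. It shows a clean check passing, a modified setpoint table raising an alarm, and a manifest re-issued without the key (the case where an intruder tries to cover the change) being rejected.

```python
# Integrity verification of SR CS software and setpoint data against a keyed
# manifest, with an alarm to personnel on any discrepancy. Added illustration;
# names, contents and key are constructed and not taken from NP-026-16.
import hashlib
import hmac
import json


def _digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def build_manifest(items: dict, key: bytes) -> dict:
    """items maps an item name (program image, setpoint table, ...) to its bytes.
    One SHA-256 per item plus an HMAC over the whole entry list: without the
    key, a modified item cannot be covered by re-issuing the manifest."""
    entries = {name: _digest(blob) for name, blob in sorted(items.items())}
    canonical = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, canonical, "sha256").hexdigest()}


def verify(items: dict, manifest: dict, key: bytes) -> list:
    """Returns a list of findings; an empty list means every item matches."""
    canonical = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, canonical, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC invalid: manifest itself was modified"]
    entries = manifest["entries"]
    findings = []
    for name in sorted(set(entries) | set(items)):
        if name not in items:
            findings.append(f"{name}: missing")
        elif name not in entries:
            findings.append(f"{name}: present but not in manifest")
        elif _digest(items[name]) != entries[name]:
            findings.append(f"{name}: modified")
    return findings


class IntegrityMonitor:
    """Periodic check; any finding is passed immediately to the alarm callback."""

    def __init__(self, manifest: dict, key: bytes, alarm):
        self.manifest, self.key, self.alarm = manifest, key, alarm

    def check(self, items: dict) -> bool:
        findings = verify(items, self.manifest, self.key)
        if findings:
            self.alarm(findings)          # immediate warning of the NPP personnel
        return not findings


def demo():
    key = b"constructed per-unit verification key"
    baseline = {
        "ep_logic.bin": b"\x01\x02\x03\x04",        # constructed program image
        "setpoints.tbl": b"P1_high=16.2MPa\n",      # constructed setpoint table
    }
    manifest = build_manifest(baseline, key)
    alarms = []
    monitor = IntegrityMonitor(manifest, key, alarms.append)
    clean_ok = monitor.check(baseline)                          # True
    tampered = {**baseline, "setpoints.tbl": b"P1_high=17.0MPa\n"}
    tampered_ok = monitor.check(tampered)                       # False, alarm raised
    # An intruder without the key re-issues the manifest to match the change
    forged = build_manifest(tampered, b"guessed key")
    forged_ok = IntegrityMonitor(forged, key, alarms.append).check(tampered)  # False
    return clean_ok, tampered_ok, forged_ok, alarms


if __name__ == "__main__":
    print(demo()[3])
```

The key used for the MAC must itself be held in a protected object of the kind listed in par. 62 (for example on the verifying device rather than on the same removable media as the software), otherwise the manifest gives no more assurance than a plain hash.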

IX. Requirements for maintenance of operability of safety-related control systems in the course of operation

Changes of power supply parameters

64. Safety-related control systems shall maintain their operability under permissible changes of
power supply parameters: voltage and frequency changes, power supply interruptions. Permissible
values of power supply parameter changes shall be defined in the NPP design.

Permissible changes of power supply parameters for safety-related control systems must not lead
to any errors in performance of control or information functions by the safety-related control systems,
data loss in memory, spurious output signals and any malfunctions of the safety-related control systems
requiring intervention of the NPP personnel.

65. The NPP design shall provide for storage of the information on the position of valves
controlled by any safety-related control system in this control system after loss of the valve drive power
supply.

66. When the SR CS sensors are not supplied with power, the signals from these sensors used in
the safety-related control system shall be treated by that system as invalid.

67. Safety-related control systems shall be tested for stability under any changes of power supply
parameters. Test impacts in the course of the above-mentioned testing shall be determined based on
the input data specified in the NPP design with regard to any potential changes of parameters for the
auxiliary power supply network of the NPP. Parameters of electrical impacts simulated in the course of
testing shall be defined based on the experimental and (or) calculation data on actual or expected
values of these parameters in all rooms where the safety-related control system is installed.

68. Unless the NPP design substantiates that no loss of power supply to the SR CS components can
render this safety-related control system unable to perform its control or information functions of
categories A and B, additional internal uninterruptible power supply sources shall be provided for this
safety-related control system. The operability of these power supply sources shall be verified with the
frequency substantiated in the NPP design.

Impact of the environment

69. Operability of the components of each safety-related control system shall be retained under
the environmental conditions typical for normal operation of the NPP (without any exposure time
limitations) as well as for abnormal operation of NPP including accidents (within the time period
exceeding or equal to the expected maximum duration of impact) when functioning of this safety-
related control system is necessary.

70. Environmental conditions when the safety-related control systems shall retain their operability
should be specified in the NPP design. The above-mentioned conditions shall include:

nominal (operating) values, permissible upper and lower limits of the ambient temperature;

ambient temperature change rate;

nominal and maximum humidity;

nominal and maximum barometric pressure;

absorbed dose rate limits of ionizing γ-radiation and absorbed dose within the specified service
life (for the SR CS components located in the controlled access area);

concentration limits for corrosive and other chemical agents;

dust concentration limits;

time limit of external impact within which the safety-related control system shall retain its
operability.

71. Safety-related control systems shall be resistant to mechanical impacts characterized by the
sinusoidal vibration and mechanical shock parameters and also parameters of seismic impacts specified
in the NPP design.

Electromagnetic compatibility

72. Requirements for electromagnetic compatibility shall be established in the NPP design
including the following:

requirements for resistance of the safety-related control systems to the impact of electromagnetic
conditions (interference) from the power supply grid, the grounding circuit, the signal and command
transmission circuits, communication lines, local networks as well as via the room space (hereinafter -
noise immunity);

limitation of any potential adverse impact of the safety-related control system components on
other systems (components) via common or electrically connected circuits as well as via the room space
due to electromagnetic processes in the course of actuation, operation, malfunctions and (or) disabling
of the safety-related control systems (hereinafter - noise emission).

73. When defining noise immunity requirements for the safety-related control systems in the NPP
design the types of potential interference, intensity of each type of interference and quality criteria for
functioning of the above-mentioned systems in the course of noise immunity testing shall be specified.

74. Noise immunity requirements for the safety-related control systems shall be specified in the
NPP design for the following types of interference:

static discharges on the casing, controls and outer cable shields;

microsecond pulse interference in the power supply circuits;

nanosecond pulse interference from external sources to the information circuits and power supply
circuits;

emitted radio frequency interference;

dynamic power supply voltage changes;

power frequency magnetic fields;

pulse magnetic fields;

short-term sinusoidal interference in the protective and signal grounding circuits;

microsecond pulse interference in the protective and signal grounding circuits.

75. The NPP design shall establish the requirements for safety-related control systems with regard
to permissible noise emission particularly to the power supply and grounding circuits.

76. Noise emission tests shall be performed for safety-related control systems. Testing conditions
including configuration of equipment and connection lines in the course of testing shall be as close to
the design conditions as possible. Use of any additional grounding and noise reduction devices not
provided in the NPP design in the course of testing is not permitted.

77. Noise emission testing of safety-related control systems shall be performed and
electromagnetic environment shall be checked in the course of the NPP power unit commissioning and
also after refurbishment of the safety-related control systems and adjacent systems directly at the
operation site upon the request of the operating organization.

78. Sufficiency of the provided electromagnetic protection measures shall be substantiated in the
NPP design.

X. Requirements for compliance assessment for the components of safety-related control systems

79. Components of safety-related control systems supplied to the NPP shall be subject to
assessment for compliance with the requirements of federal rules and regulations in the field of atomic
energy use included into the terms of reference for development of these systems prior to
commencement of their operation.

80. Compliance assessment for the SR CS components shall be performed in the form of
acceptance and in the form of testing according to the requirements of federal rules and regulations in
the field of atomic energy use for compliance assessment of equipment, component parts, materials
and semi-finished products supplied to nuclear facilities. Operability of the above-mentioned
components within the design service life under the conditions specified in the NPP design shall be
assessed subsequent to the results of these tests.

81. Compliance assessment for the SR CS components shall include:

determination of requirements for these components (in accordance with par. 79 of these Rules);

obtaining of data on actual properties and characteristics of these components (by testing);

comparison of the actual properties and characteristics of these components with the established
requirements;

making the decision on compliance or non-compliance of each component with the established
requirements.

XI. Requirements for testing of safety-related control systems

82. Prior to commencement of operation the following shall be performed for each safety-related
control system:

independent and integrated testing of the system components and acceptance testing of the
system outside the NPP in order to make the decision on the possibility for the SR CS supply to the NPP
site;

commissioning works and independent testing at the NPP site;

integrated testing of the system at the NPP site;

trial operation of the system;

acceptance testing of the system.

83. Independent testing of the SR CS components and integrated testing of the system shall be
performed outside the NPP (for example, at a testing site provided by the system manufacturer
(supplier)) in accordance with the testing programs approved by the operating organization.

Acceptance testing of the SR CS components shall be performed before the system supply to the
NPP. In case of split supply of the SR CS equipment to the NPP acceptance testing of the system may be
performed after the system equipment delivery to the NPP in accordance with a separate resolution
approved by the operating organization.

84. Independent testing of the safety-related control systems at the NPP shall be performed in
order to check and adjust all components of the system and to determine readiness of the system for
integrated testing. Integrated testing of the safety-related control systems shall be performed in order
to check and adjust joint functioning of the system components. Integrated testing of the safety-related
control systems shall confirm that each control or information function of the system is performed in
accordance with the requirements of the design (terms of reference). Readiness of the safety-related
control system for trial operation shall be determined based on the results of integrated testing.

85. Trial operation of the safety-related control system shall be performed by the NPP personnel
in order to confirm actual quantitative and qualitative characteristics of the system and their compliance
with the requirements established in the technical design (terms of reference) for the system
development, to assess the NPP personnel preparedness for operation of the system and to assess and
update the operation documentation.

86. Acceptance testing shall be performed in order to determine compliance of the safety-related
control system with the technical design (terms of reference), to assess the trial operation
quality and to make the decision on the possibility to accept the system for operation.

87. The operating organization shall appoint the commission in order to perform acceptance
testing of the safety-related control system with participation of the NPP (system) designer and the
system manufacturer (supplier).

88. At the NPP power unit commissioning stages the safety-related control systems shall be tested
for stability of the automatic control circuits according to the programs providing for real initiating
signals with impact on the controlled objects.

89. Information on the results of the SR CS testing performed prior to commencement of the
system operation shall be included into the NPP SAR.

90. Safety-related control systems shall be subject to checking of correct functioning in the course
of operation.

XII. Requirements for operation and refurbishment of safety-related control systems

91. Prior to commencement of operation of a newly developed or refurbished safety-related
control system the necessary amendments shall be introduced to the NPP operation documentation.

92. Information on the service equipment kit as well as on the SPTA set used for installation,
maintenance and restoration of the system components shall be specified for each safety-related
control system in the NPP operation documentation. The list of service equipment and SPTA shall be
determined and substantiated in the NPP design.

93. Recovery of operability for any safety-related control system and its components shall be
arranged by replacement of faulty replaceable component parts with operable ones from the SPTA set.
Faulty components without any replaceable component parts shall be replaced completely. Functional
check of the relevant safety-related control system as well as calibration of the measuring channels and
alarm systems with the characteristics that could have been affected by the replacement shall be
performed after the replacement.

94. Safety-related control systems shall be operated in accordance with the operation guidelines
for these systems and also in accordance with the process regulations for the NPP power unit operation.

95. In-process and scheduled maintenance of the components shall be performed during
operation of safety-related control systems.

96. Technical condition of safety-related control systems shall be regularly checked in the course
of scheduled maintenance as well as in the course of scheduled preventive repair of the NPP power unit.
Regular checks shall include the system components for which no continuous automatic verification
(diagnostics) is provided and also characteristics of the above-mentioned systems that cannot be
controlled automatically.

97. Compatibility of the newly installed equipment with the equipment remaining in operation
shall be ensured in the course of refurbishment for safety-related control systems and their
components.

98. Assessment of the residual lifetime for the equipment and arrangements aimed to extend the
design service life of the safety-related control systems and their components shall be performed within
the framework of the lifetime management program for the NPP equipment.

Appendix 1
to federal rules and regulations
in the field of atomic energy use
"Requirements for safety-related
control systems of nuclear power plants"
approved by Order of the Federal
Environmental, Industrial
and Nuclear Supervision Service
dated 16 November 2016 No. 483

ABBREVIATIONS

NPP - Nuclear Power Plant

MCR - Main Control Room

SPTA - Spare Parts, Tools and Accessories

SAR - Safety Analysis Report

SW - Software

ECR - Emergency Control Room

RP - Reactor Plant

SS - Safety System

CSS - Control Safety System

SR CS - Safety-Related Control System

SR NOCS - Safety-Related Normal Operation Control System

Appendix 2
to federal rules and regulations
in the field of atomic energy use
"Requirements for safety-related
control systems of nuclear power plants"
approved by Order of the Federal
Environmental, Industrial
and Nuclear Supervision Service
dated 16 November 2016 No. 483

TERMS AND DEFINITIONS

The following terms and their definitions are used for the purposes of these rules.

1. Automated NPP control - control performed with involvement of the personnel through the use
of the safety-related control system (systems).

2. Automatic control - control performed by the safety-related control system (systems) without
any involvement of the personnel.

3. Firmware devices - programmable digital devices where the software is an integral (inseparable)
part of the hardware (a processor containing a microcode may serve as an example of a firmware
device).

4. Interlock - a control function aimed to prevent or to stop any actions of the personnel, a
safety-related control system or a controlled object.

5. Activation of the protection (interlock) - the set of operations provided in the NPP design and
specified in the operation documentation which brings the safety-related control system into the state
when the protection (interlock) will be actuated upon occurrence of the conditions requiring its
operation in accordance with the NPP design.

6. Verification - confirmation of the fact that the result of any activity at any life cycle stage of the
safety-related NPP control system is obtained in accordance with the requirements for this system at
this stage of the system life cycle on the basis of objective evidence.

7. Disabling of the protection (interlock) - the set of operations provided in the NPP design and
specified in the operation documentation which brings the safety-related control system into the state
when the protection (interlock) will not be actuated upon occurrence of the conditions requiring its
operation in accordance with the NPP design.

8. Life cycle of the safety-related control system - the set of development stages passed by the
safety-related control system within the period of its existence including the following stages:
development of the terms of reference, design, manufacturing, testing, acceptance, installation,
adjustment and operation.

9. Protection - a control function aimed to prevent:

damages, failures, breakage of the protected equipment or components of control systems;

operation of any faulty equipment or components of control systems;

undesirable control actions of the personnel.

10. Measuring channel (control channel) - a functionally separated part of the system performing
the complete function from reception of the measured value to obtaining of the measurement result.

11. Human-machine interface - the set of technical measures prescribed in the NPP design in
order to provide the required information and opportunities for the NPP operator to control and
monitor the NPP systems and components.

12. Information function - the set of actions of safety-related control systems (functional group)
aimed to achieve a certain purpose defined in the NPP design documentation (except for the auxiliary
actions of the above-mentioned systems (functional group)) and providing information to the NPP
personnel with regard to the state and characteristics (parameters) of the NPP systems, components or
the entire NPP without direct control of any object.

13. Channel (of the system, functional group) - a part of a system (functional group) performing
the system (functional group) function within the scope defined in the NPP design.

14. Integrated testing of the safety-related control system - testing of the safety-related control
system in its operation modes provided in the NPP design for normal operation conditions and any NPP
operational occurrences.

15. Controlled safe state of the nuclear power plant - the NPP state maintained for an unlimited
period of time in which all basic NPP safety functions specified in General Safety Provisions for Nuclear
Power Plants are ensured.

16. Unauthorized access - access to any NPP system equipment (components) not permitted in
accordance with the established procedure.

17. Trial operation of the safety-related control system - operation of a safety-related control
system at the NPP in order to determine actual characteristics of the safety-related control system, to
confirm their compliance with the design documentation requirements and to assess preparedness of
the NPP personnel for operation of the safety-related control system.

18. Acceptance testing of the safety-related control system - testing performed after trial
operation of the safety-related control system at the NPP in order to determine compliance of the
system with the technical design (terms of reference) and to assess the trial operation quality.

19. Programmable digital devices - components of control systems with the use of software
(including firmware devices).

20. Time-standard system - precise synchronization of clocks for all computation nodes within
safety-related control systems of the NPP.

21. Special-purpose hardware for beyond design basis accident management - control systems
(components) provided in the NPP design for management of beyond design basis accidents.

22. Control system - an NPP system performing control of any object (objects) in accordance with
the preset aims, criteria and limitations.

23. Safety-related control system - a control system classified as safety-related in accordance with
its impact on the NPP safety.

24. Control function - a set of actions of safety-related control systems (functional group) aimed to
achieve a certain purpose defined in the NPP design documentation and performing control of any
object (NPP system or component) in accordance with the preset aims, criteria and limitations.

25. Control safety systems (components) - systems (components) intended to initiate actions of
safety systems and to assure control and monitoring thereof during performance of the prescribed
functions.

26. Normal operation control systems (components) - systems (components) intended to initiate
actions of normal operation systems and to assure control and monitoring thereof during performance
of the prescribed functions.

27. Functional group - a set of the SR CS components performing a control or information function
within the scope defined in the NPP design.
