with the safety functions to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.
The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.
The protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments (e.g., extreme heat or cold, fire, pressure, steam, water, and radiation) are experienced.
The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.
The protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control system, such as accidental withdrawal (not ejection or dropout) of control rods.
The protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety function in the event of anticipated operational occurrences.
[Reproduced below are the requirements for changes, tests, and experiments (10 CFR 50.59) in nuclear power plants. These requirements hold particular significance for applications of digital I&C systems.]
(a) (1) The holder of a license authorizing operation of a production or utilization facility may (i) make changes in the facility as described in the safety analysis report, (ii) make changes in the procedures as described in the safety analysis report, and (iii) conduct tests or experiments not described in the safety analysis report, without prior Commission approval, unless the proposed change, test or experiment involves a change in the technical specifications incorporated in the license or an unreviewed safety question.
(2) A proposed change, test, or experiment shall be deemed to involve an unreviewed safety question (i) if the probability of occurrence or the consequences of an accident or malfunction of equipment important to safety previously evaluated in the safety analysis report may be increased; or (ii) if a possibility for an accident or malfunction of a different type than any evaluated previously in the safety analysis report may be created; or (iii) if the margin of safety as defined in the basis for any technical specification is reduced.
(b) (1) The licensee shall maintain records of changes in the facility and of changes in procedures made pursuant to this section, to the extent that these changes constitute changes in the facility as described in the safety analysis report or to the extent that they constitute changes in procedures as described in the safety analysis report. The licensee shall also maintain records of tests and experiments carried out pursuant to paragraph (a) of this section. These records must include a written safety evaluation which provides the bases for the determination that the change, test, or experiment does not involve an unreviewed safety question.
(2) The licensee shall submit, as specified in § 50.4, a report containing a brief description of any changes, tests and experiments, including a summary of the safety evaluation of each. The report may be submitted annually or along with the FSAR [Final Safety