Nuclear Energy Ordinance
(NEO)

¹ The fol­low­ing prin­ciples ap­ply to nuc­le­ar power plants:

a.

Safety func­tions must also re­main ef­fect­ive even if a single fail­ure oc­curs in­de­pend­ently of an ini­ti­at­ing event, and also if a com­pon­ent is not avail­able due to main­ten­ance or re­pair. Such sep­ar­ate single fail­ures in­clude the ran­dom fail­ure of a com­pon­ent that res­ults in its in­ca­pa­city to per­form its in­ten­ded safety func­tion. Sub­sequent fail­ures arising from such ran­dom fail­ures are also re­garded as part of the ori­gin­al single fail­ure.

b.

Wherever pos­sible, safety func­tions must be im­ple­men­ted in ac­cord­ance with the prin­ciples of re­dund­ancy and di­versity. Re­dund­ancy refers to the ex­ist­ence of a lar­ger num­ber of func­tion­al devices than are re­quired for ful­filling the in­ten­ded safety func­tion. Di­versity refers to the use of dif­fer­ent types of phys­ic­al or tech­nic­al prin­ciples.

c.

Re­dund­ant trains of safety sys­tems in­stalled for per­form­ing safety func­tions must as far as pos­sible be in­de­pend­ent of one an­oth­er in terms of func­tion and in terms of both mech­an­ic­al and sup­port sys­tems such as in­stru­ment­a­tion and con­trol and pro­vi­sion of en­ergy, cool­ing and vent­il­a­tion.

d.

Each re­dund­ant train of a safety sys­tem in­stalled for per­form­ing a safety func­tion must as far as pos­sible be spa­tially sep­ar­ated from the oth­er trains.

e.

Re­dund­ant devices in­stalled for per­form­ing safety func­tions must be test­able, as far as pos­sible in their en­tirety, or oth­er­wise sub­divided in­to the broad­est pos­sible sub­parts, both manu­ally and through sim­u­lated auto­mat­ic ac­tiv­a­tion, in­clud­ing un­der emer­gency power sup­ply.

f.

Safety func­tions must be auto­mated so that, in the event of ac­ci­dents in ac­cord­ance with Art­icle 8, no in­ter­ven­tions im­port­ant to safety by per­son­nel are re­quired dur­ing the first 30 minutes fol­low­ing the ini­ti­at­ing event.

g.

The design of sys­tems and com­pon­ents must take suf­fi­cient ac­count of ap­pro­pri­ate safety mar­gins.

h.

As far as pos­sible, sys­tems should be de­signed to en­sure safety-ori­ented sys­tem be­ha­viour in the event of equip­ment fail­ures.

i.

Pref­er­ence must be giv­en to pass­ive rather than act­ive safety func­tions.

j.

Work sta­tions and pro­cesses for the op­er­a­tion and main­ten­ance of the in­stall­a­tion must be de­signed so that they take ac­count of hu­man cap­ab­il­it­ies and their lim­its.

k.

While en­sur­ing the same de­gree of safety, pref­er­ence must be giv­en to meas­ures to pre­vent ac­ci­dents in ac­cord­ance with Art­icle 7 let­ter d over meas­ures to mit­ig­ate their con­sequences.

² EN­SI shall spe­cify de­tailed design prin­ciples for light-wa­ter re­act­ors in guidelines.¹⁰