10 CFR Part 53, Risk-Informed, Technology-Inclusive Regulatory Framework for Commercial Nuclear Plants

The U.S. Nuclear Regulatory Commission (NRC) staff is providing this draft interim staff guidance (ISG) to facilitate staff understanding of an acceptable method for developing a scalable (i.e., application-specific) plan for the review of commercial nuclear plant applications submitted under Part 53 for compliance with applicable human factors engineering (HFE) requirements. New reactor technologies are expected to have significant diversity compared to operating reactors. Accommodating such diversity demands an approach that is flexible yet sensitive to the important differences in these technologies. To address this need, this ISG provides a process to focus NRC HFE reviews on aspects of facility design and operation that are most risk-important or safety-significant and present likely challenges to the correct and reliable performance of human actions necessary for maintaining plant operational safety. Use of this guidance will provide NRC staff review plans that support focused and efficient HFE technical reviews.

BACKGROUND

NUREG-0711, Revision 3, “Human Factors Engineering Program Review Model,” issued November 2012 (NRC, 2012), provides guidance for the NRC staff to use in its review of the HFE programs of applicants for construction permits (CPs), operating licenses (OLs), standard design certifications (DCs), combined operating licenses (COLs), and license amendments. The guidance and criteria of NUREG-0711 were developed for reviews associated with large light-water reactors (LLWRs). Consequently, use of NUREG-0711 for reviews of non-light-water reactors, stationary microreactors, and SMRs, without substantial modification, could result in reviews that may not be commensurate with the lower risk anticipated from advanced reactors and may not be adequately focused on the unique characteristics of their design and operation. This ISG provides guidance for the development and implementation of application-specific HFE review plans to address this concern. The anticipated benefit is a more efficient review than that resulting from the use of NUREG-0800, “Standard Review Plan for the Review of Safety Analysis for Nuclear Power Plants: LWR Edition,” Chapter 18, “Human Factors Engineering,” issued December 2016 (NRC, 2016), for reactors that differ substantively from conventional LLWRs, while continuing to support a reasonable assurance of safety determination.

RATIONALE

Proposed new reactor designs represent a more diverse range of technologies than the LLWRs that characterize the fleet of commercial nuclear reactors operating as of 2023. These technologies include SMRs, non-light-water reactors, microreactors, and fusion reactors. This diversity is reflected in many design and operational characteristics, including, but not limited to, the following:

Some may be constructed in a factory and transported to the site using the existing transportation infrastructure (e.g., road, rail, or waterway).

Some may rely on simpler designs, involving fewer systems and moving parts.
Some may be constructed using a modular approach to simplify maintenance, so that when maintenance is needed, modules are instead replaced.
Some may be self-contained and designed to operate for many years without shutting down, being refueled, or maintained.
Some may rely on design features that make them inherently safe, such as natural physical processes that do not need automatic or human intervention.
Some may have postulated accident sequences that are analyzed to be less frequent and have lower public exposure consequences than those of current reactors.
Some may operate at higher temperatures than LLWRs and thus can support new missions (e.g., the production of multiple products in addition to electricity, such as industrial process heat). New missions may create new systems, personnel tasks, and workload.
Some may be operated in load-following mode.
Some may be operated in an SMR configuration and therefore are scalable to meet energy demands. In an SMR configuration, there may be shared systems.
Some may be highly automated, including reactors that may operate in a fully autonomous mode and not need much, if any, human monitoring, control, and intervention.
Some may not have a control room in the traditional sense. Reactor monitoring and control may be accomplished from simple panels either locally or remotely.
Some may involve important human actions taking place outside of a control room.
Some may need few, if any, operators on site to safely operate the plant.
Some may rely on staffing organizational structures that are quite different than those described in current regulations and may include different staff positions, possibly involving no licensed operators or credited human actions.

These characteristics reflect significant differences among new reactor technologies, their operations, and applications. These differences mean that an approach to HFE licensing reviews needs the flexibility to accommodate such diversity while ensuring that each review is sensitive to the unique characteristics of the specific application. To address this need, this ISG details a process for scaling HFE reviews that has the following characteristics:

technology inclusive

risk informed
performance based
staged
based on process and methods rather than prescriptive guidance
within the bounds of existing regulations

flexible
supportive of preapplication interactions that occur early and often¹

APPLICABILITY

This ISG applies to the HFE review of applications for OLs, COLs, CPs, DCs, standard design approvals (SDAs), and manufacturing licenses (MLs) for commercial nuclear plants submitted under proposed Title 10 of the Code of Federal Regulations (10 CFR) Part 53, “Risk-Informed, Technology-Inclusive Regulatory Framework for Commercial Nuclear Plants.” For the review of risk‑informed applications for non-light-water reactors, stationary microreactors, and small modular reactors (SMRs) requesting a construction permit or OL under 10 CFR Part 50, “Domestic Licensing of Production and Utilization Facilities,” or for a DC, COL, or SDA under 10 CFR Part 52, “Licenses, Certifications, and Approvals for Nuclear Power Plants,” the reviewer should consult DANU-ISG-2022-05, “Advanced Reactor Content of Application Project Chapter 11, ‘Organization and Human-System Considerations,’” dated March 2024 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML23277A143) (NRC, 2024a).

ACCEPTANCE CRITERIA

The NRC staff reviewer should develop a review plan that verifies the application meets those requirements relevant to the HFE of the facility and its operations. Acceptance criteria for the review should be based on meeting the relevant requirements of the Commission’s regulations. Tables 1 and 2² list the requirements establishing the regulatory basis for an NRC HFE technical review of an application submitted under 10 CFR Part 53. The applicability of the requirements depends on the type of application under review (e.g., CP, DC, SDA, ML, COL, OL). Accordingly, table 1 lists HFE and HFE‑related requirements for CP, DC, SDA and ML applications. Table 2 lists HFE and HFE‑related requirements for OL and COL applications.

As noted previously, the tables include both HFE and HFE-related requirements. HFE requirements are those for which the NRC HFE technical staff provides the primary review. HFE‑related requirements are those for which other technical disciplines have primary review responsibility, but the outcomes of the applicant’s implementation of the requirements may have direct implications for the HFE technical review. For example, the required analyses of licensing‑basis and design-basis events are not within the scope of the HFE technical review, but these analyses may credit human actions that could be subject to the requirements within the HFE scope of review. The notes column in tables 1 and 2 provides numerical annotations to aid the reviewer in understanding the relevance of the listed requirement to the HFE review.

Table 1. HFE and Related Requirements for CP, DC, SDA and ML Applications

Construction Permit, Standard Design, Design Certification and Manufacturing License Applications
CFR Citation	Topic	Notes
§ 53.240	licensing‑basis events	1, 2
§ 53.250	defense in depth	1
§ 53.400	design features for licensing‑basis events	1
§ 53.425	design features and functional design criteria for normal operations	1
§ 53.430	design features and functional design criteria for protection of plant workers	1
§ 53.450(b)	specific use of analyses	2
§ 53.450(e)	analysis of licensing‑basis events other than design-basis accidents	2
§ 53.450(f)	analysis of design-basis accidents	2
§ 53.460(c)	human actions needed to prevent or mitigate licensing‑basis events	1
§ 53.470	maintaining analytical safety margins used to justify operational flexibilities	1
§ 53.1209(b)(2)	role of personnel (SDA content of application pointer to § 53.1239(a)(27))	6
§ 53.1210(a)(1)	availability controls (if not included in the FSAR)	6
§ 53.1239(a)(19)	analyses	6
§ 53.1239(a)(27)	role of personnel	6
§ 53.1279(a)(2)	design information (ML content of application pointer to § 53.1239(a)(27))	6
§ 53.1309(a)(2)	design information (CP content of application pointer to § 53.1239(a)(27))	6

Notes:

Potential functional requirements implications for plant personnel, programs, or both
May result in the identification of important human actions
Supporting or foundational requirements for HFE
HFE technical staff provide primary review
Supporting human-system interface requirement
HFE-related contents of applications requirement

Table 2. HFE and Related Requirements for COL and
OL Applications

Combined and Operating License Applications
CFR Citation	Topic	Notes
§ 53.240	licensing‑basis events	1, 2
§ 53.250	defense in depth	1
§ 53.400	design features for licensing‑basis events	1
§ 53.425	design features and functional design criteria for normal operations	1
§ 53.430	design features and functional design criteria for protection of plant workers	1
§ 53.450(b)	specific use of analyses	2
§ 53.450(e)	analysis of licensing‑basis events other than design-basis accidents	2
§ 53.450(f)	analysis of design-basis accidents	2
§ 53.460(c)	human actions needed to prevent or mitigate licensing‑basis events	1
§ 53.470	maintaining analytical safety margins used to justify operational flexibilities	1
§ 53.710	maintaining capabilities and availability of SSCs	1
§ 53.725	general staffing, training, personnel qualifications, and human factors requirements	3
§ 53.726	communications	3
§ 53.727	information collection requirements: OMB approval	3
§ 53.730(a)	HFE design requirements	4
§ 53.730(b)(1)	display of safety parameters	5
§ 53.730(b)(2)	automatic indication of the bypassed and operable status of safety systems	5
§ 53.730(b)(3)	direct indication of SSC status that relates to the ability of the SSC to perform its safety function	5
§ 53.730(b)(4)	instrumentation to measure, record, and display key plant parameters related to the performance of SSCs and integrity of barriers important to fulfilling safety functions	5
§ 53.730(b)(5)	leakage control and detection	5
§ 53.730(b)6)	monitoring of in-plant radiation and airborne radioactivity	5
§ 53.730(b)(7)	specific capabilities for generally licensed reactor operators at self-reliant-mitigation facilities	5
§ 53.730(c)	concept of operations	4
§ 53.730(d)	functional requirements analysis and function allocation	4
§ 53.730(e)	operating experience	4
§ 53.730(f)	staffing plan	4
	Note: Operator licensing requirements are applicable but not included in this table.
§ 53.845	programs	1
§ 53.910	procedures and guidelines	3
§ 53.1369(g)	role of personnel (applicable to operating licenses)	6
§ 53.1369(h)(2)	description of the training program (applicable to operating licenses)	3
§ 53.1416(a)(7)	role of personnel (applicable to combined licenses)	6
§ 53.1416(a)(8)(ii)	description of the training program (applicable to combined licenses)	3

Notes:

Potential functional requirements implications for plant personnel, programs, or both
May result in the identification of important human actions
Supporting or foundational requirements for HFE
Primary focus of HFE review
Supporting human-system interface requirement
HFE-related contents of applications requirement

GUIDANCE

Overview

Given the diversity of designs for which the NRC anticipates receiving applications submitted under 10 CFR Part 53, the NRC staff’s HFE review plans should be tailored to the specific application to ensure an effective and efficient review. To tailor HFE reviews, the NRC staff should follow the five-step process described in this guidance and referred to here as development of a “scaled” or “scalable” HFE review. The five steps for developing a scaled HFE review are as follows:

facility characterization—establishing an understanding of the design and its operation from an HFE perspective
targeting—identifying aspects of the design and operation that may warrant HFE review
screening—identifying the applicant’s HFE activities that may warrant review

grading—selecting specific standards and guidelines to be applied to the review
assembling the review plan—selecting for review aspects of the facility, its operation, and the HFE activities supporting their design, identifying the methods and resources for conducting the reviews, and the schedule for their completion and documentation

Timeline for Development of a Scaled Human Factors Engineering Review Plan

A scaled HFE review plan should be developed during the application acceptance review to guide the staff’s HFE technical review activities. The NRC HFE technical reviewer should begin gaining the necessary insights for the development of the scaled HFE plan during the period of preapplication engagements but should complete initial development of the plan during the staff acceptance review using docketed material.³ Appendix A to DANU-ISG-2022-01, “Review of Risk-Informed, Technology-Inclusive Advanced Reactor Applications—Roadmap” (NRC, 2024b) provides guidance for preapplication engagement.⁴ The guidance recommends that the applicant submit topical reports on key subjects (e.g., principal design criteria if relevant to the application; selection of licensing‑basis events; classification and treatment of structures, systems, and components (SSCs); and safety and accident analysis methodologies and associated validation) for review during the preapplication phase. The guidance also recommends meetings, audits, and white papers on key topics, such as (1) probabilistic risk assessments (PRAs), (2) analysis of applicable regulations, (3) policy issues, (4) novel design features or approaches, and (5) consensus codes and standards and code cases. Engagements of these types should give the HFE reviewer opportunities to identify and discuss with the applicant information important to the development of the scaled review plan.

Discussing the information that will be needed for development of a scaled HFE plan during preapplication engagements with the applicant will facilitate receipt of an application that includes the information needed to complete the plan during the acceptance review. Discussions of facility characterization (i.e., the first step of the plan development described below) can identify information that may be necessary but missing, areas where there may be differences in understanding or expectations, or areas where the schedule of activities or submittals⁵ may present challenges.

Application Acceptance Review

The contents of application requirements for applications submitted under 10 CFR Part 53 are specified in Subpart H, “Licenses, Certifications, and Approvals.” During the acceptance review, the staff reviewer should verify that the application (1) meets the applicable requirements for content and (2) includes sufficient information to enable a sound understanding of the facility design and its intended operation and assessment of compliance with the relevant NRC requirements providing the basis for the HFE technical review (see table 1 or 2, as applicable).

The content of applications requirements will differ based on the type of application (i.e., CP, SDA, ML, standard DC, OL, COL) under review. Additionally, with respect to HFE, the scope and detail of information necessary to satisfy these requirements will be contingent on the extent to which the facility design features and operations will be dependent on human actions. For example, applications pertaining to designs with limited reliance on human action for the performance of safety functions may focus on analyses supporting the limited role of human actions. By contrast, applications pertaining to designs with greater dependence on human action may have a greater focus on ensuring that such actions are feasible and reliable.

Developing a Scaled Human Factors Engineering Review Plan

The sections below contain general guidance for conducting each of the five steps for scaling an HFE review plan. The appendices include additional detailed guidance. Once the HFE reviewer or review team has completed development of the review plan in accordance with this guidance, the staff will have a plan that should support an effective and efficient HFE review tailored to the specific application under review.

Facility Characterization

The first step in developing a scaled HFE review plan is to review materials provided by the applicant to identify those facility characteristics that are important to the HFE of the design and its operation.⁶ Characteristics identified as important are documented in a facility characterization. The facility characterization is the starting point for the subsequent steps of targeting and screening, which will further focus the HFE review. The facility characterization can also serve as a useful reference for the conduct of related reviews, such as those for facility staffing, training, and operator licensing. As such, facility characterizations are an important tool in establishing a common frame of reference for interdependent reviews and should be developed with an eye toward establishing a sound understanding of the facility and the design features, programs, and human activities important to its safe operation.

Objective

The objective of the facility characterization is for the staff to identify and catalog, by summary or reference, facility characteristics important to the HFE of the facility design and its operation.

Process

The characterization should include the following information:

Concept of Operations: A concept of operations (ConOps) refers to the high-level facility missions and goals and the functions and operational practices needed to manage both normal and off-normal situations, the expectations related to human performance, and the interactions of personnel with a facility that help ensure that safety systems will function correctly when needed. It is expected that a 10 CFR Part 53 application will address the following seven ConOps dimensions:
- facility missions (goals)
- roles and responsibilities of operating personnel and automation (or any combination thereof) that are responsible for completing plant functions
- staffing, qualifications, and training
- management of normal operations
- management of off-normal conditions and emergencies
- management of maintenance and modifications
- management of tests, inspections, and surveillances

Section A-1 of appendix A describes these dimensions in detail. Applicants may have their own ConOps model that differs from the one described here, which may be acceptable provided that their ConOps document addresses the considerations reflected in the dimensions listed above.

Safety Analyses Methods and Results: The application should include the methods and results of safety analyses as required by Subpart C, “Design and Analysis Requirements,” of 10 CFR Part 53. Analysis assumptions and results to be considered in the characterization include significant facility and external hazards; licensing‑basis events, including design‑basis accidents; primary and additional safety functions; and the design features that fulfill the primary and additional safety functions. Where PRA is required, event sequences deemed significant, their probabilities, and human errors identified in the analyses, if any, should be considered.

Identification of Human Actions Important to Safety: The applicant should identify all human actions necessary for performing or supporting the continued availability of plant safety or emergency response functions. In addition to credited operator actions, such actions may include, for example, those by maintenance personnel (e.g., ensuring the continued availability of a safety function) and emergency response personnel performing emergency response functions. The application should describe the methodologies used to identify the important human actions and how they were addressed to ensure that they will be reliably performed when needed. Important human actions can be identified through many types of risk and deterministic analyses (see section C‑3.3 of appendix C). Information to be considered for the characterization includes the functional requirements for personnel and programs as confirmed through the analysis of licensing‑basis events and the human actions and programmatic controls credited in meeting regulatory requirements addressed by the safety analyses. This includes actions credited in analyses of defense in depth (DID) and large commercial aircraft impacts; safety-significant actions (i.e., safety related and nonsafety related but safety significant) as identified through PRA or other analyses (e.g., integrated safety analysis); the environmental conditions under which the actions must be performed; and human errors, as identified through a PRA, that challenge plant control and safety systems whose failure could lead to the uncontrolled release of radioactive material to the environment.

Design Process—Nature, Scope, and Timing of HFE Activities Conducted or Planned: The applicant’s design should reflect state-of-the-art HFE in all locations where human actions are expected for performing or supporting the continued availability of plant safety or emergency response functions. The application should describe how this objective has been or will be achieved through HFE activities. The reviewer should include information in the characterization about the nature, scope, and timing of any HFE activities completed or yet to be conducted during the design process. Including HFE activity information in the characterization will support the reviewer’s determination of which activities to include in the scope of the review (i.e., the screening process) and development of the review plan. Appendix C describes the major elements or activities of HFE, as described in NUREG-0711, Revision 3. The list of activities in appendix C is not all-inclusive, and applicants are not required to conduct the specific activities listed. Accordingly, the characterization should reflect the application‑specific HFE activities, including any not listed in appendix C. HFE also uses analyses performed by other disciplines, such as PRA. The characterization should identify such supporting analyses and their role in HFE activities.

Compliance with HFE Requirements in the Code of Federal Regulations: The applicant should describe how the design complies with the HFE requirements in 10 CFR Part 53. In cases of noncompliance, the applicant should include an exemption request in its application. Understanding whether and how the applicant claims to meet applicable HFE requirements in the Code of Federal Regulations will enable the reviewer to include provisions in the review plan for considering exemption requests or alternatives to methods described in NRC guidance for meeting NRC requirements.

Reviewer Responsibilities

Catalog each characteristic the reviewer identifies as important to the HFE of the designs and its operation, including identification of the source document(s).
Document the projected schedule for any HFE activities yet to be performed.
Identify any gaps in the information that may be necessary to understanding the facility, its design, operation, or HFE activities conducted or planned.
Document any methods used by the applicant to identify pertinent information (e.g., important human actions).
Document any special considerations with potential implications for the review (e.g., material will not be provided until later, an exemption will be required).
Document any deficiencies in the submittal that may necessitate a supplement to the application.
Update the characterization throughout the review as new or modified portions of an application are docketed.

Targeting

The second step in developing a scaled HFE review plan is targeting.

Objective

The objective of targeting is to identify those specific aspects of the applicant’s design and operations that may warrant an HFE review.

Process

In the characterization process, the focus was on identifying and cataloging facility characteristics and HFE activities important to the HFE of the facility design and its operation. In targeting, the focus shifts to identifying aspects of the characterization that may be important for the NRC’s HFE regulatory review. Targeting is the primary means within the process of developing a scalable HFE review for focusing the review on the information that may be needed in the HFE safety evaluation. Section B‑1 of appendix B provides guidance for a risk-informed selection of candidate targets for review. One notable exception to the process of risk-informing the selection of targets is any aspect of the design for which the applicant is seeking an exemption from a requirement. Exemptions must be specifically assessed and must be included in the scope of the review.

The reviewer should also note that at this stage the objective is to identify candidate targets that may be included in the review of the application. Although the selected targets should be those most important to safety, collectively the targets should be a set of characteristics that is sufficient to support the safety determination. At a later stage, when assembling the review plan, the reviewer may determine that the target sample can be reduced (e.g., because of redundancy), needs to be increased (e.g., for adequacy), or should be revised (e.g., for efficiency).

Section B-2 of appendix B lists characteristics of the facility design and operations that may warrant targeting for review. The characteristics are each briefly described along with their potential human performance implications. The list is not intended to be exhaustive but rather to guide the reviewer in selecting the types of characteristics that should be considered in the targeting phase. Whether any of the characteristics listed in section B-2 are present in a design and the significance of individual characteristics to the safety determination will depend on the facility design under review.

Reviewer Responsibilities

Identify candidate targets for review.
Identify the basis for targeting (i.e., brief statement of why the characteristic is important to the safety evaluation).
Identify the source document(s) where the target is identified or additional information can be obtained.
Document the targets, bases, and source documents identified in steps 1–3 for use in subsequent steps in developing a scaled review plan.
Document any deficiencies of the submittal that may necessitate supplements to the application.⁷

Screening

The third step in developing a scaled HFE review plan is screening.

Objective

The objective of the screening stage is to select which of the applicant’s HFE activities, such as task analyses, to include in the scope of the review.

Process

In the targeting phase, the reviewer identified aspects of the facility design and operation that may warrant HFE review. The recommended criteria for selecting the targets, as described in appendix B, are the risk importance, safety significance, and uncertainty (e.g., due to limited operating experience) associated with the selected target. If applicable, aspects of the design for which the applicant may be seeking an exemption from applicable requirements will also be included as targets. The targeting process therefore serves to focus the review on aspects of the facility design and its operation that are important to the safety evaluation. The screening process should be used in a complementary fashion to focus the review on the applicant’s HFE activities that are most important to the effective development and implementation of the facility design or operations aspects that have been targeted for review.

Appendix C presents additional guidance for the screening process. Section C-1 of that appendix provides general guidance for screening. Section C-2 briefly summarizes HFE activities as described in NUREG-0711, Revision 3, and the objectives of those activities. Review of the objectives can guide the application-specific selection of HFE activities. Section C-3 discusses several analytical challenges the reviewer might anticipate when reviewing HFE activities as applied to new reactor technologies.

Although appendix C provides general guidance for selecting HFE activities for review, all plans for review of an application for an operating license or combined license under 10 CFR Part 53 should address the following three HFE activities, unless the associated regulatory requirements are determined not to apply:

10 CFR 53.730(d) would require a functional requirement analysis and function allocation. These analyses are fundamental to understanding the role of plant personnel in accomplishing plant safety and emergency response functions.

10 CFR 53.730(f) would require a staffing plan. Note that DRO-ISG-2023-02, “Interim Staff Guidance Augmenting NUREG-1791, ‘Guidance for Assessing Exemption Requests from the Nuclear Power Plant Licensed Operator Staffing Requirements Specified in 10 CFR 50.54(m),’ for Licensing Advanced Reactors under 10 CFR Part 53,” draft issued September 2022, (NRC, 2022) will identify specific HFE activities of the applicant that should be considered as part of the staffing plan review.

Applications submitted under 10 CFR Part 53 would be able to seek to credit human actions for meeting the requirements of 10 CFR 53.400, “Design features for licensing-basis events,” 10 CFR 53.425, “Design features and functional design criteria for normal operations,” and 10 CFR 53.430 “Design features and functional design criteria for protection of plant workers.” Applicants may also identify risk-important human actions when conducting the analyses required by 10 CFR 53.450, “Analysis requirements,” and categorize them for special treatment as would be required by 10 CFR 53.460 “Safety categorization and special treatments.” Even if the applicant has determined that no human actions are important, the review plan should verify that the methods used by the applicant in reaching such a determination were sound, so that there is assurance that important human actions do not exist. The scope of this verification should include probabilistic safety analyses, as applicable, and deterministic analyses, including the potential for required human actions being relied on for DID, diverse safety system actuations, and safe shutdown.

Reviewer Responsibilities

For each facility characteristic targeted for potential review, identify the HFE activities most important to the development or implementation of that aspect of the facility design or operation.
Review the applicant’s submittal(s) to identify the applicant’s documentation of, or plans for, conducting each HFE activity targeted for review.
Document the source document(s) (e.g., implementation plan, results summary report) for each targeted HFE activity and the applicant’s planned schedule for conducting any forecasted HFE activity associated with development or implementation of the target.
Assess whether the HFE activities identified by the applicant are sufficient to establish a technical basis for design and implementation of each targeted characteristic. For example, if the applicant proposes a new staffing model, assess whether it has conducted or plans to conduct a staffing plan validation.
Document, as part of the acceptance review, any deficiencies of the submittal that may necessitate supplements to the application.⁸

Grading

The fourth step in developing a scaled HFE review plan is grading.

Objective

The objective of the grading stage is to select HFE review standards and guidance documents that will be applied to the assessment of each target and the HFE activity to be included in the scope of the review.

Process

In the targeting phase, the reviewer identified candidate characteristics of the design and operations to be included in the scope of the review. In the screening phase, the reviewer selected for review the HFE activities associated with each target. In the grading phase, the reviewer determines the standards and guidance documents to be applied to the review of each target and HFE activity in the scope of the review.

An important consideration in the grading process is the applicant’s use of HFE standards and guidance. In the application, the applicant may identify the specific HFE standards and guidance documents that were applied, or will be applied, to the development and implementation of the design under review. If these documents have been endorsed through regulatory guides as acceptable means for meeting the applicable HFE requirements, the reviewer can focus on assessing whether the applicant has effectively implemented the cited standard or guidance. Otherwise, the reviewer will be responsible for assessing whether the cited standard or guidance is an acceptable method for meeting NRC requirements when no NRC guidance is currently available.

The NRC has established a substantive body of guidance to support the HFE review of nuclear facilities (e.g., NUREG-0711 (NRC, 2012); NUREG-0700 (NRC, 2020); NUREG-1791 (NRC, 2005); NUREG-1764 (NRC, 2007)). However, most NRC HFE guidance was developed with LLWRs in mind, and few guidance documents specifically address HFE for new reactor technologies. As a result, existing NRC guidance may not adequately address some advanced reactor characteristics that the reviewer may target. In other instances, the characteristic may be addressed, but assumptions underlying the guidance about the context (e.g., ConOps, associated hazards, or risk) may not be valid for the current application.

The reviewer addresses such concerns in the grading stage by identifying the standards and guidance documents that best support the HFE review for each facility characteristic and HFE activity to be reviewed. This will likely be most effectively accomplished by selectively using current NRC guidance (e.g., applicable portions of NUREG guidance) and augmenting this guidance with the use of consensus standards, where necessary, to address gaps, or recent developments not yet incorporated, in agency guidance. For example, a reviewer may elect to target the applicant’s computer-based procedure system; use Institute of Electrical and Electronics Engineers (IEEE)-1786, “Guide for Human Factors Applications of Computerized Operating Procedure Systems (COPS) at Nuclear Power Generating Stations and Other Nuclear Facilities,” issued June 2022 (IEEE, 2022), to review the design of the system; and use NUREG‑0711 to guide the review of the applicant’s operating experience review and validation of that system. Appendix D provides additional guidance for the selection of applicable standards and guidance documents.

Table D‑1 in appendix D contains more information on standards and guidance documents that the reviewer may find useful for conducting an HFE review of an application under 10 CFR Part 53.

Reviewer Responsibilities

Review the application to identify any HFE standards or guidance documents the applicant cites as a basis for the design or implementation of targeted characteristics or supporting HFE activities.
Assess the adequacy of the cited standards and guidance documents for supporting development and implementation of a design that would meet NRC HFE requirements.
If the reviewer identifies inadequacies in the cited standards or guidance (e.g., inadequate scope or criteria) for assessing the design for compliance with NRC HFE requirements, the reviewer should identify acceptable alternative standards or guidance documents to be applied during the review and document the basis for the selected documents.
Document for inclusion in the review plan the standards and guidance documents to be applied to the staff’s HFE review of the application.

Assembling the Review Plan

The last step in the process of developing a scalable HFE plan is assembling and documenting the review plan.

Objective

The objective when assembling the review plan is to develop an approach to the review that leverages the results of the characterization, targeting, screening, and grading activities to support an efficient and effective HFE safety evaluation of the proposed design.

Process

Assembling the review plan involves (1) selecting for review aspects of the facility, its operation, and the HFE activities supporting their design, (2) identifying the methods, standards, guidance, and resources for conducting the reviews, and (3) establishing the schedule for their completion and documentation.

Selecting aspects of facility design, operations, and associated HFE activities for review:

In conducting the targeting process, the reviewer will have identified aspects of the facility design and its operations that may warrant an HFE review. In conducting the screening process, the reviewer will have identified the applicant’s HFE activities important to the development of these targeted aspects of the design and operation. It is possible that the review plan may not include all items identified in the targeting and screening process, as the reviewer may find redundancy in the type of information that can be gleaned from reviewing each of the items. Accordingly, in assembling the review plan, the primary objective should be to select from the results of the targeting and screening processes a sufficient set of items for review that will collectively provide a sound basis for the staff to make a reasonable assurance determination concerning the operational safety of the applicant’s design. Alternatively, the reviewer may find that the application provides insufficient information to support an HFE review. Such instances should be addressed with the project manager (e.g., as part of the application acceptance review). Appendix E provides additional guidance, including two strategy alternatives for selecting aspects of the design for review and assessing the adequacy of the sample for supporting the safety evaluation.

Identifying methods, standards, guidance, and resources:

The second key element of the review plan is establishing the methods, standards, and guidance documents to be used for conducting the technical review (i.e., those staff activities to be conducted following the acceptance review) and the staff resources to be applied.

In most cases, the technical review methods will either be desktop reviews of documents or direct observation of an applicant’s implementation of an HFE activity (e.g., integrated system validation testing, staffing plan validation testing, or other testing such as in a multistage validation).

For desktop reviews, the reviewer should identify in the plan the specific documents or portions of documents to be reviewed for each target, the HFE activity to be reviewed, and whether the information is part of the docketed application or is not docketed (e.g., proprietary information provided via an electronic reading room) and would be reviewed via an audit. In the latter case, the reviewer should plan to ensure that information necessary for the safety evaluation becomes a docketed record.

For technical review activities that are to be conducted through direct observation, the review plan should identify the scope of the activities to be observed, the anticipated dates and location of the observations, the communications necessary to ensure coordination with the applicant, the staff resources required (i.e., the number and qualifications of technical and inspection staff), plans for development of the observation plan(s), and how the observations will be documented.

Whether conducting desktop reviews or direct observations, the reviewer will perform each activity using one or more standards or guidance documents (e.g., consensus standard, NUREG). The applicable standards and guidance documents will likely vary for the different review activities in the review plan. The review plan should therefore specify the standards and guidance document(s), or sections thereof, for conducting each technical review activity. The results of the grading process should inform the selection of the standards and guidance documents.

Establishing the schedule for review and documentation:

Establishing a timetable for conducting the individual review activities included in the plan is essential to ensuring not only that the review can be completed within the time allotted for the overall licensing action, but that interim milestones are realistic and achievable. This includes ensuring that information required for the review will be available in time to allow for staff review (e.g., results summary reports submitted as supplements to the application) and that the applicant’s HFE activities that are to be observed (e.g., validation tests) will be conducted at a time that will allow for staff observation, assessment, and incorporation in the safety evaluation. For each review activity, the plan should specify (1) the availability, or planned submittal date, of the documentation to be reviewed, (2) the planned implementation dates of HFE activities to be observed and the period during which the review or observations are to be conducted, and (3) the dates by which documentation of the review activity is to be completed and the projected date for completion of the HFE safety evaluation.

Reviewer Responsibilities

Review the results of the characterization, targeting, and screening processes.
Consider the results of these processes to formulate a review scope that will support an efficient and effective safety evaluation.
Verify that the scope is sufficient to assess compliance with the applicable HFE requirements.
Identify the review activities that will be conducted for each item (e.g., aspect of the design) that will be included in the scope of the review.
Identify the standards and guidance documents or portions thereof selected during the grading process that will be used for each review activity.
Establish a schedule for completion of the review activities.
Inform management of any potential schedule conflicts between the applicant’s plan for HFE activities and the proposed review schedule as soon as they are identified.
Document the review activities, applicable guidance, planned staff resources, and implementation schedule in a draft technical review plan.
Obtain management approval of the draft plan and ensure alignment between project manager and technical reviewer management.
Update the plan as necessary during the review. No substantive changes to the scope, methods or schedule of the plan should be made without justification and management review.

Implementation

The NRC staff will use the information discussed in this ISG to review commercial nuclear plant applications for OLs, COLs, CPs, SDAs, DCs, and MLs under 10 CFR Part 53. The NRC intends to incorporate feedback obtained during the public comment period for the Part 53 proposed rule and associated guidance into a final version of this ISG, which would be issued along with the issuance of the final rule for Part 53.

Backfitting and Issue Finality Discussion

DRO-ISG-2023-03, if finalized, would not constitute backfitting as defined under proposed 10 CFR 53.1590, “Backfitting,” and as described in Management Directive 8.4, “Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests” (NRC, 2019). It would not constitute forward fitting as that term is defined and described in MD 8.4 or affect the issue finality of any approval issued under proposed Part 53. The guidance would not apply to any current licensees or applicants or existing or requested approvals under proposed Part 53. Therefore its issuance cannot be a backfit or forward fit or affect issue finality. Further, applicants and licensees would not be required to comply with the positions stated in this ISG.

CONGRESSIONAL REVIEW ACT

Discussion to be provided in the final ISG.

PAPERWORK REDUCTION ACT

This ISG provides voluntary guidance for implementing the mandatory information collections in 10 CFR Part 53 that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et. seq.). These information collections were approved by the Office of Management and Budget (OMB), under control number 3150-XXXX, respectively. Send comments regarding this information collection to the FOIA, Library, and Information Collections Branch (T6-A10M), U.S. Nuclear Regulatory Commission, Washington, DC 20555 0001, or by e-mail to [email protected], and to the OMB Office of Information and Regulatory Affairs, Attn: Desk Officer for the Nuclear Regulatory Commission, 725 17th Street, NW Washington, DC 20503.

PUBLIC PROTECTION NOTIFICATION

The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the document requesting or requiring the collection displays a currently valid OMB control number.

FINAL RESOLUTION

The NRC staff will incorporate the information and guidance in this ISG into the regulatory guide or NUREG series, as appropriate. Following the transition of all pertinent information and guidance in this document into the regulatory guide or NUREG series, or other appropriate guidance, this ISG will be closed.

REFERENCES

IEEE (2022). “IEEE Guide for Human Factors Applications of Computerized Operating Procedure Systems (COPS) at Nuclear Power Generating Stations and Other Nuclear Facilities,” in IEEE Std 1786-2022, June 10, 2022.

NRC (2022). “Draft Interim Staff Guidance Augmenting NUREG-1791, ‘Guidance for Assessing Exemption Requests from the Nuclear Power Plant Licensed Operator Staffing Requirements Specified in 10 CFR 50.54(m)’ for Licensing Commercial Nuclear Plants under Part 53.” DRO-ISG-2023-02, (Draft Interim Staff Guidance). Washington, DC: U.S. Nuclear Regulatory Commission. Access and Management System (ADAMS) Accession No. ML22266A068.

NRC (2024a). “Advanced Reactor Content of Applications Project Chapter 11, ‘Organization and Human-System Considerations’” (DANU-ISG-2022-05). Washington, DC: U.S. Nuclear Regulatory Commission, March 2024. ML23277A143.

NRC (2021). “Pre-application Engagement to Optimize Advanced Reactors Application Reviews” (draft). Washington, DC: U.S. Nuclear Regulatory Commission, May 2021. No. ML21145A106.

NRC (2024b). “Review of Risk-Informed, Technology-Inclusive Advanced Reactor Applications—Roadmap” (DANU-ISG-2022-01). Washington, DC: U.S. Nuclear Regulatory Commission. March 2024. ML23277A139.

NRC (2020). “Human-System Interface Design Review Guidelines” (NUREG-0700, Rev. 3). Washington, DC: U.S. Nuclear Regulatory Commission, July 2020. ML20162A214

NRC (2019), “Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests,” (MD 8.4). Washington, DC: U.S. Nuclear Regulatory Commission, September 2019. ML18093B087.

NRC (2016). “Standard Review Plan for the Review of Safety Analysis for Nuclear Power Plants: LWR Edition,” Chapter 18, “Human Factors Engineering, Rev. 3” (NUREG-0800). Washington, DC: U.S. Nuclear Regulatory Commission, December 2016. ML16125A114

NRC (2012). “Human Factors Engineering Program Review Model” (NUREG-0711, Rev. 3). Washington, DC: U.S. Nuclear Regulatory Commission, November 2012. ML12324A013

NRC (2008). “Policy Statement on the Regulation of Advanced Reactors.” Washington, DC: U.S. Nuclear Regulatory Commission, October 7, 2008. ML082750370.

NRC (2007). “Guidance for the Review of Changes to Human Actions” (NUREG‑1764, Rev. 1). Washington, DC: U.S. Nuclear Regulatory Commission, September 2007. ML072640413

NRC (2005). “Guidance for Assessing Exemption Requests from the Nuclear Power Plant Licensed Operator Staffing Requirements Specified in 10 CFR 50.54m” (NUREG-1791). Washington, DC: U.S. Nuclear Regulatory Commission, July 2005. ML052080125

APPENDIX A—CHARACTERIZATION

Identifying Key Characteristics of Facility Design and Operation

Development of a human factors engineering (HFE) review plan for a commercial nuclear plant application submitted under Title 10 of the Code of Federal Regulations (10 CFR) Part 53, “Risk-Informed, Technology-Inclusive Regulatory Framework for Commercial Nuclear Plants,” begins with establishing a sound understanding of the basic facility design and its intended operation. It is also helpful to know the nature, scope, and timing of any HFE activities conducted or planned during the design process, any human actions identified as important to safety, and whether and how the applicant claims to meet applicable HFE requirements in the Code of Federal Regulations. Such an understanding will facilitate the HFE reviewer or review team’s identification of characteristics of the design and operation relevant to the role of human performance in relation to nuclear safety and security. This understanding will aid in the development of an efficient and effective review plan tailored to the details of the application.

Uses

This guidance document refers to the process of developing and documenting this understanding as “HFE characterization” of the facility design and operation or, in brief, “characterization.” The facility characterization will be used as the starting point for the subsequent steps of targeting and screening, which will further focus development of the HFE review plan. The facility characterization can also serve as a useful reference for the conduct of related reviews, such as those for facility staffing, training, and operator licensing. Thus, facility characterizations can be an important tool for coordination and communication between interdependent human-system reviews under 10 CFR Part 53.

Objective and Scope

The characterization should be developed with an eye toward establishing a sound understanding of the facility and the design features, programs, and human activities important to its safe operation. The objective is to identify, as part of the characterization, those characteristics that are important to the HFE of the facility design and its operation, as it will serve as the basis for targeting, in which specific characteristics will be selected for review. Effective targeting will require additional contextual information, such as safety and risk insights and the facility concept of operations (ConOps), which should also be captured as part of the characterization. The applicant’s HFE activities should also be included in the characterization, as they will be the focus of the screening phase of review plan development.

Organization

To guide the characterization process, this appendix proposes that the initial characterization encompass the facility ConOps. A ConOps can provide an organizing framework for the characterization and identification of key characteristics that may be targeted for HFE review as further described in appendix B.

According to the Institute of Electrical and Electronics Engineers (IEEE), a ConOps—

…describes system characteristics of the to-be-delivered system from the user’s viewpoint. The ConOps document is used to communicate overall quantitative and qualitative system characteristics to the user, buyer, developer, and other organizational elements (e.g., training, facilities, staffing, and maintenance). It describes the user organization(s), mission(s), and organizational objectives from an integrated systems point of view. [IEEE, 2007, p. 1]

From an HFE perspective, a ConOps identifies the design’s high-level goals and the functions and operational practices needed to manage both normal and off-normal situations. It is used to identify expectations related to human performance (Pew & Mavor, 2007). A ConOps covers all facets of the interactions of personnel with a complex system and guides the formation of requirements, the details of design, and the evaluation of the system (AIAA, 1992; DOD, 1995, 2000; Fairley & Thayer, 1977; IEEE, 2007). Increasingly, many industries are employing ConOps documents to provide a vision of how personnel are integrated into a new design or major modification (Thronesbery et al., 2009). Section A-1 of this appendix describes a ConOps model that can be used to guide an HFE characterization.

As noted above, in addition to the basic facility design and operation, other items that should be known when developing an HFE review plan include the following:

the nature, scope, and timing of any HFE activities conducted or planned during the design process
any human actions identified as important to safety
whether and how the applicant claims to meet applicable HFE requirements in the Code of Federal Regulations.

The preceding three items can facilitate development of a focused and efficient HFE review by providing the context for how and why design decisions were made and which, if any, human actions the applicant has identified as important to safety. Section A-2 of this appendix provides guidance for augmenting the characterization of facility design and operation with this additional information.

A-1. ConOps Model for Characterizing a Facility and Its Operation

Applicants and holders of combined and operating licenses under 10 CFR Part 53 would be required to develop, implement, and maintain a ConOps (i.e., 10 CFR 53.730(c)). In addition, contents of applications would be required to include a written description of the role of personnel in ensuring safe operations, including an assessment of their ConOps (see 10 CFR 53.1369(g)(1)(iii) or 10 CFR 53.1416(a)(7)(i)(C) for operating or combined license applicants, respectively; 10 CFR 53.1209(b)(2) or 10 CFR 53.1239(a)(27)(iii) for standard design approval or design certification applicants, respectively; or 10 CFR 53.1279(a)(2) or 10 CFR 53.1309(a)(2) for manufacturing license for construction permit applicants, respectively).

NUREG/CR-7126, “Human-Performance Issues Related to the Design and Operation of Small Modular Reactors,” issued June 2012 (NRC, 2012) presents a six-dimensional ConOps model. Although originally developed to obtain information about small modular reactors, the dimensions of the model are at a level to have generic applicability to a wide range of nuclear facilities. Figure A-1 shows the following six dimensions of the model:

facility mission
agents’ roles and responsibilities
staffing, qualifications, and training
management of normal operations
management of off-normal conditions and emergencies
management of maintenance and modifications

In developing 10 CFR Part 53, the U.S. Nuclear Regulatory Commission (NRC) recognized the potential need to add a seventh dimension—“management of tests, inspections, and surveillance tasks”—to clarify the scope of the sixth dimension, “management of maintenance and modifications.” Specifically, this dimension could be interpreted as including management of tests, inspections, and surveillances, and alternatively, these activities could be viewed as a separate function or group of functions. Including the seventh dimension clarifies that the management of tests, inspections, and surveillances should be addressed in a ConOps, and their explicit listing is consistent with the importance of these activities to the safety management of a commercial nuclear plant. Accordingly, the following are the seven dimensions of a ConOps as identified in proposed 10 CFR 53.730(c):

plant goals
the roles and responsibilities of operating personnel and automation (or any combination thereof) that are responsible for completing plant functions
staffing, qualifications, and training
management of normal operations
management of off-normal conditions and emergencies
management of maintenance and modifications
management of tests, inspections, and surveillance tasks

Reviewers should note that although the terminology for describing the ConOps dimensions in 10 CFR Part 53 differs slightly from the terminology in NUREG/CR-7126, the differences in the 10 CFR Part 53 language are intended to clarify the dimensions in the context of 10 CFR Part 53, not to impart a different meaning than described in NUREG/CR‑7126 and summarized here.

A-1.1 Facility Mission, Goals, and Characteristics

A ConOps reflects top-down design considerations. At the top is the facility’s mission and the high‑level goals that drive all aspects of the design, including the technological infrastructure needed to support them and the roles and responsibilities of the crew. The mission should be described in terms of the following:

Goals and Objectives—The purposes for which the facility was designed (e.g., electrical generation and safety).
Evolutionary Context—The design of the predecessor facilities and the operating experience that set the foundation for the new design and the technological and operational changes and improvements that the new plant seeks to achieve.
High-Level Functions—The functions (e.g., reactivity control) that must be performed to achieve the goals and objectives.
Boundary Conditions—The conditions that clearly identify the operating envelope of the design (i.e., the general performance characteristics within which the design is expected to operate, such as temperature and pressure limits). Clearly identifying boundary conditions helps define the design’s scope and interface requirements.
Constraints—Aspects that influences the design (e.g., a specific staffing plan or the use of specific technology).

The facility mission and characteristics can provide insights that may be important to the review such as (1) whether the facility will be co-located with another facility that could introduce hazards or emergency response, evacuation, or security challenges, (2) the complexity of the design and the extent to which operations may be complicated by the use of shared systems, (3) the size and characteristics of the source term, and (4) the characteristics of hazards (e.g., operating temperatures and pressures) and their potential implications for accident dynamics (e.g., magnitude and speed of progression, event mitigation).

A-1.2 Roles and Responsibilities of Personnel and Automation

This dimension clarifies the relative roles and responsibilities of the system’s agents—namely, personnel and automation—and their relationship.

Defining human roles and responsibilities is the first step toward integrating humans and systems, from which other aspects of the ConOps and design should flow. This dimension is usually specified at a preliminary level before beginning design work, based on the operating experience from earlier designs and the goals for developing the new one. The preliminary or fundamental description of agents’ roles and responsibilities may be reflected in the applicant’s philosophy or objectives for design and operation of the facility. Such objectives may include, for example, minimizing the need for human action through automation or design simplicity. In reviewing the ConOps, the reviewer should identify the applicant’s philosophy or objectives regarding the role of humans in the operation of the plant and note the implications for the type and level of HFE activities necessary to support the philosophy and objectives. For example, the reviewer should consider how HFE program activities will be used to refine human roles and support human performance through design of human-system interfaces (HSIs) or development of administrative controls.

A-1.3 Staffing, Qualifications, and Training

This dimension addresses the expected number and capabilities of staff needed to accomplish the human roles and responsibilities. Staffing should consider organizational functions, including operations, maintenance, and security. Staff positions, the qualifications necessary for each, and their primary work location(s) should be defined. The ConOps should identify how any crews or teams will be structured and the types and means of interaction between their members and other organizational functions. The training needed to meet qualification requirements and to perform the human roles and responsibilities should be specified. This dimension of the ConOps should provide the reviewer with insights such as onsite staffing levels, whether operators might be specifically licensed or generally licensed, and the scope and nature of the training that would be necessary for personnel with duties important to safety.

A-1.4 Management of Normal Operations

This dimension encompasses three main considerations: (1) identifying key scenarios, (2) identifying the tasks needed to perform them, and (3) identifying the HSIs and procedures necessary to support personnel tasks.

Key scenarios include those reflecting the plant’s normal evolutions, such as startup, low power, full power, refueling, and shutdown. For each one, the ConOps should identify the tasks that personnel must accomplish to fulfill their roles and responsibilities; the locations and ways in which personnel interact with the plant’s functions, systems, and components to complete them; and any support automation provides in monitoring and controlling the plant through these evolutions.

The design of HSIs and procedures should support personnel with their task and job assignments. For example, the following concepts for how personnel interact with HSI resources may be specified:

information distribution (e.g., the types of information that individual crew members access and the types that are displayed to the entire crew)
the determination of the location of HSIs (e.g., either in the main control room or at local or other control stations)
configuration of personnel workplaces, such as a single large workstation, individual ones, or large overview displays

The ConOps for management of normal operations can provide insights such as the planned operating modes (e.g., steady state, load-following) and their potential implications for HSI requirements and workload demands.

A-1.5 Management of Off-Normal Conditions and Emergencies

This dimension addresses many of the same considerations discussed for normal operations (key scenarios, tasks, and supporting HSI resources), except the conditions are atypical. Such atypical conditions include the following:

loss of facility systems for which compensation is needed, such as the failure of a decay heat removal system
failed equipment, such as pumps and valves
degraded instrumentation and control (I&C) and HSI conditions (e.g., a faulty sensor, loss of an aspect of automation, or degradation of a workstation)
emergencies that may impact safety, such as a loss of primary heat sink

This ConOps dimension should provide insights into the safety features and characteristics of the design (e.g., active, passive, inherent), their complexity, and implications for human performance related to event diagnosis and mitigation.

A-1.6 Management of Maintenance and Modifications

This dimension encompasses the installation of facility upgrades, maintenance, and configuration management. As for the previous two dimensions, personnel tasks and how the HSIs and procedures support those tasks are considered. For example, much of the maintenance of advanced digital I&C systems typically occurs at a workstation through changes in software. Such activities may be more extensive in new designs relying heavily on digital systems and automation. Required maintenance activities that are significant in scope or importance to safety (e.g., movement of a reactor module in a small modular reactor) should be identified. Whether such maintenance is principally performed while the reactor is at power or shut down and whether the maintenance is performed on site or off site should be specified.

A-1.7 Management of Tests, Inspections, and Surveillances

This dimension encompasses condition monitoring and predictive maintenance activities. Support activities are important to ensuring the continued availability and functioning of safety systems. For advanced commercial reactors, reduction in the use of active safety systems, simplicity of design, high levels of automation, passive safety systems, and lower accident consequences can shift the human role from the active performance of safety functions to a role in ensuring the readiness of passive and automated safety systems through test, inspection, and surveillance activities. In addition, advanced commercial reactor facilities are likely to have a degree of instrumentation that will be able to support a broad range of diagnostic and prognostic assessments of plant structures, systems, and components important to safety from remote locations, such as a main control room or an offsite monitoring facility. Applicants’ descriptions of this ConOps dimension will provide information important to understanding the human role in ensuring the readiness of safety systems through tests, inspections, and surveillances and how these functions may be physically and organizationally distributed.

A-2. Human Factors Engineering Activities, Important Human Actions, and Use of Exemptions or Alternative Methods

A-2.1 HFE Activity Descriptions

HFE activities, such as those described in NUREG-0711, Revision 3, “Human Factors Engineering Program Review Model,” issued November 2012 (NRC, 2012) (e.g., operating experience review, functional requirements analysis, task analysis, task support verification, and integrated system validation) support the development and implementation of nuclear facility characteristics in ways that leverage human capabilities and accommodate human limitations to achieve design objectives, including plant operational safety. As such, information concerning the applicant’s HFE activities can substantially aid the HFE review. This information is often submitted as part of the application as an implementation plan (IP) or results summary report (RSR). As described in NUREG-0711, Revision 3, section 1.2.2, an IP describes the applicant’s methodology for conducting an HFE element. An RSR summarizes the results of a completed HFE activity and cites documents or files that contain the complete results. If the applicant completed the HFE activity before the NRC’s review of the applicant’s methodology, then the IP should describe the methodology used. Whether the information is formally identified by the applicant as an IP or RSR, information concerning the applicant’s HFE activities should be included in the facility characterization for consideration for inclusion in the scope of the review, specifically as part of the screening stage of developing a scaled review plan.

There are additional benefits to capturing HFE activities as part of the characterization. Understanding the nature, scope, and timing of any HFE activities conducted or planned during the design process increases the flexibility of the review process by identifying the opportunities for the reviewer to evaluate the design through design processes. Other benefits include opportunities to review design products and manage technical review resources consistent with the timing of planned HFE activities. This information can also increase effectiveness by enabling the reviewer to include HFE activities in the scope of the review when assessment of design products alone (e.g., HSIs) may be inefficient or provide insufficient information to support an integrated or performance-based assessment of the design and its operation.

A-2.2 Important Human Actions

Actions identified by the applicant as credited in facility safety analyses, necessary for defense in depth, or risk important should be documented as part of the facility characterization. The documentation should identify the setting in which the actions are taken. Understanding which actions, if any, the applicant has identified as important to safety will support the efficiency of the review by enabling the reviewer to focus on actions identified through deterministic and risk analyses as important to safety. This documentation will also aid the reviewer in identifying any potential gaps in the identification of important human actions.

A.2.3 Exemptions and Alternative Methods

Understanding whether or how the applicant claims to meet applicable HFE requirements in the Code of Federal Regulations will enable the reviewer to include provisions in the review plan for considering exemption requests or alternatives to methods described in NRC guidance for meeting NRC requirements. The use of alternative methods can inform the grading process in which the reviewer will identify criteria to be used in the review. If the applicant proposes to use standards or guidance documents other than those previously endorsed by the NRC, noting this use in the characterization will facilitate consideration of these alternative standards or guidance documents to determine whether they can be used as an alternative to meeting the applicable NRC requirements.

A-3. Documenting the Characterization

The characterization should be documented using a method that facilitates efficient summarization of each characteristic the reviewer identifies as important, with references recorded for the source(s) within the application where the original or additional information can be found. Concise descriptions of the characteristics will contribute to efficient documentation. Citations to source documents will increase the efficiency of the targeting and screening processes during plan development, as well as facilitate efficient implementation of the review plan. A suggested method for documenting the characterization is the development of a table or spreadsheet in which facility characteristics are recorded to formulate the rows of the table. Categories of information such as the location of source material (including revision numbers or document dates), HFE activities, risk and safety insights, and reviewer observations can be formulated as the columns of the table. The resulting table would support the documentation of each characteristic along with information important to the review of each characteristic. Table A‑1 shows an example of this approach.

Table A-1. Example Format for Documentation of Facility Characterization

Facility Characteristic	Source	HFE Activity	Safety/Risk Insights	Notes
Brief description of characteristic 1	Document, page(s)	Type of program/activity used in design or implementation	Brief description of safety significance or risk importance	Implications for inclusion in scope of review or conduct of review
Brief description of characteristic 2	Document, page(s)	Type of program/activity used in design or implementation	Brief description of safety significance or risk importance	Implications for inclusion in scope of review or conduct of review

A-4. References

AIAA (1992). “AIAA Recommended Technical Practice—Operational Concept Document Preparation Guidelines.” Reston, Virginia: American Institute of Aeronautics and Astronautics, May 2018.

DOD (2000). “Operational Concept Description” (DI-IPSC-81430A). Washington, DC: U.S. Department of Defense, January 2000.

DOD (1995). “Software Development and Documentation Standard” (MIL-STD-498). Washington, DC: U.S. Department of Defense. January 1995.

Fairley, R. & R. Thayer (1977). “The Concept of Operations: The Bridge from Operational Requirements to Technical Specifications.” Annals of Software Engineering, 3, 417–432, January 1997.

IEEE (2007). “IEEE Guide for Information Technology—System Definition—Concept of Operations (ConOps) Document” (IEEE Std 1362-1998; R2007). Piscataway, New Jersey: IEEE December 2007.

NRC (2012). “Human Factors Engineering Program Review Model” (NUREG-0711, Rev. 3). Washington, DC: U.S. Nuclear Regulatory Commission, November 2012. ML12324A013

O’Hara, J., J. Higgins, & M. Pena (2012). “Human-Performance Issues Related to the Design and Operation of Small Modular Reactors” (NUREG/CR-7126). Washington, DC: U.S. Nuclear Regulatory Commission, June 2012.

Pew, R. & A. Mavor (2007). Human-System Integration in the System Development Process: A New Look. Washington, DC: The National Academies Press.

Thronesbery, C., D. Schreckenghost, & A. Molin (2009). “Concept of Operations Storyboard Tool.” In Proceedings of the Human Factors and Ergonomics Society 53rd Annual Meeting. Santo Monica, California: Human Factors and Ergonomics Society, October 2009.

APPENDIX B—TARGETING

Selecting Characteristics for Review

Targeting is the process by which the human factors engineering (HFE) reviewer identifies aspects of the applicant’s design and operations that may warrant an HFE review. It is the primary means in the process of developing a scalable HFE review focused on the information necessary for the HFE safety evaluation. Section B-1 of this appendix describes general criteria and principles that the reviewer should consider in targeting characteristics of the facility design and operation for review. Section B-2 lists and discusses prospective characteristics of an application and a rationale for why each might be considered for targeting. Section B-3 lists and discusses additional considerations for NRC review of the HFE activities an applicant may have conducted in support of its advanced reactor license application.

B-1. General Criteria and Principles for Target Selection

There are precedents for targeting or screening in NRC guidance documents, and several approaches have been described. As examples, NUREG-0800, Revision 3, “Standard Review Plan for the Review of Safety Analysis for Nuclear Power Plants: LWR Edition,” Chapter 18, “Human Factors Engineering,” issued December 2016 (NRC, 2016), and NUREG‑0711, Revision 3, “Human Factors Engineering Program Review Model,” issued November 2012 (NRC, 2012), include guidance for alternative approaches to a full HFE review. The considerations used to guide more focused reviews in these guidance documents and recommended here for targeting reviews in accordance with this interim staff guidance (ISG) are risk importance, safety significance, and uncertainty.

In keeping with the objective of “risk-informing” NRC review activities, the reviewer should use risk insights, to the maximum extent that risk information is available, to guide the targeting process.⁰ Such information may be available through quantitative and qualitative risk analyses and can be particularly helpful for identifying human actions (HAs) important to safety. Section C‑3.3 of appendix C discusses the use of risk information to identify important HAs in more detail.

In addition to risk importance, safety significance should inform the selection of facility characteristics or operations for targeting. As the objective is to be risk-informed, rather than risk-based, deterministic and qualitative analyses provide insights concerning facility characteristics and operations that may not be readily amenable to risk analysis but may be important to the assurance of safety (e.g., defense in depth (DID)).

Characteristics of the design and its operation that introduce uncertainty should also be considered for targeting. The characterization process is likely to identify characteristics of the designs and its operation that are well known from reviews and operation of similar nuclear facilities and, conversely, characteristics that are new or novel. New or novel characteristics may represent, or be associated with, advances in design or operations or means for addressing unique circumstances. However, new and novel characteristics can introduce uncertainty as they tend to have limited validation through diverse or extended operating experience. Uncertainty may also be introduced through limited development of design detail. The introduction of uncertainty from either of these sources can affect the completeness and accuracy of the analyses used to identify risk‑important and safety‑significant characteristics and operations. Focusing reviews by targeting characteristics that introduce uncertainty can improve the efficiency of the review and better calibrate confidence in the reviewer’s safety assessment.

B-2. Prospective Characteristics for Targeting

NUREG/CR-7126, “Human-Performance Issues Related to the Design and Operation of Small Modular Reactors,” issued June 2012 (O’Hara et al., 2012), and Brookhaven National Laboratory (BNL) Technical Letter Report No. F0028-04, “Development of HFE Review Guidance for Advanced Reactors” (O’Hara et al., 2021), identified characteristics of facility design and operation that present potential challenges to human performance. The insights derived from these two efforts have been integrated in this appendix and organized in accordance with the concept of operations (ConOps) model described in appendix A.

The reviewer should keep in mind that this appendix is not an exhaustive list nor does inclusion in the list constitute a sufficient basis for concluding that a challenge to human performance exists or that a characteristic should be targeted for review. Rather, the characteristics identified in this section of appendix B should be considered for their relevance to the application under review and as examples to aid in identifying characteristics of the design and operation that are not identified here but may present challenges to human performance. Facility design and operations characteristics of concern to the reviewer that are not listed in this appendix should be discussed with the reviewer’s branch chief to assess whether they should be included in the scope of the review and, if so, how they might be addressed. Facility design and operations characteristics identified through this characterization process should be considered in conjunction with the general criteria and principles described in section B‑1 to select characteristics for targeting.

The reviewer will find dependencies between some of the issues discussed in this section of the appendix, often reflecting their hierarchal relationships. For example, “new missions” may lead to new staffing approaches that necessitate new designs for control rooms and human‑system interfaces (HSIs). Consequently, the guidance provided for the characteristics described in this appendix will often cross reference the guidance for characteristics that may be closely related or interdependent. Reviewers should consider the implications of such relationships when developing a review strategy and target sample.

Table B-1 lists the characteristics by ConOps dimension. This organization is used to order the characteristics in a manner that may be useful in developing a review plan, but it does not imply that any of the characteristics listed are solely associated with the one dimension of ConOps with which it is listed. To the contrary, reviewers should actively consider potential implications of a characteristic for all dimensions of the applicant’s ConOps.

The characteristics are discussed in more detail below, including their potential implications for facility designs, human performance, and HFE design reviews. In some instances, additional resources are cited that can provide guidance, including questions that an NRC reviewer should consider or could ask applicants whose designs have the identified characteristics. The characteristics included in table B-1 are also provided in the form of a reviewer aid at the end of this appendix as exhibit B-1.

Table B-1. Example Design and Operational Characteristics with
Human Performance Implications

ConOps Dimension	Characteristic of Design or Operation
Plant Mission/Goals	New Missions
Plant Mission/Goals	Novel Designs and Limited Operating Experience from Predecessor Systems
Roles and Responsibilities of Personnel and Automation	High Levels of Automation for All Operations
	Autonomous Operations
	Multiunit Operations and Teamwork
Staffing, Qualifications, and Training	New Tasks and Jobs
	New Staffing Positions
	Decentralization of Duties
	Operator Licensing Options
	New Plant Staffing Models
	Staffing Levels
	Alternative Training Methods/Programs
Management of Normal Operations	Managing Non-LWR Processes and Reactivity Effects
	Load-Following Operations
	Novel Refueling Methods
	HSIs for New Missions (e.g., steam production, hydrogen)
	No Traditional Control Room
	Remote Operations
	Different Unit States of Operation
	Unit Design Differences
	Control Systems for Shared Aspects of Multiunit Reactor Facilities
	Adding New Units While Other Units Are Operating
	Control Room Configuration and Workstation Design for Multiunit Operations and Teams
	HSI Design for Multiunit Monitoring and Control
Management of Off-Normal Conditions and Emergencies	Inherent Safety Characteristics
	Passive Safety Systems
	New Safety Functions
	New Hazards
	Common Control Room for Multiple Units–Loss of HSIs
	Common Control Room for Multiple Units–Handling Off-Normal Conditions
	Multiple Units with Shared Systems–Potential Impacts of Unplanned Shutdowns or Degraded Conditions
	One Operator/Crew Managing Multiple Reactors—Design of Emergency Operating Procedures for Multiunit Disturbances
	One Operator/Crew Managing Multiple Reactors—Identification of Risk-Important Human Actions
Management of Maintenance and Modifications	Modular Construction and Component Replacement
	New Maintenance Operations
	Managing Novel Maintenance Hazards
Management of Tests, Inspections, and Surveillances	Management of Tests, Inspections, and Surveillances

B-2.1 Plant Mission and Goals

B-2.1.1 New Missions

Description

The primary mission of current U.S. nuclear power plants (NPPs) is to safely generate electrical power. Some advanced reactors are designed to accomplish additional missions, such as producing hydrogen and steam for industrial applications (e.g., heating or manufacturing).

Implications

Achieving these missions will require having the necessary plant systems to accomplish them, and personnel tasks will likely be associated with operating these systems. As a result, there may be workload associated with the new missions, in addition to workload associated with achieving the primary mission of safely generating electrical power. Questions important in multimission operations include the following:

If process-heat applications are envisioned for multiunit sites, will different applications be allowed at the same facility (e.g., hydrogen production, steam production, desalination, refining, and electricity production)?
Will the new processes associated with these missions create new hazards and safety issues, such as fires and explosions from hydrogen, methane, or natural gas?
How will plant staff manage these new missions and the associated workload?

Will new process applications use the same or different operators as the NPP?
Will new staffing positions be created?
Will plant operators be trained to deal with upset conditions in process-heat applications and other interfacing requirements?
Will the new missions require additional tasks and interfaces that complicate the job of the operator? The reviewer should be aware that increasing the range of processes an operator must understand and interact with could increase the potential for error. For this reason, the reviewer may decide it is necessary to target these new missions to assess whether the potential for errors has been adequately addressed (e.g., through sufficient HSI design or training and procedures).

The reviewer should consider targeting the applicant’s treatment of new missions to verify that the applicant has effectively addressed any potential impacts on safe operation of the facility. For additional questions to consider in the HFE review of applications involving new missions, the reviewer should consult section 2.1 of NUREG/CR-7202, “NRC Reviewer Aid for Evaluating the Human‑Performance Aspects Related to the Design and Operation of Small Modular Reactors,” issued June 2015 (NRC, 2015).

B-2.1.2 Novel Designs and Limited Operating Experience from Predecessor Systems

Description

Commercial NPPs evolved gradually, with new designs improving on prior ones. Using operating experience from predecessor plants has been an important aspect of plant design, licensing reviews, and operational improvements for years. By contrast, reactor facilities that differ substantively from large light-water reactors (LLWRs) represent a category of plant design for which there may be little or no operating experience. In some instances, reviewers may have to consider the experience of similar designs of nonnuclear systems (e.g., alarm systems for petrochemical plants, control systems for unmanned aerial vehicles, monitoring systems for hospital emergency wards).

Implications

The NRC’s “Policy Statement on the Regulation of Advanced Reactors,” (first issued in 1986 and revised in 2008, (NRC, 2008)), addresses the role of supporting technology in advanced reactor designs, and the NRC staff’s position on development and use of the policy statement found in NUREG‑1226, “Development and Utilization of Advanced Nuclear Power Plants,” issued June 1988 (NRC, 1988) discusses and encourages the use of operating experience. NUREG-1226 states, “The available sources of operating experience should be used whenever possible. It is emphasized that sources of useful operating experience are not limited to reactors.” NUREG-1226 also discusses the use of information and data developed from foreign sources: “The use of foreign data to support a U.S. advanced reactor design is acceptable provided the staff has sufficient access to the design, analysis and experimental data being used.”

The staff’s review of HFE described in NUREG-0711 already incorporates this approach to the use of operating experience in new light-water reactor (LWR) designs. Review criterion 3.4.1(1), “Predecessor/Related Plants and Systems,” in NUREG-0711 states, “For applicants proposing to use new technology or systems that were not used in the predecessor plants, the operating experience review should review and describe the operating experience of any other facilities that already use that technology.”

For advanced reactors, data relating to heat pipes, supercriticalcarbon dioxide, and other potential components are expected to be gathered from nonnuclear experience. Since the operating environment of the available data may be different than that for small modular reactors (SMRs), its relevance should be assessed.

The reviewer should evaluate the extent to which operating experience is lacking, identify the uncertainties created in relationship to the risk/safety analyses for the design, and assess the applicant’s HFE activities with respect to how, and how well, they address these uncertainties (e.g., whether tests and evaluations sufficiently compensate for lack of operational experience). The reviewer should also consider any areas where the available operating experience indicates potential safety issues. For additional questions to consider in the HFE review of applications involving novel designs and limited operating experience, the reviewer should consult section 2.2 of NUREG/CR-7202.

B-2.2 Roles and Responsibilities of Personnel and Automation

B-2.2.1 High Levels of Automation for All Operations

Description

The “automate all you can automate” philosophy often dominates programs for developing advanced reactors to improve their performance and decrease operational costs. However, there is a complex relationship between automation and human performance, which often fails to confirm common-sense expectations. For example, it is expected that high levels of automation will lower workload. However, it often shifts workload and creates other human performance difficulties (O’Hara & Higgins, 2010).

Implications

The degree of automation of a system can be conceptualized as a point on a scale extending from tasks that are performed completely by manual operations (all actions performed by human crews) to full autonomy in which monitoring and control of reactor operations are performed by automated systems with no human intervention. There are many points between these extremes where the level of human involvement decreases and the reliance on automation increases. The characterization of automation in NUREG-0700, Revision 3, “Human-System Interface Design Review Guidelines,” issued July 2020 (NRC, 2020d), includes a dimension for “Levels of Automation” along which autonomy is one endpoint.

Automation often involves cooperation and sharing of responsibilities between automatic systems and plant personnel. Intermediate levels of automation are characterized where the relative responsibilities of humans and automation in carrying out tasks vary. Table B‑2 (adopted from NUREG-0700, Revision 3) illustrates one approach to classifying the levels of automation in NPP applications and identifies the general responsibilities of both automation and personnel.

Table B-2. Example of Levels of Automation for NPP Applications

Level	Automation Tasks	Human Tasks
Manual Operation	No automation.	Operators manually perform all tasks.
Shared Operation	Automatic performance of some tasks.	Operators perform some tasks manually.
Operation by Consent	Automatic performance when directed by operators to do so, under close monitoring and supervision.	Operators monitor closely, approve actions, and may intervene to provide supervisory commands that automation follows.
Operation by Exception	Essentially autonomous operation unless specific situations or circumstances are encountered.	Operators must approve of critical decisions and may intervene.
Autonomous Operation	Fully autonomous operation. System cannot normally be disabled but may be started manually.	Operators may monitor performance and perform backup if necessary, feasible, and permitted.

Source: NUREG-0700, Revision 3, table 9.1.

NPP systems are sometimes characterized at one level and, at other times, another level. Levels can be changed by predefined conditions or operator decision.

The pitfalls of high levels of automation for human performance are well documented, as are some of the design characteristics that generate them. The NRC published guidance on human‑automation interactions (O’Hara & Higgins, 2010). This guidance has been integrated into NUREG-0700, Revision 3, and should support HFE reviewers in addressing automation in advanced reactor designs

Licensing reviews should determine whether the applicant has reasonably assured the effective integration of automation and operators and that the design supports safe operations. The balance between automation and human involvement should ensure plant safety, in part by supporting operators in maintaining situation awareness and managing workload demands. The reliability of automation also is an important consideration. As automation’s reliability declines, operator’s performance and trust in the automation are degraded.

Concerns about the negative effects of over-automation has led to an increase in the use of more interactive automation, such as adaptive automation (AA) (O’Hara & Higgins, 2020; O’Hara, Higgins, & Hughes, 2022). In AA, the level of automation is dynamic and changes with personnel needs and plant conditions. Whether a task is performed by personnel or automation is based on situational considerations, such as the overall workload of personnel. Such an approach may assist operators in managing changing attentional and workload demands in supervising multiple plants.

The guidance in NUREG-0711 and NUREG-0700 is sufficient to review some aspects of AA, such as the monitoring of AA systems, detection of AA system failure, and the general evaluation and validation of AA systems (O’Hara, Higgins, & Hughes, 2022). However, there are many areas that the guidance does not address, such as the design of AA configurations and triggering conditions. Research Information Letter (RIL) 2020-05, “Adaptive Automation: Current Status and Challenges,” dated November 16, 2020 (O’Hara & J. Higgins, 2020), includes a characterization of AA, summarizes research on the effects of AA on human performance, and discusses the state of HFE guidance for designing and evaluating AA systems. For additional questions to consider in the HFE review of applications involving high levels of automation, the reviewer should consult section 2.4 of NUREG/CR‑7202.

B-2.2.2 Autonomous Operations

Description

“Autonomous operations” refers to performing plant operations (e.g., startup, shutdown) with limited human involvement (e.g., without the need for an operator to initiate or control changes in reactivity).

Implications

Microreactor developers have expressed interest in the possibilities of autonomous and remote operation (see for example, SECY-11-0098, “Operator Staffing for Small or Multi-Module Nuclear Power Plant Facilities,” dated July 22, 2011 (NRC, 2011), and SECY-20-0093, “Policy and Licensing Considerations Related to Micro-Reactors,” dated October 6, 2020 (NRC, 2020a)). Although autonomous and remote operations are characteristics of operation that are often discussed in tandem, applications may propose to include either or both characteristics. Accordingly, this guidance addresses these characteristics separately (i.e., section B‑2.4.6 discusses remote operations).

For facilities licensed under Title 10 of the Code of Federal Regulations (10 CFR) Part 50, “Domestic Licensing of Production and Utilization Facilities,” only licensed operators may operate reactivity controls, and manipulation of other HSIs that can affect power level are permitted only if authorized by a licensed operator, in accordance with 10 CFR 50.54(i), (j), (k), and (m). Under 10 CFR 53.740, “Facility licensee requirements – General,” load-following, which can be a limited form of autonomous reactivity control, is permitted under conditions specified by regulation to ensure the capability to refuse demands from the grid operator when they could challenge the safe operation of the plant or when precluded by the plant equipment conditions. 10 CFR 53.740 requires that one of the following must be immediately capable of refusing the load demand: (1) the actuation of an automatic protection system that utilizes setpoints more conservative than those otherwise credited for the purposes of reactor protection, or (2) an automated control system, or (3) an operator or senior operator.

Operation of a reactor without human intervention would be a significant shift from current operational practices and is a complex issue with many human performance considerations:

allocation of function decisions
identification of HAs needed to support autonomy
management of degraded conditions and automation failures
staffing decisions related to autonomous operations
HSI designs to support automation-related HAs

Additionally, autonomous operation can have broader implication for how reactor safety is maintained and the facility is designed, such as the following:

Human operators could be eliminated as a diverse means of DID for the assurance of reactor safety.
The facility designs may not have a control room from which individuals would be able to operate the facility.

As listed above, the decision to use a fully autonomous design has several human performance considerations.

Function Allocation

One aspect of this issue is the allocation of function process used to identify autonomy as a desirable choice for level of automation of an SMR. An allocation of function process examines the relative roles of humans and automation in the task performance needed to monitor and control the reactor under normal and off-normal conditions. Tasks that are better performed by humans are allocated to them, while tasks that are better performed by automation are allocated to automation. However, limitations in the allocation of function process have been noted (O’Hara & Higgins, 2020; O’Hara et al., 2022). The reviewer should evaluate the technical process used for allocation of function and how it addresses limitations of this HFE activity. Section C‑3 of appendix C contains additional discussion of function allocation to support automation decisions.

Identification of Human Actions Needed to Support Autonomy

Another aspect of this issue is that some HAs are likely to be necessary for plant operational safety, even in fully autonomous designs. For example, although 10 CFR Part 53, “Risk‑Informed, Technology‑Inclusive Regulatory Framework for Commercial Nuclear Plants,” would not require specifically licensed operators for facilities meeting the conditions specified in 10 CFR 53.800, “Facility licensees for self-reliant-mitigation facilities” (i.e., applicable safety criteria can be met without reliance on operator action for event mitigation; required safety functions can be met without reliance on operator action for event mitigation; DID requirements can be met without reliance on operator action for event mitigation; and the evaluation criteria for licensing‑basis events can be met without reliance on operator action for event mitigation), this exception would require generally licensed reactor operators (GLROs), in lieu of specifically licensed operators, to perform other administrative actions necessary for the reasonable assurance of plant operational safety (e.g., authorizing an emergency-related departure from license conditions, compliance with technical specifications, operability determinations, NRC notifications, emergency declarations, risk assessment, maintenance oversight, and radiological release limit compliance). Monitoring the performance of autonomous reactors is likely to be necessary, whether on site or remotely. For example, automated control of reactivity in the form of load-following would be permitted only under conditions specified in 10 CFR 53.740(f) and may require that the operation be monitored by a licensed operator. Such HAs need to be identified, and the reviewer should evaluate the applicant’s treatment of them.

Management of Degraded Conditions and Automation Failures

Another human performance aspect of this issue is the management of degraded conditions and failure modes of the autonomous systems. Applicants should look at the need for HAs in those scenarios and the HSIs, procedures, and training needed to accomplish these tasks. These analyses have implications for staffing and control room and HSI design. Reviewers should evaluate the applicant’s treatment of degraded conditions and the identification of HAs to manage them.

Staffing Decisions Related to Autonomous Operations

Applicants may propose automated reactivity control and, in conjunction, propose elimination of specifically licensed operators or GLROs for their staffing plan. Whereas 10 CFR Part 53 would not preclude automated reactivity control, 10 CFR 53.740 specifies that a licensed operator would monitor such operations. Accordingly, requests for exemptions from the applicable requirements would need to accompany applicant proposals for staffing plans that would not include specifically licensed operators or GLROs. The reviewer would need to evaluate the rationale used for autonomous operation without specifically licensed operators or GLROs and the analyses in support of that decision.

Applications for highly automated facilities may propose to use HAs as a DID measure. In such instances, the reviewer should consider the qualifications of the personnel performing the credited action. As an example, 10 CFR 53.740(f) specifies the conditions that would need to be met for load-following, including the capability to reject load demands. Among the accepted means for refusing load demands is the use of a licensed operator. Operators may be used to reject load demands that are judged not prudent. Whereas this use of operators would be a barrier to operations that could challenge safety systems, such applications would not consider the use of operators as a DID measure in the traditional sense, because such actions instead help prevent the event in the first place. This is consistent with the conditions stated in 10 CFR 53.800(a), specifically 10 CFR 53.800(a)(5), which would preclude the use of HA for meeting the DID requirements of 10 CFR 53.250, “Defense in depth,” in self‑mitigating facilities (i.e., facilities permitted to use GLROs as described in 10 CFR 53.805). Conversely, if an application proposes to credit HA for DID, the staffing plan for the facility would need to include specifically licensed operators, as 10 CFR Part 53 requires that such actions be performed by specifically licensed operators.

Human-System Interface Designs to Support Automation-Related Human Actions

An autonomous design also has implications for the HSI design for the support of related HAs. Even when the facility design does not include a traditional control room, some monitoring and possibly control capability may be necessary. The reviewer should evaluate the applicant’s assessment of the need for HSIs in support of HAs in autonomous systems, their HFE design, and location for personnel access. Considerations include maintaining operator situation awareness, the potential for mode confusion errors, and calibration of operator trust in the automation.

Suitability of Current Guidance

In the near term, guidance is available in NUREG-0700, Revision 3, Section 9, “Automation Systems,” to review levels of automation. While no unique guidance for fully automated systems is provided, the review guidance in the other automation sections does apply. However, the guidance is incomplete. For example, the available guidance is sufficient to review some aspects of AA, such as the monitoring of AA systems, detection of AA system failure, and the general evaluation and validation of AA systems (O’Hara et al., 2022). However, in many areas, the guidance is insufficient to review the unique design characteristics of AA systems, such as the design of AA configurations and triggering conditions (O’Hara & Higgins, 2020). Additional research is needed to provide more comprehensive guidance for use in evaluating these unique characteristics.

Applications submitting designs for fully autonomous operations may trigger exemption requests from a variety of regulations, such as the use of nonlicensed personnel to perform activities for which the regulations require licensed personnel. Although guidance is provided for the review of staffing plans (see DRO-ISG-2023-02, “Interim Staff Guidance Augmenting NUREG‑1791, ‘Guidance for Assessing Exemption Requests from the Nuclear Power Plant Licensed Operator Staffing Requirements Specified in 10 CFR 50.54(m)’ for Licensing Commercial Nuclear Plants under Part 53,” issued September 2022 (NRC, 2022)), the guidance is for the review of plans proposing the use of licensed operators and may be used in part for the review of staffing plans for GLROs. No guidance is available for reviewing the use of nonlicensed personnel to perform activities limited by NRC regulation to licensed personnel.

In addition to the above, technical reviews should consider “Function Allocation-Methodology to Support Automation Decisions” (see section C-3.1 of appendix C), and “High Levels of Automation for All Operations” (see section B-2.2.1 of this appendix).

B-2.2.3 Multiunit Operations and Teamwork

Description

For some multiunit common control room designs, a single crew or operator may simultaneously monitor and control multiple units from one control room.

Implications

Multiunit monitoring and control is a new type of operation in the commercial nuclear power industry.

Key issues in effectively and reliably accomplishing this task are teamwork, situation awareness (SA), control room and HSI design, and operator workload. Maintaining enough awareness of the status of multiple units may tax crews and individual operators. For example, unmanned aerial vehicle studies found that operators sometimes focus on a particular vehicle and may neglect others (“unit neglect”) or fail to notice important changes to the other vehicles (“change blindness”).

When operators are focused on a problem in current plants, other operators can take over their other tasks. Such cooperation may be difficult when each operator is responsible for multiple units. In refineries, this situation is addressed by augmenting the crew with additional staff during times of high workload or special evolutions. This is a different operational practice than is used in most LLWR control rooms where the on-shift crew manages all aspects of the plant’s condition (except accidents).

Maintaining SA may be further challenged when other factors intervene (separately identified as issues below):

Individual units can be in different operating states (e.g., different power levels or different states such as shutdown, startup, transients, accidents, refueling, and various types of maintenance and testing (see section B-2.4.7)).

Unit design differences often exist (see section B-2.4.8).

It will be important to understand the contribution of situational factors such as these to multiunit monitoring and control tasks and operator SA in safety reviews.

In addition, shift turnovers occur two to three times a day when a new crew relieves the old crew. An effective way is needed to convey the status of each unit, ongoing maintenance, and trends in operation from one crew to another.

HFE reviewers should request that applicants justify their proposed multiunit operational strategy (e.g., by simulations). For additional questions to consider in the HFE review of applications involving multiunit operations and teamwork, the reviewer should consult section 2.3 of NUREG/CR-7202.

B-2.3 Staffing, Qualifications, and Training

B-2.3.1 New Tasks and Jobs

Description

Advanced reactor designs and operations may introduce the need for tasks or jobs⁰ that do not have a precedent in LLWRs. Examples include movement of reactor modules in an SMR, monitoring the status of co-located industrial facilities or processes at a reactor facility producing process heat, monitoring parameters important to the management of new hazards, and online refueling.

Implications

In addition to having implications for new HSIs (see, for example, sections B-2.4.4 and B‑2.5.4), the introduction of new jobs will affect personnel staffing, training, and qualification requirements. Reviewers should verify that applicants have identified any new jobs to be performed by personnel making up the minimum staffing complement, their potential impact (e.g., workload, job conflicts) on plant operational safety, and the qualifications and training needed to perform those jobs.

B-2.3.2 New Staffing Positions

Description

As described in section B-2.3.1, advanced reactor ConOps may include staffing positions that are similar to those at LLWRs, or they may find it advantageous to create completely new or modified positions.

Implications

Advanced reactor facilities may employ technologies that enable new concepts of operation. Such technologies include computer-based procedures, automation, and those that enable surveillance and maintenance activities to be performed from a remote workstation rather than at the site of the equipment. The use of such technologies and associated changes in ConOps may include the reallocation of responsibilities and authorities among personnel positions. Such reallocations may cause sufficient changes to redefine personnel positions as they are known in LLWRs. Additionally, certain advanced reactor design characteristics, such as automation, design simplicity, and small source terms may enable the elimination of traditional staff positions (e.g., shift technical advisors).

Staffing and qualifications analyses and training program development should address the creation of new positions and the elimination or redefinition of existing positions. When evaluating the staffing plan, reviewers should consider targeting the creation of new positions or the elimination of positions that introduce uncertainty in the ability of the staff to safely operate the facility. As part of the targeting process, reviewers should also consider information on operations support staffing as required by 10 CFR 53.730(f)(4) for the potential implications that the proposed numbers and responsibilities of support staffing may have on the scope of responsibilities of operators and how, or how well, operators will be able to perform their duties. (Section B-2.3.5 contains additional information.) The reviewer should note that applications proposing the use of GLROs, as defined in 10 CFR 53.725(c), may not include supporting HFE analyses. (Section B-2.3.4 includes further discussion.) For additional questions to consider in the HFE review of applications involving new staffing positions, the reviewer should consult section 2.6 of NUREG/CR-7202.

B-2.3.3 Decentralization of Duties

Description

As described in section B-2.3.2, staffing concepts for advanced reactors may include new positions or the redefinition of traditional positions. These new positions may result from the ability to consolidate functions in one position that were previously distributed across disparate personnel and locations. At the same time, automation and technologies such as hand‑held interfaces for monitoring and control may reduce or eliminate the need for a traditional control room or workstation. Such advances could result in the ability of personnel to roam a facility rather than work from a fixed location.

Implications

Staffing concepts that increase the diversity of the job responsibilities within a position should be assessed for potential challenges (e.g., ability to satisfy credited operator action response times) including the possibility that an individual in the position needs to be in two places at one time or do two jobs concurrently. Staffing assessments should account for the full scope of jobs performed by personnel with responsibility for facility safety, security, and emergency response functions. In addition, when facility design characteristics (e.g., no main control room) cause an increase in the diversity of work locations for a position, staffing analyses should account for the range of work locations and physical distribution of staff that may be required to communicate and coordinate to perform tasks required for safe operation of the facility under normal and off‑normal or emergency conditions.

B-2.3.4 Operator Licensing Options

Description

Applicants for, or holders of, operating licenses or combined licenses under 10 CFR Part 53 may propose the use of GLROs, as defined in 10 CFR 53.725(c), in lieu of specifically licensed operators.

Implications

Applications proposing the use of GLROs might not include supporting HFE analyses as the facility design is required to meet the safety design criteria of 10 CFR 53.800, “Facility licensees for self-reliant-mitigation facilities,” and therefore should not rely on HA for event mitigation. In such instances, the staffing review may be limited to verifying that the design meets the criteria of 10 CFR 53.800 and that individuals in GLRO positions will be able to reliably perform those duties important to the protection of public health and safety (e.g., ensure compliance with applicable technical specifications, make timely notifications to the NRC as required by regulations, and authorize deviations from procedures when this action is immediately needed to protect the public health and safety and no action consistent with license conditions and technical specifications that can provide adequate or equivalent protection is immediately apparent). The staff should consider targeting for review the responsibilities, decision-making authorities, qualification criteria, and training for GLROs to assess whether the GLRO position has been adequately defined and that necessary programmatic support has been identified and will be established.

B-2.3.5 New Plant Staffing Models

Description

A facility “staffing model” addresses the general approaches to fulfilling the organizational functions necessary to operate an NPP, including operations, maintenance, engineering, administration, and security (O’Hara et al., 2008). To meet these responsibilities, utilities employ a combination of onsite staff and offsite personnel. The staffing model chosen is a significant design decision as it drives many other aspects of the plant’s design, including degree of automation, the HSI design, and personnel training.

Implications

LLWR facilities in the United States have been staffed with many onsite personnel organized into functional groups. Shifts of reactor operators licensed by the NRC manage reactor and balance of plant (BOP) systems. Each shift is expected to manage all phases of plant operations including normal (e.g., startup, changing power levels, and shutdown) and off‑normal conditions (e.g., equipment failures, transients, and accidents). In certain emergencies, additional staff are brought in to assist. While day-to-day maintenance is handled by onsite staff, outside organizations often come on site during outages to undertake major maintenance.

Advanced reactor facilities, particularly small non-light-water reactor (non-LWR) facilities are likely to use different staffing models than the models typically used at LLWRs. Designs that are smaller and simpler are likely to require fewer onsite personnel and possibly fewer personnel during refueling and maintenance outages. Refueling outages may be less frequent or unnecessary (e.g., for facilities with online refueling), and these differences will also influence staffing models. It is possible that some staffing models may reduce the number of onsite staff by using a centralized work force that services multiple facilities. The division of responsibility among personnel may also differ from the division of responsibilities observed at LLWRs. Some positions may become more specialized or limited in their scope of responsibility, while others may be a hybrid of traditional positions at LLWRs. Additional factors that can affect the staffing model are whether the reactor has an alternative or secondary mission (e.g., hydrogen production) to electricity production, the shift work and staffing implications of functions that must be performed 24/7, and the associated training demands for these individuals (NRC, 2010).

Staffing models that support crew flexibility in managing off-normal situations, such as the ability to transfer responsibilities for reactors in off-normal states to a person or team specialized in dealing with them, may be part of the ConOps for certain advanced reactors, such as SMRs.

After defining personnel responsibilities for a particular reactor design, the associated tasks should be assigned to specific staff positions for both normal operations and off-normal or emergency conditions. Depending on the use of automation, these tasks may include the monitoring and control of multiple individual units, shared systems, reactor transfer, online refueling, new missions, and monitoring and backing up the automation. Applicants will have to determine the allocations of operator roles that best support overall system performance and safety and consider the impact on teamwork (e.g., on the peer-checking process).

SECY‑20-0093 points out that while the NRC has developed guidance (e.g., NUREG-1791, “Guidance for Assessing Exemption Requests from the Nuclear Power Plant Licensed Operator Staffing Requirements Specified in 10 CFR 50.54(m),” issued July 2005 (NRC, 2005)) for reviewing staffing exemption requests, the guidance pertains to control room staffing. In addition, the process described in NUREG-1791 is based on the assumption that an applicant has an HFE program that can provide the necessary supporting analyses. When reviewing applications that propose staffing models that differ from those of LLWRs, reviewers should consider whether the guidance of NUREG-1791 would be sufficient and whether the necessary HFE analyses by the applicant would be available.

The staff has drafted DRO-ISG-2023-02 to provide a flexible review process and a set of systematic methods to evaluate the range of staffing plans that may be submitted under 10 CFR Part 53. These methods focus on the development and validation of staffing plans for personnel who are responsible for the safe operation of a nuclear power facility, regardless of the location at which they perform their tasks. The review process relies on the following HFE activities and products: (1) a ConOps document, (2) operating experience, (3) functional requirements and function allocation, (4) task analysis, (5) job definition, and (6) staffing plan validation.

Staffing plan validation includes methods such as tabletop analysis, simulator studies, and human performance modeling. The staff should review the staffing plan and supporting analyses to verify that the applicant has followed a systematic process to determine the number of qualified personnel necessary to operate the plant safely under the operational conditions analyzed. The staff should also review the staffing plan validation results and evaluate whether the results support the applicant’s proposed minimum staffing level. For additional questions to consider in the HFE review of applications involving new plant staffing models, the reviewer should consult section 2.7 of NUREG/CR-7202.

B-2.3.6 Staffing Levels

Description

For licenses issued under 10 CFR Part 50 or 10 CFR Part 52, “Licenses, Certifications, and Approvals for Nuclear Power Plants,” 10 CFR 50.54(m) governs the minimum onsite staffing levels for licensed operators. Applications for an operating license or combined license under 10 CFR Part 53 are required to develop, implement, and maintain a staffing plan in accordance with 10 CFR 53.730(f). The staffing plan may propose staffing levels below those specified in 10 CFR 50.54(m).

Implications

The control room staffing requirements under 10 CFR 50.54(m) are appropriate for the size, complexity, and ConOps of LLWR facilities. Advanced reactor characteristics supporting smaller control room crews include smaller reactor size, simplicity of design, higher degree of automation, modern HSIs, and slower plant response to transients. Such design attributes tend to result in fewer operator actions being credited for maintaining plant safety and more time for such operator actions to be completed. Advanced reactor designs are not uniform with respect to these and other characteristics important to the determination of adequate staffing levels. The staffing levels needed to safely and reliably monitor and control all reactor units operated by a crew for a given design should be determined and reviewed. These reviews may need to address new staff positions (see section B-2.3.2) and new plant staffing models (see section B‑2.3.5).

As noted above, staffing levels are identified in 10 CFR 50.54(m). Hence, for 10 CFR Part 50 applicants or licensees, an exemption is needed to deviate from the minimum established levels. NUREG‑1791 provides guidance for reviewing staffing exemptions. Reviewers should note that after the publication of NUREG-1791, NUREG-0711 was revised and additional research concerning human performance at advanced reactors was published (e.g., NUREG/CR-7202).

For applications submitted under 10 CFR Part 53 that propose the use of specifically licensed operators, the staffing plan must describe how the staffing will be sufficient to ensure that plant safety functions can be maintained. The description must be supported by HFE analysis and assessments. To guide reviews of licensed operator staffing plans, the staff has developed DRO-ISG-2023-02. The objective of the staff’s review using the ISG is to determine whether the staffing plan provides assurance that plant safety functions can be maintained. Section B‑2.3.4 relates to applications submitted under 10 CFR Part 53 that propose the use of GLROs. For additional questions to consider in the HFE review of applications involving staffing levels, the reviewer should consult section 2.8 of NUREG/CR-7202.

B-2.3.7 Alternative Training Methods and Programs

Description

Applicants may seek accreditation of their training programs from the National Academy of Nuclear Training. This process has historically been considered to represent one acceptable means of meeting specific training-related regulatory requirements. However, in the absence of such training program accreditation on the part of the applicant, the NRC staff would need to perform reviews and inspections of these training programs to directly determine whether the programs conform with the applicable regulatory requirements. Importantly, regulations require training programs to apply a systems approach to training (SAT).

Implications

Applications proposing the use of nonaccredited training programs for required facility personnel should be reviewed for acceptability. A key consideration in determining acceptability is the applicant’s ability to demonstrate that SAT-based training can be implemented effectively for the required training programs.

B-2.4 Management of Normal Operations

Some aspects of normal operations with human performance implications may be present in either advanced single‑unit designs or multiunit designs operated from a common control room (e.g., modular advanced reactor designs). Other normal operations considerations are uniquely associated with multiunit designs operated from a single control room. Aspects of normal operations that may be associated with either single-unit or multiunit common control room (MUCCR) designs include the following:

managing non-LWR processes and reactivity effects
load-following operations
novel refueling methods
HSIs for new plant missions (e.g., steam production, hydrogen)
no traditional control room
remote operations

These aspects of normal operations will be described in further detail first, followed by aspects of normal operations that are uniquely associated with MUCCR designs, which include the following:

different unit states of operation
unit design differences
control systems for shared aspects of multiunit reactor facilities
adding new units while other units are operating
control room configuration and workstation design for multiunit operations and teams
HSI design for multiunit monitoring and control

B-2.4.1 Managing Non-Light‑Water Reactor Processes and Reactivity Effects

Description

Non-LWR designs incorporate the unique systems and features of their processes and may have reactivity effects that differ from LWRs. For example, the presence of lead in the core area of a hydrogen-moderated, self-regulating power module, a lead-cooled fast reactor, will involve reactivity effects different from those in LWRs. It will exhibit little neutron thermalization, it will have lower Doppler effects, the temperature coefficient of reactivity will be less negative, and the neutron lifetime will be shorter. These features all quicken the dynamics of core power and transient operations. The operators’ control of both reactivity effects and overall reactor safety depends on their understanding of these effects.

Implications

To understand these differences, operators familiar only with LWRs, but transitioning to non‑LWR plants, will need special training both in the classroom and on simulators. In addition, the design of the HSI and procedures should particularly aim to support operator performance. For additional questions to consider in the HFE review of applications involving non‑LWR processes and reactivity effects, the reviewer should consult section 2.13 of NUREG/CR‑7202.

B-2.4.2 Load-Following Operations

Description

Current NPPs typically operate at 100 percent power and provide a base load to the utility’s electrical distribution system (i.e., the plants produce electricity for the grid, and other producers of electricity compensate for changes in demand). Load-following is an operating procedure that matches the power output generated by the NPP to the varying load demanded by the distribution system. It involves more transients, so the plant can increase or decrease both reactor and turbine power in response to the external demand. In turn, this requires more actions from operators and increased monitoring of the response of the automatic systems. In addition, for a multiunit site, load-following may involve the startup and shutdown of units to meet large changes in load demand. Hence, there is more opportunity for equipment failures and operator errors.

Implications

There are two general approaches to load-following:

Method A—A load dispatcher contacts the NPP’s shift supervisor for all changes.

Method B—A load dispatcher dials in the requested change, and the NPP automatically responds, while the load dispatcher and licensed reactor operator or senior reactor operator monitor for the proper response. The reactor operator or senior reactor operator monitor is responsible for intervening if an unsafe condition is expected or detected.

Each of the two approaches has its own issues. Method A creates greater workload and more distractions for the operators. While manual control of a single unit is well within an operator’s capability, simultaneously controlling several may be much more difficult and lead to errors.

Method B permits a person not trained in NPP systems and not licensed to change reactivity and power level in the reactor to do so. Under 10 CFR Part 50 and 10 CFR Part 52 the NRC has not permitted plants to be operated by an automatic load-following scheme or for nonlicensed personnel to change reactivity. Under 10 CFR 53.740(f), load-following is permitted under conditions specified by regulation to ensure the capability to refuse demands from the grid operator when they could challenge the safe operation of the plant or when precluded by the plant equipment conditions. For ConOps that include load-following, designers will need to define the operator tasks needed to properly manage load-following operations and to provide HSIs, procedures, and training to support them. For additional questions to consider in the HFE review of applications involving load-following operations, the reviewer should consult section 2.14 of NUREG/CR-7202.

B-2.4.3 Novel Refueling Methods

Description

Several designs allow for refueling the reactor on line or continuously. While there is international experience with such refueling operations, it will be a new practice in the United States. Further, in some circumstances, specific approaches to refueling will be novel (O’Hara et al., 2012). The effects of such novel approaches on human performance and plant safety need to be assessed.

Implications

Vendors will have to define the methods for refueling reactors and assess their impacts on operator performance, particularly for operators with concurrent responsibilities for other operating units.

Additional considerations will include the need for associated HSIs, procedures, and training. For additional questions to consider in the HFE review of applications involving novel refueling methods, the reviewer should consult section 2.15 of NUREG/CR-7202.

B-2.4.4 Human-System Interfaces for New Plant Missions

Description

The ConOps for advanced reactors may include new missions, such as hydrogen production, or the industrial use of steam, that must be managed in conjunction with reactor safety.

Implications

Management of new plant missions will create a need for HSIs for their monitoring and control. How vendors integrate these HSIs into a design and their operation in the ConOps could have important implications for operator performance. The guidance in NUREG-0700 can likely support the review of the new HSIs, but the interplay between these new missions and reactor safety functions should be addressed in the functional analysis and function allocation, and the implications for operator training, workload, and SA should be assessed. See also section B‑2.1.1. For additional questions to consider in the HFE review of applications involving HSIs for new plant missions, the reviewer should consult section 2.18 of NUREG/CR‑7202.

B-2.4.5 No Traditional Control Room

Description

Small advanced reactor designs may have few or no safety-related HAs and may propose facility designs that do not include a traditional control room.

Implications

For applications submitted under 10 CFR Part 50 or 10 CFR Part 52, NRC regulations require applicants to provide, for Commission review, a control room design that reflects state‑of‑the‑art human factors principles. Applications submitted under these regulatory frameworks would require an exemption from 10 CFR 50.34(f)(2)(iii) if they do not include a control room in the facility design. For applications submitted under 10 CFR Part 53, the regulation in 10 CFR 53.730, “Defining, fulfilling, and maintaining the role of personnel in ensuring safe operations,” states the requirements for human factors engineering (10 CFR 53.730(a)) and HSIs (10 CFR 53.730(b)). These requirements do not presume or stipulate that the facility design incorporate a main control room. The HSIs required under 10 CFR 53.730(b) can presumably be provided elsewhere (e.g., at local or remote control stations). However, 10 CFR 53.730(a) requires that the facility design must reflect state-of-the-art human factors principles for safe and reliable performance in all locations where HAs are expected for performing or supporting the continued availability of plant safety or emergency response functions. For applications that do not propose a traditional (i.e., centralized) control room, then the reviewer should consider targeting this characteristic of the design and its implications for safe operation of the facility.

The NRC review of applicant submittals without control rooms is not unprecedented. NUREG‑1567, “Standard Review Plan for Spent Fuel Dry Storage Facilities,” issued March 2000 (NRC, 2000), and NUREG‑2215, “Standard Review Plan for Spent Fuel Dry Storage Systems and Facilities,” issued April 2020 (NRC, 2020c), indicate that the NRC has accepted omission of a control room for independent spent fuel storage installation operations that have not involved use of a powered cooling system for material in storage. The NRC has required applicants to provide a justification for control room exclusion. Justifications could include the following:

a description of functions and procedures that provide for performance without the need for a centralized control room
the acceptability of accident and off-normal event or condition analyses that show acceptable levels of maximum response and safety without use of a control room
the use of passive safety features or inherent safety characteristics to avoid damage and provide mitigation

The technical basis for a determination that a control room is not necessary should address the HAs (tasks), HSIs, and training for performing or supporting the continued availability of plant safety functions. Additional functions to consider include those required by regulation because of their importance to the reasonable assurance of public health and safety (e.g., ensuring compliance with the applicable technical specifications, making timely required notifications to NRC). Accordingly, the analysis should also consider workload, communication, and timing requirements.

If an applicant’s submittal does not include a control room, the range of alternatives that might be proposed is broad and could include design solutions such as the following:

simplified HSIs providing limited displays and controls, like local control stations in current plants

portable, and possibly wearable, HSIs that are not tied to a specific location in the plant but are taken by personnel to a location where they are needed (NEI, 2019)

HSIs located at a site remote from the facility (this design option is discussed under “Remote Operations” in section B-2.4.6)

Applicants will have to provide the technical basis for the approach to HSI design proposed in their application.

B-2.4.6 Remote Operations

Description

The ConOps for some small, advanced reactors may include the use of remote operations. At a general level, “remote operations” refers to controlling the operation of plant systems from a location outside the site boundary. The capability to control plant systems engenders additional considerations beyond those of remote monitoring. These additional considerations include whether the control capability includes the capability to control reactivity, and if so, whether that control is direct (i.e., through the manipulation of plant controls) or indirect (i.e., through the control of other plant systems).

Implications

Remote operation of NPP systems is addressed in 10 CFR Part 53 only to the extent that remote control of reactivity would be permitted subject to the requirements of 10 CFR 53.740(f)(1) pertaining to load following (section B-2.4.2 discusses load-following operations). This requirement would limit the use of load-following to circumstances in which one of the following actions can immediately refuse demands from the grid operator when they could challenge the safe operation of the plant or when precluded by the plant equipment conditions: (i) the actuation of an automatic protection system, or (ii) an automated control system, or (iii) an individual who is a licensed operator, senior reactor operator, or GLRO pursuant to this part. Given that the function of rejecting unsafe load demands may be allocated to either automation or a human operator, the design decision will have implications for HSIs, staffing, and operator workload.

Remote control of reactivity in the form of load-following will have implications for the HSIs necessary to support determinations of whether a load demand would be safe or should be refused, including the status and functioning of systems required to preclude unsafe responses to load demands. The definition of load-following in 10 CFR 53.725(c) (i.e., “Load following means a commercial nuclear plant automatically changing its output to match expected demand in response to externally originated instructions or signals”) does not address whether externally generated instructions or signals are for the direct control of reactivity or control other plant systems that indirectly affect reactivity. Decisions on whether load-following is accomplished by direct or indirect means would also likely have implications for the HSIs that will be needed to support safe operations.

Remote control of reactivity will affect the location of HSIs for controlling a nuclear facility and the type of functionality provided. A decision for remote operations may be related to a decision for a design to not include a traditional control room (see section B-2.4.5). In such cases, the decision for remote operations would likely be informed by the analysis supporting the decision to not include a traditional control room as part of the onsite facility design.

Remote control of reactivity may also be associated with a ConOps in which a reactor is controlled from an offsite control center (potentially a regional center) from which multiple reactor facilities are controlled. One paradigm within this broader remote operations ConOps would be remote monitoring of a facility that is controlled by onsite automation with an independent capability to shut down the reactor facility from a remote operations center. Control of a reactor facility from an offsite control center has not been permitted for facilities licensed under 10 CFR Part 50 or 10 CFR Part 52. As a result, there is currently no operating experience in the United States with remote operation of a commercial nuclear power facility.

Autonomy is a type of operation that is often conflated with remote operations, in that there may be a presumption that a remotely operated reactor would also be autonomous. “Autonomous operations,” as discussed in section B-2.2.2, means the reactor does not require human intervention for most normal and safety operations. Although it is possible that a design can be both autonomous and operated remotely, to operate a reactor remotely does not imply that the reactor is autonomous. The reactor and plant may need full-time monitoring and control yet still be operated remotely. For reactor ConOps proposals that include autonomous operations, they are still likely to need some infrequent HAs, possibly to be handled from a remote control center. However, as noted above, 10 CFR Part 53 addresses remote operation only to the extent that remote control of apparatus and mechanisms that indirectly affect the reactivity or power level of a reactor (e.g., changes in plant electrical output) may be permitted subject to the requirements of 10 CFR 53.740. Other matters concerning remote operation would likely necessitate exemptions from applicable 10 CFR Part 53 requirements.

Remote operations can be expected to have implications for the HFE aspects of instrumentation and control (I&C) and HSIs. For example, at facilities where the control room is co-located with the reactor and plant, operators receive sensory feedback (e.g., auditory, olfactory, haptic) from the sounds, smells, and vibrations of the plant produced during certain system operations (e.g., turbine trip, opening of a safety relief valve). This feedback augments that obtained through the facility I&C to provide informal validation of information about the plant state, as represented through the I&C. This sensory feedback can also indicate potential I&C failure, degradation, or corruption when there is a mismatch between the representation of the plant state through the I&C and the operators’ direct sensing of system operations. The absence of such sensory information may cause new operational challenges unless appropriate HSIs are developed to support the operators.

An additional consideration for remote operations is whether the facility would be staffed with personnel who would be capable of augmenting the facility I&C by making field observations to verify available indications, provide observations or measurements in the absence of facility I&C, and take actions when the capability for remote operation was not provided or has been lost.

Designers will need to consider and address whether remote control rooms will require new or different HSIs from a control room located on site. As part of this, designers should consider what HAs and associated HSIs would be needed for monitoring and control of the interfacing systems, such as BOP systems and those of other missions such as generation of industrial heat. Although the NRC has begun to research the fundamental principles that should guide the design and acceptance of a remotely operated NPP (NRC, 2021a), at present, HFE guidance for remote NPP operations has not been developed. As a result, HFE review of remote operations would entail reviewers identifying HFE guidance developed for remote operations of other types of facilities (e.g., deep sea oil and gas drilling platforms, satellite control centers) and using significant engineering judgment to assess the applicability and suitability of such guidance for the review of remote NPP operations.

Sections B-2.4.7–B-2.4.9 address aspects of normal operations that are uniquely associated with MUCCR designs, such as those envisioned for some SMR designs. Note that these considerations may apply whether the control facility is on site or remote.

B-2.4.7 Different Unit States of Operation

Description

Individual reactor units of an MUCCR facility may be in different operating conditions (e.g., different power levels or different states, such as shutdown, startup, transients, accidents, refueling, and various types of maintenance and testing). Depending on the staffing model used and the assignments of units to individual operators, these differences can affect operator workload and SA.

Implications

An MUCCR ConOps should address how the crew will manage units in different states (e.g., will one operator continue to monitor multiple units in different states, or will units in states other than steady state operations be transferred to a different operator or crew). The ability of operators and crews to maintain SA of units in different states and to act appropriately as different states arise for each unit should be validated, based on unit state and the ability of operators to respond to off‑normal conditions. For additional questions to consider in the HFE review of applications involving multiple units in different states of operation, the reviewer should consult section 2.9 of NUREG/CR-7202.

B-2.4.8 Unit Design Differences

Description

As units are added to a multiunit facility over time, as envisioned for SMRs, differences among the units may be introduced because of the evolution of the design or modification of existing units to improve reliability, lower cost, or deal with obsolescence issues. There may be differences between the individual units at a given site, between units at different sites, or both.

Implications

Such differences can have both positive and negative effects on human performance. In some instances, differences can aid monitoring by helping operators to distinguish between the units, but differences can also complicate operations and make situational assessment and response planning more difficult. For example, if the disparities in the units lead to a different interpretation of their status based on parameter displays, it may impair the operator’s recognition of performance that deviates from what it should be. Further, if these unit differences lead to the need for different responses, then they may compromise the operator’s response. For example, an operator’s response to a disturbance in Unit 2 may be appropriate to Unit 1 but inappropriate to Unit 2. This issue may also affect the review of procedures and HSIs.

The review should consider how these differences are depicted in control room HSIs. NUREG‑0700 lacks guidance on this issue. Depicting differences with no impact on the operator’s performance could needlessly complicate displays, and failing to depict those that do impact operator performance may lead to difficulty in situation assessment and operator error. The review should also consider how the applicant has addressed unit differences in procedures and training. For example, are the procedures common for all units with the differences noted in the appropriate places, or are the procedures separate and different for each unit? Operators should be thoroughly trained in recognizing the differences between units. For additional questions to consider in the HFE review of applications involving multiple units in different states of operation, the reviewer should consult section 2.10 of NUREG/CR‑7202.

B-2.4.9 Control Systems for Shared Aspects of Multiunit Reactor Facilities

Description

Advanced multiunit reactor facilities may employ control systems that manage multiple units in an integrated fashion. This could include systems that the units share, such as those for circulating water, for the ultimate heat sink for removing decay heat, and systems for instrument air, service-water cooling, and alternating and direct current electric power. It may also include common control of systems that are similar but not shared between units, such as BOP systems.

Implications

The integrated control of multiple reactors and their shared systems can be an operational and I&C challenge. The challenge to operators lies in monitoring such a control system to confirm that individual units and shared systems are performing properly and that there are not degradations of the I&C system.

There are several additional challenges. The first is that SMR scalability can make multiunit operations even more complex as new units are added to the control system. NUREG/CR‑6812, “Emerging Technologies in Instrumentation and Controls,” issued March 2003 (Wood et al., 2003), noted that “…this may result in a control room that is less optimal for human factors at all levels than would otherwise be possible if all the modules simultaneously completed construction” (p. 59).

The second challenge is that SMRs may serve multiple missions. That is, systems must be flexibly reconfigured to meet electricity production and other objectives, such as hydrogen production. Designing operational practices and control rooms to effectively support operators is an important issue to address in the design and licensing of multiunit SMRs.

The HFE implications of this characteristic pertain mainly to HSI design. While NUREG‑0700 offers guidance on controls, it does not consider how multiunit and shared system controls should be implemented at operator’s workstations. Another question, from an HSI design perspective, is how to address controls for shared systems when different operators at different workstations monitor the units sharing those systems or how to handle errors that may occur when responsibilities are transferred. There may also be increased opportunities for wrong‑unit/wrong-train types of errors that need resolution and increased human and system dependency considerations.

Additional implications are the outcomes of degradation of the control system on the operator’s detection of malfunctions and SA of the status of units and shared systems. The different ways that a plant may select to implement procedures for each unit may, in turn, impact the HSI design, particularly if the choice is separate procedures for each unit. For additional questions to consider in the HFE review of applications involving the control of shared systems at multiunit reactor facilities, the reviewer should consult section 2.11 of NUREG/CR-7202.

B-2.4.10 Adding New Units While Other Units Are Operating

Description

MUCCR facilities (e.g., SMRs) may propose to add units while existing units remain at power.

Implications

If construction activities on subsequent units cannot be completely separated from operating units, they might distract operators. Even if separated, there likely will be mechanical and I&C tie‑in activities that could cause trips or other operational problems for the operating units. This may be a particular issue in designing the workstation and HSI displays that will be used to monitor and control existing operating units and the new ones under construction.

The application should address the operational impact of adding new units on a site with existing units and whether or how workstations would be added to a control room to accommodate new units. The practice for LLWRs has been to erect a wall between the operating control room and the control room being built. The wall controls access to the new unit and limits noise, fumes, dust, the potential for construction-related fires, and electromagnetic interference from radios, along with other construction work and tests. The shared or common systems typically are included in the operating control room’s boundaries. For additional questions to consider in the HFE review of applications involving the addition of new units while other units are operating at a multiunit reactor facility, the reviewer should consult section 2.12 of NUREG/CR-7202.

B-2.4.11 Control Room Configuration and Workstation Design for Multiunit Operations and Teams

Description

An applicant may propose a single control room to support operations encompassing multiple reactors (e.g., a single person may be responsible for a reactor and its secondary systems for multiple units).

Implications

Operating more than two units from a single control room is a new practice for which there is limited operating experience. Such ConOps have implications for workstation and control room configuration and operator performance, including SA and teamwork. Allocation of the crew’s responsibilities will be a key consideration. Multiunit modular designs may need to accommodate new tasks, such as moving reactors for refueling, as well as new missions, such as hydrogen production.

Another consideration is whether situational factors associated with a single unit, such as alarms and using emergency procedures, may impact the operators monitoring other units. However, accommodating operational staff in one room allows them to help each other more easily and facilitates supervision. If individual unit control stations are in separate control rooms, overall supervision, teamwork, and the transitions needed in high workload situations may be more difficult to manage.

Sections B-2.2.3 and B-2.4.12 also discuss HFE implications of multiunit operations. For additional questions to consider in the HFE review of applications involving control room configuration and workstation design for multiunit teams, the reviewer should consult section 2.16 of NUREG/CR‑7202.

B-2.4.12 Human-Systems Interface Design for Multiunit Monitoring and Control

Description

Facility designs and ConOps that use a single operator to manage one or more units present an HSI design challenge as the design may need to support the ability to monitor the overall status of the unit(s), as well as easy retrieval of detailed information on an individual unit.

Implications

Designs that rely on single operator control of one or more reactor units should address the associated challenge of ensuring that the HSIs and ConOps support maintenance of operator SA. If the unit HSIs are separated, and an operator is focusing on one of them, awareness of the status of the other units may be lost. If the information is integrated, it might be a challenge to ensure that operators do not confuse information about one unit with that about the others.

Alarm design is especially important in MUCCR designs to ensure that operators are aware of important disturbances, thereby minimizing the effects of change blindness and unit neglect.

MUCCR personnel may also need more advanced I&C and HSI capabilities than currently used to support their tasks. For example, systems that provide diagnostics and prognostics support for monitoring and situation assessment activities may be needed. How personnel manage and understand these capabilities is an important factor in overall personnel performance.

The ConOps for multiunit monitoring might employ crews of operators and the allocation of responsibilities among crew members might be dynamic, based on unit states or other conditions that vary. As a result, the organization of information in supporting teamwork in MUCCR facilities is another important HSI design consideration (e.g., deciding what information crew members need to have access to individually, and as a crew, to promote teamwork). If the allocation of operator responsibilities is dynamic, the design should address the HSIs needed for shifting control for one unit or function from one operator to another.

Sections B-2.2.3 and B‑2.4.11 also discuss the HFE implications of multiunit designs for teamwork, control room configuration and workstation design. For additional questions to consider in the HFE review of applications involving HSI design for multiunit monitoring and control, the reviewer should consult section 2.17 of NUREG/CR‑7202.

B-2.5 Management of Off-Normal Conditions and Emergencies

As with normal operations, there are off-normal operations that may present human performance considerations in either advanced single-unit designs or multiunit designs operated from a common control (e.g., modular advanced reactor designs). Other off-normal operations issues are uniquely associated with multiunit designs operated from a common control room. Off‑normal operations considerations for both single-unit or MUCCR designs include the following:

inherent safety characteristics
passive safety systems
new safety functions
new hazards

These issues will be described in further detail first, followed by human performance issues uniquely associated with off-normal operations of MUCCR designs. These include the following:

common control room for multiple units
multiple units with shared systems—potential impacts of unplanned shutdowns or degraded conditions handling off-normal conditions at multiple units
one operator or crew managing multiple reactors—emergency operating procedures (EOPs) for multiunit disturbances
one operator or crew managing multiple reactors—identification of risk-important HAs

B-2.5.1 Inherent Safety Characteristics

Description

“Inherent safety” refers to the achievement of safety by eliminating inherent hazards through the fundamental conceptual design choices made for the nuclear plant (IAEA, 1991).

Implications

Potential NPP hazards include factors such as radioactive fission products and their associated decay heat, excess reactivity and its associated potential for power excursions, and energy releases due to high temperatures, high pressures, and energetic chemical reactions. When a hazard is eliminated by design, the plant is inherently safe with respect to that hazard. The hazard cannot become a safety concern in any way through internal or external events (Bochkarev et al., 2017). For example, a plant in which no combustible materials are used would be inherently safe against fire, regardless of whatever else happened during an accident. An inherent safety characteristic is not subject to failure of any kind; thus, it is absolutely reliable. Since the inherently safe function is not subject to failure, no HAs are needed to ensure its availability, participate in its execution, or back it up. The HFE reviewer should note, however, that although the use of inherent safety characteristics in a nuclear plant design may eliminate the need for HA relative to the mitigation of a particular hazard, the reviewer will need to be mindful as to which hazards are addressed through inherent safety characteristics as other hazards may be addressed through other means. In addition, despite the use of inherent safety characteristics, it is possible that HAs may be credited in analyses for purposes of DID.

“Risk-Informed and Performance-Based Human‑System Considerations for Advanced Reactors” (NRC, 2021b), issued March 2021, discusses DID in advanced reactors, as shown in the following excerpt:

In RG 1.233, the NRC staff endorsed the principles and methodology described in Nuclear Energy Institute (NEI) 18-04, Revision 1, “Risk-Informed Performance‑Based Guidance for Non-Light Water Reactor Licensing Basis Development” as an acceptable means of informing the licensing basis of non‑LWRs. This RG outlines that “[d]efense-in-depth, or the use of multiple independent but complementary methods for protecting the public from potential harm from nuclear reactor operation, is an important part of the design, licensing, and operation of nuclear power plants (NRC, 2020b, p. 18).

NEI 18-04 provides a set of guidelines for establishing the adequacy of overall DID capabilities at non-LWR plants. These guidelines express DID in the form of layers according to the following progression:

1. Prevent off-normal operation and AOOs [Anticipated Operational Occurrences]

2. Control abnormal operation, detect failures, and prevent DBEs [Design-Basis Event]

3. Control DBEs within the analyzed design-basis conditions and prevent BDBEs [Beyond-Design-Basis Event]

4. Control severe plant conditions and mitigate consequences of BDBEs

5. Deploy adequate off-site protective actions and prevent adverse impact on public health and safety (p. 61).

In outlining this layered approach to DID, NEI 18-04 also reinforced the principle that, from a qualitative standpoint, “no single design or operational feature, no matter how robust, is exclusively relied upon to satisfy the five layers of defense” (p. 61). Going further, NEI also clarified that the no single design or operational feature criterion is noted within this context to imply “no excessive reliance on programmatic activities or human actions and that at least two independent means are provided to meet this objective.”

Given this approach to DID and the hazard-specific nature of inherent safety characteristics, applications that use inherent safety characteristics may still include important HAs.

B-2.5.2 Passive Safety Systems

Description

In response to transients and accidents, some advanced reactors employ passive safety systems that depend on physical processes (e.g., convection, gravity) rather than active components, such as pumps. For example, if an excessively high temperature is reached, the temperature gradient increases natural circulation and cooling. Other passive technologies include heat pipes and elevated gravity drain tanks (IAEA, 2009). Some passive systems use one or two valves to initiate the process.

Implications

The IAEA raised concerns about passive systems based on the limited experience with reactor designs using such systems (IAEA, 2009):

The reliability of passive safety systems may not be understood as well as that of active ones.
There may be undesired interaction between active and passive safety systems.
It may be difficult to “turn off” an activated passive safety system after it was passively activated.
Incorporating passive safety features and systems into advanced reactor designs to achieve targeted safety goals must be proven as effective.

Passive safety systems depend on physical processes that are not as amenable to routine testing as are active ones (e.g., there are no components to easily test, or no pumps to start). Additionally, operating passive systems with valves would not fully test the process in the absence of the physical condition that initiates it. Thus, operators may not become as familiar with their use as they are with current generation active systems, nor will they know from operational experience how to verify the system’s proper automatic initiation and operation in a real event. For example, there may not be the same observable initiation signals to start systems. Flow rates and temperatures typically are much lower and perhaps not as easily verified.

Operational aspects of monitoring and verifying the success of passive systems should be defined, along with any operator actions needed to initiate or back them up if they fail to operate as designed. Active safety systems should be tested periodically, thereby giving operators the opportunity to become familiar with them. However, there may not be an equivalent opportunity with passive safety systems. In addition, verification of system alignments and examinations of passive system condition may be of greater significance, as periodic operational tests may not be possible. Thus, greater reliance on simulators may be needed to ensure that the operators are familiar with and trained on passive safety systems.

Procedures should be written to specify the operator’s actions for monitoring, backing up, and securing passive systems, and the NRC’s guidance must be updated to address them. Additionally, the control room verification and validation program should address these aspects of operator interaction with passive systems. Another implication is that verification of system alignments and examinations of passive system condition may be of greater significance as periodic operational tests may not be possible. For additional questions to consider in the HFE review of applications involving passive safety systems, the reviewer should consult section 2.24 of NUREG/CR-7202.

B-2.5.3 New Safety Functions

Description

Advanced reactor designs using non-LWR technology, such as high‑temperature gas-cooled reactors and liquid metal-cooled reactors, may demand safety functions that differ from those of LWRs.

Implications

One action taken by the NRC after the accident at the Three Mile Island NPP was to improve the operating crews’ ability to monitor critical safety functions by requiring each plant to install a safety parameter display system (SPDS) through 10 CFR 50.34(f)(2)(iv). The NRC also published guidance on the characteristics of SPDS in NUREG-0835, “Human Factors Acceptance Criteria for the Safety Parameter Display System,” issued October 1981 (NRC, 1981); NUREG‑1342, “A Status Report Regarding Industry Implementation of Safety Parameter Display Systems,” issued April 1989 (NRC, 1989); and NUREG‑0737, “Clarification of TMI Action Plan Requirements,” Supplement 1, issued January 1983 (NRC, 1983). The HFE aspects of the NRC’s SPDS guidance were integrated into NUREG-0700, section 5.

The specific safety functions and parameters identified in the SPDS documents cited above are based on conventional LWRs. However, designs using non-LWR technology, such as high‑temperature gas-cooled reactors and liquid metal reactors, may demand different safety functions and the monitoring of different parameters to effectively maintain the plant’s safety. This was partly addressed in the Revision 3 update to NUREG-0700, which modified the treatment of SPDS functions to make the review guidance technology neutral. Applications involving new safety functions should have analyses (e.g., task analyses) and HFE products (e.g., HSIs) that support monitoring of the new safety function(s). For additional questions to consider in the HFE review of applications involving the monitoring of new safety functions, the reviewer should consult section 2.19 of NUREG/CR-7202.

B-2.5.4 New Hazards

Description

Many advanced reactor designs are based on non-LWR technology. In contrast to LWR designs, non-LWR technologies potentially involve a different set of hazards to nuclear operations safety. Examples include the following:

Under some circumstances, graphite cores are flammable and could create radiologically hazardous fumes, such as graphite corrosion (due to air or water ingress).

For molten salt reactors—

phenomena that could complicate operations (e.g., freezing, blockage, stagnation of the salt)
tritium production, as lithium salts can produce significant quantities of tritium under irradiation (Grabaskas et al., 2020)

For gas-cooled reactors—corrosion (Lee & Pint, 2021)

For sodium fast reactors—

any reactions between the sodium and air or water that could lead to explosions
corrosion (Romedenne & Pint, 2021)

For fusion reactors—tritium production and storage

For heat pipe reactors—catastrophic failures in which the heat exchanger no longer functions and heat from the heat pipes cannot exchange with the air. Loss of structural integrity of one or more heat pipes can occur through different means. Failure of a single heat pipe could potentially propagate and lead to the failure of multiple heat pipes. Alternatively, failure of multiple heat pipes could occur because of a common-mode failure due to, for example, defects introduced during manufacturing. The heat pipes are embedded within the heat exchanger, so alternate heat removal may not be possible (Clark et al., 2020).

Implications

Applicants will need to address any new hazards related to nuclear safety for NRC review as part of the licensing process. Specifically, for new hazards that have potential consequences for nuclear safety (i.e., are possible initiators of events that challenge safety systems, security, or emergency response, or complicate the response to such events), the reviewer should consider how the applicant proposes to address the following:

the HSIs for monitoring the systems that detect the hazards
the procedures identifying appropriate operator actions
the training for the understanding, monitoring, and overall management of hazards

Reviewers should be aware that existing guidance in NUREG-0711 and NUREG-0700 may not fully address the new hazards of the advanced reactor design under review and that it may be necessary to consult additional sources of guidance. For additional questions to consider in the HFE review of applications involving new hazards, the reviewer should consult section 2.23 of NUREG/CR‑7202.

B-2.5.5 Common Control Room for Multiple Units—Loss of Human-System Interfaces

Description

Advanced reactor designs such as SMRs may propose to operate multiple reactors from a single control room. Failures or conditions affecting HSIs could impact the monitoring and control of multiple reactor units.

Implications

The design of a multimodular SMR control room should address the potential loss of HSIs and the entire control room, considering 10 CFR Part 53 requirements for the capability to shut down the reactor. The reviewer should verify that the applicant’s safety analyses, including probabilistic risk assessment (PRA), where applicable, have addressed the potential loss of control room and HSIs, including the following:

potential loss of the main control room and how to use backup facilities
operator errors at one operator workstation that may affect multiple units rather than just one
potential loss of one operator workstation that impacts multiple units
a sitewide initiating event that likely will impact all units similarly

NUREG-0711 includes guidance concerning analyses and evaluations of degraded I&C and HSI conditions. For additional questions to consider in the HFE review of applications involving the loss of HSIs or the control room in an MUCCR facility, the reviewer should consult section 2.25 of NUREG/CR-7202.

B-2.5.6 Common Control Room for Multiple Units—Handling Off-Normal Conditions

Description

This section addresses situations in which a single operator or crew holds responsibility for operation of multiple units during off-normal conditions.

Implications

The number of reactor units for which an operator or crew is responsible can be a primary determinant of workload, SA, and the potential for operational errors (e.g., correct action implemented on the wrong unit). This is likely to be particularly true for the handling of off‑normal conditions. As with current plants, changes in the crew, including their augmentation, may be needed to handle off-normal situations. Most SMRs propose having operators or crews monitoring and controlling multiple units. With a large number of operating units on a site (e.g., 12), a transient frequency of once per reactor-year becomes once per calendar-month for the site. Addressing such events poses several issues:

With operators controlling multiple reactors, do they need relief if a transient occurs in one of their units? If so, how will it be provided? By on-shift or on-call operators?
Will the designated transient relief be for the site or per unit?
Will this relief consist of an operator or a crew?

In addressing these questions, the reviewer should consider the potential for common‑cause initiating events that could affect multiple or even all onsite units. Examples are loss of offsite power and “external events” such as fire, flood, and earthquakes.

A related question discussed in section B-2.4.11 pertains to the control location(s) where the affected units are managed. Will the affected unit be controlled from the same workstation as unaffected units, or will operations of the affected and unaffected units be segregated?

Monitoring of safety functions is also an important consideration. For applications proposing multiple units, the reviewer should consider how the HSI design enables the quick assessment of individual unit status and how details of units at risk can be quickly determined.

This operational characteristic also has significant implications for staffing of operations and emergency preparedness personnel, since any increase per reactor unit is multiplied by the number of reactors on site.

The discussion in section B-2.5.7 also contains relevant information. For additional questions to consider in the HFE review of applications involving the handling of off-normal conditions at an MUCCR facility, the reviewer should consult section 2.21 of NUREG/CR-7202.

B.2.5.7 Multiple Units with Shared Systems—Potential Impacts of Unplanned Shutdowns or Degraded Conditions

Description

Some multiunit reactor facilities may have designs that include shared systems.

Implications

For multiunit facilities, unplanned shutdowns or degraded conditions in one unit may affect other units, especially those sharing systems. Operators should be able to detect and assess these impacts; therefore, HSIs are needed to support their management of the situation (O’Hara et al., 2019). Clear criteria should signal the conditions under which additional personnel must be brought in. At facilities with a common control room, the ConOps should address whether the affected unit is transferred to another operator or crew. If so, the design of the control room and the HSI must support the effective transfer of the affected unit(s). For an example, see the NuScale SMR concept of operations (NRC, 2016).

Guidance is currently limited on the operator’s tasks, HSIs, procedures, and training essential to successfully manage such situations. For additional questions to consider in the HFE review of applications involving the potential unplanned shutdown or degraded condition at MUCCR facilities, the reviewer should consult section 2.20 of NUREG/CR-7202.

B-2.5.8 One Operator/Crew Managing Multiple Reactors—Emergency Operating Procedures for Multiunit Disturbances

Description

EOPs should address multiunit reactor events.

Implications

The potential for disturbances at multiple units, particularly ones sharing systems, may necessitate developing EOPs that consider strategies for responding to multiunit emergencies from external events, such as loss of grid, earthquakes, high winds, and floods, or from failures of shared systems, such as the ultimate cooling or the switchyard. Responses should be evaluated carefully to account for unit interactions, and procedures should ensure the critical safety functions of each unit. Questions to consider include the following:

Will each unit have independent procedures, or will they be integrated?
How will procedures address differences between units?
Will a set of common procedures apply to all units?
How will the execution of common procedures be managed?

Most new reactor designs have computer-based procedure (CBP) systems to support crews in managing emergency conditions. Their use in managing multiunit emergencies should ensure the operators’ awareness of all units. The procedures likely will have to support use by multiple crew members. CBPs are relatively new operator-support systems in NPPs. The many new demands imposed by multiunit EOPs will entail new functionalities that may warrant review.

For LWRs, the NRC has reviewed the design and content of EOPs and their implementation in CBP applications using the guidance in NUREG-0800, Chapter 13, “Conduct of Operations,” and Chapter 18 “Human Factors Engineering.” This guidance does not address EOPs that cover multiunit disturbances. In addition, NUREG-0700 contains detailed design review guidelines for CBP systems, but the guidance does not address multiunit applications. For additional questions to consider in the HFE review of applications involving EOPs for MUCCR facilities, the reviewer should consult section 2.22 of NUREG/CR-7202.

B-2.5.9 One Operator/Crew Managing Multiple Reactors—Identification of Risk-Important Human Actions

Description

Human reliability analyses for multiunit reactor facilities can present challenges for the identification of important human actions.

Implications

Identification of risk-important human actions (RIHAs) may be more challenging for multiunit operation by a single operator or crew. Even when the units themselves are deemed independent (i.e., no shared systems and the units are separated physically), there is increased potential for dependencies resulting from human error if the same operator monitors them. In addition, such facilities may have new or unfamiliar systems, and thus, analysts may have little or no operating experience to draw on. These challenges may make it harder to accurately identify RIHAs. HFE reviewers should consult with their PRA counterparts on the review team to verify that the applicant has considered the potential interactions between the units in the identification of important HAs.

The discussion in section C-3.2 also contains relevant information. For additional questions to consider in the HFE review of applications involving the identification of important HAs when one crew is managing multiple units for an MUCCR reactor facility, the reviewer should consult section 2.22 of NUREG/CR‑7202.

B-2.6 Management of Maintenance and Modifications

Plant maintenance is very important to plant safety and very dependent on HAs. NUREG‑0711, section 1.2.1, “Purpose of an HFE Safety Review,” states that one of the purposes of the review is to verify that “the applicant provides HFE products (e.g., HSIs) that facilitate the safe, efficient, and reliable performance of operations, maintenance, tests, inspections, and surveillance tasks.” Maintenance is identified in many NUREG-0711 review elements. Perhaps the most important is task analysis.

There are three issues for this aspect of advanced reactor ConOps:

modular construction and component replacement
new maintenance operations

(3) managing novel maintenance hazards

B-2.6.1 Modular Construction and Component Replacement

Description

This section addresses offsite fabrication of reactor modules and components.

Implications

Many SMRs are designed for modular construction and component replacement. Some advanced reactor designs will be fabricated at the factory, transported to the plant site, and assembled there. Previously, plant personnel participated in the onsite construction, component-level testing of installed components, and preoperational testing. Hence, they gained a thorough knowledge of structures, systems, and components. Physics testing may also be conducted at the fabrication facility to reduce the potential need to return a module to the fabrication facility following unsatisfactory testing results at the intended site of operations. Fabricating and testing reactor modules at factories will necessitate changing how personnel obtain knowledge of systems and components that historically was gained (at least partially) via the construction process. These fabrication, testing, and construction methods may also have implications for the conduct of preoperational testing and inspections. For additional questions to consider in the HFE review of applications involving modular construction and component replacement, the reviewer should consult section 2.28 of NUREG/CR-7202.

B-2.6.2 New Maintenance Operations

Description

This section addresses novel maintenance activities.

Implications

Some advanced reactors will necessitate new maintenance operations whose impact on safety must be assessed. For SMRs, these include operations such as disconnecting a reactor and moving it past other operating reactors to a maintenance location. This operation may involve decoupling the reactor from all the electrical and mechanical systems normally used for monitoring and controlling the reactor.

In addition, current practices take on new meaning when applying them to advanced reactors. Current operating practices led to the increase in capacity factors to over 90 percent from about 63 percent several decades ago. These practices include online maintenance. Online maintenance for advanced reactors is likely and may in some instances be more extensive because of the increased durations between refueling.

For multiunit facilities (e.g., SMRs), one outcome of online maintenance is that the operator will be faced with several units, each potentially in a different configuration because of normal maintenance and surveillance. Operators are responsible for safe operation of the plant including establishing and maintaining it in a condition safe for maintenance personnel.

Operators take a system out of service, ensure that it is safely isolated during maintenance, and return it to service. Control of maintenance for multimodule facilities is likely to be challenging, both from a logistical and operator SA perspective, and should be evaluated. Systems are taken out of and returned to service under the direction of the control room, typically through a system of locks and tags that signal to maintenance personnel and others when the component and system cannot be operated. Operators will need accurate situational awareness of each unit’s status. Displays may be necessary to show the important differences in the configurations of the units they are monitoring and the acceptable operations.

For additional questions to consider in the HFE review of applications involving new maintenance operations, the reviewer should consult section 2.29 of NUREG/CR‑7202.

B-2.6.3 Managing Novel Maintenance Hazards

Description

Advanced reactors may present unique hazards during maintenance operations.

Implications

Advanced reactors may present unique hazards that may challenge the ability of personnel to perform maintenance activities necessary for maintaining plant operational safety. NUREG‑7126, section 3.4, identified the following examples (O’Hara et al., 2012):

The International Reactor Innovative and Secure (IRIS) design has eight in-vessel reactor coolant pumps. Pump seals are replaced in-vessel, likely considered as a confined space, with work on contaminated and activated components that are person‑rem intensive. This arrangement may increase the difficulty of maintenance and create the potential for delays in needed maintenance, errors in completing the work, and higher exposures to the workers.

IRIS’s in-vessel electrical wiring, such as to the reactor coolant pumps and internal control rods, may demand specially qualified staff, periodic testing for enhanced aging, or both, because it will be operating in a very harsh radiation environment.

The operations and the maintenance staffs of the Gas Turbine Modular Helium Reactor (GT-MHR) and the Pebble Bed Modular Reactor (PBMR) need extensive training on the hazards of helium leaks and their detection.
Sodium is the primary coolant in the 4S and Power Reactor Innovative Small Modular (PRISM) designs. Accordingly, maintenance of the two external steam generators is hazardous and will entail specific training because operators must wear specialized personal protective equipment and work in an inert atmosphere.
Lead/bismuth is the primary coolant in the Hydrogen-Moderated Self-Regulating Power Module, so working on the external steam generators may be hazardous, requiring specialized training and the use of particular personal protective equipment. This issue can most likely be addressed by industry research and vendors’ HFE programs evaluating maintenance design and planning.

New maintenance practices should be analyzed to understand the potential risk they may pose to plant operational safety. For additional questions to consider in the HFE review of applications involving the management of novel maintenance hazards, the reviewer should consult section 2.30 of NUREG/CR-7202.

B-2.7 Management of Tests, Inspections, and Surveillances

Description

HAs may have an important role in ensuring the readiness of safety systems and the assurance of plant safety functions through support activities such as conducting tests, calibrations, inspection actions, and surveillances.

Implications

Support activities are important to ensuring the continued availability and functioning of safety systems. For advanced commercial reactors, reduction in the use of active safety systems, simplicity of design, high levels of automation, passive safety systems, and lower accident consequences can shift the human role from the active performance of safety functions to a role in ensuring the readiness of passive and automated safety systems through testing, inspection, and surveillance.

Quality assurance measures should ensure that the safety controls implemented at the plant satisfy the design criteria. Training measures should confirm that the personnel called on to operate or interact with the controls are properly trained. Maintenance and equipment inspection measures should ensure that the engineered controls are reliable and maintained in proper working order. Audits and inspections are conducted to determine whether standard operating procedures are being followed.

In choosing the controls needed to protect against the occurrence of a particular event sequence, both the number and the effectiveness of such controls should be considered. For engineered controls, in addition to their inherent effectiveness, maintenance, calibration, and surveillance measures ensure that the controls are in place and in working order. Note how HAs are needed to provide this assurance. Similarly, for administrative controls, training measures and audit and inspection measures should be tailored to ensure the reliability of each control.

The reviewer should verify that the applicant analyzed the human role in passive and automated safety system readiness by identifying HAs associated with surveillance, testing, calibration, and maintenance activities.

Analyses to Ensure the Readiness of Safety Systems

With the shift in the human role in safety function management, applicants should identify their technical support actions. These can include actions such as performing and verifying system lineups necessary for the performance of safety functions. They may also include maintenance actions, post-maintenance tests, and surveillances required for verifying and maintaining the capabilities of systems supporting facility safety. HAs may be applicable to fully autonomous systems and passive systems to ensure their performance of safety functions. HFE contributes to processes designed to ensure the reliability of these HAs.

Passive Safety Systems

Passive safety systems may depend on physical processes that are not as amenable to routine testing as are active ones (SMR Issue D.5.6, Passive Safety Systems; see O’Hara et al., 2021). There are no components to easily test (e.g., no pumps to start). Operating passive systems with valves would not fully test the process in the absence of the physical condition that initiates it. Thus, operators may not become as familiar using them as they are with current generation active systems, nor know from operational experience how to verify the system’s proper automatic initiation and operation in a real event. For example, there may not be the same observable initiation signals to start systems. Flow rates and temperatures typically are much lower and perhaps not as easily verified.

Operational aspects of monitoring and verifying the success of passive systems should be defined, along with any HAs needed to initiate or back them up should they fail to operate as designed.

Active safety systems are tested periodically, thereby giving operators the opportunity to become familiar with them. However, there may not be an equivalent opportunity with passive safety systems. In addition, verification of system alignments and examinations of passive system condition may be of greater significance as periodic operational tests may not be possible. Thus, higher reliance on simulators may be needed to ensure the operators’ familiarity with, and training on, passive safety systems.

Procedures need to be written to specify the HAs necessary for monitoring, backing up, and securing passive systems. Another implication is that verification of system alignments and examinations of passive system condition may be of greater significance as periodic operational tests may not be possible.

In summary, many small, advanced reactors are designed to use passive safety systems that will rely on few if any active components (such as valves). There are several categories of passive systems (IAEA, 1991). The categories differ with respect to which passive system they rely on to accomplish their functions.

The degree to which passive systems may rely on HAs is a function of their performance and reliability. However, there are technical issues that make it difficult to determine their performance and reliability. A passive system may depend on an HA for DID if an active component fails to operate or if the system does not achieve its goals.

Automated Systems

Another issue complicating the identification of important HAs is that applicants may not have the supporting HFE analyses, such as a task analysis, used to identify HAs and tasks. For example, in highly automated plants, potentially important HAs include the monitoring of systems to detect failure conditions or degraded conditions and the need to initiate backup automation if it fails. It is also important to evaluate support tasks such as aligning system components, as well as inspections, tests, and maintenance. At issue is whether applicants use methods that can identify these types of HAs. HFE reviewers should consult with their PRA counterpart on the review team to understand the capabilities and limitations of the applicant’s methods in this area. Additional guidance appears in section C-3.3 of appendix C.

Exhibit B-1 Example Reviewer Aid for Documenting Characterization

 Note: The reviewer may find it helpful to develop a spreadsheet modeled after this example, adding rows and columns as needed for recording information important to the facility characterization and review plan development.

ConOps Dimension	Characteristic of Design or Operation	Reviewer Notes
Plant Mission/Goals	New Missions	In this and additional columns, as needed, the reviewer can record observations, source documents, related HFE activities and their schedules, potential review activities, etc.
Plant Mission/Goals	Novel Designs and Limited Operating Experience from Predecessor Systems
Roles and Responsibilities of Personnel and Automation	High Levels of Automation for All Operations
	Autonomous Operations
	Multiunit Operations and Teamwork
Staffing, Qualifications, and Training	New Tasks and Jobs
	New Staffing Positions
	Decentralization of Duties
	Operator Licensing Options
	New Plant Staffing Models
	Staffing Levels
	Alternative Training Methods/Programs
Management of Normal Operations	Managing Non-LWR Processes and Reactivity Effects
	Load-Following Operations
	Novel Refueling Methods
	HSIs for New Missions (e.g., steam production, hydrogen)
	No Traditional Control Room
	Remote Operations
	Different Unit States of Operation
	Unit Design Differences
	Control Systems for Shared Aspects of Multiunit Reactor Facilities
	Adding New Units While Other Units Are Operating
	Control Room Configuration and Workstation Design for Multiunit Operations and Teams
	HSI Design for Multiunit Monitoring and Control
Management of Off‑Normal Conditions and Emergencies	Inherent Safety Characteristics
	Passive Safety Systems
	New Safety Functions
	New Hazards
	Common Control Room for Multiple Units—Loss of HSIs
	Common Control Room for Multiple Units—Handling Off-Normal Conditions
	Multiple Units with Shared Systems—Potential Impacts of Unplanned Shutdowns or Degraded Conditions
	One Operator/Crew Managing Multiple Reactors—Design of Emergency Operating Procedures for Multiunit Disturbances
	One Operator/Crew Managing Multiple Reactors—Identification of Risk‑Important Human Actions
Management of Maintenance and Modifications	Modular Construction and Component Replacement
	New Maintenance Operations
	Managing Novel Maintenance Hazards
Management of Tests, Inspections, and Surveillances	Management of Tests, Inspections, and Surveillances

B-3 References

Bochkarev, A.S., A.S. Korsun, V.S. Kharitonov, & P.N. Alekseev (2017). “Inherent Safety Characteristics of Advanced Fast Reactors.” Journal of Physics: Conference Series (Vol. 781, No. 1, p. 012001). IOP Publishing.

Clark, A., B.A. Beeny, K.C. Wagner, & D.L. Luxat (2020). “Technical and Licensing Considerations for Micro-Reactors” (SAND2020-4609). Albuquerque, New Mexico: Sandia National Laboratories, April 1, 2020. Agencywide Documents Access and Management System (ADAMS) Accession No. ML20156A101.

Grabaskas, D., T. Fei, & J. Jerden (2020). “Technical Letter Report on the Assessment of Tritium Detection and Control in Molten Salt Reactors: Final Report” (ANL/NSE-20-15). Argonne, Illinois: Argonne National Laboratory. May 2020. ML20157A155.

IAEA (2009). “Passive Safety Systems and Natural Circulation in Water Cooled Nuclear Power Plants” (IAEA-TECDOC-1624). Vienna, Austria: International Atomic Energy Agency.

IAEA (1991). “Safety Related Terms for Advanced Nuclear Plants” (TECDOC-626). Vienna, Austria: International Atomic Energy Agency.

Lee, J. & B.A. Pint (2021). “Corrosion in Gas-Cooled Reactors” (TLR-RES/DE/CIB-CMB-2021‑04). Oak Ridge, Tennessee: Oak Ridge National Laboratory, March 2021. ML21084A041.

NEI (2019). “Risk-Informed Performance-Based Technology Inclusive Guidance for Non-Light Water Reactor Licensing Basis Development” (NEI 18-04, Revision 1). Washington, DC: Nuclear Energy Institute. August 2019. ML19241A472

NRC (2022). “Draft Interim Staff Guidance Augmenting NUREG-1791, ‘Guidance for Assessing Exemption Requests from the Nuclear Power Plant Licensed Operator Staffing Requirements Specified in 10 CFR 50.54(m)’ for Licensing Commercial Nuclear Plants under Part 53.” DRO-ISG-2023-02, (Draft Interim Staff Guidance). Washington, DC: U.S. Nuclear Regulatory Commission, September 2022. Access and Management System (ADAMS) Accession No. ML22266A068.

NRC (2021a). “Ground Rules for Regulatory Feasibility of Remote Operations of Nuclear Power Plants.” Washington, DC: U.S. Nuclear Regulatory Commission, November 2021. ML21291A024.

NRC (2021b). “Risk-Informed and Performance-Based Human-System Considerations for Advanced Reactors.” Washington, DC: U.S. Nuclear Regulatory Commission. March 2021. ML21068A003.

NRC (2021c). “Pre-application Engagement to Optimize Advanced Reactors Application Reviews,” Washington, DC: U.S. Nuclear Regulatory Commission, draft issued May 2021. ML21145A106.

NRC (2020a). “Policy and Licensing Considerations Related to Micro-Reactors” (SECY‑20‑0093). Washington, DC: U.S. Nuclear Regulatory Commission, October 6, 2020. ML20254A363.

NRC (2020b). “Guidance for a Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light-Water Reactors” (Regulatory Guide 1.233). Washington, DC: U.S. Nuclear Regulatory Commission.

NRC (2020c). “Standard Review Plan for Spent Fuel Dry Storage Systems and Facilities” (NUREG-2215). Washington, DC: U.S. Nuclear Regulatory Commission, April 2020.

NRC (2020d). “Human-System Interface Design Review Guidelines” (NUREG-0700, Rev. 3). Washington, DC: U.S. Nuclear Regulatory Commission, July 2020. ML20162A214

NRC (2019). Memorandum from M. Doane to D. Dorman, “Implementing Commission Direction on Applying Risk-Informed Principles in Regulatory Decision Making.” Washington, DC: U.S. Nuclear Regulatory Commission, November 18, 2019. ML19319C832.

NRC (2016). Letter from NuScale Power, LLC to U.S. Nuclear Regulatory Commission, “NuScale Power, LLC Submittal of Third Set of Human Factors Engineering Documentation for Design Certification Application.” December 29, 2016. ML16364A348.

NRC (2016). “Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition,” Chapter 18, “Human Factors Engineering, Rev. 3” (NUREG‑0800). Washington, DC: U.S. Nuclear Regulatory Commission, December 2016. ML16125A114.

NRC (2016). “Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition,” Chapter 13, “Conduct of Operations” (NUREG‑0800). Washington, DC: U.S. Nuclear Regulatory Commission, August 2016. ML15009A110.

NRC (2015). “NRC Reviewer Aid for Evaluating the Human-Performance Aspects Related to the Design and Operation of Small Modular Reactors” (NUREG/CR-7202). Washington, DC: U.S. Nuclear Regulatory Commission, June 2015. ML15182A199

NRC (2012). “Human Factors Engineering Program Review Model” (NUREG-0711, Rev. 3). Washington, DC: U.S. Nuclear Regulatory Commission, November 2012. ML12324A013

NRC (2011). “Operator Staffing for Small or Multi-Module Nuclear Power Plant Facilities” (SECY‑11-0098). Washington, DC: U.S. Nuclear Regulatory Commission, July 22, 2011. ML111870574.

NRC (2010). “Standard Review Plan for Spent Fuel Dry Storage Systems at a General License Facility” (NUREG-1536, Rev. 1). Washington, DC: U.S. Nuclear Regulatory Commission, July 2010. ML101040620

NRC (2008). “Policy Statement on the Regulation of Advanced Reactors.” Washington, DC: U.S. Nuclear Regulatory Commission, October 7, 2008. ML082750370.

NRC (2005). “Guidance for Assessing Exemption Requests from the Nuclear Power Plant Licensed Operator Staffing Requirements Specified in 10 CFR 50.54(m)” (NUREG‑1791). Washington, DC: U.S. Nuclear Regulatory Commission, July 2005. ML052080125

NRC (2000). “Standard Review Plan for Spent Fuel Dry Storage Facilities” (NUREG‑1567). Washington, DC: U.S. Nuclear Regulatory Commission, March 2000. ML003686776

NRC (1989). “A Status Report Regarding Industry Implementation of Safety Parameter Display Systems” (NUREG-1342), Washington, DC: U.S. Nuclear Regulatory Commission, April 1989. ML090060858

NRC (1988). “Development and Utilization of the NRC Policy Statement on the Regulation of Advanced Nuclear Power Plants” (NUREG-1226). Washington, DC: U.S. Nuclear Regulatory Commission, June 1988. ML13253A431

NRC (1983). “Clarification of TMI Action Plan Requirements” (NUREG-0737, Supplement 1). Washington, DC: U.S. Nuclear Regulatory Commission. January 1983. ML102560009

NRC (1981). “Human Factors Acceptance Criteria for the Safety Parameter Display System” (NUREG-0835). Washington, DC: U.S. Nuclear Regulatory Commission, October 1981. ML102520360.

O’Hara, J., J. Higgins, & N. Hughes (2022). “Safety Evaluations of Adaptive Automation: Suitability of Existing Review Guidance” (RIL-2020-06). Upton, NY: Brookhaven National Laboratory, January 13, 2022. ML22006A020.

O’Hara, J., S. Fleger, D. Desaulniers, B. Green, J. Seymour, & A. D’Agostino (2021). “Development of HFE Review Guidance for Advanced Reactors” (BNL Technical Letter Report F0028-04). Washington, DC: U.S. Nuclear Regulatory Commission, October 12, 2021. ML21287A088.

O’Hara, J. & J. Higgins (2020). “Adaptive Automation: Current Status and Challenges” (RIL‑2020-05). Upton, NY: Brookhaven National Laboratory, November 30, 2020. ML20176A199.

O’Hara, J., W. Gunther, G. Martinez-Guridi, & T. Anderson (2019). “The Development of Guidance for the Review of the Interfaces for Managing the Effects of Degraded Human-System Interface and Instrumentation and Control Conditions on Operator Performance” (NUREG/CR‑7264). Washington, DC: U.S. Nuclear Regulatory Commission.

O’Hara, J. & J. Higgins (2010). “Human-System Interfaces to Automatic Systems: Review Guidance and Technical Basis” (BNL Technical Report 91017-2010). Upton, NY: Brookhaven National Laboratory.

O'Hara, J., Higgins, J., Brown, W. & Fink, R., Persensky, J., Lewis, P., Kramer, J., Szabo, A., & Boggi, M. (NRC) (2008). “Human Factors Considerations with Respect to Emerging Technology in Nuclear Power Plants” (NUREG/CR-6947). Washington, D.C.: U. S. Nuclear Regulatory Commission. October 2008.

Romedenne, M. & B.A. Pint (2021). “Corrosion in Sodium Fast Reactors” (TLR0RES/DE/CIB‑CMB-2021-07). Oak Ridge, Tennessee: Oak Ridge National Laboratory, May 13, 2021. ML21116A231.

Wood, R., C. Antonescu, S. Arndt, C. Britton, S. Brown-VanHoozer, J. Calvert, B. Damiano, J. Easter, M. Freer, J. Mullens, J. Neal, V. Protopopescu, R. Shaffer, J. Schryver, C. Smith, R. Tucker, R. Uhrig, B. Upadhyaya, G. Wetherington, T. Wilson, J. White, & B. Whitus (2003). “Emerging Technologies in Instrumentation and Controls” (NUREG/CR-6812). Washington, DC: U.S. Nuclear Regulatory Commission, March 2003.

APPENDIX C—SCREENING

Selecting Human Factors Engineering Activities for Review

Screening is the process by which the reviewer selects for review those human factors engineering (HFE) activities that the applicant has conducted, or plans to conduct, in support of the license application. This appendix provides guidance to aid reviewers in applying the screening process to a review. Section C-1 of this appendix provides general guidance for screening. Section C-2 briefly summarizes HFE activities as described in NUREG‑0711, Revision 3, “Human Factors Engineering Program Review Model,” issued November 2012 (NRC, 2012), and the objectives of those activities. Review of the HFE activity objectives can guide the application‑specific selection of HFE activities for a given review. Section C‑3 discusses several analytical challenges the reviewer might anticipate when reviewing HFE activities for advanced reactors, and section C-4 contains an example HFE activity selection for a combination of facility characteristics.

C-1 General Screening Guidance

In selecting HFE activities for review, the primary objective should be to identify those HFE activities that are important to effective implementation of the design feature or operational characteristics being targeted for review. Because the selection of targets includes consideration of risk insights, focusing the review of HFE activities on those important to the development and implementation of the selected targets gives the review a risk-informed focus.

For each targeted characteristic, the reviewer should decide which HFE activities are fundamental to effective development or implementation and include those HFE activities in the scope of the review. For example, if an alarm system design was identified in the targeting phase as meeting the criteria for targeting, the screening phase might consider those specific HFE activities that supported development of the alarm system (e.g., operating experience review, task analysis, and human-system interface (HSI) design).

In determining which HFE activities to review for a given characteristic, the reviewer may find it useful to consult NUREG/CR-7202, “NRC Reviewer Aid for Evaluating the Human Factors Engineering Aspects of Small Modular Reactors,” issued June 2015 (NRC, 2015). NUREG/CR‑7202 is an aid for evaluating human performance considerations for small modular reactors (SMRs), but many of these considerations apply to other advanced reactors. The NUREG offers many examples of specific design and operational characteristics important to human performance, including most of those discussed in appendix B, and identifies specific HFE activity considerations for each of the characteristics. Table 2-1 of NUREG/CR‑7202 summarizes these considerations and is reproduced at the end of this section as exhibit C‑1.1 for ease of reference. The reviewer is also likely to find the candidate review questions in NUREG/CR‑7202 helpful in identifying the most important HFE activities to include in the scope of the review. Appendix B provides references to these questions for each characteristic common to both that appendix and NUREG/CR‑7202. The reviewer aid can also serve as a model for analysis of other characteristics not addressed in the NUREG but presented by the application before the reviewer.

In selecting HFE activities to include in the scope, the reviewer should also consider the following:

supporting or complementary HFE activities that would augment the reviewers’ assessment of the target

a balance of formative and summative HFE activities⁰
the assumed risk implications of an inadequate review due to excluding an HFE activity from the scope
applicable requirements

Guidance for each of these considerations is provided below. Note that these considerations are applied with respect to the individual design and operational characteristics targeted for review. Appendix E provides guidance for considering the selected targets and HFE activities collectively to ensure that the scope of review is adequate and technically balanced in ways that create a sound basis for the safety evaluation of the overall application.

C-1.1 Supporting or Complementary Human Factors Engineering Activities

The reviewer should consider supporting or complementary HFE activities that would augment the reviewer’s assessment of the target. The following includes some examples of HFE activities that are often complementary to one another and may be most efficiently addressed together.

Example 1: FRA/FA; TA; IHA

Functional requirements analysis (FRA), function allocation (FA), and task analysis (TA) are typically tightly coupled activities and can support the identification of important human actions (IHAs). The reviewer may find it useful to consider these activities together to verify that the results of these activities are logically consistent.

Example 2: Task Support Verification; ISV, HED Resolution

When reviewing any verification or validation activity, particularly an integrated system validation (ISV), the reviewer should also consider whether the priority and resolution of any resulting human engineering discrepancies (HEDs) is appropriate.

Example 3: Staffing

DRO-ISG-2023-02, “Interim Staff Guidance Augmenting NUREG-1791, ‘Guidance for Assessing Exemption Requests from the Nuclear Power Plant Licensed Operator Staffing Requirements Specified in 10 CFR 50.54(m),’ for Licensing Commercial Nuclear Plants under 10 CFR Part 53,” (NRC, 2022a), draft issued September 2022, recommends that the U.S. Nuclear Regulatory Commission (NRC) reviewer look at other HFE activities when reviewing the staff plan.

C-1.2 Balancing Formative and Summative Human Factors Engineering Activities

By balancing the review of formative and summative processes, the review will assess the applicant’s HFE activities in both early and late design development and provide a basis for verifying that the results of early analyses are reflected in design products and validated in testing.

C-1.3 Assumed Risk Implications of Human Factors Engineering Activity Exclusion (i.e., Screening Out)

The reviewer will likely find that for each characteristic identified as a target, it is possible to identify several HFE activities. Indeed, it may be possible that each of the 12 program activities described in NUREG-0711 is relevant to each of the design or operational characteristics that might be targeted. However, a review of all HFE activities associated with each target may not be warranted (e.g., considering risk importance and safety significance) nor practical.

When determining whether an HFE activity, as applied to a specific characteristic of the facility design or operation, may be excluded from the scope of review, one approach is to ask: What can go wrong? How likely is it? What are the consequences? In this context, the reviewer should consider what can go wrong if an applicant’s HFE activity is screened out and not included as part of the review. The answer to this and the other questions can be developed in terms of the objective of the review for the given HFE activity. As noted in the introduction to this appendix, section C-2 summarizes HFE activities as described in NUREG‑0711 and the review objectives for those activities.

Exhibit C‑1.2 demonstrates the use of this three-question approach to HFE activity screening for FRA/FA. As noted above, the recommended means to focus the screening process is to select and review HFE activities with respect to the characteristics of the design that were targeted based on considering the risk importance, safety significance, and uncertainty associated with the characteristic. In this example, the targeted characteristic is a computer-based procedure system capable of implementing automated sequences of procedure steps.

C-1.4 Applicable Requirements

Certain requirements of Title 10 of the Code of Federal Regulations (10 CFR) Part 53, “Risk‑Informed, Technology‑Inclusive Regulatory Framework for Commercial Nuclear Plants,” may have direct or indirect implications for performing HFE activities. Where HFE activities are required, the HFE review should verify that the application meets the requirements or that the applicant has submitted or plans to submit an exemption request for each requirement that is or would not be met. In this regard, the reviewer should note that each licensee or applicant for an operating license or combined license under 10 CFR Part 53 is required to develop, implement, and maintain (1) an FRA/FA and (2) a staffing plan, as required by 10 CFR 53.730(d) and (f), respectively. Similarly, each licensee or applicant for an operating license or combined license under 10 CFR Part 53 is required to develop, implement, and maintain a program for the review and application of operating experience and a program for plant procedures that must include HFE within its scope. Accordingly, the applicant’s HFE activities supporting compliance with these requirements should be included in the scope of the review for all applications subject to these requirements.

C-1.5 No Applicant Human Factors Engineering Activity for Selected Target

It is possible the reviewer may find that the applicant has identified no HFE activities associated with the development or implementation of a target the reviewer has selected for the scope of the review. In such instances, the reviewer should confirm the importance of the target to the review, verify that there are no applicable HFE activities, and if none, understand the applicant’s basis for no application of HFE to the development or implementation of the target. If the reviewer finds a reason to keep the target within the scope of the review plan, the reviewer should identify appropriate functional or design acceptance criteria during the grading process (as described in appendix D) to apply during the review. For example, if there is no HFE activity, the reviewer might need to rely on NUREG-0700, Revision 3, “Human-System Interface Design Review Guidelines,” issued July 2020 (NRC, 2020b), or other design standards, or if necessary, request a performance-based validation (e.g., ISV).

Exhibit C-1.1 NUREG-0711 Elements Impacted by Potential SMR Issues

(Reproduced from NUREG/CR-7202 (NRC, 2015))

NUREG-0711 Element		OER	FRA/FA	TA	S&Q	IHA	HSI	PD	TPD	V&V
ConOps Model Dimension	SMR Issue
Plant Mission	New Mission	x	x	x	x	x	x	x	x
Plant Mission
Novel Design and Limited OE	x
Agent's Roles and Responsibilities	Multi-Unit Operations and Teamwork	x			x		x	x		x

	High Levels of Automation		x	x			x			x
Function Allocation Methodology		x
Staffing, Qualifications and Training	New Staffing Positions				x				x

	Staffing Models				x					x
Staffing Levels				x					x
Management of Normal Operations	Different Unit States of Operation				x		x	x	x

	Unit Design Differences						x	x	x

	Control System for Shared Aspects of SMRs						x	x

	Impact of Adding New Units on Operations						x	x

	Non-LWR Processes and Reactivity Effects		x				x	x	x	x

Load-following Operations		x		x	x	x	x	x	x
Novel Refueling Methods		x		x	x	x	x	x	x
Control Room Configuration and Workstation Design						x			x
HSI Design for Multi-unit Monitoring and Control						x			x
HSIs for new missions						x			x
Management of Off-normal Conditions and Emergencies	Safety Function Monitoring						x	x		x

	Unplanned Shutdowns and Degraded Conditions				x		x	x	x	x

	Handling Off-normal Conditions at Multiple Sites				x		x	x	x	x

	Design of EOPs for Multi-unit Disturbances							x		x

	New Hazards			x			x	x	x	x
Passive Safety Systems			x			x	x	x	x
Loss of HSIs and Control Room						x	x	x	x
PRA evaluation of Site-wide Risk					x
Identification of RIHAs					x	x	x	x	x
Management of Maintenance and Modifications	Modular Construction and Replacement								x
Management of Maintenance and Modifications	New Maintenance Operations					x	x	x	x	x

Key to heading abbreviations: OER - operating experience review, FRA/FA – functional requirements analysis/function allocation, TA – task analysis, S&Q – staffing and qualifications, IHA – important human actions, HIS – human system interface, PD – procedure development, TPD – training program development, V&V – verification and validation

Exhibit C-1.2. Example Application of Three-Question Screening of

HFE Activities for Review

Target: Computer-Based Procedure System with Automated Step Sequencing

HFE Activity: Functional Requirements Analysis/Function Allocation

Review Objective: Verify that the applicant defined those functions that must be carried out to satisfy the facility’s safety goals and that responsibilities for those functions are assigned to personnel and automation in a way that takes advantage of human strengths and avoids human limitations.

What can go wrong (if this HFE activity is screened out of the review)? The staff could fail to identify problems it would have found with—

how the applicant defined those functions that must be carried out to satisfy the facility’s safety goals
how the applicant assigned responsibilities for those functions to personnel and automation in a way that takes advantage of human strengths and avoids human limitations.

How likely is it? The increase in likelihood that a problem in the applicant’s FRA/FA would impact the design if this activity were screened out of the NRC review would depend on the likelihood that the applicant’s FRA/FA was inadequate and the likelihood that a staff review would identify the problem(s) with the FRA/FA. These likelihoods would have qualitative elements that would be informed by knowledge of factors such as—

the novelty of the design
the complexity of HFE activity as it pertains to the targeted characteristics
the expertise and demonstrated performance of the applicant’s team conducting the HFE activity (i.e., HFE program management)
the expertise and level of resources that the staff would apply to the review
other opportunities to identify the problems before placing the design in service (e.g., design testing, validation, preoperational testing)

What are the consequences? The consequences of a decision to screen out^⁰ a review of the FRA/FA as applied to the applicant’s computer-based procedure system would be the lack of information from the review to include in the basis of the safety evaluation (a potential challenge to reaching a reasonable assurance of safety determination) and a potential increased risk of operational challenges attributable to deficiencies in function allocation.

C-2 Human Factors Engineering Activity Summaries

Below are descriptions of HFE activities that should be considered as part of the screening process. These descriptions were derived from the human factors program element descriptions in NUREG-0711. That NUREG is based on a systems engineering model that includes the HFE activities that are broadly viewed as necessary to a comprehensive HFE program. While review of all these activities may not be needed to support a specific application, during the screening process, the reviewer should consider the relevance and necessity of each to making a determination of reasonable assurance of safety. The activity descriptions include information about how each contributes to an applicant’s HFE program and the NRC reviewer’s objectives when evaluating the applicant’s performance of the activity.

C-2.1 Human Factors Engineering Program Management

In this activity, the applicant establishes an HFE design team with the responsibility, authority, placement within the organization, and composition to reasonably ensure that the plant design meets the commitment to HFE. Further, a plan should be developed to guide the team to ensure that the HFE program is properly developed, executed, overseen, and documented. The program plan describes the activities needed to ensure that HFE principles are applied to the development, design, and evaluation of HSI, procedures, and training.

The objective of the staff review of this activity is to verify that the applicant has established HFE program management to accomplish these elements.

C-2.2 Operating Experience Review

Applicants perform an operating experience review (OER) to identify HFE-related safety issues. The OER should provide information on the performance of predecessor designs. For new plants, this may be the earlier designs on which the new one is based. For plant modifications, it may be the design of the systems being changed. The issues and lessons learned from operating experience provide a basis to improve the plant’s design. Thus, the negative features of predecessor designs may be avoided, while retaining positive features. The OER should consider the predecessor systems on which the design is based, the technological approaches selected (e.g., if touch-screen interfaces are planned, their associated HFE issues should be reviewed), and the facility’s HFE issues.

The objective of this activity is to verify that the applicant identified and analyzed HFE-related problems and issues in previous designs that are similar to the one under review.

C-2.3 Functional Requirements Analysis and Function Allocation

The personnel role in facility operations is examined in two steps: functional requirements analysis and function allocation (i.e., assignment of levels of automation). A functional requirements analysis (FRA) identifies those plant functions that must be performed to satisfy the plant’s overall operating and safety objectives and goals, which include ensuring the health and safety of the public by preventing or mitigating the consequences of postulated accidents. This analysis determines the objectives, performance requirements, and constraints of the design, and sets a framework for understanding the role of controllers (personnel or system) in regulating plant processes.

Function allocation (FA) is the assignment of functions to (1) personnel, (2) automatic systems, and (3) combinations of both. Exploiting the strengths of personnel and system elements enhances the facility’s safety and reliability, including improvements achievable through assigning control to these elements with overlapping and redundant responsibilities. Function allocations should be founded on functional requirements and HFE principles in a structured, well-documented methodology that produces clear roles and responsibilities for personnel.

The purpose of the staff’s review of this activity is to verify that the applicant defined those functions that must be carried out to satisfy the facility’s safety goals and that responsibilities for those functions are assigned to personnel and automation in a way that takes advantage of human strengths and avoids human limitations.

C-2.4 Task Analysis

The functions allocated to plant personnel define the roles and responsibilities that they accomplish by human actions (HAs). HAs can be divided into tasks—a group of related activities with a common objective or goal. The results of the task analysis offer important inputs to many HFE activities: (1) the analysis of staffing and qualifications; (2) the design of HSIs, procedures, and training programs; and (3) criteria for task support verification.

The objective of this review is to verify that the applicant undertook analyses identifying the specific tasks needed to accomplish personnel functions, and the alarms, information, control, and task support required to complete those duties (see Roth et al., 2022, for additional information).

C-2.5 Staffing and Qualifications

Plant staffing and staff qualifications are important considerations throughout the design process. Initial staffing levels may be established early in the design process based on experience with previous plants, staffing goals (such as for staffing reductions), initial analyses, and NRC regulations. However, their acceptability should be examined periodically as the design of the facility evolves.

The objective of reviewing staffing and qualification analyses is to verify that the applicant has systematically analyzed the required number and necessary qualifications of personnel, in concert with task and regulatory requirements.

C-2.6 Treatment of Important Human Actions

A goal of the NRC’s safety program has been to use risk analyses to prioritize activities and to ensure that regulators and licensees focus efforts and resources on those activities that best support reasonable assurance of adequate protection of the public’s health and safety. HFE programs contribute to this goal by applying a graded approach to plant design, focusing greater attention on HAs most important to safety. The objective of this activity is to identify those HAs most important to safety for a plant design through a combination of probabilistic and deterministic analyses. The results of such analyses can be used to identify the need for design features and programmatic controls that minimize the likelihood of personnel error and help ensure that personnel can detect and recover from any errors that occur.

The review’s objectives are to verify that the applicant has (1) identified IHAs, and (2) considered human error mechanisms for IHAs in designing the HFE aspects of the plant.

C-2.7 Human-System Interface Design

In this activity, applicants translate the functional and task requirements into HSI design requirements and into the detailed design of alarms, displays, controls, and other aspects of the HSI. A structured methodology should guide designers in identifying and selecting candidate HSI approaches, defining the detailed design, and performing HSI tests and evaluations.

The objective of the staff’s review of this activity is to evaluate the process used by applicants to translate requirements into HSI design. The review should also address the formulation and use of HFE guidelines tailored to the unique aspects of the applicants’ design (e.g., a style guide to define the design-specific conventions).

C-2.8 Procedure Development

Procedures are essential to plant safety because they support and guide personnel interactions with plant systems and personnel responses to plant-related events. In the nuclear industry, procedure development is the responsibility of individual utilities. The objective of the NRC procedure review is to confirm that an operating or combined license applicant’s procedure development program incorporates HFE principles and criteria, along with all other design requirements, to develop procedures that are technically accurate, comprehensive, explicit, easy to use, validated, and in conformance with applicable regulatory requirements.

C-2.9 Training Program Development

Training plant personnel is important in ensuring the safe, reliable operation of commercial nuclear plants. Training programs contribute to reasonable assurance that plant personnel have the knowledge, skills, and abilities needed to perform their roles and responsibilities. The objective of the training program review is to verify that the applicant has used a systems approach for developing personnel training.

C-2.10 Human Factors Verification and Validation

Verification and validation (V&V) evaluations comprehensively determine that the final HFE design conforms to accepted design principles and enables personnel to successfully and safely perform their tasks to achieve operational goals. This activity involves four evaluations, with the following objectives:

HSI Task Support Verification—The applicant verifies that the HSI provides the alarms, information, controls, and task support that the task analyses defined as needed for personnel to perform their tasks.

HFE Design Verification—The applicant verifies that the design of the HSIs conforms to HFE guidelines (such as the applicant’s style guide).

Integrated System Validation—The applicant validates, using performance-based tests, that the integrated system design (i.e., hardware, software, procedures, and personnel elements) supports safe operation of the plant.

Human Engineering Discrepancy Resolution Review—The V&V evaluations above identify HEDs. In this activity, the applicant verifies HED resolutions, assesses the importance of HEDs, and checks that the corrections are acceptable.

The staff’s review of HFE V&V is to ensure that the applicant’s verification of its methods and results followed its specified methodologies, that any corrections were appropriately resolved, and that the results support the conclusion of safe operation.

C-2.11 Design Implementation

This activity addresses the implementation of the HFE aspects of the plant design for new plants and plant modifications. For a new plant, the implementation phase is well-defined and carefully monitored through startup procedures and testing. Implementing modifications is more complex.

The objectives of the design implementation review are to verify that the applicant’s as-built design conforms to the design that was verified and validated and that implementation of plant changes considers the effect on personnel performance and affords necessary support for reasonable assurance of safe operations.

C-2.12 Human Performance Monitoring

The objective of reviewing an applicant’s human performance monitoring program is to verify that the applicant prepared a program to ensure that the conclusions drawn from the ISV remain valid with time and ensure that no significant safety degradation occurs because of any changes made in the plant.

The applicant may incorporate this monitoring program into its problem identification and resolution program and its training program.

C-3 Additional Considerations for Review of Advanced Reactor Human Factors Engineering Activities

Current methods for conducting and supporting the application of HFE have limitations that may pose challenges when applied to the design of commercial nuclear plants. Sections C‑3.1 through C-3.3 describe several recognized challenges, such as lack of guidance, and their implications for NRC review. Reviewers should anticipate that applications presenting these challenges may need additional review time and resources, and the reviewer may need to consider a means to address the uncertainty that these challenges introduce when developing a safety evaluation. Reviewers should discuss any perceived challenges with their branch chief and project manager to ensure an appropriate project schedule.

C-3.1 Function Allocation Methodology to Support Automation Decisions

Description

Current function allocation methods do not offer specific analytic tools for deciding when and how to apply new types of automation. SMR designers also noted this problem. In discussing automation for the Pebble Bed Modular Reactor, Hugo & Engela (2005) observed that most methods of function allocation are “…subjective and prone to error and in projects where human and environmental safety is a concern, it is necessary to use more rigorous methods.” More comprehensive and objective methodologies are needed to support FA analyses by designers.

Implications

NUREG-0711 gives general guidance for reviewing function allocation (see section 4, “Functional Requirements Analysis and Function Allocation”). However, modern applications of automation have much flexibility, so that operators face many different automation types and task interactions. The NRC’s characterization of automation identified six dimensions (functions, processes, modes, levels, adaptability, and reliability) that can be combined to design automation for a specific application (O’Hara & Higgins, 2010). However, designers lack methodologies to back up their decisions as to what combinations are appropriate (i.e., current FA methods do not address such choices, and reviewers lack guidance to evaluate them). Until there are advances in methods and applicable guidelines, reviewers should consider alternative methods for assessing FA (e.g., through review of relevant operating experience and performance‑based testing and validation activities).

C-3.2 Probabilistic Risk Assessment Evaluation of Sitewide Risk for Small Modular Reactors

Description

SMR sites, which may have as many as a dozen reactor modules, may have more units than current probabilistic risk assessments (PRAs) typically address. Therefore, modeling SMRs, especially those with shared systems, probably will entail explicitly modeling system interactions and human dependencies in a multiunit event. A single-unit PRA considers common or sitewide systems such as offsite power, alternating current power on site, the ultimate heat sink, and various cross-connections between units, such as air- and cooling-water systems. It also covers the effect of sitewide initiating events, such as loss of offsite power, station blackout, seismic events, and external floods.

Reviewers should be aware that PRAs may need additional modeling to encompass sitewide risk for multiple units. A sitewide PRA (i.e., a PRA covering all units on an SMR site) may evaluate potential core damage (CD) at multiple units caused by sitewide initiating events and the influences of common systems and a common control room as potential common‑cause failures. This sitewide PRA may result in CD at multiple units but may be at a lower frequency than for a single unit site. However, the PRA level 2 releases could be potentially high because of CD at multiple units.

Implications

A multiunit PRA for an SMR facility may generate more risk-important human actions (RIHAs) than a single-unit PRA. These RIHAs should be addressed as part of the applicant’s HFE program to ensure they can be reliably performed by plant staff. The treatment of RIHAs is already addressed in HFE reviews through NUREG-0711, so that new guidance for the HFE reviews may be unnecessary. However, the HFE reviewer should consult with the reviewer or organization responsible for review of the applicant’s PRA/human reliability analysis (HRA) to verify that the applicant’s identification of RIHAs has addressed system interactions and human dependencies in a manner and to a degree appropriate to the assessment of a multimodule facility. Discussion of this topic also appears in section B-2.5.9 of appendix B.

C-3.3 Identification of Important Human Actions

Description

NUREG-0711 defines “important human actions” (IHAs) as those actions that meet either risk or deterministic criteria:

Risk-important human actions (RIHAs)—Actions defined by risk criteria that plant personnel use to ensure the plant’s safety. There are absolute and relative criteria for defining risk‑important actions. For absolute criteria, a risk-important action is one that must be successfully performed to ensure that predefined risk criteria are met. For relative criteria, the risk-important actions are those that constitute the most risk‑significant human actions identified (NRC, 2007a). The identifications can be made quantitatively from risk analyses and qualitatively from various criteria, such as the consequences of a failed HA.
Deterministically identified IHAs—For light-water reactors, deterministic engineering analyses typically are completed as part of the suite of analyses in the final safety analysis report/design control document in chapter 7, “Instrumentation & Controls,” and chapter 15, “Transient and Accident Analyses.” These deterministic analyses also may credit HAs.

Implications

The identification of IHAs is significant to an HFE review because applicants may cite the number and safety significance or risk importance of such actions as the basis for the scope and focus of their HFE program. It is also important because it may become a basis for claims that no HAs are needed for safety-important actions. Accordingly, the HFE reviewer should be sensitive to potential challenges to identifying IHAs (e.g., aspects of the applicant’s design, operations, or analytical methods). Sections C-3.3.1 through C-3.3 discuss several factors that may complicate the identification of IHAs. Section C‑3.3.4 contains additional review guidelines to consider when evaluating an applicant’s identification of IHAs.

In addition to the review of RIHAs, other HAs specifically credited in design analyses should be reviewed. These deterministically identified IHAs may be found among the following:

operator actions credited in the diversity and defense-in-depth (DID) analysis
operator actions credited in the design‑bases analyses
RIHAs identified in the HRAs for severe accidents

Available NRC guidance for the review of HAs was developed for reviews of large light-water reactors (LLWRs). These guidance documents include (1) NUREG-0800, “Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition,” chapter 18, “Human Factors Engineering,” including Attachment A, “Guidance for Evaluating Credited Manual Operator Actions” (NRC, 2016), (2) NUREG-0711, Revision 3, Section 7, “Treatment of Important Human Actions,” issued November 2012 (NRC, 2012), (3) NUREG‑1764, Revision 1, “Guidance for the Review of Changes to Human Actions,” issued September 2007 (NRC, 2007a), and (4) NUREG-1852, “Demonstrating the Feasibility and Reliability of Operator Manual Actions in Response to Fire,” issued October 2007 (NRC, 2007b).⁰

Thus, in the short term, there is guidance for reviewing IHAs, but the guidance may have limited application to advanced reactor designs and may necessitate greater use of engineering judgment compared to its use for LLWRs. It should also be noted that this guidance is largely focused on the treatment of important actions, but not the identification of IHAs.

In the near term, analysts are expected to be learning about the relative effectiveness and limitations of the currently available PRA methods in terms of identifying IHAs in advanced reactor designs. HFE reviewers should consult with their PRA review counterparts to ensure that potential limitations of an application with respect to the identification of IHAs are communicated among the members of the review team and accounted for in the development of the review plan and associated safety evaluation.

C-3.3.1 Use of Alternative Risk Analysis Methods

Description

It is possible that applicants may not perform traditional PRAs as are required of LLWRs. Instead, they may perform modified PRAs or other types of risk analyses, such as integrated safety analyses (ISAs)⁰ that focus on identifying items relied on for safety (IROFS) but may not focus on quantifying HAs.

Implications

Applicants for nuclear facilities other than nuclear power plants have used ISAs to identify IROFS, which can include HAs. Both the CFR and several standard review plans identify ISA as an acceptable analysis method. However, an issue arises when ISA is used to assess HAs. ISAs can mask HAs by identifying them as component failure (e.g., modeling a pump failure in the ISA when it is really a failure of HA, such as failure to start the pump). Also, ISA models HAs as isolated actions, and the event context of HAs and dependency between HAs are lost. While specific HFE review guidance is not presently available to review this type of IHA identification, reviewers can apply the approaches used by previous NRC reviews of such analyses, such as the review of the mixed‑oxide facility, to determine an appropriate review strategy for the facility currently being reviewed (NRC, 2000).

C-3.3.2 Lack of Supporting Analyses Used to Identify Human Tasks

Description

The applicant may not have the supporting HFE analyses used to identify human tasks.

Implications

Identifying IHAs may be more complicated for advanced reactors than for LLWRs. For example, in highly automated plants, potentially important HAs include the monitoring of systems to detect failure conditions, degraded conditions, and the need to back up automatic actions if they fail. It is also important to evaluate support tasks such as aligning system components, as well as inspections, tests, and maintenance. At issue is whether applicants use methods that can identify these types of HAs, and the consequences of their choice of methods for their ability to identify IHAs. HFE reviewers should consult with their PRA counterpart on the review team to understand the capabilities and limits of the applicant’s methods in this regard and to ensure that the review plan scope includes IHAs. Section C-3.3.4, item 2, discusses the sufficiency of applicants’ models.

C-3.3.3 Use of Inherent Safety Characteristics and Passive Safety Features

Description

Many advanced reactor designs propose to rely on passive safety features, inherent safety characteristics, or a combination of these approaches, for performing safety functions. These methods reduce or eliminate dependence on humans operating equipment in event mitigation. As a result, IHAs are more likely to be maintenance, surveillance, and monitoring activities that ensure safety systems can perform their safety function upon demand or are effectively performing their safety function.

Implications

The differences in safety function management are described in Fleming et al. (2020). The following excerpt from that report captures the implications of these differences:

They [advanced reactors] may rely on passive safety system. The safety function is achieved through reliance on laws of nature, material properties, and energy stored within the SSC. As a result, the typical causes of failure for active systems generally do not exist for a passive system; i.e., loss of power or failure of operator action. By contrast, passive systems can fail as a result of modes such as mechanical or structural failure of an SSC, or even malicious human intervention (IAEA, 2018) [International Atomic Energy Agency. (2018). Integrated Approach to Safety Classification of Mechanical Components for Fusion Applications (IAEA-TECDOC-1851)].

Other considerations are also relevant for assessing the reliability of passive safety systems. For example, passive cooling systems typically rely on natural circulation flows to transport heat to an ultimate heat sink. These natural circulation flows rely on small pressure gradients in the fluid that drive small flows. As a result, these circulation patterns can be susceptible to breakdown should these gradients be eroded. For example, a small reduction of heat transfer to the ultimate heat sink could lead to a breakdown of a natural circulation pattern. As a result, the overall reliability of a passive system can depend sensitively on how the governing physical process is influenced by boundary conditions.

The characterization of these boundary conditions across a range of upset conditions can be generally difficult to assess. However, a passive safety system is designed to maintain relatively controlled boundary conditions that ensure it will function to control a plant under a broad range of internally initiated upset conditions. Passive safety systems are thus very reliable when considering the provision of their safety function to defend against internal events. An active system, by contrast, has a much higher probability of failing randomly when called upon to perform its safety function. In contrast to passive safety, inherently safe systems are those which are absolutely reliable. The classification of absolute reliability must be qualified by a detailed consideration of the range of characteristics of the SSC that support the safety function. For example, control of reactivity often involves reactivity feedback mechanisms inherent to a system preventing reactivity excursions from occurring (e.g., moderator temperature feedback). In this case, it is generally difficult to postulate an external perturbation that would give rise to a loss of reactivity control. However, for cooling or containment functions, it is more likely that passive systems can exhibit failures under a range of external perturbations such that they are not absolutely reliable. Under some circumstances, however, even cooling functions may be ultimately reliable should the power level of the reactor be sufficiently low that residual heat can always be rejected to the atmosphere [Fleming et al., 2020, pp. 30–31].

Reviewers will need to assess how applicants analyze risk for safety systems relying on passive safety features and inherent safety characteristics. The reviewer should verify that the human role in ensuring the capability and monitoring the performance of such systems has been adequately identified and appropriately addressed in the application of HFE where such actions may be required. Section C-3.3.4, item 5, contains guidance concerning the applicant’s analysis of the human role in passive and automated safety system readiness.

C-3.3.4 Review Guidelines for the Identification of Important Human Actions

This section provides guidance for the review of an applicant’s identification of IHAs. While it is typically within the scope of responsibility for the PRA reviewer with training in HRA to assess the identification of IHAs, it is important for the HFE reviewer to know the relative strengths and weaknesses of the applicant’s approach when using IHAs to inform the scope of the HFE review. Thus, the following guidelines are provided to aid in that understanding. The HFE reviewer should consult with their PRA review counterpart to understand the extent to which the application conforms to the following guidelines:

(1) A knowledgeable team with the requisite expertise performs the applicant’s analysis of IHAs.

Additional Information: For example, the team should have knowledge of the following:

how safety functions are achieved
the type of modeling used
human performance
facility operations
facility maintenance

For ISAs, NUREG-1513 states that the ISA summary must include sufficient information about an accident sequence and the proposed IROFS to allow the reviewer to assess the contributions of the IROFS to prevention or mitigation. The ISA summary must contain enough information about the ISA methods and the qualifications of the team that performed the ISA and any other resources employed to give the reviewer confidence that the list of potential accidents identified is reasonably complete.

(2) The applicant’s models used to assess the risk or importance of human actions are sufficiently comprehensive and detailed to identify IHAs.

Additional Information: Identification of IHAs using models such as PRA or ISA is based on modeling, quantification, and criterion selection. Models represent plant components and their interconnections and include HAs where appropriate. Generally, the review of the modeling is not an HFE activity. HFE reviewers should work with NRC risk analysis subject matter experts to determine the comprehensiveness and level of detail of the applicant’s modeling of HAs. If the model is poor and does not adequately include HAs, if the quantification of human error probability is poor, or if the selection criterion is unreasonable, then the ability to identify IHAs is severely compromised.

(3) The applicant’s quantification of HAs uses HRA and HFE analyses to provide a basis for understanding the effects of performance‑shaping factors on human performance.

Additional Information: Quantification should be based on appropriate HFE analyses, such as HRA. The evaluation of HAs should consider factors such as the time available, task demands, performance‑shaping factors, and factors such as teamwork. The analysis of human performance is applicable to both PRAs, in which errors are quantified, and deterministic analyses, which require an understanding of HAs to evaluate their importance to facility safety.

(4) The applicant’s selection criteria are justified and reasonable for the type of modeling used.

Additional Information: There is no universally agreed-on criterion for determining importance; it is established on a case-by-case basis.

(5) The applicant analyzed the human role in passive and automated safety system readiness by identifying HAs associated with surveillance, testing, calibration, and maintenance activities.

Additional Information: The reduction in the use of active safety systems, simplicity of design, high levels of automation, passive safety systems, and lower accident consequences have shifted the focus of HAs away from an active role in safety function performance to ensuring the readiness of safety systems.

(6) The applicant identified the HAs that provide DID, including those that may be associated with passive safety systems.

Additional Information: The International Atomic Energy Agency has classified passive systems in terms of their degree of passivity and some may need human actions in a DID capacity. The applicant’s assessment of the performance and reliability of passive systems provides a basis to develop compensatory measures including HAs.

(7) The applicant identified the HAs in conjunction with human-automation interaction needed for active safety systems, if any.

Additional Information: Active safety systems depend on many human performance considerations to support not only the human tasks required for the functioning of safety systems, but tasks involving automation monitoring, control, and backup.

(8) The applicant identified the accident sequences in which human errors cause challenges to facility safety.

Additional Information: Applicants should not only identify HAs involved in safety system readiness and DID, but situations in which HAs are the causes of safety challenges.

(9) The applicant identified the relative importance of HAs with considerations of PRA uncertainty.

Additional Information: “Relative importance” means the importance of HAs compared to other actions (i.e., some important actions are more important than other important actions). Applicants using PRA to assess facility risk can calculate risk achievement worth and the Fussell-Vesely risk-importance measures. Considerations of PRA uncertainty should be included in these evaluations. Applicants performing alternative risk assessments may use an alternative means such as evaluations by subject matter experts. HAs of greater importance should be designed out or receive added attention in the applicant’s HFE program.

(10) An applicant’s finding that there are no IHAs is justified.

Additional Information: Some small, advanced reactor designs seek to minimize or eliminate HAs related to safety. Applicants should demonstrate that a comprehensive and detailed analysis to identify important actions was performed or provide justification that such an analysis is not warranted.

(11) The applicant specified how IHAs are addressed to (1) ensure that the action will be accurately and reliably performed, (2) reduce the likelihood of human error, and (3) facilitate error detection and recovery.

Additional Information: The applicant’s treatment of IHAs and known challenges to human performance (e.g., complacency and calibration of trust in human-automation interaction) will help ensure that the design supports these actions, and that they are within acceptable human performance capabilities (e.g., within time and workload requirements). The HFE program addresses IHAs through analyses such as function allocation, task analysis, HSI design, procedural development, and training program development, to reduce the likelihood of human error and facilitate error detection and recovery capability.

(12) The applicant’s analyses have been peer reviewed or self-assessed.

Additional Information: For applications under 10 CFR Part 53, a peer review of the PRA is not required. However, as noted in Nuclear Energy Institute (NEI) 18-04, Revision 1, “Risk-Informed Performance-Based Technology Inclusive Guidance for Non-Light Water Reactor Licensing Basis Development” issued August 2019 (NEI, 2019), peer reviews and regulatory reviews of the PRA provide an opportunity to challenge the completeness and treatment of uncertainties in the PRA. Such challenges ensure that the deterministic design-basis accidents and the conservative assumptions used in the design-basis accident analysis are sufficient to meet the applicable regulatory requirements. The acceptability of the PRA depends on how the PRA will be used. As discussed in Regulatory Guide 1.174, Revision 3, “An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis,” issued January 2018 (NRC, 2018), and Regulatory Guide 1.200, Revision 3, “Acceptability of Probabilistic Risk Assessment Results for Risk‑Informed Activities,” issued December 2020 (NRC, 2020a), the quality of a PRA is measured in terms of its appropriateness with respect to scope, level of detail, and technical adequacy.

C-4 References

Fleming, E., M. Myre-Yu, & D. Luxat (2020). “Human Factors Considerations for Automating Microreactors.” Albuquerque, NM: Sandia National Laboratories. June 2020. Agencywide Documents Access and Management System (ADAMS) Accession No. ML20175A117.

Hugo, J. & H. Engela (2005). “Function allocation for industrial human-system interfaces.” In Proceedings of CybErg 2005. Johannesburg, South Africa: International Ergonomics Association Press.

NEI (2019). “Risk-Informed Performance-Based Technology Inclusive Guidance for Non-Light Water Reactor Licensing Basis Development” (NEI 18-04, Rev. 1). Washington, DC: Nuclear Energy Institute, August 2019.

NRC (2022a). “Draft Interim Staff Guidance Augmenting NUREG-1791, ‘Guidance for Assessing Exemption Requests from the Nuclear Power Plant Licensed Operator Staffing Requirements Specified in 10 CFR 50.54(m)’ for Licensing Commercial Nuclear Plants under Part 53.” DRO-ISG-2023-02, (Draft Interim Staff Guidance). Washington, DC: U.S. Nuclear Regulatory Commission, September 2022. Access and Management System (ADAMS) Accession No. ML22266A068.

NRC (2020a). “Acceptability of Probabilistic Risk Assessment Results for Risk-Informed Activities” (Regulatory Guide 1.200, Rev. 3). Washington, DC: U.S. Nuclear Regulatory Commission, December 2020. ML20238B871.

NRC (2020b). “Human-System Interface Design Review Guidelines” (NUREG-0700, Rev. 3). Washington, DC: U.S. Nuclear Regulatory Commission, July 2020. ML20162A214.

NRC (2018). “An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis” (Regulatory Guide 1.174, Rev. 3). Washington, DC: U.S. Nuclear Regulatory Commission, January 2018. ML17317A256.

NRC (2016). “Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition,” Chapter 18, “Human Factors Engineering, Rev. 3” (NUREG-0800). Washington, DC: U.S. Nuclear Regulatory Commission. ML16125A114.

NRC (2015). “NRC Reviewer Aid for Evaluating the Human Performance Aspects Related to the Design and Operation of Small Modular Reactors” (NUREG/CR-7202). Washington, DC: U.S. Nuclear Regulatory Commission, June 2015. ML15182A199.

NRC (2012). “Human Factors Engineering Program Review Model” (NUREG-0711, Rev. 3). Washington, DC: U.S. Nuclear Regulatory Commission, November 2012. ML12324A013.

NRC (2007a). “Guidance for the Review of Changes to Human Actions” (NUREG-1764, Rev. 1). Washington, DC: U.S. Nuclear Regulatory Commission, September 2007. ML072640413.

NRC (2007b). “Demonstrating the Feasibility and Reliability of Operator Manual Actions in Response to Fire” (NUREG-1852). Washington, DC: U.S. Nuclear Regulatory Commission, October 2007. ML073020676

NRC (2001). “Integrated Safety Analysis Guidance Document” (NUREG-1513). Washington, DC: U.S. Nuclear Regulatory Commission, May 2001. ML011440260

NRC (2000). “Standard Review Plan for the Review of an Application for a Mixed Oxide (MOX) Fuel Fabrication Facility” (NUREG-1718). Washington, DC: U.S. Nuclear Regulatory Commission, August 2000. ML003741461

O’Hara, J. & J. Higgins (2010). “Human-System Interfaces to Automatic Systems: Review Guidance and Technical Basis” (BNL Technical Report 91017-2010). Upton, NY: Brookhaven National Laboratory. ML102720251

Roth, E., J. O’Hara, K. Dickerson, & N. Hughes, N. (2022). “Cognitive Task Analysis: Technical Basis and Guidance Development” (RIL 2020-07). Washington, DC: U.S. Nuclear Regulatory Commission. ML22087A406.

APPENDIX D—GRADING

Selecting Applicable STANDARDS AND GUIDANCE DOCUMENTS

In the grading phase, the reviewer identifies the guidance documents and criteria to be applied to each target and human factors engineering (HFE) activity in the scope of the review.

D-1 Selection of Standards and Guidance Documents for the Review

The U.S. Nuclear Regulatory Commission (NRC) has established a substantive body of guidance to support the HFE review of nuclear facilities, including the following:

NUREG-0711, Revision 3, “Human Factors Engineering Program Review Model,” issued November 2012 (NRC, 2012)
NUREG-0700, Revision 3, “Human-System Interface Design Review Guidelines,” issued July 2020 (NRC, 2020)
NUREG-1791, “Guidance for Assessing Exemption Requests from the Nuclear Power Plant Licensed Operator Staffing Requirements Specified in 10 CFR 50.54m,” issued July 2005 (NRC, 2005)
NUREG-1764, Revision 1, “Guidance for the Review of Changes to Human Actions,” issued September 2007 (NRC, 2007)

However, most NRC HFE guidance was developed with large light-water reactors in mind, and few guidance documents specifically address HFE for advanced reactor technologies. As a result, existing NRC guidance may not adequately address some advanced reactor characteristics that the reviewer may target. In other instances, the characteristic may be addressed, but assumptions underlying the guidance about the context (e.g., concept of operations, associated hazard or risk) may not be valid for the current application.

The reviewer addresses such concerns in the grading stage by identifying the guidance standards and documents that best support the HFE review for each facility characteristic and HFE activity to be reviewed. This can be most effectively accomplished by selectively using current NRC guidance (e.g., applicable portions of NUREG guidance, regulatory guides, and interim staff guidance) and augmenting this guidance with consensus standards when necessary to address gaps or recent developments not yet incorporated in agency guidance.

⁰ Table D-1 lists standards and guidance documents, including several NRC NUREGs and NUREG/CRs, that the reviewer may find useful in evaluating advanced reactor applications. The table is not meant to be exhaustive, and other standards and guidance documents not listed may be relevant for a particular review. Table D-1 includes the publication title, keywords, and the domain (e.g., nuclear, aviation). The keywords listed represent principal content but may not reflect the entire scope of the document. Note that table D-1 does not include the NRC’s primary HFE guidance documents (i.e., NUREG-0711 and NUREG-0700) as the table is intended to aid the identification of alternative and supplementary guidance to these NRC guidance documents.

Although table D-1 contains documents from domains other than nuclear power, these guidance documents can be helpful to the review of advanced reactor technologies, for example, where common areas exist. However, the reviewer should be mindful of differences between the application for which the guidance was developed and the application to which it will be applied. These differences may not only be technological, but also may include differences in the concept of operations, work environments, demands on personnel, hazards, and levels of risk. In such circumstances, the reviewer should keep in mind the gaps in the guidance that may result, or the assumptions underlying the acceptance criteria that may no longer apply when using standards or guidance documents for applications other than those for which the document was developed.

The reviewer may also find that an applicant has proposed the use of standards or guidance documents not published or endorsed by the NRC. Non-NRC documents may be preferred, for example, if the document is based on a more recently developed technical basis than the corresponding NRC guidance or if it addresses facility characteristics for which the NRC has no review criteria. For example, if criteria are needed to review a computer-based procedure system, the reviewer may determine that the guidance in Institute of Electrical and Electronics Engineers “IEEE Guide for Human Factors Applications of Computerized Operating Procedure Systems (COPS) at Nuclear Power Generating Stations and Other Nuclear Facilities,” issued June 2022 (IEEE, 2022), is better suited to the procedure system under review than the guidance in NUREG‑0700. It is more recent and addresses aspects of procedure automation not covered in the NRC review guidance.

When using non-NRC guidance, the reviewer should address its validity and independence. The NRC’s HFE guidance is developed and updated using a standard methodology (NRC, 2008). A high priority is placed on establishing the internal and external validity of the guidance. “Internal validity” is the degree to which the guidelines are linked to a clear, well-founded, and traceable technical basis. “External validity” is the degree to which independent peer review supports the guidance. Peer review is a good method of screening guidelines for conformance to generally accepted HFE practices and to industry-specific considerations (i.e., for ensuring that the guidelines are appropriate based on practical operational experience in actual systems). When selecting criteria from standards or guidance documents other than those developed using the NRC guidance development process, the reviewer should assess the validity of the guidelines.

The reviewer should also consider the independence of the criteria. When using industry standards or guidance, there is the possibility that the guidelines are based on a specific vendor’s approach. Review criteria developed by the NRC has a technical basis that is largely independent from industry priorities and concerns.

In cases where an applicant has proposed the use of HFE standards or guidance other than those endorsed by the NRC, the reviewer should consider the internal and external validity of the guidelines in determining whether use of the document could reasonably be expected to support compliance with the applicable NRC HFE requirement(s). The reviewer should also consider any supporting information provided by the applicant. Consistent with appendix A to DANU‑ISG‑2022-01, “Review of Risk-Informed, Technology-Inclusive Advanced Reactor Applications—Roadmap” (NRC, 2024), during preapplication interactions, an applicant could use a white paper to identify any consensus codes and standards or code cases it intends to use and identify any standards or code cases that have not been endorsed or previously accepted by the staff. For any such standards or code cases, the applicant should engage in preapplication discussions to identify areas where additional information may be needed in the application to support the proposed approach.

Whether proposed by the applicant or selected by the reviewer, use of guidance or standards other than those developed or endorsed by the NRC should include the considerations discussed in this section and be chosen in consultation with the reviewer’s supervisor.

Table D-1 lists references reviewers may find helpful as supplements or alternatives to NUREG‑0711 and NUREG-0700. Inclusion of any non-NRC standard or guidance document in this table does not constitute endorsement by the NRC. Conversely, this list should not be considered a complete list of relevant guidance. Omission of a standard from this list does not rule out its possible use.

Table D-1. Additional Consensus Standards and Guidance Documents

Publication	Keywords	Domain
NUREG/CR-3331, “A Methodology for Allocating Nuclear Power Plant Control Functions to Human or Automatic Control”	evaluation; functional analysis and assignment	Nuclear
IEEE-2411, “IEEE Guide for Human Factors Engineering for the Validation of System Designs and Integrated System Operations at Nuclear Facilities”	nuclear power plant; integrated systems; verification & validation (V&V); performance-based validation; human factors engineering (HFE); operation; multistage validation; integrated system validation	Nuclear
IEEE Std 1023-2004, “IEEE Recommended Practice for the Application of Human Factors Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations and Other Nuclear Facilities”	nuclear power plant; human‑system interface (HSI)	Nuclear
NUREG/CR-2623, “The Allocation of Functions in Man-Machine Systems: A Perspective and Literature Review”	human-system interface (HSI); automation; computer-based procedure (CBP); computer-based aids; functional analysis and assignment	Nuclear
EPRI 1008122-2004, “Human Factors Guidance for Control Room and Digital Human-System Interface Design and Modification”	human-system interface (HSI); control room; digital; modification; instrumentation and control (I&C); information display systems; soft controls; alarm; computer-based procedure (CBP)	Nuclear
IEEE 1786-2022, “IEEE Human Factors Guide for Applications of Computerized Operating Procedure Systems (COPS) at Nuclear Power Generating Stations and other Nuclear Facilities”	computerized operating procedure systems (COPS); human-system interface (HSI); procedures; implementation; software	Nuclear
IEEE Std 1289-1998, “IEEE Guide for the Application of Human Factors Engineering in the Design of Computer-Based Monitoring and Control Displays for Nuclear Power Generating Stations”	control room; computer-based procedure (CBP); human-system interface (HSI); display	Nuclear
NUREG/CR-6400, “Human Factors Engineering (HFE) Insights for Advanced Reactors Based Upon Operating Experience”	human-system interface (HSI); advanced reactors; design	Nuclear
NUREG-1791, “Guidance for Assessing Exemption Requests from the Nuclear Power Plant Licensed Operator Staffing Requirements Specified in 10 CFR 50.54(m)”	staff; advanced reactors; automation; crew; review; operational conditions; functional; task analysis; verification & validation (V&V)	Nuclear
NUREG/CR-6634, “Computer-Based Procedure Systems: Technical Basis and Human Factors Review Guidance”	decision-making; computer-based procedure (CBP); human factors design standard; emergency; operation; human-system interface (HSI); procedures	Nuclear
NUREG-1764, “Guidance for the Review of Changes to Human Actions”	modification; risk-informed; human factors engineering (HFE); data analysis	Nuclear
NUREG/CR-7190, “Workload, Situation Awareness, and Teamwork”	workload (WL); situation awareness (SA); evaluation; metrics; teamwork (TW)	Nuclear
EPRI 1003569, “Nuclear Power Plant Control Room Modernization Planning”	nuclear power plant; control room; instrumentation and control (I&C); hybrid control room	Nuclear
EPRI 1003662, “Alarm Processing Methods—Improving Alarm Management in Nuclear Power Plant Control Rooms”	nuclear power plant; control room; alarm; alarm overload	Nuclear
EPRI 1002830, “Information Display: Consideration for Designing Modern Computer-Based Display Systems”	instrumentation and control (I&C); modernization; information display systems; display; control room; human-system interface (HSI); computer-based aids; hybrid control room	Nuclear
EPRI 1003696, “Interim Human Factors Guidance for Hybrid Control Rooms and Digital I&C Systems”	control room; digital; instrumentation and control (I&C); human-system interface (HSI); modernization; implementation; hybrid control room	Nuclear
EPRI 3002004310, “Guidance for Control Room and Digital HSI Design & Modification”	digital; design; instrumentation and control (I&C); control room; modernization; human‑system interface (HSI); modification	Nuclear
IEC 62646: 2016, “Nuclear Power Plants—Control rooms—Computer based procedures”	nuclear power plant; control room; computer-based procedure (CBP); operation; digital; automation; instrumentation and control (I&C); human-system interface (HSI); procedures	Nuclear
IEC-62241: 2004, “Nuclear power plants—Main control room—Alarm functions and presentation”	alarm; human-system interface (HSI); control room; display; alarm overload; nuisance alarms	Nuclear
IEEE 1082-2017, “IEEE Guide for Incorporating Human Reliability Analysis into Probabilistic Risk Assessments for Nuclear Power Generating Stations and Other Nuclear Facilities”	human reliability analysis (HRA); probabilistic risk assessment (PRA)	Nuclear
MIL-STD-46855—Department of Defense Standard Practice: Human Engineering Requirements for Military Systems, Equipment, and Facilities	design; human-system interface (HSI)	Military
NRC Regulatory Guide 1.174, Rev. 3, “An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis”	risk-informed; proposed changes; modernization	Nuclear
IEC 61771: 1995, “Nuclear Power Plants—Main control rooms—Verification and validation of design”	nuclear power plant; main control room; design; modification; control room; remote; shutdown; safety; human-system interface (HSI); verification & validation (V&V)	Nuclear
IAEA DS492, “Human Factors Engineering in the Design of Nuclear Power Plants”	safety; nuclear power plant; operation; design; maintenance; modification; human factors engineering (HFE); human-system interface (HSI)	Nuclear
IEC-60965: 2016, “Nuclear power plants—Control rooms—Supplementary control room for reactor shutdown without access to the main control room”	nuclear power plant; design; functional; requirements; operational; safety; interfaces; staff; crew; personnel; training; procedures; modification; modernization; control room; shutdown; emergency; response; main control room; supplementary control room; human-system interface (HSI); verification & validation (V&V)	Nuclear
IEC-61227: 2008, “Nuclear power plants—Control rooms—Operator controls”	human-system interface (HSI); discrete controls; multiplexed conventional systems; soft controls; control room	Nuclear
IEC-61772: 2009, “Nuclear power plants—Main control room—Application of visual display units (VDUs)”	visual display units (VDUs); control room	Nuclear
IEC-61839: 2000, “Nuclear power plants—Design of control rooms—Functional analysis and assignment”	design; functional analysis and assignment; modification; modernization	Nuclear
IEEE Std 845-1999, “IEEE Guide for the Evaluation of Human-System Performance in Nuclear Power”	human performance measurement; human‑system interface (HSI); maintainability; training	Nuclear
IEEE 1707-2015, “IEEE Recommended Practice for the Investigation of Events at Nuclear Power Generating Stations and Other Nuclear Facilities”	event; investigation; corrective actions; root cause analysis	Nuclear
MIL-STD-1472—Department of Defense Design Criteria Standard: Human Engineering	design; human-system interface (HSI)	Military
“A Guide to Task Analysis” (Kirwan & Ainsworth, 1992)	staff; task analysis; human‑system interface (HSI)	Generic—Task Analysis
ISA-RP60.3-1985, “Human Engineering for Control Centers”	control room; design; accessibility; ergonomic; human factors engineering (HFE); human-system interface (HSI)	Generic—Process Control
EPRI 1007794, “Critical Human Factors Technology Needs for Digital Instrumentation and Control and Control Room Modernization”	control room; digital; instrumentation and control (I&C); human-system interface (HSI); main control room; modernization; hybrid control room	Nuclear
IEC-62954: 2019, “Nuclear power plants—Control rooms—Requirements for emergency response facilities”	nuclear power plant; control room	Nuclear
ANSI/HFES 200-2008, “Human Factors Engineering of Software User Interfaces”	software; accessibility; design; requirements; human-system interface (HSI)	Generic—Ergonomics
IEC-61226: 2020, “Nuclear power plants—Instrumentation and control systems important for safety—Classification”	modernization; instrumentation and control (I&C); design; functional analysis and assignment	Nuclear
ANSI/HFES 100-2007, “Human Factors Engineering of Computer Workstations”	computer workstations; design; requirements; human-system interface (HSI); display	Generic—Ergonomics
ANSI/AIAA G-035A-2000, “A Guide to Human Performance Measurement”	data collection; human performance measurement; data analysis	Aviation
IEC-60964: 2018, “Nuclear power plants—Control room—Design”	main control room; nuclear power plant; design; functional; requirements; operational; safety; interfaces; staff; crew; personnel; training; procedures; modification; modernization; control room; human-system interface (HSI); verification & validation (V&V)	Nuclear
ISO 11064-1:2000, “Ergonomic design of control centres—Part 1: Principles for the design of control centres”	ergonomic; modification; modernization; mobile; control room	Generic—Industry
ISO 11064-2:2000, “Ergonomic design of control centres—Part 2: Principles for the arrangement of control suites”	ergonomic; control room; functional areas; design	Generic—Industry
ISO 11064-3:1999, “Ergonomic design of control centres—Part 3: Control room layout”	layout; control room; design; maintenance; visual display; mobile	Generic—Industry
ISO 11064-4:2013, “Ergonomic design of control centres—Part 4: Layout and dimensions of workstations”	visual display; ergonomic; design; workstation	Generic—Industry
ISO 11064-5:2008, “Ergonomic design of control centres—Part 5: Displays and Controls”	ergonomic; hardware; software; design	Generic—Industry
ISO 11064-6:2007, “Ergonomic design of control centres—Part 6: Environmental requirements for control centres”	environmental; requirements; mobile; functional areas; design	Generic—Industry
ISO 11064-7:2006, “Ergonomic design of control centres—Part 7: Principles for the Evaluation of Control Centres”	ergonomic; assessment; display; human-system interface (HSI); control room; mobile; design	Generic—Industry
Office for Nuclear Regulation (ONR), “Safety Assessment Principles for Nuclear Plants” (2014, 2020), Technical Assessment Guides	safety; assessment; nuclear power plant; design	Nuclear
EPRI 1015089, “Minimum Inventory of Human System Interfaces”	human-system interface (HSI); design; requirements; monitoring	Nuclear
EPRI NP-4350, “Human Engineering Design Guidelines for Maintainability”	maintainability; human factors engineering (HFE); design; plant; modification; safety	Nuclear
Federal Aviation Administration (FAA) HF‑STD-001, “Human Factors Design Standard”	software; accessibility; design; requirements; human-system interface (HSI)	Aviation
ISO 9241-11:1998, “Ergonomic requirements for office work with visual display terminals (VDTs)”	tactile; haptic; physical input; ergonomic; display; human‑system interface (HSI); field assessment; assessment; voice; software; control room; environmental; workstation; design	Generic—Ergonomics
National Aeronautics and Space Administration (NASA)/SP-2010-3407, “NASA Special Publication: Human Integration Design Handbook”	design; crew; human-system interface (HSI)	Aviation
NASA-STD-3001, Vol. 1, “NASA Space Flight Human System Standard Volume 1, Revision A: Crew Health”	crew; health; medical	Aviation
NASA-STD-3001, Vol. 2, “NASA Space Flight Human System Standard Volume 2: Human Factors, Habitability, and Environmental Health”	environmental; hardware; software; procedures; human-system interface (HSI)	Aviation
US DOD-HDBK-743A: 1991, “Anthropometry of US Military Personnel”	anthropometric; ergonomic	Military
INL/EXT-16-39808, “Design Guidance for Computer-Based Procedures for Field Workers”	computer-based procedure (CBP); human-system interface (HSI); design	Nuclear
ANSI/HFES 400-2021, “Human Readiness Level Scale in the System Development Process”	integrated systems; human‑system performance; decision-making	Generic—Human Readiness for Safe/Effec-tive Use of Technology
Draft Part 53 Interim Staff Guidance—Development of Scalable Human Factors Engineering Review Plans	human factors engineering (HFE); scalable HFE; advanced reactors; 10 CFR Part 53	Nuclear
Draft Part 53 Interim Staff Guidance—Operator Licensing or Certification Program	operator licensing; advanced reactors; 10 CFR Part 53	Nuclear
Draft Part 53 Interim Staff Guidance—Augmentation of NUREG-1791 Staffing Plans	staffing; 10 CFR Part 53; advanced reactors	Nuclear

D-2 References

NRC (2024). “Review of Risk-Informed, Technology-Inclusive Advanced Reactor Applications—Roadmap” (DANU-ISG-2022-01). Washington, DC: U.S. Nuclear Regulatory Commission. March 2024. Access and Management System (ADAMS) Accession No. ML23277A139.

NRC (2020). “Human-System Interface Design Review Guidelines” (NUREG-0700, Rev. 3). Washington, DC: U.S. Nuclear Regulatory Commission, July 2020. ML20162A214

NRC (2012). “Human Factors Engineering Program Review Model” (NUREG-0711, Rev. 3). Washington, DC: U.S. Nuclear Regulatory Commission, November 2012. ML12324A013

NRC (2008). “Human Factors Considerations with Respect to Emerging Technology in Nuclear Power Plants” (NUREG/CR-6947). Washington, DC: U.S. Nuclear Regulatory Commission, October 2008. ML083090338

NRC (2005). “Guidance for Assessing Exemption Requests from the Nuclear Power Plant Licensed Operator Staffing Requirements Specified in 10 CFR 50.5m” (NUREG-1791). Washington, DC: U.S. Nuclear Regulatory Commission, July 2005. ML052080125

NRC (2004). “Guidance for the Review of Changes to Human Actions” (NUREG-1764, Rev. 1). Washington, DC: U.S. Nuclear Regulatory Commission, September 2007. ML072640413

APPENDIX E—ASSEMBLING THE REVIEW PLAN

Assembling the review plan involves (1) selecting for review aspects of the facility, its operation, and the human factors engineering (HFE) activities supporting their design, (2) identifying the methods, standards, guidance documents, and resources for conducting the reviews, and (3) establishing the schedule for their completion and documentation. The objective is to develop an approach to the review that leverages the results of the characterization, targeting, and screening activities to support an efficient and effective HFE safety evaluation of the proposed design.

In assembling the review plan, the primary objective should be to select, from the results of the targeting and screening processes, a sufficient set of items for review that will collectively provide a sound basis for the staff to make a reasonable assurance determination concerning the operational safety of the applicant’s design. This guidance provides two strategy alternatives for making these selections.

Strategy A is a matrixed approach in which the review scope includes a mix of design products and a range of design processes (i.e., HFE activities). The review addresses a range of design processes by looking at different sets of processes for different targets. The objective is to collectively sample the full range of the applicant’s HFE activities through reviews of multiple targets. This strategy makes full use of the targeting and screening processes and may be necessary or desirable for applications in which the applicant used HFE activities selectively in its design process.

Strategy B is a longitudinal, or vertical slice, approach to developing the review scope. For each design or operational characteristic (i.e., target) included in the scope of the review, the review addresses all the applicant’s HFE activities associated with each target, from early planning and analysis through implementation and operation. This approach is possible when applicants have implemented a comprehensive or programmatic approach to the application of HFE and may be desirable when the reviewer deems it important to the safety evaluation to address how the applicant implemented HFE throughout the design development process for given targets. Strategy B is similar to a review under NUREG-0711, Revision 3, “Human Factors Engineering Program Review Model,” issued November 2012 (NRC, 2012), but it leverages the targeting process to focus the review scope and the screening process to guide allocation of resources across the review of HFE activities. Strategy B can also be used in conjunction with Strategy A. In such circumstances, Strategy B would be used for selected targets within the Strategy A approach.

Both Strategies A and B ensure that the review scope addresses targets in each location where human activities are expected for performing or supporting the continued availability of the plant’s safety and emergency response functions. This scope supports development of a safety evaluation addressing the application of HFE consistent with the requirements of Title 10 of the Code of Federal Regulations (10 CFR) Part 53, “Risk‑Informed, Technology‑Inclusive Regulatory Framework for Commercial Nuclear Plants.”

E-1 Selection Strategy A (Matrixed Approach)

Select design and operations targets (e.g., interfaces and human actions) for review that collectively represent the applicant’s HFE in all locations where human activities are expected for performing or supporting the continued availability of the plant’s safety and emergency response functions.
For the selected targets, include a mix of design process (i.e., HFE activity) and design product (e.g., human-system interfaces, human actions) reviews.
Within the context of HFE design processes, balance those that are formative (e.g., the planning and analysis elements described in NUREG-0711) with those that are summative (e.g., verification and validation).

E-1.2 Strategy A Rationale

Selecting targets in all locations where human activities are expected for performing or supporting the continued availability of the plant’s safety and emergency response functions will ensure that the scope of the review will align with the scope of the 10 CFR Part 53 requirement for application of HFE. The identification of important human actions should aid the reviewer in identifying the facility locations to be included in the scope of the review plan and ensure that the review addresses the role of plant personnel in safety and emergency response functions. The relative number, frequency, and risk importance or safety significance of the credited actions can be used as a general guide for determining the relative distribution of review resources to be applied to each of the locations. The reviewer should plan to include all important human actions in the scope of the plan unless there is sufficient overlap between the reviews to provide reasonable confidence that a sample will be representative of any excluded actions.

Review of design products and summative processes is in keeping with a performance‑based approach to conducting the review. Review of design processes provides a reasonable basis for a review strategy that relies on sampling, which may be necessary for efficiency and sufficient for a finding of reasonable assurance of safety. By verifying that an applicant’s HFE processes are sound, the reviewer has a basis for confidence that observations and conclusions based on a review of a sample of design products will be representative of the broader design, and those based on a review of validation tests will be indicative of actual operations.

By balancing the review of formative and summative processes, the review will also assess the applicant’s HFE activities in both early and late design development. A balanced review provides a basis for verifying that the results of early analyses are reflected in design products and validated in testing.

E-2 Selection Strategy B (Longitudinal Approach)

Select design and operations targets (e.g., interfaces and human actions) for review that collectively represent the applicant’s HFE in all locations where human activities are expected for performing or supporting the continued availability of the plant’s safety and emergency response functions.
For each of these targets, include in the scope of the review all associated HFE activities that the applicant has planned or conducted.
Distribute review resources across the selected targets and the associated HFE activities commensurate with the results of the assessments conducted during targeting and screening.

E-2.1 Strategy B Rationale

As in Strategy A, selecting targets in all locations where human activities are expected for performing or supporting the continued availability of the plant’s safety and emergency response functions will ensure that the scope of the review will align with the scope of the 10 CFR Part 53 requirement for application of HFE. Also as in Strategy A, the reviewer should plan to include all important human actions in the scope of the plan unless there is sufficient overlap between the reviews to provide reasonable confidence that a sample will be representative of any excluded actions.

Unlike Strategy A, in Strategy B, the review would include all associated HFE activities in its scope. The rationale for this approach is to gain a vertical slice perspective on the applicants’ HFE activities by examining the treatment of the target from the planning and analysis phases of its development through to implementation.

In Strategy B, review efforts are distributed across targets and HFE activities by leveraging the assessments done during targeting and screening. As described in appendix B, the recommended criteria for selecting targets for review are risk importance, safety significance, and uncertainty. Similarly, appendix C guides the reviewer in selecting those HFE activities that are most important to the effective implementation of the aspect of the facility design or operation that is being targeted for review. Appendix C also proposes the use of risk‑informed decision‑making when eliminating HFE activities from the scope of the review. Under Strategy B, the guidance of appendix C can be used to decide the level of resources to dedicate to the review of the HFE activities associated with each of the targets.

E-3 Documenting the Review Plan

After selecting the facility characteristics and HFE activities to be included in the scope of the review, choosing the standards and guidance documents to be applied, and establishing a schedule of review activities, the reviewer should document the review plan. A documented review plan is an important tool for gaining management alignment on the proposed review activities (considering both technical review and project management), communicating plans and expectations with the applicant, coordinating with other NRC technical reviewers with interfacing reviews, and managing the review activities to ensure timely completion.

Exhibit E-3.1 provides an example template for an assembled review plan. This template provides a structured approach to documenting the results of the first four steps in developing a scaled HFE review and the method of developing the review plan. This example review plan template presents an approach to documenting the following:

the type of application
a summary of the characterization process outcomes
relevant regulatory requirements specific to the design and operation of the facility
the guidance documents from which the review criteria will be drawn
the review strategy
the scope of the review and associated review activities
technical review interfaces
the timeline including milestones for management alignment and coordination with reviewers in other technical subject matter areas

Use of the template is an optional method for documenting the review plan; however, alternative methods should include the information listed above. Once the reviewer has drafted a review plan, management approval should be obtained. After initial approval, no substantive changes to the scope, methods, or schedule of the plan should be made without justification and management review.

Exhibit E-3.1 Sample Review Plan Template

Name of Applicant:

Docket No.:

Type of Application: (e.g., Standard Design Approval, Operating License)

Technology Type:

Date Application Accepted for Review:

Targeted Review Completion Date:

Facility Characterization
Summarize or list the identified facility characteristics that are important to the HFE of the design and its operation as developed in accordance with appendix A. The characterization may be presented in either tabular or narrative format.

Regulatory Basis for Review

Document which regulations apply to the application under review, considering the type of application and the applicant’s decision to submit under 10 CFR Part 53 or another regulatory framework. The reviewer may refer to the tables of requirements listed in the Acceptance Criteria section of this ISG, which provides the regulatory basis for each type of application.

Method for Review Plan Development

Briefly describe how this ISG was used to develop the review plan, noting any substantive departures from the guidance. The description should include the strategy for selecting from the results of the targeting and screening processes a sufficient set of items for review that will collectively provide a sound basis for a reasonable assurance determination concerning the operational safety of the applicant’s design and the strategy. If the review will use an alternative approach to the two strategies described in this appendix, the alternative and rationale should be documented.

Scope of Review

Summarize the scope of the review in terms of the design characteristics, operational characteristics, and the applicant’s HFE activities to be included. The summary should demonstrate a scope of review adequate to assess conformance of the application to all regulations cited in section 2.0 of this plan as the basis for the review. The reviewer may present this information in tabular format. Suggested tables include the following:

applicable HFE requirements and corresponding review activities
- A matrix of applicable HFE requirements and corresponding review activities provides a means of ensuring that the plans include a means for verifying compliance with each applicable requirement.
locations where human activities are expected for performing or supporting the continued availability of plant safety or emergency response functions and the design and operations targets selected for review
- A matrix of facility locations for important human actions and the targets selected for review provides a means for verifying that the plan includes a review of the HFE of at least one target in each setting subject to the requirement of 10 CFR 53.730(a).
selected targets and their associated HFE activities (as applicable)
- A matrix of selected targets and the HFE activities to be reviewed in conjunction with each target provides a means for optimizing the efficiency of the plan. Such a matrix will assist the reviewer in identifying instances where the same HFE activity may have been selected for more than one target and coordinating the review efforts for these targets accordingly. If the reviewer finds that the applicant has identified no HFE activities for a target selected for review, the review plan should identify functional or design acceptance criteria. For example, if there is no HFE activity, the reviewer might need to rely on NUREG-0700, Revision 3, “Human‑System Interface Design Review Guidelines,” issued July 2020 (NRC, 2020), or other design standards, or if necessary, request a performance-based validation.

The description of the scope of the HFE review should also include a summary of any design or operational characteristics identified in the characterization as important to human performance but not included in the scope of the review and provide a basis for excluding the characteristics from the scope (e.g., lack of risk significance, reasonable inference of acceptability can be based on other review activity).

The reviewer should consider developing an outline for the HFE input to the safety evaluation report as a means of verifying that the review plan will support development of the input needed for the safety evaluation report.

Standards and Guidance Documents to Be Applied

List the standards and guidance documents that will be used to conduct the review (see table D-1 in appendix D to this guidance for a list of potential documents). The reviewer should note any instances in which the review will use standards or guidance documents that differ from those used by the applicant and the basis for the chosen acceptance criteria.

Review Interfaces

List the subject areas (e.g., operator licensing, instrumentation and control, probabilistic risk assessment) with which this review may interface and describe identified coordination activities.

Schedule of Review Activities

Identify the review activities to be conducted (e.g., document reviews and audits), the technical staff resources to conduct the review (e.g., number of hours for review, technical disciplines), and the schedule for their completion. Additional information to be provided in the schedule should include important milestones such as projected dates for completion and submission of documentation (e.g., results summary reports) for applicant HFE activities, and dates for management review and concurrence. The reviewer should consider using graphical or tabular formats to present the review schedule.

E-4 References

NRC (2020). “Human-System Interface Design Review Guidelines” (NUREG-0700, Rev. 3). Washington, DC: U.S. Nuclear Regulatory Commission, July 2020. Access and Management System (ADAMS) Accession No. ML20162A214

NRC (2012). “Human Factors Engineering Program Review Model” (NUREG-0711, Rev. 3). Washington, DC: U.S. Nuclear Regulatory Commission, November 2012. ML12324A013

APPENDIX F—RESOLUTION OF PUBLIC COMMENTS

[Note: As this interim staff guidance is intended to accompany the 10 CFR Part 53 rulemaking package, stakeholder comments, as well as the resolution of those comments, will be included in the comment resolution document associated with the 10 CFR Part 53 rule.]

1 For a discussion of the benefits of preapplication engagement, see “Pre-application Engagement to Optimize Advanced Reactors Application Reviews,” draft issued May 2021 (NRC, 2021).

2 Tables 1 and 2 are provided as a guide. Reviewers should consult the Code of Federal Regulations to ensure that the review is consistent with the current scope and details of the applicable requirements.

3 In its “Policy Statement on the Regulation of Advanced Reactors,” dated October 14, 2008 (73 FR 60612, 60616), the Commission “encourages the earliest possible interaction of applicants, vendors, other government agencies, and the NRC to provide for early identification of regulatory requirements for advanced reactors and to provide all interested parties, including the public, with a timely, independent assessment of the safety and security characteristics of advanced reactor designs” (NRC, 2008).

4Although this guidance document applies to applications submitted under 10 CFR Part 50 or 52, the staff has similar expectations for preapplication engagements for applications submitted under 10 CFR Part 53.

5 The term “submittal” as used in this document refers to materials provided to the NRC by an applicant. Submittals include applications, portions of applications, and information that is not part of an application but provided for reference.

6 Materials provided during preapplication engagements will likely be undocketed and may change without notice. Regulatory decisions are to be made using docketed information; therefore, the reviewer may need to encourage the applicant to submit materials on the docket either as a topical report, with the license application, in a supplement, or in response to a request for additional information.

7 The project manager and the reviewer’s management should be informed of any potential deficiencies, preferably during preapplication engagements, as it will reduce the need to request additional information during the technical review period.

8 The project manager and the reviewer’s management should be informed of any potential deficiencies identified during the acceptance review, and preferably during preapplication engagements, as early communication will reduce the need to request additional information during the technical review period.

0 The memorandum from M. Doane to D. Dorman, “Implementing Commission Direction on Applying Risk‑Informed Principles in Regulatory Decision Making” (NRC, 2019), gives an overview of seminal policy, guidance, and rules issued by the agency to advance the state of the art in risk-informed decision-making from the 1980s through the early 2000s.

0 The relationship between tasks, jobs, and positions as used in this guidance, and consistent with the description in NUREG-0711, is that tasks are arranged into jobs and assigned to staff positions.

0 As used in this guidance, formative activities are those associated with the planning and analysis phase and design development phase, or equivalents (see NUREG-0711, Revision 3, figure 1-1), and summative activities are those associated with the verification and validation phase and implementation and operation phase, or equivalents.

0 If the reviewer determines that review of an HFE activity is necessary for a reasonable assurance determination of safety (e.g., review of other HFE activities would not provide sufficient basis for the review), and the activity is not addressed by the application, the reviewer should engage with the applicant as early as possible to facilitate acceptance of the application.

0 Although this document focuses on HAs related to fire response, the methods described in the document can be applied to other circumstances as well. For instance, appendix A to NUREG-1852 provides an analytical method for using timelines to estimate how much time an HA will take.

0 NUREG-1513, “Integrated Safety Analysis Guidance Document,” issued May 2001 (NRC, 2001), provides guidance for fuel cycle licensees and applicants, but reviewers will find it also offers useful background on ISAs. The NUREG defines an ISA, identifies its role in a facility’s safety program, identifies and describes several generally accepted ISA methods, and provides guidance in choosing a method.

0 In selecting NRC guidance to use, the reviewer should consider whether the guidance is appropriate for application to the design under review and whether there may be limits to that applicability.

October 2024

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title	Draft ISG Scalable HFE
Subject	July 2022
Author	Casto, Greg
File Modified	0000-00-00
File Created	2024-11-01

10 CFR Part 53, Risk-Informed, Technology-Inclusive Regulatory Framework for Commercial Nuclear Plants