ML21266A192

Technical Letter Report for Subtask D: HFE Review Strategy for Advanced Reactors
Person / Time
Issue date: 09/08/2021
From: David Desaulniers
NRC/NRR/DRO
To:
Desaulniers D
References
31310019N002, 31310020F0028 F0028-03

NRC Agreement Number: 31310019N002
NRC Task Order Number: 31310020F0028
Technical Letter Report No. F0028-03

Human Factors Engineering Technical Support Services

Guidance Development: Process and Guidance Development for Technical Review of Non-Large Light-Water Reactors

Technical Letter Report for Subtask D
HFE Review Strategy for Advanced Reactors

Prepared For:
Division of Risk Analysis
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Prepared By:
John O'Hara (1), Stephen Fleger (2), David Desaulniers (2), Brian Green (2), Jesse Seymour (2) & Amy D'Agostino (2)
(1) Brookhaven National Laboratory, Upton, NY 11798
(2) U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001

This report has been prepared and is being released to support ongoing public discussions. This report has not been subject to NRC management and legal reviews and approvals, and its contents are subject to change and should not be interpreted as official agency positions.

September 8, 2021

List of Figures
List of Tables
Acronyms
1 Background
  1.1 Characteristics of Advanced Nuclear Reactors
  1.2 The Current LLWR HFE Review Strategy
  1.3 NRC's General Approach to Advanced Reactors Reviews
2 Purpose
3 General Approach to the New Review Strategy
4 HFE Review Strategy and Steps
  4.1 General Approach
  4.2 Objectives
  4.3 Review Responsibility
  4.4 Definitions
  4.5 Applicant Submittals
    4.5.1 Concept of Operations
    4.5.2 Approach to Plant Safety
    4.5.3 Important Human Actions
    4.5.4 Facility Characteristics
    4.5.5 Facility Operations
    4.5.6 HFE Requirements in the Code of Federal Regulation
    4.5.7 Design Process
    4.5.8 Technical Issues
  4.6 Conduct Targeting Process
  4.7 Conduct Screening Process
  4.8 Conduct Grading Process
  4.9 Assemble Review Plan and Conduct Review
5 Discussion
6 References
Appendix A: HFE Activities
Appendix B: Concept of Operations Dimensions
Appendix C: Advanced Reactor Technical Issues
  C.1 Identification of Important Human Actions
  C.2 Autonomous Operations
  C.3 Approaches to Staffing
  C.4 HSIs for Monitoring and Controlling the Reactor and Interfacing Systems
  C.5 Remote Operations
Appendix D: Small Modular Reactor Technical Issues
  D.1 Plant Mission
    D.1.1 New Missions
    D.1.2 Novel Designs and Limited Operating Experience from Predecessor Systems
  D.2 Agents' Roles and Responsibilities
    D.2.1 Multi-Unit Operations and Teamwork
    D.2.2 High Levels of Automation for All Operations and its Implementation
    D.2.3 Function Allocation Methodology to Support Automation Decisions
  D.3 Staffing, Qualifications, and Training
    D.3.1 New Staffing Positions
    D.3.2 Staffing Models
    D.3.3 Staffing Levels
  D.4 Management of Normal Operations
    D.4.1 Different Unit States of Operation
    D.4.2 Unit Design Differences
    D.4.3 Operational Impact of Control Systems for Shared Aspects of SMRs
    D.4.4 Impact of Adding New Units While Other Units are Operating
    D.4.5 Managing Non-LWR Processes and Reactivity Effects
    D.4.6 Load-Following Operations
    D.4.7 Novel Refuelling Methods
    D.4.8 Control Room Configuration and Workstation Design for Multi-Unit Teams
    D.4.9 HSI Design for Multi-Unit Monitoring and Control
    D.4.10 HSIs for New Missions
  D.5 Management of Off-Normal Conditions and Emergencies
    D.5.1 Safety Function Monitoring
    D.5.2 Potential Impacts of Unplanned Shutdowns or Degraded Conditions of One Unit on Other Units
    D.5.3 Handling Off-Normal Conditions at Multiple Units
    D.5.4 Design of Emergency Operating Procedures (EOPs) for Multi-Unit Disturbances
    D.5.5 New Hazards
    D.5.6 Passive Safety Systems
    D.5.7 Loss of HSIs and Control Room
    D.5.8 PRA Evaluation of Site-Wide Risk
    D.5.9 Identification of Risk-Important Human Actions when One Operator/Crew is Managing Multiple SMRs
  D.6 Management of Maintenance and Modifications
    D.6.1 Modular Construction and Component Replacement
    D.6.2 New Maintenance Operations
    D.6.3 Managing Maintenance Hazards

List of Figures
  Figure 1.1 Process Model Architecture
  Figure 1.2 NUREG-0711 Key Elements/Activities
  Figure 1.3 ISO 11064-7 Depiction of HFE in the Design Process
  Figure 1.4 IEC 60694 Depiction of HFE in the Design Process
  Figure 3.1 HFE Review Strategy Development
  Figure 4.1 HFE Review Strategy
  Figure 4.2 Use of Detailed Supporting Information
  Figure 4.3 Generic Design Process Stages
  Figure 5.1 Review Strategy Evolution
  Figure B.1 Concept of Operations Model

List of Tables
  Table 1.1 Designs Included in the Reactor Characterization Evaluation
  Table 4.1 HFE Requirements in the Code of Federal
  Table C.1 Example of Levels of Automation for NPP Applications
  Table D.1 Potential SMR Human-Performance Issues

Acronyms

AA: adaptive automation
AC: alternating current
ADAMS: Agencywide Documents Access and Management System (NRC)
ANSI: American National Standards Institute
ARDC: advanced reactor design criteria
BOP: balance of plant
CBP: computer-based procedure
CD: core damage
CDF: core damage frequency
CFR: Code of Federal Regulations
ConOps: concepts of operations
DC: direct current
DID: defense-in-depth
DoD: Department of Defense (US)
DRACS: Direct Reactor Auxiliary Cooling Systems
EBR: experimental breeder reactor
EM2: Energy Multiplier Module
EOP: emergency operating procedure
EP: emergency planning
ESF: engineered safety feature
FMEA: failure mode and effects analysis
FRA: functional requirements analysis
FSAR: final safety analysis report
FSRP: Spent Fuel Dry Storage Facilities
FV: Fussell-Vesely
GDC: General Design Criterion
GA: General Atomics
HA: human action
HED: human engineering discrepancy
HFE: human factors engineering
HRA: human reliability analysis
HSI: human-system interfaces
HTGR: high-temperature, gas-cooled reactors
I&C: instrumentation and control
IAEA: International Atomic Energy Agency
ICCDP: integrated conditional core damage probability
IMSR: Integral Molten Salt Reactor
IN: information notice
iPWR: Integral PWR
IROFS: item relied on for safety
ISA: integrated safety analysis
ISFSI: independent spent fuel storage installations
ISG: interim staff guidance
KP-FHR: Kairos Fluoride Salt-Cooled High Temperature Reactor
kWe: kilowatts electric
LANL: Los Alamos National Laboratory
LBE: licensing basis event
LERF: large early release frequency
LLWR: large light-water reactor
LMP: Licensing Modernization Project
LMR: liquid-metal reactors
LSMR: light-water SMR
MCFR: molten chloride fast reactor
MHA: maximum hypothetical accident
MOX: mixed oxide (fuel)
MSR: molten salt reactor
MWe: megawatts electric
NEI: Nuclear Energy Institute
NEIMA: Nuclear Energy Innovation and Modernization Act
NPP: nuclear power plant
NRC: U.S. Nuclear Regulatory Commission
NSRST: non-safety-related with special treatment
O&M: operations and maintenance
OER: operating experience review
PBMR: Pebble Bed Modular Reactor
PDC: Principal Design Criteria
PIRT: Phenomena Identification and Ranking Table
PRA: probabilistic risk assessment
PWR: pressurized water reactor
RAW: Risk Achievement Worth
RCS: reactor control system
RES: NRC's Office of Nuclear Regulatory Research
RG: regulatory guide
RIHA: risk-important human action
RO: reactor operators
RPS: reactor protection system
RTR: research and test reactor
S&Gs: standards and guidelines
SA: situation awareness
SECY: Commission Paper
SER: safety evaluation report
SME: subject matter expert
SMR: small modular reactor
SPDS: safety-parameter display system
SRP: standard review plan
SR: safety related
SRO: senior reactor operator
SSC: structure, system, and component
STA: shift technical advisor
TEDE: total effective dose equivalent
TRISO: TRi-structural ISOtropic (fuel)
TWRS-P: tank waste remediation system privatization
UAV: unmanned aerial vehicle
V&V: verification and validation

1 Background

1.1 Characteristics of Advanced Nuclear Reactors

In 2019, Congress passed Public Law 115-439, the Nuclear Energy Innovation and Modernization Act (NEIMA) that defined the characteristics of a review process for advanced nuclear reactors. NEIMA defines advanced nuclear reactors as nuclear fission or fusion reactors [1] with significant improvements compared to current commercial nuclear reactors.

Improvements include characteristics such as:

  • additional inherent safety features
  • significantly lower levelized cost of electricity
  • lower waste yields
  • greater fuel utilization
  • enhanced reliability
  • increased proliferation resistance
  • increased thermal efficiency
  • the ability to integrate into electric and nonelectric applications

Advanced reactors represent a much more diverse range of technologies than the large light-water reactors (LLWRs) that characterize the current fleet of commercial nuclear reactors. Advanced reactors include small light-water reactors, non-light-water reactors, small modular reactors, microreactors, and fusion reactors.

Microreactors provide one example of the diversity and the differences of small, advanced reactors when compared with current reactors. Microreactors are small. While LLWRs produce 1000 or more megawatts electric (MWe), small, advanced reactors generally produce less than a few hundred MWe and often much less than that, e.g., power levels on the order of tens of MWe or less (NRC, 2020c). Hence, relative to LLWRs, they are small in terms of electrical production. According to the classification adopted by the International Atomic Energy Agency (IAEA), a small reactor is one with a total possible electrical power of 300 MWe or less. Those delivering between 300-700 MWe are called medium sized reactors (IAEA, 2005, 2006). [2] Many microreactors are transportable, largely self-contained, and require less human control and intervention. Their small and simple design leads to a lower potential for significant accident consequences than LLWRs; thus, the exposure to the public from postulated accidents may be very small (Samanata, Diamond & O'Hara, 2020).

These characteristics make them attractive to users in locations where the nuclear infrastructure is very limited or does not exist at all; thus, providing electricity to locations not on a power grid, like remote communities. Other applications include:

  • providing power to areas where power is needed to deal with emergencies,
  • military applications (where needs for the reactor may not be confined to one place),
  • space applications (where no energy infrastructure exists and little to no maintenance can be performed)

[1] The NRC discusses its regulation of fusion reactors in SECY-09-0064, Regulation of Fusion Based Power Generation Devices (NRC, 2009).

[2] The IAEA uses the abbreviation SMR to mean small and medium reactors.

Small modular reactors (SMRs) are another category of the advanced designs. SMRs are modular. They can be fabricated in a factory and transported to the plant site for assembly.

SMR designs allow individual units to be grouped together to scale up to the energy output needed to meet local demands. For example, if an SMR produces 100 MWe, a utility needing 200 MWe can install two units at a site, while a second one needing 400 MWe can install four, and so on. As future electrical demands change, additional units can be added (or removed) as needed, thereby scaling their number to meet the needs of different communities. SMRs can also serve purposes other than power generation, e.g., hydrogen production.

Advanced reactors include designs that are non-LWR reactors. These reactors do not use light water as a coolant and instead use alternative coolants, such as high-temperature gas, liquid metal, or molten salt.

In addition to advances in reactor technologies, there have been significant increases in the capabilities of digital instrumentation and control (I&C) systems, and the design of human-system interfaces (HSIs) used by operators to monitor and control NPPs. These advances have provided a technology basis for the development of novel concepts of operations (ConOps) that are very different from those used for the previous half century of nuclear power plant (NPP) operations.

Just as technology has continued to advance, so have the methods and tools used by human factors engineering (HFE) practitioners to integrate personnel into plant operations, analyze personnel tasks, design control rooms and HSIs, and evaluate/validate designs.

So, when considering a review process for advanced reactors, all these advances must be addressed.

In addition to the advanced reactor characteristics from NEIMA listed above, we developed an additional characterization of the technical aspects of these reactors based on an evaluation of the reactor designs and the ConOps of eight advanced reactors (O'Hara, 2020a). Table 1.1 contains a list of the designs grouped by reactor technology.

Table 1.1 Designs Included in the Reactor Characterization Evaluation

Reactor Technology: Design
  • Heat Pipe Reactors: Los Alamos National Laboratory MegaPower; Westinghouse eVinci Mobile Nuclear Power Plant; Oklo Power Aurora
  • Helium-Cooled Fast Reactors: General Atomics Energy Multiplier Module (EM2)
  • High-Temperature Gas Cooled Reactors: XE-100
  • Molten Salt Reactors: Kairos Power Fluoride Salt-Cooled High Temperature Reactor (KP-FHR); Terrestrial Energy Integral Molten Salt Reactor; TerraPower Molten Chloride Fast Reactor

The small, advanced reactor characterization developed is general and may not apply to all designs. Thus, in addition to the characteristics identified in NEIMA, the following characteristics were identified:

  • Some are constructed in a factory and transported to the site where needed using the existing transportation infrastructure (e.g., road, rail, or waterway).
  • Some rely on simpler designs, involving fewer systems and moving parts.
  • Some are constructed using a modular approach to simplify maintenance; so when maintenance is needed, modules are instead replaced.
  • Some are self-contained and designed to operate for many years without shutting down, being refuelled, or maintained.
  • Some rely on design features that make them inherently safe, such as natural physical processes that do not require automatic or human intervention.
  • Some result in public exposure from postulated accidents that is much lower than for current reactors.
  • Some may operate at higher temperatures than LLWRs and thus can support new missions, e.g., the production of multiple products in addition to electricity, such as industrial process heat (new missions create new systems, personnel tasks, and workload).
  • Some can be operated in load-following mode.
  • Some can be operated in an SMR configuration and are therefore scalable to meet energy demands; in an SMR configuration there may be shared systems.
  • Some are highly automated, including some that may operate in a fully autonomous mode, and may not require much, if any, human monitoring, control, and intervention.
  • Some may not have a control room in the traditional sense; reactor monitoring and control may be accomplished from simple panels either locally or remotely.
  • Some may be staffed by few or no onsite personnel.
  • Some may rely on staffing organizational structures that are quite different than that described in current regulations and may include different staff positions possibly involving no licensed operators or credited human actions.

These characteristics reflect the significant differences between advanced reactors and the current fleet of LLWRs. They also reflect safety improvements.

Taken together, these differences signify the need for a new approach to licensing reviews (NEIMA, 2019). NEIMA identifies several defining characteristics of a review process for advanced reactors:

For commercial advanced nuclear reactors, the NRC must (1) establish stages within the licensing process; (2) increase the use of risk-informed, performance-based licensing evaluation techniques and guidance; and (3) establish by the end of 2027 a technology-inclusive regulatory framework that encourages greater technological innovation.

1.2 The Current LLWR HFE Review Strategy

In this section, we will briefly review the current LLWR HFE review strategy. The safety review begins when an applicant provides a submittal for NRC's review. The NRC staff will use NUREG-0800, Standard Review Plan (SRP) for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, as guidance for conducting the regulatory review of the applicant's submittal. The staff will use SRP Chapter 18, Human Factors Engineering, as guidance for the HFE review. Chapter 18 references NUREG-0711, Human Factors Engineering Program Review Model, along with other documents, for detailed review criteria.

The overall purpose of the HFE review is to verify that:

  • The applicant integrates HFE into the development, design, and evaluation of the plant.
  • The applicant provides HFE products (e.g., HSIs) that facilitate the safe and reliable performance of operations, maintenance, tests, inspections, and surveillance tasks.
  • The HFE program and its products reflect state-of-the-art human factors engineering principles and satisfy the applicable regulatory requirements.

As discussed in NUREG-0711, an applicant's HFE program provides reasonable assurance of plant safety when it conforms to the following high-level principles:

  • The HFE program is developed and carried out by a qualified HFE design team, using an acceptable HFE program plan.
  • The design is derived from suitable HFE studies and analyses that afford accurate and complete inputs to the assessment criteria for the design process, and the verification and validation (V&V) process.
  • The design is based on proven technology incorporating accepted HFE standards and guidelines and evaluated with a thorough V&V test program.
  • The design is implemented such that it effectively supports operations.
  • The human-machine system is monitored during operation to detect changes in human performance.

NUREG-0711 provides the detailed review criteria to assess whether these high-level principles are achieved. NUREG-0711 is not a design guideline. It is a design process assessment guideline in the same family as other process assessment guidelines and standards, e.g., ISO/TS 18152:2010 (ISO, 2010) and ISO/TR 18529:2000 (ISO, 2000). Process assessment guides consist of a process model which is divided into key elements. Each key element has indicators that represent the best practices for the element and are used as criteria to review the applicant's process. Figure 1.1 depicts a generic process model architecture.

[Figure 1.1 Process Model Architecture: an HFE Process Model divided into Process Elements 1 through n, each with its own Practices a through n]

NUREG-0711's HFE process model is rooted in systems engineering. Systems engineering provides a broad approach to design that is based on a series of clearly defined developmental steps, each with defined goals and with specific management processes to attain them. The development of the HFE model and elements for NUREG-0711 [3] is based on this approach. To begin the NUREG's development, a technical review of HFE guidance and practices was conducted to identify important HFE program elements relevant to the technical basis of a design process review. Several types of documents were assessed:

  • Systems theory and engineering literature representing the theoretical basis for systems engineering, generally applicable to the design and evaluation of complex systems.
  • NPP regulations, NPP HFE standards, guidance, and recommended practices developed by the NPP industry, including the NRC.

From this review, an HFE development, design, and evaluation model was defined. Once specified, the key HFE elements were identified and general criteria with which each can be assessed were developed.

The effective integration of HFE considerations into the design is accomplished by providing a structured top-down approach to system development that is iterative, integrative, and interdisciplinary. It controls the total system development effort for the purpose of achieving an optimum balance of all system elements, including human roles and responsibilities. The approach is consistent with the recognition in the nuclear industry that HFE issues and problems emerge throughout the NPP design and evaluation process and, therefore, HFE issues are best addressed with a comprehensive top-down approach.

Since its original development, NUREG-0711 has been updated three times [4] to improve the comprehensiveness and completeness of the guidance.

[3] See NRC, 1994 for a more complete description of the model's development and for the references for the discussion to follow.

[4] Rev 0, 1994; Rev 1, 2002; Rev 2, 2004; and Rev 3, 2012

NUREG-0711 contains 12 HFE elements as shown in Figure 1.2. For each key element, best practices are provided and serve as review criteria for evaluating the applicant's HFE activities. A brief description of each element is given in Appendix A, HFE Activities. [5]

[Figure 1.2 NUREG-0711 Key Elements/Activities. Column titles: Planning and Analysis; Design; Verification and Validation; Implementation and Operation. Elements shown: HFE Program Management; Operating Experience Review; Function Analysis & Allocation; Task Analysis; Staffing & Qualification; Treatment of Important Human Actions; Human-System Interface Design; Procedure Development; Training Program Development; Human Factors Verification and Validation; Design Implementation; Human Performance Monitoring]

NUREG-0711 is also consistent with other HFE process models in the literature. Applicants use a design process model that is typically based on national and international HFE standards and guidance (S&Gs) documents. HFE S&Gs play an important role in the design and evaluation of complex systems (Karwowski, 2006). Many HFE S&Gs are developed by professional organizations using a consensus process. These organizations include the Institute of Electrical and Electronics Engineers (IEEE), the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and government organizations such as the Department of Defense (DoD) and the Federal Aviation Administration (FAA). Typically, S&Gs are periodically updated to keep them current with lessons learned, new research, and technological developments.

The IEEE is a significant contributor to HFE standards and guidelines. An overview of their recent development efforts is provided by Desaulniers and Fleger (2019). IEEE 1023-2004 (IEEE, 2004) provides a model of the HFE design process. It states that the implementation of HFE in the life cycle activities of nuclear facilities should employ an integrated, systematic approach that considers the human as an integral part of the overall system. The standard provides a generic engineering process model with the following stages:

  • Planning
  • Analysis
  • Specification
  • Testing and evaluation
  • Operations and maintenance

As a generic model, each of the specific stages requires more detailed guidance for implementation, e.g., designers need more detailed guidance to conduct analyses such as function analysis and task analysis. The standard notes that the HFE activities documented should be tailored to the needs and constraints of the specific facility.

5 See NUREG-0711 for detailed information about each of these elements and their review criteria.

Another example of an HFE design model is the Ergonomic Design of Control Centres, ISO 11064 (ISO, 2006). ISO 11064 is a family of standards that establish HFE requirements for control centres, including those for NPPs. The standard describes a comprehensive approach to HFE that is divided into five stages or phases (see Figure 1.3):

  • Phase A - Clarification of goals and requirements
  • Phase B - Analysis (e.g., function, task, and job analysis)
  • Phase C - Conceptual design
  • Phase D - Detailed design
  • Phase E - Real-world validation (e.g., operating experience of the plant)

Each of these phases contains HFE activities that are like the NUREG-0711 elements.


Figure 1.3 ISO 11064-7 Depiction of HFE in the Design Process (Source: Figure 2 from ISO 11064-7: 2006©)

Like ISO 11064, IEC 60694, Nuclear Power Plants - Control Rooms - Design, (IEC, 2009), is a family of standards addressing the HFE aspects of NPP control room design. IEC 60694 distinguishes between functional and detailed design (see Figure 1.4). Functional design includes function allocation (the allocation of functions to personnel or machines), the relationships of personnel and automation, and task responsibilities. Detailed design includes HSIs, e.g., alarms, displays, controls, control room layout, and control room environment. HSIs are validated to ensure they support the operators' functions and tasks.


Figure 1.4 IEC 60694 Depiction of HFE in the Design Process (Source: Figure 2 from IEC 60694: 2009©)

These design standards identify HFE activities that are comparable to NUREG-0711's process assessment model. The fact that different models are based on a common set of HFE activities strengthens our use of these activities in a new review process.

As stated above, applicants use the HFE S&G documents as general guidance to develop models applicable to their needs. The standards typically lack sufficient detail to provide the "how to" guidance needed by designers. In our experience, applicants develop their own vendor-specific design processes (often proprietary) which detail the methodologies for conducting HFE activities.


For the review of LLWRs, the staff uses the full NUREG-0711 model and evaluates each HFE element using the criteria provided. Applicants can propose alternatives to the criteria but must provide justification for the alternative approach. An assessment is made as to the applicant's success in complying with the review criteria for each element.

While the staff's review of LLWRs utilizes a full HFE model/acceptance criteria approach, not all SRPs do. Some use a tailored approach by identifying a subset of elements and HSIs to review. Still others identify HSIs to review without referencing the appropriate HFE review criteria to use in the assessment.⁶ The HF process described in NUREG-0711 can impose substantial costs to applicants when implemented in full. Given the low consequences associated with some small, advanced reactor designs, these costs may not be justified.

1.3 NRC's General Approach to Advanced Reactors Reviews

The NRC is currently preparing for advanced reactor design reviews (NRC, 2020a) and has been for many years. The staff has developed a vision for a new review process (NRC, 2016b) and the plans to realize that vision (NRC, 2016c). The current application and licensing requirements, developed for LLWRs and non-power reactors as outlined in 10 CFR Part 50 and 10 CFR Part 52, do not fully consider the diversity of designs and safety characteristics of advanced reactors (NRC, 2020b). In addition, the NRC has identified policy and technical issues that need to be resolved to support review process development.

The NRC envisions a review process that effectively and efficiently addresses safety, without imposing unnecessary regulatory burden. The process should create a flexible regulatory framework, allowing potential applicants to select a best-fit path towards regulatory reviews and decisions. SECY-20-0032 (NRC, 2020b) identifies a review process that will:

  • continue to provide reasonable assurance of adequate protection of public health and safety and the common defense and security
  • promote regulatory stability, predictability, and clarity
  • establish new requirements to address non-light-water reactor technologies
  • recognize technological advancements in reactor design
  • credit the response of advanced nuclear reactors to postulated accidents, including slower transient response times and relatively small and slow release of fission products

The NRC recognizes that while current guidance can be used, it may not be efficient when applied to advanced reactors (NRC, 2016b):

The NRC is fully capable of reviewing and reaching a safety, security, or environmental finding on a non-LWR design if an application were to be submitted today. However, the agency has also acknowledged the potential inefficiencies for non-LWR applications submitted under 10 CFR Part 50 or Part 52 that are reviewed against existing LWR criteria, using LWR-based processes, and licensed through the use of regulatory exemptions and imposition of new requirements where design-specific review, analysis, and additional engineering judgement may be required.

6 O'Hara, 2020b provides a review of these SRPs.

The NRC has developed a vision and strategy document, along with supporting action plans (NRC, 2016c), that outline the tasks that must be undertaken to advance technical and regulatory readiness for these reviews (NRC, 2016b).

Consistent with the NEIMA requirements, the NRC is developing Part 53 of the Code of Federal Regulations (NRC, 2020d). This rulemaking would create 10 CFR Part 53, Licensing and Regulation of Advanced Nuclear Reactors, in keeping with the NRC vision and strategy report and the statutory provisions in NEIMA Section 103(a)(4).

As discussed above, several characteristics of a review process for advanced nuclear reactors were identified in NEIMA. The characteristics included the identification of stages in the review process; increase in the use of risk-informed, performance-based licensing evaluation techniques and guidance; and a technology-inclusive regulatory framework that encourages greater technological innovation. Additional characteristics are identified in NRC guidance documents. In the near term, the staff will rely on the use of existing guidance for reviews of applicant submittals (NRC, 2016b).

We have summarized the new review strategy in terms of the following characteristics:

  • technology inclusive
  • risk informed
  • performance based
  • staged
  • based on process and methods rather than prescriptive guidance
  • within the bounds of existing regulations
  • flexible
  • scalable
  • supportive of preapplication interactions that occur early and often

Technology Inclusive

The NEIMA defined "technology inclusive" as a regulatory framework developed using methods of evaluation that are flexible and practicable for application to a variety of reactor technologies, including, where appropriate, the use of risk-informed and performance-based techniques and other tools and methods. Thus, the review process should be applicable to all designs and not focused on specific technological approaches.

Risk Informed

NEIMA characterized a review process that is risk informed. A risk-informed process enables both the applicant and NRC staff to focus their attention on those aspects of the design that greatly impact facility risk. It also provides a basis to scale a regulatory review process that is more streamlined than the broad process used for LLWRs.


For HFE considerations, a risk-informed process is needed to (1) assess the potential contribution of human performance to risk, and (2) assess, commensurate with that risk, whether the facility design or design process adequately addresses the risk.

Recognizing that the scope, depth, and quality of applicant PRAs may vary, alternative means of gaining and applying risk-related design insights are needed as well.

Performance Based

The NEIMA characterized a review process that is performance based. HFE reviews have typically relied on two types of performance-based activities: analytical evaluations and data-based evaluations. Analytical evaluations include analyses that provide estimates of human performance using tools such as human reliability analysis (HRA), task analysis, and workload analysis. An example is SRP Chapter 18, Attachment B, which provides a Methodology to Assess the Workload of Challenging Operational Conditions in Support of Minimum Staffing Level Reviews (NRC, 2016f). It is an analytical approach to human performance evaluation that can be applied before more data-based methods can be used.

Data-based methods are used to measure actual human performance. These methods can be used early in the design process to support design decisions, e.g., which of two alarm system designs leads to more rapid event detection. Data-based evaluations can later be performed to support validation tests and other types of evaluations. Data-based methods may use walk-throughs, prototype evaluation, and simulators to provide an environment that approximates what operators and other personnel may encounter.

Staged

The NEIMA stated that the NRC must establish stages within the licensing process. In A Regulatory Review Roadmap for Non-Light Water Reactors (NRC, 2017), the NRC described a flexible non-LWR regulatory review process, including interactions during stages such as the construction permit, operating license, standard design approval, design certification, and combined license. Stages may also be defined to correspond to the applicant's design process, such as conceptual design phase, preliminary design reviews, and verification and validation.

Stages designed with respect to an applicant's design process enable reviews at various levels of completion or maturity.

Based on Process and Methods Rather Than Prescriptive Guidance

The review process that has been used for LLWRs is largely prescriptive since its application is based on designs that had many design features in common across facilities. This will not be the case for advanced reactors. Advanced reactors will be highly diverse and based on varying nuclear system designs, widely varying support system designs, and diverse applications.

Hence, a prescriptive approach is not practical. Instead, the review guidance should be based on a process approach and not a defined set of prescriptive guidelines. In SECY 20-0010, the NRC stated that it intends to develop 10 CFR Part 53 with as few connections as possible to prescriptive or programmatic criteria specified in 10 CFR Part 50 and 10 CFR Part 52 (NRC, 2020b).


Within the Bounds of Existing Regulations

Achieving a new review process, while maintaining the capability to review applications in the near term, will require the development of guidance for a flexible non-LWR regulatory review process within the bounds of existing regulations (NRC, 2016b). Until a new process is available, and changes are made to the existing regulations, the NRC will handle the discrepancies between regulatory requirements and plant design and operations with exemption requests. As SECY 20-0093 (NRC, 2020) states:

In the near term, the staff plans to license micro-reactors under the existing regulations for power reactor licenses in 10 CFR Part 50 and 10 CFR Part 52. Because of the significant differences between large LWRs and micro-reactors, the staff is receptive to requests for exemptions from the existing regulations in the areas above and would evaluate such exemptions on a case-by-case basis using existing agency processes.

While the guidance needs to support near-term reviews, it also needs to support the transition to a new process that meets the NRC's long-term vision. Two of the main considerations for the near-term reviews are whether the current guidance can support (1) reviews of the new characteristics of advanced reactors (see a list of characteristics in Section 1.1 above), (2) exemption requests, and (3) HFE-related technical issues associated with advanced reactors.

Based on our evaluation of available guidance, we concluded that the guidance is only partly sufficient to review advanced reactors (O'Hara, 2021). While guidance is available to support NRC staff reviews of many characteristics of these reactors, there remain issues defining important characteristics that need to be addressed by research. In addition, new issues and needs will also be identified based on applicant submittals. It should be noted that where guidance is somewhat lacking, the staff can perform reviews using engineering judgement, but the process would not have the predictability desired.

As these research needs are met, additional review processes and guidance can be developed and integrated into the overall review process. In this way, near-term review approaches can evolve into the type of advanced reactor review process envisioned by the NRC for long-term review needs.

Flexible

The NRC's vision is to create a flexible regulatory framework, allowing potential applicants to select a best-fit path towards regulatory reviews and decisions (NRC, 2020b). A new review process needs to be flexible to address the wide range of technologies and operational practices that characterize advanced reactors.

Scalable

The HFE review strategy needs to be scalable. A scalable process is one that can be designed to be a full HFE review, like HFE reviews of LLWRs; a minimal review when there are few human actions; or anything in between.


Supportive of Preapplication Interactions That Occur Early and Often

Given the diverse characteristics of advanced reactors, the NRC will encourage applicants to begin interacting with the staff early in the application process (NRC, 2017). This is consistent with a staged approach and will support a timelier understanding of the applicant's design and ConOps.


2 Purpose

The purpose of this phase of the research is to develop a technical strategy for the review of the HFE aspects of advanced reactors. Depending on the applicant's submittal, some HFE activities used in typical LLWR reviews may not be needed; others may only be needed at a high level, while others may be needed in detail.

The review strategy will provide the framework for conducting HFE reviews of advanced reactors that will be robust enough to accommodate their diverse design and operational characteristics. It will also be consistent with the characteristics envisioned for a new review process.


3 General Approach to the New Review Strategy

HFE is an integral part of the NRC's regulatory review process. The new HFE review strategy is based on the inputs that are shown in Figure 3.1.

Figure 3.1 HFE Review Strategy Development (panels: Inputs to the Development of an HFE Review Strategy [Reactor Characteristics; 10 CFR HFE Requirements; NRC SRPs for the HFE Aspects of Nuclear Facilities; NEIMA Requirements; NRC Vision for Non-LWR Reactor Review Guidance]; Specification of an HFE Review Strategy [HFE Review Process: technology inclusive, risk-informed, performance based, staged, based on process and methods, within existing regulations, flexible, scalable, preapplication interactions; HFE Review Criteria]; Evolution of the Review Strategy [Lessons Learned Performing Reviews; Emerging Technical Basis Supporting Reviews from NRC and Industry Research; New Regulatory and Industry Positions])

The HFE review strategy is informed by the following:
  • The characteristics of small, advanced reactors.
  • HFE requirements defined in the Code of Federal Regulations (CFR) (e.g., 10 CFR 50.54(m) which specifies minimum licensed operator staffing requirements).
  • The guidance contained in SRPs.
  • The requirements set forth by NEIMA.
  • The NRC's general vision for advanced reactor licensing (see Section 1.3).

A review strategy consists of a process and review criteria (acceptance criteria). To develop a new HFE review strategy for advanced reactors, the review process and the acceptance criteria were decoupled to allow the strategy to be adapted to the diversity of design and operational characteristics. The review process can be applied to any reactor (and non-reactor facilities) and used to identify review criteria which can vary based on the needs of the specific design under review.

The strategy must comply with the overall characteristics of the new review strategy presented in Section 1.3 and listed under HFE Review Process in Figure 3.1. The strategy can also evolve as experience and new information become available. That is, the process is fixed, but the review criteria are not and can evolve as new information becomes available.


4 HFE Review Strategy and Steps

This section describes the new HFE review strategy. It begins with an overview of the entire process, then presents each aspect of the process in detail. The section is intended to provide a basis for the development of interim staff guidance for advanced reactor HFE reviews. Some of the material in the previous sections of this report is repeated here where needed as part of the review process.

4.1 General Approach

The HFE review is initiated when an applicant makes a submittal. The expected contents of the submittal are discussed in Section 4.5.

The HFE review consists of a series of steps culminating in the development of a facility-specific review plan and an HFE review using the plan (see Figure 4.1). The steps are:

  • Review Applicant Submittals
  • Conduct Targeting Process
  • Conduct Screening Process
  • Conduct Grading Process
  • Assemble Review Plan and Conduct Review

Figure 4.1 HFE Review Strategy (review process: Review Applicant Submittals, Conduct Targeting Process, Conduct Screening Process, Conduct Grading Process, Assemble Review Plan and Conduct Review; review criteria: Design Process Guidance [key HFE activities, e.g., task analysis; guidance and review criteria; resources: NUREGs-0800, -0711, -1764, -1537, IEEE-1023, IEC 60694] and Product Guidance [key facility, HSIs, procedures, design characteristics; guidance and review criteria; resources: NUREGs-0700, -1537, IEEE 1786, ISO-11064])

Unlike LLWR reviews, the new HFE review strategy is process based and not dependent on deterministic application of a review methodology and criteria. Using this process, the NRC staff defines a review plan that is uniquely tailored to the facility being reviewed. The most significant difference between this new strategy and that used for LLWRs is the role of existing review guidance, such as NUREGs-0800, -0711, and -0700. For LLWR reviews, the guidance in these NUREGs is used to structure the review activities. As discussed above, NRC reviewers follow the guidance in them to request information from applicants and to review their submittals. In this sense, the review is largely deterministic. Applicants are expected to provide information demonstrating how their design process and products conform to the NRC's guidance or to provide justification as to why their alternative approach is acceptable.

In the new approach, the existing review elements and criteria do not structure the review process. Instead, they serve as resource material the reviewer can use, if appropriate.

However, the guidance can be omitted if the reviewer determines it is not applicable to the design being reviewed.

The approach to defining an HFE review strategy is to make the review process itself streamlined, while pointing reviewers (and applicants) to more detailed information that can be consulted to help ensure key design and operational characteristics and HFE activities are addressed. There is detailed technical information provided in four appendices (see Figure 4.2).

The information contained in the appendices can be consulted by the staff to support the review. It is informative, not mandatory. Some examples follow to illustrate the relationship of the review process to the supporting information.

  • Reviewers can identify key HFE activities by consulting Appendix A. Appendix A provides a list of HFE activities and the purposes of each. A reviewer can consult the list to aid in identifying which are appropriate to the applicant's design efforts. Reviewers are not constrained to the list of activities in Appendix A; rather, the list is intended to provide an overview of possible activities the applicants may have included in their HFE design efforts. Other HFE activities may be used as well.

  • An important characteristic of advanced reactors is the human role in safety function management. Reviewing this facility characteristic is supported by Appendix C.1, Identification of Important Human Actions, and Appendix D.5.6, Passive Safety Systems.
  • Automation is a key design feature of advanced reactors. Reviewing this characteristic is supported by Appendix C.2, Autonomous Operations, and Appendix D.2, Agents' Roles and Responsibilities. As used in this document, "agents" refers to personnel or automation (or any combination thereof) that are responsible for completing a plant function.

An advantage of separating the more detailed information about HFE activities and technical issues into appendices rather than embedding the information into the review process is that it can be revised and updated, as needed, rather than modifying the review process itself. The process can remain stable despite changes in the technical information it references.


Figure 4.2 Use of Detailed Supporting Information (review process steps shown alongside the detailed supporting information: Appendix A - HFE Activities; Appendix B - Concept of Operations Dimensions; Appendix C - Technical Issues; Appendix D - Small Modular Reactor Human Performance Issues)

4.2 Objectives

The overall purpose of the staff's HFE review is to verify that the applicant integrates appropriate HFE activities into the development, design, and evaluation of the facility.

  • The applicant provides HFE products (e.g., HSIs) that facilitate the safe and reliable performance of operations, and support tasks such as aligning system components, performing inspections, tests, maintenance, and surveillance tasks.

The state-of-the-art human factors principles are those currently accepted by human factors practitioners; here, "current" refers to the time when a plan or product is prepared. "Accepted" is regarded as a practice, method, or guide that is (1) documented in the human factors literature within a standard or guidance document that underwent a peer-review process, or (2) is justified through scientific research and/or industrial practices.


For applicants whose designs have multiple important human actions, the HFE activities provide reasonable assurance of facility safety when they conform to the following high-level principles:

  • The applicant's HFE activities are developed and carried out by qualified HFE personnel, using an acceptable HFE plan.
  • The HFE aspects of the design are derived from HFE studies and analyses that afford accurate and complete inputs to the assessment criteria for the design process and verification and validation (V&V) of the design.
  • The design is based on proven technology incorporating accepted HFE standards and guidelines and evaluated with a thorough V&V test program.
  • The design is implemented such that it effectively supports facility operations.
  • The facility is monitored during operation to detect changes in human performance.

For designs that have few, if any, important human actions, the applicant's HFE activities may be very limited. For such applications, the above list has to be modified as well. The review process is scalable to reflect the degree to which human actions are vital to the performance of safety functions.

4.3 Review Responsibility

The HFE staff has the primary review responsibility. They are supported by other NRC technical specialists, such as I&C, accident analysis, and PRA, as necessary.

4.4 Definitions

This section contains definitions of the terms used in the review strategy description. Some of these terms may be used in other documents with slightly different meanings. We recognize these definitions are somewhat arbitrary, so defining them as they are used here is important to achieve clarity.

Strategy - The high-level approach to conducting a safety review. A strategy consists of a review process, review criteria, and a means of evolving the strategy as new information becomes available.

Design process - The steps used by the applicant to design the facility.

Review process - The steps followed by the NRC staff to conduct a safety review. The process itself is independent from the review criteria used to evaluate an applicant's submittal.

Review criteria - The explicit criteria used by the NRC staff to evaluate an applicant's submittal.


Targeting - Targeting is the process by which the HFE staff identifies aspects of the applicant's design and operations that warrant an HFE review.

Screening - Screening is the process by which the HFE staff identifies HFE activities, such as function analysis and task analysis, for review.

Grading - Grading is the process by which the HFE staff identifies the appropriate acceptance criteria to use for the review.

4.5 Applicant Submittals

Applicant submittals initiate the review process. The submittal must have the information needed by the NRC staff to conduct the review. Characterization should be initiated during pre-application engagement and completed as part of the application acceptance review. Review of the characterization should confirm that sufficient information is available to understand the facility design for purposes of a licensing review. Where the application lacks sufficient detail, interactions with the applicant are necessary to obtain what is needed.

This section describes the expected content of applicant submittals. The topics include:

  • ConOps
  • Approach to Plant Safety
  • Identification of important human actions
  • Facility Characteristics
  • Facility Operations
  • Compliance with HFE Requirements in the Code of Federal Regulations
  • Design Process
  • Technical Issues

Given the diversity of small, advanced reactors, flexibility is required with respect to the contents of the submittal for a specific facility design. The expected contents as described here are applicable to a facility with numerous important actions and HFE activities. The applicant's description should be scaled to the extent the design relies on human action to ensure safety.

Thus, for facilities with little human involvement, the submittal's contents may vary from what is described in this section. Applicants should address each topic, even to indicate that a particular topic is not applicable. The applicant should address in greater detail those topics discussed below that are applicable to their design.

HFE-related information may be in other (non-HFE) submittals as well. The applicant can provide cross-references to them as appropriate. There also may be information obtained from pre-application activities that can be identified in the applicant's submittal. Early engagements between the staff and applicants are encouraged. For the NRC staff, these pre-application activities, such as audits, public meetings, and results of preliminary reviews, help to establish an understanding of the design and the applicant's planned interactions with the staff. For the applicant, the pre-application activities provide an opportunity to clarify the staff's questions, and to better understand the review process so that the information needed to support the reviews will be provided.


When applicants plan multiple submittals, they should describe the expected content and timing of each. They may submit information about the design of their facility in stages. The stages can reflect regulatory stages, such as construction permit, operating license, standard design approval, design certification, and combined license. Alternatively, they may use design process stages such as requirements definition, subsystem design, and integrated system design (see Figure 4.3). Such an approach to design staging is consistent with international standards such as ISO 11064-7 (ISO, 2006). In our experience, applicants are likely to have their own vendor-specific process, informed by industry standards and practices. Applicants should describe the relationship between their stages and submittals to the staff.

Figure 4.3 Generic Design Process Stages

4.5.1 Concept of Operations

Applicants should describe their ConOps for the facility. A ConOps identifies the high-level facility missions and goals and the functions and operational practices needed to manage both normal and off-normal situations. It identifies expectations related to human performance. A ConOps identifies the interactions of personnel with a facility that helps ensure that safety systems will function correctly when needed. The ConOps guides the formation of requirements, the detailed design, and the evaluation of the system. Thus, the facility ConOps provides a broad view of facility purpose, design, and operations. A more detailed discussion of key HFE areas of interest is addressed in subsequent sections.

The following six ConOps dimensions are applicable to most designs:

  • Facility Missions
  • Agents' Roles and Responsibilities
  • Staffing, Qualifications, and Training
  • Management of Normal Operations
  • Management of Off-normal Conditions and Emergencies
  • Management of Maintenance and Modifications

Each of the dimensions is briefly described below. More detailed descriptions are provided in Appendix B.

Applicants may have their own ConOps model that differs from the one described here. Alternate ConOps may be acceptable so long as the content of their document addresses the considerations reflected in the dimensions described below.

Facility Mission

A ConOps reflects top-down design considerations. At the top is the facility's mission and the high-level goals which drive all aspects of the design, including the technological infrastructure needed to support them.

Agents' Roles and Responsibilities

This dimension clarifies the relative roles and responsibilities of all agents, namely, personnel and automation, and their relationship. Defining human roles and responsibilities, especially those that are important human actions, is the first step toward integrating humans and systems, and the step from which other aspects of the ConOps should flow.

Automation is a key feature of advanced reactors that can result in significant changes from the traditional role of personnel in plant operations. This is a complex issue with many human performance considerations:

  • allocation of functions
  • identification of human actions (HAs) needed to support autonomy
  • management of degraded conditions and automation failures
  • staffing decisions related to autonomous operations
  • HSI designs to support automation-related HAs

These issues are fully described in Appendix C.2. The applicant should identify how their facility's automation is implemented regarding these issues.

Staffing, Qualifications, and Training

This dimension addresses the number and capabilities of staff needed to accomplish the human roles and responsibilities. Staffing should consider organizational functions, including operations, maintenance, and security. Staff positions and the qualifications necessary for each should be defined.

Staffing is currently prescribed by 10 CFR 50.54(m) requirements, which are based on LLWR operations. The design and operational differences between small, advanced reactors and LLWRs have led designers to propose alternative approaches to staffing. Some new approaches may raise issues with current regulations. For example, current regulations require that the operation of reactivity controls be performed only by licensed operators and that the manipulation of HSIs that can affect power level can only happen if authorized by a licensed operator [per 10 CFR 50.54(i), (j), (k), and (m)]. Some advanced reactor designs may use non-licensed personnel to perform these tasks. Others may eliminate human operators as a diverse means of defense-in-depth for the assurance of reactor safety. However, if operator action is not a means of DID, some other means of DID is still needed.

Issues related to staffing and qualifications for small, advanced reactors have been widely recognized, as has the need for updated regulatory review guidance. Until such guidance is developed, staffing issues have to be addressed in each review. The considerations characterizing this issue include:

  • alternative staffing approaches
  • training and qualification
  • beyond control room staffing

These issues are fully described in Appendix C.3.

Management of Normal Operations

This dimension encompasses three main considerations: identifying key scenarios; identifying the tasks needed to perform them; and identifying the HSIs and procedures necessary to support personnel tasks.

Management of Off-Normal Conditions and Emergencies

This dimension addresses many of the same considerations discussed with respect to normal operations (key scenarios, tasks, and supporting HSI resources), except the conditions are atypical. Considerations include:

  • emergencies that may impact safety
  • loss of facility systems for which compensation is needed
  • failed equipment, such as pumps and valves
  • degraded I&C and HSI conditions such as a faulty sensor, loss of an aspect of automation, or degradation of a workstation
  • human actions needed to address these conditions

Management of Maintenance and Modifications

This dimension encompasses the installation of facility upgrades, maintenance, and configuration management. Like the previous two dimensions, personnel tasks and how the HSIs and procedures support those tasks are considered.

4.5.2 Approach to Plant Safety

The applicant should describe the plant safety functions and the reactor and protection systems that support them. The description should include the identification of the most important transients, how rapidly they evolve, and how they are managed.

The role of automation, passive systems, and inherent safety characteristics should be identified. The applicant should also describe the role of personnel in the achievement of safety goals, whether that role includes direct or backup actions.

4.5.3 Important Human Actions

A key input to scaling the review is the presence of important human actions in facility operations. The applicant should identify all important human actions, the methodologies used to identify them, and how they were addressed by designers to ensure they will be reliably performed when needed.

As noted earlier, one of the goals of the NRC's safety program has been to use risk analyses to prioritize activities. This helps to ensure that regulators and licensees focus efforts and resources on those activities that best support reasonable assurance of adequate protection of the public's health and safety. Risk-informing the review process is also emphasized in the NEIMA requirements. From an HFE perspective, a risk-informed process is needed to (1) assess the potential contribution of human performance to risk, and (2) commensurate with that risk, assess whether the facility design adequately addresses the risk.

A risk-informed process also provides a basis to identify a regulatory review process that is more streamlined than the broadly scoped process used in LLWR reviews. HFE contributes to this goal by applying a tailored design review focusing greater attention on HAs most important to safety.

According to NUREG-0711, important HAs consist of those actions that meet either risk or deterministic criteria:

  • Risk-important human actions - Actions defined by risk criteria that plant personnel use to assure the plant's safety. There are absolute and relative criteria for defining risk-important actions. For absolute ones, a risk-important action is any action whose successful performance is needed to reasonably assure that predefined risk criteria are met. For relative criteria, the risk-important actions are defined as those with the greatest risk compared to all human actions. The identifications can be made quantitatively from risk analyses, and qualitatively from various criteria, such as concerns about task performance based on considering performance-shaping factors.
  • Deterministically-identified human actions - Deterministic engineering analyses typically are completed as part of the suite of analyses in the FSAR/DCD in Chapters 7, Instrumentation & Controls, and 15, Transient and Accident Analyses. These deterministic analyses can credit human actions.

Risk Analyses

Identifying important human actions using risk models, such as PRA, is based on modeling, quantification, and criterion selection. Models represent plant components and their interconnections. Human actions are included in the models where appropriate. The modeling is not an HFE activity; however, HFE can provide inputs to modelers. HFE reviewers should work with NRC risk analysis SMEs to determine the correctness and completeness of the applicant's modeling of human action.

The second aspect of PRA that is important to the identification of risk-important human actions is quantification. Error probabilities are assigned to all components and human actions. Human error probabilities are determined through methods such as human reliability analysis (HRA).

The analyst evaluates the human action by examining the time available, task demands, performance shaping factors, and factors such as teamwork. The human error probabilities are included in the models.

The third consideration is the determination of the selection criterion. This is the criterion for identifying a human action as important. There is no universally agreed upon criterion for determining importance; it is established on a case-by-case basis.

If the model is poor and does not adequately include human actions, if the quantification of human error probability is poor, or if the selection criterion is unreasonable, then the ability to identify risk-significant HAs is severely compromised.

In addition to standard PRAs, applicants may perform modified PRAs (see discussion in C.1, Identification of Important Human Actions) and other types of risk analyses, such as Integrated Safety Analyses (ISAs). ISAs focus on identifying items relied on for safety (IROFS). IROFS can include HAs. Both the CFR and several SRPs identify ISAs as acceptable analysis methods. An issue arises in the use of ISAs for assessing HAs. ISAs can mask HAs by identifying them as component failure, e.g., modeling a pump failure in the ISA where it is really a failure of personnel to start the pump. While specific HFE guidance is not presently available to review this type of analysis, reviewers can apply the approaches used by previous NRC reviews, such as the review of the MOX facility, to determine an appropriate review strategy for the facility currently being reviewed.

Deterministic Analyses

Deterministic engineering analyses are also used. These are completed as part of the applicant's transient and accident analyses. These analyses identify HAs that are credited in the analyses to prevent or mitigate the accidents and transients. These HAs may, or may not, be identified in the risk analyses. Nonetheless, all credited HAs should be considered important HAs.

Important HAs may also be identified when applicants perform diversity and defense-in-depth (D3) analyses. D3 analyses are performed to demonstrate that a design adequately addresses vulnerabilities to common cause failures in digital I&C systems (NRC, 2009). The applicant may identify backup systems involving HAs necessary for accomplishing required safety functions.

In general, the applicant's analysis should identify back-up HAs for safety functions that are part of the facility's defense-in-depth (DID). These HAs should be treated as important human actions.

Applicants should also identify technical support actions that were not picked up in other analyses. These can include actions such as performing and verifying system line-ups necessary for the performance of safety functions. They may also include maintenance actions, post-maintenance tests, and surveillances required for verifying and maintaining the capabilities of systems supporting facility safety. Such HAs are applicable to fully autonomous systems and passive systems in performing their safety functions (even those with no credited human actions). HFE contributes to processes designed to ensure the reliability of these human actions.

Thus, important HAs can be identified through numerous types of risk and deterministic analyses. The HFE reviewer should verify that the approach used by the applicant is appropriate and complete so there is reasonable assurance that important human actions have been identified.

Complicating the identification of important HAs is the fact that the means of managing off-normal events is different for advanced reactors when compared to LLWRs. In current plants, managing off-normal events typically involves a combination of automation and HAs. Many advanced reactors depart from this approach. Instead, they rely on inherently safe design features and passive safety systems which do not rely on human actions.

There are several technical issues to be addressed when important human actions are identified. These issues are characterized by concern that important human actions may not be identified. The identification of important human actions may be complicated by several factors:

  • Use of non-traditional risk analysis methods
  • Lack of supporting analyses used to identify human tasks
  • Identifying the human role in managing safety functions in new systems

These issues are fully described in Appendix C.1. The applicant should address these considerations in their application.

4.5.4 Facility Characteristics

The applicant should describe the design of the HSIs, workstations, and workplaces (including local control stations and technical support centers). The HSIs are used by personnel in performing their functions and tasks. Major HSIs include alarms, information displays, and controls. Each type of HSI is characterized in terms of its important physical and functional characteristics. Use of HSIs is influenced by (1) the organization of HSIs into workstations, including consoles and panels; (2) the arrangement of workstations and supporting equipment into workplaces such as a main control room, remote shutdown station, local control station, technical support center, and emergency operations facility; and (3) the environmental conditions in which the HSIs are used, including temperature, humidity, ventilation, illumination, and noise. Also important is the siting of monitoring and control functions.

There are two aspects of facility characteristics that should be given special attention. The first is those characteristics that directly influence the performance of important human actions. For example, specific alarms, displays, and controls may be necessary to perform an important HA.

The second aspect of facilities that requires special attention is novel designs, such as a new alarm system that is based on novel processing techniques. Another example is a facility design with no control room or where the facility is unmanned. Novel characteristics may not be modeled well in risk analyses or evaluated deterministically. Applying HFE activities to such characteristics can help provide reasonable assurance that the novel characteristics are acceptably implemented and operationally acceptable. The applicant should identify novel characteristics and the basis for each should be described. They should also identify if any are used in the performance of important human actions.

Facility characteristics that directly influence the performance of important human actions and are based on novel design features should be given special attention.

Some small, advanced reactor designers may have few safety-related HAs and there may be an overall reduction in the HAs needed for monitoring and controlling the facility when compared with current facilities. This will have profound implications for the design of the control room and HSIs. In fact, a traditional control room may not be necessary. What also needs to be considered are the HAs needed for monitoring and control of the interfacing systems, such as balance of plant (BOP) systems and those of other missions like generation of industrial heat.

Applicants should describe how their facility design addresses these issues, which are fully described in Appendix C.4.

4.5.5 Facility Operations

The way the facility will be operated should be described. The description should include all phases of operation, including the human role in normal, off-normal, and emergency conditions.

In addition to operational phases, the description should include support tasks such as aligning system components, as well as inspections, tests, maintenance, and surveillance.

Aspects that require special attention are those involving important HAs and novel operations, such as a unique way of responding to an emergency based on new systems to mitigate the emergency. Like novel facility characteristics, novel operations may not be modeled well in risk analyses or deterministic analyses. Applying HFE activities to such characteristics can help provide reasonable assurance that the novel operations are acceptably implemented and operationally acceptable. The applicant should identify facility operations involving important HAs and novel operations and the basis for each should be described.

Applicants should identify any remote operations. A decision to locate HSIs at a remote location may be informed by the analysis of how HSIs are used for monitoring and controlling the facility.

Such a ConOps is not addressed in current regulations or review guidance. At present, the HFE requirements for remote operations are not known and give rise to questions such as:

  • Will HSIs have to be modified from what they would be if located on-site?
  • If remote operations means that there are no operations personnel onsite, then how will the lack of local operations staff be compensated for?

If planning on remote operations, the applicant should interact with the staff early in the preapplication stage. Issues related to remote operations are fully described in Appendix C.5.

4.5.6 HFE Requirements in the Code of Federal Regulations

The applicant should describe how their design complies with the HFE requirements in the Code of Federal Regulations. The requirements are summarized below. In cases of non-compliance, the applicant should include an exemption request in their application.

Federal regulations are contained in the CFR. Title 10 addresses Energy and contains the regulations pertaining to the NRC. Several of the regulations address the HFE aspects of nuclear facilities. 10 CFR Part 50, Appendix A, General Design Criteria (GDC) 19 specifies the need for and characteristics of a control room (discussed further below).

For commercial NPPs, one of the more important HFE regulations is 10 CFR 50.34(f)(2) (and 10 CFR 52.47(a)(1)(ii)) (refer to Table 4.1 for a description). An applicant is required to:

(iii) Provide, for Commission review, a control room design that reflects state-of-the-art human factor principles prior to committing to fabrication or revision of fabricated control room panels and layouts.

Note that 50.34(f)(2)(iii) does not apply to new Part 50 applicants, whereas it does apply to Part 52 applicants. An update to this requirement is being addressed in the Part 50/52 and Part 53 rulemaking.

In addition to the general control room requirement in 10 CFR 50.34(f), there are other CFR requirements that involve HFE (see Table 4.1).

Table 4.1 HFE Requirements in the Code of Federal Regulations

Regulations Addressing General Requirements Related to the Main Control Room

  • 10 CFR 50.34(a)(6) - a preliminary plan for the applicant's organization, training of personnel, and conduct of operations
  • 10 CFR 50.34(f)(2)(ii) - continuing improvement of HFE and procedures
  • 10 CFR 50.34(f)(2)(iv) - safety parameter display system
  • 10 CFR 50.34(f)(3)(i) - use of operating experience
  • 10 CFR 50.54 (i) to (m) - staffing
  • 10 CFR 52.47 - level of detail required in DCs
  • 10 CFR 52.47(a)(8) - inclusion of 10 CFR 50.34(f) for Part 52 applications
  • 10 CFR 52.79 - content of COL applications

Specific Requirements Related to the Main Control Room

  • 10 CFR 50.34(f)(2)(v) - automatic indication of the bypassed and operable status of safety systems
  • 10 CFR 50.34(f)(2)(xi) - relief and safety valve indication
  • 10 CFR 50.34(f)(2)(xii) - auxiliary feedwater system flow indication
  • 10 CFR 50.34(f)(2)(xvii) - containment related indications
  • 10 CFR 50.34(f)(2)(xviii) - core cooling indications
  • 10 CFR 50.34(f)(2)(xix) - instrumentation for monitoring post-accident conditions that includes core damage
  • 10 CFR 50.34(f)(2)(xxi) - auxiliary heat removal (Boiling Water Reactor only)
  • 10 CFR 50.34(f)(2)(xxiv) - reactor vessel level monitoring (Boiling Water Reactor

This table contains a list of HFE-related requirements in the CFR and listed in the SRP Chapter 18.

10 CFR Part 50, Appendix A, General Design Criteria for NPPs serves as the fundamental criteria used by the NRC when reviewing the structures, systems, and components (SSCs) that make up an NPP design. The GDC requirements establish the necessary design, fabrication, construction, testing, and performance requirements for SSCs that are important to safety.

Taken together, when met they provide reasonable assurance that an NPP can be operated without undue risk to the health and safety of the public.

GDC 19 addresses the need for and characteristics of a control room. It states:

Criterion 19 - Control room. A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents. Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem whole body, or its equivalent to any part of the body, for the duration of the accident. Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures.

Applicants for and holders of construction permits and operating licenses under this part who apply on or after January 10, 1997, applicants for design approvals or certifications under part 52 of this chapter who apply on or after January 10, 1997, applicants for and holders of combined licenses or manufacturing licenses under part 52 of this chapter who do not reference a standard design approval or certification, or holders of operating licenses using an alternative source term under § 50.67, shall meet the requirements of this criterion, except that with regard to control room access and occupancy, adequate radiation protection shall be provided to ensure that radiation exposures shall not exceed 0.05 Sv (5 rem) total effective dose equivalent as defined in § 50.2 for the duration of the accident.

In recognition of the differences between LLWRs and the small, advanced reactors, the NRC has proposed modifications to GDC 19 in Regulatory Guide 1.232. RG 1.232 (NRC, 2018a) discusses how the GDC can be adapted to non-LWRs resulting in advanced reactor design criteria (ARDC). The revised criterion 19 still defines a control room and does not consider a situation where a control room may not be needed. It states (changes are shown in italics):

ARDC 19 - A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions. Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem total effective dose equivalent as defined in § 50.2 for the duration of the accident. Adequate habitability measures shall be provided to permit access and occupancy of the control room during normal operations and under accident conditions.

Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures.

However, the ARDC is not a formal requirement. Applicants can modify and propose changes to the ARDC as appropriate for their facility. For instance, an applicant with a design without a control room could potentially revise ARDC 19 in a way that does not include a control room and propose a corresponding principal design criteria (PDC) to the NRC for review. Supporting evidence may be necessary that clarifies how the intent of ARDC 19 is met without a main control room. Also, there are additional HFE-related requirements addressing detailed aspects of HSIs, procedures, and training.

General human performance issues associated with the facility's compliance with HFE regulations and facility design without a control room are discussed in Appendix C.4, HSIs for Monitoring and Controlling the Reactor and Interfacing Systems.

4.5.7 Design Process

The applicant should identify the HFE activities that are used as part of the design process.

Appendix A contains descriptions of HFE activities that are commonly used in the design of HFE products, including:

  • HFE Program Management
  • Operating Experience Review
  • Functional Requirements Analysis and Function Allocation
  • Task Analysis
  • Staffing and Qualifications
  • Treatment of Important Human Actions
  • Human-System Interface Design
  • Procedure Development
  • Training Program Development
  • Human Factors Verification and Validation
  • Design Implementation

The activity descriptions in Appendix A include information about how each contributes to the facility design.

This list of activities is not all encompassing. The applicant should describe their HFE activities, including those not listed in Appendix A. HFE also makes use of analyses performed by other disciplines, such as PRA. Such supporting analyses should be identified.

4.5.8 Technical Issues

The applicant may have some unique issues applicable to their design. In general, an issue is:

  • an aspect of facility development or design for which information suggests there may be a negative impact on human performance
  • an aspect of reactor design that may degrade human performance; however, additional analysis is needed to better understand and quantify the effect
  • a technology or technique that will be used in the facility design or implementation for which there is little or no guidance

The applicant should identify all human performance issues that are applicable to their design and discuss how they were addressed.

4.6 Conduct Targeting Process

Targeting is the process by which the HFE reviewer identifies aspects of the applicant's design and operations that warrant an HFE review.[7] Unlike LLWR reviews, in this new approach to HFE review, not all aspects of the facility design and operations are reviewed. Thus, the reviewer must select those that will be.

There are precedents for targeting/screening in NRC guidance documents and several approaches have been described. NUREG-0800, Chapter 18 and NUREG-0711, Section IV, Review Procedures, include guidance for alternative approaches to a full HFE review. NUREG-0800, Chapter 18 states that:

The degree to which the NRC staff applies the review methodology in this SRP will reflect the specific circumstances of individual applications. For example, the review of the HFE aspects of a new plant will entail a comprehensive, detailed evaluation, while the review of individual modifications to existing designs may be less extensive. The following elements are considered when deciding the depth of review.

  • risk importance
  • the similarity of the associated HFE issues to those recently reviewed for other plants or similarity with previous approved designs
  • the determination of whether items of special or unique safety significance are involved (such as items deemed important to safety based on a qualitative or deterministic basis)

Similarly, NUREG-0711, Section 1.3, Use of This Document, includes guidance for risk-informed applications:

The NRC, the nuclear industry, and the public have adopted a broader consideration of risk in many activities associated with NPPs. Therefore, the concept of risk importance is integral to the guidance in this document. Applying the precepts of risk importance will help reviewers decide which particular items to review and the depth of those reviews. The level of NRC staff's review of an applicant's HFE design should also reflect the unique circumstances of the review. For example, a review of a new nuclear power plant will likely use all the elements, while a review of changes to the HSIs of an existing plant will likely use only a subset of the elements.

A more detailed approach to screening is described in NUREG-1764 (Higgins et al., 2007). It uses a two-phased approach to reviewing changes caused by plant modifications to HAs that are credited in safety analyses. An example of such a modification is the substitution of manual actions for automatic actions to perform design functions described in the SAR.

Phase 1 uses a risk screening process to determine the risk-importance of the affected HAs.

The risk screening process is based on RG 1.174 (NRC, 2002). Phase 2 is an HFE review of the HAs that are found to be risk important. The reviews ensure that the appropriate conditions are in place so the change in HA does not significantly increase the potential risk. The details of the review are commensurate with the risk and divided into three levels. A Level I review is used for HAs in the high-risk category and requires the most stringent review, including most of the elements of NUREG-0711.

[7] Previous NRC guidance documents did not distinguish between targeting (selecting facility design and operational characteristics) and screening (selecting HFE activities, such as task analysis). The guidance provided was applicable to both.

A Level II review is for HAs in the medium risk category. While the guidance addresses key NUREG-0711 elements, the extent of the staff's review is notably less. The Level II evaluation process addresses general deterministic review criteria, HFE analysis, HSI design, procedures, training, and HA verification. The evaluation processes for this level are less prescriptive and afford greater latitude to both the licensee and the NRC reviewers for collecting and analysing information.

HAs in the low-risk category receive a Level III review, which is generally limited to verifying that the HA is properly classified in Level III. Typically, no detailed HFE review is necessary.

Three SRPs for non-electricity producing facilities include a common targeting/screening process. They are NUREG-1702 (NRC, 2000a), NUREG-1718 (NRC, 2016d), and NUREG-1520 (NRC, 2015). In these SRPs, the reviewer screens each HFE activity based on (1) provisions made to address personnel activities identified in an ISA, (2) the similarity of the associated HFE issues to those for similar type plants, and (3) the determination of whether items of special or unique safety significance are involved. The screening process is design-specific in that the selection of HFE activities is based on the design and operational characteristics of the facility to be reviewed.

In summary, targeting/screening has been addressed in numerous NRC documents. The guidance ranges from high-level qualitative considerations to detailed quantitative analyses of risk importance. The NRC reviewer can conduct screening using this guidance as appropriate.

In this new review process, the identification of a human action's importance (both from risk and deterministic criteria) plays a prominent role. The targeting process is one of the main ways the review is scaled. When a lot of the facility's design and operational characteristics are targeted, the review is likely to be larger than when only a few are targeted.

The applicant's submittals should be reviewed along with additional information that may be available from preapplication activities. The submittals provide the information used in the targeting process. The reviewer should examine the submittal and supporting information to determine if the facility's design and operations are sufficiently described to support the review.

If not, the staff should request additional information from the applicant.

If the information in the applicant's submittal is sufficient, then it can be evaluated to identify areas to target. One topic that will always be targeted is the treatment of important HAs. One of the main justifications applicants can provide for minimizing HFE activities is that there are few, if any, important HAs. Before such a position can be accepted, the reviewer should determine whether the applicant's methods for identifying important HAs are acceptable. Important HAs are determined through both risk and deterministic analyses. For these evaluations, the HFE reviewer should consult with other NRC SMEs as needed.

For the risk analyses, the reviewer should:

  • Verify that the applicant's risk model correctly represents human actions, where applicable.
  • Verify that the quantification of human error probabilities was based on analyses that include factors such as task demands, performance shaping factors, and teamwork.
  • Verify that the applicants selection criteria for identifying risk-important HAs are reasonable.
  • Verify that the applicant assessed risk for all types of safety function management scenarios and that the scenarios were analysed to identify important HAs.

For deterministic analyses, the reviewer should:

  • Verify that the applicant's deterministic analyses were sufficiently comprehensive to identify important HAs.
  • Verify that the analysis included HAs necessary to address common cause failures and technical support actions.

If the analyses are determined to be inadequate, the staff should interact with the applicant to improve their assessments to identify important HAs.

If the analyses are found to be adequate, the reviewer should identify the procedures, HSIs, training, etc., that support important HAs. They support personnel so that the important human actions can be safely and reliably performed when needed. These should be targeted for review.

An assessment should be made of applications claiming that their facility has no important HAs. The reviewer should determine whether the applicant's analyses were sufficiently comprehensive to support that claim, e.g., ensuring that the risk and deterministic analyses are correct and that no potentially important HAs, such as backup actions (e.g., defense-in-depth actions, manual actuations for diversity, and safe shutdown), were overlooked.

The next area to consider is the applicant's ConOps. The ConOps is very broad and touches on many aspects of facility design and operation. The reviewer should consult Appendix B for the types of information that can be provided in a ConOps document. Aspects of the applicant's ConOps involving important HAs should be targeted for review. In addition, any aspect of the ConOps that is new or novel in comparison to current plants should be targeted for review.

Examples include:

  • facilities with mixed missions
  • facilities with new staffing approaches, such as the use of non-licensed personnel to perform tasks undertaken by operators in current plants
  • potential new hazards

The reviewer should next consider the facility design, facility operations, requirements compliance, and human performance issues. Some aspects of these topics may have already arisen in the ConOps review, so they do not have to be considered again.


Aspects of the facility design that support important human actions should be targeted for review. Also, novel aspects of the design should be targeted, e.g., a facility design with no control room.

With respect to facility operations, the reviewer should target for review operations involving important human actions, as well as all novel operations, such as a unique way of responding to an emergency based on new systems to mitigate the emergency.

The reviewer should examine the applicant's compliance with CFR HFE requirements. Any deviations from the requirements or requests for exemptions from them should be targeted for review.

Next, the reviewer should examine the applicant's treatment of technical issues applicable to their facility. The reviewer should determine whether the applicant correctly identified any technical issues and whether they were acceptably addressed.

4.7 Conduct Screening Process

Screening is the process with which HFE activities, such as function and task analysis, are selected for review. Appendix A of this report provides descriptions of common HFE activities and includes information about how the activity contributes to an applicant's design and the NRC reviewer's objectives when evaluating the applicant's performance of the activity. The screening process enables the staff's review process to flexibly adapt to the applicant's HFE activities.

The selection is largely based on the reviewer's assessment of which HFE activities are needed to fully support important HAs and the design of novel features. These activities should be reviewed.

The applicant's use of novel HFE methods for which little is known, such as a new method to model human performance, should also be selected.

Importantly, the reviewer should identify HFE activities that the applicant should have performed but did not. For example, the applicant may have identified an important HA, but failed to analyze the task demands of the action or its HSI requirements.


4.8 Conduct Grading Process

Grading is the process with which the HFE reviewer identifies the appropriate acceptance criteria to use for the review (see Figure 4.1). Reviewers have a great deal of flexibility in review criteria selection. The staff will select appropriate review criteria based on the considerations described in Sections 4.5, 4.6, and 4.7 of this document. These criteria may be selected from the NRC guidance documents and consensus standards such as the following:

  • ISO-11064

Applicants may propose alternative guidance and standards documents and the staff will consider them.

Thus, the staff can use criteria from non-NRC documents, if it is determined that the criteria better meet the needs of the review. Non-NRC documents may be preferred, for example, if the guidance is based on a more recently developed technical basis than the corresponding NRC guidance or if it addresses facility characteristics for which the NRC has no review criteria. For example, if criteria are needed to review a computer-based procedure system, the reviewer may determine the guidance in IEEE's Guide for Human Factors Applications of Computerized Operating Procedure Systems (COPS) at Nuclear Power Generating Stations and Other Nuclear Facilities (IEEE-2011) is better suited to the procedure system under review than the guidance in NUREG-0700. It is a more recent document and addresses aspects of procedure automation not addressed in the NRC review guidance.

The staff can adapt the criteria in selected documents as needed. For example, all the review criteria for a specific HFE activity may not be needed and can be eliminated from the review.

As discussed earlier, HFE S&Gs documents play an important role in the design and evaluation of complex systems like NPPs. S&Gs provide HFE SMEs with principles to help ensure that the physiological, cognitive, and social characteristics of personnel are accommodated in system design. They also support standardization and consistency of facility characteristics and functionality.

The reviewer should assess the value of diverse guidance documents, including those provided by the NRC, such as NUREG-0800, non-LLWR SRPs, such as NUREG-1537, and non-NRC guidance, such as IEEE-1023. More than one source of guidance may be selected as review criteria if warranted to meet the needs of the reviewer.

When using non-NRC guidance, there are two considerations that should be addressed: guidance validity and independence. The NRC's HFE guidance is developed and updated using a standard methodology (O'Hara, Higgins, Brown, Fink, Persensky, Lewis, Kramer, Szabo & Boggi, 2008). A high priority is placed on establishing the validity of the guidelines, defined along two dimensions: internal and external. Internal validity is the degree to which the guidelines are linked to a clear, well founded, and traceable technical basis. External validity is the degree to which the guidance is supported by independent peer review. Peer review is a good method of screening guidelines for conformance to generally accepted HFE practices and to industry-specific considerations, i.e., for ensuring that the guidelines are appropriate based on practical operational experience in actual systems. When a reviewer selects criteria from guidance documents other than those developed using the NRC guidance development process, the validity of the guidance should be assessed.

The second consideration is the independence of the criteria. When using industry guidance, there is the possibility that the guidance is based on a specific vendor's approach. Review criteria developed by the NRC have a technical basis that is largely independent from industry priorities and concerns.

The use of industry documents is supported by the NRC's endorsement (usually in Reg Guides). NRC endorsement provides joint concurrence on the value of the guidance between the staff and industry developers. It also identifies aspects of the guidance to which the NRC takes exception. Unfortunately, at the present time, there are not many industry HFE documents that have NRC endorsement.

4.9 Assemble Review Plan and Conduct Review

In this step, the reviewer assembles the review plan for the facility. The review plan identifies the aspects of the facility's design, operational characteristics, and HFE analyses that are to be reviewed and the review criteria to be used. The plan is uniquely tailored to the facility under review.

With respect to the facility's design and operational characteristics, the reviewer seeks to verify that the characteristics conform to the HFE guidance selected for review. Any technical issues identified should be addressed. The reviewer can apply existing guidance that is generally applicable to the subject matter of the issue and high-level HFE principles, such as those in Appendix A of NUREG-0700.

For nonconformances, a human engineering discrepancy (HED) is identified. The applicant should either provide justification for the HEDs or analyze them to identify corrective actions. A general approach to HED analysis can be found in NUREG-0711, Section 11.4.4.

For the applicant's HFE activities, the reviewer should first verify that the applicant has used the appropriate HFE activities. Where it is determined that necessary HFE activities were not performed, the applicant should either provide justification for not performing the activity or commit to performing it. Next, the reviewer should verify that the analyses were conducted correctly, e.g., determine that the applicant's task analyses were performed correctly. If not, the reviewer should interact with the applicant to either justify their approach or change their methodology.

Any technical issues identified should be addressed, although the guidance for reviewing them may be limited. The reviewer can apply existing guidance that is generally applicable to the subject matter of the issue and high-level HFE principles, such as those in Appendix A of NUREG-0700.

The results of the review should be documented in a Safety Evaluation Report.


5 Discussion

The new HFE review process is consistent with NEIMA requirements and the NRC vision for advanced reactor reviews, as reflected in the review process characteristics defined in Section 1.3 above:

  • technology inclusive
  • risk informed
  • performance based
  • staged
  • based on process and methods rather than prescriptive guidance
  • within the bounds of existing regulations
  • flexible
  • scalable
  • supportive of preapplication interactions that occur early and often

The review process needs to be technology inclusive because of the wide variety of reactor technologies the review process must accommodate. The LLWR reviews were focused on only two types of LLWR technology, boiling water reactors and pressurized water reactors. The new process needs to address these technologies, but it also must be suitable for technologies such as heat pipe reactors, helium-cooled fast reactors, high-temperature gas cooled reactors, and molten salt reactors. The HFE review process is technology neutral and thus can be used no matter what technology is used.

The process must be risk-informed to enable the safety review to focus on those aspects of the design and operation that pose the greatest challenges to plant safety. The HFE review process places great emphasis on the identification of important human actions. These actions are identified through probabilistic and deterministic methods, thus providing a comprehensive identification process to help ensure important actions are not missed. Using both types of methods also allows the review to proceed when applicants differ in the methodological approaches used to identify important actions. For example, some applicants may use ISAs rather than PRAs to identify important actions. The review process accommodates a diversity of approaches.

The HFE review process is performance based and utilizes the results of:

  • analyses and simulations performed by the applicant that provide estimates of human performance
  • tests using operators performed by applicants as part of their design process
  • validations performed to ensure the final design supports reliable human performance

The review process accommodates staged reviews to enable applicants to provide information to the staff at times conforming to their own design process and schedule.

The HFE review process is based on process and methods rather than prescriptive guidance. This is one of the most significant changes in the HFE review process when compared with the LLWR review process. The NRC reviewer develops a review plan that is tailored to the applicant's design and potential safety concerns. The LLWR reviews used NUREG-0711, which defined the HFE activities applicants were expected to use and the review criteria for each. In the new process, the reviewer defines the HFE activities that are applicable to the design under review and the criteria to be used in the evaluation of each. The review criteria may come from NRC documents or industry documents, depending on which best meet the needs of the review.

This process makes the review scalable based on design and safety considerations and flexible enough to accommodate the wide diversity of designs expected.

The HFE review process is within the bounds of existing regulations and enables the staff to review applications that are like LLWRs, as well as those applications that are far different.

Finally, the process is supportive of preapplication interactions, which are especially important to identify the technical information the staff needs to support the review. These interactions further help communicate to the applicant the staff's expectations and provide an opportunity to address staff concerns in a timely manner.

In sum, the new review process is consistent with the principles outlined for the NRC's vision for advanced reactor reviews.

An important aspect of a new HFE review strategy is identifying how it can evolve (1) to better conform to the NRC strategic vision for advanced reactor reviews, and (2) to address existing and emerging needs for review guidance. The capability to update the review process and review guidance will be based on the ongoing NRC activities to develop new review guidance where needed. The technical basis information needed to develop guidance can come from a variety of sources, including:

  • lessons learned performing reviews
  • results of NRC and industry research
  • new regulatory and industry positions

Figure 5.1 illustrates this evolution in the context of the overall review strategy.


Figure 5.1 Review Strategy Evolution [figure not reproduced; recoverable labels: Review Process (Review Applicant Submittals; Conduct Targeting Process; Conduct Screening Process; Conduct Grading Process; Assemble Review Plan and Conduct Review), Detailed Supporting Information, Appendices, Technical Issues, Review Criteria, Review Strategy Evolution, Technical Basis Development (ISGs; User Needs; Identified Technical Issues; NRC and Industry Technical Reports), Integrate New Research Findings into Review Processes]

6 References

Ahlstrom, V., Lockett, J., Connolly, J., Russo, D. & Tillman, B. (2010). Panel Discussion of Human Factors Standards for United States Government Agencies. Proceedings of the Human Factors and Ergonomics Society 54th Annual Meeting. Santa Monica, CA: Human Factors and Ergonomics Society.

AIAA (1992). AIAA Recommended Technical Practice - Operational Concept Document Preparation Guidelines. Reston, VA: American Institute of Aeronautics and Astronautics.

ANS (2010). Interim Report of the American Nuclear Society President's Special Committee on Small and Medium Sized Reactor (SMR) Generic Licensing Issues. La Grange, IL: American Nuclear Society.

Arafat, Y. & Van Wyk, J. (2019). eVinci™ Micro Reactor. Nuclear Plant Journal, March-April.

ASME (2013). Probabilistic Risk Assessment Standard for Advanced Non-LWR Nuclear Power Plants (ASME/ANS RA-S-1.4). American Society of Mechanical Engineers and American Nuclear Society.

Brown, F. (2019). Memorandum from F. Brown to R. Furstenau (2019). Office of Nuclear Reactor Regulation User Needs Concerning Human Factors Engineering. Washington DC: U.S. Nuclear Regulatory Commission.

Congressional Research Service (2019). Advanced Nuclear Reactors: Technology Overview and Current Issues (R45706).

Desaulniers, D. & Fleger, S. (2019). IEEE Human Factors Standards for Nuclear Facilities: The Development Process, Available Standards, Current Activities, and the Future. In Proceedings of the Human Factors and Ergonomics Society - 2019 Annual Meeting. Santa Monica, CA: Human Factors and Ergonomics Society.

DoD (2012). DoD Design Criteria Standard: Human Engineering (MIL-STD-1472G). Washington DC: U.S. Department of Defense.

DoD (2000). Operational Concept Description (DI-IPSC-81430A). Washington DC: U.S. Department of Defense.

DoD (1995). Software Development and Documentation Standard (MIL-STD-498). Washington DC: U.S. Department of Defense.

DoD HFE Technical Advisory Group (2004). Index of Government Standards on Human Engineering Design Criteria, Processes & Procedures. Retrieved 13 December 2010 from: http://www.dtic.mil/cgibin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA436638

Dul, J., de Vries, H., Verschoof, S., Eveleens, W. & Feilzer, A. (2004). Combining economic and social goals in the design of production systems by using ergonomics standards. Computers and Industrial Engineering, 47, 207-222.

Fairley, R. & Thayer, R. (1977). The Concept of Operations: The Bridge from Operational Requirements to Technical Specifications. Annals of Software Engineering, 3, 417-432.

FAA (2003). Human Factors Design Standard (HF-STD-001). Washington, DC: Federal Aviation Administration.

Fleming, E., Myre-Yu, M. & Luxat, D. (2020). Human Factors Considerations for Automating MicroReactors. Albuquerque, NM: Sandia National Laboratories.

Grenci, T. & Haemer, R. (2010). Operations Staffing Issues Relating to SMRs. In ANS (Ed.) Interim Report of the American Nuclear Society President's Special Committee on Small and Medium Sized Reactor (SMR) Generic Licensing Issues. La Grange, IL: American Nuclear Society.

Higgins, J., O'Hara, J., Lewis, P., Persensky, J., Bongarra, J., Cooper, S. & Parry, G. (2007). Guidance for the Review of Changes to Human Actions (NUREG-1764, Rev 1). Washington, D.C.: U.S. Nuclear Regulatory Commission.

Holcomb, D. & Flanagan, G. (2019). US Safety Approach for Liquid-Fueled MSRs. 29th GIF Risk and Safety Working Group.

IEC (2009). Nuclear Power Plants - Control Rooms - Design (IEC 60964, Edition 2.0). Geneva, Switzerland: International Electrotechnical Commission.

IEEE (2011). IEEE Guide for Human Factors Applications of Computerized Operating Procedure Systems (COPS) at Nuclear Power Generating Stations and Other Nuclear Facilities (IEEE 1786-2011). Piscataway, NJ: IEEE.

IEEE (2007). IEEE Guide for Information Technology - System Definition - Concept of Operations (ConOps) Document (IEEE Std 1362-1998; R2007). Piscataway, NJ: IEEE.

IEEE (2005). IEEE Guide to the Application of Human Factors Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations (IEEE Std. 1023-2004). New York: Institute of Electrical and Electronics Engineers.

IEEE (2004). IEEE Recommended Practice for the Application of Human Factors Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations and Other Nuclear Facilities (IEEE Std 1023-2004). New York, NY: Institute of Electrical and Electronic Engineers.

ISO (2010). Ergonomics of Human-System Interaction -- Specification for the Process Assessment of Human-System Issues (ISO/TS 18152:2010). Geneva: International Standards Organization.

ISO (2000). Ergonomics of Human-System Interaction: Human-Centered Lifecycle Process Descriptions (ISO/TR 18529:2000). Geneva: International Standards Organization.

ISO (2006). Ergonomic Design of Control Centres - Part 7: Principles for the Evaluation of Control Centres (ISO 11064-7:2006). Geneva, Switzerland: International Standards Organization.

Karwowski, W. (2006). Handbook of Standards and Guidelines in Ergonomics and Human Factors. Mahwah, NJ: Lawrence Erlbaum Associates.

Kairos Power (2020). KP-FHR Risk-Informed Performance-Based Licensing Basis Development Methodology, Revision 1 (KP-TR-009), Docket No. 99902069. Alameda, CA: Kairos Power LLC.

Kairos Power (2019). Reactor Coolant for the Kairos Power Fluoride Salt Cooled High Temperature Reactor Topical Report (KP-TR-005-NP). Alameda, CA: Kairos Power LLC.

Kairos Power (2018). Principal Design Criteria for the Kairos Power Fluoride Salt-Cooled High Temperature Reactor Topical Report (TR-003). Alameda, CA: Kairos Power LLC.

Maioli, A., Detar, H., Haessler, R., Friedman, B., Belovesick, C., Scobel, J., Kinnas, S., Smith, M., van Wyk, J. & Flemin, K. (2019). Modernization of Technical Requirements for Licensing of Advanced Non-Light Water Reactors Westinghouse eVinci™ Micro-Reactor Licensing Modernization Project Demonstration (EMR_LTR_190010).

McClure, P., Poston, D., Rao, D. & Reid, R. (2015). Design of Megawatt Power Level Heat Pipe Reactors (LA-UR-15-28840). LANL.

McFarlane, J., Taylor, P., Holcomb, D. & Poore, W. (2019). Review of Hazards Associated With Molten Salt Reactor Fuel Processing Operations (ORNL/TM-2019/1195). Oak Ridge, TN: Oak Ridge National Laboratory.

Mignacca, B., Locatelli, G. & Sainati, T. (2020). Deeds not words: Barriers and Remedies for Small Modular Nuclear Reactors. Energy, 118-137.

NASA (2011). NASA Space Flight Human-System Standard Volume 2: Human Factors, Habitability, and Environmental Health (NASA 3001, Vol. 2). Washington, DC: Aeronautics and Space Administration.

NEI (2019). Micro-Reactor Regulatory Issues. Washington, DC: Nuclear Energy Institute.

NEI (2018). Roadmap for the Deployment of Micro-Reactors for U.S. Department of Defense Domestic Installations. Washington, DC: Nuclear Energy Institute.

NEI (2012). Identifying Systems and Assets Subject to the Cyber Security Rule (NEI 10-04, Revision 2). Washington, DC: Nuclear Energy Institute.

NEI (2011). Control Room Staffing for Small Reactors. Washington, DC: Nuclear Energy Institute.

NEIMA (2019). https://www.congress.gov/bill/115th-conqress/senate-bill/512.

NRC (2020). Questions Supporting ACRS and Public Interactions on Developing a Risk-Informed, Technology-Inclusive Regulatory Framework for Advanced Reactors, NRC Staff White Paper (NRC2019-0062; RIN 3150-AK31). Washington DC: U.S. Nuclear Regulatory Commission.

NRC (2020a). Guidance for a Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light-Water Reactors (Regulatory Guide 1.233). Washington DC: U.S. Nuclear Regulatory Commission.

NRC (2020b). Rulemaking Plan on Risk-Informed, Technology-Inclusive Regulatory Framework for Advanced Reactors (SECY-20-0032). Washington DC: U.S. Nuclear Regulatory Commission.

NRC (2020c). Policy and Licensing Considerations Related to Micro-Reactors (SECY 0093). Washington DC: U.S. Nuclear Regulatory Commission.

NRC (2020d). Questions Supporting ACRS and Public Interactions on Developing a Risk-Informed, Technology-Inclusive Regulatory Framework for Advanced Reactors (NRC-2019-0062; RIN 3150-AK31). Washington DC: U.S. Nuclear Regulatory Commission.

NRC (2019a). Guidance for a Technology-Inclusive, Risk-informed and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light Water Reactors (Draft Regulatory Guide 1353). Washington DC: U.S. Nuclear Regulatory Commission.

NRC (2019b). Discussion Items on KP-FHR Risk-Informed Performance-Based Licensing Basis Development Methodology Topical Report (Docket No. 99902069). Washington DC: U.S. Nuclear Regulatory Commission.

NRC (2018a). Guidance for Developing Principal Design Criteria for Non-Light Water Reactors (RG 1.232). Washington DC: U.S. Nuclear Regulatory Commission.

NRC (2017). A Regulatory Review Roadmap for Non-Light Water Reactors (ML17312B567). Washington DC: U.S. Nuclear Regulatory Commission.

NRC (2016a). Vision and Strategy: Safely Achieving Effective and Efficient Non-Light Water Reactor Mission Readiness (ML16356A670). Washington DC: U.S. Nuclear Regulatory Commission.

NRC (2016b). Standard Review Plan, Chapter 18, Human Factors Engineering. Washington DC: U.S. Nuclear Regulatory Commission.

NRC (2016d). Standard Review Plan for the Review of an Application for a Mixed Oxide (MOX) Fuel Fabrication Facility (NUREG-1718). Washington DC: U.S. Nuclear Regulatory Commission.

NRC (2016f). Attachment B - Methodology to Assess the Workload of Challenging Operational Conditions in Support of Minimum Staffing Level Reviews. In Standard Review Plan, Chapter 18, Human Factors Engineering. Washington DC: U.S. Nuclear Regulatory Commission.

NRC (2015). Standard Review Plan for Fuel Cycle Facilities License Applications (NUREG-1520, Rev 2). Washington DC: U.S. Nuclear Regulatory Commission.

NRC (2011). Operator Staffing for Small or Multi-Module Nuclear Power Plant Facilities (SECY-11-0098). Washington DC: U.S. Nuclear Regulatory Commission.

NRC (2002). An Approach to Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis (Regulatory Guide 1.174, Rev. 1). Washington, DC: U.S. Nuclear Regulatory Commission.

NRC (2000a). Standard Review Plan for the Review of a License Application for the Tank Waste Remediation System Privatization (TWRS-P) Project (NUREG-1702). Washington DC: U.S. Nuclear Regulatory Commission.

NRC (1997). Crediting of Operator Action in Place of Automatic Actions and Modification of Operator Actions, Including Response Times (Information Notice 97-78). Washington, DC: U.S. Nuclear Regulatory Commission.

NRC (1996). Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors Standard Review Plan and Acceptance Criteria (NUREG-1537, Part 2). Washington DC: U.S. Nuclear Regulatory Commission.

NRC (1994). Human Factors Engineering Program Review Model (NUREG-0711, Rev 0). Washington DC: U.S. Nuclear Regulatory Commission.

NRR (2019). Development and Maintenance of Human Factors Engineering Review Guidance, Competencies, and Capabilities: Integrated 5-Year Timeline (19-01). Washington DC: U.S. Nuclear Regulatory Commission.

O'Hara, J. (2020a). Characterization of Small, Advanced Reactors (Report No. F0028-01). Upton, NY: Brookhaven National Laboratory.

O'Hara, J. (2020b). Review of Existing NRC HFE Guidance and Its Suitability for the Review of Small, Advanced Reactors (Report No. F0028-02). Upton, NY: Brookhaven National Laboratory.

O'Hara, J. (2020c). Adaptive Automation: Current Status and Challenges (RIL-2020-05). Washington, D.C.: U.S. Nuclear Regulatory Commission.

O'Hara, J. (2020d). Safety Evaluations of Adaptive Automation: Suitability of Existing Guidance (RIL-2020-06). Washington, D.C.: U.S. Nuclear Regulatory Commission.

O'Hara, J. & Fleger, S. (2020). Human-System Interface Design Review Guidelines (NUREG-0700, Rev 3). Washington, D.C.: U.S. Nuclear Regulatory Commission.

O'Hara, J., Gunther, W., Martinez-Guridi, G., & Anderson, T. (2019). The Development of Guidance for the Review of the Interfaces for Managing the Effects of Degraded Human-System Interface and Instrumentation and Control Conditions on Operator Performance (NUREG/CR-7264). Washington, DC: U.S. Nuclear Regulatory Commission.

O'Hara, J. & Higgins, J. (2020). Adaptive Automation: Current Status and Challenges (RIL-2020-05). Washington, D.C.: U.S. Nuclear Regulatory Commission.

O'Hara, J. & Higgins, J. (2015). Methodology to Assess the Workload of Challenging Operational Conditions In Support of Minimum Staffing Level Reviews (BNL Technical Report No. 20918-1-2015). Upton, NY: Brookhaven National Laboratory.

O'Hara, J. & Higgins, J. (2010). Human-System Interfaces to Automatic Systems: Review Guidance and Technical Basis (BNL Technical Report 91017-2010). Upton, NY: Brookhaven National Laboratory.

O'Hara, J. & Higgins, J. (2004). Regulatory Review of Advanced and Innovative Human-System Interface Technologies. In Fourth American Nuclear Society International Topical Meeting on Nuclear Plant Instrumentation, Controls and Human-Machine Interface Technologies (NPIC&HMIT 2004). La Grange Park, IL: American Nuclear Society.

O'Hara, J., Higgins, J. & D'Agostino, A. (2015). NRC Reviewer Aid for Evaluating the Human Factors Engineering Aspects of Small Modular Reactors (NUREG/CR-7202). Upton, NY: Brookhaven National Laboratory.

O'Hara, J., Higgins, J., Fleger, S. & Pieringer, P. (2012). Human Factors Engineering Program Review Model (NUREG-0711, Rev. 3). Washington DC: U.S. Nuclear Regulatory Commission.

O'Hara, J., Higgins, J., & Pena, M. (2012). Human Factors Engineering Aspects of Small Modular Reactor Design and Operations (NUREG/CR-7126). Washington, D.C.: U.S. Nuclear Regulatory Commission.

O'Hara, J., Higgins, J., Brown, W., Fink, R., Persensky, J., Lewis, P., Kramer, J., Szabo, A. & Boggi, M. (NRC) (2008). Human Factors Considerations with Respect to Emerging Technology in Nuclear Power Plants (NUREG/CR-6947). Washington, D.C.: U.S. Nuclear Regulatory Commission.

Oklo Power (2020). Safety Analysis Report.

Pew, R. & Mavor, A. (2007). Human-system Integration in the System Development Process: A New Look. Washington, D.C.: The National Academies Press.

Ramuhalli, P. & Cetiner, S. (2019). Concepts for Autonomous Operation of Microreactors (ORNL/TM-2019/1305). Oak Ridge, TN: Oak Ridge National Laboratory.

Roth, E. & O'Hara, J. (2020). CTA (RIL-2020-07). Washington, D.C.: U.S. Nuclear Regulatory Commission.

Samanta, P., Diamond, D. & O'Hara, J. (2020). Regulatory Review of Micro-Reactors - Initial Considerations (BNL-212380-2019-INRE). Upton, NY: Brookhaven National Laboratory.

Samanta, P., Diamond, D. & Horak, W. (2019). NRC Regulatory History of Non-Light Water Reactors (1950-2019) (BNL-211739-2019-INRE). Upton, NY: Brookhaven National Laboratory.

Sterbentz, J., Werner, J., McKellar, M., Hummel, A., Kennedy, J., Wright, R. & Biersdorf, J. (2017). Special Purpose Nuclear Reactor (5 MW) for Reliable Power at Remote Sites Assessment Report Using Phenomena Identification and Ranking Tables (PIRTs) (INL/EXT-16-40741, Revision 1). Idaho Falls, ID: INL.

Thronesbery, C., Schreckenghost, D. & Molin, A. (2009). Concept of Operations Storyboard Tool. In Proceedings of the Human Factors and Ergonomics Society 53rd Annual Meeting. Santa Monica, CA: Human Factors and Ergonomics Society.

Tyler, C. (2019). MegaPower. 1663. P. 3.

Westinghouse (2019). eVinci™ MicroReactor (GTO-0001). Westinghouse Electric Company.

Appendix A: HFE Activities

Below are the HFE activities that should be considered as part of the screening process. These descriptions are based on the element descriptions from NUREG-0711. As described above, NUREG-0711 is based on a systems engineering model that includes the HFE activities that are broadly viewed as necessary to a comprehensive HFE program. While all may not be needed in an applicant's HFE program, especially for more modest programs, each should be considered by the reviewer during the screening process and included or excluded accordingly.

The activity descriptions include information about how each contributes to an applicants HFE program and the NRC reviewers objectives when evaluating the applicants performance of the activity.

HFE Program Management

In this activity, the applicant establishes an HFE design team with the responsibility, authority, placement within the organization, and composition to reasonably assure that the plant design meets the commitment to HFE. Further, a plan should be developed to guide the team to ensure that the HFE program is properly developed, executed, overseen, and documented.

The program plan describes the activities needed to ensure that HFE principles are applied to the development, design and evaluation of HSI, procedures, and training.

The objective of the staff review of this activity is to verify that the applicant has established HFE program management to accomplish these elements.

Operating Experience Review

Applicants perform an operating experience review (OER) to identify HFE-related safety issues. The OER should provide information on the performance of predecessor designs. For new plants, this may be the earlier designs on which the new one is based. For plant modifications, it may be the design of the systems being changed. The issues and lessons learned from operating experience provide a basis to improve the plant's design. Thus, the negative features of predecessor designs may be avoided, while retaining positive features. The OER should consider the predecessor systems upon which the design is based, the technological approaches selected (e.g., if touch-screen interfaces are planned, their associated HFE issues should be reviewed), and the facility's HFE issues.

The objective of this activity is to verify that the applicant identified and analyzed HFE-related problems and issues in previous designs that are similar to the one under review.

Functional Requirements Analysis and Function Allocation

The personnel role in facility operations is examined in two steps: functional requirements analysis and function allocation (assignment of levels of automation). A functional requirements analysis (FRA) identifies those plant functions that must be performed to satisfy the plant's overall operating and safety objectives and goals, that is, to ensure the health and safety of the public by preventing or mitigating the consequences of postulated accidents. This analysis determines the objectives, performance requirements, and constraints of the design, and sets a framework for understanding the role of controllers (personnel or system) in regulating plant processes.

Function allocation is the assignment of functions to (1) personnel, (2) automatic systems, and (3) combinations of both. Exploiting the strengths of personnel and system elements enhances the facility's safety and reliability, including improvements achievable through assigning control to these elements with overlapping and redundant responsibilities. Function allocations should be founded on functional requirements and HFE principles in a structured, well-documented methodology that produces clear roles and responsibilities for personnel.

The purpose of the staff's review of this activity is to verify that the applicant defined those functions that must be carried out to satisfy the facility's safety goals and that the assignment of responsibilities for those functions to personnel and automation was made in a way that takes advantage of human strengths and avoids human limitations.

Task Analysis

The functions allocated to plant personnel define the roles and responsibilities that they accomplish by HAs. HAs can be divided into tasks, a group of related activities with a common objective or goal. The results of the task analysis offer important inputs to many HFE activities: (1) the analysis of staffing and qualifications; (2) the design of HSIs, procedures, and training program; and (3) criteria for Task Support Verification.

The objective of this review is to verify that the applicant undertook analyses identifying the specific tasks needed to accomplish personnel functions, and the alarms, information, control, and task-support required to complete those duties. (See Roth & O'Hara, 2020, for additional information.)

Staffing and Qualifications

Plant staffing and staff qualifications are important considerations throughout the design process. Initial staffing levels may be established early in the design process based on experience with previous plants, staffing goals (such as for staffing reductions), initial analyses, and NRC regulations. However, their acceptability should be examined periodically as the design of the facility evolves.

The objective of reviewing staffing and qualification analyses is to verify that the applicant has systematically analyzed the requirements for the number of personnel and their qualifications, including gaining a thorough understanding of the task and regulatory requirements.

Treatment of Important Human Actions

A goal of the NRC's safety program has been to use risk analyses to prioritize activities, and to ensure that regulators and licensees focus efforts and resources on those activities that best support reasonable assurance of adequate protection of the public's health and safety. HFE programs contribute to this goal by applying a graded approach to plant design, focusing greater attention on HAs most important to safety. The objective of this activity is to identify those HAs most important to safety for a plant design through a combination of probabilistic and deterministic analyses. The analyses should minimize the likelihood of personnel error and help ensure that personnel can detect and recover from any errors that occur.

The review's objectives are to verify that the applicant has (1) identified important HAs, and (2) considered human-error mechanisms for important HAs in designing the HFE aspects of the plant.

Human-System Interface Design

In this activity, applicants translate the functional- and task-requirements to HSI design requirements, and to the detailed design of alarms, displays, controls, and other aspects of the HSI. A structured methodology should guide designers in identifying and selecting candidate HSI approaches, defining the detailed design, and performing HSI tests and evaluations.

The objective of the staff's review of this activity is to evaluate the process used by applicants to translate requirements to HSI design. The review should also address the formulation and employment of HFE guidelines tailored to the unique aspects of the applicant's design, e.g., a style guide to define the design-specific conventions.

Procedure Development

Procedures are essential to plant safety because they support and guide personnel interactions with plant systems and personnel responses to plant-related events. In the nuclear industry, procedure development is the responsibility of individual utilities. The objective of the NRC procedure review is to confirm that the applicant's procedure development program incorporates HFE principles and criteria, along with all other design requirements, to develop procedures that are technically accurate, comprehensive, explicit, easy to utilize, validated, and in conformance with 10 CFR 50.34(f)(2)(ii). The procedures program is reviewed by NRC staff using SRP Chapter 13.

Training Program Development

Training plant personnel is important in ensuring the safe, reliable operation of nuclear power plants. Training programs aid in offering reasonable assurance that plant personnel have the knowledge, skills, and abilities needed to perform their roles and responsibilities. The objective of the training program review is to verify that the applicant has employed a systems approach for developing personnel training. Training programs are reviewed by NRC staff using SRP Chapter 13.

Human Factors Verification and Validation

V&V evaluations comprehensively determine that the final HFE design conforms to accepted design principles and enables personnel to successfully and safely perform their tasks to achieve operational goals. This activity involves four evaluations, with the following objectives:

  • HSI Task Support Verification - the applicant verifies that the HSI provides the alarms, information, controls, and task support that the task analysis defined as needed for personnel to perform their tasks.
  • HFE Design Verification - the applicant verifies that the design of the HSIs conforms to HFE guidelines (such as the applicant's style guide).
  • Integrated System Validation - the applicant validates, using performance-based tests, that the integrated system design (i.e., hardware, software, procedures and personnel elements) supports safe operation of the plant.
  • Human Engineering Discrepancy Resolution Review - The V&V evaluations above identify human engineering discrepancies (HEDs). In this activity, the applicant assesses the importance of HEDs and verifies that the HED resolutions and corrections are acceptable.

The staff's review of HFE V&V is to ensure that the applicant's verification of their methods and results followed their specified methodologies, that any corrections were appropriately resolved, and that the results support the conclusion of safe operation.

Design Implementation

This activity addresses the implementation of the HFE aspects of the plant design for new plants and plant modifications. For a new plant, the implementation phase is well defined and carefully monitored through start-up procedures and testing. Implementing modifications is more complex.

The objectives of the design implementation review are to verify that the applicant's:

  • as-built design conforms to the design that was verified and validated
  • implementation of plant changes considers the effect on personnel performance, and affords necessary support to reasonably assure safe operations

Human Performance Monitoring

The objective of reviewing an applicant's human performance monitoring program is to verify that the applicant prepared a program to:

  • adequately assure that the conclusions drawn from the integrated system validation remain valid with time
  • ensure that no significant safety degradation occurs because of any changes made in the plant

The applicant may incorporate this monitoring program into their problem identification and resolution program and their training program.

Appendix B: Concept of Operations Dimensions

According to the Institute of Electrical and Electronics Engineers (IEEE), a concept of operations (ConOps):

describes system characteristics of the to-be-delivered system from the user's viewpoint. The ConOps document is used to communicate overall quantitative and qualitative system characteristics to the user, buyer, developer, and other organizational elements (e.g., training, facilities, staffing, and maintenance). It describes the user organization(s), mission(s), and organizational objectives from an integrated systems point of view. (IEEE, 2007, p. 1)

While this is a good definition, we developed it further into a ConOps model that delineated key ConOps dimensions. The model was used to collect information about various designs. To facilitate the model's use, we developed a set of questions pertaining to each dimension of the model. We made some modifications: the Management of Off-Normal Conditions and Emergencies dimension was modified to explicitly incorporate important human actions. We also modified the Agents' Roles and Responsibilities dimension to explicitly incorporate important human actions.

From an HFE perspective, a ConOps identifies the design's high-level goals and the functions and operational practices needed to manage both normal and off-normal situations. It is used to identify expectations related to human performance (Pew & Mavor, 2007). A ConOps covers all facets of the interactions of personnel with a complex system and guides the formation of requirements, the details of design, and the evaluation of the system (AIAA, 1992; DoD, 1995, 2000; Fairley & Thayer, 1977; IEEE, 2007). Increasingly, many industries are employing ConOps documents to provide a vision of how personnel are integrated into a new design or major modification (Thronesbery et al., 2009).

The model has six dimensions (see Figure B.1), each of which is briefly described below:

  • Facility Mission
  • Agents' Roles and Responsibilities
  • Staffing, Qualifications, and Training
  • Management of Normal Operations
  • Management of Off-normal Conditions and Emergencies
  • Management of Maintenance and Modifications

[Figure B.1 Concept of Operations Model. Labels: Plant's Missions; Roles & Responsibilities of all Agents; Staffing, Qualifications, & Training; Management of Normal Operations; Management of Off-Normal Conditions & Emergencies; Management of Maintenance & Modifications]

Facility Mission

A ConOps reflects top-down design considerations. At the top is the facility's mission and the high-level goals which drive all aspects of the design, including the technological infrastructure needed to support them, and the roles/responsibilities of the crew. The mission can be described in terms of the following:

  • Goals and Objectives - The purposes for which the facility was designed, e.g., electrical generation and safety.
  • Evolutionary Context - The design of the predecessor facilities and the operating experience that set the foundation for the new design and the technological and operational changes and improvements that the new plant seeks to achieve.
  • High-Level Functions - The functions, e.g., reactivity control, that must be undertaken to achieve the goals and objectives.
  • Boundary Conditions - The conditions that clearly identify the operating envelope of the design, i.e., the general performance characteristics within which the design is expected to operate, such as temperature and pressure limits. Clearly identifying boundary conditions helps define the design's scope and interface requirements.
  • Constraints - A constraint is an aspect of the design, e.g., a specific staffing plan or the use of specific technology. These constraints influence the design.

Agents' Roles and Responsibilities

This dimension clarifies the relative roles and responsibilities of the system's agents, namely, personnel and automation, and their relationship. Modern approaches to human-automation interaction emphasize the value of multi-agent teams for monitoring and controlling complex systems (O'Hara & Higgins, 2020; O'Hara & Higgins, 2010). The teams share and shift responsibilities to assure the facility's overall production and safety goals are achieved. An agent will monitor the system to detect conditions indicating that a function or task must be performed. An agent will assess the situation and plan a response, and having established the response plan, will implement it. The agent will monitor the activity to assure that the function is being accomplished, and to plan again if it is not. Finally, the agent must decide when the function is completed satisfactorily. Human or automation agents can undertake any one or all of these roles.

Defining human roles and responsibilities, especially important human actions, is the first step toward integrating humans and systems, from which other aspects of the ConOps and design should flow. This dimension usually is specified at a preliminary level before beginning design work, based on the operating experience from earlier designs and the goals for developing the new one. These roles then are refined through the HFE program.

Staffing, Qualifications, and Training

This dimension addresses the number and capabilities of staff needed to accomplish the human roles and responsibilities. Staffing should consider organizational functions, including operations, maintenance, and security. Staff positions and the qualifications necessary for each should be defined. The ConOps should identify how teams will be structured and the types and means of interaction between their members and other organizational functions, including the coordination of crew member activities, how peer-checks and supervision are accomplished, and how the control-room crews coordinate work with other plant personnel. The training needed to meet qualification requirements and to perform the human roles and responsibilities should be specified.

Management of Normal Operations

This dimension encompasses three main considerations: identifying key scenarios; identifying the tasks needed to perform them; and identifying the HSIs and procedures necessary to support personnel tasks.

Key scenarios include those reflecting the plant's normal evolutions, such as start-up, low power, full power, refuelling, and shutdown. For each one, the tasks personnel must accomplish to fulfill their roles and responsibilities are identified, as are the ways in which personnel interact with the plant's functions, systems, and components to complete them, along with the support of automation in monitoring and controlling the plant through these evolutions. Also included is job design, i.e., the integration of tasks into jobs that specific crew members undertake.

The design of HSIs and procedures should support personnel with their task and job assignments. For example, the following concepts for how personnel interact with HSI resources may be specified:

  • information distribution, e.g., the types of information that individual crew members access, and the types that are displayed to the entire crew
  • the determination of the location of HSIs, either in the main control room or at local control stations
  • configuration of personnel workplaces, such as a single large workstation, individual ones, or large overview displays

Management of Off-Normal Conditions and Emergencies

This dimension addresses many of the same considerations discussed with respect to normal operations (key scenarios, tasks, and supporting HSI resources), except the conditions are atypical. Considerations include:

  • emergencies that may impact safety, such as a loss of coolant accident
  • loss of facility systems for which compensation is needed, such as the failure of a cooling-water system
  • failed equipment, such as pumps and valves
  • degraded I&C and HSI conditions (such as a faulty sensor, loss of an aspect of automation, or degradation of a workstation)
  • human actions determined to be important that are needed to address these conditions

Identifying off-normal and emergency conditions and developing ways to resolve them are significant considerations affecting the planning and design of operations. There may also be differences in how safety is evaluated for small, advanced reactors, which may involve methods that differ from the traditional PRA/HRA methods used in applicant submittals. This ConOps dimension needs to focus on how safety-significant responses to identified safety-significant events, such as important human actions, are identified. For example, if a major digital I&C failure should cause a loss of the control room's HSIs, designers must decide whether personnel should (1) shut the plant down until the condition is fixed, (2) maintain the plant in its current state, or (3) do something else. Their decisions significantly influence the types of backup resources that must be provided, the procedures that must be developed, and the training that personnel must receive. Handling off-normal conditions often requires crews to transition to a means of working together that differs from that of normal operations (O'Hara, Gunther, Martinez-Guridi, & Anderson, 2019).

Management of Maintenance and Modifications

This dimension encompasses the installation of facility upgrades, maintenance, and configuration management. As with the previous two dimensions, personnel tasks and how the HSIs and procedures support those tasks are considered. For example, much of the maintenance of advanced systems typically occurs at a workstation through changes in software. Such activities may be more extensive in new designs relying heavily on digital systems and automation.

Appendix C: Advanced Reactor Technical Issues

The design and ConOps of advanced reactors have given rise to the recognition by industry, the NRC, and research organizations of technical issues that need to be addressed. These issues include:

  • Identification of important human actions
  • Autonomous operations
  • Approaches to staffing
  • HSIs for monitoring and controlling the reactor and interfacing systems
  • Remote operations

C.1 Identification of Important Human Actions

Issue

NUREG-0711 defines important HAs as those actions that meet either risk or deterministic criteria:

  • Risk-important human actions - Actions defined by risk criteria that plant personnel use to assure the plant's safety. There are absolute and relative criteria for defining risk-important actions. For absolute ones, a risk-important action is any action whose successful performance is needed to reasonably assure that predefined risk criteria are met. For relative criteria, the risk-important actions are defined as those with the greatest risk compared to all human actions. The identifications can be made quantitatively from risk analyses, and qualitatively from various criteria, such as concerns about task performance based on considering performance-shaping factors.
  • Deterministically identified important human actions - Deterministic engineering analyses typically are completed as part of the suite of analyses in the FSAR/DCD in Chapters 7, Instrumentation & Controls, and 15, Transient and Accident Analyses. These deterministic analyses also may credit human actions.

As discussed in the section on HFE triggers, the importance of identifying important HAs is that it is a basis for defining the HFE program. It is also important because it may become a basis for claims that no HAs are needed for safety-important actions.

This issue is characterized by concern that important human actions may not be easily identified. The identification of important human actions may be complicated by several factors, e.g.:

  • Use of non-traditional risk analysis methods
  • Lack of supporting analyses used to identify human tasks
  • Human role in safety function management

Use of non-traditional risk analysis methods

Applicants may not perform traditional PRAs as are required of LLWRs. Instead, they may perform modified PRAs or other types of risk analyses, such as ISAs, which focus on identifying IROFS and may not focus on quantifying human actions.

Lack of supporting analyses used to identify human tasks

The applicant may not have the supporting HFE analyses used to identify human tasks.

Identifying important HAs may be more complicated for advanced reactors than LLWRs. For example, in highly automated plants, potentially important human actions include the monitoring of systems to detect failure conditions, degraded conditions, and the need to back up automatic actions if they fail. It is also important to evaluate support tasks such as aligning system components as well as inspections, tests, and maintenance. At issue is whether applicants use methods that can identify these types of HAs, and the consequences of not having them on their ability to identify important HAs.

Human role in safety function management

Complicating the identification of important HAs is the fact that the means of managing off-normal events is different for advanced reactors when compared with LLWRs. In current plants, managing off-normal events typically involves a combination of the automatic control of safety systems and HAs. Many of the advanced reactors depart from this approach. Instead, they rely on different approaches to how safety functions are performed. In addition to the traditional role of humans as participants in active safety systems, advanced reactors may be designed to use passive or inherently safe systems which do not rely on human actions.

The differences in safety function management are described in Fleming et al. (2020). The following excerpt from the Fleming report captures the implications of these differences.

They <advanced reactors> may rely on passive safety system. The safety function is achieved through reliance on laws of nature, material properties, and energy stored within the SSC. As a result, the typical causes of failure for active systems generally do not exist for a passive system; i.e., loss of power or failure of operator action. By contrast, passive systems can fail as a result of modes such as mechanical or structural failure of an SSC, or even malicious human intervention (IAEA, 2018).

Other considerations are also relevant for assessing the reliability of passive safety systems. For example, passive cooling systems typically rely on natural circulation flows to transport heat to an ultimate heat sink. These natural circulation flows rely on small pressure gradients in the fluid that drive small flows. As a result, these circulation patterns can be susceptible to breakdown should these gradients be eroded. For example, a small reduction of heat transfer to the ultimate heat sink could lead to a breakdown of a natural circulation pattern. As a result, the overall reliability of a passive system can depend sensitively on how the governing physical process is influenced by boundary conditions.

The characterization of these boundary conditions across a range of upset conditions can be generally difficult to assess. However, a passive safety system is designed to maintain relatively controlled boundary conditions that ensure it will function to control a plant under a broad range of internally initiated upset conditions. Passive safety systems are thus very reliable when considering the provision of their safety function to defend against internal events. An active system, by contrast, has a much higher probability of failing randomly when called upon to perform its safety function. In contrast to passive safety, inherently safe systems are those which are absolutely reliable. The classification of absolute reliability must be qualified by a detailed consideration of the range of characteristics of the SSC that support the safety function. For example, control of reactivity often involves reactivity feedback mechanisms inherent to a system preventing reactivity excursions from occurring (e.g., moderator temperature feedback). In this case, it is generally difficult to postulate an external perturbation that would give rise to a loss of reactivity control. However, for cooling or containment functions, it is more likely that passive systems can exhibit failures under a range of external perturbations such that they are not absolutely reliable. Under some circumstances, however, even cooling functions may be ultimately reliable should the power level of the reactor be sufficiently low that residual heat can always be rejected to the atmosphere. (pp 30-31)

Reviewers will have to assess how applicants identify risk for all types of safety function management scenarios and analyze them to support the identification of important HAs.

In addition to the above, applicants should consider SMR issues in Appendix D that are directly related to this general issue:

  • D.5.6, Passive Safety Systems
  • D.5.9, Identification of Risk-Important HAs

Suitability of Current Guidance

In terms of near-term application reviews, once important HAs are identified, the HFE reviewers have guidance to review them, mainly in NUREG-0800, with more specific guidance in NUREG-0711, Rev 3, Section 7, Treatment of Important Human Actions. The other SRPs currently available do not specifically address criteria for evaluating important HAs identified in facility risk analyses (O'Hara, 2021).

However, there are limitations to the near-term identification of important HAs insofar as PRA development is needed. RG 1.233 (NRC, 2020a) provides the NRC's guidance on using a risk-informed methodology, as well as technology-inclusive and performance-based methodologies to inform the licensing basis for non-LWR reactors. The RG states that the selection of LBEs; classification and special treatments of SSCs; and assessment of DID are fundamental to the safe design of non-LWRs. Nuclear Energy Institute (NEI) 18-04 (NEI, 2019c) provides a methodology for defining these aspects of advanced reactor design. RG 1.233 endorses the guidance as one acceptable method for non-LWR designers to use when carrying out these activities. Although the technology-inclusive methodology provides a common approach to selecting LBEs, classifying SSCs, and assessing DID, the applicability of specific technical requirements in NRC regulations, or the need to define additional technical requirements arising from the safety evaluations, is made on a case-by-case basis for each non-LWR design. The NRC expects that SSCs that provide essential support (including required HAs) for safety-related (SR) or nonsafety-related with special treatment (NSRST) SSCs will be classified in a manner consistent with the higher-level functions, even if the supporting SSC is not explicitly modeled in the PRA. The guidance in RG 1.201 and NEI 00-04 addresses the importance of a multi-discipline panel of SMEs and the role of an integrated decision-making process in assessing limitations of the supporting PRA, modeling SSCs and human actions, and the need to identify and address uncertainties. This guidance should support the use of common approaches to PRA and risk analysis of advanced reactors that can support the identification of important HAs.

Additional guidance is also available in ASME/ANS RA-S-1.4 (ASME, 2013). Guidance for the use of PRA for advanced reactors is still being developed, so its readiness to support important HAs may require development as well.

Applicants have also used integrated safety analyses (ISAs) to identify IROFS, which can include HAs. ISA has been used by applicants and both the CFR and several SRPs identify ISA as an acceptable analysis method. An issue arises in the use of ISA to assess HAs. ISAs can mask HAs by identifying them as component failures, e.g., modeling a pump failure in the ISA where it is really a failure of human action, such as failure to start the pump. Also, ISA models HAs as isolated human actions and the dependence of HAs is lost. While specific HFE review guidance is not presently available to review this type of important HA identification, reviewers can apply the approaches used by previous NRC reviews of such analyses, such as the review of the MOX facility, to determine an appropriate review strategy for the facility currently being reviewed. Limitations to the use of ISAs are discussed above in conjunction with the SRPs for facilities using such an approach.

In addition to the review of risk-important human actions, there are additional HAs that should be reviewed because they are specifically credited in design analyses. These deterministically identified important human actions are identified in:

  • Operator actions credited in the diversity and defense in depth analysis supporting the diverse actuation system described in SRP, Chapter 7, Instrumentation and Controls.
  • Operator actions credited in the design bases analyses described in SRP, Chapter 15, Transient and Accident Analysis.
  • Risk-important human actions identified in the human reliability analysis contained in SRP, Chapter 19, Severe Accidents.

The review guidance may also be useful in reviewing operator manual actions associated with fires (especially alternate safe shutdown), flooding, beyond design basis events, and decommissioning activities. See NUREG-1764, Guidance for the Review of Changes to Human Actions, and NUREG-1852, Demonstrating the Feasibility and Reliability of Operator Manual Actions in Response to Fire, for specific review guidance. In addition, Chapter 18, Attachment A, Guidance for Evaluating Credited Manual Operator Actions, provides acceptance criteria for evaluating important human actions.

Thus, in the short term, there is guidance to review important HAs that are identified in risk analyses, but the guidance has limitations that will need to be addressed by the HFE reviewer until risk analysis experts enact improvements to the methods. Risk analyses should also consider HAs for degraded conditions and failure modes that may require HA backup.

In the longer term, the identification of important HAs will be improved when the modeling of advanced reactors in PRA is improved and uncertainties reduced. It will also be important for HFE guidance to be adapted to the modeling of HAs in new PRA approaches consistent with the NEI guidance and other risk analysis methodologies. For reactor designs without reliance on HAs for safety actions, a full HFE program is probably unnecessary. But a question remains as to how much of a program is necessary to achieve reasonable assurance that the overall risk analysis program will identify important HAs and treat them appropriately.

C.2 Autonomous Operations

The issue of autonomous operations is related to the next two issues on staffing and HSI design. It is a driver for determining staffing needs, which in turn drives HSI requirements.

Issue

The NRC has identified autonomous and remote operations as a technical issue. SECY 0098 (NRC, 2011b) and SECY 20-0093 (NRC, 2020c) state that microreactor developers have expressed interest in the possibilities of autonomous and remote operation. This may raise an issue in that current regulations require operation of reactivity controls be performed only by licensed operators and that the manipulation of other HSIs that can affect power level can only happen if authorized by a licensed operator [per 10 CFR 50.54(i), (j), (k), and (m)]. Thus, autonomous and remote operations are not consistent with current regulations.

The SECY identifies policy questions raised by autonomous and remote operations:

  • Eliminating human operators as a diverse means of defense-in-depth for the assurance of reactor safety.
  • The facility designs may not have a control room from which individuals would be able to operate the facility.

Applicants proposing such a ConOps will need to request exemptions from these requirements.

Operation of a reactor without human intervention is a significant shift from current regulations and operational practices, and guidance will be needed for the staff to evaluate such requests.

This is a complex issue with many human performance considerations. We will discuss them below:

  • Allocation of function decisions
  • Identification of HAs needed to support autonomy
  • Management of degraded conditions and automation failures
  • Staffing decisions related to autonomous operations
  • HSI designs to support automation-related HAs

A brief characterization of automation will be discussed to provide context for the aspects of this issue to be presented.

While a detailed ConOps of specific advanced reactor designs is not yet known, it is likely that some will include operations that are autonomous as identified in an NRC issue (see Autonomous and Remote Operations) and in industry studies (e.g., Fleming et al., 2020; Ramuhalli & Cetiner, 2019).

Autonomy can be conceptualized as a point on a scale extending from tasks that are performed completely by manual operations (all actions performed by human crews) to full autonomy where monitoring and control of reactor operations is performed by automation systems with no human intervention. There are many waypoints between these extremes where the level of human involvement decreases and the reliance on automation systems increases. The characterization of automation in NUREG-0700, Rev 3 includes a dimension for Levels of Automation along which autonomy is one endpoint.

Automation often involves cooperation and sharing of responsibilities between automatic systems and plant personnel. At intermediate levels of automation, the relative responsibilities of humans and automation in carrying out tasks vary. Table C.1, from NUREG-0700, Rev 3, illustrates one approach to classifying the levels of automation in NPP applications and identifies the general responsibilities of both automation and personnel.

Table C.1 Example of Levels of Automation for NPP Applications

| Level | Automation Tasks | Human Tasks |
|---|---|---|
| Manual Operation | No automation | Operators manually perform all tasks. |
| Shared Operation | Automatic performance of some tasks | Operators perform some tasks manually. |
| Operation by Consent | Automatic performance when directed by operators to do so, under close monitoring and supervision | Operators monitor closely, approve actions, and may intervene to provide supervisory commands that automation follows. |
| Operation by Exception | Essentially autonomous operation unless specific situations or circumstances are encountered | Operators must approve of critical decisions and may intervene. |
| Autonomous Operation | Fully autonomous operation. System cannot normally be disabled but may be started manually | Operators may monitor performance and perform backup if necessary, feasible, and permitted. |

Source is NUREG-0700, Rev 3, Table 9.1.

NPP systems are sometimes characterized at one level and, at other times, another level. Levels can be changed by predefined conditions or operator decision.

Applicants may implement designs where the levels of automation can change based on the current condition of the plant. Automation can be designed so the allocation of tasks is flexible (i.e., changeable). When automation is flexible, either the operator or automation can perform a task. The choice of whether a task is performed by personnel or automation is based on situational considerations, such as the overall workload of personnel. This is referred to as adaptive automation (AA).

As listed above, the decision to use a fully autonomous design has several human performance considerations:

Allocation of function decisions

One aspect of this issue is the allocation of function process used to identify autonomy as a desirable choice for level of automation of a small modular reactor. An allocation of function process examines the relative roles of humans and automation in the task performance needed to monitor and control the reactor under normal and off-normal conditions. Tasks that are better performed by humans are allocated to them, while tasks that are better performed by automation are allocated to it accordingly. However, limitations of the allocation of function process have been noted (O'Hara, 2020b, c). The reviewer should evaluate the technical process used for allocation of function and how it addresses limitations of this HFE activity.

Identification of HAs needed to support autonomy

Another aspect of this issue is that there are likely to be some HAs even for fully autonomous designs. Monitoring of the performance of autonomous reactors is likely to be necessary, whether on-site or remotely. These HAs need to be identified and may serve as an aspect of the facility's DID. The reviewer should evaluate the applicant's treatment of these HAs.

Management of degraded conditions and automation failures

Another human performance aspect of this issue is the management of degraded conditions and failure modes of the autonomous systems. Applicants need to look at the need for HAs in those scenarios and the HSIs, procedures, and training needed to accomplish these tasks. These analyses have implications for staffing and control room/HSI design. Reviewers should evaluate the applicant's treatment of degraded conditions and the identification of HAs to manage them.

Staffing decisions related to autonomous operations

Autonomous operations have implications for staffing, staffing position requirements, procedures, and training. Applicants may propose that HAs related to autonomous operations will be performed by non-licensed staff, thus raising policy issues (NRC, 2020c):

Autonomous operation necessitates evaluating the implications of reactivity operations being initiated and performed by automation rather than licensed operators, and potentially eliminating human operators as a diverse means of defense-in-depth for the assurance of reactor safety.

The biggest challenge with autonomous operation may be specifying the applicant's rationale for employing autonomous operation without a human monitor as a DID, thus leading to the conclusion that a licensed operator is not needed. The applicant should clearly define the rationale used and the analyses in support of that decision.

Reviewers should evaluate the identification of these HAs and the applicant's analyses that support their performance by non-licensed personnel.

HSI designs to support automation-related HAs

An autonomous design also has implications for the HSI design needed to support related HAs. Even where the facility design does not include a traditional control room, some monitoring and possibly control capability may be necessary. The reviewer should assess the applicant's assessment of the need for HSIs in support of HAs in autonomous systems, their HFE design, and location for personnel access.

Suitability of Current Guidance

In the near term, guidance is available in NUREG-0700, Rev 3, Section 9, Automation Systems, to review levels of automation. While no unique guidance for fully autonomous automation is provided, the review guidance in the other automation sections does apply. However, the guidance is incomplete. For example, the available guidance is sufficient to review some aspects of adaptive automation (AA), such as the monitoring of AA systems, detection of AA system failure, and the general evaluation/validation of AA systems (O'Hara 2020c). However, there are numerous areas where the guidance is insufficient to review the unique design characteristics of AA systems, such as the design of AA configurations and triggering conditions (O'Hara 2020d). Additional research is needed to provide more comprehensive guidance that can be used to evaluate these unique characteristics.

Applications submitting designs for fully autonomous operations may trigger exemption requests from a variety of regulations, such as the use of non-licensed personnel to perform activities for which the regulations require licensed personnel; NRC reviewers have guidance for reviewing some aspects of these exemption requests, but other aspects are not currently addressed.

In summary, this is a complex issue with many human performance considerations. In the near term, guidance is available to review many aspects of applicant designs and exemption requests, but not all.

In addition to the above, applicants should consider SMR issues in Appendix D that are directly related to this general issue:

  • D.2.3, Function Allocation Methodology to Support Automation Decisions
  • D.2.2, High Levels of Automation for All Operations and its Implementation

C.3 Approaches to Staffing

Issue

Staffing is currently prescribed by 10 CFR 50.54(m) requirements and based on LLWRs.

The design and operational differences between small, advanced reactors and LLWRs have led designers to propose alternative approaches to staffing. SECY 20-0093 (NRC, 2020c) indicates that the degree of simplicity and inherent safety of small, advanced reactors may result in fewer operator actions being credited for maintaining plant safety for some designs. Other factors identified as potential justifications for fewer staff include highly automated operating systems, passive design of safety features, and large heat capacity. In fact, these design characteristics may result in few to no credited operator actions for plant safety (NRC, 2020).

The issue of staffing and qualifications for small, advanced reactors has been widely recognized. A special committee of the American Nuclear Society (ANS, 2010) evaluated the staffing of SMRs a decade ago and again in 2019 (NEI, 2019b). NEI (2019b) states that:

The industry intends to work with the NRC to develop alternative approaches to licensed operators for micro-reactors that demonstrate they do not require continuous monitoring by an operator or any safety actions by an operator. (p. B-1)

The NRC also recognizes the need for modification of existing staffing guidance (NRC, 2011b).

The considerations characterizing this issue include:

  • Alternative staffing approaches
  • Training and qualification
  • Beyond control room staffing

Alternative staffing approaches

By alternative we mean a significant departure from the staffing model required of LLWRs in 10 CFR § 50.54 and related regulations. One example of such an alternative is that proposed by OKLO Aurora. The applicant proposes to use no licensed operators and few total operators at the reactor during normal operations. They justify this approach on the applicant's determination that there are no credited operator actions. This is a significant departure from current NRC guidance and industry practice.

Small, advanced reactor applicants can propose a wide range of alternative staffing approaches (NEI, 2019b), including:

  • Changes to the roles of personnel. Performance of tasks by non-licensed personnel that are typically performed by licensed operators (e.g., emergency declarations, operability determinations, departures from license conditions or technical specifications)
  • Staffing positions that are different from current LLWRs and have different qualifications and training
  • No onsite personnel, personnel monitor the reactor from a remote location
  • The reactor is completely autonomous, having no operations personnel at all

The staffing options in some cases would not meet current requirements, including too few operators and operator duties being performed by non-licensed personnel.

Training and qualification

The issue of staffing includes considerations of personnel training and qualification requirements. The determination of qualification and training requirements for personnel at advanced reactors is likely to be design specific, yet a common method for staff review of exemption requests related to them will be needed.

Beyond control room staffing

Staffing the plant involves more than the control room staffing addressed in the regulations. Considerations include staffing during refuelling operations, reactor staff who interact with an interconnected manufacturing plant, supervisory staff, shift work, and training (NRC, 2010b).

SECY 20-0093 (NRC, 2020c) points out that while the NRC has developed guidance (e.g., NUREG-1791) for reviewing staffing exemption requests, the guidance pertains to control room staffing. The NRC's process for evaluating staffing exemption requests is predicated on the assumption that an applicant has an HFE program that can provide the necessary supporting analyses. As small, advanced reactor designers work toward reducing the number of plant personnel and their role, this assumption may need to be re-evaluated, and an alternative means for establishing an appropriate technical basis may be necessary.

Suitability of Current Guidance

Like other aspects of advanced reactor licensing, the NRC will use a two-phase strategy. In the near term, the NRC will address the issue of staffing through exemption requests. In the longer term, the NRC will investigate changes to the regulations that will eliminate the need for exemption requests.

In the near term, the question is whether the current guidance will support the evaluation of exemption requests. Currently, partial guidance for performing staffing exemption reviews is provided in NRC guidance documents:

(Persensky, Szabo, Plott, Engh & Barnes, 2005)

An issue with the guidance is that its focus is on staffing in a dedicated control room and may not be applicable to reactor designs based on novel ConOps, such as a design without a control room.

Another significant consideration is that small, advanced reactor applicants may not have conducted HFE programs consistent with the NRC's current guidance for reviewing exemption requests (NRC, 2020c). NUREG-1791 is based on NUREG-0711 and relies on a technical basis rooted in HFE analyses. The NRC staff may not be able to review applications that are not rooted in an HFE process.

Additional guidance is available in Chapter 18, Attachment B, Methodology to Assess the Workload of Challenging Operational Conditions in Support of Minimum Staffing Level Reviews. This appendix provides a methodology to identify high-workload operational conditions and analyze the workload associated with them. The methodology is rooted in task analysis and relies on the identification of appropriate challenging scenarios, realistic portrayals of task performance that is complicated by separate, but often necessary, dependent and independent tasks, and the judgment of subject matter experts (SMEs) obtained in a manner conducive to obtaining realistic workload estimation. The methodology can be used before the design is ready for validation or full-mission tests using actual crews and realistic scenario simulations. Thus, it provides the NRC staff with an early means to assess the acceptability of minimum staffing requests.

However, the final acceptance of minimum staffing levels is dependent on many considerations, not all of which are addressed by the workload methodology. For example, the methodology does not address:

  • actual task performance
  • the effects of other important performance factors, such as situation awareness
  • the effects of under-load, which is also a concern when determining staffing levels

Thus, in the short term, guidance is available to support staffing exemption request reviews. However, the guidance has limitations and may not be applicable to some design ConOps, such as the case of a design without a control room and no operational staff.

As discussed above, the available guidance to support the review of staffing exemption requests is contained in several documents, e.g., NUREG-0800 (Chapters 13 and 18), NUREG-0800, Chapter 18, Appendix B, NUREG-0711, and NUREG-1791. In the short term, there may be value in having tailored guidance for evaluating staffing exemption requests that is based on the overall HFE program guidance but presents the detailed considerations of how the HFE program addresses levels of staffing. Granting exemptions to staffing level requirements should be based on careful consideration of the technical basis of the request. That is the intent of NUREG-1791. However, as noted above, NUREG-1791 is based on Revision 2 of NUREG-0711. There have since been significant changes to NUREG-0711 in Revision 3, especially in the task analysis and ISV areas.

Eventually the NRC might consider establishing a single source of guidance that integrates the guidance currently available. The new guidance could be a significant update of NUREG-1791, or at a minimum, the new guidance can provide a roadmap for reviewers for determining when and how to use the various staffing documents.

SECY-93-092 (NRC, 1993) recommends an approach to staffing evaluation based on HFE analyses. The SECY states:

The function and task analyses must demonstrate and confirm the following through test and evaluation:

  • Smaller operating crews can respond effectively to a worst-case array of power manoeuvres, refuelling and maintenance activities, and accident conditions.
  • An accident at a single unit can be mitigated with the proposed number of licensed operators, less one, while all other units could be taken to a cold-shutdown condition from a variety of potential operating conditions, including a fire in one unit.
  • The units can be safely shut down with eventual progression to a safe shutdown condition under each of the following conditions: (1) a complete loss of computer control capability, (2) a complete station blackout, or (3) a design-basis seismic event.
  • The adequacy of these analyses shall be tested and demonstrated. The staff is currently recommending that an "actual control room prototype" be used for test and demonstration purposes.

The SECY identifies a technical basis relying on HFE analyses and simulator testing to support an applicant's proposed staffing proposals. Applied to designs on an individual basis, the applicant's proposed staffing plan would be evaluated as an exemption request or a new, design-specific staffing regulation.

In the long-term, changes to the regulations in 10 CFR may be necessary. Applicable regulations include:

  • 50.54(i) - (m) on staffing levels
  • CFR Appendix A, GDC Criterion 19 on control room design
  • 50.34(f)(2)(i) on simulators

Regulatory guidance may need updating as well:

  • RG 1.114 (NRC, 2008), guidance to operators at the controls
  • RG 1.149 (2011) and the related ANS 3.5 (2009), guidance on simulators
  • NUREG-1791 (Persensky, Szabo, Plott, Engh, & Barnes, 2005), guidance for staffing exemptions.

In addition to the above, applicants should consider SMR issues in Appendix D that are directly related to this general issue:

  • D.3.1, New Staffing Positions
  • D.3.2, Staffing Models
  • D.3.3, Staffing Levels

C.4 HSIs for Monitoring and Controlling the Reactor and Interfacing Systems

Issue

Small, advanced reactor designers have suggested that they may have few safety-related HAs and that there may be an overall reduction in the HAs needed for monitoring and controlling the plant. As previously discussed, some designers suggest that no operator actions may be needed. The results of those assessments have profound implications for the design of the plant control room and HSIs. A control room is currently required by NRC regulations; applicants should provide, for Commission review, a control room design that reflects state-of-the-art human factor principles.

NEI (2019b) has stated that due to advances in technology, a traditional control room may not be necessary. For micro-reactors that demonstrate the safety of the reactor can be assured without the need for operator action, and if an operator is unable to compromise the safety of the reactor through the manipulations of the controls, then there would be no need for requirements relating to the control room or for an operator-initiated shutdown.

The NRC review of applicant submittals without control rooms is not unprecedented. NUREG-1567 (NRC, 2000c) and NUREG-2215 (NRC, 2020c) indicate that the NRC has accepted omission of a control room for ISFSI operations that have not involved use of a powered cooling system for material in storage. The NRC has required applicants to provide a justification for control room exclusion. Justifications can include:

  • a description of functions and procedures that provide for performance without the need for a centralized control room
  • the acceptability of accident and off-normal event/condition analyses that show acceptable levels of maximum response and safety without use of a control room
  • the use of passive measures to avoid damage and provide mitigation

While these are important considerations, we think important information may be missing. Regarding the first bullet, what description/analysis is going to show this? The decision that a control room is not necessary should consider HAs (tasks), HSIs, and training, as well as what is described. The analysis should also consider workload and timing requirements.

Regarding the third bullet, the applicant should describe the analyses providing information contributing to decisions regarding the acceptability of passive measures and how applicants ensure the analysis covers all safety-important scenarios.

Thus, while the lack of a control room may still be inconsistent with NRC regulations, including the revised GDC-19, the NRC has considered such a design in SRPs and provided some guidance for what information applicants need to provide to justify such a design, presumably as part of an exemption request. We have pointed out some additional considerations that can be used in the near term to strengthen the information available to reviewers.

SECY-10-0034 (NRC, 2010b) discussed the issue of multi-modular facilities and the use of a single control room to operate more than two reactors. The current regulations do not address situations that go beyond two reactors. In addition, the SMR units may be operated by a staff that is below current staffing requirements. The SECY identifies other potential SMR issues including the possible need for requirements on control room staffing during refuelling operations, reactor staff who interact with an interconnected manufacturing plant, supervisory staff, shift work, and training.

The SECY illustrates the complexities of the interrelated issues related to staffing a multi-unit plant and its control room design. It also addresses the need for a multidisciplinary approach to reviewing applicant submittals for alternative staffing approaches, including human factors and instrument and controls expertise.

If an applicant's submittal does not include a control room, what alternatives might they propose? The range of HSI options is broad and can include design solutions such as:

  • No HSIs
  • Simplified HSIs providing limited displays and controls, like local control stations in current plants
  • Portable, and possibly wearable, HSIs that are not tied to a specific location in the plant but are taken by personnel to a location where they are needed (NEI 2019b)
  • HSIs located at a location remote from the facility (this design option is discussed in the issues of Remote Operations in Section 5.2.5 below)

Applicants will have to provide the technical basis for the approach to HSI design proposed in their application. In addition, since some advanced reactors serve multiple missions, HSIs may be needed for monitoring and controlling them as well, such as the need to address interfacing systems serving non-electricity generation missions such as the production of process heat.

This imposes control room requirements not addressed in current HSI design review guidance.

In addition to regulatory and technical concerns over the design of the HSIs themselves, another aspect of this issue is that HSIs may not be designed using an HFE program (NRC, 2020). Currently an HSI design review includes an assessment of the HSI design review process (per NUREG-0711).

Suitability of Current Guidance

In the near term, acceptance criteria for an applicant's HFE design are provided in Chapter 18 of the Standard Review Plan (NUREG-0800), NUREG-0711, and NUREG-0700. Current review guidance addresses the HFE process as well as the design of HSIs resulting from the process.

A small, advanced reactor may have such a simplified design that it is difficult to review using current guidance. Very simplified HSIs for small, advanced reactors may not have been designed following such an approach.

NRC reviewers have available other SRPs that, while not developed for power reactors, may provide guidance that better matches an applicant's HSI submittals. Examples include NUREG-1537 for non-power reactors, or NUREG-1718 for the MOX facility. The guidance and review criteria for non-power reactors are contained in NUREG-1537 (see Section 4.2.3 above). Section 7.6, Control Console and Display Instruments, states that "The non-power reactor control room, containing the control console and other status display instruments is the hub for reactor facility operation. It is the location to which all information necessary and sufficient for safe and effective operation of the facility is transmitted, and the primary location from which control and safety devices are actuated either manually or automatically." Acceptance criteria for control console review are provided. Similarly, NUREG-1537 Chapter 12 addresses facility staffing requirements and related considerations such as qualifications, selection, and training.

As discussed in Section 4.2.2, RG 1.232 (NRC, 2018a) discusses how the GDC can be adapted to non-LWRs, resulting in an advanced reactor design criterion (ARDC). This guidance may be used by non-LWR reactor designers, applicants, and licensees to develop principal design criteria (PDC) for any non-LWR designs, as required by the NRC regulations.

NUREG-1718 has HFE review guidance that is a scaled down version of NUREG-0711 developed for a simplified HSI and one which identified important HAs using an ISA and not PRA.

The revised criterion still describes a control room and does not consider a situation where a control room may not be needed.

The RG discusses the NRC's rationale for modifications and clarifications of the GDC. ARDC 19 preserves the language of GDC 19, which states (with emphasis added by the NRC) "A control room shall be provided from which actions can be taken to operate the nuclear power unit." However, clarification of this language was provided in RG 1.232: The ARDC modification recognizes the need for operator decision making support and the role of advanced HSIs in supporting this need. However, as noted above, this modification does not address the possibility of a design with no control room.

The bottom line is that guidance is available for reviewing HSIs for advanced reactors; however, none of the existing guidance is a particularly good fit.

In addition to the above, applicants should consider SMR issues in Appendix D that are directly related to this general issue:

  • D.4.8, Control Room Configuration and Workstation Design for Multi-Unit Teams
  • D.2.1, Multi-Unit Operations and Teamwork
  • D.4.9, HSI Design for Multi-Unit Monitoring and Control
  • D.4.10, HSIs for New Missions

C.5 Remote Operations

Issue

The ConOps for some small, advanced reactors may include the use of remote operations. This issue concerns where HSIs are located. A decision for remote location may be informed by the analysis of HSI for monitoring and controlling the reactor above. A reactor can be located at a desired location, while monitoring, and if necessary control, may be handled from a remote location. Such a ConOps is not addressed in current regulations or review guidance.

Two different types of operations are often conflated: autonomy and remote operations. However, they are separate issues. To operate a reactor remotely does not require the reactor to be autonomous. Remote operations are operations from a location removed from the plant's site boundary. The reactor and plant may still require full-time monitoring and control yet be operated remotely. Autonomous operations, as discussed above, means the reactor does not require human intervention for most normal and safety operations. Autonomous operations are still likely to require some infrequent HAs and these may be handled from a remote site.

At present, the HFE requirements for remote operations are not known, e.g., will HSIs have to be modified from what they would be if located on-site? What also needs to be considered are the HAs needed for monitoring and control of the interfacing systems, such as balance of plant (BOP) systems and those of other missions like generation of industrial heat.

Questions such as these will need to be addressed by NRC reviewers and guidance will be needed to support them. Applicants who desire to use remote operations should discuss this with staff early during pre-application meetings so that reviewers can assess what tools are available (e.g., exemptions).

Suitability of Current Guidance

In the near term, applicants will need to submit exemption requests related to control room requirements to support remote operations. However, there is no guidance currently available to support the remote aspects of the operations, e.g., the HFE requirements for remote operations. Before reviews of such an exemption request are performed, research is needed to help identify the HFE needs for remote operations. Before such research is completed, applicants can be asked to provide justification for the use of remote operations and for determining the location, such as how far from the plant site, from which operations are performed.

In the long term, the research and experience from reviews of applicant submittals can be used to suggest changes, if warranted, to the regulations and the supporting review guidance for remote operations.

To the greatest extent possible, applicants' HFE programs should address issues impacting their facility design and operation to help ensure none negatively impact human performance.

Appendix D: Small Modular Reactor Technical Issues

The issues described in this Appendix were identified in an NRC research project focusing on SMRs (O'Hara, Higgins & Pena, 2012). However, most are applicable to other advanced reactor designs as well.

While we reviewed information on SMR designs, the designs were not completed and much of the design and operational information is not yet available. Nor was there information on multi-unit operations as envisioned for SMRs available in operating experience. Thus, to gain a better understanding of multi-unit operations we sought lessons learned from non-nuclear systems that have experience in multi-unit operations, specifically refineries, unmanned aerial vehicles and tele-intensive care units. The ConOps model described in O'Hara 2020a was used to seek and structure the information obtained. Thus, we evaluated several sources of information about SMRs and related systems to identify potential challenges to human performance.

The issues broadly addressed several technological disciplines, including HFE, I&C, plant operations, maintenance, and PRA. There is some redundancy because different sources of information often identified similar challenges. This redundancy is good because it reflects a measure of the converging validation.

There are some dependencies between the final set of issues, often reflecting their hierarchal relationships. For example, new missions lead to new staffing approaches that necessitate new designs for control rooms and HSIs. Several issues such as passive systems are not solely related to SMRs and advanced reactor technology.

Table D.1 lists the issues identified for each ConOps dimension. The issues were updated to reflect information obtained after 2012. The issues are discussed in more detail below. We first describe each one, and then address its implications for design reviews and research.

Based on these issues and their implications, a reviewer aid for evaluating the HFE aspects of SMRs was developed (O'Hara, Higgins & D'Agostino, 2015). The document identifies questions that an NRC reviewer can ask applicants whose designs have the characteristics identified in the issues. The questions for each issue were identified and organized based on the review elements and guidance contained in Chapter 18 of the Standard Review Plan (NUREG-0800), and the Human Factors Engineering Program Review Model (NUREG-0711).

Table D.1 Potential SMR Technical Issues

Each ConOps dimension is followed by its technical issues.

ConOps Dimension: Plant Mission
  • New Missions
  • Novel Designs and Limited Operating Experience from Predecessor Systems

ConOps Dimension: Agents' Roles and Responsibilities
  • Multi-Unit Operations and Teamwork
  • High Levels of Automation for All Operations and Its Implementation
  • Function Allocation Methodology to Support Automation Decisions

ConOps Dimension: Staffing, Qualifications, and Training
  • New Staffing Positions
  • Staffing Models
  • Staffing Levels

ConOps Dimension: Management of Normal Operations
  • Different Unit States of Operation
  • Unit Design Differences
  • Operational Impact of Control Systems for Shared Aspects of SMRs
  • Impact of Adding New Units While Other Units are Operating
  • Managing Non-LWR Processes and Reactivity Effects
  • Load-Following Operations
  • Novel Refueling Methods
  • Control Room Configuration and Workstation Design for Multi-Unit Teams
  • HSI Design for Multi-Unit Monitoring and Control
  • HSIs for New Missions (e.g., steam production, hydrogen)

ConOps Dimension: Management of Off-normal Conditions and Emergencies
  • Safety Function Monitoring
  • Potential Impacts of Unplanned Shutdowns or Degraded Conditions of One Unit on Other Units
  • Handling Off-Normal Conditions at Multiple Units
  • Design of Emergency Operating Procedures (EOPs) for Multi-Unit Disturbances
  • New Hazards
  • Passive Safety Systems
  • Loss of HSIs and Control Room
  • PRA Evaluation of Site-wide Risk (i.e., across all units)
  • Identification of Risk-Important Human Actions (RIHAs) when One Operator/Crew is Managing Multiple SMRs

ConOps Dimension: Management of Maintenance and Modifications
  • Modular Construction and Component Replacement
  • New Maintenance Operations
  • Managing Novel Maintenance Hazards

Source: O'Hara, Higgins & Pena (2012)

D.1 Plant Mission

We identified two issues for this aspect of SMR ConOps:

  • New Missions
  • Novel Designs and Limited Operating Experience from Predecessor Systems

D.1.1 New Missions

Issue Description

The primary mission of current U.S. NPPs is to safely generate electrical power. Some SMRs are designed to accomplish additional missions, such as producing hydrogen and steam for industrial applications, e.g., heating or manufacturing. Demick (2010) describes these new missions for high temperature gas-cooled reactors (HTGRs) as follows:

"These applications include supplying process heat and energy in the forms of steam, electricity and high temperature gas to a wide variety of industrial processes including, for example, petro-chemical and chemical processing, fertilizer production, and crude oil refining.

"In addition to supplying process heat and energy the HTGR can be used to produce hydrogen and oxygen which can be used in combination with steam and electricity from the HTGR plant to produce, for example, synthetic transportation fuels, chemical feedstock, ammonia, from coal and natural gas."

Achieving these missions will necessitate having new systems and personnel tasks, and possibly, added workload. Questions important in multi-mission operations include:

  • If process-heat applications are envisioned for multi-unit sites, will different ones be allowed at the same facility, e.g., hydrogen production, steam production, desalination, refining, and electricity production?
  • Will the new processes associated with these missions create new hazards and safety issues, such as fires and explosions from hydrogen, methane, or natural gas?
  • How will plant staff manage these new missions?
      - Will new process applications use the same or different operators as the NPP?
      - Will new staffing positions be created?
      - Will plant operators be trained in dealing with upset conditions in process-heat applications, and other interfacing requirements?
      - Depending on the number of process applications, how will these new responsibilities complicate operator training since they must be familiar with all application interfaces?

Implications

The determination of the importance of this issue will depend upon additional information from vendors. How they answer the questions raised above will help the assessment of the extent to which the safety of reactor operations may be impacted. The operators must deal with these new hazards along with reactor-related hazards.

In the near-term, HFE reviewers of applications for SMRs that include new missions should ensure that applicants address these questions.

Additional details related to new missions are encompassed in many issues below.

D.1.2 Novel Designs and Limited Operating Experience from Predecessor Systems

Issue Description

Commercial NPPs evolved gradually, with new designs improving upon prior ones. Using operating experience from predecessor plants has been an important aspect of plant design, licensing reviews, and operational improvements for years. By contrast, SMRs represent a new category of plant design, and consequently, for many, there is little operating experience.

Those that are somewhat similar to SMRs (in terms of size and output) are research and demonstration plants that operate as a single unit and use old technology. For example, in examining the operating experience of a demonstration plant, Beck et al. (2010) and Copinger and Moses (2004) gained only limited insights for HFE. We may have to address and assess the need for operating experience by considering the experience of similar designs of non-nuclear systems. The impact of this information gap and compensatory approaches should be evaluated.

Implications

The Advanced Reactor Policy Statement (NRC, 2008b) addressed the role of supporting technology in advanced reactor designs, and the NRC staff's position on development and utilization of the policy statement (Williams & King, 1988) discusses and encourages use of operating experience. NUREG-1226 (Williams & King, 1988) states that "The available sources of operating experience should be used whenever possible." It is emphasized that sources of useful operating experience are not limited to reactors. NUREG-1226 also discusses the use of information and data developed from foreign sources: the use of foreign data to support a U.S. advanced reactor design is acceptable provided the staff has sufficient access to the design, analysis and experimental data being used.

This approach to the use of operating experience in new LWR designs is already incorporated in the staff's review of HFE described in NUREG-0711 (O'Hara et al., 2012). Review Criterion 3.4.1 (1), "Predecessor/Related Plants and Systems," of NUREG-0711 states that "For applicants proposing to use new technology or systems that were not used in the predecessor plants, the operating experience review should review and describe the operating experience of any other facilities that already use that technology."

For small modular reactors, data relating to heat pipes, supercritical CO2, and other potential components are expected to be gathered from non-nuclear experience. Since the operating environment of the available data may be different than that for small modular reactors, its relevance needs to be assessed.

The extent to which operating experience is lacking should be evaluated to determine the potential impact on the HFE program and to determine whether additional tests and evaluations are needed in lieu of operational experience.

Modifications of the staff's review guidance on operating experience are needed to accommodate a greater diversity of experiences at predecessor plants that likely will contribute to SMR design more than the traditional new-plant designs reviewed to date. Current guidance is based on the way large LWRs were designed, with small evolutionary changes from specific predecessor plants for new designs. For addressing SMRs and small, advanced reactors, NUREG-0711, Section 3, Operating Experience Review, must be revised.

D.2 Agents' Roles and Responsibilities

We identified three issues for this aspect of SMR ConOps:

  • Multi-Unit Operations and Teamwork
  • High Levels of Automation for All Operations and its Implementation
  • Function Allocation Methodology to Support Automation Decisions

D.2.1 Multi-Unit Operations and Teamwork

Issue Description

For some SMR designs, a single crew/operator may simultaneously monitor and control multiple units from one control room. Key issues in effectively and reliably accomplishing this task will be teamwork, situation awareness (SA), control room and HSI design, and operator workload.

Maintaining enough awareness of the status of multiple SMRs may tax crews and individual operators. For example, unmanned aerial vehicle studies found that operators sometimes focus on a particular vehicle and may neglect others (this has been called "unit neglect"), or fail to notice important changes to the other vehicles (this has been called "change blindness").

When operators are focused on a problem in current plants, other operators can take over their other tasks. Such cooperation may be difficult when each operator is responsible for multiple units. In refineries, this situation was addressed by augmenting the crew with additional staff during times of high workload or special evolutions. This is a different operational practice than is used in present-day NPP control rooms where the on-shift crew manages all aspects of the plant's condition (except accidents).

Maintaining SA may be further challenged when other situational factors intervene (separately identified as issues below):

  • individual units can be in different operating states, e.g., different power levels or different states such as shutdown, startup, transients, accidents, refuelling and various types of maintenance and testing (see Section D.4.1)
  • unit design differences often exist (see Section D.4.2)

An understanding of the contribution of situational factors such as these on multi-unit monitoring and control tasks will be an important consideration in safety reviews.

In addition, shift turnovers occur two to three times a day when a new crew relieves the old crew. An effective way is needed to convey the status of each unit, ongoing maintenance, and trends in operation from one crew to another.

Implications

Multi-unit monitoring and control is a new type of operation in the commercial nuclear-power industry, with a limited technical basis for developing review guidance. Therefore, research is needed to address the issue and identify the considerations that must be accounted for in evaluating applicant submittals for multi-unit operations. We recommend that this research include an in-depth study of multi-unit operations in other industries, like the way surrogates were used in prior NRC research (O'Hara, Higgins & Pena, 2012). Since there is limited literature available, site visits may be a good way to obtain this information. Having a more complete technical basis rests on identifying the enabling technologies, operational strategies for both normal and off-normal situations, control room and HSI design, and lessons learned. Evaluations will be needed to determine whether the latter can be generalized to NPP operations.

Until such research is complete, HFE reviewers should request that applicants justify their proposed multi-unit operational strategy, e.g., by simulations. However, this is not a substitute for the research identified above. The NRC still needs an enhanced technical basis to ensure they ask the proper questions, and that the review guidance addresses those aspects of multi-unit operations impacting human performance and plant safety.

Related issues are discussed below in Sections D.3.2 and D.5.3.

D.2.2 High Levels of Automation for All Operations and its Implementation

Issue Description

The findings from surrogate facilities emphasized automation as a key enabling technology for multi-unit operations. As crews are assigned more units to manage, automation must perform tasks traditionally performed by operators. SMRs are no exception, and their degree of automation will be high as both normal and safety operations will be automated. The "automate all you can automate" philosophy often dominates programs for developing advanced reactors to improve their performance and decrease operational costs. However, there is a complex relationship between automation and human performance, which often fails to confirm common-sense expectations. For example, it is expected that high levels of automation will lower workload; instead, it shifts workload and creates other human-performance difficulties (O'Hara & Higgins, 2010).

Concerns about these negative effects of over-automation have led to an increase in the usage of more interactive automation, such as adaptive automation (AA) (O'Hara, 2020c). In addition, flexible approaches to using different levels of automation in a single system are being explored.

In adaptive automation, the level of automation is dynamic and changes with personnel needs and plant conditions. Therefore, this approach may assist operators in managing changing attentional and workload demands in supervising multiple plants.

The reliability of automation also is an important consideration. As automation's reliability declines, operators' performance and trust in the automation are degraded.

SMR designs must find the right balance between automation and human involvement to assure plant safety, by determining the right levels of automation and flexibility to support operators in maintaining multi-unit SA and managing workload demands. Licensing reviews of SMRs must determine whether the applicant has reasonably assured the effective integration of automation and operators, and the design supports safe operations.

O'Hara (2020d) evaluated whether the NRC's HFE guidance is sufficiently comprehensive to support AA system reviews and, where it is not, identified what additional guidance is needed. To do so, the guidance in NUREG-0711 and NUREG-0700 was evaluated for reviewing the allocation of functions to AA systems, AA system design, and the evaluation and validation of AA systems. The results revealed that the available guidance is sufficient to review some aspects of AA, such as the monitoring of AA systems, detection of AA system failure, and the general evaluation/validation of AA systems. However, there are numerous areas where the guidance is insufficient to review the unique design characteristics of AA systems, such as the design of AA configurations and triggering conditions. Additional research is needed to provide more comprehensive guidance that can be used to evaluate these unique characteristics.

Implications

The pitfalls of high levels of automation for human performance are well known, as are some of the design characteristics that generate them. The NRC published guidance (O'Hara & Higgins, 2010) on human-automation interactions. This guidance has been integrated into NUREG-0700, Rev 3 and should support HFE reviewers in addressing automation in SMR designs.

While this guidance significantly enhances the staff's reviews, additional research is needed in some areas (O'Hara and Higgins, 2010 and O'Hara, 2020c, detail the research needs listed below):

  • models of teamwork
  • overall impact of AA on performance
  • reliability
  • processes used by automation
  • isolation of the effects of automation's dimensions
  • triggering mechanisms for adaptive automation
  • HSI design
  • function allocation

In addition, a lesson learned from the Department of Defense's (DoD) experience is the difficulty in automating high-level, unmanned vehicle functions. The NRC's HFE reviewers should pay special attention to applications of SMR automation that extend beyond those typically used in new reactors, since there is little experience with them.

See also the related issue in Section D.4.3, Operational Impact of Control Systems for Shared Aspects of SMRs.

D.2.3 Function Allocation Methodology to Support Automation Decisions

Issue Description

Under the issue of High Levels of Automation for All Operations and its Implementation, we discussed establishing various levels of automation and their flexible use by operators. Making design decisions on these two considerations generally is called function allocation. An issue facing designers and reviewers is that current allocation methods do not offer specific analytic tools for deciding when and how to apply new types of automation. SMR designers also noted this problem. In discussing automation for the Pebble Bed Modular Reactor (PBMR), Hugo and Engela (2005) observed that most methods of function allocation are subjective and prone to error and in projects where human and environmental safety is a concern, it is necessary to use more rigorous methods. More comprehensive and objective methodologies are needed to support function allocation analyses by designers.

Implications

NUREG-0711 gives general guidance for reviewing function allocation (see Section 4, Functional Requirements Analysis and Function Allocation). However, modern applications of automation have much flexibility, so that operators face many different types of automation tasks and interactions. The NRC's characterization of automation (O'Hara & Higgins, 2010) identified six dimensions (functions, processes, modes, levels, adaptability, and reliability) that can be combined to design automation for a specific application. However, designers lack methodologies to back up their decisions as to what combinations are appropriate, i.e., current function-allocation methods do not address such choices; and reviewers lack guidance to evaluate them. Additional research is needed on selecting the types of automation and levels of operator involvement to implement for specific applications; the resulting guidance should be included in NUREG-0711.

D.3 Staffing, Qualifications, and Training

We identified three closely related issues for this aspect of SMR ConOps:

  • New Staffing Positions
  • Staffing Models
  • Staffing Levels

D.3.1 New Staffing Positions

Issue Description

In discussing New Missions above, we noted that the industry identified SMR missions beyond safe production of electricity; hence, they may require new staffing positions as compared with current NPP staffing. As well as the new missions, new positions may be needed to manage design differences between current plants and SMRs, such as reactor transfer and on-line refuelling.

The allocation of responsibilities for new missions and new operational activities to shift crew members, either in terms of new positions or new personnel responsibilities, must be a part of staffing and qualifications analyses, training program development, and regulatory reviews to determine their potential impact on safety.

Implications

This issue has potential impact on 10 CFR 50.54, Staffing, and 50.120, Training, the implications of which are detailed in Section D.3.3, Staffing Levels.

D.3.2 Staffing Models

Issue Description

The concept of a "staffing model" addresses the general approaches to fulfilling the organizational functions necessary to operate a NPP, including operations, maintenance, engineering, administration, and security (O'Hara et al., 2008).[8] To meet these responsibilities, utilities employ a combination of on-site staff and off-site personnel. The staffing model chosen is a very significant design decision as it drives many other aspects of the plant's design, including degree of automation, the HSI design, and personnel training.

Current U.S. NPPs have many on-site personnel organized into functional groups. Operations are performed by shifts of reactor operators who the NRC licenses to manage reactor and balance of plant systems. Each shift is expected to manage all phases of plant operations including normal (e.g., startup, changing power levels, and shutdown) and off-normal conditions (e.g., equipment failures, transients, and accidents). In certain emergencies, additional staff are brought in to assist. While day-to-day maintenance is handled by on-site staff, outside organizations often come on-site during outages to undertake major maintenance.

However, the same model is not employed worldwide. For example, in many European NPPs, the operations shift crew divides responsibilities between a reactor operator who manages the reactor systems, and the balance-of-plant operator who manages the rest of the plant. This approach is analogous to how some unmanned vehicles and refineries are operated. UAV crews split duties between flying/navigating the vehicle, and payload operations. In the refinery, four units were managed, with each operator being responsible for a part of the process and monitoring all four units for it.

The staffing models for SMRs may differ from those in currently operating plants. For example, we noted in our discussion in Section D.2.1, Multi-Unit Operations and Teamwork, that the crews in some surrogate facilities where operators monitor multiple units are augmented with additional staff when dealing with units under high-workload situations (such as during startup or emergencies). Crew flexibility is a key to managing off-normal situations. Thus, significant organizational changes are needed to manage these situations. Being able to transfer responsibilities for reactors in off-normal states to a person or team specialized in dealing with them may benefit SMR operations.

After defining personnel responsibilities for a particular SMR design, the associated tasks must be assigned to specific staff positions for both normal operations and off-normal/emergency conditions. Depending on the use of automation, these tasks may include the monitoring and control of multiple individual units, shared systems, reactor transfer, online refuelling, new missions, and monitoring and backing-up the automation. SMR designers will have to determine the allocation of operator roles that best supports overall system performance and safety, and consider the impact on teamwork, e.g., on the peer-checking process.

[8] Our use of the term "staffing models" should not be confused with "human performance models." The latter refers to models that are (1) mathematical, programmable, and executable rather than purely explanatory; and (2) applied in the engineering design and evaluation of complex systems.

Implications

Changes to staffing models that deviate from current practices are likely to have implications for 10 CFR 50.54 and the various staffing guidance documents, including NUREG-0711, as we discuss further in Section D.3.3, Staffing Levels.

D.3.3 Staffing Levels

Issue Description

10 CFR 50.54(m) governs the minimum staffing levels for licensed operators in current plants. It has a table establishing the numbers of operators for one-, two- and three-unit sites. For a one-unit site, one senior reactor operator (SRO), two reactor operators (ROs), and a shift supervisor (second SRO) are required for an operating reactor. For a two-unit site, two SROs and three ROs are needed. A three-unit site needs three SROs and five ROs. The table does not cover sites with more than three units.

Many SMR designers propose staffing levels below these requirements and, therefore, exemptions from this staffing regulation are needed. For example, an SMR designer may assign one reactor operator to monitor and control four units, each consisting of a fully integrated reactor and turbine generator. Drivers supporting this approach include the reactor's small size, its simple design, high degree of automation, modern HSIs, and its slow response to transients. Control room staffing for the baseline configuration of one SMR design consisting of 12 units encompasses three ROs, one SRO control room supervisor, one SRO shift manager, and one shift technical advisor (STA). Thus, the staffing levels needed to safely and reliably monitor and control all SMR units must be determined and reviewed, possibly addressing new staff positions and staffing models, as described above.

Implications

As we noted above, staffing levels are identified in 10 CFR 50.54(m); hence, a change in this regulation or an exemption is needed to permit SMRs to deviate from the minimum established levels. SMR staffing levels were recognized in Issue 4.1, "Appropriate Requirements for Operator Staffing for Small or Multi-Module Facilities," of SECY-10-0034 (NRC, 2010b) as a potential policy issue that may require changes to existing regulations. Also, staffing levels must be considered in the broader context of new staffing positions and models that might be different than those used in currently operating plants and must be reflected in NRC regulations and review guidance.

Until such regulatory changes are made, NUREG-1791 (Persensky et al., 2005) provides guidance for reviewing staffing exemptions. The guidance reflects the NUREG-0711 HFE review process and addresses multi-unit operations. Additional research is warranted, aimed at verifying its approach and updating it for more recent guidance in NUREG-0711 and other NRC staffing documents. If necessary, it should better address the SMR staffing issues in light of the design developments and human-performance considerations since its publication.

D.4 Management of Normal Operations

There are 10 issues for this aspect of SMR ConOps:

  • Different Unit States of Operation
  • Unit Design Differences
  • Operational Impact of Control Systems for Shared Aspects of SMRs
  • Impact of Adding New Units While Other Units are Operating
  • Managing Non-LWR Processes and Reactivity Effects
  • Load-Following Operations
  • Novel Refuelling Methods
  • Control Room Configuration and Workstation Design for Multi-Unit Teams
  • HSI Design for Multi-Unit Monitoring and Control
  • HSIs for New Missions (e.g., steam production, hydrogen)

D.4.1 Different Unit States of Operation

Issue Description

Individual SMR units may be in different operating conditions, e.g., different power levels or different states, such as shutdown, startup, transients, accidents, refuelling and various types of maintenance and testing. Depending on the staffing model used and the assignments of SMR units to individual operators, the effects of these differences on operator workload and on operators' ability to maintain SA must be evaluated.

Implications

This issue has two implications. First, applicants need to determine how the crew will manage units in different states, e.g., will one operator continue to monitor multiple units in different states, or will units in states other than at-power be transferred to a different operator or crew.

Second, the NRC and industry need research assessing the ability of operators and crews to maintain SA of units in different states and to respond appropriately to situations as they arise for each unit based on its state. In addition, the ability of operators to respond to off-normal conditions based on unit state must be investigated.

The findings will offer guidance for addressing unit states as part of the HFE program reviewed using NUREG-0711, and for depicting unit status and status changes in the control room's HSIs, reviewed using NUREG-0700.

D.4.2 Unit Design Differences

Issue Description

The effect of SMR unit differences (heterogeneity) is unresolved. Every surrogate-system organization we contacted deals with unit differences, some of which were significant. At the refinery, these differences aided monitoring by helping operators to distinguish between the units, but for others such as UAV operators, differences complicate operations. There may be differences between the individual units at a given site, between units at different sites, or both.

Since many SMRs are designed to be scalable, units can be added while other units are operating. While a licensee may plan to have all identical units at a particular site, this may not be achievable due to changes made to improve reliability, lower cost, or deal with obsolescence issues. The differences may impact crew and operator reliability. Thus, we need to understand and address the effect of unit differences on SMR operations.

Implications

The research questions stemming from this issue may be quantifying the extent to which differences impact performance and identifying which aspect of performance is affected. Unit differences may support the operators' ability to distinguish between them when monitoring workstation displays; yet, the difference may make situational assessment and response planning more difficult. For example, if the disparities in the units lead to a different interpretation of their status based on parameter displays, it may impair the operators' recognition of performance that deviates from what it should be. Further, if these unit differences lead to the need for different responses, then they may compromise the operators' response. For example, an operator's response to a disturbance in Unit 2 may be appropriate to Unit 1, but inappropriate to Unit 2. The results of research addressing this issue affect the review of procedures as well as HSIs.

For HSIs, guidance is needed on whether and how these differences should be depicted in control room HSIs. NUREG-0700 lacks guidance on this issue. Depicting differences with no impact on operators' performance could needlessly complicate displays; failing to depict those that do impact operator performance may lead to difficulty in situation assessment and operator error.

Furthermore, once the effects on performance of unit differences are determined, the results may help resolve the needs for standardization, for evaluating unit differences using the 10 CFR 50.59 process, or for ways to address it, such as specific HSI design techniques. There are implications also for how to address these unit differences in procedures and training. Should the procedures be common for all units with the differences noted in the appropriate places, or should the procedures be completely separate and different for each unit? Operators must be thoroughly trained in recognizing the differences between units.

D.4.3 Operational Impact of Control Systems for Shared Aspects of SMRs

Issue Description

In typical plants today, the control systems manage a single unit. For SMRs, the control systems may manage multiple units in an integrated fashion. This could include systems that the units share in common, such as for circulating water, for the ultimate heat sink for removing decay heat, and systems for instrument air, service-water cooling and AC and DC electric power. It may also include common control of systems that are similar but not shared between units, such as BOP systems. Clayton and Wood (2010) noted that "Multi-unit control with significant system integration and reconfigurable product streams has never before been accomplished for nuclear power, and this has profound implications for system design, construction, regulation, and operations" (p. 146). The integrated control of multiple SMRs and their shared systems can be an operational and I&C challenge. The challenge to operators lies in monitoring such a control system to confirm that individual units and shared systems are performing properly, and that there are no degradations of the I&C system.

There are a couple of additional challenges. The first is that SMR scalability can make multi-unit operations even more complex as new units are added to the control system. Wood et al. (2003) noted that this may result in a control room that is less optimal for human factors at all levels than would otherwise be possible if all the modules simultaneously completed construction (p. 59).

The second challenge is that SMRs may serve multiple missions. That is, systems must be flexibly reconfigured to meet electricity production and other objectives, such as hydrogen production. For example, the operators may need to change the SMR units driving a turbine to produce electricity, so they generate hydrogen. Designing operational practices and control rooms to effectively support operators is an important issue to address in design and licensing multi-unit SMRs.

Implications

The HFE implications of this issue pertain mainly to HSI design. While NUREG-0700 has guidance on controls, it does not consider how multi-unit and shared system controls should be implemented at operators' workstations. Another question, from an HSI design perspective, is how to address controls for shared systems when different operators at different workstations monitor the units sharing those systems or for errors that may occur when responsibilities are transferred. There may also be increased opportunities for wrong-unit/wrong-train types of error that need resolution.

Additional implications are the outcomes of degradation of the control system on the operators' detection of malfunctions and SA of the status of units and shared systems. The different ways that a plant may select to implement procedures for each unit may, in turn, impact the HSI's design, particularly if the choice is separate procedures for each unit.

Research on this issue will provide a basis for developing NUREG-0700 guidance to help ensure the SMR control room and HSIs provide the necessary information to enable detection of degradation on the control system and SA.

D.4.4 Impact of Adding New Units While Other Units are Operating

Issue Description

Most SMRs are scalable; that is, multiple units can be grouped at a site to meet a utility's specific power needs. Current construction plans are to have ongoing installation of additional units while earlier units operate at power, in contrast to current practices at multi-unit sites where a Unit 2 under construction is clearly separated from operating Unit 1. The impact of adding new units on a site with existing units must be addressed.

Another consideration is the need to add workstations to a control room to accommodate new units. For current plants, the practice is to erect a wall between the operating control room and the control room being built. The wall controls access to the new unit, and limits noise, interruptions, fumes, dust, the potential for construction-related fires and electromagnetic interference from radios, along with other construction work and tests. The shared or common systems typically are included in the operating control room's boundaries.

Implications

If construction activities on subsequent units cannot be completely separated from operating units, they might distract operators. Even if separated, there likely will be mechanical and I&C tie-in activities that could cause trips or other operational problems for the operating units. This may be a particular issue in designing the workstation and HSI displays that will be used to monitor and control existing operating units and the new ones under construction. Research will clarify these issues and support the development of guidance to assess proposed applicant approaches to introducing new units. The new guidance is likely to impact both NUREG-0711 and NUREG-0700.

D.4.5 Managing Non-LWR Processes and Reactivity Effects

Issue Description

Non-LWR SMR designs incorporate the unique systems and features of their processes and may have reactivity effects that differ from LWRs. For example, the presence of lead in the core area of an HPM, a lead-cooled fast reactor, will involve different reactivity effects from those in LWRs. It will exhibit little neutron thermalization, have lower Doppler effects, the temperature coefficient of reactivity will be less negative, and the neutron lifetime shorter. These features all quicken the dynamics of core power and transient operations. The operators' control of both reactivity effects and overall reactor safety depends on their understanding of these effects.

Implications

To understand these differences, operators familiar only with LWRs, but transitioning to non-LWR plants, will require special training both in the classroom and on simulators. In addition, the design of the HSI and procedures should particularly aim to support the operator performance. The acceptability of the operators' performance must be specifically tested as part of a thorough ISV program. Thus, the new guidance will impact both NUREG-0711 and NUREG-0700.

D.4.6 Load-Following Operations

Issue Description

Current day NPPs typically operate at 100% power and provide a base load to the utility's electrical distribution system, i.e., the plants produce electricity for the grid and other producers of electricity compensate for changes in demand. Clayton and Wood (2010) suggested that a base-load mode of operation may not suffice for SMRs that may have to cooperate with other sources of renewable energy whose production is variable because they depend on sun and wind.

Load following is an operating procedure that allows the power output generated by the NPP to vary up or down as determined by the load demanded by the distribution system. It involves more transients, so the plant can increase or decrease both reactor- and turbine-power in response to the external demand. In turn, this requires more actions from operators, and increased monitoring of the response of the automatic systems. In addition, for a multi-unit site, load following may involve the startup and shutdown of units to meet large changes in load demand. Hence, there is more opportunity for equipment failures and operator errors.

Implications

Applicants, in conjunction with the NRC, will need to decide on the method to implement load following, e.g.:

Method A - A load dispatcher contacts the NPP's shift supervisor for all changes.

Method B - A load dispatcher dials in requested change, and the NPP automatically responds, while the load dispatcher and RO/SRO monitor for the proper response. The RO/SRO monitor is responsible to intervene if an unsafe condition is expected/detected.

Each of the two approaches has its own issues. Method A creates greater workload and more distractions for the operators. While manual control of a single unit is well within an operator's capability, simultaneously controlling several may be much more difficult and lead to errors. Method B permits a person not trained in NPP systems and not licensed to change reactivity and power level in the reactor to do so.

Once an acceptable approach is determined, designers will need to define the operator tasks needed to properly manage load-following operations, and to provide HSIs, procedures and training to support them. Guidance will be needed for both NUREG-0700 and 0711 to review the applicant's analyses of load-following operations and the HSI that manages them.

Such a change in operating methods might increase risk due to a higher frequency of transients and should be evaluated via PRA techniques.

D.4.7 Novel Refuelling Methods

Issue Description

Several SMRs refuel the reactor on-line or continuously. While there is international experience with such refuelling operations, it will represent a new practice in the United States. Further, in some circumstances, specific approaches to refuelling will be novel (O'Hara, Higgins & Pena, 2012). The effects of such novel approaches on human performance and plant safety need to be assessed.

Implications

Vendors will have to define the methods by which reactors will be refuelled, and their impacts on operator performance assessed through HFE analysis and research, particularly by operators responsible for other operating units at the same time. A key policy question here is whether the NRC will allow one operator simultaneously to control both an operating unit and one undergoing refuelling.

Depending on the effects of refuelling on the operators' performance, additional review guidance may be needed to support the review of the associated HSIs, procedures, and training. See also, the discussion in Section D.4.1, Different Unit States of Operation.

D.4.8 Control Room Configuration and Workstation Design for Multi-Unit Teams

Issue Description

For a single reactor and its secondary systems, modern computer-based control rooms typically have a large overview display, several operator workstations, a supervisor's workstation, and supplemental workstations for engineering and maintenance work. The question is how to design a single control room to support SMR operations encompassing multiple reactors, and where a single person may be responsible for a reactor and its secondary systems for multiple units. The answers partly depend on the allocation of the crew's responsibilities. Nevertheless, it may be demanding to design a single workstation to monitor multiple units, considering the HSI resources needed for today's control room that monitors a single unit; expanding that to multiple units may prove more challenging.

As well as considering multi-unit operations, the design will need to accommodate new tasks, such as moving reactors for refuelling, as well as new missions, such as hydrogen production.

Another question is whether the individual unit control stations should be in one room or in different ones close together. In a single control room, situational factors associated with a single unit, such as alarms and using emergency procedures, may impact the operators monitoring other units. However, accommodating operational staff in one room allows them to help each other more easily, and they will be easier to supervise. If individual unit-control stations are in separate control rooms, overall supervision, teamwork, and the transitions needed in high workload situations may be more difficult to manage. Also, operations at each unit will be undisturbed by what happens at the others.

Implications

Operating multiple units from a single control room is a new practice and research into the workstation and control room configuration is needed to determine an appropriate approach to ensure its support of reliable operator performance, situation awareness, and teamwork. As noted earlier, one aspect of this research is to gather experience from other industries that practice multi-unit operation.

See also the implication discussed in D.2.1, Multi-Unit Operations and Teamwork; and Section D.4.9, HSI Design for Multi-Unit Monitoring and Control.

D.4.9 HSI Design for Multi-Unit Monitoring and Control

Issue Description

The detailed design of HSIs (alarms, displays, and controls) to enable a single operator to effectively manage one or more SMRs is an important design consideration. HSIs must enable monitoring the overall status of multi-units, as well as easy retrieval of detailed information on an individual unit. This need raises several questions. For example, should the HSIs for each unit be separate from those of other units, or should they be integrated to help operators maintain high-level awareness of the status of all units for which they are responsible? If the units are separated, and an operator is focusing on one of them, awareness of the status of the other units may be lost. If the information is integrated, it might be a challenge to ensure that operators do not confuse information about one unit with that about the others. Related to this is the problem of how to address unit differences in designing HSIs, as discussed earlier.

Alarm design is especially important in ensuring that operators are aware of important disturbances, thereby minimizing the effects of change blindness and unit neglect.

SMR personnel may also require more advanced I&C and HSI capabilities than currently used to support their tasks. For example, systems that provide diagnostics and prognostics support for monitoring and situation assessment activities may be needed. How personnel manage and understand these capabilities is an important consideration to overall personnel performance.

The organization of information in supporting teamwork is another important HSI design consideration, e.g., deciding what information crew members need to have access to individually, and as a crew, to promote teamwork. A key aspect to be researched is employing a large overview display in a control room with multiple operators, each controlling more than one unit. Its value needs to be determined.

Another problem is the HSIs needed for shifting control for one unit from one operator to another.

Implications

Research should be undertaken to define the requirements imposed by multi-unit monitoring and control on all HSI resources, and to delineate how they should be integrated into workstations, overview displays, and control room layouts to support multi-unit control rooms.

Research on this issue will provide a technical basis for developing new review guidance.

See also the implications discussed in D.2.1, Multi-Unit Operations and Teamwork, and D.4.8, Control Room Configuration and Workstation Design for Multi-Unit Teams.

D.4.10 HSIs for New Missions

Issue Description

HSIs are needed to help the monitoring and control of new missions, such as hydrogen production, or the industrial use of steam. The question of how to design and integrate them into the control room needs to be addressed.

Implications

The review of the new HSIs themselves can likely be supported by the guidance in NUREG-0700, but the guidance may need to be expanded to address the interplay between these new functions and the reactor controls. Before researching this issue, more detailed data are needed from SMR designers on how personnel manage new missions, and how their operations are staffed and integrated into the rest of SMR operations.

D.5 Management of Off-Normal Conditions and Emergencies

One important aspect of managing off-normal conditions and emergencies was already raised in issue D.3.2, Staffing Models, which discusses, among other aspects, the operational team's transitions that may be required to manage off-normal units, such as transferring the unit to another operator(s).

We identified nine issues for this aspect of ConOps:

  • Safety Function Monitoring
  • Potential Impacts of Unplanned Shutdowns or Degraded Conditions of One Unit on Other Units
  • Handling Off-Normal Conditions at Multiple Units
  • Design of Emergency Operating Procedures (EOPs) for Multi-Unit Disturbances
  • New Hazards
  • Passive Safety Systems
  • Loss of HSIs and Control Room
  • PRA Evaluation of Site-wide Risk
  • Identification of Risk-Important Human Actions (RIHAs) when One Operator/Crew is Managing Multiple SMRs

D.5.1 Safety Function Monitoring

Issue Description

One action taken by the NRC after the accident at the Three-Mile Island NPP was to improve the operating crew's ability to monitor critical safety functions by requiring each plant to install a safety-parameter display system (SPDS) through 10 CFR 50.34(f)(2)(iv). The NRC also published guidance on the characteristics of SPDS in NUREG-0835 (NRC, 1981), NUREG-1342 (Lapinsky et al, 1989), and NUREG-0737 (Supplement 1) (NRC, 1983). The HFE aspects of the NRC's SPDS guidance were integrated into NUREG-0700, Section 5 (O'Hara & Fleger, 2020).

The specific safety functions and parameters in the SPDS documents identified above are based on conventional LWRs. However, SMR designs, using non-LWR technology, such as HTGRs and LMRs, may require different safety functions and parameters to help operating crews to effectively monitor the plant's safety. This was partly addressed in the Revision 3 update to NUREG-0700. The treatment of SPDS functions was modified to make the review guidance technology neutral. However, new issues arise for safety function monitoring of multi-unit plants.

Implications

Research is needed on the design of SPDS in multi-unit plants to determine how individual unit status can quickly be assessed and details of units at risk can be quickly determined.

D.5.2 Potential Impacts of Unplanned Shutdowns or Degraded Conditions of One Unit on Other Units

Issue Description

Unplanned shutdowns or degraded conditions in one unit may affect other units, especially those sharing systems. Operators must be able to detect and assess these impacts; therefore, HSIs are needed to support their managing the situation (O'Hara, Gunther, Martinez-Guridi & Anderson, 2019). Clear criteria should signal the conditions under which additional personnel must be brought in or the affected unit is transferred to another operator or crew. Further, the design of the control room and the HSI must support the effective transfer of a unit to other operators.

Implications

While this is clearly a broad safety issue, research is needed on the operators' tasks, HSIs, procedures, and training essential to successfully manage such situations. The research should reflect approaches proposed by SMR applicants. Guidance is needed for HFE reviews of proposed approaches to handle unplanned shutdowns and degraded conditions. It will impact NUREG-0711 and NUREG-0700.

D.5.3 Handling Off-Normal Conditions at Multiple Units

Issue Description

Evaluations are needed of the crew's ability to handle off-normal conditions and emergencies in a control room with multiple units, as we noted in Sections D.2.1 and D.3.2. As with current plants, changes in the crew, including their augmentation, may be needed to handle off-normal situations. Most SMRs propose having operators/crews monitoring and controlling multiple units. Then, the following questions about off-normal conditions arise.[9]

  • With the large number of operating units on a site, e.g., 12, a transient frequency of once per reactor-year becomes once per calendar-month for the site. How such events will be addressed poses several issues:
      - With operators controlling multiple reactors, do they need relief if a transient occurs in one of their units? If so, how will it be provided, on-shift or on-call operators?
      - Will the designated transient relief be for the site or per unit?
      - Will this relief be an operator or a crew?
  • For an accident, in contrast to a transient, there will likely be augmented crew per emergency planning (EP) requirements. But questions remain about the EP staff needed on shift to immediately respond to an accident while awaiting augmented staff:
      - Is the number of on-shift EP staff at current plants adequate for multi-SMR plants?
      - Will it apply to the site or does each unit need a designated emergency crew?

[9] Transients occur more frequently than accidents and are less severe. Examples of transients are reactor or turbine trips and loss of offsite power, while those of accidents are a stuck-open primary relief valve and a loss of coolant accident.

These questions should be addressed considering the potential for common cause initiating events that could affect multiple onsite units, or even all of them. Examples are loss of offsite power, and external events such as fire, flood, and earthquakes.

A related question, discussed in Section D.5.2, pertains to the control location(s) where the affected units are managed. Is it acceptable to have the affected unit controlled from the same workstation as unaffected units, or is it preferable to switch operations of the affected unit to a separate workstation?

Implications

This issue affects 10 CFR's staffing and emergency-planning regulations and guidance. SMR vendors stated that emergency planning zones might be reduced, potentially lowering the staffing requirements for EP crews.

The resolution of this issue can have a significant impact on staffing, since any increase per SMR unit is multiplied by the number of reactors on site.

See also the discussion in Section D.5.2, Potential Impacts of Unplanned Shutdowns or Degraded Conditions of One Unit on Other Units; and D.5.4, Design of Emergency Operating Procedures (EOPs) for Multi-Unit Disturbances.

D.5.4 Design of Emergency Operating Procedures (EOPs) for Multi-Unit Disturbances

Issue Description

The potential for disturbances at multiple units, particularly ones sharing systems, may necessitate developing emergency operating procedures (EOPs) that consider strategies for responding to multi-unit emergencies from external events, such as loss of grid, earthquakes, high winds, and floods, or from failures of shared systems, such as the ultimate cooling or the switchyard. Responses must be evaluated carefully to account for unit interactions, and procedures must ensure the critical safety functions of each unit. Some questions that arise are:

  • Will each unit have independent procedures, or will they be integrated?
  • How will procedures address differences between units?
  • Will a set of common procedures apply to all units?
  • How will the execution of common procedures be managed?

Most new reactor designs have computer-based procedure (CBP) systems to support crews in managing emergency conditions. Their use in managing multi-unit emergencies must ensure the operators' awareness of all units. The procedures likely will have to support use by multiple crew members. CBPs are relatively new operator-support systems in NPPs; the many new demands imposed by multi-unit EOPs will require new functionalities necessitating regulatory review.

Implications

The NRC reviews the design and content of EOPs and their implementation in CBP applications using the guidance in SRP Chapters 13 and 18. This guidance might need updating if EOPs are modified to cover multi-unit disturbances. In addition, NUREG-0700 contains detailed design review guidelines for CBP that also may need upgrades to address multi-unit applications.

D.5.5 New Hazards

Issue Description

Many SMR designs are based on non-light water technology. In contrast to LWR designs, they potentially involve new hazards; for example, under some circumstances, graphite cores are flammable and could create radiologically hazardous fumes. The hazards must be understood, and then addressed in those safety systems that monitor and mitigate the hazards, the HSIs that personnel use to monitor the plant, the procedures they use to address hazards, and operator training.

Implications

Vendors need to address new hazards and the NRC likely will review them as part of the licensing process. Review guidance will be needed for monitoring the HSIs of systems that detect hazards, the procedures identifying appropriate operator actions, and the training for the overall management of hazards. This probably will affect the guidance in NUREG-0711 and NUREG-0700.

D.5.6 Passive Safety Systems

Issue Description

In response to transients and accidents, some SMRs employ passive safety systems that depend on physical processes rather than active components, such as pumps. For example, should an excessively high temperature be reached, the temperature gradient increases natural circulation and cooling. Some passive systems use one or two valves to initiate the process.

The IAEA (2009) raised concerns about passive systems based on the limited experience with reactor designs using such systems:

  • The reliability of passive safety systems may not be understood as well as that of active ones.
  • There might be undesired interaction between active and passive safety systems.

  • It may be difficult to turn off an activated passive safety system after it was passively actuated.
  • Incorporating passive safety features and systems into advanced reactor designs to achieve targeted safety goals must be proven as effective.

We note that passive safety systems that depend on physical processes are not as amenable to routine testing as are active ones. There are no components to easily test, e.g., no pumps to start. For passive systems with valves, operating them would not fully test the process in the absence of the physical condition that initiates it. Thus, operators may not become as familiar using them as they are with current-generation active systems, nor know from operational experience how to verify the systems' proper automatic initiation and operation in a real event. For example, there may not be the same observable initiation signals to start systems. Flow rates and temperatures typically are much lower, and perhaps not as easily verified.

Operational aspects of monitoring and verifying the success of passive systems must be defined, along with any operator actions needed to initiate or back them up should they fail to operate as designed.

Implications

Active safety systems must be tested periodically, thereby giving operators the opportunity to become familiar with them. However, there may not be an equivalent opportunity with passive safety systems. In addition, verification of system alignments and examinations of passive system condition may be of greater significance as periodic operational tests may not be possible. Thus, higher reliance on simulators may be needed to assure the operators' familiarity with, and training on, passive safety systems.

Procedures must be written to specify the operators' actions for monitoring, backing-up, and securing passive systems, and NRC's guidance updated to address them. Additionally, the control room V&V program should address these aspects of operator interaction with passive systems. Another implication is that verification of system alignments and examinations of passive system condition may be of greater significance as periodic operational tests may not be possible. The new guidance likely will impact the review guidance in both NUREG-0711 and NUREG-0700.

D.5.7 Loss of HSIs and Control Room

Issue Description

The design of a multi-modular SMR control room should consider the potential loss of HSIs and the entire control room, taking into account (1) NRC I&C requirements and guidance, and (2) 10 CFR 50 Appendix A, GDC 19, Control Room, and Appendix R. Also, for the site-wide PRA (discussed in Section D.5.8 below), the impact of loss of control room and HSIs might consider the following:

  • potential loss of the main control room and how to use back-up facilities
  • operator errors at one operator workstation may affect multiple units rather than just one
  • potential loss of one operator-workstation that impacts multiple units
  • a site-wide initiating event that likely will impact all units similarly

Implications

Using a single control room for multiple units has implications for various aspects of control room requirements, guidance, and analyses, including design, PRA and failure analysis, human reliability analysis (HRA), GDC 19 compliance, control room evacuation, Appendix R, and remote shutdown. The HFE guidance in NUREG-0711 most likely will be affected because it addresses analyses and evaluations of degraded conditions (O'Hara, Gunther, Martinez-Guridi & Anderson, 2019).

D.5.8 PRA Evaluation of Site-Wide Risk

Issue Description

SMR sites may have more units than current PRAs typically address. Therefore, modeling SMRs, especially those with shared systems, probably will require new models for PRAs. A single-unit PRA considers common or site-wide systems such as offsite power, AC power on site, the ultimate heat sink, and various cross-connections between units, such as air and cooling-water systems. They also cover the effect of site-wide initiating events, such as loss of offsite power, station blackout, seismic events, and external floods.

PRAs may need upgrading to encompass site-wide risk for multiple units. A site-wide PRA may evaluate potential core damage (CD) at multiple units caused by site-wide initiating events and the influences of common systems and a common control room as potential common cause failures. This site-wide PRA may result in CD at multiple units, but at a lower frequency than for a single unit. However, the PRA level 2 releases could be potentially high due to CD at multiple units.

Implications

The overall issue of site-wide PRAs is a policy issue for the NRC. From an HFE perspective, calculating RIHAs from a site-wide PRA may generate more actions than does a single-unit PRA. These RIHAs should be addressed as part of the applicant's HFE program to ensure they can be reliably performed by plant staff. The treatment of RIHAs is already addressed in HFE reviews via NUREG-0711, so that new guidance for the HFE reviews may be unnecessary. However, additional HRA considerations might be required to identify these RIHAs.

See the discussion in Section D.5.9, Identification of RIHAs when One Operator/Crew is Managing Multiple SMRs.

D.5.9 Identification of Risk-Important Human Actions when One Operator/Crew is Managing Multiple SMRs

Issue Description

An area where new techniques may be needed is the identification of RIHAs. Plant designers typically identify and address them in their HFE programs. For SMRs, this is more challenging since there will be new/unfamiliar systems and hence, little or no operating experience to draw upon. If the PRA is more troublesome to quantify, it will be harder to accurately identify RIHAs.

Even when the units themselves are deemed independent, i.e., no shared systems and the units are separated physically, there is the potential for human error if the same operators monitor them. For example, the potential for human error for one unit may increase if the operators' attention is directed to another unit.

Modifications may be needed to PRA and HRA methods to account for these effects.

Implications

This issue has implications for PRA and HRA techniques and for calculating RIHAs. The HFE guidance most likely to be affected is NUREG-0711, which addresses how the applicant's HFE program addresses RIHAs.

See also the discussion in Section D.5.7, PRA Evaluation of Site-wide Risk.

D.6 Management of Maintenance and Modifications

There are three issues for this aspect of SMR ConOps:

  • Modular Construction and Component Replacement
  • New Maintenance Operations
  • Managing Novel Maintenance Hazards

D.6.1 Modular Construction and Component Replacement

Issue Description

Many SMRs are designed for modular construction and component replacement. Some SMR designs will be fabricated at the factory, transported to the plant site, and assembled there.

Previously, plant personnel participated in the on-site construction, component-level testing of installed components, and pre-operational testing; hence, they gained a thorough knowledge of structures, systems, and components. Fabricating plants at factories will necessitate changing how personnel obtain knowledge of systems and components that historically was gained (at least partially) via the construction process.

Implications

The safety implications of this approach are unknown but should be discussed with industry and vendors to determine their plans to address this issue.

D.6.2 New Maintenance Operations

Issue Description

Some SMRs will require new maintenance operations whose impact on safety must be assessed. They include operations such as disconnecting a reactor and moving it past other operating reactors to a maintenance location. This operation will involve decoupling the reactor from all the electrical and mechanical systems while continuously monitoring the reactor throughout the entire process.

In addition, current practices take on new meaning when applying them to SMRs. Current operating practices led to the increase in capacity factors from about 63% several decades ago to the industry's current level of over 90%. These practices include on-line maintenance. Some of the next generation of plants are similarly likely to employ on-line maintenance practices because the same working fluids (steam and water) and equipment (pumps, motors, valves, piping, and heat exchangers) will be used. Consequently, the SMRs can be expected to be maintained on-line, just like their current larger counterparts.

One outcome of continuous on-line maintenance is that the operator will be faced with several units, each in a different configuration due to normal maintenance and surveillance. Research is required to develop displays to show operators the important differences in the configurations of the units they are monitoring, and the acceptable operations. The operator requires accurate situational awareness of each unit's status.

Operators are responsible for safe operation of the plant including establishing and maintaining it in a condition safe for maintenance personnel. Operators take a system out of service, ensure it is safely isolated during maintenance, and return it to service. The process is difficult enough with one operating crew per unit; it must be evaluated for multiple units. Systems are taken out of and returned to service under the direction of the control room, typically through a system of locks and tags that signal to maintenance personnel and others when the component and system cannot be operated. Additional research is required into the ways by which operators can maintain safe configuration of multiple units during maintenance.

Implications

There are new operations whose impact on safety should be evaluated. Additional information is needed from vendors about these planned practices, followed by research to determine their effects on performance, and how to design HSIs, procedures, and training to support their safe practice.

D.6.3 Managing Maintenance Hazards

Issue Description

We identified several potential challenges in human factors associated with maintaining each specific design we examined. They are listed in O'Hara, Higgins and Pena (2012), Section 3.4, Insights for SMR ConOps from SMR Design and Operations, item 19. These new maintenance practices should be analysed to ensure personnel and plant safety.

Implications

This issue can most likely be addressed by industry research and by vendors' HFE programs evaluating maintenance design and planning.
