ML25072A129
| Person / Time | |
|---|---|
| Issue date: | 03/09/2025 |
| From: | Theresa Buchanan, D'Agostino A, Brian Green NRC/NRR/DRO/IOLB |
Assessing Independence from Human Performance: Considerations for Functional Requirements Analysis and Function Allocation
Brian Green¹, Theresa Buchanan, Amy D'Agostino
U.S. Nuclear Regulatory Commission, Washington, D.C., brian.green@nrc.gov
ABSTRACT
The U.S. Nuclear Regulatory Commission (NRC) places emphasis upon the role that humans play in the safe operation of commercial nuclear power facilities. At present, the current regulatory framework for commercial nuclear power plants has been extensively influenced by the safety role of humans at large light-water reactor (LLWR) facilities. However, the deployment of advanced reactor technologies has necessitated a reevaluation of the implications of human-system interactions on plant safety performance. The NRC staff have proposed, via the 10 CFR Part 53 framework, to establish a new class of commercial nuclear reactor facility, the self-reliant-mitigation facility. This classification would reflect a determination that credible human action or inaction at a facility would not be reasonably expected to influence safety outcomes in a significant manner. To facilitate this screening, the authors developed five high-level criteria to provide confidence in the adequacy of such determinations. In doing so, the authors identified that certain traditional conventions for the description of function allocation and categorization of safety features became insufficient when applied within the context of reactor designs that achieve safety without reliance on human actions. This paper describes how the NRC may plan to consider the functional requirements analysis to identify where facility safety is dependent upon human support across a wide variety of reactor technologies. This paper also describes how traditional function allocation approaches may need supplementation to evaluate certain advanced reactor designs, including consideration of how safety features and characteristics provide resilience to failures of human performance.
Keywords: advanced reactors, functional requirements analysis, function allocation, 10 CFR Part 53, human performance
1. INTRODUCTION
The U.S. Nuclear Regulatory Commission (NRC) places emphasis upon the role that humans play in the safe operation of commercial nuclear power facilities. Examples of areas in which the NRC has implemented regulatory oversight include operator licensing, human factors engineering (HFE), operator staffing, and the training and qualification of certain categories of plant personnel. The existing regulatory framework of Title 10 of the Code of Federal Regulations (10 CFR) has been shaped by industry events which, in many cases, highlighted the importance of human-system interactions in achieving safety and revealed areas in which greater regulatory focus was warranted. This regulatory framework has also been extensively influenced by the safety role of humans at large light-water reactor facilities. As a result, the potential for deployment of new, advanced reactor technologies necessitated a fresh evaluation of the implications of human-system interactions on plant safety performance.
¹ brian.green@nrc.gov
In October 2024, the NRC published a proposed regulation which would establish a Risk-Informed, Technology-Inclusive Regulatory Framework for Advanced Reactors at 10 CFR Part 53². This proposed rulemaking was developed by the NRC in response to the mandate of the 2019 Nuclear Energy Innovation and Modernization Act (NEIMA) [1]. The proposed 10 CFR Part 53 contains a new framework for licensing and regulating commercial nuclear plants during the various stages of their life cycles, by means of requirements that are technology-inclusive, risk-informed, and performance-based [2]. The authors of this paper contributed to the development of the proposed rule, including its human-systems provisions. In general, this new human-systems framework takes an integrated approach to the areas of HFE, staffing, operator licensing, and training. Within each area, design-specific plant safety functions³ are used as the foundation for performance-based objectives, with the relative role of the human in the fulfillment of safety functions being used as a mechanism to both integrate the regulatory approach and allow for gradation within its requirements. To facilitate understanding how a given power plant design would depend upon humans for the fulfillment of safety functions, a proposed requirement was included at 53.730(d) that would require all facility license applicants to provide a functional requirements analysis (FRA) and function allocation (FA) as part of their application. Under this proposed requirement, the FA would specifically need to describe whether safety functions were assigned to human action, automation, active safety features, passive safety features, or inherent safety characteristics [2].
Since advanced nuclear technologies may result in commercial nuclear facilities where human performance has a substantially reduced influence on safety outcomes (as compared to the operating fleet of power reactors), we sought to develop a structure of regulations and guidance that would yield an appropriate regulatory footprint under such circumstances. For facilities in which there would be dependence on human performance for safety outcomes (e.g., required operator actions that must be implemented in a timely and correct manner), we accomplished this by proposing performance-based and flexible requirements for areas such as HFE, staffing, operator licensing, and training. However, we recognized the potential for designs in which licensed operator action, inaction, or inappropriate actions would not credibly influence safety outcomes (including defense-in-depth) in a significant manner. Accordingly, we also recognized that such designs would warrant a substantially different regulatory treatment. In light of this, the NRC has proposed under 10 CFR Part 53 to establish a new class of facility, the self-reliant-mitigation facility (SRMF), for which the regulations would offer enhanced flexibilities and targeted relaxations in a manner commensurate with the relative independence of such designs from needing human support to fulfill safety functions and ensure safe operation. The SRMF terminology itself reflects differences in how operators are anticipated to need to interact with their plant systems in mitigating events and achieving safe outcomes; facilities that do not need operators to interact with their systems to accomplish this would be self-reliant in that regard [2].
To identify SRMFs, we developed, for inclusion within the proposed 10 CFR Part 53 rule, five high-level criteria that can, collectively, provide confidence in the adequacy of such determinations. It should be noted that these criteria go beyond the general requirements of the proposed 10 CFR Part 53 (including those pertaining to the previously discussed FRA and FA requirements of 53.730(d)) and would only apply to the subset of designs seeking classification within the narrower SRMF classification. These criteria, which are provided under 10 CFR 53.800, may be summarized via the following underlying objectives which they serve to ensure: 1) no human action being needed to satisfy radiological consequence criteria, 2) no human action being needed to address licensing basis events, 3) safety functions not being allocated to human action, 4) reliance upon robust and highly reliable safety features, and 5) adequate defense in depth achieved without reliance on human action [2]. However, in developing the detailed criteria by which to implement these objectives, we identified that traditional approaches for both function allocation description and safety feature categorization became inadequate for the purposes of screening reactor designs that, owing to the significantly relaxed human-systems requirements under which they would operate, must be able to achieve acceptable safety outcomes independently of human action and performance-related considerations.
² At the time of writing, the proposed 10 CFR Part 53 regulation is undergoing a public comment period. It should be noted that changes to the content of the rule may occur in response to comments and that this would be reflected in the subsequent final rule when it is published.
³ Safety functions play an important role within the proposed 10 CFR Part 53 that is broader than the human-systems framework. The proposed requirement of 53.230 would require, in part, applicants for commercial nuclear plants to identify the safety functions associated with a given plant design (e.g., reactivity control, heat removal, radionuclide retention, etc.).
In this paper, we describe how the HFE tool of FRA is broadly applied under the proposed 10 CFR Part 53 to understand how designs fulfill safety functions. We also discuss how, within this framework, the various types of safety features and characteristics relied upon to fulfill safety functions were considered to influence the human role in nuclear safety. Additionally, we further describe how the traditional approach to FA may need supplementation to fully assess certain advanced reactor designs (i.e., SRMFs), specifically by using an approach that considers the resilience of a design to failures of human performance.
2. SELF-RELIANT MITIGATION FACILITIES
As nuclear power-related technologies evolve and advanced commercial reactors are deployed, we anticipate the emergence of facilities that have been designed in a manner that qualifies them as SRMFs.
For example, the NRC staff anticipates that some micro-reactor applicants will propose to operate multiple micro-reactor units from a centralized and remote location. Since communications with remote facilities can be interrupted, for remote operations to be safe, there should be a high degree of assurance in the ability of operators to remotely accomplish any actions needed for safety or, alternatively, reliance on such actions should be eliminated. Compounding the complexity of the issue, a lack of on-site operators might remove opportunities for local actions as a backup to remote operations. Given this scenario, an approach for addressing the potential loss of remote-control capabilities may include the use of SRMF facilities, which, by definition, could demonstrate safety in the absence of human intervention [3].
As previously discussed, SRMFs would represent a specific subset of the commercial nuclear plants licensed under 10 CFR Part 53 that, owing to their safety characteristics, would be afforded substantial relaxations from the human-systems requirements that would otherwise apply within the proposed regulation. For example, proposed 10 CFR Part 53 regulations would not require SRMFs to be staffed by Senior Reactor Operators (SROs) and Reactor Operators (ROs); instead, they would be staffed by a new category of Generally Licensed Reactor Operator (GLRO). In contrast with SROs and ROs, GLROs would not have medical fitness requirements, would not need to individually apply to the NRC for licensing, and could complete their licensing examination process without the NRC being present. Additionally, licensed operator staffing requirements for SRMFs would be minimal, with no limitations being prescribed on how many reactors (or facilities) that GLROs could oversee, nor where the GLROs would even need to physically be located [2]. These differences reflect, in part, the distinction that GLROs would not (and could not) be depended upon to implement actions that would fulfill plant safety functions.
A key factor in determining whether a facility would be a SRMF is whether operators would have a role in maintaining and fulfilling safety functions (e.g., by implementing credited actions to mitigate plant events).
In its most basic form, the SRMF classification reflects a determination that credible human action or inaction at a facility would not be reasonably expected to influence safety outcomes in a significant manner.
As previously described, the classification of a facility as an SRMF is based, in part, upon a design meeting the objectives of safety functions not being allocated to human action, as well as reliance upon robust and highly reliable safety features [2]. As also noted earlier, issues arose in developing specific criteria to address these principles, as we identified that certain traditional conventions for the description of FA and categorization of safety features presented challenges within this new context. As a result, we considered what adaptations of these approaches and conventions were needed. A primary goal in this process was to develop risk-informed and performance-based requirements that could accomplish these objectives while simultaneously affording flexibilities for developers in meeting the SRMF criteria.
3. IMPORTANCE OF FRA/FA IN THE ADVANCED NUCLEAR DOMAIN
In general, FRA and FA are conducted to define the functions necessary to accomplish plant goals and to allocate those functions in a manner that is consistent with the comparative strengths and weaknesses of humans and machines. For a commercial nuclear power plant, the plant goal⁴ of concern from the NRC's perspective is that of radiological safety [4]. While the safety functions necessary to accomplish this goal are design-specific and can vary across reactor technologies (a factor that the human-systems framework of the proposed 10 CFR Part 53 utilizes to achieve a technology-inclusive approach), common examples of high-level safety functions within an FRA include reactivity and power control, heat removal, and radioactive material retention [5]. A technology-inclusive human-system regulatory framework must be able to identify where facility safety is dependent upon human support across a wide variety of reactor technologies. As a means of achieving this, design-specific safety functions are useful because of the shared utility that such safety functions have within both the systems design and HFE aspects of facility development [6].
Within the FRA process, high-level functions are decomposed to identify the systems, components, and actions necessary to perform those functions. Traditionally, FA is then considered to consist of the subsequent assignment of personnel, automation, or combinations thereof to fulfill these identified functions. In so doing, the FA process plays a substantial part in defining the role of personnel [4]. However, in practice, advanced nuclear reactor designs tend to utilize more than just manual operator action and traditional automation to fulfill safety functions. We note that advanced reactor designs tend to make extensive use of both passive safety systems and inherent safety characteristics in conjunction with active, automated systems, all while minimizing (or altogether eliminating) reliance upon credited, manual operator actions. Moreover, recent HFE-related guidance development work has highlighted that a lack of explicitly credited operator actions does not necessarily mean that the human role in the achievement of safety has been eliminated. For example, human actions that have significance for a given design may also exist as outgrowths of diversity and defense in depth analyses for instrumentation and control systems, severe accident mitigation strategies, or safe shutdown fire response [7]. At the same time, a lack of required human actions does not, by itself, alleviate vulnerabilities to errors of commission, as inappropriate human actions (e.g., system misalignments and configuration control issues) have the potential to affect plant systems as well.
4. CONSIDERATION OF SAFETY FEATURE TYPES WITHIN THE FA
Inherent safety characteristics, passive safety features, automated safety systems, and manual human actions work in different ways to support safety, in addition to being subject to differing vulnerabilities, as a result of the following attributes:
- inherent safety characteristics (e.g., a negative moderator temperature coefficient for reactivity) rely upon the intrinsic attributes of a hazard to limit the behavior of that hazard, thus allowing them to limit undesired departures from safe operation [8];
- passive safety features (e.g., a decay heat removal system that relies on natural circulation flow) generally do not rely on external inputs to accomplish their functions and, instead, rely upon factors such as natural effects and stored energy; such features tend to place human beings and automation into secondary (i.e., defense-in-depth) roles. Importantly, certain passive safety features may remain vulnerable to human errors such as incorrect system alignments, or other failure mechanisms [8, 9];
- automated safety systems (e.g., coolant injection pumps actuated by digital logic) rely upon active safety systems and, while able to reduce the potential for human error, typically remain vulnerable to it. Such systems may be dependent upon sources of motive power and can be vulnerable to design deficiencies such as common cause failures, which generally places the operator into a confirmatory, backup role [8];
- manual operator actions (e.g., manually opening a valve in response to an alarm) rely upon human intervention to ensure that safety systems can perform their credited functions and are subject to a range of human errors and limitations [8].
⁴ Although the mission of the NRC is such that the safety goal is the regulatory focus from a human-systems perspective, it should be noted that the application of good HFE principles within a facility can yield other benefits such as improved operational efficiencies and enhanced worker job satisfaction.
In the course of developing SRMF criteria to address the aforementioned principles of safety functions not being allocated to human action and reliance upon robust and highly reliable safety features, we noted two key issues that presented themselves when we attempted to develop clear language that would lend itself to appropriate, consistent interpretation. First, function allocations to passive and automated/active safety systems do not necessarily remove the human from having any role in fulfillment of the associated function.
We noted that, depending upon the specific nature and subtleties of system design, appreciable backup roles on the part of the operator, as well as vulnerabilities to both human errors of omission and/or commission may still exist. Conceptually, this required us to depart from a traditional FA thought process (specifically as it is described within the NUREG-0711, Human Factors Engineering Program Review Model) in which a function is allocated to a choice of agents (be it a machine, human, or combination of both) because the nature of the SRMF is such that all allocations must be made to the machine and qualified in a manner that removes the need for retaining the human in a backup role. In section 5 of this paper, we discuss our approach towards addressing this within the proposed human-systems framework of 10 CFR Part 53.
Secondly, we noted that varying interpretations and inconsistent definitions exist for terms such as inherent and passive within the context of describing nuclear safety systems. This is consistent with past observations by the International Atomic Energy Agency (IAEA), which has noted that, within the context of safety at advanced nuclear plants, both the terms passive and inherent have tended to be used inconsistently [8, 10]. Due to these challenges, we determined that avoidance of the terms inherent and passive when describing system characteristics was necessary to develop a regulatory framework for SRMF classification. The approach that we adopted for addressing this need will be described in section 6 of this paper.
5. ADAPTATION OF FA FOR ASSESSING THE HUMAN ROLE IN SAFETY
As mentioned earlier, in contrast with existing licensing pathways, the proposed 10 CFR Part 53 would explicitly require all applicants for commercial nuclear plants to submit both an FRA and FA [2]. This is intended to provide a clear picture of how advanced nuclear reactors will fulfill design-specific safety functions, while also establishing a basis for related performance-based and technology-inclusive requirements within areas such as staffing, operator licensing, and HFE. Under the proposed framework, the FA approach would be modified to show not only how functions are allocated to either automation or human action but, additionally, would also delineate whether the allocations were made to active safety features, passive safety features, or inherent safety characteristics [2]. While this approach will still identify dependencies on credited human action for the fulfilment of safety functions, insights into whether other functions rely upon active safety features, passive safety features, or inherent safety characteristics will yield a more holistic picture of the human safety role by also capturing where the human has been placed into a role where they must credibly maintain a backup or defense-in-depth function (e.g., by manually actuating active components should automation fail). Separately, the criteria for the proposed, narrower SRMF class of commercial nuclear plant would also utilize this same FA as one input to be used (in conjunction with others) in evaluating whether safety function fulfilment does not rely upon credited human action.
6. ASSESSING INDEPENDENCE FROM HUMAN PERFORMANCE FOR A SRMF
As discussed previously, the classification of a commercial nuclear plant as a SRMF essentially stems from an evaluation of whether credible human action or inaction at the facility would reasonably be expected to significantly influence safety outcomes. Thus, a primary consideration of the evaluation effectively becomes whether the safety performance of the design is reasonably independent from the influence of human performance. We noted that, while features described as passive might tend to indicate an ability to meet this threshold, inconsistency in definitions results in the potential for passive systems that might not meet this standard. For example, passive safety features can involve components such as fail-open valves, DC powered squib valves, and check-valves that, while generally of high reliability, can still possess features such as moving mechanical parts and wiring that can introduce possible failure modes. Potential sources of failures may also stem from human errors of omission (such as failing to implement a procedure step to fire a squib valve) or errors of commission (such as introducing a latent defect into a safety related component during maintenance activities that renders the system unable to fulfil its function).
Classification as a SRMF results, in part, in facility operation being supervised by individuals that are not intended to be credited for the completion of credited human actions (i.e., GLROs) [2]. Besides mitigative actions during events, this also extends to manual, backup actuations of safety systems as well. Thus, the safety features used to respond to plant events at a SRMF need to be of a highly reliable nature and possess a high degree of independence from the influence of human performance. However, we found that ambiguities in the definition and interpretation of terms such as passive and inherent resulted in challenges when we attempted to use them as a means of defining the needed SRMF attributes. In light of this, we elected to focus, instead, on the attributes that were needed to result in the desired human role, in effect reframing the proposed requirement to focus on a performance-based outcome (elimination of the human role) versus the type of system or design characteristic needed to achieve that objective. This led to a determination that, in lieu of the traditional safety terminology, it would be appropriate to instead propose reliance upon safety systems that cannot be rendered unavailable by credible human errors of commission or omission, nor credibly require manual human operation in response to equipment failures [2]. We expect that, within this context, consideration of how various safety features and characteristics provide resilience to failures of human performance will provide a useful framework that can avoid ambiguities associated with relying solely upon terms such as inherent and passive.
The proposed requirement, with its performance-based nature, is expected to give flexibilities to developers who design SRMFs. For example, inherent safety characteristics, such as certain fuel and moderator reactivity coefficients, likely offer a reliable means of providing this high degree of independence from human performance, as they are integral to the reactor design and generally vulnerable only to the effects of analytical uncertainties. Beyond this, robust passive safety features, such as heat transfer to the airspace around a reactor vessel, heat pipes, or immersion of the vessel in a pool of water, tend to also provide high resilience against human performance issues as these mechanisms tend to lack components that must be operated or that could be mispositioned. However, by virtue of the approach that we have described here, the nature of the proposed requirement is sufficiently flexible to not necessarily exclude passive safety features of a less robust nature, or even active features for that matter. Rather, such systems could be evaluated to ensure that they possessed a reasonable degree of resistance against human errors of commission or omission that might credibly occur, while simultaneously not being anticipated to require manual human operation in response to equipment failures.
From a practicality standpoint, the use of safety features of a less robust passive or active nature introduces new possibilities for systems to be rendered unavailable by human errors. For example, a manual isolation valve for an emergency heat exchanger may need to be closed to support outage activities but might potentially not be restored to an open position following the completion of maintenance. For active, automated safety features, a potential concern may be whether the available degree of diversity and redundancy within the system is adequate to render common-cause failure as not credible (which might otherwise necessitate crediting operators for the implementation of backup actuations) [11]. In some instances, concerns may be potentially alleviated via the incorporation of adequate diversity and redundancy into the design. In others, engineered measures that reinforce appropriate human performance may instead be adequate. Such engineered measures may serve to prevent human errors (e.g., interlocks), alert personnel to the occurrence of an error (e.g., misalignment-related alarms), or to enforce the establishment of a safe condition if an error goes unresolved (e.g., an automatic transition of the plant to a safe, stable condition). We note that the use of devices to enforce appropriate human performance in this manner is conceptually similar to the enhanced/augmented administrative controls presently used at fuel cycle facilities [12]. Furthermore, we note that an assessment of whether human errors of commission or omission are credible might also be quantitatively supported by means of Human Reliability Analysis (HRA) methods.
7. CONCLUSIONS
The deployment of advanced reactor technologies warrants a fresh evaluation of the implications of human-system interactions on plant safety performance. To this end, the proposed human-systems framework of 10 CFR Part 53 uses an integrated approach within areas such as HFE, staffing, and operator licensing, with design-specific plant safety functions serving as the foundation for performance-based objectives.
Additionally, the proposed framework would introduce a new class of commercial nuclear plant, the SRMF, to categorize plants where the design results, in part, in operators not having a role in maintaining and fulfilling safety functions. The HFE tools of FRA and FA have a high degree of utility in supporting the analytic needs for implementing such a framework. In developing this framework, we found that the FA methodology should be modified so as to not only show how safety functions are allocated to either automation or human action, but also to describe whether those allocations are made to active safety features, passive safety features, or inherent safety characteristics. Additionally, we found that ambiguities in the definition and interpretation of terms such as passive and inherent resulted in challenges when we attempted to use them as a means of defining certain attributes of the SRMF class of commercial nuclear plant. In response, we instead reframed the proposed requirement to focus on a performance-based outcome (elimination of the human role) versus the type of system or characteristic needed to achieve that objective.
ACKNOWLEDGMENTS
The authors would like to acknowledge the technical contributions of Mr. Jesse Seymour to the formation of this paper, input and reviews of Dr. David Desaulniers, Mr. William Reckley, Ms. Lauren Nist, Ms. Maurin Scheetz, Dr. Niav Hughes Green, Mr. Stephen Fleger, Dr. Stephanie Morrow, and Mr. Ian Jung of the U.S. Nuclear Regulatory Commission, as well as the work of Dr. John O'Hara of the Brookhaven National Laboratory, in the development of material discussed within the paper.
This paper was prepared as an account of work sponsored by an agency of the U.S. Government. Neither the U.S. Government nor any agency thereof, nor any employee, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product, or process disclosed in this publication, or represents that its use by such third party would not infringe privately owned rights.
REFERENCES
- 1. Nuclear Energy Innovation and Modernization Act, Public Law No: 115-439 (available via https://www.congress.gov/bill/115th-congress/senate-bill/512).
- 2. U.S. Nuclear Regulatory Commission (U.S. NRC), Risk-Informed, Technology-Inclusive Regulatory Framework for Advanced Reactors [proposed 10 CFR Part 53 rule], Federal Register, 89 FR 86918-87128, October 31, 2024.
- 3. U.S. NRC, Micro-Reactor Licensing and Deployment Considerations: Fuel Loading and Operational Testing at a Factory (SECY-24-0008), Enclosure 1 pp. 10-11, U.S. NRC, Washington DC, United States (2024) (available via U.S. NRC ADAMS library at ML23207A251).
- 4. U.S. NRC, Human Factors Engineering Program Review Model (NUREG-0711, Revision 3), pp. 23-25, U.S. NRC, Washington DC, United States (2012) (available via U.S. NRC Agencywide Document Access and Management System (ADAMS) library at ML12324A013).
- 5. U.S. NRC, Guidance for a Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light-Water Reactors (Regulatory Guide 1.233, Revision 0), p. 24, U.S. NRC, Washington DC, United States (2020) (available via U.S. NRC ADAMS library at ML20091L698).
- 6. J. Seymour, D. Desaulniers, B. Green, Technology-Inclusive Human-System Considerations for Advanced Reactors (paper no. 84), International Atomic Energy Agency International Conference on Topical Issues in Nuclear Installation Safety, Vienna, Austria, October 18-21, 2022, pp. 3-4 (available via U.S. NRC ADAMS library at ML22136A209).
- 7. J. O'Hara, S. Fleger, D. Desaulniers, B. Green, J. Seymour, & A. D'Agostino, Development of HFE Review Guidance for Advanced Reactors (Report No. F0028-04), pp. 108-111, Brookhaven National Laboratory, Upton NY, United States (2021) (available via U.S. NRC ADAMS library at ML21287A088).
- 8. U.S. NRC, Risk-Informed and Performance-Based Human-System Considerations for Advanced Reactors (staff white paper), pp. 8-10, U.S. NRC, Washington DC, United States (2021) (available via U.S. NRC ADAMS library at ML21069A003).
- 9. Sandia National Laboratory, Human Factors Considerations for Automating Microreactors (Sandia Report SAND2020-5635), p. 10, Sandia National Laboratory, Albuquerque NM, United States (2020) (available via U.S. NRC ADAMS library at ML20175A117).
- 10. International Atomic Energy Agency, Safety Related Terms for Advanced Nuclear Plants (IAEA-TECDOC-626), pp. 7-13, International Atomic Energy Agency, Vienna, Austria (1991) (available via https://www.iaea.org/publications/882/safety-related-terms-for-advanced-nuclear-plants-report-of-a-technical-committee-meeting-vaesteras-sweden-30-may-2-june-1988).
- 11. U.S. NRC, Guidance for Evaluation of Defense in Depth and Diversity to Address Common-Cause Failure Due to Latent Design Defects in Digital Instrumentation and Control Systems (Branch Technical Position 7-19, Revision 9), pp. 9-10, U.S. NRC, Washington DC, United States (2024) (available via U.S. NRC ADAMS library at ML24005A077).
- 12. U.S. NRC, Standard Review Plan for Fuel Cycle Facilities License Applications (NUREG-1520, Revision 2), pp. 3-B-5, 14-1, and 14-2, U.S. NRC, Washington DC, United States (2024) (available via U.S. NRC ADAMS library at ML15176A258).