Confidence Governance for Nuclear Operations

by Nick Clark | Published March 27, 2026

Nuclear facilities represent the highest-stakes environment for autonomous systems. A decision to continue operations when conditions are uncertain can have catastrophic consequences. Current safety systems use binary trip logic: conditions are either within limits or they trigger shutdown. Confidence governance introduces a continuous confidence state computed from multiple inputs, a non-executing mode that pauses autonomous operations when confidence drops below safety thresholds, and hysteretic recovery that requires sustained confidence above a higher threshold before operations resume. Execution becomes a revocable permission rather than a default state. This article positions confidence governance for nuclear operations under the AQ primitive disclosed in provisional 64/049,409, against the regulatory frameworks of the U.S. Nuclear Regulatory Commission, the IAEA, NIST, and the EU AI Act.


1. Regulatory and Compliance Framework

Nuclear operations sit inside the most prescriptive regulatory perimeter of any industrial sector, and the introduction of AI-enabled autonomous management adds a second perimeter that is still being constructed. The first regime is the U.S. Nuclear Regulatory Commission framework. 10 CFR Part 50 Appendix A (General Design Criteria for Nuclear Power Plants) imposes Criterion 21 (protection system reliability and testability, which carries the single-failure criterion), Criterion 22 (protection system independence) and Criterion 24 (separation of protection and control systems), requirements that have historically been satisfied by hard-wired analog instrumentation. 10 CFR 50.55a(h) incorporates IEEE Std 603-1991 ("Standard Criteria for Safety Systems for Nuclear Power Generating Stations") by reference, which governs the qualification of safety systems, digital instrumentation and control included. 10 CFR Part 73 governs physical security and, at 73.54, cybersecurity, with NRC Regulatory Guide 5.71 providing the implementation guidance for cybersecurity programs at nuclear facilities.

Regulatory Guide 1.152 ("Criteria for Use of Computers in Safety Systems of Nuclear Power Plants") is the central regulatory document for digital safety systems and explicitly addresses the lifecycle, qualification, and cybersecurity requirements for digital protection systems. NUREG/CR-6303 ("Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems") and NUREG-0800 (Standard Review Plan) Chapter 7 govern the review of instrumentation and control systems. The NRC's emerging position on AI in nuclear applications, articulated in the 2023 "Artificial Intelligence Strategic Plan" (NUREG-2261, fiscal years 2023 to 2027) and the 2024 "Strategic Plan for Use of Artificial Intelligence", indicates that high-consequence AI applications will require the same defense-in-depth, diversity, and human-oversight properties as traditional digital I&C, and that machine-learning systems must demonstrate predictability and reproducibility under licensing.

The second regime is the IAEA framework. IAEA Safety Standard SSR-2/1 (Safety of Nuclear Power Plants: Design) and SSG-39 (Design of Instrumentation and Control Systems) impose the international floor for protection-system architecture. IAEA TECDOC-1762 addresses computer-based systems important to safety. The IAEA's 2024 work on AI in nuclear applications follows the same architectural pattern as the NRC: AI is permissible in defense-in-depth layers when it does not undermine the qualified protection system, and human oversight must remain structurally enforceable.

The third regime is NIST. NIST SP 800-82 Revision 3 (Guide to Operational Technology Security) governs OT cybersecurity in industrial sectors including nuclear; NIST SP 800-53 controls map into the cybersecurity-program requirements of 10 CFR 73.54. The NIST AI Risk Management Framework (AI RMF 1.0) and the Generative AI Profile provide the federal baseline for AI risk management that NRC guidance increasingly references for AI-in-safety contexts. The fourth regime is the EU AI Act. Annex III point 2 classifies AI systems intended to be used as safety components in the management and operation of critical infrastructure, including the supply of electricity, as high-risk, a scope that plant-management AI at a nuclear generator falls within; the classification triggers the Article 9 risk-management, Article 10 data-governance, Article 13 transparency, Article 14 human-oversight, Article 15 accuracy-and-robustness, and Article 17 quality-management obligations. Article 14 specifically requires that human-oversight measures enable natural persons to intervene in the operation of the system or interrupt it through a stop control or similar procedure. A binary protection architecture offers only one interruption, the trip; it has no interruptible state between normal operations and trip, and that intermediate state is the architectural property at issue here.

ISO/IEC 27001:2022 applies to nuclear-operator information-security management systems, and IEC 61513 (Nuclear power plants — Instrumentation and control important to safety) and IEC 62645 (Nuclear power plants — Instrumentation, control and electrical power systems — Cybersecurity requirements) provide the international technical floor.

2. Architectural Requirement

The architectural shape that satisfies the cumulative regulatory floor between normal automated operations and emergency protection has six properties. First, the system must compute a continuous confidence state from multiple independent inputs: the single-failure criterion of IEEE 603 and the diversity analysis of NUREG/CR-6303 both exist so that no single failure or common-cause input can defeat a protection function, and the same reasoning applied to the confidence layer means that no single sensor, model, or input class may determine the operational posture. Second, the confidence-driven pause must be structurally distinguishable from the qualified protection-system trip, because NRC Regulatory Guide 1.152 and IEEE 603 require the protection system to retain its independence and qualification; a layer that can initiate or inhibit a trip has become part of the protection system and inherits its licensing burden.

Third, the system must produce graduated outcomes (permit, monitor, defer, partially execute, refuse), because EU AI Act Article 14 human-oversight obligations are meaningless in a binary system, and the NRC AI Strategic Plan presupposes graduated authority allocation between AI and human operators. Fourth, recovery from the paused state must require hysteretic re-establishment of confidence above a higher threshold than the pause threshold, sustained rather than momentary, because a system that pauses and resumes at the same threshold chatters whenever confidence hovers near it, and chatter between permitted and paused states is a design hazard that I&C review under SSG-39 and NUREG-0800 Chapter 7 would expect the design basis to address.

Fifth, every confidence-state transition must be recorded as a credentialed observation in an audit-grade lineage chain, because NRC license-condition reporting, IAEA SSR-2/1 documentation, and EU AI Act Article 12 logging obligations all demand reconstructable provenance. Sixth, the system must compose hierarchically across unit, station, and operator-fleet scopes, because operator coalitions, multi-unit sites, and small-modular-reactor fleets each have authority taxonomies that current single-unit architectures flatten. What no current digital I&C product provides is the substrate that ties these six properties together as structural conditions.

3. Why Procedural Compliance Fails

Nuclear safety systems are designed around binary logic: if a measured parameter exceeds a limit, the protection system activates. This approach is essential and will remain the foundation of nuclear safety. But between normal operations and emergency shutdown lies a region of degraded confidence where the autonomous management system is uncertain about conditions but no single parameter has breached a safety limit.

In this region, current systems continue normal operations because no trip condition has been met. Human operators may notice the accumulating anomalies and intervene, or they may not. The ambiguous region between clearly safe and clearly unsafe is where the most dangerous operational decisions are made, because the system is operating with reduced confidence but full authority. The historical accident record — Three Mile Island, Davis-Besse, Forsmark — repeatedly shows that the failure mode is not a missed trip but a continuation of operations through a degraded-confidence window that the architecture provided no first-class state for.

Procedural compensation for this gap takes the form of operator procedures, technical specifications, and limiting conditions for operation. Operators are trained to pause discretionary maneuvers when instrumentation is suspect; technical specifications require entry into limiting conditions when surveillance requirements cannot be met; abnormal-operating procedures cover named degraded-instrumentation scenarios. These procedural overlays are necessary but insufficient: they depend on the operator correctly perceiving the confidence degradation in the first place, and the human-factors literature is unambiguous that mode confusion, automation complacency, and alarm flooding routinely defeat that perception in exactly the conditions where the procedures are needed.

Confidence governance addresses this region by computing a continuous confidence state from multiple inputs: sensor agreement, model prediction accuracy, equipment health indicators, environmental conditions, and historical anomaly patterns. When the composite confidence drops below a safety threshold, the autonomous system enters non-executing mode, pausing discretionary operations without triggering emergency shutdown.

Standard machine-learning governance approaches do not solve this either. Confidence-thresholded inference (refuse when softmax probability is below a threshold) does not produce the architectural property of a non-executing mode that is distinct from a refusal; it produces a per-decision abstention that does not compose into a system-level posture. Anomaly-detection overlays produce alerts that human operators must triage, which restores the human-factors gap procedural compensation was supposed to close. EU AI Act Article 14 human-oversight obligations cannot be satisfied by alerts; they require the ability to interrupt operation, which presupposes a structural state to interrupt to.

4. What the AQ Confidence-Governance Primitive Provides

The Adaptive Query confidence-governance primitive, disclosed under USPTO provisional 64/049,409, specifies a continuous confidence state computed as a weighted aggregation of credentialed observations from sensor inputs, model predictions, equipment-health indicators, environmental signals, and historical anomaly patterns, each within a published authority taxonomy. The confidence state is a first-class architectural variable that the system, the operator, and the regulator can reason about.

Non-executing mode is not a shutdown. It is a governed state in which the autonomous management system continues to monitor, analyze, and recommend but stops executing discretionary operational changes: power-level adjustments, fuel-management operations, maintenance scheduling, and load-following maneuvers are paused. Safety-critical parameters continue to be monitored, and the qualified protection system continues to act on hard limits exactly as it would otherwise; the confidence layer neither initiates nor inhibits a trip. The protection system therefore retains its independence and qualification under IEEE 603 and Regulatory Guide 1.152, and the confidence-governance layer sits architecturally between normal operations and protection, providing the graduated state that the binary architecture does not.

In non-executing mode, the system enters an inquiry posture. It actively investigates the source of confidence degradation: which sensor inputs are anomalous, which model predictions are diverging from observations, which equipment health indicators are declining. This investigation occurs structurally rather than depending on an operator to diagnose the source of the anomaly. Each diagnostic finding is recorded as a credentialed observation that re-enters the chain as evidence for the recovery decision.

The transition to non-executing mode is immediate when confidence drops below the threshold. There is no delay for confirmation and no override for convenience. The threshold is a configuration-controlled design parameter rather than an operator setpoint: there is no runtime path that raises, lowers, or suspends it, and changing it is a design change under the plant's change-control process, not an operational decision. That is what makes the pause robust to operational pressure to hold power output or meet production schedules. This is the EU AI Act Article 14 human-oversight property in its strongest form: the human can resume, but the system can pause, and the pause is not subject to commercial override.

A system that pauses at a confidence threshold and resumes at the same threshold will oscillate when confidence fluctuates near the boundary. Hysteretic recovery addresses this by requiring confidence to recover to a higher threshold before operations resume. If the pause threshold is set at a specific confidence level, the resume threshold is set meaningfully higher. The system must demonstrate sustained confidence recovery before resuming autonomous operations. This asymmetry is deliberate. Entering non-executing mode should be easy: any confidence degradation below the threshold triggers the pause. Resuming operations should be harder: the system must not only resolve the condition that caused the confidence drop but demonstrate that confidence has been restored with margin.

The rate of confidence change is also monitored. A rapid confidence decline triggers earlier intervention than a gradual decline, even if both are approaching the same threshold. The differential alarm detects situations where confidence is falling fast enough that waiting for the threshold breach may not leave sufficient margin for safe transition. The primitive is technology-neutral with respect to the underlying inference and signal-processing techniques and composes hierarchically across unit, station, and fleet scopes.
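As an added example, not code from the article or from the AQ provisional, the following Python sketch implements the state machine this section describes: a weighted aggregate over observations from a small assumed input taxonomy, a pause threshold, a higher resume threshold that must be held for a sustained number of consecutive samples, a rate-of-decline alarm that pauses before the threshold is reached, a diversity check that pauses when too few input classes are present, operator-only resume with no bypass, and a hash-chained ledger of every transition. The thresholds, source-class names, action names and the `demo()` sequence are illustrative assumptions.

```python
"""Confidence-governance state machine (added example). Thresholds, input-class
names, action names and the demo() scenario are assumptions, not the article's."""
import hashlib
import json
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    EXECUTING = "executing"          # discretionary actions permitted
    NON_EXECUTING = "non_executing"  # monitor, analyze, recommend only


@dataclass(frozen=True)
class Observation:
    source_class: str   # assumed taxonomy: sensor, model, equipment_health, environment, anomaly_history
    source_id: str
    confidence: float   # 0.0 .. 1.0
    weight: float = 1.0


DISCRETIONARY = {"power_adjust", "fuel_move", "maintenance_schedule", "load_follow"}
ALWAYS_PERMITTED = {"monitor", "analyze", "recommend"}


class ConfidenceGovernor:
    def __init__(self, pause_at=0.60, resume_at=0.75, sustain_samples=2,
                 max_drop_per_step=0.15, min_source_classes=2):
        if resume_at <= pause_at:
            raise ValueError("hysteresis requires resume_at > pause_at")
        self.pause_at, self.resume_at = pause_at, resume_at
        self.sustain_samples = sustain_samples
        self.max_drop_per_step = max_drop_per_step
        self.min_source_classes = min_source_classes
        self.mode = Mode.EXECUTING
        self.last_composite = None
        self.recovery_streak = 0
        self.ledger = []            # append-only, hash-chained transition records
        self._prev_hash = "0" * 64

    def _record(self, event, **fields):
        entry = {"seq": len(self.ledger), "event": event, "prev": self._prev_hash, **fields}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.ledger.append(entry)
        self._prev_hash = entry["hash"]
        return entry

    @staticmethod
    def aggregate(observations):
        """Weighted mean of per-source confidence; out-of-range inputs are rejected, not clamped."""
        if not observations:
            return 0.0
        for o in observations:
            if not 0.0 <= o.confidence <= 1.0 or o.weight <= 0:
                raise ValueError(f"invalid observation {o}")
        return sum(o.confidence * o.weight for o in observations) / sum(o.weight for o in observations)

    def step(self, observations):
        """Ingest one round of observations; returns (composite, mode, pause_reasons)."""
        composite = self.aggregate(observations)
        reasons = []
        if len({o.source_class for o in observations}) < self.min_source_classes:
            reasons.append("insufficient_input_diversity")   # no single input class decides posture
        if composite < self.pause_at:
            reasons.append("below_pause_threshold")
        if self.last_composite is not None and self.last_composite - composite > self.max_drop_per_step:
            reasons.append("rate_of_decline")               # early intervention, even above pause_at
        if self.mode is Mode.EXECUTING and reasons:
            self.mode, self.recovery_streak = Mode.NON_EXECUTING, 0
            self._record("pause", composite=round(composite, 4), reasons=reasons,
                         degraded=[o.source_id for o in observations if o.confidence < self.pause_at])
        elif self.mode is Mode.NON_EXECUTING:
            # recovery counts only consecutive clean samples at or above the HIGHER threshold
            recovered = composite >= self.resume_at and not reasons
            self.recovery_streak = self.recovery_streak + 1 if recovered else 0
        self.last_composite = composite
        return composite, self.mode, reasons

    def operator_resume(self, operator_id):
        """Only a human resumes, and only after sustained recovery; there is no bypass path."""
        if self.mode is Mode.EXECUTING:
            return False
        if self.recovery_streak < self.sustain_samples:
            self._record("resume_denied", operator=operator_id, streak=self.recovery_streak)
            return False
        self.mode = Mode.EXECUTING
        self._record("resume", operator=operator_id, streak=self.recovery_streak,
                     composite=round(self.last_composite, 4))
        return True

    def authorize(self, action):
        """Execution is a revocable permission: discretionary actions need EXECUTING mode."""
        if action in ALWAYS_PERMITTED:
            return True
        return action in DISCRETIONARY and self.mode is Mode.EXECUTING   # unknown actions denied

    def verify_ledger(self):
        """Recompute the hash chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.ledger:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo():
    """Constructed scenario: rate pause, denied then granted resume, threshold pause, hysteresis hold."""
    g = ConfidenceGovernor()

    def obs(sensor, model, health):
        return [Observation("sensor", "rcs-press-1", sensor, weight=2.0),
                Observation("model", "thermal-1", model),
                Observation("equipment_health", "rcp-2", health)]

    trace = [g.step(obs(0.90, 0.90, 0.90))[1]]       # composite 0.90, EXECUTING
    trace.append(g.step(obs(0.90, 0.50, 0.50))[1])   # 0.70 is above pause_at, but the 0.20 drop pauses
    g.step(obs(0.80, 0.80, 0.80))                     # >= resume_at: streak 1
    trace.append(g.operator_resume("op-1"))           # denied, streak < sustain_samples
    g.step(obs(0.85, 0.85, 0.85))                     # streak 2
    trace.append(g.operator_resume("op-1"))           # granted
    trace.append(g.step(obs(0.72, 0.72, 0.72))[1])   # drop 0.13 < 0.15: stays EXECUTING
    trace.append(g.step(obs(0.65, 0.50, 0.55))[1])   # 0.5875 < pause_at: threshold pause
    g.step(obs(0.70, 0.70, 0.70))                     # above pause_at but below resume_at
    trace.append(g.operator_resume("op-1"))           # denied: hysteresis holds
    return trace, g


if __name__ == "__main__":
    trace, gov = demo()
    print(trace, "ledger intact:", gov.verify_ledger())
```

Two design points are worth noting. `operator_resume` has no code path that returns the system to `EXECUTING` without `recovery_streak` reaching `sustain_samples`, which is the "no override for convenience" property expressed structurally rather than procedurally; and the hash chain makes an edited or deleted ledger entry detectable in `verify_ledger`, but detectability is not tamper-resistance, so a deployed ledger would also be mirrored to signed or write-once storage outside the governor's own trust domain.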

5. Compliance Mapping

Against 10 CFR Part 50 Appendix A and IEEE Std 603, the confidence-governance layer is architecturally separate from the qualified protection system and does not undermine its independence, single-failure tolerance, or qualification. The protection system retains its trip authority; the confidence-governance layer adds a graduated state above protection rather than replacing it. Against NRC Regulatory Guide 1.152, the confidence-state computation, threshold logic, and lineage record are auditable functions with reproducible behavior. Whether the layer is licensed as safety-related or as a non-safety system, IEEE 603 independence requires that its failure or compromise cannot propagate into the protection system, which in practice argues for one-way data flow out of the protection system and no control path back into it.

Against NUREG/CR-6303 diversity-and-defense-in-depth analysis, the multi-input confidence computation is itself a diversity-providing layer between normal operations and protection, with credentialed observations from heterogeneous sensor classes, prediction models, and equipment-health subsystems. Against the NRC AI Strategic Plan, the architecture provides the predictability, reproducibility, and human-oversight properties the Plan specifies as preconditions for AI deployment in safety-relevant contexts.

Against IAEA SSR-2/1 and SSG-39, the confidence-governance layer is a defense-in-depth element with documented design basis, qualification, and surveillance. Against IEC 61513 and IEC 62645, the substrate provides the credentialed-observation chain that satisfies cybersecurity-relevant logging and integrity requirements.

Against the EU AI Act Annex III point 2 critical-infrastructure high-risk classification, the architecture provides the Article 9 risk-management documentation (the confidence-state design basis), the Article 10 data-governance trail (the credentialed-observation lineage), the Article 13 transparency property (the confidence state is exposed and explainable), the Article 14 human-oversight property (the operator can resume but cannot suppress the pause), the Article 15 accuracy-and-robustness property (the multi-input aggregation and hysteresis are robustness measures), and the Article 17 quality-management trail (the lineage chain).

Against NIST SP 800-82 Rev. 3 and SP 800-53, the architecture provides the OT-relevant logging, integrity, and access-control evidence in a credentialed structural form rather than as procedural overlay. Against ISO/IEC 27001:2022, the lineage chain supports the Annex A logging and monitoring controls (A.8.15 and A.8.16).

The confidence computation is auditable. Regulators can examine the inputs, weights, and thresholds that govern the confidence state. The transition to non-executing mode is logged with the confidence state and the specific inputs that drove the degradation. Recovery is logged with the evidence that supported resumption and the identity of the operator who authorized it. The log is only evidence if it is itself protected: the lineage chain should be append-only and integrity-protected (hash-chained, signed, or written to storage the governed system cannot modify), so that an edited or removed transition is detectable on review. With that in place, the entire confidence-governance lifecycle is available for regulatory review.

6. Adoption Pathway

For nuclear operators, confidence governance provides a governance layer between normal automated operations and emergency protection systems. It addresses the operational region where conditions are degraded but not yet dangerous, the region where human operators have historically made errors by continuing to operate with insufficient confidence. The deployment is a defense-in-depth addition rather than a protection-system change, which materially simplifies the licensing pathway: 10 CFR 50.59 evaluation, NRC topical-report submission, and inspection under the existing reactor oversight process.

For the nuclear industry moving toward greater automation of plant management — small modular reactors with reduced staffing, advanced reactors with longer fuel cycles, fleet operations centers, and load-following operations under deepening renewable penetration — confidence governance provides the structural safety primitive that ensures automation enhances safety rather than introducing new risk. The autonomous system operates with full authority only when its confidence is high. When confidence degrades, authority is revoked and must be re-earned through demonstrated recovery.

The adoption pathway is staged. First, deploy the confidence-governance substrate as a non-safety advisory layer producing graduated-outcome recommendations to the operator and to the existing automation, with the recommendations logged in a credentialed lineage chain that supports regulatory review. Second, integrate the substrate with discretionary-control loops (load-following, condensate-polishing, secondary-side optimization) under a license-amendment or 50.59 evaluation that authorizes the non-executing-mode pause as a structural property of those loops. Third, extend the substrate to advanced-reactor and SMR fleet-operations contexts where reduced staffing and load-following requirements make graduated authority allocation a licensing precondition rather than a feature.

Each stage produces compliance-relevant evidence — NRC inspection findings, INPO peer-review observations, IAEA OSART mission outputs, EU AI Act conformity-assessment artifacts — that supports the next. The endpoint is a nuclear automation architecture in which the qualified protection system retains its trip authority, the operator retains the resume authority, and the substrate provides the graduated state between them that satisfies NRC, IAEA, NIST, and EU AI Act obligations simultaneously because the architectural floor was raised by the substrate rather than papered over by procedure.

Invented by Nick Clark. Founding investors: Anonymous, Devin Wilkie.