Nuclear Facility Operational Governance

by Nick Clark | Published March 27, 2026

Nuclear facility safety depends on a defense-in-depth approach in which multiple barriers prevent accidents. The outermost barrier, operational governance, depends on human compliance with procedures and on regulatory oversight. Cryptographic governance adds a structural layer: operational constraints are cryptographically bound to the operator-discretionary control actions they govern, so that a procedure violation on those paths is refused by the architecture itself, regardless of operator error, time pressure, or intent, rather than caught or missed by a human or a software check. Safety-actuation paths remain under deterministic protection logic that the binding does not override. This article positions nuclear operational governance under the AQ cryptographic-governance primitive disclosed under provisional 64/049,409.


1. Regulatory Framework

Nuclear facility operations in the United States are governed by Title 10 of the Code of Federal Regulations under the Nuclear Regulatory Commission, with cross-cutting overlays from the Department of Energy for defense-related and certain research facilities. 10 CFR Part 50 establishes the licensing framework for power reactors, and the technical specifications required by 10 CFR 50.36 render every operational limit, surveillance requirement, and required action as a binding license condition. 10 CFR Part 26 governs fitness-for-duty, including fatigue management for operating crews. 10 CFR Part 73 establishes the physical security and cybersecurity rule, with the cybersecurity rule under 73.54 imposing baseline controls on every digital asset within the scope of safety, security, and emergency preparedness functions.

Internationally, the IAEA Safety Standards series — particularly SSR-2/1 on the safety of nuclear power plants and SSG-39 on design of instrumentation and control systems — defines the harmonized expectations adopted in varying degrees by national regulators. The Western European Nuclear Regulators Association reference levels, the Canadian CNSC REGDOC series, the UK Office for Nuclear Regulation Safety Assessment Principles, and the recently revised French ASN guidance on digital I&C all converge on a small number of structural commitments: defense-in-depth, single-failure tolerance, separation between safety and non-safety classes, and demonstrable independence of protection layers.

The cybersecurity overlay has accelerated. NRC Regulatory Guide 5.71 and NEI 08-09 establish the cybersecurity programmatic baseline for the U.S. fleet. The IAEA Nuclear Security Series 17-T (Rev. 1) on computer security techniques for nuclear facilities, the NIST SP 800-82 industrial control systems guidance, and the IEC 62645 and IEC 63096 series on nuclear power plant cybersecurity each embed the same expectation: protective controls must be demonstrably bound to the assets they protect, with assurance that grows in proportion to the consequence of compromise. Recent activity on supply-chain integrity — Executive Order 14028 in the United States, the EU NIS2 Directive, whose essential-entity scope covers electricity producers and therefore nuclear generators, and the EU Cyber Resilience Act (Regulation (EU) 2024/2847) — extends the binding obligation to the integrity of the firmware and software that implements the controls.

Across this framework, the regulator's question is consistent: not "did the operator follow the procedure," but "can the licensee demonstrate that the safety function will be performed when required." The trajectory of enforcement is toward structural demonstration — evidence produced by the architecture itself — rather than procedural attestation reconstructed from logs. Cryptographically bound operational governance is the architectural shape that satisfies that trajectory.

2. Architectural Requirement

The architectural requirement that flows from the regulatory framework has four components. First, the operational governance policy — technical specification limits, surveillance intervals, required actions, and configuration-controlled procedures — must be bound to the control system in a form that cannot be modified without quorum authorization from the licensee's governing authority. Second, every control action must pass through a governance gate that evaluates the action against the bound policy and produces a credentialed admissibility outcome. Third, the entire decision history must be recorded as tamper-evident lineage that supports forensic reconstruction by the licensee and structural verification by the regulator. Fourth, the governance must compose across the safety-class boundary: safety-related, important-to-safety, and balance-of-plant systems each operate under different policy domains, but the lineage must compose into a single defensible record for the facility.

Single-failure tolerance and independence apply to the governance substrate itself. When the quorum infrastructure is partitioned, the gate must fail closed for discretionary actions while safety functions continue to perform: a gate that fails open under partition defeats the defense-in-depth premise, and a gate whose closure can block a safety actuation becomes a single point of failure. The substrate must therefore distinguish, at the architectural level, between safety-actuation paths (which must always perform when their physical preconditions are met) and operator-discretionary paths (which must require credentialed authorization). The cryptographic binding applies to the discretionary class; the safety-actuation class operates under physically deterministic logic that the binding cannot override.

A further requirement is policy auditability over operational life. Reactor operating licenses extend across decades, technical specifications are amended through formal license amendment processes, and the governance substrate must produce a record showing exactly which version of the policy was bound to which action at which moment, with credentialed proof of the amendment authority. This record is the structural answer to a regulator's reconstruction question and to a court's evidentiary question following an incident.

3. Why Procedural Approaches Fail

The current approach to operational governance is procedural in the deep sense: the policy lives in approved procedures and technical specifications, the binding to control actions is performed by trained operators following those procedures, and the verification is performed by supervisors, quality assurance, and periodic inspection. Software interlocks and engineered safety features cover specific anticipated scenarios. Defense-in-depth assumes that residual procedural failure is contained by the engineered and physical layers.

The historical record demonstrates the mode of failure. Three Mile Island was a procedural-governance failure compounded by ambiguous indications and an inadequate procedure for the actual condition. Chernobyl was a procedural-governance failure in which the procedure being executed was itself unauthorized for the operating regime. Fukushima was a procedural-governance failure in the broader sense: the governance that should have required design beyond the historical tsunami envelope was not bound to the design authorization. In each case the engineered layers performed largely as designed; the governance layer did not.

Software interlocks address the failure mode partially. Each interlock prevents a specific anticipated unsafe action — withdrawal of control rods beyond a defined limit, reactor coolant pump trip under specified conditions, inadvertent dilution under shutdown conditions — and each interlock is effective for the scenario it was designed against. Two structural limitations remain. Interlocks protect against anticipated scenarios; unanticipated procedure violations are not prevented. Interlocks are bypassable through authorized maintenance procedures, and the governance of when bypass is appropriate is itself procedural.

The cybersecurity overlay reveals a second failure mode. Programmatic protections depend on the integrity of the software that implements them, which depends on the integrity of the supply chain that produced the software, which depends on the integrity of the personnel and processes that maintain the supply chain. RG 5.71 addresses this through programmatic controls — defensive architecture, security controls, and cyber assessment — but the controls themselves are programmatic. A regulator asking "is the operational policy bound to the control action in a way that cannot be modified without quorum authority" cannot be answered structurally by a programmatic control regime; it can only be answered procedurally.

The interlock approach is also additive. Each new operating-experience lesson produces a new interlock for the specific scenario learned from. Over operational life this produces an interlock thicket that itself becomes a source of operational risk: spurious actuations, inadvertent bypass, configuration drift across units, and increasing cognitive load on operators expected to understand the cumulative protective state. The procedural regime treats each addition as a discrete control; the regime as a whole becomes harder to verify with each addition.

Procedural augmentation can narrow the residual risk. It cannot close it, because the binding between policy and action remains a procedural binding implemented by humans and by software whose authority is itself procedurally controlled.

4. The AQ Cryptographic-Governance Primitive

The Adaptive Query cryptographic-governance primitive disclosed under USPTO provisional 64/049,409 specifies that operational policy be bound to control system actions through a closed five-property governance chain in which the binding itself is a structural property of the architecture rather than a feature of any particular software component. The policy is not configuration, and the binding is not a programmatic check. The policy is a credentialed observation signed by a quorum within the licensee's published governance taxonomy, and the binding is enforced by a governance gate that admits actions only when the credentialed policy weighting satisfies composite admissibility.

Property one — authority-credentialed observation — requires that every input affecting an admissibility decision arrive as an observation signed by an authority within a published taxonomy. Operational limits, surveillance requirements, required actions, and configuration-controlled procedures each enter the substrate as credentialed observations from the responsible authority within the licensee's organization, with cross-credentialing from the regulator where the regulator's authority is the governing source.

Property two — evidential weighting — composes authority class, credential continuity, corroborating observations from independent indication, governing policy, and operational context into a structured admissibility contribution.

Property three — composite admissibility — produces a graduated outcome from a defined mode set: admit, admit with constraint, defer pending corroboration, refuse, or partial execution.

Property four — governed actuation — produces the resulting commitment with reversibility evaluation where reversal is meaningful and post-actuation verification recorded.

Property five — lineage-recorded provenance — records every observation, weighting, decision, and actuation as a credentialed record that supports forensic reconstruction.

Recursive closure is load-bearing. The actuation-state observation produced when an action is admitted re-enters the chain as input to subsequent decisions; the lineage record is itself a credentialed observation that downstream consumers — supervisors, regulators, the technical specifications surveillance regime — can admit, weight, and respond to. This closure converts the operational governance record from an external audit artifact into a structural property of the substrate.

A licensee operator who attempts an action outside the operational envelope encounters the governance gate's evaluation, not a software check. The action is refused structurally because the credentialed policy does not admit it under the current operational context. There is no maintenance-mode override, because the gate is not a software feature whose mode can be set. A modification of the bound policy — for example, a temporary technical specification through the licensee's amendment process — requires quorum credentialing from the governing authority, and the modification itself enters the lineage as a credentialed event with full provenance: who proposed the change, what justification was credentialed, who authorized the quorum, and when the credentialed transition took effect.

The primitive is technology-neutral. Any signature scheme that supports the published taxonomy is admissible; any quorum protocol is admissible; any storage that preserves the lineage is admissible. The primitive composes hierarchically — unit, station, fleet, regulator — so a multi-unit site or a multi-site fleet operator scales by adding levels of the same chain rather than re-architecting. The inventive step is the closed five-property chain applied to operational governance of safety-significant systems, with the binding between policy and action elevated from procedural to structural.
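The following is an added illustration of the five-property chain and of the fail-closed requirement from section 2; it is not code from the article or from the AQ disclosure, and nothing in it should be read as the primitive's actual implementation. It is a toy governance gate in Python: a policy is bound only when a quorum of authorities has signed the identical payload; a discretionary action is evaluated into one of the graduated outcomes (admit, admit-with-constraint, defer, refuse); every amendment attempt, decision, and actuation is appended to a hash-chained lineage; and the actuation-state record re-enters the next decision, which is the recursive closure the text calls load-bearing. HMAC-SHA256 over per-authority secrets stands in for whatever signature scheme the taxonomy would actually use, and the authority names, quorum, rod-withdrawal limit, and mode names are hypothetical.

```python
import hashlib
import hmac
import json
# Hypothetical authority taxonomy; per-authority HMAC secrets stand in for signing keys.
AUTHORITY_KEYS = {"licensee.ops-manager": b"ops-secret", "licensee.qa": b"qa-secret", "regulator": b"reg-secret"}
AMEND_QUORUM = {"licensee.ops-manager", "licensee.qa"}   # a policy change needs both signatures
GENESIS = "0" * 64                                       # "previous hash" of the first lineage record

def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(authority: str, payload: dict) -> str:
    return hmac.new(AUTHORITY_KEYS[authority], canonical(payload), hashlib.sha256).hexdigest()

def observe(authority: str, payload: dict) -> dict:
    """Property 1: every input is an observation signed by an authority in the taxonomy."""
    return {"authority": authority, "payload": payload, "sig": sign(authority, payload)}

def verified(obs: dict) -> bool:
    return obs["authority"] in AUTHORITY_KEYS and hmac.compare_digest(sign(obs["authority"], obs["payload"]), obs["sig"])

class Lineage:
    """Property 5: hash-chained records; editing any record invalidates every later hash."""
    def __init__(self):
        self.records = []

    def append(self, kind: str, body: dict) -> dict:
        rec = {"seq": len(self.records), "kind": kind, "body": body,
               "prev": self.records[-1]["hash"] if self.records else GENESIS}
        rec["hash"] = hashlib.sha256(canonical(rec)).hexdigest()
        self.records.append(rec)
        return rec

    def intact(self) -> bool:
        prev = GENESIS
        for rec in self.records:
            if rec["prev"] != prev or hashlib.sha256(canonical({k: v for k, v in rec.items() if k != "hash"})).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

class GovernanceGate:
    def __init__(self):
        self.lineage = Lineage()
        self.policy = None      # bound only by a quorum-signed amendment, never by configuration
        self.last_state = {}    # actuation-state observation that re-enters later decisions

    def amend_policy(self, signed: list) -> bool:
        signers = {o["authority"] for o in signed}
        accepted = bool(signed) and all(verified(o) for o in signed) and len({canonical(o["payload"]) for o in signed}) == 1 and AMEND_QUORUM <= signers
        self.lineage.append("policy-amendment", {"accepted": accepted, "signers": sorted(signers),
                                                 "payload": signed[0]["payload"] if signed else None})
        if accepted:
            self.policy = signed[0]["payload"]
        return accepted

    def evaluate(self, action: dict, context: dict, quorum_reachable: bool = True) -> str:
        """Properties 2-3: credential, corroboration, policy and prior state weighed into one graduated outcome."""
        p, a = self.policy, action["payload"]
        if not verified(action):
            outcome = "refuse"                   # unsigned or forged request
        elif p is None or not quorum_reachable:
            outcome = "defer"                    # discretionary path fails closed under partition
        elif a["mode"] not in p["modes_allowed"] or a["value"] > p["max"]:
            outcome = "refuse"                   # outside the bound technical-specification limit
        elif not context.get("independent_indication"):
            outcome = "defer"                    # no corroborating independent indication yet
        elif a["value"] > p["soft_max"] or self.last_state.get("alarm"):
            outcome = "admit-with-constraint"    # prior actuation state re-enters: recursive closure
        else:
            outcome = "admit"
        self.lineage.append("decision", {"action": action, "context": context, "policy_version": p and p["version"], "outcome": outcome})
        return outcome

    def actuate(self, action: dict, outcome: str, post_check: dict) -> dict:
        """Property 4: commit an admitted action; post-actuation verification becomes the new state."""
        if not outcome.startswith("admit"):
            raise PermissionError("action was not admitted")
        self.last_state = {**action["payload"], **post_check}
        return self.lineage.append("actuation", self.last_state)

def demo() -> dict:
    gate = GovernanceGate()
    limit = {"version": 3, "parameter": "rod-withdrawal-steps", "max": 100, "soft_max": 90, "modes_allowed": ["MODE1", "MODE2"]}
    r = {"solo_amend": gate.amend_policy([observe("licensee.ops-manager", limit)]),
         "quorum_amend": gate.amend_policy([observe(a, limit) for a in sorted(AMEND_QUORUM)])}
    act = observe("licensee.ops-manager", {"parameter": "rod-withdrawal-steps", "value": 80, "mode": "MODE1"})
    ctx = {"independent_indication": True}
    r["partition"] = gate.evaluate(act, ctx, quorum_reachable=False)
    r["uncorroborated"] = gate.evaluate(act, {})
    r["admit"] = gate.evaluate(act, ctx)
    gate.actuate(act, r["admit"], {"alarm": True})          # post-actuation check raises an alarm
    r["after_alarm"] = gate.evaluate(act, ctx)
    r["over_limit"] = gate.evaluate(observe("licensee.ops-manager", dict(act["payload"], value=120)), ctx)
    r["forged"] = gate.evaluate(dict(act, sig="00"), ctx)
    r["intact"] = gate.lineage.intact()
    gate.lineage.records[2]["body"]["outcome"] = "admit"     # tamper with the recorded partition decision
    r["intact_after_tamper"] = gate.lineage.intact()
    return r
```

Two points the toy makes explicit. Nothing in `GovernanceGate` is ever called for a safety actuation; a reactor trip driven by physical preconditions is not an input to `evaluate`, which is how the safety-actuation class stays outside the binding while the discretionary class fails closed (`defer`) when the quorum is unreachable. And the stand-in HMAC means any party holding the verification material can also forge; a real taxonomy would use asymmetric signatures so that verifiers hold only public keys, with the signing keys held by the credentialed authorities.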

5. Compliance Mapping

The mapping from the primitive to the regulatory framework is direct. Technical specification limits — operating limits, limiting conditions for operation, surveillance requirements, required actions — are credentialed observations within the licensee's governance taxonomy, with the regulator credentialed as the authority for the underlying license condition. Every control action at the discretionary class passes through the governance gate, and the gate's composite admissibility evaluates the action against the bound technical specification. Operability determinations and required-action timing become structural events within the substrate rather than procedural reconstructions from logs.

10 CFR Part 50 Appendix B quality-assurance criteria — design control, document control, control of measuring and test equipment, corrective action — map onto the substrate's lineage and credentialing properties. Configuration management under 10 CFR 50.59 and the 50.59 evaluation regime become credentialed lineage events: the change is proposed by a credentialed authority, evaluated against the licensing basis through credentialed observations, authorized by the appropriate quorum, and bound to the affected control actions. The 50.59 record is no longer a paper artifact; it is a structural property of the substrate.

10 CFR 73.54 cybersecurity controls and the RG 5.71 programmatic baseline map onto the substrate's authority-credentialed and lineage properties. The "demonstrably bound" expectation that the regulatory trajectory is moving toward is satisfied structurally: the policy is bound to the action through the chain, not through a programmatic check. Defensive architecture under RG 5.71 — the deterministic data-flow boundaries between security levels — is preserved, with the substrate adding credentialed governance to the actions that cross the levels.

IAEA SSR-2/1 defense-in-depth and SSG-39 instrumentation and control expectations are reinforced rather than displaced. The substrate is not a substitute for engineered safety features and physical containment; it is a structural reinforcement of the operational-governance layer that defense-in-depth places outermost. The substrate's safety-class composition allows safety-actuation paths to operate under physically deterministic logic while operator-discretionary paths operate under credentialed governance, preserving the independence and single-failure-tolerance properties the standards require.

EU NIS2 essential-entity obligations, the Cyber Resilience Act's supply-chain integrity expectations, and Executive Order 14028 software-bill-of-materials and attestation expectations each map onto the substrate's credentialed-authority property. The provenance of the policy and the provenance of the implementation are themselves credentialed observations, admissible under the chain, traceable to their originating authority.

6. Adoption Pathway

Adoption in nuclear facilities is necessarily conservative and proceeds through staged introduction with regulator engagement at each stage. The first stage is parallel lineage: the substrate observes control actions through credentialed taps without intervening, producing structural lineage that runs alongside existing logging. This stage validates the authority taxonomy, the credentialing and quorum infrastructure, and the lineage recording without changing any actuation behavior. It produces immediate evidentiary value for technical specification surveillance, 50.59 evaluations, and corrective action.

The second stage introduces composite admissibility at the discretionary boundaries that carry the highest operational-governance exposure: surveillance test alignments, mode change authorizations, configuration-controlled procedure executions, and cybersecurity-significant maintenance evolutions. At these boundaries the substrate evaluates the credentialed policy and produces graduated outcomes. Safety-actuation paths remain unchanged. Each stage-two boundary is introduced under the licensee's change process, with the regulatory engagement appropriate to the licensing basis impact.

The third stage extends credentialed governance throughout the operator-discretionary class, with the substrate as the architectural binding between operational policy and control action across the facility. The procedural regime does not disappear; procedures continue to exist as the human-readable expression of the credentialed policy, with the binding between procedure and action elevated from human compliance to structural admissibility. Quality assurance, training, and operating-experience programs continue to operate, now consuming credentialed lineage as their primary evidentiary input.

Commercial fit aligns with operator scale and regulatory exposure: the U.S. operating fleet, the developing small modular reactor cohort, the international new-build programs in jurisdictions adopting the IAEA standards as binding, and the defense and research reactor programs operating under DOE or military-equivalent oversight. Substrate licensing is per-credentialed-authority and per-actuation-class, aligned with how regulated operators actually consume governance. The substrate does not replace the licensee's instrumentation and control architecture; it gives that architecture the structural binding between policy and action that procedural regimes cannot produce and that converging regulatory expectations increasingly demand.

Honest framing closes the analysis. Cryptographic governance does not eliminate human operators, procedures, supervisors, or regulators. It elevates the binding between the operational policy those actors author and the control system actions that policy governs from procedural to structural, so that the question "was the action governed by the authorized policy at the moment it was taken" is answered by the architecture rather than reconstructed from logs and testimony after the fact.
