SSG-51 Human Factors Engineering in the Design of Nuclear Power Plants

The HFE processes to be applied in the design of human–machine interface (HMI) for all plant states, for achieving compliance with the requirements established in SSR-2/1 (Rev. 1) [1];

Integration of HFE into the design of a nuclear power plant throughout its lifetime for achieving compliance with the requirements established in GSR Part 2 [4];

Human performance monitoring and evaluation throughout the lifetime of the nuclear power plant;

Integration of HFE into safety processes, applications and product selection.

Development and review of the safety analysis report;

Plant modifications for achieving compliance with the requirements established in SSR-2/2 (Rev. 1) [2];

Periodic safety review.

Personal protective equipment (e.g. personal protective equipment used during maintenance activities, inspections, accident monitoring and operation of equipment for the mitigation of severe accidents);

Commercial off the shelf products;

Mobile devices (e.g. hand-held, portable and wearable devices).

Human factors (e.g. knowledge and expertise, cognition, performance expectations, motivation, stress, strength and body size);

Technical factors (e.g. technology, including controls and displays, software, hardware, tools, equipment, plant design and plant processes);

Organizational factors (e.g. management system, organizational structure, governance, resources, staffing levels, and the roles and responsibilities of managers and other plant personnel).

Programme management;

Analysis;

Design;

Verification and validation;

Implementation of the design;

Human performance monitoring.

HFE programme management should identify a systematic, integrated HFE process, should outline responsibilities for HFE and should present expected design inputs and outputs for the HFE process.

HFE programme management should establish a capable organizational unit with responsibility for human factors and with sufficient authority, at all hierarchical levels, to effect the necessary design changes to meet HFE expectations.

HFE programme management should identify the most recent HFE relevant codes, standards, methodologies and guidelines applicable to the engineering project.

HFE analyses should identify relevant operating experience (both positive and negative), with a focus on human performance issues and potential human errors and their mitigation.

HFE analyses should provide inputs (such as operator needs and requirements) useful for defining and selecting relevant design choices.

HFE analyses should be used to identify the organizational structure that frames the use of the HFE programme (i.e. the identification of users, their roles and responsibilities, required qualifications and regulatory requirements) and supports operation and maintenance.

HFE analyses should provide a preliminary understanding of the allocation of functions and the human information requirements for monitoring and controlling, where applicable, the functions of systems in the plant.

HFE analyses should provide insights and consideration of how operators are expected to respond in the presence of control system failures and HMI failures.

Results of the function analysis that identify the functional requirements for structures, systems and components.

Results of task analyses that provide insight into:

• What kind of alarms, information, procedures, controls and system feedback are necessary;

• The possible sequence of tasks;

• Potential human errors and considerations that impact human performance and provide error reducing and performance enhancing design features;

• Safety significant, complex tasks that warrant detailed technical and HFE analyses;

• Time constraints for significant tasks;

• Specific knowledge, skills and abilities needed by personnel in order to perform their assigned task(s) and meet operational objectives;

• Collaboration and coordination between individuals or groups that are necessary to support the task.

Specific HFE design principles and HMI design guidelines for developing technical specifications for vendors and for incorporating them into HFE specifications for vendors.

Updates to HFE requirements owing to design evolution or changes in standards;

Specific HFE design principles and HMI design guidelines for the specification of plant and workspace design and layout, and HMI components and their architecture;

Specific HFE design principles and HMI design guidelines for maintenance and testing;

The potential impact of new or modified designs on human performance, and the development of procedures and training;

Collection and analysis of user feedback through early HFE analyses in the form of usability testing and user reviews of prototypes and concepts;

Insight into the scope, content and usability of operating procedures used to support the execution of safety critical tasks;

Insight into the scope and content of training.

Verification of design implementation against previously identified HFE design principles and applicable HFE design codes, standards and guidelines;

Verification of design implementation to ensure all information and controls required for carrying out tasks have been provided in the design;

Validation in respect of human factors to ascertain the degree to which the HMI design and supporting mechanisms facilitate the achievement of safe operation of the plant;

Confirmation of the feasibility of important human tasks in the probabilistic and deterministic safety analyses through validation in respect of human factors;

Confirmation of the completion of HFE analyses and of HFE inputs into the design in accordance with the HFE programme and regulatory expectations.

Applicable HFE related issues identified in the review of operating experience at the nuclear power plant;

Insights from experience identified by plant personnel;

Issues identified in the review of operating experience at other nuclear power plants and in other industries.

Minor problems (e.g. near misses or low level events) that are often precursors or contributors to more significant events;

Adverse trends that could indicate a reduction in reliability;

Data on root causes that could point to a need for improvements in design;

Evidence of influences and trends in the organizational culture that could prove problematic for future operations;

Corrective actions and their implementation;

Recurring events;

Reviews of maintenance practices;

Industry communications on best practices.

High level functions that ensure safe operation of the plant;

Relationships (e.g. the plant configurations or success paths²) between high level functions and the plant systems responsible for performing those functions;

The decomposition of high level functions into lower level functions that can be mapped to tasks to be performed by plant automation or by humans, or by humans and automation jointly;

A framework for determining the roles and responsibilities of personnel and automation.

To personnel (e.g. manual control, with no automation).

To automatic systems (e.g. fully automatic control and passive, self-controlling phenomena).

To a combination of personnel and automation, for example:

• Shared operation (i.e. the automatic operation of some aspects of a function, with other aspects performed manually);

• Operation by consent or delegation (i.e. automation takes control of a function when personnel have given permission and the situation permits);

• Operation by exception (i.e. automatic operation of a function, unless there are specific predefined situations or circumstances necessitating manual control).

Tasks that are performed in different locations (e.g. control room, supplementary control room, local control stations, emergency response facilities);

Tasks that differ depending on the plant state;

Tasks that require individual work and/or cooperation or exchanges between different organizational units (e.g. operations, maintenance, procedures development and computer systems engineering) and interested parties;

Tasks that sometimes have to be performed under time pressure or harsh environmental conditions and contexts, or that are safety critical and rarely performed.

Tasks posing an occupational risk to personnel;

Tasks credited in the safety analysis;

Tasks identified from operating experience as challenging or prone to error;

Tasks identified as difficult by operating personnel and for which no plans have been made to automate that task;

Tasks that are critical for maintaining the plant in a safe state or restoring it to a safe state following an event.

The expected human tasks and the potential human errors that have an impact on safety;

The expectations regarding how each task will be conducted, the expected task outcomes, and estimates of the reliability of human performance for the task;

The means for error prevention in place for safety critical tasks;

The safety functions impacted and the initiating conditions and terminating conditions for each task;

The sequence for implementing tasks and subtasks;

The personnel needs (e.g. organizational aspects, staffing, qualification and training), the equipment needs (e.g. HMI elements, special tools and protective clothing) and the documentation needs (e.g. procedures, processes and instructions);

The human performance requirements and constraints (e.g. time, precision and independent verification);

Required communication systems and access to those systems.

Documentation (supplier documentation, technical specifications, existing procedures, manuals and training materials);

Knowledgeable personnel from the design team, operating personnel who have gained operating experience in similar plants, interested parties and experts from other industries;

Walkthrough and ‘talkthrough’ to analyse tasks performed by a predecessor system and tasks from similar plants, as well as the tasks associated with the system being developed;

Data from the review of operating experience (with account taken of differences from the reference design);

Data from the customer’s requirements;

Data from other analyses that are inputs to the HFE design process (e.g. function analysis and allocation, and treatment of important human tasks);

Data from simulator studies;

International HFE standards (see also the Annex).

The safe completion of human tasks;

The workload of the personnel;

The ability to align the contribution of each team member with a team’s task;

The independence and cooperation of the individuals responsible for checking the progress of tasks (e.g. checking actions taken in the control room and locally by the operators);

The perception of the task and its benefits, and its acceptance by the personnel.

Concept of operations in operational states and accident conditions;

Design requirements;

Task requirements;

Regulatory requirements;

Operating experience;

Treatment of important human tasks (e.g. treatment of important human tasks might determine that a two person rule needs to be in effect to ensure reliable completion of certain tasks).

The tasks assigned to each member should be clearly described.

The basis for task distribution should be determined and justified.

The workload of each team member should be reasonable in all operational states and accident conditions.

The impact on human performance should be taken into account when distributing the tasks between teams working during the day and teams working at night.

The tasks required in various operating situations should be assigned to team members in a manner that ensures continuity of responsibilities and maintains individual and team situation awareness.

Whether automatic actions are properly allocated for response to a postulated initiating event;

Whether the HMI can support anticipation of, and response to, an unexpected event;

Whether the HMI provides information on incremental changes in anticipation of sudden disruptions or fault conditions (e.g. use of predictive displays);

Whether provisions and locations for additional tools and equipment are available;

Whether implementation by the operating organization of ‘stress tests’ of the response of plant systems to severe accidents provides insights for how operators might be able to use equipment for purposes other than the original intent in order to protect fission product boundaries;

Whether different operational strategies might have to be adopted in order to achieve a safe state as an event unfolds;

Whether equipment could be used out of its design intent to support the adoption of a different strategy (e.g. use of the fire protection system for heat removal).

Operating experience review;

Function analysis and function allocation;

Task analysis;

Analysis of staffing, organization and qualifications;

Treatment of important human tasks.

Constraints imposed by the overall I&C system (e.g. constraints on the information that can be presented due to the availability of sensor data);

The physical environment in which the HMI is to be deployed;

Cognitive limitations and cognitive strengths of the users;

The knowledge, skills and abilities of personnel, including personnel from various occupational groups;

Applicable regulatory requirements.

Tasks necessary to control the plant during a range of plant states, from normal operation to accident conditions;

Detailed I&C requirements (e.g. requirements for display range, precision, accuracy and units of measurement);

Requirements relating to aspects that support tasks, including habitability (e.g. lighting and ventilation requirements).

Should, as far as practicable, accommodate the different roles and responsibilities of various types of operating personnel expected to interact with the plant;

Should be designed with primary attention given to the role of the operator who is responsible for the safe operation of the equipment;

Should support the development of a common situation awareness on the part of the control room staff (e.g. by means of large wall-mounted plant status displays);

Should provide an effective overview of the plant status;

Should, as far as practicable, apply the simplest design from the users’ perspective that is consistent with function and task requirements;

Should present information such that it can be rapidly recognized and understood by operators (e.g. taking into account knowledge about human information processing and visual attention);

Should accommodate failure of analogue and digital displays without significant interruption of control actions;

Should reflect consideration of human cognition, physiological characteristics, characteristics of human motor control and human body sizes.

To be consistent with the design guidance used for the existing HMI, so that personnel have a similar interface across new and old equipment;

To be consistent, as far as possible, with users’ existing strategies for gathering and processing information, and executing actions identified in the task analysis.

Requirements for human tasks;

Human performance capabilities and limitations;

Performance requirements for the HMI;

Inspection and testing needs;

Maintenance demands;

The use of proven technology and operating experience with predecessor designs.

Locating controls at proper positions;

The use of protective structures;

A demand for a second confirmatory action;

The use of interlocks or permissive signals, with proper assignment of priorities;

The proper selection of physical characteristics, such as size, operating pressure or force, and tactile, optical and/or acoustic feedback.

To allow access to individual components, when necessary;

To allow access to information about the status of each component;

To control the relationship to other components.

Workstation height;

Inclination of benchboards, angle and depth of consoles, and workstations that can be adjusted for sitting and standing;

Control device location;

Display device location;

Layout of control and display devices at a console or workstation;

Size and legibility of text and graphics;

Space for legs and feet.

Access to the components on the panels for repair, removal or replacement;

Separation of controls and displays used only for testing and maintenance from those used for operations;

Contingency space for special test equipment or for access for repairs.

To assess the general state of the plant in any condition;

To operate the plant within the specified limits on parameters associated with plant systems and equipment (operational limits and conditions);

To confirm that safety actions for the actuation of safety systems are automatically initiated when needed and that the relevant systems perform as intended;

To determine both the need for and the time for manual initiation of the specified safety actions.”

Operating goals and objectives, including safe operation;

The organization of the HMI into workstations (e.g. consoles and panels);

The arrangement of workstations and supporting equipment in the main control room.

Recognize the actions being taken by the reactor protection system and other automatic systems;

Analyse the cause of disturbances and follow their course;

Perform any necessary manual counteractions.

Should permit full view of all control and display panels (including alarm displays);

Should facilitate verbal communication from operators at the workstations to any point in the main operating area;

Should permit access to workstations without the need to overcome obstacles;

Should permit efficient, unobstructed movement and communication.

Identify the actions being taken by automatic systems;

Perform any necessary manual counteractions;

Follow the course of the plant’s behaviour or response.

Parameter deviations or rate of change deviations from control or protection set points;

Equipment failures, anomalies or discrepancies;

Incomplete or failed automatic actions.

Digital signals;

Analogue signals;

Calculated, synthesized or grouped signals from direct inputs or derived from other systems.

Event based reduction techniques filter or suppress alarms generated as a consequence of the failure of a support system or item of equipment, or as a consequence of a plant event;

Significance based reduction techniques suppress lower priority alarms in situations with alarm overload.

Flashing, initiated when the alarm condition appears or clears, and terminated after acknowledgement or reset, respectively. Grouped alarms should reflash when any new sub-alarm appears after another sub-alarm has already been set off and has been acknowledged.

Colour coding: alarms can light with different colours depending on the alarm priority and on the alarm state. Other display coding methods may be used.

Spatially dedicated, continuously visible displays (e.g. analogue tile panels or arrays of visual display units with continuously visible tile-like panels, or continuously visible mimic displays with integrated alarms);

Alarm message list displays (e.g. text messages presented on visual display unit screens);

Alarms integrated into graphic displays (e.g. mimic displays or soft control displays);

Individual alarm information displays;

Mixed displays (i.e. a combination of the other types of display).

Chronological order;

Priority level;

Alarm state;

Alarm message;

Any other logical order.

Trends for variables from which the alarm is derived;

Statistics, such as how often, on average, the alarm has occurred;

Relationships with other alarms or variables;

Current or historical work orders or reports relating to the alarm.

The system or functional group to which the alarm belongs;

The exact message associated with the alarm;

Priorities for response to alarms;

Automatic actions, and immediate and other operator actions;

A list with the potential cause or causes of the alarm;

References.

The availability and status of equipment necessary to successfully complete each procedure;

The validity of any assumptions or claims made in safety analyses about tasks performed by humans that are related to safety.

To identify potential errors that need to be highlighted in the procedure;

To describe the flow of information, actions and feedback necessary for the successful completion of a task;

To identify links between tasks and personnel;

To provide preliminary information on the timing of individual actions within the procedure;

To facilitate the transition between procedures;

To establish the format and content of technical warnings, prerequisites (initiating conditions) and requirements for termination of the procedure.

Identification of HFE standards and guidelines;

Verification of the HMI, including hardware (e.g. consoles, panels and analogue interfaces, including alarm displays) and software, and of associated documentation (e.g. procedures, instructions and alarm sheets);

Review of design requirements, drawings and manuals;

Verification of means to support tasks, including the provision of tools, job aids, personal protective equipment, task related equipment and training, the qualifications of operators, and the availability of accessible and usable procedures at the point of need.

The ability of control room personnel to complete the required actions in operational states and accident conditions;

The presentation and the organization of procedures to support task performance;

The capability of the HMI to support operator tasks;

The suitability of the layout of the workspace to support task and system performance;

The resources for crisis management and coordination among the team members involved in the management of an accident, including external organizations.

The layout of the main and supplementary control rooms as it supports operator tasks;

The effectiveness of the systems for monitoring, control and maintenance (inside and outside the control rooms);

The monitoring and control systems in the control room linked to the entire plant for use in operational states and accident conditions.

The concept of operations in all operational states and accident conditions;

The technical and user requirements associated with the tasks, especially safety critical tasks;

The functional and detailed specifications of the means of control and of the level of automation;

Inputs from function analysis;

Regulatory requirements;

Inputs from the review of operating experience;

Important human tasks;

Data from safety analysis;

Data from human reliability analysis;

Data from the analysis of staffing, organization and qualifications;

Data from previous HFE reviews and analyses;

Input from simulation, where available (e.g. partial task simulation).

As more interfaces become available;

As procedures become more detailed;

As operators are trained;

As simulations become more realistic.

The scope of the evaluation;

The necessary data collection and analysis;

Measures of effectiveness;

Evaluation and acceptance criteria;

Participants involved in the evaluation;

Training needs for the evaluation team, including for those participating as user representatives;

The test environment;

The schedule.

The selection of scenarios;

Materials⁵ and tools to be used by the evaluation team.

With the project’s HFE requirements (e.g. ergonomic requirements and project specific requirements);

With the plant’s operational acceptance criteria;

With the regulatory requirements for operator response.

The analysis and assessment of any HFE related issues;

The tracking of HFE related issues;

The approach for resolving design deficiencies.

Static testing (e.g. to verify that the system meets the design specifications);

Dynamic testing (e.g. testing of the system response in terms of time and accuracy);

Scenario testing and partial task simulations or full scope simulations (e.g. testing of operator response in terms of time and accuracy);

Observation;

Independent reports (e.g. questionnaires and structured interviews);

Checklists (e.g. within static or dynamic testing);

Walkthroughs of tasks.

The complexity of the task to be performed;

The workload (individual and team);

The knowledge, skills and abilities required with respect to the design;

Sequencing and response times;

Requirements for situation awareness (individual and team);

Requirements for using procedures;

Requirements for detecting and responding to adverse conditions;

Requirements for collaboration and communication between users and with other teams.

Time;

Accuracy;

Communication frequency and content;

Error detection and error recovery rates;

Parameters relating to situation awareness (e.g. cue identification, comprehension and prediction);

Use of group decision making methods;

Gaze time and dwell time (e.g. from eye tracking);

Fatigue;

Probability of successful task performance.

Simulations and test beds should correspond to the design and physical layout of the plant.

The tested scenarios should be representative of the operating conditions in all plant states and should include events (e.g. failures) and their initiating conditions.

The operating tasks should be representative of those used in the plant (e.g. monitoring, detection, diagnosis, anticipation of changes in parameters, surveillance, control and manual recovery of automatic control systems).

Participants should be trained and should occupy a position in the test scenario corresponding to their levels of qualification and responsibility.

The procedures applied should match those that will be used in the relevant operating conditions.

The range of human interactions expected during scenarios should be tested.

The actions taken by the test participants (e.g. by means of manual collection of data by observers during each test);

Communication between the test participants in the control room and communication between the control room and other teams involved in the operation of the plant and crisis management.

To facilitate the surveillance of the plant and to enhance situation awareness;

To optimize the workload of personnel;

To encourage cooperation and communication among personnel.

The chronology of the actions taken;

The identification of tasks that were performed consistently well and without issues;

The identification and analysis of unusual occurrences in the execution of the scenario (e.g. any difficulties encountered by personnel, hesitations about how to proceed and misunderstandings between the members of the control room team about the status of the systems or equipment).

The systems that were used successfully by the test participants and that meet their needs;

The systems that were difficult to use;

The implied safety significance of the test results;

Suggestions for improved design (made by both the analyst and users).

Comprehend the situation;

Take the required actions, while taking the corresponding requirements into consideration;

Cooperate with one another in the control room, and with the personnel with whom the control room staff have to interact (e.g. maintenance personnel, automatic control systems personnel and crisis management teams).

The implementation of the design process matches its technical specification in terms of standards, functionality and safety performance;

The implemented design has not generated any issues or conflicts (e.g. safety, operability or cultural aspects) relating to personnel, the management system, or structures, systems or components (e.g. inconsistencies with existing systems or interfaces).

Organizational factors;

Personnel factors;

Job design;

Safety analysis;

Probabilistic safety assessment and human reliability analysis;

The HMI;

Equipment;

Procedures;

Training;

Plant reference documentation;

The working environment.

An assessment that considers the consequences of the as-built design on actions that might be necessary to mitigate any undesirable consequences of HFE design implementation.

Elements that need to be in place prior to commencing the implementation (e.g. the training of the implementation team on the use of simulators or test beds that is necessary to ensure that they attain the desired level of task performance).

A definition of criteria for successful implementation. This could link to the human performance monitoring system to ensure that the right aspects of human performance are being tested or measured.

A method for capturing, assessing and resolving HFE related issues that are identified during the HFE design implementation stage.

Where practicable, contingency strategies in the event that the HFE design implementation fails to meet its performance objectives.

The outputs from the design project, including supporting provisions (e.g. the HMI, procedures and training), meet the relevant standards and performance and success criteria, as defined at the start of the project;

Any negative effects on humans, technology and the organization are tolerable or suitably ameliorated;

Any changes made to the as-built design are reflected in plant drawings and materials (e.g. training material, procedures, drawings, simulators, organizational structures and ancillary equipment);

All HFE related issues identified prior to HFE design implementation have been adequately addressed;

Any new HFE related issues have been captured and assessed, and a suitable plan for resolution has been established;

Any remaining non-conformances have been assessed and deemed to be acceptable on safety grounds.

Whether the HMI design meets (and will continue to meet) the original safety, operability and performance assumptions;

Whether the HMI design can be effectively used by operating personnel to conduct their tasks in the main control room, supplementary control room, local control stations and emergency response facilities;

Whether changes made to the HMI design, procedures and training have any adverse effects on how operators carry out their work tasks;

Whether human tasks can be accomplished in accordance with response time criteria and performance criteria;

Whether the level of performance established at the stage of system validation is maintained over the lifetime of the plant;

Whether the supporting provisions, such as supervision, training, staffing, procedures, personal protective equipment, tools and job aids, are appropriate and sufficient to support personnel in performing their tasks.

Individuals responsible for human performance monitoring, and the users of its outputs, should be adequately trained.

Individuals responsible for human performance monitoring should be suitably qualified and experienced in the domains of human and organizational factors, systemic approaches and root cause analysis methods.

The causes and significance of deficient human performance should be comprehensively understood and means for performance improvement should be identified.

A culture of open and honest reporting should be established to ensure the effective use of issue reporting by system users.

Individual and team performance is affected by human performance at all levels within the organization; therefore, effective human performance monitoring should capture data from all levels.

Progress in responding to and resolving degraded human performance should be monitored to ensure that the response is within appropriate timescales.

Type I systems represent an equivalent reproduction of paper based procedures and do not receive any processed or real time information.

Type II systems augment procedures with dynamic embedded process data.

Type III systems provide the capabilities of Type II systems and include embedded soft controls to manipulate plant equipment. Type III systems could include the capability for automated sequences of steps that automatically carry out the actions described in the procedure.

Display, to the extent reasonably achievable, only information relevant to the task to be performed;

Continuously provide distinguishing information (e.g. title, revision number, date, plant name and unit) for each procedure;

Maintain consistency of display and location of information, navigation aids, controls and other application menus for each display in the computerized procedures system;

Arrange the computerized procedures system (including, for example, its structure, format, navigation menus and controls) to be adaptive to any device on which the system is going to be used.

They are presented when the step is on the display;

They are read by the operator before the actions detailed in the step are carried out;

Each warning or caution is presented in a way that is easily distinguished from other warnings or cautions.

Makes it easy for the operator to process the information;

Clearly distinguishes each set of items from other sets of items;

Includes a header specifying the content of the list.

Procedures that were currently being carried out;

Procedure steps already completed and those not completed, including the step in which the execution of the procedure was interrupted;

Information about steps or conditions that were being monitored when the transition to backup procedures took place;

The information necessary to continue the execution of the procedure where it was interrupted, avoiding repetition of steps already completed.

Assist the operator in recognizing the progress of the automation and in making any relevant and necessary decisions or adjustments for the procedure to continue;

Maintain the operator’s awareness of the status of plant equipment involved in the sequence of steps being carried out;

Enable the operator to authorize the procedure to continue.

HFE programme management, including the authority and oversight for HFE in the design process;

The human factors analysis methods applied;

Assumptions for the choice of HMI design, with account taken of HFE;

Human factors verification and validation, including the identification and resolution of HFE related issues during the design project and assumptions made during analysis;

A description of how the HMI design has been implemented in the plant as a whole;

A description of the strategy for human performance monitoring for safety critical tasks.

The most resource intensive conditions feasible for each operational mode or plant state;

The feasibility of the division and coordination of work in the most resource intensive conditions, as assessed by function allocation, task analyses and workload analyses.

Within each system;

Between similar systems that are already used by operators;

With existing characteristics of the HMI at the plant.

Error correction functions (e.g. an easy means for correcting erroneous entries and for correcting individual errors without the need for correctly entered commands or data to be re-entered);

Features for early detection and correction of errors by users and software, after keying in, but before entry into the system;

Error checking in a manner that does not disrupt the user (e.g. at the end of data fields rather than character by character);

User control of the process when equipment is controlled from a mobile device (e.g. capability to stop the process at any point in the sequence as a result of an indicated error).

INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. SSR-2/1 (Rev. 1), IAEA, Vienna (2016).

INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Commissioning and Operation, IAEA Safety Standards Series No. SSR-2/2 (Rev. 1), IAEA, Vienna (2016).

INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Assessment for Facilities and Activities, IAEA Safety Standards Series No. GSR Part 4 (Rev. 1), IAEA, Vienna (2016).

INTERNATIONAL ATOMIC ENERGY AGENCY, Leadership and Management for Safety, IAEA Safety Standards Series No. GSR Part 2, IAEA, Vienna (2016).

INTERNATIONAL ATOMIC ENERGY AGENCY, Application of the Management System for Facilities and Activities, IAEA Safety Standards Series No. GS-G-3.1, IAEA, Vienna (2006).

INTERNATIONAL ATOMIC ENERGY AGENCY, The Management System for Nuclear Installations, IAEA Safety Standards Series No. GS-G-3.5, IAEA, Vienna (2009).

INTERNATIONAL ATOMIC ENERGY AGENCY, Operating Experience Feedback for Nuclear Installations, IAEA Safety Standards Series No. SSG-50, IAEA, Vienna (2018).

INTERNATIONAL ATOMIC ENERGY AGENCY, Protection against Internal Hazards other than Fires and Explosions in the Design of Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.11, IAEA, Vienna (2004). (A revision of this Safety Guide is in preparation.)

FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL CIVIL AVIATION ORGANIZATION, INTERNATIONAL LABOUR ORGANIZATION, INTERNATIONAL MARITIME ORGANIZATION, INTERPOL, OECD NUCLEAR ENERGY AGENCY, PAN AMERICAN HEALTH ORGANIZATION, PREPARATORY COMMISSION FOR THE COMPREHENSIVE NUCLEAR-TEST-BAN TREATY ORGANIZATION, UNITED NATIONS ENVIRONMENT PROGRAMME, UNITED NATIONS OFFICE FOR THE COORDINATION OF HUMANITARIAN AFFAIRS, WORLD HEALTH ORGANIZATION, WORLD METEOROLOGICAL ORGANIZATION, Preparedness and Response for a Nuclear or Radiological Emergency, IAEA Safety Standards Series No. GSR Part 7, IAEA, Vienna (2015).

INTERNATIONAL ATOMIC ENERGY AGENCY, Accident Management Programmes for Nuclear Power Plants, IAEA Safety Standards Series No. SSG-54, IAEA, Vienna (2019).

INTERNATIONAL ATOMIC ENERGY AGENCY, Operational Limits and Conditions and Operating Procedures for Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-2.2, IAEA, Vienna (2000). (A revision of this Safety Guide is in preparation.)

INTERNATIONAL ATOMIC ENERGY AGENCY, Recruitment, Qualification and Training of Personnel for Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-2.8, IAEA, Vienna (2002). (A revision of this Safety Guide is in preparation.)

INTERNATIONAL ATOMIC ENERGY AGENCY, Format and Content of the Safety Analysis Report for Nuclear Power Plants, IAEA Safety Standards Series No. SSG-61, IAEA, Vienna (in preparation).

INTERNATIONAL ATOMIC ENERGY AGENCY, Modifications to Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-2.3, IAEA, Vienna (2001). (A revision of this Safety Guide is in preparation.)

INTERNATIONAL ATOMIC ENERGY AGENCY, Periodic Safety Review for Nuclear Power Plants, IAEA Safety Standards Series No. SSG-25, IAEA, Vienna (2013).