Remote and Autonomous Operation Under Proposed Part 57: What the Rule Says, What It Doesn't, and What the NRC Needs to Hear

May 26, 2026
Executive Summary
Proposed 10 CFR Part 57 is the first NRC commercial licensing framework to explicitly authorize remote operation and autonomous operation of nuclear power plants. The NRC calls this "a paradigm shift for the nuclear industry and the NRC" — and means it. The proposed rule contains definitions, application content requirements, staffing classifications, and operator licensing provisions that collectively sketch the outline of a new regulatory model. But the outline is not yet a framework. The NRC has asked in Q10-1 — one of twelve Specific Requests for Comment in Section VII of the proposed rule — what additional requirements and guidance are necessary for regulatory review of remote and autonomous operation under Part 57. That question is open because the NRC does not yet have the answers. The comment period closes June 15, 2026.
This article unpacks exactly what the proposed rule says, grounds each concept in existing NRC precedent where it exists, and is honest about what the rule leaves dangerously underdeveloped — including a difficult conversation about autonomous operation, sensor data integrity, and whether any current AI architecture could safely run a nuclear plant without human oversight.
Three Concepts the Rule Introduces — and Their Existing Precedents
The proposed rule introduces three separate but related concepts that are easy to conflate and important to keep distinct. The regulatory treatment — and the application content required — differs across all three.
Remote monitoring is defined in proposed § 57.3 as observing plant data from a location outside the site boundary. It explicitly excludes operator actions to manipulate the reactor. This concept has a well-established, if limited, NRC precedent: the Emergency Response Data System (ERDS), mandated after Three Mile Island and codified in NUREG-1394. ERDS provides a direct real-time data transfer from licensee plant computers to the NRC Operations Center, transmitting 25 to 100 selected parameters at 15 to 60 second intervals — but only after the licensee declares an Alert or higher emergency condition. It is emergency-activated, read-only, limited in scope, and one-directional. Part 57's remote monitoring concept extends the same principle to routine operations and a potentially richer parameter set, but the underlying data transmission architecture — a one-way read from the plant computer — is not new. That continuity with ERDS is worth acknowledging explicitly in a comment, because it grounds the concept in precedent and allows the discussion to focus on what is genuinely novel: the scope, the routine application, and the cybersecurity requirements for a persistent rather than emergency-activated data link.
Remote operation is defined in proposed § 57.3 as commanding and controlling the reactor from a location outside the site boundary. The proposed rule redefines "control room" to accommodate locations outside the site boundary where actions can be taken to operate the unit safely. An applicant proposing remote operation must describe its remote operation program under proposed § 57.60(a)(8)(xi).
Here is the technical question the proposed rule does not ask, let alone answer: how do the signals for commanding and controlling a reactor leave the site boundary, and what is their safety classification?
In current nuclear plant I&C architecture, safety-related signals are carried on safety-related circuits — cables, conduit, and terminations that are qualified, separated, and protected commensurate with their safety function. A command signal from a control room operator to a safety-related actuator is a safety-related signal carried on a safety-related circuit. If a remote operator is performing the same function from outside the site boundary, that command pathway — whatever medium carries it across the site boundary — inherits the same qualification requirements. If the pathway uses commercial-grade components, those components must undergo commercial grade dedication (CGD) to be used in a safety-related application. The proposed rule says nothing about the signal integrity, qualification, or separation requirements for the remote command pathway.
The more fundamental question is whether a remote operator should be performing safety-related actions at all, or whether remote operation should be scoped to non-safety-related functions only, with safety functions handled by the autonomous passive design. This distinction maps directly onto the operator-dependent versus operator-independent facility classification discussed below. It should be addressed explicitly in both the proposed rule and in Q10-1 commentary.
Autonomous operation is defined functionally in proposed § 57.60(a)(1)(vi) as the autonomous performance of operations and safety functions without reliance on human intervention, external command, or active control system input under normal, abnormal, and accident conditions. The application content requirement is a description and assessment of design features. There is no further specification of what that assessment must contain, what standards it must meet, or how the NRC will review it.
This is the most consequential gap in the proposed rule, and it deserves the most careful treatment.
The Staffing Architecture: Two Classes of Facility
The proposed rule's approach to remote and autonomous operation is built into the operator licensing and staffing framework through a binary classification.
Operator-dependent facilities require specifically licensed operators and senior operators under proposed § 57.420. The operator is in the safety chain — their action or inaction can affect whether the 1 rem TEDE criterion is met.
Operator-independent facilities demonstrate that no operator actions are required to maintain the plant within the criterion of proposed § 57.25(a). These facilities are governed by Generally Licensed Reactor Operators (GLROs) under proposed § 57.405 — a new class of nuclear personnel whose license is effective without individual application or licensing documents. A GLRO can manipulate controls but is not in the safety chain, because by definition their actions are not required to maintain the plant within its dose criterion.
This binary is the structural gateway to the remote and autonomous operation framework. The proposed rule does not specify what analysis is sufficient to demonstrate operator independence — whether a transient analysis without operator action credit is sufficient, or whether a human factors analysis bounding maintenance error pathways is also required. That evidentiary gap is part of what Q10-1 commentary should address.
The FFD "Flexibility" That Isn't
Proposed Part 57 includes what the preamble describes as a flexible fitness-for-duty pathway. An applicant may propose an FFD program of its own specification if operator action would not be required to maintain the reactor within the criterion of proposed § 57.25(a) and a credible operator or maintenance error could not result in exceeding that criterion.
This flexibility deserves honest scrutiny. The expanded testing requirements in the current 10 CFR Part 26 framework — hair and saliva testing in addition to urine — are more invasive, not less, and more expensive to administer. The "risk-informed" framing of the flexible FFD pathway describes what is, in practice, intensive continuous surveillance of a workforce. No comparable high-reliability industry subjects its workers to this level of biological monitoring as a condition of employment.
The human factors research is clear that psychological safety in high-reliability operations depends on supervisors having the authority and the relationship to intervene when a worker is having a bad day — not because of substance impairment, but because of the full range of human experience that affects judgment and attention. An employee who comes to work distracted by a family crisis needs a supervisor who can take them off a sensitive task and check in. What they do not need is a regulatory framework that transforms a bad day into a potential enforcement action. The distinction between a human performance problem and a regulatory compliance problem is not semantic — conflating them increases stress, erodes trust, and in industries where we have data, increases the risk of the mental health crises we are trying to prevent.
The flexible FFD pathway as constructed does not reduce regulatory burden on workers in any meaningful sense. A comment on this framework should say so directly, and propose that the NRC consider whether the occupational health evidence supports a genuinely risk-informed approach that relies on trained supervisory judgment for non-chemical indicators of fitness, reserving the biological testing program for cause-based and random screening consistent with DOT and other high-reliability industry models.
Autonomous Operation: Could an AI Run a Nuclear Plant?
This is the question that sits behind Q10-1, even if no one in the comment period has asked it directly. The proposed rule envisions designs that perform safety functions autonomously — without human intervention, external command, or active control system input. In a world where artificial intelligence systems are increasingly capable of complex decision-making, the question of whether an AI could serve as the autonomous safety system for a nuclear plant is not hypothetical. It is the design question some Part 57 developers are already working on.
The honest answer, from someone who thinks carefully about what AI systems can and cannot do, is: not yet, and not without a qualification framework that does not currently exist.
The reasons are analytically useful for a Q10-1 comment, because they define what the qualification framework would need to contain.
Sensor data integrity is the foundational problem. An autonomous safety system is only as reliable as the data it is fed. The accident at Three Mile Island Unit 2 is the canonical example. A relief valve position indicator showed the valve as closed when it was in fact open. Operators made rational decisions based on what their instruments told them — including overriding the emergency core cooling system to prevent what appeared to be an overfill condition, when in reality the reactor coolant was boiling away and exposing the fuel. The operators were not negligent. They were responding correctly to incorrect information. An autonomous system in the same situation faces an identical challenge — and potentially a worse one, because an experienced licensed operator has intuitions about plant behavior that a control system does not. When the instrument readings don't match what the plant sounds like, feels like, or looks like, a human operator can recognize that the data may be wrong. An autonomous system that has no independent check on sensor accuracy cannot.
A qualification standard for an autonomous safety system must therefore include: cross-validation of safety-relevant sensor data against independent physical measurements; defined confidence thresholds below which the system defaults to a conservative safe-state response regardless of what the primary instruments indicate; and a documented analysis of failure modes in which the system receives systematically incorrect data and must determine whether to act on that data or default to safe shutdown.
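One way to express the cross-validation, confidence-threshold and safe-state-default requirements above, applied to a TMI-2-style indication that disagrees with the plant. This is an added example, not part of the proposed rule or any NRC guidance; the channel names, limits and thresholds are constructed assumptions, not plant values.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ACT_ON_PRIMARY = "act_on_primary"
    SAFE_STATE = "default_to_safe_state"


@dataclass(frozen=True)
class Evidence:
    """One independent physical measurement, reduced to a vote on valve state."""
    name: str
    value: float
    open_above: float    # constructed limit: a reading above this implies flow (valve open)
    valid: bool = True   # False when the channel itself is failed or out of range


def cross_validate(primary_says_closed, evidence, min_confidence=0.75, min_valid=2):
    """Check the primary indication against independent channels.

    Returns (decision, confidence, names of channels that contradict the primary).
    """
    valid = [e for e in evidence if e.valid]
    if len(valid) < min_valid:
        # Too few independent channels: integrity cannot be assured, so do not
        # act on the primary indication at all.
        return Decision.SAFE_STATE, 0.0, []
    disagree = [e.name for e in valid
                if (e.value <= e.open_above) != primary_says_closed]
    confidence = 1.0 - len(disagree) / len(valid)
    if confidence < min_confidence:
        return Decision.SAFE_STATE, confidence, disagree
    return Decision.ACT_ON_PRIMARY, confidence, disagree


def channels(tailpipe_temp, tank_pressure, acoustic_flow, acoustic_valid=True):
    """Build the three hypothetical independent channels (constructed limits)."""
    return [
        Evidence("tailpipe_temperature", tailpipe_temp, open_above=150.0),
        Evidence("drain_tank_pressure", tank_pressure, open_above=10.0),
        Evidence("acoustic_flow_monitor", acoustic_flow, open_above=0.2,
                 valid=acoustic_valid),
    ]


# Constructed scenarios; in every one the primary indicator reads "closed".
CONSISTENT = channels(110.0, 3.0, 0.0)       # plant agrees with the indicator
STUCK_OPEN = channels(285.0, 40.0, 0.9)      # indicator closed, valve actually open
ONE_DISSENT = channels(285.0, 3.0, 0.0)      # a single channel contradicts
BLIND = channels(110.0, 3.0, 0.0)[:1]        # only one independent channel left

if __name__ == "__main__":
    for label, ev in [("consistent", CONSISTENT), ("stuck open", STUCK_OPEN),
                      ("one dissent", ONE_DISSENT), ("blind", BLIND)]:
        decision, conf, dissent = cross_validate(True, ev)
        print(f"{label:12s} {decision.value:22s} conf={conf:.2f} dissent={dissent}")
```

With three channels and a 0.75 threshold, a single contradicting measurement is enough to force the safe state; whether that is the right trade-off is the kind of question the documented failure-mode analysis would have to settle.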
Formal verification of decision logic is required but not yet mature for complex systems. For a simple, well-defined decision space — trip the reactor if neutron flux exceeds a setpoint — the logic can be formally verified to a high degree of confidence using established digital I&C qualification methods. For a system that must make sequenced decisions across a complex accident progression with multiple interacting parameters, formal verification becomes computationally intractable with current methods. The proposed rule's requirement for a "description and assessment of design features" for autonomous operation does not come close to specifying the depth of verification required. A Q10-1 comment should propose that the NRC define what verification methods are acceptable for autonomous safety function performance as a function of the complexity of the decision space.
Cybersecurity of the data feed is not a secondary concern — it is a primary safety concern. An autonomous safety system that acts on sensor data is only as trustworthy as the integrity of the data pathway from sensor to processor. For current operating plants, the cybersecurity model relies heavily on air-gapping: the plant computer has no internet connection, and critical networks have no wireless access. This is not an administrative preference — it reflects a considered judgment that network connectivity introduces attack surfaces that cannot be adequately controlled by software security measures alone. Remote operation via any network-connected medium, including wireless communication the proposed rule explicitly acknowledges, abandons the air-gap model. The cybersecurity requirements for a persistent remote command and control pathway crossing the site boundary are qualitatively different from anything in the current 10 CFR 73.54 framework. An autonomous safety system that could be fed false sensor data by a cyber intrusion is not a safety system — it is a liability.
Software standards endorsement timelines are a real constraint. A comment that simply identifies IEEE 603 or IEC 61508 as the applicable standard for autonomous safety function software and leaves it there is not useful, because NRC endorsement of software standards for nuclear applications is measured in years to decades. The proposed rule's silence on applicable standards for autonomous operation will not be resolved by a comment that names a standard — it requires the NRC to commit to a specific endorsement process with a defined timeline as part of the final rule. Without that commitment, the first Part 57 application proposing autonomous safety function performance will arrive at an agency with no review standard in place.
What Remote Monitoring Cannot See
There is a dimension of nuclear plant safety that deserves explicit acknowledgment in a Q10-1 comment, because the proposed rule's emphasis on data streams and autonomous systems risks obscuring it entirely.
When I shadowed operators at a large light water reactor, I observed two things that no plant computer can replicate. One operator spent his entire shift walking down the inside of the plant — checking gauges in valve nests, verifying indicator panel readings against expected values, noting anything that looked or sounded different from the day before. Another spent his shift walking the outside of the plant — the switchyard, the ISFSI where spent fuel casks sit under 10 CFR 72, the diesel generators, the water intake building, the cooling towers, the dispersion stack. He was looking for bird nests in vents, animals seeking warmth on electrical equipment (a plant lost a main transformer because of a snake doing just that), rats and mice chewing through insulated cables, anything that a sensor wouldn't catch but that eyes and ears and nose would. These are not ceremonial activities and were performed once per 12-hour shift. They are the human sensing layer that catches the things the plant computer doesn't know it doesn't know.
Remote monitoring transmits the parameters the plant computer is configured to transmit. It does not transmit the smell of hot insulation, the sound of a pipe system experiencing water hammer, the sight of a diesel generator air intake that has been partially blocked by a nest, or the sound of feral cats hunting along cable raceways. For a microreactor deployed at a remote site — which is precisely the deployment model Part 57 is designed to support — the question of who performs this function, and how often, and with what qualification, is a safety analysis question the proposed rule does not address.
A Q10-1 comment should propose that the NRC require, as part of the staffing plan under proposed § 57.395(c), a defined physical inspection program that specifies the frequency, scope, and qualification requirements for physical walkdowns of the facility — separate from the remote monitoring and autonomous operation framework, and not substitutable by data stream coverage.
What a Strong Comment on Q10-1 Should Build
The NRC asked whether remote and autonomous operations should be allowed for low-consequence designs, and what additional requirements and guidance are necessary for regulatory review. The first question is effectively answered by the proposed rule — the NRC has decided to allow them. The second is where substantive commentary changes the final rule.
A strong comment should propose four things:
A tiered framework that distinguishes among remote monitoring, remote operation of non-safety-related controls, remote operation of safety-related controls, supervised autonomous operation, and fully autonomous operation — with defined evidentiary requirements and signal qualification standards at each tier.
A sensor data integrity standard for autonomous safety function performance that includes cross-validation requirements, confidence thresholds, and defined safe-state defaults when data integrity cannot be assured — anchored by the TMI-2 lesson that the failure mode of an autonomous system acting on false data is categorically different from the failure mode of an instrumentation anomaly in a staffed plant.
A cybersecurity framework for remote command and control that acknowledges the abandonment of the air-gap model and proposes what replaces it — specifying what network security architecture, signal integrity protections, and intrusion detection requirements are necessary for a safety-related remote command pathway.
A physical inspection program requirement that ensures someone with eyes, ears, and professional judgment walks the plant on a defined schedule — regardless of how sophisticated the remote monitoring and autonomous operation framework becomes.
A Note on the FFD Framework and Worker Dignity
The comment period closes June 15. Among all the technical arguments worth making before that date, the one about the fitness-for-duty framework is the most important to make plainly: a surveillance program that treats workers as potential threats rather than trusted professionals in a high-reliability industry is not a safety program. It is a compliance program that may actively undermine the psychological safety conditions that make high-reliability operations possible. The nuclear industry needs the best people it can find. Treating them accordingly is not separate from nuclear safety. It is part of it.
Sarah Gibboney, P.E. is the founder of Gibboney Nuclear. She has 17 years of continuous nuclear energy experience spanning both DOE authorization and NRC licensing frameworks, has contributed to the licensing of 8 reactor designs and 2 operating reactors, and co-authored 2 construction permit applications. She previously published on proposed Part 57's eligibility criteria and the Licensing Modernization Project at gibboneynuclear.com. She works with advanced reactor developers on licensing strategy, pathway selection, and regulatory engagement across both the DOE Reactor Pilot Program and NRC commercial licensing pathways.



