Systems engineering today faces a wide array of challenges, ranging from new operational environments to disruptive technologies, that necessitate new approaches to improve research and development (R&D) efforts. Yet the Aristotelian argument that the “whole is greater than the sum of its parts” seems to offer a conceptual foundation for creating new R&D solutions. Invoking the systems-theoretic concepts of emergence and hierarchy, together with the analytic characteristics of traceability, rigor, and comprehensiveness, is potentially beneficial for guiding R&D strategy and development to bridge the gap between theoretical problem spaces and engineering-based solutions. In response, this article describes systems-theoretic process analysis (STPA) as an example of one such approach to aid early-system R&D discussions. STPA, a ‘top-down’ process that abstracts real complex system operations into hierarchical control structures, functional control loops, and control actions, uses control loop logic to analyze how control actions (designed to produce desired system behaviors) may be violated and drive the complex system toward states of higher risk. By analyzing how needed controls are not provided (or are provided out of sequence or stopped too soon) and how unneeded controls are provided (or applied too long), STPA can help early-system R&D discussions by exploring how requirements and desired actions interact to either mitigate or potentially increase states of risk that can lead to unacceptable losses. This article demonstrates STPA's benefit for early-system R&D strategy and development discussion by describing use cases as diverse as cyber security, nuclear fuel transportation, and US electric grid performance. Together, the traceability, rigor, and comprehensiveness of STPA serve as useful tools for improving R&D strategy and development discussions.
In conclusion, leveraging STPA and related systems engineering techniques can be helpful in early R&D planning and strategy development, both to triangulate deeper theoretical meaning and to evaluate empirical results, so that systems engineering solutions are better informed.
The PRO-X program is actively supporting the design of nuclear systems by developing a framework that both optimizes the fuel cycle infrastructure for advanced reactors (ARs) and minimizes the potential for production of weapons-usable nuclear material. Sandia National Laboratories (SNL), with support from Argonne National Laboratory (ANL), is currently investigating three study topics in this multi-lab collaboration that may offer proliferation resistance opportunities or advantages in the nuclear fuel cycle: 1) Transportation Global Landscape, 2) Transportation Avoidability, and 3) Parallel Modular Systems vs Single Large System (Crosscutting Activity).
Security engineering approaches often focus on a particular domain, such as physical security, cyber security, or personnel security. Yet security systems engineering consistently faces challenges requiring socio-technical solutions to address evolving and dynamic complexity. While some drivers of this complexity stem from complex risk environments, innovative adversaries, and disruptive technologies, other drivers are endogenous and emerge from the interactions across security engineering approaches. In response, INCOSE's Systems Security Working Group identified the need to better coordinate “disparate security solutions [that] operate independently” as one of eleven key concepts in its IS21 FuSE Security Roadmap. This need for “security orchestration” aligns with the perspective that security is a property that emerges from interactions within complex systems. Current efforts at Sandia National Laboratories are developing a systems security engineering approach that describes high consequence facility (HCF) security as a multidomain set of interacting layers. The result is a multilayered network (MLN)-based approach that captures the interactions between infrastructure, physical components, digital components, and humans in nuclear security systems. This article summarizes the MLN-based approach to HCF security and describes two preliminary results demonstrating potential benefits from incorporating interactions across disparate security solutions. By leveraging the logical structure of networks, this MLN model-based approach illustrates how security orchestration yields enhanced systems security engineering solutions.
Advances in differentiating between malicious intent and natural "organizational evolution" to explain observed anomalies in operational workplace patterns suggest that evaluating collective behaviors observed in facilities can improve insider threat detection and mitigation (ITDM). Advances in artificial neural networks (ANNs) provide more robust pathways for capturing, analyzing, and collating disparate data signals into quantitative descriptions of operational workplace patterns. In response, a joint study by Sandia National Laboratories and the University of Texas at Austin explored the effectiveness of commercial ANN software for improving ITDM. This research demonstrates the benefit of learning patterns of organizational behavior, detecting off-normal (or anomalous) deviations from these patterns, and alerting when certain types, frequencies, or quantities of deviations emerge. Evaluating nearly 33,000 access control data points and over 1,600 intrusion sensor data points collected over a nearly twelve-month period, the study's results demonstrated that the ANN could recognize operational patterns at the Nuclear Engineering Teaching Laboratory (NETL) and detect off-normal behaviors, suggesting that ANNs can support a data-analytic approach to ITDM. Several representative experiments were conducted to further evaluate these conclusions, and the resulting insights support collective behavior-based analytical approaches to quantitatively describing insider threat detection and mitigation.
Security assessments support decision-makers' ability to evaluate the current capabilities of high consequence facilities (HCFs) to respond to possible attacks. However, the increasing complexity of today's operational environment requires a critical review of traditional approaches to ensure that the assessments in use provide relevant and timely insights into HCF security. Using interviews and focus groups with diverse subject matter experts (SMEs), this study evaluated the current state of security assessments and identified opportunities to achieve a more "ideal" state. The SME-based data underscored the value of a systems approach for understanding the impacts of changing operational designs and contexts (as well as cultural influences) on security, addressing methodological shortcomings of traditional assessment processes. These findings can inform the development of new approaches to HCF security assessments that more accurately reflect changing operational environments and effectively mitigate concerns arising from new adversary capabilities.
Traditional systems engineering demonstrates the importance of customer needs in scoping and defining design requirements; yet, in practice, other human stakeholders are often absent from early lifecycle phases. Human factors are often omitted when evaluating and down-selecting design options because of constraints such as time, money, access to user populations, or the difficulty of proving system robustness when human behaviors are included. Advances in systems engineering increasingly incorporate non-technical influences into the design, deployment, operations, and maintenance of interacting components to achieve common performance objectives. Furthermore, such advances highlight the need to better account for the various roles of human actors in achieving desired performance outcomes in complex systems. Many of these efforts seek to infuse lessons and concepts from human factors (enhanced decision-making through Crew Resource Management), systems safety (Rasmussen's “drift toward danger”), and organization science (Giddens' recurrent human acts leading to emergent behaviors) into systems engineering to better understand how socio-technical interactions impact emergent system performance. Safety and security are examples of complex system performance outcomes that are directly impacted by the varying roles of human actors. Using the security performance of high consequence facilities as a representative use case, this article outlines the System Context Lenses as a way to include the various roles of human actors in systems engineering design. Several exemplar applications of these organizing lenses are summarized and used to highlight more generalized insights for the broader systems engineering community.
Multilayered networks (MLNs), when integrated with traditional task analyses, offer a model-based approach to describing human performance in nuclear power plant security. MLNs demonstrate the interconnected links between security-related roles, security operating procedures, and technical components within a security system. However, when used in isolation, MLNs and task analyses may not fully reveal the impacts humans have within a security system. Thus, the System Context Lenses were developed to enhance the design for, and analysis of, desired complex system behaviors, such as security at nuclear power plants (NPPs). The System Context Lenses integrate systems engineering concepts and human factors considerations to describe how human actors interact within (and across) the system design, operational environment, and sociotechnical context. Through application of the System Context Lenses, critical Performance Shaping Factors (PSFs) influencing human performance can be identified and used to analytically connect human actions with technical and environmental resources in an MLN. This paper summarizes the benefit of a tiered-lens approach on a use case of a multilayered network model of NPP security, including a demonstration of how NPP security performance can be improved by more robustly incorporating varying human, institutional, and broader socio-technical interactions.
Vital Area Identification (VAI) is an important element in securing nuclear facilities, including the range of recently proposed advanced reactors (ARs). As ARs continue to develop and progress toward licensure, it will be necessary to ensure that safety analysis methods are compatible with the new reactor designs. These reactors tout inherently passive safety systems that drastically reduce the number of active components whose failures need to be considered as basic events in a Level 1 probabilistic risk assessment (PRA). Instead, ARs rely on natural processes for their safety, which may be difficult to capture with fault trees (FTs); consequently, it is difficult to determine the effects of lost equipment when completing a traditional VAI analysis. Traditional VAI methodology incorporates FTs from the Level 1 PRA as a substantial portion of the effort to identify candidate vital area sets. The outcome of VAI is a selected set of areas deemed vital that must be protected in order to prevent radiological sabotage. An alternative methodology is proposed to inform the VAI process and the selection of vital areas: Systems-Theoretic Process Analysis (STPA). STPA is a systems-based, top-down approach that analyzes a system as a hierarchical control structure composed of components (both those that are controlled and their controllers) and the control actions issued by, or acting upon, those components. The control structure is then analyzed against several situational parameters, including a time component, to produce a list of scenarios that may lead to system losses. A case study is presented to demonstrate how STPA can be used to inform VAI for ARs.
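As an added example (not code from either article), the following script carries out the STPA step that the first and last abstracts describe: for each control action in a hierarchical control structure it enumerates the four unsafe-control-action types (not provided, provided when not needed, wrong timing or sequence, stopped too soon or applied too long) and traces each one through hazards to losses. The control structure, contexts, hazards and losses are hypothetical values constructed for a notional reactor vital-area case.

```python
from dataclasses import dataclass
# The four STPA unsafe-control-action (UCA) types named in the abstracts.
UCA_TYPES = ("not provided when needed", "provided when not needed",
             "provided too early, too late, or out of sequence",
             "stopped too soon or applied too long")

# Constructed hazards, losses and process-model contexts (hypothetical; not from the articles).
LOSSES = {"L1": "radiological release", "L2": "injury to personnel"}
HAZARDS = {"H1": ("loss of decay-heat removal", {"L1"}),
           "H2": ("intruder reaches vital equipment", {"L1"}),
           "H3": ("personnel trapped inside vital area", {"L2"})}
CONTEXT_HAZARDS = {"decay heat present": {"H1"}, "intruder detected": {"H2"},
                   "evacuation in progress": {"H3"}}

@dataclass(frozen=True)
class ControlAction:
    controller: str
    process: str
    name: str
    required_in: frozenset   # contexts in which the action must be provided
    hazardous_in: frozenset  # contexts in which providing it is hazardous
    timed: bool = False      # timing or sequence relative to other actions matters
    continuous: bool = False # the action has a duration that can be cut short

def enumerate_ucas(action):
    # One row per (action, UCA type, context); the hazard set is the context's.
    rows = []
    for ctx in sorted(action.required_in):
        haz = frozenset(CONTEXT_HAZARDS.get(ctx, ()))
        rows.append((action.name, UCA_TYPES[0], ctx, haz))
        if action.timed:
            rows.append((action.name, UCA_TYPES[2], ctx, haz))
        if action.continuous:
            rows.append((action.name, UCA_TYPES[3], ctx, haz))
    for ctx in sorted(action.hazardous_in):
        rows.append((action.name, UCA_TYPES[1], ctx, frozenset(CONTEXT_HAZARDS.get(ctx, ()))))
    return rows

def analyze(actions):
    # Traceability: each UCA row is extended with the losses its hazards lead to.
    return [(*r, frozenset(loss for h in r[3] for loss in HAZARDS[h][1]))
            for a in actions for r in enumerate_ucas(a)]

ACTIONS = [  # constructed control structure: two controllers, two control actions
    ControlAction("operator", "cooling pumps", "start emergency cooling",
                  frozenset({"decay heat present"}), frozenset(), timed=True, continuous=True),
    ControlAction("guard force", "vital-area door", "lock door",
                  frozenset({"intruder detected"}), frozenset({"evacuation in progress"})),
]
```

Running `analyze(ACTIONS)` yields five UCA rows, each linked to at least one loss, which is the traceability property the abstracts emphasize; a real analysis would continue by writing loss scenarios for each row.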