TOWARD A NEW APPROACH FOR VITAL AREA IDENTIFICATION FOR CUTTING-EDGE NUCLEAR FACILITIES
Abstract not provided.
International Conference on Nuclear Engineering, Proceedings, ICONE
Prescriptive approaches for the cybersecurity of digital nuclear instrumentation and control (I&C) systems can be cumbersome and costly. These considerations are of particular concern for advanced reactors that implement digital technologies for monitoring, diagnostics, and control. A risk-informed performance-based approach is needed to enable the efficient design of secure digital I&C systems for nuclear power plants. This paper presents a tiered cybersecurity analysis (TCA) methodology as a graded approach for cybersecurity design. The TCA is a sequence of analyses that align with the plant, system, and component stages of design. Earlier application of the TCA in the design process provides greater opportunity for an efficient graded approach and defense-in-depth. The TCA consists of three tiers. Tier 1 is design and impact analysis. In Tier 1 it is assumed that the adversary has control over all digital systems, components, and networks in the plant, and that the adversary is only constrained by the physical limitations of the plant design. The plant's safety design features are examined to determine whether the consequences of an attack by this cyber-enabled adversary are eliminated or mitigated. Accident sequences that are not eliminated or mitigated by security by design features are examined in Tier 2 analysis. In Tier 2, adversary access pathways are identified for the unmitigated accident sequences, and passive measures are implemented to deny system and network access to those pathways wherever feasible. Any systems with remaining susceptible access pathways are then examined in Tier 3. In Tier 3, active defensive cybersecurity architecture features and cybersecurity plan controls are applied to deny the adversary the ability to conduct the tasks needed to cause a severe consequence. Tier 3 is not performed in this analysis because of the design maturity required for this tier of analysis.
Nuclear Technology
The Information Harm Triangle (IHT) is a novel approach that aims to adapt intuitive engineering concepts to simplify defense in depth for instrumentation and control (I&C) systems at nuclear power plants. This approach combines digital harm, real-world harm, and unsafe control actions (UCAs) into a single graph named “Information Harm Triangle.” The IHT is based on the postulation that the consequences of cyberattacks targeting I&C systems can be expressed in terms of two orthogonal components: a component representing the magnitude of data harm (DH) (i.e., digital information harm) and a component representing physical information harm (PIH) (i.e., real-world harm, e.g., an inadvertent plant trip). The magnitude of the severity of the physical consequence is the aspect of risk that is of concern. The sum of these two components represents the total information harm. The IHT intuitively informs risk-informed cybersecurity strategies that employ independent measures that either act to prevent, reduce, or mitigate DH or PIH. Another aspect of the IHT is that the DH can result in cyber-initiated UCAs that result in severe physical consequences. The orthogonality of DH and PIH provides insights into designing effective defense in depth. The IHT can also represent cyberattacks that have the potential to impede, evade, or compromise countermeasures from taking appropriate action to reduce, stop, or mitigate the harm caused by such UCAs. Cyber-initiated UCAs transform DH to PIH.
The security of the electric grid and supporting energy systems is crucial to national security. One of the complexities in analyzing the security of energy systems is the safety consequences that may result from accidents. For energy systems, the goal is to ensure that they operate as intended and that any consequences are mitigated or prevented. The integration of safety and security is paramount to protecting these systems from attacks and ensuring that large consequences are prevented. This report describes an integrated safety and security methodology to evaluate cybersecurity events that can lead to large consequences. This novel approach first describes how Systems-Theoretic Process Analysis (STPA) provides a digital causal analysis for Bayesian Networks (BNs). The use of STPA causal analysis provides a systematic approach to constructing BNs that adequately model cyber scenarios that result in consequences. When combined with the technical principles described in Risk-Informed Management of Enterprise Systems (RIMES), a comprehensive risk-informed cybersecurity analysis results that allows decision-makers to prioritize systems that most impact risk.
This is a simple model designed to run fast while still preserving the key physics and feedback mechanisms of a heat pipe. First, the capillary pressure is a function of the liquid working fluid volume fraction. Second, boiling and condensation are driven by the saturation temperature, which is itself a function of the heat pipe pressure. When the pressure rises, the saturation temperature rises and the vapor condenses onto the wick. When the pressure falls, the saturation temperature falls and the liquid throughout the wick boils. This is how the heat pipe adjusts to remain robust under different temperatures and heat fluxes.
This report describes the risk-informed technical elements that will contribute to a defense-in-depth assessment for cybersecurity. Risk-informed cybersecurity must leverage the technical elements of a risk-informed approach appropriately in order to evaluate cybersecurity risk insights. HAZCADS and HAZOP+ are suitable methodologies to model the connection between digital harm and process hazards. Risk assessment modeling needs to be expanded beyond HAZCADS and HAZOP+ to consider the sequence of events that lead to plant consequences. Leveraging current practices in PRA can lead to categorization of digital assets and prioritizing digital assets commensurate with the risk. Ultimately, the culmination of cyber hazard methodologies, event sequence modeling, and digital asset categorization will facilitate a defense-in-depth assessment of cybersecurity.
Proceedings of the 2021 International Topical Meeting on Probabilistic Safety Assessment and Analysis, PSA 2021
Vital Area Identification (VAI) is an important element in securing nuclear facilities, including the range of recently proposed advanced reactors (AR). As ARs continue to develop and progress toward licensure, it will be necessary to ensure that safety analysis methods are compatible with the new reactor designs. These reactors tout inherently passive safety systems that drastically reduce the number of active components whose failures need to be considered as basic events in a Level 1 probabilistic risk assessment (PRA). Instead, ARs rely on natural processes for their safety, which may be difficult to capture through the use of fault trees (FTs), making it subsequently difficult to determine the effects of lost equipment when completing a traditional VAI analysis. Traditional VAI methodology incorporates FTs from Level 1 PRA as a substantial portion of the effort to identify candidate vital area sets. The outcome of VAI is a selected set of areas deemed vital which must be protected in order to prevent radiological sabotage. An alternative methodology is proposed to inform the VAI process and the selection of vital areas: Systems-Theoretic Process Analysis (STPA). STPA is a systems-based, top-down approach which analyzes a system as a hierarchical control structure composed of components (both those that are controlled and their controllers) and the control actions taken by, or acting upon, those components. The control structure is then analyzed based on several situational parameters, including a time component, to produce a list of scenarios which may lead to system losses. A case study is presented to demonstrate how STPA can be used to inform VAI for ARs.
Proceedings of the 2021 International Topical Meeting on Probabilistic Safety Assessment and Analysis, PSA 2021
Sodium-cooled Fast Reactors (SFRs) have an extensive operational history that can be leveraged to accelerate the licensing process for advanced reactor designs. Sandia National Laboratories has reconstituted the United States SFR data from the Centralized Reliability Data Organization (CREDO) into a new database called the Sodium System Component Reliability Database (NaSCoRD). The NaSCoRD database and others like it will help reduce parametric uncertainties encountered in probabilistic risk analysis (PRA) models for advanced non-light water reactor technologies. This paper is an extension of previous work done at Sandia National Laboratories which analyzed pump data. This paper investigates the failure rates of filters/strainers. NaSCoRD contains unique records of 147 filters/strainers that have operated in Experimental Breeder Reactor II, Fast Flux Test Facility, and test loops including those operated by both Westinghouse and the Energy Technology Engineering Center. This paper presents filter failure rates for the various conditions allowable from the CREDO data that have been recovered under NaSCoRD. The current filter reliability estimates are presented in comparison to estimates provided in historical studies. The impacts of the suggested corrections from the Idaho National Laboratory report, Generic Component Failure Data Base for Light Water and Liquid Sodium Reactor PRAs, and of various prior distributions on these reliability estimates are also presented. The paper also briefly describes potential improvements to the NaSCoRD database.
This report is a functional review of the radionuclide containment strategies of fluoride-salt-cooled high temperature reactor (FHR), molten salt reactor (MSR) and high temperature gas reactor (HTGR) systems. This analysis serves as a starting point for further, more in-depth analyses geared towards identifying phenomenological gaps that still exist and prevent the creation of a mechanistic source term for these reactor types. As background information to this review, an overview of how a mechanistic source term is created and used for the consequence assessment necessary for licensing is provided. How the mechanistic source term is used within the LMP is also provided. Third, the characteristics of non-LWR mechanistic source terms are examined. This report does not assess the viability of any software system for use with advanced reactor designs, but instead covers system function requirements. Future work within the Nuclear Energy Advanced Modeling and Simulations (NEAMS) program will address such gaps.
The U.S. Nuclear Regulatory Commission (NRC) has interacted with vendors pursuing the commercialization of micro-reactors (i.e., reactors capable of producing about 1 MW(th) to 20 MW(th) of energy from nuclear fission). It is envisioned that micro-reactors could be assembled and fueled in a factory and shipped to a site. Many of the sites are expected to be remote locations requiring off-grid power or in some cases military bases. The objective of this effort is to explore the technical issues and the approach required to reach a finding of "reasonable assurance of public health and safety" for this new and different class of reactors. The analysis performed here leverages available micro-reactor design and testing data available from national laboratory experience as well as commercial design information to explore technical issues. Some factors considered include source term, accidents that would need to be analyzed, and the extent of the probabilistic risk assessment (PRA). The technical evaluation was performed within the framework of the Licensing Modernization Project (LMP) to identify licensing basis events, classification of structures, systems and components, and defense-in-depth needed to provide regulatory certainty. With this framework and technical evaluation in mind, the scope and content of a micro-reactor licensing application is discussed.
Under the Department of Energy (DOE), Office of Nuclear Energy (NE), Gateway for Accelerated Innovation in Nuclear (GAIN), Sandia National Laboratories (SNL) was awarded DOE-NE GAIN voucher GA-19SN020107, "Risk-informed mechanistic source term calculations for a sodium fast reactor." Under this GAIN voucher, SNL supported the industry partner's development in preparation for licensing and commercialization by providing subject matter expertise on heat pipe technologies, providing computer code training and support, and performing first-of-a-kind experiments demonstrating the safety/risk impacts of heat pipe breach failures. The experiments that were performed had two primary goals: measure the peak heat fluxes that lead to heat pipe dry out and subsequent wall breach; and observe the consequences that result from catastrophic failure of a heat pipe wall. Intentional breaching of the heat pipe walls took advantage of heat pipe physics and operating limits. Large and nearly instantaneous heat fluxes were applied to the heat pipe to first cause localized dry out at the evaporator section, which then leads to melting of the heat pipe wall. The hourglass heat pipe (Test 1) experienced dry out at 112 W/cm2 and after 45 seconds, wall temperatures measured about 1,280°C and intentional failure of the heat pipe wall was achieved. The cylindrical heat pipe (Test 2) experienced dry out at 125 W/cm2 and after 65 seconds, wall temperatures exceeded 1,400°C and intentional failure of the heat pipe wall was achieved. Both experiments characterize the parameters needed to lead to heat pipe wall failure. Furthermore, the failure of the heat pipes characterizes the safety/risk impacts from the sodium-oxygen reactions that occur following the intentional failure. There were two major conclusions of these intentional failure tests: the heat pipes were able to continue operating beyond expected performance limits, and the failure behavior validated decades of operational experience.