Publications

Results 1–25 of 38

A 3S Risk (3SR) Assessment Approach for Nuclear Power: Safety, Security and Safeguards

Forrest, Robert F.; Reinhardt, Jason C.; Wheeler, Timothy A.; Williams, Adam D.

Safety-focused risk analysis and assessment approaches struggle to adequately include malicious, deliberate acts against the nuclear power industry's fissile and waste material, infrastructure, and facilities. Further, existing methods do not adequately address non-proliferation issues. Treating safety, security, and safeguards concerns independently is inefficient because, at best, it may not take explicit advantage of measures that provide benefits against multiple risk domains, and, at worst, it may lead to implementations that increase overall risk due to incompatibilities. What is needed is an integrated safety, security and safeguards risk (or "3SR") framework for describing and assessing nuclear power risks that can enable direct trade-offs and interactions in order to inform risk management processes -- a potential paradigm shift in risk analysis and management. These proceedings of the Sandia ePRA Workshop (held August 22-23, 2017) are an attempt to begin the discussions and deliberations to extend and augment safety-focused risk assessment approaches to include security concerns and begin moving towards a 3S Risk approach. Safeguards concerns were not included in this initial workshop and are left to future efforts. This workshop focused on four themes in order to begin building out the safety and security portions of the 3S Risk toolkit:
1. Historical Approaches and Tools
2. Current Challenges
3. Modern Approaches
4. Paths Forward and Next Steps
This report is organized along the four areas described above, and concludes with a summary of key points.

Contact: rforres@sandia.gov; +1 (925) 294-2728


Nuclear Power Plant Cyber Security Discrete Dynamic Event Tree Analysis (LDRD 17-0958) FY17 Report

Wheeler, Timothy A.; Denman, Matthew R.; Williams, R.A.; Martin, Nevin S.; Jankovsky, Zachary

Instrumentation and control of nuclear power is transforming from analog to modern digital assets. These control systems perform key safety and security functions. This transformation is occurring in new plant designs as well as in the existing fleet of plants as the operation of those plants is extended to 60 years. This transformation introduces new and unknown issues involving both digital-asset-induced safety issues and security issues. Traditional nuclear power risk assessment tools and cyber security assessment methods have not been modified or developed to address the unique nature of cyber failure modes and of cyber security threat vulnerabilities. This Lab-Directed Research and Development project has developed a dynamic cyber-risk-informed tool to facilitate the analysis of unique cyber failure modes and the time sequencing of cyber faults, both malicious and non-malicious, and impose those cyber exploits and cyber faults onto a nuclear power plant accident sequence simulator code to assess how cyber exploits and cyber faults could interact with a plant's digital instrumentation and control (DI&C) system and defeat or circumvent a plant's cyber security controls. This was achieved by coupling an existing Sandia National Laboratories nuclear accident dynamic simulator code with a cyber emulytics code to demonstrate real-time simulation of cyber exploits and their impact on automatic DI&C responses. Studying such potential time-sequenced cyber-attacks and their risks (i.e., the associated impact and the associated degree of difficulty to achieve the attack vector) on accident management establishes a technical, risk-informed framework for developing effective cyber security controls for nuclear power.


Risk informed cyber security for nuclear power plants

10th International Topical Meeting on Nuclear Plant Instrumentation, Control, and Human-Machine Interface Technologies, NPIC and HMIT 2017

Turner, Phillip L.; Wheeler, Timothy A.; Gibson, Matt

Nuclear power plants are increasingly adding digital components for plant operation, safety, and security. These digital components fill a gap with legacy equipment where replacement components no longer exist. They also benefit operation of the plant by increasing efficiency in power generation, monitoring of equipment and plant parameters, as well as aiding operator control. However, the addition of digital components and systems also adds cyber risks, as previously unanalyzed failure modes and attack vectors are introduced with these new systems. These risks are difficult to identify, analyze, and mitigate due to the increasingly complex nature of the digital components and the integration of these components with additional plant processes and communication networks. The research presented in this paper develops a new method that addresses the cyber risk to inform appropriate levels of protection. EPRI and Sandia are working under a Cooperative Research and Development Agreement to develop an effective method of evaluating the cyber risk in production nuclear power facilities. The Cyber Hazards Analysis Risk Methodology (CHARM) focuses on ensuring adequate controls are in place for appropriate cyber protection of the plant from radiological release or generation risk. Existing plant hazards analyses (e.g., PRA, FTA) do not account for software deficiencies or adversarial intent. This method leverages existing plant analyses and MIT's Systems Theoretic Process Analysis (STPA) to create cyber-informed fault trees. These new fault trees will provide the basis for comprehensive cyber risk analysis and help ensure potential gaps in cyber security controls are identified and corrected.


Interim Status Report for Risk Management for SFRs

Jankovsky, Zachary; Denman, Matthew R.; Groth, Katrina G.; Wheeler, Timothy A.

Accident management is an important component to maintaining risk at acceptable levels for all complex systems, such as nuclear power plants. With the introduction of passive, or inherently safe, reactor designs the focus has shifted from management by operators to allowing the system's design to take advantage of natural phenomena to manage the accident. Inherently and passively safe designs are laudable, but nonetheless extreme boundary conditions can interfere with the design attributes which facilitate inherent safety, thus resulting in unanticipated and undesirable end states. This report examines an inherently safe and small sodium fast reactor experiencing a variety of beyond design basis events with the intent of exploring the utility of a Dynamic Bayesian Network to infer the state of the reactor to inform the operator's corrective actions. These inferences also serve to identify the instruments most critical to informing an operator's actions as candidates for hardening against radiation and other extreme environmental conditions that may exist in an accident. This reduction in uncertainty serves to inform ongoing discussions of how small sodium reactors would be licensed and may serve to reduce regulatory risk and cost for such reactors.


Risk Management for Sodium Fast Reactors

Denman, Matthew R.; Groth, Katrina G.; Cardoni, Jeffrey N.; Wheeler, Timothy A.

Accident management is an important component to maintaining risk at acceptable levels for all complex systems, such as nuclear power plants. With the introduction of self-correcting, or inherently safe, reactor designs the focus has shifted from management by operators to allowing the system's design to manage the accident. While inherently and passively safe designs are laudable, extreme boundary conditions can interfere with the design attributes which facilitate inherent safety, thus resulting in unanticipated and undesirable end states. This report examines an inherently safe and small sodium fast reactor experiencing a beyond design basis seismic event with the intent of exploring two issues: (1) can human intervention either improve or worsen the potential end states, and (2) can a Bayesian Network be constructed to infer the state of the reactor to inform (1).

Acknowledgements: The authors would like to acknowledge the U.S. Department of Energy's Office of Nuclear Energy for funding this research through Work Package SR-14SN100303 under the Advanced Reactor Concepts program. The authors also acknowledge the PRA teams at Argonne National Laboratory, Oak Ridge National Laboratory, and Idaho National Laboratory for their continued contributions to the advanced reactor PRA mission area.


A Compilation of Boiling Water Reactor Operational Experience for the United Kingdom's Office for Nuclear Regulation's Advanced Boiling Water Reactor Generic Design Assessment

Wheeler, Timothy A.; Liao, Huafei L.

United States nuclear power plant Licensee Event Reports (LERs), submitted to the United States Nuclear Regulatory Commission (NRC) under law as required by 10 CFR 50.72 and 50.73, were evaluated for relevance to the United Kingdom's Health and Safety Executive – Office for Nuclear Regulation's (ONR) generic design assessment of the Advanced Boiling Water Reactor (ABWR) design. An NRC compendium of LERs, compiled by Idaho National Laboratory over the time period January 1, 2000 through March 31, 2014, was sorted by BWR safety system and into two categories: those events leading to a SCRAM, and those events which constituted a safety system failure. The LERs were then evaluated as to the relevance of the operational experience to the ABWR design.
