Safety-focused risk analysis and assessment approaches struggle to adequately include malicious, deliberate acts against the nuclear power industry's fissile and waste material, infrastructure, and facilities. Further, existing methods do not adequately address non-proliferation issues. Treating safety, security, and safeguards concerns independently is inefficient because, at best, it may not take explicit advantage of measures that provide benefits against multiple risk domains, and, at worst, it may lead to implementations that increase overall risk due to incompatibilities. What is needed is an integrated safety, security and safeguards risk (or "3SR") framework for describing and assessing nuclear power risks that can enable direct trade-offs and interactions in order to inform risk management processes — a potential paradigm shift in risk analysis and management. These proceedings of the Sandia ePRA Workshop (held August 22-23, 2017) are an attempt to begin the discussions and deliberations to extend and augment safety-focused risk assessment approaches to include security concerns and begin moving towards a 3S Risk approach. Safeguards concerns were not included in this initial workshop and are left to future efforts.
Instrumentation and control of nuclear power is transforming from analog to modern digital assets. These control systems perform key safety and security functions. This transformation is occurring in new plant designs as well as in the existing fleet of plants as the operation of those plants is extended to 60 years. This transformation introduces new and unknown issues involving both digital-asset-induced safety issues and security issues. Traditional nuclear power risk assessment tools and cyber security assessment methods have not been modified or developed to address the unique nature of cyber failure modes and of cyber security threat vulnerabilities. This Lab-Directed Research and Development project has developed a dynamic cyber-risk-informed tool to facilitate the analysis of unique cyber failure modes and the time sequencing of cyber faults, both malicious and non-malicious, and to impose those cyber exploits and cyber faults onto a nuclear power plant accident sequence simulator code to assess how cyber exploits and cyber faults could interact with a plant's digital instrumentation and control (DI&C) system and defeat or circumvent a plant's cyber security controls. This was achieved by coupling an existing Sandia National Laboratories nuclear accident dynamic simulator code with a cyber emulytics code to demonstrate real-time simulation of cyber exploits and their impact on automatic DI&C responses. Studying such potential time-sequenced cyber-attacks and their risks (i.e., the associated impact and the associated degree of difficulty to achieve the attack vector) on accident management establishes a technical, risk-informed framework for developing effective cyber security controls for nuclear power.
Nuclear power plants are increasingly adding digital components for plant operation, safety, and security. These digital components fill a gap with legacy equipment where replacement components no longer exist. They also benefit operation of the plant by increasing efficiency in power generation, monitoring of equipment and plant parameters, as well as aiding operator control. However, the addition of digital components and systems also adds cyber risks: previously unanalyzed failure modes and attack vectors are introduced with these new systems. These risks are difficult to identify, analyze, and mitigate due to the increasingly complex nature of the digital components and the integration of these components with additional plant processes and communication networks. The research presented in this paper develops a new method that addresses the cyber risk to inform appropriate levels of protection. EPRI and Sandia are working under a Cooperative Research and Development Agreement to develop an effective method of evaluating the cyber risk in production nuclear power facilities. The Cyber Hazards Analysis Risk Methodology (CHARM) focuses on ensuring adequate controls are in place for appropriate cyber protection of the plant from radiological release or generation risk. Existing plant hazards analyses (e.g., PRA, FTA) do not account for software deficiencies or adversarial intent. This method leverages existing plant analyses and MIT's Systems Theoretic Process Analysis (STPA) to create cyber-informed fault trees. These new fault trees will provide the basis for comprehensive cyber risk analysis and help ensure potential gaps in cyber security controls are identified and corrected.
Accident management is an important component to maintaining risk at acceptable levels for all complex systems, such as nuclear power plants. With the introduction of passive, or inherently safe, reactor designs the focus has shifted from management by operators to allowing the system's design to take advantage of natural phenomena to manage the accident. Inherently and passively safe designs are laudable, but nonetheless extreme boundary conditions can interfere with the design attributes which facilitate inherent safety, thus resulting in unanticipated and undesirable end states. This report examines an inherently safe and small sodium fast reactor experiencing a variety of beyond design basis events with the intent of exploring the utility of a Dynamic Bayesian Network to infer the state of the reactor to inform the operator's corrective actions. These inferences also serve to identify the instruments most critical to informing an operator's actions as candidates for hardening against radiation and other extreme environmental conditions that may exist in an accident. This reduction in uncertainty serves to inform ongoing discussions of how small sodium reactors would be licensed and may serve to reduce regulatory risk and cost for such reactors.
Disposal overpacks are proposed as an element of the engineered barrier system for direct disposal of spent nuclear fuel in dual-purpose canisters (DPCs). DPCs are currently licensed for storage and transport, but not disposal. In the DPC disposal system, overpacks would provide long-term containment, and conversely, they would keep groundwater from flooding DPCs. Without flooding, DPCs can never achieve nuclear criticality because they are under-moderated.
Accident management is an important component to maintaining risk at acceptable levels for all complex systems, such as nuclear power plants. With the introduction of self-correcting, or inherently safe, reactor designs the focus has shifted from management by operators to allowing the system's design to manage the accident. Inherently and passively safe designs are laudable, but nonetheless extreme boundary conditions can interfere with the design attributes which facilitate inherent safety, thus resulting in unanticipated and undesirable end states. This report examines an inherently safe and small sodium fast reactor experiencing a beyond design basis seismic event with the intent of exploring two issues: (1) can human intervention either improve or worsen the potential end states and (2) can a Bayesian Network be constructed to infer the state of the reactor to inform.
Accident management is an important component to maintaining risk at acceptable levels for all complex systems, such as nuclear power plants. With the introduction of self-correcting, or inherently safe, reactor designs the focus has shifted from management by operators to allowing the system's design to manage the accident. While inherently and passively safe designs are laudable, extreme boundary conditions can interfere with the design attributes which facilitate inherent safety, thus resulting in unanticipated and undesirable end states. This report examines an inherently safe and small sodium fast reactor experiencing a beyond design basis seismic event with the intent of exploring two issues: (1) can human intervention either improve or worsen the potential end states and (2) can a Bayesian Network be constructed to infer the state of the reactor to inform (1).

ACKNOWLEDGEMENTS: The authors would like to acknowledge the U.S. Department of Energy's Office of Nuclear Energy for funding this research through Work Package SR-14SN100303 under the Advanced Reactor Concepts program. The authors also acknowledge the PRA teams at Argonne National Laboratory, Oak Ridge National Laboratory, and Idaho National Laboratory for their continued contributions to the advanced reactor PRA mission area.
United States nuclear power plant Licensee Event Reports (LERs), submitted to the United States Nuclear Regulatory Commission (NRC) as required by law under 10 CFR 50.72 and 50.73, were evaluated for relevance to the United Kingdom's Health and Safety Executive – Office for Nuclear Regulation's (ONR) general design assessment of the Advanced Boiling Water Reactor (ABWR) design. An NRC compendium of LERs, compiled by Idaho National Laboratory over the time period January 1, 2000 through March 31, 2014, was sorted by BWR safety system and divided into two categories: those events leading to a SCRAM, and those events which constituted a safety system failure. The LERs were then evaluated as to the relevance of the operational experience to the ABWR design.
Developing a big-picture understanding of a severe accident is extremely challenging. Operating crews and emergency response teams are faced with rapidly evolving circumstances, uncertain information, distributed expertise, and a large number of conflicting goals and priorities. Severe accident management guidance (SAMGs) provides support for collecting information and assessing the state of a nuclear power plant during severe accidents. However, SAMG developers cannot anticipate every possible accident scenario. Advanced Probabilistic Risk Assessment (PRA) methods can be used to explore an extensive space of possible accident sequences and consequences. Using this advanced PRA to develop a decision support system can provide expanded support for diagnosis and response. In this paper, we present an approach that uses dynamic PRA to develop risk-informed "Smart SAMGs". Bayesian Networks form the basis of the faster-than-real-time decision support system. The approach leverages best-available information from plant physics simulation codes (e.g., MELCOR). Discrete Dynamic Event Trees (DDETs) are used to provide comprehensive coverage of the potential accident scenario space. This paper presents a methodology to develop Smart procedures and provides an example model created for diagnosing the status of the ECCS valves in a generic iPWR design.
The current wave of small modular reactor (SMR) designs all have the goal of reducing the cost of management and operations. By optimizing the system, the goal is to make these power plants safer, cheaper to operate and maintain, and more secure. In particular, the reduction in plant staffing can result in significant cost savings. The introduction of advanced reactor designs and increased use of advanced automation technologies in existing nuclear power plants will likely change the roles, responsibilities, composition, and size of the crews required to control plant operations. Similarly, certain security staffing requirements for traditional operational nuclear power plants may not be appropriate or necessary for SMRs due to the simpler, safer and more automated design characteristics of SMRs. As a first step in a process to identify where regulatory requirements may be met with reduced staffing and therefore lower cost, this report identifies the regulatory requirements and associated guidance utilized in the licensing of existing reactors. The potential applicability of these regulations to advanced SMR designs is identified taking into account the unique features of these types of reactors.
Uncertainty distributions for specific parameters of the Cassini General Purpose Heat Source Radioisotope Thermoelectric Generator (GPHS-RTG) Final Safety Analysis Report consequence risk analysis were revised and updated. The revisions and updates were done for all consequence parameters for which relevant information exists from the joint project on Probabilistic Accident Consequence Uncertainty Analysis by the United States Nuclear Regulatory Commission and the Commission of European Communities.
A multi-attribute utility analysis is applied to a decision process to select a treatment method for the management of aluminum-based spent nuclear fuel (Al-SNF) owned by the US Department of Energy (DOE). DOE will receive, treat, and temporarily store Al-SNF, most of which is composed of highly enriched uranium, at its Savannah River Site in South Carolina. DOE intends ultimately to send the treated Al-SNF to a geologic repository for permanent disposal. DOE initially considered ten treatment alternatives for the management of Al-SNF, and has narrowed the choice to two of these: the direct disposal and melt and dilute alternatives. The decision analysis presented in this document focuses on a formal decision process used to evaluate these two remaining alternatives.
The Department of Energy (DOE) proposes to construct and operate the National Ignition Facility (NIF) in support of the Stockpile Stewardship and Management (SSM) Programmatic Environmental Impact Statement (PEIS). The National Environmental Policy Act requires the DOE to look at alternative sites for the NIF. The SSM PEIS will evaluate four alternative locations for the NIF. This study documents the process and results of a site selection study for a preferred site for the NIF at SNL/NM. The NIF research objectives are to provide the world's most powerful laser systems to be used in ignition of fusion fuel and energy gain to perform high energy density and radiation effects experiments in support of the DOE's national security, energy, and basic science research mission. The most immediate application of the NIF will be to provide nuclear-weapon-related physics data, since many phenomena occurring on the laboratory scale are similar to those that occur in weapons. The NIF may also provide an important capability for weapons effects simulation. The NIF is designed to achieve propagating fusion burn and modest energy gain for development as a source of civilian energy.
The potential radiological and nonradiological risks associated with specific radioactive waste shipping campaigns at the Hanford Site are estimated. The shipping campaigns analyzed are associated with the transportation of wastes from the N-Reactor site to the 200-W Area, both within the Hanford Reservation, for disposal. The analysis is based on waste that would be generated from the N-Reactor stabilization program.
The objective of this review is to evaluate the South Texas Project (STP) Probabilistic Safety Analysis (PSA) for the USNRC. The PSA was reviewed for thoroughness of analysis, accuracy in plant modeling, legitimacy of assumptions, and overall quality of the work. The review is limited to the internal event analysis and the fire sequence analysis. This review is not a quantitative evaluation of the adequacy of the PSA. The adequacy of the PSA depends on the intended uses and must be addressed on a case-by-case basis by the licensee and the NRC. This review identifies strengths, weaknesses, and areas where additional clarification would assist the NRC in evaluating the PSA for specific regulatory purposes. The licensee, Houston Lighting and Power (HL&P), reviewed a draft version of this report prior to its final release to the USNRC. The responses provided by HL&P are provided in detail in appendices to this report, and they are summarized in the main body of the report. All issues raised during the review were adequately addressed by HL&P in the responses. 27 refs., 4 tabs.