The Information Harm Triangle (IHT) is a novel approach that aims to adapt intuitive engineering concepts to simplify defense in depth for instrumentation and control (I&C) systems at nuclear power plants. This approach combines digital harm, real-world harm, and unsafe control actions (UCAs) into a single graph named “Information Harm Triangle.” The IHT is based on the postulation that the consequences of cyberattacks targeting I&C systems can be expressed in terms of two orthogonal components: a component representing the magnitude of data harm (DH) (i.e., digital information harm) and a component representing physical information harm (PIH) (i.e., real-world harm, e.g., an inadvertent plant trip). The magnitude of the severity of the physical consequence is the aspect of risk that is of concern. The sum of these two components represents the total information harm. The IHT intuitively informs risk-informed cybersecurity strategies that employ independent measures that either act to prevent, reduce, or mitigate DH or PIH. Another aspect of the IHT is that the DH can result in cyber-initiated UCAs that result in severe physical consequences. The orthogonality of DH and PIH provides insights into designing effective defense in depth. Finally, the IHT can also represent cyberattacks that have the potential to impede, evade, or compromise countermeasures from taking appropriate action to reduce, stop, or mitigate the harm caused by such UCAs. Cyber-initiated UCAs transform DH to PIH.
The security of the electric grid and supporting energy systems is crucial to national security. One of the complexities in analyzing the security of energy systems is the safety consequences that may result from accidents. For energy systems, the goal is to ensure that they operate as intended and that any consequences are mitigated or prevented. The integration of safety and security is paramount to protecting these systems from attacks and ensuring that large consequences are prevented. This report describes an integrated safety and security methodology to evaluate cybersecurity events that can lead to large consequences. This novel approach first describes how Systems-Theoretic Process Analysis (STPA) provides a digital causal analysis for Bayesian Networks (BNs). The use of STPA causal analysis provides a systematic approach to constructing BNs that adequately model cyber scenarios that result in consequences. When combined with the technical principles described in Risk-Informed Management of Enterprise Systems (RIMES), a comprehensive risk-informed cybersecurity analysis results that allows decision-makers to prioritize systems that most impact risk.
This is a simple model designed to run fast but still maintain the key physics and feedback mechanisms of a heat pipe. First, the capillary pressure is a function of the liquid working fluid volume fraction. Second, the boiling and condensation are based on the saturation temperature that is based on the heat pipe pressure. When the pressure goes up, the saturation temperature goes up and the vapor rains on the wick. When the pressure goes down, the saturation temperature goes down and the liquid in the entire wick boils. This is how the heat pipe adjusts to stay robust under different temperatures and heat fluxes.
This report describes the risk-informed technical elements that will contribute to a defense-in-depth assessment for cybersecurity. Risk-informed cybersecurity must leverage the technical elements of a risk-informed approach appropriately in order to evaluate cybersecurity risk insights. HAZCADS and HAZOP+ are suitable methodologies to model the connection between digital harm and process hazards. Risk assessment modeling needs to be expanded beyond HAZCADS and HAZOP+ to consider the sequence of events that lead to plant consequences. Leveraging current practices in PRA can lead to categorization of digital assets and prioritizing digital assets commensurate with the risk. Ultimately, the culmination of cyber hazard methodologies, event sequence modeling, and digital asset categorization will facilitate a defense-in-depth assessment of cybersecurity.
This report is a functional review of the radionuclide containment strategies of fluoride-salt-cooled high temperature reactor (FHR), molten salt reactor (IVISR) and high temperature gas reactor (HTGR) systems. This analysis serves as a starting point for further, more in-depth analyses geared towards identifying phenomenological gaps that still exist, preventing the creation of a mechanistic source term for these reactor types. As background information to this review, an overview of how a mechanistic source term is created and used for consequence assessment necessary for licensing is provided. How mechanistic source term is used within the LMP is also provided. Third, the characteristics of non-LWR mechanistic source terms are examined This report does not assess the viability of any software system for use with advanced reactor designs, but instead covers system function requirements. Future work within the Nuclear Energy Advanced Modeling and Simulations (NEAMS) program will address such gaps.
Under Department of Energy (DOE), Office of Nuclear Energy (NE), Gateway for Accelerated Innovation in Nuclear (GAIN), Sandia National Laboratories (SNL) was awarded DOE-NE GAIN voucher GA-19SN020107, "Risk-informed mechanistic source term calculations for a sodium fast reactor." Under this GAIN voucher, SNL supported the industry partners development in preparation for licensing and commercialization by providing subject matter expertise on heat pipe technologies, providing computer code training and support, and perform first-of-a-kind experiments demonstrating the safety/risk impacts of heat pipe breach failures. The experiments that were performed had two primary goals: measure the peak heat fluxes that lead to heat pipe dry out and subsequent wall breach; and observe the consequences that result from catastrophic failure of a heat pipe wall. Intentional breaching of the heat pipe walls took advantage of heat pipe physics and operating limits. Large and nearly instantaneous heat fluxes were applied to the heat pipe to first cause localized dry out at the evaporator section which then leads to melting of the heat pipe wall. The hour glass heat pipe (Test 1) experienced dry out at 112 W/cm 2 and after 45 seconds, wall temperatures measure about 1,280degC and intentional failure of the heat pipe wall was achieved. The cylindrical heat pipe (Test 2) experienced dry out at 125 W/cm 2 and after 65 seconds, wall temperatures exceeded 1,400degC and intentional failure of the heat pipe wall was achieved. Both experiments characterize the parameters needed to lead to heat pipe wall failure. Furthermore, the failure of the heat pipes characterizes the safety/risk impacts from sodium-oxygen reactions that occur following the intentional failure. There were two major conclusions of these intentional failure tests: the heat pipes were able to continue operating beyond expected performance limits, and the failure behavior validated decades of operational experience. ii ACKNOWLEDGEMENTS First and foremost, many thanks to Daniel Ray (SNL, Dept. 8823) for the design and construction of the heat pipes, sodium fill operations, test apparatus, and many other experimental troubleshooting issues that arose over the course of this project. These experiments would not have been possible without the valuable efforts of Daniel. Second, thanks to Josh Christian and Benson Tso (both SNL, Dept. 8823) for the consultations and operation of the solar furnace. Third, thanks to Byron Demothenous and Anthony Tanbakuchi (both SNL, Dept. 1535) for the photometric setup. Also, thanks to Julius Yellowhair (SNL, Dept. 8823) for the processing, clipping, and presentation of the videos collected for these experiments. Fourth, thank you to current and separated SNL staff members that supported this project every step of the way. This includes Chuck Andraka, Matthew Denman, and Zachary Jankovsky. Additionally, thank you to the reviewers of this report. Last, and certainly not least, SNL would like to thank the DOE-NE GAIN for the support of this work under work-package GA-1951\1020107. Simply put, none of this work would be possible without their support. iii
Two sodium spray fire experiments performed by Sandia National Laboratories (SNL) were used for a code - to - code comparison between CONTAIN - LMR and SPHINCS. Both computer codes are used for modeling sodium accidents in sodium fast reactors. The comparison between the two codes provides insights into the ability of both codes to model sodium spray fires. The SNL T3 and T4 experiments are 20 kg sodium spray fires with sodium spray temperature s of 200 deg C and 500 deg C, respe ctively. Given the relatively low sodium temperature in the SNL T3 experiment, the sodium spray experienced a period of non - combustion. The vessel in the SNL T4 experiment experienced a rapid pressurization that caused of the instrumentation ports to fail during the sodium spray. Despite these unforeseen difficulties, both codes were shown in good agreement with the experiment s . The subsequent pool fire that develops from the unburned sodium spray is a significant characteristic of the T3 experiment. SPHIN CS showed better long - term agreement with the SNL T3 experiment than CONTAIN - LMR. The unexpected port failure during the SNL T4 experiment presented modelling challenges. The time at which the port failure occurred is unknown, but is believed to have occur red at about 11 seconds into the sodium spray fire. The sensitivity analysis for the SNL T4 experiment shows that with a port failure, the sodium spray fire can still maintain elevated pressures during the spray.