Publications

46 Results
Skip to search filters

Using the Information Harm Triangle to Identify Risk-Informed Cybersecurity Strategies for Instrumentation and Control Systems

Nuclear Technology

Rowland, Michael T.; Maccarone, Lee M.; Clark, Andrew

The Information Harm Triangle (IHT) is a novel approach that aims to adapt intuitive engineering concepts to simplify defense in depth for instrumentation and control (I&C) systems at nuclear power plants. This approach combines digital harm, real-world harm, and unsafe control actions (UCAs) into a single graph named “Information Harm Triangle.” The IHT is based on the postulation that the consequences of cyberattacks targeting I&C systems can be expressed in terms of two orthogonal components: a component representing the magnitude of data harm (DH) (i.e., digital information harm) and a component representing physical information harm (PIH) (i.e., real-world harm, e.g., an inadvertent plant trip). The magnitude of the severity of the physical consequence is the aspect of risk that is of concern. The sum of these two components represents the total information harm. The IHT intuitively informs risk-informed cybersecurity strategies that employ independent measures that either act to prevent, reduce, or mitigate DH or PIH. Another aspect of the IHT is that the DH can result in cyber-initiated UCAs that result in severe physical consequences. The orthogonality of DH and PIH provides insights into designing effective defense in depth. Finally, the IHT can also represent cyberattacks that have the potential to impede, evade, or compromise countermeasures from taking appropriate action to reduce, stop, or mitigate the harm caused by such UCAs. Cyber-initiated UCAs transform DH to PIH.

More Details

Development of Integrated Safety and Security Models for Comprehensive Reliability and Resiliency Evaluation

Clark, Andrew; Fink, Madeleine S.

The security of the electric grid and supporting energy systems is crucial to national security. One of the complexities in analyzing the security of energy systems is the safety consequences that may result from accidents. For energy systems, the goal is to ensure that they operate as intended and that any consequences are mitigated or prevented. The integration of safety and security is paramount to protecting these systems from attacks and ensuring that large consequences are prevented. This report describes an integrated safety and security methodology to evaluate cybersecurity events that can lead to large consequences. This novel approach first describes how Systems-Theoretic Process Analysis (STPA) provides a digital causal analysis for Bayesian Networks (BNs). The use of STPA causal analysis provides a systematic approach to constructing BNs that adequately model cyber scenarios that result in consequences. When combined with the technical principles described in Risk-Informed Management of Enterprise Systems (RIMES), a comprehensive risk-informed cybersecurity analysis results that allows decision-makers to prioritize systems that most impact risk.

More Details

Simple Heat Pipe Model

Mousseau, Vincent A.; Clark, Andrew

This is a simple model designed to run fast but still maintain the key physics and feedback mechanisms of a heat pipe. First, the capillary pressure is a function of the liquid working fluid volume fraction. Second, the boiling and condensation are based on the saturation temperature that is based on the heat pipe pressure. When the pressure goes up, the saturation temperature goes up and the vapor rains on the wick. When the pressure goes down, the saturation temperature goes down and the liquid in the entire wick boils. This is how the heat pipe adjusts to stay robust under different temperatures and heat fluxes.

More Details

Safety and Security Defense-in-Depth for Nuclear Power Plants

Clark, Andrew; Rowland, Michael T.

This report describes the risk-informed technical elements that will contribute to a defense-in-depth assessment for cybersecurity. Risk-informed cybersecurity must leverage the technical elements of a risk-informed approach appropriately in order to evaluate cybersecurity risk insights. HAZCADS and HAZOP+ are suitable methodologies to model the connection between digital harm and process hazards. Risk assessment modeling needs to be expanded beyond HAZCADS and HAZOP+ to consider the sequence of events that lead to plant consequences. Leveraging current practices in PRA can lead to categorization of digital assets and prioritizing digital assets commensurate with the risk. Ultimately, the culmination of cyber hazard methodologies, event sequence modeling, and digital asset categorization will facilitate a defense-in-depth assessment of cybersecurity.

More Details

Mechanistic Source Term Considerations for Advanced Non-LWRs

Andrews, Nathan A.; Nenoff, T.M.; Luxat, David L.; Clark, Andrew; Leute, Jennifer E.

This report is a functional review of the radionuclide containment strategies of fluoride-salt-cooled high temperature reactor (FHR), molten salt reactor (IVISR) and high temperature gas reactor (HTGR) systems. This analysis serves as a starting point for further, more in-depth analyses geared towards identifying phenomenological gaps that still exist, preventing the creation of a mechanistic source term for these reactor types. As background information to this review, an overview of how a mechanistic source term is created and used for consequence assessment necessary for licensing is provided. How mechanistic source term is used within the LMP is also provided. Third, the characteristics of non-LWR mechanistic source terms are examined This report does not assess the viability of any software system for use with advanced reactor designs, but instead covers system function requirements. Future work within the Nuclear Energy Advanced Modeling and Simulations (NEAMS) program will address such gaps.

More Details

Failures and Implications of Heat Pipe Systems

Clark, Andrew

Under Department of Energy (DOE), Office of Nuclear Energy (NE), Gateway for Accelerated Innovation in Nuclear (GAIN), Sandia National Laboratories (SNL) was awarded DOE-NE GAIN voucher GA-19SN020107, "Risk-informed mechanistic source term calculations for a sodium fast reactor." Under this GAIN voucher, SNL supported the industry partners development in preparation for licensing and commercialization by providing subject matter expertise on heat pipe technologies, providing computer code training and support, and perform first-of-a-kind experiments demonstrating the safety/risk impacts of heat pipe breach failures. The experiments that were performed had two primary goals: measure the peak heat fluxes that lead to heat pipe dry out and subsequent wall breach; and observe the consequences that result from catastrophic failure of a heat pipe wall. Intentional breaching of the heat pipe walls took advantage of heat pipe physics and operating limits. Large and nearly instantaneous heat fluxes were applied to the heat pipe to first cause localized dry out at the evaporator section which then leads to melting of the heat pipe wall. The hour glass heat pipe (Test 1) experienced dry out at 112 W/cm 2 and after 45 seconds, wall temperatures measure about 1,280degC and intentional failure of the heat pipe wall was achieved. The cylindrical heat pipe (Test 2) experienced dry out at 125 W/cm 2 and after 65 seconds, wall temperatures exceeded 1,400degC and intentional failure of the heat pipe wall was achieved. Both experiments characterize the parameters needed to lead to heat pipe wall failure. Furthermore, the failure of the heat pipes characterizes the safety/risk impacts from sodium-oxygen reactions that occur following the intentional failure. There were two major conclusions of these intentional failure tests: the heat pipes were able to continue operating beyond expected performance limits, and the failure behavior validated decades of operational experience. ii ACKNOWLEDGEMENTS First and foremost, many thanks to Daniel Ray (SNL, Dept. 8823) for the design and construction of the heat pipes, sodium fill operations, test apparatus, and many other experimental troubleshooting issues that arose over the course of this project. These experiments would not have been possible without the valuable efforts of Daniel. Second, thanks to Josh Christian and Benson Tso (both SNL, Dept. 8823) for the consultations and operation of the solar furnace. Third, thanks to Byron Demothenous and Anthony Tanbakuchi (both SNL, Dept. 1535) for the photometric setup. Also, thanks to Julius Yellowhair (SNL, Dept. 8823) for the processing, clipping, and presentation of the videos collected for these experiments. Fourth, thank you to current and separated SNL staff members that supported this project every step of the way. This includes Chuck Andraka, Matthew Denman, and Zachary Jankovsky. Additionally, thank you to the reviewers of this report. Last, and certainly not least, SNL would like to thank the DOE-NE GAIN for the support of this work under work-package GA-1951\1020107. Simply put, none of this work would be possible without their support. iii

More Details

SNL/JAEA Collaborations on Sodium Fire Benchmarking

Clark, Andrew; Denman, Matthew R.; Takata, Takashi T.; Ohshima, Hiroyuki O.

Two sodium spray fire experiments performed by Sandia National Laboratories (SNL) were used for a code - to - code comparison between CONTAIN - LMR and SPHINCS. Both computer codes are used for modeling sodium accidents in sodium fast reactors. The comparison between the two codes provides insights into the ability of both codes to model sodium spray fires. The SNL T3 and T4 experiments are 20 kg sodium spray fires with sodium spray temperature s of 200 deg C and 500 deg C, respe ctively. Given the relatively low sodium temperature in the SNL T3 experiment, the sodium spray experienced a period of non - combustion. The vessel in the SNL T4 experiment experienced a rapid pressurization that caused of the instrumentation ports to fail during the sodium spray. Despite these unforeseen difficulties, both codes were shown in good agreement with the experiment s . The subsequent pool fire that develops from the unburned sodium spray is a significant characteristic of the T3 experiment. SPHIN CS showed better long - term agreement with the SNL T3 experiment than CONTAIN - LMR. The unexpected port failure during the SNL T4 experiment presented modelling challenges. The time at which the port failure occurred is unknown, but is believed to have occur red at about 11 seconds into the sodium spray fire. The sensitivity analysis for the SNL T4 experiment shows that with a port failure, the sodium spray fire can still maintain elevated pressures during the spray.

More Details

xLPR Scenario Analysis Report

Eckert, Aubrey C.; Lewis, John R.; Brooks, Dusty M.; Martin, Nevin S.; Hund, Lauren H.; Clark, Andrew; Mariner, Paul M.

This report describes the methods, results, and conclusions of the analysis of 11 scenarios defined to exercise various options available in the xLPR (Extremely Low Probability of Rupture) Version 2 .0 code. The scope of the scenario analysis is three - fold: (i) exercise the various options and components comprising xLPR v2.0 and defining each scenario; (ii) develop and exercise methods for analyzing and interpreting xLPR v2.0 outputs ; and (iii) exercise the various sampling options available in xLPR v2.0. The simulation workflow template developed during the course of this effort helps to form a basis for the application of the xLPR code to problems with similar inputs and probabilistic requirements and address in a systematic manner the three points covered by the scope.

More Details

Field test to evaluate deep borehole disposal

Radwaste Solutions

Hardin, Ernest H.; Brady, Patrick V.; Clark, Andrew; Cochran, John R.; Freeze, Geoff; Kuhlman, Kristopher L.; MacKinnon, Bob; Sassani, David C.; Su, Jiann-Cherng S.

Sandia National Laboratories has begun research on the potential use of deep boreholes for the dis¬posal of radioactive waste. Characterization activities will focus on measurements and samples that are important for evaluating the long-term iso¬lation capability of the deep borehole disposal (DBD) concept. Engineering demonstration activities will focus on providing data to evaluate the concept’s operational safety and practicality. Procurement of a scientifically acceptable deep borehole field test (DBFT) site and a site management contractor is now under way.

More Details

HyRAM V1.0 User Guide

Zumwalt, Hannah R.; Clark, Andrew; Groth, Katrina G.

Hydrogen Risk Assessment Models (HyRAM) is a prototype software toolkit that integrates data and methods relevant to assessing the safety of hydrogen fueling and storage infrastructure. The HyRAM toolkit integrates deterministic and probabilistic models for quantifying accident scenarios, predicting physical effects, and characterizing the impact of hydrogen hazards, including thermal effects from jet fires and thermal pressure effects from deflagration. HyRAM version 1.0 incorporates generic probabilities for equipment failures for nine types of components, and probabilistic models for the impact of heat flux on humans and structures, with computationally and experimentally validated models of various aspects of gaseous hydrogen release and flame physics. This document provides an example of how to use HyRAM to conduct analysis of a fueling facility. This document will guide users through the software and how to enter and edit certain inputs that are specific to the user-defined facility. Description of the methodology and models contained in HyRAM is provided in [1]. This User’s Guide is intended to capture the main features of HyRAM version 1.0 (any HyRAM version numbered as 1.0.X.XXX). This user guide was created with HyRAM 1.0.1.798. Due to ongoing software development activities, newer versions of HyRAM may have differences from this guide.

More Details
46 Results
46 Results