One-way transforms have been used in weapon systems processors since the mid- to late-1970s in order to help recognize insertion of correct pre-arm information while maintaining abnormal-environment safety. Level-One, Level-Two, and Level-Three transforms have been designed. The Level-One and Level-Two transforms have been implemented in weapon systems, and both of these transforms are equivalent to matrix multiplication applied to the inserted information. The Level-Two transform, utilizing a 6 x 6 matrix, provided the basis for the ''System 2'' interface definition for Unique-Signal digital communication between aircraft and attached weapons. The investigation described in this report was carried out to find out if there were other size matrices that would be equivalent to the 6 x 6 Level-Two matrix. One reason for the investigation was to find out whether or not other dimensions were possible, and if so, to derive implementation options. Another important reason was to more fully explore the potential for inadvertent inversion. The results were that additional implementation methods were discovered, but no inversion weaknesses were revealed.
The Unique Signal is a key constituent of Enhanced Nuclear Detonation Safety (ENDS). Although the Unique Signal approach is well prescribed and mathematically assured, there are numerous unsolved mathematical problems that could help assess the risk of deviations from the ideal approach. Some of the mathematics-based results shown in this report are: 1. The risk that two patterns with poor characteristics (easily generated by inadvertent processes) could be combined through exclusive-or mixing to generate an actual Unique Signal pattern has been investigated and found to be minimal (not significant when compared to the incompatibility metric of actual Unique Signal patterns used in nuclear weapons). 2. The risk of generating actual Unique Signal patterns with linear feedback shift registers is minimal, but the patterns in use are not as invulnerable to inadvertent generation by dependent processes as previously thought. 3. New methods of testing pair-wise incompatibility threats have resulted in no significant problems found for the set of Unique Signal patterns currently used. Any new patterns introduced would have to be carefully assessed for compatibility with existing patterns, since some new patterns under consideration were found to be deficient when associated with other patterns in use. 4. Markov models were shown to correspond to some of the engineered properties of Unique Signal sequences. This gives new support for the original design objectives. 5. Potential dependence among events (caused by a variety of communication protocols) has been studied. New evidence has been derived of the risk associated with combined communication of multiple events, and of the improvement in abnormal-environment safety that can be achieved through separate-event communication.
Conventional systems surety analysis is basically restricted to measurable or physical-model-derived data. However, most analyses, including high-consequence system surety analysis, must also utilize subjective information. In order to address this need, there has been considerable effort on analytically incorporating engineering judgment. For example, Dempster-Shafer theory establishes a framework in which frequentist probability and Bayesian incorporation of new data are subsets. Although Bayesian and Dempster-Shafer methodology both allow judgment, neither derives results that can indicate the relative amounts of subjective judgment and measurable data in the results. The methodology described in this report addresses these problems through a hybrid-mathematics-based process that allows tracking of the degree of subjective information in the output, thereby providing more informative (as well as more appropriate) results. In addition, most high consequence systems offer difficult-to-analyze situations. For example, in the Sandia National Laboratories nuclear weapons program, the probability that a weapon responds safely when exposed to an abnormal environment (e.g., lightning, crush, metal-melting temperatures) must be assured to meet a specific requirement. There are also non-probabilistic DOE and DoD requirements (e.g., for determining the adequacy of positive measures). The type of processing required for these and similar situations transcends conventional probabilistic and human factors methodology. The results described herein address these situations by efficiently utilizing subjective and objective information in a hybrid mathematical structure in order to directly apply to the surety assessment of high consequence systems. The results can also improve the quality of the information currently provided to decision-makers. To this end, objective inputs are processed in a conventional manner; while subjective inputs are derived from the combined engineering judgment of experts in the appropriate disciplines. In addition to providing output constituents (including portrayal of uncertainty) corresponding to combination of these input types, their individual contributions to the resultant uncertainty are determined and provided as part of the output information. Finally, the safety assessment is complemented by a latent effects analysis, facilitated by soft-aggregation accumulation of observed operational constituents.
The methodology in this report addresses the safety effects of organizational and operational factors that can be measured through ''inspection.'' The investigation grew out of a preponderance of evidence that the safety ''culture'' (attitude of employees and management toward safety) was frequently one of the major root causes behind accidents or safety-relevant failures. The approach is called ''Markov latent effects'' analysis. Since safety also depends on a multitude of factors that are best measured through well known risk analysis methods (e.g., fault trees, event trees, FMECA, physical response modeling, etc.), the Markov latent effects approach supplements conventional safety assessment and decision analysis methods. A top-down mathematical approach is developed for decomposing systems, for determining the most appropriate items to be measured, and for expressing the measurements as imprecise subjective metrics through possibilistic or fuzzy numbers. A mathematical model is developed that facilitates combining (aggregating) inputs into overall metrics and decision aids, also portraying the inherent uncertainty. A major goal of the modeling is to help convey the top-down system perspective. Metrics are weighted according to significance of the attribute with respect to subsystems and are aggregated nonlinearly. Since the accumulating effect responds less and less to additional contribution, it is termed ''soft'' mathematical aggregation, which is analogous to how humans frequently make decisions. Dependence among the contributing factors is accounted for by incorporating subjective metrics on commonality and by reducing the overall contribution of these combinations to the overall aggregation. Decisions derived from the results are facilitated in several ways. First, information is provided on input ''Importance'' and ''Sensitivity'' (both Primary and Secondary) in order to know where to place emphasis on investigation of root causes and in considering new controls that may be necessary. Second, trends in inputs and outputs are tracked in order to obtain significant information, including cyclic information, for the decision process. Third, Early Alerts are provided in order to facilitate pre-emptive action. Fourth, the outputs are compared to soft thresholds provided by sigmoid functions. The methodology has been implemented in a software tool.
This report is a supplement to ''The Unique Signal Concept for Detonation Safety in Nuclear Weapons,'' SAND91-1269, which provides a prerequisite fundamental background on the unique signal (UQS) concept. The UQS is one of the key constituents of Enhanced Nuclear Detonation Safety (ENDS), as outlined in Section 1 of that report. There have been many documents written over the past quarter of a century describing various aspects of the UQS, but none of these emphasized the mathematical approaches that help explain why the UQS is effective in resisting inadvertent pre-arming, even in abnormal environments and how UQS implementations can be quantitatively assessed. The intent of this report is to describe various pertinent mathematical methodologies (many of which have not been previously reported) without duplicating, any more than necessary, background information available in other reports. Mathematical UQS analysis is needed because of quantitative requirements associated with ENDS, and because limited comparisons of various implementation approaches can be quantified under mathematical modeling assumptions. Some of the mathematics-based results shown in this report are presented to explain: (1) The reasons that the UQS methodology can provide greater protection against accident environments than could combinational techniques (Sections 2.1 through 2.4); (2) The reason that the probability of inadvertently duplicating a UQS comprising n bivalued events cannot be estimated as low as (1/2) inches (Section 2.4); (3) The value of, and the Sandia National Laboratories policy on independent sequential communication of UQS events (Section 3.4); and (4) The care that must be exercised if any signal processing is necessary (Section 4). There are also numerous examples (e.g., in Appendices A and B) of ill-advised deviations from UQS methodology that can seriously degrade safety. These examples help demonstrate that the UQS methodology should not be compromised.
Surface and groundwater resources do not recognize political boundaries. Where nature and boundary cross, tension over shared water resources can erupt. Such tension is exacerbated in regions where demand approaches or exceeds sustainable supplies of water. Establishing equitable management strategies can help prevent and resolve conflict over shared water resources. This paper describes a methodology for addressing transboundary water issues predicated on the integration of monitoring and modeling within a framework of cooperation. Cooperative monitoring begins with agreement by international scientists and/or policy makers on transboundary monitoring goals and strategies; it leads to the process of obtaining and sharing agreed-upon information among parties with the purpose of providing verifiable and secure data. Cooperative modeling is the process by which the parties jointly interpret the data, forecast future events and trends, and quantify cause and effect relationships. Together, cooperative monitoring and modeling allow for the development and assessment of alternative management and remediation strategies that could form the basis of regional watershed agreements or treaties. An example of how this multifaceted approach might be used to manage a shared water resource is presented for the Kura River basin in the Caucasus.
Safety analysis of complex systems depends on decomposing the systems into manageable subsystems, from which analysis can be rolled back up to the system level. The authors have found that there is no single best way to decompose; in fact hybrid combinations of decompositions are generally necessary to achieve optimum results. They are currently using two backbone coordinated decompositions--functional and risk, supplemented by other types, such as organizational. An objective is to derive metrics that can be used to efficiently and accurately aggregate information through analysis, to contribute toward assessing system safety, and to contribute information necessary for defensible decisions.