Safety-focused risk analysis and assessment approaches struggle to adequately include malicious, deliberate acts against the nuclear power industry's fissile and waste material, infrastructure, and facilities. Further, existing methods do not adequately address non- proliferation issues. Treating safety, security, and safeguards concerns independently is inefficient because, at best, it may not take explicit advantage of measures that provide benefits against multiple risk domains, and, at worst, it may lead to implementations that increase overall risk due to incompatibilities. What is needed is an integrated safety, security and safeguards risk (or "3SR") framework for describing and assessing nuclear power risks that can enable direct trade-offs and interactions in order to inform risk management processes -- a potential paradigm shift in risk analysis and management. These proceedings of the Sandia ePRA Workshop (held August 22-23, 2017) are an attempt to begin the discussions and deliberations to extend and augment safety focused risk assessment approaches to include security concerns and begin moving towards a 3S Risk approach. Safeguards concerns were not included in this initial workshop and are left to future efforts. This workshop focused on four themes in order to begin building out a the safety and security portions of the 3S Risk toolkit: 1. Historical Approaches and Tools 2. Current Challenges 3. Modern Approaches 4. Paths Forward and Next Steps This report is organized along the four areas described above, and concludes with a summary of key points. 2 Contact: rforres@sandia.gov; +1 (925) 294-2728
In response to the expansion of nuclear fuel cycle (NFC) activities -- and the associated suite of risks -- around the world, this project evaluated systems-based solutions for managing such risk complexity in multimodal and multi-jurisdictional international spent nuclear fuel (SNF) transportation. By better understanding systemic risks in SNF transportation, developing SNF transportation risk assessment frameworks, and evaluating these systems-based risk assessment frameworks, this research illustrated interdependency between safety, security, and safeguards risks is inherent in NFC activities and can go unidentified when each "S" is independently evaluated. Two novel system-theoretic analysis techniques -- dynamic probabilistic risk assessment (DPRA) and system-theoretic process analysis (STPA) -- provide integrated "3S" analysis to address these interdependencies and the research results suggest a need -- and provide a way -- to reprioritize United States engagement efforts to reduce global nuclear risks. Lastly, this research identifies areas where Sandia National Laboratories can spearhead technical advances to reduce global nuclear dangers.
ANS IHLRWM 2017 - 16th International High-Level Radioactive Waste Management Conference: Creating a Safe and Secure Energy Future for Generations to Come - Driving Toward Long-Term Storage and Disposal
Transportation of spent nuclear fuel (SNF) is expected to increase in the future, as the nuclear fuel infrastructure continues to expand and fuel takeback programs increase in popularity. Analysis of potential risks and threats to SNF shipments is currently performed separately for safety and security. However, as SNF transportation increases, the plausible threats beyond individual categories and the interactions between them become more apparent. A new approach is being developed to integrate safety, security, and safeguards (3S) under a system-theoretic framework and a probabilistic risk framework. At the first stage, a simplified scenario will be implemented using a dynamic probabilistic risk assessment (DPRA) method. This scenario considers a rail derailment followed by an attack. The consequences of derailment are calculated with RADTRAN, a transportation risk analysis code. The attack scenarios are analyzed with STAGE, a combat simulation model. The consequences of the attack are then calculated with RADTRAN. Note that both accident and attack result in SNF cask damage and a potential release of some fraction of the SNF inventory into the environment. The major purpose of this analysis was to develop the input data for DPRA. Generic PWR and BWR transportation casks were considered. These data were then used to demonstrate the consequences of hypothetical accidents in which the radioactive materials were released into the environment. The SNF inventory is one of the most important inputs into the analysis. Several pressurized water reactor (PWR) and boiling water reactor (BWR) fuel burnups and discharge times were considered for this proof-of-concept. The inventory was calculated using ORIGEN (point depletion and decay computer code, Oak Ridge National Laboratory) for 3 characteristic burnup values (40, 50, and 60 GWD/MTU) and 4 fuel ages (5, 10, 25 and 50 years after discharge). The major consequences unique to the transportation of SNF for both accident and attack are the results of the dispersion of radionuclides in the environment. The dynamic atmospheric dispersion model in RADTRAN was used to calculate these consequences. The examples of maximum exposed individual (MEI) dose, early mortality and soil contamination are discussed to demonstrate the importance of different factors. At the next stage, the RADTRAN outputs will be converted into a form compatible with the STAGE analysis. As a result, identification of additional risks related to the interaction between characteristics becomes a more straightforward task. In order to present the results of RADTRAN analysis in a framework compatible with the results of the STAGE analysis, the results will be grouped into three categories: • Immediate negative harms •Future benefits that cannot be realized •Additional increases in future risk By describing results within generically applicable categories, the results of safety analysis are able to be placed in context with the risk arising from security events.
As grid energy storage systems become more complex, it grows more difficult to design them for safe operation. This paper first reviews the properties of lithium-ion batteries that can produce hazards in grid scale systems. Then the conventional safety engineering technique Probabilistic Risk Assessment (PRA) is reviewed to identify its limitations in complex systems. To address this gap, new research is presented on the application of Systems-Theoretic Process Analysis (STPA) to a lithium-ion battery based grid energy storage system. STPA is anticipated to fill the gaps recognized in PRA for designing complex systems and hence be more effective or less costly to use during safety engineering. It was observed that STPA is able to capture causal scenarios for accidents not identified using PRA. Additionally, STPA enabled a more rational assessment of uncertainty (all that is not known) thereby promoting a healthy skepticism of design assumptions. We conclude that STPA may indeed be more cost effective than PRA for safety engineering in lithium-ion battery systems. However, further research is needed to determine if this approach actually reduces safety engineering costs in development, or improves industry safety standards.
Port security is an increasing concern given the significant role of ports in global commerce and today’s increasingly complex threat environment. Current approaches to port security mirror traditional models of accident causality – ‘a series of security nets’ based on component reliability and probabilistic assumptions. Traditional port security frameworks result in isolated and inconsistent improvement strategies. Recent work in engineered safety combines the ideas of hierarchy, emergence, control and communication into a new paradigm for understanding port security as an emergent complex system property. The ‘System-Theoretic Accident Model and Process (STAMP)’ is a new model of causality based on systems and control theory. The associated analysis process – System Theoretic Process Analysis (STPA) – identifies specific technical or procedural security requirements designed to work in coordination with (and be traceable to) overall port objectives. This process yields port security design specifications that can mitigate (if not eliminate) port security vulnerabilities related to an emphasis on component reliability, lack of coordination between port security stakeholders or economic pressures endemic in the maritime industry. This article aims to demonstrate how STAMP’s broader view of causality and complexity can better address the dynamic and interactive behaviors of social, organizational and technical components of port security.
The Gulf Nuclear Energy Infrastructure Institute (GNEII) was established collaboratively by Sandia National Laboratories, Texas A&M University, and the United Arab Emirates’ (UAE’s) Khalifa University of Science, Technology and Research in 2011 to provide a regional mechanism for developing responsible nuclear energy infrastructure. By combining education and research, GNEII helps increase knowledge and expertise about nuclear energy infrastructure—including safety, safeguards, and security—among Gulf and Middle East professionals working in regional nuclear-power programs. GNEII has been recognized by the White House as a major achievement in enhanced science and technology partnerships with the developing world.