Sabotage Target Identification
October 24 – November 11, 2016, Albuquerque, New Mexico, USA
John Hockert
Learning Objectives
After completing this session, you should be able to:
• Identify steps in sabotage target identification
• Identify facility characteristics useful for target identification
• Recognize the purpose of and uses for a conservative analysis of the potential release of facility inventories
• Identify two types of sabotage attacks
• Recognize how logic models can be used to identify combinations of areas from which malicious acts can lead to radiological release
• Recognize how logic models can be used to identify combinations of areas that, if protected against malicious acts, prevent radiological release
Physical Protection System Design Process
(Flow diagram) Identify PPS Objectives → Design PPS → Analyze PPS Design → Final PPS Design, with a Redesign PPS loop from analysis back to design. Inputs shown under Identify PPS Objectives: Establish Facility Design, Sabotage Target Identification, Sabotage Criteria.
Steps in Sabotage Target Identification
(Flowchart)
1. Estimate consequences of release of total facility radioactive inventory.
2. Exceed URC / HRC? No: no sabotage targets. Yes: identify areas / locations with inventories that, if released, would exceed URC / HRC.
3. Indirect sabotage possible? No: direct areas / locations are the only sabotage targets. Yes: add indirect sabotage target areas.
Estimate Consequences of Release of Total Facility Radioactive Inventory
• Use safety and operating documents to:
– Identify inventories of nuclear and other radioactive material that could be released due to sabotage
– Gather information on the facility: material locations; material form, characteristics and quantity
– Gather information on the site and on how a radiological release could be transported to the public and environment: weather patterns; site geometry
Estimate Consequences of Release of Total Facility Radioactive Inventory (Cont’d)
• Estimate the potential radiological consequence of complete release of the total inventory of radioactive material
– Do not consider physical protection and safety mitigation measures
– Use conservative data and assumptions
• Use dose estimation tools developed for safety analysis / emergency planning
– Gaussian plume dispersion models
– Model release and exposure after an explosion or fire dispersal event
– Consider a nuclear criticality / overpower event for nuclear material, if within the definition of unacceptable / high radiological consequences (URC / HRC)
• If consequences do not exceed URC / HRC, then there are no sabotage targets
Representative Consequences from Criticality / Reactor Overpower Event
(Figure omitted) Consequences are highly dependent upon reactor design, plant layout, and details of the sabotage scenario.
Adapted from NUREG/CR-6504, Vol. 2, An Updated Nuclear Criticality Slide Rule, http://web.ornl.gov/sci/scale/pubs/cr6504v2.pdf
Identify Individual Inventories Where Release May Exceed URC / HRC
• Estimate the potential radiological consequence of release of the radioactive inventory in each location
– Do not consider physical protection and safety mitigation measures
– Use conservative data and assumptions
– Consider the possibility that the adversary will accumulate radioactive material from multiple locations
• Each location or combination of locations where release consequences can exceed URC / HRC is a potential sabotage target
• Confirm by verifying that the release scenario is within the capability of the design basis threat
Consider Indirect Sabotage That May Lead to URC / HRC
• Indirect because it does not require access to the inventory being released
• Uses stored energy to disperse the inventory
– Radioactive material (decay heat)
– Process systems (heat or pressure)
• Involves attacks against process or safety systems that normally maintain the facility in a safe state
– Initiating Events of Malicious Origin (IEMOs) cause disruption of the normal plant operating state
– Disablement events cause failure of mitigating systems
(Diagram) Direct sabotage acts on the radioactive material itself. Indirect sabotage reaches the radioactive material through an Initiating Event of Malicious Origin combined with a Disablement Event.
Indirect Sabotage Must Be Analyzed When:
• Facilities have:
– In-process radiological inventory that can be dispersed to create URC / HRC
– Inherent process energy sufficient for this dispersal
• High consequence facilities (per NSS 13)
• Typically, complex facilities with:
– Front line systems (e.g., reactor core cooling) that respond to plant upsets to prevent URC / HRC
– Support systems (e.g., electrical power, component cooling) required for operation of front line systems
– Front line and support systems designed with sufficient redundancy / diversity to function after a single active failure
Complexity Requires Systematic Approach
• IAEA NSS 16, Identification of Vital Areas at Nuclear Facilities, provides one approach
– Systematic, comprehensive identification of indirect sabotage target areas / area combinations
– Leverages information in deterministic and probabilistic safety analyses
– Area focus simplifies analysis – areas are what is protected
• IAEA provides training on the NSS 16 approach
• References
– NSS 16, http://www-pub.iaea.org/MTCD/Publications/PDF/Pub1505_web.pdf
– SAND2004-2866, http://www.osti.gov/scitech/biblio/1028320/
Key Terminology for NSS 16 Approach
• Sabotage Logic Model – A logic model that documents the malicious events or combinations of malicious events that could lead to unacceptable / high radiological consequences.
• Sabotage Area Logic Model – A sabotage logic model that identifies the physical areas from which the malicious events can be performed.
• Minimal Cut Set – The smallest set of events sufficient to cause the outcome of the logic model.
• Sabotage Target Set – The smallest set of areas sufficient to cause the outcome of the sabotage area logic model. The target sets are the combinations of areas from which malicious acts leading to unacceptable / high radiological consequences can be accomplished.
INTERNATIONAL ATOMIC ENERGY AGENCY, Identification of Vital Areas at Nuclear Facilities, Technical Guidance, Nuclear Security Series No. 16, IAEA, Vienna (2012)
Key Terminology (Cont’d)
• Prevention Set – The smallest set of events that will prevent the outcome of a logic model.
• Candidate Vital Area Set – A prevention set (complement cut set or minimal path set) for a sabotage area logic model that identifies a set of areas whose protection will prevent malicious acts leading to unacceptable / high radiological consequences. Sabotage cannot be accomplished unless the saboteur can enter at least one area in the prevention set.
INTERNATIONAL ATOMIC ENERGY AGENCY, Identification of Vital Areas at Nuclear Facilities, Technical Guidance, Nuclear Security Series No. 16, IAEA, Vienna (2012)
NSS 16 Target Identification Process Summary
The steps for identifying indirect sabotage target areas are:
1. Determine facility process states corresponding to URC / HRC
2. Identify initiating events of malicious origin (IEMOs)
3. Identify systems / equipment needed to mitigate IEMOs, if possible
4. Develop sabotage logic model
• Logical combinations of sabotage acts (IEMOs and equipment disablement) that could lead to URC / HRC
5. Identify areas in which sabotage acts can be performed
• Depends upon design basis threat capabilities
• Identify sabotage acts that can be accomplished outside the protected area
6. Solve sabotage logic model to identify sabotage target sets
7. Transform sabotage logic model to identify sabotage prevention sets
1. Determine Process States Corresponding to URC / HRC
• Approach 1: Analyze numerous severe accidents to determine whether consequences meet URC / HRC criteria
– Frequently complex and expensive, involving analysis of poorly understood and characterized physical processes
– Effort comparable to a Level 3 Probabilistic Risk Assessment
• Approach 2: Conservatively define a plant state as equivalent to URC / HRC
– Responsibility of the Competent Authority
– Defining the plant state as “core damage” or equivalent permits utilization of a Level 1 Probabilistic Risk Assessment
– Defining the plant state as “unanalyzed condition” permits utilization of deterministic safety analysis
– Simplification of analysis may increase protection costs: core damage may have minor radiological consequences, and some mitigation measures are excluded from consideration
2. Identify IEMOs
Anything that can happen by accident can be made to happen
• IEMOs include safety IEs plus sabotage-only events
– Direct sabotage
– “Low probability” events
• IEMOs that exceed mitigating system capacity
– Include as events leading to HRC / URC in the sabotage logic model
– Capability of the threat to cause these IEMOs will be addressed later in the process
• IEMOs within mitigating system capacity
– Identify mitigating systems
– Continue the process to model sabotage of mitigating systems
3. Identify Mitigating Systems / Equipment
What equipment is needed to prevent an IEMO from causing the plant state corresponding to URC / HRC?
• Use deterministic / probabilistic safety analysis to identify the equipment needed to mitigate the postulated / modeled IE analogous to the IEMO
• Perform an engineering review or safety analysis to identify equipment that might be able to mitigate IEMOs unique to sabotage
(Figure: simplified PWR safety injection schematic showing the reactor vessel, steam generator (to turbine generator), refueling water storage tank, accumulator (ACCU), pressurizer (PRESS), containment sump, RHR pumps and heat exchangers (HX), feedwater pumps, charging pump with boron injection tank (BIT), positive displacement pump (PDP), safety injection pumps, and the PRT, GWT and VCT tanks.)
4. Develop Sabotage Logic Model
(Figure: top of an example sabotage fault tree. Top event PLANT-SAB, “Sabotage of plant”, with inputs LOOP-SAB “Loss of offsite power sabotage”, SMLOCA-SAB “Sabotage small LOCA”, BDB-LOCA “Sabotage LOCA beyond mitigation”, and SAB-SF “Sabotage spent fuel”.)
• Determine the combinations of malicious acts that can lead to URC / HRC
• Top Event – URC / HRC
• Intermediate events – AND / OR combinations of events leading to the Top Event
• Terminal Events – Destruction or disablement of components or structures
• Structure is identical to fault trees used in Probabilistic Safety Analysis
Process of Sabotage Logic Model Development
• Develop facility sabotage fault tree
– Direct dispersal events
– IEMOs that exceed mitigating system capacity
– IEMOs that can be mitigated and the front-line systems that are used to mitigate them
• Develop system sabotage fault tree branches
– Determine events that can disable front-line systems required to mitigate IEMOs
• Include support system failures that cause front-line systems to fail
• Determine events that can disable required support systems
• Include sub-dependencies and interdependencies
Conversion of Safety Logic Models to Sabotage Logic Models
• Remove events not associated with equipment failures (e.g., operator recovery, human error)
• Add sabotage events that would be incredible for safety analysis
– Direct sabotage attacks (e.g., explosive dispersal)
– Spontaneous catastrophic failures of passive components (e.g., breaching of vessels, tanks, and pipes)
– Spurious control faults after initial operation
• Location focus
– Combine multiple faults / failures that occur in the same location (e.g., failure of a pump and mis-positioning of a co-located valve)
Boolean Algebra
Notation: 1 = true, 0 = false
• A + A = A
• A*A = A
• A + 0 = A
• 0*A = 0
• A*1 = A
• A*(B + C) = A*B + A*C
• A + (B*C) = (A + B)*(A + C)
Example Simplified Logic Model
(Figure: fault tree) Top event URC-FROM-LOCA, “URC from LOCA” = Create LOCA AND Disable LOCA Mitigation. Only one pump is required for LOCA mitigation, so Disable LOCA Mitigation = Disable Pump A AND Disable Pump B.
Example Simplified Logic Model (Cont’d)
(Figure: the same fault tree with both pumps required for LOCA mitigation, so disabling either pump defeats mitigation: Disable LOCA Mitigation = Disable Pump A OR Disable Pump B.)
Logic Model Development Result
The product of this step is a sabotage logic model that includes:
• Direct dispersal events
• IEMOs that exceed mitigating system capacity
• The combinations of IEMOs and equipment disablement events that together result in URC
These types of sabotage scenarios are linked with OR gates.
5. Identify Areas
• Define areas for the facility
– Assign names and abbreviations to the areas
– Mark up elevation or other drawings to define areas
• Areas should be locations that can be protected. For example:
– Has four walls, a ceiling, and a floor, or
– Any component (such as a motor control center or electrical rack) or location for which an enclosure or other means of providing penetration delay, access control, and intrusion detection could feasibly be constructed
• Areas should be as small scale as practicable
– Easier to combine areas later than to split large areas
Link Locations to Logic Model IEMOs / Disablement Events
• Locations from which components or structures can be disabled or destroyed
– Depends strongly on the DBT (ability to locate and destroy components)
– May include remote areas from which equipment is controlled (e.g., turn off pump, manipulate valve)
• Note disablement events that can be accomplished from outside the Protected Area (e.g., disable normal power)
– Depends upon the DBT (e.g., standoff weapons)
– These events are modeled to always occur in the sabotage logic model because protecting vital areas cannot prevent them
Linking Areas in the Logic Model
(Figure) The terminal event SYSA-MDP-D-L, “Pump A disabled locally”, becomes a gate of the same name whose input is the area from which the act is performed: SYS-PRM-A, “SYS Pump Room A”.
Minimal Cut Sets
“The smallest set of events sufficient to cause the outcome of the logic model” or, in the case of a sabotage logic model, for sabotage (a top event) to occur.
• Each of the basic events in the minimal cut set must occur for the top event (sabotage) to occur.
• Fault trees have a finite number (usually more than one) of unique minimal cut sets.
• For a sabotage area logic model, these are the target sets
– For nuclear power plants there may be hundreds of target sets
6. Solve Sabotage Area Logic Model
• The sabotage area logic model can be solved by using standard fault tree analysis methods / software
– Unlike PSA, there are no probabilities associated with sabotage events
– Qualitative fault tree solution
• Important to simplify based upon areas to permit solution
• Solution to sabotage area logic models
– Minimal cut sets of areas from which sabotage can be accomplished – Target Sets
• Target sets for:
– Direct sabotage events will consist of a single area (the location of the radioactive material)
– Indirect sabotage events will usually consist of two or more areas: one for the IEMO and one (or more) for disablement events
7. Identifying Prevention Sets
• A prevention set contains at least one member of every target set.
• Transform the sabotage area logic model into a sabotage prevention area logic model
– Use the Boolean NOT operator to create a logic model for preventing sabotage
– Standard fault tree analysis tool
• Solve the sabotage prevention area logic model
– Minimal cut sets of areas that may be protected to prevent sabotage
– Referred to as prevention sets
– Typically there is more than one prevention set
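The following Python solver is an added example, not code from the slides, from IAEA NSS 16 or from SAND2004-2866. It carries steps 4 to 7 through on the deck's simplified LOCA model (both the "one pump required" and "both pumps required" variants): the Boolean identities from the Boolean Algebra slide are applied as set operations to obtain minimal cut sets, terminal events are linked to areas as in the Linking Areas slide, the area model is solved for target sets, and the NOT-transformed (De Morgan dual) area model is solved for prevention sets. The event names, the area names PIPE-RM, SYS-PRM-B and CTRL-RM, and the event-to-area mapping are constructed for illustration; only SYS-PRM-A is a label from the deck.

```python
"""Added example, not from the slides or from IAEA NSS 16: a small solver for a
sabotage logic model (steps 4, 6 and 7).  A tree is ("AND", [...]) or
("OR", [...]); a leaf string is a terminal event or, after step 5, an area.
The constant True marks an event modeled as always occurring (for example a
disablement that can be done from outside the protected area).
"""
from itertools import product


def minimise(cut_sets):
    """Absorption (A + A*B = A): keep only sets with no proper subset present."""
    return {s for s in cut_sets if not any(o < s for o in cut_sets)}


def minimal_cut_sets(node):
    """Minimal cut sets of a fault tree as a set of frozensets of leaves.

    OR gates union their children's cut sets (A + B); AND gates cross the
    children's cut sets and merge them (A*(B + C) = A*B + A*C); A*A = A
    follows from using sets.  TRUE is the empty cut set, FALSE has none.
    """
    if node is True:
        return {frozenset()}
    if node is False:
        return set()
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        combined = set().union(*child_sets)
    elif gate == "AND":
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimise(combined)


def to_area_model(event_tree, event_areas):
    """Step 5: replace each terminal event by an OR over the areas from which
    it can be performed.  An empty area list means the act can be done from
    outside the protected area, which the slides model as always occurring."""
    if isinstance(event_tree, str):
        areas = event_areas[event_tree]
        if not areas:
            return True
        return areas[0] if len(areas) == 1 else ("OR", list(areas))
    gate, children = event_tree
    return (gate, [to_area_model(c, event_areas) for c in children])


def dual(node):
    """Boolean NOT by De Morgan: swap AND/OR.  In the dual tree a leaf reads
    'this area is protected' and the top event reads 'sabotage prevented'."""
    if node is True or node is False:
        return not node
    if isinstance(node, str):
        return node
    gate, children = node
    return ("OR" if gate == "AND" else "AND", [dual(c) for c in children])


def target_sets(event_tree, event_areas):
    """Step 6: minimal cut sets of the sabotage area logic model."""
    return minimal_cut_sets(to_area_model(event_tree, event_areas))


def prevention_sets(event_tree, event_areas):
    """Step 7: minimal cut sets of the NOT-transformed area model, i.e. the
    candidate vital area sets (minimal path sets of the area model)."""
    return minimal_cut_sets(dual(to_area_model(event_tree, event_areas)))


def covers_all(prevention, targets):
    """A prevention set must contain at least one member of every target set."""
    return all(prevention & t for t in targets)


# The deck's simplified model: URC from LOCA = Create LOCA AND Disable LOCA
# Mitigation.  Event names below are constructed, not the deck's codes.
CREATE_LOCA, DISABLE_A, DISABLE_B = "CREATE-LOCA", "DISABLE-PUMP-A", "DISABLE-PUMP-B"
ONE_PUMP_SUFFICIENT = ("AND", [CREATE_LOCA, ("AND", [DISABLE_A, DISABLE_B])])
BOTH_PUMPS_REQUIRED = ("AND", [CREATE_LOCA, ("OR", [DISABLE_A, DISABLE_B])])

# Constructed event-to-area mapping (only SYS-PRM-A is the deck's own label):
# each pump can be disabled locally in its pump room or remotely from a
# hypothetical control room CTRL-RM.
EVENT_AREAS = {
    CREATE_LOCA: ["PIPE-RM"],
    DISABLE_A: ["SYS-PRM-A", "CTRL-RM"],
    DISABLE_B: ["SYS-PRM-B", "CTRL-RM"],
}

if __name__ == "__main__":
    for name, tree in [("one pump sufficient", ONE_PUMP_SUFFICIENT),
                       ("both pumps required", BOTH_PUMPS_REQUIRED)]:
        ts = target_sets(tree, EVENT_AREAS)
        ps = prevention_sets(tree, EVENT_AREAS)
        print(f"{name}: target sets     {sorted(map(sorted, ts))}")
        print(f"{name}: prevention sets {sorted(map(sorted, ps))}")
        assert all(covers_all(p, ts) for p in ps)
```

With one pump sufficient, the shared control room collapses the three-area target set {PIPE-RM, SYS-PRM-A, SYS-PRM-B} into a second, smaller target set {PIPE-RM, CTRL-RM}, and the prevention sets show that protecting the piping room alone, or the control room together with either pump room, suffices. With both pumps required, every single pump-related area joins the piping room in a target set, and the only prevention set other than the piping room is all three pump-related areas together; this is the cost of redundancy being absent that the "redundancy / diversity" bullet earlier alludes to. A disablement reachable from outside the protected area (empty area list) yields an empty cut set for that branch, so nothing in the dual model can prevent it, matching the slide on out-of-area events.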
Summary: Sabotage Target Identification
(Flowchart repeated from Steps in Sabotage Target Identification above.)
NSS 16 Indirect Target Identification Process Summary
(Repeats the seven steps listed under NSS 16 Target Identification Process Summary above.)
References
• NSS 16, Identification of Vital Areas at Nuclear Facilities, IAEA, http://www-pub.iaea.org/MTCD/Publications/PDF/Pub1505_web.pdf
• SAND2004-2866, A Systematic Method for Identifying Vital Areas at Complex Nuclear Facilities, Sandia National Laboratories, http://www.osti.gov/scitech/biblio/1028320
Backup Slides (Gaussian Dispersion Dose at Distance)
Gaussian Dispersion
• Useful primarily for modeling consequences of direct sabotage
• Model plume coverage after a fire / explosion dispersal event
• Dependent upon atmospheric and geographic conditions
Radiological Dispersion Modeling Tools
• HotSpot – Lawrence Livermore National Laboratory; direct (explosive) attack
• GENII – Pacific Northwest National Laboratory (PNNL)
• MACCS2 – Sandia National Laboratories / NRC
• Published Software Quality Assurance Reports: http://energy.gov/ehss/safety-software-quality-assurance-central-registry
• Most are available for international use
Other Dispersion Models
• Radiological Assessment System for Consequence AnaLysis (RASCAL) (and many others): https://rsicc.ornl.gov/CustomerService.aspx
• Turbo FRMAC (and others): https://nirp.sandia.gov/Programs.aspx
• International tools at: http://www.iaea.org/inis/collection/NCLCollectionStore/_Public/37/115/37115779.pdf
• Good to use the same tools for safety and sabotage analyses if the tools can model sabotage events
• Many, many others
Dispersion Modeling Tools
All tools calculate dose at some distance
• Gaussian dispersion models are valid for > 100 meters
• Dose calculations for dispersion inside structures or nearer than 100 m require more sophisticated models
– Computational Fluid Dynamics
– 3-D Advection Dispersion Models
Tools (Cont’d)
(Screenshot: HotSpot)
Example Airborne Release Fractions (ARF) / Respirable Fractions (RF)
• Explosions
– Metals: maximum ARF / RF occurs when the TNT-equivalent explosive mass equals the mass of metal containing the MAR; ARF*RF = 0.12
– Powders: ARF = 0.8 x TNT equiv. / (MAR + Inert), RF = 0.25
• Fires
– Uranium metal fire: ARF * RF ranges from ~1E-5 to 4E-4 depending upon temperature
– Uranium oxide powder: ARF = 6E-3, 1E-2
Sources: DOE-HDBK-3010-94, Airborne Release Fractions/Rates and Respirable Fractions for Nonreactor Nuclear Facilities, http://www.energy.gov/ehss/downloads/doe-hdbk-3010-94; NUREG-1320, Nuclear Fuel Cycle Facility Accident Analysis Handbook, http://www.nrc.gov/docs/ML1225/ML12254A158.pdf
Example Calculation: Am-241
(Figure omitted) MAR = 454 grams of Am-241 powder; dispersed by 1 lb. of TNT; Stability Class F; 1 m/s wind; ARF = 0.8 / RF = 0.25
Comparison to HEU
(Figure omitted) MAR = 5 kilograms of U-235 powder in 93% enriched U; dispersed by 1 lb. of TNT; Stability Class F, 1 m/s wind; ARF = 0.07 / RF = 0.25
HEU dispersal consequence is over a million times less than Am-241
Sabotage Consequences Have No Relationship to Theft Categorization
Sabotage analysis is based on radiotoxicity, not on mass
• Different from the INFCIRC/225 categorization table
• Cat 1 does not automatically exceed URC or HRC
• Cat 3 does not mean there is no viable sabotage target
The largest consequences may not be from nuclear material