Albuquerque, New Mexico, USA John Hockert · • Sabotage Logic Model – A logic model that...

Sabotage Target Ident i f i ca t ion

October 24 – November 11, 2016 Albuquerque, New Mexico, USA

John Hockert

Learning Objectives

After completing this session, you should be able to:

• Identify steps in sabotage target identification • Identify facility characteristics useful for target identification • Recognize the purpose of and uses for a conservative analysis of

the potential release of facility inventories • Identify two types of sabotage attacks • Recognize how logic models can be used to identify

combinations of areas from which malicious acts can lead to radiological release

• Recognize how logic models can be used to identify combinations of areas that, if protected against malicious act, prevent radiological release

2

Sabotage Target Identification

Physical Protection System Design Process

3

Identify PPS Objectives

Establish Facility Design Design PPS Analyze PPS

Design

Final PPS Design

Redesign PPS

Sabotage Target

Identification Sabotage Criteria


Steps in Sabotage Target Identification

4

Exceed URC / HRC?

Estimate Consequences of Release of Total Facility Radioactive Inventory

No Yes

No Sabotage Targets

Identify Areas / Locations With Inventories that, if Released,

Would Exceed URC / HRC

Indirect Sabotage Possible?

No Yes

Direct Areas / Locations Only

Sabotage Targets

Add Indirect Sabotage Target

Areas


Estimate Consequences of Release of Total Facility Radioactive Inventory • Use Safety and Operating Documents to: • Identify inventories of nuclear and other radioactive material

that could be released due to sabotage • Gather information on the facility

Material locations Material form, characteristics and quantity

• Gather information on the site, how radiological release could be transported to the public and environment Weather patterns Site geometry

5


Estimate Consequences of Release of Total Facility Radioactive Inventory (Cont’d)

6

• Estimate the potential radiological consequence of complete release of total inventory of radioactive material Do not consider physical protection and safety

mitigation measures Use conservative data and assumptions

• Use dose estimation tools developed for safety analysis / emergency planning Gaussian Plume Dispersion Models Model release and exposure after an explosion or fire

dispersal event Consider nuclear criticality / overpower event for nuclear

material, if within definition of unacceptable/ high radiological consequences (URC / HRC)

• If consequences do not exceed URC / HRC, then no sabotage targets


Representative Consequences from Criticality / Reactor Overpower Event

Consequences highly dependent upon reactor design, plant layout, and details of sabotage scenario

7

Adapted from NUREG/CR-6504, Vol. 2, An Updated Nuclear Criticality Slide Rule, http://web.ornl.gov/sci/scale/pubs/cr6504v2.pdf



8

Exceed URC / HRC?


No Yes

No Sabotage Targets




No Yes


Sabotage Targets


Areas


Identify Individual Inventories Where Release May Exceed URC / HRC • Estimate the potential radiological consequence of

release of radioactive inventory in each location Do not consider physical protection and safety mitigation

measures Use conservative data and assumptions Consider possibility that adversary will accumulate radioactive

material from multiple locations

• Each location or combination of locations where release consequences can exceed URC / HRC is a potential sabotage target

• Confirm by verifying that release scenario is within the capability of design basis threat

9



10

Exceed URC / HRC?


No Yes

No Sabotage Targets




No Yes


Sabotage Targets


Areas


Consider Indirect Sabotage That May Lead to URC /HRC • Indirect because it does not require access to the inventory

being released • Uses stored energy to disperse the inventory

Radioactive material (decay heat) Process systems (heat or pressure)

• Involves attacks against process or safety systems that normally maintain the facility in a safe state Initiating Events of Malicious Origin (IEMOs) cause disruption of

normal plant operating state Disablement events cause failure of mitigating systems

11


12

RADIOACTIVEMATERIAL

Indirect Sabotage

Initiating Event of Malicious Origin

Disablement Event

Direct Sabotage


Indirect Sabotage Must Be Analyzed When:

• Facilities have: In-process radiological inventory that can be dispersed to create

URC / HRC Inherent process energy sufficient to for this dispersal High Consequence Facilities (per NSS 13)

• Typically, complex facilities with: Front line systems (e.g., reactor core cooling) that respond to

plant upsets to prevent URC / HRC Support systems (e.g., electrical power, component cooling)

required for operation of front line systems Front line and support systems designed with sufficient

redundancy / diversity to function if single active failure

13


Complexity Requires Systematic Approach

• IAEA NSS 16, Identification of Vital Areas at Nuclear Facilities, provides one approach Systematic, comprehensive identification of indirection sabotage target

areas / area combination Leverages information in deterministic and probabilistic safety analyses Area focus simplifies analysis – areas are what is protected

• IAEA provides training on NSS 16 approach • References

NSS 16, http://www-pub.iaea.org/MTCD/Publications/PDF/Pub1505_web.pdf

SAND2004-2866, http://www.osti.gov/scitech/biblio/1028320/

14


http://www-pub.iaea.org/MTCD/Publications/PDF/Pub1505_web.pdf


http://www.osti.gov/scitech/biblio/1028320/


15

Exceed URC / HRC?


No Yes

No Sabotage Targets




No Yes

Areas / Locations Only Sabotage

Targets


Areas


Key Terminology for NSS 16 Approach

• Sabotage Logic Model – A logic model that documents the malicious events or combinations of malicious events that could lead to unacceptable / high radiological consequences.

• Sabotage Area Logic Model – A sabotage logic model that identified the physical areas from which the malicious events can be performed.

• Minimal Cut Set –the smallest set of events sufficient to cause the outcome of the logic model.

• Sabotage Target Set – the smallest set of areas sufficient to cause the outcome of the sabotage area logic model. The target sets are the combinations of areas from which malicious acts leading to unacceptable / high radiological consequences can be accomplished.

16

INTERNATIONAL ATOMIC ENERGY AGENCY, Identification of Vital Areas at Nuclear Facilities, Technical Guidance, Nuclear Security Series No. 16, IAEA, Vienna (2012)


Key Terminology (Cont’d)

• Prevention Set – the smallest set of events that will prevent the outcome of a logic model.

• Candidate Vital Area Set – A prevention set (complement cut set or minimal path set) for a sabotage area logic model that identifies a set of areas whose protection will prevent malicious acts leading to unacceptable / high radiological consequences. Sabotage cannot be accomplished unless the saboteur can enter at least one area in the prevention set.

INTERNATIONAL ATOMIC ENERGY AGENCY, Identification of Vital Areas at Nuclear Facilities, Technical Guidance, Nuclear Security Series No. 16, IAEA, Vienna (2012)


NSS 16 Target Identification Process Summary

The steps for identifying indirect sabotage target areas are: 1. Determine facility process states corresponding to URC / HRC 2. Identify initiating events of malicious origin (IEMOs) 3. Identify systems / equipment needed to mitigate IEMOs, if possible 4. Develop sabotage logic model

• Logical combinations of sabotage acts (IEMOs and equipment disablement) that could lead to URC / HRC

5. Identify areas in which sabotage acts can be performed • Depends upon design basis threat capabilities • Identify sabotage acts that can be accomplished outside protected area

6. Solve sabotage logic model to identify sabotage target sets 7. Transform sabotage logic model to identify sabotage prevention

sets

18


1. Determine Process States Corresponding to URC / HRC • Approach 1: Analyze numerous severe accidents to determine

whether consequences meet URC / HRC criteria Frequently complex and expensive, involving analysis of poorly understood

and characterized physical processes Effort comparable to Level 3 Probabilistic Risk Assessment

• Approach 2: Conservatively define a plant state as equivalent to URC / HRC Responsibility of Competent Authority Defining plant state as “core damage” or equivalent permits utilization of

Level 1 Probabilistic Risk Assessment Defining plant state as ‘unanalyzed condition” permits utilization of

deterministic safety analysis Simplification of analysis may increase protection costs

• Core damage may have minor radiological consequences • Some mitigation measures excluded from consideration

19


2. Identify IEMOs

Anything that can happen by accident can be made to happen

• IEMOs include safety IEs plus sabotage only events Direct sabotage “Low probability” events

• IEMOs that exceed mitigating system capacity Include as events leading to HRC/ URC in the sabotage logic model Capability of threat to cause these IEMOs will be addressed later in

process

• IEMOs within mitigating system capacity Identify mitigating systems Continue process to model sabotage of mitigating systems

20


3. Identify Mitigating Systems / Equipment

What equipment is needed to prevent an IEMO from causing plant state corresponding to URC / HRC? • Use deterministic / probabilistic safety

analysis to identify the equipment needed to mitigate the postulated / modeled IE analogous to the IEMO

• Perform an engineering review or safety analysis to identify equipment that might be able to mitigate IEMOs unique to sabotage

21

ReactorVessel

SteamGen.

To Turbine

Generator

RefuelingWater

StorageTank

ACCUPRESS

Containment Sump

HX

HXRHR Pumps

From Feedwater

Pumps

BITCharging Pump

PDPF CV

F

ToPRT

GWT

VCT

Safety Injection Pumps

F


LOOP-SAB SMLOCA-SAB BDB-LOCA SAB-SF

SABOTAGE OFPLANT

LOSS OF OFFSITEPOWER

SABOTAGESMALL LOCASABOTAGE LOCA BEYOND

MITIGATIONSABOTAGE

SPENT FUEL

PLANT-SAB

4. Develop Sabotage Logic Model • Determine the combinations of malicious acts

that can lead to URC / HRC • Top Event – URC / HRC • Intermediate events – AND / OR

combinations of events leading to Top Event

• Terminal Events – Destruction or disablement of components or structures

• Structure is identical to fault trees used in Probabilistic Safety Analysis

22


Process of Sabotage Logic Model Development • Develop facility sabotage fault tree

Direct dispersal events IEMOs that exceed mitigating system capacity IEMOs that can be mitigated and the front-line systems that are

used to mitigate them • Develop system sabotage fault tree branches

Determine events that can disable front-line systems required to mitigate IEMOs

• Include support system failures that cause front-line systems to fail • Determine events that can disable required support systems • Include sub-dependencies and interdependencies

23


Conversion of Safety Logic Models to Sabotage Logic Models • Remove events not associated with equipment failures (e.g.,

operator recovery, human error) • Add sabotage events that would be incredible for safety

analysis Direct sabotage attacks (e.g., explosive dispersal) Spontaneous catastrophic failures of passive components (e.g.,

breeching of vessels, tanks, and pipes) Spurious control faults after initial operation

• Location focus Combine multiple faults / failures that occur in the same location

(e.g., failure of pump and mis-positioning of co-located valve)

24


Boolean Algebra

• A + A = A 1= true • A*A = A 0= false • A + 0 = A 0*A=0 • A*1 = A • A*(B + C) = A*B + A*C • A + (B*C) = (A + B)*(A + C)

25


Example Simplified Logic Model

26

URC-FROM-LOCA

URC from LOCA

Create LOCA Disable LOCA Mitigation

Disable Pump A Disable Pump B

Only One Pump Required for

LOCA Mitigation


Example Simplified Logic Model (Cont’d)

27

Both Pumps Required for

LOCA Mitigation


Logic Model Development Result

The product of this step is a sabotage logic model that includes: • Direct dispersal events • IEMOs that exceed mitigating system capacity • The combinations of IEMOs and equipment

disablement events that together result in URC These types of sabotage scenarios are linked with OR gates

28


5. Identify Areas

• Define areas for facility Assign names and abbreviations to the areas Mark up elevation or other drawings to define areas

• Areas should be locations that can be protected. For example: Has four walls, a ceiling, and floor, or Any component (such as motor control center or electrical rack) or location for

which an enclosure or other means of providing penetration delay, access control, and intrusion detection could feasibly be constructed

• Areas should be as small scale as practicable Easier to combine areas later than to split large areas

29


Link Locations to Logic Model IEMOs / Disablement Events • Locations from which components or structures can be

disabled or destroyed Depends strongly on DBT (ability to

locate and destroy components) May include remote areas from which

equipment is controlled (e.g., turn off pump, manipulate valve)

• Note disablement events that can be accomplished from outside the Protected Area (e.g., disable normal power) Depends upon DBT (e.g., standoff weapons) These events are modeled to always occur in the sabotage logic

model because protecting vitals areas cannot prevent them

30


Linking Areas in the Logic Model

31

Becomes

SYSA-MDP-D-L

PUMP A DISABLED LOCALLY

SYS-PRM-A

SYS Pump Room A

SYSA-MDP-D-L

PUMP A DISABLED LOCALLY


Minimal Cut Sets “The smallest set of events sufficient to cause the outcome of the logic model” or, in the case of a sabotage logic model, sabotage (a top event) to occur. • Each of the basic events in the minimal cut set must

occur for the top event (sabotage) to occur. • Fault trees have a finite number (usually more than one)

of unique minimal cut sets. • For sabotage area logic model, these are the target sets

– For nuclear power plants there may be hundreds of target sets

32


6. Solve Sabotage Area Logic Model • Sabotage Area Logic Model can be solved by using standard fault

tree analysis methods / software Unlike PSA, there are no probabilities associated with sabotage events Qualitative fault tree solution

• Important to simplify based upon areas to permit solution

• Solution to Sabotage Area Logic Models Minimal cut sets of areas from which sabotage can be accomplished –

Target Sets

• Target Sets for: Direct sabotage events will consist of a single area (the location of the

radioactive material) Indirect sabotage events will usually consist of two or more areas

One for the IEMO and one (or more) for disablement events

33


7. Identifying Prevention Sets • Prevention Set contains at least one member of every

Target Set. • Transform the Sabotage Area Logic Model into a

Sabotage Prevention Area Logic Model Use the Boolean NOT operator to create a logic model for

preventing sabotage Standard fault tree analysis tool

• Solve the Sabotage Prevention Area Logic Model Minimal cut sets of areas that may be protected to prevent

sabotage Referred to as prevention sets Typically there is more than one prevention set


Summary Sabotage Target Identification

35

Exceed URC / HRC?


No Yes

No Sabotage Targets




No Yes


Sabotage Targets


Areas


NSS 16 Indirect Target Identification Process Summary The steps for identifying indirect sabotage target areas are: 1. Determine facility process states corresponding to URC / HRC 2. Identify initiating events of malicious origin (IEMOs) 3. Identify systems / equipment needed to mitigate IEMOs, if possible 4. Develop sabotage logic model

• Logical combinations of sabotage acts (IEMOs and equipment disablement) that could lead to URC / HRC

5. Identify areas in which sabotage acts can be performed • Depends upon design basis threat capabilities • Identify sabotage acts that can be accomplished outside protected area

6. Solve sabotage logic model to identify sabotage target sets 7. Transform sabotage logic model to identify sabotage prevention sets

36


References

37

NSS 16, Identification of Vital Areas at Nuclear Facilities, from IAEA http://www-pub.iaea.org/MTCD/Publications/PDF/Pub1505_web.pdf

SAND2004-2866, A Systematic Method for Identifying Vital Areas at Complex Nuclear Facilities, from Sandia National Laboratories http://www.osti.gov/scitech/biblio/1028320




http://www.osti.gov/scitech/biblio/1028320/

Backup Slides

(Gaussian Dispersion Dose at Distance)


Gaussian Dispersion

• Useful primarily for modeling consequences of direct sabotage

• Model plume coverage after a fire / explosion dispersal event

• Dependent upon atmospheric and geographic conditions

39


Radiological Dispersion Modeling Tools

• HotSpot – Lawrence Livermore National Laboratory direct (explosive) attack

• GENII – Pacific Northwest National Laboratory (PNNL) • MACCS2 – Sandia National Laboratories / NRC • Published Software Quality Assurance Reports

http://energy.gov/ehss/safety-software-quality-assurance-central-registry

• Most are available for international use

40




Other Dispersion Models

41

• Radiological Assessment System for Consequence AnaLysis (RASCAL (and many others) https://rsicc.ornl.gov/CustomerService.a

spx

• Turbo FRMAC (and others) https://nirp.sandia.gov/Programs.aspx

• International Tools at: http://www.iaea.org/inis/collection/NCLCollectionStore/_Public/37/115/37115779.pdf

• Good to use the same tools for safety and sabotage analyses if the tools can model sabotage events

• Many, many others


https://rsicc.ornl.gov/CustomerService.aspx

https://rsicc.ornl.gov/CustomerService.aspx

https://nirp.sandia.gov/Programs.aspx

http://www.iaea.org/inis/collection/NCLCollectionStore/_Public/37/115/37115779.pdf

http://www.iaea.org/inis/collection/NCLCollectionStore/_Public/37/115/37115779.pdf

Dispersion Modeling Tools

42

All tools calculate dose at some distance

• Gaussian Dispersion Models valid for > 100 meters

• Dose calculations for dispersion inside structures or nearer than 100 m require more sophisticated models Computational Fluid

Dynamics 3-D Advection Dispersion

Models


Tools (cont’d)

43

HotSpot


Example Airborne Release Fractions (ARF) / Respirable Fractions (RF) • Explosions

Metals Maximum ARF/ RF occurs when TNT equiv. explosive mass equals

mass of metal containing MAR, ARF*RF = 0.12

Powders: ARF = 0.8 x TNT equiv. / (MAR + Inert), RF=0.25

• Fires Uranium Metal Fire: ARF * RF ranges from ~ 1E-5 to 4E-4

depending upon temperature Uranium Oxide Powder: ARF = 6E-3, 1E-2

44

DOE-HDBK-3010-94, Airborne Release Fractions/Rates and Respirable Fractions for Nonreactor Nuclear Facilities, http://www.energy.gov/ehss/downloads/doe-hdbk-3010-94 NUREG-1320, Nuclear Fuel Cycle Facility Accident Analysis Handbook, http://www.nrc.gov/docs/ML1225/ML12254A158.pdf


http://www.energy.gov/ehss/downloads/doe-hdbk-3010-94

http://www.nrc.gov/docs/ML1225/ML12254A158.pdf

Example Calculation Am-241

MAR = 454 grams of Am-241 powder Dispersed by 1 lb. of TNT Stability Class F 1 m/s wind ARF =0.8 / RF = 0.25

45


Comparison to HEU

46

MAR = 5 kilograms of U-235 powder in 93% enriched U Dispersed by 1 lb. of TNT Stability Class F, 1 m/s wind ARF= .07 / RF= 0.25

HEU dispersal consequence is over a million

times less than Am-241


Sabotage Consequences Have No Relationship to Theft Categorization

Sabotage analysis based on radiotoxicity, not on mass

• Different from INFCIRC 225 Categorization Table

• Cat 1 does not automatically exceed URC or HRC

• Cat 3 does not mean there is no viable sabotage target

47

The largest consequences may not be from nuclear material


Albuquerque, New Mexico, USA John Hockert · • Sabotage Logic Model – A logic model that...

Documents

Transcript of Albuquerque, New Mexico, USA John Hockert · • Sabotage Logic Model – A logic model that...