WYSS, GREGORY D.; DURAN, FELICIA A.
Sandia National Labs., Albuquerque, NM (United States); Sandia National Labs., Livermore, CA (United States). Funding organisation: US Department of Energy (United States), 2001
Abstract
[en] Event tree analysis and Monte Carlo-based discrete event simulation have been used in risk assessment studies for many years. This report details how features of these two methods can be combined with concepts from object-oriented analysis to develop a new risk assessment methodology with some of the best features of each. The resultant Object-Based Event Scenarios Tree (OBEST) methodology enables an analyst to rapidly construct realistic models for scenarios for which an a priori discovery of event ordering is either cumbersome or impossible (especially those that exhibit inconsistent or variable event ordering, which are difficult to represent in an event tree analysis). Each scenario produced by OBEST is automatically associated with a likelihood estimate because probabilistic branching is integral to the object model definition. The OBEST method uses a recursive algorithm to solve the object model and identify all possible scenarios and their associated probabilities. Since scenario likelihoods are developed directly by the solution algorithm, they need not be computed by statistical inference based on Monte Carlo observations (as required by some discrete event simulation methods). Thus, OBEST is not only much more computationally efficient than these simulation methods, but it also discovers scenarios that have extremely low probabilities as a natural analytical result--scenarios that would likely be missed by a Monte Carlo-based method. This report documents the OBEST methodology, the demonstration software that implements it, and provides example OBEST models for several different application domains, including interactions among failing interdependent infrastructure systems, circuit analysis for fire risk evaluation in nuclear power plants, and aviation safety studies
Source
1 Mar 2001; 274 p; AC04-94AL85000; Available from https://www.osti.gov/servlets/purl/780308-q0KH42/native/
Record Type
Report
Duran, Felicia A.; Camp, Allen L.; Apostolakis, G.; Golay, M.
Sandia National Labs., Albuquerque, NM (United States); Sandia National Labs., Livermore, CA (United States). Funding organisation: US Department of Energy (United States), 2000
Abstract
No abstract available
Source
6 Jul 2000; 8 p; PSAM 5: International Conference on Probabilistic Safety Assessment and Management; Osaka (Japan); 27 Nov - 1 Dec 2000; AC04-94AL85000; Also available from OSTI as DE00760797; PURL: https://www.osti.gov/servlets/purl/760797-hy11wa/webviewable/
Record Type
Report
Literature Type
Conference
Duran, Felicia A.; Wyss, Gregory; Jaeger, Calvin
The ASME Foundation, Inc., Three Park Avenue, New York, NY 10016-5990 (United States), 2012
Abstract
[en] Document available in abstract form only. Full text of publication follows: With the uncertain future of the proposed Yucca Mountain Repository for final disposal of used light water reactor fuel, the need to store these fuels past their current regulatory certification periods has become clear. This situation presents possible regulatory and technical issues with regard to both storage safety and security. The U.S. Department of Energy (DOE), Office of Nuclear Energy (NE) is engaged in a program to develop the technical bases for extending dry storage and subsequent transportation of used nuclear fuel (UNF). The DOE/NE program addressing this issue is divided into four main topical areas: Research and Development (R and D) Opportunities, Security, Transportation, and Concept Evaluations. This paper will discuss work to address security issues for long-term storage of UNF. The time-frame for long-term management of UNF is currently defined to be on the order of 300 years. This longer time-frame presents possible regulatory and technical issues with regard to both storage safety and security. Issues associated with maintaining security for very long-term storage are being identified and addressed. An assessment has been performed of security regulations, including those from the U.S. Nuclear Regulatory Commission and the DOE, for impacts over the longer time-frame.
Source
2012; 1 p; American Society of Mechanical Engineers - ASME; New York (United States); ICEM2011: 14. international conference on Environmental Remediation and Radioactive Waste Management; Reims (France); 25-29 Sep 2011; Country of input: France
Record Type
Book
Literature Type
Conference
Duran, Felicia A.; Wyss, Gregory D.
The ASME Foundation, Inc., Three Park Avenue, New York, NY 10016-5990 (United States), 2012
Abstract
[en] Material control and accountability (MC and A) operations that track and account for critical assets at nuclear facilities provide a key protection approach for defeating insider adversaries. MC and A activities, from monitoring to inventory measurements, provide critical information about target materials and define security elements that are useful against insider threats. However, these activities have been difficult to characterize in ways that are compatible with the path analysis methods that are used to systematically evaluate the effectiveness of a site's protection system. The path analysis methodology focuses on a systematic, quantitative evaluation of the physical protection component of the system for potential external threats, and often calculates the probability that the physical protection system (PPS) is effective (PE) in defeating an adversary who uses that attack pathway. In previous work, Dawson and Hester observed that many MC and A activities can be considered a type of sensor system with alarm and assessment capabilities that provide recurring opportunities for 'detecting' the status of critical items. This work has extended that characterization of MC and A activities as probabilistic sensors that are interwoven within each protection layer of the PPS. In addition, MC and A activities have similar characteristics to operator tasks performed in a nuclear power plant (NPP) in that the reliability of these activities depends significantly on human performance. Many of the procedures involve human performance in checking for anomalous conditions. Further characterization of MC and A activities as operational procedures that check the status of critical assets provides a basis for applying human reliability analysis (HRA) models and methods to determine probabilities of detection for MC and A protection elements. 
This paper will discuss the application of HRA methods used in nuclear power plant probabilistic risk assessments to define detection probabilities and to formulate 'timely detection' for MC and A operations. This work has enabled the development of an integrated path analysis methodology in which MC and A operations can be combined with traditional sensor data in the calculation of PPS effectiveness. Explicitly incorporating MC and A operations into the existing evaluation methodology provides the basis for an effectiveness measure for insider threats, and the resulting PE calculations will provide an integrated effectiveness measure that addresses both external and insider threats. The extended path analysis methodology is being further investigated as the basis for including the PPS and MC and A activities in an integrated safeguards and security system for advanced fuel cycle facilities. This work has demonstrated the application of HRA methods used in NPP PRAs for defining detection probabilities for MC and A activities. The approaches used to characterize and evaluate MC and A activities highlight their importance as protection elements for insider theft. In addition, this work has identified three key MC and A factors that can be manipulated to enhance the effectiveness of MC and A as a 'sensor' within the larger PPS. The overall MC and A detection probability can be increased by proper selection of MC and A activities. The effectiveness of subsequent observations can also be increased by reducing the dependence between observations through the use of HRA and human factor techniques. Finally, steps can be taken to lengthen the adversary's timeline by reducing the frequency of potentially vulnerable states and providing more opportunities for MC and A detection. 
Defining MC and A detection probabilities has supported the probabilistic basis for and enabled the development of an extended path analysis methodology in which MC and A protections can be combined with traditional sensor data in the calculation of PPS effectiveness. In evaluating the initial modeling and analysis, it is evident that these methods are most applicable for protracted theft and discontinuous timeline scenarios - current methods are adequate for abrupt theft scenarios. Explicitly incorporating MC and A protection into the existing S and S system evaluation provides the basis for an effectiveness measure for insider threats. The resulting PE calculations provide an integrated effectiveness measure that addresses both outsider and insider threats. (authors)
Source
2012; 8 p; American Society of Mechanical Engineers - ASME; New York (United States); ICEM2011: 14. international conference on Environmental Remediation and Radioactive Waste Management; Reims (France); 25-29 Sep 2011; Country of input: France; 7 refs.
Record Type
Book
Literature Type
Conference
Wyss, Gregory; Hinton, John; Clem, John; Silva, Consuelo; Duran, Felicia A.
The ASME Foundation, Inc., Three Park Avenue, New York, NY 10016-5990 (United States), 2012
Abstract
[en] Document available in abstract form only. Full text of publication follows: Decision makers wish to use risk-based cost-benefit analysis to prioritize security investments. However, understanding security risk requires estimating the likelihood of attack, which is extremely uncertain and depends on unquantifiable psychological factors like dissuasion and deterrence. In addition, the most common performance metric for physical security systems, probability of effectiveness at the design basis threat [P(E)], performs poorly in cost-benefit analysis. It is extremely sensitive to small changes in adversary characteristics when the threat is near a system's breaking point, but very insensitive to those changes under other conditions. This makes it difficult to prioritize investment options on the basis of P(E), especially across multiple targets or facilities. To overcome these obstacles, a Sandia National Laboratories Laboratory Directed Research and Development project has developed a risk-based security cost-benefit analysis method. This approach characterizes targets by how difficult it would be for adversaries to exploit each target's vulnerabilities to induce consequences. Adversaries generally have success criteria (e.g., adequate or desired consequences and thresholds for likelihood of success), and choose among alternative strategies that meet these criteria while considering their degree of difficulty in achieving their successful outcome. Investments reduce security risk as they reduce the severity of consequences available and/or increase the difficulty for an adversary to successfully accomplish their most advantageous attack.
Source
2012; 1 p; American Society of Mechanical Engineers - ASME; New York (United States); ICEM2011: 14. international conference on Environmental Remediation and Radioactive Waste Management; Reims (France); 25-29 Sep 2011; Country of input: France
Record Type
Book
Literature Type
Conference
Duran, Felicia A.; Camp, Allen L.; Apostolakis, George E.; Golay, Michael W.
PSAM 5: Probabilistic safety assessment and management, 2000
Abstract
[en] This paper summarizes the development of a framework for risk-based regulation and design for new nuclear power plants. Probabilistic risk assessment methods and a rationalist approach to defense in depth are used to develop a framework that can be applied to identify systematically the regulations and standards required to maintain the desired level of safety and reliability. By implementing such a framework, it is expected that the resulting body of requirements will provide a regulatory environment that will ensure protection of the public, will eliminate the burden of requirements that do not contribute significantly to safety, and thereby will improve the market competitiveness of new plants. (author)
Source
Kondo, S.; Furuta, K. (University of Tokyo, Tokyo (Japan)) (eds.); 2820 p; ISBN 4-946443-64-9; 2000; p. 2193-2198; PSAM 5: 5. international conference on probabilistic safety assessment and management; Osaka (Japan); 27 Nov - 1 Dec 2000; Vol. 4/4; 4 refs., 2 figs.
Record Type
Book
Literature Type
Conference
Apostolakis, George E.; Golay, Michael W.; Camp, Allen L.; Duran, Felicia A.; Finnicum, David; Ritterbusch, Stanley E.
Proceedings of the advisory committee on reactor safeguards workshop on future reactors, 2001
Abstract
[en] The overall purpose of the new approach, termed Risk-Informed Regulation, is to formulate a method of regulation that is logically consistent and devised so that both the reactor designer and regulator can work together in obtaining systems able to produce economical electricity safely. In this new system the traditional tools (deterministic and probabilistic analyses, tests and expert judgement) and treatments (defense-in-depth, conservatism) of safety regulation would still be employed, but the logic governing their use would be reversed from the current treatment. In the new treatment, probabilistic risk analysis (PRA) would be used as the paramount decision support tool, taking advantage of its ability to integrate all of the elements of system performance and to represent the uncertainties in the results. The latter is the most important reason for this choice, as the most difficult part of safety regulation is the treatment of uncertainties, not the assurance of expected performance. The scope of the PRA would be made as large as that of the reactor system, including all of its performance phenomena. The models and data of the PRA would be supported by deterministic analytical results, and data to the extent feasible. However, as in the current regulatory system, the models and data of the PRA would require being complemented by subjective judgements where the former were inadequate. All of these elements play important roles in the current decision-making structure; the main departure from current practice would be making all of these treatments explicit within the PRA, therefore, decreasing the frequency of sometimes arbitrary judgments. In the intended sense the PRA would be used as a vehicle for stating the beliefs of the designer and regulatory decision-maker; the foundation of their decisions. 
Thus, the PRA should be viewed as a Bayesian decision tool, and be used in order to take advantage of its capabilities in integration and inclusion of uncertainties.
Source
U.S. Nuclear Regulatory Commission, Advisory Committee on Reactor Safeguards, Washington, DC (United States); 340 p; Dec 2001; p. 237-271; Advisory committee on reactor safeguards workshop on future reactors; Rockville, MD (United States); 4-5 Jun 2001; 8 figs, 1 tab
Record Type
Report
Literature Type
Conference