ML20053D224

Safeguards Sys Effectiveness Modeling.
ML20053D224
Person / Time
Site: Clinch River
Issue date: 05/28/1982
From: Boozer D, Susan Daniel, Hulme B
SANDIA NATIONAL LABORATORIES
To:
Shared Package
ML20053D221 List:
References
SAND76-0428, SAND76-428, NUDOCS 8206040205



{{#Wiki_filter:


SAND 76-0428
Unlimited Release

SAFEGUARDS SYSTEM EFFECTIVENESS MODELING*

Drayton D. Boozer, Systems Studies and Engineering Division 1754
Bernie L. Hulme, Numerical Mathematics Division 5122
Sharon L. Daniel, Reactor Safety Studies Division 5411
G. Bruce Varnado, Nuclear Fuel Cycle Systems Safety Division 5412
Harold A. Bennett, Leon D. Chapman, and Dennis Engi, Systems Analysis Division 5741
Sandia Laboratories, Albuquerque, NM 87115

ABSTRACT

A general methodology for the comparative evaluation of physical protection system effectiveness at nuclear facilities is presently under development. The approach is applicable to problems of sabotage or theft at fuel cycle facilities. In this paper, the overall methodology and the primary analytic techniques used to assess system effectiveness are briefly outlined.

* Presented at the 17th Annual Meeting of the Institute of Nuclear Materials Management, Seattle, WA, June 22-24, 1976.

ACKNOWLEDGMENTS

The authors are indebted to Diane Holdridge for her development of subroutines which implement the shortest path algorithms in versions tailored to our special needs, and to R. B. Worrell for his suggestions on the application of set equation manipulation routines to the vital location analysis.

SAFEGUARDS SYSTEM EFFECTIVENESS MODELING

Introduction

Sandia Laboratories is currently engaged in several ERDA and NRC sponsored programs dealing with the physical protection of nuclear materials and nuclear facilities. To provide a systematic approach to the problem of physical security, a methodology has been developed which considers the interrelations of elements within the overall system and provides a framework for the system integration of each element. To implement the methodology, several analytic tools have been developed to identify key plant protected areas and to evaluate various alternatives to the security system.

Methodology

The safeguards effectiveness evaluation methodology discussed here combines several analytic techniques to provide a means of assessing the relative vulnerability of fixed facilities to sabotage or theft. The elements of the analytic procedure are shown in Figure 1.

[Figure 1. Safeguards Effectiveness Evaluation. Block diagram linking: Plant Physical Layout, Security System Description, Fault Tree Study, Vital Location Analysis, Minimum Path Analysis, Protection Strategies, Modifications, Adversary Attributes, Computer Graphics Display, Site Security Simulation.]

The basic input information required includes: 1) definition of what can be done to cause the undesired event (Fault Tree Study), 2) physical description of the facility (Plant Physical Layout), 3) details of the security system (Security System Description), and 4) characteristics of the adversary (Adversary Attributes). From this initial information a model of the facility is developed which reflects the physical characteristics of the site and the likely targets for sabotage or theft. Specific adversary action sequences which place the greatest stress (in some sense) on the security system are analytically selected for detailed analysis. These sequences are defined in terms of paths from the boundary of the facility to one or more target areas. The barrier penetration times, alarm probabilities, and guard response information for the paths are used along with the adversary attributes in a simulation model to obtain a relative measure of the effectiveness of the security system. Alternative security systems are evaluated by modifying the appropriate parameters in the plant model and cycling through the path analysis and simulation model. The variation of system effectiveness with changes in the model parameters can be rapidly evaluated by repeated application of the process. An interactive computer graphics display system provides an efficient means of changing input data and reviewing the results at different stages of the cycle.

The fundamental analytical tools used in the analyses are fault tree analysis, graph-theoretic modeling, and system simulation modeling. The application of each of these mathematical techniques to the effectiveness evaluation process is discussed below.

Fault Tree Analysis

A fault tree is a logic diagram which graphically represents all of the combinations of component and subsystem events which can result in a specified undesired system state. The undesired state for our purposes is either the theft of nuclear material or the sabotage of a nuclear facility. The fault tree analysis provides a means to inventory the combinations of initiating events which can produce the undesired event.

The fault tree study provides the information on what must be done to cause the undesired event. In regard to sabotage, the fault tree specifies the combinations of destructive or damaging manipulations an adversary must complete to cause the release of radioactivity from the facility. Each combination of initiating events is specified as a term in a logic equation. The fault tree study can be performed on a generic basis (to some level of detail) to define the subsystems and components which require protection in a given type of facility.

The next step in the modeling process is to determine where in the facility the various initiating events can be accomplished (Vital Location Analysis). Each initiating action in the system fault tree is replaced by the location or combination of locations at which the action can be accomplished. This amounts to a transformation of variables in the event equation to obtain a location equation for the undesired event, that is, to determine the combinations of locations to which the adversary must gain access. The location information is directly related to physical protection of the site because the locations are identified as buildings, rooms, and compartments for which barrier, alarm, and assessment systems can be designed.

Strategies for protection of the facility can be formulated by further processing of the location equation. By forming the complement of the equation, one can determine the minimum sets of locations which must be protected in order to assure that none of the action sequences can be completed. Measures such as cost or impact on operability may also be applied to the locations to obtain an ordering of the complement terms with respect to the desired measure. The effect of response measures other than guard force action can also be assessed. Damage control measures, which provide a defense against certain sabotage acts, can reduce the requirements for physical protection in some areas of the plant. Analyses such as these can help set priorities for protection of vital locations.

The usefulness of these techniques is illustrated in their application to the LWR sabotage problem. The fault tree for a typical LWR contains approximately 250 initiating actions. There are literally thousands of combinations of these initiating actions which will cause the undesired event, far too many for a detailed analysis of each. The initiating actions can be accomplished at 35 locations, with 125 possible combinations leading to completed sabotage action sequences. The minimum complement set contains 11 locations. Therefore, it would be possible to preclude all of the thousands of possible sabotage sequences at an LWR by assuring that the adversary could not gain access to 11 specific locations.

The next step is to select for detailed analysis one or more paths from the boundary of the facility to each of the locations of interest. The paths chosen should be ones which optimize the adversary's probability of success and therefore place the greatest burden on the safeguards system. The process for selecting these "most stressing" paths is discussed in the following section.
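As an added illustration of the vital location analysis just described (example code written for this page, not the set equation routines the paper relies on), the following Python carries a small constructed fault tree through the steps above: the event equation is a list of minimal cut sets, each initiating action is replaced by the locations where it can be done, the resulting location equation is minimized, its complement is computed as the minimal sets of locations whose denial blocks every sequence, those sets are ordered by a hypothetical protection cost, and damage control is modeled by removing the cut sets it defends against. The fault tree, the locations, and the costs are invented for the example.

```python
from itertools import combinations, product

# Constructed toy fault tree (not the LWR tree of the paper). The undesired event is the OR of
# these minimal cut sets; each cut set is an AND of initiating actions the adversary must complete.
FAULT_TREE_CUT_SETS = [
    {"cut_offsite_power", "disable_diesel_A", "disable_diesel_B"},
    {"open_valve_1", "disable_pump_X"},
    {"open_valve_1", "disable_pump_Y"},
    {"breach_tank_2"},
]

# Where each action can be accomplished (hypothetical rooms); a list means "any one of these".
ACTION_LOCATIONS = {
    "cut_offsite_power": ["switchyard"],
    "disable_diesel_A": ["diesel_room"],
    "disable_diesel_B": ["diesel_room"],
    "open_valve_1": ["valve_gallery", "control_room"],
    "disable_pump_X": ["pump_room"],
    "disable_pump_Y": ["pump_room", "control_room"],
    "breach_tank_2": ["tank_vault"],
}

# Hypothetical cost of hardening each location (barriers, alarms, assessment).
PROTECTION_COST = {"switchyard": 5, "diesel_room": 2, "valve_gallery": 3,
                   "pump_room": 1, "control_room": 2, "tank_vault": 1}


def minimize(sets):
    """Keep only the minimal terms of a sum-of-products: drop any set that contains another."""
    uniq = {frozenset(s) for s in sets}
    return sorted((s for s in uniq if not any(o < s for o in uniq)),
                  key=lambda s: (len(s), sorted(s)))


def apply_damage_control(cut_sets, defended_actions):
    """Damage control measures defend against certain sabotage acts: any cut set that relies on
    a defended action no longer leads to the undesired event."""
    return [cs for cs in cut_sets if not (cs & set(defended_actions))]


def location_cut_sets(cut_sets, action_locations):
    """Transform the event equation into a location equation: substitute, for each action, the
    locations where it can be done, expand the products, and minimize."""
    terms = []
    for cs in cut_sets:
        alternatives = [action_locations[a] for a in sorted(cs)]
        for choice in product(*alternatives):
            terms.append(frozenset(choice))
    return minimize(terms)


def minimal_protection_sets(loc_cut_sets):
    """Complement of the location equation: minimal sets of locations that intersect every
    location cut set, so denying all of them blocks every sabotage sequence. Brute force over
    subsets by increasing size, so every set kept is minimal."""
    universe = sorted(set().union(*loc_cut_sets))
    found = []
    for size in range(1, len(universe) + 1):
        for combo in combinations(universe, size):
            s = frozenset(combo)
            if any(f <= s for f in found):
                continue                       # a smaller protection set already covers this one
            if all(s & cs for cs in loc_cut_sets):
                found.append(s)
    return found


def rank_by_cost(protection_sets, cost):
    """Order the complement terms by a measure such as protection cost (cheapest first)."""
    return sorted(protection_sets, key=lambda s: (sum(cost[l] for l in s), sorted(s)))


if __name__ == "__main__":
    loc_sets = location_cut_sets(FAULT_TREE_CUT_SETS, ACTION_LOCATIONS)
    print("location cut sets:", [sorted(s) for s in loc_sets])
    for s in rank_by_cost(minimal_protection_sets(loc_sets), PROTECTION_COST):
        print("protect", sorted(s), "cost", sum(PROTECTION_COST[l] for l in s))
    reduced = apply_damage_control(FAULT_TREE_CUT_SETS, ["breach_tank_2"])
    print("with damage control for tank 2:",
          [sorted(s) for s in minimal_protection_sets(location_cut_sets(reduced, ACTION_LOCATIONS))])
```

The brute-force complement is fine for a toy; at the scale of the paper's LWR tree (35 locations, 125 combinations) it is the set equation manipulation routines mentioned in the acknowledgments that make the complement tractable.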

Minimum Path Analysis

In a facility as large and complex as a nuclear power reactor plant, there is an enormous number of possible paths an adversary can take to complete a particular action sequence. In order to systematically study these possibilities, a discrete model of the plant layout called a graph [5] has been developed. A graph is simply a network of nodes and arcs. In our model the nodes represent locations (i.e., points on the plant boundary, on internal barriers, and at vital hardware locations), and the arcs are ways to travel between locations. Both the nodes and arcs are assigned weights which are measures of some quantity to be minimized. By looking for certain paths in the graph that are shortest in the sense of the given weights, one can find physical routes through the plant that are optimal for the adversary. When shortest-time paths are sought, the boundary and barrier node weights are minimum penetration times, the hardware node weights represent minimum removal or destruction times, and the arc weights are minimum transit times.

The theft problem [9] is to find all the shortest paths from any boundary node to any one hardware node and then back to any boundary node. In the sabotage problem different combinations of the hardware nodes in the graph form minimal sets of hardware whose destruction can cause a nuclear release, and the adversary's escape is not essential. The sabotage problem then is to find all the shortest paths from any boundary node through all of the hardware nodes or locations in one of the sets that could lead to completion of a sabotage sequence, without returning to the boundary. Unfortunately, the sabotage problem is difficult to solve efficiently. Therefore, a lower bound on the sabotage times is obtained by studying the worst-case situation of simultaneous sabotage by several teams, each having only one hardware node as a target [15].

Even with a computer it is impossible, in a reasonable amount of time, to identify and evaluate the length of every path of the type to be minimized, because the number of such paths can be factorial in the number of nodes. However, a technique has been developed for applying to both the theft and the simultaneous sabotage problems an algorithm due to Dijkstra as modified by Yen [6, 7]. This algorithm is the best known search procedure for finding the lengths of the shortest paths in a graph from one node to all others because it is guaranteed to work and the computer run time is proportional to only the square of the number of nodes. A process which traces and saves all of the shortest paths as well as their lengths has been added to the Dijkstra algorithm.
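The following Python is an added example (not the Sandia path analysis program) showing the pieces of the minimum path analysis on a small constructed plant graph: a Dijkstra search that keeps every tying predecessor so that all shortest paths can be traced, node weights charged on entry as the section describes, the theft problem as an inbound multi-source search plus an outbound search from each hardware node, and the simultaneous-sabotage lower bound as the slowest of the per-target shortest times. The graph, its weights, and the rule that a re-entered barrier is charged its full penetration time again are assumptions of the example.

```python
import heapq

# Constructed plant graph (hypothetical; not a real facility). Node weight = minimum time spent
# at the node: penetration time for boundary/barrier nodes, removal/destruction time for hardware.
NODES = {
    "B1": ("boundary", 5), "B2": ("boundary", 8),
    "D1": ("barrier", 3),  "D2": ("barrier", 6),
    "H1": ("hardware", 4), "H2": ("hardware", 2),
}
# Undirected arcs with minimum transit times.
ARCS = [("B1", "D1", 10), ("B2", "D2", 4), ("D1", "H1", 2), ("D2", "H1", 3),
        ("D1", "D2", 6), ("D2", "H2", 5), ("H1", "H2", 7), ("D1", "H2", 5)]


def adjacency(arcs):
    adj = {n: [] for n in NODES}
    for u, v, w in arcs:
        adj[u].append((v, w))
        adj[v].append((u, w))
    return adj


def dijkstra_all(adj, sources, charge_node_weight=lambda n: True):
    """Dijkstra from a set of sources, keeping *every* predecessor that achieves the minimum so
    that all shortest paths can be traced afterwards. Entering a node costs the arc weight plus the
    node weight; a source's own weight is charged only if charge_node_weight(source) says so.
    Assumption of this example: an already-breached barrier is charged again if re-entered."""
    dist, preds, heap = {}, {}, []
    for s in sources:
        d0 = NODES[s][1] if charge_node_weight(s) else 0
        if d0 < dist.get(s, float("inf")):
            dist[s], preds[s] = d0, []
            heapq.heappush(heap, (d0, s))
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                         # stale heap entry
        for v, w in adj[u]:
            nd = d + w + NODES[v][1]
            if nd < dist.get(v, float("inf")):
                dist[v], preds[v] = nd, [u]
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v] and u not in preds[v]:
                preds[v].append(u)           # a tie: another shortest path reaches v
    return dist, preds


def trace_paths(preds, target):
    """Enumerate all shortest paths ending at target (each as a list from a source to target)."""
    if not preds[target]:
        return [[target]]
    return [p + [target] for u in preds[target] for p in trace_paths(preds, u)]


def theft_problem(adj):
    """Shortest boundary -> hardware -> boundary route: inbound multi-source search, then for each
    hardware node an outbound search that does not re-charge the hardware node's own weight."""
    boundary = [n for n, (k, _) in NODES.items() if k == "boundary"]
    d_in, p_in = dijkstra_all(adj, boundary)
    best = None
    for h, (kind, _) in NODES.items():
        if kind != "hardware":
            continue
        d_out, p_out = dijkstra_all(adj, [h], charge_node_weight=lambda n: False)
        exit_b = min(boundary, key=lambda b: d_out[b])
        total = d_in[h] + d_out[exit_b]
        if best is None or total < best[0]:
            routes = [i + o[1:] for i in trace_paths(p_in, h) for o in trace_paths(p_out, exit_b)]
            best = (total, h, routes)
    return best


def simultaneous_sabotage_bound(adj, sabotage_sets):
    """Lower bound on sabotage time: several teams attack simultaneously, one hardware node each,
    so a set takes as long as its slowest target; the bound is the minimum over sabotage sets."""
    boundary = [n for n, (k, _) in NODES.items() if k == "boundary"]
    d_in, _ = dijkstra_all(adj, boundary)
    return min(max(d_in[h] for h in s) for s in sabotage_sets)


if __name__ == "__main__":
    adj = adjacency(ARCS)
    d, p = dijkstra_all(adj, ["B1", "B2"])
    for h in ("H1", "H2"):
        print(h, "reached in", d[h], "via", trace_paths(p, h))
    print("theft:", theft_problem(adj))
    print("simultaneous sabotage bound:", simultaneous_sabotage_bound(adj, [{"H1", "H2"}]))
```

The tie at H2 (two different boundary-to-target routes of equal length) is why the predecessor lists are kept: a security upgrade that lengthens only one of the tying paths does not change the adversary's shortest time, and an analyst looking at a single traced path would miss that.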

Computer Graphics Package

An interactive computer graphics program has been developed to compute and display the shortest paths in a graph model of a nuclear power reactor plant. The physical layout of the plant (locations of buildings, obstacles, equipment, and vital materials) can be displayed in plan view on the graphics screen together with the shortest paths to the vital locations. The interactive capability allows the analyst to change plant characteristics from the graphics terminal and thereby to rapidly assess the effect of upgrades in plant defenses.

The internal barriers subdivide a plant into regions, and each level of a building contains one or more regions. To display the details of either a level or a region, it is necessary to digitize 1) the lines defining the level or region, 2) the coordinates of the graph nodes (boundary, barrier, and hardware) of the level or region, and 3) the coordinates of pseudo-nodes which outline obstacles within a region. These coordinates are also used to automatically compute the arc weights for the graph model as follows.

The arc weights are the transit times between each pair of nodes of a region. In each region an auxiliary graph is constructed by connecting every node and pseudo-node by a straight line to every other node and pseudo-node, except that such lines intersecting obstacles in the region are deleted. Floyd's algorithm [10] is applied to each auxiliary graph to find the lengths of the shortest paths between every pair of nodes in the corresponding region. Because of the way the auxiliary graph is constructed, these distances are the lengths of routes which go around, not through, obstacles within a region. Therefore, distances for shortest physical routes between nodes are obtained, and these are divided by travel velocities to obtain the desired arc weights. The path analysis program provides barrier sequences and delay time information for use in the simulation modeling.
Simulation Models

Dynamic simulation models have been developed to obtain a better understanding of the complex interactions between adversaries and security system components. Many of the relationships used in these models are difficult to define and so are based on either experience or intuition. As such, many would be quick to discount the potential of such a model on the basis of inadequate data; however, the purpose of a model should be to explore the interrelationships of the variables, their relative importance, and required accuracy. In addition, constructing the model forces the analyst to openly describe relationships between components, acknowledge inconsistencies, and critique results. It also offers a straightforward solution to otherwise hard-to-envision multidimensional interactions. Within the framework of the above statements, the dynamic models can provide a relative evaluation of proposed changes in safeguards systems.

Forcible Entry Safeguard Effectiveness Model (FESEM) -- The Forcible Entry Safeguard Effectiveness Model [11] is used to evaluate alternative fixed-site protection systems. The model requires as input the characteristics of the fixed site to be evaluated. Response forces must be characterized by number, size, response time, and probability of their receiving valid communication of both external and internal attacks. (External implies no inside assistance, while internal means the adversary has inside assistance.) Barriers must be specified by number, type, and thickness. If the barrier is alarmed, the probability of the alarm working for external and internal attacks must be specified. The distance between barriers and the probability of a high explosive (HE) detonation being detected, if the adversary uses HE to penetrate a barrier, must be inputs to FESEM.

The model is capable of selecting the adversary attributes at random for attacks against the fixed-site design. These attributes include the number of adversaries, types of weapons (side arms or automatic weapons), and their resources for barrier penetration (such as tools but no HE, or tools plus HE). In addition, four types of adversary attacks are considered: sabotage/internal, sabotage/external, theft/internal, and theft/external. Internal attacks imply that the adversaries have an insider working at the fixed site who may, by intent or under duress, degrade the alarm and communication systems. The mode of transportation (vehicles, no vehicles, or air vehicles) and the dedication of the adversaries can be treated as random variables in the generation of adversary attributes.

Given these inputs, along with an attack path, the computer model can simulate a large number of adversary attacks against the site design in evaluating the effectiveness of the concept. Barrier breaks, delays provided by barriers, crossing times between barriers, and advancements along the path are simulated. Alarms at a given barrier may trigger communications to the on-site guard force, which comes to the scene and assesses the situation. Upon the arrival of any guard force, an engagement is initiated if the adversary resists. During the engagement simulation the theft or sabotage is interrupted. If the adversary wins the engagement, the theft or sabotage resumes and may be interrupted by the arrival of the off-site guard force or completed. After a number of simulations, the results are accumulated to determine the relative effectiveness of the alternate design against the threat.

FESEM provides a framework for performing inexpensive experiments on fixed-site systems and for determining the relative cost-benefit of different safeguards options. What has evolved with the development of FESEM is a structured, analytically based approach which can provide an evaluation of proposed fixed-site security changes. The validity of the model should improve as improved data become available and different site configurations are studied.

Insider Safeguard Effectiveness Model (ISEM) -- The purpose of ISEM is to simulate the interaction of insiders with the security system of nuclear facilities. In ISEM, insiders are considered to be the threat, whereas in FESEM insiders serve to degrade the effectiveness of the system against an external threat. ISEM can model various insider approaches (e.g., stealth, deceit) to theft or sabotage against the personnel control system, that is, the set of sensors, portals, barriers, and security force personnel used to control personnel within a nuclear facility. The plant consists of three basic entities: areas, portals, and barriers. Gates and doors are also considered special cases of portals. Portals are of either personnel, material, or vehicle types. Area, point, or line sensors are modeled.
Area sensors are CCTV's, microwave, and ultrasonic sensors. Point sensors include SNM sensors in portals and pressure sensors in glove boxes. Line sensors are typically in fences and may respond to one of several parameters such as pressure, seismic shock, etc. Plant personnel are either guards or employees. Personnel have authorized areas, typically specified plant areas. Guards are further subdivided into on-station and patrol guards: on-station guards are used to operate portal sensors and to assess alarms from these sensors, whereas patrol guards are used for response to more serious alarms. Skill attributes are used for employees identified as insiders in determining detection probabilities. This probability is also affected by the personnel density and the number of CCTV's in the area. Following an assessment delay, an action is taken based on a preplanned response to each alarm.

It is evident that a large number of possible insider exit paths exist if one allows the possibility of forcible "breakout" scenarios. Generally only a subset of plant entities are involved in a particular insider path; however, ISEM is structured so that initially all required plant data can be input and then used only on the paths for which it is applicable. For a particular path, the model is best illustrated by the sequence shown in Figure 2. This particular path involves insider exit from a material access area, through two portals, to the plant exterior. For this case, two sensor systems are shown. The response typically involves guards; however, action such as locking portals can be taken.

[Figure 2. Insider Sequence / Safeguard System Interaction. Block diagram: the insider leaves a material access area through a portal, an intermediate area, and a second portal to the plant exterior; sensors at the two portals feed sensing logic and an alarm to security control, which directs the guard response.]

The actual engagement between insiders and guards is modeled as a discrete-state/continuous-time stochastic process in which guard arrivals are counted and constrained to insure feasibility. Transition times between states are assumed to be continuous random variables which can be a function of force size, weapons, competence, and other parameters that are thought to be relevant and quantifiable. Distributions of the transition times, along with a count of the number of guard arrivals, completely specify the stochastic process which describes the engagement.

The Insider Safeguard Effectiveness Model (ISEM) is based on the following assumptions: 1) a critical insider path is identified at input, 2) one insider carries the material, 3) all insiders potentially degrade alarm systems, 4) guard responses are preplanned for each alarm, 5) employees and guards are treated as groups having composite attributes, and 6) insiders are identified on an individual basis. Further extensions to ISEM will involve development of an insider sequence generator, inclusion of individual personnel attributes, and further development of the engagement model. The primary contribution of ISEM is that it provides a framework within which safeguard system effectiveness measures can be generated for the personnel control aspect of the insider problem.
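As an added example of the kind of computation the simulation models above perform (constructed for this page; it is not FESEM or ISEM code and is far simpler than either), the Python below takes a hypothetical attack path of barriers with penetration times and alarm probabilities, a response time, an alarm communication probability, and an optional insider degradation of the alarms. It computes the probability that the attack is interrupted, first analytically, assuming the response force is dispatched by the first communicated alarm and wins any engagement, and then by Monte Carlo trials that also draw the engagement outcome and fall back to an off-site force. All numbers are invented.

```python
import random

# Constructed attack path (hypothetical numbers): barriers in the order met, each with the
# minimum penetration time (s) and the probability that its alarm works.
PATH = [("fence", 30, 0.90), ("building_door", 60, 0.80), ("vital_area_door", 120, 0.95)]
TASK_TIME = 90          # time at the target to complete the theft or sabotage act (s)
P_COMM = 0.95           # probability a working alarm is validly communicated to the response force
RESPONSE_TIME = 250     # on-site guard force arrival after dispatch (s)
OFFSITE_TIME = 900      # off-site force arrival after dispatch (s)
ENGAGEMENT_TIME = 60    # assumed delay an engagement imposes on the adversary (s)


def remaining_time(i, path, task_time):
    """Delay still ahead of the adversary when the alarm at barrier i fires (the alarm is assumed
    to fire at the start of that barrier's penetration)."""
    return sum(t for _, t, _ in path[i:]) + task_time


def interruption_probability(path, task_time, response_time, p_comm, insider_degrade=0.0):
    """Analytic probability of interruption, ignoring the engagement outcome: the adversary is
    interrupted iff at least one alarm is raised and communicated while enough delay remains for
    the response force to arrive before completion. Alarms are independent; an insider reduces
    each alarm probability by the factor (1 - insider_degrade)."""
    p_no_timely_alarm = 1.0
    for i, (_, _, p_alarm) in enumerate(path):
        if remaining_time(i, path, task_time) > response_time:
            p_no_timely_alarm *= 1.0 - p_alarm * (1.0 - insider_degrade) * p_comm
    return 1.0 - p_no_timely_alarm


def simulate_attack(path, task_time, response_time, offsite_time, p_comm, p_adversary_wins,
                    rng, insider_degrade=0.0, engagement_time=ENGAGEMENT_TIME):
    """One FESEM-style trial along the path. Returns True if the attack is interrupted."""
    t, dispatched_at = 0.0, None
    for _, pen_time, p_alarm in path:
        if dispatched_at is None and rng.random() < p_alarm * (1.0 - insider_degrade) \
                and rng.random() < p_comm:
            dispatched_at = t                # first communicated alarm dispatches the on-site force
        t += pen_time
    finish = t + task_time
    if dispatched_at is None or dispatched_at + response_time >= finish:
        return False                         # no alarm, or guards arrive after the act is complete
    if rng.random() >= p_adversary_wins:
        return True                          # on-site force wins the engagement
    finish += engagement_time                # adversary wins but was delayed; off-site force is next
    return dispatched_at + offsite_time < finish


def estimate(trials, p_adversary_wins, insider_degrade=0.0, offsite_time=OFFSITE_TIME, seed=1):
    """Monte Carlo estimate of the interruption probability for the constructed path."""
    rng = random.Random(seed)
    hits = sum(simulate_attack(PATH, TASK_TIME, RESPONSE_TIME, offsite_time, P_COMM,
                               p_adversary_wins, rng, insider_degrade) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("analytic P(interruption):",
          round(interruption_probability(PATH, TASK_TIME, RESPONSE_TIME, P_COMM), 4))
    print("analytic, insider halves alarm reliability:",
          round(interruption_probability(PATH, TASK_TIME, RESPONSE_TIME, P_COMM, 0.5), 4))
    print("Monte Carlo, guards always win:", estimate(5000, p_adversary_wins=0.0))
    print("Monte Carlo, adversary wins 40% of engagements:", estimate(5000, p_adversary_wins=0.4))
```

Two properties of the analytic form are worth noticing when reading simulation output: an alarm only counts if the delay remaining after it exceeds the response time, so a detector on the outermost barrier is worth far more than the same detector on the last door, and with a 300 s response the whole path yields zero interruption regardless of how good the alarms are, which is the regime where only more delay (or faster response) helps.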

Conclusion

The modeling techniques described above have been applied to a variety of nuclear facilities. Each of the models is being refined and extended as additional data and theoretical advancements become available. The applicability of the overall methodology has been demonstrated in the analysis of a typical LWR plant. The results of that analysis are being used to guide the conceptual development of a balanced LWR safeguards system.

References

1. R. B. Worrell, Set Equation Transformation System (SETS), SLA-73-0028A, Sandia Laboratories, Albuquerque, New Mexico, July 1974.
2. M. D. Olman, Use of the Set Evaluation Program (SEP) in Fault Tree Analysis, SAND 76-0168, Sandia Laboratories, Albuquerque, New Mexico, to be published, 1976.
3. R. B. Worrell, Common Event Analysis Using Variable Transformations, SAND 76-0024, Sandia Laboratories, Albuquerque, New Mexico, to be published, 1976.
4. D. J. McCloskey, Safety and Security of Nuclear Power Reactors to Acts of Sabotage, SAND 75-0504, Sandia Laboratories, March 1975.
5. N. Deo, Graph Theory with Applications to Engineering and Computer Science, Prentice-Hall, Englewood Cliffs, 1974.
6. E. W. Dijkstra, "A Note on Two Problems in Connection with Graphs," Numer. Math., Vol. 1, pp. 269-271, 1959.
7. J. Y. Yen, "Finding the Lengths of All Shortest Paths in N-Node Nonnegative-Distance Complete Networks Using 1/2 N^3 Additions and N^3 Comparisons," J. Assoc. Comput. Mach., Vol. 19, pp. 423-424, 1972.
8. T. A. Williams and G. P. White, "A Note on Yen's Algorithm for Finding the Length of All Shortest Paths in N-Node Nonnegative-Distance Networks," J. Assoc. Comput. Mach., Vol. 20, pp. 389-390, 1973.
9. B. L. Hulme, Graph Theoretic Models of Theft Problems. I. The Basic Theft Model, SAND 75-0595, Sandia Laboratories, Albuquerque, New Mexico, November 1975.
10. R. W. Floyd, "Algorithm 97, Shortest Path," Comm. ACM, Vol. 5, p. 345, 1962.
11. L. D. Chapman, Effectiveness Evaluation of Alternative Fixed Site Safeguard Security Systems, SAND 75-6159, presented at the 1976 Summer Computer Simulation Conference, July 12-14, 1976, Washington, D.C.
12. H. A. Bennett, Dynamic Model of a Terrorist Attack, SAND 75-0658, Sandia Laboratories, Albuquerque, New Mexico, February 1976.
13. F. W. Lanchester, Aircraft in Warfare: The Dawn of the Fourth Arm, Constable, London, 1916.
14. P. M. Morse and G. E. Kimball, Methods of Operations Research, John Wiley and Sons, 1951.
15. B. L. Hulme, Pathfinding in Graph-Theoretic Sabotage Models. I. Simultaneous Attack by Several Teams, SAND 76-0314, Sandia Laboratories, Albuquerque, New Mexico, June 1976.

}}