ENHANCING A SYSTEMS ENGINEERING AND REGULATORY LIFECYCLE-BASED
FRAMEWORK FOR SECURITY-BY-DESIGN

Year
2023
Author(s)
Adam D. Williams - Sandia National Laboratories
Alan Evans - Sandia National Laboratories
Abstract
“By-design” is an increasingly popular phrase in the expanding discussions revolving around advanced and small modular reactors (A/SMR)—particularly in terms of achieving desired levels of nuclear security performance. A primary driver for these concepts relates to claims that earlier incorporation of such performance-based design decisions results in more efficient facility designs and less re-work. Current thinking to achieve “security-by-design” (SeBD) includes applying traditional physical protection design strategies “early in the design lifecycle,” seeking “intrinsic security…as an integral part of the organization,” and making “security…[a] part of the facility lifestyle.” Yet, both internal and external dynamics related to A/SMRs suggest a need to recharacterize popular interpretations of security-by-design. In response, Sandia National Laboratories—with support from the U.S. National Nuclear Security Administration’s (NNSA) Office of International Nuclear Security (INS)—has introduced a model framework for SeBD that is based on systems engineering and the regulatory lifecycle. Invoking key concepts from systems theory, this framework describes SeBD options by aligning best practices in engineering design with best practices in regulatory decision-making. In contrast to retrofitting security solutions to already completed facility designs, this framework categorizes SeBD options based on whether the A/SMR facility designer (e.g., vendor), operator (e.g., utility), or designer-operator (who plans to own and operate their own facility) should take primary responsibility for execution. As demonstrated in a set of notional use cases, this systems engineering and regulatory lifecycle-based approach to SeBD can result in more economical design for, and more efficient engineering of, security solutions for A/SMRs.
After briefly contextualizing the anticipated benefits of “by-design” concepts, this paper summarizes the range of popular interpretations, including the latest views on “security-by-design.” It then reviews the foundations and characteristics of a systems engineering and regulatory lifecycle framework for SeBD. Next, a set of representative use cases demonstrates the efficacy of this approach and describes the related benefits more precisely. Lastly, the paper discusses conclusions and insights on the adequacy of this systems engineering and regulatory lifecycle framework, as well as implications for next steps toward its continued refinement and deployment.