Science and Technology of Nuclear Installations

Volume 2013 (2013), Article ID 590684, 10 pages

http://dx.doi.org/10.1155/2013/590684

## Solution Monitoring Evaluated by Proliferation Risk Assessment and Fuzzy Optimization Analysis for Safeguards in a Reprocessing Process

Department of Science and Technology for Nuclear Material Management, Japan Atomic Energy Agency, 2-4 Shirane, Shirakata, Tokai-mura, Naka-gun, Ibaraki-ken 319-1195, Japan

Received 21 November 2012; Accepted 17 January 2013

Academic Editor: Jack D. Law

Copyright © 2013 Mitsutoshi Suzuki and Norichika Terao. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Solution monitoring (SM) has been used in a nuclear reprocessing plant as an additional measure to provide assurance that the plant is operated as declared. The inline volume and density monitoring equipment with dip tubes is important for safety and safeguards purposes and is a typical example of safeguards by design (SBD). Recently safety, safeguards, and security by design (3SBD) are proposed to promote an efficient and effective generation of nuclear energy. In 3SBD, proliferation risk assessment has the potential to consider likelihood of the incidence and proliferation risk in safeguards. In this study, risk assessment methodologies for safeguards and security are discussed and several mathematical methods are presented to investigate risk notion applied to intentional acts of facility misuse in an uncertainty environment. Proliferation risk analysis with the Markov model, deterrence effect with the game model, and SBD with fuzzy optimization are shown in feasibility studies to investigate the potential application of the risk and uncertainty analyses in safeguards. It is demonstrated that the SM is an effective measurement system using risk-informed and cost-effective SBD, even though there are inherent difficulties related to the possibility of operator’s falsification.

#### 1. Introduction

As a result of greenhouse warming and increased energy demand, a global trend to introduce nuclear power into emerging countries has been a growing and increasing concern from the international society about the consequent impact on safety, safeguards, and security (3S). Introducing 3S mechanisms in an efficient and effective manner will require not only a balance between economic utilization of energy resource and mandatory installment of 3S countermeasures, but also intercooperation between those practices and implementation. The 3S initiative was launched at the Hokkaido Toyako Summit of 2008 by G8 countries [1] and was partly driven by the fact that the emerging nuclear countries are struggling with lack of national legal and technical expertise. The goals of the 3S initiative are to ensure that countries planning to use nuclear energy are supported by strong national programs and to prove to the international audience that the programs are purely peaceful and that nuclear material is properly handled, accounted for, and protected.

A systematic approach to enhance the timely, efficient and cost-effective integration of safety objectives, material control and accountability, and physical protection into the overall initial planning phase for a nuclear fuel facility may be applied for the introduction of nuclear energy by the “3S by design (3SBD)” methodology in which 3S countermeasures are considered in the design stage of those nuclear facilities [2, 3]. In comparison with numerous safety installations, one of the well-known achievements in safeguards is the solution monitoring (SM) system that was installed into the Rokkasho reprocessing plant (RRP) in the initial design phase as an output of safeguards by design (SBD) activities. Although SM prior to the RRP was limited to the solution storage area in the Tokai reprocessing plant, SM in the RRP includes all tanks in the main process line, containing 12 authenticated and 80 unauthenticated SM instruments. In a modern large reprocessing plant, the SM system plays an important role as an additional measure to provide assurance of the facility operation as declared and also measurement instrument for solution volume and density to verify in-process inventory.

In order to promote the designing work in a quantitative manner, the effective and time-consuming installment of countermeasures could be encouraged by risk assessment to enhance reliability, robustness, and transparency of nuclear facilities in an explicit and implicit manner. Probabilistic safety assessment (PSA) has been developed for several decades in safety and is noted again after the Fukushima accident to perform severe accident analysis. Although safeguards and security communities have different histories and encounter technical aspects due to the inherent nature of intentional and malicious acts, probabilistic risk approach (PRA) should be investigated to pursue cost-effective implementation. In the existing regulations of safeguards and security, it would be not so straightforward that the risk notion is applied to inherent threat and hazard recognition. In addition, the risk notion sometime leads to political and sociological concerns and has not been well discussed so far in an international community. However, in order to enhance the 3SBD methodologies, an integrated risk-informed approach is explored with attention to the scarcity of intentional acts in safeguards and the secrecy of actual incident data in security.

In this paper, we will show the SM system as an example of SBD and will investigate the risk assessment methodologies that could be applied to the integrated risk approach for 3S assessment. In feasibility studies SM will be shown as advanced measurement technologies to ensure an operational transparency and a full obedience of safeguards implementation.

#### 2. Solution Monitoring

In international safeguards, quantitative and timely judgments regarding the location and movement of special nuclear material (SNM) are performed to ensure that there is no loss or unauthorized removal of SNM [4]. Nuclear material accounting (NMA) is used to confirm the quantity of SNM in all declared locations and measurement error uncertainty plays an essential role in NMA. Material balance (MB) closure is conducted after plant shutdown and cleanout measures to move material into measureable locations, so that the time-consuming procedure is conducted on annual basis as physical inventory verification (PIV). As increasing throughput of a reprocessing plant, NMA requires frequent MB with the concept of near-real-time accounting (NRTA) to meet the timeliness goals of international safeguards criteria without shutdown and flush-out as interim inventory verification (IIV). Because the timeliness goals are deterministic and are defined by the conversion time, more frequent inventory verification would become mandatory in a large reprocessing plant dealing with high-burnup fuels if the safeguards measures heavily rely on NMA alone.

Due to concerns about proliferation risk that have been recognized as an important aspect of 3S and about requirement of the timeliness goal of the IAEA safeguards, modern reprocessing facilities should be provided with SM to increase safeguardability [5] as well as to respond to the requirement. As SM in conventional PUREX facilities, the level, density, and temperature (LDT) measurements of tanks are performed in SM management system (SMMS) [6]. Because NMA is a component in the IAEA safeguards, IIV by measurement and/or estimation is mandatory verification in NRTA. SM has become a tool of international safeguards and provides additional assurance that the plant is operated as declared. In addition to this, SM is utilized for partial SNM accounting in which tank volume is measured by SM and the SNM concentration is estimated by an empirical formula that is a function of acidity. However, the frequent NMA is still costly and inefficient, so that an enhanced SM application has been investigated to reduce this burden.

In the SMMS, the LDT tank data is produced by three dip tubes installed into tanks. Each of the three tubes measures pressure at different heights inside the tank, such as the level (), density (), and reference pressure (), as shown in Figure 1.

The three pressure values are used to calculate the density , level , and volume , using (1). The density is calculated from and with a separation height between the density pressure and the level pressure dip tube. And the level is derived from and . The volume is obtained from the level and the temperature with a tank calibration equation (). The three pressure values are measured by high precision pressure transducer connected with dip tubes and the temperature is by thermocouple:

The SM application in the IAEA safeguards must rely on process data that are assured to be accurate and complete to draw safeguards conclusions and the data validity is checked using an authentication process. The authenticated equipment is owned and controlled by the IAEA, and when deployed for an unattended operation, it should be installed with tamper-indicated enclosure and seal system. However, in a large reprocessing facility, the number of SM instruments becomes large and it becomes expensive to install and maintain by the IAEA. Therefore, the IAEA, national safeguards authority, and operator can establish joint use equipment (JUE) resulting in ease of data collection, reduction of maintenance burden, and reduced cost of multiple parties. In case of SM at the RRP, that is, a typical example of JUE, the electric signal from the operator-owned SM is not strictly guaranteed to be secured, so the IAEA randomly selects the instrument for independent authentication in which the inspector can carry an agency-controlled instrument to check for proper operation of the operator equipment [6]. Instead of the authentication of individual instrument, reliability of authentication could be verified by the direct comparison of data collected from adjacent and connected tanks. The notion of self-authentication was proposed to make use of solution transfer between the authenticated and unauthenticated tanks [7]. The self-authentication notion in which falsification attempt of data from any one tank requires falsification of data from connected tanks has not been approved by the IAEA.

#### 3. Risk Assessment Methodologies

One of the most promising synergies resulting from the integrated 3S consideration is the adoption of 3SBD approach for new nuclear facilities. An incorporation of 3S synergism into the conceptual design and system development phase increases regulatory effectiveness as well as operational efficiency and also reduces expensive and time-consuming retrofitting. Promoting 3SBD will require, among other technical and institutional issues, harmonization of the risk notion embedded in each of the “” areas. The benefit of the 3SBD concept has been pointed out and discussed extensively in the international community. To assess the 3S risk, several mathematical tools are mapped according to incidence frequency and governing law as shown in Figure 2.

In safety, PSA has been developed by the long historical trials and discussions. This approach is to estimate the frequencies of accidents and failures from the historical data and to analyze the accident sequence with event trees and fault trees based on these parameters. Because of the recent concern about nuclear security, similar probabilistic assessment was extended for use in developing guidelines for protection of nuclear power plants against sabotage [8]. Although the conventional vulnerability assessment in physical security has been well developed on a deterministic and prescriptive basis, an inherent difficulty in determining the frequency of terrorist attacks by malicious acts is undertaken by the conservative estimate in which the initial probability is assumed to be unity as in the case of a postulated accident in safety. The risk formalization in security is expressed as follows [9]: where () is the incidence probability, () the performance probability, () the interruption probability, () the neutralization probability, and the consequence, respectively. After assuming that the most upstream event is deterministic and the incidence probability is unity, the event sequence is analyzed probabilistically on a basis of the plant layout, system design, and structural robustness. Because of the difficulty of specifying the incidence probability, the security system is usually evaluated by the performance probability in which the timeline analysis is performed to identify the interruption probability and the security countermeasures; fence, sensor, camera, and so on are designed and installed into actual nuclear facilities. The neutralization probability is the unique feature of the security risk assessment and is determined by the performance of the response force. In addition to this, the deterrence effect can be estimated with a Bayesian method utilizing historical data, the game method assuming rational behaviour and payoff matrix, and others, and the incidence probability could be evaluated qualitatively as in the decision process [10].

Similarly, a major difficulty encountered in applying probabilistic methods to safeguards is to determine the incidence of diversion and misuse. Although the mathematical formalization for the international safeguards has been developed for several decades [11], the discussion of developing probabilistic methodology to address nonproliferation issues was done in a different perspective [12]. In safeguards, the diversion of nuclear material and the misuse of technology are initiated by the motivation of state and intentional act by facility operator, therefore the estimation of intentional act is generally very difficult. In addition to the incidence probability, there is another uncertainty related to measurement error in material accounting. This is the significant quantity (SQ) and timeliness goal that underlines the basis for NMA. Based on the prescriptive and deterministic logic, uncertainty of NMA should be controlled under this limit as a first priority in safeguards. The IAEA determined the threshold value for nuclear material losses for each type of facility and process. However, as an amount of nuclear material increases in large-scale facilities, uncertainty due to measurement error becomes large and likely exceeds the limit. Because it is important to control the mass measurement error within the absolute threshold of NMA, a probability distribution of the measurement error of NMA has to be considered in conjunction with the incidence probability as shown in Figure 3. The two-dimensional probability formalization is proposed as follows [13, 14]:

In (3), the measurement error probability is defined as related to measurement error in material accounting. The measurement error probability is the probability density function and the accumulated distribution function is detection probability. On the other hand, the incidence probability is defined as a Poisson density function. It should be noted that both probabilities are not independent and those are closely correlated each other. This will be discussed later in the game theoretical study.

#### 4. Feasibility Studies in Safeguards

##### 4.1. Proliferation Risk Analysis

Without showing an explicit description of proliferation risk, the risk notion has already been considered in the IAEA safeguards as the state-level evaluation, and the safeguards inspection is carried out according to risk analysis with an expert elicitation. However, using a mathematical formalization of proliferation risk probability one could demonstrate its advantage in an objective manner, and the quantitative representation is valuable in the 3SBD approach. The assessment method of the proliferation resistance (PR) of generation IV reactors was addressed by the proliferation resistance and physical protection working group (PRPPWG) of generation IV international forum (GIF) [15]. The method is intended to be used to evaluate the PR, defined as the degree to which a system can be put with proliferation acts even under international safeguards and those attributes are defined for its characterizations. The evaluation methodology has been clearly noted for the notion of proliferation risk with assuming the Markov process model for all extrinsic and intrinsic measures and the diversion probability directly indicates the vulnerable path instead of an expert elicitation. It should be noted that the measurement error probability shown in (3) is not considered in this model, so that only the incidence probability can be calculated through the Markov model. This is a clear difference from the conventional NMA in safeguards even if the results closely relate to the safeguards effectiveness.

In this study, an aqueous reprocessing model that is composed of the total 43 process steps from spent fuel pond to product storage is assumed as a typical PUREX process. As shown in the Figure 4, the Markov model is assumed for the entire PUREX process in which an initiation of diversion as well as a detection of the diversion is governed by random stochastic process with the characteristic time intervals. In addition to PIV and IIV, monitoring benefit of SMMS as an additional measure is considered in the extrinsic barriers in this model. Individual time intervals of these safeguards measures, characterized by “”, are assumed to be frequencies of the incidence of diversion and/or detection at each process and this random stochastic process can be modeled as a Poisson probability distribution. This is a special assumption used in the PRPPWG and is a well-known methodology for proliferation resistance evaluation. Intrinsic barriers with radiation exposure and heat generation from residual fission products (FPs) have to be overcome to proceed to weapon production from a diverter’s point of view. However, no matter how much FPs remain in the product solution, the diverter could have a capability to lessen the barrier and to remove these radioactive materials using radiation protections, chemical reactions, and separation facilities. Therefore, the prolonged time to prepare an additional process to extract from radioactive solution to raw material for weapon production is modeled as a time factor representing the technical difficulty as “.”

While the SM can generate real-time LDT data of the tank inventory, the SM capability depends on not only software performance of pattern recognition but also noisy background by sampling, homogenization, evaporation, and so on. The confidence level of diversion confirmation, shown by “” and related to the SM capability, is defined corresponding to the process steps with an assumption that the plutonium concentration determines the detection capability of the solution level change corresponding to a SQ (-). And also the technical difficulties are assumed to be proportional to the decontamination factors in the entire process; the head end, the extraction and separation, the first and second purification, and concentration processes. Assuming typical PUREX process composed of 43 process steps and using these parameters, such as , , , and processing times, at each process, the proliferation risk analysis with the Markov model is performed. After solving a set of 43 differential equations with the assumed parameters, one can estimate the relative likelihood of failure, success, and detection, as proliferation risk analysis. At each process step, the detection, failure and success probabilities are shown in Figure 5. The detection probability at step number 1, spent fuel pond, shows the largest probability due to the residence time of the fuel in the pond. The success probability, that means “success” form the diverter’s point of view, can be seen after step number 34 and especially after the number 40. In the downstream from the second purification process and the concentrated solution from evaporator and in product tanks the process is assigned to have the low intrinsic factors because of low radioactivities and heat generation from FPs as well as high concentration of plutonium. It is clearly understood that the proliferation risk analysis is capable of showing the proliferation vulnerability in the entire process steps and the detection capability of SM plays an important role in this vulnerable region as effective safeguards measure.

##### 4.2. Deterrence Effect

The relation between the measurement error and the incidence probability is correlated with each other. Although the proliferation risk analysis in the preceding section does not consider the measurement error probability, both probabilities are investigated as a deterrence effect in this section. The incidence probability is determined by the diverter’s intention and the deterrence effect on the diverter should influence the initiation of the incidence and the possible deterrence effect is studied using a game theoretical model. Although a payoff matrix is not easily defined objectively to model the inspector-operator relation, a noncooperative two-person zero-sum game is assumed to investigate an effectiveness of the operator’s restraint of falsification in the SM data that is an indication of the operator’s diversion. The game theoretical model in safeguards verification has been developed in series of the reference papers and the challenge is continued in recent work in which the time dependency in the payoff matrix was discussed [16]. In this study, the time-varying and randomly distributed variables representing the SM performance related to the material unaccounted for (MUF) are considered with a stochastic game model to investigate the operator’s choice of -diversion, which is applied to falsifying data in an attempt to conceal diversion [17]. It should be noted that the MUF- and -diversions are a traditional theme in the IAEA safeguards. The inspector trusts the measurement data taken by the operator but is not allowed to use them for the MUF verification without ensuring no data falsification in the verification.

The stochastic game model is an integration of a Markov decision process and a matrix game and is utilized to consider the inspector-operator relation among multiple players and at multiple stages [18]. The payoff matrix of the game model is assumed as shown in Table 1. The MUF- and -diversions in the operator’s choices are specific cases in the international safeguards and those correspond to concealment of the diversion in the measurement uncertainty and data falsification to mask the diversion, respectively. And the legal choice means no-diversion attempt. A mixed strategy is chosen to investigate for the inspector and operator deterrence effect. Generally it can be assumed that a -diversion should have an important influence and a first kind of error probability likely keeps large to avoid nondetection. Therefore, the relation between ,, and is assumed as . Similarly, the relation between , , and is . The payoff parameters and are set constant values throughout the calculations. And the parameters of and are set the same value and those of and are set the same value but different from . When the variance of MUF increases according to the frequency of MB closure, it leads to decrease of the SM performance and the detection probability. This results in an increase of average run length (ARL). Because this delay detection likely increases the chance of diversion, it can be modelled as increase of the payoff parameters of and in Table 1. Despite the increases of and , the probability of operator’s choice in legal behaviour nearly approaches unity and the choices in MUF- and -diversions are nearly zero as shown in Figure 6(a) as a result of the game theoretical calculation. This is clear evidence for the deterrence effect that the operator will likely tend to obey legal behaviour even if the payoff increases according to the decrease of the SM performance.

On the other hand, in case that the solution transferring from the unauthenticated tank 1 to the authenticated tank 2, tank 1 is shipper and tank 2 receiver, the operator likely has a concern about detection of the falsification during the transfer. Because the transferred solution is conserved between the two tanks and the downstream tank 2 is independently monitored by the inspector, any falsifications in the upstream tank 1 are likely detected. The increase of concern can be modeled to the increase of the payoff parameter of . In case (b) in Figure 6, the differences between the inspector and the operator choices in tanks 1 and 2 are shown according to the increase of operator’s concern. The probability of operator’s legal choice in tank 2 is larger than that in tank 1. And the inspector’s choice of -alarm and the operator’s choice of -diversion in tank 1 are always larger than those in tank 2. These results mean that falsification in the unauthenticated tank more likely happens than that in the authenticated tank. Moreover, the probabilities of -diversion or -alarm in the unauthenticated tank do not increase much in spite of the increase of concern. The inspector’s and operator’s choices can be estimated in advance by the dependency of payoff parameters on the assumption that the inspector and operator behave rationally.

##### 4.3. Fuzzy Optimization

In this section the safeguards performance by the SM and minimization of initial and running costs is investigated as an uncertainty analysis for multiple-objective problem. The multiple-objective problem can be solved by several mathematical methods. However, in this study a fuzzy optimization technique is applied to obtain multiple-goals solution by a well-known liner programming (LP) method. The fuzzy linear programming (FLP) has originally been proposed in the 1970’s and the application for nuclear fuel cycle optimization has been investigated thereafter [21, 22]. The FLP is currently improved and the basic FLP using a linear membership function is employed as follows.

First, two ordinary linear optimizations are performed incorporating the objective functions of and . Because the piecewise linear cases of and are reducible to a standard LP scheme, the optimization problem becomes the customary form with constraint conditions. The solution of these problems leads to Pareto optimal strategies, in which is the lowest attainable cost and the smallest measurement error, and and are utilized to find boundaries for the multiple-goals optimization. In the FLP, the two objective functions of and are transformed into their membership functions which are denoted by and . The membership functions of the fuzzy sets characterizing the objective functions increase linearly from 0 to 1 at the highest achievable values. For example, the membership function of the cost objective can be expressed as
where is the boundary value in the allowable region and the maximum value of is reached at . The similar expression to (4) is defined for in an analogous way, with the constant . The objective for the multicriteria optimization is to maximize the compound membership function:
Due to the form of (5), the maximization of corresponds to the problem as follows:
Because of the linearity of the functions and , (6) is solved as a standard LP problem. The solution maximizes * λ* and consequently as well. The value of

*reflects the deviation of the multi-criteria optimum from the various single-criteria optima. If the solution of (6) yields , no strategy can be found with all the objective function values within allowed limits. This possibility, however, should be normally excluded due to the symmetric balance.*

*λ*In order to investigate the cost effectiveness of the safeguards system in an advanced reprocessing plant, the performance of several safeguards measures governed by the measurement error is compared. The optimization using the FLP is applied to pursue the optimal design with considering the tradeoff relation between the safeguards performance and the cost. One of the controversial points in safeguards measures is a tradeoff relation between destructive analysis (DA) and nondestructive analysis (NDA). NDA instruments are generally remotely operated, do not need much labor, do not produce contamination, and provide results more quickly than DA. In addition to this, DA increases cost for labor due to the huge amount of samples in a plant operation and this leads to a high operational cost. On the other hand, at the dissolution process of spent nuclear fuel and at the input accountability tank, NDA instruments are not supposed to be used in a high radiation field environment. Therefore, DA is the only method that could be used for elemental identification and conducting NMA for plutonium under harsh circumstances.

After taking into account the constraints, an optimum selection of DA or NDA is investigated using the single-objective functions. A fuzzy technique based on LP is applied to the optimization. The three schemes in the safeguards measures are examined for the typical three stages in an advanced reprocessing process. The three schemes are a combination of SM and isotope dilution mass spectroscopy (IDMS), that of SM and hybrid K-edge densitometry (HKED), and that of flow meter (FM) and other advanced NDA such as neutron coincidence counting (NCC). For the typical three stages in the reprocessing process, we select dissolution, solvent extraction, and concentration processes. In the dissolution process, there is the constrained condition for NDA due to harsh circumstances. As increasing of the throughput of nuclear material, both the measurement error and the cost estimation are modeled to change as a function of the throughput and as shown in Table 2. Random and systematic errors leading to the performance and initial investment and running cost of individual measurement scheme are shown. The error scaling of the FM and NCC is proportional to the square of throughput due to the neutron counting statics. It should be noted that schemes and have been already developed and are currently applied to the reprocessing plant. But scheme is under development and the parameters of scheme are tentatively assumed.

The optimized selections of three schemes from stages 1 to 3 according to the increase of the throughput are shown in Figure 7 [23]. In a small throughput region, scheme A, SM and IDMS, is the optimum selection. These are indicated as , , and in Figure 7 for all stages 1 to 3. In a medium throughput region, schemes A and B show intermediate values only in stage 1. This means that the two schemes are the possible selections for stage 1 and scheme A is still optimum for stages 2 and 3. However, in a large throughput region, the scheme C becomes the optimum selection in the stage 1, schemes B and C are in stage 2, and the scheme B in stage 3. This means that scheme C, combination of FM and NCC, becomes the better selection in a large throughput region based on the measurement error and the cost. It should be pointed out that the assumption on the measurement error and the cost of the individual scheme as a function of the throughput is a preliminary one. However, it is understood that the general characteristic of the competitive relation between DA and NDA is shown qualitatively and the FM scheme assists a cost-effective performance of the safeguards system in a large throughput plant.

#### 5. Summary

PRA in safeguards and security has been evolving and applied to the promotion of 3SBD activities. However, the theoretical basis is diverse and the effectiveness of PRA in these areas has not been clearly demonstrated yet. SM with the LDT tank data has been widely used to implement the IAEA safeguards in the large reprocessing plant and has become an important measure to assure the credibility of no diversion and no misuse of SNM. Not only for an advanced instrument but also for risk-oriented installation, it is shown that SM is a good example of safeguards by design activities. The Markov model is applied to PRA with the PUREX model and it is clearly demonstrated that the vulnerable path in the PUREX process is safeguarded by the SMMS originally installed based on the expert elicitation. The game theoretical approach applied to the theoretical explanation of the IAEA safeguards is used to explain the effectiveness of the self-authentication notion. The deterrence effect on the operator’s falsification is shown as a compromise with the profit and the penalty and this concern makes the deterrence effect one of explanations for the self-authentication. The last study on SM is the uncertainty analysis to optimize the safeguards measures with the tradeoff relation between the safeguards performance due to measurement error and the economical consideration as increasing the throughput in the advanced reprocessing process. Both the harsh circumstances with the residual minor actinide (MA) and FPs and the increase of measurement uncertainty due to the large throughput support more NDA installment than DA with considering the initial and running cost of those measures.

On the other hand, for the purpose of quantitative application of SM to the IAEA safeguards, the validity of the SM data taken from the unauthenticated tank is investigated in terms of the detection probability (DP) at the authenticated tank. The self-authentication based on the mass conservation of authenticated solution among those tanks is investigated by the detection capability for the -diversion and is discussed in the same way for the MUF-diversion. Although the quantitative SM application is capable of showing high DP for abrupt falsification, it is understood that the small and protracted falsification is difficult to detect due to the systematic error. In order to investigate the DP in the distribution of two random variables, and MUF, the correlation between - and MUF*-*diversions was investigated in the traditional approach to evaluate the - and MUF-diversions. However, it is understood that in the small and protracted diversion the distribution of cannot be assumed as a Gaussian, so that the operator’s strategy is considered using the game model. In this regards, the game theoretical approach needs to be pursued to explain the two-dimensional probability distribution of the proliferation risk analysis.

The probabilistic risk methodologies in safeguards and security have been developing and the inherent difficulties due to intentional acts are still challenges. However, the Markov model, the game method, and other mathematical methods could be applicable to the decision problems in safeguards as well as security. Integrating the PSA in safety with the risk assessment techniques in safeguards and security would have a potential to fascinate with the younger generation, and the comprehensive 3S regulation based on the quantitative risk discussion should be transparent and persuasive for a reasonable approach in the mandatory 3S implementation.

#### References

- T. Arai and K. Naito, “The new nexus, 3Ss: safeguards, safety, security, and 3s-based infrastructure development for the peaceful uses of nuclear energy,”
*Journal of Nuclear Materials Management*, vol. 37, no. 4, pp. 6–10, 2009. View at Google Scholar · View at Scopus - M. Stein, M. Morichi, L. Van Den Durpel et al., “Safety, security, and safeguards by design—an industrial approach,” in
*Proceedings of the Global Conference*, Paris, France, September 2009. - M. Suzuki, Y. Izumi, T. Kimoto, Y. Naoi, T. Inoue, and B. Hoffheins, “Investigating 3S synergies to support infrastructure development and risk-informed methodologies for 3S by design,” in
*Proceedings of the IAEA Safeguards Symposium*, IAEA-CN-184/64, 2010. - IAEA Safeguards Glossary 2001 Edition,
*International Nuclear Verification Series No. 3*, IAEA, Vienna, Austria, 2002. - T. Bjornard, M. Schanfein, D. Hebditch et al., “Improving the safeguardability of nuclear facilities,” in
*Proceedings of the INMM 50th Annual Meeting*, 2009. - J. Howell, M. Ehinger, and T. Burr,
*Process Monitoring for Safeguards*, LA-UR-07-7305, 2007. - T. Burr, L. Wangen, and M. Mullen,
*Authentication of Reprocessing Plant Safeguards Data through Correlation Analysis*, LA-12923-MS, ISPO-374, 1995. - Engineering Safety Aspects of the Protection of Nuclear Power Plants against Sabotage,
*IAEA Nuclear Security Series No. 4, Technical Guidance*, IAEA, Vienna, Austria, 2007. - “Sandia National Laboratories Security Risk Assessment Methodologies,” http://www.sandia.gov/ram/RAM-CI.html.
- E. Kardes and R. Hall, “Survey of literature on strategic decision making in the presence of adversaries,”
*CREATE Report*, 2005. View at Google Scholar - R. Avenhaus and M. J. Canty, “Formal models for NPT safeguards,”
*Journal of Nuclear Materials Management*, vol. 35, no. 4, pp. 69–76, 2007. View at Google Scholar · View at Scopus - S. V. Mladineo, C. T. Olinger, R. S. Denning et al.,
*Guidelines for the Performance of Nonproliferation Assessments*, PNNL-14294, 2003. - M. Suzuki, T. Burr, and J. Howell, “Risk-informed approach for safety, safeguards, and security (3S) by design,” in
*Proceedings of the 19th International Conference on Nuclear Engineering (ICONE '11)*, ICONE19-43154, Chiba, Japan, May 2011. - M. Suzuki and S. Demuth, “Proliferation risk assessment for large reprocessing facilities with simulation and modeling,” in
*Proceedings of the Global Conference*, Paper 399247, Chiba, Japan, December 2011. - M. Yue, L. Y. Cheng, and R. A. Bari, “A Markov model approach to proliferation-resistance assessment of nuclear energy systems,”
*Nuclear Technology*, vol. 162, no. 1, pp. 26–44, 2008. View at Google Scholar · View at Scopus - R. Avenhaus and M. J. Canty, “Playing for time: a sequential inspection game,”
*European Journal of Operational Research*, vol. 167, no. 2, pp. 475–492, 2005. View at Publisher · View at Google Scholar · View at Scopus - R. Avenhaus and M. Canty,
*Compliance Quantified: An Introduction to Data Verification*, Cambridge University Press, Cambridge, UK, 1996. - M. Suzuki and T. Burr, “Self-authentication of solution monitoring data for large reprocessing facilities,” in
*Proceedings of the 2nd Japan-IAEA Workshop on Advanced Safeguards for Future Nuclear Fuel Cycles*, Tokai, Japan, November 2009. - J. E. Stewart, N. Ensslin, T. L. Cremers et al.,
*Measurement and Accounting of the Minor Actinides Produced in Nuclear Power Reactors*, LA-13054-MS, 1996. - M. M. Pickrell and K. Budlong-Sylvester,
*Safeguards Alteratives for a UREX+ Facility NA-NE Joint Fuel Cycle Facility Design Project Technology Denonstration to Enhance the Safeguards of a UREX+ Facility*, LA-UR-06-1075, 2005. - H. J. Zimmermann, “Fuzzy programming and linear programming with several objective functions,”
*Fuzzy Sets and Systems*, vol. 1, no. 1, pp. 45–55, 1978. View at Google Scholar · View at Scopus - P. Silvennoinen, T. Vieno, and J. Vira, “Multigoal fuel cycle optimization including nonproliferation objectives,”
*Nuclear Technology*, vol. 48, no. 1, pp. 34–42, 1980. View at Google Scholar · View at Scopus - M. Suzuki and H. Ihara, “Development of safeguards system simulator composed of multi-functional cores,”
*Journal of Power and Energy Systems*, vol. 2, no. 2, pp. 899–907, 2008. View at Google Scholar