A QUARTERLY RESEARCH & DEVELOPMENT JOURNALVOLUME 1, NO. 1

WINTER • 1999

CONFIDENCE BY DESIGN:Ensuring things don’t fail

ALSO:Managing ambiguous data

Sandia to develop customPentium® chip

Sandia, Compaq set worldrecord in database sorting

S A N D I A T E C H N O L O G Y

Surety science andengineering began 50 yearsago in the defense sector

and grew from the need toknow if nuclear materialswere used only as intended,

were safe in abnormalenvironments, and

secure in malevolentcircumstances.

[ [Sandia’s Z accelerator, the most powerful producer of X-rays in the world

ON THE COVER: Technician Stephanie Reel with plenum of one of severalmetal deposition systems in the Microelectronics Development Laboratoryat Sandia National Laboratories. Metal deposition systems are used forradiation-hardened microelectronics processing. (See NewsNotes, page 6.)

Sandia Technology is a quarterly journal published bySandia National Laboratories. Sandia is a multiprogramengineering and science laboratory operated by SandiaCorporation, a Lockheed Martin company, for theDepartment of Energy. With main facilities in Albuquerque,New Mexico, and Livermore, California, Sandia has broad-based research and development responsibilities for nuclearweapons, arms control, energy, the environment, economiccompetitiveness, and other areas of importance to the needsof the nation. The Laboratories’ principal mission is tosupport national defense policies, by ensuring that thenuclear weapon stockpile meets the highest standards ofsafety, reliability, security, use control, and militaryperformance. For more information on Sandia, see ourWeb site at http://www.sandia.gov.

To request additional copies or to subscribe, contact:Chris Miller, EditorMarketing Communications Dept.MS 0129Sandia National LaboratoriesP.O. Box 5800Albuquerque, NM 87185-0129Voice: (505) 844-5550Fax: (505) 844-1392e-mail: cmiller@sandia.gov

Sandia Technology Staff:Laboratory Directed Research & Development ProgramManager: Chuck Meyers, Sandia National LaboratoriesEditor: Chris Miller, Sandia National LaboratoriesResearchers: Joy Bemesderfer & Donna Drayer,Technically WriteWriter: Katharine Beebe, Technically WriteDesigner: Douglas Prout, Technically WritePhotographer: Randy Montoya, Sandia NationalLaboratories

S A N D I A T E C H N O L O G Y

Dear Readers:

This is the first issue of a newpublication produced by SandiaNational Laboratories called SandiaTechnology, a quarterly research anddevelopment journal. We createdSandia Technology by merging twoprevious publications – Inside Sandiaand Emergent. We hope you agree withus that combining the two parts doesequal a better whole. Sandia Technologyincorporates Inside Sandia’s focus onSandia technologies that have made itout of the laboratory and are or soonwill be benefiting Americans, as wellas Emergent’s focus on innovativetechnological concepts now underdevelopment in the laboratory. This issue focuses on surety scienceand engineering, an evolving disciplinewhose origins date to the developmentof nuclear weapons. This new era ofhigh-consequence management hasrequired new approaches to ensure wedon’t experience the unthinkable – anaccidental nuclear detonation. Suretyscience and engineering principles havekept our nuclear stockpile safe, secure,and reliable. Many technologicaladvances have come directly from ourweapons surety program, and we believethat sharing surety practices,technologies, and strategies will benefitthe nation in many other areas. We hope you enjoy this debut issueof Sandia Technology. Please let usknow what you think.

Sincerely,

Chris MillerEditor

FROM THEE d i t o r

TABLE OFC o n t e n t s

2

4

9

10

11

Confidence by Design

News Notes(pages 4, 6, 8, 12)

Surety as a Discipline

Navigating ComputationalWrong Turns

Walking on Eggsduring and after the Cold War

Comments byDr. William Wulf, PresidentNational Academy of Engineering

I N S I G H T S

“The more importantsomething is when it works,themore it can hurt you when itfails.”

Ted Dellin, Sandia NationalLaboratories

The airplane your children board.Your last flu shot. The cyberspacenetwork you trade stocks on.Whatever it is, it's safe if it cannotharm you, reliable if it doesn't fail,and secure if it's yours and functionsfor no one else. In other words, it'sa sure thing. Safe, reliable, secure – soundssimple until you consider the tangleof systems that typify modern life.In a systems context, safety, reliability,and security are the challenge. Everyday, people depend more heavily ontechnological systems. Those systemsinteract to serve users better. Unfortu-nately, as technologies evolve, so doesthe potential for failure – andcatastrophe. Systems are complex. Complexityspawns breakdowns. And break-downs invite disaster.

Witness these examples:

August 1996: Power cables in theNorthwest sag into tree limbs andplunge power-grid users throughout thewestern United States into darkness.When power is restored, sometelecommunications systems are justtwo hours from exhausting reserves andshutting down services.

January 1998: An ice storm cripplesNew England and southern Quebec,leaving businesses and residents withoutpower for as long as three weeks.Canada alone suffers losses of $1.6billion.

May 1998: A single failedcommunications satellite disables 90percent of the pagers across the UnitedStates, along with ATMs, credit-cardsystems, and TV and radio networksworldwide. Physicians, lawenforcement officials, and others whorely on instant communication arecompromised.

December 1998: Human error shutsSan Francisco down. When aconstruction crew overlooks a buriedpowerline, their work causes aswitchboard blowout. The blowoutshuts two generators down. Across49-square miles, elevators stop withpeople inside. Trolleys, trains, electricbuses quit. Traffic lights fail. Airplanesland elsewhere.

“The more important something iswhen it works, the more it can hurt youwhen it fails,” said Sandian Ted Dellin,who is researching electronics reliability.

What if the machine misfires?What do we do if America seizes up?

D E S I G N

2

Confidence by

At Last, a Sure Thing Enter surety science and engin-eering. It is an evolving disciplinedesigned to integrate safety, reliability,and security into technologies acrossthe spectrum, from space explorationto infrastructures. When applied totechnology, surety is the methodologyby which a system, any system, canbe designed to operate exactly asplanned every time in every circum-stance. When applied to management,surety acts as a philosophy by whichfail-safe decisions are made. Inessence, surety is a way of approachingjust about any systems-problem, anapproach that considers why and howa system fails, then anticipates andprevents such failures. Fifty years ofdefense research at Sandia NationalLaboratories has done the ground work.Now Sandia is working more closelywith industry, universities, and muchof government to give surety a morewidespread application. Eric Bloch, a member of the SandiaPresident’s Advisory Council (Blochworks on the Council on Competi-tiveness in Washington, D.C.) hasendorsed surety science and engineer-ing as “a roadmap for thinking abouthigh-level problems.” “We believe this is a much morepowerful tool than what's generally inuse today,” said Pace VanDevender.As Sandia's chief information officer,VanDevender sets corporate processesand requirements and ensures the Labs’information system is protected.

Consequence Determines Surety

Since the 1940s, Sandia has conduc-ted pioneering studies in safety,reliability, and security.

“In the 40s we had nuclear weapons,”said Jim Rice, Sandia director ofInformation Systems Engineering andof lab-wide surety research. “And thennuclear energy in the 70s. Recentlywe tried to look at it all as a discipline– all three components (safety, relia-bility, and security) optimized together.It's a philosophy applied to systems-engineering problems.” Surety science and engineering maybe applied at four levels, dependingon the consequences of a systemfailure. The greater the consequences,the higher the surety level. Level I surety is primarily reactive.Standard engineering is applied, anddesigns are tested to ensure reliability.

Used for many manufactured goods,level I is adequate when failure won'tcreate catastrophic consequences.Typical level I surety measures includereliability insurance, warranties, andparts replacement. Level II is proactive, a step up fromreactive. Lives may be at risk, sopeople intervene before a problemoccurs. For example, airports installmetal detectors to prevent highjackings.Public schools do likewise to reducegang activity. Other examples of levelII surety measures include training andcertification for pilots. Level III surety is preventative.Science and engineering attempt topredict and reduce the potential for asystem to fail by redesigning thesystem. Because auto accidents kill,manufacturers incorporate seatbeltsand airbags – not as an add-on any-more, but – as an integral part of totalvehicle design. Other level III exam-ples include automatic cooling systemsin nuclear reactors and other systemsbuilt into aging nuclear weapons. Level IV surety, applied when failureis unthinkable, is fundamental. Asystem works in perfect harmony with,not circumventing, the laws of nature.Absolute surety is the rule here.Modern nuclear weapons, for example,are designed to function in accord withnatural law.

When applied to technology, surety is the methodology by which a system, anysystem, can be designed to operate exactly as planned every time in

every circumstance. When applied to management, surety actsas a philosophy by which fail-safe decisions are made.

[ [

3

S A N D I A T E C H N O L O G Y

Sandia’s explosives-detection portal

Initially, developing surety as a broaddiscipline requires research in the hardsciences (physics, chemistry, andbiology), as well as in mathematics,engineering, and the social sciences.Research investments are expected toyield returns many times over in livessaved and reduced design, production,and maintenance costs for both defenseand commercial technologies.

Surety Nuts and Bolts

Sandia has been a leader in devel-oping the following key tools that enableengineers to understand how things fail: Modeling and simulation use theworld's fastest computers to recreate agiven system, then simulate its exposureto catastrophic con-ditions. Example: Aplane crash involving anuclear weapon. Risk-and-reliabilitymanagement began atSandia as safety studiesof nuclear weapons andreactors. Risk is calcu-lated through studies ofcomponent- and system-reliability combined withstudies on humanreliability.

Applications –and More Applications

Though still a young field, suretyscience and engineering is likely tosupport applications and studies asvaried as physics and finance, asdifferent as the spread of fire anddisease. Surety may be philosophicalin principle, but its many applicationsare grounded in practicality. Here is asampling of areas where, collaboratingwith government, academia, andindustry, Sandia has forged advances.

Architectural Surety:Earthquakes Don't Kill People –Buildings Do

Sandia's Architectural Surety pro-gram strives to enhance public safety,ensure reliable structures, and increasepublic awareness of the benefits asso-ciated with the new design or retrofitsof public, commercial, and privatefacilities. The Labs have conductedsurety research because threats tostructures, from terrorism and naturaldisasters to aging materials, are makingAmericans nervous. Two examples:• Whether unleashed by a hurricane ora terrorist's bomb, flying glass convertsan elegant building into a killing field.Surety research is studying fracture

configurations to develop glass thatbreaks into slow-moving, sandlikegranules which are less harmful thanslivers and shards of conventionalglazings.• Through modeling and simulation,engineers can understand how fire mightbehave based on floor plan andmaterials, how best to evacuate abuilding, and how to implement securitymeasures against bombings, such asthose of the World Trade Center in NewYork and the Alfred P. Murrah FederalBuilding in Oklahoma City.(Continued on page 5.)

SANDIA, COMPAQ SETWORLD RECORD IN LARGEDATABASE SORTING

Just as scientists need very fastnumber-crunching computers toreplace physical testing withcomputer models, business peopleneed a corollary procedure – thecapacity to sort and manipulatelarge amounts of data rapidly. Ina major step toward that goal,Sandia has teamed with CompaqComputer Corporation, theworld's highest-volume supplierof personal computers, to sortinformation three times faster thanthe previous record, at approx-imately two-thirds the installedcost of current techniques.

The Sandia cluster of computershas sorted a terabyte of data – theinformation contained in about amillion unabridged dictionaries –in less than 50 minutes. Theprevious record, on a shared-memory supercomputer ratherthan a cluster of industry-standardcomputers, was 150 minutes.Estimates suggest that in threeyears, large-scale data storage(called warehousing) will increasefrom a 272-gigabyte average toa predicted 6.5 terabytes, and froma $15-billion to a $113-billionmarket by 2002, according toa marketing report from theconsulting firm Palo AltoManagement Group.

Contact: Carl Diegert505-845-7193e-mail: diegert@sandia.gov

N E W SN o t e s

At every level the bottom line is understandinghow things fail. [[

4

S A N D I A T E C H N O L O G Y

Computer simulation of an airplane fire

Engineers can use architecturalsurety to simulate threats, predictoutcomes, and design safer buildingsthat behave predictably duringdisasters. To manage risk and improvestructural design, Sandia's computersimulations and material testingaddress community and nationalconcerns about our buildings. Sandiahas been coordinating interactiveworkshops, university courses,seminars, and conferences to bringarchitects, engineers, and other designprofessionals together to work onarchitectural surety issues.

Transportation Surety:Ending the Fear of Flying

Every year more and more Ameri-cans travel by airplane, making thedemand for user-friendly skies moreextreme. To meet President Clinton'sSafer Skies program goal of reducingfatal accidents fivefold in the nextdecade, Sandia has put surety awing. In the fall of 1997, the FederalAviation Administration chose Sandiaand eight universities to create anAirworthiness Assurance Center forExcellence. Now in the second year

of a three-year pilot program, theCenter is developing improvedmaintenance, inspection, and repairtechniques; crashworthiness initiatives;safer propulsion and fuel systems andlanding gears; and improved aircraftmaterials. The Center combines topexpertise and cutting-edge softwaretools to detect and correct underlyingproblems before they set into motiona chain of events that ends in disaster. Sandia's role focuses on developingnondestructive inspection technologies,along with providing structural-defectsamples, reliability assessments of newtechnologies, and technology transferfrom the Center to the industrial sector.

“By targeting and preventing the

leading causes of fatalities and

injuries,” Vice President Al Gore has

said of the Safer Skies initiative, “by

expanding engine inspections and

by improving pilots' warning and

detection systems, we will significantly

reduce the number of plane

crashes and save ... lives.”

Some of the causes of U.S. aircrashes that the Center is studyinginclude lost control (32 percent of fatalaccidents); runway incidents (12percent); ice and snow (9 percent); andwindshear, sabotage, and highjacking(each 3 percent). Another Sandia-FAA partnershipproduced a portal that checks passen-gers and carry-on luggage forexplosives. Located inside an airportterminal, the portal emits a puff of aironto a person and baggage, and asensor scans the air for chemicals.This device was tested recently at theAlbuquerque International Airport. Transportation-surety research isapplied also to nuclear weapons andhazardous-materials transport, as wellas to railroad-transportation safety.

Electronics Surety:A Key to Global Leadership

Could surety science and engineer-ing techniques promise defenseand economic superiority? Quitepossibly so. Defense superiority, Sandian TedDellin told a national surety workshoplast fall (see sidebar page 9), dependson reliable electronics. And affordableeconomic leadership rests on sustainingthe electronics revolution, said Dellin,deputy director of reliability at Sandiaand an adjunct professor at TheUniversity of New Mexico.

[ Surety research is studying fracture configurations todevelop glass that breaks into slow-moving, sandlike granules

that are less harmful than slivers andshards of conventional glazings.

[

5

Architectural Surety project leader Rudy Matalucci

S A N D I A T E C H N O L O G Y

Defense research has led to numerousmicroelectronics breakthroughs, manyof which have evolved into commercialtechnologies. Thus, many U.S. defenseinitiatives support economic stability. A problem, however, occurs whenmicroelectronics advances outpacereliability developments that supportweapons and marketable products.Level III surety, Dellin said, mayprovide the solution whereby reliabilitykeeps up with invention. How? Byfinding all sources of failure, developingmodels that will predict these failures,and then building reliability into thedesign of technologies.

Life-Cycle Engineering:Designing Affordable ProductsConsumers Can Rely On

The life cycle of a product might becompared to that of a living beingexperiencing birth, life, and death. Aproduct is “born” whendesigned and manufac-tured. It “lives” while itfunctions. And it “dies”when it breaks or isreplaced. Supported by theLaboratory DirectedResearch and Develop-ment fund, life-cycleengineering, which servesSandia’s mission ofnuclear stockpile steward-ship, has laid thegroundwork to manage lifecycles for many productsin the commercial sectoras well. The key lies inpredicting the effects oftime and stresses on materials andsystems. The result is affordableproducts of superior quality that performand age predictably. In addition tonuclear weapons stewardship, life-cycleengineering has applications inmedicine, computing, air and spacetravel, and in various other technologieswhere failure is notan option.

Infrastructure Surety:The Heartbeat of a Nation

Cripple infrastructure and you cripplenations. Power, water, and energysystems; public transportation systems;air-traffic control; financial services andcommunication all compriseinfrastructure, as do fire, medical, law-enforcement, and other complexnetworks. Increasingly, infrastructuresystems are computer operated andinterconnected. The result is a fast,effective “machine” that improvesquality of life for millions. But when the machine misfires, livesmay be imperiled. Whether by plan orby mistake, an individual connected tothe Internet could bring these interde-pendent systems to a catastrophic halt.Natural disasters have done so already. Research to protect the aging nuclearstockpile and its underlying nuclearinfrastructure has yielded surety science

and engineering applications outsidethe weapons complex. Throughmodeling and simulation, Sandia hasrecreated infrastructure breakdowns andis developing a warning system topredict – plus techniques to repair andprevent – infrastructure breakdowns,break-ins, and catastrophes. Crime may have America by thethroat, but Sandia surety engineers havedeveloped a pilot program to deter crime

N E W SN o t e s

6

SANDIA TO DEVELOP CUSTOMPENTIUM�® CHIP FOR SPACE &DEFENSE NEEDS

Intel Corp. will provide a royalty-free license for its Pentium®

processor design to Sandia for thedevelopment of custom-mademicroprocessors for U.S. space anddefense purposes. The agreementsaves taxpayers hundreds ofmillions of dollars in microprocessordesign costs and provides thefederal government with a 10-foldincrease in processing power overthe highest-performing existingtechnology.

Sandia, DOE's lead lab formicroelectronics research anddevelopment, will develop acustom, radiation-hardenedversion of the Pentium processorfor use in satellites, space vehicles,and defense systems. Radiationhardening is required to“immunize” systems andapplications from radiation, suchas cosmic rays, which affect thereliability of conventionalelectronics.

Secretary of Energy Bill Richardsonheralded the agreement as amodel of industry and governmentcooperation. “We're proud to bea part of this unique opportunityto partner with Intel to significantlyadvance the state of the art inspace and defense electronics,”Richardson said during a newsconference announcing theagreement.

Contact: Robert Blewer505-844-6125e-mail: blewerr@sandia.gov

A complete inertial guidance system is smaller than a paperclip

S A N D I A T E C H N O L O G Y

(Continued on page 7.)

7

in schools. Tested two years ago in aNew Mexico high school and usingSandia-developed technologies, theprogram put cameras, sensors, andmetal detectors, along with a securityguard, on site and gave parents kits todetect drug use. Although the pilot program costmore than most schools can afford, itidentified these surety approaches tosafer schools: Greater use ofinconspicuous technologies, especiallythose that maintain themselves; use ofartificial intelligence to customizesecurity solutions for individualschools; and improved building design. Small wonder crime is a problemwhen prevention tools and methodshaven’t changed much since horse-and-buggy days. Meanwhile, crimehas developed new faces: In additionto violent crime, we have white-collaras well as cyber crime. In response, Sandia has developeda “smart” gun that fires only for itsdesignated user. Gun manufacturerColt is commercializing the technology.

Another offspring of Sandia’sweapons experience, a team of expertsin bomb-disablement technologies, isnow available to the Federal Bureauof Investigation and the AlbuquerquePolice Department. President Clintonrecognized two of the team membersfor dismantling a mail bomb found inthe Unabomber’s Montana cabin. Theevidence the two Sandians gatheredhelped convict the Unabomber. Other Sandia technologies providingsurety science and engineering to thecriminal-justice system include anevidence detector – a forensics toolthat detects crime-scene

The community-wide pilot

reduced theft by 98 percent;

vandalism and false alarms, each

by 90 percent; fights by 75 percent;

and truancy by 35 percent.

evidence such as blood, fingerprints,and semen. The Albuquerque PoliceDepartment crime lab is collaboratingon development of this technology. Another technology, a softwareprogram called VRaptor, sets up ahostage situation in virtual reality andallows law-enforcement trainees toidentify and practice shooting at thecriminal, not the victim, during theconfusion, impaired visibility, and rapidchanges of a crime that is unfolding.VRaptor research was supported byLDRD funding. But more than focusing on individualtechnologies, Sandia research focuseson protecting the interdependencies ofour infrastructures. These increasinginterdependencies can cause an outagein one infrastructure to cascade orripple through other infrastructures,causing failures there too. Sandiamodels interdependent networks, suchas power, transportation, and communi-cations infrastructures, together as one.Systems of economic infrastructureare also being studied. Throughcomputer simulation, the goal is topredict in real time the consequencesof national infrastructure failures. Infrastructure, however, is becomingmore and more global, and Sandia haslaunched efforts to identify infrastruc-ture requirements around the world.These extend beyond services, to theessentials for survival: water, food,and clean air, for example. This effort

[Whether by plan or by mistake, an individual connectedto the internet could bring these interdependent

systems to a catastrophic halt. Naturaldisasters have done so already.

[

A robotic system is used to dismantle munitions

S A N D I A T E C H N O L O G Y

has brought Sandia surety expertstogether with the EnvironmentalProtection Agency and the departmentsof Energy and of Defense to developenvironmental surety.

Food Surety:Smart Steaks Snitch if They Thawen Route to the Market

Ever wonder if frozen food thawedbefore it reached the store? That willbecome a concern of the past withSandia’s patented food sensor. Placedvisibly on each food parcel, theinexpensive device reveals a red “flag”when the temperature of meat and otherfoods rises above freezing. A “smart”material tells the tale. The diameterof a thread and less thanhalf an inch long, a thinwire curls whenwarmed above 32degrees F and tears apiece of green paper toexpose red paperunderneath. Thetechnology evolvedfrom solar research atSandia. “When there’s pres-sure from Washingtonon food processors,transporters, anddisplayers to protectconsumers againstspoiled food, we havea technology patentedto do just that,” saidSandian DavidMartinez, who co-developed thetechnology with Professor MoShahinpoor of The University of NewMexico College of Engineering. This UNM-Sandia collaboration hasproduced eight patents.

Nuclear Stewardship:Always a Priority

Surety science and engineering began50 years ago in the defense sector andgrew from the need to know if nuclear

weapons and materials were used onlyas intended, were safe in abnormalenvironments, and secure in malevolentcircumstances. Surety remains akeystone of nuclear stockpile andenergy stewardship. Storing, moving,and processing plutonium and enricheduranium, for instance, present a globalchallenge, particularly when emergingnuclear powers may be politically andeconomically unstable. However, as a partner with theDepartment of Energy, the NuclearRegulatory Commission, and othernational laboratories, Sandia has refineda systems approach to nuclear safetythat can benefit the broad expanse ofmodern life outside the defense sector.This approach has roots in understand-

ing how accidents – all kinds ofaccidents – occur. In modeling andsimulation capabilities, materialstesting, and risk-management studies,Sandia has the tools and experience torecreate, in the safe and virtual worldof computers, events such as accidentsinvolving nuclear weapons. The Labsthen can study the causes and conse-quences, and ultimately, design a worldwith greater safety, reliability, security– and confidence – built in.

8

N E W SN o t e s

RESEARCH FOCUSED ONECONOMICAL, LONGER-LASTINGLITHIUM ION BATTERIES

Efforts by a team of Sandians toimprove the lithium ion battery maymean that one day soon people willbe driving affordable electric cars andoperating their CD players and cellularphones on smaller, longer-lastingbatteries.

The research combines a new mixtureof metals to create the cathodeportion of the lithium ion battery – ahigh-tech, environmentally friendlyelectrical-energy-storage device.

“We've tried various combinations oflithium (a light-weight metal) withmanganese, cobalt, nickel, chromium,and aluminum and are making somebreakthroughs,” says Sandia inorganicchemist Tim Boyle.

If the right combination of materialscan be found, lithium ionrechargeable batteries may becomeeconomical enough and have a longenough run time to be practical topower electric cars or replace existingtraditional lead-acid batteries. Lithiumion batteries are commonly found inlaptop computers and camcorders.Their use, however, is limited to smallelectronic devices because of theircost and safety concerns.

Contact: Tim Boyle505-272-7625e-mail: tjboyle@sandia.gov

S A N D I A T E C H N O L O G Y

SURETY INSTITUTE:An Enduring Forum

An American Institute for SuretyScience and Engineering is slated toprovide a clearinghouse for suretyinformation. It will link researchersfrom government, academia, andindustry with one another as well aswith data and cutting-edge tools.The Institute will drive surety scienceand engineering as a disciplineapplied to problems affectingmainstream life and Americaninfrastructures. As applicable, theInstitute will house databases, websites, and a library, and will offerawards for breakthroughs. It willalso support university courses,technology transfer, and research-and-development partnerships.Technological and theoreticaladvances will be applied to solvereal-world problems, ranging fromeconomic to environmental issuesand much in between.

For more information, contactTed Dellin (505) 844-2044;email: dellinta@sandia.gov.Or Ray Bair (505) 296-3505;email: bair@compuserve.com. Or visitthe Institute Web site at www.isse.org.

9

Representatives from industry,academia, and governmentconvened last fall in Washington,D.C., to consider a new disciplineat the first-ever Surety Scienceand Engineering Workshop.Orchestrated by Sandia NationalLaboratories and co-sponsoredby the U.S. Department ofEnergy, NationalAcademy ofEngineering, andNationalA c a d e m y o fSciences, thew o r k s h o pexp lored themethodology ofsurety scienceand engineeringand its potentialuses to address some of thenation's most pressing problems. What united these challengeswas the need to predict andprevent accidents and thecrippling consequences thatsystem failures cause. ManySandia researchers believe a newdiscipline, called surety scienceand engineering, has evolvedfrom their work to protect thenation's nuclear stockpile. Theyfurther believe the discipline canbe applied to many national andglobal problems, such asprotecting our nation's criticalinfrastructures, making our airtransportation system safer,improving the reliability of

electronics, and even fightingcrime (see cover story). More than 100 experts fromgovernment, industry, andacademia brainstormed on howsurety science and engineeringprinciples can be applied tonational problems and whetherit can be considered a new

discipline. Helpingto lead thediscussion wasWilliam Wulf,president of theNational Academyof Engineering(see Insights,inside back cover);Vic Reis, DOEassistant secretaryfor Defense Pro-

grams; and Pace VanDevender,Sandia's chief information officer.At the end of the workshop,most attendees felt suretyscience and engineering hasgreat potential, although theydetermined much work remainsto be done. “The workshop gave us astrong vote that surety scienceand engineering does have broadapplicability beyond its originalroots in nuclear weapons,” saidJoan Woodard, workshopchairperson and Sandia vicepresident of Energy, Information,and Infrastructure TechnologyDivision.

SURETY METHODOLOGYWORTH DEVELOPING?National Workshop Votes Yes

What united these challenges was the need topredict and prevent accidents and the crippling

consequences that system failures cause. [[

S A N D I A T E C H N O L O G Y

AMERICAN INSTITUTEFOR SURETY SCIENCEAND ENGINEERING

Neutron tube bake station

Sandian Stephen Bespalko isdeveloping a technology to manageambiguous data. He calls this advancemission surety for large-scale, real-time information systems. Bespalko'sconcept allows researchers to back-track and recover when designingalgorithms that must process datacontaining errors. “Military and defense applicationsmust deal with ambiguous informationand/or data with errors,” said Bespalko.He is creating a technology thatdetermines if decisions based onincomplete or inconsistent data or datawith errors are still correct as newinformation is received. “Say, you're driving to a city andcome to a fork in the road, and theroadsign is partly covered,” Bespalkosaid. “You're at a fork where everyonealways gets confused, and you take awrong turn because you only see halfthe sign. You have to make a decisionat the intersection, but the decisionmay be wrong because you don't haveenough information. Then you go thewrong way until you see a sign thatmakes it clear you have to turn aroundand go back.” With Bespalko's software, theengineer can design a system that cango back. Recovery is built into thetechnology, into the problem-solvingprocess. “Before, systems would ignore theerrors or eventually throw out theresults and start over when it becameclear the system had made a bigmistake,” Bespalko said. “Andsometimes you wouldn't know till youdrove to the wrong city.” Mission surety technology allowsthe software to detect the wrong turnas soon as possible, figure out how farback the decision-making process hasto go, backtrack, then continue downthe correct path.

Benefits include greatly reducingdevelopment costs for certaininformation-intensive defense systems.Defense-system cost is a majorconcern. The U.S. Air Force has seta goal of reducing the cost ofdeveloping command-and-controlsystems by 90 percent. Mission suretysupports that goal. In addition to defense applications,the software has many other uses,particularly those involving spatialdata. With undergraduate assistantHolly Dison from the University ofNew Mexico mathematics department,Bespalko is adapting his technologyto make less expensive and moreaccurate models of roads and otherlarge components of the nation'sinfrastructures.

Mission surety is attracting attentionworldwide. Last fall Bespalko spokeat a software-engineering symposiumin Zurich, Switzerland. He has alsoaddressed a National Academy ofSciences meeting about transportationuses as well as speaking to otherinternational audiences about his ideas. Laboratory Directed Research andDevelopment (LDRD) funding hassupported Bespalko's softwareengineering advance. LDRD is anexploratory research fund that supportsnational security and enhances Sandia'stechnology base. The LDRD programis dedicated to early exploration andexploitation of innovative conceptsthat arise during laboratory work.

10

Navigating ComputationalWRONG TURNS

Recovery is built into the technology, into theproblem-solving process.[ [

S A N D I A T E C H N O L O G Y

Surety science and engineeringhas its origin in Sandia's missionof nuclear-stockpile stewardship,which includes safeguardingnuclear technologies aswell as the associatedinfrastructure. Indeed, allthings nuclear must besafe, reliable, and secure. Yet potentially catastro-phic incidents, extendingback 40 years, have demon-strated that, despite layersof well-studied precautions,accidents still happen.From the beginning, Sandiahas researched and re-fined surety science andengineering to prevent furthersuch incidents. The followingexamples demonstrate theneed for surety science andengineering.

May 1957,South of Albuquerque, N.M. A B-36 aircraft carrying an atomicbomb approaches Kirtland Air ForceBase to land. When the plane is at analtitude of 1,700 feet, the bomb dropsthrough and tears off the bomb-baydoors. Although the attached parachuteopens, the weapon hits the ground withenough speed to set off the high-explosive charge – but not the nuclearcomponent – destroying the bomb andleaving a crater 12 feet deep and 25feet in diameter. Radiological survey of the areadiscloses no radioactivity beyond thelip of the crater at which point the levelis 0.5 milliroentgens. There are no

health or safety problems. Both theweapon and capsule were on board theaircraft but the capsule was not insertedfor safety reasons. A nuclear detona-tion was not possible.

January 1966,Palomares, Spain A B-52 and KC-135 collide duringa routine high-altitude air-refuelingoperation. Both aircraft crash nearPalomares, Spain. Four of the 11crewmen survive. The B-52 carriedfour nuclear weapons. One is

recovered on the ground, and anotheris recovered from the sea on April 7after extensive search and recoveryefforts. Two of the weapons’ high-explosive materials explode onimpact with the ground, releasingsome radioactive materials. About1,400 tons of slightly contami-nated soil and vegetation areremoved to the United States forstorage at an approved site.Representatives of the Spanishgovernment monitor the cleanupoperation.

January 1968,Thule, Greenland On approach to land at ThuleAir Force Base, a B-52 carrying

four nuclear bombs catches on fireand crashes during an attempt to

land. Six of seven crewmen ejectsafely. Fire destroys all four weapons.

Some 237,000 cubic feet of contami-nated ice, snow, and water, with crashdebris, are removed to an approvedstorage site in the United States overthe course of a four-month operation.Although an unknown amount ofcontamination is dispersed by the crash,environmental sampling shows normalreadings in the area after the cleanupis completed. Representatives of theDanish government monitor thecleanup operation.

11

S A N D I A T E C H N O L O G Y

Indeed, all things

nuclear must be

safe, reliable,

and secure.[ [

NATIONAL SCHOOL SECURITYTECHNOLOGY CENTER BASEDAT SANDIA

Sen. Jeff Bingaman, D-N.M., hasannounced the establishment of anew national center of expertise inschool security technology to bebased at Sandia NationalLaboratories in Albuquerque.Funding to establish the SchoolSecurity Technology Center isincluded in the FY99 spending billas part of Department of Justiceappropriations. Sandia will be invitedto apply for $1.4 million. The initiative seeks to make thenation's school grounds safer forthousands of elementary, middle,and high school students byimproving security on hundreds ofschool campuses. Efforts to improveschool security have intensifiedfollowing recent shootings atcampuses across the country. TheCenter will draw on Sandia's decadesof experience designing andevaluating security systems as partof its DOE mission to protectmaterials vital to U.S. nationalsecurity. In the spring of 1996, Sandiasecurity technology experts firstrecommended a set of measures toaddress a variety of problems atBelen High School in New Mexico.Since then Sandia has advisedadministrators at dozens of otherNew Mexico schools and at morethan 100 schools nationwide.

Contact:Mary Wilson Green505-844-7746e-mail: mgreen@sandia.gov

COMPUTER PROGRAM 'SEES'BEYOND 3-D TO BETTERCLASSIFY DATA

A sophisticated new dataclassification scheme is beingincorporated into the design ofSandia National Laboratories' hand-held “lab-on-a-chip” chemical sensorsystem. The classification method – basedon human perception rather thanmathematical equations – is sosimple that it can be hard to graspfor those who expect complexity. It is based on the human abilityto visually group real-world objectsseen near each other, says thetechnique's principal developer,Gordon Osbourn. “In the area ofvisual perception, no computer hasever matched a biological system –for example, a dog's or a two-year-old's,” says the Sandia physicist. Osbourn says the program isbased on people's tendency togroup objects within the confinesof a dumbbell. The subconsciousmind sizes the dumbbell so that eachbell centers on a point. If no otherpoint intrudes in the space, oneconsiders the two points a group,he says. But while biological visual systemsare limited to analyzing two-dimensional plots or 3-D patterns,Osbourn's system offers theopportunity to “see” in many

“dimensions,” in effect cross-analyzing patterns among many datasets. The same empirical judgmentsmade by human eyes are made bya computer program to judgecloseness among the points of manygroups of data. The relationsbetween data may be too complexfor a human to see, but the sameempirical process used in humandecision-making is followed in thecomputer program. Because the technique is basedon observation of how peopleempirically group objects they see,it is called VERI, for Visual-EmpiricalRegion of Influence. A patent isexpected to be issued this year.

Contact: Gordon Osbourn505-844-8850e-mail: gcosbou@sandia.gov

12

N E W SN o t e s

“In the area of visualperception, no computer

has ever matched abiological system.”

S A N D I A T E C H N O L O G Y

Gordon Osbourn

he world that we’re about to enteris one that’s very different from the

world that we prepared for during theCold War. Then we knew who all theplayers were and what the rules were.Today, the dramatic reduction in thecost of a cyber attack, the proliferationof weapons of mass destruction, andthe blurring distinction between statesand terrorist groups make it extremelydifficult to know with certainty eitherthe rules or the players.

Indeed we may noteven know we’reunder attack. Thepower grid fails onthe West Coast, the911 number isjammed in Atlanta,and a bank ishaving somethingelse happen inChicago. Are weunde r a t t ack?There probablyisn’t a s ingleindividual whoknows that thosethings are goingon, much less hasany way of deter-mining whetherthey are a singleconcerted attack.

The most challenging of the problemsin this new world arise because theyare not “just technical issues.” They-are mixtures of technical issues withpeople issues, with social issues, andwith policy issues. Whether the subjectis global economic interdependencies,the cost and priority of fixing aginginfrastructures, or chemical orbiological threats – they all havetechnical, social, and policycomponents.

Furthermore, all this is happening ina context in which technology is chang-ing extremely rapidly. Indeed it is thespeed with which the technology ischanging (and our dependence on itcorrespondingly increases) that lendsgreat urgency to addressing these chal-lenges. The cost of an attack in cyberspace is falling dramatically, while theconsequences are rising just as rapidly.The longer we delay in addressing theproblem, the worse it gets.

Our national leadersare beginning togrope with theseissues, but they areboth very complica-ted and very differentfrom those of the past.We don’t have thelegal or conceptualstructure to deal withsome of them. Forexample, in this newworld there is, andmust be, a blurringbetween lawenforcement andnational security – yetcurrent law strictlydivides what ourmilitary can do fromwhat our lawenforcement agenciescan do. As another

example, we have profound issues ofhow to manage these new threatswithout destroying the openness in oursociety or violating the privacy of ourcitizens – that is one of the fundamentaldisputes in the debate over nationalcryptographic policy, for example.

The Academies (National Academy ofSciences, National Academy ofEngineering) provide independentbalance and authoritative advice to thefederal government. These are almost

always on policy-related issues with astrong technical component. Forexample, Presidential Directives 62and 63 were written in response to thereport of the President’s Commissionon Critical Infrastructure Protection.The directives call for the Academiesto convene a roundtable on the subject.

“Roundtable” is a term of art in theAcademy context. It’s a standingcommittee that includes industry,university, and government people.Normally we exclude governmentpeople from situations where we wouldbe giving advice, since we don’t wantthe government giving advice to itselfand putting the imprimatur of theAcademy on that advice in the process– so roundtables don’t provide adviceto the government. However, they doprovide a forum in which the issuescan be discussed, in which variousperspectives can be brought into playand where we can decide whether weneed to spin out a study on a specificissue.

When Pace VanDevender and EricBloch came to see me about thisworkshop on surety science andengineering, I jumped at the chance tohost it here at the NAE. This is awonderful first step in what is goingto be a long journey, and it’s a longjourney on which we must move outsmartly. The technology of attack isoutpacing the technology of defense,and the technology is moving at thespeed of Moore’s Law (doubling every18 months). So this is an extremelyimportant meeting, and I’m delightedthat we could co-host it.

*Excerpted from talk given at SuretyScience and Engineering workshop.(see page 9)

Dr. William Wulf, President,National Academy of Engineering

T

S A N D I A T E C H N O L O G Y

[INSIGHTS

The power grid fails on theWest Coast, the 911 number is jammed in Atlanta, and a bankis having something else happen in Chicago. Are we under attack?

by Dr. William Wulf, President, National Academy of Engineering

[*