Text

D850717 Honorable Nunzio J. Palladino Chairman U. S. Nuclear Regulatory Commission Washington, D. C. 20555

Dear Dr. Palladino:

SUBJECT:

ACRS COMMENTS ON PROVISIONS FOR PROTECTION AGAINST SABOTAGE During the course of several recent meetings of ACRS Subcommittees and the full Committee, two rather general questions have arisen with respect to the present provisions for protection against sabotage at nuclear power plants, these concern:

1) whether the present design basis threat continues to be appropriate; and

2) consideration of sabotage protection features in new designs.

With respect to Item 1, the design basis threat for radiological sabotage by an outsider is defined in 10 CFR Part 73.1 as a determined assault by several persons, with hand-carried weapons and equipment, along with some inside assistance. This threat is considered to have been adequately addressed when requirements spelled out in 10 CFR Part 73.55 are satisfied. The Commission further stated (in 1977) that "the level of protection specified in 10 CFR 73.55 is adequate and prudent at this time"; and added that the Commission would continue to review the situation and would consider changes should that be warranted. No changes have been made, and these requirements still deter-mine what the licensee must prepare for, and what the Staff can require.

Recently, much discussion has been directed at the threat of "truck-bombs,"

though "vehicle-bombs" (which would include aircraft and boats) might be a more appropriate term. Some Federal agencies have considered such devices in their design basis threat. There is, then, the natural question as to whether the NRC should make such a change.

This would appear to be an appropriate time for the Commission to reconsider its design basis threat definition and decide if the present definition should be reconfirmed, or modified. Such reconsideration may already be in progress; that we would encourage. However, at this time, we do not recommend that the NRC change its threat definition with respect to the vehicle-bomb. In our opinion, such a requirement on existing civil installations should be imposed only as a part of a national decision that there is a need to protect civil installations from which large consequences might be expected as a result of such an attack.

With respect to Item 2, consideration should be given as to whether changes are needed. As the regulations now stand, we do not find anything concerning sabotage analogous to the ALARA principle applied to protection from radiation exposure. Where options may be available, such as the separation of redun-dant systems, or the location or protection of essential plant features, con-sideration of the significance of these from the point of view of sabotage protection might be required in the regulatory decision process.

The manner of reaching a regulatory decision in this area may appear to present a new problem. In particular, the familiar and reassuring cost-benefit analysis will not be of any use since there is no way of quantifying the benefit. This situation is, of course, not really new. When the uncer-tainty bands of a PRA are so large as to render "quantification" of limited use, we have become accustomed to referring to the need for "making decisions in the face of large uncertainty." In such cases it is recognized that the decision required will have to be based on judgment. That will be the case here. In addition, the Commission will have to develop guidance as to how this judgment is to be exercised, and by whom.

Some of the observations made by the Committee in the course of its continuing review of a proposal for a standard nuclear island design illustrate the points mentioned above. The NRC Staff has concluded that the proposal meets the current design basis with respect to sabotage. It might, then, be assumed that the design features proposed adequately limit vulnerability. However, with the exception of the access control provisions required by NRC, none of the plant system features have been specifically considered from the point of view of inhibiting sabotage or mitigating its effects. Had this been done it seems possible, for example, that the location of the control room would have been chosen differently. The Applicant has stated that, unless the Commission develops further sabotage requirements by rulemaking or equivalent action, they need not volunteer any sabotage-specific design features. The NRC Staff considers that the proposal meets the present rule, therefore the Staff can request nothing additional.

This observation leads us to think that the matter needs reevaluation. In particular, there may be a need for some improved means of assuring ourselves (and, as a consequence, the public) that the matter of sabotage or terrorist threat is being given serious and effective consideration on a broad front.

It would be ridiculous to require, or even to suppose it possible, that pro-visions should be made with respect to all threats which might be conjectured.

Still, it may no longer be "enough" to leave things in the form that the description of responses to any particular short list of specified threats is judged to cover the situation -- since this would imply that other equally plausible threats have not been covered. However, in one way or another, the Commission itself will have to determine what is "enough." It may be helpful in this connection to consider the position taken by other countries, though the whole area is admittedly one of peculiar difficulty from a regulatory point of view.

The ongoing work connected with Generic Issue A-29, "Nuclear Power Plant Design for the Reduction of Vulnerability to Industrial Sabotage," is, of course, relevant to this situation, but its terms of reference may be somewhat too specific, its possible emphasis on cost-benefit considerations may be unduly limiting, and its timing is not necessarily appropriate for the needs of a policy decision. Some attention to sabotage threats is called for in the recent severe accident policy statement; but this is in a somewhat generalized way, and in the context of severe accident considerations. In addition to these items, the Commission might consider whether the NRC Staff, in the course of reviews of new designs, should take account of design options, and possible combinations of measures, which might have the effect of reducing or inhibiting sabotage or terrorist threats.

We are not expressing an opinion that terrorism or sabotage is a serious threat at this time. However, plants built to designs now being proposed may still be in operation fifty or more years in the future. Many countries have experienced increasingly violent terrorism in the past decade. It would appear prudent for the Commission to take these matters into account in connection with the review of applications for future nuclear power plants, and to develop appropriate guidance for that purpose.

Additional comments by ACRS Member Glenn A. Reed, and ACRS Members Harold W.

Lewis, Forrest J. Remick, Paul G. Shewmon, and David A. Ward are presented below.

Sincerely, Carson Mark Acting Chairman Additional Comments by ACRS Member Glenn A. Reed I agree with most of the ACRS report, but consider it to be focused too much on physical measures, and I am concerned that physical measures may not be beneficial against insider as well as outsider threats. In my opinion, even past physical measures related to the insider aspects have aggravated genuine security and emergency operability in the workplace. Therefore, I recommend that for any modification of the insider threat aspect, personnel screening, psychological testing measures, and personnel evaluation measures be the principal focus for the Commissioners' review.

Additional Comments by ACRS Members Harold W. Lewis, Forrest J. Remick, Paul G. Shewmon, and David A. Ward We are not persuaded that any new and extraordinary protection against sabo-tage is required for nuclear power plants. We believe the existing level of precaution against attacks from the outside and subversion from the inside are as close to the appropriate level as can be defined at this time. With

continuing highly visible, politically motivated acts of terrorism throughout the world, this recommendation may seem not in vogue. We will briefly state our reasons.

A nuclear power plant could be a target for sabotage for two reasons: 1) as a "multiplier" of the real damage effect from weapons the terrorist already has at his command, and 2) as a psychological threat to cause panic or unrest in the population around a plant.

Contrary to the generally held perception, a nuclear power plant would be inefficient as a means to multiply the actual impact of terrorist weapons.

Theoretically, a core damage accident could be induced by high explosives, strategically fired in a plant -- especially with the hypothetical cooperation of an insider. However, in practice, great precision and skill would be required. Given the existing sabotage-resistance of a plant, including its inherent attributes, "success," defined as inducing an unmitigated core melt, would be far from a sure thing. There are far easier and surer ways for a saboteur to cause hundreds or thousands of deaths in the general population.

While not an efficient target for actual damage to the public, a nuclear power plant probably is an attractive psychological target. However, any additional sabotage protection would do little to change the impact of a token attack undertaken only for its psychological value. An explosion fired outside a new moat or a new series of tank traps would have essentially the same irrational effects as an explosion outside existing chain link fences. Only education and leadership from public figures can deal with the psychological-only threat.

Current experience may indicate that an increased portion of society's re-sources should be spent for added protection against the threat of sabotage which could induce actual damage and bodily harm to the public. Improved intelligence activities and personnel selection in critical jobs come to mind.

If so, there are vast numbers of public and private activities that are in much greater need of protection than is nuclear power.

The uniqueness of nuclear power is not in its particular vulnerability to sabotage, but in its being controlled and regulated by an activist government agency. We believe there is a risk that the NRC, given its ability and tradition for "doing something" about real or perceived problems, will saddle taxpayers and ratepayers with an inappropriate burden. This could result, in effect, in diversion of societal resources from other areas of need, including protecting the more likely targets of sabotage.