ML18086B734
| ML18086B734 | |
| Person / Time | |
|---|---|
| Issue date: | 11/06/1981 |
| From: | Dircks W NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO) |
| To: | Bradford P NRC COMMISSION (OCM) |
| Shared Package | |
| ML18086B735 | List: |
| References | |
| NUDOCS 8112010135 | |
| Download: ML18086B734 (7) | |
Text
Enclosure II 1-1
,.,.ff NOV 0 6 1981; I i'
MPlORAHDU~*1 FOR:
Conl"l1 ssioner Bradford FROM:
William J. Dircks Executive Director fer Operations SlfP.,JECT:
STAFF PRACTICE FCR PERMITTH!G COUTH!UEO OPERATim.!
FOLLOHHJG /IJ! mnICATIOH OF SABOT.A.GE This is in resoonse to your October Bth r.iePloranrlu~inquirfng about staff practices for dealinri with indications of sabotage in vital areas of power plants.
In rletem.ining Hhat actions are appropriate following an indication of sa!°'otage at a nuclear power plant, tile ~overning principle is to avoid undue risk to the public health and safety.
In i111ple'.'1enting the principle, al 1 pertinent factors ~ust be carefully exar.1ined to deternine whether the condition resulteo frof.1 an accident or from a deliherate act of vanrlalism, nalicious r1isc'1ief or sabotage. If judged to be an atte!"lpted act of
- radiological sahota0,e, factors such as sophistication, intent, and the possibility of other acts by the sane person must be considered ~swell as the event hi story of the pl ant.
In forilmlating a:i.v response action, the NRC staff l'iiust consider potential safety corisequences of such actions ~nrj the condition of the :ilant. Before rP.r.o:nnendin~ any change in the operating stat11s of *the facility, the technical staff nust consider the basis for the ch~nge and its potential for riiti ~atihrr or c0'"'p1J11ndinq1 the. si turition.
The staff be1 i eves that as
- r. ('?enc:>ral rule, the public health and safety is tiest served bJ1 initially nr.intC1i.ning a st.ahle n;oc1e of plant cpcra.tion since the transients caused hy cltanqes in plant status couln contribute to a reduction in rlant safety.
In addition, contir::;ency pl<ins ant.! other measures must he initiated to correct. the condition anr prevent furtber acts while the facts of the matter are being fully assessed.
13ecRuse P.ach pl ant situation is uniq11e,
- liarrl and fast rule.s. for dealing \\*Ii th atte~ptrid sa~ot~ge do not seem practical.
Howev~r, the stRff has drafted a preliminary guirleline to follo\\rl in deteminino wh<lt cciurse of action is appropriate in a suspected sabotage situation.
Copy is enclosed.
OFFICE *************************
pURNAME~........................
DATE.. ************************
~ FORM 318 (10*80) NRCM 0240 OFFICIAL RECORD COPY
--~---------
USG PO: 19S1-335*960
/.
OFFICE.
SURNAME)>
DATE)-
Cor.~rni ssi oner Bradford \\!ith re~F~rd to incirlP.nt response, l!RC's Operation Center has procedures in place for ensurfnq prompt notification of the appropriate staff members to evaluate any st*spected attempt to commf t sabotage. The collective expertise of these individuals provides a technical resource to support unc*s Executive Team and others involved in decision ~aking about continued operation of a nuclear power plant following indications of sabotage in vital areas.
William J. Dircks Executive Director for Operations
Enclosure:
Sabot~~e Event Evaluation cc:
Chairr'!an Palladino Commissioner Gilins~y Cor;*1i ssi oner Ahearne Con~issioner Roherts OPE CGC SECY DISTRIBUTIO~~:
~ocket File w/incoming NRC PDR w/incoming Local PrR w/incoming EDI') Reading cSSPB. Reading 1-1. ['ire ks
- K. Cornell T. Rehm J. Davis PPAS.
S. Hanauer T.
~1url ey R. Vollmer
~- Snyder P. Clieck R. Mattson OELD OCA
(~)
G. Ertter (NRR Ticket No. 10953)
S. Cavanaugh DL :SSP.B*
DL:SSPB*
DL:A[l/L*
o***********************... *********************........................
.... ~.~1~.~-~-~-~/.~~.
Jl1il 1 er P.Tedesco
.... 1.9l6<1...~)......
1 'J/2..0/nl
--~-~!.~~!.~~*-******
E. Hughes L. Berry D. Eisenhut R. Purple R. Tedesco J. Heltemes J. Mill er E.
~1cPeek SSPB LA P. Fine l
DL:DIR
,\\ ~\\~~*
DIR: I&E
~--~=* *************************
DEisenhut
- ~~ ~*sr***
RDeYounn
- .**************.* ri ****
10/~81 1 t/ /81 mo*
WDi rcks l ti. /81 DIR: NMSS JDavis l 0/Z,8 /81
-~""'c.... s....
an
- ,...,,a...,...
,a... e....
a'0.11*...,
10....
c'M1..'.....
a2:.11o1.an..__ ______
....:O~E...1F~I C.....a...tl A:::L.Ji.L....DR....i:E.,;C~Qi!...Ru.!oD~C~Q~p_y!!_ __
~-----~usGPo:
1se1-s3::.. -
SABOTAGE EVENT EVALUATION PURPOSE The purpose of this document is to provide NRC personnel with criteria for determining if sabotage has been committed and the appropriate action neces-sary to ensure continued safe facility conditions.
OBJECTIVE The primary objective in.dealing with any event occurring in a nuclear fa~ility is to ensure a continued safe facility condition.
When an event occurs, accidentally or deliberately initiated, judgments must be made regarding potential consequences of the event and the corrective or response actions to be taken to eliminate the conditions and minimize the consequences.
Figure 1 is a simplistic model of the decision process one would normally follow in choosing a particular course of action. The following is a descrip-tion of the major elements in the model; a number of factors to be considered at each element is listed in descending order of importance.
The interrela-tionship between the elements are also discussed.
SAFETY SIGNIFICANCE When an event occurs, accidentally or deliberately initiated, judgment must be made regarding the safety significance of the event.
Some 6f the factors that should be considered in making this decision are as follows:
A.
The event causes a safety systein not to perform its intended function resulting in possible release of radioactive material.
B.
The event may cause a safety system not to pe.rform its intended function if it were called upon to do so.
C.
The event may cause a system designed to prevent or mitigate the consequence of malfunction not to perform its intended function if called upon to do so.
D.
The event may cause a safety system failure only if.multiple other events occur.
E.
The event may cause a system designed to protect a safety. system not ~o to perform its intended function.
F.
There are no apparent safety implications.
Upon discovery of an abnormal condition in which sabotage is suspected, a judg-ment must be made regarding the probability of a malevolent act, as opposed to an accidental occurrence.
In making ~his judgment three factors must be con-.
sidered:
t 1.
OVERTNESS - Sometimes by the very act itself, 'it is obvious that an act of sabotage has been intended (Surrey.fuel rods) but more often than not the cause of the event is not obvious, for example, misaligned valves.
In such cases the following criteria should be used in making the decision:
A.
Physical evidence is available which is clearly related to the event e.g., lock to valve cut and valve misaligned, or actuator to motor control valve shorted out.
B.
Physical evidence tangentially relating to the event, e.g., door to VA forced open - valve misaligned.
C.
Circumstantial evidence clearly relating to the event, e.g., lock
& chain missing - valve misaligned.
D.
Circumstantial evidence tangentially relating to event, e.g., key to VA door missing - valve misaligned.
E.
No evidence of deliberate manipulation of equipment.
- 2.
INTENT - Some inferences concerning the intent of the adversary can be drawn from the analysis of the safety significance and the overtness of act.
In addition, intent can be determined by other means, the most obvious being a communicated threat.
A.
Communicated threat is received prior to event occurrence.
B.
Communicated threat received - circumstantial evidence relating to event.
C.
Communicated threat received - no other ~vidence (physical or cir-cumstantial); no event'occurrence.
D.
No communicated threat received.
- 3.
HISTORY - the historical significance of an event shriuld be evaluated using the following criteria:
A.
Hi story of recent similar events es ca 1 ati ng wi_th respect to safety sign i f.i cance B.
History of random events with no escalation in safety significance.
.~*
C.
History of vandalism relating to labor/management problems.
D.
No previous events.
An analysis of the above factors may lead to a conclusion about whether the
/
act was willful or accidental.
When overtness is judged to be low, and history is found to be low, the event may not be treated as sabotage.
If the evidence is not conclusive or if it is determined to be accidental, the appropriate corrective action to prevent recurrence and to mitigate the consequenc~s should be taken.
'-'1 I 1~11"*'._,,.._'-""'-.,..
~~* *
. i-i
\\
~. Such corrective action should prevent recurrence irregardless of whether the act was accidentally or willfully initiated.
SOPHISTICATION LEVEL If the event is determined to be an act of sabotage or after evaluation of the previous factors, sabotage cannot be ruled out, a judgment must be made regarding the level of sophistication and intended consequences of the adversary.
Some inferences regarding the adversary 1s capability can be drawn from the safety significance of the target. If the adversary 1s capability is evaluated as being high, his potential to do significant damage is great; therefore, sophistication level is a critical element in the decision.
Evaluation of the following factors may provide some insight regarding sophistication level:
A.
Target selection and timing clearly demonstrates an intention to cause public health and safety consequences, a high degree of knowledge of the plant, and the sabotage scheme demonstrates a high level of profes-sional capabilities, (expert employment and most advantageous location of explosives or installation of a jumper which would nullify the safety function of a vital component.)
B.
Evidence indicates an intention to cause public health and safety conse-quences and a sophisticated sabotage method used but target selection and timing demonstrates limited plant knowledge.
C.
Target selection and timing indicate poor knowledge of plant - crude sabotage method used.
After consideration of the above factors, a response action must be taken that is commensurate with the potential safety consequences of the act and the sophistication level of the ~dversary. The following is a list of possible response actions in ascending order from least stringent to most stringent.
One or more of these measures may be ne'eded:
- 1.
Notify FBI
- 2.
tonduct search 1
- 3.
Conduct equipment check
- 4.
Initiate licensee investigation with NRC monitoring investigation.
...~
- 5.
Limit access 1Pattern of searches should be fashioned to terminate any possible scenario:
e.g., if it appears that the insider has targeted the emergency diesel urge the licensee to determine whether the remainder of the emergency electrical system is operable.
v
~~. 6.
Initiate accelerated *functional testing
- 7.
Implement regional team investigation
- 8.
Establish limited two-man rule
- 9.
Establish total two-man rule
- 10.
Activate response center
- 11.
Consider controlled shutdown lZ.
Initiate controlled shutdown following the approach in standard technical specification, e.g., assure availability of required systems before proceeding from one operating status to the next.
................. I,_... ---**---* *
- l.
J1.J nor1 \\llTIV/\\3 lllW JJ\\/IOOVS I
I m01s1H E--1 13ATI
~
1J\\JlomtS (--
I t.Klll\\fJLLSIHc:DS
~~-
.~
i I
I I
L.o..
JJBUa.
IL__
~
r-I..,.
~ -*
\\.
e
.. 11
~IJIJJV r
SNOilJ\\f 3/\\ID:lruCD lfBJIJJ\\I I
~-
~
I 3Sf'DdSll I
SSJllH3N)
I~
~
I l
~
f N
~ 3 I
A 3
e llf~IS
- 1 y
..,\\ ~ -~
+f*--