Text

f

~

~

s

. (.V*h a.

t -

t. ',

's

[gh M L

'i jun 25 MC

\\

u.m #

[Q A Technique for Analyzing the Impact of Noncompliance with Physical Security Requirenents to be presented at

'Ihird Annual Symposium on Safeguards & Nuclear Material Managanent May 6-8,1981 School for Nuclear Technology; Karlsruhe, Germany by loren L. Bush, Jr.

Office.of Inspection and Enforcement U.S. Nuclear Regulatory Conmission 8107070109 810600'?

PDR MISC D

_.v.,

. +, -

/

A Technique for Analyzing the Impact of Noncompliance with Physical Security Requirements Loren L. Bush, Jr.

Chief, Physical Security Section Office of Inspection and Enforcement U.S. Nuclear Regulatory Commission ABSTRACT The United States Nuclear Regulatory Commission (USNRC) presently analyzes the impact that items of noncompliance with physical security requirements could have on the ability of (1) commercial power reactor licensees to prevent, deter, detect, and/or respond to unauthorized access to vital equipment, and (2) certain fuel facility licensees to prevent undetected and/or unauthorized removal of strategic nuclear material. These analy,ses result in judgments about the effect of items of noncompliance on the overall effectiveness of a physical security sys cem and, consequently, on the level of assurance that the degraded system can meet the performance requirements of Part 73, Title 10, Code of Federal Regulations. This paper describes the methodology used by inspectors from the Office of Inspection and Enforcement to conduct these analyses.

i i

This paper was prepared by an employee of the United States Nuclear Regulatory Commission an'd fits the description in the new U.S. Copyright Act of a " United States Government work".

It was written as a part of official duties, and cannot be copyrighted.

O A Technique for Analyzing the Impact of Noncompliance with Physical Security Requirements

SUMMARY

The United Staten Nuclear Regulatory Commission (USNRC) presently analyzes the impact that items of noncompliance with physical security requirements could have on the ability of (1) commercial power reactor licensees to prevent, deter, detect and/or respond to unauthorized access to vital equipment, and (2) certain fuel facility licensees to prever.i ur. detected and/or unauthorized removal of strategic nuclear material. These analyses result in judgments about the effect of items of noncompliance on the overall effectiveness of a physical secur.y system and, consequently, on the level of assurance that the degraded system can meet the performance requirements of Part 73, Title 10, Code of Federal Regulations. This paper describes the nethodology used by inspectors from the Office of Inspection and Enforcement to conduct these analyses.

Title 10 of the U.S. Code of Federal Regulations, Part 73 rcquires that licensees establish and maintain a physical protection system capable of protecting with high assurance against acts of radiological sabotase and to i

prevent theft of special nuclear material. The regulation itself contains performance type statements such as " Prevent, Deter, Detect, Delay, and Respond" fcilowed by specification type statements concerning such specific security system features as security guards, barriers, access This paper was prepared by an employee of the United States Nuclear Regulatory Commission and fits the description in the new U.S. Copyright Act of a " United States Government work".

It was written as a part of official duties, and cannot be copyrighted.

controls, CCTV, alarms, locks, etc. The licensee's security program to met these requirements is described in a security plan which constitutes the legally enforceable requirements with which the licensee is expected to remain in compliance.

Except for the general performance statements, the NRC safeguards inspection process resembles that used by almost any regulatory authority to determine compliance.

However, because of the uniqueness of the performance statement, there is a need for NRC inspectors to determine the impact that noncompliance with any of the specification type requirements has on the continuing ability of the licensee to meet the general performance requirement. A special procedure is used to identify areas that interrelate so that when problems are identified during an inspection the inspector will imediately inspect related areas to determine if adequate protection is still being provided.

This procedure also is used to deterr;ine the severity of non-compliances and the appropriate /comensurate enforcement action.

This procedure, then, calls for a methodology, such as a fault tree or logic tree analysis, to show the relationship between the overal; performance state-ment and the individual specifications, functions, or components. The Office of Inspection <.nd Enforcement has developed a procedure (TI-1016) to assist inspectors in making a judgment about whether a licensee is in compliance with -the overall performance requirement by evaluating the synergistic effect of deficiencies.

l t

TI-lG16 is entitled " Physical Protection Safeguards Analysis of Noncompliance".

The analysis enables NRC management and staff to understand the impact that noncompliance with the approved security plan could have on the capability of the licensee's safeguards program to:

1) prevent, deter, detect and/or respond to unauthorized access to vital equipment at licensed power reactors, or 2) to prevent undetected and/or unauthorized removal of SNM at Group I fuel facilities.

It applies to both commercial nuclear power reactors and to commercial nuclear fuel fabrication facilities utilizing high enriched special nuclear material. To facilitate field analysis and to make the technique as simplistic as possible, vulnerability charts were developed that relate parts of the rule to protective measures that exist at various locations throughout the facility.

Compliance with the physical security plan is indicat1 that the licensee's 2

security program is prod cing a high level of assurance that the performance requirement is being satisfied. This assumes that there are no weaknesses in the security plan--when such weaknesses are identified corrective action l

is taken.

Noncompliances can have many degrees of impact upon security system performane.

It is possible that the number and significance of noncompliances do not adversely affect the level of assurance; however, f

noncompliances which may seem insignificant when considered independently, can cause a serious degradation of security when considered collectively.

The procedure serves as a tool to enable the inspector to make this i

distinction.

l l

i

l There are three levels of assurance which will result from analyzing the physical protection of a facility:

High Assurance - The noncompliance (s) found within the scope of the inspections do not adversely affect the licensee's ability to meet the performance res.irement. Corrective actions will normally be initiated or completed within 20 days.

Conditionally Acceptable Assurance - The noncompliance (s) found are such that the physical security system can still meet the general performance requirement, however, further failures will significantly reduce the capability to meet the performance requirement. Corrective action needs to be initiated or completed within 20 days or less, <

dep, ding on specific circumstancer.

Unacceptable Assurance - The noncompliances indicate that the ability to meet the performance requirements is reduced to a single security elenent (i.e., locked door, guard, alarm, etc.).

If the facility is found to have " unacceptable assurance", the inspector remains on site until " conditionally acceptable assurance" or better is attained.

The specific methods used to conduct the safeguards analysis, and axamples of each type of determination are discussed at length in the body of the

~

paper that follows.

_. _ _