ML20032A954

Pre & Post-Accident Security Status at Tmi
ML20032A954
Person / Time
Site: Crane  
Issue date: 10/26/1981
From: Rose D
LOS ALAMOS NATIONAL LABORATORY
To:
References
LA-UR-79-3292, NUDOCS 8111030627


Text

TITLE: Pre- and Post-Accident Security Status at Three Mile Island


AUTHOR(S): D. G. Rose


SUBMITTED TO: The President's Commission on the Accident at Three Mile Island


By acceptance of this article, the publisher recognizes that the U.S. Government retains a nonexclusive, royalty-free license to publish or reproduce the published form of this contribution, or to allow others to do so, for U.S. Government purposes.

The Los Alamos Scientific Laboratory requests that the publisher identify this article as work performed under the auspices of the U.S. Department of Energy.

LOS ALAMOS SCIENTIFIC LABORATORY
Post Office Box 1663, Los Alamos, New Mexico 87545
An Affirmative Action / Equal Opportunity Employer


PRE- AND POST-ACCIDENT SECURITY STATUS AT THREE MILE ISLAND

Donald G. Rose
Los Alamos Scientific Laboratory

ABSTRACT

We evaluated the status of the physical security measures in place at the Three Mile Island Nuclear Station before and after the accident on March 28, 1979. We found that before the accident, the plant security complied with 10 CFR 73.55 and was adequately protected from external attack, but that there was not adequate protection against sabotage by an insider. The same situation exists today except that protection from external attack has been enhanced.

I. INTRODUCTION

The Los Alamos Scientific Laboratory (LASL) was requested to provide a review of the status of security of the Three Mile Island Nuclear Station (TMI), Units 1 and 2, just before the accident of March 28, 1979, and as it is now. This review was performed by inspection of the Modified Amended Security Plan (MASP) for this facility prepared by Metropolitan-Edison Company (Met-Ed), of the Security Plan Evaluation Report prepared by the Nuclear Regulatory Commission (NRC), and of letters between the NRC and Met-Ed. This subject was discussed with the NRC physical security review team leader, the NRC Inspection and Enforcement Division security inspector for TMI, and the head of security for Met-Ed at Three Mile Island.

This report is based upon the information received from these sources.

This report will not describe the details of the physical security measures in place at TMI or the precise security deficiencies, if any. Title 10, Code of Federal Regulations, Part 2.790(d)(1) and Part 9.12 require that "... detailed security measures for the physical protection of a licensed facility or a plant in which licensed special nuclear material is produced or used" be withheld from public disclosure. At the same time, I am informed by the staff of the President's Commission on the Accident at Three Mile Island that the information contained in this report will be considered public. What I will put in this report are general comments on the security status at TMI and my opinion as to the security of the plant at the times in question.

II. NUCLEAR POWER PLANT PHYSICAL SECURITY

The physical security requirements at nuclear power plants were severely upgraded by the publishing of a new rule, Title 10, Code of Federal Regulations, Part 73.55 (10 CFR 73.55) in February 1977. At that time and later, the NRC provided the licensees with Regulatory Guides and other guidance as to how to comply with 10 CFR 73.55. The rule required that each power plant be protected to "high assurance" from a threat defined as a determined external assault, attack by stealth or deceptive actions, of several persons with the assistance of one insider, and from the internal threat of an insider, including an employee in any position.

The security measures required by the rule start with the usual administrative measures: a proper security organization that is independent of operations, proper background check of the plant employees, security training of the security force and other employees, badging and identification of employees, an access control system, proper search procedures, and security audits. In addition to these, the plants were required to institute particular protection against an external attack or the actions of an inside man.

The philosophy of protection against external attack is based upon the following actions.

1. Detect an attack,
2. Assess each alarm as to whether it is an attack or false alarm,
3. Delay the attackers,
4. Interpose armed responders between the attackers and their target, and
5. Call for aid from the local law enforcement agencies, if required to neutralize the attackers.

The rule 10 CFR 73.55 requires that plants have hardware or procedures installed to effect each of the above steps. Each plant will be found with the following measures in place for protection against external attack.

1. Detection - Electronic or mechanical intrusion detection devices or continuous surveillance by guards or watchmen.
2. Assessment - An isolation zone along the protected area barrier with closed circuit television viewing all sections of the barrier or an assessment team of guards to go out and assess the alarms.
3. Delay - Delay of external attackers by barriers around the protected and vital areas (see below), distance, and locked doors.
4. Interposition - A response force of armed persons who are able to respond immediately to a confirmed alarm in such a way as to interpose themselves between the attackers and their target. The number of responders varies from plant to plant depending upon the other security characteristics of the plant. The duty of the response force is to immobilize the attackers before they get to their target, neutralize them if they can, or hold them until reserves arrive.
5. Call Aid - Two alarm stations, each with identical alarm annunciation, assessment information, and communications to the members of the security force and to the local law enforcement agencies. The communications to the local law enforcement agencies must be redundant. This precludes attackers or an insider from being able to compromise communications offsite with a single action.

Protection against the actions of an insider is a different matter. The rule states that protection should be afforded against the actions of an insider, the word "an" meaning one. To aid in this protection, the NRC defined vital areas of two types. A vital area is defined in 10 CFR 73.2 as "any area which contains vital equipment within a structure, the walls, roof, and floor of which constitute physical barriers...." Vital equipment is in turn defined as, "any equipment, system, device, or material, the failure, destruction, or release of which could directly or indirectly endanger the public health and safety by exposure to radiation. Equipment or systems that would be required to function to protect public health and safety following such a failure, destruction, or release are also considered to be vital."

The two types of vital areas are explained in an NRC guidance document, Review Guideline No. 17, "Definition of Vital Area and Equipment." Type I vital areas are those wherein successful sabotage can be accomplished by compromising or destroying the vital systems or components located within this area. All other vital areas are Type II. A saboteur would have to enter two or more separate Type II vital areas to successfully sabotage a plant.

The protection against the insider consists of

1. The background investigations of the personnel hired by the plant;
2. Restriction of unescorted access to the protected area of the plant to those properly investigated and badged;
3. Restriction of unescorted access to all vital areas to those who have passed the background investigation, have been approved for access to those vital areas their work will require, and who have been cleared for a short time to certain vital areas for immediate
4. Instrumental search of all persons entering the protected area, pat-down search of all visitors and a portion of the regular employees, and thorough package search; and
5. The two-man rule: No one will be allowed in a Type I vital area without another person accompanying him.

There may be other methods for protection against the single insider than access control and the two-man rule, but none have appeared so far.

Unfortunately, the long lead times involved in procuring the new equipment and new construction have prevented many licensees from implementing the security plans by February 23, 1979, as required in 10 CFR 73.55. In these cases the licensees were allowed additional time to complete installations if they would institute other security measures to compensate for the missing items.

A recommendation was made to the NRC that a proper security clearance similar to that now in use in DOE could obviate some of the present requirements of pat-down search of some of the regular employees, the two-man rule, and the compartmentalization of vital areas. The commission has been considering the merits of clearance and has not yet made a decision. The commission decided to postpone the need for pat-down search of regular employees and other measures for protection against the insider until a decision is made on clearance in the Material Access Authorization. Thus some plants will not yet have all the measures in place for protection against the insider.

III. THREE MILE ISLAND PHYSICAL SECURITY

Both units of the Three Mile Island Nuclear Station are surrounded by the same protected area barrier. Thus at the time of the accident, the plant was a single unit with respect to security. The ultimate intrusion detection system and attack assessment system for the protected area perimeter were not installed. However, compensatory measures in the form of additional patrols and additional surveillance of the protected area perimeter had been instituted. These measures, plus the facts that

o the plant is on an island accessible by only two bridges, each guarded by two armed security personnel,
o an approach to the island by boat is slow and easily detected, and
o the island is surrounded by an 8-ft-high cyclone fence,

assure that the protection against external attack is closely equivalent to what it would be after the intrusion detection devices are installed.

The licensee defined the Unit 1 and Unit 2 Turbine Buildings, the Diesel-Generating Building, and the Auxiliary and Fuel Handling Building as a single vital area. So most of the operations of TMI take place inside this vital area. The licensee defined only two Type I vital areas within this large vital area--the control rooms and the containment buildings. In fact, the large vital area met the definition of Type I; and so the two-man rule should have been required anywhere within the confines of those buildings.

However, because of the delay in requiring the institution of protection against the insider, Three Mile Island was not required to have the two-man rule or to compartmentalize to smaller areas. The plant was inspected by Region I of the Inspection and Enforcement Division of the NRC on November 7 through December 1, 1978, and found to be in compliance with the rule. The plant was again inspected in March 1979 and was found to be in compliance with the rule except that some vital area doors that should have been locked or guarded were found to be open and unguarded. Actually, there was very poor protection against the sabotage actions of the insider. Approximately 500 persons had access to the large vital area at that time, and there was little or no control of the whereabouts of the people inside the vital area. So it cannot be said that sabotage to the Auxiliary Feedwater System was impossible.

During the period March 28 through April 6, 1979, all persons not required for safety operations were barred from the island. During this time, the compensatory measures for loss of intrusion detection were not in place. On April 6, 1979, conditions reverted to what they had been before the accident.

The accident seriously delayed the installation of security hardware. As a result, only a few of the new systems, intrusion detection systems, door alarms, assessment capability, and alarm stations have been installed.

Basically, the differences between the security status now and before the accident can be listed as follows.

1. The compensatory measures for the lack of intrusion detection have been enhanced. Thus, although the probability that an attempted intrusion will be detected now is not as high as it will be when the instrumental detection devices are installed, the NRC staff and I feel that the probability is high enough.
2. One alarm station has been hardened and has the full communication capability.
3. Package control at the entry to the protected area is more thorough than it was before.
4. A fence has been installed to divide the protected area into two separate areas, and a wall is being constructed on the operating floor of the spent fuel pool to divide it into two areas. When these are completed, the plant can be divided into two separate areas with regard to security. The rest of the buildings are so constructed that Units 1 and 2 can be divided. Within these buildings, all doors are guarded by armed personnel so that travel from one unit to the other is restricted. Badges define who has access to each unit.
5. The same situation exists now as did before with respect to the vital areas. Thus, although the plant is considered in compliance with 10 CFR 73.55, there is still little protection against the actions of an insider. Now approximately 1500 persons have unescorted access to the island, 900-1000 have unescorted access to Unit II, and 600 have unescorted access into Unit I. Most of these people are contractor personnel.

The conclusion can be drawn that the protection against the activities of an insider is still inadequate at TMI now, although the plant is considered to be in compliance with 10 CFR 73.55.
