Text

ik b

,i DISTRIBUTION:

SGPR r/f SGPR s/f Case file NOV 4 1983 Section file ETen Eyck/

BMendelsohn MEMORANDUM FOR:

Donald B. Mausshardt, Deputy Director RBurnett Office of Nuclear Material Safety and Safeguards FROM:

Robert F. Burnatt Director Division of Safeguards l

SUBJECT:

TURKEY POINT RER On October 27, 1933, I was accompanied by George McCorkle and Barry Mendelsohn to a meeting in the office of Frank Miraglia, NRR, to discuss the Turkey Point RER report.

In addition to a number of people present from various NRR Divisions, Bob Fonner of OELD also attended at my request.

NRR expressad a number of areas of concern with the report, however, none of them touched on the findings set forth in the report as they pertained to areas which we identified as requiring improvement.

In short, their problems were primarily procedural and administrative in nature.

One area discussed was a perception by some NRR personnel that the report identified generic issues or defic.iencies in the rule. We pointed out that generic issues and rule deficiencies are difficult to perceive on the basis of one report - rather, such findings result from trends noted from a series of reviews.

I believe we can resolve this matter without any particular difficulty.

Mr. D. Mcdonald, the NRR Project Manager for Turkey Point is a fomer IE inspector. He appe.ars to be fimly convinced that there is no difference between a RER and an inspection. We discussed this at considerable length and again I believe that we can disabuse both him and others in NRR of this erroneous impression.

Other areas of concern expressed by HRR personnel were directed to a perceived lack of clarity in identifying so-called defects as resulting from faulty

. implementation, inadequacy of security pla.ns, and inadequate inspection activities. The project manager also seemed to be of the opinion that in one portion of the report (2.1) we stated that no deficiencies were uncovered that would question the licensees capability to protect against the design basis threat, whereas in another paragraph (2.2) we identified areas of concern of sufficient significance to indicate a need for prompt remedial action. We believe that this can be handled by changing our standard introductory phrase-ology to the referenced paragraphs to the satisfaction of all concerned.

Again, there was no disagreement on the part of anyone present as to the find-ings themselves as recited in paragraph 2.2 BpQ 2 Q 18 e4043n crnce>

su:.nwe>...................... SHOLL Y83-531 pgg

. - - ~ ~. -..

.... - ~ ~.

.......................l...................,.............

one>

tmc ronu sia (1o-e:> nacu c:43 OFFiClAL RECORD COPY usceo. i,si-mm

=

~

y,

)

t I

i I

2_

1 We are working with Bob Fonner to develop appropriate' language to resolve possible conflicts as described in the above paragraph. We also received several suggestions relative to a possible re-fomating of certain areas of the report. We have this under consideration and will make it a matter of special interest during a meeting scheduled with NRR for Tuesday, November 16 on the general subject of vital area identification, or before that time if at all p;ssible..

Robert F. Burnett, Director Division of Safeguards O

f l

t

.I

'!SGPR

~

SG

\\

(""RBq/Vj 'EE"

- o,nc,p "McC6HkTE"3 rn6

~~~>

......q..........

11/..U/. 83 11/../.83 ons>

ac ror.u 3:s no.sa Nacu c:a OFFiClAL RECORD COPY ac.a i., ua.3

t'

- DRAFT 4,

WpHRING PAPER

Background

The Regulatory Effectiveness Review program for power reactors is the culmination of an evolving program of safeguards effectiveness reviews that incorporates the experience of NRC regional and headquarters staff and licer. sees since 1976. This effectiveness review program began with assess-ments of the vulnerability to theft by external assault of safeguarded strategic special nuclear material in transport or use at certain fuel cycle facilities. At the direction of the Commission, these reviews were broadened to include both consideration of the insider threat and use of capability oriented evaluation techniques. The new augmented reviews, referred to as Comprehens'ive Evaluations, included participation by the Regions and Office of Inspection and Enforcement as well as Safeguards Division. These compre-hensive Evaluations were conducted at all fuel cycle facilities possessing formula quantities of strategic special nuclear material between 1977 and 1979 by four separate evaluation teams that performed Material Control and Accounting Assessment, a Physical Security Assessment, an External Assault Survey, and a Diversion Path Survey, respectively. The individual team reports were then synthesized into an overall assessment of a facility safe-guards adequacy. Although'those reviews were thorough, they placed a heavy burden on licensee and NRC resources.

Subsequently, the sabotage vulnerability of spent fuel storage sites was

, assessed, using a more efficient technique that consisted of a concurrent on-site evaluation by two teams - one focusing on the internal threat and one concentrating on the external threat, as specified in 10 CFR 73.1.

The success of this approach made it a natural candidate when the Director of NMSS tasked the Safeguards Division to review the effectiveness of safe-guards programs at nuclear power reactors upon the transfer of regulatory responsibility in this area to NMSS. The additional difficulty of the e DRAFT X WOFRIliG PAPER

=

c

1. DRAFT N 2-gongingpgpga

(

reactor sabotage problem, due to the large number of possible sabotage targets and their complex interactions, led to major changes in technical approach. Fortunately, it was possible to take advanta'ge of a program to independently determine reactor vital areas that had begun several-years ea rlier. This effort, conducted by Los Alamos National Laboratory for NRC, was expanded upon to determine both combinations of plant equipment that, if sabotaged, could result in a significant radiological release and sets of equipment that, if protected, could ensure that the plant was capable of achieving and maintaining stable hot standby. The Commission was informed of the staff's approach and proposed schedule for developing the program in SECY80-449.

As indicated to the Commission, the staff planned to refine the basic tech-nical approach through field tests at operating reactor sites. Shortly after the first field test had demonstrated the overall promise of the approach, the program was selected for transfer to the Regions, corresponding staffing reductions were proposed for the headquarters support staff in the out years, and personnel participating in the program were detailed to other activities.

At the conclusion of the detail, staff supporting the program began, once again, to improve and refine the approach through field tests with other licensees who had volunteered to participate in the program. Although the second field test was completed to the satisfaction of both the licensee and staff, the third proposed field test was delayed due to concern over the site selected. Staff's inability to resolve this concern in a timely fashion may have been a factor in the decision by the licensee whose site had been scheduled for the review field test to hire one of the NRC team leaders and perform his own review.

v

- DRAFT %

170RKING PAPE

e-

/

1. DRAFT \\

+. p0EKniaPApza t

In the interim, that portion of the approach,'innivi'ng identification of combinations of equipment that, if protected, were sufficient to preserve the

~

site's capability to achieve safe shutdown, was employed to assist in the special inspection of Beaver Valley Nuclear Power Station following the incidents of suspected tampering with plant safety systems in June 1981.

Although this review was a significant aid in improving those portions of the approach exercised, the results had little impact on the inspection team's final conclusions.

With the Commission's renewed emphasis on quality assurance, the program's quality assurance aspects were highlighted, staff resources assigned to the program increased, and clearance to conduct a third field test was finally l

obtained. At about this same time, the technical merits of the supporting Los Alamos work were called into question and programmatic activities were suspended while the contractor's efforts were reviewed by an ' inter-office t

review group with participants from the Offices of Research, Analysis and Evaluation of Operational Data, and Nuclear Reactor Regulation. The group's unanimous conclusion was that the techniques employed " provide an appropriate l

l technical basis for validation of licensee designated vital areas and review i

of reactor safeguards regulatory effectiveness." With this endorsement and 3

.the successful completion of the third field test, the Regulatory Effective-

' ness Review Program seemed ready for implementation.

i However, despite these initial successes, support for the program was limited and, after completion of the first actual review, the program was abruptly suspended due to concerns about the format of working documents employed by the staff during the reviews. These concerns were quickly

- DRAFT N F0 EKING PAPER

0 w

. /DrMT EpBKING PAPIR

-resolved. Nevertheless, program activites remained suspended pending a review of the program by the newly created Ad Hoc Committee to Review Safe-guards Requirements at Power Reactors. At the request of the Committee and the affected licensee, a second regulatory effectiveness review was performed to facilitate the Committee's examination of the program. Although the Committee found the regulatory effectiveness reviews to be "an appropriate regulatory means for assessing the adequacy of safeguards and the' potential impacts of security on plant safety," it recommended that the scope of the program be reduced to include only newly licensed reactors and that the

' thrust of the program be broadened to include specific examination of the

. safety / safeguards interface.

Despite the history of continuing impediments to the implementation of the program and continual adjustment of the program's scope and objectives, the staff remains confident that a stable, well supported reactor regulatory effectiveness review program can contribute significantly to NRC's safeguards program.

l l

l i

l l

- DRAFT \\

KOR%niGPAPIII

J

- DRUT '-

RORKING PAPER s

This presents the rationale for the staff's position that the regulatory effectiveness review (RER) program should not be limited to post-implementa-tion licensing regulatory effectiveness reviews of current operating reactors.

Rather, regulatory effectiveness reviews of current operating reactors can be at least as useful, of not more useful, than those of newly licensed plants. This conclusion is based upon consideration of the difficulties involved in conducting regulatory effectiveness reviews at newly licensed plants, the changes in the safeguards regulatory process and security technology since implementation of 10 CFR 73.55, and the expected impact of the Safety / Safeguards Review Committee's report.

Difficulties with RERs at Newly Licensed Power Reactors Most newly licensed reactors experience start-up problems in implementing their security plans and procedures. Despite the best efforts of the licensee in developing his security plan and implei$enting procedures and of the NRC staff in reviewing licensee f.ubmittals and inspecting licensee procedures, unforseen difficulties can and frequently do arise. Although these difficulties can impact plant operations or result in frilure to comply with NRC regulations, the majority of them are relatively easy for the licensee or Region to identify and are adequately resolved through mechanisms other than regulatory effectiveness reviews. The performance of a regulatory effectiveness review during this phase of plant operation would not be expected to aid significantly in the identification or resol-ution of these concerns.

Further, it is quite polsible that the presence of these more obvious implementation problems would obscure more subtle concerns similar to those discovered in past regulatory effectiveness reviews at operating reactor sites. These considerations lead to n

/ DRAFT A..

PiOEXING PAPIR

T P

s s

! / DRAFT lgggggyng73pg3 the conclusion that regulatory effectiveness reviews are most useful as an evaluation tool for licensee security system effectivMand as a mechanism to validate NRC's safeguards regulations when performed at sites that have no outstanding compliance issues, evaluation memoranda, or other safeguards program concerns.

In addition, scheduling constraints make it difficult to perform regulatory effectiveness reviews promptly following license issuance. A regulatory effectiveness review must be preceded by a Los Alamos vital area analysis.

To ensure that accurate site data is collected, a power reactor must be at least 95% complete before its vital' area analysis site visit can be con-ducted. After the site visit has been completed, Los Alamos requires at least three months to generate a computer analysis and necessary regula-tory effectiveness review preliminary analysis rehuires three additional months. Therefore, a regulatory effectiveness review must be scheduled at least six months after the Los Alamos vital area analysis site visit.

Therefore, if the plant operating license is granted expeditously, it is unlikely that o regulatory effectiveness review can be performed within the first 4 or 5 months after the reactor is licensed. Other scheduling con-straints, such as plant outages or conflicts with inspections or INP0 audits, could possibly preclude completion of a regulatory' effectiveness review within the first year after a reactor has been licensed.

Changes in Safeguards Regulatory Process and Security Technology As the discussion in the Licensing and Inspection section of Appendix C of the Committee's report indicates, the review of security plans under

p. -

t -marr '

IDRKING PAPEft

}

r -

/IEUT' ggpKINGFAPER 10 CFR 73.55 has improved over the years.

"[0ne facility] traced many of their problems to the 1977 licensing reviews, noting that they are now successfully working them out with the NRC staff through security plan revisions." This is not surprising since both the staff and licensees have gained experience in the implementation of 10 CFR 73.55, the licensing review and acceptance criteria have been letter documented, security contentions have been given more consideration in the hearing process, and the decreasing licensing caseload has permitted more studied and careful scrutiny of licensee submittals.

It has also become easier for newly licensed plants to develop reliable, effective security programs implementing the requirements of 10 CFR 73.55.

Better, more reliable security equipment (e.g., security computers, intrusion detection systems) is available now than had been developed at the time.

10 CFR 73.55 became effective. Vendors and consulting firms have also gained experience in equipment installation and security program development to assist licensees in meeting NRC security requirements.

In short, with comparable emphasis, security programs at newly licensed plants would be expected to be at least as good as, if not definitely superior to, those at plants that had to employ backfits to meet the requirements of 10 CFR 73.55.

l Therefore, the greater gains in security program effectiveness are likely to result from regulatory effectiveness reviews of o,perating reactor facilities rather than reviews of newly licensed facilities.

In addition, as noted in Appendix C of the Safety / Safeguards Committee report: "Some licensees 'over-l I

e e DRAFT S F70REING PAPI!!

I

g,

.]

/ DLiTT %

_4 F10EING PAPE reacted' in devising their site security.' Some may have been pushed by

[the1976-77] review teams. Accordingly, some licensees would probably welcome an opportunity to revise some of their security plan comitments to reduce the security burden." The regulatory effectiveness review program can provide licensees with just su:h an opportunity, without the need to request a plan review.

It would be unfortunate to deny this opportunity to licensees by excessively restricting the scope of the regulatory effec-tiveness review program.

Safety / Safeguards Interface

. Implementation of the recommendations of the Safety / Safeguards Review Committee is definitely expected to minimize the impact of security on safety at newly licensed plants.

However, there is a clear ~ possibility that security procedures, which have been used "successfully" for years at currently operating plants would not receive the same degree of scrutiny accorded to security procedures under development for new plants. As noted in Appendix C of the Safety / Safeguards Review Committee's report, "none of-the industryrrepresentatives could recall any instances of safety /

safeguards issues being raised with the NRC. There was general agreement the licensees simply want to satisfy NRC requirements rather than raise issues about them." Therefore, the regulatory effectiveness review program will most likely be a more effective mechanism for surfacing safety / safeguards interface concerns at currently operating plants than newly licensed power reactors.

1 Y

WOEInc PAP 5t

- - - - - - - - puwrT u,

RomnUqFAP::R Conclusion In conclusion, the regulatory effectiveness review program should not be limited to post-implementation licensing reviews of newly licensed power reactors for the following reasons: 1) start-up problems in security program implementation that are apparent to licensee management and Regional staff are likely to obscure more subtle security program effectiveness concerns similar to those discovered in past regulatory effectiveness reviews; 2) improvements in the security equipment, increases in licensee, vender, and consultant experience in security program development, and improvements in the licensing process suggest that security programs are likely to be more effective at

(

newly licensed plants; 3) the regulatory effectiveness review program, if applied to currently operating reactors, would provide a welcome opportunity to review security plan comitments to reduce the burden resulting from past "over-reaction" in the security area; and 4) implementation of the recomenda-

~

tions of the Safety / Safeguards Review Comittee and the general emphasis on safety / safeguards interface concerns are more likely to prevent safety / safe-guards problems from arising at newly licensed plants than to eliminate all such problems at currently operating reactors.

In light of these consider-ations and the Safety / Safeguards Review Comittee's conclusion that regula-tory effectiveness reviews are "an appropriate regulatory means for assessing the adequacy of safeguards regulations and the potential impacts of security on plant safety," the limitations on the scope of the program recomended by the Safety / Safeguards Review Comittee appear to be unwarranted and counterproductive.

P

1. E\\

1l'0H%IH3 PAPEt

,r The Regulstory Effectiveness Review (RER) Program RERs serve as NRC's primary safeguards quality assurance program. They:

- Assure security system effectiveness against the design basis

. threats.

- Identify generic safeguards issues and validate regulations.

- Aid licensees in cost-effective use of security assets.

- Identify safety ' problems resulting from security pro'cedures.

They are independent of, but complementary to the NRC inspection program.

They are conducted in three basic phases:

- A preliminary analysis, including review of site vital area analysis data and diagrams of plant layout and safety system configuration.

- An on-site review requiring about one week per reactor unit. They do not include challenges to site security programs but rather-involve a structured examination of vital areas and equipment and an assessment of the site security programs.

- Follow-up activities, including documentation and management review of the results and assembling site data for possible use in future licensing decisions or NRC emergency response activities.

At present,-the method has been refined by three field tests with RERs completed at two sites.

The program was examined and endorsed by the NRC Safety / Safeguards Review Committee which considered it "an appropriate regulatory means for assess-ing the adequacy, and the potential impacts of security on plant safety;" Based upon the Committee's recommendation, the staff proposes to give priority to conducting RERs at recently licensed reactor units.

Current budget planning includes resources sufficient to complete RERs involving a total of five reactor units in fiscal 1983 and six each during fiscal years 1984 and 1985.

4

TALKING POINTS ON RER PROGRAM FOR SEPTEMBER 26-27, 1983 MANAGEMENT MEETING OBJECTIVES OF PROGRAM:

The primary purpose of this program is to assess the effectiveness of reactor safeguards, as implemented, in meeting the objectives of 10 CFR 73.55(a) to protect against radiological sabotage at operating nuclear power reactors relative to the design basis threat contained in 10 CFR 73.l(a)(1). The program is also designed l')'to validate the identifi-cation of vital areas and equipment, 2) to identify safety problems that may result from implementing security procedures, 3) to evaluate contingency response capabilities and coordination with local law enforcement, 4) to identify generic issues and validate the regulatory base, and 5) 'to assist the licensees in cost effective application of security assets. The RER program is, in addition, a part of the effort aimed at assuring the quality of NRC's safeguards approach and associated implementing requirements. The teams who perform the reviews, then, act in support of hRC's quality assurance program for safeguards, both as 'it applies to licensee security systems and to NRC regulations.

STATUS OF WORK r

Subsequent to the endorsement of the RER program by the Safety / Safeguards Committee, RERs have been performed.at Turkey Point, North Anna, and Surry.

The on-site portion of the Surry RER was completed last Friday (September 23).

l UPCOMING SCHEDULE During FY84 the program will focus on sites in Regio'ns II & III, since the initial decentralization of the program is planned to be phased in first (FY85) at these Regions. This focus will familiarize their inspectors with the program and help prepare them for decentralization. Our present budgeted program calls for the conduct of 6 reviews in FY84 and then 18 per year beginning in FY85 until completion in FY91.

Prerequisites to selection of a reactor for a RER include:

(1) At-least-95% completion of-the unitf wv ewg (2) Receipt by NRC of the LANL vital area analysis computer print-out; and, (3)

Receipt of unit layout and system drawings.

Although specific sites have not yet been mutually agreed upon by the l

Regions and HQ, some candidates for which these prerequisites could be met include Kewaunee, Summer, Browns Ferry 1, 2, & 3, Big Rock Point, 1

l Davis-Besse 1, La Salle 1 & 2, Prairie Island 1 & 2, Quad Cities 1 & 2, 1.

l Robinson 2, Sequoyah 1 & 2, and Watts Bar 1 & 2.

Consideration will l

also be given to requests from Region II for RERs at McGuire, Oconee, 1

l and Catawba and from Region V for San Onofre.

.