Text

'k i

SAFEGUARDS REGULATORY EFFECTIVENESS REVIEW l

SALEM NUCLEAR POWER STATION UNITS 1 AND 2 DECEMBER 1982 l

l l

4 l

I i

I

_.:t-7.;g-

~

g+y -

~

- c.rs G

1 8412170373 840430 f

S00L 83-531 PDR i

9 9

TABLE OF CONTENTS PAGE 1.0 OVERVIEW I

1.1 Site Characteristics................

2

1. 2 Security Program Description............

2.0 FINDINGS 2

1 2.1 Potential Sabotage Vulnerabilities.

3 2.2 Safeguards Program Concerns 10

2. 3 General Observations................

12 2.4 Notable Safeguards Strengths............

14 2.5 Reduction of Safeguards Regulatory Burden...... - Background Information - Photographs l

9

SAFEGUARDS REGULATORY EFFECTIVENESS REVIEW 1.0 OVERVIEW A Regulatory Effectiveness Review of Units 1 and 2 of Salem Huclear.

Generating Station was conducted from December 2 thru December 10, 1982. The background and purpose of such reviews appear in Attach-ment 1.

Briefly stated, the main objective of this effort has been to detennine if Salem's security program, as implemented, provides the level of protection intended by NRC as expressed in 10 CFR Part 73.

In conducting this review, particular attention was focused on methods and procedures employed to protect vital equipment and the impact of the security program on plant safety.

1.1 Site Characteristics Units 1 and 2 of Salem Nuclear Generating Station are pressur-ized water reactors operated by Public Service Electric and Gas Company.

Unit 1, a 1090 MWe unit, was licensed in June 1977 and Unit 2, a 1115 MWe unit, was licensed in January 1981.

The two units are co-located on a single site in Hancocks Bridge, Lower Alloways Creek Township, New Jersey, approximately 13 miles from the town of Lower Alloways Creek.

Both units are fueled with standard low enriched uranium LWR fuel. The Delaware River serves as the l

ultimate heat sink for both units.

.+~

2 1.2 Security Program Description

.M

(

l i

l l

o L.-

2.0 FINDINGS i

2.1 Potential Sabotage Vulnerabilities A potential sabotage vulnerability is a safeguards program deficiency that brings into question the licensee's capability to protect

!!o against the design basis threat for radiological sabotage.

deficiencies in this category were found at Salem Nuclear Power Station Units 1 and 2.

t J

2.2 Safeguards Program Concerns s

4 A safeguards program concern is an observed weakness in the safe-guards program which, while it does not directly increase the risk of radiological sabotage, is considered to be of sufficient significance to indicate a need for prompt remedial action.

These concerns are identified below along with possible corrective measures.

There may be alternative solutions, however, which are better suited to site conditions.

2.2.1 Protected Area Entry Control and Searches I

t i

h t

l l

i

4 e

I t

'l 1

One possible approach to resolving these concerns would be through improved training and supervision related to conduct of pat-down searches, which might include designa-tion of a specific area for conduct of pat-down searches, and implementation of a procedural change equivalent to the following: Once a visitor has been identified by his escort, the escort would pass through the doors separating l

the search area from the badging area and wait outside the badging area.

Only one visi_ tor would be permitted l

l into the designated pat-down search area at a time.

The visitor would be patted-down and any hand-carried articles, I

or articles of clothing removed from the visitor to l

l facilitate the pat-down search would be examined.

After l

the search and the visitor badge request form had been

r

-S-l completed, the visitor would join his escort in the

]

badging area.

Any visitor that re-entered the search area from the badging area would be required to have another pat-down search prior to his return to the badging area.

q l

71'l l

1 t

i i

k I

s i

l 8

i i.

1 I

I p

11 l

l t

b q

I i

(

9 A

One way of improving

[~ hese procedures would be to institute a program of random pat-

,f t

down searches in which'each Individual granted unescorted access to the protected area was equipment searched with the metal detec-1 tor and had a probability of greater than 20% of undergoing h

=

a pat-down search prior to entry into the protected area.

2.2.2 Maintenance of Security Eauipment s

jThisconcernis probably best addressed by increased management attention and improved communications between security and maintenance supervisors.

7 2.2.3 Access Control And Alarm Monitoring Comouter r-I,

/'

o e

a e

I k

.i

?

i

\\

\\

t i

1 I

l i

l

v_

+

)

~

The long tem approach to this problem might be an up-grade of the computer capability, including provisions for improved system reliability, provisions for a sufficient number of access authorization levels to adequately limit vital area access, and provisions to prevent either the en

\\

In the short tem, one approach to mitigating the safety and operational consequences of the current key card access control system's relichility problems would be to

)

(See section 2.5.1 of this report for a discussion of the Security Access Permit program.) Effective implementation of this approach would require that the current site license condition related to key control be modified to eliminatetherequirementfo(

F

)

l i

' ~'

~

~

p 4

2.2.4.

Diesel Generator.

a 1g _

l l

a t*

V i

3 f

B r

l t

k i

t, 1

i

?

I s

9 i

\\

i i

t i

l

\\

r e

.I i'

2.2.sp

,t b

i-(e c

6 F

1L I

• • - _,e mm em.

~ -

- ~.

e--~,

R

2.3 General' Observations Observations are relatively minor items that do not require corrective

[

action.

However, the team believes the following suggestions could

/

improve the licensee's safeguards progfam.

There may be alternative approaches to those suggested, however, which are better suited to site conditions.

L m.

.';onfiguration of Closed Circuit Television Cameras {_

2.3.1

.e w M

M-W*

.anee.-s

= -

w.

--e-,e..

m.

=

1 i

\\

1 k

s E

i.

t i,

e l

{

c j l A

I

?)

ii k

J'

-~

iL.

2.3.2 Personal Safety Concerns About CARD 0X System Activation in Combination With Access Control Computer Failure The elevator in the 4160 Volt Switchgear Room on the 64' elevation of Unit 1 opens into a small concrete enclosure from which the only egresses are In the event of an activation of w

the CARD 0X (carbon dioxide) fire suppression system, the elevator would not pick up passengers from this elevation and the room would fill with carbon dioxide, creating an l

uninhabitable atmosphere.

Should the.I g

at this time (see di'scussion in

_1 i

Section 2.2.3), individuals could be trapped in the enclosure in an uninhabitable atmosphere.

Although three i

Scott Airpacks have been mounted on the wall in the I

enclosure, it might be difficult for individuals under j

i stress to begin using them in time to avoid the poten-tially lethal conditions. This problem could be largely

}

resolved, in the long term, by improvements in the reliability of the access control computer.

In the I

meantime, one possible solution to the problem would be r

[

. to f

a.

t

\\

k i

I

\\

1 I

i b

2.4 Notable Safeguards Strengths, Notable safeguards strengths are areas of the safeguards program considered to be particularly effective.

These are highlighted to identify good safeguards practices contributing to the overall effectiveness of the program.

Items falling into this area are enumerated below.

2.4.1 Security Force Training, Motivation, and Professionalism Although the team was concerned about the level of training in conduct of pat-down searches (see Section 2.2.1), the general level of security force training in other areas as well as security force motivation and professionalism was impressive.

The team had the opportunity to observe a security force exer-cise, which was modified specifically to address command and control issues of concern to the RER team.

The exercise demon-strated excellent command and control and the officers partici-pating showed a good understanding of defensive tactics.

The l

team was also favorably impressed with the security officer l

1 7-training program, particularly the use of{

1

[

for firearms qualification and the licensee's efforts to develop a tactical training program using a commerical laser engagement simulation system.

Such factors contribute to good morale as well as improving security force effectiveness.

1 4

-y

13 2.4.2 Coordination and Comunication With Local Law Enforcement Agencies 1

The licensee's coordination and communication with local law r

~

enforcement agencies was a definite strong point.

i l

I L

V---

i This comunications capability would be definite asset in coordinating security force and law enforcement response to a possible security incident.

e 2.4.3 1

b l

l l

l 1

I t

t i

i

~~

N L-1 J

g

~-

t

, erimeter Intrusion Detection Systen 2.4.t 2

- )

l

_/_

i 2.5 Reduction of Safeguards Regulatory Burden One of the objectives of the Regulatory Efffectiveness Review program is l

to identify areas in which licensees' safeguards regulatory burden can be eased without significant impact upon security program effectiveness.

l The following items appear to be in this category.

Again, there may be alternative approaches to these suggested which are better suited to site conditions.

m --,

,,,.,,_w,

15-2.5.1 Security Access Permit Program Inresponsetorecenteventsinvolvi[1gmispositionof components in plant systerns, Salem implemented a Security Access Pemit (SAP) program to monitor and control access to gertain areas of the plant.

The site's commitment to the SAP program was formalized in a confirmatory action letter from the NRC dated August 18, 1982.

Since this program exceeded the capability of Salem's present security computer, security officers have been pemanently stationed at entrances to ap-proximately ( ]1ocations throughout Units 1 and 2.

(To support implementation of the SAP program, b

The implementing procedures call for the security officer to i

manually log the entrance and exit times and the badge number of l

the individual granted access.

Additionally, the security officer must detemine whether the individual is authorized access.

Access authorization is verified by consulting a large loose leaf binder containing all Security Access Pemits for the specific area for which access is being controlled.

Once authorization has been verified and the logging has been 1

completed, the security officer grants access, using a key card for those doors equipped with a card reader.

In the event of l

e B

I

'4:.

computer failure, However, as indicated in Section 2.2.3,l r

A Security Access Permit could be obtained for either a calendar week or calendar month period. The shorter period pemits could be authorized by a first line supervisor in either the licensee's or contractor's organization and could be delivered directly to the security officer on post by anyone, including the individual requesting access.

The calendar month oermit requires approval by a second line supervisor in either the licensee's or a contractor's organi-l zation and is sent to the Security Office for dissemination to appropriate securit; posts.

Procedures do not provide for screening of calendar week permits and require only cursory review of calendar month pemits to detemine whether access authorization was appropriate, whether the individual signing the pemit was authorized to do so, or whether the signature on the pemit was genuine.

In discussion, the licensee stated that the program

• f I

i I

~

jthe team judged that the primary safeguards benefits of the SAP program were derived from the access monitoring (logging).

However, in observing the program in operation, it was determined that the primary adverse impact upon plant operation and the l

primary potential adverse impact upon plant safety arose from delays and security officer errors in verifying access author-ization.

Therefore, in the team's judgment, the licensee's regulatory burden could be eased without significant impact on security program effectiveness by eliminating the access permit portion of the program.

However, the posts and access logging should be retained until appropriate improvements in the access control computer system (see Section 2.2.3) and vital area configuration have been accomplished.

I 2.5.2 Compensatory Measures Upon Loss of CCTV Cameras of a Zone I

l 1

l e

l

'This would eliminate the need for a fixed post in such zones and would pemit greater flexibility in the use of security officers, while, in the team's judgment, actually increasing security effectiveness.

2.5.3 Maintenance of Isolation Zones There appear to be some instances in which excessive concern about keeping the isolation zones clear may have had an adverse impact on plant safety or other aspects of security.

In particular, the extra fencing and barbed tape around the junction boxes at the site perimeter appears to provide little, if any, additional resistance to undetected penetration of the site.

On the other hand, to the extent that this impedes equipment maintenance (see Section 2.2.2),

it may actually degrade security.

Therefore, in the team's judgment, any extra fencing or barbed tape around those junction boxes that impedes security equipment maintenance should be removed, as convenient.

Likewise, careful consider-ation should be given to the impact upon plant safety of the relocation of the fire protection equipment currently in the isolation zone.

If this impact is potentially significant, the equipment should remain in its current location.

It should be clearly understood that' these recommendations do not in any way sanction administrative or operational

m.

convenience as a justification for failure to keep the plant isolation zone clear.

Rather, the intent is to ensure that measures employed to keep the isolati6n zone clear do not have a net adverse impact on plant security or unduly affect plant safety.

O O

e e

e e

9

-mmm

.A REGULATORY EFFECTIVENESS REVIEW

~

Background

In NRC's Policy and Planning Guidance 1982 (NUREG-0085, Issue 1. January 1982),

the Commission provided to the staff the following guidance for establishing priorities and for improving the regulatory process:

Staff, in addition to assuring that safeguards plans are in place at operating facilities and for transportation, will accelerate its indeoendent assessment that these implemented plans meet safe-guards o)jectives and that safeguards regulations adeauately support those objectives.

l Emphasis added)

In order to pursue this guidance as it relates to power reactors, the Division of Safeguards Power Reactor Safeguards Licensing Branch developed a reactor safeguards Regulatory Effectiveness Review (RER) program.

Purpose The primary purpose of an RER is to evaluate the overall system effectiveness of a plant's security program, thereby detemining if it provides the level of protection intended by NRC. If it fail's to provide such protection, specific recommendations are made on how deficiencies can be corrected to ensure provision of adequate safeguards. An additional purpose of an RER is to detennine whether existing regulations yield a level of protection commensurate with NRC's safeguards i

In this sense, the RER is a part of an effort aimed at assuring the quality goal.

of NRC's safeguards approach and associated implementing requirements. If, after a number of sites have been assessed, it is determined that current requirements fail to provide the level of protection intended or are generally mis.nderstood or misinterpreted, specific improvements L., the regulations and associated NRC guidance will be suggested to ensure that the intended level of protection is l

l achieved.

e

e., J '; ' 3 '

.e*

Regulatory Base Current regulatory requirements for safeguarding power reactors are contained in 10 CFR 73.55. This regulation requires a physical protection system and security organization whose objective is "to provide high assurance that activities involving special nuclear material are not inimical to the common defense and security, and do not constitute an unreasonable risk to the public health and safety." The physical protection system shall be designed, the regulation states, "to protect against the design basis threat of radiological l

sabotuge as stated in Part 73.1(a), which is quoted below:

(1) Raotological sabotage. (i) A determined violent external assault, attack by stealth, or deceptive actions of several persons with the following attributes, assistance and equipment:

(A) Well-trained (including military training and skills) and dedicated individuals. (B) inside assistance which may include ~a know-ledgeable individual who attempts to participate in a passive role (e.g., provide information), an active role (e.g., facilitate entrance and exit, disable alams and comunications, participate in violent attack), or both.

(C) suitable weapons, up to and including hand-held automatic weapons equipped with silencers and having effective long range accuracy. (D) ' hand-carried 4

equipment, including incapaciting agents and explosives for use' as tools of entry or for otherwise destroying reactor, facility, transporter, or container integrity or features of the safeguards systems, and (ii) An internal threat of an insider, including an employee (in any position)."

4 l

The performance objectives in 10 CFR 73.55(a) are supplemented by a set of detailed physical protection requirements in Sections 73.55(b) through (h) and in Appendices B and C of the rule. Licensee physical protection programs are developed and implemented in consideration of these requirements with individual site characteristics in mind.

Review Method The review team consisted of safeguards analysts from the Division of Safeguards i

and active-duty U.S. Army personnel serving with the JFK Center for Military i

l Assistance, acting in a support role to NRC under an interagency agreement. A regional safeguards inspector accompanied the team as an observer.

L --

p, 3

In conducting this review, two teams were employ 2d: ene looking at safIguards from the viewpoint of an external adversary group of several persons and the other looking at it from the persp,ective of a single insider. The teams assumed that radiological release is the objective of a power plant adversary and thus 4

applied the 10,CR Part 100 definition as the criterion of successful sabotage.

Further, the characteristics of-potential adversaries were bounded by the design l

l basis threat for radiological' sabotage as cited in 10 CFR 73.1(a). These factors, as well as the impact of security on plant safety, were considered during the review teams analysis of the site's safeguards.

The review process began with a preliminary analysis conducted at NRC Headquarters.,

.A principal input to the preliminary phase was a listing of vital areas and components developed by Los Alamos National Laboratories. This list of potential sabotage targets was derived from data obtained during a site visit by Los Alamos engineers. Computer codes developed by Sandia National Laboratories and the NRC j

staff coupled with computer graphics equipment located at NRC, pennitted the team to translate site layout and safety system configurations into computer graphics j

for rapid screening and analysis.

Another step in preparing for the visit was the analysis of each vital component as a potential sabotage target. First, a descriptive list of components in vital areas was prepared based on the Los Alamos vital area analysis. Then actions necessary to sabotage each component were identified, along with combinations of such actions that might lead to radiological release. The results of this target analysis served as a guide to the teams during the onsite phase.

e

. e.M a

..es.

1. '

While onsite, the teams conducted a thorough review of the site's security system. The external team focused on:

local terrain, facility layout, intrusion detection equipment, barriers, and nighttime illumination; sedurity force organization, training, equipment and procedures; and local law enforce-ment capabilities. The internal team concentrated on vital area protection, operator response, access controls and procedures, and CAS and SAS operations.

Information gathered onsite was synthesized by the teams during offsite meetings.

The tentative conclusions formed during these sessions were presented to and discussed with site corporate management at the end of the onsite evaluation.

The teams' conclusions and recommendations are documented in this report.

9

(*

s O

.eJ.J.***

.t

,_