ML20147H761
| ML20147H761 | |
| Person / Time | |
|---|---|
| Issue date: | 12/11/1978 |
| From: | NRC OFFICE OF STANDARDS DEVELOPMENT |
| To: | |
| Shared Package | |
| ML18078B291 | List: |
| References | |
| RTR-WASH-1400 NUDOCS 7812270390 | |
| Download: ML20147H761 (80) | |
Text
DETAILED RESPONSES RECEIVED FROM SD
78/2220376 f.-
UNITED STATES NUCLEAR REGULATORY COMMISSION
DEC 1 1978 1
MEMORANDUM FOR: Harold R. Denton, Director, NRR
FROM: Robert B. Minogue, Director, SD
SUBJECT: REVIEW OF REGULATORY ACTIONS AND STAFF POSITIONS WHICH RELY ON WASH-1400

We have surveyed the OSD staff to identify those regulatory actions or staff positions that have used or referred to the risk assessment models and results of WASH-1400 since its issuance in August 1974. The results of that survey are listed in Enclosure 1 by Division and Branch in OSD to facilitate review.

In our assignment of categories to these actions we have taken the "licensing process" to be synonymous with the regulatory process. We have also taken "value of accident risk" as synonymous with value of accident consequence.

In addition to the items described in Enclosure 1 we have received a detailed analysis of the use of WASH-1400 in NRR actions from one of our employees who was formerly in NRR, E. Marinos. His analysis is provided as Enclosure 2 for your use.

Copies of the documents referred to in Enclosure 1 are also attached as requested.

Robert B. Minogue, Director
Office of Standards Development

Enclosures:
As stated
Staff Review of the Extent to Which Licensing and Other Regulatory Actions or Staff Positions Have Relied on the Risk Assessment Results and Models of WASH-1400

1. SHSS

(a) (Category 1) Safeguards Standards Branch used WASH-1400 to provide an estimate of the consequences of sabotage. However, R. Jones states that the decisions to implement Reactor Sabotage regulations were based not on the WASH-1400 results but rather on the knowledge that sabotage could cause releases that would be harmful to the public. WASH-1400 is referenced in:

(1) "Safety and Security of Nuclear Power Reactors to Acts of Sabotage," SAND 75-0504, Sandia Laboratories, March 1976,
(2) Memo R. B. Minogue, thru L. V. Gossick to Ben Huberman, Director of Policy Evaluation transmitting a discussion of design-threat levels entitled "Basis and Rationale for Selections of a Design Threat Level for Power Reactors Sabotage Protection" prepared by SD staff, January 3, 1977
(3) Transcript of the public hearings on the Material Access Authorization Program "Rulemaking in the matter of 10 CFR Parts 11, 50, and 70, Docket Rm-50-7, July 10, 11, and 12, 1978."
2. DES

(a) (Category 2) SCSB - In denial of PRM 50-19, the calculated consequences of core meltdowns in PWR and BWR reactor were used to estimate the potential effectiveness of an evacuated containment to mitigate the effects of a Class 9 core meltdown accident. Risk assessment results and models (i.e., probability of the events) were not used.

(b) (Category 2) EMSB - The justification of the need for R.G. 1.139, "Guidance for Residual Heat Removal," is based in part on the WASH-1400 result that showed the probability of core melt due to system and equipment failures that result in the inability to remove fission product decay heat is higher than the probability of core melt in the event of a large LOCA. Additional bases for the regulatory position of R.G. 1.139 are provided in the discussion, and it is the view of the staff that the position would be unchanged if the WASH-1400 results had not been considered. (Note that as in the safeguards case (see 1.(a) above) the use of WASH-1400 results is a conservative action; i.e., the need for increased safety or improved safeguards is demonstrated.)
Enclosure 1

(c) (Category 3) EMSB - WASH-1400 estimates for fission product gap activity (Appendix VII) were used to affirm the use of R.G. 1.25 source terms in R.G. 1.89 to determine the radiation environment for qualifying electrical equipment. The more conservative source term of R.G. 1.25 was used in developing R.G. 1.89; hence, it is concluded that no reconsideration of the application of WASH-1400 is necessary.
(d) (Category 4) TPSB - The staff is presently reevaluating the effectiveness of existing transportation regulations in protecting the health and safety of the public. To a very great extent, that reevaluation is depending on quantitative risk assessment. There is, of course, little in common between reactor accident probabilities and transportation accident probabilities. But there is some similarity in accident consequences and post accident cleanup between the two. Therefore, the staff is using the consequence analysis portions of WASH-1400 in the transportation analyses. These uses are documented at this time in NUREG-0170 (Vol. 1) and a Sandia contractor report SAND 77-1927. The Sandia report is a precursor of a staff environmental statement.

The staff use of quantitative risk assessment in general, and WASH-1400 material in particular has been cautious and critical. Some aspects of the staff's questions on the validity of this risk assessment are addressed specifically in the overall summary and conclusions of NUREG-0170 (Vol. 1, p. ix). The use of WASH-1400 material was sufficiently critical so that, in our view, no reconsideration is needed. I should point out that no rulemaking action has yet been taken on the basis of these risk assessments.
NOV ' 6 1978

MEMORANDUM FOR: Guy Arlotto, Director, Division of Engineering Standards
FROM: E. C. Marinos, Reactor Systems Standards Branch
SUBJECT: REVIEW OF REGULATORY ACTIONS AND STAFF POSITIONS WHICH RELY ON WASH-1400

The attached information is transmitted pursuant to the request for more detailed identification of licensing actions and staff positions (relied on WASH-1400) for which I have knowledge (memorandum from D. F. Sullivan to G. Arlotto dated November 9, 1978).

The licensing actions and staff positions identified in Enclosure (I) were applied to plant reviews conducted during my assignment in NRR, until December 15, 1976. I have no knowledge of the present NRR staff plant review practices.

Enclosure (II) is a list of references to documents where licensing actions and staff positions are identified.

E. C. Marinos
Reactor Systems Standards Branch

Enclosures:
As stated

cc w/ encl:
R. Minogue
H. Denton
W. Morrison
D. Sullivan
D. Bunch
Enclosure I

REGULATORY ACTIONS AND STAFF POSITIONS WHICH RELY ON WASH-1400

| No. | Technical Issue | References |
|---|---|---|
| 1 | Pump Flywheel Missiles Generated by Reactor Coolant Pump Overspeed | Ref. 1, pg 1082, item 4.1.3 and pg 1136, item 4.4.B. |
| 2 | Separation of Electrical Equipment | Ref. 1, pg 1085, item 4.1.4. |
| 3 | Common Mode Failures | Ref. 1, pg 1132, item 4.4.A. |
| 4 | Electrical Power Grid Stability and Effects on Accident Consequences from Grid Frequency Degradation | Refs: 1, pg 1170, item 4.4.O; 3, Issue No. 9 and Issue No. 10; 5, pg 690 and pg 715. |
| 5 | Turbine Missiles | Ref. 1, pg 1173, item 4.4.P. |
| 6 | Relationship Between Required Seismic Qualification of Safety Equipment and Actual Earthquake Response Spectra | Ref. 1, pg 1178, item 4.4.Q. |
| 7 | D.C. Power Supplies in Nuclear Power Plants | Refs: 2; 7, Task A-30; 1, pg 1145, item 4.4.E. |
| 8 | Treatment of Non-Safety Grade Equipment in Evaluations of Postulated Steam Line Break Accidents | Refs: 3, Issue No. 1; 5, pg 690 and pg 715. |
| 9 | Loss of Offsite Power Subsequent to Manual Safety Injection Reset Following a LOCA | Refs: 3, Issue No. 4; 5, pg 690 and pg 715. |
| 10 | Analysis of Postulated Reactor Coolant Pump Rotor Seizure Incidents | Refs: 3, Issue No. 5; 5, pg 690 and pg 715. |
| 11 | Protection Against Single Failures in Reactivity Control Systems | Refs: 3, Issue No. 6; 5, pg 690 and pg 715. |
| 12 | Passive Failures Following a Loss-of-Coolant Accident | Refs: 3, Issue No. 7; 5, pg 690 and pg 715. |
| 13 | Use of Probabilistic Assessment of Reliability | Refs: 3, Issue No. 8; 5, pg 690 and pg 715. |
| 14 | Interpretation of GDC 19 "Control Room" | Refs: 3, Issue No. 11; 5, pg 690 and pg 715. |
| 15 | Load Break Switch (Generator Breakers) | Refs: 3, Issue No. 12; 5, pg 690 and pg 715; 6, pg 416 thru 423; 11; 12, pg 8-1 and Appendix E; 14. |
| 16 | Overpressurization | Refs: 3, Issue No. 15; 5, pg 690 and pg 715. |
| 17 | Passive Mechanical Valve Failures | Refs: 4, Issue No. 17; 5, pg 690. |
| 18 | Onsite A.C. Emergency Power Supply | Refs: 1, pg 1145, item 4.4.E; 8; 9, BTP 2, pg 8A-2; 10. |
| 19 | Allowable Time Periods That Redundant Safety Equipment May be Inoperable | Ref. 1, pg 1148, item 4.4.E. |
| 20 | Reliability of Safety Systems in the Normal Environment and Post-Accident Conditions | Ref. 1, pg 1161, item 4.4.L. |
| 21 | Single Failure Criterion | Ref. 13. |
| 22 | Limiting Conditions of Operation for ECCS/ECI Components | Ref. 15. |
| 23 | Impact of Component Outages on ECCS Unavailability | Refs: 16, 17 and 18. |
Enclosure II

REFERENCES

1. Investigation of Charges Relating to Nuclear Reactor Safety: Hearing Before the Joint Committee on Atomic Energy, Congress of the United States, 94th Cong., 2d Sess. (February 18, 23 and 24, March 2 and 4, 1976).
2. NUREG-0305 dated July, 1977 - Technical Report on D.C. Power Supplies in Nuclear Power Plants.
3. NUREG-0138 dated November, 1976 - Staff Discussion of Fifteen Technical Issues Listed in Attachment to November 3, 1976 Memorandum from Director, NRR to NRR Staff.
4. NUREG-0153 dated December, 1976 - Staff Discussion of Twelve Additional Technical Issues Raised by Responses to November 3, 1976 Memorandum from Director, NRR to NRR Staff.
5. Regulatory Commission's Safety and Licensing Procedures: Hearing Before the Committee on Government Operations of the United States Senate, 94th Congress, 2d Session (December 13, 1976).
6. Advisory Committee on Reactor Safeguards, 190th General Meeting, February 6, 1976.
7. NUREG-0410 dated January 1, 1978 - NRC Program for the Resolution of Generic Issues Related to Nuclear Power Plants.
8. Before the Atomic Safety and Licensing Appeal Board - In the Matter of Florida Power & Light Company (St. Lucie Nuclear Power Plant, Unit 2); NRC Staff Response to Applicant's Submittal of April 3, 1978.
9. NUREG-75/087, Rev 1 - Standard Review Plan.
10. Regulatory Guide 1.108, Revision 1 dated August, 1977 - Periodic Testing of Diesel Generator Units Used as Onsite Electric Power Systems at Nuclear Power Plants.
11. Proposed Technical Position on Qualification of High Interrupting Capacity Power Generator Breakers - Memorandum for R. E. Heineman from E. C. Marinos dated October 26, 1976.
12. Safety Evaluation Report - McGuire Nuclear Station, Unit 1 and 2, dated March 1978, NUREG-0422.
13. Information Report by the Office of Nuclear Reactor Regulations on the Single Failure Criterion - Memorandum for the Commissioners, thru L. V. Gossick, from E. G. Case dated August 17, 1977.
14. Recommendation for Board Notification - Memorandum for D. Vassallo from F. Schroeder dated May 24, 1978.
15. A Quantitative Approach for Establishing Limiting Conditions of Operation for ECCS/ECI Components in Commercial Nuclear Power Plants - Science Applications, Inc.; Report No. SAI-78-649-WA dated June, 1978.
16. The Impact of Component Outages on ECCS Unavailability - Science Applications, Inc.; Report No. SAI-75-550-WA dated August, 1975.
17. Amendment to "Impact of Component Outages on ECCS Unavailability" Based on NRC Surry Power Plant ECCS Reanalysis - Science Applications, Inc.; Report No. SAI-76-536-WA dated May, 1976.
18. The Impact of Component Outages on ECCS/ECI Unavailability for an Operational RESAR-3 PWR - Science Applications, Inc.; Report No. SAI-76-622-WA dated July, 1977.
SAND 75-0504
Specified External Distribution Only

Safety and Security of Nuclear Power Reactors to Acts of Sabotage

Prepared by Sandia Laboratories, Albuquerque, New Mexico 87115 and Livermore, California 94550 for the United States Nuclear Regulatory Commission under ERDA Contract E(291).78B.
SAND 75-0504
Specified External Distribution Only
Printed March 1976

SAFETY AND SECURITY OF NUCLEAR POWER REACTORS TO ACTS OF SABOTAGE

Prepared for the United States Nuclear Regulatory Commission
Office of Nuclear Regulatory Research

by

Sandia Laboratories
Albuquerque, New Mexico 87115
Livermore, California 94550

ABSTRACT

A study has been made of the vulnerability of U.S. commercial light water reactor power plants to sabotage. The susceptibility of nuclear plants to sabotage and the consequences of a successful attack are compared with respect to other industrial and civil targets. Recommendations are given to further reduce the vulnerability of nuclear power plants to sophisticated sabotage threats.
CONTENTS

1. Background
2. Study Objectives
3. Study Methodology
4. Study Results
4.1 Inherent Resistance of Nuclear Plants to Sabotage
4.2 Susceptibility of Nuclear Plants to Sabotage
4.3 Consequences
4.4 Comparison with Sabotage to Other Targets
5. Recommendations
5.1 Plant Design
5.2 Administrative Control
5.3 Emergency Planning
6. Summary
7. References

ILLUSTRATIONS

Figure 1. Study Methodology
Figure 2. Comparison of Various Sabotage Targets
SAFETY AND SECURITY OF NUCLEAR POWER REACTORS TO ACTS OF SABOTAGE

===1. Background===

Commercial nuclear power plants are designed and operated to very high standards to protect against accidents. The plants include a variety of engineered safety features which provide additional protection against a radioactive release. Consequently, the risk to the public due to accidents caused by equipment failure or operator error is very low. [1] There remains the question whether consequences created by deliberate sabotage could contribute significantly to the public risk.

In 1968 the U.S. Atomic Energy Commission sponsored an appraisal of the potential hazard of industrial sabotage in nuclear power plants. [2,3] This appraisal, directed by Dr. C. Rogers McCullough, reviewed the history of industrial sabotage and examined the motivation and extent of knowledge likely to be possessed by various types of saboteurs. An assessment was made of the likelihood and possible consequences of a number of sabotage acts and the level of damage necessary to create a public hazard. It was concluded that, although sabotage with serious consequences to the public is possible in theory, the probability of occurrence was sufficiently low that no undue risk to the health and safety of the public existed.

Recent events indicate that: (1) terrorism has increased in many parts of the world, (2) terrorists are becoming more sophisticated, and (3) a greater variety of more complex targets are being attacked. This situation demands reconsideration of the vulnerability of various civil and industrial facilities to sabotage. Thus early in 1974 the Atomic Energy Commission began at Sandia Laboratories this study on the vulnerability of nuclear power plants to sabotage. This report summarizes the objectives, methodology, results, and recommendations.
===2. Study Objectives===

The objectives of the study are:

(1) Evaluation of the susceptibility of nuclear plants to sabotage for a broad range of threats,
(2) Determination of the consequences of successful sabotage,
(3) Comparison of the susceptibility and the consequences with sabotage of other industrial targets,
(4) Recommendations of means by which sabotage might be prevented or its consequences mitigated.

The likelihood of sabotage attempts in nuclear power plants was not estimated. Principal emphasis is on sabotage which could produce levels of radioactivity constituting a hazard to the lives, health, or property of the general public. Sabotage which would cause only loss to the operating utility company was not evaluated.
===3. Study Methodology===

Two typical U.S. commercial nuclear power plants, one having a pressurized water reactor (PWR) and the other having a boiling water reactor (BWR), were studied in detail. A number of other plants of both reactor types were visited and studied in order to identify plant-to-plant differences and to assure general applicability of the results.

The study methodology (see Figure 1) combines systematic analysis and empirical gaming to identify plant vulnerabilities and to determine countermeasures. Fault trees were developed to systematically inventory all combinations of sabotage actions that could lead to a radioactive release from the plant. Adversary study teams developed detailed sabotage sequences describing how sabotage operations might be accomplished. Differing amounts of information and plant access were afforded to the teams. The teams evaluated the resources required to accomplish sabotage and estimated their chances of achieving success. These results were analyzed to obtain a qualitative measure of the susceptibility of the plants to sabotage.
[Figure 1. Study Methodology. Flow diagram; box labels include Fault Tree Study, Adversary Study, Develop Sabotage Sequences, Evaluate Plant Susceptibility, Reactor Safety Study, Industrial Sabotage Study, Evaluate Consequences, Provide Countermeasures, and Recommendations.]
The same combination of fault tree analysis and empirical gaming was employed to determine countermeasures to reduce the vulnerability of the plants to sabotage. The fault trees were analyzed to define conditions sufficient to prevent a radioactive release and to identify vital plant systems that should be protected. Measures to thwart sabotage were also formulated by members of the adversary teams by drawing upon their experience gained in determining how to penetrate the plant defenses.

The consequences of the sabotage sequences were estimated using data developed by the Reactor Safety Study. In order to place the study results in perspective, the adversary team members investigated the susceptibility of other targets to sabotage and estimated the consequences of an attack.
===4. Study Results===

4.1 Inherent Resistance of Nuclear Plants to Sabotage

The following characteristics of commercial nuclear power plants greatly increase the difficulty of releasing radioactivity by sabotage:

(1) The "defense-in-depth" concept of reactor plant design;
(2) The massive structure of the plant, which protects critical components from external attack;
(3) The safety design basis of the plant, which emphasizes system reliability, flexibility, redundancy, and protection against common mode failures; and
(4) Engineered safety features, which are added to the basic system to cope with abnormal operations or accidents.

As an example, in a commercial light water reactor plant, fuel containing the radioactive fission products is enclosed in metallic cladding and is located within a thick steel reactor vessel. The reactor vessel and coolant piping are located within a massive steel and concrete containment structure. Although, in part, the purpose of these multiple containments is to provide successive confinement of radiotoxic fission products, the containments may also serve as effective physical barriers against external threats.

Additional plant protection measures can be taken to supplement the inherent resistance of nuclear power plants to sabotage. These measures could be degraded by:

(1) Excessive dependence on perimeter security to provide sabotage protection; and
(2) Possible conflicts between safety and security in plant design and operation requirements, particularly in regard to access to vital components.
4.2 Susceptibility of Nuclear Plants to Sabotage

Acts of willful destruction occur in many industries. They may be caused by disgruntled employees during periods of discordant labor relations, by fanatics or extremists during periods of civil unrest, or by mentally deranged individuals. Such acts have rarely occurred at nuclear power plants. The sequences developed by the adversary teams and the systematic presentation of plant failure modes described by the fault trees jointly demonstrate that there is negligible chance that acts of willful destruction would result in release of radioactive materials.

Sabotage which might endanger the public could only be carried out by knowledgeable, capable personnel having a high degree of technical competence. Such an attack would require thorough planning in order to mount an effort coordinated to bypass the plant security system and to disable or destroy elements of several plant systems in the multiple plant defenses against a radioactive release.
4.3 Consequences

The elapsed time between the initiation of a sabotage-induced failure sequence and the actual release of radioactive materials varies considerably. For many credible sequences, such as long-term transient incidents, sufficient time is available after initiation for a plant damage control team to nullify or mitigate the consequences of the attack.

The Reactor Safety Study [1] developed methods to predict the magnitude of the radioactivity released and the public consequences occurring from random equipment failure and human error for various accident sequences. All sabotage options that have been identified lead to plant failure sequences that were included in the Safety Study. Therefore, sabotage cannot create consequences greater than those considered by the Safety Study.

Many factors influence the consequences: the sabotage option chosen, the operating status of the engineered safety features, the containment failure mode, the time and space variation of the wind and meteorological conditions, the site population distribution, and the extent of emergency response by on-site and off-site personnel. Control of all these factors is well beyond the capabilities of a credible sabotage operation. Evaluation of the probable consequences arising from the sequences developed by the adversary teams yielded values that are a small fraction of the maximum consequences considered by the Reactor Safety Study.
4.4 Comparison with Sabotage to Other Targets

Within the civil, industrial, and military sectors of our society are many potential targets for sabotage, which, if attacked, could result in public harm. To evaluate objectively the risk resulting from sabotage of a given target, the following factors must be known:

(1) The likelihood that sabotage will be attempted,
(2) The susceptibility of the target to sabotage, and
(3) The consequences of successful sabotage.

Reliable methods have not been developed for predicting the likelihood of attack. Thus, judgments of the seriousness of the threat must be based on perception and intuition. The latter two factors, susceptibility and consequences, are amenable to analysis. Qualitative comparisons of the relative susceptibility of various targets to sabotage and estimates of the consequences can be made. Such objective knowledge of the susceptibility of a target and the consequences of a successful attack are useful inputs in making subjective judgments of risk.

Nuclear power reactors appear far less susceptible to sabotage than most other civil or industrial targets. The technical requirements, planning, and necessary manpower and equipment are much greater for a credible sabotage attempt on a nuclear power reactor than are required for an attack on other potential industrial or civil targets. The probable consequences of successful sabotage of a power reactor are comparable to the consequences that could be produced by sabotage of many other targets. The lower susceptibility to sabotage attack of nuclear reactors reduces the likelihood of credible attacks being mounted by unsophisticated elements.

Figure 2 shows a qualitative ranking of the magnitude of susceptibility of various targets to sabotage, along with the magnitude of consequences of successful sabotage. For equal attack likelihood, targets listed near the upper right-hand corner (high susceptibility, high consequences) present the greatest risk.
[Figure 2. Comparison of Various Sabotage Targets. Qualitative chart with susceptibility (low, medium, high) on the horizontal axis. Targets shown: nuclear weapons, dam, water supply, warfare chemicals, food supply, public gathering, nuclear power reactor, public building, railroad yard and trains, munitions depot, bridge, docks and ships, tunnel, toxic chemicals, airport and aircraft, petroleum and natural gas, explosives, military base, bank, communications, fossil fuel power plant, power transmission.]
===5. Recommendations===

Recommendations have been developed to reduce further the susceptibility of nuclear power plants to sabotage. These recommendations fall into three categories: plant design, administrative control, and emergency planning.

5.1 Plant Design

In practice, sabotage protection as well as safety and operability considerations should be an integral part of nuclear power plant design.

Specific recommendations were developed for a PWR and a BWR nuclear power plant for plant design modifications to counter sabotage. The impact of these plant specific recommendations can be summarized by the following generic recommendations:

Recommendation 1 - Systems* whose disablement, destruction, or misuse could cause a radioactive release, the immediate loss of reactor coolant, or the permanent loss of plant monitoring and control should be adequately protected by physical barriers, intrusion detection systems, and active response.

Examples are the reactor vessel and the control room. Protection of such systems should not be difficult since the safety-based design of the plant has already located these systems deep within the plant behind massive physical barriers.

Recommendation 2 - Systems* required to provide recovery from short-term transient incidents which could lead to a radioactive release should be adequately protected by physical barriers, intrusion detection systems, and active response.

A flexible combination of physical protection and emergency plant damage control response (see Recommendation 7) is recommended to assure that transient incidents created by sabotage cannot lead to a radioactive release. Physical protection of some systems is required to prevent those transient sequences which might cause a release in times which are too short for plant damage control actions to be effective. Although these systems may be located throughout the vital area of the plants, they are highly redundant and are provided with great flexibility. Adequate protection of a required minimum set of these systems appears to require relatively minor plant modifications.

* Systems used here also denote plant features or areas.

5.2 Administrative Control

Control of personnel access during shutdown, repair, or operation of nuclear power plants would preclude sabotage actions by unauthorized personnel. The specific recommendations that have been developed follow:

Recommendation 3 - Procedures should be developed to permit access to containment and other vital areas only by authorized personnel during shutdown, repair, or operation. Following every prolonged period of shutdown or repair, a methodical inspection of containment should be made by qualified personnel.

Recommendation 4 - Close supervision, by knowledgeable personnel, should be given to maintenance or repair being performed on equipment of vital systems or in vital areas.

Recommendation 5 - Only those persons who are required to operate, maintain, or inspect the reactor plant should be admitted to the control room.

Recommendation 6 - Plant tours for the general public should not be conducted in vital areas.

Recommendation 4 could have spinoff benefit in terms of increased plant availability and safety.
5.3 Emergency Planning

The final recommendation involves planning for emergency damage control actions which would be performed by plant operating personnel. A flexible preplanned response by trained personnel of the plant operating staff would be a very effective countermeasure against sabotage.

Recommendation 7 - Emergency plans should include a damage control team to provide effective response to acts of sabotage. Equipment required by the team should be provided and plant modifications implemented to provide features to expedite the use of the equipment. The team should be capable of restoring long-term emergency cooling to effect safe shutdown following sabotage attack.
===6. Summary===

Nuclear power plants have inherent resistance to sabotage due to their safety-based design and construction. A highly determined, knowledgeable, planned, and skillful effort would be required in order for saboteurs to circumvent plant security measures, create an initiating incident, and disable the engineered safety features in order to cause a radioactive release from the plant. Countermeasures involving plant design, protection systems, administrative control, and emergency planning have been recommended to provide increased protection against such sophisticated efforts.
===7. References===

1. Reactor Safety Study - An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, U.S. Nuclear Regulatory Commission, WASH-1400 (NUREG-75/014), October 1975.
2. C. R. McCullough, S. E. Turner, and R. L. Lyerly, An Appraisal of the Potential Hazard of Industrial Sabotage in Nuclear Power Plants, Southern Nuclear Engineering, Inc., SNE-51 UC-80, July 1968.
3. S. E. Turner, C. R. McCullough, and R. L. Lyerly, Industrial Sabotage in Nuclear Power Plants, Nuclear Safety, Vol. II, No. 2, March-April 1970, p. 107.
Distribution:

NRC/Office of Nuclear Regulatory Research
Division of Safeguards, Fuel Cycle and Environmental Research
J. S. Berggren
Washington, D.C. 20545 (100)

1000 G. A. Fowler
1200 W. A. Gardner
1230 W. L. Stevens, Attn: J. W. Hickman, 1233
1300 D. B. Shuster
1310 A. A. Lieber
1700 O. E. Jones
1710 V. E. Blake, Jr.
1730 H. H. Patterson
1750 J. E. Stiegler
4300 R. L. Peurifoy, Jr.
5000 A. Narath
5100 J. K. Galt
5120 G. J. Simmons
5400 A. W. Snyder
5410 D. J. McCloskey (100)
5420 J. V. Walker
5430 R. M. Jefferson
5440 H. D. Sivinski
8100 L. Gutierres
8110 A. N. Blackwell, Attn: A. T. Jones, 8112
8300 B. F. Murphey
8320 T. S. Gold, Attn: R. L. Rinne, 8321
3141 C. A. Pepmueller, Actg. (5)
3151 W. L. Garner (3)
(ERDA/TIC) (SEDO)
8266 E. A. Aas (2)
NUCLEAR REGULATORY COMMISSION

IN THE MATTER OF:
Rulemaking in the matter of 10 CFR Parts 11, 50 & 70
Docket No. RM-50-7

Place - Washington, D. C.
Date - Monday, July 10, 1978
Pages 1 - 241

ACE-FEDERAL REPORTERS, INC.
Official Reporters
Washington, D.C. 20001

[Transcript pages 23-24]

level that we're concerned about.

DR. HALL: That's a bit of jargon. Would you say what Part 100 release means?

MR. JONES: 300 rem to the thyroid, 25 rem to the whole body. That is not to say that a release less than that would not be hazardous.

DR. HALL: Let's go back. This is a release greater than that which is imagined in the Safety Analysis Report?

MR. JONES: That is correct.

DR. HALL: Is this an accident, the magnitude of which would have been examined in WASH 1400?

MR. JONES: Yes. Although WASH 1400 did not address sabotage, it would have been.

DR. HALL: Did they make any comment about sabotage in that report?

MR. JONES: Yes, I believe they did make a comment in there to the effect that treatment of sabotage was a different situation with different probabilities and that they were not addressing them.

DR. HALL: Did they make any statement about the consequences of sabotage?

MR. JONES: I don't believe they did. I don't recall that they made any --

DR. HALL: Is that the feeling of the rest of the panel? Does anyone have a different view of that?

MR. JONES: I think WASH 1400 did not address sabotage consequences and make a comparison. I don't recall that. We can check that.

DR. HALL: I wish you would check that, because it is not part of this hearing record, of course, but I do remember hearing Dr. Rasmussen make some presentations and Sol Levine make some presentations of that report. So, perhaps before, or sometime in this, if you have occasion, you might just verify it.

Carole, did you get an answer for your definition?

MS. FRINGS: Yes.

DR. HALL: In your testimony you mention that you would be exempting nonpower reactors if their inventory was less than the formula amount. Is that a correct statement?

MR. JONES: That's correct, yes.

DR. HALL: The University of Michigan asked some questions which I will paraphrase. These were submitted by Reid R. Burn. I don't know if you have them.

MR. JONES: Yes.

DR. HALL: And the questions really go to the problem of why is the quantity of material, the formula, an important consideration?

MR. JONES: The formula quantity, which is 2 kg's

[Transcript pages 209-211]

Safety and Security of Nuclear Power Plants, Power Reactors to Espionage and Sabotage.

Would you summarize the conclusions of that?

DR. KNUTH: Yes, sir. I have the report right in front of me. It is a fairly short report. It is about 12 pages. If the Board please I can submit the entire report, have it Xerox'd for your consideration.

The general conclusion of the report is that the nuclear power plants as designed have an inherent resistance to sabotage. This is based upon the design of the plants, the defense-in-depth concept, massive structures of the plant which protect critical components; the safety design basis of the plant which emphasizes reliability, flexibility, redundancy and protection against common mode failures, and against safety features which are added to the basic features.

The results of this particular study conducted for the NRC indicate that the consequences and susceptibility for sabotage to nuclear power plants is on the low side of many other industrial targets.

And they also concluded in there that the consequences of sabotaging a nuclear power plant would be well within the small fraction of the maximum consequences considered by the Reactor Safety Study, WASH-1400, so-called. It's not only difficult to sabotage them, but the potential consequences are low compared to many other industrial targets such as public buildings, bridges, tunnels, aircraft, so forth.

DR. HALL: Let me direct your attention to your testimony at page 3, the top of the page, where you refer to this; and then you use the word -- let me quote:

"As indicated the probable potential consequences"

-- and I will stress the word "probable" -- what we are looking for is not the probable but the upper reaches; with that interpretation would you change the statement you made previously?

DR. KNUTH: Well, of course, the sabotage that gives you the highest consequences always is a poor number; and of course the Reactor Safety Study considered the number of core melt downs, those having higher consequences have a lower probability.

But this particular study did not try to attach a probability of sabotage to compare with the Reactor Safety Study. But the consequences of sabotage would be within the range of the Reactor Safety Study.

DR. HALL: Can you answer a question I asked the Staff earlier? Did the WASH-1400 mention or discuss the sabotage problem?

DR. KNUTH: Yes, it did.

They did not, in WASH-1400, attempt to develop probabilities of sabotage. Well, let me go back one step.

The general results of WASH-1400 showed that a core meltdown, one out of about every 150 core meltdowns, would result in something on the order of greater than 10 fatalities.

The Reactor Safety Study did indicate that the potential consequences of sabotage acts would be within those considered in the Safety Study, they did not make any attempt to attach probability to a sabotage attempt. They just did not have the basic data to try to come up with probability numbers.

But there is a statement the consequences are within the scope of WASH-1400; yes, sir.

I believe that appears in the final appendices on responses to agencies' comments, such as the Union of Concerned Scientists, which raised this question; and in the final draft they addressed it.

DR. HALL: Yes, that confirms my memory, too.

CHAIRMAN VERKUIL: We would appreciate obtaining a copy of that report.

DR. KNUTH: Three copies for the record, sir?

CHAIRMAN VERKUIL: Yes, that would be fine.

MS. FRINGS: I have a question for Mr. Culp.

I believe on page 9 of your testimony you discuss the problem that industry really cannot afford to wait months for your people to be cleared. Could you please explain

NUCLEAR REGULATORY COMMISSION

IN THE MATTER OF:

Rulemaking, 10 CFR Parts 11, 50 & 70

Docket No. RM 50-7

Place - Washington, D. C.
Date - Wednesday, July 12, 1978
Pages 422-557

[Transcript page 487]

and safety was also of concern. And we have addressed both issues in this proposed regulation.

DR. HALL: What are the consequences, then, which are contemplated in the licensing of a nuclear power plant? The national, maximum, consequences?

MR. JONES: The maximum consequence would be the core meltdown and the releases indicated in WASH-1400. I think Jim can address that.

MR. MILLER: I think the references to WASH-1400 were given earlier this morning and, of course, there are consequence tables. We are implementing the physical security as was mentioned I believe on Monday to prevent a sabotage event that could lead to a release of the magnitude of Part 100.

MR. HALL: You are saying physical security measures, to prevent?

MR. MILLER: That is correct.

MR. HALL: So that even if there were an insider with evil intent he could not accomplish this?

MR. MILLER: That is the charter that is given in 73.55, an insider is included in two different places; in 73.55 (a) (1), wherein the insider assists in an active fashion and passive fashion to the external threat; and in 73.55 (a) (2) wherein he acts alone.

DR. HALL: So, then, the clearance program

[Transcript page 492]

DR. HALL: Let me go back then to this report. Is this report to be accepted that says an act of sabotage can be no greater than that which has been included in the envelope of accidents concerning the licensing?

MR. JONES: I believe I am correct that WASH-1400 is not the criteria for licensing reactors.

DR. HALL: Granted.

MR. JONES: All WASH-1400 says is that they have addressed the maximum occurrence, and a saboteur could not cause anything more than that. They are not saying that a saboteur could not cause that.

DR. HALL: I understand.

What is your, or the Staff's position, do you accept this report by the Sandia Laboratory as being reasonable and accurate?

MR. JONES: Yes.

DR. HALL: So that a saboteur could not cause an accident greater than that which is contemplated in the Safety Analysis Report?

MR. JONES: Right. Correct.

DR. HALL: Which is to say, I agree with you that it is implied he could cause at least that.

MR. JONES: Yes.

DR. HALL: But no more than.

MR. JONES: But no more than.

[Transcript pages 495-496]

consequences be? Will there be an immediate hazard to people who live in a certain radius? Will there be a long-term possible disease impact upon people?

I really don't have any concept of what is going to happen?

MR. JONES: Both.

MS. FRINGS: Both? So, what sorts of things?

You know, I have read about, for example, as a consequence of an atomic bomb exploding, which is different?

MR. JONES: That is different.

MS. FRINGS: So, is it anything comparable? Or what other kinds of results would occur?

MR. JONES: The consequences are not quite as great or as great as an atomic bomb. Do you have data?

MR. MILLER: I think I would refer you to WASH-1400 and the consequence tables that are in that document.

DR. HALL: I don't think that is a part of the record.

MS. FRINGS: I realize that. I appreciate your referring to it; so that we can look at that so we do have something on the record for the benefit of the public who may not be looking at these documents?

DR. HALL: If you could --

MR. JONES: We will put it in the record.

DR. HALL: Excuse me, I think that would be very difficult -- and the Board, although I happen to be familiar with nuclear materials, the Board as a majority is not. And to swamp the Board with the report of WASH-1400 would be just an unfriendly act.

(Laughter.)

[Transcript pages 497-499]

MS. FRINGS: I would also submit that it is not just important for the Board to understand this. After all, this is a public hearing, and we are trying to advise the public what the consequences would be.

MR. LIEBERMAN: I was just going to add that the Executive Summary of WASH-1400 attempts, I think, to give some perspective on the question. It's not a very thick document, and that might be relevant.

The general question of the safety or the consequences of reactors is not something that can really be answered in, shall we say, twenty-five words or less. It really involves many considerations and many factors, and just to give a short summary here might really not do any of us a good service.

DR. HALL: You couldn't summarize Part 50 requirements?

MR. LIEBERMAN: We could certainly do that. Maybe Mr. Miller could speak to that.

MS. FRINGS: Before you get into that, let me just ask, is the Executive Summary written in laymen's terms or is it a technical document that only a scientist would understand?

MR. LIEBERMAN: I think it's understandable to a layman. That's the purpose of the Executive Summary.

MR. MILLER: Let's address the Executive Summary for just a minute. The Executive Summary in the consequence area, postulating an event as you have postulated it -- maximum release, maximum sabotage event -- addresses factors such as immediate fatalities, latent fatalities, property damage from such things as contamination.

MS. FRINGS: You say it addresses them. Does it conclude that these things could occur?

MR. MILLER: It gives the exact numbers and dollar costs.

MS. FRINGS: Okay. That's the kind of thing I was interested in.

MR. MILLER: We will make those tables available from the report.

MS. FRINGS: I think that would be very helpful.

DR. HALL: Do you have any idea when you can make them available to us?

MR. LIEBERMAN: We can have it done by this afternoon or tomorrow.

CHAIRMAN VERKUIL: Is there any attempt to compare the consequences of other disasters?

MR. LIEBERMAN: That's in WASH-1400. They compare it to airplane accidents and other things of this sort.

CHAIRMAN VERKUIL: Could we extract that? I'm advised by the friendly act of my colleague here that we don't have to go into WASH-1400. Could you extract the comparability data?

What we'd like to get a sense for is whether a similar kind of disaster could occur in a variety of other situations which would not be presumably subject to the same kind of protection you have sought.

MR. MILLER: Yes, I think most of that information is in Chapter 6, and we can supply it. It has things such as dam failures and consequences from fires and earthquakes, that type of information.

CHAIRMAN VERKUIL: That would be most helpful.

(The Board conferring.)

I wonder if we might just take a 5-minute break? We are hoping to close by around noon, as I understand this room has other uses. I believe we can. We'll take a short break now.

(Recess.)

CHAIRMAN VERKUIL: Let's reconvene, please.

MS. FRINGS: We will proceed by going into some questions on Issue 2, which is a discussion of the advantages and disadvantages of alternative programs to the screening program that has been proposed.

A couple of my questions will be based on things raised by other participants. I believe this question was raised by Westinghouse when they testified. They were making the point that the DCD and DCE programs require very

[Transcript pages 511-512]

talked about the worst case, and that's what we're presenting here.

CHAIRMAN VERKUIL: I hate to get into this, but I can't avoid it.

(Laughter.)

After listening, it seemed to me that the case for application of the clearance rule is stronger now in research reactors and not in power reactors because of the fact that they're left out of the Sandia report and the fact that their physical protections are not evaluated as carefully. We now seem to be turning it on its head, because we started out leaving out research reactors, at least most of them, from the requirements of the clearance rule to begin with.

MR. MILLER: We still are. My understanding was we were talking about the higher powered research reactors, of which there are not that many.

CHAIRMAN VERKUIL: And those are the ones that seem to have, as I understand your definition, the most problems with respect to greater damage than had already been anticipated through the Sandia report or the WASH-1400 study.

The others at least were contemplated and have been dealt with in terms of risk, in terms of the safety risks that were already set aside from accidents.

MR. MILLER: May we separate the two different things? WASH-1400 and the Sandia study that we're referring to only deal with power reactors. We cannot talk in the context of nonpower reactors in those two documents.

CHAIRMAN VERKUIL: Mr. Knuth, you introduced us to the Sandia report and requested a little time to discuss WASH-1400. Maybe it would be appropriate if you made your statement now.

No one has used the podium yet. Why don't you try it out.

DISCUSSION OF WASH-1400 BY DR. DONALD F. KNUTH, KMC, INCORPORATED.

DR. KNUTH: I just thought I'd like to make a few comments on WASH-1400.

WASH-1400 is a reactor safety study. It's a very voluminous study, using a number of man-years of effort to complete, and it looked at a number of events leading to accidents in commercial nuclear power plants.

The study took these events that could lead to core melts and looked at the equipment that would have to fail as a consequence of maloperation or just equipment failure, and it attached to that probability estimates that a particular event or sequence could lead to core melt.

The consequences that arose from any particular sequence of events were dependent to a high degree upon the various sequences that actually occurred.

[Transcript pages 513-517]

For example, a loss of coolant accident followed by failure of the core cooling system to eject water would lead to one set of consequences, and it would also have a set of probabilities associated with it that that could occur.

Another event that could lead to some core melt could be a reactor excursion by failure to scram. That could also lead to a core melt, having its consequences and having again its unique probability of occurrence.

What the study went on to do is to look at what would be the results of the most likely consequences of a core melt, and, as indicated by the staff, the most likely consequences for a core melt are fairly small. It would result in less than one fatality. It wouldn't result in any early fatalities, and the property damage is in the reports that the staff indicated they would give to you.

It went on to show also that approximately one in 150 core melts would result in consequences that could result in more than ten early deaths, and the associated latent effects and property damage and so forth are also listed in that report.

Looking at the other side of the coin, looking at sabotage, the general studies that have been made that can lead to core melt, the statements in the Sandia report, indicate that the consequences of core melt would be within those studied in the reactor safety study.

Again in sabotage a number of chains of events are possible. A saboteur may elect to sever the primary coolant system. He may simultaneously breach the containment. A number of chains are possible.

What we've done in various studies in evaluating the consequence is to look at these various scenarios -- and there is almost an infinite array -- to determine what would a saboteur have to have in the way of skills to accomplish these various events.

What we became convinced of is that it is very difficult for a saboteur to think through the events and to be able to sabotage sufficient equipment to cause high-consequence events, mainly because of the inherent safety design of the plant.

Not to say that it is not possible; it's just very difficult to do.

The problem we had in using WASH-1400 and trying to apply its methodology to sabotage was to try to associate a probability with it. We just could not establish what the probability was that there was even a saboteur existing, or what would be the probability that a particular saboteur would pick a particular chain of events. As I say, it's almost an infinite chain. He could elect to destroy some equipment by shorting it out or what have you. What would be the probability that an operator would detect it on a routine safety test and repair it or damage control measures in the event of that incident to mitigate the consequences? We just could not really establish the probability.

I think, in summary, the Sandia report, in discussing the various consequences -- if you will refer to page 9 of the report that I had entered into the record yesterday, there is a graphic table which attempts to establish what the consequences and susceptibility of sabotage in various industrial targets are. You will note that nuclear power plants, commercial power plants, fall essentially in the consequences they could have due to sabotage that is called medium consequences.

In that same category, a saboteur could arrive at the same consequences, whether you're talking in terms of cost in terms of lives sacrificed or in terms of dollar cost damage. He could sabotage public buildings, bridges, tunnels, airports and aircraft and so forth. There are other targets that would give even much higher consequences which would have even lower susceptibility should he choose to do so.

And that is the context that I think has to be made clear, that sabotage of a nuclear power plant is difficult. The effect that it would have on the public health and safety is somewhat tenuous. It would take a very skilled saboteur to do it, and provisions are already in effect, were placed in effect since these studies have been done. These studies were done prior to any implementation of access control and so forth that further reduce the susceptibility of plants to sabotage.

CHAIRMAN VERKUIL: Mr. Lieberman, did you have any question you might want to ask?

MR. LIEBERMAN: I just want to ask if any of the panel members have any comments to make to that.

(No response.)

DR. HALL: I'm sure, Dr. Knuth, you're not saying that because there is perhaps a greater risk from a dam that one should not take all reasonable precautions to protect a reactor power plant?

DR. KNUTH: No, sir, I'm not. I think the amount of protection provided has to be to provide reasonable assurance. I think we have achieved reasonable assurance.

I'm not suggesting that employees should not be screened for reliability. I think it should be done. The question is do you also need to have a full field background clearance for operators to go in and operate a plant, and I don't think that's necessary.

CHAIRMAN VERKUIL: Mr. Jones' observation -- I think it's fair -- was that this report, or rather that WASH-1400 did not consider sabotage as an additional factor added on to accident. You say you can't calculate the probability of adding sabotage in in terms of how it might increase risks.

DR. KNUTH: In the reactor safety study, you can have a sequence of events which lead to core melt and lead to high-consequence accidents. You can then take an engineering look at that sequence and say what is the probability that that would occur.

We know that diesels, for example, the probability that they may not start is 1 in 100. You can assign that probability. What's the probability that you lose offsite power? There are statistics to show what that probability is.

So you can take an accident -- not caused by someone failing equipment but just occurs out of its pure orneriness -- and calculate what is the probability that this would occur. The probability then would be to an accident having certain consequences.

In the area of sabotage, you can make the statement that the consequences of core melt would not exceed those from a core melt induced by a similar method, but you cannot use the same methodology and say, "Now, what is the probability that a saboteur would be clever enough to use this particular chain?" That's where we run into difficulty. We couldn't even establish what the probability was that there was a saboteur lurking out in the real world, anyway.

I hope that helped.

[Transcript page 518]

CHAIRMAN VERKUIL: Thank you.

(Dr. Knuth excused.)

CHAIRMAN VERKUIL: Are there any questions for the panel?

MS. FRINGS: Mr. Miller, I would just like to see if I can understand the staff's reasoning here.

As I understand it -- we're all having communications problems, I guess -- when you license a reactor, as I understand it you are requiring that the reactor have a certain safety standard that would insure that, if an accident does occur, a certain maximum result or radiation release is the worst that could happen. Am I correct so far?

MR. MILLER: Right.

MS. FRINGS: Are you also saying that when you make that determination, you're licensing the reactor, you're only considering accidents; you're not considering sabotage?

MR. MILLER: Right.

MS. FRINGS: Now, is it true that it's the staff's opinion that consequences could be worse or could be more disastrous from an act of sabotage than from an accident? In other words, is it possible from an act of sabotage that you could have a higher radiation release or worst consequence than you could from an accident that might occur in that reactor?

[Transcript page 519]

MR. MILLER: No, I think Dr. Knuth stated that rather well, that as far as consequences are concerned, consequences could probably be no more than those established in WASH-1400.

MS. FRINGS: From an accident?

MR. MILLER: The type of accident that he was talking about, that's right.

However, where he did mention that there is some controversy is in the probability of a sabotage event.

MS. FRINGS: I did understand his point on that.

MR. MILLER: What we are saying is that 73.55 requires us and requires licensees to establish security programs -- I won't even call them physical security programs anymore -- to protect against an external threat and an internal threat.

In implementing that regulation, we are saying that the probability approaches 1 of an internal or external threat being there.

So let me again answer it: As far as the consequences are concerned, we agree that the consequences would be no more than WASH-1400.

DR. HALL: Did I understand you to say that there is a probability of 1 that there is a saboteur in each and every plant?

MR. MILLER: No, I did not mean that.

[Transcript page 520]

DR. HALL: I hope you didn't.

(Laughter.)

MR. MILLER: If I may, 73.55 (a) says, and I quote. This is the General Performance Requirements:

"The licensee shall establish and maintain an onsite physical protection system and security organization which shall provide protection and high assurance against successful industrial sabotage by both of the following."

The first is external threat, perhaps aided by an internal threat, and the second is the internal threat.

CHAIRMAN VERKUIL: So you do not assign a probability to the sabotage factor?

MR. MILLER: No. We require that the onsite physical protection system and security organization provide protection against the threat levels. We do not say that the threat level is actually there.

MR. JONES: If I may try to communicate some more, WASH-1400 analyzed the probability of accidents causing a certain consequence. A sabotage event can cause that same consequence. Redundant safety systems are designed to prevent that accident from occurring. Security systems as we are proposing are designed to prevent that sabotage event from occurring, and in order to have the high assurance of prevention of that sabotage, we believe that we need

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

MEMORANDUM FOR: Harold Denton, Director, NRR
Saul Levine, Director, RES
Robert Minogue, Director, SD
Howard Shapar, Executive Legal Director
Clifford Smith, Jr., Director, NMSS
John Davis, Acting Director, IE

FROM: Lee V. Gossick, Executive Director for Operations

SUBJECT: REVIEW OF REGULATORY ACTIONS AND STAFF POSITIONS WHICH RELY ON WASH-1400

The Commission has requested (October 19, 1978 Chilk memo, attached) that the staff review the extent to which licensing and other regulatory actions or staff positions have relied on the risk assessment results and models of WASH-1400.

As a first step, you are requested to (a) survey your staff to identify those licensing and other regulatory actions or staff positions that have used or referred to the risk assessment models and results of WASH-1400 since its issuance in August 1974, and (b) have your staff provide a copy of all such documents to you. Examples of the documentation to be considered include hearing testimony, Regulatory Guides, Regulations, NUREG reports, generic issues, topical reports, and consultant or contractor reports.

Your survey should be sufficiently deep to reach all knowledgeable individual staff members in your office. Subtle as well as major reliances should be examined. Attention should be paid to past, present, and pending staff practices which led, or will lead, to regulatory actions or staff positions.

As a second step, each Office is requested to provide (1) a list identifying those actions or positions where WASH-1400 was used, categorized per ; (2) copies of all documents identified by the survey; (3) your recommended actions and views as to whether, in view of the Lewis Committee recommendations, any of these actions or positions should be reconsidered; and (4) the effect of such reconsideration.

Please provide your response by November 20, 1978 to the Director of NRR who will coordinate the responses from a technical standpoint to highlight the most significant matters, check for consistency, and provide a report to my office by November 27, 1978.

Please call Mr. Denton or Del Bunch of his staff if you have any questions.

(Offices listed as cc's are requested to contribute to this review to the extent possible.)

(Signed) Lee V. Gossick
Lee V. Gossick
Executive Director for Operations

Attachments: As stated

cc: Technical Advisor to EDO
Office of Administration
Controller
Office of International Programs
Office of Management & Program Analysis

ATTACHMENT 1

CATEGORIZATION OF LICENSING ACTIONS USING WASH-1400 VALUES AND METHODOLOGY

Category 1

Includes those actions in which an absolute value of accident risk as set forth in WASH-1400 was relied upon in the licensing process to make a specific licensing decision. Included in this category would be any reliance on an overall probability for core melting or on the probability of a given event sequence leading to core melt. A possible example is the use of the RSS to develop quantitative estimates of health risk from the coal and nuclear fuel cycles.

Category 2

Includes those actions in which the absolute values of accident risks of WASH-1400 were used in the licensing process, but when such use was restricted to relative comparisons of risks. Included in this category would be any reliance on the overall probability of core melting of the RSS to draw comparisons between two design concepts. Possible examples are the use of the RSS to compare an FNP to a land based plant and the use of the RSS to develop perspectives on overall ATWS risks.

Category 3

Includes those actions in which the quantitative estimates or fault tree/event tree analyses of WASH-1400 were used in the licensing process to illustrate or confirm staff conclusions on the disposition of a potential safety issue or to aid in selecting the preferred of several alternate regulatory requirements. One possible example is the NUREG-0138, Treatment of Non-safety Grade Equipment in Postulated Steam Line Break Evaluations.

Category 4

Includes those actions in which values of WASH-1400 were modified by staff to reflect different data base or experience and were then used in the licensing process. A possible example is the adjustment of the RSS estimates of Scram unreliability in NUREG-0460.

Category 5

Includes those actions in which the event tree/fault tree methodology of WASH-1400 were used in the licensing process, but no reliance was made on the specific numerical estimates of WASH-1400.
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555
October 19, 1978
OFFICE OF THE SECRETARY
MEMORANDUM FOR: Lee V. Gossick, EDO
Kenneth Pedersen, Director, OPE
James L. Kelley, Acting General Counsel
Carlton Kammerer, Director, OCA
FROM: Samuel J. Chilk, Secretary
SUBJECT: STAFF REQUIREMENTS - DISCUSSION OF RISK ASSESSMENT REVIEW GROUP REPORT, 10:40 A.M., FRIDAY, OCTOBER 13, 1978, COMMISSIONERS' CONFERENCE ROOM, D. C. OFFICE (OPEN TO PUBLIC ATTENDANCE)
The Commission requested that:
a. a draft NRC public statement be prepared which would address the Commission's current policy regarding the applicability and significance of WASH-1400 risk estimates, would indicate Commission acceptance of the Lewis Report, would indicate that the Commission is currently reviewing the use of risk assessment techniques within NRC to identify any necessary corrections, would address controversial issues associated with prior commission statements regarding WASH-1400 and its Executive Summary, and would describe initiatives to be taken by the Commission and the NRC staff; (EDO/OPE/OGC) (SECY Suspense: Oct. 31, 1978)
b. a proposed response to Congressman Udall and other Congressional offices, as appropriate, be prepared regarding the Commission's position regarding the Lewis Report, including a description of initiatives to be taken by NRC as a result of the report's conclusions; (EDO/OGC/OPE) (SECY Suspense: Oct. 31, 1978)
c. a review be conducted of responses to Congressional correspondence to identify any NRC comments that may require revision in light of the Lewis Report; (OPE/OCA) (SECY Suspense: Oct. 31, 1978)
d. an analysis be made of the implications of changing the Commission's previously enunciated position regarding WASH-1400 or any prior actions taken on the basis of WASH-1400 risk estimates; (EDO/OGC/OPE) (SECY Suspense: Nov. 15, 1978)
e. the staff should review the extent to which licensing and other regulatory actions or staff positions have relied on the risk assessment models and results of WASH-1400. The staff should review those actions and positions and state their views as to whether there should be continued reliance and the effect of discontinuing that reliance; (SECY Suspense: Dec. 1, 1978)
f. an analysis be made of the impact of any program changes that might be necessary as a result of the Lewis Report on the Commission's FY 79 and 80 budget submissions; and (SECY Suspense: Nov. 15, 1978)
g. an appropriate letter transmitting the Lewis Report to all prior recipients of WASH-1400 be prepared for the Secretary's signature. The proposed letter will be circulated for Commission concurrence prior to issuance. (EDO/SECY) (SECY Suspense: Oct. 31, 1978)
cc: Chairman Hendrie
Commissioner Gilinsky
Commissioner Kennedy
Commissioner Bradford
Commissioner Ahearne
Director, OPA
FEDERAL REGISTER, VOL. 43, NO. 76 - WEDNESDAY, APRIL 19, 1978

[7590-01]
NUCLEAR REGULATORY COMMISSION
[Docket No. PRM 50-19]
CONNECTICUT CITIZEN ACTION GROUP, ET AL.
Notice of Denial of Petition for Rulemaking With Regard to Locating Nuclear Reactors Below Ground Level and Sealing Them in Heavy Vacuum Containment

On January 21, 1977 Louis J. Strico, Jr., filed with the Nuclear Regulatory Commission a petition for rulemaking on behalf of the Connecticut Citizen Action Group, the Public Interest Research Group, Free Environment, the Iowa Public Interest Research Group, Citizens United for Responsible Energy, Iowa Federation of Women's Clubs, and the Good News General Store Cooperative, requesting the Commission to amend its regulations in 10 CFR Part 50, "Licensing of Production and Utilization Facilities." The petitioners requested the Commission to amend 10 CFR Part 50 to require that:
- 1. Nuclear reactors be located below ground level; and
- 2. Nuclear reactors be housed in sealed buildings in which permanent heavy vacuums are maintained.¹

¹ In addition, a third proposal in the petition, which has been separately handled, requests that a full time Federal employee, with full authority to shut down the plant in case of any operational abnormality, always be present in a reactor's control room.

A notice of filing of petition for rulemaking was published in the FEDERAL REGISTER on March 10, 1977 (42 FR 13365). The comment period expired May 9, 1977. Ten letters of public comment were received, none of which supported the petition.
In considering the petition, the Commission has reviewed existing studies on the subject, including a recently completed study which was initiated by the NRC in the spring of 1975 with Sandia Laboratories, the existing and alternative containment concepts, and an impact/value analysis of alternate concepts. The Commission has also reviewed the public comments which have been submitted.
Based on that review, which is summarized in Attachment A, the Commission does not believe that there is a sufficient basis at the present time for adopting Parts 1 and 2 of the petitioners' proposals, the effect of which would be to prohibit the licensing of any nuclear power plant which was not located underground and sealed in a heavy vacuum containment. In reaching that conclusion, the Commission is not adopting a position that underground siting or heavy vacuum containment designs could not meet present safety criteria. Rather, the position is that there is not sufficient supporting material to indicate that such designs should be made mandatory to the exclusion of all other nuclear power plant designs.
The use of heavy vacuum containments, whether above or below ground, will not ensure containment of a core melt accident, and will not appreciably increase the containment pressure retaining capability.
The Commission's review also indicated that whether a potential might exist for reducing the consequences from a Class 9 core melt accident by
underground siting depends heavily on site dependent parameters, plant layout, equipment design, and available technology in areas such as high pressure, rapid closing large diameter tunnel and shaft sealing systems. Accordingly, the NRC will review what further work may be appropriate on this subject, including any assurances which may be needed for consideration on a case by case basis of underground siting applications. This review is expected to be completed in about a year.
This conclusion not to change 10 CFR Part 50 applies to consideration of underground siting and heavy vacuum containments, both in combination as requested by the petitioners, and separately.
Therefore, in accordance with 10 CFR 2.803, the Commission has decided that sufficient reason does not exist to publish a notice of proposed rulemaking, and is hereby denying Parts 1 and 2 of the petition. Some further explanation of the grounds for denial is set forth in Attachment A.
A copy of the petition for rulemaking and copies of the letters of comment concerning the petition are available for public inspection at the Commission's Public Document Room at 1717 H Street NW., Washington, D.C.
Dated at Washington, D.C. this 12th day of April 1978.
For the Nuclear Regulatory Commission.
SAMUEL J. CHILK,
Secretary of the Commission.

ATTACHMENT A
REVIEW OF PROPOSAL FOR UNDERGROUND SITING
Between 1958 and 1974 about a dozen feasibility studies were made on underground nuclear power plants. In addition, extensive bibliographies exist in these studies and in published articles which illustrate the extent to which this subject has been, and continues to be, discussed in the technical literature. The most recently completed study was initiated by the NRC in the spring of 1975 with Sandia Laboratories. The final study report was issued in August 1977.² Basically, the Sandia study concluded that there are other, more cost effective, alternatives to underground siting which would reduce direct atmospheric releases. The material and conclusions of this most recent report supplement and update the other, previously existing, studies.
Another separate study by the State of California on underground siting of reactors is in a developmental stage, and a final report is expected about April 1978.³
Upon reviewing the studies and articles available to date on underground siting, the following should first be noted:
- 1. The current NRC design requirement is that reactor containments be designed to withstand up to, and including, Class 8, Design Basis Accidents. Class 9 accidents, such as core melt, are not required because their probability of occurrence is so small that their environmental risk is extremely low.
- 2. Underground nuclear plants that were actually constructed are limited in number and their rated capacity ranges between 8.5 MW(e) to 286 MW(e). The experience gained from these plants is not necessarily applicable to present day base load plants of 1000 to 1200 MW(e). Large capacity underground plants may require major changes in design for equipments, such as condensers, pumps, penetrations and physical size and layout.
- 3. Actual experience with underground reactor siting has demonstrated operational concerns such as groundwater seepage; poor accessibility for inspection, maintenance or repair; corrosion of liners or structures, and resulted in some questioning of theoretical benefits. All three countries, Sweden, Switzerland, and France that have built underground nuclear power plants have continued to erect subsequent plants above ground. (Sample Comment: "Despite the experiences from the Plowshare program, the achievement of acceptable leak tightness following a class 9 accident in an underground plant appears to be doubtful because of multiple accesses and penetrations.")⁴
- 4. In spite of the numerous studies and articles on this subject, an actual, detailed engineering design for a proposed large commercial underground power reactor may be needed. As stated in one article:⁵
There [illegible] advantages and disadvantages [illegible] greater attention in siting consideration, research and development. From the economic standpoint there are many potential tradeoffs that will not be clear until a serious engineering effort will have taken place.
The petitioners' request that nuclear reactors be located below ground level does not identify for what specific reasons such action should be taken. Accordingly, the following assumptions have had to be made in order to be able to evaluate the proposal.
First, additional protection against, or reduction of the risk from accidents up through Class 8 accidents (Loss of Coolant Accident) is one objective of proposing underground siting.
Second, additional protection against, or reduction of, the risk from Class 9 (core melt) accidents is another objective of proposing underground siting. Regulatory Guide 4.2,⁶ in addition to defining a spectrum of Class 1 through 8 accidents, describes Class 9 accidents and their probability of occurring as:
* * * sequences of postulated successive failures more severe than those postulated [illegible] Their consequences could be severe. However, the probability of their occurrence is so small that their environmental risk is extremely low. Defense in depth (multiple physical barriers), quality assurance for design, manufacture, and operation, continued surveillance and testing, and conservative design are all applied to provide and [illegible] are, and will remain, sufficiently remote in probability that the environmental risk is extremely low. For these reasons, it is not necessary to discuss such events in applicants' Environmental Reports.
In some cases, however, where measures can readily be incorporated into practical implementations of NRC criteria, the NRC has recommended design, or other, considerations based on parameters which are in excess of those calculated for a Class 8 LOCA. One such example is extending instrumentation ranges to be capable of reading containment atmospheric parameters at levels equivalent to those which would exist at estimated containment building structural limits such as three to four times design pressure levels.
In considering the petitioners' proposal for underground siting as it relates to the safety of the public against design basis accidents up to, and including Class 8 (LOCA), the following [illegible]:
- 1. Present above ground containments are designed to contain the pressures and temperatures resulting from such accidents.
- 2. Since current containments are designed to withstand Class 8 (LOCA)

² Copies of the report, entitled NUREG-[illegible], "Underground Siting of Nuclear [illegible] The National Technical Information Service, U.S. Department of Commerce, 5285 Port Royal Road, Springfield, Va. 22161 [illegible].
³ Copies of the report of the California Study on Underground Siting may be obtained after April 1978 from Energy Resources Conservation and Development [illegible].
⁴ Discussion in Nuclear Safety Vol. 18, No. [illegible] and Safety Assessment," by Crowley, Doan, and McCreath, Nuclear Safety, Vol. 16, No. 8, September to October 1974, pp. 619-834.
⁵ Id.
⁶ R.G. 4.2, revision 2, "Preparation of Environmental Reports for Nuclear Power Stations," issued April 1978.
pressures, if any releases of containment volume to the atmosphere were to occur either before, during, or after a Class 8 (LOCA) accident they would be directed, by plant design, through an elevated release point of the filtered ventilation system. Equivalent releases from underground containments would also have to be made from an above ground stack, and there would be a resultant release to the environment similar to that from an above ground containment.
- 3. Some advantages may be argued for the extra "hardening" of the facility which would result if it were below [illegible] all of the disadvantages which result from the current state of the technology (or lack of it) of constructing and operating such plants below ground still apply.
While it thus seems clear that for [illegible] accidents there is no need for requiring underground siting, and that no identifiable potentially significant increase in safety to the public would result, this is not quite so clear for Class 9 core melt accidents. Current studies and experience indicate that whether a potential might exist for reducing the risk from a Class 9 core melt accident by underground siting depends heavily on site dependent parameters, plant layout, equipment design, and available technology in areas such as high pressure, rapid closing, large diameter tunnel and shaft sealing systems.
In addition to these variables, the drawbacks of underground siting must be considered in either a generic study, or consideration of a specific license application. Other design alternatives to underground siting, such as filtered atmospheric venting or compartment venting, appear to promise an equal measure of reduction of risk from a Class 9 core melt occurrence, and with lower costs.

REVIEW OF PROPOSAL FOR HEAVY VACUUM CONTAINMENTS
In reviewing this proposal, it is again necessary to make certain assumptions, since the petition is not explicit as to its rationale.
First, it is assumed that the intent of this proposal is to go beyond the current requirements for containment of LOCA type accidents up through Class 8 accidents, and to require containment of a Class 9 (core melt) accident.⁷ As noted in the underground siting discussion, such a design requirement is not a part of NRC regulations or policy. However, for purposes of reviewing the effectiveness of this proposal, it will be assumed that such a condition exists due to insufficient cooling of reactor core and containment with a resulting core meltdown.
Second, in the absence of a definition in the petition of what would constitute a heavy vacuum, it will be assumed that this level is about 1 psia, which is a practical technological limit and the level used at the Pickering CANDU reactors, which employ a vacuum building.⁸ Also, 1 psia maximizes the potential benefits which could be postulated from the petitioners' proposal.
Third, the assumed design objective is to have containment walls and dome capable of remaining leaktight before, during and after core melt with respect to direct release of fission products [illegible] to the soils or rock on which the containment building rests.
In WASH-1400,⁹ an analysis of core melt sequences, probabilities and consequences are presented in Appendix VIII, "Physical Processes in Reactor Meltdown Accidents" and its sub Appendix E, "Containment Failure Modes Evaluations." Of interest in evaluating this proposal is the following information from those references:
[Table illegible in source: containment design pressure, failure pressure, and estimated Class 9 accident pressure, in pounds per square inch, for the current pressurized-water reactor (PWR) and boiling water reactor (BWR).]
When comparing the pressure reduction derived from the second assumption above with the WASH-1400 figures given above, it can be seen that the additional pressure margin provided by maintaining a 1 psia vacuum on current day containments is very small. Heavy vacuum would reduce any accident pressure in the containment by about 14 psi. It is also apparent that the objective stated in the third assumption of avoiding direct release of fission products through the containment walls or dome under core meltdown conditions cannot be met by using a heavy vacuum containment. The pressure would still build to a level two to three times greater than the pressure for which the current containment structures are designed.
To attempt to design the current generation of containments to withstand three times their current design pressures would be costly and would still be ineffective. Even if a stronger containment were [illegible], the maximum result would be to permit the core to melt through the base mat before the continuing pressure buildup would otherwise eventually breach the containment structure. Also, increasing the containment building volume to limit the resulting pressures to a level resembling current design pressure levels would have the same drawbacks as the stronger containment concept.
The factor which will reduce the effectiveness of the heavy vacuum concept to contain core melt regardless of containment design pressure, is that the air present inside a containment which is under atmospheric pressure is a relatively minor contributor to the potential maximum pressure. The major contributors to the final pressure are the steam, hydrogen generated by the metal water reactions, and non condensible carbon dioxide generated by the action of the molten core on the concrete foundation mat. Re[illegible] significantly affect the post-accident pressure.

CANDU REACTOR
The Canadian system at Pickering is mentioned in the petition as an example of a nuclear power plant employing a heavy vacuum concept. Some clarification needs to be made regarding this reference.
The Pickering type of vacuum system is designed to accommodate the same general type of accidents as our domestic reactors, i.e., up to and including Class 8 accidents as we would define them. It is not intended to be designed for, nor is it capable of protecting against, the direct release of fission products from the containment system following a core meltdown.¹⁰
Instead, a CANDU vacuum building has been constructed only when there are economic benefits to be gained by then being able to design the containment building for the lower pressure level which results from the post-accident pressure being shared by the containment and vacuum buildings. Therefore, on the basis of economics, a supplementary, common vacuum building has been employed only at multi-unit CANDU sites such as Pickering and Bruce.¹¹

⁷ [illegible]
⁸ [illegible] by W. Fee and G. E. Shaw, VII Congres International, "La confinement de la Radioactivite dans l'Utilisation de l'Energie Nucleaire," Versailles, 28-31 Mai 1974, Societe Francaise de Radioprotection.
⁹ WASH-1400 (NUREG-75/014), "Reactor Safety Study," October 1975.
¹⁰ Id. No. 8.
¹¹ Id. No. 8.

[FR Doc. 78-10382 Filed 4-18-78; 8:45 am]
November 1974
U.S. ATOMIC ENERGY COMMISSION
REGULATORY GUIDE
DIRECTORATE OF REGULATORY STANDARDS
REGULATORY GUIDE 1.89
QUALIFICATION OF CLASS IE EQUIPMENT FOR NUCLEAR POWER PLANTS

A. INTRODUCTION
Criterion III, "Design Control," of Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50, "Licensing of Production and Utilization Facilities," requires that design control measures provide for verifying the adequacy of a specific design feature by design reviews, by calculational methods, or by suitable qualification testing of a prototype unit under the most adverse conditions. This regulatory guide describes a method acceptable to the Regulatory staff for complying with the Commission's regulations with regard to design verification of Class IE equipment for service in light water cooled and gas-cooled nuclear power plants.

B. DISCUSSION
IEEE Std 323-1974, "IEEE Standard for Qualifying Class IE Equipment for Nuclear Power Generating Stations,"¹ dated February 28, 1974, was prepared by Subcommittee 2, Equipment Qualification, of the Nuclear Power Engineering Committee of the Institute of Electrical and Electronics Engineers, Inc., (IEEE) and subsequently was approved by the IEEE Standards Board on December 13, 1973. The standard describes basic procedures for qualifying Class IE equipment and interfaces that are to be used in nuclear power plants and components or equipment of any interface whose failure could adversely affect any class IE equipment.
The requirements delineated include principles, procedures, and methods of qualification which, when satisfied, will confirm the adequacy of the equipment design for the performance of Class IE functions under normal, abnormal, design basis event, post design basis event, and containment test conditions.

C. REGULATORY POSITION
The procedures described in IEEE Std 323-1974, "IEEE Standard for Qualifying Class IE Equipment for Nuclear Power Generating Stations,"¹ dated February 28, 1974, for qualifying Class IE equipment for service in light water cooled and gas-cooled nuclear power plants are generally acceptable and provide an adequate basis for complying with design verification requirements of Criterion III of Appendix B to 10 CFR Part 50 to verify adequacy of design under the most adverse design conditions subject to the following:
- 1. Reference is made in IEEE Std 323-1974, Sections 2, 6.3.2(5), and 6.3.5, to IEEE Std 344-1971, "Guide for Seismic Qualification of Class I Electric Equipment for Nuclear Power Generating Stations." The specific applicability or acceptability of IEEE Std 344 will be covered separately in other regulatory guides, where appropriate.
- 2. The radiological source term for qualification tests in a nuclear radiation environment should be based on the same source term as that used in Regulatory Guide 1.7 (Safety Guide 7, 3/10/71) for BWRs and PWRs. An equivalent source term (i.e., 100% of the noble gases, 50% of the halogens, and 1% of the remaining solids developed from maximum full-power operation of the core) should be used for HTGRs. The containment size should be taken into account in each case. For exposed organic materials, calculations should take into account both beta and gamma radiation.

¹ Copies may be obtained from the Institute of Electrical and Electronics Engineers, Inc., United Engineering Center, 345 East 47th Street, New York, New York 10017.

D. IMPLEMENTATION
The purpose of this section is to provide information to applicants and licensees regarding the Regulatory staff's plans for utilizing this regulatory guide.
This guide reflects current regulatory practice. Therefore, except in those cases in which the applicant proposes an acceptable alternative method for complying with specified portions of the Commission's regulations, this guide will be used by the Regulatory staff in evaluating all construction permit applications for which the issue date of the Safety Evaluation Report (SER) is July 1, 1974, or after.
For those construction permit applications for which an SER was issued prior to July 1, 1974, the Regulatory staff may, subsequent to issuance of the construction permit (or operating license), reevaluate the Safety Analysis Report on a case by case basis to assure that acceptable methods for qualification of Class IE equipment have been specified in purchase orders executed for such equipment on or after November 15, 1974.
U.S. NUCLEAR REGULATORY COMMISSION
May 1978
OFFICE OF STANDARDS DEVELOPMENT
REGULATORY GUIDE 1.139
GUIDANCE FOR RESIDUAL HEAT REMOVAL

USNRC REGULATORY GUIDES
Regulatory Guides are issued to describe and make available to the public methods acceptable to the NRC staff of implementing specific parts of the Commission's regulations, to delineate techniques used by the staff in evaluating specific problems or postulated accidents, or to provide guidance to applicants. Regulatory Guides are not substitutes for regulations, and compliance with them is not required. Methods and solutions different from those set out in the guides will be acceptable if they provide a basis for the findings requisite to the issuance or continuance of a permit or license by the Commission.
Comments and suggestions for improvements in these guides are encouraged at all times, and guides will be revised, as appropriate, to accommodate comments and to reflect new information or experience. However, comments on this guide, if received within about two months after its issuance, will be particularly useful in evaluating the need for an early revision.
Comments should be sent to the Secretary of the Commission, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555, Attention: Docketing and Service Branch.
The guides are issued in the following ten broad divisions:
- 1. Power Reactors
- 2. Research and Test Reactors
- 3. Fuels and Materials Facilities
- 4. Environmental and Siting
- 5. Materials and Plant Protection
- 6. Products
- 7. Transportation
- 8. Occupational Health
- 9. Antitrust Review
- 10. General
Requests for single copies of issued guides (which may be reproduced) or for placement on an automatic distribution list for single copies of future guides in specific divisions should be made in writing to the U.S. Nuclear Regulatory Commission, Washington, D.C. 20555, Attention: Director, Division of Document Control.
[
j WASHINGTON D. C, 20555
\\
Vl e
- g
,/
JAN 31377 MEMORANDUM FOR:
Ben Huberman, Director Office of Policy Evaluation THRU:
Lee V. Gossick Executive Director for Operatio FROM:
Robert 8. Minogue, Director Office of Standards Development
SUBJECT:
SECY 76-242C - PHYSICAL PROTECTION OF NUCLEAR POWER REACTORS AGAINST INDUSTRIAL SAB0TAGE This responds to your memorandum of December 23, 1976.
It provides a more detailed writeup of the basis for the selection of design threat levels for use in regulating the protection of nuclear power reactors against sabotage.
Design' threat levels for use in 10 CFR Part 73, 573.55(a), were tentatively chosen by the Commission following Policy Session 76-55 of December 14, 1976, as indicated by the Secretary's
.O memorandum to the Executive Director for Operations dated December 17,
( j' 1976 (including the revised version of December 23,1976).
The threat levels are stated in the context of general performance requirements which are supplementary to a number of specific requirements contained in 973.55.
Attached is a paper describing the factors considered in arriving at the basis and rationale for selection of design threat levels for power reactor sabotage protection.
Our consideration of those factors indicates that there is conservatism in the Commission's tentatively selected general performance requirements.
I'believe that this paper is sufficient to support the proposed Statement of Considerations con-tained in my December 22 memorandum to the Secretary, including the correction pages we submitted on December 30 in response to the Secretary's December 23 revision of his December 17 memorandum.
This paper has been concurr'd 4n by NRR..
Copies of the final draft were e
All comments received were incorporated.
k0l$ Y y
G Robert B. Minogue, Director Office of Standards Development
Enclosure:
As stated A
Contact:
R. J. Mattson 443-6953 cc's:-
See next page ENCLOSURE 3
l t-l:
r-
' ~
Memorandum for Ben Huberman JAN 3 1977 cc's w/ encl: - Chairman Rowden Commissioner Gilinsky Comissioner Kennedy -
l Commissioner Mason l
P. L.. Strauss i
S..J. Chilk K. R.' Chapman 3
- B. C. Rusche i
E. Volgenau H.-.K. Shapar 1
I i.-
3 Y
t a
ene I
W*
s e
l o.
=rwr-w..
w n.
w.
.,,q.
.,,,,<,.,p..p.r.,,mr_w,,.4,,,,,,,,
,,,.g9,9__.
wg,,, _,.,
,,y%y,gy,.
.,,pp
.pp,,9,
st$ ll fq BASIS AND RATIONALE FOR SELECTION OF A DESIGN THREAT LEVEL FOR POWER REACTOR SABJTAGE PROTECTION December 30, 1976 This paper is to describe more fully the rationale for the level of physical protection at nuclear power reactors than previously has been provided(1)(2)(3)(4)(5).H In understanding that rationale, it will be necessary to consider studies and analyses having general safeguards significance; i.e., significance for both the protection of materials from theft and protection of facilities from sabotage.
Because of this, it will also be necessary to examine certain specific attributes of power reactors, their vulnerability to sabotage, and the potential consequences of their sabotage. The thrust of this paper is principally one of summarizing and documenting what has been said before in Commission papers, staff memoranda, f
and policy discussions over the past 10 years, leading to this stage of policy formation for power reactor sabotage protection.
The decision process for choosing design threat levels is of a predominantly judgmental and qualitative nature.
Because of this, the historical longevity of certain design threat levels and of their linguistic construction adds credence to their acceptability and validity.
For this reason, we will begin by summarizing the origins and the evolution of the design threat concept.
Considerations of threat level date back to the earliest regulatory action involving reactor sabotage which occurred in the licensing of the Turkey Point plant in 1967.
Since 1967 there has been considerable change in AEC and then NRC policy, licensing practice, and understanding of the security requirements for power reactors.
1/ Numbers in parentheses refer to references listed at the end of this paper.
Such change generally originated from two sources--increased capability for analysis and change in the incidence and type of malevolent acts in society.
Some of the change resulted in changes in what have come to be known as design threat levels.
Before summarizing the principal milestones in this evolutionary process, we will define more precisely what is meant by design threat levels.
The concept is directly analogous to the concept of design basis accidents used in our regulation of reactor safety. The need for these analogous concepts of design basis events arises because of the natural continuum of all possible events.
In the case of sabotage, the events of interest are malevolent actions involving a potentially infinite number of permutations and combinations of many variables, such as the number of people, their skills, arms, tactics, motives, and timing, and the facility's operating status. Rather than study an infinite array of possible events, we choose a few design basis events (either accidents or threats) so as to reasonably characterize the total continuum of possible events within certain reasonable bounds. Thus, for example, in safety regulation, we require safety system design against an instantaneous double-ended pipe break but not a pressure vessel failure. The overall result is that designing for the double-ended pipe break provides protection against a wide spectrum of possible loss of coolant accidents, including pressure vessel failures of a certain limited character.
In this paper we are concerned with the analogous situation of developing the rationale by which to choose design threat levels for reactor physical protection against a spectrum of possible sabotage threats. Obviously the nature of the vulnerability of power reactors, the potential consequences associated with their sabotage, and societal or political limitations on the resources which could be brought to bear in their attempted destruction will figure in the selection of reasonable bounds for the design threat levels.
However, once specific threat levels are chosen, protection against sabotage will not in reality be limited to those events.
It will also exist for threats which are larger and smaller, simpler and more sophisticated than the design threats. That is, we will be protecting against a continuum of threats, contained within reasonable bounds, with varying levels of confidence in that protection depending upon the position of a real threat within the continuum of possible threats. Corollary to this is the fact that implicit design level threats which underlie existing licensing practice provide some confidence, albeit unquantified and insufficient, of protection against the generally higher threats now being considered for inclusion in §73.55.
We will now proceed with an enumeration of the important historical milestones in the evolution of design threats for reactor sabotage protection.
In 1967 the Atomic Energy Commission (AEC) issued an order (6) concerning sabotage protection at Florida Power and Light Company's Turkey Point Units 3 and 4.
The order stated that physical security requirements were to be addressed by the utility during its application for an operating license, and that the utility would not be required to protect against sabotage perpetrated by enemies of the United States. At that time, no detailed regulations and guides existed to say how this protection was to be accomplished or to more precisely characterize the threat.
A study which has come to be known as the McCullough study (7) was completed in 1968 for the AEC.
It was a study of the degree of hazard to the public health and safety that could be created by industrial sabotage of a commercial nuclear power reactor of then current design. The study concluded that:
(a) plant security measures cannot guarantee immunity from sabotage, but they can serve certain important deterrent functions, and (b) engineered safety features and protective systems at nuclear power plants impede simple acts of sabotage from creating a public hazard. The study considered sabotage acts by an insider, specifically acts which might be motivated by a dispute between labor and management. The McCullough study included an in-depth investigation of industrial sabotage in the United States. This investigation was combined with an estimate of the future role of nuclear power in the U.S. to conclude that a potential domestic threat level would be comprised of tactically unskilled but armed individuals who had extensive expertise and experience in the use of high explosives, motivated to cause damage but with no real intent to harm the public.
The one exception was the potential psychopath with a motive of mass killings.
In the reactor case work of the late 1960's and early 1970's, there was rapid development of a licensing review practice which did not explicitly treat design threat levels.
However, in the case-specific decision process there was a need to answer threat related questions, a good example of which was whether to arm guards. By about 1973 the AEC Regulatory staff had begun to describe design level threats in more specific terms for its internal use in making safeguards decisions.
For example, security objectives were used by the staff in developing specific requirements for SNM transportation systems to protect them against a continuum of threats. That continuum was characterized by three specific statements of threats of a discrete nature; viz, two armed individuals, a squad size group, and a paramilitary group (8).
Considerations of design threat levels as applied to reactor physical protection were included in the 1973 ANSI Standard N18.17, "Industrial Security for Nuclear Power Plants" (9). That standard was endorsed in Regulatory Guide 1.17, also in 1973 (10). The standard contained specifications of what are now called design threats, as follows:
"(a) A single disgruntled employee who is authorized to have access to the plant and who is familiar with the details of construction and operation of the plant;
"(b) A single fanatic or mentally deranged person, either an authorized employee or an outsider, whose knowledge of the plant may range from none to intimate familiarity;
"(c) A small group of discordant individuals, not normally authorized access to the plant, who are intent on perpetrating acts of sabotage or seizing control of the plant;
"(d) Spontaneous and undisciplined actions of a relatively large group of people involved in mob activities associated with acts of civil disturbance.
Although it is clear that other potential threats may exist or develop, conscientious application of measures designed to protect against the threats discussed above will provide substantial protection against other postulated threats."
In endorsing these words, Regulatory Guide 1.17 further required the arming of guards at nuclear power plants for three reasons which were documented in an October 1973 letter providing further elaboration of the design threats, as follows: (11)
"(a) To provide a deterrent against sabotage attempts,
"(b) To give the security force the capability to neutralize an attempt with force by several individuals (otherwise, the entire plant might be at the mercy of one armed man), and
"(c) Most importantly, to give the security force a means of self-defense so that they can protect themselves while summoning help from the local authorities."
In early 1974 the security plans at all operating reactors were reviewed in accordance with the guidance of Regulatory Guide 1.17.
The experience gained in these licensing actions was reflected in the November 1975 publication by NRR of the reactor Standard Review Plan, Section 13.6, "Industrial Security" (12), which required a finding that Regulatory Guide 1.17, or equivalent, was met.
Hence, there was traceability from design threat levels to licensing requirements.
The drafting of 10 CFR Part 73, §73.55 for issuance in proposed form in November 1974 relied upon those design threat levels; i.e., ANSI N18.17, above, as elaborated in reference (11).
However, the design threat levels were not explicitly stated in the regulation issued for public comment.
Other safeguards actions which occurred in parallel with those specific to power reactor sabotage protection underscored the important role that design threat levels had come to play in the regulatory decision-making process. Two examples are noteworthy here.
In its May 9, 1974, review of the "Special Safeguards Study" (13)(14), the AEC Regulatory staff emphasized the usefulness and desirability of "design basis incidents" (or threats as we call them today). That staff review specifically noted that protection against a squad size attack assisted by inside personnel raised an important issue of facility vulnerability to internal subversion of either the operating staff or the guard force, an issue which required attention and correction (something which three years later remains to be accomplished in the regulations for power plant sabotage protection).
Subsequent licensing actions and regulatory guide development responded to this need to provide better treatment of the inside threat.
Another important safeguards consideration concerning clearances paralleled the changes described above in reactor sabotage protection.
Consideration of the inside threat at both reactors and fuel cycle facilities led the AEC Regulatory staff to recognize the potential value of clearances for persons in the commercial sector having access to or control over SNM.
Clearances are known to increase the assurance of personnel reliability, thus mitigating the threat of action by single individuals or conspiracies of individuals having "insider" privileges.
Legislative authority for such clearances was granted in an amendment to the Atomic Energy Act in 1974.
In January of 1975 the AEC Regulatory staff issued Regulatory Guide 5.43, "Plant Security Force Duties" (15).
This guide contained specifications on the capabilities of the security organization which were compatible with ANSI N18.17, Regulatory Guide 1.17, and the proposed regulation §73.55.
It required that the security organization be capable of the following:
"(a) Preventing any successful theft or act of sabotage by one or two armed individuals or a group of unarmed people.
"(b) Delaying the attack of an armed group up to squad size sufficiently long to allow notification of and response by law enforcement authorities so that the attempted theft or sabotage is thwarted or stolen material is promptly recovered.
"(c) Defending itself in the event of a well-planned attack, executed in a disciplined and organized manner sufficiently well to communicate with law enforcement authorities to advise them of the attack and its scope and furnish information to be used as a basis for countermeasures and a properly escalated response by local, State or Federal counterforces either to prevent removal of the material or recover it or to initiate appropriate postsabotage action."
In the last two years, much new work has been accomplished in safeguards. Our sophistication in safeguards analysis has grown in response to the formation of NRC with a definitive legislative mandate in this area. There has been an addition of considerable inhouse safeguards expertise and associated increases in resources for safeguards research and contractual assistance.
From the work performed with the considerably augmented resources, there has accumulated an impressive array of studies providing new knowledge which bears on the selection of design threat levels for sabotage protection of nuclear power plants. These studies range from assessments of the history, trends, motivation, and capabilities of malevolent groups in the United States and worldwide, to detailed engineering studies of the vulnerability of reactors from a design perspective and from a physical security system perspective, to onsite visits to operating nuclear power plants to assess the capability and practicability of meeting certain design threat levels. The salient features of this body of knowledge as it pertains to the design threat level required for protection of nuclear power plants against sabotage will be summarized in the next few pages.
At the outset it is important to acknowledge that the principal policy change flowing from the recent work of the NRC staff is the apparent need to provide explicit statements of design threat levels in our regulatory requirements for safeguards. In the choosing of the specific wording of such explicit statements, some debate has occurred.
At the Commission level many discussions have centered on understanding the various design threat levels proposed for nuclear power plant sabotage protection and for theft protection for strategic quantities of special nuclear material (SSNM).
Within the staff there also has been discussion of the more detailed aspects of design threat levels; e.g., the degree to which automatic weapons, barrier penetration devices, or assault vehicles might be used by potential saboteurs has been considered at length.
We cannot in this paper, because of the time and the scope limitations on its writing, justify the selection of the design threat levels for the myriad of facilities for which NRC has safeguards responsibility or cognizance. Those facilities range from peaceful to military applications, they serve government, academic, and commercial purposes, and their development status ranges from laboratory to full-scale production models.
This paper is narrowly concerned with the rationale and basis for the sabotage protection to be required for the approximately 60 commercial nuclear power plants operating in the United States today, and others in the near term.
In that regard, this paper has been drafted in full cognizance of closely allied policy documents concerning other broader NRC safeguards responsibilities, including the reports by the Division of Safeguards describing the joint ERDA/NRC task force work (16), the NMSS policy papers concerning implementation of the recommendations flowing from the work of the task force (17), and the safeguards supplement to GESMO (18).
We believe that the judgments being made for nuclear power plant sabotage protection are consistent with those documents at their present stage of development, as described below.
Clearly, the analyses, policy thinking, and data contained in these documents are a part of the basis for the judgments being reached now on design level threats for nuclear power plant sabotage protection.
We will now briefly outline the salient features of the existing body of knowledge in the threat assessment area as that knowledge applies to protection of nuclear power reactors against sabotage.
The organization of the material proceeds from general considerations to those more specific to the present day situation in the United States.
For the various types of malevolent groups (criminal, terrorist, revolutionary, guerrilla, etc.) operating in situations other than open warfare, there is no known correlation between tactics, motivations, or objectives and any desire to kill large numbers of individuals.
This conclusion is based upon communications by NRC staff with knowledgeable individuals in the FBI, CIA, NSA, and DIA as well as studies performed by the BDM Corporation and the Mitre Corporation.
For example, of the 4478 incidents of armed attack, arson, bombing, kidnapping, and hijacking studied by BDM, none attempted nor resulted in killing numbers of individuals comparable to the potential deaths resulting from reactor sabotage with radiological consequences (19).
Moreover, in studying malevolent groups and the possible psychology of nuclear terrorism, no case could be made for mass killing as a logical, consistent, method of any group to achieve its ends (19-22). Of course, the threat of mass killing or destruction exists, however the fulfillment of such a threat does not appear to be consistent with the goals of any known past or present group (19)(21)(22).
Groups and individuals with trivial or non-existent resources and poorly defined objectives have often threatened mass killings, but this seems to be an expression of frustration and impotence rather than a realizable commitment to mass killings (19)(21)(23)(24)(25).
The size, capability, and the acceptability of methods used by a malevolent group depend upon the level of popular support for the group.
In general, the larger the base of support sought or needed by the group, the more "respectable" and "traditional" its methods become.
Criminal groups are an exception because they necessarily operate covertly, attracting a minimum of attention to themselves.
These conclusions are derived from examining both the characteristics and the evolution of a number of malevolent groups. As one example of this concept, in its earlier days the PLO engaged in numerous skyjackings, but as it gained recognition and influence as being representative of the Palestinians, its official policy moderated (26).
However, extremely alienated or frustrated groups are inclined to bizarre and desperate acts, especially acts of vengeance (21)(26)(27).
Large, well-organized, para-military-type groups apparently are tolerated only in areas with a high degree of social and political dysfunction.
In a relatively stable society, domestic terrorist or revolutionary groups are limited by circumstance (funding, support, need to avoid retaliation by general populace) to relatively unsophisticated, symbolic acts carried out by a few individuals and resulting in little, if any, loss of life.
This conclusion follows from knowledge of the political and social environment in which terrorist and revolutionary groups have operated (21)(26).
A classic example of a group overstepping acceptable bounds is the fate of Uruguay's Tupamaros (28). A study of the specific objective of revolutionary and terrorist acts in the context of the society fostering those groups reveals a strong correlation between the realizable group objectives, the size of a group, and the types of acts (29).
Of the possible methods to carry out mass killings or destruction, the use of chemical or biological agents is easier, more certain of success, and less likely to endanger or expose the perpetrators, than is the sabotage of a nuclear power reactor. This statement is primarily based upon a study by Mission Research Corporation (formerly ADCON) which discussed the threat of mass casualties and makes a detailed comparison of chemical, biological, and radiological means of inflicting mass casualties and destruction (30).
It is also supported by a similar conclusion of a recent reactor vulnerability study by Sandia Corporation (31).
In addition, both BDM and Mitre conclude that sabotage of a nuclear power reactor is a difficult task requiring a high level of technical sophistication (32)(33).
Staff communication with the FBI and CIA leads us to conclude that there is no knowledge of any group in the U.S. presently possessing the required degree of technical knowledge, resources and motive to sabotage nuclear power plants so as to cause radiological hazard to the public.
However, these same sources are quick to point out that technical knowledge and sophistication have been easily acquired by certain groups in the past, and this presumably could be done again if nuclear action became a desirable motive to such a group.
It should be noted that the routine actions of the FBI and CIA provide an intelligence capability which is designed to detect change in the character or the motives of such groups in the U.S.
Groups not known to the intelligence community are usually unknown because of small cellular organizations -- a factor which severely restricts the capacities and options of the group.
There is no history of or evidence for any known group intending or attempting to kill large numbers of individuals by use of special nuclear material or sabotage of a nuclear power plant.
Reference 26 has an extensive discussion on motivations, from which this conclusion is drawn (34).
In addition, Reference 26 discusses the characteristics of sabotage specifically as it relates to mass destruction (35).
There is no evidence of any malevolent group in the U.S. today with a history of "true" terrorist or revolutionary activity.
That is, while symbolic acts of violence directed at selected individuals or institutions and of a disruptive nature have occurred, violent terrorist or revolutionary activities indiscriminately directed against the lives of people or the stability of the government have only appeared in the radical literature.
This conclusion is inferred by the staff from the representative group studies done by Mitre (21) and it follows from the motivation analysis done by BDM (22)(26)(35).
The acts which have occurred in the U.S., and which are generally mistermed "terrorist" or "revolutionary" by the press have been largely limited to bombings and threats, with occasional attacks by ethnocentric revolutionary groups on police - an identifiable "enemy" more or less acceptable as a target to the "community" within which the group operated (36). Although various groups take credit for a variety of mishaps and acts of others, the bombings and attacks which have occurred have taken place covertly, and the individuals involved have attempted to avoid directly exposing themselves (32). Moreover, there is no history of attacks on essential, protected industrial facilities in the U.S., even though, historically, these are prime targets for the revolutionary aiming at disruption or disability of the government (26).
Finally, staff discussions with the FBI lead us to conclude at present there is no evidence of any known group in the U.S. with the resources, knowledge, and motives required for carrying out a concerted assault against any reasonably well-protected facility.
Of the possibilities for sabotage of a nuclear power plant, we judge that the greatest risk is portended by the actions of an insider.
This conclusion is based on the fact that reactor sabotage could be accomplished by a lone individual with sufficient knowledge and access to vital equipment (31)(43). The conclusion is also supported by observation and study of the motives and actions of past malevolent groups, especially those in the U.S. (38). Acts of sabotage which have occurred at industrial facilities (e.g., the fire at Indian Point Number 2) generally involve one to three individuals, with at least one person being an employee or former employee, targeted at easily accessible equipment or structures, with no apparent attempt to cause casualties.
Here there arises a corollary risk which is the act of symbolic protest or disruption without the intent to kill by the dissident insider, but which results in damage beyond that intended and leads to an unintended release of radioactive material (36).
Ultimately, the intentions of a malevolent group and its ability to carry out its intentions are more strongly dependent upon the nature and stability of the society which fosters the group than on the numbers characteristically or potentially involved in any specific activity of the group.
This conclusion is reached upon observation and study of the acts and motives of a number of malevolent groups.
Generally, it must be presumed that a well-established group can acquire whatever resources are necessary to carry out the acts it deems appropriate.
Societal turmoil, moreover, can generate groups for specific short-term ends (e.g., reactor sabotage), either spontaneously or by splintering from already established organizations. A high frustration level in a society as a whole will tend to produce numbers of psychopathic and sociopathic individuals who could conceivably attempt nuclear action for a large variety of reasons (36).
Fortunately, the history of such issue-intensive groups and individuals indicates that they are intrinsically limited in their capabilities, by both the nature of the personalities involved (24), and the restraints imposed by the day-to-day exercise of the instruments of law and order in a stable society (26).
Furthermore, the desire for public acceptability as "instruments of the people" and the effective operation of the intelligence community severely restrict the options available to well-established groups. The history of the Black Panthers is a good example of a combination of effective intelligence and community pressure causing fundamental changes in an established "revolutionary" organization.
Considerations of the unique characteristics of nuclear power plants have also figured in the development of design threat levels for use in regulating sabotage protection.
Principally, the considerations have involved questions of vulnerability and consequences.
In the following paragraphs, we will summarize the salient features of these considerations.
The most likely consequences of successful sabotage of a nuclear power plant are significantly less than the conceivably extreme consequences associated with other possible malevolent acts, including theft of SSNM and subsequent detonation of an illicit nuclear weapon.
The consequences of reactor sabotage leading to core meltdown would be comparable to those described for accidental core meltdowns, i.e., ranging between at most 3,300 fatalities and the more likely result of less than one (31)(40).
Other studies have estimated that a nuclear explosion with a 100 ton yield could kill promptly as many as 50,000 people depending on the location (41).
The consequences of a one kiloton nuclear explosion have been estimated to be prompt fatalities of the order of a few hundred thousand individuals, depending on the location (42).
Biological pathogens such as anthrax spores disseminated in an aerosol form in the New York City area have been estimated to be capable of causing up to 600,000 prompt fatalities (42).
The design of nuclear plants, the remote nature of their sites, and the ability to decrease and delay the public consequences of a successful reactor sabotage by reactor scram actions and by preplanned public emergency evacuation measures, all serve to decrease the relative attractiveness of reactors as targets for acts of wanton or threatened violence.
Other targets in both the civilian and the military sectors of our society are simply more vulnerable (lower risk to perpetrator) and the public consequences are more certain (30)(31)(36).
Nuclear power plants are inherently resistant to sabotage owing to such characteristics as their massive structures, the spatial layout of reactor systems, and the "defense-in-depth" concept of reactor and safety system design.
The NRC staff and others (7)(13)(19)(21)(26)(43) have consistently reached this conclusion over the past 10 years of study. The conclusion owes to the innate characteristics of power reactors, the criteria for their safe design and operational control, and their required safety systems, all of which significantly reduce vulnerability to acts of sabotage which could lead to a release of radioactive materials.
The following discussion elaborates the features which are most important in this regard.
The design and physical nature of light water power reactors are inherently resistant to acts of violence.
The fission products are enclosed in metallic clad fuel rods which are shielded by water and located in a thick steel reactor vessel.
The vessel is located within a massive reinforced concrete structure with a controlled atmosphere.
In addition to providing barriers to the release of radioactive materials, these design features also constitute physical hardening against destruction by sabotage.
The massive reinforced concrete structures provide physical protection of vital systems from overt acts of sabotage directed at the periphery of the plant buildings. These structures are required in order to protect vital safety equipment against such things as tornadoes, earthquakes, fire, and missiles and are inherently resistant to penetration.
In addition the vital systems are spatially separated within such hardened structures.
The safety design criteria for power reactors prevent or mitigate radioactive releases by requiring conservative reactor designs and safety margins, system reliability, quality assurance, redundancy, diversity, tests and inspections, and protection against common mode failures.
For example, the reactor protection system is designed to automatically scram the reactor which significantly reduces the stored energy of the core and simultaneously minimizes the potential risk to the public.
Such design features are necessary for sustained operation and safety over the lifetime of the plant.
Engineered safety features are required and must be designed to mitigate postulated transients and accidents concurrent with an additional single failure. The design basis limits the release of fission products under abnormal reactor conditions.
These systems also provide protection against most potential sabotage attempts involving a single destructive act.
The successful sabotage of a nuclear power plant to result in a public health hazard would require considerable expertise and opportunity on the part of the saboteur.
The saboteur must be knowledgeable in the operation and location of the redundant, physically separated, and functionally diverse reactor systems and safety systems and must be given or seize the time required to sabotage redundant trains and systems.
Generally, the susceptibility of reactors to single acts of sabotage, e.g., destruction of components such as pumps, or power supplies, does not portend a radiological risk to the public. These time requirements and the complexities of the target are significant deterrents to the potential saboteur.
Conclusion:
Having considered the breadth of information and the regulatory precedents indicated above, the staff reached a judgment through the consensus gathering process of interoffice concurrence that a general performance requirement should be explicitly stated in §73.55(a) for issuance of the regulation in effective form, as shown in Enclosure A of SECY-76-242C (4). The staff had also conducted onsite studies of six plants to determine the practicality and effectiveness of §73.55 in meeting the proposed general performance requirements (design level threats). That work was described in SECY-76-242B.
After its examination of roughly the same information base, the Commission tentatively selected somewhat different and generally more conservative design threat levels as described in the Secretary's memorandum of December 17, 1976 (revised on December 23) to the Executive Director for Operations.
The design threat levels chosen by the Commission were stated as follows:
"(a) General performance requirements
"The licensee shall establish and maintain an onsite physical protection system and security organization which will provide protection with high confidence against successful industrial sabotage by both of the following:
"A. A determined violent external assault, or attack by stealth of one to three persons with the following attributes, assistance and equipment:
(1) Well trained (including military training and skills) and dedicated individuals,
(2) inside assistance of one knowledgeable individual who may attempt to participate in both a passive role (e.g., provide information) and active role (e.g., facilitate entrance and exit, disable alarms and communications, participate in violent attack),
(3) suitable weapons, up to and including hand-held automatic weapons, equipped with silencers and having effective long-range accuracy,
(4) hand-carried equipment, including explosives for use as tools of entry or otherwise destroying the reactor integrity, and
"B. An internal threat of one insider or one employee (in any position)."
There is an important difference between the threat levels recommended by the staff in SECY-76-242C and those tentatively chosen by the Commission.
It lies in the "determined violent" nature of the threat described by the Commission. The determined violent nature is consistent with other safeguards actions already taken or planned by the Nuclear Regulatory Commission, e.g., the orders to licensees issued by the Division of Safeguards in the spring of 1976 concerning the use of deadly force.
The change also provides consistency in judgment concerning the resources to be presumed available to perpetrators of theft or sabotage and their willingness to die or kill.
Presumably, any group willing to commit a nuclear atrocity, whether by sabotage or by theft and detonation of a nuclear device, can be assumed to be capable of determined and violent actions with all available resources, obtained either legally or illegally.
In SECY-76-242C the staff did not recommend the determined violent nature for the nuclear power plant design threat.
That judgment had two bases.
First, the overriding risk of sabotage to nuclear power plants, viewed in context with knowledge of their vulnerability, is the insider, acting with or without outside assistance, with motive, access, and knowledge of the plant.
Second, there are differences between the potential consequences of sabotage of a power reactor versus SSNM theft and successful detonation of an illicit nuclear weapon.
In reality, however, inconsistencies in the specification of threat characteristics are not as important as they first appear.
For example, the difference in assault capability between three and six determined people with the same weapons probably is not as large as the difference between three professional thieves whose overriding concern is self preservation and three determined violent terrorists willing to kill and die.
In fact, such differences are not amenable to precise quantitative analysis.
In recognition of this situation, and in recognition of the size of basic maneuvering units generally appearing in small unit tactics in armies throughout the world, the staff has previously preferred a more general characterization of the assault force, e.g., speaking in terms of squad size groups with paramilitary capabilities.
Based on the foregoing, the rationale for the design threat levels in the general performance requirements of §73.55(a) can be summarized as follows:
A. The determined violent assault by three persons is believed to be a conservative overestimate of the motives and capabilities of existing or past groups with malevolent interest in the United States. The conservatism is judged to be reasonable in light of the potential consequences of a successful sabotage of a nuclear power plant.
The arms and other characteristics of the assault threat are estimates of what could be reasonably obtained in the U.S. by a determined violent group.
The hypothesized aid by an insider is commensurate with the observed practice of dedicated, malevolent groups in the past to enhance their chances of success and to decrease the risk of injury or death of the perpetrator.
B. The requirements for protection against the lone insider are motivated primarily by the need for protection against a deranged or unstable employee.
In addition, recent study concerning the possible subversion or coercion of employees is sufficient to warrant enlargement of the inside threat specification to include all persons with inside access, independent of their position or authority.
The inside threat is judged to be adequately limited to one person at this time while work is being initiated and carried to completion over the next several years to provide better information on alternatives for dealing with internal conspiracies at nuclear power plants.
REFERENCES
1. SECY-76-242, "Requirements for the Physical Protection of Nuclear Power Reactors," April 26, 1976.
2. SECY-76-242A, "Requirements for the Physical Protection of Nuclear Power Reactors," April 26, 1976.
3. SECY-76-242B, "Requirements for the Physical Protection of Nuclear Power Reactors," September 8, 1976.
4. SECY-76-242C, "Requirements for the Physical Protection of Nuclear Power Reactors," October 7, 1976.
5. Memorandum from B. Snyder to Commissioners' Assistants, "Design Basis Threats for Power Reactor Safeguards (Proposed 73.55)," December 8, 1976.
6. Memorandum and Order: In the Matter of Florida Power and Light Co., August 4, 1967. Docket Nos. 50-250 and 50-251.
7. C. Rogers McCullough, et al., "An Appraisal of the Potential Hazard of Industrial Sabotage in Nuclear Power Plants," Southern Nuclear Engineering Report, SNE-51, July 1968.
8. Conversation with R. B. Minogue, now Director of Standards Development, concerning View Graph used in 1973 briefing of the AEC.
9. American National Standards Institute draft Standard N18.17, "Industrial Security for Nuclear Power Plants," March 23, 1973.
10. Regulatory Guide 1.17, "Protection of Nuclear Power Plants Against Industrial Sabotage," June 1973.
11. Letter to Mr. Byron Lee, Jr., of Commonwealth Edison, dated October 23, 1973, from Mr. Lester Rogers, then Director of Regulatory Standards, responding to Mr. Lee's letter of June 20, 1973, to Mr. L. Manning Muntzing, then Director of Regulation, USAEC.
12. "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," LWR Edition, Section 13.6, "Industrial Security," Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, September 1975.
13. David M. Rosenbaum, et al., "Special Safeguards Study." Congressional Record, 120, No. 59, April 30, 1974.
14. Memorandum to L. Manning Muntzing, then Director of Regulation, from D. F. Knuth, Director of Regulatory Operations, J. O'Leary, Director of Licensing, and L. Rogers, Director of Regulatory Standards, giving staff comments on Special Safeguards Study, May 9, 1974.
15. Regulatory Guide 5.43, "Plant Security Force Duties," January 1975.
16. Joint ERDA/NRC Task Force Report on Safeguards.
17. SECY-76-416A, B.
18. Safeguards Supplement to GESMO, Section 5.2.3, Chapter 5 Draft dated December 21, 1976.
19. BDM "Draft working paper 8, Summary of Findings, Analysis of the Terrorist Threat to the Commercial Nuclear Industry." 12 Sept. 1975, BDM/W-75-176-TR. Also see "Analysis of Group Size," BDM/W-75-247-TR, December 1975.
20. Ibid., p. 81.
21. Mitre "The Threat to Licensed Nuclear Facilities," September 1975, MTR-7022. This report characterizes several past and existing malevolent groups.
22. BDM "Behavioral Analysis of the Terrorist Threat to Nuclear Installations, Phase 1," BDM/W-74-043-TR, July 1974, Section IV.
23. Staff communications with H. G. Hubbard, M.D., Aberrant Behavior Center.
24. Staff communications with F. G. Harris, M.D., Aberrant Behavior Center.
25. Brian Jenkins, "Will Terrorists Go Nuclear," Paper presented at the California Seminar on Arms Control and Foreign Policy, November 1975.
26. BDM "Draft working paper C, Supportive Appendices: Analysis of the Terrorist Threat to the Commercial Nuclear Industry." BDM/W-75-176-TR (see Appendix D).
27. BDM Ref. 19, pp II II-19, p III-43.
28. Ref. 19, pp 22, 23.
29. Ref. 26, Appendixes D and F.
30. ADCON "Superviolence: The Civil Threat of Mass Destruction Weapons," A 72-034-10, 29 Sept. 72, Chapters 8, 9. These findings are also supported by a number of classified documents reviewed by the staff.
31. "Safety and Security of Nuclear Power Reactors to Acts of Sabotage," Sandia Report, SAND 75-0504, March 1976.
32. Ref. 22, p 78.
33. Ref. 26, p E-9.
34. Ref. 26, pp F-21, F-23.
35. Ref. 26, pp E-43, E-44. See also Ref. 25, p 12.
36. Ref. 26, Appendix H.
37. For example, a group calling itself "Project Achilles Heel" claimed responsibility for the Indian Point 2 fire. Ref. 26, p B-19.
38. Ref. 26, Appendix F.
39. Ref. 26, Appendices F, G, H.
40. WASH-1400, "Reactor Safety Study," p 9, U.S. Nuclear Regulatory Commission, October 1975.
41. Mason Willrich and Theodore B. Taylor, "Nuclear Theft: Risks and Safeguards," pp 21-24, Ballinger, Cambridge, Mass., 1974.
42. ADCON, op. cit., Chapter 9.
43. "Summary Report of Workshop on Sabotage Protection in Nuclear Power Plant Design," Draft Sandia Report, SAND 76-0637, November 1976.
NUREG-0170
VOL. 1
FINAL ENVIRONMENTAL STATEMENT ON THE TRANSPORTATION OF RADIOACTIVE MATERIAL BY AIR AND OTHER MODES
Docket No. PR-71,73 (40 FR 23768)
December 1977
Office of Standards Development
U. S. Nuclear Regulatory Commission
INTERIM REPORT
Accession No.
SAND 77-1927
Contract Program or Project Title: Generic Environmental Assessment on Transportation of Radioactive Materials Near or Through a Large Densely Populated Area
Subject of this Document: Transport of Radionuclides in Urban Environs: A Working Draft Assessment
Type of Document: Preliminary Report Draft Assessment
Author(s): A.R. Ducharme, Jr. (Project Coordinator); R.E. Akins; S.L. Daniel; D.M. Ericson, Jr.; B.H. Finley; N.N. Finley; P.C. Kaestner; D.D. Sheldon; J.M. Taylor; M.S. Tierney
Date of Document: May 1978
Responsible NRC Individual and NRC Office or Division: N. Eisenberg, Transportation and Product Standards Branch, Office of Standards Development
This document was prepared primarily for preliminary or internal use. It has not received full review and approval. Since there may be substantive changes, this document should not be considered final.
Sandia Laboratories, Albuquerque, New Mexico 87185, for the U.S. Department of Energy
Prepared for U.S. Nuclear Regulatory Commission, Washington, D.C. 20555, under DOE Contract AT(29-1)-789
NRC FIN No. A-1077-A