ML20210M731
| Person / Time | |
|---|---|
| Issue date: | 05/31/1977 |
| From: | Messinger M, NRC Office of Nuclear Material Safety & Safeguards (NMSS) |
| To: | |
| References | NUDOCS 8702120622 |
A CONCEPTUAL AND ANALYTIC FRAMEWORK FOR SAFEGUARDS MATERIAL ACCOUNTABILITY
A Report to the NRC Material Control and Accounting Task Force
Office of Nuclear Material Safety and Safeguards
May 1977
U.S. Nuclear Regulatory Commission
Office of Nuclear Material Safety and Safeguards
NOTICE: The author is an Operations Research Analyst in the Test and Evaluation Branch, Division of Safeguards, of the Nuclear Regulatory Commission. He alone is responsible for the analysis, conclusions and recommendations of this document. They are not intended to reflect the views and position of the Nuclear Regulatory Commission, the NRC staff, or of any other organization of the U.S. Government.
Dr. Martin Messinger
Test and Evaluation Branch
Office of Nuclear Material Safety and Safeguards
U.S. Nuclear Regulatory Commission
A CONCEPTUAL AND ANALYTICAL FRAMEWORK FOR SAFEGUARDS MATERIAL ACCOUNTABILITY

TABLE OF CONTENTS (page numbers at right)

- 0. Executive Summary ... i
- 1. Introduction ... 1
- 2. A Conceptual Structuring of Safeguards ... 7
  - 2.1 Introduction ... 7
  - 2.2 Conceptual Structure ... 7
  - 2.3 Safeguard Elements ... 17
  - 2.4 Relationship of Safeguard Elements to Material Accountability ... 21
- 3. A Characterization of Material Accountability ... 28
  - 3.1 Introduction ... 28
  - 3.2 Definition of Attributes ... 28
  - 3.3 Parameters ... 34
  - 3.4 Probability Functions ... 35
    - 3.4.1 Probability Functions for Discrete Material Accountability ... 36
    - 3.4.2 Probability Functions for Continuous Material Accountability ... 45
    - 3.4.3 A Further Discussion of Diversion Success Probability Functions ... 49
  - 3.5 Summary ... 60
- 4. Characterization of Related Safeguard Systems ... 63
  - 4.1 Introduction ... 63
  - 4.2 Characterization of Boundary (Phase 1 and 3) Material Directed Detection ... 64
  - 4.3 Characterization of Personnel Activity Detection ... 74
- 5. Safeguard Objectives ... 76
  - 5.1 Introduction ... 76
  - 5.2 NRC Statement of the Safeguard Objective ... 76
  - 5.3 Safeguard Sub-objective List ... 78
- 6. Feasible Safeguard Strategy Set ... 88
  - 6.1 Introduction ... 88
  - 6.2 Alternative Safeguard Strategies ... 89
- 7. Material Accountability Performance Criteria ... 104
  - 7.1 Introduction ... 104
  - 7.2 Performance Criteria for Meeting Category II and III Objectives ... 106
  - 7.3 Performance Criteria for Meeting Category I Safeguard Objectives ... 115
    - 7.3.1 Use of Continuous Material Accountability ... 115
    - 7.3.2 Use of Exit SNM Boundary Detection ... 121
    - 7.3.3 Simultaneous Independent Continuous and Discrete Material Accountability Subsystems ... 126
    - 7.3.4 Simultaneous Discrete Material Accountability and Exit Boundary Detection ... 132
    - 7.3.5 General Approaches ... 137
- 8. Summary-Overview ... 141
- 9. Conclusions ... 148
- 10. Recommendations for Further Work ... 151
LIST OF TABLES (page numbers at right)

- 1. Generic Adversary Actions for Theft and Sabotage ... 13
- 2. Fundamental Safeguard Elements, Components, and Subsystems ... 18
- 3. Applicability of Detection Subsystems to Each Generic Adversary Action ... 22
- 4. Material Accountability Attributes ... 29
- 5. Accountability Parameters ... 34
- 6. Fundamental Aspects in Generating Diversion Success Probability Functions ... 55
- 7. Safeguard Objectives Derived From NRC Safeguard Goal ... 85
- 8. Material Accounting Attribute Requirements and Alternative Safeguards ... 90
- 9. Alternative Safeguard Strategies ... 96
- 10. Feasible Safeguard Strategy Set ... 99
- 11. Cases Considered for Performance Criteria Analysis ... 107
- 12. System Requirements for Discrete External Material Accountability ... 116
- 13. Conceptual Performance Requirements for Continuous Material Accountability to Achieve Category I Safeguard Objectives ... 122
LIST OF FIGURES (page numbers at right)

- 1. Levels of Analysis (Builder Pyramid) ... 4
- 2. Conceptual Protected Region ... 8
- 3. Dependence of Optimum Diversion Success Likelihood on Maximum Diversion Time Span ... 44
- 4. Conceptual Material Accountability Design Sequence ... 58
- 5. Dependence of Optimum Transportation Success Likelihood on the Maximum Number of Portal Passages ... 71
- 6. Dependence of Optimum Number of Diversions on Alarm Threshold and Random Search Rate ... 72
- 7. Optimum Diversion Success Probability for Different Random Search Rates (Three Sigma Alarm Threshold) ... 73
- 8. Material Accountability Alternative Matrix ... 91
- 9. Logic Diagram for Generating Alternative Safeguard Strategies ... 97
- 10. Required Bound on Diversion Success Probabilities ... 111
ABSTRACT

This report is the result of a study to identify the role of material accountability in the nuclear safeguards program. This effort was performed in support of the NRC Material Control and Accounting Task Force. The study addresses material accountability from a conceptual point of view using the discipline of systems analysis. In particular, the report addresses the following five questions:
- 1. What is the best framework for viewing safeguards in general, and material accountability in particular, to understand the role of material accountability?
- 2. What relationships exist between material accountability and other safeguard elements?
- 3. Is material accountability an indispensable ingredient in safeguards?
- 4. What safeguard objectives can material accountability realistically achieve?
- 5. What safeguard strategies make efficient use of material accountability?
It is fundamental that the role of material accountability cannot be studied independently but must be addressed as but one component of a total safeguards system. This encompasses identifying the interfaces that exist between material accountability and other safeguard subsystems as well as identifying safeguard subsystems that can be used either in combination with material accountability, forming an integrated system, or as an alternative. It is also fundamental to note that the safeguard role of material accountability cannot be established without first establishing a clear understanding of the objectives of the safeguard program. It is therefore essential to develop a comprehensive list of safeguard objectives and determine that subset of objectives that can conceptually utilize accountability.
The report is structured as follows: After the introductory section, a conceptual framework for safeguards will be developed, in Section 2, to enable the visualization of the safeguard function of material accountability along with its relationships to other safeguard subsystems. Sections 3 and 4 will characterize material accountability along with those safeguard subsystems with which material accountability can possibly interact. This characterization will consist of an appropriate set of attributes and parameters along with suitably optimized expressions for the theft or diversion success probability.
Optimization of these probability expressions will be shown in fact to be analogous to "black hatting" used in physical security evaluation.
A list of safeguard objectives will then be developed in Section 5 and each candidate strategy assessed in terms of its potential ability to assist in satisfying each of the safeguard objectives. This will be followed in Section 6 by establishing a collection of potential safeguard strategies, where each safeguard strategy makes use of some form of material accountability. A subset of promising safeguard strategies is then selected and conceptual parameter relationships obtained in Section 7 in order to achieve performance criteria.
Sections 8, 9, and 10 contain a brief summary, present conclusions and identify a few technical programs, both short term and long term, that NRC should sponsor in order to realize the full safeguard potential of material accountability.
EXECUTIVE SUMMARY
Material Accounting - The Issue

"Can material accounting play a significant role in the nuclear safeguards program?" In the last few years, this question has evolved into a major issue that both NRC and ERDA must resolve. In a search for the answer, both agencies have many ongoing research and development programs expending large sums of money directed toward improving the capability of material accounting. Included are efforts to improve nuclear measurement capabilities, to develop computer automated real time accounting systems, to investigate and characterize SNM diversion paths, to develop better statistical alarm algorithms, to understand optimum diversion strategies, and to characterize material accountability measures, such as MUF. However, to date, no significant effort has addressed the fundamental question: what functional role can material accounting play in the nuclear safeguard program? No one has systematically examined the requirements of safeguards and the capabilities of material accounting to satisfy these requirements. No one has considered whether alternative safeguards elements can efficiently complement, or even replace, material accountability. What has been clearly needed is a study designed to place material accounting in its proper perspective.
This report is the result of such a study. It examines material accounting and related safeguards from a conceptual point of view. In particular, the report addresses the following five questions:
- 1. What is the best framework for viewing safeguards in general, and material accountability in particular, to understand the role of material accountability?
- 2. What relationships exist between material accountability and other safeguards elements?
- 3. Is material accountability an indispensable ingredient in safeguards?
- 4. What safeguard objectives can material accountability realistically achieve?
- 5. What safeguard strategies make efficient use of material accountability?
The term accountability has been used in place of the term material accounting, explicitly to indicate a concept with a broad area of coverage and to avoid its identification with the material physical inventory and balance requirements of 10 CFR 70. In this study, material accountability is used to include the use of any or all data relevant to material amounts and flows which can be used to draw inferences about a material discrepancy.
In addition to the data generation and analysis requirements dictated by current regulations, there exists considerable process data generated in the normal management of the processing stream and data generated to provide for quality control and assurance. Perhaps some of this data can be utilized in a manner that can provide a sensitive and timely diversion signal.
The nuclear material accounting concept for safeguards has unfortunately revolved for many years around the concept of the periodic physical material audit and use of the statistical MUF-LEMUF diversion alarm criterion. It is important to understand that this is but one of many possible material accountability concepts and thus to focus at a conceptual phase on merely investigating the significance of MUF or an improved version of MUF within the current regulatory framework is extremely limiting and totally inconsistent with the need for comprehensive conceptual overview. In this report, a general characterization for material accountability is developed for which the MUF concept is but merely one example.
Conceptual Safeguard Structure

In order to identify the relationships between material accountability and other safeguard subsystems, it is necessary to first develop an overall conceptual safeguard structure. Figure A depicts a region to be safeguarded. It consists of a protected interior and a boundary. Depending upon particular applications, one can envision this region as representing a nuclear facility, a nuclear transporter, or even, for studying the problems of providing international safeguards, a nation. Also, as indicated in the figure, an adversary action sequence is composed of serial events consisting of an infiltration across the protected boundary, an activity within the protected interior, and finally, an exfiltration out across the protected boundary and on to a safe haven.

[Figure A: Conceptual Protected Region. The figure shows the protected interior and the protected boundary, with the three adversary action phases: infiltration, activity, and exfiltration.]
The partition of the adversary action sequence into three sequential phases logically enables the classification of safeguard subsystems according to the activity phase during which they act. The use of an SNM portal monitor, for example, serves to detect stolen or diverted SNM during the exfiltration phase. Material accountability serves to detect the unauthorized removal of SNM from the process stream and thus detects theft by stealth or deceit during the activity phase, i.e., it is a within area detection mechanism.
One can also partition the set of safeguard elements according to their primary function. Basically, safeguard elements serve either to delay, detect or respond to malevolent activities. Detection elements can be further partitioned into elements directed at direct detection of unauthorized personnel activities or elements directed at detecting unauthorized material flows or possession, i.e., we distinguish in the study between personnel directed detection and material directed detection.
In this framework, material accountability is thus viewed as a within area material directed detection safeguard element.
Since material accountability is a material directed safeguard detection subsystem, it is necessary to focus upon the entire collection of detection subsystems to identify the alternatives that can be complementary or perhaps serve as a substitute. Table A lists all the safeguard detection elements partitioned according to the malevolent activity phase in which each operates. Examination of Table A reveals that material accountability relates to entrance and egress material directed boundary detection and to within area personnel directed activity detection.
Characterization of Material Accountability A generic characterization of material accountability requires the use of both qualitative attributes and quantitative parameters. Two material accountability attributes are utilized. The first attribute indicates whether the process is monitored on a discrete or continuous time basis.
Continuous monitoring signifies that a steady flow of material accountability data is generated from the process resulting in a comprehensive time history. Conceptually, it should be clear that continuous accountability is the limiting case of discrete material accountability as the length of the time interval between determinations tends to zero. Thus, the distinction between discrete and continuous material accountability is somewhat redundant and not truly fundamental.
The second attribute used in characterizing material accountability is, however, of fundamental importance. This attribute indicates whether the material accountability system is deeply intertwined with the process which it monitors or functions in a manner completely independent from the process. The term intrinsic will be used to denote a material accountability system that is functionally interdependent with the process and the term external will be utilized to denote a material accountability system that functions independently from the process.

The reason why the distinction between intrinsic and external material accountability is of fundamental importance is that in order to demonstrate system performance one must be able to assure that material accountability, if utilized, is secure. Thus, the material accountability subsystem must be independent of the process at least with respect to the class of feasible threats. If an intrinsic system were employed one could never be certain that a threat had not been able to compromise the system and thereby mask the diversion. One would not have the inescapable proof necessary to achieve this safeguard assurance or overcheck function.

TABLE A  DETECTION SUBSYSTEMS FOR EACH ADVERSARY ACTION PHASE

| Adversary action phase | Personnel (or vehicle) directed | Material directed |
|---|---|---|
| Phase 1, unauthorized entrance across boundary | Metal & explosive detectors; entrance controls; alarms; visual observation; searches | Natural or depleted uranium detectors |
| Phase 2, unauthorized activity within area | Visual observation; work rules; alarms | Material accountability: a) inventory & audits, b) process controls & records |
| Phase 3, unauthorized exiting across boundary | Exit controls; alarms; metal detectors; visual observation; searches | SNM monitors |
The Objectives of Safeguards and Material Accountability

Official NRC policy covering safeguard objectives was established in June 1976. In essence, it demands realization of the nine objectives categorized in Table B into four groups. The potential of material accountability in the achievement of these objectives is also indicated in this table. Use of material accountability in the prevention of malevolent acts requires that it alarm to the activity in a timely manner. On the other hand, achievement of those objectives related to the categories of safeguard system assessment and loss assessment requires a capability to detect the occurrence of the activity. The fourth category, safeguard data generation, requires neither a rapid response nor a high level of accuracy and is clearly dominated by the other safeguard objectives.

TABLE B  SAFEGUARDS OBJECTIVES AND THE ROLE OF MATERIAL ACCOUNTABILITY

| Safeguard objective | Potential role of material accountability |
|---|---|
| I. Prevention | |
| 1. Prevent a sub-national theft or diversion of a strategic quantity of SNM | Detection of covert activity |
| 2. Prevent a national level theft or diversion of a strategic quantity of SNM | Detection of covert activity |
| 3. Prevent nuclear proliferation | Detect activity |
| 4. Prevent sabotage of nuclear facilities | Detect activity in those cases where covert material flows are involved |
| II. Safeguard System Assessment | |
| 5. Effectively deal with hoaxes | Assess credibility of alleged theft |
| 6. Demonstrate past and present effective performance of safeguard system | Provide proof that material has not been misdirected |
| 7. Provide an overcheck capability to verify continued effective safeguard system performance | Check that material has not been misdirected |
| III. Loss Assessment | |
| 8. Assess losses resulting from malevolent act | Determine quantity and types of SNM missing |
| IV. Safeguard Data Generation | |
| 9. Provide timely and accurate data on the status of nuclear material and facilities | Provide quantitative data on material inventories and material flows |
Satisfying the Objectives - Safeguard Strategies

The combinations of the two attributes of continuous vs. discrete and intrinsic vs. external accountability systems result in four basic types of material accountability systems. Figure B depicts the potential of each of these types of systems, acting alone, to satisfy the four categories of safeguard objectives. It is noteworthy that in principle, a continuous, external material accountability system can achieve all the safeguard objectives. However, practical considerations will force design of any continuous system to be intrinsic so that a continuous, external system is not a viable option.
Most likely, material accountability will be used in conjunction with other detection subsystems. The term "safeguard strategy" will be used in this report to denote a combination of safeguard subsystems that together can potentially serve in achieving the entire list of stated safeguard objectives. As indicated earlier, the study demonstrates that every safeguard strategy must include an external discrete material accountability system. The attainment of prevention will, in general, require a combination from material accountability, material directed boundary detection and within area personnel directed activity detection. Figure C depicts a logic diagram that generates the entire set of feasible safeguard detection strategies.

[Figure B: Potential of each of the four material accountability types (discrete or continuous, intrinsic or external), acting alone, to satisfy safeguard objective Categories I through IV.]

[Figure C: Logic Diagram for Identifying Feasible Safeguard Alternatives. Discrete external material accountability (for Category II and III) AND at least one of intrinsic material accounting, material directed boundary detection, or within area personnel activity detection (for Category I) yield a feasible safeguard strategy. AND means all inputs are necessary; OR means at least one input is necessary.]
Table C lists the particular subset of promising safeguard strategies selected for analysis in the study. The latter two cases for achieving the detection component for prevention are examples of integrated safeguard strategies. The integration of safeguard subsystems suggests the concept of imposing both a time constraint and a daily or one-shot constraint on diversion.
A safeguard system that is capable of preventing theft by stealth or deceit over a range of feasible threats and scenarios must be both sensitive to short term diversion policies as well as long term systematic diversion.
By integrating two safeguard subsystems, one can be expressly designed to be sensitive to short term diversion and the other designed to be sensitive to long term systematic diversion. Essentially, by simultaneously employing two complementary systems, each "tuned" to a different portion of the threat spectrum, one may be able to achieve design goals, or at least obtain considerable design economy, that would be difficult if not impossible by employing a single safeguard system to cover the entire threat range.
TABLE C  CASES CONSIDERED FOR PERFORMANCE CRITERIA ANALYSIS

Category II and Category III Safeguard Objectives:
- Discrete External Material Accountability

Category I (To Achieve the Detection Component):
- a) Continuous Material Accountability
- b) Exit SNM Boundary Detection
- c) Simultaneous Independent Continuous and Discrete Material Accountability Subsystems
- d) Simultaneous Discrete Material Accountability and Exit SNM Boundary Detection

Conclusions

- 1. The fundamental question one could raise regarding the role of material accountability in safeguards is whether some form of material accountability is an essential ingredient. Is it possible to achieve all the stated safeguard objectives without the use of some form of material accountability? This study clearly demonstrates the intuitively obvious fact that the answer is manifestly no! Material accountability is the only safeguard element that has any potential for achieving the Category II safeguard system assessment objectives and the Category III loss assessment objective.
In principle either a discrete or continuous material accountability system could be used but it must be external to the process or at least guaranteed secure over the entire class of feasible threats.
The judgment was made in the study that a continuous material accountability system, because of technological considerations, would have to be intrinsic to the process and that it would be virtually impossible to guarantee that an intrinsic system is secure. Hence, though conceptually feasible, continuous external material accountability is not physically realizable, and thus was dropped from further consideration. We thus reach the conclusion that every safeguard subsystem must contain a discrete external material accountability subsystem.
- 2. A considerable research and development effort supported by ERDA has been underway over the past several years in order to develop a real time material accountability system. Such a real time system is not essential to satisfy the detection requirements in order to achieve all of the stated safeguard objectives and, in fact, may not even be sufficient. As observed earlier, such a system, by virtue of its physical implementation, employing extensive on line monitoring equipment, would be intrinsic to the process and hence probably not suitable for achieving Category II and III safeguards assessment objectives. In addition, the system is oriented towards measured material balances and may not be sensitive over the entire range of diversion possibilities.
Intrinsic continuous material accountability can be used, as proposed in several of the feasible safeguard strategies, for achieving the detection phase of Category I prevention safeguard objectives. As demonstrated in the report, intrinsic material accounting is, for a large class of scenarios, functionally equivalent to exit portal monitoring. It is highly questionable whether a complex continuous intrinsic material accountability system can be economically or even technically competitive with a relatively simple SNM portal monitoring system.
- 3. The best safeguard strategy for achieving the detection component to satisfy Category I safeguard objectives is probably an integrated use of exit boundary detection and discrete material accountability.
Exit boundary detection would be ideally suited to detect SNM theft or diversion occurring over a relatively short time span and thus could serve to impose a daily constraint on diversion. Discrete material accountability, on the other hand, has a potential for detecting a long term systematic diversion and thus could serve to impose a time constraint. Depending upon design considerations, the discrete material accountability system could be the same external system used for achieving the safeguard assessment objectives or can be a separate internal discrete material accountability system. This suggests that existing process data, generated to provide quality control and normal process management, might serve as the input to drive such a system. An integrated safeguards subsystem based upon exit monitoring and intelligent use of normal process data conceptually will be able to provide the detection component needed to satisfy the safeguard prevention objectives.
Areas for Further Work
- 1. There is a vital need to view all safeguard system development and analysis using a system viewpoint, bringing to bear all the modern tools of systems analysis, operations research, statistics, and engineering. Much of the current safeguard work appears to represent a collection of relatively unrelated tasks without a well defined common goal and where the interrelationships between each of the tasks are not clearly defined. This material accountability report is intended in part to provide a coherent framework for demonstrating how the various aspects of material accountability relate to the whole and thus to help structure future material accountability development efforts. All of safeguards could benefit from using this type of systems approach.
- 2. Eventually, the choice of a safeguard system will depend largely upon technical and economic considerations. Though our present conceptual analysis required only specification of material accountability attributes and a functional specification of quantitative parameters, it is essential for further work that quantitative values for parameters such as system sensitivity, maximum diversion time span, and allowable information gathering and processing delay time be ascertained. An effort should be undertaken to rationally define the interrelationship that exists between material types, threats, component safeguard systems, and public safeguard assurance requirements to arrive at suitable values for these parameters. Clearly established quantitative safeguard parameters are essential if one is to proceed from the concepts portion to the programs portion of Builder's levels of analysis pyramid.
- 3. Basic to the approach used in this report is the achievement of safeguard objectives by bounding the worst possible case. It is therefore necessary that an effort be undertaken to identify the class of feasible threats and, for each threat, the set of possible scenarios that can be utilized. Identification and analysis of scenarios will probably have to be performed on a site specific basis and can be partially accomplished via the diversion path analysis program being developed by ERDA.

The effort could be based on the evaluation/design sequence indicated in Figure 4. In particular, the following tasks should be included for each licensee of interest:

- a. Define the class of feasible adversary levels (threats)* and for each threat in that class determine the corresponding set of feasible scenarios.
- b. Develop the expression for the diversion success probability, i.e., determine the relationship between the diversion success probability, the diversion policy, threat, and the scenario employed.
- c. Determine the optimum (from the diverter's viewpoint) diversion success probability, and the corresponding threat, scenario and optimum diversion policy.

Undertaking an exercise of this nature will take the NRC a long way in understanding the safeguards worth of current material accountability practices, in identifying its weaknesses and limitations, and in establishing methodology that can be used in the evaluation of material accountability systems.

* NRC is trying to reserve the word threat for actual groups as reported by intelligence or police sources. The word threat used in this document means a hypothetical adversary force or level. The document was prepared before Management's decision to clarify the nomenclature.
4. Much of the present material accountability development effort has been directed to improvement of measurement capability and in particular the development of on-line NDA suitable for incorporation into an intrinsic material accountability system. As observed in Section 3, measurement uncertainty is one of the fundamental aspects in the design of a material accountability system. Of equal importance are the recordkeeping system, the data reduction methodology and the alarm criteria upon which diversion detection depends.
In fact, one really cannot specify data requirements until one knows exactly how the data will be used. Current practice relies almost entirely upon the MUF-LEMUF concept and its embodiment in terms of simple statistical control charts. It is clear that the MUF-LEMUF approach does not make effective use of historical data and certainly does not permit any use of additional information available about the possible diversion process. Over the past decade much progress has been made in the area of statistical communication theory using Kalman filtering and in process control using the Box-Jenkins time series analysis and forecasting technique. Kalman filtering represents an optimum approach to utilize particular information regarding the diversion process, e.g., that the diversion occurs at a constant rate. The Box-Jenkins approach, on the other hand, represents an ingenious empirical method for optimally utilizing historical data in predicting future performance.
It is imperative that an effort be undertaken to identify and evaluate the applicability of data reduction algorithms. This study must include:
a. Kalman Filtering
b. Box-Jenkins
c. Other statistical techniques, including:
   i) CUSUM and V-Mask
   ii) Exponential Smoothing (a special case of Box-Jenkins)
   iii) Multi-variate probability intervals (generalization of MUF-LEMUF)
These data reduction techniques are applicable not only to external discrete material accountability but also to intrinsic discrete systems making use of process data.
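The contrast drawn in item 4 between the per-period MUF-LEMUF test and sequential methods can be seen on a small constructed balance sequence. The following is an added illustration, not code or data from the report: it assumes a single-period MUF measurement error of sigma = 1.0 kg, LEMUF = 2 sigma, a hand-picked list of twenty error values, and a constant diversion of 1.0 kg per period starting in period 6. It runs the current-practice test, a one-sided CUSUM (the tabular form of the V-mask), and a scalar Kalman filter built on the constant-rate hypothesis mentioned above.

```python
"""Added example (not from the report): three diversion-alarm rules applied to
the same constructed sequence of material balance results.

Assumptions (not given on the page): 20 balance periods, a MUF measurement
error of sigma = 1.0 kg per period, LEMUF taken as 2*sigma, and a constant
diversion of 1.0 kg per period beginning in period 6. NOISE is a
hand-constructed list chosen so the run is reproducible; it is not plant data.
"""
import math

SIGMA = 1.0                 # std. deviation of a single-period MUF (assumed)
LEMUF = 2.0 * SIGMA         # limit of error on MUF, conventional 2-sigma
DIVERSION_RATE = 1.0        # kg per period, constant (assumed)
DIVERSION_START = 6         # first period in which material is removed

# Constructed measurement-error sequence, one value per balance period.
NOISE = [0.3, -0.5, 0.8, -0.2, 0.1, -0.6, 0.4, 0.2, -0.3, 0.7,
         -0.1, 0.5, -0.4, 0.3, 0.0, -0.2, 0.6, -0.5, 0.2, 0.1]


def muf_series(noise=NOISE, rate=DIVERSION_RATE, start=DIVERSION_START):
    """Observed MUF per period = true loss (diversion) + measurement error."""
    return [e + (rate if i + 1 >= start else 0.0) for i, e in enumerate(noise)]


def first_lemuf_alarm(muf, lemuf=LEMUF):
    """Current practice: alarm on the first period whose |MUF| exceeds LEMUF.
    Each period is judged on its own; earlier balances are not used."""
    for i, m in enumerate(muf):
        if abs(m) > lemuf:
            return i + 1
    return None


def first_cusum_alarm(muf, k=0.5 * SIGMA, h=4.0 * SIGMA):
    """One-sided CUSUM: S_i = max(0, S_{i-1} + MUF_i - k); alarm when S_i > h.
    k (reference value) and h (decision interval) are the usual choices for
    detecting a persistent positive shift of about 2k in the mean; the V-mask
    is the equivalent graphical test on the cumulative MUF plot."""
    s = 0.0
    for i, m in enumerate(muf):
        s = max(0.0, s + m - k)
        if s > h:
            return i + 1
    return None


def kalman_rate_estimate(muf, sigma=SIGMA, prior_var=100.0):
    """Scalar Kalman filter for the hypothesis 'diversion occurs at a constant
    rate r': the state r does not change between periods and each MUF is an
    observation r + noise. Returns (estimated rate, posterior variance).
    With a diffuse prior this reduces to the running mean of the MUFs."""
    r, p = 0.0, prior_var
    for m in muf:
        gain = p / (p + sigma ** 2)
        r = r + gain * (m - r)
        p = (1.0 - gain) * p
    return r, p


if __name__ == "__main__":
    muf = muf_series()
    print("largest single |MUF|   : %.1f kg (LEMUF %.1f)" % (max(abs(m) for m in muf), LEMUF))
    print("per-period LEMUF alarm :", first_lemuf_alarm(muf))
    print("CUSUM alarm period     :", first_cusum_alarm(muf))
    r, p = kalman_rate_estimate(muf)
    print("Kalman rate estimate   : %.2f kg/period (sd %.2f)" % (r, math.sqrt(p)))
```

On this input no single balance ever exceeds LEMUF, so the per-period rule never alarms, while the CUSUM accumulates the small positive residuals and alarms in period 12, six periods after the diversion begins. The Kalman estimate converges on the average loss rate; because the filter encodes the constant-rate hypothesis over the whole record, its estimate is diluted by the five clean periods, which is the price of a mismatched diversion model.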
5. Much speculation currently exists regarding the availability of process data and its suitability for safeguards use. As pointed out earlier, process data can possibly drive an intrinsic discrete material accountability system that can serve in providing the detection component for achieving the Category I safeguards objectives. An effort should be undertaken to perform a site specific evaluation to ascertain the nature of the data available. This effort could serve to provide sample data in support of the preceding data reduction analysis effort. Both efforts (4 and 5), in conjunction, may lead in the near term to low cost, easily implementable, site specific intrinsic internal material accountability systems that can serve a meaningful safeguard function.
6. An effort should be undertaken to examine real time accountability systems, in particular DYMAC, in order to fully explore the implications of intrinsic material accountability. The DYMAC system represents a classic example of intrinsic material accountability where extensive interaction between the process and the system occurs as the result of the extensive employment of on line monitoring and computer equipment. Among the questions that should be addressed are:
a. What is the potential for internal compromise of such a system? What redundancy and cross checks must be introduced to secure data processing over the entire class of feasible covert threats?
b. To what degree of certainty can the security of an intrinsic system such as DYMAC be guaranteed? How likely is such a system to function exactly as originally designed, without potential breaches occurring in its security, over a long period of time?
c. Can the extensive real time data generated by DYMAC be obtained by, and be useful to, a diverter in his attempt to defeat the system?
The first two questions essentially address the concern expressed in this study about employing intrinsic material accountability for achieving the Category II and III safeguard assessment objectives. The third question addresses the potential of real time intrinsic material accountability to supply information to a diverter that can assist in defeating the system. It is vital to fully understand these issues in order to assess the role of intrinsic real time material accountability systems in safeguards, of which the DYMAC system is an example.
1. Introduction

The purpose of this paper is to identify and analyze both the current and future roles of material accountability as a safeguard subsystem in the nuclear fuel cycle industry. The fact that questions regarding the significance and utility of material accounting in the safeguards program have developed over the years into a major issue which requires resolution by both ERDA and NRC is evident and clearly does not need further exposition.

The term material accountability, as used in this paper, will include the use of any or all data relating to material amounts and flows to identify the existence of a material discrepancy.* Such data could include process data such as batch yields, data obtained from information generated to provide for quality control, data generated in the normal management of the processing stream and, of course, data that can be obtained by imposing audits on the process, as is presently required in paragraph 70.51 of 10 CFR.
In order to completely identify the potential of material accountability in nuclear safeguards and determine corresponding accountability requirements, it is essential to carefully define the totality of all safeguard subsystems and to identify all the possible interactions that exist between material accountability and the other safeguard subsystems. It would be simplistic to attempt an examination of material accountability as an independent safeguard system, although its utility in that regard will become apparent from the analysis.

* The concept of "material accountability" as used in this report represents the material accounting portion of the material control and accounting safeguard elements. The term accountability is used in place of the term accounting to indicate a broad area of coverage and to avoid identification with the procedures specified in 10 CFR 70.
The synergism that is possible by integrating material accountability with other safeguard elements and subsystems is perhaps the key which makes the use of material accountability attractive to the safeguards program. In the following sections we will develop a structure to comprehensively view all safeguard subsystems and identify potential interactions, particularly those interactions that can exist between material accountability and the other safeguards.
One cannot investigate the role of material accountability without first asking the question of what one wants the safeguard program to accomplish.
It is therefore essential to develop a complete list of safeguard objectives and determine that subset of objectives that can conceptually utilize material accountability. It is perhaps an impossible task to be certain that the list of safeguard objectives is complete. It can only be hoped that through continual review and peer discussions with safeguard staff members a comprehensive list is obtained and that a major safeguard objective has not been inadvertently omitted. While it is possible to subjectively prioritize these objectives at the outset, the question of priorities is more logically addressed after the analysis has progressed beyond the conceptual stage. Therefore, for each objective on our list that can conceptually utilize material accountability, we will develop all possible alternative strategies and determine the performance requirements needed for each of these strategies to achieve that objective. It will require a detailed economic and feasibility analysis, attainable only from the engineering design of an actual safeguard system, for one to finally select which of the alternative conceptual safeguard strategies is optimum, or even to decide whether achieving a particular safeguard objective is indeed worth its cost.
In the discussion that follows, safeguard alternatives, particularly those involving material accountability, will be addressed from a conceptual viewpoint. If one considers the four level analysis pyramid illustrated in Figure 1 (suggested by Carl Builder), consisting at the top of goals and objectives, followed next by strategies and approaches, then by systems and operations, and finally containing at the bottom components, elements and subsystems, we see that in this paper we are working within the top two levels, which comprise the conceptual half. The bottom two levels clearly comprise the safeguard engineering and design half. Establishing a conceptual and analytic safeguards framework for material accountability is fundamental in identifying all the safeguards interactions and to serve as a rational basis for establishing a future viable material accountability research and development program.
Figure 1. Levels of Analysis (Builder Pyramid). From top to bottom: Goals & Objectives; Approaches & Strategies (these two levels form the concepts portion); Systems & Operations; Components, Elements & Subsystems (these two levels form the programs portion).

In Section 2, we will develop a conceptual framework for safeguards which will enable us to clearly visualize the function of material accountability, along with its possible relationship to other safeguard subsystems. In Sections 3 and 4, we will then develop a characterization for material accountability along with those safeguard subsystems with which material accountability can possibly interact. This characterization will consist of an appropriate set of attributes and parameters along with suitably optimized expressions for the theft or diversion success probability. Optimization of these probability expressions will be shown in fact to be analogous to "black hatting" used in physical security evaluation. A list of safeguard objectives will be developed in Section 5 and each candidate strategy assessed in terms of its potential ability to assist in satisfying each of the safeguard objectives. This will be followed in Section 6 by establishing a collection of potential safeguard strategies, where each safeguard strategy makes use of some form of material accountability. A subset of promising safeguard strategies is then selected and conceptual parameter relationships obtained in Section 7, in order to achieve performance criteria. As indicated earlier, further selection of a safeguard strategy alternative is not possible until one enters the phase of actual safeguard system engineering design and corresponding economic and feasibility evaluation. Sections 8, 9 and 10 contain a brief summary, present some conclusions and identify a few technical programs, both short term and long term, that NRC should sponsor in order to realize the full safeguard potential of material accountability. The short term programs will primarily be directed towards improving the usage of data and systems currently available within the present industry.
In examining the role of material accountability from a systems viewpoint, we inevitably have to deal with the terminology of a hierarchical safeguard system structure. The totality of all safeguards will be referred to in this report as the safeguard system. Major components such as material accountability, boundary detection, and communications will be referred to as subsystems, and particular elemental items such as an SNM portal monitor, searches, computer software, and diversion alarm algorithms will be referred to as safeguard elements. Thus, in this report, we will refer to safeguards in terms of a hierarchical structure consisting at the bottom of elements, containing larger portions consisting of combinations of elements called subsystems, and culminating with a safeguard system comprised of many safeguard subsystems.
The inconsistency inherent with such usage is that the larger subsystems themselves, such as material accountability, particularly when studied independently, can be viewed as a complete independent entity and thus itself thought of as a total system. Hence, we will, on occasion, refer to material accountability systems, though technically we mean it to be a subsystem of the total safeguard system. The fact that material accountability is truly a portion of a safeguard subsystem, and thus implies that its total worth in providing safeguards can only be accurately assessed by viewing the potential integration of material accountability with other safeguard subsystems, is fundamental to developing safeguards from a system viewpoint and basic to this study.
2. A Conceptual Structuring of Safeguards

2.1 Introduction

In this section we will develop a simple conceptual structure for safeguards that encompasses all the elements and practices of the industry in a unified framework. This framework will then be used to show the relationships that exist between the various safeguard elements and in particular to demonstrate those relationships that exist between material accountability and other safeguard subsystems.

2.2 Conceptual Structure

Figure 2 depicts a conceptual protected region; it consists simply of a boundary and an interior. Depending on the intended application, one can envision this region to be a "protected area" as defined in paragraph 73.2 of 10 CFR, a "Material Access Area", an entire plant or facility, perhaps an imaginary moving zone surrounding a convoy engaged in the transportation of nuclear material, or, for studying questions involving international safeguards, a nation.
In order for theft or sabotage to occur, there clearly would have to occur a partial concatenation of an unauthorized entrance across the region boundary (infiltration), an unauthorized activity within the interior of the region, and an unauthorized exiting across the boundary (exfiltration). The unauthorized activity could be envisioned to involve either personnel, animals, vehicles, materiel or material. A few examples should help clarify this fundamental point.
Figure 2. Conceptual Protected Region: a protected boundary enclosing a protected interior containing SNM, with arrows marking infiltration across the boundary, activity within the interior, and exfiltration across the boundary.
For example, if the act was sabotage, e.g., the use of a bomb by a disgruntled employee, the scenario sequence would first involve the importation of the bomb into the plant followed by planting the device and its subsequent detonation within the plant at a suitable location.
In this particular case, the protected region consists of the facility in which the employee works and the boundary would consist of the plant perimeter. In order for the malevolent act to successfully occur the employee would first have to effect an unauthorized movement of the bomb across the plant boundary, followed by the unauthorized activity of emplacement and detonation of the device within the facility. It should be noted that safeguards to prevent this activity could consist of

a) Measures at the plant boundary designed to detect the entrance into the plant of unauthorized materiel

b) Measures within the plant designed to detect the unauthorized personnel activity of the employee planting his device, and perhaps even measures within the plant boundary designed to detect the presence of the weapon, since the presence of a bomb within a facility can itself be viewed as an unauthorized activity.

It should also be noted that the employee's entrance to the facility at the beginning of a working day and his exit at the end of his shift are clearly authorized activities and could not directly be utilized in preventing this act of sabotage.
As a second example, consider an employee who works at a nuclear fuel fabrication facility which processes high enriched uranium metal. Suppose the employee decides to steal high enriched uranium, simultaneously substituting depleted uranium metal in its place in order to cover up the theft. In this case, the protected area in which the employee works is the conceptual region under consideration and the protected area boundary constitutes the boundary to that region. This scenario requires the unauthorized transportation across the protected area boundary of depleted uranium metal, the unauthorized activity within the protected area of stealing high enriched uranium metal and replacing it with the depleted stock, and finally an unauthorized exiting of high enriched uranium metal across the protected area boundary.

Safeguards to prevent this scenario could consist of measures at the plant boundary designed to detect unauthorized material crossing: depleted uranium metal on the way in, and high enriched uranium metal on the way out. Also, safeguard measures could be incorporated within the protected area to detect the unauthorized personnel activity of removing high enriched uranium metal while substituting in its place depleted material, and perhaps safeguard measures to detect the presence of unauthorized depleted material within the protected area.
As another example, consider a forceful assault on a fixed site by an armed terrorist group. The scenario would include, in sequence, a forceful penetration of the facility boundary, acquisition of SNM within the facility and finally exfiltration from the facility with the stolen SNM. Safeguards to prevent the success of this scenario would include barriers placed around the facility perimeter to delay adversary penetration, sensors to detect penetration, guard forces to respond to and engage the adversary, use of vaults, locked doors and other forms of containment to delay the adversary during the material acquisition phase and perhaps the use of external response forces such as local and state police to prevent material acquisition and successful exfiltration from the facility.

As a final example, to demonstrate that the suggested decomposition of theft or sabotage into three fundamental phases applies to the transportation of nuclear material as well as to fixed site malevolence, consider an attack by an armed terrorist force on a transporter carrying nuclear material. The cargo compartment in this example may be viewed as the interior of the conceptual protected region and the vehicle hull may be considered to comprise the boundary of the region. Successful execution of this scenario would require entrance through the vehicle hull into the cargo compartment, successful removal of material from the cargo compartment, followed finally by exiting from the cargo compartment with the nuclear material. Safeguards to prevent the success of this scenario could include use of armed guards accompanying the transporter, the summoning of external response forces to assist in thwarting the attack, and vehicle hardening, all to prevent successful hull penetration by the malevolent forces. One can, in addition, employ the use of suitable devices within the cargo compartment to delay and exacerbate the activity of removing the nuclear material, and finally use of armed forces to prevent successful exiting of this material from the vehicle.
One also could have incorporated disabling equipment into the transporter so that the adversary force could not easily move the vehicle from the location of the attack, potentially complicating all three phases of the malevolent act.
It should be evident that numerous examples can readily be constructed demonstrating the fundamental point that a target, either fixed site or transportation, can be viewed as consisting of an interior region and a boundary, and that a malevolent action sequence against that target can be partitioned into one or more of the three phases listed in Table 1.*
Basically, one can thus logically partition safeguard elements and subsystems according to the phase of the adversary action sequence within which they act. In Section 5 we will address in depth the question of safeguard objectives. For our present purposes, however, we can simply assume for the sake of discussion that safeguard objectives are directed to prevent the successful completion of adversary activities. When we examine the safeguard objectives in detail we will observe that the safeguard objectives can themselves be partitioned into four categories (omitting safeguard data generation):

a) Deterrence of theft or sabotage
b) Prevent a malevolent activity
c) Prove that one has indeed prevented theft or sabotage
d) Assess the results of a successful theft or sabotage (prevention breach).

In essence, all the safeguard objectives relate to prevention of theft or sabotage and hence we suffer no loss in generality, and simplify matters considerably, by formulating our present discussion in terms of prevention.

* The three adversary activity phases listed in Table 1 characterize the interaction between the facility and adversary. From a societal risk viewpoint these three phases collectively represent the material acquisition phase, which follows an adversary preparation phase and is followed by a material utilization phase.

TABLE 1. GENERIC ADVERSARY ACTIONS FOR THEFT AND SABOTAGE
A. Unauthorized entrance across boundary (infiltration)
B. Unauthorized activity within an area
C. Unauthorized exiting across boundary (exfiltration)
The minimal set of fundamental components needed to prevent successful theft and sabotage consists of detection of an activity followed by a suitable response to the activity. In equation format we may write:
Prevention = f (detection, response)    (2.1)
Clearly, in order to prevent theft or sabotage, it is first necessary to detect that the act is occurring and then bring to bear a suitable response to prevent its successful completion. The detection and response can occur at any of the phases of the adversary action sequence and both need not necessarily occur in the same phase. For example, one may detect the internal theft of SNM by an employee, but wait until the employee passes through an exit monitor (perhaps to verify that he indeed has SNM in his possession) before responding by placing him under arrest. Incorporated into the safeguard system may be elements or response activities primarily intended to cause adversary delay. In the transporter example, the armed escorts may merely engage during the entrance phase in a holding action until local or state police arrive to give assistance. Armor plating the cargo compartment of the transporter and the use of vault type doors will also serve to delay the adversary in completing Phase 1. The use of delaying equipment within the cargo compartment is an example of effecting delay during Phase 2, the material removal phase. The use of armed forces in a fire fight during the entrance or exit phases, even if only to effect a holding action, is clearly also a response. One can, however, argue that delay resulting from hardening the vehicle to increase its penetration resistance is indeed a third fundamental component of prevention. This suggests that safeguard elements to provide delay be included in the prevention equation.

Prevention = f (detection, delay, response)    (2.2)
From a conceptual viewpoint it does not matter whether one breaks out delay from response. However, one may obtain increased clarity in discussion by explicity addressing safeguard subsystems and elements intended primarily to provide delay.
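Equation (2.2) can be given concrete form by asking, phase by phase, whether a detection leaves enough adversary task time for the response to arrive. The following is an added illustration and not a model from the report: it assumes the three phases of Table 1, each with a constructed task time (the delay the safeguards impose), a constructed probability that the safeguards detect the adversary in that phase, and a detection latency (the information gathering and processing delay before an alarm is raised). A detection counts as prevention only if the remaining adversary time, less that latency, is at least the response time.

```python
"""Added example (not from the report): a small timing model of
Prevention = f(detection, delay, response), equation (2.2).

Assumptions: the adversary sequence is the three phases of Table 1, taken in
order, each described by an assumed task time, an assumed probability of
detection during the phase, and a detection latency. Detection attempts in
different phases are treated as independent. All numbers are constructed.
"""


def interruption_probability(phases, response_time):
    """phases: list of (name, task_minutes, p_detect, latency_minutes) in
    adversary order. Returns P(adversary detected early enough to be stopped).

    A detection in a phase is timely only if the adversary's remaining task
    time from the start of that phase, less the detection latency, is at
    least the response time; otherwise the detection is too late to prevent."""
    total = sum(t for _, t, _, _ in phases)
    p_stop = 0.0
    p_undetected_so_far = 1.0
    elapsed = 0.0
    for name, task, p_detect, latency in phases:
        remaining = total - elapsed - latency
        if remaining >= response_time:
            p_stop += p_undetected_so_far * p_detect
        p_undetected_so_far *= (1.0 - p_detect)
        elapsed += task
    return p_stop


def with_extra_delay(phases, phase_name, extra_minutes):
    """Return a copy of the phase list with a passive delay element (e.g. a
    vault door) added to the named phase; detection probabilities unchanged."""
    return [(n, t + (extra_minutes if n == phase_name else 0.0), p, l)
            for n, t, p, l in phases]


# Constructed adversary sequence for a fixed-site theft.
PHASES = [
    ("infiltration", 5.0, 0.9, 0.0),    # fence alarm, immediate
    ("acquisition", 10.0, 0.5, 0.0),    # visual observation inside the area
    ("exfiltration", 3.0, 0.8, 0.0),    # SNM portal monitor at the exit
]

# Same sequence, but acquisition-phase detection comes from a material
# balance that is only evaluated 8 minutes after the loss (assumed latency).
PHASES_ACCOUNTING = [
    ("infiltration", 5.0, 0.9, 0.0),
    ("acquisition", 10.0, 0.5, 8.0),
    ("exfiltration", 3.0, 0.8, 0.0),
]

if __name__ == "__main__":
    for rt in (12.0, 15.0):
        print("response %2.0f min: P(stop) = %.3f" % (rt, interruption_probability(PHASES, rt)))
    hardened = with_extra_delay(PHASES, "acquisition", 5.0)
    print("vault door, response 15 min: P(stop) = %.3f" % interruption_probability(hardened, 15.0))
    print("8 min accounting latency, response 12 min: P(stop) = %.3f"
          % interruption_probability(PHASES_ACCOUNTING, 12.0))
```

With a 12 minute response the acquisition-phase detection still counts and P(stop) is 0.95; at 15 minutes it no longer does and P(stop) falls to 0.90; adding five minutes of passive delay in the acquisition phase restores 0.95 with no change in detection. The last case shows why the allowable information gathering and processing delay is a design parameter in its own right: an accountability detection that arrives eight minutes late is, for this timeline, no better than no detection.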
One might also argue that there properly exists a fourth ingredient in the prevention equation: to avoid attempts of theft and sabotage. Avoidance can take the form of measures to deter and measures designed to limit risk. Security clearance requirements along with other pre-employment screening techniques may upgrade the reliability of the work force above that of the normal population and are a good example of a measure designed to limit risk. Statistically, the probability of an employee who has successfully passed a comprehensive background check engaging in an act of theft or sabotage should be considerably reduced. In fact, the likelihood of a conspiracy simultaneously involving several cleared employees may be virtually nil. Another measure used to avoid malevolence, particularly in the case of an armed terrorist attack, is the use of the domestic intelligence networks, such as that maintained by the FBI, to become aware of the terrorist intent and take appropriate action before an actual incident occurs. An example of deterrence would be the use of appropriate public relations techniques to promote public awareness that an effective safeguard system is in place in the nuclear industry and thus the likelihood of any individual or group successfully stealing a significant quantity of SNM is very remote. Also, the public should be made aware that substantial criminal penalties will be exacted by society for such an attempt. The relationship of material accountability to avoidance is primarily the deterrence effect resulting from fear of detection; though an important subject, it is not a direct relationship and will therefore not be discussed further in this report.
2.3 Safeguard Elements

In this report, we will view prevention of theft or sabotage as consisting of three fundamental ingredients:

a) Detection of the adversary
b) Delay of the adversary
c) Response to counter the adversary.
Table 2 contains a list of the fundamental safeguard elements partitioned according to whether the safeguard element serves primarily to detect, delay or respond. The first category, detection, can itself be further partitioned into two categories: those safeguard elements that are directed to detect the unauthorized activities of personnel or vehicles, and those safeguard elements that are designed to detect unauthorized material possession, movement, or location.

TABLE 2. FUNDAMENTAL SAFEGUARD ELEMENTS, COMPONENTS, AND SUBSYSTEMS
a) Detection
   Personnel (or vehicle) Directed: Alarms (sensors); Visual Observation; Access Controls; Work Rules (Procedures)
   Material Directed: SNM Monitors; Metal & Explosive Detectors; Searches; Material Accountability, consisting of a) Inventories & Audits, b) Process Controls & Records, c) Measurements, d) Data Evaluation, e) Item Controls
b) Delay
   Passive: Barriers; Containment Devices
   Active: Guards
c) Response
   On-site guards without use of deadly force
   On-site guards with use of deadly force
   Off-site forces without use of deadly force
   Off-site forces with use of deadly force

In the area of personnel or vehicle detection one can make use of alarms, for example on fences and vault doors, to detect unauthorized boundary crossing, or alarms internal to an area, as with a volumetric sensor, to detect an unauthorized activity within an area. Visual observation by plant security guards can also serve as a mechanism to sense an unauthorized personnel activity. Access controls, such as badging employees and the use of badge exchange systems, will serve to control access to the facility and limit unnecessary mobility of employees, thus resulting in an improved capability to detect unauthorized personnel boundary crossings, on entrance or exit. Lastly, the establishment and rigorous enforcement of work rules will enable one to detect unauthorized activities of an employee within a facility and also to limit risk. For example, the use of the two man buddy system in areas containing SNM makes the theft of SNM by a single employee easily detectable, either directly by the buddy or through visual observation by a plant guard observing a deviation from the buddy system necessary to perpetrate the crime.
In the case of detection that is directed towards material, one clearly can utilize metal and explosive detectors, monitors that measure radiation levels and can thus directly detect SNM, and searches of personnel and vehicles. The subject of this paper, material accountability, also belongs in this category. Material accountability serves to detect material discrepancies within a process. Material accountability can be viewed as consisting of two main components:

a) The evaluation of process data and records generated from the normal management of the process (batch yields, quality control, management controls, etc.)

b) The evaluation of data generated by requiring separate additional material balances, inventories and records (e.g., 10 CFR 70.51) which would not be part of the normal process control and management activities but serve only to provide a material physical audit for the specific purpose of providing safeguards.
The second category, delay, can also be partitioned into two subsets: systems that employ static means to obtain delay and dynamic systems that actively produce delay by essentially responding to the unauthorized activity. Barriers and the physical containment structures are examples of passive delay systems. The use of on-site guard forces to engage in a holding action during a terrorist attack until superior state or local police forces can arrive is an example of an active delaying tactic.
The third category, response, essentially consists of the use of either on-site or off-site forces and whether or not use of deadly force can be applied. Response procedures will depend greatly upon the nature of the stimulus, i.e., armed terrorist group, student protest, or plant employee, and the location and critical nature of the situation. For example, the response required to a terrorist attack that is detected as the adversary forces approach the facility boundary may be vastly different than if the attack is detected after entrance is gained to the facility, or after SNM is obtained. Similarly, the response required after the detection of an internal theft of SNM by an employee will depend upon whether or not he is still inside the facility. It should be evident that the subject of response strategies, appropriate in different tactical situations, is in itself a vast subject suitable for discussion in a paper which must encompass many dimensions, including individual civil rights and varying state laws regarding the use of deadly force, in addition to the primary mission of providing effective safeguards. In the discussion that follows, however, we mainly have to concern ourselves with those safeguard elements and subsystems that enable the detection of unauthorized activities, since material accountability is a detection mechanism and can therefore complement other similarly directed detection safeguard elements and subsystems. The only interface with response subsystems which needs to be addressed is essentially the timeliness requirement. The exact composition of the resulting response, though of importance to the overall safeguard program, is not really germane to an analysis of the safeguard utility of material accountability.
2.4 Relationship of Safeguard Elements to Material Accountability
In Table 3, safeguard elements employed for detection, both personnel and material directed, are sorted according to their applicability during each of the three malevolent activity phases.

TABLE 3. APPLICABILITY OF DETECTION SUBSYSTEMS TO EACH GENERIC ADVERSARY ACTION
a) Phase 1, unauthorized entrance across boundary
   Personnel (or vehicle) Directed: Access (Entrance) Controls; Alarms; Visual Observation
   Material Directed: Metal & Explosive Detectors; Natural or Depleted Uranium Detectors; Searches
b) Phase 2, unauthorized activity within area
   Personnel (or vehicle) Directed: Visual Observation; Work Rules; Alarms
   Material Directed: Material Accountability, consisting of a) Inventory & Audits, b) Process Controls & Records, c) Measurements, d) Data Evaluation, e) Item Controls
c) Phase 3, unauthorized exiting across boundary
   Personnel (or vehicle) Directed: Access (Exit) Controls; Alarms; Visual Observation
   Material Directed: SNM Monitors; Metal Detectors; Searches

We immediately observe from this table that the two components of material accountability, process controls and safeguard imposed SNM audits, along with the possibility of directly detecting an unauthorized personnel activity within the facility, are the only available mechanisms for detecting an SNM theft from within the area. In fact, if an employee were to divert material and squirrel it away within the facility, material accountability would provide the only available material directed detection mechanism.
In this case one is entirely dependent upon material accountability and direct personnel detection of the malevolent act to provide safeguards.
One can readily obtain a fairly general characterization of the internal covert theft success probability. Suppose we allow, in this general case, an individual to possibly import substitute material, steal material within the process activity, covering the theft by replacing the stolen SNM with the substitute material, and then finally transport the SNM out through the plant boundary. In the more specific cases, where substitute materials are not used or the stolen material is stored within the facility for later use, the corresponding probability terms can be deleted from the resulting overall success probability expression (or equivalently set equal to 1). Let:
$P_i$: the probability of successfully importing substitute material

$P_{ma}$: the probability of not being detected by the material accountability subsystem

$P_p$: the probability that the personnel activities of stealing the SNM are not directly detected

$P_e$: the probability that the stolen SNM is successfully transported out across the facility boundaries

The probability of an undetected SNM theft then becomes:

Undetected Theft Probability $= P_p \times (P_i \times P_{ma} \times P_e)$ (2.3)

The above probability expression has been bracketed to indicate that it consists of two components: one component representing the probability that the adversary will successfully avoid direct personnel activity detection and a second component representing the probability that the adversary will defeat the material directed detection safeguard elements. Thus we have:

Probability of adversary activities not being directly detected $= P_p$ (2.4)

Probability of defeating safeguard elements providing materially directed detection $= P_i \times P_{ma} \times P_e$ (2.5)
It should be noted that the evaluation of these probabilities, in specific cases, depends greatly upon the actual theft scenario employed.
For example, the probability of a diverter defeating the material accountability subsystem, $P_{ma}$, would differ depending upon whether or not substitute material was used to replace the stolen SNM. It should also be noted that we have implicitly assumed that the diversion detection was sufficiently timely to enable an appropriate and successful response.

Strictly speaking, from a systems viewpoint, one should work with the total mission success probability and thus incorporate success probabilities for response. We have, however, defined success to be non-detection in order to simplify the analysis and in recognition of the fact that in most covert thefts it will be a paramount goal for the diverter to go undetected.
The expression for the internal covert theft success probability suggests that numerous trade-offs are possible in designing that portion of the safeguard system that protects against the possibility of internal theft.
At one extreme, one could place total emphasis on the direct detection of a diverter's activities in the process of stealing SNM. As listed in Table 3, one would then have to design alarm systems and visual observation systems and implement effective work rules so that the resulting overall success probability, $P_p$, will be sufficiently small.
For convenience, we will use the Greek symbol epsilon, $\varepsilon$, to denote an arbitrary small quantity. Hence, employing only personnel directed detection techniques, one obtains for the required safeguard system performance requirements that

$P_p \le \varepsilon$ (2.6)

where $\varepsilon$, of course, must be chosen in a given design small enough to meet specified safeguard system performance levels. One could, at the other extreme, place complete emphasis on materially directed detection. One then has to design a safeguard system such that:

$P_i \times P_{ma} \times P_e \le \varepsilon$ (2.7)

One then faces the question of dividing the detection burden between boundary detection, $P_i$ and $P_e$, and area detection, $P_{ma}$. In an integrated safeguard system one would, in general, make use of some combination of personnel directed detection and material directed detection. The important points to be emphasized are:
a) that material accountability techniques represent a collection of safeguard elements that provide a within-area material directed detection capability, and

b) that material accountability can complement both detection safeguard elements that function within the work areas and are directed to personnel activities, and material directed safeguard elements that function at the facility boundaries.
This simple analysis thus serves to completely identify the other safeguard elements with which material accountability can directly interact and hence serves to scope the study. As indicated earlier, we also have to examine the question of timeliness to determine the interrelationships with safeguard response elements and subsystems. One cannot, however, from the expression for the success probability of covert SNM theft alone completely assess the utility of material accountability and thus develop a set of performance criteria since, as will be discussed, material accountability can potentially serve in achieving many other safeguard objectives in addition to assisting in the prevention of covert SNM theft.
3. A Characterization of Material Accountability

3.1 Introduction

The purpose of this section is to develop a conceptual characterization for material accountability that can be used to represent and classify all material accountability subsystems. This characterization will serve to identify and provide insight into the fundamental aspects of material accountability as well as later being of assistance in developing conceptual performance criteria that will enable material accountability, in conjunction perhaps with other safeguard subsystems, to achieve safeguard objectives. This characterization in part will consist of two attribute descriptors, one to indicate the discrete or continuous nature of material accountability data and determinations and the other to indicate the degree of separability of the material accountability system from the manufacturing process. Two parameters will be defined and used to quantify the temporal resolution and the delay time in processing the data needed to reach a decision. Finally, a class of probability functions will be introduced which relate the theft or diversion success probability to the level of threat and adversary strategy employed. These probability functions will completely characterize the sensitivity of the material accountability subsystem in detecting a material loss and the capability of an adversary to mask diversion.
3.2 Definition of Attributes

Table 4 lists the two material accountability attributes.

TABLE 4 MATERIAL ACCOUNTABILITY ATTRIBUTES

Data Characterization
   . Discrete
      . Periodic
      . Aperiodic
         . Random
         . Demand
   . Continuous

Separability from Process
   . Intrinsic (Embedded in the process)
   . External (Independent from the process)

The first attribute in the table is used to describe whether the material accountability subsystem monitors the process on a discrete time or continuous time basis. Discrete monitoring means that material accountability data and determinations are obtained at a fixed set of times. As indicated in Table 4, discrete material accountability can be broken down further into periodic and aperiodic monitoring. An example of a material accountability subsystem utilizing periodic monitoring is the physical material inventory and material balance requirements of 10 CFR 70, which require a bi-monthly audit and subsequent MUF/LEMUF determination for facilities in possession of a sufficient quantity of potentially strategic SNM (1 effective kilogram of unirradiated plutonium or high enriched uranium).
Aperiodic monitoring can be further divided into the categories random or demand. By random monitoring we mean that a strategy is utilized that essentially results in monitoring the process on a non-predictable basis. By demand monitoring we mean that material accountability data is generated from the process only upon request. Continuous material accountability signifies that a steady flow of data is generated which results in a complete time history and a continuous determination. One could justifiably argue that in the real world a truly continuous material accountability system cannot exist. All material accountability data and resulting material balances or determinations must be obtained from a real process in discrete chunks. Conceptually, however, continuous material accountability is a possibility and essentially represents the limiting case of periodic monitoring as the length of the interval between successive material determinations is made sufficiently small.
The second attribute listed in Table 4 is used to indicate whether or not the material accountability subsystem is deeply intertwined with the process which it monitors. The term intrinsic will be used to denote a material accountability subsystem that is embedded into and therefore interdependent with the process. On the other hand, the term external will be used to denote a material accountability subsystem which can be made to function completely independent from the process. A material accountability subsystem which depends heavily on automated on-line in-process measurements is an example of an intrinsic system. Continuous material accountability, by its very nature, would probably have to be an intrinsic system. Use of process data for material accountability is another example of an intrinsic system. On the other hand, a material audit based on an independent physical inventory is completely separate from the process and thus serves as an example of an external material accountability system.
Another concept intimately related to the notion of intrinsic and external material accountability is the concept of secure material accountability. Against a particular threat, a given material accountability subsystem can either be compromised or is tamper safe. A material accountability subsystem with respect to a given threat can thus be regarded to be either secure or insecure. Whereas the concept of intrinsic or external relates the material accounting subsystem to the process, the concept of secure or insecure is threat dependent. Given an entire class of feasible threats, one can address the question whether a given material accountability system is secure over that entire class.

By introducing redundancy and suitable cross checks, it is possible, at least conceptually, to harden a material accountability subsystem to the level where it is secure over the entire feasible threat spectrum. It is important to realize, however, that to assure that an external material accountability subsystem has been secure with respect to a specified class of feasible threats is a much simpler task than to assure that an intrinsic material accountability system has been secure. One can never be certain that a system design has been achieved or maintained over a period of time, particularly where adherence to strict personnel procedures is required. One should also note that a material accountability system cannot be external to itself. (Thus, implicit in the definition of external and intrinsic is the tacit assumption that the process does not include the material accountability operations.) Since by definition an external material accountability subsystem is an independent entity, it is vulnerable only from within, and hence requirements for its hardening can be relatively well defined. The inseparability from the process of an intrinsic material accountability subsystem creates numerous possibilities and opportunities for compromise, and thus it can become very difficult to secure. In fact, the only way to absolutely guarantee that a system has not been compromised is to assure that an interaction with the system could not have occurred, i.e., it is external to the process.

When we later examine the safeguard objectives, we will observe that in order to achieve a portion of these objectives it is vital to be certain that the material accountability system is secure over the entire class of feasible threats, and hence highly desirable, if not essential, that an external material accountability subsystem be used.
3.3 Parameters

The two parameters that are necessary to completely characterize a material accountability system are the resolution interval, denoted in this paper by the letter R, and the information processing delay time, denoted by the letter D. As shown in Table 5, the resolution interval is defined as the length of time that occurs between two successive material determinations. In the case of a discrete material accountability system where determinations are performed on a periodic basis, the resolution interval will be a constant. For a system employing random or demand audits, the length of the resolution interval will, of course, be a variable. It should also be noted that by definition the length of the resolution interval in a continuous material accountability system is zero. In fact, one could have defined continuous material accountability as a subsystem which has zero length resolution.
The significance of the resolution interval is that it represents the limiting capability of the material accountability system to pin-point the time of occurrence of an event. For example, with the current two month periodic physical inventory and material balance requirements of 10 CFR 70, the uncertainty of the time of occurrence of a one-shot theft, if detected via the current physical inventory would be the two month interval that has elapsed since the last physical inventory.
TABLE 5 ACCOUNTABILITY PARAMETERS

Resolution interval (discrete material accounting only)
   $R_i$ = time between the $(i-1)$-th and $i$-th material balances

Delay
   $D$ = time between obtaining material accountability data and being able to make a determination regarding SNM loss

As shown in Table 5, the second parameter, the delay time, D, signifies the elapsed time from obtaining material accountability data to the completion of the data processing needed to make a decision regarding SNM loss. Under the current 10 CFR 70 bi-monthly physical audit requirements, a maximum of 30 days delay is allowable, primarily to obtain isotopic analysis and perform the MUF-LEMUF calculations and comparison.
The fundamental significance of the delay time is that it limits the ability of material accountability to effectively interface with other detection and response safeguard elements and subsystems. For example, for a one-shot SNM theft, the elapsed time between occurrence and detection by the material accountability system could be as much as the sum of the resolution and delay times, R + D. Even with a continuous material accountability system, i.e., R equal to zero, the information processing delay time may not be small enough to prevent the occurrence of the theft, or even to permit an effective recovery operation.
3.4 Probability Functions

Lastly, in order to complete the characterization of material accountability subsystems, it is necessary in some appropriate manner to quantify the sensitivity of the system in detecting material losses. The manner through which the question of diversion detection sensitivity is best addressed, and which at the same time also serves to describe the relationship of detection sensitivity to the threat level, scenario employed and the diversion strategy utilized by the adversary, is the use of appropriate diversion or theft success probability functions. These probability functions must contain as parameters a characterization of the threat and theft strategy employed. It should be noted that in terms of a theft success probability, the more sensitive the material accounting system is to detecting a material loss, the smaller should be the corresponding probability function quantifying the likelihood of theft or diversion success. Again it should be pointed out that we are, for simplicity, equating diversion success with the probability that the diversion is not detected.
3.4.1 Probability Functions for Discrete Material Accountability
In this section we will develop expressions for the probability that a discrete material accountability subsystem will not detect theft or diversion of SNM. Noting that a discrete material accountability subsystem works with data obtained at the conclusion of each of a finite set of accounting intervals, we see that the general expression for detecting cumulative losses occurring over a span of n intervals must be of the form:

Diversion success probability $= P_{ad}(K_1, K_2, \ldots, K_n;\ R_1, R_2, \ldots, R_n;\ T, S_T)$ (3.1)

where:

$K_i$ denotes the material stolen or diverted during the i-th interval

$R_i$ denotes the duration of the i-th accounting interval
The symbol T is used as a descriptor to signify the dependence of the diversion success probability on the threat, which in our context is defined as the number and type (capability) of individuals comprising the adversary group. The symbol $S_T$ is a descriptor used to denote the dependence of the diversion success probability on the actual scenario employed by the threat. A complete scenario description must include a detailed description of the diversion process as well as the exact diversion mechanisms employed. Possible diversion mechanisms can include, for example, falsifying of records, manipulation of data to inflate the normal statistical fluctuations, commingling of different materials, and the use of substitute material to replace stolen SNM. It should be manifestly clear that the diversion success probability depends heavily on the threat and scenario employed in effecting the diversion as well as the quantity and distribution over time of the SNM diverted. For example, intuitively, it seems plausible that a group of employees having access to material accounting records sufficient to permit falsification would stand a better chance of success than a group of employees who must defeat an honest accounting system.
The total material stolen or diverted over the n accounting intervals, denoted by K, is clearly the cumulative sum of the quantity diverted during each of the n intervals considered:

$K = \sum_{i=1}^{n} K_i$ (3.2)
If a threat, T, desired to divert K kg of SNM over n accounting intervals by employing scenario $S_T$, they would still have left the decision as to how much material to divert during each interval. A given distribution of the K kg into components $(K_1, K_2, \ldots, K_n)$ will be referred to as a diversion policy. One could view the diversion policy as being part of the diversion scenario. For our purposes, however, it is very useful to be explicit and separate the diversion policy from the diversion mechanics employed. Obviously, a diverter desires to choose that diversion policy which maximizes his success likelihood. Hence, for a specified scenario and a fixed diversion span of n intervals of respective lengths $\{R_i\}$, one can define the optimum diversion success probability by

$P_{ad}(K;\ R_1, R_2, \ldots, R_n;\ T, S_T) = \max_{\{K_i\}:\ \sum K_i = K} P_{ad}(K_1, K_2, \ldots, K_n;\ R_1, R_2, \ldots, R_n;\ T, S_T)$ (3.3)
Equation 3.3 simply states that for a fixed number of accounting intervals and specified scenario, the optimum diversion success probability is obtained by examining the totality of all diversion policies that yield K kg and selecting that policy which yields the maximum value. The corresponding diversion policy is referred to as the optimal policy. The diverter's problem is to find that optimal policy. It should be noted that the optimal success probability, the left hand side of Eq. 3.3, is indicated by including only a single non-subscripted quantity K in its argument list, as compared to the diversion success probability corresponding to a specific diversion policy, which contains in its argument list n subscripted quantities to specify the amounts diverted in each of the n accounting intervals considered. It should also be noted that a diverter need not utilize all of the diversion span available, in which case some of the trailing entries in the diversion policy vector will consist of zeros, i.e., $(K_1, K_2, \ldots, K_i, 0, 0, \ldots, 0)$. In fact, particularly if a random detection mechanism is utilized, it may not be to a diverter's advantage to excessively extend his exposure.
The maximum acceptable diversion span will normally be governed by external constraints dictated by the motivations underlying the SNM diversion and the particular application for which the diverted material is intended. Hence for our purposes a maximum permitted diversion span must be specified much in the same almost arbitrary manner as one must define a strategic quantity of SNM. In fact, since the set of diversion policies corresponding to a given span contains as a subset all the diversion policies corresponding to all shorter diversion spans, the optimum diversion probability must increase as the maximum permitted diversion span increases.
Available to the threat, T, is clearly the choice of scenario $S_T$, limited only by their particular capabilities and resources, and the choice of diversion policy. Hence the general problem facing a given adversary is to optimize not only over the diversion policy but over the set of diversion scenarios, $\{S_T\}$, that is within their capacity to execute:

$P_{ad}(K;\ R_1, R_2, \ldots, R_n;\ T) = \max_{\{S_T\}} P_{ad}(K;\ R_1, R_2, \ldots, R_n;\ T, S_T) = \max_{\{S_T\}} \max_{\{K_i\}:\ \sum K_i = K} P_{ad}(K_1, K_2, \ldots, K_n;\ R_1, R_2, \ldots, R_n;\ T, S_T)$ (3.4)

In Eq. 3.4, $\{S_T\}$ is used to denote the subset of all theft or diversion scenarios of which that threat is capable. The threat clearly desires to find that particular scenario, denoted by $S^*$, and the corresponding diversion policy, denoted by $\{K_i\}^*$, which maximizes its diversion success likelihood.
For the sake of completeness, let us briefly consider the problem faced in the design of a material accountability subsystem. The system design must take into account the entire range of feasible threats, denoted by {T}. As with the case of specifying the maximum possible diversion span, defining the class of feasible threats represents essentially a judgment call. One possibility in assessing the potential vulnerability of a material accountability system is to compute the maximum diversion success probability over the entire range of feasible threats. This maximum is given by

$P_{ad}(K;\ R_1, R_2, \ldots, R_n) = \max_{\{T\}} P_{ad}(K;\ R_1, R_2, \ldots, R_n;\ T) = \max_{\{T\}} \max_{\{S_T\}} \max_{\{K_i\}:\ \sum K_i = K} P_{ad}(K_1, K_2, \ldots, K_n;\ R_1, R_2, \ldots, R_n;\ T, S_T)$ (3.5)
Eq. 3.5 represents for the material accountability system the worst possible case. As will be discussed later, system specification based on this ultimate maximum diversion success probability will be clearly conservative since in reality one need not be faced with the maximum credible threat nor will that threat necessarily utilize its resources in a maximally efficient manner. Eq. 3.5 is the expression which provides the basis for generating material accountability performance criteria and for material accountability system design.
Let us consider a simple example to illustrate some of the concepts involved. Assume that a periodic physical inventory and material balance is performed and that the simple MUF-LEMUF alarm criterion is employed.
That is, the material accountability system indicates an alarm condition if the current MUF exceeds the current LEMUF without any regard for past data, i.e., no time series analyses. This characterizes essentially the present procedure for analyzing bi-monthly physical inventory data under the current regulatory framework as specified in 10 CFR 70.

Clearly, since the past has no effect on the current analysis, successive material accounting intervals are statistically independent and thus the diverter, by symmetry, will optimize his success probability by removing an equal amount of SNM during each accounting interval. The only question involved is the trade-off that will exist between the diverter removing too much material per accounting interval, and thereby assuming a too high per event risk, and excessively extending his exposure. If we assume that the maximum permitted diversion span is n accounting intervals and the diverter elects to use only the first J intervals, Eq. 3.1 becomes, because of statistical independence,

$P_{ad}(K_1, K_2, \ldots, K_J, 0, 0, \ldots, 0;\ T, S_T) = \prod_{i=1}^{J} P_{ad}(K_i, R, T, S_T)$ (3.6)

where, from MUF-LEMUF theory, letting N(x) denote the cumulative normal distribution function

$N(x) = \dfrac{1}{\sqrt{2\pi}} \int_{-\infty}^{x} e^{-y^2/2}\,dy$

we have

$P_{ad}(K_i, R, T, S_T) = N(2 - K_i/\sigma_R)$ (3.7)

$\sigma_R$ is defined as the standard deviation of the material balance uncertainty for a single accounting interval of duration R and must reflect the threat and diversion scenario employed.
As indicated earlier, the optimum policy consists of equal diversions, and thus to obtain a total of K kilograms over J attempts it must be of the form

$(K/J, K/J, \ldots, K/J, 0, 0, \ldots, 0), \quad J \le n$ (3.8)

The corresponding success likelihood is thus given by

$P_{ad}(K, J, n) = \left[N\!\left(2 - \dfrac{K}{J\sigma_R}\right)\right]^J$ (3.9)
The diverter's problem of determining the optimum diversion policy in order to maximize his success likelihood thus reduces to the simple problem of finding the value for J which maximizes Eq. 3.9 subject to the condition that J does not exceed the maximum diversion span n. This problem is readily treated by means of ordinary differential calculus.
Figure 3 depicts the behavior of the optimum diversion success likelihood as the maximum possible diversion span increases. It should be noted that an optimum diversion span, denoted by $n^*$, exists. If the maximum allowable span, n, is less than $n^*$, the diverter is forced to excessively increase his per-shot risk, thereby adversely affecting his overall success likelihood. On the other hand, as indicated by the dotted curve, unnecessarily extending his exposure by spreading the diversion over too long a time period will again adversely affect his overall success probability. That is, for $n > n^*$, the diverter will optimize by using only a portion of the maximum diversion span permitted.
[Figure 3. Dependence of Optimum Diversion Success Likelihood on Maximum Diversion Time Span. Vertical axis: optimum diversion success likelihood; horizontal axis: maximum diversion span, n, with $n^*$ (optimum) marked. Solid curve ($n^* > n$): diverter uses entire diversion span. Dotted curve ($n > n^*$): diverter uses only a portion of the available diversion span.]
For the MUF-LEMUF comparison, it can be shown that the optimum diversion span $n^*$ is approximately given by

$n^* = 2K/\sigma_R = 4K/\mathrm{LEMUF}$ (3.10)

and that the corresponding optimum success probability is given by

$P_{Max}(K) = \left[N(2 - 0.5)\right]^{4K/\mathrm{LEMUF}} = (0.9332)^{4K/\mathrm{LEMUF}}$ (3.11)

Taking the natural logarithm on both sides, one obtains

$0.25\,\dfrac{\ln P_{Max}(K)}{\ln(0.9332)} = K/\mathrm{LEMUF}$ (3.12)

For a 99% detection confidence, i.e., $P_{Max} = 0.01$, Eq. 3.12 demonstrates that the LEMUF must be approximately $K/16.7$. A strategic limit of 2 kg thus requires approximately a 120 gram LEMUF for a 99% detection probability level, provided the MUF-LEMUF diversion alarm decision criterion is utilized.
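The following is an added worked example, not part of the original report, that carries the MUF-LEMUF analysis of Eqs. 3.6 through 3.12 through numerically: it evaluates the success likelihood of an equal-split diversion policy, searches the integer J for the diverter's optimum, compares it with the approximation $n^* = 4K/\mathrm{LEMUF}$, and solves Eq. 3.12 for the LEMUF required for 99% detection. It assumes, as the text does, that LEMUF $= 2\sigma_R$ and that an alarm is raised only when MUF exceeds LEMUF; the 2 kg and 120 g inputs are the report's own figures, while the function names are the example's.

```python
"""
Worked illustration of the MUF-LEMUF diversion analysis of Section 3.4.1
(Eqs. 3.6 through 3.12). Added example; not code from the original report.
Assumptions: the single-interval material balance is normally distributed
with standard deviation sigma_R, LEMUF = 2 * sigma_R, and an alarm is raised
only when the current MUF exceeds the current LEMUF (no time series analysis).
"""
import math


def normal_cdf(x: float) -> float:
    """N(x): the cumulative standard normal distribution function."""
    return 0.5 * math.erfc(-x / math.sqrt(2.0))


def single_interval_success(k_i: float, sigma_r: float) -> float:
    """Eq. 3.7: probability that diverting k_i within one accounting
    interval does not trigger a MUF > LEMUF alarm (LEMUF = 2 * sigma_r)."""
    return normal_cdf(2.0 - k_i / sigma_r)


def policy_success(policy, sigma_r: float) -> float:
    """Eq. 3.6: with statistically independent accounting intervals, the
    success probability of a policy (K_1, ..., K_J, 0, ..., 0) is the
    product of the per-interval terms over the J intervals actually used."""
    p = 1.0
    for k_i in policy:
        if k_i > 0.0:
            p *= single_interval_success(k_i, sigma_r)
    return p


def equal_split_success(k_total: float, j: int, sigma_r: float) -> float:
    """Eq. 3.9: K spread equally over J intervals (the optimum by symmetry)."""
    return single_interval_success(k_total / j, sigma_r) ** j


def optimum_span(k_total: float, sigma_r: float, max_span: int):
    """The diverter's problem stated below Eq. 3.9: the J in 1..n that
    maximises Eq. 3.9. The report solves it by calculus; here the integer
    J is found by exhaustive search. Returns (J*, P_max)."""
    best_j, best_p = 1, 0.0
    for j in range(1, max_span + 1):
        p = equal_split_success(k_total, j, sigma_r)
        if p > best_p:
            best_j, best_p = j, p
    return best_j, best_p


def approx_optimum_span(k_total: float, lemuf: float) -> float:
    """Eq. 3.10: n* ~= 2K/sigma_R = 4K/LEMUF."""
    return 4.0 * k_total / lemuf


def required_lemuf(k_total: float, p_max: float) -> float:
    """Eq. 3.12 rearranged: the LEMUF that holds the optimum diversion
    success probability for K at or below p_max (N(1.5) ~= 0.9332)."""
    k_over_lemuf = 0.25 * math.log(p_max) / math.log(normal_cdf(1.5))
    return k_total / k_over_lemuf


if __name__ == "__main__":
    # Constructed inputs: the report's 2 kg strategic limit and the
    # 120 g LEMUF it derives for a 99% detection probability.
    K_GRAMS = 2000.0
    LEMUF_GRAMS = 120.0
    sigma = LEMUF_GRAMS / 2.0
    print(f"n* from Eq. 3.10: {approx_optimum_span(K_GRAMS, LEMUF_GRAMS):.1f}")
    for n in (20, 100):
        j_star, p_max = optimum_span(K_GRAMS, sigma, n)
        print(f"max span n={n:4d}: J*={j_star:3d}, P_max={p_max:.4f}")
    print(f"LEMUF for 99% detection of 2 kg: "
          f"{required_lemuf(K_GRAMS, 0.01):.1f} g")
```

With n = 20 the search returns J* = n (the diverter uses the entire span, the solid branch of Figure 3), while with n = 100 it returns J* near 67, the 4K/LEMUF value of Eq. 3.10, with P_max close to 0.01.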
3.4.2 Probability Functions for Continuous Material Accountability

Let us now turn our attention to the continuous material accountability case. As indicated earlier, a continuous material accountability system can be viewed as the limiting case of a discrete system as the time interval between successive material balances becomes sufficiently small. Therefore, to obtain an expression for the theft or diversion success probability for the continuous case we start with Eq. 3.1 with equal accounting intervals and let R tend to zero. Rewriting Eq. 3.1 with equal intervals we have:

Diversion success probability $= P_{ad}(K_1, K_2, \ldots, K_n;\ n(R);\ T, S_T)$ (3.13)

If we note that the ratio $K_i/R$ is the rate at which material is diverted during the i-th period, we can rewrite Eq. 3.13 in the form:

Diversion success probability $= P_{ad}(r_1, r_2, \ldots, r_n;\ n(R);\ T, S_T)$ (3.14)

where

$r_i = K_i/R$ (3.15)

denotes the diversion rate during the i-th interval.

If we fix the total diversion span from, say, time $t_1$ to $t_2$ and let R become sufficiently small, n tends to infinity and the $r_i$, $i = 1, 2, \ldots, n$, become the instantaneous diversion rate function. Eq. 3.14 in the limit thus becomes

Diversion success probability $= P_{ac}(r(t)|_{t_1}^{t_2}, T, S_T)$ (3.16)

where $r(t)|_{t_1}^{t_2}$ is used to denote the diversion rate function over the entire diversion interval starting at time $t_1$ and ending at time $t_2$, and will be referred to as the diversion rate profile. We have also introduced the subscript (ac) in place of the subscript (ad) to signify that we are now characterizing a continuous material accounting system.
Eq. 3.16 is the fundamental equation for the diversion success probability for a continuous material accountability system and is analogous to Eq. 3.1 for the discrete case. Eq. 3.16 indicates that the probability of theft or diversion success depends upon the diversion rate profile as well as the actual threat and actual diversion scenario. The diversion rate profile is the diversion policy for the continuous case. Integrating the diversion policy over the diversion span yields the total quantity diverted:

$K = \int_{t_1}^{t_2} r(t)\,dt$ (3.17)
One can now proceed in a manner completely analogous to the discrete case and ask for a given threat and scenario what is the diverter's optimum diversion policy.
$P_{ac}(K, t_1, t_2, T, S_T) = \max_{r(t):\ \int_{t_1}^{t_2} r(t)\,dt = K} P_{ac}(r(t)|_{t_1}^{t_2}, T, S_T)$ (3.18)

The left hand side of Eq. 3.18 denotes the maximum diversion success probability corresponding to threat T employing scenario $S_T$. The argument list simply contains the total quantity diverted (to denote utilization of the optimum diversion policy), the beginning and end of the diversion interval, the threat, and the scenario employed. As before, for
each potential scenario, the threat desires to find that policy which optimizes its success likelihood. In general, a given threat will search over all diversion scenarios within its capability in order to simultaneously obtain the optimal diversion scenario along with the corresponding optimum diversion policy:

$P_{ac}(K, t_1, t_2, T) = \max_{\{S_T\}} P_{ac}(K, t_1, t_2, T, S_T) = \max_{\{S_T\}} \max_{r(t):\ \int_{t_1}^{t_2} r(t)\,dt = K} P_{ac}(r(t)|_{t_1}^{t_2}, T, S_T)$ (3.19)

Finally, the design of a material accountability system must consider the totality of all feasible threats {T}. Hence, in complete analogy with the discrete case, the maximum diversion success likelihood can be expressed as:

$P_{ac}(K, t_1, t_2) = \max_{\{T\}} P_{ac}(K, t_1, t_2, T) = \max_{\{T\}} \max_{\{S_T\}} \max_{r(t):\ \int_{t_1}^{t_2} r(t)\,dt = K} P_{ac}(r(t)|_{t_1}^{t_2}, T, S_T)$ (3.20)

Eq. 3.20 represents for the continuous material accountability system the worst possible case and thus serves, in complete analogy with the discrete case, as a conservative basis for generating material accountability performance criteria and as a basis for design.
3.4.3 A Further Discussion of Diversion Success Probability Functions

It is worthwhile, at this point, to establish a few obvious relationships that the diversion success probability functions must satisfy, indicate some assumptions that can reasonably be made, and address the question of dependence of these probability functions on technological considerations.
By the manner in which we defined our optimum diversion success probabilities, for a given threat and specified scenario, we observe that the optimum diversion success probabilities are monotonically increasing functions of the maximum diversion span permitted. For the discrete case we can write in equation form:

$$P_{ad}(K; R_1, R_2, \ldots, R_n; T, S_T) \le P_{ad}(K; R_1, R_2, \ldots, R_n, R_{n+1}, \ldots, R_m; T, S_T), \quad m > n \qquad (3.21)$$
and for the continuous case we have:

$$P_{ac}(K, t_1, t_2, T, S_T) \le P_{ac}(K, t_1, t_3, T, S_T), \quad t_3 > t_2 \qquad (3.22)$$
Equations 3.21 and 3.22 should be clear, since the diverter is not required to use his maximum diversion span and would choose that diversion span, up to the maximum permitted, that yielded the greatest success likelihood. The class of policies that are available in obtaining the right side of Eq. 3.21 or Eq. 3.22 must include as a subset the class of policies available in generating the left hand sides of Eq. 3.21 and 3.22. In fact, for the discrete case, one simply has to set the quantities K_{n+1} through K_m equal to zero, and in the continuous case, set r(t) equal to zero over the time interval t_2 to t_3. Clearly, since a larger maximum diversion time span enlarges the set of available policies from which a diverter can choose, a maximum diversion success probability at least as great must result.

It must also follow from Eq.'s 3.21 and 3.22 that the optimum diversion success probabilities for a given threat, and for the entire class of threats, are monotonically increasing functions of the diversion span permitted.
We have thus:

Discrete case:
$$P_{ad}(K; R_1, R_2, \ldots, R_n; T) \le P_{ad}(K; R_1, R_2, \ldots, R_n, R_{n+1}, \ldots, R_m; T), \quad m > n$$
$$P_{ad}(K; R_1, R_2, \ldots, R_n) \le P_{ad}(K; R_1, R_2, \ldots, R_n, R_{n+1}, \ldots, R_m), \quad m > n \qquad (3.23)$$

Continuous case:
$$P_{ac}(K, t_1, t_2, T) \le P_{ac}(K, t_1, t_3, T), \quad t_3 > t_2$$
$$P_{ac}(K, t_1, t_2) \le P_{ac}(K, t_1, t_3), \quad t_3 > t_2 \qquad (3.24)$$
Intuitively, in a well designed material accountability system, the diversion success probability functions should be monotonically decreasing functions of the total quantity of material diverted. The absolute truth of this statement would of course depend upon the capabilities and limitations of the measuring equipment and the data reduction algorithms employed in the subsequent analysis. As a trivial example, if one considers a conventional residential gas or electric meter, an undetected diversion of an amount equal to an integral multiple of the maximum reading capacity of the meter can occur simply because the meter, in monitoring the flow, would execute one or more complete cycles and return to its previous reading. However, the assumption of monotonicity appears realistic, particularly since good engineering and operations research judgement will be used in designing the measuring apparatus and in selecting the diversion alarm decision criteria. Expressing this assumption in equation form for each of the diversion success probabilities we obtain:
Discrete:
$$P_{ad}(K_1, K_2, \ldots, K_n; R_1, R_2, \ldots, R_n; T, S_T) > P_{ad}(K_1^*, K_2^*, \ldots, K_n^*; R_1, R_2, \ldots, R_n; T, S_T) \quad \text{if } K_i^* \ge K_i \text{ for } i = 1, 2, \ldots, n, \text{ with } K_i^* > K_i \text{ for at least one } i$$
$$P_{ad}(K; R_1, R_2, \ldots, R_n; T, S_T) > P_{ad}(K^*; R_1, R_2, \ldots, R_n; T, S_T) \quad \text{if } K^* > K$$
$$P_{ad}(K; R_1, R_2, \ldots, R_n; T) > P_{ad}(K^*; R_1, R_2, \ldots, R_n; T) \quad \text{if } K^* > K$$
$$P_{ad}(K; R_1, R_2, \ldots, R_n) > P_{ad}(K^*; R_1, R_2, \ldots, R_n) \quad \text{if } K^* > K \qquad (3.25)$$

Continuous:
$$P_{ac}\big(r(t)\big|_{t_1}^{t_2}, T, S_T\big) > P_{ac}\big(r^*(t)\big|_{t_1}^{t_2}, T, S_T\big) \quad \text{if } r^*(t) \ge r(t) \text{ for } t_1 < t < t_2, \text{ with } r^*(t) > r(t) \text{ over some finite interval}$$
$$P_{ac}(K, t_1, t_2, T, S_T) > P_{ac}(K^*, t_1, t_2, T, S_T) \quad \text{if } K^* > K$$
$$P_{ac}(K, t_1, t_2, T) > P_{ac}(K^*, t_1, t_2, T) \quad \text{if } K^* > K$$
$$P_{ac}(K, t_1, t_2) > P_{ac}(K^*, t_1, t_2) \quad \text{if } K^* > K \qquad (3.26)$$
The first equation of both 3.25 and 3.26 simply states that if, over a given diversion span, a diverter increases the amount diverted during at least one accounting period in the discrete case, or over a finite interval of time in the continuous case, then his success probability will decrease. The remaining equations state that the respective optimum diversion success probabilities decrease as the total diverted quantity increases.
Finally, it is reasonable to assume, at least at our conceptual study level, that the diversion success probability expressions are invariant to a time shift. In reality, it may matter at what point in the processing cycle material is diverted. Measurement limitations may suggest, for example, that material is best diverted from a storage hopper when it is full and not partially empty. Particular portions of a campaign may be particularly vulnerable to diversion as the result of material flows and existing material forms. Finally, the data reduction algorithm may be vulnerable at special times, for example, times when partial accounting information becomes available to the diverter. These areas are extremely important to investigate but need to be addressed during the safeguard engineering design and are not pertinent to our present conceptual analysis.
The time invariance assumption for the case of discrete material accountability with equal length material accounting intervals is expressed in equation form as:

$$P_{ad}(K_1, K_2, \ldots, K_n; R_1, R_2, \ldots, R_n; T, S_T) = P_{ad}(K_1, K_2, \ldots, K_n; R_{1+j}, R_{2+j}, \ldots, R_{n+j}; T, S_T) = P_{ad}(K_1, K_2, \ldots, K_n, n, T, S_T)$$
$$P_{ad}(K; R_1, R_2, \ldots, R_n; T, S_T) = P_{ad}(K; R_{1+j}, R_{2+j}, \ldots, R_{n+j}; T, S_T) = P_{ad}(K, n, T, S_T)$$
$$P_{ad}(K; R_1, R_2, \ldots, R_n; T) = P_{ad}(K; R_{1+j}, R_{2+j}, \ldots, R_{n+j}; T) = P_{ad}(K, n, T)$$
$$P_{ad}(K; R_1, R_2, \ldots, R_n) = P_{ad}(K; R_{1+j}, R_{2+j}, \ldots, R_{n+j}) = P_{ad}(K, n) \qquad (3.27)$$

where the parameter n is utilized to denote n equal accounting intervals of length R.
Analogously, for the continuous material accountability case we obtain in equation form for the time invariance assumption that:

$$P_{ac}\big(r(t)\big|_{t_1}^{t_2}, T, S_T\big) = P_{ac}\big(r(t)\big|_{t_1+h}^{t_2+h}, T, S_T\big) = P_{ac}(r(t), t_2 - t_1, T, S_T)$$
$$P_{ac}(K, t_1, t_2, T, S_T) = P_{ac}(K, t_1 + h, t_2 + h, T, S_T) = P_{ac}(K, t_2 - t_1, T, S_T)$$
$$P_{ac}(K, t_1, t_2, T) = P_{ac}(K, t_1 + h, t_2 + h, T) = P_{ac}(K, t_2 - t_1, T)$$
$$P_{ac}(K, t_1, t_2) = P_{ac}(K, t_1 + h, t_2 + h) = P_{ac}(K, t_2 - t_1) \qquad (3.28)$$
The monotone relationships on quantity and diversion span as well as the time invariance property will prove useful later in obtaining conceptual material accountability performance criteria.
Up to this point we have examined the options available to the adversary force to minimize the effectiveness of a material accountability system in detecting diversion. Let us now briefly examine the technical aspects of a material accountability system that determine the diversion success probability functions and identify those options available to the safeguard system design engineer to bound and thus limit the potential impact of an intelligent diverter.
Table 6 lists the three broad areas which contribute to the overall diversion success probability functions, which we will regard as the fundamental conceptual system design aspects. The first item on the list, measurement errors and uncertainties, refers to the basic limitations of equipment and techniques to obtain element and isotopic analysis of material flows and inventories, including holdup in the process stream, as well as potential human errors associated with drawing samples and making measurements. The second item, record keeping errors and uncertainties, refers to data recording, key punching, and accounting errors that will invariably occur. The last item on the list, data reduction effectiveness, refers to the ability of the material accountability system to process the data and draw accurate inferences regarding the occurrence of theft or diversion.

Specification of the error structure of the material accountability system, along with the ability of the system to abstract the diversion signal information from the data uncertainties, which constitute background noise, completely determines the diversion success probability functions.
TABLE 6. FUNDAMENTAL ASPECTS IN GENERATING DIVERSION SUCCESS PROBABILITY FUNCTIONS

1. Measurement Errors and Uncertainties
2. Record Keeping Errors and Uncertainties
3. Effectiveness and Sensitivity of the Data Reduction Algorithm
It should be observed that these fundamental conceptual design aspects are not completely determined by the material accountability system but depend to a large degree upon the actual threat and scenario employed.
For example, the measurement uncertainties associated with diversion through the use of substitute material may be significantly higher than if substitute material is not employed. The uncertainties associated with record keeping may be greatly inflated if the threat has access to the record system and can thus be in a position to alter material account-ability data. Also as indicated earlier, the effectiveness of data reduction will depend upon the manner in which the theft occurs. This fact was embodied in our discussion of adversary policy optimization.
The optimum diversion policy for a specified threat and diversion scenario will vary in response to the specific data reduction algorithm used. The optimum policy against a MUF/LEMUF statistical test, for example, will be different from the optimum policy against a Kalman filtering algorithm.
To be strictly technical, one should have also included in the argument list of each of the diversion success probability functions these fundamental conceptual design aspects to emphasize the effect of measurement and data recording uncertainties as well as the effect of the data reduction algorithm on the overall diversion success probability. As an example, Eq. 3.1, the diversion success probability for the discrete case, would then take the form:

$$\text{Diversion Success Probability} = P_{ad}(K_1, K_2, \ldots, K_n; R_1, R_2, \ldots, R_n; T, S_T; M, C, A) \qquad (3.29)$$

where the new parameters M, C and A are defined as:

M = M(T, S_T): denotes the uncertainties associated with material measurements and depends, as indicated, upon the threat and diversion scenario
C = C(T, S_T): denotes the uncertainties associated with the record keeping system
A: denotes the data reduction algorithm

Eq. 3.29 contains both parameters representing the effects of the threat and parameters representing the effects of the system design, and thus suggests that a game theoretic problem is posed in the design of a material accountability system. The safeguard system design engineer has control over the functions M and C as well as the choice of the data reduction algorithm, A, and the material determination intervals, {R_i}. For each selection of M, C and A, a given threat can optimize over its set of feasible diversion scenarios and its choice of the diversion policy to employ. The safeguard system design engineer is thus essentially faced with the problem of designing a material accountability system with M, C and A such that the grand maximum diversion success probability over the entire class of feasible threats is acceptably bounded.
Figure 4 illustrates, for a discrete material accountability system, the sequence of logical events that transpires in specifying the conceptual design aspects to achieve a desired bound on the diversion success probability.

[Figure 4. Conceptual Material Accountability Design Sequence. Flow chart with the steps: (1) candidate material accountability system (hardware and software); (2) obtain design aspects M, C, A; (3) obtain the diversion success probability function P_ad({K_i}, {R_i}, T, S_T, M(T, S_T), C(T, S_T), A); (4) fix the threat and perform the adversary optimization, max over S_T and max over {K_i}, giving P_ad(K, {R_i}, T, M(T), C(T), A); (5) maximize over the class of feasible threats, i.e., obtain the worst case max over T, giving P_ad(K, {R_i}, M, C, A); (6) select {R_i} and A and design the hardware and software elements to achieve a satisfactory upper bound P_ad(K) < ε.]
We have characterized the conceptual design of a candidate material accountability system in terms of the three conceptual design aspects listed in Table 6, namely measurement uncertainties, record keeping uncertainties, and the effectiveness of data reduction and analysis in abstracting a diversion signal from noise. As indicated, specification of the uncertainties along with the data reduction algorithm, threat, scenario, resolution intervals, and diversion policy leads to a complete determination of the diversion success probability. Maximization of the probability for a fixed threat T over both the choice of diversion policy and scenario yields the dependence of the success probability on the threat, quantity diverted, and system design parameters. Maximizing the result over the class of feasible threats yields the maximum potential vulnerability of the material accounting system as a function of the total quantity diverted and the system design parameters. It is the goal of the safeguard system design engineer to specify these parameters so that a satisfactory upper bound on the diversion success probability can be achieved. It should be noted that what constitutes a satisfactory upper bound depends upon the safeguard objectives to be met as well as how the material accountability subsystem will be used synergistically in conjunction with other safeguard subsystems.
In a sense, the conceptual material accountability system design sequence depicted in Figure 4 represents a direct analogy to the black hatting simulation procedures currently utilized in the effective design and evaluation of the physical security aspects of safeguards. As applied to physical security systems, black hat testing signifies a mental probing, the purpose of which is to identify system vulnerabilities and develop corrective modifications to the system design. For the case of material accountability system design, obtaining the optimum diversion success probabilities by maximizing over the range of diversion policies, diversion scenarios, and the threat spectrum represents an equivalent mathematical formalism for probing a material accountability system to ascertain its vulnerability. The choice of the design parameters to bound the success probability is analogous to the physical security situation where the black hatting leads to an improved system design.
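As an added illustration of the design sequence of Figure 4 and of the game theoretic form of Eq. 3.29, the following Python example (written for this edition; it is not part of the report and not an NRC model) carries the adversary optimization and the designer's step through numerically for a discrete system with equal accounting intervals. It assumes two hypothetical data reduction algorithms A: a per-period test that alarms when a period's material balance exceeds λσ, and a cumulative test that alarms when the balance summed over the e periods actually used exceeds λσ√e. A single per-period balance uncertainty σ(T) stands in for the combined effect of M(T, S_T) and C(T, S_T), and the threats, quantities, threshold grid and bound ε are constructed values. The brute force search over partitions confirms the equal split optimum for independent per-period tests, the loop over the number of periods used reproduces the monotone relations of Eq.'s 3.21 and 3.25, and the last function performs the designer's step of choosing the threshold so that the worst case success probability over the threat class is bounded by ε, together with the false alarm rate that choice imposes.

```python
import itertools
import math


def normal_cdf(x):
    """Cumulative standard normal distribution N(x)."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


# Hypothetical data reduction algorithms A for a discrete system with equal
# accounting intervals (illustrative models, not the report's). sigma is the
# per-period uncertainty of the material balance (the combined effect of
# M(T, S_T) and C(T, S_T) for threat T), lam is the alarm threshold in units of
# sigma, and period balances carry independent normal errors. A policy is the
# list (K_1, ..., K_e) of amounts diverted in the e periods actually used; the
# unused trailing periods of (K_1, ..., K_e, 0, ..., 0) are simply omitted.

def success_period_test(policy, sigma, lam):
    """No alarm in any period used: the product of N(lam - K_i / sigma)."""
    p = 1.0
    for k_i in policy:
        p *= normal_cdf(lam - k_i / sigma)
    return p


def success_cumulative_test(policy, sigma, lam):
    """No alarm on the span total, whose error has standard deviation sigma*sqrt(e)."""
    e = len(policy)
    return normal_cdf(lam - sum(policy) / (sigma * math.sqrt(e)))


ALGORITHMS = {"period": success_period_test, "cumulative": success_cumulative_test}


def brute_force_policy(K, e, sigma, lam, algorithm, steps=8):
    """Maximise over every partition of K into e periods on a grid of K/steps."""
    unit = K / steps
    best_policy, best_p = None, -1.0
    # Each multiset of `steps` period indices is one composition of K.
    for draw in itertools.combinations_with_replacement(range(e), steps):
        policy = [draw.count(i) * unit for i in range(e)]
        p = ALGORITHMS[algorithm](policy, sigma, lam)
        if p > best_p:
            best_policy, best_p = policy, p
    return best_policy, best_p


def adversary_optimum(K, n, sigma, lam, algorithm):
    """P_ad(K, n, T): max over the number of periods e <= n used, with K split
    equally (the symmetric optimum for independent period tests; for the
    cumulative test the split is irrelevant). Returns (e*, probability)."""
    best_e, best_p = 1, -1.0
    for e in range(1, n + 1):
        p = ALGORITHMS[algorithm]([K / e] * e, sigma, lam)
        if p > best_p:
            best_e, best_p = e, p
    return best_e, best_p


def worst_case(K, n, threats, lam, algorithm):
    """P_ad(K, n): max over the class of feasible threats {T}.
    threats maps a threat name to its per-period balance uncertainty sigma(T)."""
    worst = None
    for name, sigma in threats.items():
        e, p = adversary_optimum(K, n, sigma, lam, algorithm)
        if worst is None or p > worst[2]:
            worst = (name, e, p)
    return worst


def design_threshold(K, n, threats, algorithm, epsilon):
    """Design step of Figure 4: the largest threshold on a 0.1 grid whose worst
    case success probability is <= epsilon, returned with that probability and
    the per-period false alarm probability 1 - N(lam) the operator accepts in
    return. None if no grid value suffices."""
    for tenths in range(40, 4, -1):
        lam = tenths / 10
        _, _, p = worst_case(K, n, threats, lam, algorithm)
        if p <= epsilon:
            return lam, p, 1.0 - normal_cdf(lam)
    return None


if __name__ == "__main__":
    # Constructed threat class: T2 can alter records, so its C(T) inflates sigma.
    threats = {"T1 (no record access)": 1.0, "T2 (alters records)": 2.0}
    K, n, lam = 8.0, 4, 3.0
    print("equal split confirmed:", brute_force_policy(K, n, 1.0, lam, "period"))
    for alg in ALGORITHMS:
        print(alg, "worst case:", worst_case(K, n, threats, lam, alg))
    print("threshold bounding eps=0.45 (cumulative):",
          design_threshold(K, n, threats, "cumulative", 0.45))
```

Two points the run makes that the prose only asserts: the diverter's best policy differs between the two algorithms (against the per-period test he spreads K across all four periods, against the cumulative test only the span length matters, and at these values the cumulative test leaves him the smaller success probability), and lowering the threshold to reach a given ε is paid for in false alarms, which is why the bound must be set from the safeguard objectives rather than chosen in isolation.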
3.5 Summary

In this section we have developed a characterization for material accountability in terms of attributes to represent its discrete or continuous nature and its separability from the process, parameters to define its resolving capability and its inherent time delay in generating and processing material accountability data, and finally several diversion success probability functions to characterize its sensitivity to detecting diversion. In particular, we accounted for the effect of a spectrum of feasible threats and a range of possible diversion scenarios by introducing suitable optimum diversion success probability functions. It was observed that working with maximum diversion success probability functions, the black hat analogy with physical security, represented a conservative worst possible case approach since we were giving maximum credit to the intelligence of a diverter while at the same time assuming the worst of a defined class of credible threats.
In essence, from a conceptual viewpoint, we have seen that a material accountability safeguard system can be represented as an n-tuple, i.e.,

$$\text{Material accountability system} = \Big[\underbrace{\text{Continuous or Discrete},\ \text{External or Internal}}_{\text{Attributes}};\ \underbrace{\text{Resolution},\ \text{Delay}}_{\text{Parameters}};\ \underbrace{\text{Optimum diversion success probabilities}}_{\text{Functions}}\Big] \qquad (3.30)$$
We observed that the maximum diversion success probabilities would depend upon the safeguard system design which could be conceptually characterized in terms of the measurement and record keeping uncertainties and on the effectiveness of the data reduction algorithm. In fact, it was observed that these three technological aspects of a material accountability system represent a fundamental conceptual characterization of the design aspects needed in specifying the diversion detection sensitivity. From the safeguard system design engineers viewpoint, one could thus alternatively view the optimum diversion success probability simply as a function of M, C, and A.
$$\text{Optimum diversion success probability} = F(M, C, A)$$
Hence the two attributes, the two parameters, the measurement and record keeping uncertainties and the data reduction effectiveness yield a complete conceptual specification of a material accountability system from a design viewpoint.
In designing a material accounting system one has, of course, to consider its interactions and synergisms with other safeguard systems as well as alternative safeguards in achieving a given set of safeguard objectives.
It will be later demonstrated that specification of the diversion success probability functions in conjunction with simultaneously utilizing other complementary safeguards will enable the achievement of required diversion detection sensitivity levels. Specification of the resolution and processing delay parameters will determine the timeliness of the informa-tion, and specification of the attributes will control the susceptibility of the system to internal compromise.
To fully examine the potential interactions of material accountability with related safeguards and obtain performance objectives, it is necessary
, to develop an appropriate characterization for each of the other safeguard subsystems that can interact with material accountability. This is the purpose of the next section.
4. Characterization of Related Safeguard Subsystems

4.1 Introduction

As indicated earlier in Section 2 and Table 3, material accountability serves safeguards as a material directed detection mechanism which functions primarily during phase 2 of the adversary action sequence, i.e., to detect the occurrence of an unauthorized activity within the protected region. Eq.'s 2.3, 2.4, and 2.5 clearly demonstrated that also potentially contributing to the overall covert theft detection capability is the use of material directed detection during both the infiltration and exfiltration phases of the malevolent activity sequence and the within area use of personnel directed detection in order to directly detect the unauthorized activity of diverting SNM from the normal process flow. Thus, the safeguard elements related to material accountability which must be fully considered in evaluating its present and potential safeguard roles consist of entrance and exit material detection at the protected region boundaries and within area detection of unauthorized personnel activities.
One also needs to some extent to be concerned with the coupling of covert theft detection to the initiation of appropriate response activities. The interaction that exists between detection and response safeguard subsystems is primarily the required timeliness of detection. Hence a complete characterization of response is not needed in our study, but only a determination of suitable timeliness upper bounds. These upper bounds will put constraints on the resolution interval and processing delay time, as well as the diversion detection sensitivity, and can be readily established in terms of the safeguard objectives.
4.2 Characterization of Boundary (Phase 1 and 3) Material Directed Detection

Material directed detection at the perimeter of a protected region is similar during the infiltration and exfiltration phases of an adversary action sequence. As indicated in Table 3, material directed boundary detection consists of the use of metal and SNM portal monitors and direct searches of personnel for hidden SNM. During the entrance phase, the purpose of material directed detection is to detect the attempted importation of substitute material or possibly to detect the presence of shielding materials or containers that can later be used to aid in the exportation of stolen SNM from the facility. During the exit phase, the primary purpose of material directed detection is, of course, to detect stolen SNM being transported out across the facility boundary.
The probability of successfully transporting across the boundary of a protected region (either entering or exiting) a total of K kilograms of material (either substitute material or SNM) is a function of the number of portal passages, the threat, and the scenario employed. In equation form one can write:

$$\text{Prob. of successfully transporting } K \text{ kilograms across the facility boundary using } E \text{ portal passages} = P_c(K_1, K_2, \ldots, K_E; E, T, S_T) \qquad (4.1)$$

where K_i denotes the amount transported during the i-th portal passage and the sum of the K_i is equal to K. The symbol T is used as a descriptor to signify the dependence of the overall transportation success probability on the threat, and the symbol S_T is a descriptor used to denote the dependence of the overall transportation success probability on the actual scenario employed by the threat.
The form of Eq. 4.1 appears to be very similar to the expression for the overall diversion success probability, Eq. 3.1, for the case of discrete material accountability. The partition of the total quantity transported into the components (K_1, K_2, ..., K_E) will be referred to as the transportation policy. Obviously, a diverter would desire to select that transportation policy which maximizes his transportation success likelihood. In complete analogy with the discrete material accountability case, if we assume that a fixed threat is allowed at most E portal passages to transport K kilograms of SNM across the facility boundary, we can define for a given scenario the optimum transportation success probability by maximizing over the total class of all partitions of K, {K_i}, i = 1, 2, ..., E, that sum to K:

$$P_c(K, E, T, S_T) = \max_{\substack{\{K_i\} \\ \sum_i K_i = K}} P_c(K_1, K_2, \ldots, K_E; E, T, S_T) \qquad (4.2)$$

The corresponding maximizing policy is the diverter's optimum transportation policy. As was done with material accountability, the use of a single non-subscripted quantity in the probability function argument list signifies that the probability is optimal over the set of transportation policies. Again as with material accountability, it may be to the advantage of a diverter not to use the maximum number of portal passages available; that is, the optimum transportation policy may be of the form (K_1, K_2, ..., K_e, 0, 0, ..., 0), where the trailing entries of the transportation policy are zero. It should be noted that one can relate the maximum number of portal passages to the maximum diversion time span permitted and the number of employees comprising the threat that are available to transport material. We obtain for the maximum number of portal passages:

$$E = (\text{maximum diversion time span}) \times (\text{number of work shifts per time span}) \times (\text{number of persons making exits per shift}) \times (\text{number of exits for each person per shift}) \qquad (4.3)$$
Again, a given threat can optimize over the entire class of feasible scenarios {S_T} available. Hence, we can define in equation form:

$$P_c(K, E, T) = \max_{\{S_T\}} P_c(K, E, T, S_T) = \max_{\{S_T\}}\ \max_{\substack{\{K_i\} \\ \sum_i K_i = K}} P_c(K_1, K_2, \ldots, K_E; E, T, S_T) \qquad (4.4)$$

Finally, the design of a material directed boundary detection system must consider the entire class of feasible threats, {T}. Thus, we can define the optimum transportation success probability over the class of feasible threats, where for each threat we assume that an optimal transportation scenario and policy is employed:

$$P_c(K, E) = \max_{\{T\}} P_c(K, E, T) = \max_{\{T\}}\ \max_{\{S_T\}}\ \max_{\substack{\{K_i\} \\ \sum_i K_i = K}} P_c(K_1, K_2, \ldots, K_E; E, T, S_T) \qquad (4.5)$$
As an example of exit SNM detection, let us consider the use of SNM portal monitors coupled with the use of random searches. This model has been discussed in detail in the report NR-NMSS-007*, to which the reader can refer for further details. Typical doorway SNM portal monitors that are currently in use utilize gamma radiation as a detection mechanism.

* "A New Look at Portal Monitoring", A Report to the Office of Nuclear Material Safety and Safeguards, NR-NMSS-007, May 1976.
The detector can be characterized by two parameters, the trigger quantity and the alarm offset. The trigger quantity, denoted by u, is defined as the quantity of material that can be detected by the portal at a 50% probability level. The alarm offset, denoted by k, is defined as the level of radiation, measured in standard deviations above the average background radiation, at which an alarm will occur. In terms of these two parameters one can readily show that the quantity of SNM that will be detected on a given exit is a random variable whose standard deviation, denoted by σ_g, is given by the ratio of u to k:

$$\sigma_g = u / k \qquad (4.6)$$
If we denote the random search frequency by r, and utilize the fact that the actual detection threshold of the portal monitor on a given passage will be, to an excellent approximation, normally distributed with mean u and standard deviation σ_g, we can write for the probability of successfully transporting K_i kilograms of SNM through the portal on a single passage without either initiating an alarm or being subjected to a random search:

$$P_c(K_i, 1) = (1 - r)\, N(k - K_i / \sigma_g) \qquad (4.7)$$

where N(x) has been defined earlier as the cumulative normal distribution function. If we further stipulate that a portal alarm leads to a personnel search and that personnel searches, whether randomly initiated or as a response to an alarm, are completely effective (i.e., the probability of SNM detection as the result of a personnel search is 1.0), then Eq. 4.7 yields the one-shot transportation success probability.
If we assume that successive portal passages are statistically independent, a diverter, by symmetry, will optimize his transportation success probability by transporting an equal amount of SNM during each portal passage. Specification of the optimum transportation policy thus reduces to a determination of the optimum number of portal events, which is then completely determined by a trade off between the diverter excessively increasing his per-shot risk by removing too much material per exit and the diverter utilizing too many portal passages and hence excessively increasing his risk of being selected for a random search or, equivalently, being subjected to a false alarm.
If we assume that a maximum of E portal events are permitted and that e are actually used, Eq. 4.1 becomes, because of statistical independence,

$$P_c(K_1, K_2, \ldots, K_e, 0, 0, \ldots, 0; T, S_T) = \prod_{i=1}^{e} P_c(K_i, T, S_T) \qquad (4.8)$$

Using Eq. 4.7 we obtain:

$$P_c(K_1, K_2, \ldots, K_e, 0, 0, \ldots, 0; T, S_T) = (1 - r)^e \prod_{i=1}^{e} N(k - K_i / \sigma_g) \qquad (4.9)$$

As indicated earlier, the optimum transportation policy will utilize equal divisions and thus must be of the form

$$(K/e, K/e, \ldots, K/e, 0, 0, \ldots, 0), \quad e \le E$$

and thus the corresponding transportation success likelihood is given by:

$$P_c(K, T, S_T) = \big[(1 - r)\, N(k - K / (e\,\sigma_g))\big]^e \qquad (4.10)$$
The diverter's optimum transportation success probability and corresponding optimum policy are then obtained using ordinary calculus by maximizing the right hand side of Eq. 4.10 with respect to e. Figure 5 depicts the behavior of the optimum transportation success likelihood as the maximum number of portal passages increases. If the maximum permitted number of portal passages is less than the optimum, the diverter is forced to excessively increase his per-shot risk. On the other hand, unnecessarily extending his exposure, as shown by the dotted curve, adversely affects his overall transportation probability due to the increased likelihood of a random search or of the occurrence of a false alarm.
Figure 6 gives the relationship between the optimum number of portal events, the total quantity to be diverted, the random search rate, the alarm standard deviation, and the alarm threshold. (A derivation and further discussion of this family of curves is given in the reference "A New Look at Portal Monitoring.") Figure 7 gives the optimum transportation success probability for the particular case of a three sigma portal alarm for search rates varying between zero and five percent as a function of the normalized quantity diverted (i.e., the ratio of the quantity diverted to the portal standard deviation). The significant effect of introducing a small random search rate is clearly apparent. In studying Figures 6 and 7 it should be understood that the overall effectiveness of this particular exit detection method results from a synergistic, complementary relationship that exists between portal monitoring and random searches. The portal monitor serves to place a risk on one-shot portal passages and thus limits the amount that can be removed per shot. On the other hand, the use of random searches introduces an exposure risk and serves to limit the ability of extending the SNM transportation over a large number of portal exits. With both safeguard elements simultaneously in place, a diverter's success likelihood is bounded in this situation at both extremes and hence controllable. The concept of using complementary safeguard subsystems to impose constraints on one-shot diversion and systematic long term diversion is fundamental and will be explored further later on.

[Figure 5. Dependence of Optimum Transportation Success Likelihood on the Maximum Number of Portal Passages. Optimum transportation success likelihood versus the maximum number of portal passages E; three regimes are marked relative to the optimum number of portal passages e*: E < e* (diverter must use the entire number of available portal passages), E = e* (diverter uses all available portal passages) and E > e* (diverter uses only a portion of the available number of portal passages).]

[Figure 6. Dependence of Optimum Number of Diversions on Alarm Threshold and Random Search Rate. Horizontal axis: alarm threshold in standard deviations, k, from 2 to 5; vertical axis scale 0.4 to 1.8 (label not recoverable); a family of curves for different random search rates, the r = 0 curve being marked.]

[Figure 7. Optimum Diversion Success Probability for Different Random Search Rates (three sigma alarm threshold). Horizontal axis: normalized quantity diverted K/σ_g, from 50 to 350; vertical axis: maximum transportation success probability on a logarithmic scale from 0.001 to 1.0; curves for r = 0, 0.001, 0.002, 0.005, 0.01 and 0.05; the 90% and 99% detection confidence levels are marked.]
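The portal and random search model of Eq.'s 4.6 to 4.10 carried through numerically, as an added Python example written for this edition (it is not the report's code nor that of NR-NMSS-007): it evaluates the one-shot and e-passage success probabilities, searches for the diverter's optimum number of passages e* under a cap E (the behaviour of Figure 5), and then takes the designer's side by finding the smallest random search rate, from a constructed candidate list, that holds the worst case transportation success probability below a chosen detection confidence (the quantity plotted in Figure 7). Quantities are expressed in units of σ_g; the three sigma alarm threshold and the search rates are the ones the report's figures use, and the candidate list, the cap E = 1000 and the 90% target are assumptions for the illustration.

```python
import math


def normal_cdf(x):
    """Cumulative standard normal distribution N(x) of Eq. 4.7."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def portal_sigma(u, k):
    """Eq. 4.6: sigma_g = u / k from the trigger quantity u (50% detection)
    and the alarm offset k (standard deviations above background)."""
    return u / k


def one_shot_success(k_i, sigma_g, k, r):
    """Eq. 4.7: carry k_i through the portal with neither an alarm nor a random
    search; searches are taken to be completely effective."""
    return (1.0 - r) * normal_cdf(k - k_i / sigma_g)


def success_with_passages(K, e, sigma_g, k, r):
    """Eq. 4.10: K split equally over e statistically independent passages."""
    return one_shot_success(K / e, sigma_g, k, r) ** e


def optimum_passages(K, E, sigma_g, k, r):
    """Maximise Eq. 4.10 over 1 <= e <= E. Returns (e*, P_c(K, E)); when E < e*
    the diverter is forced onto the rising per-shot risk branch of Figure 5."""
    best_e, best_p = 1, -1.0
    for e in range(1, E + 1):
        p = success_with_passages(K, e, sigma_g, k, r)
        if p > best_p:
            best_e, best_p = e, p
    return best_e, best_p


def required_search_rate(K, E, sigma_g, k, confidence,
                         candidates=(0.0, 0.001, 0.002, 0.005, 0.01, 0.02, 0.05)):
    """Designer's step (constructed candidate list): the smallest search rate r
    for which the diverter's optimum success probability is at most
    1 - confidence. None if no candidate suffices."""
    for r in candidates:
        if optimum_passages(K, E, sigma_g, k, r)[1] <= 1.0 - confidence:
            return r
    return None


if __name__ == "__main__":
    sigma_g = portal_sigma(u=3.0, k=3.0)   # normalise so K is in units of sigma_g
    K, k = 100.0, 3.0                      # K/sigma_g = 100, three sigma alarm (Figure 7)
    for r in (0.0, 0.001, 0.002, 0.005, 0.01, 0.05):
        e_star, p = optimum_passages(K, 1000, sigma_g, k, r)
        print(f"r={r:<6} e*={e_star:4d}  P_c(K,E)={p:.4f}  detection confidence={1 - p:.3f}")
    print("capped at E=50 passages:", optimum_passages(K, 50, sigma_g, k, 0.01))
    print("search rate for 90% detection confidence:",
          required_search_rate(K, 1000, sigma_g, k, 0.90))
```

With r = 0 the only thing working against a long campaign is the portal's own false alarm rate 1 - N(k), so the optimum e* runs into the hundreds and the success probability stays near 0.3 for K/σ_g = 100; a search rate of one percent pulls e* down to about 140 passages and the success probability to about 0.05, which is the 90% detection confidence level of Figure 7. Capping E at 50 shows the other branch of Figure 5: the diverter must then carry two σ_g per passage and his success probability collapses.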
4.3 Characterization of Within Area Personnel Activity Detection

As listed in Table 3, direct detection of an individual in the act of diverting SNM can be accomplished by visual observation, either through the use of guard patrols or closed circuit TV, through the use of work rules, such as buddy system requirements, and by alarming sensitive equipment and areas.
If we consider that a diverter may steal his desired quantity of SNM over a span of many individual diversion events, it is seen that the diverter's theft success probability for a given system must be of the form:

$$(\text{Probability of the diverter not being detected directly while stealing } K \text{ kilograms of SNM}) = P_a(K_1, K_2, \ldots, K_s; s, T, S_T) \qquad (4.11)$$
A given threat, T, thus has available the choice of scenario, S_T, the choice of the number of thefts, s, and the choice of the theft policy (K_1, K_2, ..., K_s).

It is not clear that introducing optimum probabilities and defining corresponding optimum theft policies in analogy with the preceding safeguard detection mechanism is of any intrinsic value. The number of theft events may simply be determined by the availability of material, perhaps the ability of a diverter to safely store the material temporarily within the facility, or his capability to successfully transport the material outside the facility. For example, if direct detection was simply the result of random patrol, the quantity of material involved in each theft would be irrelevant. Thus, if we denote by p(T, S_T) the single event detection probability, we see that for s theft events the overall probability of success is given by:

$$\text{Overall probability of theft success} = \{1 - p(T, S_T)\}^s \qquad (4.12)$$

where:

p(T, S_T) = probability of theft detection due to random patrol for threat T employing scenario S_T

Obviously, in this case the diverter would desire to limit exposure and make s as small as possible. The number of thefts that a diverter would employ is thus clearly driven both by the availability and quantity of suitable material and by the impact the thefts would have on the other safeguard subsystems.
5. Safeguard Objectives

5.1 Introduction

At the outset of this paper we indicated that one cannot meaningfully investigate the safeguards role of material accountability without addressing in depth the question of what the safeguard program must accomplish. In this section we will examine the NRC statement of the safeguards objective and derive from that statement a list of subobjectives that the safeguard system must achieve. We will also, in this section, determine that subset of those safeguard functions which conceptually can be achieved through some application of material accountability. In subsequent sections, we will identify a comprehensive set of safeguard strategies utilizing material accountability in conjunction with related safeguard subsystems, examine that set to obtain the subset of feasible safeguard strategies and develop appropriate performance criteria. For convenience in terminology we will refer to the NRC safeguard objective statement as the safeguard goal and the derived subobjectives as safeguard objectives.
5.2 NRC Statement of the Safeguard Objective

In a memorandum dated 10 June 1976 from the Office of Policy Development to the Division of Safeguards staff, the safeguard objective was defined as follows:

Statement of Safeguards Objective (Safeguard Goal)

"Safeguards measures are designed to deter, prevent, or respond to (1) the unauthorized possession or use of significant quantities of nuclear materials through theft or diversion; and (2) sabotage of nuclear facilities. The safeguards program has as its objective achieving a level of protection against such acts to insure against significant increase in the overall risk of death, injury, or property damage to the public from other causes beyond the control of the individual."
This statement was amplified in the memorandum by the inclusion of the following set of NRC Guidelines:

NRC GUIDES AS TO SAFEGUARDS' PURPOSE AND EFFECTIVENESS

Effective and acceptable safeguards have for their purpose the provision for public safety and security by deterrence of:

(1) thefts or diversions of nuclear materials,
(2) sabotage of nuclear facilities, and
(3) hoaxes arising from threatened sabotage or from alleged thefts or diversions,

through appropriate measures designed to detect, prevent, or respond to such acts.

(1) preventing, with high confidence, a civil disaster,
(2) providing substantial protection against serious civil damage, and
(3) providing timely and accurate information on the status of nuclear material and facilities.

To be acceptable, safeguards must take realistic account of the risks involved, and of burdens on the public, in terms of civil liberties, institutional, economic, and environmental impacts.
The NRC safeguard objective statement (safeguards goal) and guidelines require a safeguard system to possess a capability to deter malevolent activities: thefts, sabotage, and hoaxes. As indicated earlier, we suggested that deterrence could be considered to be a fourth fundamental safeguard ingredient and indicated that deterrence will automatically result from emplacing an effective safeguard system for which it is manifestly clear to the public that the likelihood of an individual or a group successfully carrying out a malevolent act is indeed very remote.

The objective statement and guidelines also refer to having appropriate safeguard measures designed "to detect, prevent, or respond" to malevolent acts. We have viewed prevention, in this paper, to result from both detection and response, and thus not in itself a fundamental safeguard ingredient.
5.3 Safeguard Objectives

Let us expand the NRC safeguard goal and corresponding guidelines into a comprehensive list of required safeguard objectives and identify which can possibly be satisfied through the use of material accountability.

The NRC safeguard goal clearly requires the safeguard system to be capable of preventing the successful theft or diversion of nuclear material. We can further elaborate to distinguish the cases of a sub-national terrorist theft or diversion or a national level theft or diversion. The distinction between a national and terrorist activity involves perhaps a different quantity of material or possibly different material forms. When one considers the possible intentions of small third world nations, the distinction between a national level diversion or terrorist diversion may not be at all clear. A further break out of the theft prevention safeguard function must also include distinguishing covert internal threats and overt external threats. Thus, we have defined the following safeguard objectives:
- 1. Prevent a terrorist theft or diversion of a strategic quantity of SNM
     (a) against threats by stealth and deceit
     (b) against threats by force

- 2. Prevent a national level theft or diversion of a strategic quantity of SNM
     (a) against threats by stealth and deceit
     (b) against threats by force

As has been pointed out many times, successful prevention must include a mechanism for detection as well as an effective response capability.
Clearly, in the case of threats by force the detection mechanism must essentially be incorporated within the physical security subsystems.
For threats involving stealth or deceit, on the other hand, material accountability may be able to provide a mechanism for detection of the activity. Hence, material accountability has a potential capability of assisting in the achievement of subobjectives 1a and 2a.
An item of high importance to NRC, though not explicitly embodied in the NRC safeguard goal, is the international question of preventing nuclear proliferation. The second objective was intended to refer to the case of a nation illegally obtaining SNM from another nation by theft or diversion. Nuclear proliferation, on the other hand, raises the question of a nation misdirecting nuclear material from within its own boundaries. The diversion of nuclear material by a nation into a secret weapons program must, by definition, be a covert activity. We can thus define as a third safeguard objective:
- 3. Prevent Nuclear Proliferation
Material accountability can clearly play a role in preventing nuclear proliferation by detecting the presence of abnormal material flows within a facility or abnormal shipments from that facility.
The NRC safeguard goal mandates that a safeguard system must be able to prevent acts of sabotage. Thus, we have:

- 4. Prevent Sabotage of Nuclear Facilities

Material accountability is clearly of limited application against acts of sabotage. Since material accountability serves to detect material losses, it can only have potential use in detecting those sabotage scenarios which involve unauthorized material removals or flows within the facility. An example of an act of sabotage for which prior SNM diversion is involved is the accumulation of plutonium at a mixed oxide facility for later dispersal in an attempt to contaminate part of the facility and perhaps employees.
The NRC safeguards goal also demands that safeguards be capable of effectively dealing with hoaxes. Thus, as a safeguards objective we must include:
- 5. Effectively deal with hoaxes arising from threats of sabotage or alleged thefts or diversions of nuclear material.
The classic case in point is the threat communication: "I have a bomb made with material stolen from XYZ corporation where I used to work."
This threat illustrates the obvious application of material accountability to the hoax problem, namely to resolve the question of threat credibility. Material accountability can potentially serve safeguards by assessing whether the quantities of SNM involved could conceivably have been stolen or diverted as alleged by the threat.
Hoax credibility assessment is but one of several areas where the safeguard system must draw inferences regarding its past performance. For example, it is conceivable, even with the best safeguard system engineering, that a weakness or oversight in the system be identified at a future time. In such a contingency, it would be highly desirable to be able to go back and verify whether or not the safeguard system was compromised. In the same spirit, the safeguard system should be capable of providing proof that it is indeed functioning properly and provide ample warning if safeguard control is in danger of being lost. Proof of functional integrity can be invaluable in preparing congressional and other legal safeguard related testimony. An overcheck capability may also serve as a primary vehicle for initiating investigative activities.
In light of this discussion, we can list the following two safeguard functions.
- 6. Demonstrate past and present effective performance of the safeguard system.
     (a) in response to inquiries, i.e., testimony
     (b) in response to new information, i.e., identified safeguard weakness
- 7. Provide an overcheck capability to verify continued effective performance and to provide a warning if safeguard control is endangered.
The only practical and perhaps reliable method for verifying that a safeguard system has performed or is performing effectively is to account for all of the material. Material accountability is the only safeguard subsystem available that can potentially accomplish this task. No matter how well a physical security system is designed nor how flawless its past functional history, there is no way one can be certain that it has not been compromised. The same statement can be made in general for any form of containment, whether it be a physical constraint or a portal egress control. It is simply impossible after the fact to prove that containment controls or portals have properly functioned.
In the event of an overt attack, whether it be theft or sabotage, or the discovery of a covert operation, a safeguard system must be able to identify the magnitude and scope of the losses in order to assist in the response and recovery operations. It should also be noted that an act of sabotage may be part of a subterfuge by the adversary to cover up his primary mission of SNM theft or diversion. Thus, whether the malevolent act be superficially one of sabotage or clearly an attempt to obtain SNM, some form of material accounting must be employed. Therefore, we have:
- 8. Assess losses resulting from an overt attack or from internal covert SNM theft or diversion.
Lastly, the NRC safeguard guidelines indicate that a safeguard system should provide "timely and accurate information on the status of nuclear material and facilities." The purpose of this requirement is to identify to the NRC potentially critical areas, such as the presence of large shipments and inventories of strategic SNM, in order that the NRC can assess the current vulnerability of the industry and be able to prepare effectively for potential threats that are identified by the intelligence community. Also, such information can serve to generate a historical data base from which safeguard analysis can be performed. Hence, we have:
- 9. Provide timely and accurate data on the status of nuclear material and facilities.
Clearly material accountability can serve this role by quantifying the material flows, inventories, etc.
For reference, the safeguard objectives derived in this section are listed in Table 7 along with an indication of the manner in which material accounting can potentially be used. As noted in the table, the list of safeguard objectives has been partitioned into four categories:

I) to prevent theft or sabotage,
II) to assess the capability of the safeguard system to prevent or to have prevented,
III) to assess losses resulting from a successful theft, and finally,
IV) to provide data to identify industry vulnerability, to assist in safeguard analysis, and to enable cost benefit analysis.

TABLE 7
SAFEGUARD OBJECTIVES DERIVED FROM NRC SAFEGUARD GOAL

Safeguard Objective                                       Potential Role of Material Accountability

I. Prevention
- 1. Prevent a terrorist theft or diversion of a          Detection of stealth or deceit.
     strategic quantity of SNM.
- 2. Prevent a national level theft or diversion of a     Detection of stealth or deceit.
     strategic quantity of SNM.
- 3. Prevent nuclear proliferation.                       Detect activity.
- 4. Prevent sabotage of nuclear facilities.              Detect activity in those cases where covert
                                                          SNM flows are involved.

II. Safeguard System Assessment
- 5. Effectively deal with hoaxes.                        Assess credibility of alleged theft.
- 6. Demonstrate past and present effective               Provide proof that SNM has not been misdirected.
     performance of safeguard system.
- 7. Provide an overcheck capability to verify            Check that SNM has not been misdirected.
     continued effective safeguard system performance.

III. Loss Assessment
- 8. Assess losses resulting from malevolent act.         Determine quantity and types of SNM missing.

IV. Safeguard Data Generation
- 9. Provide timely and accurate data on the status       Provide quantitative data on material inventories
     of nuclear material and facilities.                  and material flows.
In satisfying the safeguard objectives listed under Category I, namely prevention, detection must be able to couple effectively with a response capability. Detection will thus have to occur in a sufficiently timely manner. In order for material accountability to aid in achieving Category I prevention safeguard objectives, requirements both on timeliness as well as requirements on detection sensitivity will have to be met.
Material accountability, if employed in resolving hoax situations will also be required to provide accurate information, perhaps to a negotiating team, within a sufficiently short time frame to enable it to be of use.
However, in achieving the remaining two objectives in Category II, safeguard system assessment requires only a suitable detection mechanism, and thus material accountability, if utilized, will be driven primarily by accuracy considerations and not by timeliness specifications. Achieving the objective listed in the third category, loss assessment, will require that accurate information on material losses be provided in a time frame sufficient to aid in the recovery operations subsequent to the attack.

The last category, safeguard data generation, does not require either the level of accuracy or the rapid response time potentially required to satisfy most of the other safeguard objectives. For example, consider a facility with a flow of 1,000 kilograms of SNM per month. To estimate this quantity within 50 kg (i.e. 5%) may be sufficient to monitor operations. However, if this data were to be used to detect diversion, an accuracy improvement of between one and two orders of magnitude would be required.

It was suggested in Section 2 that all the objectives of safeguards could be expressed in terms of prevention. This fact is now almost obvious in terms of our categorization. The safeguard objectives in Category II can be viewed as verifying that prevention has been achieved both in the past and in the present. The safeguard objective in Category III can be viewed as verifying a breach in the ability of the safeguard system to prevent. Finally, the last category, safeguard data generation, can be viewed as a precursor of prevention and part of what we referred to in Section 2 as the avoidance of malevolence. It should be observed that the objectives listed under Categories II, III, and IV can all be achieved by means of only a detection mechanism. Category I safeguard objectives, on the other hand, require the use of both detection and appropriate response mechanisms. Hence, conceptually structuring a safeguard system in terms of prevention, as done in Section 2, will automatically permit addressing safeguard objectives listed in the other categories.
6. Feasible Safeguard Strategy Set

6.1 Introduction

In this section, we will identify, using the safeguard structure developed in Section 2 and the set of safeguard objectives developed in Section 5, the possible alternative safeguard strategies that can be employed in order to achieve all those objectives. By a safeguard strategy we mean a single safeguard subsystem or combination of subsystems that together achieve all the stated safeguard objectives. Since we are concerned with defining the potential safeguard roles of material accounting, we will concentrate on defining those safeguard strategies that pertain to detection. In order to achieve the Prevention Objectives listed in Category I, a total safeguard system would, of course, require the inclusion of additional safeguards subsystems to enable the successful execution of appropriate response activities.
In this section we will limit our specification of material accountability to an identification of the two subsystem attributes:

- 1) discrete or continuous

and

- 2) intrinsic or external

Specification of the requirements for the parameters and sensitivity probability functions, defined in Section 3, will be dealt with in the following section.
6.2 Alternative Safeguard Strategies

Table 8 identifies for each safeguard objective category the required fundamental safeguard components, the required material accountability attributes and other candidate alternative safeguard systems necessary to achieve the safeguard objectives listed within that category. There are four possible combinations of the material accountability attributes which, conceptually, a material accountability system can assume:
- 1. Continuous material accountability which is completely independent from the process.
- 2. Continuous material accountability which is intertwined with the process.
- 3. Discrete material accountability which is completely independent of the process.
- 4. Discrete material accountability which is intertwined with the process.
Figure 8 depicts in matrix form each of these attribute combinations, indicating which categories of safeguard objectives can be achieved by a material accountability subsystem of that type acting alone. Strictly speaking, explicit inclusion of an attribute in the characterization of material accountability to distinguish between the continuous and discrete cases is redundant since the resolution parameter, R, covers both possibilities. However, for the sake of discussion, the vastly different character of a continuous material accountability system makes it worthwhile to explicitly emphasize this concept rather than simply referring to a class of material accountability systems where the resolution interval, R, approaches zero. For all practical purposes one can view a material accountability system to be continuous if a small resolution interval is required. Practical engineering design considerations will force such a system to make use of sophisticated automated on line real time monitoring equipment integrated into the process. We can, therefore, assume that a continuous material accountability system by nature of its physical realization is intrinsic to the manufacturing process.

TABLE 8
MATERIAL ACCOUNTING ATTRIBUTE REQUIREMENTS AND ALTERNATIVE SAFEGUARDS

Safeguard Objective       Required Fundamental     Material Accountability Attributes          Other Safeguard
                          Safeguard Components     Resolution             Separability         System Alternatives

Category I                Detection and Response   Continuous (or         Intrinsic or         a) Matl. directed
(Prevention)                                       Discrete System        External             boundary detection
(stealth and deceit only)                          Coupled With Other                          (entrance and exit)
                                                   Subsystems)                                 b) within area personnel
                                                                                               directed detection

Category II               Detection                Continuous or          External             None
(Safeguard System                                  Discrete
Assessment)

Category III              Detection                Continuous or          External             None
(Loss Assessment)                                  Discrete

Category IV               Detection                Continuous or          External or          None
(Safeguard Data                                    Discrete               Intrinsic
Generation)

[Figure 8. Matrix of material accountability attribute combinations (continuous or discrete; intrinsic or external) against safeguard objective Categories I through IV, with an X marking each category achievable by that attribute combination acting alone. Only the axis labels and caption are recoverable from the scan; the cell entries are not.]
The DYMAC concept under development at the Los Alamos Scientific Laboratories is a classic example of an intrinsic material accounting system because of its extensive use of on-line NDA, load cells and other automated measuring equipment and procedures.
A fundamental question regarding the role of material accountability is whether it is an essential ingredient of the safeguard program. In other words, can a safeguard system be constructed that satisfies all the stated safeguard objectives without the use of material accountability?
The answer to this question as seen from Table 8 is manifestly No. Material accountability is the only safeguard tool that can serve to satisfy the objectives relating to safeguard system assessment and loss assessment in the aftermath of a malevolent act. The only reliable and assured way to prove past and present system performance, provide a safeguard system overcheck, resolve hoax credibility, and determine the extent of losses after an attack is by "counting the marbles."
One can further deduce that a material accountability system designed to satisfy safeguard objectives in Categories II and III must be external to the process. For if an intrinsic material accountability were employed one could never be assured that the system was sufficiently hardened and truly secure. One could not prove that an internal threat did not compromise the system (and thus one could not obtain the impeccable proof needed to satisfy the safeguard objectives of Category II).
The situation with intrinsic material accountability is analogous to the problem faced by portal monitors, fences, etc.: it is impossible after the fact to prove that these safeguard subsystems have indeed performed their task. It should be clear that in principle a secure intrinsic system could be used if indeed one could verify that the system is secure. It is the difficulty in verification that strongly suggests the use of external material accountability in achieving Category II and Category III safeguard objectives.
In addition to avoiding the possibility of compromise, the objective in Category III, loss assessment, requires the use of an external material accountability system because possible damage to the facility and internal equipment resulting from an attack may render an intrinsic system totally inoperable. Also, an intrinsic system tacitly assumes that the material is contained within normal processing channels, an assumption that may not be satisfied, particularly following a malevolent act involving sabotage.
At the other extreme, one can raise the question whether it is possible, by the sole use of some form of material accountability, to design a safeguard system that can achieve all of the safeguard objectives for which material accountability has any potential. From Table 8, it is clear that a continuous external material accountability subsystem can achieve, at least in principle, all of the stated safeguard objectives.
However, as indicated, a continuous external material accountability system is not physically attainable, hence in order to achieve all the safeguard objectives it is necessary to look at the following alternative safeguard strategies:

a) where either several forms of material accountability are simultaneously employed, or
b) where a discrete external material accountability system is combined with other safeguard subsystems.
The reason why a discrete material accountability is not able by itself to satisfy Category I prevention objectives is that the detection must occur in a timely enough manner to permit coupling to an appropriate response activity. As indicated earlier, the resolution interval R associated with a discrete material accountability subsystem causes an inherent potential time lag in detecting the occurrence of diversion.
Figure 8 indicates that Category I objectives can be covered by the inclusion in the total safeguard system of a separate, continuous, internal material accountability subsystem. Thus, one alternative possible safeguard strategy to achieve all the stated safeguard objectives is the simultaneous use of a discrete, external material accountability subsystem and a separate continuous, internal material accountability subsystem.
The discrete external material accountability subsystem will enable the achievement of Categories II, III, and IV safeguard objectives and the continuous intrinsic material accountability system will serve to achieve the safeguard objectives of Category I.
In Section 2, it was demonstrated that material accountability could be supplemented or replaced by a combination of material directed boundary detection or direct within area detection of malevolent personnel activities. Hence still another alternative possibility to achieve all the stated safeguard objectives is to use either one or a combination of material directed boundary detection and within area personnel activity detection in conjunction with or as an alternative to material accountability to achieve the objectives of Category I and a discrete external material accountability subsystem to achieve the remaining safeguard objectives listed in Categories II, III and IV.
Table 9 lists the resulting collection of alternative safeguard strategies partitioned according to whether or not material accounting is integrated with related safeguard subsystems. Table 9 can alternatively be expressed in terms of the logic diagram given in Figure 9.
TABLE 9
ALTERNATIVE SAFEGUARD STRATEGIES

Material Accounting Only

- 1. A single continuous external material accountability subsystem.

- 2. Simultaneous use of a continuous intrinsic material accountability subsystem and an independent discrete external material accountability subsystem.

Integration of Material Accountability and Related Safeguards

- 3. Use of a discrete external material accountability subsystem and any combination of
     a) material directed boundary detection
     b) within area personnel directed activity detection
     and
     c) other material accountability subsystems.
[Figure 9. Logic diagram for generating alternative safeguard strategies. Inputs: continuous external material accountability; discrete external material accountability; continuous intrinsic material accountability; discrete intrinsic material accountability; material directed boundary detection; within area personnel activity detection. Output: feasible safeguard strategy. Legend: AND gate, all inputs necessary; OR gate, at least one input necessary; a marker denoting an input that must be used in conjunction with at least one other safeguard subsystem. The gate wiring itself is not recoverable from the scan.]

Figure 9. Logic Diagram for Generating Alternative Safeguard Strategies
Since a continuous external material accountability system is not feasible, we are left with only the choice of either alternative 2 or 3 of Table 9. Hence, in Figure 9, the set of feasible safeguard strategies is given by the output of the "and" gate.
In addition to indicating the totality of alternative safeguard strategies, Figure 9 also suggests the potential for safeguard system redundancy and diversity. Figure 9 indicates that in order to achieve all the safeguard objectives one must use a discrete external material accountability system and at least one other safeguard subsystem. One would thus obtain, for example, redundancy and diversity by simultaneously using in addition to discrete external material accountability both a continuous internal material accountability subsystem and material directed boundary detection. Though the continuous material accountability subsystem is emplaced primarily to achieve Category I safeguard objectives, there is no reason why it can not be used to assist the discrete external material accountability system in accomplishing its primary safeguard objectives.

Alternatively, the discrete material accountability subsystem, though not incorporated into the safeguard subsystem for prevention purposes, may be able to provide information and thus assist the safeguard subsystems that are primarily intended to accomplish those objectives. Enumeration of all the redundant feasible safeguard strategies implied by Figure 9 yields the set of 7 feasible safeguard strategies which are listed in Table 10. In generating performance requirements on the safeguard subsystems utilized in each of these strategies we can either consider cases where only the respective primary subsystems are utilized or where all information gathered from the safeguard subsystems, even if they are not directly intended for that purpose, is utilized in an integrated fashion.

TABLE 10
FEASIBLE SAFEGUARD STRATEGY SET

- 1. Discrete external material accountability + continuous intrinsic material accountability.
- 2. Discrete external material accountability + material directed boundary detection.
- 3. Discrete external material accountability + within area personnel activity detection.
- 4. Discrete external material accountability + intrinsic (continuous or discrete) material accountability + material directed boundary detection.
- 5. Discrete external material accountability + intrinsic (continuous or discrete) material accountability + within area personnel activity detection.
- 6. Discrete external material accountability + material directed boundary detection + within area personnel activity detection.
- 7. Discrete external material accountability + intrinsic (continuous or discrete) material accountability + material directed boundary detection + within area personnel activity detection.
It is worthwhile to examine briefly one example of how a safeguard subsystem not primarily intended to accomplish a particular safeguard objective can synergistically assist the primary safeguard subsystem in accomplishing its assigned task. As a case in point consider the safeguard strategy of using a discrete external material accountability system along with use of material directed boundary detection (Table 10, safeguard strategy number 2). Furthermore, suppose that the boundary detection safeguard subsystem consists of the use of SNM portal monitors. We previously stated, in Eq. 4.7, that the one-shot success probability of a diverter transporting K grams of SNM through a portal monitor is given in terms of the cumulative normal probability distribution function by:

P_c(K, 1) = N(k - K/σ_g)

where k was defined as the alarm offset in standard deviations above the mean background and σ_g was defined as the standard deviation of the portal's detection threshold (also expressed in grams, since the ratio of K to σ_g must be dimensionless). By Eq. 4.6, it is seen that a diverter could, with a 50% chance of success, transport from the facility in a single attempt

μ = kσ_g grams

of SNM. If, for example, the portal
detection has a standard deviation of 10 grams and a 4 sigma alarm offset is employed, 40 grams could be obtained per shot with 50% success probability. Clearly the portal detector limits the ability of a diverter to remove a strategic quantity of SNM from the facility in a single attempt, i.e., it places a per-shot or daily control on SNM diversion. However, a diverter could in principle defeat this system by spreading the SNM transportation over a sufficient number of portal exits or even perhaps by penetrating the boundary elsewhere. One can easily calculate for this particular case that a strategic quantity of, say, 5 kg, could be obtained with an 84% success probability by spreading the diversion over 2000 exits, i.e.
$$\text{overall } n\text{-shot probability of transport success} = N\!\left(k - \frac{K}{\sigma_g}\right)^{n}$$

where: n = number of portal exits, and K = strategic quantity / n = 5000/2000 = 2.5 grams per exit. Therefore for 2000 diversions each consisting of 2.5 grams we have:

$$\text{overall probability of success} = N(3.75)^{2000} = (0.99991158)^{2000} = 0.84 \qquad (6.1)$$
In fact, one can show that for this case a 2000 event diversion policy is indeed the optimum transportation policy for the diverter to follow.
In order to counter the possibility of a diversion scenario involving an extended time frame, one thus has to either significantly improve the portal monitor sensitivity or else couple the portal monitor with another safeguard element. Whereas the portal monitor serves to emplace a daily control on SNM diversion, this additional safeguard element must be sensitive to a diversion process extending over a period of time.
The use of random searches in this regard was discussed in an earlier example. Another possibility to institute a time control is the use of the same discrete material accountability subsystem that already must be emplaced in order to achieve Category II, III and IV safeguard objectives.
To be useful as a time constraint on diversion, the material accountability subsystem simply must have the capability to detect, at a sufficiently high confidence level, a cumulative diversion of 5 kg spread over several accounting periods. Integrating both safeguard subsystems, one obtains for the probability of a diversion success extending over m equal length accounting intervals, where within each accounting period n portal exit passages are made:

$$\text{Probability of diversion success} = P_{ad}\!\left(\tfrac{K}{m}, \tfrac{K}{m}, \ldots, \tfrac{K}{m};\ m(R)\right)\cdot N\!\left(k - \frac{K}{mn\sigma_g}\right)^{mn} \qquad (6.2)$$
In Eq. 6.2 we are tacitly making assumptions regarding both the theft and transportation policy that the diverter will employ. However, the equation does demonstrate the coupling that will occur. For this particular safeguard strategy, employing discrete external material accountability and SNM exit portal monitoring, one would thus obtain performance goals by working with the combined probability to satisfy Category I safeguard objectives and with the material accountability detection probability alone to satisfy the safeguard objectives in Categories II, III and IV.
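The portal monitor arithmetic of Eq. 6.1 and the coupling of Eq. 6.2, as an added worked example (Python written for this edit, not code from the report): the first part evaluates the n-shot success probability for any split of a total quantity over n exit passages and searches for the diverter's best split, reproducing the 2000-exit, 0.84 figure above; the second part multiplies in a discrete material accountability term. Because the report gives no closed form for $P_{ad}$, the block supplies a constructed cumulative-MUF model (Gaussian balance error σ_muf per accounting period, alarm when the cumulative balance exceeds a fixed number of standard deviations) purely as an assumption so that the coupling can be exercised numerically; the figures σ_muf = 300 g and a 3 sigma alarm are likewise assumed.

```python
"""Portal-monitor n-shot success (Eq. 6.1) and its coupling with discrete
material accountability (Eq. 6.2). Added example; the P_ad model below is a
constructed assumption, not a model from the report."""
from math import erfc, exp, log, sqrt


def norm_cdf(z: float) -> float:
    """Cumulative normal distribution N(z)."""
    return 0.5 * erfc(-z / sqrt(2.0))


def one_shot_success(k: float, sigma_g: float, grams: float) -> float:
    """Eq. 4.7: P_c(K, 1) = N(k - K/sigma_g) for a single passage carrying K grams."""
    return norm_cdf(k - grams / sigma_g)


def n_shot_success(k: float, sigma_g: float, total_grams: float, n: int) -> float:
    """Eq. 6.1: the total quantity is split evenly over n passages, all of which
    must pass undetected: N(k - K/(n sigma_g))**n."""
    p1 = one_shot_success(k, sigma_g, total_grams / n)
    if p1 <= 0.0:
        return 0.0
    return exp(n * log(p1))  # log form avoids underflow for large n


def best_split(k: float, sigma_g: float, total_grams: float, n_max: int = 20000):
    """Search the diverter's optimum number of passages (the transportation
    policy) against a portal monitor acting alone. Returns (n, success)."""
    best_n, best_p = 1, n_shot_success(k, sigma_g, total_grams, 1)
    for n in range(2, n_max + 1):
        p = n_shot_success(k, sigma_g, total_grams, n)
        if p > best_p:
            best_n, best_p = n, p
    return best_n, best_p


def cumulative_muf_nondetection(grams_per_period: float, m: int,
                                sigma_muf: float, alarm_sigmas: float) -> float:
    """Constructed illustrative P_ad (assumption, not from the report): m period
    balances with independent Gaussian error sigma_muf are summed, so the
    cumulative balance has standard deviation sigma_muf*sqrt(m); the diversion
    goes undetected if the cumulative MUF stays below alarm_sigmas of that."""
    sigma_m = sigma_muf * sqrt(m)
    return norm_cdf(alarm_sigmas - grams_per_period * m / sigma_m)


def coupled_success(total_grams: float, m: int, n: int, k: float, sigma_g: float,
                    p_ad) -> float:
    """Eq. 6.2: P_ad(K/m, ..., K/m; m periods) * N(k - K/(m n sigma_g))**(m n).
    p_ad(grams_per_period, m) is any non-detection model for the discrete
    accountability subsystem; the portal term sees m*n passages in total."""
    return p_ad(total_grams / m, m) * n_shot_success(k, sigma_g, total_grams, m * n)


if __name__ == "__main__":
    K, K_OFFSET, SIGMA_G = 5000.0, 4.0, 10.0  # 5 kg target, 4 sigma offset, 10 g
    print("50% single-shot quantity:", K_OFFSET * SIGMA_G, "g")
    print("2000 exits:", round(n_shot_success(K_OFFSET, SIGMA_G, K, 2000), 3))
    print("best split (n, success):", best_split(K_OFFSET, SIGMA_G, K))
    p_ad = lambda g, m: cumulative_muf_nondetection(g, m, sigma_muf=300.0, alarm_sigmas=3.0)
    print("portal + accountability, m=4, n=500:",
          coupled_success(K, 4, 500, K_OFFSET, SIGMA_G, p_ad))
```

The search in `best_split` is the diverter's side of the problem: against the portal alone it confirms that spreading 5 kg over roughly 2000 passages is the best the diverter can do, and that the portal by itself cannot push the success probability below about 0.84. The coupled figure shows why the time constraint matters: with the assumed accountability model multiplied in, the same 2000-passage policy falls to a negligible success probability.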
It should also be noted that one could have employed a separate material accountability subsystem to assist the exit boundary detection system (i.e., Table 10, safeguard strategy number 4). In particular, one could envision satisfying the detection component of the safeguard prevention objectives by combining portal SNM detection with an intrinsic discrete material accountability subsystem based on the use of process and quality control data. This is an extremely promising safeguard strategy.
7. Material Accountability Performance Criteria

7.1 Introduction

In this section we will briefly examine the conceptual performance criteria that a material accountability subsystem must satisfy in order that it achieve its designed safeguard objectives. In particular, we will abstractly obtain upper bounds on the resolution interval, R, the processing delay time, D, and lower bounds on the diversion detection sensitivity as characterized in terms of a maximum acceptable value for the diversion success probability functions (i.e., the non-detection probability) defined earlier in Section 3.
It is important to realize that we have limited our analysis to consideration of only that portion of the adversary action sequence where the threat interacts with the facility. One could also, for completeness, consider a threat preparation phase, prior to obtaining SNM, and a threat utilization phase after SNM is obtained. If the overall NRC safeguard goal is to limit societal risk, then performance criteria for on-site safeguard subsystems, and in particular material accountability, should be developed within a "global" framework which considers the entire adversary action sequence from its conception through SNM utilization, and apportions the safeguard burden among developing a capability to interdict an adversary during the preparation phase, developing a capability to prevent a threat from successfully utilizing SNM, and placing emphasis on preventing the loss of SNM from a facility.
Clearly such an approach is amenable to the same systems type framework presented here, but on a much larger scale. In our present development of conceptual performance criteria for material accountability, one can envision that at an earlier stage this higher level analysis was performed and has been reflected in the desired bounds on the diversion success probability function.
To comprehensively evaluate the safeguard potential of material accountability, one would have to examine each of the seven feasible safeguard strategies listed in Table 10 and, for each of the safeguard objectives stated in Table 7, obtain respective performance criteria. It would also be necessary to consider separately cases where only the primary safeguard subsystem is utilized and all possible situations where synergistic assistance from secondary safeguard subsystems is possible. It will, however, adequately serve our purpose if we limit our discussion to considering the use of a single primary safeguard subsystem and only a few of the more basic cases where the interaction of two safeguard subsystems occurs. In particular, we have demonstrated earlier that discrete external material accountability must be utilized in order to achieve Category II and III safeguard objectives, and to achieve Category I safeguard objectives we have demonstrated via Eq. 6.2 and Tables 9 and 10 that many alternative safeguard strategies exist, some utilizing a single safeguard subsystem while other alternatives utilize two or more subsystems in conjunction. We will limit our discussion for achieving Category II and III safeguard objectives to external discrete material accountability (Section 7.2). To achieve the detection component of Category I safeguard objectives, we will limit our discussion to the sole use of continuous material accountability (Section 7.3.1), the sole use of exit SNM boundary detection (Section 7.3.2), the simultaneous use of continuous and discrete material accountability (Section 7.3.3), and the simultaneous use of discrete material accountability and exit SNM boundary detection (Section 7.3.4). Pertinent comments will be made to indicate how the addition to these safeguard strategies of still other safeguard elements can help to overcome safeguard weaknesses. There is no need to explicitly address the achievement of safeguard data generation, Category IV, since, as demonstrated earlier, its requisite performance requirements will most certainly be dominated by the other safeguard objectives.
Table 11 lists all the cases to be considered. It should also be observed that the performance criteria derived will perhaps be conservative since further requirement relaxation may result from being able to utilize additional safeguard information provided by the use of secondary safeguard subsystems which has not been considered.
7.2 Performance Criteria for Meeting Category II & III Objectives

As indicated in Table 11, use of discrete external material accountability will be studied in order to obtain conceptual performance requirements to achieve Category II and Category III safeguard objectives.

TABLE 11. CASES CONSIDERED FOR PERFORMANCE CRITERIA ANALYSIS

To Achieve Category II and Category III Safeguard Objectives:
  Discrete External Material Accountability (Section 7.2)

To Achieve Category I Safeguard Objectives:
  a) Continuous Material Accountability (Section 7.3.1)
  b) Exit SNM Boundary Detection (Section 7.3.2)
  c) Simultaneous Independent Continuous and Discrete Material Accountability Subsystems (Section 7.3.3)
  d) Simultaneous Discrete Material Accountability and Exit SNM Boundary Detection (Section 7.3.4)

Again the reason for using discrete material accountability is based on the question of assuring that the system is secure over the entire class of feasible threats. The basic sensitivity expression is the optimum diversion success likelihood over the total set of all feasible threats and diversion scenarios, assuming that the diverter utilizes the optimum diversion policy. As indicated earlier, this probability bounds the system vulnerability, and hence a safeguard system design based on this optimum represents a conservative approach. The expression for the optimum diversion success probability was given earlier in Eq. 3.5 as

$$\text{Maximum diversion success probability} = P_{ad}(K, R_1, R_2, \ldots, R_n)$$
Let us first consider the requirement for SNM loss assessment in the aftermath of a theft or sabotage, the Category III safeguard objective.
Following a malevolent incident, to assist recovery operations one fundamentally needs to assess:

  a. whether or not a strategic quantity was stolen,

and more generally:

  b. how much material is missing, and in what forms does the missing material exist?
Clearly, of necessity a malevolent act would be followed by a demand audit, and thus the theft success probability function to be addressed corresponds to a single accounting interval whose duration extends from the last formal inventory up to the present demand material audit. If we make use of the facts that a) the duration of this interval is bounded by the normal accounting interval duration and b) by Eq. 3.21, the monotonicity relationship, the non-detection probability increases as a function of the maximum diversion time, we can obtain a conservative upper bound on the diversion success probability by assuming the standard accounting interval R.
Generally, we require to resolve both questions a and b that:

$$P_{ad}(K, R) \le c(K) \qquad (7.1)$$

where R = the normal accounting interval duration and c(K) = the maximum allowable non-detection probability. The probability bound c(K) must be a monotonically decreasing function of the quantity diverted since, clearly, the greater the quantity diverted the
more imperative it becomes to be able to detect that loss. In order to achieve sufficient reliability in determining whether or not a strategic quantity of SNM is missing, this probability bound must be below a maximum acceptable threshold for K equal to the quantity of SNM judged to be strategic. Figure 10 depicts two hypothetical diversion success probability bounds. Both functions approach unity for very small diversions and approach essentially zero (at least below the specified acceptable upper bound) by the time a strategic quantity of material is involved. The hypothetical bound depicted by the first function is primarily desirable if quantities of SNM below the strategic quantity are deemed to be essentially of nuisance value and their loss detection therefore relatively unimportant. A diversion success probability bound in the form of the second function is required, on the other hand, if it is deemed that a loss of even small quantities of SNM is unacceptable from a safeguards viewpoint. As will be demonstrated later for systematic diversion, a material accountability subsystem that is sensitive to small SNM diversions may be able to use this sensitivity to compensate for its inherent information processing delay. Hence one may, in order to overcome the information processing delay, design a material accountability subsystem satisfying the latter probability bound. It should be clearly understood that the strategic limit and the specified bounds on the diversion success probability are both judgment calls which cannot be made abstractly within a safeguard design. Given this probability bound, the safeguards system design engineer must realize a material accountability subsystem capable of satisfying Eq. 7.1 for the loss assessment objective to be achieved.

[Figure 10. Required Bound on Diversion Success Probabilities. Plot of the required upper bound on the diversion success probability against the quantity diverted as a result of a malevolent act, K (kilograms): curve 1 applies if losses below the strategic quantity are unimportant; curve 2 applies if small losses are important; the acceptable bound on diversion success for a strategic quantity of SNM is marked at K equal to the strategic quantity.]
The requirement on timeliness is essentially defined by the interface that must exist between the audit following the attack and the recovery operations that must follow. It clearly would make a great difference if one knew whether or not a strategic quantity of material was involved. Following an apparent act of sabotage, it is also vital to know if that act was part of a cover to conceal an SNM theft. In equation form the requirement on timeliness can be expressed as

$$C + D \le t_{max} \qquad (7.2)$$

where C = time to perform the material audit, D = the information processing delay time, and $t_{max}$ = the maximum delay time that can be tolerated. The maximum permitted time delay, $t_{max}$, will depend upon many factors including the material type potentially stolen and the perceived intent of the adversary force. Obviously, rapid identification of a loss of a strategic quantity of weapon grade material to an adversary intent on mass destruction is far more critical than if the material involved was not directly usable and would require extensive chemical conversion.
As with the strategic limit and the acceptable diversion success probability bound, requirements on timeliness cannot be made abstractly within a safeguard design. In order to intelligently arrive at an upper bound on the diversion alarm acquisition time, one needs to carefully study the interaction with response and recovery safeguard operations, as well as perform a careful analysis of the impact that the information gathering and processing delay has on the potential public risk.
To achieve Category II safeguard objectives one again needs to obtain a sufficient detection sensitivity in determining whether a strategic quantity of SNM has been stolen. The basic distinction is that the diversion may span several accounting intervals. Hence we again, as in Figure 10, need to define a suitable c(K) function and require that

$$P_{ad}(K, R_1, R_2, \ldots, R_n) \le c(K) \qquad (7.3)$$

One important question that now arises is what should be the maximum number of accounting intervals that will be considered. By the monotonicity property, Eq. 3.21, the longer the maximum permitted diversion time span, the larger the maximum diversion success probability and hence the more difficult it will be to effectively bound. If we simplify the notation and let $R_{max}$ denote the maximum length of any accounting interval and $N_{max}$ the maximum number of accounting intervals considered (i.e., $N_{max} R_{max}$ is the maximum permitted diversion time span), we can rewrite Eq. 7.3 as

$$P_{ad}(K, N_{max}, R_{max}) \le c(K) \qquad (7.4)$$

The left hand side of Eq. 7.4 denotes the optimum success probability for diverting K kilograms of material over a span of $N_{max}$ accounting intervals each of maximum length $R_{max}$. This clearly represents the worst case for the material accountability subsystem, since it represents a maximum time span consisting of maximum length (hence minimum number of) accounting intervals.
Constructing a material accountability subsystem satisfying Eq. 7.4 enables Category II safeguard objectives to be achieved. For example, in response to a potential hoax one needs only to evaluate the non-detection probability function over the interval specified by the threat. Suppose the alleged diversion spanned past accounting intervals denoted by $\{R_1, R_2, \ldots, R_m\}$. We would be able to verify from the historical material accountability records that

$$P_{ad}(K, R_1, \ldots, R_m) \le P_{ad}(K, N_{max}, R_{max}) \le c(K)$$

In fact, the infeasibility of an undetected past covert theft would already have been demonstrated by essentially this same bound because of the requirement that a safeguard system provide an overcheck capability.
The only timeliness consideration that exists is from a threat that implies a current theft. A demand audit would then have to be performed and the results analyzed. Eq. 7.2 would govern the permitted times for initiating and completing the audit and the subsequent data analysis. The total maximum permitted delay time would have to be determined by studying the interactions with the negotiating and response activities.
Demonstrating past and present safeguard performance and providing an ongoing safeguard system over check capability are basically similar except perhaps that the latter has to satisfy a timeliness requirement to identify a potential safeguard problem within a time frame permitting appropriate corrective measures before a safeguard breach occurs. The recent cumulative MUF problems faced by NRC and ERDA are classic examples where the current material accounting system did not give an alarm in a timely manner.
The requirements on a discrete external material accountability system to satisfy Category II and III safeguard objectives are summarized in Table 12. Again it should be pointed out that, for each safeguard objective, appropriate values for K, c(K), and $t_{max}$ depend ultimately upon the interfaces that must exist with other safeguard subsystems.
TABLE 12. SYSTEM REQUIREMENTS FOR DISCRETE EXTERNAL MATERIAL ACCOUNTABILITY

Category II

Safeguard Objective: Effectively Resolve Hoaxes
  Sensitivity: $P_{ad}(K, N_{max}, R_{max}) \le c(K)$
  Delay: $C + D \le t_{max}$
  Comments: a) K = quantity specified in threat; c(K) small enough to prove threat incredible. b) $t_{max}$ short enough to interface with negotiation and response activities.

Safeguard Objective: Demonstrate Performance
  Sensitivity: $P_{ad}(K, N_{max}, R_{max}) \le c(K)$
  Delay: Not critical
  Comments: a) K ≤ strategic limit. b) c(K) adequate to provide public assurance.

Safeguard Objective: Safeguard System Overcheck
  Sensitivity: $P_{ad}(K, N_{max}, R_{max}) \le c(K)$
  Delay: $C + D \le t_{max}$
  Comments: a) K ≤ strategic limit. b) c(K) adequate to provide NRC assurance that safeguards are adequate. c) $t_{max}$ short enough to take effective corrective action.

Category III

Safeguard Objective: Loss Assessment
  Sensitivity: $P_{ad}(K, R) \le c(K)$
  Delay: $C + D \le t_{max}$
  Comments: a) K = material loss of concern (≤ the strategic limit). b) c(K) small enough to be able to reliably identify loss. c) $t_{max}$ small enough to interface with recovery and response activities.

7.3 Performance Criteria for Achieving Category I Safeguard Objectives

Let us now obtain conceptual performance criteria for some safeguard strategies designed to achieve Category I safeguard prevention objectives. The first case to be considered, as indicated in Table 11, is the sole use of intrinsic continuous material accountability.

7.3.1 Sole Use of Continuous Material Accountability

Eq. 3.20, the diversion success probability against a continuous material accountability system optimized over the entire class of feasible threats and their corresponding feasible scenarios, and assuming that an optimum diversion policy is utilized, represents, by analogy with the discrete case, the conservative approach that must be taken to bound the diversion problem and thus obtain safeguard control. Using the time invariance property defined by Eq. 3.28, we can rewrite Eq. 3.20 in terms of the total diversion time span, not explicitly indicating the beginning and end times of the diversion.
$$\text{Maximum diversion success probability} = P_{ac}(K, t) \qquad (7.5)$$

where K = quantity of SNM diverted and t = total diversion time span. Again, we will have to establish a maximum credible diversion time span, $t_{max}$, and work with $P_{ac}(K, t_{max})$. Making use of the monotonicity property, Eq. 3.24, the success probability for a given diversion of duration t can be bounded by the diversion success probability corresponding to the maximum allowable diversion time span:

$$P_{ac}(K, t) \le P_{ac}(K, t_{max}), \quad \text{for } t \le t_{max} \qquad (7.6)$$

As with the discrete case, a maximum allowable non-detection probability function, c(K), must be selected and the continuous material accountability system designed so that:

$$P_{ac}(K, t_{max}) \le c(K) \qquad (7.7)$$
Eq. 7.7, however, needs to be modified to include the interrelationship between delay and diversion detection sensitivity. The main distinction between achieving Category I safeguard objectives and achieving Category II and III objectives is that detection of the malevolent activity by itself is not sufficient: an appropriate and timely response is essential. Certainly, if detection of a theft does not occur, the activity will be successfully accomplished. However, on the other hand, one can envision a situation where the continuing presence of activity, such as an extended covert diversion, is detected, yet the facility is unable to identify the source and take corrective action, or the alarm is given too late.
The maximum allowable processing delay time is, in general, a function of both the diversion policy employed and the probability bound c(K). Symbolically we can write

$$\text{Maximum bound on processing delay time} = D(P_T, c(K)) \qquad (7.8)$$

where $P_T$ denotes the diversion policy employed by the threat (i.e., r(t) from $t_{start}$ to $t_{end}$) and c(K) was defined previously to be the acceptable upper bound on the diversion success probability, expressed as a function of the quantity of SNM diverted.
To more explicitly demonstrate the interrelationship that exists between the information processing delay time and diversion detection sensitivity, let r(t) denote the diversion policy utilized and $t^*$ the total required diversion time span associated with that policy. Initializing t equal to zero at the start of the diversion, we can express the cumulative quantity of SNM diverted up to time t, denoted by k(t), by:

$$k(t) = \int_0^{t} r(\tau)\, d\tau$$

Since the diversion is completed at time $t^*$, we will assume that $k(t^*)$ is equal to K, a strategic quantity of SNM. Let D denote the information processing time delay and $P_{ac}(k(t))$ denote the probability that the continuous material accountability subsystem will not have sufficient information to indicate a diversion alarm by the time t against this diversion policy. Clearly, the material accountability system must be able to alarm by $t^* - D$ in order to compensate for the processing time delay; thus we can rewrite Eq. 7.7 as:

$$P_{ac}(k(t^* - D)) \le c(K) \qquad (7.7a)$$

By the time monotonicity property and the definition of the probability bound we can also write:

$$P_{ac}(k(t^* - D)) \ge P_{ac}(k(t^*)), \qquad P_{ac}(k(t^*)) \le c(K) \qquad (7.7b)$$

Eq. 7.7a demonstrates the obvious fact that, in order to compensate for the processing time delay, the probability bound must be achieved at an earlier time when only a portion of the strategic limit has been diverted, thus interrelating the diversion policy, the information processing time delay and the acceptable upper bound on the diversion success probability.
Obviously, for all practical purposes, the processing delay time for timely detection of a one-shot diversion event must essentially be zero, since for a suitable response it must be less than the time it can take an employee to remove the material and leave the facility. At the other extreme, the processing delay for a systematic diversion extending over a long time span is relatively unimportant, particularly if c(K) is selected so that it is small for values of K well below the strategic threshold. In such a situation the material accountability subsystem will be able to detect the diversion long before a strategic quantity is obtained, with ample lead time so that the balance of the strategic quantity of material is not obtained by the diverter during the processing delay interval.
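The delay and sensitivity interrelation of Eqs. 7.7a and 7.8, as an added worked example (Python written for this edit, not code from the report): each diversion policy is represented by its cumulative quantity k(t) and completion time $t^*$; the block checks Eq. 7.7a for a given processing delay D and solves numerically for the largest D that still satisfies the bound, i.e. $D(P_T, c(K))$. The report gives no form for $P_{ac}$, so the block assumes a constructed one, $P_{ac}(k) = N(a - k/\sigma_c)$ with $\sigma_c$ = 200 g and a = 3, together with a flat bound c(K) = 0.05 for an assumed 5 kg strategic quantity; these are illustrative assumptions only. The two policies, a dribble of 50 g per day and a one-shot removal, reproduce the point made above: a long delay is tolerable against the dribble, essentially none against the one-shot event.

```python
"""Allowable processing delay D(P_T, c(K)) for continuous material
accountability (Eqs. 7.7a and 7.8). Added example; P_ac, c(K), the strategic
quantity and the two policies are constructed assumptions, not from the report."""
from math import erfc, sqrt

STRATEGIC_GRAMS = 5000.0  # K, the strategic quantity assumed for this example


def norm_cdf(z: float) -> float:
    """Cumulative normal distribution N(z)."""
    return 0.5 * erfc(-z / sqrt(2.0))


def p_ac(k_grams: float, sigma_c: float = 200.0, alarm_sigmas: float = 3.0) -> float:
    """Constructed non-detection model (assumption): the continuous subsystem has
    not alarmed on a cumulative diversion of k grams with probability
    N(a - k/sigma_c), i.e. a Gaussian balance with a fixed alarm offset."""
    return norm_cdf(alarm_sigmas - k_grams / sigma_c)


def c_bound(k_grams: float) -> float:
    """Constructed c(K) (assumption): a flat 5% acceptable non-detection
    probability regardless of quantity."""
    return 0.05


def dribble_policy(rate_g_per_day: float):
    """r(t) = constant rate, so k(t) = rate*t until K is reached at t* = K/rate."""
    t_star = STRATEGIC_GRAMS / rate_g_per_day
    return (lambda t: min(rate_g_per_day * max(t, 0.0), STRATEGIC_GRAMS)), t_star


def one_shot_policy():
    """The whole strategic quantity removed in one event at t = 0, so t* = 0."""
    return (lambda t: STRATEGIC_GRAMS if t >= 0.0 else 0.0), 0.0


def requirement_met(k_fn, t_star: float, delay: float) -> bool:
    """Eq. 7.7a: P_ac(k(t* - D)) <= c(K). The subsystem must already have
    enough information to alarm a delay D before the diversion completes."""
    return p_ac(k_fn(t_star - delay)) <= c_bound(STRATEGIC_GRAMS)


def max_delay(k_fn, t_star: float, dt: float = 0.01) -> float:
    """Eq. 7.8: the largest D satisfying Eq. 7.7a for this policy, found by
    scanning t from 0 to t* for the earliest time at which the bound is met.
    Returns 0.0 when the bound is never met before completion."""
    steps = int(round(t_star / dt))
    for i in range(steps + 1):
        t = min(i * dt, t_star)
        if p_ac(k_fn(t)) <= c_bound(STRATEGIC_GRAMS):
            return t_star - t
    return 0.0


if __name__ == "__main__":
    policies = {"50 g/day dribble": dribble_policy(50.0), "one-shot": one_shot_policy()}
    for name, (k_fn, t_star) in policies.items():
        print(f"{name}: t* = {t_star:g} days, allowable D = {max_delay(k_fn, t_star):.2f} days")
```

With the assumed model the dribble is caught once about 0.93 kg has gone, at day 18.6 of a 100-day diversion, so a processing delay of some 81 days still satisfies Eq. 7.7a; the one-shot policy leaves no margin at all. Tightening c(K) or loosening σ_c moves the alarm time and hence the allowable delay, which is the dependence Eq. 7.8 expresses.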
The preceding discussion clearly indicates that the allowable information processing time for a continuous material accountability system to identify a material loss is dynamic: it must be capable of responding extremely rapidly to gross one-shot diversions of strategic material quantities but need not be rapid in identifying diversions where small quantities of material are dribbled out over an extended period of time. Such a dynamic capability can perhaps be achieved through the hybrid use of continuous monitoring of material via, for example, position indicators in order to identify large one-shot thefts, and of statistical analysis of inventory and flow measurements to identify systematic diversion.
The conceptual performance requirements for continuous material accountability to enable the achievement of the Category I safeguard objectives are summarized in Table 13.
TABLE 13. CONCEPTUAL PERFORMANCE REQUIREMENTS FOR CONTINUOUS MATERIAL ACCOUNTABILITY TO ACHIEVE CATEGORY I SAFEGUARD OBJECTIVES

1. Prevent sub-national covert theft of strategic quantity of SNM
  Sensitivity: $P_{ac}(K, t_{max}) \le c(K)$
  Maximum Processing Delay: $D(P_T, c(K))$
  Comments: a) K = strategic quantity for terrorist group. b) Both c(K) and $D(P_T, c(K))$ jointly chosen so that detection plus response will provide adequate safeguard assurance.

2. Prevent national level theft of strategic quantity of SNM
  Sensitivity: $P_{ac}(K, t_{max}) \le c(K)$
  Maximum Processing Delay: $D(P_T, c(K))$
  Comments: a) Same as above, but K is a strategic quantity for a national weapon program development effort.

3. Prevent nuclear proliferation
  Sensitivity: $P_{ac}(K, t_{max}) \le c(K)$
  Maximum Processing Delay: $D(P_T, c(K))$
  Comments: a) K is strategic quantity for national weapon program. b) Both c(K) and $D(P_T, c(K))$ jointly chosen to provide for adequate international measures.

4. Prevent sabotage of nuclear facilities
  Sensitivity: $P_{ac}(K, t_{max}) \le c(K)$
  Maximum Processing Delay: $D(P_T, c(K))$
  Comments: Same as (1), but K is the minimum quantity suitable for use in sabotage activity.

7.3.2 Use of Exit SNM Boundary Detection

Exit SNM boundary detection is another alternative safeguard strategy that can be utilized to detect any SNM diversion for situations where the diversion scenario includes transportation of the diverted material across the facility boundary. Exit boundary detection is therefore suitable to aid in the achievement of the Category I prevention safeguard objectives, with the exception of sabotage scenarios involving only unauthorized within-area material flows.
We will again take a conservative approach and develop conceptual performance criteria against the diversion success probability, Eq. 4.5, optimized over the class of feasible threats and the corresponding class of feasible diversion scenarios, and assuming that an optimum diversion policy is followed.

$$\text{Optimum diversion success probability} = P_c(K, E) \qquad (7.9)$$

where K = quantity of SNM diverted and E = maximum number of possible exit passages during the diversion time span. The similarity that exists between the design basis, Eq. 7.9, for an exit boundary detection safeguard subsystem and the design basis, Eq. 7.5, for a continuous material accountability system should be noted. The only superficial difference between these two probability expressions is that the total diversion time span, t, in the continuous material accountability case is replaced by the total number of exit passages, E, in the boundary detection case. Clearly, as demonstrated by Eq. 4.3, E is directly proportional to the total permitted diversion time span, the proportionality depending upon the number of individuals in the threat actively engaged in transporting SNM across the facility boundary and the number of exit passages that each diverter is able to make per shift.
Functionally, exit SNM boundary detection appears identical to continuous material accountability as long as the diversion scenario requires that the material actually leave the plant. This point becomes manifestly clear if one envisions the extreme case of a hypothetical facility consisting of a single work station staffed by a single employee, and further assumes that the facility boundaries immediately surround the work station. From a safeguard viewpoint, the physical mechanism by which a material removal is detected is immaterial. It makes no difference whether the material theft is detected by a material accountability subsystem as the material is removed from the production line, or detected a few feet away by a portal monitor as the employee attempts to leave the facility. It is, however, important to note the qualification: as long as the diversion scenario requires that the diverted material leave the facility. Categorically, continuous material accountability and SNM exit boundary detection are different: the first safeguard subsystem is a within-area material directed detection activity which functions during phase 2 of the adversary action sequence, and the second subsystem is a material directed boundary detection activity which functions during the exfiltration phase of the adversary action sequence. However, for diversion scenarios where the material leaves the facility, for all practical purposes they act equivalently.
Analogous to the case of continuous material accountability, we again have to specify the maximum possible number of exit passages, $E_{max}$, which in this case must be derived from the maximum possible diversion time span and the spectrum of credible threats. In analogy with the time monotonicity property for continuous material accountability, Eq. 3.24, one has

$$P_c(K, E) \le P_c(K, E_{max}), \quad \text{for } E \le E_{max} \qquad (7.10)$$

To achieve the Category I safeguard objectives, we thus have to specify a maximum allowable diversion success probability function, c(K), and design the exit SNM boundary detection subsystem such that:

$$P_c(K, E_{max}) \le c(K) \qquad (7.11)$$
An extremely attractive feature of SNM exit boundary detection is that the detection, if it occurs, is timely: there are no information processing delays associated with the use of exit boundary detection. The safeguard objectives of Category I are thus completely achievable as long as the function c(K) is chosen sufficiently small for amounts of SNM deemed significant. Table 13 applies to this case simply by deleting the references to information processing delay time and incorporating a suitable relationship between $t_{max}$ and $E_{max}$.
7.3.3 Simultaneous Use of Independent Continuous and Discrete Material Accountability Subsystems

In this section we will examine how separate discrete and continuous material accountability safeguard subsystems can be integrated to provide a timely and sensitive detection mechanism that is suitable for the achievement of Category I prevention safeguard objectives. We have previously demonstrated that in order to satisfy Category II and III safeguard objectives, an external discrete material accountability subsystem must be incorporated into any total safeguard system. Therefore, given that a discrete system already is in place, the obvious question arises whether it can also serve a secondary goal in assisting another safeguard subsystem in achieving Category I safeguard objectives.
In Section 7.3.1 we demonstrated that sole use of continuous material accountability would require that it be capable of the timely detection of both short term diversion and long term systematic diversion. In fact, the notion of a dynamic processing delay time was introduced to indicate that perhaps a long information processing delay time would be acceptable in detecting long term systematic diversion, whereas essentially a zero processing delay time is required in order to successfully detect a one-shot diversion event. In the SNM portal monitor example presented in the last section, we briefly introduced the concept of imposing a time constraint and a daily constraint. In order for a single safeguard subsystem to successfully provide adequate detection over the entire range of feasible threats and scenarios, it must be capable of providing both a satisfactory time constraint and a satisfactory daily constraint on SNM diversion. These diversion constraints are achieved through both an adequate detection sensitivity to SNM diversion and an adequate information processing time delay. The concept of a dynamic processing delay is just an alternate way of stating that the requirements on the processing delay time differ for a time constraint and a daily constraint.
If one examines Table 12, which lists the requirements for discrete material accountability to satisfy Category II and Category III safeguard objectives, we observe that we may essentially have in place a safeguard subsystem that, depending on the value of $t_{max}$, would also serve to emplace an effective time constraint that can be used to achieve Category I safeguard objectives.
In using the discrete material accountability system to achieve the time diversion constraint, one also gains the important ancillary advantage that the discrete material accountability system functions external to the process and thus is not subject to compromise by a systematic long term diverter.
Thus, by the simultaneous use of both continuous and discrete material accountability, the continuous material accountability subsystem can be tailored to provide only a daily constraint on SNM diversion, needed to provide a capability of rapidly identifying the occurrence of large material thefts from the process. This can probably be accomplished by the appropriate use of on-line monitoring equipment that can sense abrupt changes in material quantities and flows. It would not have to be designed to detect small diversion signals embedded in the normal noise fluctuations associated with the process. Though extensive safeguard engineering analysis is required, by limiting the objective of a continuous material accountability system to only providing a daily constraint, one very likely simplifies the technological problems.
In developing an expression for the undetected diversion success probability against the simultaneous use of separate discrete and continuous material accountability subsystems, we will assume that the diversion begins at the beginning of an accounting interval and terminates just prior to the end of an accounting interval. The time monotonicity property demonstrates that this is a conservative assumption, since the discrete material accountability subsystem is not affected by where in the accounting interval the diversion begins or ends, and the maximum probability of defeating a continuous material subsystem can only increase as the permitted diversion time span increases. Since the two material accountability subsystems are independent, the general non-detection probability expression is obtained by multiplying their respective component probabilities, Eq. 3.1 for discrete material accountability and Eq. 3.16 for continuous material accountability.
$$\text{Diversion success probability} = P_{ad}(K_1, K_2, \ldots, K_n;\ R_1, R_2, \ldots, R_n;\ T, S_T)\; P_{ac}\big(r(t)\big|_{t_1}^{t_2}, T, S_T\big)$$
This general non-optimized expression is written expressly to indicate that the optimum diversion policy for this integrated case corresponds to neither the optimum policy for the discrete case nor the optimum diversion policy corresponding to the continuous case. The optimum diversion policy corresponding to a given threat and scenario would have to take into account the effects of both the continuous and discrete portions of the combined material accountability system. In particular, at one extreme, where the entire diversion span is short and contained within a single accounting interval, the daily portion of the system must dominate and thus the optimum diversion policy will be dictated by the continuous material accountability subsystem. At the other extreme, long term systematic diversion, the time constraint on diversion must dominate and the optimum diversion policy is thus determined by the discrete portion of the combined material accountability system.
One can, however, simplify the analysis conservatively by bounding the optimum diversion success probability as the product of the two optimum diversion probabilities obtained when each subsystem is considered as acting independently.
$$\text{Maximum non-detection probability} = P_{ad}(K;\ R_1, R_2, \ldots, R_n)\; P_{ac}(K, t) \qquad (7.13)$$

As indicated earlier, for short time span diversions the continuous system must dominate and thus the maximum non-detection probability approaches that for the continuous system acting alone.
$$\text{Maximum diversion probability}\big|_{t\ \text{small}} \to P_{ac}(K, t) \qquad (7.14)$$
On the other hand, for long term systematic diversion, the maximum diversion success probability must approach that for the discrete system acting alone.

$$\text{Maximum non-detection probability}\big|_{t\ \text{large}} \to P_{ad}(K;\ R_1, R_2, \ldots, R_n) \qquad (7.15)$$
To achieve the Category I safeguard objectives one has, in general, to satisfy

$$P_{ad}(K;\ R_1, R_2, \ldots, R_n)\; P_{ac}\Big(K, \sum_i R_i\Big) \le c(K) \qquad (7.16)$$

which for a long term systematic diversion must reduce to

$$P_{ad}(K;\ R_1, R_2, \ldots, R_n) \le c(K) \qquad (7.17)$$

and for a short term diversion span must reduce to

$$P_{ac}(K, t) \le c(K) \qquad (7.18)$$
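As an added worked example, not part of the report, the following Python script evaluates the product bound of Eq. 7.13 and its limiting cases (Eqs. 7.14 to 7.18) for a diverter who spreads a total amount K evenly over n accounting intervals, and shows that the policy optimum against the combined system is neither subsystem's stand-alone optimum. The per-interval detection models, alarm thresholds, noise levels and all numerical values are assumptions constructed for illustration; none of them come from the report.

```python
"""Product bound of Eq. 7.13 for combined discrete and continuous material
accountability, with the limiting cases of Eqs. 7.14-7.18.

Every detection model, threshold and noise level below is an assumption
constructed for illustration; the report specifies none of them.
"""
from math import erf, sqrt


def phi(x: float) -> float:
    """Standard normal CDF: probability that a noisy measurement
    stays below an alarm threshold."""
    return 0.5 * (1.0 + erf(x / sqrt(2.0)))


def p_ac(K: float, n: int, theta_c: float = 3.0, sigma_c: float = 1.0) -> float:
    """Assumed continuous (on-line) subsystem: each interval's loss K/n is
    measured with Gaussian noise sigma_c and alarms above theta_c. All n
    intervals must pass, so this realises the 'daily constraint': a one-shot
    diversion (n = 1) is almost surely caught, a thin spread is not."""
    per_interval = phi((theta_c - K / n) / sigma_c)
    return per_interval ** n


def p_ad(K: float, n: int, theta_d: float = 4.0, sigma_d: float = 2.0) -> float:
    """Assumed discrete (inventory) subsystem: at the end of interval j the
    cumulative discrepancy j*K/n is measured with noise sigma_d and alarms
    above theta_d. Every inventory must pass, so non-detection falls as the
    span grows; this realises the 'time constraint'."""
    prob = 1.0
    for j in range(1, n + 1):
        prob *= phi((theta_d - j * K / n) / sigma_d)
    return prob


def analyse(K: float, n_max: int, c_K: float) -> dict:
    """Evaluate each subsystem alone and in combination over spans 1..n_max,
    n_max playing the role of the maximum allowable span R_1 + ... + R_n.

    Returns the diverter's best span against each subsystem alone, the true
    joint optimum, the conservative Eq. 7.13 bound (product of the two
    stand-alone optima) and whether that bound meets the Eq. 7.16 requirement
    of not exceeding the sensitivity bound c(K)."""
    spans = range(1, n_max + 1)
    ac = {n: p_ac(K, n) for n in spans}
    ad = {n: p_ad(K, n) for n in spans}
    joint = {n: ac[n] * ad[n] for n in spans}

    best_ac = max(spans, key=ac.get)      # Eq. 7.14 regime: continuous alone
    best_ad = max(spans, key=ad.get)      # Eq. 7.15 regime: discrete alone
    best_joint = max(spans, key=joint.get)
    bound = ac[best_ac] * ad[best_ad]     # Eq. 7.13, conservative by construction

    return {
        "best_span_continuous_alone": best_ac,
        "best_span_discrete_alone": best_ad,
        "best_span_combined": best_joint,
        "joint_optimum": joint[best_joint],
        "eq_7_13_bound": bound,
        "bound_is_conservative": bound >= joint[best_joint],
        "eq_7_16_satisfied": bound <= c_K,
    }


if __name__ == "__main__":
    # Constructed numbers: 8 units diverted, at most 12 intervals, c(K) = 0.05.
    for key, value in analyse(K=8.0, n_max=12, c_K=0.05).items():
        print(f"{key}: {value}")
```

With these constructed parameters the continuous subsystem alone is best evaded by the thinnest spread (n = 12), the discrete subsystem alone by a one-shot diversion (n = 1), while the combined system is best evaded at n = 3, and the Eq. 7.13 bound exceeds the true joint optimum by more than an order of magnitude.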
The maximum allowable processing delay time is basically the same as stated previously for the case where continuous material accounting was used alone, Eq. 7.8, i.e., the allowable upper bound on the processing delay time would be a function of the diversion policy (in particular the total diversion time span) and the sensitivity bound, c(K). Since, in this present case, the continuous portion of the combined material accountability system is responsible for the detection of short term diversion, it must be required to have a rapid response. Intuitively, since we are dealing with large elemental diversions, achievement of a short information processing delay time does not appear technically formidable. The discrete portion of the material accountability system, on the other hand, is responsible for the detection of long term systematic diversion and can tolerate the presence of a significant processing delay which normally can be expected to accompany the use of discrete external material accountability.
The preceding discussion demonstrates the basic advantage of integrating two separate safeguard subsystems, in particular discrete and continuous material accountability, in order to provide the diversion detection component needed to achieve the Category I safeguard objectives. Essentially, the use of two separate subsystems permits a division of labor: one system to provide the daily constraint on diversion and the other system to provide the time constraint. Table 13 essentially also applies to this case, where Eq.'s 7.16, 7.17 and 7.18 are used to specify the sensitivity requirements in general and for the extreme limiting cases of long term and one-shot diversion.
7.3.4 Simultaneous Discrete Material Accountability and Exit Boundary Detection

As indicated in Section 7.3.2, exit SNM boundary detection appears functionally identical to continuous material accountability as long as the diversion scenario requires that the material leave the facility.
This suggests that in the integrated safeguard strategy developed in the last section, we can replace continuous material accountability with exit boundary detection and integrate the use of discrete material accountability with exit boundary detection in order to achieve the detection component required in achieving the Category I safeguard objectives. It should be noted that the discrete material accountability subsystem may be the external system emplaced in order to achieve Category II and III safeguard objectives, or a separate intrinsic material accountability system, perhaps based on the use of normal process data.
By complete analogy with the preceding section, the general expression for the overall diversion success probability is the product of the diversion success probabilities resulting from the discrete material accountability subsystem, Eq. 3.1, and the exit boundary detection subsystem, Eq. 4.1. As before, we assume that the diversion begins at the start of an accounting interval and terminates just prior to the completion of an accounting interval. Thus

$$\text{Diversion success probability} = P_{ad}(K_1, K_2, \ldots, K_n;\ R_1, R_2, \ldots, R_n;\ T, S_T)\; P_c(K_{e_1}, K_{e_2}, \ldots, K_{e_E};\ E, T, S_T) \qquad (7.19)$$
It should be noted that if the diversion scenario does not require that the material leave the facility, the exit boundary detection term in Eq. 7.19 becomes unity and thus only the discrete material accountability subsystem would be available. It should also be observed that the relationship between $K_j$ and $K_{e_j}$ depends upon the actual scenario employed. For example, if material is transported from the facility at the time it is actually stolen, $K_j$ will be equal to the sum of the amounts transported across the exit portal during that accounting interval. If the diversion scenario permits the stolen material to be temporarily stored within the facility, a different relationship may exist.
We again simplify the analysis by bounding the overall diversion success probability by the product of the individual component optimum probabilities.
$$\text{Maximum undetected diversion success probability} = P_{ad}(K;\ R_1, R_2, \ldots, R_n)\; P_c(K, E_{max}) \qquad (7.20)$$

where: $R_1 + R_2 + \cdots + R_n$ = the maximum allowable diversion time span, and $E_{max}$ = the corresponding maximum number of exit passages.
As demonstrated earlier through the exit SNM detection example presented in Section 4, an exit boundary detection subsystem may itself be envisioned to consist of two safeguard elements: one to emplace a daily constraint on SNM diversion, and the other to emplace a time constraint. Thus, we can write:

$$P_c(K, E_{max}) = P_{cd}(K, E_{max})\; P_{ct}(K, E_{max}) \qquad (7.21)$$

where: $P_{cd}(K, E_{max})$ = the transportation success probability associated with the exit boundary detection safeguard element that provides the daily constraint on SNM diversion, and $P_{ct}(K, E_{max})$ = the transportation success probability associated with the exit boundary detection safeguard element that provides the time constraint on SNM diversion.

For scenarios possessing a short diversion time span, the dominant detection mechanism must be the exit boundary detection subsystem and in particular that safeguard element that provides the daily constraint.
$$\text{Maximum diversion success probability}\big|_{t\ \text{small}} = P_c(K, E_{max}) \to P_{cd}(K, E_{max}) \qquad (7.22)$$
Use of exit boundary detection to impose the daily constraint on SNM diversion has the important advantage of providing a very rapid response, as there are no associated information processing delays.
For long term systematic diversion the diversion success probability will depend upon the discrete material accountability subsystem and the portion of the exit boundary detection that imposes the time constraint
Table 13 also essentially applies to this case, where Eq.'s 7.24, 7.25, and 7.26 are used to specify the sensitivity requirements.
7.3.5 General Approaches

In concluding this section, it should be observed, either from Table 3 or Eq. 2.3, that the diversion detection subsystems considered could be further augmented by the incorporation of within area personnel activity detection subsystems and, for cases where a substitution scenario is employed, with the use of entrance boundary detection. Within area personnel activity detection can provide a mechanism for imposing a daily constraint for scenarios where the diverted SNM does not leave the facility. In principle, within area personnel activity detection can serve to provide either a time constraint or a daily constraint. For example, personnel observation via CCTV will provide a random detection mechanism which results in imposing a time constraint. The use of sensors and alarms, on the other hand, introduces a daily constraint. For the sake of discussion we will model a within area personnel detection subsystem as composed of two elements: one imposing a time constraint and the other imposing a daily constraint. In equation form we have

$$\text{Probability of not being directly detected stealing SNM} = P_a(K_1, K_2, \ldots, K_s;\ T, S_T) = P_{as}(K_1, K_2, \ldots, K_s;\ T, S_T)\; P_{at}(K_1, K_2, \ldots, K_s;\ T, S_T) \qquad (7.27)$$
where: $P_{as}(K_1, K_2, \ldots, K_s;\ T, S_T)$ = the probability of the personnel activity not being directly detected by the daily part of the within area personnel activity detection subsystem, and $P_{at}(K_1, K_2, \ldots, K_s;\ T, S_T)$ = the probability of the personnel activity not being directly detected by the time part of the within area personnel activity detection subsystem.
A general expression for the overall diversion success probability considering the simultaneous use of discrete material accountability, continuous material accountability, both entrance and exit boundary detection, and within area personnel activity detection is given by:
$$\text{overall diversion success probability} = P_{ad}(K_1, K_2, \ldots, K_n;\ R_1, R_2, \ldots, R_n;\ T, S_T)\; P_c(K_{i_1}, K_{i_2}, \ldots, K_{i_E};\ E, T, S_T)\; P_c(K_{e_1}, K_{e_2}, \ldots, K_{e_E};\ E, T, S_T)\; P_a(K_1, K_2, \ldots, K_s;\ T, S_T)\; P_{ac}\big(r(t)\big|_{t_1}^{t_2}, T, S_T\big) \qquad (7.28)$$

$P_c(K_{i_1}, K_{i_2}, \ldots, K_{i_E};\ E, T, S_T)$ is used to denote the probability of successfully importing substitute material.
From Eq.'s 7.23, 7.27, and 7.28, we see that the short term diversion probability is given by:

$$\text{Short term diversion success probability} = P_{cd}(K_{i_1}, K_{i_2}, \ldots, K_{i_E};\ E, T, S_T)\; P_{cd}(K_{e_1}, K_{e_2}, \ldots, K_{e_E};\ E, T, S_T)\; P_{as}(K_1, K_2, \ldots, K_s;\ T, S_T)\; P_{ac}\big(r(t)\big|_{t_1}^{t_2}, T, S_T\big) \qquad (7.29)$$

and the long term systematic diversion success probability is given by:

$$\text{long term diversion success probability} = P_{ad}(K_1, K_2, \ldots, K_n;\ R_1, R_2, \ldots, R_n;\ T, S_T)\; P_{ct}(K_{i_1}, K_{i_2}, \ldots, K_{i_E};\ E, T, S_T)\; P_{ct}(K_{e_1}, K_{e_2}, \ldots, K_{e_E};\ E, T, S_T)\; P_{at}(K_1, K_2, \ldots, K_s;\ T, S_T)\; P_{ac}\big(r(t)\big|_{t_1}^{t_2}, T, S_T\big) \qquad (7.30)$$
Eq.'s 7.28, 7.29 and 7.30 demonstrate that considerable redundancy can be obtained from existing and potential safeguards elements that can be used to construct many safeguard strategies to provide the detection component needed in order to achieve Category I safeguard objectives. Even for the case where material is neither imported into nor removed from the facility, one can still, without resorting to the use of continuous material accountability, impose both a time and a daily constraint on SNM diversion. Though we have only examined in this section four particular safeguard strategies, these examples should illustrate the underlying approach, and thus one should be able to construct and analyze, using Eq.'s 7.28, 7.29, and 7.30, other potential safeguard strategies of interest.
8. Summary Overview: Relation to Builder's Memo

In a memo to the NRC Safeguard Staff dated August 17, 1976, Mr. Carl Builder, the former Director of the NRC Safeguard Division, suggested that a perspective on the possible roles of Material Accountability would be obtained by a detailed examination of the following three questions:

- 1. Are we losing something significant?
- 2. Did we lose something significant?
  - a. when there is reason to be concerned
  - b. during some period in the past
- 3. What do we know about the nature of the operations?
  - a. as a prognosis
  - b. as a diagnosis

The above list represents a complete set of questions which material accountability could be called upon to answer, in the sense that they embody all the safeguard objectives listed in Table 7: the first question corresponds to the Category I safeguard objectives, the second encompasses the Category II and III safeguard objectives, and the third question is clearly equivalent to the safeguard objective listed under Category IV.

On the Role of Material Accounting, Carl H. Builder, Director, Division of Safeguards, 17 August 1976
The main thesis of this report is that in order to identify the capability of Material Accountability to address these three questions, it is imperative that one study Material Accountability, and indeed all of safeguards, using a systems viewpoint. This encompasses identifying the interfaces that exist between material accountability and other safeguard subsystems as well as identifying safeguard subsystems that can be used either in combination with material accountability as an integrated safeguard system or as an alternative to replace material accountability. It is clearly not meaningful to attempt an evaluation of material accountability as an entirely independent safeguard system.
Section 2 served to develop a conceptual systems framework through which one could view all of safeguards and in particular identify the relationships between material accountability and the other safeguard subsystems.
It was observed that safeguard objectives are achieved through the use of an appropriate detection activity coupled to a suitable response.
The detection activity can be viewed as either material directed or personnel directed. It was also noted that an adversary action sequence can be partitioned into as many as three activity phases: infiltration across the protected region boundary, within area personnel directed activity, and finally, exfiltration across the protected region boundary.
Material accountability was shown to be a potential safeguard subsystem that conceptually can provide for a within area material directed detection capability. It can therefore, as demonstrated by Eq. 2.3, be integrated with or replaced by other suitable detection safeguard elements, namely within area personnel activity detection and both entrance and exit material directed boundary detection. It is also important to realize that a material accountability safeguard subsystem would also have to interface with a response activity appropriate for the safeguard objective it is designed to achieve.
Mr. Builder's material accountability questions were directed at the capability of a material accountability system to function as a material directed detection activity. However, one cannot address a capability unless one can quantitatively define the requirements. Implied in the question list is a need to establish requirements on detection sensitivity, timeliness, and the relation of the material accountability system to the process and the threat. In fact, in order to identify requirements, the microscopic viewpoint presented by Mr. Builder's three questions is not completely adequate since, for example, the use of material accountability in preventing a covert terrorist diversion may have different requirements than a material accountability system emplaced to prevent nuclear proliferation. As another example, the response interface required to deal with a hoax differs radically from the response interface required when material accountability is used for loss assessment in the aftermath of an attack.
One clearly needs to stay, at least initially, at a macroscopic level and examine separately each and every safeguard objective rather than starting with a condensed generic set. The purpose of Section 5 was thus to develop from the NRC Safeguards Objective statement and other considerations a comprehensive list of implied safeguard objectives. The fact that the desired list of safeguard objectives could be meaningfully partitioned into four categories which, as indicated earlier, could be identified with Builder's three questions demonstrates the basic equivalence of the two formulations. Table 7 serves as a summary of the safeguard objectives developed in Section 5.

The purpose of Sections 3 and 4 was to structure material accountability and related safeguard systems in terms of attributes and quantitative parameters. A formal characterization of these safeguard subsystems is clearly necessary if one is to quantify the requirements that they must meet in order to achieve the stated safeguards objectives. A key point in this section was the fact that the detection sensitivity would, to a large degree, depend upon the actual scenario employed by a diverter. It would be rational and certainly conservative to assume that a diverter would take steps to minimize the detection sensitivity of the system, and thus considerable effort was expended in characterizing his capability of optimizing the success probability of avoiding detection. It is against these optimum diversion success probabilities that performance requirements were specified. In a sense, as Figure 4 depicts, one can view the design of a material accountability system as a gaming procedure. A "black hat" type of analysis is needed to identify the maximum vulnerability. The objective of the system design is to bound the non-detection probability against this worst case situation below a level consistent with achieving the safeguard objectives.
In Section 6, a set of feasible safeguard strategies was developed. By a feasible safeguard strategy we mean a combination of safeguard subsystems that together can potentially serve in achieving all of the stated safeguard objectives. For each safeguard objective category, Table 8 lists the requirements on the material accountability attributes. In terms of material accountability attributes, Figure 8 clearly depicts the four possible conceptual forms that a material accountability system can assume, which are:

- 1. Continuous Material Accountability, independent from the process
- 2. Continuous Material Accountability, intertwined with the process
- 3. Discrete Material Accountability, independent from the process
- 4. Discrete Material Accountability, intertwined with the process

The feasible set of safeguard strategies consists of one or more of the conceptual material accountability systems coupled with simultaneous use of appropriate related safeguards subsystems. Tables 9, 10 and Eq. 6.2 present alternative ways of characterizing the entire set of feasible safeguard strategies.
To reiterate, the fundamental purpose for distinguishing between intrinsic and external material accountability is the question of whether one can ever be absolutely certain that a material accountability subsystem is secure against an entire class of feasible threats. By introducing suitable redundancy and cross checks into the system design, one can certainly harden a system to increase its overall security. However, it is clearly impossible to guarantee that all the diversion paths have been identified and blocked, particularly if there exist extensive interrelationships between the process and the material accountability system. The analogy with containment is quite clear: no matter how well one designs barriers and alarms, there is no way after the fact to guarantee that safeguard elements or subsystems composed of these elements have not been compromised if interactions between these systems and plant employees have occurred. Therefore, to achieve Category II and III safeguard objectives, it is necessary to utilize an external material accountability system. The only vulnerability of an external material accountability system to compromise is from within itself, which presents a much simpler problem to treat.
In Section 7 an attempt was made to develop expressions for the conceptual performance requirements in terms of specifying the detection sensitivity and timeliness that material accountability must attain in order to achieve its intended safeguard objective within the context of the particular safeguard strategy. The performance criteria were stated in terms of abstract sensitivity requirements, SNM strategic limit, maximum diversion time span, and maximum safeguard information gathering and processing time delay. It was pointed out that these parameters are, in large part, judgment calls as to what indeed constitutes effective safeguards, and thus require a policy decision that must be made external to the analysis. It is important to note that the conceptual feasibility of a safeguard strategy involves only the material accountability attributes. Achieving sensitivity and timeliness requirements over a given diversion time span relates basically to technical feasibility, which is dependent upon technology and economic considerations.
9. Conclusions
- 1. The fundamental question one could raise regarding the role of material accountability in safeguards is whether some form of material accountability is an essential ingredient. Is it possible to achieve all the stated safeguard objectives without the use of some form of material accountability? This study clearly demonstrates the intuitively obvious fact that the answer is manifestly no! Material accountability is the only safeguard element that has any potential for achieving the Category II safeguard system assessment safeguard objectives and the Category III loss assessment safeguard objective. In principle either a discrete or continuous material accountability system could be used, but it must be external to the process or at least guaranteed secure over the entire class of feasible threats. The judgment was made in the study that a continuous material accountability system, because of technological considerations, would have to be intrinsic to the process and that it would be virtually impossible to guarantee that an intrinsic system is secure. Hence, though conceptually feasible, continuous external material accountability is not physically realizable, and thus was dropped from further consideration. We thus reach the conclusion that every safeguard subsystem must contain a discrete external material accountability subsystem.
- 2. A considerable research and development effort supported by ERDA has been underway over the past several years in order to develop a real time material accountability system. Such a real time system is not essential to satisfy the detection requirements in order to achieve all of the stated safeguard objectives, and, in fact, may not even be sufficient.
As observed earlier, such a system, by virtue of its physical implementation employing extensive on line monitoring equipment, would be intrinsic to the process and hence probably not suitable for achieving Category II and III safeguard assessment objectives. In addition, the system is oriented towards measured material balances and may not be sensitive over the entire range of diversion possibilities. The current development effort will, because of technological limitations, lead to an intrinsic system.
Intrinsic continuous material accountability can be used, as proposed in several of the feasible safeguard strategies, for achieving the detection phase of Category I prevention safeguard objectives. As demonstrated in the report, intrinsic material accounting is, for a large class of scenarios, functionally equivalent to exit portal monitoring. It is highly questionable whether a complex continuous intrinsic material accountability system can be economically or even technically competitive with a relatively simple SNM portal monitoring system.
- 3. The best safeguard strategy for achieving the detection component to satisfy Category I safeguard objectives is probably an integrated use of exit boundary detection and discrete material accountability. Exit boundary detection would be ideally suited to detect SNM theft or diversion occurring over a relatively short time span and thus could serve to impose a daily constraint on diversion. Discrete material accountability, on the other hand, has a potential for detecting a long term systematic diversion and thus could serve to impose a time constraint. Depending upon design considerations, the discrete material accountability system could be the same external system used for achieving the safeguard assessment objectives or can be a separate internal discrete material accountability system. This suggests that existing process data, generated to provide quality control and normal process management, might serve as the input to drive such a system. An integrated safeguard subsystem based upon exit monitoring and intelligent use of normal process data conceptually will be able to provide the detection component needed to satisfy the safeguard prevention objectives.
10. Areas for Further Work
- 1. There is a vital need to view all safeguard system development and analysis using a system viewpoint bringing to bear all the modern tools of systems analysis, operations research, statistics, and engineering.
Much of the current safeguard work appears to represent a collection of relatively unrelated tasks without a well defined common goal and where the interrelationships between each of the tasks are not clearly defined.
This material accountability report is intended in part to provide a coherent framework for demonstrating how the various aspects of material accountability relate to the whole and thus to help structure future material accountability development efforts. All of safeguards could benefit from using this type of systems approach.
- 2. Eventually, the choice of a safeguard system will depend largely upon technical and economic considerations. Though our present conceptual analysis required only specification of material accountability attributes and a functional specification of quantitative parameters, it is essential for further work that quantitative values for parameters such as system sensitivity, maximum diversion time span, and allowable information gathering and processing delay time be ascertained. An effort should be undertaken to rationally define the interrelations that exist between material types, threat, component safeguard systems, and public safeguard assurance requirements to arrive at suitable values for these parameters. Clearly established quantitative safeguard parameters are essential if one is to proceed from the concepts portion to the programs portion of Builder's levels of analysis pyramid.
- 3. Basic to the approach used in this report is the achievement of safeguard objectives by bounding the worst possible case. It is therefore necessary that an effort be undertaken to identify the class of feasible threats and, for each threat, the set of possible scenarios that can be utilized. Identification and analysis of scenarios will probably have to be performed on a site specific basis and can be partially accomplished via the diversion path analysis program being developed by ERDA. The effort could be based on the evaluation/design sequence indicated in Figure 4. In particular, the following tasks should be included for each licensee of interest:
- a. Define the class of feasible threats, and for each threat in that class determine the corresponding set of feasible scenarios.
- b. Develop the expression for the diversion success probability, i.e., determine the relationship between the diversion success probability and the diversion policy, threat, and the scenario employed.
- c. Determine the optimum (from the diverter's viewpoint) diversion success probability, and the corresponding threat, scenarios and optimum diversion policy.
Undertaking an exercise of this nature will take the NRC a long way in understanding the safeguards worth of current material accountability practices, in identifying its weaknesses and limitations, and in establishing methodology that can be used in the evaluation of material accountability systems.
- 4. Much of the present material accountability development effort has been directed to improvement of measurement capability and in particular the development of on-line NDA suitable for incorporation into an intrinsic material accountability system. As observed in Section 3, measurement uncertainty is one of the fundamental aspects in the design of a material accountability system. Of equal importance are the record keeping system, the data reduction methodology, and the alarm criteria upon which diversion detection depends. In fact, one really cannot specify data requirements until one knows exactly how the data will be used. Current practice relies almost entirely upon the MUF-LEMUF concept and its embodiment in terms of simple statistical control charts. It is clear that the MUF-LEMUF approach does not make effective use of historical data and certainly does not permit any use of additional information available about the possible diversion process. Over the past decade much progress has been made in the area of statistical communication theory using Kalman filtering and in process control using the Box-Jenkins time series analysis and forecasting technique. Kalman filtering represents an optimum approach to utilizing particular information regarding the diversion process, e.g., that the diversion occurs at a constant rate.
The Box-Jenkins approach, on the other hand, represents an ingenious empirical method for optimally utilizing historical data in predicting future performance.
It is imperative that an effort be undertaken to identify and evaluate the applicability of data reduction algorithms. This study must include:
- a) Kalman Filtering
- b) Box-Jenkins
- c) Other statistical techniques, including
  - i) Cu-SUM and V-Masks
  - ii) Exponential Smoothing (a special case of Box-Jenkins)
  - iii) Multi-variate probability intervals (generalization of MUF-LEMUF)
These data reduction techniques are applicable not only to external discrete material accountability but also to intrinsic discrete systems making use of process data.
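To illustrate the point about historical data, the following added example (not part of the report) runs three diversion-detection rules over a constructed sequence of per-period MUF values in which a constant-rate diversion is hidden below the single-period limit of error. The measurement uncertainty sigma, the LEMUF of 2 sigma, and the CUSUM reference value k and decision interval h are assumptions chosen for the illustration.

```python
"""Compare MUF-LEMUF, CUSUM and cumulative-MUF alarms on constructed data.

Added example, not from the report.  Assumptions (not stated on the page):
sigma = 1.0 unit per balance period, LEMUF = 2*sigma, CUSUM k = 0.5*sigma
and h = 3*sigma, and independent measurement errors between periods.
"""
import math
from typing import List, Optional

SIGMA = 1.0            # assumed std. dev. of a single-period MUF measurement
LEMUF = 2.0 * SIGMA    # assumed single-period limit of error on MUF

# Constructed measurement noise for 12 balance periods.
NOISE = [0.4, -0.7, 0.2, -0.3, 0.5, -0.1, 0.8, 0.1, -0.4, 0.6, 0.3, -0.2]
# Constructed constant-rate diversion: 1.0 unit per period from period 4 on.
DIVERSION = [0.0] * 4 + [1.0] * 8
# Observed MUF per period = true loss + measurement noise (constructed).
MUF = [d + n for d, n in zip(DIVERSION, NOISE)]


def muf_lemuf_alarm(muf: List[float], lemuf: float = LEMUF) -> Optional[int]:
    """Simple control chart: first period (0-based) whose MUF exceeds LEMUF.
    Looks at one period at a time, so it ignores all history."""
    for t, m in enumerate(muf):
        if m > lemuf:
            return t
    return None


def cusum_alarm(muf: List[float], k: float = 0.5 * SIGMA,
                h: float = 3.0 * SIGMA) -> Optional[int]:
    """One-sided CUSUM: accumulate the excess of MUF over k, floor at zero,
    alarm on the first period where the sum exceeds h."""
    s = 0.0
    for t, m in enumerate(muf):
        s = max(0.0, s + m - k)
        if s > h:
            return t
    return None


def cumuf_alarm(muf: List[float], sigma: float = SIGMA,
                z: float = 2.0) -> Optional[int]:
    """Cumulative MUF against a limit of error growing as sqrt(n)
    (independent per-period errors assumed)."""
    cum = 0.0
    for t, m in enumerate(muf):
        cum += m
        if cum > z * sigma * math.sqrt(t + 1):
            return t
    return None


if __name__ == "__main__":
    print("MUF-LEMUF alarm period:", muf_lemuf_alarm(MUF))  # None
    print("CUSUM alarm period:", cusum_alarm(MUF))          # 7
    print("CUMUF alarm period:", cumuf_alarm(MUF))          # 9
```

The per-period chart never alarms because every MUF stays under 2 sigma, while the two history-using rules raise an alarm once the slow, steady loss has accumulated.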
- 5. Much speculation currently exists regarding the availability of process data and its suitability for safeguards use. As pointed out earlier, process data can possibly drive an intrinsic discrete material accountability system that can serve in providing the detection component
potential breaches occurring, over a long period of time in its security?
- c. Can the extensive real time data generated by DYMAC be obtained by, and be useful to, a diverter in his attempt to defeat the system?
The first two questions essentially address the concern expressed in this study about employing intrinsic material accountability for achieving the Category II and III safeguard assessment objectives. The third question addresses the potential of real time intrinsic material accountability of supplying information to a diverter that can assist in defeating the system. It is vital to fully understand these issues in order to assess the role of intrinsic real time material accountability systems in safeguards, of which the DYMAC system is a particular example.