Text

Draft Rev 1 to Reg Guide 5.62,Task SG 901-4, Reporting of Safeguards Events
	ML20237H181
Person / Time
Issue date:	09/30/1987
From:	; NRC
To:	;
References
	TASK-OS, TASK-SG-901-4 REGGD-05.062, REGGD-5.062, NUDOCS 8709030148
	Download: ML20237H181 (21)
	v • d • e

, _ _ _ _ _ _ _ _ _ _ _ - __

Revision 1 _ D ($

September 1987 NOTE: -THIS GUIDE IS A DRAFT FINAL GUIDE.

l- TINAL PUBLICATION IS SCHEDULED FOR SEPTEMBER 1987. MINOR 1

< EDITORIAL CHANGES MAY BE MADE PRIOR TO PUBLICATION, HOWEVER, NO SUBSTANTIVE' CHANGES ARE ANTICIPATED.

l. REGULATORY GUIDE 5.62 l L (Task SG 901-4)

( REPORTING 0F SAFEGUARDS EVENTS L I A. INTRODUCTION In 10 CFR Part 73, " Physical Protection of Plants and Materials," ,

paragraphs 73.71(a) through (c) have recently been amended. Section 73.71 I requires licensees to report to the Operations Center of the NRC or to record for quarterly transmittal to the NRC certain safeguards events. These events are those that threaten nuclear. activities or lessen the effectiveness of a L security system as established by safeguards regulations or an approve ! secu- ;

rity or contingency plan. l This regulatory guide provides an approach acceptable to the NRC staff for

!, use by the licensee for determining when and how an event should be reported. 1 The examples provided represent the types of events that should be reported and are not intended to be all-inclusive. The applicability of events may vary from site to site.

~

l l Any information collection activities mentioned in this regulatory guide l are contained as requirements in 10 CFR Part 73, which provides the regulatory l

basis for this guide. The information collection requirements in 10 CFR Part 73 have been cleared under 0MB Clearance No. 3150-0002.

l B. DISCUSSION 4 The information reportable under S 73.71 is required so the NRC will be informed of safeguards-related events that have the potential to endanger public health and safety or national security. The required information is also used to monitor trends in safeguards system effectiveness.

I Because certain significant safeguards events warrant immediate involve-ment by the NRC and possibly other government agencies such as.the FBI, these

! events must be telephonically reported to the NRC within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of discovery of the event, and a detailed written' report must follow within 30 days.

l .Certain other less significant safeguards events are re@ red to be '

l recorded in a log and copies of the recorded log submitted to the NC every .

l 3 months. While these events are less significant than those reportable .tithin 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , they are required to be reported to the NRC on a quarterly basis for review and long-term trend analysis. If an event occurs repeatedly at one facility or throughout the industry, it may represent a defect in'the security program or a generic trend. Not all generic defects or trends require action on the'part of the NRC; however, this decision cannot be made unless the events are reported to the NRC. Licensees have been required to maintain a separate-log to record events reportable under S 73.71 in the past, but are now required

.to submit a copy of that log to the NRC on a quarterly basis.

8709030140 870829 1 PDR REGGD PDR l 05.062 R L - - - - - _ - - - - - - - _ _ _ - _ _ . _ _ _

au mu ww mmwouwm =- - . - - - __ _

For the purposes of this guide and for understanding the regulations, a glossary is given in Appendix A of this guide. Table 1 presents a summary of

, reportable events and reporting times.

I l C REGULATORY POSITION

1. LICENSEES SUBJECT TO S 73.71 Licensees who are subject to the provisions of SS 73.25,73.26,73.27(c),

73.37, 73.67(e), or 73.67(g) of'10 CFR Part 73 are subject to the provisions of paragraph 73.71(a).

Licensees who are subject to the provisions ci SS 73.20, 73.37, 73.50, 73.55, 73.60, or 73.67 are subject to the provisicns of paragraph 73.71(b) for events described in paragraph (I)(a)(1) of the new Appendix G to Part 73.

Licensees subject to the provisions of SS 73.20, 73.37, 73.50, 73.55, 73.60, or each licensee possessing strategic special nuclear material (SSNM) and subject to paragraph 73.67(d) are subject to the provisiolis of paragraph 73.71(b) for events described in paragraphs I(a)(2), I(a)(3), l(b), and I(c) of Appendix G to Part 73. Licensees subject to the provisions af SS 73.20, 73.37, 73.50, 73.55, or'73.60 'are subje::t to the provisions of paragraph 73.71(b) for events described in paragraph I(d) of Appendix G to Par: 73.

Licensees subject to the provisions of SS 73.20, 73.37, 73.50, 73.55, 73.60, or each licensee possessing SSNM and subject to paragraph 73.67(d) are subject _

to the provisions of paragraph 73.71(c).

2. REPORTABLE EVENTS 2.1 Safeguards Events To Be Reported Within 1 Hour Paragraphs 73.71(a) and (b) require certain events to be reported within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of discovery. Events under paragraph 73.71(a) involve incidents in which a theft, loss, or diversion of a shipment of special nuclear material (SNM) or spent fuel has occurred or is believed to have occurred. A written r ort should be submitted to the NRC within 30 days on each event that is reported within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . Safeguards events reportable under paragraph 73.71(b) and described in Appendix G to 10 CFR Part 73 include: -

1. Acts, attempts, or threats to commit:

(a) Theft or unlawful diversion of SNM or spent fuel; (b) Significant physical damage to a power reactor, to any facil-ity possessing SSNM or such facility's equipment, to the carrier equipment transporting nuclear fuel or spent nuclear fuel, or to the nuclear fuel or spent nuclear fuel a facil-ity or carrier possesses; 2

annn.u a ~~~ - ~ - - - - - - - - - - - - - -- -

1 Table 1 Summary of Reporting Requirements REQUIRED REPORTS DESCRIPTION OF SAFEGUARDS EVENT ;

l Telephonic report within 1. Loss of shipment of SNM or spent fuel.

1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months followed by a written .

report within 30 days 2. Recovery or accounting of lost shipment of SNM or spent fuel.

3. Threatened, attempted, or actual:

a. Theft or unlawful diversion of SNM, l

b. Significant physical damage to a reactor l or facility or carrier possessing SSNM,

c. Unauthorized interruption of normal operations at a power reactor.

l l

4. Actual entry of unauthorized person into a PA, MAA, CAA, VA, or transport.

l 5. Uncompensated failure, degradation, or dis-cov.ered vulnerability in a safeguards system -

that could allow unauthorized or undetected access to a PA, MAA, CAA, VA, or transport.

6. Actual or attempted introduction of contra-

,and into a PA, MAA, VA, or transport. >

Safeguards event log 1. Compensated failure, degradation, or submitted every 3 months discovered vulnerability in a safeguards system that if uncompensated could have l allowed unauthori7ed or undetected access to a PA, MAA, CAA, VA, or transport. ,

2. Any other threatened, attempted, or committed act not previously defined in Appendix G of 10 CFR Part 73 that has the potential for reducing the effectiveness of the safeguards system below that com-mitted to in a licensed physical security or contingency plan or the actual condition of such reduction in effectiveness.

PA = protected area l

MAA = material access area CAA = controlled access area VA = vital area SNM = special nuclear material SSNM = strategic special nuclear material 3

mnn-w , - . - - - _ _ _ - - - - - - - --.

t I

(c) Interruption of normal operation of a licensed nuclear power reactor through the unauthorized use of or tampering with its machinery, components, or controls, including the security system. l 1

h

2. Any actual entry of an unauthorized person into a protected area, material access area, controlled access area, vital area, or transport equipment.

3. Any uncompensated failure, degradation, or c<scovered vulnerability j in a safeguards system that could allow unauthorized or undetected j access to a protected area, material access area, controlled access j area, vital area, or carrier transporting nuclear fuel, spent fuel, '

or formula quantities of SSNM.

4. Any actual or attempted introduction of contraband into a protected area, material access area, vital area, or transport equipment.

To clarify, safeguards system failures include not only mechanical or electrical system failures but also improper security procedures or personnel .

practices. Discovered vulnerabilities include incidents in which the security !

l system has not failed but some flaw in the security system that had existed f

without being noticed has been discovered. l l 1 2.2 Examples of Safeguards Events To Be Reported Within 1 Hour _

l l The following are examples of events that should be reported to the NRC :

within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months because of their potential to endanger public health and safety or national security. This list should not be considered all-inclustve. The l

l applicable regulation is cited for each event, and compensatory measures are discussed if appropriate.

1. Credible bomb or extortion threats. In addition to the initial I telephone report, a telephone report of the results of a bomb search should be made within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of completion of the search. Unsubstantiated threats need not be reported immediately unless a specific organization or group claims responsibility or the threat is one of a pattern of harassing threats; in these cases, the threat must be reported within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . (Paragraph I(a)(1),

j (2), or (3) of Appendix G) There are no compensatory measures that would preclude the reporting of a substantiated threat within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . If a threat cannot be substantiated (no organization or group identified, negative search results, and no additional evidence other than the threat message), the event need only be logged. (Also see number 13 in Section 2.4.)

2. Discovery of a criminal act involving individuals granted unescorted protected area or vital area access that, in the judgment of the licensee, adversely affects radiological safety in licensed activities or facility opera-tions (e.g., certain felonious acts, discovery of a conspiracy to bomb the facility or disturb its vital components, vandalism of vital equipment, reason-able suspicion of illegal sale, use, possession, or introduction of a controlled substance onsite). (Paragraph I(a)(2) or (3) of Appendix G) Because of the serious nature of such an event, discovery of the event should be reported within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months even if the individual's unescorted access authorization is cancelled. (Also see number 3 in this section.)

l

maamn wmmma nn-,---n _ _ _ _ _ -----.- - --

3. Discovery of a criminal act involving a person granted unescorted protected area or vital area access if the act has the potential for adversely affecting the public health and safety, e.g., illegal use of a controlled sub-stance offsite by a reactor control room operator. (Paragraph I(a)(2) or (3)

Of Apper.Jix G) Licensees should exercise judgment in determining the report-ability of criminal acts conducted offsite. Only those acts with the potential for affecting the radiological safety of licensed activities need be reported. ,

Criteria that can be utad to judge deportability of these types of events include (1) the event indicates a failure in program design or implementation, (2) the person involved has safety-related responsibilities, or (3) the event is receiving media attention. Positive drug screens should be validated prior to determining deportability to the NRC. If the event is properly compensated, j e.g., the program failure is corrected or the individual's unescorted access is suspended, then the event need only be logged.

l

4. Discovery of theft or loss of classified documents pertaining to facility or transport safeguards. (Paragraph I(a) of Appendix G)-(Note: This is also reportable under S 95.57 of 10 CFR Part 95.) This type of event is considered a credible threat to the proper safeguarding of a facility or trans-port. By the nature of this event, its discovery can occur only after a signif-icant degradation of the safeguards system designed to protect the classified documents. No measure can adequately compensate for such an event, and events of this type should always be reported within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of discovery. After the discovery, the licensee should endeavor to locate the missing or stolen docu-ment, take measures to help ensure the event is not repeated,. and take whatever ~

steps are possible to minimize the consequences of the event. l

5. Fire or explosion of suspicious or unknown origin within the isolation zone, protected area, material access area, or vital area. (Note: Events l

reportable under SS 50.72 or 50.73 do not require duplicate reports under S 73.71.) (Paragraphs I(a)(1), (2), or (3), or I(d) of Appendix G) If the origin of a fire or explosion can be determined within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to be nonsuspicious and the facility sustains no significant damage, the event is not considered a security threat to the facility and need not be reported or logged. (Also see number 4 in Section 2.5.)

6. Discovery of a suspicious vehicle following a licensed carrier trans-porting formula quantities of SSNM. (Paragraph I(a)(1) of Appendix G) In -

I this situaH on, armed escorts or other responsible personnel should determine

) whether o. not a threat exists and assess the extent of the threat, if any. If

! a threat exists, it should be reported to the NRC within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of confirmation and the provisions of paragraph 73.26(e) should be followed. If no threat exists, the event need not be reported or logged.

7. Mechanical breakdown of transport vehicle carrying formula quantities of SSNM. (Paragraphs I(a)(1), (2) of Appendix G) Since it is difficult to readily determine if a mechanical breakdown is random or intentional, and because of the strategic significance of the material, mechanical breakdowns of transports carrying formula quantities of SSNM should always be reported to the NRC within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of discovery.

5

4 a o'

8. Complete loss of offsite cominonications. (Paragraph I(a)(2) or (3) of Appendix G) If possible, the licensee should report the complete loss of communications from the site within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months or immediately after restoration of communications. If communications from the site are lost and cannot be restored within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , the licensee should use communications located offsite to notify the NRC.

9. Mass demonstration at plant site that may pose a threat to the facility. (Paragraph I(a)(2) or (3) of Appendix G)

10. Civil disturbance near the plant site that may pose a threat to the facility. (Pa/agraph I(a)(2) or (3) of Appendix G)

11. Confirmed tampering of suspicious origin with safety or security equipment. (Paragraph I(a)(1), (2), or (3) of App.ndix G) ,

l

12. An assault on a power reactor, facility, or transport possessing or transporting SSNM regardless of whether perimeter penetration is achieved.

(Paragraph I(a)(1), (2), or (3) of Appendix G) i

13. Confirmed intrusions by unauthorized individuals into the protected area, material access area, controlled access area, vital area, or carrier transporting formula quantities of SSNM. (Paragraph I(b) of Appendix G) Meas-ures should be taken to preclude the recurrence of such events. Since any compensatory measures for such an event would be after the fact of a serious _

safeguards degradation, there are no compensatory measures that would preclude ,

reporting such an event within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of discovery. The violation of licensee-established work rules (e.g., area zoning) within an area by an authorized individual need not be reported or logged as a safeguards event. (Also see I number 11 in Section 2.4.)

14. Uncompensated suspension of safeguards controls during either radio-i logical or nonradiological emergencies that could allow undetected or unauthor-ized access. (Note: Events reportable under SS 50.72 or 50.73 do not require duplicate reports under S 73.71.) (Paragraph I(c) of Appendix G) Section 5.3,

" Controls that Can Be Suspended During an Emergency," of Regulatory Guide 5.65,

" Vital Area Access Controls, Protection of Physical Security Equipment, and Key and Lock Controls," describes safeguards measures that may be suspended during nonradiological emergencies.

15. Discovery of intentionally falsified identification badges or key cards. (Paragraph I(a) of Appendix G) This event is censidered a safeguards threat to the facility and should always be reported within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of discovery.

Measures should be taken immediately to cancel the badges or key cards from the access system and to determine to what extent the badges or key cards have been used.

16. Discovery of uncompensated and unaccounted for, lost, or stolen key cards, I.D. card blanks, keys, or any access device that couM alkw unauthor-ized or undetected access to protectcd areas, material access areas, controlled access areas, or vital areas. (Paragraph I(c) of Appendix G) Such events i

6 1

l w-__-____- _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

wau>a en ~ _ , , , . - - _ _ - - - -

need not be reported within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months if measures are taken within 10 minutes of

' the discovery of the loss to preclude the use of the lost or stolen device for gaining access to a controlled area and to ensure that the lost or stolen device has not been used in an unauthorized manner prior to completion of actions to prevent unauthorized use of the device. (Also see number 6 in Section 2.4.)

17. Compromise of safeguards information (including loss or theft) that would significantly assist a person in an act of radiological sabotage or theft of SNM. (Paragraph I(c) of Appendix G) There is no measure that would ade-quately compensate a compromise of safeguards information once the event has occurred. A licensee should always report this type of event within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of discovery, and follow-up measures similar to those for theft or loss of a classified document should be taken. (Also see number 4 in Section 2.2 above.)

18. Uncompensated loss of the ability to monitor or remotely assess protected area alarms through loss of both central and secondary alarm stations.

(Paragraph I(c) of Appendix G) If the event involves an outage of the alarms, closed circuit television, or security computers, the event is considered properly compensated if the original capability is restored within 10 minutes of discovery of the event or if dedicated observers with appropriate communica-tions are in place within 10 minutes of the discovery to provide total observa-tion of each area.1 Licensees are expected to discover this type of event upon occurrence. If immediate restoration of system capability is provided by activating secondary computers, the loss of backup capability need not be reported within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . (Also see number 10 in Section 2.4.) _~

19. Unavailability of a minimum number of security personnel or an actual or imminent strike by the security force. (Paragraph I(c) of Appendix G) If an unexpected unavailability of a minimum number of security personnel occurs, procedures pre-approved by the NRC may be used; or "on call" guards or trained management, supervisory, or operations personnel available within 10 minutes may be used to supplement the on-duty security force. If minimum requirements cannot be met, the event should be reported within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of discovery.

20. Uncompensated loss of all ac power supply to security systems that could allow unauthorized or undetected access to a protected area, material access area, controlled access area, or vital area. (Paragraph I(c) of Appen-dix G) If the security system integrity can be maintained by standby power,-

the event is considered properly compensated and need only be 1.ogged.1 However, if standby power fails prior to restoration of ac power, the event should be reported within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of loss of standby power. Licensees are expected to discover this type of event upon occurrence. (Also see number 7 in Section 2.4.)

21. Uncompensated loss of ability to detect within a single intrusion detection system zone. (Paragraph I(c) of Appendix G) Proper compensation for this event means immediate deployment (within 10 minutes of discovery) of back-up intrusion detection equipment or posting a dedicated observer with a view of the entire area and capability to communicate with alarm stations.1 2 Posting personnel as a compensatory measure implies that the personnel are i capable of performing the lost or degraded function. When they cannot per- I rorm that function, such as when they are asleep, there is an uncompensated loss that must be reported within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of discovery.

7

mm--g - - - ---= -

(Also see number 3 in Section 2.4.) Licensees are expected to discover this type of event upon occurrence.

22. Loss of alarm capability or locking mechanism on material access area or vital area portal. (Paragraph I(c) of Appendix G) A bolt position alarm carability is not a proper compensatory measure for loss of a balanced- I magnetic alarm because it is not tamper-resistant. Proper compensation for I either of these events means immediate (within 10 minutes of discovery) post-ing of a dedicated observer for loss of an alarm or posting an armed member of l l

the security force for loss of a lock. The posted observer or guard should have appropriate communications equipment.1 In addition, a thorough sea yh of the affected area should be initiated immediately and completed as soon a practicable. Licensees are expected to discover this type of event upon l occurrence. (Also see number 8 in Section 2.4.)

l 23. Discovery of the actual or attempted introduction into or possession l within the protected area, material access area, or vital area of unauthorized weapons, explosives, or incendiary devices. (Paragraph I(d) of Appendix G)

There are no compensatory measures that would preclude reporting this event within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . If an actual introduction of contraband is made, steps should be taken to correct the vulnerability that allowed the introduction. (Also see l

number 5 in this section.) The discovery of vehicular emergency equipment such as safety flares during entrance searches need not be reported or logged.

24. Loss of security weapon at the site. (Paragraph I(a)(3) of Appendix G) l 2.3 Safeguards Events To Be Reported and Submitted Quarterly in a Log 1

1 l

The following safeguards events reportable under paragraph 73.71(c) need )

only be logged within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of their discovery and submitted quarterly to ;

I the NRC- I

\

l

1. Any failure or degradation of a safeguards system or discovered vulnerability in a system that could have allowed unauthorized or '

l undetected access to a protected area, material access area, con-trolled access area, vital area, or transport equipment if compensa-tory measures had not been established. (Logging is not required for preplanned situations that require compensatory measures, such -

as special outage work, equipment relocation, exercises and drills, and other situations that are not the result of a safeguards system failure.)

2. Any other threatened, attempted, or committed act not previously defined in Appendix G that has the potential for reducing the effectiveness of the safeguards system below that committed to in a licensed physical security or contingency plan or the actual condition of such reduction in effectiveness.

f 1

8 l

1

i With respect to the proper compensation of an event, compensatory measures !

need to be implemented promptly to be effective. Prompt implementation will !

minimize any period of degradation that may exist between the occurrence and proper compensation af ter discovery of certain events. Proper compensation after discovery of an event does not relieve the licensee from the responsi-bility for taking long-term corrective action, nor does it relieve the licensee from possible enforcement action by the NRC for noncompliance during the periods of safeguards system degradation. However, licensees are not ordinarily cited for violations resulting from matters not within their control, such as equip- 1 ment failures that occurred despite reasonable licensee quality assurance meas- l ures, testing and maintenance programs, or management controls. (See 10 CFR Part 2, Appendix C, paragraph V.A.)

False alarms (those generated without any apparent cause) and nuisance alarms (those generated by an identified input that does not represent a safe-guards threat) generally need not be reported or logged. However, if false or nuisance alarms are so frequent that the effectiveness of the alarm system is degraded or a pattern of false or nuisance alarms emerges, the licensee should j take corrective action and note the degraded status and compensatory measures j taken in the safeguards event log. !

l l 2.4 Examples of Safeguards Events To Be Reported and Submitted Quarterly in a j l L, og The following are examples of events that are less significant than those reportable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , and according to the rule are required to be logged within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months and submitted quarterly to the NRC. This list should not be j considered all-inclusive. The applicable regulation is cited for each event, '

and compensatory measures are discussed where appropriate.

1. Properly compensated security computer failures. (Paragraph II(a) of Appendix G) Properly compensated means that within 10 minutes of the l discovery of the failure the system is restored to operation, the backup system is operational, or other resources, e.g. , security personnel with appropriate communications equipment, are posted to provide an equivalent level of protec-tion. In all cases, a thorough search of all areas where alarms or access controls may have been compromised by the failure should be initiated immediately and completed as soon as practicable. Licensees are expected to .

discover this type of event upon occurrence.

l 2. Properly compensated vital area card reader failures. (Paragraph l II(a) of Appendix G) For this event, proper compensation means posting appro-l priate personnel (i.e., armed guard if door is unlocked, dedicated observer if l door remains locked but access is required) within 10 minutes of discovery.1 The appropriate personnel must have a current access list and communications capability to alarm stations. A thorough search of the affected area must be l initiated immediately and completed as soon as practicable. Licensees are l expected to discover this type of event upon occurrence.

3. Properly compensated alarm failures. (Paragraph II(a) of Appendix G) l For this event, proper compensation means deployment of back-up alarm equip-I ment (a bolt position alarm capability is not considered back-up alarm equip-ment because it is not tamper-resistant) or posting a dedicated observer within l

l 9

\

l i

10 minutes of discovery.1 The dedicated observer should have appropriate com- l munications equipment and should be able to observe the entire affected area of !

the portal. In addition, a thorough search of the affected area should be l initiated immediately and completed as soon as practicable. (Also see number 1 21 in Section 2.2.) Licensees are expected to discover this type of event upon occurrence.

4. Properly compensated closed circuit television failure in a single zone while the intrusion detection system remains operational. (Paragraph II(a) of Appendix G) Properly compensated means providing other assessment capability, such as posting a dedicated observer with communications equipment to assess the entire zone within 10 minutes of discovery of the failure.1 Licensees are i expected to discover this type of event upon occurrence.

5. Properly compensated failure or degradation of a single perimeter j lighting zone if the intrusion detection system remains operational. (Para-graph II(a) of Appendix G) Measures to properly compensate for failure or degradation of a lighting zone must be implemented within 10 minutes of dis-covery and may include (1) using standby power, (2) using low-light-level surveillance devices, (3) using portable lighting systems, or (4) posting dedicated observers with appropriate communications equipment to provide an equivalent level of protection.

6. Properly compensate 1 accidental removal offsite or loss of badge by I employee. (Paragraph II(a) of Appendix G) For this event, proper compensation is cancelling the badge from the access control system within 10 minutes of discovery by onsite personnel that the badge is missing. Measures must be ,

taken to be sure the badge has not been used in an unauthorized manner while it has been missing. (Also see number 16 in Section 2.2.)

7. Properly compensated loss of the ac power supply for the entire intrusion detection system that, if uncompensated, would allow unauthorized or undetected access. (Paragraph II(a) of Appendix G) Proper compensation for this event is immediately available emergency power through an uninterruptible power source such as a battery supported by a generator. If back-up power is not available, security personnel with communications equipment should be posted within 10 minutes of discovery; however, this action is not considered proper compensation for the event and does not excuse a licensee from reporting the event within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . Licensees are expected to discover th.is type of event i uoon occurrence. (Also see number 20 in Section 2.2.)

8. Properly compensated loss of either alarm or locking mechanism on a ,

material access area or a vital area portal. (Paragraph II(a) of Appendix G) ;

A bolt position alarm capability is not considered a proper compensatory meas- i ure because it is not tamper-resistant. Proper compensation for this event is immediate (within 10 minutes of discovery) posting of a dedicated observer for a loss of alarm or an armed member of the security force for loss of a lock.1 1

The posted personnel should have appropriate communications equipment. In addi-l tion, a thorough search of the affected area should be initiated immediately and completed as soon as practicable. Licensees are expected to discover this type of event upon occurrence. (Also see number 23 in Section 2.2.)

l 9. Security computer failures that may not enable unauthorized or undetected access. (Paragraph II(b) of Appendix G) 10

f a

l t

10. Loss of the capability of a single alarm station to monitor or 2 remotely assess alarms but monitoring or assessment capability remains in other !

stations. (Paragraph II(b) of Appendix G) (Also see number 18 in Section 2.2.) !

I

11. Tailgating by a licensee employee or contractor to gain access to an )

area to which he or she is authorized access. (Paragraph II(b) of Appendix G) s (Also see number 13 in Section 2.2.) l

12. For shipments of formula quantities of SSNM, loss of intra-convoy ;

communications ability is lost, but ability to communicate with movement control center remains. (Paragraph II(b) of Appendix G) 1

13. Unsubstantiated bomb or extortion threat. (Paragraph II(b) of Appen- 1 dix G) An unsubstantiated bomb or extortion threat is a threat in which no !

specific organization or group claims responsibility, the search result is ]'

negative, and no evidence is available other than the threat message. If a threat is one of a pattern of harassing, even if unsubstantiated, it should be i reported within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . l 2.5 Events Not Required To Be Logged or Reported Certain failures of the safeguards system that do not and could not reduce l the effectiveness of the system have little or no safeguards significance; !

events having little or no safeguards significance need not be reported or !

logged. The following are examples of events that are not required to be logged !

or reported. This list should not be considered all-inclusive. ]

1. Cuts made by authorized maintenance personnel through a vital area barrier for a legitimate reason (e.g., to install pipe) if prior approval, :

coordination with security, and proper compensatory measures have been estab- ;

lished.

2. A person attempting to climb a protected area fence if the person is obviously a child.

3. Infrequent nuisance alarms caused by mechanical or environmental problems and false alarms that do not exceed the rates committed to in the licensee's approved security plan or degrade alarm system effectiveness. _

j

4. When the origin of a fire or explosion can be determined within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to be nonsuspicious and the facility sustains no significant damage.

3. PROCEDURES l The determination for reporting an event under paragraphs 73.71(a), (b), i and (c) should be made by onsite security management or their equivalent. How-ever, discovery of such an event is not limited to members of the security organization. It is recommended that all regular site employees receive secu- !

rity oriutation by the security organization to foster an awareness of site j security and to be briefed on their responsibility to immediately notify site j security of safeguards anomalies.

11

4 Events of a dual nature (i.e., having both safety and safeguards implica-tions and subject to the requirements of SS 50.72, 50.73, and 73.71) do not require duplicate reports under the requirements of S 73.71. If a power reac-tor licensee reports an event that is reportable in accordance with both SS 50.73 and 73.71, the procedures described in S 50.73 (i.e. , submittal of a licensee event report (LER)) must be followed. The procedures containcd in NUREG-1022, " Licensee Event Report System,"2 describe how to indicate that an LER meets multiple reporting requirements. When submitting reports of events reportable solely under the provisions of S 73.71, power reactor licensees should use LER Form 366; all other licensees should write a letter. If the written report contains restricted data, e.g. , unclassified safeguards infor-mation, the report must be appropriately marked. If NRC Form 366 or 366A is used, restricted data may be included only in the text section (Item 17 of the form). Restricted data should not be included i the abstract section (Item 16) or any other section of the form other than the text section. In addition, the text should clearly indicate the information that is restricted. Finally, the requirements of paragraph 73.21(g) must be met when transmitting written pro-prietary information.

l It is recognized that not all items of NRC Form 366 may apply when safe-l guards events are reported. Power reactor licensees should be sure that all l

the information needed by the NRC for analysis and evaluation, as described in l

Section 3.2 of this guide, is included on the form, whether under a specific I item or in the text section.

Procedures for the 1-hour reporti the 30-day followup report, and the quarterly log are discussed in the following sections.

3.1 1-Hour Reports When a licensee, licensee employee, or contract employee discovers an event reportable under paragraph 73.71(a) or (b), telephone notification to the NRC Operations Center listed in Appendix A to 10 CFR Part 73 should be made within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of the discovery. Telephone notification should be made via the Emergency Notification System (ENS) if the licensee is party to that system.

If the ENS is inoperative or unavailable, a commercial telephone should be used to ensure that the required notification is received by the NRC Operations l

Center within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of discovery of the event. Commercial telephone numbers that may be used to contact the NRC Operations Center are (301) 951-0550, (301) 427-4056, (301) 427-4259, and (301) 492-8893. Other methods that may be used to ensure notification within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months include telegram, mailgram, or facsimile.

Telegrams and mailgrams should be hand delivered to the Operations Officer at the NRC Operations Center, Maryland National Bank Building, 7735 Old Georgetown Road, Bethesda, Maryland 20814. For information concerning facsimiles, tele-phone the NRC Operations Center at (301) 492-8893. If pertinent information or errors are uncovered after the initial telephone report but prior to submittal of the written report, the licensee should telephonically notify the NRC Opera-tions Center of the information or error.

ZF. J. Hebdon, " Licensee Event Report System," U.S. Nuclear Regulatory Commission, !

NUREG-1022, September 1983. ]

12 l

i Under the provisions of paragraph 73.71(a), the licensee (or agent) should also notify the NRC Operations Center by telephone within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of the recovery of or accounting for a shipment with information on the material located, known reason for loss, etc.

Telephone reports made pursuant to S 73.71 may be transmitted over unpro-tected lines as permitted by the exemption in paragraph 73.21(g)(3),

3.2 30-Day Followup Written Reports A followup written report must be submitted within 30 days of a 1-hour report. Power reactor licensees should use the Licensee Event Report form, NRC I Form 366, in submitting their reports; all other licensees should use a letter l format. For all licensees, the information described below is sufficient for NRC analysis and evaluation and should be included in the report as a minimum. I Reports of events must be legible and reproducible and should include the following:

1. Date and time of event (start and end time).

2. Location of actual or threatened event in a protected area, material i access area, controlled access area, vital area, or other (specify l area).

3. For power reactors, the operating phase, e.g. , shut-down, operating.

4. Safety systems affected or threatened, directly or indirectly.

5. Type of security force onsite (proprietary or contract).

6. Number and type of personnel involved, e.g., contractors, security, visitors, NRC personnel, other (specify).

7. Method of discovery of incident, e.g., routine inspection, test, maintenance, alarm, chance, informant, communicated threat, unusual circumstances (give details).

8. Procedural errors involved, if applicable. _

9. Immediate actions taken in response to event.

10. Corrective actions taken or planned.

11. Local, State, r;c Federal law enforcement agencies contacted.

12. Description of media interest and press release.

13. Indication of previous similar events.

14. Knowledgeable contact.

1 l

l 13

For security system failures, provide the following in addition to Items 1 through 14:

15. Description of failed or malfunctioned equipment (including manu-facturer and model number).

16. Apparent cause of each component or system failure. (For uncompensated security computer failures, state the reason the event could not be compensated and list specific components affected, e.g., central processor, peripheral / terminal equipment, software.)

17. Status of the equipment prior to the event, e.g., operating, being maintained, made secure, compensatory measures in place.

18. Secondary functions affected (for multiple-function components).

19. Effect on plant safety.

20. Unusual conditions that may have contributed to failure, e.g. ,

environmental extremes.

For threat-related incidents, provide the following in addition to Items 1 through 14:

21. Number of perpetrators.

l 22. Type of threat, e.g., bomb, extortion.

l 23. Means of communication, e.g., letter, telephone.

24. Text of threat.

l t

25. Mode of operation.

26. Clear photocopy of threat letter and accompanying envelope if I applicable.

Licensees should submit one copy of each written report to the U.S. Nuclear Regulatory Commission, Document Control Desk, Washington, DC 20.555, and one copy to the appropriate Regional Office listed in Appendix A to 10 CFR Part 73.

l If pertinent information or errors are uncovered after the initial telephone report or the written report is submitted, the licensee should telephonically notify the NRC Operations Center of the information or errors. If the informa-tion is uncovered after the written report has been submitted, the licensee snould submit a complete revised written report with revisions indicated to the Document Control Desk and the Regional Office. The revised report should be complete and should not contain only the supplementary or revised information.

3.3 Maintenance and Quarterly Submittal of a Log Events reportable under paragraph 73.71(c) only need to be logged. In maintaining the log, it is recommended that the licensee log the information as l

l 14

received and then summarize and update the' log entry when the event terminates-.

However, licensees are required by paragraph 73.71(c) to log entries within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of the discovery of the event. Since the licensee would immediately investigate all events that threatened nuclear activities or lessened the:

effectiveness of the security system, the details would generally be available when the entry was made in the log. Log entries should include as a minimum:

1. Date and time of the event;

2. Brief (one-line) description of the event;

3. Brief (one-line) description of compensatory or corrective actions taken;

4. Area affected, e.g., vital area, protected area, owner controlled, transport;-and

5. How detected, e.g., alarm, routine inspections, patrol, informants.

Every 3' months, the licensee is' required to submit one copy of all-log-entries not previously submitted to the NRC Document Control Desk. The log entries need not be typed as long as they are legible; a photocopy is acceptable. Licensees are permitted a five-day grace period for all log submittals.

Events of a similar nature that are logged and submitted to the NRC under paragraph 73.71(c) may be consolidated into a single log entry if they occur repeatedly within the quarterly submittal period. The date and time should be !

specified for each occurrence of the' event. For example, if there is a repeated l occurrence of a compensated computer failure and each failure is the result of the same problem, only one log entry providing the details of 1 through 5 above need be made. However, the date, time, and duration of the event should be recorded in the log for each occurrence.

Each log must be retained for 3 years after the last entry to that log.

l l

l i

15

l APPENDIX A j GLOSSARY Note: This glossary only applies to the requirements of S 73.71 of 10 CFR j Part 73. l Any failure, degradation, or discovered vulnerability: The cessation of proper functioning or performance of equipment, personnel, or procedures that compose the physical protection program necessary to meet Part 73 requirements, or a ,

discovered defect in such equipment, personnel, or procedures that degrades '

function or performance.

Credible threat: A threat should be considered credible when (1) physical evidence supporting the threat exists, (2) information independent from the actual threat message exists that supports the threat, or (3) a specific group or organization claims responsibility for the threat.

Dedicated observer: A person, not necessarily a member of the security force, posted as a temporary compensatory measure for a degraded assessment and

, detection capability. While performing this function, duties must be limited to detection and assessment. As a minimum, the person must be able to view the entire area affected by the degradation and must be c.ble to communicate with the central alarm station.

Diversion of SNM: Unauthorized movement of SNM by individuals authorized access to or control over the material.

False alarm: An alarm generated without an apparent cause. Investigation discloses no evidence of a valid alarm condition, including tampering, no nuisance alarm conditions, and no equipment malfunction.

Interruption of normal operation: The cessation of normal operation that, if accomplished, would result in substantial economic harm or cost to the licen-see.

Loss of SNM: (1) A failure to measure or account for material by the material control and accounting system approved for the facility when the material is .

authorized to be possessed by the licensee and is not confirmed stolen or diverted or (2) an accidental (i.e., unplanned) offsite release or dispersal

~

i l of SNM known or suspected to be 10 times greater than normal operating losses I

for the time in question, whether or not the release is measured. The term loss implies that a search has been conducted to confirm the material is missing. For fixed sites, this search should be conducted within the 1-hour time for reporting.

" Lost" versus " unaccounted for" in regard to transportation of material: The term " lost" covers material that is no longer in the possession of the party authorized to possess it during a specific time period, and a search for the material has verified the loss. " Unaccounted for" refers to material in transit that has not arrived at its delivery point 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months or more af ter the estimated arrival time; however, a search has not confirmed the material to be lost.

16

l l .

Nuisance alarm: An alarm generated by an identified input that does not represent a safeguards threat. Nuisance alarms may be caused by environmental (rain, sleet, snow, lightning) or mechanical (animals or natural objects such as tall grass) factors.

Properly compensated: Measures, including backup equipment, additional security personnel, and specific procedures, taken to ensure that the effectiveness of the security system is not reduced by failure or other contingencies affecting the operation of the security-related equipment or structures.

Safeguards event: Any incident representing an attempted, threatened, or actual breach of the safeguards system or reduction of the operational effectiveness of l

that system.

Safeguards Event Log: A compilation of log entries for the events described in Section II of Appendix G to 10 CFR Part 73. Entries must include the date and time of the event, a description of the event, and any action taken.

Repeated events may be consolidated into a single log entry with the date, time, and duration of each event recorded for each occurrence. The ongoing safeguards event log may be maintained in more than one location onsite. The log may be typed or handwritten as long as it is legible and reproducible.

Entries in a safeguards event log submitted to the NRC need not be in time-sequential order.

Safeguards system: The equipment, personnel, and procedures that make up the physical protection program necessary to meet Part 73 requirements.

Significant physical damage: Physical damage to the extent that the facility, equipment, transport, or fuel cannot perform its normal function (applies to a power reactor, a facility possessing SSNM or its equipment, carrier equipment transporting nuclear fuel or spent nuclear fuel, or to the nuclear fuel or i spent nuclear fuel a facility or carrier possesses).

Tampering: When used in connection with Appendix G to 10 CFR Part 73, altering for improper purposes or in an improper manner.

Theft of SNM: The unauthorized taking of SNM for unauthorized use.

Unauthorized person: Any unescorted person in an area to which the person is-not authorized unescorted access.

I 17

APPENDIX B SAMPLE LOG ENTRIES l

{

Safeguards events reportable under paragraph 73.71(c) of 10 CFR Part 73 need only be logged within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of their discovery. The copy of the log '

(photocopy) submitted to the NRC every 3 months does not have to be typewritten, )

but it must be legible. The sample log items presented here should not be ]

considered all-inclusive.

l LOG ENTRY EVENT )

DATE/ TIME DATE/ TIME EVENT RESPONSE

1. 1-8-87/0140 1-8-87/0130 CAS operator received Area search initiated 3 telephonic bomb threat at 0135 hrs, com-from unidentified male. pleted 0140 hrs, Bomb reported near nothing found, diesel generator.

2. 1-8-87/1245 1-8-87/1043 Delivery truck damaged Guard posted at j PA fence significantly 1050 hrs, relieving _l in zone #4. Discovered patrol (immediate l at 1047 by security comp), PA searched.

patrol, no PA or VA l alarms received. l

3. 1-9-87/1605 1-9-87/1433 Card rader failure at At 1440 hrs, posted VA portal #2. guard with current i access list. System I failure corrected and operational at 1600 hrs.

4. 1-9-87/1815 1-9-87/1730 I.D. badge #342 lost Badge cancelled onsite. 1732 hrs. Badge found on employee's jacket at 1745 hrs.

5. 1-9-87/2055 1-9-87/2025 Security system failure, Determined caused single CPU outage, by electrical storm /

power surge. System back on line at 2028 hrs, All VA portals confirmed locked and alarmed by security. ,

l 18

4 LOG ENTRY EVENT DATE/ TIME DATE/ TIME EVENT RESPONSE

6. 1-10-87/1410 1-10-87/1405 Fence repaired. Compensatory post (See Entry #2) discontinued at 1405.

l 7. 1-11-87/1035 1-11-87/0715 Perimeter fence alarm Area searched by i l 1-11-87/0728 received zone #4. security patrol 1-11-87/0730 each occurrence.

1-12-87/1100 1-12-87/0745 No apparent cause ;

i 1-12-87/0815 for alarms. Security ;

1-12-87/0817 posted after third l alarm each day and maintenance called to check system. I System function verified through test each occurrence.

All actions completed 1035.

8. 1-12-87/1610 1-12-87/1443 CCTV failure, perimeter Dedicated observer in zone #2 (IOS opera- place 1450 hrs. No !

tional). alarms received.

Camera replaced and l l operational at 1610. "

9. 1-12-87/2015 1-12-87/2007 See #5 above. Same as #5 above.

System on-line at 2011 hrs.

I

10. 1-12-87/2350 1-12-87/2230 Latch alarm received Guard posted at 2238.

on VA portal #6. Re- Area searched, no sponder found door abnormalities found.

slightly ajar. Maintenance request initiated at 2315.,

1 19

- o .

l VALUE/ IMPACT STATEMENT A separate value/ impact statement has not been prepared for this regulatory guide. The guide was revised to provide guidance on reporting physical secu-rity events in accordance with paragraphs 73.71(a) through (c) of 10 CFR Part 73.

A regulatory analysis was prepared for the proposed revisions to S 73.71 and was made available in the NRC Fublic Document Room at the time of publication (August 27, 1985--50 FR 34708). This regulatory analysis is also appropriate ;

for this regulatory guide. '

I i

l 1

20

k# lo,, UNITED STATES 8 n NUCLEAR REGULATORY COMMISSION.

$ N. W ASHING TON, D. C,20555

\...../

August 29, 1987 NOTE TO: Document Control Desk

SUBJECT:

PLACEMENT OF DOCUMENT IN PUBLIC DOCUMENT ROOM Flase arrange to have the enclosed document placed in the Public Document Room'in Washington,.D.C. I can be reached at Extension 74773 should there be any questions concerning this matter. Thank you, l'

[4'/t /J <

fb Pricilla A. Dwyer Policy and Operations Section Operations Branch Division of Safeguards and Transportation

Enclosure:

As stated

ML20237H181

Text

SUBJECT:

Enclosure:

Navigation menu

Search