ML20248G623

Technical Resolution of Generic Safety Issue A-29. Nuclear Power Plant Design for Reduction of Vulnerability to Industrial Sabotage
Person / Time
Issue date: 09/30/1989
From: Serkiz A
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
To:
References
REF-GTECI-A-29, REF-GTECI-SA, TASK-A-29, TASK-OR NUREG-1267, NUDOCS 8910100321

NUREG-1267

Technical Resolution of Generic Safety Issue A-29

Nuclear Power Plant Design for Reduction of Vulnerability to Industrial Sabotage

U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research

A.W. Serkiz

AVAILABILITY NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 2120 L Street, NW, Lower Level, Washington, DC 20555
2. The Superintendent of Documents, U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20013-7082
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Office of Information Resources Management, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

NUREG-1267

Technical Resolution of Generic Safety Issue A-29

Nuclear Power Plant Design for Reduction of Vulnerability to Industrial Sabotage

Manuscript Completed: March 1989
Date Published: September 1989

A.W. Serkiz, NRC Project Manager

Division of Safety Issue Resolution
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20555

ABSTRACT

This report summarizes key technical findings related to Generic Safety Issue A-29, "Nuclear Power Plant Design for Reduction of Vulnerability to Industrial Sabotage." The findings in this report deal with (1) a historical review of reported sabotage-related events at nuclear facilities, (2) NRC physical security requirements, (3) industry measures to prevent/mitigate sabotage, (4) design and procedural approaches that could be used to deter sabotage, (5) current NRC and industry initiatives aimed at personnel screening and selection, and (6) design considerations applicable to Advanced Light Water Reactors (ALWRs).

The results reveal that insider sabotage at operating nuclear plants has not been a significant problem in the United States to date and that there are no singular design modifications or procedures that by themselves would completely eliminate or mitigate the threat of insider sabotage. Rather, it will take a combination of systematic and focused improvements in the three areas of reliable personnel, effective design features, and plant procedures developed to provide a strategy to deal with prevention of insider sabotage and to be able to mitigate adverse actions.

CONTENTS

Abstract
Acknowledgments
Executive Summary
1. Introduction
1.1 Background
1.2 Report Organization
2. Historical Review of Sabotage Events at Nuclear Facilities
2.1 Categorization of NRC Safeguard Events
2.1.1 Radiological Sabotage Events
2.1.2 Nonradiological Sabotage Events
2.1.3 Bomb-Related Events
2.1.4 Intrusion Events
2.1.5 Material Missing and/or Allegedly Stolen Events
2.1.6 Tampering/Vandalism Events
2.1.7 Arson Events
2.1.8 Firearm-Related Events
2.1.9 Alcohol/Drug-Related Events
2.1.10 Transportation-Related Events
2.1.11 Miscellaneous Events
2.2 Summary of Safeguard-Related Events
3. NRC Physical Security Requirements
3.1 Physical Security Organization
3.1.1 Summary of NRC Requirements: 10 CFR 73.55(b)
3.1.2 NRC Guidance
3.2 Physical Barriers
3.2.1 Summary of NRC Requirements: 10 CFR 73.55(c)
3.2.2 NRC Guidance
3.3 Access Requirements
3.3.1 Summary of NRC Requirements: 10 CFR 73.55(d)
3.3.2 NRC Guidance
3.4 Detection Aids
3.4.1 Summary of NRC Requirements: 10 CFR 73.55(e)
3.4.2 NRC Guidance
3.5 Communication Requirements
3.5.1 Summary of NRC Requirements: 10 CFR 73.55(f)
3.5.2 NRC Guidance
3.6 Testing and Maintenance
3.6.1 Summary of NRC Requirements: 10 CFR 73.55(g)
3.6.2 NRC Guidance
3.7 Response Capabilities and Vulnerability Analyses
3.7.1 Summary of NRC Requirements: 10 CFR 73.55(h)
3.7.2 NRC Guidance
4. Other Measures To Prevent/Mitigate Sabotage
5. Recommended Alternatives From Previous NRC Studies
5.1 Description of Design Alternatives Assessed in NUREG/CR-4462
5.1.1 Three 100% Trains of Safety-Related Equipment
5.1.2 Two Additional Bunkered RCIC and AFW Pumps for BWRs and PWRs
5.1.3 Feed-and-Bleed Operation of BWR Suppression Pools
5.1.4 Control Rod Drive Hydraulic System for Reactor Coolant Makeup
5.1.5 Cross Connection Between Class 1E/Non-Class 1E
5.1.6 Installation of TV Cameras in Vital Areas
5.1.7 Two-Person Rule
5.2 Insights and Recommendations of USI A-45
5.2.1 USI A-45 Recommendations for Prevention/Mitigation of Sabotage Acts
5.3 Insights and Recommendations of NUREG/CR-2643
5.4 Current NRC and Industry Initiatives Aimed at Personnel
5.4.1 Fitness for Duty
5.4.2 Access Authorization
6. Summary and Recommendations
6.1 Reliable Personnel
6.2 Design and Equipment
6.3 Effective Administrative Procedures
References

Figures

2.1 Number of reactor safeguard events reported, CY 1979-1987
2.2 Number of reactor safeguard events reported, excluding alcohol/drug-related and bomb hoax events

Tables

2.1 Safeguard-related events, 1979-1987
2.2 Insider motivation for events at DOE facilities
2.3 Significant characteristics of high-consequence events at DOE facilities
5.1 Core melt frequency reduction associated with alternatives
5.2 Summary of sabotage detection methods for reactor systems

ACKNOWLEDGMENTS

This report is the result of the efforts of both contractor and NRC personnel. The technical support services provided by Battelle Pacific Northwest Laboratory (PNL) and Battelle's Human Affairs Research Center (HARC) through the efforts of A. S. Tabatabai (PNL) and HARC staff (A. D. Chockie, J. T. Hauth, J. Olson, C. J. Geisendorfer, and M. S. Harris) are noted. In addition, the contributions of NRC staff (W. Minners, K. Kniel, P. Norian, and L. Gallagher) are also acknowledged by the Project Manager.

EXECUTIVE SUMMARY

Insider sabotage of operating nuclear power plants has not been a significant problem in the United States to date. The DOE- and NRC-reported incidents of illicit acts suggest that there have been instances of insider vandalism and tampering at nuclear facilities over the years. However, the majority of these acts have been committed by disgruntled employees who intended to embarrass the management and damage the facility, but not to harm other employees or the public.

Evaluation of current NRC regulatory requirements and industry initiatives and measures in the area of physical security and prevention of insider sabotage indicates that adequate attention is being paid to this issue. The licensees meet the intents of 10 CFR 73.55 requirements for providing physical protection of licensed activities in nuclear power reactors. The licensees have implemented procedures to limit access to vital systems and areas and to prevent unauthorized entries. There are also several NRC and industry steps under way to further refine the screening process of personnel to ensure that only reliable staff members gain access authorization. These measures will be further enhanced and complemented by the NRC's proposed fitness for duty and access authorization rules.

Furthermore, extensive efforts and resources are expended in designing nuclear power plants to minimize the risk to the public health and safety from equipment or system malfunction or failure. Safety measures include provisions for redundancy and separation of important safety systems, confinement and trapping of radionuclides releases, and series of monitors, annunciators, and alarms to warn plant personnel of unusual conditions. Additionally, in response to NRC's regulations and requirements, the nuclear industry has been active in implementing measures to enhance the inherent safety of plant design and to prevent and/or mitigate insider sabotage acts at licensed nuclear facilities. These actions range from physical security measures that limit access to sensitive areas to design features that enhance the availability of systems functions in case of a sabotage attempt. Design and procedural changes implemented at existing plants as the result of such NRC requirements as fire protection, station blackout, and ATWS can be credited for further enhancing plant capability to mitigate the consequences of sabotage acts and to prevent and detect insider sabotage acts.

Several previous NRC-sponsored studies addressing the insider sabotage issue have identified and assessed various design and procedural alternatives. The overall conclusion of these studies was that design alternatives requiring complex changes were not practical and cost effective for existing plants. However, alternatives that rely mainly on simple design modifications, enhanced procedures, or operator training are effective and can in some instances be as effective as major design changes in reducing sabotage-induced core melt frequency and cost significantly less to implement. The core melt frequency reduction attributed to these alternatives is estimated to be in the range of 2E-06/RY to 1E-05/RY. Examples of such alternatives are presented in Section 5.1.

Additional insights from previous studies indicate that there are no single design modifications or procedures that by themselves would completely eliminate or mitigate the threat of insider sabotage. But it takes a combination of systematic and focused improvements in the three areas of reliable personnel, effective design, and adequate procedures to develop a comprehensive insider sabotage prevention/mitigation strategy.

Therefore, based on the findings presented in this report, the staff believes that no regulatory backfit action is justified or needed at this time, particularly considering that employee reliability is being addressed through the recently published fitness-for-duty rule and the publication of a proposed rule on access authorization. The staff therefore believes that licensees should continue to monitor and assess their security practices in terms of: (1) hiring reliable personnel, and (2) developing surveillance procedures to prevent, detect, and mitigate adverse insider acts. In addition, the NRC should continue to monitor and assess the security effectiveness of the licensees' actions and practices through Systematic Assessment of Licensee Performance (SALP) inspections.

Regarding future plants, the staff believes that sabotage should be addressed as follows:

(1) For evolutionary reactor applications, evaluate sabotage in accordance with SECY-89-13, "Design Requirements Related to the Evolutionary ALWRs." As a minimum requirement, information should be provided to demonstrate the existence of adequate physical barriers to protect vital equipment in accordance with 10 CFR 73.55(c) and to identify access control points to all vital areas in accordance with 10 CFR 73.55(d). In addition, the staff expects designers to provide an appropriate discussion of insider and outsider sabotage applicable to their designs. This discussion should include an identification of design features that decrease reliance on physical security programs for sabotage protection.

(2) For advanced reactor applications, the staff recommends development of additional guidance or requirements for plant design features to resist sabotage as discussed in the memorandum from F. Gillespie to B. Morris, dated January 23, 1989, "Design for Resistance to Sabotage."

1. INTRODUCTION

The objective of this report is to provide the technical basis for the U.S. Nuclear Regulatory Commission (NRC) staff resolution of Generic Safety Issue (GSI) A-29, "Nuclear Power Plant Design for Reduction of Vulnerability to Industrial Sabotage" (Ref. 1).

1.1 Background

In 1967 the Florida Power and Light Company was directed by a Commission Order to address industrial sabotage at its Turkey Point plant. Guidance for the protection of nuclear power plants against sabotage was published by the Commission in late 1971. This initial security plan guidance was significantly upgraded in 1977 with the publication of 10 CFR 73.55. These regulations addressed physical protection against radiological sabotage of licensed activities in nuclear power reactors.

The approach employed in developing 10 CFR 73.55 and the associated guidance documents was to treat the reduction of the vulnerability of reactors to sabotage as a plant physical security function and not as a design requirement. Although there is a significant degree of inherent sabotage protection provided by current plant designs, extensive security measures are required to provide an acceptable level of protection. An alternative method would be to incorporate design features into plants to reduce the vulnerability to sabotage. In 1976, GSI A-29 was established as a generic safety issue.

Since 1978, several studies have been initiated by the NRC to address the issue of sabotage and means for its prevention and mitigation. These studies have examined plant-specific vulnerabilities to sabotage and tampering, identified design alternatives, proposed changes to operating procedures, and analyzed the reasons and motivations for insider sabotage attempts. Major findings and insights derived in a selected number of previous NRC studies are summarized in this report.

1.2 Report Organization

The approach used to develop the technical resolution of GSI A-29 was first to review the current NRC regulatory requirements and industry measures (i.e., system designs, procedures, and other initiatives) that have been implemented to reduce plant vulnerability to insider sabotage, and second, to assess the adequacy of these measures and requirements and determine if there is a need and justification for further regulatory action. Consistent with this approach, the information in this report is intended to answer the following questions that arise in the decision-making process to develop a technical resolution for GSI A-29:

How significant a problem is sabotage at nuclear facilities?

What are the current NRC regulatory requirements?

What industry measures and initiatives are provided to prevent and/or mitigate insider sabotage?

What insights and recommendations are provided in previous NRC studies?

What is the appropriate regulatory action(s)?

In an attempt to provide answers to these questions, this report has been organized as follows. Section 2 presents a historical review of sabotage events at nuclear facilities. Discussion in this section also includes insights regarding insider motivation to commit illicit acts. Section 3 summarizes current NRC physical security requirements and guidelines. Section 4 presents a summary of several industry measures and initiatives to prevent, detect, or mitigate insider acts. Section 5 presents a summary of lessons learned, insights, and recommendations from several related NRC studies. Section 6 presents a summary of the report insights and recommendations.

2. HISTORICAL REVIEW OF SABOTAGE EVENTS AT NUCLEAR FACILITIES

An incident M @mymtd mwad a knwt un6 the authority of the NRC must be reported in accordance with the provisions of 10 CFR 73.71. This same section requires the reporting of "...any unaccounted-for shipments, suspected thefts, unlawful diversion, radiological sabotage, or events which significantly threaten or lessen the effectiveness of safeguards." Summaries of the occurrences of these types of events can be found in the NRC Safeguards Summary Event List (SSEL), which is published annually as NUREG-0525 (Ref. 2). The latest version, Revision 14, summarizes those events that were reported to have occurred between 1957 and 1987.

In 1978 the reporting requirements of 10 CFR 73.71 were revised. As a consequence, the NRC noted a 100 percent increase in the number of safeguard events reported between 1978 and 1979. To eliminate any possible distortions in the assessment of event counts due to this reporting requirement change, only those events occurring after 1978 were included in this review effort.

A previous study for the NRC investigated the vulnerability of plants to sabotage and evaluated alternatives to the basic design of nuclear power plants (Ref. 3). The report relied primarily on data both from NUREG-0525, Revision 11 (Ref. 4) (events through 1983) and from the U.S. Department of Energy (DOE) on related incidents at their facilities.

This review is an update of the previous assessment of sabotage events using data from 1979 through 1987.

2.1 Categorization of NRC Safeguard Events

Safeguard-related events have been organized into 11 categories in Revision 14 to NUREG-0525 (Ref. 2), which is the latest version of the report. These 11 categories are:

1. Radiological sabotage events
2. Nonradiological sabotage events
3. Bomb-related events
4. Intrusion events
5. Material missing and/or allegedly stolen events
6. Tampering/vandalism events
7. Arson events
8. Firearm-related events
9. Alcohol/drug-related events
10. Transportation-related events
11. Miscellaneous events

The 11 categories are examined in the following subsections. A brief definition of the category, a review of the number of occurrences between 1979 and 1987, and a set of representative examples are included in each subsection. Also included in this section is a summary of the trends and patterns of the safeguard-related events.

2.1.1 Radiological Sabotage Events

Radiological sabotage includes any deliberate act directed against a licensed activity that could endanger the public health and safety by exposure to radiation.

There were no reported events during the period from 1979 through 1987 that met the radiological sabotage '"k"""-

2.1.2 Nonradiological Sabotage Events

This category is comprised of events that have been determined by the Federal Bureau of Investigation (FBI) to be sabotage events but could not endanger the public health and safety by exposure to radiation.

Only one nonradiological sabotage event occurred during the 1979 through 1987 period. This event took place more than 30 miles from the Palo Verde nuclear power plant operated by Arizona Public Service Company and, although not a situation that directly involves the NRC, it was included in NUREG-0525 for information purposes. The following is a description of the event as summarized in NUREG-0525, Revision 14:

Between approximately 8:50 p.m. and 9:30 p.m., on May 14, three of four transmission lines that provide electrical power to the site were sabotaged. Investigation by the licensee on May 15 revealed that the three lines had been shorted out deliberately at remote locations more than thirty miles from the facility. The four transmission lines converge on the site from four different directions. Because of the distances, timing and actions necessary to short the lines, it was believed that more than one individual was involved in the incident. Since the location where these acts occurred and the lines involved were not subject to NRC security requirements, this event was included because of its general interest and is considered closed pending new developments. Plant status: Unit 1 was in a maintenance outage. Unit 2 was in hot standby and Unit 3 was in a preoperational test phase. Fuel present at site.

2.1.3 Bomb-Related Events

The bomb-related events category consists of those events in which explosives or inflammatory materials were involved. These events are further classified as either bomb threats or those involving bomb devices. Bomb threats are those situations that appeared to be hoaxes. The second bomb-related event classification includes those events where either a bomb or explosive material was found or an explosion occurred at a licensed facility.

Bomb-related events were the most prevalent type of threats to safeguards occurring during the period from 1979 to 1987. Out of a total of 1001 events reported at reactor sites during this period, 429 were bomb-related events. The vast majority (i.e., 426) were bomb threats. Only three situations occurred involving bomb devices. Two of the three involved the possession of explosives, and the third event involved a tube filled with acetylene gas that exploded.

An example of a bomb threat occurred at the Browns Ferry site in 1986. The following is a description of that event as summarized in NUREG-0525, Revision 14:

Bomb threat. Apparent hoax. At 1:25 p.m., an anonymous call was received at a pay phone located adjacent to the visitor processing area at the entrance to the Browns Ferry site. The caller, believed to be male, stated, "This is a bomb threat: at 3:06 p.m., a bomb will go off at the back side." The areas both within and outside the protected area were evacuated and searched, with negative results. The licensee notified the FBI, Limestone County Sheriff's Office, and the Alabama State Police and initiated the appropriate security contingency measures. No perpetrator identified. Plant status: All units had been shut down, and Units 1 and 2 had been defueled. Fuel present at site.

2.1.4 Intrusion Events

Intrusion events are classified as incidents of attempted or actual infiltration of a facility's barriers or safeguards systems. The following are two examples that represent the range of the 29 events that were described in NUREG-0525 as intrusions at nuclear reactor sites for the period 1979 to 1987. Only one intrusion event was reported at a nonreactor facility during the same period.

1985-Three Mile Island, GPU Nuclear Corporation

At 6:10 a.m., three independent demonstrators attempted to block the north gate to the island. The licensee relocated site access to the south gate for about 1 hour. The state police arrested the demonstrators for trespassing. Fuel present at site.

1984-Vermont Yankee, Vermont Yankee Nuclear Power Corporation

At 3:15 p.m., a contractor arrived at Gatehouse 2 to gain access to the protected area. The guard directed him to Gatehouse 3 for processing. While enroute to Gatehouse 3, he mistakenly entered a warehouse access gate open for a delivery. The guard posted at the gate did not detect the unauthorized, uncontrolled entry. The contractor proceeded to his onsite contact, who realized the individual had not been authorized for access and thus escorted him (at 3:30 p.m.) to Gatehouse 3 for proper processing. The guard at the warehouse gate was relieved from duty and disciplined. Licensee investigation of the incident accounted for the contractor's activities while unescorted in the protected area. No safeguards threat had occurred. Fuel present at site.

2.1.5 Material Missing and/or Allegedly Stolen Events

This category includes those events in which licensed material was stolen, alleged to be stolen, or found missing. This category was overwhelmingly comprised of events that took place at nonreactor licensees' facilities. Of the 243 events that were reported between 1979 and 1987, only four occurred at reactors. The following are two of these four events described in NUREG-0525, Revision 14, in which radioactive material was discovered to be missing or stolen:

1987-Indian Point, Consolidated Edison Company

The licensee inventory of special nuclear material (SNM) accounted for all SNM except four fission chambers. Two fission chambers were for Unit 1 and contained 1.5 grams of U-235 each. Two were for Unit 2 and contained 5 grams of U-235 each. The previous inventory of September 10, 1986, did not identify any missing SNM. The licensee searched for the fission chambers with negative results.

1986-Browns Ferry, Tennessee Valley Authority

On October 17, 1986, the licensee reported a fuel loading chamber loss of 10 grams of SNM. On January 14, 1987, the licensee reported the results of a followup inventory that encompassed the entire history of the plant. Four traveling in-core probe (TIP) detectors and nine source range monitor (SRM)/intermediate range monitor (IRM) detectors could not be accounted for and were considered to have been previously shipped as radwaste. The SNM content of these detectors was: TIPs = .001 gram each, SRMs = .003 gram each, and IRMs = .001 gram each.

2.1.6 Tampering/Vandalism Events

Tampering or vandalism events pertain to incidents in which destruction or attempted destruction of property, parts, and equipment occurred but did not directly cause a radioactive release. Between 1979 and 1987 there were 87 tampering or vandalism events reported at nuclear reactor sites.

Typically, instances of tampering or vandalism are similar to the following examples described in NUREG-0525, Revision 14:

W4w. B e ledo Edison Company

The licensee reported two unexplained incidents of misaligned equipment that had no effect on plant operation. The first incident involved the misadjustment of a second stage reheat valve used for pressure reduction in the reheater lines. The second incident involved an open breaker for a motor-operated containment spray isolation valve. Both anomalies were discovered by control room indicators. The licensee conducted an investigation, increased surveillance, and heightened personnel sensitivity to potential anomalies. Fuel present at the site.

1986-Vogtle, Georgia Power Company

The applicant reported two instances of damage to equipment in the Safety Injection (SI) system. Two sight glasses used to indicate oil level in an SI pump were broken, and a relay glass cover in a switch gear supplying power to an SI pump was damaged in such a manner that the relay was also damaged. The applicant's investigation concluded that the incidents appeared to be deliberate and may have been related to reduction of the onsite workforce. Licensee concluded investigation. No perpetrator identified. Plant status: Preoperational. Fuel present at site.

2.1.7 Arson Events

Arson events include intentional acts involving inflammatory materials that result in damage to property, equipment, or other assets. Of the 18 arson-related events reported between 1979 and 1987, 15 took place at nuclear power plants. Two examples of the range of 15 arson events as described in NUREG-0525, Revision 14, are:

MS-Braidwood, Commonwealth Edison Company

At 10:00 p.m., there was a fire in a dumpster located outside the service building. It was promptly extinguished. Two books of matches were found at the scene. Fuel not present at site.

1987-Browns Ferry, Tennessee Valley Authority

At 10:47 a.m., a fire was detected in electrical wiring to the drywell blowers at drywell penetration "EB" in Unit 2. There were no personal injuries. The following systems were affected: drywell and floor drain sump pumps, recirculation loop valve operability, nuclear instrumentation, and drywell blowers and dampers. Localized damage occurred to three cable trays and some aluminum conduits. The fire is believed to be of suspicious origin. The initial investigation by the FBI and the Bureau of Alcohol, Tobacco, and Firearms identified no suspect. Plant status: Shutdown. Fuel present at site.

2.1.8 Firearm-Related Events

The firearms category typically includes events in which a discharge, discovery, or loss of firearms occurred at a licensed facility. There were 104 firearm-related events between 1979 and 1987. The majority (i.e., 95) occurred at nuclear power plants. Two examples of the situations involving firearms as described in NUREG-0525, Revision 14, are presented below:

1987-Haddam Neck, Connecticut Yankee Atomic Power Company

A .38-caliber revolver was detected in the duffle bag of a contract security guard reporting for work when the bag was passed through the metal detector at the protected area primary access control point. The guard stated that it was his personal handgun, which he had inadvertently left in the duffle bag from the previous day. The guard was denied access to the plant, and his employment was terminated. Plant status: Shutdown. Fuel present at site.

1986-Farley Plant, Alabama Power Company

At 10:25 a.m., an officer stationed in the central alarm station accidentally discharged a .38-caliber revolver while dry-firing. No damage to security systems occurred. The officer was placed on administrative leave. Following disciplinary action, the officer was returned to duty. Plant status: Operational. Fuel present at site.

2.1.9 Alcohol/Drug-Related Events

Included in this category are situations involving alcohol or the reasonable suspicion of the illegal sale, use, possession, or introduction of a controlled substance. Since 1985 there has been a significant increase in the number of alcohol- or drug-related events reported to the NRC.

Two factors are considered responsible for this marked increase. The first is the emphasis being placed on these issues by the nuclear utility industry and the NRC's policy on fitness for duty. Second, revisions in the reporting requirements have provided more explicit guidance for the reporting of drug-related events.

Between 1979 and 1987 there were 300 reported drug- or alcohol-related events. Almost two-thirds of these events occurred in 1986 and 1987 alone (42 in 1986 and 150 in 1987). The vast majority of the events took place at nuclear reactor sites. Only four events (all in 1987) occurred at nonreactor locations.

The following are several typical examples, as described in NUREG-0525, Revision 14, of the drug- and alcohol-related events at nuclear reactor sites:

1986-Waterford, Louisiana Power and Light Company

The licensee terminated the jobs of two security officers who had positive results on drug analysis tests. They were among a number of employees selected for testing under the licensee's fitness for duty program. Plant status: Operational. Fuel present at site.

1987-Peach Bottom, Philadelphia Electric Company

A contractor employee tried to enter the protected area while intoxicated. Licensee security guards administered sobriety tests, and the individual failed. His protected area access was revoked, and his employment was terminated. Plant status: Shutdown. Fuel present at site.

1987-Dresden, Commonwealth Edison Company

During a routine entry search, a contractor employee exhibited slurred speech and the odor of alcohol was detected. A full beer can was discovered in his coat during the search. He was denied access, and his employment was terminated. Plant status: Operational. Fuel present at site.

NUHliG-1267 4

1987-Haddam Neck, Connecticut Yankee Atomic Power Company

A three-level drug testing program was completed for the entire security force (109 persons) after a guard was found smoking marijuana on June 20, 1987. The first test level was an enzyme multiplied immunoassay technique (EMIT); the second level, for any EMIT positive results, was a gas chromatography mass spectrometer (GCMS); and the third, for any GCMS positive findings, was a physician's evaluation for possible false positives due to prescription drugs or foods. Three individuals tested positive after the second level test, and their access was terminated. Plant status: Operational. Fuel present at site.

2.1.10 Transportation-Related Events

Events included in this category typically involve situations where licensed material was misrouted or involved in an accident. Between 1979 and 1987 there were 13 such events. Only three of these events involved material from a nuclear reactor site. Two of the events involved misrouting or inadvertent transport of the radwaste shipment. The third event involved a truck accident transporting dewatered resin from a nuclear reactor site.

2.1.11 Miscellaneous Events

Significant events that do not fit into any of the other categories are grouped under the heading of miscellaneous events. Forty-three of the 55 miscellaneous events that occurred between 1979 and 1987 took place at nuclear reactor sites. Two reactor events, as described in NUREG-0525, Revision 14, are presented below:

1986-South Texas, Houston Lighting and Power Company

Between 7 a.m. and 9 a.m., the windows of approximately 350 cars were damaged in the South Texas project parking lot. The damage was believed to be related to labor unrest. The South Texas project had recently reduced the workforce and cut back workhours. A check in the plant revealed no damage to the facility. Plant status: Preoperational. Fuel not present at site.

1985-Shoreham, Long Island Lighting Company

While conducting a routine audit of one of the utility's contractors, anomalies were noted on the certifications of background investigations. The contractor, who provided temporary clerical personnel, had not been requesting background investigations because he thought the licensee was undertaking them. However, the contractor's home office had been issuing the certifications, based on acceptable psychological testing results, for the last year. About 36 clerical personnel with protected area access were involved, two of whom had access to the control room, a vital area. The licensee immediately rescinded their unescorted access authorization. There was no indication of wrongdoing. The licensee investigated other contractors who also might have had the same misunderstanding. Fuel present at site.

2.2 Summary of Safeguard-Related Events

As described below, acts that directly threaten the safety of the nuclear reactor systems and pose a threat to the public health and safety are relatively few in number and have resulted in minimal damage to the facilities.

Between 1979 and 1987, there were a total of 1295 safeguard-related events involving nuclear materials or facilities regulated by the NRC. A breakdown of these events by the 11 classification categories is presented in Table 2.1. Also included in Table 2.1 is the number of events at either nuclear reactor sites or other sites for each category. As can be noted, almost 78 percent (i.e., 1001) of all reported safeguard events occurred at nuclear reactor sites.

Figure 2.1 presents a graphical distribution by year of the 1001 events that occurred at nuclear reactor sites. From 1979 through 1985 the total number of events per year remained relatively constant. In fact, as shown in the lower portion of Figure 2.1, the average number of events per reactor had been decreasing over this period. In 1986 there was a major change in the general trend. Between 1985 and 1986 a 42 percent increase in reported events was experienced. This situation continued between 1986 and 1987 with a 90 percent increase in the number of events. This change was due primarily to bomb threats and alcohol/drug-related events. Bomb threats increased almost 100 percent between 1985 and 1986 and accounted for over 50 percent of the total increase in reactor events during this period. Between 1986 and 1987, though, bomb threats actually decreased by about 20 percent. But during this same 1-year period, alcohol- and drug-related events grew by over 240 percent (from 42 to 146). As previously mentioned, this increase appears to be related to the fitness for duty (FFD) program initiatives instituted by the nuclear utility industry and the NRC.

If one examines the trend of safeguard events at reactor sites, excluding bomb threats or hoaxes and alcohol/drug-related events, the average number of events per reactor has increased only slightly over the past few years.

As shown in Figure 2.2, the average number of events per reactor has been around 0.35 to 0.44 for most of the 9-year period. In 1987, there was a moderate increase due in large part to firearm-related and miscellaneous events.

A review of the event summaries indicates that most acts of damage in power plants are generally committed by insiders. The involvement of intruders from offsite and unauthorized access to restricted areas by onsite staff represent a small percentage of the total reported events. Insider acts cover a range of damage. No acts have had any offsite consequences, and there is no evidence of obvious intent to cause them. However, the acts with intent to cause plant damage have been committed by those with knowledge of the safety systems and with access to sensitive equipment. Several methods of dealing with this threat (i.e., increased redundancy, physical security, physical separation, staff qualification) are discussed in subsequent parts of this report.

[Figure 2.1: Number of safeguard-related events reported per year at nuclear reactor sites, 1979-1987, with the average number of events per reactor in the lower portion.]

[Figure 2.2: Number of safeguard-related events per year at nuclear reactor sites, 1979-1987, excluding bomb threats or hoaxes and alcohol/drug-related events, with the average number of events per reactor.]

Table 2.1 Safeguard-related events, 1979-1987 (Ref. 2).

Type of Event               Events at Reactor Sites   Events at Other Sites   Total
Radiological Sabotage                   0                       0                 0
Nonradiological Sabotage                0*                      0                 0
Bomb Device Events                      3                       0                 3
Bomb Threats                          426                      11               437
Intrusions                             29                       1                30
Missing Material                        4                     239               243
Tampering                              87                       5                92
Arson                                  15                       3                18
Firearm-Related                        95                       9               104
Alcohol/Drugs                         296                       4               300
Transportation                          3                      10                13
Miscellaneous                          43                      12                55
TOTAL                                1001                     294              1295

* The single event identified in Reference 2 was at [illegible] reactor and did not directly involve NRC; this entry is provided for information only.

A previous study for the NRC examined the incidents that have occurred at DOE facilities over the last 35 years (Ref. 3). In general, the majority of the events at DOE facilities were determined to be of little consequence. Between 75 percent and 85 percent of the events involved theft, vandalism, and general personnel misconduct that had little significance related to national security or the public health and safety. The DOE information also provided insights into the insider motivations for their actions. Table 2.2 illustrates the distribution of the known motivations. Table 2.3 deals with the motivations of potentially significant events such as sabotage, nuclear theft, and violent acts. The distribution of motivations changes when high-consequence events are involved. Disgruntlement is a prime motivation in many destructive or violent actions. Bombing incidents usually involve political or ideological motivations. The data suggest that most disgruntled employees who are sufficiently upset with the work environment to perform such acts do so by harming the facility rather than their fellow employees.

Table 2.2 Insider motivation for events at DOE facilities.*

Intent                          Percentage of Total
Greed/personal use or gain           49
Opportunity/availability             20
Disgruntlement                        6
Personal loyalty                      5
Game playing                          4
Mental illness/drugs                  3
Coverup                               2
Political/ideological                 2
Revenge                               2
Gain recognition                      1
Bribery                               1
Gain power                            1
Pay debts                             1
Coerced                               1
Fraud cause                           1
Peer pressure                         0.4
Gambling debts                        0.1
Threatened                            0.1
Religious                             0.05

* From Reference 3.

Table 2.3 Significant characteristics of high consequence events at DOE facilities.

                                              Motivation (%)
Types of Crime               Political/Ideological   Disgruntlement   Revenge   Peer Pressure   Mental Illness
Arson                                 20                   40             5            0              10
Assault                                3                   56             9            0               9
Bombing                               67                   17            17            0               0
Destruction of information            22                   44            11            0              11
Kidnapping                             0                    0            33            0              33
Murder/attempted                      50                    0            13            0              29
Rape                                   0                    0            14            0              25
Sabotage (Vandalism)                  10                   47            10            4               2
Suicide                                0                   17             0            0              66
Threat of violence                     3                   27            16            0              24
Violence                               0                   62            14            0              10

3. NRC PHYSICAL SECURITY REQUIREMENTS

The requirements for the physical protection of licensed nuclear power reactors against radiological sabotage are described in 10 CFR 73.55. Each licensee is required to establish and maintain an onsite physical protection system and the security organization. The objective of the physical protection system and security organization is to "... provide high assurance that activities involving special nuclear material are not inimical to the common defense and security and do not constitute an unreasonable risk to the public health and safety ..." (10 CFR 73.55(a)).

The plant's physical protection system is required to protect against the design basis threat of sabotage that could cause a radiological release. Radiological sabotage is defined in 10 CFR 73.2 as any deliberate act against a plant (or transport) containing special nuclear materials that could directly or indirectly endanger public health and safety by exposure to radiation. Radiological sabotage can take the form of external assault by several people who have formal military training and skills to gain access and destroy the reactor, facility, or safeguards systems. These people may be well armed with weapons and explosives. This definition also assumes the possibility of insider assistance, either with passive assistance such as access information, or active participation in the assault. Radiological sabotage also includes potential internal threats by insiders or employees in any position, for example, a conspiracy among individuals who have access to and detailed knowledge of nuclear power plants. They may have items that could be used to steal special nuclear materials such as small tools, substitute materials, or false documents.

The plant's physical protection system is comprised of a security organization, a physical barrier system, an access control system, detection aids, surveillance and alarm systems and procedures, communications systems, a test and maintenance program, and contingency response plans and procedures.

...tors are described in 10 CFR 73.55. Paragraphs (b) through (h) of the regulations provide specific system performance requirements for protection against radiological sabotage. The seven topics addressed by these paragraphs are:

1. Physical security organization,
2. Physical barriers,
3. Access requirements,
4. Detection aids,
5. Communication requirements,
6. Testing and maintenance, and
7. Response requirements.

The current regulatory requirements and NRC guidance associated with each of these topics are discussed in the following sections.

3.1 Physical Security Organization

The performance objective of the security organization is to detect, engage, and impede any threats or attempts of radiological sabotage or theft of nuclear materials.

3.1.1 Summary of NRC Requirements: 10 CFR 73.55(b)

Each licensee is required to establish a security organization with armed guards to protect the facility against radiological sabotage. Each facility is required to submit to the NRC a security organization plan and documentation that demonstrates the ability of security organization personnel to perform their duties.

The licensee is required to maintain and demonstrate that the safeguards are in accordance with NRC regulations, as specified in the licensee's security contingency and guard training plans. If a contract guard force is used, the licensee is responsible for maintaining contractor safeguards in accordance with NRC regulations and the security plan. The NRC has full access to any documents and reports kept by the licensee and any contractors that apply to the conditions of the security organization. The licensee must demonstrate the ability of its physical security organization personnel to perform their assigned duties, and the contractor has to ensure that all security personnel are aware of their responsibilities.

The security organization must have a formal management system that includes written plant security procedures and a designated individual who is responsible for the development, revision, implementation, and enforcement of those procedures.

A training and qualifications plan must outline which guards, watchmen, armed response persons, and other members of the security organization will be selected, trained, equipped, tested, and qualified, subject to NRC approval. As defined in 10 CFR 73.2, a guard is an armed, uniformed individual whose primary responsibility is the protection of nuclear materials against theft and the protection of the plant against radiological sabotage. A watchman is an individual not necessarily armed or uniformed who assists in plant protection in the course of other duties. Security personnel are to be trained, equipped, and qualified in accordance with the "General Criteria for Security Personnel" described in Appendix B to 10 CFR Part 73. At least one security organization member must be on site at all times.

3.1.2 NRC Guidance

Detailed acceptance criteria and guidelines for the plant security organization are described in NUREG-0908 (Ref. 5). This includes the following areas: security organization development, management policies, the responsibility of the security organization to train nonsecurity plant personnel on radiological sabotage measures, local law enforcement liaison, and security personnel equipment.

3.2 Physical Barriers

The performance objective for the physical barrier system is to serve as an effective safeguard against threats or attempts of radiological sabotage.

3.2.1 Summary of NRC Requirements: 10 CFR 73.55(c)

Vital equipment must be located within a protected area so that access requires passage through at least two physical barriers. Vital equipment is defined in 10 CFR 73.2 as any equipment, system, device, or material whose damage, destruction, or release could directly or indirectly endanger the public health and safety by radiation exposure. Any equipment required to protect public health and safety in case of radiological sabotage is considered vital. Areas in which this equipment is housed are also considered vital.

Physical barriers to vital equipment and areas include fences, buildings, walls, ceilings, and floors, and any other physical obstructions intended for that purpose. Physical barriers must be separate and distinct from one another within the protected area. Isolation zones are required between the physical barrier and the protected area barrier to permit viewing clear of all objects that could conceal or shield an individual. Vehicle parking areas must be outside the isolation zone and outside the protected area barrier.

3.2.2 NRC Guidance

Guidance for physical barrier systems is addressed in several documents. These include NUREG-0908 (Ref. 5), Regulatory Guide 5.65 (Ref. 6), and NUREG/CR-1327 (Ref. 7).

NUREG-0908 provides guidelines to satisfy the design and performance requirements for physical barriers. These guidelines include assessment criteria for protected area barriers; vital area/island barriers; security posts and structures; keys, locks, and combinations; and test and maintenance procedures.

Regulatory Guide 5.65 provides detailed examples of physical barrier hardening techniques for openings and physical barrier requirements for water sources.

3.3 Access Requirements

The primary objective of access control requirements is to limit access to protected and vital areas of the plant to authorized personnel with a legitimate need to be in those areas.

3.3.1 Summary of NRC Requirements: 10 CFR 73.55(d)

The licensee is responsible for controlling all points of personnel and vehicle access into protected areas. A controlled access area is defined in 10 CFR 73.2 as any temporarily or permanently established area clearly demarcated and controlled to isolate the materials and people within.

Prior to entering a controlled access area, licensees are authorized to search and seize any device that could be used for radiological sabotage. If there is suspicion that an individual is attempting to bring firearms, explosives, or incendiary devices into protected areas, the licensee is authorized to conduct a physical pat-down search of the individual. If firearm or explosive detection equipment is inoperative or not operating properly, the licensee is authorized to conduct physical searches of all individuals who otherwise would have required an equipment search. The individual controlling the last access control point must be isolated within a bullet-resistant structure. Licensees are also authorized to search hand-carried packages and vehicles for firearms, explosives, and incendiary devices that could be used for radiological sabotage.

As defined in 10 CFR 73.2, an authorized individual is any person who is designated by the licensee to have responsibility or control over special nuclear materials, or an individual who has unescorted access to areas where special nuclear materials are used or stored. A material access area is any location that contains special nuclear material. These locations are protected by physical barriers. A numbered picture badge identification system is required for all individuals with authorized access to protected areas without escort. Individuals not authorized to enter protected areas without escort must be escorted.

Each licensee is required to establish an access authorization system to limit unescorted access to vital areas during nonemergency conditions to individuals who require access to perform their duties. The access authorization system requires:

• Establishment of current authorization access lists,
• Control over all points of personnel and vehicle access,
• Revocation of an individual's unescorted access authorization upon termination,
• Installation of an intrusion alarm system,
• Provisions for rapid ingress and egress during emergency conditions,
• Alarmed and locked doors or hatches in order to gain access to the reactor containment, and
• Changing or rotating keys, locks, combinations, and related access control devices at least every 12 months.

3.3.2 NRC Guidance

Several documents provide guidance on access control. These include NUREG-0908 (Ref. 5), Regulatory Guide 5.7 (Ref. 8), and Regulatory Guide 5.65 (Ref. 6). The guidance in Regulatory Guide 5.7 is not directly aimed at the nuclear power plants (it is applicable to nuclear fuel cycle facilities). However, the general insights contained in this regulatory guide are applicable to nuclear power plant security measures. Other NRC guidance is found in Regulatory Guide 5.12 (Ref. 9) and in Review Guidelines Number 18 (Ref. 10).

NUREG-0908 describes access authorization requirements for protected area access and vital area/island access. Assessment criteria are also provided for picture badge systems; searches of personnel, vehicles, packages, and material that may contain firearms, explosives, or incendiary devices; search equipment; access and entry requirements for personnel; escort procedures; and records criteria.

Regulatory Guide 5.7 describes entry identification and authorization procedures; personnel search procedures; package or material identification and search equipment and procedures; and entry and search aids for protected areas, nuclear material access areas, and vital areas. The appendix to Regulatory Guide 5.7 provides an acceptable testing method for determining the detection capability of firearm, explosive, and metal detectors.

Regulatory Guide 5.65 provides detailed criteria for access control measures under routine and emergency conditions and suspension of security measures in an emergency. It also provides information on the control of locks, combinations, and related access control devices.

Regulatory Guide 5.12 provides guidance on the types of locks to be used in controlling access and the acceptance criteria for each type of lock.

Review Guidelines Number 18 describes the regulatory position for access control functions for controlling admission to protected areas.

3.4 Detection Aids

Detection aids consist of intrusion alarms that are electrical, electromechanical, or electro-optical. All these types of detection aids will detect intrusion by an individual into a protected area and/or detect tampering with the aid itself. Detection aids are intended to satisfy the performance objectives of 10 CFR 73.55 by warning security personnel immediately of unauthorized access in protected areas.

3.4.1 Summary of NRC Requirements: 10 CFR 73.55(e)

All alarms must annunciate in a continuously manned central alarm station located within the protected area and in at least one other continuously manned station not necessarily on site so that a single act cannot remove the capability of calling for assistance or responding to the alarm. The onsite central alarm station must be located so that it is not visible from the perimeter of the protected area. Personnel assigned to the alarm station must not have any conflicting duties that interfere with response to alarms. The alarm station walls, doors, floor, ceiling, and any windows must be bullet resistant. Secondary power supplies for alarm annunciator equipment must be located within vital areas. All emergency exits in protected areas and vital areas require alarms.

All alarm systems must be tamper-indicating and self-checking (i.e., provide automatic indication when the alarm system fails).

3.4.2 NRC Guidance

Several documents provide guidance for detection aids and support systems. These include NUREG-0908 (Ref. 5), NUREG/CR-1468 (Ref. 11), NUREG/CR-0509 (Ref. 12), Regulatory Guide 5.44 (Ref. 13), and Review Guidelines Number 10 (Ref. 14). The guidance provided in NUREG/CR-1468 and NUREG/CR-0509 is not directly aimed at nuclear power plants; it is intended for fuel cycle facilities. However, the general insights from these reports are applicable to nuclear power plant security measures.

NUREG-0908 provides general acceptance criteria for alarm/intrusion devices, illumination, surveillance, records of false and nuisance alarm rates, tamper indication and self-test capabilities of alarms, compensatory measures in the event of detection hardware outages, central alarm station/secondary alarm station operating procedures, test and maintenance procedures, and records.

NUREG/CR-1468 provides detailed information on intrusion detectors, signal transmission units, and receiver units in support of the performance requirements cited in 10 CFR 73.55(e)(1). NUREG/CR-1468 also provides information on detection aids, including alarm station receivers and systems, and closed circuit television (CCTV) systems.

NUREG/CR-0509 describes methods for supplying electric power for security operations in the event of normal power loss. The report addresses systems requirements, estimated costs per kilovolt-ampere, operating and maintenance requirements, and system information.

Regulatory Guide 5.44 describes several types of perimeter intrusion alarm systems that satisfy the performance criteria described in 10 CFR 73.55. These alarm systems include microwave, electronic field, ferrous metal detector, pressure/strain-sensitive, infrared, and vibration- or strain-detector perimeter alarm systems. Also discussed are implementation considerations. Appendix A to the regulatory guide contains examples of testing methods for perimeter intrusion alarm systems. Appendix B provides methods that can be used to calculate the confidence limit on the detection probability of alarm systems.

Review Guidelines Number 10 discusses compensatory measures for security lighting in the event of normal power loss.

3.5 Communication Requirements

The primary purpose of the communication requirements for the plant physical protection system and security organization is to provide rapid response to radiological sabotage threats and theft and to aid effective coordinated response efforts.

3.5.1 Summary of NRC Requirements: 10 CFR 73.55(f)

Guards, watchmen, and response individuals on duty must be able to maintain continuous communication with an individual in each alarm station. In turn, the person in the alarm station must be able to call for assistance from other guards, watchmen, and armed force personnel and from law enforcement authorities.

Alarm stations are required to have both conventional telephone service and radio or microwave-transmitted two-way communication with law enforcement agencies. In the event of power loss, nonportable communications equipment must have an independent power source.

3.5.2 NRC Guidance

Several documents discuss requirements and guidelines for security communication systems. These include

NUREG-0908 describes communication system guidelines, including emergency power systems, communication system compatibilities with plant monitoring equipment, tamper-indicating devices, and testing and maintenance criteria.

1 NUREG/CR-0508 describesvarious communication sys-3.7.1 Summary of NRC Requirements:

tems requirements, types of communication systems, 10 CFR 73.55(h) command and control centers, and system analysis guide-lines.

Licensees are required to establish a safeguards contin-a gency plan for dealing with threats, thefts, and radiologi-l ca! sabotage. Safeguards contingency plans must be de-3.6 Testing and Maintenance veloped in accordance with criteria in Appendix C,"Li-censee Safeguards Contingency Plans," to 10 CFR Part The purpose of the test, maintenance, and audit proce.

73. In the event of threats, theft, or radiological sabotage, j

dures is to ensure that the security organization and all se.

an acceptable safeguards contingency plan must contam a 1

curity systems continue to satisfy established perform.

predetermined set of decisions and actions to satisfy

)

ance criteria.

stat ed objectives to identify data, criteria, procedures, and mechanisms necessary to carry out the decisions and ac-tions and to specify the individual, group, or organization 3.6.1 Summary of NRC Requirements:

responsible for each decision and action.

10 CFR 73.55(g)

A safeguards contingency plan is required to have five

Licensees are required to test and maintain intrusion alarms, emergency alarms, communication equipment, physical barriers, and other security-related devices as required. Communication and alarm equipment used for security should be tested on a periodic basis. Onsite communication systems should be tested at the beginning of each security personnel work shift. Offsite communication equipment must be tested at least once a day.

The security program requires periodic review at least every 12 months by evaluators who are independent of security organization supervisors and managers. This review includes an audit of security management, supervision, procedures, practices, the effectiveness of the physical protection system, the plant physical protection system's testing and maintenance program, and liaison agreements with local law enforcement agencies.

3.6.2 NRC Guidance

Guidelines are provided for test, maintenance, and audit procedures for the plant security organization and physical protection systems. These guidelines are included in NUREG-0908 (Ref. 5), which provides general performance criteria and guidelines for the evaluation and audit of physical security at nuclear power plants.

NUREG-0908 also provides general guidelines for testing and maintaining communication systems.

3.7 Response Capabilities and Vulnerability Analyses

The general objective of response capabilities and vulnerability analyses is to ensure that each licensee has the ability to deter, impede, and respond to threats of actual radiological sabotage attempts or theft of special nuclear materials. This includes the development and implementation of a licensee safeguards contingency plan.

• Background. The background section describes perceived dangers and incidents that the plan addresses, the purpose of the plan, and the general aims and operational concepts underlying the implementation of the plan.

• Generic Planning Base. The generic planning base defines the criteria for initiating and handling a safeguards contingency (e.g., the planned response to alarms or other indications that a protected area has been penetrated, that material is missing or unaccounted for, or that there have been threat indications such as telephone threats or escalating civil disturbances).

• Licensee Planning Base. The licensee planning base describes unique factors at each facility that affect contingency planning. This includes the licensee's organizational structure, the physical layout of the plant including physical structures and their locations, and a description of the site in relation to nearby towns, roads, and other environmental features important to the effective coordination of response operations. Emphasis is [...] main and [...] command and control points for response activities. Also included in the licensee planning base are transportation routes, safeguards system hardware, law enforcement assistance agreements, policy constraints, and assumptions such as use of deadly force, use of employee property, use of off-duty employees, site security jurisdiction boundaries, and administrative and logistical considerations.

• Responsibility Matrix. The responsibility matrix identifies organizational entities responsible for specific responses to safeguards contingencies. The responsibility matrix depicts the assignment of responsibilities for all decisions and actions to be taken in

response to the initiating event and provides an overall picture of the response actions and interrelationships. These safeguards responsibilities are assigned so that there is no conflict in duties or responsibilities that would prevent the execution of a safeguards contingency plan.

• Procedures. In order to execute the safeguards contingency plans described in the responsibility matrix, procedures detail the actions and decisions to be made by each member or unit of the responsible organization.

As part of the general response requirements, the licensee is responsible for establishing and documenting liaison agreements with local law enforcement authorities.

In the event of an unusual presence or activity of persons within an isolation zone, the security organization will determine whether a threat exists, assess the extent of the threat, and take immediate concurrent measures to neutralize the situation with guards, armed response personnel, and/or assistance from local law enforcement agencies. In the event of radiological sabotage, a threat, or theft, guards and all armed response personnel are required to use whatever force is required to impede attempted acts of radiological sabotage or theft.

In order to detect a threat, observation of all isolation zones and physical barriers at the perimeter of the protected area is required, preferably by means of CCTV or by other suitable means that limit exposure to possible attack.

3.7.2 NRC Guidance

Guidelines for response capabilities and vulnerability analyses are provided in several documents, including NUREG-0908 (Ref. 5).

A current study under way for the NRC will assess contingency response planning and vulnerability analysis guidelines to counter vehicle bomb threats. This study will include analyses of scenario response options, bomb blast effects on power plant systems, selection of preferred systems, and contingency response measures.

4. OTHER MEASURES TO PREVENT/MITIGATE SABOTAGE

Extensive efforts and resources are expended in designing nuclear power plants to minimize the risk to the public health and safety from equipment or system malfunction or failure. Safety measures include provisions for redundancy and separation of important safety systems, confinement and trapping of radionuclides releases, and series of monitors, annunciators, and alarms to warn plant personnel of unusual conditions.

Furthermore, in response to NRC regulations and requirements, the nuclear industry has been active in implementing measures and procedures to enhance the inherent safety of plant design and to prevent and/or mitigate insider sabotage acts at licensed nuclear facilities. These actions range from physical security measures that limit access to sensitive areas to design features that enhance the availability of system function in case of a sabotage attempt.

The available literature was reviewed and several meetings with the management of the Nuclear Utility Management and Resources Council (NUMARC) were held to obtain a better understanding of the current industry practices and capabilities to prevent, detect, or mitigate insider sabotage acts. The following is a summary of the findings from the literature reviews and the meetings:

1. All plants are required to comply with the requirements of 10 CFR 73.55. Examples of industry measures include implementation of card-reader access systems, search of all vehicles and individuals, and the use of microwave detection systems, locked doors, double fences, and surveillance cameras.

2. Records of individuals entering sensitive areas and the time spent in those areas are kept. In addition, card-reader access systems will activate an alarm if there is delay in entrance (i.e., unauthorized individuals walking into sensitive areas once a door is opened).

3. Security personnel are required to have periodic training that includes conducting drills on a regular basis.

4. In some plants, a security guard accompanies plant personnel while inspecting and repairing sensitive systems. Entry into vital areas also requires authorization from both the Engineering and Security Departments.

5. Preemployment investigation of staff, personnel screening, psychological profile testing, and testing [...]

In addition, the inherent safety design features of licensed plants, regulatory requirements imposed by the NRC to address plant design vulnerabilities in certain areas, other than sabotage, have also contributed to increasing plant resistance to sabotage acts. For example, Appendix R to 10 CFR Part 50 specifies "... structures, systems, and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions."


Nuclear power plants have met the intent of this requirement by installing automatic fire detection systems, physically separating safety systems, separating cables and equipment and associated nonsafety circuits of redundant trains by a fire barrier having a 3-hour rating, and monitoring a trained and equipped onsite fire brigade (a team of at least five members on each shift). In addition, the plants must demonstrate that an alternative or dedicated shutdown capability is provided for a specific fire area. This shutdown capability must be able to (1) achieve and maintain subcritical reactivity conditions in the reactor, (2) maintain reactor coolant inventory, (3) achieve and maintain hot standby conditions for a PWR (hot shutdown for a BWR), (4) achieve cold shutdown conditions within 72 hours, and (5) achieve cold shutdown conditions thereafter. Implementation of Appendix R requirements has not only enhanced plant capabilities to deal with "accidental" fires but also those that are "intentionally" initiated.

Specifically, the modifications made by the utilities to address the fire protection issues presented in Appendix R to 10 CFR Part 50 have provided the plants with the ability to use the plant fire-water system as an alternative coolant supply in the event of the loss of the emergency service water (ESW) system. The increased pumping capabilities of the modified fire-water systems allow the plants to use the system to remove heat from the secondary side of the residual heat removal (RHR) heat exchangers as well as simultaneously meet the necessary fire protection needs of the plant.

For a postulated sabotage scenario in which the saboteur attempts to cause a failure in the ESW system, there may be an alternative coolant supply available by using the plant fire-water system. This would render a sabotage action against the ESW system ineffective and help to prevent plant damage and public consequences. Therefore, as a result of the Appendix R requirements, there may be an additional element of redundancy in the ESW system at many plants.

The fire protection program, therefore, extends the concept of defense-in-depth to fire protection in areas that are important to safety. This increased attention to fire safety in safety-significant areas may serve to prevent or discourage potential acts of sabotage using fire as an initiator. In addition, fire detection systems, fire suppression systems, and a trained fire brigade serve to mitigate the consequences of a fire whether accidentally or intentionally started as an act of sabotage.

Additionally, since the inception of the Generic Safety Issue A-29, there have been a number of NRC-sponsored efforts directed at the identification of various design alternatives and measures to reduce the vulnerability of nuclear power plants to sabotage. Most alternatives deal with the situation where the primary and backup systems are not available coincidentally with the loss of offsite power (Ref. 3).

During this same time period the NRC and nuclear utilities have initiated a number of activities to address the issues associated with both the physical security and sabotage. The following information, based on discussions with representatives from NUMARC, provides an overview of some of the specific plant activities and modifications that address some of the concerns raised in GSI A-29.

The loss of Class 1E batteries to start the diesels is a sabotage scenario that has been identified as having a potentially significant impact on the safe shutdown of a plant. If this situation did occur, the staff at the affected plant would have both the skill and equipment to install the necessary cross connections between the Class 1E and non-Class 1E battery systems.

If, because of a sabotage act in which there is a loss of offsite power and failure of the normal component cooling water (CCW) pumps, there will be a need to remove the heat from those components that are normally serviced by the CCW, most plants currently have the ability to use the ESW system to cool these components. There are procedures in place to properly align the breakers and ensure the necessary flow to the components.

Furthermore, NUMARC has developed a set of guidelines and technical bases to address NRC's station blackout requirements at light water reactors (LWRs). As part of this process, five general initiatives were identified by NUMARC to address the most likely contributors to station blackout risk (Ref. 16). These initiatives are:

• Risk reduction. Each utility is required to review its site(s) against Regulatory Guide 1.155 (Ref. 17). Utilities are required to reduce site contributions to the overall risk of station blackout.

• Procedures. Each utility is to implement procedures at each site in the following areas: coping with a station blackout, restoring ac power following a station blackout event, preparing the plant for severe weather conditions to minimize the probability and consequences of offsite power loss, and station blackout response.

• Cold starts. Each utility is required to reduce or eliminate cold fast-starts of emergency diesel generators during testing. Utilities should ensure that emergency diesel generator tests are performed only when the diesel has been prewarmed and lubricated except during actual demand tests (e.g., during a scheduled outage). Current initiatives also include

the development of an emergency diesel generator reliability program.

• Emergency power availability. Each utility is required to assess the ability of its plants to cope with a station blackout, using the industrywide plant performance indicator program managed by the Institute for Nuclear Power Operations (INPO). Through this program, a plant can monitor specific diesel generator unavailability and compare its performance to an industry average.

• Coping assessment. Each utility is required to assess the ability of its plants to cope with a station blackout. This initiative addresses condensate inventory for decay heat removal, assessment of the Class 1E battery capacity, compressed air, effects of ventilation loss, and containment isolation.

These initiatives should ensure that essential decay heat removal systems will perform satisfactorily during station blackouts. For a PWR, these initiatives ensure that the core remains covered in the event of a station blackout. For a BWR, only a momentary core uncovering is allowed. For both PWRs and BWRs, all isolation valves should perform as intended without ac power. Again, implementation of these initiatives provides an additional degree of sabotage deterrence and mitigation capability for sabotage-induced transients.

Finally, design and procedure modifications in response to the anticipated transient without scram (ATWS) issue can also be credited for enhancing sabotage prevention and mitigation capabilities of plants. The NRC's ATWS rule, as well as requiring specific hardware changes (i.e., diversified means of actuating the scram system), urges the licensees to develop a reliability assurance program for the reactor trip system (RTS). The reliability assurance program should include an analysis of the failure modes of the RTS, establishment of a numerical performance standard for the RTS, feedback of industrywide operating experience, and licensee programs to ensure that the frequency of challenges to the RTS be as low as practicable.

These reliability assurance programs, while being directed at preventing ATWS events, can also help to prevent/mitigate sabotage actions by ensuring that the RTS not be vulnerable to single failures. In addition, the failure modes analysis suggested in NRC's ATWS resolution could provide additional information to licensees on potential vulnerabilities within the RTS. These vulnerabilities, if discovered, could then be dealt with by the licensees in order to prevent their exploitation by potential saboteurs.

5. RECOMMENDED ALTERNATIVES FROM PREVIOUS NRC STUDIES

Over the last few years, several studies have been initiated by the NRC that have assessed the issue of nuclear power plant sabotage. As part of these studies, a number of potential design and procedural modifications have been proposed to reduce the vulnerability of nuclear power plants to sabotage. The range of design changes proposed include complex design modifications such as addition of a dedicated, bunkered, decay heat removal system, or addition of a third 100-percent train of safety systems, to relatively simple changes such as installation of CCTV to cover vital areas. These studies have also attempted to assess the effectiveness of the proposed design and procedural modifications. In some cases, because of the high costs associated with a given design change, it was judged not to be cost effective. In other cases, specific design changes proved to be cost effective and appropriate on a plant-specific basis, but not for the entire class of LWRs. The overall conclusion of many of these previously initiated studies is that single design or procedural changes are not the most effective solution to the insider sabotage issue. It takes a focused and systematic approach in the three areas of reliable people, effective design, and effective administrative procedures to develop a comprehensive sabotage prevention/mitigation strategy. More detailed discussion of this approach is presented in Section 6.

In this section a summary is provided of the design and procedural modifications proposed in selected previous NRC-sponsored studies. A brief discussion of the effectiveness of these proposed changes is also provided.

As part of a previous NRC effort to address the GSI A-29, 25 sabotage and tampering avoidance technology alternatives were assessed (NUREG/CR-4462) (Ref. 3). The alternatives were prioritized according to their relative impact on reducing core melt frequency associated with sabotage and tampering acts. Section 5.1 presents a brief description of several of the proposed alternatives that were assessed in NUREG/CR-4462.

Section 5.2 presents the insights and recommendations generated in NRC's evaluation of the Unresolved Safety Issue (USI) A-45, "Shutdown Decay Heat Removal Requirements."

Section 5.3 presents a brief overview of the conclusions reached in another NRC-sponsored study, NUREG/CR-2643 (Ref. 18).

Finally, Section 5.4 presents a discussion of several ongoing efforts by the NRC staff that address a crucial ingredient of insider sabotage prevention strategy, the human element.


5.1 Description of Design Alternatives Assessed in NUREG/CR-4462

This section provides a brief discussion of the description and effectiveness of selected design and procedural alternatives analyzed in NUREG/CR-4462 that were assessed to have the greatest impact on addressing the insider sabotage issue. Although the costs associated with implementing these alternatives were not estimated as part of the NUREG/CR-4462 study, the effectiveness of the alternatives in terms of their impact on reducing sabotage-induced core melt frequency was quantified. Table 5.1 presents a summary of the alternatives discussed below and the core melt frequency reduction associated with the proposed alternatives.

Table 5.1 Core melt frequency reduction associated with alternatives [Base Case Sabotage CMF = 2E-04/RY]

Alternative                                                 Core Melt Frequency Reduction   Type of Fix
Three 100% trains of safety-related equipment               2E-05/RY                        Complex design change
Bunkered RCIC and AFW pumps                                 1E-04/RY                        Complex design change
Feed-and-bleed operation of suppression pool                2E-06/RY                        Procedural and operator training
Use of CRDHS to supply reactor coolant makeup               1E-05/RY                        Significant design change
Cross connection provided between Class 1E/non-Class 1E     2E-06/RY                        Design and procedural changes
Implementation of the two-person rule                       1E-05/RY                        Procedural change
Installation of TV cameras in vital areas                   2E-06/RY                        Design change

5.1.1 Three 100% Trains of Safety-Related Equipment

The present arrangement in plants is to have two independent safety trains: from sensors; through logic circuitry; through engineered safeguards actuation; to the paths for safety injection, containment isolation/spray, and emergency power generation. Although this arrangement provides separation of the train components in such a way that the single failure criterion is met, acceptable levels of reliability are established, and surveillance for determining operability status is possible without shutting down the plant, it can still be postulated that it is possible for a group of knowledgeable and determined individuals to disable a sufficient amount of equipment to paralyze many plant safety functions, including reactor protection. This alternative would call for the addition of a third isolated safety train to be located in a different location (with adequate controlled access and separation) from those that now exist at many plants.

The core melt frequency associated with implementation of this alternative was estimated to be 2E-05/RY. This is a very complex and expensive design modification for existing plants since there is no physical room to add another set of systems with all the diversity, fail-safeness, and other desired requirements. In addition, the basic concept behind this alternative, "bunkered safety systems," has been analyzed in the resolution of USI A-45 (Ref. 19) and shown not to be cost effective.

5.1.2 Two Additional Bunkered RCIC and AFW Pumps for BWRs and PWRs

This alternative requires two additional bunkered reactor core isolation cooling (RCIC) and AFW pumps for BWRs and PWRs, respectively. This would provide an additional degree of redundancy to ensure [...] shutdown. [...] bunkered pump arrangement [...] system loss due to insider sabotage actions more difficult.

This design feature was estimated to reduce the sabotage-induced core melt frequency by 1E-04/RY. This concept was assessed in a much greater depth as part of USI A-45 studies (Ref. 19) and shown not to be cost effective.

5.1.3 Feed and Bleed Operation of BWR Suppression Pools

The normal heat removal path from the reactor (i.e., steam blowdown to the main condenser) is lost following a loss of offsite power due to loss of the main circulating water system that cools the condenser and maintains its vacuum. When this event occurs, steam is vented to the suppression pool because safety/relief valves open as a result of high pressure. Cooling water is supplied to the core by the RCIC system, the high-pressure coolant injection (HPCI) system, or the high-pressure core spray (HPCS) system. After initial supplies of water stored in the condensate storage tank (CST) and/or the refueling water storage tank (RWST) are exhausted, these systems are realigned to draw water from the suppression pool. Suppression pool cooling is provided via heat exchange to CCW and/or service water systems (SWSs), which transfer heat to the ultimate heat sink. This is accomplished by

a single-mode containment spray system or by an operating mode of another system such as the low-pressure core spray (LPCS) system, the low-pressure coolant injection (LPCI) system, or the RHR system. If suppression pool cooling is lost, the pool will heat up to its design temperature/pressure limit within a matter of hours. This design feature would provide an alternative method to prevent such heatup.

In a sabotage scenario, a loss of offsite power is assumed to occur coincidentally with sabotage of the suppression pool cooling systems. Other safety-related systems are assumed to operate normally, including those supplying water from the suppression pool to the core and the emergency diesel generators. This design feature would provide an alternative method for cooling the suppression pool in the event that normal suppression pool cooling systems are disabled. Acceptable suppression pool temperature would be maintained by supplying "cold" water to the pool and draining off "hot" water. Radioactively contaminated water from the pool would be transferred to large onsite tanks where possible (CST or RWST) or to a large onsite settling basin.

This alternative was estimated to reduce the sabotage-induced core melt frequency by 2E-06/RY. It is believed that this alternative can be implemented at most plants through procedural changes and operator training.

5.1.4 Control Rod Drive Hydraulic System for Reactor Coolant Makeup

In BWRs, the control rod drive hydraulic system (CRDHS) supplies pressurized water to operate and cool the control rod drive mechanisms. The system typically has two pumps, each capable of supplying 100 percent of the system requirements. The water is drawn from the condensate storage tank and is ultimately discharged to the reactor vessel.

In a sabotage scenario where a loss-of-offsite-power transient occurs coincidentally with a successful sabotage of the high-pressure injection system, which may include the RCIC system, the HPCI system, the HPCS system, or the feedwater coolant injection (FWCI) system, the CRDHS could be used as an additional high-pressure injection [...]

The effectiveness of this alternative in terms of reduction in sabotage-induced core melt frequency was estimated to be 1E-05/RY. Implementation of this alternative at existing plants will require significant design modifications associated with additional pumping capacity and larger piping and valves. This may not prove to be a cost-effective alternative at most plants and should be analyzed on a plant-specific basis.

5.1.5 Cross Connection Between Class 1E/Non-Class 1E

This alternative would provide cross connections to permit the non-Class 1E batteries to supply dc power to safety-related systems when one or more Class 1E batteries are disabled. In the sabotage scenario, a loss of offsite power is assumed to occur coincidentally with sabotage of one or more Class 1E batteries. At least one emergency diesel generator receives control power from an operable Class 1E dc supply and operates, providing Class 1E ac power to safety-related systems.

The effectiveness of this alternative in terms of sabotage-induced core melt frequency reduction was estimated to be 2E-06/RY. It is believed that the implementation of this alternative can be accomplished at existing plants through removable disconnect links in each bus tie circuit, two circuit breakers in series located at different locations to minimize the likelihood of inadvertently or accidentally crosstying the circuits, administrative controls, procedural changes, and operator training.

5.1.6 Installation of TV Cameras in Vital Areas

The proposed design alternative to install CCTV cameras in vital areas would provide a means to both monitor the area for unauthorized entry and activities and to assess the existence of a threat.

The effectiveness of this alternative in terms of sabotage-induced core melt frequency reduction was estimated to be 2E-06/RY. It is believed that this alternative can be simply implemented at existing plants.

Currently, onsite security surveillance systems use access cards and TV cameras to monitor for unauthorized entry. Augmentation of such surveillance techniques to monitor for unauthorized access to vital areas, or equipment, would thereby provide a means to detect such entries and [...]

5.1.7 Two-Person Rule

The two-person rule is a means of protecting against potential "insider" sabotage attempts by limiting the access to important areas to teams of workers with at least two people of equivalent experience. The objective of the proposed rule is that when work is being performed in an important area, a person with an equivalent level of experience as the person doing the work oversees the actions being taken, thereby reducing opportunities for sabotage events.

The effectiveness of this alternative in terms of sabotage-induced core melt frequency reduction was estimated to be 1E-05/RY. Military experience with the two-person


rule has been very positive and it is believed that it may prove to be as effective in nuclear power plants.

5.2 Insights and Recommendations of USI A-45

As part of NRC staff evaluation of USI A-45, "Shutdown Decay Heat Removal Requirements," the issue of sabotage and plant vulnerabilities to insider sabotage acts was also considered (Ref. 19).

The study concluded that lack of independence, separation, and physical protection of redundant safeguard trains makes a significant contribution to plant risk. In addition, support system failures (i.e., emergency power, service water, and component cooling) and lack of redundancy and sharing of systems at support system level contribute significantly to core melt frequency.

The study also identified the potential vulnerability of safety-related or decay heat removal equipment to unauthorized acts by virtue of the plant arrangement. It should be noted that these vulnerabilities are plant-specific.

A listing of some of the potential vulnerabilities follows. Details of these vulnerabilities can be found in the safeguard appendices of the USI A-45 study (Ref. 19).

• Failure to switch over from injection to recirculation
• Station blackout due to common-mode battery failure
• Station blackout due to diesel generator failure
• Failure of ECC recirculation due to RHR pump cooling failure caused by valve failure
• Common-mode failure of safety system pumps
• Common-mode failure of safety system valves
• Failure of the low-pressure injection system in the recirculation mode
• Failure of the AFW system turbine-driven pump
• Failure of the CWS pumps
• Long-term station blackout caused by battery depletion or condensate storage tank depletion

In addition to identification of the above vulnerabilities, USI A-45 discussed ways in which an insider could disable systems using "simple" means. The concerns for sabotage vulnerability are illustrated with the following examples. Again, details of these vulnerabilities can be found in sabotage studies related to the USI A-45 study (Ref. 19).

1. Component Cooling Water Systems

In one of the reference plants, the CCW pumps are located in a common area. Each of the CCW pumps may be isolated by closing upstream and downstream manual valves. The CCW heat exchangers located in a different location have a similar configuration. These manual valves are accessible to the operators and therefore they could be deliberately closed. Since the CCW is an active [...] would be indicated in the control room; however, an operator would have to examine the equipment to ascertain the reason for the loss of flow.

2. Auxiliary Feedwater System

In one of the reference plants, the four AFW pumps are located in a common compartment. Each pump train may be isolated from the system by upstream and downstream manual valves. There are also motor-operated valves on the downstream side of the pumps; therefore, if any one of three valves in a train is closed and disabled closed, that train is unavailable. The motor-driven pumps could also be rendered useless by cutting or disconnecting pump cables. The turbine-driven pumps could be put out of service by disabling specific valves. Because the AFW system is in a standby mode during power operation, these adverse actions could go undetected for extended periods of time. Similarly, the water supply to the AFW system could be isolated by closing and disabling several valves. Again, the situation could go undetected for an extended period of time.

3. High Pressure Safety Injection (HPSI) System

In one of the reference plants, the HPSI pumps are located in a common compartment. The HPSI pumps have a normally locked-open manual valve on the outlet side that could be closed and disabled to prevent flow. This would be an action that could only be detected by close inspection. There are motor-operated valves at the pump suction and discharge that could be closed with the local handwheel and disabled. However, because they are motor-operated valves with status indicators in the control room, some added actions would be required to avoid alerting the control room.

4. Diesel Generators

With regard to diesel generator vulnerability to sabotage, the lubricating oil and cooling lines, which are small bore and exposed, could be crimped or disconnected; control systems could be damaged or improperly connected; and improper setpoint adjustments could be made. Many of these potential actions would be very difficult to detect until a generator [...] was attempted.

5.2.1 USI A-45 Recommendations for Prevention/Mitigation of Sabotage Acts

In addition to identifying plant-specific vulnerabilities to insider sabotage, contractor studies performed under USI A-45 also provided several recommendations to enhance plant capabilities for the prevention/mitigation of sabotage acts. These recommendations relate to procedural


modifications, revised access authorization, equipment and plant layout modifications, and substitutional modifications. Following is a brief discussion of these recommendations.

der USI A-45 have proposed several design modifications that may be effective in reducing sabotage vulnerability. A few recommendations include:

• For manual valves, it is suggested that remote indication of manual valves position and out-of-position alarms be provided to detect improper valve adjustments. It is also suggested that protective enclosures be provided to restrict access to the valve yoke and bonnet.

• For turbine-driven pumps, it is recommended that a mechanical backup governor be provided to control the turbine if control power is lost, or primary enclosures be installed to restrict access to the shaft seals, the governor and associated linkage, the lube oil fill and drain fittings, and the governor speed set controls. It is also suggested that a protective enclosure be installed across from the pump bay with controlled access to permit work on only one train at a time.

• For diesel generators, nonstandard hardware requiring special tools (administratively controlled) [...] valve retainers, lube oil and fuel oil fill [...] lube oil and cooling system drain plugs, etc., is recommended. It is also suggested that doorways between two diesel generators be closed off so access can be limited to one unit at a time.

1. Procedural Modifications

An obvious technique to prevent covert sabotage by a single insider is to institute administrative procedures that prevent any single individual from having lone access to vital equipment. Such procedures may be implemented by two-person rules, security watches, or remote CCTV surveillance. The underlying concept is that each person assigned has the opportunity to observe or detect unauthorized activity by the others. Security watches function in a similar manner. With remote surveillance, there is an opportunity for security personnel to detect unauthorized actions by the persons actually performing the inspection or maintenance. This potential detection serves as a deterrent. In an alternative approach, the capabilities of computers and computer-controlled door locks and controls are used. By comparing the credentials of individuals seeking access to vital areas with preestablished authorization lists, the number of individuals having access to any particular component is controlled. Also using the real-time capabilities of the computer, access patterns can be arranged so that any given individual does not have access to redundant equipment until operability of the last component visited is verified by independent means. Such systems also keep track of entries, so that, given problems, it may be determined which person had most recent access. This practice provides a de-

4. Substitutional Modification gree of protect on becaure of the likelil ood of detection i

nr, at least, the establishment of responsibility if an un-adum the hay hm renoval rystem vulnerabihties.

authorized act does occur.

y A4 considered an add-on decay heat removal train.

1 or PWRs, this would take the form of a train of MW and pnmary system makeup supply. For I!WRs. it would

2. Revised Access Authorintion take the form of coupled hipb and low-pressure mjection combineo with suppression pool cooling.These systems j

lt has been mggested that careful sercening:of nuclear would be housed in separate structures and have inde-nower plant employees to ensure that only reliable and pendent support systems, electric ptmer, cooling, etc. In l

.iable persons with a demonstrated capacity for gaahty both instances, such add-ons would provi<Je systems that performance are hired is the most effective way of reduc-are independent of the rmrmal plant safety systems and, mg the insider threat. The rationale is that if a utility em-thus, could be subject to more rigid sceurity controlswith-I plays pood peopic, compensates them adequately, and out signific;mtly affecting normal plant operations. Such then less them do their jobs, the best icsults will be ob^

systems could not be shown to be cost effectke, however, tained.

and so they were not adopted in the resolution of USl A-45.

3. I:qaipment and P: ant I a3out Modifications 11 is a l enemlly held view that knowledgeable insiders emi 5.3 Insights and Recorititiendationis of cause harm if they so desire. Stated another way, regard.

NUREG/CR--2643 less of how one changes or alters the design of a piece of equipment, someone at some time, must install, main-This NRC+ponsored study. NUREG/CR-2643 (Ref.

tain, and operate it. Th us, there is always the possibilny of 18), assessed the use of arca-type physical protcetion, access. Design changes may alter oc reduce vul-damage control, component-level design changes, and nerabilities, but they cannot climinhte them. Gisen the detection requirements. The conclusions documented in above considerations, contractor studies performed un-NURiiG/CR-2643 are briefly discussed below.

NUREG-1267 20

1. Conclusions Regarding Use of Area-Type Physical Protection Measures for Protecting Against Sabotage by an Insider

The area-type physical protection measures that were identified and analyzed in NUREG/CR-2643 include three concepts: (1) team zoning, (2) area zoning, and (3) operational zoning. Each of these concepts was shown to be capable of providing some improved protection against insider sabotage in comparison with a baseline physical protection system that is representative of actual plant installations. The study also investigated the concepts of time zoning and function zoning and determined that these techniques "...offer little, if any, protection against sabotage by a single insider."

The area safeguards study illustrated that each of these area-type physical protection measures may be at least partially effective. The choice of which measures to use at a specific plant should be made by the utility operating the plant. The utility can determine which of the systems is most appropriate for their particular plant by considering the following variables: (1) manpower costs, (2) current physical protection system configuration, (3) distribution and types of vital areas, and (4) existing work rules required by safety considerations.

2. Conclusions Regarding Use of Damage Control for Protection Against Sabotage by an Insider

The study of damage control options reveals that damage control can make a "...useful contribution to sabotage protection at nuclear power plants; not as a stand-alone measure, but as an element in an integrated sabotage protection system." Through the use of a damage control system, diverse systems can be aligned and operated to restore functional capabilities that have been lost or degraded as a result of an act of sabotage against a specific set of safety-related systems or equipment.

The study also notes that many of the design features that are necessary for implementing some of the damage control measures are not found in current nuclear power plant designs. Therefore, damage control opportunities with currently available resources may be somewhat limited.

For damage control to be effective, the design features that are necessary to establish cross connections or to operate systems in alternative modes must be permanently installed and available on short notice to the plant operating personnel. Design features such as fluid system cross connections and electrical system bus ties must be carefully engineered to ensure that the separation, independence, and reliability of safety-related systems are not adversely affected by the damage control measures.

3. Conclusion Regarding Use of Component-Level Design Changes for Protection Against Sabotage by an Insider

The conclusion reached in this area is that component-level design changes cannot make a component invulnerable to sabotage by an insider. However, such design changes can make a component more resistant to sabotage actions, and in conjunction with area-type physical protection measures or operations controls, can provide protection against the insider.

4. Summary of Potential Detection Requirements for PWR and BWR Systems

The detection requirements have a direct relationship to the types and normal operating status of equipment in systems required to establish or maintain the plant in a safe shutdown condition. Table 5.2 provides a summary of the potential detection requirements for reactor systems. Further information on the detection requirements for PWR and BWR systems is presented in Appendices II and F to NUREG/CR-2643 (Ref. 18).

Table 5.2 Summary of sabotage detection methods for reactor systems.

Type of System: Sabotage Detection Method

  Operating fluid or ventilation systems: Safety-related display instrumentation*
  Standby fluid or ventilation systems: Operations control elements
  Energized portions of electrical systems: Safety-related display instrumentation
  Deenergized portions of electrical systems (e.g., standby power sources and "cold" side of circuit breakers for standby equipment): Operations control elements and two-person rule**
  Actuation of control systems: Safety-related display instrumentation (i.e., for input logic) and operations control elements (e.g., for output logic panels)

  * Safety-related display instrumentation provides after-the-fact indication of a sabotage attempt. This capability may not be adequate in some applications, and operations control elements (OCEs) may be required to detect the sabotage attempt at its onset.
  ** Practicality of OCEs for the diesel generator is questionable. The two-person rule is an administrative alternative.

5. Overall Conclusions of NUREG/CR-2643

Each of the studies discussed in the Sandia report addresses a different approach for protecting against sabotage by an insider. The report concludes that effective insider protection will require a combination of measures since no single approach provides a complete solution. It also makes it clear that some of the safeguards measures will require extensive plant modifications in order to be successfully implemented.

The desirable system from a plant standpoint is one that takes full advantage of as many of those elements already in existence at a plant as possible. Additionally, the desirable system should also use existing analyses and existing plant arrangements and have a minimum impact (cost and personnel) on plant operation. From the viewpoint of protection, the system should be effective in making sabotage more difficult.

5.4 Current NRC and Industry Initiatives Aimed at Personnel

One of the most effective ways that licensees can ensure the protection of the facility and source material from insider threats is to ensure the reliability of employees and contractor/visitor personnel that are granted unescorted access. There have been two major industry/NRC initiatives in this area in recent years: (1) fitness for duty (FFD) and (2) access authorization.

Both of these initiatives are concerned with establishing a high level of trustworthiness among employees of commercial nuclear power plants, both for safety and safeguards reasons. The following sections outline the current regulatory positions and industry practices relative to these areas.

5.4.1 Fitness for Duty

Fitness for duty (FFD) refers to the assurance that individuals with unescorted access to the protected areas of the plant are physically and emotionally fit to perform their assigned duties and to respond to emergency situations as they occur. Thus, FFD concerns the impairing effects of drug and alcohol abuse; the debilitating effects of over-the-counter and prescription medicines; fatigue; stress induced by excessive heat, noise, etc.; and psychological problems due to family, marital, financial, or other problems. Licensees respond to these concerns with programs to screen potential employees, identify impaired employees through observation and chemical and psychological testing, and rehabilitate employees before they are returned to positions of trust.

1. Current NRC Requirements and Recommendations

There is currently no rule in place for FFD. However, a proposed rule, which the NRC expects to implement in 1989, is being prepared.

Fitness for duty became a significant area of concern for the NRC in the late 1970s. This increased concern grew out of the fact that the increase in illicit drug abuse that characterized society was beginning to be reflected in nuclear power plants as well. In 1982, the NRC published for public comment a proposed rule addressing FFD concerns. This rule would have required the licensees to develop and implement written FFD procedures (47 FR 33980). Based on public comments, the NRC decided to postpone the implementation of a rule in order to allow the industry to develop its own program. A policy statement to this effect was issued in 1986 (51 FR 27921).

Industry, through the coordinating activities of the NUMARC and the technical assistance of the INPO and the Edison Electric Institute (EEI), began a comprehensive program in the FFD area. (This program will be described more fully below.) The NRC, in turn, began conducting audits of the utility programs. In December 1987, the NRC requested a status report from its staff concerning the progress of the industry initiatives. The staff reported that there had been substantial progress in the area, but that some utilities were lagging behind and that there was an insufficient level of standardization and consistency in the development and application of FFD programs. Based on this report, the NRC instructed the staff to begin preparing a rule focusing explicitly on drug abuse.

In August 1988, the NRC staff published a draft rule for public comment. The integration of public comments and deliberations by the NRC suggest that if a formal rule is to be implemented, it will be implemented in the first quarter of calendar year 1989.

The provisions of the draft rule include mandatory preemployment, for-cause, and random drug testing for certain classes of illegal drugs; sanctions for employees with confirmed positive tests; and requirements for training of all personnel in FFD concerns and access to employee assistance programs. The draft rule does not currently require either random testing for alcohol or additional psychological testing.

2. NRC Guidance

As discussed above, the NRC does not have formal guidelines available, although it is currently working under the 1986 Policy Statement on Fitness for Duty. The policy statement directs the licensees to develop programs consistent with the "EEI Guide to Effective Drug and Alcohol/Fitness for Duty Policy Development" (51 FR 30870) (Ref. 20).

3. Industry Practices

Industry practices in the area of FFD are defined through three major initiatives. The first, which is more pertinent to access authorization, is ANSI Standard 3.3-1982 (Ref. 21). In this standard, the provisions for initial and periodic background and psychological tests are stated. While this standard does not identify the exact tests to be used, the 16PF and the MMPI are among the most common in the industry.

More directly pertinent to FFD is the EEI guide. This guide was developed directly in response to the NRC concern for FFD. The guide covers alcohol and drug abuse but does not address the other FFD problems identified above. Within the guide are provisions for the development of company policy, methods of communicating the policy to employees and contractors, methods for recognizing FFD, training for supervisors for identifying and dealing with FFD problems, guidelines for chemical testing, and development of liaisons with local law enforcement personnel, strategies for involving unions, and effective employee assistance programs. The guide neither addresses basic security concerns such as provisions for searches nor mandates random chemical testing.

The third industry-based initiative is based on INPO audits of FFD programs. Since 1985, INPO has been conducting audits of the plants' FFD programs as part of their overall plant and utility audits. While the audit materials are not available for inspection, it is assumed that INPO uses the EEI guide as a standard for good practice in the industry.

In December of 1987, NUMARC reported to the NRC on the effectiveness of the industry initiatives. In their report, the following major points were made:

• The EEI guide has been successfully completed.
• INPO has added FFD evaluation criteria to its plant audits.
• All licensees currently have formal FFD policies in place addressing drug use onsite and offsite.
• All licensees in some way include alcohol in the FFD program.
• Virtually all licensees discharge employees if illegal drugs are used.
• Virtually all licensees have provided FFD training for the managerial and supervisory personnel.
• Virtually all licensees have provided training to all employees including contractor personnel.
• Virtually all licensees conduct preemployment and for-cause chemical testing.
• About half of the licensees conduct random testing for drug abuse.
• All licensees have implemented employee assistance programs as an element of the FFD program.

While the report from the industry indicated a high level of success, the audits of these programs conducted by the NRC indicated that the level of implementation and followup was not always satisfactory. For example, it was observed in one licensee program that the level of training provided to personnel did not exceed 15 minutes a year.

Industry practice in the area is in a state of flux. In anticipation of the final rule, more and more licensees are adopting random testing programs. Until the final rule is issued, however, it will not be possible to identify the status of industry practice in FFD.

5.4.2 Access Authorization

Access authorization refers to programs designed to ensure the basic trustworthiness of individuals who are granted unescorted access. Its primary concern is with the application of various screening mechanisms to the process of employee selection. These mechanisms include checks on educational, military, employment, and criminal history, as well as the application of various psychological tests.

1. Current NRC Requirements

As in the case of FFD, the access authorization program for the NRC is in the form of a policy statement rather than a rule (53 FR 7534). The NRC is currently evaluating the effectiveness of industry initiatives in the area before deciding whether to implement a rule.

2. NRC Guidance

Three sets of guidelines are available to the industry. The first is represented in ANSI Standard 3.3-1982 (Ref. 21). This standard sets out general criteria for an access authorization program in the areas of background screening, identification, and security training. Within the area of screening, general goals are identified for the areas of previous employment, education, criminal conviction, character recommendations, and psychological testing. The goals provide very little guidance for implementation.

Regulatory Guide 5.65 (Ref. 6) provides some guidance in the area of access authorization. The licensees should develop, maintain, and revise on a monthly basis a list of those individuals whose specific duties require access; keep a log of each individual's entry and exit from protected areas; revoke access authorization and retrieve the badge when employment is terminated; and secure unattended doors to vital areas with locks and alarms. This regulatory guide also provides guidance on how access authorization may be relaxed during emergency situations.

The third set of guidelines is discussed below under industry practices.

3. Industry Practices

Detailed information on industry practices is not available. However, in response to the NRC consideration of the access authorization rule, industry has developed its own set of guidelines, revised most recently in 1986 (Ref. 22). These guidelines identify the general requirements for unescorted access, the dimensions of an effective screening program (including checks on education, employment, criminal history, military service, character and reputation, verification of identity, credit, and psychological status), the appropriate scope of the access authorization program, detailed evaluation criteria for authorizing access, methods for periodic review of access authorization, methods for the transfer or reinstatement of access authorization, access during cold shutdown, provisions for a continual behavioral observation program, contractor and vendor requirements, record requirements, and audits of the utility and contractor/vendor access authorization programs. The extent to which these guidelines are being implemented and followed in the industry is not known at this time. However, they are considerably more detailed than those of either the regulatory guide or the ANSI standard.

6. SUMMARY AND RECOMMENDATIONS

Insider sabotage of operating nuclear power plants has not been a significant problem in the United States to date. The DOE and NRC data bases on illicit acts suggest that there have been instances of insider vandalism and tampering at nuclear facilities over the years. However, the majority of these acts have been committed by disgruntled employees who intended to embarrass the management and damage the facility but not to harm other employees or the public.

In addition, the licensees meet the intent of NRC's 10 CFR 73.55 requirements. These regulations provide for physical security of licensed facilities, means of preventing/detecting unauthorized access, physical barriers, and response requirements. Furthermore, there are industry steps under way to further refine the screening process of personnel to ensure that only reliable staff members gain access authorization. These measures will be enhanced and complemented by NRC's recently proposed fitness for duty (FFD) and access authorization rules.

Plant safety design features are also tolerant of system failures caused by vandalism or sabotage. Modern, licensed nuclear power plants have multiple safety trains and redundant systems, and it takes several system failures and events for a postulated accident to pose a threat to plant and public safety. In addition, plant modifications made in response to various NRC requirements such as fire protection, station blackout, and ATWS have also enhanced the plant capabilities to detect and mitigate sabotage acts. This has been accomplished through such means as providing for additional safety systems, redundancy, physical separation, enhanced operator training and procedures, and identification and correction of plant vulnerabilities through systematic risk assessment studies. Additional design changes should be made if improvements in safety are substantial and cost effective based on findings derived from the resolution of generic safety issues and individual plant evaluations required as part of the severe accident policy. While such changes would be initiated for other reasons, enhancement of sabotage protection should also be a consideration in determining their worth.

Additionally, the NRC has sponsored various studies over the years to identify plant vulnerabilities to insider sabotage and to assess the effectiveness of proposed design and procedural modifications. More recent studies such as the USI A-45 study (Ref. 19) have stated that in some plants, because of the collocation of redundant safety systems, a knowledgeable insider could easily disable these systems. In addition, since some systems are in a standby mode, their failure would not be detected until they are called upon to perform their function or are closely examined. Another NRC-sponsored study (Ref. 3) prioritized the effectiveness of various design alternatives in terms of reducing plant risk due to sabotage and tampering. The alternatives analyzed range from an independent, dedicated, bunkered decay heat removal system to a simple design change such as the installation of TV cameras in vital areas.

The insights from these studies indicate that there are no single design modifications or procedures that would completely eliminate the threat of insider sabotage since, regardless of the design modification, there will always be access to the system for its installation, maintenance, or operation. Therefore, the potential for insider access and sabotage always exists. Given this fact, it is believed that a comprehensive strategy for dealing with the insider sabotage problem should focus on three elements:

• Reliable personnel,
• Design and equipment, and
• Effective administrative procedures.

The following is a discussion of these three elements.

6.1 Reliable Personnel

The most effective way to ensure protection of the facility from insider threats is by employing a reliable staff. The NRC and the industry are currently working on several initiatives to ensure that this is the case. The measures that are currently being employed by the industry include preemployment investigation, psychological testing and profiling, and employee screening. Some organizations even use on-the-job counseling to assist employees with their problems.

The NRC is also working on several initiatives that are aimed at enhancing the reliability of nuclear power plant personnel. The first of these initiatives is the proposed fitness for duty (FFD) rule, which is intended to ensure that persons with unescorted access to the protected areas of the plant are physically and emotionally fit to perform their assigned duties and to respond to emergency situations as they occur.

The second NRC initiative in this area relates to access authorization. This program is designed to ensure the basic trustworthiness of persons who are granted unescorted access.

6.2 Design and Equipment

As noted before, regardless of the specific design of a system or equipment, there is always the potential for insider access and sabotage since someone has to install, maintain, and operate the system. Despite this drawback, previous NRC studies have identified several design and procedural alternatives that could be useful in limiting access to and enhancing system availability to mitigate insider sabotage acts.

Several of these design alternatives were evaluated in Reference 3. Table 5.1 presents a summary of these alternatives, their effectiveness, and the type of fix (i.e., complex design modification, procedural changes).

The USI A-45 study (Ref. 19) was also successful in discovering several plant-specific insider sabotage vulnerabilities. The main insight from that study is that, in some plants, there are redundant safety systems collocated without any physical separation among them. In addition, the USI A-45 study discussed means of disabling these systems without any obvious indication of system failure through casual observation. This fact is especially true for systems in standby mode that lack a status indicator in the control room. This type of system failure will not be detected until the system is called upon to perform a function or upon close examination. This insight highlights the need for the utilities to perform a systematic evaluation of their plants and to use the insights from their probabilistic risk assessment (PRA) studies to identify these types of vulnerabilities and take corrective actions. This evaluation will be done under Generic Letter 88-20, Individual Plant Examination for Severe Accident Vulnerabilities (Ref. 23).

Incorporation into the plant design of such features that would enhance sabotage protection is more readily accomplished in new designs. Therefore, the issue of physical security is being addressed through the implementation of the policy on advanced light water reactors (ALWRs) as stated in SECY-89-013 (Ref. 24).

"Sabotage should be addressed in all future ALWR applications. As a minimum requirement, information should be provided to demonstrate the existence of adequate physical barriers to protect vital equipment in accordance with 10 CFR 73.55(c) and to identify access control points to all vital areas in accordance with 10 CFR 73.55(d). In addition, the staff expects designers to provide an appropriate discussion of insider and outsider sabotage applicable to their designs. This discussion should include an identification of design features that decrease reliance on physical security programs for sabotage protection."

6.3 Effective Administrative Procedures

The third ingredient of an insider sabotage strategy is implementing effective administrative procedures to prevent and/or limit unauthorized access to systems or vital areas. Utilities have already implemented procedures for access control, locked doors, and maintenance of sensitive systems.

One of the challenges in mitigating the consequences of an insider's adverse actions is in discovering equipment damage or system failures that go undetected until that system is called upon to perform its intended function. There are currently several means of attempting to detect or deter these types of insider acts. One means would be to use the two-person rule where a second person with equivalent knowledge and experience observes the actions of the first person. Another one is the installation of CCTV in vital areas. Although not as effective as the two-person rule, CCTV does act as a deterrent. At some utilities, a security guard accompanies the maintenance crew while they inspect or repair the safety systems. In addition, in some utilities, access to vital areas requires authorization from both the Security and Engineering Departments.

Two procedure-related recommendations that enhance insider sabotage detection capability of the plants are:

• For maintenance of redundant safety systems, independently verify the operability of the system/train last worked on prior to initiation of work on other systems.

• Perform periodic, independent inspection and verification of operability of safety systems, important support systems, and those in the standby mode. There should be procedures in place to ensure that the individual(s) who most recently worked on these systems are not part of this independent verification process. The systems subject to this independent verification should include the AFW, HPSI, LPSI, ESW, and CCW systems and the diesel generators.
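The report's discussion of computer-controlled door locks under Procedural Modifications (authorization lists, no access to redundant equipment until the last component visited is independently verified, entry tracking) and the independent-verification recommendation above describe the same interlock. The following Python example is added here to illustrate that logic; it is not part of NUREG-1267 or of any NRC or licensee system, and the class, area names and badge IDs are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VitalAreaAccessController:
    """Hypothetical door controller; every name here is illustrative."""
    # area -> badge IDs on the preestablished authorization list
    authorized: Dict[str, Set[str]]
    # each set lists vital areas housing redundant trains of one function
    redundant_groups: List[Set[str]]
    # append-only record: (sequence number, badge, area, event)
    log: List[Tuple[int, str, str, str]] = field(default_factory=list)
    # area -> badges admitted since that area's equipment was last verified
    unverified: Dict[str, Set[str]] = field(default_factory=dict)

    def _record(self, badge: str, area: str, event: str) -> None:
        self.log.append((len(self.log) + 1, badge, area, event))

    def _redundant_to(self, area: str) -> Set[str]:
        others: Set[str] = set()
        for group in self.redundant_groups:
            if area in group:
                others |= group - {area}
        return others

    def request_entry(self, badge: str, area: str) -> Tuple[bool, str]:
        # Check 1: credential against the authorization list for this area.
        if badge not in self.authorized.get(area, set()):
            self._record(badge, area, "DENIED:not-authorized")
            return False, "not on authorization list"
        # Check 2: no entry to a redundant train while a train this person
        # visited is still awaiting independent operability verification.
        for other in sorted(self._redundant_to(area)):
            if badge in self.unverified.get(other, set()):
                self._record(badge, area, "DENIED:interlock:" + other)
                return False, "redundant train in %s not yet verified" % other
        self.unverified.setdefault(area, set()).add(badge)
        self._record(badge, area, "ENTRY")
        return True, "granted"

    def verify_operability(self, verifier: str, area: str) -> bool:
        # The verifier must be authorized for the area and must not be anyone
        # who entered it since the previous verification.
        if (verifier not in self.authorized.get(area, set())
                or verifier in self.unverified.get(area, set())):
            self._record(verifier, area, "VERIFY-REJECTED:not-independent")
            return False
        self.unverified[area] = set()
        self._record(verifier, area, "VERIFIED")
        return True

    def last_access(self, area: str) -> Optional[str]:
        # Most recent granted entry, for establishing responsibility.
        for _, badge, logged_area, event in reversed(self.log):
            if logged_area == area and event == "ENTRY":
                return badge
        return None

    def revoke(self, badge: str) -> None:
        # Remove the badge from every list, e.g. on termination.
        for holders in self.authorized.values():
            holders.discard(badge)
        self._record(badge, "*", "REVOKED")


def build_demo_controller() -> VitalAreaAccessController:
    # Constructed sample data: two diesel generator rooms and two CCW rooms.
    return VitalAreaAccessController(
        authorized={
            "DG-A": {"M1", "M2"}, "DG-B": {"M1", "M2"},
            "CCW-A": {"E1"}, "CCW-B": set(),
        },
        redundant_groups=[{"DG-A", "DG-B"}, {"CCW-A", "CCW-B"}],
    )


if __name__ == "__main__":
    ctl = build_demo_controller()
    print(ctl.request_entry("M1", "DG-A"))       # granted
    print(ctl.request_entry("M1", "DG-B"))       # blocked by the interlock
    print(ctl.verify_operability("M2", "DG-A"))  # independent verifier
    print(ctl.request_entry("M1", "DG-B"))       # now granted
    for row in ctl.log:
        print(row)
```
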

REFERENCES

1. R. Emrit et al., "A Prioritization of Generic Safety Issues," NUREG-0933, December 1983.

2. U.S. Nuclear Regulatory Commission (USNRC), "Safeguards Summary Event List (SSEL)," NUREG-0525, Revision 14, July 1988.

3. W. O. Andrews et al., "A Ranking of Sabotage/Tampering Avoidance Technology Alternatives," Pacific Northwest Laboratories, NUREG/CR-4462, PNL-5690, January 1986.

4. USNRC, "Safeguards Summary Event List (SSEL)," NUREG-0525, Revision 11, January 1986.

5. USNRC, "Acceptance Criteria for the Evaluation of Nuclear Power Reactor Security Plans," NUREG-0908, August 1982.

6. USNRC, Regulatory Guide 5.65, "Vital Area Access Controls, Protection of Physical Security Equipment, and Key and Lock Controls."

7. Mason and Hanger, "Security Lighting-Planning Document for Nuclear Fixed Site Facilities," NUREG/CR-1327, MHSM-SD 7911, April 1980.

8. USNRC, Regulatory Guide 5.7, Revision 1, "Entry/Exit Control for Protected Areas, Vital Areas, and Material Access Areas."

9. USNRC, Regulatory Guide 5.12, "General Use of Locks in the Protection and Control of Facilities and Special Nuclear Materials."

10. Memorandum from R. A. Clark to Reactor Safeguards Licensing Branch, USNRC, "Protected Area Control Function in Bullet Resisting Structure," Review Guidelines Number 18, 1978.

11. Mason and Hanger, "Design Concepts for Independent Central Alarm Station and Secondary Alarm Station Intrusion Detection Systems," NUREG/CR-1468, MHSM-SD 7919, November

12. Union Carbide Corporation, "Emergency Power Supplies for Physical Security Systems," NUREG/CR-0509, Y/DA-7678, October 1979.

13. USNRC, Regulatory Guide 5.44, Revision 2, "Perimeter Intrusion Alarm Systems."

14. Memorandum from R. A. Clark to Reactor Safeguards Licensing Branch, USNRC, "Compensatory Measures for the Loss of Normal Power Supply to Security Lighting," Review Guidelines Number 10, 1978.

15. Union Carbide Corporation, "Security Communication Systems for Nuclear Fixed-Site Facilities," NUREG/CR-0508, Y/DW-128, July 1980.

16. Nuclear Management Resources Council (NUMARC), "Guidelines and Technical Basis for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors," NUMARC 87-00, 1987.

17. USNRC, Regulatory Guide 1.155, "Station Blackout."

18. L. A. Goldman and P. R. Lobner, "A Review of Selected Methods for Protection Against Sabotage by an Insider," Sandia Laboratories, NUREG/CR-2643, SAND82-7036, October 1982.

19. USNRC, "Regulatory and Backfit Analysis: Unresolved Safety Issue A-45, Shutdown Decay Heat Removal Requirements," NUREG-1289, November 1988.

20. "EEI Guide to Effective Drug and Alcohol/Fitness for Duty Policy Development," Edison Electric Institute, Human Resource Management Division,

21. American Nuclear Society Standards Committee, "Security for Nuclear Power Plants," ANSI/ANS 3.3-1982, 1982.

22. Nuclear Utility Management and Resource Committee, "Industry Guidelines for Nuclear Power Access Authorization Programs," Washington, DC, October 3, 1986.

23. USNRC Letter to All Licensees Holding Operating Licenses and Construction Permits for Nuclear Power Reactor Facilities, "Individual Plant Examination for Severe Accident Vulnerabilities-10 CFR § 50.54(f)," Generic Letter No. 88-20, dated November 23, 1988.

24. USNRC, "Design Requirements for the Evolutionary Advanced Light Water Reactors (ALWRs)," SECY-89-013, dated January 19, 1989.

NRC FORM 335
U.S. NUCLEAR REGULATORY COMMISSION
BIBLIOGRAPHIC DATA SHEET

1. REPORT NUMBER: NUREG-1267

2. TITLE AND SUBTITLE: Technical Resolution of Generic Safety Issue A-29: Nuclear Power Plant Design for Reduction of Vulnerability to Industrial Sabotage

3. DATE REPORT PUBLISHED: September 1989

4. FIN OR GRANT NUMBER

5. AUTHOR(S): Aleck W. Serkiz

6. TYPE OF REPORT: Technical

7. PERIOD COVERED: N/A

8. PERFORMING ORGANIZATION - NAME AND ADDRESS: Division of Safety Issue Resolution, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555

9. SPONSORING ORGANIZATION - NAME AND ADDRESS: Same as 8, above.

10. SUPPLEMENTARY NOTES

11. ABSTRACT (200 words or less)

This report summarizes key technical findings related to Safety Issue A-29, "Nuclear Power Plant Design for the Reduction of Vulnerability to Industrial Sabotage." The findings in this report deal with (1) a historical review of reported sabotage-related events at nuclear facilities, (2) NRC physical security requirements, (3) industry measures to prevent/mitigate sabotage, (4) design and procedural approaches that could be used to deter sabotage, (5) current NRC and industry initiatives aimed at personnel screening and selection, and (6) design considerations applicable to Advanced Light Water Reactors (ALWRs).

The results reveal that insider sabotage at U.S. operating nuclear plants has not been a significant problem in the United States to date and that there are no singular design modifications or procedures that by themselves would completely eliminate or mitigate the threat of insider sabotage.

Rather, it will take a combination of systematic and focused improvements in the three areas of reliable personnel, effective design features, and plant procedures developed to provide a [illegible] to deal with prevention of insider sabotage and to be able to mitigate adverse

12. KEY WORDS/DESCRIPTORS: Sabotage, Vulnerability, Safeguards

13. AVAILABILITY STATEMENT: Unlimited

14. SECURITY CLASSIFICATION: (This Page) Unclassified; (This Report) Unclassified

15. NUMBER OF PAGES

16. PRICE
