ML20198D878
ML20198D878 | |
Person / Time | |
---|---|
Issue date: | 12/31/1997 |
From: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
To: | |
References | |
TASK-*****, TASK-DG-5008, TASK-RE REGGD-05.062, REGGD-5.062, NUDOCS 9801080296 | |
Download: ML20198D878 (27) | |
Text
__ _ _ m
<ps eng%, U.S. NUCLEAR REGULATORY COMMISSIOf* Dec2mber 1997
[ OFFICE OF NUCLEAR REGULATORY RESEARCH Division b 5 } Craft DG 5008 g
/mi
( ) %e e.ee DRAFT REGULATORY GUIDE v
Contact:
R.P. Rosano (301)415 3282 DRAFT REGULATORY GUIDE DG-5008 (Proposed Revision 2 of Regulatory Guide 5.62)
REPORTING OF SAFEGUARDS EVENTS A. INTRODUCTION 4 in 10 CFR Part 73, "Pnysical F7otection of Plants and Meterials,'"Sectidh 73.71 requires edh a4 y licensees to report to the Operations Center of the NRC or to record"In aJog certain safeguards events.
- W %#
The events to be reported are those that threaten nuclear activities orlessen the effectiveness of the A,s y physical protection system established by safeguards regulatiols%and the licensees' approved physical
- y hk protection and contingency plans. A A A This regulatory guide provides guidancetacceptabie'to the NRC staff for use by licensees in y/ g"g determining whefl and hoW events should:be reported. This guide is being revised to (1) incorporate of Mv pertinent points of Generic Letter 91031d" Rep 0,fting of Safeguards Events," March 6,1931),(2) my Ag incorporate changes to the regulations, such as the rescission of the requirement to submit quarterly l 6 e event logs to the NHC, and (3) clarify rgporting reauirements that might have been misunderstood by the industry in the past. The examples provided represent the types of events that should be reported n
and are not intended 16 be all-inclusive.
kfl gj
'S g ph L
'Copicsis avdNible WashNgton[DC;if5,fbr PDR's mailinginsp)ction address is Mailor Stopcopying for a DC LL 6, Washington. fee20555; from the NRC telephone (202)634 Public 3273; f ax Documen (202)634/3843. GL 9103 is also available on NRC's home page at http://www.ntc. gov /NRC/FEDWORLD!
index.html urW!er Generic Communicatior.s.
This regulatory guide is bemg issued in draft form to involve the public in the early stages of the development of a regulatory position in this area.
It has not received complete staff review and does not represent en official NRC staff position.
8%blic comments are being solicited on the draf t guide (including any implementation schedule) and its associated regulatory analysis or value! impact statement. Comments should be accompanied by appropnate supporting data. Wntten comments may be submitted to the Rules and oirective, Branch, office of Administration. u.S Nuclear Ftegulatory Commission, Washington, oC 2o555-0001. Copies of comments
.O received may be examined at the NRC Public Document Room,2120 L Street NW., Washington, oC. Comments will be most helpfulif received I b, February 28,1998. e J s. . .1 IWguesta lov single copees of draft or active regulatory guides lwhich may be reproduced) or for placement on an automatic destribution lest for single copies of future draft guides 6n specific divisions should be made in wntmg to the u.S. Nuclear Regulatory Comrnission. Washington, DC 20555-o001. Attantion:
Printing, Grapruce, and Distribut.on Branch, or by f.4 to 00114145272
~
9001000246 971231 ll. sllalls j cl eh ,l l3l PDR REGOD .
05.008 R PDR
Regulatory guides are issued to describe to the public methods acceptable to the NRC staff for implementing specific parts of the NRC's regulations, to explain techniques used by the staff in eve!uating specific problems or postulated accidents, and to provide guioance tc applicants. Regulatory guides are not substitutes for regulations, and compliance with regulatory guides is not required. Regulatory guides are issued in draft form for public comment to involve the public in developing the regulatory positions. Draft regulatory guides have not received complete staff review; they therefore do not represent official NRC staff positions.
The informction collections contained in this draft regulatory guide are covered by the requirements of 10 CFR Part 73, which were approved by the Office of Management and Budget, approval number 3150-0002. The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.
B. DISCUSSION The information reportable under 10 CFR 73.71 is required so that the NRC may stay informed of safe 0uards-related events that could endanger public health and safety or national security and which could generate public inquiries. The required information permits analysis of safeguards system reliability and availability.
Certain significant safeguards events warrant immediate involvement by the NRC and other government agencies such as the FBl; therefore, these events must be reported by telephone to the NRC within one hour of discovery of the event, followed by a detailed written report within 30 days.
Certain less significant safeguards events must be rec ded in a log and copies of the log must be maintained by the licensee for three years. The log entries allow the NRC to analyze repeated events at a particular site and similar events among licensees. If an event occurs repeatedly at one facility or throughout the industry, it may represent a generic issue or a defect in a physical protection program.
For the purposes of this guide and for understanding the regulations, a glossary is provided as Appendix A of this guide, O
2
m E C. R_EGULATORY. POSITION
- 1. LICENSEES SUBJECT TO 10 CFR 73.71 Licensees who are subject to the provisions of 10 CFR 73.25,73.26,73.27(c),
73.37,73.67(e), or 73.67(g) are subject to the provisions of 10 CFR 73.71(a).
Licensees who are subject to the provisions of 10 CFR 73.20,73.37,73.50,73.55, 73.60, or 73.67 are subject to the provisions of 10 CFR 73.71(b) for events described in Paragraph (l)(a)(1) of Appendix G, " Reportable Safeguards Events," to Part 73. Licensees subject to the provisions of 10 CFR 73.20, 73.37, 73.50, 73.55, 73.60, or each licensee possessing strategic special nuclear material (SSNM) and subject to 10 CFR 73.67(d), are subject to the provisions of 10 CFR 73.71(b) for events described in Paragraphs l(a)(2),
1(a)(3), l(b), and f(c) of Appendix G to Part 73. Licensees subject to the provisions of 10 CFR 73.20, 73.37,73.50, or 73.60 are subject to the provisions of 10 CFR 73.71(b) for events described in paragraph 1(d) of Appendix G to Part 73.
Licensees subject to the provisions of 10 CFR 73.20, 73.37, 73.50, 73.55, 73.60, or m each licensee possessing SSNM and subject to 10 CFR 73.67(d) are subject to the provisions j of 10 CFR 73.71(c).
- 2. REPORTABLE EVENTS 2.1 Safeguards Events To Be Reported Within One Hour According to 10 CFR 73.71(a) and (b), certain events must be reported within one hour of discovery. Events under 10 CFR 73.71(a) involve incidents in which theft, loss, or diversion of a shipment of special nuclear material (SNM) or spent fuel has occurred or is believed to have occurred. A written report must be submitted to the NRC within 30 days on each event that is reported within one hour. Safeguards events reportable under 10 CFR 73.71(b) are described in Section I of Appendix G to 10 CFR Part 73:
(a) Any event in which there is reason to believe that a person has committed or caused, or attempmd to commit or cause, or has made a credible threat to commit or cause:
1 (1) A thef t or unlawful diversion of special nuclear material; or 3
(2) Significant physical damage to a power reactor or any f acility possessing SSNM or its equipment or carrier equipment transporting nuclear fuel or spent nuclear fuel, or to the nuclear fuel or spent nuclear fuel a f acility or carrier possesses; or (3) Interruption of normal operation of a licensed nuclear power reactor through the unauthorized use of or tampering with its machinery, components, or controls including the security system.
(b) An actual untry of an unauthorized person into a protected area, material access area, controlled access area, vital area, or transport. [See the Glossary in Appendix A to this guide for a definition of " unauthorized person.")
(c) Any f ailure, degradation, or the discovered vulnerability in a safeguard system that could allow unauthorized or undetected access to a protected area, material access area, controlled access area, vital area, or transport for which compensatory measures have not been employed.
(d) The actual or attempted introduction of contraband into a protected area, material access area, vital area, or transport.
Safeguards systems include 'aquipment, procedures, and personnel practices; therefore, f ailures include not only mechanical and electrical system f ailures but also improper security procedures and inadequate or inadequately implemented personnel practices.
Discovered vulnerabilities include significant flaws in the physical protection system that could result in a reduction in overall protection at the site.
2.2 Examples of Safeguards Events To Be Reported Within One Hour The following are examples of events that should be reported to the NRC within one hour because of their potential to endanger public health and safety or national security. This list should not be considered all-inclusive. The applicable portion of Appendix G to Part 73 is cited for each example, and compensatory measures that are acceptable to the NRC staff are discussed in Appendix C to this guide.
- 1. Events involving actual or attempted theft or diversion of SNM, attempts to steal or divert a shipment of spent fuel, significant physical damage to a power reactor, or tampering that causes or has the potential to cause an interruption of the normal operation of a licensed nuclear power reactor. (Paragraphs 1(a)(1),1(a)(2), and l(a)(3) of Appendix G) There are no compensatory measures that would preclude reporting this event within one hour, 4
)
- 2. Bomb threat or extortion threats. (Paragraphs 1(a)(2) and 1(a)(3) of Appendix G) There
) are no compensatory measures that would preclude reporting this event within one hour.
- 3. Discovery of criminal acts that have a connection to plant operations or discovery of a conspiracy to bomb the f acility or sabotage its vital components. (Paragraphs l(a)(2),
1(a)(3),1(c), and 1(d) of Appendix G) There are no compensatory measures that would preclude reporting this event within one hour. 1
- 4. Discovery of theft or loss of classified documents or significant unclassified safeguards information outside the protected area per'sining to facility or transport safeguards for which compensatory measures have not been implemented.
(Paragraph l(c) of Appendix G) (Note: This is also reportable under 10 CFR 95.57 for classified information.) The licensee should also report results of a search for the classified documents or safeguards information. See Example 12 of Regulatory Position 2.4 for similar examples involving loss, not thef t, of such information. There are no compensatory measures that would preclude reporting this event within one 9 hour.
- 5. Fire or explosion of suspicious or unknown origin within the isolation zone, protected area, controlled access area, material access area, or vital area. (Note: Events reportable under 10 CFR 50.72 or 50.73 do not requira duplicate reports under 10 CFR 73.71.) (Paragraphs 1(a)(2),1(a)(3), and 1(c) of Appendix G) See Example 4 of Regulatory Position 2.5 for similar examples that need not be reported or logged.
There are no compensatory measures that would preclude reporting this event within one hour,
- 6. Discovery of a suspicious vehicle following a licensed carrier transporting formula quantities of SSNM. (paragraph l(a)(1) of Appendix G) See Example 5 of Regulatory Position 2.5 for similar examples that need not be reported or logged. There are no compensatory measures that would preclude reporting this event within one hour.
rh i 7. Completc loss of of fsite communications. (Paragraph l(a)(2) or (3) of Ap.oendix G) d if offsite communications Pre restored within one hour of the loss, the licensee should 5
)
report this event immediately after restoration of communications, if communications cannot be restored within one hour of the loss, the licensee should use alternative means to notify the NRC. There are no compensatory measures that would preclude reporting this event within one hour.
- 8. Mass demonstration or other civil disturbance at or near the plant site that could pose a threat to the f acility. (Paragraphs l(a)(2), l(a)(3),1(b), cr 1(d) of Appendix G) There are no compensatory measures that would preclude reporting this event within one hour.
- 9. Tampering with safety or physical protection equipment that is confirmed to be of malevolent or suspicious origin (Paragraphs 1(a)(1),1(a)(2), l(a)(3),1(b),1(c), or l(d) of Appendix G) See Example 6 of Regulatory Position 2.5 for similar examples that need not be reported or logged. There are no compensatory rneasures that would preclude reporting this event within one hour.
- 10. An assault on a power reactor, f acility, or transport possessing or transporting SSNM regardless of whether perimeter penetration is achieved. (Paragraphs 1(a)(2), l(a)(3),
1(b), or l(d) of Appendix G) There are no compensatory measures that would preclude reporting this event within one hour.
- 11. Discovery of f alsified identification badges or key cards. (Paragraph l(a) of Appendix G)
There are no compensatory measures that would preclude reporting this event within one hour; however, steps should be taken immediately to cancel the badges or key cards from the access system and to determine to what extent the badges or key cards have been used.
- 12. Discovery of uncompensated and unaccounted for, lost, or stolen key cards, identification card blanks, keys, or any access device that could allow unauthorized or undetected access to protected areas, controlled access areas, or vital areas.
(Paragraph l(c) of Appendix G) See Example 6 of Regulatory Position 2.4 for similar examples that need only be logged. See Appendix C for a discussion of acceptable compensetory measures.
6
- 13. . Uncompensated loss of all ac power supply to security systems that could allow
\
('v ) unauthorized or undetected access to a protected area, material access area, controlled access area, or vital area. (Paragraph l(c) of Appendix G)
- 14. Uncompensated loss of the ability to detect intrusion (a) at the protected area perimeter when the loss involves several intrusion detection system zones or (b) within a single intrusion detection system zone when the condition could become known to a
- person not authorized unescorted access, either because it lasts for a conside_ 2ble time or is visually conspicuous to the casual observer. (Paragraph l(c) of Appendix G)
See Examples 3 and 4 of Regulatory Position 2.4 for similar examples that need only to be logged.
- 15. Uncompensated loss of alarm capability or locking mechanism on a vital area portal.
(Paragraph l(c) of Appendix G) See Example 9 in Regulatory Position 2.4 for similar examples that need only to be logged.
,4 16. Improper control (to include loss or offsite removal) of access. control media, including picture badges, keys, key cards, or access control computer codes, that results in someone using the medium during the time that it is not controlled. (" Improper control," as used here, does not include approved systems allowing employees to take badges offsite.) See Example 18.7 of Regulatory Position 2.4 for similar examples that need only to be logged. See Example 9 of Regulatory Position 2.5 for similar examples that need not be reported or logged.
- 17. Incomplete or inaccurate preemployment screening records (to include f alsification of background information or inadequate administration, control, or evaluation of
- psychological tests) if the licensee would have denied unescorted access based on knowledge of the complete or accurate information, had a complete preemployment screening been done. See Example 18,9 of Regulatory Position 2.4 for similar examples that need only to be logged.
- 18. Unavailability of a minimum number of security personnel or an actual or imminent strike by the guard force. (Paragraph l(c) of Appendix G)
(~]-
'w]
7
- 19. Loss of a security weapon onsite that is not retrieved within one hour of the discovery of its loss. See Example 13 of Regulatory Position 2.4 for similar examples that need only to be logged.
- 20. Loss of alarm capability or locking mechanism on a material access area portal.
- 21. Discovery of unaccounted for, lost, or stolen keycards, identification card blanks, keys, or any access device that could allow unauthorized or undetected access to material access areas.
22, At a fuel facility, loss of the capability at a single alarm station to monitor or remotely assess alarms.
2.3 Safeguards Events To Be Logged The following safeguards events are reportable under 10 CFR 73.71(c) and described 1 in Section ll of Appendix G to 10 CFR Part 73; they need only to be logged within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of their discovery. l
- 1. Any f ailure, degradation, or discovered vulnerability in a physical protection system that could have allowed unauthorized or undetected access to a protected area, material access area, controlled access area, vital area, or transport had compensatory measures not been established. (If compensatory measures had not been established, this report would be required within one hour. See Paragraph l(c) of Appendix G.)
Logging is not required for preplanned situations that require compensatory measures, such as special outage work, equipment relocation, exercises and drills, and other situations that are not the result of a failure of the physical protection system. See Appendix C to this guide for a discussion of acceptable compensatory measures.
- 2. Any other threatened, attempted, or committed act not previously defined in Appendix G to Part 73 that could reduce the effectiveness of the physical protection system below that committed to in a licensed physical protection or contingency plan or the actual condition of such reduction in effectiveness.
8
_a
_, - False alarms generally ne6d not be reported or logged. However,if false or n'uisance
~
i f alarm rates significantly reduce the effectiveness of the system, the licensee should take -
x) corrective action and note the degraded status and compensatory measures taken in the
+
safeguards event log.
2.4 Examples of Safeguards Events To Be 1.ogged The following are examples of events that are less significant than those reportable within one hour, and they must be logged. This list should not be considered allinclusive.
The applicable regulation is cited for each event, and compensatory measures are discussed '
where appropriate.
- 1. Properly compensated security computer failures. (Paragraph ll(a) of Appendix G)
- 2. Properly compensated vital area card reader failures. (Paragraph ll(a) of Appendix G)
Loss of ability to detect within a single intrusion detection system zone for a short 3.
g period of time. See Example 14 of Regulatory Position 2.2 for similar examples that must be reported within one hour.
- 4. Properly compensated loss of the ability to detect intrusion (a) at the protected area perimeter when the loss involves several intrusion detection system zones or (b) within a single intrusion detection system zone when the condition could become known to a person not authorized unescorted access, either because it lasts for a considerable time or is
- ually conspicuous to the casual observer. (Paragraph l(c) of Appendix G) .
See Example 14 of Re0ulatory Position 2.2 for similar examples that must be reported within one hour.
- 5. Properly compensated f ailure or degradation of a single perimeter lighting zone below the acceptable standard described ln th'e physical security plan, if the intrusion detection system remains operational. (Paragraph Il(a) of Appendix G)
- 6. Accidental removal offsite or loss of access badge or other access medium, if -
M' )
h,_,/ measures have been taken within-10 minutes of the discovery of the loss to preclude g
- - t- T -- +
the use of the badge to gain access to a controlled area and to ensure that the badge has not been used in an unauthorized manner, if an access control system also uses biometrics, the loss of an access badge or keycard does not need to be logged.
(Paragraph II(a) of Appendix G) See Example 12 of Regulatory Position 2.2 for similar examples that must be reported within one hour.
- 7. Properly compensated loss of either alarm or locking mechanism on a vital area portal.
(Paragraph ll(a) of Appendix G) See Example 15 of Regulatory Position 2.2 for similar examples that must be reported within one hour.
- 8. Security computer failures that have the potential to reduce the effectiveness of the physical protection system. (Paragraph ll(b) of Appendix G)
- 9. Properly compensa'ed loss of alarms, closed circuit television, or security computers.2 The loss of backup capability may also be only logged if immediate restoration of system capability is provided by activating secondary computers. See Examples 15 and 16 in Regulatory Position 2.2 for similar examples that must be reported within one hour.
- 10. At a power reactor, loss of the capability of a single alarm station to monitor or remotely assess alarms, but monitoring or assessment capability remains in other stations. (Paragraph II(b) of Appendix G)
- 11. For shipments of formula quantities of SSNM. intra-convoy communications ability is lost but ability to communicate with movement control center remains. (Paragraph ll(b) of Appendix G)
- 12. Loss of unclassified safeguards information when there does not appear to be evidence of theft and, within the first hour after the discovery, the information is retrieved and determined not to have been in the possession of an unauthorized Posting personnel as a compensatory measure implies that the personnel are capable of performing the lost or degraded function. When they cannot perform that f unction, such as when they are asleep, there is an uncompensated loss that must be reported within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> of discovery, Preplanned compensatory measures are normally destnbed in NRC-approved safeguards plans.
10
person, or thef t of such information when (i) the information would not have allowed
) unauthorized or undetected access to a protected area, material access area, controlled access area, vital area, or transport, or (ii) the vulnerability caused by the loss of the information is fully compensated upon discovery. See Example 4 of Regulatory Position 2.2 for similar examples that must be reported within one hour.
- 13. Loss of a security weapon onsite that is retrieved within one hour of the discovery of its loss. See Example 19 of Regulatory Position 2.2 for similar examples that must be reported within one hour,
- 14. Properly compensated closed circuit television failure in a single zone while the intrusion detection system remains operational. (Paragraph ll(a) of Appendix G)2
- 15. A design flaw or vulnerability in the physical barrier of a protected area, controlled access area, or vital area that could have allowed unauthorized access. (Paragraph II(a) of Appendix G)
- 16. Discovery of contraba'id inside the protected area that is not a significant threat.
(Paragraph II(b) of Appendix G) 1
- 17. Compromise of safeguards information that would not significantly assist an individual in gaining unauthorized or undetected access to a facility or would not significantly assist an individualin an act of radiological sabotage or theft of SNM. (Paragraph ll(a) of Appendix G)
- 18. Partial failure of an otherwise satisfactory access authorization or access control program. The following are examples of partial failure.
18.1 An employee or vendor who has been cleared and authorized to receive a badge permitting unescorted access to protected and vital areas inadvertently enter the protected area improperly, e.g., through a vehicle gate, without being searched and issued a badge. The licensee discovers the event, searches the
T individual, issues a badge, and takes corrective action to prevent recurrence.
11
18.2 Search equipment does not perform properly, which could allow unsearched individuals to enter the protected area, and the licensee does not detect the failure for a short period. See Example 8 in Regulatory Position 2.5 for similar examples that do not need to be reported or logged.
18.3 An individual who is required to have an escort for a particular area inadvertently becomes separated from his or her escort but the escort or another person authorized for unescorted access recognizes the situation within several minutes and corrects it.
18.4 An employee of a licensee or contractor who is authorized entry to a vital area enters that vital area improperly without realizing that the card reader is processing a preceding employee's card, or the employee walks in behind another employee without using a key card.
18.5 An individual enters a vital area to which he or she is authorized unescorted access by mistakenly using an access control meaium (key card or badgt)
Intended for another individual who is also authorized unescorted access to the area.
18.6 An individualis incorrectly issued a badge granting access to vital areas to which he or she is not authorized, but does not enter any vital areas or does not enter any vital areas with malevolent intent. Another example is an individual who is incorrectly issued a badge but cannot reasonably use it because he or she does not know the personalidentification number needed to enter the area, and the event is promptly discovered and corrected by the licensee.
18.7 Improper control (to include loss or offsite removal) of access control media, including picture badges, keys, key cards, or access control computer codes, that could be used to gain unauthorized or undetected access, when the event is discovered and corrected by the licensee. See Example 16 in Regulatory Position 2.2 for similar examples that must be reported within one hour. See 12
Example 9 in Regulatory Position 2.5 for similar examples that need not be
,/ reported or logged.
~
18.8 Card reader feilure that causes vital area doors to unlock in the open position or to lock in the closed position but with no functional door a:larm. See Example 10 of Regulatory Position 2.5 for similar examples that need nct be reported or logged.
18.9 incomplete or inaccurate preemployment screening records or inadequate administration, control, or evaluation of psychological tests that would not necessarily have resulted in a denial of eccess. See Example 17 of Regulatory Position 2.2 for similar examples that must be reported withir, one hour.
2.5 Events Not Required To Be Logged or Reported Certain failures of the safegJards system that do not and could not roduce the 73 ef fectiveness of the system have little or no safeguards significance; events that have little or n,) no safeguards significance need not be reported or logged. The following are examples of events that are not required to be logged or reported. This list should not be considered all-inclusive.
- 1. Cuts made by authorized maintenance personnel through a material access area or vital area barrier for a legitimate reason (e.g., to install a pipe) with prior approval, coordination with security, and proper compensatory measures.
- 2. A child attempting to climb a protected area fence.
- 3. Infrequent nuisance alarms caused by mechanical or environmental problems and false ararms that do not exceed the rates committed to in the licensee's approved physical protection plan or do not degrade system cffectiveness.
- 4. A fire or explosica if the origin can be determined, within one hour, to be
/ nonsuspicious and the facility sustains no significant damage. See Example 5 of s' Regulatory Position 2.2 for similar examples that must be reported within one bour.
13
I l
S. A suspicious vehicle following a transport that is determined, within one hour, not to i be a threat. See Example 6 of Regulatory Position 2.2 for similar examples that must be reported within one hour.
- 6. Suspected tampering with safety equipment that is determined, within one hour, not to be tampering. See Example 9 of Regulatory Position 2.2 for similar examples that 4
must be reported within one hour. ;
l
- 7. Discovery of vehicular emergency equipment such as safety flores during entrance searches, unless tho introduction was done for malevolent purposes.
- 8. Failure of search equipment if the failure is discovered by the licensee before anyone goes through unsearched and the licensee uses other equipment with the same capabilities (such as hand held or walk-through search devices). See Example 18.2 of Regulatory Position 2.4 for similar examples that need to be logged.
- 9. Improper control (to include loss or offsite removal) of access control media, including picture badges, keys, key cards, or access control computer codes, that the licensee determines could not be used to gain unauthorized or undetected access. See Example 16 of Regulatory Position 2.2 for similar examples that must be repotted within one hour. See Example 18.7 of Regulatory Position 2.4 for similar examples that need only to be logged.
- 10. Card raader failure that causes vital area doors to lock in the closed position but the door alarrn functions properly, provided that access control measures are implemented before allowing individuals into the vital areas. See Example 18.8 of Regulatory Position 2.4 for similar examples that need only to be logged.
- 3. PROCEDURES 3.1 Training of Non-Security Staff Discovery of reportable events is not limited to mernbers of the security organization.
It is recommended that all regular site employees receive security training to foster an 14
,3
, aware,1ess of site security and be briefed on their responsibility to immediately notify site 1
y/ 1,ecurity of security anomalies.
3.2 Dual Reporting Events of a dual nature (i.e., both having safety and safeguards implications and being subject to the requirements of 10 CFR 50.72,50.73, and 73.71) do not require duplicate reports under the requirements of 10 CFR 73.71. If a power reactor licensee reports an event that is reportable in accordance with both 10 CFR 50.73 and 73.71, the procedures described in 10 CFR 50.73 (i.e., submittal of a licensee event report (LER)) must be followed. The procedures contained in NUREG 1022, " Licensee Event Report System,"* describe how to indicate that an LER meets multiple reporting requirements. Similarly, SNM licensees need not report more than once for events covered under both 10 CFR 70.52 and 73.71, or under both 10 CFR 74.11 and 73.71.
3.3 NRC Form 366
,a
( )
n/ When submitting reports of events that are reportable solely under the provisions of 10 CFR 73.71, power reactor licensees should use LER Form 366 all other licensees should write a letter. The requirements of 10 CFR 73.21(g) must be met when transmitting safeguards information, in addition, when transmitting classified information, the requirements of 10 CFR 95.39 must be followed, it is recognized that not allitems of NRC Form 366 may apply when safeguards events are reported. Licensees should be sure that all the information needed by the NRC, as described in Regulatory Position 3.5 of this guide, is included on the form, whether under a specific item or in the text section.
- Copies are available at current rates from the U.S. Government Printing Office, P.O. Box 37082. Washington.
DC 20402 9328 (telephone (202)512 2249); or from the National Technical Information Service by writing NTIS
' /_'j at 5285 Port Royet Road, Springfield VA 22161. Copies are also available for inspection or copying for a fee
/ f rom the NRC Public Document Room at 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail
'v' Sto' LL-6. Washington, DC 20555; telephone (2021634 3273; f ax (202)634-3343.
15
3.4 One Hour Reports When a licensee, licensee employee, or contract employee discovers an event reportable under 10 CFR 73.71(a) or (b), telephone notification to the NRC Operations Center listed in Appendix A to 10 CFR Part 73 should be made within one hour of the discovery.
Telephone notification should be made via the Emergency Notification System (ENS)if the licensee is a party to that system if the ENS is inoperative or unavailable, a commercial telephone should be used to ensure that the required notification is received by the NRC Operations Center within one hour of discovery of the event. The commercial telephone number that may be used to contact the NRC Op ations Center is (301)816 5100. Other methods that may be used to ensure notification within one hour include telegram, mailgram, or f acsimile. Telegrams and mailgrams should be hand delivered to the Operations Officer at the NRC Operations Center, Two White Flint North,11545 Rockville Pike, Rockville, MD 20852. For information concerning f acsimiles, telephone the NRs iperations Center at (301) 816 5100. If pertinent information or errors are uncovered after the initial telephono report but prior to submittal of the written report, the licensee should notify the NRC Operations Center of the information or error by telephone.
Under the provisions of 10 CFR 73.71(a), the licensee (or agent) should also notify the NRC Operations Center by telephone within one hour of the recovery of or accounting for a shipment with information on the materiallocated, known reason for loss, etc.
Telephone reports made pursuant to 10 CFR 73.71 may be transmitted over unprotected lines as permitted by the exemption in 10 CFR 73.21(gi(3).
3.5 30 Day Follow Up Written Reports A follow up written report must be submitted within 30 days of a one hour report.
Power reactor licensees should use the Licensee Event Report form, NRC Form 366, in submitting their reports; all other licensees should use a letter format. For alllicenseos, the information described below is sufficient for NRC analysis and evaluation and should be included in the report as a minimum. Reports of events must be legible and reproducible and should include the following.
- 1. Date and time of event (start and end time).
16
- 2. Location of actual or threatened event in a protected area, material access area,
(
) controlled access area, vital area, or other (specify area).
- 3. For power reactors, the operating phase, e.g., shut-down, operating.
- 4. Safety systems affected or threatened, directly or indirectly.
- 5. Type of security force onsite (proprietary or contract).
- 6. Number and type of personnel involved, e.g., contractors, security, visitors, NRC personnel, other (specify).
- 7. Method of discovery of incident, e.g., routine inspection, test, maintenance, alarm, chance, informant, communicated threat, unusual circumstances (give details).
- 8. Procedural errors involved, if applicable.
- 9. Immediate actions taken in response to event.
- 10. Corrective actions taken or planned.
- 11. Local, State, or Federallaw enforcement agencies contacted.
- 12. Description of media interest and press release.
- 13. Indication of previous similar events.
- 14. Knowledgeable contact.
For security system failures, provide the following in addition to items 1 througn ?4:
- 15. Description of failed or malfunctioned equipment (including manufacturer and model 9 number).
17
- 16. Apparent cause of each component or system f ailure. (For uncompensated security computer f ailures, state the reason the event could not be compensated and list specific components affected, e.g., central processor, peripheral / terminal equipment, sof twbre.)
- 17. Status of the equipment prior to the event (e.g., operating, bein0 maintained, made secure) and compensatory measures in place.
- 18. Secondary functions affected (for multiple-function components).
- 19. Effect on plant safety.
- 20. Unusual conditions that may have contributed to f ailure, e.g., environmental extremes.
For threat related incidentsgrovide the following in addition to items 1 through 14:
- 21. Number of perpetrators.
- 22. Type of throat, e.g., bomb, extortion.
- 23. Means of communication, e.g., letter, telephone.
- 24. Text of threat.
- 25. Clear photocopy of threat letter and accompanying envelope if applicable.
Licensees should submit one copy of each written report to the U.S. Nuclear Regulatory Commission, Document Control Desk, Washington, DC 20555, and one copy to the appropriate Regional Office listed in Appendix A to 10 CFR Part 73, if portinent information or errors are uncovered af ter the initial telephone report or the written report is submitted, the licensee should notify the NRC Operations Center by telephone of the information or errors. if additional portinent information is uncovered af ter the written report has been submitted, the licensee should submit a complete revised written report (with revisions indicated) to the Document Control Desk and the Regional Office. The revised 18
- . . . ~ . - . - . - .- . _ - -. ..-- . - - . _ . - - , - - - _ . . ~ - - . - . -
report should be complete and should not contain only the supplementary or revised .
Information.=-
U -
l
- 3.6 - Maintenance of Los ' _
[
= Events reportable un' der 10 CFR 73,71ic) on'y need to be logged.-- Each log must _be
~
retained for three years af ter the last entry to that log. In' maintaining the log, it is -
- recommended that the licensee log the information as received and then summarize and --
update the log entry when the event terminates. However/ licensees are required by 10 CFR -
P
, 73.71(c) to log entries within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of the discovery of the event. Since the licensee l would immediately investigate all events that threatened nuclear activities or lessened the effectiveness of the security system, the details would generally be available when the entry was made in the log, Log entries should include as a minimumi
- 1. Date and time of the event.
- 2. Brief (one-line) description of the' event.
- 3. Brief (one line) description of compensatory measure or corrective actions taken.
A
- 4. Area affected, e.g., vitM area, protected area, material access area, owner controlled area, transport.
- 5. How detected, e.g., alarm, routine inspection, patrol, informants.
A 1.
19:
w,,, n.+---w y, - - , e - c,a.,
APPENDlX A GLOSSARY NOTE: This Olossary applies only to the requirements of 10 CFR 73.71.
Any fal/ure, degradat/on, or d/scovered vulnerabl//ty. The cessatbr. of proper functioning or performance of equipment, personnel, or procedures that are part of the physical protection program necessary to meet Part 13 requirements, or a discovered defect in such eauipment, personnel, or procedures that degrades funcilon or performance.
Contraband. Unauthorized materials, including fire ms, explosives, and other too's or weapons usefulin radiological sabotage, or materials that could be used to perpettate or conceal a theft of SNM fo.g., shielding materials used to defeat SNM exit detectori or radicactive sources that could be used to f alsely trigger an evacuation alarm).
Credible threat. A threat should be considered credible when (1) physical evidence supporting the threat exists, D)Information independent of the actual threat message exists that supports the threat, or (3) a specific, known group or organization claims responsibility for ths threat.
Ded/cated observer. A person, not necessarily a member of the guard force, posted as a temporary compensatory measure for a degraded assessment or detection capability or both.
Wnile performing this function, duties must be limited to detection and assessment. As a minimum, the person must be able to view the entire area affected by the degradation and must be able to communicate with the alarm station.
D/ vers /on of SNM. Unauthorized removal of SNM.
Falso alarm. An alarm generated without an apparent cause investigation discloses no evidence of a valid alarm conditinn, such as tampering, nuisance alarm conditions, or equipment malfunction.
/nterrupt/on of normaloperat/on. A departure from normal operation that, if accomplished, would result in a challenge to the plant safety systems.
Nu/sance alarm. An alarm generated by an identified input thht does not represent a threat.
Nuisance alarms may be caused by environmental factors (rain, sleet, snow, lightning) or mechanical f actors (natural objects such as animals or tall grass).
Properly compe isated. Measures, which may include backup equipment, security personnel, or specific procedures, taken to ensure that the effectiveness of the security system is not reduced by f aik.ro or other contingencies affecting the operation of the security-related equipment or structures. Preplanned compensatory measures are normally described in NRC-approved physical protection plans. (See Appendix C of this guide for more detail.)
Sa/epuards event. Any incident representing an attempted, threatened, or actual breach of the physical protection system or reduction of the operational effectiveness of that system.
Safeguards Eventloc. A compilation of log entries for the events described in Section 11 of Appendix G to iO CFR Part 73. Entries should include the date and time of the avent, a description of the event, and any action tt. ken. Repeated events may be consohdated into a 20
d single log entry with the date, time, and duration recordeo for each occurrence. The ongoing safeguards event log may be maintained in more than one location onsite. Tho; log may be typed or handwritten as long as it is. legible and reproducible.
Sefesaserufs system. The equipment, personnel, and procedures that make up the physical-protection program necessary to meet Part 73 requirements.-
Slan/f/ cent phys /ce/ demepe. : Physical damage _to the extent that the f acility, equipment,_
transport, or fuel cannot perform its normal function (applies to a power reactor, a f acility _
- possessing SSNM or its equipment, carrier equipment transporting nuclear fuel or spent nuclear fuel, or_ to the nuclear fuel or spent nuclear fuel a facility or carrier possesses).
Tempering L Altering for improper purposes or in an improper manner.
Theft of SNM The unauthorized taking of SNM.
Unauthor/redperson. Any unetcorted person in an area to which the person is not authorized
__ unescorted access. -This includes authorized and unaut1orized persons who gain access in an-unauthorized manner. -
~
21
APPENDIX B SAMPLE LOG ENTRIES Safeguards events reportable under 10 CFR 73.71(c) need only be logged within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of their discovery. The sample log items presented here should not be considered allinclusive.
LOG ENTRY EVENT DATE/ TIME DATE/ TIME EVENT RESPONSE
- 1. 1 8-97/0140 1 8 97/0130 CAS operator received Area search initiated telephone bomb threat at 0135 hours0.00156 days <br />0.0375 hours <br />2.232143e-4 weeks <br />5.13675e-5 months <br />, completed from unidentified 0140 hours0.00162 days <br />0.0389 hours <br />2.314815e-4 weeks <br />5.327e-5 months <br />, nothing male. Bomb reported found. !
near diesel generator.
- 2. 1-8 97/1245 1 8 97/1043 Delivery truck sig- Guard posted at 1050 nificantly damaged hours, relieving patrol PA fence in zone No. (immediate comp.), PA
- 4. Discovered at searched.
1047 by guard patrol. no PA or VA alarms received.
- 3. 1-9 97/1605 1-9 97/1433 Card reader f ailure At 1440 hours0.0167 days <br />0.4 hours <br />0.00238 weeks <br />5.4792e-4 months <br />, posted at VA portal No. 2. guard with current access list. System failure corrected and operational at 1600 hours0.0185 days <br />0.444 hours <br />0.00265 weeks <br />6.088e-4 months <br />.
- 4. 1-9 97/1815 1 9 97/1730 ID badge No. 342 Badge cancelled 1732 lost onsite. hours. Badge found on employee's jacket at 1745 hours0.0202 days <br />0.485 hours <br />0.00289 weeks <br />6.639725e-4 months <br />.
- 5. 1-9 97/2055 1 9-97/2025 Security system Determined caused by f ailure, single electrical storm / power CPU outage, surge. System back on line at 2028 hours0.0235 days <br />0.563 hours <br />0.00335 weeks <br />7.71654e-4 months <br />. All VA portals confirmed lacked and alarmed by guard force.
6, 1-10 97/1410 1 10-97/1405 Fence repaired (See Compensatory post Entry No. 2) discontinued at 1405.
O 22
- 7. 1 12 97/1100 1 12 97/0812 Protected area fence Area searched by
(-)
1 12 97/0815 alarms recolved security patrol. No
(,/ 1 12 97/0817 from zone No. 4 apparent cause for 1 12 97/0819 alarms. Guard posted 1 12 97/0823 after third alarm and maintenance called to check system. System function verified through test each occurrence. All actions completed 1035.
- 8. 1 12-97/1610 1 12-97/1443 CCTV f ailure, peri- Dedicated observer in meter zone No. 2 place 1450 hrs. No (IDS operational) alarms received. Camera replaced and operational at 1610.
- 9. 1 12 97/2015 1-12 97/2007 See No. 5 above. Same as No. 5 above.
System on line at 2011 hours0.0233 days <br />0.559 hours <br />0.00333 weeks <br />7.651855e-4 months <br />.
- 10. 1-12 97/2350 1 12 97/2230 Latch alarm received Guard posted at 2238.
on VA portal No.6. Area searched, no abr ..r.
Responder found door malities found. Main-slightly ajar. tenance request initiated at 2315.
/ \
O 23 l
APPENDlX C COMPENSATORY MEASURES Credit '.ie? be taken for compensatory measures when deciding on the type of report and when it is due. The significance of the system defect or vulnerability is the key factor in j determining whether the event should be reported in one hour or simply logged. Even l compensatory measures implemented promptly after discovery of the defect or vulnerability cannot provide protection for the period of time that the defect or vulnerability existed.
Therefore, any f ailure, degradation, or discovered vulnerability that is known to have existed for a significant period of time and that should or could have been discovered in the course of ;
patrols, surveillance, operational tests, or other means should still be considered for reporting within one hour.
The following are examples of compensatory measures that could warrant credit for the licensee: these measures relate to the examples given in the text of this regulatory guide.
Other compensatory measures may be used if they p ovide equivalent levels of protection.
Loss of alarm capab//ity. With respect to material access areas or vital area portals, adequate compensation requires that a dedicated observer with appropriate communications capability be posted within 10 minutes of discovery of the loss and that the area be searched.
Failure of /ock/np mechan /sm. With respect to material access area or vital area portals, adOquate compensation requires that an armed security force member with appropriate communications capability be posted within 10 minutes of discovery and that the area be searched.
Loss of ability to monitor or remotely assess protected area alarms. Adequate compensation for such loss includes restoration of the cri aal capability within 10 minutes of discovery of the event, or dedicated observers with appropriate communications capability posted within 10 minutes of the discovery if they are capable of observing each of the affected zones.
Loss of a// power to secur/ty systems. The only compensatory measure that could reduce this event from a one hour report to a loggable event is that the security system has been maintained throughout the event by standby power. The NRC does not consider immediate posting of guard personnel to be sufficient to relieve the need for a one-hour report of this event.
Loss of ability to detect intrusion at protected area perimeter. Adequate compensation for this failure would be (a) deployment of backup intrusion detection equipment within 10 minutes of discovery or (b) posting a dedicated observer capable of monitoring each affected zone with suitable communications equipment for contacting alarm stations.
Security computer fa//ure. Compensatory measures for this f ailure include restoration of the computer, deployment of a backup computer system, or posting security personnel capable of providing an equivalent level of protection, all within 10 minutes of discovery of the f ailure.
Vita / area card readers. An acceptable compensatory measure for this f ailure would be posting a security force member with appropriate access lists and communications capability at each door.
24
. . ~ _ , ._. . - - _ _ . . . - _ .
I e
VALUE/ IMPACT STATEMENT
- A separate value/ impact statement has not been prepared for this regulatory guide.1The-guide is being revited to provide additional guidance on reporting safeguards events in .
accordance with 10 CFR 73.71(a) through (c). A regulatory analysis was prepared for the proposed revisions to 10 CFR 73.71 and was made available in the NRC Public Document Room at the time of publication (August 27,1985,50 FR 34708).-:This regulatory analysis is also appropriate for this regulatory guide, i
1 e .
25
l 9
1 Printed on rec 14d W
l O Federal Recycling Program
- U.S. G'iVERNMENT PHINTING OFFICE; 1997 432 37414X)06
- l. . . . . . .. -_____ _ _ - _ _ _ _ _ - _
_ _ _ = _ _ ____ _ _ __ _
. UNITED STATES FIRST m m ELEAR REGULATORY COGGANSSION POSTAGE AND FEES PAtO
' I 120555064215 2 ISA15S155115 OSNRC PERMIT NO. G47 -
US NRC-0IRM i~ INFOMMATION & RECORDS MGMT
- WN BUSINESS DOCUMENT CONTROL DESK PENALTY FOR PRIVATE USE,5300 . 1WFN-P117 DC 20555 j WASHINGTON 1
4 1
i.
t I
l -
i l-i 'L l ,
t I
I
.. g i !
i 1
1
?
I I
l I
.