NRC Generic Letter 91-03, Reporting of Safeguards Events


March 6, 1991

TO: ALL HOLDERS OF OPERATING LICENSES OR CONSTRUCTION PERMITS FOR NUCLEAR POWER REACTORS AND ALL OTHER LICENSED ACTIVITIES INVOLVING A FORMULA QUANTITY OF SPECIAL NUCLEAR MATERIAL (SNM).

SUBJECT: REPORTING OF SAFEGUARDS EVENTS (GENERIC LETTER 91-03)

This generic letter provides an immediate revision to current NRC policy regarding prompt reporting of safeguards events, thereby eliminating unnecessary prompt reporting of certain safeguards events and reducing their attendant effect on the NRC Operations Center. The revised position reduces the reporting burden on licensees and does not impose any new requirements.

On June 9, 1987, the NRC revised Section 73.71 of Title 10 of the Code of Federal Regulations (10 CFR), "Reporting of Safeguards Events." The rule requires licensees to report significant events to the NRC Operations Center promptly, within 1 hour after discovery, and to record certain other safeguards events in a log for quarterly reporting to the NRC.

The NRC published Revision 1 to Regulatory Guide (RG) 5.62 in November 1987 and published NUREG-1304 in February 1988, both titled, "Reporting of Safeguards Events," to clarify the rule changes and to provide guidance on reporting safeguards events.

When the NRC published the above guidance, it was anticipated that there would be a need to revise it again based on experience with implementation of the rule. During the implementation period, the NRC staff evaluated the safeguards events reported to the NRC Operations Center based on their safety significance and the immediate actions taken by the NRC and the licensees, and the staff determined that many of the events did not need to be reported promptly. Some events were being reported in accordance with NRC guidance that the NRC staff has subsequently determined is inappropriate, while other events were being reported because the NRC guidance did not provide enough clarity. The NRC staff has initiated an appropriate revision to RG 5.62, which will supersede NUREG-1304. However, the scope of the proposed revision is much broader than prompt safeguards reports. When completed, the revised guidance will be issued for public comment, and therefore, may not be published for a considerable time. Pending completion of the revision to RG 5.62, this generic letter provides interim guidance that should reduce unnecessary reporting to the NRC Operations Center and reduce the reporting burden on licensees.

Enclosure 1 to the generic letter lists examples of safeguards events that do not need to be reported promptly to the NRC Operations Center. Unless otherwise noted, if these events are properly compensated in accordance with RG 5.62 and NUREG-1304, they need only be logged. Licensees should properly compensate for events listed in Enclosure 1 within 10 minutes of discovery by a licensee employee, contractor, or vendor or within the time prescribed in the licensee's NRC-approved plan (as stated in RG 5.62). However, if extenuating circumstances prevent compensation within that time, the event need not be reported promptly provided there was no malevolent intent, nothing adverse resulted from the delay, and the licensee takes appropriate measures to ensure a more timely response or other necessary action in the future. For example, if an individual inadvertently fails to notify security of a safeguards event in a timely manner, the licensee may still log the event if the above conditions are met. In these cases, the licensee should note the cause of delay in the log entry.

If the licensee determines that unauthorized or undetected access could have been gained during any of the enclosed events, the licensee should immediately initiate a thorough search of the affected area for sabotage devices, evidence of tampering, or persons who may have achieved unauthorized access (as stated in NUREG-1304). The licensee should complete the search as soon as practicable. If additional information is subsequently discovered that establishes the event as significant, the licensee should report the event to the NRC within 1 hour of discovering the additional information.

A significant fitness-for-duty (FFD) event must be reported under the provisions of 10 CFR 26.73, but need not be reported under Section 73.71. FFD program performance data must be submitted under the provisions of 10 CFR 26.71(d). In those rare cases where an event with safeguards significance is caused by an FFD event, the FFD aspects must be submitted to the NRC in accordance with 10 CFR Part 26, and safeguards aspects reported in accordance with 10 CFR 73.71. When a telephonic report is required by both rules, the licensee need only make one telephone call to the NRC Operations Center within 1 hour. In that case, a written report of the safeguards aspects must also be submitted within 30 days, as required by 10 CFR 73.71.

Backfit Discussion

The actions in this generic letter are voluntary; no backfit is intended. This action is expected to result in a safety enhancement and a saving of resources. The staff performed an analysis of the type described in 10 CFR 50.109(a)(3) and 50.109(c), and a qualitative determination was made that any attendant costs are nominal and are balanced by continued savings due to reduced significant event reporting.

This generic letter consists of guidance and does not require a response. Therefore, an OMB clearance number is not necessary.

If you have any questions about this matter, please call the NRC technical contact listed below.

Sincerely,

James G. Partlow
Associate Director for Projects
Office of Nuclear Reactor Regulation

Technical Contact:

Nancy E. Ervin, NRR (301) 492-0946

Attachments:

1. Examples of Safeguards Events That Do Not Need To Be Reported to the NRC Within One Hour of Discovery
2. List of Recently Issued Generic Letters


EXAMPLES OF SAFEGUARDS EVENTS THAT DO NOT NEED TO BE REPORTED TO THE NRC WITHIN 1 HOUR OF DISCOVERY

The following are examples of events that can be logged if they are properly compensated in accordance with existing approved guidance (i.e., RG 5.62 and NUREG-1304) or by the relaxed guidance in this generic letter. (Specific factors that could change reportability are addressed with the applicable example.)

o A design flaw or vulnerability in a protected area (PA), controlled access area (CAA), material access area (MAA), or vital area (VA) safeguards barrier.


o A failed compensatory measure such as inattentive or sleeping security personnel, or equipment that fails after being successfully established as an effective compensatory measure for a degraded security system. If security personnel are ineffective because of alcohol or drugs, the security degradation can be logged under 10 CFR 73.71, and the positive results of the for-cause test included in the data submitted to the NRC under 10 CFR 26.71(d).


o Discovery of contraband inside the PA that is not a significant threat. For example, such a condition could be the discovery of a few bullets. If contraband is found in a vehicle located in a parking lot outside the PA, normally no report or log entry is required. If it constitutes a threat or attempted threat, a report is required within 1 hour as currently stated in RG 5.62 and NUREG-1304.

o Compromise (including loss or theft) of safeguards information that could not significantly assist an individual in gaining unauthorized or undetected access to a facility, or would not significantly assist an individual in an act of radiological sabotage or theft of SNM.

o Loss of all ac power supply to security systems, or loss of all computer systems provided adequate compensatory measures can be maintained until systems are restored. Further, if a power loss or computer failure could not enable unauthorized or undetected access, no report or log entry is required. For example, a computer failure would not require reporting if it is negated by an automatic switchover to a functioning backup computer without a time delay. Also, momentary loss of lighting caused by a power interruption would not require reporting if the loss could not have allowed undetected or unauthorized access.


Enclosure 1 To Generic Letter 91-03

o Partial failure of an otherwise satisfactory access authorization or access control program. The following are examples of partial failures:

- A vendor who has been cleared and authorized to receive a badge permitting unescorted access to protected and vital areas inadvertently enters the PA through a vehicle gate before being searched and issued a badge. The licensee discovers the event, searches the individual, issues a badge and takes corrective action to prevent recurrence.

- Search equipment fails and the licensee does not detect the failure, thereby allowing unsearched individuals to enter the PA. Individuals are not authorized PA entry without the proper search under the provisions of 10 CFR 73.46(d)(4)(i) and 10 CFR 73.55(d)(1). If the licensee discovers search equipment failure before anyone goes through unsearched, and the licensee immediately uses other equipment available with the same capability (such as hand-held or walk-through searching devices), no report or log entry is required.

- An individual who is required to have an escort for a particular area inadvertently becomes separated from his or her escort but the escort or another person authorized unescorted access recognizes the situation and corrects it. Further, if an individual separates from his or her escort to use a rest room which has limited means of egress and the escort remains nearby and has full view of the egress area, no report or log entry is required.

- An employee of a licensee or contractor enters a VA improperly without realizing that the card reader is processing a preceding employee's card, or the employee walks in behind another employee without using a key card. This event can be logged even if the employee was not authorized access to any VA, if the improper entry was inadvertent or without malevolent intent.

- An individual enters a VA to which he or she is authorized unescorted access by inadvertently using an access control medium (key card or badge) intended for another individual who also is authorized unescorted access to the area.

- An individual authorized only PA access is incorrectly issued a badge granting VA access, but does not enter any VAs or does not enter any VAs with malevolent intent. Further, if an individual is incorrectly issued a badge, but cannot reasonably use it because he or she does not know a personal identification number (PIN) needed to enter the PA, the event need not be reported or logged if it is promptly discovered and corrected.

- Improper control (to include loss or offsite removal) of access control media, including picture badges, keys, key cards or access control computer codes, that could be used to gain unauthorized or undetected access. Proper compensation includes preventing successful use of the medium and initiation of measures to determine if the medium was used during the period it was lost or offsite. If the licensee determines that the medium was used during this period, the licensee should report the event to the NRC within 1 hour from the time the use was discovered. If the licensee determines that the medium could not have been used to gain unauthorized or undetected access, the licensee does not have to report or log the event. Situations of this type could include the following: if the authorized individual only momentarily takes a badge outside of the PA, and the event is immediately discovered and corrected by return of the badge before a compromise could occur; if a badge or key is only momentarily misplaced and the event is discovered and corrected before anyone could reasonably use the device for entry; or if a badge is automatically deleted from the system when taken offsite, a new badge with a different access code is issued to the individual involved upon reentry, and the previous access code is not used in another badge.

- Card reader failure that causes VA doors to unlock in the open position or to lock in the closed position but with no functioning door alarm. Further, if card reader failure causes VA doors to lock in the closed position and the door alarms function properly, no report or log entry is required, provided that proper access control measures are implemented before allowing individuals into the vital areas.

- Incomplete preemployment screening records (to include falsification of a minor nature), or inadequate administration, control or evaluation of psychological tests. Unescorted access of the individual may need to be cancelled or suspended until the identified anomaly is resolved. If the licensee determines that unescorted access would have been denied based on developed information, a 1-hour report is required after discovery of the new information, as currently stated in RG 5.62 and NUREG-1304.