UNITED STATES NUCLEAR REGULATORY COMMISSION OFFICE OF INSPECTION AND ENFORCEMENT WASHINGTON, D.C. 20555 July 26, 1979 IE Bulletin No. 79-16 VITAL AREA ACCESS CONTROLS Description of Circumstances: An attempt to damage new fuel assemblies occurred recently at an operating nuclear reactor facility. During a routine fuel inspection, the licensee discovered that a chemical liquid had been poured over 62 of 64 new fuel assemblies. Analysis indicates that the chemical liquid was sodium hydroxide, a chemical stored and used onsite. The licensee stores new fuel assemblies in dry storage wells on the same elevation as the spent fuel pool within the Fuel Building, a vital area. Access to the building is controlled by use of a coded keycard which electronically unlocks the alarmed personnel portals. The licensee issues coded keycards to both licensee and contractor personnel after the successful completion of a background screening program. In addition, licensee site management certifies monthly that each individual has the need for a coded keycard in order to perform required duties. Further access within this building, is not limited by other barriers or controls. As a result of this incident, an initial licensee audit determined that several hundred licensee and contractor personnel had access to this area during the period when the attempt to damage the fuel was made. The audit also revealed that one coded keycard reader at a vital area portal was inaccurately recording access data at the alarm station. Also discovered during this audit were indications of frequent "tailgating" on access through the portals. Tailgating occurs when more than one person passes through a portal on one person's authorized access. Their passage is therefore not recorded, and unauthorized persons could gain entry in this manner. Tailgating does not include authorized access controlled by an escort. Discussion of Applicable Requirements: 10 CFR 73.55(a) requires the licensees to protect against industrial sabotage committed by an insider in any position. 10 CFR 73.55(d)(7) states that access to Vital Areas shall be positively controlled and limited to individuals who are authorized access to vital equipment and who require such access to perform their duties. Specific commitments implementing this regulation are described in each licensee's approved Security Plan. . IE Bulletin No. 79-16 July 26, 1979 Page 2 of 4 NRR, in their meetings with the licensees in March 1977 to explain SS 73.55 and what would constitute an acceptable plan, explained that positive control of access to a vital area consisted of two elements: first, that the person requesting entry has the necessary background screening and need to perform job related functions to be authorized access to that Vital Area, and second, that he has a need at that specific time to enter to perform a specific function. This is comparable to gaining access to a classified document; you need both a clearance and a need to know. In approving security plans, NRR assumes that the determination of need would be based upon a valid need and not convenience. Furthermore, access should be authorized to a minimum number of people, and licensees should use reasonable alternatives to minimize the number of personnel and frequency of access. Acceptance Criterion 5.B of the Security Plan Evaluation Report (SPER) Workbook, dated January 1978, states that the licensee must commit to pro- viding positive access control to Vital Areas by: 1) Limiting access to authorized personnel. 2) Requiring positive identification prior to entry. 3) Requiring an established need for access. 4) Maintaining records of entry, exit and reason for entry. 5) A system for control within the Vital Area. NRR Review Guideline #21 suggests that blanket access authorizations should not be granted by stating that an acceptable method of indicating the Vital Areas to which access is authorized inclUdes a record of each vital area to which the holder is authorized access, and the card is encoded to permit access to only those Vital Areas to which the individual has been granted access. Review Guideline #23 states that for access to a Type I Vital Area, the person must be authorized entry by the shift supervisor or other designated individual who has been informed of the estimated length of time to be spent in the Type I Vital Area. There needs to be some balance attained between operational necessity and the administrative burden of validating the need for access each time entry is to be afforded. Many licensees grant "permanent access authorization" to all persons requiring access to vital areas, regardless of the frequency or duration of the need. This is contrary to the regulations and guidelines from NRR cited above. . IE Bulletin No. 79-16 July 26, 1979 Page 3 of 4 Action to be Taken by Licensee: 1. Establish criteria for granting unescorted access to each vital area, which shall be based upon the following: a. A screening program meeting ANSI N18.17. b. The individual has a valid need for access to the equipment contained in each vital area to which access is authorized. Valid need is based upon assigned duties requiring the performance of specific tasks upon or associated with specific equipment located in each vital area to which access is granted. Valid need to enter one vital area shall, not necessarily indicate that the person has a need to enter any other vital area. 2. An access list will be established for each area not to exceed 31 days. An individual will be on the access list only for the duration of the task to be performed. If an individual has a valid need for unescorted access for a single entry or for intermittent occasions during this period, a separate daily access list shall be prepared. All access lists shall be approved by the station manager (or equivalent) or his designated representative. 3. Individuals will be removed from the access list immediately upon termination of need. If an individual has not entered the vital area during the effective period of the access list (not to exceed 31 days) the need for access should be reassured prior to extending the authorization. To ensure that these actions are taken, the access list shill be reviewed and reapproved at least every 31 days. 4. Void access authorizations for all personnel not satisfying the criteria in lab and where appropriate, reprogram the key card system and reissue key cards that are coded to implement the above vital area access authorization program. 5. Develop reasonable alternatives so that the number and frequency of access to vital areas can be minimized consistent with safe operations. 6. Establish emergency procedures where, during an emergency, additional authorized personnel, meeting criteria in la&b, can move freely throughout the vital areas with their entry and exit being recorded. Upon securing from the emergency, the entry/exit record will be reviewed, and normal access control will be reestablished. 7. Prevent tailgating by one or more of the following: . IE Bulletin No. 79-16 July 26, 1979 Page 4 of 4 a. Establish procedures that require authorized personnel to prevent other personnel, including those authorized unescorted access, from tailgating. Ensure all authorized personnel are trained in the procedure, and establish a management program that ensures that the procedure is properly performed. b. Acquire equipment, such as turnstiles, to prevent tailgating. Ensure that such equipment will not deny access or egress under emergency conditions. c. Station a guard, watchperson or escort at the vital area access portal. This alternative would be most useful when there is a large number and frequency of access, such as occurs with containment during refueling. d. By any other means that achieve this objective. 8. Assign corporate responsibility for management oversight of VA access control and require personal involvement to ensure that all intermediate levels of management are properly discharging their responsibilities in this regard. 9. Conduct routine functional tests of the electronic access control system, including each key card reader, to verify (i) its operability and proper performance, and ii) the accuracy of the data recorded. This test should be incorporated into the seven-day test required by 10 CFR 73.55(g). 10. Report in writing within 45 days (for facilities with an operating license) the actions you have taken and plan to take (including a schedule) with regard to Items 1 through 9. Reports should be submitted to the Director of the appropriate NRC Regional Office and a copy should be forwarded to the NRC Office of Inspection and Enforcement, Division of Safeguards Inspection, Washington, D.C. 20555. Approved by GAO, B180225 (R0072); clearance expires 7-31-80. Approval was given under a blanket clearance specifically for identified generic problems.
Page Last Reviewed/Updated Thursday, March 29, 2012