Reconsideration of Nuclear Power Plant Security Requirements Associated with an Internal Threat (Generic Letter 96-02)
OFFICE OF NUCLEAR REACTOR REGULATION
WASHINGTON, D.C. 20555-0001
February 13, 1996
|NRC GENERIC LETTER 96-02:||RECONSIDERATION OF NUCLEAR POWER PLANT SECURITY REQUIREMENTS ASSOCIATED WITH AN INTERNAL THREAT|
All holders of operating licenses or construction permits for nuclear power reactors.
The U.S. Nuclear Regulatory Commission (NRC) is issuing this generic letter to notify addressees that the NRC has reconsidered its positions on certain security measures associated with protecting nuclear power plants against an internal threat. It is expected that addressees will review the information for applicability to their facilities and consider actions, as appropriate. However, suggestions contained in this generic letter are not NRC requirements; therefore, no specific action or written response is required.
The fitness-for-duty (FFD) rule (10 CFR Part 26) published on June 7, 1989, required power reactor licensees to implement FFD programs. The access authorization rule (10 CFR 73.56) published on April 25, 1991, required power reactor licensees to implement access authorization programs. One objective of these regulations was to ensure the reliability and trustworthiness of persons granted unescorted access to protected areas at nuclear power facilities. In light of these regulations, the NRC initiated an evaluation of security requirements associated with protection against the insider threat at nuclear power plants. One purpose of the evaluation was to determine if other security requirements pertaining to protection against an insider remain appropriate. The staff reported the results of its initial review in SECY-92-272, "Re-Examination of Nuclear Power Plant Security Requirements Associated With the Internal Threat," dated August 4, 1992. After performing this initial review, the staff recommended a reduction or elimination of certain security requirements that gave only marginal protection against the insider threat.
After reviewing SECY-92-272, the Commission asked the staff to reexamine the subject and explore alternatives for allowing reductions in unnecessary or marginally effective security measures. The results of this reevaluation are reported in SECY-93-326, "Reconsideration of Nuclear Power Plant Security Requirements Associated With an Internal Threat," dated December 2, 1993.
Description of Circumstances
In a staff requirements memorandum dated February 18, 1994, which is available in the NRC public document room, the Commission endorsed staff recommendations to (1) issue generic correspondence informing licensees of the opportunity to revise certain commitments in their security plan and (2) proceed with rulemaking regarding specific changes to reduce or eliminate certain security requirements. This generic letter identifies those areas in which licensees may choose to revise their plans without having to wait for the issuance of the rule changes that are in progress. Section 10 CFR 73.55(a) specifies that the Commission may authorize a licensee to provide measures for protection against radiological sabotage other than those required by 10 CFR 73.55 paragraphs (b) through (h) if the licensee demonstrates that the measures have the same high assurance objectives as specified in 10 CFR 73.55(a) and that the overall level of system performance provides protection against radiological sabotage equivalent to that which would be provided by paragraphs (b) through (h) and meets the general performance requirements of 10 CFR 73.55(a). The Commission has determined that although the alternate measures addressed herein could result in a small decrease in a licensee's measures to protect against an internal threat, the additional licensee commitments described reflect appropriately the same high assurance objectives as specified in 73.55(a), and if properly implemented, the overall level of system performance will provide protection equivalent to that provided by paragraphs (b) through (h) and meet the general performance requirements of 10 CFR 73.55(a).
This generic letter was originally published in the Federal Register (November 2, 1994) for public comment and has been modified on the basis of those comments.
Some of the changes identified will require licensees to submit security plan changes in accordance with the provisions of 10 CFR 50.90, while other changes may be processed in accordance with the provisions of 10 CFR 50.54(p) and can be implemented without NRC approval. Staff positions reflected in A and D do not apply to structures which are required to be bullet-resisting because leaving these doors unlocked or failing to compensate for lock failures would offset the bullet-resisting protection features.
As discussed below, licensee security plans may be revised in the following four areas:
Vital Area Access Control Measures
Changes to vital area (VA) access control measures identified below are subject to confirmation that (1) certain other site-specific measures are in place or will be implemented to demonstrate (e.g., through contingency drills) that a capability, including a protective strategy, exists to protect against an external adversary after making any of the changes and (2) measures are in place to examine hand-carried packages for explosives (at the protected area barrier) using equipment specifically designed for that purpose.
Plan changes requesting any of the following VA measures must contain commitments to hold contingency drills at a frequency sufficient to maintain response capability for response personnel. The use of "organic"-type X-ray equipment would satisfy the criteria for inspecting hand-carried packages for explosives. Other acceptable methods would include portable "sniffers" and visual inspection.
Subject to confirmation of these measures, the following changes to a security plan may be acceptable:
|A.||Compensatory Measures - No compensatory measures need be taken for either a lock or VA alarm failure for up to 72 hours after the failure is discovered. After 72 hours, the equipment must either be operable or compensatory actions taken by posting a guard or watchman. During the first 72 hours of a lock or alarm failure, that portal will be added to the existing patrol schedule to periodically confirm functioning of the operable feature (lock or alarm). If both lock and alarm fail at a portal, that portal must be posted immediately (within the time specified in the current plan).|
|B.||Maintenance of Discrete Vital Area Access Lists - Separate access authorization lists for each vital area of the facility may be eliminated. As an alternative to those separate lists, it would be acceptable to maintain a single listing of persons who have access to any vital area. To maintain its accuracy, this listing would have to be revised as the access status of a person changes, especially as the status relates to removal or loss of vital area access authorization, but a 31 day validation of the list is not required.|
|C.||Alarm Response - Modification to the response to vital area access control alarms (doors) may be acceptable. Response is only needed to a VA door intrusion or tamper alarm but not to other alarms. All other alarms are to be resolved by existing procedures (e.g., assess cause and fix problem).|
|D.||Locked Condition of Door - Although locking mechanisms and access control systems, including door alarms, would be retained, doors to vital areas could be left unlocked. Licensees choosing this option would be expected to have the capability to remotely lock the door(s) from both the central and secondary alarm stations, as necessary, in response to an external threat. Licensees choosing this option would be expected to demonstrate their ability to remotely lock doors in time to delay an adversary where delay was essential in the protective strategy. Contingency drills should test the use of the system locking function. The contingency plan and procedures may have to be modified to indicate the immediate "locking" of all VA doors during a safeguards emergency. Access control systems would be retained on VA doors and would be expected to continue to maintain a record of personnel access and generate alarms if the door were opened by someone without a proper access. Existing plan commitments for compensatory measures for failed door alarms and access hardware must remain in effect, unless changes are approved by the NRC. If the system function to lock the doors has failed (unable to control locks from alarm stations), the VA doors will have to be returned to a locked status.|
|The process for licensees to revise their security plans to implement the changes to security measures in vital areas will depend on what is presently contained in their security plans. Since acceptance of these changes is conditional on confirmation of two offsetting conditions, most changes would need to be processed in accordance with the provisions of 10 CFR 50.90. Changes in security plans should include commitments to the two measures described in the first paragraph of Section I above.|
Access Search of On-Duty Armed Security Guards
Changes that would allow armed security officers who (1) are on duty and carry a weapon in accordance with assigned duties, (2) have already been searched during their current shift, and (3) have left the protected area on official business, to reenter the protected area without being subjected to the metal detector searches (but still be subjected to explosive searches) would be acceptable. If search equipment is a single unit containing both metal-detection and explosive-detection equipment, alarms from the metal detector may be disregarded. The staff considers that this change could be made to security plans in accordance with the provisions of 10 CFR 50.54(p).
Containment Access Control Measures
Changes were proposed, when this generic letter was published for public comment, that would allow persons other than security personnel, provided they are appropriately trained with respect to access control procedures in accordance with the security plan, to perform the access control function for personnel and materials entry into the containment at any time frequent access is permitted to the containment. However, this position is now unnecessary because the NRC amended its regulations to eliminate 10 CFR 73.55(d)(8) effective October 10, 1995. Special access controls for entry into the containment during periods of frequent access are no longer required.
Alternative Measures for Control of Security Badges
Changes that would allow for alternative approaches for accountability of picture badges used for unescorted access so that certain types of badges may be taken outside the protected area. Alternative approaches need to include the ability to ensure positive identification of individuals upon entry to the protected area. For employees, such changes can be made under 50.54(p). The staff considers that changes to security plans to allow contractors to take security picture badges off site would first require a request for exemption from the provisions of 10 CFR 73.55(d)(5). An exemption is not required for licensee employees because the regulations currently allow licensee employees to take badges off site. Upon approval of the exemption request for contractor personnel, licensees would be allowed to implement the change in accordance with the provisions of 10 CFR 50.54(p).
For assurance of unrestricted emergency access, the NRC staff notes the advantages of (1) having the ability to remotely unlock doors to vital areas from each alarm station, (2) ensuring that malfunctions result in doors failing unlocked rather than locked, and (3) allowing all operators and auxiliary operators to carry metal keys that can override keycard-operated lock mechanisms. However, these conditions are not required for licensees to implement any of the positions presented in this generic letter.
This generic letter requires no specific action or written response. If you have any questions about this matter, please contact one of the technical contacts listed below.
Dennis M. Crutchfield, Director
Division of Reactor Program Management
Office of Nuclear Reactor Regulation
Loren L. Bush, NRR
Robert F. Skelton, NRR