Bulletin 79-16: Vital Area Access Controls

                               UNITED STATES 
                       NUCLEAR REGULATORY COMMISSION 
                    OFFICE OF INSPECTION AND ENFORCEMENT 
                           WASHINGTON, D.C. 20555 

                               July 26, 1979  

                                             IE Bulletin No. 79-16 

VITAL AREA ACCESS CONTROLS 

Description of Circumstances: 

An attempt to damage new fuel assemblies occurred recently at an operating 
nuclear reactor facility. During a routine fuel inspection, the licensee 
discovered that a chemical liquid had been poured over 62 of 64 new fuel 
assemblies. Analysis indicates that the chemical liquid was sodium 
hydroxide, a chemical stored and used onsite. 

The licensee stores new fuel assemblies in dry storage wells on the same 
elevation as the spent fuel pool within the Fuel Building, a vital area. 
Access to the building is controlled by use of a coded keycard which 
electronically unlocks the alarmed personnel portals. The licensee issues 
coded keycards to both licensee and contractor personnel after the 
successful completion of a background screening program. In addition, 
licensee site management certifies monthly that each individual has the need 
for a coded keycard in order to perform required duties. Further access 
within this building, is not limited by other barriers or controls. 

As a result of this incident, an initial licensee audit determined that 
several hundred licensee and contractor personnel had access to this area 
during the period when the attempt to damage the fuel was made. The audit 
also revealed that one coded keycard reader at a vital area portal was 
inaccurately recording access data at the alarm station. Also discovered 
during this audit were indications of frequent "tailgating" on access 
through the portals. Tailgating occurs when more than one person passes 
through a portal on one person's authorized access. Their passage is 
therefore not recorded, and unauthorized persons could gain entry in this 
manner. Tailgating does not include authorized access controlled by an 
escort. 

Discussion of Applicable Requirements: 

10 CFR 73.55(a) requires the licensees to protect against industrial 
sabotage committed by an insider in any position. 10 CFR 73.55(d)(7) states 
that access to Vital Areas shall be positively controlled and limited to 
individuals who are authorized access to vital equipment and who require 
such access to perform their duties. Specific commitments implementing this 
regulation are described in each licensee's approved Security Plan. 
.

IE Bulletin No. 79-16                                  July 26, 1979  
                                                       Page 2 of 4 

NRR, in their meetings with the licensees in March 1977 to explain SS 73.55 
and what would constitute an acceptable plan, explained that positive 
control of access to a vital area consisted of two elements: first, that the 
person requesting entry has the necessary background screening and need to 
perform job related functions to be authorized access to that Vital Area, 
and second, that he has a need at that specific time to enter to perform a 
specific function. This is comparable to gaining access to a classified 
document; you need both a clearance and a need to know. 

In approving security plans, NRR assumes that the determination of need 
would be based upon a valid need and not convenience. Furthermore, access 
should be authorized to a minimum number of people, and licensees should use 
reasonable alternatives to minimize the number of personnel and frequency of 
access. 

Acceptance Criterion 5.B of the Security Plan Evaluation Report (SPER) 
Workbook, dated January 1978, states that the licensee must commit to pro-
viding positive access control to Vital Areas by: 

1) Limiting access to authorized personnel. 

2) Requiring positive identification prior to entry. 

3) Requiring an established need for access. 

4) Maintaining records of entry, exit and reason for entry. 

5) A system for control within the Vital Area. 

NRR Review Guideline #21 suggests that blanket access authorizations should 
not be granted by stating that an acceptable method of indicating the Vital 
Areas to which access is authorized inclUdes a record of each vital area to 
which the holder is authorized access, and the card is encoded to permit 
access to only those Vital Areas to which the individual has been granted 
access. 

Review Guideline #23 states that for access to a Type I Vital Area, the 
person must be authorized entry by the shift supervisor or other designated 
individual who has been informed of the estimated length of time to be spent
in the Type I Vital Area.  

There needs to be some balance attained between operational necessity and 
the administrative burden of validating the need for access each time entry 
is to be afforded. Many licensees grant "permanent access authorization" to 
all persons requiring access to vital areas, regardless of the frequency or 
duration of the need. This is contrary to the regulations and guidelines 
from NRR cited above. 
.

IE Bulletin No. 79-16                                       July 26, 1979 
                                                            Page 3 of 4 

Action to be Taken by Licensee: 

1.   Establish criteria for granting unescorted access to each vital area, 
     which shall be based upon the following: 

     a.   A screening program meeting ANSI N18.17. 

     b.   The individual has a valid need for access to the equipment 
          contained in each vital area to which access is authorized. Valid 
          need is based upon assigned duties requiring the performance of 
          specific tasks upon or associated with specific equipment located 
          in each vital area to which access is granted. Valid need to enter
          one vital area shall, not necessarily indicate that the person has
          a need to enter any other vital area. 

2.   An access list will be established for each area not to exceed 31 days.
     An individual will be on the access list only for the duration of the 
     task to be performed. If an individual has a valid need for unescorted 
     access for a single entry or for intermittent occasions during this 
     period, a separate daily access list shall be prepared. All access 
     lists shall be approved by the station manager (or equivalent) or his 
     designated representative. 

3.   Individuals will be removed from the access list immediately upon 
     termination of need. If an individual has not entered the vital area 
     during the effective period of the access list (not to exceed 31 days) 
     the need for access should be reassured prior to extending the 
     authorization. To ensure that these actions are taken, the access list 
     shill be reviewed and reapproved at least every 31 days. 

4.   Void access authorizations for all personnel not satisfying the 
     criteria in lab and where appropriate, reprogram the key card system 
     and reissue key cards that are coded to implement the above vital area 
     access authorization program.  

5.   Develop reasonable alternatives so that the number and frequency of 
     access to vital areas can be minimized consistent with safe operations.

6.   Establish emergency procedures where, during an emergency, additional 
     authorized personnel, meeting criteria in la&b, can move freely 
     throughout the vital areas with their entry and exit being recorded. 
     Upon securing from the emergency, the entry/exit record will be 
     reviewed, and normal access control will be reestablished. 

7.   Prevent tailgating by one or more of the following: 
.

IE Bulletin No. 79-16                                  July 26, 1979 
                                                       Page 4 of 4 

     a.   Establish procedures that require authorized personnel to prevent 
          other personnel, including those authorized unescorted access, 
          from tailgating. Ensure all authorized personnel are trained in 
          the procedure, and establish a management program that ensures 
          that the procedure is properly performed.  

     b.   Acquire equipment, such as turnstiles, to prevent tailgating. 
          Ensure that such equipment will not deny access or egress under 
          emergency conditions. 

     c.   Station a guard, watchperson or escort at the vital area access 
          portal. This alternative would be most useful when there is a 
          large number and frequency of access, such as occurs with 
          containment during refueling. 

     d.   By any other means that achieve this objective. 

8.   Assign corporate responsibility for management oversight of VA access 
     control and require personal involvement to ensure that all 
     intermediate levels of management are properly discharging their 
     responsibilities in this regard. 

9.   Conduct routine functional tests of the electronic access control 
     system, including each key card reader, to verify (i) its operability 
     and proper performance, and ii) the accuracy of the data recorded. This
     test should be incorporated into the seven-day test required by 10 CFR 
     73.55(g). 

10.  Report in writing within 45 days (for facilities with an operating 
     license) the actions you have taken and plan to take (including a 
     schedule) with regard to Items 1 through 9. Reports should be submitted
     to the Director of the appropriate NRC Regional Office and a copy 
     should be forwarded to the NRC Office of Inspection and Enforcement, 
     Division of Safeguards Inspection, Washington, D.C. 20555. 

Approved by GAO, B180225 (R0072); clearance expires 7-31-80. Approval was 
given under a blanket clearance specifically for identified generic 
problems.