Bulletin 79-16: Vital Area Access Controls
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF INSPECTION AND ENFORCEMENT
WASHINGTON, D.C. 20555
July 26, 1979
IE Bulletin No. 79-16
VITAL AREA ACCESS CONTROLS
Description of Circumstances:
An attempt to damage new fuel assemblies occurred recently at an operating
nuclear reactor facility. During a routine fuel inspection, the licensee
discovered that a chemical liquid had been poured over 62 of 64 new fuel
assemblies. Analysis indicates that the chemical liquid was sodium
hydroxide, a chemical stored and used onsite.
The licensee stores new fuel assemblies in dry storage wells on the same
elevation as the spent fuel pool within the Fuel Building, a vital area.
Access to the building is controlled by use of a coded keycard which
electronically unlocks the alarmed personnel portals. The licensee issues
coded keycards to both licensee and contractor personnel after the
successful completion of a background screening program. In addition,
licensee site management certifies monthly that each individual has the need
for a coded keycard in order to perform required duties. Further access
within this building, is not limited by other barriers or controls.
As a result of this incident, an initial licensee audit determined that
several hundred licensee and contractor personnel had access to this area
during the period when the attempt to damage the fuel was made. The audit
also revealed that one coded keycard reader at a vital area portal was
inaccurately recording access data at the alarm station. Also discovered
during this audit were indications of frequent "tailgating" on access
through the portals. Tailgating occurs when more than one person passes
through a portal on one person's authorized access. Their passage is
therefore not recorded, and unauthorized persons could gain entry in this
manner. Tailgating does not include authorized access controlled by an
escort.
Discussion of Applicable Requirements:
10 CFR 73.55(a) requires the licensees to protect against industrial
sabotage committed by an insider in any position. 10 CFR 73.55(d)(7) states
that access to Vital Areas shall be positively controlled and limited to
individuals who are authorized access to vital equipment and who require
such access to perform their duties. Specific commitments implementing this
regulation are described in each licensee's approved Security Plan.
.
IE Bulletin No. 79-16 July 26, 1979
Page 2 of 4
NRR, in their meetings with the licensees in March 1977 to explain SS 73.55
and what would constitute an acceptable plan, explained that positive
control of access to a vital area consisted of two elements: first, that the
person requesting entry has the necessary background screening and need to
perform job related functions to be authorized access to that Vital Area,
and second, that he has a need at that specific time to enter to perform a
specific function. This is comparable to gaining access to a classified
document; you need both a clearance and a need to know.
In approving security plans, NRR assumes that the determination of need
would be based upon a valid need and not convenience. Furthermore, access
should be authorized to a minimum number of people, and licensees should use
reasonable alternatives to minimize the number of personnel and frequency of
access.
Acceptance Criterion 5.B of the Security Plan Evaluation Report (SPER)
Workbook, dated January 1978, states that the licensee must commit to pro-
viding positive access control to Vital Areas by:
1) Limiting access to authorized personnel.
2) Requiring positive identification prior to entry.
3) Requiring an established need for access.
4) Maintaining records of entry, exit and reason for entry.
5) A system for control within the Vital Area.
NRR Review Guideline #21 suggests that blanket access authorizations should
not be granted by stating that an acceptable method of indicating the Vital
Areas to which access is authorized inclUdes a record of each vital area to
which the holder is authorized access, and the card is encoded to permit
access to only those Vital Areas to which the individual has been granted
access.
Review Guideline #23 states that for access to a Type I Vital Area, the
person must be authorized entry by the shift supervisor or other designated
individual who has been informed of the estimated length of time to be spent
in the Type I Vital Area.
There needs to be some balance attained between operational necessity and
the administrative burden of validating the need for access each time entry
is to be afforded. Many licensees grant "permanent access authorization" to
all persons requiring access to vital areas, regardless of the frequency or
duration of the need. This is contrary to the regulations and guidelines
from NRR cited above.
.
IE Bulletin No. 79-16 July 26, 1979
Page 3 of 4
Action to be Taken by Licensee:
1. Establish criteria for granting unescorted access to each vital area,
which shall be based upon the following:
a. A screening program meeting ANSI N18.17.
b. The individual has a valid need for access to the equipment
contained in each vital area to which access is authorized. Valid
need is based upon assigned duties requiring the performance of
specific tasks upon or associated with specific equipment located
in each vital area to which access is granted. Valid need to enter
one vital area shall, not necessarily indicate that the person has
a need to enter any other vital area.
2. An access list will be established for each area not to exceed 31 days.
An individual will be on the access list only for the duration of the
task to be performed. If an individual has a valid need for unescorted
access for a single entry or for intermittent occasions during this
period, a separate daily access list shall be prepared. All access
lists shall be approved by the station manager (or equivalent) or his
designated representative.
3. Individuals will be removed from the access list immediately upon
termination of need. If an individual has not entered the vital area
during the effective period of the access list (not to exceed 31 days)
the need for access should be reassured prior to extending the
authorization. To ensure that these actions are taken, the access list
shill be reviewed and reapproved at least every 31 days.
4. Void access authorizations for all personnel not satisfying the
criteria in lab and where appropriate, reprogram the key card system
and reissue key cards that are coded to implement the above vital area
access authorization program.
5. Develop reasonable alternatives so that the number and frequency of
access to vital areas can be minimized consistent with safe operations.
6. Establish emergency procedures where, during an emergency, additional
authorized personnel, meeting criteria in la&b, can move freely
throughout the vital areas with their entry and exit being recorded.
Upon securing from the emergency, the entry/exit record will be
reviewed, and normal access control will be reestablished.
7. Prevent tailgating by one or more of the following:
.
IE Bulletin No. 79-16 July 26, 1979
Page 4 of 4
a. Establish procedures that require authorized personnel to prevent
other personnel, including those authorized unescorted access,
from tailgating. Ensure all authorized personnel are trained in
the procedure, and establish a management program that ensures
that the procedure is properly performed.
b. Acquire equipment, such as turnstiles, to prevent tailgating.
Ensure that such equipment will not deny access or egress under
emergency conditions.
c. Station a guard, watchperson or escort at the vital area access
portal. This alternative would be most useful when there is a
large number and frequency of access, such as occurs with
containment during refueling.
d. By any other means that achieve this objective.
8. Assign corporate responsibility for management oversight of VA access
control and require personal involvement to ensure that all
intermediate levels of management are properly discharging their
responsibilities in this regard.
9. Conduct routine functional tests of the electronic access control
system, including each key card reader, to verify (i) its operability
and proper performance, and ii) the accuracy of the data recorded. This
test should be incorporated into the seven-day test required by 10 CFR
73.55(g).
10. Report in writing within 45 days (for facilities with an operating
license) the actions you have taken and plan to take (including a
schedule) with regard to Items 1 through 9. Reports should be submitted
to the Director of the appropriate NRC Regional Office and a copy
should be forwarded to the NRC Office of Inspection and Enforcement,
Division of Safeguards Inspection, Washington, D.C. 20555.
Approved by GAO, B180225 (R0072); clearance expires 7-31-80. Approval was
given under a blanket clearance specifically for identified generic
problems.
Page Last Reviewed/Updated Tuesday, March 09, 2021