Publication Date: 6/1/74
    Pages: 7
    Date Entered: 2/22/84
    Title: ANALYSIS AND USE OF PROCESS DATA FOR THE PROTECTION OF SPECIAL NUCLEAR MATERIAL
    June 1974
    U.S. ATOMIC ENERGY COMMISSION
    REGULATORY GUIDE
    DIRECTORATE OF REGULATORY STANDARDS
    REGULATORY GUIDE 5.24
    ANALYSIS AND USE OF PROCESS DATA FOR THE PROTECTION
    OF SPECIAL NUCLEAR MATERIAL
A. INTRODUCTION
    Section 70.51, "Material Balance, Inventory, and Records
    Requirements," of 10 CFR Part 70, "Special Nuclear Material," specifies
    certain requirements for persons licensed to possess or use special
    nuclear material (SNM). Paragraph (e)(1) of section70.51 requires that
    certain licensees(1) maintain procedures for the control of special
    nuclear material at their facilities which shall include unique
    identification of items or containers containing special nuclear
    material in process; inventory records showing the identity, location,
    and quantity of special nuclear material for all such items; and records
    of the source and disposition of all such items. Proposed section70.58,
    "Fundamental Nuclear Material Controls,"(2) would require that the
    licensee establish, maintain, and follow a system of storage and
    internal handling control to provide continuous knowledge of the
    identity, quantity, and location of all special nuclear material
    contained within the facility in discrete items and containers.
    Paragraph (b) of section70.22, "Contents of Applications," further
    requires certain applicants to include in their application a full
    description of their program for the control of and accounting for
    special nuclear material which will be in their possession under
    license, including procedures by which process losses are determined.
    Finally, section70.52, "Reports of Accidental Criticality or Loss of
    Special Nuclear Material," requires that each licensee promptly report
    to the Commission any loss, other than normal operating loss, of special
    nuclear material.
    ----------
    (1) Licensees authorized to possess at any one time special
    nuclear material in a quantity exceeding one effective kilogram and to
    use such special nuclear material for activities other than those
    involved in the operation of a nuclear reactor licensed pursuant to 10
    CFR Part 50 or those involved in a waste disposal operation; as sealed
    sources; or as reactor irradiated fuels involved in research,
    development, and evaluation programs in facilities other than irradiated
    fuel reprocessing plants.
    (2) Published for comment in the Federal Register on September 25,
    1973 (38 FR 26735).
    ----------
    This guide describes and identifies characteristics of a facility
    information system acceptable to the Regulatory staff for analyzing and
    using process yield and other information from run sheets, operating
    logs, and job orders to enhance material control by early detection of
    special nuclear material thefts.
B. DISCUSSION
    Since the statutory authorization of private ownership of special
    nuclear material, the AEC has required that persons licensed and
    authorized to possess and use such material establish records and
    reporting procedures to assure proper control of special nuclear
    material and submit periodic reports to the AEC concerning the
    disposition of special nuclear material. Material transaction reports,
    internal control records, and physical inventory reports and records are
    the subjects of other regulatory guides issued(3) or under development.
    Although frequent inventory verification (inventory testing)
    procedures may be voluntarily implemented by plant management, process
    data anomalies (e.g., abnormal unit process yield or a missing
    container) detected by the process operator may be the first indication
    that special nuclear material has been stolen. To effectively utilize
    process data for the detection of possible theft of special nuclear
    material, a number of preliminary tasks must be undertaken:
    * Significant data anomalies must be identified,
    * The magnitude of normal fluctuations must be determined,
    * The investigation of detected anomalies must consider
    possible innocent causes of the anomaly,
    * The information flow must assure that unresolved anomalies
    are promptly investigated,
    * Sufficient information must be compiled and maintained for
    retrieval to assure an effective reconstruction of
    circumstances associated with a detected theft.
    ----------
    (3) Regulatory Guide 5.13. "Conduct of Physical Inventories."
    ----------
1. Theft Mode Analysis-A Procedure for Identifying Useful Data
    Elements
    Theft mode analysis is a procedure whereby the modus operandi of a
    thief can be categorized by a small number of general features, each of
    which can be considered separately to identify and rank, with respect to
    likelihood, the different options within each category. Theft mode
    analysis is used herein for the specific purpose of identifying process
    data elements of potential significance as an indicator of SNM theft.
    For the purposes of this guide, which does not address security
    measures, theft mode analysis is limited to detecting theft by an
    insider-one authorized access to the material. Obviously, an individual
    not authorized access who has successfully escaped physical detection
    may be foiled as well owing to the potentially quick discovery of the
    theft.
    Table 1 outlines the main characteristics of a theft attempt by
    which an ordering by probability of various theft modes can be effected.
    Table 2 identifies examples of subcategories of those classifications
    that might be appropriate to a particular facility, and Table 3 depicts
    the process of assigning estimated weighting (relative likelihood that a
    particular option (subcategory) would be utilized by a thief) to each of
    the subcategories based on knowledge of the particular plant and
    process. As a description of a possible theft, the weighting factor is
    a measure of the probability that the means of accomplishing that theft
    will have incorporated that particular subcategory. The factors are
    therefore multiplied in turn for each permutation of subcategories
    (Table 4) and rearranged in order of decreasing relative likelihood
    (Table 5). (Note: This is still an estimate no more valid than the
    individual weighting factors assigned to each subcategory. The
    approach, however, enables the analyst to concern himself with one theft
    mode characteristic at a time.) Such an analysis provides a means of
    ranking various theft modes and allows the subsequent identification of
    those elements of process data which would depart from a norm if a theft
    by the more likely modes were to have occurred.
    Such an analysis can be applied to an entire process material
    balance area, internal material control areas, individual process lines,
    or unit processes. For a relatively large area, the large variety of
    types of in-process material of different attractiveness and
    opportunities for theft may complicate the identification of process
    data elements affected by a theft. The trade-off between an extensive
    list of material attractiveness subcategories and repeat analysis of
    smaller material control areas depends on the type and location of
    in-process material at a particular facility.
    If the identification of subcategories has been done carefully,
    one can reasonably assume that essentially all of the theft modes of
    potential use to an insider are identified by the combinations of
    characteristics in Table 5. Further, the ratio of a running total of
    the relative likelihood identified in the last column to the total of
    all entries in that column is a measure of the likelihood that, should a
    theft occur, it will be characterized by one of the modes making up the
    running total.
    Table 5 indicates that, for the hypothetical example used,
    approximately 95% of the plausible theft events by a lone individual
    that are at least as likely as a theft event by two in collusion could
    be expected to be of a type depicted by the first 29 entries of Table 5.
    The information in Columns I, II, and V indicate that the production
    data affected by these 95% would be those data affected by a simple
    removal of product, feed, or in-process materials with no attempt having
    been made to conceal that fact other than perhaps substituting inert
    material or altering tag or log entries to foil a weight check. The
    magnitude of the effect will depend on the target sensitivity for the
    system and the highest number in Column III. For example, an assumed
    mass sensitivity of 500 grams of special nuclear material would indicate
    that the magnitude of the expected anomaly would correspond to a single
    removal of material containing approximately 50 grams (500 grams divided
    by 10) of special nuclear material. The information in Columns IV and
    VI of Table 5 is most useful for guiding the development of suitable
    investigative actions which would be implemented after the anomaly is
    discovered.
2. Data Base for Estimating the Magnitude of Normal Fluctuations
    Having determined the magnitude of an anomaly which must be
    detected if the target sensitivity is to be realized for 95% of the
    plausible thefts, normal fluctuations in that process parameter must be
    estimated. This can be based on the estimated performance of planned
    measurement techniques, the estimated production consistency from unit
    processes, the sensitivity of quality control analyses, and experience
    with a particular process or piece of equipment or with similar
    equipment at other plants of the same or another company. If the
    estimated normal fluctuations would mask the anomaly, use of such
    signals for that plant would provide an indication of possible theft for
    95% of the plausible modes only for a higher mass sensitivity (perhaps
    1200 grams of SNM) and a change in production procedures (e.g., reduced
    process fluctuations, smaller material containers, more quality
    assurance checks, etc.) would be required to render smaller anomalies
    discernible.
3. Verification
    In addition to a mass sensitivity, the analysis of theft modes
    should consider the time lag from first detection of the anomaly until
    recovery plans are initiated and the AEC is notified of a potential
    theft of material.
    Investigative actions taken to verify the validity of a detected
    anomaly as a signal of a bona fide theft should be gauged to the variety
    of innocent causes for such an anomaly. A response based on an
    established hierarchy of decision makers (levels of responsibility for
    taking investigative actions) can provide such timely verification.
    Further, a time limit imposed on each decision level for identification
    of the innocent cause also assures that anomalies will be promptly
    resolved or passed on to a higher level of management authorized to
    implement a more extensive investigation.
4. Record Rentention to Aid Recovery
    In addition to providing a basis for evaluating the sensitivity of
    process data anomalies as an aid to material control, records allow
    reconstruction of the circumstances surrounding a detected theft and
    identification of salient characteristics of the stolen material. Such
    information can aid recovery measures and provide a basis for revising
    procedures.
5. Examples of Investigative Procedures Utilizing a Decision
    Hierarchy
    Response to an anomaly can take the form of an abnormal situation
    action sheet which would be prepared for each process operator and
    management official in the plant. The following scenarios indicate how
    such a system might actually work in practice.
    a. Abnormal yield
    A process operator notes on the basis of experience or
    posted normal values that the yield from a particular batch process is
    significantly less than normal. He notifies his area foreman, (who may,
    for example, have had the process charged with a short batch to complete
    a particular job run) and immediately checks for material held up in the
    process or for an error in the product measurements. After ten minutes
    the foreman notifies his superior, for example, the MBA custodian, and
    initiates a check of the unit process run sheets, emptied process
    material containers, and material transfer documents to his area to
    assure that the proper amount of material had been charged and also
    checks scrap and waste streams from the process. After an hour the MBA
    custodian notifies the process engineer and begins an earnest search,
    calling for special product quality and measurement control checks and
    verifying when last the contents of the process containers had been
    measured (such as transfer into the MBA, origination of the item,
    previous physical inventory, etc.). After another four hours the
    process engineer notifies the plant shift supervisor and calls for an
    immediate physical inventory of all materials having passed that process
    step after the anomaly was detected, a check and verification of the
    contents of all containers in the MBA, and a listing of all persons who
    may have had access to the material. If the material is not found
    within 6 hours of his being notified, the shift supervisor calls for a
    shutdown inventory and notifies the plant manager and the AEC.
    b. Missing container
    A process operator is instructed by his job sheet to put the
    SNM of container A06 into process. However, upon going to get item A06,
    he discovers that it is not in the store of material awaiting
    processing. He then notifies his area foreman (who may, for example,
    have had another operator take the item for a QC sample) and immediately
    checks around the area to see if A06 was misplaced on the pallet, has a
    smeared tag, etc. After ten minutes the foreman notifies his superior,
    for example, the MBA custodian, and initiates a check of the unit
    process run sheets, empty containers, and process transfer documents to
    his area and also checks the area from which the container was supposed
    to have come. After an hour the MBA custodian notifies the process
    engineer and begins an earnest search, checking to see when last the
    presence of Item A06 had been verified (such as transfer into the MBA,
    origination of the item, previous physical inventory, etc.). After
    another four hours the process engineer notifies the plant shift
    supervisor and calls for 100% inventory of containers in the concerned
    MBA, a check and verification of run sheets of similar processes in the
    MBA, and an item check of other MBAs. If the material is not found
    within 6 hours of his being notified, the shift supervisor calls for a
    shutdown inventory and notifies the plant manager and the AEC.
C. REGULATORY POSITION
    The following characteristics form a basis acceptable to the
    Regulatory staff for the analysis and use of production data anomalies
    as a means of early detection of thefts of special nuclear material:
1. Classification of Theft Modes.
    In classifying theft modes, the following characteristics should
    be considered:
    a. Material attractiveness
    b. Record modification
    c. Distribution of amounts stolen
    d. Removal mode
    e. Number of individuals involved
    f. Type of individual
2. Performance Characteristics.
    Performance characteristics should be consistent with the
    following assumptions:
    a. All abnormal situations reported to the material balance
    area custodian should be recorded as exception reports.
    b. The prescribed response to an anomaly for each level of
    management should be consistent with the magnitude of the anomaly and
    the number of innocent events which could have caused it.
    c. The mass sensitivity should be consistent with the ability
    to detect 95% of the plausible theft modes as may be perpetrated by an
    individual granted access to the area.
    d. The time lag (from detection of the anomaly--first
    indication of a potential theft--until notification to the AEC) should
    not exceed 24 hours.
    e. To provide adequate records to support an effective
    reconstruction of circumstances associated with a theft, records should
    be maintained as follows:
    (1) All production information identified for use in
    determining innocent causes for process data anomalies should be
    maintained at least until the close of the second inventory period
    following the one for which those data apply and should be retrievable
    within four hours of a request for such information.
    (2) Exception reports, data actually used to identify the
    innocent cause of detected anomalies, summary (inventory period) reports
    of production activities, records of inter-MBA material transfers, and
    personnel access logs should be maintained for five years following
    their preparation and should be available to the AEC within seven days
    of a request for such information.
3. Assurance Statement
    The degree of protection afforded by analysis and use of process
    data anomalies should be expressed in terms of an assurance statement as
    follows: "Analysis of anomalies in process data will, within 24 hours
    of occurrence of that anomaly, detect an estimated 95% of plausible
    thefts of grams or more of by a lone individual who normally has
    access to the material."
    (Due to database constraints, Tables 1-5 are not included. Please
    contact LIS to obtain a copy.)16