Publication Date: 6/1/74
Pages: 7 Date Entered: 2/22/84 Title: ANALYSIS AND USE OF PROCESS DATA FOR THE PROTECTION OF SPECIAL NUCLEAR MATERIAL June 1974 U.S. ATOMIC ENERGY COMMISSION REGULATORY GUIDE DIRECTORATE OF REGULATORY STANDARDS REGULATORY GUIDE 5.24 ANALYSIS AND USE OF PROCESS DATA FOR THE PROTECTION OF SPECIAL NUCLEAR MATERIAL A. INTRODUCTION Section 70.51, "Material Balance, Inventory, and Records Requirements," of 10 CFR Part 70, "Special Nuclear Material," specifies certain requirements for persons licensed to possess or use special nuclear material (SNM). Paragraph (e)(1) of section70.51 requires that certain licensees(1) maintain procedures for the control of special nuclear material at their facilities which shall include unique identification of items or containers containing special nuclear material in process; inventory records showing the identity, location, and quantity of special nuclear material for all such items; and records of the source and disposition of all such items. Proposed section70.58, "Fundamental Nuclear Material Controls,"(2) would require that the licensee establish, maintain, and follow a system of storage and internal handling control to provide continuous knowledge of the identity, quantity, and location of all special nuclear material contained within the facility in discrete items and containers. Paragraph (b) of section70.22, "Contents of Applications," further requires certain applicants to include in their application a full description of their program for the control of and accounting for special nuclear material which will be in their possession under license, including procedures by which process losses are determined. Finally, section70.52, "Reports of Accidental Criticality or Loss of Special Nuclear Material," requires that each licensee promptly report to the Commission any loss, other than normal operating loss, of special nuclear material. ---------- (1) Licensees authorized to possess at any one time special nuclear material in a quantity exceeding one effective kilogram and to use such special nuclear material for activities other than those involved in the operation of a nuclear reactor licensed pursuant to 10 CFR Part 50 or those involved in a waste disposal operation; as sealed sources; or as reactor irradiated fuels involved in research, development, and evaluation programs in facilities other than irradiated fuel reprocessing plants. (2) Published for comment in the Federal Register on September 25, 1973 (38 FR 26735). ---------- This guide describes and identifies characteristics of a facility information system acceptable to the Regulatory staff for analyzing and using process yield and other information from run sheets, operating logs, and job orders to enhance material control by early detection of special nuclear material thefts. B. DISCUSSION Since the statutory authorization of private ownership of special nuclear material, the AEC has required that persons licensed and authorized to possess and use such material establish records and reporting procedures to assure proper control of special nuclear material and submit periodic reports to the AEC concerning the disposition of special nuclear material. Material transaction reports, internal control records, and physical inventory reports and records are the subjects of other regulatory guides issued(3) or under development. Although frequent inventory verification (inventory testing) procedures may be voluntarily implemented by plant management, process data anomalies (e.g., abnormal unit process yield or a missing container) detected by the process operator may be the first indication that special nuclear material has been stolen. To effectively utilize process data for the detection of possible theft of special nuclear material, a number of preliminary tasks must be undertaken: * Significant data anomalies must be identified, * The magnitude of normal fluctuations must be determined, * The investigation of detected anomalies must consider possible innocent causes of the anomaly, * The information flow must assure that unresolved anomalies are promptly investigated, * Sufficient information must be compiled and maintained for retrieval to assure an effective reconstruction of circumstances associated with a detected theft. ---------- (3) Regulatory Guide 5.13. "Conduct of Physical Inventories." ---------- 1. Theft Mode Analysis-A Procedure for Identifying Useful Data Elements Theft mode analysis is a procedure whereby the modus operandi of a thief can be categorized by a small number of general features, each of which can be considered separately to identify and rank, with respect to likelihood, the different options within each category. Theft mode analysis is used herein for the specific purpose of identifying process data elements of potential significance as an indicator of SNM theft. For the purposes of this guide, which does not address security measures, theft mode analysis is limited to detecting theft by an insider-one authorized access to the material. Obviously, an individual not authorized access who has successfully escaped physical detection may be foiled as well owing to the potentially quick discovery of the theft. Table 1 outlines the main characteristics of a theft attempt by which an ordering by probability of various theft modes can be effected. Table 2 identifies examples of subcategories of those classifications that might be appropriate to a particular facility, and Table 3 depicts the process of assigning estimated weighting (relative likelihood that a particular option (subcategory) would be utilized by a thief) to each of the subcategories based on knowledge of the particular plant and process. As a description of a possible theft, the weighting factor is a measure of the probability that the means of accomplishing that theft will have incorporated that particular subcategory. The factors are therefore multiplied in turn for each permutation of subcategories (Table 4) and rearranged in order of decreasing relative likelihood (Table 5). (Note: This is still an estimate no more valid than the individual weighting factors assigned to each subcategory. The approach, however, enables the analyst to concern himself with one theft mode characteristic at a time.) Such an analysis provides a means of ranking various theft modes and allows the subsequent identification of those elements of process data which would depart from a norm if a theft by the more likely modes were to have occurred. Such an analysis can be applied to an entire process material balance area, internal material control areas, individual process lines, or unit processes. For a relatively large area, the large variety of types of in-process material of different attractiveness and opportunities for theft may complicate the identification of process data elements affected by a theft. The trade-off between an extensive list of material attractiveness subcategories and repeat analysis of smaller material control areas depends on the type and location of in-process material at a particular facility. If the identification of subcategories has been done carefully, one can reasonably assume that essentially all of the theft modes of potential use to an insider are identified by the combinations of characteristics in Table 5. Further, the ratio of a running total of the relative likelihood identified in the last column to the total of all entries in that column is a measure of the likelihood that, should a theft occur, it will be characterized by one of the modes making up the running total. Table 5 indicates that, for the hypothetical example used, approximately 95% of the plausible theft events by a lone individual that are at least as likely as a theft event by two in collusion could be expected to be of a type depicted by the first 29 entries of Table 5. The information in Columns I, II, and V indicate that the production data affected by these 95% would be those data affected by a simple removal of product, feed, or in-process materials with no attempt having been made to conceal that fact other than perhaps substituting inert material or altering tag or log entries to foil a weight check. The magnitude of the effect will depend on the target sensitivity for the system and the highest number in Column III. For example, an assumed mass sensitivity of 500 grams of special nuclear material would indicate that the magnitude of the expected anomaly would correspond to a single removal of material containing approximately 50 grams (500 grams divided by 10) of special nuclear material. The information in Columns IV and VI of Table 5 is most useful for guiding the development of suitable investigative actions which would be implemented after the anomaly is discovered. 2. Data Base for Estimating the Magnitude of Normal Fluctuations Having determined the magnitude of an anomaly which must be detected if the target sensitivity is to be realized for 95% of the plausible thefts, normal fluctuations in that process parameter must be estimated. This can be based on the estimated performance of planned measurement techniques, the estimated production consistency from unit processes, the sensitivity of quality control analyses, and experience with a particular process or piece of equipment or with similar equipment at other plants of the same or another company. If the estimated normal fluctuations would mask the anomaly, use of such signals for that plant would provide an indication of possible theft for 95% of the plausible modes only for a higher mass sensitivity (perhaps 1200 grams of SNM) and a change in production procedures (e.g., reduced process fluctuations, smaller material containers, more quality assurance checks, etc.) would be required to render smaller anomalies discernible. 3. Verification In addition to a mass sensitivity, the analysis of theft modes should consider the time lag from first detection of the anomaly until recovery plans are initiated and the AEC is notified of a potential theft of material. Investigative actions taken to verify the validity of a detected anomaly as a signal of a bona fide theft should be gauged to the variety of innocent causes for such an anomaly. A response based on an established hierarchy of decision makers (levels of responsibility for taking investigative actions) can provide such timely verification. Further, a time limit imposed on each decision level for identification of the innocent cause also assures that anomalies will be promptly resolved or passed on to a higher level of management authorized to implement a more extensive investigation. 4. Record Rentention to Aid Recovery In addition to providing a basis for evaluating the sensitivity of process data anomalies as an aid to material control, records allow reconstruction of the circumstances surrounding a detected theft and identification of salient characteristics of the stolen material. Such information can aid recovery measures and provide a basis for revising procedures. 5. Examples of Investigative Procedures Utilizing a Decision Hierarchy Response to an anomaly can take the form of an abnormal situation action sheet which would be prepared for each process operator and management official in the plant. The following scenarios indicate how such a system might actually work in practice. a. Abnormal yield A process operator notes on the basis of experience or posted normal values that the yield from a particular batch process is significantly less than normal. He notifies his area foreman, (who may, for example, have had the process charged with a short batch to complete a particular job run) and immediately checks for material held up in the process or for an error in the product measurements. After ten minutes the foreman notifies his superior, for example, the MBA custodian, and initiates a check of the unit process run sheets, emptied process material containers, and material transfer documents to his area to assure that the proper amount of material had been charged and also checks scrap and waste streams from the process. After an hour the MBA custodian notifies the process engineer and begins an earnest search, calling for special product quality and measurement control checks and verifying when last the contents of the process containers had been measured (such as transfer into the MBA, origination of the item, previous physical inventory, etc.). After another four hours the process engineer notifies the plant shift supervisor and calls for an immediate physical inventory of all materials having passed that process step after the anomaly was detected, a check and verification of the contents of all containers in the MBA, and a listing of all persons who may have had access to the material. If the material is not found within 6 hours of his being notified, the shift supervisor calls for a shutdown inventory and notifies the plant manager and the AEC. b. Missing container A process operator is instructed by his job sheet to put the SNM of container A06 into process. However, upon going to get item A06, he discovers that it is not in the store of material awaiting processing. He then notifies his area foreman (who may, for example, have had another operator take the item for a QC sample) and immediately checks around the area to see if A06 was misplaced on the pallet, has a smeared tag, etc. After ten minutes the foreman notifies his superior, for example, the MBA custodian, and initiates a check of the unit process run sheets, empty containers, and process transfer documents to his area and also checks the area from which the container was supposed to have come. After an hour the MBA custodian notifies the process engineer and begins an earnest search, checking to see when last the presence of Item A06 had been verified (such as transfer into the MBA, origination of the item, previous physical inventory, etc.). After another four hours the process engineer notifies the plant shift supervisor and calls for 100% inventory of containers in the concerned MBA, a check and verification of run sheets of similar processes in the MBA, and an item check of other MBAs. If the material is not found within 6 hours of his being notified, the shift supervisor calls for a shutdown inventory and notifies the plant manager and the AEC. C. REGULATORY POSITION The following characteristics form a basis acceptable to the Regulatory staff for the analysis and use of production data anomalies as a means of early detection of thefts of special nuclear material: 1. Classification of Theft Modes. In classifying theft modes, the following characteristics should be considered: a. Material attractiveness b. Record modification c. Distribution of amounts stolen d. Removal mode e. Number of individuals involved f. Type of individual 2. Performance Characteristics. Performance characteristics should be consistent with the following assumptions: a. All abnormal situations reported to the material balance area custodian should be recorded as exception reports. b. The prescribed response to an anomaly for each level of management should be consistent with the magnitude of the anomaly and the number of innocent events which could have caused it. c. The mass sensitivity should be consistent with the ability to detect 95% of the plausible theft modes as may be perpetrated by an individual granted access to the area. d. The time lag (from detection of the anomaly--first indication of a potential theft--until notification to the AEC) should not exceed 24 hours. e. To provide adequate records to support an effective reconstruction of circumstances associated with a theft, records should be maintained as follows: (1) All production information identified for use in determining innocent causes for process data anomalies should be maintained at least until the close of the second inventory period following the one for which those data apply and should be retrievable within four hours of a request for such information. (2) Exception reports, data actually used to identify the innocent cause of detected anomalies, summary (inventory period) reports of production activities, records of inter-MBA material transfers, and personnel access logs should be maintained for five years following their preparation and should be available to the AEC within seven days of a request for such information. 3. Assurance Statement The degree of protection afforded by analysis and use of process data anomalies should be expressed in terms of an assurance statement as follows: "Analysis of anomalies in process data will, within 24 hours of occurrence of that anomaly, detect an estimated 95% of plausible thefts of grams or more of by a lone individual who normally has access to the material." (Due to database constraints, Tables 1-5 are not included. Please contact LIS to obtain a copy.)16 |