Publication Date: 6/1/74     Pages: 7     Date Entered: 2/22/84     Title: ANALYSIS AND USE OF PROCESS DATA FOR THE PROTECTION OF SPECIAL NUCLEAR MATERIAL     June 1974     U.S. ATOMIC ENERGY COMMISSION     REGULATORY GUIDE     DIRECTORATE OF REGULATORY STANDARDS     REGULATORY GUIDE 5.24     ANALYSIS AND USE OF PROCESS DATA FOR THE PROTECTION     OF SPECIAL NUCLEAR MATERIAL A. INTRODUCTION     Section 70.51, "Material Balance, Inventory, and Records     Requirements," of 10 CFR Part 70, "Special Nuclear Material," specifies     certain requirements for persons licensed to possess or use special     nuclear material (SNM). Paragraph (e)(1) of section70.51 requires that     certain licensees(1) maintain procedures for the control of special     nuclear material at their facilities which shall include unique     identification of items or containers containing special nuclear     material in process; inventory records showing the identity, location,     and quantity of special nuclear material for all such items; and records     of the source and disposition of all such items. Proposed section70.58,     "Fundamental Nuclear Material Controls,"(2) would require that the     licensee establish, maintain, and follow a system of storage and     internal handling control to provide continuous knowledge of the     identity, quantity, and location of all special nuclear material     contained within the facility in discrete items and containers.     Paragraph (b) of section70.22, "Contents of Applications," further     requires certain applicants to include in their application a full     description of their program for the control of and accounting for     special nuclear material which will be in their possession under     license, including procedures by which process losses are determined.     Finally, section70.52, "Reports of Accidental Criticality or Loss of     Special Nuclear Material," requires that each licensee promptly report     to the Commission any loss, other than normal operating loss, of special     nuclear material.     ----------     (1) Licensees authorized to possess at any one time special     nuclear material in a quantity exceeding one effective kilogram and to     use such special nuclear material for activities other than those     involved in the operation of a nuclear reactor licensed pursuant to 10     CFR Part 50 or those involved in a waste disposal operation; as sealed     sources; or as reactor irradiated fuels involved in research,     development, and evaluation programs in facilities other than irradiated     fuel reprocessing plants.     (2) Published for comment in the Federal Register on September 25,     1973 (38 FR 26735).     ----------     This guide describes and identifies characteristics of a facility     information system acceptable to the Regulatory staff for analyzing and     using process yield and other information from run sheets, operating     logs, and job orders to enhance material control by early detection of     special nuclear material thefts. B. DISCUSSION     Since the statutory authorization of private ownership of special     nuclear material, the AEC has required that persons licensed and     authorized to possess and use such material establish records and     reporting procedures to assure proper control of special nuclear     material and submit periodic reports to the AEC concerning the     disposition of special nuclear material. Material transaction reports,     internal control records, and physical inventory reports and records are     the subjects of other regulatory guides issued(3) or under development.     Although frequent inventory verification (inventory testing)     procedures may be voluntarily implemented by plant management, process     data anomalies (e.g., abnormal unit process yield or a missing     container) detected by the process operator may be the first indication     that special nuclear material has been stolen. To effectively utilize     process data for the detection of possible theft of special nuclear     material, a number of preliminary tasks must be undertaken:     * Significant data anomalies must be identified,     * The magnitude of normal fluctuations must be determined,     * The investigation of detected anomalies must consider     possible innocent causes of the anomaly,     * The information flow must assure that unresolved anomalies     are promptly investigated,     * Sufficient information must be compiled and maintained for     retrieval to assure an effective reconstruction of     circumstances associated with a detected theft.     ----------     (3) Regulatory Guide 5.13. "Conduct of Physical Inventories."     ---------- 1. Theft Mode Analysis-A Procedure for Identifying Useful Data     Elements     Theft mode analysis is a procedure whereby the modus operandi of a     thief can be categorized by a small number of general features, each of     which can be considered separately to identify and rank, with respect to     likelihood, the different options within each category. Theft mode     analysis is used herein for the specific purpose of identifying process     data elements of potential significance as an indicator of SNM theft.     For the purposes of this guide, which does not address security     measures, theft mode analysis is limited to detecting theft by an     insider-one authorized access to the material. Obviously, an individual     not authorized access who has successfully escaped physical detection     may be foiled as well owing to the potentially quick discovery of the     theft.     Table 1 outlines the main characteristics of a theft attempt by     which an ordering by probability of various theft modes can be effected.     Table 2 identifies examples of subcategories of those classifications     that might be appropriate to a particular facility, and Table 3 depicts     the process of assigning estimated weighting (relative likelihood that a     particular option (subcategory) would be utilized by a thief) to each of     the subcategories based on knowledge of the particular plant and     process. As a description of a possible theft, the weighting factor is     a measure of the probability that the means of accomplishing that theft     will have incorporated that particular subcategory. The factors are     therefore multiplied in turn for each permutation of subcategories     (Table 4) and rearranged in order of decreasing relative likelihood     (Table 5). (Note: This is still an estimate no more valid than the     individual weighting factors assigned to each subcategory. The     approach, however, enables the analyst to concern himself with one theft     mode characteristic at a time.) Such an analysis provides a means of     ranking various theft modes and allows the subsequent identification of     those elements of process data which would depart from a norm if a theft     by the more likely modes were to have occurred.     Such an analysis can be applied to an entire process material     balance area, internal material control areas, individual process lines,     or unit processes. For a relatively large area, the large variety of     types of in-process material of different attractiveness and     opportunities for theft may complicate the identification of process     data elements affected by a theft. The trade-off between an extensive     list of material attractiveness subcategories and repeat analysis of     smaller material control areas depends on the type and location of     in-process material at a particular facility.     If the identification of subcategories has been done carefully,     one can reasonably assume that essentially all of the theft modes of     potential use to an insider are identified by the combinations of     characteristics in Table 5. Further, the ratio of a running total of     the relative likelihood identified in the last column to the total of     all entries in that column is a measure of the likelihood that, should a     theft occur, it will be characterized by one of the modes making up the     running total.     Table 5 indicates that, for the hypothetical example used,     approximately 95% of the plausible theft events by a lone individual     that are at least as likely as a theft event by two in collusion could     be expected to be of a type depicted by the first 29 entries of Table 5.     The information in Columns I, II, and V indicate that the production     data affected by these 95% would be those data affected by a simple     removal of product, feed, or in-process materials with no attempt having     been made to conceal that fact other than perhaps substituting inert     material or altering tag or log entries to foil a weight check. The     magnitude of the effect will depend on the target sensitivity for the     system and the highest number in Column III. For example, an assumed     mass sensitivity of 500 grams of special nuclear material would indicate     that the magnitude of the expected anomaly would correspond to a single     removal of material containing approximately 50 grams (500 grams divided     by 10) of special nuclear material. The information in Columns IV and     VI of Table 5 is most useful for guiding the development of suitable     investigative actions which would be implemented after the anomaly is     discovered. 2. Data Base for Estimating the Magnitude of Normal Fluctuations     Having determined the magnitude of an anomaly which must be     detected if the target sensitivity is to be realized for 95% of the     plausible thefts, normal fluctuations in that process parameter must be     estimated. This can be based on the estimated performance of planned     measurement techniques, the estimated production consistency from unit     processes, the sensitivity of quality control analyses, and experience     with a particular process or piece of equipment or with similar     equipment at other plants of the same or another company. If the     estimated normal fluctuations would mask the anomaly, use of such     signals for that plant would provide an indication of possible theft for     95% of the plausible modes only for a higher mass sensitivity (perhaps     1200 grams of SNM) and a change in production procedures (e.g., reduced     process fluctuations, smaller material containers, more quality     assurance checks, etc.) would be required to render smaller anomalies     discernible. 3. Verification     In addition to a mass sensitivity, the analysis of theft modes     should consider the time lag from first detection of the anomaly until     recovery plans are initiated and the AEC is notified of a potential     theft of material.     Investigative actions taken to verify the validity of a detected     anomaly as a signal of a bona fide theft should be gauged to the variety     of innocent causes for such an anomaly. A response based on an     established hierarchy of decision makers (levels of responsibility for     taking investigative actions) can provide such timely verification.     Further, a time limit imposed on each decision level for identification     of the innocent cause also assures that anomalies will be promptly     resolved or passed on to a higher level of management authorized to     implement a more extensive investigation. 4. Record Rentention to Aid Recovery     In addition to providing a basis for evaluating the sensitivity of     process data anomalies as an aid to material control, records allow     reconstruction of the circumstances surrounding a detected theft and     identification of salient characteristics of the stolen material. Such     information can aid recovery measures and provide a basis for revising     procedures. 5. Examples of Investigative Procedures Utilizing a Decision     Hierarchy     Response to an anomaly can take the form of an abnormal situation     action sheet which would be prepared for each process operator and     management official in the plant. The following scenarios indicate how     such a system might actually work in practice.     a. Abnormal yield     A process operator notes on the basis of experience or     posted normal values that the yield from a particular batch process is     significantly less than normal. He notifies his area foreman, (who may,     for example, have had the process charged with a short batch to complete     a particular job run) and immediately checks for material held up in the     process or for an error in the product measurements. After ten minutes     the foreman notifies his superior, for example, the MBA custodian, and     initiates a check of the unit process run sheets, emptied process     material containers, and material transfer documents to his area to     assure that the proper amount of material had been charged and also     checks scrap and waste streams from the process. After an hour the MBA     custodian notifies the process engineer and begins an earnest search,     calling for special product quality and measurement control checks and     verifying when last the contents of the process containers had been     measured (such as transfer into the MBA, origination of the item,     previous physical inventory, etc.). After another four hours the     process engineer notifies the plant shift supervisor and calls for an     immediate physical inventory of all materials having passed that process     step after the anomaly was detected, a check and verification of the     contents of all containers in the MBA, and a listing of all persons who     may have had access to the material. If the material is not found     within 6 hours of his being notified, the shift supervisor calls for a     shutdown inventory and notifies the plant manager and the AEC.     b. Missing container     A process operator is instructed by his job sheet to put the     SNM of container A06 into process. However, upon going to get item A06,     he discovers that it is not in the store of material awaiting     processing. He then notifies his area foreman (who may, for example,     have had another operator take the item for a QC sample) and immediately     checks around the area to see if A06 was misplaced on the pallet, has a     smeared tag, etc. After ten minutes the foreman notifies his superior,     for example, the MBA custodian, and initiates a check of the unit     process run sheets, empty containers, and process transfer documents to     his area and also checks the area from which the container was supposed     to have come. After an hour the MBA custodian notifies the process     engineer and begins an earnest search, checking to see when last the     presence of Item A06 had been verified (such as transfer into the MBA,     origination of the item, previous physical inventory, etc.). After     another four hours the process engineer notifies the plant shift     supervisor and calls for 100% inventory of containers in the concerned     MBA, a check and verification of run sheets of similar processes in the     MBA, and an item check of other MBAs. If the material is not found     within 6 hours of his being notified, the shift supervisor calls for a     shutdown inventory and notifies the plant manager and the AEC. C. REGULATORY POSITION     The following characteristics form a basis acceptable to the     Regulatory staff for the analysis and use of production data anomalies     as a means of early detection of thefts of special nuclear material: 1. Classification of Theft Modes.     In classifying theft modes, the following characteristics should     be considered:     a. Material attractiveness     b. Record modification     c. Distribution of amounts stolen     d. Removal mode     e. Number of individuals involved     f. Type of individual 2. Performance Characteristics.     Performance characteristics should be consistent with the     following assumptions:     a. All abnormal situations reported to the material balance     area custodian should be recorded as exception reports.     b. The prescribed response to an anomaly for each level of     management should be consistent with the magnitude of the anomaly and     the number of innocent events which could have caused it.     c. The mass sensitivity should be consistent with the ability     to detect 95% of the plausible theft modes as may be perpetrated by an     individual granted access to the area.     d. The time lag (from detection of the anomaly--first     indication of a potential theft--until notification to the AEC) should     not exceed 24 hours.     e. To provide adequate records to support an effective     reconstruction of circumstances associated with a theft, records should     be maintained as follows:     (1) All production information identified for use in     determining innocent causes for process data anomalies should be     maintained at least until the close of the second inventory period     following the one for which those data apply and should be retrievable     within four hours of a request for such information.     (2) Exception reports, data actually used to identify the     innocent cause of detected anomalies, summary (inventory period) reports     of production activities, records of inter-MBA material transfers, and     personnel access logs should be maintained for five years following     their preparation and should be available to the AEC within seven days     of a request for such information. 3. Assurance Statement     The degree of protection afforded by analysis and use of process     data anomalies should be expressed in terms of an assurance statement as     follows: "Analysis of anomalies in process data will, within 24 hours     of occurrence of that anomaly, detect an estimated 95% of plausible     thefts of grams or more of by a lone individual who normally has     access to the material."     (Due to database constraints, Tables 1-5 are not included. Please     contact LIS to obtain a copy.)16