Publication Date: 11/1/87
    Pages: 12
    Date Entered: 12/16/87
    Title: REPORTING OF SAFEGUARDS EVENTS (2/81)
    Revision 1
    November 1987
    U.S. NUCLEAR REGULATORY COMMISSION
    REGULATORY GUIDE
    OFFICE OF NUCLEAR REGULATORY RESEARCH
    REGULATORY GUIDE 5.62
    (Task SG 901-4) REPORTING OF SAFEGUARDS EVENTS
A. INTRODUCTION
    In 10 CFR Part 73, "Physical Protection of Plants and Materials,"
    paragraphs 73.71(a) through (c) have recently been amended. Section
    73.71 requires licensees to report to the Operations Center of the NRC
    or to record for quarterly transmittal to the NRC certain safeguards
    events. These events are those that threaten nuclear activities or
    lessen the effectiveness of a security system as established by
    safeguards regulations or an approved security or contingency plan.
    This regulatory guide provides an approach acceptable to the NRC
    staff for use by the licensee for determining when and how an event
    should be reported. The examples provided represent the types of events
    that should be reported and are not intended to be all-inclusive. The
    applicability of events may vary from site to site.
    Any information collection activities mentioned in this regulatory
    guide are contained as requirements in 10 CFR Part 73, which provides
    the regulatory basis for this guide. The information collection
    requirements in 10 CFR Part 73 have been cleared under OMB Clearance No.
    3150-0002.
B. DISCUSSION
    The information reportable under Section 73.71 is required so the
    NRC will be informed of safeguards-related events that have the
    potential to endanger public health and safety or national security.
    The required information is also used to monitor trends in safeguards
    system effectiveness.
    Because certain significant safeguards events warrant immediate
    involvement by the NRC and possibly other government agencies such as
    the FBI, these events must be reported by telephone to the NRC within 1
    hour of discovery of the event, and a detailed written report must
    follow within 30 days.
    Certain other less significant safeguards events are required to
    be recorded in a log and copies of the recorded log submitted to the NRC
    every 3 months. While these events are less significant than those
    reportable within 1 hour, they are required to be reported to the NRC on
    a quarterly basis for review and long-term trend analysis. If an event
    occurs repeatedly at one facility or throughout the industry, it may
    represent a defect in the security program or a generic trend. Not all
    generic defects or trends require action on the part of the NRC;
    however, this decision cannot be made unless the events are reported to
    the NRC. Licensees have been required to maintain a separate log to
    record events reportable under Section 73.71 in the past, but are now
    required to submit a copy of that log to the NRC on a quarterly basis.
    For the purposes of this guide and for understanding the
    regulations, a glossary is given in Appendix A of this guide. Table 1
    presents a summary of reportable events and reporting times.
C. REGULATORY POSITION
1. LICENSEES SUBJECT TO SECTION 73.71
    Licensees who are subject to the provisions of Sections 73.25,
    73.26, 73.27(c), 73.37, 73.67(e), or 73.67(g) of 10 CFR Part 73 are
    subject to the provisions of paragraph 73.71(a).
    Licensees who are subject to the provisions of Sections 73.20,
    73.37, 73.50, 73.55, 73.60, or 73.67 are subject to the provisions of
    paragraph 73.71(b) for events described in paragraph (I)(a)(1) of the
    new Appendix G to Part 73. Licensees subject to the provisions of
    Sections 73.20, 73.37, 73.50, 73.55, 73.60, or each licensee possessing
    strategic special nuclear material (SSNM) and subject to paragraph
    73.67(d) are subject to the provisions of paragraph 73.71(b) for events
    described in paragraphs I(a)(2), I(a)(3), I(b), and I(c) of Appendix G
    to Part 73. Licensees subject to the provisions of Sections 73.20,
    73.37, 73.50, 73.55, or 73.60 are subject to the provisions of paragraph
    73.71(b) for events described in paragraph I(d) of Appendix G to Part
    73.
    (Due to database constraints, Table 1 is not included. Please contact
    LIS to obtain a copy.) Licensees subject to the provisions of Sections 73.20, 73.37,
    73.50, 73.55, 73.60, or each licensee possessing SSNM and subject to
    paragraph 73.67(d) are subject to the provisions of paragraph 73.71(c).
2. REPORTABLE EVENTS
    2.1 Safeguards Events To Be Reported Within 1 Hour
    Paragraphs 73.71(a) and (b) require certain events to be reported
    within 1 hour of discovery. Events under paragraph 73.71(a) involve
    incidents in which theft, loss, or diversion of a shipment of special
    nuclear material (SNM) or spent fuel has occurred or is believed to have
    occurred. A written report should be submitted to the NRC within 30
    days on each event that is reported within 1 hour. Safeguards events
    reportable under paragraph 73.71(b) and described in Appendix G to 10
    CFR Part 73 include:
1. Acts, attempts, or threats to commit:
    (a) Theft or unlawful diversion of SNM or spent fuel;
    (b) Significant physical damage to a power reactor, to any
    facility possessing SSNM or such facility's equipment,
    to the carrier equipment transporting nuclear fuel or
    spent nuclear fuel, or to the nuclear fuel or spent
    nuclear fuel a facility or carrier possesses;
    (c) Interruption of normal operation of a licensed nuclear
    power reactor through the unauthorized use of or
    tampering with its machinery, components, or controls,
    including the security system.
2. Any actual entry of an unauthorized person into a protected
    area, material access area, controlled access area, vital
    area, or transport equipment.
3. Any uncompensated failure, degradation, or discovered
    vulnerability in a safeguards system that could allow
    unaithorized or undetected access to a protected area,
    material access area, controlled access area, vital area, or
    carrier transporting nuclear fuel, spent fuel, or formula
    quantities of SSNM.
4. Any actual or attempted introduction of contraband into a
    protected area, material access area, vital area, or
    transport equipment.
    To clarify, safeguards system failures include not only mechanical
    or electrical system failures but also improper security procedures or
    personnel practices. Discovered vulnerabilities include incidents in
    which the security system has not failed, but some flaw in the security
    system that had existed without being noticed has been discovered.
    2.2 Examples of Safeguards Events To Be Reported Within 1 Hour
    The following are examples of events that should be reported to
    the NRC within 1 hour because of their potential to endanger public
    health and safety or national security. This list should not be
    considered all-inclusive. The applicable regulation is cited for each
    event, and compensatory measures are discussed if appropriate.
1. Credible bomb or extortion threats. In addition to the
    initial telephone report, a telephone report of the results of a bomb
    search should be made within 1 hour of completion of the search.
    Unsubstantiated threats need not be reported immediately unless a
    specific organization or group claims responsibility or the threat is
    one of a pattern of harassing threats; in these cases, the threat must
    be reported within 1 hour. (Paragraph I(a)(1), (2), or (3) of Appendix
    G) There are no compensatory measures that would preclude the reporting
    of a substantiated threat within 1 hour. If a threat cannot be
    substantiated (no organization or group identified, negative search
    results, and no additional evidence other than the threat message), the
    event need only be logged. (Also see number 13 in Section 2.4 of this
    guide.)2. Discovery of a criminal act involving individuals granted
    unescorted protected area or vital area access that, in the judgment of
    the licensee, adversely affects radiological safety in licensed
    activities or facility operations (e.g., felonious acts, discovery of a
    conspiracy to bomb the facility or disturb its vital components,
    vandalism of vital equipment, reasonable suspicion of illegal sale, use,
    possession, or introduction of a controlled substance onsite).
    (Paragraph I(a)(2) or (3) of Appendix G) Because of the serious nature
    of such an event, discovery of the event should be reported within 1
    hour even if the individual's unescorted access authorization is
    cancelled. (Also see number 3 in this section.)3. Discovery of a criminal act involving a person granted unescorted
    protected area or vital area access if the act has the potential for
    adversely affecting the public health and safety, e.g., illegal use of a
    controlled substance offsite by a reactor control room operator.
    (Paragraph I(a)(2) or (3) of Appendix G) Licensees should exercise
    judgment in determining the reportability of criminal acts conducted
    offsite. Only those acts with the potential for affecting the
    radiological safety of licensed activities need be reported. Criteria
    that can be used to judge reportability of these types of events include
    (1) the event indicates a failure in program design or implementation,
    (2) the person involved has safety-related responsibilities, or (3) the
    event is receiving media attention. Positive drug screens should be
    validated prior to determining reportability to the NRC. If the event
    is properly compensated, e.g., the program failure is corrected or the
    individual's unescorted access is suspended, then the event need only be
    logged.
4. Discovery of theft or loss of classified documents
    pertaining to facility or transport safeguards. (Paragraph I(a) of
    Appendix G) (Note: This is also reportable under Section 95.57 of 10
    CFR Part 95.) This type of event is considered a credible threat to the
    proper safeguarding of a facility or transport. By the nature of this
    event, its discovery can occur only after a significant degradation of
    the safeguards system designed to protect the classified documents. No
    measure can adequately compensate for such an event, and events of this
    type should always be reported within 1 hour of discovery. After the
    discovery, the licensee should endeavor to locate the missing or stolen
    document, take measures to help ensure the event is not repeated, and
    take whatever steps are possible to minimize the consequences of the
    event.
5. Fire or explosion of suspicious or unknown origin within the
    isolation zone, protected area, material access area, or vital area.
    (Note: Events reportable under Sections 50.72 or 50.73 do not require
    duplicate reports under Section 73.71.) (Paragraphs I(a)(1), (2), (3),
    or I(d) of Appendix G) If the origin of a fire or explosion can be
    determined within 1 hour to be nonsuspicious and the facility sustains
    no significant damage, the event is not considered a security threat to
    the facility and need not be reported or logged. (Also see number 4 in
    Section 2.5.) 6. Discovery of a suspicious vehicle following a licensed
    carrier transporting formula quantities of SSNM. (Paragraph I(a)(1) of
    Appendix G) In this situation, armed escorts or other responsible
    personnel should determine whether or not a threat exists and assess the
    extent of the threat, if any. If a threat exists, it should be reported
    to the NRC within 1 hour of confirmation and the provisions of paragraph
    73.26(e) should be followed. If no threat exists, the event need not be
    reported or logged.
7. Mechanical breakdown of transport vehicle carrying formula
    quantities of SSNM. (Paragraphs I(a)(1), (2) of Appendix G) Since it is
    difficult to readily determine if a mechanical breakdown is random or
    intentional, and because of the strategic significance of the material,
    mechanical breakdowns of transports carrying formula quantities of SSNM
    should always be reported to the NRC within 1 hour of discovery.
8. Complete loss of offsite communications. (Paragraph I(a)(2)
    or (3) of Appendix G) If possible, the licensee should report the
    complete loss of communications from the site within 1 hour or
    immediately after restoration of communications. If communications from
    the site are lost and cannot be restored within 1 hour, the licensee
    should use communications located offsite to notify the NRC.
9. Mass demonstration at plant site that may pose a threat to
    the facility. (Paragraph I(a)(2) or (3) of Appendix G) 10. Civil disturbance near the plant site that may pose a threat
    to the facility. (Paragraph I(a)(2) or (3) of Appendix G) 11. Confirmed tampering of suspicious origin with safety or
    security equipment. (Paragraph I(a)(1), (2), or (3) of Appendix G) 12. An assault on a power reactor, facility, or transport
    possessing or transporting SSNM regardless of whether perimeter
    penetration is achieved. (Paragraph I(a)(1), (2), or (3) of Appendix G) 13. Confirmed intrusions by unauthorized individuals into the
    protected area, material access area, controlled access area, vital
    area, or carrier transporting formula quantities of SSNM. (Paragraph
    I(b) of Appendix G) Measures should be taken to preclude the recurrence
    of such events. Since any compensatory measures for such an event would
    be after the fact of a serious safeguards degradation, there are no
    compensatory measures that would preclude reporting such an event within
    1 hour of discovery. The violation of licensee-established work rules
    (e.g., area zoning) within an area by an authorized individual need not
    be reported or logged as a safeguards event. (Also see number 11 in
    Section 2.4.) 14. Uncompensated suspension of safeguards controls during
    either radiological or nonradiological emergencies that could allow
    undetected or unauthorized access. (Note: Events reportable under
    Sections 50.72 or 50.73 do not require duplicate reports under Section
    73.71.) (Paragraph I(c) of Appendix G) Section 5.3, "Controls that Can
    Be Suspended During an Emergency," of Regulatory Guide 5.65, "Vital Area
    Access Controls, Protection of Physical Security Equipment, and Key and
    Lock Controls," describes safeguards measures that may be suspended
    during nonradiological emergencies.
    15. Discovery of intentionally falsified identification badges
    or key cards. (Paragraph I(a) of Appendix G) This event is considered a
    safeguards threat to the facility and should always be reported within 1
    hour of discovery. Measures should be taken immediately to cancel the
    badges or key cards from the access system and to determine to what
    extent the badges or key cards have been used.
    16. Discovery of uncompensated and unaccounted for, lost, or
    stolen key cards, I.D. card blanks, keys, or any access device that
    could allow unauthorized or undetected access to protected areas,
    material access areas, controlled access areas, or vital areas.
    (Paragraph I(c) of Appendix G) Such events need not be reported within 1
    hour if measures are taken within 10 minutes of the discovery of the
    loss to preclude the use of the lost or stolen device for gaining access
    to a controlled area and to ensure that the lost or stolen device has
    not been used in an unauthorized manner prior to completion of actions
    to prevent unauthorized use of the device. (Also see number 6 in
    Section 2.4.) 17. Compromise of safeguards information (including loss or
    theft) that would significantly assist a person in an act of
    radiological sabotage or theft of SNM. (Paragraph I(a) of Appendix G)
    There is no measure that would adequately compensate a compromise of
    safeguards information once the event has occurred. A licensee should
    always report this type of event within 1 hour of discovery, and
    follow-up measures similar to those for theft or loss of a classified
    document should be taken. (Also see number 4 in this section.) 18. Uncompensated loss of the ability to monitor or remotely
    assess protected area alarms through loss of both central and secondary
    alarm stations. (Paragraph I(c) of Appendix G) If the event involves an
    outage of the alarms, closed circuit television, or security computers,
    the event is considered properly compensated if the original capability
    is restored within 10 minutes of discovery of the event or if dedicated
    observers with appropriate communications equipment are in place within
    10 minutes of the discovery to provide total observation of each
    area.(1) Licensees are expected to discover this type of event upon
    occurrence. If immediate restoration of system capability is provided
    by activating secondary computers, the loss of backup capability need
    not be reported within 1 hour. (Also see number 10 in Section 2.4.) 19. Unavailability of a minimum number of security personnel or
    an actual or imminent strike by the security force. (Paragraph I(c) of
    Appendix G) If an unexpected unavailability of a minimum number of
    security personnel occurs, procedures pre-approved by the NRC may be
    used; or "on call" guards or trained management, supervisory, or
    operations personnel available within 10 minutes may be used to
    supplement the on-duty security force. If minimum requirements cannot
    be met, the event should be reported within 1 hour of discovery.
    20. Uncompensated loss of all ac power supply to security
    systems that could allow unauthorized or undetected access to a
    protected area, material access area, controlled access area, or vital
    area. (Paragraph I(c) of Appendix G) If the security system integrity
    can be maintained by standby power, the event is considered properly
    compensated and need only be logged. However, if standby power fails
    prior to restoration of ac power, the event should be reported within 1
    hour of loss of standby power. Licensees are expected to discover this
    type of event upon occurrence. (Also see number 7 in Section 2.4.) 21. Uncompensated loss of ability to detect within a single
    intrusion detection system zone. (Paragraph I(c) of Appendix G) Proper
    compensation for this event means immediate deployment (within 10
    minutes of discovery) of back-up intrusion detection equipment or
    posting a dedicated observer with a view of the entire area and
    capability to communicate with alarm stations.(1) Licensees are expected
    to discover this type of event upon occurence. (Also see number 3 in
    Section 2.4.)----------
    (1) Posting personnel as a compensatory measure implies that the
    personnel are capable of performing the lost or degraded function. When
    they cannot perform that function, such as when they are asleep, there
    is an uncompensated loss that must be reported within 1 hour of
    discovery. Preplanned compensatory measures are normally described in
    NRC-approved safeguards plans.
    ----------
    22. Loss of alarm capability or locking mechanism on a material
    access area or vital area portal. (Paragraph I(c) of Appendix G) A
    bolt-position alarm capability is not a proper compensatory measure for
    loss of a balanced-magnetic alarm because it is not tamper-resistant.
    Proper compensation for either of these events means immediate (within
    10 minutes of discovery) posting of a dedicated observer for loss of an
    alarm or posting an armed member of the security force for loss of a
    lock. The posted observer or guard should have appropriate
    communications equipment.(1) In addition, a thorough search of the
    affected area should be initiated immediately and completed as soon as
    practicable. Licensees are expected to discover this type of event upon
    occurrence. (Also see number 8 in Section 2.4.) 23. Discovery of the actual or attempted introduction into or
    possession within the protected area, material access area, or vital
    area of unauthorized weapons, explosives, or incendiary devices.
    (Paragraph I(d) of Appendix G) There are no compensatory measures that
    would preclude reporting this event within 1 hour. If an actual
    introduction of contraband is made, steps should be taken to correct the
    vulnerability that allowed the introduction. The discovery of vehicular
    emergency equipment such as safety flares during entrance searches need
    not be reported or logged. (Also see number 5 in this section.) 24. Loss of security weapon at the site. (Paragraph I(a)(3) of
    Appendix G)2.3 Safeguards Events To Be Reported and Submitted Quarterly in a Log
    The following safeguards events reportable under paragraph
    73.71(c) need only be logged within 24 hours of their discovery and
    submitted quarterly to the NRC:
1. Any failure or degradation of a safeguards system or
    discovered vulnerability in a system that could have allowed
    unauthorized or undetected access to a protected area,
    material access area, controlled access area, vital area, or
    transport equipment if compensatory measures had not been
    established. (Logging is not required for preplanned
    situations that require compensatory measures, such as
    special outage work, equipment relocation, exercises and
    drills, and other situations that are not the result of a
    safeguards system failure.) 2. Any other threatened, attempted, or committed act not
    previously defined in Appendix G that has the potential for
    reducing the effectiveness of the safeguards system below
    that committed to in a licensed physical security or
    contingency plan or the actual condition of such reduction
    in effectiveness.
    With respect to the proper compensation of an event, compensatory
    measures need to be implemented promptly to be effective. For example,
    measures used to compensate for a design flaw or vulnerability in a
    safeguards barrier that has existed for some period of time and that
    could allow unauthorized or undetected access are not considered
    effective if implemented more than 10 minutes after the flaw or
    vulnerability occurs; such events require immediate reporting. Prompt
    implementation will minimize any period of degradation that may exist
    between the occurrence and proper compensation after discovery of
    certain events. Proper compensation after discovery of an event does not
    relieve the licensee from the responsibility for taking long-term
    corrective action, nor does it relieve the licensee from possible
    enforcement action by the NRC for non-compliance during the periods of
    safeguards system degradation. However, licensees are not ordinarily
    cited for violations resulting from matters not within their control,
    such as equipment failures that occurred despite reasonable licensee
    quality assurance measures, testing and maintenance programs, or
    management controls. (See 10 CFR Part 2, Appendix C, paragraph V.A.) False alarms (those generated without any apparent cause) and
    nuisance alarms (those generated by an identified input that does not
    represent a safeguards threat) generally need not be reported or logged.
    However, if false or nuisance alarms are so frequent that the
    effectiveness of the alarm system is degraded or a pattern of false or
    nuisance alarms emerges, the licensee should take corrective action and
    note the degraded status and compensatory measures taken in the
    safeguards event log.
    2.4 Examples of Safeguards Events To Be Reported and Submitted
    Quarterly in a Log
    The following are examples of events that are less significant
    than those reportable within 1 hour, and according to the rule are
    required to be logged within 24 hours and submitted quarterly to the
    NRC. This list should not be considered all-inclusive. The applicable
    regulation is cited for each event, and compensatory measures are
    discussed where appropriate.
1. Properly compensated security computer failures. (Paragraph
    II(a) of Appendix G) Properly compensated means that within 10 minutes
    of the discovery of the failure the system is restored to operation, the
    backup system is operational, or other resources (e.g., security
    personnel with appropriate communications equipment) are posted to
    provide an equivalent level of protection. In all cases, a thorough
    search of all areas where alarms or access controls may have been
    compromised by the failure should be initiated immediately and completed
    as soon as practicable. Licensees are expected to discover this type of
    event upon occurrence.
2. Properly compensated vital area card reader failures.
    (Paragraph II(a) of Appendix G) For this event, proper compensation
    means posting appropriate personnel (i.e., armed guard if door is
    unlocked, dedicated observer if door remains locked but access is
    required) within 10 minutes of discovery.(1) The appropriate personnel
    must have a current access list and communications capability to alarm
    stations. A thorough search of the affected area must be initiated
    immediately and completed as soon as practicable. Licensees are expected
    to discover this type of event upon occurrence.
3. Properly compensated alarm failures. (Paragraph II(a) of
    Appendix G) For this event, proper compensation means deployment of
    back-up alarm equipment (a bolt-position alarm capability is not
    considered back-up alarm equipment because it is not tamper-resistant)
    or posting a dedicated observer within 10 minutes of discovery.(1) The
    dedicated observer should have appropriate communications equipment and
    should be able to observe the entire affected area of the portal. In
    addition, a thorough search of the affected area should be initiated
    immediately and completed as soon as practicable. Licensees are
    expected to discover this type of event upon occurrence. (Also see
    number 21 in Section 2.2.) 4. Properly compensated closed circuit television failure in a
    single zone while the intrusion detection system remains operational.
    (Paragraph II(a) of Appendix G) Properly compensated means providing
    other assessment capability, such as posting a dedicated observer with
    communications equipment to assess the entire zone within 10 minutes of
    discovery of the failure.(1) Licensees are expected to discover this
    type of event upon occurrence.
5. Properly compensated failure or degradation of a single
    perimeter lighting zone if the intrusion detection system remains
    operational. (Paragraph II(a) of Appendix G) Measures to properly
    compensate for failure or degradation of a lighting zone must be
    implemented within 10 minutes of discovery and may include (1) using
    standby power, (2) using low-light-level surveillance devices, (3) using
    portable lighting systems, or (4) posting dedicated observers with
    appropriate communications equipment to provide an equivalent level of
    protection.
6. Properly compensated accidental removal offsite or loss of
    badge by employee. (Paragraph II(a) of Appendix G) For this event,
    proper compensation is cancelling the badge from the access control
    system within 10 minutes of onsite personnel discovering that the badge
    is missing. Measures must be taken to be sure the badge has not been
    used in an unauthorized manner while it has been missing. (Also see
    number 16 in Section 2.2.) 7. Properly compensated loss of the ac power supply for the
    entire intrusion detection system that, if uncompensated, would allow
    unauthorized or undetected access. (Paragraph II(a) of Appendix G)
    Proper compensation for this event is immediately available emergency
    power through an uninterruptible power source such as a battery
    supported by a generator. If back-up power is not available, security
    personnel with communications equipment should be posted within 10
    minutes of discovery; however, this action is not considered proper
    compensation for the event and does not excuse a licensee from reporting
    the event within 1 hour. Licensees are expected to discover this type
    of event upon occurrence. (Also see number 20 in Section 2.2.) 8. Properly compensated loss of either alarm or locking
    mechanism on a material access area or a vital area portal. (Paragraph
    II(a) of Appendix G) A bolt-position alarm capability is not considered
    a proper compensatory measure because it is not tamper-resistant.
    Proper compensation for this event is immediate (within 10 minutes of
    discovery) posting of a dedicated observer for a loss of alarm or an
    armed member of the security force for loss of a lock.(1) The posted
    personnel should have appropriate communications equipment. In
    addition, a thorough search of the affected area should be initiated
    immediately and completed as soon as practicable. Licensees are
    expected to discover this type of event upon occurrence. (Also see
    number 23 in Section 2.2.) 9. Security computer failures that may not enable unauthorized
    or undetected access. (Paragraph II(b) of Appendix G) 10. Loss of the capability of a single alarm station to monitor
    or remotely assess alarms but monitoring or assessment capability
    remains in other stations. (Paragraph II(b) of Appendix G) (Also see
    number 18 in Section 2.2.) 11. Tailgating by a licensee or contractor employee to gain
    access to an area to which he or she is authorized access. (Paragraph
    II(b) of Appendix G) (Also see number 13 in Section 2.2.) 12. For shipments of formula quantities of SSNM, intra-convoy
    communications ability is lost, but ability to communicate with movement
    control center remains. (Paragraph II(b) of Appendix G) 13. Unsubstantiated bomb or extortion threat. (Paragraph II(b)
    of Appendix G) An unsubstantiated bomb or extortion threat is a threat
    in which no specific organization or group claims responsibility, the
    search result is negative, and no evidence is available other than the
    threat message. If a threat is one of a pattern of harassing, even if
    unsubstantiated, it should be reported within 1 hour.
    2.5 Events Not Required To Be Logged or Reported
    Certain failures of the safeguards system that do not and could
    not reduce the effectiveness of the system have little or no safeguards
    significance; events having little or no safeguards significance need
    not be reported or logged. The following are examples of events that
    are not required to be logged or reported. This list should not be
    considered all-inclusive.
1. Cuts made by authorized maintenance personnel through a
    vital area barrier for a legitimate reason (e.g., to install pipe) if
    prior approval, coordination with security, and proper compensatory
    measures have been established.
2. A person attempting to climb a protected area fence if the
    person is obviously a child.
3. Infrequent nuisance alarms caused by mechanical or
    environmental problems and false alarms that do not exceed the rates
    committed to in the licensee's approved security plan or do not degrade
    alarm system effectiveness.
4. When the origin of a fire or explosion can be determined
    within 1 hour to be nonsuspicious and the facility sustains no
    significant damage.
3. PROCEDURES
    The determination for reporting an event under paragraphs
    73.71(a), (b), and (c) should be made by onsite security management or
    their equivalent. However, discovery of such an event is not limited to
    members of the security organization. It is recommended that all
    regular site employees receive security orientation by the security
    organization to foster an awareness of site security and to be briefed
    on their responsibility to immediately notify site security of
    safeguards anomalies.
    Events of a dual nature (i.e., having both safety and safeguards
    implications and subject to the requirements of Sections 50.72, 50.73,
    and 73.71) do not require duplicate reports under the requirements of
    Section 73.71. If a power reactor licensee reports an event that is
    reportable in accordance with both Sections 50.73 and 73.71, the
    procedures described in Section 50.73 (i.e., submittal of a licensee
    event report (LER)) must be followed. The procedures contained in
    NUREG-1022, "Licensee Event Report System,"(2) describe how to indicate
    that an LER meets multiple reporting requirements. When submitting
    reports of events reportable solely under the provisions of Section
    73.71, power reactor licensees should use LER Form 366; all other
    licensees should write a letter. If the written report contains
    restricted data, e.g., unclassified safeguards information, the report
    must be appropriately marked. If NRC Form 366 or 366A is used,
    restricted data may be included only in the text section (Item 17 of the
    form). Restricted data should not be included in the abstract section
    (Item 16) or any other section of the form other than the text section.
    In addition, the text should clearly indicate the information that is
    restricted. Finally, the requirements of paragraph 73.21(g) must be met
    when transmitting written proprietary information.
    It is recognized that not all items of NRC Form 366 may apply when
    safeguards events are reported. Power reactor licensees should be sure
    that all the information needed by the NRC for analysis and evaluation,
    as described in section 3.2 of this guide, is included on the form,
    whether under a specific item or in the text section.
    Procedures for the 1-hour report, the 30-day followup report, and
    the quarterly log are discussed in the following sections.
    ----------
    (2) F. J. Hebdon, "Licensee Event Report System," U.S. Nuclear
    Regulatory Commission, NUREG-1022, September 1983.
    ----------
    3.1 1-Hour Reports
    When a licensee, licensee employee, or contract employee discovers
    an event reportable under paragraph 73.71(a) or (b), telephone
    notification to the NRC Operations Center listed in Appendix A to 10 CFR
    Part 73 should be made within 1 hour of the discovery. Telephone
    notification should be made via the Emergency Notification System (ENS)
    if the licensee is party to that system. If the ENS is inoperative or
    unavailable, a commercial telephone should be used to ensure that the
    required notification is received by the NRC Operations Center within 1
    hour of discovery of the event. The commercial telephone number that
    may be used to contact the NRC Operations Center is (301) 951-0550.
    Other methods that may be used to ensure notification within 1 hour
    include telegram, mailgram, or facsimile. Telegrams and mailgrams
    should be hand delivered to the Operations Officer at the NRC Operations
    Center, Maryland National Bank Building, 7735 Old Georgetown Road,
    Bethesda, Maryland 20814. For information concerning facsimiles,
    telephone the NRC Operations Center at (301) 492-8893. If pertinent
    information or errors are uncovered after the initial telephone report
    but prior to submittal of the written report, the licensee should notify
    the NRC Operations Center of the information or error by telephone.
    Under the provisions of paragraph 73.71(a), the licensee (or
    agent) should also notify the NRC Operations Center by telephone within
    1 hour of the recovery of or accounting for a shipment with information
    on the material located, known reason for loss, etc.
    Telephone reports made pursuant to Section 73.71 may be
    transmitted over unprotected lines as permitted by the exemption in
    paragraph 73.21(g)(3).
    3.2 30-Day Followup Written Reports
    A followup written report must be submitted within 30 days of a
    1-hour report. Power reactor licensees should use the Licensee Event
    Report form, NRC Form 366, in submitting their reports; all other
    licensees should use a letter format. For all licensees, the
    information described below is sufficient for NRC analysis and
    evaluation and should be included in the report as a minimum. Reports
    of events must be legible and reproducible and should include the
    following:
1. Date and time of event (start and end time).
2. Location of actual or threatened event in a protected area,
    material access area, controlled access area, vital area, or
    other (specify area).
3. For power reactors, the operating phase, e.g., shut-down,
    operating.
4. Safety systems affected or threatened, directly or
    indirectly.
5. Type of security force onsite (proprietary or contract).
6. Number and type of personnel involved, e.g., contractors,
    security, visitors, NRC personnel, other (specify).
7. Method of discovery of incident, e.g., routine inspection,
    test, maintenance, alarm, chance, informant, communicated
    threat, unusual circumstances (give details).
8. Procedural errors involved, if applicable.
9. Immediate actions taken in response to event.
10. Corrective actions taken or planned.
    11. Local, State, or Federal law enforcement agencies contacted.
    12. Description of media interest and press release.
    13. Indication of previous similar events.
    14. Knowledgeable contact.
    For security system failures, provide the following in addition to
    Items 1 through 14:
    15. Description of failed or malfunctioned equipment (including
    manufacturer and model number).
    16. Apparent cause of each component or system failure. (For
    uncompensated security computer failures, state the reason
    the event could not be compensated and list specific
    components affected, e.g., central processor,
    peripheral/terminal equipment, software.) 17. Status of the equipment prior to the event (e.g., operating,
    being maintained, made secure) and compensatory measures in
    place.
    18. Secondary functions affected (for multiple-function
    components).
    19. Effect on plant safety.
    20. Unusual conditions that may have contributed to failure,
    e.g., environmental extremes.
    For threat-related incidents, provide the following in addition to
    Items 1 through 14:
    21. Number of perpetrators.
    22. Type of threat, e.g., bomb, extortion.
    23. Means of communication, e.g., letter, telephone.
    24. Text of threat.
    25. Mode of operation.
    26. Clear photocopy of threat letter and accompanying envelope
    if applicable.
    Licensees should submit one copy of each written report to the
    U.S. Nuclear Regulatory Commission, Document Control Desk, Washington,
    DC 20555, and one copy to the appropriate Regional Office listed in
    Appendix A to 10 CFR Part 73. If pertinent information or errors are
    uncovered after the initial telephone report or the written report is
    submitted, the licensee should notify the NRC Operations Center by
    telephone of the information or errors. If the information is uncovered
    after the written report has been submitted, the licensee should submit
    a complete revised written report with revisions indicated to the
    Document Control Desk and the Regional Office. The revised report
    should be complete and should not contain only the supplementary or
    revised information.
    3.3 Maintenance and Quarterly Submittal of Log
    Events reportable under paragraph 73.71(c) only need to be logged.
    In maintaining the log, it is recommended that the licensee log the
    information as received and then summarize and update the log entry when
    the event terminates. However, licensees are required by paragraph
    73.71(c) to log entries within 24 hours of the discovery of the event.
    Since the licensee would immediately investigate all events that
    threatened nuclear activities or lessened the effectiveness of the
    security system, the details would generally be available when the entry
    was made in the log. Log entries should include as a minimum:
1. Date and time of the event;
2. Brief (one-line) description of the event;
3. Brief (one-line) description of compensatory or corrective
    actions taken;
4. Area affected, e.g., vital area, protected area, owner
    controlled, transport; and
5. How detected, e.g., alarm, routine inspections, patrol,
    informants.
    Every 3 months, the licensee is required to submit one copy of all
    log entries not previously submitted to the NRC Document Control Desk.
    The log entries need not be typed as long as they are legible; a
    photocopy is acceptable. Licensees are permitted a 30-day grace period
    for all log submittals.
    Events of a similar nature that are logged and submitted to the
    NRC under paragraph 73.71(c) may be consolidated into a single log entry
    if they occur repeatedly within the quarterly submittal period. The
    date and time should be specified for each occurrence of the event. For
    example, if there is a repeated occurrence of a compensated computer
    failure and each failure is the result of the same problem, only one log
    entry providing the details of 1 through 5 above need be made. However,
    the date, time, and duration of the event should be recorded in the log
    for each occurrence.
    Each log must be retained for 3 years after the last entry to that
    log.
    APPENDIX A
    GLOSSARY
    NOTE: This glossary only applies to the requirements of Section 73.71
    of 10 CFR Part 73.
    Any failure, degradation, or discovered vulnerability: The cessation of
    proper functioning or performance of equipment, personnel, or procedures
    that compose the physical protection program necessary to meet Part 73
    requirements, or a discovered defect in such equipment, personnel, or
    procedures that degrades function or performance.
    Credible threat: A threat should be considered credible when (1)
    physical evidence supporting the threat exists, (2) information
    independent from the actual threat message exists that supports the
    threat, or (3) a specific group or organization claims responsibility
    for the threat.
    Dedicated observer: A person, not necessarily a member of the security
    force, posted as a temporary compensatory measure for a degraded
    assessment or detection capability or both. While performing this
    function, duties must be limited to detection and assessment. As a
    minimum, the person must be able to view the entire area affected by the
    degradation and must be able to communicate with the central alarm
    station.
    Diversion of SNM: Unauthorized movement of SNM by individuals
    authorized access to or control over the material.
    False alarm: An alarm generated without an apparent cause.
    Investigation discloses no evidence of a valid alarm condition,
    including tampering, no nuisance alarm conditions, and no equipment
    malfunction.
    Interruption of normal operation: The cessation of normal operation
    that, if accomplished, would result in substantial economic harm or cost
    to the licensee.
    Loss of SNM: (1) A failure to measure or account for material by the
    material control and accounting system approved for the facility when
    the material is authorized to be possessed by the licensee and is not
    confirmed stolen or diverted or (2) an accidental (i.e. unplanned)
    offsite release or dispersal of SNM known or suspected to be 10 times
    greater than normal operating losses for the time in question, whether
    or not the release is measured. The term loss implies that a search has
    been conducted to confirm the material is missing. For fixed sites,
    this search should be conducted within the 1-hour time for reporting.
    "Lost" versus "unaccounted for" in regard to transportation of material:
    The term "lost" covers material that is no longer in the possession of
    the party authorized to possess it during a specific time period, and a
    search for the material has verified the loss. "Unaccounted for" refers
    to material in transit that has not arrived at its delivery point 4
    hours or more after the estimated arrival time; however, a search has
    not confirmed the material to be lost.
    Nuisance alarm: An alarm generated by an identified input that does not
    represent a safeguards threat. Nuisance alarms may be caused by
    environmental (rain, sleet, snow, lightning) or mechanical (natural
    objects such as animals or tall grass) factors.
    Properly compensated: Measures, including backup equipment, additional
    security personnel, and specific procedures, taken to ensure that the
    effectiveness of the security system is not reduced by failure or other
    contingencies affecting the operating of the security-related equipment
    or structures. Preplanned compensatory measures are normally described
    in NRC-approved safeguards plans.
    Safeguards event: Any incident representing an attempted, threatened,
    or actual breach of the safeguards system or reduction of the
    operational effectiveness of that system.
    Safeguards Event Log: A compilation of log entries for the events
    described in Section II of Appendix G to 10 CFR Part 73. Entries must
    include the date and time of the event, a description of the event, and
    any action taken. Repeated events may be consolidated into a single log
    entry with the date, time, and duration of each event recorded for each
    occurrence. The ongoing safeguards event log may be maintained in more
    than one location onsite. The log may be typed or handwritten as long
    as it is legible and reproducible. Entries in a safeguards event log
    submitted to the NRC need not be in time-sequential order.
    Safeguards system: The equipment, personnel, and procedures that make
    up the physical protection program necessary to meet Part 73
    requirements.
    Significant physical damage: Physical damage to the extent that the
    facility, equipment, transport, or fuel cannot perform its normal
    function (applies to a power reactor, a facility possessing SSNM or its
    equipment, carrier equipment transporting nuclear fuel or spent nuclear
    fuel, or to the nuclear fuel or spent nuclear fuel a facility or carrier
    possesses).
    Tampering: When used in connection with Appendix G to 10 CFR Part 73,
    altering for improper purposes or in an improper manner.
    Theft of SNM: The unauthorized taking of SNM for unauthorized use.
    Unauthorized person: Any unescorted person in an area to which the
    person is not authorized unescorted access.
    APPENDIX B
    SAMPLE LOG ENTRIES
    Safeguards events reportable under paragraph 73.71(c) of 10 CFR Part 73
    need only be logged within 24 hours of their discovery. The copy of the
    log (photocopy) submitted to the NRC every 3 months does not have to be
    typewritten, but it must be legible. The sample log items presented
    here should not be considered all-inclusive.
    LOG ENTRY EVENT
    DATE/TIME DATE/TIME EVENT RESPONSE
1. 1-8-87/0140 1-8-87/0130 CAS operator receivedArea search initiated at
    0135
    telephone bomb threathrs, completed 0140 hrs,
    from unidentified male.nothing found.
    Bomb reported near
    diesel generator
2. 1-8-87/1245 1-8-87/1043 Delivery truck Guard posted at 1050 hrs,
    significantly damagedrelieving patrol (immedia
    PA fence in zone No. 4.comp), PA searched.
    Discovered at 1047 by
    security patrol, no PA
    or VA alarms received.
3. 1-9-87/1605 1-9-87/1433 Card reader failure atAt 1440 hrs, posted guar
    VA portal No. 2. with current access list.
    System failure corrected a
    operational at 1600 hrs.
4. 1-9-87/1815 1-9-87/1730 I.D. badge No. 342 lostBadge cancelled 1732 hr
    onsite. Badge found on employee's
    jacket at 1745 hrs.
5. 1-9-87/2055 1-9-87/2025 Security system Determined caused by
    failure, single CPU electrical storm/power
    surge.
    outage. System back on line at 202
    hrs. All VA portals
    confirmed locked and alarm
    by security.
6. 1-10-87/1410 1-10-87/1405 Fence repaired. (SeeCompensatory post
    Entry No. 2.) discontinued at 1405.
7. 1-12-87-1100 1-12-87/0802 Perimeter fence alarmsArea searched by securit
    1-12-87/0815 received zone No. 4 patrol. No apparent cause
    1-12-87/0817 for alarms. Security post
    1-12-87/0819 after third alarm and
    1-12-87/0823 maintenance called to chec
    system. System function
    verified through test each
    occurrence. All actions
    completed 1035.
8. 1-12-87/1610 1-12-87/1443 CCTV failure, perimeterDedicated observer in p
    zone No. 2 (IDS 1450 hrs. No alarms
    operational). received. Camera replaced
    and operational at 1610.
9. 1-12-87/2015 1-12-87/2007 See No. 5 above. Same as No. 5 above. Syst
    on-line at 2011 hrs.
10. 1-12-87/2350 1-12-87/2230 Latch alarm received onGuard posted at 2238.
    VA portal No. 6. searched, no abnormalities
    Responder found doorfound. Maintenance reques
    slightly ajar. initiated at 2315.
    VALUE/IMPACT STATEMENT
    A separate value/impact statement has not been prepared for this regulatory
    guide was revised to provide guidance on reporting physical security events in ac
    paragraphs 73.71(a) through (c) of 10 CFR Part 73. A regulatory analysis was pre
    proposed revisions to Section 73.71 and was made available in the NRC Public Docu
    the time of publication (August 27, 1985-50 FR 34708). This regulatory analysis
    appropriate for this regulatory guide.
    17