Publication Date: 9/1/86
Pages: 12 Date Entered: 10/27/86 Title: VITAL AREA ACCESS CONTROLS, PROTECTION OF PHYSICAL SECURITY EQUIPMENT, AND KEY AND LOCK CONTROLS September 1986 U.S. NUCLEAR REGULATORY COMMISSION REGULATORY GUIDE OFFICE OF NUCLEAR REGULATORY RESEARCH REGULATORY GUIDE 5.65 VITAL AREA ACCESS CONTROLS, PROTECTION OF PHYSICAL SECURITY EQUIPMENT, AND KEY AND LOCK CONTROLS (Task SG 302-4)A. INTRODUCTION The NRC's principal requirements with respect to the protection of items of vital equipment at nuclear power reactors are contained in 10 CFR Part 73, "Physical Protection of Plants and Materials." These requirements are aimed at safeguarding against sabotage that could cause a radiological release. The Commission has published amendments to 10 CFR Part 73, Sections 73.55 and 73.70, that clarify safeguards policy for power reactors on control of access to vital areas during emergency and nonemergency situations, protection of certain physical security equipment, and key and lock controls. These revised requirements were developed to clarify or modify certain existing physical protection requirements. The amendments were designed to foster plant safety while maintaining adequate safeguards. This guide presents approaches that are acceptable to the NRC staff for implementing the amendments. Emphasis in the guide is on minimizing the safeguards impact on safety. Any information collection activities mentioned in this regulatory guide are contained as requirements in 10 CFR Part 73, which provides the regulatory basis for this guide. The information collection requirements in 10 CFR Part 73 have been cleared under OMB Clearance No. 3150-0002. B. DISCUSSION The objective of controlling access to protected and vital areas of nuclear power reactors is to ensure that only authorized persons with legitimate need be allowed access to such areas. This regulatory guide describes measures the NRC staff considers acceptable to implement regulatory requirements on access controls. The purpose of these measures is (1) to ensure adequate access for safety purposes while providing necessary physical security, (2) to provide protection of specified physical security equipment which, if sabotaged, could significantly affect the security of the plant, and (3) to provide guidance for key, lock, and combination changes when an employee with access to them leaves. C. REGULATORY POSITION 1. PHYSICAL BARRIERS 1.1 Openings in Vital Area Barriers (Excluding Doors) According to paragraph 73.55(c), access to vital areas requires passage through at least two physical barriers of sufficient strength to meet the performance requirements of paragraph 73.55(a). Accordingly, no accessible openings in vital areas should exist. Heating-ventilation-air conditioning ducts, cable tray penetrations, ventilation fans, etc. should be protected by gratings or other materials so that the integrity of the barrier is not decreased. In addition, the barrier should be constructed of materials that provide delay to forced entry. Such materials should be resistant to cutting, drilling, and puncture by small hand tools or tool substitutes. Examples of hardening techniques are described in the appendix. These techniques serve as guidelines for several cost-effective ways of increasing penetration resistance time without impairing the function of the penetration. Other techniques are acceptable, as long as the penetration area is hardened at least to the level of the weakest part of the barrier. The license should also ensure that safety systems are not compromised by such barriers. 1.2 Separation of Protected Area and Vital Area Barriers at Water Sources Water sources designated as vital must be afforded the protection measures required of a vital area under Section 73.55. These requirements, in part, state: The licensee shall locate vital equipment only within a vital area, which in turn, shall be located within a protected area such that access to vital equipment requires passage through at least two physical barriers of sufficient strength to meet the performance requirements of paragraph (a) of this section. More than one vital area may be located within a single protected area. Protection of water sources designated as vital is complicated by the wide-ranging configurations of these sources and, in some cases, it is not practical to separate protected and vital area barriers to these sources, e.g., at water intake structures. The intake structures for vital water sources located at the main protected area barrier are considered to meet requirements for vital areas if the structure is Seismic Category I reinforced concrete and, in the case of the essential service water intake structure designated as vital, if the intake structure (1) is secured with screening or grill to prevent introduction of large objects, (2) has double barriers on any nonwater side that contains a movable opening, (3) is equipped with heavy-duty doors that provide delay to penetration, (4) is kept under constant surveillance by closed circuit TV for rapid assessment, and (5) is protected by an intrusion alarm system. In all cases, associated piping, valves, pumps, and controls should be either buried or enclosed in a substantial structure(*) with hatches, ports, and other openings locked and alarmed. Manholes that provide access to vital equipment or the protected area and are located within the owner-controlled area should be locked and alarmed if the cover can be lifted without the aid of machinery. 2. TIME-DEPENDENT VITAL AREAS (SPENT FUEL POOLS) Spent fuel pools are currently provided vital area protection in accordance with Section 73.55. However, it is recognized that the radiation levels of spent fuel decay rapidly after removal from the reactor core and eventually do not require vital area protection because the potential for a Part 100 release(**) is remote. Accordingly, under an alternative safeguards approach, spent fuel pools could be included in vital areas during that period when the spent fuel pools pose a threat to public health and safety. After this initial period, licensees would have the option of relaxing the spent fuel pool safeguards. ---------- (*) A substantial structure means a structure that meets the requirements of paragraph 73.2(f)(2) or its equivalent. (**) The criteria in Section 100.11 of 10 CFR Part 100 specify reference values to be used in the evaluation of reactor sites with respect to potential reactor accidents of exceedingly low probability of occurrence and low risk of public exposure to radiation. Those reference values are a total radiation dose in excess of 25 rem to the whole body or a total radiation dose in excess of 300 rem to the thyroid from iodine exposure (based on a 2-hour exposure time commencing immediately following the onset of the postulated fission product release). ---------- 3. CONTROL OF ACCESS TO VITAL AREAS UNDER ROUTINE CONDITIONS 3.1 Access Lists Paragraph 73.55(d)(7)(i)(A) requires that the licensee establish current authorization access lists for each vital area. The access list should be updated and reapproved by the cognizant licensee manager or supervisor on the last working day of each calendar month. The access list should include only those individuals whose specific duties require that they have access to the vital area during routine operations. Certain access controls may be suspended during emergency or abnormal plant conditions, and the list would be unnecessary under these circumstances. Therefore, the names of emergency response personnel need not be on the list. 3.2 Logging Requirements Licensees are required to keep a log that indicates name, badge number, time of entry, and time of exit of all individuals granted access to a vital area except to the reactor control room. The intent is to maintain a record of personnel access and egress for each specific vital area. This may be accomplished through the use of computer-controlled access devices. A log documenting personnel access and egress for the reactor control room is not needed because this area is always occupied. 3.3 Revocation of Access Authorization Paragraph 73.55(d)(7)(i)(C) requires the licensee to revoke an individual's access authorization and retrieve that individual's identification badge and other entry devices, as applicable, prior to or simultaneously with the notification to the individual of the termination when the termination is involuntary and for cause. Under these circumstances, the licensee should have in place the mechanisms or procedures necessary to ensure that such individuals cannot gain unescorted access to the site. This provision is intended to reduce opportunities for disgruntled individuals to have access to the reactor facility. 3.4 Locks, Alarms, and Emergency Controls for Unattended Vital Area Doors In the interest of controlling access to vital areas in the accomplishment of the safeguards objective, paragraph 73.55(d)(7)(i)(D) requires that the licensee lock and protect unoccupied vital areas by an activated intrusion alarm system, e.g., a balanced magnetic switch. The licensee should protect a vital area by maintaining locks and alarms on all doors that are not attended access control points. Acceptable criteria for the use and selection of commercially available locks are found in Regulatory Guide 5.12, "General Use of Locks in the Protection and Control of Facilities and Special Nuclear Materials." Descriptions of various surface protection alarms and guidance on testing and maintaining alarm systems can be found in NUREG-0320, "Interior Intrusion Alarm Systems."(*) The licensee should install "panic" hardware and establish procedures that permit rapid and orderly egress from vital areas in the event of an emergency situation. Emergency exit doors that have "panic" hardware should be alarmed to the central and secondary alarm stations so the use of such doors can be monitored. 4. EMERGENCY ACCESS TO VITAL AREAS During emergencies or abnormal conditions, it may be necessary for certain licensee personnel to gain quick access to vital equipment in order to mitigate or terminate some adverse plant condition. Also, it is important to ensure that personnel can quickly evacuate vital areas if the emergency condition results in high radiation or other dangerous conditions within the vital area. Thus, paragraph 73.55(d)(7)(ii)(A) requires that licensees ensure prompt access to vital equipment during emergencies or abnormal conditions. Licensees can provide for rapid ingress/egress during such conditions by providing backup keys to vital areas and methods of opening locked doors in the case of computer or power failure. 4.1 Access Keys In the event of an emergency or abnormal condition at a power reactor, it may be necessary for certain personnel, particularly an operator, to have prompt access to vital areas or equipment. To facilitate access, operating personnel should be provided with keys to open doors that are locked for security or other purposes. 4.2 Access Codes and Antipassback Control Features It has been observed that the use of individual manually entered identification codes and the use of the "antipassback" feature programmed into card key computers hamper ingress because of mistaken entries, poor memories, entry denial for failure to log out of an area, etc. In order to minimize the impact on safety by ensuring prompt access, the use of manually entered codes and the antipassback feature in vital area access control systems is not required or recommended by the NRC. ---------- (*) Copies may be obtained from the Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013-7082. ---------- 4.3 Loss of Electric Power In order to facilitate safety, the licensee should provide for rapid ingress/egress during a computer or power outage. If vital area doors are not specifically required by the licensee's physical security plan to fail in the closed position upon loss of electric power, procedures that provide for prompt compensatory measures in opening locked doors should be established. The following are acceptable procedures for providing for safe ingress/egress during a power or computer outage: 1. Have locks on interior vital area doors fail open during an outage or emergency and have guards immediately deployed to monitor ingress/egress. 2. Use an uninterruptible power supply system for electrical locking devices. 3. Have locks fail closed and provide keyed bypass locks for vital areas. Ensure that all necessary personnel have keys. 4. Have locks fail closed and install crash ("panic") bars and alarms on doors for emergency ingress/egress. 5. SUSPENDING SECURITY MEASURES 5.1 Authority Paragraph 73.55(a) permits the licensee to suspend any safeguards measures pursuant to Section 73.55 in an emergency in accordance with paragraphs 50.54(x) and (y) of 10 CFR Part 50. If immediately needed to protect the public health and safety, such suspension is permissible provided that (1) the action taken is approved, as a minimum, by a licensed senior operator prior to the emergency action being implemented and (2) all safeguards measures are restored as soon as practicable following the suspension. This flexibility will accommodate the potential need for rapid response to emergency or abnormal conditions. The licensee should specify in the physical security or contingency plan the individual, by title, responsible for relaxing security requirements if necessary during emergencies. The plan should also specify a chain of responsibility for suspension of safeguards requirements in the event that the first designated individual is unavailable. 5.2 Conditions The authority to suspend safeguards measures should be exercised only when site conditions are or may soon become a danger to the public health and safety. Security measures should be relaxed only to the extent necessary to accommodate the emergency situation in accordance with paragraphs 50.54(x) and (y). Each instance in which safeguards requirements are suspended without approved compensatory measures would have to be reported to the NRC under the provisions of Section 73.71 as an event that lessens the effectiveness of safeguards. 5.3 Controls That Can Be Suspended During an Emergency The types of controls that could be suspended in an emergency might include but are not limited to the following: 1. The search and identification of personnel required by paragraph 73.55(d)(1), 2. The search of hand-carried items required by paragraph 73.55(d)(2), 3. The search of vehicles required by paragraph 73.55(d)(4), 4. The use of a badge identification system required by paragraph 73.55(d)(5), 5. The registration of personnel required by paragraph 73.55(d)(6), and 6. The access controls for vital areas in paragraph 73.55(d)(7). 5.4 Use of Escorts In the event safeguards controls are suspended, the licensee should use escorts to the extent possible. Offsite response personnel should be escorted by designated licensee personnel with operable two-way radio communications to the central and secondary alarm stations. At least one escort should accompany each emergency vehicle, and all offsite emergency response personnel should be in view of the escort at all times unless this would constitute a danger to the escort. For the purpose of this guide, an escort is defined as a member of the security organization or other designated individual responsible for accompanying those personnel not allowed unescorted access within a protected area. An escort is not required to possess a technical knowledge of the plant's processes or equipment. 5.5 Access Controls for Emergency Response During Drills or Exercises During a preplanned drill or exercise, the offsite emergency response personnel may enter the protected areas, and certain access-safeguards requirements may be waived provided that: * The NRC is notified in advance of the drill what measures will be waived and when the drill is scheduled, * Each vehicle is escorted by a member of the licensee's security organization equipped with two-way radio communication to the alarm station, * All emergency response personnel remain within view of the licensee's escort at all times, and * The licensee positively identifies at least one member of the emergency response team who verifies that the other personnel are bona fide members of the responding organization. The access-safeguards requirements that may be waived are: * Search and identification of emergency response personnel, * Search of emergency response vehicles, * Search of hand-carried packages and equipment, and * Badging and registration of emergency response personnel. The drill or exercise must stop at the vital area boundary; there is no regulatory authority for relaxation of controls into vital areas during any nonemergency situation. If it is considered necessary to familiarize the emergency response personnel with plant layout, including vital areas, the full security plan measures must first be applied. 6. PHYSICAL PROTECTION PLAN AND CONTINGENCY PLAN INTERFACE Paragraph 73.55(d)(7)(ii) requires that the licensee design the access authorization system to accommodate the potential need for rapid ingress or egress of individuals during emergency conditions or situations that could lead to emergency conditions. In order to facilitate ingress/egress during such conditions, the licensee should conduct periodic reviews of security and contingency plans and ensure prompt access to vital equipment. 6.1 Periodic Review of Security and Contingency Plans Paragraph 73.55(d)(7)(ii)(B) requires that the licensee periodically review physical security plans and contingency plans and procedures to evaluate their potential impact on plant and personnel safety. The licensee should conduct such review annually to ensure that security procedures do not adversely affect the procedures outlined for emergency or abnormal conditions. Licensees should also review the plans whenever changes are made that could affect plant or personnel safety or when the licensee becomes aware of a procedure that could affect safety. Licensees may use the Plant Operations Review Committee (PORC), quality assurance audit programs, corrective action reporting systems, or other appropriate programs to monitor the potential for safety/security impacts. 6.2 Cross-Training Interface problems between security and operations are reduced when the respective staffs are made aware, through cross-training and indoctrination, of the roles, responsibilities, and general practices of both organizations. The licensee should provide personnel with opportunities to learn about the other organization. 7. PROTECTION OF SECURITY EQUIPMENT Paragraph 73.55(e)(1) requires, in part, that onsite secondary power supply systems for alarm annunciation equipment and nonportable communication equipment be located in vital areas. Protection of these items of equipment is necessary to reduce vulnerabilities in the system because their sabotage could significantly impact the safeguards of a plant. Therefore, licensees are required to locate these pieces of equipment in vital areas. 8. KEYS AND LOCKS Paragraph 73.55(d)(9) requires, in part, that keys, locks, combinations, and related access control devices be controlled to reduce the probability of compromise. The licensee is required to change or rotate all keys, locks, and combinations at least every 12 months or whenever there is evidence or suspicion that any key, lock, combination, or related access control device has been compromised. Such suspicion may be interpreted as the reasonable belief that compromise has occurred even though physical evidence has yet to be uncovered. Changes should also be made whenever a person who had access to protected areas or vital areas is terminated for cause. Keys, combinations, and other access control devices should be issued only to those individuals possessing an unescorted access authorization. D. IMPLEMENTATION The purpose of this section is to provide information to applicants regarding the NRC staff's plans for using this regulatory guide. Except in those cases in which an applicant or licensee proposes an acceptable alternative method for complying with specified portions of the Commission's regulations, the methods presented in this guide will be used in the evaluation of security methods and procedures for all operating plants and plants that have not received an operating license. APPENDIX The purpose of this appendix is to provide examples of techniques pertaining to methods of hardening openings in ceilings and walls of vital areas. Techniques 1 through 3 are excerpted from NUREG/CR-1378, "Hardening Existing Strategic Special Nuclear Material Storage Facilities,"(*) June 1980. ---------- (*) Copies may be obtained from the Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013-7082. ---------- Technique No. 1 Hardening Opening in Ceiling or Wall EXISTING STRUCTURE: Opening in ceiling or wall TOOLS REQUIRED FOR PENETRATION:Depends on existing opening PENETRATION TIME:Depends on existing opening HARDENING ACTION: 1. Add strong steel jamb to opening. 2. Form three separate grates by welding No. 4 or No. 5 rebar into 6-inch (15-cm) grids. Weld grates to inside, center, and outer lips of jamb. (Another method is to weld six separate layers of rebar alternating vertical and horizontal and offset from each other.) 3. Add a baffle on inside for openings in vital areas if accessible. INCREASED PENETRATION RESISTANCE TIME: Approximately 15 minutes ADDITIONAL PENETRATION TOOLS REQUIRED: Boltcutters ADVANTAGES OF TECHNIQUE: 1. Multiple layers to penetrate 2. Delay time can be increased by increasing either size of rebar or numbers of rebar. Technique No. 2 Hardening a Duct in a Ceiling or Wall Where Air Flow Is Required EXISTING STRUCTURE: Duct opening in ceiling or wall where air flow is required TOOLS REQUIRED FOR PENETRATION:Depends on existing opening PENETRATION TIME:Approximately 1 minute for a 24 x 24 in. (61 x 61 cm) duct (horizontal)HARDENING ACTION: 1. Line duct with coils of general purpose barbed tape obstacle (GPBTO) or concertina. If coils cannot be used, bands or ribbons of barbed tape can be riveted to walls. 2. Attach diffusers with 16 quarter-inch bolts. INCREASED PENETRATION RESISTANCE TIME: Approximately 10 minutes ADDITIONAL PENETRATION TOOLS REQUIRED: Depends on installation method for barbed tape ADVANTAGES OF TECHNIQUE: 1. Greatly hampers crawl-through 2. Various installation methods allow upgrading with minimal effects on duct performance. Technique No. 3 Hardening Opening in Ceiling or Wall Where Air Flow Is Required EXISTING STRUCTURE: Opening of any size TOOLS REQUIRED FOR PENETRATION:Depends on existing opening PENETRATION TIME:Depends on existing opening HARDENING ACTION: 1. Add strong steel jamb to opening. 2. Weld steel pipes no larger than 3 inches (7.5 cm) in diameter together and then weld to steel jamb. INCREASED PENETRATION RESISTANCE TIME:More than 15 minutes ADDITIONAL PENETRATION TOOLS REQUIRED:Cutting torch ADVANTAGES OF TECHNIQUE: 1. Allows air flow. 3. Reduces bodily access. VALUE/IMPACT STATEMENT A separate value/impact statement has not been prepared for this regulatory guide. The guide was developed to present approaches acceptable to the NRC staff for fostering plant safety while maintaining adequate safeguards in accordance with amendments to 10 CFR Part 73. A value/impact statement prepared for these amendments was made available in the NRC Public Document Room at the time they were published. This value/impact statement is also appropriate to this regulatory guide. 20 |