Publication Date: 9/1/86     Pages: 12     Date Entered: 10/27/86     Title: VITAL AREA ACCESS CONTROLS, PROTECTION OF PHYSICAL SECURITY EQUIPMENT, AND KEY AND LOCK CONTROLS     September 1986     U.S. NUCLEAR REGULATORY COMMISSION     REGULATORY GUIDE     OFFICE OF NUCLEAR REGULATORY RESEARCH     REGULATORY GUIDE 5.65     VITAL AREA ACCESS CONTROLS, PROTECTION OF PHYSICAL SECURITY     EQUIPMENT, AND KEY AND LOCK CONTROLS     (Task SG 302-4)A. INTRODUCTION     The NRC's principal requirements with respect to the protection of     items of vital equipment at nuclear power reactors are contained in 10     CFR Part 73, "Physical Protection of Plants and Materials." These     requirements are aimed at safeguarding against sabotage that could cause     a radiological release. The Commission has published amendments to 10     CFR Part 73, Sections 73.55 and 73.70, that clarify safeguards policy     for power reactors on control of access to vital areas during emergency     and nonemergency situations, protection of certain physical security     equipment, and key and lock controls. These revised requirements were     developed to clarify or modify certain existing physical protection     requirements. The amendments were designed to foster plant safety while     maintaining adequate safeguards. This guide presents approaches that     are acceptable to the NRC staff for implementing the amendments.     Emphasis in the guide is on minimizing the safeguards impact on safety.     Any information collection activities mentioned in this regulatory     guide are contained as requirements in 10 CFR Part 73, which provides     the regulatory basis for this guide. The information collection     requirements in 10 CFR Part 73 have been cleared under OMB Clearance No.     3150-0002. B. DISCUSSION     The objective of controlling access to protected and vital areas     of nuclear power reactors is to ensure that only authorized persons with     legitimate need be allowed access to such areas. This regulatory guide     describes measures the NRC staff considers acceptable to implement     regulatory requirements on access controls. The purpose of these     measures is (1) to ensure adequate access for safety purposes while     providing necessary physical security, (2) to provide protection of     specified physical security equipment which, if sabotaged, could     significantly affect the security of the plant, and (3) to provide     guidance for key, lock, and combination changes when an employee with     access to them leaves. C. REGULATORY POSITION 1. PHYSICAL BARRIERS     1.1 Openings in Vital Area Barriers (Excluding Doors) According to paragraph 73.55(c), access to vital areas requires     passage through at least two physical barriers of sufficient strength to     meet the performance requirements of paragraph 73.55(a). Accordingly,     no accessible openings in vital areas should exist.     Heating-ventilation-air conditioning ducts, cable tray penetrations,     ventilation fans, etc. should be protected by gratings or other     materials so that the integrity of the barrier is not decreased. In     addition, the barrier should be constructed of materials that provide     delay to forced entry. Such materials should be resistant to cutting,     drilling, and puncture by small hand tools or tool substitutes.     Examples of hardening techniques are described in the appendix.     These techniques serve as guidelines for several cost-effective ways of     increasing penetration resistance time without impairing the function of     the penetration. Other techniques are acceptable, as long as the     penetration area is hardened at least to the level of the weakest part     of the barrier.     The license should also ensure that safety systems are not     compromised by such barriers.     1.2 Separation of Protected Area and Vital Area Barriers at Water     Sources     Water sources designated as vital must be afforded the protection     measures required of a vital area under Section 73.55. These     requirements, in part, state:     The licensee shall locate vital equipment only within a vital     area, which in turn, shall be located within a protected area such     that access to vital equipment requires passage through at least     two physical barriers of sufficient strength to meet the     performance requirements of paragraph (a) of this section. More     than one vital area may be located within a single protected area.     Protection of water sources designated as vital is complicated by     the wide-ranging configurations of these sources and, in some cases, it     is not practical to separate protected and vital area barriers to these     sources, e.g., at water intake structures.     The intake structures for vital water sources located at the main     protected area barrier are considered to meet requirements for vital     areas if the structure is Seismic Category I reinforced concrete and, in     the case of the essential service water intake structure designated as     vital, if the intake structure (1) is secured with screening or grill to     prevent introduction of large objects, (2) has double barriers on any     nonwater side that contains a movable opening, (3) is equipped with     heavy-duty doors that provide delay to penetration, (4) is kept under     constant surveillance by closed circuit TV for rapid assessment, and (5)     is protected by an intrusion alarm system.     In all cases, associated piping, valves, pumps, and controls     should be either buried or enclosed in a substantial structure(*) with     hatches, ports, and other openings locked and alarmed. Manholes that     provide access to vital equipment or the protected area and are located     within the owner-controlled area should be locked and alarmed if the     cover can be lifted without the aid of machinery. 2. TIME-DEPENDENT VITAL AREAS (SPENT FUEL POOLS) Spent fuel pools are currently provided vital area protection in     accordance with Section 73.55. However, it is recognized that the     radiation levels of spent fuel decay rapidly after removal from the     reactor core and eventually do not require vital area protection because     the potential for a Part 100 release(**) is remote. Accordingly, under     an alternative safeguards approach, spent fuel pools could be included     in vital areas during that period when the spent fuel pools pose a     threat to public health and safety. After this initial period,     licensees would have the option of relaxing the spent fuel pool     safeguards.     ----------     (*) A substantial structure means a structure that meets the     requirements of paragraph 73.2(f)(2) or its equivalent.     (**) The criteria in Section 100.11 of 10 CFR Part 100 specify     reference values to be used in the evaluation of reactor sites with     respect to potential reactor accidents of exceedingly low probability of     occurrence and low risk of public exposure to radiation. Those     reference values are a total radiation dose in excess of 25 rem to the     whole body or a total radiation dose in excess of 300 rem to the thyroid     from iodine exposure (based on a 2-hour exposure time commencing     immediately following the onset of the postulated fission product     release).     ---------- 3. CONTROL OF ACCESS TO VITAL AREAS UNDER ROUTINE CONDITIONS     3.1 Access Lists     Paragraph 73.55(d)(7)(i)(A) requires that the licensee establish     current authorization access lists for each vital area. The access list     should be updated and reapproved by the cognizant licensee manager or     supervisor on the last working day of each calendar month. The access     list should include only those individuals whose specific duties require     that they have access to the vital area during routine operations.     Certain access controls may be suspended during emergency or abnormal     plant conditions, and the list would be unnecessary under these     circumstances. Therefore, the names of emergency response personnel     need not be on the list.     3.2 Logging Requirements     Licensees are required to keep a log that indicates name, badge     number, time of entry, and time of exit of all individuals granted     access to a vital area except to the reactor control room. The intent     is to maintain a record of personnel access and egress for each specific     vital area. This may be accomplished through the use of     computer-controlled access devices. A log documenting personnel access     and egress for the reactor control room is not needed because this area     is always occupied.     3.3 Revocation of Access Authorization     Paragraph 73.55(d)(7)(i)(C) requires the licensee to revoke an     individual's access authorization and retrieve that individual's     identification badge and other entry devices, as applicable, prior to or     simultaneously with the notification to the individual of the     termination when the termination is involuntary and for cause. Under     these circumstances, the licensee should have in place the mechanisms or     procedures necessary to ensure that such individuals cannot gain     unescorted access to the site. This provision is intended to reduce     opportunities for disgruntled individuals to have access to the reactor     facility.     3.4 Locks, Alarms, and Emergency Controls for Unattended Vital Area     Doors     In the interest of controlling access to vital areas in the     accomplishment of the safeguards objective, paragraph 73.55(d)(7)(i)(D)     requires that the licensee lock and protect unoccupied vital areas by an     activated intrusion alarm system, e.g., a balanced magnetic switch.     The licensee should protect a vital area by maintaining locks and     alarms on all doors that are not attended access control points.     Acceptable criteria for the use and selection of commercially available     locks are found in Regulatory Guide 5.12, "General Use of Locks in the     Protection and Control of Facilities and Special Nuclear Materials."     Descriptions of various surface protection alarms and guidance on     testing and maintaining alarm systems can be found in NUREG-0320,     "Interior Intrusion Alarm Systems."(*) The licensee should install "panic" hardware and establish     procedures that permit rapid and orderly egress from vital areas in the     event of an emergency situation. Emergency exit doors that have "panic"     hardware should be alarmed to the central and secondary alarm stations     so the use of such doors can be monitored. 4. EMERGENCY ACCESS TO VITAL AREAS     During emergencies or abnormal conditions, it may be necessary for     certain licensee personnel to gain quick access to vital equipment in     order to mitigate or terminate some adverse plant condition. Also, it     is important to ensure that personnel can quickly evacuate vital areas     if the emergency condition results in high radiation or other dangerous     conditions within the vital area. Thus, paragraph 73.55(d)(7)(ii)(A)     requires that licensees ensure prompt access to vital equipment during     emergencies or abnormal conditions. Licensees can provide for rapid     ingress/egress during such conditions by providing backup keys to vital     areas and methods of opening locked doors in the case of computer or     power failure.     4.1 Access Keys     In the event of an emergency or abnormal condition at a power     reactor, it may be necessary for certain personnel, particularly an     operator, to have prompt access to vital areas or equipment. To     facilitate access, operating personnel should be provided with keys to     open doors that are locked for security or other purposes.     4.2 Access Codes and Antipassback Control Features     It has been observed that the use of individual manually entered     identification codes and the use of the "antipassback" feature     programmed into card key computers hamper ingress because of mistaken     entries, poor memories, entry denial for failure to log out of an area,     etc. In order to minimize the impact on safety by ensuring prompt     access, the use of manually entered codes and the antipassback feature     in vital area access control systems is not required or recommended by     the NRC.     ----------     (*) Copies may be obtained from the Superintendent of Documents,     U.S. Government Printing Office, Post Office Box 37082, Washington, DC     20013-7082.     ----------     4.3 Loss of Electric Power     In order to facilitate safety, the licensee should provide for     rapid ingress/egress during a computer or power outage. If vital area     doors are not specifically required by the licensee's physical security     plan to fail in the closed position upon loss of electric power,     procedures that provide for prompt compensatory measures in opening     locked doors should be established. The following are acceptable     procedures for providing for safe ingress/egress during a power or     computer outage: 1. Have locks on interior vital area doors fail open during an     outage or emergency and have guards immediately deployed to monitor     ingress/egress. 2. Use an uninterruptible power supply system for electrical     locking devices. 3. Have locks fail closed and provide keyed bypass locks for     vital areas. Ensure that all necessary personnel have keys. 4. Have locks fail closed and install crash ("panic") bars and     alarms on doors for emergency ingress/egress. 5. SUSPENDING SECURITY MEASURES     5.1 Authority     Paragraph 73.55(a) permits the licensee to suspend any safeguards     measures pursuant to Section 73.55 in an emergency in accordance with     paragraphs 50.54(x) and (y) of 10 CFR Part 50. If immediately needed to     protect the public health and safety, such suspension is permissible     provided that (1) the action taken is approved, as a minimum, by a     licensed senior operator prior to the emergency action being implemented     and (2) all safeguards measures are restored as soon as practicable     following the suspension. This flexibility will accommodate the     potential need for rapid response to emergency or abnormal conditions.     The licensee should specify in the physical security or     contingency plan the individual, by title, responsible for relaxing     security requirements if necessary during emergencies. The plan should     also specify a chain of responsibility for suspension of safeguards     requirements in the event that the first designated individual is     unavailable.     5.2 Conditions     The authority to suspend safeguards measures should be exercised     only when site conditions are or may soon become a danger to the public     health and safety. Security measures should be relaxed only to the     extent necessary to accommodate the emergency situation in accordance     with paragraphs 50.54(x) and (y). Each instance in which safeguards     requirements are suspended without approved compensatory measures would     have to be reported to the NRC under the provisions of Section 73.71 as     an event that lessens the effectiveness of safeguards.     5.3 Controls That Can Be Suspended During an Emergency     The types of controls that could be suspended in an emergency     might include but are not limited to the following: 1. The search and identification of personnel required by     paragraph 73.55(d)(1), 2. The search of hand-carried items required by paragraph     73.55(d)(2), 3. The search of vehicles required by paragraph 73.55(d)(4), 4. The use of a badge identification system required by     paragraph 73.55(d)(5), 5. The registration of personnel required by paragraph     73.55(d)(6), and 6. The access controls for vital areas in paragraph     73.55(d)(7).     5.4 Use of Escorts     In the event safeguards controls are suspended, the licensee     should use escorts to the extent possible. Offsite response personnel     should be escorted by designated licensee personnel with operable     two-way radio communications to the central and secondary alarm     stations. At least one escort should accompany each emergency vehicle,     and all offsite emergency response personnel should be in view of the     escort at all times unless this would constitute a danger to the escort.     For the purpose of this guide, an escort is defined as a member of the     security organization or other designated individual responsible for     accompanying those personnel not allowed unescorted access within a     protected area. An escort is not required to possess a technical     knowledge of the plant's processes or equipment.     5.5 Access Controls for Emergency Response During Drills or Exercises     During a preplanned drill or exercise, the offsite emergency     response personnel may enter the protected areas, and certain     access-safeguards requirements may be waived provided that:     * The NRC is notified in advance of the drill what measures     will be waived and when the drill is scheduled,     * Each vehicle is escorted by a member of the licensee's     security organization equipped with two-way radio     communication to the alarm station,     * All emergency response personnel remain within view of the     licensee's escort at all times, and     * The licensee positively identifies at least one member of     the emergency response team who verifies that the other     personnel are bona fide members of the responding     organization.     The access-safeguards requirements that may be waived are:     * Search and identification of emergency response personnel,     * Search of emergency response vehicles,     * Search of hand-carried packages and equipment, and     * Badging and registration of emergency response personnel.     The drill or exercise must stop at the vital area boundary; there     is no regulatory authority for relaxation of controls into vital areas     during any nonemergency situation. If it is considered necessary to     familiarize the emergency response personnel with plant layout,     including vital areas, the full security plan measures must first be     applied. 6. PHYSICAL PROTECTION PLAN AND CONTINGENCY PLAN INTERFACE     Paragraph 73.55(d)(7)(ii) requires that the licensee design the     access authorization system to accommodate the potential need for rapid     ingress or egress of individuals during emergency conditions or     situations that could lead to emergency conditions. In order to     facilitate ingress/egress during such conditions, the licensee should     conduct periodic reviews of security and contingency plans and ensure     prompt access to vital equipment.     6.1 Periodic Review of Security and Contingency Plans     Paragraph 73.55(d)(7)(ii)(B) requires that the licensee     periodically review physical security plans and contingency plans and     procedures to evaluate their potential impact on plant and personnel     safety. The licensee should conduct such review annually to ensure that     security procedures do not adversely affect the procedures outlined for     emergency or abnormal conditions. Licensees should also review the plans     whenever changes are made that could affect plant or personnel safety or     when the licensee becomes aware of a procedure that could affect safety.     Licensees may use the Plant Operations Review Committee (PORC), quality     assurance audit programs, corrective action reporting systems, or other     appropriate programs to monitor the potential for safety/security     impacts.     6.2 Cross-Training     Interface problems between security and operations are reduced     when the respective staffs are made aware, through cross-training and     indoctrination, of the roles, responsibilities, and general practices of     both organizations. The licensee should provide personnel with     opportunities to learn about the other organization. 7. PROTECTION OF SECURITY EQUIPMENT     Paragraph 73.55(e)(1) requires, in part, that onsite secondary     power supply systems for alarm annunciation equipment and nonportable     communication equipment be located in vital areas. Protection of these     items of equipment is necessary to reduce vulnerabilities in the system     because their sabotage could significantly impact the safeguards of a     plant. Therefore, licensees are required to locate these pieces of     equipment in vital areas. 8. KEYS AND LOCKS     Paragraph 73.55(d)(9) requires, in part, that keys, locks,     combinations, and related access control devices be controlled to reduce     the probability of compromise. The licensee is required to change or     rotate all keys, locks, and combinations at least every 12 months or     whenever there is evidence or suspicion that any key, lock, combination,     or related access control device has been compromised. Such suspicion     may be interpreted as the reasonable belief that compromise has occurred     even though physical evidence has yet to be uncovered. Changes should     also be made whenever a person who had access to protected areas or     vital areas is terminated for cause.     Keys, combinations, and other access control devices should be     issued only to those individuals possessing an unescorted access     authorization. D. IMPLEMENTATION     The purpose of this section is to provide information to     applicants regarding the NRC staff's plans for using this regulatory     guide.     Except in those cases in which an applicant or licensee proposes     an acceptable alternative method for complying with specified portions     of the Commission's regulations, the methods presented in this guide     will be used in the evaluation of security methods and procedures for     all operating plants and plants that have not received an operating     license.     APPENDIX     The purpose of this appendix is to provide examples of techniques     pertaining to methods of hardening openings in ceilings and walls of     vital areas.     Techniques 1 through 3 are excerpted from NUREG/CR-1378,     "Hardening Existing Strategic Special Nuclear Material Storage     Facilities,"(*) June 1980.     ----------     (*) Copies may be obtained from the Superintendent of Documents,     U.S. Government Printing Office, Post Office Box 37082, Washington, DC     20013-7082.     ----------     Technique No. 1     Hardening Opening in Ceiling or Wall     EXISTING STRUCTURE: Opening in ceiling or wall     TOOLS REQUIRED FOR PENETRATION:Depends on existing opening     PENETRATION TIME:Depends on existing opening     HARDENING ACTION: 1. Add strong steel jamb to opening. 2. Form three separate grates by welding No. 4 or No. 5 rebar     into 6-inch (15-cm) grids. Weld grates to inside, center,     and outer lips of jamb. (Another method is to weld six     separate layers of rebar alternating vertical and horizontal     and offset from each other.) 3. Add a baffle on inside for openings in vital areas if     accessible.     INCREASED PENETRATION RESISTANCE TIME: Approximately 15 minutes     ADDITIONAL PENETRATION TOOLS REQUIRED: Boltcutters     ADVANTAGES OF TECHNIQUE: 1. Multiple layers to penetrate 2. Delay time can be increased by increasing either size of     rebar or numbers of rebar.     Technique No. 2     Hardening a Duct in a Ceiling or Wall Where Air Flow Is Required     EXISTING STRUCTURE: Duct opening in ceiling or wall where air flow     is required     TOOLS REQUIRED FOR PENETRATION:Depends on existing opening     PENETRATION TIME:Approximately 1 minute for a 24 x 24 in. (61 x 61 cm)     duct (horizontal)HARDENING ACTION: 1. Line duct with coils of general purpose barbed tape obstacle     (GPBTO) or concertina. If coils cannot be used, bands or     ribbons of barbed tape can be riveted to walls. 2. Attach diffusers with 16 quarter-inch bolts.     INCREASED PENETRATION RESISTANCE TIME: Approximately 10 minutes     ADDITIONAL PENETRATION TOOLS REQUIRED: Depends on installation method     for barbed tape     ADVANTAGES OF TECHNIQUE: 1. Greatly hampers crawl-through 2. Various installation methods allow upgrading with minimal     effects on duct performance.     Technique No. 3     Hardening Opening in Ceiling or Wall Where Air Flow Is Required     EXISTING STRUCTURE: Opening of any size     TOOLS REQUIRED FOR PENETRATION:Depends on existing opening     PENETRATION TIME:Depends on existing opening     HARDENING ACTION: 1. Add strong steel jamb to opening. 2. Weld steel pipes no larger than 3 inches (7.5 cm) in     diameter together and then weld to steel jamb.     INCREASED PENETRATION RESISTANCE TIME:More than 15 minutes     ADDITIONAL PENETRATION TOOLS REQUIRED:Cutting torch     ADVANTAGES OF TECHNIQUE: 1. Allows air flow. 3. Reduces bodily access.     VALUE/IMPACT STATEMENT     A separate value/impact statement has not been prepared for this     regulatory guide. The guide was developed to present approaches     acceptable to the NRC staff for fostering plant safety while maintaining     adequate safeguards in accordance with amendments to 10 CFR Part 73. A     value/impact statement prepared for these amendments was made available     in the NRC Public Document Room at the time they were published. This     value/impact statement is also appropriate to this regulatory guide.     20