Publication Date: 9/1/86
    Pages: 12
    Date Entered: 10/27/86
    Title: VITAL AREA ACCESS CONTROLS, PROTECTION OF PHYSICAL SECURITY EQUIPMENT, AND KEY AND LOCK CONTROLS
    September 1986
    U.S. NUCLEAR REGULATORY COMMISSION
    REGULATORY GUIDE
    OFFICE OF NUCLEAR REGULATORY RESEARCH
    REGULATORY GUIDE 5.65
    VITAL AREA ACCESS CONTROLS, PROTECTION OF PHYSICAL SECURITY
    EQUIPMENT, AND KEY AND LOCK CONTROLS
    (Task SG 302-4)A. INTRODUCTION
    The NRC's principal requirements with respect to the protection of
    items of vital equipment at nuclear power reactors are contained in 10
    CFR Part 73, "Physical Protection of Plants and Materials." These
    requirements are aimed at safeguarding against sabotage that could cause
    a radiological release. The Commission has published amendments to 10
    CFR Part 73, Sections 73.55 and 73.70, that clarify safeguards policy
    for power reactors on control of access to vital areas during emergency
    and nonemergency situations, protection of certain physical security
    equipment, and key and lock controls. These revised requirements were
    developed to clarify or modify certain existing physical protection
    requirements. The amendments were designed to foster plant safety while
    maintaining adequate safeguards. This guide presents approaches that
    are acceptable to the NRC staff for implementing the amendments.
    Emphasis in the guide is on minimizing the safeguards impact on safety.
    Any information collection activities mentioned in this regulatory
    guide are contained as requirements in 10 CFR Part 73, which provides
    the regulatory basis for this guide. The information collection
    requirements in 10 CFR Part 73 have been cleared under OMB Clearance No.
    3150-0002.
B. DISCUSSION
    The objective of controlling access to protected and vital areas
    of nuclear power reactors is to ensure that only authorized persons with
    legitimate need be allowed access to such areas. This regulatory guide
    describes measures the NRC staff considers acceptable to implement
    regulatory requirements on access controls. The purpose of these
    measures is (1) to ensure adequate access for safety purposes while
    providing necessary physical security, (2) to provide protection of
    specified physical security equipment which, if sabotaged, could
    significantly affect the security of the plant, and (3) to provide
    guidance for key, lock, and combination changes when an employee with
    access to them leaves.
C. REGULATORY POSITION
1. PHYSICAL BARRIERS
    1.1 Openings in Vital Area Barriers (Excluding Doors) According to paragraph 73.55(c), access to vital areas requires
    passage through at least two physical barriers of sufficient strength to
    meet the performance requirements of paragraph 73.55(a). Accordingly,
    no accessible openings in vital areas should exist.
    Heating-ventilation-air conditioning ducts, cable tray penetrations,
    ventilation fans, etc. should be protected by gratings or other
    materials so that the integrity of the barrier is not decreased. In
    addition, the barrier should be constructed of materials that provide
    delay to forced entry. Such materials should be resistant to cutting,
    drilling, and puncture by small hand tools or tool substitutes.
    Examples of hardening techniques are described in the appendix.
    These techniques serve as guidelines for several cost-effective ways of
    increasing penetration resistance time without impairing the function of
    the penetration. Other techniques are acceptable, as long as the
    penetration area is hardened at least to the level of the weakest part
    of the barrier.
    The license should also ensure that safety systems are not
    compromised by such barriers.
    1.2 Separation of Protected Area and Vital Area Barriers at Water
    Sources
    Water sources designated as vital must be afforded the protection
    measures required of a vital area under Section 73.55. These
    requirements, in part, state:
    The licensee shall locate vital equipment only within a vital
    area, which in turn, shall be located within a protected area such
    that access to vital equipment requires passage through at least
    two physical barriers of sufficient strength to meet the
    performance requirements of paragraph (a) of this section. More
    than one vital area may be located within a single protected area.
    Protection of water sources designated as vital is complicated by
    the wide-ranging configurations of these sources and, in some cases, it
    is not practical to separate protected and vital area barriers to these
    sources, e.g., at water intake structures.
    The intake structures for vital water sources located at the main
    protected area barrier are considered to meet requirements for vital
    areas if the structure is Seismic Category I reinforced concrete and, in
    the case of the essential service water intake structure designated as
    vital, if the intake structure (1) is secured with screening or grill to
    prevent introduction of large objects, (2) has double barriers on any
    nonwater side that contains a movable opening, (3) is equipped with
    heavy-duty doors that provide delay to penetration, (4) is kept under
    constant surveillance by closed circuit TV for rapid assessment, and (5)
    is protected by an intrusion alarm system.
    In all cases, associated piping, valves, pumps, and controls
    should be either buried or enclosed in a substantial structure(*) with
    hatches, ports, and other openings locked and alarmed. Manholes that
    provide access to vital equipment or the protected area and are located
    within the owner-controlled area should be locked and alarmed if the
    cover can be lifted without the aid of machinery.
2. TIME-DEPENDENT VITAL AREAS (SPENT FUEL POOLS) Spent fuel pools are currently provided vital area protection in
    accordance with Section 73.55. However, it is recognized that the
    radiation levels of spent fuel decay rapidly after removal from the
    reactor core and eventually do not require vital area protection because
    the potential for a Part 100 release(**) is remote. Accordingly, under
    an alternative safeguards approach, spent fuel pools could be included
    in vital areas during that period when the spent fuel pools pose a
    threat to public health and safety. After this initial period,
    licensees would have the option of relaxing the spent fuel pool
    safeguards.
    ----------
    (*) A substantial structure means a structure that meets the
    requirements of paragraph 73.2(f)(2) or its equivalent.
    (**) The criteria in Section 100.11 of 10 CFR Part 100 specify
    reference values to be used in the evaluation of reactor sites with
    respect to potential reactor accidents of exceedingly low probability of
    occurrence and low risk of public exposure to radiation. Those
    reference values are a total radiation dose in excess of 25 rem to the
    whole body or a total radiation dose in excess of 300 rem to the thyroid
    from iodine exposure (based on a 2-hour exposure time commencing
    immediately following the onset of the postulated fission product
    release).
    ----------
3. CONTROL OF ACCESS TO VITAL AREAS UNDER ROUTINE CONDITIONS
    3.1 Access Lists
    Paragraph 73.55(d)(7)(i)(A) requires that the licensee establish
    current authorization access lists for each vital area. The access list
    should be updated and reapproved by the cognizant licensee manager or
    supervisor on the last working day of each calendar month. The access
    list should include only those individuals whose specific duties require
    that they have access to the vital area during routine operations.
    Certain access controls may be suspended during emergency or abnormal
    plant conditions, and the list would be unnecessary under these
    circumstances. Therefore, the names of emergency response personnel
    need not be on the list.
    3.2 Logging Requirements
    Licensees are required to keep a log that indicates name, badge
    number, time of entry, and time of exit of all individuals granted
    access to a vital area except to the reactor control room. The intent
    is to maintain a record of personnel access and egress for each specific
    vital area. This may be accomplished through the use of
    computer-controlled access devices. A log documenting personnel access
    and egress for the reactor control room is not needed because this area
    is always occupied.
    3.3 Revocation of Access Authorization
    Paragraph 73.55(d)(7)(i)(C) requires the licensee to revoke an
    individual's access authorization and retrieve that individual's
    identification badge and other entry devices, as applicable, prior to or
    simultaneously with the notification to the individual of the
    termination when the termination is involuntary and for cause. Under
    these circumstances, the licensee should have in place the mechanisms or
    procedures necessary to ensure that such individuals cannot gain
    unescorted access to the site. This provision is intended to reduce
    opportunities for disgruntled individuals to have access to the reactor
    facility.
    3.4 Locks, Alarms, and Emergency Controls for Unattended Vital Area
    Doors
    In the interest of controlling access to vital areas in the
    accomplishment of the safeguards objective, paragraph 73.55(d)(7)(i)(D)
    requires that the licensee lock and protect unoccupied vital areas by an
    activated intrusion alarm system, e.g., a balanced magnetic switch.
    The licensee should protect a vital area by maintaining locks and
    alarms on all doors that are not attended access control points.
    Acceptable criteria for the use and selection of commercially available
    locks are found in Regulatory Guide 5.12, "General Use of Locks in the
    Protection and Control of Facilities and Special Nuclear Materials."
    Descriptions of various surface protection alarms and guidance on
    testing and maintaining alarm systems can be found in NUREG-0320,
    "Interior Intrusion Alarm Systems."(*) The licensee should install "panic" hardware and establish
    procedures that permit rapid and orderly egress from vital areas in the
    event of an emergency situation. Emergency exit doors that have "panic"
    hardware should be alarmed to the central and secondary alarm stations
    so the use of such doors can be monitored.
4. EMERGENCY ACCESS TO VITAL AREAS
    During emergencies or abnormal conditions, it may be necessary for
    certain licensee personnel to gain quick access to vital equipment in
    order to mitigate or terminate some adverse plant condition. Also, it
    is important to ensure that personnel can quickly evacuate vital areas
    if the emergency condition results in high radiation or other dangerous
    conditions within the vital area. Thus, paragraph 73.55(d)(7)(ii)(A)
    requires that licensees ensure prompt access to vital equipment during
    emergencies or abnormal conditions. Licensees can provide for rapid
    ingress/egress during such conditions by providing backup keys to vital
    areas and methods of opening locked doors in the case of computer or
    power failure.
    4.1 Access Keys
    In the event of an emergency or abnormal condition at a power
    reactor, it may be necessary for certain personnel, particularly an
    operator, to have prompt access to vital areas or equipment. To
    facilitate access, operating personnel should be provided with keys to
    open doors that are locked for security or other purposes.
    4.2 Access Codes and Antipassback Control Features
    It has been observed that the use of individual manually entered
    identification codes and the use of the "antipassback" feature
    programmed into card key computers hamper ingress because of mistaken
    entries, poor memories, entry denial for failure to log out of an area,
    etc. In order to minimize the impact on safety by ensuring prompt
    access, the use of manually entered codes and the antipassback feature
    in vital area access control systems is not required or recommended by
    the NRC.
    ----------
    (*) Copies may be obtained from the Superintendent of Documents,
    U.S. Government Printing Office, Post Office Box 37082, Washington, DC
    20013-7082.
    ----------
    4.3 Loss of Electric Power
    In order to facilitate safety, the licensee should provide for
    rapid ingress/egress during a computer or power outage. If vital area
    doors are not specifically required by the licensee's physical security
    plan to fail in the closed position upon loss of electric power,
    procedures that provide for prompt compensatory measures in opening
    locked doors should be established. The following are acceptable
    procedures for providing for safe ingress/egress during a power or
    computer outage:
1. Have locks on interior vital area doors fail open during an
    outage or emergency and have guards immediately deployed to monitor
    ingress/egress.
2. Use an uninterruptible power supply system for electrical
    locking devices.
3. Have locks fail closed and provide keyed bypass locks for
    vital areas. Ensure that all necessary personnel have keys.
4. Have locks fail closed and install crash ("panic") bars and
    alarms on doors for emergency ingress/egress.
5. SUSPENDING SECURITY MEASURES
    5.1 Authority
    Paragraph 73.55(a) permits the licensee to suspend any safeguards
    measures pursuant to Section 73.55 in an emergency in accordance with
    paragraphs 50.54(x) and (y) of 10 CFR Part 50. If immediately needed to
    protect the public health and safety, such suspension is permissible
    provided that (1) the action taken is approved, as a minimum, by a
    licensed senior operator prior to the emergency action being implemented
    and (2) all safeguards measures are restored as soon as practicable
    following the suspension. This flexibility will accommodate the
    potential need for rapid response to emergency or abnormal conditions.
    The licensee should specify in the physical security or
    contingency plan the individual, by title, responsible for relaxing
    security requirements if necessary during emergencies. The plan should
    also specify a chain of responsibility for suspension of safeguards
    requirements in the event that the first designated individual is
    unavailable.
    5.2 Conditions
    The authority to suspend safeguards measures should be exercised
    only when site conditions are or may soon become a danger to the public
    health and safety. Security measures should be relaxed only to the
    extent necessary to accommodate the emergency situation in accordance
    with paragraphs 50.54(x) and (y). Each instance in which safeguards
    requirements are suspended without approved compensatory measures would
    have to be reported to the NRC under the provisions of Section 73.71 as
    an event that lessens the effectiveness of safeguards.
    5.3 Controls That Can Be Suspended During an Emergency
    The types of controls that could be suspended in an emergency
    might include but are not limited to the following:
1. The search and identification of personnel required by
    paragraph 73.55(d)(1),
2. The search of hand-carried items required by paragraph
    73.55(d)(2),
3. The search of vehicles required by paragraph 73.55(d)(4),
4. The use of a badge identification system required by
    paragraph 73.55(d)(5),
5. The registration of personnel required by paragraph
    73.55(d)(6), and
6. The access controls for vital areas in paragraph
    73.55(d)(7).
    5.4 Use of Escorts
    In the event safeguards controls are suspended, the licensee
    should use escorts to the extent possible. Offsite response personnel
    should be escorted by designated licensee personnel with operable
    two-way radio communications to the central and secondary alarm
    stations. At least one escort should accompany each emergency vehicle,
    and all offsite emergency response personnel should be in view of the
    escort at all times unless this would constitute a danger to the escort.
    For the purpose of this guide, an escort is defined as a member of the
    security organization or other designated individual responsible for
    accompanying those personnel not allowed unescorted access within a
    protected area. An escort is not required to possess a technical
    knowledge of the plant's processes or equipment.
    5.5 Access Controls for Emergency Response During Drills or Exercises
    During a preplanned drill or exercise, the offsite emergency
    response personnel may enter the protected areas, and certain
    access-safeguards requirements may be waived provided that:
    * The NRC is notified in advance of the drill what measures
    will be waived and when the drill is scheduled,
    * Each vehicle is escorted by a member of the licensee's
    security organization equipped with two-way radio
    communication to the alarm station,
    * All emergency response personnel remain within view of the
    licensee's escort at all times, and
    * The licensee positively identifies at least one member of
    the emergency response team who verifies that the other
    personnel are bona fide members of the responding
    organization.
    The access-safeguards requirements that may be waived are:
    * Search and identification of emergency response personnel,
    * Search of emergency response vehicles,
    * Search of hand-carried packages and equipment, and
    * Badging and registration of emergency response personnel.
    The drill or exercise must stop at the vital area boundary; there
    is no regulatory authority for relaxation of controls into vital areas
    during any nonemergency situation. If it is considered necessary to
    familiarize the emergency response personnel with plant layout,
    including vital areas, the full security plan measures must first be
    applied.
6. PHYSICAL PROTECTION PLAN AND CONTINGENCY PLAN INTERFACE
    Paragraph 73.55(d)(7)(ii) requires that the licensee design the
    access authorization system to accommodate the potential need for rapid
    ingress or egress of individuals during emergency conditions or
    situations that could lead to emergency conditions. In order to
    facilitate ingress/egress during such conditions, the licensee should
    conduct periodic reviews of security and contingency plans and ensure
    prompt access to vital equipment.
    6.1 Periodic Review of Security and Contingency Plans
    Paragraph 73.55(d)(7)(ii)(B) requires that the licensee
    periodically review physical security plans and contingency plans and
    procedures to evaluate their potential impact on plant and personnel
    safety. The licensee should conduct such review annually to ensure that
    security procedures do not adversely affect the procedures outlined for
    emergency or abnormal conditions. Licensees should also review the plans
    whenever changes are made that could affect plant or personnel safety or
    when the licensee becomes aware of a procedure that could affect safety.
    Licensees may use the Plant Operations Review Committee (PORC), quality
    assurance audit programs, corrective action reporting systems, or other
    appropriate programs to monitor the potential for safety/security
    impacts.
    6.2 Cross-Training
    Interface problems between security and operations are reduced
    when the respective staffs are made aware, through cross-training and
    indoctrination, of the roles, responsibilities, and general practices of
    both organizations. The licensee should provide personnel with
    opportunities to learn about the other organization.
7. PROTECTION OF SECURITY EQUIPMENT
    Paragraph 73.55(e)(1) requires, in part, that onsite secondary
    power supply systems for alarm annunciation equipment and nonportable
    communication equipment be located in vital areas. Protection of these
    items of equipment is necessary to reduce vulnerabilities in the system
    because their sabotage could significantly impact the safeguards of a
    plant. Therefore, licensees are required to locate these pieces of
    equipment in vital areas.
8. KEYS AND LOCKS
    Paragraph 73.55(d)(9) requires, in part, that keys, locks,
    combinations, and related access control devices be controlled to reduce
    the probability of compromise. The licensee is required to change or
    rotate all keys, locks, and combinations at least every 12 months or
    whenever there is evidence or suspicion that any key, lock, combination,
    or related access control device has been compromised. Such suspicion
    may be interpreted as the reasonable belief that compromise has occurred
    even though physical evidence has yet to be uncovered. Changes should
    also be made whenever a person who had access to protected areas or
    vital areas is terminated for cause.
    Keys, combinations, and other access control devices should be
    issued only to those individuals possessing an unescorted access
    authorization.
D. IMPLEMENTATION
    The purpose of this section is to provide information to
    applicants regarding the NRC staff's plans for using this regulatory
    guide.
    Except in those cases in which an applicant or licensee proposes
    an acceptable alternative method for complying with specified portions
    of the Commission's regulations, the methods presented in this guide
    will be used in the evaluation of security methods and procedures for
    all operating plants and plants that have not received an operating
    license.
    APPENDIX
    The purpose of this appendix is to provide examples of techniques
    pertaining to methods of hardening openings in ceilings and walls of
    vital areas.
    Techniques 1 through 3 are excerpted from NUREG/CR-1378,
    "Hardening Existing Strategic Special Nuclear Material Storage
    Facilities,"(*) June 1980.
    ----------
    (*) Copies may be obtained from the Superintendent of Documents,
    U.S. Government Printing Office, Post Office Box 37082, Washington, DC
    20013-7082.
    ----------
    Technique No. 1
    Hardening Opening in Ceiling or Wall
    EXISTING STRUCTURE: Opening in ceiling or wall
    TOOLS REQUIRED FOR PENETRATION:Depends on existing opening
    PENETRATION TIME:Depends on existing opening
    HARDENING ACTION:
1. Add strong steel jamb to opening.
2. Form three separate grates by welding No. 4 or No. 5 rebar
    into 6-inch (15-cm) grids. Weld grates to inside, center,
    and outer lips of jamb. (Another method is to weld six
    separate layers of rebar alternating vertical and horizontal
    and offset from each other.) 3. Add a baffle on inside for openings in vital areas if
    accessible.
    INCREASED PENETRATION RESISTANCE TIME: Approximately 15 minutes
    ADDITIONAL PENETRATION TOOLS REQUIRED: Boltcutters
    ADVANTAGES OF TECHNIQUE:
1. Multiple layers to penetrate
2. Delay time can be increased by increasing either size of
    rebar or numbers of rebar.
    Technique No. 2
    Hardening a Duct in a Ceiling or Wall Where Air Flow Is Required
    EXISTING STRUCTURE: Duct opening in ceiling or wall where air flow
    is required
    TOOLS REQUIRED FOR PENETRATION:Depends on existing opening
    PENETRATION TIME:Approximately 1 minute for a 24 x 24 in. (61 x 61 cm)
    duct (horizontal)HARDENING ACTION:
1. Line duct with coils of general purpose barbed tape obstacle
    (GPBTO) or concertina. If coils cannot be used, bands or
    ribbons of barbed tape can be riveted to walls.
2. Attach diffusers with 16 quarter-inch bolts.
    INCREASED PENETRATION RESISTANCE TIME: Approximately 10 minutes
    ADDITIONAL PENETRATION TOOLS REQUIRED: Depends on installation method
    for barbed tape
    ADVANTAGES OF TECHNIQUE:
1. Greatly hampers crawl-through
2. Various installation methods allow upgrading with minimal
    effects on duct performance.
    Technique No. 3
    Hardening Opening in Ceiling or Wall Where Air Flow Is Required
    EXISTING STRUCTURE: Opening of any size
    TOOLS REQUIRED FOR PENETRATION:Depends on existing opening
    PENETRATION TIME:Depends on existing opening
    HARDENING ACTION:
1. Add strong steel jamb to opening.
2. Weld steel pipes no larger than 3 inches (7.5 cm) in
    diameter together and then weld to steel jamb.
    INCREASED PENETRATION RESISTANCE TIME:More than 15 minutes
    ADDITIONAL PENETRATION TOOLS REQUIRED:Cutting torch
    ADVANTAGES OF TECHNIQUE:
1. Allows air flow.
3. Reduces bodily access.
    VALUE/IMPACT STATEMENT
    A separate value/impact statement has not been prepared for this
    regulatory guide. The guide was developed to present approaches
    acceptable to the NRC staff for fostering plant safety while maintaining
    adequate safeguards in accordance with amendments to 10 CFR Part 73. A
    value/impact statement prepared for these amendments was made available
    in the NRC Public Document Room at the time they were published. This
    value/impact statement is also appropriate to this regulatory guide.
    20