Information Notice 1986-91, Limiting Access Authorizations
SSINS No.:
6385 IN 86-91
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF INSPECTION AND ENFORCEMENT
WASHINGTON, D.C.
20555
November 3, 1986
IE INFORMATION NOTICE NO. 86-91:
LIMITING ACCESS AUTHORIZATIONS
Addressees
All nuclear power reactor facilities holding an operating license or
construction permit, and fuel fabrication and processing facilities using or
possessing formula quantities of special nuclear material.
Purpose
This information notice is provided to alert licensees to some of the weaknesses
in access control which could have an impact on public health and safety.
It is
expected that the recipients will review the information for applicability to
their facilities and consider actions, if appropriate, to preclude similar
problems from occurring at their facilities.
However, suggestions contained in
this information notice do not constitute NRC requirements; therefore, no
specific action or written response is required at this time.
Description of Circumstances
Some recent events involving threats to safety, for example unauthorized breaker
manipulation and misalignment of valves, have occurred at sites where large
numbers of personnel are granted unescorted access to a number of vital areas
and vital islands.
10 CFR 73.55(d)(7) clearly states that access must be limited
to individuals who require such access to perform their duties.
Granting access
to others for expediency or convenience increases the risk of sabotage and
vandalism by insiders and reduces the likelihood of identifying the perpetrators
in followup investigations.
Two recent examples follow where access was not limited in accordance with
10 CFR 73.55:
1. In an Enforcement Conference, a licensee claimed that a condition involving
two (2) unlocked and unalarmed vital area doors was not significant because
all but six (6) of about 4000 people onsite had been authorized access to
the vital area.
2. At another site most of the administrative/secretarial staff had been granted
access to a vital area because a spare word processing terminal had been
installed there.
8610290048
IN 86-91 November 3, 1986 As a result of these and other specific instances, an informal survey was
conducted of 18 sites in one NRC region.
The data collected showed that 90
percent of the 28,000 active badges allowed access to at least one vital area
and more than 50 percent of the badges allowed access to all vital areas.
A review of the above cases showed that the licensee's programs did not address
specific criteria for establishing "need for access" to vital areas or the
equipment contained therein.
In some cases, the plans or procedures simply
indicated that a member of management determines access authorization, but no
standard existed for what constituted need.
In other cases management provided
overly broad and nonspecific criteria such as "emergency duties" or "work- related duties."
Discussion:
The above described circumstances are indicative of potential weaknesses in
security programs which could allow individuals access to vital equipment when
no supportable reason for such access exists.
The root cause of this weakness
appears to be the lack of adequate criteria to clearly determine the circumstances
which must exist prior to allowing an individual free, unescorted access to
controlled areas of the plant.
While it is recognized that facilities differ, certain basic criteria should
be applied to determine the need for access.
As noted in IE Bulletin 79-16 (copy attached), valid need should be based on the performance of specific tasks
on or associated with equipment located in each vital area to which access is
authorized.
In addition, vital areas should exclude nonvital equipment and
activities to the extent possible to minimize the number of people requiring
access.
To minimize the number of people granted access, consideration may be given to
(1) removing or limiting unescorted access authorization for those with only
infrequent or administrative needs, and (2) removal of unescorted access
authorization when need no longer exists.
In accordance with IE Bulletin 79-16, dated July 26, 1979, access lists should be reviewed every 31 days to eliminate
individuals whose need for access has expired.
When only infrequent access is
required, escorted access authorization should be sufficient.
IN 86-91 November 3, 1986 No specific action or written response is required by this information notice.
If you have any questions regarding this matter, please contact the Regional
Administrator of the appropriate NRC regional office or the technical contact
listed below.
ran, d ir tor
Divisi of Emergency Preparedness
and Engineering Response
Office of Inspection and Enforcement
Technical Contact:
R. P. Rosano, IE
(301) 492-4006 Attachments:
1.
2.
List of Recently Issued IE Information Notices
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF INSPECTION AND ENFORCEMENT
WASHINGTON, D.C. 20555
July 26, 1979
VITAL AREA ACCESS CONTROLS
Description of Circumstances
An attempt to damage new fuel assemblies occurred recently at an operating
nuclear reactor facility. During a routine fuel inspection, the licensee
discovered that a chemical liquid had been poured over 62 of 64 new fuel
assemblies.
Analysis indicates that the chemical liquid was sodium hydroxide, a chemical stored and used onsite.
The licensee stores new fuel assemblies in dry storage wells on the same
elevation as the spent fuel pool within the Fuel Building, a vital area.
Access to the building is controlled by use of a coded keycard which elec- tronically unlocks the alarmed personnel portals. The licensee issues coded
keycards to both licensee and contractor personnel after the successful com- pletion of a background screening program.
In addition, licensee site manage- ment-certifies monthly that each individual has the need for a coded keycard
in order to perform required duties.
Further access within'this building is
not limited by other barriers or controls.
As a result of this incident, an initial licensee audit determined that several
hundred licensee and contractor personnel had access to this area during the
period when the attempt to damage the fuel was made. The audit also revealed
that one coded keycard reader at a vital area portal was inaccurately recording
access data at the alarm station.
Also discovered during this audit were
indications of frequent "tailgating" on access through the portals.
Tailgating
occurs when more than one person passes through a portal on one person's
authorized access. Their passage is therefore not recorded, and unauthorized
persons could gain entry in this manner.
Tailgating does not include author- ized access controlled by an escort.
Discussion of Applicable Requirements:
10 CFR .73.55(a) requires the licensees to protect against industrial sabotage
committed by an insider in any position.
10 CFR 73.55(d)(7) states that access
to Vital Areas shall be positively controlled and limited to individuals who
are authorized access to vital equipment and who require such access to perform
their duties. Specific commitments implementing this regulation are described
in each licensee's approved Security Plan.
Attachment 1
IN 86-91 lovember 3, 1986 Paqe I of 4
- IE Bulletin No. 79-16 July 26, 1979 NRR, in their meetings with the licensees in March 1977 to explain £ 73.55 and
what would constitute an acceptable plan, explained that positive control of
access to a vital area consisted of two elements: first, that the person
requesting entry has the necessary background screening and need to perform
Job related functions to be authorized access to that Vital Area, and second, that he has a need at that specific time to enter to perform a specific func- tion.
This is comparable to gaining access to a classified document; you need
both a clearance and a need to know.
In approving security plans, NRR assumes that the determination of need would
be based upon a valid need and not convenience.
Furthermore, access should
be authorized to a minimum number of people, and licensees should use reason- able alternatives to minimize the number of personnel and frequency of access.
Acceptance Criterion 5.B of the Security Plan Evaluation Report (SPER)
Workbook, dated January 1978, states that the licensee must commit to pro- viding positive access control to Vital Areas by:
1) Limiting access to authorized personnel.
2)
Requiring positive identification prior to entry.
3) Requiring an established need for access.
4) Maintaining records of entry, exit and reason for entry.
5) A system for control within the Vital Area.
NRR Review Guideline #21 suggests that blanket access authorizations should
not be granted by stating that an acceptable method of indicating the Vital
Areas to which access is authorized includes a record of each vital area to
which the holder is authorized access, and the card is encoded to permit access
to only those Vital Areas to which the individual has -been granted access.
Review Guideline 123 states that for access to a Type I Vital Area, the person
must be authorized entry by the shift supervisor or other designated individual
who has been informed of the estimated length of time to be spent in the Type I
Vital Area.
There needs to be some balance attained between operational necessity and the
administrative burden of validating the need for access each time entry is to
be afforded. Many licensees grant "permanent access authorization" to all
persons requiring access to vital areas, regardless of the frequency or dura- tion of the need. This is contrary to the regulations and guidelines from NRR
cited above.
Attachment 1
IN 86-91 November 3, 1936 IE Bulletin No. 79_16 July 26, 1979 Action to be Taken by Licensee:
1. Establish criteria for granting unescorted access to each vital area, which shall be based upon the following:
a. A screening program meeting ANSI N18.17. -
b. The individual has a valid need for access to the equipment contained
in each vital area to which access is authorized. Valid need is based
upon assigned duties requiring the performance of specific tasks upon
or associated with specific equipment located in each vital area to
which access is granted. Valid need to enter one vital area shall
not necessarily indicate that the person has a need to enter any other
vital area.
2.
An access list will be established for each area not to exceed 31 days.
An individual will be on the access list only for the duration of the
task to be performed. If an individual has a valid need for unescorted
access for a single entry or for intermittent occasions during this
period, a separate daily access list shall be prepared.
All access
lists shall be approved by the station manager (or equivalent) or his
designated representative.
3. Individuals, will be removed from the access list immediately upon
termination of need.
If an individual has not entered the vital area
during the effective period of the access list (not to exceed 31 days)
the need for access should be reassured prior to extending the authoriza- tion. To ensure that these actions are taken, the access list shall be
reviewed and reapproved at least every 31 days.
4. Void access authorizations for all personnel not satisfying the criteria
in lafb and where appropriate, reprogram the key card system and reissue
key cards that are coded to implement the above vital area access authori- zation program.
5. Develop reasonable alternatives so that the number and frequency of access
to vital areas can be minimized consistent with safe operations.
6. Establish emergency procedures where, during an emergency, additional
authorized personnel, meeting criteria in la&b, can move freely throughout
the vital areas with their entry and exit being recorded.
Upon securing
from the emergency, the entry/exit record will be reviewed, and normal access
control will be reestablished.
7. Prevent tailgating by one or more of the following:
Attachment I
IN 86-91 Aovember 3, 1986 IE Bulletin No. 79-16 July 26, 1979 a.
Establish procedures that require authorized personnel to prevent
other-personnel, including those authorized unescorted access, from
tailgating.
Ensure all authorized personnel are trained in the proce- dure, and establish a management program that ensures that the proce- dure is properly performed.
b-. Acquire equipment, such as turnstiles, to prevent tailgating. Ensure
that such equipment will not deny access or egress under emergency
conditions.
c.
Station a guard, watchperson or escort at the vital area access portal.
This alternative would be most useful when there is a large number and
frequency of access, such as occurs with containment during refueling.
d.
By any other means that achieve this objective.
8.
Assign corporate responsibility for management oversight of VA access
control and require personal involvement to ensure that all intermediate
levels of management are properly discharging their responsibilities in
this regard.
9.
Conduct routine functional tests of the electronic access control system, including each key card reader, to verify (i) its operability and proper
performance, and (ii)
the accuracy of the data recorded. This test should
be incorporated into the seven-day test required by 10 CFR 73.55(g).
10. Report in writing within 45 days (for facilities with an operating
license) the actions you have taken and plan to take (including a
schedule) with regard to Items 1 through 9. Reports should be submitted
to the Director of the appropriate NRC Regional Office and a copy should
be forwarded to the NRC Office of Inspection and Enforcement, Division of
Safeguards Inspection, Washington, D.C.
20555.
Approved by GAO, B180225 (R0072); clearance expires 7-31-80.
Approval was
given under a blanket clearance specifically for identified generic problems.
Attachmtont 1
November 3, 1986 Attachment 2
November 3, 1986
LIST OF RECENTLY ISSUED
IE INFORMATION NOTICES
Information
Date of
Notice No.
Subject
Issue
Issued to
86-90
86-89
86-05 Sup. 1
86-25 Sup. 1
86-88
86-87
86-86
86-85
86-84 Requests To Dispose Of Very
11/3/86 Low-Level Radioactive Waste
Pursuant to 10 CFR 20.302
Uncontrolled Rod Withdrawal
10/16/86
Because Of A Single Failure
Main Steam Safety Valve Test 10/16/86
Failures And Ring Setting
Adjustments
Traceability And Material
10/15/86
Control of Material And
Equipment, Particularly
Fasteners
Compensatory Measures For
10/15/86
Prolonged Periods Of Security
System Failures
All power reactor
facilities holding
All BWR facilities
All power reactor
facilities holding
All power reactor
facilities holding
All power reactor
facilities holding
fabrication and
processing facilities
All power reactor
facilities holding
All registered users
of NRC certified
packages
All NRC medical
licensees
All NRC medical
institution licensees
Loss Of Offsite Power Upon An 10/10/86
Automatic Bus Transfer
Clarification Of Requirements 10/10/86
For Fabrication And Export Of
Certain Previously Approved
Type B Packages
Enforcement Actions Against
Medical Licensees For
Willfull Failure To Report
Misadministrations
Rupture Of A Nominal
40-Millicurie Iodine-125
Brachytherapy Seed Causing
Significant Spread Of
Radioactive Contamination
10/3/86
9/30/86 OL - Operating License
CP = Construction Permit