4. Facility Characterization and Target Identification

4. Facility Characterization and Target Identification

The Twenty-Seventh International Training Course 4-1


Abstract. The first step in the Design and Evaluation Process Outline (DEPO) is to “Define the PPS Requirements.” One task within that step is to characterize the facility and so clearly understand what to protect. Initially, the analyst must identify the areas of investigation for this facility characterization process and then proceed to collect the information from these areas. This section also introduces the units of radiation and radiation dose to understand the severity of an accident and the importance of careful handling of nuclear materials. In particular, the issue of material that is “self protecting” is explained. These concepts are used in another step of “Define the PPS Requirements,” namely, Target Identification. In a general sense, target identification can be considered as the process of identifying specific areas or items to be protected against undesirable consequences. From a policy perspective, target identification utilizes accepted consequence measures and risk-acceptance criteria to develop and promulgate appropriate target categorization scheme(s). From a facility perspective—assuming a graded approach is being used—target identification involves application of specified categorization scheme(s), the output of which will be used to determine protection strategies, design basis threats, and physical protection system performance requirements; it also involves developing referential (location) information for each specific item or area target. This material introduces the basic concepts involved in target identification, discusses application of the concepts to the protection of nuclear and radiological material from theft and nuclear facilities from sabotage, and presents various methods useful in generating the required referential information.

4.1 Introduction Facility

Characterization

Radiation Considerations

Target Identification

Prior to designing a physical protection system (PPS), as much information as possible should be gathered to understand the activities at the facility as well as the facility layout. This information helps identify constraints, document existing protection features, and reveal areas and assets that may be vulnerable. When collecting information, a variety of sources should be used including drawings, policies and procedures, tours, briefings, reference material, and personal interviews. At a nuclear facility, physical protection is related to the facility’s potential radiation hazards. Both the State and the International Atomic Energy Agency (IAEA) have defined that if radiation levels from an object are above a specific threshold, then the physical protection provisions may be decreased since levels of such magnitude will be high enough at the surface to harm significantly anyone attempting theft. Of course, this level of radiation also implies that the effects of sabotage may be very high. Target identification is a foundational requirement of security system design. For nuclear facilities, target identification includes four steps: (1) understand applicable security policies, (2) identify materials and systems that must be protected from theft or sabotage, (3) identify categorization (consequence) levels, and (4) develop target list.



4.2 Facility Characterization Areas of Investigation First Step An initial step in designing a new PPS, or upgrading an existing system, is

to characterize the facility to be protected. Before any decisions can be made concerning the level of protection needed, an understanding of what is being protected and the surrounding environment is essential. Too often, this crucial step is overlooked, and security systems are designed that either overprotect a nonessential component or fail to protect adequately a vital portion of the facility. When characterizing a facility, information about as many different aspects of the facility as possible must be obtained and reviewed. Major areas of investigation for facility characterization include:

Areas of Investigation

• Physical conditions • Facility operations • Facility policies and procedures • Regulatory requirements • Safety considerations • Legal issues • Corporate goals and objectives • Other information

Process is Not Structured and is

Subjective

As data is collected, other related areas of interest may emerge. The process of characterizing a facility is the most subjective and least constrained aspect of designing a PPS. The process may start out quite structured, but eventually may uncover information that can be surprising and lead to additional unanticipated areas. It is valuable to interview people around the facility, in addition to the documentation reviews, tours, and briefings that are normally used to collect information.

Source of Information in

This Section

Much of this section of the course comes directly from Chapter 2 of The Design and Evaluation of Physical Protection Systems by Mary Lynn Garcia, Butterworth-Heinemann 2001. It is used with the permission of the author.

4.2.1 Physical Conditions

Physical Conditions that Should be

Surveyed

Perhaps the easiest areas to characterize are the physical conditions. Physical characterization includes identifying the site boundary, the number and locations of buildings in the complex, room locations within buildings, access points, existing physical protection features, and all infrastructure details. This information is normally available in blueprints and drawings of the facility. Physical infrastructure that should be reviewed includes heating, ventilation, and air conditioning systems; communication paths and type (fiber optic, telephone, computer networks, etc.); construction materials of walls and ceilings; power distribution system; any unique environmentally controlled areas of the facility; locations of any hazardous materials; and exterior areas. Physical aspects of a site also include an understanding of the topography, vegetation, wildlife, background noise (such as airports, rail yards, major highways, or electromagnetic interference), climate and weather, and soil and pavement. This information



can be used to predict adversary paths into a facility, establish target locations, and identify potential sources of nuisance alarms for protection equipment.

Walkdown the Facility

After drawings and documents are consulted, a common practice is to “walkdown” the facility in ever decreasing circles up to the major targets. In this way, all areas and boundary elements are seen and characterized.

4.2.2 Facility Operations

Facility Operations Should be

Understood

Another major area for investigation is facility operations. This area includes such elements as major products of the facility, processes that support these products, operating conditions (working hours, off-hours, emergency operations), and the types and numbers of employees. A large part of this stage of data collection is the review of the procedures that are used to accomplish the mission of the facility.

Operational Review of Facility

Operational review of the facility should also include an evaluation of the supporting functions available at the site. These functions include procurement procedures, computing resources and distribution, maintenance activities, asset tracking, operational involvement and location of senior executives, workflow, shift changes, employee benefits, shipping and receiving, accounting functions, and any other supporting functions. This information will establish constraints when implementing security technology or procedures, and will help in the identification of facility vulnerabilities later in the process.

Additional Operational

Details to Survey

Operational details can reveal important transition periods at a facility. For example, at a shift change many employees can be entering and exiting the facility. Such details can be an important input into the design of any entry controls for the facility or parking areas. Knowledge of the workloads and schedule at the shipping and receiving dock will help when designing an asset tracking system or implementing controls over the movement of raw materials or product into and out of a facility. This information will establish the operational needs to be accommodated by any security upgrades. Vehicle activity into and out of a facility, as well as within the facility (if it is a large industrial complex), will also provide a basis for security effectiveness evaluations and establish operational constraints that must be considered as part of the security system design.

4.2.3 Facility Policies and Procedures

Review Written and Unwritten

Procedures and Policies

One of the most critical areas for study at a facility includes an understanding of the written and unwritten policies and procedures used at a site. Although many companies maintain well-documented collections of this information, it is not uncommon to find that employees use other, undocumented procedures to do their work. This lack of alignment can at times cause serious discrepancies in the way things are expected to be done and the way they are, in fact, accomplished. It is very useful to spend some time at a facility observing how things are done. One way to do this is



through guided tours of the facility accompanied by knowledgeable or responsible personnel, but it can also be revealing to spend time independently visiting all areas of the facility and watching the general operations.

Survey Corporate Policies

Corporate policies should exist that document to all employees the policy on bringing drugs, alcohol, or weapons onto corporate premises, the use-of-force by site guards, and other notifications to employees of corporate expectations.

Training on Corporate

Policies and Procedures

Training on the correct interpretation and application of corporate procedures must be provided at the facility. If employees are expected to maintain certain security levels, but have no training on what this means on a day-to-day basis, there can be disappointment on all sides. Corporate training should be available to solidify the expectations for employee behavior and show that management is fully committed to the physical protection policy.

Search for Signs of Corporate “Culture”

The presence or absence of well-documented, consistently trained and applied policies and procedures can be an indication of the corporate “culture” at a facility. A culture that is accustomed to clear expectations and the support to meet those expectations will be better able to accommodate the discipline necessary to support an effective security system. If the corporate culture is one that is less disciplined or more autonomous, a security system may not be embraced as willingly by the employees, which can be a serious impediment to the success of the system.

Security Culture A current emphasis by the IAEA is implementation of an effective security culture by the Member States. Security culture has three different layers that should be characterized. The first is the underlying assumption that drives the whole culture “Are we vulnerable to a threat?” If this is truly felt, then the next layer of espoused values will indicate that the management intends to counter that threat. Finally, an effective security culture has many visual artifacts, which are, generally, the areas suggested to be surveyed. These include structures, leadership behaviors, individual behaviors, and the general condition of the PPS equipment.

4.2.4 Regulatory Requirements

Local, State, or Industry

Regulatory Requirements

All facilities, no matter what their product or business, are responsible to some regulatory authority. In addition, every facility must meet certain standards in their work practices. These may be standards imposed by professional organizations, or they may be best practices within an industry. All construction must meet a variety of State and local building codes. Regardless of the formality of the regulation, it is important to understand the nature of all the regulations a facility may be expected or required to meet. These requirements must be considered when a security system is designed. Obviously, any security system that is implemented cannot put the company at risk of violating any regulations. These regulations then become an important requirement for the design and implementation of the security system.



4.2.5 Safety Considerations

Contention between Safety and

Security

Safety and security do not have the same goal, although they are complementary functions. For example, the safety function wants to give personnel free and rapid egress in case of an emergency and the security function wants to control all egress even in an emergency. This is the classic conflict between safety and security—safety people want evacuation as fast as possible and security people want to be sure that no asset is stolen or left unprotected.

Example of Safety and Security Compromise

While no security manager would want to put a person in physical danger to protect an asset, it is prudent to design technology systems and procedures to meet all needs. One example of this is the use of a short (10 to 15 second) time delay on fire exits from critical areas. This delay can allow safety or security personnel time to ascertain that there really is a fire or to broadcast instructions to personnel in the facility.

Safety and Security Must Work

Together

It should be clear that an important voice in the design of an effective security system will be the facility or operational safety officer. Safety and security personnel must work together to design systems that will be effective in normal (daily operations), abnormal (for example, a fire), and malevolent conditions (an attack on the facility by a human adversary). Conflicts between safety and security should be resolved by sound and integrated solutions.

4.2.6 Legal Issues

Legal Issues to be Considered

Perhaps the most visible and complex aspect of facility characterization is a thorough review of the legal issues that should be considered when designing and implementing a security system. Legal issues cover liability, privacy, access for the disabled, labor relations, employment practices, proper training for guards, the failure to protect personnel, and excessive use of force by guards, to list only a few. A good understanding of the criminal justice system will be a very useful component in the design and implementation of a PPS. Each facility will need to make its own assessment of which legal issues are concerns and what actions will be taken based on this information. Some of the legal issues associated with physical protection are security liability, failure to protect, overreaction, and even labor/employment issues.

4.2.6.1 Security Liability

Security Liability Sometimes

Drives Decisions

Within the context of liability incurred because of security system implementation, businesses may be sued for failure to provide reasonable security for persons, property, or information, and intrusive, improper, and abusive reactive services and practices when responding to an incident. Some businesses are driven to enact policies or procedures to avoid such lawsuits, while others are willing to accept the risk of these events. Understanding the security liability is important to understanding what drives the decisions at a facility.



4.2.6.2 Failure to Protect

Failure to Protect Personnel May Drive Policies

Being charged with “Failure to Protect” can refer to a variety of instances including the negligence of security guards to protect personnel, loss of property through employee embezzlement or fraud, and loss of information such as a trade secret. This would also include loss of intellectual property, such as patents, copyrights, or trademarks, and loss of confidential information including employee personnel files, patient records, or business records. In the U.S. (and perhaps in other countries around the world), the courts have generally ruled that an employee has the right to expect that they will be protected in their workplace from danger, theft, and abuse. If these events do happen, the facility may be liable for this failure, and sometimes fear of this liability drives policies at a facility.

4.2.6.3 Overreaction

Facilities may Fear Overreaction

Claims

The liability incurred for overreaction involves incidents such as excessive use of force by a guard, invasion of privacy by an investigator or technology, and false imprisonment by a guard. While these issues are resolved through clear policies at the facility and training to reinforce the policy, many companies still do not align their policies and procedures with their practices. This exposes them to increased liability with respect to these types of events.

4.2.7 Labor/Employment Issues

Dealing with Labor Unions

Many companies have organized labor (union represented) employees and so must be aware of federal law pertaining to union membership drives, strikes, and conduct of disciplinary interviews and interrogations of union members. Other aspects of this area include Workers Compensation claims, termination of employment for security violations, and negligent hiring practices. As facility information is collected and legal questions arise, consult with an attorney or review the many information sources on law and security to help develop guidelines, policies, and procedures that limit corporate liability while effectively protecting assets.

4.2.8 Corporate Goals and Objectives

Status of the Security

Organization

When designing a PPS, it will be important to understand how the corporation or facility views the role of the security organization. If security is seen as a required function that adds no value, it will be difficult to establish an integrated security system using people, procedures, and equipment to meet the desired goals. It is important for senior management to view the security function as a part of the total business operation and a partner in the strategic plan for reaching corporate goals. For this reason, it is vital that the security system designer has the support of senior management. If senior management is not convinced of the importance of security to the business, they may be reluctant to commit any resources towards system development or improvement. This attitude is a good indication of a poor security culture at the facility.



Obtain Support of Corporate

Executives

The first job of the security system designer, then, may be to convince executives of the value and importance of at least evaluating a facility to see if there are any vulnerabilities, and then to present system improvements in a manner that shows management what value has been added.

4.2.9 Other Information

Political Environment and

Other Information

The political environment in the surrounding community and internal to the facility can provide additional information for facility characterization. Local politicians or councils can have an effect on operations at a facility, and internal power struggles could have an effect on the value placed on security systems or functions. Liaison between the facility and local law enforcement can also be important, particularly if the facility will depend on this group for any response to a security event. The existence of or membership in any mutual aid agreements with other industries in the area should also be investigated, because these agreements can provide additional resources to respond to threats or collect information concerning threats. Mutual aid agreements also allow links to others in the community for dealing with any emergency conditions.

4.3 Summary of Facility Characterization Summary of Facility

Characterization This section described the process of collecting information to characterize a facility. Prior to designing a PPS, as much information as possible should be gathered to understand the activities at the facility and the facility layout. This information will help identify constraints, document existing protection features, and reveal areas and assets that may be vulnerable. Areas of investigation include physical conditions, facility operations, facility policies and procedures, regulatory requirements, safety considerations, legal issues, and corporate goals and objectives. As more information is collected, additional areas of interest may emerge. When collecting information, a variety of sources should be used including drawings, policies and procedures, tours, briefings, reference material, and personal interviews.

4.4 Radiation Considerations and Physical Protection

Understanding Radiation is Important to

Understanding PPS

The physical protection required at a nuclear facility is related to the potential radiation hazards associated with the facility. You will also find that radiation characteristics affect the physical protection requirement. The purpose of this section is to provide introductory information on radiation safety, to define danger levels of radiation, and to explain how some waste materials in the nuclear industry are “self protecting.” The subjects of this section are: units of radiation, biological effects of radiation, interaction between physical protection and radiation safety, and self-protecting materials.



4.4.1 Units of Radiation

Types of Radiation All radioactive materials emit alpha particles, beta particles, gamma rays, X-rays, or neutrons. The types of radiation differ principally by the degree of penetrability in matter and were originally differentiated on this basis. (Alpha, beta, and gamma radiation were named from the first three letters of the Greek alphabet based on the thickness of the absorber required to stop them.)

Source Strength and Radiation

Dose

Although there are several different units to specify levels of radiation and dose, we use the units curie (Ci), rad, and rem, with the international units becquerel (Bq), gray (Gy), and sievert (Sv) in parentheses. Source strength indicates how much radiation is being emitted by a source and radiation dose rate indicates how much radiation is being received at some point away from the source. To measure source strength we use the curie (Ci) or becquerel (Bq); to measure radiation exposure or dose, we use the “Roentgen equivalent man” (rem) or sievert (Sv). Curie = 3.7 × 1010 particles/second Becquerel = 1 disintegration/second A 1-curie source (3.7 × 1010 Bq) of gamma rays from cobalt-60 can deliver a radiation dose of 1 rem/hr (0.01 Sv/hr) at a distance of 1 meter.

4.4.2 Biological Effects of Radiation

Acute vs. Chronic Exposure

Radiation exposure falls into two main categories, acute and chronic. Acute exposure relates to the effects of large radiation doses received in a short time period (2 hours or less) and are relatively well understood. Chronic exposures are small radiation doses accumulated over a long time period (years) and they are somewhat less well understood and continue to be a subject of intense debate.

Internal and External Doses

Alpha radiation cannot affect internal body tissues if its source is external to the body. Materials that emit large numbers of alpha particles are health hazards when they are inhaled or ingested. External sources of gamma rays and neutrons can penetrate human tissue and therefore pose a health hazard.

Effects of Acute Radiation Dose

The effects of an acute radiation dose are shown in Table 1. It takes a large number of rem (Sv) to produce any noticeable physical symptoms.



Table 1. Biological Effects of Radiation—Whole Body Acute Dose

Dose Probable Effect Below 25 rem (0.25 Sv) No noticeable effect 25 to 75 rem (0.25 to 0.75 Sv) Blood changes detected in lab tests only (weeks) Above 100 rem (1 Sv) Nausea, loss of appetite, fatigue (2 hrs), loss of hair (weeks) 350 rem (3.5 Sv) 50% fatal (month) 600 rem (6 Sv) 95% fatal (1-2 months) 10,000 rem (100 Sv) Vomiting (minutes), Fatal (a few days)

Low-Level Chronic Radiation

The effects of low-level chronic radiation are shown in Table 2. It takes a large number of rem (Sv) to produce any noticeable physical symptoms. The units of man-rem/year (man-Sv/y) mean that on the average, an event will occur when the cumulative dose to a population reaches its man-rem/y (man-Sv/y) level. It is not possible to predict the effects of a chronic low-level radiation dose for a specific individual. However, the effects can be considered statistically within a large population. A somatic effect refers to the probability that an exposed individual will develop a fatal disorder (i.e., a form of cancer) that could be attributed to radiation exposure at some earlier time. A genetic effect refers to the probability that radiation exposure causes a disorder in the offspring of an exposed population.

Table 2. Biological Effects of Radiation—Low-Level Chronic Dose

Effect Probability of Effect Somatic (exposed person) 1 death per 7,000 man-rem/y (70 man-Sv/Y) Genetic (offspring) Less than 1% increase in disorders per million man-rem/y (10,000 man-

Sv/Yr)

4.4.3 Interaction between Physical Protection and Radiation Safety

Physical Protection Is Related to

Radiation Levels

One of the purposes of the PPS is to prevent the adversary from reaching highly radioactive material in use or storage. Physical protection requirements are often related to the level of potential radiation hazards at a facility. The PPS is usually designed to give maximum protection to the areas of the facility with the highest potential radiation levels. At a U.S. nuclear power station, a “protected area” is established around the entire station, and “vital areas” are established within the protected area to secure the reactor and associated process and safety systems against sabotage that could lead to a significant release of radiation.

Self-Protecting Material

When addressing protection of nuclear material against theft, some materials are considered to be self-protecting. Nuclear Security Series 13 (NSS-13) states that “Nuclear material with gamma radiation levels above 1 Sv/hr (100 rad/hr) at one meter unshielded may be protected in accordance with the requirements of a lower category” (Section 4.6). In the U.S., this class of material is referred to as “self-protecting” and so a reduced physical security system is designed for such material.



Dose Rate Very High for Self-

Protecting Material

The reason these levels of radiation are called “self protecting” can be seen by considering what the dose rate would be 1 cm from the surface (nearly on contact). For a point source, the dose rate decreases as the inverse of the square of the distance from the source. A source that produces 1 Sv/hr at a distance of one meter would produce 10,000 Sv/hr at 1 cm: (100 cm)2 x = _______ • 1 Sv/hr (1 cm)2 x = 10,000 Sv/hr In two seconds, a person would receive 6 Sv (600 rem) at 1 cm from this source, which is a 95% fatal dose. Dose rates at this very high level can have nearly immediate effects on the central nervous system of an individual, and thus these materials have inherent hazards that make them less likely to be stolen.

Spent Nuclear Fuel Assemblies

Require Heavy Shielding

Spent nuclear fuel assemblies from nuclear reactors fall into this category of self protecting. If a person were to attempt to steal spent nuclear fuel, they would have to employ a very heavy shielded cask. This restriction limits their ability to quickly steal this material and thus the protection category can be reduced. Additionally, the type of reactor may greatly affect attractiveness of the facilities to theft or sabotage. Continuously operating (1 MW and more) reactors require regular re-fueling (potentially a high security concern for theft) whereas low power single fuel loading reactors, like the SLOWPOKE, contain very little target material and generate very moderate radioactivity, making them relatively unattractive targets for theft or sabotage.

4.4.4 Summary of Radiation Considerations and Physical Protection

Summary of Radiation

Considerations and Physical

Protection

The physical protection required at a nuclear facility is related to the potential radiation hazards associated with the facility. It should be clear that radiation characteristics affect the physical protection requirement. This section has presented some introductory information on radiation safety, defined danger levels of radiation, and explained how some waste materials in the nuclear industry are self protecting. In particular, both the State and the IAEA have defined that if radiation levels from an object are above 1 Gy/hr (100 rad/hr) at 1 meter, then the physical protection provisions may be decreased. Radiation levels of this magnitude are high enough at the surface that the material will cause death and possibly even rapid disability in anyone trying to steal the material. Of course, this condition implies that the effects of sabotage of this material may be very high.



4.5 Target Identification Identify Adversary

Targets Target identification is a simple but important concept that underlies any effective security system. Consider that if security can be defined to be a system that provides protection to targets from threats—where target refers to something that is subject to danger or risk of harm or loss—then it almost goes without saying that the targets to be protected must be identified if a security system is to be properly designed. While this concept may be nothing more than common sense, the actual processes used to identify and evaluate targets can range from the simple to the very complex. This material presents important concepts and considerations used in target identification, with a focus on targets involving nuclear and radiological materials at facilities. The material is organized into two main sections—one that introduces basic target identification concepts (Section 3.6) and one that applies these concepts to nuclear areas (Section 3.7)—and is followed by a summary and appendix. The example guidance offered within the material makes use of IAEA recommendations and U.S. regulations. However, note that the appropriate competent authority (e.g., national regulatory body) in each State is responsible for establishing guidance in this area.

4.6 Basic Concepts Questions to

Identify Targets Target identification is a multi-faceted problem that can be approached as a series of questions. 1. What do we have that needs protection? (What are potential targets?)

2. Are there different operational conditions that must be considered?

3. What is the target worth to us?

4. What is its worth to those who are interested in its theft, damage, or destruction?

5. Where, specifically, is the target located?

The material in this section explores these questions by considering the case of a simple, single-bay, normally unmanned, commercial warehouse. The warehouse is simple in that no co-located functions or activities such as an office exist at the facility that may also need protection.

4.6.1 Protection Needs

Security Protection Policy

Since the normal facility state to be evaluated is storage, it is almost trivial to answer the question of what needs protection: (a) the warehouse itself (e.g., from vandalism or arson) and (b) the goods stored in the warehouse (e.g., from theft or destruction). In real life, however, things are not always so straightforward. To begin with, facilities and operations can be quite complex compared to the simple warehouse example. But more to the point,



in practice security policy is usually established through the use of high-level goals or objectives; for example, provide protection against disruption of operations, theft of assets, crime against persons, destruction of property, and negative publicity or embarrassment. Some of these goals would have been covered by the simple warehouse target identification example presented above. But, how would security be used to protect against, say, negative publicity or embarrassment? The bottom line is that a security specialist must interpret and deconstruct security goals—be they abstract or not—into specific targets that can be afforded protection.

4.6.2 Operational States

Consider All Operational Conditions

In response to the second question related to different operational conditions, refer again to the simple commercial warehouse example. The protection of any storage facility in active use will ultimately have to be concerned with the condition that exists during the off-loading or loading of cargo vehicles. In general, target identification must consider all possible facility states, as enumerated in the supporting facility characterization studies. Of note here, though, is the fact that the potential facility target list has grown by the exposure of the cargo while in the vehicle or on the dock (i.e., outside of the warehouse proper), the vehicle itself, and the presence of personnel involved in the handling and transport of the goods.

4.6.3 Loss Potential

What Is Target’s Worth to the

Owner?

The third question—that of worth to the owner or operator—is related to the determination of the protection levels that will ultimately be provided to the target. If we refer to the targets in the warehouse example in their storage state, worth is a simple monetary consideration: (a) replacement cost of the warehouse and (b) replacement cost of the commercial goods stored in the warehouse. To this list, it is also reasonable to add (c), loss of revenue that would result from theft of goods or destruction of the warehouse and its contents (at least until fully replaced and customer confidence is restored). Such considerations help an owner or operator decide how much protection —usually a combination of security measures and insurance—is appropriate. Yet what of the other classes of security goals? What are appropriate (and comparable) measures of worth on things like crime against persons or negative publicity? In the end, the perception of security is just that—perception. Individuals must use their personal judgment and values to establish measures of security. If the concern is for a home or private business, the owner is responsible for making this valuation, be it explicit or not. If the concern is at a societal level, then determination lies with policy makers and other government officials. This task, however, is difficult at best. For example, it has been pointed out that the general public’s perceived risk of crime is greater than the actual risk of crime; furthermore, this perceived risk does not correlate with the actual crime rate.1

1 Physical Security, FM 3-19.30, Headquarters, Department of the Army, Washington, D.C., January 8, 2001, p. B-88.



4.6.4 Attractiveness

What Is the Target Worth to the

Threat?

Perhaps less obvious is the fourth question that asks what is the worth of the target to the threat? Some may be inclined to ask, why do we care? “Beauty is in the eye of the beholder.”2 That is, from a security perspective, sufficient motivation (payoff) must exist for a threat to attack a facility. An example that illustrates this behavior can be found in crime statistics. For each kind of theft, it has been found that specific items are consistently chosen by thieves.3 In general, these so-called hot products are items that are easily disposed of yet retain a high black market value, such as computers, entertainment equipment, name-brand clothing and footwear, perfume, cigarettes, and prescription drugs. The resale of hot product cargo may be as lucrative as drug dealing but has far fewer risks for the threat.4 Attractiveness is a term also found in use as an adjective in target descriptions that apply this concept in a broader sense; that is, it is used as a measure of worth or attractiveness as a function of threat objective (e.g., rather than theft for sale on the black market, consider the usefulness of material in committing an act designed to cause terror through radiological sabotage). So, what of our simple warehouse example? If the goods that are stored and transshipped at the facility include categories considered to be hot products, two conclusions can be drawn: (1) theft attacks will be more likely and (2) because the target is available in bulk and can be resold quickly on the black market at a high price, threats will devote more resources to the attack to help assure success (i.e., the threat will be more capable). The owner or operator can accept the increased risk, provide added protection, or disallow the use of the facility for such goods.

4.6.5 Location

What Is the Threat Environment?

Consideration of the last question regarding target location is important as it bears on the threat environment and thus attractiveness level. For the warehouse example, is it located in a large metropolitan area where gangs are known to be vandalizing? Is it located in a small town that prides itself on being crime-free? Or is it located in a remote area where few people other than those who use it even know of its existence? Certainly, a gang from the big city bent on vandalism could drive to Small Town U.S.A. or the wilderness to commit its acts, but this is probably an unlikely event that can be factored into target attractiveness considerations. Consider, however, that for a well-financed terrorist organization bent on acquiring nuclear material, a nuclear material warehouse in the wilderness may be the more attractive target!

2 Wolfe Hungerford, Margaret, Molly Bawn, I.xii, 1878. 3 Clarke, Ronald V., Hot Products: understanding, anticipating and reducing demand for stolen goods, Police Research Series Paper 112, Home Office, Policing and Reducing Crime Unit, Research, Development and Statistics Directorate, London, England, 1999. 4 Mayhew, Claire, “The Detection and Prevention of Cargo Theft,” Trends & Issues in crime and criminal justice, No. 214, Australian Institute of Criminology, Canberra, Australia, September 2001.



4.6.6 Other Considerations

4.6.6.1 Graded Approach

Segregate Assets Target location can have on-site implications such as providing another alternative to solving the hot product problem. The simple warehouse example used to this point was defined as a single-bay structure. The location of goods within the structure was undifferentiated from a security standpoint, and all protection measures for goods would apply to all warehouse contents. However, what if the existing warehouse could be physically divided or added to, or a separate warehouse built, that would allow segregation of the hot products from the remaining goods in storage? This action would allow the application of graded (different levels of) protection to the different categories (hot or not) of stored goods.

4.6.6.2 Consequence Measures

Consequences of Target Loss

In general, it should be noted that rather than discussing worth (which is useful when money is involved), targets are usually evaluated based on loss consequence (which may be money, but may be in terms like injury, death, linear inches of newspaper column space of bad publicity, or what have you). In addition, while many consequence scales can be treated as if they were (and are in fact) continuous variables with real units (like money), analysts or policy makers often choose to normalize (0-1), scale (e.g., 1 to 5), divide into discrete measures (also referred to as “binning,” e.g., 1, 2, 3, 4, or 5), or assign semi-quantitative values (e.g., high, medium, or low) to target loss consequences. Consequence analysis techniques can also range from the qualitative to the quantitative. The choice of scale and technique may be driven by the costs associated with using a particular method; it can also be driven by uncertainties and the concomitant need to rely on expert opinions or the judgments of policy makers. Normalized or scaled consequence measures can be very useful when designing rational (balanced) security systems that include otherwise disparate goals (e.g., protect persons and property). However, the value judgments employed must be kept foremost in mind when interpreting the results of any subsequent risk evaluations.5 The same is also true of the uncertainties in any quantitative consequence measures that may be developed.6

5 Further discussion on risk and consequences can be found in the Risk Management and Regulatory Requirements module. 6 “…the problem with quantifying risk assessment is that when managers are given numbers, the numbers are treated as absolute judgments, regardless of warnings against doing so. These numbers are then taken as fact, instead of what they really are: subjective evaluations of hazard level and probability.” J. Wiggins, ESA Safety Optimization Study, Hernandez Engineering, HEI-685/1026, Houston, Texas, p. 85, 1985, as quoted in Tim Bedford and Roger Cooke, Probabilistic Risk Analysis: Foundations and Methods, Cambridge University Press, Cambridge, United Kingdom, p. 4, 2001.



4.6.7 Concept Summary

Identify Targets to Be Protected

In summary, as part of the process of developing requirements for a security system, it is necessary to identify the targets that are to be protected. A simplified description of a generic target identification process would include these elements:

1. Identification of the applicable security policy with attendant goals or objectives

2. Appropriate interpretation and decomposition of policy into specific targets that require protection

3. Determination and evaluation of appropriate loss consequence measures for each specific target or target type

What constitutes appropriate will depend on the particular user of the

measures. For example, policy or decision makers may make use of consequences in risk analyses for establishing security system performance requirements and funding levels. Facility or system designers may make use of consequences in operational planning or in selecting functional security elements as part of a graded protection approach. If a rational security policy is to be implemented across multiple targets or protection goals, any scheme used must also provide a means for consequence comparisons to be made.

4. Development of referential (location) information for each specific

target. Facility or system designers will make use of location information in

operational planning and in placing functional security elements as part of a graded protection approach. Policy or decision makers will be interested in such information at a coarser level (e.g., on a facility-by-facility or in-transit level).

4.7 Concept Application 4.7.1 Security Policy

IAEA Recommendations

Most people recognize that the misuse of nuclear or radiological materials can have ramifications that are international in scope. Any investigation into security policies that might apply should begin with the agency that is chartered by the United Nations with oversight for such materials— the IAEA. This body has promulgated an information circular entitled The Physical Protection of Nuclear Material and Nuclear Facilities (NSS-13)7 which states:8

7 IAEA, The Physical Protection of Nuclear Material and Nuclear Facilities, INFCIRC/225/Rev.5 (NSS-13), Austria, January 2011. 8 Ibid, §2.1 and 5.9-5.19.



2.1 The objectives of the State’s physical protection system should be…to establish conditions which would minimize the possibilities for unauthorized removal of nuclear material and/or for sabotage … 5.9-5.19. The level of the physical protection measures should be specifically designed to take into account the nuclear facility or nuclear material, the State’s design basis threat and the radiological consequences.

Note that level as used in NSS-13 must include physical protection

performance measures. This is implied by the call for testing to ensure that the PPS is capable of effectively responding to the design basis threat (DBT).9

The IAEA has also published guidance on radioactive source protection. For example, the International Basic Safety Standards for Protection against Ionizing Radiation and for the Safety of Radiation Sources10 (BSS), paragraph 2.34, states:

Sources shall be kept secure so as to prevent theft or damage …

The Code of Conduct on the Safety and Security of Radioactive Sources11 (CODEOC) in §III, paragraph 7 goes further by stating:

Every State should, in order to protect individuals, society and the environment, take the appropriate measures necessary to ensure … radioactive sources … are … securely protected …

Guidance on the implementation of the recommendations in the Code of Conduct is provided in Security of Radioactive Sources.12

IAEA regulations and international conventions also include guidance for transportation security and nonproliferation. However, this document focuses on facility security.

Examples from U.S. National programs will, of course, provide direction for security programs as well. While the examples that follow come from the U.S., most countries will have similar guidance.

Civilian facilities licensed to use nuclear material in the U.S. fall under the jurisdiction of either the U.S. Department of Energy (DOE) or the U.S. Nuclear Regulatory Commission (NRC). The DOE security program13 objectives include the following provisions:

9 Ibid, §3.21 10 IAEA, International Basic Safety Standards for Protection against Ionizing Radiation and for the Safety of Radiation Sources, Safety Standards, Safety Series no. 115, Vienna, Austria, 1996. 11 IAEA, Code of Conduct on the Safety and Security of Radioactive Sources, Vienna, Austria, 2004. 12 IAEA, Security of Radioactive Sources, IAEA Nuclear Security Series No. 11, Vienna, Austria, 2009. 13 USDOE, Safeguards and Security Program, DOE Order 470.1, Washington, D.C., Chg. 1, June 21, 1996.



To deter, prevent, detect, and respond to unauthorized possession, use, or sabotage of special nuclear materials. [Protection programs will] … use the Design Basis Threat Policy, … provide levels of protection in a graded manner in accordance with the potential risks … comparable in effectiveness to other Federally regulated programs with … prudent application of resources.

The NRC protection program14 purpose is to prescribe:

… requirements for the establishment and maintenance of a physical protection system which will have capabilities for the protection of special nuclear material … [D]esign basis threats … shall be used to design safeguards systems to protect against acts of radiological sabotage and to prevent the theft of special nuclear material … [and] which will … provide high assurance that activities involving special nuclear material are not inimical to the common defense and security and do not constitute an unreasonable risk to the public health and safety.

NRC requirements also make use of the concepts of level of protection and performance objectives.

4.7.2 Target Types

What Should Be Protected?

While the DOE security program includes concerns for many things not discussed above—ranging from nuclear weapons to classified material to toxicological sabotage—the common target thread in the international and national documents reviewed is twofold: protect material (nuclear or radiological) from theft, and protect against acts of radiological sabotage. It is to these common targets that the present discussion will remain focused. However, it should be recognized and always kept in mind that most facilities have broader security objectives that must also be met.

A closer reading of the references cited above and related documents suggests that a somewhat more refined set of security goals of concern could be:

1. Protect nuclear material from theft that could lead to the construction of a nuclear explosive device by a technically competent group.15

2. Protect radiological material from theft that could lead to the construction of a

radiological weapon.16

3. Protect radiological material in use or storage from sabotage that could directly endanger the health and safety of personnel, the public, and the environment by exposure to radiation or release of radioactive substances.17

14 U.S. Code of Federal Regulations, Title 10, Part 73 (10 CFR 73), Washington, D.C. 15 Compare NSS-13, §4.1-4.4. 16 This could include use of the material passively (e.g., unshielded source placed in a public area) or in an active design (dispersed using conventional explosives or by mechanical means). 17 Compare NSS-13, §2.1.



Note that for this security goal, the threat uses conventional explosives or

mechanical means to disperse radiological materials in situ (or at least at the facility where the materials are located) rather than in some other location of their choosing.

4. Protect nuclear facilities (systems) from sabotage that could indirectly

endanger the health and safety of personnel, the public, and the environment by exposure to radiation or release of radioactive substances.

Note that for this security goal, the threat uses the inherent energy available in

nuclear materials (decay heat for irradiated or spent fuel and nuclear energy in reactor core assemblies or subassemblies) to disperse radiological materials in situ.

Other divisions could be made, but this list can be related in a fairly

straightforward way to further target definition and the consequence discussions that follow.

4.7.2.1 Nuclear Materials

Targets of Interest Vary by Agency

The Statute of the IAEA (ST) was approved in October 1956 by the United Nations Conference on the Statute of the IAEA and entered into force in July 1957 (as amended). Per Article III.A.5, the IAEA is authorized to “establish and administer safeguards designed to ensure that special fissionable … materials … are not used in such a way as to further any military purpose …” (military purpose is herein interpreted to refer to a nuclear explosive device, be it used in a State military action or by terrorists). Special fissionable materials are currently18 defined to be “plutonium-239; uranium-233; uranium enriched in the isotopes 235 or 233; any material containing one or more of the foregoing. …” The IAEA also makes use of the categories direct use nuclear material—plutonium containing less than 80% Pu-238, U-233, and uranium containing at least 20% U-235 (also known as highly enriched uranium or HEU)—and indirect use nuclear material—uranium containing less than 20% U-235, including low-enriched, natural and depleted uranium, and thorium—in its protection recommendations.

Title 10, Part 73, of the U.S. Code of Federal Regulations (10 CFR 73) makes use of the term strategic special nuclear material (Category I) for uranium containing at least 20% U-235, U-233, or plutonium. These regulations also make use of the terms formula quantity and special nuclear material (Category I) of low and medium strategic significance for various combinations of weights of plutonium and these two uranium isotopes with different U-235 enrichment levels. Thorium is not mentioned.

18 IAEA, IAEA Safeguards Glossary, International Nuclear Verification Series No. 3, 2001 Edition, Austria, June 2002. Cf. significant quantities definition in this reference.



In contrast with both the IAEA and USNRC, the USDOE nuclear materials list is quite extensive. This list19 contains uranium in its various isotopic forms and enrichment levels, plutonium in its various isotopic forms, americium-241 and -243, berkelium, californium-252, curium, deuterium, lithium-6, neptunium-237, thorium, and tritium. (It should be noted, however, that some of this material, like tritium, is neither fissile nor fissionable but can be used in making efficient weapons.)

Agency’s Interests Depend on Their

Role

The differences between the IAEA, USNRC, and USDOE nuclear material targets of concern can be related to the particular concerns of the agencies in question. The IAEA, in its nonproliferation role, is concerned with international control of nuclear materials with which a nuclear explosive device can be made; while it is theoretically true20 that materials such as neptunium, americium, curium, and californium can be used for such purposes, they are generally considered to be too rare or too radioactive to serve as realistic materials. The USNRC, through 10 CFR 73, is concerned with regulating U.S. nuclear power, and so it focuses on uranium and plutonium. The USDOE, by contrast, not only has to worry about nonproliferation but asset management as well because it is responsible for the ownership (on behalf of the U.S. government) of an extensive amount of nuclear material; although the numbers are very out of date, consider that in 1974 nuclear materials represented 47% of the total assets (or $6,700,000,000 in then-year dollars, $31.8 billion in 2010 dollars) held by the U.S. Atomic Energy Commission (now DOE).21

4.7.2.2 Radiological Materials

Adversary Target Selection Factors

Plutonium and other fissionables, spent nuclear fuel, radioactive wastes,22 and radioactive sources could all theoretically pose some public and environmental risk if used in a radiological weapon or spread through an act of sabotage. Because of the time frames associated with acquisition, weaponization, and contamination (post-event cleanup impact), terrorists interested in constructing a radiological weapon would likely be more attracted to sources with medium-length half-lives (months to decades). Other target selection factors of concern to an adversary might include considerations for potential human health effects (radiation type and level), difficulty of acquisition and handling while producing a weapon, and the intended dispersal mode. Bulky or highly radioactive materials, such as radioactive wastes or spent power reactor fuel, may be more of a target for threats considering in situ dispersal sabotage events.

19 USDOE, Nuclear Material Control and Accounting, DOE Order 474.2 Admin, Washington, D.C., August 30, 2011. 20 See, for example, David Albright and Kevin O’Neill (eds.), The Challenges of Fissile Material Control, Washington, D.C.: Institute for Science and International Security Press, 1999. 21 Baranowski, Frank P., “Materials Management—A Program in Review,” Proceedings of the 15th Annual Meeting of the Institute of Nuclear Materials Management, Journal of the Institute of Nuclear Materials Management, Vol. III, No. III, pp. 34-48, 1974. 22 For further discussion on radioactive waste see Committee on Science and Technology for Countering Terrorism, Making the Nation Safer: The Role of Science and Technology in Countering Terrorism, Chapter 2, National Research Council, National Academy Press, 2002.



Radioactive sources—because of their widespread use (millions)—have recently become of great public concern over their potential use in radiological weapons by terrorists. From a possible 2300 radioisotopes, only a fraction satisfy selection criteria for use as a source in medical (around 100), industrial, agricultural, scientific, and public applications. The levels and types of radioactivity, as well as source size and mass, differ significantly among the different applications. The locations of sources are as diverse geographically as they are functionally.

A study23 by the Monterey Institute of International Studies (MIIS) concluded that the “more dangerous commercial sources are those containing relatively large amounts of radioactivity (typically more than a few curies [Ci] worth of radioactivity, or in terms of mass, roughly a gram or more of radioactive material) of seven reactor-produced radioisotopes: americium-241, californium-252, cesium-137, cobalt-60, iridium-192, plutonium-238, and strontium-90.” Another independent study24 conducted by the U.S. DOE and NRC identified ten isotopes or “radioactive materials of greatest concern.” These included the seven listed by the MIIS plus three more: polonium-210, plutonium-239, and curium-244. Table 3 lists the characteristics of certain isotopes of greatest concern.

Table 3. Characteristics of Certain Isotopes of Greatest Concern (DOE/NRC study)

Isotope Common Use Description (size, radiological characteristics, quantity, form, storage configuration, etc.)

Am-241 Measurement instruments, including well logging instruments and gauges

Sources are typically small to moderate in physical size and radiological emission (up to 1 inch in diameter, 6 inches long, and tens of millicuries to tens of curies in strength); smoke detectors use microcurie quantities. In neutron sources, the Am-241 is typically mixed with beryllium oxide, which is a toxic substance; double-encapsulated in stainless steel holders; and used for a variety of industrial assay applications. Thousands of these sources are in use.

Cs-137 Medical imaging, food/other irradiation, gauges

Found in sealed portable sources and in large irradiation facilities. The sealed sources are often found as cesium chloride, a form of particular concern for radiation dispersal device (RDD) use.

Pu-238 Medical devices and measurement instruments

Used in the past as a heat source for pacemakers, an application that was phased out in the early 1970s. Also used as a thermal-electric generator heat source where it is contained as an oxide in stainless steel or other containers. As with the Am-241 and Pu-239, and unlike the gamma emitters, a great deal of shielding is not required in application.

Sr-90 Heat source for thermal-electric generators and sealed sources

Used in large quantities in heavily shielded configurations.

23 Ferguson, Charles D., Tahseen Kazi, and Judith Perera, Commercial Radioactive Sources: Surveying the Security Risks, Center for Nonproliferation Studies Occasional Paper No. 11, Monterey Institute of International Studies, Monterey, California, January 2003. 24 DOE/NRC Interagency Working Group on Radiological Dispersal Devices, Radiological Dispersal Devices: An Initial Study to Identify Radioactive Materials of Greatest Concern and Approaches to Their Tracking, Tagging, and Disposition, Report to the Nuclear Regulatory Commission and the Secretary of Energy, Washington, D.C., May 2003.



Isotope Common Use Description (size, radiological characteristics, quantity, form, storage configuration, etc.)

Po-210 Static eliminators Typically found as metal foils. Co-60 Food/other irradiation and

radiography Typically cast as metal rods, or pins, several to dozens of which are combined in a holder to provide desired radiation intensity. Storage requires heavy shielding, typically in large facility.

Ir-192 Gamma source used for mobile and fixed radiography applications.

Used in many fixed and mobile irradiation applications, these sources are found in instruments used for weld inspections and other industrial applications. The mobile application of these sources and availability make them a particular concern.

Pu-239 Alpha or neutron source, typically used in research

Used in research facilities, these sources are generally small because significant quantities of Pu-239 are tightly regulated because of weapons potential

Cm-244 or Cf-252

Neutron source used in research and measuring instruments

Sources are small, and those in instruments are shielded

Se-75 Industrial radiography Double capsule design, active Se in a form of pressed pellet inside inner Ti-capsule, outer capsule-stainless steel cylinder diameter about 6 mm, length about 12 mm

Pm-147 Thickness gauges Radioactive Pm in a ceramic (oxide) form, pressed in a Ta-shell, protected from outside by a stainless steel, flat cylinder or stick of linear size up to 160 mm

Gd-153 Industrial radiography Radioactive isotope in metal pellet or oxide form in A1 cladding and outside steel capsule, cylinder form of typical length 30 mm, diameter 10 mm

Yb-169 Industrial radiography Same as Gd-153 Tm-170 Industrial radiography Same as Gd-153 Note: Am: americium; Cs: cesium; Pu: plutonium; Sr: strontium; Po: polonium; Co: cobalt; Ir: iridium; Cm: curium; Cf:

californium; Se: selenium; Pm: promethium; Gd: gadolinium; Yb: ytterbium; Tm: thulium.

4.7.2.3 Nuclear Facilities

Safety of Nuclear Reactors

In considering the safety or sabotage of nuclear reactors, the possibility of a catastrophic nuclear explosion can be disregarded. A nuclear reactor cannot behave like a nuclear bomb. Even if the fuel in a reactor approached the purity required for a weapon (the vast majority of reactors are very far from this), there is no mechanism present for the nearly perfect implosive compaction that is required for a successful nuclear detonation. However, the high-power levels and fuel exposures (integrated neutron flux levels) of current-generation nuclear power plants result in core inventories of radioactive materials with activity levels that may exceed 10,000,000,000 Ci (370 EBq25). Because of the potentially severe consequences of the release of even a significant fraction of such a radioactive inventory, rigorous designs, construction, and operational practices are required to mitigate the risks to acceptable levels. Current designs include the use of multiple barriers to prevent the release of fission products and the use of elaborate safety systems to ameliorate the effects of an accident should one occur. Thus, it is generally considered that the risks to the public from

25 Exabecquerel, or 1018 Becquerel. This quantity is several hundred times larger than the strongest source referenced in IAEA-TECDOC-1344 (see facility radiological materials consequence discussion below), and many orders of magnitude larger than a typical source.



accidents in large nuclear power plants are far less than those from other causes, both natural and man-made. 26

However, what if a terrorist sabotages the reactor system and, possibly, reactor safety systems in a way that breaches all barriers and protections, and so causes a large release of the radionuclides? Security is called upon to help protect against such events, but what is the target? In a simple research reactor, the reactivity controls and cooling systems that require protection may be straightforward to identify. Nuclear power plant designs, on the other hand, typically involve the use of thousands or tens of thousands of components that can interact in potentially millions of combinations. To determine what should be protected in such cases requires an understanding of actual plant designs that is far beyond the present scope. However, a brief discussion is provided here that should provide readers with a reasonable introduction to the topic.

Types of Nuclear Reactor

Accidents

Reactor accidents. Most conceivable nuclear reactor accidents (and so sabotage events) fall under one of the following four headings: 1. External or site-induced accidents 2. Fuel-handling accidents 3. Reactivity accidents 4. Cooling-failure accidents

External Accidents External or site-induced accidents may be natural or man-made: wind, flooding, tornadoes, landslides, earthquakes, aircraft impact, and so on. For our purposes, these events are beyond the scope of security provided by a PPS and are not discussed further (which is not to say that they should not be addressed by a facility).

Fuel-handing Accidents

Fuel-handling accidents involve nuclear material outside of a normal reactor core configuration, such as during refueling operations or storage in a spent fuel pool. For example, sabotage of the cooling systems used to remove decay heat, or violation of criticality safety features or procedures, could result in melting and release of radionuclides. The systems, locations, and operational timing of fuel handling events are generally simple enough to allow adequate security system design and planning to take place without the use of detailed, rigorous analysis procedures.

Reactivity Accidents Reactivity accidents involve the uncontrolled production of neutrons. An understanding of this accident type must begin with an explanation of just what is meant by reactivity in a nuclear context. To do this first requires the definition of the neutron multiplication factor, k.

𝑘𝑘 = number of neutrons in the (n + 1)th generation

number of neutrons in the nth generation

26 Lewis, E. E., Nuclear Power Reactor Safety, John Wiley and Sons, New York, p. 3, 1977.



A neutron chain reaction (neutrons produced by one fission proceed to cause other fissions) is said to be subcritical, critical, or supercritical, depending on whether

k <1,

k =1, or

k >1, respectively. Often it is more convenient to deal with reactivity, ρ, which is defined in terms of the multiplication factor by

ρ =k −1

k.

It should be apparent that the subcritical, critical, or supercritical states

correspond to ρ < 0, ρ = 0, and ρ > 0, respectively.

Reactivity accidents take place when unplanned reactivity is inserted into the core, causing it to become supercritical with an attendant power increase beyond the ability of the heat transport system to remove it (even though it may be in good working order). Reactivity accidents are often sub-classified as overpower transients or nuclear excursions, depending on whether they involve a relatively slow rise in power over the rated value for a design or a very rapid power excursion. In either situation, the initial damage caused is due to melting or vaporization of the fuel. Extreme cases may involve melting and relocation of substantial portions of the core, or vapor (fuel-coolant) explosions that can cause extensive destruction (e.g., Chernobyl) even to the point of threatening the integrity of the reactor vessel. Excursions may involve failures of reactivity control systems (control rods) or other reactivity injection mechanisms (e.g., accidental cold water injection in a pressurized-water reactor [PWR] or fast closure of main steam isolation valves causing a steam void collapse in a boiling-water reactor [BWR]).

Cooling Failure Accidents

Cooling-failure accidents may originate from a number of sources. The heat produced in the reactor core must be removed, and adequate heat transport requires that coolant flow, temperature, and inventory be maintained. Flow can be affected by the coolant pumps or piping obstructions (e.g., valves). Inventory can be affected by leaks in the coolant boundary. Temperature can be affected by the heat sink (e.g., loss of load). System responses to these accidents for U.S. power reactors — PWRs and BWRs —are generally considered to be bounded by the following three cases:

• Loss of coolant accident (LOCA)

Coolant line is breached between the reactor vessel and an isolation valve (in a main coolant loop for PWRs, or in a recirculation line or steam line in BWRs).

• Loss of off-site power transient

Reactor power cannot be reduced fast enough to match the loss of load. Exacerbated by the conservative yet reasonable assumption (for analysis purposes) that station power and main cooling flows (feedwater pumps) will be lost.



• Main steam line break (PWR only)

Rupture of the main steam line(s) overcools the reactor core, reactivity, and thus power increases (these designs have a negative thermal reactivity coefficient), followed by failure of the steam generator tubes due to dynamic loads.

Reactor Accident Response

Reactor accident response. The most important action to be taken in the event of a reactivity or cooling-failure accident is to promptly shut the reactor down. This rapidly reduces the power to the level of decay heat and so alleviates the heat removal problem. The second problem to be faced is the removal of decay heat. Thus, the major components of a reactor safety system will include: (1) a plant protection system to sense reactivity or cooling problems and initiate appropriate action, (2) a reactivity control system27 that can maintain the reactor in a subcritical condition regardless of the conditions following initiation of an accident, and (3) an emergency cooling system28 that can remove decay heat under accident conditions for a sufficiently long period. When postulated accidents are of sufficient severity to breach the primary system envelope, engineered safety systems also include a containment isolation system to prevent fission products from being released into the environment; this includes pressure control and heat removal systems, and possibly containment atmosphere controls (e.g., fire suppression and fission product scrubbers).

Sabotage Prevention

Preventing sabotage. If a threat intends to commit radiological sabotage at a nuclear reactor, basically they can create an extreme reactivity excursion or cooling-failure event by: (1) manipulating or destroying equipment (called an initiating event of malicious origin or IEMO) that exceeds the capacity of or is not protected by safety systems or (2) create an IEMO and disable the safety systems that would otherwise mitigate the event. Conversely, to prevent sabotage, the security system must (1) protect all equipment from IEMOs that safety systems cannot mitigate and (2) protect either (a) equipment from IEMOs that facility safety systems can mitigate (i.e., destruction of safety systems alone will not cause radiological sabotage) or (b) those areas containing a minimum set of safety and related support systems that can mitigate such IEMOs. Note that, in general, a choice exists regarding what equipment to protect to prevent radiological sabotage in a nuclear power plant; the equipment selected for protection is referred to as vital equipment, and the physical areas in which they are located are referred to as vital areas.

Vital Area Protection

In a study29 of current-generation light water reactors, the USNRC recommended the following vital equipment/area protection philosophy: “to

27 This may include SCRAM (safety control rod axe man) systems and control rods or liquid injection systems (e.g., borated water—water containing soluble boric acid or sodium pentaborate solution, an excellent neutron absorber) such as the BWR standby liquid control system (SLCS). 28 In PWRs this includes such systems as residual heat removal (RHR), safety injection (SI), auxiliary feedwater (AFW), and service water. In BWRs this includes the high-pressure coolant injection, low-pressure coolant injection, automatic depressurization, and core spray, and reactor core isolation cooling systems. 29 USNRC, Vital Equipment/Area Guidelines Study: Vital Area Committee Report, NUREG-1178, Washington, D.C., February 1988.



protect as vital the reactor coolant pressure boundary and one train of equipment—with its associated piping, water sources, power supplies, and instrumentation—that provides the capability to achieve and maintain hot shutdown.” In more detail, the equipment to protect as vital under these guidelines includes:

• One train of equipment (with the associated piping, water sources, power supplies, controls, and instrumentation) that provides the capability to perform the functions (reactivity control, decay heat removal, and process monitoring) that is necessary to achieve and maintain hot shutdown for a minimum of 8 hours from the time of reactor trip, plus the major components of the reactor coolant makeup system and associated support equipment necessary to achieve this goal. Equipment examples include, but are not limited to:

Reactivity control—control rod scram components and systems.

Decay heat removal—turbine-driven auxiliary feedwater pump, including control, water source (e.g., condensate storage tank), and main steam safety valves (PWRs). Turbine-driven high-pressure core injection (HPCI), reactor core isolation cooling (RCIC) pump, isolation condenser, including auto start, control, and safety-relief valves (BWRs).

Process monitoring—pressurizer pressure and level, steam generator

pressure and level, reactor coolant hot and cold leg temperature (PWRs). Reactor pressure and level, suppression pool temperature and level (BWRs).

Reactor coolant makeup and reactor coolant pump seal cooling—

charging pump, including water source and motor control center (PWRs).

Support functions—diesel generator, including switchgear, cooling,

startup, and controls (PWRs and BWRs); battery (PWRs and BWRs); service water pump and motor control center (PWRs and BWRs); component cooling water pump and motor control center (PWRs).

• The reactor vessel and reactor coolant piping up to and including a

single, protected, normally closed isolation valve or protected valve capable of closure in interfacing systems. Note this precludes the need to protect LOCA-mitigating equipment.

• The control room and any remote locations from which vital equipment

can be controlled or disabled (such as remote shutdown panels, motor control centers, circuit breakers, or local control stations).



• Cable terminals or junctions, and areas such as cable spreading rooms. Cable runs in trays and conduit need not be protected unless cables necessary for safe shutdown capability are individually identifiable and the identification is reasonably accessible.

Note that when any components or systems protected as vital are inoperable

(e.g., during maintenance), appropriate compensatory measures (such as stationing guards at alternate locations) must be taken to ensure the ability to reach hot shutdown can be achieved.

4.7.3 Consequence Measures—the Facility Perspective

Whether speaking of international recommendations found in NSS-13 or the U.S. national regulations of DOE or NRC, physical security policy makers have chosen to divide target theft consequences into discrete measures (bins) called categories. While consequence values are not explicitly assigned, the different categories can at least be interpreted to provide a relative, semi-quantitative ranking (e.g., high, medium, or low).

4.7.3.1 Nuclear Materials

Categorization Basis

IAEA categorization of nuclear materials is based on four attributes: (1) element, (2) isotopic concentration (e.g., uranium enrichment), (3) mass, and (4) irradiation history (or radiation level). The primary categories of concern are labeled 1, 2, and 3, with Category I representing the highest-risk material. A fourth, unlabeled category exists for materials not falling in Category III. The categorization table from NSS-13 is provided as Table 4.

U.S. Categorization Examples

The USNRC 10 CFR 73 regulations, like the IAEA, also define three categories of nuclear material to be protected. The definitions, however, while being close to those in NSS-13, are not quite the same, and they depend on three attributes: (1) element, (2) isotopic concentration (e.g., uranium enrichment), and (3) mass. • Formula quantity (or Category I) means strategic in any combination in

a quantity of 5000 grams or more computed by the formula, grams = (grams contained U-235) + 2.5 (grams U-233 + grams plutonium).

• Category I of moderate strategic significance (or Category II) means:

(1) less than a formula quantity of Category I but more than 1000 grams of U-235 (contained in uranium enriched to 20 percent or more in the U-235 isotope) or more than 500 grams of U-233 or plutonium, or in a combined quantity of more than 1000 grams when computed by the equation, grams = (grams contained U-235) + 2 (grams U-233 + grams plutonium); or (2) 10,000 grams or more of U-235 (contained in uranium enriched to 10 percent or more but less than 20 percent in the U-235 isotope).



Table 4. IAEA NSS-13 Nuclear Material Categories

Material Form Category I Category II Category IIIc

1. Plutoniuma Unirradiatedb 2 kg or more Less than 2 kg but more than 500 g

500 g or less but more than 15 g

2. Uranium-235 Unirradiatedb

– uranium enriched to 20% 235U or more

5 kg or more Less than 5 kg but more than 1 kg

1 kg or less but more than 15 g

– uranium enriched to 10% 235U but less than 20% 235U

10 kg or more Less than 10 kg but more than 1 kg

– uranium enriched above natural, but less than 10% 235U

10 kg or more

3. Uranium-233 Unirradiatedb 2 kg or more Less than 2 kg but more than 500 g

500 g or less but more than 15 g

4. Irradiated Fuel (The categorization of irradiated fuel in the table is based on international transport considerations. The State may assign a different category for domestic use, storage, and transport taking all relevant factors into account.)

Depleted or natural uranium, thorium, or low-enriched fuel (less than 10% fissile content)d/e

Note: This table is not to be used or interpreted independently of the text of the entire publication. a All plutonium except that with isotopic concentration exceeding 80% in plutonium-238.

b Material not irradiated in a reactor or material irradiated in a reactor but with a radiation level equal to or less than 1 Gy/h (100 rad/h) at 1 m unshielded.

c Quantities not falling in Category III and natural uranium; depleted uranium and thorium should be protected at least in accordance with prudent management practice.

d Although this level of protection is recommended, it would be open to States, upon evaluation of the specific circumstances, to assign a different category of physical protection.

e Other fuel which by virtue of its original fissile material content is classified as Category I or II before irradiation may be reduced

one category level while the radiation level from the fuel exceeds 1 Gy/h (100 rad/h) at one meter unshielded

• Category I of low strategic significance (or Category III) means: (1) less than an amount of Category I of moderate strategic significance but more than 15 grams of U-235 (contained in uranium enriched to 20 percent or more in U-235 isotope) or 15 grams of U-233 or 15 grams of plutonium or the combination of 15 grams when computed by the equation, grams = (grams contained U-235) + (grams plutonium) + (grams U-233); or (2) less than 10,000 grams but more than 1,000 grams of U-235 (contained in uranium enriched to 10 percent or more but less than 20 percent in the U-235 isotope); or (3) 10,000 grams or more of U-235 (contained in uranium enriched above natural but less than 10 percent in the U-235 isotope).



Without going into all the details (the interested reader can consult DOE O 474.2), suffice it to say that the U.S. DOE uses two consequence measures for nuclear material: a four-level attractiveness level (A-E) and a four-level categorization (I-IV). The attractiveness level assigned is related to the ease with which material could be used to make a nuclear explosive device: A. WEAPONS—assembled weapons and test devices B. PURE PRODUCTS—pits, major components, buttons, ingots, recastable

metal, directly convertible materials C. HIGH-GRADE MATERIAL—carbides, oxides, solutions (≥ 25 g/l),

nitrates, fuel elements and assemblies, alloys and mixtures, UF4 or UF6 (≥ 50% U-235)

D. LOW-GRADE MATERIAL—solutions (1-25 g/l), process residues

requiring extensive reprocessing, moderately irradiated material, Pu-238 (except waste), UF4 or UF6 (≥ 20% <50% U-235)

E. ALL OTHER MATERIALS—highly irradiated forms, solutions,

uranium containing < 20% U-235 (any form or quantity) The material categorization is based on two attributes: element or isotope composition (Pu, U-233, U-235, other) and mass (which is a function of attractiveness and element or isotope). Rules exist for determining the categorization of mixtures. Note that certain attractiveness-categorization pairings do not exist (i.e., A-II, -III, and -IV, B-IV, C-IV, D-I and -IV, and E-I, -II, and -III). It should also be noted that all nuclear materials other than those containing Pu, U-233, or U-235—as well as small quantities of Pu, U-233, or U-235—fall in Category IV (which makes Categories I, II, and III somewhat comparable with the IAEA and USNRC schemes).

4.7.3.2 Radiological Materials

IAEA Source Categorization

Scheme

The IAEA has published30 a categorization scheme for radioactive sources used in common (“typical”) activities. The principal attributes used in the scheme included the activity, D, that could cause fatalities or result in permanent injuries (used as a normalizing factor), and the range of actual activity levels, A, found in sources and normal practices. A rank order and nominal categorization of the sources considered—based solely on the ratio of A-to-D—is illustrated in Figure 1. The final categorization issued by the IAEA also considered other attributes such as the nature of the work, the mobility of the source, experience from reported accidents, typical vs. unique activities within an application, and expert opinion. The end result was a five-level categorization of sources (1 to 5, with 1 representing the highest health risk), which appears in tabular form in Appendix A to this material .

30 IAEA, Categorization of radioactive sources, IAEA-TECDOC-1344, Austria, July 2003; “IAEA publication “Categorization of Radioactive Sources,” IAEA Safety Guide No. RS-G-1.9, Vienna, Austria, 2005.



IAEA has also issued guidance for protection of radioactive sources31 that defines a Security Level for each source category (see Table 5) and provides recommended security measures for each security level.

Figure 1. IAEA-TECDOC-1344 relative ranking of source practices based on A/D

31 IAEA, Security of Radioactive Sources, IAEA Nuclear Security Series No. 11, Vienna, Austria, 2009.



Table 5. IAEA NSS-11 Security Group Based Upon Source Categorization

Source Category

Source Type A/D Security Level

I RTGs

Irradiators

Teletherapy sources

Fixed multibeam teletherapy (gamma knife) sources

A/D > 1000 A

II Industrial gamma radiography sources High/medium dose rate brachytherapy sources

1000 > A/D > 10 B

III Fixed industrial gauges that incorporate high activity sources

Well logging gauges

10 > A/D > 1 C

IV Low dose rate brachytherapy (except eye plaques and permanent implants)

Industrial gauges that do not incorporate high activity sources

Bone densitometers

Static eliminators

1 > A/D > 0.01 Apply measures as described in the Basic Safety Standards

V Low dose rate brachytherapy eye plaques and permanent implant sources

XRF devices

Electron capture devices

Mossbauer spectrometry sources

Positron emission tomography (PET) check sources

0.01 > A/D

and

A > exempt



4.7.3.3 Nuclear Facilities

Sabotage Definition

Do You Need To Protect Facility

From Sabotage?

The IAEA defines32 sabotage as: “Any deliberate act directed against a nuclear facility or nuclear material in use, storage or transport which could directly or indirectly endanger the health and safety of personnel, the public and the environment by exposure to radiation or release of radioactive substances.” Unlike the cases discussed for the protection of nuclear and radiological material from theft where varying theft consequences were managed through the surrogate of categorization, the current approach to identifying sabotage as a potential target begins with a yes or no proposition; either you have to protect against it or you do not. At that point, the “level of the physical protection measures should be specifically designed to take into account the nuclear facility or nuclear material, the State’s design basis threat and the radiological consequences.” That is, the problem is twofold. First it must be determined if the DBT is capable of an act of sabotage that would lead to unacceptable radiological consequences (presumably in the form of some threshold measures related to the endangerment of personnel, the public, and the environment). If so, the next task is to use some means to develop a PPS design and evaluate its performance vs. the DBT in order to demonstrate that risk has been mitigated to an acceptable level.

Unacceptable Radiological

Consequences

States have many options on how to define unacceptable radiological consequences. One possible approach would be to look to the safety33 realm for guidance. For instance, consider the safety-related radiological acceptance criteria discussed by IAEA NS-R-1 paragraph 5.69:

…the design basis for items important to safety shall be established and confirmed. It shall also be demonstrated that the plant as designed is capable of meeting any prescribed limits for radioactive releases and acceptable limits for potential radiation doses… [italics added]

That is to say, sabotage criteria might be based on some design basis (e.g., no core damage), potential radioactive release, or radiation dose levels (or some combination thereof). But this is not to say that radiological sabotage criteria should be the same—quantitatively—as safety criteria; establishment of any such criteria is a decision for appropriate national authority. However, to illustrate such criteria, consider the following U.S. 10 CFR 100 requirements (NS-R-1 does not provide quantitative recommendations):

… an individual located at any point on its [facility] boundary for two hours immediately following onset of the postulated fission product release would not receive a total radiation dose to the whole body in excess of 25 rem or a total radiation dose in excess of 300 rem to the thyroid from iodine exposure. (10 CFR 100.11(a)(1))

32 NSS-13 §2.12. 33 IAEA, Safety of Nuclear Power Plants: Design, Safety Standards Series No. NS-R-1, Vienna, 2000.



Safety Assessment However, given some form of a safety assessment that provides a

quantitative measure of the potential impact at the site boundary (as in 10 CFR 100 above) or other suitable control point (e.g., nearest population center), it is easy to imagine, by analogy with the theft categorization examples, a radiological sabotage categorization scheme. For example, if the two-hour dose at the boundary was less than 25 rem, this could be defined to be a Category IV facility. Then, assuming a power of ten is appropriate (but recognizing the exposure mechanisms of concern and the actual criteria for establishing different category levels is a policy issue), a two-hour dose of 25 to 250 rem would be assigned to Category III, 250 to 2500 rem to Category II, and 2500 rem or more to Category I. A similar scheme for worker and environmental impacts could be developed.

Risk Scales In contrast to taking a quantitative approach, expert judgment could be used to develop relative risk scales. For example, a scale was developed and published for use in assessing sabotage risks of various spent fuel disposal alternatives.34 Such relative risk scales could provide a means of system sabotage categorization for use in physical security system design.

Use International Nuclear Event

Scale

Another approach to consider would be possible use or adaptation of the International Nuclear Event Scale published by the IAEA and shown in Table 6. This approach could be accomplished by mapping the estimated consequences of a particular postulated sabotage action to the criteria presented in the table (note that multiple attributes are expressed in the criteria column).

Evaluate Consequences of

Malevolent Acts

In the end, what must be recognized is that while it has been fairly easy (if not always transparent) for policy makers to issue target theft categorizations using a variety of attributes such that acceptable levels of protection can be established, that has not historically been the case for radiological sabotage. Furthermore, it would appear that in any case support in the form of some type of safety assessment is required to resolve the issue. As noted by NSS-13:35

If the potential radiological consequences of sabotage exceed the State’s unacceptable radiological consequences, then the operator should identify equipment, systems or devices, or nuclear material¸ the sabotage of which could directly or indirectly lead to this condition as potential sabotage targets and protect them in accordance with the following design process … and protection requirements … . The results of safety analysis provide useful input, including target identification and potential radiological consequences, and should be considered during design of the physical protection system.

34 Lessler, R. M., and A. S. Ahluwalia, “Safeguards assessment of spent fuel disposal alternatives,” Proceedings of the 20th Annual Meeting of the Institute of Nuclear Materials Management, Journal of the Institute of Nuclear Materials Management, Vol. VIII, Proceedings Issue, pp. 790-806, 1979. 35 NSS-13, §5.8.



Table 6. International Nuclear Event Scale36

Level/ Descriptor

Off-Site Impact

On-Site Impact Criteria Examples

ACCIDENTS 7

Major Accident

Major Release: Widespread health and

environmental effects

External release of a large fraction of the radioactive material in a large facility (e.g., the core of a power reactor). This would typically involve a mixture of short- and long-lived radioactive fission products (in quantities radiologically equivalent to more than tens of thousands terabecquerels of iodine-131). Such a release would result in the possibility of acute health effects; delayed health effects over a wide area, possibly involving more than one country; long-term environmental consequences.

Chernobyl Ukraine, 1986

6 Serious Accident

Significant Release: Likely

requires full implementation of

planned countermeasures

External release of fission products (in quantities radiologically equivalent to the order of thousands to tens of thousands of terabecquerels of iodine-131). Such a release would be likely to result in full implementation of countermeasures covered by local emergency plans to limit serious health effects.

Kyshtym Reprocessing Plant, USSR (now Russia),

1957

5 Accident with Off-Site Risk

Limited Release: Likely to require

partial implementation of

planned countermeasures

Severe damage to reactor core or radiological

barriers

• External release of radioactive material (in quantities radiologically equivalent to the order of hundreds to thousands of terabecquerels of iodine-131). Such a release would be likely to result in partial implementation of countermeasures covered by emergency plans to lessen the likelihood of health effects.

• Severe damage to the installation. This may involve severe damage to a large fraction of the core of a power reactor, a major criticality accident or a major fire or explosion releasing large quantities of radioactivity within the installation.

Windscale Pile UK, 1957

Three-Mile Island, U.S.,

1979

4 Accident Without

Significant Off-Site Risk

Minor Release: Public exposure of

the order of prescribed limits

Significant damage to

reactor core, radiological

barriers, or fatal exposure of a

worker

• External release of radioactivity resulting in a dose to the critical group of the order of a few millisieverts.* With such a release the need for off-site protective actions would be generally unlikely except possibly for local food control.

• Significant damage to the installation. Such an accident might include damage to major on-site recovery problems such as partial core melt in a power reactor and comparable events at non-reactor installation.

• Irradiation of one or more workers resulting in an overexposure where a high probability of early death occurs.

Windscale Reprocessing

Plant, UK, 1973 Saint-Laurent, France, 1980 Buenos Aires Critical Assy.,

Argentina, 1983

INCIDENTS 3

Serious Incident

Very Small Release: Public exposure at a

fraction of prescribed limits

Severe spread of

contamination or acute health

effects to a worker

• External release of radioactivity resulting in a dose to the critical group of the order of tenths of a millisievert.* With such a release, off-site protective measures may not be needed.

• On-site events resulting in doses to workers sufficient to cause acute health effects and/or an event resulting in a severe spread of contamination (for example, a few thousand terabecquerels of activity released in a secondary containment where the material can be returned to a satisfactory storage area).

• Incidents in which a further failure of safety systems could lead to accident conditions, or a situation in which safety systems would be unable to prevent an accident if certain initiators were to occur.

Vandellos, Spain, 1989

2 Incident

Significant spread of

contamination or overexposure

of a worker

• Incidents with significant failure in safety provisions but with sufficient defense in depth remaining to cope with additional failures. These include events where the actual failures would be rated at level 1 but which reveal significant additional organizational inadequacies or safety culture deficiencies.

• An event resulting in a dose to a worker exceeding a statutory annual dose limit and/or an event which leads to the presence of significant quantities of radioactivity in installation in areas not expected by design and which require corrective action.

1 Anomaly

Anomaly beyond the authorized regime but with significant defense in depth remaining. This may be due to equipment failure, human error, or procedural inadequacies.

DEVIATIONS 0

Below Scale

No safety significance

Deviations where operational limits and conditions are not exceeded. Examples include: a single random failure in a redundant system, spurious initiation of protection systems without significant consequences, leakages within operational limits.

The doses are expressed in terms of effective dose equivalent (whole body dose). Those criteria where appropriate can also be expressed in terms of corresponding annual effluent discharge limits authorized by National authorities.

36 IAEA, The International Nuclear Event Scale: for prompt communication of safety significance, 99-00305/FS-05, Vienna, Austria.



4.7.4 Consequence Measures—the Policy Perspective

Higher Authority Issues Protection

Requirements

When loss consequences due to theft or sabotage have ramifications that exceed local facility impacts, protection goals should be established by higher authority. Clearly that is the case with the protection of nuclear facilities or nuclear and radiological materials. As this responsibility is passed up the hierarchy, a point will eventually be reached where the decision maker is concerned with implementing risk management and with issuing (rather than implementing) requirements. Risk management is used in support of decision processes in a structured attempt to eliminate losses, human, financial, or other. It is accomplished by virtue of exercising an integrated model of a specific problem and weighing the costs, benefits, and risks of all available options for achieving risk control. All decisions so made will be with some degree of uncertainty, great or small. Probabilistic risk assessment (PRA) is a technique used to quantify that uncertainty as part of the input to the decision process. As risk increases, most decision makers will require subordinates to provide improved models and uncertainty measures (data for which will flow from the facility level). Risk management decisions are implemented through policy instruments such as regulations, directives, or orders. From a target identification standpoint, example policy instruments were expressed by the categorization schemes presented above.

Targets May Be Characterized In

Many Ways

While it is not the purpose herein to teach decision theory or risk management and tools, it is important to recognize that targets can be characterized by a plethora of attributes that may or may not be important to facility security and the decision maker. In the theft categorization examples, target attributes used by one or more authorities included: element, isotopic concentration, mass, irradiation history, activity or radiation level, health hazard levels, mobility,37 and weaponization attractiveness38 level. Recognizing, however, that while the categorization tables are not transparent (i.e., the user has no way to look through the results to the policy-level decision tables), it would be expected that some form of multi-attribute utility model was employed.39 For most facilities and decision makers, this idea has to be extended to other security goals (e.g., protection of other material asset categories, personnel, and operational

37 Under sabotage, the question was asked regarding whether the threat was capable of creating an act of sabotage. Here mobility refers to the ease of theft; that is, can a threat agent pick it up or is some form of lift and transport capability required? This general theme—inherent robustness against sabotage or theft separate from any security system—is often referred to as target vulnerability. 38 Consider the case of hot products presented in the basic concepts section. While the DOE attractiveness level example shown earlier might imply threat independence, it must be recognized that different adversaries have different capabilities in terms of pre- and post-nuclear material possession that could lead to development of a nuclear explosive device. For an example of some of these considerations see Murphey, William M., Theodore S. Sherr, and Carl A. Bennett, “Societal risk approach to safeguards design and evaluation,” Proceedings of the 16th Annual Meeting of the Institute of Nuclear Materials Management, Journal of the Institute of Nuclear Materials Management, Vol. IV, No. III, pp. 588-606, Fall 1975. 39 For a simple example that uses multi-attribute utility theory in target identification see Sacks, I., A. Maimoni, and R. Adams, “Target identification procedure for plutonium reprocessing facilities,” Proceedings of the 18th Annual Meeting of the Institute of Nuclear Materials Management, Journal of the Institute of Nuclear Materials Management, Vol. VI, No. III, pp. 548-558, Fall 1977.



capability) if a rational (balanced) security policy is to be implemented. This process must also be extended to allow comparisons across other risk categories as well if resource disbursement (and possibly disinvestment) decisions are to be properly made. Generally speaking, it would make things easy if consequences could always be related to monetary values,40 but non-dimensional, normalized scoring systems are probably more prevalent. For example, the USDOE41 uses a method referred to as the Capital Asset Management Process (CAMP), which provides ranking criteria for the four major categories of health and safety, environment, safeguards and security, and programmatic.

4.7.5 Referential Information

Develop Target List Having moved from security policy to identification of the particular target types of interest and applicable categorization schemes, it is then necessary to develop an actual target list—target description (including any characteristics that would impact theft or sabotage42 scenarios) and location—suitable for use in a facility PPS design or assessment process. The actual method used to generate such a list is a function of the extent and nature of the targets to be protected. For example, theft targets in small storage facilities can be listed by description, consequence category, and location simply through a manual review of the nuclear material accounting and control (NMAC) records with cross-reference to the appropriate categorization tables. For larger storage facilities, the use of automated databases would likely be the preferred method. Systems with nuclear material in use can be more problematic. Small pool-type reactors may be amenable to a manual listing of theft and sabotage targets. However, enrichment, fabrication, and reprocessing facilities and power reactors will likely require the use of a more rigorous theft or sabotage target identification technique.

4.7.5.1 Itemization

Item-by-Item List When considering theft of localized items such as solids (e.g., fuel elements) or materials in containers (e.g., UF4), an item-by-item listing of targets is an appropriate technique (whether generated manually or by using a computerized database). This method is nothing more than the development of a list of all categorized quantities of materials along with a description and their physical location, generally referred to as a storage or in-use area (e.g., building, room, and storage bin number). If the facility is simple enough, this technique can also be applied to process theft and

40 For a proliferation example that includes social costs of nuclear theft and sabotage see Carolyn D. Heising, “Analyzing the reprocessing decision: plutonium recycle and nuclear proliferation,” Proceedings of the 19th Annual Meeting of the Institute of Nuclear Materials Management, Journal of the Institute of Nuclear Materials Management, Vol. VII, Proceedings Issue, pp. 91-110, 1978. 41 USDOE, Real Property and Asset Management, DOE Order 430.1B Chg2, Washington, D.C., September 24, 2003. 42 See, for example, David F. Beck, “An integrated safety-security process for evaluating consequences of postulated acts of sabotage,” Proceedings of the 44th Annual Meeting of the Institute of Nuclear Materials Management, 2003.



sabotage of critical components (which are said to be located in a vital area); for example, consider plutonium nitrate flowing through pipes and equipment in a small pilot process line or the reactivity control system for a research reactor.

VITAL AREA: An area … containing equipment, systems or devices, or nuclear material, the sabotage of which could directly or indirectly lead to high radiological consequences.43

A digression is in order at this point. If it has not become obvious to the reader, it is time to explicitly point out that theft and sabotage protection by use of a PPS relies on the protection of areas, be they large or small. When the item count is small, this may not seem like much of an advantage from a target identification standpoint. However, when talking about the protection of systems with dozens to hundreds of components, the advantage should be obvious.

4.7.5.2 Walkdowns

Technique to Understand Plant

Configurations and Procedures

Walkdowns are techniques for a team of experienced engineers, operators, security and safety personnel and technicians to quickly understand plant configuration and procedures by in-plant inspections and by perusal of existing documents such as design drawings, operating procedures, and safety analysis reports. In a target identification context, walkdowns provide a method for interpreting protection goals such as the USNRC vital equipment/area protection philosophy discussed earlier: “to protect as vital the reactor coolant pressure boundary and one train of equipment—with its associated piping, water sources, power supplies, and instrumentation—that provide the capability to achieve and maintain hot shutdown.” The deliverable of a target identification walkdown is identification of the vital areas to be protected. (But note that walkdowns serve other security assessment purposes as well.)

4.7.5.3 Advanced Concepts

Target Identification for Complex

Systems

For systems that are too complex for manual target identification techniques, or when specific guidance like NUREG-117829 is not available, more rigorous methods are required. It is important to understand that the proper use of such methods requires the analyst(s) to have a detailed understanding of the systems to be evaluated including interactions and response to threat-induced stimuli. However, instruction in these methods would warrant courses in themselves and so only a brief introduction is provided here.

Logic Models Logic models. Modern nuclear power and large reprocessing plant designs involve the use of thousands or tens of thousands of components that can interact in potentially millions of combinations, some of which could lead to accident sequences with radiological consequences. This complexity may also hold the potential of providing threat agents with opportunities for

43 NSS-13.



material diversion (theft) or sabotage. In order to deal with such large numbers of components and combinations, logic models have been successfully used to identify the vital areas to be considered in the design and evaluation of PPSs.44 More recently it has been shown that vital area analysis can leverage information contained in plant safety analyses.45 Logic models make extensive use of Boolean algebra, and often employ graphical representations of a model’s logic equations in forms known as event and fault trees.46 Fault trees can be solved to produce sabotage or theft scenarios that are to be protected against (minimum cut sets). Equipment represented in a fault tree can also be linked to physical areas to produce location trees; these can be solved to identify vital area sets (minimum path sets), one of which must be protected to prevent the undesired events. Practically speaking, it is usually considered necessary to implement these models on computers that can handle the large datasets involved (although manual development has been reportedly used for large processing facilities47).

Complex Processes Diversion path analysis. There are many potential targets in material processing plants because the materials are found throughout a complex array of piping systems and process equipment. A systematic technique for identifying opportunities for material diversion and theft in process facilities—diversion path analysis (DPA)—has been developed48 and successfully applied at an enriched uranium facility.49 The basic method may also prove useful for the analysis of advanced reactor concepts that involve circulating liquid fuels or continuous refueling.50 The fundamental concept in DPA is the casting of all chemical processes and mechanical operations into a networked collection of basic unit processes. This basic material flow element, by definition, contains no uncharacterized internal flows (recycle), but the model does allow for changes in physical or

44 Varnado, G. Bruce, and Nestor R. Ortiz, “Fault tree analysis for vital area identification,” Proceedings of the 19th Annual Meeting of the Institute of Nuclear Materials Management, Journal of the Institute of Nuclear Materials Management, Vol. VII, Proceedings Issue, pp. 438-447, 1978, and Varnado, G. Bruce, and Roy A. Haarman, “Vital area analysis for nuclear power plants,” Proceedings of the 21st Annual Meeting of the Institute of Nuclear Materials Management, Journal of the Institute of Nuclear Materials Management, Vol. IX, Proceedings Issue, pp. 319-327, 1980. 45 Hockert, John and David F. Beck, A Systematic Method for Identifying Vital Areas at Complex Nuclear Facilities, SAND2004-2866, Sandia National Laboratories, Albuquerque, NM, 2005. 46 See, for example, Bedford and Cooke, chapters 6 and 7. 47 Ebel, Paul, personal recollections, 17th International Training Course on the Physical Protection of Nuclear Facilities and Materials, Albuquerque, NM, September 2003. 48 Murphey, William A., John C. Schleter, and Marcia D. K. Maltese, “Internal control vis-à-vis diversion path analysis,” Proceedings of the 14th Annual Meeting of the Institute of Nuclear Materials Management, Journal of the Institute of Nuclear Materials Management, Vol. II, No. 3, pp. 232-274, 1973, and Murphey, William M. [sic], and John C. Schleter, “Practicality of diversion path analysis,” Proceedings of the 15th Annual Meeting of the Institute of Nuclear Materials Management, Journal of the Institute of Nuclear Materials Management, Vol. III, No. III, pp. 236-268, 1974. 49 Schaumann, C. M., C. A. Stanford, and R. S. Thomason, “Diversion path analysis at Savannah River Plant,” Proceedings of the 19th Annual Meeting of the Institute of Nuclear Materials Management, Journal of the Institute of Nuclear Materials Management, Vol. VII, Proceedings Issue, pp. 140-147, 1978. 50 For example, molten salt and certain pebble-bed reactor designs. See U.S. DOE Nuclear Energy Research Advisory Committee and the Generation IV International Forum, A Technology Roadmap for Generation IV Nuclear Energy Systems, December 2002.



chemical form or composition. The output of a DPA is a set of ranked theft or diversion paths, somewhat like a cut set analysis of a fault tree. Path rankings are based on a combination of relative weights assigned to diversion path parameters (including material attractiveness, records, distribution of diverted amounts, removal mode, number of individuals, and type of individual). A DPA would have to be followed by a walkdown or other procedure to actually identify areas to protect.

Conceptual Design Phases

Digraphs. Another systems engineering analysis technique that may have applicability is to use digraph (directed graph) theory to describe the elements of a structure (e.g., reactor or process system) and the way in which these elements interact.51 Once defined, cut sets can be identified (as for logic models). Some other method like a walkdown would have to be used to identify areas to protect. Digraphs, however, have one apparent advantage: they can be readily applied to high-level system descriptions such as exist in conceptual design phases. The application of digraphs to target identification has been developed for plutonium reprocessing facilities.52

Judgment Expert opinion. Unique situations, cost and schedule demands, and technical difficulties can all give rise to analysis problems. The situation may be such that the state of system understanding is not sufficient to develop a model. It may also be the case not enough observations have been made to quantify the model with real data. In such cases, the engineer must resort to the use of engineering judgment as a basis for evaluation. Considerable work has gone into developing techniques and a mathematical basis for the use of expert opinion.53 Nevertheless, one should never presume that engineering judgment can take the place of rigorous evaluation techniques in terms of design surety or assurance.

4.8 Summary of Target Identification Four-Step Process

to Identify Targets

Target identification has been presented as a foundational requirement to security system design. For facilities concerned with theft or sabotage of nuclear and radiological materials, target identification, as a process, can be described by the following steps: 1. Develop an understanding of the applicable security policies with

attendant goals or objectives. 2. Identify the types of nuclear and radiological materials and nuclear

systems (e.g., reactors or material process lines) that must be protected from theft and sabotage at the particular facility of concern.

51 See, for example, Aslaksen, Erik, and Rod Belcher, Systems Engineering, Prentice Hall of Australia, Sydney, 1992, and Wilson, Robin J., Introduction to Graph Theory, 4th Ed., Addison Wesley Longman Limited, Essex, England, 1996. 52 Sacks, Maimoni, and Adams. 53 See, for example, Bedford and Cooke, Chapter 10.



3. Identify the appropriate categorization (consequence) levels that apply for each theft and sabotage target located at the particular facility of concern.

4. Develop a target list for the facility to include target description,

category, and location (area) to be protected. Developing this list may require use of itemization, walkdowns, and other advanced target identification techniques.



Appendix A: IAEA-TECDOC-1344 Categorization of Radioactive Sources

4. Facility Characterization and Target Identification

Documents

Transcript of 4. Facility Characterization and Target Identification