
A STUDY TO

ASSESS THE RADIOLOGICAL SABOTAGE POTENTIAL OF

OPERATING NUCLEAR POWER PLANTS

BY

KMC, INC.

1747 Pennsylvania Avenue

Washington, D.C.

With

THE COOPERATION AND ASSISTANCE OF:

Arizona Public Service Company
Baltimore Gas & Electric Company
Commonwealth Edison Company
Consumers Power Company
Detroit Edison Company
Duke Power Company
Duquesne Light Company
GPU Service
Gulf States Utilities Company
Houston Lighting & Power Company
Illinois Power Company
Nebraska Public Power District
Niagara Mohawk Power Company
Northeast Utilities Service Company
Northern States Power Company
Pennsylvania Power & Light Company
Portland General Electric Company
Public Service Electric & Gas Company
Sacramento Municipal Utility District
Southern Services, Inc.
Tennessee Valley Authority
Washington Public Power Supply System
Wisconsin Public Service Corporation
Yankee Atomic Electric Company


ABSTRACT

A study was conducted to assess the ease or difficulty for a knowledgeable insider to sabotage an operating nuclear power plant in such a way as to substantially affect the health or safety of off-site persons. Two operating plants -- one a PWR and one a BWR -- were used for detailed evaluations. Senior operating and maintenance personnel from those plants actively participated in the phases of the study related to their plants. The study concludes that successful sabotage, while theoretically possible, is made highly unlikely in that it requires a detailed knowledge of the plant, multiple successful actions in a number of different locations, and a willingness to be caught or personally injured. The study also indicates that many acts can be countermanded by operating personnel; hence, many potentially successful acts of sabotage are reversible and do not necessarily lead to high consequence events. The study developed and tested a methodology for assessing the susceptibility using accepted engineering approaches. This report, which is publicly available, by intent does not provide specifics of plant design features or sabotage techniques. All specifics are proprietary to KMC, Inc. and will be made available only on a clearly established need to know basis.


INTRODUCTION

On February 24, 1977, the U.S. Nuclear Regulatory Commission (NRC) issued as an effective regulation 10 CFR 73.55 relating to physical security of nuclear power reactors. As part of this regulation, a licensee was required to protect against a knowledgeable insider acting alone or in concert with several persons engaged in a violent external

In attempting to develop this additional assurance against an insider, the NRC has suggested a two-man rule whereby plant operations and maintenance personnel in areas containing vital equipment must be in two-man teams of similar and equal skills. Alternately, they suggest separating vital equipment into compartments such that no single individual can have access to sufficient equipment to perform a complete act of sabotage. While recognizing that the NRC desires greater assurance of protection from the insider than currently available, nuclear plant owners do not believe that the two-man rule/subcompartmentalization approach is necessary or appropriate since the added costs and reduction in safety and operational access are not compensated by any significant increase in physical security. In this regard, twenty-four utilities with operating nuclear power plants or plants under construction have sponsored this study to develop an engineering approach for assuring an appropriate level of security against sabotage by a postulated insider.

The study utilizes two operating nuclear power plants -- one a BWR, the other a PWR -- to develop a methodical engineering approach to assess plant susceptibility to realistic acts of sabotage leading to substantial off-site releases of radioactivity. The methodology allows a disciplined approach to determine the ease or difficulty of successfully accomplishing a pre-planned sabotage scenario. This report provides, in addition to a description of the study methods and techniques, a discussion of the study's results and recommends an approach for improving the security aspects of plants without compromising operability or safety. Specifics of the study including details of the studied plants, sabotage techniques, and specific scenarios are retained as proprietary by KMC, Inc. Portions of this information are available only to participants in the study or certain regulatory authorities on a strict need to know basis as determined by KMC, Inc.


DISCUSSION

Background

In developing their current nuclear power plant physical security regulations and their proposed implementation of these regulations, the NRC (or its AEC predecessor) has participated in or commissioned a number of studies. The first of these studies 1/ was completed in 1968 by Southern Nuclear Engineering, the study being under the direction of Dr. C. Rogers McCullough, nine-time Chairman of the Advisory Committee for Reactor Safeguards. This study included detailed engineering evaluations of a number of existing nuclear power plants and, although a number of recommendations were made, concluded that the probability of sabotage with serious consequences to public health and safety, while theoretically possible, was acceptably low.

More recently the NRC has sponsored a study at Sandia Laboratories on the "Safety and Security of Nuclear Power Reactors to Acts of Sabotage." This study, the majority of which the NRC has classified on a basis, includes more active forms of sabotage than this study by considering primarily external intrusion rather than a single dedicated insider. Nevertheless, the published conclusions 2/3/ of the Sandia effort are generally consistent with the results of this study. Also consistent is the observation that "nuclear power plants have inherent resistance to sabotage due to their safety based design and construction." As an effort separate from the Sandia Study 4/, an NRC sponsored workshop was held in the summer of 1976. The purpose of this workshop was to identify practicable design measures to improve nuclear power plant security for future plants. Although a number of specific recommendations were made, the workshop recommended that their suggestions be further studied for potential impact on plant operations, personnel exposure, safety, and other factors.

As a related, but not connected, effort one of the workshop participants provided a separate report 5/ relating to possible nuclear plant sabotage scenarios. The NRC has classified the entire report; hence, it cannot be commented upon here. To the extent applicable, however, this separate report has been considered in conducting this study.

Despite the limited applicability or caveats of the aforementioned studies to the specific problem of the insider, the NRC appears to have utilized these studies to a substantial extent in developing their current recommended positions. While attempts to transfer technology such as the two-man rule as used for weapons programs or subcompartmentalization as used in fuel fabrication plants to an operating power plant have serious difficulties, the NRC currently has little other guidance on which decisions can be based. It is against this background that the participating utilities commissioned this study to develop an engineering approach to assess and, if appropriate, improve the assurance that an insider could not easily perform a substantial act of sabotage to a nuclear power plant. It is only by a disciplined engineering approach that all of the multiple factors relating to the plant such as safety, operations, maintenance, and security can be considered in their proper perspective.

Overall Objectives

In developing the overall objectives of this study there was no illusion that any practical approach can render sabotage of a nuclear power plant -- or any other of a wide variety of natural and man-made systems -- totally immune from willful and dedicated acts of sabotage. The number of theoretical sabotage scenarios is infinite. The overall results of such scenarios are influenced by numerous factors including the natural resistance of the plant to sabotage, the skill and dedication of the saboteur, the probability of his being detected, and the subsequent course of events following his actions. This study concentrates on assessing the plant's natural resistance as well as the saboteur's necessary skill and dedication and the probability of success and detection. Specifically, its overall objectives are to develop and verify a methodology which allows an individual plant owner to:

1. Assess the degree of difficulty of conducting a successful sabotage leading to a substantial release of radioactivity.

2. Identify and evaluate the more likely scenarios for his specific plant.

3. Provide the means for quickly evaluating any specific scenario which an individual reviewer/evaluator may identify.

4. Identify possible improvements in plant security which do not detract from plant safety or operability and which are cost effective.

The study does not have as one of its objectives to assess the probability of the knowledgeable and motivated individual existing and being permitted access to the plant. Neither does it completely assess the capability of the plant operating staff to "undo" or repair an act of sabotage; it does, however, address such actions where they would be straightforward with equipment and time available. Another factor which the study does not address, but which must eventually be addressed in using the study, is an approach for developing definitions and limits on an acceptable degree of difficulty of sabotage.

Methodology

In developing the approach for conducting the study, two overriding considerations were kept in mind:

1. The overall objectives require the use of a flexible approach which recognizes the limitless number of potential scenarios.

2. A major purpose of the study is to develop and demonstrate a methodology which can be applied to any specific plant.


Based on these considerations, the approach was:

1. Identify systems/components/actions potentially involved in causing or mitigating a core meltdown and resulting release of radioactivity. Reference to WASH-1400 6/ establishes that in order to release substantial amounts of radioactivity it is necessary to overheat the fuel in the reactor core to the point of melting. Once fuel melting occurs there remain a number of barriers and systems which can minimize its impact on the public. Other potential sources of radioactivity, i.e. the waste storage system and spent fuel storage pool, can be separately considered.

2. Identify -- using existing literature as a guide -- possible sabotage techniques and possible factors which would affect the practicality of these techniques. In assessing the possibility and practicality of sabotaging a component or system both overt and covert acts must be considered. There have been identified in literature 1/2/5/ a number of sabotage techniques that are well known to engineers knowledgeable of the specific equipment or to individuals trained in industrial sabotage.

3. Using specially prepared worksheets (Figure 1) identify pertinent information related to the sabotaging of specific systems/components or to specific actions. In filling out the worksheets there is no specific consideration of scenarios. The assumption is made that the potential saboteur has access to the equipment (or equipment area) unless obtaining this access is of itself an action different from normal plant security considerations. It is further assumed that he has as a minimum a trained operator's knowledge of the plant.

[Figure 1 - Worksheet; column headings include Function, Location and Methods]

4. Using WASH-1400 and other existing literature for guidance, develop specific scenarios for potentially successful sabotage using the appropriate collage of worksheets to identify plant specific requirements. WASH-1400 as well as literature directed more toward possible plant sabotage identifies the sequence and timing of system/equipment malfunctions and failures that would be necessary to cause a potential release of radioactivity which would have substantial off-site consequences. Each of the specific failures or malfunctions should be covered by specific worksheets.

5. Evaluate specific scenarios to identify the degree of difficulty inherent in performing a potentially successful act of sabotage. A number of factors influence the ease or difficulty of actually performing a potentially successful sabotage act including the combination of skills required, necessary tools and equipment, time available, the route to be traveled, and the possibility of detection. This information can be developed, using the collage of worksheets, for each scenario studied.

6. Based on the evaluations of the ease or difficulty of completing specific scenarios, identify possible improvements in plant security which do not detract from plant safety or operability and which are cost effective.

In applying this methodology to this specific study, every effort was made to utilize a broad spectrum of available talents. Specifically, steps 1 & 2 (identify systems/components and sabotage techniques) were provided by KMC, Inc. in the form of partially filled-in worksheets. The participating utilities, in turn, assembled a team of senior station supervisory personnel* who worked with a KMC, Inc. engineer to complete the worksheets. In the course of these working sessions, a number of items were added or deleted from the original worksheets as the teams identified plant specific items and provided their own input. Work was performed at the plant and when questions arose, the actual equipment, system, location, etc. was viewed

* Each team included plant operations (shift supervisor), maintenance foreman, and engineering personnel.


or specific plant experts were questioned. Once the worksheets were completed at the plant sites, they were re-reviewed for completeness and internal consistency as well as for consistency between plants. The final worksheets were then provided to the participating utility for their review and comment.

Logic Diagrams

In view of the substantial amount of information available, a simple and accurate method of organizing and evaluating the information is required. The system used in this study employed a technique of logic diagrams. These logic diagrams provided a visual summary of one or more worksheets and were also used to visually identify various sabotage scenarios. A sample logic diagram for disabling the spray pond recirculation system (a hypothetical system, chosen for illustrative purposes only) is shown as Figure 2. A simplified system diagram is shown in Figure 2A.

The logic diagram is constructed on the principle that a successful act -- in this case, disabling the spray pond recirculation system in a manner that would not be obvious or readily correctable by the operator -- is represented by completing a path from point 1 to point 2. Each potential act is represented by an open switch contact; a successful act closes that switch and helps to complete a path. For example, reference to Figure 2A shows that disabling both booster pumps would disable the system; disabling only one, however, would not since a complete path would not result. Disabling both recirculation pumps or disabling one booster pump in train A and one recirculation pump in train B would have similar successful sabotage potential. In the case of closing the suction or discharge valves another consideration comes into play. As shown in Figure 2A, the valves are manual and if of large size would take a saboteur considerable time to close. Unless he was also to jam the position indication to continue to show "Open," it is likely that as flow changed the operator would detect the change in valve position indication and investigate. A path indicated but not developed on this diagram is to disable electric power. Because of its more universal application, this scenario is separately developed and can be "plugged in" wherever applicable. Also missing from this diagram is the failure of passive components (e.g. pipe failure); these failures could be added should they be considered important in the overall

[Figure 2 - Logic Diagram; Figure 2A - Simplified Schematic. Spray Pond Recirculation System. Diagram branches: Disable Electric Power; Disable Recirculation Pumps; Disable Booster Pumps; Close Pump Suction Valves with Disable VPI; Close Pump Discharge Valves with Disable VPI. Schematic shows sump, recirculation pumps, booster pumps and heat exchangers.]

These logic diagrams, in addition to providing a simple summary of various important actions, provide building blocks from which various overall scenarios may be evaluated. The logic diagram is only a tool which can be made as simple or complex as desired; for the purpose of this study it was used primarily to assist in evaluating overall scenarios or major systems. The technique, however, is equally applicable to subsystems or even components, and, in fact, was used at this level in some instances.

Sabotage Scenarios

In developing the individual sabotage scenarios, considerable reference was made to the event trees and associated tables from Appendix I of WASH-1400. It would, of course, be possible to independently develop sabotage scenarios from the worksheets and logic diagrams of this study, but such an approach would ignore the considerable effort, particularly the completeness, of the WASH-1400 effort. On the other hand, it must be recognized that WASH-1400 did not specifically consider sabotage, placing emphasis on random or undetected failures as opposed to somewhat predictable and deliberate failures. As an example, WASH-1400 finds a major contributor to a loss of coolant accident having substantial off-site consequences would be a rupture of the low pressure portion of a PWR Reactor Heat Removal (RHR) pipe outside of containment initiated by the failure of two check valves designed to isolate this portion of the system from the reactor coolant system. While it could be argued that a saboteur could cause the necessary failure of the RHR pipe, there appears no practical way he could assure (or even aid) the failure of the self-contained check valves. Hence, this scenario, while significant in WASH-1400, would appear to have negligible importance to a potential saboteur. Other examples can be found in such occurrences as steam explosions, hydrogen accumulation and unfavorable meteorology whose probability of occurrence would be unaffected, or little affected, by any acts of a saboteur.


Conversely, there exist certain events whose random probability of occurrence is quite low but which could represent reasonably easy occurrences for a saboteur to perpetrate. Some of these events have been identified in other studies; others have been identified in this study. No useful purpose is served by giving specific examples in this publicly available report; however, it is important to recognize that none of these events of themselves or in simple combination are adequate to create a successful act of sabotage, as defined for this study. It should also be recognized that even a relatively easy event is by no means a certain event. For example, an event with a probability of random failure of 5 x 10^-4 (1 in 2000) would be considered fairly unlikely; whereas, a sabotage probability of 5 x 10^-1 (1 in 2) would be considered relatively easy. Nevertheless, this 5 x 10^-1 number also implies one chance in two of being unsuccessful. If a saboteur must perform a large number of these one chance in two events, his overall probability of success begins to become unattractive. As the probability of sabotaging each individual piece of equipment decreases, the effect is amplified and the overall probability of success becomes smaller still.
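The logic diagram of Figure 2 and the probability argument above can be exercised together as a small fault-tree calculation. The following Python is an added example written for this edition; it is not part of the report and not KMC, Inc.'s proprietary material. It models only the hypothetical spray pond recirculation system of Figures 2 and 2A: two trains, each with a booster pump, a recirculation pump, and manual suction and discharge valves whose position indication must also be defeated for a closed valve to escape operator detection, plus the separately developed "disable electric power" building block. The per-train assignment of the valves, every act name, and every probability value are this example's own assumptions. The code enumerates the minimal sets of acts that complete a path from point 1 to point 2 and, treating the acts as independent steps, multiplies their success probabilities, which is the sense in which a chain of one-chance-in-two events becomes unattractive.

```python
from itertools import combinations
from math import prod

# Acts are the open switch contacts of the Figure 2 logic diagram for the
# hypothetical spray pond recirculation system.  Every name below is this
# example's own label, not an identifier from the report.
POWER = "disable electric power"             # separately developed building block
VPI = "disable valve position indication"    # needed for a closed valve to go unnoticed


def train_acts(train):
    """Acts that can take one cooling train (A or B) out of service."""
    return {
        "booster": f"disable booster pump {train}",
        "recirc": f"disable recirculation pump {train}",
        "suction": f"close suction valve {train}",
        "discharge": f"close discharge valve {train}",
    }


ALL_ACTS = sorted(
    {POWER, VPI} | set(train_acts("A").values()) | set(train_acts("B").values())
)


def train_disabled(train, acts):
    """A train is lost if either of its pumps is disabled, or a manual valve is
    closed AND the position indication is defeated (otherwise the operator sees
    the indication change as flow changes and investigates)."""
    a = train_acts(train)
    valve_closed = a["suction"] in acts or a["discharge"] in acts
    return a["booster"] in acts or a["recirc"] in acts or (valve_closed and VPI in acts)


def system_disabled(acts):
    """True when the chosen acts complete a path from point 1 to point 2:
    loss of electric power, or loss of both redundant trains."""
    acts = set(acts)
    return POWER in acts or (train_disabled("A", acts) and train_disabled("B", acts))


def minimal_cut_sets(all_acts=ALL_ACTS, disabled=system_disabled):
    """Every smallest combination of acts that disables the system.
    Subsets are visited in order of size, so any superset of a set already
    found is skipped; what remains is minimal by construction."""
    found = []
    for size in range(1, len(all_acts) + 1):
        for combo in combinations(all_acts, size):
            candidate = frozenset(combo)
            if any(known <= candidate for known in found):
                continue
            if disabled(candidate):
                found.append(candidate)
    return found


def scenario_success_probability(cut_set, p_success):
    """Treat each act as an independent step; the scenario succeeds only if
    every step does, so the overall probability is the product.
    p_success is either one number for all acts or a dict keyed by act."""
    if isinstance(p_success, dict):
        return prod(p_success[act] for act in cut_set)
    return p_success ** len(cut_set)


def easiest_scenario(p_success, cut_sets=None):
    """The cut set with the highest overall success probability."""
    cut_sets = minimal_cut_sets() if cut_sets is None else cut_sets
    best = max(cut_sets, key=lambda s: scenario_success_probability(s, p_success))
    return best, scenario_success_probability(best, p_success)


# Constructed per-act success probabilities for illustration only.  Loss of
# off-site power is rated hard, in line with the report's discussion; the
# other acts use the "one chance in two" figure from the text.
ASSUMED_P = {act: 0.5 for act in ALL_ACTS}
ASSUMED_P[POWER] = 0.05
ASSUMED_P[VPI] = 0.2


if __name__ == "__main__":
    for cut in sorted(minimal_cut_sets(), key=lambda s: (len(s), sorted(s))):
        p = scenario_success_probability(cut, ASSUMED_P)
        print(f"{len(cut)} acts  p={p:.3f}  {sorted(cut)}")
    print("easiest:", easiest_scenario(ASSUMED_P))
```

Run stand-alone, the script lists seventeen minimal cut sets: the single "plug-in" power branch, four two-act pump combinations, and twelve three-act combinations that involve a closed valve and therefore also require the indication to be defeated. The `ASSUMED_P` table is the place where a reviewer substitutes plant-specific judgments from the worksheets (skills, tools, time, detection), which is what objective 3 of the study calls for; the enumeration itself does not change.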

Reference to WASH-1400 provides an additional insight which cannot be ignored. Even if a saboteur were to be totally successful in initiating an event resulting in a substantial radioactive release, the probability of his actions resulting in a significant number of deaths or injuries is fairly low. This low "success" probability is the result of factors over which a potential saboteur has little or no control. These factors include the actual kinetics of the event, the release and plate-out of fission products, the meteorological conditions, the extent of personnel evacuation, and possible counter actions by the plant staff such as delayed initiation of containment sprays or closure and controlled venting of containment.

Eventually a finite number of scenarios can be identified whose possibility cannot be ruled out on credibility grounds. Once identified, it is necessary to evaluate these potentially credible scenarios for completeness, characterization of the requisite skills of the saboteur, potential for premature detection, and overall ease or difficulty. Based on these evaluations it is possible to reach some general conclusions relating to sabotage of the plant by an insider acting alone or in cooperation with an outside group. For this study, scenario evaluation was conducted by individually evaluating a number of scenarios. Work underway at Sandia Laboratories 1/ would allow these manipulations to be conducted using computer techniques. The Sandia work appears complementary with the work performed in this study, and, in fact, has the potential for significantly expanding its usefulness. It is also possible to identify areas of plant weakness, from a sabotage viewpoint, and take any corrective action which may appear appropriate.

As a final observation, it is possible that any evaluation will fail to identify all potential scenarios of reasonable credibility until well into the final review processes. Should this occur, the methodology should permit that previously overlooked scenario to be evaluated fairly quickly without invalidating or requiring changes to any other part of the study. Proposed changes in plant design which may occur through the life of the plant can similarly be assessed without affecting previously completed portions of the study.

Confirmation of Scenarios

In any engineering study it is important to perform an independent check for possible errors or incompleteness prior to use or publication. While the results of this study will receive a wide distribution, only a relatively few people will have access to the details on which the conclusions were based. As such, a more stringent than normal review procedure was employed throughout the study, specifically:

1. All completed worksheets were reviewed with the PWR and BWR utilities selected for study to assure their correctness.

2. All scenarios were reviewed with the PWR and BWR utilities selected for study, including management not involved in developing the worksheets, to assure correctness and completeness.

3. All scenarios were reviewed by an independent review group representing three of the sponsoring utilities to assure their correctness and completeness.


4. The study results and methodology were presented to a group representing all of the study's sponsors, partially to assure that no obvious errors or omissions existed.

5. The study's methodology and major scenarios were independently reviewed by Dr. Norman Rasmussen, the director of the WASH-1400 study.

All of these independent reviews supported the methodology and provide reasonable assurance that the majority of credible scenarios have been considered.

Analysis of Scenarios

Once the potentially viable scenarios are developed, the process of evaluation was undertaken. This task, while at first impression somewhat open-ended, was actually simplified by a number of natural constraints. First, the actual number of combinations of systems and components whose sequential or combined sabotage could lead to a substantial off-site release of radioactivity is limited. Secondly, the majority of these scenarios require a "final action" which places fairly well defined time sequences on the scenarios. For example, if the final action must be loss of off-site power, initiation of this action at a premature time would generally result in plant shutdown, discovery of other elements of the scenario, and probable recognition of the sabotage attempt.

The key consideration in developing and evaluating sabotage scenarios is the requirement for a core meltdown. Any scenario not resulting in a substantial core melt, while potentially expensive to the utility, would not be expected to have a substantial impact on public health and safety. (Damage to radioactive waste storage or spent fuel facilities could result in off-site releases, but other constraints limit the magnitudes of these releases.) Reference to WASH-1400 shows that in order to effect a core meltdown one or more of a rather limited number of finite actions must occur -- basically, either a loss of core coolant or an extended loss of all means of heat removal.


Other considerations tend to influence the number of scenarios actually requiring investigation. For example, sabotaging of equipment which is normally operating must be a final action or in close proximity to a final action. The severing of pipes or other techniques for initiating a loss of coolant must similarly be final actions or in close proximity thereto (parenthetically, we note that in the majority of cases such actions would likely result in death or injury to the saboteur). The sabotaging of most equipment, for example Emergency Core Cooling Systems, must be accompanied or followed by an act which leads to a need for that equipment.

By reference to individual worksheets (or logic diagrams) the various factors affecting each sabotage action can be assessed. Even a superficial evaluation will eliminate certain scenarios from further consideration. For example, a scenario which requires disruption of cooling water at the water intake structure (usually a separate building some distance from the main plant) followed immediately by a loss of coolant initiated by opening valves in the containment can be dismissed because of the logistical problems of these acts by a single insider. Numerous less obvious but equally relevant examples occur as detailed evaluations are made. Another example is that scenarios which require gagging of certain types of relief valves which are designed without gags can be eliminated. One area of considerable difficulty which many other studies have chosen to accept without challenge is loss of off-site power. For the plants specifically considered for this study, the deliberate and properly timed removal of all off-site power was an act of considerable difficulty. With one possible exception, it would have required a number of trained marksmen with high powered rifles or substantial explosives all closely coordinated. Such a substantial paramilitary action would appear sadly misplaced being used to selectively attack 230 kV or larger transmission towers or large transformers in widely dispersed electrical substations on the assumption that a single inside operative could successfully complete a complex series of unlikely actions on a prearranged schedule. Accordingly, we have included deliberate loss of off-site power as a mechanism in successful sabotage scenarios, but believe that its integration into a successful sabotage does or can be made to represent a difficult action. For some stations of which we are aware the removal of off-site power, while still a major effort, would be more credible than for the plants studied.


Another factor which was specifically considered in the study was indication that a particular action had taken place. For example, changing a particular valve line-up so as to render a system ineffective would in many cases be indicated to the plant operators by alarms or changes in status lights. The saboteur is thus faced with the possibility of detection or the need to include disabling the indication in his tasks; this disabling, of course, represents yet another action which must be successfully performed. Disabling the indication is often a more demanding task than disabling the associated system or component; for example, certain commonly used motor operated valves have their position indicators built into the covered operating mechanism, making deactivation at the valve fairly difficult. Another consideration, less easily manipulated, is the periodic equipment tests and operator check-offs. These equipment checks, ranging from twice per shift through periods up to once per month for a substantial amount of important equipment, place practical constraints on the time available to perform a successful act of sabotage.

One of the more interesting results is that credit for the use of explosives inside of the plant does not materially alter any conclusions of the study. There exist only a few cases where explosives significantly ease the task for a knowledgeable saboteur. In these cases the amount, location, or environment in which the explosives must be employed form the basis of a substantial deterrent. Since this study was limited to a single, knowledgeable insider, the question of a group of unsophisticated saboteurs using explosives as their principal vehicle for sabotage was not considered. Similarly not considered was the question of "very large" amounts of explosives which could indiscriminately blow up major portions of the plant. Such considerations would appear unrelated to the issues which this study is primarily addressing.

In addition to the scenarios considered in the study, there exists a broad class of scenarios which do not lend themselves to definitive evaluation. These include such hypothesized events as diversionary and destructive fires, releases of poison or disabling gases, explosives directed at persons or major control centers, and other non-specific actions. In each example of this type, there exist compelling arguments that such requirements as plant separation criteria, alternate control room requirements, ventilation requirements against toxic gases, and fire protection considerations make the probable consequences of such events manageable. These arguments are persuasive, but a precise analysis is difficult.

It is, however, equally difficult for a dedicated saboteur to predict the ultimate consequences of his actions -- certainly they are less predictable than the scenarios considered in this study. Further, it appears unlikely that a saboteur who would resort to such violent and uncertain actions would find any significant deterrent in the presence of an additional locked door or a "buddy." It appears equally unlikely that a knowledgeable saboteur acting alone would resort to these techniques except as final nuisance actions, since in the majority of cases they would tend to mobilize emergency personnel and procedures earlier than he would find desirable.


OVERALL CONCLUSIONS

Based on the work done for this study and the critical review by the sponsoring utilities, a number of overall conclusions have been reached:

1. The methodology of the study appears viable in providing individual plant owners with a disciplined engineering approach to evaluating the sabotage potential of that plant.

As the study progressed, modifications by the authors and reviews of the sponsoring utilities relied more and more on the logic diagrams; additional information or corrections were made on these diagrams because of the convenience and visibility. The worksheets proved invaluable as input for these modifications or additions. The various plant engineering drawings, Safety Analysis Reports, and construction drawings were also useful, but these "paper references" were no substitute for actual observation of the plant and familiarity with its layout and idiosyncrasies.

2. Sabotage of an operating nuclear power plant leading to a substantial release of radioactivity off-site by a single inside saboteur is a very difficult and uncertain undertaking.

While the study was able to identify a number of potentially successful sabotage scenarios for both the PWR and BWR, the actual actions necessary to complete them would require an exceptional level of skill coupled with a generous amount of luck. No scenario could be identified which could be completed by a single action or by repeating a single type of action (e.g., closing a number of valves or disabling a number of relays). Each scenario required a series of different, often hazardous, skills which must be properly sequenced and usually clandestinely accomplished.

3. If required, engineering modifications can be made to individual plants which will render identified scenarios substantially more difficult or impossible.

As with successful plant operation, a successful sabotage is a detailed series of step by step actions, each of which must be properly conducted. If this step by step scenario is broken, the sabotage is not likely to be successful. For most scenarios, one or more of the steps is so difficult as to render the scenario unreasonable. Where this is not the case, compensating engineering solutions which do not compromise plant safety or operability usually can be identified.

4. Generic requirements such as the two-man rule or subcompartmentalization are neither necessary nor appropriate. All of the scenarios for this study were developed for the plants as currently designed and operated, with the assumption that the insider had normal access to the plant. The additional burden imposed by the use of the two-man rule would in all probability serve only to jeopardize the well-being of the "buddy," since disabling him would represent one of the easier actions in a scenario. Extensive subcompartmentalization could have additional deterring effects on certain scenarios, but would likely have an equal deterring effect on recovery actions, including recovery actions from events in no way related to sabotage. Subcompartmentalization could represent one engineered approach for certain pieces of equipment at some plants, but this approach has significant negative aspects when indiscriminately imposed on a generic basis.

5. The probability of a single inside saboteur escaping detection, injury, or death is low. The majority of the sabotage scenarios require actions which normal plant safety requirements would prohibit, such as working on energized electrical equipment, disabling high pressure piping, or entering areas not normally occupied. Further, the saboteur is performing acts for which personnel safety provisions are not provided, and for which equipment behavior is not predictable. The possibility of unexpected alarms, equipment failures, steam releases, electrical arcing, or equipment operation all increase the possibility that even the most knowledgeable saboteur will be detected, injured, or killed.

6. Even for scenarios identified as successful acts of sabotage, considerable uncertainty exists as to the degree of success or the correctness of the scenario. Successful scenarios identified in this study are based primarily on chains of events identified in various reactor safety studies. All of these studies, including the more "realistic" WASH-1400, have identified and unidentified conservatisms to assure protection of public health and safety. While in most cases no quantitative assurance of this conservatism exists, its very existence is an uncertainty to a saboteur. In order to improve his chances of success, the saboteur would probably exceed the scenarios developed by this study. By how much should he exceed them? We don't know; neither does the saboteur.

In summary, based on this study we reach conclusions similar to others who have performed such studies; that is, sabotage of a nuclear power plant in a manner to have a substantial effect on public health and safety is theoretically possible but very difficult and very uncertain as to results. For such sabotage to be performed by a single insider, with or without outside help, is an act of great uncertainty and personal danger. When viewed in this light, little, if any, additional deterrent is provided by such generic approaches as the two-man rule or subcompartmentalization, which provide only small incremental changes in difficulty or danger to the postulated saboteur. On the other hand, these generic solutions have significant incremental effects on plant operational difficulty and costs, as well as an undefined but potentially negative impact on plant safety.

As a final observation, this study does not represent the entire picture of the vulnerability of a nuclear plant to sabotage by an insider. Other requirements such as personnel screening, access control, personnel search procedures, and work authorization and containment checkout procedures provide additional deterrents which would limit the number and capabilities of any potential saboteurs who may exist. These additional deterrents, although not specifically addressed, should further support the conclusions of this study.


REFERENCES

1/ An Appraisal of the Potential Hazard of Industrial Sabotage in Nuclear Plants, C. Rogers McCullough, Stanley Turner, Raymond Lyerly, SNE-51, July, 1968.

2/ Safety and Security of Nuclear Power Reactors to Acts of Sabotage, Sandia Laboratories, SAND 75-0504, March, 1976.

3/ Nuclear Safety, Vol. 17, No. 6, Nov-Dec, 1976.

4/ NUREG-0144, Summary Report of Workshop on Sabotage Protection in Nuclear Power Plant Design, February, 1977.

5/ "Mickelson Study" -- classified.

6/ WASH-1400, Reactor Safety Study (Rasmussen Report), 1976.

7/ U.S. NRC, Office of Nuclear Regulatory Research Study, "Integration of Plant Design and Damage Control into LWR Safeguards," Sandia Laboratories.

AREAS OF EXPERTISE

[Back-cover brochure of KMC, Inc.; the descriptive text is not recoverable from the scan. Areas listed: Technical Management; Health Physics; Nuclear Engineering; Radiation Protection and Waste Management; Plant Operations; Structural and Mechanical Design; Electrical and Instrumentation Engineering; Auxiliary Systems; Facility Operations; Environmental Considerations; Emergency Plans.]

KMC, Inc.
1747 Pennsylvania Ave., N.W.
Washington, D.C. 20006
202/223-3163

Dr. Donald F. Knuth - President
John E. McEwen, Jr. - Vice President
Nancy L. Hickman - Treasurer-Secretary
Troy B. Conner, Jr. - Chairman