
Kryuchkov, Fundamentals of Nuclear Materials Physical Protection, 2011


Zoning helps establish a defense-in-depth system to detect the intruder’s attempts to defeat separate barriers (area boundaries) and predict the intruder’s movement path and targets (Fig. 5.1, b).

In addition, zoning makes it possible to differentiate personnel access into some areas and, additionally, be fully aware (with an accuracy up to an area) of where the NI personnel are (Fig. 5.1, c).

Adequacy of the PPS to assumed potential threats and models of potential intruders.

The concept of PPS adequacy to threats means that the PPS must be “tuned” exactly to the threats assumed. Where the system is designed to deal with a milder potential threat, no protection will be ensured. Where, on the contrary, the PPS is redundant (just in case), excessive capital and operating costs may be involved.

The PPS structure, composition and operation thus depend on the potential threats and potential intruder models assumed.

We shall introduce some of the terms and definitions used in the field.

Threat - a potential for an act of sabotage or an NM theft.

External threat - a threat coming from an external attacker.

Internal threat - a threat coming from an insider.

Attacker model - a combination of qualitative and quantitative characteristics of an intruder used to analyze the resistance to sabotage, formulate requirements for the PPS and appraise the PPS efficiency.

External attacker - an attacker from among the persons without the right of access to the protected area.

Insider - an attacker with the right of unescorted access to the protected area.

Examples of major threats to an NI are:

a theft of NM or NM-based items;

sabotage at a nuclear facility (NF) or within an NM storage facility;

a terrorist act;

nuclear blackmail.

As an act of nuclear blackmail requires the intruders to seize NM or the NF’s key components, protection against this threat is reduced to ensuring physical protection against the first two types of threats.

Now we shall look at major intruder types as the “bearers” of the above threats.

The classification of intruders is given in Fig. 5.2.

Further we need to build models of potential intruders which can be divided into “macromodels” and “micromodels”.

[Figure: classification diagram. Intruder: External intruders (group of intruders acting by force; single intruder with no right of access to the installation); Insider (auxiliary personnel with limited access to guarded areas; key personnel with the right of access to vulnerable points; guard personnel with limited access to guarded areas); Conspiracy.]

Fig. 5.2. Classification of intruders

A macromodel contains the following data:

intruder type;

anticipated act;

target;

number of intruders (where there is more than one intruder);

awareness;

preparedness;

equipment, if any;

weapons.

A micromodel contains the following data:

techniques to defeat physical barriers and detection sensors (DS);

speed of movement within the DS detection area;

appliances at hand, if any;

dedicated facilities intended, e.g., to disable DSs, if any.

Macromodels are used primarily to conceptualize the PPS design in general, while micromodels help formulate requirements, say, to the detection sensors and physical barriers on the perimeter, in local areas, within buildings and rooms, etc.

Practically, an intruder model for a particular NI is formed for the installation after its vulnerability is analyzed by filling in respective questionnaire forms.


Of note is that the intruder model should be revised on a regular basis. The reason for this may be a change in the political situation in the country or in the region or an onsite change (redeployment, relocation of NM, a change in the NI infrastructure and so on).

Timely countermeasures.

Timeliness of countermeasures means that, whatever the scenario under consideration, the relation $T_i \geq T_{rf}$ is to be fulfilled, where $T_i$ is the time required by the intruder to accomplish his objective and $T_{rf}$ is the time needed by the response force to suppress the said action in response to alarms from respective facilities.

Balanced strength of the PPI protection given the PPI value (attractiveness), potential consequences of unauthorized activities and the potential of any scenarios to be realized by the attacker.

The definition is absolutely clear so no comments on this are needed.

Adaptivity.

This suggests the PPS capability to adapt to changes in:

· threats and intruder models;

· the installation’s layout and the boundaries of the guarded areas;

· locations of physically protected items;

· types and techniques of guarding;

· seasonal and climatic conditions.

Frequency of performance monitoring. Continuous monitoring serves the purpose of detecting any deviations from onsite routine, e.g. supervision as to correctness of the procedure performance by the PPS personnel. Because of large amounts of information that circulates in the PPS, current PPSs cannot do without automation of the monitoring process.

Physical protection is monitored at the agency level and at the level of the NI as such (self-monitoring).

General technical concept of the PPS design suggests ensuring reliability, survivability and unification of the PPS components, mutual compatibility thereof and so on. This is typical of many complex man-machine systems.


CHAPTER 6

PPS CREATION (PERFECTION) PROCESS. STAGES AND PHASES

The lifecycle of the physical protection system for a nuclear installation involves the creation of the PPS and support of its onsite operations. If we deal not with an installation under design but with an active installation where the PPS already exists, it makes more sense to talk about perfection rather than creation of the PPS.

The PPS lifecycle stages are shown in Fig. 6.1. The “feedbacks” between stages reflect the need for the work to be redone given a variety of factors (changes in threats, intruder models, site layout, locations and compositions of physically protected items, constraints on the feasibility of proposed decisions, etc.).

[Figure: block diagram. PPS creation (perfection): Predesign, Design, PPS commissioning; followed by PPS operation.]

Fig. 6.1. Lifecycle of a physical protection system.

The PPS creation (perfection) process comprises the following stages:

predesign;

design;

PPS commissioning.

The predesign stage includes the following phases:

NI vulnerability analysis, including analysis of threats and potential attacker models;

categorization of physically protected items (PPI), including nuclear material and critical components of nuclear facilities;

performance assessment of the existing PPS;

conceptual design of the PPS;

feasibility study, including prioritization of investments, crediting, etc.;

development of technical specifications for the PPS creation (perfection), including individual technical specifications for technical subsystems.

The design stage includes:

design of engineered physical protection features (EPPF);

development of engineering documentation for EPPFs;

development of organizational and technical documentation.

The PPS commissioning stage includes:

order placement for and supply of equipment (under design documentation);

construction and erection;

startup;

development of operating documentation;

run-up;

training of the PPS personnel;

development of required site-level regulations;

initial tests of engineered physical protection features (EPPF);

pilot operation of the PPS;

acceptance tests of the PPS;

acceptance of the PPS.

A note should be made that the design and commissioning stages are fairly standard and typical of many PPS-like complex systems, while predesign takes into account the specific features of the physical protection system.

The work to create (perfect) the PPS for an NI begins with the installation vulnerability analysis. The items to be subject to physical protection (PPI)¹ and the potential intruder models for each PPI are identified at this stage.

The PPIs are then categorized and the NI PPS efficiency is assessed (actual physical protection status for active installations) given the PPI categorization results and other factors. Weaknesses in the PPS are identified.

Proposals are further developed on removing the detected weaknesses and so raising the security status of nuclear material. These proposals are concerned with the structure and composition of engineered physical protection features (types and arrangement of detection sensors, situation assessments, access control, control panels and so on), the structure and composition of physical barriers (perimeter, onsite, buildings and rooms) and tactics of the response force. The efficiency of the options is assessed, and the materials and workforce needed to implement these are identified.

¹ The NI vulnerability analysis and the PPS efficiency assessment are discussed in more detail in the chapters that follow.

The site security service examines the options and chooses the most feasible one. This takes into account not only the efficiency and the cost of the option in question but also practical considerations relating to the NI operations (installation retrofit plan, etc.).

The scope of the work for the most complex PPS creation phases (NI vulnerability analysis and PPS efficiency assessment) is considered below. A note should be made that a vulnerability analysis should be conducted on a periodic basis to track down potential changes in threats, intruder models, onsite NM configurations and the PPS structure and composition. The PPS efficiency is subject to assessment not only at the predesign stage but at all subsequent stages as well, including during the PPS operations following the commissioning.


CHAPTER 7

NI VULNERABILITY ANALYSIS

A vulnerability analysis shall be performed early into the predesign stage and include, primarily, determination of the external and internal threats the installation may be exposed to and the vulnerability areas to be subject to physical protection.

The NI vulnerability analysis results are taken as the input for the NI conceptual design.

The key phases of a vulnerability analysis are:

formation of an expert team to conduct the analysis;

development of the analysis program;

acquisition of initial data on the NI vulnerabilities and the items to be subject to physical protection;

determination of threats and attacker models;

finalization of the analysis results.

As defined by the “Physical Protection Rules ...”, a vulnerability analysis is undertaken by the NI administration involving, where required, specialized organizations (security agencies, research and design organizations specializing in the field of the given NI, etc.).

Determination of the NF vulnerability areas is the process of identifying the NF elements that may be potential targets of an attacker and the locations thereof.

In terms of NM thefts, the NI vulnerabilities are locations within the guarded areas where NM is stored or used.

NM-related vulnerabilities are more apparent. These are NM locations. Identifying vulnerabilities of an NF requires special analytical work. For example, the answer to the question of whether failure (collapse) of an NF component (pump, vessel, pipeline, control system cable, etc.) leads to severe radiological effects is not altogether obvious and needs rather in-depth studies, NF simulations and so on.

The NF vulnerabilities may be identified using logic schemes and the mathematical graph-theory apparatus.

A logic scheme is an efficient tool of identifying vulnerabilities when considering potential threats of NM theft or acts of sabotage at the NF.

Let us consider an example of a hazardous aftermath (event), i.e. radioactivity escape as the result of an act of sabotage with respect to a component of a WWER-type reactor.


Normally, for an analysis, a tree of failures from sabotage (TFS) is built (Fig. 7.1).

It can be seen from Fig. 7.1 that the end event “Radioactivity escape” is expanded into intermediate events of level 1, level 2 and so on until we arrive at the initial events. Fig. 7.2 gives an example of the event “Escape during power operation” (level 3) expanded into 3 more levels.

[Figure: fault tree. Top event: Radioactivity escape from WWER reactor (REWWER). Next level: Escape from the fresh or spent fuel storage system (EFS); Escape from the core vessel (ECV); Escape from the RW storage system (ERWS). Lowest level shown: Escape during reactor shutdown (EDRS); Escape during refueling (EDF); Escape during power operation (EDPO).]

Fig. 7.1. Upper part of the TFS for WWER reactor

[Figure: fault tree. Top: EFC; Escape during power operation (EDPO). Next level: Escape during core melting (EDCM); Escape without core melting (EWCM). Next level: Reactor containment failure (RCF); Fuel element cladding failure from fuel melting (FCFFM); Failure of the primary circuit boundary (FPCB). Lowest level: Fuel melting as the result of loss-of-coolant accident with insufficiency of safety systems (FM-LCISS); Fuel melting as the result of loss-of-coolant accident with a failure of safety systems (FM-LCFSS); Fuel melting as the result of an operational occurrence with a failure of safety systems (FM-OOFSS).]

Fig. 7.2. Expansion of a level 3 event (Note: EFC – escape from core)

The next step in defining the protected area is to locate the NF component which, if failed, may induce the given event. To do this, the tree of events (Fig. 7.3) should be transformed into a tree of locations.

[Figure: event tree. Top event RE (“Radioactivity escape in escape of permissible level”); intermediate events IE1 to IE6; initial events E1 to E10; gates marked “I” and “&”; location labels L1 to L5.]

Fig. 7.3. Example of an event tree

Let us assume that the locations L1…L5 match the initial events E1…E10.
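The transformation of an event tree into a tree of locations, as an added example that is not from the original book: each initial event is replaced by the location where it can occur, and the minimal cut sets are then computed over locations. The gate layout, the event-to-location mapping and the helper names (`cut_sets`, `protection_sets`) are constructed for illustration and do not reproduce Fig. 7.3; the last step, deriving the minimal sets of locations to protect, goes beyond what the text states.

```python
from itertools import combinations, product

# Constructed fault tree (assumption, not Fig. 7.3): node -> (gate, children).
TREE = {
    "RE":  ("OR",  ["IE1", "IE2", "IE3"]),
    "IE1": ("OR",  ["IE4", "E6"]),
    "IE2": ("AND", ["E7", "IE6"]),
    "IE3": ("AND", ["E4", "E5", "E10"]),
    "IE4": ("AND", ["E3", "IE5"]),
    "IE5": ("OR",  ["E1", "E2"]),
    "IE6": ("AND", ["E8", "E9"]),
}
# Constructed mapping of initial events to the locations where they can occur.
LOCATION = {"E1": "L1", "E2": "L1", "E4": "L1", "E5": "L1", "E3": "L3",
            "E6": "L2", "E7": "L2", "E8": "L5", "E9": "L5", "E10": "L4"}

def minimize(sets):
    """Absorption law: drop every set that strictly contains another one."""
    sets = set(sets)
    return {s for s in sets if not any(t < s for t in sets)}

def cut_sets(node, leaf=lambda event: event):
    """Minimal cut sets of `node`; `leaf` renames initial events (e.g. to locations)."""
    if node not in TREE:
        return {frozenset([leaf(node)])}
    gate, children = TREE[node]
    parts = [cut_sets(child, leaf) for child in children]
    if gate == "OR":   # any child alone causes the parent event
        return minimize(set().union(*parts))
    # AND: every child is needed, so merge one cut set from each child
    return minimize(frozenset().union(*combo) for combo in product(*parts))

def protection_sets(location_cuts):
    """Minimal sets of locations that intersect every location cut set."""
    locations = sorted(set().union(*location_cuts))
    found = []
    for size in range(1, len(locations) + 1):
        for cand in map(frozenset, combinations(locations, size)):
            blocks_all = all(cand & cut for cut in location_cuts)
            if blocks_all and not any(prev < cand for prev in found):
                found.append(cand)
    return found

if __name__ == "__main__":
    location_cuts = cut_sets("RE", LOCATION.get)
    print("event cut sets:   ", sorted(map(sorted, cut_sets("RE"))))
    print("location cut sets:", sorted(map(sorted, location_cuts)))
    print("protect one of:   ", [sorted(s) for s in protection_sets(location_cuts)])
```

With this constructed input the five event-level cut sets collapse to three location-level ones, and protecting either L1 and L2, or L2, L3 and L4, leaves no cut set fully unprotected.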
