
The Twenty-Sixth International Training Course 1-1

1. Introduction to the International Training Course

Abstract. In 1978, the US Department of Energy selected Sandia National Laboratories as the organization to conduct the International Training Course on the Physical Protection of Nuclear Facilities and Materials. The course is designed to transfer technical information for the prevention of radiological sabotage and the theft of nuclear materials. It is organized around a three-step methodology for the design and analysis of a physical protection system: (1) define the physical protection system requirements, (2) design the physical protection system, and (3) evaluate the physical protection system design. The course structure presents the material to the participants through lecture sessions and gives the participants, divided into groups, an opportunity to apply the material through subgroup exercises. They are also given the opportunity to examine equipment in demonstrations. Finally, each subgroup works through a major physical protection design and evaluation exercise. Each subgroup presents their results. Although the course contains detailed information on physical protection, participants need not master all the material to learn and to use the design and evaluation methodology. It is presumed that participants reach different levels of understanding based primarily on their backgrounds and the subject matter’s relevance to their country’s needs.

1.1 General Information

1.1.1 Location

Description of Albuquerque, NM, USA

The International Training Course is held in Albuquerque, the largest city in New Mexico. Albuquerque lies in the Chihuahuan Desert at the crossroads of Interstate 40 and Interstate 25 in central New Mexico. The city lies on a plain along the banks of the Rio Grande River at the base of the Sandia Mountains. Albuquerque has approximately 500,000 residents and is situated at 5,000 feet (1,524 meters) above sea level.

Settlement History In 1706, Albuquerque was founded by a group of colonists who had been granted permission by King Philip of Spain to establish a new villa (city) on the banks of the Rio Grande (which means “big river”). The colonists chose a place along the river where it made a wide curve. The river provided water to irrigate the crops and the Bosque (cottonwoods, willows and olive trees) provided a source of wood. The site also provided protection from and the opportunity for trade with the Indians from the pueblos in the area. The early Spanish settlers were religious people, and the first building erected was a small adobe chapel. Its plaza was surrounded by small adobe homes, built close together for mutual protection against any threats posed by hostile forces in this vast and dangerous country. That church, San Felipe de Neri, still stands. The building itself has been enlarged several times and remodeled, but its original thick adobe walls are still intact. The church is the hub of Old Town, the historic and sentimental heart of Albuquerque, with activities such as shopping and dining. To this day, special holidays and feast days are still commemorated as part of the year-round attractions of this "original" Albuquerque.

Cultural Aspects Albuquerque represents a synergy of Native American, Hispanic, and Anglo cultures where traditional and modern cultures co-exist. The University of New Mexico is centered in Albuquerque. Native American reservations and pueblos exist near the city. Sandia National Laboratories brings science and technology to the city.

Aerial View of Sandia National Laboratories

Climate Albuquerque is renowned for its year-round, pleasant climate. Low humidity and warm temperatures combine to make Albuquerque an enjoyable destination during any season.

[Figure: Albuquerque Average Temperatures. Average high and average low by month, JAN through DEC, with axes in Fahrenheit and Celsius.]

Dress Southwestern informality prevails. Business occasions and theatrical events offer opportunities to dress more formally. During Albuquerque's warmer season, sweaters or jackets are advisable in higher-altitude areas.


1.1.2 Facilities

Sheraton Uptown Hotel

Sleeping accommodations are located at the Sheraton Uptown Hotel in Albuquerque. The Sheraton Uptown is located at the northeast corner of Menaul Blvd. and Louisiana Blvd. NE.
Address: 2600 Louisiana Blvd NE, Albuquerque, NM 87110
Phone number: 1 (505) 881-0000
FAX number: 1 (505) 881-3736

Sandia National Laboratories

The lecture room and subgroup rooms are located at Sandia National Laboratories (SNL) in the International Program’s Building (IPB) and the Innovation Parkway Office Center (IPOC). Transportation to and from the Sheraton Uptown and SNL will be provided on a daily basis.

1.1.3 Financial Responsibilities

IAEA Responsibilities

IAEA will pay for the participant’s room and associated tax for designated countries.


Participant Responsibilities

The participant is responsible for paying these charges:

Local and long distance phone calls
In-room movies
Room service
Mini-bar
Any other items charged to your room
Evening meals not stated on the ITC Schedule

Meals
Hotel provides:
Breakfast: Monday through Friday at 7:30 AM
Lunch: Monday through Friday at the IPB Bistro.
The participant pays for:
Evening and weekend meals, except where specified in the ITC schedule.

Transportation
Transportation to all course-related activities, including group meals and weekend activities, will be provided to the participant. Transportation for non-course activities is the responsibility of the participant. Hotel reception can help with most transportation questions. Some useful phone numbers are:
Yellow Cab (Taxi): 247-8888
Albuquerque Cab Company (Taxi): 883-4888
City of Albuquerque Bus Schedules are available from the hotel concierge

Health Care
For minor healthcare problems: Sandia’s medical organization and ITC Staff can help with colds, aches, pains, and minor accidents.
For major or emergency care: Obtain assistance from local doctors and hospitals.
The IAEA has provided temporary insurance. If you become ill, you need to: obtain the necessary services, pay for the services yourself, and then submit a claim to the insurance company when you return home.
For a non-emergency problem, contact:
Greg Baum, cell phone: 505-717-6340
Robert Otero, cell phone: 505-814-4363
In an emergency, call 911. You may also wish to contact the front desk for help.


1.1.4 Be On Time

Please Participate The ITC presents a great deal of information to the participants. For the participants to have the best possible learning experience and to avoid interfering with the learning environment, we ask that every participant be on time. Lecture start and break times will be clearly stated and each participant is expected to be seated and ready to proceed at the appropriate times.

1.2 Course Introduction

Sponsors This course is conducted by Sandia National Laboratories (SNL) on behalf of the US Department of Energy (DOE). It is funded by the US Department of State under the auspices of the International Atomic Energy Agency (IAEA).

1.2.1 History

DOE Commits to Transferring Physical Protection Information

When the United States Congress passed the Nuclear Non-Proliferation Act of 1978, it committed the DOE to provide training in physical security techniques and technology to Member States of the IAEA. The DOE selected one of its national laboratories, Sandia National Laboratories, to fulfill this U.S. commitment. In 1978, the International Training Course (ITC) on the Physical Protection of Nuclear Facilities and Materials was initiated. Course participants learn a methodology for designing and evaluating physical protection systems to guard nuclear facilities and materials against the threats of radiological sabotage and theft.

1.2.2 Sandia National Laboratories

Sandia’s Origin Sandia National Laboratories began in 1945 on Sandia Base in Albuquerque, New Mexico, as the Z Division of what is now Los Alamos National Laboratory. Both labs were born out of America’s atomic bomb development effort—the Manhattan Project. Sandia began as an ordnance design, testing, and assembly facility, and was located on Kirtland Air Force Base to be near an airfield and to work closely with the military. In 1949, President Harry Truman wrote a letter to the American Telephone and Telegraph Company president offering the company “an opportunity to render an exceptional service in the national interest” by managing Sandia. AT&T accepted, began managing the Labs on Nov. 1, 1949, and continued in that role for nearly 44 years.

Sandia’s Mission and Customers

Sandia’s original mission—providing engineering design for all non-nuclear components of the nation’s nuclear weapons—continues today, but Sandia now also performs a wide variety of national security research and development. The Lockheed Martin Corp. has managed Sandia since October 1, 1993, for the U.S. Department of Energy. DOE’s National Nuclear Security Administration (NNSA) sponsors most of Sandia’s work, but we also work for other federal agencies, including the Department of Defense, the Department of Homeland Security, and others. We work cooperatively with government, industry, and academic partners to accomplish our missions. Today Sandia employs about 7,900 people and has two primary facilities, a large laboratory and headquarters in Albuquerque and a smaller laboratory in Livermore, Calif.

Sandia’s Expertise Sandia National Laboratories staff has performed many evaluations and upgrades of nuclear facilities in the United States and abroad. A methodology for accomplishing these evaluations and upgrades has evolved. In addition, Sandia National Laboratories is the lead DOE laboratory in physical protection. Because of this capability, Sandia has presented this course since 1978 to participants from 68 different countries. Table 1-1 lists the countries that have participated in this training since 1978. It is the proven methodology developed and used by Sandia National Laboratories, coupled with supporting physical protection technology information, which has served as the basis for the courses.

Table 1-1. Participating Countries of Past ITCs

Albania, Algeria, Argentina, Armenia, Australia, Austria, Bangladesh, Belarus, Belgium, Brazil,
Bulgaria, Canada, Chile, China, Croatia, Cuba, Czech Republic, Denmark, DR of the Congo, Egypt,
Finland, France, Germany, Ghana, Greece, Hungary, India, Indonesia, Iran, Iraq,
Israel, Italy, Jamaica, Japan, Jordan, Kazakhstan, Korea, Latvia, Lithuania, Malaysia,
Mexico, Morocco, Netherlands, Nigeria, Norway, Pakistan, Philippines, Poland, Portugal, Romania,
Russia, Saudi Arabia, Serbia, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Syria,
Thailand, Tunisia, Turkey, Ukraine, Uzbekistan, Venezuela, Vietnam, Zaire

ITC Logo The course logo, an incomplete circle surrounding an atom, represents the mission of Physical Protection of Nuclear Facilities and Materials. If a nuclear facility could be completely enclosed with an impenetrable barrier, then the problem of physical protection would be very simple. Unfortunately, barriers are not impenetrable, and people and materials must move in and out of the facility. These imperfections in the barrier are represented by the opening in the circle. It is the goal of a physical protection system, then, to counteract or minimize the effect of having this opening in the barrier of a nuclear facility. The physical protection system is represented by the plug being placed in the opening of the barrier. We all recognize that in an actual facility, the plug cannot completely fill the hole in the barrier. Thus, the goal of this ITC is to teach participants to design a system that comes as close as is economically and operationally possible to filling the hole and to use evaluation tools that give a quantitative measure of how well the hole is filled.

Figure 1-1. International Training Course Logo

1.2.3 Course Objective

Course Objective At the end of this training course, participants will be able to apply the principles of a performance-based methodology to design and evaluate the physical protection of nuclear facilities and material against theft or sabotage.

1.2.4 Methodology

Design and Analysis Methodology

The design and analysis methodology presented in this course is reflected in the structure of the course. The methodology consists of three major steps:

1. Define physical protection system requirements—First, study the existing facility and its plans to learn all of the operations, conditions, and important physical features that affect the physical protection system. Then conduct a detailed study of the range of adversaries that the physical protection system must successfully counter. Finally, identify the most important areas or materials that must be protected from the adversary.

2. Design a physical protection system—Either identify the existing physical protection elements for potential upgrading or design a new protection system using elements of detection, delay, and response that are effective against the capabilities of the potential adversary.

3. Evaluate the physical protection system design—Given the information about the facility, threat, targets, and physical protection system, use accepted analysis techniques to obtain a measure of the protection system’s effectiveness. Redesign and reanalysis may be required if the measure of effectiveness is not satisfactory.

1.2.5 Course Structure

Mapping Course Structure to the Methodology

Table 1-2 lists all the lectures arranged in relation to the three major steps of the design and evaluation methodology, including sections covering the introduction, supporting information, application, and course summary.

Course Elements Three elements are used in the ITC to present the material, to give participants an opportunity to use the material, and to allow examination of equipment and security installations. The three mechanisms are:
lectures
subgroup exercises
equipment demonstration

1.2.5.1 Lecture Sessions

Technical Experts Present Lectures

The ITC introduces each subject with a lecture developed by technical experts at Sandia National Laboratories. A technical expert will present the material and will be available for questions at the conclusion of each lecture. The participant notebooks contain reference material and copies of the slides used in the presentation. All participants attend the lectures as a group.

Guest Speakers The ITC also features guest lectures from the International Atomic Energy Agency, physical protection experts from other Member States, the US Nuclear Regulatory Commission, the US Department of State, and the US Department of Energy.

1.2.5.2 Subgroup Exercises

Subgroups Are Team Efforts

The course participants will be divided into teams of six people to work together in subgroup exercises. A subgroup exercise follows a lecture or group of lectures. Table 1-2 shows the schedule of all lectures and subgroup activities. The subgroup exercise consists of a review of the lecture material, structured exercises for solving problems, and questions for discussion.

Participants Apply Information from Lectures to Subgroup Exercises

The subgroup sessions provide the participants with the opportunity to work problems using the hypothetical facility data (found in the Exercise Data Book) and to ask questions in a small group environment. The teams complete the exercises, thus giving each participant the opportunity to apply the lecture material to practical situations. After the exercises are completed, more subjective and advanced questions on the actual application of the technology are discussed if time permits. As the course progresses, subgroup problems build on data and conclusions from earlier problems. A hypothetical facility, the Lagassi Institute of Medicine and Physics (LIMP), is introduced, and one of the center’s facilities, the research reactor, is used throughout the subgroup exercises.

Subgroups Form Teams

Members of each team are carefully selected to ensure that all groups are balanced with respect to physical protection responsibilities and experience and that the participants will be able to work well together. The subgroup instructor is a member of the Sandia National Laboratories staff who has been specially trained for this assignment. Each team will remain with the same subgroup instructor during the entire course. The subgroup instructor’s role is to answer questions about the material and to help the team complete the exercises.


Final Exercise Incorporates Material from Entire Course

The final subgroup exercise is a major design and analysis problem in which the teams use the course methodology to design and analyze the physical protection system for a facility at the LIMP. With the completion of this design and analysis problem, the participants will have used the methodology several times in problems of increasing difficulty. The participants will then be prepared to take this methodology back to their own country and apply it to the most difficult problem, their own facility. Each subgroup will make an oral presentation of their final exercise solution to a panel of physical protection experts from Sandia National Laboratories’ technical management. The panel will discuss the solutions and offer suggestions.

Table 1-2. The Twenty-Third International Training Course

| Design Steps | Lectures | Subgroups |
|---|---|---|
| — Introduction | 1. Introduction to the International Training Course and DEPO | |
| I. Define Physical Protection System Requirements | 2. Facility Characterization and Target Identification; 3. Introduction to Hypothetical Facility; 4. Threat Definition; 5. Risk Management and Regulatory Requirements | Subgroup 3S; Subgroup 4S |
| II. Design a Physical Protection System | 6. Design of Physical Protection Systems; 7. Intrusion Detection Sensors; 8. Entry Control Systems; 9. Contraband Detection; 10. Alarm Assessment; 11. Access Delay; 12. Response Force; 13. Alarm Communication and Display; 14. Performance Testing; 15. Performance Testing Response | Subgroup 7S; Subgroup 8S; Subgroup 9S; Subgroup 10S; Subgroup 11S; Subgroup 12S; Subgroup 13S; Subgroup 15S |
| III. Evaluate the Physical Protection System Design | 16. Evaluation of Physical Protection Systems; 17. Path Interruption Analysis; 18. Adversary Sequence Diagram; 19. Multipath Analysis; 20. Neutralization Analysis; 21. Scenario Analysis; 22. Tabletop Analysis; 23. Insider Analysis | Subgroup 17S; Subgroup 18S; Subgroup 19S; Subgroup 20S; Subgroup 21S; Subgroup 22S; Subgroup 23S |
| — Application | 24. Transportation Security; 25. Cyber Security; 26. Introduction to the Final Exercise; Presentation of Subgroup Results | Subgroup 24S; Subgroup 26S |


1.2.5.3 Equipment Demonstration

Test Field Demonstrations

Before the final subgroup exercise, the entire group will take a field trip to observe examples of physical protection system components. Technical personnel who work with physical protection equipment at Sandia National Laboratories will show equipment to the class for exhibition and demonstration.

1.3 Scope

Data Is Hypothetical; Facilities Need to Develop Their Own Databases

The International Training Course is designed to present detailed information on the physical protection of nuclear facilities and materials. It provides a basic methodology for the design and evaluation of a security system. The data tables included throughout the written material are approximate and should be used only as estimates in working the exercises for this course. Each facility should run its own tests and experiments to obtain data for application at the specific facility.

Participants from All Areas of Physical Protection

The course material was designed for participants with a wide range of technical backgrounds and experience. It is not essential that all of the material in the course be mastered by all participants.

1.4 INFCIRC/225

INFCIRC/225 Rev. 5 Provides Basis for Reference

Information Circular 225, Rev. 5, The Physical Protection of Nuclear Material and Nuclear Facilities (INFCIRC/225/Rev.5), contains recommendations issued by the International Atomic Energy Agency (the IAEA or the Agency) for the information of all Member States. Throughout the ITC, references are made to the recommendations in INFCIRC/225/Rev.5. INFCIRC/225 explicitly states that its recommendations should be reviewed and updated periodically to reflect the state of the art in the physical protection of nuclear material. The recommendations quoted in the ITC material are current and consistent with Revision 5 of INFCIRC/225, but may be superseded by future revisions of INFCIRC/225. INFCIRC/225 has become the primary basis for implementation of national systems of physical protection by Member States. States do not formally notify the IAEA of their adherence to or acceptance of the recommendations of INFCIRC/225. Member States reflect their acceptance through their national laws, regulations, bilateral agreements for cooperation, specific assurances between supplier and recipient states involved in nuclear transfers, and implementation practices at nuclear facilities.

1.5 Course Conclusion

Help Us Improve the Course

Improvements are made each time the course is presented and reflect the result of a series of evaluation questionnaires that the participants are asked to complete each day, rating the sessions and providing suggestions on how to improve the material for the next course. These comments are important because the material is revised each year. You are benefiting from the input of all previous course participants. For the benefit of those in future courses, you will be asked to critique this course very seriously.

Course Methodology

In this session, we have introduced the design and evaluation methodology used successfully by Sandia National Laboratories and explained that the course is structured around this methodology. The use of lectures, subgroups, field trips, and equipment demonstrations was explained. Table 1-2 is a schedule of the entire course.

1.6 Process of Physical Protection System Design and Evaluation

1.6.1 Overview

Creating an effective physical protection system includes the determination of the physical protection system requirements, the design of a new physical protection system or characterization of an existing physical protection system, the evaluation of the design or system, and, most likely, a redesign or refinement of the system. To develop the requirements, the designer must begin by gathering information about facility operations and conditions, such as a comprehensive description of the facility, operating states, and physical protection requirements as well as regulatory requirements. The designer then needs to define the threat, which involves considering factors about potential adversaries: types of adversaries, the adversary’s capabilities, and the range of the adversary’s tactics. Next, the designer should identify targets. Determination of whether nuclear materials are attractive targets is based mainly on the type and quantity of material and the ultimate goal of the adversary threat. Finally, the designer must identify the regulatory requirements and risk management considerations. The designer now knows the objectives of the physical protection system, that is, “what to protect against whom.” The next step is to design the new system or characterize the existing system. If designing a new system, one must determine how best to combine the components and elements that provide the three functions of detection, delay, and response to meet the objectives of the system. After a physical protection system is designed or characterized, it must be analyzed and evaluated to ensure it meets the physical protection requirements. Evaluation must consider the effectiveness of a system of elements that work together to assure protection rather than regarding each element separately. Due to the complexity of protection systems, an evaluation usually requires modeling techniques. 
If significant vulnerabilities are found, the initial system must be redesigned to correct the vulnerabilities and a reevaluation must be conducted.


1.6.2. Introduction

Balanced PPS Ensures Best Use of Resources

The implementation of an effective physical protection system (PPS) requires a methodical approach in which the designer or analyst evaluates the effectiveness of a proposed or existing PPS against the objectives or requirements for the PPS. Without this type of careful assessment, the PPS might waste valuable resources on unnecessary protection or, worse yet, fail to provide adequate protection at critical points of the facility. For example, it would probably be unwise to protect a facility’s employee cafeteria with the same level of protection as the facility’s fuel storage area. However, sophisticated and expensive security features at a facility’s main entrance would be wasted if uncontrolled entry were possible through a cafeteria loading dock.

1.7 Security Design and Evaluation Approaches

Use System Performance to Evaluate Effectiveness

Any design process must have criteria for evaluating elements of the design. INFCIRC/225 Rev.5 states “The State should define requirements for the physical protection of nuclear material in use and storage and during transport and for nuclear facilities…” A design process based on performance requirements will select elements and procedures according to the contribution they make to overall system performance. The effectiveness measure will be overall system performance.

Other Design and Analysis Methods: Expert Opinion and Standards

Historical approaches to security design and analysis have included the use of expert opinion and the development of standards and associated design features. Expert opinion relies on the experience and abilities of a person or persons to correctly evaluate and suggest design improvements. The process is subjective, inconsistent, and biased towards the particular experiences of the people involved.

Feature-Based Approach Uses Presence of Elements

Standards development is one way to build consistency and repeatability into evaluation of system design. Often, a set of “features” is required to be present to meet those standards. A feature-based approach selects elements or procedures to satisfy requirements that certain items are present. The feature-based approach can lead to the use of a “check list” method to determine system effectiveness based on the presence or absence of required features. For example, a performance criterion for the perimeter detection system would be that the system be able to detect an intruder using any attack method. A feature criterion for the same detection system might be that the system has two specific sensor types, which might not detect one of the adversary’s attack methods. The use of a feature-based approach in regulations or requirements that apply to physical protection systems should generally be avoided or handled with extreme care.


RTC Emphasizes Performance-Based Approach

The conceptual design techniques that are presented in this course are based on a performance approach to meeting the physical protection system requirements. Much of the component technology material will, however, be applicable to either performance-based or feature-based design methods. Analysts should evaluate overall system performance, rather than the mere presence or absence of system features or components. This means that the PPS is designed and evaluated to ensure it provides a required level of performance or protection.

1.7.1 Define Physical Protection System Requirements

Characterize the Facility, Define the Threat, and Identify the Targets

The first step in the development and evaluation of a PPS design, as shown in Figure 1-3, is to determine the requirements of the protection system. To formulate these requirements, the designer must:
- Characterize the facility operations and conditions
- Define the threat spectrum
- Identify the targets of the adversary
- Identify regulatory requirements

Describe Physical Features, Processes, and Current PPS

Characterizing facility operations and conditions requires:
- developing a thorough description of the facility, including the location of the site boundary, building locations, floor plans, structure elevations, and access points
- describing the processes and operations within the facility
- identifying existing physical protection system elements

Sources of Information

Characterization information can be obtained from existing documentation and personal contacts, such as:
- facility design blueprints
- process descriptions
- safety analysis reports
- environmental impact statements
- site tours
- interviews with facility personnel

These sources help provide an understanding of the physical protection interface requirements for the facility and an appreciation for the operational and safety constraints. An effective physical protection system design must balance the often conflicting objectives of safety, operations, and security.


Legal and Cultural Issues

Another important consideration during facility characterization is the cultural, legal, and regulatory environment. Regulatory requirements may impose specific design approaches that must be met while achieving desired performance levels. Legal and cultural issues may constrain the options available to the designer in trying to meet PPS goals.

Determine the Design Basis Threat (DBT)

Next, a threat definition for the facility must be made. INFCIRC/225 Rev. 5 states that “A design basis threat developed from an evaluation by the State of the threat of unauthorized removal of nuclear material and of sabotage of nuclear material and nuclear facilities is an essential element of a State's system of physical protection.” Information must be collected to answer these questions about the adversary:
- What types of adversaries need to be considered?
- What are the adversaries’ intentions and motivations?
- What tactics will the adversary use?
- What are the adversary’s capabilities?
- How many adversaries may attack?

[Figure 1-3. Design and Evaluation Cycle. Boxes: Define PPS Requirements, Design PPS, Evaluate PPS, Final PPS Design, Redesign PPS]

Classes of Adversaries

Adversaries can be separated into three classes: outsiders, insiders, and outsiders in collusion with insiders. For each class of adversary, the designer should consider the full range of tactics, including combinations of the following:
- Deceit is the covert attempt to defeat a physical protection system by using false identification.
- Force is the overt attempt to defeat a physical protection system by physical force.
- Stealth is the covert attempt to defeat a physical protection system by technically defeating the intrusion detection sub-system.

Understanding the Adversary

Important capabilities for an effective adversary to have include: knowledge of the PPS, any skills that would be useful in the attack, and tools and weapons that could be used in the attack.


Because it is generally not possible to test and evaluate all possible capabilities of an unknown adversary, the designer and analyst must make assumptions. These assumptions can be based on published information about human performance and the tested performance of physical protection elements.

Target Identification

Adversary target identification must be performed for the facility. At most nuclear facilities, nuclear materials appear in several different physical and chemical forms. The attractiveness of these materials as theft or sabotage¹ targets depends greatly on their form, since the form of the material determines its ease of acquisition by the potential thief, as well as the ease of subsequent malicious use. In light water reactors, for example, nuclear material appears in four forms: fuel assemblies, solid wastes, liquid wastes, and gaseous wastes. These materials rank differently in terms of their attractiveness to a potential saboteur or thief.

Knowledge of Vital Areas Is Used in Preventing Sabotage

In a nuclear reactor, the greatest concern in the design of a PPS is to prevent radioactive release from the reactor that may be caused by sabotage. Vital areas (those areas within a reactor complex that contain equipment, systems, devices, or material whose failure, destruction, or misuse could result in a radiological release endangering the public) are of particular concern. For example, the containment building that houses the reactor, the steam generators, and the primary coolant loops will always be designated a vital area. Other locations containing machinery and safety systems designed to decrease the severity of accidental damage to nuclear facilities may also require designation as vital areas.

Adversary and Targets Are Not Independent

The three topics for defining PPS requirements – characterize facility, define threat, and identify target – are not totally independent. Thus each must be considered while taking into account knowledge of the others. For example, the types of adversary are probably dependent on the types of facility targets.

Protection Objectives

Given the information obtained through facility characterization, threat definition, and target identification, the designer or regulator can determine the protection requirements of the PPS. An example of a protection requirement might be to “interrupt and neutralize a well-equipped, criminal adversary before he can remove nuclear material from a vault.”

1 Sabotage is “…Any deliberate act directed against a nuclear facility or nuclear material in use, storage or transport which could directly or indirectly endanger the health and safety of personnel, the public and the environment by exposure to radiation or release of radioactive substances.” INFCIRC/225


1.7.2 Design a Physical Protection System (PPS)

Combining Elements of a PPS

The second step in the development of a PPS design (Fig. 1-3) is to determine how best to combine such elements as fences, vaults, sensors, procedures, communication devices, and response force personnel into a PPS that can satisfy the protection requirements. The resultant PPS design should meet these requirements within the operational, safety, and economic constraints of the facility. When characterizing an existing PPS, the next step in the process is to describe the configuration of its elements.

Primary Functions of a PPS

The primary functions of a PPS are detection of an adversary, delay of that adversary, and response by the response force.

General Guidelines for PPS Design

Several general guidelines should be observed during the PPS design, as follows:
- Detection should be placed far from the target.
- Delay should be placed near the target.
- The response force should be reliably notified early enough to have time to respond to an alarm.
- PPS designers should take advantage of the strengths of each piece of equipment and use equipment in combinations that complement the strengths of each and protect against any weaknesses.

Additional Considerations in PPS Design

While being concerned about the performance of the individual components and of the total system, the designer must also consider:
- Purchase costs
- Installation issues and costs
- Maintenance of equipment costs
- Staffing costs

Consider Long-Term Costs

Full life-cycle costs must be considered instead of only initial purchase and installation costs. Initially low-cost, high-performance components may, over their expected lifetimes, require extensive maintenance that will result in high continuing costs and the possibility of degraded performance. Long-term economic and performance impacts must be understood while considering alternatives for a physical protection system design.


1.7.3 Evaluate the Physical Protection System Design

Feature-based Evaluation vs. Performance-based Evaluation

The third step, evaluation of the PPS design, begins with a review and thorough understanding of the protection requirements the system must satisfy. This can be done simply by checking for required features of a PPS, such as intrusion detection, entry control, access delay, response communications, and a response force. However, a PPS design based on required features cannot be expected to lead to a high-performance system unless those features, when used together, are sufficient to assure adequate levels of protection. Rigorous analysis and evaluation techniques are used to estimate the minimum performance levels achieved by a PPS. This is a necessary step for a performance-based approach to PPS evaluation.

Full System Tests May Be Impractical

An existing PPS at an operational facility cannot normally be tested comprehensively as a system due to operation and funding constraints. Evaluation techniques are based on performance tests of component subsystems. Component performance estimates are combined into system performance estimates by the application of system modeling techniques.
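The following added example (not part of the course material) shows one way component estimates can be combined into a system estimate, and why the placement guidelines in 1.7.2 matter. It uses a simplified timely-detection path model, which is an assumption of this example and not a formula given in the text; the element names, probabilities and times are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Element:
    name: str         # constructed label for a protection layer
    p_detect: float   # component test estimate: probability of detection
    delay_s: float    # component test estimate: delay imposed, in seconds

def feature_summary(path):
    """Checklist view: which sensors and how much delay are present at all."""
    sensors = sorted(e.p_detect for e in path if e.p_detect > 0)
    return sensors, sum(e.delay_s for e in path)

def interruption_probability(path, response_time_s):
    """Performance view: P(an alarm occurs while the delay still ahead of the
    adversary is at least the response time).

    Assumptions of this simplified model: elements are crossed in order,
    detection at an element happens before its delay is spent, detections
    are independent, and alarm communication is perfectly reliable.
    """
    p_all_missed = 1.0
    for i, element in enumerate(path):
        remaining_delay = sum(e.delay_s for e in path[i:])
        if remaining_delay < response_time_s:
            break  # an alarm from here on leaves too little time to respond
        p_all_missed *= 1.0 - element.p_detect
    return 1.0 - p_all_missed

# Constructed data: the same three components, placed in opposite order.
DETECT_EARLY = [  # detection far from the target, delay near it
    Element("perimeter", 0.9, 20),
    Element("building", 0.5, 80),
    Element("vault", 0.0, 300),
]
DELAY_EARLY = [   # delay far from the target, detection near it
    Element("perimeter", 0.0, 300),
    Element("building", 0.5, 80),
    Element("vault", 0.9, 20),
]
RESPONSE_TIME_S = 240  # constructed response force time

if __name__ == "__main__":
    for label, path in (("detect early", DETECT_EARLY), ("delay early", DELAY_EARLY)):
        p = interruption_probability(path, RESPONSE_TIME_S)
        print(f"{label}: features={feature_summary(path)} P(interrupt)={p:.2f}")
```

Both layouts produce the same feature summary, so a checklist cannot tell them apart; only the performance calculation shows that the second layout raises its alarms too late for the response force to act.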

Analysis and Re-evaluation Are a Cyclic Process

Evaluation of the PPS design will either find that the design effectively achieved the protection requirements, or it will identify weaknesses. If the protection requirements are achieved, then the design and evaluation process is completed. However, the PPS should be re-evaluated periodically to ensure that the original protection requirements remain valid and that the protection system continues to meet them.

1.7.4 Redesign of the Physical Protection System

Redesigns or Upgrades Are Based on Vulnerability Assessments

The result of the evaluation phase is a system effectiveness evaluation. If the PPS is found to be ineffective, vulnerabilities in the system can be identified. The next step in the design and evaluation cycle is to iterate or upgrade the initial protection system design to correct the noted vulnerabilities. It is possible that the PPS requirements and constraints also need to be reevaluated. An analysis of the redesigned system is performed. This cycle (Fig. 1-3) continues until the results indicate that the PPS meets the protection requirements.

1.8 Summary

A process for the design and analysis of a PPS has been presented. Figure 1-3 and Figure 1-4 show this process with references to the specific lecture sessions in the course.


Figure 1-4. ITC Design and Evaluation Process Outline (DEPO)