
Risk-based physical protection system

3. Security

3.2 Risk-based physical protection system

The requirements of PPS are derived by the State and the regulatory authority using a risk-based approach, with the aim of ensuring that operators’ design measures keep the threat risks below acceptable levels. The risk can be quantitatively defined as the product of the frequency of an event and the consequences of a malicious act (equation 1) (IAEA 2018b, 25).

$$\text{Risk} = \text{Frequency} \cdot \text{Consequences} \tag{1}$$

The quantitative risk assessment considers the probability of the event occurring and the quantitatively expressed consequences of the malicious act concerned. The quantitative method poses challenges, since the probabilities may be difficult to determine.

Furthermore, the consequences of a successful malicious act may be challenging to quantify if there is no appropriate way to express them. At least radiological consequences can be defined quantitatively and used for several malicious acts, including sabotage and unauthorized removal of radioactive material (if the aim is to cause harm using the material) (IAEA 2018b, 25).

The qualitative method can also be used in risk assessments (figure 7). In that case, the likelihood of a malicious act and the associated risk are not quantified. The approach is to consider different factors indicating a risk (e.g., consequences, threat likelihood, adversary capabilities) and to combine them into sets of features that represent low, medium and high levels of risk (IAEA 2018b, 25).

Figure 7. Risk assessment matrix as an example of qualitative method (modified from IAEA 2019b, 123).

Concerning theft of NM, the graded approach can be implemented by categorizing the material according to the properties relevant to its potential use in a nuclear explosive device (element, isotopic composition, quantity). In addition, other characteristics of NM, such as irradiation level, chemical and physical form and degree of dilution, can be used, as these may affect the attractiveness of the material (radiation health effects and difficulties). The NM is categorized into classes I-III, of which class I NM has the most stringent protective requirements. The fourth class, ’below the class III’, may not need excessive means of protection, but should still be secured at least with access control. Similarly, radioactive material is categorized into classes requiring certain levels of protection with respect to the relevant factors (physical and chemical properties, quantity, mobility, availability, and accessibility).

Figure 8 shows the categorization scheme for NM. (IAEA 2018b, 28-33; IAEA 2011b, 14-15).

Figure 8. The categorization of nuclear material to classes with different levels of protection required (IAEA 2018b, 27).

The graded approach for determining the required levels of protection for sabotage targets such as SSCs is based on two threshold values defined by the State: unacceptable and high radiological consequences (URC and HRC). Sabotage targets that may lead to radiological consequences exceeding the HRC should be provided with the highest means of protection to prevent any severe conditions (significant radioactive release affecting the population and environment). URC defines a level above which protection measures should be implemented, and it makes it possible to identify all targets that need an appropriate level of protection. The potential radiological consequences arising from sabotage may be graded into several ranges of severity, and the required level of protection can be defined to correspond to these. HRC and URC may include criteria for the release of radionuclides (e.g., total activity or release of specific radionuclides) and dose criteria (equivalent dose of an individual). Figure 9 presents how a graded approach is implemented to derive PPS requirements within these two thresholds (IAEA 2018b, 34-36).

Figure 9. The relationship between the protection requirements and threshold values for HRC and URC (IAEA 2018b, 36).

The risk-based approach for PPS indicates connections between safety and security. As is already clear from the above discussion, three coupling points between security and safety can be introduced: 1) damage done to SSCs, 2) radiological consequences (equivalent dose for an individual) and 3) the event frequency of occurrence (Hyvärinen et al. 2016, 70).

The damage done to plant SSCs is mainly associated with sabotage, whether it is aimed at causing high radiological consequences (e.g., terrorism) or at disrupting the operator’s activities (e.g., extreme activists). Malicious acts involving sabotage and plant events are interrelated, because sabotage of SSCs could lead to PIEs like any internal hazard, such as fire or flood. The adversaries’ sabotage acts are precursors of PIEs, thus providing a link between safety and security. It is therefore possible to connect DiD levels with the sabotage act in question by considering the plant event category resulting from such a threat (IAEA 2014a, 105-112).

For example, a terrorist attack (e.g., large airplane crash) may represent sabotage that could be related to DiD level 4 (DEC), and an event in which extreme activists provoke the operator to shut down the reactor could fit in DiD level 2 (AOO), based on the damage done to the NPP.

The risk-based approach used both in safety (Deterministic Analysis and PSA) and in security makes it possible to have a common ground for the design of SSCs and PPS by using integrated analyses, at least where sabotage is concerned (IAEA 2014a, 105-112). Theft of nuclear and/or radioactive material may need a different approach.

Similar probabilistic calculation methods (e.g., fault trees and event trees) are used for security event sequences (attack scenarios) as for accident sequences (accident scenarios) when PSA is done in safety analyses (IAEA 2019b, 38, 57-58; IAEA 2010, 24, 34, 37-39).

Although the event frequency of occurrence for malicious acts can be difficult to determine, the analogy between probabilistic methods in security and safety analyses indicates that it might be possible to determine security event frequencies or at least define indicative values. The frequency of occurrence for the initiation of a malicious act may not be quantifiable, but the approach could be to evaluate the frequency of events leading to successful penetration through the PPS to different security zones, for which data may be derived from practical exercises. Thus, the event frequency could be a valid coupling point between safety (DiD levels) and security (threat events).
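The following sketch is an added example, not taken from the cited IAEA documents. It carries one event-tree sequence through nested security zones, applies equation 1 to each target and places the consequence relative to URC and HRC. The zone names, layer probabilities, initiating frequency, dose values and both thresholds are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Layer:
    zone: str        # security zone reached once this PPS layer is defeated
    p_defeat: float  # conditional probability that the layer is defeated

# Constructed sample values, outermost layer first (not from IAEA or any State).
LAYERS = [Layer("limited_access", 0.5), Layer("protected", 0.1), Layer("vital", 0.05)]
URC_MSV, HRC_MSV = 1.0, 100.0                  # hypothetical dose thresholds, mSv
TARGETS = [("SSC-A", "limited_access", 0.5),   # (target, zone, dose in mSv)
           ("SSC-B", "protected", 20.0),
           ("SSC-C", "vital", 500.0)]

def zone_frequencies(attempt_freq, layers):
    """Event-tree sequence: frequency (1/yr) of penetration into each zone."""
    freq, result = attempt_freq, {}
    for layer in layers:
        if not 0.0 <= layer.p_defeat <= 1.0:
            raise ValueError(f"invalid probability for {layer.zone}")
        freq *= layer.p_defeat   # each inner zone requires all outer layers to fail
        result[layer.zone] = freq
    return result

def grade(dose, urc=URC_MSV, hrc=HRC_MSV):
    """Place a consequence relative to the two State-defined thresholds."""
    if urc >= hrc:
        raise ValueError("URC must lie below HRC")
    if dose > hrc:
        return "above_HRC"       # highest means of protection
    return "URC_to_HRC" if dose > urc else "below_URC"

def assess(attempt_freq, layers=LAYERS, targets=TARGETS):
    """Return (target, frequency, risk per equation 1, grade) rows."""
    freqs = zone_frequencies(attempt_freq, layers)
    return [(name, freqs[zone], freqs[zone] * dose, grade(dose))
            for name, zone, dose in targets]

if __name__ == "__main__":
    # 0.1/yr is an assumed initiating frequency; pass 1.0 to obtain the
    # conditional frequencies when initiation cannot be quantified.
    for name, f, r, g in assess(attempt_freq=0.1):
        print(f"{name}: f={f:.2e}/yr  risk={r:.3e} mSv/yr  {g}")
```

With these constructed numbers the innermost target has the lowest penetration frequency but the highest risk, which is the situation the graded approach addresses by assigning it the most stringent protection.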

The radiological consequences (equivalent dose for an individual) provide an evident coupling point between safety and security events involving sabotage. The above-mentioned categorization for nuclear and radioactive material may provide means to connect security events involving theft of material to DiD levels.