IAEA-CN-184/266
Enhancing and Optimizing Safeguards Implementation by Remote
Safeguards Inspections
J. Araujo, C. Charlier, D. Hatt, A. Lebrun, N. Muroya, P. Rance, I. Tsvetkov, R.
Zarucki and M. Zendel
International Atomic Energy Agency, Vienna, Austria
Abstract
Remote safeguards inspections (RSIs) is one of the most important measures for the
International Atomic Energy Agency (IAEA) to transform its field activities to be more
selective and optimized/focused, while strengthening IAEA‟s analytical capacity, in
transitioning to Information Driven Safeguards (IDS). RSIs employ inspection activities with
limited physical presence of an IAEA inspector in the field utilizing unattended data
collection systems for containment and surveillance (C/S), Non-Destructive Assay (NDA)
instruments, operator plant key process parameters and making full use of State and Regional
Systems of Accounting for and Control of nuclear material (S/RSAC). Enhanced cooperation
between all parties while maintaining independent conclusions by the IAEA is vital for the
successful safeguards implementation of RSIs. The level of cooperation and willingness of a
State to implement RSI measures requested and properly justified by the IAEA will
demonstrate its commitment to full transparency in its nuclear activities.
The RSI approach does not target to eliminate the need for on-site inspections but rather to
reduce the frequency of routine on-site inspections beyond present levels. RSIs will shift
IAEA inspector resources from routine activities to non routine activities (e.g. complementary
access (CA) activities, unannounced inspections, validation or authentication of operator‟s
data, other activities in order to increase the assurance of the absence of undeclared nuclear
material and activities, and activities related to resolution of the specific safeguards concerns).
The IAEA is actively investigating means to combine data provided by IAEA remotely
operated instrumentation complemented by operator process data parameters with data and
information reported from activities assigned to S/RSAC. The data collected from facilities,
including operator‟s process parameter data/declarations, is transmitted via secure remote
transmission technologies to remote centres (IAEA Headquarters in Vienna or IAEA
Regional field offices), where all data is evaluated by inspectors supported by dedicated
computer software programme who are able to draw safeguards conclusions and to provide
feedback to the field (including instructions for follow-up action, if necessary). RSI will
mainly be implemented in a State with an Additional Protocol (AP) in force and for which
broader conclusion has been drawn and maintained as well as in cooperation with S/RSAC
which met and has demonstrated the desired level of efficiency and effectiveness in their
safeguards cooperation with the IAEA. Such desired level of cooperation for the S/RSAC
would need to be evaluated against criteria on a regular basis in order to ensure that the
desired level of effectiveness and efficiency of the S/RSAC is maintained.
The paper describes field trials to assess practical implementation issues and cost benefits at
various nuclear fuel cycle facilities such as a fuel fabrication plant, an on-load reactor and a
plutonium storage. The respective facilities were selected in view of S/RSAC technical
capabilities, availability of installed, remotely operated safeguards systems, process
monitoring features and the level of expected savings. Preliminary results are presented
together with considerations regarding the feasibility and practicality of deploying RSI as part
of a State Level Integrated Safeguards Approach. Future R&D of equipment which might
further enhance the efficiency and effectiveness of safeguards activities using RSI will be
discussed.
Introduction
Globalisation and growing scale of available information, e.g. via Internet, has opened the
path for the IAEA towards information driven safeguards (IDS). IDS applies enhanced
analysis of all information available to the IAEA together with physical verification using upto-date equipment and methodologies, complemented with, to ensure that States have fully
complied with their non-proliferation undertakings. It is designed to provide an
uncompromised level of assurance of non diversion of declared nuclear material and the
absence of undeclared nuclear material and activities in a State. Future safeguards challenges
include to cope with the renewed interest in nuclear power production (“nuclear renaissance”)
that will increase the number of facilities and nuclear material under safeguards worldwide
and hence result in a need for additional resources for the IAEA. The IAEA is constantly
looking for means to improve its efficiency and effectiveness to sustain its safeguards regime
and need to balance its efforts to monitor “the known” and “search for the unknown”. The
proposed concept of RSIs aims to join and extend existing remote monitoring applications
with new opportunities for enhanced cooperation into coherent and optimized SG approaches.
In a changing environment of nuclear renaissance, it is necessary for operators and S/RSAC
to gain and maintain the confidence of the public. The public must be assured that nuclear
power generation is safe and does not increase the risk of misuse of nuclear material for
nuclear weapons. Therefore it should be in the utmost interest of S/RSAC and operators to
receive a “clean” record from the IAEA regarding the peaceful use of nuclear materials and
activities under their control. Multinational companies have already expressed their
willingness to support the IAEA in safeguards implementation beyond legal obligations.
Information Driven Safeguards and Remote Safeguards Inspections
Information driven safeguards (IDS) has been identified as an approach to adapt the IAEA‟s
safeguards verification activities to the changing environment. Inspection results in an IDS
approach are being evaluated within the context of all other available information (e.g. open
source, satellite imagery, complementary access activities etc.). Integrated Safeguards (IS) is
a specific case of IDS whereby the IAEA has drawn and maintained a “broader conclusion”
regarding the completeness and correctness of a State‟s peaceful nuclear programme. Under
IS, on-site inspection effort is significantly reduced by applying a State-Level Approach
(SLA) for facilities and LOFs within the State where nuclear fuel cycle is well developed.
The SLA varies based on State-specific factors. The IS-SLA uses an extended timeliness goal
for spent fuel verification from the present three-month to a twelve-month interval, a reduced
random sample sizes for nuclear material verification and a coarser defect testing level.
Thereby the inspection frequency is lowered with optimized on-site verification activities.
Further savings for the IAEA are still needed to compensate expected additional inspection
burden caused by the nuclear renaissance and other new safeguards commitments, e.g. SG
implementation in India and possible involvement in nuclear disarmament activities. The
concept of RSI is a promising path to further optimize and join future safeguards efforts while
maintaining credible safeguards implementation. The RSI concept builds on current remote
monitoring techniques and seeks to automate inspection activities to the extent feasible.
Enhanced cooperation with S/RSACs and operators is the other important element in the RSI
concept, whereby State inspectors and/or facility operators may carry out IAEA prescribed
activities, e.g. operating attended and unattended inspection systems with remote and secure
IAEA oversight. The level of cooperation and technical competence of the S/RSAC and
operators will be crucial to the successful implementation of RSIs.
The RSI safeguards approach (see Fig. 1) is based on inspection activities with reduced
physical presence of IAEA inspectors in the field involving remote transmission of
authenticated data/information from IAEA equipment system, the cooperation of the
operator/SSAC/RSAC and the monitoring of process parameters & operator measurement
systems remotely to the IAEA Headquarters or a Regional Office for safeguards evaluation.
The RSI Safeguards Approach will be implemented at specific facilities and thus would
automatically become part of a State-Level Approach. Any development effort for a RSI
facility level safeguards approach should be consistent with the broader objectives of the
State-level approach for the State in question.
Fig. 1: RSI approach
RSIs will be complemented by unannounced supporting. Such on-site supporting inspections
will be guided by knowledge obtained from the collaborative analysis of all available
information. They will add an appropriate level of unpredictability to the applied safeguards
measures and could be used to independently verify S/RSAC/operator RSI activities as
prescribed by the IAEA, to authenticate the RM systems, to detect any tampering of IAEA
equipment systems and to resolve anomalies resulting from safeguards activities. In addition,
activities required by the IAEA's State-level approach which cannot be covered by the
transmission of data, e.g. follow-up actions at the site, re-verification of inventories,
examination of containment, could be carried out as well during a supporting inspection. The
continuous data collection mode provides a comprehensive record of activities which could
justify a lower number of inspections compared to the number foreseen in current safeguards
approaches. Complementary access activities and design information verification as part of
the SLA could be performed in conjunction with the supporting inspection or carried out as a
stand alone activity.
The Safeguards Environment for RSI
Safeguards data under RSI approach may originate from IAEA unattended monitoring and
measurement systems (surveillance systems, seals, NDA instruments, sensors and radiation
monitors), or from operator monitoring of plant /process parameters as well as S/RSAC
measurement systems authentication measures. The IAEA is constantly expanding its remote
monitoring capabilities and has accumulated excellent experience in using unattended
monitoring systems (UMS) operated in remote monitoring mode. Such systems are operating
in various facilities worldwide (such as reprocessing plants, power and research reactors and
plutonium fabrication plants). In addition, the Agency also has experience in electronically
receiving and reviewing State and operator books and records, and in selectively monitoring
operators performing Agency functions such as application or removal of electronic seals.
The acquired data, including results of S/RSAC/operator activities prescribed by the IAEA, is
transmitted using secure remote transmission technologies to HQs (in Vienna or in Regional
offices) for further analysis for the purpose of deriving safeguards conclusions and providing
feedback to the field or instructions for follow-up action, where necessary.
Remote inspection activities are especially important for facilities where processes are highly
automated and access to nuclear material is virtually impossible. The time an inspector can
stay in spent fuel handling areas is limited due to the high neutron and gamma radiation
fields. RSIs could overcome these limitations and automate a large part of the routine
verification effort in the field currently spent by inspectors. On-site inspections and visits by
inspectors will remain essential, but their contribution to an overall safeguards approach can
be optimized through the use of RSIs.
The IAEA spends worldwide ~8000 person days of inspection (PDIs) effort per year which
includes considerable savings by implementing remote monitoring and selected approaches
based on randomized unannounced inspections such as to verify spent fuel transfer from an
on-load reactor (OLR) to dry storage facilities. Further potential in savings could be mainly
realized in bulk handling facilities (reprocessing, conversion, fuel fabrication and
enrichment), on load reactors and LWR reactors with MOX fuel loading.
The inspection effort for on-load reactors (mainly Candu) requires about five times the
inspection effort of an off-load reactor. The number of LWRs with MOX fuel loading is
steadily increasing and a typical inspection effort of ~ 200 PDIs is used per reactor as
compared to about 10 PDIs for a „normal‟ LWR. Future reductions in inspection effort by RSI
could be used to cope with an expected increase in nuclear power generation activities and
safeguarded materials arising from the forecast „nuclear renaissance‟, the anticipated increase
in safeguards verification activities in India as well as in some nuclear weapon States. A
proportional increase in budgetary resources is unlikely to happen and a shift of routine
activities in the field towards remote inspection activities could free up in-field inspectors for
the increased inspection burden and the complex information evaluation process.
Limitations of RSI based on experience to date with IAEA installed systems include security
concerns of operators and State authorities.
Goals of RSI
The goals and objectives of RSI are maintaining credible safeguards implementation by
optimizing IAEA inspection effort reducing the resources involved in on site verification of
declared nuclear material and redirecting of routine inspection effort towards information
driven safeguards activities. Such IDS activities could be assessing on-going activities at the
facility, spending more time for context driven data evaluation (e.g. State evaluation reports)
and design information verifications.
Specific detailed goals include minimizing routine inspection activities to be carried out in the
field, transferring routine inspection work in the field to Headquarters, making better use of
inspector‟s time for activities such as to detect undeclared nuclear material and activities,
delivering more timely safeguards data with decreased travel requirements for IAEA
inspectors, providing quick feedback/instructions for follow-up action to the field inspectors,
and minimizing DA sample loads by RM operated NDA.
The distribution of “routine inspection work” to HQ/Field offices/experts aims to reduce the
number of on-site inspectors otherwise necessary to perform the in field data evaluation and
to gain more flexibility in the applied inspection effort. Speedy evaluation by an expert group
at HQ or field offices enables the inspectorate to perform better follow-up and post analysis
which could lead to a quicker feedback providing corresponding instructions for follow-up
action, where necessary, to the field inspectors. The application of enhanced RM systems as
part of the RSI scheme will strengthen the IAEA‟s virtual presence in the field, and provide
stronger deterrence towards possible proliferators. Applying RSI activities in a coherent
manner at facilities in a State could become part of a State-level approach.
RSI Requirements
A key condition for the IAEA to apply RSIs is a functioning infrastructure to allow secure
remote transmission of data and remote access to RM systems for modification and
maintenance. It is of utmost importance that the operator transmits his nuclear material
declarations in a timely manner, meeting highest IAEA quality and security standards.
Verification and monitoring data generated during RSIs need to satisfy IAEA‟s requirements
regarding authenticity, completeness and correctness. Authenticity of data is a pre-requisite to
ensure a valid interpretation of the collected data. Completeness, meaning no gaps in the data,
provides assurance that all items are monitored while correctness of data is necessary for
qualification and quantification of the verified and monitored nuclear items. However, an
appropriate level of unpredictability by unannounced supporting inspections can validate
“unauthenticated” continuously provided data. It is also essential for the IAEA to be able to
draw its independent conclusions from the RSIs, meaning that a “quality control” on the
information provided by the S/RASC and the operator should be established in order to
validate their information.
The full implementation of RSIs will require negotiating an agreement between IAEA and
S/RSAC authority to define all operational conditions of the RSI approach. This includes the
technical agreement with the operators to implement the RSI measures. The technical
agreement would also address security concerns of operators and S/RSAC towards the remote
transmission of process data beyond obligatory NMA declarations. Making use of operator or
S/RSAC resources for IAEA inspection purposes will require a careful judgement to
ensure that the IAEA retains its obligation to independently verify State declarations;
however, State or operator provided information can be used to assist the IAEA in improving
the effectiveness and efficiency of its inspections.
A cost-benefit analysis on a case by case basis, considering all boundary conditions, State
specific factors, capital costs and human resource requirements for implementation and
maintenance, is needed before an optimized safeguards approach based on RSIs can be
applied.
Equipment for Remote Safeguards Inspections
Unattended monitoring systems are the backbone of RSI and a variety of unattended
monitoring systems have been developed and installed at numerous facilities worldwide in
order to verify nuclear material flows and inventories, and to maintain continuity of
knowledge (CoK) of nuclear material and activities. Instrumentation used for RSIs must be
highly reliable and robust to minimize equipment system failures and technical visits by
IAEA technicians. The equipment should not require extensive user training and must be
compatible with other SG instrumentation providing common data formats for the subsequent
evaluation. In order to minimize expensive equipment logistics such as maintenance and
installations, a high level of standardization and modularity is needed. A full set of
requirements is specified by IAEA technical experts to enable IAEA independent verification
and monitoring capabilities. Equipment developers need to be fully aware of such
requirements when providing for RSI instrumentation equipment intended for joint use by
IAEA, S/RSAC and operators.
RM data transmission can be either in real time or upon demand. Most of the systems are
connected via the internet using secure VPN tunnels and the transmission of large quantities
of data can be performed at very low cost. The Headquarters network has a security system
with predetermined access rights so that individuals could see and retrieve only the
information for which they had a clearance and a need to know basis. RM data transmission
provides the capability of assessing the operational status of verification instrumentation and,
in many cases, malfunctions can be repaired remotely without the need for technicians to visit
a facility.
A well planned preventive maintenance regime should be setup which could also involve
equipment maintained by Operator or S/RSAC, if proper authentication is possible. This is
technically feasible as demonstrated using the next generation of surveillance systems
(XCAM) which has a secure modular design, whereby security sensitive modules are
intrinsically tamper indicating. This allows handling of the modules for installation, service
and preventive maintenance by third parties without the need for the physical presence of
IAEA inspectors.
The role of S/RSAC and Facility Operators under RSI approach
Article 7 of the comprehensive safeguards agreement (CSA) stipulates that the IAEA, in its
verification activities, shall take due account of the technical effectiveness of the State‟s
system avoiding duplication of inspection efforts. Key issue is the independence of the IAEA
in deriving its safeguards conclusions. The IAEA has put into practice this article by
enhanced cooperation approaches between IAEA and S/RSAC, e.g. new partnership or joint
use inspection arrangements. An effective, technically competent and independent S/RSAC is
a valuable partner during joint inspections. In one case, the IAEA inspectorate decides on an
unannounced, short notice and unpredictable basis to forego its participation in any single
joint inspection. The respective S/RSAC inspectors carry out the inspection in accordance
with defined procedures and provide their inspection data to the IAEA shortly after the
inspection. Another option allows reducing the number of IAEA inspectors in a joint team,
whereby the S/RSAC inspectors do most of the routine activities while the IAEA inspector(s)
perform quality control (QC) checks on the work performed by S/RSAC inspectors. Such QC
checks could involve re-measurement of randomly selected items in presence of the IAEA
inspector to validate the result of the verified population.
The RSI concept aims to increase such enhanced cooperation beyond present levels whereby
the S/RSAC would provide its own inspection resources to carry out activities under the
direction of the IAEA inspectorate. The national/regional inspectorate could be requested to
act in a way prescribed by the IAEA, and observed via remote communication means while
carrying out actual measurements on the IAEA‟s behalf. Additional devices could ensure
authentication of the verification activity (e.g. time and location stamping). An S/RSAC could
also initiate the remote transmission of inspection data collected from unattended systems
upon IAEA demand, or could simply collect verification data from an unattended system and
provide it to the IAEA inspectorate. Appropriate system configuration and other measures
should ensure that the data is transmitted without compromising data authenticity and data
sharing protocols.
A process to evaluate and maintain the assurance of the efficiency and effectiveness of the
S/RASC should be established with in the IAEA.
Facility operators could also perform selected activities for RSIs, for instance, attaching
electronic seals on nuclear material containers under surveillance (such as reactor vessels,
spent fuel casks or UF6 cylinders). The attached seals including their routing of cables or
wires would be subject to verification by an IAEA inspector at a later stage or location. The
operator could initiate data transfers from a measurement system, provided that the system is
appropriately configured to ensure that data is transmitted without compromising data
authenticity and data sharing protocols. Trouble shouting and selected maintenance activities
could be also attributed to the operator. Facility Operators could facilitate book audit
activities providing declarations on nuclear materials and activities using mailbox systems.
Face to face communication to discuss possible discrepancies with the facility operator could
be readily established where necessary using video conferencing services. Video conferencing
with S/RSAC inspector and operator at the end of an inspection could be an additional
element to confirm that the inspection took place as scheduled and that all activities have been
carried out according to agreed procedure.
As part of the RSI, some key process parameters will also be transmitted directly to the IAEA
HQ or a regional office. The signals could be taken from the operator plant/process
monitoring system and selected in such a way that it will make it difficult for the operator to
tamper with all the signals in order to cover a miss use of the facility or an attempt to divert
nuclear material. In such a case, this information taken from the operator process equipment
does not need to be authenticated.
The technical capability, level of support and independence of S/RSAC are important
parameters to assess the value for the IAEA of such S/RSAC provided assistance.
Reduced IAEA in-field inspections activities would minimize the intrusiveness for facility
operators requiring less frequent escorts and less operational interference. More importantly,
RSI provides the opportunity for the S/RSAC and operators to demonstrate an exemplary
level of collaboration and good will in Safeguards implementation to dissipate public
concerns on misuse of nuclear material for nuclear weapons associated with the expansion of
nuclear activities for power generation.
Field Trials
To further the concept of RSI, field trials at various facilities (MOX fuel fabrication plant,
CANDU reactor, and Pu storage facility) have been recently initiated. The field trials should
investigate feasibility and practicality of deploying RSI and their outcome could be used to
develop a coherent model for RSI implementation. The RSI field trials are important to
determine and test ways to improve the interaction between existing SG measures. Activities
under the field trials should extend IAEA experience for enhanced cooperation and should
identify feasible safeguards activities by third parties in support of IAEA safeguards
implementation. Although, there are already established policies (e.g., Policy Paper 16 on
Remote Monitoring and Policy Paper 20 on Joint Use of Equipment), the preparations for the
field trials could identify where policy may need to be revised and the proposed changes
could be tested using the field trials.
The facilities were selected considering installed operational RM systems, potential of
savings and level of expected collaboration with S/RSAC and operators. At each selected
facility activities were identified currently used to verify the State/Regional Authority‟s
declarations by unattended or remotely monitored systems including enhanced cooperation
activities. All data that are presently gathered or could be collected in future were
documented. Additional activities supported by S/RSAC/operator that IAEA could use, when
properly validated/authenticated, to support drawing an independent safeguards conclusion,
were considered. This included identifying conditions (unannounced access or equivalent),
methods (e.g. use of sealed IAEA standards, additional equipment, comparison of results with
those obtained from IAEA instruments, etc.) and requirements necessary for
validation/authentication of data obtained from S/RSAC/operator. The acceptability to the
operator/State was judged, e.g. for the transmittal of the electronic data and information to the
IAEA Headquarters.
The field trial will include mock-up support inspections to test the validity of conditions,
methods and requirements for validation/authentication of data obtained from S/RSAC/
operator. A cost benefit analysis considering savings versus equipment acquisition and
installation costs (including amortized replacement cost) will be prepared to judge whether
the tested RSI approach can be applied reasonably. Based on the experience gained in the
field trials, the RSI concept could be possibly extended beyond tested measures and future
R&D needs could be identified which further enhance efficiency and effectiveness of the RSI
approach.
Future Considerations
The IAEA envisions that inspectors in the future are able to make better use of their time in
the field with the assistance of technology that would provide them with improved data
gathering and enhanced analysis tools and that would connect them in near real-time with
IAEA managers, safeguards experts, and IAEA databases. RSIs will play an increasingly
important and versatile role to meet this vision. The following considerations are possible
areas to expand and enhance future RSI activities:





New measurement technologies will be incorporated into unattended systems to
perform real-time process monitoring at declared facilities with very high reliability.
Backpack detection systems combining spatial information with neutron and gamma
detectors will be available that can communicate remotely with a data centre via
wireless LAN. Such systems, encapsulated in tamper indicating enclosures will be used
by S/RSAC inspectors in combination with live video recording to provide authentic
attribute type measurements of nuclear material.
Advanced containment and surveillance equipment will improve options for RSIs.
Standardized and integrated platforms for NDA and C/S data collection will be
designed to produce ‘intelligent’ safeguards data and to allow installation, service and
preventive maintenance by third parties without the presence of IAEA personnel. Radio
frequency identification tags (RFID) for identification and tracking of items are widely
used in industry and could potentially be used for RSIs, provided that all associated
safeguards vulnerabilities are mitigated.
New NFC facilities that are planned to be built will be designed to facilitate Safeguards
implementation (“Safeguards by Design”) and will have a large fraction of safeguards
equipment integrated into the facility process for joint-use in remote mode.
Enhanced information technology (IT) capabilities will further automate
review/evaluation of remotely acquired data. Data acquisition, evaluation and archiving
will be seamlessly managed and will form a global information system for the
inspector in the field and at headquarters. Expert systems with smart evaluation
algorithms including object and pattern recognition for safeguards relevant items and
activities will facilitate the interpretation of safeguards monitoring activities by
comparing all relevant signal sequences and will alert the inspectorate in the case of
deviations, which then will investigate the flagged events.
The opportunities for satellite imagery applications will be enlarged by satellite based
remote sensing, e.g. different spectral ranges and radiation profiles.


A remote network with various, multiple sensors will produce a
verification/monitoring matrix for various processes which will be more difficult to
defeat than stand-alone systems.
Robotics will be advanced to develop a mobile inspection robot to carry out simple
verification tasks (radiation, seals, weighing) measuring receipts of inputs and outputs
or to keep continuity of knowledge (CoK) replacing “human surveillance” during
transfers of nuclear material. Mobile robots could enter hazardous environments (high
radiation, chemical contamination, high electric fields, high winds on roofs, etc.) where
humans cannot go.
Conclusions
Remote safeguards inspections will become an increasingly important element of information
driven safeguards. This approach requires the expanded deployment of UMS and surveillance
systems for the remote collection and transmission of verification data. S/RSAC and facility
operators could significantly contribute to the implementation of RSIs by enhanced
cooperation whereby the existing security concerns of operators and State authorities
regarding the use of remote monitoring need to be addressed in order to fully exploit the great
potential of remote safeguards inspections. The evaluation of safeguards from RSI requires
powerful IT tools for data evaluation to cope with the increased amount of data generated
there from and to translate the savings of on-site inspections into real savings. The resulting
savings in inspection effort could partly compensate safeguards inspection efforts arising
from an expected increase in nuclear materials and activities from the forecast „nuclear
renaissance‟, additional safeguards obligations and from a shift towards information
evaluation.
The RSI concept suggests a change in attitude from a passive tolerance of SG implementation
by most S/RSAC and operators towards an active and enhanced support role, joining efforts
with the IAEA to run a powerful safeguards regime to promote the peaceful use of nuclear
energy.