Security and Nuclear Power Plants: Robust and Significant

Robert Lewis
Director of Preparedness and Response
 

Security of the nation’s commercial nuclear facilities is a critical part of the NRC’s mission. In response to recent media stories about security securityat nuclear power plants, we want to reassure you that U.S. nuclear power plants are adequately protected against potential terrorist attacks. In fact, they are among the best-protected sector of our national infrastructure.

In the decade since the 2001 terrorist attacks, the NRC, and its licensed operators, acted to enhance security at the nation’s nuclear plants. While the plants are secure, robust structures designed and built to withstand a variety of natural and man-made enemies, we ordered additional measures. For example, we strengthened requirements related to physical barriers, access controls, and intrusion detection and surveillance systems, as well as the existing well-trained and armed security officers.

Specific security measures are considered “safeguards information” (a type of unclassified, yet sensitive information) and are not made public, for obvious reasons. The NRC can, however, describe these enhancements in general terms.

Each plant’s security plan is based on a Design Basis Threat, or DBT, set by the NRC. This is the maximum threat a private-sector entity can be expected to defend against. Details of the DBT are not public, but our regulations spell out the types of threats our licensees must prepare for. These include an assault by one or more determined and capable adversary forces attacking by land or water, truck bombs, boat bombs, insider threats and cyber attacks. The NRC requires each plant to test its security force annually, and the NRC also tests the security forces at each plant every three years in a sophisticated force-on-force inspection.

Security doesn’t stop at a plant’s boundary. The NRC requires licensees to coordinate with local law enforcement and emergency responders who can assist in the unlikely event of an attack. The NRC itself continuously coordinates with other federal agencies to assess the current terrorist threat and take whatever actions might be necessary to bolster security at nuclear plants. We work with the Federal Aviation Administration, Department of Homeland Security and North American Aerospace Defense Command to guard against September 11-style air attacks.

A recent report published by the Nuclear Proliferation Prevention Project (NPPP) at the University of Texas used non-sensitive “open-source” information to assess the protections in place to counter terrorist threats to nuclear facilities in the United States, including potential threats to commercial nuclear power plants.

As an agency committed to the security of our nation’s nuclear power plants, we welcome recommendations for strengthening our oversight. However, we need to correct the record on two key points made in NPPP’s report. First, both new and existing reactors must mitigate against potential attacks using commercial aircraft; in fact our Aircraft Impact Assessment Rule requires design features for new plants to mitigate the effects of an airplane crash, and the NRC’s post-September 11 orders require existing plants to implement similar mitigating measures. Second, NRC regulations, based upon the DBT, do in fact require licensees to guard against waterborne attacks or explosives.

Author: Moderator

Public Affairs Officer for the U.S. Nuclear Regulatory Commission

33 thoughts on “Security and Nuclear Power Plants: Robust and Significant”

  1. It is interesting to learn about security and nuclear power plants. I did not know that each plant’s security plan was based on a design basis threat. I find that it is a good idea to prepare for possible terrorist situations by land or water. Thanks for the information.

  2. In response to Rich Andrews’ questions:

    The Aircraft Impact Assessment rule only applies to new nuclear power reactor designs. The assessment can either be done as part of the design certification process if the design has not been certified as a rule in the NRC’s regulations, or as part of the licensing process for a new reactor license application using a design that is already certified in the NRC’s regulations. In either case, all new reactors must have performed the aircraft impact assessment before it receives a license to construct the plant. Any improvements to the plant design that may be identified during the assessment would be included with the final reactor design to be certified or licensed.

    The Aircraft Impact Assessment rule does not apply to existing nuclear power reactors. The Commission determined in the AIA rulemaking that existing plants need not comply. However, as part of the Power Reactor Security rulemaking that the NRC promulgated in the 2009, all nuclear power reactors must have strategies for dealing with a loss of large areas of the plant due to fires or explosions. These strategies were originally required by Orders in the months after 9/11. So while existing plants are not covered under the Aircraft Impact Assessment rule, they have taken measures to address the potential consequences of an aircraft impact.

    Dave McIntyre

  3. Regarding the Aircraft Impact Assessment Rule, when are nuclear plants covered by the rule required to:
    1. Complete the analysis &
    2. Implement any necessary improvements?

  4. Mr. Moderator,
    Your introduction to security at nuclear plants mentions a so-called “Aircraft Impact Assessment Rule” and references 10 CFR 50.150. It is very difficult for the layman to understand which US nuclear plants are required to do this important assessment as the rule’s applicability section is long and very confusing. Please assure us that all US nuclear sites with nuclear fuel on-site are required to do this analysis. Thanks.

  5. Nuke Plant Operators Are The Best
    When faced with a large aircraft crash into a nuke plant’s auxiliary building (AB), plant operators and all nuke workers that support them would shine. They have already imagined the unimaginable.

    As we have discussed before, an aircraft crash on-site into one of our overloaded spent fuel pools would have devastating consequences on and off-site. A massive amount of radioactivity would be immediately released after a huge explosion and then a raging aviation-fueled fire in the AB surrounding the containment building. This raging fire would eventually result in a complete loss of control of the reactor inside the containment building.

    How would the operators and on-site nuke plant workers react? They would react with a grim resolve to do anything and everything possible to minimize the accident’s effects both on-site and off-site. Even dealt this dead-man’s hand, they would react with professionalism and courage. Why? Because they have already thought about the unthinkable and what they would do. I have had the privilege to work with some of these folks and I know their dedication to their jobs and just how sharp they are.

    Just what are some of the things these very capable folks would do?
    1. Immediately declare a General Emergency (the most serious emergency classification) and recommend to off-site authorities public protective action measures. A minimum recommendation at this time would a so-called “keyhole” evacuation of the 10-mile emergency planning zone around the nuke plant. The recommendation would be evacuate within 2 miles in all directions around the plant and 2 to 5 miles evacuation in the downwind sectors. For all other areas of the emergency planning zone the recommendation would be in-house shelter.
    2. Order an on-site evacuation of all personnel except for emergency responders. Dependent on wind direction these personnel would evacuate either the normal evacuation route or the alternate evacuation route from the site.
    3. Ask emergency response personnel to report to their emergency duty stations. On-site these are the Control Room (CR) itself, an Operations Support Center (OSC), and a Technical Support Center (TSC). Certain emergency response personnel also leave the nuke site and report to an off-site emergency center called the Emergency Operations Facility (EOF).
    4. While these actions are taking place, the CR operators have been very busy. Numerous alarms have sounded in the CR. Fire and smoke detector alarms; radiation monitor alarms, even seismic monitor alarms due to the shock of an airplane crash within the plant. There are so many alarms that it is not possible to acknowledge them all individually. Operators then use a master alarm shut-off switch, so they can concentrate on the key parameters to help ensure a proper plant response.
    5. CR operators ensure the operating reactor(s) are immediately shutdown.
    6. Operators ensure that auxiliary building ventilation is promptly secured so that fresh air does not fan the flames and smoke. This action also reduces the rate at which highly radioactive materials (gas and particulates) are vented from the AB into the environment. The operators also can remotely close air inlet and outlet dampers on individual compartments in the AB to slow the spread of the fire. The downside of securing all ventilation in the AB is that smoke and airborne radioactivity levels skyrocket in the building itself making access for plant fire-fighting and other actions outside the CR utterly impossible.
    7. The CR Operators also ensure the CR ventilation system begins operating in a so-called emergency air make up mode. This not only ensures that any air drawn into the CR must pass thru a HEPA and a charcoal filter to trap airborne radioactivity, it also ensures that the CR itself is maintained at a slightly positive pressure so that any air leakage is out of the CR and not in.
    8. The CR closely monitors the reactor inside the containment to ensure it remains in a safe shutdown condition.
    9. As the fires spread the ability to maintain the reactor in a safe condition will be compromised. The fires start to affect instrumentation and control cables and power cables in the auxiliary building, which feed into the containment to support the reactor. When the operators see this occurring they will at some point have to do the unthinkable before they lose all control of the reactor.
    10. The CR operators have to create an accident to delay a reactor core melt situation. This delaying action is critical as it takes time to initiate further public protective action measures.
    11. The operators intentionally create a Loss of Coolant Accident (LOCA) in the containment building. They open a power-operated relief valve on the Reactor Cooling System causing a reactor coolant leak. Soon after this action the safety systems at the plant automatically kick in to pump water into the reactor to make up for this loss. This makeup water comes from a large tank in the auxiliary building.
    12. Eventually, the large tank is emptied and the operators ensure that reactor cooling is accomplished by a so-called recirculation system. The water that has been intentionally dumped into the containment building builds up in the building’s basement. The recirculation mode allows this collected reactor coolant to be cooled and then recycled into the reactor. This process will go on automatically until the AB fire gradually fries the electrical cables that make it all possible.
    13. The CR operators and other nuke plant workers will undoubtedly and voluntarily take emergency levels of radiation dose to help make sure all this happens. Delaying the inevitable will buy more time to protect the public. All you could ever expect from these brave warriors.

  6. Good to hear that you and perhaps other plants have participated in such a scenario.
    What were the challenges to you, others of the operating staff, and other responders to your spent fuel damage scenario?
    Did the scenario postulate an aircraft crash into the spent fuel pool?

  7. Once again I am replying to myself. More on an aircraft crash into a nuke plant’s spent fuel cooling pool. Here goes…
    Aircraft Crash Into A Spent Fuel Pool
    In a previous blog I asked if any nuke plant had used a massive spent fuel damage accident as one of its biannual emergency exercises. Let me take a shot at answering that question.
    I would be quite surprised if any nuke plant has ever conducted such an emergency exercise. I have worked on preparing nuke plant scenarios for emergency exercises and have worked with emergency planners who create such scenarios. We call massive damage to a spent fuel pool as a no-win scenario. No matter what operators and emergency responders do they will not be successful in mitigating the impact of the accident.
    In most scenarios planners have to simulate breaking so much plant equipment to even get a release of radioactivity to occur, that emergency responders believe the scenario is unrealistic. An aircraft crash, although unlikely, has devastating and unmanageable consequences.
    In addition a devastating fire driven by aviation fuel in the spent fuel pool spreads quickly throughout the entire auxiliary building surrounding the large containment building. The containment building is a super-sized building with re-enforced concrete walls over 3- foot thick. The containment building houses the operating reactor itself. Even a raging auxiliary building fire would not affect anything inside the containment building itself.
    So the reactor is safe, right. I wish it were so. To operate and monitor the reactor inside the containment there are a massive amount of instrumentation and power cables that must feed into the containment thru the auxiliary building. A raging fire in the aux. building will eventually destroy these important electrical cables. It leaves control room operators totally blind as to what is going on inside the reactor in the containment. They have lost control of the plant due to a hostile action. They can no longer maintain the reactor in a safe shutdown condition. It is only a matter of time until the reactor is no longer properly cooled and the reactor core melts. Which makes matters
    even worse is that the fire has spread highly radioactive materials not only off-site but also within the plant itself making any fire-fighting efforts or any outside the control room plant recovery efforts utterly impossible.
    Let’s talk about off-site consequences. Public protective action measures for the entire ten-mile radius emergency planning zone around the reactor (called among nuke plant emergency planners the “wheel of death”) would be either stay indoors or run like hell (evacuate).
    At the Fort Calhoun Station (northwest of Omaha, NE) the prevailing winds are from the NW to the SE. Any radioactive release will then most likely head toward the Omaha metro area, which includes Council Bluffs, Iowa. A busy large airport is located just outside the wheel of death. Assume an aircraft is highjacked by terrorists and flown directly to the Fort Calhoun site at only 200 mph. The trip to the plant only takes a little over 3 minutes. There is absolutely no time for anyone to do anything to intercept the plane. As they crudely say in the Navy, not even time enough to kiss your sweet ass goodbye.

  8. Thank you Joyce for clarifying our current situation. Yes, the unthinkable has happened in Fukushima & Hanford plant’s uncontrolled leakage w/ no end in sight. No governmental agency has come forth in preparing their citizens for consequences of these nuclear “events.”

  9. I know that 150 gpm of spray from the fire protection system ensures that fuel damage does not occur when fuel is loaded in configurations that are required by the b.5.b security rule following 9/11, and that plants are required to have procedures and equipment to set this up, on the fly, and have to be trained on it.

    The consequences depend on a lot of factors. It is unlikely you would have an immediate loss of inventory due to the design of the various pools out there (concrete pool with thick liners making 2 barriers to inventory loss, siphon breakers and piping which is at least 7 feet above the pool). What is much more likely is a loss of inventory over a short period of time (hour or two?). The biggest concern in this case would be the radiological conditions on site due to uncovered fuel, and the hindrance to the operators and their ability to deal with cooling down the reactor core post crash.

    At Fukushima we saw how the spent fuel pool can complicate the response to a severe plant event, especially when methods for determining the status of the pool and protecting the pool are not proceduralized or trained on. I think the post-accident/severe event SFP instrumentation is a step in the right direction, but maybe more needs to happen?

  10. Nuke worker here. I’ve participated in a scenario which included severe damage to the spent fuel pool and a security threat. I know it’s been done before at some plants, I just don’t know if it’s a requirement.

  11. A major nuclear attack if successful would ofcoarse have a greater magnatude than thousands. Much as when we have a military attack it would more likely be a barrage . We could all take more responsibility. Short of building underground habitats to shelter in place for 600-10000 years theres no practical solution to multi melt down scenerio. Meltdowns are not readily remedeid.Perhaps the moderator has a solution what would be a remedy for meltdown of say just 25 % of Nuclear Power Plants happening at once ?What is our individual responsibilty to increase our odds of survival ? I know in the past “meltdown” wasn’t an acceptable world . But now we all accept that is a possible reality.It happened the whole world is taking about it. Pointing fingers of blame and offering no solution. How much daily cesium can we handle anyhow?

  12. It is unthinkable to have thousands of our school children & teachers woefully unprepared for a major “nuclear event” in or around any nuclear site after an aerial attack. Since this seems to be our Achilles heel, we must have proper evacuation plans in place across the nation.
    I call upon school boards to take up their responsibility in protecting hundreds of thousands of our school children in planning for safe evacuation in the event of a nuclear accident of this nature. We must do so. If we can not protect our children, what is our value as human beings?

  13. Mr Moderator,
    To the best of your knowledge has any US nuclear plant conducted an emergency exercise whose scenario included massive damage to spent fuel in a plant’s spent fuel pool? These emergency response exercises are required to be conducted biannually at each nuke plant site. A spent fuel damage exercise would be an excellent learning experience for both on-site and off-site emergency responders.

  14. Mr McIntire, I would wish you well in promoting safety. Your above statement reads a little bragadocious at best. At worst one might be left with the impression that the NRC is implying your team has super powers. Thank you for your honest efforts in attempting a seemingly impossable task. It is with great amazement that you have managed to resolve so many safety issues but not super natural. The Union of Concerned Sceintest would seem to have less bias than your stakeholders. Its not actually the puppets that are so offensive as it is the puppeteer. Lets work together. The Union of Concerned Scientest are ready willing and able to help you provide we the people saftey. Trust you need to earn and with the nauture of your task that may be impossible.. Good luck & Thank you

  15. Spent Fuel Damage Due to Airplane Crash
    I must give a lot of credit to the nuclear industry and its regulator, the NRC, for reacting proactively to the Japanese Fukushima nuclear catastrophe. As you know not only the nuke reactors there but also their associated spent fuel pools were impaired and damaged by an earthquake followed by a tsunami.
    The industry has added level instrumentation to our nuke plant spent fuel pools and upgraded plant emergency plans in response to this tragedy overseas. There are four classifications of nuke plant emergencies that can be declared. In increasing order of severity they are:
    A Notification of Unusual Event or NOUE,
    An Alert,
    A Site Area Emergency (SAE), and finally the most serious,
    A General Emergency (GE).
    A General Emergency will be promptly declared if a “hostile action” results in damage to spent fuel in a nuke plant spent fuel pool. An aircraft crash into the spent fuel pool would be undoubtedly one of the worst hostile acts imaginable.
    Another change to nuke plant emergency plans, which I do not believe is nearly conservative enough, is that only an Alert will be declared if “a validated notification from the NRC of an aircraft attack within 30 minutes of the site” is received. As time is a very important factor for any public protective measures to be initiated, 30 minutes and an Alert just does not cut the mustard. My opinion is that a GE should be declared immediately if such a validated threat is received.
    Public protective measures that would need to be implemented would be extensive and may reach beyond the so-called 10-mile radius Emergency Planning Zone around each of our nuke sites. Accident mitigation on-site for such an aircraft crash would be extremely difficult if not impossible. It would be like moving the chairs around on the Titanic.

  16. Dear Hiddencamper,
    You make a good point!
    What is your take on the potential consequences of an airplane crash directly on a fully-loaded, re-racked spent fuel pool?

  17. I am responding to your comment on behalf of Rob Lewis.

    A report by the Union of Concerned Scientists characterized safety issues requiring NRC special inspections as “near misses.” None involved aerial attacks on nuclear power plants. The NRC has stated we disagree with the report’s characterization. Special Inspections, rather than representing disaster narrowly averted, represent the NRC acting to resolve safety issues long before they become substantial threats to the safe operation of a reactor.

    David McIntyre

  18. With regards to ft. calhoun, this was classified as a red finding because design and installation errors caused a common mode failure potential of both divisions of safety related power. The fire and loss of decay heat removal in and of themselves did not constitute a red finding, but contributed to the overall assessment. (That’s how i read the inspection report)

  19. There are probably 20 ways to send a reactor and or fuel pool into melt down using less than $50,000

    When you are living in a glass house, with the most dangerous thing on the planet, you can’t stop all the stones, esp. insider stones. Sheesh, 11 near misses in 2011/12 and that was without any evil intent!

    Come on guys, put down the plutonium, and stop pretending that humans and mother nature can cooperate to make this “too cheap to meter” energy.

  20. Since you are taking your sweet time to even post my comments, let me talk some more to myself.
    Even early in the ’70s one of the spent fuel pool accidents that was postulated was to see if the highly radioactive fuel located therein could be damaged by a missile. The “missile” postulated was a large piece of the last stage turbine bucket coming off the turbine generator in the plant’s turbine building. Could this missile (rotating at 1800 RPM) penetrate the massive steel casing around the turbine itself, fly over the taller containment structure, and then descend thru the roof of the spent fuel building on the other side and damage the fuel stored there? This lob shot was analyzed away at the time by determining that the missile would not get thru the turbine casing in the first place. This example shows how sensitive potential spent fuel damage was even at that time. A more recent example of concerns related to spent fuel storage occurred just last year at the Fort Calhoun Nuclear Station. Well known is the fact that spent fuel is highly radioactive and must be constantly covered with water and cooled by a system designed for such a purpose. Naturally, if the so-called decay heat cannot be removed the fuel it overheats and eventually melts releasing its deadly contents to the air. At Fort Calhoun their cooling system failed for just a few hours and the NRC assessed its safety significance as a Red finding, its most serious classification. When we consider an aircraft crashing into the spent fuel pool, it makes these other concerns rather academic.

  21. Yes I am replying to myself so please excuse me but I have to add this.
    NUKE PLANT POISON
    Aircraft can be poison for nuclear power plants. An aircraft crash on a nuke site could cause a disaster akin to Chernobyl or Fukushima. The amount of highly radioactive fuel now stored at U.S. nuke plant sites far exceeds that stored at nuke plants in most other countries. These countries have provided for safe storage of their used fuel off-site in safe repositories. This makes our nuke sites an even more tempting terrorist target.
    An aircraft crashing into our overloaded on-site spent fuel pools would cause an immediate and on-going release of huge amounts of radioactivity into the atmosphere. These spent fuel pools have a typical construction grade roof which would offer little protection from an aircraft crash. In fact an aircraft crash even into the re-enforced containment building surrounding the plant’s reactor would result in direct damage to the reactor itself. It is high time to at least acknowledge the fact that an aircraft crash on-site could result in a Japan/Russian-type nuclear catastrophe.
    Currently there are established no-fly zones around our nuke plants which I am sure terrorists will respect.

  22. I am sorry Mr Moderator but your answer to Joy is woefully misleading. While the information you provide is true you are as they say not giving us the whole truth. Say you are right and at least a train of safety equipment is available to cover and cool the reactor. But what if the reactor is already badly damaged by a fully fueled aircraft loaded with high explosive?! Pouring water on a badly damaged reactor core is not going to help much especially with all barriers to a radioactive release to the public breached. As you are aware the licensing bases, especially for older nukes, does not take into account a terrorist attack by aircraft of today’s size and capabilities. The crash of an old 707 or a tornado-borne telephone pole into the containment structure was an original design bases. Even with that design bases the aircraft breached the wall of the containment structure and was just stopped short of the reactor itself by the reactor shield walls. Mr Moderator tell us straight. Can you assure us that the reactor core of any licensed nuke plant will not be directly damaged by a fully fueled, explosive-laded large aircraft?

  23. The NRC’s post-9/11 Orders and rules require existing commercial nuclear power plants to have additional resources available to keep safety systems running after an explosion and fire, such as those that might occur with an aircraft crash. The NRC’s post-Fukushima requirements are enhancing these additional resources. New reactor designs have to assess where they could add functions or features that are equivalent to what existing plants have put in place. Also, the NRC requires each licensee to develop procedures to enhance their capabilities to communicate with the federal government and mitigate any potential imminent aircraft impact.

    Robert Lewis

  24. Moderator Note: The incident to which you refer occured at a facility storing nuclear weapons material, a Department of Energy controlled facility. It was not at an NRC-licensed site.

  25. You folks should just come right out and state that the NPPP report was poorly written, based on incomplete information, even compared to what is readily publicly available, poorly researched, and the author and her sponsoring professor should be ashamed of themselves for letting such a travesty of inadequate research ever see the light of day, much less to have publicly distributed it.

    However, it’s fairly apparent that the paper was not intended as a supportable scholarly work, but as a piece of propaganda, and it served that purpose well for its author and her sponsor and her sponsor’s patrons. They should all be utterly ashamed of themselves. They are information vandals, spewing falsehoods into the public eye, and thus stealing the public’s ability and it’s right to make rational choices based on accurate information.

  26. Being somewhat familiar with the extensive nuke plant security measures in place more than a decade ago, I can only imagine what they must be like today. Trouble is all these measures protect the plant site only. No such security measures are in place for earthen dams on the Missouri River. The failure of these dams due to terrorist attack would be devastating for nuke plants downstream, Fort Calhoun and Cooper Stations. A tsunami would result that would vastly exceed the existing flood protection measures in place at these sites. Ironically, the only “security” measure at these vulnerable upstream dams are signs. These signs are huge and display a warning required under international law. They say that these dams are off-limit targets during a war. I feel better already.

  27. Am remembering that 80+yr. old nun penetrating security at one of our nuclear plants to alert us all that these “security efforts” are not providing any sense of security against terrorists intent on creating serious damage to our nuclear plants.
    Our current plans described here do not address aerial attacks.

Comments are closed.