Nuclear Reactor Air Defenses

None of the 103 nuclear power plants operating in the United States were designed to withstand suicide attacks from the air, such as we tragically experienced on September 11, 2001. This vulnerability prompted the Federal Aviation Administration (FAA) to establish no-fly zones around nuclear plants in the fall of 2001. This response was largely symbolic since FAA sanctions would probably not deter a suicide bomber, but it marked an implicit concession by the federal government that nuclear plants were vulnerable to air assault.

Nuclear plant owners would like us to now believe their facilities are hardened structures virtually immune to attack from the air. For example, they recently reported:

T he nuclear power industry is confident that nuclear plant structures that house reactor fuel can withstand aircraft impact, even though they were not specifically designed for such impacts. This confidence is predicated on the fact that nuclear plant structures have thick concrete walls with heavy reinforcing steel and are designed to withstand large earthquakes, extreme overpressures and hurricane force winds. The purpose of this study is to validate that confidence."

But what the nuclear industry asserts as confidence appears more like a confidence game. The thick, reinforced walls do not surround all vital parts of a nuclear power plant—as the industry knows very well. One study of aircraft hazards, jointly prepared by the owners of two similar nuclear power plants more than 20 years ago, concluded, "The control building is the only single building which, if hit, could lead to core melt." The control buildings at every nuclear plant in the United States are located outside the robust structures described by the industry. Thus, the nuclear industry’s proclamations about the robustness of thick, reinforced walls may be accurate, but they fail to tell the entire story.

Security tests conducted since 1991 under the NRC’s Operational Safeguards Readiness Evaluation (OSRE) program detail why the nuclear industry’s current assurances are incomplete. Each OSRE involved force-on-force exercises with a small group of mock intruders going up against the facility’s armed responders. As the NRC individual responsible for the OSRE program testified to Congress last year:

The "target set" attacked and defended by the adversary team and the security force respectively during the force-on-force exercises is defined by the NRC as follows:

"A target set is a minimum combination of equipment or operator actions which, if prevented from performing their intended safety function or prevented from being accomplished, would result in core damage."

Target sets vary from plant to plant. As implied by name, a target set generally involves more than a single pump, a single valve, or a single wall (however thick and reinforced). The Nuclear Energy Institute (NEI) issued guidance to assist plant owners in developing their target sets. NEI described the process for determining target sets as follows:

"Analysis identifies target sets that, if all targets within a target set are destroyed, could lead to significant core damage. Using these target sets provides a basis for evaluating the protective strategy and assessing the significance of issues based on the risk involved."[5]

To illustrate the concept (without revealing any plant-specific safeguards information), NEI provided sample target sets in Table A-1. Ten (10) target sets are shown as columns numbered 1 through 10. Reactor core damage can be prevented if cooling water is supplied from any one of four possible sources listed: normal (high-pressure supply), safety backup (emergency high-pressure supply), another safety backup (low-pressure supply), and an additional backup (alternate low-pressure supply).

In this sample, each cooling water supply can be disabled by any one of five ways: (1) power for the pump motor can be interrupted; (2) control for the pump and/or valves upstream and downstream of the pump can be lost; (3) the pathway from a water source to the pump can be eliminated; (4) the pathway from the pump to the reactor vessel can be eliminated; and, (5) the location of the pump itself can be rendered unusable by fire, etc.

As NEI reported, only one of the four ways of cooling the reactor need survive the attack:

"Each target set is developed to provide assurance that, if any element is protected, public health and safety will not be endangered by a significant radiological release."[6]

In the sample case, the adversary team must "knock out" at least one element for all four water supplies to attack a target set successfully, while the security force need only protect one element for one water supply to be successful. The NRC evaluates security during an OSRE by this performance measure:

"The licensee’s performance for a particular exercise scenario should be judged a success if the response force effectively protects against the adversary disabling and/or destroying all pieces of equipment and preventing the operator actions in a target set; and the licensee’s performance will be judged unsuccessful for the scenario if the response force is not able to prevent the adversary from disabling and/or destroying all pieces of equipment/actions in a target set."[7]

In 37 of the 81 OSREs conducted, the security forces were unable to defend even one element of the target set successfully from simulated ground assaults.* Some of the recent failures:

Quad Cities (IL): "In accordance with this interim guidance, the findings of the Quad Cities OSRE appear to have low to moderate safety significance as described in Section 4.3 of this report because there were losses of target sets in two scenarios due to specific deficiencies associated with procedures, training and the protective strategy."

Farley (AL): "The licensee’s protective strategy failed during force-on-force exercises in that the licensee failed to prevent the mock adversaries from gaining access to target sets in two of four exercises and the simulated destruction of the significant plant equipment during a third exercise."

Oyster Creek (NJ): "On May 8-9, 2001, the NRC OSRE team observed and evaluated four force-on-force exercises. In one force-on-force exercise, your response strategy was insufficient to successfully interdict an adversary force. Consequently, there was a loss of a complete target set that was necessary to prevent or mitigate core damage."

Vermont Yankee (VT): "As noted in our inspection report, the finding was considered preliminarily Yellow because response strategy weaknesses found during the conduct of the OSRE were considered generally predictable, repeatable and indicative of a broad programmatic problem. This determination was based on potential response strategy vulnerabilities that were identified during the conduct of table-top drills, and subsequently confirmed by the results from two of the four force-on-force exercises."

The sample target sets illustrate the conclusion reached more than 20 years ago about the control building being an Achilles’ heel. Target Set 6 shows that knocking out the control element for all four water supplies can result in core damage. An aircraft hitting the control building may destroy the control elements for all four water supplies, and much more.

These target sets should be used to evaluate nuclear power plants for destruction caused by postulated aircraft impact and subsequent fire. This aircraft hazard evaluation approach mirrors the approach taken for in-plant fire hazards. Following the extremely serious fire at the Browns Ferry nuclear plant in 1975, the NRC required all plant owners to evaluate their facilities room by room, assuming a postulated fire completely engulfs the room, destroying all equipment and cabling in it. The fire hazards analysis must show that sufficient equipment exists outside the room to enable the reactor to be shut down and adequately cooled. Many plant owners had to relocate equipment and/or cabling in order to get successful results from their fire hazards analyses. These fire hazards analyses are "living documents" in that proposed changes to plant procedures and proposed modifications to plant structures must be formally reviewed against them to verify that protection against fires will not be lessened.

The real way to ensure adequate protection of nuclear plants from aerial threats would be to replicate the fire hazards analysis process.# If the aircraft hazards evaluation determines that all targets within a target set are likely to be disabled, at least three options are available to the plant’s owner to remedy the vulnerability:

1. Other equipment outside of and not affected by the impact zone could be added to the target set. Using the sample target sets, a fifth makeup water supply system could be added if it were outside the impact zone and could adequately cool the reactor core.
2. Protection in place for at least one of the targets within the existing target set could be provided. Using Target Set 9 from the sample target sets, if an aircraft impact at the location of the low-pressure supply system and the alternate low-pressure supply system potentially caused collateral damage to the discharge pathway for the emergency high-pressure supply system, it might be possible to install a shield wall or screen to protect the exposed pathway. 
3. Affected portions of a system could be relocated to a safe place outside the impact zone. Using Target Set 5 from the sample target sets, if the only part of the emergency high-pressure supply system within the impact zone was the power cable for the pump, that power cable could be rerouted.

The aircraft hazards analysis would not only establish adequate protection at nuclear plants (for those that may not already be there), it would also provide the means to ensure that future changes to plant structures and procedures do not compromise that protection.

Absent such aircraft hazards analyses, nuclear power plant protection against aerial threats is a nuclear Magi not Line—a defense that looks good on paper but is easily circumvented in practice. Thick, reinforced reactor containment walls might not be breeched by a fully loaded 767 aircraft. But that’s not enough as documented by the NRC:

"The heart of this program [OSRE] is nuclear power plant security force demonstrations of their armed response capability in onsite force-on-force exercises. Significant weaknesses were identified in 27 of 57 plants (or 47%) evaluated to date. "Significant" here means that a real attack would have put the nuclear reactor in jeopardy with the potential for core damage and a radiological release, i.e., an American Chernobyl. … For example, 14 of these plants were unable to prevent mock adversary forces from gaining (simulated) access into reactor containment!"[12]