Sage Journals: Discover world-class research

Abstract

A Fukushima-like nuclear accident does not have to be caused by nature. Similar results could be wrought by a dedicated terrorist group that gained access to a nuclear power plant and disabled its safety systems. To guard against natural accidents, terrorist sabotage, and possible combinations of these two classes of events, nuclear plant operators and regulators should consider a combined approach called nuclear safety-security. Although safety and security programs have different requirements, they overlap in key areas and could support and enhance one another. Nuclear facilities could improve safety-security in technical ways, including more secure emergency electrical supplies, better security for control rooms, and, at new plants, reactor containment structures built to survive attacks by terrorist-flown airplanes. At the institutional level, regulators could strengthen the safety-security interface by requiring that it be built into the life cycle of nuclear plants, from design to dismantlement. The authors offer technical and institutional recommendations on how, for example, the International Atomic Energy Agency can support improved safety-security at nuclear plants globally by creating design standards that relate to both accidents and threats while encouraging countries to accept International Physical Protection Advisory Service missions that review security and physical protection systems and provide advice on best practices.

Keywords

defense in depth design-basis accident design-basis threat IPPAS nuclear safety nuclear security nuclear terrorism safety-security interface

In 1979, the Three Mile Island accident created great public concern about the safety of nuclear power plants. Seven years later, the Chernobyl disaster showed the widespread damage a nuclear accident can cause. The September 11, 2001 terrorist attacks installed another fearsome possibility in the public consciousness—nuclear terrorism. Now, the Fukushima disaster has delivered another wakeup call, announcing that—despite the precautions taken since Three Mile Island and Chernobyl—major nuclear accidents are still possible.

But the Japanese earthquake and tsunami of 2011 rang another, implicit alarm bell: A Fukushima-like accident doesn’t have to be caused by nature. Similar results could be wrought by a dedicated terrorist group that gained access to a nuclear power plant and disabled its safety systems (Kim, 2011).

Despite the catastrophe at Fukushima, nuclear materials and equipment will continue to be produced and spread around the globe to meet energy needs. To ensure that nuclear facilities do not endanger the public, it is time to think in terms not of nuclear safety, or nuclear security, but of a combined approach called nuclear safety-security.¹ Luckily, even though safety and security programs have different requirements, they overlap in key areas and could, with proper planning and support, enhance one another.

Nuclear safety and defense in depth

To prevent severe accidents at nuclear power plants, they are designed in accordance with the concept of defense in depth, which refers to multiple layers of protection aimed at reducing risks to both the public and workers. The defense-in-depth strategy places priority on the prevention of accidents and, if they can’t be prevented, on the mitigation of their consequences (International Atomic Energy Agency, 1996).

This layering of protection—for example, the placement of reactors inside containment structures intended to keep radiation from reaching the environment, even if reactors leak radioactive materials—makes modern nuclear plants less susceptible to accidents than most other industrial facilities. It is clear, however, that the strategy cannot eliminate the possibility of accidents and that sometimes human error may be the very cause of accidents (Ha, 2008).

The Three Mile Island accident in 1979 helped to identify and eliminate the weaknesses in defense in depth—a reactor core did partly melt down, and some radiation did escape from the reactor—even as it demonstrated the importance of human factors and the human–machine interface during times of crisis. The 1986 Chernobyl disaster illustrated not just the consequences of inadequate defense in depth, but the need for a safety culture, which the Soviet nuclear power program markedly lacked. And the recent Fukushima disaster showed that nuclear power plants can fail, even when they are designed in accordance with defense-in-depth principles, if they are subjected to forces greater than they were built to withstand.

Design-basis accident

A design-basis accident is “a postulated accident that a nuclear facility must be designed and built to withstand without loss to the systems, structures and components necessary to ensure public health and safety” (US Nuclear Regulatory Commission, 2011). In other words, the minimum function- and performance-based considerations that go into the construction of nuclear facilities and equipment are stipulated by the design-basis accident. Until now, this has been the guide for safety standards of nuclear facilities; that is, the most severe set of circumstances a nuclear power plant is likely to face.

But as Three Mile Island, Chernobyl, and Fukushima all show, circumstances can exceed the design basis of nuclear power plants. The likelihood of such circumstances occurring may be low, but the consequences can be severe, and the circumstances do not have to arise accidentally. Although Fukushima is said to have been caused by a natural disaster—the combined effects of a huge earthquake and ensuing tsunami—what really caused the accident was a station blackout that persisted for days. The earthquake-tsunami cut off-site power, on-site emergency diesel generators malfunctioned, and batteries ran out. With no electricity, there was no way to operate pumps to circulate coolant for the reactors (Kang, 2011).

Such a long-lasting electricity cutoff is beyond the design-basis accident of most nuclear plants in most countries. Before Fukushima, in fact, the US Nuclear Regulatory Commission (NRC) required that utilities have only eight hours of back-up power in the event of a station blackout; this is based on the assumption that eight hours would be plenty of time to restore electrical power for cooling the core and spent fuel pools. After Fukushima, an NRC task force recommended expanding the ability of all operating and new reactors to provide backup power for both design-basis and beyond-design-basis external events (Miller et al., 2011).

But it doesn’t necessarily take a natural disaster for a Fukushima-like nuclear accident to occur at any nuclear power plant that relies on water for cooling. Terrorists and other malefactors could attack a plant’s power system, cooling system, or both, potentially leading to a core meltdown and damage to spent fuel. The Fukushima accident reflects the power of nature. It also implicitly shows the overlap between nuclear safety and nuclear security concerns.

Nuclear security and defense in depth

Since the 1960s, the peaceful use of nuclear energy has expanded around the world, and as the volume of nuclear materials and their international transport increased, so did concerns about the protection of nuclear materials against terrorist groups. International regulation of nuclear material, in fact, began decades ago, in programs spearheaded by the United States and the International Atomic Energy Agency (IAEA).

But the September 11, 2001 terrorist attacks against the United States illustrated the need for fundamental changes in nuclear security systems that aim to address threats to nuclear facilities. Since 9/11, the term “nuclear security” has become the preferred term for describing means to prevent nuclear terrorism (Usami, 2010); the usage was cemented by the April 2010 Nuclear Security Summit hosted by US President Barack Obama.

The concept of defense in depth applies as much to nuclear security as to nuclear safety. At the design level of nuclear facilities, defense in depth relates to physical protection that reflects “a concept of several layers and methods of protection (structural, other technical, personnel and organizational) that have to be overcome or circumvented by an adversary in order to achieve his objectives” (IAEA, 2011). Such a defense involves a mixture of hardware (security devices), procedures (including the organization of guards and their performance), and facility design (including layout).

Defense in depth in nuclear security should be based on the physical protection system, which serves to detect, delay, and respond effectively to attempts to harm a nuclear facility, and on the system for nuclear material accountancy and control to protect against insider and outsider threats (IAEA, 2011).

Design-basis threat

In 1999, the IAEA introduced a new concept for nuclear facility security, the design-basis threat, defining it as the “attributes and characteristics of potential insider and/or external adversaries, who might attempt unauthorized removal of nuclear material or sabotage, against which a physical protection system is designed and evaluated” (IAEA, 1999). Although details of particular design-basis threats vary by country and power plant and remain confidential, the IAEA provides a basic guideline (IAEA, 2011).

Design-basis threats are based on real threats and threat scenarios, but they clearly do not cover all contingencies. For example, the IAEA’s primary methods for defending against a design-basis threat are aimed at countering ground attacks on nuclear facilities but do not take into consideration the possibility of aerial attacks (Kim, 2008). In April 2007, the NRC announced it would issue a proposed rule to require license applications for new reactors to improve protection against impact by large commercial aircraft (Holt and Andrews, 2007).

As with accidents that exceed a nuclear plant’s design basis, there are, at least in theory, threat scenarios in which malefactors penetrate a nuclear plant’s physical protection system and damage a reactor or cooling system, causing radiation emissions. This situation is described as a beyond-design-basis threat. Post-Fukushima, the scope of design-basis threats should be reconsidered. Since a design-basis threat is considered the maximum credible threat, the scope of these threats should also be broadened to cover the entire spectrum of possible terrorist attacks, as is the case with severe accident scenarios for a design-basis accident (Park et al., 2003).

The nuclear safety-security interface

For those with malicious intent, who wanted to sabotage a nuclear power plant and release radiation, they would need knowledge about the plant’s safety systems, including its power supplies and cooling equipment. Such information is not easily obtainable, but well-prepared terrorists—particularly those with connections to people working at a nuclear plant—could likely acquire it.

It is possible to imagine terrorists marrying such information with the safety weaknesses exposed by the Fukushima catastrophe and targeting spent nuclear fuel or core cooling systems at other nuclear plants. In other words, Fukushima has implicitly exposed the relationship between the nuclear safety problem and the nuclear security problem. The disaster also suggests that nuclear power plant safety and security can be strengthened simultaneously through improvements in vital areas, including on-site power supplies, the cooling system for reactors and spent fuel ponds, and the main control room.

But if reinforcing safety systems can sometimes enhance security, robust security systems can also interfere with emergency response or effective safety practices. In other words, the main challenges in improving nuclear safety-security lie in elements or actions in one area that are antagonistic to the other. One key example: Delay barriers serve a security function, denying terrorists quick access to vital areas, but such barriers could also limit rapid access for emergency personnel in the event of an accident (Koenick, 2011). The emergency evacuation process illustrates the conflict well: For both terrorist incidents and natural accidents at nuclear plants, safety personnel seek to accelerate the speedy evacuation of people; however, the top priority for security forces is to identify and detain the insider threat or intruder (Hahn, 2011).

Strengthening the safety-security interface will be a complex undertaking. Systems that prevent and respond to nuclear accidents and nuclear terrorism must be improved and, where they overlap, made to work seamlessly with one another. They must also take into account a third type of possible nuclear catastrophe: the combined disaster, in which opportunistic antagonists time their malicious activity to take advantage of natural disasters that weaken nuclear safety systems (Khripunov and Kim, 2011b). The apparent lack of security in the immediate aftermath of the Fukushima meltdowns highlights the need for planning for such combined nuclear dangers.

Technical recommendations

Technical measures to strengthen nuclear safety-security at nuclear facilities will depend on the specific characteristics of the facilities. But all nuclear plant operators and regulators should consider the following measures to strengthen nuclear safety-security:

Secure the electrical supply. The fundamental reason for the Fukushima nuclear accident was a prolonged station blackout caused by the failure of off- and on-site sources of electric power. Off-site power lines are, generally speaking, outside the control of nuclear plant operators. So security for on-site back-up power sources—usually diesel generators—needs to be strengthened to protect them from terrorist attack. Emergency generators should be located on high ground to prevent the kind of flooding that disabled back-up power at Fukushima. In case either natural or human activity disables emergency generators, nuclear plant operators should ensure ready access to mobile emergency generators sufficient to power all plant cooling systems.

Protect the reactor cooling system. Operators need to enhance security to protect reactor cooling pumps and controls from sabotage. Plant operators should also create an on-site water reservoir that can be used to remove decay heat from reactor fuel in the event cooling pumps fail or are sabotaged.

Make spent fuel ponds safer. The Fukushima accident shows that spent fuel storage pools are vulnerable when cooling systems fail. Protection of the pools should, therefore, be part of a nuclear plant’s safety-security plan, and plant operators should have sufficient water reserves on site to cool the pools, even if a natural disaster or sabotage damages them. To minimize risks in this area, plant operators should move spent fuel from the pools after five years of cooling and place it in dry-cask storage.

Guard the main control room. Destruction of the main control room—by, for example, a terrorist bomb—would cause unpredictable results, including, perhaps, core meltdown (Park et al., 2003). Therefore, plant operators should double the physical security dedicated to the main control room.

Strengthen the containment structure. New reactors need to include improved protection against aircraft crashes. A robust containment structure could protect a reactor against a large, terrorist-flown aircraft, preventing or limiting what would otherwise be a significant release of radioactive material.

Institutional recommendations

The following institutional measures would strengthen nuclear safety-security:

Raise awareness of the nuclear safety-security intersection. High-level meetings on safety-security should convene regularly to ensure that the interface receives adequate attention. The Nuclear Security Summits and the IAEA are effective venues for such senior-level discussions.

Integrate the safety-security interface into nuclear facilities’ service life. Safety-security measures must be built into a plant in all its phases, from design and construction to routine operation to decommissioning and dismantlement (Khripunov and Kim, 2011a). Safety and security thus begins at the drawing board, with an assessment of candidate sites for the plant and the design of the installation itself. This integration includes considerations of cyber-intrusion and aircraft attacks that cannot be guarded against by traditional security methods.

Establish post-Fukushima international standards for design-basis accidents and design-basis threats. The primary cause of the station blackout at Fukushima was a beyond-design-basis accident. As currently calculated, design-basis threats also might fail to cover the spectrum of possible terrorist attacks. It is important to establish post-Fukushima international standards for both design-basis accidents and threats. These standards would consider an expansive list of possible accidents and incidents—whether caused by internal events like malfunctioning safety systems and human error or external events like earthquakes, fires, floods, tornadoes, and terrorist attacks. To establish such international standards for design-basis accidents and threats that do not infringe on sovereignty and confidentiality, the IAEA should create model documents that respective countries can adapt to the specifics of their nuclear plants.

Strengthen the IAEA’s role to further assist national regulators. National regulators have primary responsibility and authority for nuclear safety-security, but the IAEA should continue being the main agency to provide advice and expertise that help strengthen the safety-security interface around the world. In particular, the IAEA should encourage countries to accept the International Physical Protection Advisory Service, as well as the International State System of Accountancy and Control Advisory Service missions. These missions review practices across countries and at individual nuclear plants—explaining how safety and security regimes compare with international guidelines and best practices, recommending improvements, and providing follow-up assistance. The highest levels of leadership and management in each country are also needed to ensure an effective balance between safety and security.

International discourse has naturally been shaped by the evolution of threats—from nuclear safety spurred by Three Mile Island and Chernobyl, to nuclear security since 9/11, and now nuclear safety and security in the aftermath of Fukushima. To guard against natural accidents, terrorist sabotage, and possible combinations of these, it is time for a combined approach that strengthens nuclear safety-security.

Footnotes

Funding

This research received no specific grant from any funding agency in the public, commercial, or not-for-profit sectors.

Note

Author biographies

Duyeon Kim is the deputy director at the Center for Arms Control and Non-Proliferation, where her policy work focuses on North Korea, nuclear nonproliferation, nuclear security, and nuclear terrorism prevention. She is a former career journalist from Seoul, Korea, having served as the Foreign Affairs Ministry correspondent and Unification Ministry correspondent for a leading South Korean broadcaster. Her news stories covered North Korea’s nuclear programs, the six-party talks, inter-Korean relations, US foreign policy, South Korean foreign policy, and the United Nations.

Jungmin Kang is a visiting professor at the department of nuclear and quantum engineering at the Korea Advanced Institute of Science and Technology in Daejeon, Korea. His recent research interests include multinational approaches to uranium enrichment and spent fuel management, as well as verification and dismantlement of the North Korean nuclear weapons program.

References

Ha J (2008) Issue of comprehensive risk evaluation and direction of its technology development. Nuclear Industry, December (Korean).

Hahn C (2011) Intersection between nuclear safety and nuclear security. Asan Plenum: Our Nuclear Future, Seoul, Korea, June 13–15.

Holt M and Andrews A (2007) Nuclear power plants: Vulnerability to terrorist attack. CRS report for Congress. August 8. Available at: http://www.fas.org/sgp/crs/terror/RS21131.pdf.

International Atomic Energy Agency (1996) Defence in depth in nuclear safety: INSAG-10. Report by the International Nuclear Safety Advisory Group. Available at: http://www-pub.iaea.org/MTCD/publications/PDF/Pub1013e_web.pdf.

International Atomic Energy Agency (1999) The physical protection of nuclear material and nuclear facilities (INFCIRC/225/Rev.4, corrected), June. Available at: http://www.iaea.org/Publications/Documents/Infcircs/1999/infcirc225r4c/rev4_content.html.

International Atomic Energy Agency (2011) Nuclear security recommendations on physical protection of nuclear material and nuclear facilities (INFCIRC/225/Revision 5). IAEA Nuclear Security Series No. 13. Available at: http://www-pub.iaea.org/MTCD/publications/PDF/Pub1481_web.pdf.

Kang J (2011) Five steps to prevent another Fukushima. Bulletin of the Atomic Scientists, May 4. Available at: http://www.thebulletin.org/web-edition/features/five-steps-to-prevent-another-fukushima.

Khripunov I and Kim D (2011a) Time to think safety-security. Korea Times, August 8. Available at: http://www.koreatimes.co.kr/www/news/opinon/2011/08/137_92394.html.

Khripunov I and Kim D (2011b) Nature and malice: Confronting multiple hazards to nuclear power infrastructure. Bulletin of the Atomic Scientists, September 7. Available at: http://thebulletin.org/web-edition/op-eds/nature-and-malice-confronting-multiple-hazards-to-nuclear-power-infrastructure.

10.

Kim D (2011) Fukushima and the Seoul 2012 Nuclear Security Summit. Bulletin of the Atomic Scientists, March 18. Available at: http://www.thebulletin.org/web-edition/op-eds/fukushima-and-the-seoul-2012-nuclear-security-summit.

11.

Kim S (2008) International trends on nexus of nuclear safety and security. Nuclear Industry, April (Korean).

12.

Koenick S (2011) Safety and security interface, IAEA/ICPT School of Nuclear Management. IAEA Nuclear Safety and Security Department. August 16. Available at: http://www.iaea.org/inisnkm/nkm/pages/2011/NEMschool2011/topics/topic7/06A_Koenick_IAEA%20supplemental%20safety%20security%20interface.pdf.

13.

Miller C, Cubbage A, Dorman D, et al. (2011) Recommendations for enhancing reactor safety in the 21st century: The near-term task force review of insights from the Fukushima Dai-Ichi Accident. US Nuclear Regulatory Commission, July 12. Available at: http://pbadupws.nrc.gov/docs/ML1118/ML111861807.pdf.

14.

Park

Jung

Yang

(2003) A PSA-based vital area identification methodology development. Reliability Engineering & System Safety 82: 133–140.

15.

US Nuclear Regulatory Commission (2011) Design-basis accident. Available at: http://www.nrc.gov/reading-rm/basic-ref/glossary/design-basis-accident.html.

16.

Usami M (2010) Progress of international effort on nuclear security: Strengthening counter-measure to terror and its challenge. Legislation and Investigation 309, October (Japanese).