RADIOLOGICAL SABOTAGE AT NUCLEAR POWER PLANTS: A MOVING TARGET SET
Edwin S. Lyman, Paul Leventhal
Nuclear Control Institute
1000 Connecticut Avenue, NW, Ste 804
Washington, DC 20036
(202) 822-8444
ABSTRACT
The Operational Safeguards Response Evaluation
(OSRE) is a Nuclear Regulatory Commission (NRC) program that uses
force-on-force exercises to test the strategies and capabilities of the
security organizations at commercial nuclear power plants to protect the public
from radiological sabotage. Despite the
success of OSRE --- which uncovered serious physical protection inadequacies in
nearly half of the plants tested --- it was cancelled in 1998 by NRC staff.
After whistleblowers publicized OSRE's cancellation,
NRC reinstated the program. However, the
nuclear industry, acting through the Nuclear Energy Institute (NEI), is
attempting to significantly weaken it by influencing a revision of the NRC
requirements for physical protection of nuclear power plants contained in 10
CFR Part 73.55. While this revision
would require licensees to conduct periodic performance testing of their
security plans, including force-on-force exercises, the testing regimen favored
by NEI would be conducted under far less NRC supervision than the current OSRE
program, and its results would be far more ambiguous.
Ideas that have been proposed by NEI include
changing the physical protection goal so that saboteurs would be able to cause
substantial damage to plant systems, as long as operators were able to prevent
an uncontrolled meltdown and loss of containment. In contrast, under OSRE such an outcome would have been
considered a failure, even if it would not have resulted in a radiological
release.
No level of damage to critical safety functions
should be considered an acceptable outcome of a test of the effectiveness of
physical protection at nuclear power plants.
Denial of access must remain the fundamental goal.
INTRODUCTION
The Clinton Administration has identified the
increasing threat of domestic terrorism, including use of weapons of mass
destruction, as one of the most important security issues facing
Americans. Although it rarely receives
as much attention as biological or chemical attack, radiological sabotage is an
important component of this threat that should not be underestimated. Commercial nuclear power plants, many of
which are located near densely populated urban areas, are logical targets for
attack. Additional concerns include the
introduction of plutonium in the form of MOX fuel at two Duke Energy nuclear
plants as part of DOE's warhead plutonium disposition plan. Use of MOX may increase the attractiveness
of these reactors as targets not only for theft but also for radiological
sabotage, because an attack on a MOX-fueled plant would cause a greater number
of casualties.[1]
The Nuclear Regulatory Commission (NRC) is charged
with ensuring that operators of commercial nuclear plants are capable of
protecting the public from acts of radiological sabotage. NRC's objective of maintaining public
confidence in its effectiveness is especially challenging in the physical
protection area. While the public has
access to considerable information about the NRC's activities in ensuring
reactor safety, it does not have comparable access to safeguards information
and thus cannot independently verify the adequacy of physical protection at
nuclear plants. Therefore, those
aspects of plant security that are visible to the public (as well as
terrorists) must provide unambiguous assurance that the public will be fully
protected from radiological sabotage, within a comfortable safety margin.
The Operational Safeguards Response Evaluation
(OSRE) is a performance-based program, modeled after programs at DOE
facilities, that was introduced to test the effectiveness of nuclear plant
physical protection systems to protect against the design-basis threat (DBT) of
radiological sabotage. The central
evaluation consists of a number of force-on-force (FOF) exercises in which mock
adversaries attempt to disable an entire "target set." An OSRE target set is defined as "a
combination of equipment that would have to be disabled for an adversary to
achieve [significant] core damage."[2] Another series of evaluations, known as
Regional Assists, tests the effectiveness of a plant's perimeter intruder
detection systems (PIDS) and other means of denying unauthorized access.
OSRE has been highly successful in identifying
significant physical protection vulnerabilities at U.S. nuclear plants --- as
of summer 1998, 40 instances in which mock adversaries were able to defeat an
entire target set occurred, demonstrating the potential for terrorists to cause
"significant core damage" at nearly half (27 of 57) the plants
tested. Most licensees that failed
their OSRE evaluations did so in spite of the fact that they were in compliance
with the requirements of their NRC-approved physical security plans (PSPs), had
many months of advance warning, had observed prior OSREs and had increased the
sizes of their security forces by an average of 80% over the numbers they had
committed to in their PSPs.[3]
The results of the OSRE program to date have
demonstrated that simple compliance with the PSPs, which are based on
requirements specified in 10 CFR 73.55 (b)-(h) (such as physical barriers and
communication systems) does not itself guarantee compliance with 10 CFR
73.55(a), which requires that licensees provide "high assurance" that
the public will be protected from the health and safety consequences of
radiological sabotage.
OSRE was secretly cancelled in 1998 by NRC
management after numerous complaints by licensees. Embarrassed by their failures, licensees had challenged NRC's
legal authority to conduct the tests, which are not explicitly required by regulation. Whether or not the cancellation was a result
of industry pressure,[4]
the public perception of the incident as a case of "shooting the
messenger" was unavoidable. To
restore public confidence, NRC must take exceptional care to demonstrate
independence from industry influence as its reactor safeguards program is
redesigned.
Following public disclosure of OSRE's cancellation,
the White House ordered it reinstated.
In the spring of 2000, the last of 68 nuclear plant sites, Commonwealth
Edison's Quad Cities plant, was evaluated, and the cycle began again with Duke
Energy's Oconee plant. In spite of the
fact that the controversy led to a renewed focus on nuclear plant security by
politicians, regulators and the public, the performance of licensees has
apparently not improved following reinstatement, with the failure rate
remaining at nearly 50%. Significant
vulnerabilities continue to be identified at an alarming rate. Most recently, according to the Union of Concerned
Scientists, both Quad Cities and Oconee failed their OSREs.[5]
REVISING THE RULE: FIXING SOMETHING THAT "AIN'T BROKE"?
The licensees' challenge to the legal basis of OSRE was based on their view that as
long as they met their PSP commitments, they were in compliance with
regulations, even if their protective strategies and/or the ability of their
security personnel to carry them out were deficient. Although NRC's general counsel disagreed with this
interpretation, NRC decided to clarify the legal status of the OSRE program by
amending 10 CFR 73.55 to require force-on-force exercises. Industry then intervened, demanding that the
entire rule be revised, and NRC concurred.
Based on the recommendations of a staff task force, NRC also decided
that the industry could be given more responsibility for assessing its own tactical
response capability, even though all the evidence of its past performance
points to a need for more stringent oversight, not less.
The revised rule will contain modifications explicitly requiring licensees to
conduct OSRE-like evaluated exercises on a more frequent cycle than the current
program (every three years instead of every eight years), with more numerous
smaller-scale drills in between. While
these changes will be improvements, the overall rule revision may significantly
limit NRC's role in supervising and assessing these drills and exercises. Past experience has shown that a lower level
of NRC oversight would result in a reduction in security at nuclear plants.
Part of the reason for this concern about the revised rule is the new philosophy
that NRC has adopted in which licensees and other "stakeholders" are
afforded a much greater influence in the rulemaking process than they have had
previously. Although in principle this
would seem to be advantageous for public involvement, in practice only industry
has the resources to participate as a full partner with NRC in this
"interactive rulemaking" process.
This has the effect of converting rulemaking proceedings into a format
resembling two-party contract negotiations, which places the licensee in an
inappropriate position relative to the regulator. NRC's contract is with the public to protect its health and
safety --- it is not with the industry it regulates.
The increased clout of the industry in influencing fundamental NRC activities has
been apparent during a series of public meetings being conducted by NRC to
discuss the interim "self-assessment" program that will replace the
current OSRE program until the revision of 10 CFR 73.55 is completed. This
plan, which has been drafted by the Nuclear Energy Institute (NEI) and is
subject to NRC approval, contains numerous elements that substantially weaken
NRC's authority to identify, require corrections at and take enforcement
actions against plants with significant vulnerabilities in their physical
protection systems. Although NRC staff
oppose many of NEI's proposed changes, currently resulting in a stalemate,
there is considerable pressure to resolve the outstanding issues and accept the
plan. Until this occurs, OSREs will
continue under the existing framework.
TARGET SETS:
FROM "PART 100" TO "CRITICAL SAFETY FUNCTIONS"
The definition of target sets is one of the most important elements for developing
a protective strategy, because it determines the equipment that must be
protected and the resources that must be expended by licensees to do the
job. The target sets are not immutable
but are functions of the ultimate protection goal. According to the regulations, this goal is protection against
"the design basis threat of radiological sabotage." However, the size and content of target sets
can be varied depending on how "radiological sabotage" is
interpreted.
The criterion for evaluating the success of a licensee's security response during
an OSRE is "prevention of significant core damage." The presumption is that if significant core
damage occurs, significant radiological releases to the environment will
follow. However, NEI criticized this
criterion and proposed that it be replaced with the criterion used to
demonstrate protection of the public from design-basis accidents ---
"prevention of a 10 CFR Part 100 release." Part 100 releases, which are assumed to result from accidents
that "result in substantial meltdown of the core with subsequent release
of fission products," correspond to doses less than 25 rem to individuals at
the site boundary.
This change would mean that a licensee could pass an OSRE even if the mock adversary
were able to cause "significant core damage," provided that the
radiological release predicted to result from the attack would not exceed Part
100 limits. An NEI memorandum makes
clear that this proposal was intended to change the OSRE ground rules so that
past failures could be reinterpreted as successes. Moreover, it would shield future failures from enforcement
actions.
In defending the Part 100 approach, NEI argued that the "significant core
damage" criterion was too conservative, because it did not take into
account operational responses and engineered features that could mitigate the
consequences of a core melt, even if an entire target set were destroyed and
significant core damage occurred. NEI
also stressed that it sought to bring the security regulations into conformity
with other safety regulations, in effect treating sabotage as if it were a
design-basis accident. These arguments
are deeply flawed.
The Part 100 proposal failed the "public confidence" test in a number of
ways and clearly showed how out of touch with the public the industry has
become. First, the public would not be
likely to accept the inability of a plant security force to prevent terrorists
from blowing up multiple pieces of vital equipment and causing a partial core
meltdown, even if the off-site releases were minimal. To appreciate this point, one need only look at the intense
public and media response to the recent Indian Point 2 steam generator tube
rupture, which did not result in a measurable release of radiation. Another example was the 1999 Tokaimura
criticality accident, which did not cause radiation doses in excess of Part 100
limits (the maximum dose at the site boundary was estimated as 9.2 rem) yet
caused an uproar in Japan and around the world that has not yet subsided.
Simply put, it is foolish to
weaken physical protection standards so that saboteurs would have the
opportunity to cause significant core damage, because under those
circumstances, the uncertainties associated with efforts to bring the plant to
a safe condition would be much greater than if access were effectively denied
to intruders. NEI's proposal would have
made it impossible to provide a credible estimate of the risk to the public
from acts of radiological sabotage.
Although NRC management was
initially inclined to accept a Part 100-based approach, once the shortcomings
were fully appreciated it decided to adopt a different strategy. Accordingly, in SECY-00-0063, NRC staff proposed
--- and the Commission accepted --- an alternative which is closer to the
spirit of the OSRE standard, and in fact may be even more conservative.[6] In this approach,
performance criteria would be tied not to permissible radiological releases,
but to protection of the so-called critical safety functions (CSFs) that
provide the capabilities for achieving safe shutdown and long-term heat
removal.
A requirement to protect CSFs is more fundamental than a requirement to prevent
significant core damage, and also covers other potential sources of
radiological releases, such as spent fuel storage areas. However, some CSFs (such as process
monitoring systems) are less critical than others, in that if lost, core damage
would not inevitably result. Because
this could mean more targets that need protection and substantial additional
resource expenditures for security, NEI has embraced the original significant
core damage standard and has not accepted the staff's approach. Some NRC inspectors familiar with OSRE also
believe that the CSF approach would not be cost-effective.
It is clear that a balance must be struck.
While the prevention of significant core damage must remain the
fundamental goal, there also must be recognition that public confidence would
be shaken if terrorists were able to penetrate a nuclear plant and disable any
combination of systems, not merely those that would inevitably cause a severe
accident.
Despite NEI's apparent abandonment of the Part 100 criterion, it is continuing to
search for other opportunities within the rulemaking process to weaken the
revised regulations for physical protection.
For instance, the possibility that credit may be given for operator response is still
on the table. NEI maintains that even
if an entire target set is destroyed by a sabotage attack, operators will be
able to act appropriately in sufficient time to prevent significant core damage
from occurring. However, there is no
evidence that operators have the necessary training to cope with the complex
set of events that could occur during an attack. Destruction of an entire target set typically corresponds to a
"beyond-design-basis" accident, which is likely to be beyond the
effective control of operators or mitigation systems.
Moreover, operators may not be willing or able to take actions
that require leaving the control room or other secured areas to operate
auxiliary controls during a security event.
During the intrusion of the protected area at Three Mile Island in
February 1993, a number of operators, including the shift supervisor and
operations coordinator, acted out of concern for personal safety rather than
fulfill their command and control duties appropriately.[7] In spite of this data point, NEI hopes to
get credit for postulated heroic actions by operators to save the plant while
risking injury.
If NRC is prepared to allow credit to be given for
operator intervention during exercises, at a minimum it should require that
simulators or equivalent means be employed to test operator response. Credit should not be given for any operator
action unless the licensee can demonstrate that such a response is achievable,
given the highly confusing state of the plant during the attack and the small
window of time (on the order of thirty minutes) between destruction of a target
set and core uncovery. NEI argues that
no such demonstrations are necessary because plant operators are capable of
dealing with such accidents through the implementation of Severe Accident
Management Guidelines (SAMGs), but this is not sufficient to alleviate this
concern. As a recent NUREG report
notes, there is no credible human reliability analysis built on SAMGs, which
are not procedures, but guidelines that require subjective assessments by the
operators.[8]
Some in the industry have objected to use of
simulators in this context, on the basis that existing units cannot be
programmed to handle such complex events.
However, this argument only underscores the point that operators are not
trained for these events and need to be tested if they wish to assert their
capability to act under extreme conditions.
Also, if credit is to be
given for beneficial operator actions, then consistency demands that negative
credit be given for malevolent operators.
The current OSRE rules do not consider the possibility of active
insiders, who could have access to the control room. An insider holding control room operators at bay with firearms
for the duration of the attack, intentionally disabling safety systems or
tampering with instrumentation and control systems could neutralize the ability
of operators to bring the plant to a
safe condition. Scenarios must be considered
in which the operators themselves are targets.
NRC staff has acknowledged
these concerns, and while it is prepared to allow operator actions to be
considered, it has proposed significant constraints on the circumstances under
which credit will be given. In
particular, it has specified that "credit for operational decisions [will be]
based on probability of success of those actions."[9] This includes requiring that operators in
the field be provided protection if they are to be given credit for their
actions. In effect, operator actions
will be considered CSFs that must be protected. Not surprisingly, NEI has rejected these restrictions.
No matter what constraints
are imposed, consideration of operator actions will greatly increase the complexity
of interpreting the results of performance testing. Former NRC Chairman Jackson observed during a May 5, 1999 hearing
that analysis based on probabilistic risk assessment (PRA) would be necessary
to determine the probability of successful mitigation of sabotage events. The
uncertainties inherent in PRA analysis are themselves significant --- the
uncertainties that would plague an attempt to extend PRA analysis to include
deliberate acts of sabotage would be even greater. A large degree of subjectivity would be injected into the
evaluation of security response, providing a great deal of leeway that would
distract attention from the fundamental issue --- the poor performance of the
security organization. This will
complicate the job of inspectors, who need simple and well-defined criteria to
judge licensees' performance during exercises.
In addition to not testing for an active insider, there are a number of other characteristics of the DBT which have not been utilized during OSREs in accordance with unwritten instructions to inspectors (details are Unclassified Safeguards Information and are not publicly available). As part of a Commission request, a new Adversary Characteristics Document (ACD) has been prepared that updates and clarifies the DBT. However, both NEI and NRC are opposed to a requirement that at least one exercise be conducted during the three-year cycle which utilizes the full capability of the adversary specified in the ACD. Instead, NRC will be satisfied with individual drills and exercises that only use subsets of the ACD's capabilities, as long as the union of all the subsets includes the entire ACD.
This does not make sense. Clearly, licensees must be able to demonstrate that they can protect against the entire DBT at once. Response capability is not a linear process --- the full DBT is likely to pose a greater challenge than the sum of its parts.
Another troubling aspect of the ACD process is that NRC has solicited feedback from NEI on the financial, operational or managerial impacts of the ACD on licensees,[10] despite earlier statements by NRC staff that the ACD was "a finished document" not subject to industry comment. NEI does not have access to intelligence that would qualify it to challenge any aspect of the ACD. Moreover, the financial impact of the ACD on licensees has no bearing on the content of the document itself. When queried on this issue, NRC management stated that NEI's feedback was limited to the clarity of the document and not its substance, but this clearly conflicts with the original request for comments. Since the public does not have access to these closed-door deliberations, these contradictions can only lead to a growing mistrust of the process.
The past performance of nuclear plants during OSREs has not entitled them to
receive a larger share of the responsibility for regulating their compliance
with security rules. There is great
concern among NRC inspectors that without the vigorous oversight and analytical
capabilities of NRC and expert contractors, skills will deteriorate and corners
will be cut. A program in which
licensees are able to both develop and grade their own tests can obviously be
abused.
There also must be comprehensive NRC review of licensee-chosen target sets,
especially if operator actions are to be credited. Otherwise, the licensee may deliberately omit pieces of equipment
from target sets that could be used to prevent core damage. If the mock intruders were able to destroy
the entire target set, the licensee could then argue that operators would have
been able to discover and use the additional piece of equipment to save the
plant, even though such actions were not part of approved emergency operating
procedures. This argument has already
been used to reduce the severity of the violation associated with at least one
recent OSRE failure.
On the other hand, the more frequent drills required under the new plan could, of
course, be all to the good, provided that they are meaningful and effective.
Sensitive about the appearance of foxes guarding the henhouse, NRC has
changed the name of the Self-Assessment Program (SAP) to the Safeguards
Performance Assessment (SPA). To ensure
that this represents more than a change in name only, NRC should insist on
maintaining its role in devising appropriate drills and independently
evaluating performance. The
NRC-observed exercises must be at least as stringent as the current OSREs. In particular, regional inspectors have repeatedly
flagged the participation of skilled contractors in evaluated exercises as an
essential component of a credible program.
NEI would like to eliminate the use of these contractors because of
their cost.
However, doubts remain about whether the industry will take the SPA seriously, even if
all the outstanding issues are resolved in its favor. To date, the industry has refused to commit to incorporate the
SPA into plant PSPs, which would make it legally binding on licensees. NEI's position is that the SPA is a
voluntary program.
The OSRE program has been quite successful in uncovering vulnerabilities in the physical protection systems at nuclear power plants. It has been the only mechanism for compelling NRC licensees to maintain and improve their physical protection capabilities. Efforts by the industry to reduce its effectiveness in the future must be decisively stopped.
ENDNOTES
[1] E. Lyman, "Public Health Consequences of Substituting Mixed-Oxide for Uranium Fuel in Pressurized-Water Reactors," to appear in the journal Science and Global Security.
[2] U.S. NRC, "Operational Safeguards Response Evaluation (OSRE) Inspection Manual," Inspection Procedure 81110, July 1997.
[3] D. Orrik, "Differing Professional View Regarding NRC Abandoning its Only Counter-Terrorism Program," memorandum to S. Collins, Nuclear Regulatory Commission, August 7, 1998.
[4] In a May 3, 1999 letter to Representative Ed Markey, former NRC Chairman Jackson denied that NRC had received any written proposals from the industry to eliminate OSRE, but admitted that some licensees expressed their discontent during informal conversations with staff.
[5] D. Lochbaum, Union of Concerned Scientists, "Comments on the Safeguards Performance Assessment Program," letter to Glenn Tracy, NRC, July 14, 2000.
[6] U.S. NRC, Staff Re-Evaluation of Power Reactor Physical Protection Regulations and Position on a Definition of Radiological Sabotage, SECY-00-0063, March 9, 2000.
[7] U.S. NRC, Unauthorized Forced Entry into the Protected Area at Three Mile Island Unit 1 on February 7, 1993, NUREG-1485, April 1993, p. 3-7.
[8] M. Pilch et al., Assessment of the DCH Issue for Plants with Ice Condenser Containments, NUREG/CR-6427 (Washington, D.C.: U.S. NRC, 2000), p. 52.
[9] R. Rosano, NRC, presentation at the Public Meeting on the Safeguards Performance Assessment Program, U.S. Nuclear Regulatory Commission, Rockville, MD, July 12, 2000.
[10] R. Rosano, NRC, Review of Adversary Characteristics Document, memo to Jim Davis, NEI, April 6, 2000.