AUGUST 31, 2017
This essay by Steven Aoki suggests that “An attack on a reactor spent fuel pool aimed at creating a loss-of-coolant accident and subsequent radiation release may not be the most likely form of terrorism, but the potentially catastrophic consequences requires responsible regulators and government officials to think about ways to reduce the risk. Significant steps and important technical studies have already been initiated in several countries, in part because of the lessons learned from the Fukushima accident.”
Steven Aoki is former Associate Administrator for Counterterrorism and Counterproliferation at the US Department of Energy.
Paper prepared for Workshop Reducing Risk of Nuclear Terrorism and Spent Fuel Vulnerability in East Asia co-sponsored by Nautilus Institute and Research Center for the Abolition of Nuclear Weapons, Nagasaki University, Nagasaki, January 20-22, 2017
Banner Image Credit: Unit 4 SFP – June 29, 2011, TEPCO photo 110701_1
II. SPECIAL REPORT BY STEVEN AOKI
NUCLEAR TERRORISM AND SPENT FUEL STORAGE
AUGUST 31, 2017
On March 11, 2011, I was standing in the Operations Center of the U.S. Department of Energy as news came in about a massive earthquake that had struck Japan earlier that day. Earlier optimism about a safe shutdown of the country’s nuclear plants turned to shock as TV broadcasts showed a tsunami inundating the Fukushima Dai-ichi power station, followed by an explosion at one of the reactor buildings and the first reports of radiation detection at the plant perimeter. As a senior nuclear counterterrorism official, I helped to organize DOE’s response to the emergency, including providing assistance to Japanese authorities, helping the U.S. government to make sense of what was going on and decide how to protect its own citizens in the region, and making available scientific and technical expertise from our national laboratories. As the crisis evolved over many weeks, I supported discussions between Secretary of Energy Steven Chu, a small group of expert advisors, and counterparts in Japan and across the American government. DOE played a particularly important role in conducting aerial surveys of radiation deposition and in forecasting the risks of larger radiation releases from the damaged reactors. This close-up involvement in one of history’s most serious nuclear accidents made me acutely aware of the need to better manage any future nuclear emergency and of the challenges governments face in any radiation release on this scale.
The massive radioactive contamination from Fukushima raises the question of whether a terrorist organization could deliberately create an incident of comparable severity. One pathway that has been proposed is an attack on a spent fuel storage pool at a power reactor. While it is hard to judge how likely this particular scenario may be, technical analysis and lessons learned from previous accidents provide some insight into ways to assess and reduce risk. This paper reviews our current understanding of the potential for creating a radiation release from a reactor spent fuel pool and provides some suggestions for next steps. It draws heavily on studies sponsored by nuclear safety regulators, on extensive analysis of the Fukushima accident, and on reviews conducted by committees of the U.S. National Academies of Sciences, Engineering, and Medicine at the request of the U.S. Congress. It reflects experiences gained from service at the Department of Energy and other U.S. agencies, but should not be taken as an expression of their views.
2. MECHANISM FOR RELEASE OF FISSION PRODUCTS FROM SPENT FUEL POOLS
At the height of the accident, emergency managers and government officials in Japan and the United States focused intensely on a ‘devil’s scenario’: the possibility that the water covering the spent fuel at one or more of the damaged reactors could leak or evaporate away. The fuel would then heat up, possibly to the point where the zirconium cladding of the stored fuel rods would fail. At worst, the cladding itself could catch fire, leading to a runaway release of highly radioactive fission products from the accumulated spent fuel (NAS 2016; Bader 2012). In the end, this scenario did not play out, but good luck and improvised on-the-spot responses played an uncomfortably important role in a successful outcome.
Nuclear safety experts and regulators have known about the danger of a spent fuel pool accident for more than thirty-five years (Benjamin et al. 1979). Over that time period, there have been extensive efforts in a number of countries to better quantify the risk and to identify preventive or mitigating measures. [See for example the historical discussion in (NEA 2015).] The Fukushima accident stimulated a number of additional studies, experimental efforts, and reviews.
The greatest risk to public safety from an accidental or deliberately-created event at a reactor spent fuel pool arises if the water level in the pool is lowered to the point where the fuel itself is uncovered and exposed to the atmosphere. Were that to happen, decay heat from fission products and other radioactive materials in the spent fuel would cause its temperature to rise. At about 800° C, the fuel’s zirconium cladding will begin to fail, releasing gaseous fission products. Once the temperature reaches 900-1200°, the cladding will react rapidly with air or steam in the environment. Because these reactions are highly exothermic, they can lead to a run-away zirconium fire that could spread from its initiation point to other assemblies in the pool, even those not self-heating to ignition temperature. Heating or melting of the fuel itself could then lead to dispersal of a high portion of the pool’s total fission product inventory into the outside environment (NAS 2016, p.36). The zirconium reaction with steam yields hydrogen as a product, making possible a hydrogen explosion in the building above the pool.
Draining water from the pool removes radiation shielding as well as cooling. Radiation levels in the vicinity of an uncovered spent fuel pool would preclude humans from entering and could be high enough to damage instrumentation and cameras relied on to assess or respond to the ongoing incident.
Reactor spent fuel pools can contain a lot of radioactive material – more than in the reactor core itself after a few years of operation. As of 2014, the U.S. reported 50,390 metric tons of spent fuel in pool storage at 66 reactor sites (some sites report common storage as a single facility) (DOE 2014). A single power reactor fuel load is typically 100-120 tons. In the absence of clear direction on the back end of the fuel cycle, reactor spent fuel pools in several countries are full or nearly so, even after their capacity was increased through the use of higher-density storage racks. In the worst case, a deliberately-induced accident at a spent fuel pool could – at least in principle – release more radioactive material than the reactor accidents at Chernobyl and Fukushima.
Scenarios for Fuel Damage
Safety studies identify two pathways to a catastrophic spent fuel pool accident. In a loss of coolant accident, water in the pool drains away because the pool itself is breached, through a leak in pumps, pipes, heat exchangers or other systems external to the pool, or because the seals around the gates connecting the pool to other parts of the reactor fail, allowing water to escape. Sloshing of water out of the pool because of an earthquake or an explosion in the building above the pool is another possible mechanism to partially remove water from the pool.
Because of regulatory requirements for seismic resistance, spent fuel pools are typically robust steel-lined reinforced concrete structures. At some reactors, the pool is located below ground level; in other cases, for example the BWRs involved in the Fukushima accident, the pool is elevated above ground within the reactor building.
Up to now, there have been no cases of structural failure or substantial coolant leakage from a reactor spent fuel pool even though several operating reactors have experienced moderate to strong earthquakes. In a 2014 study, the U.S. NRC carried out detailed modeling of the response of a specific reactor spent fuel pool to an earthquake larger than that previously considered in the licensing process (NRC 2014). Like the damaged units at Fukushima, the reactor modeled (Peach Bottom 1) was a BWR with a Mark I containment. The study concluded that even for a seismic shock substantially larger than the design basis, the likelihood of damage to the pool and liner sufficient to cause leakage would be no more than 10%. The probability that water would drain sufficiently quickly to empty the pool in six to nine hours was estimated to be 5%.
In addition to seismically-generated cracking assessed by the 2014 NRC report, previous studies investigated the possibility that a pool lining could be ruptured by a heavy load drop onto the pool floor (NRC 2000). While much of the published analysis focuses on estimating the probability of an accidental load drop during normal plant operations, it may be possible to create a significant leak by deliberately hoisting and then dropping a 25 ton spent fuel cask, at least at some reactors.
The 2014 NRC study did not address in detail the possibility of coolant loss from components or piping external to the pool, noting that these systems only connect to the pool at a height well above the top of the stored fuel elements, and are fitted with anti-syphoning devices. This limits the risk that the pool could be completely drained through these systems. A similar argument is made regarding the movable gates separating the spent fuel pool from the transfer channel through which fuel is moved into and out of the reactor core. While this is strictly true with respect to emptying the pool, leakage around a damaged gate into an adjacent empty space could rapidly lower the water level to just above the top of the stored spent fuel, shortening the time for subsequent evaporative loss (NAS 2016). Note also that a drop in water level below the pump intakes near the top of the pool will cause a loss of suction in cooling system, halting circulation (NEA 2015, p.97).
Water can spill over the side of a spent fuel pool if external shaking causes the water in the pool to slosh back and forth. This was observed at Fukushima Unit 3, where investigators estimate that the water level was reduced by about two meters following the earthquake and a hydrogen explosion in the reactor building (NEA 2015, p.69). Again, this is not a mechanism to empty a pool, but could shorten the timeline for evaporative loss of coolant.
The second primary pathway to a spent fuel pool radiation release is a loss of cooling accident. In this case, the pool retains its physical integrity, but its associated water circulation and heat exchange system ceases to function, for example because of a loss of both primary and back-up electrical power. Without external cooling, decay heat generated in the spent fuel causes the temperature in the pool to rise, accelerating evaporation from the pool’s surface. If events are allowed to proceed, the remaining water can begin to boil. Eventually, the water level will drop to the point where the fuel is uncovered. This began to happen to the spent fuel pools at Fukushima Units 1-4, although at all four reactors emergency responders managed to replace the evaporated water and restore circulation before any fuel was exposed.
The rate of temperature increase for the water in a spent fuel pool heats depends on the heat input from the stored fuel. This in turn is a function of both how much fuel is in the pool and its age, since each fuel bundle generates less heat as the shorter-lived radioisotopes decay away over time. At a reactor undergoing decommissioning or an away-from-reactor wet storage facility all of the fuel may be five years or older in age, producing heat at a rate 100 times lower than when first discharged. On the other hand, at some points in its operating cycle a pool at an operating reactor will contain a freshly-discharged partial core. For certain types of maintenance, the entire core will be placed temporarily in the spent fuel pool, as was done at Fukushima Unit 4 three and a half months before the accident. The total heat load and the initial volume and temperature of water in the pool establish a timeline for progression of the event from normal operating conditions to potential fuel damage. This will generally be slower than a loss of coolant accident in a reactor core, but could range in duration from multiple hours to a few days or more.
If external cooling and replacement water supply are not re-established, the pool will heat up and its water level drop through evaporation, eventually to and below the top of the racks holding the spent fuel. Once the fuel is partially uncovered, the progression of the event will be governed by a number of complex phenomena, influenced by aspects of the design of the fuel bundles and the spent fuel racks. According to recent numerical simulations, steam generated by boiling at the bottom of partially exposed fuel elements will for a time provide sufficient cooling to prevent damage of the exposed upper parts. For fuel that is not too recently discharged, convective cooling in air may suffice to prevent cladding damage. This natural circulation could be blocked, however, by remaining at the bottom of the pool or pumped into a dry pool to reestablish cooling. A good summary of the relevant phenomenology is given in (NEA 2015, pp.94-99).
A separate issue assessed in post-Fukushima analysis is the possibility of a criticality excursion in a partially drained spent fuel pool. If the water (which is a neutron absorber) surrounding a group of fuel assemblies is removed while the assemblies themselves contain water, calculations show that it is possible for a group of adjacent assemblies to have a neutron multiplication factor (k-effective) greater than one, i.e., to sustain a chain reaction (NEA 2015, pp. 88-93).
Accidents and Incidents Involving Spent Fuel Storage
The sequence of events at Fukushima Unit 4 during the accident illustrates the potential dangers of a spent fuel loss of cooling accident. When the earthquake and tsunami struck, Unit 4 had been shut down for 102 days to allow maintenance activities to proceed inside the reactor pressure vessel. The complete active core of 548 assemblies was stored temporarily in the spent fuel pool. The pond contained previously discharged fuel as well, for a total of 1331 assemblies. The pool at Unit 4 had the highest thermal load of any of the four units damaged in the accident, initially generating 2.3 megawatts.
At 15:42 on March 11, shortly after the second of two tsunami waves inundated the site, a station blackout was declared for Units 1-5, indicating the loss of primary and back-up electrical power. This meant, among other things, that the electrical pump-driven cooling system for the spent fuel pool ceased to function. Temperature sensors, water level indicators, and monitoring cameras also stopped functioning once power was cut off. On March 12, a hydrogen explosion occurred at Unit 1, followed by a second explosion on March 14 at Unit 3. A third hydrogen explosion on March 15 destroyed the reactor building at Unit 4, exposing the spent fuel pool. Since there was no core in the Unit 4 reactor, the explosion there raised concern that the pool had drained and that hydrogen was being generated by exposed spent fuel. It is now generally believed that hydrogen originating in the Unit 3 reactor entered the Unit 4 spent fuel handling area through a shared ventilation duct and caused the explosion in the Unit 4 reactor building.
Although indirect evidence led the reactor operator to conclude that the pool was intact, the absence of reliable data on the status of the spent fuel at Units 3 and 4 made authorities in Tokyo (and in Washington) very anxious, and efforts to maintain water in all of the pools received high priority. Elevated levels of radiation and debris from the hydrogen explosions prevented human access to areas of the plant near the spent fuel pool to make measurements or take remedial actions. Attempts to replenish the water in the Units 3 and 4 pools began on March 17, initially with helicopter drops and fire engines, and subsequently using a remotely operated concrete pumper with a long extensible boom. The boom also made it possible to monitor the pool temperature. Temporary off-site power was restored to Units 3 and 4 on March 26. The concrete pumping truck continued to be used for water injection until June, when it was superseded by use of a fire hose and by adding water to the reactor well that connected to the spent fuel pool. [Timeline from (IAEA 2015).]
Post-event reconstruction of the accident indicates that water levels in the Unit 4 spent fuel pool were maintained by leakage from adjacent reactor well and dryer-separator pit. As the level in the pool dropped, the pressure difference across the gate separating it from the transfer channel and reactor well caused the gate seals to leak, allowing water to flow into the pool. Without this source of replenishment, a US National Academy of Sciences study estimates that the water level could have fallen to the top of the spent fuel storage racks within 12 days of the initial accident. Even with inflow from the reactor well and external injections using the concrete pumper, the water level still dropped as low as two meters above the top of the spent fuel on two or more occasions in early April, in part because on-site responders were using an erroneous indirect measure of the amount of water in the spent fuel pool.
While in the end, there was no significant damage to stored fuel or radioactivity release from the spent fuel pool at Unit 4, post-event reconstruction of the accident shows this was by any measure a close-run thing. A catastrophic outcome was likely averted by a combination of improvised measures to refill the pool and unanticipated leakage into the pool from the reactor well. None of the techniques used to add water in the absence of the normal circulation system had been planned for or practiced, and the necessary equipment was not immediately available at the site. The first two procedures attempted (dropping water from a helicopter and spraying using a fire engine water cannon) were later judged to be ineffective. Moreover, had planned maintenance in the reactor pressure vessel proceeded as scheduled, the reactor well would have been drained on March 7, and therefore would not have provided a source of replacement water to the pool. This would have significantly shortened the timeline for action to avert uncovering the fuel.
A particularly disturbing aspect of the accident was the need to make important decisions, both with respect to the management of the emergency itself and the possible need to order evacuations of large numbers of people far from the accident site, with little or no hard information about the state of the pool or the likely further evolution of the situation. Senior officials said publicly that they believed the Unit 4 pool had completely drained, only to be contradicted by others relying on hard-to-interpret imagery from a single helicopter overflight.
The Fukushima accident is not the only significant incident involving spent fuel storage and handling. A 2009 review of operational events reported to the IAEA identified 28 instances related to fuel integrity in storage facilities. Of these, 16 involved a loss of cooling (Martin Ramos, 2010). While most involved only a temporary loss of cooling to a reactor spent fuel pool with no damage to the fuel, in two events fuel bundles being handled outside of the normal storage configuration were allowed to overheat to the point of damage. A report by the Nuclear Energy Agency identifies four more recent incidents involving temporary cooling interruption at spent fuel pools (NEA 2015, p.41).
Technical Analysis of Risks to Spent Fuel Storage
Because of the potentially serious consequences of any loss of cooling at a spent fuel storage facility, accident sequences and fuel behavior have been investigated since the late 1970s. Building on experiments and modeling developed for reactor core loss of cooling events, these studies have examined how a loss of cooling event could develop in a spent fuel pool, whether air or steam circulation will provide sufficient cooling to partially or fully exposed spent fuel to avoid cladding failure, and how fuel assemblies will behave at elevated temperatures. These efforts intensified after the Fukushima accident, and include ongoing international experimental collaboration as well as efforts directed at improving severe accident codes and other predictive tools.
Nuclear Energy Agency review paper
As a contribution to post-Fukushima regulatory and operational improvements, an OECD Nuclear Energy Agency (NEA) international committee published a comprehensive report on technical issues relevant to accidents at spent fuel pools (NEA 2015). The report surveys past accidents, describes the physical and engineering mechanisms that come into play in an accident situation, and reviews previous technical studies and event sequences. It identifies criticality control as a concern, particularly for high-density storage racks that rely on neutron absorbers and borated water to maintain a sub-critical configuration.
The NEA committee observed that spent fuel pools are large robust monolithic structures engineered to prevent loss of cooling and to slow the progression of an accident, giving operators time to intervene before catastrophic damage to stored fuel. The main phenomena involved in a cooling accident are well-understood, although there are still some uncertainties regarding three-dimensional flow in the air/steam environment that would apply to a slowly-draining spent fuel pool. The computer codes relied on for analysis and reconstruction of pool accidents were developed for reactor core modeling. Some benchmarking of codes against spent fuel pool accident scenarios has been carried out, but additional work is needed to validate and identify limitations of codes in a broader range of situations. Because of the challenges of integrating multiple aspects of a complicated accident, it is still not possible to produce a quantitative realistic estimate of the radiological release source term for a postulated event.
The NEA report underscores the importance of reliable instrumentation to detect and manage any abnormal events, as well as the need for better training for nuclear plant operators. It did not specifically address terrorism or sabotage risks, although the same underlying phenomenology and remedial actions would come into play in a deliberately-initiated event as in an accident.
Two sets of integral experiments on fuel assemblies in an environment designed to simulate a spent fuel pool accident have been carried out at Sandia National Laboratory. As part of a U.S. NRC analysis of risks to the spent fuel pool at a reactor undergoing decommissioning, during 2004-2006 Sandia conducted tests on simulated BWR fuel assemblies to obtain data on thermohydraulic, heat transfer, and cladding ignition phenomena under conditions simulating a loss of coolant accident in a spent fuel pool. The results were used to validate a severe accident computer code. Similar experiments involving simulated PWR assemblies were conducted during 2009-2013 under joint sponsorship of the U.S. NRC and the OECD, with participation by 13 countries. Each of the two experimental series included tests on arrays of simulated assemblies intended to replicate conditions for coolant flow and heat transfer in a spent fuel pool rack. To examine the development of a zirconium fire in a drained spent fuel pool, the central assembly in an array was internally heated until its cladding ignited. Fire propagation along the length of the assembly and to adjacent elements was observed (Beaton et al. 2009).
Other experimental studies
Starting in late 2013, and expected to continue until 2019, the DENOPI project at France’s Institut de Radioprotection et de Sûreté Nucléaire involves experimental study of convection and boiling within a spent fuel pool, multiphase flow in heated and partially uncovered fuel assemblies, and the kinetics of cladding oxidation under the conditions expected to arise in a spent fuel pool accident (IRSN 2016). A number of other relevant experiments, conducted in several countries, are described in the NEA report.
These technical studies and the experience at Fukushima provide the backdrop to a continuing debate about whether spent fuel should be transferred out of pools at reactors to dry cask storage. In many countries, the long-term management of spent fuel, whether through reprocessing or direct geological disposition, failed to go forward as originally intended. To address growing spent fuel inventories, regulatory authorities approved the use of higher-density storage racks in existing pools. Critics argue that this increased both the likelihood and potential consequences of a catastrophic loss of coolant accident, and advocated the accelerated transfer of older fuel to on-site dry casks. Others believe that the level of risk reduction obtained does not justify the costs of such an accelerated transfer.
In a 2003 paper, Alvarez and colleagues (Alvarez et al. 2003) described the large radiological release that would follow a cladding fire in a nearly-full spent fuel pool. Citing their own back-of-the envelope calculations as well as previous NRC-sponsored modeling, they argue that convective air cooling would be inadequate to keep fuel in a high-density storage configuration from heating above the cladding ignition temperature. To reduce this risk, they advocate moving all spent fuel older than five years from pool to dry cask storage. Additionally, they call for the addition of water sprays and ventilation above spent fuel pools, hardening pools against terrorist attack, operational changes to reduce the frequency of temporary whole-core transfers to the pool, and legislative requirements to consider a terrorist-intitiated spent fuel pool fire in safety and licensing decisions.
2006 National Academy study
In 2004, the U.S. Congress requested a classified study by the National Academy of Sciences on the safety and security of spent fuel storage, including the vulnerability of pool storage to a terrorist attack, prompted in part by the concerns outlined in the paper by Alvarez et. al. The major conclusions of the classified study were subsequently redacted and released in unclassified form. While withholding sensitive details on specific scenarios, it concluded that:
‘… under some conditions, a terrorist attack that partially or completely drained a spent fuel pool could lead to a propagating zirconium cladding fire and the release of large quantities of radioactive materials to the environment’ (NAS 2006, p.10).
The report’s authors called on the NRC to undertake a more detailed investigation of the vulnerability of spent fuel pools and the consequences of a loss-of-coolant event. The report endorsed reconfiguration of the way in which fuel assemblies are stored in spent fuel pools so that recently-discharged high decay heat assemblies were surrounded by older, lower decay heat assemblies. Recognizing that pool storage will always be necessary for the newest spent fuel, the report did not make a recommendation regarding a requirement to transfer older fuel from pool to dry cask storage, although it suggested that the NRC should consider such a requirement.
2014 NRC Spent Fuel Study
Reflecting these and other concerns, the NRC undertook a series of technical studies on the safety risks of spent fuel storage, aimed at better understanding the underlying physical phenomena, developing and validating computer codes to model the behavior of spent fuel pools under severe accident conditions, and supporting regulatory decisions. This multi-year effort included the experimental program carried out at Sandia National Laboratory mentioned above.
As part of its post-Fukushima review of U.S. nuclear safety requirements, the NRC initiated a technical Spent Fuel Pool Study to evaluate the consequences of an earthquake exceeding the safety design basis event at a U.S. reactor similar to those involved in the Japanese accident. The study sought to determine whether accelerating the transfer of spent fuel from pool to dry cask storage would provide a substantial improvement in safety. It was accompanied by a broader regulatory analysis that looked beyond a single plant design to assess the costs and benefits of requiring an accelerated transfer to dry cask storage at some or all U.S. nuclear power plants. The study was completed in 2013 and published in 2014.
The NRC’s technical study included detailed structural modeling of the response of a BWR spent fuel pool to a large seismic event, computer simulation of accident progression, and an assessment of both successful and unsuccessful mitigating actions by plant operators. It found that even for a one-in-60,000 year earthquake, a total loss of cooling water at a spent fuel pool was unlikely, with an estimated 5% probability for a moderate rate of water loss through an earthquake-induced leak. In that case, the pool would be drained in six to nine hours, assuming the plant operators were unable to make up the leakage. The NRC also assessed that a radiation release from damaged fuel was probable only if the earthquake occurred within a few months after the transfer of spent fuel to the pool from the reactor core – about 8% of the normal reactor operating cycle. Taking these factors into account, the study concluded that for the plant it examined the likelihood of a radiological release from the spent fuel would be about one time in 10 million years or less (NRC 2014).
The related regulatory analysis (NRC 2013) addressed a hypothetical regulation to require moving older fuel assemblies to dry cask storage, thereby reducing the density, heat generation, and total radionuclide content of the spent fuel held in reactor pools. It concluded that continuation of existing regulations allowing high-density loading of spent fuel pools remained consistent with the NRC’s safety goals and that requiring a reduction in spent fuel pool inventories would “provide no more than a minor safety improvement.” Moreover, an NRC cost/benefit analysis generally showed that the assessed safety benefit of an expedited transfer to dry casks did not outweigh the projected costs of the transfer.
2016 National Academy study
The National Academy revisited the safety and security of spent fuel pools as part of its review of lessons learned from the Fukushima accident.(NAS 2016) In addition to a number of security-specific recommendations addressed below, the Academy reviewed its own 2006 report on spent fuel safety and the NRC’s 2014 Spent Fuel Study. In contrast to the NRC’s judgment that expedited transfer to dry storage casks would not provide a significant safety improvement, the Academy committee recommended further assessment of this option, including additional attention to sabotage risks. The Academy review also recommended additional validation of key computer codes used to model severe accidents in spent fuel pools and additional efforts to address terrorism scenarios as well as earthquakes as potential triggers for a loss of coolant event in a pool.
Some thirteen years after publication of the Alvarez paper, there continues to be an active policy debate among informed experts over the potential safety benefit of reducing the density of spent fuel storage in reactor pools by accelerating transfers to dry casks. Fundamental to the debate is disagreement over how to incorporate terrorism and sabotage threats in an assessment of the safety of spent fuel storage.
3. TERRORISM RISKS FOR SPENT FUEL POOLS
There has never been a radiation release from a nuclear power plant caused by a terrorist attack. Perhaps this is because reactors are simply not attractive targets for terrorist groups. They are generally hardened, well-protected facilities with multiple layers of physical barriers, alarm systems, and well-trained guard forces. In comparison to an airport or an urban transport hub, they are often located at relatively remote rural sites, where preliminary surveillance or the staging of an attack force may prove easier for law enforcement to detect. Notwithstanding an occasional mention on extremist web pages, nuclear facilities have generally not acquired high political or symbolic importance in the eyes of terrorist groups.
During the 1970s and 1980s, however, reactors under construction were attacked a number of times by dissident groups, most notably the 1982 bombing of South Africa’s Koeburg reactor project. More recently, anti-nuclear protesters entered operational nuclear power sites in several European countries, including by paragliding onto the roofs of buildings. During 2012, activists broke into the heavily-guarded Y-12 complex in the U.S. In 2015, police seized recordings showing that a suspect linked to the Paris terrorist attacks earlier that year conducted video surveillance of a high-level official at a nuclear research facility. There have also been instances of equipment sabotage at nuclear power plants by employees, although none that posed an immediate public safety threat.
Moreover, an attack on an operating reactor could well be within reach for a terrorist groups. From 9/11 through the 2008 Mumbai attack to the most recent incidents in Paris and Brussels, non-state groups have demonstrated an ability to organize and launch coordinated attacks across multiple locations, deploying teams of suicide commandos armed with explosives and military weapons. While these attacks struck public gathering places, other groups have attacked embassies, military bases, and airports, targets known to be defended. From a different perspective, small groups of criminals have successfully attacked vaults or armored vehicles containing large amounts of cash, gems, or other high-value property, using a combination of surreptitious entry, technical measures to defeat alarms, violence, and insider access.
Nuclear regulators and reactor operators therefore recognize their responsibility to ensure that reactors and other facilities – including stored spent fuel – are protected against terrorist attack or sabotage. This responsibility is codified by international agreements on physical protection of nuclear facilities and against nuclear terrorism, and is bolstered by industry best practices guidance and the IAEA’s series of nuclear security conferences, most recently in December 2016. Where spent fuel pools are concerned, the potentially catastrophic consequences of a worst-case event justifies serious protective measures even if a reasonable judgment is that the risk of a successful attack is low.
Translating that responsibility into a concrete assessment of risk that can in turn be balanced against the anticipated costs of additional security has proven difficult and uncomfortable, as the nearly fifteen year history of U.S. policy debate demonstrates. Unlike many safety issues, it is not possible to rely on a probabilistic or analytical engineering basis to estimate the likelihood of a particular terrorist attack scenario. There are too few cases in the historical record to derive meaningful statistics, and in any event, terrorists are intelligent adversaries aware and able to adapt their tactics to whatever defensive measures are put in place. Unlike with an earthquake, one cannot assume that the risk of a terrorist attack during the short interval immediately following fuel discharge is low, simply because this period makes up a small fraction of the total reactor operating cycle. A terrorist could, after all, have inside or surveillance-based knowledge of when refueling is scheduled to occur, and develop a plan accordingly. But there is also a danger of creating a superhuman adversary by cascading multiple instances of perfect insider expertise on top of generous assumptions about the skills, performance level, and motivation of the attackers. Additionally, possible vulnerabilities and overall assessments are treated as sensitive or classified information by those government agencies that have undertaken detailed reviews of the level of risk. It should be noted, however, that the 2006 National Academy report, reflecting a prior classified review, contained a statement that:
The [Academy] committee has concluded that there are some scenarios that could lead to the partial failure of the spent fuel pool wall, thereby resulting in the partial or complete loss of pool coolant. A zirconium cladding fire could result if timely mitigative actions to cool the fuel were not taken [NAS 2006, p.49].
In many countries, security planning for nuclear facilities relies on assessing the performance of protective forces and engineered security features against a design basis threat (DBT) – a hypothetical force with numbers and capabilities intended to represent the highest level of attack a plant could reasonably be expected to resist from its own resources. Both analytical models and live-play exercises can then be used to assess whether the plant can withstand an assault at the level of the DBT without a radiation release endangering public safety. Use of a DBT has been very helpful in focusing attention on the net performance of security systems, rather than merely on compliance with externally-mandated requirements for individual security system components. But by directing attention to high-end threats, at least in the U.S. often framed as a paramilitary fire fight, it may inadvertently lead regulators and security managers to overlook other scenarios that carry significant risk. For example, electrical power or cooling water supply might be accessible to physical sabotage or cyber intrusion at a location far from the plant itself.
Even if an attempted attack on stored spent fuel does not result in a substantial radiation release, it can still impose costs on the facility operator and its national authorities. A perception that an ultimately unsuccessful attack created a close call with disaster or the exposure of major deficiencies in the response of security forces would lead to a loss of confidence in nuclear program management and oversight. Other nuclear plants could be forced to shut down in response to public pressure, and any attempt to address the long-term disposition of spent fuel or nuclear waste would be greatly complicated. The aftermath of the Y-12 security breach in the U.S. may be instructive in this regard.
In its 2016 report, the National Academies called for use of a formal risk assessment process to evaluate security at nuclear power plants and spent fuel facilities. The Academy study emphasized the importance of identifying and addressing insider, asymmetric, and cyber threats, using analytic approaches developed in other counterterrorism and security contexts, including the use of event trees, elicitation of expert views on risk levels, and consultation with intelligence agencies to establish the overall terrorism background for assessing the threat to nuclear facilities. Whether or not it proves productive to attempt to quantify overall terrorism risk through this type of methodology, it would certainly be useful to develop approaches that systematically evaluate a broad range of site-specific scenarios and incorporate initiating actions beyond the perimeter controlled by the plant operator. Even with large uncertainties, a systematic scenario analysis would clarify the initiating conditions, the timelines, and the likelihood of successful response by plant operators and external security or emergency response forces. This might result in reducing the level of risk ascribed to some scenarios, while identifying hidden vulnerabilities in other areas. A comprehensive assessment of this sort could help to resolve the continuing debate over the level of risk mitigation to be obtained by transferring spent fuel from reactor pools to on-site or off-site dry cask storage.
If spent fuel in reactor pools is judged to be an attractive target for a terrorist attack, there certainly is a lot of it around. For example, the four East Asian countries making reports under the Joint Convention on the Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management had a total spent fuel inventory in excess of 14,000 metric tons at the end of 2013 (see Table 1). While inventories in Japan have grown relatively slowly since the post-Fukushima shut down of nuclear power plants there, operating reactors elsewhere continue to discharge spent fuel. In South Korea, authorities believe that the maximum available capacity in reactor pools will soon be reached, but have been unable to gain public support for interim storage elsewhere. There is thus good reason to pay attention to the safety and security of the facilities where this fuel is being stored and the strategy for managing it over the long term.
Table 1: Spent Fuel in Asian Countries – Late 2013
Source: National reports under the Joint Convention on the Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management, 2011-2014
4. STEPS TO REDUCE RISK
Implement Fukushima lessons learned
Even without consensus on an accelerated transfer of spent fuel from pool to dry cask storage, there are steps that can be taken to reduce the risk of a catastrophic release, whether from a terrorist attack or a natural disaster. Many of these actions were recommended by review panels after Fukushima, and are already being implemented at existing reactors in the U.S. and other countries. They certainly should be incorporated in the design of newly-constructed facilities.
As a starting point, plant operators and emergency response managers need reliable real-time information about the state of the spent fuel pool, particularly the water level, temperature, and functioning of coolant circulation circuits. There are also leak detectors to monitor any loss of coolant into sumps or other spaces below the bottom of the pool. At Fukushima Unit 4, standard instrumentation stopped operating once primary and backup electrical power was lost. The normal expedient – send someone up to check the condition of the pool – was precluded by high levels of radioactive contamination from the other damaged reactors on the refueling deck. Large amounts of physical debris created by the hydrogen explosions at Units 3 and 4 also kept humans or robots from getting to areas near the top of the pool. The instrumentation that was available was designed to monitor conditions close to normal operations, and there were disputes about what readings would be expected if the pool were in fact rapidly draining. Even after operators began adding water, they misinterpreted the available instrument data, so that less reached the pool than intended.
This experience led the NRC to issue a March 2012 order requiring U.S. nuclear power plants to have a reliable and redundant means of indicating whether there are adequate water levels in spent fuel pools. Plants must now have both a primary and a back-up system that can provide accurate data even if there is damage to the reactor building or other conditions restricting access to the pool area.
Even under the most demanding (and improbable) scenarios, the timeline to proceed from a terrorist attack to a spent fuel pool loss-of-coolant accident is slow, measured in hours to days. This gives emergency responders time to organize damage control activities and if necessary add water to a leaking pool. These actions will only succeed, however, if equipment can be deployed quickly to overcome any loss of power or water supply.
In the U.S., the nuclear industry developed a strategy to stockpile necessary portable equipment at or near reactors to ensure that an alternative source of emergency electrical power and cooling water circulation can be provided even after a Fukushima-like event renders unavailable both normal off-site power and hard-wired backup generators. While designed primarily to ensure continued reactor core cooling in the event of a larger-than-expected earthquake, windstorm, or other natural disaster, this approach would also help recovery from a terrorist-initiated incident, including an attack on a spent fuel pool.
The technical studies described above and post-Fukushima lessons-learned reviews identified two additional measures that could reduce the risk that a damaged spent fuel pool could lead to a zirconium fire and a massive radiation release. Changing the way in which fuel is arranged in the pool so that recently discharged assemblies with high heat output are surrounded by older, cooler assemblies has been shown in computer models to improve the ability of the total fuel inventory to maintain convective air or steam cooling in a loss-of-coolant situation. This approach to fuel management is being implemented at existing U.S. plants. Modeling also indicates that a water spray directed at the top of the spent fuel racks could be effective in maintaining cooling even if the pool water is partially or completely drained (NRC 2016).
Improve crisis management
The Fukushima accident revealed deficiencies and failures in crisis management as well as engineering. Operators, safety authorities, and governments lacked tools to predict the likely progression of the accident quickly and with credible estimates of uncertainty. Available information was not comprehensively integrated either in Japan or elsewhere, and often poorly communicated or apparently incomplete. As a result, critical public safety decisions were made on the basis of unvalidated or back-of-the-envelope calculations of risk.
Many of these issues have been addressed by reforms in emergency management organizations undertaken in the last five years. There is a continuing need, however, for the development of better predictive tools that yield usable outputs in the time scale relevant to an evolving emergency. Training events and exercises are widely implemented, but adequately simulating the need to assemble, integrate, and communicate essential information from on-site participants and technical experts to national government decision levels remains a very difficult problem.
At a strategic level, risk assessments for nuclear facilities need to be reviewed periodically and updated as needed through an established channel for dialogue between security regulators and national security and intelligence agencies. Unlike seismic or tropical cyclone hazards, terrorism risks can change quickly, perhaps invalidating assumptions underlying estimates of the adequacy of security measures. In today’s environment, cyber threats may be particularly subject to rapid change.
The direct and long-term political effects of serious nuclear incidents are not necessarily confined to the territory of a single country, and terrorist threats can cross international borders. Some degree of regional or broadly international planning and preparation for mutual support in an emergency situation would therefore be appropriate. For nuclear terrorism events, the Convention on Physical Protection, its 2005 Amendment, and other international agreements may already provide a platform for bilateral or multilateral discussions, as would the periodic IAEA ministerial conferences on nuclear security. As an example of the kinds of issues that could be addressed, legal authorities may be needed for rapid acceptance of foreign technical assistance. Exchanges of information on identified vulnerabilities and best practices, even at a generic level, are always sensitive, but it may be possible to achieve something in this area as well on a confidential basis between responsible government authorities.
An attack on a reactor spent fuel pool aimed at creating a loss-of-coolant accident and subsequent radiation release may not be the most likely form of terrorism, but the potentially catastrophic consequences requires responsible regulators and government officials to think about ways to reduce the risk. Significant steps and important technical studies have already been initiated in several countries, in part because of the lessons learned from the Fukushima accident.
Underlying the problem, however, is the legacy of over fifty years of spent fuel discharges from power reactors, much of which remains in spent fuel pools originally intended to hold significantly smaller quantities than their current inventories. Even without additional reactor operation, this legacy remains, and will continue to require active management by governments. What to do with the spent fuel is of course central to the politically and economically difficult question of the eventual strategy for the back end of the nuclear fuel cycle and the disposition of high-level nuclear waste. In addition to familiar concerns about the nonproliferation implications of the plutonium contained in spent fuel, policymakers must also plan to ensure the safe near- and intermediate-term storage of a growing inventory of material. These plans need to take into account both a heightened appreciation for hazards arising from extreme natural phenomena, and an evolving, potentially asymmetric threat from terrorists. Whatever long-term approach – or interim temporizing – is adopted, there will be value in a realistic and comprehensive risk assessment that includes sabotage and terrorist attack, as well as in better readiness for response to an emergency.
Alvarez, Robert, Jan Beyea, Klaus Janberg, Jungmin Kang, Ed Lyman, Allison Macfarlane, Gordon Thompson, and Frank N. von Hippel. 2003. “Reducing the Hazards from Stored Spent Power-Reactor Fuel in the United States.” Science and Global Security 11: 1–51. at: https://www.princeton.edu/sgs/publications/articles/fvhippel_spentfuel/rAlvarez_reducing_hazards.pdf
Bader, Jeffrey A. 2012. “Inside the White House During Fukushima: Managing Multiple Crises.” Foreign Affairs, March 8. at: https://www.foreignaffairs.com/articles/americas/2012-03-08/inside-white-house-during-fukushima
Beaton, Robert, Alexander Velazquez-lozada, Abdelghani Zigh, Samuel G Durbin, and Eric R Lindgren. 2009. “Experiments on Ignition of Zirconium-Alloy in a Prototypical Pressurized-Water Reactor Single Fuel Assembly in a Spent Fuel Pool during a Complete Draindown,” at: http://www.nrc.gov/docs/ML1433/ML14335A547.pdf
Benjamin, A, David J McCloskey, Dana A Powers, and Stephen Dupree. 1979. “Spent Fuel Heatup Following Loss of Water During Storage.” NUREG/CR-0649.
DOE 2014. U.S. Department of Energy. “Fifth National Report for the Joint Convention on the Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management.”
IRSN 2016. “DENOPI Project.” Accessed December 5. at: http://www.irsn.fr/EN/Research/Research-organisation/Research-programmes/DENOPI-project/Pages/DENOPI-project.aspx
IAEA 2015. International Atomic Energy Agency. “The Fukushima Daiichi Accident Report by the Director General.” Director General, 1–222.
Martin Ramos, M. 2010. “EU Clearinghouse on NPP OEF Summary Report on Fuel Related Events.”
NAS 2006. Committee on the Safety and Security of Commercial Spent Nuclear Fuel Storage – National Research Council. Safety and Security of Commercial Spent Nuclear Fuel Storage, Public Report. Washington: National Academies Press.
NAS 2016. Nuclear and Radiation Studies Board, National Academies of Sciences Engineering and Medicine. Lessons Learned from the Fukushima Nuclear Accident for Improving Safety and Security of U.S. Nuclear Plants: Phase 2. Washington: National Academies Press.
NEA 2015. Nuclear Energy Agency, Organization for Economic Cooperation and Development. “Status Report on Spent Fuel Pools under Loss-of-Cooling and Loss-of-Coolant Accident Conditions: Final Report.” NEA/CSNI/R(2015)2.
NRC 2013. U.S. Nuclear Regulatory Commission.“Regulatory Analysis For Japan Lessons-Learned Tier 3 Issue On Expedited Transfer Of Spent Fuel.” COMSECY-13-0030.
NRC 2014. U.S. Nuclear Regulatory Commission.“Consequence Study of a Beyond-Design-Basis Earthquake Affecting the Spent Fuel Pool for a U . S . Mark I Boiling Water Reactor.” NUREG-2161.
NRC 2016. U.S. Nuclear Regulatory Commission. “Spent Fuel Pool Project Phase II: Pre-Ignition and Ignition Testing of a 1×4 Commercial 17×17 Pressurized Water Reactor Spent Fuel Assemblies under Complete Loss of Coolant Accident Conditions.” NUREG/CR-7216.
IV. NAUTILUS INVITES YOUR RESPONSE
The Nautilus Asia Peace and Security Network invites your responses to this report. Please send responses to: email@example.com. Responses will be considered for redistribution to the network only if they include the author’s name, affiliation, and explicit consent