Share This!
Text SizeAAA Share Email

Aircraft Threats to Nuclear Plants

None of the 103 nuclear power plants operating in the United States were designed to withstand suicide attacks from the air, such as we tragically experienced on September 11, 2001. This vulnerability prompted the Federal Aviation Administration (FAA) to establish no-fly zones around nuclear plants in the fall of 2001. This response was largely symbolic since FAA sanctions would probably not deter a suicide bomber, but it marked an implicit concession by the federal government that nuclear plants were vulnerable to air assault.

Nuclear plant owners would like us to now believe their facilities are hardened structures virtually immune to attack from the air. For example, they recently reported:

"[T]he nuclear power industry is confident that nuclear plant structures that house reactor fuel can withstand aircraft impact, even though they were not specifically designed for such impacts. This confidence is predicated on the fact that nuclear plant structures have thick concrete walls with heavy reinforcing steel and are designed to withstand large earthquakes, extreme overpressures and hurricane force winds. The purpose of this study is to validate that confidence."[1]

But what the nuclear industry asserts as confidence appears more like a confidence game. The thick, reinforced walls do not surround all vital parts of a nuclear power plant—as the industry knows very well. One study of aircraft hazards, jointly prepared by the owners of two similar nuclear power plants more than 20 years ago, concluded, "The control building is the only single building which, if hit, could lead to core melt."[2] The control buildings at every nuclear plant in the United States are located outside the robust structures described by the industry. Thus, the nuclear industry's proclamations about the robustness of thick, reinforced walls may be accurate, but they fail to tell the entire story.

Security tests conducted since 1991 under the NRC's Operational Safeguards Readiness Evaluation (OSRE) program detail why the nuclear industry's current assurances are incomplete. Each OSRE involved force-on-force exercises with a small group of mock intruders going up against the facility's armed responders. As the NRC individual responsible for the OSRE program testified to Congress last year:

"Eighty-one OSREs have been conducted to date. At 37 of them, the expert NRC team identified a significant weakness; significant being defined as the adversary team simulating sabotaging a target set, which would lead to core damage and in many cases, to a probable radioactive release."[3]

The "target set" attacked and defended by the adversary team and the security force respectively during the force-on-force exercises is defined by the NRC as follows:

"A target set is a minimum combination of equipment or operator actions which, if prevented from performing their intended safety function or prevented from being accomplished, would result in core damage."[4]

Target sets vary from plant to plant. As implied by name, a target set generally involves more than a single pump, a single valve, or a single wall (however thick and reinforced). The Nuclear Energy Institute (NEI) issued guidance to assist plant owners in developing their target sets. NEI described the process for determining target sets as follows:

"Analysis identifies target sets that, if all targets within a target set are destroyed, could lead to significant core damage. Using these target sets provides a basis for evaluating the protective strategy and assessing the significance of issues based on the risk involved."[5]

To illustrate the concept (without revealing any plant-specific safeguards information), NEI provided sample target sets in Table A-1. Ten (10) target sets are shown as columns numbered 1 through 10. Reactor core damage can be prevented if cooling water is supplied from any one of four possible sources listed: normal (high-pressure supply), safety backup (emergency high-pressure supply), another safety backup (low-pressure supply), and an additional backup (alternate low-pressure supply).

In this sample, each cooling water supply can be disabled by any one of five ways: (1) power for the pump motor can be interrupted; (2) control for the pump and/or valves upstream and downstream of the pump can be lost; (3) the pathway from a water source to the pump can be eliminated; (4) the pathway from the pump to the reactor vessel can be eliminated; and, (5) the location of the pump itself can be rendered unusable by fire, etc.

As NEI reported, only one of the four ways of cooling the reactor need survive the attack:

"Each target set is developed to provide assurance that, if any element is protected, public health and safety will not be endangered by a significant radiological release."[6]

In the sample case, the adversary team must "knock out" at least one element for all four water supplies to attack a target set successfully, while the security force need only protect one element for one water supply to be successful. The NRC evaluates security during an OSRE by this performance measure:

"The licensee's performance for a particular exercise scenario should be judged a success if the response force effectively protects against the adversary disabling and/or destroying all pieces of equipment and preventing the operator actions in a target set; and the licensee's performance will be judged unsuccessful for the scenario if the response force is not able to prevent the adversary from disabling and/or destroying all pieces of equipment/actions in a target set."[7]

In 37 of the 81 OSREs conducted, the security forces were unable to defend even one element of the target set successfully from simulated ground assaults.* Some of the recent failures:

Quad Cities (IL): "In accordance with this interim guidance, the findings of the Quad Cities OSRE appear to have low to moderate safety significance as described in Section 4.3 of this report because there were losses of target sets in two scenarios due to specific deficiencies associated with procedures, training and the protective strategy."[8]

Farley (AL): "The licensee's protective strategy failed during force-on-force exercises in that the licensee failed to prevent the mock adversaries from gaining access to target sets in two of four exercises and the simulated destruction of the significant plant equipment during a third exercise."[9]

Oyster Creek (NJ): "On May 8-9, 2001, the NRC OSRE team observed and evaluated four force-on-force exercises. In one force-on-force exercise, your response strategy was insufficient to successfully interdict an adversary force. Consequently, there was a loss of a complete target set that was necessary to prevent or mitigate core damage."[10]

Vermont Yankee (VT): "As noted in our inspection report, the finding was considered preliminarily Yellow because response strategy weaknesses found during the conduct of the OSRE were considered generally predictable, repeatable and indicative of a broad programmatic problem. This determination was based on potential response strategy vulnerabilities that were identified during the conduct of table-top drills, and subsequently confirmed by the results from two of the four force-on-force exercises."[11]

The sample target sets illustrate the conclusion reached more than 20 years ago about the control building being an Achilles' heel. Target Set 6 shows that knocking out the control element for all four water supplies can result in core damage. An aircraft hitting the control building may destroy the control elements for all four water supplies, and much more.

These target sets should be used to evaluate nuclear power plants for destruction caused by postulated aircraft impact and subsequent fire. This aircraft hazard evaluation approach mirrors the approach taken for in-plant fire hazards. Following the extremely serious fire at the Browns Ferry nuclear plant in 1975, the NRC required all plant owners to evaluate their facilities room by room, assuming a postulated fire completely engulfs the room, destroying all equipment and cabling in it. The fire hazards analysis must show that sufficient equipment exists outside the room to enable the reactor to be shut down and adequately cooled. Many plant owners had to relocate equipment and/or cabling in order to get successful results from their fire hazards analyses. These fire hazards analyses are "living documents" in that proposed changes to plant procedures and proposed modifications to plant structures must be formally reviewed against them to verify that protection against fires will not be lessened.

The real way to ensure adequate protection of nuclear plants from aerial threats would be to replicate the fire hazards analysis process.# If the aircraft hazards evaluation determines that all targets within a target set are likely to be disabled, at least three options are available to the plant's owner to remedy the vulnerability:

  1. Other equipment outside of and not affected by the impact zone could be added to the target set. Using the sample target sets, a fifth makeup water supply system could be added if it were outside the impact zone and could adequately cool the reactor core.
  2. Protection in place for at least one of the targets within the existing target set could be provided. Using Target Set 9 from the sample target sets, if an aircraft impact at the location of the low-pressure supply system and the alternate low-pressure supply system potentially caused collateral damage to the discharge pathway for the emergency high-pressure supply system, it might be possible to install a shield wall or screen to protect the exposed pathway. 
  3. Affected portions of a system could be relocated to a safe place outside the impact zone. Using Target Set 5 from the sample target sets, if the only part of the emergency high-pressure supply system within the impact zone was the power cable for the pump, that power cable could be rerouted.

The aircraft hazards analysis would not only establish adequate protection at nuclear plants (for those that may not already be there), it would also provide the means to ensure that future changes to plant structures and procedures do not compromise that protection.

Absent such aircraft hazards analyses, nuclear power plant protection against aerial threats is a nuclear Maginot Line—a defense that looks good on paper but is easily circumvented in practice. Thick, reinforced reactor containment walls might not be breeched by a fully loaded 767 aircraft. But that's not enough as documented by the NRC:

"The heart of this program [OSRE] is nuclear power plant security force demonstrations of their armed response capability in onsite force-on-force exercises. Significant weaknesses were identified in 27 of 57 plants (or 47%) evaluated to date. "Significant" here means that a real attack would have put the nuclear reactor in jeopardy with the potential for core damage and a radiological release, i.e., an American Chernobyl. … For example, 14 of these plants were unable to prevent mock adversary forces from gaining (simulated) access into reactor containment!"[12]

At that time (February 1999), the adversary teams had simulated the destruction of at least one target set at 27 different nuclear plants. Roughly half of the time (i.e., at 13 of the 27 plants), the adversary team did not enter the reactor containment in order to destroy every target within the target set. Whether arriving on foot or by air, adversaries should not be able to wipe out an entire target set. Until the NRC independently verifies that all plant owners have evaluated their target sets for potential air assault and implemented measures to redress all identified vulnerabilities, millions of Americans will be protected more by rhetoric than by reality.


* The math gets a little complicated. The typical OSRE features four force-on-force exercises. For this statistic, 37 of the plants tested had at least one exercise where the target set was completely eliminated.

# While the existing fire hazards analyses will be useful input to the aircraft hazards analyses, they do not eliminate the need for further study for two reasons: (1) the fire hazards analyses assumed that the postulated fire would be confined to a single room, whereas the aircraft impact and resulting fire(s) may affect multiple rooms, and (2) many rooms were summarily accepted as-is by the fire hazards analyses due to insufficient combustibles being present to sustain a fire--assumptions invalidated by the large amount of fuel carried by aircraft. The fire hazards analyses will expedite the aircraft hazards analyses by defining the equipment needed to cool the reactor if a room is hit. If that equipment could also be disabled by an aircraft hitting the room, action will be required to eliminate that vulnerability.

Cited Sources:

1) Nuclear Energy Institute report dated December 2002, "Deterring Terrorism: Aircraft Crash Impact Analyses Demonstrate Nuclear Power Plant's Structural Strength."

2) Report from Spring 1982 by the Power Authority of the State of New York and the Consolidated Edison Company of New York, Inc., "Indian Point Probabilistic Safety Study," Section 7.6.2, "Aircraft Hazards Analysis."

3) Testimony on April 11, 2002, by David N. Orrik, Reactor Security Specialist, Office of Nuclear Security and Incident Response, Nuclear Regulatory Commission, before the US House Subcommittee on Oversight and Investigations, "A Review of Enhanced Security Requirements at NRC Licensed Facilities."

4) Nuclear Regulatory Commission Memorandum dated November 17, 2000, from Glenn M. Tracy, Chief – Operating Licensing, Human Factors and Plant Support Branch, to John R. White, Chief – Radiation Safety and Safeguards Branch, Region I; Kenneth P. Barr, Chief – Plant Support Branch, Region II; James R. Creed, Team Leader – Safeguards Staff, Region III; and Gail M. Good, Chief – Plant Support Branch, Region IV, "Conduct, Agenda, and Rules of Engagement for Operational Safeguards Response Evaluations," page 4.

5) Nuclear Energy Institute draft report dated October 2000, "Safeguards Performance Assessment Program."

6) Nuclear Energy Institute draft report dated October 2000, "Safeguards Performance Assessment Program."

7) Nuclear Regulatory Commission Memorandum dated November 17, 2000, from Glenn M. Tracy, Chief – Operating Licensing, Human Factors and Plant Support Branch, to John R. White, Chief – Radiation Safety and Safeguards Branch, Region I; Kenneth P. Barr, Chief – Plant Support Branch, Region II; James R. Creed, Team Leader – Safeguards Staff, Region III; and Gail M. Good, Chief – Plant Support Branch, Region IV, "Conduct, Agenda, and Rules of Engagement for Operational Safeguards Response Evaluations," page 6.

8) Nuclear Regulatory Commission letter dated February 1, 2001, from Glenn M. Tracy, Chief – Operating Licensing, Human Factors and Plant Support Branch, to Oliver D. Kingsley, President – Nuclear Generation Group and Chief Nuclear Officer, Commonwealth Edison Company, "NRC Operational Safeguards Response Evaluation (Inspection Report Nos. 50-254/2000-201 and 50-265/2000-201)."

9) Nuclear Regulatory Commission letter dated June 21, 2001, from Charles A. Casto, Director – Division of Reactor Safety, Region II, to D. N. Morey, Vice President, Southern Nuclear Operating Company, Inc., "Farley Nuclear Plant – NRC Inspection Report 50-348/01-07 and 50-364/01-07."

10) Nuclear Regulatory Commission letter dated June 22, 2001, from Wayne D. Lanning, Director – Divison of Reactor Safety, Region II, to Ronald J. DeGregorio, Vice President – Oyster Creek, AmerGen Energy Company LLC, "Oyster Creek Generating Station – NRC Inspection Report 05000219/2001-011."

11) Nuclear Regulatory Commission letter dated March 25, 2002, from Hubert J. Miller, Regional Administrator, Region I, to Michael A. Balduzzi, Senior Vice President and Chief Nuclear Officer, Vermont Yankee Nuclear Power Corporation, "Final Significance Determination for a Yellow Finding at the Vermont Yankee Generating Station (NRC Inspection Report 50-271/01-010)."

12) Nuclear Regulatory Commission memorandum dated February 3, 1999, from Captain David N. Orrik, Security Specialist, to William D. Travers, Executive Director for Operations, "Differing Professional Opinion Regarding NRC's Reduction of Effectiveness and Efficiency in the "Staff Recommendations" of the Follow-on OSRE Program for Nuclear Power Plants."

Powered by Convio
nonprofit software