Nuclear plants undertake a variety of processes, some of which involve intensely radioactive materials and highly reactive chemicals. Moreover, being nuclear there is a public perception of dread and fear (i.e., a fate worse than death) associated with radioactive release which might, it could be argued, render plants such as BNFL Sellafield attractive targets to terrorists. However, to mount an attack on a nuclear plant the terrorist cell would have to plan ahead, locate the particularly hazardous plants and stores, determine the amount and nature of the radioactive contents and how readily this might be dispersed into the atmosphere, and identify the most vulnerable aspects of the buildings and containments of the targeted plants.
This article examines whether there is sufficiently detailed information available in the public domain for a terrorist group to plan an attack with sufficient confidence of success; if the regulatory safety case requirement includes accidental aircraft crash and, if it does, is this sufficient to safeguard against intentional aircraft crash; and, finally, how the plant's systems and processes could be modified and prepared to withstand such an intentional attack. If it could, how much of this defence would depend upon accepting intentional aircraft crash as inevitable, thereby relying almost totally upon consequence management to mitigate the outcome?
Using the United States and the United Kingdom plants as yardsticks, it is relatively straightforward to obtain all of the information required by simply accessing publicly available documents. Ministries and agencies of central government publish most of these sources, and local authorities maintain records of planning applications that include details of extant as well as proposed plants and buildings. These records and documents are readily accessible, and copies can be obtained directly from the originating department of documents that dated back to 1996 and earlier.
Also, there are a number of 'storehouses' of related information. Local and national, and international environmental (and other) groups hold pools of information that they have accumulated over the years. For example, one local group was able to provide photographs of locations deep within the BNFL Sellafield fuel reprocessing site and fully detailed engineered drawings of buildings. Scaled site maps that included the location of essential services are available for the Sizewell B PWR reactor from the Construction Report prepared for and published at the Public Inquiry.
When responding to requests for information and documentation, both HMG and the relevant local authority did not enquire to what purpose the information was required and, during my (Large & Associates) requests, there seems to have been no double-checking of the bona fides and identity of the enquirer.
Although as a result of the 11 September attacks the US Nuclear Regulatory Commission closed down all of its Internet web sites while it reviews the contents, web pages relating to Sellafield (HMG, BNFL, etc) remain, surprisingly, open and accessible.
Aircraft Crash and Design Basis Threats
Although concerns are centered around an intentional aircraft crash, a future terrorist attack against a nuclear plant might be in the form of some other external, man-made hazard. However, here I am considering aircraft crash in any form, although a future terrorist incident might involve, for example, a truck bomb driven close to or actually into the plant secure area.
The requirement that aircraft crash, irrespective of the forecast accident frequency, be accounted for in the regulatory safety case was not introduced until 1979 for nuclear reactors and 1983 for chemical separation and nuclear fuel plants, such as those at Sellafield. Examples of where the nuclear industry have taken this into account, such as for the Sizewell B PWR, are almost dismissive of the risk solely on the basis that the calculated frequency renders such an accidental event to be entirely incredible and, hence, there may have been little incentive to include for such a remote event in the design. For other Design Basis Threats (DBTs) the US Nuclear Regulatory Commission (NRC) requires nuclear plant operators to submit to force-on-force trials simulating intentional malicious actions. Since 1991 the NRC has conducted ninety-one trials or Operational Safeguards Response Evaluation tests, of which about 45 per cent of the tested nuclear plants failed. Most disturbing is that three plants tested shortly before 11 September - Farley, Oyster Creek and Vermont Yankee - were the worst on record. In another assessment, the NRC notes that between 15 to 20 per cent of US nuclear plants would sustain safety critical levels of damage from vehicle bombs accessing close to the supervised boundary of the plant.1
Preparedness in Britain
In the past, although some British nuclear plants have been subject to mock attack exercises, nothing on their vulnerability and/or performance has been published. Recently (May 2002), however, Bradwell nuclear power station was subject to some form of trial which involved the local authority emergency planning resource and which must have involved the central government Department of Trade's Office for Civil Nuclear Security (OCNS).
Apparently (because nothing is publicly available), OCNS has evolved a new procedure to assess security threats which are to be incorporated into a Design Basis Threat document which is to be the key planning aid for the plant operators. The DBT will provide intelligence about the 'motives, intentions and capabilities'2 of potential adversaries against which the plant operator is to 'beef-up' the plant management, contingency planning and physical security measures. Once all of this is in place, the Director of the OCNS will evaluate the robustness of Britain's individual nuclear plants, making this publicly available in its first annual report.3 At governmental level there is the recently formed Cabinet sub-committee referred to as the Chemical, Biological, Radiological and Nuclear (CBRN). The role of CBRN is to review the contingency arrangements in place to protect against terrorist attack, although its findings are classified as restricted and above, and nothing is publicly available on its membership and how and to whom it communicates its recommendations.
At local government level, local authorities are presently preparing off-site plans as required by the Radiation (Emergency Preparedness & Public Information) Regulations (REPPIR). For this the nuclear plant operator is required to prepare a Report of Assessment upon which the Health & Safety Executive determines the need and coverage of any off-site emergency planning. REPPIR was prepared and enacted before the events of 11 September so, not surprisingly, it is silent on the specific need to include DBTs in the Report of Assessment. The extent to which realistic DBTs have been included by the operator and, importantly, how the limited resources of local authorities can be marshaled as effective countermeasures or, at least, to mitigate the potential consequences has yet to be made publicly available, although all will be revealed by off-site plan implementation deadline of 20 September 2002.4 Like many other nuclear countries, Britain has been jarred into action by the events of 11 September. New committees have been formed, assessments are being made and there is now, via REPPIR, a real opportunity to put in place, resources permitting, effective emergency planning and consequence management measures.
However, it has to be acknowledged that modifying the existing plants to improve their physical invulnerability is just not practicably feasible. In place of this, there must be effective intelligence gathering on the ground in advance of any planned attack and this must be communicated to the operators and the emergency planners.
We are now beginning to learn that although informed in advance of the threat, the Bush administration was unable the thwart the 11 September attacks. A similar failure in acting upon gathered intelligence cannot be tolerated again, particularly if it was believed that a nuclear plant had been identified as a target.
Defending Nuclear Plants - Consequence Management
Nuclear plants are almost totally ill-prepared for a terrorist attack from the air. The design and construction of the buildings date from a period of over fifty years. Many of the older buildings would just not withstand an aircraft crash and subsequent aviation fuel fire. Some buildings, now redundant for the original purpose, have been crudely adapted for storage of large quantities of radioactive materials for which they are clearly unsuited. In addition, the design of the most modern plants on the site does not seem to provide that much defence (in terms of containment surety, dispersion of stocks to different localities, and segregation of hazardous materials) against an aerial attack.
It would not seem to be practicable for each and every building and process at such nuclear plants to be modified to provide adequate protection against aircraft crash. The investment requirement would be enormous and the practical difficulties challenging indeed. Many of the processes would have to be relocated, possibly to underground caverns and bunkers, which in itself might introduce other safety related detriments.
If a terrorist group planned to intentionally crash an aircraft onto a nuclear power station then the probability of the event becomes unity and it is inappropriate to mitigate the chance of such an intentional attack occurring by probabilistic-based assessment. Considering an intentional, terrorist driven aircraft crash as a certainty, rather than as some remote probability, requires the event to be assessed in terms of its consequence management alone and this consequence management is the only form of mitigation available. In other words, there are no practicable measures that might be implemented on site to provide an in-depth defence to avert such an event.
However, the idea that a severely damaging event, arriving like a 'bolt out of the blue', could be 'managed' by improvising the use of other systems and resources is doubtful, particularly because ad hoc decisions and actions (taken in unpracticed and highly stressed situations) might lead from one severe condition situation to another just as hazardous.
1 Lyman E, Terrorism Threat and Nuclear Power: Recent Developments and Lessons to be Learned, Rethinking Nuclear Energy and Democracy after 09/11, Int Symp, PSR/IPPNW Switzerland, Basel April 2002)
2 Sunil Parekh, Assistant Private Secretary to John Denham, Home Office Minister, 10 May 2002
3 The DTI OCNS first report has now been published but it contains no details whatsoever about the performance of the individual nuclear power plants, although it notes that it, itself, is experiencing staffing difficulties that does not permit it to carry out its function completely.
4 By 20 September or six months after the HSE has served notice to the relevant local authority - at the moment the HSE seems to be running about 3 to 4 months late on these notices so implementation for many sites would not be expected to until the new years of 2003.
5 There is considerable confusion, or so it seems, relating to the emergency limits for radiation exposure for individuals expected to support the local authority offsite emergency plan. For example, local authority offsite plans assume that the three emergency services will attend without restriction. Of these, the firefighters have their own nationally agreed incident exposure limits (50mSv and 100mSv for lifesaving), the Ambulance Service Association (representing all 35 UK NHS ambulance services) has a 'zero tolerance' of radiation exposure for its crews and paramedics, and the police forces do not provide specific training and individual officers are not issued with any means of personal dosimetry - only the firefighters seem to be aware of the need to have a competent person overseeing the radiation exposure of individual firefighters and crews. The incredible situation of having a number of competent persons, each permitting different exposures is possible under the Regulations. The differences in the dose limitation systems (where such exist) could result in non-attendance of the ambulance crews, definitely staged withdrawal of firefighters at their own preset limits, that is well before local authority employees reach the HSE's recommended radiation exposure limits (100mSv and 250mSv for lifesaving), leaving just the police alone to lead the countermeasures without the support of their emergency services colleagues. On its part, the HSE is presently recommending emergency dose limits of 100 and 250mSv, the latter for life saving, for those individuals participating in the offsite plan but this seems to give no account of high risk nature of the employment of firefighters and police officers (ie in account of the total risk including that encountered in the course of non-nuclear activities) and the fact that the majority of local authorities could not be expected to train and equip each of their employees participating in the emergency with real time personal dosimetry equipment.
6 This paper has concentrated on nuclear site plants and processes on a nuclear site itself. It should also be noted that a nuclear plant depend upon the continuous import of services, particularly electricity and mains water, to maintain safety on the site, and if imported electricity supplies fail solely on the on-site emergency plant supplies. These imported services (the national grid electricity lines, emergency generators and water pipelines may also be susceptible to terrorist attack.
John H Large is Head of Large & Associates, Consulting Engineers, London