The U.S. Congress asked the National Academy of Sciences (NAS) to conduct a technical study on lessons learned from the Fukushima Daiichi nuclear accident for improving safety and security of commercial nuclear power plants1 in the United States. The complete study task is given in Sidebar 1.2 in Chapter 1.
This study was carried out in two phases: Phase 1 focused on the causes of the Fukushima Daiichi accident and safety-related lessons learned for improving nuclear plant systems, operations, and regulations exclusive of spent fuel storage. The phase 1 report was issued in 2014 (NRC, 2014).2
Phase 2 (this study) focused on three tasks:
- Security-related lessons learned from the Fukushima Daiichi accident for improving nuclear plant systems, operations, and regulations;
- Lessons learned from the accident for improving safety of spent fuel storage; and
- Reevaluation of the findings and recommendations from previous NAS reports on spent fuel storage safety and security.
The Academies committee that carried out this study (hereafter referred to as the committee) provides findings and recommendations to address these study tasks in Chapters 2, 3, and 4 of this report. Summarized ver-
1 The terms nuclear power plant and nuclear plant are used interchangeably in this report.
sions of selected key findings and recommendations are presented in the following sections.
TASK 1: SECURITY-RELATED LESSONS LEARNED FOR PLANT SYSTEMS, OPERATIONS, AND REGULATIONS3
The March 11, 2011, Great East Japan Earthquake and tsunami caused extensive damage to safety and security infrastructure at the Fukushima Daiichi plant. Tsunami damage and power losses affected the integrity and operation of numerous security systems, including lighting, physical barriers and other access controls, intrusion detection and assessment equipment, and communications equipment. Workers monitoring the protected area of the plant evacuated to higher ground just before the tsunami arrived at the plant, and some security workers were temporarily evacuated from the plant on the fourth day of the accident.
The committee finds (Finding 3.1) that extreme external events and severe accidents can cause widespread and long-lasting (i.e., days to weeks) disruptions to security infrastructure, systems, and staffing at nuclear plants that can create opportunities for malevolent acts and increase the susceptibility of critical plant systems to these acts. The committee recommends (Recommendation 3.1) that nuclear plant operators and their regulators upgrade and/or protect nuclear plant security infrastructure and systems and train security personnel to cope with extreme external events and severe accidents. The committee judges that the following three actions are needed:
- Ensuring that there is adequate separation of plant safety and security systems so that security systems can continue to function independently if safety systems are damaged. In particular, security systems need to have independent, redundant, and protected power sources;
- Implementing diverse and flexible approaches for coping with and reconstituting plant security infrastructure, systems, and staffing during and following external events and severe accidents; and
- Training of security personnel on implementing approaches for reconstituting security infrastructure and systems.
The committee sees an opportunity for the nuclear industry to expand its FLEX initiative4 to include critical security-related equipment, such as access control, intrusion detection, and assessment, communications, and
4 Diverse and Flexible Coping Strategies to maintain/restore reactor and spent fuel pool cooling and reactor containment function.
portable-lighting equipment. This equipment would need to be sufficiently standardized so that it could be used across the U.S. nuclear plant fleet and protected against extreme external events, severe accidents, and sabotage. Security personnel at U.S. plants would need to be trained on the use of this equipment if it were different from existing equipment at their plants.
TASK 2: LESSONS LEARNED FOR SPENT FUEL STORAGE5
Spent fuel was stored in eight locations at the Fukushima Daiichi plant on March 11, 2011: in spent fuel pools in each of the six reactor units (Units 1-6), in a common spent fuel pool, and in a dry cask storage facility. The present report focuses on spent fuel storage in the Unit 1-4 pools because these units sustained severe damage as a result of the March 11, 2011, earthquake and tsunami.
The committee finds (Finding 2.1) that the spent fuel storage facilities (pools and dry casks) at the Fukushima Daiichi plant maintained their containment functions during and after the March 11, 2011, earthquake and tsunami. However, the loss of power, spent fuel pool cooling systems, and water level- and temperature-monitoring instrumentation in Units 1-4 and hydrogen explosions in Units 1, 3, and 4 hindered efforts by plant operators to monitor conditions in the pools and restore critical pool-cooling functions. Plant operators had not planned for or been trained to respond to the conditions that existed in the Unit 1-4 spent fuel pools after the earthquake and tsunami. Nevertheless, they successfully improvised ways to monitor and cool the pools using helicopters, fire trucks, water cannons, concrete pump trucks, and ad hoc connections to installed cooling systems. These improvised actions were essential for preventing damage to the stored spent fuel and the consequent release of radioactive materials to the environment. The committee recommends (Recommendation 2.1) that the U.S. nuclear industry and its regulator give additional attention (described in Chapter 2) to improving the ability of plant operators to monitor real-time conditions in spent fuel pools and maintain adequate cooling of stored spent fuel during severe accidents and terrorist attacks.
The spent fuel pool in Unit 4 was of particular concern because it had a high decay-heat load. The committee used a steady-state energy-balance model to provide insights on water levels in the Unit 4 pool during the first 2 months of the accident (i.e., between March 11 and May 12, 2011). This model suggests that water levels in the Unit 4 pool declined to less than 2 m (about 6 ft) above the tops of the spent fuel racks by mid-April 2011. The model also suggests that pool water levels would have dropped
below the top of active fuel6 had there not been leakage of water into the pool from the reactor well and dryer/separator pit through the separating gates. This water leakage was accidental; it was also fortuitous because it likely prevented pool water levels from reaching the tops of the fuel racks. The events in the Unit 4 pool show that gate leakage can be an important pathway for water addition or loss from some spent fuel pools and that reactor outage configuration can affect pool storage risks.
The events in Unit 4 pool have important implications for accident response actions. As water levels decrease below about 1 m above the top of the fuel racks, radiation levels on the refueling deck and surrounding areas will increase substantially, limiting personnel access. Moreover, once water levels reach approximately 50 percent of the fuel assembly height, the tops of the rods will begin to degrade, changing the fuel geometry and increasing the potential for large radioactive material releases into the environment.
TASK 3: REEVALUATION OF THE FINDINGS AND RECOMMENDATIONS FROM PREVIOUS NAS REPORTS7
The “previous NAS reports” referred to in Charge 2 of this study (see Sidebar 1.2 in Chapter 1) refer to a single study carried out in 2003-2004 at the request of the U.S. Congress. That study produced two reports: a report containing classified and other security-sensitive information, hereafter referred to as the classified report (NRC, 2004), and an abbreviated version of this classified report that was suitable for unrestricted public release, hereafter referred to as the public report (NRC, 2006). The public report is similar in content to the classified report and contains all of its findings and recommendations. However, redactions and wording modifications were made to the classified report, including its findings and recommendations, to remove classified and other security-sensitive information.
Table 4.1 in Chapter 4 (pp. 102-110) summarizes the committee’s reevaluation of the findings and recommendations in the public report (NRC, 2006). The left column of the table displays the findings and recommendations in NRC (2006) organized by their order of presentation in that report. The committee’s reevaluation is presented in the right column of the table, also in the form of findings and recommendations. Selected key findings and recommendations from Table 4.1 are described below.
6 The tops of the spent fuel racks are designed to be slightly taller than the top of active fuel.
Terrorist Attacks on Spent Fuel Storage or Theft of Spent Fuel
NRC (2006) concluded that the terrorist attack risks could not be addressed “using quantitative and comparative risk assessments.” Instead, the report examined “a range of possible terrorist attack scenarios in terms of (1) their potential for damaging spent fuel pools and dry storage casks; and (2) their potential for radioactive material releases” (NRC, 2006, p. 27).
The present committee agrees with NRC (2006) that there are technical challenges associated with identifying terrorist attack scenarios and quantifying their likelihoods. However, the committee judges that the NRC (2006) report’s focus on quantification is too narrow a perspective for judging the feasibility of applying risk assessment methods to nuclear plant security. The committee finds (Finding 4.1 in Table 4.1) that understanding of security risks at nuclear power plants and spent fuel storage facilities can be improved through risk assessment.
Risk assessment can help to broaden scenario identification, including cyber and asymmetric attack8 scenarios; account for the performance of plant security personnel in responding to the identified scenarios; identify potential onsite and offsite consequences of such scenarios, ranging from radioactive releases to psychological impacts; and better characterize uncertainties. The identification of scenarios may be incomplete and the estimates developed through expert elicitation are subjective and can have large uncertainties. Nevertheless, risk assessment methods can provide useful security insights.
The committee recommends (Recommendation 4.1A) that the U.S. nuclear industry and the U.S. Nuclear Regulatory Commission (USNRC) strengthen their capabilities for identifying, evaluating, and managing the risks from terrorist attacks. The committee also recommends (Recommendation 4.1B) that the USNRC sponsor a spent fuel storage security risk assessment of sufficient scope and depth to explore the benefits of this methodology for enhancing security at U.S. nuclear plants.
NRC (2006) recommended that the USNRC obtain an independent review of surveillance and security measures for protecting stored spent fuel. The committee finds (Finding 4.3) that the USNRC has not obtained this review. The committee recommends (Recommendation 4.3) that this independent review include an examination of the effectiveness of the USNRC’s security and surveillance measures for addressing the insider9 threat. This threat can also be addressed using the committee-recommended security risk assessment (Recommendation 4.1B).
9 An insider is a person who is authorized to have physical and/or cyber access to nuclear plant facilities and systems and is working alone or with outsiders to attack the plant.
Safety and Security of Pool Storage
The safe storage of spent fuel in pools depends critically on the ability of nuclear plant operators to keep the stored fuel covered with water. This fact was understood more than 40 years ago and was powerfully reinforced by the Fukushima Daiichi accident. If pool water is lost through an accident or terrorist attack,10 then the stored fuel can become uncovered, possibly leading to fuel damage including runaway oxidation of the fuel cladding (a zirconium cladding fire) and the release of radioactive materials to the environment. NRC (2006) reviewed work that was being carried out by the USNRC and others to better understand how stored fuel can become uncovered as well as the consequences of such exposure.
NRC (2006) identified three measures that appear to have particular merit for reducing the likelihood of zirconium cladding fires following loss-of-pool-coolant events:
- Developing a redundant and diverse response system to mitigate loss-of-pool-coolant events that would be capable of operation even if the pool or overlying building were severely damaged;
- Reconfiguring spent fuel in the pools (i.e., redistribution of high-decay-heat assemblies so that they are surrounded by low-decay-heat assemblies) to more evenly distribute decay-heat loads and enhance radiative heat transfer; and
- Limiting the frequency of offloads of full reactor cores into spent fuel pools, requiring longer shutdowns of the reactor before any fuel is offloaded, and providing enhanced security when such offloads must be made.
The committee received briefings and technical reports from USNRC and its contractor Sandia National Laboratories on additional technical analyses and physical experiments that have been carried out since NRC (2006) was released. The committee finds (Finding 4.5) that these USNRC and Sandia technical analyses confirm that reconfiguring spent fuel in pools can be an effective strategy for reducing the likelihood of fuel damage and zirconium cladding fires following loss-of-pool-coolant events. If a loss-of-coolant event results in fuel exposure, then reconfiguration may provide additional time for mitigating actions to be taken. However, reconfiguring the fuel does not eliminate the risks of zirconium cladding fires in all cases.
The USNRC and Sandia National Laboratories have performed physical experiments and computer analysis using the Methods for Estimation of Leakages and Consequences of Releases (MELCOR) code to analyze
10 Such occurrences are referred to as loss-of-pool-coolant events.
loss-of-coolant events in spent fuel pools. These studies examined whether zirconium cladding fires could develop in the stored fuel assemblies and propagate to other assemblies in the pool; whether specific configurations of fuel in the pool could delay or prevent these fires from occurring; and whether certain mitigating strategies are effective for preventing this from occurring. The committee finds (Finding 4.6) that this additional work has substantially improved the state of knowledge concerning spent fuel behavior following partial or complete loss of pool water. However, experimental validation of the codes has not been performed for partially drained pools. The committee recommends (Recommendation 4.6) that the USNRC sponsor an end-to-end validation of the MELCOR code for modeling loss of coolant in spent fuel pools and validate key submodels.
The committee also finds (Finding 4.7) that the USNRC has not analyzed the potential vulnerabilities of spent fuel pools to the specific terrorist attack scenarios identified in NRC (2004). The agency has made good progress in implementing actions recommended in NRC (2006) to reduce the consequences of zirconium cladding fires (Finding 4.8). The committee recommends (Recommendation 4.8) that the USNRC and industry take additional steps to improve capabilities for further reducing and mitigating the risks of zirconium cladding fires. These steps are described in Chapter 6.
Safety and Security of Dry Cask Storage and Comparison with Pool Storage
The USNRC is performing additional analysis on dry cask vulnerabilities and incorporating results into its regulations through rulemaking. The vulnerability studies are addressing a range of attack scenarios and appear to be well conceived. However, because this work was still under way when the present study was being completed, the committee finds (Finding 4.9) that it is unable to assess that work’s technical soundness and completeness. At the time the present report was being written, the USNRC’s Independent Spent Fuel Storage Installation security rulemaking actions had not been completed and its future was not certain.11 Consequently, the committee also finds (Finding 4.10) that it is unable to evaluate the technical soundness and completeness of this rulemaking. The committee recommends (Recommendation 4.10) that the USNRC should give high priority to completing these analyses and rulemaking.
The USNRC has completed technical and regulatory studies12 to inform
11 On October 6, 2015, the Commission approved a 5-year delay in the commencement of this rulemaking. See http://pbadupws.nrc.gov/docs/ML1528/ML15280A105.pdf.
a regulatory decision on the need for earlier-than-planned movements (expedited transfer) of spent fuel at commercial nuclear plants from pools to dry cask storage. These USNRC studies are valuable technical contributions to understanding the consequences of spent fuel pool accidents. However, the present committee finds (Finding 4.11) that these analyses did not consider spent fuel storage sabotage risks, dry cask storage risks, or certain health consequences that would likely result from a severe nuclear accident. The analysis also used simplifying bounding assumptions that make it technically difficult to assign confidence intervals to the consequence estimates or make valid risk comparisons. The committee recommends (Recommendation 4.11) that the USNRC perform a spent fuel storage risk assessment to elucidate the risks and potential benefits of expedited transfer of spent fuel from pools to dry casks. This risk assessment should address accident and sabotage risks for both pool and dry storage. The committee judges that this analysis is needed to address Finding 4E in NRC (2006) on whether “earlier movements of spent fuel from pools into dry cask storage would be prudent to reduce the potential consequences of terrorist attacks on pools at some commercial nuclear plants.”
The committee’s critiques of the Spent Fuel Pool Study and Expedited Transfer Regulatory Analysis are intended to strengthen the quality of future technical analyses of spent fuel pool storage risks to support sound decision making by the USNRC and nuclear industry.