STATEMENT OF DAVID LOCHBAUM,
NUCLEAR SAFETY ENGINEER,
UNION OF CONCERNED SCIENTISTS
JUNE 5, 2002
On behalf of the Union of
Concerned Scientists (UCS), it is my pleasure to appear before the Committee
and express our support for both S.1586 and S.1746. We believe that these
bills, if enacted, would significantly reduce the risk of radiological sabotage
by lessening the probability that attempted sabotage will be successful and by
lessening the consequences should sabotage be successful despite all protective
measures.
My name is David Lochbaum.
After obtaining a degree in nuclear engineering from The University of
Tennessee in 1979, I worked more than 17 years in private industry, most of
that time at operating nuclear power plants in Georgia, Alabama, Mississippi,
Kansas, New Jersey, and Pennsylvania. I have been the Nuclear Safety Engineer
for UCS since October 1996. UCS, established in 1969 as a non-profit, public interest
group, seeks to ensure that all people have clean air, energy and
transportation, as well as food that is produced in a safe and sustainable
manner. UCS has worked on nuclear plant safety issues
for nearly 30 years.
Some representatives of
the nuclear industry claim that nuclear power plants are such hardened
structures as to be virtually immune from attack. Other industry
representatives assert that even a successful attack would not endanger the
American public because radioactive material released from the sabotaged
nuclear plant would be so diluted within five miles as to preclude the need for
either sheltering or evacuation. There would be no need for the security
upgrades specified in the proposed legislation if either of these claims were
valid.
Compelling circumstantial
evidence creates more than reasonable doubt for the veracity of the industry's
claims. Force-on-force tests of nuclear plant security administered by the
Nuclear Regulatory Commission (NRC) since 1991 consistently demonstrated
security capabilities below NRC’s minimum expectations nearly half of the time.
Nuclear plants cannot be considered immune from attack when security forces,
given up to six months advance warning of the precise test date, are unable to
prevent simulated reactor core damage from a very, very small band of mock
attackers. On at least two recent occasions, a single mock intruder
successfully simulated the destruction of the equipment needed to cool the
reactor. Nuclear plants cannot be considered immune from attack when security
forces are unable to prevent a lone saboteur from triggering a reactor
meltdown. In the past two years, I have attended numerous NRC public meetings
where industry representatives contended that poor performance on a security
test would not have occurred had an armed guard not taken a wrong turn while
rushing to his or her response position. Again, nuclear plants cannot be
considered immune from attack when a single mistake by a single guard means the
difference between successful defense and reactor sabotage.
With respect to the
potential consequences from the successful attack on a nuclear plant, the
industry’s actions speak much louder than its rhetoric. If it were even close
to being true that radioactivity releases would not endanger people living five
miles or more away, then it would also be true that the nuclear power industry
would not need federal liability protection. Representatives of the nuclear
power industry testified before the Congress that the Price-Anderson Act needed
to be renewed for existing plants and expanded to cover any new nuclear plants
that are built. The industry’s need for Price-Anderson protection is an
implicit concession that the offsite consequences from a nuclear plant
accident/attack could be extremely serious.
It is our steadfast
position that US nuclear plants are vulnerable to attack and that the
consequences from a successful attack could be dire. It is further our position
that all reasonable measures must be taken to lessen this risk. The proposed
legislation in S.1586 and S.1746 represents reasonable steps that would reduce
the probability of a successful attack and reduce the consequences following a
successful attack. Thus, we support both bills and hope they become law.
Operation Safeguards and Response Unit
While all provisions of both bills have merit, the most
valuable portion of the proposed legislation is Section 4 of S.1746 (the
Nuclear Security Act of 2001). This section would amend Section 204 of the
Energy Reorganization Act of 1974 (42 U.S.C. 5844) to create an Operation
Safeguards and Response Unit within the NRC. Subsection (d)(3)(B) of the
amended act requires the NRC to conduct force-on-force testing at each nuclear
plant at least once every two years. Force-on-force tests are the best measure
of the integrated capability of security fences, locked doors, intrusion
detection equipment, access control barriers, and armed guards to defend the
plant from attempted sabotage. Absent such performance demonstrations, security
must be evaluated via piecemeal audits of the various physical protection
elements.
How do teachers evaluate their students’ academic
performance? Do they use a checklist to verify that students attend classes
with textbooks, pencils, paper, and calculators? No, they use tests that
demonstrate their students’ capabilities. Textbooks and class attendance are
the pathway to knowledge while tests are the best measure of progress along
that pathway. Likewise, security checklists show that a nuclear plant has
gates, guards, and guns, but they provide little insight on how far the plant
has progressed along the pathway to adequate security. Force-on-force tests
demonstrate whether the desired performance objective of adequate security has
been achieved. Frequent demonstration of adequate security performance is
invaluable.
The NRC initiated force-on-force
testing in 1991. Due to resource constraints, the NRC only tested each nuclear
plant about once every eight years. UCS heard from many NRC staffers and
nuclear plant workers that security capabilities ramped up at some nuclear
plants in advance of the force-on-force tests and rapidly declined shortly
afterwards. More frequent testing levels out the peaks and valleys and assures
more consistent security capabilities.
Legislation directing the NRC to
conduct frequent force-on-force tests ensures that the agency has the budget
necessary to administer the tests. In July 1998, resource allocation issues prompted
the NRC to cancel force-on-force testing. The ensuing public outcry reversed
the NRC’s decision with testing re-instituted in fall 1998. This legislation
ensures that nuclear facility security tests are not discarded at the next
budget crisis.
This legislation also ensures that
testing of nuclear facility security remains in the NRC's hands where it
belongs. The nuclear industry has been campaigning to conduct the security
tests themselves and to evaluate their performance on the tests. Nuclear facility
security is too important to permit the equivalent of take-home tests that are
self-graded. The industry’s consistently poor performance on security tests
since 1991 does not warrant self-assessment in this vital area.
The very nature of nuclear plant
security does not lend itself to industry self-assessment. The nuclear industry
has successfully employed self-assessment in other areas. For example,
requalification of control room operators is conducted by plant owners subject
to audit by the NRC. The standards employed by the plant owners and the audit
reports issued by the NRC are all publicly available for perusal by people
living near the facility and by public-interest groups like UCS. In addition,
NRC inspection reports covering control room operator performance during
routine operations and during transient conditions are publicly available. This
transparency makes it harder for self-assessments to cover up poor performance.
Conditions are significantly
different when it comes to nuclear plant security. For obvious reasons, the
public does not have the same access to either security standards or NRC audit
reports. This necessary opaqueness makes it easier for self-assessment to cover
up poor performance. The NRC must retain control over nuclear plant security
tests to protect the public against inadequate security being masked by the
self-assessment process.
Subsection (d)(3)(F) of the amended
act requires the NRC to submit an annual report on force-on-force testing
results to the Congress and the President. This annual report facilitates
oversight of this important public health issue. This report also provides the
American public with the "big picture" it deserves regarding nuclear
facility security. The anxiety level in America following 09/11 about potential
vulnerabilities of nuclear facilities to terrorist attack would have been
significantly lessened had the Federal government been able to point to the
information in this annual report as tangible evidence of security
preparedness. People living near nuclear facilities that had performed well on
robust security tests conducted by NRC would take comfort in that knowledge.
People living near nuclear facilities that had not performed so well on
security tests would also benefit, albeit in a different way. Anxiety about
abstract security concerns would be replaced by more focused concerns. The
ensuing discussions about actions taken to compensate for and correct problem
areas would allay anxiety faster than press releases about hardened facilities
and lack of credible threats against specific nuclear facilities.
Subsection (d)(4) of the amended act requires NRC in
conjunction with FEMA and other Federal, State, and local agencies to exercise
response to a radiological emergency at each nuclear facility at least once
every three years. Appendix E to 10 CFR Part 50 currently requires a full-scale
exercise of the emergency response plan for each nuclear power plant at least
once every two years. UCS believes that the key difference between the existing
requirement in Appendix E to 10 CFR Part 50 and the intent of subsection (d)(4)
is emergency response to an act of radiological sabotage. The exercises
conducted to satisfy 10 CFR 50 Appendix E simulate nuclear accidents that cause
releases of radioactivity to the air and water. The emergency response to
radiological sabotage would be similar, but it might be more complicated. For
example, Federal, State, and local resources might be more challenged following
a sabotage event because of the need to also provide protection of other
potential targets in the region. In addition, protective measures of securing
bridges and tunnels might impede evacuation efforts. Therefore, it seems
prudent and reasonable to periodically assess whether emergency response plans
for nuclear facilities can also handle acts of sabotage.
Design Basis Threat
The second most valuable part of the
proposed legislation is Section 3 of the Nuclear Security Act of 2001 which
would amend Chapter 14 of the Atomic Energy Act of 1954 (42 U.S.C. 2201 et
seq.) to add Section 170C, “Protection of Sensitive Nuclear Facilities Against
the Design Basis Threat.” Subsection (c)(1) requires the NRC to revise the
design basis threat from its 1960s-vintage level to a more realistic level. The
current design basis threat was promulgated by the NRC nearly 40 years ago and
has not been substantively changed other than the addition of the vehicle bomb
requirement in 1993/1994. Subsection (c)(1) requires the NRC, in consultation with the
Assistant to the President for Homeland Security and other appropriate Federal,
State, and local agencies to review the design basis threat every three years
and revise it as applicable. Subsection (c)(2) requires the NRC to report to
Congress on changes made to the design basis threat. These provisions ensure
that the design basis threat remains at the Goldilocks' level — not too high,
not too low, but just right.
Defining the design basis threat
level appropriately is extremely important. The nuclear facility owner is responsible
for protecting against an attack up to and including the design basis threat
level. The Federal government is responsible for protecting the facility from
larger threats. This division of responsibility is both necessary and
practical. The owner of a nuclear power plant situated along our coasts cannot
be expected to defend the facility against an enemy destroyer cruising
offshore. Likewise, the Federal government cannot be expected to defend a
privately owned nuclear power plant against sabotage by a handful of
individuals or a small group of plant workers.
The initial upgrade of the design basis threat is warranted.
Left unchanged, the current design basis threat requires the Federal government
to protect Americans from radiological sabotage caused by a very small group of
outside attackers or plant workers. It requires the Federal government to
protect nuclear plants from a truck bomb of the size used by Timothy McVeigh in
Oklahoma City. It's unrealistic to expect that the Federal government could
adequately defend against such a small attacking force.
Subsections (d)(2)(B)(iv) and (d)(2)(B)(v) explicitly
require security protection for spent fuel whether it is stored in wet-pools or
dry casks. Highlighting the potential hazard from spent fuel, and the
corresponding need for its protection, is very important. Since 1991, over 300
force-on-force exercises have been administered by NRC at US nuclear power
plants. None of those exercises ever tested the security protection for
spent fuel. We are not suggesting that the spent fuel hazard is equivalent to
the reactor hazard; rather that the spent fuel hazard is not negligible and
must be appropriately protected. Thus, it is beneficial that this proposed
legislation clearly establishes that the design basis threat applies to both
the reactor and its spent fuel, thus making it more likely that both hazards
will be adequately protected.
Potassium Iodide Stockpiles
Section 5 of the Nuclear Security
Act of 2001 amends Section 170 of the Atomic Energy Act of 1954 (42 U.S.C.
2210) to require stockpiling of potassium iodide for the population within a
50-mile radius around each nuclear facility. The amendment additionally
requires distribution plans to be developed to get the potassium iodide to
people as expeditiously as possible in event of a nuclear accident/attack.
Potassium iodide does not provide
immunity from all radioactivity that could be released following a nuclear
accident/attack, but it does provide protection against thyroid damage caused
by radioactive iodine (I-131). That potassium iodide has value is clearly
demonstrated by the fact that it is distributed to nuclear plant workers and to
Federal, State, and local personnel responding to the nuclear accident/attack.
It would seem imprudent public policy not to provide equivalent protection for
the innocent people living downwind of the facility.
According to the NRC, thirteen
states currently stockpile potassium iodide for the people living within the
emergency planning zone around nuclear power plants. The proposed legislation
eliminates the inequity associated with some Americans being protected while
many other Americans are not protected. The NRC protecting only some Americans
makes about as much sense as the US Coast Guard requiring lifeboats on only
some cruise ships. Given its low cost and long shelf life, it would seem
exceedingly difficult for Federal, State, and local authorities to assure
American victims that everything had been done to protect them from radiation
if potassium iodide hadn't been stockpiled and distributed.
Consider the following hypothetical
situation. State X has two operating nuclear power plants. Plant A is located
in the northern part of the state while Plant B is in the southeastern corner
of the state. State X has not stockpiled potassium iodide, while State Y on its
eastern border has done so. A serious accident at Plant B releases large
amounts of radiation to the air necessitating both sheltering and evacuations.
Residents in State Y living within the emergency planning zone are also
provided potassium iodide. Residents in State X living within the emergency
planning zone do not receive potassium iodide.
In all likelihood, the post-mortem
for this accident would cause potassium iodide to be stockpiled in State X for
the people within the emergency planning zone around Plant A. Federal and State
X authorities would have a very tough time explaining why the people in State Y
received greater protection. Parents in State X will never know whether their
children's thyroid illnesses might have been prevented had they just been given
a dollar's worth of potassium iodide like their friends with healthy kids over
in State Y received. Enacting the proposed legislation will prevent this
hypothetical situation from becoming a tragic reality.
Expanding the potassium iodide
inventory to cover a 50-mile radius rather than a 10-mile radius decreases the
likelihood that affected people will not be protected. No matter where the line
is drawn, the question will remain about people living at N+1 miles. The
50-mile radius seems to be a reasonable compromise. Even if conditions affect
people 60 or 70 miles downwind, the 50-mile inventory makes it more likely that
potassium iodide can be redirected from people living 40 to 50 miles upwind to
affected people downwind.
Carrying of Firearms by Nuclear Facility Security Forces
Section 1 of S.1586 would amend Chapter 14 of Title I of the Atomic Energy Act of 1954 (42 U.S.C. 2201 et seq.) to replace subsection k with a subsection authorizing security guards to carry firearms. Another subsection would be added to authorize security guards to make arrests, subject to limitations, of persons committing felonies or reasonably believed to have committed felonies. This legislation ensures security guards are properly equipped and authorized to carry out their protective assignments.
Federalization of the Nuclear Security Force
Section 3 of the Nuclear Security Act of 2001 would amend
Chapter 14 of the Atomic Energy Act of 1954 (42 U.S.C. 2201 et seq.) to add
Section 170C, “Protection of Sensitive Nuclear Facilities Against the Design
Basis Threat.” Subsection (b)(1) requires NRC to employ the nuclear
security force at sensitive nuclear facilities. This provision is our least
favorite part of the proposed legislation. Our concern is in having the NRC
responsible both for providing security and for assessing whether security is
adequate. It would seem to create at least organizational tension if not an
outright conflict-of-interest for the NRC staff to do both.
Federalization of the nuclear security force provides gains
to offset the conflict-of-interest concern. For example, subsection (e)(2)(A)
requires the NRC to establish minimum qualification standards for members of
the nuclear security force. Currently, the qualification standards for security
personnel are established by the plant owners or the companies they've
contracted with for security. Consequently, there's a very wide range of
"minimum" qualification standards.
There is also a wide range of working conditions for
security guards at nuclear plants. Security guards at some plants have told me
about good working conditions. They get fair compensation and benefits and
receive good initial and follow-up training. They reported security staffing
levels sufficient to permit adequate coverage of all posts and to avoid fatigue
associated with chronic overtime. Unfortunately, I have also heard from
security guards complaining about poor training, defective equipment,
insufficient staffing levels, low pay, lack of medical benefits, and other
factors contributing to bad morale. Federalization is unlikely to make all
security guards content all the time, but it should serve to narrow the gap
between the guard forces at facilities where management recognizes their
importance and the guard forces at facilities where management views them as
undesired financial drains.
The periodic force-on-force testing conducted by the NRC as
proposed in Section 4 of the Nuclear Security Act of 2001 could achieve the
same positive gain as would result from Federalizing the nuclear security
force. Plant owners who currently undervalue their security guards would likely
have to change that outlook in order to attain the required performance levels
on the two-year force-on-force tests.
As detailed above, the proposed legislation contains many provisions that
individually and collectively improve nuclear facility security. The only
element potentially missing from the proposed legislation is adequate
protection against insider sabotage. Subsection (c)(1)(A)(iv) of the proposed
amendment to Chapter 14 of the Atomic Energy Act of 1954 (42 U.S.C. 2201 et
seq.) outlined in Section 3 of the Nuclear Security Act of 2001 requires the
NRC to revise the design basis threat to include several nuclear workers
assisting in an attack. Subsection (b)(2) requires the NRC to “develop and
implement a security plan for each sensitive nuclear facility to ensure the
security of all sensitive nuclear facilities against the design basis threat.”
UCS recommends that the Committee consider strengthening the proposed language
by revising it to explicitly incorporate the following items, obtaining a firm
commitment from the NRC to include these items as appropriate in the security
plans, or providing clear guidance on expectations regarding these items in the
Committee reports accompanying the bills:
• Two-person rule for vital areas: Authorized individuals typically
gain entry to vital areas within nuclear facilities using computerized access
cards. An authorized individual could thus enter vital area(s) alone and tamper
with safety equipment. Adoption of the two-person rule for vital area entry
would eliminate the opportunity for a single person acting alone to attempt
sabotage.
• In-plant security cameras: The majority of security cameras in
use today at nuclear facilities protect against unauthorized intrusion to the
site. Fewer security cameras are deployed inside the facility to protect
against sabotage. Installation of additional security cameras within the
nuclear facility would provide greater protection against sabotage by workers.
• Security guard accompanying visitors in vital areas: Under certain
conditions, a single authorized individual can escort five
visitors into vital areas without being accompanied by a security guard. These
visitors have had no background investigations other than a perfunctory check
using the social security numbers they provide. The potential exists for an
insider to arrange for the external attackers to enter the facility as visitors
and then escort them into vital areas. Requiring all visitors into vital areas
to be accompanied by a security guard provides substantive protection against
this threat.
• 50.59 screenings for insider sabotage: 10 CFR 50.59 requires proposed
modifications to nuclear facilities and planned changes to procedures to be
reviewed for possible erosion of safety margins. Safety margin reductions must
be approved in advance by the NRC. But these 50.59 screenings do not
specifically require an evaluation of whether the changes provide insiders with
greater opportunities for sabotage. For example, a temporary configuration
during a refueling outage may reduce response time to less than that available
when the plant is operating. The insider may elect to attempt sabotage during
this vulnerable period. If this vulnerability was identified, it would be
possible to compensate for it by posting a security guard by essential
equipment during the temporary alignment. Requiring 50.59 screenings to
explicitly assess insider sabotage provides substantive protection against this
threat.
• Compensation for longer testing/inspection intervals: In recent
years, the NRC has allowed plant owners to
lengthen the interval between tests and inspections of safety equipment. The
reductions in testing/inspection frequencies have been justified using actual
experience of component failure rates. Longer testing/inspection
intervals—particularly when their schedules are readily available—provide
insiders with ample opportunities to plan and execute a campaign of tampering
with safety equipment over time with the aim of disabling all mitigating and
containment systems when sabotage is ultimately attempted. These opportunities
should be lessened by the NRC (a) recognizing that equipment tests and
inspections also guard against sabotage and therefore intervals must not be
solely based on observed failure rates, or (b) requiring random
tests/inspections to be conducted if the intervals are solely based on observed
failure rates.
• Providing operators with anti-sabotage training: The NRC's Generic
Fundamentals Examination Question Bank for boiling water
reactor (BWR) operator license candidates has 959 pages of questions while the
NRC's Generic Fundamentals Examination Question Bank for pressurized water
reactor (PWR) operator license candidates has 977 pages of questions. Not a
single one of the literally hundreds of questions directly deals with how to
defend the plant from an insider attempting radiological sabotage. Operator
candidates receive classroom instruction and control room simulator training on
how to cope with postulated pipe breaks, pump failures, and power outages.
Licensed operators receive annual retraining on these subjects. Training operator
candidates and licensed operators on how to respond to scenarios such as an
insider attempting to take over the control room or an insider manipulating
switches from the remote shutdown panel would supplement the skills they
develop to handle non-sabotage emergencies.
In summary, UCS supports both S.1586 and
S.1746 and hopes that both bills become law. If only one part of the bills
became law, we'd prefer that it be the part requiring the NRC to conduct
force-on-force security tests at each nuclear facility at least once every two
years. If only one part of the bills didn't become law, we'd least miss the
part Federalizing the nuclear security forces.
David Lochbaum
Nuclear Safety Engineer
Union of Concerned Scientists
Washington Office