Disaster by Design/ Safety by Intent #38
Disaster by Design
It takes a village to raise a child.
It takes between the tango and the child-rearing numbers to respond to a nuclear plant accident.
Whatever that number, those individuals are not always at the nuclear plant when the accident begins. If the accident happens at night, on weekends, or on a holiday, the small group of workers at the plant will stop doing the tango and call in reinforcements from those nearby raising children.
The responders will rush to the plant site to staff the Technical Support Center, the Operations Support Center, and the Emergency Operations Facility. From these locations, the responders coordinate the onsite and offsite efforts to mitigate the accident and protect workers and the public from radiation releases.
Or will they?
The NRC’s regulations require that emergency exercises be conducted at least once every two years at every operating nuclear plant. Following 9/11, the regulations were revised to require that at least one emergency exercise every eight years feature a hostile action based (HAB) event. As suggested by the name, a HAB event involves mock attackers simulating measures that sabotage the nuclear plant and result in radioactivity being released.
NOTE: A webpage maintained by the NRC has links to the reports issued by the Federal Emergency Management Agency (FEMA) on emergency exercises for each nuclear power plant.
Exercises at the Salem and Hope Creek plants
A HAB event was part of the emergency exercise conducted in May 2014 at the side-by-side Salem and Hope Creek nuclear plants in New Jersey.
The good news is that no mistakes were made by workers in the Technical Support Center (TSC) during the HAB event.
As David Burgin, a representative of the plant’s owner, reported in an emergency preparedness session at the NRC’s Regulatory Information Conference in March 2015, the bad news is that workers were not able to reach the TSC during the HAB event to take right, or wrong, steps.
Soon after plant workers reported the HAB event to local, state, and federal authorities, the vicinity around the plant was placed in “lock down” to prevent the bad guys from escaping or being reinforced.
The lock down also stymied good guys from reaching the site and staffing the Technical Support Center and the Operations Support Center. A shortage of local law enforcement officers and plant security personnel made it impossible to escort arriving responders safely and securely to their assigned duty stations. So, the responders remained on the outside looking in.
Making matters worse, cyber security firewalls stymied virtual arrival at the plant by responders from remote locations. The Technical Support Center was within the firewalls, but these responders were not in the Technical Support Center. And the firewalls impeded their access to current information about plant status and their ability to make informed decisions about measures to mitigate the accident and protect the public.
The best news is that the HAB event was just an exercise rather than an actual emergency.
Safety by Intent
For decades, biennial emergency exercises afforded individuals within local, state, and federal organizations the opportunity to role-play the steps they would take to protect the public following a nuclear plant accident.
Following 9/11, the NRC revised its regulations to require at least one exercise every eight years to simulate a nuclear accident caused by hostile actions. The “hostile actions” increased the complexity of an already complicated response network.
Fortunately, not every plant—and not every individual within local, state, and federal organizations—needs to experience a HAB event exercise in order to learn ways to successfully handle the complex wrinkles introduced by the hostile actions. The three major players in the HAB event exercises—the nuclear industry, NRC, and FEMA—have been collecting good and bad lessons learnable from each exercise and sharing them.
Unfortunately, bad guys might lack the patience needed to wait until enough of the HAB event shortcomings have been flushed out and fixed before commencing their hostile actions. If hostile actions do exploit HAB event shortcomings someday, the U.S. Congress will probably ask the NRC to justify its eight-year HAB event exercise interval. And the media might ask the U.S. Congress why it waited until after a disaster to seek that justification instead of asking about it now.
—–
UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.