A plant being decommissioned is more like a construction project than an operating plant – but with particular radiological issues. A new security concept is needed, and one that can be quickly adapted as site needs change during the process, to ensure security and efficiency during the process. By Markus Esch and Andrea Renner
A security concept includes everything that is needed to protect a nuclear plant against malicious acts, which are defined in for example Convention on the physical protection of nuclear material, IAEA INFCIRC/274/ Rev. 1 May 1980. The safety objectives are to avoid unauthorized abstraction of nuclear or radioactive material from the site, and to avoid exposure of an unacceptably large amount of radioactive material to the environment. The integral parts of a security concept are a security strategy, technical measures, and administrative and personnel measures. The balance between technical and administrative measures will vary depending on the overall strategy.
A security strategy is the basic philosophy of how to detect and react to threats and how to assure the safe state of a plant under threat.
Technical measures include physical barriers, security lighting, security management systems, video surveillance systems, redundancy and spatial separation. It also has to maintain interlocks between safety-related structures, systems and components while ensuring safety-related access is not blocked. Administrative measures include information security and access control. Personnel measures may be the responsibility of the plant owner or the state, and include protection by guards or by the owners’ security organization.
Initial inputs into a security strategy include the risk potential, the design basis threats, the declared target sets and the regulatory requirements.
The main security features are generally:
- Physical barriers
- Access control subsystems
- Control points for personnel and vehicle access into the protected area
- Detection, lighting, surveillance, assessment and alarm subsystems
- Central alarm station
- Communications and power systems.
From a security point of view, the plant site (or ‘owner-controlled area’) should be separated into different levels of security-related areas that nest within one another.
Vital equipment and safety-relevant buildings must be contained within a so-called ‘vital area’ within a so-called ‘protected area’, so that access to vital equipment requires passage through at least two physical barriers. More than one vital area may be located within a single protected area (see Figure 1). Isolation zones must be maintained in outdoor areas adjacent to the physical barrier at the perimeter of the protected area and must be large enough to permit observation of the plant area. Depending on national regulations more security areas can be defined; Finland, for example, has four (restricted area, site area, plus the above two).
If vital areas include non-vital systems, access will inevitably be more frequent, for example for maintenance and testing of non-safety-related systems. Access control then needs more effort.
According to IAEA Safety Standards; Safety Requirements, No. WS-R-5; "Decommissioning of Facilities Using Radioactive Material," decommissioning can be divided into preparation and implementation.
Preparations for decommissioning include developing a decommissioning strategy, initial decommissioning planning and radiological characterization of the facility. Implementation includes preparing a final decommissioning plan and submitting it to the regulatory body for approval, managing the project and implementing the plan, managing the waste, and demonstrating that the site meets the end-state criteria defined in the plan.
Security changes during D&D
Removing fuel, process fluids and operational waste from a reactor and, if practicable, from the site removes the main radiological and security risks presented by the facility. The residual radioactive material presents a smaller but still significant risk to workers, the public and the environment during decommissioning and decontamination. The lower risk requires a lower level of security measures. Once all of the fuel is removed from the plant, radiological release risk is much lower.
Since removing fuel from the reactor alters the plant’s safety status, some of the systems or components considered as vital equipment during plant operation will no longer be needed. From a security point of view, less equipment has to be protected. For the same reasons, the vital areas may shrink as fewer buildings need to be protected. Access controls, surveillance and so on can be reduced. For example, after moving fuel out of a PWR and into the spent fuel pool, the main steam isolation valves and the main steam safety valves will no longer be needed and the valve chamber may be regarded as no longer part of the vital area.
The second important step from a security point of view is reached when spent fuel is removed completely from the plant site to spent fuel storage or final disposal.
When decommissioning begins the plant changes from an operating facility into a construction site. Whilst during operation the main work on the plant site was to produce electricity and to do maintenance or testing, during decommissioning the main work is to remove systems and components by segmentation, decontamination, demolition and so on. Changing operating conditions require changed security measures, to ensure that the required security level will be maintained while at the same time work proceeds efficiently. It might for example be reasonable to create new access points or to replace existing equipment with new temporary security equipment.
Experience from decommissioning German nuclear plants
One challenging situation learned from experience in Germany after the nuclear phase-out decision is that spent fuel may need to remain in the spent fuel pool for a long period before it can be removed from the plant. Therefore the risk potential of the plant stays high and requires a high level of security, even while decontamination operations are being carried out. In this case we recommend consolidating safety-related systems into a safety island on the plant site, which can be protected as a vital area. For example the heating, ventilation and air-conditioning system is still needed but with a much lower throughput, so it can be replaced with a smaller unit installed in a separate, protected building. This will reduce access control and surveillance requirements, allowing decommissioning workers greater freedom of movement on site.
Decommissioning will probably require more workers than operation would, although this might not be the case at all times. From a security point of view this might require more personnel or additional access points.
Decommissioning activities such as segmentation, cutting and milling, especially of large components, require additional working space that must be under radiation protection. In addition, extra space will be needed for storing radioactive and non-radioactive waste. Spaces newly assigned to handling or storing radioactive material should be security-checked before work starts. Additional security measures might be needed.
Decommissioning will generate large amounts of fluid, dust and solid waste. Waste treatment and interim storage facilities have to be built on site. Adequate security measures are needed for those buildings too.
In an ideal world, plant decommissioning proceeds in an orderly logical fashion (Figure 2). The plant finally shuts down. Fuel is moved into the spent fuel pool for radioactivity decay. Decommissioning work starts. Fuel is removed from the site and placed into a spent fuel repository. Further decommissioning takes place. Operation of radwaste storage begins.
It is important to recognize that in the real world removing fuel from the plant site does not necessarily correlate with the decommissioning licence and the start of the decommissioning phase. One aspect that has been challenging in Germany is that security measures required by the operating licence have to stay in place until a licence for decommissioning is given and the spent fuel is removed from the site. This has required owners to plan improvements to their security measures for a few years, even though they will not be required after the spent fuel is removed. Analysing safety-related systems and creating a smaller vital area have helped define which of the improvement measures are still needed to maintain the required security level.
When it is determined which measures are still required, it has to be decided whether they will either be carried out as planned, or replaced by compensatory measures, which might be personnel-based or short-term technical measures. Decision-making factors include whether the measure can be put in place by the end of that phase, and whether it can be done in an economically-reasonable manner. For example, it might not be necessary to replace a gate that no longer fulfils requirements if it is not often needed. Simply placing a concrete barrier in front of the gate could cost a quarter of the replacement price.
Security measures are mandatory for the entire decommissioning process. An unexpected final shutdown and decommissioning of a nuclear facility, whether for political or for technical reasons, leads to some security challenges. These can be met by complete analysis of all factors that influence security such as duration, space required, number of personnel, risk potential, and so on. As a result of this analysis, an optimized security concept can be developed. This concept should be adapted frequently to fit the changing conditions during decommissioning.
About the authors
Markus Esch and Andrea Renner, Westinghouse Electric Germany GmbH, Mannheim, Baden-Württemberg, Germany. Some of this material was previously presented as Plant Security During Decommissioning; Challenges And Lessons Learned From German Phase Out Decision, ICEM2013-96072, at ASME 2013 15th International Conference on Environmental Remediation and Radioactive Waste Management ICEM2013, 8-12 September2013, Brussels, Belgium