Spent nuclear fuel mismanagement poses a major threat to the United States. Here's how. - Bulletin of the Atomic Scientists
Power transmission lines near Dixon, California on August 12, 2012. A widespread collapse of the US power grid system could threaten nuclear facilities, including overloaded spent fuel pools. (Credit: Photo by Wendell/intherough, licensed under CC BY-NC-SA 2.0 via Flickr)
Irradiated fuel assemblies—essentially bundles of fuel rods with zirconium alloy cladding sheathing uranium dioxide fuel pellets—that have been removed from a nuclear reactor (spent fuel) generate a great deal of heat from the radioactive decay of the nuclear fuel’s unstable fission products. This heat source is termed decay heat. Spent fuel is so thermally hot and radioactive that it must be submerged in circulating water and cooled in a storage pool (spent fuel pool) for several years before it can be moved to dry storage.
The dangers of reactor meltdowns are well known. But spent fuel can also overheat and burn in a storage pool if its coolant water is lost, thereby potentially releasing large amounts of radioactive material into the air. This type of accident is known as a spent fuel pool fire or zirconium fire, named after the fuel cladding. All commercial nuclear power plants in the United States—and nearly all in the world—have at least one spent fuel pool on site. A fire at an overloaded pool (which exist at many US nuclear power plants) could release radiation that dwarfs what the Chernobyl nuclear accident emitted.
Many analysts see very rare, severe earthquakes as the greatest threat to spent fuel pools; however, another far more likely event could threaten US nuclear sites: a widespread collapse of the power grid system. Such a collapse could be triggered by a variety of events, including solar storms, physical attacks, and cyberattacks—all of which are known, documented possibilities. Safety experts have warned for decades about the dangers of overloading spent fuel pools, but the Nuclear Regulatory Commission and Congress have refused to act.
The threat of overloaded spent fuel pools. Spent fuel pools at US nuclear plants are almost as densely packed with nuclear fuel as operating reactors—a hazard that has existed for decades and vastly increases the odds of having a major accident.
Spent fuel assemblies could ignite—starting a zirconium fire—if an overloaded pool were to lose a sizable portion or all of its coolant water. In a scenario in which coolant water boils off, uncovered zirconium cladding of fuel assemblies may overheat and chemically react with steam, generating explosive hydrogen gas. A substantial amount of hydrogen would almost certainly detonate, destroying the building that houses the spent fuel pool. (Only a small quantity of energy is required to ignite hydrogen gas, including electric sparks from equipment. It is speculated a ringing telephone initiated a hydrogen explosion that occurred during the Three Mile Island accident in 1979.)
A zirconium fire in an exposed spent fuel pool would have the potential to emit far more radioactive cesium 137 than the Chernobyl accident released. (The US Nuclear Regulatory Commission (NRC) has conducted analyses that found a zirconium fire at a densely packed pool could release as much as 24 megacuries of cesium 137; the Chernobyl accident is estimated to have released 2.3 megacuries of cesium 137.) Such a disaster could contaminate thousands of square miles of land in urban and rural areas, potentially exposing millions of people to large doses of ionizing radiation, many of whom could die from early or latent cancer.
In contrast, if a thinly packed pool were deprived of coolant water, its spent fuel assemblies would likely release about 1 percent of the radioactive material predicted to be released by a zirconium fire at a densely packed pool. A thinly packed pool has a much smaller inventory of radioactive material than a densely packed pool; it also contains much less zirconium. If such a limited amount of zirconium were to react with steam, most likely too little hydrogen would be generated to threaten the integrity of the spent fuel pool building.
After being cooled under water for a minimum of three years, spent fuel assemblies can be transferred from pools to giant, hermetically sealed canisters of reinforced steel and concrete that shield plant workers and the public from ionizing radiation. This liquid-free method of storage, which cools the spent fuel assemblies by passive air convection, is called “dry cask storage.”
A typical US storage pool for a 1,000-megawatt-electric reactor contains from 400 to 500 metric tons of spent fuel assemblies. (Dry casks can store 10 to 15 tons of spent fuel assemblies, so each cask contains a far lower amount of radioactive material than a storage pool.) Reducing the total inventories of spent fuel assemblies stored in US spent fuel pools by roughly 70 to 80 percent reduces their amount of radioactive cesium by about 50 percent. And the heat load in each pool drops by about 25 to 30 percent. With low-density storage, a pool’s spent fuel assemblies are separated from each other to an extent that greatly improves their ability to be cooled by air convection in the event that the pool loses its coolant water. Moreover, a dry cask storage area, which has passive cooling, is less vulnerable to either accidents or sabotage than a spent fuel pool.
In the aftermath of the March 2011 Fukushima Daiichi accident in Japan, in which there was a risk of spent fuel assemblies igniting, the NRC considered forcing US utilities to expedite the transfer of all sufficiently-cooled spent fuel assemblies stored in overloaded pools to dry cask storage. The NRC decided against implementing such a safety measure.
To help justify its decision, the NRC chose to analyze only one scenario that might lead to a zirconium fire: a severe earthquake. In 2014, the NRC claimed that a severe earthquake with a magnitude “expected to occur once in 60,000 years” is the prototypical initiating event that would lead to a zirconium fire in a boiling water reactor’s spent fuel pool.
The NRC’s 2014 study concluded that the type of earthquake it selected for its analyses would cause a zirconium fire and a large radiological release to occur at a densely packed spent fuel pool once every nine million years (or even less frequently). Restricting its analyses to a severe earthquake scenario allowed the NRC to help allay public fears over the dangers of spent fuel pool accidents. (At the time of the Fukushima Daiichi accident, the New York Times and other news outlets warned that a zirconium fire could break out in the plant’s Unit 4 spent fuel pool, causing global public concern.)
There is good reason to question whether severe earthquakes pose the greatest threat to spent fuel pools. A widespread collapse of the US power grid system that would last for a period of months to years—estimated to occur once in a century—may be far more likely to lead to a zirconium fire than a severe earthquake. The prospect that a widespread, long-term blackout will occur within the next 100 years should prompt US utilities to expedite the transfer of spent fuel from pools to dry cask storage. Utilities in other nations, including in Japan, that have overloaded pools should follow suit.
Solar storms, physical attacks, and cyberattacks have the potential to cause a nightmare scenario in which the US power grid collapses, along with other vital infrastructures—leading to reactor meltdowns and spent fuel pool fires, whose radioactive emissions would aggravate the disaster.
Vulnerability to solar storms. In 2012, the NRC issued a Federal Register notice stating that an extreme solar storm (with its accompanying geomagnetic storm at the Earth) could cause the failure of hundreds of extra-high voltage transformers—with a maximum voltage rating of at least 345 kilovolts—precipitating widespread, long-term blackouts. The NRC posited that such a solar storm might occur once in 153 years to once in 500 years and initiate “a series of events potentially leading to [reactor] core damage at multiple nuclear sites.”
The NRC’s Federal Register notice announced the agency had determined that the threat of prolonged power outages leading to at least one spent fuel pool fire must be addressed in its rulemaking process. The NRC decided to consider enacting regulations that Thomas Popik of the Foundation for Resilient Societies, a non-profit organization focusing on infrastructure reliability, requested in a petition for rulemaking. Popik asked the NRC to require plant owners to ensure spent fuel pools would have long-term cooling and a replenished supply of coolant water in the event that an extreme solar storm collapsed large portions of the US power grid for a period of months to years. Among other things, Popik was concerned that emergency diesel generators would not be able to supply the onsite electricity needed to cool the spent fuel pool for more than a few days.
Over the past 160 years, the Earth has been hit by two solar superstorms—the 1859 Carrington Event and the 1921 New York Railroad Superstorm—that would be powerful enough to disable large portions of today’s global power grids. Scientists estimate that such extreme solar storms may hit the Earth once in a century, so the odds are that the Earth will be hit by a solar superstorm at some point during this century. In July 2012, a solar superstorm, estimated to have been more intense than the Carrington Event, crossed the Earth’s orbit, missing the Earth by about 1.8 million miles, or by one week’s time.
Solar superstorms are caused by coronal mass ejections: Eruptions of billions of tons of electrically-charged particles spat from the Sun’s corona, which travel at velocities as fast as several million miles per hour and can reach the Earth within 24 hours. Most coronal mass ejections, however, miss the Earth because it is a relatively small point within the solar system.
When a solar superstorm’s electrically-charged particles envelop the Earth, they cause extreme geomagnetic storms—mostly affecting high northern and southern latitudes. In a geomagnetic storm, the Earth’s geomagnetic field varies in magnitude, creating electric fields in the ground that induce electric currents in the power grid. Extreme geomagnetic storms may induce electric currents strong enough to melt the copper windings of extra-high voltage transformers, which may become damaged beyond repair and need to be replaced.
Extra-high voltage transformers are mostly manufactured overseas and difficult to transport. (Such transformers weigh between 100 and 400 tons.) In the United States, only a small number of facilities build extra-high voltage transformers. They cost several million dollars to manufacture and install; each is custom made to fit the specifications of its substation. Different designs are not typically interchangeable with one another, and few spares are manufactured. Manufacturing and installing even one such massive transformer can take over one year.
Solar storms that were far less intense than the New York Railroad Superstorm have collapsed modern power grids. In the early hours of March 13, 1989, on a freezing night, a geomagnetic storm caused Canada’s Hydro-Québec grid to collapse within 90 seconds, leaving six million people without electric power for about 9 hours. (The magnitude of geomagnetic storms can be measured in nanoteslas per minute, where the tesla is a unit of magnetic flux density.) The New York Railroad Superstorm is estimated to have reached a magnitude of approximately 5,000 nanoteslas per minute, and the March 1989 Storm was one-tenth as intense, reaching approximately 480 nanoteslas per minute. In late October 2003, geomagnetic storms less intense than the March 1989 Storm caused a blackout in southern Sweden and permanently damaged 15 extra-high voltage transformers in South Africa by overheating them.
Solar storms can cause large geomagnetic field variations to suddenly materialize over vast geographic areas, precipitating multiple, near-simultaneous failures at different locations of the electric power grid system. Over the past half century, the United States and other nations have dramatically expanded their power grids—adding more long-distance transmission lines and high-voltage infrastructure—thereby increasing their vulnerability to geomagnetic storms. Moreover, the aging of vital power-grid infrastructures also increases the grid’s vulnerability.
Vulnerability to physical attacks. On April 16, 2013, gunmen attacked the Metcalf Transmission Substation in San Jose, California, rendering it out of service. The gunmen shot 120 rounds from semiautomatic rifles, hitting 17 extra-high voltage transformers. The transformers leaked more than 50,000 gallons of cooling oil. They overheated, without exploding, and shut down. According to Jon Wellinghoff, a former Chairman of the Federal Energy Regulatory Commission, the Metcalf attack nearly caused a blackout in Silicon Valley; one that may have persisted for a period of several weeks.
In response to the assault on Metcalf, its owner—Pacific Gas and Electric—decided to spend $100 million over the course of three years to help fortify its substations. That did not prevent thieves, in August 2014, from cutting through a fence at Metcalf and pilfering construction equipment that was intended to bolster security. It took utility workers more than four hours to realize the substation had been burgled.
In January 2022, the Department of Homeland Security warned that domestic terrorists have been devising credible strategies for sabotaging the US power grid over the past few years. Protecting all 55,000 substations that make up the US grid, however, is a difficult task. In December 2022, at least one malefactor shot at and severely damaged two substations—owned by Duke Energy—in North Carolina’s Moore County, located about 90 miles east of Charlotte. Around 45,000 homes and businesses lost electricity as a result, and tens of thousands of customers got their power restored only after several days. Commenting on the Moore County attacks, Wellinghoff observed that “most [substations] don’t seem to be very well protected. Many of them still have chain link fences, like the one in North Carolina.”
In 2014, The Wall Street Journal reported that a US Federal Energy Regulatory Commission analysis had concluded that if saboteurs synchronized physical attacks and disabled as few as nine critical power substations, especially on a hot summer day, the entire US mainland could lose electric power for several months. Unfortunately, determining or simply procuring information about the locations of the most critical substations in the continental US is a relatively easy task.
Malefactors can also physically attack substations remotely. For instance, drones armed with improvised explosive devices could target US substations in synchronized swarms, potentially collapsing the power grid. In September 2022, Russia attacked civilian infrastructure in Ukraine, including the Ukrainian power grid, with waves of Iranian Shahed-136, “kamikaze” drones. These drones can carry up to 110 pounds (50 kilograms) of explosives over hundreds of miles. Kamikaze drones explode on impact. In October 2022, Russian kamikaze drones partly disrupted the delivery of electricity in the three major Ukrainian cities of Kharkiv, Kyiv, and Lviv.
Vulnerability to cyberattacks. In December 2015, Russian hackers caused power outages in Ukraine by remotely opening circuit breakers, thereby cutting off the flow of electricity, at dozens of substations. It is the first confirmed instance, worldwide, that a cyberattack caused a blackout. Within minutes, the hackers targeted three energy utilities, causing outages that lasted six hours and affected nearly a quarter-million people. Fortunately, the Ukrainian power grid has the odd benefit of being partly antiquated. It is not completely dependent on computer control systems; that is, industrial control systems and supervisory control and data acquisition (also known as “SCADA”) systems, which monitor and command an electric grid’s physical equipment. Ukrainian grid operators were able to turn the power back on by bypassing their compromised control systems and manually closing circuit breakers at affected substations. One year later, in December 2016, another Russian cyberattack would cause a second blackout in Ukraine.
The 2016 cyberattack was more sophisticated than that of 2015. Power was restored after one hour; however, the hackers shut down a large Kyiv substation that handled a greater electric load (200 megawatts) than the total load handled by the dozens of substations that had been successfully targeted the previous year. The hackers deployed malware—later named “CrashOverride”—that analysts have characterized as “an automated, grid-killing weapon.”
CrashOverride was designed to communicate with the Ukrainian power grid’s particular computer control systems, enabling it to manipulate the behavior of physical equipment at substations. At a preset time, CrashOverride opened circuit breakers at targeted substations to precipitate the blackout, without requiring oversight from hackers.
Malware programs like CrashOverride can also be tailored to attack European and North American power grids. Some analysts have posited that Ukraine is “Russia’s test lab for cyberwar,” noting that “in the cyber world, what happens in Kiev almost never stays in Kiev.” The US power grid is more computerized and automated than Ukraine’s grid, providing many openings for cyber infiltration. The Idaho National Laboratory (INL) has warned that the interconnectivity of SCADA systems exposes the US power grid to cyberattacks.
Given enough time, hackers could penetrate US transmission networks and plant CrashOverride or another tailored malware at any number of desired locations. CrashOverride can automatically execute the task of scanning transmission networks and selecting multiple targets, including those that control automated on-off switches for circuit breakers. Once entrenched, CrashOverride is set “like a ticking bomb,” ready to sow chaos in power grid systems at any specified time.
Analysts at Dragos and Eset, two cyber-security companies for critical infrastructure, have pointed out that CrashOverride contains some code indicating it has the capacity to disable protective relays, which protect transmission lines and transformers against electric surges by opening circuit breakers. If hackers rendered protective relays inoperable while increasing local electric loads, they could cause transmission lines to melt and transformers to burn. Wide portions of the US grid could become disabled for months to years if hackers managed to destroy many extra-high voltage transformers.
In 2016, Idaho National Laboratory analysts came to similar conclusions as those at Dragos and Eset, warning that a major cyberattack on the US grid could seriously damage critical equipment, including extra-high voltage transformers, and lead to cascading blackouts. Some substations have networks that are incapable of detecting hackers’ intrusions and planted malware. INL analysts have cautioned that hackers could exploit such vulnerabilities to launch a coordinated cyberattack against multiple substations. Five years later, in June 2021, US Energy Secretary Jennifer Granholm acknowledged that hackers have the capability to shut down the US power grid.
Insufficient public safety. After the Fukushima Daiichi accident, the US nuclear industry established the Diverse and Flexible Mitigation Capability (FLEX) strategy, which is intended to help workers at nuclear plants manage a severe accident. The FLEX strategy stipulates that plant sites store portable equipment, such as backup generators and battery packs that can provide emergency power and pumps that can inject coolant water into the reactor or spent fuel pool. Such equipment is also stored at two national response centers, located in Memphis, Tennessee and Phoenix, Arizona. The response centers must be capable of dispatching required equipment to any nuclear plant located in the United States within 24 hours. However, each center only houses five complete sets of FLEX equipment, not nearly enough equipment to simultaneously service the entire US nuclear reactor fleet.
In a long-term, nationwide blackout, US nuclear power plants would lose their supply of offsite electricity. Emergency diesel generators, which provide onsite electricity, are back-up systems designed to power cooling pumps and other safety equipment only for a relatively short period of time. Such generators would likely fail to operate continuously for a period of months to years. The longest loss-of-offsite power events in the United States all lasted less than a week.
Most US nuclear plants are required to have at least a seven-day onsite supply of fuel for emergency diesel generators, and many have arrangements to receive prompt deliveries of fuel. Yet amid the logistical challenges and social disruptions of a nationwide, long-term blackout, it appears unlikely that a steady fuel supply could be transported to and maintained at every nuclear plant in the US fleet.
Overloading spent fuel pools should be outlawed. Safety analysts have warned about the dangers of overloading spent fuel pools since the 1970s. For decades, experts and organizations have argued that in order to improve safety, sufficiently cooled spent fuel assemblies should be removed from high-density spent fuel pools and transferred to passively cooled dry cask storage. Sadly, the NRC has not heeded their advice.
In the face of the NRC’s inaction, Sen. Edward Markey of Massachusetts introduced The Dry Cask Storage Act in 2014, calling for the thinning out of spent fuel pools. The act, which Senator Markey has reintroduced in subsequent congressional sessions, has not passed into law.
The relatively high probability of a nationwide grid collapse, which would lead to multiple nuclear disasters, emphasizes the need to expedite the transfer of spent fuel to dry cask storage. According to Frank von Hippel, a professor of public and international affairs emeritus at Princeton University, the impact of a single accident at an overstocked spent fuel pool has the potential to be two orders of magnitude more devastating in terms of radiological releases than the three Fukushima Daiichi meltdowns combined. If the US grid collapses for a lengthy period of time, society would likely descend into chaos, as uncooled nuclear fuel burned at multiple sites and spewed radioactive plumes into the environment.
The value of preventing the destruction of US society and untold human suffering is incalculable. So, on the issue of protecting people and the environment from spent fuel pool fires, it is surprising when one learns that promptly transferring the nationwide inventories of spent fuel assemblies that have been cooled for at least five years from US pools to dry cask storage would be “relatively inexpensive”—less than (in 2012 dollars) a total of $4 billion ($5.4 billion in today’s dollars). That is far, far less than the monetary toll of losing vast tracts of urban and rural land for generations to come because of radioactive contamination.
One should also consider that plant owners are required, as part of the decommissioning process, to transfer spent fuel assemblies from storage pools to dry cask storage after nuclear plants are permanently shut down. So, in accordance with industry protocols, all spent fuel assemblies at plant sites are intended to eventually be placed in dry cask storage (before ultimately being transported to a long-term surface storage site or a permanent geologic repository).
If the NRC continues to allow the industry’s mismanagement of spent fuel to pose an existential threat to the United States, Congress must be compelled to pass legislation requiring utilities to swiftly thin out spent fuel pools.
Editor’s note: The author thanks David Lochbaum, Frank von Hippel, and M.V. Ramana for their review of and comments on an earlier version of this article.
No comments:
Post a Comment