D

VS

a

ARR1A

1

tonurtfpt

V

0d

Nuclear Engineering and Design 241 (2011) 950–956

Contents lists available at ScienceDirect

Nuclear Engineering and Design

journa l homepage: www.e lsev ier .com/ locate /nucengdes

eveloping new methodology for nuclear power plants vulnerability assessment

enceslav Kostadinov ∗

lovenian Nuclear Safety Administration, Zelezna Cesta 16, SI-1000 Ljubljana, Slovenia

r t i c l e i n f o

rticle history:eceived 30 November 2009eceived in revised form1 November 2010ccepted 8 January 2011

a b s t r a c t

The fundamental aim of an efficient regulatory emergency preparedness and response system is to pro-vide sustained emergency readiness and to prevent emergency situations and accidents. But when anevent occurs, the regulatory mission is to mitigate consequences and to protect people and the envi-ronment against nuclear and radiological damage. The regulatory emergency response system, whichwould be activated in the case of a nuclear and/or radiological emergency and release of radioactivity tothe environment, is an important element of a comprehensive national regulatory system of nuclear andradiation safety.

In the past, national emergency systems explicitly did not include vulnerability assessments of the crit-ical nuclear infrastructure as an important part of a comprehensive preparedness framework. But afterthe huge terrorist attack on 11/09/2001, decision-makers became aware that critical nuclear infrastruc-ture could also be an attractive target to terrorism, with the purpose of using the physical and radioactiveproperties of the nuclear material to cause mass casualties, property damage, and detrimental economicand/or environmental impacts. The necessity to evaluate critical nuclear infrastructure vulnerability tothreats like human errors, terrorist attacks and natural disasters, as well as preparation of emergencyresponse plans with estimation of optimized costs, are of vital importance for assurance of safe nuclearfacilities operation and national security.

In this paper presented new methodology and solution methods for vulnerability assessment can helpthe overall national energy sector to identify and understand the terrorist threats to and vulnerabilities

of its critical infrastructure. Moreover, adopted methodology could help national regulators and agenciesto develop and implement a vulnerability awareness and education programs for their critical assetsto enhance the security and a safe operation of the entire energy infrastructure. New methods can alsoassist nuclear power plants to develop, validate, and disseminate assessment and surveys of new efficientcountermeasures. Consequently, concise description of developed new quantitative method and adapted

lear r

new methodology for nuc

. Introduction

The effective and timely consideration of critical nuclear infras-ructure vulnerability is strategically important to the future usef nuclear energy. The main objective of developing a new vul-erability assessment (VA) methodology is to provide a betternderstanding and a useful tool that can be used by national nuclearegulatory administrations that monitor critical nuclear infrastruc-

ure, especially nuclear power plant facilities, to assess their riskrom terrorist events. The new method for VA explained in thisaper provides some tools and guidance on approaches to managehe critical nuclear infrastructure terrorist risks.

∗ Tel.: +386 1 472 11 57/00; fax: +386 1 472 11 99.E-mail addresses: venceslav.kostadinov@gmail.com,

enceslav.Kostadinov@gov.si

029-5493/$ – see front matter © 2011 Elsevier B.V. All rights reserved.oi:10.1016/j.nucengdes.2011.01.006

egulatory vulnerability assessment of nuclear power plants are presented.

© 2011 Elsevier B.V. All rights reserved.

The capability of the evaluation of nuclear plants vulnera-bility to different kinds of threats, like human errors, naturaloccurrences and terrorist attacks, and preparation of emergencyresponse planning framework and estimation of needed costs, areof vital importance for the assurance the safe operation of criticalnuclear infrastructure and the maintenance of national security. Allkinds of nuclear facilities could be potential targets for attacks byterrorist organizations worldwide.

By adapting simplified but sophisticated risk analytic pro-cesses and assessments (Kostadinov, 2005, 2006a,b, 2007, 2008;Kostadinov et al., 2004; Kostadinov and Petelin, 2004; Rees andRubin, 2003; Sims et al., 2003; Holter and Young, 2003), we wouldbe able to evaluate potential vulnerabilities to a wide range of

threats to critical nuclear infrastructure assets, such as:

• Utility staff.• Nuclear facilities.• Essential knowledge.

ring and Design 241 (2011) 950–956 951

•••

rprp(daa

2

dIpslscanm2atEfH

tbsmdmbetftl

avleoncftFpvu0cann

The New Risk Management Model - Potential Loss of

Terrorist Threat

1000 10000000

Fre

quencu o

f tr

rigering e

vents

per

year

---------------------------------------------------

I

I

I

I

I

I

I

I

I

I

ITerrorist threat on NPP

before 9/11

Terrorist threat on NPP

after 9/11

Beyond design basis

accidents

acidents

Design basis nuclear

?!

V. Kostadinov / Nuclear Enginee

Information technology.Plant control room.Electric power transmission.

Armed with such vital insights, nuclear operators and nuclearegulatory bodies could plan and optimize changes in oversightrocedures, organizations, equipment, hardware and software toeduce risks consistent with the security and safety of nuclearower plants operation, budget, manpower, and other limitationsKostadinov, 2005, 2007; US NRC Generic Letter, 1991). The conciseescription of qualitative estimations of an adaptive methodologynd a new quantitative model proposed for nuclear applications,re presented herein.

. The basic definition and new types of risk

In the existing turbulent world we need the new or the improvedefinition of risk and implementation of different types of risk.

n view of a possible terrorist sabotage and an attack on nuclearower plants, it is the urgent need for reassessing effectiveness oftate-of-the-art protective measures. Therefore, the nuclear regu-ators worldwide need new risk based decisions for monitoring theecurity and the safe operation of the critical nuclear asset, espe-ially nuclear power plants (NPPs), regarding possibility of sabotagend terrorist attacks. Accordingly, it is the need for developing aew strategy and the methodology for the terrorism risk assess-ents to nuclear power plants. The new approach (Kostadinov,

005, 2006a,b, 2007, 2008; Kostadinov et al., 2004; Kostadinovnd Petelin, 2004) is somewhat different in comparison withhe methodology for a classical risk assessment (NASA Systemsngineering Handbook, 1995; US NRC Generic Letter, 1991) androm previous methods (Rees and Rubin, 2003; Sims et al., 2003;olter and Young, 2003; Garrick, 2004; ASME, 2004).

The classical definition of risk usually assumes the product ofhe probability and consequences. Sometimes the risk could alsoe defined as a frequency of occurrence times the severity of con-equences. The design of old NPPs had possibly assigned a littleore weight on the likelihood of occurrences of severe NPP acci-

ents than on the severity of their consequences. Thus a nuclearanagement and regulators have based categorization of design

asis accidents. The design and safety analyses of NPPs have consid-red an identification of postulated triggering events and assumedheir frequencies. Then, developing scenarios and consequencesor postulated triggering events have been evaluated. In this wayhe nuclear industry has based the NPPs safe operation and designimits of safety systems.

This strategy has also greatly influenced nuclear plants’ oper-tional procedures. Because of assumed a very low probability ofery severe accidents (beyond design bases) and especially postu-ated the very low probability of terrorist attacks, these triggeringvents had not been considered in the design and safety analysesf nuclear power plants. Consequently the overall potential mag-itude of the risk could be underestimated. In short, the typicallassification of triggering events was mainly based on an initiatingrequency. Therefore, at a design stage only triggering events withhe higher postulated likelihood of occurrence were analyzed (seeig. 1). Moreover, this very important fact has to some extent reap-eared at the advanced nuclear facilities design. Therefore, the NPPsulnerability and terrorist risk assessments before 09/11/2001 hadnfortunately not adequately been taken into account. But after

9/11/2001 the overall “risk picture” (see Fig. 1) has dramaticallyhanged and engineers, managers, decision makers and politiciansre now aware of a very real possibility of terrorist attacks (inter-al and external) on critical nuclear infrastructure, especially onuclear power plants and research reactors.

Consequences per year

Fig. 1. The new overall risk picture.

Actually, the very important presumption could be that nationalemergency arrangements (preparedness and anticipated response)could be essentially improved. To improve national emergencyarrangements, the new NPPs vulnerability assessment methodol-ogy and resolution methods have to be developed (Kostadinov,2005, 2006a,b, 2007, 2008; Kostadinov et al., 2004; Kostadinov andPetelin, 2004).

The new strategy needs a new comprehensive definition of aNPPs terrorism risk assessment. We assumed that a new integratedrisk assessment definition could include the safety concerns, assetperformance and cost. As a first step in developing the new method-ology, we need a deeper understanding of new terminology andthe new definition and implementation of the threat analysis inthe NPP risk assessment model. Especially, we need to include thenew component in a risk assessment model, the new term namedvulnerability assessment of critical nuclear infrastructure assets(objects).

3. Objectives and benefits of new NPP vulnerabilityassessment methods

The basic objectives of performing nuclear power plant vulner-ability assessments are:

• Better understanding of NPP threats and vulnerabilities.• Determination of acceptable levels of risk.• Incorporation of new countermeasures to fix identified vulnera-

bilities.

The direct benefits of performing a nuclear power plant vulner-ability assessment could be:

• Defining key critical nuclear infrastructure assets (especiallyNPP’s and research reactor’s key critical assets);

• Identifying vital NPP’s vulnerabilities (weaknesses) and timelydeveloping preventive plans and effective emergency responses;

• Developing methodology and methods for an integrated riskmanagement process;

• Developing and sustaining internal new skills and expertise;• Initiating new industry and regulatory actions and standards for

NPPs responses;• Establishing cost-effective and efficient countermeasures and

training programs; and• Establishing and disseminating consciousness of necessity of new

standards and regulatory principles.

The significant benefits of a vulnerability assessment researchare related to increased NPPs security, reliability and availability.The prevention of a NPP shutdown due to the threat of terrorist

952 V. Kostadinov / Nuclear Engineering and Design 241 (2011) 950–956

odel

aasia

ctnoTa2a

ontt(tiecdn

mit

4a

epgnoapTsc

4

stob

Fig. 2. The new risk management m

ttacks or sabotage will avoid the loss of overall national economicctivities. Initial estimates of only economic losses due to a NPPhutdown because of terrorist attacks and/or sabotage could runnto millions of dollars, depending on the size and types of areasffected.

Actually the effective, secure and safe operation of the criti-al energy (nuclear) infrastructure (NPPs) is a very important forhe national security, the human health and the safety and eco-omic vigor of nations. The safe operation, security and reliabilityf this critical infrastructure are becoming a vital national concern.he possibility of terrorist attacks on critical nuclear infrastructuressets is especially problematic in the post 11/9 world (Kostadinov,005; Kostadinov et al., 2004; Kostadinov and Petelin, 2004; Reesnd Rubin, 2003; Sims et al., 2003).

In the paper discussed a new vulnerability assessment method-logy and presented new solution methods can help the overallational energy sector to identify and understand the terroristhreats to and vulnerabilities of its critical infrastructure. Fur-hermore, the VA methodology could help national regulatorsadministrative bodies) and agencies to develop and implementhe vulnerability awareness and education programs for their crit-cal assets to enhance the security and safe operation of the wholenergy infrastructure. Especially important is that new VA solutionsan also help nuclear energy utility companies (NPPs) to timelyevelop, validate, and disseminate an assessment and survey ofew efficient countermeasures.

The regulatory bodies can facilitate the development of newethodologies and strategies with associated tools to assist in the

mplementation, provide the training and technical assistance ando stimulate regulatory actions to mitigate significant problems.

. The new models for the terrorism risk and vulnerabilityssessments of NPPs

To cope with new terrorist threats, developing of new strat-gy for the risk management as an integrated process of assessingossible terrorist risk scenarios is crucial. Because of possible tar-ets dispersion worldwide and consequently very high potentialational losses, we need the proper prioritization and allocationf limited resources. It could be achieved by comparative riskssessments process, prioritizing of countermeasures and timelyreventive actions and the efficient response in the case of attacks.his unique new methodology contains all needed (counter) mea-ures required to reduce a risk and mitigate the severity ofonsequences.

.1. The new NPPs terrorist risk management model

The bases for new NPPs terrorist’s risk management model pre-ented are analyses and the classification of possible terroristhreats on critical nuclear assets. We create the new process forptimum risk management strategy. The new model is composedy:

for NPPs terrorist risk assessments.

1. Risk prevention measures than could reduce frequency of trigger-ing events.

2. Risk reduction measures than could reduce possible criticalnuclear infrastructure asset vulnerabilities.

3. Risk mitigation measures than could reduce possible criticalnuclear infrastructure asset losses and can accelerate recovery.

The simplified process of the new risk management model ispresented in Fig. 2:

All nuclear administrations need improvements of their nationalemergency preparedness and response systems for their criticalnuclear infrastructure. The important improvement of nationalemergency plans will be to develop a vulnerability assessmentof its critical nuclear infrastructure (Kostadinov, 2006a,b, 2008;Kostadinov et al., 2004; Kostadinov and Petelin, 2004).

4.2. New vulnerability assessment conception

The probability of terrorist attacks can be defined as the proba-bility of occurrence of severe and harmful consequences in definedtime. In the process of a new methodology development, we havepresumed a new understanding of probability of terrorist attacks ona nuclear asset (objects). Our important new presumption was thata probability is not constant but rather it could change with time,depending on our preparedness and countermeasures. Thus, weunderstand the risk (vulnerability) assessments as a dynamic pro-cess where threats, triggering events and information are changingwith time, as our countermeasures also do.

4.3. Developing threat analysis scenarios

The selection of terrorist triggering event (TE) is an importantinitial step for determining proper threat analysis scenarios. Theestablishment of an accurate threat analysis scenario is the mostimportant link in a successful vulnerability (risk) assessment. Actu-ally, TE can be defined as a trigger event in the scenario that has highpotential to produce harmful (adverse) consequences. Some exam-ples of possible terrorist triggering events could be an aircraft crashin the NPP containment, a missile attack on the NPP spent fuel pool,and an internal bombing inside the NPP control room.

The most important term in understanding the terrorist threatsis a comprehensive overview of credible terrorist scenarios. Fordeveloping this special type of analyses we have defined the sce-nario as a set of unexpected but credible and connected adversetime events.

4.4. Interactive triggering events

On the basis of a qualitative analysis we assumed that the mostdangerous scenario for threat analysis on a critical nuclear asset willresult from interactive triggering events (ITEs). It means that twoor more synchronic triggering terrorist events interact and resultin unexpected disastrous consequences.

V. Kostadinov / Nuclear Engineering and Design 241 (2011) 950–956 953

The New Quantitative Risk

Model

Terrorist Risk Evaluation

Risk acceptability or reduction

Terrorist Threat Assessments

VulnerabilityAssessments

Verification Validation

Terrorist Risk Management Evaluation

Terrorist Risk Mitigation

ntitat

ct(iy

zs

4a

byrwhs

Naoaomtpaer

Fig. 3. The new threat analysis strategy and qua

We can imagine the time frame of threat analysis scenario as theourse of events on the time (x-axis) scale as cause–outcome chain:riggering (threshold) event → planning → preparation → actiondestroying effect) → feedback (lessons learned from “operat-ng” experience) leading to harmful consequences on the-axis.

In this process not only our critical asset but the terrorist organi-ations are fortunately also vulnerable. The weakest points in theircenarios could be preparatory and before the attack phases.

.5. The difference between classical definition of risk and hazardnd the new terrorist risk model

Another a new important point is that we must also differetween a definition of risk and hazard in the case of threat anal-sis to a critical nuclear asset. Sometimes in classical analyses ofisk there is an equalization of those terms. Consequently the riskas defined as a quantity expressing hazard, danger or chance ofarmful consequences associated with actual or potential expo-ures.

In our opinion in the case of terrorist threats (attacks) onPPs there must be the intelligible difference. Therefore, we havessumed the hazard of terrorist attack on a NPP as the potential ofccurrence of harmful consequences for people and environments a result of an actual or potential terrorist attack. In the processf developing a new vulnerability assessment method and the newethodology we have proposed the new definition of risk for the

hreat analysis to a critical nuclear asset as a combination of therobability of terrorist attack and the vulnerability of the nuclearsset (objects) (Kostadinov, 2005, 2006a,b, 2007, 2008; Kostadinovt al., 2004; Kostadinov and Petelin, 2004). This new definition ofisk is a clear distinction from classical definition of hazard.

ive model for the NPPs terrorist risk evaluation.

4.6. The new NPP vulnerability assessment model

In general, the vulnerability of a critical nuclear asset can bedefined as the probability of the (predicted) terrorist attack timesthe probability of a failure of a critical asset protection or the effec-tiveness of the protection system. At a nuclear power plant it couldbe the probability of a failure of containment as the last and mostrobust defense system.

4.7. The new threat analysis strategy and the new mathematicalmodel for the NPP risk evaluation

To better understand the whole new process of NPPs vulnerabil-ity and terrorist risk assessments at the threat analysis of a criticalnuclear asset, we started with the quite new definition for the riskevaluation.

The new process is presented in Fig. 3:In the threat on a critical nuclear asset analysis we have defined

the new mathematical model for the risk estimation, where wesupposed the Risk of Terrorist Attack (TA) on NPP (Risk(TA/NPP))as a function of the probability Pr(UC) and vulnerability VA(NPP/TA)assessment of terrorist attacks on a nuclear power plant:

Risk(TA/NPP) = Pr(UC) ∗ VA(NPP/TA) (1)

where we assumed the Pr(UC) as the probability of occurrence ofharmful (undesired) consequences and the VA(NPP/TA) as the plantvulnerability assessment.

In developing the new vulnerability assessment methodology andrisk management strategy we have defined the new term the vul-nerability assessment of NPP on terrorist attacks as:

VA(NPP/TA) ∝ A(P)AF ∗ PCF (2)

9 ring a

wgc

N

R

csp

R

oyt

tatocFfaoaatj

4

tmm

toetmaCsuvo

1

54 V. Kostadinov / Nuclear Enginee

here we assumed the A(P)AF as the assumed (predicted) trig-ering event frequency and the PCF as the probability of theontainment failure.

Consequently, we can estimate the risk of terrorist attack on aPP as:

isk(TA/NPP) = Pr(UC) ∗ A(P)AF ∗ PCF (3)

Because consequences of a terrorist attack on operating facilitiesould be more adverse than on decommissioned or temporarilyhutdown, we will assess the risk of terrorist attack on a nuclearower plant during operation:

isk(TA/NPP) = Pr(UC) ∗ A(P)AF ∗ PCF ∗ OF (4)

The OF term have been assumed as the overall nuclear facilitiesperation factor. The A(P)AF can be estimated from statistical anal-ses of NPPs past and/or operating experience data or assumed onhe basis of the personal expertise of an analyst.

In developing the new risk assessment model we have definedhe new term risk assessment of terrorist attack on a NPP as the prob-bility of occurrence of harmful (undesired) consequences Pr(UC)hat is actually measure of consequences of terrorist attack(s)n a nuclear power plant and depends on protective system(s)haracteristics, times a NPP vulnerability assessment VA(NPP/TA).urthermore, we have defined the new term the vulnerability as aunction of probability of failure of protective system or a criticalsset at given countermeasures times the probability of occurrencef an event. For the NPP vulnerability assessment to the terroristttack, we assumed the Probability of the Containment Failure (PCF)s the last and most robust defense system. In this way the newerm vulnerability of critical nuclear asset was presented as theoint probability distribution for each asset–threat combination.

.8. Sample case-study calculations

The importance of the new mathematical model is in its quan-itative nature. It is one of the first attempts for developing a

athematical model and equations for a quantitative risk assess-ent of terrorist attacks on nuclear power plants.Only for the sake of a descriptive review of the new quantita-

ive model, the comparative risks assessment of terrorist attacksn two different nuclear power plants is presented. In this simplexample we present the use of some equation’s factors, particularlyhe probability of the containment failure (PCF). Therefore, we esti-

ate the risk for two NPP plants, one with classical containmentnd the other only with usual building around the nuclear reactor.ertainly, in the model we can also assess a failure of other safetyystems. Furthermore, we have assumed that the containment fail-re does not necessarily mean radioactive releases. All numericalalues are descriptive and are not based on a statistical observationr expert experience.

. For nuclear plants with classical containment we can assumeA(P)AF as 0.3 (30/100/year), where it is assumed 30 possibletriggering events of 100 threats or potential destructive eventsper year. For the determination of potential consequences wecan assess a likelihood of undesired consequences (Pr(UC)) as0.6 (also we can estimate consequences as a potential finan-cial damage ($/year), so it could mean that in 6 of 10 triggeringevents, undesired (also financial!) consequences could be abovepredefined limit!). We have assumed the PCF value as 0.4 (40%probability of containment failure one hour after attack, which

can change with time!). So, another a very important new con-tribution of our new model is the fact that we can consider thata risk could change with time. Finally, we can calculate that VAis equal 0.12 (0.3 × 0.4) and can estimate the risk R(TA/NPP) asjoint probability of 0.072 (0.12 × 0.6) or about 7%. We can also

nd Design 241 (2011) 950–956

calculate the Risk as a potential financial damage ($/year) or asan expected loss of the threat event.

2. For nuclear plants without classical containment the value forPCF is much higher because a probability of building failureimmediately after attack is very high. Regardless of the fact thata building failure (e.g. under a rocket attack) does not necessar-ily mean radioactive releases, the risk of terrorist attacks on thistype of nuclear power plant is higher. So for PCF equal 0.9 (90%probability of building failure immediately after attack) and thesame A(P)AF value equals 0.3 we can calculate the VA as 0.27 andassuming Pr(UC) as 0.8 (because of higher vulnerability) we canestimate the risk R(TA/NPP) as 0.216 or about 22%.

This descriptive estimation indicates that for this type of plantthe risk is relatively higher for 200% or the risk is 3 times higher.Maybe it seems as high difference, but we have intentionallyselected values for conditional probabilities to evidently demon-strate applicability of the model. If we considered other systemsinstead of the containment the difference could be much lower.

Only for the purpose of this sample calculation for the NPP riskestimation the OF conservative value could be assumed as 0.95, thatmeans that from all world’s nuclear plants operate 95% or about 400power plants. By this factor in the model we can consider that con-sequences could change with the operation state of the facility(ies).This estimation does not include the decommissioned and closedNPPs and large number of research reactors and nuclear waste facil-ities. Those, together with the aviation and petroleum sectors, couldbe the highest priority of terrorist targets.

Last but not least, we wish to stress the very important char-acteristic of the new model being that the product of Pr(UC) andA(P)AF can assist in planning and improving protective counter-measures. It will change by incorporating new countermeasuresand could be measure for assessing relative importance of protec-tive measures. So, another very important result of the proposednew model is that we can calculate on the cost-benefit base thedecreasing of the risk of terrorist attack depending on protectivemeasures used.

4.9. The new perceived and estimated risk definition

For the sake of the VA procedure development we definedanother useful risk definition (Kostadinov, 2005, 2006a,b, 2007,2008; Kostadinov et al., 2004; Kostadinov and Petelin, 2004). Itis a very important for the timely and accurate risk estimation ofthe terrorist attack on critical infrastructure objects, to distinguishbetween the perceived and estimated risk. The perceived risk of theterrorist attack on the NPP at the time of assessment consideringavailable information or the perceived probability of the terroristattack on the NPP could be the degree of belief of decision-makersthat the terrorist attack will occur. This subjective (policy-makers,analysts) risk assessment could change (improve) with time asinformation are gathering through new data and the experiencefeedback. In this manner the perceived risk converges to the esti-mated risk that is known (its probability distribution) and it doesnot change with time.

This significant recognition has two important implications forthe risk assessment of the terrorist attack on the NPP:

1. Even with very little or incomplete information the good ana-lysts and risk management organizations can produce subjectivebut valid and valuable probability estimates for regulatory and

political decision makers to timely decide and act against thisterrorist threats (risk), and

2. Because of the difference between subjective and objective riskassessments of the terrorist attack on critical infrastructureobjects, there is always a chance of the hindsight.

ring a

am

5a

oc

c

◦

◦

◦

◦◦

5o

acssmq

s

•••

••••

a

ad

◦◦◦◦

6

pbt

V. Kostadinov / Nuclear Enginee

The key step in the timely and good defense strategy and the safend secure NPP operation is a credible vulnerability assessment toinimize this hindsight.

. Assessing the possible terrorist threats on NPPs and theirdverse consequences

We can imagine the threat analysis as an integrated systemf methods for ranking a possibility of terrorist attack on specificritical infrastructure objects (targets), especially on NPPs.

For our vulnerability assessment model we can assume someredible and important terrorist threats on NPPs as:

The suicide attack with fully fuelled civilian aircraft on the NPP(plant containment, plant spent fuel pool or plant control room).The intentional fully fuelled and loaded with explosives smallairplanes crash on the NPP (plant containment, plant spent fuelpool or plant control room).The intentional attack with remote-controlled fully fuelled andloaded with explosives small airplanes on the NPP (plant con-tainment, plant spent fuel pool or plant control room).The intentional attack with rocket missiles.The internal attack with hostage taking of key operational per-sonnel.

.1. The definition of possible consequences of the terrorist attackn the NPP

The very important term at integrated risk assessment is anccurate understanding of consequences. In general we can defineonsequences as undesired and harmful effects of a terrorist attack,abotage or natural catastrophe on a NPP. Because we have pre-umed a time dependence of risk (vulnerability) assessment, weust also consider all short and long term credible time conse-

uence effects.The possible undesired consequences of a terrorist attack or

abotage (internal/external) on a NPP may be:

Large plant and equipment damage.Large personnel harm.Large environmental impact, people injury and psychologicaleffects.Large material and process damage.Large national and international security and progress influence,A very important long term consequence, andLarge turmoil and alteration of accepted psychological life’smatrices.

The degree of adverse consequences depends of the amount ofn uncontrolled radioactive release into the environment.

In our risk assessment model we have supposed that the prob-bility of an uncontrolled radioactive release into the environmentepends on the:

Mode of a terrorist attack.Design and construction of the attacked plant.Operation mode of the plant at time of an attack.Environmental conditions at time of an attack.

. Credible key countermeasures

The important averting factor of a terrorist attack on a nuclearower plant could be in advance prepared and tested the intelligi-le structure of protective measures. The initiating event could beerrorist based or a nuclear accident, however the good emergency

nd Design 241 (2011) 950–956 955

planning provides a reasonable assurance that the public health andsafety will be protected. The effective emergency plan can man-age a range of postulated events that would result in a radiologicalrelease, including the most severe.

Through developing the emergency plan procedures, gather-ing a new knowledge and a better comprehension of the new VAmethodology, we could propose some effective countermeasures:

• timely intelligent analyses and assessments of available informa-tion,

• good worldwide cooperation and exchange of threats and riskassessments with other world’s organizations,

• adequate decision-makers coordinate patience,• persistence in prevention efforts and practiced response on all

kind of threats,• robust and inventive asset protection,• international treaty requiring government’s specific protection

against terrorist attack on NPPs,• strengthening specific regulatory requirements for the nuclear

facilities security and safe operation, and especially important,and

• persistent consultations between politicians, nuclear regulatorsand scientists.

7. Conclusions

As a rule a good planning leads to an effective response. Efficientemergency preparedness programs enable emergency personnel torapidly identify, evaluate, and react to a wide spectrum of emer-gencies, including those arising from terrorism or natural eventssuch as floods and earthquakes. Trustworthy, an accident responseprogram integrates the overall capabilities for the response andrecovery of radiological incidents and emergencies involving facil-ities and materials. It emphasizes the integration of the safety,security, and emergency preparedness as the basis for the primarymission of the protecting public health and safety.

On the basis of deeper understanding of a new VA strategy anddeveloped procedure for assessment of a threat analysis to a NPP,we could recommend some key protective measures influencing themagnitude of harmfulness:

1. Intelligent and timely prepared and tested preventive actions toreduce the probability of occurrence of the terrorist attack on anuclear power plant.

2. Planned, prepared and tried strong response actions to mitigateadverse consequences of the terrorist attack on a NPP.

In our opinion one unusual but very efficient inherent protectivemeasure that at the moment protects NPPs of the large-scale dev-astative terrorist attack could be the fact that the terrorist attackon one NPP should badly affect the safe and economic operation ofall NPPs worldwide.

By developing new terms and methodology, emergency planprocedures, methods and scenarios analyses, we can expect:

I. That credible terrorist attacks on nuclear power plants shouldbe prevented, moreover,

II. Those unexpected (incredible) terrorist attack scenarios,which will result in the large and irreversible plant damageand disaster, should be expected.

References

ASME 2004 International Mechanical Engineering Congress and RD&D Expo, 2004.Homeland security panel discussions. In: HOMET–ASME Risk Analysis and Man-agement for Critical Asset Protection ASME–IMECE 2004 , Anaheim, CA, USA,November 13–19.

9 ring a

G

H

K

K

K

K

56 V. Kostadinov / Nuclear Enginee

arrick, B.J., et al., 2004. Confronting the risk of terrorism: making the right decisions.Reliability Engineering & System Safety 86 (2), 119–176 (Edited by Study Groupon Combating Terrorism).

olter, G.M., Young, J., 2003. Analytical approaches to address homeland securityissues. In: Proceedings of International Mechanical Engineering Congress andRD&D Expo , ASME–IMECE 2003, Washington, DC, USA.

ostadinov, V., 2005. Coordination of Slovenian Nuclear Safety Administration’sEmergency Preparedness Procedures, Rev. 1.

ostadinov, V., 2006a. Vulnerability assessment as a missing part of efficient reg-ulatory emergency preparedness system for nuclear critical infrastructure.ATW – International Journal for Nuclear Power, 632–635 (Kernenerg., jg. 51,h. 2).

ostadinov, V., 2006b. Vulnerability assessment as a missing part of efficient reg-

ulatory emergency preparedness system for nuclear critical infrastructure. In:Presented at 3rd International Symposium on Systems & Human Science: Com-plex Systems Approaches for Safety, Security and Reliability, 6–8 March 2006 ,Palais Daun Kinsky, Vienna, Austria.

ostadinov, V., 2007. Risk Analysis after 9/11. Nuclear Engineering InternationalJournal 52 (632), 16–17.

nd Design 241 (2011) 950–956

Kostadinov, V., 2008. Developing new methodology for vulnerability assessmentsof nuclear facilities. Preliminary D.Sc. Thesis Proposition, University of Maribor,Maribor.

Kostadinov, V., Petelin, S., 2004. Preliminary regulatory assessment of nuclear powerplants vulnerabilities. In: Presented at International Conference Nuclear Energyfor Central Europe 2004 , Portoroz, Slovenia.

Kostadinov, V., Petelin, S., Stritar, A., 2004. Developing procedure for nuclear reg-ulatory vulnerability assessment of nuclear power plants. In: Presented atInternational Mechanical Engineering Congress and RD&D Expo , ASME–IMECE2004, Anaheim, CA, USA.

NASA Systems Engineering Handbook, 1995. SP-610S.Rees, D.C., Rubin, K.I., 2003. Managing & protecting infrastructure assets. In: Pre-

sented at International Mechanical Engineering Congress and RD&D Expo ,ASME–IMECE 2003, Washington, DC, USA.

Sims, J.R., Balkey, K.R., Ayyub, B.M., Feigel, R.E., 2003. A common approach to riskanalysis for homeland security decision-making. In: Presented at InternationalMechanical Engineering Congress and RD&D Expo , ASME–IMECE 2003, Wash-ington, DC, USA.

US NRC Generic Letter No. 88-20, 1991. Individual Plant Examination For SevereAccident Vulnerabilities, Supplement 4.