Small Modular Reactors (SMRs) and other Advanced Nuclear Technologies (ANTs) offer potential advantages in respect of being quickly deployable and requiring lower capital investments. However, in respect of security, what benefit can a competent authority (CA) take from another CA’s assessment of security (including security by design - passively engineered) in a reactor technology, especially modularised technology? If a CA can take no benefit then, as a community of CAs, we risk inflating the price of and delaying installation of the next generation of potentially simpler, quicker and cheaper to install, nuclear power.
It is not the CA’s role to promote nuclear power, but can the CA community remove barriers by working together? Naturally there will be differences in design basis threat (DBT), so the importing CA will of course want to do some form of assessment, but this paper suggests it need not start with a blank page.
Through CPPNM compliance, CAs already accept foreign-flagged vessels in territorial waters, so there is a precedent, albeit tenuous, of taking account of other CAs’ security regimes in an international context. Many states already import reactor designs from other states. Does the importing CA start from a zero-base assessment of the security characteristics and required physical protection, or does it take account of the assessment activity of the exporting CA? If so, to what extent?
The UK has a mature process for assessing reactor designs before construction, known as generic design assessment (GDA), which seeks to ensure safety and security by design and to decrease the risks of construction. For security purposes, the UK GDA process is described in the Security Assessment Principles (SyAPs), Technical Assessment Guides (TAGs) and other regulatory guidance published on the ONR website. UK GDA includes a comprehensive security assessment, specifically of security by design, taking account of all conceptual security arrangements: leadership and management for security, organisational culture, competence, EMIT, supply chain, physical measures against theft and sabotage, computer security including operational technology, workforce trustworthiness, emergency response, and policing and guarding. The regulatory guidance against which the assessments are undertaken is largely published, with the exception of a limited number of classified annexes and one of 37 TAGs. Hence an importing CA can clearly understand the nature of the assessment that would be undertaken by the UK CA and target its own supplementary assessment, if required, at areas it considers appropriate.
Naturally no two states will have the same DBT, and states are unlikely to share their DBTs with other states. An importing CA may therefore ask whether an exporting CA’s assessment, made against an unknown DBT, is relevant to its own. This paper suggests that many aspects of a DBT will be very similar. For example, it would be no great surprise if the author suggested that the UK’s DBT contained reference to vehicle and/or person-borne explosive device(s), unmanned aerial systems, armed attackers, insider(s), indirect fire weapon systems, advanced cyber attack capabilities etc. A relatively straightforward assessment (especially compared to a zero-base start point), targeted and focussed at particular perceived vulnerabilities and potential vital areas, and considering the high-end threats described in its own DBT, would enable an importing CA to confirm whether the assessment by the exporting CA is fit for purpose.
For the UK, the safety-security interface is a mature consideration within the CA (it is the same CA for nuclear safety, security and safeguards). The UK IRRS mission in 2019 is a full-scope mission and contains the safety-security interface module in full. Following an extensive self-assessment process (this aspect will be updated post the September 2019 mission), it is expected to recognise good practice in this area, and importing CAs can derive benefit from the holistic nature of the assessment undertaken by the UK ONR during GDA.
The overall aim is for the security community, which has long been perceived as a blocker, to enable and support, but not promote (which is not the role of the CA), the peaceful use of nuclear power. Greater collaboration between CAs could enable the potential of the modularised, rapidly deployable and scalable nature of the next generation of reactors to be realised.