Saturday, July 30, 2011

Nuclear Plant has 16 billion Curies in CORE and daily releases of pollution

1.    It doesn’t take an accident for a nuclear power plant to release radioactivity into our air, water and soil. All it takes is the plant’s everyday routine operation, and federal regulations permit these radioactive releases.
2.    Radioactivity is measured in "curies." A large medical center, with as many as 1000 laboratories in which radioactive materials are used, may have a combined inventory of only about two curies. In contrast, an average operating nuclear power reactor will have approximately 16 billion curies in its reactor core. This is the equivalent long-lived radioactivity of at least 1,000 Hiroshima bombs.
3.    A reactor’s fuel rods, pipes, tanks and valves can leak. Mechanical failure and human error can also cause leaks. As a nuclear plant ages, so does its equipment - and leaks generally increase.
4.    Some contaminated water is intentionally removed from the reactor vessel to reduce the amount of the radioactive and corrosive chemicals that damage valves and pipes. The water is filtered and then either recycled back into the cooling system or released into the environment.
5.    A typical 1000-megawatt pressurized-water reactor (with a cooling tower) takes in 20,000 gallons of river, lake or ocean water per minute for cooling, circulates it through a 50-mile maze of pipes, returns 5,000 gallons per minute to the same body of water, and releases the remainder to the atmosphere as vapor. A 1000-megawatt reactor without a cooling tower takes in even more water--as much as one-half million gallons per minute. The discharge water is contaminated with radioactive elements in amounts that are not precisely known or knowable, but are biologically active.
6.    Some radioactive fission gases, stripped from the reactor cooling water, are contained in decay tanks for days before being released into the atmosphere through filtered rooftop vents. Some gases leak into the power plant buildings’ interiors and are released during periodic "purges" and "ventings." These airborne gases contaminate not only the air, but also soil and water.
7.    Radioactive releases from a nuclear power reactor’s routine operation often are not fully detected or reported. Accidental releases may not be completely verified or documented.
8.    Accurate, economically-feasible filtering and monitoring technologies do not exist for some of the major reactor by-products, such as radioactive hydrogen (tritium) and noble gases, such as krypton and xenon. Some liquids and gases are retained in tanks so that the shorter-lived radioactive materials can break down before the batch is released to the environment.
9.    Government regulations allow radioactive water to be released to the environment containing "permissible" levels of contamination. Permissible does not mean safe. Detectors at reactors are set to allow contaminated water to be released, unfiltered, if below "permissible" legal levels.
10.    The Nuclear Regulatory Commission relies upon self-reporting and computer modeling from reactor operators to track radioactive releases and their projected dispersion. A significant portion of the environmental monitoring data is extrapolated – virtual, not real.
11.    Accurate accounting of all radioactive wastes released to the air, water and soil from the entire reactor fuel production system is simply not available. The system includes uranium mines and mills, chemical conversion, enrichment and fuel fabrication plants, nuclear power reactors, and radioactive waste storage pools, casks, and trenches.
12.    Increasing economic pressures to reduce costs, due to the deregulation of the electric power industry, could further reduce the already unreliable monitoring and reporting of radioactive releases. Deferred maintenance can increase the radioactivity released - and the risks.
13.    Many of the reactor’s radioactive by-products continue giving off radioactive particles and rays for enormously long periods – described in terms of "half-lives." A radioactive material gives off hazardous radiation for at least ten half-lives. One of the radioactive isotopes of iodine (iodine-129) has a half-life of 16 million years; technetium-99 = 211,000 years; and plutonium-239 = 24,000 years. Xenon-135, a noble gas, decays into cesium-135, an isotope with a 2.3 million-year half-life.
14.    It is scientifically established that low-level radiation damages tissues, cells, DNA and other vital molecules – causing programmed cell death (apoptosis), genetic mutations, cancers, leukemia, birth defects, and reproductive, immune and endocrine system disorders.
Nuclear Information and Resource Service
6930 Carroll Avenue Suite 340, Takoma Park, MD 20912
301 270 6477; 301 270 4291;

Wednesday, July 27, 2011


Emergency Planning: The ever-present nuclear threat
This year, the government made local authorities that host nuclear power stations formally responsible for devising plans that detail how our emergency services and local councils will respond to a radiological emergency. The plans revolve around a detailed plan for the area immediately around each power station, called the Detailed Emergency Planning Zone (DEPZ). In this zone, the local authorities have to design countermeasures that are triggered by different levels of radiation being released.
Beyond this tiny zone – the largest is just 3.3km/2 miles away from the relevant power station – the public will have to rely upon the local authorities to miraculously “extend” the zones, with little extra money or resources. The rest of us are left more or less completely exposed.
At a time when the government is sending out mixed messages about the terrorist threat we all face, Greenpeace have commissioned a report that explores how effective our current nuclear emergency plans would be if the unthinkable ever became a reality.
They include scenarios that indicate that our present emergency plans would be overwhelmed alarmingly quickly, putting the safety of all of us in jeopardy. One such scenario is explained in detail below.
Accidents at British nuclear plants are not uncommon, but so far, apart from Windscale, the accidents have been relatively minor and have not required any of the emergency plans to be fully tested. This is the result of luck more than judgement, however, as our scenarios show. Our investigations indicate that when it comes to nuclear safety we have nothing to be complacent about.
Nuclear Power Stations: A Constant Threat
Each power station has storage space for holding the tonnes of fuel that are waiting to be used and fuel that has already been used. When fuel is spent (used up), it is extremely hot and needs to be stored in water for some months to allow it to cool and lose some of its high level radioactivity. The spent fuel is made up of a combination of uranium and plutonium, a by-product of the reactor process, and is extremely radioactive.
If just one tonne of this spent fuel was involved in an accident or terrorist incident that caused a fuel storage tank to break open, then the current emergency plan would be rendered ineffective. Such a scenario could result in dangerous levels of high level radiation spreading up to 60km/36 miles in 7 hours and 100 km/60 miles in a day. If a release of this kind were to take place at somewhere like Hartlepool power station, just 6 miles from the 89,000 people who live in Hartlepool, then the current plans that account for an area of just 0.6 miles around the plant would surely be overwhelmed.
The type of radiation that might escape from a power station would be even more dangerous than the waste inside a nuclear transport because it would not have had the chance to complete the cooling process and lose some of the radiation that is normally very fragile and short lived. If it is released without having any time to cool, then this volatile radiation still exists and is particularly prone to being absorbed by people through the thyroid gland, potentially causing cancer in the future.
Zone Explanations
Zone 1: 1 – 3 km/0 – 2 miles
This is the area immediately around a power station, known as the Detailed Emergency Planning Zone (DEPZ), where local councils are required to draw up plans that will protect the residents living within that area. The plans involve providing one or all of three options. The first is to provide information to the residents on what has occurred and what they should do. The second is to distribute potassium iodate tablets that if taken early can prevent certain types of cancer that are caused by the intake of damaging radiation. If the levels are too dangerous to allow continued exposure to residents, then the local authority must arrange for evacuation for all residents within the DEPZ.
Zone 2: 3 – 10km/2 – 6 miles
This zone contains those people who are most at risk in the event of a nuclear emergency. There is no detailed plan in place to protect them from becoming contaminated. The best on offer is the option of the DEPZ being “extended” to take into account the surrounding area. Exactly how this would be done is not clear at all. To suddenly “extend” this zone up to 10 km/6 miles away from the source of the release would firstly involve the local authority being able to assess the situation, which they would have to do without specialist training and equipment, and also be able to offer the same level of protection to thousands more people. Some councils rely on the operators of the nuclear power stations or groups like the National Radiological Protection Board to carry out this assessment for them, but it is highly likely that this might not be possible, either because communications are down or perhaps the NRPB cannot get to the area quickly enough for their assessment to be effective. In such a circumstance, the councils would be obliged to carry out the assessment themselves.
If an accident were to occur at Hartlepool power station, then this could easily contaminate a 10km/6 mile area around the source of the release. This would then cover the town of Hartlepool itself, a town with a population of 89,000, which would stretch even the most well equipped emergency plan, never mind a plan that only has a DEPZ of 1km/0.6 miles, inside which the only human dwellings are two small businesses.
Zone 3: 10 – 100km/60 miles
Studies commissioned by Greenpeace have revealed that deadly radiation released during a nuclear accident could spread up to 100 km/60 miles away from the site in just 1 day. Exactly how dangerous the radiation would be would depend upon the atmospheric conditions and wind direction at the time of the release, but it is worth remembering that parts of England and Wales are still under government restrictions as a result of the Chernobyl accident in the Ukraine 16 years ago. In this zone you receive no actual assistance in protecting yourself, the most likely advice from your local authorities being to stay inside with the doors and windows closed.
100km/60 miles and beyond
If you live outside any of the zones above, unfortunately you are still not safe. The two scenarios we have described deal with the possibility of a very small release. To put our 1 tonne of radioactive material into context, the accident that took place at Chernobyl involved between 100 and 130 tonnes of material. The consequences of a comparable release occurring in the UK are impossible to calculate. At best, it would mean massively escalating rates of cancer, the contamination of foodstuffs such as dairy produce, which would therefore have to be avoided, and would cause a mass evacuation from the area surrounding the source of the release. At worst, no one knows.
If the Government decides to go ahead with its recommendation to build more nuclear power stations, the risk of accidents will increase as the number of power stations increase. Nuclear power - and the deadly waste it produces – poses a constant threat to the health and safety of all of us. The best emergency plan is to remove the risk in the first place by phasing out nuclear power for good.

Tuesday, July 19, 2011



Passive nuclear safety is a safety feature of a nuclear reactor that does not require operator actions or electronic feedback in order to shut down safely in the event of a particular type of emergency (usually overheating resulting from a loss of coolant or loss of coolant flow). Such reactors tend to rely more on the engineering of components such that their predicted behaviour according to known laws of physics would slow, rather than accelerate, the nuclear reaction in such circumstances. This is in contrast to some older reactor designs, where the natural tendency for the reaction was to accelerate rapidly from increased temperatures, such that either electronic feedback or operator triggered intervention was necessary to prevent damage to the reactor.
Terming a reactor 'passively safe' is more a description of the strategy used in maintaining a degree of safety, than it is a description of the level of safety. Whether a reactor employing passive safety systems is to be considered safe or dangerous will depend on the criteria used to evaluate the safety level. This said, modern reactor designs have focused on increasing the amount of passive safety, and thus most passively-safe designs incorporate both active and passive safety systems, making them substantially safer than older installations. They can be said to be "relatively safe" compared to previous designs.
Reactor vendors like to call their new generation reactors 'passively safe' but this term is sometimes confused with 'inherently safe' in the public perception. It is very important to understand that there are no 'passively safe' reactors or 'passively safe' systems, only 'passively safe' components of safety systems exist. Safety systems are used to maintain control of the plant if it goes outside normal conditions in case of anticipated operational occurrences or accidents, while the control systems are used to operate the plant under normal conditions. Sometimes a system combines both features. Passive safety refers to safety system components, whereas inherent safety refers to control system process regardless of the presence or absence of safety specific subsystems.
As an example of a safety system with 'passively safe' components, let us consider the containment of a nuclear reactor. 'Passively safe' components are the concrete walls and the steel liner, but in order to fulfil its mission active systems have to operate, e.g. valves to ensure the closure of the piping leading outside the containment, feedback of reactor status to external instrumentation and control (I&C) both of which may require external power to function.
The International Atomic Energy Agency (IAEA) classifies the degree of "passive safety" of components from category A to D depending on what the system does not make use of[1]:
1.     no moving working fluid
2.     no moving mechanical part
3.     no signal inputs of 'intelligence'
4.     no external power input or forces
In category A (1+2+3+4) is the fuel cladding using none of these: It is always closed and keeps the fuel and the fission products inside and is not open before arriving at the reprocessing plant. In category B (2+3+4) is the surge line, which connects the hot leg with the pressurizer and helps to control the pressure in the primary loop of a PWR and uses a moving working fluid when fulfilling its mission. In category C (3+4) is the accumulator, which does not need signal input of 'intelligence' or external power. Once the pressure in the primary circuit drops below the set point of the spring loaded accumulator valves, the valves open and water is injected into the primary circuit by compressed nitrogen. In category D (4 only) is the SCRAM which utilizes moving working fluids, moving mechanical parts and signal inputs of 'intelligence' but not external power or forces: the control rods drop driven by gravity once they have been released from their magnetic clamp. But nuclear safety engineering is never that simple: Once released the rod may not fulfil its mission: It may get stuck due to earthquake conditions or due to deformed core structures. This shows that though it is a passively safe system and has been properly actuated, it may not fulfil its mission. Nuclear engineers have taken this into consideration: Typically only a part of the rods dropped are necessary to shut down the reactor. Samples of safety systems with passive safety components can be found in almost all nuclear power stations: the containment, hydro-accumulators in PWRs or pressure suppression systems in BWRs.
In most texts on 'passively safe' components in next generation reactors, the key issue is that no pumps are needed to fulfil the mission of a safety system and that all active components (generally I&C and valves) of the systems work with the electric power from batteries.
IAEA explicitly uses the following caveat[1]:
... passivity is not synonymous with reliability or availability, even less with assured adequacy of the safety feature, though several factors potentially adverse to performance can be more easily counteracted through passive design (public perception). On the other hand active designs employing variable controls permit much more precise accomplishment of safety functions; this may be particularly desirable under accident management conditions.
Nuclear reactor response properties such as Temperature coefficient of reactivity and Void coefficient of reactivity usually refer to the thermodynamic and phase-change response of the neutron moderator heat transfer process respectively. Reactors whose heat transfer process has the operational property of a negative void coefficient of reactivity are said to possess an inherent safety process feature. An operational failure mode could potentially alter the process to render such a reactor unsafe.
Reactors could be fitted with a hydraulic safety system component that increases the inflow pressure of coolant (esp. water) in response to increased outflow pressure of the moderator and coolant without control system intervention. Such reactors would be described as fitted with such a passive safety component that could - if so designed - render in a reactor a negative void coefficient of reactivity, regardless of the operational property of the reactor in which it is fitted. The feature would only work if it responded faster than an emerging (steam) void and the reactor components could sustain the increased coolant pressure. A reactor fitted with both safety features - if designed to constructively interact - is an example of a safety interlock. Rarer operational failure modes could render both such safety features useless and detract from the overall relative safety of the reactor.
Examples of passive safety in operation
Traditional reactor safety systems are active in the sense that they involve electrical or mechanical operation on command systems (e.g., high-pressure water pumps). But some engineered reactor systems operate entirely passively, e.g., using pressure relief valves to manage overpressure. Parallel redundant systems are still required. Combined inherent and passive safety depends only on physical phenomena such as pressure differentials, convection, gravity or the natural response of materials to high temperatures to slow or shut down the reaction, not on the functioning of engineered components such as high-pressure water pumps.
Current pressurized water reactors and boiling water reactors are systems that have been designed with one kind of passive safety feature. In the event of an excessive-power condition, as the water in the nuclear reactor core boils, pockets of steam are formed. These steam voids moderate fewer neutrons, causing the power level inside the reactor to lower. The BORAX experiments and the SL-1 meltdown accident proved this principle.
A reactor design whose inherently safe process directly provides a passive safety component during a specific failure condition in all operational modes is typically described as relatively fail-safe to that failure condition.[1] However most current water cooled and moderated reactors, when scrammed, can not remove residual production and decay heat without either process heat transfer or the active cooling system. In other words, whilst the inherently safe heat transfer process provides a passive safety component preventing excessive heat in operational mode "On", the same inherently safe heat transfer process does not provide a passive safety component in operational mode "Off (SCRAM)". The Three Mile Island accident exposed this design deficiency: the reactor and steam generator were "Off" but with loss of coolant it still suffered a partial meltdown.[2]
Third generation designs improve on early designs by incorporating passive or inherent safety features [3] which require no active controls or (human) operational intervention to avoid accidents in the event of malfunction, and may rely on pressure differentials, gravity, natural convection, or the natural response of materials to high temperatures.
In some designs the core of a fast breeder reactor is immersed into a pool of liquid metal. If the reactor overheats, thermal expansion of the metallic fuel and cladding causes more neutrons to escape the core, and the nuclear chain reaction can no longer be sustained. The large mass of liquid metal also acts as a heatsink capable of absorbing the decay heat from the core, even if the normal cooling systems would fail.
The pebble bed reactor is an example of a reactor exhibiting an inherently safe process that is also capable of providing a passive safety component for all operational modes. As the temperature of the fuel rises, Doppler broadening increases the probability that neutrons are captured by U-238 atoms. This reduces the chance that the neutrons are captured by U-235 atoms and initiate fission, thus reducing the reactor's power output and placing an inherent upper limit on the temperature of the fuel. The geometry and design of the fuel pebbles provides an important passive safety component.
Single fluid fluoride molten salt reactors feature fissile, fertile and actinide radioisotopes in molecular bonds with the fluoride coolant. The molecular bonds provide a passive safety feature in that a loss-of-coolant event corresponds with a loss-of-fuel event. The molten fluoride fuel can not itself reach criticality but only reaches criticality by the addition of a neutron reflector such as pyrolytic graphite. The higher density of the fuel[4] along with additional lower density FLiBe fluoride coolant without fuel provides a flotation layer passive safety component in which lower density graphite that breaks off control rods or an immersion matrix during mechanical failure does not induce criticality. Gravity driven drainage of reactor liquids provides a passive safety component.
Some reactors such as the liquid metal and molten salt variants use Thorium-232 fuel which is more abundant in nature than Uranium isotopes and requires no enrichment. The difficulty of enrichment in the Uranium fuel cycle provides a passive safety component against nuclear proliferation. Neutron capture of Thorium-232 breeds both the fissile Uranium-233 and trace amounts of Uranium-232 by neutron knock-off. Neutron cross-section and decay products of Uranium-232 complicate designs and damage electronics if built into nuclear weapons, although Operation Teapot demonstrated its plausibility. Isolation of Uranium-233 from Uranium-232 is not currently believed possible providing a partial passive safety component against nuclear proliferation.
Low power pool-type reactors such as the SLOWPOKE and TRIGA have been licensed for unattended operation in research environments because as the temperature of the low-enriched (19.75% U-235) uranium alloy hydride fuel rises, the molecular bound hydrogen in the fuel cause the heat to be transferred to the fission neutrons as they are ejected.[5] This Doppler shifting or spectrum hardening[6] dissipates heat from the fuel more rapidly throughout the pool the higher the fuel temperature increases ensuring rapid cooling of fuel whilst maintaining a much lower water temperature than the fuel. Prompt, self-dispersing, high efficiency hydrogen-neutron heat transfer rather than inefficient radionuclide-water heat transfer ensures the fuel cannot melt through accident alone. In uranium-zirconium alloy hydride variants, the fuel itself is also chemically corrosion resistant ensuring a sustainable safety performance of the fuel molecules throughout their lifetime. A large expanse of water and the concrete surround provided by the pool for high energy neutrons to penetrate ensures the process has a high degree of intrinsic safety. The core is visible through the pool and verification measurements can be made directly on the core fuel elements facilitating total surveillance and providing nuclear non-proliferation safety. Both the fuel molecules themselves and the open expanse of the pool are passive safety components. Quality implementations of these designs are arguably the safest nuclear reactors.
Examples of reactors using passive safety features
Three Mile Island Unit 2 was unable to contain about 480 PBq of radioactive noble gases from release into the environment and around 120 kL of radioactive contaminated cooling water from release beyond the containment into a neighbouring building. The pilot-operated relief valve at TMI-2 was designed to shut automatically after relieving excessive pressure inside the reactor into a quench tank. However the valve mechanically failed causing the PORV quench tank to fill, and the relief diaphragm to eventually rupture into the containment building.[7] The containment building sump pumps automatically pumped the contaminated water outside the containment building.[8] Both a working PORV with quench tank and separately the containment building with sump provided two layers of passive safety. An unreliable PORV negated its designed passive safety. The plant design featured only a single open/close indicator for the PORV rather than separate open and close indicators.[9] This rendered the mechanical reliability of the PORV indeterminate directly, and therefore its passive safety status indeterminate. The automatic sump pumps and/or insufficient containment sump capacity negated the containment building designed passive safety.
The notorious RBMK graphite moderated, water cooled reactors of Chernobyl Power Plant disaster were designed with a positive void coefficient with boron control rods on electromagnetic grapples for reaction speed control. To the degree that the control systems were reliable, this design did have a corresponding degree of active inherent safety. The reactor was unsafe at low power levels because erroneous control rod movement would have a counter-intuitively magnified effect. Chernobyl Reactor 4 was built instead with manual crane driven boron control rods that were tipped with the moderator substance, graphite, a neutron reflector. It was designed with an Emergency Core Cooling System (ECCS) that depended on either grid power or the backup Diesel generator to be operating. The ECCS safety component was decidedly not passive. The design featured a partial containment consisting of a concrete slab above and below the reactor - with pipes and rods penetrating, an inert gas filled metal vessel to keep oxygen away from the water cooled hot graphite, a fire-proof roof, and the pipes below the vessel sealed in secondary water filled boxes. The roof, metal vessel, concrete slabs and water boxes are examples of passive safety components. The roof in the Chernobyl Power Plant complex was made of bitumen - against design - rendering it ignitable. Unlike the Three Mile Island accident, neither the concrete slabs nor the metal vessel could contain a steam, graphite and oxygen driven hydrogen explosion. The water boxes could not sustain high pressure failure of the pipes. The passive safety components as designed were inadequate to fulfil the safety requirements of the system.
The General Electric Company ESBWR (Economic Simplified Boiling Water Reactor, a BWR) is a design reported to use passive safety components. In the event of coolant loss, no operator action is required for three days.[10]
The Westinghouse Electric Company AP-1000 ("AP" standing for "Advanced Passive") is a design reported to use passive safety components. In the event of an accident, no operator action is required for 72 hours.[11]
The integral fast reactor was a fast breeder reactor run by the Argonne National Laboratory. It was a sodium cooled reactor capable of withstanding a loss of (coolant) flow without SCRAM and loss of heatsink without SCRAM. This was demonstrated throughout a series of safety tests in which the reactor successfully shut down without operator intervention. The project was canceled due to proliferation concerns before it could be copied elsewhere.
The Molten-Salt Reactor Experiment was a molten salt reactor run by the Oak Ridge National Laboratory. It was a fluoride salt cooled reactor in which the fuel molecules function also as a molten fluoride salt coolant. It featured thermochemical freeze valves in which the molten salt was actively cooled to freezing point by air in flattened sections of the Hastelloy-N salt piping to block flow. If the reactor vessel developed excessive heat or if electric power was lost to the air cooling, then the fuel and coolant could thermochemically penetrate the valve into drain tanks away from the neutron reflector becoming sub-critical enroute for passive or active water cooling.[12] During testing, it was observed that about 6–10% of the calculated 54 Ci/day (2.0 TBq/day) production of tritium diffused out of the fuel system into the containment cell atmosphere and another 6–10% reached the air through the heat removal system.[13] Inhalation of 70 GBq of tritium is equivalent to an adult human dose of 3 Sv [14] in which 50% of cases would be expected to die within 30 days. The fluoride salt molecular bond passive safety component failed to prevent tritium production from fission thus presenting a proliferation risk. The fluoride salt molecular bonds did not prevent tritium from leaking into the containment.
The fleet of BWRs and PWRs operating within the last 10 years in the United States have reported on 42 occasions a quarterly average daily tritium emission level of more than 22 mCi/day (70 GBq/day) from a power plant.[15] During the first quarter of 2001 Palo Verde Unit 1 released on average 9 Ci/day (333 GBq/day) tritium gas.[15] The passive safety component of water as neutron moderator failed to prevent excessive tritium gas (hydrogen with 2 neutrons) from being released from the plant as gas for dilution with air rather than water diluted tritiated water. Inhalation of tritium is absorbed at almost twice the rate as ingested tritium.[14]
-----      ---------          -------             -------                   --------                 ---------                  ----------
Next generation of reactors in U.S., up for review by the Nuclear Regulatory Commission, are meant to provide cooling even in the absence of power.
The first new nuclear reactor ordered in the U.S. in roughly three decades is beginning to take shape near Augusta, Ga. Southern Company and its partners have dug 27.5 meters down to reach bedrock and are now refilling the hole to provide a stable, anchored foundation for what is likely to be the first of a new generation of reactors in the U.S.: two new AP1000 models at the Vogtle Electric Generating Plant that stand next to two older pressurized water reactors, which came online in the 1980s—the first of some 14 AP1000s and 20 new reactors in total that may be built in the U.S. in the next 15 years.

"The nuclear revival is underway in Georgia," said Jim Miller, chief executive of Southern Nuclear Operating Co., the subsidiary charged with administering the corporation's nuclear power plants, in February. "It will provide safe, clean, reliable, low-cost electric energy to our customers for generations to come."

Of course, that was before the accident at Fukushima nuclear power plant in Japan, following the 9.0-magnitude earthquake and subsequent tsunami. That power plant boasted six boiling-water reactors built in the 1970s by General Electric, Toshiba and Hitachi, and capable of pumping out more than 4 gigawatts of electricity. It also proved incapable of withstanding the twin perils of an earthquake that disconnected it from the electrical grid and a tsunami that wiped out back-up diesel generators and flooded electrical equipment.

"First you rely on the grid," explains Scott Burnell, a spokesman for the U.S. Nuclear Regulatory Commission, which oversees safety at the 23 such boiling water reactors in operation in this country. "If the grid is no longer available, you use diesel generators. If there is an issue with the diesels, you have a battery backup. And the batteries usually last long enough for you to get the diesels going."

That did not prove to be the case at Fukushima Daiichi. But new reactor designs—including the Economic Simplified Boiling Water Reactor from GE-Hitachi that passed its safety rating from the NRC on March 9, two days before the quake—are meant to provide cooling even in the absence of power.

For example, the AP1000s being built in Georgia boast "passive" safety features—safety technology that kicks in with or without human intervention or electricity. In the case of the Westinghouse AP1000 design that means cooling water sits above the reactor core and, in the event of a potential meltdown like at Fukushima Daiichi or Three Mile Island in Pa., will, with the opening of a heat-sensitive valve, simply flow water into the reactor, dousing the meltdown. "Never has so much money been spent to prove that water runs downhill," Westinghouse spokesman Vaughn Gilbert told Scientific American in 2009.

Further, although the thick steel vessel containing the nuclear reactor is encased in a further shell of 1.2-meter-thick concrete, that shell is surrounded by a building that is open to the sky. Should the concrete containment vessel begin to heat up during a meltdown, natural convection would pull in cooling air.

But that open-air building was initially rejected by NRC for a lack of structural strength. The U.S. regulator argued that it would not withstand a severe shock such as an earthquake or airplane impact, because it was initially planned to be built from pre-fabricated concrete and steel modules in order to save money.

The modified design now under review by the NRC employs more steel reinforcement as well as improved venting (maintaining such venting has proved critical at Fukushima Daiichi).
But some critics, such as engineer Arnie Gundersen of Fairewinds Associates, have further concerns. For instance, if the containment building housing the reactor core were to spring a leak—as appears to have happened at Fukushima Daiichi—radioactive material would be wafted up and out of the AP1000 thanks to that same natural convection.

In the end, all nuclear power plants suffer from a balancing act between absolute safety and acceptable cost. "With earthquakes, there are limits to what you can do," says nuclear engineer Michael Golay of the Massachusetts Institute of Technology. "What risk are you willing to tolerate?"