Editor's note: This article appears in print with the title "In Search of the Black Swan."

Half a world away from Japan’s stricken Fukushima Daiichi nuclear power plant, deep in the pine forests of Georgia, hundreds of workers are prepping the ground for an American nuclear renaissance they still believe is on the way. Bulldozers rumble across sunken plateaus of fresh, hard-packed backfill that covers miles of recently buried piping and storm drains. If plans stay on track, sometime next year two new nuclear reactors will begin to rise from the ground—the first reactors to be approved in the U.S. in more than 25 years.

That would be the starting gun for a renewed expansion of nuclear power in the U.S., which came to a virtual standstill after a partial meltdown at the Three Mile Island plant in 1979. Since then, the specter of climate change has turned nuclear power from an environmental menace to a potential source of carbon-free energy. Both Presidents George W. Bush and Barack Obama embraced the technology in the hope of triggering new construction. The U.S. Nuclear Regulatory Commission (NRC) is now reviewing proposals to build 20 more reactors in addition to the Georgia pair, adding to the 104 built decades ago.

More than half of these new reactors—including the two Vogtle units in Waynesboro, Ga.—would be AP1000s, the first of a new generation that incorporates “passive” safety features intended to avoid disasters like the one in Japan. In the event of an accident, the reactor relies on natural forces such as gravity and condensation to help keep its nuclear fuel from dangerously overheating—features the Fukushima plant lacked.

A few months ago it seemed a good bet that Georgia’s two AP1000s would win the final stage of NRC approval for construction later this year. But the Fukushima calamity in March, in which a staggering 9.0 earthquake and massive tsunami left the hot cores of four reactors deprived of coolant, has once again put the prospect of nuclear catastrophe foremost in the public’s mind. Within weeks polls showed the number of Americans who supported new reactors had dropped from 49 to 41 percent compared with before the accident, reflecting a distrust of the technology regardless of assurances that risks are infinitesimal and reactor defenses are robust. The spectacle of Fukushima provided an object lesson in the limits of risk assessments.

Despite planning, nuclear power will always be vulnerable to black swan events—highly unlikely occurrences that have big repercussions. A rare event—especially one that has never occurred—is difficult to foresee, expensive to plan for and easy to discount with statistics. Just because something is only supposed to happen every 10,000 years does not mean it will not happen tomorrow. Over the typical 40-year life of a plant, assumptions can also change, as they did on September 11, 2001, in August 2005 when Hurricane Katrina struck, and in March after Fukushima.

The list of potential black swan threats is damningly diverse. Nuclear reactors and their spent-fuel pools are targets for terrorists piloting hijacked planes. Reactors may be situated downstream from dams that, should they ever burst, could unleash biblical floods. Some reactors are located close to earthquake faults or shorelines exposed to tsunamis or hurricane storm surges. Any one of these threats could produce the ultimate danger scenario like the ones that emerged at Three Mile Island and Fukushima—a catastrophic coolant failure, the overheating and melting of the radioactive fuel rods, and the deadly release of radioactive material. (Explosions ignited Chernobyl’s core.)

Preparing for these scenarios is hard enough without having to stay within a budget. Utility companies have tried to reduce the enormous up-front expenses of building reactors. Even with streamlined licensing and construction, a nuclear plant now costs almost twice as much to build per megawatt as a coal plant and almost five times as much as a natural gas plant. The difference can be offset by lower operating costs—coal is almost four times more expensive than nuclear fuel, whereas gas costs 10 times as much—but those savings are realized only if nuclear plants can run at high capacity for many years. In the 1970s and 1980s plant shutdowns for maintenance and safety issues at times ruined the operational gains. For nuclear to compete, vendors have tried to slash construction costs and reduce shutdowns by making systems simpler and more reliable, without cutting safety margins.

Of course, it is impossible to build a reactor that is immune from any threat whatsoever, even if engineers encase it in colossal containment walls, bury it in a watertight vault and hire an army of psychics to predict the future. In designing the AP1000, engineers have no doubt tried to choose the best course through myriad constraints of physics, expense and disaster planning. What they have come up with is, by necessity, a product of compromises. In the wake of Fukushima, the question uppermost in people’s minds is: Are nuclear reactors safe enough?

Passive Defense against Catastrophe
The AP1000s and other “Gen III+” reactors under NRC review were designed with a different catastrophe in mind than the one in Japan. The 1979 partial-core meltdown at Three Mile Island near Harrisburg, Pa., was caused not by natural disaster but mainly by human error. Within months engineers were brainstorming reactor improvements, simplifying safety features and adding cooling backups that would kick in without human intervention. Gen III+ reactors such as the AP1000 are the result.

The water coolant inside the AP1000 circulates through a closed system of pipes. As the water passes over the reactor core, it absorbs heat but does not vaporize, because it is kept under high pressure. The pipes, in turn, are cooled by water from a secondary reservoir. If power is lost to the pumps, the reactor has a battery backup. If that fails, natural forces take over: water flows in from three emergency water tanks kept inside the reactor’s domed, steel containment vessel, which looms over the core.

A blackout causes valves to open, and pressure and temperature differences between the core and tanks move cool tank water into the reactor vessel to cool the fuel rods. If needed, a huge fourth tank in the ceiling of the outer concrete shield building can pour water directly onto the outside of the dome, carrying away heat as the water boils off as steam. Inside the dome, steam that rises up from the reactor core strikes the cooled ceiling, condenses and falls back down to the core. This fourth tank holds 795,000 gallons of water, enough to last for three days, and can be refilled by hose, according to Howard Bruschi, Westinghouse’s former chief technology officer. Vents in the building also draw in outside air, which cools the steel containment vessel.

The virtue of these backups—and what makes the AP1000 an improvement over older reactors—is that they require no electricity or human action. Proponents argue that the “station blackout” that hit Fukushima—a loss of electricity from the grid as well as on-site backup generators, which stopped all cooling pumps—would have been less of a problem had these systems been in place. Even if the backups worked for only a few days, that would give plant operators time to reestablish electrical power.

Whether the systems could prevent a core meltdown and a release of radiation to the atmosphere is a matter of debate. Proponents of the Gen III+ designs claim they are at least 10 times safer than the nation’s 104 operating reactors. Other engineers are more conservative. Hussein S. Khalil, director of Argonne National Laboratory’s Nuclear Engineering Division, would go no further than to state: “It’s actually fair to say that the Gen III+ plants achieve through natural means a comparable degree of safety to upgrades that have been added to existing plants.”

Industry critic Edwin Lyman, a senior staff scientist at the Union of Concerned Scientists, is not willing to concede even that. He has challenged specific cost-saving design choices made for both Westinghouse’s AP1000 and General Electric’s ESBWR (another new design). At the top of Lyman’s concerns are the strength of the steel containment vessel and the concrete shield building around the AP1000. In Fukushima, as engineers injected water into the containment structure to cool the exposed rods, they kept a worried eye on the pressure from steam and potentially explosive hydrogen.

The AP1000 containment vessel, Lyman says, does not have sufficient safety margins. One yardstick he uses for the containment capacity of a reactor—and hence its ability to withstand a rise in pressure—is the ratio of a reactor’s thermal power to its containment volume. For Westinghouse’s AP600, a predecessor discontinued because it generated too little power to be attractive to utilities, that ratio stood at about 885 cubic feet per megawatt—roughly on par with most operating pressurized water reactors. But when Westinghouse enlarged the reactor to 1,100 megawatts for the AP1000, it did not expand the containment capacity proportionally; the ratio dropped to 605 cubic feet per megawatt, Lyman says. Containment vessels and buildings, he notes, “are expensive.”

Westinghouse’s Bruschi argues that the AP1000 is still well within the range required by NRC regulations. He added—and several independent nuclear engineers concurred—that the extra cooling provided by the passive systems most likely would reduce the pressure the containment would face during a severe accident. Lyman, though, worries about buildups of pressure that go beyond what many nuclear engineers anticipate. 

Lyman is more comfortable with the design of the Areva EPR, a model developed in consultation with German and French utilities and European regulators and now under NRC review. Instead of passive backup systems, the Areva has four primary diesel generators and two secondary generators, all housed in separate, waterproof buildings located on opposite sides of the plant. That makes it extremely unlikely they would all fail at once, says Marty Parece, vice president of technology at Areva’s Reactor and Services Business Group. Even if the generators did fail, the EPR has a thicker, double-walled containment building and a core catcher—a structure that would “catch” molten fuel, contain it and coat it with gravity-fed water. The catcher would prevent a melting, radioactive core from escaping through the floor.

Safety vs. Cost
Nuclear designers do not have the luxury of preventing any one type of catastrophe. They need to keep in mind many scenarios. The trouble is, different threats require different measures, and sometimes preparing for one detracts from another. Potentially the most damaging critique of the new AP1000 passive-safety reactors comes from John Ma, a senior structural engineer at the NRC. In 2009 the NRC made a safety change related to the events of September 11, ruling that all plants be designed to withstand a direct hit from a plane. To meet the new requirement, Westinghouse encased the building’s concrete walls in steel plates.

Last year Ma, a member of the NRC since it was formed in 1974, filed the first “nonconcurrence” dissent of his career after the NRC granted the design approval. In it, Ma argues that some parts of the steel skin are so brittle that the “impact energy” from a plane strike or storm-driven projectile could shatter the wall. A team of engineering experts hired by Westinghouse disagreed, as did several engineers consulting for the NRC’s Advisory Committee on Reactor Safeguards, which recommended the design be approved.

Other more radical designs, however, seem to offer greater safety margins. So-called pebble bed reactors, a Gen III+ design under development, rely on gas instead of water to carry heat away from the nuclear fuel and contain thousands of tiny grains of radioactive material embedded in spheres of graphite the size of tennis balls. The graphite slows the pace of fission, making the core less likely to overheat, and the cooling gas is less prone to cause an explosion than water that turns to steam. Several other so-called small modular reactors that generate less power but have a much lower cost than a large facility may also be worth considering because they generate less heat, making them easier to cool.

Most nuclear experts seem comfortable with the balance Westinghouse has struck between safety and cost and believe that its containment structure provides sufficient protection for most accidents. In the end, engineers have to decide how best to balance safety and cost.

A Failure of Imagination
Fukushima raises questions that go beyond design preferences, however. One cause of the disaster was a failure of imagination, something that any regulator or designer is vulnerable to. The Fukushima plant was built to withstand a magnitude 8.2 earthquake, and the 9.0 quake was within its safety margin. But whereas the plant was built to survive tsunami waves of 18.7 feet, the waves that hit were 46 feet tall. Waves of that height are not without precedent: an earthquake and tsunami of comparable size struck the area in A.D. 869, says Thomas Brocher, director of the Earthquake Science Center at the U.S. Geological Survey in Menlo Park, Calif. When engineers make such “design-basis” errors—for a reactor, bridge or skyscraper—all bets are off.

Such a grave miscalculation seems less likely in the U.S. The NRC requires operators to demonstrate that their plants can withstand the largest flood, tsunami or earthquake possible based on all information that is known “plus an additional safety margin,” says NRC spokesperson Brian Anderson. The standard is based on modeling that estimates the largest regional earthquake in the past 10,000 years. The additional margin of error generally works out to between 1.5 and two times that size, says Bozidar Stojadinovic, an earthquake engineering expert at the University of California, Berkeley, and an NRC consultant.

Still, engineers can prepare only for events they can foresee. Seismologists are always uncovering new earthquake risks. A few decades ago the possibility that an earthquake or tsunami would hit the Pacific Northwest was considered remote. Then scientists dated the demise of red cedar trees there to 1700, suggesting an earthquake had occurred that year, and uncovered records of a tsunami in Japan confirming it. Working backward, geologists determined that a magnitude 9.0 earthquake had hit an area that runs roughly from northern Vancouver Island to northern California. The realization forever changed the design basis for buildings constructed in the region. Two nuclear power plants had previously been built in the region—in Oregon and in northern California—but both had already been decommissioned.

Earthquakes are so infrequent on the East Coast of the U.S. that earthquake research has seemed far less urgent. Still, the Indian Point reactor north of New York City is within 50 miles of almost 6 percent of the U.S. population, a higher concentration than for any plant in the nation. Seismologists do not agree on which faults in the region are likely to cause a quake or how they might interact, says Boston College seismologist John E. Ebel. One 2008 study found that a number of small local faults believed to have been inactive could in fact contribute to a major quake.

Fukushima demonstrates the need for a “new paradigm,” says Naj Meshkati, a professor of engineering at the University of Southern California and an expert on the effects of earthquakes on nuclear plants. “Our design basis has been based on improbable possibilities,” he says. “But engineers are not so good at designing for a once-in-a-blue-moon event that hasn’t happened.” Such uncertainties make it impossible to know if a margin of error of twice the design basis is sufficient.

On the other hand, no man-made structure is 100 percent earthquake-proof, says Michael Corradini, a member of the NRC’s advisory committee on reactor safeguards. “The question,” he says, “is what are you willing to design for—and does society understand that and accept that factor of safety?”

How safe is safe enough? When it comes to nuclear power, a thoughtful answer must take into account the alternatives and the kind of risk you can live with. Coal produces half the nation’s electricity and 80 percent of carbon dioxide emissions from its power plants, according to the U.S. Department of Energy; nuclear power produces 20 percent of its electricity and releases no carbon dioxide. Pollution from just two northeastern coal-fired plants was linked to tens of thousands of asthma attacks, hundreds of thousands of episodes of upper respiratory illnesses and 70 deaths annually, according to a 2000 study commissioned by the Clean Air Task Force. Natural gas burns cleaner, but evidence is mounting that some methods of extracting it pose environmental and human health risks of their own.

Uncertainty in the wake of the Japan accident could still derail plans for some new reactors, but the imperatives of global warming and our need for energy suggest the revival will continue. Secretary of Energy Stephen Chu endorsed the AP1000 in February 2010, after President Obama announced $8.3 billion in conditional loan guarantees. “The Vogtle project [in Georgia] will help America to recapture the lead in nuclear technology,” Chu said. The track record of nuclear power also argues for the advocates. For all the anxiety of Three Mile Island, it did not amount to a single human casualty. Track records, of course, do not reflect events that have never happened but someday might.