NUCLEAR:

NRC seeks strength in simplicity, approving AP1000 reactor project in Ga.

ClimateWire:

The first new nuclear reactor to be approved in the United States in a generation is also designed to be the safest.

Two Toshiba/Westinghouse AP1000 reactors were cleared yesterday by the Nuclear Regulatory Commission for construction by Southern Co. in Georgia. Compared to the 104 existing U.S. reactors, the AP1000 comes with a markedly simpler set of defenses to bring the reactors to a safe shutdown after a serious accident.

The new design replaces the complex emergency system of power-driven pumps and valves found in current reactors. These systems, delivering cooling water to reactor cores after normal cooling fails, are the kind that were catastrophically disabled when power was lost at the Fukushima Daiichi power station in Japan last year.

Instead, the AP1000 (for "advanced passive") relies crucially on gravity, the ordinary condensation of steam into water to recirculate cooling water, and valves that operate automatically when called on during accidents.

Its emergency system is engineered to operate for 72 hours without outside power or operators' intervention, and then water supplies could be replenished by a single pump run off an emergency generator. This is a big advance over the Fukushima units, and also existing U.S. reactors, Westinghouse says. And the NRC agreed.

But the AP1000's radically different design required a lengthy examination by the NRC staff and expert advisers. Its last line of defense is an outer shield or shell structure of a never-before-tested concrete-steel composite. The NRC was obliged to rely on computer modeling to confirm that the shield structure could withstand the most severe anticipated earthquake and a crash by a commercial airliner -- a new requirement imposed after the 9/11 attacks.

NRC staff engineer John Ma filed a "nonconcurrence" in 2010, challenging the shield building's strength in those emergency scenarios. The NRC staff and the commission's advisory committee disagreed, giving the design a green light. "Professional opinions may vary," the final staff response said, "and the NRC has in place mechanisms for ... resolving any issue a differing view may raise."

Construction greenlighted, but critics not satisfied

In December, the NRC commissioners unanimously approved the AP1000 design in a display of unity markedly in contrast to the internal battles over the implications of Japan's nuclear accident for the U.S. industry. With yesterday's action, Southern can begin building the two 1,154-megawatt units at its existing Vogtle reactor site near Augusta. It was the first operating license the NRC has granted since 1996.

The December decision followed five years of additional review and modifications after the NRC's initial AP1000 design certification. The staff's summary of the design safety evaluation fills 1,578 pages, the top layer of thousands of pages more of documents constituting the safety review.

The review has not satisfied the AP1000's strongest critics. Their objections center on the strength of the outer shield structure, the adequacy of the passive systems and the ability of the NRC's review -- despite its length and depth -- to anticipate and defend against the range of possible system failures in such a massive industrial machine.

Jim Warren, executive director of NCWarn, one of the AP1000's most vociferous opponents, says that even if the design is perfect -- which he doesn't acknowledge -- the reactors at the Vogtle plant must be built to match the design.

He points to the most recent report by William Jacobs Jr., the independent construction monitor for the Vogtle project retained by the Georgia Public Service Commission Public Interest Advocacy Staff. Jacobs' report lists more than a page of new change orders proposed by the contractors. The details are blacked out in his report.

"Finalization of the detailed Vogtle specific AP1000 design culminating in issuance of Certified For Construction (CFC) design packages for the Project remains a concern," Jacobs said.

Passive safety systems

The AP1000's heart is a steel reactor pressure vessel containing the fuel. It is enclosed by a steel containment building that also holds steam generators and other essential components. These include emergency water tanks filled with pressurized nitrogen that would force water into the reactor core if a pipe break cut off normal recirculating cooling water.

Surrounding the containment is the shield building that is separated from the containment and open at the top so that air moving between the two structures would carry heat away from the containment through a "chimney" effect.

The shield building supports a large water tank. In an accident, water would automatically flow downward from the tank into the containment structure, bathing the outside of the reactor vessel. The water would turn to steam, pulling heat from the reactor vessel. Steam would condense back to a liquid state inside the containment and flow back to replenish the water supply to create long-term cooling. Some water from the tank would also be diverted into the reactor core if needed.

Despite the AP1000's passive features, which have cut the number of pumps and valves dramatically compared to current reactors, the safety systems still require the precise activation of valves and pumps during parts of the emergency cooling response, says Edwin Lyman, senior staff scientist with the Union of Concerned Scientists.

For example, valves must work to prevent high pressures in the reactor vessel from blocking injection of emergency cooling water, he said.

"The key to all emergency core cooling systems is that you have to depressurize the reactor vessel, and that requires valves to open. Unless you can get makeup water into the core at a sufficiently high rate, you may wind up uncovering the core. This is what happens at Fukushima," he said.

The NRC's review of multiple depressurization systems delved far down to include the actions of "squib" valves that are opened automatically through an explosive charge when sensors detect emergency conditions.

Testing a philosophy

On Page 1,144 of the safety review, the NRC staff spent several pages on a proposed change by Westinghouse to create a five-second delay between the firing of the first and second squib valves in each pair of valves. The reason: to avoid damage to pipes from a simultaneous activation. The change was accepted.

Elsewhere in the safety report, the NRC staff noted its concerns that chemical residue from the activation of other squib valves could interfere with water flow through the valves, and how that question was resolved.

On another point, the staff told Westinghouse its testing of some squib valves wasn't adequate to qualify performance of other, as-built versions. The staff demanded more testing. In the end, the NRC staff was satisfied.

From the NRC's perspective, the documented resolution of hundreds of such issues testifies to the thoroughness of the review and the creation of multiple lines of defense against accidents. Westinghouse can point to years of work in the trenches by engineers striving to create a design that earns acceptance by nuclear power developers around the world.

Skeptics like Lyman see this as evidence that even a simplified reactor is a hugely complex matrix of components that must work together in both anticipated and perhaps unforeseen emergencies.

"The overarching concern here is that the functioning of some of these designs and systems is predicated on the accuracy of the computer analysis. These are complicated, coupled systems, and you're putting a lot of dependence on the ability to model these very complex situations," Lyman said. The NRC sets up boundaries within which to assess design safety; otherwise, the review couldn't be completed, he said. "It comes down to a philosophy: How safe is safe enough?"