Beating the Millennium Bug at Nuclear Power Plants
Vince J Madden
As 1999 progresses we are all becoming more conscious from media reports of the Year 2000 (Y2K) problem. The problem occurs in some software because two-digit fields were used to represent the year. The algorithms used may not be able to recognise the change to the new millennium and may misread "00" for the year 1900 instead of the year 2000. Others do not correctly identify the year 2000 as a leap year and risk failure at 29th February 2000 or 31st December 2000 (the 366th day). Date related problems can affect software in mainframes, desktop computers, local area networks and digital control systems, and software embedded in facility equipment. It can also affect information residing in data files, databases and libraries. The failure modes range from inconvenient display of dates to complete failure of processing systems and the functions they perform.
Y2K and Nuclear Power: First Steps
For a nuclear power plant the first challenge is to acquire an inventory of all potentially affected systems. With this inventory one can then assess first whether there is any impact on plant safety and secondly whether the plant will be able to continue generating, which affects the utility’s ability to supply electricity into the transmission system. A significant loss of generating capacity could impact on a transmission and distribution company’s ability to maintain a supply of electricity to all its customers.
Responsibility for assessing Y2K rests with the operating organisation. In many countries the regulator has imposed requirements on nuclear operators, with the prospect that, unless these are satisfied, it will require plant shutdown for the date roll-over.
In terms of international support a number of initiatives have been taking place. The World Association of Nuclear Operators (WANO) alerted all members to the potential Y2K problem in early 1998. A workshop on the topic at which members shared their experiences to date was held in April 1998 and a facility to exchange information on Y2K was established on our private internet site last summer. This has included documents on the methodology used by members in addressing Y2K that could be used by others.
At the IAEA General Conference in September 1998 a resolution was adopted defining a number of measures to address the year 2000 issue. In January 1999 the IAEA published "Achieving Year 2000 Readiness: Basic Processes" (TECDOC-1072). This document, available through the IAEA web site (www.iaea.org/ns/nusafe/y2000/y2k.htm), presents an approach that may be used for discovering, understanding and correcting Y2K related problems. The IAEA is establishing teams to support those member states that request assistance for their own national initiatives.
WANO is co-operating in this initiative by seeking experts for these teams from our member utilities. To date missions have taken place to plants in the Ukraine (Chernobyl, Zaporozhe) and China (Qinshan), and plans are being put in place to carry out further missions to Kozloduy in Bulgaria, and to Qinshan and Daya Bay (China). In the case of Slovakia, which has had an active Y2K programme for some time, the team undertook a peer review of the work done at Bohunice.
A complete picture of the situation in all 33 of the countries operating NPPs is not readily available. An absence of information does not mean that there is no work being undertaken, rather that it is being addressed locally. A fuller overall picture should emerge at the 1999 IAEA General Conference when a report will be made by the Director General. However it does appear that certain countries have been slow to establish mechanisms to address the issue at the national level.
A particular focus of questioning has been the countries that operate the Soviet designed VVER and RBMK reactors. The Central European countries have all been operating Y2K projects for some time and have been co-operating in sharing information. In addition to the IAEA missions mentioned above, some Y2K activities are taking place through Western European utilities involved in the EU-funded TACIS and PHARE on-site assistance activities. The relationships established under these programmes have the capability to bring Western utility know-how alongside local initiatives. At the IAEA conference on "Strengthening of Nuclear Safety in Eastern Europe" held in June 1999, most country delegations provided information on their approach, including regulatory requirements, in their papers and presentations.
WANO, through its Paris Centre/Moscow Centre Advisory Committee, has been discussing Y2K at its meetings throughout 1998 and 1999. At the May 1999 meeting each of the 15 nuclear power plants represented at the meeting reported on the work being done and the contingency plans in preparation, with special focus on grid disconnection. The general situation may be summarised as follows: a common methodology, either Rosenergoatom’s or the IAEA’s, is being applied by all the plants; the local central utility (i.e. Rosenergoatom in Russia and Energoatom in Ukraine) is co-ordinating the work; nuclear regulators are closely monitoring the work done at plant level; and EU utilities present at various sites are collaborating in the work.
In response to a request by the European Commission, the WANO Paris Centre is setting up two expert teams to perform independent reviews of the Y2K work at five selected sites in Russia, Ukraine and Armenia as identified through the Moscow Centre. A Russian expert and a Ukrainian expert will be part of a six man WANO team leading this activity. Given the timescale involved, there will be a special focus on contingency planning to face potential internal and external events. The visits are being co-ordinated with the IAEA to avoid duplication.
Others, notably the US Department of Energy, are also active in providing support to operators in the former Soviet Union. Good integration of all these bilateral and multilateral activities is highly desirable so as to avoid duplication and to ensure that all plants which would benefit from assistance are adequately supported.
Until relatively recently reactor safety systems were based on analogue systems, and a number of utilities have reported that as a consequence their ability to shut down their reactors is unaffected by Y2K. In January 1999, reporting on the US electricity industry’s efforts to prepare the power supply system for the Y2K challenge, the North American Electricity Reliability Council stated: "No (nuclear) facility has found a Y2K problem that would have prevented safety systems from shutting down a plant, if conditions required after the turn of the century".
Some of the more recent reactor designs have made extensive use of digital equipment, and hence Y2K assessments are compelling. Having completed an assessment and conducted any necessary remediation or replacement, many utilities are conducting an integrated simulation test. Tokyo Electric Power Company carried out a simulation in April 1999 to verify that there will be no problems at Kashiwazaki-Kariwa unit 6 on 1 January 2000. This Advanced BWR is the first reactor in Japan to have fully digital systems for instrumentation and control (I&C) and safety, and so relies more heavily on computers than earlier plants. During a scheduled annual outage the simulation was carried out by setting the computer clocks to shortly before midnight on 31 December 1999 and letting the systems run through to 1 January 2000. All was well.
An analogous test was carried out at the Civaux-2 plant of Electricité de France (EDF) in March 1999. This unit, which has not yet gone critical, also features fully digital I&C. The EDF test also covered two other key dates that have the potential to be problematical: 8-9 September 1999 and 28-29 February 2000. After the test the date was reset correctly and no anomaly in any of the three tests was reported.
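The two-digit-year and leap-year failures described in the opening paragraph, checked on the roll-over and leap-year dates exercised in the plant tests above, can be expressed as a small harness. This is an added example, not code from the paper or from any plant system; the routine names, the constructed legacy routines and the pivot year of 50 in the remediated version are assumptions of the example.

```c
#include <stdio.h>

/* Routines under test: expand a stored two-digit year to a full year,
   and decide whether a full year is a leap year. */
typedef int (*expand_fn)(int yy);
typedef int (*leap_fn)(int year);

/* Legacy behaviour (constructed for illustration). */
static int legacy_expand(int yy) { return 1900 + yy; }                  /* "00" -> 1900 */
static int legacy_leap(int y)    { return y % 4 == 0 && y % 100 != 0; } /* no 400-year rule */

/* Remediated behaviour. The pivot of 50 is an assumption of this example. */
static int fixed_expand(int yy) { return (yy < 50 ? 2000 : 1900) + yy; }
static int fixed_leap(int y)    { return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0; }

/* Day number within the year (1..366) under the supplied leap rule. */
static int day_of_year(int year, int month, int day, leap_fn leap) {
    static const int before[12] = {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
    return before[month - 1] + day + ((month > 2 && leap(year)) ? 1 : 0);
}

/* One bit per key-date check that fails. */
enum { FAIL_ROLLOVER = 1, FAIL_FEB29 = 2, FAIL_DAY366 = 4 };

/* Runs the key-date checks against a pair of routines; returns the failure mask. */
int rollover_check(expand_fn expand, leap_fn leap) {
    int failed = 0;
    /* 31 Dec 1999 -> 1 Jan 2000: stamps "99" and "00" are one year apart. */
    if (expand(0) - expand(99) != 1) failed |= FAIL_ROLLOVER;
    /* 29 Feb 2000 exists only if 2000 is treated as a leap year. */
    if (!leap(2000)) failed |= FAIL_FEB29;
    /* 31 Dec 2000 is the 366th day of the year. */
    if (day_of_year(2000, 12, 31, leap) != 366) failed |= FAIL_DAY366;
    return failed;
}

int main(void) {
    printf("legacy routines:     failure mask %d\n", rollover_check(legacy_expand, legacy_leap));
    printf("remediated routines: failure mask %d\n", rollover_check(fixed_expand, fixed_leap));
    return 0;
}
```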
All the above is not to say that nothing requiring attention has been found. It is quite common for plants to report assessments which reveal shortcomings in non-reactor safety critical systems such as site-access computers, radiation monitoring equipment and similar systems that need a date function. Problems have also been reported in computer based systems for feedwater control, turbine control and control rod position indication — though the latter does not affect the ability of a control rod to insert. Two of the most common problems encountered have been in-core monitoring systems, which are required to ensure that local power limits are not exceeded, and area radiation monitoring systems.
The solutions adopted have varied from modification and testing of the software through to replacement of the software and associated hardware. It can be more practical and cheaper to bring forward a planned replacement programme than to tackle an extensive investigative and remediation project, particularly if in a few years’ time a replacement system will need to be installed in any case to maintain equipment reliability. In some systems it has been possible simply to work around the problem by winding back the computer clock. This approach has been adopted on the feedwater control system at a Swedish plant, where the operators are reported as having wound back the clock by eight years, thereby delaying the problem. In the intervening period they anticipate replacing the relevant computer system.
From the time of this Symposium there is less than four months to go to 1 January 2000. The question arises as to what can be done in the remaining period. A particular focus is contingency planning. All nuclear power plants already have established contingency plans to cope with the likes of a hurricane, fire or a nuclear emergency. Based on a knowledge of the risks derived from a Y2K assessment it is possible to develop supplementary plans that take account of any identified internal or external risk. Key in the latter is the supply chain, and some utilities are taking steps to increase stock holdings of selected consumables if they consider that there is a significant risk that their supplier has not adequately prepared for Y2K. Whilst development of a Y2K contingency plan requires the preparation of an inventory and some assessment work, accumulated international experience has the potential to short circuit the process and enable a plant to focus on the development of its contingency plan.
In very many of the countries operating nuclear plants, work began as long ago as 1996. In such instances the assessment and any remediation or replacement programme has now largely been carried out. This work has been quite a significant cost to the industry. The two nuclear operating utilities in the UK have spent in excess of US$50 million at their nuclear power plants plus further sums on company "essential" and "business critical" work. EDF reports spending US$100 million in equipment upgrades for its units. In the USA, PECO, operator of the Peach Bottom and Limerick plants, has been spending US$55 million over three years on its power plants, distribution system and offices. The Electricity Association, a trade body for the UK electricity industry, reports a spend "in excess of US$320 million on the production of system inventories that could be affected, impact analysis, prioritisation and implementation of corrective actions, and development of projects and contingency plans to address non-compliant systems".
In the run up to the date roll-over on 31 December 1999, a number of international initiatives have surfaced with the aim of the early sharing of information on the impact, if any, when the transition to 1 January 2000 occurs. Nuclear plants in Japan for example will experience the transition some 7 to 8 hours before Western Europe and 12 to 15 hours before the USA.
The extent to which the nuclear industry collaborates in providing early notification of problems, and indeed of zero problems, still remains to be seen. Language difficulties and short term local priorities at plants could militate against the ability of Asian plants to provide English language reports, as has been proposed, at anything other than a high level. However, a relevant question is how this information will be used in the later time zones. Subsequent to the roll-over a detailed analysis and sharing of information needs to be carried out. Where problems arise there is some potential that the same problem can recur on other key dates in 2000, e.g. 29 February.
In conclusion, in most countries Y2K projects have been in place for the last two to three years. As is the norm for safety in the nuclear industry, the onus of proof lies on the operator. In proving and establishing nuclear safety against Y2K very significant costs have been incurred. The operators have also been concerned to maintain plant availability and to protect business critical systems, and this has further added to the cost. Help is being made available through national and international organisations to those nuclear operators requesting it. As has been demonstrated throughout the ten years of WANO’s existence, the nuclear community is willing to share experiences in the common interest of nuclear safety. Even for the late starters there is still much of practical value that can be done to ensure plant safety and availability.
© copyright The Uranium Institute 1999 SYM979899