NRC Audit of Brunswick - Information and a couple of questions.

This is from the NRC Audit of Brunswick Nuclear Plant. You can read the full report at:

http://www.nrc.gov/NRC/Y2K/Audit/Y2K50324.html#_1_1

"The licensee began the formal Brunswick Y2K readiness program in September 1997, developed the plant inventory by December 1997, and completed the initial assessment phase in March 1998, and is scheduled to complete the detailed assessment phase in December 1998. The licensee has established a tightly-controlled schedule in order to meet the June 1999 Y2K readiness date established by the program. (The one exception in meeting the readiness schedule is the installation and integrated system testing of the modified, Y2K compliant digital feedwater control system application in Brunswick Unit 1. The licensee plans to take a forced outage on Unit 1 sometime in the Fall of 1999 to accomplish this activity.)"

I personally get very nervous when I see any organization that has not completed their assessment phase yet. Also, according to this, the "digital feedwater control system" fix will not be able to be accomplished until after the NRC "readiness" date. Technically, this should mean the plant will be shut down. Will the NRC bend the rules to allow remediation AFTER their set date?

I was also very concerned about another part of the Audit:

"The licensee is accepting vendor certifications for embedded components including those in high priority mission critical systems without conducting additional confirmatory testing at the plant site."

This is a shortcut. In my opinion it's very risky to do this for any mission critical systems. Anyone else have concerns with accepting vendor certifications versus on-site testing?

Happy Thanksgiving all! I'm especially thankful today, that when I turn the light switch on, the electricity flows.

-- Anonymous, November 26, 1998

Answers

"The licensee is accepting vendor certifications..."

There have been quite a few studies that emphasize the necessity of not accepting vendor Y2k certifications for mission or process critical systems / components. These need to be tested independent of vendor certifications. Additionally, almost every "vendor certification" I've ever seen has a disclaimer similar to Allen Bradley's:

"Because of the variety of uses for the products described in this service, those responsible for the application and use of this control equipment must satisfy themselves that all necessary steps have been taken to assure that each application and use meets all performance and safety requirements, including any applicable laws, regulations, codes, and standards."

Over the next few days, I'll see if I can dig up some references to studies that emphatically support this view. If anyone else has such references at their fingertips, please post them!

-- Anonymous, November 26, 1998


I emphatically support that view.

I am in the process of writing two reports. One is an introduction to the embedded systems question that has caused so much confusion. It will hopefully explain the difference between embedded chips and embedded systems and their relation to the Y2K problem. The other is a table summarizing over 35 PLC manufacturers and my take on their Y2K readiness. I hope to post both here within the next week.

As a quick point regarding PLCs and other embedded systems and accepting the vendor's statement of Y2K compliance: bad idea. As Rick points out, almost all vendors have a statement indicating that they cannot warrant or be held responsible for 3rd-party additions, or in-house modifications to the systems. All PLCs are programmed in a special boolean control language called "Ladder Logic". Much of the code is developed by 3rd-parties, outside consultants and internal engineers. It is in this code that problems will arise. For example, almost all PLCs that support date and time operations have a YEAR register/field that only supports a two digit date (i.e. it rolls over to 00 in 2000). The vendors' compliance for this is to state "the customer must ensure that they code around the 2 digit limitation by using a user-defined 4 digit field, if they require such capability".

Great. So what they're telling us is this: "if you have a PLC that uses time/date you must be aware of that and repair it yourself."

--AJ

-- Anonymous, November 27, 1998
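
The two-digit YEAR register and the user-defined four-digit field described in the post above, written out as an added C example (not part of the thread and not any vendor's or plant's code). The clock model, the service-interval check, and every name in it are constructed for illustration; the test steps the clock across the rollover the way an on-site confirmatory test would.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: a PLC clock whose YEAR register holds only two digits. */
typedef struct { int yy; } plc_rtc;
static void rtc_tick_year(plc_rtc *c) { c->yy = (c->yy + 1) % 100; }

/* User logic written directly against the raw register (hypothetical check):
 * "service overdue" when more than `limit` years have passed. */
static bool overdue_naive(int now_yy, int last_yy, int limit) {
    return (now_yy - last_yy) > limit;
}

/* User-defined 4-digit year field, maintained by the user program itself.
 * Each scan adds the register's forward movement modulo 100, so a 99 -> 00
 * wrap counts as +1 year. Assumes less than 100 years pass between scans. */
typedef struct { int prev_yy; int year4; } year_tracker;
static void tracker_scan(year_tracker *t, int yy) {
    t->year4 += (yy - t->prev_yy + 100) % 100;
    t->prev_yy = yy;
}

/* On-site style rollover test: step the clock from 1997 through 2003 and
 * count the years in which the logic output disagrees with ground truth. */
int rollover_mismatches(bool use_fix) {
    const int last_service = 1996, limit = 2;
    plc_rtc rtc = { 97 };
    year_tracker t = { 97, 1997 };   /* seeded once with a known full year */
    int mismatches = 0;
    for (int true_year = 1997; true_year <= 2003; true_year++) {
        tracker_scan(&t, rtc.yy);
        bool expected = (true_year - last_service) > limit;
        bool got = use_fix
            ? (t.year4 - last_service) > limit
            : overdue_naive(rtc.yy, last_service % 100, limit);
        if (got != expected) mismatches++;
        rtc_tick_year(&rtc);
    }
    return mismatches;
}

int main(void) {
    printf("raw 2-digit register: %d wrong years\n", rollover_mismatches(false));
    printf("user 4-digit field:   %d wrong years\n", rollover_mismatches(true));
    return 0;
}
```

The raw-register logic fails silently: after the wrap the subtraction goes negative and the "overdue" condition simply stops asserting, which is the kind of fault a vendor statement about the hardware alone would not reveal.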


Bonnie,

This is a misinterpretation of the "NRC readiness date". What the NRC required in their Generic Letter 98-01, "Year 2000 Readiness of Computer Systems at Nuclear Power Plants" is that "... no later than July 1, 1999, submit a written response confirming that your facility is Y2K ready, or will be Y2K ready, by the year 2000 with regard to compliance with the terms and conditions of your license(s) and NRC regulations."

An acceptable alternative to being Y2K ready by 7/1/1999 is to provide a status report of work remaining to be done after that date to confirm that the plant will be Y2K ready by the year 2000. So the NRC does not need to "bend the rules" in the case of Brunswick's plans for remediating their digital feedwater control system.

-- Anonymous, November 30, 1998


Thank you very much, Tom, for the information about the NRC letter. If I'm understanding this correctly, then all a nuclear generating facility has to do to stay on line is submit their intent to fix by Jan. 1, 2000, regardless of whether those fixes will actually be accomplished successfully? Since you can't *know* whether a fix or replacement will proceed successfully until after it's done and tested, then WHERE IS THE SAFEGUARD in this written confirmation procedure? I am by no means questioning the validity of your answer. I believe you. I am just incredulous that a paper confirmation would be accepted as evidence of remediation for a nuclear facility! What am I missing here? Somebody please tell me that oversight of nuclear remediation isn't just a bureaucratic paper game. Please.

-- Anonymous, November 30, 1998

Tom, Bonnie, et al.;

I've had quite a few conversations with NRC personnel on the wording of this requirement. There is no question that they are requiring a certification, under oath and affirmation by a responsible corporate officer, that the plant is or will be Y2k ready. If the answer is "will be", then a full status, subject to continuous monitoring by the site NRC resident inspector (every nuclear plant has at least one), will be required to justify that the plant is complying. Prior to the date, any plant answering "will be" will have to supplement the original submittal with a statement that it is, in fact, Y2k ready.

Tom: Look at this as a JCO (justification for continued operation) - your licensing folks are going to have to write one heck of a JCO if they can't answer "ready" by July, 1999.

Bonnie: Again, every nuclear plant has a resident inspector onsite, and you can be assured that this will be one of their priorities (continuing onsite review) during 1999.

-- Anonymous, November 30, 1998



Thanks, Rick, for the prompt answer. My pulse rate is settling down now... *smile* From all the above, however, it now appears to me that we really won't know whether all the nuclear facilities will be online for the rollover until quite close to the end of 1999. With the dependency the East coast of the U.S. has upon nuclear power generation, by fall of next year there's going to be a lot of tense folks waiting to hear a "yea" or "nay" from the NRC.

Thanks again, too, to A.J. and Tom for their informative answers. I appreciate it! Best wishes to all.

-- Anonymous, November 30, 1998

