More info on Peach Bottom Nuclear Y2k problem

greenspun.com : LUSENET : Electric Utilities and Y2K : One Thread

The Washington Post did a follow-up story on the Peach Bottom (Pa.) nuclear facility Y2K problem noted earlier in this forum. There are more details in this account than in the initial reports. Again, the "official" report of the event should be out this week, and I'll try to obtain it when available.

http://www.washingtonpost.com/wp-srv/WPlate/1999-03/07/075l-030799-idx.html

-- Anonymous, March 07, 1999

Answers

Rick, the additional details were very good, thanks for the link. I am particularly interested in the part about the operators getting ready to shut down, and curious as to the regulatory basis of this (or are they just not prepared for an extended shutdown of their computer?). It would be good for all of us to get more information on this aspect, in addition to the testing/Y2K problems.

Plant monitoring computers are not typically safety related, although some individual plant monitoring systems are, but I am not familiar with Peach Bottom's system. However, there are a lot of regulatory requirements met via the plant monitoring computers, and when they are down, the operators have to jump through hoops with a loss-of-plant-computer procedure to monitor process variables by other indicators, perform various calculations including core parameters, etc. You just don't want them down for very long. Without knowing every plant in the country, I wouldn't rule out that there could be some plants that just don't have the means to fulfill all the Tech Spec surveillance requirements for very long (say over 6 hours) without getting the computer back up, but I wouldn't want this at my plant :)

The Post story did tend to overstate the criticality of this system though, at least for the dozen or so plants I am familiar with, because you aren't blind without the plant monitoring computer, just very inconvenienced. This makes sense for non-safety plant monitoring computer systems; if they are reactor safety critical, they would have to be designed as safety related and provided as truly redundant systems. That's why some post-accident monitoring systems (post-TMI) are separate monitoring systems designed to safety class (but typically send isolated signals to the non-safety plant monitoring system).

Plant monitoring computers have lots of custom software, RTC(s), and thus much Y2K bug potential. The bugs may be minor and not affect anything, or they could be major; only testing can tell for sure, and then only if done properly. I have stated many times that as far as embedded systems go, I haven't found or even heard of a Y2K bug that causes a failure of a system that could directly shut a nuclear plant down (or for that matter, a fossil unit, from the industry information I have read). But as we have touched on from time to time, I do think there is a bit higher potential for a Y2K bug that could affect plant operation due to regulatory issues. This is something you identified some time back as a potential issue and that I have agreed with you on; the plant monitoring computer is one of the places where this could happen.

Regards, FactFinder

-- Anonymous, March 08, 1999


I think the lesson to be learned is that false assumptions screw us up all the time in life. Most latter-day programmers assumed their programs would be replaced before the two-digit date became a problem. They weren't. The Peach Bottom tester assumed that rolling the clock on the back-up system would not affect the primary system. He reacted to a "no take" indication by rolling the clock again, now on the primary system. Boom ... systems down. False-assumption screw-ups are just one more thing we have to worry about, and they are the most intractable. You can't type-test those.

-- Anonymous, March 10, 1999
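FactFinder's point about custom software and RTCs, and the later post's point about the two-digit date, both come down to one defect pattern: date arithmetic done on a two-digit year that silently goes negative at the 99-to-00 rollover. The C below is an added illustration, not code from Peach Bottom, the Post article, or any poster; the timestamp layout, the surveillance-interval check and the sample dates are all constructed. It contrasts the unsafe two-digit-year calculation with a pivot-windowed version, and shows why a regulatory deadline check (such as a Tech Spec surveillance interval) is the kind of logic that fails quietly rather than loudly: a negative elapsed time reads as "not due yet". This sort of harness runs against a copy of the date logic on a bench, which is what lets the rollover be exercised without rolling a live system's clock.

```c
#include <stdio.h>
#include <stdbool.h>

/* Constructed RTC-style timestamp: two-digit year, as older firmware stored it. */
typedef struct {
    int yy;   /* 0..99 */
    int mon;  /* 1..12 */
    int day;  /* 1..31 */
} rtc_date;

/* Pivot windowing (assumption: pivot year 70 is a common choice, not a standard).
 * 70..99 -> 1970..1999, 00..69 -> 2000..2069. */
int expand_year(int yy)
{
    return (yy < 70) ? 2000 + yy : 1900 + yy;
}

/* Monotonic ordinal for ordering dates. It is NOT a true day count (every month
 * is treated as 31 days); it is only good enough to order dates and to show the
 * sign flip at the rollover, which is all this demonstration needs. */
static long ordinal(int year, int mon, int day)
{
    return (long)year * 372 + (long)(mon - 1) * 31 + day;
}

/* Y2K-unsafe: feeds the raw two-digit year into the arithmetic. */
long elapsed_days_naive(rtc_date last, rtc_date now)
{
    return ordinal(now.yy, now.mon, now.day) - ordinal(last.yy, last.mon, last.day);
}

/* Windowed: expands the year before doing any arithmetic. */
long elapsed_days_windowed(rtc_date last, rtc_date now)
{
    return ordinal(expand_year(now.yy), now.mon, now.day)
         - ordinal(expand_year(last.yy), last.mon, last.day);
}

/* Surveillance deadline check: overdue once more than interval_days have passed.
 * With the naive version a negative elapsed time never trips this, so a missed
 * surveillance after the rollover goes unreported. */
bool overdue_naive(rtc_date last, rtc_date now, int interval_days)
{
    return elapsed_days_naive(last, now) > interval_days;
}

bool overdue_windowed(rtc_date last, rtc_date now, int interval_days)
{
    return elapsed_days_windowed(last, now) > interval_days;
}

int main(void)
{
    /* Constructed sample: last surveillance 30 Dec 1999, check run 2 Jan 2000. */
    rtc_date last = { 99, 12, 30 };
    rtc_date now  = {  0,  1,  2 };

    printf("naive elapsed    = %ld days (overdue: %s)\n",
           elapsed_days_naive(last, now), overdue_naive(last, now, 2) ? "yes" : "no");
    printf("windowed elapsed = %ld days (overdue: %s)\n",
           elapsed_days_windowed(last, now), overdue_windowed(last, now, 2) ? "yes" : "no");
    return 0;
}
```

The naive path reports a large negative elapsed time and "not overdue"; the windowed path reports 3 days and "overdue". The useful takeaway for a reviewer is the direction of the failure: the unsafe code does not crash, it simply stops raising a deadline it should raise, which is exactly the regulatory exposure the thread is worried about.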
