Would appreciate your thoughts regarding engineer Dick Mills' mathematical analysis of grid vulnerability during y2k rollover. He estimates 40% of power plants will have "bugs" of varying impact during and after rollover, based on Drake Equation and his "best guesses" of numbers of unremediated or improperly remediated chips. Mills' article is featured today in Westergaard's Year 2000 site and can be accessed at http://www.y2ktimebomb.com/PP/RC/dm9911.htm
Also note Mills' frustration, expressed in the final paragraphs of the article, regarding NERC's withholding of system studies of y2k which NERC assured Mills last June would be forthcoming: "So far, I've seen no such efforts in progress or proposed. It is yet another failure of the electric power industry to do everything possible to provide the public with real information about Y2K, not just public relations whitewash and self-congratulatory announcements of progress. That failure annoys me greatly. I just heard tonight that a major topic of discussion at the most recent NERC conference (which I did not attend) was the Red Cross' call for personal preparation, and whether that implied characterization of Y2K as a disaster. If the anecdote is true, then their attention is focused on their public image rather than your welfare and in my book that's highly unethical." Mills also states that although "many Y2K pundits have been softening thier [sic] predictions lately in the face of real status information coming in," Mills is "bucking the trend and sharpening [his] predictions at this particular time."
- Malthusienne
ARTICLE TEXT BEGINS
Guesses, Damn Guesses, and Educated Estimates
By Dick Mills March 19, 1999
Up to now in Power Prognosticaoins, I've avoided mathematics. This week is different. However, I promise nothing more than multiplication and division will be used. I further promise that you can skip ahead to the conclusion and summary and still get the points of the column without looking at the math.
The Drake Equation
The Drake Equation, Ns7fp7ne7fl7fi7fe7fl = N, is used in SETI research to estimate the number of worlds with intelligent life. Carl Sagan popularized the Drake Equation in his book and TV series, Cosmos. Ns is the number of stars, fp is the fraction of stars with planetary systems, and so on. Even though this method of estimation is nothing more than organized guessing, it is nevertheless useful. It allows people to apply what they do know to estimate things that are necessarily speculative. I'd like to try to make a kind of Drake equation for Y2K in electric power and see what conclusions it leads us to. Here goes.
Ng7Ne7fy7ff = Nb
Where:
Ng is the number of power plants, ~6000 in the lower 48 states of the USA.
Ne is the number of embedded systems and applications per plant. The range is 100 to 4000. In nuclear plants I've seen 1,200 and 2,400 reported. Newer plants and modernized plants use many more than old fashioned plants. Small hydro plants, which are very numerous, use fewer embedded systems. I'm going to use 750 as my guess for the median.
fy is the fraction of embedded systems that are vulnerable to Y2K. Various reports I've seen in the past year indicate 20%, 11%, 2% and 0.2% all based on supposedly reliable reports of actual testing. It's hard to know what to believe. I choose to use 2% and 10% as the low and high limits.
ff is the fraction of the vulnerable systems that will not fixed by 2000-01-01. This number includes things not fixed at all or fixed incorrectly. Here I'll use my favorite number inspired by Capers Jones, namely 15%. I've written about this number before. It represents the historical average number of bugs that fall through the cracks after the projects are 100% ready, after all assurances and after all testing.
Nb is the number of Y2K bugs remaining in all power plants on 2000-01-01.
13,500 < Nb < 67,500
That sounds very alarming. However, on a per plant basis, it sounds more manageable.
2.25 < Nb/Ng < 11.25
However, most bugs don�t result directly in anything so serious as a plant trip. They may cause only cosmetic problems, or cause loss of functionality that's not critical to power production. Let's define another factor:
ft is the fraction of residual bugs that may cause a plant trip. Estimating ft is difficult. It takes a lot of knowledge of how computers are applied in the plants and the ways in which they may fail. I'll estimate 0.05 for ft strictly based on my own experience with training simulators.
This gives us the expected number of tripping bugs per plant.
0.1 < ft7Nb/Ng < .56
Now we need a little probability theory. If I have a dart board divided into N equally sized areas and then randomly throw N darts at it, it is highly unlikely that all N fall into different squares. Probably, many squares will have several darts and many will have none at all. The same principle applies here. Some plants will have multiple tripping bugs yet they can only trip once. The effect is somewhat mitigating. I confess that my math is too rusty to write the equation for the probability effect (readers are welcome to mail it to me), but I'm pretty good at simulating such things. Here's a curve that expresses the effect that I calculated with a little simulation program.
Applying this curve to the result so far gives us Nt , the number of plants expected to trip on 2000-01-01. (A power plant tripping is like the engine of your car stalling. It can usually be restarted and used immediatly. See, Another Myth - We Must Fix all the Bugs To Have Power.)
1,200 < Nt < 4,000
(9%) < Nt < (43%)
That's very interesting, but how does it relate to the probability of a blackout? Well, if I had access to a full-scale power system simulator with data for the USA, I could calculate the S-curve for the country. Lacking that, we'll have to use the so-called back-of-an-envelope method.
A simplistic way to look at the chance of blackouts is to simply compare capacity to load and ignore all transients. If the capacity falls below the load demand, there's risk of overload and blackout.
On New Year's eve, most businesses are closed and we use only a fraction of peak power. In addition, if the power companies are smart, they'll have all available generators on line. That means that the generating capacity at midnight could be 3 to 4 times the actual load. Even in our worse case assumption, it would be hard to cause an overload on this basis alone. We could have more than half of the generators trip, yet still not overload the grid.
But the simplistic view is optimistic because it doesn't consider transient shocks. Like a child's tower of wooden blocks, the grid can topple by being bumped. The only rule-of-thumb I know is 20%. If a single generator contributing 20% or more of the connected capacity of a grid trips, the grid will probably collapse. The rule isn't very useful except for islands or very small grids where a single generator could amount to 20% of the total. In our large grids in the lower 48 states, the largest generator is 1% or less of the total connected capacity; not even close to 20%.
Would it be comparable to say that 20% of the plants tripping simultaneously would have the same effect as one giant plant tripping? Yes, but that's not the case in Y2K, the actual trip times of the 20% will be smeared over a period of minutes or hours. That's much less serious than if they all trip in the same second. A guess is necessary, and I'll make a guess of 4:1. It would take trips of 4000 Mw of capacity in small plants spread over an elapsed time of several minutes to have the same risk to the grid as the trip of a single 1000 Mw plant.
One more important factor: loads. In an earlier article, I discussed how customer loads are an essential part of the power delivery system and that the trip of a load is just as much of a shock to the grid as the trip of an equally big plant. I suspect that the Y2K readiness of large industrial customers is worse than for utilities, but to keep the discussion simple, let's assume that the statistics for customer loads are the same as for utility generators. Therefore, if every 1 Mw of shock to the grid caused by generators tripping, is matched by 1 Mw of shock due to loads tripping, the total shock is 1+1=2 Mw.
Anyhow, all these words come down to a single number, (20%)74/2 = 40%. If we expect 40% or more of the nation's power plants to have residual tripping Y2K bugs, then we should expect a large-scale blackout on New Year's Eve. 40% corresponds to Nb/Ng = 10.4 residual Y2K bugs per plant.
40% falls within my range of expectations (9%) < Nt < (43%), but near the upper extreme. That implies that a network collapse is possible, but unlikely
Conclusion
Regional or larger blackouts on 2000-01-01 are still a possibility even though the probability may be much less than 50%. Prudence dictates that we should prepare for the contingency regardless of what we believe will actually happen.
So what happens after midnight New Years Eve? I've written about the restart of the tripped plantsand of operating the failed portions manually. On the Monday morning, 2000-01-03 when peak power demand first returns, we'll really need all the power so the risk of upsets will peak once again. Then in the weeks and months to follow and in the summer months Y2K may cause additional problems. Perhaps I'll write Drake equations for those scenarios in future columns.
Summary
Make no mistake, the Drake equation and all my math is just organized guessing. There's guessing, damn guessing, and educated estimates. So don't put more significance on the result than it deserves. On the other hand, if other experts would like to propose different guesses, ask them to quantify their estimates for each of the factors in the equation. At least you'll then be comparing apples to apples.
There are numerous other factors and refinements that could be added to the simple model presented here. For example, factors for transmission and distribution. I think it's complicated enough. Adding more sophisticated factors requires more guesses and wouldn't necessarily make the end result more believable. One of the best principles of good engineering is KISS; (keep it simple stupid). I'll try to keep it that way.
The bad news is that the guessing is unnecessary. Given the right analytical tools and the right database, it is perfectly possible to calculate the expected values and ranges of most of these factors. I've personally created some of the tools myself, and worked for the consulting companies that do such analyses. Therefore I'm confident it could be done. I could do it myself. Last June NERC assured me that system studies of Y2K would be forthcoming. So far, I've seen no such efforts in progress or proposed. It is yet another failure of the electric power industry to do everything possible to provide the public with real information about Y2K, not just public relations whitewash and self-congratulatory announcements of progress. That failure annoys me greatly. I just heard tonight that a major topic of discussion at the most recent NERC conference (which I did not attend) was the Red Cross' call for personal preparation, and whether that implied characterization of Y2K as a disaster. If the anecdote is true, then their attention is focused on their public image rather than your welfare and in my book that's highly unethical.
Damn Fools
By the way, you may have noticed that many Y2K pundits have been softening thier predictions lately in the face of real status information coming in. Why then am I bucking the trend and sharpening my predictions at this particular time? I guess that proves that there are fools, damn fools, and Dick. I'm just a glutton for punishment.
ARTICLE TEXT ENDS
-- Anonymous, March 19, 1999
Malthusienne, I've always admired Mr. Mill's "graph and math" approach to the potential problems of Y2K with utilities. Glenn, I know many people agree with your assessment that Dick Mill's articles debunking some popular utility myths were on the "pollyanna" side of the fence, but personally I've never thought that was his approach. I believe he and Rick Cowles have always been closer together in their views than is generally realized. Nor has Mr. Mills refrained from previously pointing out industry problems.
For instance, it was Mr. Mills who wrote about the problems in the steady decline of U.S. generating capacity versus demand and what that means to the future price and availability of electricity, especially in the summer peak seasons. He has warned more than once that any Y2K disruptions may impact people in the summer of 2000, instead of just the beginning months.
While his articles have explained what will not cause a grid collapse, he has also explained what could cause one, and he has tried to estimate probabilities for various scenarios in as dispassionate a way as possible. If he finds in his research that he was in error about something he had previously cited, he has also admitted this and put the new data in his next piece. Yes, I think he is cautious and analytical by nature. Aren't most engineers? *grin* Jet jockeys have a prerequisite "derring do" in their natures (sometimes termed an "I'm God's gift to the world" confidence) but this is just part of what enables them to do the job they do. Looking at all sides of a problem and believing you can somehow come up with a solution is likewise part and parcel of the engineering mentality.
This recent article clearly shows the irritation Mr. Mill's is experiencing about the lack of good systems data which he had expected to surface. I also think that this is one of the first decent attempts to quantify things not done along with things not done correctly, or things missed altogether. Most of us are aware that testing after remediation is being given short shrift in the majority of businesses, assuming they get to it at all. When there is not plenty of time to test for errors, then fix and test some more, the quality of work done becomes a very important factor.
If cautious, analytical Mr. Mills states that: " Regional or larger blackouts on 2000-01-01 are still a possibility even though the probability may be much less than 50%. Prudence dictates that we should prepare for the contingency regardless of what we believe will actually happen," then I think anyone should heed the man's words and prepare. A fear monger Mr. Mills is not. If he says regional or larger outages (we're talking whole grids here) are still possible then by golly, that falls into the category of "You can take that to the bank" as they used to say!
Also notice that this prediction is focused only on mathematical probabilities regarding Y2K utility remediation and does not take into account telecommunication and fuel supply interconnections (trains, oil, gas) and vendor problems.
-- Anonymous, March 23, 1999