The “Year 2000” problem – a regulator’s perspective
1 January 1998
The UK’s NII is ensuring that its licensees have an adequate strategy in place.
The safety case for any nuclear installation has, necessarily, to consider the effects of system failure on overall plant risk, and thus any equipment failure induced by a date change (such as those at the millennium change or 29 February 2000 or 9 September 1999) can be expected to be bounded by existing fault sequences covering that equipment. Of particular note in this case, however, is the common cause failure aspect, with its potential to affect multiple systems simultaneously.
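The three dates named above each trip a different assumption in legacy date handling. The C routine below is an added illustration, not part of the original article nor any licensee’s code; it audits a calendar date against three constructed legacy behaviours (a two-digit-year record key, a leap-year rule lacking the 400-year exception, and the string “9999” used as a sentinel) and reports which failure modes the date would trigger.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Failure-mode flags returned by audit_date() (constructed classification). */
enum { FM_ROLLOVER = 1, FM_LEAP = 2, FM_SENTINEL = 4 };

/* Legacy leap-year rule found in pre-2000 code: applies the century exception
   but not the 400-year one, so it rejects 29 February 2000. */
static bool legacy_is_leap(int year) {
    return year % 4 == 0 && year % 100 != 0;
}

/* Correct Gregorian rule. */
static bool gregorian_is_leap(int year) {
    return year % 400 == 0 || (year % 4 == 0 && year % 100 != 0);
}

/* Legacy record key: two-digit year packed as YYMMDD, as used to order and
   age records. The year 2000 packs as 00MMDD and sorts before 1999. */
static int legacy_yymmdd(int year, int month, int day) {
    return (year % 100) * 10000 + month * 100 + day;
}

/* Audit a date against three legacy behaviours and return the modes it trips.
   (py, pm, pd) is the date of the preceding record, e.g. the last test. */
int audit_date(int year, int month, int day, int py, int pm, int pd) {
    int flags = 0;
    char buf[16];
    /* Rollover: later in reality but earlier to the legacy key, so an interval
       computed from the pair (age since last test, timeout) goes negative. */
    if (year > py && legacy_yymmdd(year, month, day) < legacy_yymmdd(py, pm, pd))
        flags |= FM_ROLLOVER;
    /* Leap day: a real 29 February that the legacy rule rejects as invalid. */
    if (month == 2 && day == 29 && gregorian_is_leap(year) && !legacy_is_leap(year))
        flags |= FM_LEAP;
    /* Sentinel: M/D/YY written without leading zeros collides with "9999",
       a value legacy systems used to mean "no date" or end-of-data. */
    snprintf(buf, sizeof buf, "%d%d%02d", month, day, year % 100);
    if (strcmp(buf, "9999") == 0)
        flags |= FM_SENTINEL;
    return flags;
}

int main(void) {
    printf("9 Sep 1999:  modes 0x%x\n", audit_date(1999, 9, 9, 1999, 9, 8));
    printf("1 Jan 2000:  modes 0x%x\n", audit_date(2000, 1, 1, 1999, 12, 31));
    printf("29 Feb 2000: modes 0x%x\n", audit_date(2000, 2, 29, 1999, 12, 31));
    return 0;
}
```

Each flag corresponds to one of the dates the article names, which is why a single date change can surface in several unrelated systems at once.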
Currently, most protection systems in the UK do not employ computer systems (even Sizewell B, Britain’s most advanced nuclear station, has a non-computer-based, secondary protection system), and simple PLCs, which contain embedded chips, often do not use date or time in their logic. It can thus be expected that nuclear installations will shut down safely. Nonetheless, the Nuclear Installations Inspectorate (NII) believes that the nuclear industry should adopt a cautious stance, and carry out careful reviews.
This need for caution is further reinforced by the fact that, even when a plant is shut down, challenges to safety can still arise from other computer-based systems experiencing common cause failures induced by the millennium end or any of the other problem date changes. Such simultaneous failures could place a burden on the installation’s staff. Information may need to be checked manually so as to avoid unsafe actions, and many computer-assisted operations may have to be performed manually, with a heightened potential, given the stressful situation, for human error.
The Inspectorate has ensured that all licensees are aware of the matter, and is now ensuring that each has an adequate strategy and action plan in place (recognising the immutability of the dates) to deal with the safety issues. The licensees need to identify all safety-critical systems on their sites which contain software (including those employing embedded software), plus any off-site systems which may have safety implications. This list of systems will need to be prioritised, based on safety significance and required plant outages (since their testing must be done under safe conditions), and then reviewed for potential date-related problems. Any date-related failure modes must next be established through inspection and test. Clearly, at this stage plant safety must be paramount, which means that these activities must be covered by appropriate safety submissions or risk assessments. Once identified, any problem systems need either to be modified or replaced, or to have safe ‘work-around’ strategies devised, and then re-tested. Consideration will also be given to emergency arrangements. In particular, the equipment involved in handling an emergency will need to be checked and contingency plans laid.
Despite having taken all the above precautions, licensees should consider the need for special, additional contingency arrangements to be in place at the key times. These may include, for example: enhanced staffing over the critical dates associated with the millennium change; avoiding, where possible, all invasive plant operations (e.g. on-line refuelling) at these times; and the securing of any safety-related external supplies and items.
The Inspectorate will be monitoring the implementation of the licensees’ action plans; reviewing any safety submissions arising from the investigations and subsequent modifications; and ensuring that the arrangements each licensee has in place at the key times are adequate.
Finally, the NII itself will have assured the adequacy of its own systems and arrangements for the millennium change and the other key dates.