
Consumer FAQ: Will Y2K cause nuclear plant meltdowns?

Written by ZDNET Editors, Contributor

A: Y2K is not a potential cause of problems that would lead to an uncontrolled nuclear reactor accident.

According to the Nuclear Regulatory Commission: "Safety-related instrumentation and control systems that perform safety function actuations do not present a Y2K issue because, in the vast majority of [nuclear power plants], these systems are analog hardwired and therefore do not rely on software that may be subject to the Y2K issue." In other words, the safety systems perform functions like measuring the temperature of the nuclear reactor core and, if it exceeds safe operating temperatures, an analog switch, like the one in a home thermostat, activates the motors that retract the fuel rods to end the reaction.

The NRC goes on, "In those few cases in which such systems are computer-based, the software does not have date-driven functions that may be affected by the Y2K issue. However, there remains some risk that plants could still be subject to a Y2K-induced event that has an effect on facility operations. Examples of such internal facility risks at [nuclear power plants] are computer-based control systems for feedwater control, turbine control, and generator voltage regulator control; plant process computer; control rod position information system; security computer system; and area radiation monitoring systems. Contingency plans should identify failure modes and mitigation strategies for such risks." The message is that, if the nuclear plant staff are aware of the problem -- and they are -- they can be prepared to override any systems that may have Y2K problems.

The Nuclear Energy Agency, a Paris-based agency of the Organization for Economic Co-operation and Development, has issued statements that nuclear plant safety should not be a cause of public concern, because the industry is aware of Y2K and preparing to deal with its impact on plant operation.

"I don't see the millennium bug being any different than a normal day for nuclear power plants, from what we've seen so far," said Barry Kaufer, of the Nuclear Energy Agency.

Engineering reliability

While it is easy for someone new to nuclear power plant management issues to envision problems that may occur, the professional nuclear power plant engineer makes a practice of reviewing those potential problems at every step of their work. The industry has been aware of Y2K for several years and problems have been ferreted out by individual engineers across the globe.

Despite the debate about how much testing has been done as part of formal Y2K programs, the real issue is how the nuclear plant has been engineered to minimize all types of risk, not just date-related problems. "The best system performance is effected when malfunctions are eliminated," according to the Standard Handbook For Electrical Engineers. "Reliability is the interface between quality assurance and safety. Reliability can neither be tested nor legislated into equipment; it must be built in."

The point is not that the nuclear industry enjoys the protection of bullet-proof safety systems - no system is completely bullet-proof - but that the people operating the plants are engaged in building safety into their procedures and daily practices. Repeated assurances from regulators that the industry's engineers are assisted by equipment that does not rely on date-dependent computers are an indication that the scope of potential problems with Y2K is no greater than that of ordinary operation.

The safety mechanism

Nuclear plants are steam-powered engines. The heat of the reactor must be controlled to prevent both steam explosions that would rupture the nuclear container (as happened at Chernobyl) and an uncontrolled nuclear reaction (the "China Syndrome").

Fuel rods are inserted into a water-filled chamber. A low-level nuclear reaction begins as the radioactive material in each rod interacts with the material in the neighbouring rods, creating heat. By withdrawing or inserting the rods, the reaction can be reduced or increased.

Emergency situations are handled by fast insertion of control rods that interfere with the nuclear reaction. Think of it like Superman and kryptonite - lead would interfere with the kryptonite's ability to sap Superman of strength. The control rods interfere with the nuclear reaction, erecting a barrier that prevents the radioactive material from interacting. According to the Standard Handbook For Electrical Engineers, this system is "provided for control drives mounted on top of the reactor by a delatching capability with the rods free-falling into the reactor core." If gravity continues to work as it has, this system will work. This would prevent a nuclear accident.

Temperature sensors used to control the nuclear reaction and the cooling fluid are redundant, usually providing at least two different monitoring and control mechanisms. "In order to avoid spurious action," the Standard Handbook For Electrical Engineers says, "that is, initiation of a protection when none is required, it is usually the practice to provide a logic arrangement and initiate action only where there is a coincidence of two or more channels. Conventional protection systems have used a logic arrangement involving three or four channels and requiring the coincidence of two of three or three of four in order to initiate action."

All nuclear systems are designed to avoid "common-mode failures," single points of failure that can cause events to spin out of control. Y2K has been presented as the ultimate common-mode failure, but the use of analog measurement devices and controls alongside digital ones decreases the exposure to Y2K-related errors.
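The two-of-three coincidence logic the handbook describes, and the point about diverse analog and digital channels limiting a common-mode failure, as an added example written for this page (it is not code from the article, the NRC, or any plant vendor). The set point, channel names, the "reads 40 degrees high" drift and the shared "date fault" are constructed assumptions; a failed channel is modelled pessimistically as voting "no trip" to show that voting still tolerates it.

```python
"""m-out-of-n coincidence voting with diverse channels (constructed example)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

TRIP_SETPOINT_C = 350.0  # constructed set point, not a real plant value


@dataclass
class Channel:
    """One measurement channel feeding the protection logic."""
    name: str
    kind: str                          # "analog" or "digital" (diversity marker)
    sense: Callable[[float], float]    # maps the true temperature to the reported value
    healthy: bool = True               # pessimistic model: a failed channel votes "no trip"

    def trips(self, true_temp: float) -> bool:
        if not self.healthy:
            return False
        return self.sense(true_temp) >= TRIP_SETPOINT_C


def coincidence(trips: List[bool], required: int) -> bool:
    """Initiate protective action only when at least `required` channels agree."""
    return sum(1 for t in trips if t) >= required


def protection_action(channels: List[Channel], true_temp: float, required: int = 2) -> bool:
    """Poll every channel and apply m-out-of-n voting (default 2-of-3)."""
    return coincidence([c.trips(true_temp) for c in channels], required)


def exact(t: float) -> float:
    return t


def reads_high(t: float) -> float:
    return t + 40.0  # constructed drift: this channel over-reports by 40 degrees


def single_channel_spurious() -> bool:
    """Without voting, one drifting channel alone would cause a spurious trip."""
    return Channel("A1", "analog", reads_high).trips(320.0)


def spurious_channel_is_outvoted() -> bool:
    """Normal temperature, one drifting channel: 1 of 3 trips, so no action."""
    channels = [Channel("A1", "analog", reads_high),
                Channel("A2", "analog", exact),
                Channel("A3", "analog", exact)]
    return protection_action(channels, true_temp=320.0)


def failed_channel_does_not_block() -> bool:
    """Real over-temperature with one dead channel: the other two still trip."""
    channels = [Channel("A1", "analog", exact, healthy=False),
                Channel("A2", "analog", exact),
                Channel("A3", "analog", exact)]
    return protection_action(channels, true_temp=370.0)


def apply_date_fault(channels: List[Channel]) -> List[Channel]:
    """Constructed common-mode fault: every digital channel fails at once."""
    for c in channels:
        if c.kind == "digital":
            c.healthy = False
    return channels


def common_mode_vs_diverse() -> Tuple[bool, bool]:
    """Same over-temperature, same shared digital fault, two channel mixes.
    Returns (all-digital result, diverse result)."""
    all_digital = apply_date_fault([Channel("D1", "digital", exact),
                                    Channel("D2", "digital", exact),
                                    Channel("D3", "digital", exact)])
    diverse = apply_date_fault([Channel("A1", "analog", exact),
                                Channel("A2", "analog", exact),
                                Channel("D1", "digital", exact)])
    temp = 370.0
    return (protection_action(all_digital, temp), protection_action(diverse, temp))


if __name__ == "__main__":
    print("single drifting channel trips alone:", single_channel_spurious())
    print("2-of-3 outvotes the drifting channel:", spurious_channel_is_outvoted())
    print("2-of-3 trips despite a dead channel:", failed_channel_does_not_block())
    print("(all-digital, diverse) under shared fault:", common_mode_vs_diverse())
```

Run it and the last line shows the common-mode point: three identical digital channels that share one fault all drop out together and the vote never reaches two, while two analog channels beside one digital channel still reach the two-of-three threshold. The voting function is the general m-of-n form, so the handbook's three-of-four arrangement is `coincidence(trips, 3)` over four channels.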

So, in looking at the nuclear safety issue, keep in mind that none of these plants are controlled by one or two computers working in isolation. Digital controls have been added alongside analog controls, not put in their place. Consequently, Y2K is not a significant threat to nuclear plant safety.
