The Co-Intelligence Institute // CII home // Y2K home

Y2K, Nuclear Weapons and Nuclear Power

See also
Y2K bug could cause problems at U.S. nuclear power,
Making the World Safer for the Millenium (about de-alerting nuclear weapons)
Report from the Nuclear Y2K Symposium March 1999 by Mark Frautschi
Y2K Toxics/Nukes
Safe or Sorry: The "Y2K Problem" and Nuclear Weapons, by Michael Kraig, Bulletin of the Atomic Scientists, March/April, 1999

'From THE NATION magazine
March 15, 1999

T H E - N I G H T M A R E - S C E N A R I O

What if the World's Y2K Nuclear Computer Problems Aren't Fixed in Time?

(Background and related information follow the article.)


Y2K is coming, ready or not. Right now, mostly not. And despite
desperate efforts to correct the monumentally shortsighted failure to
program the world's computers and computer chips with complete date codes,
some disruption is now inevitable when the clocks tick over at midnight at
the end of the year.

Most worrisome, because of their vast potential for destruction, are
the world's nuclear weapons arsenals and nuclear power plants. For if the
network of interconnected systems collapses and cascades into systemic
infrastructure failures, power and communications could be lost worldwide.
Restoration may be delayed or even impossible in a world where everything
else has snapped to a halt. In the chaos and confusion that would follow no
one knows what would happen to nuclear bombs and nuclear reactors. In the
truly worst-case scenario, accidental nuclear war and/or reactor meltdowns
could release enough deadly radioactivity to return the planet to the insects.

Probably nothing will happen immediately. All the world's 36,000
nuclear weapons could simply cease to function as the Y2K wave rolls over
them. But a newly released report from the respected and independently
funded British American Security Information Council (BASIC) warns of the
possibility of accidental or mistaken launch of nuclear weapons. The authors
acknowledge that this is highly improbable. Most nuclear launch systems
require manual activation. But given the existing hairtrigger,
launch-on-warning systems on which so many nuclear weapons are still
balanced, such a launch, however implausible, could take place within ninety
seconds of computer failure in the warning systems. If all military warning,
tracking and interception systems were down, bombs could be hitting targets
within minutes. The US military is aware of the danger and is working
desperately to establish cooperative procedures with Russia, China and other
nuclear powers to avert what Deputy Defense Secretary John Hamre has called
"the nightmare condition."

The greatest danger comes from Russian and Chinese missiles.
Currently, at least thirteen Chinese nuclear missiles are thought to be
capable of reaching the West Coast of the United States. Until Clinton's
visit to China last June, some of the Chinese missiles were reportedly
targeted on US cities. As a result of recent understandings, both nations
have agreed to de-target their nuclear missiles. But such an agreement is
currently unverified and provides flimsy protection, since missiles can be
retargeted in ten seconds. As the Y2K digital tsunami moves west from the
international date line in the Pacific, China and Russia will become the
first nuclear nations to face possible computer failures--almost half a day
earlier than the United States. All contact and communications could be lost
or disrupted. Launch-site commanders could be left literally in the dark,
trying to read the meaning of silence.

On a recent visit to Russia, Defense Secretary William Cohen offered
to share early-warning information and exchange up to eighty observers, who
would be stationed at the Russian and US launch and communications centers
during Y2K. Russian Defense Minister Igor Sergeyev rejected the proposal
with a bland assurance that "there is no such danger [for nuclear weapons]
since in the Strategic Missile Forces we use special technologies."

However, according to a number of Russian scientists currently
working in the United States, the financially starved Russian military and
its dilapidated computer systems are even more prone to Y2K failure than
those in the United States. The BASIC report quotes Sergei Fradkov, a former
Soviet satellite control technician now working for a Wall Street software
developer, who says, "Russia is extremely vulnerable to the Year 2000
problem.... If the date shifts to 0 for a brief moment...that fools the
system into thinking there is a high probability of an attack in progress."

Russia's nuclear command and control system is linked in what, until
recently, was a top-secret program called Perimeter. Although exact details
are still not known, Perimeter is reminiscent of the "Doomsday Device" in
the sixties black-comedy film Dr. Strangelove, which triggered an automatic
massive Soviet retaliation. The US government did not even know of the
existence of Perimeter until it was first reported in the New York Times on
October 8, 1993. At the time, former Director of Central Intelligence Robert
Gates said such a system was "unlikely." However, Jane's Intelligence
Review, the world's most authoritative weapons journal, has since confirmed
the existence of Perimeter and revealed more details. According to Jane's,
if Moscow were to be attacked, or even if there was "interruption of command
links to key Soviet leadership," Perimeter would automatically trigger a
low-frequency radio signal that would launch a communications missile that
would, in turn, transmit to all launch complexes the codes that would launch
thousands of Russia's nuclear weapons. The present status of Perimeter is

Like China, Russia has de-targeted its nuclear missiles. But they
can be back on target in ten seconds. Whether this could happen as the
result of an automatic or accidental computer default is not known. Sites in
the United States, of course, would be programmed into the Russian and
Chinese computers as primary targets. No doubt also programmed into Russian
computers would be target options for sites in China, France, Germany,
Britain and all the NATO countries. Already NATO nations have begun
cooperative nuclear security arrangements with Russia. The dangers may not
be limited just to the Northern Hemisphere. Probably both Russia and China
have computer programs to target the United States' biggest offshore
communications system: the Pine Gap satellite spy base in the middle of the
Australian desert.

British Minister of State for Defense Procurement Lord Gilbert says
that his government is "not complacent" about the possible impact of Y2K on
nuclear weapons aboard British submarines. "We have been in close contact
with the US and France over this issue. The year 2000 [problem] has also
been raised with Russia and China," Gilbert said. "I can assure you that our
procedures for control of our nuclear deterrent are robust enough to
preclude any possibility of an accidental launch of a Trident missile
through equipment malfunction." According to a BASIC research report,
Britain has become the first nuclear power to begin de-alerting its nuclear
missiles from the cold war hairtrigger. The time it takes to fire missiles
on British nuclear submarines has been moved from "a few minutes" to
"several days." According to BASIC this could serve as a precedent and "have
important implications for all nuclear forces globally."

The US military faces a daunting challenge, for it is dealing with
the largest interconnected computer network in the world, with 1.5 million
computers and 28,000 automated systems. It utilizes more than seventy
different computer languages, some of them so obscure there is no one alive
who can even read them. And all military systems are riddled with embedded
computer chips. These chips are an especially vexing Y2K problem, perhaps an
even greater challenge than the computers themselves. Tens of billions of
chips are built into everything from toasters and video players to bombs and
missiles, some programmed to shut down if they misread the date. There are
probably more embedded chips in the US military system than in any other
system in the world.

The military continues to offer reassurances that the Y2K problem
can be handled. Capt. Allan Toole, who now heads the Pentagon's Y2K Special
Weapons Agency, says, "I have a good feeling about Y2K in this agency." A
good feeling may not be enough. A more reflective response came from Deputy
Defense Secretary Hamre, who admitted last October, "Probably one out of
five days I wake up in a cold sweat thinking [Y2K] is much bigger than we
think, and then the other four days I think maybe we really are on top of
it. Everything is so interconnected, it's very hard to know with any
precision that we've got it fixed."

Last March the London Sunday Times quoted John Koskinen, head of the
White House Y2K conversion council, saying there was concern "if the data
doesn't function and [the missiles] actually go off." However, he added,
"it's more likely that they won't function." Koskinen now says that since US
missiles are launched by humans, they could not be fired accidentally.

Diane Shields, vice president of CACI, a government contractor
testing nuclear bomb launch systems in US submarines for Y2K problems, told
a group of computer experts last year that the systems would fail in their
present condition. Hamre warns that the military's concern is not that their
computer screens will all go blank on 2000. "That's kind of good news," he
said, "because then we'll know we have a problem. Our bigger fear is going
to be that the system seems to work fine, but the data is unreliable. That's
a far worse problem." Hamre has observed that "the Year 2000 problem is the
electronic equivalent of El Niño."

John Pike of the independent, nonprofit Federation of American
Scientists warns, "The fundamental problem is that we don't know what could
happen.... There's a real risk though that we could see the sort of
computer malfunctions that we've seen in previous years, where the command
and control systems erroneously report that an attack is in progress [and]
erroneously direct missiles to shoot at the wrong target." Pike continues,
"There is a small, finite risk that this could lead to an accidental nuclear

Pike says the US military is already starting to classify
information to cover up the vulnerability of nuclear weapons to Y2K
disruption. According to a Congressional staff member quoted in the BASIC
report, "These decisions constitute a concerted effort to censor information
on Y2K progress. If there's anything bad, the immediate response is to cover
it up, rather than taking care of the problem."

In the introduction to the BASIC report, former US disarmament
negotiator Paul Warnke concludes: "The only prudent course may be to
de-alert or even de-activate those nuclear missile systems where date-related
malfunctioning in associated command, control, and communications systems
poses even a remote possibility of accidental launch." The BASIC report has
formally called for nuclear bombs and missiles to be de-targeted, taken off
alert, de-coupled from their launch vehicles and brought under independent
international verification.

Verification will be the real challenge. The prospects are not
encouraging for achieving the unprecedented level of multinational
cooperation and voluntary transparency that will be required to secure all
the world's nuclear bombs in the next ten months. Belatedly, the United
States and Russia have opened talks. On a recent visit to Moscow a top-level
Pentagon team discussed establishing a joint missile-warning center to
prevent accidental launch of nuclear missiles during Y2K disruptions.

Nor do we know what will happen when Y2K strikes the 432 nuclear
reactors around the planet. A growing number of experts are concerned that
at least some of them will fail, causing a shutdown or, in the worst case,
even a meltdown. When the giant three-reactor Oskarshamn utility in Sweden
was tested last year, it automatically shut down as soon as the clock
reached 2000.

In an open letter to President Clinton and the Nuclear Regulatory
Commission (NRC), Leon Kappelman, professor of computer science at the
University of North Texas and co-chair of the Society for Information
Management Year 2000 Working Group, warned that reactors could be a threat
to public safety during Y2K.

Kappelman wrote, "Although the NRC publicly acknowledges
century-date-related computer-processing risks that are profoundly
threatening to human lives and the environment, they refuse to require or
take any action." When pressed on the issue the NRC admitted, "In a worst
case scenario...a plant trip could result in a loss of off-site power and
subsequent complications in tracking post-shut-down plant status and
recovery due to loss of emergency data collection and communications." This
has never happened, and it is not clear how serious it could become.

An audit of the Seabrook reactor in New Hampshire released by the
NRC this past November found that in this single power plant 1,304 separate
software items and embedded chips would be affected by the Y2K bug. Twelve
were described as having "safety implications." Another thirteen could cause
the reactor to trip off. Of the more than seventy reactor sites under the
authority of the NRC, only twelve audits were planned. Nine of these audits
have been completed and published. Contingency planning has just begun.

Emergency petitions presented by the Washington, DC-based Nuclear
Information Resource Service (NIRS) this past December called on the NRC to
close by December 1999 any reactor that cannot be proved Y2K-compliant by
full testing. In the second petition NIRS calls for additional backup power
units to insure a steady and continuing supply of power to the reactors and
cooling facilities. The third NIRS emergency petition calls for full-scale
emergency response exercises during 1999 to prepare for possible problems.
NIRS executive director Michael Mariotte warned, "The unpredictability of
how systems may respond to Y2K bugs, questions of the reliability of
off-site emergency responders, including telecommunications, fire, police
and other officials, all beg for additional training and practice."

Most of the world's reactors have large diesel backup systems for
emergency power; even if the reactors have been turned off, permanent
cooling must be maintained over the reactor cores to avoid meltdowns.
Diesels are not ideal backup systems for Y2K problems. Many have embedded
computer chips that may fail during the clickover. And if the loss of normal
power and support services is prolonged, the supply of diesel fuel could run
out. Resupply may be impossible in a world paralyzed by Y2K. Paul Gunter,
director of the NIRS Reactor Watchdog Project, reported to the NRC that
existing backup systems "frequently don't work and are subject to multitudes
of problems." Gunter warned, "This is just the tip of the iceberg, our
investigation of these generators is continuing and we are finding they are
even less reliable than we had believed."

We do know all too well what would happen if normal or emergency
power were lost to the high-level atomic waste fuel pools in which
irradiated fuel rods from the reactor cores are kept cool. If Y2K brings
down the national power grid for even a few days and the cooling systems
stop working, the water will boil off and lethal radioactivity will be
released. Although most pools are located onsite, near the reactors, many
are not even connected to the emergency power systems. Mary Olson, the NIRS
radioactive waste specialist, notes, "The NRC currently does not even
require that these fuel pools have backup power." Evidently, the NRC has
always assumed that in the event of a loss of power there would be plenty of
time either to get the power back up or bring in additional emergency power
systems before the danger point is reached. Some reactors even have plans to
use firehoses in a cooling pool emergency. But with Y2K, even the pumps on
the firehoses might not work.

And if Y2K brings down the nation's electric power grid, it could
take weeks or longer to restore power. According to Olson, the recently
loaded rods--those loaded in the past two years--could begin to melt down
within forty-eight hours of power loss.

Recent statements from the US power industry claiming that the risk
of a power grid failure is "not as serious" as first feared and "can be
fixed in time" have been viewed with skepticism by critics. In a nationwide
questionnaire this past September by the North American Electric Reliability
Council (NERC) to determine the state of nationwide Y2K preparedness, 25
percent of the more than 200 bulk-power utilities did not even bother to
respond. Since all the utilities are interconnected in the major power
grids, a computer failure anywhere can "cascade" into failure everywhere.
Thus, with a quarter of the utilities not reporting back, there can be no
assurance that the grid will not collapse.

Russian reactors present an even more alarming problem, given that
nation's economic crisis. Unpaid workers at some nuclear reactors have
actually gone on strike. Neighboring European nations are terrified at the
possibility that Y2K could precipitate more Chernobyls. Finland, which
shares a border with Russia, has offered to help the Russians check out
their reactor computer systems and to help close down and secure any
reactors that are not Y2K compliant. This past November, the Times of London
quoted intelligence sources saying they feared a possible nuclear meltdown
in the former Soviet-bloc nations. These sources believed at least some of
the sixty-five Soviet-made nuclear plants could malfunction during Y2K.
"Russia's nuclear industry is in desperate straits. Throw in Y2K and you
could have a giant Chernobyl on your hands," said one source quoted in the
Times article.

In the United States the NRC warned early last year that any
reactors not confirmed to be Y2K compliant will be ordered to close down
before the end of the year. Rick Cowles, former manager of the Y2K program
for Digital Equipment Corporation, predicts that most US reactors will have
to be shut down before the millennium.

Cowles, author of the book Electric Utilities and Y2K and arguably
the world's leading authority on the subject, has become increasingly gloomy
about the prospects of a serious power loss. When asked recently what could
be done to keep the electric power systems going, Cowles responded, "The
truth is, I don't have any good advice." Michael Harden, author of
Millennium Minefields: Embedded Systems and the Year 2000 Problem, predicts
that all nuclear plants will have to shut down, at least briefly, on New
Year's Day.

There are solutions to all these nuclear problems. But there is not
much time, and the nuclear industry and nuclear militaries have been slow to
react to the challenge. In the latest Congressional gradings of Y2K
compliance in government departments, the NRC got a C-, with only 69 percent
of its computers expected to be compliant by March. The Defense Department
got a D-, with only 59 percent. And the Energy Department got an F, with
only 55 percent. They are so far behind there is no way they will be ready
and tested by January 1. Representative Stephen Horn, chairman of the House
Subcommittee on Government Management, Information and Technology, which
grades the departments, says the Energy Department's status is a source of
"deep anxiety." He complained, "Who wants an 'F' student managing nuclear

At a December 1998 Y2K conference sponsored by the World Future
Society in Washington, DC, Dr. Harrison Fox, an adviser to Representative
Horn's subcommittee, expressed "great concern" about state of Y2K compliance
at the Pentagon, citing nuclear weapons management as the most critical
problem. Two weeks later, stung by mounting criticism, the Pentagon
announced that it had suddenly achieved 81 percent Y2K "readiness" and will
be Y2K "ready" by 2000. Deputy Defense Secretary Hamre announced on December
31 that minor glitches are still likely to crop up on January 1, 2000, but
he said, "I think it's going to clearly be in a category of nuisance.... I'm
very confident we won't have major problems." However, he acknowledged "some
nervousness" in Washington about potential computer problems in Russia.
"They don't seem to have the same level of urgency that we have had over
it," he warned. The Pentagon report will be studied closely--and if past
reports are any guide, skeptically--by the General Accounting Office in its
scheduled March 1999 survey.

As for concern over reactors, the NRC has published the NIRS
petitions in the Federal Register for public comment. The commission says,
however, that at this point it will not support the petitions because it is
not convinced it needs to "mandate" that utilities insure that their
emergency diesel generators are operable and have sufficient fuel onsite.
And in apparent reevaluation of its own earlier rulings, the NRC saw "no
reason to mandate that non-Y2K-compliant reactors should be shut down by
December." This too will be studied closely by the GAO in March.

In Russia some experts now say that even if their nuclear reactors
are discovered to be prone to Y2K disruptions, they cannot be turned off
because hundreds of thousands of people might freeze in the depths of
winter. Russia is belatedly moving to deal with the weapons danger. This
month Aleksandr Krupnov, chairman of the State Communications Committee,
announced that Russia will need $3 billion to fix the Y2K problem and
appealed to the United States and other NATO nations for advice and money to
help make Russia's nuclear launch system safe for the year 2000. In the
present condition, Krupnov says, "Who knows if the country will be ready? I
can't give any guarantees."

Of course, if the Y2K danger prods the world into a cooperative
effort to defuse the bombs, it could reinvigorate the cause of world nuclear
disarmament and boost awareness of the need for safe, sustainable energy
sources. Y2K and potential nuclear problems will be discussed March 8 at a
daylong seminar given by BASIC and NIRS for Congress, NGOs and academics.
Meanwhile, the perils of Y2K in the nuclear age give new urgency to the
warning offered nearly twenty years ago by Arthur C. Clarke: "War may no
longer begin just in the minds of men, it could begin in the circuits of
Kevin Sanders, a former CNN science editor, is currently director of
special projects at the New York City-based War & Peace Foundation. In 1996
he wrote, produced and presented Judgment in The Hague, a documentary report
on the World Court hearings on the legality of nuclear weapons.

Background and Related Information

British American Security Information Council (BASIC)

BASIC's site offers links to press releases, policy papers, primary source
documents, two sites on the Y2K nuclear problem in the US and the latest
studies of the US Nuclear Arsenal, among others.

Nuclear Information & Resource Service (NIRS)

The homepage of NIRS, the "information and network center for citizens and
environmental organizations concerned about nuclear power, radiation waste,
radiation and sustainable energy issues," offers links to news and alerts,
actions and events, chat groups, "background on the issues" and the NIRS
online store.

Federation of American Scientists

The homepage of FAS, an organization "engaged in analysis and advocacy on
science, technology and public policy for global security," has links to
info on arms-sales monitoring, the Cooperative Research Program on Nuclear
Non-Proliferation and Disarmament (CK) and a list of other nuclear resources
on the Web.

The Subcommittee on Government Management (CK), Information and Technology

The committee's homepage offers links to its "Report on the Y2K Problem" and
related news stories, including Congressional gradings of governmental
agencies' Y2K preparedness.
Send your letter to the editor to

Copyright ©1999 The Nation Company, L.P. All rights reserved. Unauthorized
redistribution is prohibited.

If you liked what you just read, you can subscribe to The Nation by calling
1-800-333-8536 or by following this link. The Nation encourages activists
and friends of the magazine to share our articles with others. However, it
is mandatory that academic institutions, publications and for-profit
institutions seeking to reprint material for redistribution contact us for
complete guidelines.

Please attach this notice in its entirety when copying or redistributing
material from The Nation. For further information regarding reprinting and
syndication, please call The Nation at (212) 209-5426 or e-mail

See also "Making the World Safer for the Millenium" by the Alliance for Nuclear Accountability, strategies for de-alerting nuclear weapons to prevent accident nuclear attacks from Y2K.

Y2K bug could cause problems at U.S. nuclear power

Tuesday March 9, 5:53 AM
By Michael Kahn

WASHINGTON, March 8 - The U.S. nuclear power industry is ill-prepared
for the year 2000 computer bug, which could disrupt the delivery of
electricity needed to cool reactors and avoid meltdowns, experts warned
on Monday.

The warning came amid concern that the nuclear sector may not be as far
along as other U.S. industries in preparing its computerized operations
for the turn of the century.

U.S. Rep. Edward Markey said the Nuclear Regulatory Commission needed to
be more aggressive in dealing with the computer problem's potential
effect on the nation's electricity grid and its nuclear power-plant

"The NRC needs to ensure that reliable backup power sources will be
available for all of the reactors that are operating when the millennium
arrives," the Massachusetts Democrat told a Congressional symposium on
Y2K nuclear threats.

The millennium problem arises because many older computers record dates
using only the last two digits of the year. If left uncorrected, such
systems could treat the year 2000 as the year 1900, generating errors or
system crashes next Jan. 1.

Normally, reactors are connected to the larger electrical grid, which
brings in the necessary power for cooling. The NRC requires every
reactor to have on site at least two diesel-powered generators to
provide emergency power in case of failure.

But some experts at the symposium questioned the reliability of the
backup generators in the face of Y2K-induced power shortages.
"It is imperative that this issue is addressed at this very critical
time frame," Paul Gunter, director of the Nuclear Information and
Resource Service's Reactor Watchdog Project, told reporters at a news

He added the NRC should be more stringent in setting Y2K standards,
especially in light of a November audit of the Seabrook, New Hampshire,
reactor, which found 12 safety-related systems affected by the Y2K bug.
"They have to draw a line of nuclear safety and shut down any plant that
crosses the line," Gunter said.

However, Steven Unglesbee, a spokesman for the Nuclear Energy Institute,
said nuclear power plants have been working with the NRC on a standard
industry approach to potential Y2K problems for the past three years.
Plants have multiple safety systems, in addition to the diesel
generators, and reactor controls respond to conditions within the
reactor itself that have nothing to do with the computer, Unglesbee

"We're confident that the power plants will enter the next century
generating electricity at the same safe levels they do today," he said.
"When the clock strikes midnight, they will be as safe as they are now."
Western analysts have been more concerned about Russia's nuclear plants,
which have lagged behind the United States in Y2K preparations.

Last week, an independent Ukraine power expert said that all five of the
Ukraine's aging nuclear power plants could be paralyzed when the clock
ticks into the next century.

The world's worst nuclear accident occurred in 1986 when Ukraine's
Chernobyl nuclear power plant exploded, spewing a cloud of radioactive
dust over Russia and parts of Western Europe.

"On Feb. 8, 1999, PECO Energy was testing software systems for Year 2000
readiness at Peach Bottom Atomic Power Station in York County, PA. A
technician performing the test inadvertently made an error that impacted the
plant monitoring systems. Plant operating procedures required the incident
to be reported to the Nuclear Regulatory Commission (NRC). The incident did
not cause any operating failures, nor did it compromise plant safety. One of
the systems affected was the Safety Parameter Display System ( SPDS ). SPDS
is an information system that collects and displays plant operational
information from various plant instruments. The lockup of SPDS for more than
a short period of time requires an NRC notification. The cause of the lockup
has been determined to be due to a technician not following the modification
acceptance testing procedures. The failure was not caused by a Year 2000
bug. Y2K testing continues at Peach Bottom with full anticipation of meeting
PECO Energy's scheduled completion dates for Y2K readiness."

Report from the Nuclear Y2K Symposium March 1999

by Mark Frautschi

(excerpted from Y2KWEEKX week 43 issue 27 March 13, 1999; free subscription available from

I attended the Nuclear Y2k Symposium on Monday 8 March at the House Cannon
Office building on Capitol Hill. The Co-sponsors included Senator Tom
Harkin, Representative Ed Markey, Standing for Truth About Radiation (STAR), British American Security Information Council
(BASIC), and, and the Nuclear Information and
Resource Service (NIRS),

Nuclear power was the focus of the morning session, followed by a
well-attended press conference, while nuclear weapons were the focus of the

Overall I thought that the panelists and the sponsors put on a balanced
presentation. Fortunately, a NRC ( representative,
Jared Wermiel, the Chief information and Controls Officer, whose background
includes Bechtel Power (nuclear contractor) was among the speakers.
Unfortunately there was no DoD representative.

There are several unknowns to be concerned about.

o The armed services are not sharing information with each other.

o The NRC is conducting limited, paper audits (reading reports, not making
independent tests) of 12 facilities. They are considering upping this to the
approximately 105 nuclear generating plants. Basically they are relying on
self-reporting of each plant. The design of the NRC is that of regulator,
not auditor. Beyond the leadership issue of mandating real (not paper)
audits, there is the logistical challenge of managing 105 real audits.

There are bureaucratic questions as to the mission of the NRC, safety, not
management, as applied to Y2k, which crosses institutional and
organizational boundaries. According to its detractors, representatives of
the nuclear power industry (a vague term) to reduce its oversight are
lobbying the NRC. One detractor compared this with the atmosphere at the
1977 licensing of Three Mile Island Unit 2, where discussion of multiple,
simultaneous failure modes were specifically excluded from the testimony.
Ironically, the event of 28 March 1979 was a multiple, simultaneous failure,
when one considers the human elements of the system, along with the
technological ones. Even post Three Mile Island, we tend to worship the
technology, and blame, or ignore the humans. It was the operators who
disabled system, after system that could have prevented Three Mile Island
from devolving from a minor failure to the release of 10 Million Curies (1
Curie = 3.7 X 10^10 disintigrations/second) of radioactivity, according to
one estimate. I have not read any official reporting on Three Mile Island.
These comments reflect what I learned at the meeting and at dinner

The human factor is an unknown. Fortunately there are voices from a spectrum
of agendas who argue for Y2k related drills and nuclear plants are included
in those scheduled for April and September. This unknown contains risks as
well as benefits. It is perhaps an

o I spoke with Jared Wermiel of the NRC in the corridor about some of the
basic physics of nuclear power plants and on site waste storage. Nuclear
power requires off site power to cool the core and the stored spent fuel
should the plant go black. If the grid is lost, the plant is required to
shut down.

Jared gave me a few basic facts about the operation of nuclear power plants.

The core of a typical megawatt capacity power plant releases in the
neighborhood of 6 megawatts of heat during normal operation. In the event of
a failure, the plant SCRAMs, which means that the control rods fall (by
gravity) into the core, among a number of other actions. The heat production
drops exponentially, such that the thermal output within a few hours. Within
a day or two, the residual heat production is on par with that required to
keep the spent fuel cool, tenths of a megawatt, that is, one hundred, or so,
thousand watts of heat to dissipate.

To remove this waste heat, recirculation pumps are required. Since it is an
open system (with the spent fuel) evaporation losses must be replenished.
The power to run these pumps is a fraction of the residual losses. These
pumps draw on the order of 2000 gallons per minute; let me call that 8000
liters in 60 seconds or 133 l/s. If I raise that 133 kg of water 50 meters
(against gravity, g = 9.8 m/s^2) we have about 6,500 watts to operate a
perfectly efficient pump. So call that 10,000 watts. That is in the realm of
ordinary generators. You could buy three and use one for backup and one for
maintenance. Say you lose all three, the water temperature slowly will rise
and boil. (It will boil off in the case of the fuel - taking heat by
vaporization and transport.) It will take time. Wermiel indicated it was the
order of days. (If we knew the size of the storage vessel, we could estimate

The net result is that I am much less concerned about calls for shutting
down the nuclear reactors in summer, to allow them time to cool down, just
in case. It's not that much of a 'hair trigger.' I think that for reasons of
public policy, communication and confidence and for contingency planning, we
should audit the plants now (real audits, not paper audits) and have a clear
policy by the summer. Since IV&V can take 40 % or more of a Y2k effort, I've
just asked to increase the size of the work substantially and I've asked for
this late in the game. If the resources simply are not there, we need to
tell the public that, as Senator Bennett has said on several occasions, the
we are 'flying blind' in this important area, and to describe the
contingency plans that we are taking. It will be interesting to see whether
there is public debate on this point.

Jared also described the NRC Operations Center in Rockville, MD. The NRC has
the ability to monitor plant data (they are tied into all of the plant
monitoring systems of the nuclear generating stations around the country)
remotely. I wish that I had thought to ask him why the Peach Bottom incident
on 1 March 1999 was not picked up by the NRC with no monitoring going on for
seven hours. I'll follow up and see what I learn. Anyway, this plant has
dedicated telecommunications owned by the NRC and is capable of handling 9
disaster situations simultaneously. The drills the NRC plans for y2k are
based on a scenario (not a prediction!) of two simultaneous y2k-induced
events. A second command center is located in another state.