Earth Island Institute: Earth Island Journal: Fall 98

The Year 2000 Problem: An Environmental Impact Report
by Chris Clarke
With any luck, the turn of the millennium will happen without serious incident. The stroke of midnight will approach on December 31, 1999 and then it will pass, and life will go on as normal.
Banks will open on Monday, January 3 and customers will be able to access their accounts (and be charged the usual spiraling set of service fees). The power will stay on, oil refineries won’t explode, and life, for better or worse, will go on as usual. If all goes well.
All is unlikely to go well, however. All is already not going well. Though Year 2000 (Y2K) problems have to date been relatively minor, they are happening. As we approach the end of the century, they are expected to increase in frequency and severity. And given the interconnected systems with which we run our industrial societies, it is possible that the millennium will be marked by a cascade of catastrophic failures in automated systems that safeguard our environment, public health and safety.
At issue is a decades-old programming shortcut that has persisted to the present day. In the years before the personal computer, when a room-sized mainframe would have maybe four kilobytes of memory, programmers used only two digits to denote a particular year. Hence the problem: unless they’re specifically programmed to do so, computers may not understand that the year “00” follows the year “99.”
Using two-digit date fields made sense at the time. Memory was expensive, and computers were relatively slow. Less memory was required if the two digits marking the century were omitted. The date rollover was a generation away; programmers assumed that their code wouldn’t be in use 30 years hence.
For years, however, the Y2K bug was not considered to be of sufficient importance to justify the expense of rewriting code: rather, code was patched and amended to meet the needs of new machines. Code written in the 1950s and ‘60s – written in dead languages such as COBOL – forms the nucleus of layers of subsequent code, some of it now unfamiliar to any living programmer.
To date, the Y2K bug has caused only minor problems, more in the realm of inconveniences than disasters. Computers are already interpreting year 2000 in expiration dates for credit cards and future mortgage payments as the year 1900 resulting in delays in billing and the like. But programmers fear that as the current date closes in on 1/1/2000, those inconveniences will become more and more major.
Most businesses and government agencies using date-sensitive computer applications are now engaged in a global game of beat-the-clock, trying to bring themselves up to Y2K compliance. In some arenas, notably mainframe applications such as the large centralized databases used by banks and insurance companies, there is every reason to expect that industry will be mostly Y2K compliant by December 31, 1999. (Most personal computers’ operating systems are already Y2K-compliant, though not all software on those computers necessarily is.)
Bad Date = Bad Data
What will happen when a computer misreads the date on 1/1/2000? In the best case, nothing. Some computers are used for tasks to which the date is irrelevant. A computer that changes a stoplight from green to red and back every three minutes may function perfectly even if it thinks it’s changing the stoplight in 1902.
The second-best-case scenario is that the machine will read the date wrongly and then crash. Whatever service the computer provides will be interrupted – certainly an inconvenience, perhaps even a serious problem. But crashes are, usually, noticed immediately, meaning that the problem will likely be noticed and fixed relatively quickly.
There is a third, more insidious kind of error that can result though, and this is the one programmers fear most. If a computer misreads the date yet does not crash, whatever data the computer generates from that point on become suspect. Garbage In, Garbage Out is a long-standing maxim in the computer world, and for good reason. Any calculation made using a false date should be assumed to come out false. Computers rarely function in a cybernetic vacuum. Bad data stemming from a single Y2K-KO’ed computer can propagate across networks, corrupting data wherever the network leads. And if the computer generating the bad data isn’t crashing, no one may notice the problem until the walls fall in.
Embed with the Devil
There are two kinds of computers that are vulnerable to the Y2K bug. One of them is the kind most people would readily recognize as computers: PCs, mainframes, palmtops and laptops. Many analysts believe that the Y2K bug is likely to be nearly eradicated by January 1, 2000 in these machines. The bad news is that if even a-half percent of them fail, the results could be traumatic.
The other kind of computer, referred to as an “embedded system,” is hidden away in other machinery. Such diverse items as coffee pots, sport utility vehicles, oil refineries and elevators operate with the assistance of microprocessors put in place to automate mechanical functions. Embedded chips that are Y2K-compliant, or that don’t use years in their calculations, are expected to sail through the date rollover with no problem. Your dashboard clock may show the wrong date, but your car will probably still run. You may have problems programming your VCR, but most people already do. Elevators may shut down if they think their last maintenance occurred 99 years ago. You might even get stuck in one.
But there is more to the embedded-systems aspect of Y2K than annoyance and inconvenience. By the end of 1999, there will be about 50 billion embedded chips used throughout the world. While some of them can be fixed by rewriting code, others have the non-compliant code hardwired in and must be replaced. A thorough accounting of them is impossible by 1/1/00. About three to five percent of them are expected to fail. And even if just one-tenth-of-one-percent of them fail in ways that threaten human life or the environment, that’s 50 million failures to deal with on New Year’s Day. Most experts consider embedded systems to be the real Y2K threat.
Dr. Strange-launch
A serious Y2K threat involves computer systems that control toxic or dangerous substances. Chief among those substances is the global arsenal of nuclear weapons. In 1980, a chip costing less than a dollar failed in a NORAD computer in Colorado. The failure produced a phantom attack: it appeared as if the Soviet Union had launched an all- out nuclear blitz over the North Pole. Only the fortuitous discovery of the computer error saved the Northern Hemisphere from becoming a radioactive hell. Two decades later, the US and Russia still have thousands of warheads targeted at each other, and then there’s France, Britain, and China. All depending on date-sensitive microprocessors.
The Pentagon is largely silent on its drive to achieve Y2K compliance. Aside from establishing a Y2K office to coordinate compliance efforts across the military branches, and issuing a series of boilerplate pronouncements about progress in fixing its payroll and accounting systems, the only real news to come out of the Pentagon’s Y2K compliance effort has been the recent early retirement of Y2K-related staff in the Office of the Secretary of Defense.
Anthony Valetta, acting assistant Secretary of Defense for C3I (Command, Control, Communications, and Intelligence), took an early retirement in 1998. So did five high- ranking members of his staff. The retirements came at the same time a number of resignations of top Y2K staff rippled through major corporations. It is widely understood that these retirements were propelled by an unwillingness to be associated with a feared potential disaster come the millennium.
One hopes any Distant Early Warning radar reports of Russian missile launches in January 2000 will be treated with a grain of salt by the Pentagon. One can only hope that the same caution will be applied by other nuclear armies.
Nuclear Powerplants
At the other end of the nuclear cycle, the US Nuclear Regulatory Commission expects that Y2K problems may impede the ability of nuclear powerplant operators to monitor unusual bursts of radiation in a reactor’s vented air or water, potentially depriving plant operators of an early warning of a serious problem in the reactor core (to say nothing of the radiation risk to the environment). Dosimetry instruments designed to protect workers from radiation may also fail. Embedded chips (which may or may not be compliant) could be in anything from emergency core-cooling systems to the plant’s wet-dry vacuum cleaner. Failures in record-keeping software could result in lapses in scheduled maintenance.
The NRC says it will shut down any plant whose mission-critical systems are non-Y2K compliant by December ‘99. Eric Trapp, head of the Y2K program for Southern California Edison, told the Los Angeles Times that 40 engineers worked for four months to pare down a list of 190,000 devices at the San Onofre Nuclear Generating Station to 450 items that had some date sensitivity. It will take the company another year to analyze those devices and fix the ones that will fail in the year 2000.
Sweden intends to shut down all its nukes before rollover if there’s any doubt about their safety. British regulators have found Y2K faults in four of that country’s nuclear reactors. Cash-stropped Russia, however, has officially adopted a risky “fix-on-failure” policy, raising the specter of multiple Chernobyls.
Railroads, Factories & Satellites
Most industrial facilities use hundreds of embedded microprocessors, most of which are not date-sensitive. But if a fraction of those that are date-sensitive either fail or spew bad data, the results could be catastrophic. Valves on offshore oil drilling platforms may fail, causing spills. Refineries may fail to detect toxic leaks, or may open valves at the wrong time, spurring Bhopal-scale disasters. Railroad switch boxes could send trains onto the wrong tracks, triggering collisions, derailments, fires and toxic spills. Municipal incinerators could burn waste at temperatures too low to destroy dioxins and other carcinogens. Smelters and chemical processors would also be vulnerable. Supertankers’ navigational systems may fail, leading to collisions or groundings.
The world may see collisions and groundings sooner than 1/1/2000. A problem similar to Y2K will hit the worldwide satellite Global Positioning System on August 22, 1999. GPS uses a different calendar, which will roll over at that time. If this reads a bit like idle speculation, that’s because it is. No one knows what will happen to the world’s industrial infrastructure at the end of next year. But a couple of anecdotal events suggest that extraordinary luck will be required for nothing to happen at all.
In late December, 1996, an aluminum smelter in New Zealand suffered catastrophic failure when the plant’s computer system, made up of 660 computers, shut down without warning at midnight. The computers regulated temperatures in the smelter’s pot cells. With the computers down, five of the pot cells overheated and destroyed themselves. An identical problem occurred two hours later at an aluminum smelter in Tasmania. The problem: 1996 was a leap year, but the computer software used by both plants failed to recognize this, and crashed when confronted with a 366th day of the year.
An executive at a volatile gas manufacturing company in the US told Y2K consultant Peter de Jager that a test at his company’s manufacturing plant exposed a chilling danger. When the date in the company’s computers was experimentally moved forward, an embedded chip failed, shutting down the plant’s cooling system. Without the cooling system, the official shuddered, the plant would have exploded. De Jager, in an interview in the St. Louis Post Dispatch, said that the company – which he did not identify – is now replacing its chips. He worries about the companies that aren’t checking their factories.
The Grid
Though the prospect of a cold shutdown of the US’ 110 licensed nuke plants may bring a smile to the lips of clean-energy advocates, the sobering reality is that 22 percent of the electricity used in the US comes from nuclear powerplants.
Many of us would likely be willing to deal with that 22 percent shortfall in exchange for safer energy. We may, however, be facing quite a bit more than a 22 percent shortfall if Y2K brings severe electrical grid problems, leading to brownouts or blackouts over much of the country.
Most large power-generating stations rely on date-sensitive microprocessors in transformers, cooling systems and communications networks. Most of these will have to be either reprogrammed or replaced. The electrical utility industry has mobilized a huge effort to try and track down offending chips. But even if 1 percent of the suspect processors aren’t found and replaced, failures and crashes could force generating plants to shut down, or interfere with the transmission of electrical power to consumers.
North America’s electric powerplants are linked in a massive grid that runs from the southern tier of Canadian provinces across the 48 contiguous US states into a small part of northern Mexico. The grid is divided into four regions known as interconnections. Each interconnection is a tightly-woven network of generating stations, users and transmission lines. With the exception of Quebec, which sells many megawatts of hydropower to the Eastern Interconnection, not much power crosses interconnection boundaries. A failure in one interconnection may leave another unscathed.
But within an interconnection, the transmission and generating systems are so tightly meshed that a problem in one area can result in a cascade of failures that leaves a whole region without electricity. In August 1996, high temperatures caused four powerlines in eastern Oregon to sag until they hit tree branches and shorted out. This outage, combined with high demand for electricity for air conditioning, resulted in much of the Western Interconnection going down. [See “Climate Change Melts US Power Grid,” Fall ‘96 EIJ] Wildly fluctuating grid voltage levels forced a number of powerplants offline and as many as three million people from Portland to San Diego, and eastward to El Paso, went without power for up to three days.
The Eastern Interconnection gets as much as a third of its power from nukes. If that interconnection is already stressed due to an NRC shutdown of non-compliant nuke plants, even the smallest problem with other generators could trigger massive, cascading power outages during the coldest weeks of winter.
Other utilities could also be affected: Gas and oil companies rely on electric power to distribute their fuels to consumers. Lack of electricity and fuel would severely hinder emergency response crews. If the disruption proves long-term, delivery of food and water could grind to a halt.
Senator Bob Bennett (R-Utah), Chairman of the US Senate Special Committee on the Year 2000 Computer Problem, told the National Press Club in July that while he did not foresee a total failure in the North American power grid, “I expect we will have brownouts and regional blackouts, and in some areas of the country there will be power failures.” Other analysts aren’t as optimistic.
Y2K Yahoos
The potential for Y2K-related accidents has prompted a new survivalist trend, with ties to the far right and millenial Christian movements. Based largely on fear of the poor — “when the welfare checks get cut off, the cities will erupt” — these new survivalists are heading for the hills, stocking up on guns, gasoline and generators.
This movement, if it gains steam, could pose a significant threat to the environment, since the exodus will be largely composed of people with little experience in rural living. Many of them are advocating squatting on public lands, diverting natural watercourses for drinking and wastewater use, and hunting wild game that is often already severely stressed by habitat loss. The use of fossil-fuel powered generators for electrical generation would add significantly to air and noise pollution in formerly remote areas.
But those indulging in millenial panic are missing the point. The Y2K bug is a serious problem, but it is only a symptom of an increasingly brittle technological-social structure that has come to control more and more of the planet. The problem is not just one category of bad code: it is a fundamental, systemic hubris in engineering and management. The living planet is not a machine; it is a complex and interconnected system, affected dramatically by subtle forces and almost impossible to reliably predict. We must begin to recognize that human society shares these qualities with the natural world.
It would be a great mistake to fail to constructively address the Y2K problem while we have time. It would be an even worse mistake, if rollover comes without major incident, to assume the problem has gone away.
It’s not the date, it’s the data. We’ve built a society that is so vulnerable to glitches that two digits can bring it down. That society is no doubt vulnerable to other bugs, bugs that may not give us several decades’ warning. We can take Y2K as a wakeup call, and begin to remake our society so that it’s more resilient. A quick fix and quick amnesia would be the worst disaster of all.
What You Can Do: Contact your representatives in government to demand legislation to shut down all non-essential, non-Y2K-compliant chemical and atomic industrial facilities before January 1, 2000. Demand a global “stand-down” of all weapons of mass destruction before 2000.