ML20154J273

Audit Rept on Implementation of GL 98-01, Year 2000 Readiness of Computer Systems at Nuclear Power Plants, on 980915-17
Person / Time
Site: Monticello
Issue date: 10/02/1998
From:
NRC (Affiliation Not Assigned)
To:
Shared Package
ML20154J253 List:
References
GL-98-01, GL-98-1, NUDOCS 9810150204


Text

U.S. NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION (NRR)

AUDIT REPORT ON IMPLEMENTATION OF GENERIC LETTER (GL) 98-01
"YEAR 2000 READINESS OF COMPUTER SYSTEMS AT NUCLEAR POWER PLANTS"

Docket No: 50-263

License No: DPR-22

Licensee: Northern States Power Company (NSP)

Facility: Monticello Nuclear Generating Plant (MNGP)

Location: 2807 West Highway 75, Monticello, MN 55362

Dates: September 15 - 17, 1998

Audit Team Members: Matthew Chiramal, NRR; Dave Butler, Region III; Deirdre Spaulding, NRR

Approved by: Jared Wermiel, Chief, Instrumentation and Controls Branch, Office of Nuclear Reactor Regulation

9810150204 981002 PDR ADOCK 05000263 P PDR

Enclosure

EXECUTIVE SUMMARY

From September 15 through 17, 1998, the NRC staff conducted an audit of the Year 2000 (Y2K) program at the Monticello Nuclear Generating Plant in accordance with the audit plan (Attachment 1) for this activity. The purpose of the audit was to (1) assess the effectiveness of the Northern States Power Company (the licensee) programs for achieving Y2K readiness, including continued safe operation of the plant as well as compliance with applicable NRC regulations and license conditions with respect to the potential Y2K problems, (2) evaluate Y2K program implementation to assure that the licensee's schedule is in accordance with NRC Generic Letter (GL) 98-01 guidelines for achieving Y2K readiness by July 1999, and (3) assess the licensee's contingency plans for addressing risks associated with potential events resulting from Y2K problems. The audit team reviewed selected licensee documentation regarding Monticello's Y2K program and conducted interviews with the cognizant licensee personnel. The results of this audit and subsequent audits at other selected plants will be used by the staff to determine the need for additional action, if any, on Y2K readiness for nuclear power plants.

Based on the staff's assessment and evaluation of the Monticello Y2K readiness program, the following observations were made:

1. The Monticello Y2K readiness program is comprehensive and is based on the nuclear power industry Y2K problem guidance contained in Nuclear Energy Institute (NEI)/Nuclear Utilities Software Management Group (NUSMG) 97-07, "Nuclear Utility Year 2000 Readiness."

2. The Monticello Y2K readiness program is receiving appropriate management support and oversight.
3. The licensee began the formal Monticello Y2K program later than most licensees (June 1998) and as a result, the licensee is still in the initial assessment stage. The licensee is undertaking an ambitious schedule in order to meet the July 1999 Y2K readiness date established by the NRC staff in GL 98-01. Despite the late start, the Y2K readiness schedule appears to be achievable because of the limited number of software items at the site, the fact that the licensee has already begun remediation of major critical computer systems, and the licensee has received support via information sharing with the Boiling Water Reactor Owners Group and a utility alliance.
4. The licensee has not started the Monticello Y2K contingency planning. The licensee plans to utilize the nuclear industry guidance in NEI/NUSMG 98-07, "Nuclear Utility Year 2000 Readiness Contingency Planning," for this effort. With proper attention provided by management, the licensee should be able to complete this effort by July 1999.
5. The licensee's corporate and Monticello plant-specific Y2K program interfaces are effectively addressing grid reliability and availability issues.
6. The licensee will address the operating status of Monticello, which is currently planned to be in a refueling outage on December 31, 1999, in its corporate Y2K readiness plan and associated contingency planning. Both operating and shutdown conditions for Monticello will be considered.


REPORT DETAILS

1.0 INTRODUCTION

The objectives of the Monticello Nuclear Generating Plant (MNGP) Y2K Program audit were to:

1. assess the effectiveness of the Northern States Power Company (the licensee) programs for achieving Y2K readiness including continued safe operation of the plant as well as compliance with applicable NRC regulations and license conditions with respect to the potential Y2K problems,
2. evaluate Y2K program implementation to assure that the licensee's schedule is in accordance with NRC Generic Letter (GL) 98-01 guidelines for achieving Y2K readiness by July 1999, and
3. assess the licensee's contingency plans for addressing risks associated with potential events resulting from Y2K problems.

The audit was conducted in accordance with the established audit plan (Attachment 1) which was based in part on the guidance and requirements contained in the following documents:

• GL 98-01, "Year 2000 Readiness of Computer Systems at Nuclear Power Plants"
• Licensee Response(s) to GL 98-01
• Plant technical specifications and license terms and conditions
• Applicable NRC regulations
• NEI/NUSMG 97-07, "Nuclear Utility Year 2000 Readiness"

Prior to the audit at the plant site, the audit team had obtained and reviewed the MNGP Year 2000 Readiness Implementation Plan and associated work instructions (draft versions of document numbers 1, 2, and 3 listed in Attachment 2).

The audit process started with an entrance meeting attended by the MNGP Year 2000 Readiness Project Manager (PM) and other site personnel, the Year 2000 PM of Prairie Island Nuclear Plant, and members of the audit team. Attachment 3 is a list of the attendees. The PM and members of the project team described the project organization, the project plan and its implementation, and the project status and ongoing activities.

Following the meeting, the audit team spent the rest of the audit reviewing the project plan and its associated procedures, the plan implementation products (documents and data bases) and interacting with the project team members, particularly with the PM. The documents reviewed are listed in Attachment 2.

2.0 MNGP Y2K PROJECT DESCRIPTION

2.1 Project Organization

The MNGP Y2K project has 15 full-time persons (including the PM and two contractors) and 3 part-time persons. The PM has overall responsibility for the project and reports to the General Superintendent - Design and Engineering, MNGP, who reports to the Monticello Site Plant Manager. The Plant Manager reports to the President-Nuclear Generations who provides the information to the Project Sponsor.

MNGP participates with other organizations that are addressing the Y2K effort. The licensee has been involved with the Boiling Water Reactor (BWR) Owners Group. According to the licensee, the BWR Owners Group final report on its Y2K program is due October 1998. MNGP has been able to take advantage of the BWR Owners Group generic Y2K efforts for several noncompliant computer systems. MNGP will be upgrading its nonsafety-related process computer system (PCS), a General Electric Company (GE) 3D Monicore Baseline 94 system.

The GE 3D Monicore Baseline 98 upgrade system which is Y2K compliant is scheduled to be installed at the site in November 1998 with testing and final acceptance of the PCS occurring over a period of approximately 2 months. Other Y2K compliant upgrades being coordinated through the BWR Owners Group are the GE NUMAC automated TIP [traversing in-core probe] control units and the rod worth minimizer (RWM), and GE Fanuc reactor recirculation control and motor-generator (MG) set scoop tube positioner and controller systems.

To further the exchange of Y2K information, MNGP is also part of a Y2K Alliance, which is composed of representatives from Point Beach, Kewaunee, Monticello, Duane Arnold, and Prairie Island nuclear power plants.

2.2 Project Plan

The MNGP Year 2000 Readiness Implementation Plan (item 1 of documents reviewed in Attachment 2) is the plant-specific plan that was developed by the licensee and issued on July 17, 1998. It is based on the guidance provided in NEI/NUSMG 97-07, which was endorsed by the NRC in NRC GL 98-01 as guidance that when properly implemented presents one approach for achieving Y2K readiness. The audit team's review confirmed that the MNGP Year 2000 Implementation Plan is based on the guidance contained in NEI/NUSMG 97-07.

The MNGP Year 2000 Readiness Implementation Plan consists of the following phases: awareness, initial assessment, detailed assessment, remediation, contingency planning and risk management, and notification. It also includes requirements for quality assurance, regulatory considerations, and documentation.

2.2.1 Awareness

At MNGP, the formal Y2K awareness phase of the Y2K program was initiated in June 1998 to all site personnel via Site News Letters. Additionally, through various group meetings and e-mails, information on Y2K problems was disseminated to system engineers and staff during the start of the project. On September 16, 1998, the plant Year 2000 Project was discussed at the Engineering/Technical Staff Training session.

At the corporate level, Y2K awareness began in 1996. The NSP board of directors approved the NSP Year 2000 Project and its budget in 1996.

The MNGP Y2K project implementation schedule is provided in Table 1.

2.2.2 Initial Assessment

The initial assessment stage of the MNGP Y2K Project started in July 1998. The completed initial assessment will result in the identification of all software applications and embedded system components at the MNGP. The NSP Software Master Configuration Index (SMCI) was used by MNGP to identify the software applications, and the Champs database was used to aid in the identification of embedded systems. The tasks of initial assessment include (1) inventory, (2) categorization, (3) classification, (4) prioritization, and (5) analysis of the initial assessment.

The licensee indicated that the inventory of all software application items and approximately 80 percent of the embedded system components was complete.

In the identification of embedded systems, it is necessary to review the procedures and documentation for occurrences of phrases that would indicate the existence of an internal clock or processor, survey the vendors for information on their equipment, perform system walk-downs, and review schematics, program listings, and reference manuals.

Table 2 provides the results of inventory of software items. Of the 290 software items identified, 120 will require assessment testing, and 60 will require additional detailed and integrated testing. Table 3 provides a list of safety-related software at MNGP.

Table 4 provides the results of inventory for the embedded systems. A total of 453 embedded items had been identified to date. Out of the total of 453 identified embedded items, 175 still need to be assigned a classification.

Prioritization

The inventory phase includes the prioritization of the identified items. The priority is based on the criticality and risk of the functions performed. The criticality is based on the criteria as suggested by NEI/NUSMG 97-07: (1) critical (life-threatening implications, required by regulations; major impact on service to customers), (2) severe (mandated by regulatory agencies but can be lost for short periods of time; asset is used solely as a backup to an asset of critical importance; business continues but with great difficulty), (3) high (mandated by regulatory agencies but which have compensatory measures; business continues but with serious difficulty), (4) medium (minimal impact on company's core business; compensatory measures are more costly to use than the asset), (5) low (customer service is not affected; minimal impact on business operation), or (6) none (no lost productivity; asset is no longer being used or has no identified users). Risk assessment is based on the frequency of usage and type of usage and is classified as critical, high, medium, or low. Priority of high, medium, or low will be assigned commensurate with the level of importance relative to criticality and risk.

Analysis of Initial Assessment

The results of the MNGP initial assessment of the software applications and embedded items will be placed in the MNGP Y2K Application Checklist and Embedded Component Summary.

Analysis of the initial assessment is the final step in the initial assessment phase. During the analysis of the initial assessment, items are dispositioned as "not affected" or designated as needing further detailed assessment. Items that do not display a date or calculate a date require no further evaluation and are designated as "not affected." All other items will require detailed assessment and will be dispositioned as follows: use as is, remove, replace, or remediate and test.

NRC Audit Team Assessment

Several folders for embedded components were reviewed by the audit team. The components were selected from the database print-out titled "Embedded Components Sorted by Classification [sp]" dated Tuesday, September 15, 1998, consisting of 18 pages.

Out of a total of 453 embedded components identified, a total of 32 embedded component folders were reviewed by the audit team.

• 159 items had a classification that needed to be determined - 24 items were selected for review
• 23 items were classified under "Continuity of Business" - 1 item was selected for review
• 126 items were classified under "Important to Operation" - 2 items were selected for review
• 12 items were classified under "License Commitment" - 1 item was selected for review
• 55 items were classified under "Non-essential" - 0 items were selected for review
• 12 items were classified under "Personnel Safety" - 1 item was selected for review
• 20 items were classified under "Required by Regulations" - 1 item was selected for review
• 8 items were classified under "Safety Related" - 2 items were selected for review

While reviewing the embedded component information, the audit team found that for component with ID number 427 a "low" priority was assigned. The PM indicated that a Y2K issue does not exist here because there is no date function. From its initial look at the folder in detail, the audit team determined that there seemed to be a different method for determining the priority of these components from the method that is spelled out in the NEI/NUSMG 97-07 guidance. The PM indicated that the impact evaluation grid, risk evaluation grid, and corrective action grid proposed in NEI/NUSMG 97-07 were modified and combined in the risk assessment and prioritization guidance provided in the MNGP Year 2000 Embedded Component Work Instruction (item 3 of documents reviewed in Attachment 2). The intent was to make risk assessment and priority determination easier. The PM also indicated that the determination of risk and priority also involves the engineering judgements of the evaluator, system engineer, system superintendent, and PM. The audit team considered the explanation acceptable and for components in which no date functions exist a low priority is appropriate. Table 5 provides a list of embedded components that were reviewed by the audit team. Table 6 provides information on the embedded components that MNGP classified as safety related.

2.2.3. Detailed Assessment

In the detailed assessment phase, MNGP will obtain information on each item to determine its expected performance when subjected to the NEI/NUSMG 97-07 identified problem dates.

There are four different evaluations that may be carried out during the detailed assessment phase: vendor evaluation, plant-owned or supported software evaluation, interface evaluation, and embedded components evaluation. Vendor evaluation encompasses validation testing based on the criticality of the item, prior experience with the vendor, extent of documentation, or plant knowledge of the item. Plant-owned or supported software evaluation encompasses knowledge-based decisions, scanning, and testing. When testing is proposed, test specifications and procedures are developed. Interface evaluation encompasses the review of the interface capability with software and applications that interface with other systems.

Embedded components evaluation encompasses the use of knowledge-based decisions and testing. When sufficient vendor and plant information is available to support a knowledge-based decision, no additional testing is required. Upon completion of the detailed assessment, each component found to be susceptible to the Y2K problem will be used as is, retired, replaced, or modified.

2.2.4. Y2K Testing and Validation

MNGP will perform Y2K testing in support of the evaluation efforts to determine whether the Y2K problem is present. Testing is performed during detailed assessments and requires the development of test procedures. Y2K testing will also be performed subsequent to remediation to determine whether those efforts have eliminated the Y2K problem and no unintended functions are introduced.

MNGP will perform assessment testing per computer problem/change reports (PCRs) and associated verification and validation (V&V) plans and test procedures that they currently have or will establish. Assessment testing will be handled as follows: The test procedures will be written as the application or process software is received and evaluated. A generic test procedure has been prepared which is being used as the starting point. It consists of 16 various categories for Y2K evaluation and testing. Some test procedures, such as those for the security computer and equipment database, are currently being developed from the generic test procedure. This assessment testing process is expected to continue through January 1999.

MNGP will perform testing subsequent to remediation consisting of unit testing, integration testing, and system testing. Unit testing focuses on a single application, software module, or component. Integration testing examines the integration of related software modules, applications, and components. System testing examines the hardware and software components of the system as a whole.

MNGP will perform validation to confirm that the software is capable of performing its intended function. Validation is performed subsequent to remediation and Y2K testing. Upon satisfactory validation, certification and documentation will indicate "Y2K Ready" or "Y2K Compliant" depending on the remediation that was implemented.

2.2.5. Remediation or Replacement

Remediation or replacement will be performed per PCRs and associated V&V plans. A review of the SMCI for final disposition will also be performed. The purpose of remediation is to properly disposition items identified in the detailed assessment. MNGP is revising its existing "Computer & Information Systems - Problem/Change Report" (item 6 of documents reviewed) for software applications, and "Condition Report Process" (item 5 of documents reviewed) for embedded systems. These two documents ensure that identified items are properly tracked and dispositioned.

2.2.6. Regulatory Considerations

The MNGP Year 2000 Readiness Implementation Plan and associated documents (items 1, 2, 3, and 4 of documents reviewed) include references to existing plant procedures that have guidance on regulatory considerations, such as 10 CFR 50.59 reviews, and reportability evaluations per 10 CFR 50.72, 10 CFR 50.73, and 10 CFR Part 21, and operability determinations as required by plant technical specifications.

2.2.7. Contingency Planning

MNGP has not begun contingency planning; however, in January 1999 MNGP will begin its contingency planning in accordance with NEI/NUSMG 98-07, "Nuclear Utility Year 2000 Readiness Contingency Planning."

2.2.8. Y2K Program Management

With regard to the MNGP schedule, there are activities that need to be completed by individuals at the NSP corporate level beyond the control of the MNGP Y2K team. Thus, when making the determination whether the MNGP Y2K project is on schedule, the audit team evaluated the interaction of the MNGP Y2K project management with the NSP corporate Y2K program.

2.2.9. Electric Grid Issues

MNGP is addressing the issue of substation equipment in the following manner. There appeared to be some questions as to where the boundaries of responsibility for review of substation equipment reside. The boundary between NSP generation and the new independent transmission company is not clearly defined with regard to the issue of Y2K readiness of the substation equipment. Some of the MNGP equipment resides in the substation, and because of this, the question of who should perform the Y2K assessment is not yet resolved. The equipment in question includes metering and relaying equipment. The corporate level bi-weekly project team meeting, which includes MNGP Y2K project management, is addressing this issue.

3.0 AUDIT TEAM FINDINGS

The following six observations were made by the audit team of the MNGP Y2K project:

1. The licensee's MNGP Year 2000 Readiness Implementation Plan is a comprehensive document and is based on the guidance contained in NEI/NUSMG 97-07 with additional plant-specific procedures for evaluation of computer software and embedded software. The plan and associated procedures make use of existing plant procedures for software configuration control, software quality assurance (QA), software V&V, and change reporting. The plan is implemented through a project team consisting of a PM and technical specialists. The assessment and evaluation process requires the interaction of a cross-section of the plant organization.

2. The MNGP Year 2000 Readiness Project has the support of a senior management sponsor. At present, communication of the progress of the project to senior management is through a project tracking report. Once the project's initial assessment is completed (scheduled for November 1998), bi-monthly project status meetings with NSP corporate senior management are planned.
3. The audit team was under the impression that all nuclear power plant licensees had started their facility-specific Y2K program by early 1998 because NEI/NUSMG 97-07 was provided to senior utility management in November 1997. The MNGP Year 2000 Readiness Project was formally started in June 1998 and incorporated into the NSP corporate Y2K program at that time. The licensee was aware of the Y2K problem in late 1996 and had initiated an ad-hoc evaluation of some MNGP computer systems (e.g., plant process computer, plant security computer, and the turbine electronic pressure regulator) in 1997. The MNGP project is at the initial assessment stage now which is expected to be completed by October/November 1998. The overall MNGP Y2K project is scheduled to be completed by July 1999 with readiness achieved at that time. The audit team considers the schedule to be an ambitious one. However, the licensee appears to be able to meet the project schedule since (1) the number of software items at the site that are to be assessed for Y2K vulnerabilities (290 software items and around 500 embedded components per initial inventory) is not large, and (2) the licensee appears to have already identified and begun upgrades to major critical computer systems and components for Y2K compliance/readiness, and (3) licensee participation in BWR Owners Group and utility alliance efforts is permitting a more rapid assessment and remediation of systems and equipment because of information sharing than if the licensee had to proceed on its own. The audit team notes that detailed assessment, including some testing and remediation, and subsequent associated testing of some remaining critical systems and components are major tasks yet to be done.
4. The audit team had planned to review the outline of the licensee's Y2K contingency plan for MNGP. However, the licensee has not as yet started on the plant Y2K contingency plan. The projected start date for MNGP Year 2000 Contingency Plan is January 1999. The Y2K PM stated that the contingency plan will be based on the guidance in NEI/NUSMG 98-07 and initiated in parallel with the detailed assessment efforts of the overall MNGP Y2K project. The audit team pointed out that a single point-of-contact for contingency planning has not been identified in the existing project team. The audit team believes that completion of the detailed Y2K contingency plans at MNGP can be achieved by July 1999 with the necessary attention provided by the Y2K PM and senior management.

5. NSP corporate efforts and interfaces with its generation Y2K projects, including MNGP and Prairie Island Y2K projects, are good for addressing electrical grid reliability and availability issues. The audit team notes that the biweekly project team meeting is a good vehicle for identifying and assigning responsibilities for interface items that might affect plant operations and grid concerns such as the substation equipment issue noted above.
6. According to the licensee's present plan, MNGP is to be shut down for reactor refueling in December 1999. However, there is a possibility that the unit may continue to operate during the December 31, 1999 - January 1, 2000, roll-over period. The NSP corporate Y2K program and MNGP Year 2000 Readiness Implementation Plan and associated contingency plans will consider both MNGP operating conditions.

Date: October 1998

Table 1 MNGP Y2K Project Implementation Schedule
Table 2 Software Inventory
Table 3 Inventory of Safety-Related Software at MNGP
Table 4 Inventory of Embedded Systems
Table 5 Embedded Components Reviewed by the Audit Team
Table 6 Safety-Related Embedded Components Identified by MNGP
Attachment 1 Y2K Readiness Audit Plan
Attachment 2 Documents Reviewed
Attachment 3 Entrance Meeting - Attendees

Table 1 - MNGP Y2K Project Implementation Schedule

| Activity | Starting date | Finishing date |
|---|---|---|
| Awareness | June 1998* | September 16, 1998** |
| Initial assessment | July 1998 | December 1998 |
| Detailed assessment | November 1998 | March 1999 |
| Testing/Validation | December 1998 | June 1999 |
| Remediation | December 1998 | June 1999 |
| Contingency planning | January 1999 | |

* A limited awareness effort began with the receipt and review of NRC Information Notice 96-70 in December 1996.

** The MNGP personnel will be kept informed of the Y2K readiness project status through the Site News Letters.

Table 2 - Software Inventory

| | Total | High criticality* | Safety related** | Augmented | Standard |
|---|---|---|---|---|---|
| Software items | 290 | 30 | 18 | 39 | 233 |

* High criticality software systems are those that perform mission critical functions including safety-related systems performing direct safety functions and those nonsafety-related systems required for plant operation.

** Table 3 lists the inventory of safety-related software at MNGP.

Table 3 - Inventory of Safety-Related Software at MNGP

No. Software ID Function
1 ARCON 96 Calculates relative concentrations in plumes from control room air intakes
2 BLOCKAGE 2.5 Predicts whether accumulation of debris on torus suction strainer leads to loss of ECCS
3 CBATR Compartment bulk air temperature transfer calculation model - used for temperature response for station blackout and equipment qualification
4 GOTHIC Thermal hydraulic information for containment - HELB [high-energy line break] analysis for equipment qualification
5 MPM Voltage Motor power monitor - collect and analyze 3-phase motor current
6 NPLATE Base plate analysis program
7 PIPEPLUS Calculates piping deflections, stresses, support loads
8 PPPS EPRI prediction program for MOV [motor-operated valve] thrust
9 STARDYNE Structural analysis program
10 A-FAULT ANSI fault analysis program
11 AOVDB Air-operated valve predictive maintenance
12 DAPPER/300 Performs analysis of 3-phase AC power load flow, voltage, fault current
13 MMOV Support MOV program
14 PACKING NFORC MOV diagnostic software
15 RISC Shielding, isotopic/decay heat and nuclear criticality calculations
16 STAD III DETERMINE Finite element structural analysis
17 THRUST PACK DATA Provide detailed MOV spring pack data
18 VOTES MOV diagnostic software

None of the safety-related software identified to date performs a direct safety function. The above systems provide support or auxiliary functions to safety-related systems. They do not have real-time functions.

Table 4 - Inventory of Embedded Systems

Total; Safety related; Augmented; Standard; Important to safety; Required by regulations
Embedded items: 453 8 20 1

| Required by license commitments | Important to operation | Personnel safety | Continuity of business | Non-essential |
|---|---|---|---|---|
| 12 | 127 | 12 | 35 | 55 |

Table 5 - Embedded Components Reviewed by the Audit Team

| Classification | Instrument name (V - Vendor) | System | Mission critical | Date function | Y2K status and note if to be tested |
|---|---|---|---|---|---|
| To be determined (TBD)* | EPR Pressure Control (turbine), V - GE Fanuc | TRB | TBD | No | Not applicable since no date function (N/A) |
| TBD | Digital Feedwater Level Control, V - Autech Data Systems | RFC (recirc flow control) | TBD | Unknown | Unknown |
| TBD | Main Steam Radiation Channel A, V - GE | PRM | TBD | Unknown | Unknown. To be tested |
| TBD | RFC B Programmable Controller, V - GE Fanuc | RFC | TBD | Unknown | Unknown |
| TBD | Rod Worth Minimizer, V - GE NUMAC | RWM | TBD | No | N/A |
| TBD | FW A Flow to Level Control | RLC | TBD | Unknown | Unknown |
| TBD | FW B Flow to Level Control | RLC | TBD | Unknown | Unknown |
| TBD | RFC A Genius Digital I/O Module | RFC | TBD | Unknown | Unknown |
| TBD | RFC A Genius Relay Output Module | RFC | TBD | Unknown | Unknown |
| TBD | RFC A Genius Digital I/O Module | RFC | TBD | Unknown | Unknown |
| TBD | RFC B Genius Digital I/O Module | RFC | TBD | Unknown | Unknown |
| TBD | RFC B Genius Relay Output Module | RFC | TBD | Unknown | Unknown |
| TBD | RFC B Genius Digital I/O Module | RFC | TBD | Unknown | Unknown |
| TBD | Transmation | | TBD | None | Unknown |
| TBD | Transmation | | TBD | Unknown | Unknown |
| TBD | RFC A Genius Analog Module | RFC | TBD | Yes | Unknown |
| TBD | RFC A Genius Analog Module | RFC | TBD | Yes | Unknown |
| TBD | RFC B Genius Analog Module | RFC | TBD | Yes | Unknown |
| TBD | RFC B Genius Analog Module | RFC | TBD | Yes | Unknown |
| TBD | Recirc MG A Scoop Tube Position | RFC | TBD | Unknown | Unknown |
| TBD | Recirc MG B Scoop Tube Position | RFC | TBD | Unknown | Unknown |
| TBD | Recirc MG B Scoop Tube Position | RFC | TBD | Unknown | Unknown |
| TBD | Recirc MG A Scoop Tube Position | RFC | TBD | Unknown | Unknown |
| TBD | RFC A Adjustable Speed Drive | RFC | TBD | Unknown | Unknown |
| TBD | RFC B Adjustable Speed Drive | RFC | TBD | Unknown | Unknown |
| Continuity of business | #11 Recirc Flow Control | RFC | Critical | No | Ready |
| Important to operation | #12 RFP Recirc Flow Control | CFW | Critical | None | Not affected |
| Important to operation | Vessel Level (Feedwater) Master Controller | RLC | Severe | None | Not affected |
| License commitment | SRS Controller | Chemistry | High | None | Not affected |
| Personnel safety | Personnel Contamination Monitor | Rad Protection | Medium | Yes | Unknown |
| Required by regulations | Automated TIP Control Unit | TIP | Critical | Yes | |
| Safety related | EFT Temperature Control | EFT | Critical | None | Not affected |
| Safety related | Div I 120 VAC Class 1E Inverter | UPS | Critical | None | Not affected |

* Items that have not been classified have not been assessed and the data in the folders is preliminary.

Table 6 - Safety-Related Embedded Components identified by MNGP

Instrument Name | System | Mission Critical | Date Function | Y2K Status
EFT Temperature Control | EFT | Critical | None | N/A
EFT Temperature Control | EFT | Critical | None | N/A
Reactor Vessel Skin Temperature | RPV | Critical | None | N/A
SRV Tailpipe Temperature | MST | Critical | None | N/A
CGCS "A" Pressure Temperature Indicator | CGCS | Critical | None | N/A
CGCS "B" Pressures Temperature Indicator | CGCS | Critical | None | N/A
Div I 120 VAC Class 1E Inverter | UPS | Critical | None | N/A
Div II 120 VAC Class 1E Inverter | UPS | Critical | None | N/A

MNGP has not identified to date any safety-related embedded system susceptible to the Y2K problem.


Revision 0 (08/13/1998)

Y2K READINESS AUDIT PLAN

Preamble

The objectives of this audit are:

(1) To assess the effectiveness of licensee programs for achieving Y2K readiness and in addressing compliance with the terms and conditions of their license and NRC regulations and continued safe operation.

(2) To evaluate program implementation activities to assure that licensees are on schedule to achieve Y2K readiness in accordance with GL 98-01 guidelines.

(3) To assess the licensee contingency planning for addressing risks associated with events resulting from Y2K problems.

This audit should include review of relevant documentation, and interviews with selected utility personnel. Examples of relevant documentation are: facility specific Y2K program plan, assessment plan, inventory listing/database (including possibly separate inventories of embedded systems), project tracking, reviews and evaluations of regulatory considerations including 10 CFR 50.59 changes, QA procedures related to Y2K program, etc. If possible, include direct observation of testing and validation methodology.

Document Review - Thorough familiarization with the following is required prior to the audit.

a. Generic Letter 98-01
b. Licensee Response(s) to GL 98-01
c. License terms and conditions
d. NEI/NUSMG 97-07, "Nuclear Utility Year 2000 Readiness"

Additionally, the review should include the following:

a. Technical Specifications
b. 10CFR50.36, "Technical Specifications," paragraph (c)(3), "Surveillance requirements," paragraph (c)(5), "Administrative controls."
c. 10CFR50.47, "Emergency Plans," paragraph (b)(8)
d. 10CFR50.59, "Changes, tests and experiments"
e. 10CFR50 Appendix B Criterion III, "Design Control"
f. 10CFR50 Appendix B Criterion XVII, "Quality Assurance Records"
g. 10CFR50 Appendix E, "Emergency Response Data System"
h. 10CFR50 Appendix A General Design Criterion (GDC) 13, "Instrumentation and Control"
i. 10CFR50 Appendix A GDC 17, "Electric power systems"
j. 10CFR50 Appendix A GDC 19, "Control room"
k. 10CFR50 Appendix A GDC 23, "Protection system failure modes"
l. Standard Review Plan Chapter 7, especially Branch Technical Position 14
m. NRC Inspection Manual Chapter 0330: Guidance for Review of Licensee Draft Documents
n. NRC Inspection Manual Chapter 0620: Inspection Documents and Records
o. NRC Inspection Manual Chapter 0610: Inspection Reports
p. Response to Questionnaire Relating to Draft TI on Y2K Readiness of Computer Systems at Nuclear Power Plants
q. NEI/NUSMG 98-07, "Nuclear Utility Year 2000 Readiness Contingency Planning"
r. Year 2000 Computing Crisis: An Assessment Guide, GAO/AIMD-10.1.14, September 1997
s. Year 2000 Computing Crisis: Business Continuity and Contingency Planning, Exposure Draft, GAO/AIMD-10.1.19, March 1998
t. Year 2000 Computing Crisis: A Testing Guide, Exposure Draft, GAO/AIMD-10.1.21, June 1998

Attachment 1

A. Pre-Visit Activities

1. Through the Project Manager in coordination with the resident inspector, let the licensee know of the site audit visit 3 to 4 weeks in advance of the visit.
2. Obtain a copy of the licensee's Y2K Readiness Plan and an organization chart showing the Y2K Project alignment. Obtain the name of the Y2K project manager.
3. Based on the Resident inspector's response to the Y2K questionnaire, identify the stage of the implementation of the plan. Make a list of documents, per the licensee's plan, which have been completed. (For example, if initial assessment has been completed, the inventory list showing the item, its classification and prioritization, should also have been completed.) Select the documents that would be reviewed during the audit at the site.
4. Review the plan, and form an outline of the areas that you would focus on during the site audit.
5. Inform the licensee of the documents that you plan to review, and the project staff you would like to meet. Convey to the licensee that you would like to have a presentation of the plant's Y2K program on the first day of the visit as part of the entrance meeting.

B. Site Visit Activities

DAY 1

1. At the entrance meeting, convey to the licensee that the intent of the visit is to see how well the plant-specific Y2K readiness program is being implemented and whether it will meet its main objective of making the plant Y2K ready on schedule. The audit will focus on those areas affecting safety (safety-related computer systems) first. Subsequently, the remainder of the Y2K readiness program will be assessed for those areas important to plant operation but not directly affecting safety. Systems to consider include the security computer, emergency response (data collection and communication) systems, radiation monitoring systems, surveillance tracking systems, and process controls (feedwater, turbine, power).

2. Use information obtained from licensee's presentation, along with your understanding of the plant-specific plan, as a means of gaining a good understanding of the licensee's program. Conduct discussions with the licensee's program staff on specific aspects requiring additional detail. The idea is to get a good understanding of the licensee's Y2K program and its implementation. Discuss management, QA, resources, and schedules. Remember, it is based on this that you would flesh out the detailed audit that you had outlined during your pre-visit activities.

(These activities, plus access to site, would probably take all of the first day.)

DAYS 2, 3 & 4

The licensee's facility specific Y2K program was developed based on the guidance in NEI/NUSMG 97-07. NEI/NUSMG 97-07 suggests a five phase approach to ensure that a licensee's plant continues to operate safely and within the requirements of their license and NRC regulations. The status of the implementation of these phases and schedules for remaining activities, including planning and coordination of Y2K-related work during currently planned outages, should be examined against the July 1, 1999 Y2K readiness date in GL 98-01. The allocation of funds and resources for completion of the phases should also be reviewed.

The scope of systems described in the licensee's Y2K program should include an inventory and assessment of software-based systems and equipment necessary for plant safety and operation, and to satisfy license conditions, technical specifications, and NRC regulations. It should be confirmed that the inventory and assessment has included a review of embedded software systems. Inventory/assessment should also include testing and calibration equipment, spares and interfaces. The program plan should provide appropriate emphasis and priority on safety-related systems/components and systems required for safe operation at the initial and detailed assessment stages.

Methods for assessing Y2K susceptibility should be examined. Verify that appropriate bases (e.g., testing, knowledge-based decisions, testing of the same system by others, use of a tool to evaluate code, vendor certified information, code inspections, and engineering analysis) are provided for Y2K readiness and Y2K compliance as identified by the facility specific program objectives. {NOTE: Where the licensee relies on data and information provided by others for the bases, including vendors, care should be taken to check that the licensee's program has steps as appropriate for assessing and validating the information.} Further, when compensatory measures or "work arounds" are identified for achieving Y2K readiness, they should be evaluated for their appropriateness. {NOTE: When compensatory measures are used, they should be addressed in related contingency plans. They should also be identified, as part of the program, in longer-term maintenance or corrective actions to maintain the system, device, or application Y2K ready.}

Testing and validation is performed as part of the implementation process. There are several critical dates that should be considered in the determination of Y2K readiness or compliance as follows:

September 9, 1999, 09/09/99
December 31, 1999, 12/31/99
January 1, 2000, 01/01/00
February 28, 2000, 02/28/00
February 29, 2000, 02/29/00
March 1, 2000, 03/01/00
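An added example, not part of the audit report, showing how the six critical dates above can be driven through a date routine to expose rollover defects. `legacy_parse` is a constructed stand-in for two-digit-year code, and the 50-year pivot window in `windowed_parse` is an assumed remediation, not one described in the report.

```python
from datetime import date

PIVOT = 50  # assumed window: YY below 50 means 20YY, otherwise 19YY
# The six critical dates from the audit plan, MM/DD/YY, in calendar order.
CRITICAL = ["09/09/99", "12/31/99", "01/01/00",
            "02/28/00", "02/29/00", "03/01/00"]

def legacy_parse(text):
    """Constructed pre-Y2K logic: century fixed at 19, and century years
    treated as non-leap (the divisible-by-400 rule is missing)."""
    mm, dd, yy = (int(p) for p in text.split("/"))
    year = 1900 + yy
    leap = year % 4 == 0 and year % 100 != 0
    days = [31, 29 if leap else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    if not (1 <= mm <= 12 and 1 <= dd <= days[mm - 1]):
        raise ValueError("invalid date " + text)
    return date(year, mm, dd)

def windowed_parse(text):
    """Remediated logic: pivot-year windowing; date() applies the full
    Gregorian leap rule and raises ValueError for impossible days."""
    mm, dd, yy = (int(p) for p in text.split("/"))
    return date((2000 if yy < PIVOT else 1900) + yy, mm, dd)

def rollover_findings(parse):
    """Feed each critical date to `parse` and report 'ok', 'rejected'
    (valid date refused) or 'out of order' (time appears to run backwards)."""
    findings, latest = {}, None
    for text in CRITICAL:
        try:
            cur = parse(text)
        except ValueError:
            findings[text] = "rejected"
            continue
        if latest is None or cur > latest:
            findings[text], latest = "ok", cur
        else:
            findings[text] = "out of order"
    return findings

def elapsed_days(parse, start, end):
    """Interval arithmetic across a rollover, as a trending or
    surveillance-interval calculation would do."""
    return (parse(end) - parse(start)).days

if __name__ == "__main__":
    for name, fn in (("legacy", legacy_parse), ("windowed", windowed_parse)):
        print(name, rollover_findings(fn))
```
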

In addition to the information provided in NEI/NUSMG 97-07, contingency planning should be addressed in detail. Contingency actions to be taken in the event that unanticipated occurrences or malfunctions occur should be reviewed against the potential concerns identified in the Y2K program. In addition, it should be confirmed that certain, high-priority contingency plans, identified by the facility-specific contingency planning, have been established, for example, for ensuring adequate emergency diesel fuel oil to cope with a possible extended loss of offsite power, augmentation of staffing, alternative means of emergency communication and post-accident data collection are available, alternative means of controlling access to vital areas is provided, and provisions to minimize the probability of losing electric power from the grid are available in the event of a nuclear power plant shutdown. It can be anticipated that many licensees will not have completed contingency planning at this stage of their program. However, contingency planning should clearly be incorporated in the facility-specific Y2K program plan. Licensee programs may reference NEI/NUSMG 98-07 or GAO/AIMD-10.1.19 as a basis for contingency planning.

The licensee's review of their regulatory compliance should include a determination of the need for changes to the licensing basis, technical specifications, licensing commitments, and plant safety analysis report.

C. Conclusion of Site Activities

Plan to have an exit meeting with the Y2K project manager. Discuss, in general terms, the review you had done of the facility specific Y2K program, and in particular, any open items that were identified to conclude your audit. Mutually agree upon an avenue to resolve these open items so that you can close out the audit.

Documents Reviewed

1. MNGP Year 2000 Readiness Implementation Plan, Revision 0, July 17, 1998
2. MNGP Year 2000 Assessment - Computer Work Instruction, C5M-05.01, Revision 0, July 21, 1998
3. MNGP Year 2000 Embedded Component Project Work Instruction, PWI-Y2K-2.01, Revision 0, July 30, 1998
4. MNGP Software Quality Assurance Requirements, 4AWI-08.03.03, Revision 3, January 29, 1998
5. MNGP Condition Report Process, 4AWI-10.01.03, Revision 7, December 16, 1997
6. MNGP Computer Problem/Change Report (PCR), CWI-02.03, Revision 3, September 10, 1998
7. MNGP Software Verification and Validation - Computer Work Instruction, CWI-04.05, Revision 1, January 30, 1992
8. MNGP QA Records Control, 4AWI-02.10.01, Revision 3, July 12, 1996

Attachment 2

Entrance Meeting - Attendees

September 15, 1998

Dave Butler, NRC RIII
John Grubb, Gen. Supt. NGS
Deirdre Spaulding, Elec. Engr., NRC/NRR/HICB
Matthew Chiramal, NRR/NRC
Gene Heupel, Process Leader - Eng.
Ronald Siepel, Y2K Project Manager - Monticello
Roger Oelschlager, Y2K Project Manager - Prairie Island
Peggy Anderson, Y2K
Jack Thorson, Y2K Embedded
Sam Shirey, Licensing
Russ Van Dell, NSP - Computer & Info System
Mike Hippe, Production Engineer

Attachment 3