ML20196J694

From kanterella
Jump to navigation Jump to search
Forwards Revised Version of Documented Entitled Contingency Plan for Year 2000 Issues in Nuclear Industry. Revs Made to Correct Typographical Errors
ML20196J694
Person / Time
Issue date: 11/09/1998
From: Travers W
NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO)
To: Hoyle J
NRC OFFICE OF THE SECRETARY (SECY)
References
SECY-98-036-C, SECY-98-36-C, NUDOCS 9812100177
Download: ML20196J694 (25)


Text

. . .- . . _ .. _ . . -

p tR8sp p i UNITED STATES g

e j

NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 305664001 i

s. , ...,*.s November 9, 1998 i

i MEMORANDUM TO: John C. Hoyle, Secretary '

FROM: William D. Travers Executive Director for pera. ions [fp

{

SUBJECT:

CORRECTIONS TO COM-SECY 98-036 i Please find attached a revised version of the document entitled " Contingency Plan for the Year 2000 issus in the Nuclear Industry." This draft document was originally transmitted on

~

November 3,1998. Subsequent to its transmittal, a significant typographical error was discovered. The word " competence" on the second full sentence of the first paragraph on the second page should have been " compliance." In addition a number of minor typr aphical i errors (spacing) have also been corrected in the attached revision. Because the staff intends to make this draft document available to the public, it is important to correct these errors.

l t ,

.-)

fD  ;

o)' (OO

r. O

' ' ~ " ' "' ~; ' ) !)O ,'

9912100177 981109 PDR SECY '-  :

98-036 PDR

/ () !fh hV1M 3

._j

November 9, 1998 MEMORANDUM TO: John C. Hoyle, Secretary Orig!ne.! C'r._ _ _,

, FROM:

William D. Travers William D. Travers Executive Director for Operations 5

SUBJECT:

CORRECTIONS TO COM-SECY 98-036 i

Please find attached a revised versic'1 of the document entitled " Contingency Plan for the Year 2000 issus in the Nuclear Industry." This draft document was originally transmitted on November 3,1998. Subsequent to its transmittal, a significant typographical error was discovered. The word " competence" on the second full sentence of the first paragraph on the

  • 1 second page should have been "cornpliance." In addition a number of minor typographical e

errors (spacing) have also been corrected in the attached revision. Because the staff intends to make this draft document available to the public, it is important to correct these errors.

i E

f AEOD ED)

JG11tter er s 11/6/98 WTyp/58 114

.(

l l

%o iM)g U.S. Nuclear Regulatory Commission Contingency Plan for the Year 2000 issue in the Nuclear Industry l

1 I

CHAIR Joseph G. Glitter, AEOD -

1 MEMBERS l Clarence P. Breskovic, OIP l Matthew Chiramal, NRR  !

Elizabeth A. Hayden, OPA I Gary W. Purdy, NMSS John C. Voglewede, OClO Jared S. Wermiel, NRR

, \

J

$ 1 ATTACHMENT

I. INTRODUCTION The NRC is pursuing a comprehensive program for dealing with potential Year 2000 (Y2K) problems. We have been and will continue working with our licensees to ensure that potential Y2K problems have been identified and rectified and to ensure that our own computer-based systems will continue to function properly as we pass from 1999 into 2000. However, because of the nature of the Y2K issue, it is not possible to be 100 percent certain that all potential problems will be corrected. For this reason, the NRC established a task force to develop a contingency plan for ensuring that public health and safety and the environment will continue to be protected, even if unforeseen Y2K problems occur.

In a statement she made on June 12,1998, to the Senate Special Committee on the Y2K technology problem, Chairman Jackson said that the NRC recognizes "the national importance of a broader focus that helps to ensure that potential concerns with electrical grid reliability are identified and resolved." To this end, the task force also explored contingency planning options for responding to regu'atory and licensing issues that may result from grid reliability problems.

II. BACKGROUND Y2K-induced events are events that arise from a date-related problem that is experienced by a software system, a software application, or a digital device at a key rollover date when the system, application, or device does not perform its intended function. December 31,1999, to January 1,2000, and February 28,2000, to February 29,2000 are examples of key rollover dates. The nuclear utility industry is engaged in Y2K readiness programs at all nuclear power plant (NPP) facilities to seek out and correct Y2K problems that have any potential to affect ,

facility operations. Despite these efforts, there is some risk of Y2K-induced events. Effective l Y2K contingency planning sets up a process for reducing such associated risks. The next j section describes how the Y2K issue could affect facilities and other entities regulated by the NRC.  !

i 111. PROBLEM STATEMENT l

A. REACTORS

1. Commercial Nuclear Power Plants The electricity production and delivery systems, as two of the more important elements of the North American economic and social infrastructure, must remain dependable during the transition to Y2K. Every other critical element of infrastructure depends on the availability of an interconnected, reliable supply of electrical power. There is no doubt that cascading or even J localized outages of generators and transmission facilities could have serious short- and long-  !

term consequences. Continued safe operation of NPPs during the transition plays a major role in maintaining reliable electrical power supply systems.

l To ensure continued safe operation of NPPs during the Y2K transition, the NRC is engaged in comprehensive evaluation of licensee Y2K readiness. On May 11,1998, the NRC sent Generic Letter 98-01 to all operational NPP licensees, requiring them to take a number of steps to 1 I

address potential Y2K issues at their facilities. In addition, NRC is auditing a dozen NPPs (representing a cross-section by geographic location, type of design, and age of the plant) to j l

2 evaluate the effectiveness of measures those NPP licensees are taking to identify and correct Y2K issues at their facilities. NRC will use the results of these audits to determine if further regulatory action is required. By July 1,1999, all NPP licensees must confirm in writing that their plants are or will be Y2K ready by the year 2000 with re' gard to compliance with the terms and conditions of their license. Alllicensees have responded that they are implementing programs for Y2K readiness based upon industry guidance (Reference B.1) for Y2K readiness.

Industry has also prepared guidance (Reference B.2) to help NPP utilities develop Y2K contingency plans.

IntemalFacility Risks The Y2K readiness program irpplemented by each NPP utility is intended to identify and fix software-based items that could degrade, impair, or prevent operability of the facility. Safety-related instrumentation and control systems that perform safety function actuations do not present a Y2K issue because, in the vast majority of NPPs, these systems are analog hardwired and therefore.do not rely on software that may be subject to the Y2K issue. In those few cases in which such systems are computer based, the software does not have date-driven functions that may be affected by the Y2K issue. However, there remains some risk that plants could still be subject to a Y2K-induced event that has an effect on facility operations. Examples of such internal facility risks at NPPs are computer-based control systems for feedwater control, turbine control, and generator voltage regulator control; plant process computer; control rod position information system; security computer system; and area radiation monitoring systems.

Contingency plans should identify failure modes and mitigation strategies for such risks. Y2K contingency planning should also consider the potential that the Y2K issue could potentially affect many such systems and components.

ExtemalRisks

\

Even if the intemal facility risks are small, there are still external risks to consider. External risks arise from conditions, circumstances, or events that are beyond the direct control of facility management. The task force identified electrical grid and telecommunications concerns as the significant extemal risk considerations; these and other concerns are discussed further in Section D.

)

As part of its contingency planning, the staff will attempt to identify those NPPs that may be most vulnerable to Y2K issues. Potential vulnerability will be determined on the basis of the ,

information given in the second response to GL 98-01 and input from the Y2K program audits  !

and other sources. Such an approach permits the staff to be better prepared to address i potential Y2K prob ems at these particular plants in its contingency planning efforts. l

2. Research and Training / Test Reactors  !

Research and training / test reactor licensees have also established programs to evaluate and correct Y2K deficiencies. Many research reactors will be shut down on January 1,2000, as the i institutions operating them (e.g., universities and laboratories) will be closed for the holiday.  !

Further, these reactors often have passive safety features and low power levels, which ensure I minimal potential offsite consequences. In addition, the staff concluded that any research l reactor in operation on January 1,2000, could be readily shut down manually using emergency 1

)

procedures and existing shutdown systems, even if their operational systems should experience a Y2K problem.

B. MATERIALS LICENSEES The Y2K issue may affect NRC's materials licensees in many different ways. For example, computer software that is used to calculate therapeutic dose or to account for radioactive decay may not recognize the turn of the century; this could lead to incorrectly calculated doses or exposure times for medical treatment planning. Other examples of software that may be l affected are security control, radiation monitoring, technical specification surveillance testing, l and accumulated burn-up programs. Also, equipment that licensees have purchased may  ;

contain computer software susceptible to the Y2K issue. The problem could occur not only in I computer software or data acquired from external sources, but also in programs developed by l licensees or consultants. In an effort to inform materials licensees of the Y2K issue, NRC has I issued three information notices (References A.3, A.4, and A.5) and one generic letter (Reference A.2).

1. Medical Licensees By interviewing licensees and manufacturers, the staff found that devices containing byproduct material (high-dose-rate and teletherapy units) appear to be Y2K compliant. Manufacturers of some dose calibrators have found them not Y2K compliant; also, some treatment planning systems are not Y2K compliant. NRC is working with the U.S. Food and Drug Administration (FDA) to determine if there are any health and safety problems associated with medical devices that use byproduct material.
2. Manufacturers NRC interviewed a large manufacturer of radiopharmaceutical products. At the time of the interview, the manufacturer did not believe that the Y2K issue would affect health and safety.

The dose calibrators used at the manufacturing facility are Y2K compliant. The manufacturer believes that the Y2K issue will not affect product quality or accuracy of the measured activity.

3. Irradiators NRC has interviewed Sterigenics, a firm that operates 12 large irradiator facilities. Sterigenics' staff believes that there are no health and safety problems related to the Y2K issue. The interlock systems and source movement for the irradiators used at its facilities are not controlled by computers. NMSS will contact a large manufacturer of irradiators for more information. g

~

\

4. Fuel Cycle Facilities NRC has conducted interviews at two fuel cycle facilities regarding the Y2K issue. All fuel cycle facilities have been inspected for Y2K concems. The primary Y2K'concem for fuel cycle facilities is diversion / theft of special nuclear material.

A generic letter (Reference A.2) was sent to fuel cycle licensees and certificate holders requesting (1) written confirmation of implementation of their Year 2000 Readiness Program;

(2) written confirmation that the facilities are Y2K ready and in compliance with the terms and conditions of their license / certificate and NRC regulations; and (3) for facilities that are not Y2K 3

ready on or before December 31,1998, a written response updating the status and schedule of 1 the facilities' Year 2000 Readiness Program. Every fuel facility tas sent written confirmation of  !

Implementation of their Year 2000 Readiness program.

Risks forFuelFacilities /.

The Y2K readiness program implemented by each fuel facility is intended to identify and repair software, hardware, and embedded systems that could degrade, impair, or prevent operability of the facility. The primary Y2K concern for fuel cycle facilities is diversion / theft of special nuclear material. However, the risk of diversion / theft of special nuclear materialis highly unlikely and poses no undo safeguards risk. In the unlikely event of a complete facility blackout, the GDPs would shut down to a safe condition. However, the restart of the GDP could pose a slight risk to employees from a uranium hexafluoride (UF.) release. A release of UFe in this scenario poses no risk to members of the public. Identification of Y2K problems with fuel cycle facilities will be done after all the responses to the Generic Letter are received. There is no identified risk-significant concern for fuel cycle facilities.

Risks for OtherMaterials Licensees For medicallicensees, overexposure or underexposure of patients represents the greatest risk.

Dose calibrators and some treatment planning systems have Y2K compliant problems. Due to the efforts of the manufacturers of dose calibrators and treatment planning systems, FDA, and the NRC, the risk to patients is considered to be low.

The risk of the Y2K issue affecting health and safety at manufacturers and irradiators facilities is low. Most of the safety systems at these facilities are not computer controlled.

If it is determined that a device has a Y2K problem that affects health and safety, NMSS will use current procedures for notifying licensees of unsafe devices. Notification will be sent directly to the affected licensees through use of the License Tracking Systern.

C. INTERNATIONAL -

It is highly probable that Canada and Mexico will experience similar problems as described above, which could have negative effects on U.S. public health and safety, just as Y2K issues in the United States could affect Canada and Mexico. For these reasons, NRC must review existing emergency notification procedures with those countries and coordinate Y2K-related contingency plans.

D. INFRASTRUCTURE

1. Electrical Grid Concerns Extemal electrical grid system problems that could arise as a result of a Y2K problem are loss of offsite power, grid instability, voltage and frequency fluctuations, circuit breaker malfunctions, load fluctuations, and loss of grid control systems. The North American Electric Reliability Council released a report on September 17,1998, that evaluated the anticipated impacts of

Y2K on electrical systems (Reference C.2). The initial findings of the report conclude that proper contingency planning on the part of electric utilities should alleviate widespread power outages. However, the report also conceded that the Y2K issue would result in increased risk of isolated, local outages.

One of the major concerns raised in the NERC report is the lack of information on Y2K readiness - about 25 percent of the electric utilities did not respond to the NERC Y2K readiness survey. However, the report also indicates that all NPP Y2K programs are on schedule to achieve Y2K ready status, largely owing to leadership from the Nuclear Energy Institute (NEI) in this area. Another major concern raised in the report is the dependency of l electrical power generation, transmission, and distribution on telecommunications systems.

One reason for this concern is that these telecommunication systems may be outside of the utility's control.

I h

=n M v

{

2 C%

JR89638 E -Westem Interconnection EB -Texas interconnection O - Eastem Interconnection E3 -ouetccInterconnection r

g Figure 1. Electrical Grid interconnections in North America Interconnections There are four large electric grid Interconnections in North America as shown in Figure 1. The largest Interconnection is the Eastern Interconnection which covers the eastern two-thirds of the United States and much of Canada. The Western interconnection has connections into Mexico and covers the western U.S. and British Columbia and Alberta, Canada. The Quebec Interconnection (sometimes included as part of the Eastem Interconnection) covers the Canadian Province of Quebec and the Texas Interconnection covers most of Texas. The interconnections are mostly independent of each other, and are essentially ac/dc/ac inter-ties that filter out most, but not all, disturbances. A major disturbance within the interconnection has

1 the potential to cascade to the entire interconnection. The North American Electric Reliabilitsj Council (NERC) has identified the following four critical areas that pose the greatest direct threat to power production and delivery.

PowerProduction As discussed previously, power plants (including fossil and nuclear) mu'st be able'to stay online during the Y2K transition period to avoid major grid disturbances or outages. Newer plants with digital control systems may be the most vulnerable. The control and protection functions that the digital control systems perform often utilize time-dependent algorithms, which can, if uncorrected, lead to unintentional generator trips. ,

Energy Management Systems Electric utility control centers monitor power system operations (including generating plants, transmission and distribution systems, and customer loads), retain historical data, and allow for the manual and automatic control of field equipment. The control center's energy management system includes supervisory control and data acquisition systems, automatic generation control systems, energy management applications and databases, and graphical user interfaces.

Uncorrected Y2K issues in these systems could result in the loss of monitoring, dispatching, and control functions. In addition, many energy management systems rely on precise time signals that may be provided by global positioning system (GPS) technology. GPS has a unique and pressing problem: the clock used by this system will tum over to 0000 on August 29.,1999, s..........,,

,# g., .

k .........

~- 5 5 '

/- - .1111l11 3 TSKil Tif x ' . . -[

Tr.msrr,ss

/ ,g ..

- w

- P. 'l'J**

(, f tu_

~

i g - oe ,

n.y c g ,m Figure 2.' The Generation, Transmission, and Distribution of Electricity Requires Telecommunications Systems

_ _ _ _ _ _ _ . - _ . . _ _ ._._ _.__ .- _ ._ _ _ _._._ _ m _ _

i Telecommunications

As shown in Figure 2, the transmission and distribution of electrical power is highly dependent

! on microwave, telephone, and VHF radio communications. Telecommunications systems, in i

tum, are highly dependent on the availability cf electrical power. Section D.2 contains a 1

discussion of how Y2K issues are being addressed by the telecommunications industry.

i '

l .

} Protection Systems e l 1 Many newer relay protection devices are digital and are vulnerable to Y2K issu'es. The concem

raised by NERC was the possibility of a common-mode fal;ure in which all releys of a particular i model fall at once, causing a large number of coincident outages in transmission facilities.

j 2. Telecommunications f As discussed previously, reliable telecommunications service is crucial to the production and i delivery of power. The Regional Bell Operating Companies (RBOCs), such as Bell Atlantic and

U.S. West, independent telephone companies, such as Aliant Communications, and interexchange carriers (IXCs) , such as AT&T, MCI Worldcom, and Sprint, have programs in place to ensure that their telephone networks will be Y2K compliant. For example, AT&T has committed approximately half a billion dollars to complete the assessment, revision, and testing of its voice, wireless, data, and government networks by December 31,1993. Major RBOCs are participants in the National Year 2000 Telco Forum, a consortium that has contracted with Belicore to conduct interoperability testing of data and voice networks. In addition, both IXCs and RBOCs are in a partnership with the Alliance for Telecommunications Industry Solutions

~

(ATIS) to plan and conduct Y2K signaling interoperability tests. The testing, which is being organized by the ATIS Network Testing Committee (NTC), involves advancing the network clock and ensuring that the signaling between local exchange carriers (U.S. West, Ameritech, and GTE) and IXCs (Sprint and AT&T) is unaffected by the Y2K transition.

Although it appears that telecommunications providers are taking the necessary steps to ensure continued reliable operation of the public switched network (PSN) through the Y2K transition, th6 task force identified the following concems:

e s

  • Although we know that many major telecommunications service providers are taking the

," ' necessary steps to address potential Y2K concerns, we know less information about the

/ small local telephone companies. Many NPPs and fuel cycle facilities are located in f

rural areas that are serviced by small telephone companies.

(p a M p Although m$ny utilities have corporate communication networks that tie into the PSN

( s

" downstream" of the local telephone company, some utilities appear to rely extensively

.on the small local telephone company. The recently enacted Year 2000 Information and

" " Readiness Disclosure Act should help small local telephone companies get on the track of Y2K compliance.

  • The PSN is so vast and complex that it is impractical to perform a rigorous quantitative reliability analysis. Despite the fact that recent studies conclude that the probability of a widespread outage is low, there have been two widespread outages within the last year 1

caused by network signaling software problems. E,oth of these outages were attributed to a company that provides network signaling capability to small telephone companies.

NRC participates in a number of Government wide emergency telecommunications initiatives.

Most of these are administered through the National Communications System (NCS). An example of a technology currently in use by NRC is the Government Emergency Telecommunications System (GETS), which provides authenticated access, enhanced routing, and priority treatment in long-distance telephone networks. GETS presumes continued operation of public and Federal telephone networks during national emergencies when the volume of network traffic is expected to be very high. However, this system may not provide protection in the event of a major network outage.

NCS has been working closely with the NTC to ensure that emergency telecommunications systems are included in the internetwork Y2K testing of the PSN. The NCS is also in the initial stages of developing communication network attematives in the event of a major PSN outage.

These alternatives utilize high-frequency radio and dedicated land lines. The NRC is exploring the option of becoming a node on the special NCS Y2K contingency network.

3. Flooding / Loss of Heat Sink in the industry planning document (Reference B.2), loss of heat sink was identified as an external event that NPPs should censider for contingency planning purposes. This is a potential concern because systems used to control the amount of water released from a reservoir or hydroelectric dam often rely upon computers or imbedded controllers that are susceptible to the Y2K issue. Consequently, the task force examined the potential for a Y2K-induced loss of heat sink (or flooding) that could affect NRC-licensed facilities that are on rivers or flood plains. The staff has consulted with the U.S. Army Corps of Engineers (USACE) regarding this issue and has teamed that, although there are potential Y2K problems that could prevent the operation of these systems, there are no identified failure mechanisms snat could result in a substantialincrease or decrease in the amount of water re! eased. In addition, there is a capability to manually operate the hydroelectric plants or, if necessary, the sluice gates in a manner that ensures that minimum downstream flows are maintained. However, another factor examined by the task force was the need for reliable communication between nuclear power plant operators and the USACE. For example,in January, ice jamming on the Missouri River can result in reduced river water levels. Often when this occurs, NPP operators contact the USACE and ask them to increase downstream flows. However, becauso the chain of events that influences river water levels typically takes place over a number of days, this scenario would only be a concern if there were a prolonged (i.e., at least several days) telecommunication outage. Since this is highly unlikely, the task force ::cncluded that loss of heat sink was not a significant concem for NRC contingency planning purposes.
d. Consumables Another concern raised by the task force was the potential that certain chemicals, diesel fuel oil, water, food, and other consumables may be difficult to obtain if the Y2K transition results in a breakdown of major infrastructures. As an example of this potential, a truck en route to the Turkey Point Plant to deliver water in the aftermath of Hurricane Andrew was diverted by local law enforcement officials for another use.

.g.

IV. COORDINATION A. INDUSTRY l

in the summer of 1998, under the oversight of the Nuclear Energy Institute (NEI), the industry formed a Contingency Planning Task Force to provide NPP utilities with a " focused approach" to Y2K contingency planning. The primary product of that task force was a Y2K contingency plan guidance document entitled NEUNUSMG 98-07, Nuclear Utility Year 2000 Readiness Contingency Planning, dated August 1998. This document, which builds on Y2K readiness  ;

programs already in place, preeents guidance that can be used by plant operating staff to l develop effective contingency plans for mitigatirg the potential unanticipated effects of a Y2K  ;

issue. The guidance incorporates risks to safe plant operation resulting from potential Y2K issues into the existing emergency procedures and emergency response organization at each  ;

NPP. To a large extent, Y2K issue contingency planning will be plant specific or it will depend on the specific systems and risks identified as affected by the Y2K issue at the individual plant.

However, two generic areas of consideration for contingency planning identified in NEl/NUSMG 98-07 are (1) augmentation of staff and (2) availability of consumables (e.g., emergency diesel generator fuel oil and water chemistry control chemicals).

The staff contacted NEl concerning the need for further coordination of nuclear industry Y2K contingency planning efforts. NEl indicated that it does not plan additional coordination of licensee contingency olanning efforts because of the plant-specific nature of the issue. NEl stated that individual licensees will work with the NRC as necessary in accordance with their existing emergency response procedures (as they would for any unanticipated operating event) shculd they experience plant operability concerns due to Y2K issues. The staff has concluded that the existing emergency response capability at the nuclear facilities, supplemented to address the Y2K issue in accordance with NEl/NUSMG 98-07, provides the best approach to licensee contingency planning for this issue.

Due to the variety of operations, materials licensees have had to develop individua! Y2K remediation plans. From a small sample of materials and fuel cycle licensees, it appears that larger facilities are sware of the Y2K issue and are addressing the issue. The NRC Office of the inspector General (OlG) conducted a survey that identified a lack of Y2K awareness among radiation safety officers of Priority 3 licensees.

B. ~ OTHER FEDERAL AGENCIES 1.' NRC is a member of the Emergency Services Sector (ESS) Working Group for Y2K, which is headed by the Federal Emergency Management Agency (FEMA). FEMA has been working closely with the private sector and with State and local governments to I ensure that emergency services and emergency response will not be affected by the

_ Y2K transition. The Catastrophic Disaster Response Group, which includes representatives of the 12 lead agencies of the Federal Response Plan, is working with constituent groups on issues of emergency preparedness and allocation of resources.

Although the focus for the CDRG is narrower than that for the ESS Working Group, the activities are complimentary. The NRC is participating in monthly CDRG meetings on the Y2K issue. Based on a survey by FEMA of State emergency managers, most State Emergency Operation Center systems are Y2K compliant and will be available for

i i

i disaster response. There is less information about the counties level of readiness, including county police and 911 centers. [

4

2. The Department of Energy (DOE) is the principal Federal agency with oversight responsibility for Y2K issues in electricity supply systems. The NRC will coordinate with j DOE on NRC/ DOE contingency plans.  !

~

l _

3. NRC contacted the Federal Energy Regulatory Commisalon (FERC) to find out if they l were considering Y2K contingency planning related to issues or potential problems  !

associated with electricity supply systems. FERC is not developing such plans, but is i relying on DOE Y2K contingency plans to address these issues. .

~

4. The NRC is working closely with the National Communication System (NCS) to I ensure that emergency response communications will not be affected by the Y2K i transition. NRC is exploring the option of becoming a node on the special NCS Y2K contingency network.
5. The NRC has consulted with the U.S. Army Corps of Engineers (USACE) concoming the potential for Y2K failures that could affect river water levels and flows.
6. i The NRC is coordinating its activities regarding the intomational aspects of the ,

contingency plan with FEMA, the Department of State, and the Environmental

{

d Protection Agency. y ,  :

i

7. The National Interagency Fire Cache 'can provide emergency telecommunications  !

equipment support to the NRC, including HF radios and mobile satellite equipment. Use  !

of such equipment would require advance placement at a licensed facility or placement within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after an incident. l

8. The NRC has discussed the Y2K readiness of FTS2001 services with the General j Services Administration (GSA). GSA has assured NRC that the FTS2001 system will  !

be Y2K compliant.- v, j

~.

9. NRC is coordinating activities regarding medical devices that use byproduct material  ;

. ' with the U.S. Food and Drug Administration (FDA). ,

y (; y L  :

C.1{

+; C.M U /: 1 To facilitate Agreemdni State efforts to address the Y2K issue, a link to State Govemment Year  :

2000 Websites has been provided by NRC. NRC's, website identifies Y2K resources, notices, conferences, and other related information. The States have been given the Intemet address ,

of this site. The NRC will make every effort to share with the States any issue involving the i Y2K issue and problems involving NRC materials licensees that may also affect Agreement j States or Agreement State licensees. NRC also requested that Agreement States share any 1 information about Agreement State materials licensees that have identified a Y2K issue that i could affect NRC, other Agreement States, or their licensees. 7

D. INTERNATIONAL REGULATORY BODIES AND IAEA/NEA

1. Multilateral Coordination Multilateral coordination takes place in the form of information exchange and coordination at international forums such as the International Atomic Energy Agency (IAEA) and the Nuclear Energy Agency (NEA). Both organizations have established programs to let IAEA member states exchange Y2K information in an effort to diagnose and remedy Y2K-related nuclear safety problems. The Office of International Programs will actively participate and monitor progress in these areas.

Intemational Atomic Energy Agency (IAEA)

At its 1998 General Conference, the IAEA adopted a U.S.-sponsored resolution (drafted by the NRC) to make the IAEA a clearinghouse and central point of contact for IAEA member states to exchange information regarding diagnostic and remediation actions being taken at NPPs, and at fuel cycle and medical facilities that use radioactive materials, to make these facilities Y2K ready, The resolution also urges Member States to share information with the IAEA regarding diagnostic and corrective actions being planned or implemented by operating and regulatory organizations and emphasizes that Member States should have contingency plans in place at operating and regulatory organizations well before December 31,1999, in order to handle potential problems that may arise at that time at those nuclear facilities.

In response, the IAEA has created a special project to address nuclear Y2K-related safety concems and contingency planning for NPPs and research reactors, and plans to hold several Y2K workshops starting in December 1998. The IAEA also recently sent a questionnaire to member states requesting information about their respective Y2K plans. The questionnaire was distributed to NRC technical offices and NRC will send the coordinated responses to the IAEA.

The U.S. is also providing a cost-free expert to the IAEA to assist in the establishment of IAEA Y2K guidelines. This expert is Morgan Libby, who co-authored the NEl paper titled " Nuclear Utility Year 2000 Readiness Contingency Planning." He will assist the IAEA on Y2K contingency planning.-

Y2K issues were discussed in September 1998 at a special session of the international Conference on Topical issues in Nuclear, Radiation, and Waste Safety which met in Vienna and at the At. gust 1998 meeting of the WER Regulators Group in Armenia.

4 At this time, NRC knows nothing about the IAEA contingency plan for the international emergency msponse system.

Nuclear Energy Agency (NEA) in February 1998, the NEA sent a Y2K questionnaire to members of its Committee on Nuclear Regulatory Agencies (CNRA). A brief summary of the responses issued in May 1998 showed that all participating regulatory bodies were taking aggressive steps with licensees to identify and solve Y2K issues. In August 1998, the NEA finished its work on an international e-mail notification system, enabling CNRA members to rapidly and confidentially exchange Y2K

. . - - - - -. .--.- .. .- - .-.- - -. ~ - - -_ - -

information. The NEA plans to make the e-mail system Y2K ready by setting up redundant ,

computer and power supply systems.The CNRA members are Belgium, Canada, Czech l Republic, Finland, France, Germany, Hungary, IAEA, Japan, Netherlands, South Korea, Spain, Sweden, Switzerland, United Kingdom, and United States. I The NEA is also organizing a Y2K workshop in February 1999 (co-sponsored by the IAEA), and l the NRC has proposed that regulators from the fonner Soviet Union and Central and Eastem Europe be invited to attend. ,., f; e 3 Eurppean Union .

,y 7 i The European Commission sponsored a meeting of eastem/westem European nuclear i

regulators in June 1998, at which the Y2K topic was reviewed; attendees spoke about progress i in theirindustry.

t

2. Bilateral Coordination j

(

NRC's main focus of bilateral contingency planning efforts is on Canada and Mexico. The NRC i enjoys close bilateral ties with both countries and special emergency procedures are in place i permitting rapid and redundant communications should an emergency arise. Contingency planning for these countries will involve, among other things, the examination of existing  ;

procedures and communications channels. It may also be necessary to coordinate with U.S. l border States and Canadian and Mexican provinces. -

{

Canada .

i The Atomic Energy Control Board (AECB) of Canada is addressing the Y2K issue at Canadian }

NPPs and hopes to have all plants Y2K compliant by June 30,1999. Informal contacts with the i AECB indicate that currently Canada has no plans to examine existing U.S.-Canadian l emergency response procedures from a Y2K perspective. NRC will formally approach the  !

AECB to discuss multilateral and bilateral aspects of Y2K contingency planning.  ;

, ,, t Mexico , .Y ' ,

V j

,j,/ i; . .y The status or existence of Y2K contingency plans in Mexico is not known at the moment. When l informally approached, the Mexicans requested a formal communication, and that is being i prepared. ,

6 ' N l IAEA. .-

/ i v 3 f i. .

NRC and IAEA',will coordinate contingency plans for direct NRC-IAEA communications in case  ;

. of amU.S. nuclear emergency.  !

a  :

OtherCountries Countries with which the NRC has technical information exchange arrangements will be  !

individually contacted by NRC regarding Y2K issues as part of the ongoing emergency  ;

preparedness information exchange. NRC will explore the possibility of using existing bilateral j i

l i

I

means of communications as redundant communications channels should the regular

, intomational emergency response system fail.

NRC will also encourage countries in earlier time zones, which will experience Y2K-related i problems before the U.S. does, to relate information about Y2K issues to the NRC in the i quickest possible manner to enable U.S. licensees to avoid common-cause failures. This effort  ;

will be directed mainly at Far Eastem countries, such as Japan, South Korea, and Taiwan, which operate U.S.-style reactors, but could also include certain European countries. The time '

difference for these countries vs. EST or PST ranges from plus 12 to 15 hours1.736111e-4 days <br />0.00417 hours <br />2.480159e-5 weeks <br />5.7075e-6 months <br /> (Far East) and 6  :

to 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> (Europe). It may also be possible to coordinate this activity with FEMA if a proposal j by the Chairman of the U.S. Senate Committee on the Year 2000 to set up,a Y2K "early 4 warning" system is implemented. -

FederalAgencies NRC is coordinating with the emergency response centers of all Federal agencies involved in i i

the intomational nuclear emergency notification and response system, such as the (

, Departments of State and Energy, the Environmental Protection Agency, the Federal  !

l Emergency Management Agency, the National Security Council, and the President's Council on Y2K Conversion. i s

j 3. Intemational Safeguards and Physical Protection .

,. o ., t

' ~

The IAEA has instituted a program to examine all its safeguards systems (computers and j equipment) for Y2K compliance, and plans to have all systems under its control Y2K compliant i l by the end of 1998. It will take longer to modify in-field equipment because much of the  !

software was developed by outside suppliers and because some of the equipment is built in to plant processes. The IAEA is' working to resolve these problems.

NRC has also asked NMSS to' investigate the contingency plans of foreign countries with  !

i respect to physical protection and to raise the issue of Y2K in future visits to study physical j protection. ,

j i 's s' t l V. CONTINGENCY PLAN.

! A. SCENARIO DEVELOPMENT '

i f. p I The task force evaluated a range of possible scenarios. At the lowest end of the spectrum is a i i situation in which everything goes on as usual during the transition from 1999 to 2000. At the j opposite end of the spectrum the task force hypothesized a worst-case scenario involving a j widespread telecommunications outage, a complete loss of the North American power grid, and  !

. several major incidents at NPPs (e.g., station blackout, loss of ultimate heat sink, loss of j feedwater) in conjunction with risk-significant challenges at many other plants (e.g., loss offsite

power or feedwater transients). The task force decided that the most prudent course of action
was to identify a " planning scenario" that falls somewhere between the two extremes. This  !

3 planning scenario would encompass events that are beyond our current best estimate of likely 1

consequences, but that would allow the staff to respond to unforeseen possibilities. After  !

I j

\

d

i l'

i i

careful consideration of the current understanding of Y2K readiness and risk, as described in

Section ill, the task force established the following planning assumptions
;

i i

  • Y2K problems will lead to localized electric 1 grid disturbances and power outages within  ;

one or more interconnections. However, there will not be major regional or nationwide ,

) electric power outages.

).  ;

Local or regional telecommunications outages will occur, but there will not be a complete ,

loss of the public swiched network (PSN). Networks associated with Regional Bell Operating Companies (RBOCs), major independent telephone companies, and

interexchange carriers (IXCs) will remain functional.

l

' l

  • At least two NRC-licensed facilities will be affected directly or indirectly by a Y2K issue

{

that requires an NRC response (e.g., loss of offsite power). -
  • Y2K issues will affect at least one NPP outside of the United States.

i

  • . Unforeseen Y2K issues will place a dozen or more licensees in situations that depart ,

from a license condition or a technical specification.

B. INCIDENT RESPONSE -

Response Mode -

The task force deterrained that the backbone of the contingency plan should be the agency's $

well-established and well-tested incident Response Ple . On the basis of the planning scenario, the agency would enter Standby mode on Nw Year's Eve 1999. In Standby mode, l the Operations Center technical teams are completely staffed and a member of the Executive Team leads the agency's response. Ordinarily, the congressional and intemational liaison team l positions are not filled during Standby. However, as discussed below, the task force '

recommends not only staffing the intomational liaison team position, but augmenting it as well.

Attachment 1 provides a timeline of when the Operations Center would be staffed for Standby.

Operations Center Readiness ~

The NRC Operations Cbnter relies on three major interrelated systems to ensure the timely flow of information during ari emergency: the Emergency Telecommunications System (ETS), the Emergency Response Data System (ERDS), and the Operations Center Information Management System (OCIMS). ETS is the telecommunications network that NRC relies on for voice and data communication between the NRC Operations Center and the emergency response facilities (control room, technical support center, emergency operations facility) associated with every NPP and major fuel cycle facility. ERDS is a real-time data system that allows safety-related information to be downloaded from plant computers at all commercial NPPs. OCIMS is the primary means of creating, storing, sending, and retrieving information in the Operations Center. All three of these systems are considered mission critical. The staff is very confident that by the Office of Management and Budget (OMB) implementation milestone date of March 1999, these systems will be made Y2K compliant. Nonetheless, the staff has developed Y2K contingency plans for each of these systems. The contingency plans assume that electric power, telecommunications, and building support systems are available.

Although a widespread communications outage that affected both the Regional Bell Operating Company (Bell Atlantic) and the FTS2000 network is considered extremely unlikely, the NRC is exploring the option of becoming a node on an emergency communications network being planned by the National Communication System in preparation for potential Y2K problems.

This network may allow NRC to communicate with many of its licensees even if there is a regional telecommunications outage that affected the Washington, D.C. metropolitan area.

A localized outage (e.g., a problem at a central office) would be much less likely to affect NRC communications with its power plant and fuel cycle licensees. This is because the NRC's Emergency Telecommunications Systems (ETS) is designed to remain functional following a single fault or failure, barring a fire in the telephone cable room or some other common-mode failure. The trunk groups from the NRC private branch exchange (PBX) are routed to two physically separate add / drop multiplexers (ADMs) in the telephone cable room where they are added to the Synchronous Optical Network (SONET). Because SONET is "self healing" it should not be vulnerable to a single fiber cut. A limited number of Washington Interagency Telephone System (WITS) lines are also provided in the Operations Center in the event of a complete PBX failure. To provide for diversity, one of the trunks is routed to a different central office (CO) than the others. One of the trunks is dedicated to outgoing calls on the FTS2000 network. The FTS2000 network, the largest private telephone network in the world, is essentially independent of the public switched network. Currently, dedicated lines are run to each NPP site from the closest FTS2000 point of presence. However, because the direct access line (DAL) circuits are often run parallel with commercial telephone lines (and are, therefore, susceptible to common-mode failure mechanisms), an alternate means has been established to reach each NPP's control room via a microwave link through the load dispatcher.

The Operations Center also has a dedicated emergency power system, including a dedicated emergency diesel generator and several uninterruptible power supplies, and a dedicated i heating, ventilation, and cooling system. The Facilities Branch within the NRC Office of ]

Administration is working with the vendors of the support systems (environmental management I and control system, tenant chilled and condenser water systems, air handling units, emergency i power systems) to ensure that Y2K compliance meets the OMB-scheduled date of March 1999.

In addition, because a regional telecommunications or electric grid outage is a possibility, the staff recommends one additional contingency measure: a back-up operations center. The staff recommends that the Region IV Incident Response Center (IRC) be staffed with a small cadre of responders. Region IV was selected for several reasons:

  • Region IV is the only regional office that is not in the Eastem Interconnection. A major i grid outage in the Eastern Interconnection could affect Headquarters and Regions I,11,

& and 111.

.- Region IV is the only regional office that has telecommunications systems comparable to those at Headquarters. It was for this reason that the back-up to the Headquarters Automatic Notification System was placed in Region IV.

  • Region IV is one time zone removed from Headquarters and may be in a better position to respond to major problems on the East Coast that affected Headquarters.

l i

l

- l

I Staffing Because NRC's response to an incident at a NPP requires a different type of expertise than an ,

incident at a fuel cycle facility, the response procedures are oriented to a particular type of facility. For example, if an event occurs at a reactor, the Reactor Safety Team and a Protective Measures Team with speciahy in reactor safety are called to the Operations Center. However, in order to respond to the Y2K planning scenario, a scaled-down multidisciplinary team of responders, as described in Attachment 1, is recommended. The total number of Headquarters responders, approximately 40, represents about half of the number who would typically participate in a full-participation exercise. It is currently envisioned that the Region IV IRC would be staffed with approximately 20 responders, which corresponds to the current number of positions in the response organization. In their backup capacity, however, they would not be expected to carry out all of the responsibilities of the headquarters team. On the other hand,if the problems encountered during the Y2K transition are more significant than anticipated in the planning scenario, then Region IV could provide additional response support. The task force also recommends that a resident inspector be on site during the Y2K transition.

Information Brokers ,

This specialized response team would not only respond to any Y2K related problems at NRC-licensed facilities, but would also serve as a broker of safety-significant Y2K information that could affect our licensees. Ideally, any Y2K issues that may begin to appear in Japan, Korea, and other nations that are on the front end of the International Date Line could be communicated to NRC through IAEA. The response teams could then rapidly evaluate this information for applicability to NRC licensees and communicate this information via fax, phone, or computer (Internet). The task force also discussed the possibility that NRC could relay information related to Y2K issues experienced by facilities in the Eastern time zone, provided ,

that licensees volunteered this information as soon as possible and did not rely on the timing i and threshold established by the 10 CFR 50.72 reporting requirements. Although, it is unlikely that licensees could take corrective actions on the basis of this information (indeed, it may not be prudent to take short-term actions without thoroughly analyzing the problem), it may assist licensees in implementing contingency measures. This information-brokering activity is further discussed in the timeline provided as Attachment 2.

)

in developing the "early warning" scenario permitted by time zone differences, the task force I made several assumptions concerning the nature of the Y2K issue:

First, the Y2K issue is not limited to the transition that occurs at midnight, December 31,1999.

Other significant dates, including September 9,1999 (9/9/99) and February 29,2000 (a leap day), are discussed in Attachment 3. However, the task group concluded that the Y2K rollover is the most significant operating date. This assumption is consistent with the prioritization of transition date by groups such as the North American Electric Reliability Council.

Second, Y2K issues that originate with the midnight, December 31,1999, rollover may not be apparent at that time. For example, a control circuit that fails to reset for any date after 1999 may not exhibit this failure until a demand is placed on this circuit. This may not occur for days, weeks, or months after the transition date. The task force assumed that the greatest probability of failure, particularly for reactor safety systems, would occur shortly (seconds, minutes, hours) after the transition date because such short processing times are involved with these systems.

1 1

The general probability of failure would decrease with the passage of time, and risk factors involving simultaneous failures or failures involving infrastructure beyond the plant's control would also decrease. In any case, the task force recommends that the greatest emphasis be placed on facilities located in the time zone in which local midnight is occurring.

Third, some Y2K issues involving safety systems may show up quickly enough and clearly enough to be positively identified. This information could be passed along to units containing similar systems in sufficient time to take some positive action. The likelihood of such an event occurring and the usefulness of further distributing such information are clearly debatable.

Nevertheless, the provision for early warning due to time zone differences appears to warrant consideration in agency contingency plans.

O. REGULATORY RESPONSE -

As discussed in Section Ill, the nuclear industry is pursuing a program to identify and remediate Y2K issues that could affect facility operations. The program will incorporate effective contingency planning for reducing the risks associated with unanticipated Y2K-induced events.

Despite these activities, there remains some risk that software-based systems, components, or equipment will still be subject to Y2K-induced events at key rollover dates that affect facility operations. These risks are primarily external to the plant and are of particular concern with regard to electric grid availability (loss of offsite power), if such events were to occur, to i continue to operate the nuclear plant safely generating electrical power during the transitional period, the plant licensee may have to (1) take actions that depart from a license condition or a technical specification and (2) seek immediate approval from the NRC for such a departure from a license condition or technical specification. These actions may be in the best interest of maintaining public health and safety during the Y2K transition period.

The task force recognizes that the nexus between maintaining a reliable electric power grid and public health and safety is less clear and less direct than that which has traditionally been

, associated with NRC's statutory requirements under the Atomic Energy Act. However, because

the potential impact of the Year 2000 problem is so widespread, the task force believes that failure to provide electricity to customers at this critical time may have adverse public health and safety consequences.

The potential for adverse impact on public health and safety results primarily from the fact that

an unreliable grid can adversely affect NPP safety. An unreliable grid may result in a loss of offsite power at a NPP. A loss of offsite power requires NPPs to rely on their onsite sources of emergency power. Exclusive reliance on emergency power sources increases the overall plant risk from other, possibly Y2K-related, problems at the plant. In fact, probabilistic risk

, assessments frequently identify the loss of both onsite and offsite ac power, referred to as station blackout, as a situation that constitutes a major portion of the total plant risk.

In addition, failure to provide the electricity to the grid may also have an impact on public health and safety in a broader sense. For example, in mid-July 1995, a heat wave struck the upper Midwest and contributed to a number of fatalities in the Milwaukee and Chicago areas. Many of the fatalities were directly attributed to the heat, and involved people without access to air conditioning. A loss of the grid during this period would have likely resulted l'1 an increased 4

number of fatalities. In situations like this, grid reliability has a direct relationship to public health and safety.

i In an effort to help ensure reliable power to the electric grid during the transitional period of the  !

Y2K rollover date, as an important aspect of the protection of public health and safety in the {

broader sense discussed above, the task force recommends the following:

l i

The NRC examine whether the use of 10 CFR 50.54(x) by licensees in these  ;

circumstances may be appropriate.

l

- or - , t The NRC develop a revised enforcement discretion policy specific to the Y2K transition per8od with specific guidance on those circumstances under which continued plant i operation would be permitted and no significant safety concem results, j

=

i The NRC will provide support staff consisting of projects and enforcement personnelin j the Operations Center to assist licensees in making prompt operability determinations i during this transition period. I The NRC has determined that if the agency were to address Y2K issues affecting plant operability within the existing regulatory framework and procedures, continued safe operation of ,

the facility could be unnecessarily adversely impacted, thereby potentially resulting in adverse  !

Impact on public health and safety by forcing an unnecessary plant shutdown. NRC approval '

for relief from a technical specification or license condition under current practices for  :

notification of enforcement discretion would be too cumbersome and unworkable given the desire for prompt action if the licensee determines that continued safe plant operet% la j possible. Consequently,' a 10 CFR 50.54(x)-type relief or a revised enforcement discretion  :

policy will be considered.

The above options are currently under review and a final determination on the appropriate  !

approach to address this issue will be made after consideration of stakeholder input.  !

VI. REFERENCES x A. GENERIC COMMUNICATIONS y

f 1. May 11,1998_ . NRC Generic Letter 98-01: Year 2000 Readiness of Computer  !

fp Systems at Nuclear Power Plants.

l 1-  !

f ' 2. June 22,1998 - NRC Generic Letter 98-03: NMSS Licensees' and Certificate  !

b Holders' Year 2000 Readiness Programs.  !

L s .

( ' 3. > December 24,1996 - NRC Information Notice 96-70: Year 2000 Effect on N. Computer System Software.  !

.,1.,, f

4. August 6,1997 - NRC Information Notice 97-61: U.S. Department of Health and  ;

Human Services Letter to Medical Device Manufacturers on the Year 2000 i Problem. I

, _ =__ .. . _ _ .

J

5. August 12,1998 - NRC Information Notice 98-30: Effect of the Year 2000 Computer Problem on Material and Fuel Cycle Licensees and Certificate Holders.

B. INDUSTRY GUIDANCE DOCUMENTS

1. October 1997 - Nuclear Energy institute and Nuclear Utilities Software Management Group Report NEl/NUSMG 97-07: Nuclear Utility Year 2000 Readiness.
2. August 1998 - Nuclear Energy Institute and Nuclear Utilities Software Management Group Report NEl/NUSMG 98-07: Nuclear Utility Year 2000 Readiness Contingency. Planning.

C. OTHER RELEVANT DOCUMENTS

1. March 1937 - National Security Telecommunications Advisory Committee, Information Assurance Task Force: Electric Power Risk Assessment.
2. September 17,1998 - North American Electric Reliability Council: Preparing the Electric Power Systems of North America for Transition to the Year 2000, A Status Report and Work Plan.

2

3. August 13,1998 - Nuclear Regulatory Commission: Year 2000 Readiness Audit Plan (for NRC staff review of select nuclear power plants). '
4. September 8,1998 - North American Electric Reliability Council: Year 2000 Contingency Planning and Preparations Guide (Draft).
5. September 1997 - U.S. General Accounting Office (GAO): GAO/AIMD-10.1.14, Year 2000 Computing Crisis: An Assessment Guide."
6. . August 1998 - U.S. General Accounting Office (GAO): GAO/AIMD-10.1.19,

" Year 2000 Computing Crisis: Business Continuity and Contingency Planning."

1 s.

x.

I t

w

l HEADQUARTERS MULTIDISCIPLINARY TEAM OF RESPONDERS Executive Team Member (Lead overall response effort)

ET Chronology Officer Status Summary Officer Reactor Safety Team ,

Director -

Communicators (2) > '

Reactor Systems Analyst (Reactor Safety Team)

Electrical /l&C Specialists (2)

Foreign Reactor Experts (2)

Protective Measures Team Director Communicators (2)

State Interface Emergency Planning Specialist Dose Assessment Analysts Liaison Team State Liaison Federal Liaisons (2)

Intemational Liaisons (2)

Public Affairs (2)

Intelligence Community Liaison Operational Sucoort Team

'~

Coordinator ,

l Word Processing Operatort- ~

Electronic Mail Operator .

Courier / Facsimile Operator. _ .

Automatic Notification System Operator Information Technoloav Sucoort LTelecommunications Specialist Operation Center information Management System Contractor Facility Support Contractor (TECOM)

C .

f ' Headauarters'Ocerations Officers (2-3) i -

V - Reso$nse Coordination Team (2-3) t <

' Reaulatorv Response Team Project Director Enforcement Specialist l OGC Representative l

l ATTACHMENT 1

Y REGION IV BACKUP TEAM OF RESPONDERS

1. Base Team Manager ,
2. Base Team Secretary -
3. Director of Site Operations  ! ^
4. Dose Assessor
5. Emergency Notification System Communicator (Base Team) .  ;
6. Emergency Response Coordinator / Manager i
7. Emergency Response Data System Operator (Base Team)
8. Environmental Dose Assessment Coordinator '
9. Govemment Uaison Coordinator / Manager
10. Health Physics Network Communicator (Base Team)
11. ~ Health Physics Specialist
12. Monitoring & Analysis Coordinator - FRMAC

~

13. Protective Measures' Coordinator / Manager
14. Public Affairs Coordinator i.
15. Radiation Safety Coordinator ~
16. React'or Safety Coordinator / Manager
17. Reactor Safety Operations Coordinator 1
18. Reactor Systems Specialist 19.- Resource manager /NRC Field Office Coordinator  !

1

20. Safeguards / Security Coordinator (Position Under Review) l
21. ~ Status Sumrnary Communicator (Position Under Review) l

l TIMELINE FOR OPERATIONS CENTER STAFFING FOR STANDBY MODE I

{

Day Time Response Level l

12/31/99 1100 Relatively small cache of communicators, foreign reactor experts, l electrical /l&C experts, and NRC representatives will assemble in the Operations Center in preparation for calls from lAEA and other foreign regulatory bodies. Any reported Y2K-related plant system problems, grid problems, or widespread telecommunication outages will be evaluated for relevancy and communicated to our licensees. l 12/31/99 2300 Agency enters Standby response mode. Operations Center is staffed with specialized response staff plus representatives from OE, OGC, and NRR Projects to respond to emergency licensing issues.

01/01/00 0000 Y2K transition begins.

1 01/01/00 0015 Operations Center communicators conduct " phone checks" of all NPPs and fuel cycle facilities in EST zone. Any Y2K problems are reported to licensees. i 01/01/00 0115 Operations Center communicators conduct " phone checks" of all NPPs and fuel cycle facilities in CST zone. Any Y2K problems are reported to licensees.

01/01/00 0215 Operations Center communicators conduct " phone checks" of all NPPs and fuel cycle facilities in MST zone. Any Y2K problems are reported to licensees.

01/01/00 0315 Operations Center communicators conduct " phone checks" of all NPPs and fuel cycle facilities in PST zone. Any Y2K problems are reported to licensees.

01/01/00 0600 The Executive Team member would decide when the response organization'could stand down from Standby or if events warrant escalating the NRC response to initial Activation. Provided that there are no major Y2K-related problems, the NRC would continue to monitor for a couple of days with a small cadre of Y2K experts.

s

+

ATTACHMENT 2

CRITICAL DATES (From " Circles of Risk" by Jay Golter and Paloma Hawry)

January 1,2000, is not the only date in the near future that may disrupt data-processing systems. Other dates that could cause disruptions are the following:  !

January 1,1999, One-Year-1.cok-Ahead Date into Next Century . -

Many computer programs process data by looking forward one year and counting dates back from that point. If such systems have two-digit date problems that are not corrected in time, they may begin to malfunction or fail at the start of 1999.

August 22,1999, GPS Rollover The Global Positioning System (GPS) is a constellation of 24 low-orbiting satellites that continuously signal data that can be used to determine the exact location of any receiver on the surface of the earth. The data are also used by some systems to establish the exact time of day for transaction logging. The clocks on this system report the time as the number of weeks since the launch of the system in 1980. On August 22,1999, this counter will overflow and return to 0000 (as would happen on the odometer of a car that traveled 1 million miles). At that point some systens, or equipment, that use the GPS signals may malfunction. Among the vulnerable devices are some cellular telephones, devices that track the location of freight shipments, and some navigational equipment.

However, many manufacturers of such devices have built their products to handle the rollover period correctly. ,

l September 9,1999 (9/9/99)

A common programming device was to enter 9999 as a signal that a stack of data had i reached its end. This signal may sometimes have been programmed on date fields, ,

with the result that the date 9/9/99 will have a special and unintended meaning in a l program. Although the incidence of 1/1/2000 problems appears to be much greater l than that of 9/9/99 problems, systems should be checked for each. l February 29,2000 (Uncommon Leap Year)

The year 2000 is divisible by four and is a leap year. However, years divisible by 100

' are not leap years (1900 was not one) unless they are divisible by 400 (2400 will be another leap year). Some programmers did not know about the hundred-year rule when j they wrote their original codes, and those programs will run fine in 2000. Some '

programmers knew about the hundred-year rule, but not about the four-hundred-year

( '

rule, and their programs are likely to fail. ,

l December 31,2000 (366* Day of Uncommon Leap Year) i l

Some programs operate by counting the days in the year. If the writers of these programs were unaware of the uncommon-leap-year situation, the's systems may not fail until December 31,2000, the (unexpected) 366* day of the yeai.

ATTACHMENT 3