ML20210L332

From kanterella
Jump to navigation Jump to search
Final USNRC Contingency Plan for Y2K Issue in Nuclear Industry
ML20210L332
Person / Time
Issue date: 05/10/1999
From:
NRC
To:
Shared Package
ML20210L326 List:
References
PROC-990510-01, NUDOCS 9908090082
Download: ML20210L332 (62)


Text

l c

z 47

{&gc.h8PEGu A o 4

m 0

E: 1 E

1 o& G O

4 4*4 4+

l l

l U.S. Nuclear Regulatory Commission Contingency Plan for the Year 2000 issue in the Nuclear industry May 10,1999

D8S288
!7J8P' CORRESPONDENCE PDR l

Year 2000 Readiness Disclosure Pursuant to the Year 2000 Information and Readiness Act Pub. L No.105-271,112 Stat. 2386 (1998)

1 l

l =

Team Members l The members of the Contingency Plan for the Year 2000 issue in the Nuclear Industry Team are as follows:

Joseph G. Giitter, IRO, Chair Clarence P. Breskovic, OIP Jos6 A. Calvo, NRR Matthew Chiramal, NRR Laura S. Gerke, OCA Thomas P. Gwynn, RIV Elizabeth A. Hayden, OPA Thomas G. Hiltz, EDO Jerry L. Mauck, NRR Gary W. Purdy, NMSS Randolph L. Sullivan, NRR John C. Voglewede, OClO Jared S. Wermiel, NRR Richard H. Wessman, NRR l

Other Contributors Thomas H. Andrews Jr., RIV Julie A. Crutchley, NRR l Mary Glenn Crutchley, IRO .

l Harry D. Felsher, NMSS i Joseph R. Gray, OGC Allen G. Han'sen, NRR l James W. Hufham, Rll James H. Joyner, lil, RI l John R. Jolicoeur, IRO i Falk Kantor, NRR l Roland Lickus, Rill Renee M. Pedersen, OE i

L

a O

TABLE OF CONTENTS

1. I NTR OD U CTI O N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

' II. BAC KG RO U N D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... .. ..1 lll. PROBLEM STATEM ENT . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 A. R EACTO RS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1. Commercial Nuclear Power Plants . . . . . . . . . . . . . . . . . . . . . . . . . . 1 l 2. Research and Trainingfrest Reactors . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Decommissioned or Permanently Shutdown Reactors . . . . . . . . . . . . . 4 B. MATERIALS LICENSEES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1. M edical licensees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Radiopharmaceutical Manufacturers . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. I rradiators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Fuel Cycle Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 C. I NTERNATI ONAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 D. I N F RASTR U CTU R E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1. Electrical Grid Concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -. . . . . 7
2. Telephone Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... 10
3. Flooding / Loss of Heat Sink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4. C on su m a ble s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 IV. C OO R D I NATIO N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 A. I N D U STRY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 B. WH ITE H O U S E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 C. OTHER FEDERAL AGENCIES . . . . . . . -. . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 D. AGREEM ENT STATES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 E. lNTERNATIONAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15 V. C O NTI N G E N CY P LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . .... 18 A. SCENARIO DEVELOPMENT . . . . . . . . . .. . . .. .. . .. . 18 B. INCIDENT RESPONSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18 C. NPP INFORMATION SHARING . . . . . . . . . . . . . . . . . . . . . . . .. . 24 D. NPP REGULATORY RESPONSE . . . . . . . . . . .. . .... ..... . 26 I

1 E. EXERCISES / WORKSHOPS . . . . . . . . . . . . . ..... . ....... .. . 26 VI. REFERENCES '. . . . . . . . . . . . . . .... ...... . .... . .. .. ......... .. 28 A. GENERIC COMMUNICATIONS . . . . . . . . . . . . . . . . . . . . .... ........ 28 B. INDUSTRY GUIDANCE DOCUMENTS . . . . . . . ..... ..... . . ... . 29 C. OTHER RELEVANT DOCUMENTS . . . . . . . . . . . . . . . . ..............29 ATTACHMENT 1 COMMENTS ON DRAFT Y2K CONTINGENCY PLAN FROM EXTERNAL STAKEHOLDERS . . . . . . . .. . ...... ... .i ATTACHMENT 2 - Y2K REMEDIATION STATUS OF NPP AND GDP TELCOS (as of April 14,1999) . .. .. . . . xix ATTACHMENT 3 TIMELINE FOR OPERATIONS CENTER STAFFING FOR STANDBY MODE . . . . . . . . . . . . . . . . . . . . . . ..... . . . . xxiii ATTACHMENT 4 Y2K STAFFING PLAN . . . . . . . . . . . . . . . . . . . . . . . . .... . . . xxiv ATTACHMENT 5 NRC Y2K EXERCISE SCHEDULE . . . . . . . . . . . . . . . . . . .... .xxviii 2

l. INTRODUCTION-The NRC is pursuing a comprehensive program for dealing with potential Year 2000 (Y2K) problems. ' We continue to work with our licensees to ensure that potential Y2K problems have been identified and rectified. Based on progress to date, we have a high degree of confidence that our licensees will complete all of their Y2K efforts by December 31,1999. NRC completed Y2K remediation of its own systems on February 5,1999, well ahead of the Office of Management and Budget (OMB) target of March 31, %99. However, because of the nature of the Y2K issue, it is not possible to be 100 percent certain that all potential problems will be corrected. For this reason, the NRC established a task force to develop a contingency plan for ensuring that public health and safety and the environment will continue to be protected, if unforeseen Y2K problems occur.

In a statement to the Senate Special Committee on the Y2K Technology Problem on June 12, 1998, Chairman Jackson said that the NRC recognizes "the national importance of a broader focus that helps to ensure that potential concems with electrical grid reliability are identified and resolved." To this end, the task force also explored contingency planning options for responding to regulatory and licensing issues that may result from grid reliability problems.

This contingency plan was originally issued in draft form and placed on the NRC extemal web site to allow for stakeholder feedback. This modified contingency plan reflects stakeholder comments, which are identified and addressed in Attachment 1. Additional information on j NRC's Y2K program, including the NRC Y2K contingency planning effort, can be found on the NRC Y2K web site (http://www.nrc. gov /NRC/ NEWS / year 2000.html).

11. BACKGROUND Y2K-induced events are events that arise from a date-related problem that is experienced by a software system, a software application, or a digital device at a key rollover date when the system, application, or device does not perform its intended function. December 31,1999, to January 1,2000, and February 28,2000, to February 29,2000, are examples of key rollover dates. The nuclear utility industry is engaged in Y2K readiness programs at all nuclear power plant (NPP) facilities to seek out and correct Y2K problems that have any potential to affect facility operations. Despite these efforts, there is some risk of Y2K-induced events. Effective Y2K contingency planning sets up a process for reducing such associated risks. The next section describes how the Y2K issue could affect facilities and other entities regulated by the NRC.

Ill. PROBLEM STATEMENT A. . REACTORS

1. Commercial Nuclear Power Plants The electricity production and delivery systems, as two of the more important elements of the North American economic and social infrastructure, must remain dependable during the transition to the year 2000. Every other critical element of infrastructure depends on the availability of an interconnected, reliable supply of electrical power. There is no doubt that cascading or even localized outages of generators and transmission facilities could have serious l

short- and long-term consequences. Continued safe operation of NPPs during the transition plays a major role in maintaining reliable electrical power supply systems.

To ensure continued safe operation of NPPs during the Y2K transition and beyond, the NRC has been working with licensees of operating NPPs to achieve Y2K readiness of their facilities before the year 2000. The NRC has issued Information Notice 96-70, " Year 2000 Effect on Computer System Software," December 24,1996; Generic Letter (GL) 98-01, " Year 2000 Readiness of Computer Systems at Nuclear Power Plants," May 11,1998; and GL 98-01, Supplement 1, .* Year 2000 Readiness of Computer Systems at Nuclear Power Plants,"

January 14,1999, in GL 98-01, the NRC requested that all operating nuclear power plant licensees submit written responses regarding their facility-specific Y2K readiness programs in order to obtain confirmation that licensees are addressing the Y2K problem effectively. All licensees have responded to GL 98-01 stating that they are implementing plant-specific programs based upon industry guidance (Reference B.1) that are intended to make the plants Y2K ready by July 1,1999. Industry has also prepared guidance (Reference B.2) for Y2K contingency planning which is being used by NPP licensees in developing plant-specific Y2K contingency plans as part of Y2K readiness activities. Both GL 98-01 and GL 98 Supplement 1, request a written response, no later than July 1,1999, confirming that these facilities are Y2K ready. Licensees who are not Y2K ready by July 1,1999, must provide a status report and schedule for remaining work to ensure timely Y2K readiness.

In addition, NRC audited 12 nuclear power plant licensee Y2K programs (representing a cross-section of type of design, use of computer systems, age of the plants and geographical

' location) to evaluate the effectiveness of the programs NPP licensees are taking to identify and correct Y2K issues at their facilities. These audits, which represent 42 of 103 nuclear power plant units, were completed in January 1999. Based on the results of these audits, the NRC concluded that the audited licensees were effectively addressing the Y2K problem and were undertaking actions necessary to achieve Y2K readiness in accordance with the guidance in GL 98-01. The NRC staff did not identify any issues that would preclude these licensees from

. achieving Y2K readiness. These findings are consistent with those recently reported by the Department of Energy in the report prepared by the North American Electric Reliability Council on the status of Y2K readiness of the electric power grid. The NRC is not aware of any Y2K problems in nuclear power plant systems that directly impact actuation of safety functions.

Errors such as incorrect dates in print-outs, logs, or displays have been identified by licensees in safety-related devices, but the errors do not affect the functions performed by the devices or systems. Most Y2K problems are in balance-of-plant and other systems such as security systems and plant monitoring systems which support day-to-day plant operation but have no direct functions necessary for reactor safety. These systems are being addressed in the licensee Y2K readiness programs consistent with the industry gtidance and GL 98-01 schedule.

Based on the completed audits, the NRC staff noted that licensee Y2K contingency planning efforts have not progressed far enoug.1 for a complete NRC review, and, therefore, additional '

oversight of this area is planned. Over the next few months, the NRC plans to review the contingency planning efforts of six licensees different from those included in the initial 12 sample Y2K readiness audits. These reviews will focus on the licensees' approach to addressing both internal and external Y2K risks to safe plant operations based on the guidance in NEl/NUSMG 98-07.

2

l 6 . -

The staff has begun additional assessment of Y2K programs at all operating nuclear power plants. NRC resident or regional inspectors will review plant-specific Y2K program implementation activities. including contingency planning. The inspectors will be using guidance prepared by the NRC headquarters staff who conducted the 12 sample audits. Training in the use of the guidance has been provided and experienced headquarters staff will be available to the resident or regional inspectors for support and assistance during the review as necessary.

Headquarters will also provide oversight of these reviews to ensure consistency among the Y2K program implementation activities.

, IntemalFacility Risks The Y2K readiness program implemented by each NPP utility is intended to identify and fix -

software-based items that could degrade, impair, or prevent operability of the facility. Safety- l related instrumentation and control systems that perform safety function actuations do not present a Y2K issue because, in the vast majority of NPPs, these systems are analog hardwired and therefore do not rely on software that may be subject to the Y2K problem. In those few cases in which such systems are computer based, the software does not have date-driven

- functions that may be affected by the Y2K issue. However, there remains some risk that plants

. could still be subject to a Y2K-induced event that has an effect on facility operations. Examples of such intemal facility risks at NPPs are computer-based control systems for feedwater control, turbine control, and generator voltage regulator control; plant process computer; control rod position information system; security computer system; and area radiation monitoring systems.

NEl / NUSMG 98-07 provides a methodology for developing contingency plans to reduce the risk of Y2K-induced events. Contingency plans should be developed based on risk, consequences, and possible mitigation strategies.

ExtemalRisks Even if the intemal facility risks are small, there are still extemal risks to consider. Extemal risks arise from conditions, circumstances, or events that are beyond the direct control of facility management. The task force identified electrical grid and telecommunications concems as the  !

most significant extemal risk censiderations; these and other concems are discussed further in  !

Section D. A methodology for identifying, analyzing, and managing extemal risks is available in l NEl / NUSMG 98-07.

2. Research and Training / Test Reactors ]

Research and training / test reactor licensees have established programs to evaluate and correct j Y2K deficiencies. Many research reactors will be shut down on January 1,2000, as the institutions operating them (e.g., universities and laboratories) will be closed for the holiday.

Further, these reactors often have passive safety features and low power levels, which ensure minimal potential offsite consequences. In addition, the staff concluded that any research  !

reactor in operation on January 1,2000, could be readily shut down manually using emergency

- procedures and existing shutdown systems, even if their operational systems should experience a Y2K problem.

1 3

I l

l

( ,

I

3. Decommissioned or Permanently Shutdown Reactors .

1

. The staff is assessing the need for Y2K regulatory oversight at decommissioned or permanently shutdown reactors. Although health and safety issues are not postulated, these facilities may

' have process control, computers, or administrative support devices susceptible to a Y2K problem.

B. MATERIALS LICENSEES The Y2K issue could affect NRC's materials licensees in different ways because of the diverse types of work performed by those licensees. For example, medical licensees, radiopharma-ceutical manufacturers, and irradiator facilities would be concemed about systems that could affect worker or public health and safety. Fuel cycle facilities would be concemed about systems that could affect the common defense and security, as well as systems that could affect

. worker or public health and safety. If it is determined that a device has a Y2K problem that affects health and safety, NRC will use generic communications (such as Information Noticps) to notify licensees of unsafe devices. Y2K problems could occur in systems developed intemally by licensees or consultants, or systems that are acquired from extemal sources. In an effort to inform materials licensees and fuel cycle facilities of the Y2K issue, NRC has issued one generic letter (Reference A.2) and three information notices (References A.3, A.4, and A.5).

1. Medical Licensees intemalRisks For medical licensees, overexposure or underexposure of patients represents the greatest intemal Y2K risk. During on-site interviews with licensees and manufacturers, NRC found that devices containig byproduct material (high-dose-rate afterloaders and teletherapy units) appear to be Y2K compliant. However, manufacturers of some treatment planning systems and dose calibrators have found that the devices are not Y2K compliant, but upgrades for these treatment planning systems and dose calibrators are generally available from manufacturers.

The NRC does not regulate treatment planning systems and dose calibrators, because they do not contain licensed radioactive material. NRC is working with the Food and Drug Administration (FDA) to determine if there are any health and safety problems associated with medical devices that use byproduct material. In addition, NRC inspectors make Y2K inquiries' during each routine inspection. Again, treatment planning systems and dose calibrators have been identified as having Y2K problems. Materials inspectors have indicated that licensees are aware of available upgrades and the licensees will upgrade the systems to be Y2K compliant before the end of 1999. Due to the efforts of licensees, manufacturers, FDA, and this agency, NRC believes that the Y2K risk to patients from medical devices that contain byproduct material is low.

ExtemalRisks For medical licensees, extemal Y2K risks include lack of supplies and loss of power. Most hospitals stock necessary supplies and have emergency power. Supply shortages would affect hospital operations, but should not have an impact on radiation safety. However, power 4

4 J

interruption could be a contributing factor to a misadministration during teletherapy treatment.

NRC has identified at least one case in the past where loss of electrical power during a

  • teletherapy treatment contributed to a misadministration (the patient treatment table moved when the power was off and, following the power restoration, the wrong side of the patient was

- treated). This misadministration could have been avoided if proper procedures had been g followed. With backup power systems and close adherence to procedures, NRC believes that l the Y2K risk to patients from medical devices that contain byproduct material is low.

2. Radiopharmaceutical Manufacturers IntemalRisks l For radiopharmaceutical manufacturers, overexposure of workers, release of radioactive material to the environment, product quality, and accuracy of the measured activity represent the greatest intamal Y2K risk. During an interview of a large manufacturer of L radiopharmaceutical products, the manufacturer indicated that the Y2K issue would not affect worker health and safety or the environment. The safety systems used at the facility are not computer-controlled. Further, the doss /6alibrators used at the facility are Y2K compliant. The manufacturer believed that the Y2K issue would not affect product quality or accuracy of the measured activity. Due to the use of safety systems that are not computer controlled, and the use of Y2K-compliant dose calibrators, NRC believes that the Y2K risk to workers, the
environment, and patients from manufactured radiopharmaceutical products is low.

ExtemalRisks '

For radiopharmaceutical manufacturers, extemal Y2K risks include lack of supplies and loss of L power. These extemal factors may lead to a reduction in the production of radiopharma-cauticals. Supply shortages or a stop in produdion should not have an impact on radiation safety. A loss of power could affect ventilation systems which may lead to higher airbome concentrations of radioactive material. However, procedures are in place to minimize exposure of employees to byproduct materials when ventilation is lost. NRC believes that the Y2K risk to workers, the environment, and patients from manufactured radiopharmaceutical products is low.

I

3. Irradiators IntemalRisks For irradiator licensees, protecting worker health and safety represents the greatest intemal Y2K risk. NRC has interviewed an organ!zation that operates 12 large irradiator facilities in the United States. During the on-site interview, the licensee indicated that there are no health and safety problems related to the Y2K issue. The interlock systems and source movement systems for the irradiators'are not controlled by computers. Currently, NRC materials inspectors make Y2K inquiries during routine inspections of irradiator facilities. During one inspection, the licensee informed NRC that their tote position display is not Y2K ready. The tote position display is not a safety system; the tote system is used to move products through the irradiator.

Further, this system is a one-of-a-kind modification made by the licensee. The licensee was authorized by NRC to make the modifications and is updating the display system. Because the 5

safety systems used at these facilities are not computer-controlled, NRC believes that the Y2K risk to workers from irradiator facilities is low.

hiemalRisks For irradiators, the external Y2K risk is loss of power. For panoramic irradiators, loss of power would cause the totes to stop moving through the irradiator which could lead to a fire involving products within the irradiation area. NRC requires that, if power is lost for more than 10 seconds, the source racks are automatically lowered into a shielded position. Further, the lock to the radiation room door is required to not be deactivated by a power failure. Finally, the irradiator sources are designed and built to withstand the heat generated by a fire. NRC believes that the Y2K risk at irradiator facilities to workers is low.

4. Fuel Cycle Facilities IntemalRisks Foi fuel cycle facilities, there have been no identified internal-only Y2K risks. During on-site interviews with three fuel cycle facilities, NRC found that the facilities were aware of the Y2K issue. In addition, NRC inspectors have asked Y2K questions during inspections at all fuel cycle

- facilities. Based on these Y2K inspections, the facilities were aware of the Y2K problem and were adequately addressing Y2K issues.

A generic letter (Reference A.2) was sent to major fuel cycle facilities which requested written confirmation by December 31,1998, that their computer systems were Y2K ready and that the facilities can operate safely before and after January 1,2000.- The generic letter also requested that if a facility was not Y2K ready by December 31,1998, a status report and schedule for remaining work would be sent to the NRC by July 1,1999. Each fuel cycle facility has responded to the generic letter and stated that they have implemented a Y2K readiness program. No facility stated that they were Y2K ready by December 31,1998, however each facility has indicated that they will be Y2K ready well before January 1, 2000. The Y2K readiness program implemented by eacn facility is intended to identify and repair software, hardware, and embedded systems that could degrade, impair, or prevent operability of the facility.

hiemalRisks For fuel cycle facilities, external Y2K risks include diversion / theft of special nuclear material, for a Gaseous Diffusion Plant (GDP) there is the added risk of lose of heat /off-site power, and exposure to workers from a uranium hexafluoride (UF.) release during restart. NRC believes the risk of diversion / theft of special nuclear material to be low. The restart of a GDP poses no risk to members of the public. There have been no identified risk-significant Y2K concems for fuel cycle facilities.

I 6

1

C. INTERNATIONAL The latest assessment by The President's Council in the Year 2000 Conversion (Reference C.9) concludes that Intemational Y2K activity is significantly lagging and will be the source of greatest Y2K risk to the U.S. For these reasons, NRC is reviewing existing emergency notification procedures with our intomational counterparts and coordinating Y2K-related contingency plans, particularly with Mexico and Canada.

D. INFRASTRUCTURE

1. Electrical Grid Concems Extemal electrical grid system problems that could arise as a result of a Y2K problem are grid instability, voltage and frequency fluctuations, circuit breaker malfunctions, load fluctuations, and loss of grid control systems. The North American Electric Reliability Council (NERC) has released quatterly reports on the t'atus of Y2K remediation and contingency planning for the North American electric power supply and delivery systems (Reference C.2, C.8, and C.11).

With more than 75% of mission-critical components tested through March 31,1999, findings continue to indicate that transition through critical Y2K rollover dates is expected to have minimalimpact on electric system operations in North America. Only a small percentage (i.e.,

less than 3%) of components tested indicate problems with Y2K date manipulations. Most of the reported problems are what NERC refers to as " nuisance errors," such as incorrect data displays and date-time stamps used for data logging and reperting. According to NERC:

"In most cases Y2K does not affect primary device functions related to keeping generators and power delivery facilities in service and electricity supplies to customers."

(Reference C.11).

A more detailed discussion of how the Y2K problem could affect the North American electric grid is provided below.

Y2K Threats to the Electric Grid The North American electric grid consists of four regional electrical grids or Interconnections, as shown in Figure 1.

The largest Interconnection is the Eastem Interconnection which covers the eastem two-thirds of the United States and much of Canada. The Westem interconnection, which essentially covers the westem third of the United States and Canada, is the only interconnection with ties to 7

b

%_ ./

JR8962&B E -Westem interconnection Ed - Texas interconnection 0 - Eastem Interconnection 8 - Quebec interconnection Figure 1. Electrical Grid interconnections in North America Mexico.' The Quebec Interconnection (sometimes included as part of the Eastern interconnection) covers the Canadian Province of Quebec. The Texas Interconnection, also known as the Electric Reliability Council of Texas (ERCOT), covers most of Texas. Ee interconnections are mostly independent of each other, except for ac/dc/ac inter-ties that filter out most disturbances. Thus, in the worst case situation, a wide-spread outage, however unlikely, would be confined to the affected interconnection.

NERC has identified the following four critical areas that pose the greatest direct threat to power production and delivery: Power Production, Energy Management Systems, Protection Systems, and Telecommunications.

Power Production I

Power plants must be capable of responding to load supply and demand on the grid during the Y2K transition period. Newer plants with digital control systems may be the most vulnerable.

' The U. S. interface with Mexico primarily resides in two power areas of the Western Systems Coordinating Council (WSCC): (1) Cahfornia-Mexico Power Area which serves the Baja California region with 408 MW transfer capability and (2) Arizona-New Mexico-Southem Nevada Power Area which serves through a Southwestern tie (312 MW transfer capabikty which is limited by Presidential permit to 200 MW) to Northem Mex!9. Given that Mexico ,

represents a small proportion (0.7% and 1.1% respectively) of the transmission load profile for the WSCC l operational areas cited above, the staff does not believe that Mexico originated Y2K power systems problems will pose a significant threat to U. S. power production and delivery. The Electric Reliability Council of Texas (ERCOT) does not have interconnections with Mexico.

l

p l )

L' . The control and protection functions that the digital control systems perform often utilize time-dependent algorithms, which can, if uncorrected, lead to unintentional generator trips.

3 j

, Energy Management Systems l Electric utility control centers monitor power system operations (including generating plants, transmission and distribution systems, and customer loads), retain historical data, and allow for the manual and automatic control of field equipment. The control center's energy management system includes supervisory control and data acquisition systems, automatic generation control systems, energy management applications and databases, and graphical user interfaces.

I Uncorrected Y2K issues in these systems could result in the loss of monitoring, dispatching, and control functions, in addition, many energy management systems rely on precise time signals that may be provided by global positioning system (GPS) technology. GPS has a unique and pressing problem: the clock used by this system will turn over to 0000 Universal Time Code (UTC) time on August 22,1999.

Protection Systems i

Many newer relay protection devices are digital and are vulnerable to Y2K issues. The concem l

l raised by NERC was the possibility of a common-mode failure in which all relays of a particular model fail at once, causing a latge number of coincident outages in transmission facilities.

i Telecommecications Interdependencies with telecommunications continues to be a top priority for the electric industry. As shown in Figure 2, the transmission and distribution of electrical power is highly dependent on microwave, telephone, and very high frequency (VHF) radio communications.

Telecommunications systems, in tum, are highly dependent on the availability of electrical power. This mutual dependence directly affects real-time operations and control of electric systems and therefore requires the greatest attention in contingency planning and preparations.

The electric industry is working with the telecommunications industry to address this dependency issue. Coordination meetings are taking place to understand the contingency requirements of each sector. Controlled demonstration tests are planned between electric substations and control centers and extemal telecommunications providers. The lessons from these coordination meetings and demonstration tests will be widely distributed to members of both industries. Additionally, communications will be the focus of electric industry contingency planning and drills.

l First drafts of contingency plans have been completed by bulk electric operating organizations and reviewed by North American Electric Reliability Council (NERC) and the NERC Regional Councils. Contingency plans are to be ready by the end of June 1999. The electric power ,

industry of North America conducted a coordinated drill on April 9,1999 which simulated the 1 l partialloss of voice and data communications needed to operate the electric power grids of the United States and Canada. This drill, which was facilitated by NERC, successfully tested l backup voice systems and manual procedures needed to support grid operations in the unlikely j event of a loss of telecommunications. A second, more comprehensive NERC drillis planned i l

9

! for September 8-9. The next section describes how Y2K issues are being addressed by the telecommunications industry.

g--

c y. ..

l

'II K .... . . . . . '

/\ 3

~  :

_ 1 1111111 i l lll ii in * * " , , . - I

~ j

\ ..

mW W p ,g ag= cg. ,,=l;=

>="

Figure 2. The Generation. Transmission. and Distnbution of Electricity Requires Telecommunications Systems

2. Telephone Network As discussed previously, reliable telecommunications service is crucial to the production and delivery of power. Based on information from the Federal Communication Commission (FCC),

the National Communications System (NCS), and the President's National Security Telecommunications Advisory Committee (NSTAC), it appears that there will be little or no interruption of service as a result of the Y2K issue from the major telecomrd;.:nication providers.

This is significant because the major local exchange carriers (LECs), such as Bell Atlantic, SBC, GTE, and U.S. West represent over 95% of the switched and special access lines in the nation.

However, many of NRC's nuclear power plant and fuel cycle facility sites are located in rural areas that are serviced by one of approximately 1,400 small and independent telephone companies. Consequently, the task force evaluation of the telecommunications infrastn:cture devoted special attention to the Y2K status of the smaller telephone companies.

In July 1998, the FCC rechartered the Network Reliability and Interoperability Council (NRIC) to advise the FCC on efforts of the telecommunications industry to prepare for the Y2K transition.

A March 1999 report (Reference C.10) issued by the FCC in conjunction with NRIC concludes:  ;

"Our analysis of the public telephone network indicates that the largest local and long distance carriers are well on their way to being ready for Year 2000. These carriers are expected to be 100 percent ready, including having their contingency plans in place, by the second quarter of 1999."

10 i

However, the report further concludes

"The remaining carriers, which we define as medium /small, lag behind the large

, carriers in their remediation and contingency planning efforts and nearly half of I

the small medium carriers surveyed by the Commission reported not having formal processes for managing the Year 2000. These findings are of concem to us."

The task force has also followed the efforts of the President's National Security Telecommunications Advisory Committee (NSTAC) Year 2000 Subgroup, which has been l tasked by the NCS to (1) investigate the Y2K readiness of the information and telecommuni-L cations infrastructure as it relates to an enduring continuity of Govemment and (2) investigate societalimplications of potential Y2K outages and contingency planning efforts with respect to private sector operations in the United States and abroad. One of the major conclusions of the September 1998 NSTAC Year 2000 Subgroup status report (Reference C.7), is that "interoperability testing between service providers is critical to preparing the telecommunications infrastructure for the millennium change."

l Consequently, the task force has kept abreast of telecommunications industry interoperability test programs. In March 1999, the Telco Y2K Forum, a consortium of the nations largest LECs,

!- completed six months of testing for potential Year 2000 complications that might affect interoperability within the voice and data networks. These tests involved equipment and software common to the Telco Forum members companies-about 90% of the access lines in the nation. Only six Y2K-related anomalies were identified in over 1,900 tests. These six anomalies were subsequently resolved, retested, and subsequently passed. Similar testing l between LECs and long distance companies (Sprint, AT&T) conducted under the auspices of

~

I the Alliance for Telecommunications Industry Solutions (ATIS) is also being conducted. Of particular note is the fact that the ATIS tests include the Govemment Emergency Telecommunications System (GETS) GETS, which provides authenticated access, enhanced

- routing, and priority treatment in long-distance telephone networks, is one of the Government-l - wide emergency telecommunications initiatives administered through the NCS.

Conclusion regarding telecommunications infrastructure

- The task force concludes that wide spread telecommunications outages are highly unlikely, i based on information from the FCC and NSTAC and the results of the Telco Y2K Forum and l ATIS interoperability tests. More likely are local telecorr; "anications outages, particularly in areas that rely on small and independent telephone companies. Because many of the facilities licensed by NRC are located in rural areas that are served by these smaller telephone companies, the NRC requested the NCS to contact the telecommunications service providers regarding the Y2K compliance of their local telephone office switches. The results of this survey, provided in Attachment 2, suggests that the local telephone switches providing service l to NPPs and GDPs will be Y2K compliant. In addition, many utilities have corporate communication networks that they would be able to rely upon as well as the Emergency l'

Telecommunications System (ETS) provided by the NRC. The backbone of the ETS is the FTS 2000 network, which will be Y2K ready by July 1999, according to General Services Administration (GSA). ' Although it appears that the telecommunications infrastructure that NRC 11

1 l

relies'on to communicate with NPPs and GDPs will be Y2K ready, the staff is taking prudent

, measures to establish a backup emergency communication capability, as discussed in Section V.B.

3. Flooding / Loss of Heat Sink in NEl/NUSMG 98-07, loss of heat sink was identified as an external event that NPPs should consider for contingency planning purposes. This is a potential concem because systems used to control the amount of water released from a reservoir or hydroelectric dam can rely upon computers or embedded controllers that are suscepti' ole to the Y2K problem. Consequently, the task force examined the potential for a Y2K-induced loss of heat sink (or flooding) that could' affect NRC-licensed facilities that are on rivers or flood plains.

The NRC has leamed from the U.S. Army Corps of Engineers (USACE) that, although there are potential Y2K problems that could prevent the operation of these systems, there are no I identified failure mechanisms that could result in a substantial increase or decrease in the amount of water released. !n addition, there is a capability to manually operate the hydroelectric plants or, if necessary, the sluice gates in a manner that ensures that minimum downstream flows are maintained.

Another factor examined by the task force was the need for reliable communication between nuclear power plant operators and the USACE. For example, in January, ice jamming on the Missouri River could result in reduced river water levels. Often when this occurs, affected NPP operators contact the USACE and ask them to increase downstream flows. However, because the chain of events that influences river water levels typically takes place over a number of days, this scenario would only be a concem if there were a prolonged (i.e., at least several days) telecommunication outage. Since this is highly unlikely, the task force concluded that loss of j heat sink was not a significant concem for NRC contingency planning purposes.

4. Consumables Another concem raised by the task force was the potential that certain chemicals, diesel fuel oil, water, food, and other consumables may be difficult to obtain if the Y2K transition results in a breakdown of major infrastructures. As an example of this potential problem, a truck en route to the Turkey Point Plant to deliver water in the aftermath of Hurricane Andrew was diverted by local law enforcement officials for another use. Based on the latest assessment by the )

President's Council on the Year 2000 Conversion, the infrastructure necessary to support a dependable supply of consumables (chemicals, water, oil and gas, and trensportation) is expected to be ready for the Y2K transition. Depletion of consumables is also addressed in NEl/NUSMG 98-07. <

IV. COORDINATION A. INDUSTRY In the summer of 1998, with oversight from the Nuclear Energy Institute (NEI), the industry formed a Contingency Planning Task Force to provide NPP utilities with a " focused approach" to -

12

4 [

[

}

.Y2K contingency planning.- The primary product of that task force was a Y2K contingency plan guidance document entitled NEI/NUSMG 98-07, Nuclear Utility Year 2000 Readines.s Contingency Planning, dated August 1998. This document, which builds on Y2K readiness

. programs already in place, provides guidance that can be used by the plant operating staff to develop effective contingency plans for mitigating the potential unanticipated effects of a Y2K problem. The guidance incorporates risks to safe plant operation resulting from potential Y2K problems into the existing emergency procedures and emergency response organization at each NPP To a large extent, Y2K contingency planning will depend on the specific systems and risks identified as affected by Y2K st the individual plant. However, two generic areas of consideration for contingency planning identified in NEl/NUSMG 98-07 are (1) augmentation of staff and (2) availability of consumables (e.g., emergency diesel generator fuel oil and water chemistry control chemicals).

NEl has indicated that it does not plan additional coordination of licensee contingency planning efforts because of the plant-specific nature of the Y2K issue; however, NEl continues to monitor licensee progress. Individual licensees will work with the NRC as necessary in accordance with their existing emergency response procedures (as they would for any unanticipated operating event) should they experience plant operability concems due to Y2K problems. The NRC has concluded that the existing emergency response capability at nuclear facilities, supplemented to address the Y2K problem in accordance with NEl/NUSMG 98-07, provides the best approach to licensee contingency planning for this issue.

B. WHITE HOUSE The importance of addressing the Y2K problem in the U.S. was acknowledged by President Clinton early last year when he established the President's Council on Year 2000 Conversion on February 4,1998. The Council is made up of representatives from more than 30 major U.S.

Federal agencies, including the NRC. The Council Chair is Mr. John Koskinen, Assistant to the President. Each agency on the U.S. Council is responsible for oversight of the Y2K efforts necessary for ensuring availability of the infrastructure sector for which they have statutory responsibility. These " sector coordinators" promote action on the Y2K problem and offer support to public and private sector organizations-both domestically and intemationally-within j their policy areas. In particular, agencies are working with industry trade associations (which have unique capabilities for communicating with their members about the Y2K problem);

individual companies; and U.S. State and local govemments. The nine major sector areas covering the provision of critical services are: benefits / payments, communications, electrical power, emergency services, financial services, oil and gas, solid waste, transportation, and water supply. The NRC supports the efforts of the President's Council on Year 2000  !

Conversion and is an active member of the Council's Year 2000 Energy / Electric sector, Health l Care sector, and Emergency Services sector working groups.

C. OTHER FEDERAL AGENCIES I Federal Emeraency Manaaement Aaency (FEMA)

The NRC is working closely with FEMA on the Y2K problem, supporting regional FEMA Y2K workshops with information on NRC's Y2K program. These workshops are to communicate to regional Federal agencies, States, and local government officials, the status of Y2K problems j 13 4

w,,w

r associated with the major sectors.of the infrastructure (transportation, energy, food supplies, .

' health care, etc.) and to assist them in contingency planning efforts. The NRC also is working closely with FEMA on their plans to conduct I'2K workshops for the State and local radiological emergency preparedness (REP) community NRC and nuclear power plant licensees will

' participate in these workshops NRC is an active member of the Emergency Services Sector (ESS) Working Group for Y2K, which is headed by FEMA. In addition, the NRC is participating in regular Catastrophic Disaster Response Group (CDRG) meetings on the Y2K problem. The CDRG, which consists of all 27 Federal Response Plan (FRP) partners, is chaired by FEMA.

- Although the Y2K focus for the CDRG is narrower than that for the ESS Working Group, the activities are complementary.

Department of Energy (DOE)

DOE is the principal Federal agency with oversight responsibility for Y2K concems in electricity supply systems. Because DOE represented the energy sector (oil, gas, and electricity) at the FEMA Y2K workshops, NRC worked closely with DOE to ensure that NRC's Y2K program was accurately reflected. NRC has also confirmed that DOE assets relied upon for a radiological emergency, such as those deployed in support of a Federal Radiological Monitoring and Assessment Center (FRMAC), have been remediated for Y2K.

Federal Enerav Reaulatory Commission (FERC)

NRC contacted FERO to find out if they were considering Y2K contingency planning related to  !

. issues or potential problems associated with electricity supply systems. FERC is not developing such plans, but is relying on DOE Y2K contingency plans to address these issues, j National Communications System (NCS)

The NRC has worked closely with the NCS regarding the National Telecommunications Coordination Network (NTCN) that is being developed to provide for emergency communications in the event of a widespread telecommunications outage. At the request of NRC, the NCS has contacted telecommunications companies that provide service to NPPs and GDPs regarding Y2K readiness. NCS provided formal feedback to NRC on the draft NRC Y2K contingency plan.

U.S. Army Corps of Ennineers (USACE)

The NRC has consulted with the USACE conceming the potential for Y2K failures that could -

affect river water levels and flows.

Department of State (DOS)

The NRC is coordinating its activities regarding the intemational aspects of the contingency plan with the DOS and with other Federal govemment agencies, as needed (e.g., Department of Energy).

Government Services Administration (GSA)

GSA has advised the NRC that the FTS 2000 network will be Y2K ready.

i 14 i

i i

(. D. AGREEMENT STATES in February 1998, NRC provided information to Agreement States to increase their awareness

' of the Y2K problem. Through the letter, States were provided information on the nature and scope of the Y2K problem, potential problems for materials licensees, and the actions NRC was taking to encourage NRC materials licensees to examine their computer systems and software.

In the letter, we recommended that Agreement States also encourage their licensees to conduct similar examinations to assure they are Y2K compliant. NRC a'so requested Agreement States to share information with NRC on any Y2K problems identified by Agreement State licensees that could impact NRC, other Agreement States, or other licensees.

l To help provide further information to Agreement States, a link was established on the Office of State Programs (OSP) home page directly to the NRC Y2K website to help States obtain access to NRC information. We also provided the Agreement States with information on how to

! subscribe to the NRC Year 2000 list server that would automatically e-mail information to subscribers as it became available.

1 i On January 26,1999, all Agreement States were contacted again through the OSP list server  !

l. referring them to the earlier February 6,1998, letter, and asking that they be sure to share with l us any information on Y2K problems that may have been identified by their licensees. We also asked for information on the status of their efforts to address Y2K issues.

State responses, although limited in number, indicated tha'. Y2K was being addressed through  !

Statewide efforts and anticipated completion before the year 2000. No licensee problems were identified.

l In addition, during Managet . Review Board (MRB) meetings for the Integrated Material  !

! Performance Evaluation Program over the past 18 months, the MRB Chair has questioned Agreement State managers about their State's Y2K activities. The managers have indicated

' that Y2K issues in their programs were being addressed as part of Statewide efforts.

E. INTERNATIONAL i

1. Multilateral Coordination Multilateral coordination takes place in the form of information exchange and coordination at intemational forums such as the Intemational Atomic Energy Agency (IAEA) and the Nuclear Energy Agency (NEA).

Intemational Atomic Energy Agency (IAEA)

At its 1998 General Conference, the IAEA adopted a U.S.-sponsored resolution (drafted by the NRC) to make the IAEA a clearinghouse and central point of contact for IAEA Member States to exchange information regarding diagnostic and remediation actions being taken at NPPs, and at fuel cycle and medical facilities that use radioactive materials, to make these facilities Y2K ready. The resolution also' urged Member States to share information with the IAEA on actions being planned or implemented by operating and regulatory organizations and emphasized that 15

I

^

Member States should have contingency plans in place well before December 31,1999, to address potential problems that n.ay arise at that time at those nuclear facilities.

In response, the IAEA has created a special project to address nuclear Y2K-related safety concems and contingency planning for NPPs and research reactors, and is in the process of holding several Y2K workshops. The IAEA also conducted a survey of its Member State's Y2K programs in which the NRC participated (http://www.iaea.org/ns/nusafely2000/Y2Kinfor.htm)

The U.S. also provided a cost-free expert to the IAEA to assist in the establishment of IAEA Y2K guidelines and contingency planning. -

~~ Nuclear Energy Agency (NEA) .

In February 1998, the NEA sent a Y2K questionnaire to members of its Committee on Nuclear

. Regulatory Agencies (CNRA). The responses showed that all participating regulatory bodies were taking aggressive steps with licensees to identify and solve Y2K problems. In August 1998, the NEA finished its work on an intemational e-mail notification system. enabling CNRA members to rapidly and confidentially exchange Y2K information. The CNRA members are Belgium, Canada, Czech Republic, Finland, France, Germany, Hungary, IAEA, Japan, Netherlands, South Korea, Spain, Sweden, Switzerland, United Kingdom, and United States.

The NEA also organized a Y2K workshop in February 1999, which was also attended by regulators from the former Soviet Union and Central and Eastem Europe. At the workshop the .

Chairman of the NRC invited countries to participate in a world-wide Y2K contingency plan 1pxercise later this year. Also at this meeting, several regulators expressed an interest in participating in a Y2K early waming system.

NRC is suppoiting NEA in the development of a Y2K early waming system Countries in earlier time zones, which will experience any Y2K-related problems before the U.S. does, have been invited to provide information to this system in the quickest possible manner to enable licensees

- in participating countries to avoid common-cause failures. This effort includes mainly Far Eastem countries, such as Japan, South Korea, and Taiwan, which operate reactors designed by U.S. vendors, as well as some European countries, Canada and Mexico. The Office of Intemational Programs (OIP) developed a prototype user interface for an Intemet-based reporting system. At the request of NEA, a number of countries have provided comments on this prototype system. The vast majority of the comments support the proposed system. OIP contacted the World Association of Nuclear Operators (WANO) regarding the proposed early waming system. WANO also identified the potential need for such a system and is interested in participating in its development. This system, referred to as the Y2K early waming system (YEWS), is discussed further in Section V.C.

Intemational Safeguards and Physical Protection

. The IAEA Department of Safeguards established a project in 1996 for Y2K conversion activities.

The project covers assessment, conversion and testing of the software applications, instrument evaluation software, embedded systems, PC hardware attached to various equipment and computer infrastructure. In addition, the IAEA is working closely with Member States and their 16

t

. systems of accounting for control of nuclear material and on the conversion of systems used jointly with Member States at nuclear facilities.

In February 1999. OIP participated in an intemational seminar on Y2K and safeguards and physical protection sponsored by the IAEA. The seminar was attended by 47 IAEA Member States and OIP presented a progress report on the NRC's Y2K efforts. A working group was established and issued recommendations to regulatory authorities and facility operators on how to remediate Y2K problems in the area of physical protection.

2. Bilateral Coordination .

NRC's ma%cus of bilateral contingency planning efforts is on Canada and Mexico. The NRC enjoys close 11l lateral ties with both countries and special emergency procedures are already in

. placa permitting rapid and redundant communications should an emergency arise. Contingency planning for these countries involves, among other things, the examination of existing procedures and communications channels for Y2K compliance. In addition, Canada and Mexico will particippie in YEWS.

. Canada

' The Atomic Energy Control Board (AECB) of Canada is addressing the Y2K issue at Canadian NPPs and hopes to have all plants Y2K compliant by June 30,1999. Members of the NRC's continency planning team met with the AECB in December 1998 and again in February 1999 to discuss coordination of their respective Y2K contingency plans.

Mexico OIP met with the Mexican nuclear regulator (CNS) and is in the process of coordinating i contingency plans.

IAEA

' NRC and IAEA are coordinating contingency plans for direct NRC-IAEA communications in case of a U.S. nuclear emergency. In February 1999, OIP met with the IAEA's emergency response j team and discussed coordination of Y2K contingency plans. Further discussions will be held in  !

May 1999 during the visit of an IAEA emergency response team member to the NRC.

I L Other Countries l Countries with which the NRC has technical information exchange arrangements are being individually contacted by NRC regarding Y2K issues as part of the ongoing emergency  ;

l prepareoness information exchange. NRC is exploring the possibility of using existing bilateral means of communications as redundant communications channels should the regular intemational emergency response system fait during the Y2K transition period.

17 1

r FederalAgencies NRC is coordinating with the emergency response centers of Federal agencies involved in the intemational nuclear emergency notification and response system, such as the Departments of State and Energy, the Environmental Protection Agency, the Federal Emergency Management Agency, the National Security Council, and the President's Council on Y2K Conversion.

V. CONTINGENCY PLAN A. SCEN RIO DEVELOPMENT The task force evaluated a range of possible scenarios. At the lowest end of the spectrum is a situation in which everything goes on as usual during the transition from 1999 to 2000. At the opposite end of the spectrum the task force hypothesized a worst-case scenario involving a widespread telecommunications outage, a complete loss of the North American power grid, and several major incidents at NRC-licensed facilities (e.g., station blackout, loss of ultimate heat sink, loss of feedwater) in conjunction with risk-significant challenges at many other licensed facilities (e.g., loss of offsite power or feedwater transients). The task force agreed on a

" planning scenario

  • that falls somewhere between the two extremes. This planning scenario would encompass events that are beyond our current best estimate of likely consequences, but that would allow the staff to respond to unforeseen possibilities. After careful consideration of the current understanding of Y2K readiness and risk, as described in Section Ill, the task force established the following planning assumptions:

- Y2K problems will lead to localized electrical grid disturbances and power outages within one or more interconnections. However, there will not be major regional or nationwide electric power outages.

- Local or regional telecommunications outages will occur, but there will not be a complete loss of the public switched network (PSN). Networks associated with Regional Bell Operating Companies (RBOCs), major independent telephone companies, and

- interexchange carriers (IXCs) will remain functional.

  • At least two NRC-licensed facilities will be affected directly or indirectly by a Y2K problem

' that requires an NRC response (e.g., loss of offsite power).

- Y2K problems will affect several nuclear power plants outside of the United States. {

l

- Unforeseen Y2K problems will place a dozen or more nuclear power plant licensees in j situations that depart from a license condition or a technical specification. J B. INCIDENT RESPONSE

Response

The task force determined that the backbone of the contingency plan should be the agency's well-established and well-tested incident Response Plan. On the basis of the planning scenario, 18 u )

~*

the agency would enter Standby mode on New Year's Eve 1999. Attachment 3 provides a timeline of when the Operations Center would be staffed in preparation for the Y2K transition.

Ordinarily, in Standby mode, the Operations Center technical teams are completely staffed and o a member of the Executive Team leads the agency's response. To prepare for potential Y2K problems, a staffing plan has been developed. The details of this plan are provided in Attachment 4.

Operations Center Readiness The NRC Operations Center re. lies on three major interrelated systems to ensure the timely flow (of information during an emergency: the Emergency Telecommunications System (ETS), the

Emergency Response Data System (ERDS), and the Operations Centar information l Management System (OCIMS). ETS is the telecommunications network that NRC relies on for voice and data communication between the NRC Operations Center and the emergency response facilities (control room, technical support center, emergency operations facility) associated with every NPP and major fuel cycle facility. ERDS is a real-time data system that allows safety-related information to be downloaded from plant computers at all commercial NPPs. OCIMS is the primary means of creating, storirig, sending, and retrieving information in the Operations Center. All three of these systems are considered mission critical. All of these systems have been remediated and tested for Y2K readiness. Nonetheless, the staff has developed Y2K contingency plans for each of these systems.

Telecommunications Readiness The ETS communication links to NRC licensed facilities are carried on dedicated lines to the Federal Telecommunications System (FTS) 2000 network as shown in Figure 3.

l The FTS 2000 network is essentially separate from the public switched telephone network. The General Services Administration has advised the NRC that the FTS 2000 network will be Y2K ready by July 1999, in addition to the ETS, the NRC may communicate with its licensees via the PSN. As discussed in Section D.2, the NRC has worked with the Office of the Manager, NCS, and the FCC to keep abreast of Y2K developments in the public switched network. We are also working closely with NCS to obtain information conceming the Y2K status of the local central office closest to the NPPs and GDPs. This information is provided in Attachment 2.

Although the NRC is becoming increasingly confident that the telecommunications systems relied on to communicate with NPPs and GDPs will be operable during and after the Y2K transition, several prudent measures are being taken to ensure that communications will be possible for a range of scenarios up to and including a widespread telecommunications outage that affects both the FTS 2000 system and the PSN.

19

Utliity Communication Systems Public


Switched i

1

-- L Netwo,*

l T l J-----------Mljig ' !l TELCO E .-

.- 8 l _.

lk y!_be.g & pgj l lN 8

l Nuclear DALS(7 Functions) j i

"A MM l

I i LocalCentral i Power Plant l i_ _ _ , a ce l m Endorrice ,

l 1 s

1 I I

- l I l

A l g_____mc9_____jy]__' ,,, ,,

DALS(6 Functions) iiijjij ', . ,

Operati acility M l o c.

NRC Operations Center voice communication-NRCOC Bridges - Switch ERDS -

NRCOC LAN-Figure 3. NRC Emergency Telecommunications Systems (ETS)

Local Telecommunications Outage (Single Central Office)

A local outage of a local Bell Atlantic Centrai Office (CO) because of a failure to properly implement a telephone switch Y2K software upgrade, for example, would be unlikely to result in a complete loss of communications between NRC and its NPPs and major fuel cycle facilities.

This is because the NRC's ETS is designed to remain functional following a single fault or failure, barring a fire in the telephone cable room, a major private branch exchange (PBX) failurer, or some other common-mode failure. The trunk groups from the Operations Center PBX are routed to two physically separate add / drop multiplexers (ADMs) in the telephone cable room where they are added to the Synchronous Optical Network (SONET).8 To provide for diversity, one of the trunks is routed to a different CO than the others. Another trunk is dedicated to outgoing calls on the FTS2000 network. Thus, by design, the NRC Operations 2

A limited number of Washington Interagency Telephone System (WITS) lines are also provided in the Operations Center in the event of a PBX power failure.

8 Because SONET is *self healing"it should not be vulnerable to a single fiber cut.

20

__ ------------ ___a

4 Center would still be capable of communicating with its licensees even in the event of a local CO outage attributable to a Y2K problem.

Generic Software Problem if, despite extensive testing, a Y2K software patch for a major switch type was unknowingly susceptible to a Y2K problem, this problem could theoretically cause the failure of all telephone switches or PBXs of a particular type. For example, all of the telephone switches that NRC Headquarters relies on are Lucent SESS and could be susceptible to this type of common mode failure. Similarly, a failure to properly remediate network signaling system software could result in widespread telecommunications outages. Although, this appears to be very unlikely, the task force has developed a back-up communication method that will ensure that NRC will be in contact with its licensees during the Y2K transition.

National Telecommunications Coordination Network Specifically, NRC will be part of the National Telecommunication Coordination Network (NTCN),

which is a dedicated network, independent of the public switched network, for coordination of emergency telecommunication issues.

Although the design of this network has not been finalized and is subject to change, the basic concept is illustrated by Figures 4 and 5. As shown in Figure 4, the NRC, and about a dozen other Federal Agencies in the Washington D.C. area, will be connected to the NTCN through a dedicated ringdown line to the National Coordinating Center for Telecommunications (NCC).

The NCC, which falls under the NCS Operations Division, is staffed by 17 representatives from the telecommunications industry and govemment for the purpose of responding to telecommunications requests during emergencies. The NRC link to the NTCN will be a stand alene phone in the NRC Operations Center. A conscious decision was made not to tie the NTCN into the Operations Center PBX out of concem that an unknown Y2K-related software problem with the Fujitsu 9600M PBX could theoretically render this back-up system ineffective.

As shown in Figure 5, the ringdown lines to the NCC from the participating Federal Agencies will conceptually have the capability to be bridged to a number of other telecommunications resources including the FTS, the PSN, and mobile satellite phones. Also, access to the Alerting and Coordination Network (ACN), which consists of private telecommunications company assets, provides a diverse and redundant means of communication in the very unlikely event that both the FTS and PSN networks have been affected by a Y2K problem.

In addition, as part of the NRC Y2K Contingency Plan, the NRC is planning to provide one portable satellite telecommunications unit at each NPP and GDP in the United States and to install appropriate satellite telecommunications equipment at Headquarters and in Region IV.

This chanel of communication will be sufficient to notify NRC of any events. If normal telephone access to the NRC Operations Center is lost, the site could still communicate with the NRC via either direct satellite communication or via satellite link relayed through the NTCN for emergency reports.

21

y

p

\

/ ,

s g' Washington, D.C.

A* FCC 4 ~

w Mee House k

, reuA NASA g .

Arnneton Virginia \-

The Petdagon h DSANcC x ',

Figure 4. NRC will be a node on the National Telecommunications Coordination Network Other Emergency Communication Initiatives NRC participates in a number of Government-wide emergency telecommunications initiatives. l Most of these are administered through the NCS. An example of a technology currently in use l by NRC is the GETS, which provides authenticated access, enhanced routing, and priority treatment in long distance telephone networks. GETS presumes continued operation of public and Federal telephone networks during national emergencies when the volume of network traffic is expected to be very high. However, this system may not provide protection in the event of a major network outage. NRC has requested the NCS to provide GETS cards to NPP and major fuel cycle facilities for the Y2K transition and beyond.

Another NCS service utilized by the NRC is the Telecommunications Service Priority (TSP) system, which provides priority provisioning and " ration of National Security and Emergency Preparedness (NS/EP) telecommunications t .. NS/EP telecommunications services are those that are critical to the maintenance of a , readiness or the response to and management of any event or crisis that causes a vuuld cause harm. NRC has TSP on many of its critical circuits. NRC also sponsors power companies for TSP service on circuits supporting nuclear power plants.

22 o_ - - - _ - - - - - _

1 i

1 4

Non-Bridged Resources Bridged Resources NCC Ringdowns PSN Internet s

. NAWAS ERLink i ~~", ~ r. -/ DSN s~ NGC: '

'v ', " '

s e -

5 Conferencing  !

SVTS T --- -- Cellular

' ? Bridge?.j

/ N Mobile Satellite

/ ..4' \ N

/ ,/ \ ' 'Shares SIPRNET NTCN HF l FTS Figure 5. NTCN Resource Architecture Concept Loss of Normal (PEPCO) Power The Operations Center also has a dedicated emergency power system, including a dedicated emergency diesel generator and several uninterruptible power supplies. These systems are Y2K ready. The 600 KW diesel generator that provides emergency power to the Operations Center and its support systems has a day tank that holds 100 gallons and a larger storage tank that holds 2000 gallons. Based on worst case load conditions, this supply is adequate to provide for approximately one day of continuous diesel generator operation. A contract will be written to ensure that NRC has priority in receiving fuel oil for replenishing the diesel generator storage tank from a dependable supply.

Environmental Control Systems The three systems that are relied on to control the Environment of the Operations Center are:

(1) Environmental Management and Control System, (2) Tenant Chilled and Condenser Water System, and (3) Air Handling Units System. All three systems have been confirmed to be Y2K ready. If normal power is lost, each system would be powered from the tenant diesel.

23 i

u . . . . . _ . __ --

Back-up to the Headquarters Operations Center Because the possibility of a regional communications or electric grid outage cannot be excluded, the staff recommended one additional contingency measure: the capability to rapidly establish a back-up Operations Center. Region IV was selected to perform this function for several reasons:

a Region IV is the only regional office that is not in the Eastem Interconnection. A major grid outage in the Eastem Interconnection could affect Headquarters and Regions I,11, and Ill.

- Region IV is the only regional office that has telecommunications systems comparable to those at Headquarters. It was for this reason that the back-up to the Headquarters Automatic Notification System was placed in Region IV.

Region IV is one time zone removed from Headquarters and may be in a better position to respond to major problems on the East Coast that may affect Headquar*ers.

Staffing Because NRC's response to an incident at a NPP requires a different type of expertise than an incident at a fuel cycle facility, the current response procedures are oriented to a particular type of facility. However, in order to respond to the Y2K planning scenario, a scaled-down multidisciplinary team of responders, as described in Attachment 4, has been established. The total number of Headquarters responders, approximately 40, represents about half of the number who would typically participate in a full-participation exercise. If needed, the Region IV Incident Response Center (IRC) would be rapidly staffed and could carry out many of the Headquarters functions. Attachment 4 also provides information on the proposed staffing of the Region IV IRC. The staffing plan also recommends that a resident or regionalinspector be

- stationed at every NPP and GDP site. In consultation with the Regional Emergency Response Coordinators, the IRC in each Region will be staffed with a minimum of three responders. The staffing plan will be revised, as necessary, as the detailed Y2K contingency plan implementing procedures are developed.

C. NPP INFORMATION SHARING The task force determined that the Y2K response team should not only respond to any Y2K-related problems at NRC-licensed facilities, but should also serve as a coordinator of safety-significant Y2K information that could affect our licensees. Ideally, any Y2K issues that may

~ begin to appear in Japan, Korea, and other nations that are on the front end of the Intemational Date Line could be communicated to NRC and its nuclear power plant licensees through the NEA reporting system, YEWS, described in Section IV.E. Likewise, information entered into the YEWS reporting system by NRC, based on information from licensees in the Eastern time zone, would also be useful to NRC licensed nuclear power plants further west. Although, it is unlikely that licensees could take corrective actions on the basis of this information (indeed, it may not be prudent to take short-term actions without thoroughly analyzing the problem), it may assist licensees in implementing contingency measures. NRC would also share this information with 24

l the Department of Energy, the Department of State, and other Federal agencies as part of a coordinated Federal communication plan for the Y2K transition. This plan calls for an Information Coordination Center which will suppoit senior Administration decision makers in addressing emergencies that may arise in the U.S. snd around the world, during and after the Y2K transition. The information Coordination Center, which is being organized by the President's Council on the Year 2000 Conversion, is still in the initial planning stages. The NRC, as a member of the Y2K Domestic Interagency Working Group (IWG), will continue to ensure that our information sharing plans are fully coordinated with the President's Council on the Year i 2000 Conversion and other stakeholders. '

in developing the "early waming" scenario permitted by time zone differences, the task force-made several assumptions concoming the nature of the Y2K problem:

First, the Y2K problem is not limited to the transition that occurs at midnight, December 31, 1999.. Other significant dates, including September 9,1999 (9/9/99) and February 29, 2000.

However, the task youp concluded that the Y2K rollover is the most significant operating date.

This assumption is consistent with prioritization of transition dates by other groups such as the North American Electric Reliability Council. Fortunately, from an electric reliability perspective, New Year's Eve falls on a Friday and January 1 is a Saturday. Demands on the electric system at night and on weekends are normally reduced from peak conditions. If winter weather conditions are not a significant factor, excess generating capability should be available during this critical transition period.'

l Socond, Y2K problems that originate with the midnight, December 31,1999, rollover may not be apparent at that time.' For example, a control circuit that fails to reset for any date after 1999 may not exhibit this failure until a demand is placed on this circuit. This may not occur for days, weeks, or months aftsr the transition date. The task force assumed that the greatest probability of failure, particularly for nuclear po.ver plant systems, would occur shortly (seconds, minutes, hours) after the transition date because such short processing times are involved with these systems. The general probability of failure would decrease with the passage of time, and risk  ;

factors involving simultaneous failures or failures involving infrastructure beyond the plant's i control would also decrease. In any case, the task force recommends that the greatest l emphasis be placed on facilities located in the time zone in which local midnight is occurring. l i

Third, some Y2K problems involving safety systems may show up quickly enough and clearly  !

enough to be positively identified. This information could be passed along to units containing ,

t similar systems in sufficient time to take some positive action. The likelihood of such an event l occurring and the usefulness of further distributing such information are clearly debatable.

Nevertheless, the provision for early warning due to time zone differences appears to warrant j consideration in agency contingency plans.

4

  • This conclusion is consistent with the most recent NERC report (Reference C.11).

25 l

I D, NPP REGULATORY RESPONSE The NRC has determined that if the agency were to address Y2K problems affecting plant operability within the existing regulatory framework and procedures, continued safe operation of the facility could be unnecessarily adversely impacted. This could potentially result in an adverse impact on public health and safety by forcing an unnecessary plant shutdown and further exacerbate grid stability concems. The staff is separately seeking Commission approval on a proposed revision to the enforcement discretion policy to address this concem.

Pursuant to the SRM on COMEXM-98-004 issued on July 28,1998, the NRC's Enforcement Policy (NUREG-1000, Rev.1) has been revised to allow the staff to exercise enforcement discretion in cases involving severe weather or other natural phenomena. The staffs determination would be based on balancing the broader impacts on public health and safety or common defense and security of not operating against the potential radiological or other hazards associated with continued operation, and a determination that safety will be maintained while exercising this discretion. A similar recognition of the broader public interest in a reliable and stable electrical grid during times when there is potential for Y2K-related challenges to the grid is the basis for this proposed enforcement discretion policy specifically developed for application in Y2K transition or rollover periods. Where an appropriate safety determination can be made, continued plant operation could make a significant contribution to grid stability and reliability, providing necessarj reserve power if there are major losses at other generating facilities.

The staff proposes to amend the " General Statement of Policy and Procedure for NRC Enforcement Actions," NUREG-1600, Rev.1, by adding Appendix E to the policy. Appendix E will describe the interim enforcement policy to exercise enforcement discretion for certain situations related to Y2K problems.

To ensure that the NRC can support multiple licensee requests for enforcement discretion during the transition from 1999 to 2000, key managers and support staff will be at the NRC headquarters Operations Center during this period. In addition, the NRC Region IV IRC will be staffed to provide backup support to Headquarters, if necessary.

E. EXERCISES / WORKSHOPS i i

Attachment 5 is a time line of the Y2K exercises and workshops that NRC plans to participate in between now and the Year 2000.

~ FEMA Exercises On May 19 and 20, FEMA is conducting an FRP Community Table Top Exercise. This exercise has several purposes:

Explore issues related to supporting a Federal consequence management response to ,

possible emergency conditions resulting from Y2K. I

+ Examine the effect of the Y2K environment on the Federal Response Plan.

26 l.

Address roles, responsibilities, and authorities of the Federal departments and agencies and the Catastrophic Disaster Response Group (CDRG) members'.

, Examine processes for information sharing, coordination, and decision-making from the nationallevel response structure.

Examine coordination processes eddressed in the draft FRP Operations Supplement for Y2K.

Determine the process for arbitrating issues, prioritizing needs, and allocating resources.

Issues identified during this tabletop will be forwarded for review at a National Table Top Exercise tentalively scheduled for September 18 and 25.8 On the first Saturday of the National Table Top Exercise, CDRG representatives from participating agencies would exercise their role l under the FRP in responding to a simulated disaster caused by a Y2K problem. According to l FEMA, the second Saturday would be a four hour tabletop exercise headed by the Vice i President and would involve the Cabinet Secretaries and the Agency heads.  ;

FEMA is also conducting Y2K contingency planning seminars for State and local radiological i emergency preparedness (REP) officials in all nine of their REP regions. Utilities and the NRC have been invited to attend and participate in these seminars, which are expected to start in May.

NRC Exercises The staff is planning two different types of exercises involving utilities. The first exercise is a table top exercise, scheduled on July 14, that would involve NRC, Baltimore Gas and Electric, the State of Maryland, and Calvert, St. Mary's and Dorchester counties. The purpose of this

exercise would be to discuss how contingency plans for each organization would be used in l response to a number of scenarios, including loss of telecommunications and loss of offsite

!. power. At least one scenario will involve the transfer of the NRC Y2K response lead from Headquarters to Region IV.

i l A large scale exercise is tentatively scheduled on October 15. During this exercise, the NRC l would test the Y2K contingency plan in its entirety. The headquarters Operations Center, the l Regional IRCs and the back-up IRC in Arlington, Texas would be staffed by the same people l who have volunteered to staff the centers beginning December 31. There are three major facets of the NRC contingency plan that will be tested:

Incident Response: The planning basis of the NRC Y2K Contingency Plan assumes that l there will be two events involving an NRC licensed facility (caused directly or indirectly l

l 8

The CDRG, composed of representatives from all departments and agencies under the Federal Response Plan, operate at the national level to provide guidance and policy direction on response coordination and operationalissues associated with implementation of the Federal Response Plan.

  • The National Table Top Exercise was originally scheduled for June 19 and 26.

27

by a Y2K problem) that will require an NRC response. An example might be a complete loss of off-site power. In this exercise, two or more nuclear power plant licensees and a gaseous diffusion plant will simulate a relatively significant event (i.e., involving an emergency declaration) that the NRC would be required to respond to.

The planning basis within the NRC Y2K Contingency Plan also assumes that as many as a dozen nuclear power plant licensees may find themselves in a situation where their technical specifications may require them to shutdown, but where continued operation is in the best interest of public health an safety in a broader sense. An example might be the loss of one.out of two offsite power sources to the plant ceused by grid stability problems. Thus, several utilities will contact the NRC response team requesting enforcement discretion under the Y2K enforcement discretion guidelines.

The third facet of the Y2K Contingency Plan, Information Sharing, involves taking advantage of the time zone differences. As discussed in Section IV.E., NRC is supporting NEA in developing a Y2K Early Waming System. We intend to test this system during the October exercise by obtaining simulated information from participating countries and sharing it with our nuclear power plant licensees. We will also be testing our back-up communication equipment during this exercise.

This exercise is being planned for October to allow sufficient time for the portable satellite equipment to be procured, deployed, and tested. It will also allow sufficient time for the staff to provide generic communication to our licensees regarding the NRC Y2K Contingency Plan, particularly with regard to the proposed Y2K enforcement discretion guidelines.

VI. REFERENCES A. GENERIC COMMUNICATIONS

1. May 11,1998 - NRC Generic Letter 98-01: Year 2000 Readiness of Computer Systems at Nuclear Power Plants.
2. June 22,1998 - NRC Generic Letter 98-03: NMSS Licensees' and Certificate Holders' Year 2000 Readiness Programs.

December 24,1996 - NRC Infonnation Notice 96-70: Year 2000 Effect on l 3.

Computer System Software.

4. August 6,1997 - NRC Information Notice 97-61: U.S. Department of Health and Human Services Letter to Medical Device Manufacturers on the Year 2000 l Problem. I
5. August 12,1998 - NRC Information Notice 98-30: Effect of the Year 2000 l Computer Problem on Material and Fuel Cycle Licensees and Certificate Holders. l
6. January 14,1999 - NRC Generic Letter 98-01, Supplement 1: Year 2000 Readiness of Computer Systems at Nuclear Power Plants.

28-

B. INDUSTRY GUIDANCE DOCUMENTS l

1. October 1997 - Nuclear Energy institute and Nuclear Utilities Software l Management Group Report NEl/NUSMG 97-07: Nuclear Utility Year 2000 Readiness. ]
2. August 1998 - Nuclear Energy Institute and Nuclear Utilities Software Management Group Report NEl/NUSMG 98-07: Nuclear Utility Year 2000 Readiness Contingency Planning.

C. OTHER RELEVANT DOCUMENTS

1. March 1997 - National Security Telecommunications Advisory Committee, Information Assurance Task Force: Electric Power Risk Assessment.
2. September 17,1998 North American Electric Reliability Council: Preparing the Electric Power Systems of North America for Transition to the Year 2000, A Status Report and Work Plan.
3. August 13,1998 - Nuclear Regulatory Commission: Year 2000 Readiness Audit Plan (for NRC staff review of select nuclear power plants).

'4. September 8,1998 - North American Electric Reliability Council: Year 2000 Contingency Planning and Preparations Guide (Draft).

5. September 1997 - U.S. General Accounting Office (GAO): GAO/AIMD-10.1.14,

" Year 2000 Computing Crisis: An Assessment Guide."

6. August 1998 - U.S. General Accounting Office (GAO): GAO/AIMD-10.1.19, " Year 2000 Computing Crisis: Business Continuity and Contingency Planning."

7 September 1998 - The President's National Security Telecommunications Advisory Committee, Network Group, Year 2000 Problem Status Report. I

8. January 11,1999 - North American Electric Reliability Council, North American Electric Reliability Council, Preparing the Electric Power Systems of North I America for Transition to the Year 2000. A Status Report and Work Plan, Fourth  !

Quarter,1998.

9. April 21,1999 - The President's Council on the Year 2000 Conversion, Second Summary of Assessment Information.

I

10. March 1999, The Federal Communications Commission in conjunction with the Network Reliability and Interoperability Council, Y2K Communications Sector Report.

I 29 t

~

11. April 30,1999 - North American Electric Reliability Council, Preparing the Electric Power Systems of North America for Transition to the Year 2000. A Status Report and Work Plan, First Quarter,1999.

1

, l 30

l l ATTACHMENT 1 COMMENTS ON DRAFT Y2K CONTINGENCY PLAN FROM EXTERNAL STAKEHOLDERS A. One responder (1) wants to shut down all reactors by July 1,1999, due to fear of fraudulent statements regarding Y2K compliance - one responder (2) feels that January 1, 2000, is too late to shut down unsafe reactors - one responder (6) wants reactors to shutdown over the holidays, especially if they are not Y2K compliant - two responders (7 and 11) want to shut down reactors that do not meet Y2K compliance.

Resoonse To ensure that all operating nuclear power plants remain safe, licensees of operating reactors are required to be in compliance with the terms and conditions of their license (s) and NRC regulations at all times if the Y2K problem leads to a condition that would cause the facility to not be in compliance with the terms and conditions of its license or any NRC reguiation, then actions required by the license or regulations will be taken, including, if warranted, shutdown of a plant.

The NRC has been proactive with licensees in order to address the Y2K problem and achieve Y2K readiness of all nuclear power plants. The licensees have been notified of Y2K issues though NRC's generic communication and industry guidance documents. Of particular note is Generic Letter (GL) 98-01, issued on May 11,1998, which required licensees w -'spond to the following:

1. Within 90 days of the date of this generic letter, submit a written response indicating whether or not you have pursued and are continuing to pursue a Y2K program, such as or similar to, that outlined in NEl/NUSMG 97-07, augmented appropriately in the areas of risk management, contingency planning, and remediation of embedded systems. If your program significantly differs from the NEl/NUSMG guidance, present a brief description of the programs that have already been completed, are being conducted, or are planned to ensure Y2K readiness of the computer systems at your facility (ies). This response must address the program's scope, assessment process, plans for corrective actions (including testing and schedules), QA measures, contingency plans, and regulatory compliance.
2. Upon completing your Y2K program or, in any event, no later than July 1,1999, submit a written response confirming that :sur facility is Y2K ready, or will be Y2K ready, by the year 2000 with regard to compliancs with the terms and conditions of your license (s) and NRC regulations. If your program is intornplete as of that date, your response must contain a status report, including ccmpledon schedules, of work remaining to be done to confirm your facility is/will be Y2K r9ady by the year 2000.

l All licensees have responded to GL 98-01 stating that they have adopted plant-specific programs that are intended to make plants Y2K ready by July 1,1999. The second response to i

L ___

i GL 98-01 in July 1999, would confirm that the plant is Y2K ready by July 1,1999. Licensees who are not ready by July 1,1999 would provide a status report and schedule for the remaining work to ensure timely Y2K readiness.

Based on the above discussion, it will not be necessary to shut down all operating nuclear plants during the critica! Y2K rollover date. However, NRC will determine licensee readiness after the July 1,1999 responses to GL 98-01 are reviewed. The NRC will take appropriate action up to and including requiring plant shut down, if necessary. Additional discussion on this topic can be found in the response to Docket No. PRM-50-65, a petition for rulemaking from the Nuclear Information and Resources Service.

I l

. il i

G

~

B. Five responders (7,8,9,11, and 12) state that the 12 audits of reactor licensee Y2K readiness are insufficient and all plants should be audited - one responder (10) feels the material audits should be performed by an independent auditor - five responders (3, 4, 5, 14, and 15) state that identifying the plants most vulnerable to Y2K would not be productive - one responder (6) suggests that the audit program is unacceptable.

l Resoonse One of a number of initiatives undertaken by the NRC staff to address the Y2K problem was the conduct of 12 sample audits of licensee Y2K readiness programs. The NRC staff determined that this approach was an appropriate means of oversight oilicensee Y2K readiness efforts j because all licensees had committed to the nuclear power industry Y2K readiness guidance (NEl/NUSMG 97-07) in their first response to NRC GL 98-01 and because the NRC staff had not identified any Y2K problems in safety-related actuation systems. The sample of 12 licensees included large utilities such as Commonwealth Edison and Tennessee Valley Authority (WA) as well as small single-unit licensees such as North Atlantic Energy (Seabrook) and Wolf Creek l Nuclear Operating Corporation. Because licensee Y2K programs are corporate-wide, many of the NRC staff audits included more than a single nuclear power plant site since many utilities own more than one nuclear power plant. In all, a total of 42 of 103 operating nuclear power plant units were asr v.iated with the Y2K readiness program audits of 12 utilities. The NRC staff selected a variety ct .,,as of plants of different ages and locations in this sample in order to obtain the necessary assurance that nuclear power industry Y2K readiness programs are being effectively implemented and that licensees are on schedule to meet the readiness target date of July 1,1999, established in GL 98-01.

l

in late January 1999, we completed the 12 audits. On the basis of the audit findings, we I concluded that the audited licensees were effectively addressing Y2K issues and were i undertaking the actions necessary to achieve Y2K readiness in accordance with the GL 98-01 target date. We did not identify any issues that would preclude these licensees from achieving readiness. These findings are consistent with those recently reported by the Department of Energy in the report prepared by the North American Electric Reliability Council on the status of

! .Y2K readiness of the electric power grid.

The NRC staff is not aware of any Y2K problems in nuclear power plant systems that directly impact actuation of safety functions. The majority of commercial nuclear power plants have protection systems that are analog rather than digital. Because Y2K concerns are associated with digital systems, analog reactor protection system functions are not impacted by the Y2K issue. Errors such as incorrect dates in printouts, logs, or displays have been identified by licensees in safety-related devices, but the errors do not affect the functions performed by the l devices or systems. Most Y2K issues are in balance-of-plant and other systems such as personnel access controls and plant monitoring systems, which support day-to-day plant operation but have no direct functions necessary for safe operation of the reactor. These I systems are being addressed in the licensee Y2K readiness programs consistent with the industry guidance and GL 98-01 schedule.

We have noted from the completed audits that licensee Y2K contingency planning efforts have not progressed far enough for a complete NRC staff review, and, therefore, additional oversight iii

l of this area is planned for the spring of 1999. The NRC staff currently plans to audit the contingency planning efforts of six different licensees from those included in the initial 12-sample Y2K readiness audits, beginning in May 1999 and ending in June 1999. As stated earlier, licensee Y2K programs are corporate-wide and many utilities own more than one nuclear power plant. Therefore, a total of 18 operating nuclear power plant units will be associated with these six licensee audits.- These audits will focus on the licensee's approach to addressing both intemal and extemal Y2K risks to safe plant operations based on the guidance in NEl/NUSMG 98-07 With regard to the assessment of Y2K programs at operating nuclear power plants, NRC' inspectors will review plant-specific Y2K program implementation activities including contingency planning at all U.S. power reactors during the April-July 1999 period. The inspectors will be using guidance prepared by the NRC headquarters staff who conducted the 12 sample audits. Training in the use of the guidance has been provided. The experienced headquarters staff has been available to the inspectors for support and assistance during the review, as necessary. The headquarters staff will also provide oversight of these reviews to ensure consistency among the Y2K program implementation activities. The reviews will allow NRC to check on the progress of all licensees and determine whether any regulatory action is needed, Information from the reviews also will be used in conjunction with status reports NRC

. has directed its power reactor licensees to provide by July 1.

!! should be noted that one or more independent audits are performed by licensees as an integral part of plant-specific Y2K readiness programs.

We agree that attempting to " identify those NPPs that may be most vulnerable to Y2K issues,"

as discussed in the draft contingency plan, is counterproductive. The paragraph containing that statement has been deleted in the modified plan.

I iv I

I l

C. Three responders (8, 9, and 12) want to delete the section entitled " Regulatory  ;

l Response" - five responders (3, 4, 5,14, and 15) do not believe special provisions for use of 10 CFR 50.54(x) is warranted, but propose that NRC establish a revised enforcement policy that allows timely decisions during the Y2K transition period.

Responders (3,4,5,14, and 15) also agree that NRC should provide appropriate l support staff to assist licensees in making prompt operability determinations during the Y2K transition period.

Response  !

l The NRC agrees with the comments that support staff should be provided in the NRC

. Operations Center to assist licensees in operability determinations, and also have the authority to grant enforcement discreticn when appropriate. The NRC Operations Center will be staffed j and ready to process any request received from a licensee. 1 The staff disagrees with the comments that Section V.C., " Regulatory Response," should be

' deleted from the contingency plans. As stated in the introduction of the contingency plans, it is not possible to be 100 percent certain that all potential problems will be found and corrected successfully when we pass from 1999 into 2000. Therefore, the NRC is planning in advance, via the Contingency Plan and the Interim Enforcement Policy Regarding Enforcement j

l. Discretion, to develop procedures and guidelines to assist the staff and licensees during this transition period. These documents will provide guidance to the licensees, staff in the regional l offices, and the Office of Nuclear Reactor Regulation on the process for the NRC to exercise i enforcement discretion with regard to Limiting Conditions for Operation (LCOs) in power reactor technical specifications or license conditions. It is prudent that the NRC proceeds with these plans for ensuring that public health and safety and the environment will continue to be protected, even if unforeseen Y2K problems occur.

l l

l l

1 l

1 i l i

V i

1 l

l

. 4 D. Four responders (7, 8, 9, and 12) believe the need for increased power during the I weekend of the Y2K transition is not required and that there could be too much power I produced during that period.

Response

The NRC agrees with the comment that under normal circumstances the power generated from I

nuclear power plants, as well as other base-loaded power generation facilities, might not be needed in some areas of the U.S. on January 1,2000. However, the transition from December 31,1999, to January 1,2000, is not considered to be normal circumstances because the Y2K problem has the potential to cause grid disturbances or outages, i

l I

i Vi

E l<

, E. Five responders (7,9,11,12, and 16) do not consider that it is more important to

. produce power than protect public health and safety.

Response

l Agree. The Commission shares the concem that the Y2K problem not pose an adverse impact l

on public health and safety. NRC inspectors are reviewing licensee Y2K programs at all U.S.

power reactors during the period between April 1,1999 and June 30,1999. NRC GL 98-01 requires a written response by July 1,1999, confirming that all operating nuclear power plants are Y2K ready. Licensees who are not Y2K ready by July 1,1999, must provide a status report and schedule fo.* remaining work to ensure timely readiness. In July 1999, the NRC staff will review all licensee responses to GL 98-01 and address any questions that may raise concerns.

i By September 1999, the NRC will determine the need for issuing orders to address Y2K readiness issues, including, if warranted, shutdown of a plant.

l The NRC has been proactive with licensees in order to address the Y2K problem and achieve Y2K readiness of all nuclear power plants. (See response to Comment A for additional details of nuclear plant Y2K readiness activities.)

1 l

. I s

i vii -

I

~

F. Five responders (6,7,8,9 and 12) do not want licensees to operate outside their license during Y2K because they believe it is not justified or safe. Five responders (3,4, 5,14, and 15) want the NRC to implement a revised enforcement policy that allows timely decisions during the Y2K transition period. These responders (3,4,5,14, and 15) also suggest that " regulatory response" support staff in the NRC Operations Center during the Y2K transition need to have the authority to rapidly respond to an actual situation and, where appropriate, grant enforcement discretion, based on actual conditions that exist at the time.

Response

The NRC agrees with the comments that knowledgeable staff be available in the NRC Operations Center that have appropriate authority to respond to licensee requests in a timely manner. We also agree that a revised enforcement discretion policy is needed to allow timely decisions during this transition period.

During the rollover from December 31,1999, to January 1,2000, the NRC Operations Center will be staffed with knowledgeable projects and technical staff ready to process any request received from a licensee. A small number of staff will also be present in each regional incident Response Center to facilitate communication with the resident inspectors and to support requesta for enforcement discretion, if necessary. With regard to the revised enforcement discretion policy, the staff is preparing for Commission review and approval of an interim enforcement policy regarding enforcement discretion that will provide guidelines for the Y2K transition / rollover period.

The NRC is pursuing a comprehensive program for dealing with potential Year 2000 (Y2K) issues. We have been and will continue working with our licensees to ensure that potential Y2K issues have been identified and rectified. Most, if not all, licensees will be Y2K ready by Fall of 1999. However, it is not possible to be 100 percent certain that all potential problems will be corrected when we pass from 1999 into 2000. Therefore, the NRC has prepared plans to use Enforcement Discretion and has developed procedures and guidelines to assist the staff and licensees during this transition period. These documents will provide guidance to the licensees, staff in the regional offices, NRC Operations Center, and the Office of Nuclear Reactor Regulation on the process for the NRC to exercise enforcement discretion with regard to Limiting Conditions for Operation (LCOs) in power reactor TSs or license conditions. It is prudent that the NRC proceeds with these plans for ensuring that public health and safety and the environment will continue to be protected even if unforeseen Y2K problems occur.

viii l

i J

1

\

G. Five responders (3,4, 5,14, and 15) want to use the wording " embedded devices" instead of" embedded systems."

Response

The staff agrees with the comment on including embedded devices" in the scope of the Y2K problem. However, the term " embedded systems" will be used since that phrase has been used extensively when discussing the Y2K computer problem. The following discussion taken from

- the document on the Millennium Problem in Embedded Systems by the Institute of Electrical Engineers, the reference document on Y2K and embedded systems is provided for clarification.

1 A general purpose definition of embedded systems is that they are devices used j to control, monitor or assist the operation of equipment, machinery or plant. l'

" Embedded" reflects the fact that they are an integral part of the system. In many cases their embeddedness may be such that their presence is far from obvious to the casual observer and even the more technically skilled might need to )

examine the operation of a piece of equipment for some time before being able to conclude that an embedded control system was involved in its functioning. At the other extreme, a general-purpose computer may be used to control the operation of a large complex processing plant, and its presence will be obvious.

I All embedded systems are or include computers or microprocessors. Some of j these computers are, however, very siinple systems as compared with a personal computer. The very simplest embedded systems are capable of performing only a single function or set of functions to meet a single predetermined purpose. In more complex systems, the functioning of the ,

embedded system is determined by an application program that enables the embedded system to be used for a particular purpose in a specific application.

The ability to have programs means that the same embedded system can be used for a variety of different purposes. In some cases a microprocessor may be  !

designed in such a way that application software for a particular purpose can be )

added to the basic software in a second process, after which it is not possible to l make further changes. The applications software on such processors is l sometimes referred to as firmware. l l

ix

~

H. Three commentors [9,12, and 13] addressed NRC participation in the National Telecommunication Coordinating Network (NTCN) being planned by the National Communications System. Specific comments in this area include:

Commentor 13 provided some clarifying remarks conceming the NTCN and suggested adding a discussion of the Telecommunications Service Priority system that NRC subscribes to for its critical telecommunication circuits.

  • Commentor 3 stated (and 9 endorsed) the following statement. "We do not know the details of this system, but on the surface (NTCN) it seems to be an excellent idea, and we encourage the NRC to participate in this and other systems that hold promise for telecommunications even if there is an outage in the Washington D.C. area."

Response

At the time that the draft Contingency Plan was completed and made publically available for comment, there was little detailed information available to the NRC on the NTCN The final Contingency Plan includes mure detailed information on the NTCN and how it will be integrated into the NRC's plans for communicating with our licensees during the Y2K transition.

6 X

l. Two responders commented on the planning basis in the Contingency Plan.

One responder (2) did not agree with the premise that planning for the middle of two extreme scenarios is sufficiently safe. Instead, she believes that the NRC should plan for the worst-case scenario, since she believes that the infrastructure (electric grid and telecommunications) will not be Y2K compliant. Five responders (3,4,5,14, and 15) recommend that the document continue to emphasize that the planning scenario is not an estimate of expected events.

Resoonse l Based on review of the latest NERC Status Report (April 30,1999), the latest FCC Y2K Communications Sector Report (March 1999), and the most recent report of the President's Council on the Year 2000 Conversion (April 21,1999), and on dialog and interaction with

! numerous Federal and private sector organizations dealing with the Y2K issue, the NRC I

contingency plan task force does not believe that there will be major infrastructure problems during the Y2K transition. The Contingency Plan has been updated to reflect the latest (as of April 1999) information with regard to the Y2K readiness of the infrastructure, particularly with  ;

regard to electric grid reliability and telecommunications. We still believe that the contingency planning assumptions are appropriately conservative.

i l

xi

o J. Four responders (4, 5,14, and 15) recommend removing Attachment 3, " Critical Dates,"

since it is not relevant to licensee planning.

Response

NRC agrees. This section of the Contingency Plan has been modified.

xii

K. Five responders (3,4,5,14, and 15) are unaware of any DOE Y2K contingency planning efforts for the electricity supply and state that industry is coordinating with the North American Electric Reliability Council (NERC).

Response

The Contingency Plan has been modified to address NRC coordination with DOE. NERC is facilitating the Y2K readiness reporting process for DOE.

xiii

~

L. Responders would like more Y2K exercises and workshops to be conducted.

-Response A new section has been added to the Contingency Plan that addresses NRC plans for Y2K exercises and workshops.

xiv

M. Two commentators (6 and 7) provided general remarks. One (6) agreed with the characterization that loss-of-offsite-power (LOOP) was "a major portion of the total plant risk," taking into account the history of emergency d;esel generator (EDG) problems onsite and believed that the NRC should be held accountable for any consequences should the Y2K plan not work. The other (7) expressed apprehension given the recent GAO criticism of NRC oversight of licensee activities (i.e., TIME magazine cover story).

Response

The comments are general remarks that touch upon offsite and onsite electric power system reliability, accountability in the event that problems happen due to Y2K and express apprehension of the Y2K problem at it affects nuclear plants.

To ensure that all operating nuclear power plants remain safe, licensees of operating reactors are required to be in compliance with the terms and conditions of their license (s) and NRC regulations at all times if the Y2K problems leads to a condition that would cause the facility to not be in compliance with the terms and conditions of its license or any NRC regulation, then actions required by the license or regulations will be taken, including , if warranted, shutdown of a plant. The NRC has been proactive with licensees in order to address the Y2K problem and achieve Y2K readiness of all nuclear power plants. (See response to Comment A for additional details of nuclear plant Y2K readiness activities.)

The scope of the licensees' Y2K program covers the emergency onsite power and other emergency power systems at the plant. The NRC audit results to date have verified the licensees' consideration of these systems and have not identified any associated residual Y2K problems. Emergency onsite power is usually provided by diesel generators, which supply electric power to the plant safety systeme upon a LOOP from the extemal power grid. NRC regulations require that the onsite electric power supplies and onsite electric distribution system shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure. By design, normally, a single EDG with its dedicated set of safety system equipment is capable of safely shutting down the reactor and maintaining it in a safe condition.

The operation and maintenance of the EDGs and the other safety-related equipment necessary for the safe shutdown of the reactor are controlled by the plant technical specifications (TSs).

Plant TSs require the EDGs to be tested routinely in order to demonstrate their operability and capability of supplying power as needed. This test ensures a high level of readiness and reliability. The plant TSs also require that immediate action be taken to restore the diesel generators to operable status if they are found inopersble. Therefore, although occasional problems have been reported with backup diesel generators, the staff concludes that onsite power provided by' diesel generators is a reliable source of emergency power in the case of a loss of offsite power.

Plants are also required to be able to cope with the loss of all ac electrical power to the nuclear plant. This event, called station blackout (SBO), includes the loss of the emergency diesel generators as well as the power from the offsite power grid. The NRC issued 10 CFR 50.63, the SBO rule, in 1988, which requires that nuclear power plants be able to cope with an SBO event xv 1

for a specified duration. Specifically, the SBO rule required plant-specific coping analyses to ensure that a plant could withstand a total loss of ac power for a specified duration and to determine appropriate actions to mitigate the effects of a totalloss of ac power. The NRC staff has verified that each nuclear power plant complies with the SBO rule. Furthermore, each plant must have SBO procedures in place to restore offsite and onsite power as soon as practical in order to supply power to the shutdown safety systems. This requirement is consistent with our defense-in-depth philosophy for maintaining reactor safety. For the Y2K concem, licensee preparations will include contingency plans to ensure prompt response to Y2K-related issues that might arise.

xvi

r N. One commenter (10) questict.ed whether " analog hardwiring" does reduce internal facility risk since it was not designed for that purpose. Also, any interactions between ,

hardwired analog systems and balance of plant systems should be specifically identified  ;

or referenced in the Y2K plan.

ResDonse Independence and separation of safety protection systems from nonsafety systems, whether  ;

analog hardwired or digital, are design regulatory requirements (10 CFR Part 50.55 a(h),10 '

CFR Part 50, Appendix A, Criteria 22 and 24) which applies to all nuclear power plant instrumentation and control system designs. Any interconnection between an analog safety system and a nonsafety digital data acquisition system like the plant process computer would be i through isolation devices and one-way communication pathways to assure the independence and integrity of the safety system. Additionally, during remediation testing of a computer system i as part of the plant-specific Y2K readiness program implementation such interfaces are norms!!y tested at the plant site j i

xvii

~

INDEX OF RESPONDERS (Attachment 1)

ID NO. ORGANIZATION DATE SUBMITTED NO.1 ARCABA COMMUNITY PREPAREDNESS January 25,1999 NO. 2 PRIVATE CITIZEN - ANN PREHN No Date NO. 3 TVA February 4,1999 NO. 4 CP&L February 15,1999 NO. 5 PECO February 16,1999 NO. 6 PRIVATE CITIZEN - ROBIN MILLS FWoruary 4,1999 Nd. 7 MASSACHUSETTS CITIZENS FOR SAFE ENERGY cuary 10,1999 NO. 8 GLOBAL RESOURCE ACTION CENTER 'ebruary 5,1999 NO. 9 PACE February 4,1999 NO.10 PRIVATE CITIZEN - MARVIN LEWIS January 2,1999 NO.11 MAINE GREEN PARTY February 15,1999 NO.12 NIRS February 4,1999 NO.13 NCS February 12,1999 NO.14 NEl February 12,1999 NO.15 NORTH ATLANTIC February 12,1999 NO.16 PRIVATE CITIZEN - RICHARD BERGER February 18,1999 xviii

. I l

e ,' ATTACHMENT 2 Y2K REMEDIATION STATUS OF NPP AND GDP TELCOS (as of April 14,1999)

Switch Switch Y2K ID Plant Name Carrier Type Manufacturer Status Contel of Arkansas, Inc. DBA DMS 100/200 (Digital) 1 Arkansas GTE Arkansas Host Nortel Done Babcock & Wilcox 2 (BWX) Bell Atlantic-Virginia,Inc. SESS (Digital)(Local)/(Toll) Lucent Done Bell Atlantic - Pennsylvania, 3 Beaver Valley Inc. DMS 100 (Digital) Host Nortel Done 4 Bellefonte GTE South, Inc. - Alabama GTD5 (Digital) AGCS Done 5 Big Rock Ameritech Michigan Remote Switching Center Nortel Done 6 Braidwood Ameritech I!!inois Remote Switching Center Nortel Done 7 Browns Ferry South Central Bell Lucent Done SESS Remote (SB RSM) 2099 8 Brunswick Southem Bell Telephone Co. Remote Switching Center Nortel 4/23/99 9 Byron GTE of lilinois GTD5 (Digital) AGCS Done 10 Callaway Kingdom Telephone Co. DMS (Digital) Nortel Done 11 Calvert Cliffs Bell Atlantic- Maryland,Inc. SESS Remote (5A RSM) Lucent Done 12 Catawba Southem Bell Telephone Co. SESS Remote (SA RSM) Lucent Done 13 Clinton GTE of Illinois GTD5 (Digital) AGCS Done 14 Comanche Peak GTE Southwest, Inc. - Texas DMS (Digital) Nortel Done 15 Cooper Station Aliant Communication GTD5 (Digital) AGCS 3099 Sprint - Florida, Inc. DBA 16 Crystal River United Telephone of Florida DSS (Digital) North Electric Done 17 Davis Besse Ameritech Ohio SESS (Digital)(Local)/(Toll) Lucent Done Contel of the South DBA GTE 18 DC Cook So. - Michigan SESS Host (Digital) Lucent 2099 2099 19 Diablo Canyon Pacific Bell SESS (Digital); Local)/(Toll) Lucent 6/30/99 20 Dresden Ameritech Illinois SESS (Digital)(Local)/(Toll) Lucent Done 21 Duane Arnold Palo Co-Op Phone Association DMS (Digital) Nortel Done 22 Farley Graceba Total Communications DCO Siemens 2099 l

XIX

1 ATTACHMENT 2 Y2K REMEDIATION STATUS OF NPP AND GDP.TELCOS (as'of April 14,1999)

Switch Switch Y2K ID Plant Name Carrier Type Manufacturer Status Century Telephone of 23 Fermi Michigan, Inc. DMS 100 (Digital) Host Nortel Done 24 Fitzpatrick Bell Atlantic New York DMS (Digital) Norte. 2099 25 Fort Calhoun Blair Telephone Company DMS (Digital) Nortel Done 26 Ginna Bell Atlantic New York SESS Remote (5A RSM) Lucent Done DCO (Digital)/ Century 27 Grand Gulf South Central Bell System (Toll) Siemens Done 28 Harris Southem Bell Telephone Co. DMS 100 (Digital) Host Nortel Done 29 Hatch Southem Bell Telephone Co. SESS (Digita!)(Local)/(Toll) Lucent Done 30 Hope Creek Bell Atlantic - New Jersey, Inc. DMS 100 (Digital) Host Nortel 1Q99 31 Indian Point Bell Atlantic New York SESS Remote (5A RSM) Lucent 1Q99 32 Kewaunee Ameritech Wisconsin SESS Remote (SA RSM) Lucent 'eone 33 La hile Ameritech Illinois 5ESS Remote (SA RSM) Lucent Done 34 Limerick Bell Atlantic - Pennsylvania, Inc SESS Host (Digital) Lucent Done 35 McGuire Southem Bell Telephone Co. SESS (Digital)(Local)/(Toll) Lucent Done Southem New England 36 Millstone Telephone Co. No.1 A ESS (Local)/(Toll) Lucent Done DMS 100/200 (Digital) 37 Monticello Tds Telecom Host Nortel Done 38 Nine Mile Point Bell Atlantic New York DMS (Digital) Nortel 2099 39 North Anna Bell Atlantic-Virginia, lac. SESS Remote (5A RSM) Lucent Done 40 Oconee Southem Bell Telephone Co. SESS Host (Digital) Lucent Done 41 Oyster Creek Bell Atlantic - New Jersey, Inc. DMS 100 (Digital) Host Nortel Done 2099 42 Paducah South Central Bell DMS 100 (Digital) Host Nortel 5/15/99 GTD5-EAX (Digital) 43 Palisades GTE of Michigan Remote AGCS 2099 US West Communications - '

44 Palo Verde Mountain Bell Remote Switching Center Nortel Done I

l xx I

1 l

J ATTACHMENT 2 Y2K REMEDIATION STATUS

- OF NPP_ AND GDP.TELCOS (as of April 14,1999)

Switch Switch Y;K ID Plant Name Carrier Type Manufacturer Status GTDS-EAX (Digital) 45 Peach Bottom GTE of Pennsylvania Remote AGCS Done 46 Perry Alltel Westem Reserve Phone SESS Remote (SA RSM) Lucent Done 47 Pilgrim Bell Atlantic NE SESS Host (Digital) Lucent Done GTD5-EAX (Digital) 48 Point Beach GTE of Wisconsin Remote AGCS Done 49 Portsmouth GTE North, Inc. - Ohio GTD5 (Digital) AGCS Done US West Communications -

50 Prairie Island Northwestem Bell DMS 100 (Digital) Host Nortel Done 51 Quad Cities GTE North,Inc. Illinois Remote Switching Center Nortel 1Q99 52 River Bend South Central Bell Remote Switching Center Nortel Done 53 Robinson Southem Bell Telephone Co. SESS (Digital)(Local)/(Toll; Lucent Done 54 Salem Bell Atlantic- New Jersey, Inc. DMS 100 (Digital) Host Nortel 1Q99 55 San Onofre Pacific Bell DMS 100 (Digital) Host Nortel Done 56 Seabrook Bell Atlantic NE DMS (Digital) Nortel Done 57 Sequoyah South Central Bell SESS (Digital)(Local)/(Toll) Lucent Done l 58 South Texas GTE Southwest, Inc. - Texas GTD5 (Digital) AGCS Done )

59 St. Lucie Southern Bell Telephone Co. No.1 A ESS (Local)/(Toll) Lucent Done i 60 Summer Southem BellTelephone Co. SESS Remote (SA RSM) Lucent Done 61 Surry GTE South, Inc. - Virginia Remote Switching Center Nortel Done Commonwealth Telephone 62 Susquehanna Enterprises, Inc. Remote Switching Center Nortel 1Q99 63 Three Mile island Bell Atlantic- Pennsylvania, Inc DMS 100 (Digital) Host Nortel Done 64 Turkey Point Southem Bell Telephone Co. SESS (Digital)(Local)/(Toll) Lucent Done 65 Vermont Yankee Bell Atlantic NE SESS Host (Digital) Lucent Done 66 Vogtle Southern Bell Telephone Co. DMS 100 (Digital) Host Nortel Done DCO (Digital)/ Century 67 Waterford South Central Bell System (Toll) Siemens Done XXi

4 ATTACHMENT 2

'Y2K REMEDIATION STATUS OF NPP AND"GDP TELCOS (as of' April 14,1999)

Switch Switch Y2K ID Plant Name Carrier Type Manufacturer Status AT&T Technologies Optically Remote 68 Watts Bar South Central Bell Switching Module AT&T Done 69 WNP United Telephone - Northwest Remote Switching Center Nortel 1Q99 Spring / United Telephone 70 Wolf Creek Company of Kansas SESS Host (Digital) Lucent Done l

xxii

ATTACHMENT 3 TIMELINE FOR OPERATIONS CENTER STAFFING FOR STANDBY MODE

. Day Time (EST)' <

' Response Level A subset of the Y2K Response Team (communicators, reactor ,

experts, electrical /l&C experts, and other NRC representatives) will assemble in the Operations Center to monitor Y2K reports from NEA ,

and other foreign regulatory bodies. Any reported Y2K-related plant system problems, grid problems, or widespread telecommunication outages will be evaluated for relevancy and communicated to our licensees. In addition, this group would assess any problems created by a Y2K failure associated with an embedded chip that is date 12/31/99 1200 stamped in earlier time zone (e.g., UTC).

Agency enters Standby response mode. Operations Center is staffed 12/31/99 2200 with the full Y2K response team.

01/01/00 0000 Y2K transition begins.

Operations Center communicators conduct " phone checks" of all NPPs in EST zone. Any Y2K problems are reported to licensees via 01/01/00 0015 YEWS.

Operations Center communicators conduct " phone checks" of all NPPs in CST zone. Any Y2K problems are reported to licensees via 01/01/00 0115 YEWS.

l

, Operations Center communicators conduct " phone checks" of all l NPPs in MST zone. Any Y2K problems are reported to licensees via 01/01/00 0215 YEWS.

Operations Center communicators conduct " phone checks" of all NPPs in PST zone. Any Y2K problems are reported to licensees via 01/01/00 0315 YEWS.

l The Executive Team member would decide when the response organization could stand down from Standby or if events warrant 01/01/00 0600 escalating the NRC response to initial Activation.

xxiii

, i ATTACHMENT 4 Y2K STAFFING PLAN l

HEADQUARTERS STAFFING As shown in the follow % staffing chart, the Headquarters multi-disciplinary team of responders would be headed by xecutive Team Member, the director of Incident Response Operations (IRO). The ET member would be supported by a chronology officer and a status summary officer-since Headquarters plans to issue several status summaries during the Y2K staffing period. In the event that a Y2K problem involving an NRC licensee requires an NRC response, the Reactor and Fuel Cycle Safety Team (R/FST), the Protective Measures Team (PMT), the Liaison Team (LT), the Headquarters Operations Officers (HOOs), and the Operational Support Team (OST) will fulfill their roles as they would for any NRC response. The Director of the R/FST would also have the added responsibility of providing direction to the Regulatory Response Team. It is envisioned that the Director R/FST position will be filled by a NRR manager who is currently a Director or Deputy Director on the Reactor Safety Team.

The Information Technology Support Team would be responsible fcr ensuring that Operations Center information systems and support systems function as expected during the Y2K transition. l This team willinclude the Office of Administration facility support staff and contractors to ensure that emergency power and environmental control systems remain operable through the Y2K transition. This team would also be responsible for the logistics associated with operation of the portable satellite equipment. The Information Sharing Team would consist primarily of representatives from the Office of international Programs. However, in carrying out the information sharing aspect of the :ontingency plan, they will receive support from specialists on the R/FST incident Response Team and from the communicators on R/FST and PMT. The Y2K Team Coordinator would support the ET member in ensuring that the various aspects of the Contingency Plan (Incident Response, Information Sharing, and Regulatory Response) are coordinated and implemented in an effective manner.

The advance team that staffs the Operations Center at 1200 on December 31, will be a relatively small subset of the full Y2K Response Team.

xxiv l

1 i

NRC Headquarters Y2K Response Team Y2KInaduun Response Tasm I

T teemter Frank canpel Et sina D-messy --

samary asser ommer Assemand Fue eyes Pmusen umsen W bdsumban PesadqusMum bdsmudien Y2Kisam tesessus Team separt Toshnessy ops,segna shang Coolensaw seasly Team Tema 1esm suppsel ones Team mm. nas i men n su o o, sss.,s.ns,.

o,s o .n.t. or .

_ us.sn c si s,.sis.

thas -

om.

.e,.

I-seen.or neia.un=

ET T_

sp-an. on-s ==v u

masense murmus Fausen Fuuten e p es,g

_. us.n. === opww.

s=== c-o,.m v en Technsw e e

-~

sans .

teensomnus spesiksha - Deutse teematonal sense r s, === _ us n c ==m-EiselosWisc Destafisc the speasesi speedst Ems,pency

~

ops.or posed T p en,g punes Fesmy m _

e.,s n .

c-n .

emne Ramsar satuy Ans,a

[ Famed.

opwar t Esen on.s

' heenser Asessemem Aa ,

sshousnes Fud secu Famy s, .er= --

s =*'

w = Team I as i s.Y2K m R = Position to be Filled g

XXV l

l

4 REGION SUPPORT AND BACKUP Starting on December 31, all four regions will staff their IRCs with a small number of people to support headquarters with the regulatory response role (enforcement discretion review), to serve as liaison with FEMA and States, and to initiate the call-out of response personnel, if needed. Regions will retain the option to increase or reduce staffing as deemed necessary.

Each region will respond to events using routine response procedures and will provide for a replacement shift to provide 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> operation, if needed.

In addition to the staffing for regulatory response, Region IV will have the capability to rapidly augment staffing in the Region IV IRC with personnel to meet the following objectives:

Assist headquarters in an " overflow" capacity Act in the role of NRC Headquarters in the event of a loss of ability to respond from the headquarters Operations Center The augmented Region IV response staffing will resemble the organization chart below:

Region IV Backup Y2K Response Team

':::1.:-

., M

-: b 'lllll" llll:'::: ,L"?."'l, lllllll'" d .*ll"., :llll*

"'*"'"' F u

- n,,, *

=- -

5 _

,s E g -

4llllll.

~

m,

. 'i::::l" ape.a.a.i men .-

While the organization may show 28 positions, some economy will be achieved depending on the skills of individuals who are selected. Some positions (such as those under the Resource Manager) may be consolidated to only require two people instead of four. Additional support /

personnel may be needed for regulatory response and information brokering roles. Plans are being made to accommodate up to 30 people for Y2K response and support in Region IV. A second shift roster will be prepared to ensure availability of personnel to fill these positions on an ongoing,24-hour basis,if needed.

xxvi

i Each region will arrange for one resident inspector (or other qualified individur.1) to be available to respond promptly to the assigned operating NPP and GDP site beginning at 5:00 p.m. EST

. (00:00 UTC) on December 31. The assigned responder will be onsite not later than 10:00 p.m. .

local time and will be expected to be in (one of) the control room (s) from about 11:00 p.m. until  !

about 1:00 a.m. local time, monitoring ongoing operations and conditions.7 After 1:00 a.m., if I conditions are normal, the assigned inspector may return to the NRC office, remaining available to respond, if necessary.

Each site will have a satellite telephone for contingency use if other telecommunications lines are not available. The Regions and Headquarters will also have appropriate satellite communications capability. The satellite phone will be tested on December 31, before 11:00 p.m. to verify operability.

Between 12:15 a.m. and 1:00 a.m. on January 1, the assigned inspector will provide a status report to NRC management. The report will contain current plant status, preliminary details of any abnormalities which have been experienced, and information about contingency plans the licensee had to implement. These reports will be made to the regional IRC. Once all sites for a region have called in, the Regional IRC will forward a summary of information to the

- headquarters Operations Center. If there are communications problems affecting a regions IRC, the assigned inspector will call the headquarters Operations Center. If the headquarters Operations Center cannot be contacted, then the Region IV IRC will be notified. Phone numbers for these con'_ :ts will be distributed to each site prior to December 31.

' l If necessary, another inspector will be dispatched to relieve the on-duty inspector. 1 I .

l I

l 1

l

'7 At each GDP, there is one Operations Center, multiple control rooms for different processes, and multiple control areas in the buildings Consequently, the GDP resident inspector (or other qualified individual) will be in an I appropriate safety-significant location sf the facility at the transition time.

xxvii I

]

ATTACHMENT 5 NRC Y2K EXERCISE SCHEDULE ,

Date Exercise / Activity I May 19-20 Federal Response Plan Community Tabletop Exercise May - August FEMA Y2K REP Seminars July 14 (tentative) NRC Y2K Tabletop September 9 NERC Exercise (NRC involvement not currently planned)

September 18 and 25 National Y2K Tabletop October 15 (tentative) Y2K Response Team Full Scale Exercise Headquarters Operations Center, Regional incident Response December 31-January 1 Centers and sites staffed by Y2K Response Team i

xxviii