ML20211E969

From kanterella
Jump to navigation Jump to search
Requests Commission Approval to Publish in Fr,Notices of Denial of Petitions for Rulemaking (PRM-50-65,PRM-50-66 & PRM-50-67) Submitted by Nirs
ML20211E969
Person / Time
Issue date: 07/02/1999
From: Travers W
NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO)
To:
References
RULE-PRM-50-65, RULE-PRM-50-66, RULE-PRM-50-67 SECY-99-173, SECY-99-173-01, SECY-99-173-R, NUDOCS 9908300187
Download: ML20211E969 (86)
v  d  e


Text

.

RELEASED TO THE DDR l

s am E

lb5]99 b O'b E

$~I j

d5to initia!s

~

~ e spee..aeeeeeeeeeeesosse

\\...../

RULEMAKING ISSUE (Notation Vote)

July 2.1999 SECY-99-173 EQB:

The Commissioriers FROM:

William D. Travers Executive Director for Operations

SUBJECT:

DENIAL OF PETITIONS FOR RULEMAKING SUBMITTED BY THE NUCLEAR INFORMATION AND RESOURCE SERVICE PURPOSE:

To obtain the Commission's approval to publish in the FederalRegister notices of denial of the petitions for rulemaking (PRM-50-65, PRM-50-66, and PRM-50-67) submitted by the Nuclear Information and Resource Service (NIRS).

BACKGROUND:

The Nuclear Regulatory Commission (NRC) received the subject petitions for rulemaking (PRM-50-65, PRM-50-66, and PRM-50-67) from the NIRS, each dated December 10,1998.

The petitioner requested that the NRC amend its regulations to require the following actions be accomplished:

(1)

That nuclear facilities be shut down if they are not compliant with date-sensitive, computer-related issues regarding Y2K. The petitioner requested that the NRC take this action to ensure that Y2K issues will not cause the failure of nuclear safety systems and thereby pose a threat to public health and safety.

(2)

That every nuclear utility conduct a full-scale emergency planning exercise that involves coping with a date-sensitive, computer-related failure resulting from a Y2K issue. The petitioner requested that the NRC take this action to ensure that nuclear power plant CONTACT:

M. Chiramal, DE/NRR M. Gareri, DE/NRR l)f 415-2845 415-1014

(

//

)J 9908300187 990702 1 I.0 n

c PDR SECY l

U' j p i4 it 7

99-173 R PDR IDJh C d rl-k U% M b j

r The Commissioners

-2.-

licensees have developed and can implement adequate contingency and emergency plans to address major system failures that may be caused by a Y2K problem.

(3)

Ensure that the safety systems of reactors and other nuclear facilities have reliable back-up sources of electricity in the event of a Y2K incident.

On January 25,1999, the NRC published notices of receipt of the petitions for rulemaking in the FederalRegister(64 FR 3789; 64 FR 3791; and 64 FR 3792). Because of the nature of these petitions and the date-specific issues they address, the petitioner requested that the petitions be filed expeditiously and that public comment on the actions be limited to 30 days. The notice of receipt of a petition for rulemaking invited interested persons to submit comments by February 24,1999.

A total of 70 comments were received on PRM-50-65, with 54 commenters agreeing with the petition and 16 commenters opposing the petition.

A total of 64 comments were received on PRM-50-66, with 46 commenters agreeing with the petition and 18 commenters opposing the petition.

A total of 73 comments were received on PRM-50-67, with 56 commenters agreeing with the petition and 17 commenters opposing the petition.

Many of the comments docketed under PRM-50-65 responded to all three petitions.

DISCUSSION:

In developing the decisions on the NIRS petitions, the staff considered the information provided in the petitions and the comments received in response to the notice of receipt of the petitions.

Although the majority of the comments received supported the petition, the planning and implementation activities by the industry, the oversight provided by the NRC in addressing the Y2K problem at licensed nuclear facilities, and the existing regulations, have provided sufficient basis to deny the petitions.

In PRM-50-65, the petitioner requested that the NRC adopt the following text as a rule:

Any and all facilities licensed by the Nuclear Regulatory Commission under 10 CFR Parts 30,40,50, and 70 shall be closed by 12 pm Eastern Standard Time, December 1,1999, unless and until each facility has: (a) fully and comprehensively examined all computer systems, embedded chips, and other electronic equipment that may be date-sensitive to ensure that all such systems that may be relevant to safety are Y2K compliant; (b) repaired, modified, and/or replaced all such systems that are not found to be Y2K compliant; (c) made available to the public all information related to the examination and repair, modification and/or replacement of all such systems; (d) determined, through i

full-scale testing, that all repairs, modifications, and/or replacements of all such systems are, in fact, Y2K compliant.

l

r The Commissioners The NRC staff has determined that the actions taken by the licensees to implement a systematic and structured facility-specific Y2K readiness program and the NRC's oversight of the licensees' implementation of these Y2K readiness programs provide reasonable assurance of adequate protection to public health and safety. The petition is denied for the reasons cited in detail in the Federal Register notice (Attachment 1 A).

In PRM-50-66, the petitioner requested that the NRC adopt the following text as a rule:

Alllicensees subject to 10 CFR Part 50 and Appendix E will conduct a full-scale emergency planning exercise (as normally required under 10 CFR 50.47) during 1999. This exercise shall include a component that includes failure of one or more computer or other digital systems (this is popularly known as the "Y2K bug")

on January 1,2000, or other relevant date. Licensees that do not conduct, or that fail, this exercise shall close their facilities licensed under this part by December 1,1999, until such time as the licensees have conducted a successful exercise.

The NRC staff has determined that the existing required emergency operating and emergency plans, along with actions taken by the licensees to implement systematic and structured Y2K readiness contingency plans for critical Y2K dates, and NRC's oversight of the licensees' implementation of these Y2K readiness contingency plans provide reasonable assurance of adequate protection to public health and safety. The petition is denied for the reasons cited in detail in the Federa/ Register notice (Attachment 1 B).

In PRM-50-67, the petitioner requested that the NRC adopt the following text as a rule:

The Nuclear Regulatory Commission recognizes that date-sensitive computer programs, embedded chips, and other electronic systems that perform a major role in distributing, allocating, and ensuring electric power throughout the United States may be prone to failure beginning on January 1,2000. Loss of all attemating current electricity from both the offsite power grid and onsite emergency generators (commonly known as " station blackout,") long has been identified by the NRC as among the most prominent contributors to risk for atomic reactors.

(1) For these reasons, the NRC requires of Part 50 and 70 licensees as of December 1,1999: (a) that all emergency diesel generators that provide back-up power to nuclear licensees must be operational and remain operational; (b) that licensees that cannot demonstrate full operational capabilities of all emergency diesel generators must close until such time that full operational capabilities of emergency diesel generators are attained; (c) that all licensees must have a 60-day supply of fuel for emergency diesel generators.

(2) Further, to ensure adequate protection of public health and safety, the NRC requires that all licensees under these sections must provide altemate means of back-up power sufficient to ensure safety. These may include, but are not limited to: solar power panels, wind turbines, hydroelectric power, biomass power, and

r The Commissioners other means of generating electricity. These additional back-up systems must provide electricity directly to the licensee rather than to the broader electrical grid.

(3) Irradiated fuel pools are to be immediately classified as Class 1-E; back-up power systems must be sufficient to provide cooling for such pools.

Licensees which cannot demonstrate compliance with sections (1) and (2) must cease operations as of December 1,1999, until compliance with these sections is attained.

The NRC staff has determined that the actions taken by the licensees to implement a systematic and structured Y2K readiness program adequately address Y2K issues and NRC's oversight of the implementation of these industry programs provide reasonable assurance of adequate protection to public health and safety. The petition is denied for the reasons cited in detail in the Federa/ Register notice (Attachment 1C).

CONCLUSION:

The staff agrees that the Y2K issue is significant and acknowledges the importance of the issues raised by the petitioners. However, the staff has concluded that these issues can be and are being addressed without implementation of new rules.

The staff recommends that the Commission deny the petitions for rulemaking related to Y2K issues. The staff considers that the actions taken by licensees to address Y2K issues and NRC's oversight of these activities provide reasonable assurance of adequate protection to public health and safety. Establishing new prescriptive regulations, as proposed by the petitioner, is not necessary to ensure safe operation of facilities and the ability of the facilities to shutdown safely in the event of a Y2K incident.

RECOMMENDATION That the Commission:

1.

Acorove the Federa/ Register notices that deny the petitions (Attachments 1 A-1C).

2.

Note:

a.

The petitioner will be informed of this action (Attachment 2).

b.

The appropriate congressional committees will be informed of this action (Attachment 3).

c.

Upon publication of the notices of denial in the Federal Register, the Office of Administration will make the notices of denial available on NRC's rulemaking web site.

e The Commissioners

- 5.-

COORDINATION The Office of the General Counsel has reviewed this paper and has no legal objection to its content. The Office of the Chief information Officer has reviewed this paper for information technology and information management implications and concurs in it.

W William D. Travers Executive Director for Operations i

Attachments:

1 I

1.

a.

FederalRegister Notice 50-65 b.

FederalRegister Notice 50-66 c.

FaderalRegister Notice 50-67 2.

Letter to Petitioner Michael Marriotte, Nuclear information and Resource Service j

3.

Letters to Congress - Honorable Joe L. Barton and Honorable James M. Inhofe j

l Commissioners' completed vote sheets / comments should be provided directly to j

the Office of the Secretary by COB July 22, 1999.

Commission Staff Office comments, if any, should be submitted to the Commissioners NLT July 15, 1999, with an information copy to the Office of the Secretary.

If the paper is of such a nature that it requires additional review and comment, the Commissioners and the Secretariat should be apprised of when comments may be expected.

DISTRIBUTION:

Commissioners OGC OCAA OIG OPA j

OCA ACRS ASLBP CIO CFO EDO REGIONS SECY

r i

  • ~

(

l 4

ATTACHMENT 1-A FederalRegisterNotice 50-65 Nuclear Information and Resource Service; Petition for Rulemaking Denial O

[7590-01-P]

NUCLEAR REGULATORY COMMISSION 10 CFR Parts 30,40,50, and 70 (Docket No. PRM-50-65]

Nuclear Information and Resource Service; Petition for Rulemaking Denial l

AGENCY: Nuclear Regulatory Commission.

ACTION: Petition for rulemaking; denial.

SUMMARY

The Nuclear Regulatory Commission (NRC) is denying a petition for rulemaking l

(PRM-50-65) from the Nuclear Information and Resource Service (NIRS). The petitioner requested that NRC amend its regulations to require the shutdown of nuclear facilities that are not compliant with date-sensitive, computer-related issues regarding the Year 2000 (Y2K) issue.

The petitioner requested that NRC take this action to ensure that Y2K issues will not cause the failure of nuclear safety systems and thereby pose a threat to public health and safety. NRC is denying the petition because the Commission has determined that the actions taken by licensees to implement a systematic and structured facility-specific Y2K readiness program and NRC's oversight of the licensees' implementation of these Y2K readiness programs provide adequate protection to public health and safety.

ADDRESSES: Copies of the petition for rulemaking, the public comments received, and NRC's letters to the petitioners are available for public inspection or copying in the NRC Public l

l L

Document Room, 2120 L Street, NW. (Lower Level), Washington, DC, as well as on NRC's rulemaking website at http://ruleforum.llnl. gov.

. FOR FURTHER INFORMATION CONTACT: Matthew Chiramal, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, telephone 301-415-2845, E-mail address <mxc@nrc. gov >, or Gary W. Purdy, Office of Nuclear Material Safety and Safeguards, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, telephone 301-415-7897, E-mail address <gwpi@nrc. gov >.

SUPPLEMENTARY INFORMATION:

Background

NRC received three related petitions for rulemaking (PRM-50-65, PRM-50-66, and PRM-50-67),

each dated December 10,1998, submitted by NIRS conceming various aspects of Y2K issues and nuclear safety. This petition (PRM-50-65) requested that NRC adopt regulations that would require facilities licensed by NRC under 10 CFR Parts 30,40, 50, and 70 to be Y2K compliant.

The second petition (PRM-50-66) requested that NRC adopt regulations that would require facilities licensed by NR ' under 10 CFR Part 50 to develop and implement adequate contingency and emergency plans to address potentici system failures. The third petition (PRM-50-67) requested that NRC adopt regulations that would require facilities licensed by NRC under 10 CFR Parts 50 and 70 to provide reliable sources of back-up power.

Because of the nature of these petitions and the date-specific issues they address, the petitioner requested that the petitions be addressed on an expedited schedule.

(

i

)

O On January 25,1999, NRC published a notice of. receipt of a petition for rulemaking in the FederalRegister(64 FR 3789). It was available on NRC's rulemaking web site and in the NRC Public Document Room. The notice of receipt of a petition for rulemaking invited interested persons to submit comments by February 24,1999.

The Petition The petitioner requested that NRC adopt the following text as a rule:

"Any and all facilities licensed by the Nuclear Regulatory Commission under 10 CFR Parts 30,40,50, and 70 shall be closed by 12 pm Eastem Standard Time, December 1,1999, unless and until each facility has: (a) fully and comprehensively examined all computer systems, embedded chips, and other electronic equipment that may be date-sensitive to ensure that all such systems that may be relevant to safety are Y2K compliant; (b) repaired, modified, and/or replaced all such systems that are not found to be Y2K compliant; (c) made available to the public all information related to the examination and repair, modification and/or replacement of all such systems; (d) determined, through full-scale testing, that all repairs, modifications, and/or replacements of all such systems are, in fact, Y2K compliant."

The petitioner noted that in NRC Generic Letter (GL) 98-01, " Year 2000 Readiness of Computer Systems at Nuclear Power Plants," dated May 11,1998, the NRC has recognized the potential for date-related problems that may affect a system or application (the Y2K problem). These potential problems include not representing the year properly, not recognizing leap years, and 3

7 improper date calculations. These problems could result in the inability of computer systems to operate or to function properly. The petitioner stated that the Y2K problem could potentially interfere with the proper operation of computer systems, microprocessor-based hardware, and software or databases relied on at nuclear power plants. Further, the petitioner asserted that the Y2K problem could result in a plant trip and subsequent complications in tracking post-shutdown plant status and recovery as a result of a loss of emergency data collection.

Additionally, the petitioner is also concerned that power grids providing offsite power to nuclear stations could be affected to the extent that localized and widespread grid failures could occur.

The petitioner acknowledged that NRC has recognized the potential safety and environmental problems that could result if date-sensitive electronic systems fail to operate or provide false information. The petitioner asseded that NRC has required its licensees of reactor and major fuel cycle facilities to report by July 1,1999, on their programs to ensure compliance with Y2K issues. In addition, the petitioner asserted that NRC has not made explicit how it will define compliance nor what it plans to do for licensees of facilities that cannot prove compliance. in the petitioner's suggested regulatory text, NIRS defined compliance with Y2K issues as evaluation of all potential problems that may be safety-related, repair of all such problems, and full-scale testing of all solutions. The petitioner's proposed regulation would also require full public disclosure of all evaluation, repair, and testing data so that the information may be examined by independent experts and the public. Finally, the petitioner's proposed regulation would make it clear that nuclear facilities will be closed until they can demonstrate full compliance with Y2K issues.

The petitioner concluded by stating that NRC is obligated to act decisively to protect public health and safety and the environment. NIRS stated that anything short of the suggested 4

F 0

e approach in the petition is insufficient to fulfill this obligation and that NRC should adopt the suggested regulation as soon as possible.

Public Comments on the Petition in response to the petition, NRC received 70 comment letters, including 1 letter signed by 25 I

individuals from the State of Michigan,3 letters from industry groups,10 letters from utilities,13 letters from private organizations, and 43 letters from private citizens.

Fifty-four letters supported the petition,40 of which were from private citizens,13 were from private organizations, and 1 that was signed by 25 individuals. The comments supporting the petition addressed concems related to avoiding the occurrence of a catastrophic nuclear accident, the reasonableness of the petitioner's request, and opined that any uncertainty is too i

great for the nuclear industry.

Sixteen letters opposed the petitipn, of which 3 were from private citizens, 3 were from associated industries, and 10 were from utilities. The comments opposing the petition stated that the nuclear power industry has taken a coordinated approach to Y2K readiness, nuclear power plant licensees are implementing a structured Y2K program, NRC Y2K initiatives are underway, NRC staff is monitoring licensee activities, and current regulations and license conditions are adequate to address potential Y2K computer issues.

5

1 In some of the letters supporting the petition, the authors included the following additional comments that provide information or request action that was not contained in the petition.

These comments noted:

i l

1.

The date proposed in the petition, December 1.1999, to shut down all non-Y2K compliant nuclear power plants should be moved up 1 to 6 months before the year 2000. The reasons given were to allow sufficient time to shut down and to provide additional safety.

2.

Power grid failure would not allow controlled shutdown of the plant and plants could experience problems like the Russians. The Y2K problem could increase the chance of a core melt.

3.

The problem of " embedded systems," microchips, microprocessors, and such systems-within-systems are difficult to identify and the effects of their multiple failures are poorly understood, especially in the U.S. power grid.

4.

The audits conducted by NRC staff are too few.

These comments are addressed specifically in the discussion of " Reasons for Denial."

Reasons for Denial The NRC is denying the NIRS petition because the NRC has determined that: (1) the actions taken by licensees to implement a systematic and structured facility-specific Y2K readiness 6

E.,

program; and (2) NRC's oversight of licensees' implementation of these Y2K readiness programs together constitute an effective process for addressing Y2K issues such that there will continue to be reasonable assurance of adequate protection of public health and safety. NIRS has not presented any information (and no public comments have been received) that demonstrates that: (1) the licensees' activities are fundamentally incapable of effectively addressing Y2K issues in a timely fashion; (2) licensees are not adequately implementing the Y2K readiness programs; (3) NRC's inspection, audit, and oversight activities are fundamentally incapable of providing adequate regulatory control with respect to licensee implementation of Y2K readiness programs; and (4) the NRC is not effectively implementing its inspection, audit, and oversight activities with respect to Y2K issues. Finally, NIRS has not provided any basis why the NRC's current regulatory approach, which retains the regulatory authority to order licensees to discontinue or modify their licensed activities if the NRC finds that reasonable assurance of adequate protection to public health and safety will not be provided because of Y2K issues, will be inadequate in view of the 5-month time period between July 1,1999, when licensees are required to inform the NRC of the status of their Y2K remediation activities and the December 31,1999, date, when Y2K-induced problems are most likely to begin occurring.

Parts (a), (b), and (d) of the NIRS proposed rule are addressed below in Sections I, ll, Ill, IV, and V for Part 50 operating nuclear power plants, Part 50 non-power reactors, Part 50

)

decommissioning nuclear power plants, major licensees under Parts 40 and 70, and Part 30 and minor Parts 40 and 70 licensees, respectively. Part (c) of NIRS' proposed rule, conceming public access to Y2K information, is addressed for all types of licensees in Section VI.

7

l.

Part 50 Operatina Nuclear Power Plant Licensees A.

Industry and NRC Activities Addressing Y2K I

To alert nuclear facility licensees to the Y2K problem, NRC issued information Notice (IN) 96-70,

" Year 2000 Effect on Computer System Software," on December 24,1996. IN 96-70 described the potential problems that nuclear power plant computer systems and software may encounter as a result of the change to the new century and how the Y2K issue may affect NRC licensees.

IN 96-70 encouraged licensees to examine their uses of computer systems and software well before the year 2000 and suggested that licensees consider appropriate actions for examining and evaluating their computer systems for Y2K vulnerabilities.

In 1997, the nuclear industry began to assess the Y2K challenge and work with key Federal agencies to help nuclear power plant operators prepare for continued safe operations at the start of the year 2000. In July 1997, the Nuclear Utilities Software Management Group (NUSMG), a nuclear industry working group, conducted the first industry-wide workshop on Y2K readiness.

In October 1997, the Nuclear Energy Institute (NEI) and NUSMG issued a Y2K program plan guidance document, NEl/NUSMG 97-07, " Nuclear Utility Year 2000 Readiness," to all U.S.

nuclear power plant licensees. This document provides a step-by-step method to identify, test, and repair potential Y2K computer problems and contains detailed procedures and checklists for resolving Y2K issues, based on the best utility practices.

8

I l

l NEl/NUSMG 97-07 presented a strategy for developing and implementing a nuclear utility Y2K 1

program. The strategy recognizes management, implementation, quality assurance (QA) t measures, regulatory considerations, and documentation as the fundamental elements of a j

l successful Y2K project. The document contains examples currently in use by licensees'and also l

l recommends that the Y2K program be administered using standard project management techniques. The recommended components for management planning are management awareness, sponsorship, project leadership, project objectives, the project management team, the management plan, project reports, interfaces, resources, oversight, and QA. The suggested phases of implementation are awareness, initial assessment (which includes inventory, categorization, classification, prioritization, and analysis of initial assessment), detailed assessment (including vendor evaluation, utility-owned or utility-supported software evaluation, interface evaluation, and remedial planning), remediation, Y2K testing and validation, and notification.

Y2K testing is used both as an investigative tool to examine systems and components to identify Y2K problems and as a validation tool to confirm that the corrective actions have eliminated the Y2K problem. Y2K testing in support of evaluation efforts to determine whether a Y2K problem is present is performed during detailed assessments. Systems and components will then be repaired or replaced in a process known as "remediation." Y2K testing subsequent to remediation is performed to determine whether the remediation efforts have eliminated the Y2K problem and no unintended functions are introduced. Y2K testing may be performed at several levels:

Unit testing, which focuses on functional and compliance testing of a single application or software module; l

9

Integration testing, which tests the integration of related software modules and

' applications; and System testing, which tests the hardware and software components of a system.

For systems, components, and equipment classified as safety-related or critical to operations, the Y2K remediation activities include Y2K testing. On one end of the spectrum, there are the stand-alone, date-aware, microprocessor-based components that do not communicate digital information to any other devices. Properly performed bench testing of these devices, by the licensee or the vendor, coupled with software /firmware revision-level verification of the field devices as required,is adequate to establish their Y2K status. Repeating this test in the field as part of a plant-wide integrated test will not add any additional benefits related to system Y2K readiness. On the other end of the spectrum, the most highly complex systems, such as distributed control systems, may require in-plant testing of the remediated system. This testing may include a large portion of the plant equipment. However, even in this case, the maximum bounds of the test would involve the individual system being tested and the other devices and systems with which it communicates digital /date-related information.

NEl/NUSMG 97-07 specifies the QA measures that will apply to the activities in NEl/NUSMG 97-07 that apply primarily to project management and implementation. Documentation of Y2K i

)

program activities and results includes documentation requirements, project management documentation, vendor documentation, inventory lists, checklists for initial and detailed assessments, and record retention. NEl/NUSMG 97-07 also contains examples of various plans 10

and checklists as appendices that may be used or modified to meet the licensee's specific needs and/or requirements.

After issuing NEl/NUSMG 97-07, NEl conducted workshops and other means of sharing the experiences on the use of the document. In November 1997, NEl and NUSMG conducted the first in a series of industry-wide workshops on Y2K issues for project managers in charge of ensuring Y2K readiness at all operating nuclear power plants. In December 1997, NEl created an on-line bulletin board to share technical information and experiences related to testing and repairing computers and equipment.

j In January 1998, the NRC issued a draft generic letter for public comment which proposed: (1) that licensees of operating nuclear power plants be required to provide certain information I

regarding their programs that address the Y2K problem in computer systems at their facilities; and (2) to endorse the guidance in NEl/NUSMG 97-07 as one possible approach in implementing a plant-specific Y2K readiness program, if augmented in the area of risk management, contingency planning, and remediation of embedded systems [FederaIRegister j

(63 FR 4498)]. In the absence of adverse comment on the adequacy of the guidance in NEl/NUSMG 97-07, the NRC issued GL 98-01 on May 11,1998 [FederalRegister(63 FR 27607)]. In August 1998, NEl issued an industry document, NEl/NUSMG 98-07, " Nuclear Utility Year 2000 Readiness Contingency Planning," that provided additional guidance for establishing a plant-specific contingency planning process. NEl/NUSMG 98-07 addressed management controls, preparation of individual contingency plans, and development of an integrated contingency plan that allows the licensee to manage intemal and extemal risks associated with Y2K-induced events. Extemal events that should be considered for facility-specific contingency planning include electric grid / transmission / distribution system events, such as loss of off-site 11

power, grid instability and voltage fluctuations, load fluctuations and loss of grid control systems;. loss of emergency plan equipment and services; loss of essential services; and

)

depletion of consumables. NRC considers the guidance in NEl/NUSMG 98-07, when properly implemented, as an acceptable approach for licensees to mitigate and manage Y2K-induced events that could occur on Y2K-critical dates. In GL 98-01, NRC required all operating nuclear power plant licensees to submit written responses regarding their facility-specific Y2K readiness program in order to confirm that they are addressing the Y2K problem effectively. All licensees have responded to GL 98-01, stating that they have adopted a plant-specific Y2K readiness program based on the guidance of NEl/NUSMG 97-07, and the scope of the program includes identifying and, where appropriate, remediating, embedded systems, and provides for risk management and the development of contingency plans.

GL 98-01' also requests a written response, no later than July 1,1999, confirming that these facilities are Y2K ready with regard to compliance with the terms and conditions of their license and NRC regulations. Licensees that are not Y2K ready by July 1,1999, must provide a status report and schedule for the remaining work to ensure timely Y2K readiness.

As part of its oversight of licensee Y2K activities, NRC staff conducted sample audits of 12 plant-specific Y2K readiness programs. The objectives of the audits were to -

'On January 14,1999, NRC issued GL 98-01, Supplement 1, " Year 2000 Readiness of Computer Systems at Nuclear Power Plants," which provided licensees with a voluntary alternate response to that required by GL 98-01. The alternate response, also due by July 1, 1999, should provide information on the overall Y2K readiness of the plant, including those systems necessary for continued plant operation that are not covered by the terms and

~

conditions of the license and NRC regulations.

12 4

F.~

9 1

l Assess the effectiveness of licensees' programs for achieving Y2K readiness and in addressing compliance with the terms and conditions of their license and NRC i

regulations and continued safe operation.

Evaluate program implementation activities to ensure that licensees are on schedule to achieve Y2K readiness in accordance with GL 98-01 guidelines.

Assess licensees' contingency planning for addressing risks associated with events resulting from Y2K problems.

The NRC determined that this approach was an appropriate means of oversight of licensee Y2K l

readiness efforts because: (1) all licensees had committed to the nuclear power industry Y2K readiness guidance (NEl/NUSMG 97-07).i their first response to NRC GL 98-01; and (2) the audit would verify that licensees were effectively implementing the guidelines. The audit sample of 12 licensees included large utilities such as Commonwealth Edison and Tennessee Valley Authority as well as small single-unit licensees such as North Atlantic Energy (Seabrook) and Wolf Creek Nuclear Operating Corporation. The NRC staff selected a variety of types of plants j

of different ages and locations in this sample in order to obtain the necessary assurance that nuclear power industry Y2K readiness programs are being effectively implemented and that licensees are on schedule to meet the readiness target date of July 1,1999, established in GL 98-01. Also, NRC staff had not identified any Y2K problems in safety-related actuation systems as part of its audit activities.

1 in late January 1999, the NRC staff completed the 12 audits. At the conclusion of the audits, the l

NRC staff had the following observations:

13 l

Plant-specific Y2K projects based on NEl/NUSMG 97-07 began in mid to late 1997. Use of NEl/NUSMG 97-07 guidance results in an effective, structured program. The programs are generally on schedule for plants to be Y2K ready by July 1,1999. However, at some plants the licensees have scheduled some remediation, testing, and final certification for the fall 1999 outage.

Management oversight is vital for program effectiveness.

Sharing information through owners groups, utility alliances, the Electric Power Research Institute, and NEl is aiding the overall nuclear industry effort.

Independent audits and peer reviews of programs are very useful.

Safety system functions are usually not affected. There is limited computer use in safety-related systems and components.

Failures identified in embedded devices have generally not affected the functions performed but have led to errors such as incorrect dates in printouts, logs, or displays.

Central control of Y2K program activities, effective QA (including the use of existing plant procedures and controls), and independent peer reviews promote consistency across activities and improve the program.

I 14

On the basis of these audit observations, the NRC staff concluded that the audited licensees are

{

effectively addressing Y2K issues and are undertaking the actions necessary to achieve Y2K

)

readiness in accordance with the GL 98-01 target date, although some plants will have some remediation, testing, and final certification scheduled for the fall 1999 outage. The NRC staff did not identify any issues that would prevent these licensees from achieving Y2K readiness.

Licensee Y2K contingency planning efforts had not progressed far enough during the original 12 audits for a complete NRC staff review of the adequacy of implementation of the Y2K activities.

Therefore, the NRC staff is currently auditing the contingency planning efforts of six licensees different from the 12 included in the initial sample Y2K readiness audits. These audits, scheduled for completion by the end of June, will focus on the licensee's approach to addressing both intemal and extemal Y2K risks to safe plant operations based on the guidance in NEl/NUSMG 98-07.

i in addition to NRC staff activities addressed above, NRC regional staff is currently reviewing plant-specific Y2K program implementation activities at all operating nuclear power plants. The i

regional staff is using guidance prepared by NRC Headquarters staff, which conducted the 12 sample audits. These reviews are scheduled to be completed by July 1999. One of the public comments received by NRC in response to the petition indicated that the audits conducted by NRC staff are too few. On the basis of the information above, the NRC staff is reviewing the Y2K program at all operating nuclear power plants, thereby addressing this comment.

NRC staff will continue its oversight of Y2K issues at nuclear power plants through the remainder of 1999. In July 1999, the NRC staff will review alllicensee responses to GL 98-01 or its supplement and address any questions that may raise concems. On the basis of the reviews 15

of the licensee responses, findings of the additional audits and reviews, and any additional information, NRC will, by September 1999, determine the need for issuing orders to address Y2K readiness issues, including, if warranted, shutdown of a plant. At this time, NRC believes that all licensees will be able to operate their plants safely during the transition from 1999 to 2000 and does not believe that significant plant-specdic action directed by NRC is likely to be needed.

As discussed above, GL 98-01 set a date of July 1,1999, for licensees to submit information on their efforts to complete their plant-specific Y2K program. The July 1,1999, date was selected to ensure that there would be adequate time for the Commission to determine what additional regulatory action, if any, would be necessary to ensure that Y2K problems will not threaten adequate protection to public health and safety. The 5-month period for NRC review and evaluation of the adequacy of the licensees' responses is sufficient to allow the NRC to take appropriate action, including (if necessary) the issue of immediately effective orders directing shutdown or other appropriate action if the Commission finds that there is insufficient assurance that a licensee will be Y2K ready such that all license conditions and relevant NRC regulations:

are met.

2These regulations are -

10 CFR 50.36, " Technical Specifications," paragraph (c)(3), " Surveillance requirements," and paragraph (c)(5), " Administrative controls."

10 CFR 50.47, " Emergency Plans," paragraph (b)(8).

Appendix B to 10 CFR Part 50, Criterion lil, " Design Control," and Criterion XVil, " Quality Assurance Records."

Appendix E to 10 CFR Part 50, Section VI, " Emergency Response Data System."

Appendix A to 10 CFR Part 50, General Design Criterion (GDC) 13,

=

" Instrumentation and Control"; GDC 19, " Control Room"; and GDC 23,

" Protection System Failure Modes."

16

i-NIRS presents no information or argument why these above actions by the licensees and the inspection, auditing, and oversight activities of the NRC are insufficient to address Y2K problems, such that actions required in NIRS' proposed rule are necessary.

B.

The Need for Y2K " Compliance," as Opposed to " Readiness" NIRS' proposed rule would require that nuclear power plants be shut down by December 1, 1999, unless licensees demonstrate that Y2K compliance has been achieved. However, NIRS has not explained why "Y2K compliance," as opposed to "Y2K readiness," is necessary. "Y2K compliant" is generally understood as referring to computer systems or applicatioris that accurately process date/ time data (including but not limited to calculating, comparing, and sequencing) from, into, and between the 20th and 21st centuries, the years 1999 and 2000, and leap-year calculations. "Y2K ready" is generally understood as referring to a computer system or application that has been determined to be suitable for continued use into the year 2000 even j

though the computer system or application is not fully Y2K compliant. For "Y2K ready" systems, licensees may have to rely upon workarounds and other activities to ensure that the systems, components, and equipment function as intended. Prudence might lead to Y2K compliance as an objective for remedial activities in order to reduce licensee costs of implementing workarounds and other activities in the interim until full Y2K compliance is achieved. However, protection of public health and safety does not necessitate establishment of Y2K compliance as a regulatory requirement, and failure to achieve compliance should not require plant shutdown, so long as Y2K readiness is achieved. Accordingly, the NRC does not believe that a rule that requires Y2K compliance, or Y2K readiness, is appropriate or necessary for ensuring i

reasonable assurance of adequate protection at nuclear power plants after December 1,1999.

17

c-C.

Limited Susceptibility of Nuclear Power Plant Systems to Y2K Problems NRC audits and reviews indicate that most nuclear power plant systems necessary for shutting down the reactor and maintaining it in a safe shutdown condition are not susceptible to Y2K problems. The majority of commercial nuclear power plants have protection systems that are analog rather than digital. Because Y2K concems are associated with digital systems, analog reactor protection system functions are not affected by the Y2K issue. Errors such as incorrect dates in printouts, logs, or displays have been identified by licensees in safety-related devices, but the errors do not affect the functions performed by the devices or systems. Most Y2K issues are in balance-of-plant and other systems that have no direct functions necessary for safe operation of the reactor.

Wdh respect to safety systems using digital electronics that are necessary for performing safe-shutdown and maintaining the reactor in a safe shutdown condition, licensees are undertaking the NEl/NUSMG 97-07 and NEl/NUSMG 98-07 processes described above for addressing Y2K problems. With respect to balance-of-plant systems, licensees implementing their plant-specific Y2K program are classifying important balance-of-plant and other non-safety-related systems (such as those that support continued plant operations, provide information and aid to the plant operators like sequence-of-events monitoring for tracking post-shutdown status of plants, and whose failure could lead to a plant transient or trip) as " mission-critical" or "high." Systems and equipment classified as mission-critical or high, when found to be Y2K susceptible during the assessment stage of the Y2K program, are also scheduled to be remediated similar to safety-related systems.

18

4 F

in sum, the NRC believes that the actual scope of plant systems necessary to provide reasonable assurance of adequate protection to public health and safety, which are potentially susceptible to Y2K problems, is relatively limited and that the licensees' current activit s are sufficient to ensure that Y2K problems will not adversely affect safety-related or balance-of-plant systems.

D.

Public Comments One public comment in support of the NIRS petition stated that embedded chips are difficult to

)

identify and the effects of their failures are poorly understood, especially in the U.S. power grid.

When the NRC staff was developing GL 98-01, it recognized that embedded systems pose a potential Y2K problem that must be recognized and addressed in any successful Y2K effort.

Accordingly, GL 98-01 informed licensees that Y2K programs should be augmented to address remediation of embedded systems. Licensees have stated in their responses to the generic letter that embedded systems are being addressed in their Y2K programs, and these statements have been confirmed by NRC audits to date. NRC understands that the electric utilities j

i providing power to the grid have similar efforts underway that are being monitored by the North American Electric Reliability Council.

One public comment in support of the petition indicated that the rule should require nuclear i

I power plants to shut down 6 months before the end of the 1999 to allow a safe period of time to l

shut down the plant. The NRC does not agree that it takes 6 months to safely shut down a plant. Under normal conditions, it takes several hours to safely shut down a nuclear power plant by reducing reactor power gradually. However, in an emergency, the reactor can be shut down safely within seconds, either automatically or manually. The reactor will be shut down 19

automatically by the reactor protection system upon the sensing of an unusual condition.

Moreover, the operator always has the capability to manually shut down the reactor using the reactor protection system. Accordingly, the NRC does not agree that it is necessary to shut down nuclear power plants 6 months before the end of 1999 in order to ensure a safe shutdown of the plants.

A commenter in favor of the petition stated that the Y2K problem could increase the chance of a meltdown. However, the commenter did not provide any basis for this assertion. The NRC disagrees with the commenter. Safety functions performed by the reactor protection system for shutting down the reactor and by the engineered safety features actuation for mitigating accidents, cooling down the reactor, and providing emergency power to safety systems upon a loss of offsite power are not affected by the Y2K problem. Although there is some concem that the reliability of the offsite power sources may be lower during the Y2K transition, if a loss of offsite power were to occur because of Y2K, the plant would trip automatically because all nuclear plants are designed for such an event. The emergency onsite power supply system would provide power to the safety system equipment automatically. This sequence of events is not affected by the Y2K problem because all these safety systems do not rely upon computer-operated systems or components that are date-sensitive. For these reasons, the NRC disagrees that a Y2K problem could increase the probability of a core melt accident at a nuclear power plant.

One public comment in support of the petition indicated that the audits conducted by NRC staff are too few. The NRC has responded to this comment in section I.A.

20

9 E.

Summary The NRC believes that licensees' Y2K activities and programs, considered together with NRC oversight activities, provide a reasonable approach for ensuring that Y2K problems will not pose an unreasonable threat to public health and safety. NIRS has not explained why this regulatory approach will not provide reasonable assurance of adequate protection from any potential Y2K-initiated problems at operating nuclear power plants, such that the rule proposed by NIRS is necessary.

II.

Part 50 Non-Power Reactor Licensees NRC used several methods to inform all non-power reactor (NPR) licensees of the need to ensure that their facilities are ready for the year 2000.

In 1996, NRC staff contacted all NPR licensees informing them of a potential for problems in systems either controlling or supporting the reactor because of Y2K issues. In December 1996, i

NRC issued IN 96-70 to alert nuclear facility licensees to the Y2K problem. IN 96-70 described the potential problems that nuclear power plant computer systems and software may encounter as a result of the change to the new century and how the Y2K issue may affect NRC licensees.

IN 96-70 encouraged all licensees to examine their uses of computer systems and software well 4

before the year 2000. IN 96-70 also suggested that licensees consider appropriate actions for examining and evaluating their computer systems for Y2K vulnerabilities.

NRC also coordinated with the Organization of Test, Research and Training Reactors (TRTR) to distribute information about the Y2K problem through TRTR newsletters. These newsletters 21

were distributed to all members of the organization to focus attention on the Y2K problem and related ongoing activities. The staff at all 37 licensees with operating reactors receive copies of the TRTR newsletter. The TRTR newsletters articles included "Concems about the Millennium,"

February 1997; " Year 2000 Concems," February 1998; "NRC Response on Year 2000," May 1998; "More on the Y2K lasue," August 1998; and "Another Y2000 Notice," November 1998.

NRC staff has confirmed through several telephone conversations and discussions during inspections that all licensees of operating reactors are aware of the Y2K concems and have ongoing actions to be Y2K ready by the end of the year or sooner.

Since 1998, while conducting inspections of NPR facilities, the NRC staff is also verifying that licensees are addressing the Y2K problem with regard to reactor safety. NRC staff has inspected about 50 percent of the operating reactors and intends to complete the inspections of all operating NPRs by October 1999. These inspections will verify that the licensees have programs to deal with Y2K and that all digital safety equipment at these facilities are considered in the program. Moreover, most institutions that operate the NPRs have their own Y2K programs that include the NPRs.

The safety systems at most operating reactors are analog systems that are not affected by the Y2K problem. Several operating reactors have digital safety equipment that provides instrument indication to the facility operator that is part of the licensee's Y2K program. Also, seven of these reactors have digital reactor protection system functions also considered in the licensee's Y2K program. These systems operate in parallel with the analog reactor protection systems, which are not affected by Y2K. Also, the digital systems initiate reactor scrams in case of a malfunction in the digital equipment. The analog systems generally provide the required reactor safety functions. The analog systems are independent of the digital equipment and have built-in 22

i k

redundancy to ensure that the reactor scrams. The power levels of these reactors are low (up i

to a maximum of 2 MWt) and many of them operate at low temperatures in relatively large pools q

I of water. The only safety function that is generally required is for the reactor to scram. Thus, the Y2K concern poses very low risk. NIRS does not explain why the licensees' Y2K program activities and NRC's oversight of the licensees' implementation of the programs are inadequate j

i such that the rule proposed by NIRS is necessary to provide reasonable assurance of adequate protection.

i

{

111.

Part 50 Decommissionina Nuclear Power Plant Licensees I

The suggested rule language in the petition would require that all facilities not compliant with Y2K issues be shut down by December 1,1999. Nuclear power plants that are permanently shutdown with fuel removed from the reactor core would, therefore, not be subject to the rule as j

proposed by NIRS. However, since the purpose of the proposed rule appears to be directed to ensuring that Y2K problems at all nuclear power plants - both operating and decommissioning

-will not pose a threat to public health and safety, the following discussion on the activities for addressing the Y2K problem at decommissioning nuclear power plants is provided.

There are two potential radiological health and safety concems with respect to Y2K problems at decommissioning plants: (1) spent fuel storage, including site security; and (2) the actual conduct of dismantlement and decommissioning activities. Of greater concem is the spent fuel storage. The concems in this area relate to providing sufficient cooling to the spent fuel and providing sufficient security against diversion and sabotage of the spent fuel. There are 21 decommissioning nuclear power plants that have been shut down more than a year,6 of which have had spent fuel removed from the site. Accordingly, there are only 15 decommissioning 23

nuclear power plants where spent fuel storage is of concern. Although licensees for all of these facilities are implementing Y2K programs, it is unlikely that Y2K problems would pose a significant problem to providing sufficient spent fuel cooling. First, electrical and makeup water systems for spent fuel pools are not computer-controlled. Moreover, even if there was an interruption in electrical power, there is a long time period for the licensee to respond to the problem before integrity of the spent fuel rods becomes an issue because sufficient time is available to take compensatory action before boiling starts. The spent fuel pool is conservatively estimated (based on the Zion _ units) to begin boiling 68 hours7.87037e-4 days <br />0.0189 hours <br />1.124339e-4 weeks <br />2.5874e-5 months <br /> after loss of the spent fuel pool cooling system. Boiling does not become a concern until the fuel rods begin to be uncovered by boil-off of cooling water. Since fuel rods are normally covered by 23 feet of water (for purposes of shielding), and it would take approximately two weeks or more to begin uncovering the spent fuel rods (assuming that no make-up water is added to the pool), the NRC believes that there is sufficient time to recover electrical power and/or provide makeup water to prevent the fuel rods from uncovering.

The other threat to spent fuel is diversion and sabotage. Licensees of decommissioning reactors are taking steps to ensure that Y2K problems will not disable necessary security and safeguards systems and controls. Licensees with computer-based site security systems that have been identified as potentially Y2K vulnerable have tested the system for Y2K, upgraded the system to be Y2K compliant, or will make the system Y2K compliant before the end of 1999.

With respect to the safety of conducting dismantiemer,t and decommissioning activities, the NRC does not believe that these activities are subject to Y2K problems that would pose a threat to public health and safety because the conduct of these activities in the field do not rely upon computer-controlled devices to ensure protection against radiological dangers.

24

In sum, licensees of decommissioning nuclear power plants are implementing Y2K activities that address equipment and systems important to safety, such that there is reasonable assurance of adequate protection to public health and safety.

IV.

Maior Parts 40 and 70 Licensees To alert major Parts 40 and 70 licensees of the potential Y2K problem, NRC issued information Notice (IN) 96-70, " Year 2000 Effect on Computer System Software," dated December 24,1996.

IN 96-70 described the potential Y2K problems, encouraged licensees to examine their uses of computer systems and software well before the year 2000, and suggested that licensees consider appropriate actions to examine and evaluate their computer systems for Y2K vulnerabilities.

In order to gather Y2K information regarding materials and major fuel cycle facilities, NRC formed a Y2K Team within the Office of Nuclear Material Safety and Safeguards (NMSS) in 1997. From September 1997 through December 1997, this NMSS Y2K Team visited a cross-section of materials licensees and fuel cycle facilities and conducted Y2K interviews. Each licensee or facility visited by the team indicated that they were aware of the Y2K issue and were in various stages of implementing their Y2K readiness program.

On June 22,1998, the NRC staff issued Generic Letter (GL) 98-03, "NMSS Licensees' and Certificate Holders' Year 2000 Readiness Programs." This GL requested major Parts 40 & 70 licensees to submit by September 20,1998, written responses regarding their facility-specific Y2K readiness program in order to confirm that they were addressing the Y2K problem effectively. All licensees responded to GL 98-03 by stating that they have adopted a facility-25

specific Y2K readiness program and that the scope of the program included identifying and, where appropriate, remediating, hardware, software, and embedded systems, and provided for risk management and the development of contingency plans.

GL 98-03 also requested a written response, no later than December 31,1998, which confirmed that these facilities were Y2K ready or provided a status report of work remaining to be done to become Y2K ready, including completion schedules. All licensees provided a second response to GL 98-03, which identified work remaining to be done, including completion schedules.

Furthermore, following the second response, NRC requested a third written response, no later than July 1,1999, which would confirm that these facilities are Y2K ready or would provide an updated status report.

On August 12,1998, IN 98-30, "Effect of the Year 2000 Computer Problem on NRC Licensees and Certificate Holders," provided licensees additional information on the Y2K issue. IN 98-30 provided definitions of "Y2K ready" and "Y2K compliant," encouraged licensees to contact vendors and test their systems for Y2K problems, and described elements of a Y2K readiness program.

I Between September 1997 and October 1998, the major Parts 40 & 70 licensees were also asked Y2K questions during other inspections. Based on these Y2K inspections, the licensees were aware of the Y2K problem and were adequately addressing Y2K issues. There have been no identified risk-significant Y2K concems for major Parts 40 & 70 licensees.

1 NIRS' proposed rule would require that licensees be shutdown by December 1,1999, unless licensees demonstrate that "Y2K compliance" has been achieved. However, NIRS has not 26

explained why "Y2K compliance" as opposed to "Y2K readiness" is necessary. NIRS asserted that NRC has not made explicit how it will define "Y2K compliance." However, NRC explicitly defined the terms "Y2K ready" and "Y2K compliant" in GL 98-03. "Y2K ready" was defined as a computer system or application that has been determined to be suitable for continued use into the year 2000, even though the computer system or application is not Y2K compliant. "Y2K compliant" was defined as a computer system or application that accurately processes date/ time data (including, but not limited to, calculating, comparing, and sequencing) from, into, and between the years 1999 and 2000, and beyond, including leap-year calculations. Thus, by definition, systems that are "Y2K ready" are able to perform their functions properly. There is no discemable safety reason why achieving Y2K readiness rather than Y2K compliance should result in facility shutdown. Accordingly, there is no basis for requiring facility shutdown if a licensee cannot demonstrate Y2K compliance.

NIRS presents no information or argument why those above actions by the licensees and NRC are insufficient to address Y2K problems such that reasonable assurance of adequate I

protection will not be provided after December 1,1999, such that facility shutdown is necessary.

V.

Part 30 and Minor Parts 40 and 70 Licensees To alert Part 30 and minor Parts 40 and 70 licensees, the NRC issued ins 96-70 and 98-30, which have been discussed in Section IV, " Major Parts 40 and 70 Licensees."

In addition to the efforts by the NMSS Y2K Team to gather information regarding materials licensees and major fuel facilities from September through December 1997, discussed under Section IV, NMSS staff also conducted telephone interviews with device manufacturers and 27

distributors. Further, NRC determined that few of approximately 5,800 materials licensees use processes or have safety systems that are computer-controlled, thus minimizing potential Y2K impacts. The interviews and site visits confirmed that licensees were identifying and addressing potential Y2K problems.

From the interviews conducted by the NMSS Y2K Team, NRC leamed that early versions of some treatment planning systems (computer systems for calculating dose to medical patients being treated with radiation or radioactive material) have Y2K problems and that upgrades for treatment planning systems were available. However, treatment planning systems are regulated by the U.S. Food and Drug Administration (FDA) and not by NRC because the systems do not contain licensed material. NRC has shared information on non-Y2K-compliant treatment -

planning systems with the FDA. For materials licensees, the NMSS Y2K Team did not identify any Y2K issues for NRC-regulated material. As a result of the interviews and site visits, NRC's focus has been to determine if any commercially available devices (medical and industrial) have potential Y2K vulnerabilities and to ensure that licensees evaluate self-developed. systems, commercial off-the shelf software and hardware, and safety systems.

In addition to Y2K interviews, materials inspectors have been instructed to confirm receipt of NRC's information notices, determine whether the licensees have identified any potential problems associated with the Y2K issue, and note ar)y corrective actions taken by the licensees.

Through the routine inspection process, NRC has made assessments of the Y2K status of its materials licensees and continues to do so. To date, only the treatment planning systems described above, dose calibrators, and a tote position display for an irradiator have been identified through the inspection process as having Y2K problems. NRC materials inspectors have indicated that licensees are aware of available upgrades for treatment planning systems 28

n and dose calibrators. The irradiator tote position display is not a safety system. Further, the irradiator tote position display system that had the Y2K problem was a one-of-a-kind modification made by the licensee (the licensee was authorized by NRC to make the modification). The irradiator licensee is updating the tote position display system to eliminate the Y2K problem. No generic Y2K issues for NRC-reguiated material used by materials licensees have been identifed.

NIRS asserted that NRC has not made explicit what it plans to do about those facilities that cannot prove compliance. As discussed in Section IV,

  • Major Parts 40 and 70 Licensees" above, NIRS has not explained why "Y2K compliance" as opposed to "Y2K readiness" is necessary.- Furthermore, Y2K readiness is not required for protection of public health and safety for Part 30 and minor Parts 40 and 70 licensees due to the amount and type of licensed material used by them. The risks to the public from these facilities are low. In addition, NRC has determined that few of the approximately 5,800 materials licensees use processes or have safety systems that are computer-controlled, thus minimizing potential Y2K impacts.

Accordingly, there is no basis for requiring facility shutdown if a licensee cannot demonstrate "Y'2K compliance."

NIRS presents no information or argument why those above actions by the licensees and NRC are insufficient to address Y2K problems such that reasonable assurance of adequate

. protection will not be provided after December 1,1999, such that facility shutdown is necessary, i

29

VI.

Public Information NIRS requested in item (c) of its petition that NRC adopt regulations that would require that licensees make available to the public by December 1,1999, all information related to the examination and repair, modification, and/or replacement of ali computer systems, embedded chips, and other electronic equipment that may be date-sensitive. NIRS indicated that this rule l

provision is necessary in order to allow " independent experts" and the public to examine this information.

The NRC has already made available to the public substantial information on Y2K and the status of licensees' activities to address potential Y2K problems and will continue to make this information public. The audit reports of the NRC staff reviews of the 12 nuclear power plant-specific Y2K readiness project activities and documentation are publicly available both in the Public Document Rooms and the NRC Year 2000 Web site. The Y2K readiness information submitted by nuclear power plant licensees under GL 98-01 will be made available to the public when they are submitted in July 1999, as with any other correspondence that is received from licensees. The reports documenting the NRC staff audits of the six nuclear power plant-specific contingency planning activities and the results of the facility-specific Y2K program reviews of all operating nuclear power plants will also be made available to the public. The NRC inspection reports with Y2K information from Parts 30,40, and 70 licensees and the licensees' responses to GL 98-03 have been placed in the PDR. Summaries of (1) inspection reports with Y2K information, (2) GL 98-03 responses, and (3) interviews with a cross-section of materials and fuel cycle licensees on Y2K issues are available on the NRC Year 2000 Web site.

30 l

In view of the information that has been made available and will be made available to the public.

NIRS has not provided any basis for requiring licensees, by rule, to provide public access to Y2K information beyond that which the NRC has determined must be submitted to the NRC in furtherance of the NRC's regulatory oversight.

Conclusion The rule proposed by NIRS is not needed because the Commission has determined that the activities taken by licensees to implement a systematic and structured facility-specific Y2K readiness program, together with the NRC's oversight of the licensees' implementation of these l

Y2K readiness programs, provide reasonable assurance of adequate protection to public health and safety.

For these reasons, the Commission denies the petition.

l Dated at Rockville, Maryland, this day of

.1999.

For the Nuclear Regulatory Commission.

1 Annette L. Vietti-Cook, Secretary of the Commission.

31 I

o f.

r o -

f l

t l

l 1

l l

ATTACHMENT 1-B i

i I

FederalRegisterNotice 50-66 Nuclear Information and Resource Service; Petition for Rulemaking Denial l

l i

I I

t

[7590-01-P]

NUCLEAR REGULATORY COMMISSION I

10 CFR Part 50 l

l

[ Docket No. PRM-50-66) l i

Nuclear Information and Resource Service; Petition for Rulemaking Denial l

l AGENCY: Nuclear Regulatory Commission.

L l

ACTION: Petition for rulemaking; denial.

SUMMARY

The Nuclear Regulatory Commission (NRC) is denying a petition for rulemaking (PRM-50-66) from the Nuclear Information and Resource Service (NIRS). The petitioner requested that NRC amend its regulations to require licensees of operating nuclear power plant facilities to conduct a full-scale emergency planning exercise that involves coping with a date-sensitive, computer-related failure resulting from a Year 2000 (Y2K) issue. The petitioner i

requested that NRC take this action to ensure that licensees of nuclear facilities have developed and can implement adequate contingency and emergency plans to address potential major system failures that may be caused by a Y2K computer problem. NRC is denying the petition because the Commission has determined that the actions taken by the licensees to implement systematic and structured Y2K readiness contingency plans for critical Y2K dates in concert with existing required emergency response plans and procedures, and NRC's oversight of the

licensees' implementation of these Y2K readiness contingency plans provide reasonable assurance of adequate protection to public health and safety.

~ ADDRESSES: Copies of the petition for rulemaking, the public comments received, and the NRC's letters to the petitioners are available for public inspection or copying in the NRC Public Document Room,2120 L Street, NW. (Lower Level), Washington, DC, as well as NRC's rulemaking web site at http://ruleforum.llnl. gov.

FOR FURTHER INFORMATION CONTACT: Matthew Chiramal, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, telephone 301-415-2845, E-mail address mxc@nrc. gov.

SUPPLEMENTARY INFORMATION:

Background

NRC received three related petitions for rulemaking (PRM-50-65, PRM-50-66, and PRM-50-67),

each dated December 10,1998, submitted by the NIRS conceming various aspects of Y2K 1

issues and nuclear safety. This petition (PRM-50-66) requested that NRC adopt regulations that would require facilities licensed by NRC under 10 CFR Part 50 to develop and implement adequate contingency and emergency plans to address potential system failures. The first petition (PRM-50-65) requested that NRC adopt regulations that would require facilities licensed by NRC under 10 CFR Parts 30,40,50, and 70 to be Y2K compliant. The third petition 2

i s

i (PRM-50-67) requested that NRC adopt regulations that would require facilities licensed by NRC under 10 CFR Parts 50 and 70 to provide reliable sources of backup power.

Because of the nature of these petitions and the date-specific issues they address, the petitioner requested that the petitions be addressed on an expedited schedule.

On January 25,1999, NRC published a notice of receipt of this petition for rulemaking in the Federa/ Register (64 FR 3791). It was available on the NRC's rulemaking web site and NRC Public Document Room. The notice of receipt of petition for rulemaking invited interested persons to submit comments by February 24,1999.

The Petition The petitioner requested that NRC adopt the following text as a rule':

"All licensees subject to 10 CFR Part 50 and Appendix E will conduct a full-scale emergency planning exercise (as normally required under 10 CFR 50.47) during 1999. This exercise shall include a component that includes failure of one or more computer or other digital systems (this is popularly known as the "Y2K bug")

on January 1,2000, or other relevant date. Licensees that do not conduct, or that fail, this exercise shall close their facilities licensed under this Part by

' in preliminary discussion, the petitioner stated, "We also believe that other major fuel cycle facilities should be subject to a similar rule." However, the petitioner provided no supporting reasoning, no regulatory text, and no specific request that NRC adopt such a rule. Therefore, NRC has considered only the specifically requested rule language.

3

T December 1,1999, until such time as the licensees have conducted a successful exercise.

NRC shall publish and provide to each licensee, within 30 days of the date of this rule, a Regulatory Guide that outlines potential emergency exercise scenarios.

NRC shall publish and provide to each licensee, by December 1,1999, a Regulatory Guide that describes the various scenarios that have been undertaken and the successful (and unsuccessful) responses to the problems posed" The petitioner stated that although the probability of the occurrence of Y2K-related events that would require emergency response and the implementation of contingency plans is unknown, it would fall within the range of safety matters for which NRC requires emergency planning exercises. Furthermore, the petitioner asserts that addressing Y2K-related problems will require the use of potentially unfamiliar contingency plans, relying on ingenuity to circumvent failure of essential communications system's or failure of offsite emergency responders to perform their tasks effectively and coping with issues not normally tested during emergency exercises.

. The petitioner considers it prudent to require each licensee to conduct an exercise and that each exercise address a different aspect of the Y2K problem. The petitioner suggested that some exercises should test problems initiated by Y2K-related failures and that others should test problems exacerbated by Y2K-related failures. The petitioner believes that this approach would provide some familiarity with the possible range of issues that could develop and create an overall industry capability to effectively address potential Y2K problems.

4

.i Under the petitioner's suggested regulation, the licensees would develop exercise scenarios that would be approved by NRC in an expedited fashion, and NRC would publish and distribute regulatory guides that would outline potential emergency response scenarios and describe the scenarios that were tested and the successful responses to the problem posed.

The petitioner stated that these actions would provide reasonable assurance that nuclear power plant licensees have developed and can implement adequate contingency and emergency plans to address major system failures that may be caused by the Y2K problem.

Public Comments on the Petition In response to this petition, NRC received 64 comment letters, including i letter signed by 25 citizens from the State of Michigan,3 from nuclear associated industries,11 from utilities,13 from private organizations,1 from the State of Illinois Department of Nuclear Safety, and 35 from private citizens.

Forty-six letters supported the petition,- of which 13 were from private organizations, 32 were from private citizens, and one which was signed by 25 citizens of the State of Michigan. Thirty-nine of these 46 letters communicated a brief statement in support of the petition. Seven of the 46 letters,' of which 3 were from private individuals and 4 were from private organizations, discussed reasons for supporting the petition.

i In some letters, support of the petition was based on belief that actual emergency response exercises will provide invaluable information in addressing Y2K issues because of the j

1 O

i

complexity of Y2K issues and the lack of experience of licensees of nuclear facilities in responding to such an event.

Others letters stated that all emergency plans rely heavily on offsite sources of help, such as police, fire, and other essential services, but that these services, as well as critical communications entities, may also be vulnerable to the Y2K problem if they are not properly assessed, remedied, and tested. Some letters cited numerous problems that have occurred in previous emergency planning exercises, irrespective of the Y2K problem. An example stated was the Pilgrim exercise of December 13,1995, in which the Boston Edison Company was unable to communicate to the proper authorities. Other examples cited the occurrence of lost electrical buses. Some letters communicated the importance of testing and retesting for every conceivable contingency.

Eighteen letters opposed the petition, of which 3 were from private citizens,3 were from nuclear associated industries, one was from the State of Illinois Department cf Nuclear Safety, and 11 were from utilities. The letters opposing the petition stated that the additional emergency planning exercise suggested by the petition is not needed to ensure public health and safety.

These letters indicated that NRC analysis and industry testing have confirmed that safety systems will function to shut down a reactor if required, that licensees and NRC are developing contingency plans for key Y2K rollover dates, and that these contingency plans will evaluate specific risk factors and, where appropriate, pro, vide mitigation strategies to allow continued safe operation. These letters stated that this effort provides a rational review and systematic approach to issues that could affect the continued safe operation of a plant within the conditions 6

y I.

e of its license, which the commenters believe is a more effective approach for ensuring that plants continue to operate and meet commitments.

l Reasons for Denial l

l I

Pursuant to 10 CFR 50.47, " Emergency Plans"; 10 CFR 50.54, " Conditions of Licenses,"

(

paragraphs (q), (s), and (t); and Appendix E to 10 CFR Part 50, nuclear facilities are required to l

provide emergency response capabilities that take into account a variety of circumstances and challenges, to exercise their plans periodically to develop and maintain key skills of involved personal, and to identify deficiencies in the emergency plan and personnel and take appropriate actions to correct identified deficiencies. In accordance with 10 CFR 50.54(q), nuclear power reactor licensees are required to follow and maintain in effect emergency plans that meet the l

planning standards in 10 CFR 50.47(b) and the requirements of Appendix E to Part 50. In part, licensees are required to train and test their organization and associated equipment to ensure that under all conditions and contingencies, such as power outages and computer and i

communication failures, appropriate emergency response is available and effective in an emergency.

To accomplish these requirements, licensees conduct numerous exercises and drills i

throughout the year. Inherent in the nature of emergency response is the realization that in an emergency, equipment may fail, loss of power may occur, personnel may not be available, and weather conditions may cause the emergency or escalate it. It is typical that, in the development of scenarios for exercises and drills, as well as in employee training programs, communication links, plant computers, and display and monitoring equipment are "out of 7

service" or " fail" at inappropriate times; ' The staff commonly oversees exercises that include these types of problems and the licensee's staff benefits from having to work around this training obstacle when a particular approach has been blocked. The staff has observed licensees resorting to manual and backup systems to respond effectively and overcome'such obstacles.

In terms of the effects of the Y2K problem, the staff believes that the Y2K problem is not unique

-it is a software error. Although the cause of computer and equipment failure may be different under Y2K, the result and the expected response are the same as situations encountered during many previous emergency exercises and drills. Therefore, there is no need to require licensees to conduct additional exercises to test specifically for potential Y2K failures.

i in addition to existing emergency response plans, licensees of operating nuclear power plants and decommissioning power plants where spent fuel is stored at the plant site are preparing and implementing Y2K contingency plans as part of the plant-specific Y2K program. Operating nuclear power plant-specdic Y2K contingency plans are based on the guidance in Nuclear Energy institute / Nuclear Utilities Software Management Group NEl/NUSMG 98-072,

  • Nuclear Utility Year 2000 Readiness Contingency Planning," dated August 1998, which provides a process and a method for preparing and implementing a facility-specific integrated contingency plan that considers specific risks from intemal and extemal sources. The Y2K contingency plans are generally built upon existing contingency activities (such as emergency preparedness, 2 NEl/NUSMG 98-07 was preceded by NEl/NUSMG 97-07, " Nuclear Utility Year 2000 Readiness," dated October 1997, which presented a strategy for developing and implementing a nuclear utility Y2K program.

8

)

disaster recovery, storm damage restoration, grid restoration, and station blackout) and plant I

emergency procedures, coupled with the consideration that potential Y2K-related failures could affect many systems and components. Among the extemal events that are considered for contingency planning are-J the loss of emergency plan equipment and services: pagers, radios, sirens and

=

meteorology information, and

)

the loss of essential services: telephone, microwave, water, satellites, networks, J

security, police, and fire-fighting capability, The need for simulated exercises, development of special procedures, and Y2K contingency plan specific training is considered in the Y2K contingency planning procesc Contingency plan verification is included in NEl/NUSMG 98-07 guidelines to provide confidence that the plans can be executed as intended. The contingency planning efforts, as outlined in NEl/NUSMG 98-07, provide additional training, staffing, and material procurement for occurrences that could happen at any time but that have a higher probability of occurring during the critical Y2K-related dates.

Licensees and NRC are currently developing contingency plans for critical Y2K rollover dates.

. These contingency plans evaluate specific risk factors and, where appropriate, provide mitigation strategies to cope with plant-specific effects of the most probable and serious failures that might be initiated or exacerbated by the Y2K problem.

1 On May 11,1998, NRC issued Generic Letter (GL) 98-01, " Year 2000 Readiness of Computer Systems at Nuclear Power Plants." in GL 98-01, NRC requested that all operating nuclear 9

power plant licensees submit written responses regarding their facility-specific Y2K readiness programs in order to obtain confirmation that licensees are addressing the Y2K problem effectively. All licensees have responded to GL 98-01, stating that they have adopted plant-specific programs that are intended to make the plants Y2K ready by July 1,1999. These programs are pattemed on industry guidelines (NEl/NUSMG 97-07, " Nuclear Utilities Year 2000 Readiness") that have been found acceptable by NRC. GL 98-01 also requests a written response, no later than July 1,1999, confirming that these facilities are Y2K ready, including contingency planning. Licensees who are not Y2K ready by July 1,1999, must provide a status report and schedule for the remaining work to ensure timely Y2K readiness.

NRC considers the guidance in NEl/NUSMG 98-07, when properly implemented, as an acceptable approach for licensees to mitigate and manage Y2K-induced events that could occur on Y2K-critical dates.

As part of its oversight of licensee Y2K progr'am activities, NRC staff is currently auditing the contingency planning effort of six licensee facilities. These audits will be completed during June 1999. These audits will focus on the licensee's approach to addressing both intemal and extemal Y2K risks to safe plant operation, based on the guidance in NEl/NUSMG 98-07. The audits at these facilities will examine in detail back-up measures the utilities have in place to deal with possible Y2K problems, either on site or off site, including problems with the loss of emergency plan equipment and services (pagers, radios, sirens, and meteorology), the loss of essential services (telephone, microwave, water, satellites, networks, security, police), and the failure of the offsite emergency responders to perform their task effectlyely.

10

Additionally, NRC regional sta# is currently reviewing Y2K activities at all operating nuclear power plants to verify the status of licensee efforts to ensure that all plants will be able to function safely on January 1,2000, and beyond. The reviews will: (1) verify that all NRC licensees have implemented Y2K program activities; (2) evaluate the progress they have made to ensure that they are on schedule to achieve Y2K readiness; and (3) assess their contingency plans for addressing Y2K-related issues. The regional staff is using guidance prepared by the NRC Headquarters staff that is based on NRC GL 98-01, NEl/NUSMG 97-07, and NEl/NUSMG 98-07. These reviews are scheduled to be completed by July 1999.

The offsite components of emergency preparedness and response, which are the responsibility of States, counties, and municipalities, are already utilized by those govemmental entities to address a wide range of events (e.g., grid failures, tomadoes, floods, hurricanes, snowstorms, industrial accidents). These events often involve widespread loss of normal capabilities and services (e.g., loss of electricity and telephone service, blocking of roads) coupled with the need for a multi-capability response. NRC is also working closely with the Federal Emergency Management Agency (FEMA) on its plans to conduct Y2K workshops for the State and local radiological emergency preparedness community. NRC and nuclear facilities licensees will participate in these workshops. NRC is an active member of the Emergency Services Sector Working Group for Y2K, which is headed by FEMA. In addition, to facilitate Agreement State efforts to address the Y2K issue, a link to State Govemment Year 2000 Web sites has been j

provided by the NRC. NRC will make every effort to share with the States any Y2K issue that j

i may also affect Agreement States or Agreement State licensees.

11

NIRS has not explained why the approach currently being pursued by the licensees, the nuclear industry, and NRC does not provide reasonable assurance of adequate emergency response capabilities during the transition from 1999 to 2000.

In the case of research and training / test reactors, licensees of these facilities also have established programs to evaluate and correct Y2K deficiencies. Many research reactors will be shut down on Jainuary 1,2000, as the institutions operating them (e.g., universities and laboratories) will be closed for the holiday. Further, these reactors often have passive safety features and low power levels, which ensure minimal potential offsite consequences. In addition, NRC staff concluded that any research reactor in operation on January 1,2000, could be readily shut down manually using emergency procedures and existing shutdown systems, even if their operational systems should experience a Y2K problem.

Conclusion Plant-specific industry planning for Y2K contingencies, which is built upon existing emergency response plans and procedures required by the current emergency preparedness regulations, provides a reasonable assurance that adequate protection measures will be taken in the event of radiological emergency during Y2K critical dates. Imposing a new prescriptive rule as proposed in the petition in an area in which the industry action is already exceeding the actions that address the petitioner's general issues would be counterproductive to the ongoing Y2K readiness efforts of the licensees. Therefore, the additional full-scale emergency planning exercise requested by the NIRS is not necessary to ensure emergency response capabilities to 12

+

provide reasonable assurance of adequate protection to public health and safety despite the occurrence of Y2K problems.

i For these reasons, the Commission denies the petition.

Dated at Rockville, Maryland, this day of

.1999.

For the Nuclear Regulatory Commission.

Annette L. Vietti-Cook, Secretary of the Commission.

i r

13

[

i_

ATTACHMENT 1-C FederalRegisterNotice 50-67 Nuclear Information and Resource Service; Petition for Rulemaking Denial 9

0

r

[75G0-01-P]

NUCLEAR REGULATORY COMMISSION l

10 CFR Parts 50 and 70

[ Docket No. PRM-50-67]

Nuclear Information and Resource Service; Petition for Rulemaking Denial AGENCY:

Nuclear Regulatory Commission.

ACTION:

Petition for rulemaking; denial.

i

SUMMARY

The Nuclear Regulatory Commission (NRC)is denying a petition for rulemaking

)

(PRM-50-67) from the Nuclear Information and Resource Service (NIRS). The petitioner requested that the NRC amend its regulations to require that nuclear facilities ensure the availability of backup power sources to power atomic reactor and other nuclear facility safety systems in the event of a date-sensitive, computer-related incident resulting from a Year 2000 (Y2K) issue. The petitioner requested that NRC take this action to ensure that reliable backup sources of power are available in the event of a Y2K incident. The Commission agrees that maintaining reliable emergency power is important and has considered the petitioners request as part of its review of existing regulatory requirements and licensee actions to assure reliable emergency power during the Y2K transition. Based on this review the Commission has determined that existing regulatory requirements, actions taken by the licensees to implement a f

I

systematic and structured Y2K readiness program adequately address Y2K issues, and NRC's oversight of the licensees' implementation of these programs provides reasonable assurance of adequate protection to public health and safety. Because the Commission has concluded that existing programs already address the petitioner's concern regarding availability of emergency power, the petition is denied.

ADDRESSES: Copies of the petition for rulemaking, the public comments received, and NRC's letters to the petitioners are available for public inspection or copying in NRC Public Document Room,2120 L Street, NW. (Lower Level), Washington, DC, as well as on NRC's rulemaking web site at http://ruleforum.llnl. gov.

FOR FURTHER INFORMATION CONTACT: Matthew Chiramal, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555-0001, telephone 301-415-2845, E-mail address mxc@nrc. gov, or Gary W. Purdy, Office of Nuclear Material Safety and Safeguards, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555-0001, telephone 301-415-7897, E-mail address gwpi@nrc. gov.

SUPPLEMENTARY INFORMATION:

Background

NRC received three related petitions for rulemaking (PRM-50-65, PRM-50-66, PRM-50-67), each dated December 10,1998, submitted by the NIRS concerning various aspects of Y2K issues and nuclear safety. This petition (PRM-50-67) requested that NRC adopt regulations that would 2

i require facilities licensed by NRC under 10 CFR Parts 50 and 70 to provide reliable sources of backup power. The first petition (PRM-50-65) requested that NRC adopt regulations that would l

require facilities licensed by NRC under 10 CFR Parts 30,40,50, and 70 to be Y2K compliant.

The second petition (PRM-50-66) requested that NRC adopt regulations that would require facilities licensed by NRC under 10 CFR Part 50 to develop and implement adequate 1

contingency and emergency plans to address potential system failures.

j i

)

Because of the nature of these petitions and the date-specific issues they address, the petitioner requested that the petitions be addressed on an expedited schedule.

l On January 25,1999, NRC published a notice of receipt of a petition for rulemaking in the FederalRegister(64 FR 3789). It was available on NRC's rulemaking web site and in the NRC Public Document Room. The notice of receipt of a petition for rulemaking invited interested persons to submit comments by February 24,1999.

The Petition The petitioner requested that NRC adopt the following text as a rule:

"The Nuclear Regulatory Commission recognizes that date-sensitive computer programs, embedded chips, and other electronic systems that perform a major role in distributing, allocating, and ensuring electric power throughout the United States may be prone to failure beginning on January 1,2000. Loss of all attemating current electricity from both the offsite power grid and onsite 3

emergency generators (commonly known as " station blackout") long has been

' identified by NRC as among the most prominent contributors to risk for atomic reactors.

(1) For these reasons, NRC requires of Part 50 and 70 licensees as of December 1,1999: (a) that all emergency diesel generators that provide backup power to nuclear licensees must be operational and remain operational; (b) that licensees I

that cannot demonstrate full operational capabilities of all emergency diesel generators must close until such time that full operational capabilities of emergency diesel generators are attained; (c) that all licensees must have a 60-day supply of fuel for emergency diesel generators.

(2) Further, to ensure adequate protection of public health and safety, NRC requires that all licensees under these sections must provide attemate means of backup power sufficient to assure safety. These may include, but are not limited to: solar power panels, win'd turbines, hydroelectric power, biomass power, and other means of generating electricity. These additional backup systems must provide electricity directly to the licensee rather than to the broader electrical grid.

(3) Irradiated fuel pools are to be immediately classified as Class 1-E; backup power systems must be sufficient to provide cooling for such pools. Licensees which cannot demonstrate compliance with sections (1) and (2) must cease operations as of December 1,1999, until compliance with these sections is attained."

4 e

b

The petitioner acknowledged that NRC has recognized the potential safety and environmental problems that could result if date-sensitive electronic systems fail to operate or provide false information. The petitioner asserted that NRC has required its licensees of reactor and major fuel cycle facilities to report by July 1,1999, on their programs to ensure compliance with %2K issues.

The petitioner discussed the " availability of electricity to power atomic reactor and other nuclear facility safety systems." The petitioner explained that electricity is required to operate atomic reactor safety and cooling systems and that this electricity is provided by offsite sources (overall an electrical grid). The petitioner commented that NRC has long recognized that the loss of all attemating current from both onsite and offsite systems, known generally as " station blackout," is the most important contributor to risk at most atomic reactors. The petitioner correctly noted that NRC has required licensees to have backup sources of onsite emergency power, normally multiple emergency diesel generators, capable of supplying the electricity necessary to operate essential safety systems..

The petitioner asserted that the e'mergency diesel generators (EDGs) used at atomic reactors have proven unreliable and are often out of service. The petitioner claimed that the unprecedented condition posed by the Y2K problem, coupled with the demonstrated and ongoing failures of EDGs, constitutes reasonable doubt that EDGs can be relied on. Therefore, the petitioner believes that NRC should adopt regulations that require that licensees have all EDGs operational during the Y2K transition, that they have a 60-day supply of fuel as of December 1, 1999, and that licensed facilities that cannot meet these requirements be closed.

I t

5 I

i

The petitioner discussed the likelihood and the potential consequences of a failure of all or a portion of the electric power grid in the United States. The petitioner recognized that the failure of all or a portion of the electrical grid as a result of Y2K issues is well beyond the scope of NRC's authority. However, the petitioner stated that the extended failure of all or a portion of the electrical grid would place severe stress on the current EDG system of backup power supply and that the failure of EDGs at one or more reactor sites could result in extended station blackouts and nuclear catastrophes. The petitioner asserted that this possibility is well within the range of probabilities for which NRC routinely requires action by its licensees. The petitioner further asserted that reliance on unreliable EDGs is insufficient under these conditions. Therefore, the petitioner believes that it is essential that NRC take the regulatory action suggested in this petition on an expedited basis.

Public Comments on the Petition in response to the petition, NRC received 73 comment letters, which included i letter signed by i

25 citizens of the State of Michigan,3 letters from nuclear associated industries,10 letters from l

utilities,14 letters from private organizations, and 45 letters from private citizens.

Fifty-six letters supported the petition, of which 41 were from private citizens,14 were from private organizations, including i from the NIRS and 1 signed by 25 individuals. The comments supporting the petition addressed the concem ti,iat diesel generators are unreliable and that a,

reliable electric power grid is needed.

6

i In some of the letters supporting the petition, the authors included the following additional comments that provide information or requested action that was not contained in the petition.

These comments noted that-l 1.

Y2K may increase the possibility of local, regional or widespread blackouts.

Losing all electric power to the station is called station blackout. EDGs, each capable of powering the entire plant, compensate for the loss of off-site electric power. Reliability of diesel generators is considerably lower than required and, moreover, one of two diesel generators is often out of service. Therefore, for Y2K, an additional source of backup power needs to be provided, and both EDGs should be operable with sufficient fuel on site to compensate for fuel delivery problems.

2.

In order to ensure that sufficient electric power is available during an extended loss of offsite power to safely shut down a nuclear plant and cool the spent fuel pool, enough diesel fuel should be available at the site for periods extending from 60 days to 160 days to whatever the time period that offsite power is not available.

3.

An additional power source or method should be available during power failure to provide makeup water to the spent fuel pool.

4.

On at least one occasion, a nuclear power plant licensee falsified data relative to the reliability of EDGs. The concern is that other nuclear utilities may not provide

)

reliable data for their EDGs to NRC.

j l

7 I

l l

l

I 4

These comments are addressed specifically in the discussion of " Reasons for Denial."

Seventeen letters opposed the petition, including 4 from private citizens,3 from nuclear associated industries, and 10 from utilities. Comments opposing the petition stated that onsite emergency electric power generators are already required to be maintained in a state of readiness and validated by periodic testing, fuel supplies are maintained at a level adequate to facilitate appropriate response / recovery actions, and the current regulations and license conditions are adequate to address the issue. One commenter used a specific facility as an

- example to demonstrate that in the highly unlikely event of a total loss of electrical power (meaning the loss of the electric grid and backup power) the conditions at that facility would not threaten public health and safety. Any potential adverse impacts would be limited to work areas and equipment within the facility, and there would be no catastrophic or significant loss of control or containment of nuclear material. That commenter indicated that the provision of a tertiary

- (meaning a secondary backup) source of electric power to its fuel facility, which would be independent of the broader electric grid, as would be required under PRM-50-67, is an unreasonable requirement that would force shutdown of the facility on December 1,1999, in the absence of any significant credible safety risk.

Reasons for Denial NRC is denying the petition because the Commission has determined that current NRC regulations and license conditions goveming power systems at Part 50 and 70 facilities provide

- reasonable assurance of adequate protection to public health and safety, and licensees are taking appropriate actions to provide reasonable assurance that Y2K problems will not adversely 8

l

affect the functioning of these power systems. The NRC is reviewing the licensees' implementation of these Y2K activities and will have sufficient time to take appropriate regulatory action if licensees' Y2K activities and programs are not properly implemented in a timely fashion.

NIRS does not explain why the licensees' Y2K activities and programs, and NRC's oversight of l

the licensees' implementation of these activities and programs, are inadequate such that the rule proposed by NIRS is necessary to provide reasonable assurance of adequate protection from Y2K-induced unavailability of onsite power systems.

l l

NIRS' proposed rule contained three separate requirements for Part 50 and Part 70 licensees:

(1) operational demonstration of EDGs and provision of a 60-day diesel fuel supply; (2) attemate means of backup power; and (3) classification of fuel pools as Class 1-E. Facilities that cannot demonstrate compliance with these requirements by December 1,1999, would be required to shut down until they could demonstrate compliance. The proposed requirements are addressed j

below for Part 50 power reactors, Part 50 decor'nmissioning reactors, Part 50 non-power reactors, and Part 70 licensees in Sections I, II, Ill, and IV, respectively.

l.

Part 50 Nuclear Power Plants.

i A.

Diesel Generator Operationi aoability and Sixtv-Day Fuel Suoolv Nuclear power plants must be protected against loss of offsite power (LOOP) by providing an onsite backup power system by either 10 CFR Part 50, Appendix A, General Design Criteria (GDCs) 17 and 18, or equivalent requirements in the plant's licensing basis. Most licensees rely upon diesel generators to provide onsite backup power, although there is at least one licensee 9

u l

that relies upon hydroelectric power. Alllicensees have comnded to provide an onsite supply of fuel to operate diesel generators; most t.ommitments are for a 7-day supply. In addition, nuclear 1

power plants are required by 10 CFR 50.63 to have the capability to withstand loss of all ac power (generally referred to as " station blackout" [SBO]) for an established period of time. As indicated in Section I.A.2 there is no reason to believe that Y2K would significantly affect the probability or duration of a LOOP and/or a SBO from that otherwise assessed in a licensee's coping analysis required by 10 CFR 50.63. To demonstrate that their plants can cope with SBO, some licensees rely upon an attemate ac power source (s) (separate from the backup power system) that utilizes diesel generators or gas turbine generators.

1.

EDG Reliability NIRS claims that EDGs have proven to be unreliable, such that licensees should be required to demonstrate " full operational capability"' of EDGs that provide backup power. As previously noted, backup onsite power is usually provided by diesel generators, which supply electric power to the plant safety systems upon a LOOP, NRC regulations require that onsite electric power supplies and the onsite electric distribution system have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure. Furthermore, in accordance with their license conditions, all licensees are required to have backup electricity sources operational to supply safety-related equipment at all times independent of circumstances such as Y2K-induced LOOP. The operation and maintenance of diesel generators and other The NRC assumes that by " capability," NIRS actually means " reliability" because

" capability" normally refers to the ability of the emergency power system to power safety related electricalloads at the plant; whereas reliability normally refers to the actual performance of the f

system in terms of availability, which is what NIRS addresses in its petition.

10 4

safety-related equipment necessary for the safe shutdown of the reactor are controlled by the plant technical specifications (TSs). The TSs are intended to ensure that sufficient power will be available to supply safety-related equipment at all times regardless of key Y2K dates. Moreover, the plant TSs require that immediate action be taken to restore inoperable diesel generators to operable status. The plant TSs require the diesel generators to be tested routinely in order to demonstrate their operability and their ability to supply power as needed.

NIRS did not present any information demonstrating that diesel generators are unreliable such that they should not be relied upon to provide backup power upon a LOOP. For each nuclear power plant, selected target diesel generator reliability values were established for plant-specific coping analysis in accordance with the requirements of 10 CFR 50.63, the SBO rule. Availability and reliability values are tracked by each licensee in accordance with the requirements of 10 CFR 50.65, the maintenance rule, and associated industry guidance.

In the resolution of Generic Safety issue B-56, " Diesel Generator Reliability," one of the options recommended by NRC staff was to revise the SBO rule to include specific requirements for demonstrating diesel generator reliability. However, in SECY-93-044, " Resolution of Generic Safety lasue B-56, Diesel Generator Reliability," dated March 25,1993, the Commission disapproved the revision to the SBO rule on the basis of the real progress made by the nuclear industry in improving the reliability of the diesel generators. NRC requirements and industry activities have resulted in a very high diesel generator reliability. In 1993, the industry-wide average reliability of diesel generators was in excess of 98 percent. An Idaho National Engineering Laboratory study (INEL-95-0035, " Emergency Diesel Generator Power System Reliability: 1987-1993") of a number of nuclear power EDG reliability concluded that those plants 11

T with a 0.950 reliability target goal were actually demonstrating 0.987, and the plants with a 0.975 reliability target goal were actually demonstrating 0.985. The Commission stated that the industry should continue an aggressive program of maintenance as well as root cause analysis that will continue to offer assurance that diesel generator reliability will be maintained at a satisfactory levelin the future.

All licensees have implemented a maintenance monitoring program consistent with the maintenance rule, which became effective on July 10,1996. Licensees are required to monitor the performance of diesel generators against the established goals and to take appropriate corrective actions if the goals are not met. The maintenance rule requires that these goals be evaluated by the licensees at least every refueling cycle, not to exceed 2 years. To evaluate the process established by licensees to set goals and monitor them, and to verify that preventive maintenance has been effective for systems and components under the maintenance rule, NRC staff conducted baseline inspections of all nuclear plants during 1996 -1998. At several plants, diesel generators were among the systems and components reviewed to verify that goals were established and monitoring and trending were being performed. Diesel generators continue to be inspected and evaluated using the risk-informed, performance-based inspection process, which is part of the NRC Oversight Baseline Inspection Program. NRC staff will continue to assess the reliability of diesel generators at nuclear power plants to ensure that the reliability of diesel generators is maintained at levels specified by each licensee when it performed its plant-specific coping analyses for SBO.

Additionally, the scope of licensees' Y2K programs, including contingency planning, covers the onsite power r,nd other emergency power systems at the plant. NRC audits and reviews of 12

l l

licensee Y2K program activities to date have verified licensee consideration of these systems,

)

and no associated Y2K issue relating to onsite power systems have been identified.

The NRC does not believe, on the basis of current information from the North American Electric Reliability Council (NERC)2, that availability of offsite power from the electrical grid is likely to be significantly affected by Y2K-induced problems. In its most recent reports issued on January 11 and April 30,1999, NERC states, " Transmission outages are expected to be minimal and outages that may occur are anticipated to be mitigated by reduced energy transfers established as part of the contingency planning process." Both reports indicate that the transition through critical Y2K rollover dates should have a minimal impact on electric systems operations in North America and that widespread, long-term loss of the grid as a result of Y2K-induced events is not l

a credible scenario. Therefore, there is no reason to believe that Y2K would significantly affect the probability or duration of a LOOP and/or a SBO from that otherwise assessed in the licensee's coping analysis required by 10 CFR 50.63.

As discussed above, the diesel generators and associated onsite power supply systems, being within the scope of licensees' Y2K readiness programs, will be Y2K ready prior to the Y2K transition, and no decrease in reliability of the diesel generators is expected. The information provided by NERC indicates that the likelihood of a LOOP is not expected to increase significantly during Y2K transition. Based on these considerations, plus the ability of the plants to l

l a NERC is an electric industry organization made up of 10 Regional Reliability Councils that account for nearly every bulk electric supply and delivery organization in the interconnections of North America.

l I

NERC and its Regional Reliability Councils set operating and engineering standards for the reliability of electric systems in North America. In May 1998, U.S. Department of Energy requested NERC to facilitate the electric industry's Y2K effort.

13

cope with a station blackout, the likelihood of an event that willjeopardize public health and safety is acceptably low.

One of the public comments received by NRC in response to the petition indicated a concem regarding falsification of EDG reliability data by licensees. This particular concem has been 4

investigated and resolved as documented in an NRC memorandum dated December 20,1993, from the Office of Investigations to the Region 11 Regional Administrator, "Vogtle Electric Generating Plant: Alleged False Statements Regarding Test Results on Emergency Diesel Generators (Case No. 2-90-020R)." Falsification of EDG failure data by licensees is not considered by NRC as an industry-wide, generic occurrence. Such incidents, when identified,

. will continue to be treated by NRC on a case-by-case basis and appropriate actions will be taken in response.

2.

Sixty-Day Fuel Supply NIRS' proposed rule would require each nuclear power plant licensee to have a 60-day onsite supply of fuel for diesel generators, as opposed to a 7-day fuel supply to which most licensees have committed. However, NIRS provided no technical basis why offsite power from the grid would not be reestablished within the 7-day period accommodated by existing onsite fuel supplies. Nor did NIRS explain why, should a LOOP continue for longer than 7 days, a licensee would be unable to resupply diesel fuel for a period of 60 days so that a 60-day fuel supply must be maintained onsite. Commenters on the NIRS petition who suggested a requirement for a larger fuel supply (able to accommodate 160 days of operation without resupply) also did not provide any technical bases for their recommendations.

j 14

As stated previously, the likelihood or duration of a LOOP is not expected to be significantly affected.by the Y2K issue.

Furthermore, the NRC licensees are taking appropriate actions to ensure that their plants will be able to cope with Y2K-induced LOOP durations longer than 7 days. As part of each plant's Y2K activities, each licensee is preparing a co' tingency plan, which includes obtaining diesel fuel and n

j 1

other necessary supplies to cope with Y2K-induced long-term LOOP events. As part of NRC's review of iicensees' implementation of their Y2K programs, NRC will confirm that licensee Y2K programs address emergency power sources, arrangements for obtaining critical commodities (e.g., EDG fuel oil) and other considerations for contingency planning identified in Nuclear Energy Institute / Nuclear Utilities Software Management Group (NEl/NUSMG) 98-07, ' Nuclear Utility Year 2000 Readiness Contingency Planning," dated August 1998.

The capability of diesel generators and the adequacy of existing fuel supplies have been demonstrated at numerous plants during weather-induced interruptions of the power grid and other cases of LOOP from the grid. An example is the Turkey Point nuclear plant LOOP event during the August 1992 Hurricane Andrew when the diesel generators automatically picked up safety-related loads and maintained the plant for an extended period (over 6 days) during t.he recovery until site power was restored. NRC considers the current 7-day fuel capacity to be sufficient to operate diesel generators for longer than the time that it takes to replenish the onsite supply from outside sources. Accordingly, a rule requiring licensees to maintain sufficient fuel to operate their diesel generators for a 60-day period or longer is not necessary to provide reasonable assurance of adequate protection against Y2K-induced LOOP events. The regulation requires nuclear power plants to withstand LOOP events regardless of whether the 15

i p

i LOOP is due to Y2K or other causes. The petitioner has not demonstrated that Y2K would significantly affect the probability or duration of loss of all attemating current power from that otherwise assumed in the licensee's coping analysis required by 10 CFR 50.63, and the licensees' coping analyses continue to be applicable during the period that NIRS claims would present an :ncreased susceptibility to a LOOP.

B.

Additional Altemate Means of Backuo Power NIRS' petition requests NRC to require all licensees to provide an attemate (second) means of backup power, such as solar power panels, wind turbines, hydroelectric power, and biomass power. The petition also requests NRC to require that the attemate backup power system provide electricity directly to the licensee rather than to the broader electrical grid.

1.

Need for Additional Backup Power Source As discussed in Section I.A.1 above, not only must licensees provide a source of backup power upon a LOOP, some licensees have provided an attemate ac power source in order to demonstrate that they are able to cope with a LOOP concurrent with a loss of onsite backup power (an SBO) for a specified duration. Thus, these licensees have three sources of power: (1) offsite power from two independent circuits; (2) onsite backup power from independent, redundant power supplies; and (3) attemate ac power. The NRC does not believe that the NIRS' i

proposal for a fourth source of power (" alternative backup power," in the words of NIRS) is necessary to provide reasonable assurance of adequate protection against Y2K-induced i

problems.

16 I

E i

The petitioner does not explain why Y2K would affect diesel generators as a source of backup

. and/or altemate ac power, such that a source of power in addition to diesel generators is necessary to address SBO. The scope of the licensees' Y2K program covers both the onsite backup and the altemate ac power systems at nuclear power plants. Since 1996, NRC has been working with the nuclear industry and licensees of operating nuclear power plants in order to achieve Y2K readiness at all nuclear power plants. NRC has issued information Notice (lN) 96-70, " Year 2000 Effect on Computer System Software," on December 24,1996; Generic Letter (GL) 98-01, " Year 2000 Readiness of Computer Systems at Nuclear Power Plants," on May 11, 1998; and GL 98-01, Supplement 1, " Year 2000 Readiness of Computer Systems at Nuclear Power Plants," on January 14,1999.

NRC issued IN 96-70 to alert nuclear power plant licensees of the Y2K problem. The information notice described the potential problems that nuclear power plant computer systems and software may encounter during and following the transition into the year 2000 and how the Y2K issue may affect NRC licensees. IN 96-70 encouraged licensees to examine their uses of computer systems and software well before the year 2000 and suggested that licensees consider appropriate actions for examining and evaluating their computer systems for Y2K vulnerabilities.

In GL 98-01, NRC endorsed the guidance in the industry document issued by the NEl/NUSMG 97-07, ' Nuclear Utility Year 2000 Readiness," when properly augmented in the area of risk management, contingency planning, and remediation of embedded systems, as one possible approach in implementing a plant-specific Y2K readiness program. In August 1998, NEl issued an industry document, NEl/NUSMG 98-07, which provided additional guidance in the area of intemal and extemal risk management and contingency planning. Extemal events that should be l

17

I e

considered for facility-specific contingency planning include electric grid / transmission / distribution system events (e.g., a LOOP, grid instability and voltage fluctuations, load fluctuations and loss of grid control systems), loss of emergency plan equipment and services, loss of essential services, and depletion of consumables. The NRC considers the guidance in NEl/NUSMG 98-07, when properly implemented, as an acceptable approach to mitigate and manage Y2K-induced events that could occur on Y2K-critical dates.

In GL 98-01, NRC requested that all operating nuclear power plant licensees submit written responses regarding their facility-specific Y2K readiness programs in order to obtain confirmation that licensees are addressing the Y2K problem effectively. All licensees have responded to GL 98-01, stating that they have adopted plant-specific programs that are intended to make the plants Y2K ready by July 1,1999. GL 98-01 also requests a written response, no later than July 1,1999, confirming that these facilities are Y2K ready, including contingency planning.

Licensees who are not Y2K ready by July 1,1999, must provide a status report and schedule for the remaining work to ensure timely Y2K readiness.

As part of its oversight of licensee Y2K activities, the NRC staff conducted sample audits of 12 plant-specific Y2K readiness programs. The objectives of the audits were as follows:

1.

To assess the effectiveness of licensee programs for achieving Y2K readiness and in addressing compliance with the terms and conditions of their license and NRC regulations and continued safe operation.

18

2.

To evaluate program implementation activities to ensure that licensees are on schedule to achieve Y2K readiness in accordance with GL 98-01 guidelines.

3.

To assess the licensee contingency planning for addressing risks associated with events resulting from Y2K problems.

NRC staff determined that this approach was an appropriate means of oversight of licensee Y2K readiness efforts because: (1) all licensees had committed to the nuclear power industry Y2K readiness guidance (NEl/NUSMG 97-07) in their first response to NRC GL 98-01; and (2) the audit would verify that licensees were effectively implementing the guidelines. The sample of 12 l

licensees included large utilities such as Commonwealth Edison and Tennessee Valley Authority, as well as small single-unit licensees such as North Atlantic Energy (Seabrook) and Wolf Creek Nuclear Operating Corporation. NRC staff selected a variety of types of plants of different ages l

l and locations in this sample in order to obtain the necessary assurance that nuclear power industry Y2K readiness programs are being effectively implemented and that licensees are on schedule to meet the readiness target date of July 1,1999, established in GL 98-01.

In late January 1999, NRC staff completed the 12 audits. On the basis of the audit observations, NRC staff has concluded that licensees are effectively addressing Y2K issues and are j

undertaking the actions necessary to achieve Y2K readiness in accordance with the GL 98-01 target date, although some plants will have some remediation, testing, and final certification scheduled for the fall 1999 outage. NRC staff did not identify any issues that would prevent these licensees from achieving readiness.

1 19 l

m NRC staffis not aware of any Y2K problems in nuclear power plant systems that directly affect actuation of safety functions, including the emergency onsite power systems. Moreover, NRC audit results to date have not identified any associated residual Y2K problems with the emergency onsite power system and have confirmed the licensees' consideration of these systems. Also, the audits did not identify any Y2K problem in safety-related activation systems.

Additionally, the NRC's regional staff is currently reviewing Y2K activities at all operating nuclear power plants to verify the status of licensee efforts to ensure that all plants will be able to function safely on January 1,2000, and beyond. These reviews will: (1) verify that all NRC licensees have implemented Y2K program activities; (2) evaluate the progress made to ensure that the licensees are on schedule to achieve Y2K readiness; and (3) assess licensees' contingency plans for addressing Y2K-related issues. The reviews are scheduled to be completed by July 1999.

NRC staff is currently auditing the contingency planning efforts of six licensee facilities. The audits at these facilities will examine in detail backup measures the utilities have in place to deal with possible Y2K problems, either on site or off site, that might affect plant operations. The J

l audits will be accomplished during May and June 1999.

The reviews and audits will allow NRC staff to verify the progress of alllicensees and determine whether any regulatory action is needed. Information from the reviews will be used in conjunction with the status reports that NRC has required its nuclear power plant licensees to provide by July 1,1999.

20

4.

NIRS presents no information or argument why these actions by the licensees, the nuclear j

- industry, and NRC are not sufficient to ensure that onsite back up and attemate ac power i

systems will not be adversely affected by Y2K-induced problems.

i 2.

Specific Backup Power Sources Proposed by NIRS The petitioner's proposed altemative backup power sources, such as solar and wind, are not i

reliable backup power sources because of their undependability under unpredictable weather conditions or because they are limited by the amount of power they can generate. Additional comments received by the NRC in response to the petition also suggested the requirement for altemate power. The petitioner does not provide sufficient technical information to demonstrate that these additional attemative backup power sources would add more reliability than current backup power sources. Therefore, most of the sources of altemative backup power that are included in NIRS' proposed rule would not constitute an acceptable attem'ative source of backup power with the same level of availability and capability as diesel generators.

1 C.

Soent Fuel Pool Class 1E Classification and Backuo Power The proposed rule would require all Part 50 licensees to immediately classify irradiated (spent) fuel pools as Class 1-E and provide sufficient backup power to provide cooling to these pools.

Because Class 1-E is an electric system classification, the NRC assumes that the petitioner intends the rule to require that the backup power supply for spent fuel pool cooling systems be classified as Class 1-E.

21

The petitioner does not explain why classification of the electric power system for spent fuel pool cooling systems as Class 1-E is necessary to protect spent fuel pools against a Y2K-induced LOOP. The Class 1-E classification addresses design and quality assurance (QA) requirements for manufacture and insta!!ation of electrical system components. Most of these systems are based upon analog controls and, therefore, are not subject to Y2K problems. Furthermore, simple reclassification of the electrical power system by itself would not appear to have any direct effect on minimizing Y2K-induced loss of power necessary for spent fuel cooling. Rather, an evaluation of the power system for Y2K susceptibility is necessary, which is what licensees have committed to implement. Thus, it is not clear how the requested requirements in the NIRS petition would provide assurance that Y2K problems prevent electrical power systems from performing their necessary safety functions and a rule change is not necessary since licensees are already directly addressing spent fuel pool cooling as part of their Y2K programs.

Furthermore, the NRC does not agree that a backup source of electrical power for spent fuel cooling is necessary at nuclear power plants in order to provide reasonable assurance of adequate protection. At most operating nuclear power plants, the emergency onsite power system can directly supply electric power to its spent fuel pool cooling systems. At those plants at which the spent fuel cooling system is not directly connected to the emergency onsite power system, the capability exists of connecting the cooling system to the emergency onsite power system. Requiring a backup (tertiary) source of electrical power is not justified in view of the length of time between loss of spent fuel cooling and the point at which there is a significant threat to integrity of the spent fuel rods. A licensee is required to keep the spent fuel pool filled to a level more than 23 feet above the top of the fuel rods and, generally, the water temperature in the pool is to be maintained below 140 f. For a typical pool with a capacity of about 400,000 22

9 gallons and a worst case heat load causing 50 gpm of water loss as a result of evaporation, it would take about 3 days for the pool level to drop to the top of the fuel racks. This estimate does not include the heat-up time of 3 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for the pool water to increase from 140 *f to 212 *f.

This scenario assumes a total loss of all ac electric power and that no corrective actions are l

taken for 3 days in response to the decreasing water level in the spent fuel pool. For a typical l

heat load (non-refueling), the time to uncovering of the spent fuel pool would be around 2 weeks, again assuming that no make-up water is added to the pool. Upon loss of water shielding, the radiation levels above the pool would increase. Assuming LOOP and failure of onsite emergency l

l power sources, the only action necessary would be to provide make-up water to the spent fuel l

pool. The existing plant operating / emergency procedures provide for initiation of make-up water to the pool upon detection of low level. At many plants, the make-up water supply is provided by a plant safety system. Upon loss of all ac power, make-up water from any source, such as fire hoses supplied by diesel-driven fire pumps, can be used to maintain the required water level in the pool. In light of the substantial period of time available for a licensee to take mitigative actions upon loss of spent fuel pool electrical power, the NRC concludes that providing an additional backup source of power is not warranted at any operating nuclear power plant.

II.

Part 50 Decommissioning Nuclear Power Plants.

i There are 21 permanently shutdown nuclear power plants which have been shut down for more i

1 than a year. Six of these facilities have removed all spent fuel from the site. Therefore, there are only 15 decommissioning power plants to which the proposed requirements in the petition would potentially apply.

23

- Spent fuel pool cooling and support systems may be configured differently for decommissioning plants than for operating reactors due to the reduced need for decay heat removal at decommissioning plants. As decay heat loads drop, utilities are able under 10 CFR 50.59 to remove equipment from service once it no longer is needed to provide its safety function. At some plants there is no need for forced circulation to remove heat from the pool as adequate heat loss to ambient keeps the pool at an acceptable temperature. After three years of decay in the spent fuel pool, the heat load from spent fuel is significantly reduced. Consequently, the potential for boiling is reduced and the time available for the licensee to take mitigative action is greater. With the exception of five plants (Haddam Neck, Maine Yankee, Big Rock Point, Zion, and Millstone 1), all nuclear power plants currently undergoing decommissioning have been shut

. down for more than 3 years.

The reasons discussed in Section I.C above regarding why electrical systems need not be classified Class 1-E for spent fuel pools at operating nuclear power plants also apply equally to decommissioning nuclear power plants. As previously noted, requiring a backup source of electrical power is not justified in view of the length of time between loss of spent fuel cooling and the point where there is a significant threat to integrity of the spent fuel rods. Upon loss of all ac power, make-up water from any source, such as fire hoses supplied by diesel-driven file pumps, can be used to maintain the required water level in the pool.

4 in view of the long time period available for the licensee to respcnd to loss of power to the spent fuel pool cooling system and the relative simplicity of mitigative actions, the requirements i

proposed by NIRS with respect to spent fuel pool electrical system reclassification and the provision of attemative power are not justified.

24

Ill.

Part 50 Non-Power Reactor Licensees.

Non-power reactors operate at power levels ranging from 250 KWt to 2 MWt, and they operate at low temperatures. Any non-power reactor in operation on January 1,2000, can be readily shut down manually using emergency procedures and existing shutdown systems. These reactors have passive safety features and generally do not require power to shut down and dissipate decay heat. Accordingly, NRC regulations do not currently require Part 50 non-power reactors to provide a backup power source.

NIRS did not present any information or rationale why Part 50 non-power reactors must provide

, an "altemate" source of backup power to address Y2K losses of power. In particular, NIRS did not address the fact that these facilities are not required to have a backup power source because power is not required to shut down and maintain these facilities in a safe-shutdown condition. In the absence of any rationale in support of the proposed requirement, the Commission concludes that there is no basis for adopting the proposed requirement for Part 50 non-power reactor licensees.

IV.

Part 70 Licensees To alert major Part 70 licensees of the Y2K problem, NRC issued Information Notice (IN) 96-70 in December 1996, and IN 98-30 in August 1998. In IN 96-70, NRC staff described the potential Y2K problems, encouraged licensees to examine their uses of computer systems and software well before the year 2000, and suggested that licensees consider appropriate actions to examine and evaluate their computer systems for Y2K vulnerabilities. In IN 98-30, NRC staff provided 25

definitions of "Y2K ready" and "Y2K compliant," encouraged licensees to contact vendors and test their systems for Y2K problems, and described elements of a Y2K readiness program.

In order to gather Y2K information regarding materials and major fuel cycle facilities, NRC formed a Y2K Team within the Office of Nuclear Material Safety and Safeguards (NMSS) in 1997. From September through December 1997, this NMSS Y2K Team visited a cross-section of materials licensees and fuel cycle facilities and conducted Y2K interviews. Each licensee or facility visited by the team indicated that it was aware of the Y2K issue and was in various stages of implementing its Y2K readiness program.

On June 22,1998, the NRC staff issued Generic Letter (GL) 98-03, "NMSS Licensees' and Certificate Holders' Year 2000 Readiness Programs," requested major Part 70 licensees to inform NRC of the status of their Y2K readiness programs. In GL 98-03, the NRC staff requested all major Part 70 licensees to submit by September 20,1998, written responses regarding their facility-specific Y2K readiness program in order to confirm that they were addressing the Y2K problem effectively. All licensees responded to GL 98-03 by stating that they had adopted a facility-specific Y2K readiness program, and the scope of the program included identifying and, where appropriate, remediating embedded systems, and provided for risk management and the development of contingency plans. GL 98-03 also requested a written response, no later than December 31,1998, which confirmed that these facilities were Y2K ready or provided a status report of work remaining to be done to become Y2K ready, including completion schedules. All licensees provided a second response to GL 98-03, which provided reports of work to be done, including completion schedules. Furthermore, following the second response, NRC requested a 26 j

1

i 4

third written response, no later than July 1,1999, which would confirm that these facilities were Y2K ready or would provide an updated status report.

Between September 1997 and October 1998, the major fuel cycle facilities were also asked Y2K questions during other inspections. On the basis of these Y2K inspections, the licensees were aware of the Y2K problem and were adequately addressing Y2K issues. There have been no identified risk-significant Y2K concems for major Part 70 licensees.

NIRS presents no information or argument why these above-mentioned actions by the licensees and NRC are not sufficient to address Y2K problems and provide reasonable assurance of adequate protection during the transition from 1999 to 2000.

I EDG Reliability and Fuel Suoolv The requirements proposed in the NIRS petition would require that: (1) all EDGs that provide backup power be operational and (2) licensees have a 60-day supply of fuel for EDGs or the facility would be shut down. The petitioner indicated these requirements are necessary to protect public health and safety. However, there are no Part 70 licensees required to have EDGs in order to provide backup power to protect public health and safety. In the event of the loss of electric power in Part 70 facilities, processing stops and there is no need for electric power to maintain a safe condition. There are some Part,70 licensees who have independent power

- sources in order t'o meet physical protection (PP) requirements. These licensees are also required to have contingency plans for PP (e.g., augmented guard force) in the event of loss of independent power. Based on the above discussion, the 60-day fuel supply requirement is also 27 4

not needed for Part 70 licensees to provide reasonable assurance of adequate protection to public health and safety.

The petitioner does not provide sufficient technical information to demonstrate that Part 70 licensees must shut down if they do not have EDGs providing backup power or must have a 60-day fuel supply for EDGs.

Additional Attemate Means of Backup Power NIRS asserted that NRC must require licensees to provide attemate means of backup power (e.g., solar power panels, wind turbines, hydroelectric power, biomass power). As stated above, it is not necessary for Part 70 licensees to have backup power in order to shutdown to a safe condition and the Part 70 licensees who are required to have independent power sources to meet PP requirements also have Contingency Plans to meet the loss of the back-up power.

Further, the petitioner does not provide sufficient technical information to demonstrate that these attemative back-up power sources are needed to to provide reasonable assurance of adequate protection to public health and safety.

Back-up Power Sucolv for Spent Fuel Pool Coolina System The proposed rule in the NIRS petition would have NRC require that all licensees immediately classify irradiated fuel pools as Class 1-E, and provide sufficient back-up power to provide cooling to these pools. Because Class 1-E is an electric system classification, NRC staff assumes that the petitioner intends the rule to apply to the back-up power supply for spent fuel 28 l

i

pool cooling systems. Although some Part 70 licensees have irradiated fuel at their facilities, these facilities do not store large quantities of irradiated fuel. The irradiated fuel is used for research and development or educational purposes, if the irradiated fuel is stored in a pool, the heat generated from the fuel would be minimal and would not require a pool cooling system.

The petitioner provides no technical justification to support the proposal that spent fuel pools be immediately classified as Class 1-E. The regulatory action requested by NIRS is not required for Part 70 licensees.

1 l

Conclusion l

Existing NRC requirements, licensee commitments, and licensee activities and programs are sufficient to cope with losses of power, including those losses of offsite power that could be caused by Y2K problems. NIRS has not presented any information either that existing requirements and licensee commitments are inadequate to address losses of power due to Y2K problems, such that the requirements proposed in NIRS' petition are necessary to provide reasonable assurance of adequate protection to public health and safety. Accordingly, the Commission denies the petition.

1 Dated at Rockville, Maryland, this day of

.1999.

For the Nuclear Regulatory Commission.

i Annette L. Vietti-Cook, Secretary of the Commission.

29 l

l

l 1

1 1

I ATTACHMENT 2 Letter to Petitioner l

Michael C. Mariotte, Executive Director Nuclear Information and Resource Service l

1 i

4

[g%g$

UNITED STATES

r j

NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20666 0001

\\...../

Mr. Michael Mariotte, Executive Director Nuclear Information and Resource Service 142416* St., NW, Suite 404 Washington, DC 20036

Dear Mr. Mariotte:

I am responding to the three related petitions for rulemaking that the Nuclear Information and Resource Service submitted to the U.S. Nuclear Regulatory Commission (NRC) on December 10,1998. The petitions requested that the Commission amend its regulations to require that nuclear facilities be shut down if systems relevant to safety are not compliant with Y2K issues (PRM-50-65), that nuclear power plants develop and implement adequate contingency plans and conduct emergency planning exercises to address potential system failures (PRM-50-66), and that additional reliable back-up sources of power be provided for nuclear facilities (PRM-50-67).

The NRC agrees that Y2K issues are significant and acknowledges the importance of the issues raised by the petitions. However, the NRC has concluded that the requirements in the three rules proposed by NIRS are not necessary to ensure that these facilities will continue to provide reasonable assurance of adequate protection to public health and safety. The NRC's judgement in this regard is based upon: (i) licensee activities to identify and address Y2K problems, including the development of contingency plans where appropriate, (ii) NRC oversight of the implementation of licensee actions (which includes inspections, audits, and review of licensee responses to NRC requests for information on licensee Y2K activities), (iii) NRC's current regulatory requirements, which require reliable power where necessary and (iv) existing NRC authority under the Atomic Energy Act to take all necessary actions necessary to provide reasonable assurance of adequate protection to public health and safety, including issuing order to shutdown a facility if warranted. A detailed discussion of the NRC's rease,cing in this matter are contained in the enclosed Denials of Petition for Rulemaking, which will be published in the Federal Register.

The NRC concludes that the rules which NIRS has proposed are not necessary to provide reasonable assurance of adequate protection to public health and safety. Accordingly, the petitions have been denied.

Sincerely, l

William D. Travers Executive Director for Operations

Enclosures:

1.

FederalRegister Notice 50-65 2.

FederalRegister Notice 50-66 3.

FederalRegister Notice 50-67

r l

I i

)

i l

l l

1 l

J ATTACHMENT 3 Letters to Congress:

Honorable Joe L. Barton, House of Representatives i

Honorable James M. Inhofe, U.S. Senate f

I

i n

Mng _

p 4

UNITED STATES

-g j

NUCLEAR REGULATORY COMMISSION WASHINGTON. D.C. 2006H001

.....,o.

The Honorable Joe L Barton, Chairman

. Subcommittee on Energy and Power Committee on Commerce United States House of Representatives Washington, DC 20515 l

Dear Mr. Chairman:

l The U.S. Nudear Regulatory Commission (NRC) has sent the enclosed Federa/ Register

(

notices to the Office of the Federal Register for publication. With this action, the NRC denies l

three related petitions for rulemaking submitted by the Nuclear Information and Resource l

Service (NIRS). The petitioner, NIRS, requested that the Commission amend its regulations to require that nuclear facilities be shut down if they are not compliant with Y2K issues (PRM-50-65). The additional two related petitions would require nuclear power plant and major j

fuel cycle facilities to develop and implement adequate contingency plans and conduct l

emergency planning exercises to address potential system failures (PRM-50-66) and to provide reliable back-up sources of power for nuclear facilities (PRM-50-67).

With respect to NIRS' petition for a rule requiring / shutdown of nuclear facilities that are not Y2K compliant, the Commission finds that licensees are taking action to identify and address Y2K problems. The NRC has required licensees to provide information to the NRC describing

, their activities for addressing Y2K issues, and to provide information by July 1,1999 that describe the status of their work. Additionally, the NRC is auditing and inspecting the implementation of licensees' Y2K activities. The NRC has sufficient authority to take timely action (including, as appropriate, issuance of orders directing shutdown of facilities) if it finds that Y2K-induced problems threaten continued assurance of adequate protection to public health and safety. Accordingly, the NRC concludes that NIRS' proposed rule is not necessary to provide reasonable assurance of adequate protection to public health and safety in the event of any Y2K-induced problems.

With respect to the NIRS' petition for a rule requiring a special emergency preparedness exercise at nuclear power plants to test the capability to cope with Y2K-induced failures, the NRC finds that emergency preparedness exercises routinely assume problems and equipment failures, in order to test the capability of the onsite and offsite organizations to cope with such problems. Furthermore, licensees have prepared Y2K contingency plans with respect to emergency preparedness implementation. The NRC will be reviewing the implementation of these contingency plans. Accordingly, the NRC does not believe that NIRS' proposed rule is necessary to provide reasonable assurance of emergency preparedness capabilities at nuclear power plants Finally, with respect to the NIRS' petition for a rule requiring an attemative source of emergency power, the NRC has determined that sufficient redundant backup power sources are currently present at nuclear power plant facilities because of existing requirements with respect to loss of offsite power and station blackout. Redundant power sources are not 4

i

a Honorable J. L Barton i necessary at other facilities which are the subject of NIRS' petition, either because such power is not required to shutdown and maintain the plants in a safe condition, or because adequate measures are already in place to address loss of power (primarily related to security and safeguards).

Sincerely, Dennis K. Rathbun, Director Office of Congressional Affairs

Enclosures:

1.

FederalRegisterNotice 50-65 2.

FederalRegisterNotice 50-66 3.

FederalRegister Notice 50-67 cc w/ encl: Representative Ralph M. Hall i

I

\\

@ retoqk UNITED STATES gp j

NUCLEAR REGULATORY COMMISSION 2

WASHINGTON, D.C. 20066 4 001 I

44.....,o The Honorable James M. Inhofe, Chairman Subcommittee on Clean Air, Wetlands, Private Property and Nuclear Safety Committee on Environment and Public Works United States Senate Washington, DC 20510 i

Dear Mr. Chairman:

The U.S. Nuclear Regulatory Commission (NRC) 'has sent the enclosed Federa/ Register notices to the Office of the Federal Register for publication. With this action, the NRC denies three related petitions for rulemaking submitted by the Nuclear information and Resource Service (NIRS). The petitioner, NIRS, requested that the Commission amend its regulations to require that nuclear facilities be shut down if they are not compliant with Y2K issues (PRM 65). The additional two related petitions would require nuclear power plant and major fuel cycle facilities to develop and implement adequate contingency plans and conduct emergency planning exercises to address potential system failures (PRM-50-66) and to provide reliable back-up sources of power for nuclear facilities (PRM-50-67).

With respect to NIRS' petition for a rule requiring / shutdown of nuclear facilities that are not Y2K compliant, the Commission finds that licensees are taking action to identify and address Y2K problems. The NRC has required licensees to provide information to the NRC describing their activiti,es for addressing Y2K issues, and to provide information by July 1,1999 that describe the status of their work. Additionally, the NRC is auditing and inspecting the implementation of licensees' Y2K activities. The NRC has sufficient authority to take timely action (including, as appropriate, issuance of orders directing shutdown of facilities) if it finds that Y2K-induced problems threaten continued assurance of adequate protection to public health and safety. Accordingly, the NRC concludes that NIRS' proposed rule is not necessary to provide reasonable assurance of adequate protection to public health and safety in the event of any Y2K-induced problems.

With respect to the NIRS' petition for a rule requiring a special emergency preparedness exercise at nuclear power plants to test the capability to cope with Y2K-induced failures, the NRC finds that emergency preparedness exercises routinely assume problems and equipment failures, in order to test the capability of the onsite and offsite organizations to cope with such problems. Furthermore, licensees have prepared Y2K contingency plans with respect to emergency preparedness implementation. The NRC will be reviewing the implementation of these contingency plans. Accordingly, the NRC does not believe that NIRS' proposed rule is necessary to provide reasonable assurance of emergency preparedness capabilities at nuclear power plants Finally, with respect to the NIRS' petition for a rule requiring an attemative source of emergency power, the NRC has determined that sufficient redundant backup power sources are currently present at nuclear power plant facilities because of existing requirements with respect to loss of offsite power and station blackout. Redundant power sources are not necessary at other facilities which are the subject of NIRS' petition, either because such power b

l-Honorable J. M. Inhofe is not required to shutdown and maintain the plants in a safe condition, or because adequate measures are already in place to address loss of power (primarily related to security and safeguards).

Sincerely, Dennis K. Rathbun, Director Office of Congressional Affairs

Enclosures:

1.

FederalRegisterNotice 50-65 2.

FederalRegisterNotice 50-66 3.

FederalRegister Notice 50-67 cc w/ encl: Senator Bob Graham i

e

\\

.

Retrieved from "https://kanterella.com/w/index.php?title=ML20211E969&oldid=4009820"