Text

.

2 u

• a.............o...

g#" *$,, RELEASED TO THE PDR g Cfb

"% ********enesee3..e....,,

POLICY ISSUE (Information)

September 24, 1997 SECY-97-213 EQB: The Commissioners FROM A. J. Galante Chief Information Officer

SUBJECT:

YEAR 2000 COMPUTER ISSUE PURPOSE:

To inform the Commission of the agency's efforts to manage the Year 2000 computer problem.

BACKGROUND:

l The Year 2000 computer problem is a seemingly simple one: assuring that computers will l recognize a correct date of January 1,2000 and beyond. The problem results from computer

} hardware or software that uses two-digit fields to recognize the year. If the problem is not l corrected, systems will fail to recognize the change in century and will misread "00" for the Year l 2000 as 1900, if affected components are not altered to handle the date, there is a risk that l these systems will fail to function property. .

I The issue continues to receive a great deal of attention from the Congress, the press, and other interested groups. On April 29,1996; January 14,1997; March 26,1997; and May 20,1997; NRC received Congressionalinquires on this subject. The Chief Information Officer (CIO)

Council, formed as a result of the Clinger-Cohen Act of 1996 (formerly known as the Information Technology Management Reform Act of 1996), has discussed the Year 2000 issue at each of its monthly meetings since its formation in August 1996. Agency Clos are providing leadership and direction to ensure that work is done to correct the Year 2000 problem within the Federal Govemment.

Unfortunately, the Year 2000 problem is not limited to the Federal Govemment. The issue affects State and locr! govemments, firms from which NRC procures goods and services, the regulated industry, and the public. The potential effects of this issue are clearly globalin nature. U"q C4 11 - D 'i

Contact:

y- oa.> 9 Amold E. Levin, IRM SECY NOTE: To be made publicly available (301) 415-7458 in 5 working days from the date of this paper.

Eu se8P " 2a',n.tf.Q I tilliIHl2Elllll 97-213 R PDR ' '

The Commissioners t DISCUSSION:

This problem has several unique characteristics that shape the agency's strategy for solving it.

First, it has an unmovable deadline. Unlike other computer development or maintenance activities, the deadline for fixing the Year 2000 problem is not set admir:lstratively, but by the problem itself. Repairs must therefore be fully implemented and tested by December 31,1999.

This characteristic makes time the single most critical resource.

Second, unlike a normal system development or maintenance activity, many systems must be worked on concurrently. Comparisons and computations using dates permeate practically all computer systems within the Federal Govemment, State and local govemments, and in the private sector. Thera is thus a real potential for substantial strain on another key resource-expertise.

Third, complexity is increased by concurrent changes to multiple systems and elements within a system (e.g., the operating system). Because computer systems inter-operate and share data, the modified systems must be tested together. Furthermore, all of these changes must be made and tested while the current systems continue to operate.

The Year 2000 problem potentially affects the NRC in the fellowing three areas of information systems development or use:

(1) systems developed by NRC staff or its contractors to support the agency's information system requirements (2) commercial off-the-shelf hardware and software for minicompute4 microcomputer, and other agency applications (e.g., keycard access)

I (3) hardware and software (including embedded microchips) usert by the regulated industry The strategy adopted by NRC follows industry best practices that have. been broadly applied in the Federal Govemment (Year 2000 Computing Crisis: An Assessment Guide, General Accounting Office Report GAO/AIMD-10.1.14, February 1997). These best practices include five phases:

e awareness raising staff and industry awareness of the problem e assessment assessing the scope of the problem by creating an inventory of systems and deciding which ones to change, replace, or discard e renovation updating the systems that have a date problem o validation testing and validating the changed systems e implementation implementing the revised systems

4 4

l' 'The Commissioners -3.-

1 l

l The Office of Management and Budget, in consultation with the ClO Council, has set

Govemment wide milestones (Getting Federal Computers Ready for 2000, Office of j Management and Budget report dated February 6,1997) for completion of the majority of the work in the five phases. The phases, although sequential, overlap. For example, the j awareness phase continues throughout the entire process. At NRC, the majority of the work i- under the assessment phase will be completed by September 30,1997. Fudher details of the agency's program to resolve the Year 2000 issue intemally can be found in Appendix A.

t l The c.gency is also addressing the Year 2000 computer problem as it relates to our licensees, i -With respect to operating reactors, staff discussions with vendors of digital protection systems have confirmed that safety-related initiation and actuation systems are not subject to the Year

{ 2000 concem. This determination was based on the fact that computer-based, safety-related

[ initiation and actuation systems do not rely on date-driven data bases in order to perform their

[ required functions. However, non-safety-related, but important, computer-based systems may j need modification for Year 2000 compliance. Further details on the Year 2000 issue and operating nuclear power plants can be found in Appendix B.-

. Fuel cycle and materials licensees have av.nibited knowledge of the Year 2000 problem, but j they have not informed NRC of any significant problems identified or corrected to date.-

j informal staff contact with some nuclear gauge manufacturers have indicated that there will be j no Year 2000 problems. Manufacturers indicated that either the programming or

! microprocessors do not perform functions that require a 4-digit date field or they already use

[ 4-digit dates that will function correctly for dates beg!aning with the year 2000 and beyond.

j Although the results of these informal surveys are positive, there is a possibility that some other manufacturers may have a problem. Frer fuel cycle and materials licensees, the scope of the Year 2000 problem involves facility secunty, material control and accounting, and patient treatment concems. Further details on these issues can be found in Appendix C.

RESOURCES-NRC's current resource estimate to resolve the Year 2000 issue is 24.6 FTE and $7.2 million for contract support over the period FY-1996 through FY-2000. The total cost, 49.3 million (including salaries and benefits), has been reported to the Office of Management and Budget, _

and subsequently to Congress as part of the Federal Govemment's overall assecament of this issue. Both the uncertainties and the costs of resolving Year 2000 problems may rise as our invr lvement with other Federal agencies, States, contractors, vendors, and licensees increases, COORDINATION The Office of the General Counsel has reviewed this paper and has no legal objections. The Executive Director for Operations has reviewed this paper and concurs on its contents.

Additionally, the Office of the Chief Financial Officer has reviewed this commission paper for resource implications and has no objections.  ;

o .

The Commissioners '

CONCLUSION' l

The NRC is making progress in addressing the Year 2000 problem. We are well aware of the work that remains, and we are cognizant of the limited time and agency resources necessary to accomplish this work Nevertheless, we are accelerating agency activities to address this challenge, and we are confident that the problem will be solved without disruption of agency l programs.

l 1

~

t: )

A. a nte Chie formation Officer Attachments:

Appendices A-C cc: OGC OCAA OlG OPA OCA ACRS CIO CFO EDO SECY

APPENDIX A YEAR 2000 AT THE NUCLEAR REGULATORY COMMISSION  !

9 SCOPE OF THE YEAR 2000 PROBLEM AT NRC The scope of the Year 2000 problem at the NRC includes (1) both hardware and software in the l form of computer processors (mainframes, mini-computers and microcomputers, and scientific workstations), their peripheral devices (i.e., laser printers, automated scanners, etc.), and the application systems and commercial off-the shelf (COTS) software that reside on them; (2) application software at NRC data services host systems for govemmer t-wide financial and cross-service systems; (3) telecommunications systems with embedded microchips; and (4) non-data processing systems with embedded microchips (e.g., elevators and access / security systems).

STATUS OF THE YEAR 2000 PROBLEM AT NRC NRC's Year 2000 activities are aligned to conform to those outlined in the February 6,1997, Office of Management and Budget (OMB) report entitled, "Getting Federal Computers Ready for 2000." On the basis ofindustry best practices, the report defines five phases with milestone completion dates to insure a successful Year 2000 Program:

Awareness -

raising management and staff awareness of the problem -

12/96 Assessment -

determining the scope of the problem by inventorying systems and deciding which systems to change, replace, or discard - 06/97 Renovation -

making code changes to the systems to be changed -12/98 Validation -

testing the changed systems - 01/99 Implementation -

placing changed systems into production - 11/99 NRC reports on the status of these milestones to OMB under the Chairman's signature on a quarterly basis. Copies of these reports are also sent to the Subcommittee on Govemment Management, Information, and Technology, Committee on Govemment Reform and Oversight, U.S. House of Representatives.

NRC is very active in raising Awareness of the issues associated with the Year 2000 problem.

. On August 27,1996, NRC issued an intemal AUTOS Network Bulletin with interim guidance on what to look for in reviewing nationEl laboratory, private contractor, and locally developed products for the potential impact of the century change and what IRM is doing for other applications and systems.

On September 3,1996, an article on the Year 2000 software problem was published in NRC's Weekly Announcements.

NRC established an extemal Year 2000 World Wide Web site to provide links to GSA Year 2000 resource sites as well as to share information.

A-1

• NRC h:s issu:d cn inf:rmation notice to lic:ns:es informing them of the Year 2000 problem and suggesting that licensees may wish to consider what actions may be appropriate to examine and evaluate their software systems.

NRC is currently near the end of the Assessment phase of its program. ,During this phase, NRC initiated an agency-wide effort to create a complete inventory of all automated information systems and COTS software that the agency owns or share.s with other agencies. We have also established and defined three categories into which all of our systems are being placed.

They are:

Mission-Critical: any system that has a high importance related to accomplishing the NRC mission and requires a high level of reliability because any delay in access to the system for any reason could adversely affect the abil2, 'f the agency to fulfillits mission of protecting public health and safety, promoting the tommon defense and security, and protecting the environment.

Business-essential: any system that is integral to agency processes that are required to meet agency statutory, programmatic, legal, or financial obligations. Typically, the agency could function without any major impact on its operations if any of these systems malfunctioned and was unavailable for up to 3 or 4 weeks while it was being repaired.

Non-critical: any system that is not mission-critical or business-essential and whose unavailability would, therefore, only represent an inconvenience to the agency. Typically, these systems can be unavailable for extended periods (1 to 2 months or more) while they are being repaired and manual processes can be readily used in their place if need be.

The following systems have been identified by NRC offices as mission-critical:

. Emergency Response Data System (ERDS/AEOD)

+ Operation Center Information Management System (OCIMS/AEOD)

+ Emergency Telecommunication System (ETS/AEOD)

+ Sealed Source and Device Nationwide Registry (SSDR/NMSS)

. Licensing Tracking System (LTS/NMSS)

+ Ge ,eral License Database (GLDB/NMSS)

+ Agency computer systems network (AUTOS!)RM)

NRC is currently determining which systems will be classified as business-essential. These systems will have second priority with respect to renovation and validation efforts. Non-critical systems will have the lowest renovation and validation priority, in assessing the agency's microcomputer hardware, it has been determined that NRC's basic 486 PC is not Year 2000 compliant. In FY 1996 NRC began te replace these PCs with Pentium-based PCs that are Year 2000 compliant. NRC plans to be usir,s fewer than 275 486 PCS by mid-1999, and will install a software upgrade bringing them into Year 2000 compliance.

Additional information on the agency's large collection of COTS software is also being collected.

IRM will be making a reference database of COTS software available to NRC staff that will indicate whether a particular package is Year 2000 compliant and, if it is, the compliant version number. This will assist the staff in deciding if they need to upgrade their COTS software or discard it through the normal excess procedure.

A-2

The Renovation phase of NRC's program has begun with a focus on mission-critical systems.

Several systems are currently being renovated and that work will steadily increa>c as we )

approach the scheduled date for completing the renovation phase. NRC's Validation ano {

Implementation phases will be done concurrently with system renovation, and these phases are l

. following our established milestones.

ISSUES CONSIDERED MOST SIGNIFICANT l l

The most significant 't ear 2000 issue is NRC's inability to precisely determine and document the status of systems that are outside agency control. This category includes systems services provided by other Govemment agencies and systems acquired from commercial sources. Most of the services are provided by major vendors such as AT&T, Bell Atlantic, Microsoft, and IBM.

We are confident that these providers will correct any Year 2000 problems in such a manner as to prevent interruption of the business functions of their customers.

STRATEGY FOR DEALING WITH THE PROBLEM NRC has created a Year 2000 Program to organize and resolve allissues associated with the Year 2000 problem. A Program Manager has been appointed who has overall responsibility for NRC's Year 2000 Program and reports directly to the NRC Chief Information Officer (CIO). The CIO reports to the Cha rman of the Commission.

l Although the Office of liformation Resources Management (IRM) has the overall lead for the l agency, all offices and regions must actively participate in addressing the Year 2000 effort. IRM is responsible for assossing and correcting the Year 2000 problem for software that it supports.

IRM also is responsible for providing advice and consultation assistance to offices and regions in addressing computer systems for which those organizations have lead responsibility. To keep NRC staff up to date on this effon, IRM posts Year 200v-related news and links on the agency's World Wide Web Server, and maintains a list containing the names and e-mail addresses of individuals working on Year 2000 issues.

Intemal accountability for performance of Year 2000 activities is being assured through continuous monitoring of all office activities against established milestones. A Year 2000 point of contact (POC) has been established for every office within the agency. POCs provide close coordination of their Year 2000 activities with the Year 2000 Program Manager. Beginning with October 1997, office directors will send progress reports to the Year 2000 Program Manager on a monthly basis. These reports will show the status of Year 2000 efforts in their office and will be used to update a central Year 2000 inventory System database.

Offices and regions have lead responsibility for assessing and correcting the Year 2000 problem for computer systems that they developed and that they maintain. IRM is working with offices and regions that purchased commercial off-the-shelf software (COTS) packages that are not supported on an agency-wide basis to determine who will assume lead responsibility.

! A-3 t

Progress reports will be reviewed continuously by the Year 2000 Program Manager, and deviations from established schedules will be reported to the CIO. If any such deviations are reported, the CIO will discuss them with the managers who are responsible for the systems. As part of this discussion, the CIO will determine the remedial actions to be taken. The CIO will periodically brief the Chairman, the Executive Director for Operations, and the Chief Financial Officer of the NRC on any schedule deviations and the status of any remedial actions taken.

NRC YEAR 2000 CONTACT: Amold E. (Moe) Levin 301 415-7458 l

l i

A-4 ,

APPENDIX D 1

I YEAR 2000 AND OPERATING NUCLEAR POWER PLANTS SCOPE OF THE YEAR 2000 PROBLEM AT OPERATING NUCLEAR POWER PLANTS Discussions with vendors of digital protection systems Westinghouse, General Electric, Combustion Engineering, Foxboro, Allen Bradley, and Frematome/ Babcock & Wilcox confirmed the staffs determination that safety related initiation and actuation systems (e.g., reactor trip system, engineered safety feature actuation system) are not subject to the Year 2000 concem.

This determination was based on the fact that computer-based safety-related initiation and actuation systems do not rely on date-driven databases in order to perform their required functions. However, non-safety-related, but important, computer-based systems, primarily databases and data collection necessary for plant operations that are date driven, may need modification for Year 2000 compliance. Examples of systems that may be affected by Year 2000 problems are:

. security computers e

plant process (data scan, log, and alarm)/ Safety parameter display system computers e

emergency response systems e

radiation monitoring systems dosimeters / readers

. plant simulators

. engineering programs

. communication systems e

inventory control system technical specification surveillance tracking system l It should be noted that design deficiencies and nonconformances in computer systems resulting from the Year 2000 concem are subject to the existing requirements for reporting under 10 CFR Part 21 and 10 CFR Part 50.72 and 50.73 for those systems within the scope of these rgulations.

STATUS OF THE YEAR 2000 PROBLEM AT OPERATING NUCLEAR POWER PLANTS Licensees of operating nuclear plants are aware of the Year 2000 issue. Based on discussions with the Nuclear Energy Institute (NEI), it is the staffs understanding that all licensees have initiated plans and actions to address the issue as it relates to the computer systems at their facilities.

On December 24,1996, NRC issued Information Notice 96-70, " Year 2000 Effect on Computer System Software," to alert NRC licensees, certificate holders, and registrants of the potential problems their computer systems and software may encounter as a result of the change to the new century. The information notice (lN) contained a discussion of how the Year 2000 issue may affect NRC licensees. The IN also contain information on the means to facilitate exchange of information among licensees, NRC, and the public via the NRC's World Wide Web server (www.nrc. gov). The IN encouraged licensees to designate a point of contact, examine their uses of computer systems and software well before the tum of the century and suggested that B-1

licensees consid:r cetions cppropriato to cxrmin) cnd cv:lurt3 thtir computir systrms r:l:tsd

, to the Year 2000 issue.

NRR has incorporated guidance on recognition of the Year 2000 issue in the updated Standard l Review Plan, NUREG-0800, Chapter 7, " Instrumentation and Cor. trol," which was issued in August 1997.

The Nuclear Utilities Software Management Group (NUSMG) held a Year 2000 workshop in July 1997 to identify, present, and discuss the approaches being taken by the nuclear industry related to the Year 2000 issue. There were 67 attendees representing 35 operating nuclear utilities, NEl, EPRI, NRC, and three vendors. The Year 2000 issue will be discussed at the NUSMG Semiannual Meeting in November 1997.

NEl met with nuclear plant utility representatives in August 1997 to formulate an industry-wide plan to address the Year 2000 issue. NEl plans to present the status of this work to the NRC in early October 1997.

The level of activities by the licensees in addressing the Year 2000 problem at their facilities varies considerably. At the NUSMG Year 2000 workshop held in July 1997, some licensees presented their ongoing and planned efforts in addressing the Year 2000 problem at their facilities. Some of these efforts appear to be comprehensive at addressing the Year 2000 problem. However, the status of actions being taken or planned industry-wide by nuclear power plant licensees is not clear at present.

i ISSUES CONSIDERED MOST SIGNIFICANT The significance of the Year 2000 problems at operating nuclear plants will vary from plant to plant, depending on the computer applications that are affected by the Year 2000 change and its consequences. Although the staff believes that safety-related safe shutdown systems will function as intended, nevertheless, in the worst case, the staff can hypothesize a scenario

. involving a potential common-mode failure to several non-safety-related, but important, computer-based systems necessary for plant operation that could significantly challenge the plant staff, e.g., a licensee could be faced with a plant trip as a result of a Year 2000 problem which results in the loss of offsite power and subsequent complications in tracking post-shutdown plant status and recovery due to a loss of emergency data collection and communications systems. Note that even under such a scenario, plant operators are trained to use their symptom-based emergency procedures and safety-related-post accident monitoring parameter indications to maintain safe plant shutdown conditions.

STRATEGY FOR DEALING WITH THE PROBLEM Because of the concems involving a potential common-mode failure type of event, as discussed previously, and since the Year 2000 problem has the potential to affect any computer system, including hardware that is microprocessor-based (embedded software), software, and data bases at nuclear power plants, the most effective strategy for the NRC would be to confirm implementation of an industry-wide effort, such as the one being planned by NEl.

In order to facJ. tate this action, the staff is considering a request for information pursuant to 10 CFR 50.54(f) to licensees of operating plants requesting designation of a point of contact, and a description of the programs planned or implemented to ensure Year 2000 compliance B-2

_ _ _ _ _ _ _ ~

cnd th:Ir schIdul:s. This requ:st would csk for confirmation of cny pt:n being impl: ment 2d -

. once the staff agrees that it sufficiently addresses the issue. Such an information request can be issued by the end of calendar year 1997. Meanwhile, the staff will work with NEl to generically address the Year 2000 issue. Whether the staff needs to take regulatory actions j under 10 CFR 50.54(f) will be determined by the results of its interaction with NEl. I NRR YEAR 2000 CONTACT: Jared S. Wermiel 301-415-2821 5

B-3

APPENDIX C l YEAR 2000 AND FUEL CYCLE AND MATERIALS LICENSEES 1

SCOPE OF WlE YEAR 2000 PROBLEM FOR FUEL CYCLE AND MATERIALS LICENSEES For fuel cycle and materials licensees, ita scope of the Year 2000 potential problem involves security concems, such as perimeter and other alarm systems that are computer controlled; material control and accounting concems, such as automatic data systems that track inventories within the facility and record materials leaving the facility; and patient treatment concems, such as calibration and treatment planning on equipment used for diagnostic and therapeutic medical applications, e.g., in hospitals and clinics.

STATUS OF THE YEAR 2000 PROBLEM FOR FUEL CYCLE AND MATERIALS LICENSEES Most of the information conceming the current state of knowledge and activities by licensees has been gathered through informal means.

Fuel cycle licensees know about the Year 2000 problem, but they have not informed NRC of any significant problems that they have identified or corrected to date, i

informal contacts with several (approximately seven) large and small nuclear gauge manufacturers have revealed that they will have no Year 2000 problems. Most manufacturers

, indicated that either the programming or microprocessors do not perform functions that require

! a 4-digit date field or they already use 4-digit dates that will function correctly after the year 2000. Although the responses to these informal surveys have been positive, the possibility exists that some other manufacturers may have problems. ,

An informal conversation with an instructor of users of high-dose-rate (HDR) remote after-loading machines (used in medical brachytherapy therapeutic treatments) revealed that one manufacturer of HDR units, Nucletron, has already addressed the Year 2000 problem.

Specifically, the treatment planning and source decay software utilize a 4-digit date field.

ISSUES CONSIDERED MOST SIGNIFICANT Although each of the concems noted above is important, we consider that the most significant concems are those related to patient treatment. In this area, a large number of users of radioactive materials for medical diagnosis and treatment are involved, as well as a number of manufacturers of medical diagnostic and therapeutic equipment that contains computerized measurement and recording devices. The potentialimpact of failure of these devices due to Year 2000 problem is large, based on their widespread use throughout the country in hospitals and clinics.

C-1

STRATE 2Y FOR DEALING WITH THE PROILEM Beginning in November 1996, NMSS has moved forward to alert licensees to the Year 2000

. concems and to emphasize their potential safety significance. On December 24,1996, NMSS

. and NRR issued NRC Information Notice 96 70, " Year 2000 Effect on Computer System Software," which provided licensees, certificate holders, and registrants with background information on the Year 2000 problem and urged them to take appropriate action. Names and phone numbers of technical contacts were provided, along with brief instructions on using the NRC's World Wide Web page to obtain additional information. Also, licensees were encouraged to post questions, problems identified, and solutions on a NRC maintained list

- server Letters were also sent to nine professional organizations with copies of the information notice, asking the organizations to make the information available to their members, in July 1997, NMSS incorporated an inspection item on the Year 2000 issue into pilot inspection l Procedure 87115, " Nuclear Medicine Programs." As other inspection precedures on licensed materials programs are updated, this item will also be incorporated. This activity is expected to be completed in early 1998.

In addition, the June / July 1997 issue of the NMSS Licensee Newsletterincluded an article on p and a copy of the June 25,1997, letter from the U.S. Food and Drug Administration (FDA) to medical device manufacturers which alerted them to the fact that some computer systems and ,

software applications, including microprocessors may be affected by the Year 2000 problem.

The FDA letter also mentioned that computer-controlled design, production, or quality control processes could be adversely affected. Medical device manufacturers were reminded of their responsibilities with respect to device performance and encouraged to conduct hazard and safety analyses to determine Year 2000 compliance. On August 6,1997, NMSS issued NRC Information Notice 97-61, "U.S. Department of Health and Human Services Letter to Medical Device Manufacturers," on the Year 2006 problem. This information notice was sent to all NRC medical licensees, and to veterinarians and manufacturers / distributors of medical devices, providing them cop!es of the FDA June 25 letter and providing them with the FDA's point of contact for information. No specific action or response on the part of licensees was required by this information notice.

More recently, to obtain additional information on the activities of materials, medical, and fuel cycle licensees, NMSS is implementing the following plan. A meeting of NMSS divisions was held to determine the extent of current knowledge of licensee activities and how to best acquire additional information on licensee activities. NMSS will begin, shortly, with the assistance of an .

Individual from the Office of Nuclear Regulatory Research, to assess the status of selected ;

licensees' activities for dealing with the Year 2000 problem and to note any problems identified through the licensees' efforts. A list of generic questions (questionnaire) is being developed that will be used for the assessment. The first such visit will be to a large broad-scope materials licensee. Subsequently, NMSS will assess the feedback from that visit, and adjust our approach, if necessary. Other licensees to be contacted may include the National institutes -

of Standards Technology (NIST), one of the gaseous diffusion plants, and a fuel manufacturer.

Following the evaluation of licensee responses to the questionnaire, NMSS will assess the need to issue more information notices or to take other actions, as appropriate.

In addition, NMSS is identifying vendors of medical devices to ascertain what actions they have taken or plan to take in regard to the Year 2000 problem.

C-2

1 l

The main f:cus of our activiti2s in tho nrar 1:rm will be to s:nsitize licensus to tha Yctr 2000

. , problem, to gain an understanding of any safety and safeguards problems identified by the

licensees, and to share that information with the industry,

NMSS YEAR 2000 CONTACT

John J. Surmeier 3 301 415-7823 1

J 4

1 J

Y 1

a r

4 3

i E

C-3 w.-_