Text

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ - _ _ _ _-_-_____ _ -_ -

Revision 0 (08/13/1998)

Y2K READINESS AUDIT PLAN Preamble The objectives of this audit are:

(1) To assess the effectiveness of licensee programs for achieving Y2K readiness and in addressing compliance with the terms and conditions of their license and NRC regulations and continued safe operation.

(2) To evaluate program implementation activities to assure that licensees are on schedule to achieve Y2K readiness in accordance with GL 98-01 guidelines.

(3) To assess the licensee contingency planning for addressing risks associated with events resulting from Y2K problems.

This audit shouldinclude review of relevant documentation, andinterviews with selected utility personnel. Examples of relevant documentation are: facility specific Y2K program plan, assesstnent plan, inventory listing / database (including possibly separate inventories of embedded systems), project tracking, reviews and evaluations of regulatory considerations including 10 CFR 50.59 changes, QA procedures related to Y2K program, etc. If possible, include direct observation of testing and validation methodology.

Document Review - Thorough familiarization with the following is requiredprior to the audit,

a. Generic Letter 98-01

b. Licensee Response (s) to GL 98-01

c. License terms and conditions

d. NEl/NUSMG 97-07, " Nuclear Utility Year 2000 Readiness" Additionally, the review shouldinclude the following:

a. TechnicalSpecifications

b. 10CFR50.36, " Technical Specifications," paragraph (c)(3), Surveillance requirements," paragraph (c)(5), " Administrative controls."

c. 10CFR50.47, " Emergency Plans," paragraph (b)(8)

d. 10CFR50.59, " Changes, tests and experiments"

e. 10CFR50 Appendix B Criterion Ill, " Design Control"

! f. 10CFR50 Appendix B Criterion XVil, " Quality Assurance Records"

g. 10CFR50 Appendix E, " Emergency Response Data System"

h. 10CFR50 Appendix A GeneralDesign Criterion (GDC) 13, " Instrumentation and Control"

1. 10CFR50 Appendix A GDC 17, " Electric power systems" J. 10CFR50 Appendix A GDC 19, "Controlroom"

(

9008170176 980813 PDR ORG NRRA L

g O

2

k. 10CFRSO Appendix A GDC 23, " Protection system failure modes"

l. Standard Review Plan Chapter 7, r.,ecially Branch Technical Position 14

m. NRC Inspection Manual Chapter 0330: Guidance for Review of Licensee Draft Documents

n. NRC Inspection Noanual Chapter 0620: Inspection Documents and Records

o. NRC Inspection Manual Chapter 0610: Inspection Reports

p. Response to Questionnaire Relating to Draft Tl on Y2K Readiness of Computer Systems at Nuclear Power Plants

q. NEl/NUSMG 98-07, " Nuclear Utility Year 2000 Readiness Contingency Planning" Year 2000 Computing Crisis: An Assessment Guide, GAO/AIMD-10.1.14, September 1997

s. Year 2000 Computing Crisis: Business Continuity and Contingency Planning, Exposure Draft, GAO/AIMD-10.1.19, March 1998

t. Year 2000 Computing Crisis: A Testing Guide, Exposure Draft, GAO/AIMD-10.1.21, June 1998 A. Pre-Visit Activities

1. Through the Project Manager in coordination with the resident inspector, let the licensee know of the site audit visit 3 to 4 weeks in advance of the visit.

2. Obtain a copy of the licensee's Y2K Readiness Plan and an organization chart showing the Y2K Project alignment. Obtain the name of the Y2K project manager.

3. Based on the Resident inspector's response to the Y2K questionnaire, identify the stage of the implementation of the plan. Make a list of documents, per the licensee's plan, which have been completed. ( For example, if initial assessment has been completed, the inventory list showing the item, its classification and prioritization, should also have been completed.) Select the documents that would be reviewed during the audit at the site.

4. Review the plan, and form an outline of the areas that you would focus on during the site audit.

5. Inform the licensee of the documents that you plan to review, and the project staff you would like to meet. Convey to the licensee that you would like to have a presentation of the plant's Y2K program on the first day of the visit as part of the entrance meeting.

B. Site Visit Activities DAY 1 f 1. At the entrance meeting, convey to the licensee that the intent of the visit is to see I how well the plant-specific Y2K readiness program is being implemented and whether it will meet its main objective of making the plant Y2K ready on schedule. The audit will l

l

e 3

focus on those areas affecting safety (safety-related computer systems) first.

Subsequently, the remainder of the Y2K readiness program will be assessed for those areas important to plant operation but not directly affecting safety. Systems to consider include the security computer, emergency response (data collection and communication) systems, radiation monitoring systems, surveillance tracking systems, and process controls (feedwater, turbine, power).

2. Use information obtained from licensee's presentation, along with your understanding of the plant-specific plan, as a means of gaining a good understanding of the licensee's program. Conduct discussions with the licensee's program staff on specific aspects requiring additional detail. The idea is to get a good understanding of the licensee Y2K program and its implementation. Discuss management; QA, resources, and schedules.

Remember, it is based on this that you would flesh out the detailed audit that you had outlined during your pre-visit activities.

(These activities, plus access to site, would probably take all of the first day.)

DAY 2, 3 & 4 The licensee's facility specific N 2X program was developed based on the guidance in NEl/NUSMG 97-07. NEl/NUSMG 97-07 suggests a five phase approach to ensure that a licensees plant continues to operate safely and within the requirements of their license and NRC regulations. The status of the implementation of these phases and schedules for remaining activities, including planning and coordination of Y2K-related work during currently planned outages, should be examined against the July 1,1999 Y2K readiness date in GL 98-01. The allocation of funds and resources for completion of the phases should also be reviewed.

The scope of systems described in the licensee's Y2K program should include an inventory and assessment of software-based systems and equipment necessary for plant safety and operation, and to satisfy license conditions, technical specifications, and NRC regulations.

It should be confirmed that the inventory and assessment has included a review of embedded software systems. Inventory / assessment should also include testing and calibration equipment, spares and interfaces. The program plan should provide appropr. ate emphasis and priority on safety-related systems / components and systems required for iafe operation at the initial and detailed assessment stages.

l Methods for assessing Y2K susceptibility should be examined. Verify that appropriate bases (e.g. testing, knowledge-based decisions, testing of the same system by others, use of a tool to evaluate code, vendor certified information, code inspections, and engineering analysis) are provided for Y2K readiness and Y2K compliance as identified by the facility specific program objectives. { NOTE: Where the licensee relies on data and information provided by others for the bases, including vendors, care should be taken to check that the licensee's program has steps as appropriate for assessing and validating the information.}

Further, when compensatory measures or " work arounds" are identified for achieving Y2K readiness, they should be evaluated for their appropriateness. [ NOTE; When

\

Q 4

compensatory measures are used, they should be addressed in related contingency plans.

They should also be identified, as part of the program, in longer-term maintenance or corrective actions to maintain the system, device, or application Y2K ready.}

Testing and validation is performed as part of the implementation process. There are several critical dates that should be considered in the determination of Y2K readiness or compliance as follows:

September 9,1999, 09/09/99 December 31,1999, 12/31/99 January 1, 2000, 01/01/00 February 28,2000, 02/28/00 February 29,2000, 02/29/00 {'

March 1, 2000, 03/01/00 i

in addition to the information provided in NEl/NUSMG 97-07, contingency planning should be addressed in detail. Contingency actions to be taken in the event that unanticipated occurrences or malfunctions occur should be reviewed against the potential concerns identified in the Y2K program. In addition, it should be confirmed that certain, high-priority contingency plans, identified by the facility-specific contingency planning, have been established, for example for ensuring adequate emergency diesel fuel oil to cope with a possible extended loss of offsite power, augmentation of staffing, alternative means of l

emergency communication and post-accident data collection are available, alternative '

means of controlling access to vital areas is provided, and provisions to minimize the probability of losing electric power from the grid are available in the event of a nuclear power plant shutdown. It can be anticipated that many licensees will not have completed or even addressed contingency planning at this stage of their program. However, contingency planning should clearly be incorporated in the facility-specific Y2K program plan. Licensee programs may reference NEl/NUSMG 98-07 or GAO/AIMD-10.1.19 as a basis for contingency planning.

The licensee's review of their regulatory compliance should include a dete mination of the need for changes to the licensing basis, technical specifications, licensing commitments, and plant safety analysis report. ,

C. Conclusion of Site Activities l

Plan to have an exit meeting with the Y2K project manager. Discuss, in general terms, the review you had done of the facility specific Y2K program, and in particular, any open items that were identified to conclude your audit. Mutually agree upon an avenue to resolve j these open items so that you can close out the audit.

j l

i