Millennium Short Circuit: The Y2K Effect on Energy Utilities
May 14, 1998
Madam Chairwoman, members of the Subcommittee, I am pleased to be here today to describe how the U.S. Nuclear Regulatory Commission (NRC) is responding to the Year 2000 computer problem for operating nuclear power plants. Our efforts can be divided into three basic areas; our actions within NRC, our interactions with our licensees and the nuclear industry, and our interactions in the broader effort to address the issue of a reliable electrical grid.
The NRC Strategy for Addressing the Year 2000 Problem Actions Within
With respect to power reactor licensees, the NRC is working to ensure that all of our systems critical to our mission will be Year 2000 compliant so that our communications and data interfaces will function well. The one mission critical system that is directly linked to operating nuclear power plants is our Emergency Response Data System (ERDS). This application performs the communication and data transmission functions that provide near real-time data to NRC incident response personnel during declared emergencies. The NRC is currently upgrading ERDS to be Year 2000 compliant in order to maintain the same communication protocol as the current system. Once upgraded, either a 2-digit or a 4-digit date field will be accepted. The upgrade is on schedule to be completed, tested and implemented by March 4, 1999. This effort is being conducted under NRC's own Year 2000 effort and is overseen by Mr. Tony Galante, the NRC's Chief Information Officer. All of our mission-critical systems are on schedule to be Year 2000 compliant in accordance with OMB's guidelines.
NRC's Interaction With Reactor Licensees
Since 1996, NRC has been working with industry organizations to address the Year 2000 problem. After discussions with the Nuclear Energy Institute (NEI) in 1997, they agreed to take the lead to develop industry-wide guidance for addressing the Year 2000 problem at nuclear power reactors. Last November a framework document, which NRC had reviewed, was sent to all power reactor licensees by NEI. We believe that the guidance in that framework document, "Nuclear Utility Year 2000 Readiness" (NEI/NUSMG 97-07), when properly augmented and implemented, presents nuclear power plant licensees with an acceptable approach for addressing the Year 2000 problem. We will continue to work closely with other Federal agencies and industry groups, and to participate in working groups, to ensure that we stay abreast of emerging Year 2000 concerns and take appropriate action to protect public health and safety and the environment. We strongly encourage licensees to share information regarding identified remediation and implementation activities so that Year 2000 problems are identified early and addressed in a cost-effective way.
In order to obtain confirmation that licensees are effectively addressing the Year 2000 problem with regard to compliance with the terms and conditions of their licenses and the NRC regulations, the NRC is requiring that all operating nuclear power plant licensees submit a written response stating how they plan to address the Year 2000 problem. The written response is required by a Generic Letter issued on May 11, 1998, which has been developed and refined over the past six months.
A copy of that Generic Letter is being provided for the record (available at http://www.nrc.gov/NRC/NEWS/year2000.html). This Generic Letter refers to the NEI guidance document (NEI/NUSMG 97-07) as an example of an acceptable approach for addressing the Year 2000 issue at nuclear power plants.
By the middle of August 1998, the initial written response to the Generic Letter is due. In that response, nuclear power plant licensees should indicate whether they are pursuing a Year 2000 program based on the NEI program or a different program. Licensees, who elect to use a different program, are required to present a brief description of the program that they are using to ensure that the computer systems at their facilities will be ready for the Year 2000. In addition, all operating nuclear power plants are required to submit a written response no later than July 1, 1999, confirming that the facility is or will be Year 2000 ready by the Year 2000. If their program is incomplete as of July 1, 1999, their response must contain a status report, including completion schedules, of work remaining to be done to confirm their facility will be Year 2000 ready.
In addition to the written responses, we plan to conduct inspections, on a sampling basis, to assess licensee preparedness for the Year 2000. Any Year 2000 program used at a nuclear facility must be tailored to meet the specific needs and requirements of that facility and should, in general, comprise the following phases: awareness, assessment, remediation, validation, and implementation. Completion of the Year 2000 program means that the licensee has attained the program objectives; these could range from all computer systems and applications, including embedded systems, being Year 2000 compliant, to some being Year 2000 compliant and the remaining retired or having permanent and/or temporary compensatory measures in place.
Bounding the Year 2000 Concern for Nuclear Power Plants
The potential impact of the Year 2000 problem on nuclear power plants varies with the types of computer systems in use. Licensees rely upon (1) software to schedule maintenance and technical specification surveillance, (2) programmable logic controllers and other commercial off-the-shelf software and hardware, (3) digital process control systems, such as a feedwater control or valve control, (4) digital systems for collecting operating data, and (5) digital systems to monitor post-accident plant conditions.
In addition to the reporting requirements in the Generic Letter, NRC regulations (10 CFR Part 21, 10 CFR 50.72, and 10 CFR 50.73) also require licensees to notify the NRC of significant deficiencies, significant non-conformances, and failures, such as some of those which could result from the Year 2000 problem in safety-related systems. To date, the NRC staff has not identified or received notification from licensees or vendors that a Year 2000 problem exists with safety-related initiation and actuation systems. However, problems have been identified in non-safety, but important, computer-based systems. Such systems, primarily databases and data collection processes necessary to satisfy license conditions, technical specifications, and NRC regulations that are date driven, may need to be modified for Year 2000 compliance.
Some examples of systems and computer equipment that are most likely to be affected by Year 2000 problems follow:
- Plant security computers
- Plant process systems (data scan, log, and alarm and safety parameter
display system computers)
- Radiation monitoring systems
Because of the limited time remaining in which to address the problem, the majority of the program remediation, validation, and implementation activities should be completed at a facility by mid -1999, leaving only a few such activities scheduled for the third and fourth quarters of 1999. In addition, we recognize that despite every reasonable effort by licensees to identify and correct Year 2000 computer system problems at their facilities, some software, applications, equipment, and systems may remain susceptible to the problem. Additionally, software, data, and systems external to the facility could potentially affect the facility adversely. Therefore, to ensure continued safe operation of the facility into the Year 2000 and beyond, licensees should formulate contingency plans for affected systems and equipment. The concept of Year 2000 readiness includes the planning, development, and implementation of appropriate contingency plans or compensatory actions for items that are not expected to be Year 2000 compliant or ready and to address the possible impact that unrecognized problems may have on safe plant operation.
Interactions with the Nuclear Power Industry
NRC has been actively involved with the nuclear industry in addressing the Year 2000 problem and we are reasonably encouraged by the industry's efforts. We expect continuation of this effort in the response to the Generic Letter that I mentioned earlier.
To ensure that senior level management at nuclear power plant licensees were aware of the Year 2000 problem, the first industry-wide NRC action was to issue Information Notice (IN) 96-70, "Year 2000 Effect on Computer System Software," on December 24, 1996. In that Information Notice, the NRC staff described the potential problems that nuclear power plant computer systems and software may encounter as a result of the change to the new century. The NRC staff also encouraged licensees to examine their uses of computer systems and software well before the turn of the century and suggested that licensees consider appropriate actions for examining and evaluating their computer systems for Year 2000 vulnerabilities.
At the Nuclear Utilities Software Management Group (NUSMG) Year 2000 Workshop, an industry workshop held in July 1997, selected nuclear power plant licensees described their Year 2000 programs and gave examples of areas in which they had addressed Year 2000 issues in order to ensure the safety and operability of their plants on and after January 1, 2000. Some of the issues discussed were (1) the evaluation of the impact of the Year 2000 problem on plant equipment, (2) the assessment process involved in the identification of components, vendors, and interfaces, (3) the development of Year 2000 testing strategies, and (4) the identification of budget needs to address the Year 2000 problem.
In August 1997, the NRC staff incorporated recognition of the Year 2000 concern in the updated Standard Review Plan, NUREG-0800, Chapter 7, "Instrumentation and Control." This document provides guidance to the NRC staff's reviewer of computer-based instrumentation and control systems to ensure the Year 2000 issue was addressed in new systems or modifications being proposed by licensees.
Also in August 1997, the Nuclear Energy Institute (NEI) met with NUSMG and nuclear plant utility representatives to formulate an industry-wide plan to address the Year 2000 issue. On October 7, 1997, representatives of NEI and NUSMG met with the NRC staff to discuss the actions NEI was taking to help utilities make their plants "Year 2000 ready." NEI presented the framework document discussed earlier. That document makes a distinction in terminology between "Year 2000 ready" and "Year 2000 compliant." "Year 2000 compliant" is defined as computer systems or applications that accurately process date/time data (including but not limited to calculating, comparing, and sequencing) from, into, and between the 20th and 21st centuries, the years 1999 and 2000, and leap-year calculations. "Year 2000 ready" is defined as a computer system or application that has been determined to be suitable for continued use into the year 2000 even though the computer system or application is not fully Year 2000 compliant.
NEI/NUSMG issued the framework document to all licensees in November 1997. The document recommends methods for nuclear utilities to attain Year 2000 readiness and thereby ensure that their facilities remain safe and continue to operate within the requirements of their license. The scope of the document includes software, or software-based systems or interfaces, whose failure (due to the Year 2000 problem) would (1) prevent the performance of the safety function of a structure, system, or component or (2) degrade, impair, or prevent compliance with the nuclear facility license and NRC regulations. After reviewing the document, the NRC has endorsed this document as an acceptable approach for dealing with the Year 2000 problem at nuclear power plants.
NEI/NUSMG 97-07 also suggests a strategy for developing and implementing a Year 2000 program for nuclear utilities. The strategy recognizes management, implementation, quality assurance (QA) measures, regulatory considerations, and documentation as the fundamental elements of a successful Year 2000 project. The document contains examples of strategies that licensees are currently using and also recommends that the Year 2000 program be administered through standard project management techniques.
The recommended components for management planning are (1) management awareness, (2) sponsorship, (3) project leadership, (4) project objectives, (5) the project management team, (6) the management plan, (7) project reports, (8) interfaces, (9) resources, (10) oversight, and (11) quality assurance. The suggested phases of implementation are awareness, initial assessment (which includes inventory, categorization, classification, prioritization, and analysis of initial assessment), detailed assessment (including vendor evaluation, utility-owned or utility-supported software evaluation, interface evaluation, and remedial planning), remediation, Year 2000 testing and validation, and notification.
The QA measures specified in NEI/NUSMG 97-07 apply to project management QA and implementation QA. Regulatory considerations include the performance of appropriate reviews, reporting requirements, and documentation. Documentation of Year 2000 program activities and results includes documentation requirements, project management documentation, vendor documentation, inventory lists, checklists for initial and detailed assessments, and record retention. NEI/NUSMG 97-07 also contains examples of various plans and checklists as appendices, which may be used or modified to meet the licensee's specific needs and/or requirements.
It should be recognized that NEI/NUSMG 97-07 is programmatic and does not fully address all the elements of a comprehensive Year 2000 program. In particular, augmented guidance in the area of risk management, business continuity and contingency planning, and remediation of embedded systems is needed to fully address some Year 2000 issues that may arise in licensee program implementation. The NRC staff believes that the guidance in NEI/NUSMG 97-07, when properly augmented and implemented, presents an example of one approach for licensees when addressing the Year 2000 problem at nuclear power plant facilities.
The Nuclear Regulatory Commission's Role For Electrical Grids
Although the primary focus with our licensees has been on public health and safety related to reactor operations, we recognize the concern that the Year 2000 problem may potentially affect the reliability of electrical grids. Our regulatory focus in electrical grid reliability primarily relates to the challenges to plant safety systems that might occur as a result of a transient on the electrical grid, such as a loss of offsite power. Nuclear power reactors have two independent sources of offsite power and are designed to safely shut down if a loss of all offsite power were to occur. In the event of a loss of offsite power, onsite electric power systems provide adequate electrical power to safely shutdown and cool down the reactors. As you know, NRC's regulatory oversight and authority does not extend to the offsite electrical grid system.
Notwithstanding our regulatory limits, we recognize the national importance of a broader focus that helps ensure that potential concerns with electrical grid reliability are identified and resolved. We support the efforts of the President's Council on Year 2000 Conversion and are members of the Energy Working Group. We are working closely with representatives from the Federal Energy Regulatory Commission and the Department of Energy to give assistance with, and share information on, potential problems associated with the Year 2000.
The NRC and the nuclear power industry are addressing the Year 2000 computer problem in a thorough and deliberate manner. To date, we have not identified or received notification from licensees or vendors that a Year 2000 problem exists with safety-related initiation and actuation systems. Further, we believe that we have, through Generic Letter 98-01 and the planned follow-up inspections, established a framework that appropriately assures us that the Year 2000 problem will not have an adverse impact on the ability of a nuclear power plant to safely operate or shut down. We recognize the importance of maintaining a reliable electrical grid and will continue to work with the President's Council on Year 2000 Conversion Energy Working Group, the Federal Energy Regulatory Commission, and the Department of Energy to give assistance and share information regarding potential problems associated with the coming of the Year 2000.
We look forward to working with the Subcommittee and welcome your questions.