YEAR 2000 READINESS OF COMPUTER SYSTEMS AT NUCLEAR POWER PLANTS (GENERIC LETTER NO. 98-01)
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
WASHINGTON, D.C. 20555-0001
May 11, 1998
|NRC GENERIC LETTER NO. 98-01:||YEAR 2000 READINESS OF COMPUTER SYSTEMS AT NUCLEAR POWER PLANTS|
All holders of operating licenses for nuclear power plants, except those who have permanently ceased operations and have certified that fuel has been permanently removed from the reactor vessel.
The U.S. Nuclear Regulatory Commission NRC is issuing this generic letter to require that all addressees provide the following information regarding their programs, planned or implemented, to address the year 2000 (Y2K) problem in computer systems at their facilities: (1) written confirmation of implementation of the programs and (2) written certification that the facilities are Y2K ready with regard to compliance with the terms and conditions of their licenses and NRC regulations.
Description of Circumstances
Simply stated, the Y2K computer problem pertains to the potential for date-related problems that may be experienced by a system or an application. These problems include not representing the year properly, not recognizing leap years, and improper date calculations. An example of a date-related problem is the potential misreading of "00" as the year 1900 rather than 2000. These problems can result in the inability of computer systems to function properly by providing erroneous data or failing to operate at all. The Y2K problem has the potential of interfering with the proper operation of computer systems, hardware that is microprocessor-based (embedded software), and software or databases relied upon at nuclear power plants. Consequently, the Y2K problem could result in a plant trip and subsequent complications on tracking post-shutdown plant status and recovery due to a loss of emergency data collection.
The Y2K problem is urgent because it has a fixed deadline. It requires priority attention because of the limited time remaining, the uncertain risk that the problem presents, the technical challenges presented, and the scarcity of resources available to correct the problem.
Existing reporting requirements under 10 CFR Part 21, 10 CFR 50.72, and 10 CFR 50.73 provide for notification to the NRC staff of deficiencies and non-conformances, and failures, such as some of those which could result from the Y2K problem in safety-related systems. To date, the NRC staff has not identified or received notification from licensees or vendors that a Y2K problem exists with safety-related initiation and actuation systems. However, problems have been identified in non-safety, but important, computer-based systems. Such systems, primarily databases and data collection processes necessary to satisfy license conditions, technical specifications, and NRC regulations that are date driven, may need to be modified for Y2K compliance.
Some examples of systems and computer equipment that may be affected by Y2K problems follow:
- Security computers
- Plant process (data scan, log, and alarm and safety parameter display system) computers
- Radiation monitoring systems
- Dosimeters and readers
- Plant simulators
- Engineering programs
- Communication systems
- Inventory control systems
- Surveillance and maintenance tracking systems
- Control systems
To alert nuclear power plant licensees to the Y2K problem, the NRC issued Information Notice (IN) 96-70, "Year 2000 Effect on Computer System Software," on December 24, 1996. In IN 96-70, the NRC staff described the potential problems that nuclear power plant computer systems and software may encounter as a result of the change to the new century and how the Y2K issue may affect NRC licensees. In IN 96-70, the NRC staff encouraged licensees to examine their uses of computer systems and software well before the turn of the century and suggested that licensees consider appropriate actions for examining and evaluating their computer systems for Y2K vulnerabilities. The NRC staff also incorporated recognition of the Y2K concern in the updated Standard Review Plan, NUREG-0800, Chapter 7, "Instrumentation and Control," dated August 1997, which contains guidance for the NRC staff's review of computer-based instrumentation and control systems.
At the Nuclear Utilities Software Management Group (NUSMG) Year 2000 Workshop, an industry workshop held in July 1997, some nuclear power plant licensees described their Y2K programs and gave examples of areas in which they had addressed Y2K issues in order to ensure the safety and operability of their plants on and after January 1, 2000. Some of the issues discussed were (1) the evaluation of the impact of the Y2K problem on plant equipment, (2) the assessment process involved in the identification of Y2K-affected components, vendors, and interfaces, (3) the development of Y2K testing strategies, and (4) the identification of budget needs to address the Y2K problem.
The Nuclear Energy Institute (NEI) met with NUSMG and nuclear plant utility representatives in August 1997 to formulate an industry-wide plan to address the Y2K issue. On October 7, 1997, representatives of NEI and NUSMG NEI/NUSMG 97-07, "Nuclear Utility Year 2000 Readiness," to all licensees in November 1997. The document recommends methods for nuclear utilities to attain Y2K readiness and thereby ensure that their facilities remain safe and continue to operate within the requirements of their license. The scope of NEI/NUSMG 97-07 includes software, or software-based systems or interfaces, whose failure (due to the Y2K problem) would (1) prevent the performance of the safety function of a structure, system, or component or (2) degrade, impair, or prevent compliance with the nuclear facility license and NRC regulations.
Diverse concerns are associated with the potential impact of the Y2K problem on nuclear power plants because of the variety and types of computer systems in use. The concerns result from licensees' reliance upon (1) software to schedule maintenance and technical specification surveillance, (2) programmable logic controllers and other commercial off-the-shelf software and hardware, (3) digital process control systems, (4) software to support facility operation, (5) digital systems for collection of operating data, and (6) digital systems to monitor post-accident plant conditions. The scope of NEI/NUSMG 97-07 includes the broad range of computers and software-based systems in a nuclear power plant. However, NRC Y2K concerns are limited to safety-related systems and other systems required by the nuclear power plant license or NRC regulations.
One application that is common to all power reactor licensees is the link between plant computers and the NRC's Emergency Response Data System (ERDS). This application performs the communication and data transmission functions that provide near real-time data availability to NRC and State incident response personnel during declared emergencies. The NRC is currently performing Y2K-related upgrades to ERDS, which will maintain the same communication protocol as the current system, with the exception that either 2-digit- or 4-digit-year fields will be accepted. Those licensees that anticipate changes to their ERDS link should allow time in their schedules for retesting their systems. NRC contractors will support requests for testing on a "first-come, first-served" basis.
NEI/NUSMG 97-07 suggests a strategy for developing and implementing a nuclear utility Y2K program. The strategy recognizes management, implementation, quality assurance (QA) measures, regulatory considerations, and documentation as the fundamental elements of a successful Y2K project. The document contains examples currently in use by licensees and also recommends that the Y2K program be administered using standard project management techniques.
The recommended components for management planning are management awareness, sponsorship, project leadership, project objectives, the project management team, the management plan, project reports, interfaces, resources, oversight, and QA. The suggested phases of implementation are awareness, initial assessment (which includes inventory, categorization, classification, prioritization, and analysis of initial assessment), detailed assessment (including vendor evaluation, utility-owned or utility-supported software evaluation, interface evaluation, and remedial planning), remediation, Y2K testing and validation, and notification.
The QA measures specified in NEI/NUSMG 97-07 apply to project management QA and implementation QA. Regulatory considerations include the performance of appropriate reviews, reporting requirements, and documentation. Documentation of Y2K program activities and results includes documentation requirements, project management documentation, vendor documentation, inventory lists, checklists for initial and detailed assessments, and record retention. NEI/NUSMG 97-07 also contains examples of various plans and checklists as appendices, which may be used or modified to meet the licensee's specific needs and/or requirements.
It should be recognized that NEI/NUSMG 97-07 is programmatic and does not fully address all the elements of a comprehensive Y2K program. In particular, augmented guidance in the area of risk management, business continuity and contingency planning, and remediation of embedded systems is needed to fully address some Y2K issues that may arise in licensee program implementation. The NRC staff believes that the guidance in NEI/NUSMG 97-07, when properly augmented and implemented, presents an example of one possible approach for licensees when addressing the Y2K problem at nuclear power plant facilities.
Another document that provides a useful overview of the elements of an effective Y2K program is a guide issued by the Accounting and Information Management Division (AIMD), U.S. General Accounting Office (GAO), GAO/AIMD-10.1.14, "Year 2000 Computing Crisis: An Assessment Guide," September 1997. This guide is a distillation of the best practices of the Government and the private sector for dealing with the Y2K problem.
It should be noted that the guidance in NEI/NUSMG 97-07 and GAO/AMID-10.1.14 provides a framework only. Any Y2K program employed at a nuclear facility must be tailored to meet the specific needs and requirements of that facility and should, in general, be composed of the following phases: awareness, assessment, remediation, validation, and implementation. Completion of the Y2K program means the attainment of the program objectives, which could range from all computer systems and applications, including embedded systems, being Y2K compliant, to some being Y2K compliant and the remaining retired or with permanent and/or temporary compensatory measures or work-arounds in place. Also to be considered are the future maintenance requirements for keeping the systems and applications Y2K ready, for example, when the "fixed date window" approach is used.
It is recognized that in spite of every reasonable effort by licensees to identify and correct Y2K computer system problems at their facilities, some software, applications, equipment, and systems may remain susceptible to the problem. Additionally, software, data, and systems external to the facility could potentially affect the facility adversely. Therefore, to ensure continued safe operation of the facility into the Year 2000 and beyond, contingency plans should be formulated for affected systems and equipment. The concept of Y2K readiness includes the planning, development, and implementation of appropriate contingency plans or compensatory actions for items that are not expected to be Y2K compliant or ready and to address the possible impact of unidentified items and their effect on safe plant operation.
Because of the limited time remaining in which to address the Y2K problem, at some facilities it may be necessary that some remediation and implementation activities be performed during normally scheduled plant outages in order to avoid additional outages to effect these activities. Hence, licensees should plan for this work accordingly. The NRC staff notes that unless the majority of the Y2K program remediation, validation, and implementation activities are completed at a facility by mid -1999, leaving only a few such activities scheduled for the third and fourth quarters of 1999, the facility may not be Y2K ready by the year 2000.
In the course of implementing the Y2K program, problems could be identified that potentially affect the licensing basis of the plants. In certain cases, license amendments may be needed to address the problem resolution. Licensees should plan to submit such license amendments to the NRC on a timely basis. The utility Y2K programs and schedules should have the flexibility to accommodate such an eventuality. In addition, licensees are reminded that any changes to their facilities that affect their current licensing basis must be reviewed in accordance with existing NRC requirements and the change properly documented. Finally, we strongly encourage licensees to share information regarding identified remediation and implementation activities in order to maintain the likelihood that all Y2K problems are identified. We understand that Owners' Groups are implementing this and we encourage this effort.
In order to gain the necessary assurance that addressees are effectively addressing the Y2K problem with regard to compliance with the terms and conditions of their licenses and NRC regulations, the NRC staff requires that all addressees submit a written response to this generic letter as follows:
|(1)||Within 90 days of the date of this generic letter, submit a written response indicating whether or not you have pursued and are continuing to pursue a Y2K program such as, or similar to, that outlined in NEI/NUSMG 97-07, augmented appropriately in the areas of risk management, contingency planning, and remediation of embedded systems. If your program significantly differs from the NEI/NUSMG guidance, present a brief description of the programs that have already been completed, are being conducted, or are planned to ensure Y2K readiness of the computer systems at your facility(ies). This response must address the program's scope, assessment process, plans for corrective actions (including testing and schedules), QA measures, contingency plans, and regulatory compliance.|
|(2)||Upon completing your Y2K program or, in any event, no later than July 1, 1999, submit a written response confirming that your facility is Y2K ready, or will be Y2K ready, by the year 2000 with regard to compliance with the terms and conditions of your license(s) and NRC regulations. If your program is incomplete as of that date, your response must contain a status report, including completion schedules, of work remaining to be done to confirm your facility is/will be Y2K ready by the year 2000.|
Address the written reports to the U.S. Nuclear Regulatory Commission, Attention: Document Control Desk, Washington, D.C. 20555-0001, under oath or affirmation under the provisions of Section 182a, Atomic Energy Act 1954, as amended, and 10 CFR 50.54(f). In addition, submit a copy to the appropriate regional administrator.
This generic letter requires information from addressees under the provisions of Section 182a of the Atomic Energy Act of 1954, as amended, and 10 CFR 50.54(f). The required information will enable the staff to verify that each nuclear power plant licensee is implementing an effective plan to address the Y2K problem and provide for safe operation of the facility before January 1, 2000, and is in compliance with the terms and conditions of their license(s) and NRC regulations. The following NRC regulations form a basis for this requirement:
- 10 CFR 50.36, "Technical Specifications," paragraph (c)(3), "Surveillance Requirements," and paragraph (c) (5), "Administrative controls." These sections relate, respectively, to requirements pertaining to testing, calibration, or inspection to ensure that the necessary quality of systems and components is maintained and to provisions relating to management, procedures, recordkeeping, and review and audit necessary to ensure operation of the facility in a safe manner.
- 10 CFR 50.47, "Emergency Plans," paragraph (b)(8), which relates to the provision and maintenance of adequate emergency facilities and equipment to support the emergency responses.
- Appendix B to 10 CFR Part 50, Criterion III, "Design Control," requires
that design control measures shall provide for verifying or checking
the adequacy of design, such as by the performance of design reviews,
by the use of alternate or simplified calculational methods, or by the
performance of a suitable testing program.
- Appendix B to 10 CFR Part 50, Criterion XVII, "Quality Assurance Records,"
requires that sufficient records shall be maintained to furnish evidence
of activities affecting quality. The records are to include operating
logs and the results of reviews.
- Appendix E to 10 CFR Part 50, Section VI, "Emergency
Response Data System," which relates to the provision and maintenance
of licensee links to the ERDS [this citation
was inadvertently omitted from the final copy of NRC Generic Letter
- Appendix A to 10 CFR Part 50, General Design Criterion (GDC) 13, "Instrumentation
and Control," which addresses the provision of appropriate instrumentation
and controls to monitor and control systems and variables during normal
operation, anticipated operational occurrences, and accident conditions,
as appropriate, to ensure adequate safety.
- Appendix A to 10 CFR Part 50, GDC 19, "Control Room," which requires the provision of a control room from which actions can be taken to operate the nuclear plant safely.
- Appendix A to 10 CFR Part 50, GDC 23, "Protection System Failure Modes," which requires that the protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis.
Paperwork Reduction Act Statement
This generic letter contains information collections that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). These information collections were approved by the Office of Management and Budget (OMB), approval number 3150-0011, which expires on September 30, 2000.
The public reporting burden for this collection of information is estimated to average 100 hours per response, including the time for reviewing the instructions, searching data sources, gathering and maintaining the needed data, and completing and reviewing the information collected. This estimate assumes a licensee's response simply confirms the existence of a Y2K program, similar to that outlined in NEI/NUSMG 97-07, and that the program will be completed by July 1, 1999. Licensees whose Y2K program significantly differs from the NEI/NUSMG guidance or whose Y2K program will not be completed by July 1, 1999, must submit additional information to the NRC.
The NRC is seeking public comment on the potential impact of the collection of information contained in this generic letter and on the following issues:
|1.||Is the proposed collection of information necessary for the proper performance of the functions of the NRC, including whether the information will have practical utility?|
|2.||Is the estimate of burden accurate?|
|3.||Is there a way to enhance the quality, utility, and clarity of the information to be collected?|
|4.||How can the burden of the collection of information be minimized, including the use of automated collection techniques?|
Send comments on the burden estimate and any aspect of this collection of information, including suggestions for reducing this burden, to the Information and Records Management Branch, T-6 F33, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555-0001, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202 (3150-0011), Office of Management and Budget, Washington, D.C. 20503.
The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.
If you have any questions about this matter, please contact one of the technical contacts listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager.
|Original signed by
D. B. Matthews
|Jack W. Roe, Acting Director
Division of Reactor Program Management
Office of Nuclear Reactor Regulation
|Technical Contact:||M. Chiramal, NRR
|Lead Project Manager:||Allen G. Hansen, NRR
Attachments: List of Recently Issued NRC Generic Letters
(NUDOCS Accession Number 9805050192)