Information Notice No. 98-30: Effect of the Year 2000 Computer Problem on NRC Licensees and Certificate Holders
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR MATERIAL SAFETY AND SAFEGUARDS
WASHINGTON, D.C. 20555
August 12, 1998
|NRC INFORMATION NOTICE 98-30:||EFFECT OF THE YEAR 2000 COMPUTER PROBLEM ON NRC LICENSEES AND CERTIFICATE HOLDERS|
All material and fuel cycle licensees and certificate holders.
The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice to remind all addressees of the potential problems their computer systems and software may encounter as a result of the change to the year 2000. It is expected that recipients will review this information for applicability to their facilities and consider actions, as appropriate, to avoid potential problems. However, suggestions contained in this information notice are not NRC requirements; therefore, no specific action nor written response is required.
Description of Circumstances:
The Year 2000 (Y2K) problem pertains to the potential inability of computers to correctly recognize dates beyond December 31,1999. This problem results from computer hardware and/or software that uses two-digit fields to represent the year. These systems may misread the year 2000 and cause the systems to fail, generate faulty data, or act in an incorrect manner. The Y2K problem has the potential to interfere with the proper operation of any computer system, hardware that is microprocessor-based (embedded software), software, or database.
As discussed in this Information Notice, "Y2K Ready" is defined as a computer system or application that has been determined to be suitable for continued use into the year 2000, even though the computer system or application is not Y2K Compliant. A Y2K Readiness Program is a plan for a facility to become Y2K Ready. "Y2K Compliant" is defined as a computer system or application that accurately processes date/time data (including, but not limited to, calculating, comparing, and sequencing) from, into, and between the years 1999 and 2000, and beyond, including leap-year calculations.
The Y2K problem is urgent because it has a fixed, non-negotiable deadline that is quickly approaching. This matter requires priority attention because of the limited time remaining to assess the magnitude of the problem, assess its associated risks, and implement programs that will achieve a satisfactory resolution of the Y2K problem.
Existing reporting requirements under 10 CFR Part 21 provide for notification to NRC of deficiencies, non-conformances, and failures, such as the Y2K problem in safety-related systems.
Examples of systems that may be affected by the Y2K problem include:
- Treatment planning systems
- Dose calibrators
- Embedded systems
- Decay programs
- Physical Protection
- Analytical systems that rely on microprocessors and software controls
- Material Control and Accounting
- Emergency response systems
- Radiation monitoring systems
- Dosimeters, dosimetry programs, and readers
- Communication systems
- Surveillance and maintenance tracking systems
To alert licensees and certificate holders to the Y2K problem, NRC issued Information Notice (IN) 96-70, "Year 2000 Effect on Computer System Software," on December 24, 1996, and IN 97-61, "U.S. Department of Health and Human Services Letter, to Medical Device Manufacturers, on the Year 2000 Problem," on August 6, 1997. In IN 96-70, the staff described the potential problems that computer systems and software may encounter as a result of the change from the year 1999 to the year 2000 and how the Y2K issue may affect NRC licensees and certificate holders. IN 96-70 encouraged licensees and certificate holders to examine their uses of computer systems and software well before the year 2000 and suggested that they consider appropriate actions to examine and evaluate their computer systems for Y2K vulnerabilities. In IN 97-61, the staff forwarded to licensees a letter from the U.S. Department of Health and Human Services, Food and Drug Administration (FDA ), to medical device manufacturers, regarding the Y2K problem. In a letter dated June 25, 1997, the FDA reminded medical device manufacturers that some computer systems and software applications currently used in medical devices, including embedded microprocessors, may experience problems as a result of the turn to the new century. In addition, the letter indicated that computer-controlled design, production, or quality control processes could be adversely affected.
As part of NRC's response to the Y2K problem, NRC assembled a Y2K team to gather more information on the Y2K programs of materials and fuel cycle licensees and certificate holders. In addition, materials and fuel cycle inspectors have been instructed to confirm receipt of NRC's INs 96-70 and 97-61, by materials and fuel cycle licensees and certificate holders; determine whether the licensees and certificate holders have identified any potential problems associated with the Y2K issue; and note any corrective actions taken by the licensees and certificate holders.
There are several concerns associated with the potential impact of the Y2K problem because of the variety and types of computer systems and software in use. For example, the role and use of computers and embedded systems in: (1) treatment planning systems; (2) dose calibrators; (3) programmable logic controllers and other commercial off-the-shelf software and hardware; (4) document control systems; (5) process control systems; (6) engineering calculations; and (7) systems for the collection of operating and post-accident site parameter data. Licensees should develop contingency plans for systems that are not Y2K Ready.
Some treatment planning systems and dose calibrators have been found not to be Y2K Compliant by the manufacturer. Addressees should contact their treatment planning system and dose calibrator venders to determine if their systems are Y2K Ready. Further, addressees should verify that their treatment planning systems and dose calibrators are Y2K Ready.
Some systems that have been determined to be Y2K Compliant by the manufacturer have been found not to be Y2K Compliant by the end user. Conversely, some systems that have been determined not to be Y2K Compliant by the manufacturer have been found to be Y2K Ready by the end user. Further, devices that are the same model may have microprocessors from different manufacturers which may cause the devices to behave differently in the year 2000. Addressees should not rely completely on manufacturers certification. Y2K Readiness is also dependent on the manner in which the system is used. Again, addressees should verify that all of their systems are Y2K Ready.
Applications that have no apparent date manipulation algorithms may still be affected by a Y2K problem. For example, a subroutine that date-stamps the header information in archival tapes, regardless of the rest of the content of the tape, may be affected. In addition, individual systems may be "date-safe," but the integrated operations that the systems support may be vulnerable to the Y2K problem. Therefore, after testing a subsystem for Y2K compliance, a functional test of the entire system should be performed.
The following elements can be used to aid in the development of a successful Y2K Readiness Program: (1) management planning; (2) implementation; (3) quality assurance (QA); (4) regulatory considerations; and (5) documentation. The components for planning include management awareness, sponsorship, project leadership, project objectives, project management team, management plan, project reports, interfaces, resources, and oversight. The phases of implementation include: awareness; initial assessment (e.g., inventory, categorization, classification, prioritization, and analysis); detailed assessment (e.g., vendor evaluation, software evaluation, interface evaluation, remedial planning); remediation; testing and validation; and notification. The features of QA include project management QA as well as implementation QA. The aspects of regulatory considerations include the performance and documentation of appropriate reviews and/or evaluations. The elements of documentation of activities and results include project management documentation, vendor certifications, inventory lists, checklists, and record retention.
There are three reference documents that may help licensees and certificate holders with their Y2K Readiness Programs. The General Accounting Office published "Year 2000 Computing Crisis: An Assessment Guide," in September 1997 and "Year 2000 Computing Crisis: Business Continuity and Contingency Planning. Exposure Draft," in March 1998 as general business tools; and the Nuclear Energy Institute published NEI/NUSMG 97-07, "Nuclear Utility Year 2000 Readiness," in October 1997 to assist nuclear power plants in the development of their Y2K Readiness Programs. Even though the latter applies to commercial nuclear power plants, the general discussion of the elements in Y2K Readiness Programs could be beneficial to other business entities.
NRC has certified that its Nuclear Material Management Safeguards System (NMMSS) is Y2K Compliant. For NRC licensees and certificate holders required to report nuclear material transactions to NMMSS, from May 1, 1998, through mid-1999, NMMSS will operate in a manner that allows all nuclear material transaction reports to NMMSS to be either in the current two-digit year reporting format or in the Y2K Compliant four-digit year format. After mid-1999, only the Y2K Compliant format will be acceptable. Licensees and certificate holders that use their own software to input data into NMMSS will have to modify it themselves, to be Y2K Compliant.
The U.S. Food and Drug Association has established a web site to provide information regarding the status or impact on product performance of the "Year 2000 Date Problem" for medical devices and scientific laboratory equipment (biomedical equipment). The information provided, or the linked sites maintained by manufacturers, have been provided by the manufacturers of the products in response to the January 21, 1998, request from the Deputy Secretary of the Department of Health and Human Services.
Many manufacturers have web sites that contain Y2K information regarding their products. This information may include information on products that are not Y2K Compliant and the availability of product updates. Attachment 1 contains a list of websites that may be useful in addressing the Y2K problem.
This information notice requires no specific action or written response. If you have any questions about the information in this notice, please contact the technical contact listed below or the appropriate regional office.
Frederick C. Combs, Acting Director
Division of Industrial and Medical Nuclear Safety
Office of Nuclear Material Safety and Safeguards
|Contact:||Gary Purdy, NMSS
|Attachments:||1. Selected Year 2000 Web Sites
2. List of Recently Issued NMSS Information Notices
3. List of Recently Issued NRC Information Notices
(NUDOCS Accession Number 9808070136)
August 12, 1998
Selected Year 2000 websites
|U.S. Food and Drug Administration||medical device manufacturers list of Y2K compliant and non-compliant devices|
|U. S. Government Accountability Office||two Y2K reports|
|National Institute of Standards and Technology||Y2K information, test programs|
|Nuclear Regulatory Commission||Information Notices, Generic Letters, links, NEI Report|
|The Institution of Engineering and Technology||embedded software information|
|Open Government Project - United Kingdom||software compliance information|
|Year 2000 Medical Issues||medical issues (not much radiation protection)|
|School of Public Health - University of Michigan||links to manufacturers and dosimetry companies|
|The Oncology and Radiology Portal Site||Links to Oncology/Radiology Commercial Sites|
Except for its own website, the U.S. Nuclear Regulatory Commission makes no claims of the accuracy in the information provided at these websites. The list of sites is provided for use by addressees as a possible source of Y2K information.