United States Nuclear Regulatory Commission - Protecting People and the Environment

OIG/97E-13 - Special Evaluation: NRC's Progress on the Year 2000 Issue

Overview

Office of the Inspector General
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555-0001
June 26, 1997

Memorandum To:

Anthony J. Galante
Chief Information Officer

Leonard J. Callan
Executive Director for Operations

Jesse L. Funches
Chief Financial Officer

From: Thomas J. Barchi
Assistant Inspector General for Audits
Subject: Special Evaluation: NRC's Progress on the Year 2000 Issue

Attached is the Office of the Inspector General's special evaluation of NRC's progress in addressing the Year 2000 issue. This report contains several suggestions for facilitating the agency's Year 2000 efforts.

We briefed the Chief Information Officer and senior NRC managers following our review, and they generally agreed with our suggestions. This report does not contain recommendations; therefore, we did not solicit agency comments.

Attachment: As stated

OIG chron
AIGA chron
RShideler RKelley
RMoody



Report Synopsis

The Year 2000 problem has gained enormous attention in the Information Systems world. Defining the problem is relatively straightforward. The difficulty is rooted in the way dates are recorded and computed in many computer systems and other "non-computer" devices. For the past several decades, systems have typically used two digits to represent the year, such as "97" representing 1997. This was done to conserve on electronic data storage space and reduce operating costs. However, with this two-digit format, the Year 2000 is indistinguishable from 1900, the year 2001 from 1901, etc. As a result, most "legacy" systems and even some recently developed systems will abort or produce erroneous results once the Year 2000 arrives. Systems that project dates will run into the problem even sooner. There are also numerous "devices" that use date information in their operation; for example, security systems, elevators, phone systems, etc. Correcting the problem and achieving Year 2000 compliance--defined as the ability of information systems to accurately process date data from, into, and between the year 1999 and the year 2000, including leap year calculations--will not be easy.

The Office of the Inspector General (OIG) has been tracking the Year 2000 issue for some time. Recent emphasis from the U.S. Office of Management and Budget and the U.S. General Accounting Office on the problem, the potential magnitude of the problem, and the effort that may be necessary to adequately address the issue led to the initiation of this evaluation. The overall objective of our evaluation was to obtain an understanding of the Nuclear Regulatory Commission's (NRC) strategy for addressing the Year 2000 issue. In addition, the Office of Information Resources Management (IRM) requested that OIG assist in evaluating the work of the contractor supporting the planning, coordination, and management of NRC's Year 2000 program. We are continuing to assist IRM per that request.

Because of the potential impact of Year 2000 problems and the fixed deadline for efforts to become Year 2000 compliant, we are providing our observations on areas that warrant agency attention. We believe that the NRC can provide greater assurance that its Year 2000 program will be successful by (1) issuing a policy directive in support of the program, (2) establishing and communicating a position on the extent of NRC's regulatory responsibilities with respect to licensees' actions to address Year 2000 problems, and (3) ensuring that managers consider the potential impact of Year 2000 problems in their management control plans and reasonable assurance statements.



Introduction

This report provides the results of the Office of the Inspector General's (OIG) special evaluation of the U.S. Nuclear Regulatory Commission's (NRC) progress on the Year 2000 issue. OIG has been tracking the Year 2000 issue for some time. Recent emphasis from the U.S. Office of Management and Budget and the U.S. General Accounting Office on the problem, the potential magnitude of the problem, and the effort that may be necessary to adequately address the issue led to the initiation of this review. The overall objective of our evaluation was to obtain an understanding of the agency's strategy for addressing the Year 2000 issue. In addition, the Office of Information Resources Management (IRM) requested that OIG assist in evaluating the work of the contractor supporting the planning, coordination, and management of NRC's Year 2000 program. We are continuing to assist IRM per that request.



Background

The Year 2000 problem has gained enormous attention in the Information Systems world. Defining the Year 2000 problem is relatively straightforward. The difficulty is rooted in the way dates are recorded and computed in many computer systems and other "non-computer" devices. For the past several decades, systems have typically used two digits to represent the year, such as "97" representing 1997. This was done to conserve on electronic data storage space and reduce operating costs. However, with this two-digit format, the Year 2000 is indistinguishable from 1900, the year 2001 from 1901, etc. As a result, most "legacy" systems and even some recently developed systems will abort or produce erroneous results once the Year 2000 arrives. Systems that project dates will run into the problem even sooner.

Many government computer systems were originally developed 20 to 25 years ago, are poorly documented, and use a wide variety of computer languages--many of which are old or obsolete. Moreover, computer systems have numerous components--hardware, software, operating systems, communications applications, and databases--that are affected by the date problem. In addition, all of those internal and external systems that must communicate date information must be date compatible once the problem is fixed. Correcting the problem and achieving Year 2000 compliance--defined as the ability of information systems to accurately process date data from, into, and between the year 1999 and the year 2000, including leap year calculations--will not be easy. Additionally, there are numerous "devices" that use date information in their operation; for example, security systems, elevators, phone systems, etc. These must also be made Year 2000 compliant.

In October 1996, NRC's Executive Director for Operations issued a memorandum to office directors and regional administrators regarding the Year 2000 issue. In addition to requesting information pursuant to developing an inventory of NRC's systems and devices, the memorandum provided basic guidance for initiating the agency's program.

IRM has the lead role in the agency's Year 2000 efforts. IRM's corrective action plan for addressing the problem is comprised of five phases: (1) awareness, (2) assessment, (3) renovation, (4) validation, and (5) implementation. At this time, IRM has essentially completed an inventory of agency systems and devices and is currently assessing the systems and devices for which it has responsibility. However, IRM, which is responsible for a large number of agency systems, is not remediating systems and devices developed and maintained by other offices. The approach and status of these efforts may not be the same as IRM's.



Evaluation Results

Because of the potential impact of Year 2000 problems and the fixed deadline for efforts to become Year 2000 compliant, we are providing our observations on areas that warrant agency attention. We believe that the NRC can provide greater assurance that its Year 2000 program will be successful by (1) issuing a policy directive in support of the program, (2) establishing a position on the extent of NRC's regulatory responsibilities with respect to licensees' actions to address Year 2000 problems, and (3) ensuring that managers consider the potential impact of Year 2000 problems in their management control plans and reasonable assurance statements.



NRC Should Issue A Policy Directive In Support Of The Year 2000 Program

NRC's Chief Information Officer has lead responsibility for information technology used by the agency. The Director, IRM, is the Program Manager with overall responsibility for Year 2000 activities. In addition, an IRM project manager has day-to-day responsibility and coordinates and supports the efforts of all offices. NRC's efforts to address the Year 2000 issue are concentrated within IRM since they have responsibility for maintaining the agency's major systems and software inventory. However, systems and devices developed and maintained by individual regions or offices are the responsibility of that region or office. Although IRM will provide assistance to those offices as needed, IRM does not have responsibility for ensuring that such systems and devices are made Year 2000 compliant.

The duties of the project manager are not formally defined but include oversight of the contractor retained by IRM to track the progress of remediation work on each of the agency's systems and coordination of the work of NRC offices and regions. The project manager has an action plan that guides his work on the agency's Year 2000 program. In addition, the contractor will provide the project manager with a master plan that will encompass monitoring the work of all offices. Individual offices, including branches within IRM, are not currently required to prepare a project plan to address any Year 2000 problems they may have. The project manager does not have the authority to require that offices develop such plans.

While the project manager provides guidance and support to offices other than IRM, there is no formal agency-wide support for the cross-functional demands of the position. One of the most critical parts of the Year 2000 project will be the coordination among the agency's offices on questions of system interactions and the timing of system renovation and implementation. In addition, we believe numerous agency-wide issues may arise such as (1) resource demands on offices, (2) definition of and prioritization of work on mission critical systems, (3) interaction with other entities that co-own or co-developed systems used by NRC, (4) interaction with agencies whose software NRC uses, (5) decisions regarding replacement of systems that would otherwise require remediation, and (6) interactions among NRC offices and branches where systems overlap. For example, IRM's Systems Development and Integration Branch will need to have close cooperation from the Commission and senior NRC officials to ensure that required adaptive(1) changes are minimized during the period of heaviest Year 2000 work. A process for quick resolution of conflicts on priorities is needed.

GAO's draft Year 2000 Computing Crisis: An Assessment Guide, dated February 1997, recommends that agencies obtain and formalize management support through issuance of a Year 2000 policy directive and/or program charter. As outlined in NRC guidance, a directive would communicate program information to NRC employees and would include: (1) a statement of the policy of the agency, (2) the objectives of the program, (3) the responsibilities of personnel, (4) the authorities of various personnel, and (5) other requirements for specific functional areas.

To help ensure the success of its Year 2000 program, we believe NRC should issue a policy directive in order to provide guidance to the agency in support of the program. Given the fixed deadline for the effort, it is important that responsibilities and authorities be identified as early as possible to ensure timely resolution of any agency-wide or cross-functional issues. A policy directive would also provide guidance and authorities for the resolution of inter- and intra-agency conflict and coordination problems. Because NRC has chosen to provide coordination of its Year 2000 effort through a position within IRM, issuance of a directive in support of that function should be a priority.



NRC Should Clarify Its Position On Licensees' Actions To Address Their Year 2000 Problems

NRC's Office of the General Counsel has stated that regulatory program offices, principally the Office of Nuclear Reactor Regulation and the Office of Nuclear Materials Safety and Safeguards, and ultimately, the Commissioners, have responsibility for regulating licensees' approaches to Year 2000 issues. These offices decide what, if any, actions in regard to public health and safety and the common defense and security must be taken by licensees on Year 2000 issues.

In December 1996, NRC issued an Information Notice to all licensees to ensure their awareness of the Year 2000 issue. Currently, the agency is examining its regulatory role in regard to licensee actions for addressing Year 2000 problems and may issue additional notices. Because offices within NRC may have responsibilities for which they will have to provide resources and because of the limited time frame, we believe it is important that the agency provide formal guidance to offices defining the agency's regulatory responsibilities for licensee actions. This guidance should be stated in the policy directive and communicated to agency personnel and licensees.



Managers Should Consider Reporting Requirements On This Issue

In accordance with requirements of the Federal Managers' Financial Integrity Act, agency managers should continuously monitor, evaluate, and improve the effectiveness of management controls associated with their programs and administrative activities. These controls are a means of managing the risk associated with those programs. The adequacy of management controls should be assessed within a reasonable time frame of new or major redirections of activities.

Each year, certain offices and regions submit a management control plan to the Chairman, Executive Committee for Management Controls (ECMC), reporting on the status of corrective action on significant or material weaknesses in their annual management control plans and their annual reasonable assurance statements. Other offices submit this information in their annual reasonable assurance statements. The status of corrective action on weaknesses that do not rise to the level of a significant or material weakness is not reported to the Chairman, ECMC. However, these actions must be tracked and reviewed in the offices and regions in a manner that will ensure that control weaknesses are addressed promptly and adequately. If weaknesses not determined to be significant enough to be reported to the ECMC are identified, corrective action plans should be developed and monitored at the office level or below. Managers must monitor the progress of corrective actions to ensure timely and effective results.

We reviewed each of the 1997 management control plans submitted to the Chairman, ECMC. None of the control plans identified or discussed the Year 2000 issue. While offices and regions may determine that the Year 2000 problem poses no potential risk to their programs and operations, we believe that agency managers should be sure to consider the potential impact of the problem in revising their management control plans and in composing their reasonable assurance statements.



Matters for Consideration

Our evaluation of NRC's progress on the Year 2000 issue indicates that, while the agency is making progress in addressing the Year 2000 problem, it should consider further improving the program by:

  1. Issuing a policy directive in support of the program,
  2. Establishing and communicating a position on the extent of NRC's regulatory responsibilities with respect to licensees' actions to address Year 2000 problems that may impact public health and safety, and
  3. Ensuring that managers consider the potential impact of Year 2000 problems in preparing and revising their management control plans and reasonable assurance statements.


Objectives, Scope, and Methodology

The objective of our evaluation was to obtain an understanding of the agency's strategy for addressing the Year 2000 issue. The scope of the evaluation was limited to the current status of the U.S. Nuclear Regulatory Commission's (NRC) Year 2000 project and to the agency's plans for completing the project within the time frame available. At this time, the agency has essentially completed its inventory of systems but does not have the results of its contractors' assessments of those systems or recommendations for addressing any problems. The contractors' deliverables also include a revised action plan for the program. Therefore, we were able to review the agency's awareness efforts and the inventory but only against the current action plan and can make no observations on future actions since those will be defined by the results of the contractors' assessments of the agency's systems. In addition, at the request of the Office of Information Resources Management, the Office of the Inspector General is assisting in evaluating the work of the contractor supporting the planning, coordination, and management of NRC's Year 2000 program.

To determine the current status of the project and the agency's planned approach for completing the effort, we interviewed project management, and region and program office officials. We also reviewed documentation of current project status and schedules, contract documents, meeting records, project costs and budgets, 1997 management control plans, and other related documentation.

We conducted our evaluation in April and May 1997.



Major Contributors to this Report

Corenthis B. Kelley
Team Leader

Robert W. Moody
Senior Auditor



Glossary: Office of the Inspector General Products

Investigative

1. Investigative Report - White Cover

An Investigative Report documents pertinent facts of a case and describes available evidence relevant to allegations against individuals, including aspects of an allegation not substantiated. Investigative reports do not recommend disciplinary action against individual employees. Investigative reports are sensitive documents and contain information subject to the Privacy Act restrictions. Reports are given to officials and managers who have a need to know in order to properly determine whether administrative action is warranted. The agency is expected to advise the OIG within 90 days of receiving the investigative report as to what disciplinary or other action has been taken in response to investigative report findings.

2. Event Inquiry - Green Cover

The Event Inquiry is an investigative product that documents the examination of events or agency actions that do not focus specifically on individual misconduct. These reports identify institutional weaknesses that led to or allowed a problem to occur. The agency is requested to advise the OIG of managerial initiatives taken in response to issues identified in these reports but tracking its recommendations is not required.

3. Management Implications Report (MIR) - Memorandum

MIRs provide a "ROOT CAUSE" analysis sufficient for managers to facilitate correction of problems and to avoid similar issues in the future. Agency tracking of recommendations is not required.

Audit

4. Audit Report - Blue Cover

An Audit Report is the documentation of the review, recommendations, and findings resulting from an objective assessment of a program, function, or activity. Audits follow a defined procedure that allows for agency review and comment on draft audit reports. The audit results are also reported in the OIG's "Semiannual Report" to the Congress. Tracking of audit report recommendations and agency response is required.

5. Special Evaluation Report - Burgundy Cover

A Special Evaluation Report documents the results of short-term, limited assessments. It provides an initial, quick response to a question or issue, and data to determine whether an in-depth independent audit should be planned. Agency tracking of recommendations is not required.

Regulatory

6. Regulatory Commentary - Brown Cover

Regulatory Commentary is the review of existing and proposed legislation, regulations, and policies so as to assist the agency in preventing and detecting fraud, waste, and abuse in programs and operations. Commentaries cite the IG Act as authority for the review, state the specific law, regulation, or policy examined and the pertinent background information considered, and identify OIG concerns, observations, and objections. Significant observations regarding action or inaction by the agency are reported in the OIG Semiannual Report to Congress. Each report indicates whether a response is required.



1. Adaptive changes, as used here, are modifications to systems made necessary by changes to regulations or laws. These changes frequently require significant effort, are mandatory, and may have fixed time frames or deadlines for implementation.

Page Last Reviewed/Updated Thursday, March 29, 2012