Information Notice No. 99-20: Contingency Planning for the Year 2000 Computer Problem
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR MATERIAL SAFETY AND SAFEGUARDS
WASHINGTON, D.C. 20555
June 25, 1999
|NRC INFORMATION NOTICE 99-20:||CONTINGENCY PLANNING FOR THE YEAR 2000 COMPUTER PROBLEM|
All material and fuel cycle licensees and certificate holders.
The U.S. Nuclear Regulatory Commission (NRC) is issuing this information notice (IN) to encourage addresses to develop Year 2000 (Y2K) contingency plans. It is expected that recipients will review this information for applicability to their facilities and consider actions, as appropriate, to avoid potential problems. However, suggestions contained in this IN are not NRC requirements; therefore, no specific action nor written response is required.
On June 14, 1999, NRC issued IN 99-18, "Update on NRC's Year 2000 Activities for Materials Licensees and Fuel Cycle Licensees and Certificate Holders," to licensees and certificate holders to update addressees regarding NRC's Y2K activities and provide sources of Y2K information. IN 99-18 provided a detailed description of the Y2K problem and addressees should refer to it for a listing of available information sources concerning Y2K issues.
The Y2K problem pertains to the potential inability of computers to correctly recognize dates beyond December 31, 1999. This problem results from computer hardware and/or software that uses two-digit fields to represent the year. These systems may misread the year 2000 and cause the systems to fail, generate faulty data, or act in an incorrect manner. The Y2K problem has the potential to interfere with the proper operation of any computer system, hardware that is microprocessor-based (embedded software), software, or database.
The Y2K problem is urgent because it has a fixed, non-negotiable deadline that is quickly approaching. This matter requires priority attention because of the limited time remaining to assess the magnitude of the problem, assess its associated risks, and implement programs that will achieve a satisfactory resolution of the Y2K problem.
Existing reporting requirements under 10 CFR Part 21 provide for notification to NRC of deficiencies, non-conformances, and failures, such as the Y2K problem, in safety-related systems.
NRC has placed a Y2K website on its homepage. The website contains information on NRC Y2K activities, Y2K information notices, and links to other webpages useful for helping licensees implement their Y2K readiness program.
The International Atomic Energy Agency (IAEA) has published IAEA-TECDOC-1087, "Potential Vulnerabilities of Nuclear Fuel Cycle Facilities to the Year 2000 Issue and Measures to Address Them." This document provides helpful information for fuel cycle facilities.
NRC staff has several concerns associated with the potential impact of the Y2K problem on materials licensees, primarily because of the variety and types of computer systems and software in use. Licensees need to be aware of Y2K effects on health and safety, as well as regulatory requirements such as record-keeping. Although licensees are working to remediate the Y2K problem, they should be developing Y2K contingency plans. In an effort to encourage and help licensees develop Y2K contingency plans, we are providing answers to the following frequently asked questions:
Q: What is a Y2K contingency plan?
A: Y2K contingency plan is a set of procedures to deal with difficulties that might be caused directly or indirectly by a Y2K problem, or difficulties in which the severity of the problem is exacerbated by a Y2K problem. Brand new contingency plans do not have to developed for Y2K. Existing emergency procedures or disaster recovery plans can be adjusted for Y2K.
Q: Why should I worry about Y2K contingency planning?
A: Contingency planning is important for continued protection of workers, the public, and the environment, as well as to maintain business continuity. Even licensees that have remediated their systems for Y2K should consider developing Y2K contingency plans. The most extensive Y2K remediation program may not have found all Y2K problems. Y2K contingency plans will allow licensees to cope with internal Y2K problems as well as Y2K problems of business partners and external influences such as electric power, telecommunications, or water.
Q: What do I need to consider?
A: Y2K could affect licensees' internal systems such as hardware, software, embedded systems, and networks. Y2K could also affect external systems including electric power, telecommunications, and suppliers (national and international). Y2K contingency plans should consider internal risks, external risks, and possible interaction between the two.
Q: What is involved in Y2K contingency planning?
A: There are four basic phases in contingency planning: initiation, impact analysis, contingency planning, and testing.
In the initiation phase, licensees should develop a master schedule, for development of the plan, and include milestones to keep contingency planning on track. Existing disaster recovery plans or emergency procedures should be reviewed for applicability to internal and external Y2K risks. In the impact analysis phase, the Y2K internal and external risks and the effect of these risks on mission-critical and safety systems should be identified. Also, licensees should assess the potential impact of mission-critical and safety system failures on workers, the public, the environment, and business continuity.
In the contingency planning phase, the contingency plan is developed and documented. As part of this phase, the licensee determines how and when the plan will be implemented. Finally, individuals who will implement the contingency plan and fix Y2K problems as they occur should be identified.
In the testing phase, the team ensures that the contingency plan will provide adequate protection to workers, the public, and the environment, as well as ensure business continuity. Tests of the contingency plan are developed and conducted. Finally, disaster recovery plans and procedures should be updated to include the Y2K contingency plan
Q. Where can I receive help?
A. The U.S. General Accounting Office (GAO) has published a contingency planning guide, "Year 2000 Computing Crisis: Business Continuity and Contingency Planning," dated August 1998. The guide describes four phases of Y2K business contingency planning structure: initiation, business impact analysis, contingency planning, and testing.
The Department of Veterans Affairs, Veterans Health Administration, has developed a contingency planning document, "Patient-Focused Y2K Contingency Planning Guidebook."
In an effort to provide the public with Y2K information, the President's Council on Year 2000 Conversion website has information regarding Y2K and the Federal Government's efforts to prepare its computer systems, links to information on Y2K compliance for critical sectors of the economy, and other Y2K resources. In addition, the Council has established a Y2K consumer information line at 1-888-USA-4-Y2K which provides free Y2K information. The information at this website or through the information line may useful in determining external Y2K risks and developing contingency plans.
This information notice requires no specific action nor written response. If you have any questions about the information in this notice, please contact the technical contacts listed below, or the appropriate regional office.
Donald A. Cool, Director
|Contacts:||Gary Purdy, NMSS
Harry Felsher, NMSS
|Attachments:||1. List of Recently Issued NMSS Information Notices
2. List of Recently Issued NRC Information Notices
(NUDOCS Accession Number 9906220076)