ML20216C100
| ML20216C100 | |
| Person / Time | |
|---|---|
| Issue date: | 05/01/1998 |
| From: | Callan L NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO) |
| To: | |
| References | |
| SECY-98-094, SECY-98-094-01, SECY-98-094-R, SECY-98-94, SECY-98-94-1, SECY-98-94-R, NUDOCS 9805190099 | |
Text
RELEASED TO THE PDR
POLICY ISSUE (Information)
May 1, 1998 SECY-98-094
FOR: The Commissioners
FROM: L. Joseph Callan, Executive Director for Operations
SUBJECT: PROPOSED NRC GENERIC LETTER 98-XX, "YEAR 2000 READINESS OF COMPUTER SYSTEMS AT NUCLEAR POWER PLANTS"
PURPOSE:
To inform the Commission of the staff's intent to issue the attached generic letter. The purpose of the generic letter is to request nuclear power plant (NPP) licensees to provide the following information regarding their programs, planned or implemented, to address the Year 2000 (Y2K) problem in computer systems at their facilities: (1) written confirmation of implementation of the programs and (2) written certification that the facilities are Y2K ready with regard to compliance with the terms and conditions of their licenses and NRC regulations.
A copy of the proposed generic letter is attached.
DISCUSSION:
Simply stated, the Y2K computer problem pertains to the potential for date-related problems that may be experienced by a computer system or application. These problems include not representing the year properly, not recognizing leap years, and improper date calculations. An example of a date-related problem is the potential misreading of "00" as the year 1900 rather than 2000. The Y2K problem has the potential to interfere with the proper operation of computer systems, hardware that is microprocessor-based (embedded software), and software or databases relied upon at NPPs. Furthermore, there is a risk that affected plant systems and equipment may fail to function properly. Consequently, the Y2K problem could result in a plant trip and subsequent complications in tracking post-shutdown plant status and recovery due to a loss of emergency data collection.
CONTACT: Matthew Chiramal, NRR 301-415-2845; E-mail: mxc
SECY NOTE: TO BE MADE PUBLICLY AVAILABLE AFTER ISSUANCE OF THE GL
9805190099 980501 PDR SECY 98-094 R PDR
The Y2K problem is urgent because it has a fixed deadline. This matter requires priority attention because of the limited time remaining, the uncertain risk that the problem presents, the technical challenges presented, and the scarcity of resources available to correct the problem.
Existing reporting requirements under 10 CFR Part 21, 10 CFR 50.72, and 10 CFR 50.73 provide for notification of the NRC staff of deficiencies, non-conformances, and failures, such as those that could result from the Y2K problem in safety-related systems. To date, the NRC staff has not identified or received notification from licensees or vendors of digital protection systems that a Y2K problem exists with safety-related initiation and actuation systems. However, problems have been identified in non-safety, but important, computer-based systems. Such systems, primarily databases and data collection processes necessary to satisfy NRC regulations, license conditions, and technical specifications that are date driven, may need to be modified for Y2K compliance.
The following NRC regulations form the basis for requesting information from NPP licensees regarding their programs to address the Y2K problem in computer systems at their facilities required by the NPP license or NRC regulations:
10 CFR 50.36, "Technical Specifications," paragraph (c)(3), "Surveillance Requirements," and paragraph (c)(5), "Administrative Controls." These paragraphs relate, respectively, to requirements pertaining to testing, calibration, or inspection to ensure that the necessary quality of systems and components is maintained and to the provisions for management, procedures, recordkeeping, and review and audit necessary to ensure operation of the facility in a safe manner.
10 CFR 50.47, "Emergency Plans," paragraph (b)(8), relates to the provision and maintenance of adequate emergency facilities and equipment to support emergency responses.
Appendix B to 10 CFR Part 50, Criterion III, "Design Control," requires among other things that design control measures provide for verifying or checking the adequacy of design, such as by the performance of design reviews, by the use of alternate or simplified calculational methods, or by the performance of a suitable testing program.
Appendix B to 10 CFR Part 50, Criterion XVII, "Quality Assurance Records," requires that sufficient records be maintained to furnish evidence of activities affecting quality. The records are to include operating logs and results of reviews.
Appendix E to 10 CFR Part 50, Section VI, "Emergency Response Data System," relates to the provision and maintenance of licensee links to the Emergency Response Data System.
In addition, to the extent that the general design criteria (GDCs) of Appendix A to 10 CFR Part 50 are applicable to a power reactor facility, the following criteria also provide a basis for the request:
GDC 13, "Instrumentation and Control," addresses the provision of appropriate instrumentation and controls to monitor and control systems and variables during normal operation, anticipated operational occurrences, and accident conditions as appropriate to ensure adequate safety.
GDC 19, "Control Room," requires the provision of a control room from which actions can be taken to operate the nuclear plant safely.
GDC 23, "Protection System Failure Modes," requires that the protection system be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis.
To alert NPP licensees to the Y2K problem, the NRC issued Information Notice (IN) 96-70, "Year 2000 Effect on Computer System Software," on December 24, 1996. In IN 96-70, the staff described the potential problems that NPP computer systems and software may encounter as a result of the change to the new century and how the Y2K issue may affect NRC licensees. In IN 96-70, the staff encouraged licensees to examine their uses of computer systems and software well before the turn of the century and suggested that licensees consider appropriate actions to examine and evaluate their computer systems for Y2K vulnerabilities. The NRC staff also incorporated recognition of the Y2K concern in the updated Standard Review Plan, NUREG-0800, Chapter 7, "Instrumentation and Control," dated August 1997, which contains guidance for the staff's review of computer-based instrumentation and control systems.
However, on the basis of interactions with the industry, the staff determined that additional assurance that licensees were pursuing the Y2K problem was needed. On this basis, the staff decided to issue the attached generic letter. A notice of opportunity for public comment on the proposed draft generic letter was published in the Federal Register on January 29, 1998. Comments were received from 16 licensees, 2 industry groups, 5 individuals, and the General Accounting Office. Copies of the comments received are available in the NRC Public Docket Room (PDR). A copy of the staff's evaluation of these comments can be found in the NRC Central Files and will be made available in the PDR after the final generic letter is issued. The comments resulted in changes to the proposed draft generic letter to provide clarification but did not change the original intent of the generic letter or the actions requested of NRC licensees.
The Committee To Review Generic Requirements (CRGR) reviewed the proposed draft generic letter during its meeting (Number 313) on January 13, 1998. The staff incorporated the comments provided by CRGR at that meeting. The CRGR reviewed the proposed final generic letter during its meeting (Number 318) on April 17, 1998, and has endorsed the generic letter.
The Office of the General Counsel has reviewed this generic letter and has no legal objections to its content. Furthermore, the Office of Management and Budget has confirmed that the proposed generic letter is a non-major "rule" under the provisions of the Small Business Regulatory Enforcement Fairness Act (see 5 U.S.C., Chapter 8), enacted March 29, 1996.
The Chief Information Officer has no objection to the issuance of the proposed generic letter.
The staff intends to issue this generic letter approximately 5 working days after the date of this information paper.
L. Joseph Callan, Executive Director for Operations
Attachment: Proposed Generic Letter 98-xx, "Year 2000 Readiness of Computer Systems at Nuclear Power Plants"
DISTRIBUTION: Commissioners OGC OCAA OIG OPA OCA ACRS CIO CFO EDO REGIONS SECY
NRC GENERIC LETTER NO 98-XXX: YEAR 2000 READINESS OF COMPUTER SYSTEMS AT NUCLEAR POWER PLANTS
Addressees
All holders of operating licenses for nuclear power plants, except those who have permanently ceased operations and have certified that fuel has been permanently removed from the reactor vessel.
Purpose
The U.S. Nuclear Regulatory Commission (NRC) is issuing this generic letter to require that all addressees provide the following information regarding their programs, planned or implemented, to address the year 2000 (Y2K) problem in computer systems at their facilities: (1) written confirmation of implementation of the programs and (2) written certification that the facilities are Y2K ready with regard to compliance with the terms and conditions of their licenses and NRC regulations.
Description of Circumstances
Simply stated, the Y2K computer problem pertains to the potential for date-related problems that may be experienced by a system or an application. These problems include not representing the year properly, not recognizing leap years, and improper date calculations. An example of a date related problem is the potential misreading of "00" as the year 1900 rather than 2000. These problems can result in the inability of computer systems to function properly by providing erroneous data or failing to operate at all. The Y2K problem has the potential of interfering with the proper operation of computer systems, hardware that is microprocessor-based (embedded software), and software or databases relied upon at nuclear power plants. Consequently, the Y2K problem could result in a plant trip and subsequent complications on tracking post shutdown plant status and recovery due to a loss of emergency data collection.
The Y2K problem is urgent because it has a fixed deadline. It requires priority attention because of the limited time remaining, the uncertain risk that the problem presents, the technical challenges presented, and the scarcity of resources available to correct the problem.
Existing reporting requirements under 10 CFR Part 21, 10 CFR 50.72, and 10 CFR 50.73 provide for notification to the NRC staff of deficiencies and non-conformances, and failures, such as some of those which could result from the Y2K problem in safety-related systems. To date, the NRC staff has not identified or received notification from licensees or vendors that a Y2K problem exists with safety-related initiation and actuation systems.
However, problems have been identified in non-safety, but important, computer-based systems. Such systems, primarily databases and data collection processes necessary to satisfy license conditions, technical specifications, and NRC regulations that are date driven, may need to be modified for Y2K compliance.
Some examples of systems and computer equipment that may be affected by Y2K problems follow:
Security computers
Plant process (data scan, log, and alarm and safety parameter display system) computers
Emergency response systems
Radiation monitoring systems
Dosimeters and readers
Plant simulators
Engineering programs
Communication systems
Inventory control systems
Surveillance and maintenance tracking systems
Control systems
To alert nuclear power plant licensees to the Y2K problem, the NRC issued Information Notice (IN) 96-70, "Year 2000 Effect on Computer System Software," on December 24, 1996. In IN 96-70, the NRC staff described the potential problems that nuclear power plant computer systems and software may encounter as a result of the change to the new century and how the Y2K issue may affect NRC licensees. In IN 96-70, the NRC staff encouraged licensees to examine their uses of computer systems and software well before the turn of the century and suggested that licensees consider appropriate actions for examining and evaluating their computer systems for Y2K vulnerabilities. The NRC staff also incorporated recognition of the Y2K concern in the updated Standard Review Plan, NUREG-0800, Chapter 7, "Instrumentation and Control," dated August 1997, which contains guidance for the NRC staff's review of computer-based instrumentation and control systems.
At the Nuclear Utilities Software Management Group (NUSMG) Year 2000 Workshop, an industry workshop held in July 1997, some nuclear power plant licensees described their Y2K programs and gave examples of areas in which they had addressed Y2K issues in order to ensure the safety and operability of their plants on and after January 1, 2000.
Some of the issues discussed were (1) the evaluation of the impact of the Y2K problem on plant equipment, (2) the assessment process involved in the identification of Y2K-affected components, vendors, and interfaces, (3) the development of Y2K testing strategies, and (4) the identification of budget needs to address the Y2K problem.
The Nuclear Energy Institute (NEI) met with NUSMG and nuclear plant utility representatives in August 1997 to formulate an industry-wide plan to address the Y2K issue. On October 7, 1997, representatives of NEI and NUSMG met with the NRC staff to discuss the actions NEI was taking to help utilities make their plants "Year 2000 ready."
NEI presented a framework document that provides guidance for utilities to use in readying for the Year 2000. The framework document makes a distinction in terminology between "Y2K ready" and "Y2K compliant." "Y2K compliant" is defined as computer systems or applications that accurately process date/time data (including but not limited to calculating, comparing, and sequencing) from, into, and between the 20th and 21st centuries, the years 1999 and 2000, and leap-year calculations. "Y2K ready" is defined as a computer system or application that has been determined to be suitable for continued use into the year 2000 even though the computer system or application is not fully Y2K compliant.
(These definitions have been adopted by the NRC for purposes of this generic letter.)
NEI/NUSMG issued the framework document NEI/NUSMG 97-07, "Nuclear Utility Year 2000 Readiness," to all licensees in November 1997. The document recommends methods for nuclear utilities to attain Y2K readiness and thereby ensure that their facilities remain safe and continue to operate within the requirements of their license. The scope of NEI/NUSMG 97-07 includes software, or software-based systems or interfaces, whose failure (due to the Y2K problem) would (1) prevent the performance of the safety function of a structure, system, or component or (2) degrade, impair, or prevent compliance with the nuclear facility license and NRC regulations.
Discussion
Diverse concerns are associated with the potential impact of the Y2K problem on nuclear power plants because of the variety and types of computer systems in use. The concerns result from licensees' reliance upon (1) software to schedule maintenance and technical specification surveillance, (2) programmable logic controllers and other commercial off-the-shelf software and hardware, (3) digital process control systems, (4) software to support facility operation, (5) digital systems for collection of operating data, and (6) digital systems to monitor post-accident plant conditions. The scope of NEI/NUSMG 97-07 includes the broad range of computers and software-based systems in a nuclear power plant. However, NRC Y2K concerns are limited to safety-related systems and other systems required by the nuclear power plant license and NRC regulations.
One application that is common to all power reactor licensees is the link between plant computers and the NRC's Emergency Response Data System (ERDS). This application performs the communication and data transmission functions that provide near real-time data availability to NRC and State incident response personnel during declared emergencies. The NRC is currently performing Y2K-related upgrades to ERDS, which will maintain the same communication protocol as the current system, with the exception that either 2-digit- or 4-digit-year fields will be accepted. Those licensees that anticipate changes to their ERDS link should allow time in their schedules for retesting their systems.
NRC contractors will support requests for testing on a "first-come, first-served" basis.
NEI/NUSMG 97-07 suggests a strategy for developing and implementing a nuclear utility Y2K program. The strategy recognizes management, implementation, quality assurance (QA) measures, regulatory considerations, and documentation as the fundamental elements of a successful project. The document contains examples currently in use by licensees and also recommends that the Y2K program be administered using standard project management techniques.
The recommended components for management planning are management awareness, sponsorship, project leadership, project objectives, the project management team, the management plan, project reports, interfaces, resources, oversight, and QA. The suggested phases of implementation are awareness, initial assessment (which includes inventory, categorization, classification, prioritization, and analysis of initial assessment), detailed assessment (including vendor evaluation, utility-owned or utility-supported software evaluation, interface evaluation, and remedial planning), remediation, Y2K testing and validation, and notification.
The QA measures apply to project management QA and implementation QA. Regulatory considerations include the performance of appropriate reviews, reporting requirements, and documentation. Documentation of Y2K program activities and results includes documentation requirements, project management documentation, vendor documentation, inventory lists, checklists for initial and detailed assessments, and record retention.
NEI/NUSMG 97-07 also contains examples of various plans and checklists as appendices, which may be used or modified to meet the licensee's specific needs and/or requirements. It should be recognized that NEI/NUSMG 97-07 is programmatic and does not fully address all the elements of a comprehensive Y2K program. In particular, augmented guidance in the area of risk management, business continuity and contingency planning, and remediation of embedded systems is needed to fully address some Y2K issues that may arise in licensee program implementation. The NRC staff believes that the guidance in NEI/NUSMG 97-07, when properly augmented and implemented, presents an example of one possible approach for licensees when addressing the Y2K problem at nuclear power plant facilities.
Another document that provides a useful overview of the elements of an effective Y2K program is a guide issued by the Accounting and Information Management Division (AIMD), U.S. General Accounting Office (GAO), GAO/AIMD-10.1.14, "Year 2000 Computing Crisis: An Assessment Guide," September 1997. This guide is a distillation of the best practices of the Government and the private sector for dealing with the Y2K problem.
It should be noted that the guidance in NEI/NUSMG 97-07 and GAO/AIMD-10.1.14 provides a framework only. Any Y2K program employed at a nuclear facility must be tailored to meet the specific needs and requirements of that facility and should, in general, be composed of the following phases: awareness, assessment, remediation, validation, and implementation. Completion of the Y2K program means the attainment of the program objectives, which could range from all computer systems and applications, including embedded systems, being Y2K compliant, to some being Y2K compliant and the remaining retired or with permanent and/or temporary compensatory measures or work-arounds in place. Also to be considered are the future maintenance requirements for keeping the systems and applications Y2K ready, for example, when the "fixed date window" approach is used.
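The following is an added illustration, not part of the NRC paper or of NEI/NUSMG 97-07, of the "fixed date window" approach and of a reader that accepts either 2-digit or 4-digit year fields, as described for the ERDS upgrade. The pivot value of 50, the MMDDYY record layout, and all function names are assumptions constructed for this example.

```python
from datetime import date

PIVOT = 50  # assumed window: "00"-"49" -> 2000-2049, "50"-"99" -> 1950-1999


def expand_year(field, pivot=PIVOT):
    """Fixed-window reading of a year field; 4-digit fields pass through."""
    if not field.isdigit() or len(field) not in (2, 4):
        raise ValueError("year field must be 2 or 4 digits: %r" % field)
    if len(field) == 4:
        return int(field)
    yy = int(field)
    return (2000 if yy < pivot else 1900) + yy


def naive_year(field):
    """Unremediated reading: the last two digits are always taken as 19xx."""
    return 1900 + int(field[-2:])


def parse_mmddyy(text, year_fn=expand_year):
    """Parse MMDDYY or MMDDYYYY; impossible calendar dates raise ValueError."""
    if not text.isdigit() or len(text) not in (6, 8):
        raise ValueError("expected MMDDYY or MMDDYYYY: %r" % text)
    return date(year_fn(text[4:]), int(text[:2]), int(text[2:4]))


def accepts(text, year_fn=expand_year):
    """True if the record parses to a real calendar date under year_fn."""
    try:
        parse_mmddyy(text, year_fn)
        return True
    except ValueError:
        return False


def days_overdue(due, today, year_fn=expand_year):
    """Positive when 'today' is past 'due' (a surveillance-tracking style check)."""
    return (parse_mmddyy(today, year_fn) - parse_mmddyy(due, year_fn)).days


def first_misread_year(pivot=PIVOT):
    """Earliest real year whose 2-digit form the window sends back to 19xx."""
    return 2000 + pivot


if __name__ == "__main__":
    # Constructed sample records: an item due 12/31/99, checked on 01/01/00.
    print("windowed:", days_overdue("123199", "010100"))
    print("naive:   ", days_overdue("123199", "010100", naive_year))
    # 2000 is a leap year, 1900 is not: the naive reading rejects 02/29/00.
    print("02/29/00 windowed:", accepts("022900"))
    print("02/29/00 naive:   ", accepts("022900", naive_year))
    print("window must be revisited before:", first_misread_year())
```

The last function is the maintenance requirement in concrete form: a windowed system stays Y2K ready only until real dates reach the pivot, after which the same misreading returns.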
It is recognized that in spite of every reasonable effort by licensees to identify and correct Y2K computer system problems at their facilities, some software, applications, equipment, and systems may remain susceptible to the problem. Additionally, software, data, and systems external to the facility could potentially affect the facility adversely. Therefore, to ensure continued safe operation of the facility into the Year 2000 and beyond, contingency plans should be formulated for affected systems and equipment. The concept of Y2K readiness includes the planning, development, and implementation of appropriate contingency plans or compensatory actions for items that are not expected to be Y2K compliant or ready and to address the possible impact of unidentified items and their effect on safe plant operation.
Because of the limited time remaining in which to address the Y2K problem, at some facilities it may be necessary that some remediation and implementation activities be performed during normally scheduled plant outages in order to avoid additional outages to effect these activities. Hence, licensees should plan for this work accordingly. The NRC staff notes that unless the majority of the Y2K program remediation, validation, and implementation activities are completed at a facility by mid-1999, leaving only a few such activities scheduled for the third and fourth quarters of 1999, the facility may not be Y2K ready by the year 2000.
In the course of implementing the Y2K program, problems could be identified that potentially affect the licensing basis of the plants. In certain cases, license amendments may be needed to address the problem resolution. Licensees should plan to submit such license amendments to the NRC on a timely basis. The utility Y2K programs and schedules should have the flexibility to accommodate such an eventuality. In addition, licensees are reminded that any changes to their facilities that affect their current licensing basis must be reviewed in accordance with existing NRC requirements and the change properly documented. Finally, we strongly encourage licensees to share information regarding identified remediation and implementation activities in order to maintain the likelihood that all Y2K problems are identified. We understand that Owners' Groups are implementing this and we encourage this effort.
Required Response
In order to gain the necessary assurance that addressees are effectively addressing the Y2K problem with regard to compliance with the terms and conditions of their licenses and NRC regulations, the NRC staff requires that all addressees submit a written response to this generic letter as follows:
(1) Within 90 days of the date of this generic letter, submit a written response indicating whether or not you have pursued and are continuing to pursue a Y2K program as, or similar to, that outlined in NEI/NUSMG 97-07, augmented appropriately in the areas of risk management, contingency planning, and remediation of embedded systems. If your program significantly differs from the NEI/NUSMG guidance, present a brief description of the programs that have already been completed, are being conducted, or are planned to ensure Y2K readiness of the computer systems at your facility(ies). This response must address the program's scope, assessment process, plans for corrective actions (including testing and schedules), QA measures, contingency plans, and regulatory compliance.
(2) Upon completing your Y2K program or, in any event, no later than July 1, 1999, submit a written response confirming that your facility is Y2K ready, or will be Y2K ready, by the year 2000 with regard to compliance with the terms and conditions of your license(s) and NRC regulations. If your program is incomplete as of that date, your response must contain a status report, including completion schedules, of work remaining to be done to confirm your facility is/will be Y2K ready by the year 2000.
Address the written reports to the U.S. Nuclear Regulatory Commission, Attention: Document Control Desk, Washington, D.C. 20555-0001, under oath or affirmation under the provisions of Section 182a, Atomic Energy Act 1954, as amended, and 10 CFR 50.54(f). In addition, submit a copy to the appropriate regional administrator.
Backfit Discussion
This generic letter requires information from addressees under the provisions of Section 182a of the Atomic Energy Act of 1954, as amended, and 10 CFR 50.54(f). The required information will enable the staff to verify that each nuclear power plant licensee is implementing an effective plan to address the Y2K problem and provide for safe operation of the facility before January 1, 2000, and is in compliance with the terms and conditions of their license(s) and NRC regulations. The following NRC regulations form a basis for this requirement:
10 CFR 50.36, "Technical Specifications," paragraph (c)(3), "Surveillance Requirements," and paragraph (c)(5), "Administrative controls." These sections relate, respectively, to requirements pertaining to testing, calibration, or inspection to ensure that the necessary quality of systems and components is maintained and to provisions relating to management, procedures, recordkeeping, and review and audit necessary to ensure operation of the facility in a safe manner.
10 CFR 50.47, "Emergency Plans," paragraph (b)(8), which relates to the provision and maintenance of adequate emergency facilities and equipment to support the emergency responses.
Appendix B to 10 CFR Part 50, Criterion III, "Design Control," requires that design control measures shall provide for verifying or checking the adequacy of design, such as by the performance of design reviews, by the use of alternate or simplified calculational methods, or by the performance of a suitable testing program.
Appendix B to 10 CFR Part 50, Criterion XVII, "Quality Assurance Records," requires that sufficient records shall be maintained to furnish evidence of activities affecting quality. The records are to include operating logs and the results of reviews.
Appendix E to 10 CFR Part 50, Section VI, "Emergency Response Data System," which relates to the provision and maintenance of licensee links to the ERDS.
Appendix A to 10 CFR Part 50, General Design Criterion (GDC) 13, "Instrumentation and Control," which addresses the provision of appropriate instrumentation and controls to monitor and control systems and variables during normal operation, anticipated operational occurrences, and accident conditions, as appropriate, to ensure adequate safety.
Appendix A to 10 CFR Part 50, GDC 19, "Control Room," which requires the provision of a control room from which actions can be taken to operate the nuclear plant safely.
Appendix A to 10 CFR Part 50, GDC 23, "Protection System Failure Modes," which requires that the protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis.
Paperwork Reduction Act Statement
This generic letter contains information collections that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). These information collections were approved by the Office of Management and Budget (OMB), approval number 3150-0011, which expires on September 30, 2000.
The public reporting burden for this collection of information is estimated to average 100 hours per response, including the time for reviewing the instructions, searching data sources, gathering and maintaining the needed data, and completing and reviewing the information collected. This estimate assumes a licensee's response simply confirms the existence of a Y2K program, similar to that outlined in NEI/NUSMG 97-07, and that the program will be completed by July 1, 1999. Licensees whose Y2K program significantly differs from the NEI/NUSMG guidance or whose Y2K program will not be completed by July 1, 1999, must submit additional information to the NRC.
The NRC is seeking public comment on the potential impact of the collection of information contained in this generic letter and on the following issues:
1. Is the proposed collection of information necessary for the proper performance of the functions of the NRC, including whether the information will have practical utility?
2. Is the estimate of burden accurate?
3. Is there a way to enhance the quality, utility, and clarity of the information to be collected?
4. How can the burden of the collection of information be minimized, including the use of automated collection techniques?
Send comments on the burden estimate and any aspect of this collection of information, including suggestions for reducing this burden, to the Information and Records Management Branch, T 6 F33, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555-0001, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202 (3150-0011), Office of Management and Budget, Washington, D.C. 20503.
The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.
If you have any questions about this matter, please contact one of the technical contacts listed below or the appropriate Office of Nuclear Reactor Regulation (NRR) project manager.
Jack W. Roe, Acting Director
Division of Reactor Program Management
Office of Nuclear Reactor Regulation
Technical Contact: M. Chiramal, NRR 301-415-2845 E-mail: mxc@nrc.gov
Lead Project Manager: Allen G. Hansen, NRR 301-415-1390 agh@nrc.gov
Attachment: List of Recently Issued NRC Generic Letters