[Federal Register Volume 64, Number 162 (Monday, August 23, 1999)]
[Proposed Rules]
[Pages 45900-45907]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-21750]


 ========================================================================
 Proposed Rules
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains notices to the public of 
 the proposed issuance of rules and regulations. The purpose of these 
 notices is to give interested persons an opportunity to participate in 
 the rule making prior to the adoption of the final rules.
 
 ========================================================================
 

  Federal Register / Vol. 64, No. 162 / Monday, August 23, 1999 / 
Proposed Rules  

[[Page 45900]]


-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

10 CFR Parts 30, 40, 50, and 70

[Docket No. PRM-50-65]


Nuclear Information and Resource Service; Petition for Rulemaking 
Denial

AGENCY: Nuclear Regulatory Commission.

ACTION: Petition for rulemaking; denial.

-----------------------------------------------------------------------

SUMMARY: The Nuclear Regulatory Commission (NRC) is denying a petition 
for rulemaking (PRM-50-65) from the Nuclear Information and Resource 
Service (NIRS). The petitioner requested that NRC amend its regulations 
to require the shutdown of nuclear facilities that are not compliant 
with date-sensitive, computer-related issues regarding the Year 2000 
(Y2K) issue. The petitioner requested that NRC take this action to 
ensure that Y2K issues will not cause the failure of nuclear safety 
systems and thereby pose a threat to public health and safety. NRC is 
denying the petition because the Commission has determined that the 
actions taken by licensees to implement a systematic and structured 
facility-specific Y2K readiness program and NRC's oversight of the 
licensees' implementation of these Y2K readiness programs provide 
reasonable assurance of adequate protection to public health and 
safety.

ADDRESSES: Copies of the petition for rulemaking, the public comments 
received, and NRC's letters to the petitioners are available for public 
inspection or copying in the NRC Public Document Room, 2120 L Street, 
NW. (Lower Level), Washington, DC, as well as on NRC's rulemaking 
website at http://ruleforum.llnl.gov.

FOR FURTHER INFORMATION CONTACT: Matthew Chiramal, Office of Nuclear 
Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 
20555-0001, telephone 301-415-2845, E-mail address <[email protected]>, or 
Gary W. Purdy, Office of Nuclear Material Safety and Safeguards, U.S. 
Nuclear Regulatory Commission, Washington, DC 20555-0001, telephone 
301-415-7897, E-mail address <[email protected]>.

SUPPLEMENTARY INFORMATION:

Background

    NRC received three related petitions for rulemaking (PRM-50-65, 
PRM-50-66, and PRM-50-67), each dated December 10, 1998, submitted by 
NIRS concerning various aspects of Y2K issues and nuclear safety. This 
petition (PRM-50-65) requested that NRC adopt regulations that would 
require facilities licensed by NRC under 10 CFR Parts 30, 40, 50, and 
70 to be Y2K compliant. The second petition (PRM-50-66) requested that 
NRC adopt regulations that would require facilities licensed by NRC 
under 10 CFR Part 50 to develop and implement adequate contingency and 
emergency plans to address potential system failures. The third 
petition (PRM-50-67) requested that NRC adopt regulations that would 
require facilities licensed by NRC under 10 CFR Parts 50 and 70 to 
provide reliable sources of back-up power. Because of the nature of 
these petitions and the date-specific issues they address, the 
petitioner requested that the petitions be addressed on an expedited 
schedule.
    On January 25, 1999, NRC published a notice of receipt of a 
petition for rulemaking in the Federal Register (64 FR 3789). It was 
available on NRC's rulemaking website and in the NRC Public Document 
Room. The notice of receipt of a petition for rulemaking invited 
interested persons to submit comments by February 24, 1999.

The Petition

    The petitioner requested that NRC adopt the following text as a 
rule:

    Any and all facilities licensed by the Nuclear Regulatory 
Commission under 10 CFR Parts 30, 40, 50, and 70 shall be closed by 
12 pm Eastern Standard Time, December 1, 1999, unless and until each 
facility has: (a) fully and comprehensively examined all computer 
systems, embedded chips, and other electronic equipment that may be 
date-sensitive to ensure that all such systems that may be relevant 
to safety are Y2K compliant; (b) repaired, modified, and/or replaced 
all such systems that are not found to be Y2K compliant; (c) made 
available to the public all information related to the examination 
and repair, modification and/or replacement of all such systems; (d) 
determined, through full-scale testing, that all repairs, 
modifications, and/or replacements of all such systems are, in fact, 
Y2K compliant.

    The petitioner noted that in NRC Generic Letter (GL) 98-01, ``Year 
2000 Readiness of Computer Systems at Nuclear Power Plants,'' dated May 
11, 1998, the NRC has recognized the potential for date-related 
problems that may affect a system or application (the Y2K problem). 
These potential problems include not representing the year properly, 
not recognizing leap years, and improper date calculations. These 
problems could result in the inability of computer systems to operate 
or to function properly. The petitioner stated that the Y2K problem 
could potentially interfere with the proper operation of computer 
systems, microprocessor-based hardware, and software or databases 
relied on at nuclear power plants. Further, the petitioner asserted 
that the Y2K problem could result in a plant trip and subsequent 
complications in tracking post-shutdown plant status and recovery as a 
result of a loss of emergency data collection. Additionally, the 
petitioner is also concerned that power grids providing offsite power 
to nuclear stations could be affected to the extent that localized and 
widespread grid failures could occur.
    The petitioner acknowledged that NRC has recognized the potential 
safety and environmental problems that could result if date-sensitive 
electronic systems fail to operate or provide false information. The 
petitioner asserted that NRC has required its licensees of reactor and 
major fuel cycle facilities to report by July 1, 1999, on their 
programs to ensure compliance with Y2K issues. In addition, the 
petitioner asserted that NRC has not made explicit how it will define 
compliance nor what it plans to do for licensees of facilities that 
cannot prove compliance. In the petitioner's suggested regulatory text, 
NIRS defined compliance with Y2K issues as evaluation of all potential 
problems that may be safety-related, repair of all such problems, and 
full-scale testing of all solutions. The petitioner's proposed 
regulation would also require full public disclosure of all evaluation, 
repair, and testing data so that the information may be examined by 
independent experts and the public. Finally, the petitioner's proposed 
regulation would make it clear that nuclear facilities will be closed

[[Page 45901]]

until they can demonstrate full compliance with Y2K issues.
    The petitioner concluded by stating that NRC is obligated to act 
decisively to protect public health and safety and the environment. 
NIRS stated that anything short of the suggested approach in the 
petition is insufficient to fulfill this obligation and that NRC should 
adopt the suggested regulation as soon as possible.

Public Comments on the Petition

    In response to the petition, NRC received 70 comment letters, 
including 1 letter signed by 25 individuals from the State of Michigan, 
3 letters from industry groups, 10 letters from utilities, 13 letters 
from private organizations, and 43 letters from private citizens.
    Fifty-four letters supported the petition, 40 of which were from 
private citizens, 13 were from private organizations, and 1 that was 
signed by 25 individuals. The comments supporting the petition 
addressed concerns related to avoiding the occurrence of a catastrophic 
nuclear accident, the reasonableness of the petitioner's request, and 
opined that any uncertainty is too great for the nuclear industry.
    Sixteen letters opposed the petition, of which 3 were from private 
citizens, 3 were from associated industries, and 10 were from 
utilities. The comments opposing the petition stated that the nuclear 
power industry has taken a coordinated approach to Y2K readiness, 
nuclear power plant licensees are implementing a structured Y2K 
program, NRC Y2K initiatives are underway, NRC staff is monitoring 
licensee activities, and current regulations and license conditions are 
adequate to address potential Y2K computer issues.
    In some of the letters supporting the petition, the authors 
included the following additional comments that provide information or 
request action that was not contained in the petition. These comments 
noted:
    1. The date proposed in the petition, December 1, 1999, to shut 
down all non-Y2K compliant nuclear power plants should be moved up 1 to 
6 months before the year 2000. The reasons given were to allow 
sufficient time to shut down and to provide additional safety.
    2. Power grid failure would not allow controlled shutdown of the 
plant and plants could experience problems like the Russians. The Y2K 
problem could increase the chance of a core melt.
    3. The problem of ``embedded systems,'' microchips, 
microprocessors, and such systems-within-systems are difficult to 
identify and the effects of their multiple failures are poorly 
understood, especially in the U.S. power grid.
    4. The audits conducted by NRC staff are too few.
    These comments are addressed specifically in the discussion of 
``Reasons for Denial.''

Reasons for Denial

    The NRC is denying the NIRS petition because the NRC has determined 
that: (1) the actions taken by licensees to implement a systematic and 
structured facility-specific Y2K readiness program; and (2) NRC's 
oversight of licensees' implementation of these Y2K readiness programs 
together constitute an effective process for addressing Y2K issues such 
that there will continue to be reasonable assurance of adequate 
protection of public health and safety. NIRS has not presented any 
information (and no public comments have been received) that 
demonstrates that: (1) the licensees' activities are fundamentally 
incapable of effectively addressing Y2K issues in a timely fashion; (2) 
licensees are not adequately implementing the Y2K readiness programs; 
(3) NRC's inspection, audit, and oversight activities are fundamentally 
incapable of providing adequate regulatory control with respect to 
licensee implementation of Y2K readiness programs; and (4) the NRC is 
not effectively implementing its inspection, audit, and oversight 
activities with respect to Y2K issues. Finally, NIRS has not provided 
any basis why the NRC's current regulatory approach, which retains the 
regulatory authority to order licensees to discontinue or modify their 
licensed activities if the NRC finds that reasonable assurance of 
adequate protection to public health and safety will not be provided 
because of Y2K issues, will be inadequate in view of the 6-month time 
period between July 1, 1999, when licensees are required to inform the 
NRC of the status of their Y2K remediation activities and the December 
31, 1999, date, when Y2K-induced problems are most likely to begin 
occurring.
    Parts (a), (b), and (d) of the NIRS proposed rule are addressed 
below in Sections I, II, III, IV, and V for Part 50 operating nuclear 
power plants, Part 50 non-power reactors, Part 50 decommissioning 
nuclear power plants, major licensees under Parts 40 and 70, and Part 
30 and minor Parts 40 and 70 licensees, respectively. Part (c) of NIRS' 
proposed rule, concerning public access to Y2K information, is 
addressed for all types of licensees in Section VI.

I. Part 50 Operating Nuclear Power Plant Licensees

A. Industry and NRC Activities Addressing Y2K

    To alert nuclear facility licensees to the Y2K problem, NRC issued 
Information Notice (IN) 96-70, ``Year 2000 Effect on Computer System 
Software,'' on December 24, 1996. IN 96-70 described the potential 
problems that nuclear power plant computer systems and software may 
encounter as a result of the change to the new century and how the Y2K 
issue may affect NRC licensees. IN 96-70 encouraged licensees to 
examine their uses of computer systems and software well before the 
year 2000 and suggested that licensees consider appropriate actions for 
examining and evaluating their computer systems for Y2K 
vulnerabilities.
    In 1997, the nuclear industry began to assess the Y2K challenge and 
work with key Federal agencies to help nuclear power plant operators 
prepare for continued safe operations at the start of the year 2000. In 
July 1997, the Nuclear Utilities Software Management Group (NUSMG), a 
nuclear industry working group, conducted the first industry-wide 
workshop on Y2K readiness.
    In October 1997, the Nuclear Energy Institute (NEI) and NUSMG 
issued a Y2K program plan guidance document, NEI/NUSMG 97-07, ``Nuclear 
Utility Year 2000 Readiness,'' to all U.S. nuclear power plant 
licensees. This document provides a step-by-step method to identify, 
test, and repair potential Y2K computer problems and contains detailed 
procedures and checklists for resolving Y2K issues, based on the best 
utility practices.
    NEI/NUSMG 97-07 presented a strategy for developing and 
implementing a nuclear utility Y2K program. The strategy recognizes 
management, implementation, quality assurance (QA) measures, regulatory 
considerations, and documentation as the fundamental elements of a 
successful Y2K project. The document contains examples currently in use 
by licensees and also recommends that the Y2K program be administered 
using standard project management techniques. The recommended 
components for management planning are management awareness, 
sponsorship, project leadership, project objectives, the project 
management team, the management plan, project reports, interfaces, 
resources, oversight, and QA. The suggested phases of implementation 
are awareness, initial assessment (which includes inventory, 
categorization, classification,

[[Page 45902]]

prioritization, and analysis of initial assessment), detailed 
assessment (including vendor evaluation, utility-owned or utility-
supported software evaluation, interface evaluation, and remedial 
planning), remediation, Y2K testing and validation, and notification.
    Y2K testing is used both as an investigative tool to examine 
systems and components to identify Y2K problems and as a validation 
tool to confirm that the corrective actions have eliminated the Y2K 
problem. Y2K testing in support of evaluation efforts to determine 
whether a Y2K problem is present is performed during detailed 
assessments. Systems and components will then be repaired or replaced 
in a process known as ``remediation.'' Y2K testing subsequent to 
remediation is performed to determine whether the remediation efforts 
have eliminated the Y2K problem and no unintended functions are 
introduced. Y2K testing may be performed at several levels:
     Unit testing, which focuses on functional and compliance 
testing of a single application or software module;
     Integration testing, which tests the integration of 
related software modules and applications; and
     System testing, which tests the hardware and software 
components of a system.
    For systems, components, and equipment classified as safety-related 
or critical to operations, the Y2K remediation activities include Y2K 
testing. On one end of the spectrum, there are the stand-alone, date-
aware, microprocessor-based components that do not communicate digital 
information to any other devices. Properly performed bench testing of 
these devices, by the licensee or the vendor, coupled with software/
firmware revision-level verification of the field devices as required, 
is adequate to establish their Y2K status. Repeating this test in the 
field as part of a plant-wide integrated test will not add any 
additional benefits related to system Y2K readiness. On the other end 
of the spectrum, the most highly complex systems, such as distributed 
control systems, may require in-plant testing of the remediated system. 
This testing may include a large portion of the plant equipment. 
However, even in this case, the maximum bounds of the test would 
involve the individual system being tested and the other devices and 
systems with which it communicates digital/date-related information.
    NEI/NUSMG 97-07 specifies the QA measures that will apply to the 
activities in NEI/NUSMG 97-07 that apply primarily to project 
management and implementation. Documentation of Y2K program activities 
and results includes documentation requirements, project management 
documentation, vendor documentation, inventory lists, checklists for 
initial and detailed assessments, and record retention. NEI/NUSMG 97-07 
also contains examples of various plans and checklists as appendices 
that may be used or modified to meet the licensee's specific needs and/
or requirements.
    After issuing NEI/NUSMG 97-07, NEI conducted workshops and other 
means of sharing the experiences on the use of the document. In 
November 1997, NEI and NUSMG conducted the first in a series of 
industry-wide workshops on Y2K issues for project managers in charge of 
ensuring Y2K readiness at all operating nuclear power plants. In 
December 1997, NEI created an on-line bulletin board to share technical 
information and experiences related to testing and repairing computers 
and equipment.
    In January 1998, the NRC issued a draft generic letter for public 
comment which proposed: (1) that licensees of operating nuclear power 
plants be required to provide certain information regarding their 
programs that address the Y2K problem in computer systems at their 
facilities; and (2) to endorse the guidance in NEI/NUSMG 97-07 as one 
possible approach in implementing a plant-specific Y2K readiness 
program, if augmented in the area of risk management, contingency 
planning, and remediation of embedded systems [Federal Register (63 FR 
4498)]. In the absence of adverse comment on the adequacy of the 
guidance in NEI/NUSMG 97-07, the NRC issued GL 98-01 on May 11, 1998 
[Federal Register (63 FR 27607)]. In August 1998, NEI issued an 
industry document, NEI/NUSMG 98-07, ``Nuclear Utility Year 2000 
Readiness Contingency Planning,'' that provided additional guidance for 
establishing a plant-specific contingency planning process. NEI/NUSMG 
98-07 addressed management controls, preparation of individual 
contingency plans, and development of an integrated contingency plan 
that allows the licensee to manage internal and external risks 
associated with Y2K-induced events. External events that should be 
considered for facility-specific contingency planning include electric 
grid/transmission/distribution system events, such as loss of off-site 
power, grid instability and voltage fluctuations, load fluctuations and 
loss of grid control systems; loss of emergency plan equipment and 
services; loss of essential services; and depletion of consumables. NRC 
considers the guidance in NEI/NUSMG 98-07, when properly implemented, 
as an acceptable approach for licensees to mitigate and manage Y2K-
induced events that could occur on Y2K-critical dates. In GL 98-01, NRC 
required all operating nuclear power plant licensees to submit written 
responses regarding their facility-specific Y2K readiness program in 
order to confirm that they are addressing the Y2K problem effectively. 
All licensees have responded to GL 98-01, stating that they have 
adopted a plant-specific Y2K readiness program based on the guidance of 
NEI/NUSMG 97-07, and the scope of the program includes identifying and, 
where appropriate, remediating, embedded systems, and provides for risk 
management and the development of contingency plans.
    GL 98-01 1 also requests a written response, no later 
than July 1, 1999, confirming that these facilities are Y2K ready with 
regard to compliance with the terms and conditions of their license and 
NRC regulations. Licensees that are not Y2K ready by July 1, 1999, must 
provide a status report and schedule for the remaining work to ensure 
timely Y2K readiness. By July 1, 1999, all licensees responded to GL 
98-01, Supplement 1. The responses indicated that 68 plants are Y2K 
ready and 35 plants need to complete work on a few non-safety computer 
systems or devices after July 1, 1999 to be Y2K ready.
---------------------------------------------------------------------------

    \1\ On January 14, 1999, NRC issued GL 98-01, Supplement 1, 
``Year 2000 Readiness of Computer Systems at Nuclear Power Plants,'' 
which provided licensees with a voluntary alternate response to that 
required by GL 98-01. The alternate response, also due by July 1, 
1999, should provide information on the overall Y2K readiness of the 
plant, including those systems necessary for continued plant 
operation that are not covered by the terms and conditions of the 
license and NRC regulations.
---------------------------------------------------------------------------

    As part of its oversight of licensee Y2K activities, NRC staff 
conducted sample audits of 12 plant-specific Y2K readiness programs. 
The objectives of the audits were to--
     Assess the effectiveness of licensees' programs for 
achieving Y2K readiness and in addressing compliance with the terms and 
conditions of their license and NRC regulations and continued safe 
operation.
     Evaluate program implementation activities to ensure that 
licensees are on schedule to achieve Y2K readiness in accordance with 
GL 98-01 guidelines.
     Assess licensees' contingency planning for addressing 
risks associated with events resulting from Y2K problems.
    The NRC determined that this approach was an appropriate means of 
oversight of licensee Y2K readiness efforts because: (1) all licensees 
had committed to the nuclear power

[[Page 45903]]

industry Y2K readiness guidance (NEI/NUSMG 97-07) in their first 
response to NRC GL 98-01; and (2) the audit would verify that licensees 
were effectively implementing the guidelines. The audit sample of 12 
licensees included large utilities such as Commonwealth Edison and 
Tennessee Valley Authority as well as small single-unit licensees such 
as North Atlantic Energy (Seabrook) and Wolf Creek Nuclear Operating 
Corporation. The NRC staff selected a variety of types of plants of 
different ages and locations in this sample in order to obtain the 
necessary assurance that nuclear power industry Y2K readiness programs 
are being effectively implemented and that licensees are on schedule to 
meet the readiness target date of July 1, 1999, established in GL 98-
01. Also, NRC staff had not identified any Y2K problems in safety-
related actuation systems as part of its audit activities.
    In late January 1999, the NRC staff completed the 12 audits. At the 
conclusion of the audits, the NRC staff had the following observations:
     Plant-specific Y2K projects based on NEI/NUSMG 97-07 began 
in mid to late 1997. Use of NEI/NUSMG 97-07 guidance results in an 
effective, structured program. The programs are generally on schedule 
for plants to be Y2K ready by July 1, 1999. However, at some plants the 
licensees have scheduled some remediation, testing, and final 
certification for the fall 1999 outage.
     Management oversight is vital for program effectiveness.
     Sharing information through owners groups, utility 
alliances, the Electric Power Research Institute, and NEI is aiding the 
overall nuclear industry effort.
     Independent audits and peer reviews of programs are very 
useful.
     Safety system functions are usually not affected. There is 
limited computer use in safety-related systems and components.
     Failures identified in embedded devices have generally not 
affected the functions performed but have led to errors such as 
incorrect dates in printouts, logs, or displays.
     Central control of Y2K program activities, effective QA 
(including the use of existing plant procedures and controls), and 
independent peer reviews promote consistency across activities and 
improve the program.
    On the basis of these audit observations, the NRC staff concluded 
that the audited licensees are effectively addressing Y2K issues and 
are undertaking the actions necessary to achieve Y2K readiness in 
accordance with the GL 98-01 target date, although some plants will 
have some remediation, testing, and final certification scheduled for 
the fall 1999 outage. The NRC staff did not identify any issues that 
would prevent these licensees from achieving Y2K readiness.
    Licensee Y2K contingency planning efforts had not progressed far 
enough during the original 12 audits for a complete NRC staff review of 
the adequacy of implementation of the Y2K activities. Therefore, the 
NRC staff audited the contingency planning efforts of six licensees 
different from the 12 included in the initial sample Y2K readiness 
audits. These audits focused on the licensee's approach to addressing 
both internal and external Y2K risks to safe plant operations based on 
the guidance in NEI/NUSMG 98-07. These audits were completed in June 
1999.
    In addition to NRC staff activities addressed above, NRC regional 
staff reviewed plant-specific Y2K program implementation activities at 
all operating nuclear power plants. The regional staff used guidance 
prepared by NRC Headquarters staff, which conducted the 12 sample 
audits. These reviews were completed by July 1999. One of the public 
comments received by NRC in response to the petition indicated that the 
audits conducted by NRC staff are too few. On the basis of the 
information above, the NRC staff has reviewed the Y2K programs at all 
operating nuclear power plants, thereby addressing this comment.
    NRC staff will continue its oversight of Y2K issues at nuclear 
power plants through the remainder of 1999. On the basis of the reviews 
of the licensee responses to GL 98-01, Supplement 1, findings of the 
additional audits and reviews, and any additional information, NRC 
will, by September 1999, determine the need for issuing orders to 
address Y2K readiness issues, including, if warranted, shutdown of a 
plant. At this time, NRC believes that all licensees will be able to 
operate their plants safely during the transition from 1999 to 2000 and 
does not believe that significant plant-specific action directed by NRC 
is likely to be needed.
    As discussed above, GL 98-01 set a date of July 1, 1999, for 
licensees to submit information on their efforts to complete their 
plant-specific Y2K program. The July 1, 1999, date was selected to 
ensure that there would be adequate time for the Commission to 
determine what additional regulatory action, if any, would be necessary 
to ensure that Y2K problems will not threaten adequate protection to 
public health and safety. Licensees of plants with a projected 
completion date by September 30, 1999, will be monitored to ensure that 
the schedules are maintained. Completion of plant-specific items 
identified by licensees in the generic letter responses will be 
documented in routine NRC inspection reports. The licensees of the 
plants that are scheduled to be Y2K ready after September 30 will 
receive additional scrutiny on a case-by-case basis to ensure that no 
Y2K deficiencies remain. If, by September 30, 1999, it appears that Y2K 
readiness activities will not be completed by December 31, 1999 
transition such that there is sufficient assurance that all license 
conditions and relevant NRC regulations 2 are met, the NRC 
will take appropriate regulatory action, including the issuance of 
orders requiring specific actions, if warranted. NIRS presents no 
information or argument why these above actions by the licensees and 
the inspection, auditing, and oversight activities of the NRC are 
insufficient to address Y2K problems, such that actions required in 
NIRS' proposed rule are necessary.
---------------------------------------------------------------------------

    \2\ These regulations are--
     10 CFR 50.36, ``Technical Specifications,'' paragraph 
(c)(3), ``Surveillance requirements,'' and paragraph (c)(5), 
``Administrative controls.''
     10 CFR 50.47, ``Emergency Plans,'' paragraph (b)(8).
     Appendix B to 10 CFR Part 50, Criterion III, ``Design 
Control,'' and Criterion XVII, ``Quality Assurance Records.''
     Appendix E to 10 CFR Part 50, Section VI, ``Emergency 
Response Data System.''
     Appendix A to 10 CFR Part 50, General Design Criterion 
(GDC) 13, ``Instrumentation and Control''; GDC 19, ``Control Room''; 
and GDC 23, ``Protection System Failure Modes.''
---------------------------------------------------------------------------

B. The Need for Y2K ``Compliance,'' as Opposed to ``Readiness''

    NIRS' proposed rule would require that nuclear power plants be shut 
down by December 1, 1999, unless licensees demonstrate that Y2K 
compliance has been achieved. However, NIRS has not explained why ``Y2K 
compliance,'' as opposed to ``Y2K readiness,'' is necessary. ``Y2K 
compliant'' is generally understood as referring to computer systems or 
applications that accurately process date/time data (including but not 
limited to calculating, comparing, and sequencing) from, into, and 
between the 20th and 21st centuries, the years 1999 and 2000, and leap-
year calculations. ``Y2K ready'' is generally understood as referring 
to a computer system or application that has been determined to be 
suitable for continued use into the year 2000 even though the computer 
system or application is not fully Y2K compliant. For ``Y2K ready'' 
systems, licensees may have to rely upon work arounds and other 
activities to ensure that the systems, components,

[[Page 45904]]

and equipment function as intended. Prudence might lead to Y2K 
compliance as an objective for remedial activities in order to reduce 
licensee costs of implementing workarounds and other activities in the 
interim until full Y2K compliance is achieved. However, protection of 
public health and safety does not necessitate establishment of Y2K 
compliance as a regulatory requirement, and failure to achieve 
compliance should not require plant shutdown, so long as Y2K readiness 
is achieved. Accordingly, the NRC does not believe that a rule that 
requires Y2K compliance, or Y2K readiness, is appropriate or necessary 
for ensuring reasonable assurance of adequate protection at nuclear 
power plants after December 1, 1999.

C. Limited Susceptibility of Nuclear Power Plant Systems to Y2K 
Problems

    NRC audits and reviews indicate that most nuclear power plant 
systems necessary for shutting down the reactor and maintaining it in a 
safe shutdown condition are not susceptible to Y2K problems. The 
majority of commercial nuclear power plants have protection systems 
that are analog rather than digital. Because Y2K concerns are 
associated with digital systems, analog reactor protection system 
functions are not affected by the Y2K issue. Errors such as incorrect 
dates in printouts, logs, or displays have been identified by licensees 
in safety-related devices, but the errors do not affect the functions 
performed by the devices or systems. Most Y2K issues are in balance-of-
plant and other systems that have no direct functions necessary for 
safe operation of the reactor.
    With respect to safety systems using digital electronics that are 
necessary for performing safe-shutdown and maintaining the reactor in a 
safe shutdown condition, licensees are undertaking the NEI/NUSMG 97-07 
and NEI/NUSMG 98-07 processes described above for addressing Y2K 
problems. With respect to balance-of-plant systems, licensees 
implementing their plant-specific Y2K program are classifying important 
balance-of-plant and other non-safety-related systems (such as those 
that support continued plant operations, provide information and aid to 
the plant operators like sequence-of-events monitoring for tracking 
post-shutdown status of plants, and whose failure could lead to a plant 
transient or trip) as ``mission-critical'' or ``high.'' Systems and 
equipment classified as mission-critical or high, when found to be Y2K 
susceptible during the assessment stage of the Y2K program, are also 
scheduled to be remediated similar to safety-related systems.
    In sum, the NRC believes that the actual scope of plant systems 
necessary to provide reasonable assurance of adequate protection to 
public health and safety, which are potentially susceptible to Y2K 
problems, is relatively limited and that the licensees' current 
activities are sufficient to ensure that Y2K problems will not 
adversely affect safety-related or balance-of-plant systems.

D. Public Comments

    One public comment in support of the NIRS petition stated that 
embedded chips are difficult to identify and the effects of their 
failures are poorly understood, especially in the U.S. power grid. When 
the NRC staff was developing GL 98-01, it recognized that embedded 
systems pose a potential Y2K problem that must be recognized and 
addressed in any successful Y2K effort. Accordingly, GL 98-01 informed 
licensees that Y2K programs should be augmented to address remediation 
of embedded systems. Licensees have stated in their responses to the 
generic letter that embedded systems are being addressed in their Y2K 
programs, and these statements have been confirmed by NRC audits to 
date. NRC understands that the electric utilities providing power to 
the grid have similar efforts underway that are being monitored by the 
North American Electric Reliability Council.
    One public comment in support of the petition indicated that the 
rule should require nuclear power plants to shut down 6 months before 
the end of 1999 to allow a safe period of time to shut down the plant. 
The NRC does not agree that it takes 6 months to safely shut down a 
plant. Under normal conditions, it takes several hours to safely shut 
down a nuclear power plant by reducing reactor power gradually. 
However, in an emergency, the reactor can be shut down safely within 
seconds, either automatically or manually. The reactor will be shut 
down automatically by the reactor protection system upon the sensing of 
an unusual condition. Moreover, the operator always has the capability 
to manually shut down the reactor using the reactor protection system. 
Accordingly, the NRC does not agree that it is necessary to shut down 
nuclear power plants 6 months before the end of 1999 in order to ensure 
a safe shutdown of the plants.
    A commenter in favor of the petition stated that the Y2K problem 
could increase the chance of a meltdown. However, the commenter did not 
provide any basis for this assertion. The NRC disagrees with the 
commenter. Safety functions performed by the reactor protection system 
for shutting down the reactor and by the engineered safety features 
actuation for mitigating accidents, cooling down the reactor, and 
providing emergency power to safety systems upon a loss of offsite 
power are not affected by the Y2K problem. Although there is some 
concern that the reliability of the offsite power sources may be lower 
during the Y2K transition, if a loss of offsite power were to occur 
because of Y2K, the plant would trip automatically because all nuclear 
plants are designed for such an event. The emergency onsite power 
supply system would provide power to the safety system equipment 
automatically. This sequence of events is not affected by the Y2K 
problem because all these safety systems do not rely upon computer-
operated systems or components that are date-sensitive. For these 
reasons, the NRC disagrees that a Y2K problem could increase the 
probability of a core melt accident at a nuclear power plant.
    One public comment in support of the petition indicated that the 
audits conducted by NRC staff are too few. The NRC has responded to 
this comment in section I.A.

E. Summary

    The NRC believes that licensees' Y2K activities and programs, 
considered together with NRC oversight activities, provide a reasonable 
approach for ensuring that Y2K problems will not pose an unreasonable 
threat to public health and safety. NIRS has not explained why this 
regulatory approach will not provide reasonable assurance of adequate 
protection from any potential Y2K-initiated problems at operating 
nuclear power plants, such that the rule proposed by NIRS is necessary.

II. Part 50 Non-Power Reactor Licensees

    NRC used several methods to inform all non-power reactor (NPR) 
licensees of the need to ensure that their facilities are ready for the 
year 2000. In 1996, NRC staff contacted all NPR licensees informing 
them of a potential for problems in systems either controlling or 
supporting the reactor because of Y2K issues. In December 1996, NRC 
issued IN 96-70 to alert nuclear facility licensees to the Y2K problem. 
IN 96-70 described the potential problems that nuclear power plant 
computer systems and software may encounter as a result of the change 
to the new century and how the Y2K issue may affect NRC licensees. IN 
96-70 encouraged all licensees to examine their uses of computer 
systems and software well

[[Page 45905]]

before the year 2000. IN 96-70 also suggested that licensees consider 
appropriate actions for examining and evaluating their computer systems 
for Y2K vulnerabilities.
    NRC also coordinated with the Organization of Test, Research and 
Training Reactors (TRTR) to distribute information about the Y2K 
problem through TRTR newsletters. These newsletters were distributed to 
all members of the organization to focus attention on the Y2K problem 
and related ongoing activities. The staff at all 37 licensees with 
operating reactors receive copies of the TRTR newsletter. The TRTR 
newsletters articles included ``Concerns about the Millennium,'' 
February 1997; ``Year 2000 Concerns,'' February 1998; ``NRC Response on 
Year 2000,'' May 1998; ``More on the Y2K Issue,'' August 1998; and 
``Another Y2000 Notice,'' November 1998. NRC staff has confirmed 
through several telephone conversations and discussions during 
inspections that all licensees of operating reactors are aware of the 
Y2K concerns and have ongoing actions to be Y2K ready by the end of the 
year or sooner.
    Since 1998, while conducting inspections of NPR facilities, the NRC 
staff is also verifying that licensees are addressing the Y2K problem 
with regard to reactor safety. NRC staff has inspected about 50 percent 
of the operating reactors and intends to complete the inspections of 
all operating NPRs by October 1999. These inspections will verify that 
the licensees have programs to deal with Y2K and that all digital 
safety equipment at these facilities are considered in the program. 
Moreover, most institutions that operate the NPRs have their own Y2K 
programs that include the NPRs.
    The safety systems at most operating reactors are analog systems 
that are not affected by the Y2K problem. Several operating reactors 
have digital safety equipment that provides instrument indication to 
the facility operator that is part of the licensee's Y2K program. Also, 
seven of these reactors have digital reactor protection system 
functions also considered in the licensee's Y2K program. These systems 
operate in parallel with the analog reactor protection systems, which 
are not affected by Y2K. Also, the digital systems initiate reactor 
scrams in case of a malfunction in the digital equipment. The analog 
systems generally provide the required reactor safety functions. The 
analog systems are independent of the digital equipment and have built-
in redundancy to ensure that the reactor scrams. The power levels of 
these reactors are low (up to a maximum of 2 MWt) and many of them 
operate at low temperatures in relatively large pools of water. The 
only safety function that is generally required is for the reactor to 
scram. Thus, the Y2K concern poses very low risk. NIRS does not explain 
why the licensees' Y2K program activities and NRC's oversight of the 
licensees' implementation of the programs are inadequate such that the 
rule proposed by NIRS is necessary to provide reasonable assurance of 
adequate protection.

III. Part 50 Decommissioning Nuclear Power Plant Licensees

    The suggested rule language in the petition would require that all 
facilities not compliant with Y2K issues be shut down by December 1, 
1999. Nuclear power plants that are permanently shutdown with fuel 
removed from the reactor core would, therefore, not be subject to the 
rule as proposed by NIRS. However, since the purpose of the proposed 
rule appears to be directed to ensuring that Y2K problems at all 
nuclear power plants--both operating and decommissioning--will not pose 
a threat to public health and safety, the following discussion on the 
activities for addressing the Y2K problem at decommissioning nuclear 
power plants is provided.
    There are two potential radiological health and safety concerns 
with respect to Y2K problems at decommissioning plants: (1) spent fuel 
storage, including site security; and (2) the actual conduct of 
dismantlement and decommissioning activities. Of greater concern is the 
spent fuel storage. The concerns in this area relate to providing 
sufficient cooling to the spent fuel and providing sufficient security 
against diversion and sabotage of the spent fuel. There are 21 
decommissioning nuclear power plants that have been shut down more than 
a year, 6 of which have had spent fuel removed from the site. 
Accordingly, there are only 15 decommissioning nuclear power plants 
where spent fuel storage is of concern. Although licensees for all of 
these facilities are implementing Y2K programs, it is unlikely that Y2K 
problems would pose a significant problem to providing sufficient spent 
fuel cooling. First, electrical and makeup water systems for spent fuel 
pools are not computer-controlled. Moreover, even if there was an 
interruption in electrical power, there is a long time period for the 
licensee to respond to the problem before integrity of the spent fuel 
rods becomes an issue because sufficient time is available to take 
compensatory action before boiling starts. The spent fuel pool is 
conservatively estimated (based on the Zion units) to begin boiling 68 
hours after loss of the spent fuel pool cooling system. Boiling does 
not become a concern until the fuel rods begin to be uncovered by boil-
off of cooling water. Since fuel rods are normally covered by 23 feet 
of water (for purposes of shielding), and it would take approximately 
two weeks or more to begin uncovering the spent fuel rods (assuming 
that no make-up water is added to the pool), the NRC believes that 
there is sufficient time to recover electrical power and/or provide 
makeup water to prevent the fuel rods from uncovering.
    The other threat to spent fuel is diversion and sabotage. Licensees 
of decommissioning reactors are taking steps to ensure that Y2K 
problems will not disable necessary security and safeguards systems and 
controls. Licensees with computer-based site security systems that have 
been identified as potentially Y2K vulnerable have tested the system 
for Y2K, upgraded the system to be Y2K compliant, or will make the 
system Y2K compliant before the end of 1999.
    With respect to the safety of conducting dismantlement and 
decommissioning activities, the NRC does not believe that these 
activities are subject to Y2K problems that would pose a threat to 
public health and safety because the conduct of these activities in the 
field do not rely upon computer-controlled devices to ensure protection 
against radiological dangers.
    In sum, licensees of decommissioning nuclear power plants are 
implementing Y2K activities that address equipment and systems 
important to safety, such that there is reasonable assurance of 
adequate protection to public health and safety.

IV. Major Parts 40 and 70 Licensees

    To alert major Parts 40 and 70 licensees of the potential Y2K 
problem, NRC issued Information Notice (IN) 96-70, ``Year 2000 Effect 
on Computer System Software,'' dated December 24, 1996. IN 96-70 
described the potential Y2K problems, encouraged licensees to examine 
their uses of computer systems and software well before the year 2000, 
and suggested that licensees consider appropriate actions to examine 
and evaluate their computer systems for Y2K vulnerabilities.
    In order to gather Y2K information regarding materials and major 
fuel cycle facilities, NRC formed a Y2K Team within the Office of 
Nuclear Material Safety and Safeguards (NMSS) in 1997. From September 
1997 through December 1997, this NMSS Y2K Team visited a cross-section 
of materials

[[Page 45906]]

licensees and fuel cycle facilities and conducted Y2K interviews. Each 
licensee or facility visited by the team indicated that they were aware 
of the Y2K issue and were in various stages of implementing their Y2K 
readiness program.
    On June 22, 1998, the NRC staff issued Generic Letter (GL) 98-03, 
``NMSS Licensees' and Certificate Holders' Year 2000 Readiness 
Programs.'' This GL requested major Parts 40 and 70 licensees to submit 
by September 20, 1998, written responses regarding their facility-
specific Y2K readiness program in order to confirm that they were 
addressing the Y2K problem effectively. All licensees responded to GL 
98-03 by stating that they have adopted a facility-specific Y2K 
readiness program and that the scope of the program included 
identifying and, where appropriate, remediating, hardware, software, 
and embedded systems, and provided for risk management and the 
development of contingency plans.
    GL 98-03 also requested a written response, no later than December 
31, 1998, which confirmed that these facilities were Y2K ready or 
provided a status report of work remaining to be done to become Y2K 
ready, including completion schedules. All licensees provided a second 
response to GL 98-03, which identified work remaining to be done, 
including completion schedules. Furthermore, following the second 
response, NRC requested a third written response, no later than July 1, 
1999, which would confirm that these facilities are Y2K ready or would 
provide an updated status report.
    On August 12, 1998, IN 98-30, ``Effect of the Year 2000 Computer 
Problem on NRC Licensees and Certificate Holders,'' provided licensees 
additional information on the Y2K issue. IN 98-30 provided definitions 
of ``Y2K ready'' and ``Y2K compliant,'' encouraged licensees to contact 
vendors and test their systems for Y2K problems, and described elements 
of a Y2K readiness program.
    Between September 1997 and October 1998, the major Parts 40 & 70 
licensees were also asked Y2K questions during other inspections. Based 
on these Y2K inspections, the licensees were aware of the Y2K problem 
and were adequately addressing Y2K issues. There have been no 
identified risk-significant Y2K concerns for major Parts 40 and 70 
licensees.
    NIRS' proposed rule would require that licensees be shutdown by 
December 1, 1999, unless licensees demonstrate that ``Y2K compliance'' 
has been achieved. However, NIRS has not explained why ``Y2K 
compliance'' as opposed to ``Y2K readiness'' is necessary. NIRS 
asserted that NRC has not made explicit how it will define ``Y2K 
compliance.'' However, NRC explicitly defined the terms ``Y2K ready'' 
and ``Y2K compliant'' in GL 98-03. ``Y2K ready'' was defined as a 
computer system or application that has been determined to be suitable 
for continued use into the year 2000, even though the computer system 
or application is not Y2K compliant. ``Y2K compliant'' was defined as a 
computer system or application that accurately processes date/time data 
(including, but not limited to, calculating, comparing, and sequencing) 
from, into, and between the years 1999 and 2000, and beyond, including 
leap-year calculations. Thus, by definition, systems that are ``Y2K 
ready'' are able to perform their functions properly. There is no 
discernable safety reason why achieving Y2K readiness rather than Y2K 
compliance should result in facility shutdown. Accordingly, there is no 
basis for requiring facility shutdown if a licensee cannot demonstrate 
Y2K compliance.
    NIRS presents no information or argument why those actions by the 
licensees and NRC described above are insufficient to address Y2K 
problems and to demonstrate that reasonable assurance of adequate 
protection will not be provided after December 1, 1999, so that 
facility shutdown is necessary.

V. Part 30 and Minor Parts 40 and 70 Licensees

    To alert Part 30 and minor Parts 40 and 70 licensees, the NRC 
issued INs 96-70 and 98-30, which have been discussed in Section IV, 
``Major Parts 40 and 70 Licensees.''
    In addition to the efforts by the NMSS Y2K Team to gather 
information regarding materials licensees and major fuel facilities 
from September through December 1997, discussed under Section IV, NMSS 
staff also conducted telephone interviews with device manufacturers and 
distributors. Further, NRC determined that few of approximately 5,800 
materials licensees use processes or have safety systems that are 
computer-controlled, thus minimizing potential Y2K impacts. The 
interviews and site visits confirmed that licensees were identifying 
and addressing potential Y2K problems.
    From the interviews conducted by the NMSS Y2K Team, NRC learned 
that early versions of some treatment planning systems (computer 
systems for calculating dose to medical patients being treated with 
radiation or radioactive material) have Y2K problems and that upgrades 
for treatment planning systems were available. However, treatment 
planning systems are regulated by the U.S. Food and Drug Administration 
(FDA) and not by NRC because the systems do not contain licensed 
material. NRC has shared information on non-Y2K-compliant treatment 
planning systems with the FDA. For materials licensees, the NMSS Y2K 
Team did not identify any Y2K issues for NRC-regulated material. As a 
result of the interviews and site visits, NRC's focus has been to 
determine if any commercially available devices (medical and 
industrial) have potential Y2K vulnerabilities and to ensure that 
licensees evaluate self-developed systems, commercial off-the shelf 
software and hardware, and safety systems.
    In addition to Y2K interviews, materials inspectors have been 
instructed to confirm receipt of NRC's information notices, determine 
whether the licensees have identified any potential problems associated 
with the Y2K issue, and note any corrective actions taken by the 
licensees. Through the routine inspection process, NRC has made 
assessments of the Y2K status of its materials licensees and continues 
to do so. To date, only the treatment planning systems described above, 
dose calibrators, and a tote position display for an irradiator have 
been identified through the inspection process as having Y2K problems. 
NRC materials inspectors have indicated that licensees are aware of 
available upgrades for treatment planning systems and dose calibrators. 
The irradiator tote position display is not a safety system. Further, 
the irradiator tote position display system that had the Y2K problem 
was a one-of-a-kind modification made by the licensee (the licensee was 
authorized by NRC to make the modification). The irradiator licensee is 
updating the tote position display system to eliminate the Y2K problem. 
No generic Y2K issues for NRC-regulated material used by materials 
licensees have been identified.
    NIRS asserted that NRC has not made explicit what it plans to do 
about those facilities that cannot prove compliance. As discussed in 
Section IV, ``Major Parts 40 and 70 Licensees'' above, NIRS has not 
explained why ``Y2K compliance'' as opposed to ``Y2K readiness'' is 
necessary. Furthermore, Y2K readiness is not required for protection of 
public health and safety for Part 30 and minor Parts 40 and 70 
licensees due to the amount and type of licensed material used by them. 
The risks to the public from these facilities are low. In addition, NRC 
has determined that few of the

[[Page 45907]]

approximately 5,800 materials licensees use processes or have safety 
systems that are computer-controlled, thus minimizing potential Y2K 
impacts. Accordingly, there is no basis for requiring facility shutdown 
if a licensee cannot demonstrate ``Y2K compliance.''
    NIRS presents no information or argument why those actions by the 
licensees and NRC described above are insufficient to address Y2K 
problems and to demonstrate that reasonable assurance of adequate 
protection will not be provided after December 1, 1999, so that 
facility shutdown is necessary.

VI. Public Information

    NIRS requested in item (c) of its petition that NRC adopt 
regulations that would require that licensees make available to the 
public by December 1, 1999, all information related to the examination 
and repair, modification, and/or replacement of all computer systems, 
embedded chips, and other electronic equipment that may be date-
sensitive. NIRS indicated that this rule provision is necessary in 
order to allow ``independent experts'' and the public to examine this 
information.
    The NRC has already made available to the public substantial 
information on Y2K and the status of licensees' activities to address 
potential Y2K problems and will continue to make this information 
public. The audit reports of the NRC staff reviews of the 12 nuclear 
power plant-specific Y2K readiness project activities and documentation 
are publicly available both in the Public Document Rooms and the NRC 
Year 2000 Web site. The Y2K readiness information submitted in July 
1999 by nuclear power plant licensees under GL 98-01, Supplement 1, is 
available to the public, as with any other correspondence that is 
received from licensees. The reports documenting the NRC staff audits 
of the six nuclear power plant-specific contingency planning activities 
and the results of the facility-specific Y2K program reviews of all 
operating nuclear power plants are also available to the public. The 
NRC inspection reports with Y2K information from Parts 30, 40, and 70 
licensees and the licensees' responses to GL 98-03 have been placed in 
the PDR. Summaries of (1) inspection reports with Y2K information, (2) 
GL 98-03 responses, and (3) interviews with a cross-section of 
materials and fuel cycle licensees on Y2K issues are available on the 
NRC Year 2000 Web site.
    In view of the information that has been made available and will be 
made available to the public, NIRS has not provided any basis for 
requiring licensees, by rule, to provide public access to Y2K 
information beyond that which the NRC has determined must be submitted 
to the NRC in furtherance of the NRC's regulatory oversight.

Conclusion

    The rule proposed by NIRS is not needed because the Commission has 
determined that the activities taken by licensees to implement a 
systematic and structured facility-specific Y2K readiness program, 
together with the NRC's oversight of the licensees' implementation of 
these Y2K readiness programs, provide reasonable assurance of adequate 
protection to public health and safety.
    For these reasons, the Commission denies the petition.

    Dated at Rockville, Maryland, this 17th day of August, 1999.

    For the Nuclear Regulatory Commission.
Andrew L. Bates,
Acting Secretary of the Commission.
[FR Doc. 99-21750 Filed 8-20-99; 8:45 am]
BILLING CODE 7590-01-P