Year 2000 Computing Crisis: FAA Must Act Quickly to Prevent Systems
Failures (Testimony, 02/04/98, GAO/T-AIMD-98-63).

Pursuant to a congressional request, GAO discussed the Federal Aviation
Administration's (FAA) efforts to address the year 2000 problem,
focusing on: (1) FAA's reliance on information processing; (2) where the
agency stands today; (3) what remains at risk; and (4) what GAO
recommends must be done to increase the likelihood that FAA systems will
be year 2000 compliant by January 1 of that year.

GAO noted that: (1) many of FAA's systems could fail to perform as
needed when using dates after 1999, unless proper date-related
calculations can be assured; (2) the implications of FAA's not meeting
this immovable deadline are enormous and could effect hundreds of
thousands of people through customer inconvenience, increased airline
costs, grounded or delayed flights, or degraded levels of safety; (3)
FAA's progress in making its systems ready for the year 2000 has been
too slow; (4) at its current pace, it will not make it in time; (5) the
agency has been severely behind schedule in completing basic awareness
activities, including establishing a program manager with responsibility
or its year 2000 program and issuing a final, overall year 2000
strategy; (6) further, FAA does not know the extent of its year 2000
problem because it has not completed key assessment activities; (7)
specifically, it has yet to analyze the impact of its systems' not being
year 2000 compliant, inventory and assess all of its systems for date
dependencies, make final its plans for addressing any identified date
dependencies, or develop plans for continued operations in case systems
are not corrected in time; (8) until these activities are completed, FAA
cannot know the extent to which it can trust its systems to operate
safely using dates beyond 1999; (9) delays in completing awareness and
assessment activities also leave FAA little time for critical
renovation, validation, and implementation activities--the final three
phases in an effective year 2000 program; and (10) with under 2 years
left, FAA is quickly running out of time, making contingency planning
even more critical.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-98-63
     TITLE:  Year 2000 Computing Crisis: FAA Must Act Quickly to Prevent 
             Systems Failures
      DATE:  02/04/98
   SUBJECT:  Systems conversions
             Computer software
             Strategic information systems planning
             Data integrity
             Computer software verification and validation
             Air traffic control systems
             Information resources management
             Systems compatibility
IDENTIFIER:  FAA Year 2000 Program
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


Before the Subcommittee on Technology, Committee on Science, and the
Subcommittee on Government Management, Information and Technology,
Committee on Government Reform and Oversight, House of
Representatives

For Release on Delivery
Expected at
2 p.m.
Wednesday,
February 4, 1998

YEAR 2000 COMPUTING CRISIS - FAA
MUST ACT QUICKLY TO PREVENT
SYSTEMS FAILURES

Statement of Joel C.  Willemssen
Director, Civil Agencies Information Systems
Accounting and Information Management Division

GAO/T-AIMD-98-63

GAO/AIMD-98-63t


(511442)


Abbreviations
=============================================================== ABBREV

  CIO - Chief Information Officer
  DSR - Display System Replacement
  FAA - Federal Aviation Administration
  NWS - National Weather Service

============================================================ Chapter 0

Ms.  Chairwoman, Mr.  Chairman, and Members of the Subcommittees: 

We appreciate the opportunity to testify on the Federal Aviation
Administration's (FAA) efforts to address the Year 2000 problem--a
situation in which systems could malfunction or fail because the "00"
in the year 2000 may be indistinguishable from the "00" in 1900
unless these systems are modified or replaced.  With only 696 days
remaining until January 1, 2000, federal agencies must act now to
ensure that critical systems continue to operate.  There may be no
more urgent federal information systems priority. 

Hundreds of critical FAA computer systems make its operations
possible; without these specialized systems, FAA could not
effectively control air traffic, target airlines for inspection, or
provide up-to-date weather conditions to pilots and air traffic
controllers.  However, many of these systems could fail to perform as
needed when using dates after 1999, unless proper date-related
calculations can be assured.  The implications of FAA's not meeting
this immovable deadline are enormous and could affect hundreds of
thousands of people through customer inconvenience, increased airline
costs, grounded or delayed flights, or degraded levels of safety. 

FAA's progress in making its systems ready for the year 2000 has been
too slow.  At its current pace, it will not make it in time.  The
agency has been severely behind schedule in completing basic
awareness activities, including establishing a program manager with
responsibility for its Year 2000 program and issuing a final, overall
Year 2000 strategy.  Further, FAA does not know the extent of its
Year 2000 problem because it has not completed key assessment
activities.  Specifically, it has yet to analyze the impact of its
systems' not being Year 2000 compliant, inventory and assess all of
its systems for date dependencies, make final its plans for
addressing any identified date dependencies, or develop plans for
continued operations in case systems are not corrected in time. 
Until these activities are completed, FAA cannot know the extent to
which it can trust its systems to operate safely using dates beyond
1999. 

Delays in completing awareness and assessment activities also leave
FAA little time for critical renovation, validation, and
implementation activities--the final three phases in an effective
Year 2000 program.\1 With under 2 years left, FAA is quickly running
out of time, making contingency planning even more critical. 

As our report being released at this hearing today makes clear, FAA's
delays to date are cause for serious concern.\2 Given the rapid
approach of the millennium, such delays can no longer continue.  My
statement today will examine (1) FAA's reliance on information
processing, (2) where the agency stands today, (3) what remains at
risk, and (4) what we recommend must be done to increase the
likelihood that FAA systems will be Year 2000 compliant by January 1
of that year. 


--------------------
\1 Year 2000 Computing Crisis:  An Assessment Guide
(GAO/AIMD-10.1.14, September 1997). 

\2 FAA Computer Systems:  Limited Progress on Year 2000 Issue
Increases Risk Dramatically (GAO/AIMD-98-45, Jan.  30, 1998). 


   FAA DEPENDS ON INFORMATION
   PROCESSING TO FULFILL ITS
   MISSION
---------------------------------------------------------- Chapter 0:1

In ensuring a safe, secure, and efficient airspace system that
contributes to national security and the promotion of U.S.  airspace,
FAA administers a wide range of aviation-related programs, such as
those to certify the airworthiness of new commercial aircraft
designs, inspect airline operations, maintain airport security, and
control commercial and general aviation flights.\3

Integral to executing each of FAA's programs are extensive
information processing and communications technologies.  For example,
each of FAA's 20 en route air traffic control facilities, which
control aircraft at the higher altitudes between airports, depends on
about 50 interrelated computer systems to safely guide and direct
aircraft.  Similarly, each of FAA's almost 100 flight standards
offices, responsible for inspecting and certifying various sectors of
the aviation industry, is supported by over 30 mission-related safety
database and analysis systems.  Because of the complexity of these
systems supporting FAA's mission, many of them are unique to FAA, not
off-the-shelf systems that could be readily maintained by vendors. 

FAA also has numerous, complex information processing exchanges with
various external organizations, including airlines, aircraft
manufacturers, general aviation pilots, and other government
agencies, such as the National Weather Service (NWS) and the
Department of Defense.  Over the years, these organizations and FAA
have built vast networks of interrelated systems.  For example,
airlines' flight planning systems are linked to FAA's Enhanced
Traffic Management System, which monitors flight plans nationwide,
controls high-traffic situations, and alerts airlines and airports to
bring in more staff during busy periods.  As another example, FAA
facilities rely on weather information from NWS ground sensors,
radars, and satellites to control and route aircraft. 

It is easy to see, then, that should FAA systems not be Year 2000
compliant, the domino effect would be far-reaching.  In fact,
representatives of major airlines are concerned that even if their
own systems are ready for the millennium, they could not fly until
FAA's systems were Year 2000 compliant. 


--------------------
\3 General aviation flights are any civil aircraft operations not
involving commercial activities. 


   FAA'S YEAR 2000 AWARENESS,
   ASSESSMENT WORK INCOMPLETE;
   EXTENT OF PROBLEM UNKNOWN
---------------------------------------------------------- Chapter 0:2

To assist agencies in resolving the Year 2000 problem, we have
prepared a guide that discusses the scope of the challenge and offers
a structured, step-by-step approach for reviewing and assessing an
agency's readiness to handle this challenge.\4 The guide describes in
detail five phases, each of which represents a major Year 2000
program activity or segment.  The first phase, awareness, entails
gaining executive-level support and sponsorship and ensuring that
everyone in the organization is fully aware of the issue.  During
this phase a Year 2000 program team is also established, and an
overall strategy developed.  The second phase, assessment, entails
assessing the likely Year 2000 impact on the enterprise, identifying
core business areas, inventorying and analyzing the systems
supporting those areas, and prioritizing their conversion or
replacement.  Contingency planning is also initiated, and the
necessary resources identified and secured. 

FAA recognizes that the upcoming change of century poses significant
challenges.  It began Year 2000 problem awareness activities in May
1996, and within 3 months had established a Year 2000 product team
and designated it the focal point for Year 2000 within FAA.  A Year
2000 steering committee was also established.  Since then, the
product team and steering committee have conducted various awareness
activities and have briefed FAA management.  In September 1996 the
product team issued the FAA Guidance Document for Year 2000 Date
Conversion. 

Yet FAA was late in designating a Year 2000 program manager and its
initial program manager recently retired.  FAA has not yet selected a
permanent replacement and needs to fill this position as soon as
possible.  Further, its strategic plan--defining program management
responsibilities and providing an approach to addressing the
millennium challenge--has yet to be made final.  A draft of this plan
was provided to the Administrator on December 1, 1997, and we
understand that it is now being revised.  Until an official
agencywide strategy is available, FAA's executive management will not
have the approved road map they need for achieving Year 2000
compliance.  The lack of a formal agencywide strategy also means that
FAA's program manager position lacks the authority to enforce Year
2000 policies.  As a result, each line of business within the agency
will have to decide if, when, and how to address its Year 2000
conversion, irrespective of agency priorities and standards. 

Additionally, FAA's inventory of all information systems and their
components is still evolving.  According to a Year 2000 program
official, FAA's inventory of 741 systems was completed on December
29, 1997.  However, we have found that the inventory changed on at
least three occasions since then and, by January 23, 1998, had
reached 769 systems. 

Other crucial tasks include an assessment of the criticality of the
systems in the inventory, and deciding whether they should be
converted, replaced, retired, or left as is.  On January 30, 1998, we
were told by a Year 2000 program official that all outstanding
systems assessments were to be received that day, but that review and
validation of these assessments would continue during February. 
Assessing the likely severity of systems failures is crucial as well,
yet FAA only recently began to examine the likely impact of Year
2000-induced failures; this assessment is due to be presented to FAA
management this month, February 1998. 

Without the thorough definition of a program's scope and requirements
that only such inventorying and assessment can provide, cost
estimates are uncertain at best, as the agency acknowledges.  FAA's
current Year 2000 program cost estimate of $246 million will likely
change once the agency more accurately identifies its inventory and
determines how it will go about making its systems Year 2000
compliant. 

On the basis of our discussions with FAA personnel, it is clear that
FAA's ability to ensure the safety of the National Airspace System
and to avoid the grounding of planes could be compromised if systems
are not changed.  FAA's organization responsible for air traffic
control reported that 34 of the 100 mission-critical systems it
initially assessed were likely to result in catastrophic failure if
they were not renovated.  FAA plans to renovate all of these systems. 
As of January 30, 1998, assessments of another 140 mission-critical
air traffic control systems were continuing. 


--------------------
\4 GAO/AIMD-10.1.14, September 1997. 


      THE HOST COMPUTER SYSTEM: 
      CRITICAL INFORMATION
      PROCESSING LINK
-------------------------------------------------------- Chapter 0:2.1

As FAA completes its systems assessments, it faces difficult
decisions about how to renovate, retire, or replace its
date-dependent systems.  One of the most significant examples is
FAA's Host Computer System--the centerpiece information processing
system in FAA's en route centers--which runs on IBM mainframe
computers.  Key components of the Host include its operating system,
application software, and microcode--low-level machine instructions
used to service the main computer.  While FAA officials expressed
confidence that they have resolved any date dependencies in the
Host's operating system and application software, IBM reported that
it has no confidence in the ability of its microcode to survive the
millennium date change because it no longer has the skills or tools
to properly assess this code.  IBM has therefore recommended that FAA
purchase new hardware. 

Given these concerns, FAA--in an attempt to help ensure success and
minimize risk--is considering moving in two directions
simultaneously:  It is continuing its assessment of the microcode
with a plan to resolve and test any identified date issues, while at
the same time preparing to purchase and implement new hardware,
called Interim Host, at each of its 20 en route centers before
January 1, 2000.  Yet the purchase of new hardware carries its own
set of risks--risks that FAA must mitigate in a short period of time. 
These are at least fourfold. 

  -- First, Lockheed Martin, currently the Host software support
     contractor, will be responsible for porting the existing Host
     operating system and application software to the new hardware. 
     This software conversion requires extensive testing to ensure
     that air traffic control operations are not affected. 
     Unexpected problems in testing and certifying the new system for
     use in real-time operations may also become apparent. 

  -- Second, the Interim Host will have to be deployed concurrently
     with FAA's new Display System Replacement (DSR), compounding the
     risk of delays and problems.  When upgrading parts of a
     safety-critical system such as the Host and DSR, it is simpler
     and safer to upgrade one part at a time. 

  -- Third, deploying the Interim Host to 20 en route centers in less
     than 2 years will be very difficult.  As a point of reference,
     FAA's Display Channel Complex Rehost took almost 2 years to
     deploy to just five centers. 

  -- Fourth, by moving quickly to purchase the Interim Host, FAA may
     not be purchasing a system that best meets its long-term needs. 
     For example, alternative mainframe systems may provide more
     communications channels--something the Host currently depends on
     peripheral systems to provide. 


      EXTERNAL ORGANIZATIONS ALSO
      CONCERNED ABOUT FAA YEAR
      2000 COMPLIANCE
-------------------------------------------------------- Chapter 0:2.2

External organizations are also concerned about the impact of FAA's
Year 2000 status on their operations.  FAA recently met with
representatives of airlines, aircraft manufacturers, airports, fuel
suppliers, telecommunications providers, and industry associations to
discuss the Year 2000 issue.  At this meeting participants raised the
concern that their own Year 2000 compliance would be irrelevant if
FAA were not compliant because of the many system interdependencies. 
Airline representatives further explained that flights could not even
get off the ground on January 1, 2000, unless FAA was substantially
Year 2000 compliant--and that extended delays would be an economic
disaster.  Because of these types of concerns, FAA has now agreed to
meet regularly with industry representatives to coordinate the safety
and technical implications of shared data and interfaces. 


   LITTLE TIME REMAINS FOR
   CRITICAL RENOVATION,
   VALIDATION, AND IMPLEMENTATION
   ACTIVITIES, PLACING JANUARY 1,
   2000, READINESS AT RISK
---------------------------------------------------------- Chapter 0:3

One result of delayed awareness and assessment activities is that the
time remaining for renovation, validation, and implementation can
become dangerously compressed.  Renovation, validation, and
implementation activities are the three critical final phases in
correcting Year 2000 vulnerabilities.  Renovation involves
converting, replacing, or eliminating selected systems and
applications.  Validation entails testing, verifying, and validating
all converted or replaced systems and applications, and ensuring that
they perform as expected.  Implementation involves deploying,
operating, and maintaining Year 2000-compliant systems and
components.  Contingency plans are also implemented, if necessary. 

FAA has started to renovate some of the systems it has already
assessed.  However, because of the agency's delays in completing its
awareness and assessment activities, time is running out for FAA to
renovate all of its systems, validate these conversions or
replacements, and implement its converted or replaced alternatives. 

FAA's delays are further magnified by the agency's poor history in
delivering promised system capabilities on time and within budget,
which we have reported on in the past.\5

FAA's weaknesses in managing software acquisition will also hamper
its renovation, validation, and implementation efforts.\6

Given the many hurdles that FAA faces and the limited amount of time
left, planning for operational continuity through the turn of the
century becomes ever more urgent.  To ensure the ability to carry out
core functions, such planning defines assumptions and risk scenarios,
operational objectives, time frames, priorities, tasks, activities,
procedures, resources, and responsibilities.  Such planning also lays
out the specific steps and detailed actions that would be required to
reestablish functional capability for mission- critical operations in
the event of prolonged disruption, failure, or disaster.  We plan to
issue a guide later this month, in exposure draft form, to assist
agencies in ensuring business continuity by performing necessary
contingency planning for the Year 2000 crisis. 


--------------------
\5 Advanced Automation System:  Implications of Problems and Recent
Changes (GAO/T-RCED-94-188, Apr.  13, 1994); High-Risk Series:  An
Overview (GAO/HR-95-1, February 1995); and High-Risk Series: 
Information Management and Technology (GAO/HR-97-9, February 1997). 

\6 Air Traffic Control:  Immature Software Acquisition Processes
Increase FAA System Acquisition Risks (GAO/AIMD-97-47, Mar.  21,
1997). 


   STRUCTURED, RIGOROUS APPROACH
   CAN REDUCE LEVEL OF RISK, BUT
   URGENT ACTION ESSENTIAL
---------------------------------------------------------- Chapter 0:4

FAA's delays to date put the agency at great risk.  The coming
millennium cannot be postponed, and FAA will continue to be hamstrung
until all inventorying and assessments have been completed.  Once the
degree of vulnerability has been determined, a structured, five-phase
approach with rigorous program management--such as that outlined in
our assessment guide\7 --can offer a road map to the effective use of
available resources, both human and financial. 

But time is short.  Should the pace at which FAA addresses its Year
2000 issues not quicken, and critical FAA systems not be Year 2000
compliant and therefore not be ready for reliable operation on
January 1 of that year, the agency's capability in several essential
areas--including the monitoring and controlling of air traffic--could
be severely compromised.  This could result in the temporary
grounding of flights until safe aircraft control can be assured. 
Avoiding such emergency measures will require stronger, more active
oversight than FAA has demonstrated in the past. 

Our report being released today makes a number of specific
recommendations to increase the likelihood that FAA systems will be
Year 2000 compliant on January 1 of that year.\8 In summary, we
recommend that the Secretary of Transportation direct that the
Administrator, FAA, take whatever action is necessary to expedite
overdue awareness and assessment activities.  At a minimum, this
would include

  -- issuing a final FAA Year 2000 plan providing the Year 2000
     program manager with the authority to enforce Year 2000 policies
     and outlining FAA's strategy for addressing the date change;

  -- assessing how its major business lines and the aviation industry
     would be affected if the Year 2000 problem were not corrected in
     time and using these results to help rank the agency's Year 2000
     activities;

  -- completing inventories of all information systems and their
     components, including data interfaces;

  -- completing assessments of all inventoried systems to determine
     criticality and whether the system will be converted, replaced,
     or retired;

  -- determining priorities for system conversion and replacement
     based on systems' mission-criticality;

  -- establishing plans for addressing identified date dependencies;

  -- developing plans for validating and testing all converted or
     replaced systems;

  -- crafting realistic contingency plans for all business lines to
     ensure the continuity of critical operations; and

  -- developing a reliable cost estimate based on a comprehensive
     inventory and completed assessments of the various systems'
     criticality, and how their needs for modification will be
     addressed. 


--------------------
\7 GAO/AIMD-10.1.14, September 1997. 

\8 GAO/AIMD-98-45, Jan.  30, 1998. 


-------------------------------------------------------- Chapter 0:4.1

Officials of both FAA and the Department of Transportation generally
agreed with our findings, conclusions, and recommendations.  FAA's
CIO stated that FAA recognizes the importance of addressing the Year
2000 problem and plans to implement our recommendations. 

This concludes my statement, and I would be pleased to respond to any
questions that you or other Members of the Subcommittees may have at
this time. 


*** End of document. ***