[Federal Register Volume 64, Number 162 (Monday, August 23, 1999)] [Proposed Rules] [Pages 45900-45907] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 99-21750] �======================================================================== �Proposed Rules � Federal Register �________________________________________________________________________ � �This section of the FEDERAL REGISTER contains notices to the public of �the proposed issuance of rules and regulations. The purpose of these �notices is to give interested persons an opportunity to participate in �the rule making prior to the adoption of the final rules. � �======================================================================== � ��Federal Register / Vol. 64, No. 162 / Monday, August 23, 1999 / Proposed Rules�� [[Page 45900]] ----------------------------------------------------------------------- NUCLEAR REGULATORY COMMISSION 10 CFR Parts 30, 40, 50, and 70 [Docket No. PRM-50-65] Nuclear Information and Resource Service; Petition for Rulemaking Denial AGENCY: Nuclear Regulatory Commission. ACTION: Petition for rulemaking; denial. ----------------------------------------------------------------------- SUMMARY: The Nuclear Regulatory Commission (NRC) is denying a petition for rulemaking (PRM-50-65) from the Nuclear Information and Resource Service (NIRS). The petitioner requested that NRC amend its regulations to require the shutdown of nuclear facilities that are not compliant with date-sensitive, computer-related issues regarding the Year 2000 (Y2K) issue. The petitioner requested that NRC take this action to ensure that Y2K issues will not cause the failure of nuclear safety systems and thereby pose a threat to public health and safety. NRC is denying the petition because the Commission has determined that the actions taken by licensees to implement a systematic and structured facility-specific Y2K readiness program and NRC's oversight of the licensees' implementation of these Y2K readiness programs provide reasonable assurance of adequate protection to public health and safety. ADDRESSES: Copies of the petition for rulemaking, the public comments received, and NRC's letters to the petitioners are available for public inspection or copying in the NRC Public Document Room, 2120 L Street, NW. (Lower Level), Washington, DC, as well as on NRC's rulemaking website at http://ruleforum.llnl.gov. FOR FURTHER INFORMATION CONTACT: Matthew Chiramal, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, telephone 301-415-2845, E-mail address mxc@nrc.gov>, or Gary W. Purdy, Office of Nuclear Material Safety and Safeguards, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, telephone 301-415-7897, E-mail address gwp1@nrc.gov>. SUPPLEMENTARY INFORMATION: Background NRC received three related petitions for rulemaking (PRM-50-65, PRM-50-66, and PRM-50-67), each dated December 10, 1998, submitted by NIRS concerning various aspects of Y2K issues and nuclear safety. This petition (PRM-50-65) requested that NRC adopt regulations that would require facilities licensed by NRC under 10 CFR Parts 30, 40, 50, and 70 to be Y2K compliant. The second petition (PRM-50-66) requested that NRC adopt regulations that would require facilities licensed by NRC under 10 CFR Part 50 to develop and implement adequate contingency and emergency plans to address potential system failures. The third petition (PRM-50-67) requested that NRC adopt regulations that would require facilities licensed by NRC under 10 CFR Parts 50 and 70 to provide reliable sources of back-up power. Because of the nature of these petitions and the date-specific issues they address, the petitioner requested that the petitions be addressed on an expedited schedule. On January 25, 1999, NRC published a notice of receipt of a petition for rulemaking in the Federal Register (64 FR 3789). It was available on NRC's rulemaking website and in the NRC Public Document Room. The notice of receipt of a petition for rulemaking invited interested persons to submit comments by February 24, 1999. The Petition The petitioner requested that NRC adopt the following text as a rule: Any and all facilities licensed by the Nuclear Regulatory Commission under 10 CFR Parts 30, 40, 50, and 70 shall be closed by 12 pm Eastern Standard Time, December 1, 1999, unless and until each facility has: (a) fully and comprehensively examined all computer systems, embedded chips, and other electronic equipment that may be date-sensitive to ensure that all such systems that may be relevant to safety are Y2K compliant; (b) repaired, modified, and/or replaced all such systems that are not found to be Y2K compliant; (c) made available to the public all information related to the examination and repair, modification and/or replacement of all such systems; (d) determined, through full-scale testing, that all repairs, modifications, and/or replacements of all such systems are, in fact, Y2K compliant. The petitioner noted that in NRC Generic Letter (GL) 98-01, ``Year 2000 Readiness of Computer Systems at Nuclear Power Plants,'' dated May 11, 1998, the NRC has recognized the potential for date-related problems that may affect a system or application (the Y2K problem). These potential problems include not representing the year properly, not recognizing leap years, and improper date calculations. These problems could result in the inability of computer systems to operate or to function properly. The petitioner stated that the Y2K problem could potentially interfere with the proper operation of computer systems, microprocessor-based hardware, and software or databases relied on at nuclear power plants. Further, the petitioner asserted that the Y2K problem could result in a plant trip and subsequent complications in tracking post-shutdown plant status and recovery as a result of a loss of emergency data collection. Additionally, the petitioner is also concerned that power grids providing offsite power to nuclear stations could be affected to the extent that localized and widespread grid failures could occur. The petitioner acknowledged that NRC has recognized the potential safety and environmental problems that could result if date-sensitive electronic systems fail to operate or provide false information. The petitioner asserted that NRC has required its licensees of reactor and major fuel cycle facilities to report by July 1, 1999, on their programs to ensure compliance with Y2K issues. In addition, the petitioner asserted that NRC has not made explicit how it will define compliance nor what it plans to do for licensees of facilities that cannot prove compliance. In the petitioner's suggested regulatory text, NIRS defined compliance with Y2K issues as evaluation of all potential problems that may be safety-related, repair of all such problems, and full-scale testing of all solutions. The petitioner's proposed regulation would also require full public disclosure of all evaluation, repair, and testing data so that the information may be examined by independent experts and the public. Finally, the petitioner's proposed regulation would make it clear that nuclear facilities will be closed [[Page 45901]] until they can demonstrate full compliance with Y2K issues. The petitioner concluded by stating that NRC is obligated to act decisively to protect public health and safety and the environment. NIRS stated that anything short of the suggested approach in the petition is insufficient to fulfill this obligation and that NRC should adopt the suggested regulation as soon as possible. Public Comments on the Petition In response to the petition, NRC received 70 comment letters, including 1 letter signed by 25 individuals from the State of Michigan, 3 letters from industry groups, 10 letters from utilities, 13 letters from private organizations, and 43 letters from private citizens. Fifty-four letters supported the petition, 40 of which were from private citizens, 13 were from private organizations, and 1 that was signed by 25 individuals. The comments supporting the petition addressed concerns related to avoiding the occurrence of a catastrophic nuclear accident, the reasonableness of the petitioner's request, and opined that any uncertainty is too great for the nuclear industry. Sixteen letters opposed the petition, of which 3 were from private citizens, 3 were from associated industries, and 10 were from utilities. The comments opposing the petition stated that the nuclear power industry has taken a coordinated approach to Y2K readiness, nuclear power plant licensees are implementing a structured Y2K program, NRC Y2K initiatives are underway, NRC staff is monitoring licensee activities, and current regulations and license conditions are adequate to address potential Y2K computer issues. In some of the letters supporting the petition, the authors included the following additional comments that provide information or request action that was not contained in the petition. These comments noted: 1. The date proposed in the petition, December 1, 1999, to shut down all non-Y2K compliant nuclear power plants should be moved up 1 to 6 months before the year 2000. The reasons given were to allow sufficient time to shut down and to provide additional safety. 2. Power grid failure would not allow controlled shutdown of the plant and plants could experience problems like the Russians. The Y2K problem could increase the chance of a core melt. 3. The problem of ``embedded systems,'' microchips, microprocessors, and such systems-within-systems are difficult to identify and the effects of their multiple failures are poorly understood, especially in the U.S. power grid. 4. The audits conducted by NRC staff are too few. These comments are addressed specifically in the discussion of ``Reasons for Denial.'' Reasons for Denial The NRC is denying the NIRS petition because the NRC has determined that: (1) the actions taken by licensees to implement a systematic and structured facility-specific Y2K readiness program; and (2) NRC's oversight of licensees' implementation of these Y2K readiness programs together constitute an effective process for addressing Y2K issues such that there will continue to be reasonable assurance of adequate protection of public health and safety. NIRS has not presented any information (and no public comments have been received) that demonstrates that: (1) the licensees' activities are fundamentally incapable of effectively addressing Y2K issues in a timely fashion; (2) licensees are not adequately implementing the Y2K readiness programs; (3) NRC's inspection, audit, and oversight activities are fundamentally incapable of providing adequate regulatory control with respect to licensee implementation of Y2K readiness programs; and (4) the NRC is not effectively implementing its inspection, audit, and oversight activities with respect to Y2K issues. Finally, NIRS has not provided any basis why the NRC's current regulatory approach, which retains the regulatory authority to order licensees to discontinue or modify their licensed activities if the NRC finds that reasonable assurance of adequate protection to public health and safety will not be provided because of Y2K issues, will be inadequate in view of the 6-month time period between July 1, 1999, when licensees are required to inform the NRC of the status of their Y2K remediation activities and the December 31, 1999, date, when Y2K-induced problems are most likely to begin occurring. Parts (a), (b), and (d) of the NIRS proposed rule are addressed below in Sections I, II, III, IV, and V for Part 50 operating nuclear power plants, Part 50 non-power reactors, Part 50 decommissioning nuclear power plants, major licensees under Parts 40 and 70, and Part 30 and minor Parts 40 and 70 licensees, respectively. Part (c) of NIRS' proposed rule, concerning public access to Y2K information, is addressed for all types of licensees in Section VI. I. Part 50 Operating Nuclear Power Plant Licensees A. Industry and NRC Activities Addressing Y2K To alert nuclear facility licensees to the Y2K problem, NRC issued Information Notice (IN) 96-70, ``Year 2000 Effect on Computer System Software,'' on December 24, 1996. IN 96-70 described the potential problems that nuclear power plant computer systems and software may encounter as a result of the change to the new century and how the Y2K issue may affect NRC licensees. IN 96-70 encouraged licensees to examine their uses of computer systems and software well before the year 2000 and suggested that licensees consider appropriate actions for examining and evaluating their computer systems for Y2K vulnerabilities. In 1997, the nuclear industry began to assess the Y2K challenge and work with key Federal agencies to help nuclear power plant operators prepare for continued safe operations at the start of the year 2000. In July 1997, the Nuclear Utilities Software Management Group (NUSMG), a nuclear industry working group, conducted the first industry-wide workshop on Y2K readiness. In October 1997, the Nuclear Energy Institute (NEI) and NUSMG issued a Y2K program plan guidance document, NEI/NUSMG 97-07, ``Nuclear Utility Year 2000 Readiness,'' to all U.S. nuclear power plant licensees. This document provides a step-by-step method to identify, test, and repair potential Y2K computer problems and contains detailed procedures and checklists for resolving Y2K issues, based on the best utility practices. NEI/NUSMG 97-07 presented a strategy for developing and implementing a nuclear utility Y2K program. The strategy recognizes management, implementation, quality assurance (QA) measures, regulatory considerations, and documentation as the fundamental elements of a successful Y2K project. The document contains examples currently in use by licensees and also recommends that the Y2K program be administered using standard project management techniques. The recommended components for management planning are management awareness, sponsorship, project leadership, project objectives, the project management team, the management plan, project reports, interfaces, resources, oversight, and QA. The suggested phases of implementation are awareness, initial assessment (which includes inventory, categorization, classification, [[Page 45902]] prioritization, and analysis of initial assessment), detailed assessment (including vendor evaluation, utility-owned or utility- supported software evaluation, interface evaluation, and remedial planning), remediation, Y2K testing and validation, and notification. Y2K testing is used both as an investigative tool to examine systems and components to identify Y2K problems and as a validation tool to confirm that the corrective actions have eliminated the Y2K problem. Y2K testing in support of evaluation efforts to determine whether a Y2K problem is present is performed during detailed assessments. Systems and components will then be repaired or replaced in a process known as ``remediation.'' Y2K testing subsequent to remediation is performed to determine whether the remediation efforts have eliminated the Y2K problem and no unintended functions are introduced. Y2K testing may be performed at several levels:
Unit testing, which focuses on functional and compliance testing of a single application or software module; Integration testing, which tests the integration of related software modules and applications; and System testing, which tests the hardware and software components of a system. For systems, components, and equipment classified as safety-related or critical to operations, the Y2K remediation activities include Y2K testing. On one end of the spectrum, there are the stand-alone, date- aware, microprocessor-based components that do not communicate digital information to any other devices. Properly performed bench testing of these devices, by the licensee or the vendor, coupled with software/ firmware revision-level verification of the field devices as required, is adequate to establish their Y2K status. Repeating this test in the field as part of a plant-wide integrated test will not add any additional benefits related to system Y2K readiness. On the other end of the spectrum, the most highly complex systems, such as distributed control systems, may require in-plant testing of the remediated system. This testing may include a large portion of the plant equipment. However, even in this case, the maximum bounds of the test would involve the individual system being tested and the other devices and systems with which it communicates digital/date-related information. NEI/NUSMG 97-07 specifies the QA measures that will apply to the activities in NEI/NUSMG 97-07 that apply primarily to project management and implementation. Documentation of Y2K program activities and results includes documentation requirements, project management documentation, vendor documentation, inventory lists, checklists for initial and detailed assessments, and record retention. NEI/NUSMG 97-07 also contains examples of various plans and checklists as appendices that may be used or modified to meet the licensee's specific needs and/ or requirements. After issuing NEI/NUSMG 97-07, NEI conducted workshops and other means of sharing the experiences on the use of the document. In November 1997, NEI and NUSMG conducted the first in a series of industry-wide workshops on Y2K issues for project managers in charge of ensuring Y2K readiness at all operating nuclear power plants. In December 1997, NEI created an on-line bulletin board to share technical information and experiences related to testing and repairing computers and equipment. In January 1998, the NRC issued a draft generic letter for public comment which proposed: (1) that licensees of operating nuclear power plants be required to provide certain information regarding their programs that address the Y2K problem in computer systems at their facilities; and (2) to endorse the guidance in NEI/NUSMG 97-07 as one possible approach in implementing a plant-specific Y2K readiness program, if augmented in the area of risk management, contingency planning, and remediation of embedded systems [Federal Register (63 FR 4498)]. In the absence of adverse comment on the adequacy of the guidance in NEI/NUSMG 97-07, the NRC issued GL 98-01 on May 11, 1998 [Federal Register (63 FR 27607)]. In August 1998, NEI issued an industry document, NEI/NUSMG 98-07, ``Nuclear Utility Year 2000 Readiness Contingency Planning,'' that provided additional guidance for establishing a plant-specific contingency planning process. NEI/NUSMG 98-07 addressed management controls, preparation of individual contingency plans, and development of an integrated contingency plan that allows the licensee to manage internal and external risks associated with Y2K-induced events. External events that should be considered for facility-specific contingency planning include electric grid/transmission/distribution system events, such as loss of off-site power, grid instability and voltage fluctuations, load fluctuations and loss of grid control systems; loss of emergency plan equipment and services; loss of essential services; and depletion of consumables. NRC considers the guidance in NEI/NUSMG 98-07, when properly implemented, as an acceptable approach for licensees to mitigate and manage Y2K- induced events that could occur on Y2K-critical dates. In GL 98-01, NRC required all operating nuclear power plant licensees to submit written responses regarding their facility-specific Y2K readiness program in order to confirm that they are addressing the Y2K problem effectively. All licensees have responded to GL 98-01, stating that they have adopted a plant-specific Y2K readiness program based on the guidance of NEI/NUSMG 97-07, and the scope of the program includes identifying and, where appropriate, remediating, embedded systems, and provides for risk management and the development of contingency plans. GL 98-01 1 also requests a written response, no later than July 1, 1999, confirming that these facilities are Y2K ready with regard to compliance with the terms and conditions of their license and NRC regulations. Licensees that are not Y2K ready by July 1, 1999, must provide a status report and schedule for the remaining work to ensure timely Y2K readiness. By July 1, 1999, all licensees responded to GL 98-01, Supplement 1. The responses indicated that 68 plants are Y2K ready and 35 plants need to complete work on a few non-safety computer systems or devices after July 1, 1999 to be Y2K ready. --------------------------------------------------------------------------- \1\ On January 14, 1999, NRC issued GL 98-01, Supplement 1, ``Year 2000 Readiness of Computer Systems at Nuclear Power Plants,'' which provided licensees with a voluntary alternate response to that required by GL 98-01. The alternate response, also due by July 1, 1999, should provide information on the overall Y2K readiness of the plant, including those systems necessary for continued plant operation that are not covered by the terms and conditions of the license and NRC regulations. --------------------------------------------------------------------------- As part of its oversight of licensee Y2K activities, NRC staff conducted sample audits of 12 plant-specific Y2K readiness programs. The objectives of the audits were to-- Assess the effectiveness of licensees' programs for achieving Y2K readiness and in addressing compliance with the terms and conditions of their license and NRC regulations and continued safe operation. Evaluate program implementation activities to ensure that licensees are on schedule to achieve Y2K readiness in accordance with GL 98-01 guidelines. Assess licensees' contingency planning for addressing risks associated with events resulting from Y2K problems. The NRC determined that this approach was an appropriate means of oversight of licensee Y2K readiness efforts because: (1) all licensees had committed to the nuclear power [[Page 45903]] industry Y2K readiness guidance (NEI/NUSMG 97-07) in their first response to NRC GL 98-01; and (2) the audit would verify that licensees were effectively implementing the guidelines. The audit sample of 12 licensees included large utilities such as Commonwealth Edison and Tennessee Valley Authority as well as small single-unit licensees such as North Atlantic Energy (Seabrook) and Wolf Creek Nuclear Operating Corporation. The NRC staff selected a variety of types of plants of different ages and locations in this sample in order to obtain the necessary assurance that nuclear power industry Y2K readiness programs are being effectively implemented and that licensees are on schedule to meet the readiness target date of July 1, 1999, established in GL 98- 01. Also, NRC staff had not identified any Y2K problems in safety- related actuation systems as part of its audit activities. In late January 1999, the NRC staff completed the 12 audits. At the conclusion of the audits, the NRC staff had the following observations: Plant-specific Y2K projects based on NEI/NUSMG 97-07 began in mid to late 1997. Use of NEI/NUSMG 97-07 guidance results in an effective, structured program. The programs are generally on schedule for plants to be Y2K ready by July 1, 1999. However, at some plants the licensees have scheduled some remediation, testing, and final certification for the fall 1999 outage. Management oversight is vital for program effectiveness. Sharing information through owners groups, utility alliances, the Electric Power Research Institute, and NEI is aiding the overall nuclear industry effort. Independent audits and peer reviews of programs are very useful. Safety system functions are usually not affected. There is limited computer use in safety-related systems and components. Failures identified in embedded devices have generally not affected the functions performed but have led to errors such as incorrect dates in printouts, logs, or displays. Central control of Y2K program activities, effective QA (including the use of existing plant procedures and controls), and independent peer reviews promote consistency across activities and improve the program. On the basis of these audit observations, the NRC staff concluded that the audited licensees are effectively addressing Y2K issues and are undertaking the actions necessary to achieve Y2K readiness in accordance with the GL 98-01 target date, although some plants will have some remediation, testing, and final certification scheduled for the fall 1999 outage. The NRC staff did not identify any issues that would prevent these licensees from achieving Y2K readiness. Licensee Y2K contingency planning efforts had not progressed far enough during the original 12 audits for a complete NRC staff review of the adequacy of implementation of the Y2K activities. Therefore, the NRC staff audited the contingency planning efforts of six licensees different from the 12 included in the initial sample Y2K readiness audits. These audits focused on the licensee's approach to addressing both internal and external Y2K risks to safe plant operations based on the guidance in NEI/NUSMG 98-07. These audits were completed in June 1999. In addition to NRC staff activities addressed above, NRC regional staff reviewed plant-specific Y2K program implementation activities at all operating nuclear power plants. The regional staff used guidance prepared by NRC Headquarters staff, which conducted the 12 sample audits. These reviews were completed by July 1999. One of the public comments received by NRC in response to the petition indicated that the audits conducted by NRC staff are too few. On the basis of the information above, the NRC staff has reviewed the Y2K programs at all operating nuclear power plants, thereby addressing this comment. NRC staff will continue its oversight of Y2K issues at nuclear power plants through the remainder of 1999. On the basis of the reviews of the licensee responses to GL 98-01, Supplement 1, findings of the additional audits and reviews, and any additional information, NRC will, by September 1999, determine the need for issuing orders to address Y2K readiness issues, including, if warranted, shutdown of a plant. At this time, NRC believes that all licensees will be able to operate their plants safely during the transition from 1999 to 2000 and does not believe that significant plant-specific action directed by NRC is likely to be needed. As discussed above, GL 98-01 set a date of July 1, 1999, for licensees to submit information on their efforts to complete their plant-specific Y2K program. The July 1, 1999, date was selected to ensure that there would be adequate time for the Commission to determine what additional regulatory action, if any, would be necessary to ensure that Y2K problems will not threaten adequate protection to public health and safety. Licensees of plants with a projected completion date by September 30, 1999, will be monitored to ensure that the schedules are maintained. Completion of plant-specific items identified by licensees in the generic letter responses will be documented in routine NRC inspection reports. The licensees of the plants that are scheduled to be Y2K ready after September 30 will receive additional scrutiny on a case-by-case basis to ensure that no Y2K deficiencies remain. If, by September 30, 1999, it appears that Y2K readiness activities will not be completed by December 31, 1999 transition such that there is sufficient assurance that all license conditions and relevant NRC regulations 2 are met, the NRC will take appropriate regulatory action, including the issuance of orders requiring specific actions, if warranted. NIRS presents no information or argument why these above actions by the licensees and the inspection, auditing, and oversight activities of the NRC are insufficient to address Y2K problems, such that actions required in NIRS' proposed rule are necessary. --------------------------------------------------------------------------- \2\ These regulations are-- 10 CFR 50.36, ``Technical Specifications,'' paragraph (c)(3), ``Surveillance requirements,'' and paragraph (c)(5), ``Administrative controls.'' 10 CFR 50.47, ``Emergency Plans,'' paragraph (b)(8). Appendix B to 10 CFR Part 50, Criterion III, ``Design Control,'' and Criterion XVII, ``Quality Assurance Records.'' Appendix E to 10 CFR Part 50, Section VI, ``Emergency Response Data System.'' Appendix A to 10 CFR Part 50, General Design Criterion (GDC) 13, ``Instrumentation and Control''; GDC 19, ``Control Room''; and GDC 23, ``Protection System Failure Modes.'' --------------------------------------------------------------------------- B. The Need for Y2K ``Compliance,'' as Opposed to ``Readiness'' NIRS' proposed rule would require that nuclear power plants be shut down by December 1, 1999, unless licensees demonstrate that Y2K compliance has been achieved. However, NIRS has not explained why ``Y2K compliance,'' as opposed to ``Y2K readiness,'' is necessary. ``Y2K compliant'' is generally understood as referring to computer systems or applications that accurately process date/time data (including but not limited to calculating, comparing, and sequencing) from, into, and between the 20th and 21st centuries, the years 1999 and 2000, and leap- year calculations. ``Y2K ready'' is generally understood as referring to a computer system or application that has been determined to be suitable for continued use into the year 2000 even though the computer system or application is not fully Y2K compliant. For ``Y2K ready'' systems, licensees may have to rely upon work arounds and other activities to ensure that the systems, components, [[Page 45904]] and equipment function as intended. Prudence might lead to Y2K compliance as an objective for remedial activities in order to reduce licensee costs of implementing workarounds and other activities in the interim until full Y2K compliance is achieved. However, protection of public health and safety does not necessitate establishment of Y2K compliance as a regulatory requirement, and failure to achieve compliance should not require plant shutdown, so long as Y2K readiness is achieved. Accordingly, the NRC does not believe that a rule that requires Y2K compliance, or Y2K readiness, is appropriate or necessary for ensuring reasonable assurance of adequate protection at nuclear power plants after December 1, 1999. C. Limited Susceptibility of Nuclear Power Plant Systems to Y2K Problems NRC audits and reviews indicate that most nuclear power plant systems necessary for shutting down the reactor and maintaining it in a safe shutdown condition are not susceptible to Y2K problems. The majority of commercial nuclear power plants have protection systems that are analog rather than digital. Because Y2K concerns are associated with digital systems, analog reactor protection system functions are not affected by the Y2K issue. Errors such as incorrect dates in printouts, logs, or displays have been identified by licensees in safety-related devices, but the errors do not affect the functions performed by the devices or systems. Most Y2K issues are in balance-of- plant and other systems that have no direct functions necessary for safe operation of the reactor. With respect to safety systems using digital electronics that are necessary for performing safe-shutdown and maintaining the reactor in a safe shutdown condition, licensees are undertaking the NEI/NUSMG 97-07 and NEI/NUSMG 98-07 processes described above for addressing Y2K problems. With respect to balance-of-plant systems, licensees implementing their plant-specific Y2K program are classifying important balance-of-plant and other non-safety-related systems (such as those that support continued plant operations, provide information and aid to the plant operators like sequence-of-events monitoring for tracking post-shutdown status of plants, and whose failure could lead to a plant transient or trip) as ``mission-critical'' or ``high.'' Systems and equipment classified as mission-critical or high, when found to be Y2K susceptible during the assessment stage of the Y2K program, are also scheduled to be remediated similar to safety-related systems. In sum, the NRC believes that the actual scope of plant systems necessary to provide reasonable assurance of adequate protection to public health and safety, which are potentially susceptible to Y2K problems, is relatively limited and that the licensees' current activities are sufficient to ensure that Y2K problems will not adversely affect safety-related or balance-of-plant systems. D. Public Comments One public comment in support of the NIRS petition stated that embedded chips are difficult to identify and the effects of their failures are poorly understood, especially in the U.S. power grid. When the NRC staff was developing GL 98-01, it recognized that embedded systems pose a potential Y2K problem that must be recognized and addressed in any successful Y2K effort. Accordingly, GL 98-01 informed licensees that Y2K programs should be augmented to address remediation of embedded systems. Licensees have stated in their responses to the generic letter that embedded systems are being addressed in their Y2K programs, and these statements have been confirmed by NRC audits to date. NRC understands that the electric utilities providing power to the grid have similar efforts underway that are being monitored by the North American Electric Reliability Council. One public comment in support of the petition indicated that the rule should require nuclear power plants to shut down 6 months before the end of 1999 to allow a safe period of time to shut down the plant. The NRC does not agree that it takes 6 months to safely shut down a plant. Under normal conditions, it takes several hours to safely shut down a nuclear power plant by reducing reactor power gradually. However, in an emergency, the reactor can be shut down safely within seconds, either automatically or manually. The reactor will be shut down automatically by the reactor protection system upon the sensing of an unusual condition. Moreover, the operator always has the capability to manually shut down the reactor using the reactor protection system. Accordingly, the NRC does not agree that it is necessary to shut down nuclear power plants 6 months before the end of 1999 in order to ensure a safe shutdown of the plants. A commenter in favor of the petition stated that the Y2K problem could increase the chance of a meltdown. However, the commenter did not provide any basis for this assertion. The NRC disagrees with the commenter. Safety functions performed by the reactor protection system for shutting down the reactor and by the engineered safety features actuation for mitigating accidents, cooling down the reactor, and providing emergency power to safety systems upon a loss of offsite power are not affected by the Y2K problem. Although there is some concern that the reliability of the offsite power sources may be lower during the Y2K transition, if a loss of offsite power were to occur because of Y2K, the plant would trip automatically because all nuclear plants are designed for such an event. The emergency onsite power supply system would provide power to the safety system equipment automatically. This sequence of events is not affected by the Y2K problem because all these safety systems do not rely upon computer- operated systems or components that are date-sensitive. For these reasons, the NRC disagrees that a Y2K problem could increase the probability of a core melt accident at a nuclear power plant. One public comment in support of the petition indicated that the audits conducted by NRC staff are too few. The NRC has responded to this comment in section I.A. E. Summary The NRC believes that licensees' Y2K activities and programs, considered together with NRC oversight activities, provide a reasonable approach for ensuring that Y2K problems will not pose an unreasonable threat to public health and safety. NIRS has not explained why this regulatory approach will not provide reasonable assurance of adequate protection from any potential Y2K-initiated problems at operating nuclear power plants, such that the rule proposed by NIRS is necessary. II. Part 50 Non-Power Reactor Licensees NRC used several methods to inform all non-power reactor (NPR) licensees of the need to ensure that their facilities are ready for the year 2000. In 1996, NRC staff contacted all NPR licensees informing them of a potential for problems in systems either controlling or supporting the reactor because of Y2K issues. In December 1996, NRC issued IN 96-70 to alert nuclear facility licensees to the Y2K problem. IN 96-70 described the potential problems that nuclear power plant computer systems and software may encounter as a result of the change to the new century and how the Y2K issue may affect NRC licensees. IN 96-70 encouraged all licensees to examine their uses of computer systems and software well [[Page 45905]] before the year 2000. IN 96-70 also suggested that licensees consider appropriate actions for examining and evaluating their computer systems for Y2K vulnerabilities. NRC also coordinated with the Organization of Test, Research and Training Reactors (TRTR) to distribute information about the Y2K problem through TRTR newsletters. These newsletters were distributed to all members of the organization to focus attention on the Y2K problem and related ongoing activities. The staff at all 37 licensees with operating reactors receive copies of the TRTR newsletter. The TRTR newsletters articles included ``Concerns about the Millennium,'' February 1997; ``Year 2000 Concerns,'' February 1998; ``NRC Response on Year 2000,'' May 1998; ``More on the Y2K Issue,'' August 1998; and ``Another Y2000 Notice,'' November 1998. NRC staff has confirmed through several telephone conversations and discussions during inspections that all licensees of operating reactors are aware of the Y2K concerns and have ongoing actions to be Y2K ready by the end of the year or sooner. Since 1998, while conducting inspections of NPR facilities, the NRC staff is also verifying that licensees are addressing the Y2K problem with regard to reactor safety. NRC staff has inspected about 50 percent of the operating reactors and intends to complete the inspections of all operating NPRs by October 1999. These inspections will verify that the licensees have programs to deal with Y2K and that all digital safety equipment at these facilities are considered in the program. Moreover, most institutions that operate the NPRs have their own Y2K programs that include the NPRs. The safety systems at most operating reactors are analog systems that are not affected by the Y2K problem. Several operating reactors have digital safety equipment that provides instrument indication to the facility operator that is part of the licensee's Y2K program. Also, seven of these reactors have digital reactor protection system functions also considered in the licensee's Y2K program. These systems operate in parallel with the analog reactor protection systems, which are not affected by Y2K. Also, the digital systems initiate reactor scrams in case of a malfunction in the digital equipment. The analog systems generally provide the required reactor safety functions. The analog systems are independent of the digital equipment and have built- in redundancy to ensure that the reactor scrams. The power levels of these reactors are low (up to a maximum of 2 MWt) and many of them operate at low temperatures in relatively large pools of water. The only safety function that is generally required is for the reactor to scram. Thus, the Y2K concern poses very low risk. NIRS does not explain why the licensees' Y2K program activities and NRC's oversight of the licensees' implementation of the programs are inadequate such that the rule proposed by NIRS is necessary to provide reasonable assurance of adequate protection. III. Part 50 Decommissioning Nuclear Power Plant Licensees The suggested rule language in the petition would require that all facilities not compliant with Y2K issues be shut down by December 1, 1999. Nuclear power plants that are permanently shutdown with fuel removed from the reactor core would, therefore, not be subject to the rule as proposed by NIRS. However, since the purpose of the proposed rule appears to be directed to ensuring that Y2K problems at all nuclear power plants--both operating and decommissioning--will not pose a threat to public health and safety, the following discussion on the activities for addressing the Y2K problem at decommissioning nuclear power plants is provided. There are two potential radiological health and safety concerns with respect to Y2K problems at decommissioning plants: (1) spent fuel storage, including site security; and (2) the actual conduct of dismantlement and decommissioning activities. Of greater concern is the spent fuel storage. The concerns in this area relate to providing sufficient cooling to the spent fuel and providing sufficient security against diversion and sabotage of the spent fuel. There are 21 decommissioning nuclear power plants that have been shut down more than a year, 6 of which have had spent fuel removed from the site. Accordingly, there are only 15 decommissioning nuclear power plants where spent fuel storage is of concern. Although licensees for all of these facilities are implementing Y2K programs, it is unlikely that Y2K problems would pose a significant problem to providing sufficient spent fuel cooling. First, electrical and makeup water systems for spent fuel pools are not computer-controlled. Moreover, even if there was an interruption in electrical power, there is a long time period for the licensee to respond to the problem before integrity of the spent fuel rods becomes an issue because sufficient time is available to take compensatory action before boiling starts. The spent fuel pool is conservatively estimated (based on the Zion units) to begin boiling 68 hours after loss of the spent fuel pool cooling system. Boiling does not become a concern until the fuel rods begin to be uncovered by boil- off of cooling water. Since fuel rods are normally covered by 23 feet of water (for purposes of shielding), and it would take approximately two weeks or more to begin uncovering the spent fuel rods (assuming that no make-up water is added to the pool), the NRC believes that there is sufficient time to recover electrical power and/or provide makeup water to prevent the fuel rods from uncovering. The other threat to spent fuel is diversion and sabotage. Licensees of decommissioning reactors are taking steps to ensure that Y2K problems will not disable necessary security and safeguards systems and controls. Licensees with computer-based site security systems that have been identified as potentially Y2K vulnerable have tested the system for Y2K, upgraded the system to be Y2K compliant, or will make the system Y2K compliant before the end of 1999. With respect to the safety of conducting dismantlement and decommissioning activities, the NRC does not believe that these activities are subject to Y2K problems that would pose a threat to public health and safety because the conduct of these activities in the field do not rely upon computer-controlled devices to ensure protection against radiological dangers. In sum, licensees of decommissioning nuclear power plants are implementing Y2K activities that address equipment and systems important to safety, such that there is reasonable assurance of adequate protection to public health and safety. IV. Major Parts 40 and 70 Licensees To alert major Parts 40 and 70 licensees of the potential Y2K problem, NRC issued Information Notice (IN) 96-70, ``Year 2000 Effect on Computer System Software,'' dated December 24, 1996. IN 96-70 described the potential Y2K problems, encouraged licensees to examine their uses of computer systems and software well before the year 2000, and suggested that licensees consider appropriate actions to examine and evaluate their computer systems for Y2K vulnerabilities. In order to gather Y2K information regarding materials and major fuel cycle facilities, NRC formed a Y2K Team within the Office of Nuclear Material Safety and Safeguards (NMSS) in 1997. From September 1997 through December 1997, this NMSS Y2K Team visited a cross-section of materials [[Page 45906]] licensees and fuel cycle facilities and conducted Y2K interviews. Each licensee or facility visited by the team indicated that they were aware of the Y2K issue and were in various stages of implementing their Y2K readiness program. On June 22, 1998, the NRC staff issued Generic Letter (GL) 98-03, ``NMSS Licensees' and Certificate Holders' Year 2000 Readiness Programs.'' This GL requested major Parts 40 and 70 licensees to submit by September 20, 1998, written responses regarding their facility- specific Y2K readiness program in order to confirm that they were addressing the Y2K problem effectively. All licensees responded to GL 98-03 by stating that they have adopted a facility-specific Y2K readiness program and that the scope of the program included identifying and, where appropriate, remediating, hardware, software, and embedded systems, and provided for risk management and the development of contingency plans. GL 98-03 also requested a written response, no later than December 31, 1998, which confirmed that these facilities were Y2K ready or provided a status report of work remaining to be done to become Y2K ready, including completion schedules. All licensees provided a second response to GL 98-03, which identified work remaining to be done, including completion schedules. Furthermore, following the second response, NRC requested a third written response, no later than July 1, 1999, which would confirm that these facilities are Y2K ready or would provide an updated status report. On August 12, 1998, IN 98-30, ``Effect of the Year 2000 Computer Problem on NRC Licensees and Certificate Holders,'' provided licensees additional information on the Y2K issue. IN 98-30 provided definitions of ``Y2K ready'' and ``Y2K compliant,'' encouraged licensees to contact vendors and test their systems for Y2K problems, and described elements of a Y2K readiness program. Between September 1997 and October 1998, the major Parts 40 & 70 licensees were also asked Y2K questions during other inspections. Based on these Y2K inspections, the licensees were aware of the Y2K problem and were adequately addressing Y2K issues. There have been no identified risk-significant Y2K concerns for major Parts 40 and 70 licensees. NIRS' proposed rule would require that licensees be shutdown by December 1, 1999, unless licensees demonstrate that ``Y2K compliance'' has been achieved. However, NIRS has not explained why ``Y2K compliance'' as opposed to ``Y2K readiness'' is necessary. NIRS asserted that NRC has not made explicit how it will define ``Y2K compliance.'' However, NRC explicitly defined the terms ``Y2K ready'' and ``Y2K compliant'' in GL 98-03. ``Y2K ready'' was defined as a computer system or application that has been determined to be suitable for continued use into the year 2000, even though the computer system or application is not Y2K compliant. ``Y2K compliant'' was defined as a computer system or application that accurately processes date/time data (including, but not limited to, calculating, comparing, and sequencing) from, into, and between the years 1999 and 2000, and beyond, including leap-year calculations. Thus, by definition, systems that are ``Y2K ready'' are able to perform their functions properly. There is no discernable safety reason why achieving Y2K readiness rather than Y2K compliance should result in facility shutdown. Accordingly, there is no basis for requiring facility shutdown if a licensee cannot demonstrate Y2K compliance. NIRS presents no information or argument why those actions by the licensees and NRC described above are insufficient to address Y2K problems and to demonstrate that reasonable assurance of adequate protection will not be provided after December 1, 1999, so that facility shutdown is necessary. V. Part 30 and Minor Parts 40 and 70 Licensees To alert Part 30 and minor Parts 40 and 70 licensees, the NRC issued INs 96-70 and 98-30, which have been discussed in Section IV, ``Major Parts 40 and 70 Licensees.'' In addition to the efforts by the NMSS Y2K Team to gather information regarding materials licensees and major fuel facilities from September through December 1997, discussed under Section IV, NMSS staff also conducted telephone interviews with device manufacturers and distributors. Further, NRC determined that few of approximately 5,800 materials licensees use processes or have safety systems that are computer-controlled, thus minimizing potential Y2K impacts. The interviews and site visits confirmed that licensees were identifying and addressing potential Y2K problems. From the interviews conducted by the NMSS Y2K Team, NRC learned that early versions of some treatment planning systems (computer systems for calculating dose to medical patients being treated with radiation or radioactive material) have Y2K problems and that upgrades for treatment planning systems were available. However, treatment planning systems are regulated by the U.S. Food and Drug Administration (FDA) and not by NRC because the systems do not contain licensed material. NRC has shared information on non-Y2K-compliant treatment planning systems with the FDA. For materials licensees, the NMSS Y2K Team did not identify any Y2K issues for NRC-regulated material. As a result of the interviews and site visits, NRC's focus has been to determine if any commercially available devices (medical and industrial) have potential Y2K vulnerabilities and to ensure that licensees evaluate self-developed systems, commercial off-the shelf software and hardware, and safety systems. In addition to Y2K interviews, materials inspectors have been instructed to confirm receipt of NRC's information notices, determine whether the licensees have identified any potential problems associated with the Y2K issue, and note any corrective actions taken by the licensees. Through the routine inspection process, NRC has made assessments of the Y2K status of its materials licensees and continues to do so. To date, only the treatment planning systems described above, dose calibrators, and a tote position display for an irradiator have been identified through the inspection process as having Y2K problems. NRC materials inspectors have indicated that licensees are aware of available upgrades for treatment planning systems and dose calibrators. The irradiator tote position display is not a safety system. Further, the irradiator tote position display system that had the Y2K problem was a one-of-a-kind modification made by the licensee (the licensee was authorized by NRC to make the modification). The irradiator licensee is updating the tote position display system to eliminate the Y2K problem. No generic Y2K issues for NRC-regulated material used by materials licensees have been identified. NIRS asserted that NRC has not made explicit what it plans to do about those facilities that cannot prove compliance. As discussed in Section IV, ``Major Parts 40 and 70 Licensees'' above, NIRS has not explained why ``Y2K compliance'' as opposed to ``Y2K readiness'' is necessary. Furthermore, Y2K readiness is not required for protection of public health and safety for Part 30 and minor Parts 40 and 70 licensees due to the amount and type of licensed material used by them. The risks to the public from these facilities are low. In addition, NRC has determined that few of the [[Page 45907]] approximately 5,800 materials licensees use processes or have safety systems that are computer-controlled, thus minimizing potential Y2K impacts. Accordingly, there is no basis for requiring facility shutdown if a licensee cannot demonstrate ``Y2K compliance.'' NIRS presents no information or argument why those actions by the licensees and NRC described above are insufficient to address Y2K problems and to demonstrate that reasonable assurance of adequate protection will not be provided after December 1, 1999, so that facility shutdown is necessary. VI. Public Information NIRS requested in item (c) of its petition that NRC adopt regulations that would require that licensees make available to the public by December 1, 1999, all information related to the examination and repair, modification, and/or replacement of all computer systems, embedded chips, and other electronic equipment that may be date- sensitive. NIRS indicated that this rule provision is necessary in order to allow ``independent experts'' and the public to examine this information. The NRC has already made available to the public substantial information on Y2K and the status of licensees' activities to address potential Y2K problems and will continue to make this information public. The audit reports of the NRC staff reviews of the 12 nuclear power plant-specific Y2K readiness project activities and documentation are publicly available both in the Public Document Rooms and the NRC Year 2000 Web site. The Y2K readiness information submitted in July 1999 by nuclear power plant licensees under GL 98-01, Supplement 1, is available to the public, as with any other correspondence that is received from licensees. The reports documenting the NRC staff audits of the six nuclear power plant-specific contingency planning activities and the results of the facility-specific Y2K program reviews of all operating nuclear power plants are also available to the public. The NRC inspection reports with Y2K information from Parts 30, 40, and 70 licensees and the licensees' responses to GL 98-03 have been placed in the PDR. Summaries of (1) inspection reports with Y2K information, (2) GL 98-03 responses, and (3) interviews with a cross-section of materials and fuel cycle licensees on Y2K issues are available on the NRC Year 2000 Web site. In view of the information that has been made available and will be made available to the public, NIRS has not provided any basis for requiring licensees, by rule, to provide public access to Y2K information beyond that which the NRC has determined must be submitted to the NRC in furtherance of the NRC's regulatory oversight. Conclusion The rule proposed by NIRS is not needed because the Commission has determined that the activities taken by licensees to implement a systematic and structured facility-specific Y2K readiness program, together with the NRC's oversight of the licensees' implementation of these Y2K readiness programs, provide reasonable assurance of adequate protection to public health and safety. For these reasons, the Commission denies the petition. Dated at Rockville, Maryland, this 17th day of August, 1999. For the Nuclear Regulatory Commission. Andrew L. Bates, Acting Secretary of the Commission. [FR Doc. 99-21750 Filed 8-20-99; 8:45 am] BILLING CODE 7590-01-P
