[Senate Hearing 106-44]
[From the U.S. Government Publishing Office]
S. Hrg. 106-44
NUCLEAR AND CHEMICAL SAFETY: Y2K ISSUES
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
CLEAN AIR, WETLANDS, PRIVATE PROPERTY AND NUCLEAR SAFETY
OF THE
COMMITTEE ON
ENVIRONMENT AND PUBLIC WORKS
UNITED STATES SENATE
ONE HUNDRED SIXTH CONGRESS
FIRST SESSION
__________
FEBRUARY 24, 1999
__________
Printed for the use of the Committee on Environment and Public Works
-----------
U.S. GOVERNMENT PRINTING OFFICE
55-952 cc WASHINGTON : 1999
_______________________________________________________________________
For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington DC
20402
COMMITTEE ON ENVIRONMENT AND PUBLIC WORKS
ONE HUNDRED SIXTH CONGRESS
JOHN H. CHAFEE, Rhode Island, Chairman
JOHN W. WARNER, Virginia MAX BAUCUS, Montana
ROBERT SMITH, New Hampshire DANIEL PATRICK MOYNIHAN, New York
JAMES M. INHOFE, Oklahoma FRANK R. LAUTENBERG, New Jersey
CRAIG THOMAS, Wyoming HARRY REID, Nevada
CHRISTOPHER S. BOND, Missouri BOB GRAHAM, Florida
GEORGE V. VOINOVICH, Ohio JOSEPH I. LIEBERMAN, Connecticut
MICHAEL D. CRAPO, Idaho BARBARA BOXER, California
ROBERT F. BENNETT, Utah RON WYDEN, Oregon
KAY BAILEY HUTCHISON, Texas
Jimmie Powell, Staff Director
J. Thomas Sliter, Minority Staff Director
------
Subcommittee on Clean Air, Wetlands, Private Property, and Nuclear
Safety
JAMES M. INHOFE, North Carolina, Chairman
GEORGE V. VOINOVICH, Ohio BOB GRAHAM, Florida
ROBERT E. BENNETT, Utah JOSEPH I. LIEBERMAN, Connecticut
KAY BAILEY HUTCHISON, Texas BARBARA BOXER, California
(ii)
C O N T E N T S
----------
Page
FEBRUARY 24, 1999
OPENING STATEMENTS
Inhofe, Hon. James M., U.S. Senator from the State of Oklahoma... 1
WITNESSES
Poje, Gerald, Board Member, U.S. Chemical Safety and Hazard
Investigation Board............................................ 2
Prepared statement........................................... 18
Swanson, David, Senior Vice President, Ciritical Issues, Edison
Electric Institute............................................. 6
Prepared statement........................................... 47
Travers, William D., Executive Director for Operations, Nuclear
Regulatory Commission.......................................... 5
Prepared statement........................................... 43
ADDITIONAL MATERIALS
Report, Preparing the Electrical Power Systems of North America
for Transition to the Year 2000, prepared for the Department of
Energy by the North American Electric Reliability Council...... 51
(iii)
NUCLEAR AND CHEMICAL SAFETY: Y2K ISSUES
----------
WEDNESDAY, FEBRUARY 24, 1999
U.S. Senate,
Committee on Environment and Public Works,
Subcommittee on Clean Air, Wetlands,
Private Property and Nuclear Safety,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:20 p.m. in
room 216, Hart Senate Building, Hon. James M. Inhofe (chairman
of the subcommittee) presiding.
Present: Senator Inhofe.
OPENING STATEMENT OF HON. JAMES M. INHOFE,
U.S. SENATOR FROM THE STATE OF OKLAHOMA
Senator Inhofe. The hearing will come to order.
I was commenting to our guests here today that this morning
when we had our Y2K (Year 2000) compliance hearing before the
committee that I chair in the Senate Armed Services Committee,
the Readiness Committee, we filled the room and had standing
room only. That's certainly not a reflection on the witnesses,
let me assure you.
It's very difficult in the afternoon to get members here
because, as you know, we are on the floor right now, but it is
very, very significant that we have this hearing. It does
affect some of the entities within the jurisdiction of the
Subcommittee on Clean Air, Property Rights, Wetlands and
Nuclear Safety.
I think it's very important to take all three perspectives
into account. The power disruptions from nuclear and electrical
power plants can cause problems for facilities that store and
use toxic chemicals. The Y2K bug potential power outages can
cause computer systems failures for any program controlled by a
PC such as fire alarms, thermostats, security systems, door
locks and heating and air conditioning systems just to name a
few.
We are concerned and this morning it seemed as if the
reaction to the trauma that would be inflicted by this
potentially, at least in this morning's hearing, was all the
way from nothing to being completely wiped out. So we'll try to
find out where we are in these specific areas.
I would like to hear from the witnesses today on three
specific areas. No. 1, are the facilities on track for
responding to the Y2K issue. No. 2, are the Federal agencies
taking the necessary precautions to safeguard the safety. No.
3, what remains to be done. And, to also kind of get an idea of
where we are on schedule.
It's an honor to have such a distinguished panel which
consists of: Gerald Poje, board member with the U.S. Chemical
Safety and Hazard Investigation Board in Washington; William D.
Travers, executive director for Operations of the NRC; and Mr.
David Swanson, senior vice president, Critical Issues, Edison
Electric Institute.
Mr. Poje.
STATEMENT OF GERALD POJE, BOARD MEMBER,
U.S. CHEMICAL SAFETY AND HAZARD INVESTIGATION BOARD
Mr. Poje. Thank you, Mr. Chairman.
I'm Gerald Poje, one of the four members of the U.S.
Chemical Safety and Hazard Investigation Board. We've all been
nominated by the President and confirmed by the U.S. Senate.
My special emphasis is toxicology and policies dealing with
chemical hazards. I oversee the Board's efforts in reducing
risk of accidents associated with the Year 2000 computer
problems.
Today, I appear before you at the behest of our chairman,
Paul L. Hill, Jr., to whom you addressed your request for
testimony from our agency. Dr. Hill and I thank you for
inviting the Board to testify regarding this critical issue.
The Chemical Safety Board is an independent Federal agency
with the mission of ensuring the safety of workers and the
public by preventing or minimizing the effects of industrial
and commercial chemical incidents. The CSB is a scientific
investigatory organization with the responsibility for finding
ways to prevent or minimize the effects of chemical accidents
at commercial and industrial facilities and in transport. The
CSB is not an enforcement or regulatory body.
The problem before this committee today is urgent and
significant. According to the Environmental Protection Agency,
85 million Americans live, work and play within a 5-mile radius
of 66,000 facilities handling regulated amounts of high hazard
chemicals. Yet even this estimate may underestimate the full
risk to the U.S. population.
In November, Senators Bennett and Dodd of the U.S. Senate
Special Committee on the Year 2000 Technology Problem asked the
Chemical Safety Board to investigate the issues of chemical
safety and the Year 2000 computer technology problem.
The Senate Special Committee requested evaluation of the
extent of this problem as it pertains to the automation systems
and embedded systems that monitor and control the manufacture
of toxic and hazardous chemicals or safety systems that protect
processes, the awareness of large, medium and small companies
within the industry of the Year 2000 threat and their progress
to date in addressing the Year 2000 problem; the impact of the
Year 2000 technology problem on EPA's risk management plans
required in June 1999; and the role Federal agencies are
playing in preventing disasters due to the Year 2000 problem.
On December 18, 1998, our Board convened an expert workshop
on Y2K and chemical safety involving leaders from industries,
equipment vendors, insurance companies, regulatory agencies,
resource agencies, universities, labor organizations,
environmental organizations, trade organizations, professional
engineering associations and health and safety organizations.
The Board found that the Year 2000 problem is significant
and unprecedented as a problem in the chemical manufacturing
and handling sector. It poses unique risks to business
continuity and worker and public health and safety.
Four points should be drawn from our meetings and research
to date. First, large enterprises with sufficient awareness,
leadership, planning, financial and human resources are
unlikely to experience catastrophic failures and business
continuity problems unless their current progress is
interrupted or there are massive failures of utilities and
other sectors.
Second, the overall situation with small- and mid-sized
enterprises is indeterminate but efforts on the Y2K problem
appear to be less than appropriate based on input from many
experts.
Third, while the impact of the risk management plan should
be positive, there are no special emphases or even specific
mention of Year 2000 technology hazards in either USEPA or
Occupational Safety and Health Administration regulations
regarding process safety.
Fourth, Federal agencies are aware of and involved in Year
2000 technology and chemical safety issues. However,
significant gaps exist and there do not appear to be specific
plans to address these gaps.
It is important to point out that the Y2K compliance
activities reported to the Chemical Safety Board to date have
not found a single failure either of embedded microchips or
software which by itself could cause catastrophic chemical
accidents. However, it is unclear what the outcome might be
from multiple failures, that is, multiple control system
failures, multiple utility failures, or a combination of
utility and control system failures.
Surveillance of the industry sector that handles high
hazard chemicals is insufficient to draw detailed conclusions
regarding Y2K compliance efforts, especially for small- and
mid-sized enterprises. Given the time constraints altering the
situation requires a massive effort. The Board has concluded
that this effort should focus on first, providing easy to use
tools; second, promoting accessible resources; and third,
providing attractive incentives for Y2K compliance efforts.
Additional efforts should be the focus of an urgent meeting of
agencies convened by the Administration.
Special expert workshop attendees reached consensus on the
importance of four issues related to the Y2K problem and
chemical safety: small- and medium-sized enterprises risks and
needs; risk management programs and their applicability to the
Y2K problem; utility continuity issues; and finally, a
responsive communication among the stakeholders.
For small- and medium-sized enterprises, failure from Y2K
noncompliance is more likely for three reasons: a general lack
of awareness regarding process safety and a particular lack of
awareness of the Y2K impact; a lack of financial resources; and
lack of technical know-how for fixing the problems. Given the
time constraints, altering this situation will require an
accelerated action.
Under risk management, there is a general consensus that
facilities doing an effective job in managing their risks
should not see any major health and safety problems associated
with internal Y2K issues as long as they have a serious Y2K
management program.
Risk management generally consists of a variety of programs
and activities to assess and manage risks. To be fully
effective, these programs must be implemented with the complete
involvement of the management, labor, and local responders.
Risk management also includes the utilization of best
practices, equipment procedures, auditing, testing and
certification, adherence to industrial and professional society
standards, and compliance with applicable regulations such as
the OSHA process safety management rule and the EPA risk
management program.
The chemical processing industry has practiced these risk
management principles for a long time. However, the Y2K issue
will test the existing system of safety and failure will likely
engender review of policy issues as well as review of
industrial programs and practices.
Under utility continuity, a major threat to facilities
could be from external failure such as electrical, natural gas,
water and wastewater utilities failures. Concerned about the
reliability of electric power supply, many members of the
chemical processing industry are seeking ways to assess the
vulnerability of their specific utility.
For managers of some facilities that draw high power loads,
prudent safety practice may determine that the plant be shut
down during critical time periods and restart at a later date.
However, such decisions should not be made without
communicating these planned actions with their utilities in
order to prevent problems on the power grid.
Responsive communication and trust between stakeholders is
of tremendous importance in resolving the Y2K-related problems.
Stakeholders in the context of the chemical safety arena
include corporate and facility managers, operators, other
workers, vendors, equipment manufacturers, unions, trade
associations, regulators, nonregulatory agencies, emergency
responders, insurance companies, community organizations and
environmental organizations.
While logistics and timing problems may prevent a
regulatory approach for assuring Y2K compliance, voluntarily
communicating accurate and relevant information to the public
on the status of Y2K compliance is essential to avoid chaos and
panic and allay public fears and promote more rational
behavior.
Contingency planning risk management and decisions
concerning shutdown must also involve communication amongst
these stakeholders. Knowledge is key to responsive
communications and therefore, Y2K contingency planning and
responsive communications should be enhanced through training
and education efforts in the public and private sector
developed to address the challenges of Y2K-related incidents
and scenarios.
In summary, the Year 2000 technology problem is a
significant problem in the chemical manufacturing sector and
handling sector. It poses unique risks to business continuity
and worker and public health and safety. Large enterprises with
sufficient awareness, leadership planning, financial and human
resources are unlikely to experience catastrophic failures and
business continuity problems unless their current progress is
interrupted or there are massive failures of utilities.
The overall situation with small- and mid-sized enterprises
is indeterminant but efforts on the Y2K problem appear to be
less than appropriate based on inputs from many people to the
Safety Board.
I'd be happy to answer your questions at an appropriate
time.
Senator Inhofe. Thank you, Mr. Poje.
Mr. Travers.
STATEMENT OF WILLIAM D. TRAVERS, EXECUTIVE DIRECTOR FOR
OPERATIONS, NUCLEAR REGULATORY COMMISSION
Mr. Travers. Thank you, Mr. Chairman.
I am pleased to be here today on behalf of the Nuclear
Regulatory Commission to discuss the status of our response to
the potential Year 2000 computer problem, particularly as it
relates to nuclear power plants.
NRC's Y2K nuclear activities can be divided into three
basic areas: our actions internal to the NRC; our interactions
with our licensees in the nuclear power industry and our
broader interactions; both nationally and internationally.
Relative to our internal efforts, I'm pleased to tell you
that as of February 5, 1999, all 88 of NRC's mission critical,
business essential and non-critical systems have been examined
and, as needed, fixed. The most recent report from Congressman
Horn on government agency Y2K progress gave NRC's efforts an
overall ``A'' grade.
Relative to our interactions externally, the NRC has been
working with nuclear industry organizations and our licensees
since 1996 to address the Y2K problem. In 1997, the Nuclear
Energy Institute, NEI, agreed to take the lead in developing
industrywide guidance for addressing the Y2K problem at nuclear
power reactors. In 1998, the NRC accepted the NEI guidance as
an appropriate program for nuclear power plant Y2K readiness.
Thus far, all of our licensees have notified NRC that they
have adopted plant-specific programs which meet this guidance
and that they are working to be Y2K ready by July 1, 1999. Any
nuclear plant which is not Y2K ready by July 1, 1999 must
provide a schedule for remaining work and the NRC will assess
these responses by September 30, 1999 to determine if any
further plant-specific regulatory actions are needed.
In order to provide for an appropriate level of independent
NRC oversight, the NRC staff has conducted 12 planned audits at
nuclear power plants of their Y2K readiness programs. The
audits included a variety of types of plants of different ages,
vendor design and locations. The results of these audits, which
have been documented in NRC-issued audit reports, indicate that
nuclear power plants are effectively addressing Y2K readiness
issues.
To date, the NRC staff has not identified any Y2K problems
that impact the safety function of nuclear plant equipment. The
majority of commercial nuclear power plants have protection
systems that are analog rather than digital or computer-based
and thus are not impacted by the Y2K problem. Most Y2K problems
that have been identified are associated with nonsafety support
systems. In addition to the 12 audits, NRC resident inspectors
who are assigned to all power reactor sites will carry out
reviews of licensee Y2K readiness activities.
In order to address the possibility of unanticipated Y2K
problems, the NRC and the nuclear industry have determined that
contingency plans should be developed. NEI has issued
additional guidance for contingency planning which is being
incorporated into the Y2K readiness programs by all US nuclear
power reactors.
The NRC will conduct six reviews of licensee contingency
plans which will be completed by June 1999. Additionally,
resident inspectors at all power reactor sites will carry out
reviews of utility contingency plans.
Although the primary focus of NRC Y2K activities has been
nuclear safety, we recognize the national importance of a
broader focus that helps to ensure that potential concerns with
electrical grid reliability are identified and resolved. To
this end, the NRC supports the efforts of the President's
Council on Y2K Conversion and in fact, is a member of the
Energy Electric Power Sector Working Group.
The NRC is also developing its own Y2K contingency plan to
enable us to respond rapidly to unanticipated Y2K events. The
draft NRC Y2K contingency plan is being coordinated with the
U.S. nuclear power industry, other Federal agencies, including
FEMA, State governments, and international regulatory
organizations.
In early October, the NRC plans to conduct a Y2K exercise
which is intended to assure that all aspects of our Y2K
contingency plan are in place and effective. Regulators from
Taiwan, Japan, Finland, Sweden and the United Kingdom have all
expressed an interest in participating in this exercise.
The NRC is also actively involved in promoting awareness of
Y2K readiness issues internationally. For example, in
preparation for the 42d IAEA general conference in Vienna in
September, the NRC took the lead in drafting a resolution on
Y2K readiness. That resolution urged, among other things, that
member States submit information to the IAEA on their Y2K
activities and that the IAEA act as a central coordination
point for information sharing.
In summary, the NRC has been proactive in addressing the
Y2K problems internal to the NRC and with our licensees.
Additionally, we continue to work both nationally and
internationally to promote awareness and to provide assistance.
To date, we have determined that the nuclear power industry has
been effectively addressing the Y2K problem. Further, we
believe that we have established an appropriate regulatory
framework that is focused on assuring that the Y2K problem will
not have an adverse impact on nuclear power plant safety.
We look forward to working with the subcommittee and
certainly welcome any questions you may have.
Thank you, Mr. Chairman.
Senator Inhofe. Thank you, Mr. Travers.
Mr. Swanson.
STATEMENT OF DAVID SWANSON, SENIOR VICE PRESIDENT, CRITICAL
ISSUES, EDISON ELECTRIC INSTITUTE
Mr. Swanson. Thank you very much, Mr. Chairman, for the
opportunity to appear before the subcommittee today. The
subject that you are addressing is important and we in the
electric utility industry appreciate the interest of you and
your colleagues.
Let me begin by emphasizing the conclusion that we have
reached as a result of the Y2K readiness assessment work the
industry is undertaking. The electric utility industry is
cautiously optimistic that Y2K will not present us or the
American people with an electric supply problem during the Y2K
transition.
Why do we say this and what does it mean and how can we be
sure that our cautious optimism is warranted? Since early 1998,
utilities began to inventory and test their operating systems
for Y2K failures. In June, they joined together in an
industrywide effort to jointly demonstrate the results and
thoroughness of their individual efforts. The Department of
Energy provided the impetus for this decision and it has been a
great pleasure working with them and the President's Council as
this work has gone forward.
Last spring, the North American Electric Reliability
Council was requested by DOE to assess electric utility Y2K
readiness and ensure that electric systems would operate
reliably into 2000. EEI, the American Public Power Association,
the North Rural Electric Cooperative Association, the Canadian
Electric Association and the Utility Telecommunications Council
have all provided major resources in support of this effort.
As a result of this unprecedented level of cooperation and
dedication, virtually 100 percent of all electric operating
entities are now participating in this assessment. Companies,
depending on size and configuration, are spending up to $100
million, in some cases more, on this effort; 88 percent have
officers directing their Y2K efforts and 84 percent report to
their boards of directors on the status of their Y2K efforts.
As of today, nearly 60 percent of mission critical
operating equipment has been tested and found ready now for
operating over the Year 2000 transition. Problems have been far
fewer in number than expected and most only affect minor
matters. We have not found in any of the systems we have tested
systemic problems which could, when fixed, lead to serious or
widespread problems.
We are on a schedule to have tested by June 30, 1999 more
than enough equipment to supply the load we expect on January
1, 2000. Additional units or equipment that have not been
tested by June 30, 1999 will be on a specific exceptions list
made public with specified completion dates. Overall, we
believe we will have our systems ready with more than adequate
reserves for the transition.
In addition, we are scheduling two special days in April
and September for testing our contingency plans. The first on
the rollover to the 99th day of 1999, April 8-9, we will be
focusing on our backup communications capabilities and our
ability to obtain information from and execute controls at
remote substations. This will be a test where we do not alter
operations of the systems, but we will be testing our ability
to have and use backup communications equipment.
The second is a near dress rehearsal for New Year's Eve.
This will occur on September 8-9, 1999, the 9-9-99 date. We are
in the planning stage for this event now and will be announcing
our more detailed plan soon.
Critical infrastructures such as telecommunications and
natural gas are being factored into our planning. The
coordination with State and local emergency service providers
is also being considered as we complete planning for this
event. In addition, the industry has several testing programs
underway or in planning with the telecommunications industry.
The work that has been done and will continue to be done by
this industry has been fully cooperative and completely open.
We think this is the best Y2K readiness program in the energy
world.
Another challenge this year is to meet and communicate with
our customers, stay close to our regulators and to work with
State and Federal legislative and administrative bodies to
provide the American people with information they can use to
make wise decisions on how they should prepare for this
rollover into the next millennium.
Chemical manufacturers and other large industrial customers
with special needs should communicate with and work closely
with their local utilities and we with them to make sure both
parties know each others plans and needs so that things go as
smoothly as possible.
Finally, Mr. Chairman, congressional hearings like this one
today help foster this open dialogue. They are an important
part of the overall coordination effort.
Thank you once again for the opportunity to appear here
today and we will be happy to respond to any questions you may
have.
Senator Inhofe. Thank you, Mr. Swanson.
This has been much more positive than it was this morning
and we're all pretty optimistic right now.
Mr. Poje, you mentioned that the smaller and medium-sized
companies are the ones that probably have the greatest risk for
Y2K problems and that OSHA and EPA really haven't made any
special emphasis on these companies.
I'm the last one to advocate more regulation but do you
think they are doing enough?
Mr. Poje. I'd like to give you an example, Senator. Just
this past Friday, the Chemical Safety Board had to respond to
an incident that occurred in Allentown, PA, at a company called
Concept Sciences, Inc. Catastrophic failure at that facility, a
very small facility, fewer than 20 employees, killed five
workers and caused damages to 11 other businesses in the area.
The small businesses in the sense that I'm talking about
need to be more carefully considered perhaps than small
businesses in general because of their unique risk of handling
high hazard materials.
You asked the question about EPA and OSHA. Currently, there
are no plans for addressing individual facilities and assessing
their status for Y2K compliance from the two major regulatory
agencies. They do not have the staff, nor the wherewithal to
address that sizable portion of the chemical handling
community.
What we've been trying to do is work with our sister
agencies in making sure that we're getting as many alerts out
to people, that we are addressing the associations that need to
be addressed, to make sure they can encompass their total
membership in an awareness program around Y2K problems. It is
slow work, however, and we are approaching a 300-day deadline
before the turn of the century.
So I think there is much more that needs to be done and I'm
urging my other agencies to work with us to get relevant
information out there.
Senator Inhofe. Do you think there is a reluctance on
behalf of the smaller and medium-sized companies to seek help
from the EPA thinking that perhaps there might be an
enforcement fine or something they'd be subjecting themselves
to?
Mr. Poje. I think there is historically a distancing from
regulatory agencies for all businesses for good reason.
Oftentimes the interactions are very unfavorable or not
necessarily the most salutary ones.
On the issue of Y2K though, it is important for everybody
to recognize that there is no regulatory fix that can be
applied here. What we need right now is due diligence and
examples for how people can get into compliance.
The Board was graced with the due diligence and public
spiritedness of two major chemical corporations, Oxychem and
Rohm and Haas in sharing detailed analyses of how they attack
the Y2K problem. Those examples are ill-suited as examples to
provide to small- and mid-sized enterprises because they're of
such different size dimensions.
We've been seeking associations who might be willing to
share their best practices for addressing this issue with the
Board so that such information could be disseminated more
broadly to other parties. The risks from small- and mid-sized
enterprises do not necessarily scale down to zero as you reduce
the size of your economic or work force size in this arena of
chemical safety.
Senator Inhofe. I'd be asking all three of you this
question. What would your feeling be about some type of an
amnesty program to pull people out of their shells so they
would be less reluctant to seek help in advance?
Mr. Poje. The Environmental Protection Agency has already
put out a guidance on Y2K testing that would assure people that
if they're showing due diligence in testing their systems for
Y2K compliance, the EPA would look favorably on that activity
as a more important activity than enforcing an environmental
release prescription ordinance. They would want to make sure
that Y2K testing is proceeding because of the very large risk
both to the environment as well as to business continuity to
make sure that Y2K is being addressed in these businesses.
It's uncertain right now how that policy has penetrated
into the broad community of small- and mid-sized enterprises to
provide some sense of encouragement for addressing onto the
problem.
Senator Inhofe. Mr. Travers, as you know, this committee
has had a couple of oversight hearings and I think it's been
very productive in terms of the regulatory process and
certainly it's been helpful to us to learn more about what you
do, how you're doing it and how things are going in nuclear
energy.
It appears that our facilities are further along in their
Y2K plans than most industries. I'm glad that you focused on
safety first. As a whole, do you suspect there will be any
outages? Right now, we're dependent upon nuclear energy for
some 20 percent of our generation. Do you think there are going
to be any outages?
Mr. Travers. I would point out very briefly before
answering your question directly, that this approach the NRC
has been on has had the benefit of a very cooperative
arrangement with the nuclear industry. Certainly we have
developed what would be a necessarily independent strategy
should any safety systems be at issue. But, we have had the
benefit of a very cooperative engagement with the nuclear
industry organizations and utilities.
In specific response to your question, we're carrying out
our program with recognition that there is a broader question--
one that, strictly speaking, we do not have a regulatory
authority over. That is this question of grid reliability.
Our program, however, is being conducted with an
acknowledgement of the importance of grid reliability. In fact,
the industry itself has recognized the importance of this. The
guidance that the nuclear power industry is following and using
in preparing their nuclear plants for Y2K readiness
specifically includes a review of systems that transcend the
safety-related systems, those systems that are principally in
place and required to maintain safety.
Our program, in addition to that, in terms of the audits
that we're doing, is also reviewing systems that are not,
strictly speaking, safety-related systems. They are balance of
plant systems; they're the systems that would be required to
keep plants on-line and safely operating.
We have, in this regard, developed a strategy we think that
covers what is greater than normally our turf and certainly our
focus. We think we've done that in a way that will ensure that,
at least, nuclear power plants maintain their operational
status through Y2K. Nevertheless, as I mentioned earlier in my
testimony, we do have contingency plans to react in case there
are any problems that crop up.
Senator Inhofe. A minute ago, you talked about in June
there will be further reviews. Kind of elaborate a little bit
about what's going to take place then?
Mr. Travers. By July, we expect to have responses from all
nuclear power plants. The responses are required based on a
generic letter that was issued by the NRC.
Senator Inhofe. Of the 103, how many have you received so
far?
Mr. Travers. I'm not sure how many we've received, but
we've checked in as to where they stand. In fact, we've
completed our 12 audits that cover a variety of different types
of designs of plants, locations and so forth. So we've been
looking at the safety systems and the systems that would be
necessary to keep the plants operational through Y2K.
Senator Inhofe. Do they all give you assurances at this
point that they're going to be ready by that time?
Mr. Travers. In fact, they indicate that most plants are on
target to meet the July 1 deadline. A number of plants think
they may be challenged. I think we have upwards of about 18
plants who have indicated that they may need some additional
time. Nevertheless, if they're not Y2K ready on July 1, they
need to report to NRC with a schedule and the specifics of what
needs yet to be done. At that point, and by September 1999, the
NRC expects to be in a position to make judgments about any
further regulatory actions that might need to take place on a
plant-specific basis.
Senator Inhofe. Having served with Congressman Horn--we
called him Professor Horn at that time--it's very unusual to
extract an ``A'' from him on anything. Explain a bit more about
this report?
Mr. Travers. Timing is everything and in this case, we are
very pleased to be here today because it was just a few days
ago that Congressman Horn's report came out.
As you know, it's fundamentally based on the internal
systems at NRC and their readiness, mission critical, business
essential and so forth, to be Y2K ready. We have completed all
of our systems, not just the mission critical systems, and we
have declared them Y2K ready, so we're very pleased to be here
today to report that to you.
Senator Inhofe. Mr. Swanson, explain to me and maybe some
of the others that didn't really understand this 99th day, the
drill dates you have, 99th day and September 1999? Who all
participates in this drill and what are you accomplishing with
this?
Mr. Swanson. In the April drill, the 99th day of 1999, some
computer programmers think you may trigger some end of file
codes in old Fortran programs. I used to write Fortran
programs, so that may be the case but we'll just have to see.
The point of the April drill is to go out in the field and
make sure if we do have a failure in our telecommunications
capabilities, we have, for instance, remote terminal units in
the field, in the distribution system. A medium-sized utility
may have a couple of hundred. We have metering points at each
of these substations. The energy management system for a
utility needs to know what the load is out in the field and
they get that information back through local telecommunications
providers, through local telephone lines back into places where
it's brought back to the utility, analyzed and managed.
If we don't have that capability, we're flying blind. So we
will be putting people in the field with backup communications
equipment who know what the metering point is and is supposed
to do, can extract the information from that location and
through the backup communications, get it back into the system
so that we're not flying blind. That's the April test.
We will not be adjusting our system in any way. We won't be
reducing generation, we won't be changing generation, we won't
be changing any of the existing operating parameters. We'll
just be using this as a test of our backup capability.
In September, it's a different story. Here what we're
trying to put together is more of a real dress rehearsal. This
is expected to be a fairly--it could be in some areas,
depending on the temperature, a fairly heavy load day. We will
be looking at how we can dispatch generation, the kinds of
issues that may come up in January that we can test during this
particular configuration. We don't expect that September 9 is
going to cause us any programs because of the date itself, but
it might and it's a convenient place for us to be ready just in
case it does.
We will also be looking at coordinating very closely with
the natural gas, the telecommunications industry specifically;
we're thinking about bringing in the emergency management
authorities in the communities and States because it's
important for them to be aware of and tied to the kind of
testing and work that we're going to be doing. We're going to
try to make it as close to a real dress rehearsal for the Year
2000 conversion as we can.
We're not done planning for that. A lot of the planning
that we'll be doing for that will be driven by some of the data
that is still going to be developed, the issues that come up as
we have more consultations with the other critical
infrastructures and emergency planning folks that we need to be
and are undertaking now.
Senator Inhofe. This morning at our hearing, we had both
DOD and intelligence with their charts projecting at what point
we are today, when we're going to reach there. Did I understand
you correctly when you said 60 percent of your equipment has
been tested?
Mr. Swanson. Yes. The latest monthly data we had was 57
percent and since we're halfway through another month, that's
been kicked up some, so we are probably at or around 60 percent
or maybe a little more right now.
Senator Inhofe. Projected forward from here?
Mr. Swanson. The orders that we are giving to and that have
been accepted by our member companies is that all equipment has
to be remediated and tested by May 31 and that all systems have
to be declared ready by June 30.
We know there are going to be generating units that are
going to be in fall outage testing and remediation. So if a
company is not able to declare that it is 100 percent ready by
June 30, it has to tell us which facilities are going to be on
an exceptions list and when that testing will be done so that
we can tell you and we can tell our customers exactly how we
stand and in terms of our readiness on June 30.
Senator Inhofe. But you're optimistic now that you're on
track to be in compliance on the day?
Mr. Swanson. Yes, that's right.
Senator Inhofe. How about the rest of you, the other two,
as of today, are all the facilities around the country within
your specific area on track for responding?
Mr. Poje. Senator, I wish I could say that we had
surveillance data on the chemical sector, but there isn't. The
Chemical Manufacturers Association, which represents perhaps 90
percent-plus of the chemical manufacturing in this country,
their membership, 192 members represents that sizable
productive capacity, they have issued a survey request to their
membership. Of 192 members, 100 have responded and they've
gotten additional information off the websites. Within a week
or two we should have a report available about their
membership.
But, their membership is not the totality of the chemical
handling sector. There are many smaller associations, there are
many people who do not produce chemicals but use them and use
them in highly automated systems that will have embedded
systems-
related problems. We have no information to assess their
status.
The anecdotal information provided to us by vendors of
automation equipment indicates that there can be some
significant problems associated with these smaller enterprises
and there is no surveillance program right now to provide us
with an answer to their status. So we are in a different and
somewhat data-deficient state in the chemical sector as
compared to the nuclear sector or compared to the electrical
utility sector.
The sector itself is extraordinarily heterogeneous with
types of processes and sizes of companies that it is perhaps a
more difficult sector to assess and surveil.
Senator Inhofe. Is there anything you can think of that can
be done?
Mr. Poje. I know a number of small associations met last
week at the Chemical Manufacturers Association and they are
beginning their own surveillance. Whether that's sufficient for
meeting the total needs of the sector is uncertain, but it
certainly is very good news for those particular smaller
chemical repackagers, distributors, chemical handlers. Because
in doing such, they will provide an awful lot of alerting of
their individual members to the importance of the Y2K problem.
Senator Inhofe. Mr. Travers, I assume that you are on
schedule and satisfied.
Mr. Travers. Mr. Chairman, if I might make two comments.
We are on track and I'll discuss that both in terms of our
program and perhaps more importantly the utilities program just
briefly.
We have, as I indicated, completed the audits that we
intended, the 12 audits. We intend to follow that through by
carrying out some additional reviews at all sites. That's going
to begin in just a month or so and be completed by July.
Our licensees give us every indication, and the audits
confirm it, that they are on track to respond to our generic
letter by July 1, including submission of the fact they've
carried out their contingency planning.
I may be able to give you a little bit of extra information
that has been provided to us from the nuclear industry. It
indicates that they have divided their efforts into four
different parts, one being an initial assessment and all
nuclear power plants have completed an initial assessment of
their Y2K readiness.
The percent completion of what they term their detailed
assessment, the readiness of their systems, is on average 92
percent complete. They have indicated that 53 percent of the
industry has completed this detailed assessment, so 92 percent
has to do with the number of sites.
Remediation for their own tracking is on the order of about
90 percent, so the next category is once you find the problem,
how do you address it and remediation is the technique. They've
indicated of the problems they found, they have already
addressed something over 90 percent.
Essentially, the short answer to your question is, they and
we are on track.
Senator Inhofe. Good. This morning during the DOD approach
to this problem, it came across that while we're going to be
able to make it from our end of it and what we have control
over, however, we are impacted by the fact that some countries
are not in a position to do what we're able to do. The obvious
case would be Russia which doesn't really have the resources or
the inclination to do what we're doing and some of the things
in terms of warning systems might not be in compliance which
would impact us over here. So we're having to deal with that.
From any of your perspectives, is there a problem you see
from other countries not being able to do this that would have
any kind of impact on us?
Mr. Poje. Certainly from the petrochemical perspective, an
enormous amount of U.S. petrochemical feedstock products,
petroleum, are coming from other countries. So we do have a
very strong vested interest in assuring that supply continues.
I know there's been some discussion about maintaining the
strategic petroleum reserve as a way of assuring that we are
protected in such a circumstance.
The situation amongst the chemical manufacturing, handling
and using sectors also provides the recognition that there is
an extraordinary interdependence among each other and that some
companies may require small amounts of various essential
ingredients in order to continue their business. It's a major
issue assuring that the just in time delivery systems are going
to work; that is also quite important to assuring the
preservation of business continuity. So there is a fair amount
of discussion about the supply chain problems and how to assure
those that are upstream and downstream can guarantee it.
Dan Dailey, who is the facilities manager for Oxychem, used
the expression that ``One can as easily die of starvation as
you can die of constipation.'' It's very important that many of
these facilities know that they can meet the input of feedstock
chemicals and guarantee that their customers are going to
receive it because there is no capacity for on-the-scene
storage for a long period of time waiting for that delivery to
your downstream community.
This is a very significant concern and there is a fair
amount of connection now between single companies and their
suppliers and customers. That also is an area that we are
hopeful could be the venue within which to alert small- and
mid-sized enterprises about how they can comply with Y2K-
related problems.
Senator Inhofe. Any other comments?
Mr. Travers. Yes, Mr. Chairman. There certainly is some
concerns about the extent of identification and remediation of
Y2K systems in other countries. For the most part, it's our
understanding that Western Europe, Japan and some of the more
economically developed countries have largely addressed Y2K
problems at nuclear power plants in a fashion similar to what's
happening in the United States.
I might point out at a recent meeting of the International
Nuclear Regulators Association, which is chaired by Chairman
Shirley A. Jackson, that organization, which encompasses eight
countries--the United States, Canada, France, Germany, Japan,
Spain, Sweden and the United Kingdom--did emphasize a concern
regarding the results or the readiness in some countries.
To emphasize that concern, they have urged officials in the
former Soviet Union and the Ukraine to address these Y2K
issues. Whether or not those problems could affect us, I can't
say. There is certainly some potential for that. We have been
working with the international community to certainly emphasize
the need to address these issues in a strong way.
The United Nations conference, which was held recently,
expressed a similar concern. I think the International Nuclear
Regulators Association wanted to reemphasize the concern that
was expressed at the recent conference at the United Nations.
In our contingency planning, we are looking at obtaining
early information from countries that are some 14 or 13 hours
ahead, including Japan and North Korea, about any problems they
may encounter in the transition to the Year 2000. We have a
means available to understand that information and to try to
learn from it and be able to react to it in advance of the
change in millennium.
Senator Inhofe. That's interesting. You mean those that are
ahead of us on the time scale, in that very short time period,
you think that would offer enough time for a warning? Can you
give an example of what could happen?
Mr. Travers. It very well could. At the very least, it
would put us in a position to understand what the problem was
to an extent, whether it be a communication problem. For
example, in the area of communications, the NRC is establishing
satellite backup communications at all nuclear power reactor
sites. It's hard to say what lesson we might learn from a 13-
hour or so advance, but we think there is an advantage to
trying our best to understand what does happen, if anything,
and to see how quickly we can either implement a fix, which may
be less likely than putting in place an ability to react to it
so that it doesn't affect us in a fundamental way.
Senator Inhofe. We'll hope communications doesn't break
down that day.
Mr. Swanson.
Mr. Swanson. Three quick points. North America is being
treated as an operating entity from our point of view and
Canada and the United States are working together on the
readiness assessment for all of the North American electric
systems.
Second, many of the investor-owned utilities and other
electric energy companies have businesses overseas. From what
I've been able to tell, at least the ones I've talked to
informally, they're treating their overseas facilities just
like they treat their domestic, they're giving them the same
readiness assessment and remediation and testing.
They are doing that for a couple of reasons. One is they
want to make sure they're there and ready to operate for their
customers. They also want to be seen in that country as being a
reliable supplier. So they've got both a business and a
political issue they want to cover thoroughly and completely in
the country where they're doing business.
They obviously have their business affected if the grid
breaks down. They are in the process of working through that
issue within each of the jurisdictions or countries in which
they operate.
The third point I want to make is what Mr. Travers just
mentioned but from a slightly different perspective. We're
operating right now on an issue which is what confidence do our
customers have in our ability to meet our cautious and probably
growing optimism? Are we really going to be there and do they
need to do something just in the case we're not going to be
there.
I get worried about if problems develop in the Pacific Rim
and in the 13 hours notice that we have, we start to have
companies dropping, making plans or executing plans to drop off
the system. Panic is exportable, panic is instantly available
around the world and I get very worried that we're going to be
looking at a very uncertain load situation as a result of
potential failures overseas.
That doesn't say that they are going to be there but if it
happens, I am concerned that it can have an effect here. That's
put an additional burden on us and a lot of our customers like
the chemical manufacturing companies to deal with that up front
and make sure we understand our situation here and deal with it
specifically on its own terms.
Senator Inhofe. You've all indicated things you're going to
be doing between now and the end of the year and I would ask
that you keep us informed so that we have kind of a
clearinghouse here so we can know of problems and also if there
are governmental agencies that would be in a position to be
more cooperative, if you let us know, we might be able to
assist you in that. Yes?
Mr. Swanson. That reminded me I did want to make one
comment on the EPA amnesty issue. We've been working, as Mr.
Poje's folks have, with the EPA on this and it's an important
question for us. We think the work we're doing is important and
we think it's being done in the public interest.
We're a little concerned about it being an enforcement-
related action. I think we all need to understand that when a
power plant is operating and the environmental control
equipment goes down because of a Y2K failure, for instance,
that affects the operation of that plant. The plant may well
come off line because we can't balance its operation of that
plant without the environmental control equipment operating.
We'd be glad to provide more information to you in that
regard but I think raising the issue with EPA, in a
constructive way as we are doing, would be very helpful to all
of us.
Senator Inhofe. That is essentially what we're talking
about doing.
Mr. Poje. I think on this issue of talking about the
interrelatedness between two sectors of the economy, it becomes
very important to understand how to maximize safety in this
arena. It does no good to have chemical handling facilities
operate with a degree of insecurity about how their plants will
function. We've seen a much higher incidence of catastrophic
failure associated with shutdown and with startup procedures.
Facilities, for their own insecurities and contingencies
about their own plans, whether they haven't met their plans and
need to assure themselves that they stay shutdown, it becomes
very important that information is communicated in an
accelerated way to the utilities and that the utilities
themselves take some responsibility for polling major consumers
of power to be assured they will operate according to the
anticipated plan of operation to maintain integrity of the
grid.
Senator Inhofe. As providers, do you have any comment about
that?
Mr. Swanson. Yes, I do. Mr. Poje is right. One of the
things which has characterized the meetings between industries
so far is far too much focus on assurances. What we're going to
be working very hard on is to make sure it's the engineers and
technicians and project managers for Y2K remediation and
testing that are really brought into the discussion and if you
talk about equipment, that you don't talk about written
assurances or even verbal assurances. You talk about what
you're doing and everyone has to get a sense of confidence in
the integrity and the thoroughness of the program and the
incentives on both sides to do it right.
We had a lot of discussions this week with our State
regulators who are meeting here in Washington. They are very
much interested in getting in the middle of that as well, for
the same reason, which is that they need to get a sense of
confidence of whether we're doing the right thing or not. They
can't tell from paper. They need to look at the process live
and see how it's working.
I think that's what we need to get going between our
companies: have face-to-face meetings, go to facilities, talk
to the engineers, look at the equipment, and share information.
I think that can really work and work well.
Mr. Poje. I think the one advantage here is, I think
everybody is talking about contingency planning. It is very
important that at some level those contingency plans be shared
across sectors and to look at the intersector relatedness to
make sure there is explicit elements in such plans for doing
this across sectors.
Senator Inhofe. What vehicle should be used to accommodate
that?
Mr. Poje. I know the vehicle that the Board was persuaded
to use because of our own deficient nature, we operate with
fewer than 20 full-time employees at our institution, so
compared to our sister entities here, we are small. The only
way we could glean an understanding of this issue was by
bringing in the technically expert people from that vast array
of stakeholders.
It was the first time that many of them had been in the
same room, and able to talk across their stakeholder community
of insurance companies or industrial facility managers, or
worker perspectives. That expert meeting was a refreshing place
within which to crystallize where are the real risks, what are
the real problems and how do we get on to solving them very
quickly.
I certainly would champion Mr. Swanson's statement to you--
get face-to-face meetings and get the technically expert people
talking about the technically complicated issues so that we're
not driven by a generalized anxiety. That won't solve any
problems.
Mr. Travers. Mr. Chairman if I could just correct one thing
I said for the record. While the remediation efforts of the
nuclear power plants are on track, I misread a chart. The
average currently at least is 53 percent of systems at 66
sites, safety and other systems, have been remediated and they
are working towards completing those by July 1 or shortly
thereafter, 53 as opposed to 60 as opposed to 90 which is quite
a different number. I apologize for that.
Senator Inhofe. I would like to have you keep us informed
as time goes by and to look at us as a resource to be helpful,
that's what we want to be, and we almost set a record and had a
meeting under 1 hour but didn't quite make it.
I appreciate very much your taking the time to come here
and testify. We look forward to staying informed as your
progress continues.
We also would like to have any input you have that we could
share our knowledge with the governmental agencies and try to
be a support group for you.
We're adjourned.
[Whereupon, at 3:18 p.m., the subcommittees were adjourned,
to reconvene at the call of the chair.]
[Additional statements submitted for the record follow:]
Statement of Gerald V. Poje, U.S. Chemical Safety and Hazard
Investigation Board
Good afternoon, Mr. Chairman and distinguished members of the
Subcommittee. I am Gerald V. Poje, Ph.D., one of four members of the
U.S. Chemical Safety and Hazard Investigation Board (CSB) nominated by
the President and confirmed by the U.S. Senate. Today I appear before
you at the behest of our Chairman, Dr. Paul L. Hill, Jr. to whom you
addressed your request for testimony from our agency. Dr. Hill and I
thank you for inviting the CSB to testify regarding this critical
issue.
The Chemical Safety Board is an independent Federal agency with the
mission of ensuring the safety of workers and the public by preventing
or minimizing the effects of industrial and commercial chemical
incidents. Congress modeled it after the National Transportation Safety
Board (NTSB), which investigates aircraft and other transportation
accidents for the purpose of improving safety. Like the NTSB, the CSB
is a scientific investigatory organization. The CSB is responsible for
finding ways to prevent or minimize the effects of chemical accidents
at commercial and industrial facilities and in transport. The CSB is
not an enforcement or regulatory body. Additionally, the CSB conducts
research, advises Congress, industry and labor on actions they should
take to improve safety, and makes regulatory recommendations to the
U.S. Environmental Protection Agency and the U.S. Department of Labor.
I am a specialist in toxicology and policies dealing with chemical
hazards. I oversee the board's efforts on reducing risks of accidents
associated with Year 2000 computer problems. Currently, I work with the
Intergovernmental Forum on Chemical Safety and the Organization for
Economic Cooperation and Development to promote global remediation and
contingency planning concerning Y2K problems.
background
The U.S. Chemical Safety and Hazard Investigation Board at the
request of Senators Bennett and Dodd of the U.S. Senate Special
Committee on the Year 2000 Technology Problem has investigated the
issues of chemical safety and the Year 2000 computer technology
problem. On December 18, 1998, our board convened an expert workshop on
``Y2K and Chemical Safety,'' involving leaders from industries,
equipment vendors, insurance companies, regulatory agencies, research
agencies, universities, labor organizations, environmental
organizations, trade associations, professional engineering
associations, and health and safety organizations. The CSB has
continued the dialog with the participants over the last 2 months. I
recommend the process of our safety board's efforts for addressing
other critical issues associated with the Year 2000 technology problem.
The board members are completing review and approval for the final
draft report, and our staff is currently formatting that document. We
will soon release the report to the Special Committee and it will be
available at the Chemical Safety Board's website: http://
www.chemsafety.gov.
The Senate Special Committee requested evaluation of:
the extent of the Year 2000 Problem as it pertains to the
automation systems and embedded systems that monitor or control the
manufacture of toxic and hazardous chemicals, or safety systems that
protect processes,
the awareness of large, medium, and small companies within
the industry of the Year 2000 threat,
their progress to date in addressing the Year 2000
problem,
the impact of the Year 2000 technology problem on the Risk
Management Plans required in June 1999, and
the role Federal agencies are playing in preventing
disasters due to the Year 2000 problem.
Synopsis
The Year 2000 Problem is a significant problem in the chemical
manufacturing and handling sector posing unique risks to business
continuity and worker and public health and safety. According to the
U.S. Environmental Protection Agency, 85 million Americans live, work
and play within a 5-mile radius of 66,000 facilities handling regulated
amounts of high hazard chemicals. The CSB has developed the following
findings from our investigative efforts:
Large enterprises with sufficient awareness, leadership,
planning, financial and human resources are unlikely to experience
catastrophic failures and business continuity problems unless their
current progress is interrupted or there are massive failures of
utilities.
The overall situation with small- and mid-sized
enterprises is indeterminate, but efforts on the Y2K problem appears to
be less than appropriate based upon inputs from many experts.
While the impact of the Risk Management Plans should be
positive, there are no special emphases or even specific mention of
Year 2000 technology hazards in either U.S. Environmental Protection
Agency or Occupational Safety and Health Administration regulations
regarding process safety.
Federal agencies are aware of and involved in Year 2000
technology and chemical safety issues. However, significant gaps exist,
and there do not appear to be specific plans to address these gaps.
Scope of Issues
The Expert Workshop as well as the research conducted for our
report concluded that the Year 2000 (Y2K) problem is one of major
proportions and has the potential for causing disruption of normal
operations and maintenance at the nation's chemical and petroleum
facilities. It is important to point out that Y2K compliance activities
reported to the Chemical Safety Board to date have not found a single
failure (embedded microchips or software) which by itself could cause a
catastrophic chemical accident. However, it is unclear what the outcome
might be from multiple failures, e.g., multiple control system
failures, multiple utility failures, or a combination of multiple
utility and control system failures. Surveillance of the industrial
sector that handles high hazard chemicals is insufficient to draw
detailed conclusions regarding Y2K compliance efforts.
One theme upon which experts agree is that failures from Y2K
noncompliance at small- and mid-sized enterprises is more likely. The
reason is a lack of awareness regarding process safety in general and
the Y2K impact in particular, lack of resources, and technical know-how
for fixing the problems. Given the time constraints, altering this
situation requires a massive effort. The Board has concluded that this
effort should focus on: (1) providing easy-to-use tools, (2) promoting
accessible resources, and (3) providing attractive incentives for Y2K
compliance efforts. Additional efforts should be the focus of an urgent
meeting of agencies convened by the administration.
The potential for catastrophic events, at U.S. chemical process
plants, stemming from Year 2000 non-compliance, can be divided into
three categories: failures in software or embedded microchips within
the process plants, external Y2K-related problems (e.g., power
outages), and multiple Y2K-related incidents that may strain emergency
response organizations. A check list of devices to be assessed for Year
2000 compliance at a chemical plant and the consequence of their
failure is identified in Appendix A.
The limited scope of the Y2K Expert Workshop and the research
conducted for this study concluded that large multinational companies
are, in general, following a well-thought out and well-managed path
toward Y2K compliance. These multinational enterprises have, in
addition to their Y2K compliance efforts, made contingency plans,
including, in some cases, plans to shutdown batch operations for
limited periods at the turn of the century.
I have appended the PowerPoint presentations regarding approaches
to managing this issue from two major chemical manufacturers: Appendix
B from the OxyChem corporation and Appendix C from the Rohm & Haas
company. Both companies have demonstrated significant leadership by
sharing their information within the industry and with many others.
Many more examples of facility-specific Year 2000 compliance efforts
are urgently needed.
These conclusions vis-a-vis large and multinational companies
should not be construed to mean that there is no potential for Y2K-
related catastrophic events at these facilities. It is possible that
some Y2K-impacted components may not have been identified, compliance
programs may not achieve 100 percent completion in time, or multiple
failures that may not have been considered may result in accidents.
The major control and instrumentation vendors canvassed in this
study are involved in an extensive program to provide Y2K compliance
for their products. There is, however, reason to believe that some
independent control systems integrators may have developed and
implemented control systems for which there is little or no
documentation of Y2K-related vulnerabilities. In addition, some vendors
are no longer in business or not as cooperative as the major control
and instrumentation vendors.
EPA's Risk Management Program and OSHA's Process Safety Management
program mandated by the Clean Air Act Amendments of 1990 may provide
significant benefit in terms of improving overall safety programs,
reliability of chemical process plants, emergency response plans, and
other programs. As a result, the overall capability and readiness of
the chemical process industry to deal with and effectively overcome the
Y2K threat is very high. However, it must be pointed out that none of
these regulatory programs or activities have any direct relationship
with Y2K compliance.
Instituting new regulations to standardize testing or certification
is not a reasonable approach for three reasons. First, in the remaining
time, it is not possible to develop the mechanism and logistics needed
for rulemaking, standard development, and establishment of reporting
procedures. Second, implementation of any standardized method or
regulation may cause penalties and unnecessary complications for many
companies that do not fit the selected standard but have already
expended an extensive amount of effort on Y2K compliance. Third, it is
critical to minimize overall administrative efforts in order to focus
available resources on the remedial efforts within this limited
timeframe. This should not be construed to minimize the need for
independent verification and validation of Year 2000 compliance
programs and contingency planning.
Priority Issues and Findings
Special Expert Workshop attendees reached consensus on the
importance of four issue areas related to Y2K problems and chemical
safety: (1) Small- and medium-size enterprises (SMEs) risks and needs,
(2) Risk management programs and their applicability, (3) Utility
continuity, and (4) Responsive communication among the stakeholders.
The following findings were developed based on input from the workshop
attendees and research conducted during this study.
1. Small- and Mid-sized Enterprises (SMEs)
The Y2K Expert Workshop members were quite concerned about Y2K
failures at SMEs, particularly since their risks to public health and
safety can be quite significant. Multinational companies and other
organizations may be willing to make available Y2K information and
tools to SMEs. However, this willingness is tempered by concerns about
legal liability to individual companies or trade associations that
contribute the information. For example, if Y2K checklists or tools are
made available through a website used by an SME, and yet that SME still
has a Y2K problem for whatever reason, could the SME sue the
information provider? SMEs also have lesser access to associations that
have helped larger corporate entities become educated on safety issues.
The experiences with some SMEs on other issues seems to indicate that
in order to be useful, the information provided has to be very detailed
and specific to the SMEs.
However, large businesses and even SMEs have restructured and thus
may have fewer resources to devote towards time limited technical
problems. To compound the problem, trade associations have also
undergone restructuring and as a result may not have the resources
needed to serve their membership.
2. Risk Management
There is a general consensus that facilities doing an effective job
in managing their risks should not see any major health and safety
problems. Risk management generally consists of a variety of programs
and activities to assess and manage risks. To be fully effective, these
programs must be implemented with the complete involvement of the
management, labor, and local responders. Risk management also includes
the utilization of best practices (e.g., equipment, procedures,
auditing, testing, and certification), adherence to industrial and
professional society standards, and compliance with applicable
regulations. The chemical processing industry has practiced these risk
management principles for a long time. However, the Y2K issue will test
the existing system of safety, and failure may engender review of
policy issues as well as review of industrial programs and practices.
3. Utility Continuity
A major concern of the participants at the Y2K Expert Workshop was
that the main threat to facilities could be from external failures,
such as electrical, natural gas, water and waste water utilities. Many
members of the chemical process industry are concerned about the
reliability of electric power supply and are seeking ways to assess the
vulnerability of their specific utility.
For some managers of facilities that draw high power loads prudent
safety practice may determine that the plant be shut down during
critical time periods and restarted at a later date. However, such
decisions should not be made without communicating these planned
actions with their utilities in order to prevent problems on the power
grid.
4. Responsive Communications among Stakeholders
Communication and trust between stakeholders is of tremendous
importance in resolving Y2K related problems. Stakeholders, in the
context of chemical safety, include: corporate and facility managers,
operators, other workers, vendors, equipment manufacturers, unions,
trade associations, regulators, non-regulatory agencies, emergency
responders, insurance companies, community organizations and
environmental organizations. Stakeholder communication has various
dimensions.
While logistic and timing problems may prevent a regulatory
approach for assuring Y2K compliance, voluntarily communicating
accurate and relevant information to the public on the status of Y2K
compliance is essential. Given the extent of work being done for Y2K
compliance, this communication will avoid creating chaos and panic,
allay public fears and promote rational behavior. Contingency planning,
risk management, and decisions concerning shutdown must also involve
communication among stakeholders.
Equally as important is the communication between different
companies, both large and small, and communications across sectors of
the economy. The complex interdependency of modern society assures that
all entities have a stake in the Y2K efforts of others. The sharing of
information and building experience has a much greater chance of
reducing or even completely eliminating the catastrophic threat of Y2K-
related failures. Historically, safety-related issues have been
addressed on a non-competitive basis, and the safety-related Year 2000
issues should follow the same path.
Knowledge is key to responsive communication. Public agencies and
the private sector already support training and education for chemical
managers, workers and Hazardous Materials (HAZMAT) emergency responders
through programs which tailor training modules to specific targeted
groups of responders at the awareness, operations, technician and
specialist levels. Y2K contingency planning and responsive
communications should be enhanced through training and education
efforts developed to address the challenges of Y2K related incidents
and scenarios.
Summary
In summary, the Year 2000 technology problem is a significant
problem in the chemical manufacturing and handling sector posing unique
risks to business continuity and worker and public health and safety.
Large enterprises with sufficient awareness, leadership, planning,
financial and human resources are unlikely to experience catastrophic
failures and business continuity problems unless their current progress
is interrupted or there are massive failures of utilities. The overall
situation with small- and mid-sized enterprises is indeterminate, but
efforts on the Y2K problem appears to be less than appropriate based
upon inputs from many experts. Federal agencies are aware of and
involved in Year 2000 technology and chemical safety issues. However,
significant gaps exist, and there do not appear to be specific plans to
address these gaps.
Statement of William D. Travers, Nuclear Regulatory Commission
introduction
Mr. Chairman, members of the Committee, I am pleased to be here
today on behalf of the Commission to discuss with you the status of the
U.S. Nuclear Regulatory Commission (NRC) response to the potential Year
2000 computer problem, particularly as it pertains to nuclear power
plants. Our efforts can be divided into three basic areas: our actions
internal to the NRC, our interactions with our licensees and the
nuclear power industry, and our broader interactions, both nationally
and internationally.
All 88 of NRC's mission-critical, business essential and non-
critical systems have been examined and as needed, fixed with regard to
the Year 2000 problem. In all, a total of 42 of 103 operating nuclear
power plant units were associated with the Y2K readiness program audits
of 12 utility licensees. Based on the results of these audits, we have
concluded that the audited licensees are effectively addressing the Y2K
problem and are taking the actions necessary to achieve Y2K readiness
per the Generic Letter 98-01 target date. Further, the audits have
verified that the NEI/NUSMG guidance is sufficient. We have not
identified any issues that would preclude licensees from achieving Y2K
readiness. Finally, we are actively involved in promoting awareness of
the Year 2000 problem internationally.
actions internal to the nrc
I am pleased to tell you that as of February 5, 1999, all 88 of
NRC's mission-critical, business-essential and non-critical systems
have been examined and, as needed, fixed with regard to the Year 2000
(Y2K) problem. This work was accomplished more than a month ahead of
OMB's established milestone and well under budget.
As part of this effort, we analyzed and identified embedded chip
systems at the NRC and made necessary upgrades or replacements to make
them Y2K compliant. Also, we worked with our data exchange partners and
repaired, validated, and implemented those systems requiring changes.
All work necessary to ensure that 100 percent of our
telecommunications infrastructure is compliant or not affected by Year
2000 issues has been completed. Our telecommunications service
providers have been contacted to determine their plans to achieve Year
2000 compliance. All have responded that they are compliant or will be
compliant by mid-1999. The one (NRC) mission-critical system that is
directly linked to operating nuclear power plants is our Emergency
Response Data System (ERDS). This application performs the
communication and data transmission functions that provide near real-
time data to NRC incident response personnel during declared
emergencies. We have verified that this system has been made Y2K
compliant and that the interface of the system with licensed facilities
is functional.
nrc actions with licensees
Since 1996, the NRC has been working with nuclear industry
organizations and licensees to address the Y2K problem. To ensure that
senior level management at operating U.S. nuclear facilities was aware
of the Y2K problem, the NRC issued Information Notice (IN) 96-70,
``Year 2000 Effect on Computer System Software,'' on December 24, 1996.
The Notice 96-70 described the potential problems that nuclear facility
computer systems and software might encounter during the transition to
the new century. All U.S. nuclear power plants, fuel cycle facilities,
and other material licensees were provided with copies of this
document.
In 1997, the Nuclear Energy Institute (NEI) agreed to take the lead
in developing industry-wide guidance for addressing the Y2K problem at
nuclear power reactors. In November 1997, NEI issued a guidance
document to all U.S. nuclear power plant licensees, entitled ``Nuclear
Utility Year 2000 Readiness'' (NEI/NUSMG 97-07).
In Generic Letter 98-01, issued May 11, 1998, the NRC accepted the
NEI/NUSMG 97-07 guidance as an appropriate program for nuclear power
plant Year 2000 readiness and requested that all operating U.S. nuclear
power plant licensees submit written responses regarding their
facility-specific Y2K readiness programs in order to obtain
confirmation that licensees are addressing the Y2K problem effectively.
Thus far, all licensees have responded to GL 98-01 stating that they
have adopted plant-specific programs, similar to that outlined in the
NEI/NUSMG 97-07 guidance document, that are intended to make the plants
Y2K ready by July 1, 1999.
Similarly, Generic Letter 98-03 was sent to fuel cycle licensees
and certificate holders requesting written confirmation of
implementation of their Year 2000 Readiness Program. Further,
facilities were requested to provide written confirmation that the
facilities are Y2K ready and in compliance with the terms and
conditions of their license/certificate and NRC regulations. All
facilities have confirmed implementation of their Year 2000 Readiness
Program. All facilities are scheduled to be Y2K ready in October 1999.
Generic Letter 98-01 also requests a written response, no later
than July 1, 1999, confirming that these facilities are Y2K ready.
Licensees who are not Y2K ready by July 1, 1999, must provide a
schedule for remaining work to ensure timely Y2K readiness. The NRC
will assess these responses and, by September 30, 1999, determine the
need for further plant-specific regulatory actions. Should the NRC
identify a situation where the Y2K problem results in a licensee being
in noncompliance with the plant license or NRC regulations, appropriate
regulatory action (e.g. a shutdown order) will be taken as necessary.
Based on the results of our audits (as discussed below), licensee
management oversight of the Y2K readiness programs has generally been
aggressive and is contributing to the success of nuclear power plant
Y2K readiness efforts. Licensees are devoting the necessary resources
to their programs to meet their readiness schedules. At a recent
February 11, 1999 Commission meeting on the Year 2000 issue, the
Nuclear Energy Institute (NEI) informed the Commission that all 66
power reactor sites will carry out an audit of their Year 2000
readiness activities. Specifically, NEI stated that 54 sites have
completed internal Year 2000 quality assurance audits, 33 sites have
completed cross utility audits, and 43 sites have completed third party
audits. Moreover, the continued sharing of work and information through
owners groups and utility alliances is aiding in proper Y2K readiness
program implementation.
As with other aspects of plant operation, we provide independent
oversight and respond when appropriate to ensure adequate protection of
public health and safety. Our oversight processes rely on the
recognized ability of our licensees to complete critical self-
assessments and initiate appropriate corrective actions.
Notwithstanding the comprehensive industry Y2K efforts, we have
recognized the importance of providing an appropriate level of NRC
oversight of Y2K preparations at nuclear power plants.
NRC resident inspectors who are assigned to all power reactor sites
will carry out reviews of licensee Y2K readiness activities. In
addition, since last September, the NRC staff has conducted 12 planned
sample audits of nuclear power plant licensee Y2K programs. These
audits were completed in January 1999. The results of these audits have
been documented in NRC-issued audit reports which are available on the
NRC website and have been discussed at industry workshops. We also plan
to communicate a summary of our observations and lessons learned
through the issuance of an information notice.
The NRC staff selected a variety of types of plants of different
ages, vendor design, and locations in this audit sample in order to
obtain the necessary assurance that nuclear power industry Y2K
readiness programs are being effectively implemented and that licensees
are on schedule to meet the readiness target date of July 1, 1999,
established in Generic Letter 98-01. The licensee sample audits
included large utilities such as Commonwealth Edison and Tennessee
Valley Authority as well as small, single reactor licensees such as
North Atlantic Energy (Seabrook) and Wolf Creek Nuclear Operating
Corporation.
These findings are consistent with those recently reported by the
Department of Energy in the January 11, 1999, report prepared by the
North American Electric Reliability Council on the status of Y2K
readiness of the electric power grid.
To date, the NRC staff has not identified or been apprised of any
Y2K problems in nuclear power plant systems that directly impact
actuation of safety functions. The majority of commercial nuclear power
plants have protection systems that are analog rather than digital or
software-based and thus not impacted by the Y2K problem. Errors such as
incorrect dates in print-outs, logs or displays have been identified by
licensees in some safety-related devices, but the errors do not affect
the safety functions performed by the devices or systems. Most Y2K
problems are in non-safety systems such as security systems and plant
monitoring systems which support day-to-day plant operation but have no
functions necessary for reactor safety. In addition, through site
visits and surveys NRC continues to monitor the security systems at
reactors and does not expect any Y2K problems following licensee
actions in this area. These systems are being addressed in the licensee
Y2K readiness programs consistent with the industry guidance and the GL
98-01 schedule.
In NRC Generic Letter 98-01, it was also noted that despite the
best of efforts to achieve Y2K readiness, unanticipated problems
(particularly events external to a plant) could occur and disrupt
continued plant operation. Therefore, contingency plans are needed to
address potential unanticipated Y2K problems. To address this need, in
August 1998 NEI issued another guidance document, ``Nuclear Utility
Year 2000 Readiness Contingency Planning,'' (NEI/NUSMG 98-07) which is
being incorporated into Y2K readiness programs by all U.S. nuclear
power plant licensees. These detailed plant-specific Y2K contingency
plans also are scheduled to be completed by July 1, 1999.
As a result of the 12 sample audits, we have concluded that, in
general, licensees began to develop contingency plans late in the Y2K
preparation process. As a consequence, we have decided to conduct six
additional, differently focused reviews, involving licensees other than
those that comprised the original 12, to determine the effectiveness of
industry contingency planning guidance. We will begin these reviews in
April 1999 and conclude them in June 1999. These reviews will focus on
the licensees' approach to addressing both internal and external Y2K
risks to safe plant operations based on the guidance in NEI/NUSMG 98-
07. Resident inspectors at all power reactor sites will also carry out
reviews of licensee's contingency plans.
NRC has conducted one Y2K inspection at each of the ten major fuel
facilities. The inspections determined that all facilities are
adequately addressing Year 2000 issues and will be Year 2000 Ready by
December 31, 1999. The Y2K readiness program implemented by each fuel
facility is intended to identify and repair software, hardware, and
embedded systems that could degrade, impair, or prevent operability of
the facility.
broader national focus
Although the primary focus of the NRC with our licensees has been
on public health and safety, related to reactor operations, we
recognize the concern that the Year 2000 problem could affect the
reliability of electrical grids. Our regulatory focus on electrical
grid reliability has related primarily to the challenges to plant
safety systems that might result from a grid transient, such as a loss
of offsite power.
However, the Y2K problem has presented the NRC with a unique
challenge because NRC regulatory oversight and authority does not
extend to the U.S. offsite electrical grid system. Nonetheless, we
recognize the national importance of a broader focus that helps to
ensure that potential concerns with electrical grid reliability are
identified and resolved. The NRC supports the efforts of the
President's Council on Year 2000 Conversion. As members of the Energy/
Electric Power Sector Working Group, we understand the importance not
only of maintaining nuclear power plant safety, but of enhancing safe
grid operation in the face of the Y2K problem as well.
With respect to electric power distribution, in May 1998, the U.S.
Secretary of Energy requested that the North American Electric
Reliability Council (NERC) coordinate efforts within the electric power
industry to assure a smooth Year 2000 transition. The NERC is a
voluntary industry reliability group, made up of 10 regional councils,
whose membership includes nearly every major provider of electricity
generation and transmission within the Eastern, Western, and Texas
interconnections that form the backbone of the electricity supply
system for the United States, Canada, and a small portion of Mexico.
The NERC has established recommended industry-wide milestones for
ensuring that U.S. electric systems are ready for the Year 2000. The
recommended completion date for the remediation/testing phase of Y2K
preparations is May 1999. Mission-critical systems and components
(e.g., power production, energy management systems, telecommunications,
substation controls and system protection, and distribution systems)
are to be made Y2K ready by June 30, 1999.
The NERC has worked in partnership with trade associations
representing investor-owned utilities (Edison Electric Institute),
municipal utilities (American Public Power Association), rural electric
cooperatives (National Rural Electric Cooperatives Association),
nuclear power plant operators (Nuclear Energy Institute), and the
Canadian electric power industry (Canadian Electricity Association) to
ensure the most complete coverage of the industry in the surveys and
assessments of Y2K readiness.
The U.S. electric power industry is placing considerable emphasis
on contingency planning for the Year 2000 transition. The NERC is
targeting June 1999 for completion of contingency plans.
The NRC also is developing a Y2K contingency plan to enable us to
respond rapidly to potential events at licensed U.S. facilities
resulting from unanticipated Y2K problems. The draft plan includes
provisions to collect and disseminate information on Y2K-related events
that occur in countries in time zones ahead of the U.S. Continued safe
operation of nuclear power plants during the transition to the Year
2000 is important to help maintain reliable electrical power supplies.
As such, the draft NRC Y2K contingency plan includes considerations for
rapid decisionmaking under circumstances where a Y2K problem might
result in licensee non-compliance, but would not affect continued safe
plant operation. The draft NRC Y2K contingency plan is being
coordinated with the U.S. nuclear power industry, other Federal
agencies (including the Federal Emergency Management Agency), State
governments, and international nuclear regulatory organizations. The
public comment on the draft Y2K contingency plan recently concluded and
the final plan is scheduled to be forwarded to the Commission in April.
In early October the NRC plans to conduct a ``Y2K Exercise.'' In
this dry run we will attempt to ensure that all aspects of our Y2K
contingency plan are in place. Regulators from Taiwan, Japan, Finland,
Sweden and the United Kingdom have all expressed an interest in
participating in this exercise. We also hope to have participation from
several of our licensees.
We consider public awareness a vital aspect of our Y2K program and
have kept the public informed about our Y2K activities through numerous
media releases, responses to questions by telephone, electronic mail,
and letters, interviews with reporters, participation at workshops,
public meetings, and maintenance of current Y2K information on our Web
site.
international activities
We are actively involved in promoting awareness of the Year 2000
readiness issues internationally. In preparation for the 42nd IAEA
General Conference in September 1998, the NRC took the lead in drafting
a resolution on the Year 2000 (Y2K) readiness for the safety of nuclear
power plants, fuel cycle facilities, and other enterprises using
radioactive materials. That resolution urged, among other things, that:
Member States submit information to the IAEA on activities underway to
inventory and remediate Y2K problems at their nuclear facilities; and
that the IAEA act as a central coordination point in disseminating
information about Member State Y2K activities.
During its numerous bilateral side meetings with countries such as
Argentina, Lithuania, Russia and Ukraine, the NRC presented the draft
resolution and urged their support. Ultimately, 28 Member States co-
sponsored the resolution, including a number of countries that have
nuclear facilities whose safety are of particular concern to the U.S.
Government.
Since the General Conference, the NRC likewise has worked with the
IAEA to formulate a Y2K program that would address nuclear safety
aspects of the Y2K problem. We requested that State Department funds be
allocated, under the FY98 Voluntary Contribution, to fund a Cost-Free
Expert (an individual who would work at the IAEA for 1 year at no cost
to the IAEA) to work specifically on Y2K nuclear safety matters in the
Department of Nuclear Safety. The Cost-Free Expert assumed his post in
December 1998, and the Department of Nuclear Safety is now developing
and implementing a comprehensive program to help Member States address
Y2K remediation issues and contingency planning.
In the international arena, our understanding is that the nuclear
power industry and its regulators in Canada, Western Europe, and the
Far East have undertaken similar efforts and readiness schedules to
that of the NRC for addressing the Y2K problem at nuclear power plants.
However, some countries have started only recently to focus on the Y2K
problem. Last month, at a meeting of the International Nuclear
Regulators Association (INRA), which is Chaired by NRC Chairman, Dr.
Shirley Ann Jackson, a statement was drafted on the Y2K problem,
expressing concern that the results of the recent United Nations
Conference indicated that few countries will be Y2K ready, and that few
have adopted expert guidance regarding remediation and contingency
planning. Contingency planning, while important in itself to all
countries, takes on new importance in late-starting countries, due to
the short time remaining before the Year 2000. In its statement, which
was transmitted to appropriate agencies in INRA member governments, to
the Nuclear Energy Agency of the Organization for Economic Cooperation
and Development, to the International Atomic Energy Agency, and to the
Chairman of the first Review Meeting of the Convention on Nuclear
Safety for use in the peer review process, the INRA urged governments
and their regulatory authorities to take urgent action to diagnose the
extent of the Y2K problem in nuclear facilities (including nuclear
power plants, fuel cycle facilities, and medical facilities), and to
formulate and implement effective remediation programs and contingency
planning in the near term for this pre-eminent concern. This remains a
key aspect to effective Y2K readiness.
summary
As discussed above, we have been proactive in addressing the Year
2000 problem internal to the NRC and with our licensees. Additionally,
we continue to work, both nationally and internationally, to promote
awareness and provide assistance in addressing the Year 2000 problem.
Ensuring continuity at the interfaces of regulator-to-licensee,
regulator-to-public, and regulator-to-government is crucial. It is the
recognition that, despite industry efforts and our efforts, something
still could go awry that will continue to drive our Y2K readiness
efforts.
With that said, it is of paramount importance to note that the NRC
and the nuclear power industry are addressing the Year 2000 computer
problem in a comprehensive, thorough and deliberate manner. To date, we
have not identified or received notification from licensees or vendors
that a Year 2000 problem exists with safety-related initiation and
actuation systems. Further, we believe that we have--through Generic
Letter 98-01, the sample audits and other oversight activities--
established a framework that appropriately assures that the Year 2000
problem will not have an adverse impact on the ability of a nuclear
power plant to safely operate or safely shut down.
We look forward to working with the Subcommittee and welcome your
questions.
______
Statement of David Swanson, Edison Electric Institute
Good afternoon, Mr. Chairman and Members of the Subcommittee. I am
David Swanson, Senior Vice President, Critical Issues, for the Edison
Electric Institute (EEI). EEI is the association of U.S. shareholder-
owned electric utilities and industry affiliates and associates
worldwide. EEI's member companies serve about 70 percent of all
ultimate electricity consumers in the United States and generate about
75 percent of utility-produced electricity. Thank you for inviting me
here to testify on the electric utility industry's preparations for the
Year 2000 (Y2K) conversion.
Obviously, the electric utility industry is a key part of the
nation's critical infrastructure, so our preparations for Y2K are
important to virtually everyone. Without safe, reliable, and affordable
electric power, government, businesses, the economy, and the public at
large are at risk. The Y2K issue has made us more aware than ever of
how dependent we are on technology, other utilities, our suppliers and
our customers. Meeting the Y2K Challenge is a team effort for utilities
both large and small. Only through cooperation and teamwork will we be
successful in preparing for the Year 2000.
The electric power industry is an industry that runs 24 hours a
day, 7 days a week. Since technology and people occasionally, and
unpredictably, fail to perform as planned, the industry places a very
high importance on contingency plans. It is an industry that is
accustomed to planning for and responding to emergencies and other
unexpected events, such as weather, natural disasters, accidents,
equipment failures, etc., that might affect the generation,
transmission and distribution of electricity. While Y2K poses a set of
challenges that might be different than these other natural
occurrences, the fact that we know when it will occur gives us a
distinct planning advantage over many of the other challenges we face
daily.
overview of electric utility industry y2k readiness
Last May, the U.S. Department of Energy asked the North American
Electric Reliability Council (NERC) to undertake the coordination of an
industry process to ensure a smooth transition to the Year 2000, and to
conduct a comprehensive assessment of Year 2000 preparations in the
electric utility industry. NERC is a voluntary, non-profit organization
formed in 1968 to coordinate the reliability and adequacy of bulk
electric systems in North America. All segments of the U.S. electric
utility industry are working with NERC in this process. This includes
EEI, the American Public Power Association (APPA), the Electric Power
Supply Association (EPSA), the National Rural Electric Cooperative
Association (NRECA), the Nuclear Energy Institute (NEI), UTC--The
Telecommunications Association (formerly known as the Utility
Telecommunications Council), and the Canadian Electricity Association
(CEA).
As part of its mission, NERC was asked to produce status reports to
DOE for the industry. The data collected continue to indicate that Y2K
will have, at most, a minimal impact on electric system operations in
North America, and our confidence in the ability of the system to
``keep the lights on'' through the Y2K transition continues to build.
The second NERC report to DOE, released last month, is attached to my
testimony. Ongoing data collection is continuous, with comprehensive
updates provided to DOE on a quarterly basis. DOE requested a final
report by July 1999, and subsequent reports are likely. The NERC/DOE
reports and other material, such as the industry Y2K coordination plan,
are available on the NERC website at: www.nerc.com. Additional Y2K
information is available at our own website: www.eei.org.
The January 1999 NERC/DOE Status Report is based on data provided
through November 30, 1998, by over 98 percent of the electrical systems
in the United States and Canada. The report concludes that:
With proper contingency planning, sufficient generating
capacity is anticipated to be available to meet demand during critical
Y2K transition periods, including additional reserves and quick start
units.
Nuclear generating facilities are expected to be available
to supply their share of energy needs and all nuclear safety systems
are expected to be fully ready for Y2K.
Transmission outages are expected to be minimal and
outages that may occur are anticipated to be mitigated by reduced
energy transfers established as part of the contingency planning
process.
Distribution systems tend to be the least sensitive to Y2K
anomalies, but testing and contingency planning remain important, as
distribution systems have the least options for redundant supplies and
facilities.
Telecommunications from external service providers is a
key issue due to the uncertainties as to what capabilities might be
lost and the real-time impact of any such losses. Extensive
coordination and joint demonstration tests with the telecommunications
industry are required and are being planned.
According to the NERC report, more than 44 percent of utilities'
mission-critical components were tested by the end of November 1998,
and that figure now is approaching 60 percent. The most prudent time to
schedule testing of electric systems for Y2K problems is during those
times of the year when demand for electricity is low. As a result,
electric companies have scheduled some of their Y2K work during
regularly scheduled maintenance periods during the low load periods in
the spring and fall. Based on testing done to date and scheduled
testing in the spring of 1999, most electrical systems necessary to
operate into the Year 2000 will have been tested, remediated, and will
be Y2K ready by the industry target date of June 30, 1999. Facilities
that will miss the June 30 target are already identified, few in
number, and will not affect electric reliability into the Year 2000.
Among non-nuclear generators, the most serious concern exists in
the most modern plants directly operated by means of digital control
systems. Nonetheless, not one ``live'' test of a fully remediated unit
has resulted in a Y2K failure that caused the unit to shut down. No
nuclear facility has found a Y2K problem that would prevent safety
systems from shutting down a plant in an emergency.
What problems have been found are typically limited to logs or date
displays. All systems are expected to be at full capability during Y2K.
Testing of substation controls and system protection devices reveal no
power interruptions or safety concerns as a result of Year 2000
rollover in associated digital electronics.
The Year 2000 conversion is not a new issue to the electric
industry. EEI and the rest of the industry recognized the threat posed
by Y2K several years ago and have been working toward solutions at
several levels. Most electric utilities involved in generation and
transmission have established Y2K programs and invested substantial
personnel, financial, and technical resources in identifying and
resolving Y2K problems. The industry has long been testing critical
software. The Electric Power Research Institute (EPRI) has a special
program devoted to identifying problems with embedded microchips and
embedded digital controllers and working with vendors to find
solutions. The EPRI program is open to any type of company, not just
electric utilities, and several industries are represented.
Nearly all of the detailed Y2K problem identification and
resolution has been and will continue to be performed by individual
electric utilities. For example, an EEI member company will typically
spend anywhere from $10 million to $100 million addressing the Y2K
problem. The NERC assessment survey tells us that 88 percent of
utilities responding have their Y2K programs reporting to a Vice
President or higher, and 84 percent indicate that they provide their
Board of Directors with at least quarterly briefings on the status of
their Y2K programs. As an example of work already underway, one major
utility invested 16 person-years in 1998 alone. Another utility has
1,400 people across various departments assigned full- or part-time
responsibility for Y2K activities. In terms of remediation and testing,
some utilities are already operating multiple fossil generating units
with almost all clocks set exactly 2 years into the future in an effort
to eliminate any Y2K uncertainty. The industry has set a target date of
June 30 for all utilities to have contingency plans in place. Industry-
wide Y2K simulation drills are scheduled for April 8-9 (transition to
the 99th day of 1999) and September 8-9 (transition to 9/9/99).
focus of electric utility industry y2k testing programs
Electrical systems are operated such that the loss of one, two or
three facilities will not cause cascading outages. Y2K poses the
potential threat that common failures, such as all generator protection
relays of a particular model, failing simultaneously, or the coincident
loss of multiple facilities could result in stressing the electric
system to the point of a cascading outage over a large area. Testing
results are confirming our initial feeling that this possibility is
extremely low. As a result, we look to potential problems which might
be created by more limited failures.
It is here that preparation for these kinds of failures begins to
look like prevention and response programs we undertake under non-Y2K
circumstances. It is important to understand that all prevention
programs do not have to be the same, but they do have to be
coordinated. So the preparation of the electricity systems in North
America has been a coordinated team effort by those entities
responsible for system reliability--the NERC Regional Reliability
Councils and the individual power providers.
There are four critical areas which pose the greatest potential
threat to maintaining a reliable supply of electricity during the Y2K
transition: generation, energy management systems, telecommunications,
and relay protection devices.
First, power generating facilities must be able to operate through
critical Y2K periods without tripping off-line. The threat is most
severe in newer power plants with digital control systems, which
contain time sensitive control and protection schemes. Digital
controllers built into station equipment may also pose a threat.
However, most older plants operate with analog controls, and will be
less problematic.
Energy management systems are computers within the electric control
centers within the electric reliability regions across North America.
These computers are used to operate transmission facilities and control
generating units. Many of the control center software applications
contain built-in time clocks used to run various power system
monitoring, dispatch, and control functions. Many energy management
systems are also dependent on time signal emissions from Global
Positioning Satellites as a time reference. In addition to resolving
Y2K problems within utility energy management systems, these supporting
satellite systems outside of utility control must be Y2K compliant.
Telecommunications is another critical area. Electric supply and
delivery systems are highly dependent on microwave, telephone, frame
relay, and radio communications systems. Therefore, the dependency of
the electric supply on facilities leased from telephone companies and
commercial communications network service providers is a crucial
factor. Telecommunications systems are the nerve center of the
electricity networks and it is important that we address the mutual
dependencies of electric utility systems and the telecommunications
industry. Utilities have similar mutual dependencies with natural gas
pipelines.
The final technical area of concern is in relay protection devices,
which are used to rapidly isolate a portion of the transmission system
that may be in trouble. Many protective relays are electromechanical
and will not be affected. However, newer relays are digital and may
have a risk of a common failure in which all the relays of a certain
model fail simultaneously, which could result in coincident
transmission facility outages.
As a final observation, New Year's Eve 1999 falls on a Friday
which, of course, is followed by a holiday weekend. Therefore, for
nearly all of the country, during the first critical 72 hours, electric
system conditions are likely to be favorable, with the level of
electricity transfers at relatively light levels and extra generating
capacity available.
conclusion
Understandably, customers are concerned about whether their
electric service will be provided without interruption into the Year
2000. Policymakers at all levels are watching the electric utility
industry's Y2K preparations very closely. Industry representatives have
been called to testify before numerous Congressional hearings like this
one, and we have cooperated with the General Accounting Office in an
independent review of the industry's preparations requested by the
Senate Special Committee on the Year 2000. Also, virtually every state
and local regulatory and legislative body is exercising some degree of
oversight authority over, at least, the investor-owned utilities
operating in their jurisdiction.
The electric utility industry's goal is to ensure that electric
supply and delivery during all Y2K critical transition periods is
provided without interruption. EEI and other industry organizations are
working to ensure that each of the approximately 3,200 power providers
in the electricity supply and delivery chain realize that they are all
important links to overall industry success. Y2K issues must be
addressed and resolved by each supplier. Even though the individual
companies which make up the industry have become more competitive, they
have banded together and have been devoting the resources necessary to
achieve a successful Y2K transition.
Utilities and customers must communicate with each other about
their Y2K plans and programs. EEI and other industry organizations are
urging their members to develop a ``Y2K rapport'' with all of their
customers. Working together, not only can customers develop confidence
in their utility's Y2K preparations, but utilities also can better
understand the Y2K plans and needs of their customers during the
critical periods. For instance, sudden large changes in the demand for
electricity due to a lack of customer confidence--such as a large
chemical plant deciding suddenly to shut down--can cause almost as many
problems with the stability of the electric system as a sudden loss of
supply.
The ability to share technical information on Y2K problems and
solutions is improving. Congress provided valuable assistance in this
regard last year by enacting the Year 2000 Information and Readiness
Disclosure Act, which provides a limited ``safe harbor'' for shared Y2K
information. Particularly helpful is a provision in the law which
specifically promotes industry-wide data gathering efforts such as the
NERC reporting process. But liability fears continue to have a chilling
effect on some Y2K activities and threaten to divert valuable time and
resources away from remediation efforts. We urge Congress, working
closely with all stakeholders, to enact timely, bipartisan legislation
that will encourage Y2K remediation and discourage unnecessary
litigation.
In conclusion, the electric utility industry is well aware of the
seriousness of the Y2K problem and the risks it poses. We are engaged
in a total assessment process that will help guide us toward a
successful transition to the Year 2000. And, communication and
coordination among electric utilities, their customers, suppliers and
vendors are the key to achieving that smooth transition. The electric
power industry is one that anticipates unplanned events and problems
and exercises contingency plans on a daily basis to keep the lights on.
At this time we are cautiously optimistic that the transition to the
Year 2000 will not be different from an electricity supply perspective
than any other.
Thank you again for the opportunity to present this testimony
today.
______
Preparing the Electric Power Systems of North America for Transition to
the Year 2000: A Status Report and Work Plan
(Prepared by the North American Electric Reliability Council)
executive summary
Background
This report is the second in a series of comprehensive quarterly
status reports on efforts to prepare electric power supply and delivery
systems for operation into the Year 2000. This report was prepared by
the North American Electric Reliability Council (NERC) in response to a
May 1998 request from the United States Department of Energy (DOE) to
coordinate the industry's Y2K effort. The first quarterly status report
was delivered to DOE on September 17, 1998.
Results from the Fourth Quarter 1998
Minimal Operational Impact: With more than 44 percent of mission-
critical components tested through November 30, 1998, findings continue
to indicate that transition through critical Year 2000 (Y2K) rollover
dates is expected to have minimal impact on electric system operations
in North America. Only a small percentage of components tested indicate
problems with Y2K date manipulations. The types of impacts found thus
far include such errors as incorrect dates in event logs or displays,
but do not appear to affect the ability to keep generators and power
delivery facilities in service and electricity supplied to customers.
Universal Participation: The level of participation in the
industry-coordinated Y2K readiness assessment process increased
dramatically during the fourth quarter 1998 and exceeds 98 percent of
the electrical systems in the United States and Canada. This
accomplishment addresses a concern raised in the previous report
regarding the status of the non-reporting entities. Efforts will
continue toward retaining as close to universal participation as
possible. Recent legislation on Y2K information disclosure, as well as
the credibility gained by the first report to DOE, has had a positive
impact in encouraging information sharing and allowing additional
entities to report their readiness status.
Contingency Planning: Despite the expected minimal impacts on
operating systems, the electric industry is taking very serious steps
to prepare for possible operating contingencies. First drafts of
contingency plans are being completed now by bulk electric operating
organizations and will be reviewed by NERC and the NERC Regional
Councils by the end of January 1999. Contingency plans are to be ready
by the end of June 1999. Additionally, the industry is preparing to
conduct two coordinated drills on April 9, 1999 and on September 8-9,
1999 to prepare for operations under Y2K conditions.
Critical Issues
Issue 1--Meeting Industry Established Targets: Analysis of fourth
quarter 1998 report data (through November 30, 1998) indicates that, on
average, the electric industry is close to, but slightly lagging the
target of all mission-critical facilities being Y2K Ready by June 30,
1999. Followup interviews conducted by NERC staff with Y2K program
managers indicate that those entities reporting expected completion
dates later than the industry targets are doing so for one or both of
the following reasons:
A small number of facilities or systems (typically 1-5 per
entity) may be completed beyond the target date because of a scheduled
outage period or other project planning considerations.
Some entities have been including items in their monthly
reports not essential to sustained reliable electric operations going
into the Year 2000.
A general conclusion from these discussions with Y2K program
managers, which must be confirmed by more detailed reporting, is that
nearly all electrical systems necessary to operate into the Year 2000
will have been tested, remediated, and declared Y2K Ready by June 30,
1999. Any facilities or systems that will be completed after this date
are specifically known, are limited in number, and would not adversely
impact the ability to provide sustained reliable electric service into
the Year 2000 should they not be available. Despite these assurances,
further steps are outlined in this report to move the industry into
conformance with established targets.
Issue 2--Limited Ability to Test External Voice and Data
Communications: Operation of electric systems is highly dependent on
voice and data communications from external service providers. The
electric industry has been assured and has full confidence that
telecommunications services will be reliable through Y2K rollover
periods. However, it is difficult to achieve extensive verification in
the form of integrated testing of electrical system voice and data
communications functions with external communications services
providers. The dependence on voice and data communications directly
affects real-time operations and control of electric systems and
therefore requires the greatest attention in contingency planning and
preparations.
The electric industry is working hard, in cooperation with the
telecommunications industry, to address this dependency issue.
Coordination meetings are already taking place to understand the
contingency requirements of each sector. Controlled demonstration tests
are planned between electric substations and control centers and
external telecommunications providers. The lessons from these
coordination meetings and demonstration tests will be widely
distributed to members of both industries. Additionally, communications
will be the focus of electric industry contingency planning and drills.
Issue 3--Preparation of Distribution Systems for Y2K: Results to
date indicate that distribution systems are generally the least
dependent on electronics and computers and are the least susceptible to
Y2K anomalies. Several industry associations working with NERC have
done an excellent job of enlisting the participation and cooperation of
the approximately 3,000 electric distribution entities in the United
States and Canada.
Despite this reduced distribution equipment vulnerability, these
systems are on the front line of electricity delivery to customers.
Distribution systems are essentially radial in design and have fewer
options that can be used to correct in real time for a failure.
Therefore, continued vigilance is necessary to complete testing of all
critical electronic components within distribution systems. Contingency
planning and preparations are a key aspect of assuring distribution
systems are ready to respond to conditions that might affect the
ability to serve customers.
Continuing Industry Efforts
This report updates the industry work plan for continued
coordination of Y2K efforts across North American electric systems:
1. NERC and its Regional Reliability Councils, in a cooperative
partnership with the several trade associations, will continue to
facilitate electric industry preparations for Y2K. These efforts
include ongoing readiness assessment reports and information sharing.
2. The Y2K readiness assessment process will be modified to
recognize specific, justifiable exceptions to the industry target dates
and to apply greater supervision to any programs that are not in
conformance with industry goals.
3. Draft contingency plans will be reviewed and coordinated at the
Regional and NERC levels, with a goal of having plans ready by June 30,
1999.
4. The industry will conduct a drill on April 9, 1999, aimed at
operating with limited communications under simulated Y2K conditions.
5. NERC will facilitate coordination efforts with the
telecommunications industry to better understand and prepare for
interdependencies. This effort will include one or more integrated
demonstration tests between electric facilities and external
communications services.
section 1. conclusions and recommendations
1.1 Overall Summary of Y2K Readiness Status
The following expectations are reasonable at this time based on
information reviewed through the fourth quarter 1999 (based on data
provided through November 30, 1998):
1. With proper contingency planning, sufficient generating capacity
is anticipated to be available to meet demand during critical Y2K
transition periods, including additional reserves and quick start
units.
2. Nuclear generating facilities are expected to be available to
supply their share of energy needs and all nuclear safety systems are
expected to be fully ready for Y2K.
3. Transmission outages are expected to be minimal and outages that
may occur are anticipated to be mitigated by reduced energy transfers
established as part of the contingency planning process.
4. Distribution systems tend to be the least sensitive to Y2K
anomalies, but testing and contingency planning remain important, as
distribution systems have the least options for redundant supplies and
facilities.
5. Telecommunications from external service providers is a key
issue due to the uncertainties as to what capabilities might be lost
and the real-time impact of any such losses. Extensive coordination and
joint demonstration tests with the telecommunications industry are
required.
1.2 Critical Issues
Although a guarantee of continuous electric supply is not possible
due to everyday occurrences, the goals of the Y2K program in the
electric industry are:
To provide electricity supply and delivery to customers
that is uninterrupted by a Y2K condition or failure.
To provide continuous operation of all essential functions
and services such as customer response, business operations, supplies,
and emergency repair capability.
Three issues are presented here as needing special focus in the
coming months in order to achieve these goals.
Issue 1--Meeting Industry Established Targets: The industry target
dates have been set in recognition of the strategic importance of
reliable electricity supply to all other sectors and to national
security. Additionally, these targets were set to allow time for
validation and execution of contingency preparations and the conduct of
a rehearsal exercise on the rollover from September 8 to September 9,
1999. The targets are:
Completion of Remediation and Testing by May 31, 1999.
All mission-critical facilities needed for sustained
electrical operations into the Year 2000 are Y2K Ready by June 30,
1999.
Analysis of the fourth quarter 1999 report data (through November
30, 1998) indicates that, on average, the electric industry is close
to, but slightly lagging its Y2K readiness targets. However, this means
a portion of the industry is reporting expected completion dates that
lag the established targets. Followup interviews were conducted with
some Y2K program managers, by the NERC staff, to determine the reasons
these entities are expecting to miss the targets. It is apparent from
these discussions that:
Most electric facilities necessary for reliable operation
into the Year 2000 will have completed Remediation and Testing by the
end of May 1999.
A small number of facilities (typically 1-5 per entity)
may be completed beyond the target because of a scheduled outage
period, vendor supply restrictions, or other project planning
considerations.
Some entities have been including items in their monthly
reports not essential to sustained reliable electric operations into
the Year 2000.
A general conclusion from these discussions with Y2K program
managers, which must be confirmed by more detailed reporting
information in future periods, is that nearly all electrical systems
necessary to operate into the Year 2000 will have been tested,
remediated, and declared Y2K Ready by June 30, 1999. Any facilities or
systems that will be completed after this date are specifically known,
are limited in number, and would not impact the ability to provide
reliable service into the Year 2000 if operation without the equipment
became necessary.
Despite these assurances, further steps are outlined in this report
to move the industry into conformance with established targets. NERC
and its Regional Councils will identify and apply greater supervision
to bulk electric Y2K programs that do not conform to industry
expectations. The four criteria for a non- conforming program are:
1. Expected to complete Remediation and Testing or Y2K Ready status
for mission-critical electrical facilities past industry targets of May
31, 1999 and June 30, 1999, respectively. Reasonable, specific
exceptions may be justified for a limited number of facilities if they
do not pose a risk to electric operations into the Year 2000.
2. Reported exceptions are excessive, not reasonably justified, or
may pose a risk to electric operations into the Year 2000.
3. Missed status reports for two consecutive months.
4. Program has no written plan or does not report to executive
management.
This clear position on the need for conformance to industry
targets, and the recognition that a small number of facilities may have
reasonable justification for a later completion date, should result in
the industry being on track to meet its targets by the first quarter
1999 report to DOE.
Issue 2--External Telecommunications Dependency: It is becoming
clear that voice and data communications from external service
providers is a key dependency that affects real-time operation and
control of electric systems and that extensive integrated testing with
these external communications providers will not be practical.
The electric industry has been repeatedly assured and has full
confidence that telecommunications services will be reliable through
Y2K rollover periods. However, it is difficult to achieve extensive
verification in the form of integrated testing of electrical systems
voice and data communications functions with external communications
services providers. Electric systems have other dependencies, such as
fuel supply and spare/replacement parts. However, voice and data
communications are real-time dependencies and are the most challenging
to account for in contingency planning and preparations.
The electric industry has taken an approach of testing all mission-
critical facilities, including its internally-owned voice and data
communications facilities. The testing, however, generally stops with
the electric utility's equipment and does not include external
communications services.
The telecommunications industry is working on the Y2K issue as much
or more than any other sector. The inability to conduct extensive,
integrated testing with all critical communications customers is
understandable, as communications networks are global, very complex,
and extremely interconnected. Telecommunications service providers
cannot conduct end-to-end testing of live circuits, including
integrated testing with all critical customers' equipment. The
conclusion at this point is that extensive, end-to-end testing of
electrical utility voice and data equipment with external
telecommunications service providers is not practical.
This characterization is intended to spotlight electric system
operational concerns, not to point attention toward the
telecommunications industry. In a parallel situation, it is also not
practical for the electric industry to perform end-to-end testing that
includes coordinated rollovers with all critical electricity customer
equipment. The inability to perform end-to-end testing is not a
limitation unique to the telecommunications industry.
To address this issue, the electric industry must work hard and in
close cooperation with the telecommunications industry. Coordination
meetings are already taking place to understand the interdependencies
and contingency requirements of each sector. A small number of
controlled demonstration tests are being planned jointly between
electric substations, power plants, control centers, and external
telecommunications providers. It is important in these efforts to
obtain the cooperation of not only major communications service
providers, but also the local telephone companies that provide leased
line service. The lessons from these coordination meetings and
demonstration tests will be widely distributed to members of both
industries.
In addition to these industry-level efforts, coordination and some
integrated testing efforts are occurring at the individual utility
level. The goal of these efforts is to provide greater assurances that
electric and telecommunications services will be there for each other
during critical Y2K periods. Obviously, extensive joint testing at the
individual utility level is not practical when one realizes there are
over 3,200 electric organizations and over 1,400 telecommunications
organizations in North America who are dependent on each other.
Issue 3--Distribution Systems: Results to date indicate that local
distribution systems are generally the least dependent on electronics
and computers and the least susceptible part of the electric system to
Y2K anomalies. Industry associations working with NERC (American Public
Power Association, the Canadian Electricity Association, the Edison
Electric Institute, and the National Rural Electric Cooperative
Association) have done an excellent job of enlisting the participation
and cooperation of the approximately 3,000 electric distribution
entities in the United States and Canada. This information, included
with this report, provides assurances that distribution systems are
less vulnerable to Y2K anomalies and that they are taking steps to test
and repair equipment that may be susceptible.
Despite this reduced distribution equipment vulnerability, these
systems are on the front line of electricity delivery to customers.
Distribution systems are essentially radial in design and have fewer
options that can be used to correct in real-time for a failure.
Therefore, continued vigilance is necessary to complete testing of all
critical electronic components within distribution systems. Contingency
planning and preparations are a key aspect of assuring distribution
systems are ready to respond to conditions that might affect the
ability to serve customers.
To address this issue, the following measures are recommended:
1. Associations should continue the quarterly assessment of Y2K
readiness of distribution systems, with a goal of universal
participation of distribution entities in North America.
2. Efforts should be expanded to assure testing of all critical
digital components in distribution systems and to assure development of
contingency plans.
The recommendations above are directed to all types of distribution
systems without distinction of size or ownership type.
1.3 General Recommendations to the Electric Industry
The following recommendations support the continuation of the
industry-led Y2K program:
1. NERC and its Regional Reliability Councils, in a cooperative
partnership with sector trade associations, should continue to
facilitate electric industry preparations for Y2K. These efforts
include ongoing readiness assessments, information sharing, and other
activities defined in the NERC Y2K Coordination Plan.
2. Organizations within the electric industry should establish
project plans and resources to meet or exceed the industry milestones
of completing Remediation and Testing by May 31, 1999, and all mission-
critical systems Y2K Ready by June 30, 1999.
3. With coordination by NERC and its Regions, the industry should
assess operating risks associated with Y2K and prepare contingency
plans by June 30, 1999. Steps to mitigate operating risks should be
coordinated on Interconnection, intra- and interregional, and
individual company levels.
4. Coordination should be established at the industry and
organizational levels to address interdependencies with communications
providers, natural gas and oil suppliers, and coal transportation
providers.
5. Interdependencies with external telecommunications providers
should receive special attention, including development of
demonstration tests and coordinated inter-sector contingency planning.
6. Additional focus should be applied to executing Y2K programs for
digital components and preparing contingency plans in electric
distribution systems.
1.4 What Can Others Do?
Overall success of Y2K efforts in the electric industry depends on
cooperation among the industry, government agencies, and customers.
This section suggests ways that these stakeholders may help the
process.
Federal Governments in the United States, Canada, and
Mexico
1. Allow the industry to continue managing Y2K efforts. Feedback on
overall goals and effectiveness of Y2K efforts should be provided
through the existing industry-led program.
2. Coordinate global issues related to Y2K that may have secondary
effects on sustaining electricity supply in North America, including
international oil and gas supplies and financial institutions.
3. Facilitate inter-sector coordination as needed to address
interdependencies and assure continuity of essential services.
State, Provincial, and Local Governments and Commissions
1. Encourage electric utilities within the local jurisdiction to
participate in the industry efforts facilitated by NERC, its Regional
Reliability Councils, and the industry trade association partners.
Maximize the use of the existing NERC-facilitated process and readiness
assessment information. Additional surveys and reports tend to draw
resources from the primary focus of addressing Y2K technical issues.
2. Facilitate inter-utility coordination within the local
jurisdiction to assure continuity of essential utility services such as
electricity, water, sewage, natural gas, and telephone.
3. Facilitate coordination of emergency services such as police,
fire, and other emergency management services.
Electricity Customers
1. Identify the possible impacts of Y2K in your business or home
and initiate actions necessary to assure safety and business
continuity.
2. Check the Y2K information provided by your local electricity
provider on the Internet or through literature mailings. If you are not
satisfied with the Y2K program of your electricity provider, let them
know.
3. Customers with electrical demands essential to safety and public
well-being, such as hospitals; emergency services; public
communications; gas, water, and sewage facilities; and hazardous
materials handlers should review their emergency power supply
provisions and procedures, and coordinate their needs with the local
electricity provider.
4. Large commercial and industrial customers that would be severely
impacted by an electrical outage should also review their emergency
power supply provisions and procedures, and coordinate their needs with
the local electricity provider.
section 2. background
2.1 Y2K in Electric Systems
Appendix A provides an introductory review of how electric systems
operate and the potential impacts of Y2K.
2.2 Y2K Readiness Assessment Objective
In a letter to NERC in May 1998, DOE requested an initial
assessment by September 1998 of the electric industry's progress in
addressing the Y2K issue and assurance by July 1999 that electric
systems are ready to operate into the Year 2000 (Appendix B). This
report provides the second assessment of Y2K readiness of the electric
industry. Subsequent reports will continue to be provided on a
quarterly basis.
This report provides a comprehensive status report of:
What the electric industry is doing to address the Y2K
issue and how much progress has been made in the fourth quarter 1998.
What the plans are to complete the preparations for Y2K.
How the industry is preparing to deal with and minimize
the impact of any contingencies on the electric system that might still
occur, despite best efforts to fix or replace Y2K-deficient devices.
2.3 Readiness Assessment Process
A brief overview of the readiness assessment process is provided
here, with a more detailed description provided in Appendix C.
NERC Y2K Readiness Assessment Process
The NERC Y2K Readiness Assessment process uses a detailed
questionnaire that allows each organization to report progress across
NERC-established mission-critical areas. The reporting cycle has been
completed on a monthly basis since its inception in July 1998. The NERC
questionnaire is targeted to the approximately 200 entities that own,
operate, or monitor the bulk electric systems of North America.
Distribution System Process
A separate process to gather information from the 3,000
distribution systems is managed under NERC supervision by the American
Public Power Association (APPA), the Canadian Electricity Association
(CEA), the Edison Electric Institute (EEI), and the National Rural
Electric Cooperative Association (NRECA). These organizations bring the
ability to rapidly and closely coordinate with electric distribution
entities through their existing membership channels. These four
organizations have consolidated their findings into the distribution
report of Section 3.8.
Nuclear Facility Process
NERC has enlisted the Nuclear Energy Institute (NEI) to provide
assessment findings for nuclear facilities, which have been
incorporated into Section 3.4 of the report. NEI's Y2K program allows
for greater efficiency and technical expertise in the nuclear area than
would otherwise be available. CEA has assisted by providing analysis of
data from Canadian nuclear facilities.
Business Information Systems
EEI has developed the assessment report on Business Information
Systems that is included in Section 3.9, based on data from the NERC
assessment reports.
2.4 NERC Assessment Report Format
The NERC Y2K Readiness Assessment uses a Microsoft
EXCELTM spreadsheet. This spreadsheet, which is available
from the NERC web site (http://www.nerc.com/Y2K), has been distributed
widely through available channels to all targeted entities. Completed
responses are gathered electronically at the end of each month and
compiled into an EXCEL data base. The process has been automated to
facilitate the aggregation of the individual reports, while maintaining
the anonymity of the reporting organizations. Once submitted, the
reports go through a verification and data validation process. The
final results are made public on the NERC Y2K web site.
A list of responding entities is provided on the NERC Y2K web site,
but NERC has made a firm commitment to all reporting organizations that
NERC will not connect their identities to the specific responses in the
data base.
The NERC Y2K Readiness Assessment spreadsheet has an initial
section to identify the organization, followed by sections covering the
following areas essential to sustained, reliable operations of electric
systems into the Year 2000:
General preparation (project plans, contingency plans,
training, etc.)
Nuclear power generation
Non-nuclear power generation
EMS/SCADA
Telecommunications
Substation controls and system protection (including
distribution)
Business information systems
section 3. readiness assessment results fourth quarter 1998
This section summarizes the findings of the Y2K readiness of
electric systems as of the fourth quarter 1998 (based on data provided
through November 30, 1998). Each area of the progress assessment report
includes major findings, an analysis of those findings, and
recommendations. Supporting data are available for electronic download
from the NERC Y2K web site at http://www.nerc.com/y2k.
About 98 percent of the electricity supply and delivery
organizations in North America have participated in the NERC Y2K
Readiness Assessment process to date. About 194 of 198 bulk electric
entities and 2,821 of the 2,888 distribution entities in North America
have participated in this process by responding to data gathering
efforts by NERC, APPA, NRECA, or CEA. Lists of all participating
organizations are available at the NERC Y2K web site at http://
www.nerc.com/y2k.
Reports were received from entities representing:\1\
---------------------------------------------------------------------------
\1\ These numbers understate the total load and generation
reported, since they are based only on the NERC data.
---------------------------------------------------------------------------
More than 704,017 MW (96 percent) of system peak load out
of a total estimated system peak load for North America of 734,335 MW
More than 666,474 MW (92 percent) of non-nuclear
generating capacity out of 724,741 estimated in 1998 for North America
100 percent of operational nuclear reactors (103 units at
66 facilities) reporting through the NEI process. More than 93,617 MW
(84 percent) of nuclear generating capacity out of 111,046 MW also
reported voluntarily through the NERC process, including all Canadian
nuclear facilities
This participation level is a marked improvement from the first
report in September 1998. To assure continued strong participation, the
NERC monthly report will become a conformance criterion for all bulk
electric entities in the next period. APPA, NRECA, and CEA will
continue to encourage participation of the few remaining distribution
entities.
3.1 Readiness Status: Project Planning and Management Involvement
This first readiness assessment section reviews project plans and
controls and management involvement. This section refers to data from
the NERC assessment and therefore is limited to bulk electric systems.
Results from distribution systems are addressed later in Section 3.8.
Executive Involvement in Y2K
Findings
90 percent of reporting entities indicate the Y2K program reports
to a vice president or higher.
89 percent of reporting entities indicate the Board of Directors or
governing body of the organization receives at least quarterly
briefings on the status of the Y2K program.
These numbers have leveled off after a slight increase from the
third quarter 1998 report.
Analysis
Followup interviews with entities reporting ``no'' on these items
indicate that most Y2K programs do in fact report to senior management.
The terms ``Vice President'' and ``Board of Directors'' lead to
confusing responses in organizations that may have a governance
structure different than a corporation, such as Federal, state, county,
and municipal agencies. These organizations include certain water and
electricity management districts and the U.S. Army Corps of Engineers.
Not one followup interview indicated that the Y2K issue was buried at a
technical or middle management level. In future periods, the reporting
criteria will be clarified to indicate the acceptability of equivalent
terms to Vice President and Board of Directors.
Executive awareness and oversight are critical factors in Y2K
project success. The risk potential for shareholders, customers,
neighboring electric systems, and dependent industries warrants
accountability for the Y2K program by a corporate executive or
equivalent. These two report items will become criteria in future
periods for determining whether a Y2K program conforms to industry
expectations.
Recommendations
1. NERC will issue a clarification explaining the alternative use
of terms that are equivalent to Vice President and Board of Directors.
2. NERC will establish these two items as criteria for a conforming
Y2K program beginning in the first quarter 1999.
3. The Y2K program at each electric supply or delivery organization
should be a direct responsibility of a corporate vice president or
higher (or equivalent for organizations other than corporations). This
individual should be accountable for the overall success of the Y2K
program.
4. The Board of Directors or equivalent governing body of each
organization should receive at least quarterly updates of the Y2K
program status.
Use of a Written Y2K Plan
Findings
72 percent of entities reporting indicate they have developed a
written plan for the management of their Y2K projects.
24 percent indicate a written plan is being developed with an
average expected completion on December 31, 1998.
4 percent indicate they expect to use an unwritten plan or no plan.
Analysis
Followup interviews indicate that the use of written plans may be
understated. For example, one utility that reported ``In Progress'' has
a written plan filling a two-inch binder. This plan is used everyday to
guide the project. However, because the plan is evolving, that entity
chose to report it as ``In Progress''. Once again, this is an
opportunity to clarify the reporting criteria to gain a better picture
of the level of conformance with expectations. If a written plan exists
and it is being used, it should be reported as a ``Written Plan''.
However, this issue cannot be entirely explained by confusion with
the reporting criteria. A small portion of entities exists that simply
has not completed its written plan. These entities should complete
their plans immediately. Of the two entities reporting, they do not
plan to develop a written plan at all, both are power producers. One
has already completed all Y2K remediation and testing on its production
facilities. The other plans to be ready by March 1999.
The use of a written project plan is critical. NERC will make this
item a criterion for a conforming program beginning in the next report
period. A written plan should include as a minimum: assigned
responsibilities and accountabilities, measurable milestones, and a
schedule. Those entities that have not completed a written project plan
should take immediate action to develop one. Even entities that do not
feel they have Y2K problems or have completed their work should have a
written plan addressing the issues listed above.
No single best model exists for a Y2K project plan. The key
characteristics of a plan are that it meets the needs of the
organization and its stakeholders, it is adopted by the organization
for implementation, and the organization's officers accept the plan as
an effective approach to address the identified risks.
Recommendations
1. NERC will issue a clarification explaining that an existing
written plan that is being effectively used should be reported as a
``Written Plan'', even though the plan may continue to evolve.
NERC will establish this item as a criterion for a conforming Y2K
program beginning in the first quarter 1999.
3. The Y2K program at each electric supply or delivery organization
should be guided by a ``Written Plan''.
3.2 Overall Progress Compared to Y2K Milestones
Y2K progress can be measured as a percent of work completed in
several key phases. NERC has adopted the use of three phases:
Inventory, Assessment, and Remediation/Testing. NERC has deliberately
avoided placing a strict definition on these three phases, so as to
prevent conflicts with internal project definitions.
These terms are commonly accepted in the industry and represent a
reasonable division of the Y2K technical work. The division of work
into these phases, however, is approximate and may require a certain
amount of translation from internally defined project measures within
each organization. Remediation and Testing is intended to include
repair or replacement of Y2K deficient systems or components.
Y2K Ready means a system or component has been determined to be
``suitable for continued use into the Year 2000.'' Note that this is
not necessarily the same as Y2K Compliant, which implies fully correct
date manipulations. Consistent with practices across other industries,
the NERC Assessment Process has adopted the term Y2K Ready and does not
use the term Y2K Compliant.
It should be noted that these NERC-defined work phases do not
necessarily flow sequentially. They will often be completed in parallel
and there may be a need to iterate between the phases. For example,
some devices may require testing to complete the initial assessment of
Y2K susceptibility. After repair, the device may be tested again.
The NERC progress assessment is focused on mission-critical systems
associated with the reliable and sustained production, transmission,
and distribution of electricity into the Year 2000.
Findings
Averages of the reporting organizations for the fourth quarter 1998
(as of November 30, 1998) indicate the following overall progress and
expected completion dates for mission-critical electrical systems:
------------------------------------------------------------------------
Current
Average Percent Complete Projected
Y2K Program Phase 4th Qtr 1998 Average
Completion Date
------------------------------------------------------------------------
Inventory.................... 96 August 1998
Assessment................... 82 November 1998
Remediation/Testing.......... 44 June 1999
------------------------------------------------------------------------
The monthly progress in each of the three phases is shown in the
graph below, beginning with data from the previous quarterly report
(August 1998 data).
A more detailed analysis is provided below for each of the three
work phases, beginning first with the Inventory phase.
The first graphic below shows that most reporting entities are 100
percent completed with initial Inventory. Most of the rest are nearly
complete with this phase. A handful of organizations, mainly smaller
producers or distribution entities, are reporting a low percentage of
Inventory completed.
This graph and similar ones that follow have on the horizontal axis
the numbers 1 through 191, representing each entity reporting through
the NERC process in November 1998. The vertical axis is the percent
completion or expected completion date reported by each entity. The
responses were sorted by magnitude for viewing and analysis.
A review of expected Inventory completion dates (below) shows that
most who did not meet the industry target of October 31, 1998 (shown by
the heavy dark line) will be completed by the next quarterly report to
DOE. The few entities expecting initial Inventory to be completed after
March 1999 appear to misunderstand the reporting criteria because each
of them has already completed at least 89 percent of their Inventory.
Similar distribution curves are shown below for the Assessment
phase. Assessment requires an initial review of whether the device or
system may be susceptible to Y2K anomalies and should be further
tested, repaired, or replaced. It does not require full completion of
testing and remediation.
This first graphic shows about one third of reporting entities
having completed their initial Assessment phase. The completion
percentage drops off gradually over the remaining organizations, with
some smaller organizations reporting 0 percent completion.
Most entities are expecting completion of the initial Assessment
phase in the next quarter. Interestingly, again the latest projected
completion dates come from entities that are well underway (60 percent
or more complete). The smaller entities with 0 percent completion are
expecting to be done with the Assessment phase in the first quarter of
1999 because they have only a few items to assess.
Progress in the Remediation and Testing phase is shown in the two
graphs below. A few entities with a small number of facilities report
100 percent completion of Remediation and Testing. A wide variation
exists among other entities, including some that report 0 percent
completion of this phase. While most of the entities at the lower end
of this curve have only a few facilities, some are mid-sized bulk
electric entities. The heavy line in the graph below indicates a
November 30, 1998 target of 52 percent complete. This is an expected
progress level assuming a linear pace from the 28 percent reported in
August 1998 to 100 percent completion by the end of May 1999.
The second graph below shows the projected completion dates for
Remediation and Testing, with the heavy line indicating the industry
target of May 31, 1999. Most of the entities that reported an expected
completion date of more than 30 days after the target (about 25
percent) were contacted for followup questioning.
Of these, nearly all report that a small number of items are
preventing them from completing Remediation and Testing by the target
date. For example, a generating facility is scheduled for a maintenance
outage in September 1999. To take the unit out of service for extended
maintenance prior to that date would incur substantial costs. The unit
is not necessary to meet lower than normal electricity demand through
the initial transition to the Year 2000. All testing that could be done
with the unit in service is done or will be completed by the target
date.
Other entities contacted indicate that they were including all
facets of their Inventory in the report, even those items not essential
for sustained electric operations. These entities did not understand
the reporting criterion to include only those facilities mission-
critical for reliable electric operations into the Year 2000.
In the final graph below, more than two thirds of reporting
entities recognize and intend to meet the industry target of having all
mission-critical facilities Y2K Ready by June 30, 1999 (the heavy line
shown in the graph is the target). Those reporting Y2K Ready dates
after the target fall into one of two categories:
A handful of facilities will not be Y2K Ready until later
than the target for reasons discussed previously. Based on expected
loading conditions for Y2K critical periods, reliable operation can be
achieved if these facilities were not available.
Reporting criteria are not clearly understood. Some
entities assume that they cannot say they are Y2K Ready until all work,
even non-essential systems, are completed. Some assume Y2K preparation
is a continuing process right up to December 31, 1999, even though
electric facilities needed for operation are ready months earlier.
Analysis
Analysis of the monthly report data for bulk electric systems, as
presented above, indicates that, on average, the bulk electric systems
are close to meeting Y2K readiness targets. However, this means a
portion are reporting expected completion dates that lag the industry
targets. Followup interviews were used to determine the reasons these
entities were expecting to miss the targets. It is apparent from these
discussions that:
Most electric facilities necessary for reliable operation
into the Year 2000 will have completed Remediation and Testing by the
end of May 1999.
A small number of facilities (typically 1-5 per entity
with late projections) may be completed beyond the target because of a
scheduled outage period, vendor supply restrictions, or other project
planning considerations.
Some entities have been including items not essential to
reliable electric operations going into the Year 2000.
A general sense of these discussions, which must be confirmed by
more detailed reporting information in future periods, is that most
electrical systems necessary to operate into the Year 2000 will have
been tested, remediated, and will be Y2K Ready by June 30, 1999. Any
facilities or systems that will be completed after this date are
specifically known, are limited in number, and would not impact the
ability to provide reliable electric service into the Year 2000 should
they not be available. Despite these assurances, further steps outlined
in the recommendations below will be taken to move closer to full
conformance with industry targets.
Recommendations
1. NERC will clarify reporting requirements to indicate that
organizations should report items necessary for reliable electric
operations into the Year 2000, and that completion should be reported
when the work is done.
2. Reporting in future periods will allow for identification of a
limited number of specific exceptions planned for justifiable reasons.
NERC will review the exceptions, justifications, and the potential
reliability impacts to determine if the exceptions are acceptable on a
reliability basis.
3. In future periods, NERC and its Regional Councils will identify
and apply greater supervision, including notice to the chief executive,
to programs that do not conform to industry expectations. The four
criteria for non-conformance are:
a. Expected to complete Remediation and Testing or Y2K Ready status
for mission-critical electrical facilities past industry targets of May
31, 1999 and June 30, 1999, respectively. Reasonable, specific
exceptions may be justified for a limited number of facilities if they
do not pose a risk to electric operations into the Year 2000.
b. Reported exceptions are excessive, not reasonably justified, or
may pose a risk to electric operations into the Year 2000.
c. Missed Y2K readiness status reports for two consecutive months.
d. No written plan or does not report to executive management.
4. Electric supply and delivery organizations should take steps to
complete initial Inventory and Assessment immediately, and to complete
the remaining targets by the following schedule:
------------------------------------------------------------------------
Recommended Completion
Date for Mission-
Y2K Program Phase Critical Systems/
Components
------------------------------------------------------------------------
Remediation/Testing........................... May 31, 1999
Y2K Ready Status.............................. June 30, 1999
------------------------------------------------------------------------
These targets apply specifically to facilities that are necessary
to meet demand and reserve requirements for reliable operation into the
Year 2000. Note that the targets may not apply to 100 percent of the
generating units, if some units or facilities are not essential to meet
operating requirements during the 1999-2000 winter season. Y2K Ready
indicates ``suitable for use into the Year 2000 and beyond.''
3.3 Non-Nuclear Generation
Findings
With 666,474 MW (92 percent) of non-nuclear generation reporting
out of the 724,741 MW of total non-nuclear capacity in North America,
the following progress is reported as of November 30, 1998:
------------------------------------------------------------------------
Y2K Program Phase Average Percent Complete
------------------------------------------------------------------------
Inventory 96
Assessment.................................... 79
Remediation/Testing........................... 42
------------------------------------------------------------------------
The graph above indicates substantial progress since the previous
report. The graph below indicates improvement in the projected date for
achieving a Y2K Ready status for mission-critical non-nuclear
generation. As described in the previous section, this pace must be
accelerated to reach the goal of Y2K Ready by the end of the second
quarter 1999.
Analysis
Testing of non-nuclear generators continues to indicate a minimal
number of failures that might cause an unremediated unit to trip. Fully
remediated units are all expected to be able to operate into the Year
2000. The more typical types of failures that have been detected affect
a date stamp of a historical function or a display screen, but would
not impact unit operation.
The most serious concern for power production continues to be in
the more modern plants operated by a Digital Control System (DCS).
These stations are highly automated to obtain maximum efficiency. The
DCS controls nearly all aspects of a generating unit from fuel and
airflow for combustion, to water and steam flows, to turbine-generator
controls, to auxiliary systems. Most of the technical expertise for
these highly complex digital systems is with the original vendor,
making this one of the more important vendor dependencies for the
electric industry. Although DCS vendors are generally cooperative, the
resources of some are stretched under the current demand. DCS vendor
support is one of the constraints often quoted for units that will be
completed past the industry target dates. There have been a few
instances during Y2K testing in which it is thought that a lock up of
an unremediated DCS system might have caused the unit to trip.
Another type of system reported as being somewhat more problematic
than others are continuous emissions monitoring systems (CEMS).
Problems being detected, however, do not appear to be limiting the
operation of a unit, because they are linked to the data management
rather than the monitoring devices themselves. A spectrum of approaches
exists to deal with emissions monitoring from use of internal expertise
for testing to dependence on vendor support, to replacing systems with
those known to be Y2K compliant.
Of particular interest are the results of integrated tests
involving the entire power station. More than 40 units at more than a
dozen utilities have been tested while operating on-line and producing
power. These tests consist of simultaneously moving as many systems and
components as possible forward or backward to various critical dates.
These tests require an extraordinary level of preparation and
coordination to ensure the safety of all systems and that the impact to
the electric system would be minimal should a unit trip during the
test.
Of all the integrated unit tests reported to date, not one test of
a fully remediated unit has resulted in a Y2K failure that caused the
unit to trip. In some cases, units that were moved forward to a post
January 1, 2000 date have been left to continue running with clocks set
ahead with no negative consequences. Others report setting back the
date at which their units operate. A typical setback is 28 years to
closely align the calendar dates with days of the week and leap years.
One issue moving forward is how much of this integrated generator
testing is appropriate. The answer is not simple because the
preparations to conduct such a test on a unit are extensive and the
results continue to indicate that a unit properly tested at the
component level does not exhibit problems at the overall unit level.
The experience with this type of testing will continue to increase in
the next quarter. More detailed results from these tests should be
shared across the industry to evaluate whether further integrated
testing is appropriate, or if it is simply a challenging exercise with
little incremental value.
Most Y2K testing at power plants is performed using in-house
resources during a scheduled outage. Controllers with embedded chips
sometimes can be tested in place, but are often moved to a special test
laboratory set up at the plant. Tests are often performed using
specially adapted PCs or laptops that can be connected to a device to
run a series of tests. Many companies reporting have adopted a
customized version of the General Motors Year 2000 Testing Template,
the EPRI Y2K Test Procedures, or the British Standards Institute Y2K
Compliance Standard.
Some power producers rely on vendor test results if they are
credibly documented or verified. However, most power producers are
committed to testing all mission-critical components and systems
themselves (DCS systems are the obvious exception as previously
discussed). Power producers also are actively implementing vendor
supplied or recommended upgrades. Some have hired additional
technicians or engineers to assist in the process.
Recommendations
1. Organizations with generating facilities should adjust schedules
and resources to meet the recommended industry milestones. Specific
exceptions should be reported beginning in the first quarter 1999.
2. Organizations with DCS controls on generating units should
collaborate through EPRI or vendor user groups to optimize available
resources and information necessary to test and remediate DCS systems.
3. NERC or EPRI should facilitate an industry assessment of the
benefits and risks of on-line generating unit tests and propose
guidelines for the practice.
3.4 Nuclear Generation
Nuclear facility Y2K programs are closely coordinated within the
overall enterprise-wide Y2K program. However, to take advantage of
substantial work and leadership in this area by NEI, NERC requested
that NEI provide an assessment of Y2K activities in the nuclear sector
for incorporation into this report. The assessment by NEI is provided
here.
Each nuclear facility Y2K readiness program has a broad scope,
including components and systems important to the continued operation
to generate electricity into the Year 2000. Reporting is based on the
full program, not just those items considered mission critical.
Findings
This nuclear Y2K program update is based on November 30, 1998
status reports from all (100 percent) operational nuclear generation
plants. There are 103 operational reactors at 66 facilities. Reporting
is at the facility level.
All nuclear generation facilities have a Y2K readiness program
based on guidance in NEI/NUSMG 97-07, ``Nuclear Utility Year 2000
Readiness.'' All readiness programs have senior management involvement.
The following summary is based on reporting milestones that are
slightly different for the nuclear facilities compared to the other
areas reporting.
------------------------------------------------------------------------
Y2K Program Phase Average Percent Complete
------------------------------------------------------------------------
Inventory (Initial Assessment)................ 99
Detailed Assessment........................... 75
Remediation................................... 31
------------------------------------------------------------------------
Similar to the other areas being assessed in this report,
completion of the detailed assessment, including component testing and
development of remediation strategies, is a good indicator of the Y2K
readiness of nuclear plant facilities. The projected percentage of
plants completing these efforts is indicated in the following chart.
No facility has found a Y2K problem that would have prevented
safety systems from shutting down a plant, if conditions required after
the turn of the century. Thus, Y2K problems in nuclear facilities do
not represent a public health and safety issue.
Twenty facilities have identified specific components for which
remediation is currently scheduled to extend beyond the June 30, 1999,
target date for readiness program completion.
All facilities will develop contingency plans for key rollover
dates. Work on this phase is 13 percent done, with a target completion
date of June 30, 1999.
Analysis
On average, detailed assessments are 75 percent completed, compared
to 40 percent in the previous report. Although the rate of progress is
good, expected completion dates for this phase have slipped for some
facilities. Currently, 50 percent of the facilities estimate completion
of this phase by the end of the year, compared to 84 percent in the
previous report. Although few problems are being found, this delay in
the schedule for completing detailed assessments reduces the time
available to complete required remediation.
Twenty facilities have identified specific components for which
remediation is not scheduled to be completed by June 30, 1999. In
general, this represents one or two items at a plant. The nuclear
readiness program recognizes that some remediation would extend beyond
the target completion date of June 30, 1999. In many cases, a low risk
remediation effort has been scheduled for a fall 1999 outage to avoid
an unnecessary shutdown. In some cases, delays are driven by projected
component delivery schedules or the scope of work involved.
Facilities have recently started work on contingency plans for key
Y2K rollover dates, with most of the planning effort to be conducted
between January and June 1999. NEI conducted a workshop for nuclear
facility Y2K project managers in early December to focus on the work
remaining to be done in 1999. This workshop was part of a continuing
process of sharing information between project managers and reviewing
solutions to problem areas. Topics included:
Current industry status and areas needing attention
Training on the industry's contingency planning guide
Sharing audit program insights
Expectations for readiness program reporting
Sharing remediation insights
The Canadian Electricity Association has assisted by coordinating
with the three entities operating nuclear power producing facilities in
Canada. All of these facilities are similar in design, utilizing Atomic
Energy Canada Limited's CANDU heavy-water reactors. The nuclear
industry in Canada is regulated by the Atomic Energy Control Board
(AECB), which has established a rigorous Y2K program as part of its
licensing activities. The AECB does ``not foresee the need for license
conditions specific to Y2K issues at this time. Safety issues that
could arise from Y2K-related problems can be dealt with at assessment
and are covered by existing license conditions.''
Recommendations
1. Nuclear facility managers need to apply additional attention to
detailed assessments that are scheduled for completion after December
31, 1998. Facilities should review outstanding work to ensure critical
systems are tested first and, where possible, schedules accelerated.
2. Any remediation scheduled to be completed after June 30, 1999
warrants special management attention. In some cases low risk items
will continue to be scheduled for fall outages. For other items,
schedules should be reviewed and accelerated or alternate remediation
strategies considered.
3.5 Energy Management Systems
Of the major control centers reporting in the third quarter 1998,
the following results are reported. Progress has improved since the
previous report and is nearly on target for completion of Remediation
and Testing by May 31, 1999.
As shown in the graph below, the projected schedule for achievement
of Y2K Ready status for EMS/SCADA systems has improved.
------------------------------------------------------------------------
Y2K Program Phase Average Percent Complete
------------------------------------------------------------------------
Inventory..................................... 98
Assessment.................................... 82
Remediation/Testing........................... 48
------------------------------------------------------------------------
As shown in the graph below, the projected schedule for achievement
of Y2K Ready status for EMS/SCADA systems has been improved.
Analysis
Most companies utilize commercial EMS/SCADA products. A few have
ordered new Y2K compliant systems as part of their Y2K remediation
approach. For those, Y2K testing may consist of factory acceptance
tests in the vendor's shop. For these new systems, Y2K issues are
typically resolved prior to delivery and installation.
Some of the entities interviewed report using the EPRI Testing
Guidelines during their EMS/SCADA testing. A few organizations use a
simulator or test bed during EMS/SCADA testing, while others use their
backup or development EMS/SCADA systems as test environments. A few
entities report that they use the Bellcore Y2K Test Procedures or an
ABB-Integrated Test Package for end-to-end testing of SCADA.
Several organizations report having made upgrades to satellite
clocks connected to their EMS computers. These upgrades are required to
correct the well-known 1,024-week rollover bug in Global Positioning
Systems (GPS).
Interviews with Y2K program managers indicate that no major
problems are being encountered during testing and that EMS/SCADA
systems are expected to be at full capability during Y2K. Problems that
have been found are typically limited to historical logs or date
displays.
Testing is a complex process that includes computer hardware,
communications equipment, computer operating systems, data bases,
software applications, display systems, etc. For some components, such
as computer operating systems, the utility is highly dependent on a
vendor. For the most part, however, utilities have the expertise in
house to test and correct for any date problems within the EMS/SCADA.
The two most significant risks associated with EMS/SCADA operation
into the Year 2000 are:
Loss of external data communications (discussed in next
section)
Overload of alarm systems or data buffers if a burst of
activity occurs during critical rollover periods
Recommendations
1. Organizations with control center facilities such as EMS and
SCADA systems should adjust schedules and resources to meet the
recommended milestones.
2. EMS/SCADA systems are vital to reliable electric system
operation and should be rigorously tested. Contingency strategies
should be well defined and practiced, including use of backup
facilities and alternatives such as manual control and voice
communications.
3.6 Telecommunications
Findings
The following are the progress results in the fourth quarter of
1998 for the internally owned and operated telecommunications systems
used to monitor and operate electric supply and delivery systems.
------------------------------------------------------------------------
Y2K Program Phase Average Percent Complete
------------------------------------------------------------------------
Inventory..................................... 94
Assessment.................................... 78
Remediation/Testing........................... 48
------------------------------------------------------------------------
Projections for Y2K Ready status have improved but continue to lag
the target slightly.
Analysis
The electric industry owns and maintains a majority of its voice
and data communications facilities. However, a significant portion of
voice and data communications flow over the facilities of external
service providers. These providers may be local telephone carriers
providing dedicated circuits to carry monitoring and control signals to
power plants and substations. They also may be providers of long
distance services, satellite systems, cellular systems, and wide-area
networks. The electric industry, like many other industries is
dependent on a complex set of integrated communications systems.
Most entities report satisfactory progress in testing their
internal communications systems, as reported above. Like EMS/SCADA and
DCS systems, communications is an area that often requires support from
vendors. Entities report making Year 2000 upgrades on older network
equipment (e.g., routers, hubs, and switches). Often testing procedures
or test results have been made with the assistance of or information
available from equipment vendors.
It is apparent that it will not be practical to perform extensive
integrated testing with external voice and data communications service
providers. Typically these service providers are working hard to
complete their own program but cannot dedicate substantial resources to
joint testing with individual customers, including electric utilities.
Also, these service providers typically cannot provide live circuits
for end-to-end testing with electric systems, leaving most testing for
a laboratory environment.
The large number of entities involved further compounds the
challenge of joint testing with external communications providers.
There are over 3,000 electric organizations in North America, over
1,400 independent telephone companies, and dozens of other major
communications service providers. One large electric utility may use as
many as 40 to 50 telephone companies in several states.
To overcome these challenges, it is necessary to collaborate across
both industries to perform the following:
Share information to test and remediate as smartly as
possible
Conduct joint demonstration tests of integrated electric
system voice and data systems with independent telephone companies and
major service providers
Coordinate inter-industry contingency planning
These activities have become more formalized in recent months to
provide both industries necessary support. NERC is working to develop
one or more joint tests near the end of the first quarter 1999.
Coordinated contingency planning is beginning in January 1999.
Many larger electric entities, and in some cases regions that have
banded together for the purpose of coordinating with communications
providers, have had success in getting necessary support and testing.
Partial loss of voice and data communications remains a high
priority for contingency planning for electrical systems. Backup voice
communications systems that do not have common failure modes with
primary systems are the appropriate strategy for voice communications.
Loss of data communications may require manual operation of some
facilities. These issues are discussed further under contingency
planning in Section 4.
Recommendations
1. Organizations should adjust Y2K schedules and resources to meet
the recommended milestones for voice and data communication systems
essential to electric power production and delivery.
2. NERC should coordinate joint demonstration tests with the
telecommunications industry with the goal of discovering
vulnerabilities and developing mitigation strategies.
3. For communication systems that are deemed essential to power
system operation, contingency plans for alternative communications
should be provided.
3.7 Substation Controls and System Protection
Findings
The progress by phase in the area of Substation Controls and System
Protection is provided below.
------------------------------------------------------------------------
Y2K Program Phase Average Percent Complete
------------------------------------------------------------------------
Inventory..................................... 97
Assessment.................................... 81
Remediation/Testing........................... 53
------------------------------------------------------------------------
Projected completion of Y2K Ready status has improved, similar to
other areas, but is slightly behind target.
Analysis
Most entities report finding no system protection devices that
would cause power interruptions or safety concerns as a result of a
Year 2000 rollover in digital electronics. Some report minor issues
with microchips and relays, which may result in minor cosmetic results
such as two-digit years in logs. Entities report repair of these
devices using vendor supplied chip upgrades. Many electric systems
still utilize electromechanical relays, which are not date sensitive.
Most report known work around procedures for cosmetic problems.
A few entities report using test beds or test labs for testing
substation and system protection devices. Typically these are portable
laptop computers with special customized software. Generally no date
rollover problems are found. Some event recorders may experience date
problems, but most other items are date insensitive. Event recorders
should be fully tested and remediated, as they may provide valuable
information following a disturbance.
Some relays and devices do not recognize a leap year, but this
condition exists in other years as well, is not unique to Y2K, and is
not an operating problem.
Recommendation
1. Organizations with transmission or distribution substations
should adjust schedules and resources to meet the recommended
milestones.
3.8 Distribution Systems
Background
Due to the number (about 3,000) and diversity of distribution
systems in North America, NERC has obtained the assistance of four
electric industry associations (APPA, CEA, EEI and NRECA) to collect
information on the developing state of readiness of electric
distribution systems. Due to the differences among industry segments,
each association took a different approach to collecting assessment
information. This section of the report was developed through the
collaborative efforts of these four organizations.
EEI's approach was to analyze the distribution system data provided
by the NERC assessment reports, because the majority of the investor-
owned electric utilities are directly involved in reporting to NERC in
all assessment categories. This approach also allowed EEI to gather
information on investor-owned utilities that are not part of EEI's
membership.
APPA's approach was to develop a three-tiered survey to assess the
current Y2K status of APPA member and nonmember public power systems.
Over 2,000 surveys were sent out, followed by a phone survey starting
in October 1998. The first tier was a comprehensive three-page survey
sent to the largest 241 systems. The second tier was a two-page survey
sent to the middle 539 systems. The remaining systems, those with less
than 3,000 customer meters, received a simplified one-page survey. To
date, APPA has received responses from systems representing
statistically a virtual 100 percent of the customers served by public
power, and surveys from over 98 percent of all systems. APPA also has
included Y2K readiness information from the Virgin Islands, Guam,
American Samoa, and Puerto Rico.
NRECA's approach started with information from its telephone survey
in August 1998. This information established a baseline set of data on
the amounts and types of equipment at each distribution cooperative.
That data was used to divide rural electric distribution cooperatives
into two groups for the fourth-quarter survey conducted in early
December 1998. About 600 cooperatives that have minimal or no Y2K
sensitive equipment were faxed a four-page abbreviated form. The
remaining approximately 275 cooperatives were faxed an eight-page
survey similar to the NERC form. NRECA non-members were included in the
process. Questions about generation were not posed to rural electric
distribution systems, as they do not control generation assets. The
Generation & Transmission (G&T) cooperatives that do own generation are
reporting through the NERC process.
CEA used a short questionnaire, similar in content to those used by
APPA and NRECA, to gather information from Canadian distribution
entities. There were 71 responses received to date.
Findings
Indicated below, is the fourth quarter 1998 Y2K progress results
for distribution system organizations responding to the NERC survey:
------------------------------------------------------------------------
Average Percent Complete
Y2K Program Phase 4 Qtr 1998
------------------------------------------------------------------------
Inventory..................................... 96
Assessment.................................... 79
Remediation/Testing........................... 56
------------------------------------------------------------------------
Analysis
Distribution system control, communication, monitoring, and data
gathering equipment can be separated into three categories: (1)
electromechanical, (2) analog electronic, and (3) digital electronic.
Electromechanical equipment is the predominant type of equipment in
distribution systems and is not date sensitive because it has no
electronics.
Analog electronic equipment generally monitors voltage, current, or
frequency and has little or no need for a date function. Also, much of
the voice communications equipment used by distribution systems is
analog electronic.
Although EMS and SCADA hardware devices and operating software
depend on date functions, relatively few distribution systems use these
systems. Two thirds of rural electric distribution cooperatives do not
have significant investments in SCADA or EMS equipment. Revenue
metering equipment falls into all three categories.
With few exceptions, digital electronic equipment is the category
in distribution systems that may be susceptible to Year 2000 rollover
problems. There are some recent trends toward automation and
computerization of some distribution devices, including regulators,
reclosers, meters, recorders, relays, capacitor controls, automatic
transfer switches, time-of-use meters, communication with mainframe,
and interfaces to SCADA, where microprocessor and/or digital
electronics are involved. These devices need to be evaluated, assessed,
and tested for Y2K readiness.
With regard to telecommunications systems, like the rest of the
industry, distribution systems rely on the publicly switched telephone
network, as well as private wireless and wired networks for mission
critical power delivery functions. Telecommunications equipment owned
or used by rural electric cooperatives is under scrutiny for Y2K
deficiencies.
Responses to the top two tiers of APPA survey, which together
represent nearly 95 percent of the customers served by public power,
indicate that over 96 percent have Y2K plans. Over a third of these
have hired consultants to assist in their Y2K efforts. Some testing has
been completed by almost 70 percent of these public power systems. Over
65 percent of the small public power systems report that their city
government has the overall responsibility for the Y2K plan.
Responses to the NRECA survey indicate 97 percent of Inventory, 92
percent of Assessment, and 80 percent of Remediation and Testing have
been completed as of early December 1998. Responses indicate 90 percent
of software and 94 percent of hardware systems will be Y2K Ready by
June 30, 1999.
CEA analyzed data received from 76 Canadian utilities. These
results suggest that 61 percent of the Y2K work in the distribution
area had been completed by Canadian electric utility organizations as
of the end of November. The average date for Y2K project completion is
June 1998.
Distribution entities have reported that the assessment of
protective relaying systems have not uncovered any problems that would
prevent these systems from being Y2K Ready. Further testing of specific
systems will be done to confirm these findings. Equipment manufacturers
have indicated that most of the date-related information does not
affect the system protection aspects of the relays. Companies are
testing more than just the calendar function of the devices. They are
also testing normal device operation as devices pass through critical
dates in testing.
Distribution entities are reporting some problems in the metering
and fault recorders area involving software that is not compliant.
Vendors are providing new software versions in each case.
No universal guidance exists to date on the need to test all
microprocessor- based components in distribution systems. At issue is
whether every individual device should be tested. The question is most
difficult in distribution systems, where thousands of a specific type
of device could be found. An alternative would be to apply
statistically valid sampling methods or to rely on the vendor
certification of a particular model of a device. Distribution equipment
in this category includes communications devices, relays, reclosers,
and some metering with digital components.
Further evaluation is needed to assess the benefits of one testing
strategy over another within distribution systems. Pending further
research, it is recommended that if the failure of a digital device
alone could result in customer outages, each individual device should
be tested. Otherwise statistical measures or vendor certification may
be more appropriate.
NRECA and APPA developed Y2K Readiness Guides that were distributed
to all public power systems and rural electric systems in October 1998.
APPA also has undertaken a project to produce a Y2K case study guide of
three municipal electric systems in the U.S. This study guide is
scheduled for completion in February 1999. NERC's Contingency Planning
Guide will also be made widely available to all electric distribution
systems to assist their planning efforts.
Recommendations
1. All distribution organizations should plan to have mission-
critical systems and components Y2K Ready by June 30, 1999. This
includes remediation and testing of components identified to have Y2K
problems and measures to mitigate the possible loss or malfunction of
systems and components that can not be repaired and will not be
replaced.
2. Distribution entities should prepare Y2K plans including special
operating procedures, training, contingency plans, and emergency
response.
3. Pending further research, it is recommended that if the failure
of a digital device alone could result in customer outages, each
individual device should be tested. Otherwise statistical measures or
vendor certification may be more appropriate.
3.9 Business Information Systems
Background
This section on Business System Information Systems is included at
the request of the electric utilities and their associations. Although
business systems do not have instantaneous impact on the power supply
of North America, some of these functions may be necessary for the
sustained operation of each organization. Electricity providers must
have the continuing ability to service customers, order fuel supplies,
pay their work force, and locate equipment in the field.
The readiness assessment of business information systems was done
with the cooperation of APPA, CEA, EEI and NRECA. Electric utilities
vary greatly in size and scope. They may be distribution-only, or
vertically integrated with generation and transmission. Customer counts
range from a few hundred to several million. Thus, no single approach
to assessing Y2K readiness of business information systems is
appropriate. Larger, investor-owned electric utilities, represented by
EEI, all received the Business Systems Assessment form included in the
NERC process. APPA, CEA, and NRECA used the survey processes previously
described in the distribution section.
Findings
The following are the results in the fourth quarter of 1998 for
business systems at electric supply and delivery organizations
responding to the NERC survey:
------------------------------------------------------------------------
Average Percent Complete
Y2K Program Phase 4 Qtr 98
------------------------------------------------------------------------
Inventory..................................... 98
Assessment.................................... 91
Remediation/Testing........................... 58
------------------------------------------------------------------------
Analysis
To date, 170 electricity providers utilities have responded to the
Business Systems portion of the NERC survey, including 78 investor-
owned utilities, 22 generation and transmission cooperatives, and 27
municipal utilities.
As in the third quarter survey, business systems are at a
higherpercentage of completion than the overall average. The readiness
of business systems has improved substantially during the 3-months
since the initial report, with 98 percent of all business systems
inventoried and 91 percent assessed.
However, only 78 percent of electricity providers responding to the
NERC survey have completed inventory of all business systems, and only
15 percent have completed all assessments. Only one electricity
provider reports completion of all remediation and testing for business
systems.
About 95 percent of business systems at reporting utilities are
expected to be Y2K Ready in the second quarter of 1999, with all
systems ready in the third quarter. This is an improvement in the
expected completion date over the September 1998 report, though not yet
in conformance with NERC targets.
Organizations are reporting that systems that share data between
the mainframe and distributed platforms are difficult to test due to
the complexity of the systems and information relationships.
Organizations have indicated that network components are difficult to
test thoroughly, as real-world environments are difficult to replicate.
Others have cited the lack of ``user experts'' as an issue when it
comes to certifying a system as Y2K Ready.
Some entities are taking a second look at their inventory and
assessment as they have obtained additional information concerning
systems that may be at risk. In some cases, entities are waiting on
vendors to supply Y2K fixes to systems or waiting on certification or
testing of outsourced business systems before remediation and testing
phases can be completed.
Recommendation
1. Although business system Y2K readiness is above average and
accelerating among respondents, schedules should be adjusted and
necessary resources added to meet the recommended NERC milestones. In
particular, electricity providers must quickly complete the inventory
and assessment of all business systems to allow sufficient time for
remediation and testing by May 31, 1999.
3.10 General Issues Identified During Assessment Process
Several issues that span the overall Y2K program are addressed in
this section.
1. Customer Support: Each electrical system entity that directly
serves customers should establish an information program focused on
sharing results and recommendations with customers. Establishing a Y2K
web site and literature mailings have proven successful for that
purpose. Some entities have conducted or plan to conduct symposia
targeted toward customers, particularly larger ones. Customers with
very large demands (for example greater than 10 MW) and customers with
critical demands related to public health or safety should review their
own emergency power supply provisions and coordinate as needed with
their electricity provider. It is not practical in most instances for
the electricity provider to conduct joint tests of facilities with
individual customers, but the needs and the power supply provisions of
the most critical customers should be discussed.
2. Vendor Support: Although electrical utilities tend to have
substantial in- house expertise to operate and maintain their systems,
they are dependent on vendors in some areas, as pointed out previously
(i.e., DCS, EMS/SCADA, and telecommunications). Vendor support has been
generally satisfactory with some instances of spotty cooperation. In
some cases, the utility is sufficiently large or can band together with
others to provide leverage to get the necessary support from vendors.
Electric utilities are most likely to apply business incentives to
obtain cooperation rather than to threaten legal actions. Vendor user
groups and collaborative efforts such as that sponsored by EPRI can
have a positive effect on gaining vendor cooperation and consolidating
demands on vendors. In some cases, raising issues to the upper level of
management of the vendors has been successful.
3. Information Sharing: The ``Year 2000 Information and Readiness
Disclosure Act'' has had a positive impact on the flow of information
sharing by electric utilities and their suppliers. Although liability
issues have not been erased, information sharing is much freer in the
past 3 months.
4. Independent Verification: The process NERC and its association
partners use relies on information reported by members of the industry.
There have been extensive followup discussions with Y2K program
managers at reporting entities on issues and concerns raised by the
assessments. The NERC project team is satisfied that the results
reported are open and accurate and, if anything, conservative
statements of progress. Some organizations use an independent review
function within the organization to monitor their Y2K program. Others
have hired an independent firm to verify program performance.
Ultimately, the decision regarding whether independent verification is
necessary should be made by each organization. In future periods, NERC
will request information on whether an independent review is performed
of each organization's Y2K program.
5. Excessive Reporting Burden: Some entities report continuing
requests for excessive information from customers and regulatory
agencies. Every effort should be made by customers and regulatory
agencies to use existing information from the NERC program. Where it is
appropriate to obtain details of an individual program, that
information should be directly requested from the utility. The NERC
report format should be used as much as possible, even for these
individual requests for information.
6. Personnel Resources: Availability of qualified resources,
particularly engineers and technicians, is an issue reported by a
number of programs.
7. Clean Facility Management: Y2K programs should implement
positive controls to assure that once facilities have been declared Y2K
Ready they do not become re-contaminated by incoming supplies or
software modifications.
section 4. contingency planning and preparations
4.1 Goal of Contingency Planning
The NERC Y2K program uses a ``defense-in-depth'' concept. Test
results into the fourth quarter of 1998 continue to indicate that Y2K
failures do not appear to be of the type that would cause properly
remediated electrical facilities to trip out of service. However, the
consequences of wide-spread or extended outages, however improbable,
are so significant that the industry does not plan to stop simply with
testing and repairing equipment. Contingency planning is an important
step in assuring that electric systems are operated in a manner such
that operating problems are handled without resulting in a loss of
customers due to Y2K.
4.2 NERC Y2K Contingency Planning Guide
NERC has developed a guide to Year 2000 contingency planning and
preparations for the electricity supply and delivery systems of North
America. The goal is to mitigate operating risks to achieve reliable
and sustained electric operations during the transition into the Year
2000 and beyond.
This guide is intended to address all aspects of electric power
production, transmission, and distribution in North America. The guide
is available on the NERC Y2K web site at http://www.nerc.com/y2k.
The following steps outline the NERC process for Y2K contingency
planning and preparations. These steps are intended as a general guide.
Regions and operating entities are expected to develop contingency
plans that meet their specific requirements.
Step 1: Identify Y2K Operating Risks
Step 2: Conduct Y2K Scenario Analysis
Step 3: Develop Risk Management Strategies
Step 4: Implement General Preparations
Step 5: Plan Power System Operations during Y2K Periods
Step 6: Implement the Y2K System Operating Plan
4.3 Organization and Responsibilities
The effort of preparing electric systems for operation during
critical Y2K transition periods must be coordinated at several levels.
NERC is coordinating contingency planning and preparations at the
Interconnection and interregional levels. NERC will review the
contingency planning and preparation efforts across all ten Regional
Reliability Councils.
Regional Reliability Councils will coordinate efforts within their
Regions and with neighboring Regions. This includes intra- and
interregional studies and preparations. Regional Reliability Councils
will assure participation of members of the Region.
Organizations that operate generation, transmission, or
distribution systems will participate through the Regions in this
contingency planning and preparations effort. They will coordinate
contingency planning and preparations with their customers.
4.4 Critical Y2K System Operating Dates
Part of the Y2K risk assessment process is to internally review the
risks of Y2K anomalies for various dates. NERC-recommended dates for
consideration are listed below in priority order. It is important to
recognize that critical transition periods may last only for minutes or
hours due to primary causes (i.e., unit trips, loss of primary voice
communications, etc.) or for days or weeks for secondary causes such as
reduced supplies of natural gas, oil, or coal.
Priority 1 Dates
December 31, 1999 to January 1, 2000; Rollover to 2000: Date =
010100
Priority 2 Dates
September 8, 1999 to September 9, 1999; February 28, 2000 to March
1, 2000; Special value: Date = 090999; Rollover in/out of leap year
date
Priority 3 Dates
April 8, 1999 to April 9, 1999; August 21, 1999 to August 22, 1999;
Special value: 99th day of 1999; GPS satellite clocks expire
4.5 Activities Completed During Fourth Quarter 1998
The following activities have been completed in the fourth quarter
1998:
1. All bulk electric operating entities have been requested to
prepare draft contingency plans by December 31, 1998. These plans are
to be submitted to the NERC Region, integrated into a Regional plan and
reviewed for completeness and consistency. NERC will review the
contingency planning process and results at a meeting by the end of
January 1999. A mid-point review of contingency plans conducted by NERC
in November 1998 demonstrated that this task is being taken very
seriously and progress has been substantial.
2. NERC is initiating a series of Interconnection studies to
analyze electric system behavior under anticipated Y2K conditions. A
first step is to gather system snapshots during the current New Year's
Eve period to obtain demand and generation patterns. This data will be
used to build one or more base cases for Y2K studies. Data from
previous New Year's Eves on long weekends indicate that demands are
typically in the 40-50 percent of system peak demand. The data will be
adjusted over a range of possible conditions determined by customer
behavior, weather, and Y2K operating plans. The NERC Engineering
Committee will facilitate a series of power flow and stability studies
to evaluate various operating strategies. Individual Regions and
operating entities will also perform studies with more local detail.
3. Initial planning of the April 9, 1999 industry drill has begun.
A document describing the scope, objectives, and reporting requirements
for this drill will be available by the end of January. This drill will
focus on operating the system with limited voice and data
communications. It requires placing personnel at key operating
facilities and communicating by backup systems.
One Regional entity, PJM Interconnection L.L.C (PJM), completed a
drill on December 15-16, 1998 that included Y2K-related communications.
PJM simulated the loss of voice communication--requiring operators to
provide drill data via point-to-point satellite communications. This
portion of the drill tested the operator's ability to use ``one-way''
communications to supply necessary data (satellite phones, when in the
point-to-point mode, are very similar to walkie-talkies).
This drill simulated the loss of voice and data communications with
another company and requested that the necessary data be supplied to
calculate Area Control Error (i.e., tie line flows and schedules). A
number of data and communication issues were identified (i.e., know
what screens the data is located on, how to report flows ``from bus to
bus'' rather than +/-, frequency of reporting, and threshold delta for
increased reporting frequency).
Additional tests of satellite communications will be planned in PJM
as more local control centers obtain satellite communications. In
addition, tests of power system control data reporting requirements
will be drilled in the future. A satellite communications protocol is
being developed for the purposes of conducting a point-to-point
satellite conference call.
4. In November 1998, the NERC Operating Committee approved the
Contingency Planning Guide and recommended proceeding with the April
and September drills. On January 4, 1999, the NERC Board of Trustees
approved conduct of the April 1999 drill and development of a detailed
plan for the September 1999 drill.
4.6 Y2K Contingency Planning Issues
1. Voice and Data Communications: The provision of voice and data
communications is emerging as the highest priority issue in contingency
planning. Electric power systems have grown over the past 20 years to
be heavily dependent on communications equipment and networks for real-
time control and monitoring. Operation with limited communications is
feasible, by returning to more manual methods of control and monitoring
that were used in the past. Potential mitigation strategies include
provision of backup voice communications independent of primary systems
and preparations to operate in a manual mode using personnel at key
operating facilities.
Contingency planning will also include consideration of information
management during Y2K periods. Information from Asia, Australia, and
Europe that might be considered in operating systems in North America
will be obtained and broadcast to operating entities. A communications
function will be established to rapidly share information and gather
information regarding systems conditions during Y2K periods.
2. Unusual Loading Patterns and Minimum Generation Conditions:
Another priority concern that is emerging from the contingency planning
process stems from the need to have additional generating units on line
as a precaution against Y2K events. With additional generators on line
and the possibility of customer demand being low through the extended
holiday period, utilities must consider what is called a ``minimum
generation'' condition. When there is too much generation on line in
relation to demand, system voltages and frequency can rise. Planning
for the rollover into the Year 2000 must tradeoff the need to have
additional reserves to respond to possible generator contingencies with
the potential for excessive voltages. Customers should be encouraged
during the period not to take unusual steps such as shutting down
facilities that would normally operate through the holiday weekend.
Extremely low demand or an unusual demand pattern can present
additional challenges for operation of the electric system.
3. Restoration Plans: Control areas should review system
restoration plans for Y2K considerations, including the ability to
black start. These plans should be coordinated with neighboring
systems, including plans to reconnect systems. Dependence on external
black start resources should be coordinated to ensure they will be
available under Y2K conditions.
4. Contingency Planning in Distribution Systems: Contingency
planning should be extended to distribution systems. In particular,
distribution systems should prepare plans for restoring customers under
anticipated Y2K conditions. Loss of external power supplies and loss of
distribution facilities should be considered in the contingency
planning process.
5. Emergency Services: Coordination of emergency services and
emergency response to serve the public are not part of the NERC Y2K
program.
Planning for emergency services and emergency response should be
handled through those agencies that would typically provide support,
such as municipal, county, and state emergency response agencies. These
agencies should coordinate emergency response strategies with essential
utility services providers, including electricity, communications,
water, and sewage. Issues to be addressed include movement of utility-
essential employees to key locations, service restoration priorities,
communications, and Y2K scenario response strategies.
6. Market Operations: One goal of preparing for Y2K is to impact
electric market operations as little as is necessary and to allow
market participants to be part of the Y2K operating strategy. It is not
certain at this point if the number of market transactions should be
reduced during the critical rollover periods (they may already be at a
low level due to the holiday). It is clear that market participants
should be part of the solution and should be informed and included in
the contingency planning process. NERC offers an Interim Market
Interface Committee as a good forum to start discussions in early 1999.
Similar coordination should take place at the Region and the individual
system levels.
4.7 Contingency Planning Schedule
Contingency planning efforts are specific to each operating entity
but require coordination at the Regional, interregional, and
Interconnection levels. The NERC Operating Committee, through its
Security Coordinator Subcommittee, will facilitate this process.
The following milestones are applicable to the NERC contingency
planning process:
------------------------------------------------------------------------
------------------------------------------------------------------------
December 31, 1998......................... First draft of Regional and
operating entity
contingency plans available
to NERC/Regions for review
January 25-26, 1999....................... NERC review of draft
contingency plans
January 27, 1999.......................... Inter-industry contingency
planning coordination
meeting
April 8-9, 1999........................... First industry-coordinated
Y2K readiness drill
(communications)
June 30, 1999............................. Second draft of Regional and
operating entity
contingency plans available
to NERC/Regions for review
September 8-9, 1999....................... Second industry-coordinated
Y2K readiness drill
------------------------------------------------------------------------
section 5. nerc y2k coordination plan
This section provides a summary of the Y2K coordination activities
of the electric industry of North America. As described in Appendix C,
the program is being facilitated by NERC, its ten Regional Reliability
Councils, and trade association partners.
More than other industries, the electric power industry of North
America has proven its capability over the past 30 years to meet
operating challenges through close coordination of planning and
operations. The result is the most reliable electric service in the
world.
5.1 Objectives
The goal of the NERC Y2K Coordination Plan is to prepare the
electric systems of North America for reliable and sustained operations
into the Year 2000 and beyond. This goal is achieved through the
following objectives:
1. Assuring mission critical systems are Y2K Ready by June 30, 1999
through coordination of a rigorous program of identification, repair or
replacement, and testing of software, digital components, and
integrated systems. The principal tool for coordinating this effort at
the industry level is the NERC Y2K Readiness Assessment Report.
2. Coordinating the sharing of Y2K technical and project management
information and resources. This sharing occurs through the NERC Y2K web
site, industry conferences, technical committee meetings, a NERC-
sponsored Y2K Coordination Task Force, an EPRI information exchange
program, and other cooperative efforts.
3. Coordinating the assessment of Y2K operational risks and
developing and implementing contingency plans in accordance with the
NERC Contingency Planning Guide.
NERC, its Regional Reliability Councils, and their members are
working together to meet these objectives. The previously mentioned
industry associations, APPA, CEA, EEI, EPRI, EPSA, NEI, and NRECA, are
assisting in these efforts and working actively with their members.
5.2 Defense-in-Depth Strategy
NERC is focused on operational reliability through a ``defense-in-
depth'' strategy. The defense-in-depth strategy assumes that although
one has taken all reasonable and necessary preventive steps, there can
never be 100 percent assurance that major system failures cannot cause
a catastrophic outcome. Instead, multiple defense barriers are
established to reduce the risk of catastrophic results to extremely
small probability levels and to mitigate the severity of any such
events.
Despite the NERC Y2K readiness assessment process and the Herculean
efforts of countless persons across the industry, there is no guarantee
that all Y2K deficiencies will be identified, fixed, and tested in the
remaining time. The cornerstone of the NERC Y2K plan, therefore, is to
coordinate industry actions in implementing the following defense-in-
depth strategy:
1. Identify and fix known Y2K problems. NERC is providing a vehicle
for sharing of information on known Y2K problems and solutions
associated with the operation, control, and protection of power
generation, transmission, and distribution facilities. This information
includes a generic inventory of Y2K susceptible components, testing
guides, and Y2K project management guides.
2. Identify most probable and credible worst-case scenarios. NERC
is facilitating the conduct of Regional and individual system
assessments of risks to determine most probable and credible worst-case
scenarios. Mitigation plans for these scenarios will be developed and
implemented on a Regional and local basis.
3. Plan for the probable--prepare for the worst. NERC will
coordinate efforts to prepare for reliable and sustained operation of
electric systems into the Year 2000 and beyond. Preparations include
development of special operating procedures and conducting training and
system-wide drills.
4. Operate systems in a precautionary posture during critical Y2K
transition periods. NERC will coordinate efforts to assure electric
power systems are operated in a manner commensurate with identified
operating risks. Examples of precautionary measures may include
reducing bulk transfers, ensuring that all available generation and
transmission facilities are in service, and increased staffing at
control centers, critical substations, and generating stations during
rollover periods.
5.3 NERC Y2K Coordination Plan
To accomplish the objectives stated above, a ``Y2K Coordination
Plan for the Electricity Production and Delivery Systems of North
America'' was developed in June 1998 and is continuously maintained.
This plan is divided into the following three phases:
Phase 1 (May-September 1998)--In Phase 1, NERC mobilized
coordination and information-sharing efforts and performed a
preliminary review of Y2K readiness of electric power production and
delivery systems. Phase 1 culminated in an initial report to the NERC
Board of Trustees on September 14, 1998 and to DOE on September 17,
1998.
Phase 2 (September 1998-July 1999)--NERC is assisting the Regional
Reliability Councils and their member operating entities in resolving
the known Y2K technical problems. A process of monthly reporting of
progress using established criteria is continuing. A Contingency
Planning and Preparations Guide is being implemented to identify,
assess, and prepare for most probable and credible worst-case
scenarios. Phase 2 will culminate in July 1999 with a report to the
NERC Board and to DOE on measures being taken to prepare bulk electric
power production and delivery systems for operation during the Y2K
transition. Interim quarterly reports, such as this report, will
continue to be provided.
Phase 3 (July 1999-March 2000)--During this period, NERC will
review the final preparation and implementation of contingency plans
and operating procedures. NERC and its Regional Reliability Councils
will facilitate the conduct of a September 1999 drill and final
arrangements to prepare for critical Y2K periods.
Phase 1 Tasks
Task 1. Establish an Internet web site for sharing of information
on known Y2K problems and solutions. NERC has established a Y2K web
site and will continue to add resources and links to other sites. The
web site includes Y2K resources and an information exchange forum.
(Done and continuing.)
Task 2. Prepare a list of bulk electric system Y2K key entities and
contacts. This list identifies Y2K key personnel in each Region and at
system operating entities. This list is maintained on the NERC Y2K web
site. (Done and continuing.)
Task 3. Establish a NERC Y2K Coordination Task Force. This Task
Force has one representative from each Region who is knowledgeable
about Y2K issues and the activities within the Region. The Task Force
coordinates through frequent teleconferences and meetings to ensure
high levels of information exchange and coordination of efforts. (Done
and continuing.)
Task 4. Coordinate a preliminary assessment of Y2K readiness. NERC,
along with its Regional Reliability Councils and industry partners, has
facilitates reporting of quarterly status of Y2K readiness, as
summarized in this report. This Y2K Readiness Assessment process will
continue through the remaining phases. Report data will be gathered on
a monthly basis and summary progress reports delivered to DOE on a
quarterly basis. (Continuing.)
Phases 2 and 3 Tasks and Schedule
Task 5. Develop Y2K contingency plans. NERC, in coordination with
the Regional Reliability Councils, is facilitating the identification
of most probable and credible worst-case scenarios. These scenarios
will be evaluated from the perspective of probability and consequences
to determine appropriate mitigation strategies. (Initial drafts
completed and currently under review.)
Task 6. Facilitate development and implementation of Y2K
preparedness plans. NERC, in cooperation with the Regional Reliability
Councils, will facilitate the development and implementation of special
procedures and plans for operation during Y2K transition periods. NERC
will develop the generic elements of a preparedness plan for use by
operating entities in developing specific plans. (Under development.)
Task 7. Facilitate conduct of training and drills. Training and
drills will be coordinated by Regional Reliability Councils to ensure
personnel and systems are ready for operations during the Y2K
transition. A drill in April 1999 is focused on communications during
Y2K. A September 8-9, 1999 drill is planned as a rehearsal for the New
Year's rollover. (Under development.)
Task 8. Coordination of plans to configure electric systems in
precautionary posture. NERC and the Regions will coordinate the
preparation of operating plans to mitigate the consequences of any
adverse Y2K problems. Examples may include ensuring that all available
transmission facilities are in service, starting additional generators,
which include older analog controlled units, providing additional staff
at control centers, power stations, and critical substations, and
operating the electric system with reduced electricity transfers. The
critical Y2K operating period is likely to extend several weeks before
and after midnight December 31, 1999. (Under development.)
Task 9. Coordination of system monitoring and rapid response during
Y2K period. NERC, the Regional Councils, and Security Coordinators will
monitor conditions during Y2K-critical periods and be prepared to
implement pre-established contingency plan. This includes development
and implementation of a Y2K communications plan. (Under development.)
______
APPENDIX A
background--year 2000 impacts on electric power systems of north
america
Will the lights go out at midnight, December 31, 1999? Many so-
called experts in the news and on the Internet have predicted that the
electric systems of North America will suffer major power outages as a
result of the ``Y2K bug.'' These outages are forecast to last days,
weeks or even months as electric utilities scramble to fix hard-to-find
problems. Life in North America as we know it will supposedly come to a
grinding halt without electricity and make a slow, painstaking
recovery.
Are these predictions true? One thing we do know--these predictions
are not based on facts or rational analysis of information from the
industry. That is the purpose of this report. This report provides a
comprehensive review of where the electric industry of North America is
in its efforts to identify, fix, and test for the Y2K bug. This report
looks at the nature of the Y2K threat in electrical systems, what is
being done about it, the schedule for completing the work, and how the
industry is preparing to deal with contingencies that may occur.
Will the lights go out? The answer is that no one knows for certain
yet what the effects of Y2K will be. The risks that Y2K may impact
electric system operations are real--much like the risks that
earthquakes or severe weather could cause electrical outages even
before the new millennium arrives. In our favor is a work force of
competent people, dedicated to maintaining reliable electric system
operations, who are working hard to solve the problem.
What is the Y2K Bug?
The Y2K bug results from a programming convention for the
designation of a date as MMDDYY in the United States and DDMMYY in
other parts of the world. This convention has been used extensively
since the earliest days of computer programming and now affects
numerous software programs and electronic devices, including some of
those used in electric power systems. The bug becomes apparent as we
transition from the year 1999 to 2000, when computers and electronic
chips read the year as 00.
The most obvious outcome is that computer programs and electronic
devices could interpret 1/1/2000 as 1/1/1900, causing problems for any
applications that depend on time or dates. Testing has shown that the
Y2K bug is actually much more complex than this simple explanation
because a variety of problems can occur with date interpretation. The
problems are not restricted to a single date change at midnight
December 31, 1999. Date-related anomalies may occur at 1/1/99, 9/9/99,
2/29/00 and up to a dozen other dates. Although there are many known
types of Y2K failures, the three dominant ones are:
Failure to recognize the correct year in transitioning
from 99 to 00.
Expiration of an electronic ``clock'' that was referenced
to measure time as the number of seconds from an initial start date,
such as January 1, 1970, and which will expire on a certain date when
the clock counter buffer is full.
Use of certain values, such as 99, to serve as
placeholders with special meanings for programmers, hence the concerns
for 1/1/99 and 9/9/99.
How did something that is so obviously a major problem today come
to happen? Common wisdom is that programmers in the early days of
computers were thoughtfully saving precious memory space by using two
digits for the year. A more likely explanation is that programmers were
simply carrying forward a common practice in everyday life of depicting
a date as MMDDYY. Because most computer applications (then as well as
today) are not date sensitive, programmers were simply denoting a date
in the same manner it would be written or viewed by a human. If
anything, use of the MMDDYY (or DDMMYY) format saved on the amount of
programming code needed to convert the date to any format other than
the one in which it would be displayed.
Regardless of how we arrived at this dilemma, it is upon us. The
concern now is how to fix the problem and mitigate its consequences--
now. The hands of time will not stop as they tick toward an inevitable
encounter with the Year 2000.
How do Electric Power Systems Work?
overview of electric power systems
The figure above shows that electricity is produced in power
plants. There are many types of power production facilities, but the
most common are fossil-fueled (oil, natural gas, and coal-fired),
hydroelectric (run-of-river or pumped storage), and nuclear plants.
There are also power plants that use renewable resources, such as wind,
geothermal, and solar power.
A commercial power production station may consist of a single unit
producing as little as a few million watts (MW), up to very large
stations of 8-10 large generating units producing a total of 8,000 MW
or more. In 1998 there is about 835,787 MW of electric power production
capability in North America--enough to power 8.36 billion light bulbs
at 100 watts each!
A generating station typically contains a complex set of equipment,
controls, and computers to manage fuel, boilers, water and steam
systems, plant auxiliary equipment, and electrical systems, just to
mention a few. A power station will usually have an adjacent electrical
switchyard to which it feeds its electrical output, and which it uses
for outside power when the plant is off-line. Some generators are
located remote from demand centers, often near a fuel supply or a
cooling water supply. Other generators are close to the demand centers
and are especially useful during heavy demand periods or as a backup
supply.
In the switchyard, the electricity from the power plant is usually
``stepped up'' in voltage for transmission to other parts of the
system. The voltage of the electricity that is generated is increased
to a higher voltage to allow it to flow over a longer distance with a
lower power loss--the higher the voltage, the lower the current flow
for the same amount of power transported. The transmission system
consists of electric substations networked together by connecting power
lines. Each substation contains transformers to raise or lower voltage,
voltage regulating devices, circuit breakers and switches, meters,
control devices, and communications equipment. Most, but not all,
control equipment is in the substation. This equipment includes
controllers to operate devices, and protection systems to open circuits
if there is a fault. Each substation typically has its own backup
battery power supply so that the protection systems, controls, and
communication equipment can continue to operate for several hours, if
there is a power outage.
The bulk electric transmission system is tightly networked so there
are many alternative paths for the power to flow. The transmission
system carries the electricity to load centers where the voltage is
``stepped down'' through transformers for local distribution.
Distribution systems have much of the same types of equipment as
the transmission systems, except that the distribution equipment
operates at lower voltages. As distribution systems get closer to the
ultimate points of use, they typically become more ``radial,'' like the
spokes on a wheel. Power flow into a modest-sized town might have 6-10
power lines. By the time the power is flowing along a typical street,
there is usually only one line providing the power flow at any moment
in time.
Some of these radial distribution lines are sectionalized with
cross ties, so that if part of a line becomes damaged (say by a fallen
tree) many of the customers whose electric service was interrupted can
be reconnected from an alternate source. Large metropolitan load
centers are typically more networked and have numerous power sources.
Distribution systems tend to be more electro- mechanical and have less
digital controls than the bulk electric systems.
Both transmission and distribution systems, have extensive
protection schemes--relaying. Relays detect abnormalities (faults) in
the power system. Each relay is responsible for the protection of a
specific sector of the power system. When a relay has detected a fault
condition, it sends a signal to the appropriate circuit breakers in the
switchyard or substation to open, thus disconnecting the element of the
power system that has the abnormality. Abnormalities can be caused by
such events as a simple kite string contact, a lightning stroke contact
to a circuit, or the failure of a transformer. Some protective devices
are used along distribution feeders to automatically sectionalize the
feeder (isolate sections where an abnormality occurred) or to reclose
on the power source after a fault has been cleared.
At the point of use, the electricity flows through a meter and into
the customer's electrical system. Some large commercial and industrial
customers connect at higher distribution voltages such as 480, 4,160,
or 13,700 volts. However, most residential customers connect to the
electric system at 120/240-volt service.
Many customers that have critical electrical needs provide their
own backup power supplies as a precaution against the loss of offsite
power. Although power supplies in North America are very reliable
compared to other parts of the world, some outages are inevitable due
to storms, fires, accidents, or equipment failures.
Two components of the power system that are not shown in the figure
above but which are very important are the control centers and the data
and voice communications systems. Although the facilities shown in the
figure represent the physical plant to produce and move power, the
control centers and communications facilities serve as the brains and
nervous system.
About 200 control centers in North America manage the bulk electric
system. Of these, 136 operate as ``control areas,'' meaning they
dispatch generation on a moment-by-moment basis to maintain a balance
of power generation and demand. The remaining centers operate
transmission facilities only. In addition, hundreds of additional
control centers are used to monitor and control the local distribution
systems. All control centers typically have a data acquisition
capability to collect real-time status of the electric system,
supervisory control to operate breakers, switches, and voltage control
devices, and other software programs to manage the system. The figure
below shows conceptually the control center operator dispatching
generation and transmission within his or her area to: (a) balance
demand and generation and (b) to ensure flows and voltages stay within
safe limits.
control centers are used to monitor and control power systems
In addition to the control centers, power systems depend on an
intricate network of voice and data communications. Much of the
communications capabilities such as remote terminal units at the
substations, fiber optic lines, local and wide area networks, telephone
and radio systems, and microwave systems are owned and operated by
electric utilities. Other capabilities, such as dedicated leased
telephone lines, satellites, cellular networks, and Internet services
may be provided by external sources.
The bulk electric systems of North America are tightly connected
into three major electrical Interconnections,\1\ sometimes called
``grids.'' All of the generators and electrical demands within each
Interconnection are connected electrically and operate together as a
single large interconnected ``machine.'' The largest of these grids,
the Eastern Interconnection, covers the eastern two-thirds of the U.S.
and eastern Canada. The second largest, the Western Interconnection,
covers the western third of the U.S., western Canada, and the northern
portion of the Baja California Peninsula in Mexico. The third is called
ERCOT (Electric Reliability Council of Texas), which covers most of
Texas. In addition to these three major Interconnections, there are
numerous smaller electrical systems in Alaska, Hawaii, and several
coastal islands off the U.S. and Canada.
---------------------------------------------------------------------------
\1\ Quebec, Canada was previously described as a fourth
Interconnection in North America. Although Quebec still does not
operate synchronously within the Eastern Interconnection, modifications
made to its electrical system including the strength of its HVDC ties
to New England and New York are the basis for recently incorporating
Quebec into the Eastern Interconnection. Quebec operates to the same
reliability standards as other utilities in the Northeast Power
Coordinating Council.
---------------------------------------------------------------------------
Each of the three major Interconnections is a highly connected
electrical network. A major disturbance within an Interconnection can
have an immediate effect throughout the Interconnection. This high
level of interdependence within an Interconnection means that the
strength of the overall system may only be as strong as the weakest
link. It also means that electric systems depend on each other for help
during critical periods. This interdependence implies that an
individualistic approach to the challenges of Y2K may leave gaps in
efforts to prevent adverse effects to operations within an
Interconnection.
The three major interconnections operate without synchronous
connections, but there are DC ties connecting them. Major DC ties allow
Quebec to deliver electricity to New England and New York, connect the
Eastern and Western Interconnections, and connect ERCOT (Texas) to the
Eastern Interconnection.
three major electrical interconnections of north america
As a final note, electricity is the original and ultimate example
of ``just-in-time'' manufacturing. Electricity cannot be stockpiled in
large quantities like other commodities, such as water, gasoline,
clothing, and paper. This real-time production requirement greatly
increases the complexity of producing (generating), transporting
(transmission), and delivery (distribution) of electricity. At the
instant someone turns on a light or their PC, the additional
electricity required must be immediately available from a generating
station that may be hundreds of miles away.
What is the Nature of the Y2K Issue in Electrical Systems?
In most respects the electric industry faces the same Y2K
challenges as every other industry and even small businesses and
individuals. Y2K anomalies could lead to the malfunction of software
programs on mainframe computers, servers, PCs, and communications
systems. Corrupted data could be passed from one application to another
causing erroneous results. In the electric industry, this means
computer programs used for accounting, administration, billing, and
other important functions could experience problems.
Of greater concern, both in the electric industry and elsewhere, is
the pervasiveness of the Y2K bug in embedded chips. Small electronic
chips control devices used throughout our society. Examples include
heating and cooling systems, VCRs, answering machines, facsimile
machines, coffeepots, microwave ovens, and traffic controls.
In the electric industry, these chips are used in communications
and numerous power system device controllers. Electronic chips are
generally mass-produced without knowing the ultimate application of the
chip. A single circuit board can have 20-50 of these chips from various
manufacturers. Because of the diversity of chip suppliers, one vendor
may use a different mix of chips even within devices labeled with the
same name, model number, and year. Many of these chips have built-in
clocks that may experience date change anomalies associated with Y2K.
The difficulty is in identifying all of these devices, determining if
they have a Y2K problem, and repairing or replacing those that do. It
is estimated that less than 1-2 percent of these devices may use a
time/date function in a manner that could result in a Y2K malfunction
of the device.
Mission-Critical Systems Affected by Y2K
It is important to understand how Y2K may affect the components of
the electrical system that are essential to the production,
transmission, and delivery of electricity. Addressing the Y2K bug is a
daunting task, but it becomes more manageable if we focus on mission-
critical systems. There are five areas in which Y2K poses the greatest
risks to a reliable electric supply:
Power production--generating units must be able to operate
through critical Y2K periods without tripping off line. Units that are
scheduled to operate must be able to startup and deliver electricity as
planned. The threat is most severe in power plants with Digital Control
Systems (DCSs). Many older plants operating with analog controls may be
less problematic. Numerous control and protection systems within the
DCS use time-dependent algorithms, which may result in generating unit
trips when encountering a Y2K anomaly. Digital controllers that have
been built into station equipment, protection schemes, and
communications also may pose a risk. Nuclear generation is an important
part of the electric supply mix and is addressed as a separate element
of this report.
Energy management systems--There are about 200 bulk
electric control centers \2\ in North America. From these control
centers, system operators monitor and control the backbone of the
electrical systems and dispatch generation to meet demand. Computer
systems within these control centers use complex algorithms to manage
the operations of transmission facilities and to dispatch generating
units. At any moment in time, a percentage (i.e., 10-20 percent) of
generating units may be on automatic control for the purpose of
following the change in electrical demand and regulating
Interconnection frequency. Many of the control center software
applications contain built-in time clocks used to run various power
system monitoring, dispatch, and control functions. Some energy
management systems are dependent on time signal emissions from Global
Positioning Satellites, which reference the number of weeks and seconds
since 00:00 UTC January 6, 1980.\3\ Beyond the 200 bulk electric
operating centers, there are hundreds of additional control centers
used to manage sub-transmission and distribution systems. These systems
are typically operated using a subset of an energy management system,
called Supervisory Control and Data Acquisition (SCADA).
---------------------------------------------------------------------------
\2\ The number 200 is approximate, depending on the definition of
bulk electric control center. Bulk electric operations centers perform
generation dispatch and control, transmission monitoring and control,
and emergency operations. There are 136 Control Areas.
\3\ UTC is an acronym for an internationally coordinated time scale
that forms the basis for disseminating standard frequencies and time
signals.
---------------------------------------------------------------------------
Telecommunications--Electric power systems are highly
dependent on microwave, telephone, VHF radio, and satellite
communications. If the control centers are the ``brains'' of the
electrical grids, communications systems are the ``nervous system.''
Telecommunications is the single most important area in which the
electric systems depend on another industry. Many of the telephone,
microwave, and network services used for communications in the electric
industry are provided by telephone companies and other communications
and network service providers. The dependency of electric supply and
delivery systems on external service providers is a crucial factor in
successful performance during Y2K transition periods.
Substation controls and system protection--Throughout
electric transmission and distribution systems there are substations
that contain control equipment such as circuit breakers, disconnect
switches, and transformers. Remote terminal units (RTUs) in substations
serve as the communications hubs for the substations, allowing them to
communicate with the control centers. Substations also contain most of
the transmission and distribution system protection relays, which serve
to operate circuit breakers to quickly isolate equipment should an
electrical fault occur on a line, transformer, or other piece of
equipment. Many devices and relays in a substation are
electromechanical (not digitally controlled), but a portion of these
devices may be digital.
Distribution systems--Distribution systems deliver
electricity from the transmission network to customers. Because there
is a lot of commonality in the types of substation equipment in
distribution compared to transmission, for the purpose of this report,
transmission and distribution substations are aggregated as one area.
Distribution systems have additional equipment outside substations (for
example along a distribution feeder) that may have electronic controls.
Examples include reclosers (relays that open and close a feeder in
rapid succession to allow a fault to clear), capacitors, voltage
regulators, and special monitoring devices.
Although the five areas outlined above focus directly on the
production and delivery of electricity, other support systems are
essential to sustained operations of the electricity service provider.
These systems have been grouped under the heading ``Business
Information Systems'' in this report. They may include customer service
call centers, supply and inventory systems, accounting systems, and
others.
______
APPENDIX B
Letter from the Department of Energy Asking NERC to Coordinate the
Electric Industry's Y2K Readiness Program
The Secretary of Energy,
Washington, DC, May 1, 1998.
Mr. Erle Nye,
Chairman of the Board,
North American Electric Reliability Council,
Dallas, TX.
Dear Erle: We are writing to seek the North American Electric
Reliability Council's (NERC's) assistance in assessing whether the
Nation's electricity sector is adequately prepared to address the
upcoming Year 2000 computer problem.
The Administration is undertaking a coordinated effort to assess
various sectors' readiness to address the issue. The Department of
Energy (DOE) is taking the lead in working with the electricity
industry to facilitate actions necessary for a smooth transition
through this critical period. To this end, we are requesting that NERC
undertake the coordination of an industry process to assure a smooth
transition.
The electric system is such a highly interdependent network, and so
vital to the security and well-being of the Nation, that there is very
little margin for error or miscalculation. The Department realizes that
activities designed to address this issue are already underway in many
electric utilities, the Electric Power Research Institute (EPRI), and
in other Federal agencies. We are concerned, however, that these
activities may not be fully coordinated, or worse, may be incomplete.
The Nation needs to know that a systematic process is in place to
ensure that the electric supply system will not experience serious
disruption.
This is truly a reliability issue, and NERC has demonstrated over
the last 30 years that it is capable of coordinating the activities of
electric market participants to resolve such issues. NERC is the most
appropriate body to organize this process and report periodically on
its status. We are confident that NERC will be able to mobilize the
necessary cooperation from the Regional Reliability Councils, their
members' utilities, and other industry organizations, to develop and
implement a process that is both efficient and effective. We are asking
that you provide us with written assurances by July 1, 1999, that
critical systems within the Nation's electric infrastructure have been
tested, and that such systems will be ready to operate into the Year
2000. The DOE is prepared to work with NERC to help overcome any
obstacles that you might encounter in carrying out this effort.
Finally, we wish to work with you to provide a suitable public forum in
the late summer or early fall of this year at which NERC and others
could report on the industry's assessment of this issue and outline its
plans to address this challenge.
Public events on this subject are important and valuable for two
reasons. First, they will convey to the public and public officials
that the industry is indeed preparing systematically for the
transition. Second, they will confirm to the industry that Government
agencies and the public are depending on them to ensure that the
transition goes smoothly.
We are looking forward to further discussions with you on this
important issue.
Sincerely,
Federico Pena,
Secretary,
Elizabeth A. Moler,
Deputy Secretary.
______
APPENDIX C
who's in charge of the electric industry's y2k program?
In an industry that has about 3,200 organizations in North America
that could be considered part of the electricity supply and delivery
chain, that's a tough question. Ultimately, every individual electric
service organization is accountable to its own stakeholders for its
performance in meeting the challenges of Y2K. Those stakeholders may
include customers; Federal, state, provincial, and local government
agencies; shareholders of an investor-owned utility; or members of an
electric cooperative. In other words, every electric service provider
is ultimately accountable to its stakeholders for resolving Y2K
challenges.
Regulatory oversight on the Y2K issue is a very complicated matter.
In the United States, the Department of Energy has authority to act in
matters that concern maintaining a secure supply of electricity to the
nation. In Canada, many of the powers for regulating electric utilities
lie in the provincial governments, although the Canadian Federal
Government also has regulatory powers. In both countries, local
governments have jurisdiction, often over retail matters, siting of
facilities, and other issues. Finally, a portion of the Western
Interconnection is in Mexico. In short, considering the electric
Interconnections of North America span three countries and countless
state, provincial, and local jurisdictions, defining legal authorities
for resolution of Y2K problems is an extremely complex issue.
This complexity is one of the reasons the Department of Energy in
early May 1998 turned to the North American Electric Reliability
Council (NERC) to coordinate Y2K preparations in the electric industry
(see the letter from DOE in Appendix B). NERC is a voluntary not-for-
profit industry organization made up of ten Regional Reliability
Councils. NERC and its ten Regional Reliability Councils account for
nearly every bulk electric supply and delivery organization in the
Interconnections of North America, spanning the United States, Canada,
and Northern Baja California, Mexico.
NERC and its Regional Reliability Councils set operating and
engineering standards for the reliability of electric systems in North
America. The implementation of these standards has resulted in a
quality of electric service unequalled in the world. Representation in
NERC and its Regions includes all segments of the electric industry:
investor-owned, Federal agency, rural electric cooperative, state/
municipal, and provincially owned utilities, independent power
producers, and power marketers.
NERC and the Regions rely on the voluntary efforts of technical
experts from the industry who serve on various engineering and
operating committees. Through this collective effort, the industry is
able to set standards for reliability, monitor compliance with the
standards, assess the future reliability of bulk electric systems, and
review past incidents for lessons learned. In short, NERC and its ten
Regional Reliability Councils offer the best opportunity for the
industry to coordinate a collective effort to address the challenges of
Y2K. More information regarding NERC and its ten Regional Reliability
Councils may be obtained from the NERC web site at
http://www.nerc.com.
In asking NERC to facilitate the electric industry's Y2K efforts,
DOE requested an initial status report and coordination plan by
September 1998. A second report reviewing the readiness of electric
systems for the transition to the Year 2000 and contingency plans was
requested by July 1999. Because of the critical nature of the Y2K and
the need to provide timely information to all interested parties, NERC
is additionally providing written quarterly reports to DOE and the
public until the Year 2000. These reports will be posted on NERC's Y2K
web site at http://www.nerc.com/y2k, along with the monthly summaries
of Y2K readiness assessment surveys.
Although the letter from DOE was a catalyst for a heightened level
of coordination, NERC and its Regional Reliability Councils recognize
that there are many jurisdictions involved. NERC and the Regions have
proven experience addressing international issues related to electric
system reliability in the United States, Canada, and Mexico.
NERC's membership is broad-based and focused on electric system
reliability, making NERC a good choice to lead a coordinated effort to
resolve Y2K issues. However, NERC has historically been focused on
reliability of bulk electric systems. The inclusion of distribution
systems significantly raises the coordination requirements from about
200 entities operating bulk electric systems to nearly 3,200 total
organizations. Additionally, it was recognized that some business
systems are essential to sustained electric operations and should be
included in this report.
To address these issues, NERC has requested and received full
cooperation from several industry trade associations with close ties to
various sectors of the industry. These organizations are:
American Public Power Association--APPA's membership includes many
state, county, and municipal electricity service providers. APPA is
coordinating information sharing and surveys of its members, as well as
smaller nonmember public power utilities. APPA is assisting NERC in the
industry-wide readiness review of electric distribution systems.
Canadian Electricity Association--CEA is assisting NERC by
coordinating efforts in Canada, particularly to address the readiness
of electric distribution systems and Canadian nuclear facilities. CEA
also is serving as an interface to Canadian government agencies.
Edison Electric Institute--EEI, representing investor-owned
utilities, has established a program to address Y2K technical,
regulatory, and liability issues.
EEI is supporting the industry's Y2K coordination efforts by
facilitating Y2K manager forums, addressing legal issues, and reviewing
the readiness of utility business information systems. EEI also is
assisting in the readiness review of electric distribution systems.
Electric Power Research Institute--The EPRI Y2K embedded systems
program focuses on the technical and project management issues relating
to achieving Y2K readiness. While the program deals mainly with the
electric power industry, the program includes efforts in the areas of
natural gas pipelines and telecommunications.
Electric Power Supply Association--EPSA is providing coordination
among its members, which include independent power producers and other
power generating entities.
National Rural Electric Cooperative Association--NRECA is
coordinating Y2K readiness assessments and information sharing among
its membership, which includes about 900 rural electric systems,
including generation and transmission cooperatives and power
distribution cooperatives. NRECA is working closely with APPA and EEI
to provide NERC an assessment of the Y2K readiness of distribution
systems in the United States.
Nuclear Energy Institute--NEI is coordinating the assessment of Y2K
readiness of U.S. nuclear facilities and is providing that information
as part of this report. NERC is relying on NEI's program to facilitate
efforts in the nuclear sector, due to the specialized needs in this
area.