<DOC> [106 Senate Hearings] [From the U.S. Government Printing Office via GPO Access] [DOCID: f:55952.wais] S. Hrg. 106-44 NUCLEAR AND CHEMICAL SAFETY: Y2K ISSUES ======================================================================= HEARING BEFORE THE SUBCOMMITTEE ON CLEAN AIR, WETLANDS, PRIVATE PROPERTY AND NUCLEAR SAFETY OF THE COMMITTEE ON ENVIRONMENT AND PUBLIC WORKS UNITED STATES SENATE ONE HUNDRED SIXTH CONGRESS FIRST SESSION __________ FEBRUARY 24, 1999 __________ Printed for the use of the Committee on Environment and Public Works ----------- U.S. GOVERNMENT PRINTING OFFICE 55-952 cc WASHINGTON : 1999 _______________________________________________________________________ For sale by the U.S. Government Printing Office Superintendent of Documents, Congressional Sales Office, Washington DC 20402 COMMITTEE ON ENVIRONMENT AND PUBLIC WORKS ONE HUNDRED SIXTH CONGRESS JOHN H. CHAFEE, Rhode Island, Chairman JOHN W. WARNER, Virginia MAX BAUCUS, Montana ROBERT SMITH, New Hampshire DANIEL PATRICK MOYNIHAN, New York JAMES M. INHOFE, Oklahoma FRANK R. LAUTENBERG, New Jersey CRAIG THOMAS, Wyoming HARRY REID, Nevada CHRISTOPHER S. BOND, Missouri BOB GRAHAM, Florida GEORGE V. VOINOVICH, Ohio JOSEPH I. LIEBERMAN, Connecticut MICHAEL D. CRAPO, Idaho BARBARA BOXER, California ROBERT F. BENNETT, Utah RON WYDEN, Oregon KAY BAILEY HUTCHISON, Texas Jimmie Powell, Staff Director J. Thomas Sliter, Minority Staff Director ------ Subcommittee on Clean Air, Wetlands, Private Property, and Nuclear Safety JAMES M. INHOFE, North Carolina, Chairman GEORGE V. VOINOVICH, Ohio BOB GRAHAM, Florida ROBERT E. BENNETT, Utah JOSEPH I. LIEBERMAN, Connecticut KAY BAILEY HUTCHISON, Texas BARBARA BOXER, California (ii) C O N T E N T S ---------- Page FEBRUARY 24, 1999 OPENING STATEMENTS Inhofe, Hon. James M., U.S. Senator from the State of Oklahoma... 1 WITNESSES Poje, Gerald, Board Member, U.S. Chemical Safety and Hazard Investigation Board............................................ 2 Prepared statement........................................... 18 Swanson, David, Senior Vice President, Ciritical Issues, Edison Electric Institute............................................. 6 Prepared statement........................................... 47 Travers, William D., Executive Director for Operations, Nuclear Regulatory Commission.......................................... 5 Prepared statement........................................... 43 ADDITIONAL MATERIALS Report, Preparing the Electrical Power Systems of North America for Transition to the Year 2000, prepared for the Department of Energy by the North American Electric Reliability Council...... 51 (iii) NUCLEAR AND CHEMICAL SAFETY: Y2K ISSUES ---------- WEDNESDAY, FEBRUARY 24, 1999 U.S. Senate, Committee on Environment and Public Works, Subcommittee on Clean Air, Wetlands, Private Property and Nuclear Safety, Washington, DC. The subcommittee met, pursuant to notice, at 2:20 p.m. in room 216, Hart Senate Building, Hon. James M. Inhofe (chairman of the subcommittee) presiding. Present: Senator Inhofe. OPENING STATEMENT OF HON. JAMES M. INHOFE, U.S. SENATOR FROM THE STATE OF OKLAHOMA Senator Inhofe. The hearing will come to order. I was commenting to our guests here today that this morning when we had our Y2K (Year 2000) compliance hearing before the committee that I chair in the Senate Armed Services Committee, the Readiness Committee, we filled the room and had standing room only. That's certainly not a reflection on the witnesses, let me assure you. It's very difficult in the afternoon to get members here because, as you know, we are on the floor right now, but it is very, very significant that we have this hearing. It does affect some of the entities within the jurisdiction of the Subcommittee on Clean Air, Property Rights, Wetlands and Nuclear Safety. I think it's very important to take all three perspectives into account. The power disruptions from nuclear and electrical power plants can cause problems for facilities that store and use toxic chemicals. The Y2K bug potential power outages can cause computer systems failures for any program controlled by a PC such as fire alarms, thermostats, security systems, door locks and heating and air conditioning systems just to name a few. We are concerned and this morning it seemed as if the reaction to the trauma that would be inflicted by this potentially, at least in this morning's hearing, was all the way from nothing to being completely wiped out. So we'll try to find out where we are in these specific areas. I would like to hear from the witnesses today on three specific areas. No. 1, are the facilities on track for responding to the Y2K issue. No. 2, are the Federal agencies taking the necessary precautions to safeguard the safety. No. 3, what remains to be done. And, to also kind of get an idea of where we are on schedule. It's an honor to have such a distinguished panel which consists of: Gerald Poje, board member with the U.S. Chemical Safety and Hazard Investigation Board in Washington; William D. Travers, executive director for Operations of the NRC; and Mr. David Swanson, senior vice president, Critical Issues, Edison Electric Institute. Mr. Poje. STATEMENT OF GERALD POJE, BOARD MEMBER, U.S. CHEMICAL SAFETY AND HAZARD INVESTIGATION BOARD Mr. Poje. Thank you, Mr. Chairman. I'm Gerald Poje, one of the four members of the U.S. Chemical Safety and Hazard Investigation Board. We've all been nominated by the President and confirmed by the U.S. Senate. My special emphasis is toxicology and policies dealing with chemical hazards. I oversee the Board's efforts in reducing risk of accidents associated with the Year 2000 computer problems. Today, I appear before you at the behest of our chairman, Paul L. Hill, Jr., to whom you addressed your request for testimony from our agency. Dr. Hill and I thank you for inviting the Board to testify regarding this critical issue. The Chemical Safety Board is an independent Federal agency with the mission of ensuring the safety of workers and the public by preventing or minimizing the effects of industrial and commercial chemical incidents. The CSB is a scientific investigatory organization with the responsibility for finding ways to prevent or minimize the effects of chemical accidents at commercial and industrial facilities and in transport. The CSB is not an enforcement or regulatory body. The problem before this committee today is urgent and significant. According to the Environmental Protection Agency, 85 million Americans live, work and play within a 5-mile radius of 66,000 facilities handling regulated amounts of high hazard chemicals. Yet even this estimate may underestimate the full risk to the U.S. population. In November, Senators Bennett and Dodd of the U.S. Senate Special Committee on the Year 2000 Technology Problem asked the Chemical Safety Board to investigate the issues of chemical safety and the Year 2000 computer technology problem. The Senate Special Committee requested evaluation of the extent of this problem as it pertains to the automation systems and embedded systems that monitor and control the manufacture of toxic and hazardous chemicals or safety systems that protect processes, the awareness of large, medium and small companies within the industry of the Year 2000 threat and their progress to date in addressing the Year 2000 problem; the impact of the Year 2000 technology problem on EPA's risk management plans required in June 1999; and the role Federal agencies are playing in preventing disasters due to the Year 2000 problem. On December 18, 1998, our Board convened an expert workshop on Y2K and chemical safety involving leaders from industries, equipment vendors, insurance companies, regulatory agencies, resource agencies, universities, labor organizations, environmental organizations, trade organizations, professional engineering associations and health and safety organizations. The Board found that the Year 2000 problem is significant and unprecedented as a problem in the chemical manufacturing and handling sector. It poses unique risks to business continuity and worker and public health and safety. Four points should be drawn from our meetings and research to date. First, large enterprises with sufficient awareness, leadership, planning, financial and human resources are unlikely to experience catastrophic failures and business continuity problems unless their current progress is interrupted or there are massive failures of utilities and other sectors. Second, the overall situation with small- and mid-sized enterprises is indeterminate but efforts on the Y2K problem appear to be less than appropriate based on input from many experts. Third, while the impact of the risk management plan should be positive, there are no special emphases or even specific mention of Year 2000 technology hazards in either USEPA or Occupational Safety and Health Administration regulations regarding process safety. Fourth, Federal agencies are aware of and involved in Year 2000 technology and chemical safety issues. However, significant gaps exist and there do not appear to be specific plans to address these gaps. It is important to point out that the Y2K compliance activities reported to the Chemical Safety Board to date have not found a single failure either of embedded microchips or software which by itself could cause catastrophic chemical accidents. However, it is unclear what the outcome might be from multiple failures, that is, multiple control system failures, multiple utility failures, or a combination of utility and control system failures. Surveillance of the industry sector that handles high hazard chemicals is insufficient to draw detailed conclusions regarding Y2K compliance efforts, especially for small- and mid-sized enterprises. Given the time constraints altering the situation requires a massive effort. The Board has concluded that this effort should focus on first, providing easy to use tools; second, promoting accessible resources; and third, providing attractive incentives for Y2K compliance efforts. Additional efforts should be the focus of an urgent meeting of agencies convened by the Administration. Special expert workshop attendees reached consensus on the importance of four issues related to the Y2K problem and chemical safety: small- and medium-sized enterprises risks and needs; risk management programs and their applicability to the Y2K problem; utility continuity issues; and finally, a responsive communication among the stakeholders. For small- and medium-sized enterprises, failure from Y2K noncompliance is more likely for three reasons: a general lack of awareness regarding process safety and a particular lack of awareness of the Y2K impact; a lack of financial resources; and lack of technical know-how for fixing the problems. Given the time constraints, altering this situation will require an accelerated action. Under risk management, there is a general consensus that facilities doing an effective job in managing their risks should not see any major health and safety problems associated with internal Y2K issues as long as they have a serious Y2K management program. Risk management generally consists of a variety of programs and activities to assess and manage risks. To be fully effective, these programs must be implemented with the complete involvement of the management, labor, and local responders. Risk management also includes the utilization of best practices, equipment procedures, auditing, testing and certification, adherence to industrial and professional society standards, and compliance with applicable regulations such as the OSHA process safety management rule and the EPA risk management program. The chemical processing industry has practiced these risk management principles for a long time. However, the Y2K issue will test the existing system of safety and failure will likely engender review of policy issues as well as review of industrial programs and practices. Under utility continuity, a major threat to facilities could be from external failure such as electrical, natural gas, water and wastewater utilities failures. Concerned about the reliability of electric power supply, many members of the chemical processing industry are seeking ways to assess the vulnerability of their specific utility. For managers of some facilities that draw high power loads, prudent safety practice may determine that the plant be shut down during critical time periods and restart at a later date. However, such decisions should not be made without communicating these planned actions with their utilities in order to prevent problems on the power grid. Responsive communication and trust between stakeholders is of tremendous importance in resolving the Y2K-related problems. Stakeholders in the context of the chemical safety arena include corporate and facility managers, operators, other workers, vendors, equipment manufacturers, unions, trade associations, regulators, nonregulatory agencies, emergency responders, insurance companies, community organizations and environmental organizations. While logistics and timing problems may prevent a regulatory approach for assuring Y2K compliance, voluntarily communicating accurate and relevant information to the public on the status of Y2K compliance is essential to avoid chaos and panic and allay public fears and promote more rational behavior. Contingency planning risk management and decisions concerning shutdown must also involve communication amongst these stakeholders. Knowledge is key to responsive communications and therefore, Y2K contingency planning and responsive communications should be enhanced through training and education efforts in the public and private sector developed to address the challenges of Y2K-related incidents and scenarios. In summary, the Year 2000 technology problem is a significant problem in the chemical manufacturing sector and handling sector. It poses unique risks to business continuity and worker and public health and safety. Large enterprises with sufficient awareness, leadership planning, financial and human resources are unlikely to experience catastrophic failures and business continuity problems unless their current progress is interrupted or there are massive failures of utilities. The overall situation with small- and mid-sized enterprises is indeterminant but efforts on the Y2K problem appear to be less than appropriate based on inputs from many people to the Safety Board. I'd be happy to answer your questions at an appropriate time. Senator Inhofe. Thank you, Mr. Poje. Mr. Travers. STATEMENT OF WILLIAM D. TRAVERS, EXECUTIVE DIRECTOR FOR OPERATIONS, NUCLEAR REGULATORY COMMISSION Mr. Travers. Thank you, Mr. Chairman. I am pleased to be here today on behalf of the Nuclear Regulatory Commission to discuss the status of our response to the potential Year 2000 computer problem, particularly as it relates to nuclear power plants. NRC's Y2K nuclear activities can be divided into three basic areas: our actions internal to the NRC; our interactions with our licensees in the nuclear power industry and our broader interactions; both nationally and internationally. Relative to our internal efforts, I'm pleased to tell you that as of February 5, 1999, all 88 of NRC's mission critical, business essential and non-critical systems have been examined and, as needed, fixed. The most recent report from Congressman Horn on government agency Y2K progress gave NRC's efforts an overall ``A'' grade. Relative to our interactions externally, the NRC has been working with nuclear industry organizations and our licensees since 1996 to address the Y2K problem. In 1997, the Nuclear Energy Institute, NEI, agreed to take the lead in developing industrywide guidance for addressing the Y2K problem at nuclear power reactors. In 1998, the NRC accepted the NEI guidance as an appropriate program for nuclear power plant Y2K readiness. Thus far, all of our licensees have notified NRC that they have adopted plant-specific programs which meet this guidance and that they are working to be Y2K ready by July 1, 1999. Any nuclear plant which is not Y2K ready by July 1, 1999 must provide a schedule for remaining work and the NRC will assess these responses by September 30, 1999 to determine if any further plant-specific regulatory actions are needed. In order to provide for an appropriate level of independent NRC oversight, the NRC staff has conducted 12 planned audits at nuclear power plants of their Y2K readiness programs. The audits included a variety of types of plants of different ages, vendor design and locations. The results of these audits, which have been documented in NRC-issued audit reports, indicate that nuclear power plants are effectively addressing Y2K readiness issues. To date, the NRC staff has not identified any Y2K problems that impact the safety function of nuclear plant equipment. The majority of commercial nuclear power plants have protection systems that are analog rather than digital or computer-based and thus are not impacted by the Y2K problem. Most Y2K problems that have been identified are associated with nonsafety support systems. In addition to the 12 audits, NRC resident inspectors who are assigned to all power reactor sites will carry out reviews of licensee Y2K readiness activities. In order to address the possibility of unanticipated Y2K problems, the NRC and the nuclear industry have determined that contingency plans should be developed. NEI has issued additional guidance for contingency planning which is being incorporated into the Y2K readiness programs by all US nuclear power reactors. The NRC will conduct six reviews of licensee contingency plans which will be completed by June 1999. Additionally, resident inspectors at all power reactor sites will carry out reviews of utility contingency plans. Although the primary focus of NRC Y2K activities has been nuclear safety, we recognize the national importance of a broader focus that helps to ensure that potential concerns with electrical grid reliability are identified and resolved. To this end, the NRC supports the efforts of the President's Council on Y2K Conversion and in fact, is a member of the Energy Electric Power Sector Working Group. The NRC is also developing its own Y2K contingency plan to enable us to respond rapidly to unanticipated Y2K events. The draft NRC Y2K contingency plan is being coordinated with the U.S. nuclear power industry, other Federal agencies, including FEMA, State governments, and international regulatory organizations. In early October, the NRC plans to conduct a Y2K exercise which is intended to assure that all aspects of our Y2K contingency plan are in place and effective. Regulators from Taiwan, Japan, Finland, Sweden and the United Kingdom have all expressed an interest in participating in this exercise. The NRC is also actively involved in promoting awareness of Y2K readiness issues internationally. For example, in preparation for the 42d IAEA general conference in Vienna in September, the NRC took the lead in drafting a resolution on Y2K readiness. That resolution urged, among other things, that member States submit information to the IAEA on their Y2K activities and that the IAEA act as a central coordination point for information sharing. In summary, the NRC has been proactive in addressing the Y2K problems internal to the NRC and with our licensees. Additionally, we continue to work both nationally and internationally to promote awareness and to provide assistance. To date, we have determined that the nuclear power industry has been effectively addressing the Y2K problem. Further, we believe that we have established an appropriate regulatory framework that is focused on assuring that the Y2K problem will not have an adverse impact on nuclear power plant safety. We look forward to working with the subcommittee and certainly welcome any questions you may have. Thank you, Mr. Chairman. Senator Inhofe. Thank you, Mr. Travers. Mr. Swanson. STATEMENT OF DAVID SWANSON, SENIOR VICE PRESIDENT, CRITICAL ISSUES, EDISON ELECTRIC INSTITUTE Mr. Swanson. Thank you very much, Mr. Chairman, for the opportunity to appear before the subcommittee today. The subject that you are addressing is important and we in the electric utility industry appreciate the interest of you and your colleagues. Let me begin by emphasizing the conclusion that we have reached as a result of the Y2K readiness assessment work the industry is undertaking. The electric utility industry is cautiously optimistic that Y2K will not present us or the American people with an electric supply problem during the Y2K transition. Why do we say this and what does it mean and how can we be sure that our cautious optimism is warranted? Since early 1998, utilities began to inventory and test their operating systems for Y2K failures. In June, they joined together in an industrywide effort to jointly demonstrate the results and thoroughness of their individual efforts. The Department of Energy provided the impetus for this decision and it has been a great pleasure working with them and the President's Council as this work has gone forward. Last spring, the North American Electric Reliability Council was requested by DOE to assess electric utility Y2K readiness and ensure that electric systems would operate reliably into 2000. EEI, the American Public Power Association, the North Rural Electric Cooperative Association, the Canadian Electric Association and the Utility Telecommunications Council have all provided major resources in support of this effort. As a result of this unprecedented level of cooperation and dedication, virtually 100 percent of all electric operating entities are now participating in this assessment. Companies, depending on size and configuration, are spending up to $100 million, in some cases more, on this effort; 88 percent have officers directing their Y2K efforts and 84 percent report to their boards of directors on the status of their Y2K efforts. As of today, nearly 60 percent of mission critical operating equipment has been tested and found ready now for operating over the Year 2000 transition. Problems have been far fewer in number than expected and most only affect minor matters. We have not found in any of the systems we have tested systemic problems which could, when fixed, lead to serious or widespread problems. We are on a schedule to have tested by June 30, 1999 more than enough equipment to supply the load we expect on January 1, 2000. Additional units or equipment that have not been tested by June 30, 1999 will be on a specific exceptions list made public with specified completion dates. Overall, we believe we will have our systems ready with more than adequate reserves for the transition. In addition, we are scheduling two special days in April and September for testing our contingency plans. The first on the rollover to the 99th day of 1999, April 8-9, we will be focusing on our backup communications capabilities and our ability to obtain information from and execute controls at remote substations. This will be a test where we do not alter operations of the systems, but we will be testing our ability to have and use backup communications equipment. The second is a near dress rehearsal for New Year's Eve. This will occur on September 8-9, 1999, the 9-9-99 date. We are in the planning stage for this event now and will be announcing our more detailed plan soon. Critical infrastructures such as telecommunications and natural gas are being factored into our planning. The coordination with State and local emergency service providers is also being considered as we complete planning for this event. In addition, the industry has several testing programs underway or in planning with the telecommunications industry. The work that has been done and will continue to be done by this industry has been fully cooperative and completely open. We think this is the best Y2K readiness program in the energy world. Another challenge this year is to meet and communicate with our customers, stay close to our regulators and to work with State and Federal legislative and administrative bodies to provide the American people with information they can use to make wise decisions on how they should prepare for this rollover into the next millennium. Chemical manufacturers and other large industrial customers with special needs should communicate with and work closely with their local utilities and we with them to make sure both parties know each others plans and needs so that things go as smoothly as possible. Finally, Mr. Chairman, congressional hearings like this one today help foster this open dialogue. They are an important part of the overall coordination effort. Thank you once again for the opportunity to appear here today and we will be happy to respond to any questions you may have. Senator Inhofe. Thank you, Mr. Swanson. This has been much more positive than it was this morning and we're all pretty optimistic right now. Mr. Poje, you mentioned that the smaller and medium-sized companies are the ones that probably have the greatest risk for Y2K problems and that OSHA and EPA really haven't made any special emphasis on these companies. I'm the last one to advocate more regulation but do you think they are doing enough? Mr. Poje. I'd like to give you an example, Senator. Just this past Friday, the Chemical Safety Board had to respond to an incident that occurred in Allentown, PA, at a company called Concept Sciences, Inc. Catastrophic failure at that facility, a very small facility, fewer than 20 employees, killed five workers and caused damages to 11 other businesses in the area. The small businesses in the sense that I'm talking about need to be more carefully considered perhaps than small businesses in general because of their unique risk of handling high hazard materials. You asked the question about EPA and OSHA. Currently, there are no plans for addressing individual facilities and assessing their status for Y2K compliance from the two major regulatory agencies. They do not have the staff, nor the wherewithal to address that sizable portion of the chemical handling community. What we've been trying to do is work with our sister agencies in making sure that we're getting as many alerts out to people, that we are addressing the associations that need to be addressed, to make sure they can encompass their total membership in an awareness program around Y2K problems. It is slow work, however, and we are approaching a 300-day deadline before the turn of the century. So I think there is much more that needs to be done and I'm urging my other agencies to work with us to get relevant information out there. Senator Inhofe. Do you think there is a reluctance on behalf of the smaller and medium-sized companies to seek help from the EPA thinking that perhaps there might be an enforcement fine or something they'd be subjecting themselves to? Mr. Poje. I think there is historically a distancing from regulatory agencies for all businesses for good reason. Oftentimes the interactions are very unfavorable or not necessarily the most salutary ones. On the issue of Y2K though, it is important for everybody to recognize that there is no regulatory fix that can be applied here. What we need right now is due diligence and examples for how people can get into compliance. The Board was graced with the due diligence and public spiritedness of two major chemical corporations, Oxychem and Rohm and Haas in sharing detailed analyses of how they attack the Y2K problem. Those examples are ill-suited as examples to provide to small- and mid-sized enterprises because they're of such different size dimensions. We've been seeking associations who might be willing to share their best practices for addressing this issue with the Board so that such information could be disseminated more broadly to other parties. The risks from small- and mid-sized enterprises do not necessarily scale down to zero as you reduce the size of your economic or work force size in this arena of chemical safety. Senator Inhofe. I'd be asking all three of you this question. What would your feeling be about some type of an amnesty program to pull people out of their shells so they would be less reluctant to seek help in advance? Mr. Poje. The Environmental Protection Agency has already put out a guidance on Y2K testing that would assure people that if they're showing due diligence in testing their systems for Y2K compliance, the EPA would look favorably on that activity as a more important activity than enforcing an environmental release prescription ordinance. They would want to make sure that Y2K testing is proceeding because of the very large risk both to the environment as well as to business continuity to make sure that Y2K is being addressed in these businesses. It's uncertain right now how that policy has penetrated into the broad community of small- and mid-sized enterprises to provide some sense of encouragement for addressing onto the problem. Senator Inhofe. Mr. Travers, as you know, this committee has had a couple of oversight hearings and I think it's been very productive in terms of the regulatory process and certainly it's been helpful to us to learn more about what you do, how you're doing it and how things are going in nuclear energy. It appears that our facilities are further along in their Y2K plans than most industries. I'm glad that you focused on safety first. As a whole, do you suspect there will be any outages? Right now, we're dependent upon nuclear energy for some 20 percent of our generation. Do you think there are going to be any outages? Mr. Travers. I would point out very briefly before answering your question directly, that this approach the NRC has been on has had the benefit of a very cooperative arrangement with the nuclear industry. Certainly we have developed what would be a necessarily independent strategy should any safety systems be at issue. But, we have had the benefit of a very cooperative engagement with the nuclear industry organizations and utilities. In specific response to your question, we're carrying out our program with recognition that there is a broader question-- one that, strictly speaking, we do not have a regulatory authority over. That is this question of grid reliability. Our program, however, is being conducted with an acknowledgement of the importance of grid reliability. In fact, the industry itself has recognized the importance of this. The guidance that the nuclear power industry is following and using in preparing their nuclear plants for Y2K readiness specifically includes a review of systems that transcend the safety-related systems, those systems that are principally in place and required to maintain safety. Our program, in addition to that, in terms of the audits that we're doing, is also reviewing systems that are not, strictly speaking, safety-related systems. They are balance of plant systems; they're the systems that would be required to keep plants on-line and safely operating. We have, in this regard, developed a strategy we think that covers what is greater than normally our turf and certainly our focus. We think we've done that in a way that will ensure that, at least, nuclear power plants maintain their operational status through Y2K. Nevertheless, as I mentioned earlier in my testimony, we do have contingency plans to react in case there are any problems that crop up. Senator Inhofe. A minute ago, you talked about in June there will be further reviews. Kind of elaborate a little bit about what's going to take place then? Mr. Travers. By July, we expect to have responses from all nuclear power plants. The responses are required based on a generic letter that was issued by the NRC. Senator Inhofe. Of the 103, how many have you received so far? Mr. Travers. I'm not sure how many we've received, but we've checked in as to where they stand. In fact, we've completed our 12 audits that cover a variety of different types of designs of plants, locations and so forth. So we've been looking at the safety systems and the systems that would be necessary to keep the plants operational through Y2K. Senator Inhofe. Do they all give you assurances at this point that they're going to be ready by that time? Mr. Travers. In fact, they indicate that most plants are on target to meet the July 1 deadline. A number of plants think they may be challenged. I think we have upwards of about 18 plants who have indicated that they may need some additional time. Nevertheless, if they're not Y2K ready on July 1, they need to report to NRC with a schedule and the specifics of what needs yet to be done. At that point, and by September 1999, the NRC expects to be in a position to make judgments about any further regulatory actions that might need to take place on a plant-specific basis. Senator Inhofe. Having served with Congressman Horn--we called him Professor Horn at that time--it's very unusual to extract an ``A'' from him on anything. Explain a bit more about this report? Mr. Travers. Timing is everything and in this case, we are very pleased to be here today because it was just a few days ago that Congressman Horn's report came out. As you know, it's fundamentally based on the internal systems at NRC and their readiness, mission critical, business essential and so forth, to be Y2K ready. We have completed all of our systems, not just the mission critical systems, and we have declared them Y2K ready, so we're very pleased to be here today to report that to you. Senator Inhofe. Mr. Swanson, explain to me and maybe some of the others that didn't really understand this 99th day, the drill dates you have, 99th day and September 1999? Who all participates in this drill and what are you accomplishing with this? Mr. Swanson. In the April drill, the 99th day of 1999, some computer programmers think you may trigger some end of file codes in old Fortran programs. I used to write Fortran programs, so that may be the case but we'll just have to see. The point of the April drill is to go out in the field and make sure if we do have a failure in our telecommunications capabilities, we have, for instance, remote terminal units in the field, in the distribution system. A medium-sized utility may have a couple of hundred. We have metering points at each of these substations. The energy management system for a utility needs to know what the load is out in the field and they get that information back through local telecommunications providers, through local telephone lines back into places where it's brought back to the utility, analyzed and managed. If we don't have that capability, we're flying blind. So we will be putting people in the field with backup communications equipment who know what the metering point is and is supposed to do, can extract the information from that location and through the backup communications, get it back into the system so that we're not flying blind. That's the April test. We will not be adjusting our system in any way. We won't be reducing generation, we won't be changing generation, we won't be changing any of the existing operating parameters. We'll just be using this as a test of our backup capability. In September, it's a different story. Here what we're trying to put together is more of a real dress rehearsal. This is expected to be a fairly--it could be in some areas, depending on the temperature, a fairly heavy load day. We will be looking at how we can dispatch generation, the kinds of issues that may come up in January that we can test during this particular configuration. We don't expect that September 9 is going to cause us any programs because of the date itself, but it might and it's a convenient place for us to be ready just in case it does. We will also be looking at coordinating very closely with the natural gas, the telecommunications industry specifically; we're thinking about bringing in the emergency management authorities in the communities and States because it's important for them to be aware of and tied to the kind of testing and work that we're going to be doing. We're going to try to make it as close to a real dress rehearsal for the Year 2000 conversion as we can. We're not done planning for that. A lot of the planning that we'll be doing for that will be driven by some of the data that is still going to be developed, the issues that come up as we have more consultations with the other critical infrastructures and emergency planning folks that we need to be and are undertaking now. Senator Inhofe. This morning at our hearing, we had both DOD and intelligence with their charts projecting at what point we are today, when we're going to reach there. Did I understand you correctly when you said 60 percent of your equipment has been tested? Mr. Swanson. Yes. The latest monthly data we had was 57 percent and since we're halfway through another month, that's been kicked up some, so we are probably at or around 60 percent or maybe a little more right now. Senator Inhofe. Projected forward from here? Mr. Swanson. The orders that we are giving to and that have been accepted by our member companies is that all equipment has to be remediated and tested by May 31 and that all systems have to be declared ready by June 30. We know there are going to be generating units that are going to be in fall outage testing and remediation. So if a company is not able to declare that it is 100 percent ready by June 30, it has to tell us which facilities are going to be on an exceptions list and when that testing will be done so that we can tell you and we can tell our customers exactly how we stand and in terms of our readiness on June 30. Senator Inhofe. But you're optimistic now that you're on track to be in compliance on the day? Mr. Swanson. Yes, that's right. Senator Inhofe. How about the rest of you, the other two, as of today, are all the facilities around the country within your specific area on track for responding? Mr. Poje. Senator, I wish I could say that we had surveillance data on the chemical sector, but there isn't. The Chemical Manufacturers Association, which represents perhaps 90 percent-plus of the chemical manufacturing in this country, their membership, 192 members represents that sizable productive capacity, they have issued a survey request to their membership. Of 192 members, 100 have responded and they've gotten additional information off the websites. Within a week or two we should have a report available about their membership. But, their membership is not the totality of the chemical handling sector. There are many smaller associations, there are many people who do not produce chemicals but use them and use them in highly automated systems that will have embedded systems- related problems. We have no information to assess their status. The anecdotal information provided to us by vendors of automation equipment indicates that there can be some significant problems associated with these smaller enterprises and there is no surveillance program right now to provide us with an answer to their status. So we are in a different and somewhat data-deficient state in the chemical sector as compared to the nuclear sector or compared to the electrical utility sector. The sector itself is extraordinarily heterogeneous with types of processes and sizes of companies that it is perhaps a more difficult sector to assess and surveil. Senator Inhofe. Is there anything you can think of that can be done? Mr. Poje. I know a number of small associations met last week at the Chemical Manufacturers Association and they are beginning their own surveillance. Whether that's sufficient for meeting the total needs of the sector is uncertain, but it certainly is very good news for those particular smaller chemical repackagers, distributors, chemical handlers. Because in doing such, they will provide an awful lot of alerting of their individual members to the importance of the Y2K problem. Senator Inhofe. Mr. Travers, I assume that you are on schedule and satisfied. Mr. Travers. Mr. Chairman, if I might make two comments. We are on track and I'll discuss that both in terms of our program and perhaps more importantly the utilities program just briefly. We have, as I indicated, completed the audits that we intended, the 12 audits. We intend to follow that through by carrying out some additional reviews at all sites. That's going to begin in just a month or so and be completed by July. Our licensees give us every indication, and the audits confirm it, that they are on track to respond to our generic letter by July 1, including submission of the fact they've carried out their contingency planning. I may be able to give you a little bit of extra information that has been provided to us from the nuclear industry. It indicates that they have divided their efforts into four different parts, one being an initial assessment and all nuclear power plants have completed an initial assessment of their Y2K readiness. The percent completion of what they term their detailed assessment, the readiness of their systems, is on average 92 percent complete. They have indicated that 53 percent of the industry has completed this detailed assessment, so 92 percent has to do with the number of sites. Remediation for their own tracking is on the order of about 90 percent, so the next category is once you find the problem, how do you address it and remediation is the technique. They've indicated of the problems they found, they have already addressed something over 90 percent. Essentially, the short answer to your question is, they and we are on track. Senator Inhofe. Good. This morning during the DOD approach to this problem, it came across that while we're going to be able to make it from our end of it and what we have control over, however, we are impacted by the fact that some countries are not in a position to do what we're able to do. The obvious case would be Russia which doesn't really have the resources or the inclination to do what we're doing and some of the things in terms of warning systems might not be in compliance which would impact us over here. So we're having to deal with that. From any of your perspectives, is there a problem you see from other countries not being able to do this that would have any kind of impact on us? Mr. Poje. Certainly from the petrochemical perspective, an enormous amount of U.S. petrochemical feedstock products, petroleum, are coming from other countries. So we do have a very strong vested interest in assuring that supply continues. I know there's been some discussion about maintaining the strategic petroleum reserve as a way of assuring that we are protected in such a circumstance. The situation amongst the chemical manufacturing, handling and using sectors also provides the recognition that there is an extraordinary interdependence among each other and that some companies may require small amounts of various essential ingredients in order to continue their business. It's a major issue assuring that the just in time delivery systems are going to work; that is also quite important to assuring the preservation of business continuity. So there is a fair amount of discussion about the supply chain problems and how to assure those that are upstream and downstream can guarantee it. Dan Dailey, who is the facilities manager for Oxychem, used the expression that ``One can as easily die of starvation as you can die of constipation.'' It's very important that many of these facilities know that they can meet the input of feedstock chemicals and guarantee that their customers are going to receive it because there is no capacity for on-the-scene storage for a long period of time waiting for that delivery to your downstream community. This is a very significant concern and there is a fair amount of connection now between single companies and their suppliers and customers. That also is an area that we are hopeful could be the venue within which to alert small- and mid-sized enterprises about how they can comply with Y2K- related problems. Senator Inhofe. Any other comments? Mr. Travers. Yes, Mr. Chairman. There certainly is some concerns about the extent of identification and remediation of Y2K systems in other countries. For the most part, it's our understanding that Western Europe, Japan and some of the more economically developed countries have largely addressed Y2K problems at nuclear power plants in a fashion similar to what's happening in the United States. I might point out at a recent meeting of the International Nuclear Regulators Association, which is chaired by Chairman Shirley A. Jackson, that organization, which encompasses eight countries--the United States, Canada, France, Germany, Japan, Spain, Sweden and the United Kingdom--did emphasize a concern regarding the results or the readiness in some countries. To emphasize that concern, they have urged officials in the former Soviet Union and the Ukraine to address these Y2K issues. Whether or not those problems could affect us, I can't say. There is certainly some potential for that. We have been working with the international community to certainly emphasize the need to address these issues in a strong way. The United Nations conference, which was held recently, expressed a similar concern. I think the International Nuclear Regulators Association wanted to reemphasize the concern that was expressed at the recent conference at the United Nations. In our contingency planning, we are looking at obtaining early information from countries that are some 14 or 13 hours ahead, including Japan and North Korea, about any problems they may encounter in the transition to the Year 2000. We have a means available to understand that information and to try to learn from it and be able to react to it in advance of the change in millennium. Senator Inhofe. That's interesting. You mean those that are ahead of us on the time scale, in that very short time period, you think that would offer enough time for a warning? Can you give an example of what could happen? Mr. Travers. It very well could. At the very least, it would put us in a position to understand what the problem was to an extent, whether it be a communication problem. For example, in the area of communications, the NRC is establishing satellite backup communications at all nuclear power reactor sites. It's hard to say what lesson we might learn from a 13- hour or so advance, but we think there is an advantage to trying our best to understand what does happen, if anything, and to see how quickly we can either implement a fix, which may be less likely than putting in place an ability to react to it so that it doesn't affect us in a fundamental way. Senator Inhofe. We'll hope communications doesn't break down that day. Mr. Swanson. Mr. Swanson. Three quick points. North America is being treated as an operating entity from our point of view and Canada and the United States are working together on the readiness assessment for all of the North American electric systems. Second, many of the investor-owned utilities and other electric energy companies have businesses overseas. From what I've been able to tell, at least the ones I've talked to informally, they're treating their overseas facilities just like they treat their domestic, they're giving them the same readiness assessment and remediation and testing. They are doing that for a couple of reasons. One is they want to make sure they're there and ready to operate for their customers. They also want to be seen in that country as being a reliable supplier. So they've got both a business and a political issue they want to cover thoroughly and completely in the country where they're doing business. They obviously have their business affected if the grid breaks down. They are in the process of working through that issue within each of the jurisdictions or countries in which they operate. The third point I want to make is what Mr. Travers just mentioned but from a slightly different perspective. We're operating right now on an issue which is what confidence do our customers have in our ability to meet our cautious and probably growing optimism? Are we really going to be there and do they need to do something just in the case we're not going to be there. I get worried about if problems develop in the Pacific Rim and in the 13 hours notice that we have, we start to have companies dropping, making plans or executing plans to drop off the system. Panic is exportable, panic is instantly available around the world and I get very worried that we're going to be looking at a very uncertain load situation as a result of potential failures overseas. That doesn't say that they are going to be there but if it happens, I am concerned that it can have an effect here. That's put an additional burden on us and a lot of our customers like the chemical manufacturing companies to deal with that up front and make sure we understand our situation here and deal with it specifically on its own terms. Senator Inhofe. You've all indicated things you're going to be doing between now and the end of the year and I would ask that you keep us informed so that we have kind of a clearinghouse here so we can know of problems and also if there are governmental agencies that would be in a position to be more cooperative, if you let us know, we might be able to assist you in that. Yes? Mr. Swanson. That reminded me I did want to make one comment on the EPA amnesty issue. We've been working, as Mr. Poje's folks have, with the EPA on this and it's an important question for us. We think the work we're doing is important and we think it's being done in the public interest. We're a little concerned about it being an enforcement- related action. I think we all need to understand that when a power plant is operating and the environmental control equipment goes down because of a Y2K failure, for instance, that affects the operation of that plant. The plant may well come off line because we can't balance its operation of that plant without the environmental control equipment operating. We'd be glad to provide more information to you in that regard but I think raising the issue with EPA, in a constructive way as we are doing, would be very helpful to all of us. Senator Inhofe. That is essentially what we're talking about doing. Mr. Poje. I think on this issue of talking about the interrelatedness between two sectors of the economy, it becomes very important to understand how to maximize safety in this arena. It does no good to have chemical handling facilities operate with a degree of insecurity about how their plants will function. We've seen a much higher incidence of catastrophic failure associated with shutdown and with startup procedures. Facilities, for their own insecurities and contingencies about their own plans, whether they haven't met their plans and need to assure themselves that they stay shutdown, it becomes very important that information is communicated in an accelerated way to the utilities and that the utilities themselves take some responsibility for polling major consumers of power to be assured they will operate according to the anticipated plan of operation to maintain integrity of the grid. Senator Inhofe. As providers, do you have any comment about that? Mr. Swanson. Yes, I do. Mr. Poje is right. One of the things which has characterized the meetings between industries so far is far too much focus on assurances. What we're going to be working very hard on is to make sure it's the engineers and technicians and project managers for Y2K remediation and testing that are really brought into the discussion and if you talk about equipment, that you don't talk about written assurances or even verbal assurances. You talk about what you're doing and everyone has to get a sense of confidence in the integrity and the thoroughness of the program and the incentives on both sides to do it right. We had a lot of discussions this week with our State regulators who are meeting here in Washington. They are very much interested in getting in the middle of that as well, for the same reason, which is that they need to get a sense of confidence of whether we're doing the right thing or not. They can't tell from paper. They need to look at the process live and see how it's working. I think that's what we need to get going between our companies: have face-to-face meetings, go to facilities, talk to the engineers, look at the equipment, and share information. I think that can really work and work well. Mr. Poje. I think the one advantage here is, I think everybody is talking about contingency planning. It is very important that at some level those contingency plans be shared across sectors and to look at the intersector relatedness to make sure there is explicit elements in such plans for doing this across sectors. Senator Inhofe. What vehicle should be used to accommodate that? Mr. Poje. I know the vehicle that the Board was persuaded to use because of our own deficient nature, we operate with fewer than 20 full-time employees at our institution, so compared to our sister entities here, we are small. The only way we could glean an understanding of this issue was by bringing in the technically expert people from that vast array of stakeholders. It was the first time that many of them had been in the same room, and able to talk across their stakeholder community of insurance companies or industrial facility managers, or worker perspectives. That expert meeting was a refreshing place within which to crystallize where are the real risks, what are the real problems and how do we get on to solving them very quickly. I certainly would champion Mr. Swanson's statement to you-- get face-to-face meetings and get the technically expert people talking about the technically complicated issues so that we're not driven by a generalized anxiety. That won't solve any problems. Mr. Travers. Mr. Chairman if I could just correct one thing I said for the record. While the remediation efforts of the nuclear power plants are on track, I misread a chart. The average currently at least is 53 percent of systems at 66 sites, safety and other systems, have been remediated and they are working towards completing those by July 1 or shortly thereafter, 53 as opposed to 60 as opposed to 90 which is quite a different number. I apologize for that. Senator Inhofe. I would like to have you keep us informed as time goes by and to look at us as a resource to be helpful, that's what we want to be, and we almost set a record and had a meeting under 1 hour but didn't quite make it. I appreciate very much your taking the time to come here and testify. We look forward to staying informed as your progress continues. We also would like to have any input you have that we could share our knowledge with the governmental agencies and try to be a support group for you. We're adjourned. [Whereupon, at 3:18 p.m., the subcommittees were adjourned, to reconvene at the call of the chair.] [Additional statements submitted for the record follow:] Statement of Gerald V. Poje, U.S. Chemical Safety and Hazard Investigation Board Good afternoon, Mr. Chairman and distinguished members of the Subcommittee. I am Gerald V. Poje, Ph.D., one of four members of the U.S. Chemical Safety and Hazard Investigation Board (CSB) nominated by the President and confirmed by the U.S. Senate. Today I appear before you at the behest of our Chairman, Dr. Paul L. Hill, Jr. to whom you addressed your request for testimony from our agency. Dr. Hill and I thank you for inviting the CSB to testify regarding this critical issue. The Chemical Safety Board is an independent Federal agency with the mission of ensuring the safety of workers and the public by preventing or minimizing the effects of industrial and commercial chemical incidents. Congress modeled it after the National Transportation Safety Board (NTSB), which investigates aircraft and other transportation accidents for the purpose of improving safety. Like the NTSB, the CSB is a scientific investigatory organization. The CSB is responsible for finding ways to prevent or minimize the effects of chemical accidents at commercial and industrial facilities and in transport. The CSB is not an enforcement or regulatory body. Additionally, the CSB conducts research, advises Congress, industry and labor on actions they should take to improve safety, and makes regulatory recommendations to the U.S. Environmental Protection Agency and the U.S. Department of Labor. I am a specialist in toxicology and policies dealing with chemical hazards. I oversee the board's efforts on reducing risks of accidents associated with Year 2000 computer problems. Currently, I work with the Intergovernmental Forum on Chemical Safety and the Organization for Economic Cooperation and Development to promote global remediation and contingency planning concerning Y2K problems. background The U.S. Chemical Safety and Hazard Investigation Board at the request of Senators Bennett and Dodd of the U.S. Senate Special Committee on the Year 2000 Technology Problem has investigated the issues of chemical safety and the Year 2000 computer technology problem. On December 18, 1998, our board convened an expert workshop on ``Y2K and Chemical Safety,'' involving leaders from industries, equipment vendors, insurance companies, regulatory agencies, research agencies, universities, labor organizations, environmental organizations, trade associations, professional engineering associations, and health and safety organizations. The CSB has continued the dialog with the participants over the last 2 months. I recommend the process of our safety board's efforts for addressing other critical issues associated with the Year 2000 technology problem. The board members are completing review and approval for the final draft report, and our staff is currently formatting that document. We will soon release the report to the Special Committee and it will be available at the Chemical Safety Board's website: http:// www.chemsafety.gov. The Senate Special Committee requested evaluation of: <bullet> the extent of the Year 2000 Problem as it pertains to the automation systems and embedded systems that monitor or control the manufacture of toxic and hazardous chemicals, or safety systems that protect processes, <bullet> the awareness of large, medium, and small companies within the industry of the Year 2000 threat, <bullet> their progress to date in addressing the Year 2000 problem, <bullet> the impact of the Year 2000 technology problem on the Risk Management Plans required in June 1999, and <bullet> the role Federal agencies are playing in preventing disasters due to the Year 2000 problem. Synopsis The Year 2000 Problem is a significant problem in the chemical manufacturing and handling sector posing unique risks to business continuity and worker and public health and safety. According to the U.S. Environmental Protection Agency, 85 million Americans live, work and play within a 5-mile radius of 66,000 facilities handling regulated amounts of high hazard chemicals. The CSB has developed the following findings from our investigative efforts: <bullet> Large enterprises with sufficient awareness, leadership, planning, financial and human resources are unlikely to experience catastrophic failures and business continuity problems unless their current progress is interrupted or there are massive failures of utilities. <bullet> The overall situation with small- and mid-sized enterprises is indeterminate, but efforts on the Y2K problem appears to be less than appropriate based upon inputs from many experts. <bullet> While the impact of the Risk Management Plans should be positive, there are no special emphases or even specific mention of Year 2000 technology hazards in either U.S. Environmental Protection Agency or Occupational Safety and Health Administration regulations regarding process safety. <bullet> Federal agencies are aware of and involved in Year 2000 technology and chemical safety issues. However, significant gaps exist, and there do not appear to be specific plans to address these gaps. Scope of Issues The Expert Workshop as well as the research conducted for our report concluded that the Year 2000 (Y2K) problem is one of major proportions and has the potential for causing disruption of normal operations and maintenance at the nation's chemical and petroleum facilities. It is important to point out that Y2K compliance activities reported to the Chemical Safety Board to date have not found a single failure (embedded microchips or software) which by itself could cause a catastrophic chemical accident. However, it is unclear what the outcome might be from multiple failures, e.g., multiple control system failures, multiple utility failures, or a combination of multiple utility and control system failures. Surveillance of the industrial sector that handles high hazard chemicals is insufficient to draw detailed conclusions regarding Y2K compliance efforts. One theme upon which experts agree is that failures from Y2K noncompliance at small- and mid-sized enterprises is more likely. The reason is a lack of awareness regarding process safety in general and the Y2K impact in particular, lack of resources, and technical know-how for fixing the problems. Given the time constraints, altering this situation requires a massive effort. The Board has concluded that this effort should focus on: (1) providing easy-to-use tools, (2) promoting accessible resources, and (3) providing attractive incentives for Y2K compliance efforts. Additional efforts should be the focus of an urgent meeting of agencies convened by the administration. The potential for catastrophic events, at U.S. chemical process plants, stemming from Year 2000 non-compliance, can be divided into three categories: failures in software or embedded microchips within the process plants, external Y2K-related problems (e.g., power outages), and multiple Y2K-related incidents that may strain emergency response organizations. A check list of devices to be assessed for Year 2000 compliance at a chemical plant and the consequence of their failure is identified in Appendix A. The limited scope of the Y2K Expert Workshop and the research conducted for this study concluded that large multinational companies are, in general, following a well-thought out and well-managed path toward Y2K compliance. These multinational enterprises have, in addition to their Y2K compliance efforts, made contingency plans, including, in some cases, plans to shutdown batch operations for limited periods at the turn of the century. I have appended the PowerPoint presentations regarding approaches to managing this issue from two major chemical manufacturers: Appendix B from the OxyChem corporation and Appendix C from the Rohm & Haas company. Both companies have demonstrated significant leadership by sharing their information within the industry and with many others. Many more examples of facility-specific Year 2000 compliance efforts are urgently needed. These conclusions vis-a-vis large and multinational companies should not be construed to mean that there is no potential for Y2K- related catastrophic events at these facilities. It is possible that some Y2K-impacted components may not have been identified, compliance programs may not achieve 100 percent completion in time, or multiple failures that may not have been considered may result in accidents. The major control and instrumentation vendors canvassed in this study are involved in an extensive program to provide Y2K compliance for their products. There is, however, reason to believe that some independent control systems integrators may have developed and implemented control systems for which there is little or no documentation of Y2K-related vulnerabilities. In addition, some vendors are no longer in business or not as cooperative as the major control and instrumentation vendors. EPA's Risk Management Program and OSHA's Process Safety Management program mandated by the Clean Air Act Amendments of 1990 may provide significant benefit in terms of improving overall safety programs, reliability of chemical process plants, emergency response plans, and other programs. As a result, the overall capability and readiness of the chemical process industry to deal with and effectively overcome the Y2K threat is very high. However, it must be pointed out that none of these regulatory programs or activities have any direct relationship with Y2K compliance. Instituting new regulations to standardize testing or certification is not a reasonable approach for three reasons. First, in the remaining time, it is not possible to develop the mechanism and logistics needed for rulemaking, standard development, and establishment of reporting procedures. Second, implementation of any standardized method or regulation may cause penalties and unnecessary complications for many companies that do not fit the selected standard but have already expended an extensive amount of effort on Y2K compliance. Third, it is critical to minimize overall administrative efforts in order to focus available resources on the remedial efforts within this limited timeframe. This should not be construed to minimize the need for independent verification and validation of Year 2000 compliance programs and contingency planning. Priority Issues and Findings Special Expert Workshop attendees reached consensus on the importance of four issue areas related to Y2K problems and chemical safety: (1) Small- and medium-size enterprises (SMEs) risks and needs, (2) Risk management programs and their applicability, (3) Utility continuity, and (4) Responsive communication among the stakeholders. The following findings were developed based on input from the workshop attendees and research conducted during this study. 1. Small- and Mid-sized Enterprises (SMEs) The Y2K Expert Workshop members were quite concerned about Y2K failures at SMEs, particularly since their risks to public health and safety can be quite significant. Multinational companies and other organizations may be willing to make available Y2K information and tools to SMEs. However, this willingness is tempered by concerns about legal liability to individual companies or trade associations that contribute the information. For example, if Y2K checklists or tools are made available through a website used by an SME, and yet that SME still has a Y2K problem for whatever reason, could the SME sue the information provider? SMEs also have lesser access to associations that have helped larger corporate entities become educated on safety issues. The experiences with some SMEs on other issues seems to indicate that in order to be useful, the information provided has to be very detailed and specific to the SMEs. However, large businesses and even SMEs have restructured and thus may have fewer resources to devote towards time limited technical problems. To compound the problem, trade associations have also undergone restructuring and as a result may not have the resources needed to serve their membership. 2. Risk Management There is a general consensus that facilities doing an effective job in managing their risks should not see any major health and safety problems. Risk management generally consists of a variety of programs and activities to assess and manage risks. To be fully effective, these programs must be implemented with the complete involvement of the management, labor, and local responders. Risk management also includes the utilization of best practices (e.g., equipment, procedures, auditing, testing, and certification), adherence to industrial and professional society standards, and compliance with applicable regulations. The chemical processing industry has practiced these risk management principles for a long time. However, the Y2K issue will test the existing system of safety, and failure may engender review of policy issues as well as review of industrial programs and practices. 3. Utility Continuity A major concern of the participants at the Y2K Expert Workshop was that the main threat to facilities could be from external failures, such as electrical, natural gas, water and waste water utilities. Many members of the chemical process industry are concerned about the reliability of electric power supply and are seeking ways to assess the vulnerability of their specific utility. For some managers of facilities that draw high power loads prudent safety practice may determine that the plant be shut down during critical time periods and restarted at a later date. However, such decisions should not be made without communicating these planned actions with their utilities in order to prevent problems on the power grid. 4. Responsive Communications among Stakeholders Communication and trust between stakeholders is of tremendous importance in resolving Y2K related problems. Stakeholders, in the context of chemical safety, include: corporate and facility managers, operators, other workers, vendors, equipment manufacturers, unions, trade associations, regulators, non-regulatory agencies, emergency responders, insurance companies, community organizations and environmental organizations. Stakeholder communication has various dimensions. While logistic and timing problems may prevent a regulatory approach for assuring Y2K compliance, voluntarily communicating accurate and relevant information to the public on the status of Y2K compliance is essential. Given the extent of work being done for Y2K compliance, this communication will avoid creating chaos and panic, allay public fears and promote rational behavior. Contingency planning, risk management, and decisions concerning shutdown must also involve communication among stakeholders. Equally as important is the communication between different companies, both large and small, and communications across sectors of the economy. The complex interdependency of modern society assures that all entities have a stake in the Y2K efforts of others. The sharing of information and building experience has a much greater chance of reducing or even completely eliminating the catastrophic threat of Y2K- related failures. Historically, safety-related issues have been addressed on a non-competitive basis, and the safety-related Year 2000 issues should follow the same path. Knowledge is key to responsive communication. Public agencies and the private sector already support training and education for chemical managers, workers and Hazardous Materials (HAZMAT) emergency responders through programs which tailor training modules to specific targeted groups of responders at the awareness, operations, technician and specialist levels. Y2K contingency planning and responsive communications should be enhanced through training and education efforts developed to address the challenges of Y2K related incidents and scenarios. Summary In summary, the Year 2000 technology problem is a significant problem in the chemical manufacturing and handling sector posing unique risks to business continuity and worker and public health and safety. Large enterprises with sufficient awareness, leadership, planning, financial and human resources are unlikely to experience catastrophic failures and business continuity problems unless their current progress is interrupted or there are massive failures of utilities. The overall situation with small- and mid-sized enterprises is indeterminate, but efforts on the Y2K problem appears to be less than appropriate based upon inputs from many experts. Federal agencies are aware of and involved in Year 2000 technology and chemical safety issues. However, significant gaps exist, and there do not appear to be specific plans to address these gaps. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Statement of William D. Travers, Nuclear Regulatory Commission introduction Mr. Chairman, members of the Committee, I am pleased to be here today on behalf of the Commission to discuss with you the status of the U.S. Nuclear Regulatory Commission (NRC) response to the potential Year 2000 computer problem, particularly as it pertains to nuclear power plants. Our efforts can be divided into three basic areas: our actions internal to the NRC, our interactions with our licensees and the nuclear power industry, and our broader interactions, both nationally and internationally. All 88 of NRC's mission-critical, business essential and non- critical systems have been examined and as needed, fixed with regard to the Year 2000 problem. In all, a total of 42 of 103 operating nuclear power plant units were associated with the Y2K readiness program audits of 12 utility licensees. Based on the results of these audits, we have concluded that the audited licensees are effectively addressing the Y2K problem and are taking the actions necessary to achieve Y2K readiness per the Generic Letter 98-01 target date. Further, the audits have verified that the NEI/NUSMG guidance is sufficient. We have not identified any issues that would preclude licensees from achieving Y2K readiness. Finally, we are actively involved in promoting awareness of the Year 2000 problem internationally. actions internal to the nrc I am pleased to tell you that as of February 5, 1999, all 88 of NRC's mission-critical, business-essential and non-critical systems have been examined and, as needed, fixed with regard to the Year 2000 (Y2K) problem. This work was accomplished more than a month ahead of OMB's established milestone and well under budget. As part of this effort, we analyzed and identified embedded chip systems at the NRC and made necessary upgrades or replacements to make them Y2K compliant. Also, we worked with our data exchange partners and repaired, validated, and implemented those systems requiring changes. All work necessary to ensure that 100 percent of our telecommunications infrastructure is compliant or not affected by Year 2000 issues has been completed. Our telecommunications service providers have been contacted to determine their plans to achieve Year 2000 compliance. All have responded that they are compliant or will be compliant by mid-1999. The one (NRC) mission-critical system that is directly linked to operating nuclear power plants is our Emergency Response Data System (ERDS). This application performs the communication and data transmission functions that provide near real- time data to NRC incident response personnel during declared emergencies. We have verified that this system has been made Y2K compliant and that the interface of the system with licensed facilities is functional. nrc actions with licensees Since 1996, the NRC has been working with nuclear industry organizations and licensees to address the Y2K problem. To ensure that senior level management at operating U.S. nuclear facilities was aware of the Y2K problem, the NRC issued Information Notice (IN) 96-70, ``Year 2000 Effect on Computer System Software,'' on December 24, 1996. The Notice 96-70 described the potential problems that nuclear facility computer systems and software might encounter during the transition to the new century. All U.S. nuclear power plants, fuel cycle facilities, and other material licensees were provided with copies of this document. In 1997, the Nuclear Energy Institute (NEI) agreed to take the lead in developing industry-wide guidance for addressing the Y2K problem at nuclear power reactors. In November 1997, NEI issued a guidance document to all U.S. nuclear power plant licensees, entitled ``Nuclear Utility Year 2000 Readiness'' (NEI/NUSMG 97-07). In Generic Letter 98-01, issued May 11, 1998, the NRC accepted the NEI/NUSMG 97-07 guidance as an appropriate program for nuclear power plant Year 2000 readiness and requested that all operating U.S. nuclear power plant licensees submit written responses regarding their facility-specific Y2K readiness programs in order to obtain confirmation that licensees are addressing the Y2K problem effectively. Thus far, all licensees have responded to GL 98-01 stating that they have adopted plant-specific programs, similar to that outlined in the NEI/NUSMG 97-07 guidance document, that are intended to make the plants Y2K ready by July 1, 1999. Similarly, Generic Letter 98-03 was sent to fuel cycle licensees and certificate holders requesting written confirmation of implementation of their Year 2000 Readiness Program. Further, facilities were requested to provide written confirmation that the facilities are Y2K ready and in compliance with the terms and conditions of their license/certificate and NRC regulations. All facilities have confirmed implementation of their Year 2000 Readiness Program. All facilities are scheduled to be Y2K ready in October 1999. Generic Letter 98-01 also requests a written response, no later than July 1, 1999, confirming that these facilities are Y2K ready. Licensees who are not Y2K ready by July 1, 1999, must provide a schedule for remaining work to ensure timely Y2K readiness. The NRC will assess these responses and, by September 30, 1999, determine the need for further plant-specific regulatory actions. Should the NRC identify a situation where the Y2K problem results in a licensee being in noncompliance with the plant license or NRC regulations, appropriate regulatory action (e.g. a shutdown order) will be taken as necessary. Based on the results of our audits (as discussed below), licensee management oversight of the Y2K readiness programs has generally been aggressive and is contributing to the success of nuclear power plant Y2K readiness efforts. Licensees are devoting the necessary resources to their programs to meet their readiness schedules. At a recent February 11, 1999 Commission meeting on the Year 2000 issue, the Nuclear Energy Institute (NEI) informed the Commission that all 66 power reactor sites will carry out an audit of their Year 2000 readiness activities. Specifically, NEI stated that 54 sites have completed internal Year 2000 quality assurance audits, 33 sites have completed cross utility audits, and 43 sites have completed third party audits. Moreover, the continued sharing of work and information through owners groups and utility alliances is aiding in proper Y2K readiness program implementation. As with other aspects of plant operation, we provide independent oversight and respond when appropriate to ensure adequate protection of public health and safety. Our oversight processes rely on the recognized ability of our licensees to complete critical self- assessments and initiate appropriate corrective actions. Notwithstanding the comprehensive industry Y2K efforts, we have recognized the importance of providing an appropriate level of NRC oversight of Y2K preparations at nuclear power plants. NRC resident inspectors who are assigned to all power reactor sites will carry out reviews of licensee Y2K readiness activities. In addition, since last September, the NRC staff has conducted 12 planned sample audits of nuclear power plant licensee Y2K programs. These audits were completed in January 1999. The results of these audits have been documented in NRC-issued audit reports which are available on the NRC website and have been discussed at industry workshops. We also plan to communicate a summary of our observations and lessons learned through the issuance of an information notice. The NRC staff selected a variety of types of plants of different ages, vendor design, and locations in this audit sample in order to obtain the necessary assurance that nuclear power industry Y2K readiness programs are being effectively implemented and that licensees are on schedule to meet the readiness target date of July 1, 1999, established in Generic Letter 98-01. The licensee sample audits included large utilities such as Commonwealth Edison and Tennessee Valley Authority as well as small, single reactor licensees such as North Atlantic Energy (Seabrook) and Wolf Creek Nuclear Operating Corporation. These findings are consistent with those recently reported by the Department of Energy in the January 11, 1999, report prepared by the North American Electric Reliability Council on the status of Y2K readiness of the electric power grid. To date, the NRC staff has not identified or been apprised of any Y2K problems in nuclear power plant systems that directly impact actuation of safety functions. The majority of commercial nuclear power plants have protection systems that are analog rather than digital or software-based and thus not impacted by the Y2K problem. Errors such as incorrect dates in print-outs, logs or displays have been identified by licensees in some safety-related devices, but the errors do not affect the safety functions performed by the devices or systems. Most Y2K problems are in non-safety systems such as security systems and plant monitoring systems which support day-to-day plant operation but have no functions necessary for reactor safety. In addition, through site visits and surveys NRC continues to monitor the security systems at reactors and does not expect any Y2K problems following licensee actions in this area. These systems are being addressed in the licensee Y2K readiness programs consistent with the industry guidance and the GL 98-01 schedule. In NRC Generic Letter 98-01, it was also noted that despite the best of efforts to achieve Y2K readiness, unanticipated problems (particularly events external to a plant) could occur and disrupt continued plant operation. Therefore, contingency plans are needed to address potential unanticipated Y2K problems. To address this need, in August 1998 NEI issued another guidance document, ``Nuclear Utility Year 2000 Readiness Contingency Planning,'' (NEI/NUSMG 98-07) which is being incorporated into Y2K readiness programs by all U.S. nuclear power plant licensees. These detailed plant-specific Y2K contingency plans also are scheduled to be completed by July 1, 1999. As a result of the 12 sample audits, we have concluded that, in general, licensees began to develop contingency plans late in the Y2K preparation process. As a consequence, we have decided to conduct six additional, differently focused reviews, involving licensees other than those that comprised the original 12, to determine the effectiveness of industry contingency planning guidance. We will begin these reviews in April 1999 and conclude them in June 1999. These reviews will focus on the licensees' approach to addressing both internal and external Y2K risks to safe plant operations based on the guidance in NEI/NUSMG 98- 07. Resident inspectors at all power reactor sites will also carry out reviews of licensee's contingency plans. NRC has conducted one Y2K inspection at each of the ten major fuel facilities. The inspections determined that all facilities are adequately addressing Year 2000 issues and will be Year 2000 Ready by December 31, 1999. The Y2K readiness program implemented by each fuel facility is intended to identify and repair software, hardware, and embedded systems that could degrade, impair, or prevent operability of the facility. broader national focus Although the primary focus of the NRC with our licensees has been on public health and safety, related to reactor operations, we recognize the concern that the Year 2000 problem could affect the reliability of electrical grids. Our regulatory focus on electrical grid reliability has related primarily to the challenges to plant safety systems that might result from a grid transient, such as a loss of offsite power. However, the Y2K problem has presented the NRC with a unique challenge because NRC regulatory oversight and authority does not extend to the U.S. offsite electrical grid system. Nonetheless, we recognize the national importance of a broader focus that helps to ensure that potential concerns with electrical grid reliability are identified and resolved. The NRC supports the efforts of the President's Council on Year 2000 Conversion. As members of the Energy/ Electric Power Sector Working Group, we understand the importance not only of maintaining nuclear power plant safety, but of enhancing safe grid operation in the face of the Y2K problem as well. With respect to electric power distribution, in May 1998, the U.S. Secretary of Energy requested that the North American Electric Reliability Council (NERC) coordinate efforts within the electric power industry to assure a smooth Year 2000 transition. The NERC is a voluntary industry reliability group, made up of 10 regional councils, whose membership includes nearly every major provider of electricity generation and transmission within the Eastern, Western, and Texas interconnections that form the backbone of the electricity supply system for the United States, Canada, and a small portion of Mexico. The NERC has established recommended industry-wide milestones for ensuring that U.S. electric systems are ready for the Year 2000. The recommended completion date for the remediation/testing phase of Y2K preparations is May 1999. Mission-critical systems and components (e.g., power production, energy management systems, telecommunications, substation controls and system protection, and distribution systems) are to be made Y2K ready by June 30, 1999. The NERC has worked in partnership with trade associations representing investor-owned utilities (Edison Electric Institute), municipal utilities (American Public Power Association), rural electric cooperatives (National Rural Electric Cooperatives Association), nuclear power plant operators (Nuclear Energy Institute), and the Canadian electric power industry (Canadian Electricity Association) to ensure the most complete coverage of the industry in the surveys and assessments of Y2K readiness. The U.S. electric power industry is placing considerable emphasis on contingency planning for the Year 2000 transition. The NERC is targeting June 1999 for completion of contingency plans. The NRC also is developing a Y2K contingency plan to enable us to respond rapidly to potential events at licensed U.S. facilities resulting from unanticipated Y2K problems. The draft plan includes provisions to collect and disseminate information on Y2K-related events that occur in countries in time zones ahead of the U.S. Continued safe operation of nuclear power plants during the transition to the Year 2000 is important to help maintain reliable electrical power supplies. As such, the draft NRC Y2K contingency plan includes considerations for rapid decisionmaking under circumstances where a Y2K problem might result in licensee non-compliance, but would not affect continued safe plant operation. The draft NRC Y2K contingency plan is being coordinated with the U.S. nuclear power industry, other Federal agencies (including the Federal Emergency Management Agency), State governments, and international nuclear regulatory organizations. The public comment on the draft Y2K contingency plan recently concluded and the final plan is scheduled to be forwarded to the Commission in April. In early October the NRC plans to conduct a ``Y2K Exercise.'' In this dry run we will attempt to ensure that all aspects of our Y2K contingency plan are in place. Regulators from Taiwan, Japan, Finland, Sweden and the United Kingdom have all expressed an interest in participating in this exercise. We also hope to have participation from several of our licensees. We consider public awareness a vital aspect of our Y2K program and have kept the public informed about our Y2K activities through numerous media releases, responses to questions by telephone, electronic mail, and letters, interviews with reporters, participation at workshops, public meetings, and maintenance of current Y2K information on our Web site. international activities We are actively involved in promoting awareness of the Year 2000 readiness issues internationally. In preparation for the 42nd IAEA General Conference in September 1998, the NRC took the lead in drafting a resolution on the Year 2000 (Y2K) readiness for the safety of nuclear power plants, fuel cycle facilities, and other enterprises using radioactive materials. That resolution urged, among other things, that: Member States submit information to the IAEA on activities underway to inventory and remediate Y2K problems at their nuclear facilities; and that the IAEA act as a central coordination point in disseminating information about Member State Y2K activities. During its numerous bilateral side meetings with countries such as Argentina, Lithuania, Russia and Ukraine, the NRC presented the draft resolution and urged their support. Ultimately, 28 Member States co- sponsored the resolution, including a number of countries that have nuclear facilities whose safety are of particular concern to the U.S. Government. Since the General Conference, the NRC likewise has worked with the IAEA to formulate a Y2K program that would address nuclear safety aspects of the Y2K problem. We requested that State Department funds be allocated, under the FY98 Voluntary Contribution, to fund a Cost-Free Expert (an individual who would work at the IAEA for 1 year at no cost to the IAEA) to work specifically on Y2K nuclear safety matters in the Department of Nuclear Safety. The Cost-Free Expert assumed his post in December 1998, and the Department of Nuclear Safety is now developing and implementing a comprehensive program to help Member States address Y2K remediation issues and contingency planning. In the international arena, our understanding is that the nuclear power industry and its regulators in Canada, Western Europe, and the Far East have undertaken similar efforts and readiness schedules to that of the NRC for addressing the Y2K problem at nuclear power plants. However, some countries have started only recently to focus on the Y2K problem. Last month, at a meeting of the International Nuclear Regulators Association (INRA), which is Chaired by NRC Chairman, Dr. Shirley Ann Jackson, a statement was drafted on the Y2K problem, expressing concern that the results of the recent United Nations Conference indicated that few countries will be Y2K ready, and that few have adopted expert guidance regarding remediation and contingency planning. Contingency planning, while important in itself to all countries, takes on new importance in late-starting countries, due to the short time remaining before the Year 2000. In its statement, which was transmitted to appropriate agencies in INRA member governments, to the Nuclear Energy Agency of the Organization for Economic Cooperation and Development, to the International Atomic Energy Agency, and to the Chairman of the first Review Meeting of the Convention on Nuclear Safety for use in the peer review process, the INRA urged governments and their regulatory authorities to take urgent action to diagnose the extent of the Y2K problem in nuclear facilities (including nuclear power plants, fuel cycle facilities, and medical facilities), and to formulate and implement effective remediation programs and contingency planning in the near term for this pre-eminent concern. This remains a key aspect to effective Y2K readiness. summary As discussed above, we have been proactive in addressing the Year 2000 problem internal to the NRC and with our licensees. Additionally, we continue to work, both nationally and internationally, to promote awareness and provide assistance in addressing the Year 2000 problem. Ensuring continuity at the interfaces of regulator-to-licensee, regulator-to-public, and regulator-to-government is crucial. It is the recognition that, despite industry efforts and our efforts, something still could go awry that will continue to drive our Y2K readiness efforts. With that said, it is of paramount importance to note that the NRC and the nuclear power industry are addressing the Year 2000 computer problem in a comprehensive, thorough and deliberate manner. To date, we have not identified or received notification from licensees or vendors that a Year 2000 problem exists with safety-related initiation and actuation systems. Further, we believe that we have--through Generic Letter 98-01, the sample audits and other oversight activities-- established a framework that appropriately assures that the Year 2000 problem will not have an adverse impact on the ability of a nuclear power plant to safely operate or safely shut down. We look forward to working with the Subcommittee and welcome your questions. ______ Statement of David Swanson, Edison Electric Institute Good afternoon, Mr. Chairman and Members of the Subcommittee. I am David Swanson, Senior Vice President, Critical Issues, for the Edison Electric Institute (EEI). EEI is the association of U.S. shareholder- owned electric utilities and industry affiliates and associates worldwide. EEI's member companies serve about 70 percent of all ultimate electricity consumers in the United States and generate about 75 percent of utility-produced electricity. Thank you for inviting me here to testify on the electric utility industry's preparations for the Year 2000 (Y2K) conversion. Obviously, the electric utility industry is a key part of the nation's critical infrastructure, so our preparations for Y2K are important to virtually everyone. Without safe, reliable, and affordable electric power, government, businesses, the economy, and the public at large are at risk. The Y2K issue has made us more aware than ever of how dependent we are on technology, other utilities, our suppliers and our customers. Meeting the Y2K Challenge is a team effort for utilities both large and small. Only through cooperation and teamwork will we be successful in preparing for the Year 2000. The electric power industry is an industry that runs 24 hours a day, 7 days a week. Since technology and people occasionally, and unpredictably, fail to perform as planned, the industry places a very high importance on contingency plans. It is an industry that is accustomed to planning for and responding to emergencies and other unexpected events, such as weather, natural disasters, accidents, equipment failures, etc., that might affect the generation, transmission and distribution of electricity. While Y2K poses a set of challenges that might be different than these other natural occurrences, the fact that we know when it will occur gives us a distinct planning advantage over many of the other challenges we face daily. overview of electric utility industry y2k readiness Last May, the U.S. Department of Energy asked the North American Electric Reliability Council (NERC) to undertake the coordination of an industry process to ensure a smooth transition to the Year 2000, and to conduct a comprehensive assessment of Year 2000 preparations in the electric utility industry. NERC is a voluntary, non-profit organization formed in 1968 to coordinate the reliability and adequacy of bulk electric systems in North America. All segments of the U.S. electric utility industry are working with NERC in this process. This includes EEI, the American Public Power Association (APPA), the Electric Power Supply Association (EPSA), the National Rural Electric Cooperative Association (NRECA), the Nuclear Energy Institute (NEI), UTC--The Telecommunications Association (formerly known as the Utility Telecommunications Council), and the Canadian Electricity Association (CEA). As part of its mission, NERC was asked to produce status reports to DOE for the industry. The data collected continue to indicate that Y2K will have, at most, a minimal impact on electric system operations in North America, and our confidence in the ability of the system to ``keep the lights on'' through the Y2K transition continues to build. The second NERC report to DOE, released last month, is attached to my testimony. Ongoing data collection is continuous, with comprehensive updates provided to DOE on a quarterly basis. DOE requested a final report by July 1999, and subsequent reports are likely. The NERC/DOE reports and other material, such as the industry Y2K coordination plan, are available on the NERC website at: www.nerc.com. Additional Y2K information is available at our own website: www.eei.org. The January 1999 NERC/DOE Status Report is based on data provided through November 30, 1998, by over 98 percent of the electrical systems in the United States and Canada. The report concludes that: <bullet> With proper contingency planning, sufficient generating capacity is anticipated to be available to meet demand during critical Y2K transition periods, including additional reserves and quick start units. <bullet> Nuclear generating facilities are expected to be available to supply their share of energy needs and all nuclear safety systems are expected to be fully ready for Y2K. <bullet> Transmission outages are expected to be minimal and outages that may occur are anticipated to be mitigated by reduced energy transfers established as part of the contingency planning process. <bullet> Distribution systems tend to be the least sensitive to Y2K anomalies, but testing and contingency planning remain important, as distribution systems have the least options for redundant supplies and facilities. <bullet> Telecommunications from external service providers is a key issue due to the uncertainties as to what capabilities might be lost and the real-time impact of any such losses. Extensive coordination and joint demonstration tests with the telecommunications industry are required and are being planned. According to the NERC report, more than 44 percent of utilities' mission-critical components were tested by the end of November 1998, and that figure now is approaching 60 percent. The most prudent time to schedule testing of electric systems for Y2K problems is during those times of the year when demand for electricity is low. As a result, electric companies have scheduled some of their Y2K work during regularly scheduled maintenance periods during the low load periods in the spring and fall. Based on testing done to date and scheduled testing in the spring of 1999, most electrical systems necessary to operate into the Year 2000 will have been tested, remediated, and will be Y2K ready by the industry target date of June 30, 1999. Facilities that will miss the June 30 target are already identified, few in number, and will not affect electric reliability into the Year 2000. Among non-nuclear generators, the most serious concern exists in the most modern plants directly operated by means of digital control systems. Nonetheless, not one ``live'' test of a fully remediated unit has resulted in a Y2K failure that caused the unit to shut down. No nuclear facility has found a Y2K problem that would prevent safety systems from shutting down a plant in an emergency. What problems have been found are typically limited to logs or date displays. All systems are expected to be at full capability during Y2K. Testing of substation controls and system protection devices reveal no power interruptions or safety concerns as a result of Year 2000 rollover in associated digital electronics. The Year 2000 conversion is not a new issue to the electric industry. EEI and the rest of the industry recognized the threat posed by Y2K several years ago and have been working toward solutions at several levels. Most electric utilities involved in generation and transmission have established Y2K programs and invested substantial personnel, financial, and technical resources in identifying and resolving Y2K problems. The industry has long been testing critical software. The Electric Power Research Institute (EPRI) has a special program devoted to identifying problems with embedded microchips and embedded digital controllers and working with vendors to find solutions. The EPRI program is open to any type of company, not just electric utilities, and several industries are represented. Nearly all of the detailed Y2K problem identification and resolution has been and will continue to be performed by individual electric utilities. For example, an EEI member company will typically spend anywhere from $10 million to $100 million addressing the Y2K problem. The NERC assessment survey tells us that 88 percent of utilities responding have their Y2K programs reporting to a Vice President or higher, and 84 percent indicate that they provide their Board of Directors with at least quarterly briefings on the status of their Y2K programs. As an example of work already underway, one major utility invested 16 person-years in 1998 alone. Another utility has 1,400 people across various departments assigned full- or part-time responsibility for Y2K activities. In terms of remediation and testing, some utilities are already operating multiple fossil generating units with almost all clocks set exactly 2 years into the future in an effort to eliminate any Y2K uncertainty. The industry has set a target date of June 30 for all utilities to have contingency plans in place. Industry- wide Y2K simulation drills are scheduled for April 8-9 (transition to the 99th day of 1999) and September 8-9 (transition to 9/9/99). focus of electric utility industry y2k testing programs Electrical systems are operated such that the loss of one, two or three facilities will not cause cascading outages. Y2K poses the potential threat that common failures, such as all generator protection relays of a particular model, failing simultaneously, or the coincident loss of multiple facilities could result in stressing the electric system to the point of a cascading outage over a large area. Testing results are confirming our initial feeling that this possibility is extremely low. As a result, we look to potential problems which might be created by more limited failures. It is here that preparation for these kinds of failures begins to look like prevention and response programs we undertake under non-Y2K circumstances. It is important to understand that all prevention programs do not have to be the same, but they do have to be coordinated. So the preparation of the electricity systems in North America has been a coordinated team effort by those entities responsible for system reliability--the NERC Regional Reliability Councils and the individual power providers. There are four critical areas which pose the greatest potential threat to maintaining a reliable supply of electricity during the Y2K transition: generation, energy management systems, telecommunications, and relay protection devices. First, power generating facilities must be able to operate through critical Y2K periods without tripping off-line. The threat is most severe in newer power plants with digital control systems, which contain time sensitive control and protection schemes. Digital controllers built into station equipment may also pose a threat. However, most older plants operate with analog controls, and will be less problematic. Energy management systems are computers within the electric control centers within the electric reliability regions across North America. These computers are used to operate transmission facilities and control generating units. Many of the control center software applications contain built-in time clocks used to run various power system monitoring, dispatch, and control functions. Many energy management systems are also dependent on time signal emissions from Global Positioning Satellites as a time reference. In addition to resolving Y2K problems within utility energy management systems, these supporting satellite systems outside of utility control must be Y2K compliant. Telecommunications is another critical area. Electric supply and delivery systems are highly dependent on microwave, telephone, frame relay, and radio communications systems. Therefore, the dependency of the electric supply on facilities leased from telephone companies and commercial communications network service providers is a crucial factor. Telecommunications systems are the nerve center of the electricity networks and it is important that we address the mutual dependencies of electric utility systems and the telecommunications industry. Utilities have similar mutual dependencies with natural gas pipelines. The final technical area of concern is in relay protection devices, which are used to rapidly isolate a portion of the transmission system that may be in trouble. Many protective relays are electromechanical and will not be affected. However, newer relays are digital and may have a risk of a common failure in which all the relays of a certain model fail simultaneously, which could result in coincident transmission facility outages. As a final observation, New Year's Eve 1999 falls on a Friday which, of course, is followed by a holiday weekend. Therefore, for nearly all of the country, during the first critical 72 hours, electric system conditions are likely to be favorable, with the level of electricity transfers at relatively light levels and extra generating capacity available. conclusion Understandably, customers are concerned about whether their electric service will be provided without interruption into the Year 2000. Policymakers at all levels are watching the electric utility industry's Y2K preparations very closely. Industry representatives have been called to testify before numerous Congressional hearings like this one, and we have cooperated with the General Accounting Office in an independent review of the industry's preparations requested by the Senate Special Committee on the Year 2000. Also, virtually every state and local regulatory and legislative body is exercising some degree of oversight authority over, at least, the investor-owned utilities operating in their jurisdiction. The electric utility industry's goal is to ensure that electric supply and delivery during all Y2K critical transition periods is provided without interruption. EEI and other industry organizations are working to ensure that each of the approximately 3,200 power providers in the electricity supply and delivery chain realize that they are all important links to overall industry success. Y2K issues must be addressed and resolved by each supplier. Even though the individual companies which make up the industry have become more competitive, they have banded together and have been devoting the resources necessary to achieve a successful Y2K transition. Utilities and customers must communicate with each other about their Y2K plans and programs. EEI and other industry organizations are urging their members to develop a ``Y2K rapport'' with all of their customers. Working together, not only can customers develop confidence in their utility's Y2K preparations, but utilities also can better understand the Y2K plans and needs of their customers during the critical periods. For instance, sudden large changes in the demand for electricity due to a lack of customer confidence--such as a large chemical plant deciding suddenly to shut down--can cause almost as many problems with the stability of the electric system as a sudden loss of supply. The ability to share technical information on Y2K problems and solutions is improving. Congress provided valuable assistance in this regard last year by enacting the Year 2000 Information and Readiness Disclosure Act, which provides a limited ``safe harbor'' for shared Y2K information. Particularly helpful is a provision in the law which specifically promotes industry-wide data gathering efforts such as the NERC reporting process. But liability fears continue to have a chilling effect on some Y2K activities and threaten to divert valuable time and resources away from remediation efforts. We urge Congress, working closely with all stakeholders, to enact timely, bipartisan legislation that will encourage Y2K remediation and discourage unnecessary litigation. In conclusion, the electric utility industry is well aware of the seriousness of the Y2K problem and the risks it poses. We are engaged in a total assessment process that will help guide us toward a successful transition to the Year 2000. And, communication and coordination among electric utilities, their customers, suppliers and vendors are the key to achieving that smooth transition. The electric power industry is one that anticipates unplanned events and problems and exercises contingency plans on a daily basis to keep the lights on. At this time we are cautiously optimistic that the transition to the Year 2000 will not be different from an electricity supply perspective than any other. Thank you again for the opportunity to present this testimony today. ______ Preparing the Electric Power Systems of North America for Transition to the Year 2000: A Status Report and Work Plan (Prepared by the North American Electric Reliability Council) executive summary Background This report is the second in a series of comprehensive quarterly status reports on efforts to prepare electric power supply and delivery systems for operation into the Year 2000. This report was prepared by the North American Electric Reliability Council (NERC) in response to a May 1998 request from the United States Department of Energy (DOE) to coordinate the industry's Y2K effort. The first quarterly status report was delivered to DOE on September 17, 1998. Results from the Fourth Quarter 1998 Minimal Operational Impact: With more than 44 percent of mission- critical components tested through November 30, 1998, findings continue to indicate that transition through critical Year 2000 (Y2K) rollover dates is expected to have minimal impact on electric system operations in North America. Only a small percentage of components tested indicate problems with Y2K date manipulations. The types of impacts found thus far include such errors as incorrect dates in event logs or displays, but do not appear to affect the ability to keep generators and power delivery facilities in service and electricity supplied to customers. Universal Participation: The level of participation in the industry-coordinated Y2K readiness assessment process increased dramatically during the fourth quarter 1998 and exceeds 98 percent of the electrical systems in the United States and Canada. This accomplishment addresses a concern raised in the previous report regarding the status of the non-reporting entities. Efforts will continue toward retaining as close to universal participation as possible. Recent legislation on Y2K information disclosure, as well as the credibility gained by the first report to DOE, has had a positive impact in encouraging information sharing and allowing additional entities to report their readiness status. Contingency Planning: Despite the expected minimal impacts on operating systems, the electric industry is taking very serious steps to prepare for possible operating contingencies. First drafts of contingency plans are being completed now by bulk electric operating organizations and will be reviewed by NERC and the NERC Regional Councils by the end of January 1999. Contingency plans are to be ready by the end of June 1999. Additionally, the industry is preparing to conduct two coordinated drills on April 9, 1999 and on September 8-9, 1999 to prepare for operations under Y2K conditions. Critical Issues Issue 1--Meeting Industry Established Targets: Analysis of fourth quarter 1998 report data (through November 30, 1998) indicates that, on average, the electric industry is close to, but slightly lagging the target of all mission-critical facilities being Y2K Ready by June 30, 1999. Followup interviews conducted by NERC staff with Y2K program managers indicate that those entities reporting expected completion dates later than the industry targets are doing so for one or both of the following reasons: <bullet> A small number of facilities or systems (typically 1-5 per entity) may be completed beyond the target date because of a scheduled outage period or other project planning considerations. <bullet> Some entities have been including items in their monthly reports not essential to sustained reliable electric operations going into the Year 2000. A general conclusion from these discussions with Y2K program managers, which must be confirmed by more detailed reporting, is that nearly all electrical systems necessary to operate into the Year 2000 will have been tested, remediated, and declared Y2K Ready by June 30, 1999. Any facilities or systems that will be completed after this date are specifically known, are limited in number, and would not adversely impact the ability to provide sustained reliable electric service into the Year 2000 should they not be available. Despite these assurances, further steps are outlined in this report to move the industry into conformance with established targets. Issue 2--Limited Ability to Test External Voice and Data Communications: Operation of electric systems is highly dependent on voice and data communications from external service providers. The electric industry has been assured and has full confidence that telecommunications services will be reliable through Y2K rollover periods. However, it is difficult to achieve extensive verification in the form of integrated testing of electrical system voice and data communications functions with external communications services providers. The dependence on voice and data communications directly affects real-time operations and control of electric systems and therefore requires the greatest attention in contingency planning and preparations. The electric industry is working hard, in cooperation with the telecommunications industry, to address this dependency issue. Coordination meetings are already taking place to understand the contingency requirements of each sector. Controlled demonstration tests are planned between electric substations and control centers and external telecommunications providers. The lessons from these coordination meetings and demonstration tests will be widely distributed to members of both industries. Additionally, communications will be the focus of electric industry contingency planning and drills. Issue 3--Preparation of Distribution Systems for Y2K: Results to date indicate that distribution systems are generally the least dependent on electronics and computers and are the least susceptible to Y2K anomalies. Several industry associations working with NERC have done an excellent job of enlisting the participation and cooperation of the approximately 3,000 electric distribution entities in the United States and Canada. Despite this reduced distribution equipment vulnerability, these systems are on the front line of electricity delivery to customers. Distribution systems are essentially radial in design and have fewer options that can be used to correct in real time for a failure. Therefore, continued vigilance is necessary to complete testing of all critical electronic components within distribution systems. Contingency planning and preparations are a key aspect of assuring distribution systems are ready to respond to conditions that might affect the ability to serve customers. Continuing Industry Efforts This report updates the industry work plan for continued coordination of Y2K efforts across North American electric systems: 1. NERC and its Regional Reliability Councils, in a cooperative partnership with the several trade associations, will continue to facilitate electric industry preparations for Y2K. These efforts include ongoing readiness assessment reports and information sharing. 2. The Y2K readiness assessment process will be modified to recognize specific, justifiable exceptions to the industry target dates and to apply greater supervision to any programs that are not in conformance with industry goals. 3. Draft contingency plans will be reviewed and coordinated at the Regional and NERC levels, with a goal of having plans ready by June 30, 1999. 4. The industry will conduct a drill on April 9, 1999, aimed at operating with limited communications under simulated Y2K conditions. 5. NERC will facilitate coordination efforts with the telecommunications industry to better understand and prepare for interdependencies. This effort will include one or more integrated demonstration tests between electric facilities and external communications services. section 1. conclusions and recommendations 1.1 Overall Summary of Y2K Readiness Status The following expectations are reasonable at this time based on information reviewed through the fourth quarter 1999 (based on data provided through November 30, 1998): 1. With proper contingency planning, sufficient generating capacity is anticipated to be available to meet demand during critical Y2K transition periods, including additional reserves and quick start units. 2. Nuclear generating facilities are expected to be available to supply their share of energy needs and all nuclear safety systems are expected to be fully ready for Y2K. 3. Transmission outages are expected to be minimal and outages that may occur are anticipated to be mitigated by reduced energy transfers established as part of the contingency planning process. 4. Distribution systems tend to be the least sensitive to Y2K anomalies, but testing and contingency planning remain important, as distribution systems have the least options for redundant supplies and facilities. 5. Telecommunications from external service providers is a key issue due to the uncertainties as to what capabilities might be lost and the real-time impact of any such losses. Extensive coordination and joint demonstration tests with the telecommunications industry are required. 1.2 Critical Issues Although a guarantee of continuous electric supply is not possible due to everyday occurrences, the goals of the Y2K program in the electric industry are: <bullet> To provide electricity supply and delivery to customers that is uninterrupted by a Y2K condition or failure. <bullet> To provide continuous operation of all essential functions and services such as customer response, business operations, supplies, and emergency repair capability. Three issues are presented here as needing special focus in the coming months in order to achieve these goals. Issue 1--Meeting Industry Established Targets: The industry target dates have been set in recognition of the strategic importance of reliable electricity supply to all other sectors and to national security. Additionally, these targets were set to allow time for validation and execution of contingency preparations and the conduct of a rehearsal exercise on the rollover from September 8 to September 9, 1999. The targets are: <bullet> Completion of Remediation and Testing by May 31, 1999. <bullet> All mission-critical facilities needed for sustained electrical operations into the Year 2000 are Y2K Ready by June 30, 1999. Analysis of the fourth quarter 1999 report data (through November 30, 1998) indicates that, on average, the electric industry is close to, but slightly lagging its Y2K readiness targets. However, this means a portion of the industry is reporting expected completion dates that lag the established targets. Followup interviews were conducted with some Y2K program managers, by the NERC staff, to determine the reasons these entities are expecting to miss the targets. It is apparent from these discussions that: <bullet> Most electric facilities necessary for reliable operation into the Year 2000 will have completed Remediation and Testing by the end of May 1999. <bullet> A small number of facilities (typically 1-5 per entity) may be completed beyond the target because of a scheduled outage period, vendor supply restrictions, or other project planning considerations. <bullet> Some entities have been including items in their monthly reports not essential to sustained reliable electric operations into the Year 2000. A general conclusion from these discussions with Y2K program managers, which must be confirmed by more detailed reporting information in future periods, is that nearly all electrical systems necessary to operate into the Year 2000 will have been tested, remediated, and declared Y2K Ready by June 30, 1999. Any facilities or systems that will be completed after this date are specifically known, are limited in number, and would not impact the ability to provide reliable service into the Year 2000 if operation without the equipment became necessary. Despite these assurances, further steps are outlined in this report to move the industry into conformance with established targets. NERC and its Regional Councils will identify and apply greater supervision to bulk electric Y2K programs that do not conform to industry expectations. The four criteria for a non- conforming program are: 1. Expected to complete Remediation and Testing or Y2K Ready status for mission-critical electrical facilities past industry targets of May 31, 1999 and June 30, 1999, respectively. Reasonable, specific exceptions may be justified for a limited number of facilities if they do not pose a risk to electric operations into the Year 2000. 2. Reported exceptions are excessive, not reasonably justified, or may pose a risk to electric operations into the Year 2000. 3. Missed status reports for two consecutive months. 4. Program has no written plan or does not report to executive management. This clear position on the need for conformance to industry targets, and the recognition that a small number of facilities may have reasonable justification for a later completion date, should result in the industry being on track to meet its targets by the first quarter 1999 report to DOE. Issue 2--External Telecommunications Dependency: It is becoming clear that voice and data communications from external service providers is a key dependency that affects real-time operation and control of electric systems and that extensive integrated testing with these external communications providers will not be practical. The electric industry has been repeatedly assured and has full confidence that telecommunications services will be reliable through Y2K rollover periods. However, it is difficult to achieve extensive verification in the form of integrated testing of electrical systems voice and data communications functions with external communications services providers. Electric systems have other dependencies, such as fuel supply and spare/replacement parts. However, voice and data communications are real-time dependencies and are the most challenging to account for in contingency planning and preparations. The electric industry has taken an approach of testing all mission- critical facilities, including its internally-owned voice and data communications facilities. The testing, however, generally stops with the electric utility's equipment and does not include external communications services. The telecommunications industry is working on the Y2K issue as much or more than any other sector. The inability to conduct extensive, integrated testing with all critical communications customers is understandable, as communications networks are global, very complex, and extremely interconnected. Telecommunications service providers cannot conduct end-to-end testing of live circuits, including integrated testing with all critical customers' equipment. The conclusion at this point is that extensive, end-to-end testing of electrical utility voice and data equipment with external telecommunications service providers is not practical. This characterization is intended to spotlight electric system operational concerns, not to point attention toward the telecommunications industry. In a parallel situation, it is also not practical for the electric industry to perform end-to-end testing that includes coordinated rollovers with all critical electricity customer equipment. The inability to perform end-to-end testing is not a limitation unique to the telecommunications industry. To address this issue, the electric industry must work hard and in close cooperation with the telecommunications industry. Coordination meetings are already taking place to understand the interdependencies and contingency requirements of each sector. A small number of controlled demonstration tests are being planned jointly between electric substations, power plants, control centers, and external telecommunications providers. It is important in these efforts to obtain the cooperation of not only major communications service providers, but also the local telephone companies that provide leased line service. The lessons from these coordination meetings and demonstration tests will be widely distributed to members of both industries. In addition to these industry-level efforts, coordination and some integrated testing efforts are occurring at the individual utility level. The goal of these efforts is to provide greater assurances that electric and telecommunications services will be there for each other during critical Y2K periods. Obviously, extensive joint testing at the individual utility level is not practical when one realizes there are over 3,200 electric organizations and over 1,400 telecommunications organizations in North America who are dependent on each other. Issue 3--Distribution Systems: Results to date indicate that local distribution systems are generally the least dependent on electronics and computers and the least susceptible part of the electric system to Y2K anomalies. Industry associations working with NERC (American Public Power Association, the Canadian Electricity Association, the Edison Electric Institute, and the National Rural Electric Cooperative Association) have done an excellent job of enlisting the participation and cooperation of the approximately 3,000 electric distribution entities in the United States and Canada. This information, included with this report, provides assurances that distribution systems are less vulnerable to Y2K anomalies and that they are taking steps to test and repair equipment that may be susceptible. Despite this reduced distribution equipment vulnerability, these systems are on the front line of electricity delivery to customers. Distribution systems are essentially radial in design and have fewer options that can be used to correct in real-time for a failure. Therefore, continued vigilance is necessary to complete testing of all critical electronic components within distribution systems. Contingency planning and preparations are a key aspect of assuring distribution systems are ready to respond to conditions that might affect the ability to serve customers. To address this issue, the following measures are recommended: 1. Associations should continue the quarterly assessment of Y2K readiness of distribution systems, with a goal of universal participation of distribution entities in North America. 2. Efforts should be expanded to assure testing of all critical digital components in distribution systems and to assure development of contingency plans. The recommendations above are directed to all types of distribution systems without distinction of size or ownership type. 1.3 General Recommendations to the Electric Industry The following recommendations support the continuation of the industry-led Y2K program: 1. NERC and its Regional Reliability Councils, in a cooperative partnership with sector trade associations, should continue to facilitate electric industry preparations for Y2K. These efforts include ongoing readiness assessments, information sharing, and other activities defined in the NERC Y2K Coordination Plan. 2. Organizations within the electric industry should establish project plans and resources to meet or exceed the industry milestones of completing Remediation and Testing by May 31, 1999, and all mission- critical systems Y2K Ready by June 30, 1999. 3. With coordination by NERC and its Regions, the industry should assess operating risks associated with Y2K and prepare contingency plans by June 30, 1999. Steps to mitigate operating risks should be coordinated on Interconnection, intra- and interregional, and individual company levels. 4. Coordination should be established at the industry and organizational levels to address interdependencies with communications providers, natural gas and oil suppliers, and coal transportation providers. 5. Interdependencies with external telecommunications providers should receive special attention, including development of demonstration tests and coordinated inter-sector contingency planning. 6. Additional focus should be applied to executing Y2K programs for digital components and preparing contingency plans in electric distribution systems. 1.4 What Can Others Do? Overall success of Y2K efforts in the electric industry depends on cooperation among the industry, government agencies, and customers. This section suggests ways that these stakeholders may help the process. Federal Governments in the United States, Canada, and Mexico 1. Allow the industry to continue managing Y2K efforts. Feedback on overall goals and effectiveness of Y2K efforts should be provided through the existing industry-led program. 2. Coordinate global issues related to Y2K that may have secondary effects on sustaining electricity supply in North America, including international oil and gas supplies and financial institutions. 3. Facilitate inter-sector coordination as needed to address interdependencies and assure continuity of essential services. State, Provincial, and Local Governments and Commissions 1. Encourage electric utilities within the local jurisdiction to participate in the industry efforts facilitated by NERC, its Regional Reliability Councils, and the industry trade association partners. Maximize the use of the existing NERC-facilitated process and readiness assessment information. Additional surveys and reports tend to draw resources from the primary focus of addressing Y2K technical issues. 2. Facilitate inter-utility coordination within the local jurisdiction to assure continuity of essential utility services such as electricity, water, sewage, natural gas, and telephone. 3. Facilitate coordination of emergency services such as police, fire, and other emergency management services. Electricity Customers 1. Identify the possible impacts of Y2K in your business or home and initiate actions necessary to assure safety and business continuity. 2. Check the Y2K information provided by your local electricity provider on the Internet or through literature mailings. If you are not satisfied with the Y2K program of your electricity provider, let them know. 3. Customers with electrical demands essential to safety and public well-being, such as hospitals; emergency services; public communications; gas, water, and sewage facilities; and hazardous materials handlers should review their emergency power supply provisions and procedures, and coordinate their needs with the local electricity provider. 4. Large commercial and industrial customers that would be severely impacted by an electrical outage should also review their emergency power supply provisions and procedures, and coordinate their needs with the local electricity provider. section 2. background 2.1 Y2K in Electric Systems Appendix A provides an introductory review of how electric systems operate and the potential impacts of Y2K. 2.2 Y2K Readiness Assessment Objective In a letter to NERC in May 1998, DOE requested an initial assessment by September 1998 of the electric industry's progress in addressing the Y2K issue and assurance by July 1999 that electric systems are ready to operate into the Year 2000 (Appendix B). This report provides the second assessment of Y2K readiness of the electric industry. Subsequent reports will continue to be provided on a quarterly basis. This report provides a comprehensive status report of: <bullet> What the electric industry is doing to address the Y2K issue and how much progress has been made in the fourth quarter 1998. <bullet> What the plans are to complete the preparations for Y2K. <bullet> How the industry is preparing to deal with and minimize the impact of any contingencies on the electric system that might still occur, despite best efforts to fix or replace Y2K-deficient devices. 2.3 Readiness Assessment Process A brief overview of the readiness assessment process is provided here, with a more detailed description provided in Appendix C. NERC Y2K Readiness Assessment Process The NERC Y2K Readiness Assessment process uses a detailed questionnaire that allows each organization to report progress across NERC-established mission-critical areas. The reporting cycle has been completed on a monthly basis since its inception in July 1998. The NERC questionnaire is targeted to the approximately 200 entities that own, operate, or monitor the bulk electric systems of North America. Distribution System Process A separate process to gather information from the 3,000 distribution systems is managed under NERC supervision by the American Public Power Association (APPA), the Canadian Electricity Association (CEA), the Edison Electric Institute (EEI), and the National Rural Electric Cooperative Association (NRECA). These organizations bring the ability to rapidly and closely coordinate with electric distribution entities through their existing membership channels. These four organizations have consolidated their findings into the distribution report of Section 3.8. Nuclear Facility Process NERC has enlisted the Nuclear Energy Institute (NEI) to provide assessment findings for nuclear facilities, which have been incorporated into Section 3.4 of the report. NEI's Y2K program allows for greater efficiency and technical expertise in the nuclear area than would otherwise be available. CEA has assisted by providing analysis of data from Canadian nuclear facilities. Business Information Systems EEI has developed the assessment report on Business Information Systems that is included in Section 3.9, based on data from the NERC assessment reports. 2.4 NERC Assessment Report Format The NERC Y2K Readiness Assessment uses a Microsoft EXCEL<SUP>TM</SUP> spreadsheet. This spreadsheet, which is available from the NERC web site (http://www.nerc.com/Y2K), has been distributed widely through available channels to all targeted entities. Completed responses are gathered electronically at the end of each month and compiled into an EXCEL data base. The process has been automated to facilitate the aggregation of the individual reports, while maintaining the anonymity of the reporting organizations. Once submitted, the reports go through a verification and data validation process. The final results are made public on the NERC Y2K web site. A list of responding entities is provided on the NERC Y2K web site, but NERC has made a firm commitment to all reporting organizations that NERC will not connect their identities to the specific responses in the data base. The NERC Y2K Readiness Assessment spreadsheet has an initial section to identify the organization, followed by sections covering the following areas essential to sustained, reliable operations of electric systems into the Year 2000: <bullet> General preparation (project plans, contingency plans, training, etc.) <bullet> Nuclear power generation <bullet> Non-nuclear power generation <bullet> EMS/SCADA <bullet> Telecommunications <bullet> Substation controls and system protection (including distribution) <bullet> Business information systems section 3. readiness assessment results fourth quarter 1998 This section summarizes the findings of the Y2K readiness of electric systems as of the fourth quarter 1998 (based on data provided through November 30, 1998). Each area of the progress assessment report includes major findings, an analysis of those findings, and recommendations. Supporting data are available for electronic download from the NERC Y2K web site at http://www.nerc.com/y2k. About 98 percent of the electricity supply and delivery organizations in North America have participated in the NERC Y2K Readiness Assessment process to date. About 194 of 198 bulk electric entities and 2,821 of the 2,888 distribution entities in North America have participated in this process by responding to data gathering efforts by NERC, APPA, NRECA, or CEA. Lists of all participating organizations are available at the NERC Y2K web site at http:// www.nerc.com/y2k. Reports were received from entities representing:\1\ --------------------------------------------------------------------------- \1\ These numbers understate the total load and generation reported, since they are based only on the NERC data. --------------------------------------------------------------------------- <bullet> More than 704,017 MW (96 percent) of system peak load out of a total estimated system peak load for North America of 734,335 MW <bullet> More than 666,474 MW (92 percent) of non-nuclear generating capacity out of 724,741 estimated in 1998 for North America <bullet> 100 percent of operational nuclear reactors (103 units at 66 facilities) reporting through the NEI process. More than 93,617 MW (84 percent) of nuclear generating capacity out of 111,046 MW also reported voluntarily through the NERC process, including all Canadian nuclear facilities This participation level is a marked improvement from the first report in September 1998. To assure continued strong participation, the NERC monthly report will become a conformance criterion for all bulk electric entities in the next period. APPA, NRECA, and CEA will continue to encourage participation of the few remaining distribution entities. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> 3.1 Readiness Status: Project Planning and Management Involvement This first readiness assessment section reviews project plans and controls and management involvement. This section refers to data from the NERC assessment and therefore is limited to bulk electric systems. Results from distribution systems are addressed later in Section 3.8. Executive Involvement in Y2K Findings 90 percent of reporting entities indicate the Y2K program reports to a vice president or higher. 89 percent of reporting entities indicate the Board of Directors or governing body of the organization receives at least quarterly briefings on the status of the Y2K program. These numbers have leveled off after a slight increase from the third quarter 1998 report. Analysis Followup interviews with entities reporting ``no'' on these items indicate that most Y2K programs do in fact report to senior management. The terms ``Vice President'' and ``Board of Directors'' lead to confusing responses in organizations that may have a governance structure different than a corporation, such as Federal, state, county, and municipal agencies. These organizations include certain water and electricity management districts and the U.S. Army Corps of Engineers. Not one followup interview indicated that the Y2K issue was buried at a technical or middle management level. In future periods, the reporting criteria will be clarified to indicate the acceptability of equivalent terms to Vice President and Board of Directors. Executive awareness and oversight are critical factors in Y2K project success. The risk potential for shareholders, customers, neighboring electric systems, and dependent industries warrants accountability for the Y2K program by a corporate executive or equivalent. These two report items will become criteria in future periods for determining whether a Y2K program conforms to industry expectations. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Recommendations 1. NERC will issue a clarification explaining the alternative use of terms that are equivalent to Vice President and Board of Directors. 2. NERC will establish these two items as criteria for a conforming Y2K program beginning in the first quarter 1999. 3. The Y2K program at each electric supply or delivery organization should be a direct responsibility of a corporate vice president or higher (or equivalent for organizations other than corporations). This individual should be accountable for the overall success of the Y2K program. 4. The Board of Directors or equivalent governing body of each organization should receive at least quarterly updates of the Y2K program status. Use of a Written Y2K Plan Findings 72 percent of entities reporting indicate they have developed a written plan for the management of their Y2K projects. 24 percent indicate a written plan is being developed with an average expected completion on December 31, 1998. 4 percent indicate they expect to use an unwritten plan or no plan. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Analysis Followup interviews indicate that the use of written plans may be understated. For example, one utility that reported ``In Progress'' has a written plan filling a two-inch binder. This plan is used everyday to guide the project. However, because the plan is evolving, that entity chose to report it as ``In Progress''. Once again, this is an opportunity to clarify the reporting criteria to gain a better picture of the level of conformance with expectations. If a written plan exists and it is being used, it should be reported as a ``Written Plan''. However, this issue cannot be entirely explained by confusion with the reporting criteria. A small portion of entities exists that simply has not completed its written plan. These entities should complete their plans immediately. Of the two entities reporting, they do not plan to develop a written plan at all, both are power producers. One has already completed all Y2K remediation and testing on its production facilities. The other plans to be ready by March 1999. The use of a written project plan is critical. NERC will make this item a criterion for a conforming program beginning in the next report period. A written plan should include as a minimum: assigned responsibilities and accountabilities, measurable milestones, and a schedule. Those entities that have not completed a written project plan should take immediate action to develop one. Even entities that do not feel they have Y2K problems or have completed their work should have a written plan addressing the issues listed above. No single best model exists for a Y2K project plan. The key characteristics of a plan are that it meets the needs of the organization and its stakeholders, it is adopted by the organization for implementation, and the organization's officers accept the plan as an effective approach to address the identified risks. Recommendations 1. NERC will issue a clarification explaining that an existing written plan that is being effectively used should be reported as a ``Written Plan'', even though the plan may continue to evolve. NERC will establish this item as a criterion for a conforming Y2K program beginning in the first quarter 1999. 3. The Y2K program at each electric supply or delivery organization should be guided by a ``Written Plan''. 3.2 Overall Progress Compared to Y2K Milestones Y2K progress can be measured as a percent of work completed in several key phases. NERC has adopted the use of three phases: Inventory, Assessment, and Remediation/Testing. NERC has deliberately avoided placing a strict definition on these three phases, so as to prevent conflicts with internal project definitions. These terms are commonly accepted in the industry and represent a reasonable division of the Y2K technical work. The division of work into these phases, however, is approximate and may require a certain amount of translation from internally defined project measures within each organization. Remediation and Testing is intended to include repair or replacement of Y2K deficient systems or components. Y2K Ready means a system or component has been determined to be ``suitable for continued use into the Year 2000.'' Note that this is not necessarily the same as Y2K Compliant, which implies fully correct date manipulations. Consistent with practices across other industries, the NERC Assessment Process has adopted the term Y2K Ready and does not use the term Y2K Compliant. It should be noted that these NERC-defined work phases do not necessarily flow sequentially. They will often be completed in parallel and there may be a need to iterate between the phases. For example, some devices may require testing to complete the initial assessment of Y2K susceptibility. After repair, the device may be tested again. The NERC progress assessment is focused on mission-critical systems associated with the reliable and sustained production, transmission, and distribution of electricity into the Year 2000. Findings Averages of the reporting organizations for the fourth quarter 1998 (as of November 30, 1998) indicate the following overall progress and expected completion dates for mission-critical electrical systems: ------------------------------------------------------------------------ Current Average Percent Complete Projected Y2K Program Phase 4th Qtr 1998 Average Completion Date ------------------------------------------------------------------------ Inventory.................... 96 August 1998 Assessment................... 82 November 1998 Remediation/Testing.......... 44 June 1999 ------------------------------------------------------------------------ The monthly progress in each of the three phases is shown in the graph below, beginning with data from the previous quarterly report (August 1998 data). A more detailed analysis is provided below for each of the three work phases, beginning first with the Inventory phase. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> The first graphic below shows that most reporting entities are 100 percent completed with initial Inventory. Most of the rest are nearly complete with this phase. A handful of organizations, mainly smaller producers or distribution entities, are reporting a low percentage of Inventory completed. This graph and similar ones that follow have on the horizontal axis the numbers 1 through 191, representing each entity reporting through the NERC process in November 1998. The vertical axis is the percent completion or expected completion date reported by each entity. The responses were sorted by magnitude for viewing and analysis. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> A review of expected Inventory completion dates (below) shows that most who did not meet the industry target of October 31, 1998 (shown by the heavy dark line) will be completed by the next quarterly report to DOE. The few entities expecting initial Inventory to be completed after March 1999 appear to misunderstand the reporting criteria because each of them has already completed at least 89 percent of their Inventory. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Similar distribution curves are shown below for the Assessment phase. Assessment requires an initial review of whether the device or system may be susceptible to Y2K anomalies and should be further tested, repaired, or replaced. It does not require full completion of testing and remediation. This first graphic shows about one third of reporting entities having completed their initial Assessment phase. The completion percentage drops off gradually over the remaining organizations, with some smaller organizations reporting 0 percent completion. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Most entities are expecting completion of the initial Assessment phase in the next quarter. Interestingly, again the latest projected completion dates come from entities that are well underway (60 percent or more complete). The smaller entities with 0 percent completion are expecting to be done with the Assessment phase in the first quarter of 1999 because they have only a few items to assess. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Progress in the Remediation and Testing phase is shown in the two graphs below. A few entities with a small number of facilities report 100 percent completion of Remediation and Testing. A wide variation exists among other entities, including some that report 0 percent completion of this phase. While most of the entities at the lower end of this curve have only a few facilities, some are mid-sized bulk electric entities. The heavy line in the graph below indicates a November 30, 1998 target of 52 percent complete. This is an expected progress level assuming a linear pace from the 28 percent reported in August 1998 to 100 percent completion by the end of May 1999. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> The second graph below shows the projected completion dates for Remediation and Testing, with the heavy line indicating the industry target of May 31, 1999. Most of the entities that reported an expected completion date of more than 30 days after the target (about 25 percent) were contacted for followup questioning. Of these, nearly all report that a small number of items are preventing them from completing Remediation and Testing by the target date. For example, a generating facility is scheduled for a maintenance outage in September 1999. To take the unit out of service for extended maintenance prior to that date would incur substantial costs. The unit is not necessary to meet lower than normal electricity demand through the initial transition to the Year 2000. All testing that could be done with the unit in service is done or will be completed by the target date. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Other entities contacted indicate that they were including all facets of their Inventory in the report, even those items not essential for sustained electric operations. These entities did not understand the reporting criterion to include only those facilities mission- critical for reliable electric operations into the Year 2000. In the final graph below, more than two thirds of reporting entities recognize and intend to meet the industry target of having all mission-critical facilities Y2K Ready by June 30, 1999 (the heavy line shown in the graph is the target). Those reporting Y2K Ready dates after the target fall into one of two categories: <bullet> A handful of facilities will not be Y2K Ready until later than the target for reasons discussed previously. Based on expected loading conditions for Y2K critical periods, reliable operation can be achieved if these facilities were not available. <bullet> Reporting criteria are not clearly understood. Some entities assume that they cannot say they are Y2K Ready until all work, even non-essential systems, are completed. Some assume Y2K preparation is a continuing process right up to December 31, 1999, even though electric facilities needed for operation are ready months earlier. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Analysis Analysis of the monthly report data for bulk electric systems, as presented above, indicates that, on average, the bulk electric systems are close to meeting Y2K readiness targets. However, this means a portion are reporting expected completion dates that lag the industry targets. Followup interviews were used to determine the reasons these entities were expecting to miss the targets. It is apparent from these discussions that: <bullet> Most electric facilities necessary for reliable operation into the Year 2000 will have completed Remediation and Testing by the end of May 1999. <bullet> A small number of facilities (typically 1-5 per entity with late projections) may be completed beyond the target because of a scheduled outage period, vendor supply restrictions, or other project planning considerations. <bullet> Some entities have been including items not essential to reliable electric operations going into the Year 2000. A general sense of these discussions, which must be confirmed by more detailed reporting information in future periods, is that most electrical systems necessary to operate into the Year 2000 will have been tested, remediated, and will be Y2K Ready by June 30, 1999. Any facilities or systems that will be completed after this date are specifically known, are limited in number, and would not impact the ability to provide reliable electric service into the Year 2000 should they not be available. Despite these assurances, further steps outlined in the recommendations below will be taken to move closer to full conformance with industry targets. Recommendations 1. NERC will clarify reporting requirements to indicate that organizations should report items necessary for reliable electric operations into the Year 2000, and that completion should be reported when the work is done. 2. Reporting in future periods will allow for identification of a limited number of specific exceptions planned for justifiable reasons. NERC will review the exceptions, justifications, and the potential reliability impacts to determine if the exceptions are acceptable on a reliability basis. 3. In future periods, NERC and its Regional Councils will identify and apply greater supervision, including notice to the chief executive, to programs that do not conform to industry expectations. The four criteria for non-conformance are: a. Expected to complete Remediation and Testing or Y2K Ready status for mission-critical electrical facilities past industry targets of May 31, 1999 and June 30, 1999, respectively. Reasonable, specific exceptions may be justified for a limited number of facilities if they do not pose a risk to electric operations into the Year 2000. b. Reported exceptions are excessive, not reasonably justified, or may pose a risk to electric operations into the Year 2000. c. Missed Y2K readiness status reports for two consecutive months. d. No written plan or does not report to executive management. 4. Electric supply and delivery organizations should take steps to complete initial Inventory and Assessment immediately, and to complete the remaining targets by the following schedule: ------------------------------------------------------------------------ Recommended Completion Date for Mission- Y2K Program Phase Critical Systems/ Components ------------------------------------------------------------------------ Remediation/Testing........................... May 31, 1999 Y2K Ready Status.............................. June 30, 1999 ------------------------------------------------------------------------ These targets apply specifically to facilities that are necessary to meet demand and reserve requirements for reliable operation into the Year 2000. Note that the targets may not apply to 100 percent of the generating units, if some units or facilities are not essential to meet operating requirements during the 1999-2000 winter season. Y2K Ready indicates ``suitable for use into the Year 2000 and beyond.'' 3.3 Non-Nuclear Generation Findings With 666,474 MW (92 percent) of non-nuclear generation reporting out of the 724,741 MW of total non-nuclear capacity in North America, the following progress is reported as of November 30, 1998: ------------------------------------------------------------------------ Y2K Program Phase Average Percent Complete ------------------------------------------------------------------------ Inventory 96 Assessment.................................... 79 Remediation/Testing........................... 42 ------------------------------------------------------------------------ <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> The graph above indicates substantial progress since the previous report. The graph below indicates improvement in the projected date for achieving a Y2K Ready status for mission-critical non-nuclear generation. As described in the previous section, this pace must be accelerated to reach the goal of Y2K Ready by the end of the second quarter 1999. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Analysis Testing of non-nuclear generators continues to indicate a minimal number of failures that might cause an unremediated unit to trip. Fully remediated units are all expected to be able to operate into the Year 2000. The more typical types of failures that have been detected affect a date stamp of a historical function or a display screen, but would not impact unit operation. The most serious concern for power production continues to be in the more modern plants operated by a Digital Control System (DCS). These stations are highly automated to obtain maximum efficiency. The DCS controls nearly all aspects of a generating unit from fuel and airflow for combustion, to water and steam flows, to turbine-generator controls, to auxiliary systems. Most of the technical expertise for these highly complex digital systems is with the original vendor, making this one of the more important vendor dependencies for the electric industry. Although DCS vendors are generally cooperative, the resources of some are stretched under the current demand. DCS vendor support is one of the constraints often quoted for units that will be completed past the industry target dates. There have been a few instances during Y2K testing in which it is thought that a lock up of an unremediated DCS system might have caused the unit to trip. Another type of system reported as being somewhat more problematic than others are continuous emissions monitoring systems (CEMS). Problems being detected, however, do not appear to be limiting the operation of a unit, because they are linked to the data management rather than the monitoring devices themselves. A spectrum of approaches exists to deal with emissions monitoring from use of internal expertise for testing to dependence on vendor support, to replacing systems with those known to be Y2K compliant. Of particular interest are the results of integrated tests involving the entire power station. More than 40 units at more than a dozen utilities have been tested while operating on-line and producing power. These tests consist of simultaneously moving as many systems and components as possible forward or backward to various critical dates. These tests require an extraordinary level of preparation and coordination to ensure the safety of all systems and that the impact to the electric system would be minimal should a unit trip during the test. Of all the integrated unit tests reported to date, not one test of a fully remediated unit has resulted in a Y2K failure that caused the unit to trip. In some cases, units that were moved forward to a post January 1, 2000 date have been left to continue running with clocks set ahead with no negative consequences. Others report setting back the date at which their units operate. A typical setback is 28 years to closely align the calendar dates with days of the week and leap years. One issue moving forward is how much of this integrated generator testing is appropriate. The answer is not simple because the preparations to conduct such a test on a unit are extensive and the results continue to indicate that a unit properly tested at the component level does not exhibit problems at the overall unit level. The experience with this type of testing will continue to increase in the next quarter. More detailed results from these tests should be shared across the industry to evaluate whether further integrated testing is appropriate, or if it is simply a challenging exercise with little incremental value. Most Y2K testing at power plants is performed using in-house resources during a scheduled outage. Controllers with embedded chips sometimes can be tested in place, but are often moved to a special test laboratory set up at the plant. Tests are often performed using specially adapted PCs or laptops that can be connected to a device to run a series of tests. Many companies reporting have adopted a customized version of the General Motors Year 2000 Testing Template, the EPRI Y2K Test Procedures, or the British Standards Institute Y2K Compliance Standard. Some power producers rely on vendor test results if they are credibly documented or verified. However, most power producers are committed to testing all mission-critical components and systems themselves (DCS systems are the obvious exception as previously discussed). Power producers also are actively implementing vendor supplied or recommended upgrades. Some have hired additional technicians or engineers to assist in the process. Recommendations 1. Organizations with generating facilities should adjust schedules and resources to meet the recommended industry milestones. Specific exceptions should be reported beginning in the first quarter 1999. 2. Organizations with DCS controls on generating units should collaborate through EPRI or vendor user groups to optimize available resources and information necessary to test and remediate DCS systems. 3. NERC or EPRI should facilitate an industry assessment of the benefits and risks of on-line generating unit tests and propose guidelines for the practice. 3.4 Nuclear Generation Nuclear facility Y2K programs are closely coordinated within the overall enterprise-wide Y2K program. However, to take advantage of substantial work and leadership in this area by NEI, NERC requested that NEI provide an assessment of Y2K activities in the nuclear sector for incorporation into this report. The assessment by NEI is provided here. Each nuclear facility Y2K readiness program has a broad scope, including components and systems important to the continued operation to generate electricity into the Year 2000. Reporting is based on the full program, not just those items considered mission critical. Findings This nuclear Y2K program update is based on November 30, 1998 status reports from all (100 percent) operational nuclear generation plants. There are 103 operational reactors at 66 facilities. Reporting is at the facility level. All nuclear generation facilities have a Y2K readiness program based on guidance in NEI/NUSMG 97-07, ``Nuclear Utility Year 2000 Readiness.'' All readiness programs have senior management involvement. The following summary is based on reporting milestones that are slightly different for the nuclear facilities compared to the other areas reporting. ------------------------------------------------------------------------ Y2K Program Phase Average Percent Complete ------------------------------------------------------------------------ Inventory (Initial Assessment)................ 99 Detailed Assessment........................... 75 Remediation................................... 31 ------------------------------------------------------------------------ <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Similar to the other areas being assessed in this report, completion of the detailed assessment, including component testing and development of remediation strategies, is a good indicator of the Y2K readiness of nuclear plant facilities. The projected percentage of plants completing these efforts is indicated in the following chart. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> No facility has found a Y2K problem that would have prevented safety systems from shutting down a plant, if conditions required after the turn of the century. Thus, Y2K problems in nuclear facilities do not represent a public health and safety issue. Twenty facilities have identified specific components for which remediation is currently scheduled to extend beyond the June 30, 1999, target date for readiness program completion. All facilities will develop contingency plans for key rollover dates. Work on this phase is 13 percent done, with a target completion date of June 30, 1999. Analysis On average, detailed assessments are 75 percent completed, compared to 40 percent in the previous report. Although the rate of progress is good, expected completion dates for this phase have slipped for some facilities. Currently, 50 percent of the facilities estimate completion of this phase by the end of the year, compared to 84 percent in the previous report. Although few problems are being found, this delay in the schedule for completing detailed assessments reduces the time available to complete required remediation. Twenty facilities have identified specific components for which remediation is not scheduled to be completed by June 30, 1999. In general, this represents one or two items at a plant. The nuclear readiness program recognizes that some remediation would extend beyond the target completion date of June 30, 1999. In many cases, a low risk remediation effort has been scheduled for a fall 1999 outage to avoid an unnecessary shutdown. In some cases, delays are driven by projected component delivery schedules or the scope of work involved. Facilities have recently started work on contingency plans for key Y2K rollover dates, with most of the planning effort to be conducted between January and June 1999. NEI conducted a workshop for nuclear facility Y2K project managers in early December to focus on the work remaining to be done in 1999. This workshop was part of a continuing process of sharing information between project managers and reviewing solutions to problem areas. Topics included: <bullet> Current industry status and areas needing attention <bullet> Training on the industry's contingency planning guide <bullet> Sharing audit program insights <bullet> Expectations for readiness program reporting <bullet> Sharing remediation insights The Canadian Electricity Association has assisted by coordinating with the three entities operating nuclear power producing facilities in Canada. All of these facilities are similar in design, utilizing Atomic Energy Canada Limited's CANDU heavy-water reactors. The nuclear industry in Canada is regulated by the Atomic Energy Control Board (AECB), which has established a rigorous Y2K program as part of its licensing activities. The AECB does ``not foresee the need for license conditions specific to Y2K issues at this time. Safety issues that could arise from Y2K-related problems can be dealt with at assessment and are covered by existing license conditions.'' Recommendations 1. Nuclear facility managers need to apply additional attention to detailed assessments that are scheduled for completion after December 31, 1998. Facilities should review outstanding work to ensure critical systems are tested first and, where possible, schedules accelerated. 2. Any remediation scheduled to be completed after June 30, 1999 warrants special management attention. In some cases low risk items will continue to be scheduled for fall outages. For other items, schedules should be reviewed and accelerated or alternate remediation strategies considered. 3.5 Energy Management Systems Of the major control centers reporting in the third quarter 1998, the following results are reported. Progress has improved since the previous report and is nearly on target for completion of Remediation and Testing by May 31, 1999. As shown in the graph below, the projected schedule for achievement of Y2K Ready status for EMS/SCADA systems has improved. ------------------------------------------------------------------------ Y2K Program Phase Average Percent Complete ------------------------------------------------------------------------ Inventory..................................... 98 Assessment.................................... 82 Remediation/Testing........................... 48 ------------------------------------------------------------------------ <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> As shown in the graph below, the projected schedule for achievement of Y2K Ready status for EMS/SCADA systems has been improved. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Analysis Most companies utilize commercial EMS/SCADA products. A few have ordered new Y2K compliant systems as part of their Y2K remediation approach. For those, Y2K testing may consist of factory acceptance tests in the vendor's shop. For these new systems, Y2K issues are typically resolved prior to delivery and installation. Some of the entities interviewed report using the EPRI Testing Guidelines during their EMS/SCADA testing. A few organizations use a simulator or test bed during EMS/SCADA testing, while others use their backup or development EMS/SCADA systems as test environments. A few entities report that they use the Bellcore Y2K Test Procedures or an ABB-Integrated Test Package for end-to-end testing of SCADA. Several organizations report having made upgrades to satellite clocks connected to their EMS computers. These upgrades are required to correct the well-known 1,024-week rollover bug in Global Positioning Systems (GPS). Interviews with Y2K program managers indicate that no major problems are being encountered during testing and that EMS/SCADA systems are expected to be at full capability during Y2K. Problems that have been found are typically limited to historical logs or date displays. Testing is a complex process that includes computer hardware, communications equipment, computer operating systems, data bases, software applications, display systems, etc. For some components, such as computer operating systems, the utility is highly dependent on a vendor. For the most part, however, utilities have the expertise in house to test and correct for any date problems within the EMS/SCADA. The two most significant risks associated with EMS/SCADA operation into the Year 2000 are: <bullet> Loss of external data communications (discussed in next section) <bullet> Overload of alarm systems or data buffers if a burst of activity occurs during critical rollover periods Recommendations 1. Organizations with control center facilities such as EMS and SCADA systems should adjust schedules and resources to meet the recommended milestones. 2. EMS/SCADA systems are vital to reliable electric system operation and should be rigorously tested. Contingency strategies should be well defined and practiced, including use of backup facilities and alternatives such as manual control and voice communications. 3.6 Telecommunications Findings The following are the progress results in the fourth quarter of 1998 for the internally owned and operated telecommunications systems used to monitor and operate electric supply and delivery systems. ------------------------------------------------------------------------ Y2K Program Phase Average Percent Complete ------------------------------------------------------------------------ Inventory..................................... 94 Assessment.................................... 78 Remediation/Testing........................... 48 ------------------------------------------------------------------------ <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Projections for Y2K Ready status have improved but continue to lag the target slightly. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Analysis The electric industry owns and maintains a majority of its voice and data communications facilities. However, a significant portion of voice and data communications flow over the facilities of external service providers. These providers may be local telephone carriers providing dedicated circuits to carry monitoring and control signals to power plants and substations. They also may be providers of long distance services, satellite systems, cellular systems, and wide-area networks. The electric industry, like many other industries is dependent on a complex set of integrated communications systems. Most entities report satisfactory progress in testing their internal communications systems, as reported above. Like EMS/SCADA and DCS systems, communications is an area that often requires support from vendors. Entities report making Year 2000 upgrades on older network equipment (e.g., routers, hubs, and switches). Often testing procedures or test results have been made with the assistance of or information available from equipment vendors. It is apparent that it will not be practical to perform extensive integrated testing with external voice and data communications service providers. Typically these service providers are working hard to complete their own program but cannot dedicate substantial resources to joint testing with individual customers, including electric utilities. Also, these service providers typically cannot provide live circuits for end-to-end testing with electric systems, leaving most testing for a laboratory environment. The large number of entities involved further compounds the challenge of joint testing with external communications providers. There are over 3,000 electric organizations in North America, over 1,400 independent telephone companies, and dozens of other major communications service providers. One large electric utility may use as many as 40 to 50 telephone companies in several states. To overcome these challenges, it is necessary to collaborate across both industries to perform the following: <bullet> Share information to test and remediate as smartly as possible <bullet> Conduct joint demonstration tests of integrated electric system voice and data systems with independent telephone companies and major service providers <bullet> Coordinate inter-industry contingency planning These activities have become more formalized in recent months to provide both industries necessary support. NERC is working to develop one or more joint tests near the end of the first quarter 1999. Coordinated contingency planning is beginning in January 1999. Many larger electric entities, and in some cases regions that have banded together for the purpose of coordinating with communications providers, have had success in getting necessary support and testing. Partial loss of voice and data communications remains a high priority for contingency planning for electrical systems. Backup voice communications systems that do not have common failure modes with primary systems are the appropriate strategy for voice communications. Loss of data communications may require manual operation of some facilities. These issues are discussed further under contingency planning in Section 4. Recommendations 1. Organizations should adjust Y2K schedules and resources to meet the recommended milestones for voice and data communication systems essential to electric power production and delivery. 2. NERC should coordinate joint demonstration tests with the telecommunications industry with the goal of discovering vulnerabilities and developing mitigation strategies. 3. For communication systems that are deemed essential to power system operation, contingency plans for alternative communications should be provided. 3.7 Substation Controls and System Protection Findings The progress by phase in the area of Substation Controls and System Protection is provided below. ------------------------------------------------------------------------ Y2K Program Phase Average Percent Complete ------------------------------------------------------------------------ Inventory..................................... 97 Assessment.................................... 81 Remediation/Testing........................... 53 ------------------------------------------------------------------------ <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Projected completion of Y2K Ready status has improved, similar to other areas, but is slightly behind target. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Analysis Most entities report finding no system protection devices that would cause power interruptions or safety concerns as a result of a Year 2000 rollover in digital electronics. Some report minor issues with microchips and relays, which may result in minor cosmetic results such as two-digit years in logs. Entities report repair of these devices using vendor supplied chip upgrades. Many electric systems still utilize electromechanical relays, which are not date sensitive. Most report known work around procedures for cosmetic problems. A few entities report using test beds or test labs for testing substation and system protection devices. Typically these are portable laptop computers with special customized software. Generally no date rollover problems are found. Some event recorders may experience date problems, but most other items are date insensitive. Event recorders should be fully tested and remediated, as they may provide valuable information following a disturbance. Some relays and devices do not recognize a leap year, but this condition exists in other years as well, is not unique to Y2K, and is not an operating problem. Recommendation 1. Organizations with transmission or distribution substations should adjust schedules and resources to meet the recommended milestones. 3.8 Distribution Systems Background Due to the number (about 3,000) and diversity of distribution systems in North America, NERC has obtained the assistance of four electric industry associations (APPA, CEA, EEI and NRECA) to collect information on the developing state of readiness of electric distribution systems. Due to the differences among industry segments, each association took a different approach to collecting assessment information. This section of the report was developed through the collaborative efforts of these four organizations. EEI's approach was to analyze the distribution system data provided by the NERC assessment reports, because the majority of the investor- owned electric utilities are directly involved in reporting to NERC in all assessment categories. This approach also allowed EEI to gather information on investor-owned utilities that are not part of EEI's membership. APPA's approach was to develop a three-tiered survey to assess the current Y2K status of APPA member and nonmember public power systems. Over 2,000 surveys were sent out, followed by a phone survey starting in October 1998. The first tier was a comprehensive three-page survey sent to the largest 241 systems. The second tier was a two-page survey sent to the middle 539 systems. The remaining systems, those with less than 3,000 customer meters, received a simplified one-page survey. To date, APPA has received responses from systems representing statistically a virtual 100 percent of the customers served by public power, and surveys from over 98 percent of all systems. APPA also has included Y2K readiness information from the Virgin Islands, Guam, American Samoa, and Puerto Rico. NRECA's approach started with information from its telephone survey in August 1998. This information established a baseline set of data on the amounts and types of equipment at each distribution cooperative. That data was used to divide rural electric distribution cooperatives into two groups for the fourth-quarter survey conducted in early December 1998. About 600 cooperatives that have minimal or no Y2K sensitive equipment were faxed a four-page abbreviated form. The remaining approximately 275 cooperatives were faxed an eight-page survey similar to the NERC form. NRECA non-members were included in the process. Questions about generation were not posed to rural electric distribution systems, as they do not control generation assets. The Generation & Transmission (G&T) cooperatives that do own generation are reporting through the NERC process. CEA used a short questionnaire, similar in content to those used by APPA and NRECA, to gather information from Canadian distribution entities. There were 71 responses received to date. Findings Indicated below, is the fourth quarter 1998 Y2K progress results for distribution system organizations responding to the NERC survey: ------------------------------------------------------------------------ Average Percent Complete Y2K Program Phase 4 Qtr 1998 ------------------------------------------------------------------------ Inventory..................................... 96 Assessment.................................... 79 Remediation/Testing........................... 56 ------------------------------------------------------------------------ <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Analysis Distribution system control, communication, monitoring, and data gathering equipment can be separated into three categories: (1) electromechanical, (2) analog electronic, and (3) digital electronic. Electromechanical equipment is the predominant type of equipment in distribution systems and is not date sensitive because it has no electronics. Analog electronic equipment generally monitors voltage, current, or frequency and has little or no need for a date function. Also, much of the voice communications equipment used by distribution systems is analog electronic. Although EMS and SCADA hardware devices and operating software depend on date functions, relatively few distribution systems use these systems. Two thirds of rural electric distribution cooperatives do not have significant investments in SCADA or EMS equipment. Revenue metering equipment falls into all three categories. With few exceptions, digital electronic equipment is the category in distribution systems that may be susceptible to Year 2000 rollover problems. There are some recent trends toward automation and computerization of some distribution devices, including regulators, reclosers, meters, recorders, relays, capacitor controls, automatic transfer switches, time-of-use meters, communication with mainframe, and interfaces to SCADA, where microprocessor and/or digital electronics are involved. These devices need to be evaluated, assessed, and tested for Y2K readiness. With regard to telecommunications systems, like the rest of the industry, distribution systems rely on the publicly switched telephone network, as well as private wireless and wired networks for mission critical power delivery functions. Telecommunications equipment owned or used by rural electric cooperatives is under scrutiny for Y2K deficiencies. Responses to the top two tiers of APPA survey, which together represent nearly 95 percent of the customers served by public power, indicate that over 96 percent have Y2K plans. Over a third of these have hired consultants to assist in their Y2K efforts. Some testing has been completed by almost 70 percent of these public power systems. Over 65 percent of the small public power systems report that their city government has the overall responsibility for the Y2K plan. Responses to the NRECA survey indicate 97 percent of Inventory, 92 percent of Assessment, and 80 percent of Remediation and Testing have been completed as of early December 1998. Responses indicate 90 percent of software and 94 percent of hardware systems will be Y2K Ready by June 30, 1999. CEA analyzed data received from 76 Canadian utilities. These results suggest that 61 percent of the Y2K work in the distribution area had been completed by Canadian electric utility organizations as of the end of November. The average date for Y2K project completion is June 1998. Distribution entities have reported that the assessment of protective relaying systems have not uncovered any problems that would prevent these systems from being Y2K Ready. Further testing of specific systems will be done to confirm these findings. Equipment manufacturers have indicated that most of the date-related information does not affect the system protection aspects of the relays. Companies are testing more than just the calendar function of the devices. They are also testing normal device operation as devices pass through critical dates in testing. Distribution entities are reporting some problems in the metering and fault recorders area involving software that is not compliant. Vendors are providing new software versions in each case. No universal guidance exists to date on the need to test all microprocessor- based components in distribution systems. At issue is whether every individual device should be tested. The question is most difficult in distribution systems, where thousands of a specific type of device could be found. An alternative would be to apply statistically valid sampling methods or to rely on the vendor certification of a particular model of a device. Distribution equipment in this category includes communications devices, relays, reclosers, and some metering with digital components. Further evaluation is needed to assess the benefits of one testing strategy over another within distribution systems. Pending further research, it is recommended that if the failure of a digital device alone could result in customer outages, each individual device should be tested. Otherwise statistical measures or vendor certification may be more appropriate. NRECA and APPA developed Y2K Readiness Guides that were distributed to all public power systems and rural electric systems in October 1998. APPA also has undertaken a project to produce a Y2K case study guide of three municipal electric systems in the U.S. This study guide is scheduled for completion in February 1999. NERC's Contingency Planning Guide will also be made widely available to all electric distribution systems to assist their planning efforts. Recommendations 1. All distribution organizations should plan to have mission- critical systems and components Y2K Ready by June 30, 1999. This includes remediation and testing of components identified to have Y2K problems and measures to mitigate the possible loss or malfunction of systems and components that can not be repaired and will not be replaced. 2. Distribution entities should prepare Y2K plans including special operating procedures, training, contingency plans, and emergency response. 3. Pending further research, it is recommended that if the failure of a digital device alone could result in customer outages, each individual device should be tested. Otherwise statistical measures or vendor certification may be more appropriate. 3.9 Business Information Systems Background This section on Business System Information Systems is included at the request of the electric utilities and their associations. Although business systems do not have instantaneous impact on the power supply of North America, some of these functions may be necessary for the sustained operation of each organization. Electricity providers must have the continuing ability to service customers, order fuel supplies, pay their work force, and locate equipment in the field. The readiness assessment of business information systems was done with the cooperation of APPA, CEA, EEI and NRECA. Electric utilities vary greatly in size and scope. They may be distribution-only, or vertically integrated with generation and transmission. Customer counts range from a few hundred to several million. Thus, no single approach to assessing Y2K readiness of business information systems is appropriate. Larger, investor-owned electric utilities, represented by EEI, all received the Business Systems Assessment form included in the NERC process. APPA, CEA, and NRECA used the survey processes previously described in the distribution section. Findings The following are the results in the fourth quarter of 1998 for business systems at electric supply and delivery organizations responding to the NERC survey: ------------------------------------------------------------------------ Average Percent Complete Y2K Program Phase 4 Qtr 98 ------------------------------------------------------------------------ Inventory..................................... 98 Assessment.................................... 91 Remediation/Testing........................... 58 ------------------------------------------------------------------------ <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Analysis To date, 170 electricity providers utilities have responded to the Business Systems portion of the NERC survey, including 78 investor- owned utilities, 22 generation and transmission cooperatives, and 27 municipal utilities. As in the third quarter survey, business systems are at a higherpercentage of completion than the overall average. The readiness of business systems has improved substantially during the 3-months since the initial report, with 98 percent of all business systems inventoried and 91 percent assessed. However, only 78 percent of electricity providers responding to the NERC survey have completed inventory of all business systems, and only 15 percent have completed all assessments. Only one electricity provider reports completion of all remediation and testing for business systems. About 95 percent of business systems at reporting utilities are expected to be Y2K Ready in the second quarter of 1999, with all systems ready in the third quarter. This is an improvement in the expected completion date over the September 1998 report, though not yet in conformance with NERC targets. Organizations are reporting that systems that share data between the mainframe and distributed platforms are difficult to test due to the complexity of the systems and information relationships. Organizations have indicated that network components are difficult to test thoroughly, as real-world environments are difficult to replicate. Others have cited the lack of ``user experts'' as an issue when it comes to certifying a system as Y2K Ready. Some entities are taking a second look at their inventory and assessment as they have obtained additional information concerning systems that may be at risk. In some cases, entities are waiting on vendors to supply Y2K fixes to systems or waiting on certification or testing of outsourced business systems before remediation and testing phases can be completed. Recommendation 1. Although business system Y2K readiness is above average and accelerating among respondents, schedules should be adjusted and necessary resources added to meet the recommended NERC milestones. In particular, electricity providers must quickly complete the inventory and assessment of all business systems to allow sufficient time for remediation and testing by May 31, 1999. 3.10 General Issues Identified During Assessment Process Several issues that span the overall Y2K program are addressed in this section. 1. Customer Support: Each electrical system entity that directly serves customers should establish an information program focused on sharing results and recommendations with customers. Establishing a Y2K web site and literature mailings have proven successful for that purpose. Some entities have conducted or plan to conduct symposia targeted toward customers, particularly larger ones. Customers with very large demands (for example greater than 10 MW) and customers with critical demands related to public health or safety should review their own emergency power supply provisions and coordinate as needed with their electricity provider. It is not practical in most instances for the electricity provider to conduct joint tests of facilities with individual customers, but the needs and the power supply provisions of the most critical customers should be discussed. 2. Vendor Support: Although electrical utilities tend to have substantial in- house expertise to operate and maintain their systems, they are dependent on vendors in some areas, as pointed out previously (i.e., DCS, EMS/SCADA, and telecommunications). Vendor support has been generally satisfactory with some instances of spotty cooperation. In some cases, the utility is sufficiently large or can band together with others to provide leverage to get the necessary support from vendors. Electric utilities are most likely to apply business incentives to obtain cooperation rather than to threaten legal actions. Vendor user groups and collaborative efforts such as that sponsored by EPRI can have a positive effect on gaining vendor cooperation and consolidating demands on vendors. In some cases, raising issues to the upper level of management of the vendors has been successful. 3. Information Sharing: The ``Year 2000 Information and Readiness Disclosure Act'' has had a positive impact on the flow of information sharing by electric utilities and their suppliers. Although liability issues have not been erased, information sharing is much freer in the past 3 months. 4. Independent Verification: The process NERC and its association partners use relies on information reported by members of the industry. There have been extensive followup discussions with Y2K program managers at reporting entities on issues and concerns raised by the assessments. The NERC project team is satisfied that the results reported are open and accurate and, if anything, conservative statements of progress. Some organizations use an independent review function within the organization to monitor their Y2K program. Others have hired an independent firm to verify program performance. Ultimately, the decision regarding whether independent verification is necessary should be made by each organization. In future periods, NERC will request information on whether an independent review is performed of each organization's Y2K program. 5. Excessive Reporting Burden: Some entities report continuing requests for excessive information from customers and regulatory agencies. Every effort should be made by customers and regulatory agencies to use existing information from the NERC program. Where it is appropriate to obtain details of an individual program, that information should be directly requested from the utility. The NERC report format should be used as much as possible, even for these individual requests for information. 6. Personnel Resources: Availability of qualified resources, particularly engineers and technicians, is an issue reported by a number of programs. 7. Clean Facility Management: Y2K programs should implement positive controls to assure that once facilities have been declared Y2K Ready they do not become re-contaminated by incoming supplies or software modifications. section 4. contingency planning and preparations 4.1 Goal of Contingency Planning The NERC Y2K program uses a ``defense-in-depth'' concept. Test results into the fourth quarter of 1998 continue to indicate that Y2K failures do not appear to be of the type that would cause properly remediated electrical facilities to trip out of service. However, the consequences of wide-spread or extended outages, however improbable, are so significant that the industry does not plan to stop simply with testing and repairing equipment. Contingency planning is an important step in assuring that electric systems are operated in a manner such that operating problems are handled without resulting in a loss of customers due to Y2K. 4.2 NERC Y2K Contingency Planning Guide NERC has developed a guide to Year 2000 contingency planning and preparations for the electricity supply and delivery systems of North America. The goal is to mitigate operating risks to achieve reliable and sustained electric operations during the transition into the Year 2000 and beyond. This guide is intended to address all aspects of electric power production, transmission, and distribution in North America. The guide is available on the NERC Y2K web site at http://www.nerc.com/y2k. The following steps outline the NERC process for Y2K contingency planning and preparations. These steps are intended as a general guide. Regions and operating entities are expected to develop contingency plans that meet their specific requirements. Step 1: Identify Y2K Operating Risks Step 2: Conduct Y2K Scenario Analysis Step 3: Develop Risk Management Strategies Step 4: Implement General Preparations Step 5: Plan Power System Operations during Y2K Periods Step 6: Implement the Y2K System Operating Plan 4.3 Organization and Responsibilities The effort of preparing electric systems for operation during critical Y2K transition periods must be coordinated at several levels. NERC is coordinating contingency planning and preparations at the Interconnection and interregional levels. NERC will review the contingency planning and preparation efforts across all ten Regional Reliability Councils. Regional Reliability Councils will coordinate efforts within their Regions and with neighboring Regions. This includes intra- and interregional studies and preparations. Regional Reliability Councils will assure participation of members of the Region. Organizations that operate generation, transmission, or distribution systems will participate through the Regions in this contingency planning and preparations effort. They will coordinate contingency planning and preparations with their customers. 4.4 Critical Y2K System Operating Dates Part of the Y2K risk assessment process is to internally review the risks of Y2K anomalies for various dates. NERC-recommended dates for consideration are listed below in priority order. It is important to recognize that critical transition periods may last only for minutes or hours due to primary causes (i.e., unit trips, loss of primary voice communications, etc.) or for days or weeks for secondary causes such as reduced supplies of natural gas, oil, or coal. Priority 1 Dates December 31, 1999 to January 1, 2000; Rollover to 2000: Date = 010100 Priority 2 Dates September 8, 1999 to September 9, 1999; February 28, 2000 to March 1, 2000; Special value: Date = 090999; Rollover in/out of leap year date Priority 3 Dates April 8, 1999 to April 9, 1999; August 21, 1999 to August 22, 1999; Special value: 99th day of 1999; GPS satellite clocks expire 4.5 Activities Completed During Fourth Quarter 1998 The following activities have been completed in the fourth quarter 1998: 1. All bulk electric operating entities have been requested to prepare draft contingency plans by December 31, 1998. These plans are to be submitted to the NERC Region, integrated into a Regional plan and reviewed for completeness and consistency. NERC will review the contingency planning process and results at a meeting by the end of January 1999. A mid-point review of contingency plans conducted by NERC in November 1998 demonstrated that this task is being taken very seriously and progress has been substantial. 2. NERC is initiating a series of Interconnection studies to analyze electric system behavior under anticipated Y2K conditions. A first step is to gather system snapshots during the current New Year's Eve period to obtain demand and generation patterns. This data will be used to build one or more base cases for Y2K studies. Data from previous New Year's Eves on long weekends indicate that demands are typically in the 40-50 percent of system peak demand. The data will be adjusted over a range of possible conditions determined by customer behavior, weather, and Y2K operating plans. The NERC Engineering Committee will facilitate a series of power flow and stability studies to evaluate various operating strategies. Individual Regions and operating entities will also perform studies with more local detail. 3. Initial planning of the April 9, 1999 industry drill has begun. A document describing the scope, objectives, and reporting requirements for this drill will be available by the end of January. This drill will focus on operating the system with limited voice and data communications. It requires placing personnel at key operating facilities and communicating by backup systems. One Regional entity, PJM Interconnection L.L.C (PJM), completed a drill on December 15-16, 1998 that included Y2K-related communications. PJM simulated the loss of voice communication--requiring operators to provide drill data via point-to-point satellite communications. This portion of the drill tested the operator's ability to use ``one-way'' communications to supply necessary data (satellite phones, when in the point-to-point mode, are very similar to walkie-talkies). This drill simulated the loss of voice and data communications with another company and requested that the necessary data be supplied to calculate Area Control Error (i.e., tie line flows and schedules). A number of data and communication issues were identified (i.e., know what screens the data is located on, how to report flows ``from bus to bus'' rather than +/-, frequency of reporting, and threshold delta for increased reporting frequency). Additional tests of satellite communications will be planned in PJM as more local control centers obtain satellite communications. In addition, tests of power system control data reporting requirements will be drilled in the future. A satellite communications protocol is being developed for the purposes of conducting a point-to-point satellite conference call. 4. In November 1998, the NERC Operating Committee approved the Contingency Planning Guide and recommended proceeding with the April and September drills. On January 4, 1999, the NERC Board of Trustees approved conduct of the April 1999 drill and development of a detailed plan for the September 1999 drill. 4.6 Y2K Contingency Planning Issues 1. Voice and Data Communications: The provision of voice and data communications is emerging as the highest priority issue in contingency planning. Electric power systems have grown over the past 20 years to be heavily dependent on communications equipment and networks for real- time control and monitoring. Operation with limited communications is feasible, by returning to more manual methods of control and monitoring that were used in the past. Potential mitigation strategies include provision of backup voice communications independent of primary systems and preparations to operate in a manual mode using personnel at key operating facilities. Contingency planning will also include consideration of information management during Y2K periods. Information from Asia, Australia, and Europe that might be considered in operating systems in North America will be obtained and broadcast to operating entities. A communications function will be established to rapidly share information and gather information regarding systems conditions during Y2K periods. 2. Unusual Loading Patterns and Minimum Generation Conditions: Another priority concern that is emerging from the contingency planning process stems from the need to have additional generating units on line as a precaution against Y2K events. With additional generators on line and the possibility of customer demand being low through the extended holiday period, utilities must consider what is called a ``minimum generation'' condition. When there is too much generation on line in relation to demand, system voltages and frequency can rise. Planning for the rollover into the Year 2000 must tradeoff the need to have additional reserves to respond to possible generator contingencies with the potential for excessive voltages. Customers should be encouraged during the period not to take unusual steps such as shutting down facilities that would normally operate through the holiday weekend. Extremely low demand or an unusual demand pattern can present additional challenges for operation of the electric system. 3. Restoration Plans: Control areas should review system restoration plans for Y2K considerations, including the ability to black start. These plans should be coordinated with neighboring systems, including plans to reconnect systems. Dependence on external black start resources should be coordinated to ensure they will be available under Y2K conditions. 4. Contingency Planning in Distribution Systems: Contingency planning should be extended to distribution systems. In particular, distribution systems should prepare plans for restoring customers under anticipated Y2K conditions. Loss of external power supplies and loss of distribution facilities should be considered in the contingency planning process. 5. Emergency Services: Coordination of emergency services and emergency response to serve the public are not part of the NERC Y2K program. Planning for emergency services and emergency response should be handled through those agencies that would typically provide support, such as municipal, county, and state emergency response agencies. These agencies should coordinate emergency response strategies with essential utility services providers, including electricity, communications, water, and sewage. Issues to be addressed include movement of utility- essential employees to key locations, service restoration priorities, communications, and Y2K scenario response strategies. 6. Market Operations: One goal of preparing for Y2K is to impact electric market operations as little as is necessary and to allow market participants to be part of the Y2K operating strategy. It is not certain at this point if the number of market transactions should be reduced during the critical rollover periods (they may already be at a low level due to the holiday). It is clear that market participants should be part of the solution and should be informed and included in the contingency planning process. NERC offers an Interim Market Interface Committee as a good forum to start discussions in early 1999. Similar coordination should take place at the Region and the individual system levels. 4.7 Contingency Planning Schedule Contingency planning efforts are specific to each operating entity but require coordination at the Regional, interregional, and Interconnection levels. The NERC Operating Committee, through its Security Coordinator Subcommittee, will facilitate this process. The following milestones are applicable to the NERC contingency planning process: ------------------------------------------------------------------------ ------------------------------------------------------------------------ December 31, 1998......................... First draft of Regional and operating entity contingency plans available to NERC/Regions for review January 25-26, 1999....................... NERC review of draft contingency plans January 27, 1999.......................... Inter-industry contingency planning coordination meeting April 8-9, 1999........................... First industry-coordinated Y2K readiness drill (communications) June 30, 1999............................. Second draft of Regional and operating entity contingency plans available to NERC/Regions for review September 8-9, 1999....................... Second industry-coordinated Y2K readiness drill ------------------------------------------------------------------------ section 5. nerc y2k coordination plan This section provides a summary of the Y2K coordination activities of the electric industry of North America. As described in Appendix C, the program is being facilitated by NERC, its ten Regional Reliability Councils, and trade association partners. More than other industries, the electric power industry of North America has proven its capability over the past 30 years to meet operating challenges through close coordination of planning and operations. The result is the most reliable electric service in the world. 5.1 Objectives The goal of the NERC Y2K Coordination Plan is to prepare the electric systems of North America for reliable and sustained operations into the Year 2000 and beyond. This goal is achieved through the following objectives: 1. Assuring mission critical systems are Y2K Ready by June 30, 1999 through coordination of a rigorous program of identification, repair or replacement, and testing of software, digital components, and integrated systems. The principal tool for coordinating this effort at the industry level is the NERC Y2K Readiness Assessment Report. 2. Coordinating the sharing of Y2K technical and project management information and resources. This sharing occurs through the NERC Y2K web site, industry conferences, technical committee meetings, a NERC- sponsored Y2K Coordination Task Force, an EPRI information exchange program, and other cooperative efforts. 3. Coordinating the assessment of Y2K operational risks and developing and implementing contingency plans in accordance with the NERC Contingency Planning Guide. NERC, its Regional Reliability Councils, and their members are working together to meet these objectives. The previously mentioned industry associations, APPA, CEA, EEI, EPRI, EPSA, NEI, and NRECA, are assisting in these efforts and working actively with their members. 5.2 Defense-in-Depth Strategy NERC is focused on operational reliability through a ``defense-in- depth'' strategy. The defense-in-depth strategy assumes that although one has taken all reasonable and necessary preventive steps, there can never be 100 percent assurance that major system failures cannot cause a catastrophic outcome. Instead, multiple defense barriers are established to reduce the risk of catastrophic results to extremely small probability levels and to mitigate the severity of any such events. Despite the NERC Y2K readiness assessment process and the Herculean efforts of countless persons across the industry, there is no guarantee that all Y2K deficiencies will be identified, fixed, and tested in the remaining time. The cornerstone of the NERC Y2K plan, therefore, is to coordinate industry actions in implementing the following defense-in- depth strategy: 1. Identify and fix known Y2K problems. NERC is providing a vehicle for sharing of information on known Y2K problems and solutions associated with the operation, control, and protection of power generation, transmission, and distribution facilities. This information includes a generic inventory of Y2K susceptible components, testing guides, and Y2K project management guides. 2. Identify most probable and credible worst-case scenarios. NERC is facilitating the conduct of Regional and individual system assessments of risks to determine most probable and credible worst-case scenarios. Mitigation plans for these scenarios will be developed and implemented on a Regional and local basis. 3. Plan for the probable--prepare for the worst. NERC will coordinate efforts to prepare for reliable and sustained operation of electric systems into the Year 2000 and beyond. Preparations include development of special operating procedures and conducting training and system-wide drills. 4. Operate systems in a precautionary posture during critical Y2K transition periods. NERC will coordinate efforts to assure electric power systems are operated in a manner commensurate with identified operating risks. Examples of precautionary measures may include reducing bulk transfers, ensuring that all available generation and transmission facilities are in service, and increased staffing at control centers, critical substations, and generating stations during rollover periods. 5.3 NERC Y2K Coordination Plan To accomplish the objectives stated above, a ``Y2K Coordination Plan for the Electricity Production and Delivery Systems of North America'' was developed in June 1998 and is continuously maintained. This plan is divided into the following three phases: Phase 1 (May-September 1998)--In Phase 1, NERC mobilized coordination and information-sharing efforts and performed a preliminary review of Y2K readiness of electric power production and delivery systems. Phase 1 culminated in an initial report to the NERC Board of Trustees on September 14, 1998 and to DOE on September 17, 1998. Phase 2 (September 1998-July 1999)--NERC is assisting the Regional Reliability Councils and their member operating entities in resolving the known Y2K technical problems. A process of monthly reporting of progress using established criteria is continuing. A Contingency Planning and Preparations Guide is being implemented to identify, assess, and prepare for most probable and credible worst-case scenarios. Phase 2 will culminate in July 1999 with a report to the NERC Board and to DOE on measures being taken to prepare bulk electric power production and delivery systems for operation during the Y2K transition. Interim quarterly reports, such as this report, will continue to be provided. Phase 3 (July 1999-March 2000)--During this period, NERC will review the final preparation and implementation of contingency plans and operating procedures. NERC and its Regional Reliability Councils will facilitate the conduct of a September 1999 drill and final arrangements to prepare for critical Y2K periods. Phase 1 Tasks Task 1. Establish an Internet web site for sharing of information on known Y2K problems and solutions. NERC has established a Y2K web site and will continue to add resources and links to other sites. The web site includes Y2K resources and an information exchange forum. (Done and continuing.) Task 2. Prepare a list of bulk electric system Y2K key entities and contacts. This list identifies Y2K key personnel in each Region and at system operating entities. This list is maintained on the NERC Y2K web site. (Done and continuing.) Task 3. Establish a NERC Y2K Coordination Task Force. This Task Force has one representative from each Region who is knowledgeable about Y2K issues and the activities within the Region. The Task Force coordinates through frequent teleconferences and meetings to ensure high levels of information exchange and coordination of efforts. (Done and continuing.) Task 4. Coordinate a preliminary assessment of Y2K readiness. NERC, along with its Regional Reliability Councils and industry partners, has facilitates reporting of quarterly status of Y2K readiness, as summarized in this report. This Y2K Readiness Assessment process will continue through the remaining phases. Report data will be gathered on a monthly basis and summary progress reports delivered to DOE on a quarterly basis. (Continuing.) Phases 2 and 3 Tasks and Schedule Task 5. Develop Y2K contingency plans. NERC, in coordination with the Regional Reliability Councils, is facilitating the identification of most probable and credible worst-case scenarios. These scenarios will be evaluated from the perspective of probability and consequences to determine appropriate mitigation strategies. (Initial drafts completed and currently under review.) Task 6. Facilitate development and implementation of Y2K preparedness plans. NERC, in cooperation with the Regional Reliability Councils, will facilitate the development and implementation of special procedures and plans for operation during Y2K transition periods. NERC will develop the generic elements of a preparedness plan for use by operating entities in developing specific plans. (Under development.) Task 7. Facilitate conduct of training and drills. Training and drills will be coordinated by Regional Reliability Councils to ensure personnel and systems are ready for operations during the Y2K transition. A drill in April 1999 is focused on communications during Y2K. A September 8-9, 1999 drill is planned as a rehearsal for the New Year's rollover. (Under development.) Task 8. Coordination of plans to configure electric systems in precautionary posture. NERC and the Regions will coordinate the preparation of operating plans to mitigate the consequences of any adverse Y2K problems. Examples may include ensuring that all available transmission facilities are in service, starting additional generators, which include older analog controlled units, providing additional staff at control centers, power stations, and critical substations, and operating the electric system with reduced electricity transfers. The critical Y2K operating period is likely to extend several weeks before and after midnight December 31, 1999. (Under development.) Task 9. Coordination of system monitoring and rapid response during Y2K period. NERC, the Regional Councils, and Security Coordinators will monitor conditions during Y2K-critical periods and be prepared to implement pre-established contingency plan. This includes development and implementation of a Y2K communications plan. (Under development.) ______ APPENDIX A background--year 2000 impacts on electric power systems of north america Will the lights go out at midnight, December 31, 1999? Many so- called experts in the news and on the Internet have predicted that the electric systems of North America will suffer major power outages as a result of the ``Y2K bug.'' These outages are forecast to last days, weeks or even months as electric utilities scramble to fix hard-to-find problems. Life in North America as we know it will supposedly come to a grinding halt without electricity and make a slow, painstaking recovery. Are these predictions true? One thing we do know--these predictions are not based on facts or rational analysis of information from the industry. That is the purpose of this report. This report provides a comprehensive review of where the electric industry of North America is in its efforts to identify, fix, and test for the Y2K bug. This report looks at the nature of the Y2K threat in electrical systems, what is being done about it, the schedule for completing the work, and how the industry is preparing to deal with contingencies that may occur. Will the lights go out? The answer is that no one knows for certain yet what the effects of Y2K will be. The risks that Y2K may impact electric system operations are real--much like the risks that earthquakes or severe weather could cause electrical outages even before the new millennium arrives. In our favor is a work force of competent people, dedicated to maintaining reliable electric system operations, who are working hard to solve the problem. What is the Y2K Bug? The Y2K bug results from a programming convention for the designation of a date as MMDDYY in the United States and DDMMYY in other parts of the world. This convention has been used extensively since the earliest days of computer programming and now affects numerous software programs and electronic devices, including some of those used in electric power systems. The bug becomes apparent as we transition from the year 1999 to 2000, when computers and electronic chips read the year as 00. The most obvious outcome is that computer programs and electronic devices could interpret 1/1/2000 as 1/1/1900, causing problems for any applications that depend on time or dates. Testing has shown that the Y2K bug is actually much more complex than this simple explanation because a variety of problems can occur with date interpretation. The problems are not restricted to a single date change at midnight December 31, 1999. Date-related anomalies may occur at 1/1/99, 9/9/99, 2/29/00 and up to a dozen other dates. Although there are many known types of Y2K failures, the three dominant ones are: <bullet> Failure to recognize the correct year in transitioning from 99 to 00. <bullet> Expiration of an electronic ``clock'' that was referenced to measure time as the number of seconds from an initial start date, such as January 1, 1970, and which will expire on a certain date when the clock counter buffer is full. <bullet> Use of certain values, such as 99, to serve as placeholders with special meanings for programmers, hence the concerns for 1/1/99 and 9/9/99. How did something that is so obviously a major problem today come to happen? Common wisdom is that programmers in the early days of computers were thoughtfully saving precious memory space by using two digits for the year. A more likely explanation is that programmers were simply carrying forward a common practice in everyday life of depicting a date as MMDDYY. Because most computer applications (then as well as today) are not date sensitive, programmers were simply denoting a date in the same manner it would be written or viewed by a human. If anything, use of the MMDDYY (or DDMMYY) format saved on the amount of programming code needed to convert the date to any format other than the one in which it would be displayed. Regardless of how we arrived at this dilemma, it is upon us. The concern now is how to fix the problem and mitigate its consequences-- now. The hands of time will not stop as they tick toward an inevitable encounter with the Year 2000. How do Electric Power Systems Work? <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> overview of electric power systems The figure above shows that electricity is produced in power plants. There are many types of power production facilities, but the most common are fossil-fueled (oil, natural gas, and coal-fired), hydroelectric (run-of-river or pumped storage), and nuclear plants. There are also power plants that use renewable resources, such as wind, geothermal, and solar power. A commercial power production station may consist of a single unit producing as little as a few million watts (MW), up to very large stations of 8-10 large generating units producing a total of 8,000 MW or more. In 1998 there is about 835,787 MW of electric power production capability in North America--enough to power 8.36 billion light bulbs at 100 watts each! A generating station typically contains a complex set of equipment, controls, and computers to manage fuel, boilers, water and steam systems, plant auxiliary equipment, and electrical systems, just to mention a few. A power station will usually have an adjacent electrical switchyard to which it feeds its electrical output, and which it uses for outside power when the plant is off-line. Some generators are located remote from demand centers, often near a fuel supply or a cooling water supply. Other generators are close to the demand centers and are especially useful during heavy demand periods or as a backup supply. In the switchyard, the electricity from the power plant is usually ``stepped up'' in voltage for transmission to other parts of the system. The voltage of the electricity that is generated is increased to a higher voltage to allow it to flow over a longer distance with a lower power loss--the higher the voltage, the lower the current flow for the same amount of power transported. The transmission system consists of electric substations networked together by connecting power lines. Each substation contains transformers to raise or lower voltage, voltage regulating devices, circuit breakers and switches, meters, control devices, and communications equipment. Most, but not all, control equipment is in the substation. This equipment includes controllers to operate devices, and protection systems to open circuits if there is a fault. Each substation typically has its own backup battery power supply so that the protection systems, controls, and communication equipment can continue to operate for several hours, if there is a power outage. The bulk electric transmission system is tightly networked so there are many alternative paths for the power to flow. The transmission system carries the electricity to load centers where the voltage is ``stepped down'' through transformers for local distribution. Distribution systems have much of the same types of equipment as the transmission systems, except that the distribution equipment operates at lower voltages. As distribution systems get closer to the ultimate points of use, they typically become more ``radial,'' like the spokes on a wheel. Power flow into a modest-sized town might have 6-10 power lines. By the time the power is flowing along a typical street, there is usually only one line providing the power flow at any moment in time. Some of these radial distribution lines are sectionalized with cross ties, so that if part of a line becomes damaged (say by a fallen tree) many of the customers whose electric service was interrupted can be reconnected from an alternate source. Large metropolitan load centers are typically more networked and have numerous power sources. Distribution systems tend to be more electro- mechanical and have less digital controls than the bulk electric systems. Both transmission and distribution systems, have extensive protection schemes--relaying. Relays detect abnormalities (faults) in the power system. Each relay is responsible for the protection of a specific sector of the power system. When a relay has detected a fault condition, it sends a signal to the appropriate circuit breakers in the switchyard or substation to open, thus disconnecting the element of the power system that has the abnormality. Abnormalities can be caused by such events as a simple kite string contact, a lightning stroke contact to a circuit, or the failure of a transformer. Some protective devices are used along distribution feeders to automatically sectionalize the feeder (isolate sections where an abnormality occurred) or to reclose on the power source after a fault has been cleared. At the point of use, the electricity flows through a meter and into the customer's electrical system. Some large commercial and industrial customers connect at higher distribution voltages such as 480, 4,160, or 13,700 volts. However, most residential customers connect to the electric system at 120/240-volt service. Many customers that have critical electrical needs provide their own backup power supplies as a precaution against the loss of offsite power. Although power supplies in North America are very reliable compared to other parts of the world, some outages are inevitable due to storms, fires, accidents, or equipment failures. Two components of the power system that are not shown in the figure above but which are very important are the control centers and the data and voice communications systems. Although the facilities shown in the figure represent the physical plant to produce and move power, the control centers and communications facilities serve as the brains and nervous system. About 200 control centers in North America manage the bulk electric system. Of these, 136 operate as ``control areas,'' meaning they dispatch generation on a moment-by-moment basis to maintain a balance of power generation and demand. The remaining centers operate transmission facilities only. In addition, hundreds of additional control centers are used to monitor and control the local distribution systems. All control centers typically have a data acquisition capability to collect real-time status of the electric system, supervisory control to operate breakers, switches, and voltage control devices, and other software programs to manage the system. The figure below shows conceptually the control center operator dispatching generation and transmission within his or her area to: (a) balance demand and generation and (b) to ensure flows and voltages stay within safe limits. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> control centers are used to monitor and control power systems In addition to the control centers, power systems depend on an intricate network of voice and data communications. Much of the communications capabilities such as remote terminal units at the substations, fiber optic lines, local and wide area networks, telephone and radio systems, and microwave systems are owned and operated by electric utilities. Other capabilities, such as dedicated leased telephone lines, satellites, cellular networks, and Internet services may be provided by external sources. The bulk electric systems of North America are tightly connected into three major electrical Interconnections,\1\ sometimes called ``grids.'' All of the generators and electrical demands within each Interconnection are connected electrically and operate together as a single large interconnected ``machine.'' The largest of these grids, the Eastern Interconnection, covers the eastern two-thirds of the U.S. and eastern Canada. The second largest, the Western Interconnection, covers the western third of the U.S., western Canada, and the northern portion of the Baja California Peninsula in Mexico. The third is called ERCOT (Electric Reliability Council of Texas), which covers most of Texas. In addition to these three major Interconnections, there are numerous smaller electrical systems in Alaska, Hawaii, and several coastal islands off the U.S. and Canada. --------------------------------------------------------------------------- \1\ Quebec, Canada was previously described as a fourth Interconnection in North America. Although Quebec still does not operate synchronously within the Eastern Interconnection, modifications made to its electrical system including the strength of its HVDC ties to New England and New York are the basis for recently incorporating Quebec into the Eastern Interconnection. Quebec operates to the same reliability standards as other utilities in the Northeast Power Coordinating Council. --------------------------------------------------------------------------- Each of the three major Interconnections is a highly connected electrical network. A major disturbance within an Interconnection can have an immediate effect throughout the Interconnection. This high level of interdependence within an Interconnection means that the strength of the overall system may only be as strong as the weakest link. It also means that electric systems depend on each other for help during critical periods. This interdependence implies that an individualistic approach to the challenges of Y2K may leave gaps in efforts to prevent adverse effects to operations within an Interconnection. The three major interconnections operate without synchronous connections, but there are DC ties connecting them. Major DC ties allow Quebec to deliver electricity to New England and New York, connect the Eastern and Western Interconnections, and connect ERCOT (Texas) to the Eastern Interconnection. <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> three major electrical interconnections of north america As a final note, electricity is the original and ultimate example of ``just-in-time'' manufacturing. Electricity cannot be stockpiled in large quantities like other commodities, such as water, gasoline, clothing, and paper. This real-time production requirement greatly increases the complexity of producing (generating), transporting (transmission), and delivery (distribution) of electricity. At the instant someone turns on a light or their PC, the additional electricity required must be immediately available from a generating station that may be hundreds of miles away. What is the Nature of the Y2K Issue in Electrical Systems? In most respects the electric industry faces the same Y2K challenges as every other industry and even small businesses and individuals. Y2K anomalies could lead to the malfunction of software programs on mainframe computers, servers, PCs, and communications systems. Corrupted data could be passed from one application to another causing erroneous results. In the electric industry, this means computer programs used for accounting, administration, billing, and other important functions could experience problems. Of greater concern, both in the electric industry and elsewhere, is the pervasiveness of the Y2K bug in embedded chips. Small electronic chips control devices used throughout our society. Examples include heating and cooling systems, VCRs, answering machines, facsimile machines, coffeepots, microwave ovens, and traffic controls. In the electric industry, these chips are used in communications and numerous power system device controllers. Electronic chips are generally mass-produced without knowing the ultimate application of the chip. A single circuit board can have 20-50 of these chips from various manufacturers. Because of the diversity of chip suppliers, one vendor may use a different mix of chips even within devices labeled with the same name, model number, and year. Many of these chips have built-in clocks that may experience date change anomalies associated with Y2K. The difficulty is in identifying all of these devices, determining if they have a Y2K problem, and repairing or replacing those that do. It is estimated that less than 1-2 percent of these devices may use a time/date function in a manner that could result in a Y2K malfunction of the device. Mission-Critical Systems Affected by Y2K It is important to understand how Y2K may affect the components of the electrical system that are essential to the production, transmission, and delivery of electricity. Addressing the Y2K bug is a daunting task, but it becomes more manageable if we focus on mission- critical systems. There are five areas in which Y2K poses the greatest risks to a reliable electric supply: <bullet> Power production--generating units must be able to operate through critical Y2K periods without tripping off line. Units that are scheduled to operate must be able to startup and deliver electricity as planned. The threat is most severe in power plants with Digital Control Systems (DCSs). Many older plants operating with analog controls may be less problematic. Numerous control and protection systems within the DCS use time-dependent algorithms, which may result in generating unit trips when encountering a Y2K anomaly. Digital controllers that have been built into station equipment, protection schemes, and communications also may pose a risk. Nuclear generation is an important part of the electric supply mix and is addressed as a separate element of this report. <bullet> Energy management systems--There are about 200 bulk electric control centers \2\ in North America. From these control centers, system operators monitor and control the backbone of the electrical systems and dispatch generation to meet demand. Computer systems within these control centers use complex algorithms to manage the operations of transmission facilities and to dispatch generating units. At any moment in time, a percentage (i.e., 10-20 percent) of generating units may be on automatic control for the purpose of following the change in electrical demand and regulating Interconnection frequency. Many of the control center software applications contain built-in time clocks used to run various power system monitoring, dispatch, and control functions. Some energy management systems are dependent on time signal emissions from Global Positioning Satellites, which reference the number of weeks and seconds since 00:00 UTC January 6, 1980.\3\ Beyond the 200 bulk electric operating centers, there are hundreds of additional control centers used to manage sub-transmission and distribution systems. These systems are typically operated using a subset of an energy management system, called Supervisory Control and Data Acquisition (SCADA). --------------------------------------------------------------------------- \2\ The number 200 is approximate, depending on the definition of bulk electric control center. Bulk electric operations centers perform generation dispatch and control, transmission monitoring and control, and emergency operations. There are 136 Control Areas. \3\ UTC is an acronym for an internationally coordinated time scale that forms the basis for disseminating standard frequencies and time signals. --------------------------------------------------------------------------- <bullet> Telecommunications--Electric power systems are highly dependent on microwave, telephone, VHF radio, and satellite communications. If the control centers are the ``brains'' of the electrical grids, communications systems are the ``nervous system.'' Telecommunications is the single most important area in which the electric systems depend on another industry. Many of the telephone, microwave, and network services used for communications in the electric industry are provided by telephone companies and other communications and network service providers. The dependency of electric supply and delivery systems on external service providers is a crucial factor in successful performance during Y2K transition periods. <bullet> Substation controls and system protection--Throughout electric transmission and distribution systems there are substations that contain control equipment such as circuit breakers, disconnect switches, and transformers. Remote terminal units (RTUs) in substations serve as the communications hubs for the substations, allowing them to communicate with the control centers. Substations also contain most of the transmission and distribution system protection relays, which serve to operate circuit breakers to quickly isolate equipment should an electrical fault occur on a line, transformer, or other piece of equipment. Many devices and relays in a substation are electromechanical (not digitally controlled), but a portion of these devices may be digital. <bullet> Distribution systems--Distribution systems deliver electricity from the transmission network to customers. Because there is a lot of commonality in the types of substation equipment in distribution compared to transmission, for the purpose of this report, transmission and distribution substations are aggregated as one area. Distribution systems have additional equipment outside substations (for example along a distribution feeder) that may have electronic controls. Examples include reclosers (relays that open and close a feeder in rapid succession to allow a fault to clear), capacitors, voltage regulators, and special monitoring devices. Although the five areas outlined above focus directly on the production and delivery of electricity, other support systems are essential to sustained operations of the electricity service provider. These systems have been grouped under the heading ``Business Information Systems'' in this report. They may include customer service call centers, supply and inventory systems, accounting systems, and others. ______ APPENDIX B Letter from the Department of Energy Asking NERC to Coordinate the Electric Industry's Y2K Readiness Program The Secretary of Energy, Washington, DC, May 1, 1998. Mr. Erle Nye, Chairman of the Board, North American Electric Reliability Council, Dallas, TX. Dear Erle: We are writing to seek the North American Electric Reliability Council's (NERC's) assistance in assessing whether the Nation's electricity sector is adequately prepared to address the upcoming Year 2000 computer problem. The Administration is undertaking a coordinated effort to assess various sectors' readiness to address the issue. The Department of Energy (DOE) is taking the lead in working with the electricity industry to facilitate actions necessary for a smooth transition through this critical period. To this end, we are requesting that NERC undertake the coordination of an industry process to assure a smooth transition. The electric system is such a highly interdependent network, and so vital to the security and well-being of the Nation, that there is very little margin for error or miscalculation. The Department realizes that activities designed to address this issue are already underway in many electric utilities, the Electric Power Research Institute (EPRI), and in other Federal agencies. We are concerned, however, that these activities may not be fully coordinated, or worse, may be incomplete. The Nation needs to know that a systematic process is in place to ensure that the electric supply system will not experience serious disruption. This is truly a reliability issue, and NERC has demonstrated over the last 30 years that it is capable of coordinating the activities of electric market participants to resolve such issues. NERC is the most appropriate body to organize this process and report periodically on its status. We are confident that NERC will be able to mobilize the necessary cooperation from the Regional Reliability Councils, their members' utilities, and other industry organizations, to develop and implement a process that is both efficient and effective. We are asking that you provide us with written assurances by July 1, 1999, that critical systems within the Nation's electric infrastructure have been tested, and that such systems will be ready to operate into the Year 2000. The DOE is prepared to work with NERC to help overcome any obstacles that you might encounter in carrying out this effort. Finally, we wish to work with you to provide a suitable public forum in the late summer or early fall of this year at which NERC and others could report on the industry's assessment of this issue and outline its plans to address this challenge. Public events on this subject are important and valuable for two reasons. First, they will convey to the public and public officials that the industry is indeed preparing systematically for the transition. Second, they will confirm to the industry that Government agencies and the public are depending on them to ensure that the transition goes smoothly. We are looking forward to further discussions with you on this important issue. Sincerely, Federico Pena, Secretary, Elizabeth A. Moler, Deputy Secretary. ______ APPENDIX C who's in charge of the electric industry's y2k program? In an industry that has about 3,200 organizations in North America that could be considered part of the electricity supply and delivery chain, that's a tough question. Ultimately, every individual electric service organization is accountable to its own stakeholders for its performance in meeting the challenges of Y2K. Those stakeholders may include customers; Federal, state, provincial, and local government agencies; shareholders of an investor-owned utility; or members of an electric cooperative. In other words, every electric service provider is ultimately accountable to its stakeholders for resolving Y2K challenges. Regulatory oversight on the Y2K issue is a very complicated matter. In the United States, the Department of Energy has authority to act in matters that concern maintaining a secure supply of electricity to the nation. In Canada, many of the powers for regulating electric utilities lie in the provincial governments, although the Canadian Federal Government also has regulatory powers. In both countries, local governments have jurisdiction, often over retail matters, siting of facilities, and other issues. Finally, a portion of the Western Interconnection is in Mexico. In short, considering the electric Interconnections of North America span three countries and countless state, provincial, and local jurisdictions, defining legal authorities for resolution of Y2K problems is an extremely complex issue. This complexity is one of the reasons the Department of Energy in early May 1998 turned to the North American Electric Reliability Council (NERC) to coordinate Y2K preparations in the electric industry (see the letter from DOE in Appendix B). NERC is a voluntary not-for- profit industry organization made up of ten Regional Reliability Councils. NERC and its ten Regional Reliability Councils account for nearly every bulk electric supply and delivery organization in the Interconnections of North America, spanning the United States, Canada, and Northern Baja California, Mexico. NERC and its Regional Reliability Councils set operating and engineering standards for the reliability of electric systems in North America. The implementation of these standards has resulted in a quality of electric service unequalled in the world. Representation in NERC and its Regions includes all segments of the electric industry: investor-owned, Federal agency, rural electric cooperative, state/ municipal, and provincially owned utilities, independent power producers, and power marketers. NERC and the Regions rely on the voluntary efforts of technical experts from the industry who serve on various engineering and operating committees. Through this collective effort, the industry is able to set standards for reliability, monitor compliance with the standards, assess the future reliability of bulk electric systems, and review past incidents for lessons learned. In short, NERC and its ten Regional Reliability Councils offer the best opportunity for the industry to coordinate a collective effort to address the challenges of Y2K. More information regarding NERC and its ten Regional Reliability Councils may be obtained from the NERC web site at http://www.nerc.com. In asking NERC to facilitate the electric industry's Y2K efforts, DOE requested an initial status report and coordination plan by September 1998. A second report reviewing the readiness of electric systems for the transition to the Year 2000 and contingency plans was requested by July 1999. Because of the critical nature of the Y2K and the need to provide timely information to all interested parties, NERC is additionally providing written quarterly reports to DOE and the public until the Year 2000. These reports will be posted on NERC's Y2K web site at http://www.nerc.com/y2k, along with the monthly summaries of Y2K readiness assessment surveys. Although the letter from DOE was a catalyst for a heightened level of coordination, NERC and its Regional Reliability Councils recognize that there are many jurisdictions involved. NERC and the Regions have proven experience addressing international issues related to electric system reliability in the United States, Canada, and Mexico. NERC's membership is broad-based and focused on electric system reliability, making NERC a good choice to lead a coordinated effort to resolve Y2K issues. However, NERC has historically been focused on reliability of bulk electric systems. The inclusion of distribution systems significantly raises the coordination requirements from about 200 entities operating bulk electric systems to nearly 3,200 total organizations. Additionally, it was recognized that some business systems are essential to sustained electric operations and should be included in this report. To address these issues, NERC has requested and received full cooperation from several industry trade associations with close ties to various sectors of the industry. These organizations are: American Public Power Association--APPA's membership includes many state, county, and municipal electricity service providers. APPA is coordinating information sharing and surveys of its members, as well as smaller nonmember public power utilities. APPA is assisting NERC in the industry-wide readiness review of electric distribution systems. Canadian Electricity Association--CEA is assisting NERC by coordinating efforts in Canada, particularly to address the readiness of electric distribution systems and Canadian nuclear facilities. CEA also is serving as an interface to Canadian government agencies. Edison Electric Institute--EEI, representing investor-owned utilities, has established a program to address Y2K technical, regulatory, and liability issues. EEI is supporting the industry's Y2K coordination efforts by facilitating Y2K manager forums, addressing legal issues, and reviewing the readiness of utility business information systems. EEI also is assisting in the readiness review of electric distribution systems. Electric Power Research Institute--The EPRI Y2K embedded systems program focuses on the technical and project management issues relating to achieving Y2K readiness. While the program deals mainly with the electric power industry, the program includes efforts in the areas of natural gas pipelines and telecommunications. Electric Power Supply Association--EPSA is providing coordination among its members, which include independent power producers and other power generating entities. National Rural Electric Cooperative Association--NRECA is coordinating Y2K readiness assessments and information sharing among its membership, which includes about 900 rural electric systems, including generation and transmission cooperatives and power distribution cooperatives. NRECA is working closely with APPA and EEI to provide NERC an assessment of the Y2K readiness of distribution systems in the United States. Nuclear Energy Institute--NEI is coordinating the assessment of Y2K readiness of U.S. nuclear facilities and is providing that information as part of this report. NERC is relying on NEI's program to facilitate efforts in the nuclear sector, due to the specialized needs in this area. <greek-d>