
Nuclear Weapons: Year 2000 Status of the Nation's Nuclear Weapons Stockpile

Published by the Government Accountability Office on 1999-08-20.


GAO   United States General Accounting Office
      Washington, D.C. 20548

      Resources, Community, and
      Economic Development Division



       B-283279

      August 20, 1999

      The Honorable Bill Richardson
      Secretary of Energy
      Washington, D.C.

      Subject: Nuclear Weapons: Year 2000 Status of the Nation’s Nuclear Weapons Stockpile

      Dear Secretary Richardson:

      Year 2000 (Y2K) problems can result when computer hardware (such as
      microprocessors) or software fails to correctly interpret year and date data represented
      in a two-digit format. Concern has been expressed in the Congress and elsewhere
      regarding the impact of Y2K on the nation’s nuclear weapons stockpile as well as the
      ancillary equipment used to test weapons in the stockpile and control their use.
      Consequently, we reviewed what actions DOE and its contractors have taken to
      determine if any Y2K problems exist with the nation’s nuclear weapons or supporting
      ancillary equipment.

      Results in Brief


      Based on our review of documents and the discussions we held with weapon design
      engineers, we believe the nuclear weapons in the nation’s enduring stockpile will not be
      affected by the Year 2000. Only four of the weapons in the enduring stockpile contain
      microprocessors. The microprocessors in these weapons do not rely on an internal
      clock that is aware of the actual date to carry out the timing functions necessary for the
      weapons to perform as designed. Instead, the weapons perform their timing functions
      through the use of an analog timing source, external to the microprocessor, that keeps
      relative time - similar to a stopwatch. Most of the ancillary equipment associated with
      nuclear weapons either does not have a Y2K problem, has been replaced by
      Y2K-compliant equipment, or has an acceptable work-around. However, one type of test
      equipment at Pantex - where assembly, disassembly, and surveillance of nuclear
      weapons is conducted - and one type of test equipment at the Kansas City Plant - where
      parts for nuclear weapons are made - are noncompliant as of August 1999. According
      to DOE and contractor officials, this test equipment is expected to be fixed by
      January 1, 2000.

GAO/RCED-99-272R Y2K Status of the Nation’s Nuclear Weapons

Although we did not identify Y2K problems with the nation’s nuclear weapons, we did
identify process and documentation weaknesses. Specifically, the process for
designing, assessing, and certifying nuclear weapons is highly structured in order to
ensure that the weapons remain safe and reliable. This process includes extensive
documentation and peer review. However, DOE and Sandia National Laboratories
management did not require this same level of rigor for the nuclear weapons Y2K
assessment. Consequently, the reviews performed were often unstructured, did not
always include thorough documentation, and were subjected to minimal peer review.
This report contains a recommendation to improve the documentation of the Y2K
readiness of the nation’s nuclear weapons.

Background

The Y2K problem is rooted in the way dates are recorded in many computer systems.
For the past several decades, systems have typically used two digits to represent the
year, such as “98” for 1998, to save electronic storage space and reduce operating costs.
In this two-digit format, however, 2000 is indistinguishable from 1900. Because of this
ambiguity, date-dependent hardware and software could generate incorrect results or
fail to operate altogether when processing years beyond 1999.

Nuclear weapons represent a special Y2K situation, because they must remain safe
against accidental detonation resulting from abnormal occurrences, such as a lightning
strike, while also being highly reliable if they ever need to be used. Nuclear weapons
are supported by ancillary equipment that is used to securely manage the codes
necessary to ensure authorized use of a weapon, so-called use control equipment, and
test for the proper functioning of a weapon or its components.

Three national laboratories - Lawrence Livermore, Los Alamos, and Sandia National
Laboratories - are responsible for designing, assessing, and certifying the nation’s
nuclear weapons. The key laboratory in determining if the weapons are Y2K compliant
is Sandia National Laboratories (Sandia), which is responsible for the electronic
systems for nuclear weapons. For example, Sandia provides the electronic systems that
provide arming, fuzing, and firing capability for nuclear weapons. Subsystems within
these systems may include radar, voltage power regulators, programmers, and
trajectory sensing signal generators. Lawrence Livermore and Los Alamos National
Laboratories are responsible for designing the nuclear portion of the weapons, which
does not contain electronic systems.

In response to concern raised by the Congress about the Y2K readiness of the nation’s
nuclear weapons, in February 1999, DOE’s Assistant Secretary for Defense Programs
requested that the three national laboratories certify that the nuclear weapons and their
supporting ancillary equipment were Y2K compliant. In February 1999, the Director of
Sandia stated that Sandia personnel responsible for each warhead had reviewed the
weapons’ system software and hardware and had not identified any Y2K problems. He
made a corresponding statement for the ancillary equipment. The Directors of Los
Alamos and Lawrence Livermore National Laboratories made similar certifications.

Nuclear weapons and ancillary equipment are, or will be, Y2K compliant

Based on our interviews with weapon design engineers and review of weapon design
documents, the nuclear weapons in the nation’s enduring stockpile will not be affected
by the Year 2000. Only four of the nuclear weapons in the enduring stockpile - the W84
and W88 warheads and the B61 and B83 bombs - contain microprocessors; the balance
of the enduring stockpile does not. The microprocessors these weapons use are not
“date aware” - they do not generate or store a date - and they are not “date reliant” -
they do not need to know the date to function properly. Instead, the weapons perform
their timing functions through the use of an analog timing source, external to the
microprocessor, that keeps relative time - similar to a stopwatch. In addition, no date
information is transmitted to a nuclear weapon by its delivery system. Finally, the
nuclear weapon’s arming, fuzing, and firing subsystems do not contain any power
sources that would enable them to retain a date, if one were to be stored in a
microprocessor.

The Y2K status of the use control equipment associated with nuclear weapons falls into
three categories. Either the equipment does not have a Y2K problem, the equipment has
been replaced by Y2K-compliant equipment, or an acceptable work-around exists. The
work-around involves either resetting the date after January 1, 2000 or entering the
current date when the equipment is used. In either instance, there is no negative impact
on the operation of this equipment.

A similar situation exists for test equipment. Most equipment is either Y2K compliant or
has an acceptable work-around in place. Where test equipment is not Y2K compliant,
the problem that results is that the computer will not record the correct date on data
obtained during a test. Typically, the work-around involves either resetting the clock
after January 1, 2000, manually entering the date into the computer, or manually “inking
in” the test date on the printout of the test data. One type of test equipment at Pantex -
where surveillance testing on nuclear weapons is conducted - and one type of test
equipment at the Kansas City Plant - where parts for nuclear weapons are made - are
non-compliant as of August 1999. However, according to DOE and contractor officials,
this test equipment is expected to be fixed by January 1, 2000.

DOE’s assessment of nuclear weapons Y2K compliance did not follow a
structured approach

The process for designing and maintaining nuclear weapons is highly structured in order
to ensure that the weapons remain safe and reliable. The design process includes
extensive documentation and peer review, including inter-laboratory reviews between
Lawrence Livermore, Los Alamos, and Sandia National Laboratories. Nuclear weapons
are produced from detailed engineering specifications that include traditional line
drawings, written manufacturing and processing procedures, three-dimensional models,
and assembly procedures that are available for later review, if ever needed. Once a
nuclear weapon enters the stockpile, it is subjected to a formal program of surveillance,
assessment, and certification. As part of the surveillance process, weapons are
removed from the stockpile, disassembled, and subjected to a series of tests. Using
surveillance and other data, weapon designers perform a variety of formal assessments
that result in regular reports on the safety and reliability of the weapons. Finally, the
results of this process are used to produce an annual certification that the stockpile is
safe and reliable.

DOE and Sandia management did not require this same rigor for the nuclear weapons
Y2K assessment. Specifically, we found that the assessments performed were often
unstructured, did not always include thorough documentation, and were subjected to
minimal peer review. For example, the assessment of the W88 warhead was very
informal, relied on the memory and experience of the designers, and incorporated
minimal examination of design diagrams and documents. In particular, the responsible
design engineer for the systems in this warhead did not review the software code for the
microprocessor in the W88 to determine Y2K compliance, but rather he relied on his
memory of what the code contained.¹ According to Sandia engineers responsible for the
system, because of the in-depth knowledge and familiarity of the designers with the
system, and the fact that the system does not use date or time dependent data, rigorous
re-examination of the details was not determined to be required. In contrast, the
assessment for the B61 bomb was relatively structured and involved engineers
reviewing data on the hardware and software contained in the weapon.

Standardized documentation of the assessment was not required by Sandia
management, and as a result, design engineers had different interpretations of what
level of documentation, if any, to provide. For most of the warheads we evaluated,
there was no detailed documentation beyond a memorandum or e-mail that stated that
no Y2K problems had been found. For example, a design engineer for the W88 warhead
stated that he spent about 2 weeks determining that the warhead’s systems had no Y2K
problems, but that he prepared no documentation of the discussions; the process
followed; or the documents, diagrams, or software examined. In one case we reviewed,
however, we did find that a formal assessment document was being prepared.
Specifically, the lead engineer for the B61 bomb stated that since he believed Sandia
was certifying Y2K compliance as part of the fiscal year 1999 annual stockpile
certification, a formal process to serve as a basis for the statement was warranted. This
engineer stated that he did not receive a memorandum asking for formal
documentation - the decision to do so was self-initiated. For other weapons, the draft
annual stockpile certification reports contain brief, conclusion-type statements on Y2K
compliance, which, according to laboratory officials, are based on various verification
activities and engineering expertise. However, specific documentation of the activities
performed to arrive at the Y2K conclusions was not always prepared. Sandia engineers
acknowledged that the focus of the annual certification process is on the need for
underground testing, not Y2K.

¹ We reviewed the software code for this weapon system and found that no Y2K problems were present.

Finally, peer review was not regularly performed on the Y2K assessments. When peer
review did occur, it was largely of the nature of one engineer talking to another and
asking, “Am I missing anything?” and was not documented. Offices within Sandia, such
as the Surety Assessment Center, which provides an independent assessment of nuclear
weapons safety and reliability, did not perform any independent evaluation of the design
engineers’ Y2K assessments. We found no instance of independent review of the Y2K
assessments by the two other national laboratories. According to design engineers for
the W88, peer review is not as critical for the Y2K assessments as it is for other reviews,
such as safety reviews, because the answers regarding Y2K were very “obvious” and,
therefore, did not require as much documentation or external scrutiny.

Independent studies found similar problems

Two independent assessments of Sandia’s Y2K readiness efforts found similar
weaknesses. The first assessment,² an internal review conducted by Sandia employees
in January 1999, found that “the Y2K readiness process is apparently being implemented
for Sandia’s primary mission, nuclear weapons surety; however, we did not see the
rigorous formality of operations with respect to Y2K remediation . . . that we are
accustomed to seeing in the weapons program.” In discussing this study with its
authors, they told us that they could find no formal report that addressed what weapons
were considered and what type of analysis was performed. They felt a statement, such
as “no vulnerabilities found,” needed more justification.

A subsequent external study performed by a consulting firm, Keane, Inc.,³ dated March
29, 1999 stated that the documentation of Sandia’s Y2K effort was inconsistent and
inadequate. It noted that while there were pockets of solid documentation, for the most
part, Sandia’s Y2K documentation would not satisfy a request to detail what Sandia had
done about Y2K problems and why.

Conclusion

Although we did not identify any Y2K problems with the nation’s nuclear weapons or
supporting ancillary equipment, we do believe that DOE should have adhered more
closely to its overall model for assessing and certifying nuclear weapons in performing
its Y2K evaluation. In the absence of underground nuclear testing, the credibility of the
Department’s certification that the nation’s nuclear weapons are safe and reliable is
heavily reliant on the quality of the analytical processes used, including peer reviews,
and on accurate, thorough documentation. Given that Y2K was a known problem that
could raise concerns about the safety and reliability of the nation’s nuclear weapons, we
believe a relatively small investment of time in thorough documentation would provide
the level of assurance expected.

² “Independent System Risk Assessment of Distributed Y2K Implementation at Sandia National
Laboratories,” Jan. 1999, SAND99-0044.
³ “Year 2000 Readiness Disclosure: Independent Audit of Sandia National Laboratories Year 2000 Program,”
Mar. 29, 1999.

Recommendation

To serve as a basis for the certification of Y2K readiness of nuclear weapons, we
recommend that DOE require Sandia National Laboratories to thoroughly document the
Y2K assessments performed, including the scope of the assessments; documents,
diagrams, and software reviewed; discussions held; and logic used.

Agency Comments

We provided DOE with a draft of this report for review and comment. DOE stated that
the Department’s credibility as to its certification that the nation’s nuclear weapons are
safe and reliable had been enhanced directly as the result of our work. DOE concurred
with our recommendation and stated that they had begun activities to thoroughly
document their Y2K assessments. DOE’s comments are included as enclosure I.




We performed our review from April through August 1999 in accordance with generally
accepted government auditing standards. To determine the status of Y2K compliance,
we interviewed weapon design engineers and reviewed design information and
diagrams for each nuclear weapon containing microprocessors, as well as a
representative number of other weapons in the enduring stockpile. Since Sandia
weapon design engineers did not review the software code for the microprocessor in
the W88 warhead, to determine Y2K compliance, we reviewed the code and found no
Y2K problems. We determined the Y2K status of ancillary use control and test
equipment at the Kansas City and Pantex Plants, and DOD field sites by reviewing
documents and interviewing engineers. We also determined the overall process used
for weapon surveillance, assessment, and certification and compared it to the process
that Sandia design engineers followed in assessing the weapons for Y2K compliance.

This report contains recommendations to you. As you know, 31 U.S.C. 720 requires the
head of a federal agency to submit a written statement of the actions taken on our
recommendations to the Senate Committee on Governmental Affairs and the House
Committee on Government Reform no later than 60 days after the date of this letter and
to the House and Senate Committees on Appropriations with the agency’s first request
for appropriations made more than 60 days after the date of this letter.

We plan to distribute copies of this report to congressional committees with jurisdiction
over issues related to Y2K or nuclear weapons. We will also make copies available to
others on request. If you have any questions regarding this letter, please contact James
Noel or me at (202) 512-3841. Key contributors to this assignment were Keith Rhodes
and Chris Pacheco.

Sincerely yours,




(Ms.) Gary L. Jones
Associate Director, Energy,
 Resources, and Science Issues

Enclosure




 Appendix I

 Comments from the Department of Energy




                                                Department of Energy
                                                    Washington, DC 20585
                                                      August 13, 1999


                Ms. Gary Jones
                Associate Director, Energy, Resources
                 and Science Issues
                U.S. General Accounting Office
                Washington, D.C. 20548

                Dear Ms. Jones:

                We have reviewed the draft of your proposed report entitled, “Nuclear Weapons: Year 2000
                Status of the Nation’s Nuclear Weapons Stockpile (GAO/RCED-99-272R),” which was
                transmitted to us on July 28, 1999.

                We concur with your recommendation. Your conclusion and recommendation both relate to the
                degree of thorough documentation regarding the Y2K assessments performed. Following your
                review and outbriefing, Sandia National Laboratories has started indexing and documenting the
                memoranda, presentations, and other quality evidence relating to their Y2K assessments. Sandia
                is collecting evidence gathered from other membersof the nuclear weapons complex and is
                permanently storing this evidence (retrievable by date, author, subject, or keyword “Y2K”) in
                their corporate Electronic Document Management System. The evidence includes overview
                material, high-level management statements of compliance, and detailed evidence sorted by
                weapon-related categories.

                We believe the Department of Energy’s credibility as to its certification that the Nation’s nuclear
                weapons are safe and reliable has been enhanced, directly as a result of your review activities. If
                you require additional assistance or have questions about comments, please refer them to Abdul
                Dasti, of my staff, at 301-903-7724.

                                                               Sincerely,




                                                               Deputy Assistant Secretary
                                                                for Military Application and
                                                                Stockpile Management
                                                               Defense Programs
(141322)



