United States GAO General Accounting Washington, Office D.C. 20548 Resources, Community, and Economic Development Division B-283279 August 20,1999 The Honorable Bill Richardson Secretary of Energy Washington, D.C. Subject: Nuclear Weapons: Year 2000 Status of the Nation’s Nuclear WeaDons Stockr%le Dear Secretary Richardson: Year 2000 (Y2K) problems can result when computer hardware (such as microprocessors) or software fails to correctly interpret year and date data represented in a two-digit format. Concern has been expressed in the Congress and elsewhere regarding the impact of Y2K on the nation’s nuclear weapons stockpile as well as the ancillary equipment used to test weapons in the stockpile and control their use. Consequently, we reviewed what actions DOE and its contractors have taken to determine if any Y2K problems exist with the nation’s nuclear weapons or supporting ancillary equipment. Results in Brief Based on our review of documents and the discussions we held with weapon design engineers, we believe the nuclear weapons in the nation’s enduring stockpile will not be affected by the Year 2000. Only four of the weapons in the enduring stockpile contain microprocessors. The microprocessors in these weapons do not rely on an internal clock that is aware of the actual date to carry out the timing functions necessary for the weapons to perform as designed. Instead, the weapons perform their timing functions through the use of an analog timing source, external to the microprocessor, that keeps relative time-similar to a stopwatch. Most of the ancillary equipment associated with nuclear weapons either do not have a Y2K problem, have been replaced by Y2K- compliant equipment, or have an acceptable work-around. However, one type of test equipment at Pantex-where assembly, disassembly, and surveillance of nuclear weapons is conducted-and one type of test equipment at the Kansas City Plant-where parts for nuclear weapons are made-are noncompliant as of August 1999. According to DOE and contractor officials, this test equipment is expected to be fixed by January 1,200o. . GAO/RCED-99-272R Y2K Status of the Nation’s Nuclear Weapons Although we did not identify Y2K problems with the nation’s nuclear weapons, we did identify process and documentation weaknesses. Specifically, the process for designing, assessing, and certifying nuclear weapons is highly structured in order to ensure that the weapons remain safe and reliable. This process includes extensive documentation and peer review. However, DOE and Sandia National Laboratories management did not require this same level of rigor for the nuclear weapons Y2K assessment. Consequently, the reviews performed were often unstructured, did not always include thorough documentation, and were subjected to minimal peer review. This report contains a recommendation to improve the documentation of the Y2K readiness of the nation’s nuclear weapons. Background The Y2K problem is rooted in the way dates are recorded in many computer systems. For the past several decades, systems have typically used two digits to represent the year, such as “98” for 1998, to save electronic storage space and reduce operating costs. In this two-digit format, however, 2000 is indistinguishable from 1900. Because of this ambiguity, date -dependent hardware and software could generate incorrect results or fail to operate altogether when processing years beyond 1999. Nuclear weapons represent a special Y2K situation, because they must remain safe against accidental detonation resulting from abnormal occurrences, such as a lightning strike, while also being highly reliable if they ever need to be used. Nuclear weapons are supported by ancillary equipment that are used to securely manage the codes necessary to ensure authorized use of a weapon, so-called use control equipment, and test for the proper functioning of a weapon or its components. Three national laboratories-Lawrence Livermore, Los Alamos, and Sandia National Laboratories-are responsible for designing, assessing, and certifying the nation’s nuclear weapons. The key laboratory in dete r-mining if the weapons are Y2K compliant is Sandia National Laboratories (Sandia), which is responsible for the electronic systems for nuclear weapons. For example, Sandia provides the electronic systems that provide arming, fuzing, and firing capability for nuclear weapons. Subsystems within these systems may include radar, voltage power regulators, .programmers, and trajectory sensing signal generators. Lawrence Livermore and Los Alamos National Laboratories are responsible for designing the nuclear portion of the weapons, which does not contain electronic systems. In response to concern raised by the Congress about the Y2K readiness of the nation’s nuclear weapons, in February 1999, DOE’s Assistant Secretary for Defense Programs requested that the three national laboratories certify that the nuclear weapons and their supporting ancillary equipment were Y2K compliant. In February 1999, the Director of Sandia stated that Sandia personnel responsible for each warhead had reviewed the weapons’ system software and hardware and had not identified any Y2K problems. He 2 GAOIRCED-99-272R Y2K Status of the Nation’s Nuclear Weapons made a corresponding statement for the ancillary equipment. The Directors of Los Alamos and Lawrence Livermore National Laboratories made similar certifications. Nuclear weapons and ancillary equipment are, or will be, Y2K compliant Based on our interviews with weapon design engineers and review of weapon design documents, the nuclear weapons in the nation’s enduring stockpile will not be affected by the Year 2000. Only four of the nuclear weapons in the enduring stockpile-the W84 and W88 warheads and the B61 and B83 bombs-contain microprocessors; the balance of the enduring stockpile does not. The microprocessors these weapons use are not “date aware” -they do not generate or store a date-and they are not “date reliant”- they do not need to know the date to function properly. Instead, the weapons perform their timing functions through the use of an analog timing source, external to the microprocessor, that keeps relative time-similar to a stopwatch. Jn addition, no date information is transmitted to a nuclear weapon by its delivery system. Finally, the nuclear weapon’s arming, fuzing, and ftig subsystems do not contain any power sources that would enable them to retain a date, if one were to be stored in a microprocessor. The Y2K status of the use control equipment associated with nuclear weapons falls into three categories. Either the equipment does not have a Y2K problem, the equipment has been replaced by Y2Kcompliant equipment, or an acceptable work-around exists. The work-around involves either resetting the date after January 1,ZOOOor entering the current date when the equipment is used. In either instance, there is no negative impact on the operation of this equipment. A similar situation exists for test equipment. Most equipment is either Y2K compliant or has an acceptable work-around in place. Where test equipment is not Y2K compliant, the problem that results is that the computer will not record the correct date on data obtained during a test. Typically, the work-around involves either resetting the clock after January $2000, manually entering the date into the computer, or manually “inking in” the test date on the printout of the test data. One type of test equipment at Pantex- where surveillance testing on nuclear weapons is conducted-and one type of test equipment at the Kansas City Plant-where parts for nuclear weapons are made-are non-compliant as of August 1999. However, according to DOE and contractor officials, this test equipment is expected to be fixed by January 1,200O. DOE’s assessment of nuclear weapons Y2K compliance did not follow a structured approach The process for designing and maintaining nuclear weapons is highly structured in order to ensure that the weapons remain safe and reliable. The design process includes extensive documentation and peer review, including inter-laboratory reviews between Lawrence Livermore, Los Alamos, and Sandia National Laboratories. Nuclear weapons are produced from detailed engineering specifications that include traditional line drawings, written manufacturing and processing procedures, three-dimensional models, GAO/RCED-99-272R Y2K Status of the Nation’s Nuclear Weapons and assembly procedures that are available for later review, if ever needed. Once a nuclear weapon enters the stockpile, it is subjected to a formal program of surveillance, assessment, and certification. As part of the surveillance process, weapons are removed from the stockpile, disassembled, and subjected to a series of tests. Using surveillance and other data, weapon designers perform a variety of formal assessments that result in regular reports on the safety and reliability of the weapons. Finally, the results of this process are used to produce an annual certification that the stockpile is safe and reliable. DOE and Sandia management did not require this same rigor for the nuclear weapons Y2K assessment. Specifically, we found that the assessments performed were often unstructured, did not always include thorough documentation, and were subjected to minimal peer review. For example, the assessment of the W88 warhead was very inform& relied on the memory and experience of the designers, and incorporated minimal examination of design diagrams and documents. In particular, the responsible design engineer for the systems in this warhead did not review the software code for the microprocessor in the W88 to determine Y2K compliance, but rather he relied on his memory of what the code contained.’ According to Sandia engineers responsible for the system, because of the m-depth knowledge and familiarity of the designers with the system, and the fact that the system does not use date or time dependent data, rigorous re-examination of the details was not determined to be required. In contrast, the assessment for the B61 bomb was relatively structured and involved engineers reviewing data on the hardware and software contained in the weapon. Standardized documentation of the assessment was not required by Sandia management, and as a result, design engineers had different interpretations of what level of documentation, if any, to provide. For most of the warheads we evaluated, there was no detailed documentation beyond a memorandum or e-mail that stated that no Y2K problems had been found. For example, a design engineer for the W88 warhead stated that he spent about 2 weeks dete r-mining that the warhead’s systems had no Y2K problems, but that he prepared no documentation of the discussions; the process followed; or the documents, diagrams, or software examined. In one case we reviewed, however, we did find that a formal assessment document was being prepared. Specifically, the lead engineer for the B61 bomb stated that since he believed Sandia was certifying Y2K compliance as part of the fiscal year 1999 annual stockpile certification, a formal process to serve as a basis for the statement was warranted. This engineer stated that he did not receive a memorandum asking for formal documentation-the decision to do so was self-initiated. For other weapons, the draft annual stockpile certification reports contain brief, conclusion-type statements on Y2K compliance, which, according to laboratory officials, are based on various verification activities and engineering expertise. However, specific documentation of the activities . performed to arrive at the Y2K conclusions was not always prepared. Sandia engineers acknowledged that the focus of the annual certification process is on the need for underground testing, not Y2K. ’ We reviewed the software code for this weapon system and found that no Y2K problems were present 4 GAO/RCED-99-272R Y2K Status of the Nation’s Nuclear Weapons Finally, peer review was not regularly performed on the Y2K assessments. When peer review did occur, it was largely of the nature of one engineer talking to another and asking, “Am I missing anything?” and was not documented. Offices within Sandia, such as the Surety Assessment Center, which provides an independent assessment of nuclear weapons safety and reliability, did not perform any independent evaluation of the design engineers’ Y2K assessments. We found no instance of independent review of the Y2K assessments by the two other national laboratories. According to design engineers for the W88, peer review is not as critical for the Y2K assessments as it is for other reviews, such as safety reviews, because the answers regarding Y2K were very “obvious” and, therefore, did not require as much dociunentation or external scrutiny. Independent studies found similar problems Two independent assessments of Sandia’s Y2K readiness efforts found similar weaknesses. The first assessment,’ an internal review conducted by Sandia employees in January 1999, found that “the Y2K readiness process is apparently being implemented for Sandia’s primary mission, nuclear weapons surety; however, we did not see the rigorous formality of operations with respect to Y2K remediation . , . that we are accustomed to seeing in the weapons program.” In discussing this study with its authors, they told us that they could find no formal report that addressed what weapons were considered and what type of analysis was performed. They felt a statement, such as “no vulnerabilities found,” needed more justification. A subsequent external study performed by a consulting firm, Keane, I~c.,~dated March 29,1999 stated that the documentation of Sandia’s Y2K effort was inconsistent and inadequate. It noted that while there were pockets of solid documentation, for the most part, Sandia’s Y2K documentation would not satisfy a request to detail what Sandia had done about Y2K problems and why. Conclusion Although we did not identify any Y2K problems with the nation’s nuclear weapons or supporting ancillary equipment, we do believe that DOE should have adhered more closely to its overall model for assessing and certifying nuclear weapons in performing its Y2K evaluation. In the absence of underground nuclear testing, the credibility of the Department’s certification that the nation’s nuclear weapons are safe and reliable is heavily reliant on the quality of the analytical processes used, including peer reviews, and on accurate, thorough documentation. Given that Y2K was a known problem that could raise concerns about the safety and reliability of the nation’s nuclear weapons, we ’ “Independent System Risk Assessment of Distributed Y2K Implementation at Sandia National Laboratories,” Jan. 1999,SAND99-0044. a“Year 2000 Readiness Disclosure: Independent Audit of Sandia National Laboratories Year 2000 Program,” Mar. 29,1999. 5 GAO/RCED-99-272R Y2K Status of the Nation’s Nuclear Weapons believe a relatively small investment of time in thorough documentation would provide the level of assurance expected. Recommendation To serve as a basis for the certification of YZK readiness of nuclear weapons, we recommend that DOE require Samba National Laboratories to thoroughly document the Y2K assessments performed, including the scope of the assessments; documents, diagrams, and software reviewed; discussions held; and logic used. Agency Comments We provided DOE with a draft of this report for review and comment. DOE stated that the Department’s credibility as to its certification that the nation’s nuclear weapons are safe and reliable had been enhanced directly as the result of our work. DOE concurred with our recommendation and stated that they had begun activities to thoroughly document their YZK assessments. DOE’s comments are included as enclosure I. We performed our review from April through August 1999 in accordance with generally accepted government auditing standards. To determine the status of Y2K compliance, we interviewed weapon design engineers and reviewed design information and diagrams for each nuclear weapon containing microprocessors, as well as a representative number of other weapons in the enduring stockpile. Since Sandia weapon design engineers did not review the software code for the microprocessor in the W88 warhead, to determine Y2K compliance, we reviewed the code and found no Y2K problems. We determined the Y2K status of ancillary use control and test equipment at the Kansas City and Pantex Plants, and DOD field sites by reviewing documents and interviewing engineers. We also determined the overall process used for weapon surveillance, assessment, and certification and compared it to the process that Sandia design engineers followed in assessing the weapons for Y2K compliance. This report contains recommendations to you. As you know, 31 U.S.C. 720 requires the head of a federal agency to submit a written statement of the actions taken on our recommendations to the Senate Committee on Governmental Affairs and the House Committee on Government Reform no later than 60 days after the date of this letter and to the House and Senate Committees on Appropriations with the agency’s first request for appropriations made more than 60 days after the date of this letter. We plan to distribute copies of this report to congressional committees with jurisdiction over issues related to Y2K or nuclear weapons. We will also make copies available to others on request. If you have any questions regarding this letter, please contact James 6 GAOiRCED-99-272R Y2K Status of the Nation’s Nuclear Weapons Noel or me at (202) 512-3841. Key contributors to this assignment were Keith Rhodes and Chris Pacheco. Sincerely yours, (Ms.) Gary L. Jones Associate Director, Energy, Resources, and Science Issues Enclosure 7 GAO/RCED-99-272R Y2K Status of the Nation’s Nuclear Weapons Appendix I Comments from the Dewrtment of Enerrrv Department of Energy ’ Washington, DC 20585 August 13,. 1999 Ms. Gary Jones Associate Director, Energy, Resourcls and Science fssues U.S. General Accounting office Washington, D.C. 20548 Dear Ms. Jones: We have reviewed the draft of your proposed report entitled, ‘wuclear Weapons: Year 2000 Status of the Nation’s Nuclear Weapons Stockpile (GAO/RCED-99-272R),” which was transmitted to us on July 28, 1999. We concur with your recommendation. Your conclusion and recommendation both relate to the degreeof thorough documentation regarding the TiZK assessmentsperformed. Following your review and outbriefing, SandiaNational Laboratories has started indexing and documenting the memoranda,presentations,and other quality evidence relating to their Y2K assessments.San&~- is collecting evidence gathered from other membersof the nuclear weapons complex and is permanently storing this evidence (retrievable by date, author, subject, or keyword “Y2K”) in their corporate Electronic Document Management System. The evidence includes overview material, high-level managementstatementsof compliance, and detailed evidence sorted by weapon-related categories. We believe the Department of Energy’s credibility as to its certific&.ion that the Nation’s nuclear weaponsare safe and reliable has been enhanced,directly as a result of your review activities. If you require additional assistanceor have questions about comments, pleaserefer them to Abdul Dasti, of my staff, at 301-903-7724. Sincerely, Deputy Assistant Secretary for Military Application and Stockpile Management Defense Programs (141322) GAOLRCED-99-272R Y2K Status of the Nation’s Nuclear Weapons Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and Mastercard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by caBing (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu wiB provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with “info” iu the body to: info%vww.gao.gov or visit GAO’s World Wide Web Home Page at: httpYYwww.gao.gov United States General Accounting Office Washington, D.C. 20548-0001 Official Business I Permit No. GlOO I Penalty for Private Use $300 Address Correction Requested
Nuclear Weapons: Year 2000 Status of the Nation's Nuclear Weapons Stockpile
Published by the Government Accountability Office on 1999-08-20.
Below is a raw (and likely hideous) rendition of the original report. (PDF)