CHEMICAL SAFETY AND HAZARD INVESTIGATION BOARD WORKSHOP ON THE YEAR 2000 TECHNOLOGY PROBLEM AND CHEMICAL SAFETY FRIDAY DECEMBER 18, 1998 + + + + + The Workshop met in Room 333 in the Hall of the States at 444 North Capitol Street, N .W., Washington, D.C., at 8:30 a.m., Dr. Jerry Poje, Board Member, presiding. PRESENT: JERRY POJE, Board Member JACK ANDERSON, Participant JERRY BRADSHAW, Participant ROBERT J. BRANT, Participant KENNETH BROCK, Participant DENNIS CALHOUN, Participant JORDAN CORN, Participant DANIEL DALEY, Participant GEORGE R. DAVIS, Participant NORM DEAN, Participant RICHARD DUFFY, Participant LOUIS N. EPSTEIN, Participant MARK FRAUTSCHI, Participant KEITH L. GODDARD, Participant DAVE HART, Participant RON HAYES, Participant JIM S. HOLLER, Participant JOSEPH T. HUGHES, Participant PAUL E. HUNTER, Participant CHARLES ISDALE, Participant IRENE JONES, Participant DAVID C. KURLAND, Participant TOM W. LAWRENCE, Participant JIM MAKRIS, Participant SAM MANNAN, Participant PRESENT: (Cont'd) CRAIG MATHESON, Participant RUTH McCULLY, Participant FRED MILLAR, Participant ROBERT NEWELL, Participant RICHARD W. NIEMER, Participant ERIK D. OLSON, Participant PAUL ORUM, Participant ISADORE ROSENTHAL, Participant MANIK ROY, Participant GERALD SCANNEL, Participant ADRIAN SEPEDA, Participant RAY SKINNER, Participant ROBERT G. SMERKO, Participant DAVID SPEIGHTS, Participant MIKE SPRINKER, Participant PARIS STAVRIANDOS, Participant ANGELA SUMMERS, Participant ANDREA TAYLOR, Participant STEPHEN VIEDERMAN, Participant JACK WEAVER, Participant HARRY WEST, Participant INDEX OPENING REMARKS AND INTRODUCTIONS Dr. Jerry Poje 3 John Koskinen 9 PRESENTATIONS Dan Daley, Occi Chem 52 Adrian Sepeda, Occi Chem 66 Jordan Corn, Rohm & Haas 85 OVERALL RELEVANT CHEMICAL SAFETY ISSUES IN CONJUNCTION WITH Y2K COMPUTER PROBLEMS 127 HIGH PRIORITY ISSUES 182 P-R-O-C-E-E-D-I-N-G-S 8:41 a.m. DR. POJE: Good morning, everybody. It is amazing to gather this expert crowd into a room on a Friday morning in December when all sorts of other events are occurring in Washington. But we have a topic that is time-bound, and it is very important that we are here.. I would like to start with my introductory remarks. My colleague, John Koskinen, hasn't arrived yet. He has a rather busy schedule, as I am sure all of you can appreciate. When he does come, we will allow him to give us his opening remarks. The Year 2000 computer technology problem justifies establishing health and safety protection as a higher global priority. The Y2K dilemma requires strengthening all elements and their interrelatedness in our current system of safety. This means the equipment manufacturers, the facility managers and designers, the workers, the emergency response community, investigators, insurance companies, regulators, policy makers, researchers, professional societies, trade associations, environmentalists, community-based organizations and foundations. I think it is very important for us to understand that that is our system of safety. We all have a role to play in this system of safety. Simply stated, early computer designs do not function in the Year 2000. The source of Y2K problems are pervasive, involving computer hardware and software, date-related problems can affect computer clock mechanisms, operating systems, software packages, libraries, tools and application software. In addition, many different types of computer technology systems are at risk, such as personal computers, mainframe and mini-computers, programmable logic controllers, microprocessors, and embedded software based systems. The flawed designs became standard through all sectors of the world's economy, including chemical processing, handling, distribution and disposal industries. Larger technology systems developed around failed computer designs thereby creating a monumental problem. Fixing this problem is technically demanding, time consumptive and costly. Deadlines are certain and immutable. Several classes of date problems will be encountered over the next several years beginning in 1999. The major problem of relying upon two digits to indicate calendar year dating and others such as incorrect leap year algorithms, alternative number codes and rollover of registers used to store date data. While some institutions provide valuable models of due diligence in resolving Y2K problems, many governments, industries and communities are recognizing that it is too late for some important systems and organizations to repair the problem before the deadline. Available skilled personnel and financial resources are not sufficient. Many institutions have been slow to recognize the magnitude of risk associated with Y2K failures, and contingency planning and implementation are warranted. Chemical safety concerns include complete failure of safety-related systems, both for control and protection, malfunctions of embedded microprocessors and equipment, and potential failure to respond correctly to program instructions. Computer technology failures could include outright crashes or the generation of large observable errors or small accumulating errors in computer-derived data. Complicating the problem for chemical safety is the embedded Y2K problem that presents the added difficulties in locating non-compliant technologies. Of the 4 billion chips produced in 1996, 90 percent went into embedded systems. Between 1 and 3 percent of the estimated 50 billion embedded chips worldwide are subject to Y2K problems, and only a smaller percentage of these are deemed mission critical. Yet, this indicates that up to 25 million mission critical systems have a date problem. In the chemical manufacturing arena, as much as 70 to 90 percent of inventory assessment, remediation and testing efforts must be directed towards the embedded systems, which include alarm systems, computer mother board system controls, lighting controls, process controllers, pumps, refrigeration controls and valves. The goal of this expert workshop on the Year 2000 technology problem and chemical safety is to assess the Y2K problems associated with the safe management of hazardous chemicals and to identify opportunities to strengthen our system of safety. I commend the leadership, talent and public commitment of the participants in this workshop towards this task and look forward to your interactions throughout the day. You have been extraordinarily generous with your time and energy and motivation in bringing this meeting together. I hope you appreciate the rich talent to your left, to your right and across the table from you. You may not know each other yet, but I hope this meeting allows you to come together. I would also though like to take this opportunity to introduce a special guest today. Senators Bennett and Dodd have actually spurred us into this room by requesting the Chemical Safety Board to convene this meeting. However, we are also fortunate today to have the head of the President's Council on the Year 2000, Mr. John Koskinen, who opens our workshop with an assessment of the Y2K challenge before us. John Koskinen serves as an assistant to the President. From 1994 to 1997, he was Deputy Director for Management at the Office of Management and Budget, where he was responsible for OMB oversight of federal policies covering information and computers. Prior to joining OMB, John Koskinen spent more than 20 years in the private sector as a crisis management specialist, obviously bringing him to the forefront of national leadership on Y2K. John was appointed Assistant to the President and chair of the President's Council on the Year 2000 conversion in February of 1998. He has only been in this position for less than a year. He is responsible for coordinating federal government's efforts to insure that its critical information technology systems operate smoothly through the Year 2000, and the federal relationships with state, local and tribal governments and private sectors and foreign institutions as they deal with the same challenges. It is my pleasure to introduce John Koskinen. MR. KOSKINEN: Thanks. I knew when I saw the fire engines that I was in real trouble. You don't need a Y2K glitch to tie up traffic and make things late. But I am delighted to somewhat belatedly have a chance to talk with you, and I was very pleased when Jerry asked if I could join you. Because this is the kind of gathering that we have been trying to encourage really across not only the country but across all of the critical infrastructure and major industry sectors in the United States. And as Jerry was describing and as you all know, this is a unique kind of problem, particularly when you look at it from the perspective of Washington, not just because you can't move the date -- there is no way you can get an act of Congress to delay it and you can't get the judge to give you another week and you can't get the professor to give you another few days to do the paper. But also because it has a clear performance measure. For many of issues in the government we are used to thinking about what the appropriate perspective is to make sure that we are postured well. And as I have told the federal agencies, the unique thing about this problem is, as I said, not the date. It is, in fact, that the goal is not to have the better documents or the better graphs or the better arguments. The performance measure is very simple. Either the systems work or they don't. And it will be very obvious to people as we move through 1999 and the software systems increasingly are challenged, and then as we move into the Year 2000 and the hardware and the embedded chips are challenged to make the rollover. It will be pretty obvious whether we have met the challenge or not. It is indeed a fascinating challenge, because it reflects the underlying and increasing reliance on information technology across the economy and really across the globe. You hear a lot of talk about global villages and global economies, but what is clear, and those of you who are dealing in a major industry like chemical manufacturing and use understand, is that that global economy and that global village increasingly relies on the exchange of information and financial services through electronic transmissions. And while significant increases in productivity are the result of our increased reliance on information technology, now we find that it all has come home to roost. Because to the extent that this problem is not met, it really challenges everything that virtually moves around the world. So when I agreed with the President to come back and take on this responsibility, the original focus certainly of everyone has been the federal systems. And in fact, when my new best friend, Ed Yardeni, began a year and a half ago to predict that there was a 30 percent chance of a deep worldwide recession, his analysis was based primarily on the fact that the federal government and its systems were not going to be able to make it and that the billions of dollars of transfer payments would fail. We would not be able to issue Social Security and Veterans checks, and we would not be able to collect taxes, which didn't worry too many people. But on the other hand, we would not also be able to make refunds and process those transactions effectively. We wouldn't be able to put the $250 billion a year into the economy we do through the Medicare system, and in fact there would be a major economic contraction as we go forward. That is a legitimate concern and has been for some time. When I was in the government before in my prior incarnation, one of the numerous management initiatives that I had responsibility for was this problem. We organized in 1995 an interagency task force to deal with the problem. And we, like everyone, initially started to look at it as a software issue because in fact the government is primarily involved in information processing and financial transactions. But as you step back, you don't have to step back very far to be able to understand that if the federal systems all work, it doesn't do us much good if the interfaces we have with state and local governments and others don't work. Most of the -- a significant number of major federal problems are actually run and administered by the states. So that we have a major project with all of the states to make sure that Medicaid, food stamps, job training and unemployment insurance can be run effectively by their systems. And then you don't have to step back much farther to take a look at the economy and look at the world and understand that even if we get the federal systems to work and we get the state systems with which we interface to work and we have major problems anywhere else, we have not really actually been able to protect the economy and the public as we should. So we have basically worked on those three tiers, the federal systems, the interfaces, and reaching out, both domestically and internationally across the public and private sectors, to try to see what we can do in a cooperative venture to deal with this problem. And in that regard, in our outreach we have organized the President's Council, which has 35 agencies, including the regulators -- the Securities Exchange Commission, the Federal Reserve and others -- into a set of sector working groups taking a look at what are the most important sectors to us in terms of trying to protect the economy and the public. So we have a working group on oil and gas, we have a working group on electric power, telecommunications, transportation, financial services and you move through the area. And one of our concerns is the concern you are dealing with here, which is in fact the chemical industry, which has the safety issues that you are concerned with that obviously is a critical part of the economy. And even if we can protect the safety, which we need to focus on, we also need to worry about whether we can continue production. So EPA has been reaching out and working with the major associations as part of our strategy, which is to deal with this problem on a wholesale rather than a retail basis in light of the magnitude of it. So in each of these sector groups, we have been reaching out to existing trade association and umbrella groups to form a working relationship on the theory that they can then reach out to their constituent members and feed back to us information that would be important. So as you look at it, I thought it might be helpful to give you a little bit of our perspective as of today as to where we are and where we are going in a context in which you all know far better than most that it is still impossible to predict today what the end of 1999 looks like. And people who tell you what is going to happen, including the survivalists who are selling lots in New Mexico as well as the people who say nothing is going to happen, they are all making guesses. Some of them may be slightly more educated, but they are guesses because we have still substantial amounts of work to be done and it is being done in the private sector as well as in the public sector. But if you run quickly through those tiers, notwithstanding the continuing expressions of concern in some areas, starting with the federal government it is clear now as you look at the quarterly reports that the government puts out, and it was just put out on the 7th -- the quarterly reports. We have been doing these quarterly reports to the public for almost two years. As Yardeni says, whatever else you want to say about the government, it is the only transparent organization on the planet about this problem. If you want to know an agency and a number of mission critical systems and where they are, all you have to do is read the report. And according to that report, the last one that comes out, 61 percent of the mission critical systems in the government have been renovated, tested and implemented. So we are done with those. Of the mission critical systems that are at risk, 90 percent of the fixes have already been accomplished and those systems are into testing. Our goal is to have all work done, tested and implemented and operational by the end of March of 1999. And while a handful or a small percentage of mission critical systems won't meet that deadline, I think by then and even now it is going to become increasingly clear that the problems, to the extent there are any, and threats to the economy and the public won't come from the federal systems. That doesn't mean we have solved all the other problems, but whether it is the FAA or Social Security or the IRS, those systems actually are going to meet the government deadlines. That doesn't mean that there isn't a substantial amount of work still being done, just as in the chemical industry. Clearly in a couple of agencies, we have major challenges. The Defense Department has cornered the market on microprocessors and embedded chips. All those smart weapons that are now in use in Iraq are smart because of the fact that they have embedded chips in them and all of those systems have to be tested as well as all of their software and processing systems -- their financial management and payroll systems. But everybody from the Secretary of Defense on down is focused on that problem. Our other major area of focus and challenge is in the Health Care Financing Administration, which puts $250 billion a year into the health care network, and is viewed as a government system. But the irony is it is run by 60 large private sector insurance companies. The HCFA internal system will easily meet the government goals. The question is whether we can get the private sector companies to be up and running and meet those challenges. They are running antiquated technical systems. There are 7 major systems. So that while it is clear that all of them aren't going to miss the deadlines, some of them may. But they demonstrate the need that we have talked about with federal agencies and that again applies across the board that everybody needs a back-up plan. They need to be able to deal with what the eventualities are if a system you thought was fixed turns out not to be fixed or if somebody else's system that you rely on that they thought was fixed is not fixed, or if people haven't even tried to deal with it. In fact, we will do a press briefing next week on unemployment insurance, which will be the first federal program challenge. It is run by the states for us. And, it calculates benefits by looking forward a year. So on Monday, January 4, 1999, it has to be able to -- the systems have to be able to read January 3, 2000 and calculate backwards. And as luck would have it, a handful of states and territories are having difficulty getting their systems up to speed and running by then, which I think is actually terrific. Because always being an optimist, there has got to be a good story in there somewhere. It is going to allow us to demonstrate a number of things. First, that this is a real problem and that if you don't get your systems fixed, they are likely not to be able to function. Secondly, it will demonstrate to the states that where they are administering federal programs, the rest of the programs have a year to go and my hope is the governors will decide they don't want to be in the same difficulty and the same crunch as the handful are that are now dealing with unemployment insurance. Thirdly, it will demonstrate the importance of contingency and back-up plans. Because, in fact, the labor department in those states have workarounds that will allow the benefits to be paid in January across the board and the beneficiaries will never notice the difference. And a corollary to that point is it is important for the public to understand that if a system doesn't work and can't meet the challenge, it doesn't mean that the world comes to an end. There are appropriate in many cases back-up or work-around plans so that in many ways it will create more back office work and it may slow things somewhat, but if there is a problem, it can in fact in most cases be dealt with. Which moves us, as I say, if the federal systems are going to work and as I say I think we are going to have a lot of ongoing dialogue as we have now with projects with the states, the real question is what is going to happen everywhere else. I think clearly we have major problems internationally. Probably today still half the countries in the world have not made any major effort in this area on the theory either that it doesn't apply to them because they are not running big mainframe systems, or the theory that a lot of people have is that they will fix it when it breaks. They will watch and see what happens and then they will respond accordingly. So to some extent out of frustration with the fact that there is no organized global coordination of this issue, we worked with the United Nations. You may have seen the reports. We got the United Nations to invite every country to send their Year 2000 coordinator to meet with us last Thursday and Friday (December 10-11, 1998) in New York at the United Nations, partially on the strategy that if we invited countries and through the World Bank paid for one coordinator from each developing country, if necessary, we might actually get somebody appointed as the Year 2000 coordinator so that they could come to the meeting. And it turned out that that happened in a number of cases. It was on the theory that for about $2,500.00 through the World Bank if we could get somebody appointed in a country sent to New York, spend a day and a half with us and go home nervous and worried, then it would be the best $2,500.00 investment we ever made. We thought if we got 30 or 40 countries, it would be a nice critical mass and if we got 50 or 60, we would have a chance to accomplish something. 120 countries sent their senior year 2000 executives to meet with us in a stunning turnout. The only major country in the developed countries that didn't participate was Belgium. Everyone else in the OECD and across the world was there. And it generated what I think is the most valuable Year 2000 document in the world right now, which is the list of the 120 countries, their Year 2000 coordinators, their name, address, fax numbers and e-mail addresses. Because it now allows us to deal directly at the senior level in these countries with whoever is nominally in charge without going through all the diplomatic niceties of trying to figure out through our embassies and their embassies who you need to get a hold of. But we also wanted them not to just come together and commiserate about the problem. We created break-out sessions at working lunches and now have a commitment to regional cross-border activities in each of the major regions of the world. The steering group that we created was, by design, created in such a way that we have at least one country and in many cases two who are in fact now committed to being the coordinators for those regional activities -- in Asia, South America, Central America, Africa, Western Europe and Eastern Europe. As we went through the U.N. meeting and we had a series of sectoral presentations, it is clear that internationally, much as domestically and in fact in most countries, the central bank regulators have done an excellent job and the banking system, as a general matter, while there is more work to be done is going to function. And certainly domestically, as we will reveal with the assessments we are having done, there will not be major problems in the financial system. And it is a great tribute to the work that the banking system has done. As I kid the bankers, it is a testimony to federal regulation because part of the reason that it is so systemically being solved is the banking regulators -- the Fed, the OECD, the OCC and the FDIC -- I love those outfits -- have all worked together constructively with the industry, so that now less than 1 percent of the banks have any question at all about their ability to meet this transition, banks of any size. It is also clear that while, when I started, the International Telecommunications Union was not doing much, with a lot of prodding there is now a fairly significant international telecommunications process going. This may not solve the problem in every country but at least will keep the major networks around the world operating. And similarly with air traffic, the FAA has been working very actively with the international air carriers and others. At the other end of the spectrum, it is very clear that shipping has not had a similar level of activity and it is a concern of ours. We are now, as a result of this meeting, have organized a cabal, as it were, to lean heavily on the international maritime organization to in fact hold a meeting in January of all the major players -- the International Association of Ports, the IMO, all of the tankers companies which have a group called Intertanco, my favorite name actually -- Intertanco and the major shippers to try to in fact get an international now full-court press to look at what the shipping issues are. As Admiral Nakara of the Coast Guard who made the presentation to the UN noted, 95 percent of what we import in this country comes by sea. And if we have major problems in ports around the world or we have major problems with the operation of shipping, it is obviously going to be a problem for us. Domestically I think that the major infrastructures will hold. The grids will hold. Telecommunications systems will work. Clearly banking functions will work. Our risks, and they are real risks, are in those areas and with those organizations that have decided much like foreign countries that it is not their problem or they will fix it when it breaks. A lot of small to medium-size companies and public organizations have done a very good job, and we are trying to be careful not to ding everybody who is not in our huge operation. But on the other hand it has been clear from the start that a lot of particularly smaller organizations in the private sector and the public sector have come late to the game if they are in the game at all. The National Association of Counties did an assessment for us that was released last week, and it noted that on the one hand, 50 percent of the counties have an organized plan for dealing with this problem, the other side of the coin, of course, means that 50 percent of the counties don't. And that split is primarily by size. Virtually all of the large counties with over 500,000 people have an organized plan, and the majority of smaller counties do not. And as I have told them publicly, it was a great public service that they did for their members, even though the county executives were a little unhappy, because it now has, I hope, everybody in their local counties and every local newspaper asking is our county one in the 50 percent that have a plan or are we in the counties of the 50 percent that don't, because that is where we are going to have our risk. I don't think that we are going to have a major single catastrophic event that shuts down the country, but I think our risk if we don't get more activity at the local level and we don't get more activity by all the small entities in every industry group, is that we will have a series of localized problems. Our bigger risk that we are focused on is the risk of overreaction by the public. Clearly it is not an issue of how many people go to New Mexico or the high desert in California to get away from it all, because there will always be a certain number of people who want to do that. The real question is how many people decide to take what seem to be very normal precautions. If a few million do it, it is one thing. If a couple hundred million Americans all decide to do anything differently, they can create a self-fulfilling prophecy that has nothing to do with whether the systems operate or not. So if we have a substantial number of people who decide to take 20 percent of their investments out of the market or to take money out of the bank and all show up buying prescription drugs and gasoline in the last week of 1999, it won't matter whether the systems are operating. We will have a major economic challenge to deal with. So we all have a challenge to deal with. Our strategy for that, and it is a strategy that this industry and every industry I think needs to pursue, is we need to provide the public with candid information and assessments of where we are. Overreaction occurs and panic occurs when people don't have information or there is a void and rumors then hold sway because that is the only information out there. So one of the things I would encourage all the individual companies as well as this industry is be candid. The lawyers all say, gee, don't say anything, even in the face of the Information Disclosure Act we got passed. Some public relations firms are saying, wow, you know gee you have got to be careful. People were appalled in a public relations firm gathering that I would even consider going on 60 minutes. I tell you, I think it is the wrong approach. I think your customers and the public and government agencies you relate to and others will all feel a lot better about the process if they know where you are and they know you are working against the problem. So the first thing we have to do is get more real information out and it needs to be candid. We cannot mislead people about the nature of the problem or what is fixed or not fixed. My goal, as I have said, is for the public to feel they know everything I know. So we are going to provide all the data and all the information as we get it to the public because I think they need to know that. The second thing they need to know, and again this meeting is a step in that direction, is that we are managing against the problem. Again, people panic and decide that it is every person for themselves when either they don't have information or it looks like no one is in fact in an organized way dealing with the problem. So in an area as important as the areas you are dealing with today about public safety and the safety of chemical plant operation, but as I say also, I think, in the ability of chemical plants to continue to provide the critical products they provide, it is important for people to understand that the industry is working together and companies are, in fact, managing against the problem. The reason we have these working relationships, I think it is important for the public to understand, is that the government and the private sector are working together cooperatively to deal with this issue. This is not a question of people regulating or yelling at each other or trying to find blame. This is an issue of all of us trying to make sure that we meet that performance standards and that the systems, or as many of them as we can, work. The third thing we have to do, and again I think it is part of the information flow, but we have to establish for the public that, in fact, our normal emergency response mechanisms have been reviewed and updated, and, if there are problems, we will be able to respond to them. People have a great deal of confidence in our ability to respond to natural disasters and they have a great deal of confidence in our ability to respond to industrial accidents and problems because we have experience and we have organizations and they understand that. What we must have people understand, and it has to be a reality, is that we are prepared to deal with whatever problems occur through 1999 and at the end of 1999 and that we are building on the existing emergency response systems. And if we can get that information across to the public, and if we can share that information on a regular basis, I think then there is a tremendous amount of common sense in the body politic and people will respond accordingly, and we won't aggravate whatever difficulties we have by allowing people to overreact to the issue. A final request I would have, and one of the reasons I really was delighted to come and talk with you, is that as you know in response to the ongoing dialogue we have had with a whole set of industry sectors, Congress to its credit passed the bill we suggested, modified and made better by that process, providing protection for voluntary disclosure of information. And it is critical, we think, for people to not only exchange information about how they are doing, but in areas like chemical production and operations as well as telecommunications and power, we need people to share technical data and information about their experience with products, their experience with systems, where the problems are, where the problems are not, where there are problems how they were fixed, what the testing protocols are and what the testing results are. The statute very clearly protects all of that information in terms of being shared both from anti-trust charges and also from charges of product disparagement from anybody whose products you talk about and also in terms of negligence or other liability claims if the information isn't 100 percent accurate. In fact, unless you lie about it, you are protected totally. And the reason for sharing that is obviously major players and companies need to be able to take advantage of that, because nobody knows exactly how to test for this because nobody has ever had to deal with this problem. So it is important for people to be able to compare test results. Equally important, if you look at the issue internationally and if you look at the issue in every industry, and in this industry as well, the smaller players who are coming late to the game may have far fewer technical resources and they clearly have less time. We have 378 days left -- but who counts. Those less-resourced people and businesses need to be able to take advantage of the experiences that other people have already had. We talked in New York where the vast majority of the countries there are developing countries, and what they need is, besides time, not money so much as they need technical information. If you are running a water treatment plant or a waste treatment plant or a chemical plant or a power plant anywhere in the world and you are late to the game, your only chance of making it is to be able to know what the experience of others has been about where the problem is and what the fixes are and what the tests are. And while there are only 378 days left, there still are 378 days. And while I have said, while it is never too late to start, it may be too late to finish. But nonetheless, the work has to be done. And if it is a 6 to 9 month process or it is a year and a half process, if you don't do the first year's work now, it is going to have to get done in the year 2000. So I would encourage the trade associations represented here and the companies here to work together to figure out how do you get on the Web sites and otherwise in the public domain the information you've got about how you dealt with this problem. And if we can do that and we are pushing and encouraging people across the board to do that, you will have made a major contribution not only to your own companies and industries as a solution to this problem, but you will have made a major contribution to the ability of people around the world to be able to get through this problem with as little difficulty as possible. So Y2K is a major challenge. I don't think there has been anything like it that anybody that I know anyway has been able to identify in terms of a problem that cuts across all sectors and a problem that cuts across all countries and in fact is going to happen more or less in a very constrained period of time. But on the other hand, I think that we are making great progress. There are increasing numbers of meetings like this where people are cooperatively looking at problems together. And as I say, not saying who is at fault, but basically trying to figure out how do we solve the problem. So I really appreciate and commend Senator Bennett and his staff and Senator Dodd, with whom I have had a very close working relationship, for encouraging this meeting to be held. And I appreciate the fact that all of you who have day jobs that don't involve sitting in this room have come together to share the information and to develop a common perspective about where we are going. And as I say, my sense is the public understands this is a complicated problem, and they don't expect the result of this meeting to be there is no problem or it is all solved. I think people will be delighted to know that we have isolated where the problems are and what work remains to be done. Because as I say, if they are confident that we are engaged in that mode of cooperative action, I think they will be confident that we will solve the problem. So I appreciate the time and wish you all good luck. DR. POJE: Thank you, John. Please take just a brief opportunity to introduce ourselves to each other. We have prepared background bios from everybody and we have also provided a list of participants. There are many corrections to be made to this list. I am going to circulate it around. But I think it is important for us all to know the qualifications and experience of the people from various sectors who are around this table. I am Jerry Poje with the Chemical Safety Hazard Investigation Board. MR. KOSKINEN: I am going to stay and listen to find out who you all are. DR. POJE: To my left? MR. DALEY: I am Dan Daley with Occidental Chemical. I am the Maintenance Director. MR. SEPEDA: I am Adrian Sepeda with Occidental Chemical Corporation, and I am responsible for the Process Risk Management Programs. MR. CORN: I am Jordan Corn with Rohm and Haas. I am responsible for the Year 2000 Process Control Program. MR. FRAUTSCHI: I am Mark Frautschi. I am with Shakespeare and Tau Consulting. I am interested in embedded systems and the human and social dimensions of the Year 2000 problem. MR. DEAN: Hi. I am Norman Dean. I am the Executive Director of the newly created Center for Y2K in Society. Our role is to try to mobilize the non-profit community and foundations to take an interest in this issue. MR. FRODYMA: My name is Frank Frodyma. I am the Deputy Director of Policy at OSHA (Occupational Safety and Health Administration). Among other things, we handle interagency coordination with organizations like EPA and the Chem Board. MR. SKINNER: I am Ray Skinner. I am the area director of the Houston South OSHA Office. We are very, very much concerned with the continued safety. We are very proud of the chemical industry for the progress they have made so far in the implementation of the process safety management of highly hazardous chemicals, and we want to make sure that the Y2K issue does not cause us problems. MS. GREENHOFF: My name is Cheryl Greenhoff. I am the new IT director for OSHA. I have just been on board a couple of weeks. MR. CALHOUN: I'm Dennis Calhoun, Citgo Petroleum Health, Safety and Environmental focusing on Y2K contingency planning and crisis management and I am here representing API. DR. ROSENTHAL: Isadore Rosenthal. I am a new member of the Chemical Safety Board. I come with a background in the chemical industry and more recently in business studies. MR. SCANNEL: I am Gerry Scannel, President of the National Safety Council and former Assistant Secretary of OSHA. We have over 17,000 members that are anxiously waiting to see what they should be doing. Unfortunately, they should have started before now. MR. KOSKINEN: Tell them it is never too late. MR. ISDALE: I am Charles Isdale. I am a process control consultant and part-time senior lecturer at Texas A&M University. MR. BRADSHAW: I am Jerry Bradshaw, also a lecturer at Texas A&M University and representing the Mary Kay O'Connor Process Safety Center which we have in the chemical engineering department at A&M. MS. JONES: I am Irene Jones representing Huntsman Corporation in Houston, Texas, and I am responsible for process safety and risk management. DR. MANNAN: Sam Mannan, Director of the Mary Kay O'Connor Process Safety Center at Texas A&M University. We have made a major commitment to process safety and issues related to process safety. So we think the Y2K issue is a major issue for us to deal with. MR. SUSIL: I am John Susil, representing Celenese Corporation from Dallas, a chemical manufacturer. I am manager for process safety for Celenese. In addition to that, I chair the global steering committee for Y2K for Celenese. MR. KOSKINEN: I assume that was a skiing accident. No? MR. SUSIL: No. It is just years of abuse. I wish it were something more exciting, but no. MR. LAWRENCE: I am Tom Lawrence with Risk Reliability and Safety Engineering and Safety Consulting firm, and I am here representing the American Society of Safety Engineers. DR. WEST: My name is Harry West, Shawnee Engineers out of Houston, Texas, and I represent the small systematic integrators who are being blamed for all these problems. MR. HUGHES: My name is Joseph Hughes and I work for the National Institute of Health and I am the Director of the Superfund Worker Training Program. We focus on training chemical workers and emergency responders, and we are thinking about undertaking a training initiative over the next year to look at the Y2K preparedness. MR. KURLAND: I am David Kurland. I am a senior counsel with Rohm and Haas Company. I have been providing legal counsel to my company on its Year 2000 efforts. I have also been chairing an information sharing group -- a technical information sharing group within the Chemical Manufacturers Association, where we get a lot of folks who are working on this problem together in a room and talk about where we are, what we are doing, testing results and other kinds of useful information. MR. HART: My name is Dave Hart. I work with Rockwell Automation and I work on mostly customer and Y2K issues. MR. HAYES: I am Ron Hayes. I am from Sunoco. We make gasoline and chemicals and I am in the manufacturing group. MR. VIEDERMAN: I'm Steve Viederman, President of the Jessie Smith Noyes Foundation representing no one. However, we fund environmental work at the community level. And, we are deeply concerned about the impacts of the whole Y2K issue from chemical safety to everything else on communities, and we will be reporting back to them because of our concerns for community and workers. DR. TAYLOR: Good morning. I am Andrea Taylor, newly appointed board member for the U.S. Chemical Safety Board. I would like to alert those up front that it is very hard to hear in the back of the room. So if you can project your voices for those of us who are hard of hearing, it would be much better. Thank you. DR. HOLLER: Good morning. I am Jim Holler with the Agency for Toxic Substances and disease registry. I am responsible for the emergency response activity, which deal with public health issues in acute release situations. MR. NEWELL: I am Bob Newell from Honeywell's Industrial Control Division in Phoenix, Arizona. I am the Year 2000 program manager for the customer response for all the products we have in the world. DR. NIEMEIER: I am Rick Niemeier from the National Institute for Occupational Safety and Health. I am a senior toxicologist and the Internet guru. And because of that Internet guru title, I have been awarded the Y2K problem for the Institute. In about another week or so, we are about to launch an Internet site where occupational safety and health professionals can share their issues about the Y2K problem. And we are working closely with OSHA and trying to address these occupational safety and health issues for Y2K. MR. SPEIGHTS: I am David Speights. I am Deputy Director of the Chemical Emergency Preparedness and Prevention Office at U.S. Environmental Protection Agency. And we are involved in both the Y2K problem for its impact on EPA itself and government, and also for its impact in the chemical industry and particularly its relationship to risk management plans and the general duty clause in the Clean Air Act. MR. DUFFY: I am Rich Duffy. I am the Occupational Safety and Health Director for the International Association of Fire fighters. We are the labor union that represents 225,000 men and women that are fire fighters and emergency medical personnel. We are probably ill prepared at this point for December 31, 1999. MS. EPSTEIN: I am Lois Epstein. I am an engineer with the Environmental Defense Fund here in Washington, and we are interested in the range of environmental impacts that might be associated with the Y2K issue. DR. MILLAR: I am Fred Millar. I am formerly the Toxic Director at Friends of the Earth. And in that capacity, I initiated Section 112R of the Clean Air Act, which means that on June 20 of next year, 66,000 chemical companies will for the first time reveal to the public their worst case accident scenarios off-site. If that is a time of rising concerns about Y2K, it should be a very important thing for us to work on. I am now doing some writing for the National League of Cities and other people with the Public Technology Incorporated in terms of what local governments should be doing to work on Y2K. DR. DAVIS: My name is George Davis. I am here representing the ISA, which is the International Society for Measurement Control. Our role in the Y2K equation is to try and disseminate as much information as we can to a membership of roughly 50,000 to 60,000 process control engineers worldwide. MR. ANDERSON: Hi, my name is Joe Anderson. I am the Health and Safety Director of the Oil, Chemical and Atomic Workers International Union. As you can tell from our title, we represent many of the workers that will be employed in the facilities which you all represent. So, we are happy to be at the table. We are very interested in being integrated into both the planning and process implementation phase of this Y2K problem. We think that we can offer both important information and facility to deal with this problem. DR. GODDARD: My name is Keith Goddard. I represent the State of Maryland Department of Labor. I also administer the occupational safety and health program in our state. DR. WEAVER: I am Jack Weaver. I am representing two groups today. The first organization is the American Institute of Chemical Engineers and the several divisions of the AICHE which deal with safety, computer controls, engineering design and construction. And secondly, I am representing the Center for Chemical Process Safety, which has about 85 members, 60 of them in the chemical, petroleum and pharmaceutical industry with others including contractors and consultants. Over 100 universities are associated with the center and we also have strong affiliations with government agencies, including DOE, EPA, the Health and Safety Executive of the UK, and the Chemical Safety Board. DR. SUMMERS: My name is Angela Summers. I am the Director of Premier Consulting and Engineering. We are an independent consulting organization within Triconex Corporation. Triconex manufactures a triplicated computer system used in emergency shutdown systems. My group supports user companies such as OxyChem, Shell and Exxon in the application of those computer systems. MR. BRANT: Good morning. I'm Bob Brant with the Chemical Safety Board. I head up the investigations for the board, such as the chemical investigations of refineries. I am glad to see this group addressing Y2K here because we already have enough work. MR. MAKRIS: My name is Jim Makris. I am the Chairman of the United States Government's National Response Team, and I direct the Chemical Emergency Preparedness and Prevention Office at the Environmental Protection Agency. If you want to understand how I spend most of my time, it is carrying out the program that Fred Millar says he initiated a few years ago. MR. HUNTER: My name is Paul Hunter. I am with the Senate Special Committee on the Year 2000 technology problem. This area of chemical safety and chemical manufacturing and Y2K readiness has become my responsibility. On behalf of Senators Dodd and Bennett, I would really like to thank the Chemical Safety Board for arranging this meeting on such short notice. It has been an excellent cast of members that Jerry has pulled together, and we are really appreciative of him doing that. MR. BROCK: My name is Ken Brock. Andrea, you can tell them who I am back there if you can't hear me. I am Senior Vice President for Loss Prevention at HSB Industrial Risk Insurers. If the name is not familiar, we were the old IRI. I guess I represent the insurance industry because my partner from Factory Mutual is not here yet. I am in charge of loss prevention services that we provide to our global 1000 customers, and we are very interested in fire and explosion issues. My field staff are working with our customers on Y2K issues and have been for some time. DR. SMERKO: Good morning. I am Bob Smerko, President of the Chlorine Institute. The Institute's mission is the promotion of safety in the production, distribution and use of chlorine, which is a critical chemical for the world. We recently put up a Web site for sharing information about Y2K among our members. MS. RICKETT: My name is Kate Rickett. I work at EPA on the Year 2000 outreach project. MR. JONESEY: My name is Gary Jonesey. I am a senior counsel at the U.S. EPA's Enforcement Office. I was the primary drafter of the Y2K enforcement policy. In the short-term, I am most interested in any information or perspectives that people might have that would cause us to revise the policy. It is available on our Year 2000 Web site, but we will be making any revisions that might be necessary over the coming three to four weeks and then publishing that in the Federal Register. MS. WARNER: Hi, I am Karen Warner from the Bureau of National Affairs. I am covering this meeting for Daily Environment Report and other publications. MR. MATTHIESSEN: I am Craig Matthiessen, a chemical engineer with the Chemical Emergency Preparedness and Prevention Office responsible for chemical accident prevention programs. MS. FRANKLIN: I am Kathy Franklin, EPA, and also with the Chemical Emergency Preparedness and Prevention Office. MR. ORUM: I am Paul Orum. I coordinate the Working Group on Community Right-to-Know, an affiliation of public interest groups in all 50 states, representing more than 1,500 groups concerned with disclosure of chemical hazards and the use of that disclosure to reduce those hazards. MR. OLSON: I am Erik Olson with the National Resources Defense Council and also here on behalf of the Campaign for Safe and Affordable Drinking Water, a coalition of about 300 groups. We are particularly concerned both about chemical releases to air and water. However, we also are concerned about losses in critical infrastructure, particularly water and waste water, and what impacts that may have on the chemical industry and many other aspects of what goes on. MR. MILLER: My name is Robert Miller. I am the Information Systems Manager for the Chemical Safety Board. MS. DAY: I'm Felicia Day, Right to Know News, Thompson Publishing. MS. BARTON: I'm Delila Barton, the Thompson Publishing Chemical Process Safety Report. MR. COGAN: My name is Phil Cogan. I am head of external relations for the Chemical Safety Board. MR. SMITH: I am Jonathan Smith. I am a reporter with Chemical Engineering. MR. MORALES: I am Oscar Morales with the Environmental Protection Agency working inside and outside on the Y2K problems for the Office of Toxic Substances and the inclusion of prevention policy. MS. MORGAN: I'm Renee Morgan, U.S. Chemical Safety Board. DR. STAVRIANIDIS: I am Paris Stavrianidis, and I am the Director of Risk Engineering for Factory Mutual insurance company. We provide research engineering and loss prevention services to our insurance customers. MR. LAMAR: My name is Eric Lamar. I'm Director of Hazardous Materials Emergency Response Training for the International Association of Fire fighters. MS. LINDHART: I'm Joanne Lindhart from Organizational Resource Counselors. I represent users and producers of chemicals, some of whose members are in this room and some who are not. MR. ERNY: My name is Bill Erny. I am with the American Petroleum Institute at headquarters here in Washington, DC. I am a mechanical engineer. I am here representing the interests of the petroleum industry with Mr. Calhoun of Citgo, and we certainly want to ensure the safe petroleum operations here in the United States. MR. MARSHALL: I am Mike Marshall. I am with OSHA. I am the program coordinator for OSHA's Process Safety Services. MR. KIRK: Phil Kirk. I am with the Chemical Safety Board, and as you might have guessed from my photographic activities, I am with the Office of External Relations. DR. POJE: Okay. We have heard everybody's names. I would encourage you throughout the day, particularly at breaks and at lunchtime to engage each other in conversation. One of the messages that John Koskinen gave to us this morning was the importance of disseminating good information and to be candid. We are blessed today with having two presentations to initiate our discussion. The presentations are by our colleagues from OxyChem and from Rohm and Haas. The purpose of the presentations is not necessarily to put both of these companies under a microscope, but to give us examples of how companies are coping with this issue. I commend the individuals and their companies for their willingness and eagerness to provide these presentations and information for your briefing books about how they are coping with their Y2K problem. So without further ado, I would like to introduce Dan Daley and Adrian Sepeda from OxyChem. Our schedule calls for about a 20 minute presentation, and we will allow 15 minutes for questions and answers. Then we will hear from Jordan Corn at Rohm and Haas. MR. DALEY: Thank you. I appreciate the opportunity to come and speak to you. This is one of those areas that it probably takes 2 million words to adequately describe. I am not going to have time for that today. So if you would please hold your questions until the end, and I will try to get through this briefing as quickly as possible. What I am trying to do here is explain what OxyChem is doing to address the Y2K problem. Basically in OxyChem our Y2K program focuses on five key areas -- information technology, control systems, the supply chain, which consists of suppliers and customers, and contingency planning. In each and every key area that I mentioned above, the Y2K program will depend on a specific process that includes each of the following steps. The first step being conducting an inventory of all the devices, systems or relationships where there is a concern about Y2K failure. When I use the term all, basically it is an issue of trying to find all of those devices. For example, we have done inventories at our plants. At the time that we did the inventories on the 40 plants that we have internationally, we identified 30,000 embedded devices. So there is a large quantity of devices to follow up on and process. The kinds of relationships that I am talking about is supplier relationships where effectively if we lose a supply, our plants will be interrupted. I mentioned the customers. Clearly on that end of the Y2K program, we are getting a lot of inquiries. We are getting thousands of inquiries from our customers. But we are primarily concerned with what we call close-linked customers. Those customers where if they have an interruption, it would back up into our plants. The next step is investigation. We are determining the true likelihood of failure and the impact should a failure occur. That is one of the most difficult parts of the program, truly understanding the likelihood of failure. Just because you find a device and it contains a microprocessor does not mean that it has a high likelihood of failure. As a matter of fact, a very small percentage of the devices are likely to fail. Remediation includes the actions that will correct the Y2K related deficiencies or mitigate or impact their failure. And finally documentation includes the creation of the information needed to share the results. And a large piece of what we are doing upon which our program amongst those 40 plants depends is the ability to share results so that people aren't doing things in a redundant manner. If we want to focus on process plant safety, the two most important areas of our program are control systems and contingency planning. Control systems refers to the process being used to identify and correct problems associated with microprocessors and programming that is embedded in systems and devices used to monitor and control process plants. This basically includes distributed control systems (DCSs), programmable logic controllers (PLCs), the whole range of smart controllers, and anything that has a microprocessor built into it. At the beginning of our program, there was a perception that microprocessors had come into our plants in a much smaller way than they really have. One thing that you have to realize is that if you've replaced things over the last couple of years, the only kinds of devices that you had available to replace with in many cases are devices that in some way contain a microprocessor. So there are just a lot more microprocessors in the plants than you might first imagine. The second issue is contingency planning, and that is the process used to identify the likely scenario and make plans to deal with it, and to surface possible situations and to assure ability to respond to them. I think the two important words to highlight here is the 'likely scenario.' It is important to actually have identified the devices and the relationships, screened all of those, and to build that into a likely scenario of what you are going to have to deal with. And then also go beyond that and take it to the point of understanding what the possible scenarios are if, in fact, you didn't find everything. This is a detailed slide. I am sure you are probably not going to see everything. You might refer to the briefing books that you received. What I tried to do in terms of how we are going about handling systems is focus on one of the areas, handling of control systems. The first step is basically to identify again all underlying systems and devices containing microprocessors and programming. The second is to prioritize all identified systems according to likelihood of failure and impact of failure. I think everybody is used to a Process Hazard Analysis (PHA) prioritization grid. We assigned a priority code based on both likelihood of failure and impact of failure. The next step is to investigate. Here basically we attempted to develop a standard methodology, and I will emphasize the importance of standardization in creating processes and programs that can be used across your entire enterprise. My sense is that probably with many of the different companies you talk to, you will find out that they use a different approach, but it is important that they standardize that approach and they adhere to that approach. Within OxyChem, basically the approach that we use starts with triage by priority. Clearly the items that are down with a low likelihood of failure and a low impact, the benefits of investigating and carrying on the work on those is fairly small, and so we tend to prioritize those out and not work on them as part of our early program. The next step is sharing information. We have set up the sequel server data base in which we compile all the information about the devices that we have investigated. As a second step after prioritization, we ask for plants to look at similar devices from other plants to see if they have already been cleared. And if they have, basically engineers use that information to clear their own devices. The third approach is to use vendor information. Facility managers eliminate items vendors have tested -- underline have tested -- and confirmed to be compliant or not a Y2K device. Again, some folks take the point that everything needs to be tested. Well, everything is not a Y2K device. Everything does not contain a real time clock. And it is important to understand those things that do not contain a real time clock and get them off your list. But in addition, rather than just going to a vendor and asking for a verbal response, "Is this device compliant or not?", if it is a Y2K device, it is important to understand that it has been cleared by some testing procedure like a Sematech test rather than accepting some people's claim that they are certain that it is clear. The next step is physical inspections. If previous approaches haven't worked and you have a spare device on the shelf, it is possible to actually do a physical inspection. If the device does not have an internal battery, it can't maintain an internal date. If it doesn't have digital exchange of signals and it only exchanges analog signals, it can't have its date renewed externally, then it is also not a Y2K device. So it is possible by physical inspection to eliminate some additional items. If all of the above, which are less expensive ways of doing things fail, then basically we go into detailed testing. Detailed testing requires rigorous preparation and rigorous execution of the test. One thing to be certain of is that you can get yourself in more trouble testing if in fact you haven't done it right. From that information, we create a data base to record results and share the information. The one piece of advice I would give is think about your end results before starting to develop a data base. We spent some time doing that. I know of a number of other companies who have not done that. Basically they end up with a bunch of spreadsheets all over the different plants and they have a very difficult time in sharing information. On the other hand, don't spend all of your time working on the means to the end. Get into the process of clearing things and start remediating things as quickly as possible. Provide adequate technical support. While not a particularly technically demanding issue, there are some important subtleties about Y2K, such as clock cycle issues -- basically the issue of register overflow. Just because you can't see that a device uses a date and it doesn't print a date, that doesn't mean that somewhere in the device that a date is not being used and is not critical and may not cause a Y2K failure. So be certain that you understand clock cycle issues. Another problem is the integration and interrelationship issues. Overall work process flow focusing on the right things. Make sure that your process basically understands how you plan to clear things and that you are focusing on the right things. There are Y2K issues or Y2K-like issues that will not occur in the Year 2000. For example, on clock cycle issues, one manufacturer is selling devices claimed as being Y2K compliant that will have a register overflow condition that will occur in the year 2006. That approach is not really what we are after. We are after something that we think will have addressed all these date problems. Next comes remediation. Again, create a standard methodology and use the standard methodology. Here I offer one piece of advice: don't try to be opportunistic. Fix the Y2K problem. In many, many cases people are saying, "Gee, this is broken. Let's go ahead and upgrade and take care of a whole bunch of things that we want to do in the future." If you spend too much time in engineering doing that, you are not going to fix the Y2K problem and get it done on time. Take patches and fixes that are supplied by vendors. Lots of vendors are providing free patches and fixes. That is the cheapest, easiest, fastest way to get it done, and those are the best things to use. When a vendor doesn't have a plan for remediating their equipment, fire up the steamroller. If you are dealing with vendors and they don't know what they are doing, you have to get after them fast and escalate it through the organization. Using this approach avoids the problem of having some poor engineer in a plant fighting with a big vendor trying to solve problems. This is not the time for normal budget cycles. Basically it is time that you get your program funded and get things remediated. Track remediation to insure closure. Make sure that there is a system in place that basically tracks each device to the end when it is cleared and it is ready for production and then test after remediation. Finally, we come to documentation. Create a minimum standard requirement for documentation. Describe what, where, who and when. Don't duplicate documentation. For a company like OxyChem that has both a central corporate function and a plant function, basically make sure that you are doing your documentation at one place and audit while the work is being done. That is one of the key points. For the process that we are using at OxyChem, we need to make sure that all facilities are following the intent of that process and not just slipping by somehow. I am going to say a few brief remarks on contingency planning. Adrian will say more. I think that the SEC's requirement to identify the most likely worst case scenario is a good one. This requirement tends to focus on each plant and each company truly understanding what is the most likely case. And that is important to go down and specifically for each area, such as for IT systems identify what is the most likely worst case scenario there, what is the most likely scenario for control systems, and so on down the list including suppliers, close-linked customers, for the surrounding community. And after that, Y2k contingency planning requires creating a composite scenario that assumes multiple problems occurring simultaneously. That is probably the biggest difference from conventional contingency planning. Many of us who have worked in plants have spent some time on the wrong end of a fire hose, but we have done that and there has been a communication systems in place. We have been able to communicate. We have had radios and we have had phones. Think about it if you are on the wrong end of a fire hose and there is a problem and you don't have a communication systems. How would that work? How would you get around that issue? Conduct what-if exercises and conduct table-top exercises. Now onto the emergency response piece. Basically above the line here we are thinking about things that we have been able to accomplish and quantify. And, below the line in emergency response we are thinking about all the 'uns': the unlikely situations, the unrecognized problems, and those that we have been unable to address. In those cases, basically those are the scenarios that are not as straightforward and they are not as well quantified, but we need to be able to respond to them. Finally, the last thing I wanted to mention is I think successful Y2K programs will incorporate the following characteristics. Under project management, you need a 'take charge' leader. If you are a fan of Star Wars movies, you probably remember when Darth Vadar arrived at the death star and said, "I am here to put you back on schedule." You need somebody like that. In many organizations, the information technology (IT) people are heading Y2K problem resolution. And yet, in many cases, an IT project manager does not have the same kind of project managerial skills that we expect in engineers who build plants and does those kind of things. You need somebody that is a steamroller kind of person. Under process development, recognize that nobody has ever done this before and it doesn't come naturally. You need someone who understands and can articulate how the process will work in a plant. Don't allow the process of clearing devices or remediating devices to be done 47 different ways because it is going to take a lot longer. Standardize the way in which you do things. Under process implementation, realize that in the last 10 or 15 years, billions of dollars have been spent on reengineering. Go out and find one of those reengineered processes that is working the way it was designed to. It is important when you design your process that the people use the process as it was designed and you have a mechanism in place that allows people to understand that. Finally, define accountability and authority. Make sure that somebody has been pointed at and told, "This is your job. It is critical that you get this done and you are going to have the resources to do it. Are there any questions about that?" MR. SEPEDA: In building on the Y2K program structure that Dan described, and specifically the triage sections and the likely worst case scenario sections, OxyChem has developed contingency planning into three broad groupings around those things that you would do for: 1. continued operations, 2. safe shutdown, and finally 3. emergency response. As you examine each of these I sequence and again falling back on the structure that you saw earlier, you transcend from the more likely scenarios down into addressing the more unlikely scenarios. Specifically, the first level of contingency planning deals with those things that are necessary to keep your facility running in an environmentally and safe fashion. What are the preplanned items that you can deal with and that you should implement to keep the facility on line but also operating environmentally and safety? I will present just a few examples. I won't elaborate on all of these, but to give you some idea of the things that you should consider. You might want to look at adjusting inventories, both incoming and outgoing, and perhaps waste water systems, so that you build in some flexibility from normal time constraints to address issues and respond to those issues and continue operations without excursions. If you are a small user of some types of utility services that you are buying from others or perhaps even generating yourself, you can look at ways that you may be able to supplement or back-up those systems. For example, you could purchase compressed air -- bottled compressed air and nitrogen systems to back-up generating systems on plant site, and maybe you could even purchase some portable steam generators that would supplement steam that you are buying from a neighbor who could also have Y2K problems. Dan mentioned communication systems. Sometimes our communication systems are so sophisticated that very small upsets bring the entire system down. You may want to look at other ways that you can communicate, perhaps some low-tech systems that will allow you to communicate over relatively short distances. Other things that you can deal with are perhaps the increase of staffing at certain key times. A number of dates may be key, not only the midnight at the turn of the century, but some of the embedded systems perhaps have actions that are taken hours after that. They may recognize the date change but not have an action to take immediately. So it may be an impact that falls sometime after that. You may have some units that you run part-time. Plan ahead. If you are a batch operator, maybe you want to plan so that your batches aren't in the middle of something at what you view key time periods are. If you have some units that you only run part-time, run them and get ahead and shut down during the key times so that you have more resources available to address major issues as they arise. There are a number of inputs and outputs in the system. Perhaps you have to make other travel arrangements, both for your commodities and perhaps for your people as well. One thing that popped up that we thought might be important is there may be an opportunity for you to lock yourself out of your plant. So you might want to examine your security systems and make sure that they positively work and you guarantee it and you know it. If not, make sure that you have ways to go around those systems so that you can get into perhaps your plant, that the gates work, or that you can get into key rooms in your plants or perhaps computer systems. As you go down the list of likely scenarios and their impacts and you look at it in a variety of categories, the next thing is what if the plan doesn't work. What if there is an issue that comes about in the plan itself and the first level of contingency planning didn't take care of it and you recognize that you have to shut the facility down? So what are the things that you can do to shut the facility down safely? Again, I offer some examples. In all likelihood, it is going to be in the middle of the night. So you might need some lights or some very simple things as to make sure that everybody has a flashlight with batteries in it that work and that it has been checked, or assure that maybe there are some portable light stations. Again, assure staffing of key people to perform various functions. Shutdowns take a lot of work. So you want to examine those procedures and ask what are the functions that we might need to have an orderly shutdown should we have different types of service interruptions. Perhaps the problem could arise from something that was overlooked within your site or perhaps it could come from an external influence. Those externalities are the more likely things that could occur: external inputs causing you to bring your plant down. So how are you going to address those? Maybe there is one or maybe there are two or three things that may be happening to you at one time. Be sure and test all of your emergency shutdown equipment and systems and so forth. Industry typically goes through the emergency response plans and drills and even start-ups and shutdown training and drills to make sure that they know how to do that. If you have some opportunity to predict more likely times that you are going to do this, take advantage of that knowledge and pre-plan and test systems as much as possible. Obviously, you want to test your Uninterrupted Power Supply (UPS) systems. For communication systems, if you have a system that requires vent scrubbing, make sure that that works. And look at how it might work under a variety of conditions with various system failures. Do some shutdown drills. You don't necessarily have to shut the plant down. You can do table-top drills, you can do intellectual drills, you can do walk-through drills. There are a number of types of drills that you can go through, but conduct some drills on shutdown and know how would you shut this facility down if you had this type of failure or this type of failure, and again go back to the risk breaking that you looked at when you said what are the likely scenarios that may occur. And finally, after you go through the plan and you have proceeded all the way through the first level of contingency planning where you are trying to keep plant processes running and the second level where you are trying to effect the safe shutdown, should you have an incident, what are you going to do in your emergency response plan to make sure that you have the proper attention and address emergencies in an appropriate fashion. Most facilities do drills pretty regularly. Emergency Response Planning provides an opportunity to enhance those drills looking at a variety of factors. You may want to have your emergency response team on some kind of active standby. As you proceed through the other layers of contingency planning to see that they build upon each other, some actions are the same for all levels of contingency planning and some of them might have very specific use. And some people play different roles. So you have to look at where are you in the contingency planning and what might happen next. If you have an emergency response team or a control center, you may want to activate that during key periods or you might want to make sure that it can be quickly and easily activated. If communications are anticipated to be a problem, you might want to verify how you are going to handle the communication systems, both with your outside emergency responders and maybe with the community around you. How are you going to provide information if someone, an outside emergency response agency, is no longer able to provide that to the community? How can you work with that agency so that you or the agency has a back-up system for providing communication to the community around you? And how are you going to be able to call for emergency response if the communication systems are out or maybe other systems are out? Again, you want to start looking at having drills considering various types of failures, maybe multiple system failures, both internally -- what might happen to you internally and then how do you deal with outside agencies or responders or anyone around you when you have more than one failure. As you walk through those, you can see that they tend to build on each other and they are just examples. To make it work effectively for contingency planning, you have to do that very specific work, first for your company because it has a specific and designated type of culture, then you look at the business groups and you walk it all the way down to the individual facility. Contingency planning for one facility is probably a little bit different than it is for another facility, maybe even within the same business group. What might be important in silicates operation may be somewhat less important in a chlorine manufacturing operation or in a facility making some kind of special chemicals like resorcinol and so forth. So you have got to look at the specific facility that you are dealing with and decide what are the likely scenarios. What are the things that you can do to preplan to first look at on-line, shutdown, and then effective emergency response? Dan and I will be glad to enter into a discussion and answer some questions if you would like. DR. POJE: Thank you very much, Adrian. While I know we are a little bit behind schedule, I want to take a few questions. Dan and Adrian are going to be here throughout lunchtime and the rest of the day to provide additional informal responses. Jack? DR. WEAVER: A question for Adrian. There are lot of really good insights here, and I think suggestions that many hadn't thought of before. One that occurred to me was that in the first level, the continued safe operations, as you are planning for the event, Year 2000 or one of the other date-sensitive events. A number of the things that are recommended are counter to normal practice, such as minimizing inventories of products and maximizing inventories of raw materials. Am I correct in presuming that you would want to reverse that or rectify that at some point after you are past the critical time point? I am thinking in particular of maximizing raw materials where they might be hazardous. MR. SEPEDA: Yes. And I had written down in the contingency plan, 'safe' levels. You probably have what your operating level is, and beyond that what your safe maximum operating level is. A number of facilities have gone to just-in-time inventories, both inputs and outputs. So you may have reduced flexibility for your normal operations. If you suspect that you are going to have some problems -- even on a daily basis if you suspect you are going to have some supply problems, you typically may alter those inventories. Both input inventories and output inventories may change, if you have a shutdown coming up or if you know that you are going to be doing some maintenance in your plant that might reduce capacity. Well, in the Y2K arena, you have the same type of issues. You have some kind of warning, so you may want to adjust those inventories for a short period of time, but that is not forever. You are right. At the end of that time period, you would go back to your most efficient mode of operation. DR. WEAVER: And I guess the other side of that is how far ahead of the event do you build up those inventories of materials? MR. SEPEDA: That is going to be very specific to the plant, the suppliers, and the types of scenarios that you see might evolve causing you to do that and the consequences. It would fall into a risk type analysis. DR. POJE: For the sake of hearing, everybody please stand when they issue their questions just so everybody can hear it. Fred? DR. MILLAR: Either Adrian or Dan, could you say anything about whether when you were doing your identification of sensitive systems in the plant, did you find it necessary to get some help in terms of outside auditors or whatever to avoid complacency? MR. DALEY: Basically for OxyChem, I guess if you went back maybe as much as two and a half years, some internal audits were done in our plants. People tended to focus on things that they thought were going to fail. They looked at PLCs and DCS's. Then we brought in a couple consultants who were named as specialists in Y2K, and they did inventories. And we found in both plants that we did the pilots in, we found a 10:1 ratio. We found that they identified 10 times as many devices as we had identified. DR. POJE: Norm? MR. DEAN: I am interested more broadly in whether there is the likelihood of some key national shortage of components or parts or systems that will be needed for contingency plans. One that came up in a discussion that I had with some folks yesterday was back-up power generators. Almost everyone's contingency plan that I have seen includes the need for backup power generation, but I was told that there is now a two-year back order for industrial or commercial grade power generators. Do you see that as an issue or other key components or materials that may present a problem because of shortages? MR. DALEY: Certainly as people start moving toward the key dates, there are things that could fall in that category. I think the most important thing -- and to go back -- in one of the questions we were talking about the event. I think the thing is that focusing on the event may be a kind of a misnomer or a problem. For each plant, our focus is to identify all the systems and to find out which ones are likely remaining problems. It doesn't matter if it is control systems, IT systems, or if it is those external relationships. Ultimately, we have all the major utilities for our plants listed as a key critical vendor, and we are in the process of trying to identify and articulate if in fact they will be reliable sources. One of the problems that we are having is certainly finding out if in fact they are going to be reliable sources. To answer your question, are there going to be a shortage of electrical generators? There is going to be probably a shortage if, in fact, the electrical distribution networks in the United States are not reliable. On the other hand, if they are reliable, I think things will be fine. MR. SEPEDA: You also might need to look at what are you going to try to do with that. If you are going to try to buy enough portable electric generators to run a chlorine plant, you are not going to make it. So the severance of some key suppliers will automatically drive you further down that contingency planning level. You don't have to go to step one if you lose electrical power in a chlorine plant. You are already at step two. So you've got to be judicious in trying to apply what might be some of your back-up systems, recognizing that you can't continue to run your plant under some conditions. DR. POJE: Irv? DR. ROSENTHAL: I have a couple of issues. First of all, it sounds like a lot of what you are worrying about are a shut-off of infrastructure, right? Supply of electricity. But that occurs now. Isn't that already covered in your normal disaster plan? That is issue one. I have a second one and then you can respond to it. MR. DALEY: Only two issues. DR. ROSENTHAL: The second issue is I would really like to learn what have you found that is specific to disastrous failures: not shutdowns in production, not failure to deliver. Rather, I am interested in disastrous outcomes as a result of Y2K problems -- not normal shutdowns and not the normal infrastructure which your plant has to deal with at the present anyway. Those are the two issues. MR. DALEY: Okay. I will answer your second one first because I remember it. We have found situations, and there are situations with some of the older operator consoles for DCSs that effectively will go to a black screen. The date turns over and there is nothing in front of you. The question is does that produce a disastrous situation? Well, to a person who is not familiar with plants, that may appear to be that way. But on the other hand, I have worked in plants where effectively we have had an outage to the power system to our controllers and we have managed to continue for some period of time operating the plant. Okay? So it is not automatic that some of the most horrendous type of failures may not lead to disastrous situations. Clearly, we don't want that to happen. But I don't think there is a direct relationship between even the things that we have found so far that appear to be very, very significant and a one to one relationship with a catastrophic type of failure. DR. ROSENTHAL: So in other words, you haven't identified any catastrophic failures just as a result of a Y2K failure. MR. DALEY: No. The other question is about the continuity of electrical distribution. Yes, we have that all the time, and we have contingency plans to deal with it. On the other hand, I am going to be asked by my management to give them an appraisal of the likelihood that each plant will survive. Part of that is being able to identify the survivability of those infrastructure items. Clearly my answer to them is going to be different if the electrical utility has a 10 percent chance of survival or a 90 percent chance of survival. So it is important to me to know that. Because we will make different decisions in terms of how we are dealing with things if we think that the electrical utility and the grid, the overall grid, is going to survive versus if it is going to fail. DR. POJE: Two more questions. Jim Makris? MR. MAKRIS: Thank you, Jerry. I think what you have just said stimulated, as often happens from Irv's questions, is that we are incredibly interdependent here. You know, you could spend an awful lot of time and money worrying about contingency planning, and you have got to do that. It is a critical thing. We are canceling leave at the federal level in several agencies -- FEMA, EPA and others for emergency workers and I suspect you are going to be doing the same thing. But, you really have to focus on the part of the problem that OxyChem can solve and work closely with the parts of the problem that the electric grid and the water systems will solve, but not try to presume that with your participation with them that we can keep that functioning. If, as you said a moment ago, your bosses are going to be asking you more questions and they are going to be more intense about the availability of everything at all of your plants at a time later in the year, right? And I can just see this enormous pressure in September or October where you cannot answer every question that you have thought about, and suddenly people are going to say go out and buy it. And it is going to be exactly what John Koskinen talked about this morning. We are going to create our own problem. We are going to create our own shortages. We are going to create our own issues. So what I think is really important is that you do as you have done here. Look closely inside your organization and provide as much help as you can to the infrastructure for its support, but let it take the lead in looking inside its organization. DR. POJE: One more question. Mark? MR. FRAUTSCHI: I wanted to ask Adrian if the contingency plans included looking far outside the organization to the level of individual families which may experience technological disruptions or social disruptions. Basically is there anything that could interfere with workers coming to work or once they are at work that their home concerns would be far enough in the background that they can focus on the very difficult facility tasks that may be at hand during that critical period? MR. SEPEDA: Yes. There is a section on that in our contingency planning. We also had consultants work with us on contingency planning, and there is a section in the contingency planning process that addresses the individual worker's concerns for his home life. Just as in our Gulf Coast facilities hurricane emergency plans there are sections in there that address worker viability to either be at the location or at least recognize the worker's concerns for his family's safety and security when a hurricane comes in. It is going to be important that the worker feel comfortable enough to do his or her job at the facility and that you prearrange scheduling, as it was mentioned before -- at the end of the year. A lot of folks are going to want to be having a party, but you've got to start working on that now to make sure that they are comfortable in being at the facility, and that they feel comfortable that their families are taken care of so that they can be effective on the job. There is a section on that. DR. POJE: The group has many more questions, but time is short. I am keeping an inventory of who I have called on to equitably distribute questions. Adrian and Dan are here for the rest of the day, so please engage them informally with any additional questions about the OxyChem activity. Now we would like to hear from Jordan Corn from Rohm & Haas on how a different company with a different line of products and a different suite of industrial processes is coping with the Y2K issue. MR. CORN: I wanted to start out with a 20-second story here. While my 15-month-old daughter was shoveling scrambled eggs down her mouth this morning, I asked her if we are we going to have a Y2K catastrophe. She looked at me very seriously and said, "No." So I said, well, are we just going to sail through. And she said, "No." Now, of course, she says no to everything. My third question was, well, since there won't be a catastrophe, can we just sort of stop working on what we are doing, and she said, "No." Now I should have stopped while I was ahead, but I went to one more question and I said, Jillian, do you know what you are talking about, and she said, "No." That said, very briefly what I would like to cover is just a few comments about basic chemical process safety and then the implications of Year 2000 on basic process safety, an overview of the program that we are following for our manufacturing systems, what we found to date, and then one final layer of protection that I would like to briefly mention. Starting with process safety, this material is not just applicable to Rohm & Haas. This is just good industry practice. When you design a chemical plant, you assume that any physical device can and eventually will fail. That can be a valve. It can be a pump. It can be a control system. Or, it can be your electrical utility. Your systems have to be designed to be able to withstand these failures. And so to do that, you build multiple layers of protection. There is basic equipment protection. There is some protection your basic control architecture provides. There are some guidelines for fail-safe design. You have operators and engineers to help achieve safety, and you have administrative features that help you. And clearly the closer you get to basic equipment, the more robust your design needs to be. If you look at typical basic equipment within a chemical plant, you are usually talking about tanks with ability to stir material, transfer it, and load it in, and requirements state that every device you have has the ability to be started and stopped locally. So even if your control system goes completely away, you are supposed to be able to bring your system to a safe state. You have also got the ability to manually shut off or shut down any vessel so that you can make sure that that material can't get in or out of it, and then we have got pressure relief devices, which you certainly hope you are not going to have to exercise, but if you do, at least save you from anything catastrophic. Basic control systems start out with the field equipment, and then above it typically you will have some hard-wired intersafety locks. These are designed to bring your plant to a safe state regardless of the state of your control system, regardless of the state of anything else going on in the plant, and they are usually pretty impervious to dates or to anything, since they are generally just electromechanical or pneumatic. Moving up the layers of safety, you typically have a PLC or a DCS control system, and this gets back to the point OxyChem's experts made. This is really where you have to start your Year 2000 work, and you have got to make sure that those things are okay, but they are designed to handle some process safety and a lot of the operation in your plant. Normally above that, you have a distributed control system or a personal computer, and you are supposed to be designed so that if that fails, your plant can still operate or shutdown safely, and certainly as we are moving up here, the more reliance there is on date. Now in the case of Rohm & Haas, we invariably isolate between are supervisory controls systems and our corporate networks, and that says that faulty transmissions back and forth should not happen ever. If anything down here fails, the remainder of your company network is okay, and if anything up here fails, your control system is okay. Now everything I have said so far is independent of the Year 2000. Additionally, every piece of that architecture that I just defined is designed so that it fails safely. You fail with your cooling system still in operation. Your valves are set so that they are powered to the state -- they are not powered in the state that you want them to fail to. So if power fails, cooling valves stay open and material distribution valves stay closed. By doing that, you have got your facility set up to survive the loss, not just of power, but by following good design practices, also the failure of any single device, any other utility and even water. I will come back to that on the next slide just briefly. Additionally, every system that you install is subject to formal design reviews, and those include hazard operability studies and failure modes and effects analyses. I would single out that one for attention because that is where you go through the plant piece of equipment by piece of equipment and say if this fails, what do I do. Now given that this whole design is geared around safe start-up and safe shutdown, why am I saying all this and what are the implications for the Year 2000. Well, probably the single biggest implication, and OxyChem's engineers already mentioned this, is that these systems are typically designed to deal with single failures -- you lose electricity, you lose a device, you lose a control system, you lose power. The big issue with the Year 2000 is that what happens if you have multiple failures -- multiple control failures, multiple utility failures, a mix of the two. And that is kind of the area that we are engaged in now. Our view of it is that safe design and a good Year 2000 program will provide you with good protection against most of this. However, as I think this was pointed out in the previous discussion, our greatest exposure is unquestionably in the utility failures, and it is also the area where we can probably do the least. We can try to work with the suppliers, but that doesn't necessarily help them get done. So what we have done is that we have focused on the equipment and the systems that we have to make sure we won't get in trouble. Rohm & Haas has identified a corporate policy that I won't read hear but essentially we have said that as a company it is our job to identify and correct all of our potential Year 2000 problems -- regardless of where they are throughout the company. To do that, we have divided our scope into eight key areas, and basically we have got some IT issues, we have got supply chain issues, and then we have got the places where you have got the embedded systems, the process control issues, and most of the process safety issues. These are the areas that I will talk about for the remainder of my 20 minutes here. We divided manufacturing systems into two classes. The first includes process control systems and the second includes other physical systems. I will come back and describe what the difference is between the two and the rationale for that division. There is a similar approach for each of the classes of equipment, but there are some slightly different requirements within that approach for the different types of systems. Both of these efforts are coordinated by the same group, and that group really means me and the people who work for me. I am based in our corporate engineering division, and I have got at this point a dotted line to the person who has Year 2000 responsibility for the entire company. Let me discuss a little bit first about control systems, and then I will come back and talk about physical systems. We define control systems as the computer based equipment that directly controls the manufacture of chemicals, and these include typical process control systems: distributed control systems, programmable logic controllers, PCs, anything that you bought as a single utility, like perhaps a waste treatment system that you plug in and go. Really this includes anything that product or effluent or raw materials would pass through. That is purchased equipment containing computers. We excluded pneumatic and electromechanical control because those things do not have date dependencies and they typically do not have chips in them. Physical systems were defined as other physical plant equipment used in the manufacturing process, anything that distributes your raw materials to where they reside prior to coming into your process stream, including monitoring systems like vibration analysis equipment, any test equipment you might have, laboratory analytical equipment, some waste treatment systems -- and yes, there is a fuzzy line there between what is process control and what is another physical system. It also includes other physical equipment necessary to insure the uninterrupted operation of the plant. That is where you get into perimeter security systems, making sure that people can get in or out of the plant, or at least have a contingency plan if they can't, any other security systems like cameras, more importantly fire detection and suppression systems and HVAC systems. And in fact, we distributed a list to our sites of approximately 60 or 70 different classes of equipment that they needed to look at. Why did we separate categories this way? A lot of it has to do with how we started. We got started on this back in early 1997, and certainly much less was known about the problem at that point than is today. And we originally chose to focus on control systems for a handful of reasons, and this still prevails to this date. This is your highest degree of risk within your process operation. All of your operators' view of the process comes from here. All of your control of the process comes from here. Your sequences originate here. Your data is acquired here. Your products are kicked off here. If that thing goes, you are out of production. You may be able to shut down safely, and in fact you will be able to, but if it goes, you are going to lose material and we didn't want that. Second, we were an engineering group. We had a strong central understanding of these systems. Most of them were put in by the central engineering group. And that allowed us some leverage with the suppliers we use. We only use a handful of suppliers for most of this equipment; not all of it, but most of it. And that gave us good access to those suppliers and to the information they had, more than just the pro-forma exchange of letters that says we are working on it. We really want to know what is the status of this equipment. We also felt that a consistent approach was required for these critical systems. Anything that touched the process in making chemicals had to be approached in a common format. Our original intent was to let sites manage other physical equipment independently because the range of equipment was substantially more diverse, a lot of that equipment was selected and installed locally, and from a central standpoint, we didn't know quite as much about it. We should have listened to OxyChem's talk about a year ago. Because what we found was that the different sites took very different approaches with these other physical systems. Some of them, not knowing any better, reported them in with process control systems. Others reported them in with their infrastructure and IT issues. Some reported directly to the company's Y2K manager. Some kept great records but didn't report anything because they didn't know what they were supposed to do. And so we found, I guess going back about six months now, that there would be substantial benefit in centrally coordinating that process. That is one of the first things that we will admit that we should have done right up front that we did wrong. We should have coordinated that right up front from a central group. By doing that, we have created better communication and information sharing. We have imposed some more uniform guidelines on those systems. And perhaps most importantly, we get a good corporate view of what is happening at each site. And, we get the ability to report that up to our management to understand the issues at each site and to know what it is that is on their critical paths. For control systems, we defined what we called a five-tier safety net. You will see that this is a mix of system analysis and remediation and also the roots of contingency planning. We asked sites to obtain vendor certification of every process control component that they had, whether it was a Programmable Logic Controller (PLC), a PC, a Distributed Control System (DCS), a computer used in control, one of these package systems that they bought. We then have asked them to test every operating system. Many of the companies we share information with are not in a position to be able to do this. We are because just about all of our processes are batched, and they have got some schedule time where they can shut down, roll the date ahead and do a test. Without getting into too much detail, what we asked them to do is demonstrate that their systems will successfully roll through midnight and then demonstrate that they can make material following midnight. We also asked them, and this goes back almost a year now, if they intended to operate through midnight, they needed to demonstrate that their control equipment would allow them to do that. Now I will come back and say some more about that a little bit later. The third level of the safety net is we told them to analyze their code for dates where critical. We went out ahead as we started this program, talked to a number of the people who had written code for us both internally and externally, and all of them said we didn't use dates. We had a number of systems scanned for dates and found none in any control equipment. Data acquisition obviously is a separate story. Reporting and logging is separate. But in just making the chemicals, we found no occurrences of date. So instead of trying to analyze everything, we defined a threshold of criticality based on a hazard index for the site, based on the number of other systems within the company that the unit supplies, and based on whether there was any likelihood at all that they might use dates. And if any of those three thresholds were cleared, code analysis was required. We were not too specific on how to do that. One of the things we will be doing next year is going back and providing better tools for people who want to do that. To this date, we have yet to find an application where somebody used a date. Now that doesn't mean we haven't found systems with problems. But we have yet to find anything where we added a problem to what the vendor provided us. I show a dotted line because the last two elements here are really the beginning of contingency planning. They are not part of the assessment or repair of systems. The first is we have told every site that they are going to have to arrange technical coverage through and beyond midnight. We have already recognized that people will have to be on site. The sites we have talked to, we have run into a number of engineers who fully expect that they will not be drinking champagne, so they won't be contributing to the champagne shortage and they know they have got to be there. And lastly, we have asked each site to identify how they handle upsets and how they shut down their plant in the event of an emergency, and we are collecting all of that and recording it, and we also asked them when and how often they test that and how often they have to respond to upsets in their units. So the theory is that if something gets through these layers and gets remediated and retested and still doesn't work, we are prepared to deal with it if it has a problem and we are prepared to shut down in the event that it has a worse problem. In terms of the documentation that we have kept, our sites have submitted inventories of their control systems. We have got about 40 sites worldwide. We have a mixed data base of control and physical systems. We have in the vicinity of 1200 identified control systems. And again, I keep saying that there is a gray area between the two, but that should give you some sense of the magnitude for that. Testing -- as each site tests their systems, we check it off. Actually, they check it off and report to us that they have done it and report the details of the test. We are collecting the upset handling procedures that I discussed previously. And we are asking sites to tell us of their remediation requirements and also to tell what they have spent and us when the remediation is done. And, we have each site certified that they would either face acceptable risk, or they know what they have to do to get there and when they have done that they will have to recertify. One thing that should be clear from all this is that we have very clearly placed this responsibility on the sites. I think is the right thing to do because they know the equipment they have, they know the criticality of it, they know how they can respond to it, they are the ones who go through the drills, and they are the ones who deal with the upsets every day. There are things we have left to do. We need to complete contingency planning. We are talking about a framework of it. We recognize that it will be hierarchical, ranging from devices to production units, meaning a segment within a plant to plant, and then you have sort of got suppliers and customers off on the side. Then you get up to business. But really at this point we are just starting that. We have been focusing on the bottom level of it, which is what are sites going to do to respond to emergencies. We also have to get sites to complete their transition and staffing plans. We felt it was really too early to do that when we put this program out early this year. Because at that point, sites really didn't know whether they would be running or how big a problem they might be facing. And lastly, as I already mentioned, at the end of everything we are going to have the site managers certify that they believe that the risk they face is acceptable. I mentioned that the requirements for other physical systems are a bit different and I will talk through that quickly. Again, an instrument is required. OxyChem referred to triage. We have asked our sites to write the criticality of these systems, and in a fine demonstration of sharing information, we borrowed a good ranking system directly from Merck, which uses five scales ranging from critical to irrelevant. Critical would be something like an analyzer that you cannot ship a product without or an environmental monitoring system that if it doesn't run, you must shut down. In other words, anything where there is an imminent risk to product to safety or to equipment or health. And irrelevant at the other end would be something like a wall clock. So there are five levels in-between there. We then asked for each piece of equipment for the sites to outline what they felt the appropriate assessment techniques were, and the ones we recommended were vendor certification, testing, code analysis and anything else they could think of. The reason we couldn't prescribe it is because the spread is much more diverse than it is for process control systems. In some of this equipment, you may have a date but you can't set it. In some of it, it may just be impossible to test it. In some of it, it may not be critical enough that anything beyond vendor certification is necessary. For example, we have one plant who has an analyzer and they say we have got vendor information on it, but the vendor tells us it fails. They don't tell us how it fails, but we have a second one. So if it fails and it is catastrophic, we just won't use it. It will have some minimal impact on productivity, but we don't really care. Then we asked them to determine and implement their remediation requirements. We asked them to report all of the above and then to go back and determine their approach for less critical items. And by less critical, we are really down to the things that have a minimal impact on production. So we are going after the things that will have a major impact first. So what are our findings? And this gets to Irv's question in the previous session. So far in control systems, we have yet to find a failure that the vendor didn't report. We went into this guessing that the vendors would probably be the best source of information for control systems, and that was all just based on our thought process saying, hey, if we find problems, what are we going to do. We are going to go to the vendor. So the vendor is probably going to be logging these and tracking them. And as the months have gone by, we have found that to be more and more the case. There are reports of anywhere initially up to 3 percent of vendor information being incorrect. And what that says is you have to go back and recheck it, and we do that. We went out ahead for the central vendors that we have the most equipment from, built links to their sites or got their information, and we periodically go back and recheck it or someone at a site goes and checks it and says, hey, this information has changed and you better update it and do something about it. Now we are hearing numbers under 1 percent in terms of information from vendors that turns out to require reclassification. What is the use of dates? We have found -- I already mentioned this -- limited to data acquisition and reporting. We have yet to find one in the direct manufacture of chemicals. Generally we find our old control systems do require upgrades. That will be for various reasons. Often it will be more the open computer component. Not the part that actually runs the plant, but the part where the operator has got their window to the process or the part that you use to configure the system, and those tend to run more on off-the-shelf equipment. Those tend to need upgrading. We have found -- and this has not been true of all of our peer companies -- we have found our vendors to be generally cooperative. Maybe it is because we chose the right ones, or maybe it is because we have just been lucky. But by and large, we have had good fortune with our vendors. To date, we have found only one catastrophic control system failure, and let me qualify that a bit. Catastrophic meaning that the control system itself went to an unpredictable state from which you could not recover. The process could still have been shutdown safely, but the control system itself was rendered completely inoperative. I won't mention the vendor's name, but basically that was in a lab test. It was erratically reproducible. So sometimes it happened and sometimes it didn't depending on the configuration. Needless to say, the production one is being replaced. A question -- yes? MR. SUSIL: Just to clarify. So on that previous slide, your definition of catastrophic failure was that the system just wouldn't operate, not that it would have lead to a release and all of that sort of thing. MR. CORN: That is correct. MR. SUSIL: Okay. MR. CORN: That is probably a poor choice of word. There was one control system failure that locked the system and rendered it inoperable. Good question though. With other physical systems, we are typically finding -- when I wrote this slide, it was 5 to 7 percent required remediation. It is probably closer to the 7 percent side requiring remediation, and usually what that involves is replacement of computers within systems. If you get an analyzer, it has got to read out on a computer. If the PC itself has a problem, the analytical equipment may or may not. Very few of them turn out to be critical. We have found no catastrophic failures yet. That doesn't mean there aren't any. We are still working through this. But we just haven't found any at this point. Many of the identified failures have reasonably straightforward workarounds. And one thing I think we are going to have to do next year is get into some sort of tagging procedure for the devices where a workaround is required. This includes: manual reset of the data after 1/1/00, elimination of the systems, like that analyzer I mentioned earlier, manual intervention, again where you have to either reset a date or when you file something make a note on it that says the date on this is incorrect. And there are a number of cases where you can just do nothing. We do have some systems that will fail, but all they will do is report an incorrect date. The information is transient. It is used and gotten rid of. And the question is why do anything about it. It is not like we keep it for records and we don't submit it with products. So in some cases, we are saying it is okay to do nothing. My final comment is it is our opinion that most of the major problems that will occur will occur while a plant is running. And we have believed from the beginning that shutting down operations through the millennium is a prudent precaution. We are very close to -- we don't have it yet, but we are very close to having a statement from the president of our company that it will be company policy to shut down operations. Now I know once we put that stake in the ground there will be some pushback. There will be some people who say it will be safer for us to run than to shut down and restart. Our position will be you will be down unless you give us an extensive plan for how you are going to run and cover and you get the explicit authorization of the president, who has set this policy. That is all I have. I was almost 20 minutes. DR. POJE: Yes. Thank you very much. Sam? DR. MANAN: I have so many questions, I don't know where to start. But I will start by saying that we must laud the efforts of OxyChem and Rohm & Haas in doing all these prudent things. One of the questions I have is that these are only two companies and there are a host of other companies small and large. In your opinion, what percent of the companies are doing something similar to that? And secondly, what percent of the problems are you catching? That is one part of the question. The other part is I realize that you are saying that not running the plant during the Y2K cycle is a prudent initiative. That could very well be true. But on the other hand, I feel that human factors is a big issue that we haven't yet addressed. And starting of the plant later on, if you look at the Seattle explosion, it happened during start-up. So have you factored those in? And if you are talking about putting extra people during the Y2K cycle, again human factors is an issue. So I would like for you to address these two issues if you can. MR. CORN: Sure. The first one I can answer for large companies -- and Occidental, feel free to contribute to this. We share information with as best as I can tell somewhere between 40 and 50 large companies. I am currently involved in three information exchange groups. One is the Chemical Manufacturers' Association (CMA), one is the Chemical Information Technology Association, and the other is a branch of the World Batch Forum dealing specifically with Year 2000. All of those companies have active programs that are similar to either what you saw with Occidental or what you saw with us. They are all doing the work they need to do in my opinion. They are all doing it differently, but with similar frameworks in place. I can't speak for the companies that we don't exchange information with. The one pattern I can state is that if I look at the companies we do share information with, most of them are large. And from that I can conclude reasonably well, I think, that large companies are doing what they need to do. I really can't draw a conclusion about small companies. MR. DALEY: Basically I think our information reflects what Jordan is saying. The kind of feedback that we have gotten, and it is not explicit, is that smaller companies are having a harder time of it. So basically in terms of support needed to help companies, it is probably something that would be packaged for companies that maybe don't have full-time IT people or full-time control systems people and need help getting through a program. MR. CORN: Regarding the second question about shutting down through midnight. Is that safe or what risks do you run in restart? I did mention that most of our facilities are batched. And as batch operations, most of them go through routine shutdowns and start-ups. I have a semantic debate with a friend of mine as to whether stopping between batches and restarting constitutes a shutdown. He claims it does and I say it doesn't. But in all seriousness, the fact that they are constantly introducing different chemicals and they are constantly going through idle states says it shouldn't be that big a risk. I expect the pushback will come from the continuously operating units, the ones that typically run for six months or a year. We do not have any units that run for years on end. So every one of our units does at least shut down once during the year, which says we have got a history of doing it and supposedly we know how to do it. And again, that is something that I have got to rely on the inherent design of the plant, the training of the operators, and the ability to do that. Regarding the personal factors of having people around and staffing, that is something we still have to address. And I think one thing we are going to have to do is accelerate the time frame in which we tell plants you have got to get your support figured out. We were thinking third quarter and it might need to be earlier. DR. POJE: Paul? MR. HUNTER: I have two comments. One concerns the actual trusting of vendor certification. I think I heard a stronger trust in the first presentation than the second. And I just want to put out a cautionary note. In other sectors, in health care and transportation, we have had witnesses, technical people not management, come before us and say they have had vendor certification and then they have ran a test and the device failed: sometimes in a nonrecoverable way and sometimes in a nuisance way. But in one life critical medical technology, the device failed and was not recovered. So I would caution the whole group about vendor certification as a means of testing. It is certainly something you would like to obtain, but if it is a critical device or life safety device or an environmental safety device, I would strongly recommend that it be certified independently. The second was something I didn't hear in terms of contingency plans for global corporations. You may be aware that the Senate committee has asked the administration to try to do something about a worldwide alert system to track effects around the world in the different time zones as the time clicks by and we go midnight to midnight. It occurred to me sitting here that with global situations, you may not be running the same process or developing the same product, but you probably have similar technology and you can take advantages. And even if your leading edge companies are having problems, at least your ones that are going to hit the date later on in the day can take appropriate contingency actions. So I think for global corporations, that is an important contingency item. MR. CORN: I would point out that we haven't done anything formal there, but we have so far identified the key sites we would want to look at for that, and I think we will do something in that field. MR. DALEY: One comment I would make. You had mentioned our reliance on testing. And I tried to underline the point that it is testing -- or it is vendor certification based on testing. And I had mentioned going back to like the Semitech test or some standard testing. Clearly we have got a lot of certification early on in which vendors said that they were compliant but they didn't reply back and identify what kind of test they used to certify their device. Clearly if a vendor has tested it, and they can show results that they have tested it, then that is something that I don't think we need to duplicate. MR. HUNTER: Yes, I would agree. I think it goes back to the old Reagan dictum of trust but verify. Just don't take a piece of paper. DR. POJE: Mike Sprinker? MR. SPRINKER: Actually one of the things I didn't hear specifically addressed was the whole issue of worker communication and worker involvement as a policy that is actually enforced at the various plant sites. We have members in various multinational companies, and it is always amazing the differences that exist at times between what corporate policy is and what really happens at each individual plant. I think this may be particularly important here. Different plants may make decisions to get around problems, both in testing and when the actual event occurs in different ways. And, unless the workers have some real input, they may say, "Wait a minute, we can't be out there looking if the screen goes blank. We don't have enough people there to be able to communicate what is going on at different tanks and different levels. If you have got tanks that are dual-use tanks where you could end up with product or incompatible product going in at the same time." So I am wondering what happens there? And also, how do you handle the whole issues of potential problems during actual tests on your processes and on Occidental's processes? Because it seems to me that would fall into the -- certainly the OSHA mandate, the management of change issues, and maybe more. Has that been formally worked on? MR. CORN: Well, let me see if I can remember both questions. The first one, how do we make sure what is happening at sites is reasonably standard and that the workers are involved and that there aren't sort of things going on that are counter to the program or that we don't know about or issues not getting surfaced. We are engaged in a program of going to every site in North America and probably every site in Europe and then representative sites in the Asia Pacific region and in our Latin America region to do interviews. I hesitate to call them audits, because what we really do is focus on what are you doing with this program, who is involved, what are they doing, what have you found, and how are you executing it. To date we have been to I think 10 sites. So we have got a mechanism in place where we are trying to deal with that. Another way we deal with it is we have got centralized reporting and we are in frequent contact with the sites, both through e-mail and teleconference. And is there a possibility that an issue like that happens where one site does something slightly different? Yes. But between site visits, contact, and we will do some form of formal auditing next year, I think we are going to catch most of it. And again, layering this onto the very minimal number of critical problems that we found and the fact that we are not going to be running, I don't think we have got a major risk factor. MR. SPRINKER: But when you say you are in contact with the sites, is that merely with plant management and engineering staff and all, or is it actually some discussion with the actual plant operators and maintenance folks and so on, which is a key issue? MR. CORN: It is generally with management and engineering. But those people -- the engineers are the ones who are going to be on staff during the transition. MR. SPRINKER: You mean you are not going to have any hourly people on staff? MR. CORN: Well, we are going to have hourly. I grant that is something we probably ought to do more of. MR. SPRINKER: Yes, I think so. MR. KURLAND: Can I add to that a little bit? I am from the same company. In addition to being the company's Year 2000 lawyer, I turned out to be the company's OSHA lawyer and environmental lawyer as well. So all these seemingly divergent parts of my job are really converging here. But many of our sites are OSHA VPP sites, and that mandates worker involvement. Also, if Year 2000 issues at the plants are going to require some unusual action beyond normal standard operating procedure, you've got to go through management of change. To go through management of change, you need a Haz Op and you need a safety review and procedures say you've got to have workers involved. You can't do that without worker involvement. So normal management of change and safety reviews at the plants require that hourly workers and employees and operators be involved in those activities if it is something outside of standard operating procedure. And if it is an SOP, then it has been developed with worker input. MR. CORN: There was a second part to that about testing. Should I answer it? DR. POJE: I would prefer to have more people asking their questions. Steve, you have one? MR. VIEDERMAN: I have two generic ones again. Koskinen noted the importance of transparency in all of this to avoid problems if nothing does occur. And I am concerned that I have heard very little about how, when, and with whom the companies are dealing with communities. At the Noyes Foundation, we work with communities of color, poor communities. Talking to the mayor is not necessarily sufficient. The people we are talking to are trying to get information and are not getting it. And I think that the whole question, if we are coming up with recommendations at the end of this, the whole question of the periodicity and with whom you talk in the communities is going to be very important if we are going to avoid problems. Secondly, the question of testing still concerns me. And I am not an engineer. I have been looking at the banking industry or finance industry for things and they are all saying they will be compliant at the end of the year and they start their testing in January. The point is made that all banks are now operating their systems at about 95 percent capacity. So it is hard to test the system when it is already operating like that. Then there is the question that I haven't heard about the linkages between your systems and systems of other companies with whom you are in regular contact. We know the story of the Union Pacific/Southern Pacific merger where now it is two years down the line and they are still not talking to each other by computer. So it strikes me that we are dealing with systems of systems, and what I hear you talking about is testing devices, and that is worrisome. MR. CORN: Dave, you might want to talk about the community issues. I will be glad to talk about the testing ones. MR. KURLAND: Yes. Briefly on community issues -- although my company has got a Website, some of the folks you are dealing with might not have access to that. All of our plants have community advisory counsels. They usually include LEPCs and representatives of the communities, the fence-line neighbors, business leaders in the community. So there is a mechanism there if those community leaders have questions about the plant or the company's Year 2000 status, the Community Advisory Panel (CAP) is one avenue. The