DISC PD2000-3 DISC Logo - Understanding the Century Date Change Problem

© British Standards Institution 1998

1 UNDERSTANDING THE CENTURY DATE-CHANGE PROBLEM

WHY ALL THE FUSS?

You’ve probably seen a lot of articles on the "Year 2000 problem" or the "Millennium Bomb" in the trade and national press and you may have caught occasional programmes on the radio and television. So what’s all the fuss abo ut?

Today, virtually every business employing more than a few people, every service we rely on (electricity, gas, water, telephones) and a great deal of the equipment we use (in factories, laboratories and hospitals) depends on computer programs and comput er chips. The logic in many of these uses dates and that logic is likely to fail either on the 1st of January 2000 or as we approach the new century.

When the logic fails, so does the process on which we depend.

In other words, much of the fabric of our society is in danger of suffering interruption, disruption or, in some cases, total breakdown, unless we take corrective action and do so NOW. That is what the fuss is all about.

MY BUSINESS IS RELATIVELY SMALL; WHY SHOULD I BE CONCERNED?

Small businesses generally have a smaller problem to deal with than large businesses in an absolute sense but not in proportion to their size and capacity to deal with it. The expense and effort in resolving the problem will probabl y hurt businesses of all sizes just as much. Nor is it true that small businesses have much more time to deal with the problem, even if their task is relatively smaller. There are two main reasons for this.

Firstly, since the problem represents a risk to all businesses, organisations such as banks, credit agencies, insurance companies and regulation agencies (HSE, Data Privacy, etc) are already re-assessing the risk businesses such as yours may represent to them and they won’t be waiting until the last minute to act on their findings. Customers also need to ensure that suppliers won’t let them down and, indeed, some of your customers may already have written to you on this matter. If you cannot satisfy th em that you are tackling the problem seriously, they will start to seek alternative sources of supply.

Secondly, you may well need outside help to tackle the problem. Most do and they all need it in the same timescale (the next 18 months) from the same limited pool of skilled people. We can already see that there will not be enough such people to go rou nd, so businesses tackling the problem late will inevitably pay more or indeed, find that there are no suitably skilled people available at all.

 WHAT EXACTLY IS THE PROBLEM?

The fundamental problem you must understand is that your business has been issued with a "Health Risk" warning. You can disregard it but it is unlikely that your business partners, customers or competitors will.

Your attitude to this challenge will affect, one way or another, the trading position of your business. There are both technical and trading relationship reasons for this assertion.

The technical reason is simple to explain but has wide-reaching implications. Nearly all computer and computer-chip based systems conventionally hold dates with just two digits to represent the year. Thus, 1998 is held as 98. The century is inferred an d assumed to be the 20th century. Thus 98 is assumed to

represent 1998. Unless remedial action is taken, the same logic may fail when we reach the first year of the next century, which will be represented as 00. This may be assumed to represent 1900.

Some very general consequences of this misinterpretation of dates, applied logically, rigorously and uncritically by machines, are as follows. Firstly, very few of the populace will have been born, so virtually all personal/personnel records must be in valid. Secondly, all permits and validity/security checks (e.g. for access or financial verification) will fail if they detect that they are being used before they were granted.

Thirdly, all processes that involve sorting (generally around a third of commercial processes) will produce results in the wrong sequence; aged debtor lists and schedules quite generally, for instance, won’t work.

Trading relationships are affected in two ways. Firstly, all businesses have dependencies on suppliers and customers and, since a general "Health Warning" has been issued, all businesses must be concerned as to whether their suppliers and customers wil l resolve the issue appropriately. Secondly, many of these relationships involve electronic transfer of information (orders, invoices, payments, etc) between the parties.

There are various solutions to the date-change problem but these must be compatible between any two parties if the information transfer is to continue to work. Testing that this is so can only take place, after remedial work has been completed on both sides; this is just one more reason for urgency now.

HOW FAR DOES THE PROBLEM EXTEND?

Both locally and globally, the problem has few boundaries and many concerns are outside the control of individual businesses. The need for time to establish confidence on this scale is yet another reason for action now.

All businesses depend to some extent on their local and national infrastructure. Organisations that supply power, other forms of fuel or energy, water, telecommunications and transport are no less affected than any other business. The consequences of a ny disruption of supply of any of these facilities must be considered on a contingency basis. Many businesses also depend on the public sector, If not as customers then for prompt VAT repayments, payment of sickness allowances, Customs clearance, etc. Eve n small businesses often rely on a high percentage of export trade. In such cases, they face the same risks but on an international scale and sometimes with countries less aware of the problem than the UK.

THE PROJECT MANAGEMENT PROBLEM

The prediction of increasingly scarce, suitably skilled human resources has already been made. Two further factors must be mentioned.

The first is that the process of remediation (see Section 2) involves examining computer-chip related. When potential points of failure have been established and remedial action carried out, there still remains the task of testing that all the remedies work and putting the changed processes back into production running again. These latter tasks are generally estimated to account for some 60% of the total effort involved.

It is natural to focus on what is needed to "fix" the problem. However, that work will count for nothing if revised/renewed IT systems and equipment cannot be tested and re-installed in good time. Businesses focusing schedules on "time to fix" alone may be missing the fact that that is the smaller part of the job.

Because resolving the problem is less a matter of technical skill than the ability to coordinate very many minor activities and deliver the results altogether on time, the key skill required is project management.

Unfortunately, this is an area in which IT in particular has a poor record to date.

THE PROBLEM OF TIME

Because of the immutable end-of-century deadline, date-change projects cannot be scheduled in the normal way, taking given resources and tasks to be completed and arriving at a completion date. Planning must start with the requi red delivery date and work back from there. Ideally, the latest completion date should be the end of 1998 or whatever earlier date will allow compliant systems to be proven over a full financial year.

If that is not feasible, then the earliest feasible completion date must be set as a target. The reason is not just to prove the compliance of systems in normal operation but also to allow for testing of interfaces between suppliers and customers. This work cannot even begin until both parties to transactions consider their systems to be compliant.

SUMMARY OF SECTION 1

The objective of this section is to enable you to understand the nature of the century date-change problem.

The most important aspects of this understanding are:

  1. The problem affects all businesses, including yours
  2. The problem affects not only IT systems (of all kinds) but also potentially plant and equipment, the products you manufacture/assemble and your business relationships
  3. You must allow for possible disruption of local, national and, if relevant, international infrastructure of various kinds.
  4. Compliance projects are much more complex and difficult to manage than they superficially appear.
  5. Time is of the essence; there is very little left

Given these points, you should understand why there is a "fuss" about the century date-change issue and also be persuaded that you need to act now. Sections 2 and 3 explain respectively what you should be doing and what sources of information and help are available to you. A definition of Year 2000 conformity (PD2000-1) and a code of practice for managing the problem, designed specifically for SMEs (PD2000-2), are both available from BSI.

2 WHAT DO I NEED TO DO?

First, ensure that you fully understand all aspects of the problem. Don’t fall into the common traps of thinking that this is just an IT problem or that your IT suppliers will deal with it for you. Section 1 will help you in thi s.

Then you must embark on the steps listed below.

APPOINT A YEAR 2000 MANAGER

You should appoint someone to have overall responsibility for your Year 2000 programme and that person

should be as senior as possible. The person must, for instance, have the authority to give Year 2000 work priority where necessary over any other projects within your business. If your business has a Board of Directors, then a suitable choice would be for the Managing or Financial Director to take overall responsibility, with a senior member of staff reporting directly to him/her managing the programme.

MOUNT AN AWARENESS PROGRAMME

The very first action of the Programme Manager should be to make everyone within the business aware of the problem. In a small business, this could be effected by means of a staff meeting; larger businesses should use whatever n ormal means they have of disseminating information to all staff. The messages conveyed should be that compliance is obligatory and top priority, that guarantees of compliance are required for all new purchases and that it is everyone’s job to think of all aspects of the business’s operations that could be affected and to bring anything they think of to the programme manager’s attention.

Regular follow-up meetings or other means of communication should be scheduled to report on progress.

PRIORITISE BUSINESS PROCESSES

The programme manager’s next job is to conduct an outline survey of business processes, consider which may be affected and prioritise them for attention according to the risk that their failure would represent to the business. T here may not be time or budget/resources to correct all business processes; the most critical ones must therefore be dealt with first. Also, there may be some processes where risk is minimal and investigation cost will be high, in which case the business may decide to take the risk. In between, there may be cases where risk and cost are high and value to the business is low, in which case the decision may be to scrap the process.

It is important that this step is properly informed at the highest level in the business and that the decisions are taken on a business, not a technical, basis.

CREATE AN INVENTORY

The next step is to create an inventory of all IT systems, equipment and products and chains of supply that may be affected.

Businesses must decide for themselves whether it is better to do this "across the board" or following the priorities set earlier. If an "across the board" approach to discovering inventory endangers ability to complete work on critical processes in tim e, then a staged approach to inventory will be preferable: take one process or set of processes at a time, in order of criticality, create an inventory for that and start on subsequent remedial stages, and start inventory on the next most critical process when time allows

UNDERTAKE AN IMPACT ANALYSIS

Once an inventory has been established, whether for a critical process or for the business as a whole, detailed investigation needs to be undertaken to establish where failures will occur and what their consequences will be. It is only at this point that the degree of risk and cost associated with any business process can be fully understood and thus a business decision made. It is thus also only at this point that a suitable plan for remediation (and a corresponding budget) can be created.

GATHER BACKGROUND FOR A REMEDIATION PLAN

A remediation plan for each (and eventually all) processes needs to be established. As background to this activity, sources of help (tools, advice and human resources) and sources of external risk (suppliers from whom you may re quire warranties, customers and sources of credit you may need to reassure) need to be investigated and inventoried if that has not already been done. These "inventories" need to be added to those of items/processes suspected to be affected that have alre ady been created.

A short list of all inventories, as follows, may help here.

Your IT programs developed in-house

Your IT hardware and its suppliers

Your IT software and its suppliers

IT tools, consultancy and services suppliers

Office equipment and buildings (and suppliers)

Manufacturing or other equipment and suppliers

Components of products you make (and their suppliers)

Engineering services suppliers

Suppliers of any other services you use, particularly where electronic interfaces (e.g. EDI) are involved

Other suppliers on whom you depend

Customers who depend on you

This may seem a daunting list but perhaps only because we have tried to make it complete. For smaller organizations, some items will not apply at all and others will individually involve very little work.

CREATE THE REMEDIATION PLAN

With risks and costs understood and possible remedies investigated, a remediation plan can be created. The plan should cover all business processes either initially or cumulatively as the previous steps for additional processes are completed. The broad possibilities for remediation in any one case are to scrap the item/process, to take some action to repair it or to replace it.

The most technically complex decision relates to ways of fixing programs developed in-house. This is discussed at some length in BSI PD2000-2 and so we will not discuss it here. General watchpoints are as follows:

  1. If an item/process will be expensive to remedy, time/resources are scarce and the item/process is not essential to the business, priority should be given to scrapping it.
  2. Where replacement/upgrade is the preferred option, progress on this option must be carefully monitored as part of the overall programme plan to ensure that the solution is implemented on time.
  3. In all critical cases, a contingency option should be planned and the time needed to fall back to it included in the plan.
  4. Dependencies between different items in the plan need to be carefully noted and tracked.

Because of the immovable Year 2000 deadline (or an earlier potential failure date in the case of some systems) Year 2000 projects should be scheduled back from the date when they must be ready. This may create resource conflicts that tend to force the scrap/fix/replace decision.

PROGRESSING THE PLAN

Clearly, the remediation plan should be carefully progressed. However, this must be stressed because of the probably very high number of individual items that will be subjected to change and which need to be re-instated in the w orking environment together.

This aspect of the programme will test the coordination skills of the best project managers.

TESTING THAT COMPLIANCE HAS BEEN ACHIEVED

When individual items/processes are believed to have been made compliant, it would be foolhardy not to test that that was true. Items/processes should be tested both individually and in conjunction with other items/processes wit h which they interact. Where software or equipment from external sources is claimed to be compliant, it may be dangerous to accept such claims without testing them for yourself or seeking independent confirmation. It would similarly be dangerous to assume that items/processes will pass tests immediately and not allow time for repeated testing in programme schedules.

IMPLEMENTATION/ROLL-OUT

It is important to recognize that putting back into production systems that have been fixed, upgraded or replaced can involve considerable time and effort. This must be allowed for when plans are created. Contingency plans shoul d be in place where deadlines are very tight.

SUMMARY OF SECTION 2

The purpose of this section has been to briefly describe the actions that need to be taken in a Year 2000 programme, based on the understanding of the problem provided in section 1.

There are a number of stages through which Year 2000 projects have to progress but we would like to emphasise here that Year 2000 projects are not characterised by excessive technical complexity and do not generally require great technical expertise or understanding; common sense, above all common business sense, should be a good guide. What is most usually underestimated is the degree of control required tocoordinate very many individually simple actions and the amount of time/effort needed for testin g and re-installing systems and equipment. Those points should be the focus of plans.

Organisations that have endeavoured to include standards in their companies’ business and IT strategies and policies will find their Year 2000 tasks correspondingly reduced. Where this has not been the case, the Year 2000 problem provides an opportunit y to start this practice; guidance is given in BSI PD0011. Some wider implications of the Year 2000 problem, such as legal admissibility from electronic records (BS7799, PD0008), are covered in other BSI documents. Organisations that make regular referenc e to standards in their work will have this documentation to hand.

Various other sources of help of one kind or another are available, albeit some at a price, and business and IT managers should not feel that they need to carry the burden alone. Sources of help and advice are the subject of section 3.

3 SOURCES OF HELP

Where can you obtain help in resolving the Year 2000 issue for your business? This section is designed to answer that question, on the assumption that you have an understanding of the problem based on reading section 1 and an aw areness of the project steps based on section 2.

WHAT KIND OF HELP?

Most organisations that have been working on the problem for some time have opted to divert their own staff to do much of the work. It is therefore probable that you will want to do the same. A lot of the work involved is mundan e, repetitious and boring, so you may need to create some incentives to get the work done. However, if staff levels are low or staff cannot easily be diverted from existing jobs, then you may need some extra "warm bodies" on a temporary basis.

That apart, there are five possible areas in which you may need specialist expertise, as follows:

1 Year 2000 consultancy advice, to check or help set up your initial plans and, perhaps, periodically check progress and trouble-shoot.

2 Specialised IT expertise, if you have little or none in-house 3 Specialised engineering expertise, to check/modify equipment 4 Legal advice to determine:

(a) your potential rights and liabilities under contracts into which you have already entered

(b) the position you should adopt in relation to contracts you negotiate from now on

(c) how to reply to compliance questionnaires you may receive

(d) what enquiries you should make of your suppliers

  1. what steps you should consider taking now to protect your position You may already have sources for all of these which you use occasionally. If so, they may be the best sources for you to use in that they will already understand the relevant aspect of your business. You should, however, check that they have a good understanding of the year 2000 problem specifically.

Whatever tasks you decide to have carried out externally, you must be prepared to check the results of thiswork (and allocate time/resources to do so). You must be responsible for the outcome of Year 2000 projects yourself. In practice, you will find t hat external organisations will want to define responsibility for work very narrowly and will guarantee results on only a "best efforts" basis.

The following is a short survey of sources of general information and the specific types of expertise mentioned above, biased towards those that are free or inexpensive and biased also towards the needs of SMEs.

GENERAL INFORMATION

Your first point of contact should be the one you have now: BSI. BSI has produced a definition of conformity with accompanying notes (PD2000-1), which is available free of charge, and a code of practice (PD2000-2) which provides both a detailed understanding of the problem and a method of tackling it; the latter costs £14.95.

There are various sources of worthwhile information packs, although the information in most of them is not particularly detailed. They are generally free of charge or make only a small charge for postage and packing.

Firstly, you should ask any of the major suppliers (e.g. IBM, ICL, Microsoft, Oracle) if they have one available. Most of these also have web sites which you can look at if you are connected to the Internet. A second major source is the high street ban ks, most of whom have produced booklets. Then there are more specialised IT bodies such as the British Computer Society, The National Computing Centre, The Institution of Electrical Engineers (IEE), The Federation of Electronic Industries (FEI), the Compu ter Services and Software Association (CSSA) and Taskforce 2000. Finally, there are trade associations, Chambers of Commerce, Business Links and the Dept of Trade & Industry (DTI) itself; the DTI has an information pack and most of the other bodies me ntioned now do too.

Incidentally, it is worth noting that many of the above bodies are running seminars, again free or at a nominal charge, and it is worth enquiring to see if any are being run locally to your organisation. Many IT suppliers are running similar events but , in this case, we would caution you that such seminars may cover only part of the problem (depending on the supplier’s wares) and may erroneously suggest that a supplier has a "total solution"; look for independent speakers at these events.

More substantial information is often available from the above sources at charges which vary considerably.

Two books that we would recommend, apart from BSI PD2000-2, are "A Business Guide To The Year 2000" from the Year 2000 Support Centre (£6.95) and "The Year 2000 Computer Problem" from NatWest (£2 to customers, £9 otherwise). You can purchase BSI PD2000 -2 and "A Business Guide To The Year 2000" as a single package from BSI as HB10145 for a combined price of £18.95.

There are a number of web sites that provide wide coverage of the subject, although these often require some work to dig out specific information. We would mention three:

www.year2000.com

www.year2000.co.uk

www.cssa.co.uk

SOURCES OF SPECIFIC HELP

Consultants And Contractors

As noted previously, we suggest you use your usual sources, if you have any, provided they can demonstrate competence in the problem. Checking whether they are familiar with, for instance, PD2000-2 would be one way to determine this. Other wise, you could "network" locally or contact the CSSA for suitable sources.

Equipment with Embedded Chips

There are very few service suppliers currently with detailed knowledge or experience of this aspect of the problem but fortunately one very good central source of information: the IEE. The IEE has published a large report on the subject, p riced at £50, and cut-down version for SMEs. We suggest you make the IEE your primary contact for any matter to do with embedded chips but the Health & Safety Executive has also produced an excellent report entitled "Safety and the year 2000", price £ 15.

Information On IT Product Conformity

Various lists of IT products claimed to be compliant are available on web sites and in trade publications.

We believe it is very dangerous to rely on these and suggest the following.

First, contact all your suppliers yourself. Secondly, if you have an Internet connection, look at www.weblaw.co.uk. This contains a questionnaire aimed at suppliers and comp leted information from some of them. The questionnaire alone is helpful in detailing the questions you need to have answered by your suppliers.

Legal Advice

Many large solicitors practices, particularly those that have a section specialising in IT matters, have general information on legal aspects of the problem available free of charge. Among those known to provide this are Bird and Bird, Hal berstam Elias, Masons, Tarlo Lyons and Withers.

Information on PCs

The question of PC conformity is quite complex. A good report on the problem and an evaluation of system fixes is available from Solace Consultancy Services (£30, including updates). Similar but much more limited information may be obtaine d free of charge from Tecfacs and good information on applications software aspects of the PC problem is available from Greenwich Mean Time. There is one further web site we would recommend: www.right ime.com.

Public Sector

The public sector has some bodies specific to it, although they may also provide services more widely. The Central Computers and Telecommunications Agency (CCTA) has published a 6-tome set of solid advice available for £300 and is also a s ource of manpower that is well-informed in public sector matters. The Society of Information Managers (SOCITIM) is dedicated to the local government and the NHS Executive has created an excellent body of information on most aspects of the problem and shou ld be a primary source for all healthcare organisations.

CONTACT DETAILS

The list of contacts suggested below is far from exhaustive but contains a good selection of sources, many of which themselves hold lists of other sources.

Banks

Contact the business advisor in your local main branch

Bird & Bird

0171 415 6000; www.twobirds.com

British Computer Society (BCS)

0171 637 1471; www.bcs.org.ik/millenn.htm

British Standards Institution (BSI)

0181 996 9000; www.bsi.org.uk

Business Links

Contact your local branch or, centrally, National Businee Links Helpline 0345 567765

Chambers Of Commerce

See local telephone directory

Central Computer and Telecommunications Agency (CCTA)

01603 704704; www.open.gov.uk/ccta/mill/mbhome.htm

Computer Services and Software Association (CSSA)

0171 405 2171; www.cssa.co.uk

Department of Trade & Industry (DTI): Action 2000

0845 601 2000; www.open.gov.uk/bug2000.htm

Greenwich Mean Time

0171 681 1661; www.gmt-2000.com

Halberstam Elias

0171 405 5382; www.weblaw.co.uk

Health & Safety Executive

01787 881165

IBM

0800 973 219; www.ibm.com/year2000

ICL

01344 424842 (Year 2000 Marketing);

Institution of Electrical Engineers (IEE)

0171 344 5410; www.iee.org.uk/2000risk

Masons

0171 490 4000

Microsoft

www.microsoft.com

National Computing Centre (NCC)

0161 228 6333; www.ncc.co.uk/y2k.html

Sage

0191 255 3000; www.sage.com

Solace Consultancy Services

01424 734277; www.solace.co.uk

Tarlo Lyons

0171 405 2000

Taskforce 2000

0171 562 7650; www.taskforce2000.co.uk

Tecfacs

0118 977 6645; www.tecfacs.com

Trade Associations

There are too many to list; you should have contact details for

any relevant to your business

Year 2000 Support Centre

0800 146 020; www.support2000.com