OEDO-22-00082 - Evaluation of Special Inquiry Report Findings on Counterfeit, Fraudulent, and Suspect Items for Immediate Safety Concerns at Nuclear Power Plants and Nuclear Materials Facilities

ML22060A153
Person / Time
Issue date:	03/04/2022
From:	Andrea Veil Office of Nuclear Reactor Regulation
To:	Dan Dorman NRC/EDO
Armstrong A, NRR/DRO
References
Download: ML22060A153 (19)
v • d • e

Text

March 4, 2022 MEMORANDUM TO: Daniel H. Dorman Executive Director for Operations Signed by Veil, Andrea FROM: Andrea Veil, Director on 03/04/22 Office of Nuclear Reactor Regulation Signed by Lubinski, John John W. Lubinski, Director on 03/04/22 Office of Nuclear Material Safety and Safeguards

SUBJECT:

EVALUATION OF SPECIAL INQUIRY REPORT FINDINGS ON COUNTERFEIT, FRAUDULENT, AND SUSPECT ITEMS FOR IMMEDIATE SAFETY CONCERNS AT NUCLEAR POWER PLANTS AND NUCLEAR MATERIALS FACILITIES The staff conducted a review of the information presented in the Office of the Inspector General (OIG), Special Inquiry into Counterfeit, Fraudulent, and Suspect Items (CFSI) in Operating Nuclear Power Plants and OIG Report, Audit of the Nuclear Regulatory Commissions Oversight of Counterfeit, Fraudulent, and Suspect Items at Nuclear Power Reactors to assess whether there are immediate safety concerns at nuclear power plants and for materials and waste facilities. Additional staff efforts are underway to evaluate if any program improvements related to CFSI may be warranted and will be addressed separately consistent with direction in EDO tasking memo (Agencywide Documents Access and Management System (ADAMS)

ML22048A484). To provide a broader perspective, the staff supplemented the information in the OIG reports with data from recent operating experience sources. The staff performed this review in accordance with the risk-informed approaches identified in LIC-504, Integrated Risk-Informed Decisionmaking Process for Emergent Issues. Based on the review findings, the staff determined that there is no evidence that CFSIs have adversely challenged the safety of reactor facilities; defense-in-depth measures at reactor facilities are adequate to mitigate potential failures introduced by CFSIs; and failures introduced from any potential CFSIs in SSCs would have an overall small increase in risk, minimal impact on safety margin, and negligible impact to the public health and safety.

CONTACT: Aaron Armstrong, NRR/DRO/IQVB (301) 415-8396 Deanna Zhang, NRR/DRO/IQVB (301) 415-1946 Hipo Gonzalez, NMSS/DFM/IOB (301) 415-5637

D. Dorman 2 Based on the review, for facilities regulated under NMSS programs the staff determined that CFSI hazards are adequately minimized or mitigated. For these programs, adherence to the requirements and the defense-in-depth measures provides confidence that CFSI will either be prevented, identified and addressed, or mitigated in a timely manner if issues arise. Therefore, the staff concludes there are no immediate safety concerns due to CFSIs at reactor facilities and facilities regulated under NMSS programs. The details of this review are enclosed.

Enclosures:

1. Assessment of Findings within OIG Special Inquiry and Audit Report on Safety of Reactor Facilities

2. Assessment of Findings within OIG Special Inquiry and Audit Report on Safety of Facilities within NMSS Programs

ML22060A153 NRR-106 OFFICE NRR/DRO/IQVB NRR/DROQVOL NRR/DRO/IQVB NRR/DRA/APOB NAME DZhang AArmstrong KKavanagh AZoulis DATE 3/1/2022 3/1/2022 3/1/2022 3/1/2022 OFFICE NMSS/DFM NRR/DRO NMSS NRR NAME GMiller RFelts JLubinski AVeil DATE 3/2/2022 3/1/2022 3/4/2022 3/4/2022 Assessment of Findings within OIG Special Inquiry and Audit Report on Safety of Reactor Facilities I. Executive Summary The staff conducted a review of the findings presented in the Office of the Inspector General (OIG) Special Inquiry into Counterfeit, Fraudulent, and Suspect Items (CFSI) in Operating Nuclear Power Plants and OIG Report, Audit of the Nuclear Regulatory Commissions Oversight of Counterfeit, Fraudulent, and Suspect Items at Nuclear Power Reactors to determine whether there are any immediate impacts to the safety of reactor facilities. The staff used the process in Appendix B, Simplified Approach to Risk-Informed Decision making, of LIC-504, Integrated Risk-Informed Decision making Process for Emergent Issues, to perform this review. By considering CFSI as a hazard (i.e., potential for harm) to the safety of reactor facilities, the staff assessed safe operation of reactor facilities, such as the risk of CFSIs as a challenge to operating reactor safety, mitigation of hazards introduced by CFSI presence, and coping with the consequences of unmitigated CFSI hazards, into the risk-informed assessment approach defined in LIC-504.

The staff requested additional information from the OIG on the events identified in the special inquiry report to inform the staffs review. The OIG stated that the information in the special inquiry report pertaining to the specific reactor facility site, confirmation on whether the items identified as CFSI in reports reviewed by OIG were safety-related, and confirmation whether the events identified by third-party organizations as pertaining to equipment intended for safety-related applications at operating reactor facilities is confidential, and therefore, was unable to provide staff with the requested information. This prevented the staffs review and evaluation of the specific examples cited in the OIG special inquiry report.

The staff performed the review using data available from recent licensee event reports, Title 10 of the Codes of Federal Regulations (10 CFR) Part 21 reports, licensee and vendor inspection findings, discussions with industry stakeholders knowledgeable in safety-related item procurement, analysis of defense-in-depth measures at plants, and generalized plant sensitivity studies. Based on the results of this review, the staff determined the following:

1. Data collected and evaluated do not support the existence of CFSI in structures, systems, and components (SSCs) that could adversely impact plant safety and existing measures implemented to prevent and minimize the risk of CFSI in SSCs of safety significance are adequate.

2. The defense-in-depth measures at plants are sufficient to mitigate failures introduced by potential CFSIs in SSCs at reactor facilities that could challenge plant safety.

3. Failures introduced from any potential CFSIs in SSCs would have an overall small increase in risk, minimal impact on safety margin, and negligible impact to the public health and safety.

4. There are sufficient tools to measure and assess industry performance which provide reasonable assurance that the presence of CFSI can be mitigated under current performance monitoring strategies.

In addition, the staff determined that the regulatory concerns on CFSI reporting raised in the findings of the OIGs special inquiry report do not present a challenge to the safe operation of Enclosure 1

reactor facilities. Therefore, the staff concludes that there are no immediate safety concerns due to CFSIs at reactor facilities. Furthermore, these risk thresholds along with plant wide defense-in-depth, safety margins, and performance monitoring demonstrate that the issue can be characterized as having very low safety-significance.

II. Characterize the Emergent Issue The OIGs special inquiry report documented a set of statements related to findings of CFSIs at operating nuclear reactors that need to be evaluated to determine whether these statements reflect an immediate impact on the safe operation of US nuclear reactor facilities.

While the information presented in the OIGs special report does not identify the specific plants or provide details on the SSCs that substantiated the findings of CFSIs at nuclear power plants in the report, the staff performed an assessment of the concerns raised in the report to evaluate whether there is an immediate safety concern at US nuclear reactor facilities. The staff performed this assessment using risk-informed approaches.

In performing this review, the staff used the same definition of CFSI1 in the OIGs report to maintain consistency with the criteria used in the OIGs special inquiry.

III. Evaluation and Assessment to Determine Any Potential Safety Concern

a. Compliance with Existing Regulations Minimizes Risk of CFSI Hazards The staff reviewed measures implemented to prevent or minimize the risk of CFSIs as a hazard to the safe operation of nuclear reactor facilities. These measures include quality assurance controls established by licensees to ensure the use of high-quality products and services for safety-related SSCs, performance of in-service testing and inspections, and prompt identification and correction of failures, malfunctions, deviations, nonconformances, and defective material and equipment. The extensive inspections of a procured item's critical physical characteristics and rigorous performance testing prior to using this item in a safety-related application reduce the likelihood for undetected CFSI in safety-related applications.

Further, the licensees own processes of oversight of suppliers through use of audits and evaluations and the NRCs oversight through inspections and performance indicators verify the proper implementation of these measures and add confidence that the risk from CFSI presence in NRC-regulated activities is minimized.

The staff reviewed the regulatory concerns on CFSI reporting raised in the findings of the OIGs special inquiry report to determine whether these concerns present a challenge to the safety of reactor facilities. Specifically, the staff reviewed the concerns raised in the special inquiry report related to the lack of a CFSI definition in NRC regulations or requirements to report CFSI to the NRC. The staff determined that while the NRC does not define CFSI in the NRCs regulations, the NRCs regulatory guidance on 10 CFR Part 21 defect evaluations does clarify the need to consider counterfeit and suspect items as a deviation that should be evaluated. In addition, the 1 CFSI is defined as as an unauthorized copy or substitute that has been identified, marked, and/or altered by a source other than the items legally authorized source or has been misrepresented to be an authorized item of the legally authorized source.

2

staff determined that the current reporting requirements for CFSIs under 10 CFR Part 21 do not reduce the safety of reactor facilities since these requirements are based on the safety-significance of any adverse conditions introduced by defects, including any defects attributed to CFSIs. Therefore, the staff concludes that the regulatory concerns on CFSI reporting raised in the findings of the OIGs special inquiry report do not present a challenge to the safe operation of reactor facilities.

The staff reviewed recent licensee event reports, 10 CFR Part 21 reports, and inspection findings and did not identify any cases of CFSI in safety-related SSCs. The staff also did not identify any initiating events that could be attributed to CFSIs. The staffs exchanges with third party organizations did not substantiate the presence of CFSI in SSCs intended for a safety-related application at reactor facilities. While the staff did not identify recent cases of CFSIs in SSCs of safety-significance, the staff did assess whether there could be events with unattributed CFSI factors through a review of initiating event trends from performance indicators at operating reactor facilities and determined that these trends do not indicate plant safety is challenged by unattributed CFSI factors. Therefore, the staff concludes that data collected does not support the existence of CFSI in SSCs that could adversely impact plant safety and existing measures implemented to prevent and minimize the risk of CFSI in SSCs of safety significance are adequate.

b. Mitigation of CFSI Hazards through Defense-in-Depth Measures The staff reviewed the ability of defense-in-depth measures implemented in the designs of reactor facilities to mitigate hazards introduced by CFSIs to address the residual risk of CFSI presence in these facilities. This includes the design measures implemented to prevent loss of a safety function due to a single failure of an SSC and measures implemented to maintain adequate safety from a common cause failure of safety-related SSCs. The staff considered the effects from the failure of a single safety-related SSC from use of CFSIs and determined that the ability to achieve the intended safety-function would not be degraded due to redundancies built into a safety-related system design. For example, if a single safety-related temperature transmitter in the steam tunnel area were to fail due to use of CFSIs, the ability to detect and mitigate a postulated main steam line break would be maintained through redundant safety-related temperature transmitters in the steam tunnel area. The staff also considered the effects caused by use of CFSIs in redundant safety-related SSCs that resulted in loss of a safety function and determined that plant safety can be maintained through diverse means. For example, if all redundant safety-related temperature transmitters in the steam tunnel area were to fail from use of CFSIs, the ability to detect and mitigate a postulated main steam line break would be maintained using safety-related steam line pressure and flow sensors. Therefore, the staff concludes the defense-in-depth measures at reactor facilities are sufficient to mitigate any residual risk of CFSIs that could challenge plant safety.

c. Maintenance of Adequate Safety Margins The staff reviewed the contribution to risk from failures introduced by CFSIs at reactor facilities.

Given the unavailability of specific information regarding potential affected SSCs in the OIG special inquiry report, the assessment of CFSI impacts on plant consequences relies on a qualitative review of any potential increase in risk through a generalized sensitivity study.

Current Probabilistic Risk Assessment (PRA) models capture random single failures and common-cause failures. Any potential failures related to CFSI are already included within the failure rates in the PRA models. Furthermore, trending of both current and age-related failures continues to provide accurate probabilities in the PRA models and databases. Additionally, any 3

substantial changes in failure rates associated with CFSI is addressed through PRA model updates. The associated risk of cliff edge effects due to unknown aspects of CFSI are mitigated by other NRC programs such as Fukushima-related mitigation strategies and therefore minimally impact safety margins.

The staff used the Standardized Plant Analysis Risk models to obtain risk-informed insights.

Specifically, core damage frequency (CDF) from internal events was reviewed for multiple boiling water reactor and pressurized water reactor internal event category groups. This assessment focused on groups related to loss of alternating current power, loss of feedwater, and loss of service water as these events most closely mirrored a selection of possible impacted events inferred from the OIG special inquiry report.

In most initiating event cases identified, the CDF and change in CDF (CDF) were removed from consideration due to truncation (CDF < 1E-7) and had negligible impact (CDF < 10-6/year) on plant risk in accordance with the criteria in LIC-504, Figure 3. A subset of cases contained a higher CDF which required further refinement to determine impact. Increasing CDF impact by 10 to 20 percent to account for undefined increased failures due to CFSI, the assessment determined that the resulting change in CDF increased slightly but still had a negligible contribution on overall risk (10-6/year < CDF < 10-5/year). Further, the assessment identified several cases where the higher impact on change in CDF overlapped between a negligible and small (5x10-6/year < CDF < 5x10-5/year) change in overall risk. Any additional staff effort to conduct a more refined analysis would likely determine that these cases are also negligible and have negligible impact on the safety margin. Therefore, the staff concludes that failures introduced from any potential CFSIs in SSCs would have an overall small increase in risk, minimal impact on safety margin, and negligible impact to the public health and safety.

d. Performance Monitoring The operating reactor fleet is under continuous performance monitoring. This is accomplished both through the reactor oversight process (ROP) and its associated inspection programs as well as other regulatory requirements. Specifically, the ROP baseline, reactive, and supplemental inspection programs are implemented as needed to address any performance issues that may arise. Numerous inspections focus on analyzing negative trends and identifying appropriate implementation of corrective actions to address those issues. Problem identification and resolution, maintenance effectiveness, and surveillance testing, are some of the examples available to inspectors and are conducted on a yearly and periodic basis.

Regulatory requirements such as implementation of 10 CFR 50.65, Requirements for monitoring the effectiveness of maintenance at nuclear power plants, continuously addresses SSC reliability and availability. NRC resident inspectors inspect industrys implementation of this maintenance effectiveness program requirement as part of the baseline inspection program.

At present there are no specific indications of negative trends or singular evidence to suggest a systemic failure of the maintenance effectiveness program. Current evidence supports the robustness of these programs and industrys implementation. Additionally, from a risk-informed perspective, both the industry and NRC staff are engaged in activities to track and trend the performance of SSCs for PRA modeling purposes and therefore provide constant updates on trends of SSC performance that impact defense-in-depth and safety margin.

The results of inspection findings, licensee performance indicators, ongoing testing and maintenance programs and other NRC and industry monitoring programs provide evidence to conclude reasonable assurance of adequate performance in this area. The NRC staff 4

concludes there are sufficient tools to measure and assess industry performance to provide reasonable assurance that the presence of CFSI can be mitigated under current performance monitoring strategies.

IV. Conclusions The results of the staffs review determined that the existence of CFSI in SSCs that could adversely impact plant safety are not supported by events and data assessed. The staff found that the existing measures implemented to prevent and minimize the risk of CFSI in SSCs of safety significance are adequate; defense-in-depth measures at plants are sufficient to mitigate failures introduced by any potential CFSIs, including failures of safety-related SSCs; failures introduced from any potential CFSIs in SSCs would have an overall small increase in risk, minimal impact on safety margin, and negligible impact to the public health and safety; and there are sufficient tools to measure and assess industry performance which provide reasonable assurance that the presence of CFSI can be mitigated under current performance monitoring strategies. The staff also determined that the regulatory concerns on CFSI reporting raised in the findings of the OIGs special inquiry report do not present a challenge to the safe operation of reactor facilities. Therefore, the staff concludes that there are no immediate safety concerns due to CFSIs at reactor facilities. Furthermore, these risk thresholds along with plant wide defense-in-depth, safety margins, and performance monitoring demonstrate that the issue can be characterized as having very low safety-significance.

5

Assessment of Findings within OIG Special Inquiry and Audit Report on Safety of Facilities within NMSS Programs I. EXECUTIVE

SUMMARY

The staff conducted a review on the findings identified in the Office of the Inspector General (OIG) report on Special Inquiry into Counterfeit, Fraudulent, and Suspect Items in Operating Nuclear Power Plants, dated February 9, 2022, to determine whether there are any immediate safety concerns or items of risk significance for facilities with the Office of Nuclear Material Safety and Safeguards (NMSS) programs. For agencywide consistency, the staff adapted, for this review of materials and waste facilities, the simplified approach to risk-informed decision-making documented in the NRR Office Instruction, LIC-504, Integrated Risk-Informed Decisionmaking Process for Emergent Issues, dated March 4, 2020, in performing this review.

For its evaluation, the staff used the NRCs Abnormal Occurrence policy1 to inform its definition for immediate safety concern or item of risk significance for the NMSS program areas.

The staff performed the review using data available from event reports, 10 CFR Part 21 evaluations, inspection findings, and licensing reviews. The staff considered the licensees layers of protection (both design and administrative) for preventing, mitigating, and responding to the range of events a counterfeit, fraudulent, and suspect items (CFSI) could cause for a given regulated activities. In addition, the staff determined that there are sufficient tools to measure and assess industry performance which provide reasonable assurance that the presence of CFSI can be mitigated under current performance monitoring strategies. Based on the review, the staff does not have immediate safety concerns or issues of risk significance, for NMSS facilities, due to the potential presence of CFSI.

II. Characterize the Emergent Issue Although the OIGs audit and special inquiry reports are limited to CFSIs at operating nuclear reactors, the staff considered whether the presence of CFSI at materials and waste program facilitates could present immediate safety concerns or increased risk significance.

The staff performed this assessment using risk-informed approaches. For its evaluation, the staff used the NRCs Abnormal Occurrence policy to inform its definition for immediate safety concern or item of risk significance for the NMSS program areas. For example, the staff considered the impact of a CFSI causing degradation of essential or critical components and safety features, deficiencies in design, construction, use of, or management controls for, facilities or licensed materials/devices that would result significant harm to workers or members of the public.

By considering CFSI as a hazard (i.e., potential for harm) to the safety for NMSS licensed facilities, the staff adopted hazard analysis concepts, such as preventing or minimizing the risk of introduction of CFSIs into facilities and preventing or mitigation of hazards introduced by CFSI presence at NMSS licensed facilities using the risk-informed assessment approach defined in LIC-504.

1 NRC Management Directive 8.1, Abnormal Occurrence Reporting Procedure (ADAMS Accession No. ML18127B179)

Enclosure 2

As was the case for reactor programs, the staff used the same definition of CFSI3 in the OIGs report to maintain consistency with the criteria used in the OIGs special inquiry.

III. Programs Areas Considered The staff performed a scoping review across all materials and waste program areas to identify and assess any risks that CFSI, if present, might present.

Radioactive Materials Transportation

a. Compliance with Existing Regulations Minimizes Risk of CFSI Hazards About 3 million packages of radioactive materials are shipped each year in the United States, either by highway, rail, air, or water. Regulating the safety of these shipments is the joint responsibility of the NRC and the U.S. Department of Transportation, and regulatory requirements are compatible with worldwide standards. In addition, several NRC-sponsored studies over the years have focused on the risk related to radioactive materials transport have concluded that risks are very low and provide additional confidence in the current regulations to assure safety.

Applicants, licensees, and certificate of compliance (CoC) holders for the packaging and transportation of radioactive material are required to establish and maintain programs and procedures that ensure public safety and demonstrate compliance with the regulatory requirements of 10 CFR Part 71, Packaging and Transportation of Radioactive Material.

These regulatory requirements include design requirements, procedures, and quality assurance for radioactive materials transportation. The NRC performs rigorous reviews of the transportation packaging design and the applicants quality assurance program. In addition, the NRC performs oversight of the licensees and CoC holders through inspections. The NRC quality assurance requirements and inspection oversight are described in the following paragraphs.

The applicants for packaging design approvals (i.e., CoC holders) and licensees are required to submit information about and maintain a quality assurance program that meets the requirements of Subpart H, Quality Assurance, of 10 CFR Part 71. Subpart H provides measures such as 10 CFR 71.115, Control of purchased material, equipment, and services; 10 CFR 71.117, Identification and control of materials, parts, and components; and 10 CFR 71.131, Nonconforming materials, parts, or components. These measures are analogous to criteria in Appendix B to 10 CFR Part 50.

NRC has an established regulatory framework to evaluate an applicants quality assurance program. Applicants are required to follow these regulations to have a program in place to provide adequate controls in material procurement, receipt inspection, handling and storage, fabrication requirements, material traceability, measuring and testing, nonconforming material, corrective actions, and personnel qualifications.

3 CFSI is defined as an unauthorized copy or substitute that has been identified, marked, and/or altered by a source other than the items legally authorized source or has been misrepresented to be an authorized item of the legally authorized source.

2

b. Mitigation of CFSI Hazards through Defense-in-Depth Measures and Maintenance of Adequate Safety Margin Defense-in-depth is provided by design requirements, fabrication oversight, and personnel response. Radioactive materials transportation packages for higher quantities of material (those that present significant risk for accidents) are designed to withstand hypothetical accident conditions. In the U.S. and internationally, these designs must pass a series of tests that mimic accident forces. The NRC reviews packages to ensure they meet the design standards and test conditions in the regulations. These containers must be able to survive four tests involving impact, puncture, fire, and submersion in water. During and after the tests, the casks must contain the nuclear material, limit radiation doses to acceptable levels, and prevent a nuclear reaction. Most transportation packages are designed with multiple barriers that must be compromised for radiological releases, or multiple components that must fail in addition to a containment or confinement barrier. For example, in the unlikely event a CFSI component was introduced into the one of the containment or confinement barriers and failed, a second barrier would ensure there is no radioactive releases under normal or accident conditions. Additionally, in the event of a transportation accident, event responders would be expected to take appropriate precautions consistent with hazardous material events which would reduce the likelihood of significant exposures.

c. Performance monitoring and oversight NRC inspectors routinely inspect the preparation of transportation packages for shipment, for reactors, materials, and waste facility licensees. NRC inspectors also routinely inspect transportation receipts by licensees.

Regarding fabrication, NRC staff performs routine onsite inspections encompassing both design and fabrication activities to determine whether the 10 CFR Part 71 CoC holders maintain controls and processes to ensure the transportation packages that are produced meet the approved design. NRC staff also performs onsite inspections of licensees to ensure appropriate use of NRC approved packages. The NRC inspections verify that the 10 CFR Part 71 CoC holders and licensees quality assurance program includes processes to mitigate the procurement of CFSI through the use of approved vendors for important to safety items that have the greatest impact on safety, and for the identification of and corrective actions for CFSI if received. The NRC inspections verify that 10 CFR Part 71 CoC holders and licensees perform regular audits and evaluations of their approved suppliers. Commercial grade dedication programs are also reviewed during inspections to verify the proper testing and/or controls are in place to ensure materials and items procured as commercial grade, and then used in important to safety applications having the greatest impact on safety, meet the critical characteristics to perform the required safety function. The NRC inspections sample 10 CFR Part 71 CoC holders and licensees non-conformance reports to verify that the corrective action program evaluates identified non-conformances as required, and, when necessary, implements actions to preclude recurrence. In addition, the NRC inspections verify that CoC holders and licensees are identifying and placing potential 10 CFR Part 21, Reporting of Defects and Non-Compliance Issues, findings into the corrective action program and appropriately evaluating them.

The staff conducted a limited initial search of CFSI related events using readily available tools (e.g., NMED, Fuel Cycle Operating Experience Database, and previous assessments on inspection findings related to spent fuel storage facilities and vendors). However, the results of a search of the NMSS (NMED) database or the agencys event reporting database would likely provide an incomplete picture of the instances of CFSI because the reporting requirements do 3

not explicitly require events to be attributed to CFSI issues and therefore may not be classified as such in the database.

d. Conclusions Based on the assessment, the staff concludes that there are no immediate safety concerns or areas of increased risk significance related to CFSI for radioactive materials transportation. The staff review of available data concludes it is highly unlikely that CFSI in SSCs have been introduced that could adversely impact safety, and existing programs and processes implemented to prevent and minimize the risk of CFSI in SSCs impacting safety are adequate to conclude there is no immediate safety concern. Adherence to the requirements in the aforementioned regulations and the defense-in-depth measures provides confidence that CFSI will either be prevented, identified and addressed, or mitigated in a timely manner if issues arise.

Storage of Spent Fuel, High-Level Waste, and Reactor-Related Greater Than Class C (GTCC) Waste

a. Compliance with Existing Regulations Minimizes Risk of CFSI Hazards Applicants, licensees, and certificate of compliance (CoC) holders for the licensing of the independent storage of spent nuclear fuel, high-level waste, and reactor-related GTCC waste are required to establish and maintain programs and procedures to ensure public safety and demonstrate compliance with the regulatory requirements of 10 CFR Part 72, Licensing Requirements for the Independent Storage of Spent Nuclear Fuel, High-Level Radioactive Waste, and Reactor-Related Greater Than Class C Waste. These regulatory requirements include design requirements, procedures, quality assurance, and criteria for the issuance of licenses to receive, transfer, and possess power-reactor spent fuel, power-reactor-related GTCC waste, and other radioactive materials associated with spent fuel storage in an independent spent fuel storage installation (ISFSI). The NRC performs rigorous reviews of the storage system design and the applicants quality assurance program. In addition, the NRC performs oversight of the licensees and CoC holders through inspections. The NRC design review, quality assurance requirements and inspection oversight are described in the following paragraphs.

As part of its reviews of applications, the NRC staff review the design and technical specifications of storage systems for spent fuel, high-level waste, and reactor related GTCC to ensure the design of the storage systems meet the regulatory requirements of 10 CFR Part 72.

NRC has regulatory processes in place to identify important to safety (ITS) items in three categories to provide controls and requirements for each. The NRC review specifically evaluates the storage system component safety functions in the review of the storage system component specifications, fabrication methods, inspection requirements and acceptance criteria, and operational procedures to verify regulatory compliance.

The NRC requires dry storage systems to meet NRC safety requirements at all times, including during or after a design basis accident. The following risk assessments performed by the NRC and the Electrical Power Research Institute (EPRI) have concluded that the risk of the public receiving a dose above regulatory limits is very low:

4

NUREG-1864, A Pilot Probabilistic Risk Assessment of a Dry Cask Storage System at a Nuclear Power Plant, March 2007 (ML071340012)

(https://www.nrc.gov/docs/ML0713/ML071340012.pdf).

EPRI Technical Report 1002877, Probabilistic Risk Assessment (PRA) of Bolted Storage Casks: Quantification and Analysis Report, December 2003 (https://www.epri.com/research/products/1002877.

Applicants, licensees, and CoC holders are required to submit information about and maintain a quality assurance program that meets the requirements of Subpart G, Quality Assurance, to 10 CFR Part 72. Subpart G includes measures such as those of 10 CFR 72.154, Control of Purchased Material, Equipment, and Services; 10 CFR 72.156, Identification and control of materials, parts, and components; and 10 CFR 72.170, Nonconforming Materials, Parts, or Components. These measures are analogous to criteria in Appendix B to 10 CFR Part 50.

NRC has an established regulatory framework to evaluate an applicants quality assurance program. Applicants are required to follow these regulations to have a program in place to provide adequate controls in material procurement, receipt inspection, handling and storage, fabrication requirements, material traceability, measuring and testing, nonconforming material, corrective actions, and personnel qualifications.

b. Mitigation of CFSI Hazards through Defense-in-Depth Measures and oversight Defense-in-depth is provided by design requirements and personnel response. Storage systems are designed with multiple containment or confinement barriers where multiple safety components must be compromised for radiological releases. For example, in the unlikely event a CFSI component was introduced into the one of the containment or confinement barriers and failed, the second barrier would ensure there is no release of radioactive material under normal or accident conditions. Additionally, if an event were to occur, facility policies and procedures are in place for personnel to recognize and react to an event to mitigate the consequences to the workers and the public. Furthermore, all storage facilities are required to have administrative controls and emergency plans for detection of accidents and mitigation of accident consequences, including but not limited to training of local emergency responders, as well as notification and coordination with emergency responders.

c. Performance monitoring and oversight NRC staff performs routine onsite inspections encompassing both design and fabrication activities, to determine whether the 10 CFR Part 72 licensees and CoC holders maintain controls and processes to ensure the storage systems produced meet the approved design and technical specifications. The NRC inspections also verify that the 10 CFR Part 72 licensees and CoC holders quality assurance programs include processes to mitigate the procurement of CFSI through the use of approved vendors for important to safety items that have the greatest impact on safety, and for the identification of, and corrective actions for CFSI, if received. The NRC inspections verify that 10 CFR Part 72 licensees and CoC holders perform regular audits and evaluations of their approved suppliers. Commercial grade dedication programs are also reviewed during inspections to verify the proper testing and/or controls are in place to ensure materials and items procured as commercial grade and then used in important to safety applications having the greatest impact on safety meet the critical characteristics to perform the required safety function. The NRC inspections sample 10 CFR Part 72 licensees and CoC holders non-conformance reports to verify that the corrective action program evaluates identified non-conformances as required, and, when necessary, implements actions to preclude 5

recurrence. In addition, the NRC inspections verify that licensees and CoC holders are identifying and placing potential 10 CFR Part 21, Reporting of Defects and Non-Compliance Issues, findings into the corrective action program and appropriately evaluating them.

NRC inspections of licensees at operating ISFSIs include reviews of operational activities and their associated procedures, site-specific design evaluations, maintenance activities, inspection requirements, nonconformances, and corrective actions. The NRC inspections include a review of the radiation protection program as it applies to the ISFSI to verify that the facility meets the regulatory requirements of 10 CFR Part 72 that are necessary for public safety.

The staff conducted a limited initial search of CFSI related events using readily available tools (e.g., NMED, Fuel Cycle Operating Experience Database, and previous assessments on inspection findings related to spent fuel storage facilities and vendors). However, the results of a search of the NMSS (NMED) database or the agencys event reporting database would likely provide an incomplete picture of the instances of CFSI because the reporting requirements do not explicitly require events to be attributed to CFSI issues and therefore may not be classified as such in the database.

d. Conclusions Based on the assessment, the staff concludes that there are no immediate safety concerns or areas of increased risk significance related to CFSI at storage of spent fuel, high-level waste, and reactor-related greater than class C waste. The staff review of available data concludes it is highly unlikely that CFSI have been introduced that could adversely impact safety, and existing programs and processes implemented to prevent and minimize the risk of CFSI impacting safety are adequate to conclude there is no immediate safety concern. Adherence to the requirements in the aforementioned regulations and the defense-in-depth measures provides confidence that CFSI will either be prevented, identified and addressed, or mitigated in a timely manner if issues arise.

Fuel Cycle Facilities

a. Compliance with Existing Regulations Minimizes Risk of CFSI Hazards The regulations in 10 CFR Part 40, Domestic Licensing of Source Material, and 10 CFR Part 70, Domestic Licensing of Special Nuclear Material, cover uranium enrichment, conversion, and fabrication.

For certain Part 70 fuel cycle facilities, an Independent Safety Analysis (ISA) is conducted to assess the risk of events leading to an accident. The ISA assesses failures of the various structures, systems, and components (SSCs) of the facilities that are relied on to minimize risk.

Defense-in-depth is provided by management measures, QA requirements, procedures, training, etc., which are applied to IROFS, to ensure the items are available and reliable to perform their functions when needed.

Management measures are functions performed by the licensee to ensure that IROFS are available and reliable to perform their functions when needed. Management measures are submitted as part of the license application for NRC review and approval and include such topics as configuration management, maintenance, training, qualifications, procedures, audits and assessments, incident investigations, records management, and other quality assurance elements. Management measures perform a function similar to Quality Assurance Programs for reactors, transportation, and fuel storage.

6

The NRC staff use the guidance in NUREG-1520, Standard Review Plan (SRP) for Fuel Cycle Facilities License Applications, to perform safety and environmental impact reviews of applications to construct or modify and operate nuclear fuel cycle facilities. Changes to the approved license require the licensees to submit an annual facility change report as required by 10 CFR 70.72, Facility changes and change process. Fuel cycle facilities use an integrated safety review approach for all modifications of, or additions to, existing structures, systems, and components at their facilities, and these changes are reviewed by NRC licensing and inspection staff.

b. Mitigation of CFSI Hazards through Defense-in-Depth Measures and Maintenance of Adequate Safety Margin Defense-in-depth is provided by design requirements and personnel response. For fuel cycle facilities, an Independent Safety Analysis (ISA) is conducted to assess the risk of events leading to an accident. The ISA assesses failures of the various structures, systems, and components (SSCs) of the facilities that are relied on to minimize risk. Defense-in-depth is provided by management measures, QA requirements, procedures, training, and personnel response which are applied to IROFS, to ensure the items are available and reliable to perform their functions when needed. In the unlikely event a CFSI component was introduced into the one of the safety features at a fuel facility, in most instances, multiple failures would have to be present because multiple IROFS would have to be breached before an accident could occur. Some fuel facilities also have additional layers of design, although not credited as IROFS, which add additional protection for upset conditions. The most significant accident of concern at a fuel facility is an inadvertent criticality. An additional level of protection for a criticality accident sequence is the use of the double contingency principle. Additionally, if an event were to occur, plant policies and procedures are in place for personnel to recognize and react to an event to mitigate the consequences to the workers and the public.

c. Performance monitoring and oversight The staff conducted a search of the agencys event reporting database identified no instances of CFSI for the fuel cycle facilities over the last ten years. A more detailed review of inspection report searches has begun first starting with the Category I fuel facilities due to the higher risk associated with these facilities, followed by the rest of the facilities. The staff concludes the available data reviewed do not support the existence of CFSI in SSCs that could adversely impact safety, and existing programs and processes implemented to prevent and minimize the risk of CFSI in SSCs impacting safety are adequate to conclude there is no immediate safety concern.

The staff conducted a limited initial search of CFSI related events using readily available tools (e.g., NMED, Fuel Cycle Operating Experience Database, and previous assessments on inspection findings related to spent fuel storage facilities and vendors). For example, the results of a search of the agencys event reporting database for fuel cycle facilities identified no instances of CFSI for the over the last ten years. However, the results of a search of the NMSS (NMED) database or the agencys event reporting database would likely provide an incomplete picture of the instances of CFSI because the reporting requirements do not explicitly require events to be attributed to CFSI issues and therefore may not be classified as such in the database.

Although the NRC does not have specific CFSI inspection guidance for fuel facilities, licensees are required to submit an annual facility change report as required by 10 CFR 70.72. Fuel cycle 7

facilities use an integrated safety review approach for all modifications of, or additions to, existing structures, systems, and components at their facilities. This integrated review is conducted by the various regulatory disciplines, including Nuclear Criticality Safety, Radiation Safety, Environmental Protection, Safeguards, Fire Safety, Chemical/Industrial Safety and other applicable Health and Safety experts when necessary. A key aspect of this review is a determination that the change is not prohibited by 10 CFR Part 70, a license condition, or a governing order. The reviewers also determine whether NRC pre-approval and license amendment changes are required prior to implementation. The NRC reviews and inspects the facility changes at the fuel facilities. In addition, inspections are conducted of IROFS and their management measures as described above. Given the effectiveness of the facility change process and the regular inspections of management measures associated with IROFS that can contribute to the identification and prevention of CFSI, the staff believes that the risk of this issue is low.

d. Conclusions Based on the assessment, the staff concludes that there are no immediate safety concerns or areas of increased risk significance related to CFSI at Fuel Cycle Facilities. The staff review of available data concludes it is highly unlikely that CFSI have been introduced that could adversely impact safety, and existing programs and processes implemented to prevent and minimize the risk of CFSI impacting safety are adequate to conclude there is no immediate safety concern. Adherence to the requirements in the aforementioned regulations and the defense-in-depth measures provides confidence that CFSI will either be prevented, identified and addressed, or mitigated in a timely manner if issues arise.

Nuclear Materials Users

a. Compliance with Existing Regulations Minimizes Risk of CFSI Hazards Licensees that are authorized to use sealed sources or devices are licensed under 10 CFR Part 30 to Part 39 or equivalent Agreement State regulations. Licensees must adhere to the requirements in the regulations and are not authorized to make any unapproved changes to the sealed sources or devices registered in accordance with 10 CFR 32.210, Registration of product information or equivalent Agreement State regulation.

For nuclear materials users, the staff assessed potential immediate safety concerns due to CFSI to be the failure of sealed source or devices safety features during normal and accident conditions. The NRC requires that applicants manufacturing or distributing sealed source and devices for use in commercial, industrial, academic, medical, and research and development applications, demonstrate that the sealed sources and devices will maintain their integrity during normal use and likely accident conditions. Generally, devices are designed so that the sealed sources are able to return to a shielded position in a likely accident situation. NRC and Agreement State regulations also require that certain users of byproduct material have sufficient training and experience to conduct licensed activities and to have emergency procedures in case of equipment malfunctions or damage. Materials licensees are required to use, to the extent practical, procedures and engineering controls based on sound radiation protection principles to achieve occupational doses and doses to members of the public that are as low as reasonably achievable in accordance with 10 CFR Part 20.

The NRC, and those Agreement States with authority to perform safety evaluations of sealed sources and devices, review the design and construction of sealed sources or devices 8

containing byproduct material to assess whether the product meets quality and safety standards for acceptability for licensing purposes. The safety review confirms that the product design meets the applicable regulatory requirements and documents the provisions of use for the product. As part of a request for the registration of sealed sources or devices, an applicant for a registration certificate must include sufficient information about its quality control (QC) program to provide reasonable assurance that the radiation safety properties of the product will be maintained as designed and registered. The QC program is a component of a licensees QA program that provides control over all activities applicable to the design, fabrication, inspection, testing, maintenance, repair, modification, and distribution of the sealed sources or devices.

This puts more emphasis on the overall management structure and on the program that covers construction of the device from the time of initial design through refurbishment.

b. Mitigation of CFSI Hazards through layers of protection Defense-in-depth is provided by equipment safety features, management measures, QA/QC requirements, operating and emergency procedures, and training and experience to ensure that sealed sources and devices perform their functions as needed and to ensure that materials licensees minimize the risk of radiation exposure to their workers and the public during normal and likely accident conditions. Most sealed sources and devices are designed with multiple containment barriers to prevent release of radioactive material and most devices are designed in such a manner that the sealed sources are able return to a shielded position in a likely accident situation. In addition, if CFSI parts were introduced into devices containing radioactive material that caused a sealed source from returning to a safe or shielded position, licensees have administrative controls in place to serve as a defense-in-depth to mitigate the consequences to the individuals using the devices. For example, high dose rate (HDR) afterloaders, used to treat prostate cancer, operate by extending a radioactive source from a shielded position inside of the medical device to the treatment area of a patient via a set of guide tubes. The patient and device are located inside of a shielded room at a medical facility.

If the introduction of CFSI into the HDR would prevent the return of the sealed source to the shielded position, the trained operator performing the procedure would be alerted. Devices such as HDRs have emergency features such as manually operated cranks that would allow the operator to attempt to manually return the source to its shielded position. In addition, the licensees would use emergency procedures and their own judgement to minimize exposure to the unshielded source.

c. Performance Monitoring and Oversight The staff performs periodic inspections of licensed facilities using byproduct material or some types of source material and works with the Agreement States, and the Food and Drug Administration (FDA), regarding CFSI. During inspections, the NRC verifies that any sealed sources or devices conform to the conditions of the license and to the specifications in the sealed source and device (SSD) registration certificate. In addition, the NRC verifies that the licensees implement their QC programs in accordance with commitments made in their license or in the SSD registration certificate. Furthermore, the NRC inspections verify that licensees identify and place potential 10 CFR Part 21 findings into their corrective action program and appropriately evaluate them. As part of the National Materials Program, the Agreement States also implement similar oversight programs of their licensees. The NRC and Agreement State regulations include multiple reporting requirements, including reports of equipment failures.

The NRC has over 50 years of event data for materials users licensed to use, distribute, and possess radioactive material across the U.S. and its territories. For most devices, it is generally 9

the sources that are replaced, and the sources can only be obtained from an NRC or Agreement State-licensed manufacturer and distributor. In March 2013, the staff issued Regulatory Issue Summary (RIS) 2013-01, Use of Aftermarket Sealed Sources Registered under 10 CFR 32.210. The RIS was issued to those licensed under 10 CFR Part 30, Rules of General Applicability to Domestic Licensing of Byproduct Material. In the RIS, the staff provided guidance regarding the use in devices of replacement sealed sources (also called aftermarket sealed sources) that might be equivalent to original sources but are not identified as such in the devices SSD registration certificate. The staff also clarified that devices containing sealed sources may only be serviced by an NRC or Agreement State-licensed service provider.

The requirement to use a licensed service provider is a condition of a device holders radioactive materials license.

The staff regularly evaluates event reports received from NRC and Agreement State licensees involving sealed sources and devices containing byproduct material and have not identified any events that were the result of CFSI. In NUREG-1556, Consolidated Guidance About Materials Licenses, Volume 3, Revision 2, Applications for Sealed Source and Device Evaluation and Registration, published in September 2015, the staff provided specific guidance for SSD registration certificate holders to report defects or non-compliances as required by 10 CFR Part

21. Based on available information to date on the use of radioactive material, and the mitigation measures that the procedures, regulations, and license conditions provide, the staff concludes that there are no immediate safety concerns. The staff continues to evaluate medical event trends and promptly communicate any generic findings to licensees and the Agreement States.

In addition, the NRC staff and the Advisory Committee on the Medical Uses of Isotopes evaluate medical events on an annual basis and communicate their evaluations to the public.

To date, the NRC has not identified any issues related to the use of CFSI in medical activities regulated by the NRC or Agreement States.

d. Conclusions Based on the assessment, the staff concludes that there are no immediate safety concerns or areas of increased risk significance related to CFSI for nuclear materials users. The staff review of available data concludes it is highly unlikely that CFSI have been introduced that could adversely impact safety, and existing programs and processes implemented to prevent and minimize the risk of CFSI impacting safety are adequate to conclude there is no immediate safety concern. Adherence to the requirements in the aforementioned regulations and the defense-in-depth measures provides confidence that CFSI will either be prevented, identified and addressed, or mitigated in a timely manner if issues arise.

Reactor Decommissioning Assessment of Risk of CFSI Hazards and Conclusions The NRC staff had previously evaluated the decommissioning stage of a nuclear power reactor and determined that the activities performed by the licensee during decommissioning do not have a significant potential to impact public health and safety as published in the Federal Register dated July 29, 1996 (61 FR 39278). Once a reactor ceases operation and is defueled, there is no need to purchase safety related items which would contribute to a potential CFSI concern.

SSCs that are required for the safe storage, control, and maintenance of spent fuel, either in the fuel pool or in dry cask storage, are addressed through other regulatory programs discussed 10

above. In addition, the potential hazards of CFSI introduced prior to a reactor transitioning to decommissioning are addressed in the Assessment of Findings within OIG Special Inquiry and Audit Report on Safety of Reactor Facilities. Accordingly, the staff assesses that there is no immediate safety concerns or increased risk significance associated with the presence of CFSI.

Uranium Recovery and Materials Decommissioning Assessment of Risk of CFSI Hazards and Conclusions The staff assesses that the activities performed at uranium recovery and materials decommissioning sites do not present risks such that CFSI could cause failure of a component resulting in an immediate safety concern. Analyses of postulated accidents and associated consequences have been examined in NUREG-0706 (ML032751663), NUREG-1140 (ML062020791), and NUREG/CR-6733 (ML012840152). The accident source terms in these analyses included fires, failures of air cleaning systems, tailings pond releases, other liquid field spills, tornadoes, and seismic events. The calculated dose to an offsite member of the public was less than 100 mrem for these scenarios. Accordingly, the staff assesses that there is no immediate safety concerns or increased risk significance associated with the presence of CFSI.

IV. Conclusions The results of the staffs review determined that the existence of CFSI in materials and waste program facilities that could present immediate safety concerns or areas of increased risk significance are not supported by information available and assessed. The staff has reasonable assurance that the existing measures implemented in the materials and waste programs provide the tools to prevent, mitigate, and respond to the presence of potential CFSI. Therefore, the staff concludes that there are no immediate safety concerns or areas of increased risk significance due to CFSIs at facilities regulated by NMSS.

11