RIS 2015-08, Oversight of Counterfeit, Fraudulent, and Suspect Items in the Nuclear Industry

From kanterella
(Redirected from RIS 2015-08)
Jump to navigation Jump to search
Oversight of Counterfeit, Fraudulent, and Suspect Items in the Nuclear Industry
ML24184B841
Person / Time
Issue date: 10/05/2024
Revision: 1
From: Frankie Vega
NRC/NRR/DRO/IQVB
To:
References
RIS-2015-08, Rev 1
Download: ML24184B841 (14)


UNITED STATES

NUCLEAR REGULATORY COMMISSION

OFFICE OF NUCLEAR MATERIAL SAFETY AND SAFEGUARDS

OFFICE OF NUCLEAR REACTOR REGULATION

WASHINGTON, DC 20555-0001

October 5, 2024

NRC REGULATORY ISSUE SUMMARY 2015-08, REVISION 1 OVERSIGHT OF COUNTERFEIT, FRAUDULENT, AND SUSPECT ITEMS IN THE

NUCLEAR INDUSTRY

Note: On June 24, 2015, the U.S. Nuclear Regulatory Commission issued Regulatory Issue Summary (RIS) 2015-08 (Agencywide Documents Access and Management System Accession No. ML15008A191). Revision 1 of RIS 2015-08 references the definition of counterfeit, fraudulent, and suspect items included in Regulatory Guide (RG) 1.234, Revision 1, Evaluating Deviations and Reporting Defects and Noncompliance Under 10 CFR Part 21 (ML24038A311).

This revision also updates other references to the most updated revisions.

ADDRESSEES

All U.S. Nuclear Regulatory Commission (NRC) licensees and certificate holders, Agreement State radiation control program directors, and State Liaison Officers.

All contractors and vendors that supply bas ic components to NRC licensees. All vendors and suppliers of safety-related components and digital assets associated with Title 10 of the Code of Federal Regulations (10 CFR) 73.54, Protection of digital computer and communication systems and networks.

INTENT

The NRC is issuing this regulatory issue summary (RIS) to heighten awareness of the existing NRC regulations and how they apply to counterfei t, fraudulent, and suspect items (CFSI) within the scope of the NRCs regulatory jurisdiction.

Addressees

are expected to review this information and consider actions, as appropriate, to prevent CFSI from entering their supply chains; prevent possible installation or use of CFSI at their facilities; and raise awareness of the potential for CFSI to be used in the manufacture, maintenance, or repair of items, including sealed sources and devices (SSDs). The NRC is providing this RIS to the Agreement States for their information and for distribution to their licensees, as appropriate. Additionally, addressees may consider sharing this RIS with their contractors and suppliers, as appropriate. This RIS

requires no specific action or written response on the part of an addressee. This RIS does not transmit or imply any new or changed requirements or staff positions.

ML24184B841 RIS 2015-08, Rev. 1

BACKGROUND

The NRCs regulations are designed to protect both the public and workers from radiation hazards resulting from regulated activities. Regulated entities are responsible for the safety and security of radioactive materials, subject to the NRCs oversight programs. NRC oversight programs are designed to ensure compliance with the agencys requirements, in part, through inspection, enforcement, and, when warranted, investigations. Any organization or individual that provides counterfeit or fraudulent material to an NRC-regulated entity in violation of the agencys requirements may be subject to inspection, investigation, enforcement, and possible criminal prosecution. An addressees actions follow ing discovery of an issue that is likely of a counterfeit or fraudulent nature may impact the NRC staffs ability to perform inspection or investigation activities. Additionally, licensees or applicants that have identified a counterfeit or fraud-related condition must ensure continued compliance with NRC regulations regarding completeness and accuracy of information.

Over the past three decades, the NRC has issued multiple generic communications to inform stakeholders of counterfeit or misrepresented products and services.

On March 21, 1989, the NRC staff issued Generic Letter (GL) 89-02, Actions to Improve the Detection of Counterfeit and Fraudulently Marketed Products (ML031140060). GL 89-02 informed licensees of effective program elem ents for detecting counterfeit or fraudulently marketed products and for ensuring the quality of vendor-supplied products. The GL also identified Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, to 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities; Regulatory Guide (RG) 1.28, Revision 6, Quality Assurance Program Criteria (Design and Construction) (ML23177A002); and RG 1.33, Revision 3, Quality Assurance Program Requirements (Operation) (ML13109A458), as containing appropriate discussions on procurement quality assurance controls. GL 89-02 described three characteristics of effective procurement and dedication programs that reduce the likelihood of the introduction of counterfeit or fraudulent products into their plants:

(1) the involvement of engineering staff in the procurement and product acceptance processes

(2) effective source inspection, receipt inspection, and testing programs

(3) thorough engineering-based programs for review, testing, and dedication of commercial-grade products for suitability for use in safety-related applications

On April 9, 1991, the NRC staff issued GL 91-05, Licensee Commercial-Grade Procurement and Dedication Programs (ML031140508), to communicate staff positions regarding certain aspects of licensee commercial-grade procurem ent and dedication programs that would provide acceptable methods for meeting regulatory requirements.

The NRC staff has previously considered introdu cing regulatory language to specifically address counterfeit and fraudulent items, but withdrew the advance notice of proposed rulemaking, citing that the staff believes that problems identified with respect to the quality of items dedicated for use in safety-related applications are adequately addressed by the requirements of Appendix B

RIS 2015-08, Rev. 1 to 10 CFR Part 50 and, for the most part, are problems of compliance, rather than of inadequate rules.1

Since 2008, the staff has issued three information notices (INs) related to CFSI. IN 2008-04, Counterfeit Parts Supplied to Nuclear Power Plants, dated April 7, 2008 (ML093620098), was issued to inform addressees of the potential for counterfeit parts to enter their supply chains.

IN 2013-02, Issues Potentially Affecting Nuclear Facility Fire Safety, dated March 19, 2013 (ML122840031), draws attention to reports of counterfeit fire protection equipment that had been issued by the U.S. Defense Logistics Agency Headquarters and Underwriters Laboratories, Inc. IN 2013-15, Willful Misconduct/Record Falsification and Nuclear Safety Culture, dated August 23, 2013 (ML13142A437), describes a vendors criminal actions to destroy serial numbers in an attempt to conceal a components origin before it was installed in a U.S. nuclear plant.

In the past, the NRCs generic communications regarding CFSI focused on nuclear power plants. However, awareness of and vigilance regarding CFSI has increased and expanded to affect all NRC-regulated activities and other nuclear industry stakeholders. These include fuel cycle facilities; basic component manufacturers and suppliers; supply-chain distributors, users, and entities that are specifically licensed to provide maintenance, repair, and other services for devices or sources containing byproduct materials, and manufacturers of SSDs; medical, industrial, and academic applications of nuclear materials; entities involved in the transportation, storage, and disposal of nuclear materials and waste; and the decommissioning of nuclear facilities.

It is also important to note that the Commissions Safety Culture Policy Statement (SCPS)

applies to all NRC licensees and certificate holder s, applicants for NRC licensees, certificates, permits and authorizations, as well as vendors, suppliers, and others involved in agency-regulated activities. A positive safety culture includes attributes such as maintaining an environment for raising concerns, adopting a quest ioning attitude, practicing effective problem identification and resolution, engaging in effective safety communications, and supporting continuous learning. A positive safety culture may also promote a vigilant workforce with respect to identifying and dispositioning CFSI. Additional information about the NRCs SCPS, including copies of NUREG/BR-0500, Revision 4, Safet y Culture Policy Statement, issued May 2018, can be found on the NRCs Safety Culture webpage, http://www.nrc.gov/about-nrc/safety- culture.html.

Regarding CFSI, all workers in the nuclear industry or members of the general public have the option to report nuclear safety concerns directly to the NRC through the agencys Allegation Program by contacting any NRC employee, including a resident inspector, or calling the agencys toll free safety hotline at 1-800-695-7403 (see NUREG/BR-0240, Revision 8, Reporting Safety Concerns to the NRC, issued August 2017 (ML17208A272), and the NRCs Allegations webpage, https://www.nrc.gov/about-nrc/regulatory/allegations-resp.html .

SUMMARY OF ISSUE

The increasing prevalence of CFSI in other industries may present challenges to the nuclear industrys supply chain. Although supply chains for other industrial sectors may be substantially

1 SECY-94-0277, Withdrawal of Advance Notice of Proposed Rulemaking, Acceptance of Products Purchased for Use in Nuclear Power Plant Structures, Systems, and Components, dated November 14, 1994 (ML14268A013)

RIS 2015-08, Rev. 1 affected by CFSI events, it is the NRCs position that adherence to existing NRC regulations provides adequate protection of public health and safety. As new occurrences and methods of counterfeit and fraudulent activity increase in other industrial sectors, it is in the nuclear industrys interest to evaluate its approach in this area. This RIS describes the NRCs regulatory framework relevant to CFSI.

This RIS is divided into discussions of CFSI as it applies to three general areas of the nuclear industry: nuclear reactors, nuclear materials, and radioactive waste. Each section includes a description and a discussion of NRC regulat ions that directly apply to CFSI.

NUCLEAR REACTORS

Nuclear reactors include power reactors and non-power production and utilization facilities (NPUFs).

The NRC relies on quality assurance programs to pr ovide confidence that applicable structures, systems, and components (SSCs) will perform their specified safety function(s) as described in the licensees updated final safety analysis reports (UFSARs). Each power reactor licensee has and maintains an NRC-approved quality assurance program. Reductions in commitments within these programs cannot be made without prior NRC staff approval. NPUFs generally have quality program requirements stated in their te chnical specifications. Regulations, licenses, regulatory guidance (e.g., regulatory guides and generic communications), and industry standards describe requirements and acceptable approaches to establish and maintain quality assurance programs. In addition, regulations and licenses require licensees to formally report a broad range of conditions that challenged or could have challenged the ability of equipment to perform specified safety functions.

CFSI can result in noncompliance with regulatory requirements. While potentially malicious code embedded in the software of digital electronic components does not constitute a new failure mode for these devices, this form of tampering (embedded software coding) is unique to digital electronic devices, where it can prevent a device from performing its intended safety function or cause other safety-related components to fail to perform their intended safety function(s). However, neither industry nor the NRC has identified a new or unique failure mode associated with a counterfeit or fraudulent item that could not be reasonably identified or eliminated by an effective NRC-approved qualit y assurance program. Thus, adherence to effective quality assurance programs should be effective in addressing CFSI for digital hardware. When embedded code is inserted in hardwar e, additional risks to safety and security may arise. Appendix C, Operational and Management Security Controls, to RG 5.71, Cyber Security Programs for Nuclear Facilities, issued February 2023 (ML22258A204), specifically Section C.3.3, Malicious Code Protection; Section C.3.7, Software, Firmware, and Information Integrity; and Section C.12, System and Service Acquisition, address malicious code controls and provide guidance for acceptable methods for meeting the requirements of 10 CFR 73.54.

Thus, cybersecurity programs can also be e ffective in addressing CFSI for embedded code inserted in hardware.

Power Reactors

The NRC provides oversight of power reactor lic ensee activities through the Reactor Oversight Process, which includes performance indicators, inspections, and assessment of licensee performance. Inspection activities provide a risk-informed, performance-based approach to RIS 2015-08, Rev. 1 monitoring overall plant performanceof which quality assurance is a key aspect. Enforcement measures are used to address noncompliance wi th regulatory requirements when necessary.

Nuclear power plants contain SSCs referred to as safety related because they function to prevent and mitigate the consequences of postulated accidents. Although not described as safety related, other SSCs may have functions that are important to safety. NRC-approved quality assurance programs describe the specific application of Appendix B to 10 CFR Part 50,

or simply Appendix B, to safety-related SSCs. All Appendix B criteria apply to safety-related SSCs. For equipment that is important to safety, licensees may apply a subset of Appendix B

criteria. It is important to note that while Appendix B sets forth the general requirements of quality assurance programs, licensee commitments concerning quality assurance are maintained in each licensees licensing basis documentation, which includes the NRC-approved quality assurance program that is controlled pursuant to 10 CFR 50.54, Conditions of licenses.

Appendix B serves as the foundation for NRC requirements in the area of quality assurance for nuclear reactor licensees. The 18 criteria of Appendix B provide standards that are intended to provide confidence that safety-related SSCs will perform their specified functions as described in the UFSAR. The 18 criteria of Appendix B describe regulatory requirements in six broad areas directly applicable to the area of CFSI: (1) design control, (2) procurement document control, (3) control of purchased material, equipment, and services, (4) identification and control of material, parts, and components, (5) disposition of nonconforming materials, parts, or components, and (6) corrective action and program effectiveness reviews.

NRC licensees and applicants may not be in a position to immediately determine whether a suspect item is counterfeit or fraudulent; it is more likely that either a deviation from a procurement specification or a component failure is all that will be evident. Criterion XVI,

Corrective Action, in Appendix B states that licensees must take corrective actions for conditions adverse to quality and perform root c ause evaluations for significant conditions adverse to quality. Licensees are responsible for classifying conditions adverse to quality in terms of their significance. Throughout that proce ss licensees may consider that, while certain suspect components may not in and of themselves present a significant impact on plant safety, the fact that a vendor has provided suspect components to a nuclear plant may warrant an extent of condition review to ensure that components with a higher safety significance are not similarly affected.

The NRC requires that power reactor licensees a nd applicants periodically evaluate their quality assurance programs through audits and program reviews to ensure adequacy and effectiveness. Criterion II, Quality Assurance Program, states that regular reviews of the status and adequacy of quality assurance programs shall be performed, and Criterion XVIII, Audits, states that periodic audits of quality assurance programs shall be carried out. Industry guidance, to which some licensees have committed within their quality assurance programs, suggests that recent industry experience should be used to inform the processes for conducting both internal and external audits. As more industry experience concerning a specific condition adverse to quality becomes available (e.g., CFSI), it is in industrys interest to incorporate the insights from that experience within their program reviews.

Several Appendix B criteria provide assurances that quality is maintained during material procurement processes. For example, Criterion IV , Procurement Document Control, states in part that requirements which are necessary to assure adequate quality are suitably included or referenced in the documents for procurement of material. Implementing guidance for this RIS 2015-08, Rev. 1 criterion provides several considerations that purchasers should explore when developing procurement documents: (1) the component or materials impact to nuclear safety, (2) the components complexity of design and ability to be adequately tested/inspected, and (3) the components quality history. Additionally, GL 89-02, Actions to Improve the Detection of Counterfeit and Fraudulently Marked Products, de scribes three characteristics of effective procurement programs, one of which is the involv ement of engineering staff in the procurement process. For example, the engineering staff can help establish the importance of the procured item to nuclear safety and an effective acceptance process.

Criteria VII, VIII, X, and XIV (Control of Purchased Material, Equipment, and Services;

Identification and Control of Materials, Parts, and Components; Inspection; and Inspection, Test, and Operating Status, respectively) all deal with the procurement process. The general process consists of licensees and applicants establishing measures to ensure that material is appropriately purchased from suppliers that are selected on the basis of objective evidence of the quality of the product or service they provide; that those products and services conform to the applicable procurement specification; and that the material is properly inspected on receipt and marked so that the level of inspection is evident to potential users. NRC RG 1.33 endorses American National Standards Institute (ANSI) and American Nuclear Society (ANS) standard ANSI/ANS 3.2-2012, Managerial, administrative, and quality assurance controls for the operational phase of nuclear power plants, which provides guidance for control of purchased material that is applicable to the CFSI issue. ANSI/ANS 3.2-2012 states the following:

A procedure (or procedures) shall be implemented to aid in the identification of counterfeit and fraudulently marketed products. As a minimum, a procedure (or procedures) should include selective inspections and testing of products to verify compliance with procurement requirements when products are suspect.

It should be noted that endorsement of ANSI/ANS 3.2-2012 by RG 1.33 is guidance and not a requirement to adopt ANSI/ANS 3.2-2012.

Criterion XV, Nonconforming Materials, Parts, or Components, requires that nonconforming items be controlled to prevent their inadvertent use or installation. These controls should include marking, segregation, dispositioning of the item, and notification of affected organizations.

Criterion XV serves many purposes in terms of CFSI, including marking and separating suspect material from quality material to ensure that the suspect material is not used, and documentation and notification measures that could be useful in the case of a formal investigation. American Society of Mechanical Engineers (ASME) NQA-1-2017, ASME NQA-1-

2019, and ASME NQA-1-2022, Quality Assurance Requirements for Nuclear Facility Applicationsapproved for use by RG 1.28 in September 2023provide additional acceptable approaches for this area. Notification of affected organizations may feed recent experience into corrective action programs, which could be used to improve the procurement process or inform quality assurance program reviews and audits.

The NRC provides several mechanisms for licensees to provide information to the agency, and since reports to the agency are generally publicly available, this information is available for dissemination to industry and other stakeholders. Regulations governing reporting, notably

10 CFR 50.72, Immediate notification requirements for operating nuclear power reactors;

10 CFR 50.73, Licensee event report system; and 10 CFR Part 21, Reporting of Defects and Noncompliance, establish criteria for reporting ev ents or significant issues to the NRC within a specified amount of time. These reports are typi cally focused on events or conditions that have RIS 2015-08, Rev. 1 a certain level of safety significance regardless of the specific causal factors. In general, it is the effect of the condition on plant safety that drives the determination of reportability and corrective action warranted by licensees. Causal factors for an event or condition could include CFSI. In most cases, a CFSI event would not be reportable to the NRC on its own merits; the exceptions being events that satisfy the requirements of 10 CFR Part 21 and 10 CFR 50.9, Completeness and accuracy of information.

Regulations in 10 CFR Part 21 establish requirements for reporting defects and noncompliances. As they pertain to 10 CFR Part 21, counterfeit and fraudulent items are departures from technical requirements in applic able procurement documents; therefore, they are deviations that must be evaluated to determi ne whether they create a substantial safety hazard.2 Items that are suspected of being counterfeit and fraudulent represent deviations only if the suspected condition results in a departure from a technical requirement that is sufficiently specified in the procurement document. If a suspected counterfeit or fraudulent condition is determined to represent a deviation, then the condition must be evaluated to determine whether it creates a substantial safety hazard. If it is determined that a deviation results in a substantial safety hazard, then the condition must be reported to the NRC. The NRC describes this position, along with its updated CFSI definition, in RG 1.234, Revision 1, Evaluating Deviations and Reporting Defects and Noncompliance Under 10 CFR Part 21, issued March 2024 (ML24038A311).

Regulations in 10 CFR 50.9(b) require a licensee to notify the NRC of information that the licensee has identified as having a significant im plication for public health and safety or the common defense and security. It is useful to note that, for a violation of 10 CFR 50.9 to occur, the licensee must recognize the significance of t he information and fail to report it to the NRC. In the final rule for 10 CFR 50.9 published in the Federal Register (52 FR 49362, December

31, 1987), the NRC stated the following:

What is expected is a professional attitude toward safety throughout a licensees or applicants organization such that if a person identifies some potential safety information, the information will be freely provided to the appropriate company officials to determine its safety significance and reportability to the Commission.

To date, most CFSI-related events have not risen to the safety thresholds established by

10 CFR Part 21 and 10 CFR 50.9. Nonetheless, licensees, applicants, and vendors may submit voluntary reports to communicate significant devi ations from procurement specifications with potentially generic implications, as in most ca ses, safety significance must be determined on a plant-specific basis. Section 2.7, Voluntary Reporting, of NUREG-1022, Revision 3, Event Report Guidelines 10 CFR 50.72 and 50.73, issued January 2013 (ML13032A220), contains guidance on how to make voluntary reports. This guidance encourages the use of the licensee event report because this format provides the information needed to support NRC review of the event and facilitates administrative processing, including data entry.

Regulations in 10 CFR 73.54 apply to CFSI because each licensee is required to provide high assurance that digital computer and communication systems and networks are adequately protected against cyberattacks. RG 5.71 discusses an acceptable approach for supply chain

2 In 10 CFR 21.3, Definitions, Substantial safety hazard means a loss of safety function to the extent that there is a major reduction in the degree of protection provided to public health and safety for any facility or activity licensed or otherwise approved or regulated by the NRC, other than for export, under parts 30, 40,

50, 52, 60, 61, 63, 70, 71, or 72 of this chapter.

RIS 2015-08, Rev. 1 protection measures to maintain the integrity of digital assets acquired by licensees. Criteria listed in the RG are directly applicable to prevent or detect the introduction of CFSI into the cybersecurity supply chain.

Non-Power Production and Utilization Facilities

The NRC provides guidance to Non-Power Prod uction and Utilization Facilities, including research and test reactors (RTRs), in RG 2.5, Revision 1, Quality Assurance Program Requirements for Research and Test Reactors, issued June 2010 (ML093520099). RG 2.5 endorses ANSI/ANS-15.8-1995 (reaffirmed in S eptember 2005), Quality assurance program requirements for research reactors. Although the guidance in ANSI/ANS-15.8-1995 is not as detailed as the guidance found in this RIS for power reactors, NPUFs may still find the information in this standard useful for handling CFSI.

NUCLEAR MATERIALS

Nuclear materials include uses of nuclear materials in medical, industrial, and academic settings and facilities that produce nuclear fuel.

Regulations in 10 CFR 21.21, Notification of failure to comply or existence of a defect and its evaluation, contain the requirements for eval uating and reporting deviations and failures to comply associated with substantial safety hazar ds. Counterfeit and fraudulent items installed as basic components in nuclear facilities or used as basic components in activities regulated by the NRC (i.e., nuclear material used in medical, industrial, and academic settings) could create a substantial safety hazard by not performing their intended safety function when needed. In accordance with 10 CFR Part 21, the licensee would be required to report a defective basic component (i.e., the counterfeit or fraudulent part) if an evaluation determines that the deviation could create a substantial safety hazard.

Sealed Sources and Devices

Regulations in 10 CFR Part 32, Specific Domestic Licenses to Manufacturer or Transfer Certain Items Containing Byproduct Material, contain requirements for manufacturers or initial distributors of sealed sources or devices ( SSDs) containing sealed sources. The NRC reviews the design and construction of SSDs containing byproduct material to make a determination that the product meets quality and safety standards required by 10 CFR 32.210, Registration of product information, for acceptability for licensing purposes. The registration, as conducted by the NRC, consists of issuance of a registration ce rtificate that (1) confirms that the SSD design meets the regulatory requirements of 10 CFR 32.210 and (2) lists the provisions of use for the product. As stated in NRC SSD registration certificates, holders of those certificates must adhere to the commitments made in their applications for SSDs. As part of a request for the registration of a sealed source or a device, an applicant for a registration certificate must include sufficient information about its quality control program to provide reasonable assurance that the radiation safety properties for the source or device will be maintained as designed and registered to protect health and minimize danger to life and property during the manufacturing process. Certificate holders should remain vigilant and maintain effective quality assurance programs to reduce the potential for introduction of fraudulently misrepresented parts into their supply chains.

RIS 2015-08, Rev. 1 As a reminder to users of SSDs licensed under 10 CFR 30.32, Application for specific licenses, only those entities that are specifically licensed by the NRC or an Agreement State by license condition may provide maintenance, repair , and other services for devices or sources containing byproduct material. No changes can be made to devices or sources containing byproduct material that would affect the commitments made in the SSD registration without the prior approval of the proper regulatory authority.

Fuel Cycle Facilities

Fuel cycle facilities (FCFs) include conversion and deconversion facilities subject to

10 CFR Part 40, Domestic Licensing of Source Material, and enrichment and fuel-fabrication facilities subject to 10 CFR Part 70, Domestic Licensing of Special Nuclear Materials, and

10 CFR Part 76, Certification of Gaseous Diffusion Plants.

Regulations in 10 CFR 70.23, Requirements for the approval of applications, apply to CFSI

because they require the applicant to demonstrate to the Commission that its proposed equipment and facilities are adequate to protect health and minimize danger to life or property.

Measures established by the applicant to satisfy 10 CFR 70.23 may aid in the prevention and detection of counterfeit and fraudulent equipment that could otherwise lead to a failure that could affect public health and safety.

Regulations in 10 CFR 70.39, Specific licenses for the manufacture or initial transfer of calibration or reference sources, contain requirements for calibration of reference sources, including requirements to perform tests on sources containing plutonium. Tests such as these may provide results that call into question the quality of a source and could potentially indicate CFSI.

Quality assurance programs directly apply to the identification and disposition of CFSI. FCFs are subject to quality assurance requirements in 10 CFR 70.62(d); 10 CFR 76.93, Quality assurance; Appendix B to 10 CFR Part 50; and other license conditions made either voluntarily or as a result of an NRC order. Specifically, applicants and licensees for a uranium enrichment and fuel fabrication facility under 10 CFR Part 70 are required to establish and maintain a safety program that demonstrates compliance with 10 CFR 70.61, Performance requirements. The safety program includes management measures that are functions performed by the licensee to provide reasonable assurance that items relied on for safety are available and reliable to perform their functions when needed. Management measures such as maintenance, incident investigations, and other quality assurance elements (including elements such as inspections and tests) can be useful in identifying suspec t items through evaluation of item quality before use, performance during use, and investigation of failures.

Further, FCFs licensed under 10 CFR Parts 40, 70, and 76 implement elements of corrective action programs that may be applied to the identification, assessment, prevention, and resolution of CFSI issues at these facilities. Chapter 11 of NUREG-1520, Revision 2, Standard Review Plan for the Review of a License Application for a Fuel Cycle Facility, issued June

2015, and chapter 15 of NUREG-1718, Standard Review Plan for the Review of an Application for a Mixed Oxide (MOX) Fuel Fabrication Fac ility, issued August 2000, provide guidance to applicants and licensees on the use of corrective actions as part of their management measures and/or quality assurance programs. FCF licensees may voluntarily implement corrective action programs that meet the guidance in RG 3.75, Corrective Action Programs for Fuel Cycle Facilities, issued July 2014 (ML14139A321). RG 3.75 describes the programmatic elements of RIS 2015-08, Rev. 1 a corrective action program for FCFs that the NRC considers acceptable for applying section 2.3.2.a of the NRC Enforcement Policy.

Applicants and licensees for the receipt, possession, and use of source and byproduct material under 10 CFR Part 40 do not have specific requirements related to quality assurance; however, certain facilities have conditions incorporated in their licensing basis to comply with the safety program requirements in 10 CFR Part 70. Certificate holders under 10 CFR Part 76 are required to comply with the quality assurance criteria of ASME NQA-1-1989, Quality Assurance Program Requirements for Nuclear Facilities, which contains elements analogous to the criteria in Appendix B to 10 CFR Part 50. Applicants and licensees for a plutonium processing and fuel fabrication facility under 10 CFR Part 70 are required to comply with the requirements of Appendix B to 10 CFR Part 50 for quality assurance. Activities performed under Appendix B to

10 CFR Part 50 include inspections, tests, procurement document control, and control of purchased material and equipment. These and other elements of Appendix B can provide evidence of potential counterfeit or fraudulent items through identification of poor or reduced quality, increased failure frequency, and inadequate documentation of material sourcing and item manufacture.

Reporting requirements in 10 CFR Parts 30, 40, 70, and 76 may also provide indication of CFSI

by identifying increased failure frequency and inadequate performance of items that may be associated with CFSI in the supply chain. FCF applicants, licensees, and certificate holders should remain aware of the correlation between existing regulatory requirements and opportunities to prevent the introduction of CFSI into, or to aid in the detection and removal of CFSI from, their facilities and activities.

RADIOACTIVE WASTE

Radioactive waste includes transportation, storage, and disposal of nuclear materials and waste; storage and transportation of spent nuclear fuel; and decommissioning of nuclear facilities.

Applicants and licensees for the packaging and transportation of radioactive material are required to establish and maintain programs and procedures that ensure public safety and demonstrate compliance with the regulatory requirements of 10 CFR Part 71, Packaging and Transportation of Radioactive Material. These regulatory requirements include management measures, packaging content, packaging evaluations, quality assurance, and transport conditional requirements.

These applicants and licensees are required to submit information about and maintain a quality assurance program that meets the requirements of Subpart H, Quality Assurance, of

10 CFR Part 71. Subpart H provides measures such as 10 CFR 71.115, Control of purchased material, equipment, and services; 10 CFR 71.117, Identification and control of materials, parts, and components; and 10 CFR 71.131, Nonconforming materials, parts, or components.

These measures are analogous to criteria in Appendix B to 10 CFR Part 50.

Applicants, licensees, and certificate holders for the licensing of the independent storage of spent nuclear fuel, high-level waste, and reactor-related greater-than-Class-C (GTCC) waste are required to establish and maintain programs and procedures to ensure public safety and demonstrate compliance with the regulatory requirements of 10 CFR Part 72, Licensing Requirements for the Independent Storage of Spent Nuclear Fuel, High-Level Radioactive RIS 2015-08, Rev. 1 Waste, and Reactor-Related Greater Than Class C Waste. These regulatory requirements include management measures, requirements, procedures, and criteria for the issuance of licenses to receive, transfer, and possess power-reactor spent fuel, power-reactor-related GTCC waste, and other radioactive materials associated with spent fuel storage in an independent spent fuel storage installation. The regulations in this part also establish requirements, procedures, and criteria for the issuance of certificates of compliance approving spent fuel storage cask designs.

Applicants, licensees, and certificate holders are required to submit information about a quality assurance program that meets the requirements of Subpart G, Quality Assurance, to

10 CFR Part 72. Subpart G includes measures such as those of 10 CFR 72.154, Control of purchased material, equipment, and services; 10 CFR 72.156, Identification and control of materials, parts, and components; and 10 CFR 72.170, Nonconforming materials, parts, or components, which are analogous to criteria in Appendix B to 10 CFR Part 50.

The program elements of 10 CFR Part 71 and 10 CFR Part 72 discussed in this section, in conjunction with 10 CFR Part 21, provide the regulatory framework to prevent the possible use of suspect items. The NRC also inspects lic ensees quality assurance programs to verify compliance.

BACKFITTING AND ISSUE FINALITY DISCUSSION

This RIS discusses NRC regulations relevant to CFSI within the scope of the agencys regulatory jurisdiction.

This RIS does not set forth any new or changed NRC requirement, or new or changed guidance or position on compliance with any existing agency regulatory requirement. The RIS does not require any action by any addressee, nor does this RIS request or suggest that any addressee submit information to the NRC that is not al ready required to be submitted by existing agency requirements (e.g., 10 CFR Part 21). For these reasons, this RIS does not represent backfitting as defined in 10 CFR 50.109(a)(1); 10 CFR 70.76, Backfitting; 10 CFR 72.62, Backfitting; or

10 CFR 76.76, Backfitting, and is not otherwise inconsistent with any issue finality provision in

10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants. Therefore, the NRC did not prepare a backfit analysis for this RIS or further address the issue finality criteria in 10 CFR Part 52.

FEDERAL REGISTER NOTIFICATION

The NRC published a notice of opportunity for public comment on this RIS in the Federal Register (79 FR 59521) on October 2, 2014. The agency received comments from eight commenters. The staff considered all comments, wh ich resulted in minor clarifications to the RIS. The evaluation of these comments and the resulting changes to the RIS are discussed in a publicly available memorandum dated June 9, 2015 (ML15008A192).

CONGRESSIONAL REVIEW ACT

This RIS is not a rule as defined in the Congressional Review Act (5 U.S.C. §§ 801-808).

RIS 2015-08, Rev. 1

RELATED GENERIC COMMUNICATIONS

AND OTHER NRC DOCUMENTS

GL 84-01, NRC Use of the Terms, Important to Safety and Safety Related (Generic Letter 84-01), January 5, 1984 (ML031150515)

GL 89-02, Actions to Improve the Detection of Counterfeit and Fraudulently Marketed Products, March 21, 1989 (ML031140060)

GL 91-05, Licensee Commercial-Grade Procurement and Dedication Programs, April 9, 1991 (ML031140508)

IN 2008-04, Counterfeit Parts Supplied to Nuclear Power Plants, April 7, 2008 (ML093620098)

IN 2013-02, Issues Potentially Affecting Nuclear Facility Fire Safety, March 19, 2013 (ML122840031)

IN 2013-15, Willful Misconduct/Record Falsification and Nuclear Safety Culture, August 23, 2013 (ML13142A437)

NUREG-1022, Revision 3, Event Report Guidelines 10 CFR 50.72 and 50.73, January 2013 (ML13032A220)

NUREG/BR-0240, Revision 6, Reporting Safety Concerns to the NRC, May 2012 (ML12146A003)

RG 1.28, Revision 6, Quality Assurance Program Criteria (Design and Construction),

September 2023 (ML23177A002)

RG 1.33, Revision 3, Quality Assurance Program Requirements (Operation), June 2013 (ML13109A458)

RG 1.164, Revision 1, Dedication of Commercial-Grade Items for Use in Nuclear Power Plants, April 2024 (ML24038A310)

RG 1.234, Revision 1, Evaluating Deviations and Reporting Defects and Noncompliance Under

10 CFR Part 21, March 2024 (ML24038A311)

RG 2.5, Revision 1, Quality Assurance Program Requirements for Research and Test Reactors, June 2010 (ML093520099)

RG 3.75, Revision 0, Corrective Action Programs for Fuel Cycle Facilities, July 2014 (ML14139A321)

SECY-94-277, Withdrawal of Advance Notice of Proposed Rulemaking, Acceptance of Products Purchased for Use in Nuclear Power Plant Structures, Systems, and Components, November 14, 1994 (ML14268A013)

RIS 2015-08, Rev. 1

PAPERWORK REDUCTION ACT STATEMENT

This RIS does not contain new or amended informat ion collection requirements that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). Existing requirements were approved by the Office of Management and Budget (OMB), approval numbers 3150-0035,

3150-0017, 3150-0001, 3150-0020, 3150-0011, 3150-0009, 3150-0008, 3150-0132, 3150-0104, and 3150-0002.

Note: NRC generic communications may be found on the NRC public website, http://www.nrc.gov, under NRC Library/Document Collections.

PUBLIC PROTECTION NOTIFICATION

The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the document requesting or requiring the collection displays a currently valid OMB control number.

CONTACT

Please direct any questions about this matter to the technical contacts listed below.

/RA/ /RA/

Kevin Williams, Director, Division of Materials Russell Felts, Director Safety, Security, State, and Tribal Programs Division of Reactor Oversight Office of Nuclear Material Safety and Safeguards Office of Nuclear Reactor Regulation

Technical Contacts: Deanna Zhang, NRR/DRO/IQVB

(301) 415-1946 E-mail: Deanna.Zhang@nrc.gov

Frankie Vega, NRR/DRO/IQVB

(301) 415-1617 E-mail: Frankie.Vega@nrc.gov

Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under NRC Library/Document Collections

ML24184B841 EPID:L-2024-GEN-0003 OFFICE NRR/DRO/IQVB NRR/DRO/IQVB NRR/DRO/IQVB QTE* NMSS/DFM

NAME FVega DZhang KKavanagh JDougherty CRoman DATE 7/3/2024 7/8/2024 7/3/2024 7/12/2024 7/18/2024 OFFICE NSIR OI OE OGC NRR/DRO/IOEB

NAME RLagios CRios-Collazo JCai NMertz LRegner DATE 7/18/2024 7/12/2024 7/18/2024 9/19/2024 8/2/2024 OFFICE NRR/DRO/IOEB OCIO NRR/DRO NMSS/MSST NRR/DRO

NAME PClark DCullison IBetts KWilliams RFelts DSilberfeld for DATE 8/1/2024 8/20/2024 7/31/2024 9/27/2024 10/5/2024