ML22040A058

OIG-22-A-06-Audit of the Nuclear Regulatory Commission's Oversight of Counterfeit, Fraudulent, and Suspect Items at Nuclear Power Reactors Dated February 9, 2022
Person / Time
Issue date: 02/09/2022
From: Rivera E
NRC/OIG/AIGA
To: Dan Dorman
NRC/EDO
References
OIG-22-A-06

Audit of the Nuclear Regulatory Commission's Oversight of Counterfeit, Fraudulent, and Suspect Items at Nuclear Power Reactors

OIG-22-A-06

February 9, 2022

All publicly available OIG reports, including this report, are accessible through the NRC's website at:

http://www.nrc.gov/reading-rm/doc-collections/insp-gen

MEMORANDUM

DATE: February 9, 2022

TO: Daniel H. Dorman, Executive Director for Operations

FROM: Eric Rivera /RA/, Acting Assistant Inspector General for Audits

SUBJECT: AUDIT OF THE NUCLEAR REGULATORY COMMISSION'S OVERSIGHT OF COUNTERFEIT, FRAUDULENT, AND SUSPECT ITEMS AT NUCLEAR POWER REACTORS (OIG-22-A-06)

Attached is the Office of the Inspector General's (OIG) audit report titled Audit of the Nuclear Regulatory Commission's Oversight of Counterfeit, Fraudulent, and Suspect Items at Nuclear Power Reactors.

The report presents the results of the subject audit. Following the January 18, 2022, exit conference, NRC staff indicated that they had no formal comments for inclusion in this report.

Please provide information on actions taken or planned on each of the recommendation(s) within 30 days of the date of this memorandum.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at (301) 415-5915 or Paul Rades, Team Leader, at (301) 415-6228.

Attachment: As stated

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930

Results in Brief

Audit of the Nuclear Regulatory Commission's Oversight of Counterfeit, Fraudulent, and Suspect Items at Nuclear Power Reactors

OIG-22-A-06

February 9, 2022

What We Found

The NRC should improve its oversight of counterfeit, fraudulent, and suspect items (CFSI) by clarifying and communicating how the agency collects, assesses, and disseminates information regarding CFSI, and by improving staff awareness of CFSI and its applicability to reactor inspections.

This occurs because the NRC does not have specific guidance clarifying office roles and responsibilities. The NRC also does not have specific guidance in inspection procedures on how to identify potential CFSI and does not require CFSI-related qualification or training, which has contributed to the staff's varying awareness of CFSI.

What We Recommend

The report contains recommendations to (1) develop processes and guidance to collect, process, and disseminate CFSI information; (2) communicate those processes; (3) develop an agencywide approach for CFSI and identify the agency's primary objective regarding mitigation of CFSI; (4) define CFSI; (5) include a CFSI category in the Allegation Management System; (6) develop inspection guidance in inspection procedures; (7) develop CFSI training; and (8) develop a knowledge management and succession plan.

Why We Did This Review

The U.S. Nuclear Regulatory Commission (NRC) requires nuclear power plants to use products and services exhibiting the highest quality in agency-regulated activities.

Vendors, suppliers, and nuclear power plants must verify the quality of items destined for safety-related functions in NRC-regulated activities. Verification includes inspections of an item's critical physical characteristics and performance testing to provide reasonable assurance that parts will perform their intended safety functions.

The audit objective was to assess whether the NRC's oversight activities reasonably assure nuclear power reactor licensees' programs are adequately positioned to mitigate the risk of counterfeit, fraudulent, and suspect items in operating reactors, those under construction, and those completed but not yet online.

Concurrently with this audit, OIG investigators conducted a special inquiry in response to information from allegers with three primary areas of concern: CFSI are present in most, if not all, U.S. nuclear power plants; the NRC has lowered the oversight standards for CFSI; and, the NRC failed to address CFSI allegations.

This special inquiry examined the adequacy of the NRC's oversight of CFSI in U.S. operating nuclear power plants and addressed the allegations.

TABLE OF CONTENTS

ABBREVIATIONS AND ACRONYMS
I. BACKGROUND
II. OBJECTIVE
III. FINDINGS
  A. The NRC's CFSI Process Needs Clarification
  B. NRC Staff Awareness of CFSI Varies Across the Agency
IV. CONSOLIDATED LIST OF RECOMMENDATIONS
V. NRC COMMENTS

APPENDIX
A. OBJECTIVE, SCOPE, AND METHODOLOGY

TO REPORT FRAUD, WASTE, OR ABUSE
COMMENTS AND SUGGESTIONS

ABBREVIATIONS AND ACRONYMS

AMS: Allegation Management System
CFR: Code of Federal Regulations
CFSI: counterfeit, fraudulent, and suspect items
CGD: commercial-grade dedication
EPRI: Electric Power Research Institute
GAO: U.S. Government Accountability Office
INPO: Institute of Nuclear Power Operations
IQVB: Quality Assurance and Vendor Inspection Branch
NRC: U.S. Nuclear Regulatory Commission
NUPIC: Nuclear Procurement Issues Corporation
OI: Office of Investigations
OIG: Office of the Inspector General
ROE: Reactor Operating Experience
RPS: Reactor Program System
TRG: Technical Review Group

I. BACKGROUND

Counterfeit, Fraudulent, and Suspect Items

The U.S. Nuclear Regulatory Commission (NRC) requires nuclear power plants to use products and services exhibiting the highest quality in agency-regulated activities. Vendors, suppliers, and nuclear power plants must verify the quality of items destined for safety-related functions in NRC-regulated activities. Verification includes inspections of an item's critical physical characteristics and performance testing to provide reasonable assurance that parts will perform their intended safety functions.

According to the Electric Power Research Institute (EPRI), counterfeit, fraudulent, and suspect items (CFSI) mean the following:

  • Counterfeit items are intentionally manufactured or altered to imitate a legitimate product without the legal right to do so. A counterfeit item is one that has been fabricated in imitation of something else with the purpose to defraud by passing the false copy for genuine or original, or is an item copied without the legal right or authority to do so;
  • Fraudulent items are intentionally misrepresented with intent to deceive; Fraudulent items include items provided with incorrect identification or falsified or inaccurate certification; and,
  • Suspect items are suspected of being counterfeit or fraudulent, but have not been verified as counterfeit or fraudulent.

Based on publicly available information, the number of potential CFSI cases appears to be small, particularly in the U.S. Third party organizations, such as the EPRI, the Institute of Nuclear Power Operations (INPO), and the Nuclear Procurement Issues Corporation (NUPIC), reported less than 10 potential CFSI cases since 2016. The CFSI population could be greater, but the OIG does not have sufficient data to make a statistically valid projection. Specifically, licensees are not required to report defective items, to include CFSI, unless the items in question substantially impact safety. The OIG continues to monitor this area.

NRC Regulations Applicable to CFSI

Title 10 Code of Federal Regulations (10 CFR) Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, establishes quality assurance requirements for the design, manufacture, construction, and operation of structures, systems, and components that prevent or mitigate the consequences of accidents that could cause undue risk to the health and safety of the public.[1] 10 CFR Part 21, Reporting of Defects and Noncompliance, establishes requirements for firms constructing, owning, operating, or supplying components to licensed facilities to immediately notify the NRC of defects that could create a substantial safety hazard. As noted above, licensees are not required to report defective items, to include CFSI, unless the items in question substantially impact safety.

In 2010 and 2011, the OIG published audit reports[2] with recommendations specifically addressing reporting defective items in accordance with 10 CFR Part 21. To meet the OIG's recommendations, a 10 CFR Part 21 rulemaking was proposed by agency staff to clarify reporting requirements; however, staff terminated the Part 21 rulemaking under the Commission's direction in April 2016. Nevertheless, in April 2018, agency staff issued Regulatory Guide 1.234, Evaluating Deviations and Reporting Defects and Noncompliance Under 10 CFR Part 21, to aid in minimizing compliance challenges, and meeting the intent of the OIG's recommendations.

Additionally, 10 CFR 50.55, Conditions of Construction Permits, Early Site Permits, Combined Licenses, and Manufacturing Licenses, requires similar reporting of defects.

Commercial-Grade Dedication

Commercial-grade dedication (CGD) is a process by which a commercial-grade item is designated for use as a basic component.[3] Licensees use this acceptance process to provide reasonable assurance that a commercial-grade item, designated for use as a basic component, will perform its intended safety function. In addition, the acceptance process is equivalent to an item designed and manufactured under a 10 CFR Part 50, Appendix B, Quality Assurance Program. This assurance is provided by the purchaser or third-party dedicating entity identifying the critical characteristics of the item and verifying its acceptability by inspections, tests, or analyses.

[1] The requirements of 10 CFR Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, apply to all activities affecting the safety-related functions of those structures, systems, and components including designing, purchasing, fabricating, erecting, installing, inspecting, testing, operating, maintaining, repairing, and modifying.

[2] In 2010, the OIG conducted an audit of the NRC's vendor inspection program, and published OIG-10-A-20, Audit of NRC's Vendor Inspection Program. Additionally, the OIG audited the NRC's implementation of 10 CFR Part 21, Reporting of Defects and Noncompliance, and published OIG-11-A-08, Audit of NRC's Implementation of 10 CFR Part 21, Reporting of Defects and Noncompliance.

[3] Basic component means a structure, system, component, or part.

The NRC's Vendor Inspection Program

The vendor inspection program verifies that reactor applicants and licensees are fulfilling their regulatory obligations with respect to providing effective oversight of the supply chain. It accomplishes this through activities, including:

  • performing vendor inspections that will verify the effective implementation of the vendor's quality assurance program;
  • establishing a strategy for vendor identification and selection criteria; and,
  • ensuring vendor inspectors obtain necessary knowledge and skills to perform inspections.

Licensee Receipt Inspections

Licensees inspect parts upon receipt to ensure the parts match their respective purchase orders. To identify potential CFSI, licensees examine parts documentation for correction fluid, proper signatures, copies, changed dates, different fonts, part numbers, correct country of origin, and labels on top of labels. Licensees also examine parts for workmanship quality, original packaging, serial numbers, logos, and other manufacturing information. They also examine parts for suspicious features, such as extra packaging tape, surfaces that have been re-painted, weld repairs, or other suspect markings. When licensees identify suspect items, they put the items into holding for resolution with the manufacturer and generate corrective action reports.[4] Licensees communicate with each other about problems with parts through third party organizations, such as the EPRI and the INPO.

Third Party Organizations - Nuclear Industry Groups

Quality assurance programs, which include receipt inspections and CGD programs, are licensees' first line of defense against the intrusion of CFSI into their supply chains. The NRC requires power reactor licensees and applicants to periodically evaluate these programs through audits and program reviews to ensure their adequacy and effectiveness.

Licensees accomplish these activities, in part, through membership in organizations such as the NUPIC and the INPO.[5]

[4] NRC inspectors follow up on corrective actions through problem identification and resolution inspections, which are conducted biennially and on a sampling basis. Inspectors preparing for problem identification and resolution inspections spend time reviewing prior inspection findings and violations.

NRC Organizations Responsible for CFSI

The NRC's Office of Nuclear Reactor Regulation, Division of Reactor Oversight, is responsible for reviewing quality assurance programs for operating power reactor licensees, vendors, applicants, and entities holding construction licenses. This division also verifies implementation of CGD programs, systems for reporting defects under 10 CFR Part 21, and processes to prevent use of counterfeit and fraudulent items. The Quality Assurance and Vendor Inspection Branch (IQVB) within the Division of Reactor Oversight is responsible for the CFSI Technical Review Group (TRG).[6]

Sources of CFSI Information

External information regarding CFSI can come from multiple sources, see figure 1.

Figure 1. External Sources of CFSI Information.

Source: OIG generated.

[5] The NUPIC, a non-profit corporation with about 250 members including all NRC reactor licensees, conducts audits every 3 years, of utilities and their vendors. During audits, NUPIC inspectors check processes for CFSI and provide some CFSI training for its members. Similarly, the INPO conducts detailed evaluations of nuclear power plants' operations, processes, and procedures. The NRC conducts direct observation of the NUPIC's audits through Inspection Procedure 43005, NRC Oversight of Third-Party Organizations Implementing Quality Assurance Requirements.

[6] The CFSI TRG performs periodic searches related to operating experience data streams, including licensee event reports, inspection findings, international reports, operating experience communications and 10 CFR Part 21 and 10 CFR 50.55(e) notifications for potential CFSI.

II. OBJECTIVE

The audit objective was to assess whether the NRC's oversight activities reasonably assure nuclear power reactor licensees' programs are adequately positioned to mitigate the risk of counterfeit, fraudulent, and suspect items in operating reactors, those under construction, and those completed but not yet online.

III. FINDINGS

The NRC should improve its oversight of CFSI by clarifying and communicating how the agency collects, assesses, and disseminates information regarding CFSI, and by improving staff awareness of CFSI and its applicability to inspections.

A. The NRC's CFSI Process Needs Clarification

The NRC should create and then communicate its CFSI process to all staff with responsibilities related to CFSI. The NRC lacks a process for collecting, assessing, and disseminating information about potential CFSI. This occurs because the NRC lacks a coherent agencywide approach for CFSI including defining CFSI, the agency's role in mitigating CFSI, and specific guidance clarifying offices' roles and responsibilities for CFSI. As a result, the NRC's position regarding CFSI may not be readily understood by staff, and there is an increased risk that CFSI could go undetected.

What Is Required

Create and Communicate CFSI Process

Federal standards require agencies to collect and communicate quality information to staff and external stakeholders. The U.S. Government Accountability Office, Standards for Internal Control in the Federal Government,[7] (GAO Green Book) states management should internally and externally communicate the necessary quality information to achieve the entity's objective. Therefore, agency managers are responsible for clarifying and communicating their CFSI process for collecting, assessing, and disseminating information internally and externally. Agency staff could use such information to make informed decisions regarding the use and prioritization of resources, as well as to evaluate potential risk areas that could affect the agency's safety mission.

What is internal control?

Internal control is a process used by management to help an entity achieve its objectives.

How does internal control work?

Internal control helps an entity:

  • Run its operations efficiently and effectively;
  • Report reliable information about its operations; and,
  • Comply with applicable laws and regulations.

The GAO Green Book also states that management should select appropriate methods to communicate internally and externally. Management should consider such factors as the purpose and type of information being communicated, the availability of the information to its audience when needed, and any requirements in laws and regulations that may impact communications.

Agency Policies

The NRC's Principles of Good Regulation require the NRC to seek clarity in its regulations so that there is a clear nexus between regulations and agency goals and objectives, enabling the public and licensees to readily understand the agency's positions and apply them easily.

[7] Government Accountability Office, Standards for Internal Control in the Federal Government, GAO-14-704G, September 2014.

What We Found

The NRC Needs to Create a CFSI Process

The NRC does not have a process for collecting, assessing, and disseminating information regarding CFSI. Potential CFSI information comes in through different channels and is treated differently by different NRC offices. Sometimes offices flag information as CFSI, sometimes they do not. Information about potential CFSI can come in from the Operating Experience Branch, the Office of Enforcement, the Office of Investigations (OI), and other NRC offices both in headquarters and the regions.

CFSI Information Sharing Among Offices and Regions

Information about CFSI is not always shared among offices. For example, the OI liaison to the U.S. Department of Homeland Security National Intellectual Property Rights Center did not inform the Operating Experience Clearinghouse about the Center's reports of potential CFSI, nor was the liaison required to do so. Furthermore, although information about a potential CFSI case may be protected for legal reasons if it pertains to an ongoing OI investigation, these protections do not necessarily prevent OI from sharing certain information about the case with the agency's CFSI TRG or staff in the IQVB. In practice, however, OI has not shared CFSI information in such situations.

Additionally, information about CFSI can be shared more effectively among agency headquarters and regional staff. For instance, the OIG interviewed 37 staff assigned to headquarters and the regions, and found that 11 regional and two headquarters staff were unaware of a report of potential counterfeit circuit breakers at power plants in Region I.

CFSI Information Dissemination

Information about CFSI has not been promptly disseminated to external stakeholders. The NRC has issued no new Information Notices about CFSI since 2018; however, one third party organization within the commercial nuclear power sector has collected reports of six potential CFSI cases from 2019 up to mid-2021. Additionally, the NRC has not yet published an Information Notice about counterfeit circuit breakers found at a Florida-based utility in February 2021, even though the manufacturer subsequently confirmed that counterfeit breakers were being produced illegally using its name. The NRC did, nevertheless, send a notice to the international community through the Nuclear Energy Agency in August 2021.

CFSI Data System Misalignment

Two NRC data systems - the Allegation Management System (AMS) and the Reactor Program System (RPS), Reactor Operating Experience (ROE) module - contain CFSI information, but the information does not always align between the two systems and is not easily searchable. The OIG compared potential CFSI cases between the AMS and the RPS/ROE and found little overlap between the two systems, although information about potential CFSI cases existed in both. Searches conducted using "CFSI," or terms intended to approximate CFSI, yielded items that were not CFSI. For example, a search conducted in the AMS using the search terms "wrongdoing" and "falsification"[8] produced 70 items; however, the OIG found only 2 of the 70 were potential unsubstantiated CFSI cases.

Similarly, the OIG conducted a search in RPS/ROE, which has a search field specifically for CFSI. Lastly, the OIG found 3 of the 18 potential CFSI cases appeared to have little relevance to CFSI, even though they were marked as potential CFSI in the RPS/ROE.

Why This Occurred

The NRC Lacks Specific CFSI Guidance and a Coherent Agencywide Approach for CFSI Oversight

The NRC does not have specific guidance clarifying office roles and responsibilities. The CFSI TRG has a desktop guide describing how potential CFSI concerns are assessed. NRC staff can access that guide, which is summarized on the CFSI TRG Nuclepedia page; however, the guide is applicable to internal TRG processes but does not address roles and responsibilities for the NRC at an agencywide level. In addition, the TRG desktop guide suggests, but does not require, systematic collection of information related to potential CFSI cases. For example, the OI could provide information to the TRG for synthesis into existing issue communication or for the purpose of determining if generic communication on a specific issue is warranted, but this is not required. Similarly, the TRG desktop guide does not describe what happens after an allegation has been transferred to the OI, and whether the TRG is able to track whether any allegations of CFSI have been substantiated.

Additionally, the agency has not communicated its goals for CFSI oversight. NRC management interviewed about CFSI said prevention is not the NRC's role; however, the NRC's role with respect to broader agency goals (e.g., monitoring, mitigation, or prevention) is not clear. The agency also lacks an official definition of CFSI, in contrast to other federal government and international entities, such as the U.S. Department of Energy and the International Atomic Energy Agency.

[8] The OIG used the search terms "wrongdoing" and "falsification" because agency staff said CFSI could be classified under those terms since the AMS lacks a specific CFSI search term.

Why This Is Important

The NRC's Unstated Position Regarding CFSI May Not Be Readily Understood by Staff

Without having clear guidance and communicating it effectively, staff may not understand the NRC's position regarding CFSI, and act in compliance therewith. Consequently, there is a risk that potential CFSI could go undetected by licensees or NRC inspectors. For example, the IQVB's Vendor Datasheet does not reflect information about CFSI from RPS/ROE or AMS. The IQVB uses the Vendor Datasheet to assist in its process of selecting roughly 20 vendors to inspect each year.

Additionally, by not having a clear CFSI approach, the NRC also communicates to the international community that it does not consider CFSI important, a message that the U.S. may not wish to send to countries, such as China, that have embarked on a rapid and large expansion of their nuclear sector.

Recommendations

The OIG recommends that the Executive Director for Operations:

1. Develop processes and guidance to collect, process, and disseminate CFSI information;
2. Communicate those processes across the agency, or at least to the divisions affected by CFSI;
3. Develop a coherent agencywide approach for CFSI, identifying the agency's primary objective regarding mitigation of CFSI into agency-regulated equipment, components, systems, and structures;
4. Clearly define CFSI; and,
5. Include a CFSI category in the AMS.

B. NRC Staff Awareness of CFSI Varies Across the Agency

The NRC should ensure staff are aware of CFSI and how it relates to inspections. Specifically, inspectors should be trained on what to look for during inspections to help identify potential CFSI, and how potential CFSI should be handled once identified. However, staff awareness and understanding of CFSI, and how it relates to inspection, varies. This occurs because the NRC does not require training on the subject, and there are no specific CFSI inspection procedures to instruct inspectors to look for potential CFSI. Inconsistent awareness of CFSI is a concern because staff could miss opportunities to identify potential deficiencies in licensees' ability to identify and properly address CFSI under their quality assurance programs, which could lead to CFSI components being installed at nuclear power plants.

What Is Required

The NRC Should State its Position on CFSI, and Ensure Staff Understand that Position and its Applicability to Inspections

Federal Standards

The GAO Green Book states management should internally and externally communicate the necessary quality information to achieve the entity's objective. Therefore, agency managers are responsible for ensuring staff understand their position on CFSI and its application to inspections. The staff can then use such information to make informed decisions regarding potential risk areas that could affect efficiency and effectiveness.

According to the International Atomic Energy Agency, training is typically required in the recognition of counterfeit and fraudulent items. Training raises awareness levels and increases the possibility of detection of counterfeit and fraudulent items. Vigilant inspections at the source (factory), at the warehouse (receipt inspection) and pre-installation (by the installers) are key barriers to counterfeit and fraudulent items. A wide number of commercial providers offer training in counterfeit and fraudulent item detection, and the EPRI has produced a computer-based course for this purpose.

Additionally, according to the Nuclear Energy Agency, inspectors normally do not undergo training specific to CFSI, but rather, are trained in general quality assurance.

Regulators should determine if inspector training needs to include specific areas to cover fraudulent and counterfeiting activities as part of regular inspections. A small dedicated CFSI inspection team may be warranted when fraud or counterfeiting issues are anticipated. Both the Nuclear Energy Agency and the International Atomic Energy Agency cite training for regulators and industry as a key element for preventing CFSI in nuclear supply chains.

What We Found

Staff Awareness and Understanding of CFSI and How it Relates to Inspections Varies Across the Agency

NRC staff awareness and understanding of CFSI and how it relates to inspections varies across the agency.

Staff Awareness and Understanding of CFSI

NRC staff awareness and understanding of CFSI varies, but a significant portion of staff interviewed by the OIG expressed little familiarity with the subject. Notably, 15 of 34 staff stated they were neither aware of nor could describe the agency's position on CFSI.

When asked to describe the NRC's CFSI program, agency staff responses included statements such as:

  • Is there a program?
  • I don't know anything about it.
  • I did not know there is one.
  • I'm not familiar with it.
  • I don't have a big picture understanding of it.

In comparison, responses from staff familiar with the agency's CFSI program include statements such as:

  • It is a robust program.
  • There has been positive development the past year.
  • The program is where it needs to be.
  • It is not a proactive program as much as it's a reactive program.

CFSI and Inspection Sampling

The OIG was told inspectors use Inspection Procedure 71111.12, Maintenance Effectiveness, to select samples to assess licensees' CGD, quality parts, or quality assurance programs. This allows for inspector judgement when selecting the best samples to review. However, opinions about which samples to select vary from plant to plant depending on individual inspectors' expertise. For example, the OIG reviewed 55 inspection reports published between 2019 and 2020 and found:

  • 39 inspections reviewed quality parts;
  • 13 inspections reviewed CGD; and,
  • 5 inspections reviewed quality assurance programs.[9]

[9] The total does not equal 55 because two reports reviewed two types of samples.

Agency staff stated that quality parts was the most frequently reviewed sample, due to risk and availability of parts to sample during inspections. Furthermore, licensees do not frequently perform CGD, so new CGD actions are not always available for sampling. Additionally, licensees do not commonly make changes to quality assurance programs. Once the NRC has reviewed a licensee's program, further review through periodic sampling is not required.

Why This Occurred

Inspectors are Not Instructed to Look for CFSI at Nuclear Power Plants and Lack Training

The NRC does not have specific guidance in inspection procedures on how to identify potential CFSI and does not require CFSI-related qualification or training, which has contributed to the staff's varying awareness of CFSI.

Guidance/Inspection Procedures

The NRC ensures only that licensees have proper programs in place to mitigate the risk of CFSI. Inspectors are not instructed through regular baseline inspection procedures to look for potential CFSI.

CFSI is mentioned in three inspection procedures.[10] However, these inspection procedures neither specify how to identify potential CFSI, nor how to handle potential CFSI once it is identified. They instruct inspectors to be mindful of CFSI in the supply chain and ensure licensees have programs in place to mitigate the risk of fraudulent parts through identification and control.

Therefore, inspectors at operating reactors are not instructed to look for potential CFSI.

Inspectors with professional construction experience are more likely to have awareness of CFSI because new components are more frequently received and screened for CFSI during construction.

CFSI Training

The NRC lacks CFSI training for resident and regional inspectors. Inspection Manual Chapter 1245 Appendix B, General Proficiency-Level Training and Qualification Journal, does not reference CFSI training for power reactor inspectors, whereas vendor and construction inspectors are referred to agency CFSI documents. By not requiring CFSI training for inspectors, the NRC is missing an opportunity to use industry best practices to prevent and detect CFSI in the supply chain.

[10] CFSI is only mentioned in three Inspection Procedures: 43002, Routine Inspections of Nuclear Vendors; 43003, Reactive Inspections of Nuclear Vendors; and 43004, Inspection of Commercial-Grade Dedication Programs.

Why This Is Important

The NRC Could Miss Opportunities to Identify Potential CFSI

The NRC requires nuclear power reactor licensees to use only those products and services exhibiting the highest quality in agency-regulated activities. However, without appropriate CFSI inspection guidance and training for staff, the NRC is potentially missing opportunities to identify possible CFSI, which could compromise the function of reactor safety systems if the components fail to meet specifications and quality standards of genuine components.

Furthermore, several NRC CFSI subject matter experts declared their intention to retire by the end of calendar year 2021. Proper knowledge management and transfer is therefore necessary to preserve institutional knowledge and transfer it to staff who will lead the NRC's CFSI oversight efforts into the future.

Recommendations

The OIG recommends that the Executive Director for Operations:

6. Develop inspection guidance with examples pertaining to identifying CFSI in inspection procedures;
7. Develop CFSI training for inspectors; and,
8. Develop a knowledge management and succession plan for CFSI.

IV. CONSOLIDATED LIST OF RECOMMENDATIONS

The OIG recommends that the Executive Director for Operations:

1. Develop processes and guidance to collect, process, and disseminate CFSI information;
2. Communicate those processes across the agency, or at least to the divisions affected by CFSI;
3. Develop a coherent agencywide approach for CFSI, identifying the agency's primary objective regarding mitigation of CFSI into agency-regulated equipment, components, systems, and structures;
4. Clearly define CFSI;
5. Include a CFSI category in the AMS;
6. Develop inspection guidance with examples pertaining to identifying CFSI in inspection procedures;
7. Develop CFSI training for inspectors; and,
8. Develop a knowledge management and succession plan for CFSI.

V. NRC COMMENTS

An exit briefing was held with the agency on January 18, 2022. Prior to this meeting, NRC management reviewed a discussion draft and later provided comments that have been incorporated into this report, as appropriate. As a result, NRC management stated their general agreement with the findings and recommendations of this report and chose not to provide formal comments for inclusion in this report.

Appendix A

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The audit objective was to assess whether the NRC's oversight activities reasonably assure nuclear power reactor licensees' programs are adequately positioned to mitigate the risk of counterfeit, fraudulent, and suspect items in operating reactors, those under construction, and those completed but not yet online.

Scope

This audit focuses on the NRC's oversight activities related to CFSI. We analyzed potential CFSI cases for the period between January 1, 2016 and August 31, 2021. The OIG conducted this performance audit from May 6, 2021 through December 13, 2021 at NRC headquarters in Rockville, Maryland.

Internal controls related to the audit objective were reviewed and analyzed. Specifically, the OIG reviewed the components of control environment, risk assessments, control activities, information and communication, and monitoring. Within those components, the OIG reviewed the principles of commitment to integrity and ethical values; organizational structure, responsibilities, and delegation of authority; recruit, develop, and retain competent individuals; define objectives to clearly identify risks; identifying, analyzing, and responding to risk; assessing fraud risk; designing control activities; designing activities for the information system; implementing control activities through policies; communicating internally and externally; performing monitoring activities; and, evaluating issues and remediating deficiencies.

Methodology

The OIG reviewed relevant criteria for this audit, including, but not limited to:

  • Government Accountability Office, Standards for Internal Control in the Federal Government, GAO-14-704G, September 2014.

  • Inspection Procedure 35007, Quality Assurance Program Implementation During Construction and Pre-Construction Activities, December 8, 2016.
  • The NRC's Enforcement Manual, December 1, 2020.

The OIG analyzed inspection reports from calendar years 2019 and 2020 to determine which Inspection Procedure 71111.12, Maintenance Effectiveness, samples were reviewed: CGD, quality parts, or the quality assurance program.

The OIG reviewed potential CFSI cases in the AMS, the RPS/ROE, and the TRG databases to determine how cases were documented and if there was overlap among agency data systems used to capture CFSI information.

Additionally, the OIG interviewed 37 NRC staff, and 10 nuclear power industry personnel representing licensees, the Nuclear Energy Institute, the INPO, the NUPIC and the EPRI, to understand their processes for identifying and handling potential CFSI.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Throughout the audit, auditors considered the possibility of fraud, waste, and abuse in the program.

The audit was conducted by Paul Rades, Team Leader; Avinash Jaigobind, Audit Manager; John Thorp, Senior Technical Advisor; Julie Corwin, Senior Management Analyst; Brigit Larsen, Senior Auditor; Melissa Chui, Auditor; and Justyn Alexander, Student Intern.

TO REPORT FRAUD, WASTE, OR ABUSE

Please Contact:

Email: Online Form
Telephone: 1-800-233-3497
TTY/TDD: 7-1-1, or 1-800-201-7165
Address: U.S. Nuclear Regulatory Commission, Office of the Inspector General, Hotline Program, Mail Stop O5-E13, 11555 Rockville Pike, Rockville, MD 20852

COMMENTS AND SUGGESTIONS

If you wish to provide comments on this report, please email the OIG using this link.

In addition, if you have suggestions for future OIG audits, please provide them using this link.
