Requirements for people responsible for security-enhanced sources

From 1 July 2013, requirements of the Code of Practice for the Security of Radioactive Sources incorporated in the Radiation Control Act 1990 and the Radiation Control Regulation 2013 will commence.

A person who is responsible for a security-enhanced radioactive source has certain obligations such as

  • ensuring that security measures are taken relating to security-enhanced sources
  • making security plans for security-enhanced sources
  • managing who has access to security-enhanced sources
  • reporting security incidents.

Generally, the ‘person responsible’ will be the organisation that holds an EPA management licence that includes the source. If in doubt about responsibilities for a security-enhanced source, contact the EPA for advice.

Security measures

A person responsible for a security-enhanced source must ensure that the source is protected by security protection measures relevant to the categorisation of the source.

Security measures for category 1 security-enhanced sources

Category 1 sources are considered to pose the highest risk and are subject to the most stringent security requirements. Category 1 sources include industrial irradiation facilities, larger blood or research irradiators, and gamma knife devices.

Where a category 1 security-enhanced source is in use or being stored or transported, the source must be protected by, at a minimum, physical security measures capable of providing sufficient delay to allow immediate detection and assessment of an intrusion and interruption of any unauthorised removal of the source by a guard or police officer.

Security measures for category 2 security-enhanced sources

Category 2 sources include most blood and research irradiators and industrial radiography sources.

Where a category 2 fixed or mobile security-enhanced source is in use, the source must be protected by, at a minimum, physical security measures capable of providing sufficient delay to allow immediate detection and assessment of unauthorised access to the source.

Where a category 2 security-enhanced source is being stored, the source must be protected by, at a minimum, physical security measures capable of providing sufficient delay to allow immediate detection and assessment of unauthorised access to the source location.

Where a category 2 security-enhanced source is being transported, the source must be protected by, at a minimum, physical security measures capable of providing sufficient delay to allow immediate detection and assessment of unauthorised access to the source.

Security measures for category 3 security-enhanced sources

Category 3 sources include sources used in brachytherapy and larger fixed industrial gauges.

Where a category 3 fixed or mobile security-enhanced source is in use, the source must be protected by, at a minimum, physical security measures capable of preventing unauthorised access to the source by human force,

Where the security-enhanced source is being stored or transported, the source must be protected by, at a minimum, physical security measures capable of preventing unauthorised access to the source by human force.

In the case of category 1, category 2 and category 3 sources, the appropriate procedural and administrative actions determined in accordance with Schedule D to the Security Code must be undertaken.

Categories 4 and 5 sources

Categories 4 and 5 sources include low-dose brachytherapy units, most industrial gauges, and portable soil moisture and density gauges used in road building and agriculture.

Those responsible for these sources should apply safety-based security measures for Categories 4 and 5 sources, which are outlined in the EPA licence conditions.

Source security plans

The person who is responsible for a security-enhanced source must prepare a source security plan.

The source security plan must set out how the source is to be protected from unauthorised access and nominate a natural person who is to be responsible for implementing the plan.

Specifically, the plan must deal with

  • the category of the source and how the source has been categorised as a security-enhanced source
  • how the plan has been developed using a risk-based approach, with particular regard to:
    • the nature of the source and any dealings with the source, the environment in which those dealings occur
    • identification of any credible threats to the source in relation to any such dealings and the likelihood and consequence of the threats eventuating
    • an assessment of the effectiveness of existing security measures, and
    • identification of further action required to achieve compliance with the prescribed security measures for the source
  • how compliance with the prescribed security measures for the source is to be (or is being) achieved
  • a description of the source including the:
    • isotope
    • activity
    • date of measurement of that activity
    • source serial number
    • physical and chemical form
  • a description of the allocation of responsibilities for security to persons (including how those persons are competent, qualified and authorised to carry out their responsibilities)
  • a description of any specific risks to the security of the source (such as, for example, theft, sabotage or mechanical or electronic failure of a physical security measure)
  • a description of the physical security measures that will be used to ensure compliance with the prescribed security measures for the source
  • arrangements for review and revision of the plan
  • a description of the radiation practice for which the source is used
  • the specific location of the source
  • a plan of the building or facility in which the source is used or stored
  • a description of any surveillance or monitoring measures implemented to ensure compliance with the prescribed security measures for the sources (for example, CCTV, personal surveillance or security patrols)
  • a description of the administrative and procedural measures that are to be used to ensure compliance with the prescribed security measures for the source, including:
    • access controls (including key controls)
    • any identification and security checking carried out in accordance with the Act
    • inventories and records related to the management of sources
    • information security
    • procedures to be followed before, during and after a technical service
    • contingency and security response arrangements, including notification of security breaches
    • security education and awareness
    • the action to be taken in the event of a change in the threat level

The person responsible for a security-enhanced source must ensure that any source security plan in respect of the source is

  • implemented and complied with
  • made available to the EPA at such times as the EPA may require
  • is reviewed at least every 12 months.

Source transport security plans

A person who is responsible for a security-enhanced source that is being transported must prepare a source transport security plan.

The source transport security plan must set out how the source is to be protected from unauthorised access and nominate a natural person who is to be responsible for implementing the plan.

A source transport security plan must also deal with the following

  • the purposes or reasons for which the source is being transported
  • a description of the conveyance in which the source will be transported and the arrangements for securing the shipment during transfer between different conveyances or during other stops en route
  • the name, address and business and after hours contact details for the consignor, consignee, carrier and, where used, guard or police services
  • a description of the administrative and procedural security measures security measures that are to be used to meet the security outcomes relevant to the source, including:
    • contact details for local police and the EPA and arrangements for notifying local police or the EPA, or both, depending on the issue
    • contingency and emergency procedures for vehicle accidents or breakdown (including, for category 1 sources, a planned principal route and an alternative route)
    • security response arrangements, including notification of any security breach to local emergency services (police, fire and ambulance) and the EPA as appropriate
    • security briefings for persons involved in transporting the source, including the nature of any threats, the threat level and contingency and security response arrangements
    • any identification and security checking carried out in accordance with the Act and Regulation
    • information security
    • the means of communication between persons involved in transporting the source
    • actions to be taken in the event of a change in the threat level
       
  • A person responsible for a security-enhanced source must ensure that any source transport security plan in respect of the source is provided to the EPA:

    1. in the case of a category 1 source - at least 7 days prior to transportation of the source, and
    2. in the case of a category 2 or 3 source - at least 7 days prior to transportation of the source or, if the source is to be transported on a regular basis, at least 7 days prior to the first transportation of the source.

    If a source transport security plan is amended for any reason, the person responsible for transporting the source must provide the EPA a copy of the amended plan, as soon as reasonably practicable after the plan is made or amended.

Identity checking

A person who is responsible for a security-enhanced source must ensure that the following persons have undergone and satisfied an identity check that ascertains the identity and residential address of the person (in accordance with the document 'Requirements for identity checks' published by the EPA)

  • the person nominated as being responsible for implementing a security plan in respect of the source
  • a person who deals with the source
  • a person who transports the source.

A person who deals with a source (other than to transport the source) is not required to have undergone a check if they are under the direct supervision when dealing with a source and the person providing supervision has undergone and satisfied an identity check.

Security incidents

If there is a breach of a prescribed security measure that results in a security-enhanced source being lost or stolen, intentionally damaged or accessed without authority, the person responsible for the source must

  • immediately notify the EPA and the NSW Police Force of the incident, and
  • within 7 days of the notice, submit a report of the incident to the EPA that contains the following information:
    • the circumstances of the loss, theft, damage or unauthorised access
    • the steps taken to rectify the loss, theft, damage or unauthorised access
    • if the source is lost or stolen - any information that may assist in the recovery of the source.

If there is a breach of a security measure (other than an incident as described above) relating to a security-enhanced source, the person responsible must submit a written report of the incident to the EPA within 7 days.

The report must include details of the circumstances of the breach and the steps taken to rectify the breach.

Page last updated