NSW Environmental Protection Agency NSW Government
 

Requirements for people responsible for security-enhanced sources

If you are dealing with a high activity radioactive source, you need to understand the security requirements and other rules.

Security enhanced sources are high activity radioactive sources, which have the potential to cause serious harm to people and the environment if accessed by an unauthorised person or someone with malicious intent.

The Protection from Harmful Radiation Act 1990 and Protection from Harmful Radiation Regulation 2025 contain requirements that reflect those in the national Code of Practice for the Security of Radioactive Sources

A person who is responsible for a security-enhanced radioactive source has certain obligations such as

  • ensuring that security measures are taken relating to security-enhanced sources
  • making, implementing and reviewing security plans for security-enhanced sources
  • ensuring that a source security plan is re-endorsed by an accredited radiation security assessor every 5 years
  • managing who has access to security-enhanced sources, including meeting the requirements for identity checks of persons dealing with security enhanced sources and keeping records of those checks for 5 years
  • reporting and recording security incidents.

Generally, the ‘person responsible’ will be the organisation that holds an EPA radiation management licence that includes the source. If in doubt about responsibilities for a security-enhanced source, contact the EPA for advice.

Security measures

A person responsible for a security-enhanced source must ensure that the source is protected by security protection measures relevant to the categorisation of the source.

Security measures for category 1 security-enhanced sources

Category 1 sources are considered to pose the highest risk and are subject to the most stringent security requirements. Category 1 sources include industrial irradiation facilities, larger blood or research irradiators, and gamma knife devices.

Where a category 1 security-enhanced source is in use or being stored or transported, the source must be protected by, at a minimum, physical security measures capable of providing sufficient delay to allow immediate detection and assessment of an intrusion and interruption of any unauthorised removal of the source by a guard or police officer.

Security measures for category 2 security-enhanced sources

Category 2 sources include most blood and research irradiators and industrial radiography sources.

Where a category 2 fixed or mobile security-enhanced source is in use, the source must be protected by, at a minimum, physical security measures capable of providing sufficient delay to allow immediate detection and assessment of unauthorised access to the source.

Where a category 2 security-enhanced source is being stored, the source must be protected by, at a minimum, physical security measures capable of providing sufficient delay to allow immediate detection and assessment of unauthorised access to the source location.

Where a category 2 security-enhanced source is being transported, the source must be protected by, at a minimum, physical security measures capable of providing sufficient delay to allow immediate detection and assessment of unauthorised access to the source.

Security measures for category 3 security-enhanced sources

Category 3 sources include sources used in brachytherapy and larger fixed industrial gauges.

Where a category 3 fixed or mobile security-enhanced source is in use, the source must be protected by, at a minimum, physical security measures capable of preventing unauthorised access to the source by human force,

Where the security-enhanced source is being stored or transported, the source must be protected by, at a minimum, physical security measures capable of preventing unauthorised access to the source by human force.

In the case of category 1, category 2 and category 3 sources, the appropriate procedural and administrative actions determined in accordance with Schedule D to the Security Code must be undertaken.

Categories 4 and 5 sources

Categories 4 and 5 sources include low-dose brachytherapy units, most industrial gauges, and portable soil moisture and density gauges used in road building and agriculture.

Those responsible for these sources should apply safety-based security measures for Categories 4 and 5 sources, which are outlined in the EPA licence conditions.

Source security plans

The person who is responsible for a security-enhanced source must prepare a source security plan which is reviewed by an EPA-accredited radiation security assessor. Any amendment to the plan should be discussed with the security assessor.

The source security plan must set out how the source is to be protected from unauthorised access and nominate a natural person who is to be responsible for implementing the plan.

Specifically, the plan must deal with:

  • a description of the source including the:
    • isotope
    • activity
    • date of measurement of that activity
    • source serial number
    • physical and chemical form.
  • how the source was determined to be category 1, 2 or 3 source
  • how the plan has been developed using a risk-based approach, with particular regard to:
    • the nature of the source and any dealings with the source, the environment in which those dealings occur and existing security measures
    • identification of any credible threats to the source in relation to the dealings and the likelihood and consequence of the threats eventuating
    • an assessment of the effectiveness of existing security measures in complying with the prescribed security measures for the source, having regard to the credible threats to the source, and
    • identification of further action, if any, required for compliance with the prescribed security measures for the source
  • how compliance with the prescribed security measures​ for the source will be (or is being) achieved, including the security protection measures that will be used.
  • a description of how responsibilities for security to persons are to be allocated to persons (including how those persons are competent, qualified and authorised to carry out their responsibilities)
  • a description of any specific risks to the security of the source (such as theft, sabotage or mechanical or electronic failure of a physical security measure)
  • arrangements for review and revision of the plan
  • a description of the radiation practice for which the source is used
  • the specific location of the source in the building or facility where it is used or stored
  • a plan of the building or facility in which the source is used or stored
  • a description of any surveillance or monitoring measures implemented in relation to the source (for example, CCTV, personal surveillance or security patrols)
  • a description of the administrative and procedural measures to be used in relation to the source, including:
    • access controls (including key controls)
    • any identification and security checking carried out in accordance with the Act
    • inventories and records related to the management of sources
    • information security measures
    • procedures to be followed before, during and after repair or maintenance
    • contingency and security response arrangements, including notification of security breaches
    • security education and awareness measures
    • the action to be taken in the event of a change in the threat level

The person responsible for a security-enhanced source must ensure that any source security plan in respect of the source is

  • implemented and complied with
  • made available to the EPA at such times as the EPA may require
  • is reviewed at least once every 12 months.

Source transport security plans

A person who is responsible for a security-enhanced source that is being transported must prepare a source transport security plan.

The source transport security plan must set out how the source is to be protected from unauthorised access and nominate a natural person who is to be responsible for implementing the plan.

A source transport security plan must also deal with the following

  • the purposes or reasons for which the source is being transported
  • a description of the conveyance in which the source will be transported and the arrangements for securing the shipment during transfer between different conveyances or during other stops en route
  • the name, address and business and after hours contact details for the consignor, consignee, carrier and, where used, guard or police services
  • a description of the administrative and procedural security protection measures​ that are to be used for the source, including:
    • contact details for local police and the EPA and arrangements for notifying local police or the EPA, or both, depending on the issue
    • contingency and emergency procedures for vehicle accidents or breakdown (including, for category 1 sources, a planned principal route and an alternative route)
    • security response arrangements, including notification of any security breach to local emergency services (police, fire and ambulance) and the EPA as appropriate
    • security briefings for persons involved in transporting the source, including the nature of any threats, the threat level and contingency and security response arrangements
    • any identification and security checking carried out in accordance with the Act
    • information security
    • the means of communication between persons involved in transporting the source
    • actions to be taken in the event of a change in the threat level

The person responsible for a security enhanced source must ensure the source transport security plan for the source is given to the EPA:

  1. in the case of a category 1 source - at least 7 days prior to transportation of the source, and
  2. in the case of a category 2 or 3 source - at least 7 days prior to transportation of the source or, if the source is to be transported on a regular basis, at least 7 days prior to the first transportation of the source.

Amendments to security plans

The following amendments to security plans do not require review by the radiation security assessor:

  • the replacement of a security enhanced source by a new source of the same or lower category
  • minor changes to contact details for a person with security responsibilities
  • the addition or omission of details of identity checks and security background checks of personnel
  • changes to the date of travel or planned principal route or alternative route in a transport security plan.

If a source transport security plan is amended for any other reason, the person responsible for transporting the source must provide the EPA a copy of the amended plan, as soon as reasonably practicable after the plan is made or amended.

Identity checking

A person who is responsible for a security-enhanced source must ensure that the following persons have undergone and satisfied an identity check that ascertains the identity and residential address of the person (in accordance with the document 'Requirements for identity checks' published by the EPA)

  • the person nominated as being responsible for implementing a security plan in respect of the source
  • a person who deals with the source
  • a person who transports the source.

Records of the identity checks must be made and kept for 5 years by the person responsible for the security enhanced source.

A person who deals with a source (other than to transport the source) is not required to have undergone a check if they are under direct supervision when dealing with a source and the person providing supervision has undergone and satisfied an identity check.

Security incidents

If there is a breach of a prescribed security measure that results in a security-enhanced source being lost or stolen, intentionally damaged or accessed without authority, the person responsible for the source must

  • immediately notify the EPA and the NSW Police Force of the incident, and
  • within 7 days of the notice, submit a report of the incident to the EPA that contains the following information:
    • the circumstances of the loss, theft, damage or unauthorised access
    • the steps taken to rectify the loss, theft, damage or unauthorised access
    • if regulated material is lost or stolen - other information that may assist in the recovery of the material.

If there is a breach of a security measure (other than an incident as described above) relating to a security-enhanced source, the person responsible must submit a written report of the incident to the EPA within 7 days.

The report must include details of the circumstances of the breach and the steps taken to rectify the breach.

The person is not required to provide the report if a report has already been made by another person responsible for the source or a report has already been given for another related matter.