Dear Dr. Z – I’ve been hearing about new source security regulations in 10 CFR part 37 but I’m not quite sure what they mean or how they might affect me – can you fill me in?
Without knowing exactly what sorts of sources you have I can’t give a precise answer to this. But let me tell what I’ve noticed in these regs and how they’ve affected me – hopefully this will help you out with your program.
I was Radiation Safety Officer at a major university and hospital from the late 1990s through the first few years of the oughts and one of my responsibilities was to help assure the safety and security of our radioactive materials. When I took the job (pre-September 11) my major concern was that a disgruntled grad student would try to dump low levels of radioactive materials into a colleagues lunch – this had happened at Brown University, NIH, and a few other places in the previous decades. But in the aftermath of the 9/11 attacks and the subsequent arrest of putative “dirty bomber” Jose Padilla in May, 2002 my worries changed dramatically – instead of theft of relatively small amounts of radioactivity by an amateur, I had to worry about trying to thwart an attack by terrorists or professional thieves; an entirely different kettle of fish.
Most of the time I am in favor of less-prescriptive regulatory guidance – as an experienced radiation safety professional I’d rather come up with my own solutions to, say, keeping radiation exposures as low as reasonably achievable (ALARA, the guiding philosophy of radiation safety in most of the world’s nations). But faced with so sudden and so dramatic a change in paradigm – and when faced with a problem that was outside my expertise in radiation safety – I found myself wishing for more guidance from my regulators. Nobody will be injured by swallowing minor amounts of radioactivity – the worst that had happened before 9/11 – but even if the radioactivity from a dirty bomb attack is not dangerous, the explosion and panic can be deadly (not to mention the cost of a cleanup). I’m a health physicist, not an expert in security or counter-terrorism – what I really wanted from my regulators was advice on how to secure my potentially dangerous sources from a threat that was outside all of my experience.
While the regulators didn’t exactly spring into prompt action, the Nuclear Regulatory Commission did issue a series of orders beginning in 2005 that helped clarify measures that could be taken to help safeguard high-risk radioactive materials. These are about to be collected into a single new regulation, 10 CFR 37, that will put much of this information in one place.
As a former Radiation Safety Officer (RSO) I think it’s great to collect all of the disparate NRC orders into a single new regulation, but I find myself wishing the NRC had gone further, keeping in mind that most radiation safety professionals aren’t security experts. For example, the upcoming rule has tons of verbiage devoted to telling licensees how to establish a program to ensure the trustworthiness and reliability of workers granted access to radioactive materials, but it doesn’t provide any guidance on how to actually secure specific radioactive materials (For example, are normal locks OK, or is keycard access needed to control access to a 1 Ci Cs-137 source?).
One of the keystones of these rules is the requirement that people must be deemed “trustworthy and reliable” before they are permitted to have unescorted access to high-activity radioactive sources, and this is one of the parts that I’m not sure I’d feel comfortable with as an RSO. Part of the T&R program is specified in the rules – requiring fingerprinting and a background check. But part of it is left to the judgment of the T&R officer. The T&R officer is required to have a background check and to be fingerprinted, and the NRC verifies their trustworthiness and reliability. But not much more is written – the T&R officer can be the RSO, the head of security, a manager in Human Resources, or virtually anyone else proposed by the licensee. The reason this gives me pause is that, as an RSO I was our organization’s most knowledgeable radiation safety professional, but security is not my game – I know how to select technically competent staff and how to find a technician who will give me a full day’s work, but I’m not trained in how to evaluate a person as a possible saboteur or terrorist. I’d rather have Security handle this task, but under the new regulation there’s no requirement that security evaluations be performed by security professionals.
The NRC will undoubtedly be developing guidance on how to implement the new regulations – there is a draft out (dated 2010) that I hope will be updated and issued to help licensees figure out how to comply with both the letter and the intent of the new regulations. Absent such guidance we are likely to end up with a hodge-podge of approaches to radioactive source security by RSOs who are professional health physicists, physicians or medical technologists, industrial radiographers, and so forth. It would have been helpful for the NRC to have required participation by a security professional – the head of institutional security for large organizations or a security consultant for smaller ones (there are a number of relatively small businesses that possess dangerously high-activity sources).
OK – so what? We’ve got a new law on the way that should help to consolidate a lot of the existing rules and orders on radioactive materials security, and (hopefully) some guidance on how to implement these new laws. It doesn’t seem to do any harm, and by putting so much in one place it can certainly make things easier for the licensee. What’s not to love?
The biggest thing is that this seems to be a rule written by administrators, for administrators. Don’t get me wrong – the administrative stuff is important! It’s nice to know the standards I should meet in order to decide (and demonstrate) that a person should be allowed to have unescorted access to high-activity radioactive sources. It’s also good to force licensees to have a security plan, to know when to notify law enforcement agencies that something has gone wrong, and so forth. But there’s more to security than getting the paperwork right, and that’s where licensees could use some more help – what would be great would be specific practical guidance.
Say I’m applying for a new radioactive materials license and I am to be RSO at a small facility with just enough radioactive materials to fall under this new rule, but we’re not large enough to have its own security force. I know that I need to secure the sources, but what constitutes adequate security? Is a padlock sufficient, or should I have a full-blown safe or vault? Should I put in motion detectors and, if so, what specifications should they meet? What about cameras (and if so, what kind and how many)? Do I need to have an alarm that automatically sounds at the local police precinct? And so forth and so on…. I need more than a bunch of file folders filled with plans and lists – what I need is a list of vendors and model numbers, or at least a list of minimum acceptable specifications for my cameras and locks. In short, I want a radioactive materials security program that will keep secure my sources against theft in addition to meeting paperwork requirements.
All in all, the new rule is a good start – at the least it makes it easier to figure out where all of the requirements are located. But from a practical standpoint it’s no more than a start – let’s hope that more practical assistance is on its way.