Follow-up Audit of the Implementation of Action Plans
in Response to the Check Source Review
Office of Audit and Ethics
April 30, 2014
Recommended by the CNSC Audit Committee for approval by the President on
April 1, 2014
Approved by the President on July 23, 2014
Table of Contents
Executive Summary ...................................................................................................................... 1
1.
Introduction........................................................................................................................ 2
1.1
Background..................................................................................................................................... 2
1.2
Authority......................................................................................................................................... 3
1.3
Objectives and scope ...................................................................................................................... 3
1.4
Analysis of risks.............................................................................................................................. 3
1.5
Audit criteria .................................................................................................................................. 3
1.6
Approach and methodology .......................................................................................................... 4
1.7
Statement of conformance ............................................................................................................. 4
2.
Original Recommendations, Management Actions and Results of the Follow-up..... 5
2.1
Accountability for source control ................................................................................................. 5
2.2
Source inventory control ............................................................................................................... 6
2.3
Oversight......................................................................................................................................... 6
2.4
Records management..................................................................................................................... 6
3
Conclusion ......................................................................................................................... 7
3.1
Recommendation............................................................................................................................ 7
3.2
Management Action Plan .............................................................................................................. 7
Appendix 1 – Recommendations and actions (summarized by recommendation)................ 8
Executive Summary
Background
The Follow-up Audit of the Implementation of Action Plans in Response to the Check
Source Review was part of the approved Risk-Based Audit Plan for 2013–14.
Audit objectives, scope and approach
The objective for this follow-up audit was to confirm that all corrective measures
emanating from the executive VP-led review had been addressed. Since the Directorate
of Nuclear Substance Regulation (DNSR) inspection findings and resulting corrective
actions were complementary to the executive VP review, and because the licensee (for
logical reasons) tracked both together, this review is assessing the completion of action
items resulting from both exercises. This report provides assurance of completion for
those two action plans and does not purport to conclude on any other elements of
management, governance, control or risk related to the use of sources by CNSC staff.
The review began with requests for a consolidated action plan that addressed the
inspection findings and recommendations. Where the commitments were to establish
formal guidance or documentation concerning control processes those documents were
reviewed and analyzed. The audit team also conducted a site visit to the laboratory to
physically examine the implementation of new control procedures and documentation.
Results
The follow-up audit noted that all corrective actions emanating from the review and
inspection – in response to the eighteen overarching recommendations – have been
implemented, with two exceptions: (1) the commitment to provide inventory verification
updates to the Operations Management Committee (OMC) and (2) the licensee’s
commitment to hold meetings of the Radiation Safety Committee (RSC) quarterly, to
review licence conditions and to ensure continued adherence to the improved inventory
control and accountability framework. It was noted that the missed meetings were
postponed as a result of public hearings outside the headquarters region, which required
the direct participation of the licence Applicant Authority (who also chairs the RSC),
these meetings have since been rescheduled. The nature and frequency of reporting to
OMC has also been resolved.
Conclusion
The CNSC has successfully responded to the original incident in which check sources
were misplaced and not accounted for, on an ongoing basis. The control weaknesses
have been largely rectified, and there is a significantly lower risk of reoccurrence. The
organization now has an opportunity to achieve a proper balance between ongoing
management oversight, and the laboratory and the licence applicant’s authority
accountability under the CNSC’s consolidated uses licence conditions.
1
1. Introduction
1.1
Background
On July 17, 2012, three Cesium-137 check sources were discovered while preparing a
CNSC headquarters boardroom for an upcoming Commission meeting. The three
sources were part of a set of 55 obtained from the CNSC laboratory by Radiation
Protection Division staff on June 26, 2012, for use in a summer student orientation
session. During the period between June 26, 2012, and July 17, 2012, the three sources
remained unattended in room 14-032. These sources, despite having detectable
radioactivity, do not pose a security risk or a significant risk to human health.
Check sources are used to verify the operability of instruments and detector systems.
They emit low-level radiation, are safe and can be owned without a licence. They do not
require any sort of special handling or storage, and can be discarded with normal waste
when they are no longer required.
This event pointed to likely radiation sources inventory control deficiencies at the CNSC
laboratory, leading to the decision to conduct an independent review by a team reporting
directly to the Executive Vice-President (VP) and Chief Regulatory Operations Officer.
The review team was comprised of technical experts from Directorate of Nuclear
Substance Regulation (DNSR) and the Directorate of Power Plant Regulation (DPRR),
assisted by an auditor from the Office of Audit and Ethics (OAE).
An unannounced DNSR inspection was also conducted on July 23, 2012, for the
purpose of verifying compliance with the consolidated uses licence (Licence number
10180-2-13.9) issued to the CNSC. Many of the deficiencies identified during the July
23, 2012, DNSR compliance inspection confirmed the findings of the independent
review.
Two distinct but complementary sets of recommendations (summarized in Appendix
One) emanated from both the executive VP-led review and the DNSR compliance
inspection. The Directorate of Environmental and Radiation Protection and Assessment
(DERPA) and the CNSC laboratory (part of DERPA) responded to both inspections by
way of establishing a formal action plan to address noted deficiencies. These were
merged and tracked simultaneously by the laboratory, to ensure completion of all
requirements. A timeline of key events is provided in the table below:
Date
Event
July 17, 2012
Three cesium-137 check sources discovered at CNSC HQ.
July 23, 2012
DNSR licence compliance and independent review inspection.
July 24, 2012
Action plan in response to inspection prepared.
2
September 17, 2012
Action plan in response to executive VP-directed review prepared
and sent to executive VP.
December 12, 2012
All source inventories reconciled, barcoded and scanned into
inventory system.
January 16, 2013
Update on incident provided to Commission (Commission
Member Document 13.M7-A).
May 22, 2013
Visit by DNSR inspectors to follow-up on compliance inspection
report.
August 20, 2013
Final DNSR inspection report notes closure of corrective actions
related to the licence.
December 18, 2013
DNSR inspection for consolidated licence. Two minor items
related to shipping were noted.
December 2013
Initiation of Follow-up Audit of Check Source Action Plans by
CNSC Office of Audit and Ethics.
1.2
Authority
The Follow-up Audit of the Implementation of Action Plans in Response to the Check
Source Review was part of the approved 2013–14 Risk-Based Audit Plan.
1.3
Objectives and scope
The objective for this follow-up audit was to confirm that all corrective measures
emanating from the executive VP-led review had been addressed. Since the DNSR
inspection findings and resulting corrective actions were complementary to the executive
VP review, and because the licensee (for logical reasons) tracked both together, this
review is assessing the completion of action items resulting from both exercises. This
report provides assurance of completion for those two action plans and does not purport
to conclude on any other elements of management, governance, control or risk related
to the use of sources by CNSC staff.
1.4
Analysis of risks
The analysis of risk for this follow-up was limited to the risks associated with the original
findings, recommendations and corrective actions resulting from the inspections.
1.5
Audit criteria
The criteria applied for this follow-up were the review and DNSR inspection
recommendations, as well as the commitments made by the licensee with respect to
them. The audit team used those specific commitments as the basis for evaluating
completion of required actions to address deficiencies noted in the inspections.
3
1.6
Approach and methodology
The review began with requests for a consolidated action plan that addressed the
inspection findings and recommendations. Where the commitments were to establish
formal guidance or documentation concerning control processes, those documents were
reviewed and analyzed. The audit team also conducted a site visit to the laboratory, to
physically examine the implementation of new control procedures and documentation.
Fieldwork was conducted between December 2013 and March 2014.
1.7
Statement of conformance
This work conforms to the Internal Auditing Standards for the Government of Canada, as
supported by the results of the Quality Assurance and Improvement Program.
4
2. Original Recommendations, Management
Actions and Results of the Follow-up
The inspections conducted in response to the incident resulted in eighteen overarching
recommendations (many containing sub-recommendations that prescribed specific
steps), the vast majority of which were made to the laboratory. One recommendation
was made to the CNSC was to apply a higher level of scrutiny and oversight to internal
licensees, such as the laboratory. Given the attention that has been placed on the
laboratory by inspectors and the Commission itself, this recommendation is now deemed
to have been met. This type of oversight must continue, and CNSC management must
ensure that the improvements (made in response to the recommendations of the
inspections) are sustained. This greater scrutiny, combined with internal laboratory
management efforts to achieve a state-of-the-art control environment, has resulted in
significant improvements.
The CNSC has been re-licensed under a consolidated uses licence, and the lab has
implemented compliance self-assessments for licence conditions. A process to conduct
an external compliance review (recommended by the Commission) will begin in Q1 of
fiscal year 2014–15. The combination of these efforts is deemed to be a comprehensive
oversight framework for the laboratory.
For the technical recommendations assigned to the laboratory, we found that each of the
eighteen overarching recommendations had been implemented, with two exceptions:
(1) the commitment to provide inventory verification updates to the Operations
Management Committee (OMC) and (2) the licensee’s commitment to hold meetings of
the Radiation Safety Committee (RSC) quarterly, to review licence conditions and to
ensure continued adherence to the improved inventory control and accountability
framework. Note that although the missed meetings were postponed as a result of public
hearings outside the headquarters region, which required the direct participation of the
licence Applicant Authority (who also chairs the RSC), these meetings have since been
rescheduled. The nature and frequency of reporting to OMC has also been resolved.
Appendix One provides the recommendations and actions by control area. However, for
ease of reference and clarity, they are summarized by the following themes:
1. Accountability for source control
2. Source inventory control
3. Oversight
4. Records management
2.1
Accountability for source control
Accountability for sources has been firmly established through a consolidated uses
licence. Accountability for sources under the control of the laboratory has been
established through the licence and the designation of a Radiation Safety Officer. When
sources are loaned to other CSNC staff, these must be designated as authorized users
5
and work in an area covered by the licence. These designations are endorsed by their
management, and authorized users undergo training relative to their use of sources.
This training prescribes how to access, transport, store, use and return sources in their
custody. Records relative to the designation of authorized users, as well as accessing
and returning sources, are kept at the laboratory.
2.2
Source inventory control
After the inspections, the laboratory conducted an accounting of all sources, both
present and loaned out. Subsequently, a barcode inventory control system was
designed and implemented, allowing the laboratory to track each source as it enters or
exits their control. The database can be queried at any time to reveal the current
holder/location of the source, providing continuous, unbroken control and accountability
for the sources. Quarterly reconciliations are conducted; to date, these have not resulted
in any missing or lost sources.
2.3
Oversight
A diverse and robust suite of oversight control mechanisms was implemented at the
laboratory after the incident. The two inspections (including a follow-up Directorate of
Security and Safeguards inspection and relicensing) served to subject the laboratory’s
source control procedures to a high level of scrutiny. The application for relicensing
involved the inclusion of the revised procedures in response to the earlier inspections. A
licence was granted in May 2013,requiring the ongoing application of the new
procedures. A follow-up compliance inspection, in December 2013, determined that all
conditions were being upheld, with the exception of some inconsistencies around
transportation and packaging documentation (which have since been rectified). It is
deemed that the combination of these oversight and accountability mechanisms have
been successful in ensuring the laboratory fulfills its commitments to increase control
over sources.
As noted earlier, ongoing management oversight (in the form of ongoing reporting to
OMC and the RSC, as envisioned in the original action plans) has not yet been fully
implemented. This oversight would serve to ensure the continuity and sustainability of
the improvements made by the laboratory for source control. In light of the
improvements made by the laboratory at this time, an opportunity exists to re-examine
these accountability mechanisms and determine the most effective and efficient means
of providing ongoing oversight.
2.4
Records management
In addition to the robust inventory management and control system implemented at the
laboratory, records have also been established to track the proper transportation of
sources to and from the laboratory. The records currently maintained include details of
the packaging requirements, package testing results, shipping documents, and CNSC
and external visitors.
6
3
Conclusion
In assessing the implementation of actions in response to the eighteen previous
recommendations, we found that sixteen have been fully implemented and two remain
partially implemented.
The CNSC has successfully responded to the original incident, where check sources
were misplaced and not accounted for on an ongoing basis. The control weaknesses
have been largely rectified, and there is a significantly lower risk of reoccurrence. The
organization has now an opportunity to achieve a proper balance between ongoing
management oversight, and the laboratory and the licence applicant’s authority
accountability under the CNSC’s consolidated uses licence conditions.
3.1
Recommendation
It is recommended that Vice-President of the Technical Support Branch (TSB), in
consultation with the Executive Vice-President, determine the nature and frequency of
updates to Operations Management Committee (OMC) on check source inventory
control, and implement the reporting once this has been established.
3.2
Management Action Plan
As of April 2014, the report to OMC is made only in the event that a quarterly inventory
identifies unaccounted sources, or that an internal or external audit/evaluation identifies
gaps in inventory controls. This was accepted by the OMC Chair; therefore, this action is
considered closed.
7
Follow-up Audit of the Implementation of Action Plans in response to the Check Source Review
Office of Audit and Ethics
April 30, 2014
Appendix 1 – Recommendations and actions (summarized by
recommendation)
Rec #
Requirement
Actions completed/Assessment
Status
CA-4.2
A formal training plan and procedure should be
established whenever check sources are being
used.
While the Radiation Protection Division (RPD)
does not continue to conduct training with
sources, other divisions that do (e.g., Chemical,
Biological, Radiological and Nuclear [CBRN]
training) are required to develop plans that
comply with the radiation protection regulations,
and have authorized users and valid permits to
use sources.
Completed
CA-5.2
CBRN procedures related to these training
exercises should be reviewed, updated and
submitted to the Radiation Safety Officer
(RSO). This should include a thorough review of
program ownership, staff training and
qualifications, procedures, plans and
authorization for the use of sources, and type of
training exercises conducted.
The required reviews were conducted leading to
procedures being drafted for CBRN training,
detailing responsibilities of authorized users (AU)
when in control of sources.
Completed
8
Follow-up Audit of the Implementation of Action Plans in response to the Check Source Review
Office of Audit and Ethics
April 30, 2014
Rec #
Requirement
Actions completed/Assessment
Status
CA-8.3.1 – 8.3.6
At the next licence renewal in 2013, the
laboratory should be required to fully comply
with all requirements of RD-371 and submit the
application well in advance of the deadline. This
will allow time to conduct a thorough review of
the application to be conducted and address
any deficiencies. Prepare application and
ensure it is signed (by both signing and
applicant authorities).
A gap analysis vis-à-vis the requirements in RD371 was conducted and reviewed. This gap
analysis informed the development of the licence
application, which was submitted on December
14, 2012.
Completed
CA-9.4.1
There should be only one person designated as
RSO at the CNSC. The designated RSO should
be the head of the Radiation Protection
Division.
The RSO is the Senior Analyst permanently
based at the Laboratory. The Director is
accountable, but it is impractical for the Director
to carry out day-to-day RSO responsibilities; the
Senior Analyst was assigned to manage on a
day-to-day basis.
Completed
CA-9.4.2
Implement fully a system of internal and
temporary permits for authorized users, under
the CNSC consolidated users licence.
Two internal permits exist (Laboratory and
Emergency Management Programs Division).
Authorized users fall under either permit, and
each AU attests to having read the applicable
requirements and procedures.
Completed
CA-255025-01.101.2
Implement procedures which describe all steps
necessary to maintain unbroken control and
accountability of nuclear substances at all
times. These procedures must identify all
workers who are authorized to handle or
transport nuclear substances.
Procedures have been drafted and implemented,
detailing unbroken control and accountability for
substances (sources) that are loaned out by the
laboratory to approved authorized users.
Completed
9
Follow-up Audit of the Implementation of Action Plans in response to the Check Source Review
Office of Audit and Ethics
April 30, 2014
Rec #
Requirement
Actions completed/Assessment
Status
CA-255025-02.102.3
Create a single inventory record (from the six
currently existing) of all nuclear substances at
all locations identified under this licence,
including all source details required by
regulation and the licensee’s internal
procedures. This record must reconcile all
existing inventory records, and declare as lost
any sources that cannot be accounted for.
A full sources inventory took place initially,
declaring some as lost. Subsequently, the
laboratory has implemented a single system for
the tracking of source inventories (Laboratory
Inventory Management System) which are all
under the laboratory’s licence. This system is
updated in real time, as sources are moved out of
or back into the laboratory.
Completed
CA-255025-03.103.2
Implement a self-assessment program that
demonstrates compliance with CNSC
regulations and internal procedures, including a
quarterly inventory verification check and
reporting to OMC.
Internal assessments are planned and conducted
at least annually, to ascertain the extent of
compliance with regulations and procedures.
Reporting to OMC has not occurred to date. The
Directorate of Environmental and Radiation
Protection and Assessment (DERPA) will go to
OMC in the near future, to provide an update and
clarify expectations around inventory reporting.
Partially
completed
A proposal to address the reporting issue was
submitted to OMC in March 2014, and has since
been accepted.
CA-255025-04.104.3
Direct CNSC security personnel to conduct an
inspection of the physical security of the facility
and sources.
This inspection was undertaken, and an action
plan was prepared in response.
Completed
10
Follow-up Audit of the Implementation of Action Plans in response to the Check Source Review
Office of Audit and Ethics
April 30, 2014
Rec #
Requirement
Actions completed/Assessment
CA-255025-05.105.2
The licensee can demonstrate that sampling
and counting methods can meet licence criteria.
No loose contamination is detected in amounts
exceeding the limits specified in the licence.
A review of the Radiation Safety Manual confirms
the existence of procedures (i.e., methodology,
frequency, criteria) regarding indirect
contamination monitoring.
Status
Completed
Further audit inquiry conducted at the laboratory
revealed that surveys are taking place, and
results are physically stored in a secure cabinet.
CA-255025-06.2
The licensee has implemented a radiation
protection program that keeps doses as low as
reasonably achievable, and includes:
(i) management control over work practices
(ii) personnel qualification and training
(iii) control of occupational and public exposure
to radiation
(iv) planning for unusual situations.
Quarterly meetings of the new Radiation Safety
Committee were to be set up (as part of terms of
reference) to provide oversight of the required
areas. Initial audit procedures confirmed the
occurrence of two meetings: February 14, 2013
and November 25, 2013.
Meetings planned for May and August 2013 did
not occur, due to overlapping Commission
meetings.
Partially
completed
Discussions with the laboratory revealed that
quarterly meetings are now set-up in advance by
the Director General of DERPA.
The quarterly meetings for 2014 are scheduled
as follows: Feb. 17, May 14, Sept. 15, and Dec.
3.
11
Follow-up Audit of the Implementation of Action Plans in response to the Check Source Review
Office of Audit and Ethics
April 30, 2014
Rec #
CA-25502607.1
Requirement
Prior to decommissioning an area, room or
enclosure the following items have been
confirmed:
(a) loose contamination levels meet the licence
criteria
(b) release of any room that contains fixed
contamination has been approved in writing by
the CNSC
Actions completed/Assessment
Status
Procedure CNSC RSP-LP-07: Control of
Processes – Sealed Source Control includes the
responsibility for an authorized user to complete
decommissioning activities following training/use
of a check source. It describes, in detail, the
specific actions/procedures the authorized user
must take to meet the decommissioning
requirements.
Completed
Initial analysis found that procedures have not
been elaborated for clothing. However, given the
nature of the sources being handled, this should
not be an issue. Also, supporting documentation
outlines what specific equipment is needed, but
not how to use it.
Completed
(c) all nuclear substances and radiation devices
have been removed
(d) all radiation warning signs have been
removed.
CA-25502608.1
Licensee ensures appropriate equipment,
clothing and procedures are used at the work
site.
Since AUs are required to undergo training
relative to safe handling and storage prior to be
authorized to use sources, this is sufficiently
addressed through existing training and
procedure manuals.
12
Follow-up Audit of the Implementation of Action Plans in response to the Check Source Review
Office of Audit and Ethics
April 30, 2014
Rec #
Requirement
Actions completed/Assessment
Status
CA-255026-9.1
A current list of nuclear energy workers
(including names and job categories) is
available.
A list of names of people (including their
workplaces) authorized by their management to
use and work with nuclear substances is kept up
to date. Responsible managers are required to
provide updates to the list as necessary, and
have been doing so.
Completed
CA-25502610.1
The package has been tested to confirm
surface contamination is below 4 Bq/cm2 for
beta and gamma emitters and low toxicity alpha
emitters, and 0.4 Bq/cm2 for all other alpha
emitters. PTNS 16 (4) and TS-R-1 508, 509.
Record requirement NSRD 36 (1) (e)
The Radiation Safety Manual has a section called
“Preparing Expected and Type A Packages for
Transport”, which communicates the procedure
and steps in preparing excepted and type A
package for transport under the CNSC
consolidated uses license. It also describes the
responsibility, authority and procedure, and
includes hazard labels (activity in Bq).
Completed
13
Follow-up Audit of the Implementation of Action Plans in response to the Check Source Review
Office of Audit and Ethics
April 30, 2014
Rec #
Requirement
Actions completed/Assessment
CA-255026-11
Type A package design, test results and
packaging instructions kept on file for two years
after last shipment.
The manufacturer of the container was unable to
provide additional documentation for test results.
The laboratory is currently working with the
Transportation Division to test Type A packages.
Stack, drop and penetration testing is being done
to confirm manufacturer claims. The results of
testing will be documented in a Type A package
evaluation document.
Status
Complete
Reacting to this, the laboratory completed the
evaluation and a test report. The two documents
were reviewed by the CNSC’s Transport
Licencing and Strategic Support Division, and
were found satisfactory. The copies will be
maintained as records at the laboratory. To
address and close the inspection findings, they
were also sent to the DNSR inspector for
consideration.
CA-25502612.1
Shipping documents used are kept on file for 2
years - PTNS 15 (1).*
The requirement has been met, and is supported
by the following audit tests:
Complete
Preliminary documentation analysis confirmed
the existence of a process for controlling the
transfer of sources.
Follow-up verification at the laboratory revealed
that shipping documents were being filed in a
secure cabinet.
14
Follow-up Audit of the Implementation of Action Plans in response to the Check Source Review
Office of Audit and Ethics
April 30, 2014
Rec #
CA-255026-13
Requirement
A copy of the Transport of Dangerous Goods
(TDG) certificate(s) is kept on file for two years
and is available to the inspector.
Actions completed/Assessment
Observations made at the laboratory revealed
that records for authorized users are filed in a
secure cabinet. These records demonstrated that
authorized users who require TDG training have
the checklist completed and signed (observed at
laboratory).
Status
Complete
15