Section 0400-20-13-.03 - PHYSICAL PROTECTION REQUIREMENTS DURING USE(1) Security program.(a) Applicability. 1. Each licensee that possesses an aggregated category 1 or category 2 quantity of radioactive material shall establish, implement, and maintain a security program in accordance with the requirements of this rule.2. An applicant for a new license and each licensee that would become newly subject to the requirements of this chapter upon application for modification of its license shall implement the requirements of this chapter, as appropriate, before taking possession of an aggregated category 1 or category 2 quantity of radioactive material.3. Any licensee that has not previously implemented the Security Orders or been subject to the provisions of this chapter shall provide written notification to the Division specified in paragraph (4) of Rule 0400-20-13-.01 at least 90 days before aggregating radioactive material to a quantity that equals or exceeds the category 2 threshold.(b) General performance objective. Each licensee shall establish, implement, and maintain a security program that is designed to monitor and, without delay, detect, assess, and respond to an actual or attempted unauthorized access to category 1 or category 2 quantities of radioactive material.
(c) Program features. Each licensee's security program must include the program features, as appropriate, described in paragraphs (2) through (8) of this rule.
(2) General security program requirements.(a) Security plan.1. Each licensee identified in subparagraph (1)(a) of this rule shall develop a written security plan specific to its facilities and operations. The purpose of the security plan is to establish the licensee's overall security strategy to ensure the integrated and effective functioning of the security program required by this rule. The security plan must, at a minimum:(i) Describe the measures and strategies used to implement the requirements of this rule; and(ii) Identify the security resources, equipment, and technology used to satisfy the requirements of this rule.2. The security plan must be reviewed and approved by the individual with overall responsibility for the security program.3. A licensee shall revise its security plan as necessary to ensure the effective implementation of Division requirements. The licensee shall ensure that:(i) The revision has been reviewed and approved by the individual with overall responsibility for the security program; and(ii) The affected individuals are instructed on the revised plan before the changes are implemented.4. The licensee shall retain a copy of the current security plan as a record for 3 years after the security plan is no longer required. If any portion of the plan is superseded, the licensee shall retain the superseded material for 3 years after the record is superseded.(b) Implementing procedures.1. The licensee shall develop and maintain written procedures that document how the requirements of this rule and the security plan will be met.2. The implementing procedures and revisions to these procedures must be approved in writing by the individual with overall responsibility for the security program.3. The licensee shall retain a copy of the current procedure as a record for 3 years after the procedure is no longer needed. Superseded portions of the procedure must be retained for 3 years after the record is superseded.(c) Training. 1. Each licensee shall conduct training to ensure that those individuals implementing the security program possess and maintain the knowledge, skills, and abilities to carry out their assigned duties and responsibilities effectively. The training must include instruction in:(i) The licensee's security program and procedures to secure category 1 or category 2 quantities of radioactive material, and in the purposes and functions of the security measures employed;(ii) The responsibility to report promptly to the licensee any condition that causes or may cause a violation of Division requirements;(iii) The responsibility of the licensee to report promptly to the local law enforcement agency and licensee any actual or attempted theft, sabotage, or diversion of category 1 or category 2 quantities of radioactive material; and(iv) The appropriate response to security alarms.2. In determining those individuals who shall be trained on the security program, the licensee shall consider each individual's assigned activities during authorized use and response to potential situations involving actual or attempted theft, diversion, or sabotage of category 1 or category 2 quantities of radioactive material. The extent of the training must be commensurate with the individual's potential involvement in the security of category 1 or category 2 quantities of radioactive material.3. Refresher training must be provided at a frequency not to exceed 12 months and when significant changes have been made to the security program. This training must include:(i) Review of the training requirements of this subparagraph and any changes made to the security program since the last training;(ii) Reports on any relevant security issues, problems, and lessons learned;(iii) Relevant results of NRC inspections; and(iv) Relevant results of the licensee's program review and testing and maintenance.4. The licensee shall maintain records of the initial and refresher training for 3 years from the date of the training. The training records must include dates of the training, topics covered, a list of licensee personnel in attendance, and related information.(d) Protection of information.1. Licensees authorized to possess category 1 or category 2 quantities of radioactive material shall limit access to and unauthorized disclosure of their security plan, implementing procedures, and the list of individuals that have been approved for unescorted access.2. Efforts to limit access shall include the development, implementation, and maintenance of written policies and procedures for controlling access to, and for proper handling and protection against unauthorized disclosure of, the security plan, implementing procedures, and the list of individuals who have been approved for unescorted access.3. Before granting an individual access to the security plan, implementing procedures, or the list of individuals who have been approved for unescorted access, licensees shall: (i) Evaluate an individual's need to know the security plan, implementing procedures, or the list of individuals who have been approved for unescorted access; and(ii) If the individual has not been authorized for unescorted access to category 1 or category 2 quantities of radioactive material, safeguards information, or safeguards information-modified handling, the licensee must complete a background investigation to determine the individual's trustworthiness and reliability. A trustworthiness and reliability determination shall be conducted by the reviewing official and shall include the background investigation elements contained in parts (3)(a)2 through 7 of Rule 0400-20-13-.02.4. Licensees need not subject the following individuals to the background investigation elements for protection of information:(i) The categories of individuals listed in parts (5)(a)1 through 13 of Rule 0400-20-13-.02; or(ii) Security service provider employees, provided written verification that the employee has been determined to be trustworthy and reliable, by the required background investigation in parts (3)(a)2 through 7 of Rule 0400-20-13-.02, has been provided by the security service provider.5. The licensee shall document the basis for concluding that an individual is trustworthy and reliable and should be granted access to the security plan, implementing procedures, or the list of individuals who have been approved for unescorted access.6. Licensees shall maintain a list of persons currently approved for access to the security plan, implementing procedures, or the list of individuals who have been approved for unescorted access. When a licensee determines that a person no longer needs access to the security plan, implementing procedures, or the list of individuals who have been approved for unescorted access or no longer meets the access authorization requirements for access to the information, the licensee shall remove the person from the approved list as soon as possible, but no later than seven working days, and take prompt measures to ensure that the individual is unable to obtain the security plan, implementing procedures, or the list of individuals who have been approved for unescorted access.7. When not in use, the licensee shall store its security plan, implementing procedures, and the list of individuals who have been approved for unescorted access in a manner to prevent unauthorized access. Information stored in nonremovable electronic form must be password protected.8. The licensee shall retain as a record for three years after the document is no longer needed: (i) A copy of the information protection procedures; and(ii) The list of individuals approved for access to the security plan, implementing procedures, or the list of individuals who have been approved for unescorted access.(3) LLEA coordination. (a) A licensee subject to this rule shall coordinate, to the extent practicable, with an LLEA for responding to threats to the licensee's facility, including any necessary armed response. The information provided to the LLEA must include: 1. A description of the facilities and the category 1 and category 2 quantities of radioactive materials along with a description of the licensee's security measures that have been implemented to comply with this rule; and2. A notification that the licensee will request a timely armed response by the LLEA to any actual or attempted theft, sabotage, or diversion of category 1 or category 2 quantities of material.(b) The licensee shall notify the Division within 3 business days if:1. The LLEA has not responded to the request for coordination within 60 days of the coordination request; or2. The LLEA notifies the licensee that the LLEA does not plan to participate in coordination activities.(c) The licensee shall document its efforts to coordinate with the LLEA. The documentation must be kept for 3 years.(d) The licensee shall coordinate with the LLEA at least every 12 months, or when changes to the facility design or operation adversely affect the potential vulnerability of the licensee's material to theft, sabotage, or diversion.(4) Security zones. (a) Licensees shall ensure that all aggregated category 1 and category 2 quantities of radioactive material are used or stored within licensee-established security zones. Security zones may be permanent or temporary.(b) Temporary security zones must be established as necessary to meet the licensee's transitory or intermittent business activities, such as periods of maintenance, source delivery, and source replacement.(c) Security zones must, at a minimum, allow unescorted access only to approved individuals through: 1. Isolation of category 1 and category 2 quantities of radioactive materials by the use of continuous physical barriers that allow access to the security zone only through established access control points. A physical barrier is a natural or man-made structure or formation sufficient for the isolation of the category 1 or category 2 quantities of radioactive material within a security zone;2. Direct control of the security zone by approved individuals at all times; or3. A combination of continuous physical barriers and direct control.(d) For category 1 quantities of radioactive material during periods of maintenance, source receipt, preparation for shipment, installation, or source removal or exchange, the licensee shall, at a minimum, provide sufficient individuals approved for unescorted access to maintain continuous surveillance of sources in temporary security zones and in any security zone in which physical barriers or intrusion detection systems have been disabled to allow such activities.(e) Individuals not approved for unescorted access to category 1 or category 2 quantities of radioactive material must be escorted by an approved individual when in a security zone.(5) Monitoring, detection, and assessment.(a) Monitoring and detection. 1. Licensees shall establish and maintain the capability to continuously monitor and detect without delay all unauthorized entries into its security zones. Licensees shall provide the means to maintain continuous monitoring and detection capability in the event of a loss of the primary power source, or provide for an alarm and response in the event of a loss of this capability to continuously monitor and detect unauthorized entries.2. Monitoring and detection must be performed by:(i) A monitored intrusion detection system that is linked to an onsite or offsite central monitoring facility;(ii) Electronic devices for intrusion detection alarms that will alert nearby facility personnel;(iii) A monitored video surveillance system;(iv) Direct visual surveillance by approved individuals located within the security zone; or(v) Direct visual surveillance by a licensee designated individual located outside the security zone.3. A licensee subject to this chapter shall also have a means to detect unauthorized removal of the radioactive material from the security zone. This detection capability must provide: (i) For category 1 quantities of radioactive material, immediate detection of any attempted unauthorized removal of the radioactive material from the security zone. Such immediate detection capability must be provided by:(I) Electronic sensors linked to an alarm;(II) Continuous monitored video surveillance; or(III) Direct visual surveillance.(ii) For category 2 quantities of radioactive material, weekly verification through physical checks, tamper indicating devices, use, or other means to ensure that the radioactive material is present.(b) Assessment. Licensees shall immediately assess each actual or attempted unauthorized entry into the security zone to determine whether the unauthorized access was an actual or attempted theft, sabotage, or diversion.
(c) Personnel communications and data transmission. For personnel and automated or electronic systems supporting the licensee's monitoring, detection, and assessment systems, licensees shall:
1. Maintain continuous capability for personnel communication and electronic data transmission and processing among site security systems; and2. Provide an alternative communication capability for personnel, and an alternative data transmission and processing capability, in the event of a loss of the primary means of communication or data transmission and processing. Alternative communications and data transmission systems may not be subject to the same failure modes as the primary systems.(d) Response. Licensees shall immediately respond to any actual or attempted unauthorized access to the security zones, or actual or attempted theft, sabotage, or diversion of category 1 or category 2 quantities of radioactive material at licensee facilities or temporary job sites. For any unauthorized access involving an actual or attempted theft, sabotage, or diversion of category 1 or category 2 quantities of radioactive material, the licensee's response shall include requesting, without delay, an armed response from the LLEA.
(6) Maintenance and testing. (a) Each licensee subject to this chapter shall implement a maintenance and testing program to ensure that intrusion alarms, associated communication systems, and other physical components of the systems used to secure or detect unauthorized access to radioactive material are maintained in operable condition and are capable of performing their intended function when needed. The equipment relied on to meet the security requirements of this chapter must be inspected and tested for operability and performance at the manufacturer's suggested frequency. If there is no suggested manufacturer's suggested frequency, the testing must be performed at least annually, not to exceed 12 months.(b) The licensee shall maintain records on the maintenance and testing activities for 3 years.(7) Requirements for mobile devices. Each licensee that possesses mobile devices containing category 1 or category 2 quantities of radioactive material must:
(a) Have two independent physical controls that form tangible barriers to secure the material from unauthorized removal when the device is not under direct control and constant surveillance by the licensee; and(b) For devices in or on a vehicle or trailer, unless the health and safety requirements for a site prohibit the disabling of the vehicle, the licensee shall utilize a method to disable the vehicle or trailer when not under direct control and constant surveillance by the licensee. Licensees shall not rely on the removal of an ignition key to meet this requirement.(8) Security program review. (a) Each licensee shall be responsible for the continuing effectiveness of the security program. Each licensee shall ensure that the security program is reviewed to confirm compliance with the requirements of this chapter and that comprehensive actions are taken to correct any noncompliance that is identified. The review must include the radioactive material security program content and implementation. Each licensee shall periodically (at least annually) review the security program content and implementation.(b) The results of the review, along with any recommendations, must be documented. Each review report must identify conditions that are adverse to the proper performance of the security program, the cause of the condition(s), and, when appropriate, recommend corrective actions, and corrective actions taken. The licensee shall review the findings and take any additional corrective actions necessary to preclude repetition of the condition, including reassessment of the deficient areas where indicated.(c) The licensee shall maintain the review documentation for 3 years.(9) Reporting of events. (a) The licensee shall immediately notify the LLEA after determining that an unauthorized entry resulted in an actual or attempted theft, sabotage, or diversion of a category 1 or category 2 quantity of radioactive material. As soon as possible after initiating a response, but not at the expense of causing delay or interfering with the LLEA response to the event, the licensee shall notify the Division. In no case shall the notification to the Division be later than 4 hours after the discovery of any attempted or actual theft, sabotage, or diversion.(b) The licensee shall assess any suspicious activity related to possible theft, sabotage, or diversion of category 1 or category 2 quantities of radioactive material and notify the LLEA as appropriate. As soon as possible but not later than 4 hours after notifying the LLEA, the licensee shall notify the Division at (615) 532-0364. For after-hours notifications, the licensee shall contact the Tennessee Emergency Management Agency, (615) 741-0001.(c) The initial telephonic notification required by subparagraph (a) of this paragraph must be followed within a period of 30 days by a written report submitted to the Division by an appropriate method listed in paragraph (4) of Rule 0400-20-13-.01. The report must include sufficient information for Division analysis and evaluation, including identification of any necessary corrective actions to prevent future instances.Tenn. Comp. R. & Regs. 0400-20-13-.03
Original rule filed June 14, 2017; effective September 12, 2017. Amendments filed December 4, 2023; effective 3/3/2024.Authority: T.C.A. §§ 4-5-201, et seq.; 68-202-101, et seq.; and 68-202-201, et seq.