Audit of Chemical, Biological, Radiological and Nuclear (CBRN) Material Management

March 2014

7050-64 (CRS)

Reviewed by CRS in accordance with the Access to Information Act (AIA). Information UNCLASSIFIED.

Acronyms and Abbreviations

CBRN

Chemical, Biological, Radiological and Nuclear

CRS

Chief Review Services

DRDC

Defence Research and Development Canada

ADM(S&T)

Assistant Deputy Minister (Science and Technology)

D N Safe

Director Nuclear Safety

OPI

Office of Primary Interest

DND/CAF

Department of National Defence/Canadian Armed Forces

Results in Brief

Overall Assessment

While the results of external compliance measures have been generally positive, input and involvement of Assistant Deputy Minister (Science and Technology) (ADM(S&T)) in the development of local CBRN material governance and risk management activities is required to ensure that local control initiatives are effective, appropriate, and complementary to existing external reviews and controls.

This audit was conducted in accordance with the Chief Review Services (CRS) Risk-based Internal Audit Plan for fiscal years 2013/14 to 2015/16. CRS conducted the audit of CBRN material management, focusing on high-risk materials and activities in order to assess the governance, risk management and control processes relating to the life cycle management of these materials.

In support of its defensive capabilities against CBRN threats, the Department of National Defence and the Canadian Armed Forces (DND/CAF) maintain holdings of CBRN materials for use in research and training. Additionally, the Department makes use of substances and equipment with ionizing radiation sources in a range of other applications, such as calibration and testing, industrial radiography, and irradiation.

The potential for harmful effects of these materials, and the nature of the Department’s work with them, leads to significant risks. The unique capabilities of the Department related to CBRN add to the challenge in developing systems to ensure that its programs enable the achievement of defence objectives while managing risks and maintaining an effective control framework.

Findings and Recommendations

Governance. Governance structures over CBRN activities exist at several levels. Processes are in place to address external and regulatory requirements. DND/CAF organizations that use CBRN materials tend to develop specific locally-based processes to manage specialized activities, with consideration to the technical knowledge required for material handling and control. However, local governance processes and the visibility of local material holdings and activities could be strengthened by improving departmental guidance and oversight.

It is recommended that ADM(S&T) increase its oversight of research centres working with CBRN materials to provide an additional perspective into the design of locally developed governance processes, and to increase the visibility of holdings and activities for which it is accountable.

Risk Management. Management of CBRN materials includes consideration of a range of risks that must be identified and assessed in order to design mitigating controls. Residual risks must also be recognized by management. In organizations working with CBRN materials, risk management has been largely devolved to local levels, which consider risks involved in the general operation of CBRN facilities, and establish risk management processes related to specific projects and activities. However, headquarters organizations have not defined risk tolerance levels for CBRN activities, and have provided limited oversight or guidance to subordinate organizations to ensure that risk identification, assessment and management are consistent and complete.

It is recommended that ADM(S&T) headquarters take a more active role in its accountability for CBRN activities by determining and communicating risk tolerance levels to research centres, ensuring that managers have access to current threat and risk information, and establishing mechanisms and guidance to ensure the quality of local risk management processes.

Inventory Control. Control processes are necessary to ensure the full accounting of CBRN materials throughout their life cycle. Characteristics of these materials, such as the ability for growth and replication of biological materials and the ability to dilute chemical substances, increase the difficulty in maintaining accurate inventory records.                                                                                                                                                                                                                                                                                                                     Inventory management processes could also be strengthened for some categories of materials.

It is recommended that comprehensive inventory records be maintained for chemical and radiological materials of concern to ensure a thorough accounting at all stages of their life cycle, and that procedures be implemented to ensure that inventory activities are monitored and approved on a regular basis.

Environment, Health and Safety. Proper containment of CBRN materials is necessary to prevent harm to personnel, public health, and the environment. Facilities involved in CBRN research are subject to external regulation, and were compliant with requirements for licensing, certifications and authorizations. While procedures are in place to ensure the safe handling of materials, the efforts required to maintain related infrastructure and equipment are posing an increasing burden. In addition, plans for remediation of contaminated sites have been suspended.

It is recommended that long-term solutions be developed for the replacement of facilities and remediation of sites, but interim measures are also needed to ensure that immediate risks are addressed, and that plans are in place to mitigate the outcome should these risks materialize.

Note: For a more detailed list of CRS recommendations and management response, please refer to Annex A—Management Action Plan.

Introduction

Background

In the course of its normal activities, DND/CAF handles a wide range of products and substances that pose significant hazards and risks. These materials include those that have common consumer or industrial applications, and others that are more specific to the Department’s military mandate. Materials such as fuels and lubricants, ammunition and explosives, along with other hazardous materials, are subject to management programs to protect personnel, equipment, and the environment.

CBRN materials typically refer to chemical agents, biological agents, and radiological materials, as well as weapons and devices intended to disperse these toxicological materials, and nuclear weapons and devices. While weaponization and offensive uses are prohibited under international conventions, DND/CAF holds such materials as part of its programs to develop defensive capabilities against CBRN threats. In addition, DND/CAF manages an inventory of ionizing radiation sources that includes radioactive nuclear substances and equipment with industrial applications that contain radiological components.

Considering their dangerous effects, the immediate risks related to these materials are the risk to the occupational health and safety of personnel working directly with them and the risk to staff in the event that containment is compromised. CBRN activities also involve risks to public health and the environment that must be considered. The possibility of employing such materials without managerial authorization or, far worse, the possibility of employing such materials illegally as weapons, requires appropriate security measures and inventory controls to be in place. The Department’s CBRN programs give rise to legal compliance and public scrutiny risks, in that the Canadian public and the international community need to be assured that CBRN activities are defensive in nature, and are conducted safely and professionally. These inherent risks, given the nature of the materials and their potential for harm, require that material management processes be in place to ensure appropriate control over their life cycle.

CRS completed an Audit of Security for Sensitive Inventories in 2004,1 with a follow-up in 2008,2 which included consideration of CBRN materials. The implementation of management actions resulting from these reports was assessed in the current audit, where they fell within its scope.

Objective

The objective of the audit was to assess the governance, risk management and control processes relating to the life cycle management of CBRN materials. Annex B outlines the audit criteria assessed in this audit.

Scope

The scope of this audit included chemical and biological agents, and radiological materials.

A chemical agent is “[a] chemical substance which is intended for use in military operations to kill, seriously injure, or incapacitate man through its physiological effects”, and “excludes riot control agents when used for law enforcement purposes, herbicides, smoke and flames.”3 Examples include nerve agents and blister agents. The scope of the audit did not include hazardous materials used in DND/CAF for general purposes, such as consumer or industrial chemical products.

A biological agent is “[a] micro-organism which causes disease in man, plants or animals or causes the deterioration of materiel.”4 Examples include bacteria and viruses. A toxin is “[t]he poisonous product of a living organism; [which] may also be synthesized.”5 The scope of the audit did not include other biological materials, such as mould or medical materials.

Radiation arises from nuclear activity and ionizing radiation sources. The scope of the audit included high-risk materials and equipment used in research and testing applications. Examples include sealed and unsealed radiation sources, X-ray devices, and equipment containing radiological components. The audit did not include equipment related to other applications, such as medical and security screening X-rays, light sources, non-ionizing radiation, or nuclear energy.

In this audit, “CBRN” refers to materials included within the audit scope. The audit examined the management of CBRN materials held by the Department, and did not examine the Department’s CBRN defence capability.

The primary focus of this audit is on the use of CBRN materials within the ADM(S&T) organization, as the materials and activities at its Defence Research and Development Canada (DRDC) research centres represent the highest risk with respect to such materials within the Department. Other applications for CBRN materials in the Department include their use in academic research, testing and analysis, industrial applications, military training, and operations environments. The findings and recommendations of the audit should be considered for all organizations with responsibility for the management of CBRN materials.

Methodology

The audit results are based on the following:

  • Interviews with Departmental authorities for policy, regulation, training, safety programs, materiel management, and environmental management within the ADM(S&T), Assistant Deputy Minister (Infrastructure and Environment), Assistant Deputy Minister (Materiel), Assistant Deputy Minister (Policy), Vice Chief of the Defence Staff and Chief Military Personnel organizations.
  • Review of legislation, policies and directives, manuals, instructions, and guidance documents, as well as internal and external reports and reviews.
  • Site visits to four DND/CAF organizations: DRDC Suffield, DRDC Ottawa, DRDC Valcartier, and Munitions Experimental Test Establishment Valcartier.
  • Interviews with functional personnel and subject matter experts at each DRDC research centre.
  • Walk-throughs of work processes and observation of workplaces, storage areas and disposal facilities.
  • Data analysis of information systems, including the Nuclear Safety Information Control System, Canadian Government Cataloguing System, Canadian Forces Supply System, and other relevant systems of record.

Statement of Conformance

The audit findings and conclusions contained in this report are based on sufficient and appropriate audit evidence gathered in accordance with procedures that meet the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing. The audit thus conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. The opinions expressed in this report are based on conditions as they existed at the time of the audit, and apply only to the entities examined.

Findings and Recommendations

Governance

Local governance processes require more input and oversight at the headquarters level to ensure their effective design, and to provide departmental visibility of CBRN activities.

The governance structure for CBRN management includes processes external to the Department, departmental oversight at the headquarters level, and local management within subordinate organizations over work processes. Given the small number of organizations involved and the specialized knowledge required, CBRN management has been focused on processes developed locally by independently operating organizations. While some organizations have developed comprehensive processes that have been subjected to external review, areas for improvement have been identified that may result in exploitable risks. The degree of autonomy of subordinate organizations has also limited awareness of their local activities by headquarters, and by other organizations that could benefit from sharing their best practices.

External Requirements

It is the policy of the Government of Canada to press for global, comprehensive, and verifiable treaties banning all biological and chemical weapons, but also to maintain effective defensive capabilities for as long as the threat from such weapons endures.

As a party to the Convention on the Prohibition of the Development, Production, Stockpiling and Use of Chemical Weapons and on their Destruction (Chemical Weapons Convention), Canada has committed to restrict the use of chemical agents to peaceful purposes, such as research or protection. Canada reports annually to the Organization for the Prohibition of Chemical Weapons its holdings and activities related to certain toxic chemicals; the Department’s production facilities for “Schedule 1 chemicals” at the Suffield research centre and the Royal Military College of Canada are also subject to external inspection. Implementation of the Chemical Weapons Convention is achieved through the Chemical Weapons Convention Implementation Act and related regulations, which establishes Foreign Affairs, Trade and Development Canada as the national authority.

Canada is also a party to the Convention on the Prohibition of the Development, Production, Stockpiling and Use of Bacteriological (Biological) and Toxin Weapons (Biological and Toxin Weapons Convention), and makes certain declarations annually as a confidence-building measure, including on aspects of the Department’s biological defence programs. The Department of Health Act, Health of Animals Act, Human Pathogens and Toxins Act, and related regulations, establish a legislative and regulatory framework for activities involving biological materials. As regulatory authorities, the Public Health Agency of Canada and the Canadian Food Inspection Agency have established standards and certify laboratories working with infectious agents. DRDC Suffield operates two laboratories for work with high-risk agents, which are certified to Biosafety Level 3. Biosafety Level 1 and 2 facilities are also operated by the Suffield research centre, and by other areas of the Department, for work with lower-risk agents.

The DND/CAF chemical and biological defence programs are also subject to review by the Biological and Chemical Defence Review Committee, which was established to provide the Minister with independent, third-party review of all DND/CAF biological and chemical defence research, development and training activities. The Committee works to assure the Canadian public and the international community that the Government’s policy of maintaining only a defensive capability is always fully respected, and that its activities are conducted in a professional manner with minimal risk to public safety or the environment.

Because of the specialized nature of the radiological and nuclear activities of the Department, most DND/CAF activities are excluded from civilian regulation through the Nuclear Safety and Control Act. Instead, Director Nuclear Safety (D N Safe), an organization of the Assistant Deputy Minister (Infrastructure and Environment), serves as the regulatory authority for all nuclear activities conducted by the Department. D N Safe also administers the Radiation Emitting Devices Act within the Department, which applies to equipment such as X-ray devices.

The management of CBRN materials is also subject to additional requirements that apply to the use of other general classes of hazardous substances. Compliance with the Canadian Environmental Protection Act is also particularly important at DRDC. Policy and legislation in areas such as occupational health and safety, environmental protection, dangerous goods transportation, and hazardous materials management, also apply to CBRN materials.

External examinations involving CBRN facilities and activities, such as inspections by the Organization for the Prohibition of Chemical Weapons, the Biological and Chemical Defence Review Committee, and D N Safe, have been generally positive. Required authorizations, licences and permits have been granted by issuing authorities.

Departmental Oversight

The use of chemical and biological agents is limited to a small number of organizations within the Department. Management of these materials requires specialized technical knowledge, which is not duplicated at the headquarters level. As a result, material management responsibilities are held at the local level, and a departmental functional authority for chemical and biological materials does not exist.

DRDC Suffield provides an annual report of certain inventory holdings and activities to the ADM(S&T) Head Office. However, this information does not provide a complete accounting of all high-risk materials, and it is subject to the research centre's material accounting and control processes. ADM(S&T) is not involved in the development or review of material management policies and procedures for research centres, nor is the Head Office routinely provided with results of external certifications, inspections and reviews.

Good Practice

D N Safe tries to reduce the compliance burden for client organizations by simplifying policies and procedures, reducing requirements for low-risk materials, and providing practical advice.

D N Safe is the Department’s functional authority for radiological and nuclear materials. D N Safe regulates activities within the Department by establishing nuclear safety orders, directives, instructions and other guidance, and providing technical advice to client organizations. Organizations carrying on radiological and nuclear activity must be authorized by D N Safe, and approval is required for life cycle activities such as procurement, transportation and disposal of substances and equipment, commissioning and decommissioning of facilities, and procedures for use, handling and storage. D N Safe also carries on an inspection program to ensure compliance with its policies and procedures.

D N Safe operates according to a comprehensive set of policies and procedures that provide direction and guidance to its client organizations, as well as detailing its internal operations. Ongoing policy development by D N Safe will address policy gaps to ensure consistent practices, and to document work processes and decision models.

D N Safe has also established a departmental radiation safety functional community, and works closely with it to encourage collaboration and partnership. A key success factor of the radiation safety program is in the technical subject matter expertise and professional judgement of D N Safe personnel and its network of radiation safety officers. In organizations holding ionizing radiation sources, command and formation radiation safety officers act as functional advisors at the headquarters level. Local base or unit radiation safety officers provide direct oversight and advice to users. In the organizations examined, the role of the command radiation safety officer is limited, and material management is primarily performed by local organizations with oversight by D N Safe.

Local Management

Management of chemical and biological agents is dependent on differing locally developed governance structures. Research centres develop a series of procedures in areas such as health and safety, environment, material management, laboratory practices, security, and project approval. At DRDC Suffield, for example, chemical and biological safety officers, section heads or defence scientists develop manuals and instructions, consistent with relevant legislation and standards. Safety committees are in place to review proposed projects and processes, and provide a forum to raise issues and concerns. Reviews of best practices in Allied organizations have also been undertaken to identify improvements to local procedures.

Despite the efforts of each organization, insufficient oversight over local governance processes has limited the comprehensiveness of governance structures, risk management, and control processes.

In some areas, employees were assigned to incompatible responsibilities that weakened control over materials, while concentration of responsibilities within key positions could lead to succession issues.

  • At the Suffield research centre, projects involving chemicals listed in Schedule 1 of the Chemical Weapons Convention are required to undergo independent review by a senior scientist for appropriateness before being submitted for approval by the centre director. As a result of personnel reductions, the supervisor of the Canadian National Single Small-Scale Facility has recently been performing this function, even though most work with such chemicals involves his facility.
  • For some substances, individual employees had responsibilities in multiple areas of material management, including receipt, storage, recordkeeping, and disposal. Without the corresponding checks and balances needed for proper oversight, such structures may expose a risk for inventory records to be altered.

Section supervisors and safety officers also conduct inspections of various aspects of CBRN life cycle management. These inspections are generally done informally, without a checklist or schedule, providing no documented assurance as to the effectiveness of material control activities.

While the ADM(S&T) Head Office is responsible for formulating the CBRN science and technology program, it has limited involvement in the management of CBRN materials. Oversight for material management occurs primarily at the external or functional levels, through organizations such as Foreign Affairs, Trade and Development Canada, Public Health Agency of Canada, D N Safe, and, at local levels, through governance structures at each research centre.

Summary

For organizations involved in highly specialized activities involving CBRN materials, it may be appropriate for life cycle management programs to be developed locally by subject matter experts most familiar with their requirements. Nevertheless, ADM(S&T) is accountable for the activities of subordinate organizations and, as such, the Head Office should participate in the management of CBRN materials to ensure an adequate understanding of local holdings and activities, and to identify and address potential gaps in local governance processes. Reducing the autonomy at local levels is also consistent with the recommendation of the Biological and Chemical Defence Review Committee for organizations to share ideas for best practices in the life cycle management of CBRN materials.

Recommendation

1.         ADM(S&T) should ensure that local managers have the guidance and information necessary to develop and implement the processes and controls required to safeguard CBRN materials, and ensure the visibility to ADM(S&T) of holdings and activities, including the results of external reviews, such as certifications and inspections.

OPI: ADM(S&T)

Risk Management

The consistency and quality of risk identification, assessment and management practices could be improved through additional guidance and oversight.

With the inherent risks posed by CBRN materials, it is important that risks be identified and assessed so that management can make informed decisions about the need for mitigating controls, and understand the nature of any residual risks it chooses to accept.

Risk management processes for CBRN materials can be considered in terms of risks to the Department or overall program; risks within a particular organization or installation, including facility infrastructure and equipment; and risks related to a specific project or activity.

Program Risk

As a functional authority, D N Safe manages nuclear activities and ionizing radiation sources of higher risk. In order to adapt to resource constraints, D N Safe assessed the degrees of risk posed by ionizing radiation sources held by the Department, and balanced its management and oversight activities accordingly. D N Safe focuses its compliance activities on organizations carrying out activities of higher risk through measures such as eliminating expiry dates for unit permits, and adjusting the frequency of unit inspections. D N Safe also considers risks in its review of project and training proposals. Risk assessment within D N Safe is based on the professional judgement of subject matter experts and, therefore, risk identification tends to be intuitive. Formal risk management methodologies have not been established.

Within ADM(S&T), research centres operate autonomously to identify and assess risks related to installations and activities, and to implement mitigating controls. Without guidance or oversight from ADM(S&T) Head Office, risk management activities tend to be informal, and their effectiveness is not confirmed. Despite its responsibility for organizational risk management, ADM(S&T) Head Office has not communicated the extent of its tolerance for risk, leaving these decisions to local management of the research centres.

Installation Risk

Risks at the level of the local installation relate primarily to facilities and infrastructure, and to general work practices not specific to an individual project that impact on CBRN materials.

Health and safety risks are a primary consideration for personnel working with CBRN materials. Job hazard investigations are a requirement of the Canada Labour Code, Part II, and are used to identify and assess hazardous substances in the workplace as the basis for implementing safety controls. At the locations visited, job hazard investigations were not complete at some sites, while others were not completed to the extent of detail needed to identify relevant risks. Departmental guidance has not been developed to communicate the expectations for job hazard investigations, or to provide instructions on how they should be performed.

Security risks include threats to physical security and access, personnel security, and threats from external sources.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               Without a comprehensive and current understanding of threats to installations, the adequacy of security controls cannot be appropriately assessed.

Risks related to activities that may have an environmental impact need to be assessed so that preventive measures can be implemented. Environmental assessments have been completed for sites and facilities. These assessments establish designated areas within installations (buildings, training areas and experimental proving grounds), and the general type of activity that can be performed within each area. Activities outside the scope of the completed environmental assessment would require additional consideration.

Good Practice

DRDC Suffield recently implemented an improved project approval process that more explicitly documents and considers major risk areas. Risks identified through this process trigger reviews by relevant functional experts before a project is approved.

Activity Risk

Each research centre has established local processes for project approval. Project approval documents generally include a description of the proposed experiment or training activity, including the materials to be used, methodology to be employed, and safety practices to be applied.

The chemical and biological agents employed in research projects are those required to address specific operational requirements. Scientists play a significant role in proposing projects that meet requirements identified by the operational environments. Chemical agents, biological agents, and radiological materials employed in training are selected on the basis of safety, availability and training objectives.

Project approval documents generally included a risk assessment. Depending on the project, risks considered included health and safety, environmental impact, and public scrutiny. Local project approval processes considered risk, but were not consistent in their assessment. There is a heavy reliance on the diligence and professional judgement of subject matter experts within research centres to identify risks; however, subject matter experts in a technical area may not be qualified or have all the information necessary to perform risk management. This, in combination with the lack of national guidance, means that local risk management processes may not be sufficient. Adequate controls cannot be developed or implemented if risks are not properly identified and assessed.

There are no standard requirements for project approval processes. CBRN project approval processes vary in terms of formality and rigour. Projects at one site required section head approval only, while another had an online application and approval process with a list of potential risks requiring multiple sign-offs. The risk assessment structure does not give reasonable assurance that all the risks of undertaking a new project have been considered.

ADM(S&T) has recently undergone a restructuring of its organization and work processes in order to ensure the alignment of scientific programs with research projects. As part of this reorganization, ADM(S&T) Head Office will have improved oversight of research projects, which would include the opportunity to review project risks, standardize project approval processes, and develop guidance for research centres on project management.

Summary

ADM(S&T) is responsible for the management of CBRN activities carried on by DRDC research centres, including the consideration of risks associated with the overall program, the operations of each installation, and with specific projects. However, research centres have tended to operate based on locally-developed processes, resulting in the implementation of risk management processes that have been inconsistent and incomplete. ADM(S&T) has not provided direction on an organizational basis regarding its approach to risk that communicates management’s risk tolerance, and guidance is not in place to provide for consistent project management practices that include methodologies for risk identification and assessment.

Recommendation

2.         ADM(S&T) should support risk management over CBRN activities by establishing and communicating risk tolerance levels, ensuring managers have access to current threat and risk information, providing guidance that includes formalized project identification and approval processes, and exercising oversight over research centres to monitor and report on related risks.

OPI: ADM(S&T)

Inventory Control

Inventory management control needs to be strengthened to ensure the safeguarding of CBRN materials.

CBRN materials include products and substances that are sensitive in nature, and are subject to strict controls to prevent their unauthorized use. As a custodian of these materials, the Department is responsible for maintaining necessary controls throughout their life cycle.

Chemical Agents

Good Practice

Schedule 1 chemicals at DRDC Suffield are subject to strict procedures for laboratory operations, accounting and control, and external oversight.

Chemical agents at DRDC Suffield are managed according to their classification within the schedules of the Chemical Weapons Convention. Inventories of Schedule 1 chemicals are strictly controlled, and are subject to reporting to and inspection by Foreign Affairs, Trade and Development Canada. Records of the Canadian National Single Small-Scale Facility, a segregated section of the research centre, are inspected by the Organization for the Prohibition of Chemical Weapons. Schedule 1 inventories are also reported annually to the ADM(S&T) Head Office.

The Single Small-Scale Facility maintains inventories of chemical agents for dispensing to scientists. In order for scientists to access Schedule 1 chemicals, an approved project form must be submitted. The project approval process includes a review of the rationale for the types and quantities of agent requested, which may be challenged and modified at various stages in the approval process. Once chemical agents have been dispensed, scientists are responsible to self-report to the Single Small-Scale Facility on their use or destruction. An annual inventory is performed of Schedule 1 holdings within the facility and of stocks held by scientists elsewhere at DRDC Suffield. Synthesis of Schedule 1 agents is also subject to reporting. The synthesis of chemical agents is subject to detailed laboratory procedures, which include the involvement or notification of multiple personnel to serve as safety backups.

DRDC Suffield also works with other chemical agents,                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                

                                                                                                                        Procedures for the management of chemical agent inventories should be based on an assessment of risks, which may consider, but should not be limited to, the need to comply with external requirements.

Biological Agents

Biological agents are categorized within the Human Pathogens and Toxins Act by risk group, based on the individual risk and communicability risk of the substance. The agent risk group, considered with the nature of the activity to be performed, determines the biosafety level of the laboratory in which work is to be performed and materials are to be stored, including consideration of engineering controls, handling procedures, decontamination measures, laboratory access controls, etc., in accordance with established laboratory standards.

The acquisition of new biological materials at DRDC Suffield requires the involvement of the biosafety officer and the bioarchivist. The bioarchivist maintains a catalogue of all biological materials held in research laboratories. Facilities at DRDC Suffield include laboratories operating at Biosafety Level 2 and 3, for bacteriology and virology.                                                                                                                                                                                                                                                                                                                                                                                                                                                   Personnel screening measures are in place to assess the suitability and reliability of employees with access to materials and facilities.

Inventories for biological agents are recorded for Risk Group 3 materials, which are tracked by physical location                     using a grid position system. The Biological and Chemical Defence Review Committee tests the accuracy of the Risk Group 3 inventories during its annual inspections.

Risk Group 2 materials are stored                    , but specific locations in each               are not recorded. While inventory control practices conform with external requirements, inherent risks associated with holding Risk Group 2 materials could be further reduced. The maintenance of additional inventory information would facilitate the location of stocks within                        , and prevent the unnecessary culturing of new stocks. The research centre is taking the initiative to catalogue its Risk Group 2 inventories with the same level of detail as Risk Group 3 inventories in anticipation of regulatory changes.

Control of biological materials involves inherent difficulties given their nature for growth and replication. It is therefore important that the Department demonstrate diligence over residual risks. Biosecurity measures include rigorous personnel screening and monitoring, robust inventory controls, and maintaining a posture of general awareness and vigilance.

Radiological Materials

Procurement of radioactive nuclear substances or equipment is regulated by D N Safe. Local procedures for the procurement of ionizing radiation sources were in place at each location visited; these involve the requisition of materials through a local procurement office. Local procurement offices are expected to recognize requisitions involving radiological materials, and to ensure that required approvals are in place prior to executing a purchase. However, procurement specialists interviewed at some locations were not familiar with these procedures, and rely on information provided by the requestor as presented. An instance was noted at one DRDC research centre where radiological materials had been procured or obtained without prior knowledge or approval of the appropriate authorities, and an authorization was issued only after the materials were discovered by a local radiation safety officer.

Radiological sources and devices are stored at every research centre and used for various applications, such as detection training and scientific research. Radiation safety officers are responsible for managing these materials, including inventory management and controlling their access to authorized users.

The Nuclear Safety Information Control System, managed by D N Safe, is intended as the system of record for ionizing radiation sources. However, inventory records in the system were not accurate at all DRDC research centres. In a sample of 131 material records at three research centres, 22 exceptions were identified. These included four instances of incorrect quantities reported, 17 instances of incorrect location recorded, and one instance where the device could not be located. An additional 16 records were found to be duplicate entries. Furthermore, 11 items observed during inventory counts were not recorded in the system. Discrepancies identified in the audit have since been addressed.

Radiation safety officers reported limitations to the system that prevented the maintenance of accurate inventory records. The system is also not intended to record inventories of materials and waste with low levels of radioactivity. As a result, separate local inventory records are maintained. However, these records were not reconciled to the Nuclear Safety Information Control System. Radiation safety officers were also observed to have the ability to modify inventory records in the system. The ability to update records without approval or audit trails creates a risk of unauthorized modifications.

While radiation safety officers reported the conduct of checks and inspections of storage areas, they did not perform formal, documented, periodic stocktaking against complete inventory records. D N Safe inspections also did not include full inventory counts. Access controls, records and logs over storage areas are in place; however, they are limited by the interval period between inventory counts. Robust controls and proper tracking of radiological materials from procurement to disposal will prevent any potential losses from being undetected for extended periods of time.

These control issues impact the ability to ensure the safeguarding of radiological materials, particularly sources and materials that are susceptible to loss.

Summary

Inventory controls for CBRN materials do not provide a complete and accurate accounting of materials. While the nature of some materials presents inherent risks that prevent detailed material accounting, improvements are needed to ensure the control of all high-risk materials and to ensure that inventory reports are reviewed at an appropriate level.

Recommendation

3.         ADM(S&T) should take appropriate action to ensure that inventory records of chemical agents and ionizing radiation sources are tracked from procurement to disposal, and that procedures are implemented to ensure that stockkeeping and inventory management activities are monitored and approved on a regular basis.

OPI: ADM(S&T)

Environment, Health and Safety

Controls are in place to protect human health and the environment; however, the management of infrastructure and equipment, and the remediation of contaminated sites, require attention to ensure the sustainability of CBRN activities.

Infrastructure and Equipment

Safe handling of CBRN materials involves the operation of complex facility systems and equipment. Equipment such as fume hoods, biosafety cabinets, and radiation-emitting devices is used directly in the handling of CBRN materials, while building systems such as ventilation, water and power provide critical support to facility operations. Infrastructure and equipment have been certified or licensed in accordance with relevant requirements. However, aging systems have declined in their suitability and condition, resulting in increased maintenance costs and restrictions on research capability. While emergency procedures and backup systems are in place, failures in infrastructure and equipment have the potential to increase risks to health and safety, environmental contamination, or business continuity.

At DRDC Suffield, the infrastructure is aging, and while designed to meet the requirements and standards of its day, it requires extensive preventative maintenance to meet current standards to be licensed by external regulators. The Biological and Chemical Defence Review Committee has also recommended as a best practice that administrative and laboratory functions be physically separated. Local utilities have been unreliable, leading to periodic power outages and the potential of equipment failures in laboratories. The resulting risk to the loss of containment and spoilage of biological materials is addressed through redundant systems and recovery plans. Plans are in place for the construction of new laboratory facilities that will resolve these concerns. In the interim, the issue will be partially addressed through the construction of modular laboratory facilities.

Irradiation equipment at DRDC Ottawa is no longer supportable. There have been difficulties in acquiring spare parts or services to maintain equipment. The irradiation equipment is slated for replacement, however, and is a priority project within the DRDC Major Equipment Project.

Life cycle management for infrastructure and equipment is needed to ensure that preventive maintenance is undertaken, and that recapitalization and replacement projects are planned to avoid interruptions to operations.

Material Handling

Good Practice

Comprehensive emergency plans are in place at DRDC Suffield, and regular exercises are conducted to promote preparedness for serious incidents.

Overall, work procedures and laboratory practices are in place to protect human health and the environment. Organizations using CBRN materials have developed detailed standard operating procedures consistent with relevant standards, outlining each step that must be followed for their safe life cycle management. Personnel are required to undergo training and orientation before being allowed to work with high-risk materials, and formal training and certification programs are under development in some areas. Safety committees are in place to provide a forum for the discussion of concerns.

Project plans describe experimental and training methods that emphasize the safety of personnel and material containment. End users are aware of relevant procedures and the risks related to CBRN materials. Personal protective equipment is available and is used by personnel. Some observations were noted where freezers or individual containers of materials were not properly labelled to identify hazardous contents.

Despite the implementation of mitigating measures, the risk of an accident involving CBRN materials remains. While some sites have implemented incident response measures, emergency response plans are not in place at all locations, or have not been tested through periodic exercises.

Contaminated Sites

Past practices related to CBRN activities have resulted in contaminated sites. These include sites of decommissioned facilities, dump sites, and ranges containing possible unexploded ordnance. Contaminated sites are managed by headquarters organizations within DND/CAF.

At one research centre, a project to manage risks related to potential CBRN-impacted sites is on hold due to technical, health and safety, and capability issues. The potential presence of CBRN significantly increases a project's technical complexities and, correspondingly, health and safety risks. The management of contaminated sites will be considered separately in a CRS Audit of Contaminated Sites and Unexploded Ordnance Liabilities.

Summary

Comprehensive procedures for the safe handling of CBRN materials are in place. However, the inherent dangers of CBRN materials require that organizations remain vigilant and prepared for accidents. The use of marginally adequate infrastructure and equipment increases this risk. An ADM(S&T) Infrastructure Strategy is being implemented to address capital deficiencies in the long term. In the short term, emergency response plans are needed to address continued risk to CBRN programs.

Recommendation

4.         ADM(S&T) should ensure that life cycle planning for infrastructure and equipment will address maintenance and recapitalization requirements. Plans for contingencies should also be put in place and tested to address residual risks to the containment of CBRN materials.

OPI: ADM(S&T)

General Conclusion

The use of CBRN materials involves the consideration of a range of specific risks. Characteristics of these materials, such as their lethality, communicability, scalability, and the persistence of harmful effects, increase the risks to the safety of personnel, public health and the environment. Legal compliance, public scrutiny and security are also considerations requiring strict accounting and control of materials.

Many of the CBRN activities conducted within ADM(S&T) represent functions that are unique to the Department, and that may be carried out by few other organizations in Canada. As a user and producer of Schedule 1 chemicals, DND/CAF is subject to international oversight. DRDC Suffield operates the Department’s only laboratory facilities certified for work with highly infectious biological agents. ADM(S&T) is the Department’s largest user of diverse radiological and nuclear materials, making it important that DND/CAF’s self-regulatory frameworks adequately address the specialized activities carried on in its research centres.

DRDC research centres have developed governance structures that are customized to each organization and the CBRN materials that they manage. Some aspects of these structures are subject to external review, and efforts are made for continuous improvement. Nevertheless, opportunities remain to improve the design of governance processes to ensure their rigour, while providing further visibility of their activities to the ADM(S&T) Head Office.

Similarly, research centres have been responsible for ensuring the management of risks within their facilities and in relation to the experiments and training conducted. Inconsistencies in risk management have resulted from a lack of guidance from the ADM(S&T) Head Office as to its organizational level of risk tolerance and advice on risk identification and assessment methodologies.

While detailed procedures are in place for the control of CBRN inventories, their adequacy has varied for some types of material. Efforts are also needed to ensure the sustainable operation of facilities, including the identification of risks and planning for contingencies.

The unique capabilities of the Department have required the development of comprehensive systems of management, often with few points of reference and through autonomously operating organizations that serve as centres of expertise. While research centres have established extensive local processes for CBRN material management, active guidance and participation of the ADM(S&T) Head Office is required to improve the effectiveness and appropriateness of governance, risk management and control activities.

Annex A—Management Action Plan

CRS uses recommendation significance criteria as follows:

 

High—Controls are not in place or are inadequate. Important issues are identified that could negatively impact the achievement of program/operational objectives.

Moderate—Controls are in place but are not being sufficiently complied with. Issues are identified that could negatively impact the efficiency and effectiveness of operations.

Low—Controls are in place but the level of compliance varies.

Governance

CRS Recommendation (Moderate Significance)

1.         ADM(S&T) should ensure that local managers have the guidance and information necessary to develop and implement the processes and controls required to safeguard CBRN materials, and ensure the visibility to ADM(S&T) of holdings and activities, including the results of external reviews, such as certifications and inspections.

Management Action

Action Plan 1.1. ADM(S&T) will put in place a framework to guide DRDC in the consistent identification, assessment, control and reporting of environmental and occupational health and safety risks related to CBRN activities. ADM(S&T) will develop and implement a Health and Safety Management System by end of fiscal year 2015/16. This System will complement the existing Environmental Management System by providing focused and strategic guidance to DRDC Centres about any need to establish processes and controls to manage occupational health and safety and environmental risks related to CBRN activities.

This Health and Safety Management System will be an Agency-level system. The System will be used to manage a coordinated and uniform approach to health and safety risks related to CBRN activities across all the DRDC Centres.

OPI: ADM(S&T)

Target Date: March 2016

Action Plan 1.2. By the end of fiscal year 2014/15, ADM(S&T) will designate a national authority responsible for the oversight and the provision of direction related to the compliance, control and risk management of CBRN activities performed at DRDC.

OPI: ADM(S&T)

Target Date: March 2015


Risk Management

CRS Recommendation (Moderate Significance)

2.         ADM(S&T) should support risk management over CBRN activities by establishing and communicating risk tolerance levels, ensuring managers have access to current threat and risk information, providing guidance that includes formalized project identification and approval processes, and exercising oversight over research centres to monitor and report on related risks.

Management Action

Action Plan 2.1. ADM(S&T) will develop and implement a standard operating procedure to establish and communicate risk tolerance levels for CBRN activities to appropriate managers. Risk tolerance levels will be established based on the review of departmental and ministerial threat and risk assessments, as well as on recommendations from external review committees—such as the Biological and Chemical Defence Review Committee. The mentioned standard operating procedure will also define the processes required to monitor and ensure that routine threat and risk assessments are provided through the appropriate intelligence and security sources. 

Milestones: a) Complete initial standard operating procedure by March 31, 2015; and b) final standard operating procedure implemented by March 31, 2016.

OPI: ADM(S&T)

Target Date: March 2016

Action Plan 2.2. By the end of fiscal year 2014/15, ADM(S&T) will have implemented fully the D N Safe Ionizing Radiation Source Authorization Permit, which uses a management system approach to permit ADM(S&T) to operate within a certain risk envelope.

OPI: ADM(S&T)

Target Date: March 2015

Action Plan 2.3. ADM(S&T) will define and implement processes for the approval and monitoring of CBRN activities. Health, safety and environmental risks will be assessed in accordance with the new systems (Environmental Management System, Health and Safety Management System) being implemented as described in Action 1.1. Projects will be approved only if they conform to the acceptable residual risk established by ADM(S&T) and disseminated as per Action 2.1. 

Milestones: a) Review of current processes by September, 2015; b) recommendations for standard agency process by January 31, 2016; and c) new procedures implemented by March 31, 2016.

OPI: ADM(S&T)

Target Date: March 2016


Inventory Control

CRS Recommendation (High Significance)

3.         ADM(S&T) should take appropriate action to ensure that inventory records of chemical agents and ionizing radiation sources are tracked from procurement to disposal, and that procedures are implemented to ensure that stockkeeping and inventory management activities are monitored and approved on a regular basis.

Management Action

Action Plan 3.1. ADM(S&T) will review procedures for monitoring the inventory of chemical agents, identify all substances that require improved controls, and propose additional monitoring practices for implementation when appropriate. These practices will be reviewed with departmental and national authorities to ensure that they are compliant with all requirements. 

Milestones: a) Monitoring procedure options report complete by September 30, 2014, b) Consultation and validation complete by February 28, 2015, c) Implementation complete by March 31, 2015.

OPI: ADM(S&T)

Target Date: March 2015

Action Plan 3.2. ADM(S&T) will review inventory management procedures for ionizing radiation sources, identify requirements for improved controls, and propose additional inventory management practices for implementation. These practices will be reviewed with the departmental authority to ensure that they are compliant with all requirements.

Milestones: a) Review inventory management procedures by October 31, 2014; b) consultation and validation complete by January 31, 2015; and c) implementation initiated by March 31, 2015.

OPI: ADM(S&T)

Target Date: March 2015


Environment, Health and Safety

CRS Recommendation (Moderate Significance)

4.         ADM(S&T) should ensure that life cycle planning for infrastructure and equipment will address maintenance and recapitalization requirements. Plans for contingencies should also be put in place and tested to address residual risks to the containment of CBRN materials.

Management Action

Action Plan 4.1. As of April 1, 2014, Assistant Deputy Minister (Infrastructure and Environment) will have custodianship of DRDC’s Real Property. The infrastructure renewal requirements of ADM(S&T) will be incorporated into DND/CAF’s infrastructure management plans, as will potentially contaminated DRDC sites. DRDC will adopt DND/CAF’s standards for life cycle management of infrastructure and potentially contaminated sites. DRDC requirements for new or renovated infrastructure will continue to be enunciated to Assistant Deputy Minister (Infrastructure and Environment) through a detailed Statement of Requirements (Infrastructure), in accordance with the Vice Chief of the Defence Staff Project Approval Directive.

OPI: ADM(S&T)

Target Date: June 2014


Annex B—Audit Criteria

Criteria Assessment

The audit criteria were assessed using the following levels:

Assessment Level and Description

Level 1: Satisfactory

Level 2: Needs Minor Improvement

Level 3: Needs Moderate Improvement

Level 4: Needs Significant Improvement

Level 5: Unsatisfactory

Governance

  1. Appropriate governance frameworks for the life cycle management of CBRN materials at DND/CAF are in place.

Assessment Level 3—Local governance processes require more input and oversight at the headquarters level to ensure their effective design, and to provide departmental visibility of CBRN activities.


Risk Management

  1. Management identifies the risks that may preclude the achievement of its objectives in the life cycle management of CBRN materials.

Assessment Level 3—The consistency and quality of risk identification, assessment and management practices could be improved through additional guidance and oversight.


Inventory Control

  1. Adequate controls are in place to govern the material management of CBRN.

Assessment Level 3—Inventory management control needs to be strengthened to ensure the safeguarding of CBRN materials.


Environment, Health and Safety

  1. Adequate controls are in place to protect human health and the environment.

Assessment Level 3—Controls are in place to protect human health and the environment; however, the management of infrastructure and equipment, and the remediation of contaminated sites, require attention to ensure the sustainability of CBRN activities.


Sources of Criteria

The audit criteria were derived from the following sources, and in discussion with management:

  1. Committee of Sponsoring Organizations of the Treadway Commission. Internal Control—Integrated Framework, 1992.
  2. National Defence. DAOD 4002-0, Nuclear Technology Regulation and Control, May 2000.
  3. National Defence. DAOD 4002-1, Nuclear and Ionizing Radiation Safety, May 2000.
  4. National Defence. DAOD 8006-0, Chemical, Biological, Radiological and Nuclear Defence, June 2009.
  5. Office of the Comptroller General. Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors, March 2011.

___________________________________________________________________________________________________________________________

Footnote 1 CRS, Audit of Security for Sensitive Inventories, May 2004.

Footnote 2 CRS, Follow-up on Audit of Security for Sensitive Inventories, August 2008.

Footnote 3 NATO, NATO Glossary of Chemical, Biological, Radiological and Nuclear Terms and Definitions, July 2006.

Footnote 4 Ibid.

Footnote 5 Ibid.

Date modified: