New UK Consent process for users of Ionising Radiation (as of February 2023)
Published: Feb 25, 2023
Update - October 2023
The substance of this blog entry, first issued February 2023 remains valid. What we can now report is that the HSE have updated their website and IRR17 Consent Safety Assessment Templates are now available. Feel free to go there now directly, however we feel that the background to the changes, as discussed in some detail below, will still be of significant use to many users of ionising radiation in the UK.
Update - May 2023
Since this blog article was published in February 2023, ONR have now released their new consent guidance. The guidance can be found here: Application for certificate of consent of specified practice(s) in accordance with Regulation 7. Please note that the guidance, and in particular the application process and email address, is only for work which takes place on a nuclear licensed site, regulated by ONR in the UK. However, it is likely that the HSE consent guidance (for all other workplaces where an employer needs a consent), will be near identical.
Despite this update, the information below is still valid and useful, in particular the journey from IRR85 - IRR17.
Notification, Registration and Consent
This article is about the new IRR17 consent system which will be implemented during 2023. But first, a little look backwards before looking forwards.
The 'new' Ionising Radiations Regulations 2017 (IRR17), which came into force early 2018, introduced a new system - a 'graded approach' for regulatory control involving work with ionising radiation. Prior to this, under the former IRR99 regulations there was a requirement to write to and inform HSE of the intention to work with ionising radiation (for the first time), giving 28 days notice. This was separated into sealed radioactive sources, unsealed radioactive material, x-ray generators and radon-222 (so this notification might cover more than one category). The notification under IRR99 did not require any further details of the work, and was made on a 'per site' basis and not on the legal entity anywhere in the UK. Part of IRR99 schedule 2 stated 'the address of the premises where or from where the work activity is to be carried out and a telephone or fax number or electronic mail address at such premises' (this is is not required with the current IRR17 consent process - but stay tuned...). This did cause some issues with mobile x-ray apparatus and there was a basic agreement in these cases to write 'at one or more premises, with the main premises being...'.
IRR99 also made provision for prior authorisations for certain practices, for example 'the use of X-ray sets for processing of products' (irradiation of food is an example). The HSE then issued generic authorisations (GA) which are not too dissimilar, in principle, to the wording / intention in the current consent - these covered, for example, use of accelerators above 1 MeV in medical treatments. However, unlike the proposed new consent process, it was up to the user to comply with the GA (as is the case with the current consents), there was no prior approval by the regulator.
Regardless of prior authorisations, in all cases there was no waiting for permission to proceed - the user just got on with it after 28 days. The 28 days was supposed to allow the user time to create the risk assessment and local rules (etc) after consulting with a Radiation Protection Adviser (RPA), and also allow the regulator to ask questions.
Then came IRR17 (2017 No. 1075, 1 January 2018).
IRR17 introduced the graded approach which, in increasing order of risk of potential exposure, included 'notifications' (IRR17 - 5), 'registrations' (IRR17- 6) and 'consents' (IRR17 - 7). By far the largest group is registrations (although there are around 1800 consents, many of which have been issued to employers undertaking industrial radiography).
Registration is based mostly on either quantities (i.e. activity, activity concentration etc) or generic categories (e.g. sealed source, open / unsealed radioactive material and x-ray generators) - these are known as 'certain practices'. The lower tier notification is mostly used for working in a radon atmosphere (e.g. occupational exposure to radon) and is known as 'certain work'.
The consent categories are based on 'specified practices' of which there are eight currently. Unlike the registration category, the specified categories in the consent are more prescriptive (see below for a link to all 8). For example, one specified practice is working with HASS sources (High Activity Sealed Sources). This is distinct from another specified practice - industrial radiography - which may well use HASS sources or accelerators, but is neither a HASS or accelerator specified practice.
All three options require applying via the HSE (or ONR / HSENI) website, ticking boxes to confirm answers to statements and questions and making an electronic delectation (the consent level questions naturally being more extensive and asking for selected data such as number of classified workers and expected exposures etc). The processing fee is £25 and in almost all cases results in the issue of a certificate instantly - there is no pre-assessment by the regulator. Unlike IRR99, the current IRR17 process is on a legal entity basis, so one declaration could cover several sites in UK (each individual site is not specified).
In the up and coming changes there is a drive to make sure that regulators are all singing from same hymn sheet. The regulators relevant are as follows.
- Health and Safety Executive (HSE) - covering work with ionising radiation not on a nuclear licensed site in Great Britain.
- Office for Nuclear Regulation (ONR) - covering work with ionising radiation on a nuclear licensed site, AND covering transport of radioactive materials by road by any legal entity in the UK.
- Health and Safety Executive for Northern Ireland (HSENI) - covering the above matters for Northern Ireland.
Why change the consent process?
The UK is a member of the International Atomic Energy Agency (IAEA). Prior to Brexit, the IAEA recommendations (e.g. GSR Part 3 Radiation Protection and Safety of Radiation Sources: International Basic Safety Standards), and former IAEA standards, would have been taken by the EU and a Directive produced e.g. Council Directive 2013/59/Euratom of . This Directive was then used to create IRR17.
Now outside the EU, there is a direct link between IAEA and the UK (as is the case with other members of IAEA who are not in the EU). However, regardless of EU / Brexit (etc), the IAEA will carry out an Integrated Regulatory Review Service (IRRS) mission to members from time to time. The most recent IRRS for the UK took place during October 2019. The report and UK government response can be found here: The Integrated Regulatory Review Service (IRRS): 2019 mission report.
Of several recommendations from the IRRS report was the following:
- Recommendation 11 : The ONR, HSE and HSENI should request the applicants seeking authorization for the safety significant activities and facilities to submit a safety assessment (SA) in accordance with IRR17, which should be reviewed before granting the authorization. When deemed necessary, the ONR, HSE and HSENI should be able to impose limits, conditions and controls on the authorized party’s subsequent activities.
What this implies is that the current consent process is a 'rubber stamp' with no prior regulator assessment or site inspection (prior to consent being issued).
[Ionactive comment - whilst no way as detailed, this recommendation is a slight move towards nuclear safety cases required by nuclear licensed sites regulated by ONR. Such safety cases are generally several cm's thick (!), but the writing and submission of a SA, it's approval with inspections, and authority to operate (carry out the specified practice) is not dissimilar to how it works on nuclear licensed sites]
It is UK policy to comply with IAEA, hence why recommendation of the 2019 IRRS report is being implemented.
New consent process (2023 -)
Broadly speaking the approach is the same for all three regulators identified above.
The process is as follows:
- The user (employer) will determine the relevant regulator (ONR, HSE and HSENI).
- Submit application online (via regulator online system).
- Submit a Safety Assessment (SA).
- The SA will be reviewed by the appropriate regulator inspector.
- The regulator will inspect the practice (this is a significant change compared to the current consent process).
- Consent will only be issued if the SA and site inspection are successful.
- Forget the £25 current application fee, future fees are likely to be in the £1000's.
It is understood (at the time of writing) that the SA will be submitted using an online portal and will consist of several parts, i.e. the SA is not a single document. Information will be submitted online using templates and forms, after successful completion of one template, the next will appear until all are completed. All completed templates / forms will then form the SA. It may be appropriate in certain circumstances to copy and paste the required information from an internal company document (risk assessment, work procedure, ALARP assessment etc) into the SA template. However employers will have to accept that despite having their own comprehensive set of documents, information has to be entered fresh into the new online portal. The only documents that can be submitted complete is the local rules and contingency arrangements (the upload is a requirement of the application process).
The basic submission and processing of the application is likely to be as follows:
- Employer chooses the appropriate category of consent (might be more than one).
- Provides required information that is common to all content types (see likely content required in later sections below).
- Completes the online SA templates and forms.
- Uploads local rules and contingency plans.
- Regulator reviews submission*
- Regulator undertakes site inspection of the practice**
- Employer pays the application fees
- Consent certificate issued to employer
The above simple process has a couple of hold points which could be problematic or even terminal if the application is not suitable and sufficient. There are two feedback loops in the assessment process that work as follows.
*Once submission is completed the safety assessment is reviewed by the appropriate specialist inspector. If the initial review is positive (successful) the assessment process continuous and a site inspection is arranged. If the initial review is unsuccessful the application is passed back to the employer with feedback and a request to resubmit. If a subsequent review still shows deficiencies the application is rejected completely. Fees still have to be paid for regulator work already completed.
** Following successful review of the safety assessment the regulator will conduct an initial site inspection. If the outcome of the initial inspection is positive (successful) then fees are paid and a consent certificate is issued. If the initial site inspection is unsuccessful the regulator will explain the deficiencies and ask the employer to correct them. If a subsequent inspection still shows deficiencies then the application is rejected completely with fees still requiring payment.
The employer is only allowed a second go at completing the application and passing a site inspection. It will be interesting to see if there is any flexibility, especially in the early days when the process will be new to both regulator and employer.
There may be circumstances where the employer cannot complete the safety assessment until the practice commences (for example certain dose rate measurements cannot be confirmed until a radiation source is on site). It is understood that an interim consent could be issued which would be converted to a full consent once the missing data was available.
Safety Assessment (SA)
- The SA will ensure that the minimum requirements of the IAEA standards (noted above) are met.
- The SA is compatible with IRR17 (so there is no extra work required unless IRR17 compliance is not already assured). The application process will specifically require a map / diagram (etc) so that the regulator can review this with the application and prepare for a site inspection.
- In the SRP presentations, the regulators have made clear that the SA is not satisfied alone by a Radiation Risk Assessment (RRA) made under IRR17 (8). However, a good IRR17 risk assessments, dealing with Para 70 and 71 of the ACoP to IRR17 is a significant part of the SA.
Overall, the SA is a reality check - is the consent level practice, defined in IRR17, in compliant with IRR17?
Safety Assessment (SA) Content
This is a work in progress, but as noted above, a good risk assessment for compliance with IRR17 (8) is a good start.
At the time of writing it is understood that the 9 consent practices will eventually translated into 16 SA templates.
Helpfully, HSE, ONR and HSENI will all use the same templates.
Likely safety assessment information required for consent (applicable to all practices)
The following summary below is derived from an HSE document with draft status, so liable to change.
- Applicant name and, if different, the name of the employer’s legal entity.
- Company registered address.
- Contact details.
- Name, address and phone number of each fixed premises where the specified practice will be carried out*
- Total Number of employees (total number of all employees).
- Number of employees engaged in work with ionising radiation.
- Number of classified persons.
- The name of the employer’s Radiation Protection Adviser(s) (RPA)**
- Names, position and contact details of the person submitting the consent application***
* Note the subtle difference regarding name, address and phone number etc (as compared to current consent process). The regulator will require information for each fixed premises where the practice is carried out (currently it is only the details of the legal entity that is required). This is not the same as the old IRR99 requirement for notification at each premises. The idea is that one particular consent will cover all premises carrying out the relevant specified practice. There will obviously be some flexibility, since an employer who operates linear accelerators and conducts work at hospitals around the UK cannot list each (but they are 'fixed').
** Note that requiring the name of the RPA for consent is a new requirement.
***Note that this cannot be the RPA, unless the RPA is an employee of the employer making the consent application and has been authorised to do so.
Example safety assessment information required for a particular specified practice
A significant change in the consent process is that during the submission of safety assessment, questions will be asked which are specific to a particular practice. This is unlike the current consent process where all questions are more generic and apply to any specified practice.
The following example relates to industrial radiography and is a summary of the HSE draft offered to those attending the SRP meeting. We have only included the questions and not the guidance (we will post official guidance when available).
[Industrial Radiography is a very specific use of ionising radiation in the field of NDT (non destructive testing). Be sure you know what you are undertaking since the operation of an x-ray room for imaging of objects is not NDT and requires only a registration. The link in this paragraph will take you to an October 2023 blog on this very subject.]
- A general summary of the type of industrial radiography (enclosure and site) to be carried out and details of the premises at which the practice is performed.
- A summary of the arrangements for managing radiation protection during industrial radiography.
- Details of the frequency of use of the industrial radiography sources of radiation to be used, or likely to be used.
- Details of the nature of other sources of radiation in the working environment (e.g. radon exposures, occupational exposure from other sources of radiation not directly related to industrial radiography).
- Estimates of the radiation dose rates which employees and public can be exposed (e.g. maximum dose rates outside the radiographic controlled area, maximum dose rates possible resulting from radiation accidents, specific equivalent and effective whole body doses, annual exposure estimates).
- A summary of the engineering control measures and design features already in place, or planned, to comply with the requirements of IRR17 Regulation 9 (Restriction of Exposure).
- A summary of the maintenance and testing schedules for engineering controls, safety critical controls such as interlocks, warning devices and other safety features [Ionactive - sounds like a light version of EMIT (Examination, Maintenance, Inspection and Testing) used in the nuclear industry].
- A summary of, and results of, a Critical Examinations that will be or have been conducted in accordance with IRR17-32.
- Summary of the planned radiation dose rate monitoring regime for radiography areas and their surroundings including any areas to which the public may have access.
- Summary of the personal dosimetry to be used including types, wear periods, approved dosimetry services (includes active and passive dosimetry).
- The rationale for designating employees as Classified Persons.
- Summary of the radiological protection training that will be or has been provided to employees and other persons, including planned frequency and refresher training.
- Summary of the information supplied to employees concerning their work with ionising radiations in connection with pregnancy and breast feeding.
- A summary of possible radiation accident situations as identified in the radiation risk assessment, their likelihood and potential severity (including human failure, failure of systems of work, failure of engineering controls, interlocks, active warning signs).
You will note this is personalised for industrial radiography. Whilst it is likely there will some overlap of questions between the specified practices, the employer should expect to answer specific questions relating to their practice. Specific questions is no bad thing, and together with the guidance, should not be too arduous to complete.
Timeline (as of February 2023)
The timeline is a little different depending on the regulator.
- HSE- the new IT system to capture the data will in place by 23 July 2023.
- The new HSE consent process will start from October 2023 (but could be earlier)
- New consents (under new system) will have a 3 month turnaround.
- Over the next 5 years, existing consent holders will need to submit a SA for review (this will include an inspection). This will be via 'invitation' so might imply that HSE have a campaign to target certain sectors on a rolling programme.
- ONR - new IT system in place by April 2023
- The ONR consent process will start April 2023
- New consents (under new system) will have a 3 month turnaround.
- Over the next 5 years, existing consent holders will need to submit a SA for review etc (i.e same as HSE above)
At time of writing we are not sure of the HSENI times scales, but would assume it will mirror HSE.
Note: current consent holders will be selected at random over the next 5 years. The HSE presentation indicates there will be a 1 month submission requirement (with some flexibility if required). This indicates that the regulator expects current consent holders to have everything already in place (e.g. local rules, radiation risk assessment and contingency arrangements), therefore preparation of the safety assessment should be a relatively swift process.
Ionactive RPA Advice. Our advice to our own clients who have consents, and extending to any consent holder in the UK, is to get on and do this now (!) once the regulator issues the final guidance and the system goes live. Ionactive is already working with clients to produce safety assessments (using draft information from HSE already issued) - these may not be perfect, but the bulk of the work will be done and small edits when final guidance is released is better than waiting for the regulator to call. This is also a good time for a detailed review of your radiation risk assessment, local rules and contingecy plans.
Ultimately, revocation would require the cessation of the practice.
The regulator notes that existing enforcement methods remain available including:
- Notice of Contravention (NoC) - not on the public record.
- Improvement Notice - on the public record.
- Prohibition Notice - immediate cessation of work (i.e. the actions / conditions which lead to the notice being issued)
Notwithstanding the likely options outlined below, all cases could lead to prosecution by the regulator.
Employer does not have a consent, but conducts a specified practice
Whilst it is unlikely a UK employer would carry out a specified practice without a consent (since there would need to be multiplicative failures including not having a RPA), it could nevertheless happen. The approach adopted is likely to be:
- Determine if there is a serious risk of personal injury (this is defined sections 22 and 23 of the HSWA74). If YES, then a prohibition notice would be issued, followed by a Notice of Contravention (NoC) and instruction to cease the practice via a formal warning letter.
- If NO, then a decision depends on if the practice is carried out in the medical sector. If NO, the practice is not carried out in the medical sector, then the route is NoC and instruction to cease the practice via a formal warning letter.
- If the practice is carried out in the medical sector (i.e. YES), then the decision process depends on the likelihood of detriment to patient diagnosis or treatment. If patient diagnosis or treatment is likely to be compromised then the regulator may issue an interim consent. If patient diagnosis or treatment is not likely to be compromised then the route is NoC and instruction to cease the practice via a formal warning letter.
Employer not conducting the practice in accordance with a safety assessment
This would include situations where there are radiation accidents / incidents or general poor compliance with the safety assessment (and / or systems and procedures derived from the assessment).
Ultimately it is for the regulator to decide what action to take, and this will likely be proportional to the nature and significance of the breach. Options could include:
- Revoke the consent.
- Suspend the consent.
- Provide a notification that the consent will be revoked unless improvement actions are taken to the satisfaction of the regulator, and within the time frame permitted.
- For minor breaches, a warning letter may be issued but no enforcement action required.
We hope you have found this useful. Treat all of this information as 'draft' at present as there could be changed before formal implementation. Once this process is in place with formal regulator guidance we will produce our own guidance (as we always do).
Radiation Protection Adviser
Ionactive Consulting Limited
25 February 2023 (updated May 2023)
New (August 2023). If you have read all you need about consents, then head over to the latest Ionactive blog article on registrations, yes they are changing too!