Incident Response Plan: Regulatory Requirements
Section 14 (b) Requirements
Examples of what the incident response plan should describe as part of the entity’s response are included in the chart below.
Incident | Definition of Incident | Examples | Likelihood of Advance Notice |
---|---|---|---|
Inventory discrepancies | Inventory discrepancies occur when there are errors or omissions in the written inventory record. | Mislabeled vials; incomplete records | No Notice |
Security breaches/Suspicious activity | A security breach occurs when there is a disruption in the established security network or a failure to follow the entity’s written security policies and procedures. Breaches involve all levels of security including physical security (hardened, fixed systems), operational security (personnel reliability) and information systems (electronic and hard copy material). | Computer hacking; unauthorized personnel in laboratory | No Notice |
Severe weather and other natural disasters | Severe weather and natural disasters vary from one geographic location to another within the United States. Severe weather situations and natural disasters include tropical storms, hurricanes, tornadoes, windstorms, thunderstorms, lightning, hail, floods, earthquakes, fires and winter storms (not all inclusive). To assist in determining if the entity is in an affected area, refer to Tab IV “Evaluating Natural Hazard.” | Tornado; Flood | Minimal Notice for tornado, severe weather or storm, hurricane, floods; No Notice for earthquakes |
Workplace violence | Workplace violence is any act or threat of physical violence, harassment, intimidation, or other threatening disruptive behavior that occurs at the work site. It ranges from threats and verbal abuse to physical assaults and even homicide. It can affect and involve employees, clients, customers, and visitors. | Active shooter, Worker-on-worker abuse, Crime in conjunction with violence (robbery, theft, trespassing) | Minimal Notice |
Bomb threats and suspicious packages | Bomb threats and suspicious packages have become common means to disrupt workplace activity. Most agencies at the academic, state, and federal levels have their own bomb threat and suspicious packages procedures. | Suspicious package or bomb threat | Minimal Notice |
Fire | Fires can occur without notice and cause death, injury, property destruction and economic loss. | Unintentional or careless, intentional (arson), electrical malfunction, heating | No Notice |
Gas leak | A gas leak is a non-expected release of natural gas that can create a potentially dangerous situation – either because the released gas is poisonous or because it can ignite and create an explosion. | Smell of gas; sound of gas being released from an open line. | Minimal Notice |
Explosion | Explosion is the sudden loud release of energy and a rapidly expanding volume of gas that occurs when a bomb detonates, or gas explodes. | Bomb detonates or gas explodes | No Notice |
Power outage | A power outage occurs when electrical power goes out unexpectedly. This may disrupt facility operations, ventilation and security features, communications, water, local utility, and transportation. | Can be caused by severe weather or natural disasters, overburdened electrical equipment, excavation or construction, downed utilities. | No Notice |
Section 14 Requirements
In the event of an incident such as a theft, loss, or release, the foundation of effective incident response planning is protecting people first, as well as animal and plant health, risk containment, and effective communication. The requirements of Section 14 of the select agent regulations come together as the foundation for creating a strong risk containment and communication strategy in an emergency.
Emergency Contact Information – Collect and document site-specific contact information for each person identified as having an incident response role. Focus on support units that are available within the geographic region of the facility, especially if the entity is relying on local support of first responders.
Entities associated with larger parent organizations (i.e., colleges, universities, federal or state campuses and research medical institutions) need to incorporate or integrate their site-specific incident response requirements with established entity-wide emergency response programs.
Personnel roles and lines of authority and communication – Assess the roles and responsibilities of each person identified as having an incident response role ahead of time. Ensure that all participants in the response understand the lines of authority and how information is communicated both up and down the chain of command.
Planning and coordination with local emergency responders – Meet with local emergency responders to discuss large scale disasters. Discuss with first responders the roles and responsibilities of each party in the event of a disaster that affects the select agent laboratory or storage area.
Procedures to be followed by employees performing rescue and medical duties – Rescue and medical duties should be limited to only those individuals who are qualified to perform these duties (e.g., paramedic, EMT, registered nurse, physician assistant, medical doctor, osteopathic physician). When qualified individuals are not available, 911 should be called. Train staff to perform emergency first aid and CPR if the laboratory is located in a remote area that may cause delayed ambulance response time.
Emergency medical treatment and first aid – Establish provisions for emergency medical treatment and first aid for employees injured on the job. Since occupational injuries and illnesses are work related, workers’ compensation rules may apply. Check with the Personnel Department (Human Resources) to determine if employees must report to a prearranged emergency treatment center or clinic. Inform workers of where to go or be transported for emergency medical treatment or first aid. In laboratories that are regulated by state or federal OSHA (Occupational Safety and Health Administration), comply with all applicable regulations (e.g., complete the appropriate OSHA injury and illness recordkeeping forms).
List of personal protective and emergency equipment, and their locations – Identify what personal protective equipment (PPE) and emergency equipment is needed in response to incidents involving select agents and toxins and state where it is located. Include a floor plan showing the PPE and emergency equipment locations in the incident response plan. Examples of PPE include, but are not limited to, gloves, protective eyewear, face shields, respirators, foot protection, gowns, and scrubs. Examples of emergency equipment include, but are not limited to, fire extinguishers, emergency showers, fire blankets, eye wash stations, and portable lighting.
Site security and control – Maintain site security and control to the best of your ability at all times. During incident response planning, inform first responders that access to restricted areas needs to be controlled during and after each incident. Some of the typical methods used to maintain site security control include a posted armed police officer or guard, an FSAP-approved individual controlling access to the restricted area, and relocating BSAT to an approved secured location.
Procedures for emergency evacuation – The incident response plan should define the different types of evacuations that may be encountered during an emergency. Post floor plans that show the primary and secondary emergency exit routes on each floor. Include these floor plans in the incident response plan. Determine safe distances for evacuation in the event of a worst-case scenario. When a warning is received regarding an impending disaster, the incident response plan should designate areas for safe refuge until the warning expires or the threat no longer exists. Describe procedures for securing select agents and toxins, if able, when a warning is received.
Decontamination procedures – Describe decontamination procedures in the incident response plan. Include decontamination procedures for spills, affected individuals, including emergency responders, and laboratory rooms and areas that require decontamination.
Annual Training – Provide and document annual incident response training for personnel who have access to select agents or toxins. The documentation of incident response training must include name of trained personnel, date, name of training, and how it was verified that personnel understood training goals and objectives. For entities with Tier 1 agents, insider threat awareness training must be conducted annually with all personnel who have access to select agents or toxins.
Tier 1 Requirements – Entities with Tier 1 agents must provide the following additional information in the incident response plan:
- A plan for how the entity will respond to the failure of the IDS or alarm system
- Procedure for how the entity will notify the appropriate Federal, State, or local law enforcement agencies of suspicious activity that may be criminal in nature and related to the entity, its personnel, or select agents or toxins