Biosecurity Regulations
By most accounts, America's biosecurity culture remains a work in progress as scientists adapt to new regulatory performance standards and policy makers grapple with the emerging tensions between the new regulations and the best interests of scientific research.
Are They Working and What are the Compliance Challenges for Lab Managers?
“The threat posed by biological agents employed in a terrorist attack on the United States is arguably the most important homeland security challenge of our era. Whether natural pathogens are cultured or new variants are bioengineered, the consequence of a terrorist-induced pandemic could be millions of casualties— far more than we would expect from nuclear terrorism, chemical attacks or conventional attacks on the infrastructure of the United States such as the attacks of September 11, 2001. Even if there were fewer casualties, additional second-order consequences (including psychological, social and economic effects) would dramatically compound the effects. Bioengineering is no longer the exclusive purview of state sponsors of terrorism; this technology is now available to small terrorist groups and even to deranged individuals.” – DHS Biological Threat Risk Assessment: A Call for Change, National Research Council, 2008
The debris from the 2001 terrorist attacks on the Twin Towers still lay smoldering in Manhattan as the first volley of anthrax-laced letters were dropped into a New Jersey mailbox.
Within weeks, the diffuse concept of bioweaponry of mass destruction had coalesced into a clear and present danger. A new biosecurity regime was soon imposed on America’s scientific community. In June 2002, the Public Health Security and Bioterrorism Preparedness and Response Act was signed into law, expanding government oversight over certain select agents toxic to humans, animals and plants. The intent of the legislation was to fortify national surveillance, prevention, control and response systems in labs containing these agents, and so thwart the malicious use of pathogens that could be converted into bioweapons. Of the 73 agents on the list, 13 are found naturally in the U.S. Many of the select viruses, bacteria, toxins and rickettsia (including anthrax) on the list—including the stuff of disaster responders’ worst nightmares, like Ebola, smallpox and the reconstructed 1918 pandemic viruses—fell under the existing select agent rule prior to 9/11; the rule’s regulatory framework governed lab operations through an overlay of biosafety levels (BSLs), starting with BSL-1 and rising to BSL-4 for labs housing the most toxic agents.
Oversight for agents that infect humans is provided by the Centers for Disease Control and Prevention (CDC) under the auspices of the U.S. Department of Health and Human Services (HHS). The animal and plant side is served by the Animal and Plant Health Inspection Service (APHIS), under the direction of the U.S. Department of Agriculture (USDA). Zoonotic or overlapping agents are governed jointly by both agencies. Regulations are proscribed in the Code of Federal Regulations: provisions governing human pathogens are in Title 42, Part 73; for animals, in Title 9, Part 121.
By most accounts, America’s biosecurity culture remains a work in progress as scientists adapt to new regulatory performance standards and policy makers grapple with the emerging tensions between the new regulations and the best interests of scientific research.
According to a Congressional Research Service (CRS) report issued March 5, titled “Oversight of High-Containment Biological Laboratories,” approximately 390 entities have been certified to work with select agents, and 15,300 staff members have been approved for lab access.
Biosecurity programs are built on biosafety practices. The terms “biosecurity” and “biosafety” are sometimes used interchangeably, but they are in fact divergent considerations for lab managers.
“They are very different concepts, and one doesn’t ensure the other,” said Dr. James Swearengen, senior director of the Association for Assessment and Accreditation of Laboratory Animal Care and former deputy commander at Fort Detrick in Maryland, site of one of America’s handful of maximum biocontainment labs. “Initially there was some confusion [about the terms]. People really didn’t get the prominence of biosecurity.”
Biosafety—protecting against accidental transmission of biologic agents to scientists, the environment and other personnel—is a well-established lab protocol. Biosecurity—guarding against the deliberate diversion and misuse of virulent biologic agents—is a novel concept some scientists perceive as contrary to the free and open exchange of materials and ideas, an operating principle for so many scientific researchers.
Biosecurity stakeholders—scientists, engineers and technicians, lab safety and IT staff, law enforcement personnel, legislators and policy makers—are divided by the dual-use nature of biomaterials: their application for benevolent and malevolent purposes.
Some worry that biosecurity concerns will constrain researchers and delay development of medicines and vaccines, including those that target select agents. Others argue for a tougher approach, saying that as pathogens proliferate and the number of global labs using select agents grows, so do the risk of accidents and opportunities for bioterrorists; or they cite past incidents—mice infected with bubonic plague go missing, or live anthrax is inadvertently shipped cross-country.
The American Biological Safety Association (ABSA) has cautioned against the imposition of biosecurity management, warning of its impact on scientific collaboration and innovation. The ABSA also decries the absence of unified national biosecurity standards, joining those concerned that the post-9/11 biodefense imperative accelerated regulation beyond the capabilities of biosecurity supervision.
Good laboratory biosecurity programs combine physical and personnel security measures with secure control, accountability and transport of select agents.
“All these things have to tie together to have a good program,” said Swearengen. “When we’re talking security, there are three major categories according to the regs. The first part is physical security around the facility. Next is access control, then inventory accountability and control. It’s the combination that’s important.” He advises lab managers to consider investing in software that integrates security and safety regulations with specific select agents to provide access control. “The key is finding someone with good experience” using the software.
Biosafety in Microbiological and Biomedical Laboratories (BMBL), a CDC publication, is generally considered the standard for best biosafety practices. An advisory document, it is the authoritative reference for labs working with select agents that infect human populations. The fifth edition of BMBL, published in 2006, was updated to include a new section on biosecurity.
The heart of Section VI of BMBL, Principles of Laboratory Biosecurity, begins at the beginning of any security program—a risk assessment that identifies and evaluates threats, starting with what Swearengen called the lab’s “low-hanging fruit” and working its way through lab practices and procedures.
Other program elements include management, physical security, personnel, inventory and accountability, information security, transport, accident and injury response plans, training, and reevaluations.
Compliance with these provisions is “a huge challenge for lab managers,” said Debra Sharpe, an industry consultant who began managing federal high-containment biolabs after Congress toughened the select agent rule. “And it doesn’t help your bottom line.”
When Sharpe arrived at Southern Research Institute, where she oversees security and compliance, the firm was doing “BSL-3 research with really no oversight. The institution really didn’t know at any given time what researcher was contracting with what company to do what kind of work, and in some places that might still be true.”
Biosecurity, Sharpe said, “covers two types of scenarios— insider threats and outsider threats. Outsider threats are pretty straightforward and easy to deal with—locks, fences and a security force. You want deterrents to the point where somebody would notice” an external breech.
“There are lots of pieces to the puzzle, and physical security is just one piece. The insider threat is how you’ll likely find loss of agents. [The industry] is still pretty dependent on people to self-identify. So there are people who will be registered to work with select agents who have gone though FBI clearance and come back clean, but they may have issues you’re not fully aware of,” she said, with a nod to the 2001 anthrax letters, which the FBI concluded were manufactured and mailed by a biodefense researcher at Fort Detrick’s U.S. Army Medical Research Institute of Infectious Diseases.
So Sharpe doesn’t want any solitary operators; her lab employees work in pairs. She recommends surveillance cameras because they cut manpower, and perimeter security. “If you’re relying on badge readers right outside your facility, it’s an opportunity for people to piggyback in on others.
“There is always risk if we want to do bioresearch. There are only so many bells and whistles we can put in place. To be honest, if anybody wants to get agent out of any facility in the U.S, they can probably do that.”
Others are more sanguine. The industry “has made real progress over the last four to five years,” said Swearengen.
After more than 40 years of lab management, Deborah Miller, Quality Management consultant and president, DMJ Miller & Assoc., Inc., has developed a high tolerance for regulations. “There is a given algorithm with regs, regardless of your workload or number of staff—a front-loaded baseline of effort you have to put in, tedious stubby-pencil paperwork to overcome the inertia that is not workload or size-of-lab dependent.
“For a small, focused lab, it’s a huge burden. The amount of effort is disproportional to the amount of work you have. And you usually don’t have a dedicated staff, so there’s no return on investment to show the bean counters.
“If you’re a bigger lab, the initial effort is still the same, but it’s more balanced with everything else going on in the lab. But once you design your system and get it in place, if you’re not just doing it to satisfy a government official, sustaining the regulations isn’t that hard.
“The trick is to go beyond satisfying the minimum of the regulations. If you don’t, you will always be behind, because regulations change. They rise about every two years.”
Biosecurity regulations are not “prescriptive,” said Miller, in the sense that they “don’t say you need seven of these.” Under this “mainly self-regulatory approach,” as construed in the CRS report, lab managers are given flexibility and latitude to implement the regulations. Instead of specifying training requirements, the Code of Federal Regulations (CFR) says that “training must address the specific needs of the individual, the work they will do, and the risks imposed by select agents and toxins.”
“Training? That mostly means training your employees to your own procedures,” said Sharpe. “And it’s not just training to the regs, but mentoring training too.” Swearengen recommends mentoring programs as a means of “validating competency,” providing additional assurance that tasks are implemented skillfully.
“Training does not equal competency,” said Swearengen. When dealing with select agents, biosecurity training “must be taken to a new level” to ensure that lab personnel are technically proficient in handling specific agents and species. Working with animals in a biocontainment environment presents lab managers with certain “logistical” challenges and gives staff “additional stressors.”
Although commissioned facilities can minimize compliance issues— “commissioning,” said Swearengen, “is the long pole in the tent”—the process is often time-consuming. But the benefits are compelling. When Sharpe was co-director of safety and environmental health at Auburn University, she ran its architects and engineers through a design course to the point where “every research building on campus was routinely commissioned.” Both tout whistle-blower mechanisms that enable lab technicians and animal care and use staff to bring issues to the attention of lab managers.
The 111th Congress has introduced legislation in both chambers to extend the select agent program and broaden criteria used by the CDC and the USDA to determine whether toxins are select agents. Both bills also require a review of the select agent program by the National Academy of Sciences.
Legislators are also reviewing biosecurity gaps. The U.S. Department of Health and Human Services, through the Office of Inspector General, issued a 2004 report critical of biosecurity at 11 universities whose operations it reviewed during 2002 and 2003.
It’s an “academic freedom issue,” said Sharpe. “It’s part of their nature. Some university labs are in urban settings where people can walk in off the street. They won’t change unless the word comes down from the university president or provost or VP for research. It can’t just come from university scientists.”