FAQ: Responsible Official

• The ARO must be able and willing to assume the full range of responsibilities of the RO, should the RO be unable to serve.
• The ARO must have the ability to assume the full authority to fulfill all of the responsibilities of the RO if needed.
• The ARO must have the knowledge and authority to ensure compliance with the select agent regulations when acting as the RO and be able to take appropriate action on behalf of the entity.
• An individual designated as an ARO on APHIS/CDC Form 1, must have an SRA conducted by CJIS, and be approved by FSAP. AROs with access to Tier 1 select agents and toxins must also have undergone the entity’s personnel suitability assessment process.
• The qualities of the ARO should be similar to the qualities of RO.

Although it is not a violation of the select agent regulations for an individual serving as an RO to have other responsibilities, FSAP would not recommend this – especially at institutions with large and/or complex select agent programs. As with any other position of responsibility having an impact on the health and safety of individuals, animals, and plants inside the entity, the entity should evaluate the individual’s duties based on the size of the entity, the number of personnel, and the scope of the RO resources.

Yes, regulations in section 9(a)(5) of the select agent regulations require that the RO have a physical (and not merely a telephonic or audio/visual) presence at the registered entity to ensure that the entity is in compliance with the select agent regulations and is able to quickly respond to on-site incidents involving select agents and toxins. Ideally, the RO should be co-located with the entity, or within reasonable distance of all the entity’s registered areas, to be able to quickly respond to emergencies and to provide appropriate oversight on a day-to-day basis. There must be an approved RO or ARO (who assumes full RO responsibilities in the absence of the RO) at a registered entity during normal business hours and the RO or ARO must be available for emergencies after normal business hours.

There are situations where registered entities have two or more registered laboratory facilities dispersed over a defined geographical location (e.g., a university campus or business complex). FSAP considers this one general physical location which can be managed as one registration. The intent of the requirement that the RO have a physical presence at the registered entity is not to require that an RO is assigned to each laboratory but to ensure that an RO is physically located on-site.

Yes, section 9(a)(6) of the select agent regulations requires the RO to ensure that annual inspections are conducted for each registered space where select agents and toxins are stored or used (all registered areas) in order to determine compliance with the requirements. Therefore, the RO does not have to specifically conduct the inspection. It should be noted that the inspections conducted by FSAP would not meet this requirement.

Establishing an internal annual inspection program provides a means for the RO to monitor compliance with the select agent regulations and identify deviations from acceptable laboratory safety or security practices. As such, the RO must ensure that annual reviews are conducted and appropriately documented, including the scope of the review, date(s) of the review, findings, and the appropriate corrective action(s) taken for any deficiencies found. The annual inspection should encompass every aspect of biosafety/biosecurity, security, and incident response at the entity, and should also include a review of the entity’s inventory procedures to ensure that individuals with access to inventories are following appropriate procedures for access and recording changes to the inventory. This can be separate from an overall periodic reconciliation of the entire inventory (recommended every 3 years).

The inspection could be conducted by the entity’s biosafety organization as long as the above requirements are met.

Yes.  For an individual to sign a document electronically, the entity should incorporate a method that:

• Identifies and authenticates a person using at least two factors of authentication, including something the person knows (i.e., email password) and something the person has (e.g., a mobile phone with SMS text message access);
• Provides a means to preserve the integrity of the signed record that is (a) portable, (b) independently verifiable, (c) tamper-evident, (d) granular, and (e) verifiable in the long-term; and
• Meets the requirements of the Government Paperwork Elimination Act, the Electronic Signatures in Global and National Commerce Act (ESIGN, 15 U.S.C. ch. 96), and the Uniform Electronic Transactions Act.

In addition, the electronic form of signature must be executed or adopted by a person with the intent to sign the electronic record (e.g., to indicate a person’s approval of the information contained in the electronic record). Not only must this intent be captured at the time of each signature, but it must also be captured for each individual signature and be provided as granular evidence within the electronic signature system’s audit trail.  Each signed document must be backed by an audit trail that captures intent to sign for each individual signature and provides granular, consistent, time stamped evidence as to every step in the entire signature process. The electronic form of signature must be attached to or associated with the electronic record being signed, and each signature should be produced according to established standards. The signature should be independently verifiable, without relying on the electronic signature service or website to be validated.