Incident Response Plan: Creating a Successful Incident Response Plan
Creating a Successful Incident Response Plan
FSAP has developed a six-step cycle for creating an incident response plan. These steps are general guidelines for creating the series of standard operating procedures (SOPs) to be in compliance with section 14 of the select agent regulations and provide a safe environment for the entity’s employees and community.
Step 1: Form a Team.
The incident response planning team should include the following as applicable to the entity’s organization and biosafety level (BSL):
- Incident Response Plan Team Lead – Designated individual responsible for coordinating meetings and managing the documentation and distribution of the plan
- Entity Subject Matter Experts (SMEs) – Responsible Official, Principle Investigator, Biosafety Officer
- First Responders – Fire Department, including Emergency Medical and Hazmat, Police
- Organization – Facility Manager, Security, Leadership
Once the team is formed, it should remain engaged throughout the process of developing the incident response plan. Each team member brings both skills and a unique perspective to the situation. At each step, the entity is strongly encouraged to consult team members.
Step 2: Perform a Site Specific Risk Assessment.
A site specific risk assessment provides the foundation of an effective Incident Response Plan. The Incident Response Plan must be coordinated with any entity-wide plans, kept in the workplace, and available to employees for review.
Begin the discussion by describing the entity to the responders, with particular attention to the layout of registered spaces. Each group of SMEs in the incident response planning team provides a different perspective and key pieces of information for identifying risks and mitigation methods.
- Identify risks (probable hazards, high consequence events) that cannot be mitigated before a response is required. This should include those required by regulation, regional natural disasters, and other site-specific hazards.
- Identify what protective measures/equipment is in place and where it is located.
- Discuss procedures which may take place during incidents, including man-down drills, evacuation procedures, and others.
- Identify what capabilities can be managed by first responders (Fire, including Emergency Medical and HAZMAT, police).
- Calculate response times to the entity by hazard type for multiple situations.
- Discuss contact and communication procedures beyond calling 911.
Facility Management and Safety/Security Personnel
- Be familiar with the physical capabilities of the building and available emergency equipment.
- Understand the existing organizational policies and procedures for managing incidents.
- Assign responsibility for escorting or granting access to first responders.
Step 3: Analyze Facility Capabilities against Hazards
Conduct an analysis of various hazards that may result in the loss, release, or opportunity for the theft of a select agent or toxin. FSAP requires that the entity addresses certain specific hazards, which form the core of the incident response plan. The entity should also analyze their capabilities against any additional hazards identified during the risk analysis.
To conduct a facility analysis, create scenarios that demonstrate a series of incident driven actions and events and provide a factual and logical framework for developing an SOP. The scenarios can assist in guiding discussion and help create an appropriate sequence response actions. Some different methods of working through incident response scenarios include:
- Action/Response – Each action leads to a reaction and so on until the tasks are complete.
- Functional – Each organization talks through its internal SOPs and determines where they should overlap.
- Walk-Through – The team physically determines what resources are available, where equipment sits, and where the clean/dirty areas are. Focus on the inside of the laboratory. Building codes will generally ensure the facility can survive likely disasters but may not address loss of primary and secondary containment, animal husbandry issues, spilled, loss of power to a freezer, etc.
- Second Order Effects – The team discusses and determines incidents that may lead to other incidents. For example:
- Earthquake may cause power outage or fire.
- Hurricane may prevent facility access.
- Fire suppression system may flood a containment system
As the team conducts the facility analysis, consider the following questions:
- Who must do what, when, and where?
- What must team members know for each incident type?
- Who conveys incident response information to team members?
- What crucial information must be conveyed about the lab and facility?
- What equipment is needed during a given incident/incident response?
- Who is in charge at each step of the incident response? What decisions must be made?
The answers to these questions will allow the Incident Response planning team to identify the key information that forms the basis of the incident response plan:
- Condition Expectations and Assumptions – Assumptions that must be made as a part of incident response planning but may disrupt the plan if they are not met (i.e. clear roads, first responder presence).
- Logistical Constraints – Limitations of response team members (i.e. equipment access, mobility limitations).
- Capability Gaps – Required capabilities that team members do not have (i.e. missing Personal Protective Equipment, training, etc.).
Step 4: Develop Plans by Incident Type
Create a series of standard operating procedures (SOPs) based on each scenario. An SOP should be a list of simple instructions that anyone can quickly read and follow. Focus on creating plans with common steps that can be applied to various incidents to improve comprehension and reduce training.
Entities are encouraged to develop playbooks. A playbook is a series of simple plans / SOPs that cover the multiple incidents identified in the analysis stage. Instead of focusing on nuances of each event, focus on common steps and then apply them to various incidents. This not only makes incident response easier for individuals to understand it also makes it much easier to train.
- No Notice
- Minimal Notice
- With Notice
- After the Fact
- High (Potential for serious threat/damage)
- Natural Disasters
- Facility Emergencies
- Severe Weather
Each SOP should include the following information:
- What incidents does the plan cover?
- Concept (What are you trying to do? When are you done?)
- Entity and organizational responsibilities/tasks (What will the entity do? Who does it/when? What is the entity responsible for?)
- First responder actions/tasks (What will they/won’t they do?)
- Risk containment strategies (How do you prevent further exposure, what is the potential impact on public health, animal and plant health or animal and plant products, and how to minimize the impact an incident has on to these concerns)
- Entity lines of authority (Who has the authority to call this kind of response? Who’s next in charge? Include contact information for these individuals.)
- Decontamination procedures (Do you doff? If not, how do you separate contaminated personnel?)
- Emergency equipment (Where is it? How does it apply? Who uses it?)
- Procedures for emergency evacuation, including type of evacuation, exit route assignments, safe distances, and places of refuge (How do you get out? Where do you go once you leave the lab?)
- Personnel accountability (Who accounts for personnel and who is notified once personnel are accounted for?)
- Procedures to be followed by employees performing rescue or medical duties and the location (Where do you conduct immediate care? Where do you conduct follow up?)
- Location where the first responders will pick up a patient and what amount of decontamination must be done (Doffing, showering out—consult the first responders on their requirements for transport)
- Contacts and communication plan (Who calls 911? Who notifies the RO or management? Is anyone else notified?)
- Site security and control (How do you manage access to the facility during and after the incident, where’s the perimeter, etc.?)
- Return procedures (Under what conditions and how do you return to the lab, check containment, etc.)
- Select agent and toxin (and other high value items) accountability
- Medical Surveillance (if required)
- Who conveys incident response information to FSAP and public health and agriculture authorities (e.g., local or state Department of Health, state veterinarians) and how are these authorities contacted?
Create a Recovery Plan
Create a recovery phase for incidents that may cause damage to a laboratory. The recovery plan should include procedures for emergencies that would prevent entities from returning to normal operating conditions (i.e. laboratory is damaged and nonoperational). This section of the plan should answer the following questions:
- What happens when the laboratory cannot return to normal operations after an incident?
- When will the laboratory be able to return to normal operations?
- Will work with select agents and toxins continue in another registered space?
- Will select agents and toxins be stored in another registered space until the damaged area is operational?
- Will select agents be transferred to another registered entity until the damaged laboratory is operational?
Step 5: Review and Test the Incident Response Plan
To stay in compliance with Section 14 of the select agent regulations, review and exercise the incident response plan at least once annually. See the Drills and Exercise guidance document for FSAP recommendations for successful drills and exercises.
Step 6: Refine and Update Plans
Refine and update their plan(s) at least annually, after each exercise or after a plan is executed. Work with the incident response planning team to review the document and make any necessary changes to address the following:
- Results of training (what went well, what can be improved, changes made)
- Any changes to threats or hazards
- Any changes to expectations or assumptions from the original plan
- Any new equipment, its capabilities and locations including first responders (new PPE, new HAZMAT vehicle)
- Any changes to the entity (additional registered space)
- Any changes in key personnel or organizations, including first responders
- Changes to the agents which affect response (adding a Tier 1 agent)
- Specific threats against the entity or its personnel
- Any changes in communications
- Critical changes to regulatory requirements, including those which affect first responders