Drills and Exercises Guidance

Conducting Drills/Exercises for Security, Biosafety, and Incident Response Plans

The select agents and toxins regulations for Security (42 CFR § 73.11, 9 CFR § 121.11 and 7 CFR § 331.11), Biosafety (42 CFR § 73.12, 9 CFR § 121.12 and 7 CFR § 331.12), and Incident Response (42 CFR § 73.14, 9 CFR § 121.14 and 7 CFR § 331.14) state that registered entities are required to conduct drills or exercises at least annually to test and evaluate the effectiveness of their security, biosafety and incident response plans and revise them as necessary.  A drill and/or exercise provides an opportunity to detect flaws in entity’s plans by revealing possible gaps and shortfalls in policies and/or procedures.

Drills and exercises are activities that test and evaluate the response to a particular event. Testing an entity’s plan helps to clarify roles, evaluate policies and procedures, build relationships with partners and develop knowledge.  Whether an event is natural or man-made, the goal of the security, biosafety, and incident response plans should be to provide the best possible preparation to safeguard select agents and toxins and to protect human, plant and animal health. For a low probability, high consequence event, mistakes or misunderstandings in executing a plan can result in undesirable and preventable outcomes. Therefore, proper preparation not only in written format but in practice is necessary to establish greater consistency in maintaining security and biosafety and responding to an incident.

Drills and exercises should be based on vulnerabilities that identify the types of risks or potential hazards that have a probability of occurring at an entity, an actual event that did not have the anticipated or required response or outcome, or critical operational gaps that have been previously identified. The following are a few questions that an entity should discuss after conducting a drill or exercise. 

  • Do our procedures and policies work?
  • What worked well and what did not work well (success/failures)?
  • Did we identify any critical operational gaps?
  • Are responsibilities clearly defined?
  • Is the response appropriate, efficient and sufficient?
  • How clear are written policies and procedures for the intended audience?
  • What are the consequences for issues not addressed?
  • Have we documented our drill or exercise with names, dates and findings?
  • Do we need to refine, revise, or update our plan(s)?
  • If plan(s) have been revised significantly, have appropriate staff been retrained on the changes?
  • When do we need to schedule our next drill or exercise for security, biosafety and/or incident response?