Biorisk

Management
The AMP Model
• Biorisk management
• a system or process to control safety and security risks
associated with the handling or storage and disposal of
biological agents and toxins in laboratories and facilities
• The analysis of ways and development of strategies to
minimize the likelihood of the occurrence of biorisks.
• The management of biorisk places responsibility on the
facility and its manager (director) to demonstrate that
appropriate and valid biorisk reduction (minimization)
procedures have been established and are implemented.
A biorisk management committee should be established
to assist the facility director in identifying, developing
and reaching biorisk management goals.

• The AMP model is a simple yet effective method for

supporting the implementation of biorisk management.
The model is composed of three basic components:
assessment (A), mitigation (M), and performance (P)
 • Risk can be described as the combination of the likelihood (or probability) and
the consequences of an undesirable event. It is often described as a
mathematical equation: risk = f (likelihood, consequences).
• A risk can be based on either a hazard or a threat.
• Hazard A danger or source of danger; the potential to cause harm.
• Threat The likelihood for an adverse event to occur, as an expression of intention
to inflict evil, injury, disruption or damage.

• Desired Outcome: Guide the selection of appropriate biological safety measures

(including microbiological practices and selection of proper safety equipment),
security measures (including controlled access to the laboratory where the
biological agents exist), and other facility safeguards to mitigate risks to an
ASSESSMENT acceptable or manageable level.
• Risk assessment will demonstrate that some risks can be controlled using
relatively straightforward measures, such as properly cleaning up spills and
splashes, reducing fall hazards, and locking storage areas that contain infectious
pathogens
 • New infectious agents, toxins, reagents, or other dangerous substances
• New animal species, model, or route of administration of biological
agents
• Different procedures and practices

When to • New equipment

Perform and
• Changes in personnel
• Changes in manufacturer or supplier of consumable materials (PPE,
containers, waste disposal materials, media, etc.)
Review a • Equipment that may no longer be operating effectively because it has
deteriorated or has not had adequate repair/maintenance
Laboratory • Advances in scientific understanding and technology (new paradigms)

Risk • A relocation or renovation

• A recent accident, laboratory-acquired infection (LAI), theft, or security

Assessment violation
• National or regional changes in disease status (endemicity of disease or
disease eradication)
• Changes in reliable local infrastructure (electricity, water, roads)
• National, regional, or local changes in the threat or security
environment
 • 1. Define the situation. Consider and document the what, who, and where.
• What—Identify the hazards. The risk assessment team must identify the biological agents to
be handled (or, if the biological agent in the sample is unknown, the agents suspected to
possibly exist).
• Who—Evaluate at-risk hosts. The risk assessment team must also consider the host range for
the hazards identified.
• Where—Define the work activities and laboratory environment. In defining the work
activities, the risk assessment team must articulate and document the laboratory processes
(including locations, procedures, and equipment used)

Biosafety • 2. Define the risks. The hazards, hosts, and work activities identified should be used to define
the specific risks to be assessed (or, what can go wrong?). A single activity will likely have

Risk
many different risks associated with it.
• Risk to individuals in the laboratory (laboratory workers) of an infection
• Risk to an individual(s) outside the laboratory (the human community) of an infection

Assessment • Risk to animals outside the laboratory (the animal community) of an infection
• Risks to humans and animals as a result of a secondary exposure
• 3. Characterize the risks. To determine the risk, the risk assessment team must answer: How
likely is it to happen? What are the consequences? All the elements that influence the
likelihood of infection and the likelihood of exposure should be combined to characterize the
overall likelihood.
• • Likelihood:
• – Likelihood of infection from the biological agents
• – Likelihood of an exposure based upon the work practices
• • Consequences:
• – Consequences of infection/exposure to an at-risk host
 • A biosecurity assessment includes defining the laboratory assets,
threats, and facility vulnerabilities, as well as the current
biosecurity program in place to mitigate biosecurity risks, and the
impact or consequences of theft or destruction of the defined
assets. Determining the potential security risks based upon these
factors is the first step in implementing a biosecurity program

Biosecurity • What—Identify and define the assets. Examples of assets may

include valuable biological material, such as pathogens and
toxins, valuable equipment, intellectual property, or other
Risk sensitive information, reagents, and laboratory animals.
• Who—Define the threats. The team must then identify and
Assessment evaluate the potential adversaries who may pursue those assets.
Examples of adversarial types that could target assets at a
biological facility include competitive researchers, criminals
looking for items to sell, disgruntled employees, a terrorist
organization, and animal rights activists.
• Where—Define the facility and laboratory security
environment. In defining the environment, the risk assessment
team should consider the vulnerabilities of the facility that
contains the assets
 • Risks could include the following examples (the specific risk defined should be unique to the
biological institution):
• • Risk of an unauthorized person stealing valuable biological material for malicious use:
• – Example: A farmer intent on infecting a competitor’s flock of birds.
• • Risk of an authorized person stealing valuable biological material for malicious use:
• – Example: An employee upset with a spouse and intent on making him or her sick.
• • Risk of an unauthorized person stealing valuable biological material for personal gain:
• – Example: A criminal intent on stealing and selling biological material or equipment.
• • Risk of an authorized person stealing or destroying valuable biological material for personal gain:

Examples • – Example: An adversary intent on damaging a research project sonthat he or she may publish a
similar research study first.
• • Risk of an unauthorized person stealing equipment:
• – Example: A criminal intent on stealing a computer to subsequently sell it.
• • Risk of an authorized person stealing equipment:
• – Example: An employee intent on stealing a refrigerator for personal use.
• • Risk of an unauthorized person stealing an institution’s intellectual property (in the form of
information) or confidential information:
• – Example: A competitor intent on producing a competitive vaccine.
• • Risk of an authorized person stealing an institution’s intellectual property (in the form of
information) or confidential information:
• – Example: A disgruntled employee intent on sabotaging an institution’s reputation by leaking
confidential information to the media
 • Assets assessment. Based upon the defined risks, the risk assessment team should
define the likelihood of targeting the asset by the relevant threat.
• For valuable biological assets, the uniqueness of the asset and any potential for
misuse should be considered. For each of the defined assets, the team should review
the various properties that make this asset attractive (or likely) to be stolen or
destroyed by an adversary.
• Adversary assessment. The risk assessment team should define the intentions and
access that the specific adversaries might have to each asset.

Characterize • Adversarial types can be further categorized into persons with authorized access to
the laboratory or facility (insiders), and persons with no authorized access

the risks: (outsiders).

• Facility vulnerability assessment. The risk assessment team should assess the

biosecurity likelihood of successful acquisition of the asset based upon the asset’s location, the
facility’s vulnerabilities, and the capabilities of the adversary.

• • Likelihood:
• – Likelihood of targeting the asset for theft or destruction based upon
intent/motivation of adversary (or threat)
• – Likelihood of successful theft or destruction based upon facility vulnerabilities and
the threat’s capabilities
• • Consequences:
• – Consequences of the theft or destruction of the asset
 • Biorisk mitigation measures are actions and
control measures, based on a robust laboratory
risk assessment, that are put into place to reduce
or eliminate the risks associated with biological
agents and toxins.
• Assessing the risks determines the actions and
MITIGATIO control measures that will be most effective in
reducing and eliminating those particular risks.
N • Biorisk mitigation can be divided into five areas
of control:
• elimination or substitution
• engineering controls
• administrative controls
• Practices and procedures
• personal protective equipment
• elimination or substitution
• Elimination involves not doing the intended work, or
deciding not to work with a specific biological agent.
• Obviously, elimination provides the highest degree of risk
reduction.
• However, in many situations, eliminating the risk is not
always feasible. For those cases, it may be necessary to use
a substitute, or to replace or exchange the source of the
identified risk with another source that poses less of a
hazard/threat than the original risk.
• For example, a laboratory conducting research with the
pathogen Bacillus anthracis, responsible for causing the
acute fatal disease anthrax, could potentially substitute a
less dangerous experimental surrogate, such as Bacillus
thuringiensis, an organism most commonly used in
biological pesticides worldwide.
• This decision would significantly reduce the risk of
infection while perhaps not compromising the research
objectives.
• engineering controls
• These control measures are physical changes to work
stations, equipment, production facilities, or any other
relevant aspect of the work environment that reduces or
prevents exposure to hazards.
• A biosafety cabinet, which comes in three levels of
protection, is an example of an engineering control;
Class I and II cabinets are designed with unidirectional,
laminar airflow to direct potentially contaminated air
away from workers and through HEPA filters before
exiting to the environment.
• The Class III cabinets add additional rigorous
containment, using gas-tight glove boxes and other
features.
• Even the simple method of locking laboratory doors is an
example of security-related engineering controls.
• administrative controls.
• These controls are policies, standards, and
guidelines used to control risks.
• Proficiency and competency training for
laboratory staff would be considered an
administrative control.
• Displaying biohazard or warning signage,
markings, and labeling, controlling visitor and
worker access, and documenting written standard
operating procedures are all forms of
administrative controls.
• Practices and procedures
• This includes practices to minimize splashes,
sprays, and aerosols to avoid laboratory-acquired
infections or following standard operating
procedures (SOPs).
• personal protective equipment (PPE)
• These are devices worn by workers to
protect them against chemicals, toxins,
and pathogenic hazards in the laboratory.
• Gloves, gowns, and respirators are all
examples of PPE.
• PPE is considered the least effective
control because it only protects the person
who is wearing it, and only if it is used
correctly. Its failure or inappropriate use,
a rip in the material, or a manufacturing
defect, for example, would likely result in
exposure.
Fit test for N95 mask
• The implementation of engineering controls,
administrative controls, practices and
procedures, and PPE should decrease the
likelihood of risk. Substitution will affect the
consequence side of the equation; elimination of
the hazard will eliminate the risk altogether
 • Performance management is a systematic process
intended to achieve improved levels of organizational
objectives and goals.
• Performance management, as it pertains to the AMP
model, provides direct evidence that an organization can
substantively understand and effectively reduce its
PERFORMA operational risks to an acceptable level.
NCE • The primary goal of performance evaluations is to ensure
that the implemented mitigation measures are indeed
reducing or eliminating risks. Performance evaluations
also help to highlight biorisk strategies that are not
working effectively. Measures that are not effective or are
shown to be unnecessary can be eliminated or replaced.
• Measuring performance is not a short-term goal or
something that can be purchased, but rather a long-term
and evolving goal—it is an iterative process that must be
continually evaluated and adjusted over time.
• 1. Plan: Plan a change and develop goals.
Objectives and processes should be
established to meet targets and goals. PDCA model
• 2. Do: Implement the plan, execute the
process, and test the change.
• 3. Check: Study the actual results and
compare them against the expected
results. Review the test, analyze the
results, and identify what has been
learned. Measure performance. Assess
how the risks are being controlled and if
aims are being achieved.
• 4. Act: Request corrective actions to
address differences between actual and
planned results. Analyze differences to
determine causes. Take action based on
what has been learned. Use what has
been learned to plan new improvements,
beginning the cycle again. Review
performance.