Environmental, Health and Safety Services

Select Agent and Toxins: Requirements

Facility and Agent Registration

Application for Registration

Any Principal Investigator seeking approval for use of a select agent or toxin must complete an application package and submit it to the University Biosafety Officer. Once the application is received, the University Biosafety Officer will:

  • review the application for completeness and contact the Principal Investigator if there are any questions; and
  • submit the application to the CDC and/or APHIS for review and approval.

While the CDC or APHIS is reviewing the application, the University Biosafety Officer will:

  • inspect the specified facilities to ensure proper biosafety levels are maintained and proper security measures are in place;
  • provide the Principal Investigator with a list of required standard operating procedures, plans, documentation, or additional information that is required for approval; and
  • work with the Principal Investigator to ensure all safety, security, and incident response plans are implemented.

The CDC and/or APHIS will:

  • review the submitted information; and
  • decide whether or not the information provided indicates the facility and related operations are sufficient to possess, use, and transfer select agents and toxins under Virginia Tech’s registration.

The CDC and/or APHIS may request additional information or written plans and conduct a facility inspection prior to issuing an approval.

Approval of Registration

The University Biosafety Officer will notify the Principal Investigator in writing if approval and permission to operate under Virginia Tech’s registration is granted.

Registrations are only valid for the specific select agents and toxins and the specific activities and locations indicated in the information provided on the application forms.

The time required for application review and registration approval varies depending upon the compliance deficiencies that may be identified during the process. If all safety, security, and incident response plans are completed and implemented and the facility meets biosafety level standards, the minimum time for processing is 12 weeks. It has been the university’s experience that 5-6 months is a more realistic timeframe.

Denial of Registration

If the CDC and/or APHIS deny approval, they will inform the University Biosafety Officer. The University Biosafety Officer will, in turn, inform the Principal Investigator. When deficiencies have been resolved, the Principal Investigator may again seek registration.

The Principal Investigator may request a review of a decision denying approval status by submitting a written request for review to the University Biosafety Officer within 30 calendar days after the decision. The appeal must state the factual basis for the appeal. The University Biosafety Officer will then forward the appeal to the CDC and/or APHIS for review.

Amendments to Registration

The University Biosafety Officer must be immediately notified of any intended updates or modifications to the information submitted in the application. This includes changes in:

  • personnel;
  • work locations;
  • protocols and procedures;
  • objectives of research; and
  • select agent strains and toxins.

The CDC and/or APHIS must approve intended modifications BEFORE they are implemented.

Personnel Registration

Personnel must be registered with and approved by the University Biosafety Officer prior to being provided access to select agents or allowed unescorted access to select agent labs or animal rooms.

Application for Registration

  • The Principal Investigator must notify the University Biosafety Officer as soon as possible of new personnel under their direction having a legitimate need to access select agents or toxins.
  • Each prospective select agent user must have the appropriate education, training, and/or experience to handle and manage select agents or toxins. An initial screening must be performed by the Principal Investigator and the University Biosafety Officer to determine if an individual’s background is sufficient or if further education, training, and/or experience is needed.
  • After the initial screening, the individual needing access must submit the required security risk assessment information to the University Biosafety Officer.
  • The University Biosafety Officer will request a unique identifying number from the CDC and/or APHIS for that individual. Once a unique number is assigned, the individual will be given a packet containing fingerprint cards and associated instructions. Fingerprints must be returned to the University Biosafety Officer for submission to the FBI.
  • Security risk assessments generally take 8-12 weeks to complete.

Approval for Access

  • The University Biosafety Officer will notify the individual and Principal Investigator of the security risk assessment results.
  • In addition to the security risk assessment, an individual must also complete university and lab-specific training prior to receiving full approval and access privileges.
  • Access approval is valid for a maximum of five years.

Denial of Access

The University Biosafety Officer will notify the individual and Principal Investigator if an individual’s access approval is denied. The individual and Principal Investigator may appeal the denial by submitting a written request stating the factual basis for the appeal to the University Biosafety Officer within 30 calendar days after the decision.

Termination of Access

  • The Principal Investigator must immediately notify the University Biosafety Officer if an individual plans to leave the university or no longer requires access to select agents or toxins.
  • An individual’s access privileges will be terminated if the individual is reasonably suspected by any Federal law enforcement or intelligence agency of:
    • committing a crime punishable by more than one year in jail;
    • knowing involvement with an organization that engages in domestic or international terrorism or with any other organization that engages in intentional crimes of violence; or
    • being an “agent of a foreign power.”
  • An individual’s access privileges will be terminated if it is determined such action is necessary to protect public health and safety.

Security Requirements

Risk Assessment

  • Each research group, in conjunction with the University Biosafety Officer, must conduct a systematic risk assessment in which threats are defined, vulnerabilities are examined, and risks associated with these vulnerabilities are minimized with a security systems approach.
  • Documentation of security risks and steps taken to minimize these risks should be included in the laboratory’s written security plan.

Written Security Plan

  • Each research group must develop and maintain a site-specific written plan or summary of security measures adopted to prevent unauthorized access of a select agent or toxin. The CDC/NIH guidelines for lab security and emergency response planning must be used when developing the plan.
  • The plan must:
    • include a description of each security risk identified during the assessment phase;
    • at a minimum, adopt the university security requirements;
    • contain a description of any security measures that are specific to their particular facility or research;
    • be submitted to the University Biosafety Officer as part of the application package; and
    • be reviewed by the University Biosafety Officer and Principal Investigator on an annual basis, after any incident, and after any drill or exercise.
  • Drills or exercises must be conducted at least annually to test and evaluate the effectiveness of the plan.
  • The CDC and APHIS have posted guidance and a security plan template intended to assist entities in complying with security requirements:

Inventory and Access Control Requirements

Inventory and Access Control at the Point of Storage

  • Each select agent user or group of users must maintain a current and accurate inventory of each select agent and/or toxin, including viral genetic elements and recombinant nucleic acids, and recombinant organisms, held in long-term storage.
  • Inventory and storage access records must be:
    • located near the storage area and kept secure;
    • maintained by the laboratory for at least three years;
    • reviewed periodically (e.g., at least quarterly by low use areas, at least monthly by high use areas) by the laboratory supervisor for any discrepancies; and
    • provided to the University Biosafety Officer or other regulatory agency during an inspection.

Access Control at the Point of Entry into Secure Area

  • An Entry/Exit Log (pdf) must also be maintained for each secure area. This record must include the:
    • name of each individual entering the area, including the names of escorted individuals (e.g., visitors, Physical Plant personnel, contractors, CDC/APHIS inspectors);
    • date and time the individual(s) entered the area; and
    • date and time the individual(s) exited the area.
  • Entry/exit records must be:
    • placed right inside the first door of the anteroom or right inside the entry door;
    • maintained at least three years; and
    • provided to the University Biosafety Officer or other regulatory agency during an inspection.

Personnel Security Requirements

  • All personnel having a legitimate need for accessing select agents or toxins or areas in which these materials are stored must be registered with and approved by the University Biosafety Officer prior to being provided access. Procedures for registration and approval are described in the Personnel Registration section.
  • While the FBI is conducting its security risk assessment, an individual is allowed to work in a secure area ONLY if an approved individual accompanies them at all times. In addition, the individual may not manipulate select agents or toxins but may observe an approved individual manipulate them.
  • All visitors, maintenance personnel, and other individuals not approved for access must be escorted in secure areas at all times by an approved individual.

Physical Security Requirements

At a minimum, laboratories possessing select agents and toxins must implement the following security measures:

  • Select agents and toxins must be stored and used in areas separated from public use and access areas.
  • All doors to laboratories or storage areas that contain select agents and toxins must be lockable (via key, card key, key pad, biometric device, or a combination of any of these measures). If key locks are used, they must be keyed “direct to control.”
  • A record of the distribution of keys, card keys, combinations, or codes to approved individuals must be maintained by the Principal Investigator. The date of issue, access information (e.g., building, room, freezer), and date of key return must be logged and a signed agreement describing the requirements for possessing the key must be maintained.
  • Quarterly visual key checks must be conducted and documentation must be maintained with the key distribution log.
  • Any loss of key or card key (i.e., any key that cannot be accounted for within 24 hours) or compromise to combinations or codes will require “rekeying” of the secure area(s). The University Biosafety Officer must be notified immediately of any loss or compromise of keys, combinations, passwords, etc.
  • Combinations and codes accessible by all approved individuals must be changed following any staff changes. A rekeying of the secure area must occur if the vacating staff does not return their key within 48 hours of termination of service to Virginia Tech.
  • No sharing of keys or combinations among approved individuals or among approved and non-approved individuals is permitted. Anyone that shares their means of entry into a secure area with another individual will be denied entry into the secure areas until an investigation is complete. Termination of access privileges may occur.
  • All laboratories and storage areas containing select agents and toxins must remain locked except when entering or exiting.
  • All visitors, maintenance/service personnel, or other individuals not approved for access must be escorted in secure areas at all times by an approved individual.
  • Equipment used to store or process select agents and toxins (e.g., freezers, refrigerators, cabinets, incubators, shakers) must be lockable and remain locked unless removing or replacing the select agent or toxin.
  • All unexpected or suspicious packages must be inspected by visual or noninvasive means before they are brought into, or removed from, areas where select agents are stored or used.
  • Suspicious persons or activities must be immediately reported to the Virginia Tech Police and the University Biosafety Officer.

Information Security Requirements

  • Information related to select agents and toxins (e.g., inspection reports; application information; transfer documentation; safety and security information; notifications of releases, loss, or thefts; and research results) is not subject to the Freedom of Information Act (5 USC 552). Sharing of any logs, records, documents and/or other information related to select agent and toxin use areas without the express permission of the University Biosafety Officer is prohibited.
  • Specific security requirements must be developed by each research group and documented. Each research group must establish policies for access, use, storage, and transfer of sensitive files and data. These must be included the site-specific written security plan.
  • Paper Storage Systems
    • All paperwork associated with select agents and toxins (e.g., transfer documents, application information, list of individuals approved for access) must be kept confidential and in a secure location (e.g., locked filing cabinet).
    • Only approved individuals may have access to select agent and toxin information.
  • Computer Information Systems

Incident Response Requirements

Written Incident Response Plan

  • Each research group must develop and maintain an incident response plan to address site-specific procedures for managing:
    • the theft, loss, or release of a select agent or toxin;
    • inventory discrepancies;
    • security breaches;
    • severe weather and other natural disasters;
    • workplace violence;
    • bomb threats;
    • suspicious packages; and
    • emergencies (e.g., fire, gas leak, explosion, power outage).
  • The plan must contain the following information:
    • the hazards associated with the use of select agents and toxins;
    • any hazards associated with response actions that could lead to a spread of a select agent or toxin;
    • emergency contact information;
    • personnel roles and lines of authority and communication;
    • planning and coordination with local emergency responders;
    • procedures to be followed by employees performing rescue or medical duties;
    • emergency medical treatment and first aid;
    • list of personnel protective and emergency equipment, and their locations;
    • site security and control;
    • procedures for emergency evacuation (including type of evacuation, exit route assignments, safe distances, and places of refuge); and
    • decontamination procedures.
  • The written plan must be submitted as part of the application package.
  • The plan must be reviewed by the University Biosafety Officer and Principal Investigator and revised as necessary:
    • at least annually;
    • after any drill or exercise; and
    • after any incident.
  • Drills or exercises must be conducted at least annually with local emergency responders and approved personnel to test and evaluate the effectiveness of the plan. Drills must provide for a debriefing and question and answer session so issues may be discussed and improvements made to incident procedures.

Incident Response Requirements

  • An incident response coordinator must be designated for each research group. This person should have the responsibility and authority to implement requirements of the site-specific incident response plan.
  • All non-emergency incidents must be immediately reported to the University Biosafety Officer. All emergencies must be immediately reported to the Virginia Tech Police and then the University Biosafety Officer.
  • Each entry door into a secure area must list emergency contact information to include:
    • name(s) of designated emergency contact(s);
    • office location(s);
    • work and home phone numbers; and
    • university emergency contact information.

Notification of Theft or Loss

  • Any theft or loss must be immediately reported to the University Biosafety Officer. Thefts or losses must be reported even if the select agent or toxin is subsequently recovered or the responsible parties are identified.
  • The following information must be reported:
    • name of select agent or toxin and any identifying information;
    • an estimate of the quantity lost or stolen;
    • an estimate of the time during which the theft or loss occurred;
    • the location from which the theft or loss occurred; and
    • the list of Federal, State, or local law enforcement agencies to which a report was made.
  • A completed APHIS/CDC Form 3 must be presented to the University Biosafety Officer and APHIS/CDC within seven calendar days.

Notification of Release

  • Any release causing occupational exposure or release occurring outside primary barriers of the biocontainment area must be immediately reported to the University Biosafety Officer. If the University Biosafety Officer is not available, contact the Virginia Tech Police.
  • The following information must be reported:
    • name of select agent or toxin and any identifying information;
    • an estimate of the quantity released;
    • an estimate of the time and duration of the release;
    • the location from which the release occurred;
    • the environment into which the release occurred (e.g., in building or outside of building, waste system);
    • number of potentially exposed individuals;
    • actions taken to respond to the release; and
    • hazards posed by the release.
  • A completed APHIS/CDC Form 3 must be presented to the University Biosafety Officer and APHIS/CDC within seven calendar days.

Biosafety Requirements

Written Biosafety Manual

  • Each research group must develop and maintain a biosafety plan that addresses the risk and resulting containment procedures for working with select agents and toxins and any animals infected with these agents or toxins.
  • The written plan must be submitted as part of the application package.
  • The biosafety manual must be reviewed by the University Biosafety Officer and Principal Investigator and revised as necessary:
    • at least annually;
    • after any drill or exercise; and
    • after any incident.
  • Drills and exercises must be conducted at least annually to test and evaluate the effectiveness of the manual.

Laboratory Safety Requirements

Infectious Agent Research

Toxin Research

Recombinant DNA Research

  • All laboratories working with recombinant DNA must comply with the requirements listed in the NIH Guidelines.

Vertebrate Animal Laboratory Safety Requirements

Infectious Agent Research

Toxin Research

Recombinant DNA Research

  • All recombinant DNA research using animals must comply with the requirements listed in the NIH Guidelines.

Invertebrate Animal Laboratory Safety Requirements

Arthropod Vector Use

  • All arthropod handling associated with biological agent research must comply with the appropriate arthropod containment level requirements as specified by the American Committee of Medical Entomology, a subcommittee of the American Society of Tropical Medicine and Hygiene.

Plant Biocontainment Requirements

Recombinant DNA Research

  • All recombinant DNA research using plants must comply with the requirements listed in the NIH Guidelines.

Training

Approved Individuals

  • Each individual approved for access to select agents and toxins must be trained on all aspects of program requirements. The University Biosafety Officer provides training on all university requirements and each Principal Investigator must provide research-specific training.
  • Each individual must be trained PRIOR to being granted unescorted access to select agents.
  • An annual refresher must be provided by the University Biosafety Officer (for university requirements) and by the Principal Investigator (for research-specific requirements).
  • A record of training (doc) must be maintained for at least three years to document an individual’s training and must include the:
    • individual’s name;
    • date of training;
    • topics covered during the training; and
    • methods used to verify that the individual understood all the requirements for working with select agents and toxins.

Non-approved Individuals

  • Non-approved individuals who must enter secure areas with an escort must be made aware of the hazards associated with select agents and toxins, security requirements, and emergency response procedures prior to entering the area.
  • A record of training must be maintained for at least three years to document an individual’s training and must include the:
    • individual’s name;
    • date of training;
    • topics covered during the training; and
    • methods used to verify that the visitor understood the information.
  • For frequent visitors (i.e., greater than or equal to once a month), the initial training documentation may be dated and signed each time the individual must be escorted rather than using a new form each time. However, if any changes to the hazards, security requirements, or emergency response procedures occur, the visitor must be retrained and new documentation maintained.
  • For infrequent visitors (i.e., less than once a month), a new training and information session must occur each time with documentation maintained.

Transfers

  • Transfer of select agents and toxins may only occur between entities that are approved to possess, use, and transfer the particular agent or toxin to be transferred.

Prior to Transfer

  • An APHIS/CDC Form 2 must be completed by both the sending and receiving entities.
  • Other appropriate permits must be obtained by the recipient:
  • The CDC and/or APHIS must review and approve the transfer PRIOR to its transfer. If approved, the CDC and/or APHIS will issue a transfer authorization number that is valid for 30 days after issuance.

Receipt of Select Agents/Toxins by Virginia Tech

  • All transfers must be coordinated through the University Biosafety Officer. The University Biosafety Officer must be notified at least three working days in advance that the Sender is ready to ship the select agent or toxin to Virginia Tech.
  • All receipts must be made to an approved individual at an approved location.
  • Upon receipt, the receiver must:
    • visually inspect the package for leaks or damage;
    • ensure that the material is entered into the lab’s inventory records; and
    • immediately notify the University Biosafety Officer and the Sender that the package has been received. The University Biosafety Officer will notify the CDC/APHIS within two business days of receipt that the package arrived.
  • If the select agent or toxin is not received within 48 hours of the expected delivery time, the package received is leaking or otherwise damaged, or if the amount received differs from that indicated by the Sender, the University Biosafety Officer must immediately notify the CDC and/or APHIS as well as the Sender.

Transfer of Select Agents and Toxins from Virginia Tech

  • Anyone offering a package for shipment by a commercial carrier must be trained. The University Biosafety Officer is trained and must review all shipments of select agents and toxins.
  • The packaging, labeling, and required shipping documentation must comply with the Department of Transportation Hazardous Materials Regulations and the International Air Transport Association (IATA) guidelines since most shipments are handled by air courier.
    • The IATA publication, Infectious Substances and Diagnostic Specimens Shipping Guidelines is available for purchase from IATA.
    • The World Health Organization (WHO) publishes Guidelines for the Safe Transport of Infectious Substances and Diagnostic Specimens which are applicable to the transport of infectious substances and diagnostic specimens both nationally and internationally. The CDC and IATA requirements for proper packaging and labeling mirror the WHO guidelines.
  • Transfer of select agents and toxins must be by USPS Registered First-Class Mail with return receipt or an equivalent system (e.g., FedEx) that allows for tracking.
  • Pick-up of packages by the courier must occur from an approved location and individual.

Intra-entity Transfers

  • Transfers of select agents and toxins between approved individuals within an approved facility operating under the same registration are exempt from completing an APHIS/CDC Form 2 provided that for each transfer:
    • the Principal Investigator maintains a chain-of-custody record (for at least three years) that includes the:
      • name of select agent or toxin,
      • amount of agent or toxin transferred,
      • date of transfer;
      • sender and recipient names; and
      • the reason for the transfer.
    • And, the movement of the agent or toxin is conducted under the supervision of an approved individual and the University Biosafety Officer approves the transfer.

Records

  • All records related to select agent possession, use, and transfer must be maintained for at least three years and promptly presented upon request to the University Biosafety Officer and governmental officials.
  • Records that must be maintained include:
    • Facility and agent application documentation
      • Current lab layout diagrams
      • Denial, revocation, or suspension appeal documentation
    • Current list of approved individuals
    • Inventory acquisition logs
    • Inventory access logs
    • Entry/exit Logs
    • Security Plan
      • Key distribution logs
      • Rekeying documentation
      • Quarterly visual checks documentation
      • Drills/exercise documentation
      • Annual review documentation
    • Incident Response Plan
      • Incident debriefing documentation
      • Drills/exercise documentation
      • Annual review documentation
    • Biosafety Plan
      • Risk assessments
      • Lab-specific Policies and Procedures
      • Drills/exercise documentation
      • Annual review documentation
    • Annual facility verification documentation
    • Training records
      • Approved individuals
        • Initial training
        • Annual refresher
      • Non-approved individuals
    • Transfer documentation
    • Inspection documentation
      • Reports
      • Plans for correcting deficiencies
      • Documentation of corrected deficiencies
    • Notifications of theft, loss, or release
  • Sharing of any logs, records, documents and/or other information related to select agent and toxin use areas without the express permission of the University Biosafety Officer is prohibited.