SIST-TS CEN/TS 16595:2014

SLOVENSKI STANDARD
01-marec-2014
&%51NHPLþQDELRORãNDUDGLRORãNDLQMHGUVNDWYHJDQMD2FHQMHYDQMHUDQOMLYRVWL
LQ]DãþLWDRJURåHQLKOMXGL
CBRN - Vulnerability Assessment and Protection of People at Risk
ABC-Risiken - Verwundbarkeitsbewertung und Schutz gefährdeter Bevölkerungsteile
NRBC - Evaluation de la vulnérabilité et protection des populations à risque
Ta slovenski standard je istoveten z: CEN/TS 16595:2013
ICS:
13.200 3UHSUHþHYDQMHQHVUHþLQ Accident and disaster control
NDWDVWURI
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

TECHNICAL SPECIFICATION
CEN/TS 16595
SPÉCIFICATION TECHNIQUE
TECHNISCHE SPEZIFIKATION
September 2013
ICS 13.200
English Version
CBRN - Vulnerability Assessment and Protection of People at
Risk
NRBC - Evaluation de la vulnérabilité et protection des ABC-Risiken - Verwundbarkeitsbewertung und Schutz
populations à risque gefährdeter Bevölkerungsteile
This Technical Specification (CEN/TS) was approved by CEN on 19 August 2013 for provisional application.

The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to submit their
comments, particularly on the question whether the CEN/TS can be converted into a European Standard.

CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS available
promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the CEN/TS)
until the final decision about the possible conversion of the CEN/TS into an EN is reached.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2013 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TS 16595:2013: E
worldwide for CEN national Members.

Contents Page
Foreword .3
Introduction .4
1 Scope .5
2 Normative references .5
3 Terms and definitions .5
4 Abbreviated terms .5
5 Vulnerability assessment .6
5.1 Different approaches to vulnerability in social and natural science .6
5.2 Vulnerability assessment .7
6 Protection of the population at risk . 10
6.1 Vulnerability awareness . 10
6.2 Vulnerability management . 12
6.2.1 General approaches . 12
6.2.2 Use of surveys . 17
6.2.3 Use of templates . 19
Annex A (informative) Template for a general management system for CBRN vulnerability
assessment, awareness and management . 21
Annex B (informative) Historical timeline for the development of conceptual models in
vulnerability . 29
Bibliography . 33

Foreword
This document (CEN/TS 16595:2013) has been prepared by Technical Committee CEN/TC 391 “Societal and
Citizen Security”, the secretariat of which is held by NEN.
This Technical Specification (TS) on CBRN vulnerability assessment, awareness and management provides a
common frame of reference and recommends methodologies to assess the vulnerabilities of citizens, first
responders and other assets to an ‘all-hazard’, i.e. natural, incidental or intended, exposure to hazardous
substances.
These hazardous substances could be Chemical, Biological or Radiological (the latter forming the hazardous
part of Nuclear, together abbreviated to CBRN). CBRN agents can cause significant direct and indirect
damage to persons, livestock, vegetation and environment as well as disrupt the system of products and
services we need to sustain our daily livelihoods, i.e. our ‘Critical Infrastructure’.
This Technical Specification can be used as a starting point for further risk and vulnerability assessment and
for guidelines on the many issues surrounding a CBRN incident. It is intended for any organisation involved or
interested in CBRN, both in the private sector and for public authorities.
The elaboration of this European technical specification has been financially supported by the European
Commission and the CIPS programme (Grant agreement HOME /2009/CIPS/FP/CEN-003 VAPPAR).
Important notice:
Whereas the original request called for a ‘risk’-based approach, CEN/TC 391 ‘Societal and Citizen
Security’ recommended to change this to a ‘vulnerability’-based approach. Terms such as ‘risk’ and
‘vulnerability’- and their assessment, awareness and management – can be approached from both a
social sciences as well as a natural sciences approach. By combining the latest academic insights with
operational lessons, this document attempts to reconcile some of the differences between these
conflicting scientific approaches.
It cannot be emphasised enough that this Technical Specification:
 is intended to meet the complex and variable needs of a wide range of different end-users;
 is an initial document of which other versions can be developed in the future;
 offers a common frame of reference and a common context;
 can be viewed in the context of being a ‘standard’, a ‘scientific paper’ and an ‘open source’ document;
 puts a stronger emphasis on ‘recommendations’ then on ‘requirements'. These advantages include the
fact that recommendations facilitate customisation by the end-users themselves and allow for an
interactive, participatory format of tools such as models, tables and checklists;
 is not a European Standard. Technical Specifications such as the VAPPAR document can co-exist with
any national standard whereby specific (national) regulations take precedence over any Technical
Specification.
According to the CEN/CENELEC Internal Regulations, the national standards organisations of the following
countries are bound to announce this Technical Specification: Austria, Belgium, Bulgaria, Croatia, Cyprus,
Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany,
Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland,
Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Introduction
National regulations in most European countries focus on emergency responders (e.g. personal protective
equipment (PPE) and intervention procedures), and European and national regulations regulate contingency
planning of chemical, biological, nuclear and radiological plants and industries. The protection of the
population, animals, vegetation and environment from CBRN incidents is a field in need of a common
understanding of vulnerability assessment, awareness and management.
1 Scope
This Technical Specification is based on an all-hazards approach, with a specific focus on terrorism and other
security related risks. Looking at the combination of threats, vulnerabilities and values to be protected, threats
may be terrorist attacks with chemical, explosive and biological agents, or nuclear waste materials, or with
conventional means on CBRN plants, causing a similar devastating effect on a potentially large scale. Major
CBRN incidents may jeopardise critical infrastructure, while emergency services may have great difficulty
performing their response tasks.
The scope excludes the vulnerability assessment of some specific systems that comply, at the European and
Member State level, with existing sets of legal measures: network for drinking water distribution, food chain
supply and cosmetics and pharmaceutical products production and distribution chains.
The objective of this Technical Specification is to strengthen common understanding and a common frame of
reference for all organisations with an interest and involvement in CBRN. It does so by providing a number of
considerations and tools that can be used in the development of a semi-quantitative conceptual framework for
vulnerability assessment, awareness and management. The vulnerability assessment covers all members of
the population at risk including the requirements of children, the elderly and those with disabilities.
2 Normative references
Not applicable.
3 Terms and definitions
There are various documents that contain terms and definitions related to CBRN. Unfortunately, not all
documents are consistent with each other and it is therefore difficult to find a document which contains
a) all terms, and
b) meets with universal acceptance.
In the context of this document, the following documents are recommended for use by the end user of this
Technical Specification:
 ISO 31000, Risk Management – Principles and Guidelines
 ISO/Guide 73, Risk Management – Vocabulary
 ISO 22300, Societal Security – Terminology
 ISO 22301, Societal Security – Business Continuity Management Systems – Requirements
 ISO 22313, Societal security – business Continuity management systems – Guidance
 CWA 16106, PPE for Chemical, Biological, Radiological and Nuclear (CBRN) Hazards
 ISO 22320, Societal Security – Emergency management – Requirements for Incident Response
The use of the CBRN Glossary of the European Commission is mandatory in Europe
(see http://cbrn.jrc.ec.europa.eu.)
4 Abbreviated terms
B  Biological
C  Chemical
CB  Chemical, Biological
CBRN Chemical, Biological, Radiological, Nuclear
CBRNE Chemical, Biological, Radiological, Nuclear, Energy
CERT Community Emergency Response Team
ED  Emergency Department
MD  Medical Doctor
PPE Personal Protective Equipment
POC Point Of Contact
R  Radiological
RN  Registered Nurse
SWOT Strength, Weaknesses, Opportunities, Threats
VAPPAR Vulnerability Assessment and Protection of People at Risk

5 Vulnerability assessment
5.1 Different approaches to vulnerability in social and natural science
It is very difficult to find universally accepted definitions of ‘Vulnerability' [1].
Vulnerability assessment is only one component of loss estimation and risk assessment. Risk involves
forecasting of loss (and/or gain) and is composed of several components – hazard, vulnerability, exposure,
and coping capacity. Risk and its components are not specific to any feature or field, but are instead
ubiquitous notions applicable to any situation or experience. It is the conceptualisation of these components
(how they are considered, defined, divided, measured, and recombined) that differs.
Which components are considered to contribute to risk and how they are evaluated varies between
disciplines. Investigations in the social sciences consider a more general view of risk for societies at large and
for individuals, while investigations in the natural sciences and engineering give detailed consideration to
structural damage to the built environment and to life-loss.
In natural science, emphasis is placed on characterisation of hazard and exposure, which is quantitatively
strong. Vulnerability is considered a static factor that modifies the amount of loss caused by threats. Coping
capacity receives little, if any, attention.
In social science, emphasis is placed on vulnerability and coping capacity, which are considered as dynamic
and complex properties of a (social) system. Due to the complexity, qualitative methods are favoured. Hazard
is viewed as a static state of the physical/cultural environment and receives minimal attention.
The complementary strengths of natural science and social science perspectives can improve the
understanding and analysis of vulnerability. This requires an adaptation of the comprehensive views on
vulnerability in the social sciences to the more quantitative approaches that are typical of the natural sciences.
One of the challenges is that certain qualities can be dimensioned in a probabilistic fashion and some cannot.
While hazard and risk can be expressed in probabilistic fashion, this is much more difficult with vulnerability.
The often used formalisations of ‘risk’ and ‘vulnerability’ (such as Risk = Probability x Consequence,
Risk=Hazard x Vulnerability, Risk=Hazard x Vulnerability/Coping Capacity) are generalisations that provide
little conceptual understanding and cannot, in and by themselves, be used to consider losses with different
metrics.
Understanding of vulnerability and coping capacity also requires clear and consistent risk terminology, which
is often lacking between and within disciplines.
A further complicating factor is the requirement that both ‘intentional’ and ‘incidental’ causes for a CBRN
events are considered in this Technical Specification. This necessitates a CBRN-specific differentiation
between ‘security’ (= intentional) and ‘safety’ (= incidental).
5.2 Vulnerability assessment
The vulnerability assessment is the overall process of the identification, analysis and evaluation of
vulnerabilities which can be used as a methodology for measures and procedures for CBRN prevention,
detection, decontamination, collective protection for emergency staff, mass protection for the citizens and
mitigation.
A methodological, STEP-BY-STEP approach is needed because even though a vulnerability assessment is
part of comprehensive emergency management, i.e. combining risk, response and consequence-
management approaches, the vulnerability assessment in and by itself is also a complex, systematic process.
Amongst others, it brings together elements such as:
Exposure and Coping Capacity When assessing vulnerability, ‘exposure’ can be considered as the “external”
side of vulnerability and ‘coping capacity’ as the “internal” side of vulnerability.
Environment: local (physical) or context (culture/history)
Consequences: Physical, Economic, Environmental, Administrative, Health
STEP 1: A vulnerability assessment starts by determining the strategic focus of the assessment, such as:
 Geographical scale;
 Time frame (e.g. direct losses or long term losses);
 Which type of consequences to be evaluated (life/health, economic, environmental).
STEP 2: A vulnerability assessment then seeks answers to questions such as:
 Should vulnerability include exposure? Coping capacity? Resilience?
 What is the unambiguous definition of vulnerability?
 Vulnerability of what (elements)? Vulnerability to what (threats)?
STEP 3: A systemic vulnerability assessment model needs to be developed in order to conceptualise and
clarify the relation(s) within and between elements.
The model below can be used as a reference point for vulnerability conceptualisation within risk assessment
context [1].
Figure 1 - Vulnerability conceptualisation within risk assessment context [1]
STEP 4: The selected factors of vulnerability need to be quantified by use of indicators and criteria. Criteria
are often defined as: ‘conditions that need to be met’ and Indicators as: ‘measurable states which allow the
assessment of whether or not criteria are being met’. Their weighting shall be taken in local context.
Consequently, weighting of vulnerability through indicators and criteria is expected to vary with context but will
yield some quantitative estimation of overall vulnerability.
The components of the conceptual model below can be used as a reference point for the quantification of
vulnerability [1].
Figure 2 - Quantification of vulnerability [1]
Suggestions for CBRN Vulnerability indicators
This list presents suggestions for CBRN vulnerability indicators. The list is not intended to be complete but
serves as a mere start to find most appropriate indicators for the specific situation. The measurement of
performance against these indicators may involve fundamentally different scales. An indication is given of the
likely scaling involved and compliance with published criteria.
 Awareness (citizens, responders, management);
 Responsiveness and effectiveness intelligence;
 Social control (neighbourhood watch (who, where, what);
 Willingness to act (citizens, guards, police);
 Possibility of chain effects in storage/transport of CBRN agents;
 Accessibility of indoor public area’s for CBRN agents;
 Accessibility of air inlet or direct vicinity of indoor public area’s for CB vapour/aerosol;
 Accessibility of primary life lines (water, electricity generation and distribution, electronic communication,
food distribution centres);
 Preparedness (training / equipment) (citizens, responders, management);
 Quality of warning systems (C/B/R different detection);
 Total response time;
 Information systems: quality and resilience/back up;
 Prepositioning of resources;
 Response of civilians / community emergency response teams (CERT);
 Amount of citizens within danger range of CBRN industry/storage/transport;
 Ventilation capacity of homes/public area’s after alarm;
 Amount/capacity of responders;
 Amount/capacity of medical aid;
 Redundancy of mass transport possibilities;
 Possibility of chain effects of CBRN agent on critical infrastructure, i.e. ‘cascading’ effects or ‘systemic’
risk (see below).
6 Protection of the population at risk
6.1 Vulnerability awareness
As stated in the scope, a vulnerability assessment covers all members of the population at risk including
groups that are less self-reliant such as children, the infirm, the elderly and those with disabilities. The
population at risk often does not realise that it is in fact ‘at risk’ unless the (potential) consequences become
visible. When intentional or incidental CBRN events cannot be prevented, these potential consequences need
to be considered ahead of time in order to initiate measures and pre-position resources that are required to
reduce the adverse effects.
The required level of awareness is often lacking at the level of (organisations responsible for) the population at
risk because most planning, procedures and policies in Europe tend to focus on pre-impact risk management
(prevention) instead of post-impact consequence management (preparedness).
The level of awareness however, is an important factor in determining the capacity of individuals and groups
of individuals (communities) to anticipate, to cope and to recover from CBRN events (community resilience).
Vulnerability awareness requires, amongst others:
 a focus on consequence management;
 attention directed at the psychological-emotional dimensions of risk (“fear”);
 an effective risk/crisis communication strategy;
 the use of scenarios.
Consequence Management
CBRN agents can cause significant direct and indirect damage to persons, livestock, vegetation and
environment as well as disrupt the system of products and services we need to sustain our daily livelihoods,
i.e. the ‘Critical Infrastructure’.
The European Program for Critical Infrastructure Protection, governed by legislative instrument Council
Directive 2008/114/EC [2], defines critical infrastructure as those physical resources, services, and information
technology facilities, networks and infrastructure assets, which, if disrupted or destroyed would have a serious
impact on the health, safety, security, economic or social well-being of two or more member states.
CBRN incidents can mean rapidly cascading consequences in such diverse areas as energy, communication,
transport, food, water, information technology, manufacturing, financial services, health, government services.
Intentional or incidental CBRN events represent a systemic risk not only for their disruption of the critical
infrastructure but also because of the accompanying societal unrest and collapsing public order, safety and
security. The potentially devastating impact depends on factors such as:
 the extent of the geographic area affected (scope);
 effect of time (i.e. the crossing of for example a radiological cloud across borders);
 level of interdependency (i.e. electricity network failure in one MS effecting another);
 severity (degree of the loss): public, economic, environment, political, psychological.
Attention directed at the psychological-emotional dimensions of risk (“fear”)
Policies and measures that are primarily based on scientific data and probabilistic approaches to untoward
events have a tendency to give the population at risk a false sense of security and often fail to increase the
level of vulnerability awareness.
CBRN events however, are likely to induce fear and are perceived as threatening because of their ability to
spread rapidly, unnoticed and in unpredictable patterns.
An effective risk/communications strategy depends largely in the level of trust between public authorities and
the population at risk. Operational experience from the past indicates that an effective risk/communication
strategy should focus on the three questions most often asked by the population at risk:
 What is my/our risk? (also during a crisis)
 What are you doing to help me/us?
 What can I/we do to help ourselves?
When preparing messages related to each of these three questions, each end-user can create their own
subheadings and decide on the most appropriate timing, channels and target audiences of the message.
The use of scenarios
From the perspective of the population at risk, the use of scenarios, particularly when accompanied by media
attention, the use of non-scientific jargon coupled with strong visualisations of the consequences, and the use
of interactive, participatory techniques are often considered to be most effective in raising awareness.
6.2 Vulnerability management
6.2.1 General approaches
Based on the models and approaches described above, it cannot be emphasised enough that any
organisation involved in CBRN needs to develop its own version of the vulnerability assessment. A general
template for organisations and their management systems is included as Annex A.
Among the lessons learned, on how to approach CBRN vulnerability assessment, awareness and
management from, for example the national government perspective such as is the case in France, the
following practical factors have emerged as worthy to be considered when setting up a vulnerability
management system:
1) Define the desired outcome first and then built in the measures needed to get there.
2) Ensure cross-departmental cooperation at the local level.
3) Ensure it is a framework leaving (local) authorities to deviate when specific circumstances require
this.
4) Define clearly the levels of military involvement (secure, back-up, support).
5) Utilise a scenario and situation-based approach.
Scenarios and situation-based approaches in making CBRN preparations should consider key assumptions
regarding communication, resources, and victims, such as:
 Up to 50 % of personnel may not be available because they left the danger area themselves;
 Due to direct damage or lack of personnel and other resources, multiple sectors of the (local) critical
infrastructure may not be functioning, such as communication, logistics and transport, water, food and
energy;
 Victims will arrive with little or no warning to the treatment facility;
 Societal disruption can cause major problems with maintaining public order and safety;
 Information regarding the hazardous agent(s) will not be available immediately;
 A large number of victims will be self-referred (as many as 80 percent of the total number of victims);
 Victims will not necessarily have been decontaminated prior to arriving at treatment facilities;
 A high percentage of people arriving at a treatment facility will have little or no actual exposure and this
eventuality should be considered in decontamination plans;
 Most victims will go to treatment facilities closest to the site where the emergency occurred;
 Victims will attempt to use other entrances to treatment facilities in addition to designated ones, such as
the emergency department (ED) of a hospital.
Table 1 — Example of a listing of measures for the protection of population at risk by government
(gov) and/or population (pop)
Pre-attack Vulnerability Reduction Measures
gov pop
Safe procedures for handling, storage, shipping, packaging, information flow X
a Assess by intelligence the chemical threat, potential risk, and likelihood of attack X
b Implement coordinated CBRN-defence plan (procedures/responsibilities/budget) X
Select and obtain necessary equipment X
c Conduct training individual and collective, do expectation management X X
d Designate proposed decontamination sites X X
e Designate and prepare shelters. X X
f Prepare to provide first aid for casualties X X
g Conduct medical coordination of warning, establishing a baseline X
h Determine and implement the appropriate personal protection level. X X
i Minimise skin exposure. X
j Continue good hygiene and sanitation practices. X
k Deploy and activate detectors. X
lL Watch for attack indicators (see/smell a chemical cloud or release of agent). X X
m Cover unprotected mission-essential equipment. X
n Establish local procedures for reporting and declaring an “all clear.” X

During-Attack Vulnerability Reduction Actions
Alarm, inform and update (mutual and internal) X X
o Adhere to Attack Warnings, take cover and use protective measures. Warn and assist X X
bystanders to leave contaminated area perpendicular to the wind
p Avoid potentially contaminated surfaces and areas. X
q Obtain and report observations or evidence of an attack. X X
r Survey, control, and mitigate health hazards. Distribute means, Ensure that personnel X X
perform immediate decontamination and self- and buddy-aid.
s Adjust to lowest possible protection level consistent with the threat assessment. X X
t Document individual exposure by Medical staffs. X
u Sample, monitor, and analyse the area for residual hazard. X
v Plan and implement decontamination and contamination containment actions. X X

Post-attack Mitigation Actions
w Follow emergency response procedures, X X
x Coordinate interaction with emergency management agencies as required. X
y Rescue, protect, and decontaminate and treat exposed victims X X
z Establish control measures, such as entry control points X
aa Evacuate and decontaminate the area. X X
bb Conduct early hazard identification. X
cc Preserve evidence as required by current regulations. X
dd Conduct unmasking procedures (upon all clear, else stay protected) X
ee Give “all clear”, restore “business as usual” X
a
ff X X
Post event analysis
a
please note that this example limited to an intentional CBRN attack

A CBRN checklist can also be used as a self-assessment tool. The example below list one that was
developed by the Centre for Excellence in Emergency Preparedness (CEEP) in Canada in 2009 for use in
healthcare facilities but can be easily adapted for use in any other facility or organisation.
NOTE In addition to Chemical, Biological, Radiological and Nuclear, CEEP considers Energy as well. Therefore the
example checklist below mentions CBRNE instead of CBRN.
The instructions for use of this checklist read as follows [3]:
 Items should be answered as follows: Y = yes; N = No; N/A = Not applicable; U= Unsure.
 For every’ ‘U’, the Facility shall identify someone who will clarify the response. In some cases, numerical
information was felt to be more useful.
 The majority of the questions are in the Yes/No/Not Applicable (N/A) format. While it is assumed that a
‘yes’ answer means the issue raised by the question has been addressed, the converse is not true. A ‘No’
or ‘N/A’ answer may mean that the Facility has a gap in its readiness or it may be that the answer was a
product of an active decision.
 This document is not meant to be proscriptive but rather one that is thought-provoking and generates
discussion.
Section 1: Foundational considerations
Person responsible for completing section 1:
a) Has a risk assessment been performed that specifically considers CBRNE incidents?
b) Does the facility disaster plan include specific consideration of CBRNE incidents?
c) Is there a CBRNE planning committee?
d) Is there currently a collaborative relationship with the local Emergency Response Agencies and Public
Health regarding CBRNE incidents?
e) Does the plan detail actions to be taken for both internal and external disasters?
f) Does the CBRNE plan detail how it links with local Emergency Response Agencies?
g) Is the plan widely distributed and readily available throughout the hospital/healthcare facility? (distribution
should include hard copies of the plan and an automated method that is readily available to all staff
members)
h) Does your hospital’s CBRNE preparedness plan address requesting appropriate local, provincial, or
federal resources for assistance?
i) Does the plan specify the number and location of isolation or protective environment rooms?
j) Are these locations clearly identified in a document readily available to the disaster coordinator or
command team?
k) Are isolation facilities monitored to ensure adequate airflow?
Section 2: Planning
Person responsible for completing section 2:
a) Does your facility have a coordinator designated to oversee all CBRNE preparedness efforts?
b) Does your facility have a medically trained person who oversees all training and preparedness efforts as it
relates to your facility’s CBRNE preparedness efforts?
Section 3: Training and awareness
Person responsible for completing section 3:
a) Does every person working in your facility know how to identify signs and symptoms of exposure to
CBRNE agents?
b) Does every person working in the facility know whom to contact internally upon identification of
exposure/symptoms related to CBRNE agents?
c) Is there specific on-going training for personnel assigned to the facility’s CBRN response?
d) Does your facility plan include identification of roles and responsibilities specific to a CBRN event, to
include:
 Security;
 Identification, chain of custody, and storage of contaminated items;
 Analysis of contaminated specimens;
 Transport of contaminated items;
 Transport of contaminated deceased persons;
 Triage personnel;
 Decontamination team;
 Patient care teams;
e) Does your facility’s plan identify positions/individuals to fill roles/responsibilities required for CBRNE
response?
f) Does every person who is part of the CBRNE response team know where the equipment is/how to access
it?
g) Have all members of the CBRNE response team been trained in CBRNE Preparedness?
Section 4: Procedures
Person responsible for completing section 4:
a) Has a method of communication been developed which allows staff to communicate easily with each
other with and without PPE?
b) Has a method of communication been developed that will allow staff to communicate while wearing PPE
with a large number of people simultaneously?
c) Does the facility currently have a baseline established for numbers of patients seen in the facility
Emergency Department, outpatient clinics, or via direct admission, stratified according to clinical
symptoms?
d) Is there a process available to gather and evaluate clinical information when conducting surveillance for
disease secondary to a CBRNE emergency?
e) Does your agency have an internal 24/7 Point of Contact (POC) for CBRNE incidents?
f) If the CBRNE event was criminal, is there a procedure in place to collect and protect evidence?
g) Does your agency have procedures to receive patients who are exposed to CBRNE agents and require
medical care?
h) Is there a plan to segregate/isolate disaster victims from the rest of the hospital if those victims are
contaminated (e.g. by hazardous materials)?
i) Is there a separate entry to the ED for contaminated patients, if necessary?
j) Is there a dedicated facility, area, or portable device for decontamination, if necessary?
k) Has staff assigned to prepare the facility/portable device for use been trained on how to do this?
l) Does the dedicated decontamination area have a “hot” and “cold” zone?
m) Is there a hot and cold water supply to the decontamination area?
n) Is the decontamination area separate (i.e. outside) from the Emergency Department?
o) Can water run-off from the decontamination area be contained?
p) Is the necessary equipment readily available to the ED staff?
q) Can the ventilation system in the ED be isolated from the rest of the facility, if necessary?
r) Does the facility have the ability to shut down air intakes?
s) Have arrangements been made for police or other appropriate support in maintaining order in the vicinity
of the facility, including control of vehicular and pedestrian traffic adjacent to the decontamination site?
t) Are there standard orders developed for various defined CBRNE events?
u) Does your agency have access to dosage requirements for antidotes and therapies for patients (adults
and paediatric) who are exposed to CBRNE agents?
v) Is the necessary drug administering equipment available for the on-hand quantities of antidotes and
therapies?
w) Does your agency have a staff member designated to accept deliveries from the National Pharmaceutical
Stockpile in the event of a CBRNE event?
x) Has your facility ascertained the regulatory requirements for Personal Protective Equipment (PPE) for
employees in the workplace in this type of incident?
y) Have PPE requirements been identified for each group below?
1) Decontamination team;
2) Triage;
3) Caregivers (MD, RN, etc.);
4) Support staff/Maintenance;
5) Administration;
6) Suppliers;
7) Patients/Visitors;
z) Have arrangements for handling of the media be organised?
6.2.2 Use of surveys
A questionnaire on citizen vulnerability towards CBRN can contain elements such as the following:
Table 2 — Elements of a questionnaire on citizen vulnerability towards CBRN
Phase Capability Assessment Comment
Planning Are intelligence services, neighbourhood watch, citizens

instructed correctly to inform authorities in time about
possible dangerous events/situations
Is this information regularly distributed to and
implemented by the responsible persons/groups
Are rules in place to optimise public indoor safety
against CBR incidents, is this regularly checked
Are regular inspections/checks carried out that major Annual inspection?
institutions have appropriate stocks of equipment in
place to deal with the initial stages of a CBRN incident?
Are regularly updated, ethnographic, scalable records Bi-annual surveys might be
kept of populations at risk including citizen, visitors, suggested for this.
business people and individuals in transit?
Are there regularly updated records kept of institutions An annual update may be
where vulnerable people at risk are housed including appropriate which would also
hospitals, homes for the elderly, schools, sanatoria? include ‘under-construction’
institutions.
are procedures in place to record transient population
movements or assemblies of people such as at sporting
venues, public marches?
Have a set of pre-determined public warnings and
instructions been agreed for broadcast of a CBRN
incident? Are they adequate to respond to anxiety?
Has the distribution and content of warning messages
been considered under various failure modes (e.g. loss
of surface transport, loss of communications networks)
and its impact of reaching all the categories of people at
risk?
Has appropriate consideration been given in the design
of warnings and instructions to language and media in
relation to broadcasting of CBRN warnings?
Have budgets, responsibilities and materiel been
appointed and evaluated adequately
Where alternative, commercial services are offered in private hospitals
connection with CBRN events, what measures are in
cleaning companies
place concerning registration, effective policing and

certification
Phase Capability Assessment Comment
Are appropriate modelling techniques available for the
This model would enable a
authorities to predict the likely impact of different agents prioritisation in the
in respect of a different groups of population at risk e.g. deployment of limited
children, those with specific ailments resources.
Mitigation Do the authorities have in place exercise programmes
and have these been undertaken?
Have the authorities put into place CBRN-related Including local first
training programmes for carers looking after vulnerable aid/precautionary measures
individuals? Has the population been informed?
Have citizen representatives been involved in the
planning for CBRN incidents and any exercise and
training programmes?
During Have mechanisms been put in place for the balancing of
Incident citizen privacy interests and the necessary use of
confidential information?
Has accessibility to suitably qualified psychiatrists and
sociologists been arranged who can assist in minimising
panic reactions?
During decontamination and treatment can the support This might include religious
of appropriate individuals be called on to deal with considerations/working with
cultural issues - particularly when treating vulnerable children
members of the population or where cultural issues
might arise?
Return to Where a return to the site of a CBRN incident is not
Normality feasible have options been considered for longer-term
solutions for large numbers of displaced individuals?
Are mechanisms in place for those who have been at
risk to seek redress from the authorities for any failures?
Are mechanisms in place to seek the views of those
who have been at risk, on the way in which the
authorities have performed?
An example of how a template can be prepared which combines elements of a vulnerability assessment in the
form of a survey of the population is the following:
Figure 3 - Template for combining elements of vulnerability assessment in the form of a survey of the
population
6.2.3 Use of templates
A general template, one that can be used to link vulnerability management to risk assessment, contains the
following standard questions:
1) What can cause harm?
2) How often or how likely can danger happen?
The answer to these questions provides the following relevant information:
 Danger identification
 Estimation of frequency of occurrence (hazard)
 Evaluation of loss based on vulnerability of elements at risk (consequence)
 Assessment of severity of consequence and risk
 Acceptability/tolerability of risk, decision-making and mitigation
Another example of step-by-step approach to manage CBRN vulnerability, in this case of a project from
France which focuses on intentional CBRN attack on chemical plants, is the following:
 Step 0: Project planning
 Step 0bis: Initial selection of critical sites
 Step 1: Short description of the studied site
 Step 2: Identification of potential targets and existing countermeasures
 Step 3: Threat assessment
 Step 4: Vulnerability and effects assessment
 Step 5: Identification of complementary countermeasures
Annex A
(informative)
Template for a general management system for CBRN vulnerability
assessment, awareness and management
A.1 General context of the organisation
A.1.1 Understanding the organisation and its context
The organisation should determine external and internal issues that are relevant to its purpose and that affect
its ability to achieve the intended outcome(s) of its CBRN vulnerability assessment, awareness and
management system. This can for instance be done through a SWOT (Strength, Weaknesses, opportunities,
Threats) analysis.
A.1.2 Understanding the needs and expectations of interested parties
The organisation should determine:
 the interested parties that are relevant to the CBRN vulnerability assessment, awareness and
management system, and
 the requirements of these interested p
...