SIST-TS CEN/TS 17159:2018

SLOVENSKI STANDARD
SIST-TS CEN/TS 17159:2018
01-junij-2018
Družbena varnost in varnost državljanov - Napotki za upravljanje varnosti v zvezi z
nevarnimi snovmi (CBRNE) v zdravstvenih ustanovah
Societal and citizen security - Guidance for the security of hazardous materials (CBRNE)
in healthcare facilities
Schutz und Sicherheit der Bürger - Leitfaden für die Sicherheit von Gefahrstoffen
(CBRNE) entlang ihres Lebenszyklus in Gesundheitseinrichtungen
Sécurité sociétale - Document d'orientation pour les établissements de soins de santé
relatif à la sécurité des substances NRBCE tout au long de leur cycle de vie
Ta slovenski standard je istoveten z: CEN/TS 17159:2018
ICS:
11.020.99 Drugi standardi v zvezi z Other standards related to
zdravstvom na splošno health care in general
13.300 Varstvo pred nevarnimi Protection against dangerous
izdelki goods
13.310 Varstvo pred kriminalom Protection against crime
SIST-TS CEN/TS 17159:2018 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST-TS CEN/TS 17159:2018

---------------------- Page: 2 ----------------------

SIST-TS CEN/TS 17159:2018


CEN/TS 17159
TECHNICAL SPECIFICATION

SPÉCIFICATION TECHNIQUE

April 2018
TECHNISCHE SPEZIFIKATION
ICS 13.300; 13.310; 11.020.99
English Version

Societal and citizen security - Guidance for the security of
hazardous materials (CBRNE) in healthcare facilities
Sécurité sociétale - Document d'orientation pour les Schutz und Sicherheit der Bürger - Leitfaden für die
établissements de soins de santé relatif à la sécurité Sicherheit von Gefahrstoffen (CBRNE) entlang ihres
des substances NRBCE tout au long de leur cycle de vie Lebenszyklus in Gesundheitseinrichtungen
This Technical Specification (CEN/TS) was approved by CEN on 10 December 2017 for provisional application.

The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to
submit their comments, particularly on the question whether the CEN/TS can be converted into a European Standard.

CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS
available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in
parallel to the CEN/TS) until the final decision about the possible conversion of the CEN/TS into an EN is reached.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and United Kingdom.





EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2018 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TS 17159:2018 E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------

SIST-TS CEN/TS 17159:2018
CEN/TS 17159:2018 (E)
Contents Page
European foreword . 4
Introduction . 5
1 Scope . 6
2 Normative references . 6
3 Terms and definitions . 6
4 General guidance. 9
4.1 Context of CBRNE risks in HCF and other facilities within HCF responsibility . 9
4.1.1 General . 9
4.1.2 High-risk chemical materials/agents . 10
4.1.3 High-risk biological material . 10
4.1.4 High-risk radioactive sources and nuclear materials . 10
4.1.5 Explosives . 10
4.1.6 The relationship between security and safety . 11
4.2 CBRNE security management approach . 11
4.3 CBRNE security threat and risk assessment . 12
4.3.1 General . 12
4.3.2 CBRNE security threat and security risk assessment . 12
4.3.3 Graded Approach . 13
4.3.4 CBRNE security risk assessment. 14
4.3.5 Business impact analysis . 14
4.4 CBRNE security management policy . 14
4.5 CBRNE security design . 17
4.5.1 General . 17
4.5.2 Design and construction . 18
4.6 CBRNE security management plan . 19
4.7 CBRNE information security management . 19
5 General procedures . 20
5.1 Management, roles, and responsibilities . 20
5.2 Competencies . 21
5.3 Training . 21
5.4 Documentation . 22
6 Operational guidance . 22
6.1 Inventory analysis and classification . 22
2

---------------------- Page: 4 ----------------------

SIST-TS CEN/TS 17159:2018
CEN/TS 17159:2018 (E)
6.2 Securing the supply chain . 23
6.2.1 General . 23
6.2.2 Transportation . 24
6.2.3 Suppliers . 24
6.3 Securing controlled areas . 24
6.3.1 Designation of security controlled areas . 24
6.3.2 Access control . 25
6.4 People . 25
6.4.1 General . 25
6.4.2 Staff . 26
6.4.3 Visitors . 29
6.4.4 Patients . 29
6.5 Communication and awareness . 30
6.6 CBRNE security incident response . 31
6.6.1 CBRNE security incident response plan . 31
6.6.2 Notification of the authorities . 32
6.6.3 Incident reporting . 32
7 Evaluation of the CBRNE security management system . 33
Annex A (informative) Guidance for the implementation and operation phase of
generic management systems in HCF . 34
Bibliography . 36

3

---------------------- Page: 5 ----------------------

SIST-TS CEN/TS 17159:2018
CEN/TS 17159:2018 (E)
European foreword
This document (CEN/TS 17159:2018) has been prepared by Technical Committee CEN/TC 391
“Societal and citizen security”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the
subject of patent rights. CEN shall not be held responsible for identifying any or all such patent
rights.
According to the CEN/CENELEC Internal Regulations, the national standards organisations of
the following countries are bound to announce this Technical Specification: Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic
of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia,
Spain, Sweden, Switzerland, Turkey and the United Kingdom.
4

---------------------- Page: 6 ----------------------

SIST-TS CEN/TS 17159:2018
CEN/TS 17159:2018 (E)
Introduction
Protecting citizens, institutions, infrastructures and assets is one of the four key pillars of the
EU’s Counter-Terrorism Strategy. One of its aims is to detect and mitigate risks related to the
acquirement and misuse of hazardous chemical, biological, radioactive or nuclear (CBRN)
materials, such as those referred to in the EU CBRN action plan [1]. There are indications that
terrorists would be interested in using some of these CBRN materials for executing attacks.
Securing them and preventing unauthorized access to them is therefore key to preventing their
misuse. In the action plan, EU member states have planned to enhance the security of CBRN
materials.
One of the industries that uses these hazardous materials in their regular processes is the Health
Care Industry. Possible risk scenarios for this industry could include the theft of CBRN material
from hospitals to perform (complicated) malevolent attacks such as the contamination of major
water supply systems, but also the production (and detonation) of an improvised explosive
device (IED) containing chemical and/or radiological material in public areas that would cause
panic and fear across Europe. Securing these materials in healthcare facilities (HCF) is therefore
important.
This document provides guidance for the design and implementation of a security management
approach and system to deal with security threats involving hazardous CBRNE materials.
Security management of hazardous materials also has a strong relationship with occupational
health and safety (OH&S) management. This standard does not aim to provide guidance for
safety management (i.e. occupational health and safety issues deriving from the improper use of
CBRNE material) as these are already managed via different standards and guidelines. This
relationship is discussed in 4.1.6.
NOTE It is important to emphasize that across the European Union there are several regulatory and
legislative limitations for use of security techniques and technologies, so it is important to take these
limitations into account. Use of the guidelines can vary based on the health care system in each country of
the European Union.
5

---------------------- Page: 7 ----------------------

SIST-TS CEN/TS 17159:2018
CEN/TS 17159:2018 (E)
1 Scope
This Technical Specification provides guidance for managing security of (high risk) chemical,
biological, radioactive, nuclear or Explosive materials, such as those covered by the EU CBRN
action plan, that are used within healthcare facilities (HCF); it covers the lifecycle of such
materials within a HCF’s span of control. In this Technical Specification these materials are
referred to as ‘CBRNE materials’.
It covers the protection of (high risk) CBRNE materials used in healthcare facilities against
security threats relating to their deliberate misuse. It covers the protection of people, assets and
information related to CBRNE materials.
This Technical Specification also applies to circumstances where healthcare is provided at
locations remote from the normal location of the HCF.
This Technical Specification also provides guidance to all stakeholders that are responsible for
each step in a lifecycle of CBRNE materials within the HCF such as such as administrator staff,
facility management staff, logistics and transport staff, medical staff, waste management staff,
domestic staff and security staff as well as visitors and contractors working on the HCF
premises.
This Technical Specification can be applied as part of generic management systems such as
EN ISO 9001 [2], EN ISO 22301 [3], ISO 22320 [4] and possibly ISO 28001 [14].
It does not apply to occupational health and safety issues deriving from the proper and improper
use of such materials.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
CBRNE material
chemical, biological, radioactive, nuclear or explosive material that could harm society or
individuals through their deliberate release, dissemination, or misuse and for which high levels
of security are warranted
[SOURCE: EU CBRN Action Plan [1], adapted]
3.2
CBRNE security management
set of interrelated or interacting elements (system) for managing the security of CBRNE
materials in organisations in order to prevent their deliberate misuse
3.3
design basis threat
DBT
description of the attributes and characteristics of potential insider and/or external adversaries
who might attempt unauthorized removal of CBRNE materials or sabotage against which
a physical protection system is designed and evaluated
[SOURCE: IAEA Development and Use of the Design Basis Threat [15], amended]
6

---------------------- Page: 8 ----------------------

SIST-TS CEN/TS 17159:2018
CEN/TS 17159:2018 (E)
3.4
explosive
reactive compound that contains energy, which when released quickly from the compound, can
produce an explosion that is usually accompanied by the production of light, heat, sound, and
pressure
3.5
explosive precursor
chemical substance which can be made into an explosive with relative ease e.g. by mixing or
blending with other materials, or by simple chemical processing
[SOURCE: Guidance on the EU Marketing and Use of Explosives Precursors Regulations, [8] ]
3.6
healthcare facility
HCF
facility and its organisation, personnel, management and processes which provides health care
such as hospitals, psychiatric clinics and nursing homes including pharmacies, storage and
laboratories within the healthcare facility’s control
Note 1 to entry: HCF refers to singular and plural. HCF’s refers to the possessive subject.
3.7
improvised nuclear device
IND
improvised device that is designed to cause nuclear material contained within it to produce
a nuclear explosion
3.8
life cycle
set of consecutive and interlinked stages of a product system, from raw material acquisition or
generation from natural resources, to use and final disposal
[SOURCE: EN ISO 14040:2006, 3.2 [9]]
3.9
life cycle inventory analysis
phase of life cycle assessment involving the compilation and quantification of inputs and outputs
for a product throughout its life cycle
[SOURCE: EN ISO 14040:2006, 3.3 [9]]
3.10
nuclear material
Uranium 235, Uranium 233 and Plutonium 239
Note 1 to entry: Detailed information can be found in IAEA NSS 13, Section 4, Table 1 [10].
7

---------------------- Page: 9 ----------------------

SIST-TS CEN/TS 17159:2018
CEN/TS 17159:2018 (E)
3.11
occupational Health & Safety
OH&S
conditions and factors that affect, or could affect, the health and safety of employees or other
workers (including temporary workers and contractor personnel), visitors, or any other person
in the workplace
[SOURCE: OHSAS 18001:2007 [11] ]
3.12
radioactive material
material designated in national law, regulation or by a regulatory body as being subject to
regulatory control because of its radioactivity, or, in the absence of such a designation by a State,
any material for which protection is required by the current version of the International Basic
Safety Standards
[SOURCE: IAEA NSS Risk Informed Approach for Nuclear Security Measures, No 24-G, [12],
modified]
3.13
radioactivity
phenomenon whereby atoms undergo spontaneous random disintegration, usually accompanied
by the emission of radiation
[SOURCE: IAEA Safety Glossary [13]]
3.14
radiological dispersal device
RDD
device designed to disperse, usually with explosives, radioactive material in an uncontrolled
way, without the need of nuclear explosion
3.15
risk
expression of the combination of the consequences of an event (including changes in
circumstances) and the associated likelihood of occurrence
[SOURCE: ISO 31000 [21], modified]
3.16
security
resistance to intentional acts designed to cause harm or damage to or by the supply chain
Note 1 to entry: Harm includes psychological and societal harm.
[SOURCE: ISO 28001:2007, 3.20, [14]]
3.17
security risk
expression of the combination of the consequences of a threat once enacted and the associated
vulnerability to that threat at a specific location
8

---------------------- Page: 10 ----------------------

SIST-TS CEN/TS 17159:2018
CEN/TS 17159:2018 (E)
3.18
security threat
situation where an adversary has the capability and the intent to violate security of CBRNE
materials
3.19
security threat scenario
means by which a potential security incident might occur
[SOURCE: ISO 28001:2007, 3.26 [14]]
3.20
security controlled area
area which has specific controls to restrict access to authorized persons only
[SOURCE: CEN/TS 16850:2015, 2.1 [8]]
3.21
security management
systematic and coordinated activities and practices through which an organization optimally
manages its security risks, and the associated potential threats and impacts therefrom
[SOURCE: ISO 28000:2007, 3.3 [5]]
3.22
security management policy
overall intentions and direction of an organization, related to the security of and the framework
for the control of security-related processes and activities that are derived from and are
consistent with the organization’s policy and regulatory requirements
[SOURCE: ISO 28000:2007, 3.5 [5]]
3.23
vulnerability
weakness within the security arrangements which could, at some point, be exploited by a threat
3.24
visitor
person authorized to visit restricted areas who is not a visitor for patients during visiting hours
or person authorized to visit restricted areas who is not part of the HCF´s organization
4 General guidance
4.1 Context of CBRNE risks in HCF and other facilities within HCF responsibility
4.1.1 General
To understand the context of security risks in healthcare facilities, associated with CBRNE
materials, a brief overview is presented below. Recommendations regarding approaches to
security are then presented in subsequent paragraphs.
The major threat from CBRNE materials is that they could be deliberately used for executing
criminal and/or terrorist acts. These materials can, for instance, be placed in locations where
people would be directly harmed by them or they could be deliberately distributed into the
environment through dispersal devices or other means.
9

---------------------- Page: 11 ----------------------

SIST-TS CEN/TS 17159:2018
CEN/TS 17159:2018 (E)
4.1.2 High-risk chemical materials/agents
These are chemicals with the potential to be used to cause death, temporary incapacitation or
permanent harm to humans or animals. This includes all such chemicals, regardless of their
origin or of their method of production, and regardless of whether they are produced in
facilities, in munitions or elsewhere [16].
The wide range of chemicals and materials used in healthcare treatment and associated research
implies that HCF are potential sources of high risk chemical materials / agents or their pre-
cursors.
HCF should consult their national authority to define what is high/medium/low risk material.
4.1.3 High-risk biological material
When speaking of security of biological material the focus lies on pathogens, or parts of them,
and toxin-producing organisms [17]. These can be plant, animal, microorganism and human
derived.
Toxins are also classified as biological agents. These are naturally occurring poisonous chemicals
produced by biological organisms, including plants, animals and microorganisms (although
some may be artificially synthesized).
Some of these materials are extremely important for research and development in the domains
of medicine, biology and agriculture, but on the other hand can be used as biological weapons.
This means that many of them can therefore be used for two purposes. The term used by the
international community for these types of materials is ‘dual use’ [18].
Clearly, HCF and their processes are potential sources of high risk biological materials / agents.
HCF should consult their national authority to define what is high/medium/low risk material.
4.1.4 High-risk radioactive sources and nuclear materials
Radioactive materials give rise to two types of radiological hazard. Firstly, the hazard of external
exposure to the radiation they emit and secondly, internal exposure if radioactive material
enters the body.
Nuclear materials are a special class of radioactive materials which have the potential to be used
to construct devices that also generate large amounts of energy as well as highly penetrating
radiation, through the process of nuclear fission. HCF are extremely unlikely to be sources of
nuclear materials but they may be the source of other radioactive materials that could be used to
aid the construction of an IND or used in a RDD.
HCF should consult their national authority to define what is high/medium/low risk material.
4.1.5 Explosives
Explosives are not routinely used in HCF, but in the context of this Technical Specification the
term Explosives should also be taken to refer to explosive pre-cursor chemicals such as those
listed in Annex I or Annex II of [19] (as amended from time to time) on the marketing and use of
explosives precursors, in a concentration higher than the corresponding limit value set out
therein.
Therefore, such materials are included in the term of high-risk materials/agents for the rest of
this document.
10

---------------------- Page: 12 ----------------------

SIST-TS CEN/TS 17159:2018
CEN/TS 17159:2018 (E)
4.1.6 The relationship between security and safety
It is important to note that safety management and security management serve some common
objectives – the protection of workers, the public and the environment – and that they typically
reflect a common philosophy [6]. To put it simply, in the context of CBRNE materials, the main
difference is that safety is about protecting people from hazardous materials and security is
about protecting hazardous materials from people. Safety incidents are always unintentional
(errors). Safety incidents are errors caused by humans, natural disasters or by failing of
structure (inferior material). Safety incidents are reported widely and shared with peers, to
learn and to avoid new incident. Security incidents are always committed deliberately and
unlawfully or wilfully.
Security management of hazardous materials therefore has a strong relationship with
occupational health and safety (OH&S) management of these materials. Many features of
equipment design or operation serve to enhance both safety and security simultaneously; they
also act to prevent deliberate misuse by intruders.
EXAMPLE Secure storage of hazardous (CBRNE) materials to prevent accidents may also help to
restrict unauthorised access.
In addition, actions undertaken to advance or modify one purpose could adversely affect the
other. This means that decisions regarding OH&S or security require an integrated management
approach and that safety and security issues should be evaluated on mutually supporting and
reinforcing terms.
4.2 CBRNE security management approach
A CBRNE security management approach should be part of an organisations’ overall security
management approach with primary focus on the protection of CBRNE materials and security of
information relating to them. Therefore, a CBRNE security management approach for HCF
should (also see CEN/TS 16850:2015, 3.1 [20]):
— be consistent with the organization’s overall risk and business continuity management
approach;
— be consistent with other security and safety management systems, policies and approaches;
— provide a framework which enables the specification of CBRNE security management
objectives and targets (see Figure 2);
— train staff accordingly on security and security awareness (see 6.5);
— provide operational guidance (standard operating procedures) for the execution of CBRNE
security management tasks/targets;
— be visibly endorsed by top management;
— be documented, implemented, monitored and maintained;
— be communicated to all staff, patients, visitors and other stakeholders present in controlled
areas;
— respect the rights of stakeholders;
— align with the OH&S management approach for hazardous material; and
— be coordinated with OH&S activities to ensure that they do not compromise each other’s
goals.
11

---------------------- Page: 13 ----------------------

SIST-TS CEN/TS 17159:2018
CEN/TS 17159:2018 (E)
4.3 CBRNE security threat and risk assessment
4.3.1 General
For establishing the range and type of security issues that will be addressed in their CBRNE
security management system, HCF should undertake security threat assessments as set out in
4.3.2. The threats that are identified by the threat assessment should each be graded according
to the potential consequences that could arise
...