Biosafety prevents accidental exposure. Biosecurity prevents intentional misuse. Both depend on decontamination. This article examines the biosecurity framework for laboratories, the operational requirements that distinguish it from biosafety compliance, and where validated decontamination technology fits in the biorisk management programme.
Biosafety and biosecurity are related but fundamentally distinct disciplines. Biosafety encompasses the containment principles, technologies, and practices that prevent unintentional exposure to biological agents or their inadvertent release. Biosecurity encompasses the principles, technologies, and practices that prevent the unauthorised access, loss, theft, misuse, diversion, or intentional release of biological materials and the equipment, skills, and data related to their handling.1
The WHO LBM 4th edition dedicates Section 8 to laboratory biosecurity, the first time the WHO manual has addressed biosecurity as an integrated component of the laboratory biosafety programme, reflecting the post-COVID recognition that biosafety and biosecurity cannot be managed as independent disciplines.1 The BMBL 6th edition similarly includes a section on laboratory biosecurity within its biosafety framework.2
This article examines the biosecurity framework as it applies to laboratories working with biological agents, the distinction between biosafety and biosecurity in operational terms, the role of decontamination in both frameworks, and where validated VHP decontamination technology supports the integrated biorisk management programme.
Biosafety asks: can this agent escape by accident?
Biosecurity asks: can this agent be taken on purpose?
Decontamination is central to both answers.
1. Biosafety vs. Biosecurity: The Operational Distinction
The distinction between biosafety and biosecurity is not merely academic, it drives different operational requirements, different risk assessment approaches, and different institutional governance structures.
1.1 Biosafety: Protecting People from Agents
Biosafety is concerned with accidental exposure. Its risk assessment framework asks: what is the likelihood that a laboratory worker, the community, or the environment will be unintentionally exposed to a biological agent through normal laboratory operations, equipment failure, procedural error, or natural disaster? The control measures, containment levels, PPE, engineering controls, validated decontamination, are designed to reduce this likelihood to an acceptable level.
1.2 Biosecurity: Protecting Agents from People
Biosecurity is concerned with intentional misuse. Its risk assessment framework asks: what is the likelihood that a biological agent, or the knowledge and equipment required to produce or weaponise it, will be accessed by an unauthorised person with malicious intent? The control measures, physical security, personnel reliability, access control, inventory management, information security, and decontamination and inactivation verification, are designed to prevent this access.
1.3 Where They Converge: Decontamination
Decontamination is the operational domain where biosafety and biosecurity requirements converge. From a biosafety perspective, decontamination prevents accidental exposure during maintenance, waste disposal, and equipment decommissioning. From a biosecurity perspective, decontamination serves an additional function: it provides verified destruction of biological material, ensuring that agents are inactivated before materials leave the controlled environment. This verification function, confirming that what leaves the laboratory is genuinely non-infectious, is a biosecurity requirement that goes beyond the biosafety requirement of reducing microbial load for operator protection.
2. The Biorisk Management Framework
Biorisk management is the integrated approach that encompasses both biosafety and biosecurity within a single management framework. The concept was formalised in CWA 15793:2011, Laboratory Biorisk Management, a CEN Workshop Agreement that provides a performance-based standard for institutions that work with biological agents.3 While CWA 15793 is not a formal ISO or EN standard, it has been widely adopted as the reference framework for biorisk management programmes in laboratories globally.
The biorisk management framework requires institutions to:
- Identify biological risks: both biosafety risks (accidental exposure or release) and biosecurity risks (theft, diversion, misuse, intentional release).
- Assess the level of each risk: considering the nature of the agents, the activities conducted, the capabilities and motivations of potential threat actors, and the existing control measures.
- Implement control measures: engineering controls, administrative controls, PPE, physical security, personnel reliability, and, critically, validated decontamination and inactivation procedures.
- Verify and monitor: ongoing assurance that control measures are effective, including periodic validation of decontamination processes, security audits, and personnel training assessments.
3. Decontamination in the Biosecurity Context
3.1 Inactivation Verification
In a biosafety context, decontamination is validated to demonstrate that the process achieves a specified level of microbial reduction, typically SAL 10−6 using Geobacillus stearothermophilus biological indicators. In a biosecurity context, an additional requirement applies: the institution must be able to demonstrate, through documented, auditable processes, that biological material has been completely inactivated before it is released from the controlled environment.
This verification requirement applies to: waste streams leaving the laboratory (autoclaved waste, chemical disinfection of liquid waste); equipment being decommissioned or transferred; and laboratory spaces being downgraded, decommissioned, or repurposed. In each case, the biosecurity question is: can the institution demonstrate to a regulatory authority, an audit, or an investigation that the material leaving the controlled environment is non-infectious?
3.2 The VHP Advantage for Biosecurity Verification
VHP provides a significant advantage for biosecurity verification compared to liquid chemical disinfectants. The VHP process, with defined concentration, contact time, temperature, and biological indicator validation, generates a documented, auditable cycle record that demonstrates the conditions of decontamination were met. This record, combined with biological indicator results, provides the evidence base for verified inactivation that the biosecurity framework requires.
Formaldehyde fumigation can provide equivalent microbiological efficacy, but its documentation burden is higher (exposure monitoring, neutralisation records, aeration clearance) and its hazard profile creates an institutional liability that complicates the biosecurity governance structure. By comparison, VHP provides the same verification capability with a simpler, cleaner, and more auditable process.
4. The Post-COVID Landscape: Why Biosecurity Matters Now
The COVID-19 pandemic transformed the biosecurity landscape for laboratories in three specific ways:
- Public and political scrutiny: the debate over the origins of SARS-CoV-2, whether zoonotic or laboratory-related, placed biosecurity practices in high-containment laboratories under unprecedented public and political scrutiny. Institutions that cannot demonstrate robust biosecurity governance, including verified decontamination, face reputational and regulatory risk.
- Expansion of high-containment capacity: the pandemic drove a global expansion of BSL-3 laboratory capacity, including in countries and institutions with limited prior experience in high-containment operations. New BSL-3 laboratories require fully integrated biorisk management programmes, not just biosafety compliance, from day one.
- Dual-use research governance: enhanced oversight of dual-use research of concern (DURC) and potential pandemic pathogen (PPP) research has increased the documentation and verification requirements for laboratories working with enhanced pathogens. Validated decontamination with auditable cycle records is a relevant component of this governance.
5. Practical Implementation: Building a Biorisk-Integrated Decontamination Programme
For biosafety officers and institutional biosecurity committees, integrating decontamination into the biorisk management programme requires addressing four elements:
5.1 Standard Operating Procedures
SOPs for decontamination must address both biosafety and biosecurity objectives. This means that the SOP for room-level decontamination at BSL-3, for example, must specify not only the process parameters (agent, concentration, contact time, biological indicator placement) but also the chain of custody for biological indicator results, the documentation and archiving requirements for cycle records, and the authorisation process for releasing the space after decontamination.
5.2 Validation and Revalidation
Initial validation of the decontamination process must be documented and the validation repeated at defined intervals (typically annually or after any change to the process, equipment, or space configuration). VHP validation per ISO 22441:2022 provides a harmonised international framework for this process.4
5.3 Training and Competency
Personnel responsible for decontamination must be trained in both the technical operation of the decontamination system and the biosecurity significance of the verification process. This training should be documented as part of the biorisk management programme and refreshed at defined intervals.
5.4 Audit and Continuous Improvement
The decontamination programme should be included in the scope of both internal biosafety audits and biosecurity assessments. Cycle records, biological indicator results, training records, and SOP revision histories are all auditable elements that contribute to the institution’s demonstration of biorisk management maturity.
6. Conclusion
Biosecurity and biosafety are distinct but converging disciplines, and decontamination is the operational domain where they meet. The post-COVID expansion of BSL-3 capacity, the tightening of dual-use research governance, and the increasing public and regulatory scrutiny of high-containment laboratory operations all demand that institutions move beyond biosafety compliance towards integrated biorisk management, where decontamination is not merely a procedural step but a verified, documented, and auditable component of the institution’s accountability framework.
Vaporized hydrogen peroxide, delivered through the DeloxHP formulation, provides the decontamination technology that this integrated framework requires: validated sporicidal efficacy, documented cycle records for biosecurity verification, no carcinogenic exposure for operators, no toxic residues, and a process that is operationally compatible with the routine decontamination demands of BSL-3 facilities. For institutions building or upgrading their biorisk management programmes, the decontamination system is not an afterthought, it is a foundational element.
Frequently Asked Questions
What is the difference between biosafety and biosecurity?
Biosafety encompasses the containment principles, technologies, and practices that prevent unintentional exposure to biological agents or their inadvertent release. Biosecurity encompasses the principles, technologies, and practices that prevent the unauthorised access, loss, theft, misuse, diversion, or intentional release of biological materials. Both converge at decontamination: biosafety requires decontamination for operator protection, while biosecurity requires decontamination for verified destruction of biological material.1
What is CWA 15793 and how does it relate to laboratory biosecurity?
CWA 15793:2011 is a CEN Workshop Agreement titled Laboratory Biorisk Management that provides a performance-based framework for managing both biosafety and biosecurity risks in laboratories. It is widely adopted as the reference standard for biorisk management programmes globally, though it is not a formal ISO or EN standard. CWA 15793 requires institutions to identify, assess, control, and verify both biosafety and biosecurity risks as part of an integrated management programme.3
Why is decontamination a biosecurity requirement?
In a biosecurity context, decontamination provides verified destruction of biological material, ensuring that agents are completely inactivated before materials, waste, or equipment leave the controlled environment. This verification function supports the institution’s ability to demonstrate to regulators, auditors, or investigators that no viable biological material has been released from the laboratory. VHP, with its documented cycle records and biological indicator validation, provides the auditable evidence base for this verification.
How has COVID-19 changed biosecurity requirements for laboratories?
The COVID-19 pandemic transformed laboratory biosecurity in three ways: unprecedented public and political scrutiny of high-containment laboratory operations (laboratory origin debate); global expansion of BSL-3 capacity in countries and institutions with limited prior experience; and tightened governance of dual-use research of concern (DURC) and potential pandemic pathogen research, with increased documentation and verification requirements for decontamination and inactivation processes.
References
- World Health Organization. Laboratory Biosafety Manual. 4th ed. Section 8: Laboratory biosecurity. Geneva: WHO; 2020. Available from: https://www.who.int/publications/i/item/9789240011311
- Meechan PJ, Wilson DE, eds. Biosafety in Microbiological and Biomedical Laboratories. 6th ed. Atlanta (GA): CDC; Bethesda (MD): NIH; 2020. Available from: https://www.cdc.gov/labs/bmbl/index.html
- European Committee for Standardization. CWA 15793:2011, Laboratory biorisk management. Brussels: CEN; 2011.
- International Organization for Standardization. ISO 22441:2022, sterilization of health care products: low temperature vaporized hydrogen peroxide. Geneva: ISO; 2022.