SIST-TS CEN/TS 16595:2014

SLOVENSKI STANDARD
SIST-TS CEN/TS 16595:2014
01-marec-2014
&%51NHPLþQDELRORãNDUDGLRORãNDLQMHGUVNDWYHJDQMD2FHQMHYDQMHUDQOMLYRVWL
LQ]DãþLWDRJURåHQLKOMXGL
CBRN - Vulnerability Assessment and Protection of People at Risk
ABC-Risiken - Verwundbarkeitsbewertung und Schutz gefährdeter Bevölkerungsteile
NRBC - Evaluation de la vulnérabilité et protection des populations à risque
Ta slovenski standard je istoveten z: CEN/TS 16595:2013
ICS:
13.200 3UHSUHþHYDQMHQHVUHþLQ Accident and disaster control
NDWDVWURI
SIST-TS CEN/TS 16595:2014 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST-TS CEN/TS 16595:2014

---------------------- Page: 2 ----------------------

SIST-TS CEN/TS 16595:2014


TECHNICAL SPECIFICATION
CEN/TS 16595

SPÉCIFICATION TECHNIQUE

TECHNISCHE SPEZIFIKATION
September 2013
ICS 13.200
English Version
CBRN - Vulnerability Assessment and Protection of People at
Risk
NRBC - Evaluation de la vulnérabilité et protection des ABC-Risiken - Verwundbarkeitsbewertung und Schutz
populations à risque gefährdeter Bevölkerungsteile
This Technical Specification (CEN/TS) was approved by CEN on 19 August 2013 for provisional application.

The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to submit their
comments, particularly on the question whether the CEN/TS can be converted into a European Standard.

CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS available
promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the CEN/TS)
until the final decision about the possible conversion of the CEN/TS into an EN is reached.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.





EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2013 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TS 16595:2013: E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------

SIST-TS CEN/TS 16595:2014
CEN/TS 16595:2013 (E)
Contents Page
Foreword .3
Introduction .4
1 Scope .5
2 Normative references .5
3 Terms and definitions .5
4 Abbreviated terms .5
5 Vulnerability assessment .6
5.1 Different approaches to vulnerability in social and natural science .6
5.2 Vulnerability assessment .7
6 Protection of the population at risk . 10
6.1 Vulnerability awareness . 10
6.2 Vulnerability management . 12
6.2.1 General approaches . 12
6.2.2 Use of surveys . 17
6.2.3 Use of templates . 19
Annex A (informative) Template for a general management system for CBRN vulnerability
assessment, awareness and management . 21
Annex B (informative) Historical timeline for the development of conceptual models in
vulnerability . 29
Bibliography . 33

2

---------------------- Page: 4 ----------------------

SIST-TS CEN/TS 16595:2014
CEN/TS 16595:2013 (E)
Foreword
This document (CEN/TS 16595:2013) has been prepared by Technical Committee CEN/TC 391 “Societal and
Citizen Security”, the secretariat of which is held by NEN.
This Technical Specification (TS) on CBRN vulnerability assessment, awareness and management provides a
common frame of reference and recommends methodologies to assess the vulnerabilities of citizens, first
responders and other assets to an ‘all-hazard’, i.e. natural, incidental or intended, exposure to hazardous
substances.
These hazardous substances could be Chemical, Biological or Radiological (the latter forming the hazardous
part of Nuclear, together abbreviated to CBRN). CBRN agents can cause significant direct and indirect
damage to persons, livestock, vegetation and environment as well as disrupt the system of products and
services we need to sustain our daily livelihoods, i.e. our ‘Critical Infrastructure’.
This Technical Specification can be used as a starting point for further risk and vulnerability assessment and
for guidelines on the many issues surrounding a CBRN incident. It is intended for any organisation involved or
interested in CBRN, both in the private sector and for public authorities.
The elaboration of this European technical specification has been financially supported by the European
Commission and the CIPS programme (Grant agreement HOME /2009/CIPS/FP/CEN-003 VAPPAR).
Important notice:
Whereas the original request called for a ‘risk’-based approach, CEN/TC 391 ‘Societal and Citizen
Security’ recommended to change this to a ‘vulnerability’-based approach. Terms such as ‘risk’ and
‘vulnerability’- and their assessment, awareness and management – can be approached from both a
social sciences as well as a natural sciences approach. By combining the latest academic insights with
operational lessons, this document attempts to reconcile some of the differences between these
conflicting scientific approaches.
It cannot be emphasised enough that this Technical Specification:
 is intended to meet the complex and variable needs of a wide range of different end-users;
 is an initial document of which other versions can be developed in the future;
 offers a common frame of reference and a common context;
 can be viewed in the context of being a ‘standard’, a ‘scientific paper’ and an ‘open source’ document;
 puts a stronger emphasis on ‘recommendations’ then on ‘requirements'. These advantages include the
fact that recommendations facilitate customisation by the end-users themselves and allow for an
interactive, participatory format of tools such as models, tables and checklists;
 is not a European Standard. Technical Specifications such as the VAPPAR document can co-exist with
any national standard whereby specific (national) regulations take precedence over any Technical
Specification.
According to the CEN/CENELEC Internal Regulations, the national standards organisations of the following
countries are bound to announce this Technical Specification: Austria, Belgium, Bulgaria, Croatia, Cyprus,
Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany,
Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland,
Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
3

---------------------- Page: 5 ----------------------

SIST-TS CEN/TS 16595:2014
CEN/TS 16595:2013 (E)
Introduction
National regulations in most European countries focus on emergency responders (e.g. personal protective
equipment (PPE) and intervention procedures), and European and national regulations regulate contingency
planning of chemical, biological, nuclear and radiological plants and industries. The protection of the
population, animals, vegetation and environment from CBRN incidents is a field in need of a common
understanding of vulnerability assessment, awareness and management.
4

---------------------- Page: 6 ----------------------

SIST-TS CEN/TS 16595:2014
CEN/TS 16595:2013 (E)
1 Scope
This Technical Specification is based on an all-hazards approach, with a specific focus on terrorism and other
security related risks. Looking at the combination of threats, vulnerabilities and values to be protected, threats
may be terrorist attacks with chemical, explosive and biological agents, or nuclear waste materials, or with
conventional means on CBRN plants, causing a similar devastating effect on a potentially large scale. Major
CBRN incidents may jeopardise critical infrastructure, while emergency services may have great difficulty
performing their response tasks.
The scope excludes the vulnerability assessment of some specific systems that comply, at the European and
Member State level, with existing sets of legal measures: network for drinking water distribution, food chain
supply and cosmetics and pharmaceutical products production and distribution chains.
The objective of this Technical Specification is to strengthen common understanding and a common frame of
reference for all organisations with an interest and involvement in CBRN. It does so by providing a number of
considerations and tools that can be used in the development of a semi-quantitative conceptual framework for
vulnerability assessment, awareness and management. The vulnerability assessment covers all members of
the population at risk including the requirements of children, the elderly and those with disabilities.
2 Normative references
Not applicable.
3 Terms and definitions
There are various documents that contain terms and definitions related to CBRN. Unfortunately, not all
documents are consistent with each other and it is therefore difficult to find a document which contains
a) all terms, and
b) meets with universal acceptance.
In the context of this document, the following documents are recommended for use by the end user of this
Technical Specification:
 ISO 31000, Risk Management – Principles and Guidelines
 ISO/Guide 73, Risk Management – Vocabulary
 ISO 22300, Societal Security – Terminology
 ISO 22301, Societal Security – Business Continuity Management Systems – Requirements
 ISO 22313, Societal security – business Continuity management systems – Guidance
 CWA 16106, PPE for Chemical, Biological, Radiological and Nuclear (CBRN) Hazards
 ISO 22320, Societal Security – Emergency management – Requirements for Incident Response
The use of the CBRN Glossary of the European Commission is mandatory in Europe
(see http://cbrn.jrc.ec.europa.eu.)
4 Abbreviated terms
B  Biological
C  Chemical
5

---------------------- Page: 7 ----------------------

SIST-TS CEN/TS 16595:2014
CEN/TS 16595:2013 (E)
CB  Chemical, Biological
CBRN Chemical, Biological, Radiological, Nuclear
CBRNE Chemical, Biological, Radiological, Nuclear, Energy
CERT Community Emergency Response Team
ED  Emergency Department
MD  Medical Doctor
PPE Personal Protective Equipment
POC Point Of Contact
R  Radiological
RN  Registered Nurse
SWOT Strength, Weaknesses, Opportunities, Threats
VAPPAR Vulnerability Assessment and Protection of People at Risk

5 Vulnerability assessment
5.1 Different approaches to vulnerability in social and natural science
It is very difficult to find universally accepted definitions of ‘Vulnerability' [1].
Vulnerability assessment is only one component of loss estimation and risk assessment. Risk involves
forecasting of loss (and/or gain) and is composed of several components – hazard, vulnerability, exposure,
and coping capacity. Risk and its components are not specific to any feature or field, but are instead
ubiquitous notions applicable to any situation or experience. It is the conceptualisation of these components
(how they are considered, defined, divided, measured, and recombined) that differs.
Which components are considered to contribute to risk and how they are evaluated varies between
disciplines. Investigations in the social sciences consider a more general view of risk for societies at large and
for individuals, while investigations in the natural sciences and engineering give detailed consideration to
structural damage to the built environment and to life-loss.
In natural science, emphasis is placed on characterisation of hazard and exposure, which is quantitatively
strong. Vulnerability is considered a static factor that modifies the amount of loss caused by threats. Coping
capacity receives little, if any, attention.
In social science, emphasis is placed on vulnerability and coping capacity, which are considered as dynamic
and complex properties of a (social) system. Due to the complexity, qualitative methods are favoured. Hazard
is viewed as a static state of the physical/cultural environment and receives minimal attention.
The complementary strengths of natural science and social science perspectives can improve the
understanding and analysis of vulnerability. This requires an adaptation of the comprehensive views on
vulnerability in the social sciences to the more quantitative approaches that are typical of the natural sciences.
One of the challenges is that certain qualities can be dimensioned in a probabilistic fashion and some cannot.
While hazard and risk can be expressed in probabilistic fashion, this is much more difficult with vulnerability.
6

---------------------- Page: 8 ----------------------

SIST-TS CEN/TS 16595:2014
CEN/TS 16595:2013 (E)
The often used formalisations of ‘risk’ and ‘vulnerability’ (such as Risk = Probability x Consequence,
Risk=Hazard x Vulnerability, Risk=Hazard x Vulnerability/Coping Capacity) are generalisations that provide
little conceptual understanding and cannot, in and by themselves, be used to consider losses with different
metrics.
Understanding of vulnerability and coping capacity also requires clear and consistent risk terminology, which
is often lacking between and within disciplines.
A further complicating factor is the requirement that both ‘intentional’ and ‘incidental’ causes for a CBRN
events are considered in this Technical Specification. This necessitates a CBRN-specific differentiation
between ‘security’ (= intentional) and ‘safety’ (= incidental).
5.2 Vulnerability assessment
The vulnerability assessment is the overall process of the identification, analysis and evaluation of
vulnerabilities which can be used as a methodology for measures and procedures for CBRN prevention,
detection, decontamination, collective protection for emergency staff, mass protection for the citizens and
mitigation.
A methodological, STEP-BY-STEP approach is needed because even though a vulnerability assessment is
part of comprehensive emergency management, i.e. combining risk, response and consequence-
management approaches, the vulnerability assessment in and by itself is also a complex, systematic process.
Amongst others, it brings together elements such as:
Exposure and Coping Capacity When assessing vulnerability, ‘exposure’ can be considered as the “external”
side of vulnerability and ‘coping capacity’ as the “internal” side of vulnerability.
Environment: local (physical) or context (culture/history)
Consequences: Physical, Economic, Environmental, Administrative, Health
STEP 1: A vulnerability assessment starts by determining the strategic focus of the assessment, such as:
 Geographical scale;
 Time frame (e.g. direct losses or long term losses);
 Which type of consequences to be evaluated (life/health, economic, environmental).
STEP 2: A vulnerability assessment then seeks answers to questions such as:
 Should vulnerability include exposure? Coping capacity? Resilience?
 What is the unambiguous definition of vulnerability?
 Vulnerability of what (elements)? Vulnerability to what (threats)?
STEP 3: A systemic vulnerability assessment model needs to be developed in order to conceptualise and
clarify the relation(s) within and between elements.
The model below can be used as a reference point for vulnerability conceptualisation within risk assessment
context [1].
7

---------------------- Page: 9 ----------------------

SIST-TS CEN/TS 16595:2014
CEN/TS 16595:2013 (E)

Figure 1 - Vulnerability conceptualisation within risk assessment context [1]
STEP 4: The selected factors of vulnerability need to be quantified by use of indicators and criteria. Criteria
are often defined as: ‘conditions that need to be met’ and Indicators as: ‘measurable states which allow the
assessment of whether or not criteria are being met’. Their weighting shall be taken in local context.
Consequently, weighting of vulnerability through indicators and criteria is expected to vary with context but will
yield some quantitative estimation of overall vulnerability.
The components of the conceptual model below can be used as a reference point for the quantification of
vulnerability [1].
8

---------------------- Page: 10 ----------------------

SIST-TS CEN/TS 16595:2014
CEN/TS 16595:2013 (E)

Figure 2 - Quantification of vulnerability [1]
Suggestions for CBRN Vulnerability indicators
This list presents suggestions for CBRN vulnerability indicators. The list is not intended to be complete but
serves as a mere start to find most appropriate indicators for the specific situation. The measurement of
performance against these indicators may involve fundamentally different scales. An indication is given of the
likely scaling involved and compliance with published criteria.
 Awareness (citizens, responders, management);
 Responsiveness and effectiveness intelligence;
 Social control (neighbourhood watch (who, where, what);
 Willingness to act (citizens, guards, police);
 Possibility of chain effects in storage/transport of CBRN agents;
9

---------------------- Page: 11 ----------------------

SIST-TS CEN/TS 16595:2014
CEN/TS 16595:2013 (E)
 Accessibility of indoor public area’s for CBRN agents;
 Accessibility of air inlet or direct vicinity of indoor public area’s for CB vapour/aerosol;
 Accessibility of primary life lines (water, electricity generation and distribution, electronic communication,
food distribution centres);
 Preparedness (training / equipment) (citizens, responders, management);
 Quality of warning systems (C/B/R different detection);
 Total response time;
 Information systems: quality and resilience/back up;
 Prepositioning of resources;
 Response of civilians / community emergency response teams (CERT);
 Amount of citizens within danger range of CBRN industry/storage/transport;
 Ventilation capacity of homes/public area’s after alarm;
 Amount/capacity of responders;
 Amount/capacity of medical aid;
 Redundancy of mass transport possibilities;
 Possibility of chain effects of CBRN agent on critical infrastructure, i.e. ‘cascading’ effects or ‘systemic’
risk (see below).
6 Protection of the population at risk
6.1 Vulnerability awareness
As stated in the scope, a vulnerability assessment covers all members of the population at risk including
groups that are less self-reliant such as children, the infirm, the elderly and those with disabilities. The
population at risk often does not realise that it is in fact ‘at risk’ unless the (potential) consequences become
visible. When intentional or incidental CBRN events cannot be prevented, these potential consequences need
to be considered ahead of time in order to initiate measures and pre-position resources that are required to
reduce the adverse effects.
The required level of awareness is often lacking at the level of (organisations responsible for) the population at
risk because most planning, procedures and policies in Europe tend to focus on pre-impact risk management
(prevention) instead of post-impact consequence management (preparedness).
The level of awareness however, is an important factor in determining the capacity of individuals and groups
of individuals (communities) to anticipate, to cope and to recover from CBRN events (community resilience).
Vulnerability awareness requires, amongst others:
 a focus on consequence management;
 attention directed at the psychological-emotional dimensions of risk (“fear”);
 an effective risk/crisis communication strategy;
10

---------------------- Page: 12 ----------------------

SIST-TS CEN/TS 16595:2014
CEN/TS 16595:2013 (E)
 the use of scenarios.
Consequence Management
CBRN agents can cause significant direct and indirect damage to persons, livestock, vegetation and
environment as well as disrupt the system of products and services we need to sustain our daily livelihoods,
i.e. the ‘Critical Infrastructure’.
The European Program for Critical Infrastructure Protection, governed by legislative instrument Council
Directive 2008/114/EC [2], defines critical infrastructure as those physical resources, services, and information
technology facilities, networks and infrastructure assets, which, if disrupted or destroyed would have a serious
impact on the health, safety, security, economic or social well-being of two or more member states.
CBRN incidents can mean rapidly cascading consequences in such diverse areas as energy, communication,
transport, food, water, information technology, manufacturing, financial services, health, government services.
Intentional or incidental CBRN events represent a systemic risk not only for their disruption of the critical
infrastructure but also because of the accompanying societal unrest and collapsing public order, safety and
security. The potentially devastating impact depends on factors such as:
 the extent of the geographic area affected (scope);
 effect of time (i.e. the crossing of for example a radiological cloud across borders);
 level of interdependency (i.e. electricity network failure in one MS effecting another);
 severity (degree of the loss): public, economic, environment, political, psychological.
Attention directed at the psychological-emotional dimensions of risk (“fear”)
Policies and measures that are primarily based on scientific data and probabilistic approaches to untoward
events have a tendency to give the population at risk a false sense of security and often fail to increase the
level of vulnerability awareness.
CBRN events however, are likely to induce fear and are perceived as threatening because of their ability to
spread rapidly, unnoticed and in unpredictable patterns.
An effective risk/communications strategy depends largely in the level of trust between public authorities and
the population at risk. Operational experience from the past indicates that an effective risk/communication
strategy should focus on the three questions most often asked by the population at risk:
 What is my/our risk? (also during a crisis)
 What are you doing to help me/us?
 What can I/we do to help ourselves?
When preparing messages related to each of these three questions, each end-user can create their own
subheadings and decide on the most appropriate timing, channels and target audiences of the message.
The use of scenarios
From the perspective of the population at risk, the use of scenarios, particularly when accompanied by media
attention, the use of non-scientific jargon coupled with strong visualisations of the consequences, and the use
of interactive, participatory techniques are often considered to be most effective in raising awareness.
11

---------------------- Page: 13 ----------------------

SIST-TS CEN/TS 16595:2014
CEN/TS 16595:2013 (E)
6.2 Vulnerability management
6.2.1 General approaches
Based on the models and approaches described above, it cannot be emphasised enough that any
organisation involved in CBRN needs to develop its own version of the vulnerability assessment. A general
template for organisations and their management systems is included as Annex A.
Among the lessons learned, on how to approach CBRN vulnerability assessment, awareness and
management from, for example the national government perspective such as is the case in France, the
following practical factors have emerged as worthy to be considered when setting up a vulnerability
management system:
1) Define the desired outcome first and then built in the measures needed to get there.
2) Ensure cross-departmental cooperation at the local level.
3) Ensure it is a framework leaving (local) authorities to deviate when specific circumstances require
this.
4) Define clearly the levels of military involvement (secure, back-up, support).
5) Utilise a scenario and situation-based approach.
Scenarios and situation-based approaches in making CBRN preparations should consider key assumptions
regarding communication, resources, and victims, such as:
 Up to 50 % of personnel may not be available because they left the danger area themselves;
 Due to direct damage or lack of personnel and other resources, multiple sectors of the (local) critical
infrastructure may not be functioning, such as communication, logistics and transport, water, food and
energy;
 Victims will arrive with little or no warning to the treatment facility;
 Societal disruption can cause major problems with maintaining public order and safety;
 Information regarding the hazardous agent(s) will not be available immediately;
 A large number of victims will be self-referred (as many as 80 percent of the total number of victims);
 Victims will not necessarily have been decontaminated prior to arriving at treatment facilities;
 A high percentage of people arriving at a treatment facility will have little or no actual exposure and this
eventuality should be considered in decontamination plans;
 Most victims will go to treatment facilities closest to the site where the emergency occurred;
 Victims will attempt to use other entrances to treatment facilities in addition to designated ones, such as
the emergency department (ED) of a hospital.
12

---------------------- Page: 14 ----------------------

SIST-TS CEN/TS 16595:2014
CEN/TS 16595:2013 (E)
Table 1 — Example of a listing of measures for the protection of population at risk by government
(gov) and/or population (pop)
Pre-attack Vulnerability Reduction Measures
gov pop
Safe procedures for handling, storage, shipping, packaging, information flow X
a Assess by intelligence the chemical threat, potential risk, and likelihood of attack X
b Implement coordinated CBRN-defence plan (procedures/responsibilities/budget) X
Select and obtain necessary equipment X
c Conduct training individual and collective, do expectation management X X
d Designate proposed decontamination sites X X
e Designate and prepare shelters. X X
f Prepare to provide first aid for casualties X X
g Conduct medical coordination of warning, establishing a baseline X
h Determine and implement the appropriate personal protection level. X X
i Minimise skin exposure. X
j Continue good hygiene and sanitation practices. X
k Deploy and activate detectors. X
lL Watch for attack indicators (see/smell a chemical cloud or release of agent). X X
m Cover unprotected mission-essential equipment. X
n Establish local procedures for reporting and declaring an “all clear.” X

During-Attack Vulnerability Reduction Actions
Alarm, inform and update (mutual and internal) X X
o Adhere to Attack Warnings, take cover and use protective measures. Warn and assist X X
bystanders to leave contaminated area perpendicular to the wind
p Avoid potentially contaminated surfaces and areas. X
q Obtain and report observations or evidence of an attack. X X
r Survey, control, and mitigate health hazards. Distribute means, Ensure that personnel X X
perform immediate decontamination and self- and buddy-aid.
s Adjust to lowest possible protection level consistent with the threat assessment. X X
t Document individual exposure by Medical staffs. X
u Sample, monitor, and analyse the area for residual hazard. X
v Plan and implement decontamination and conta
...