Biological Risk Assessment: General Considerations for Laboratories


What is it?

CDC’s Division of Laboratory Systems knows that incidents involving biological, chemical, physical, and radiological hazards can have a significant impact on the safety and health of those who work in laboratory settings. Risk management is a continuous process to identify, assess (evaluate), control, and monitor risks. The risk assessment components of the overall risk management process are:

Risk Management Process

Illustration of the risk management process, a cycle that follows the steps listed on this page.

See ISO 35001 for the complete risk management process.

Why is it needed?

Many laboratory activities have been linked to undesirable events, including laboratory-acquired infections. These can result from direct contact of the infectious agent with mucous membranes of the eyes, nose or mouth via sprays, splashes, or droplets; inhalation of infectious aerosols generated during activities such as mixing and centrifugation; or from percutaneous inoculation via sharps, needle sticks, or non-intact skin (e.g., scratches and cuts).

To minimize risks and provide a safe work environment, a risk assessment should be performed to evaluate what could go wrong by determining the likelihood that an undesirable incident (e.g., injury, exposure) may occur and the consequences (e.g., infection or disease) if that undesirable incident were to occur.

When is it performed?

Formal risk assessments should be performed before work begins, and repeated when any change is introduced into the activity (e.g., changes in practices, personnel, instrumentation, or facilities). Informal risk assessments, which include short discussions among staff about current risks and mitigations, should occur much more frequently, ideally daily.

Who is involved?

A team should perform risk assessments to ensure various perspectives are considered and to reduce bias. This team could be comprised of senior leadership, clinical laboratory scientists, safety professionals, facility engineers, and others familiar with the site-specific and activity-specific laboratory and testing activities.

How is it conducted?

Overview of the Risk Assessment Process

In general, risk assessments can be broken down into Steps 1-2 in the figure above. The risk assessment should include considerations about the hazards (e.g., biological agent), the specific processes and procedures, existing control measures, the facility and testing environment, and the competency of the testing personnel.

Step 1: Identify the hazards and risks

In this section, learn how to answer these questions:

  • What, where, and how is the work occurring?
  • Who is involved in the work?
  • What can go wrong?

For a specific activity or procedure, identify the hazards in each step or task that must be completed. Ask what, where, and how the work is occurring and who is doing the work. Then, determine what could go wrong in every step of the activity or procedure and the result of the undesirable incident (e.g., injury, exposure, infection, disease). One method of accomplishing this is to perform a job hazard analysis. Examples are depicted below.

Diagram of hazards and related risks, such as sharps that could be needle sticks and potential infection from exposure.

Step 2: Evaluate the risks

In this section, learn how to answer these questions:

  • How likely is a risk and how severe is it?
  • Is the risk acceptable or unacceptable?

a. Characterize the risks  

There are various and multiple risks involved in performing laboratory testing. The risk assessment should evaluate each risk against a standard set of criteria so that the assessed risks can be compared against each other. The criteria should focus on both the likelihood of the undesirable incidents occurring and the consequences if those undesirable incidents were to occur.

Diagram of pre-incident likelihood of risk and post-incident consequences associated with the risk.

Source: Sandia National Laboratory Biosafety and Biosecurity Risk Assessment Technical Guidance Document, 2014.

Likelihood and Consequences of Risk

The likelihood component of risk includes factors that affect whether or not the incident happens and occurs before the actual incident occurs; the consequences of risk considers factors that affect the severity of an incident after it has occurred.

It is important to define what is being evaluated because some factors can affect the likelihood and consequences. For example, the availability of appropriate personal protective equipment (PPE) can reduce the likelihood of exposure but wearing the appropriate PPE correctly can also reduce the consequences if an exposure occurs.

Likelihood of Risk

Some factors to consider that can affect the likelihood of an undesirable incident (such as exposure to a biological agent in this example) include:

  • Biological agent factors
    • Stability in the environment (e.g., ability to produce spores, resistance to disinfectants)
    • Potential routes of transmission (direct mucosal contact, inhalation, ingestion, injection)
    • Endemicity of biological agent in the local environment and population (e.g., endemic or exotic) and host range
    • Life stage/form of the biological agent (e.g., dimorphic fungi, antigenic shift)
    • Communicability
  • Laboratory/testing environment factors
    • Physical infrastructure and existing controls: the type of facility, presence of engineering/safety controls, type of equipment used, function/reliability of ventilation systems
    • Procedural: existence of administrative controls such as policies and training; availability of appropriate PPE; generation of aerosols and use of sharps; amplification of the biological agent by culturing, and the types and complexity of procedures being conducted
  • Human factors
    • Competency of personnel, level of training
    • Behavioral aspects
      • Stress, risk perception, risk tolerance
      • Following safe work practices

To evaluate the consequences after an undesirable incident occurs, assess the characteristics of the hazard(s) or biological agents, the health and immune status of the laboratory/testing personnel, and the availability of vaccines, prophylaxis, or therapies.

Consequences of Risk

Some factors to consider that can affect the consequences of an undesirable incident (such as infection in this example) include:

  • Biological agent factors
    • Virulence factors: adhesion, invasiveness, toxigenesis, production of exoenzymes, antigenic variation, resistance to antibiotics, tissue tropism, multiple replication sites within-host, ability to elicit autoantibodies against host)
    • High communicability
    • Severity of infection/disease (morbidity/mortality rate)
    • Infectious dose
  • Administrative controls
    • Availability of vaccines, prophylaxis, therapeutic interventions, and emergency response procedures
  • Host factors
    • Health and immune status of staff: immunocompetent or immunocompromised, pregnancy, pre-existing medical conditions, allergies, age, large susceptible population
    • Behavioral aspects
      • Willingness to accept vaccines
      • Adherence to safe work practices and proper use of PPE

b. Prioritize the risks and determine if risks are acceptable

It is important to acknowledge that risks can be reduced, but generally cannot be completely eliminated unless the work is discontinued entirely (e.g., elimination) or modified to incorporate less harmful activities such as using surrogates (e.g., substitution).

The risk assessment team should use the results to determine which risks are relatively higher or lower than other risks. Based on the risk assessment, the institution/testing site should determine which risks are acceptable (work can proceed with the existing controls), and which risks are unacceptable (work cannot proceed until additional mitigation controls are implemented to reduce the risk to an acceptable level).

Steps 3-4: Implement a Risk Mitigation Plan

For risks that are determined unacceptable by the institutiona mitigation control plan should be implemented.

Step 5: Evaluate Effectiveness of Controls

The effectiveness of implementing additional controls (e.g., engineering controls, administrative and work practice controls, and use of PPE) should be reviewed and evaluated

For more information on mitigation and evaluation of the performance of controls, see Biosafety in Microbiological and Biomedical Laboratories (BMBL) (6th Edition). 

Contact Us

For more information about this Division of Laboratory Systems biorisk assessment resource, contact us at