This is the accessible text file for GAO report number GAO-10-850 entitled 'Biological Laboratories: Design and Implementation Considerations for Safety Reporting Systems' which was released on October 12, 2010. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: September 2010: Biological Laboratories: Design and Implementation Considerations for Safety Reporting Systems: GAO-10-850: GAO Highlights: Highlights of GAO-10-850, a report to congressional requesters. Why GAO Did This Study: As the number of biological labs increases, so too do the safety risks for lab workers. Data on these risks—collected through a safety reporting system (SRS) from reports of hazards, incidents, and accidents—can support safety efforts. However, no such system exists for all biological labs, and a limited system—managed by the Centers for Disease Control and Prevention (CDC) and the Animal and Plant Health Inspection Service (APHIS)—applies to only a subset of these labs. While a national SRS has been proposed, design and implementation are complex. In this context, GAO was asked to identify lessons from (1) the literature and (2) case studies; and to apply those lessons to (3) assess CDC and APHIS’s theft, loss, or release (TLR) system for select agents, such as anthrax, and (4) suggest design and implementation considerations for a labwide SRS. To do its work, GAO analyzed SRS literature; conducted case studies of SRSs in aviation, commercial nuclear, and health care industries; and interviewed agency officials and biosafety specialists. What GAO Found: According to the literature, effective design and implementation of a safety reporting system (SRS) includes consideration of program goals and organizational culture to guide decisions in three key areas: (1) reporting and analysis, (2) reporter protection and incentives, and (3) feedback mechanisms. Program goals are best identified through stakeholder involvement and organizational culture, through assessment. Case studies of SRSs in three industries—aviation, commercial nuclear, and health care—indicate that (1) assessment, dedicated resources, and management focus are needed to understand and improve safety culture; (2) broad reporting thresholds, experience-driven classification schemes, and local-level processing are useful SRS features in industries new to safety reporting; (3) strong legal protections and incentives encourage reporting and prevent potential confidentiality breaches; and (4) a central, industry-level unit facilitates lesson sharing and evaluation. While the CDC and APHIS Select Agent Program (SAP) has taken steps in the three key areas to improve the usefulness of the TLR system for select agents, steps for improvement remain. Specifically, the agencies have taken steps to better define reportable events, ensure the confidentiality of reports, and dedicate resources to use TLR data for safety improvement. However, lessons from the literature and case studies suggest additional steps in the three key areas to enhance the usefulness of the system. For example, lowering reporting thresholds could provide precursor data and limited immunity could increase the incentive to report. Finally, the CDC and APHIS are in a unique position-—as recognized authorities in the lab community and with access to TLR reports from across the industry-—to guide SRS evaluation and ensure safety lessons are broadly disseminated. For a national safety reporting system for all biological labs, existing information—about labs’ organizational culture and the lab community’s limited experience with SRSs—suggests the following features in the three key areas: * Reporting and analysis. Reporting should be voluntary; available to all workers; cover hazards, incidents, and less serious accidents; accessible in various modes (Web and postal); and with formats that allow workers to report events in their own words to either an internal or external SRS system. * Reporter protections and incentives. Strong confidentiality protections, data deidentification processes, and other reporting incentives are needed to foster trust in reporting. * Feedback mechanisms. SRS data should be used at both the local and industry levels for safety improvement. An industry-level entity is needed to disseminate SRS data and to support evaluation. What GAO Recommends: GAO recommends that, in developing legislation for a national SRS for biological labs, Congress consider provisions for certain system features. GAO also recommends three improvements to the CDC and APHIS TLR system. HHS disagreed with the first two recommendations and partially agreed with the third. USDA agreed with the three recommendations. View [hyperlink, http://www.gao.gov/products/GAO-10-850] or key components. For more information, contact Thomas J. McCool at (202) 512-2642 or mccoolt@gao.gov. [End of section] Contents: Letter: Background: Program Goals and Organizational Culture Guide Safety Reporting System Design and Implementation in Three Key Areas: Case Studies Demonstrate the Need for Assessment and Resources in Design and Implementation and Suggest Certain Features in the Three Key Areas: The CDC and APHIS Have Taken Steps to Improve the Usefulness of the TLR Reporting System; Lessons from the Literature and Case Studies Suggest Additional Steps: Existing Information on Biological Labs and Lessons from the Literature and Case Studies Suggest Specific SRS Design and Implementation Considerations: Conclusions: Matters for Congressional Consideration: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methods: Appendix II: Summary of Lessons from the Literature and Case Studies: Appendix III: Comments from the Department of Health and Human Services: Appendix IV: Comments from the Department of Agriculture: Appendix V: GAO Contact and Staff Acknowledgments: Bibliography of Articles Used to Develop SRS Lessons from the Literature: Bibliography of Other Literature Used in the Report: Figures: Figure 1: The Risk Pyramid for Safety Events: Figure 2: Relationship of Program Goals, Organizational Culture, and the Three Key Areas and Subcategories: Figure 3: Growth in Aviation and VA Health Care Safety Reporting, 1981 to 2008: Figure 4: Relationship of Program Goals, Organizational Culture, and the Three Key Areas: Figure 5: First Key Area--Reporting and Analysis: Figure 6: Second Key Area--Reporter Protections and Incentives: Figure 7: Third Key Area--Feedback Mechanisms: Abbreviations: ABSA: American Biological Safety Association: AHRQ: Agency for Healthcare Research and Quality: APHIS: Animal and Plant Health Inspection Service: ASAP: Aviation Safety Action Program: ASM: American Society for Microbiology: ASRS: Aviation Safety Reporting System: BMBL: Biosafety in Microbiological and Biomedical Laboratories: BSC: biological safety cabinet: BSL: biosafety level: CDC: Centers for Disease Control and Prevention: ERT: event review team: FAA: Federal Aviation Administration: FOIA: Freedom of Information Act: HHS: Department of Health and Human Services: INPO®: Institute of Nuclear Power Operators: LAI: laboratory-acquired infection: MMWR: Morbidity and Mortality Weekly Report: NAPA: National Academy of Public Administration: NASA: National Aeronautics and Space Administration: NCPS: National Center for Patient Safety: NIH: National Institutes of Health: NN®: Nuclear Network: NRC: Nuclear Regulatory Commission: NTSB: National Transportation Safety Board: OIG: Office of Inspector General: OSHA: Occupational Safety and Health Administration: PSIS: Patient Safety Information System: PSRS: Patient Safety Reporting System: SAP: Select Agent Program: SEE-IN®: Significant Event Evaluation--Information Network: SRS: safety reporting system: TMI: Three Mile Island: TLR: theft, loss, release: USDA: Department of Agriculture: VA: Department of Veterans Affairs: VDRP: Voluntary Disclosure Reporting Program: VSP: Voluntary Safety Programs Branch: [End of section] United States Government Accountability Office: Washington, DC 20548: September 10, 2010: The Honorable Joe Barton: Ranking Member: Committee on Energy and Commerce: House of Representatives: The Honorable Michael Burgess: Ranking Member: Subcommittee on Oversight and Investigations: Committee on Energy and Commerce: House of Representatives: The Honorable Greg Walden: House of Representatives: The growing federal emphasis on identifying and protecting against biological weapons attacks, as well as other factors, have led to an increase in the number of biological laboratories in the United States. Although data suggest that injury and illness rates for these labs are below that of general industry, working with infectious agents always involves inherent risk.[Footnote 1] To date, catastrophes have been avoided in the United States, although serious injuries and deaths have occurred among laboratory workers.[Footnote 2] These injuries and deaths might have been prevented had relevant data on safety been quickly shared throughout the laboratory community. For example, two microbiologists died in July and December 2000 of a laboratory-acquired infection (LAI) from exposure to bacterium Neisseria meningitidis. In a review of how often this LAI had occurred, investigators found 14 previously unreported LAIs from exposure to the bacteria--8 of which were fatal.[Footnote 3] Had these LAIs been reported and the safety issues surrounding this specific bacterium communicated earlier, the two deaths in 2000 might have been prevented. Given the increase in biological labs and therefore risks, it is essential to understand the sources of risk and how to communicate them.[Footnote 4] These sources can best be identified through the collection of safety data. Such data can come from accidents that result in injuries or deaths. However, they can also come from concerns about hazardous conditions or incidents such as errors without consequences, near misses, or close calls. Collecting data on accidents, incidents, and hazards can help identify accident precursors--the actions, nonactions, processes, and environmental or mechanical conditions that can lead to accidents.[Footnote 5] If the precursors can be identified, communicated, and eliminated, the occurrence of accidents--in particular those resulting in injury or death--might be prevented. Safety reporting systems (SRS) are a key tool industries use to collect such information. However, there is no national labwide SRS for quickly and efficiently collecting, analyzing, and communicating such information for biological labs. Nevertheless, some mechanisms exist through which such data might be communicated. For example, incidents of LAIs are sometimes reported in academic journals, in the U.S. Department of Health and Human Services' (HHS) Centers for Disease Control and Prevention's (CDC) Morbidity and Mortality Weekly Reports (MMWR), or as a result of Occupational Health and Safety Administration (OSHA) regulations. However, there are a variety of barriers to reporting through these mechanisms, and it is generally acknowledged that LAIs are underreported because of concerns about stigma or punishment. Consequently, a great deal of potential safety data is never communicated. In addition, the CDC and the U.S. Department of Agriculture's (USDA) Animal and Plant Health Inspection Service (APHIS) together maintain a mandatory reporting system for theft, loss, and release (TLR) of select agents,[Footnote 6] as required under the select agent regulations.[Footnote 7] However, we have found lapses in labs reporting to this program,[Footnote 8] suggesting the need for improvement. Moreover, the Select Agent Program regulates only those labs that possess, use, and transfer select agents and toxins, and therefore covers only a fraction of U.S. biological labs for which there is no SRS.[Footnote 9] Consequently, a great deal of valuable safety data falls through the cracks, and potentially avoidable accidents continue to occur. Recognizing the need for an effective mechanism to collect safety data, bills were introduced in both the Senate and House of Representatives that, if enacted, would establish a new SRS for all biological labs.[Footnote 10] While this legislation provides a framework for establishing such a system, questions remain about what constitutes the most effective design and implementation features for a biological lab SRS. Despite these questions, it is known that effective design and implementation include the use of existing information, such as from the literature and case studies, to identify lessons learned that can guide decisions. For example, when the health care industry began to explore the potential of SRSs for hospitals, many in the industry looked to the literature and other industries, such as aviation, to identify lessons learned for design and implementation. Similarly, for biological labs, although they are a unique working environment, information from the literature and other industries can identify lessons learned for the design and implementation of a lab SRS.[Footnote 11] You therefore asked us to identify lessons for designing and implementing an effective lab safety reporting system, from (1) the literature and (2) case studies of SRSs in the airline, commercial nuclear power, and health care industries; and to apply those lessons to (3) assess the theft, loss, and release reporting system, part of the Select Agent Program, and (4) suggest design and implementation considerations for a national safety reporting system for all biological labs. To accomplish our objectives, we (1) reviewed an extensive selection of both academic and applied literature related to safety science (organizational safety and human factors) and SRS evaluation across a wide variety of industries; (2) conducted case studies of SRSs in the aviation, commercial nuclear power, and health care industries by reviewing relevant documentation and academic literature, observing safety task force and reporting system committee meetings, and conducting open and structured interviews of agency officials, as well as SRS and human factors experts in the three industries; (3) interviewed national and international biosafety specialists, relevant HHS and USDA officials, biological laboratory directors, and biosafety officers; and (4) applied criteria--derived from our review of the literature and case studies--for improving the Select Agent Program reporting system and for designing and implementing an SRS for all biological labs. With respect to the case studies, while we collected information on a wide variety of safety reporting programs in the three industries--and in some cases comment on these different programs--we primarily developed our lessons from one reporting program in each of the three industries. Specifically, we developed lessons from the Federal Aviation Administration's (FAA) National Aeronautics and Space Administration (NASA)-run Aviation Safety Reporting System (ASRS) in aviation; the Institute of Nuclear Power Operation's (INPO") Significant Event and Evaluation Information Network (SEE-IN") system in commercial nuclear power; and the Department of Veterans Affairs' (VA) health care reporting program, which includes the Patient Safety Information System (PSIS) and the Patient Safety Reporting System (PSRS). We chose to focus on these programs because they represent fairly long-standing, nonregulatory, domestic, industrywide, or servicewide reporting programs. For more detailed information on our methods, please see appendix I. We conducted this performance audit from March 2008 to September 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: Biocontainment laboratories--designed with specific environmental, storage, and equipment configurations--support containment efforts in the day-to-day work with biological agents. These labs are designed, constructed, and operated to (1) prevent accidental release of infectious or hazardous agents within the laboratory and (2) protect lab workers and the environment external to the lab, including the community, from exposure to the agents. For example, the biological safety cabinet (BSC) is laboratory safety equipment that is used when manipulating infectious organisms. BSCs are enclosed cabinets with mechanisms for pulling air away from the worker and into a HEPA filter, which provides protection for the worker and prevents releases into the environment. BSCs might be designed with a limited workspace opening, or they might be completely enclosed with only gloved access and air pressure indicators to alert users to potential microbial releases. The selection of the BSC would depend on the (1) lab's risk assessment for the specific agent and (2) nature of work being conducted, as guided by the Biosafety in Microbiological and Biomedical Laboratories (BMBL), and other relevant guidance, such as OSHA regulations and National Institutes of Health (NIH) guidelines for research involving recombinant DNA. There are four biosafety levels (BSL). These levels--consisting of a combination of laboratory practices, safety equipment, and laboratory facilities--are based on the type of work performed, information about the infectious agent, and the function of the laboratory. These levels include combinations of laboratory practices and techniques, safety equipment, and facilities that are recommended for labs that conduct research on infectious mircro-organisms and toxins: Biosafety level 1 (BSL-1) is suitable for work with agents not known to consistently cause disease in healthy adults and present minimal potential hazard to laboratory personnel and the environment. Biosafety level 2 (BSL-2) is suitable for work with agents that pose moderate risks to personnel and the environment. Biosafety level 3 (BSL-3) is suitable for work with indigenous or exotic agents that may cause serious and potentially lethal disease, if inhaled. Biosafety level 4 (BSL-4) is required for work with dangerous and exotic agents that pose a high risk of life-threatening disease or have aerosol or unknown transmission risk. Examples of agents and toxins used within these labs include those that primarily affect: * humans and animals, such as Botulinum neurotoxin, a naturally occurring poison, lethal to humans and animals, but used for medical and cosmetic purposes in drugs such as Botox; * animals, such as foot-and-mouth disease (FMD), a highly contagious viral disease of cloven-hoofed animals--such as cattle, swine, and sheep--that causes debilitation and losses in meat and milk production (while FMD does not have human health implications it does have severe economic consequences); and: * plants, such as certain varieties of Xylella Fastidiosa, which can kill citrus plants, but does not have human health implications. Lab levels can also vary depending on their use. For example, research that involves animal or plant pathogens may be designated as animal biosafety levels (ABSL) 1-4 or BSL-3-AG. Similarly, some people may refer to BSL-3 labs as "high-containment" labs and BSL-4 labs as "maximum containment" labs. There are also several types of labs-- including clinical, research, teaching, public health (or reference), and production (or commercial)--which are generally categorized on the basis of the work conducted. While these labs all involve work with infectious micro-organisms, there are regulatory, accrediting, and risk differences associated with each type. For example, clinical labs within hospitals test patient samples and may often be unaware of the micro-organism they are handling until their tests have identified it. In contrast, research, reference, and production (commercial) labs, while they each have different purposes and environments, tend to be aware of the micro-organisms they are handling. Clinical labs also have specific accrediting and state reporting requirements, and their control structure for handling illnesses is different from other types of labs. We use the general term "biological lab" to include biological labs of all levels or types that handle micro-organisms or clinical samples. We use this general and inclusive term because SRSs could be used in any environment with safety risks, including different types or levels of labs. However, this does not necessarily imply that a single SRS is appropriate or applicable to all labs of varying type or level, although an SRS that encompasses the largest view of a domain as possible has significant advantages. For example, one national SRS would provide information that can cross boundaries where common and similar practices exist and avoid the "stove-piping" of safety information. Many different federal agencies have some connection with biological labs. Such agencies are involved with these labs in various capacities, including as users, owners, regulators, and funding sources.[Footnote 12] The CDC and APHIS regulate entities[Footnote 13] that possess, use, and transfer select agents and toxins.[Footnote 14] In addition, entities are required to report the theft, loss, or release of any select agent or toxin to the CDC or APHIS, although we had found reporting failures at some labs subject to this requirement. [Footnote 15] Along with environmental, storage, and equipment configurations, various guidelines for lab practices support worker and public safety. These biosafety guidelines offer general and agent-specific containment and risk assessment practices. For example, the BMBL suggests microbial practices, safety equipment, and facility safeguards that vary by type of agent and intended use. These documents are updated periodically--the BMBL is currently in its fifth edition--in order to "refine guidance based on new knowledge and experiences and to address contemporary issues that present new risks that confront laboratory workers and the public health."[Footnote 16] While the BMBL and other guidelines are useful for promoting safety, they also recognize there are unknown and emerging laboratory safety risks and that ongoing efforts to gather information about those risks is essential for continued safety improvement. One of the key information sources for these updates is published reports of LAIs. However, it is widely recognized that these reports reflect only a fraction of actual LAIs. To develop evidence-based guidelines and safety-improvement initiatives, other industries with inherent risks to workers and the general public--such as aviation, commercial nuclear power, and health care--collect and analyze safety data. These data can come from safety events. Safety event levels--depicted in terms of a risk pyramid (see figure 1)--increase in severity as they decrease in likelihood. Whether and where the lines are drawn--between accidents (fatal or nonfatal), incidents, and hazards--varies (1) across industries and (2) according to whether the safety event resulted in no ill effects, minor injuries, or severe injuries or deaths. Figure 1: The Risk Pyramid for Safety Events: [Refer to PDF for image: illustration] Pyramid: Base level: Hazards; Mid level: Incidents; Top level: Accidents. Source: Based on the Heinrich Pyramid. [End of figure] Events at the top of the pyramid--generally identified as "accidents" (sometimes further divided depending on fatality)--have significant potential for harm or result in actual harm to one or more individuals. These events can include radiological exposure, industrial chemical spills or explosions, airline crashes (with or without loss of life), patient medication errors that result in illness or death, and LAIs. Accidents--especially fatal ones--are generally infrequent, hard to conceal, and often required to be reported. Events at the center of the risk pyramid--generally referred to as "incidents"--are those that could have resulted in serious harm but did not. Incidents occur more frequently than accidents and include near misses, close calls, or other potential or actual adverse events and violations, although definitions vary within and across industries. For events at the base of the pyramid--generally referred to as "hazards"--no incident or accident need occur. These events include observations about the work environment, procedures, equipment, or organizational culture that could be improved relative to safety. Safety data from accidents, incidents, and hazards provide the source information for analysis of accident precursors--the building blocks of events that can lead to injury or death. The focus on precursor data arose as a result of the limited amount of data that could be identified from accident investigations. Such data are often "too sparse, too late and too statistically unreliable to support effective safety management."[Footnote 17] In addition, the severity and sometimes fatal consequences of accidents often preclude investigators from gathering sufficient detail to fully understand systemic (as opposed to individual) causes of the accident. Incident data are a particularly rich source of precursor information because incidents occur more frequently than accidents. Moreover, incidents do not often rise to the level of regulatory or legal violation because no serious harm has occurred. Workers are therefore generally less fearful of punishment in reporting their mistakes at this level. Collection of safety data and analysis of accident precursors focus on trying to identify systemic, rather than individual, causes of error. Industries often take this system-based approach to risk management because they recognize that "blaming problems on 'human error' may be accurate, but it does little to prevent recurrences of the problem. If people trip over a step x times per thousand, how big must the x be before we stop blaming people for tripping and start focusing on the step?"[Footnote 18] The system-based approach focuses on analyzing accident precursors to understand "how and why the defenses failed." [Footnote 19] According to this approach, blaming individuals for accidents--as in the person-based approach--not only fails to prevent accidents, but also limits workers' willingness to provide information about systemic problems. When precursor information from accidents, incidents, and hazards are analyzed as part of a system, evidence- based, industrywide safety improvements are possible. For example, analysis of reports of health care workers improperly medicating patients has helped identify and address systemic problems with medication labeling and storage. In such cases, hospitals could have punished an individual for the error. Instead, they focused on learning rather than blame, which encouraged worker reporting and led to needed changes in medication labeling and storage. This, in turn, improved patient safety because any health care worker--not just the one that reported the error--will be less likely to improperly medicate patients in the future. SRSs--both mandatory and voluntary--are the key tool for capturing detailed safety data. Many industries have recognized that the costs of repeated accidents or managing the aftermath of an accident can far outweigh the costs to establish and maintain a reporting system. [Footnote 20] Despite vast differences across industries, the sources of risk--humans, technology, and environment--are the same. Consequently, the tools--such as SRSs--that industries other than biological labs use to understand these risks can also support evidence-based, industrywide biosafety improvement efforts. This is especially significant in understanding the risks in biological labs because current biosafety guidelines are based on limited information. While individual states or labs may have reporting mechanisms, no formal system exists for sharing data among all labs. In addition, while data reported through academic journals or state disease registries is accessible industrywide, there are significant reporting barriers. For example, before information about an incident becomes available to others through academic publications, infections must be recognized as laboratory-acquired, deemed scientifically interesting, written up and submitted for peer review, and accepted for inclusion in an academic journal. Furthermore, concerns about losing funding or negative publicity can create barriers to an institution's willingness to encourage publication of LAI information.[Footnote 21] Reports of infections through state disease registries are also limited because information about the source of the infection is generally not collected and not all infectious diseases are required to be reported. In addition, the infected individual must see a health practitioner who recognizes the status of the disease as reportable and takes steps to report it. Finally, releases without infection--or without recognized infection as a result of a release--are unlikely to be reported at all, despite the valuable precursor data that could be gleaned from the event. A system for collecting safety data from across the lab community has been proposed as a means to improve the evidence base for biosafety guidelines. However, as indicated by reporting lapses to the mandatory system for theft, loss, and release of select agents, implementation of a reporting system does not immediately create a highly useful one, to which all workers instantaneously submit data on their errors. Finally, when initiating any reporting system, it is important to consider up front and throughout a myriad of design and implementation issues so as to ensure the system is operating as effectively as possible. Consequently, we look to research and experience to inform design and implementation choices. Program Goals and Organizational Culture Guide Safety Reporting System Design and Implementation in Three Key Areas: According to lessons from our review of the literature,[Footnote 22] the design and implementation of an effective safety reporting system (SRS) includes consideration of program goals and organizational culture for decisions in three key areas: reporting and analysis, reporter protection and incentives, and feedback mechanisms. Each of the key areas contains subcategories of related decision areas, which should also tie into program goals and organizational culture. Figure 1 illustrates the relationship among program goals, organizational culture, and the three key areas with associated subcategories. Figure 2: Relationship of Program Goals, Organizational Culture, and the Three Key Areas and Subcategories: [Refer to PDF for image: illustration] The illustration depicts an interlocking circle of Program Goals and Organizational Culture, with the following contained inside the circle: 1. Reporting and analysis: * Level of event; * Classification of error; * Format and mode; * Reporting management; * Analytical process. 2. Reporter protections and incentives: * Anonymity; * Confidentiality; * Deidentification of data; * Limited immunity. 3. Feedback mechanisms: * Feedback to reporters; * Feedback to administrators; * Feedback to industry; * Feedback for system improvement. Source: GAO analysis of SRS evaluation literature. [End of figure] Program Goals and Organizational Culture: A program can have a variety of goals in the design and implementation of an SRS, apart from the primary goal of improving safety, according to the literature. For example, an SRS can be used for regulatory purposes or for organizational learning--a distinction that will fundamentally affect design decisions, such as whether reporting will be mandatory or voluntary, what types of reporter incentives and protections should be included, who will analyze SRS reports, and what feedback will be provided. An SRS can be designed and implemented to meet a variety of subgoals as well. Subgoals can include capabilities for trend analyses, accountability improvement, liability reduction, and performance indicators. The overall goals and subgoals should be determined in advance of design decisions, so that decisions in the three key areas support program goals. Identification and agreement on program goals is best accomplished through the involvement of appropriate stakeholders, such as management, workers, industry groups, accrediting bodies, and relevant federal entities, according to the literature. Even with well-defined goals, the success of any SRS is intertwined with the organizational culture in which it will operate. Organizational culture--the underlying assumptions, beliefs, values, attitudes, and expectations shared by those in the workplace--affects implementation of programs in general and, in particular, those designed to change that underlying culture.[Footnote 23] SRSs are fundamentally tools that can be used to facilitate cultural change--to develop or enhance a type of organizational culture known as a culture of safety. A culture of safety implies individual and organizational awareness of and commitment to the importance of safety. It also refers to the personal dedication and accountability of all individuals engaged in any activity that has a bearing on safety in the workplace.[Footnote 24] Development of a positive safety culture often involves a shift in how workers view and address safety-related events. This shift is supported by data on safety-related events provided by SRSs.[Footnote 25] Accordingly, an environment in which workers can report safety events without fear of punishment is a basic requirement for a safety culture and an effective SRS. In addition, an important consideration in design and implementation is where on the safety culture continuum an organization is currently positioned and where it would like to be positioned. It is unlikely that workers would report safety events in organizations with punishment-oriented cultures--where workers are distrustful of management and each other. To promote reporting in such environments, systems can be designed with features that help alleviate these worker concerns. However, understanding where the organizational culture is in relation to reporting is essential for choosing system features that will address these concerns. Changing organizational culture is also generally recognized as a long- term effort that takes at least 5 to 10 years. In high-risk industries, reporting systems are often developed in conjunction with other efforts to make safety a priority, and as the culture changes from these efforts, so might the reporting system to reflect the changing culture. For example, as safety events become more visible or well-defined, reporting forms or requirements can be modified to reflect this new understanding. Similarly, if reporting is waning but safety events continue to occur, adjustments to reporting incentives, definitions of events, and other features may be necessary to improve reporting. Such ongoing assessment of organizational culture can also help identify areas where system adjustments are needed and support efforts to evaluate the contributions of the SRS to safety culture improvement. As with any tool for cultural change, the value of the SRS will be commensurate with the investment in its use. If an SRS is to support overall safety improvement, training, outreach, and management support are necessary to instruct staff in the desired culture and use of the new system. Lessons from the literature on the role of program goals and organizational culture in SRSs include the need to: * define overarching program goals and subgoals up front; * involve stakeholders (e.g., management, industry groups, associations, and workers) in developing program goals and designing the SRS to increase support among key populations; * assess the organizational culture to guide system design choices in the three key areas; and; * ensure that reporters and system administrators receive adequate training regarding the function and application of the reporting system. First Key Area: Reporting and Analysis: Among the first design decisions for an SRS are those that cover reporting and analysis. Decisions in this key area include basic questions about the (1) level of event that should be reported to the system, (2) classification of events, (3) report format and mode, (4) management of reporting, and (5) analysis of the reported data. Level of Event: The Severity of Events Captured Generally Determines Whether an SRS Is Mandatory or Voluntary: The severity of events can vary from safety concerns to mass casualties, and what is considered a "reportable event" has implications for whether reporting should be mandatory or voluntary. Mandatory reporting is generally preferred when program goals are focused on enforcement. Serious events--such as accidents resulting in injuries or deaths--are typically the level of event collected in mandatory SRSs. Mandatory reporting is also generally preferred where there is potential or realized association with injury or death and related regulatory and legal implications, as in accidents. Voluntary reporting is generally preferred when the program goal is learning-- identifying actions, processes, or environmental factors that lead to accidents. Voluntary reporting in these cases is more appropriate because the goal is improvement rather than compliance. Events at the incident level--errors without harm, near misses, close calls, and concerns--are less serious than accidents and are typically collected through voluntary SRSs. Both mandatory and voluntary reporting systems are often employed concurrently--sometimes independently and sometimes in complementary roles--because programs face the dual requirements of regulating and promoting safety improvement. The level of event to be reported also depends on the organizational culture. Industries new to safety reporting--in particular, those in which the definition or recognition of an accident is unclear--may find it particularly difficult to identify a reportable incident or hazard. If the reporting threshold is set too high, significant safety hazards may go undetected and unreported. In such environments, a low initial threshold for reporting might be helpful, raising it over time as workers develop familiarity with reportable events. However, because of the greater frequency of incidents and safety concerns, voluntary SRSs can be overwhelmed by the volume of submitted reports. SRSs that focus on a particular type of incident or hazard area may help to counteract this problem. In addition, if the reporting threshold is set too low, reporters may feel events are too trivial for reporting and that the SRS has little value. For example, surveys of nurses and doctors have shown a range of opinions that constitute a barrier to reporting, including beliefs that not all near-miss errors should be reported or that reporting close calls could result in significant change. The prevalence of these beliefs may reflect that a "reporting culture"--one in which staff recognize and submit reportable events--is not fully established. Lessons from the literature on determining the level of event for reporting include the need to: * base the decision for mandatory or voluntary reporting on (1) the level of event of interest and (2) whether the SRS will be used primarily for enforcement or learning and; * set reporting thresholds that are not so high that reporting is curtailed, but not so low that the system is overwhelmed by the number and variety of reportable events. Classification of Error: Error Classification Can Guide Reporting and Facilitate Information Sharing, but Can Limit Information Flow if Too Restrictive: To facilitate data-sharing across the organization or industry, classification schemes provide standardized descriptions of accidents, incidents, and concerns. Effective classification schemes can facilitate safety improvement across organizations and industry by providing a common language for understanding safety events and precursors. For example, if several hospitals use a standard classification scheme to submit incident reports to a patient SRS, the resulting data can be used to examine incident data across hospitals. Such data allow benchmarking of similar occurrences and promote a better understanding of core hazards that exist across an industry. Clearly defined and familiar classification terminology can also help workers understand when and what to report. However, achieving a well- defined and clear classification scheme--especially one that can be used across an industry--can be difficult because different groups within an organization or across an industry may classify events differently. For example, one study on medical error reporting found that nurses classify late administration of medication as a medical error, whereas pharmacists do not. Classification schemes should be broad enough to capture all events of interest, but also well-defined enough to minimize receipt of extraneous information. For example, organizational learning systems, like FAA's NASA-run Aviation Safety Reporting System (ASRS), include a broad definition of safety-related events to facilitate voluntary reporting of all events. Alternatively, mandatory systems may include a more specific classification scheme to capture deviations from standard operating procedures. However, overly restrictive schemes may lead workers to focus on certain events and neglect to report others. For example, if a classification scheme is developed to consider only compliance with an industry's standard operating procedures, workers may not report safety-related incidents that involve factors other than compliance. Similarly, overly detailed classification schemes may be confusing for reporters if they do not know the appropriate codes to apply. In addition, a classification scheme must be clear enough for workers to understand what counts as a reportable incident. Otherwise, underreporting or misreporting of incidents may result. If possible, use of pre-existing industry-specific terminology in the classification scheme can support information flow across the industry and help workers--especially in industries new to safety reporting-- adapt to the SRS. Lastly, a classification scheme may require the flexibility to allow different sites to adapt fields and elements to match their own program goals and organizational cultures. Design of a classification scheme may incorporate several strategies, including (1) using an existing classification scheme from another SRS, (2) modifying an existing classification scheme for use in a new SRS, (3) developing a classification scheme based on incident reports from the new or a similar SRS, or (4) using experts to develop a classification scheme. Lessons from the literature on designing classification schemes and associated terms include the need to: * develop classification schemes and associated terms that are clear, easy to understand, and easy to use by drawing on terms already well understood in the industry; * test whether classification terms are clearly understood by different groups in the organization; * allow sufficient flexibility to (1) avoid narrowing the scope of reporting in a way that limits all events of interest at the chosen level of event, (2) allow different sites—if multiple sites will be reporting to the same system—to adapt fields and elements to match their own organizational culture, and (3) capture different types of events and precursors, as they can change over time; and; * develop a classification scheme that best suits the analytical requirements and the comfort level of the organizational culture with safety reporting and safety event terms. Format and Mode: Report Mode and Format Must Balance Needs for Quality and Quantity of Reported Information with Reporter Burden and Proclivity to Report: Reporting must be readily accessible and allow for sufficient description of safety events without overburdening reporters with extensive narrative requirements. Data collection considerations include the format of the report (that is, the types of questions included on the reporting form) and the mode of the report (that is, how a report is physically submitted to the SRS, for example, by paper or Internet). Both the report format and mode can affect the incentive to report; the ease of reporting; and the type, quantity, and quality of data collected. Decisions regarding the format and mode of reporting are closely tied to the type of data desired from the SRS and the organizational culture. Report formats affect the quantity and quality of reports. For example, question formats that allow workers to explain the incident through narrative description may yield extensive details about the incident. The literacy skills of the reporting population are important considerations as well. Long narratives might be simple for the highly educated but intimidating to those with less writing proficiency. However, if workers are resistant to reporting, structured question formats that use check-boxes or drop-down boxes with categories may decrease the time it takes to complete an incident report and thereby increase the incentive to report. Using structured question formats will also decrease the amount of coding and qualitative analysis that must be performed to examine the data. One limitation of structured question formats, however, is that in industries new to safety reporting, classification terms may not be well developed or understood by the reporting population. Options for SRS modes include paper, telephone, or electronic or Web- based form. Although Web-based forms may increase the ease with which data are collected, workers may be fearful of entering incident reports using a Web-based form because reports can be traced back to them. If workers perceive that the culture is punitive, mail reports-- especially to an outside entity that manages the system--can be the most effective mode choice to alleviate these concerns. However, accessibility of reporting forms can also affect the likelihood of reporting. For example, if paper forms are outside the immediate work area and require effort beyond the normal routine to complete, then reporting may be curtailed. Since many workers have ready access to the Web, a combination of Web and mail reporting may address both access and sensitivity concerns. Lessons from the literature on format and mode choice include the need to: * base decisions about report formats on (1) the type of data needed for analysis, (2) capabilities of the reporting population, and (3) maturity of existing safety event classification schemes within the industry and; * base decisions about report mode on (1) the accessibility of the mode to the reporting population and (2) workers’ concerns about and willingness to report. Reporting Management: SRS Administration and the Designated Reporting Population Can Affect Willingness to Report and Analytical Possibilities: Reporting management includes decisions about SRS administration--who will collect, analyze, and disseminate reports--as well as decisions about who is allowed to submit reports. The choice of the entity responsible for collecting, maintaining, analyzing, and disseminating may affect the willingness of workers to submit reports. For example, if workers perceive a punitive organizational culture or a lack of confidentiality, they may be unwilling to submit reports to an SRS within the workplace. An SRS managed by an independent, external entity might alleviate these concerns. However, an organization may have better awareness than an outside entity of internal safety issues, expertise in analyzing and addressing them, and mechanisms for encouraging participation in safety reporting. Consequently, decision makers must weigh a variety of culture-related and resource considerations in deciding how to administer an SRS. The openness of reporting--whether reporting is available to all workers or only to those in select occupations or positions--will also affect the type and volume of data collected. For example, many individuals--including pilots, ground crew, and controllers--can submit reports to FAA's NASA-run ASRS, whereas only airlines can submit reports to the Voluntary Disclosure Reporting Program (VDRP). An open SRS, which accepts reports from different staff levels or occupations, offers the potential for analysis of events from several perspectives. However, such an SRS may be subject to staff hierarchies that can limit reporting among certain employee groups or professions. For example, in the medical industry, even when reporting is open to both doctors and nurses, several studies have shown that nurses have a greater awareness of and are more likely to submit reports to an SRS than doctors. Similarly, reporting may be attenuated if events must be reported up a chain of command, rather than directly by those involved in an event. Direct reporting--regardless of position or occupation-- can increase the likelihood of reporting on a particular event. Lessons from the literature on system administration and the reporting population include the need to: * base the decision for internal or external system administration on (1) workers’ degree of concern over punishment and confidentiality and (2) availability of internal expertise and resources to analyze and encourage reporting and; * base decisions about who will be allowed to report on (1) awareness of reporting hierarchies and (2) the type of information desired for analysis. Analytical Process: Report Prioritization, Data-Mining Techniques, and Technical Expertise Can Enhance Results: Analytical processes that focus on identifying safety improvements-- using report prioritization, data-mining techniques, and safety and industry experts--can enhance the usefulness of reported information. Frequently, the first step in analyzing reported data is determining whether immediate action should be taken to address a safety concern. Subsequently, analyses that explore why a particular event may have occurred--such as root cause analysis--may be used to understand the contributing factors to safety events and to design solutions to the problem. Data-mining techniques, including those that combine safety reports with other databases, can also be used to look for patterns of events across organizations or a broad range of reports. Data mining requires the capability to search for clusters of similar events and reports that share common characteristics. Technical expertise, as well as specialized software, access to other data sources, and data format requirements, affects data-mining capabilities. For example, data-mining searches may be more complicated when error reports include both structured and open text (narrative) formats because open text must be made suitable for data mining. In addition to these retrospective analytical techniques, probabilistic risk assessment methods may also be used as a proactive approach to examine all factors that might contribute to an event. Literature on SRS use in industries, such as nuclear power and aviation, advocate using a combination of these approaches to provide a more thorough analysis of reported data. Finally, using data analysis techniques to prioritize incident reports can facilitate analysis by identifying which reports require further analysis or demand immediate review because they represent serious safety concerns. Because analysts must have the technical skills and relevant knowledge to make sense of the data, decisions about the analysis will be linked with system administration and whether technical and industry expertise reside within the organization. Thorough analysis may require multidisciplinary committees that contribute a variety of expert perspectives, but the breadth of expertise required may not be readily available within an organization. For example, analysis of medication error reports may be conducted through multidisciplinary committees that include physicians, nurses, pharmacists, quality managers, and administrators. In the airline industry, an event review team (ERT), consisting of representatives from the air carrier, the employee labor association, and the FAA, is used to analyze reports as part of the Aviation Safety Action Program (ASAP). Lessons from the literature on analytical process include the need to: * use a report prioritization process to quickly and efficiently address key safety issues as they arise and; * align analysis decisions with (1) report formats, (2) system administration and location of technical expertise, and (3) availability of other relevant data needed for analysis. Second Key Area: Reporter Protections and Incentives: SRSs--whether mandatory and voluntary--depend on the willingness of workers to report mistakes they or others have made. It is unlikely that workers would take the risk of reporting without protections that provide confidence that their reports will be kept private and incentives to report their errors. There are a variety of ways to design SRSs to protect the identity of the reporter and to encourage reporting, including (1) accepting anonymous reports, (2) providing effective confidentiality protections on reported data, and (3) deidentifying data sets. The principle reporting incentive is limited immunity--whereby workers are granted protection from certain administrative penalties when they report errors. There are advantages and disadvantages to anonymous and confidential reporting, and decisions about which to use should be guided by program goals and culture-related considerations. Anonymity Is the Surest Method for Protecting Reporter Identity, but Can Limit Reporting Data: Anonymity--reporting without identifying information--protects reporters against legal discovery should the data be requested in a subpoena. Because an individual's name is not tied to an incident report, anonymity may lower the psychological barrier to reporting, including fears about admitting a mistake or looking incompetent, disclosure, and litigation. Anonymity may be critical in motivating reporting among workers in an organizational culture seen as punitive, especially when legal protections for reporter confidentiality may not be feasible or well established. Report mode is also linked with reporter protection choices. For example, one SRS for medication errors was developed as a paper-based system because administrators felt any electronic system could not be truly anonymous. Despite the protection anonymity offers reporters, there are distinct disadvantages, including the inability to obtain clarification or further information from reporters. This limitation may compromise the integrity of system data because investigators have no means for validating and verifying the reported information. In addition, anonymous data sets tend to be less detailed than identified data sets. Initial reports from identified data sets can be supplemented by follow-up interviews with reporters. The need to follow up with reporters may also make anonymous reporting unfeasible, even in organizations where significant reporting concerns exist. Anonymous reporting also tends to limit the number of data elements that can be derived from reports, making these data sets less useful than others, particularly when trying to identify patterns of error. For example, if fields that could identify reporters--such as occupation, location, and position--are not collected, statistics on safety events across organizational subunits or occupations would be impossible. Another disadvantage of anonymity is that reporters cannot be contacted for clarification or to provide direct feedback--a useful technique for obtaining worker buy-in to the system. If reporters are given specific feedback on actions taken to address issues brought up in their reports and the outcomes of these actions, then reporters are more likely to (1) attribute value to the SRS and (2) continue submitting reports. Some SRSs have addressed this problem by offering a compromise. Reporters can receive a unique identification number that allows them to track the progress of their reports through the SRS. However, if reporters are mistrustful enough that anonymous reporting is necessary, they may not feel comfortable using an optional identification number provided by the SRS. Even anonymity may not be enough to alleviate reporters' fear of retribution. Other disadvantages of anonymous reporting include the potential for (1) workers to falsely report on the behavior of others in the absence of report validation and (2) managers to discredit information about concerns or incidents as reports of "troublemakers." Yet another disadvantage is the inability to maintain anonymity in small reporting populations or where the circumstances surrounding an incident are so specific (to an organization, individual, date, and time) that any mention of them would disclose the parties involved. Confidentiality Enables Follow-up with Reporters but Includes the Potential for Compromising Reporter Identity: Confidential reports allow investigators to follow up with reporters to gain a better understanding of reported incidents because the link between the reporter and report is maintained. However, fear of providing identifying information may limit reporting. Confidentiality is accomplished through legislative, regulatory, or organizational provisions to protect reporter privacy. Such provisions can include exemptions from subpoena or disclosure, protections against civil or criminal lawsuits for reporting, or criminalizing confidentiality breaches. For example, some state-based mandatory SRSs for medical errors include statutory provisions that protect reporters from some potential legal liability. One international aviation SRS has legislation making confidentiality breaches a punishable offense. Maintaining identifying information enables data analysis across professions and organizations, which can aid in benchmarking. Such information can reveal whether recurring incidents indicate problems within a specific organization or profession as opposed to those that are industrywide, thereby targeting interventions to areas in greatest need. Reporting formats may be less burdensome for confidential systems than for anonymous systems, which must gather all details up front. Confidential reporting allows investigators to gather significant information through follow-up interviews, so less detail needs to be provided on the reporting form. In the literature, report follow-up was associated with a variety of positive results. For example, it can (1) add to reporters' long-term recall of the event, enhancing the quantity and richness of information collected; (2) support event validation and clarification; and (3) bring closure to an incident and assure reporters their information is being taken seriously, thus increasing the likelihood of future reporting. A potential disadvantage of a confidential SRS is that workers may be fearful of the consequences--real or implied--of reporting. Moreover, for systems untried by the legal system, the surety of confidentiality provisions can be--in reality or perception--tenuous. For example, the Applied Strategies for Improving Patient Safety (ASIPS) is a multi- institutional reporting system designed to analyze data on medical errors and is funded by the Agency for Healthcare Research and Quality (AHRQ). This voluntary SRS for patient safety events relies on confidential reports provided by clinicians and office staff. While this reporting system promises reporters confidentiality within the system, the program can offer no protection against potential legal discovery. However, because ASIPS is funded by AHRQ, ASIPS reporters would be protected by the confidentiality provision in AHRQ's authorizing legislation, although the protections provided by this provision have never been tested through litigation. Because of the uncertainty of confidentiality protections, administrators of ASIPS chose to build strong deidentification procedures--removal of identifying information from reported data--into the system rather than rely solely on confidentiality protections. Another potential disadvantage of confidential SRSs is that costs may be higher than an anonymous system if follow-up interviews with reporters are part of SRS requirements. Sufficient resources are required for investigation and follow-up with reporters; however, resource constraints may limit these actions. Additional resource commitments (in the form of follow- up interviews) are also assumed by those who submit confidential reports. Data Deidentification Provides Additional Reporter Protection: Data deidentification supports confidentiality provisions since the deidentification process makes it difficult to link reports to specific individuals or organizations. Deidentification can also support feedback mechanisms because the data can be readily shared within and across organizations and industries. Data can be deidentified at the source or in summary reports and data systems. Source deidentification involves removal and destruction of all identifying information from reports after follow-up and investigation have been completed. Secondary data deidentification involves removal of identifying information in summary reports or databases for sharing safety information and alerts. Deidentification of source reports strengthens confidentiality protection because records are unavailable even if they are subpoenaed. Source report deidentification may require (1) technical solutions if reports are collected electronically and (2) special processes if collected in another format. Eliminating the link between the reporter and the report can help reinforce the confidential nature of an SRS and provide an incentive for reporting, as long as the process for deidentification is understood by the reporting population. Deidentified data can be readily shared within or across organizations and industries, enhancing analytical possibilities by increasing the number of reported incidents available for analysis. Limited Immunity Provides Reporting Incentive: Limited immunity provisions can increase the volume of reports, particularly when there are emotional barriers, such as fear about reporting one's mistakes. These provisions offer protection from certain legal or regulatory action if certain requirements are met. For example, the ASRS offers limited immunity from enforcement actions provided certain requirements are met and the incidents do not involve criminal or negligent behavior. The literature suggests that the immunity provisions offer a strong incentive to report and that pilots would not submit ASRS reports if these provisions did not exist. Numerous international SRSs also contain immunity provisions, including the Danish aviation SRS and patient care SRSs in both Australia and Israel. Lessons from the literature on choosing reporter protections and incentives include the need to: * base the choice between anonymity and confidentiality on (1) organizational culture, especially workers’ degree of concern about punishment and confidentiality, and (2) the amount of detail required for analysis and whether it can be collected without follow-up; * consider hybrid systems in which confidential and anonymous reporting are used simultaneously if there is a conflict between organizational culture and data need; * develop data deidentification measures to support confidentiality and data-sharing efforts; and; * consider limited immunity provisions to increase the reporting incentive. Third Key Area: Feedback Mechanisms: Because a primary SRS function is safety improvement, the system must include feedback mechanisms for (1) providing actionable safety information to the relevant populations and (2) improving the SRS through identification of reporting gaps across occupations or locations and evaluation of the effectiveness of the system as a safety tool. Feedback to Reporters and Industry Promotes Safety Improvement and Reinforces Reporting: To support its primary function of safety improvement, an SRS must include feedback mechanisms for providing actionable safety information to the relevant populations. A variety of populations can benefit from SRS feedback, including (1) reporters, (2) managers, (3) organizations and the industry at large, and (4) system administrators. Feedback to reporters is essential in order to promote safety and reinforce the benefits of reporting. If workers who report safety events do not see any evidence that their report has been used, they may question the value of the system and discontinue reporting. Feedback among managers promotes management awareness of safety concerns, management buy-in, and top-level efforts to address those concerns. Feedback across the organization or industry can provide tangible evidence of the value of the SRS by alerting management and workers to important safety issues. Industry feedback can also provide a benchmark to compare safety across similar organizations when data are (1) collected at the local level and (2) compiled in a centralized regional or national database. Use of such benchmarks may help decision makers identify gaps in performance and practices that may improve safety conditions in their own organization. Feedback on System Performance Supports Targeted Outreach and System Improvement: Feedback mechanisms for system evaluation are also important in ensuring the SRS's continued effectiveness. Feedback on reporting gaps across occupations or locations can help identify nonreporting populations. When these reporting gaps are compared with other data-- such as reports from comparable sites--they can help identify areas in need of targeted outreach and training. In addition, feedback from safety culture and system-user surveys, which assess safety and reporting attitudes, can be used to evaluate the effectiveness of an SRS. Performance metrics on safety improvement can be incorporated into these surveys, providing information on the degree to which program goals are being met and identifying areas of needed system improvement. Lessons from the literature on choosing feedback mechanisms include the need to: * provide direct feedback to reporters to foster worker-specific buy- in for reporting; * provide regular, timely, and routine feedback—for example, in the form of newsletters, alerts, Web sites, and searchable databases—to support overall organizational buy-in for reporting; * provide positive feedback to managers who receive a high volume of reports to demonstrate the importance of reporting and counteract the perception that error reporting reflects poorly on management; * use the data to identify reporting gaps for targeted outreach and training; and; * evaluate the effectiveness of the SRS to support ongoing modification and improvement. Case Studies Demonstrate the Need for Assessment and Resources in Design and Implementation and Suggest Certain Features in the Three Key Areas: Lessons from case studies of safety reporting systems (SRS) in three industries--aviation, commercial nuclear power, and health care-- indicate the importance of cultural assessment and resource dedication in SRS design and implementation, and suggest certain features in the three key areas.[Footnote 26] Although the industries differ in type of work, regulation, and ownership, all three face substantial inherent risks to health and public safety and have made significant investments in promoting safety through voluntary SRS programs. Consequently, their experiences suggest lessons that can be applied to the design and implementation of an SRS for biological labs. Collectively, these SRSs reflect 70 years of safety reporting experience. In particular, the FAA's NASA-run Aviation Safety Reporting System (ASRS) in aviation, the Institute of Nuclear Power Operation's (INPO") Significant Event Evaluation--Information Network (SEE-IN®) system in commercial nuclear power, and VA's internally managed Patient Safety Information System (PSIS) and NASA-run Patient Safety Reporting System (PSRS) in VA health care provide the basis for the following four lessons for SRS design and implementation:[Footnote 27] 1. Assessment, dedicated resources, and management focus are needed to understand and improve safety culture. 2. Broad reporting thresholds, experience-driven classification schemes, and processing at the local level can be useful SRS features in industries new to safety reporting. 3. Strong legal protections and incentives encourage reporting and help prevent confidentiality breaches. 4. A central industry-level entity facilitates lesson sharing and evaluation. Lesson 1: Assessment, Dedicated Resources, and Management Focus Are Needed to Understand and Improve Safety Culture: The case studies demonstrate that establishing a robust safety culture is neither quick nor effective without a multipronged effort-- involving assessment, dedicated resources, and management focus--to recognize safety challenges and improve safety culture. Despite the costs and challenges of implementing an SRS, the industries recognized they could not continue to operate without safety improvements and their SRSs were a key tool in these efforts. Assessing Safety Culture Can Alert Management to Workplace Safety Issues: Each of the three industries created its SRS after recognizing that existing operations and safety culture posed an unacceptable risk to workers and the public. In both the aviation and the commercial nuclear power industries, SRS initiation was prompted by serious accidents rather than a proactive assessment of the safety culture. The Veterans Health Administration proactively initiated an SRS program after its administrators and patient safety advocates recognized the need to redesign systems "to make error difficult to commit."[Footnote 28] Such assessments can reveal systemic safety culture problems before they become critical. Aviation: The concept of a voluntary aviation reporting system was suggested in 1975 by the National Transportation Safety Board (NTSB), the FAA, and the aviation industry following an investigation of a fatal airline accident near Berryville, Virginia. The NTSB found that the accident might have been averted if previous crews' reports about their near- miss problems in that area had been shared. These problems included inadequate aviation maps and the cockpit crews' misunderstanding related to the air traffic controllers' terminology. The NTSB reported that the industry culture made it difficult to report these problems. These cultural barriers were apparently known, although a safety culture assessment might have afforded proactive efforts to correct them. As one solution to these problems, the NTSB suggested an aviation SRS, initially managed by the FAA and known as the Aviation Safety Reporting Program. But within a few months, the FAA had received few reports. It therefore transferred operation and management of the program to NASA and renamed it the Aviation Safety Reporting System (ASRS).[Footnote 29] Commercial Nuclear Power: In 1979, the partial meltdown of a reactor at Three Mile Island (TMI) in Pennsylvania led to the creation of INPO, an industry-initiated technical organization that collects, studies, and shares safety lessons throughout the industry using the SEE-IN program. The INPO program was developed and is managed independently of the Nuclear Regulatory Commission (NRC) regulatory requirements. Although the NRC regulates the safety of commercial nuclear power generation,[Footnote 30] at the time of TMI, nuclear utilities had been operating with a high degree of autonomy and were fairly insular, according to a 1994 study.[Footnote 31] The 1994 study of the safety culture at nuclear reactors found that the management style reflected the culture of conventional energy plants--a "hands-off management" and "fossil fuel mentality" that emphasized maximum energy production as the highest value.[Footnote 32] An industry official explained that the TMI accident was a shock for the industry, which became determined to operate its nuclear reactor facilities safely and reliably, thereby convincing the American public it could be responsible and safe. The entire U.S. commercial nuclear power industry joined INPO within months of the TMI incident, and remains members today. The industry focused early efforts on plant evaluations to understand the culture that had led to the TMI accident. Within a year, INPO produced the first of its Significant Operating Event Reports, which provide information on identified safety problems and make recommendations for improvement. Despite safety advances in the decades after INPO was established, the industry was once again reminded of the importance of safety culture assessment in 2002, when corrosion ate a pineapple-sized hole in the reactor vessel head at the Davis-Besse plant in Ohio.[Footnote 33] Prior to this incident, INPO had given individual plants the responsibility for assessing their safety culture--assuming that they had a good understanding of it. Investigation revealed that a weak safety culture contributed to the incident. After the Davis-Besse incident, INPO re-emphasized the importance of proactively assessing safety culture before critical safety failures occur. In response to the incident, they recommended that safety culture assessments be a permanent, periodic requirement. Health Care: After VA hospital accidents that had resulted in harm to patients, the VA established the National Center for Patient Safety (NCPS) in 1999. That unit designed and launched two options for reporting--one internal (the PSIS) and one contracted (the PSRS) to the same NASA center that operates ASRS for the FAA.[Footnote 34] The VA launched its SRS program guided by a vision emerging in the medical community to "create a culture in which the existence of risk is acknowledged and injury prevention is recognized as everyone's responsibility." [Footnote 35] The VA hired management with experience in NASA's safety programs, who surveyed safety culture as they initiated the SRS. In addition, the NCPS has conducted three nationwide safety culture surveys, beginning in 2000, to understand the attitudes and motivations of its frontline workers. The most recent, in 2009, allowed the NCPS to identify a subcategory of caregivers for intervention. Improving Safety Culture Requires Dedicated Resources, Including Time, Training, and Staff Investment: Safety culture improvement depends on a robust reporting culture, which requires considerable investment of time and resources. As the experiences of the three industries demonstrate and as shown by SRS data from two of the case industries, these investments pay off in an increase, over time, in the volume of safety reports. Figure 3 illustrates time frames and growth in SRS reporting for FAA's ASRS and the VA's PSIS. Figure 3: Growth in Aviation and VA Health Care Safety Reporting, 1981 to 2008: [Refer to PDF for image: multiple line graph] Calendar year: 1981; ASRS: 3,791. Calendar year: 1990; ASRS: 34,000. Calendar year: 2000; ASRS: 37,000; PSIS: 300. Calendar year: 2005; ASRS: 41,000; PSIS: 75,000. Calendar year: 2008; ASRS: 50,000; PSIS: 108,000. Source: VA, NASA. Note: Comparable data from the commercial nuclear power industry are not available. The earliest data for the ASRS are in 1981, although the system began in 1976. [End of figure] Through conventional classroom and seminar training, workers in some industries learned the terms, goals, and instruments of the new voluntary SRS. Several innovative training opportunities were also marshaled, including on-the-job training and employee loan and training programs focused on improving teamwork. Both types of training supported safety culture change and developed trust in the SRS. Staff time and investment at all levels were necessary to accomplish these training goals. Aviation: From the inception of ASRS, the volume of aviation safety reports grew slowly, indicating an increasing understanding among reporters of the multiple factors that contribute to safety. However, a 1994 National Academy of Public Administration (NAPA) evaluation, requested by the FAA, found that FAA funding provided to NASA for the operation and management of the ASRS had not kept pace with the work.[Footnote 36] According to a NASA ASRS official, because resources were insufficient to perform a detailed analysis on all the reports, reports are triaged. Only those deemed most hazardous receive deeper analysis. The NAPA report also noted that the aviation community broadly affirms the safety value of ASRS and uses the data for training and safety awareness. By contrast, some FAA line employees said ASRS was of limited use. As a result of the NAPA report and congressional actions, the FAA modestly increased funding. After the NAPA recommendation to modernize, the ASRS transitioned from paper to electronic report submissions. A recent FAA-sponsored study recognizes the importance of training and retraining all SRS stakeholders, offering best practices for formal and informal training. Reporting has increased. ASRS currently receives about 50,000 reports per year, which demonstrates a sustained level of trust in reporting. However, the study of best practices in FAA's voluntary reporting options recommended that SRS managers assess the availability of resources and plan for acquiring them, as resource needs are likely to increase over time.[Footnote 37] In further recognition of the importance of resources to ASRS, the latest Memorandum of Understanding between the FAA and NASA also includes a yearly inflation factor for the ASRS budget. Commercial Nuclear Power: Safety reporting to INPO's SEE-IN program began in 1980. The volume of reports forwarded to INPO from the plants is between 3,000 and 4,000 annually.[Footnote 38] Early safety reports tended to focus on technical failures and INPO realized that reporting on human error needed to increase, according to an INPO liaison.[Footnote 39] Moving beyond reporting equipment failure required significant training. To encourage reporting of both equipment and human factor issues, INPO established and continues to accredit training courses. Recognizing the importance of having staff with industry knowledge to communicate the relevance of safety and reporting in a way that is palatable to industry, INPO began a second wave of hiring of people with nuclear industry experience to ensure the safety science message was managed and communicated in a way that both sides could understand. Despite increases in reporting, however, the Davis-Besse incident in 2002 highlighted the serious consequences of lapses in safety culture. Among other actions, INPO issued its safety principles document in 2004, which provides a framework for assessing safety culture. The document outlines aspects of positive safety culture, such as workers' questioning attitudes that support reporting and managers' demonstrated commitment to safety through coaching, mentoring, and personal involvement in high-quality training. Health Care: Reporting to the VA's PSIS grew strongly, from 300 incidents reported annually at local hospitals in 2000 to 75,000 in 2005. Yet, the initiation of a voluntary safety reporting system in the VA health care facilities has faced considerable cultural and institutional challenges. For example, one study found the various professions within hospitals disagreed--when presented with scenarios such as late administration of medication--as to whether an error had occurred. In congressional testimony in 2000,[Footnote 40] we had observed that if the VA hospital system was to implement an SRS, the VA would face a challenge in creating an atmosphere that supports reporting because hospital staff have traditionally been held responsible for adverse patient outcomes. In our 2004 report, we also found that power relationships, such as nurses reluctant to challenge doctors, can be obstacles to patient safety. However, after the first 3 years of the VA health care system's SRS, the cultural change that supports safety reporting was under way at three of four facilities studied, as a result of experiential training in addition to conventional classroom training. The growth in reported events to the VA SRS over the last 10 years and our 2004 study suggest that the actions that the VA took can be successful in supporting a safety culture and reporting. Experiential--that is, on-the-job--training, in addition to conventional classroom experience, fostered the habit of reporting safety events at many VA hospitals. Since the initial years of the VA's hospital SRS, clinicians and other VA workers have been selected to participate in the hospital-based analysis of SRS reports so that they could learn how the reports would be used. Once patient safety managers prioritized reports, interdisciplinary teams of hospital staff, including local frontline clinicians, looked for underlying causes and devised systemic fixes. Through this experience, clinicians and other hospital staff saw first-hand the rule-driven and dispassionate search for root causes that resulted in a systemic fix or policy change rather than punishment. We found that (1) this training fostered a cultural shift toward reporting systemic problems by reducing fear of blame, and (2) staff were impressed with the team analysis experience because it demonstrated the switch from blame and the value of reporting close calls.[Footnote 41] In addition, the VA brought together facility-level workers, including patient safety managers from VA medical centers across the nation, to introduce them to the SRS. Through these seminars, staff were introduced to SRS terms, tools, goals, and potential obstacles. They heard success stories from industry and government, findings from the early VA safety culture surveys, and recent alerts and advisories. Changing Safety Culture Requires Management Focus: To overcome cultural barriers to safety reporting--such as fear of punishment, lack of trust between coworkers and management, and hierarchical prohibitions on communication--management demonstrations of support for the SRS are important. In the three industries, this support was demonstrated through the deliberate use of tactics shown to be effective at changing safety culture and supporting safety reporting such as (1) open communication across the workplace hierarchy encouraged in small group discussions and meetings with managers; (2) storytelling, a tool to direct changes in norms and values; and (3) rewards for participation in safety reporting or open communication in meetings. Aviation: The three decades of ASRS experience demonstrate the importance of consistent focus versus episodic efforts to publicize and support the SRS. In the early stages of ASRS implementation, the FAA and ASRS staff relied on small group briefings and promotional documents to foster awareness and trust in reporting. For example, the FAA, through its Advisory Circular, notified the aviation community that the system was operational and, along with NASA, issued press releases and conducted briefings about the system. In addition, industry groups and airlines publicly expressed support for the system, and, according to a 1986 NASA report, an advisory group carried "the word about ASRS program plans and accomplishments back to their respective constituencies."[Footnote 42] Other early promotional efforts included the distribution of descriptive brochures and posters to operators, FAA field offices, air traffic control facilities, and airline crew facilities. As a result of these efforts, according to NASA's 1986 report, the number of reports coming into the system in the early years exceeded expectations. However, a NAPA study 8 years later raised concerns about the lack of publicity. That study found that pilots lacked knowledge of the ASRS and the immunity features[Footnote 43] and questioned the FAA's credibility. NASA responded with a second promotional surge by (1) publishing its first CALLBACK, a monthly online bulletin, and (2) touring FAA regional headquarters to promote the SRS. However, the NAPA study concluded that the lack of internal FAA support for the ASRS had limited the degree to which FAA uses ASRS data, and led to questioning the legitimacy of ASRS products and activities. That study also found that FAA line officers (with the exception of the Office of Aviation Safety) thought the ASRS had limited utility, and some even suspected bias in reporting as a result of reporters' interest in earning immunity from FAA enforcement actions. To address these concerns, the FAA has recently been advised to elevate the importance of establishing an initial shared vision among all stakeholders through open discussion and training and sustained promotion efforts.[Footnote 44] Commercial Nuclear Power: INPO focused on leaders and employee loan programs to change the industry's safety culture one employee and one plant at a time. Leadership's demonstrated commitment to safety is a key INPO principle for a robust safety culture. This key principle stems from the philosophy of having "eyes on the problem." That is, plant managers must be out in the work areas, seeing things and talking to employees in order to reinforce a safety culture. This principle also includes reinforcing standards and encouraging candid dialogue when safety issues arise. Such reinforcement can be in the form of rewards for reporting, such as being congratulated at plant meetings for a "good catch." Managers also have incentives to encourage workers to report. Following its biannual inspections, INPO summarizes its assessment of the plant's safety conditions, providing a numeric score, partly based on the robustness of the plant's SRS. These safety scores are important to plant managers because they can affect regulatory oversight and insurance premiums. Scores range from 1 to 5, with 1 as the top safety rating. While these assessments may result in more attention and assistance for safety improvements, they also instill pride in the plant, and at annual managers' meetings, managers of plants with the highest scores receive recognition. INPO has also facilitated active peer review and employee loan programs to break down the insularity of the TMI era. When individuals with in-depth industry experience participate in the inspection process and work at INPO headquarters, they see firsthand the excellence other plants practice and how those practices relate to INPO safety initiatives. Health Care: The VA hospitals used small group meetings, storytelling, and small rewards to reinforce safety reporting. At the most successful VA hospital we reviewed in 2004, administrators held more than 100 small group meetings where storytelling was used in order to introduce the new SRS.[Footnote 45] VA hospital administrators used examples from aviation wherein two airline pilots failed to communicate well enough to avoid a fatal crash. The crash might have been avoided had the first officer challenged the captain. This story raised parallels with the medical hierarchy and led to discussions about similar unequal power relationships in the hospital. Administrators introduced more effective ways to challenge authority, naming it "cross-checking." An early report to the VA SRS, which involved nearly identical packaging for an analgesic and a potentially dangerous drug, was made into a poster as part of the campaign for the SRS. The more successful VA hospitals rewarded the month's best safety report with a plate of cookies or certificates to the cafeteria. This playful openness reduced secrecy and fears of punishment and increased comfort with reporting, according to our 2004 analysis. Lesson 2: Broad Reporting Thresholds, Experience-Driven Classification Schemes, and Processing at the Local Level Are Useful Features in Industries New to Safety Reporting: After the three industries instituted a voluntary SRS, workers experienced a sharp learning curve in recognizing a reportable event and developing trust in reporting. The industries encouraged early reporting in a variety of ways. Overall, their experiences demonstrate that reporting is enhanced when (1) reportable events are broadly defined and allow reporting from a wide range of workers; (2) workers are able to describe the details of an incident or concern in their own words, with classification schemes applied by specialists at a higher level; and (3) both internal and external reporting options are available, along with some degree of report processing at the local level. Broad Thresholds and Open Reporting Are Useful Features When Starting an SRS: In the three case industries, an early challenge was workers' lack of understanding of what should be reported. In each of the industries, the creation of an SRS involved broadening workers' concepts of safety events, in addition to accidents, that were worthy of reporting. Nevertheless, early reporting still tended toward accidents and technical issues--accidents because they were fairly evident and harder to hide and technical issues (as opposed to human factors) because the external nature of the fault provided some distance from individual blame. Reporting these technical events helped workers become more comfortable with reporting and provided objective links between their reports and systemic safety improvements, according to several industry officials. Over time, workers' ability to identify less concrete, but equally unsafe, nontechnical issues grew. The industries managed this growth, in part, by keeping the threshold and definitions for reportable events simple. In some cases, direct reporting--as opposed to reporting hierarchically, up the chain of command--was used to eliminate the fear that workers might have about reporting a mistake to the boss. Open reporting of events from several workers--especially those in different occupations--provided more raw data in the search for underlying causes, as well as information about the event from a variety of perspectives. Aviation: The ASRS used a broad definition of reportable events and allowed all frontline aviation personnel to report them. Any actual or potential hazard to safe aviation operations are included in reportable events, thus expanding to areas on the risk pyramid beyond "accident." Serious accidents are not reported to the ASRS, since they are already covered by the NTSB. While reporting is available to all participants in the national aviation system, for several decades, the majority of reports were from pilots. After outreach and initiatives--such as revised specialized forms--the ASRS has in recent years seen modest increases in reports from diverse groups of workers, such as maintenance workers, enhancing the potential for analysis of single incidents from a variety of perspectives. To reduce the loss of information that could occur if reports from frontline workers are filtered through work hierarchies, the ASRS makes it possible for individual aviation workers to report directly to the central collection unit within NASA. Commercial Nuclear Power: Individual nuclear plants operate corrective action reporting programs, which feed into INPO's SEE-IN system. The plant-level corrective action programs have a zero threshold for reporting--that is, workers can report anything of concern. To make the definition for reporting clear to workers, INPO characterizes the reporting threshold in terms of asking workers to report events that they would want to know about if the event had happened elsewhere.[Footnote 46] In addition to establishing low reporting thresholds, a broad spectrum of workers are encouraged to report to the plant's corrective action programs. Open reporting and low reporting thresholds are necessary to ensure the fullest coverage of significant event reporting, according to an INPO liaison. While the individual plants are expected to assess and address the bulk of reports, they must also identify the most significant reports to send to INPO. Plants forward between 3,000 and 4,000 concerns to INPO each year from the estimated 400,000 concerns reported and resolved at the plant level through their corrective action programs. To ensure all staff are encouraged to report any event of interest, INPO examines the robustness of the plant's reporting culture during biannual plant inspections. As part of this process, INPO also compares corrective action reports to SEE-IN data to determine whether there are reports in the corrective action system that were not forwarded to INPO that should have been. If such discrepancies arise, these cases are discussed with plant managers to educate and clarify the plant's reporting thresholds to INPO. Health Care: Prior to the SRS program, VA hospital workers were accustomed to reporting only the most serious events, such as inpatient suicides or wrong-site surgery. The VA SRS program expanded the definition of reportable events to include incidents--such as close calls or errors that caused no patient harm--in recognition of the value of incident data in detecting systemic safety problems.[Footnote 47] Despite the conceptual shift in reporting expectations, in our 2004 report, we found that 75 percent of clinicians we surveyed at four facilities understood these new reporting requirements. In addition, the SRS program was designed to allow direct reporting from any member of the medical center staff to the patient safety manager. This expansion-- beyond the previous expectation that nurses would report to their supervisors--was made in recognition of the power relationships among clinicians that might inhibit reporting. As a patient safety manager noted, the change in reporting expectations was evidenced when a chief surgeon came to report instances of mistaken patient identity in the surgery. Encouraging Workers to Report Incidents in Their Own Words Facilitates Reporting Initially: In all three industries, delaying the launch of an SRS for development of a formal error classification scheme would have been unpalatable in light of significant pressure to implement solutions following serious events. Further, some safety experts believe rigid early classification of error can limit new knowledge and insights. In the absence of such schemes, the industries allowed reporters to give detailed narrative accounts of the incidents or concerns in their own words. As the industries' comfort with error terminology develops, some SRSs may encourage reporters to classify certain aspects of events in order to facilitate industrywide analyses. Aviation: ASRS reports are primarily experiential narratives in the words of the reporters. Although the heavily regulated aviation industry had event definitions for rule enforcement, studies have concluded that the ASRS was begun without a formal classification of errors.[Footnote 48] The unstructured nature of the narrative reports is an analytic challenge. However, the ASRS has developed a set of 1,200 separate codes that facilitate the analysis of aviation risk. Recent FAA activities are focused on the benefits of an integrated data system for safety events that combines ASRS's narrative reports and other reporting systems. Understandably, international aviation safety organizations have declared common reporting methods--including terms and forms--best practices. Commercial Nuclear Power: The corrective action reporting programs at each plant collect information as narratives in the workers' own words. Corrective action reports are reviewed at the plant level by a team of managers and specialists. As part of this review, the team determines what actions, if any should be taken to address the issue, and reports are sorted and some level of classification is applied. Most corrective action reports are dealt with at the plant level. Only reports that rise to a defined level of significance--as determined through the review process--are sent on to INPO. While the reports sent to INPO do maintain narrative description of the event, they also classify specific aspects of the event. INPO further sorts and classifies these reports and produces various levels of industry alerts based on this review. Health Care: According to a VA official, the SRS program was launched without an error classification system at the reporter level. Considering that even now the science for developing a formula for public reporting is evolving, he noted that the time it would have taken the VA to develop such a system would have delayed the launch by several years. Instead, the classification is done centrally. The VA has maintained this process because it believes that application of an error classification scheme is best done at higher levels by, for example, the patient safety managers. The VA official observed that the Agency for Healthcare Research and Quality (AHRQ) has been working on a set of error terms for nearly 5 years; however, there is, to date, no industrywide agreement on error or adverse event terminology in health care, although one for select health care institutions is under review.[Footnote 49] Reporting Options with Some Local-Level Processing Facilitates Reporting Initially: The initiation of SRS programs in two industries was driven by urgent circumstances, before there was time to assess workers' willingness to report. However, while program developers did not know everything about the problem, they did know that existing knowledge about the workforce culture could provide some basis for planning--that is, if employers suspect they have a mistrustful workforce, they can plan for it. In addition, the industries recognized that the value of local- level processing for improving safety culture and awarding responsibility for safety to the frontline was too great to completely give to an outside entity. Therefore, they developed a bi-level process for assessing safety data at both the local and industry levels. Aviation: The airline industry manages the tension between trust and ownership in SRS reporting by offering a variety of internal and external, as well as local-and industry-level, reporting options. The ASRS (an external reporting option) was originally managed by the FAA, but within a year, it was moved to NASA--an honest broker--because of concerns that reporting directly to the regulator would discourage reporting. While separating the reporting function from regulation encouraged reporting, it may have fostered unconstructive perceptions of the ASRS among some FAA staff. Specifically, the 1994 NAPA evaluation found that FAA workers may not understand the ASRS and, consequently, devalue it. While the ASRS receives reports directly from reporters, the FAA's Voluntary Safety Programs branch (VSP) launched a bi-level SRS program in which 73 airlines are primarily responsible for receiving and processing reports and implementing solutions. By selecting a private structure for these SRSs, the FAA gets the entity closest to the local context to analyze reports and develop and implement solutions. A selection of the systemic problem reports is transmitted to the FAA's Aviation Safety Information Analysis and Sharing program, which the FAA uses to develop industrywide guidance and regulations to improve safety.[Footnote 50] More than 60 percent of reports to the ASRS also appear in the other VSP's SRSs. Commercial Nuclear Power: In the commercial nuclear power industry, most safety reports--an estimated 400,000 annually--are managed at the plant level, according to an INPO liaison. There is no confidentiality for individual reporters to their plant's SRS; instead, the reporting system relies on developing an open reporting culture. Each plant is responsible for sorting, analyzing, and implementing corrections for most of the reports to their corrective actions program. The reporter's identity is not revealed when the more serious events are sent on to INPO. INPO created a bi-level reporting structure because it lacked the resources to handle 400,000 reports annually and because it sought to involve the plants by giving them some ownership of the safety improvement system. However, recognizing the need for an industry-level assessment of safety data, INPO uses the more serious event reports from plants to develop industry alerts and safety recommendations. Health Care: In the absence of specific information about workers' trust in reporting to an internal system, the VA could not be certain it had a safety culture that would support open local reporting. However, they knew nurses and pharmacists were "rule followers," while physicians had more discretion. The VA handled this uncertainty by initiating both internal and external reporting options. One reporting option, which emulated the ASRS model, was designed to enable workers to report directly to NASA--a contracted, external entity-- confidentially. After operating both reporting options for nearly 10 years, the NASA-run system was discontinued for budgetary reasons at the end of fiscal year 2009. While the PSIS enables workers to report to an internal entity--the hospital's patient safety manager--the external NASA option provided more confidentiality and some measure of anonymity; the internal option provides personal contact and confidentiality, but not anonymity. Even with its much lower report volume--about a 1 to 1,000 ratio of reporting for the PSRS compared to the PSIS--for over 8 years, the system contracted to NASA provided a confidential alternative for workers who felt that they could not report to their own hospital, providing a safety valve or insurance policy of sorts. In addition to dual reporting options, the VA also planned for internal and external processing options. The NCPS intended that hospital-level report collection and processing-- including root cause analysis and the development of systemic changes-- be deliberately assigned to the individual hospitals to give workers on-the-job learning, and we found the experience drove home to clinicians that the SRS was a nonpunitive, solution-developing system. While reports are processed by a higher-level entity, the NCPS, to facilitate identification of issues with systemwide safety implications, local-level processing is also maintained because it provides a sense of ownership and immediacy in solving problems. Lesson 3: Strong Legal Protections and Incentives Encourage Reporting and Help Prevent Confidentiality Breaches: Each industry we examined grappled with how to balance the regulatory tradition of punishing workers (or entities) for safety events with legal protections and incentives for reporting. Under most current laws, reports generated before an accident are considered discoverable evidence afterwards.[Footnote 51] Such laws may deter companies from soliciting and collecting reports about safety problems and workers from reporting them. To address these concerns, the three industries offered a variety of mechanisms for protecting and encouraging reporting, including confidentiality provisions, process protections, and reporting incentives. Confidentiality provisions, rather than anonymous reporting, are the most common approach to protecting reporters' identities because they allow follow-up with the reporters; however, their protections are not ironclad. And, as SRS program managers in some of the industries discovered, even the perception that confidentiality can be, or has been, breached can discourage reporting. In the three industries, most of the laws supporting SRS confidentiality protections are a patchwork of older laws not originally intended to back up an SRS. Most also have exceptions to confidentiality if Congress or law enforcement agencies demand access to the protected documents. Some of the systems rely on existing laws, such as exceptions in the Freedom of Information Act (FOIA); other systems have a legal and regulatory basis crafted for related purposes. As SRS failures in other countries illustrate,[Footnote 52] legal protections can be strengthened or weakened through legislative action. Recognizing the fragility of confidentiality provisions, the three industries also relied on processes and incentives to protect and encourage reporting. Processes, such as deidentification of reports, support confidentiality provisions. Some industries apply it to both the reporter and the organization or unit involved. Data deidentification at the organizational level supports organizational buy-in for reporting, makes it less likely that reporters will be discouraged from reporting, and facilitates industrywide sharing by removing fear of reprisal. In addition, limited immunity provisions or small rewards were used, in some industries, as incentives to encourage safety reporting, especially in environments of mistrust. Limited immunity provisions apply when certain requirements--such as timely reporting--are met. These provisions provide reporters (individuals or organizations) with a means for avoiding or mitigating civil or regulatory penalties. With respect to rewards, even seemingly small incentives can be effective in promoting trust in reporting. Aviation: The FAA protects its reporters through a combination confidentiality and limited immunity, relying on regulation, policy statements, and procedural or structural arrangements. For the much older ASRS, confidentiality is maintained both as part of the interagency agreement between NASA and the FAA and through procedural efforts, such as deidentification of reports, as well as regulation. Section 91.25 of the Federal Aviation Regulations prohibit the FAA from using information obtained solely from these ASRS reports in enforcement actions against reporters unless criminal actions or accidents are involved. Specifically, after following up with the reporter and analyzing the report, the NASA office removes information that could identify the reporter, including the reporter's name, the facility, airline, or the airport. NASA destroys the identity portions of the original reports so that no legal demands could reveal them. The ASRS's information processing and deidentification of reports has ensured the confidentiality of its reports for over 30 years, despite pressures from the regulator and outside entities to reveal them. To strengthen the confidentiality agreement between the FAA and NASA, the FAA has determined by regulation that it will generally not use reports submitted to NASA in enforcement actions and provides some disciplinary immunity for pilots involved in errors.[Footnote 53] In contrast, for several of the carrier-run SRSs initiated since 1997, reports are protected from legal enforcement action by the FAA only by policy.[Footnote 54] However, despite the combined legal and procedural bases for protecting aviation SRS data--for both the ASRS and the other SRSs the FAA supports--there are pressures to violate SRS confidentiality. After recent judicial decisions forced disclosures from an SRS managed by the VSP branch, four major airlines withdrew from a voluntary program but have since rejoined.[Footnote 55] Commercial Nuclear Power: INPO operates under considerable confidentiality and maintains the ability to withstand legal challenges. Protecting the confidentiality of plants was central to the inception of INPO's safety efforts, according to industry officials. While guaranteeing its member utilities confidentiality similar to that in a doctor-patient relationship, INPO has also cultivated an open questioning attitude as the wellspring of safety reporting. While individual reporters receive no confidentiality, the reporting system relies on developing an open reporting culture. Under an INPO-NRC Memorandum of Agreement, reports and information that INPO makes available to the NRC will be treated as proprietary commercial information and will not be publicly disclosed.[Footnote 56] INPO maintains legal resources for future confidentiality challenges. In INPO's bi-level system, reports sent to INPO do not identify the reporter, and INPO's confidentiality includes carefully guarding the identity of individual plants or utilities. For example, INPO does not reveal plants' safety scores. NRC officials reported that their process also guards against release of INPO information, such as looking at INPO's reports but not taking possession of them.[Footnote 57] Plants' interests in avoiding negative consequences also serve as an incentive for reporting. In particular, plants' fear of exclusion from INPO and interest in avoiding negative comparisons to other plants are tools the industry uses to promote reporting and workplace safety. An industry reality is that U.S. nuclear power plants are "hostages of each other," in that poor safety on the part of one plant could damage the entire industry's future.[Footnote 58] In addition, the NRC and insurers would be made aware of a plant's exclusion from INPO, leading to increased insurance costs, as well as a loss of accreditation for training programs, which would result in more regulatory involvement by the NRC. The NRC and INPO identified other incentives that encourage nuclear plants in their current safety efforts, including (1) NRC credit on penalties if a plant identifies and corrects its own accident precursors, (2) the high cost of corrections, (3) the negative effect of safety events on stock values, (4) the loss of public confidence, and (5) insurance rates. Health Care: The confidentiality of the SRS records that the VA hospital administration maintains is protected from disclosure by 38 U.S.C. § 5705--a law that predated the establishment of the SRS by over 15 years. This law prohibits the disclosure of records that are part of programs to improve the quality of health care. Sanctions, including monetary fines, are attached to disclosure violations, but there are exceptions to the confidentiality of the records, including demands by law enforcement agencies or Congress. More recently, the Patient Safety and Quality Improvement Act of 2005[Footnote 59] provided similar confidentiality provisions, including fines for disclosure, for voluntarily submitted SRS-related documents from all U.S. hospitals.[Footnote 60] The bi-level structure of the VA's internal SRS facilitates deidentification. Individual hospitals collect and analyze reports and develop systemic fixes for their own hospital. Subsequently, the hospital sends reports and analyses--which are stripped of information that could identify individuals--to the central NCPS. The external, NASA-run SRS also deidentified reports. In addition, NASA destroyed the identification section of original reports in a process similar to that used for ASRS reports. The VA does not grant immunity for intentionally unsafe acts or criminal behavior, nor does the safety program replace VA's existing accountability systems. However, individual facilities have used rewards as incentives, such as cafeteria coupons or cookies, to encourage reporting. In addition, hospital-level awards, such as awards to VA Medical Center directors from the NCPS, have also been used to encourage their support for reporting, analyzing selected reports in a timely way, and following up to mitigate risks identified in their reports and analyses. Lesson 4: A Central, Industry-Level Entity Facilitates Lesson-Sharing and Evaluation: While some of the SRSs in the three industries have local-level processes for analyzing safety reports, they also have a central, industry-level entity that collects, analyzes, and disseminates safety data and makes recommendations. These industry-level entities facilitate feedback and evaluation by (1) elevating facility-level safety data to industrywide lessons and disseminating them across the industry, including internationally, and (2) assessing safety culture and identifying units or worker subgroups in need of outreach or intervention. Some industry SRSs offer direct reporting to a central, industry-level entity, which is responsible for processing, analysis, and dissemination. For others, reporting takes place at the local level. While some level of report processing, analysis, and dissemination takes place at these local facilities, full or deidentified safety data are sent to a central, industry-level entity. Sending reports up to a central entity ensures that safety fixes identified through local processes are not lost to the rest of the industry. At the same time, local analysis and feedback can demonstrate the system's value to workers and reinforce reporting. Because the central entity receives safety data from multiple organizations--whether through direct reporting or from local-level systems--the volume and variety of information increase the potential for identifying systemic issues and improving safety industrywide. In addition, the industries recognize that a central, industry-level entity might be necessary for bringing some difficult safety problems to light. This is because the central entity is more likely to consider the interests of the industry, whereas local-level managers might resist identifying systemic issues that would put personal or organizational interests at risk. These central entities, because of their position as industry representatives, are also in a better position to disseminate lessons across the industry and internationally. They provide a single source for industrywide notices of varying urgency, regular online newsletters, policy changes, briefings, and data systems. In addition, some of these entities have staff with internationally recognized safety experts--expertise which has been leveraged worldwide to inform international safety recommendations and SRS design. The central, industry-level entities are also in a better position to facilitate evaluation, including safety culture assessment; identification of reporting gaps (access to safety data from across the industry offers the potential for analysis of gaps across particular locations, organizations, or occupations); and needed system modifications. Furthermore, such entities often have access to other safety data, such as inspection information. This information can be compared with reporting data in order to identify sites in need of outreach and training. Such systemwide visibility provides an ideal position from which to conduct SRS evaluations. Industry experts we spoke with believe that their industries are safer, in part, as a result of their SRS programs. In limited cases, the central entities have been able to conduct evaluations or use performance metrics to assess safety culture improvements and the role of the SRS in those efforts, as is recommended under the Government Performance and Results Act. Aviation: The ASRS shares lessons with all levels of the domestic aviation community and has served as a model of aviation safety reporting worldwide. NASA's ASRS issues a series of industrywide notices based on ASRS reports, which are graded on the basis of the urgency and importance of identified safety issues, and it has been recognized worldwide as a model for collecting data from frontline workers. NASA provides "alerting" messages to the FAA and the airlines on safety issues that require immediate attention. NASA also disseminates ASRS information via a monthly online bulletin, CALLBACK, to 85,000 members of the aviation community on safety topics such as summaries of research that have been conducted on ASRS data. Unions and airlines use this information in safety training. Among the SRSs we are aware of, only the ASRS offers access to its event database for outside researchers to conduct analysis and for ASRS staff to perform specially requested analyses for the FAA, NTSB, and others. The FAA also maintains an industry-level office--the VSP branch--which oversees seven different voluntary reporting systems, including the ASRS. Data from these SRSs provide information on events that would otherwise be unknown to FAA or others, and VSP's role is to facilitate sharing of these data at the airline and industry levels. We observed VSP and ASRS staff representing U.S. airline safety interests at an international aviation safety reporting meeting to share lessons on aviation safety and SRS design and implementation. Such participation offers opportunities for safety improvement in aviation worldwide. For example, VSP and ASRS staff have supported efforts to develop safety reporting systems worldwide because aviation safety does not stop at the U.S. border. Most foreign aviation SRSs have been based on the ASRS model. The international aviation safety organization, the International Civil Aviation Organization, has called for each country to have an independent aviation safety reporting system similar to ASRS. Despite the benefits of these SRSs, formal evaluation has provided insights for system improvement. For example, the FAA requested the NAPA evaluation of ASRS, which recommended the ASRS modernize by implementing actions, such as collecting and disseminating reports in electronic formats to better meet the needs of the aviation community. [Footnote 61] Currently, ASRS safety reports and monthly newsletters are primarily transmitted by e-mail. In addition to ASRS-specific evaluations, the FAA has access to more investigations of aviation safety culture conducted over the last decade. For example, special studies of aviation specialists, such as controllers and maintenance workers, have identified reasons for their lower reporting rates. These studies revealed specific aspects of cultures in these professions that would discourage reporting. For example, controllers were highly focused on bureaucratic boundaries that enabled them to define away--rather than report--unsafe conditions they perceived to be outside their responsibility. Alternatively, according to FAA officials, they found a strongly punitive culture among maintenance workers that led workers to assume that if a supervisor told them to violate a rule, it did not create an unsafe--and hence reportable-- condition. These studies made possible targeted efforts, such as a reporting program just for controllers, that resulted in a growing proportion of safety reports from nonpilots. Commercial Nuclear Power: INPO's lesson-sharing program uses the Nuclear Network--an industry intranet--for sharing safety information. This network houses event data that plants can access and is a platform for INPO to disseminate alerts. Information transmitted via this system includes Significant Operating Event Reports--the highest-level alert document--as well as experiential and nuclear technical information. Plants can also use the network to ask questions or make comments that can be sent to one, several, or all users. Apart from the direct feedback reporters receive from the plant, the key to getting workers to participate in reporting was through seeing--via the Nuclear Network--the corrective actions developed in response to reports they had made, according to the INPO liaison. INPO is seen as a model for other national and supranational nuclear safety organizations, such as the World Association of Nuclear Operators, an organization representing the global nuclear community. As such, INPO has recently begun to participate in the Convention on Nuclear Safety, a triannual international commercial nuclear safety effort.[Footnote 62] INPO also evaluates plants' safety improvement programs, although the evaluations are generally not publicly available, according to an INPO liaison. INPO performs a type of "gap analysis" at the biannual on- site plant inspections and conducts safety culture surveys with a sample of staff before each.[Footnote 63] Reporting gaps are evaluated at the plant level (not by occupation or work group) by looking for reductions in report volume and mining the plant's corrective action reports. A reduction in reporting year to year is interpreted as an indicator of a potential problem rather than an improvement in safety conditions, because such reductions can indicate a lack of management support for reporting. In addition, if a plant receives a low safety score as a result of inspection findings, INPO provides extra attention and assistance by assigning a team of industry experts to engage in weekly consultations with plant directors, review corrective actions, discuss plant needs, develop solutions, and provide peer assistance and accompaniment to seminars. Health Care: In its position as the industry-level entity responsible for the VA SRS, NCPS creates and disseminates key policy changes to the VA health care system in response to trends identified from patient safety reports. For example, the NCPS (1) designed and implemented a program that promotes checklist-driven pre-and post-surgical briefings that, according to the SRS program director, have been associated with reduced surgical mortality across the VA hospital system and (2) developed new requirements for CO2 detectors on every crash cart for checking safe intubations outside of operating room settings. The NCPS has played a role in disseminating its SRS model and tools for safety improvement to other U.S. states and federal agencies, including the AHRQ. Specifically, the NCPS provided training to all 50 states and the District of Columbia via the Patient Safety Improvement Corps, a program funded by the AHRQ.[Footnote 64] The VA -supplied state training contributed heavily toward building a common national infrastructure to support implementation of effective patient safety practices.[Footnote 65] Further, after attending the VA seminars, several foreign countries implementing their own SRSs have adopted tools developed by the VA. The NCPS has also conducted evaluations of the SRS program, which have provided information for SRS and safety culture improvements. For example, in 2008, the NCPS published a study of the effectiveness of actions hospitals developed in response to SRS reports of adverse drug events.[Footnote 66] They found that changes in clinical care at the bedside--such as double-checking high-risk medications--and improvements to computers and equipment were effective solutions, but training was not. In addition NCPS has conducted three safety culture surveys, the most recent of which enabled identification of safety culture differences among staff subgroups in order to target outreach and training. To support future evaluations of this kind, the NCPS established several criteria to assess the quality of local-level processes for reporting, analysis, and safety improvement. The CDC and APHIS Have Taken Steps to Improve the Usefulness of the TLR Reporting System; Lessons from the Literature and Case Studies Suggest Additional Steps: The CDC and APHIS Select Agent Program (SAP) has taken steps to improve reporting and enhance the usefulness of the theft, loss, and release (TLR) reporting system as a safety tool.[Footnote 67] Additional steps to improve the TLR system, as suggested by the literature and case studies, include increased awareness of the culture in biological labs and improvements in the three key areas-- reporting and analysis, protections and incentives, and feedback mechanisms. See appendix II for a summary of lessons derived from the literature and case studies that can be applied to the TLR system. The CDC and APHIS Recognize the TLR Reporting System's Usefulness as a Safety Tool; Lessons Indicate That Increased Awareness of Labs' Culture Could Enable Targeted Outreach and Training: Recognizing the usefulness of the TLR system as a safety tool, the CDC and APHIS SAP has dedicated resources to manage the system. The TLR reporting system for select agents was developed in 2002, after the 2001 anthrax attacks.[Footnote 68] As the number and types of reported incidents increased, an outcome of the new reporting requirements, the agencies implemented processes to utilize the TLR system as a tool to manage the Select Agent Program. In addition, the CDC reassessed its administration of the system to consider how it could be used as a safety tool, rather than just a recording system. To its credit, the CDC employed a safety science expert to manage the TLR reporting system and is now exploring ways of using the TLR data to identify systemic safety issues. APHIS has also utilized the TLR as a tool to identify trends such as (1) gaps in administrative oversight of personnel and training and (2) weaknesses in safety and security policies and procedures in regulated entities. Each TLR is reviewed by a compliance officer, security manager, and subject matter experts to identify trends and areas of concern. Identified issues are subsequently discussed with the reporting facility's senior management, with additional monitoring and inspections as needed. The CDC and APHIS also rely on periodic on-site lab inspections to get an understanding of the culture, with respect to safety and reporting, and identify areas for outreach and training. The agencies inspect labs to ensure that they are in compliance with the safety, security, training, and record-keeping provisions outlined in the regulations. As part of this process, the agencies use checklists developed from regulations and nationally recognized safety standards to review laboratory safety and security and to develop observations. In addition, the agencies interview lab staff and examine documentation, such as medical surveillance documents, exposure or incident records, and minutes from Institutional Biosafety Committee meetings. Review of such documentation can provide an indication of possible incidents with select agents or toxins. During these inspections, the CDC and APHIS officials seek to (1) identify gaps in knowledge about safety and reporting and (2) report on areas needing improvement. The information the agencies derive from these inspections and from TLR reports can provide useful information about the culture of safety and reporting within labs. However, lessons from the literature also suggest that systematic assessment of the culture, such as through ongoing surveys or studies, can provide invaluable information about how the specific working environment can affect perceptions of safety and reporting requirements.[Footnote 69] These perceptions--and variations, for example, within or across working environments or occupations--can affect what is considered a reportable event; feelings of responsibility for or fear of reporting; and the value of reporting safety events. For example, studies examining the effects of culture on safety and reporting in the aviation and health care industries have found that perceived occupational hierarchies, such as between doctors and nurses or pilots and cabin crew;[Footnote 70] authority structures;[Footnote 71] organizational factors;[Footnote 72] concepts of justice;[Footnote 73] and other factors can affect safety and reporting. According to CDC and APHIS officials, they have no plans to arrive at such an awareness through cultural assessment. Nevertheless, agency officials agree that culture matters when it comes to safety and reporting. For example, they noted that culture may differ by a lab's size and level of resources. Larger labs or labs with more resources tend to have better safety and reporting. Other agency officials noted that, based on career experiences, they have become aware of safety differences across different types or levels of labs. According to a CDC official, staff in higher-level labs, such as BSL-4 labs, have recognized the danger of the material they are working with. These facilities are also more likely to have biosafety officers, whose presence, according to the CDC official, tends to make workers more conscientious about safety. Another official noted that, while you might find sandwiches or soda in the refrigerator of a BSL-2 lab, these items would never be found in BSL-4 labs. Safety culture differences between clinical and research labs were also noted by CDC officials. Such variation in culture across labs was also noted by domestic and international biosafety specialists we spoke with. Despite recognition of such variation across labs, officials stated, the CDC does not have a unified position on the issue, and the research does not exist to definitively establish safety culture differences by lab type, occupation, or sector. Greater awareness of cultural influences and how they affect safety and reporting in the labs could (1) help the agencies better target outreach and training efforts and (2) provide insights into whether reporting system design and implementation changes are needed to address lab variations in safety and reporting. The CDC and APHIS Have Taken Steps to Better Define Reportable Events; Lessons Indicate That a Broadened Definition Could Further Enhance Collection of Safety Data: The CDC and APHIS SAP has taken steps to better define reportable events, which can increase the likelihood that workers will report when required. For example, in early 2008, the CDC and APHIS published the Select Agents and Toxins Theft, Loss and Release Information Document,[Footnote 74] which includes detailed scenarios on what and when to report. Since the TLR reporting program was established in 2002, the agencies have seen reports increase substantially; since a 2008 initiative to better inform the lab community of incident- reporting requirements, the CDC and APHIS noted that they receive approximately 130 incident reports per year. The types of labs reporting have also broadened. According to the CDC, the increased reporting is the result of better awareness of and compliance with reporting requirements, rather than an increase in thefts, losses, or releases.[Footnote 75] Indeed, of the reported TLRs, there have been no confirmed thefts, one loss, and only eight confirmed releases. To clarify reportable events, the Select Agent Regulations require that the individual or entity immediately notify the CDC or APHIS upon discovery of a release of an agent or toxin causing occupational exposure, or release of a select agent or toxin outside of the primary barriers of the biocontainment area. The agencies' Select Agents and Toxins Theft, Loss and Release Information Document further clarifies reportable events. The document defines a release as a discharge of a select agent or toxin outside the primary containment barrier due to a failure in the containment system, an accidental spill, occupational exposure, or a theft. Furthermore, any incident that results in the activation of medical surveillance or treatment should also be reported as a release. The document also emphasizes that occupational exposure includes any event in which a person in a registered facility or lab is not appropriately protected in the presence of an agent or toxin.[Footnote 76] For example, a sharp injury from a needle being used in select agent or toxin work would be considered an occupational exposure. While these reporting requirements are fairly broad, they do require a degree of certainty about the occurrence of an event. But, in some cases, recognition of a reportable event may come only when consequences are realized. While the agencies' steps to better define reportable events can increase the likelihood that recognized events will be reported, according to the literature and biosafety specialists, lab workers are often unaware that a release has occurred unless or until they become sick. For example, early studies of LAIs found that as many as 80 percent of all reported LAIs could not be traced back to a particular lab incident. A more recent study found similar results.[Footnote 77] The absence of clear evidence of the means of transmission in most documented LAIs highlights the importance of being able to recognize potential hazards because the likely cause of these LAIs is often unobserved. While a great deal is known about micro-organisms to support safe lab practices, microbiology is a dynamic and evolving field. New infectious agents have emerged, and work with these agents has expanded. In addition, while technological improvements have enhanced safety, they can also introduce new safety challenges. For example, failures in a lab system designed to filter aerosols led to a recent company recall of this system.[Footnote 78] The dynamic nature of the field, coupled with the difficulty of identifying causal incidents in LAIs, suggests substantial potential for unintentional under-reporting. In such an environment--where workers are waiting for an obvious event to occur before reporting--a significant amount of important, reportable safety information could be lost. Consequently, while reporting requirements for releases may now be clear for many incidents or for observed consequences, broader reporting thresholds may be necessary to accommodate emerging safety issues and the unobserved nature of many LAI events. According to lessons from the literature and case studies, expanding reporting thresholds--in this case, to include observed or suspected hazards--can help capture valuable information for accident prevention. The industries in the case studies all struggled with how to recognize, and thus report, such events. However, over time, the feedback they received from these reports, in the form of specific safety improvements, helped workers develop familiarity and comfort with recognizing and reporting such events. An example in the lab community might be the practice of mouth pipetting, drawing an agent into a pipette by sucking on one end. At one time, mouth pipetting was a common practice, despite the high risk of exposure. Even though not every instance resulted in exposure or an LAI, some did, and eventually the activity was recognized as a potential hazard--an accident precursor. Expanding the TLR reporting threshold to include hazards could provide additional data that might be useful for safety improvement efforts. For example, INPO encourages reporting of events at all levels of the risk pyramid--including the hazard level--for the corrective actions reporting programs of nuclear power plants. This level of reporting ensures as complete coverage as possible of potential safety issues. For the TLR, reporting at this level could be voluntary or mandatory. Moreover, until a labwide voluntary reporting system is implemented, reporting at this level could further develop the reporting culture among select agent labs. The CDC and APHIS Have Taken Steps to Protect Confidentiality, Which Can Encourage Reporting; Lessons Indicate That Limited Immunity Could Further Encourage Reporting: The CDC and APHIS SAP has taken steps to incorporate deidentification measures to further protect the confidentiality of entities reporting thefts, losses, or releases. While entity-specific information is protected from release under FOIA,[Footnote 79] there was an instance when specific entity information was somehow leaked to the media after the CDC provided the data in response to a congressional request. As a result, the agency provides only deidentified report forms in response to congressional requests. In addition, to further support reporter confidentiality in the event of audit or congressional requests to view TLR information, the CDC has established an access-controlled reading room for viewing these reports. It expects these measures to prevent any future prohibited disclosure of entity-specific data, while special-need access to information about thefts, losses, or releases is provided.[Footnote 80] According to lessons from the literature and case studies, even the perception of a confidentiality breach can quash reporting. Consequently, the agencies' measures to ensure confidentiality can increase confidence in reporting. Apart from the requirement to report, labs also have some incentive for reporting. One such incentive, according to CDC officials, is labs' interest in avoiding increased oversight.[Footnote 81] In addition, lab officials know that (1) select agents are on the list because they are dangerous and (2) it is of critical importance to promptly report incidents to ensure proper care of workers and the public. CDC officials stated, however, that too much discretion about what and when to report could result in the under-reporting of more serious events. As the experiences of the case industries illustrate, protection of reporter confidentiality is an ongoing effort, even when strong legislative provisions exist to protect reporters' identities. Because, as mentioned above, even the perception of a confidentiality breach can quash reporting, strong incentives for reporting--such as limited immunity provisions--can balance these fears and encourage continued reporting, according to lessons from the literature and case studies. If the CDC or APHIS discovers possible violations of the select agent regulations, the following types of enforcement actions may occur: (1) administrative actions, including denial of application or suspension or revocation of certificate of registration, (2) civil money penalties or criminal enforcement, and (3) referral to the Department of Justice for further investigation or prosecution.[Footnote 82] Currently, even if entities report violations, there are no provisions for receiving immunity from these enforcement actions. In the aviation industry, pilots face the possibility of similar enforcement actions for violations of regulations. However, the FAA provides some disciplinary immunity for pilots reporting violations of regulations to ASRS.[Footnote 83] Such immunity is in recognition of the fact that (1) information about pilots' errors is essential for identification of systemic problems and (2) pilots would be unlikely to report their errors without some incentive to do so. Similar provisions for limited immunity from administrative action or reduced monetary penalty could be offered to labs for some violations of select agent regulations. Although the CDC and APHIS have not yet explored this option, such an incentive could be a powerful tool for ensuring reporting compliance. The CDC and APHIS are Uniquely Positioned to Support Data Sharing and Feedback Efforts, Including Evaluation: The CDC and APHIS are uniquely positioned to support feedback and evaluation efforts that are based on TLR information. The agencies' oversight responsibilities for registered labs and their recognized expertise in laboratory safety practices provides them visibility and authority across the lab community. Such a position, according to lessons from the literature and case studies, is ideal for (1) disseminating feedback from SRSs and (2) evaluating the effectiveness of the reporting program. Currently, the agencies have a process for providing feedback to the reporting institution, and are beginning to explore avenues for sharing safety lessons across the labs and internationally. In addition, the CDC has begun using the data to develop lessons learned from reported information. Although deidentified reports are not available to the general public, they are being used for special research studies sponsored by the Select Agent Program. For example, information from deidentified reports has been used for conferences such as the yearly Select Agent Workshops, sponsored by the CDC, APHIS, and the Federal Bureau of Investigation. The agencies are also analyzing data on select agent release reports and plan to publish the findings in a publicly available, peer-reviewed journal. Such feedback demonstrates the value of reporting, according to lessons from the literature and case studies. Lessons from the case studies also indicate that using SRS data to develop guidance and sharing such information internationally can support industrywide safety improvement efforts. For example, TLR data could provide valuable information for updates to the BMBL and World Health Organization guidelines, which can benefit the worldwide lab community. When a lab reports a TLR, the CDC or APHIS provides feedback and, if necessary, follows up to determine the root cause or initiate surveillance. While the CDC recognizes the usefulness of TLR reports for generating data that can (1) help spot trends, (2) highlight areas for performance improvement, and (3) show limitations in current procedures, it is just beginning to collect enough data to see patterns of nonreporting, according to CDC officials. The CDC expects that in the future, it will have collected enough data, including inspection data, to identify reporting patterns and conduct targeted outreach to nonreporting labs. However, the agencies do not yet have a specific plan to identify reporting gaps in order to develop targeted outreach and training or to assess the system's effectiveness. To further support targeted outreach, as well as system modification, evaluation is needed. As we have previously reported, such evaluation can be a potentially critical source of information for assessing the effectiveness of strategies and the implementation of programs.[Footnote 84] Evaluation can also help ensure that goals are reasonable, strategies for achieving goals are effective, and corrective actions are taken in program implementation. For example, an evaluation of the ASRS program revealed the need to improve the usefulness of the system through system modifications and increased outreach to certain populations. According to CDC Select Agent Program officials, they have had general reviews, such as an HHS Office of Inspector General review and a federally funded, third-party review of procedures conducted by Homeland Security. However, these reviews did not focus on the effectiveness of the TLR reporting system. Existing Information on Biological Labs and Lessons from the Literature and Case Studies Suggest Specific SRS Design and Implementation Considerations: Safety reporting system evaluation literature and case studies of SRSs in three U.S. industries--aviation, commercial nuclear power, and health care--provide lessons for design and implementation considerations for a national biological lab SRS.[Footnote 85] First among these lessons is the need to set system goals and assess organizational culture, as illustrated in figure 4. However, assessment of organizational culture is difficult in the context of U.S. biological labs because there is an unknown number of labs and, except for labs in the Select Agent Program, no entity is responsible for overseeing all labs. While many federal agencies have labs and are involved in the industry, no single regulatory body has the clear responsibility or directive for the safety of all laboratories. [Footnote 86] Consequently, an important part of the goal-setting and assessment process for a biological lab SRS is determining the scope of labs to which the system would apply. For example, specific system goals, such as the ability to identify trends or incidence rates, may be possible with one type or level of lab, but not another. Similarly, assessment may reveal that differences in organizational cultures across lab types is so significant that appropriate SRS features for one type of lab would not apply well to another. Consequently, the scope of labs to which an SRS might apply could be addressed as part of the goal-setting and assessment process. Figure 4: Relationship of Program Goals, Organizational Culture, and the Three Key Areas: [Refer to PDF for image: illustration] The illustration depicts an interlocking circle of Program Goals and Organizational Culture, with the following contained inside the circle: 1. Reporting and analysis. 2. Reporter protections and incentives. 3. Feedback mechanisms. Source: GAO analysis of SRS evaluation literature. [End of figure] Until such a goal-setting and assessment process is completed, design and implementation options in the three key areas--reporting and analysis, reporter protections and incentives, and feedback mechanisms--can be considered in the context of available information on organizational culture in biological labs and potential goals for a biological lab SRS. In particular, the following can provide some context to guide early decisions for the design and implementation of an SRS for the lab community: biosafety research, experiences with the TLR reporting system and biosafety specialists' perspectives. Such context can be further refined once assessment and stakeholder input are obtained. In addition, the NIH has begun developing a prototype reporting system for a subset of its intramural research labs. Lessons from how this prototype system works for a subset of labs could also inform design and implementation considerations for a national biological lab reporting system. In the Context of Existing Information, Lessons Suggest Several Features for Reporting and Analysis: Existing information about the potential goals for a biological lab SRS and the organizational culture of these labs suggest certain design and implementation features in the first key area: reporting and analysis. Figure 5 shows the relationship of program goals and organizational culture to this key area. Figure 8: First Key Area--Reporting and Analysis: [Refer to PDF for image: illustration] The illustration depicts an interlocking circle of Program Goals and Organizational Culture, with the following contained inside the circle: 1. Reporting and analysis: * Level of event; * Classification of error; * Format and mode; * Reporting management; * Analytical process. Source: GAO analysis of SRS evaluation literature. [End of figure] Level of Event, Learning Goal, and Culture Suggest Voluntary Reporting: The level of event of interest, probable SRS goals, and organizational culture all suggest voluntary reporting for a biological lab SRS. While the TLR reporting system for select agents is focused on incidents or accidents that pose the greatest danger to workers and the public, an SRS for nonselect agents could be used to gather information on hazards and potentially less serious incidents and accidents in order to collect precursor data. Systems that focus on less serious events and that collect precursor data to support learning rather than enforcement goals are generally associated with voluntary reporting, according to lessons learned. Voluntary reporting for a biological lab SRS also corresponds with the views of biosafety specialists we spoke with. Laboratory Community's Limited Experience with Reporting to an SRS Suggests an Initially Open Classification Scheme: Reporting to an SRS--especially for incidents beyond LAIs or the theft, loss, or release of select agents--would be relatively new to the lab community. And although select agent labs have become familiar with reporting theft, loss, or release incidents, previous reporting failures indicate that, even among this subset of labs, reportable events may still be unclear. In such situations, allowing workers to report events in their own words, rather than asking them to classify the event as a certain type of hazard or error in order to report, can facilitate reporting. Classifying events--that is, applying standardized descriptions of accidents, incidents, and hazards--can facilitate safety improvement across the industry by providing a common language for understanding safety events. But classification can also limit reporting if workers are unsure of how to apply it. One solution for industries new to SRS reporting is to apply classification at a higher level, for example, through the event review or analysis process. Ensuring the reporting process is as clear and simple as possible is especially important for the lab community. Although LAIs are widely recognized as under-reported, there is, at least, a long history of reporting these events among lab workers. However, lab workers do not have as much experience reporting events without an obvious outcome, such as an LAI. Many of the biosafety specialists we spoke with had difficulty envisioning the types of events--apart from LAIs--that might be reportable. In addition, even when LAIs do occur, many are never linked with a specific causative incident, so information about potential event precursors is never communicated or is difficult to identify. Difficulty recognizing exposure is a reality of work in these labs. LAIs often occur through aerosol exposure, and the activities that can create such conditions are numerous. However, all three case-study industries grappled with similar difficulties in recognizing and reporting events that did not result in obviously negative outcomes. One way the industries addressed this difficulty was to allow workers to report a broad range of events in their own words. Over time, as workers saw concrete results from their reports, such as improved processes or guidance, their ability to identify less concrete, but equally unsafe hazards and incidents--even those without obvious consequences--grew. Expecting lab workers to classify events in order to report them would likely limit reporting. In such situations, lessons learned suggest allowing workers to report events in their own words to facilitate reporting. Diversity of Lab Community and Uncertainty about Reporting Population Suggest Multimode and Open Format Reporting Options, with Direct and Open Reporting: The lab community is organizationally diverse and the population of labs is unknown. Opening reporting to all workers, and offering multiple reporting modes (e.g., Web and postal), and using forms with open-question formats that allow workers to report events in their own words can facilitate reporting in the face of such uncertainty, according to lessons from the literature and case studies. Biological labs operate across a wide range of employment sectors, locations, and levels of containment. There are BSL-2, 3, and 4 labs in private, academic, and public settings across the United States. Staffing models for these labs are likely as different as the lab populations. Safety culture and reporting proclivity also vary across lab types. For example, according to biosafety specialists, clinical and academic labs--in contrast to government and private labs--face greater challenges to creating a safety culture and reporting events. According to one biosafety specialist, in academic labs, students expected to complete lab work before they have received adequate safety training may not feel they are in a position to demand such training. Specialists also indicate that higher-level labs (BSL-3 and 4)--especially the larger ones with better resources--have personnel, equipment, and/or processes to better support safety culture than lower-level, smaller labs with fewer resources. Furthermore, the consequences of accidents are so great at higher-level labs that the culture is generally more cautious. At lower-level labs, the perception of risk and actual risk are lower, so practices are not as stringent as they would be at higher-level ones. The work environment at biological labs also varies. In particular, some work is done in teams and some individually, and some is completed overnight because of time-sensitive experiments in the research. In addition, the solo nature of much lab research means that a single lab worker may be the only one who knows about an incident. For lab work, the external visibility of accidents and incidents present in aviation or some areas of health care may not exist. Bioresearch errors are also a lot harder to spot than errors in other industries. For example, nuclear safety officers can use radiation detectors to determine whether breaches of protocol have occurred by identifying hot spots in suspicious areas, such as a phone outside the lab. No similar tracking mechanism exists for bioresearch. Therefore, the only objective proof of most accidents is that someone became ill. In addition, lab workers have little incentive to report if the incident occurred as a result of their own error, according to biosafety specialists. Although one specialist believes there is a fair degree of reporting on equipment failures because researchers generally want to ensure that the equipment is fixed. Such variation has consequences for reporting. According to lessons from the literature and case studies, assessments can provide information about aspects of organizational cultures, structures, or processes that can affect reporting. However, a comprehensive assessment of this sort is difficult because (1) the population of labs is unknown and (2) no entity is responsible for conducting such an assessment. Given the uncertainty about cultural influences that may affect reporting behavior, more inclusive reporting options can facilitate reporting, according to lessons from the literature and case studies. For example, uncertainty about lab workers' access to reporting forms or ability to complete detailed forms can be minimized if (1) workers can report in whichever mode is most accessible to them (Web or postal) and (2) the forms do not require overly detailed or technical explanations. In an environment where much of the work is done alone and incentives may not exist for reporting, an SRS that is open to all lab workers (including security and janitorial staff) can facilitate reporting where none might occur. Accepting reports from workers not directly involved in research can increase the volume of safety data that can be obtained. Multimode and open-reporting formats, as suggested above, support open reporting since staff with varying knowledge of biosafety terms--such as janitorial, security, or animal care staff--are still able to report incidents or hazards in their own words in the way that is most convenient to them. Historically, the preferred model of biosafety reporting is hierarchical. This ensures that workers receive timely medical intervention and surveillance. Although it is important that workers have a mechanism for receiving immediate medical attention and surveillance when needed, a lot of important safety information could be lost if only supervisors or managers are allowed to report. Hierarchical reporting structures may limit the amount of useful safety data that can be received because a filtering process takes place at each level in the reporting hierarchy. As the information moves up the reporting structure, each person assesses whether the event is reportable. If the person decides that it is, he or she will report his or her own interpretation of events. Allowing all workers to directly report to an SRS removes this filter and can increase the number of reports and the amount of information collected from reports. For example, reports from multiple sources can enable analysis of events from multiple perspectives. While workers should always be encouraged to report potential exposures and other hazards to their supervisors so that they can receive timely medical attention, they should also be able to report incidents directly to an SRS. Advantages and Disadvantages Inherent in Industry-Level and Local- Level SRS Administration Suggest a Dual Reporting Option: The HHS and USDA--as central, recognized authorities in the biological lab community--represent the kind of industry-level entities that, according to lessons learned, are necessary for effective dissemination and evaluation activities. However, the agencies' regulatory role in the Select Agent Program could inhibit voluntary reporting, suggesting that an alternative reporting mechanism may be necessary. According to lessons from the case studies, dual reporting options can facilitate reporting in such situations. For example, if workers are concerned about reporting safety events--either to an internally managed SRS or to the regulator--an external, independently managed SRS can be useful. Alternatively, if workers are comfortable reporting to a local SRS, these programs can be very effective when the information from local systems is fed to a central, industry-level entity that can analyze data across the industry and disseminate safety improvements industrywide. While each case study industry differs in its approach, all three rely on dual (or multiple) reporting options. Specifically, the FAA relies on the independently run ASRS, as well as seven other key reporting programs, to collect safety data. Events that meet reporting requirements can be reported to the ASRS--meeting the need for an independent reporting mechanism for those concerned about reporting to either their local (airline-run) SRSs or to the regulator. In addition, as part of the FAA's other reporting programs, the FAA receives SRS data from the airlines, which they use to develop industrywide safety improvements. The commercial nuclear power industry also has reporting options. While each plant has a reporting system for corrective actions, a portion of the more significant reports are passed on to INPO for development of industrywide safety improvements. Individuals and plants also have the option to report to NRC's Allegation Program. Finally, in designing its reporting program, the VA created two reporting options--one externally managed by NASA and one local, hospital-based program in which safety data are sent on to VA's National Center for Patient Safety (NCPS) for development of industrywide safety improvements. While the industries might encourage workers to use one option over another, they are still able to report to the system most comfortable for them. Both options, however, utilize an entity with industrywide visibility and recognized authority to disseminate SRS information and direct system evaluations. An external, independently managed SRS for the lab community offers several advantages, including the (1) potential to reduce workers' fear of being punished for reporting, (2) ability to contract for system management, and (3) centralization of safety data. Nevertheless, since the individual labs have the most intimate knowledge of staff, pathogens, and operations, several biosafety specialists adamantly indicated that the lab facility was the appropriate level for reporting and analysis. According to lessons from the literature, as well as the perspectives of biosafety specialists, analysis of safety reports should be done by qualified biosafety professionals and others with appropriate expertise or knowledge. In addition, processes for local-level collection and analysis of SRS reports can facilitate worker buy-in for reporting, according to lessons from the case studies. However, not all labs have the same resources for collecting and analyzing reports. Furthermore, the focus on safety culture across the lab community may not be sufficient to support an SRS program that operates only at the local level. But local-level support--as well as encouragement of reporting, receptivity to safety concerns, and regard for the field of biosafety-- is central to a robust reporting program. Even if there is receptivity to biosafety issues, when safety is the responsibility of those internal to the organization, there may be conflicts of interest in addressing safety issues. While safety improvements are most useful when shared across the lab community, sharing this information may raise institutional concerns about funding streams, public perception of the institution, and professional standing of lab workers, according to biosafety specialists we spoke with. Given the advantages and disadvantages of SRS administration at both the local and agency levels, dual reporting options may be necessary, at least initially. For example, the VA initiated its safety reporting program with both internal and external options. Although the VA canceled the NASA-run program after nearly 10 years, in recognition of the importance of an external reporting option, some efforts to reestablish the system continue. In the Context of Existing Information, Lessons Suggest Several Features for Reporter Protections and Incentives: Existing information about the potential goals for a biological lab SRS and the organizational culture of these labs suggest certain design and implementation features in the second key area: reporter protections and incentives. Figure 6 shows the relationship of program goals and organizational culture to this key area. Figure 6: Second Key Area--Reporter Protections and Incentives: [Refer to PDF for image: illustration] The illustration depicts an interlocking circle of Program Goals and Organizational Culture, with the following contained inside the circle: 2. Reporter protections and incentives: * Anonymity; * Confidentiality; * Deidentification of data; * Limited immunity. Source: GAO analysis of SRS evaluation literature. [End of figure] TLR Reporting History and Biosafety Specialists' Views of Lab Culture Suggest Strong Confidentiality Protections, Data Deidentification, and Other Reporting Incentives Are Needed to Foster Trust in Reporting: Voluntary reporting to an SRS--especially of incidents that do not result in LAIs--would be a new expectation for some lab workers. As mentioned earlier, even the perception of a confidentiality breach can quash reporting. And given that entity information from the TLR reporting system was leaked to the press,[Footnote 87] lab workers might have reason for concern about reporting similar incidents to a voluntary system. In addition, the literature and biosafety specialists noted, confidentiality concerns are among the barriers SRS managers will face in implementing a successful reporting program. Therefore, concerns about confidentiality suggest that a biological lab SRS will require strong confidentiality protections, data deidentification processes, and other incentives to encourage reporting, according to lessons learned. In addition, while the literature suggests anonymous reporting as one solution for minimizing confidentiality concerns, it is not an ideal one here. The complexity of biosafety issues would require a mechanism for follow-up with the worker or reporting entity because interpretation of the incident from a written report can often differ from interpretation of the incident from talking with the reporter, according to biosafety specialists. Biosafety specialists also noted that developing trust in reporting has the potential to be problematic because of labs' existing reporting culture. For example, specialists noted the following influences on lab workers' likelihood of reporting accidents or incidents: * realization that there is risk associated with laboratory work; * difficulty recognizing that an incident has occurred, and knowing that this incident is reportable; * disincentives for reporting, such as the threat of punishment for reporting or concerns about (1) the reputation of both the worker and the institution, (2) the potential loss of research funds, and (3) the fact that reporting may take time away from work; and: * lack of perceived incentives for reporting, such as the failure to see the value of reporting accidents or incidents, as well as the fact that lab work may be done alone, which does not provide an incentive for self-reporting of errors. Given the confidentiality concerns and other difficulties of introducing a voluntary reporting system into the biological lab community, deidentification of safety reports takes on more importance. For example, according to biosafety specialists at one university, a primary concern with the establishment of their SRS was anonymity, especially for those in the agricultural labs. These researchers were concerned that if their identities became known, they could suffer from retaliation from organizations opposed to their research. While the SRS managers chose to make the reports available to the public via the Web, they also deidentified the reports to prevent individuals outside the lab community from being able to identify individuals or specific labs. However, because the university research community is a small one and lab work is fairly specific, it is not overly difficult for those in the lab community to determine who was involved in an incident if a report mentions a particular pathogen and what was being done with it. As a result, deidentification measures may have to go beyond simply removing reporter information. In addition, if deidentification measures are insufficient for maintaining confidentiality, workers and entities may need added incentives to encourage reporting in light of the fact that their identities may become known. There are several incentives for the lab community to report, according to biosafety specialists. For example, deidentified SRS data can enhance the evidentiary foundation for biosafety research since it provides an extensive, heretofore unavailable data source. Such analyses benefit the overall lab community by providing greater evidentiary basis for risk based decisions for--or against--expensive or burdensome lab safety protocols. In addition, workers' trust in reporting can be developed over time at the local level, through rewarding, nonpunitive reporting experiences. The relationship workers have with the lab's safety staff is central to this effort, according to biosafety specialists. Trust in an institution's Occupational Health Service, biosafety officer, or other official responsible for safety encourages workers to overcome ignorance, reluctance, or indifference to reporting. Biosafety specialists at one university credit the success of their nonpunitive SRS to the safety-focused relationship among the biosafety officer and lab staff. At first, according to these biosafety specialists, the researchers were afraid that SRS reports would be used to punish them academically or professionally. Over time, however, they saw the implementation of a nonpunitive system that had positive outcomes for safety improvements in the lab. While biosafety specialists believed that development of a reporting culture might be difficult, they offered a number of suggestions for overcoming reporting barriers, including (1) developing a safety office in conjunction with the research staff, (2) ensuring continued interaction and shared conferences on safety issues with researchers and the biosafety office to show the value of reported information, and (3) reinforcing the importance of reporting by showing a concern for the individual that is exposed rather than focusing on punishment. In addition, the CDC noted the importance of biosafety training, which is an important part of laboratory safety culture that has an impact on workers' ability to recognize and report safety issues. This type of continued support for reporting--as evidenced through positive feedback, awards, and nonpunitive experiences and training--fosters trust and willingness to report, according to lessons learned. In the Context of Existing Information, Lessons Suggest Several Features for Feedback Mechanisms: Existing information about the potential goals for a biological lab SRS and the organizational culture of these labs suggest certain design and implementation features in the third key area: feedback mechanisms. Figure 7 shows the relationship of program goals and organizational culture to this key area. Figure 7: Third Key Area--Feedback Mechanisms: [Refer to PDF for image: illustration] The illustration depicts an interlocking circle of Program Goals and Organizational Culture, with the following contained inside the circle: 3. Feedback mechanisms: * Feedback to reporters; * Feedback to administrators; * Feedback to industry; * Feedback for system improvement. Source: GAO analysis of SRS evaluation literature. [End of figure] Lessons Suggest Industry-Level Entities, Such as the CDC or NIH, Can Facilitate Dissemination of SRS-Based Safety Information across the Lab Community: The CDC and NIH--as recognized authorities on working safely with infectious diseases--disseminate safety information to the entire lab community. For example, documents such as the BMBL and recombinant DNA guidelines provide the foundational principles for lab safety practices; they are updated periodically to reflect new information about infectious agents and routes of exposure. In addition, the CDC's MMWR reports provide alerts as emerging safety issues are identified. Lessons suggest that entities with industrywide visibility and recognized authority are ideally situated to ensure SRS data and safety improvement initiatives are disseminated across the industry. Such entities would be better positioned than individual labs, facilities, states, or others to disseminate SRS-based alerts or other safety reports in a way that reaches all labs. In addition, in order to counter the potential conflicts of interest that can arise with sharing data across labs, biosafety specialists we spoke with supported the notion of an "industry-level" entity for disseminating safety data. In particular, the specialists noted that the typical reporting relationship between the biosafety officer and lab management is not independent; this relationship might therefore inhibit sharing of safety data beyond the individual lab. Thus, a central, industry-level unit--responsible for collecting and disseminating SRS reports from either workers or organizations-- minimizes such concerns and facilitates industrywide sharing of SRS data, according to lessons learned. SRS data can also support training, which is a key component of biosafety. These data can provide the experiential basis for specific safety precautions. For example, one biosafety specialist noted that staff want to know this information in order to accept the need for precautions and procedures. Currently, there is no such experiential database; however, an industry-level entity could facilitate the creation and maintenance of such a database from SRS data. Biosafety Specialists Note the Importance of Monitoring Safety Culture: Some of the biosafety specialists we spoke with noted the importance of ongoing monitoring of safety culture, for example, through a lab director's personal investment of time and direct observation and communication with lab workers. Without such observation and communication, as well as feedback from workers, managers will remain unaware of areas where the safety culture is likely to lead to serious problems. While specialists did not specifically note the need for formal evaluation to solicit this feedback, lessons learned suggest that evaluation is useful in this regard. Specifically, evaluation can help identify (1) problem areas in the safety culture and (2) where targeted outreach and training or program modification might lead to better reporting and safety improvement. Such evaluation is important in ensuring the system is working as effectively as possible, according to lessons from the literature and case studies. Conclusions: Safety reporting systems (SRS) can be key tools for safety improvement efforts. Such systems increase the amount of information available for identifying systemic safety issues by offering a means through which workers can report a variety of events that shed light on underlying factors in the work environment that can lead to accidents. Our extensive review of SRS evaluation literature and case studies of SRS use in three industries provides an empirical, experience-based foundation for developing a framework for SRS design and implementation. This framework can be applied across a wide variety of industrial, organizational, professional, and cultural contexts. The industries we studied, despite their differences, shared similar experiences designing and using SRSs for safety improvement. The commonalities they shared provide the basis for our lessons--the pros and cons and successes and failures--relating to particular design and implementation choices across a wide variety of work environments. However, it is important to recognize the uniqueness of any work environment. The biological lab community is undoubtedly a unique working environment and blindly applying an SRS from one industry to the lab community would be a mistake. This observation underlies the leading finding among our lessons: in choosing the system features most appropriate for the environment in which the SRS will operate, consideration of program goals and organizational culture is essential. Such consideration provides the context for choosing features in three key areas of system design and implementation-- reporting and analysis, reporter protections and incentives, and feedback mechanisms. The Centers for Disease Control and Prevention (CDC) and Animal and Plant Health Inspection Service (APHIS) Select Agent Program (SAP) manage a mandatory reporting system for theft, loss, and release (TLR) of select agents. Although this system is compliance-based, it can be used--like the SRSs in our study--to identify systemic safety issues. In fact, the agencies have taken steps to use the system in this way. For example, the agencies have dedicated expert resources to manage the system, developed guidance to clarify reportable events and procedures to ensure reporter confidentiality, and used information from the system to provide feedback about safety issues to the select agent lab community. However, lessons from the literature and case studies suggest additional actions in assessment and the three key areas that could further improve reporting and the usefulness of the system as a source for safety data. These elements include an assessment of organizational culture, a lower threshold for reportable events, limited immunity provisions, and mechanisms for international lesson sharing and evaluation. Through these actions, efforts to identify areas for system improvement, target outreach and training, and encourage reporting could be supported. While other industries have developed industrywide SRSs, one does not exist for the broader laboratory community. However, recognizing the potential of such a system for the laboratory community, an interagency task force on biosafety recommended it and Congress proposed legislation to develop one. While current safety guidance for biological labs is based on many years of experience working with infectious organisms and analyses of laboratory-acquired infections (LAI), there are some limitations to these data. For example, a widely recognized limitation is the high rate of under-reporting of LAIs. In addition, accident and illness data are incomplete, and reported information usually does not fully describe factors contributing to the LAIs. Such issues limit the amount of information available for identification of systemic factors that can lead to accidents. A national laboratorywide voluntary SRS that is accessible to all labs and designed around specific goals and organizational culture would facilitate collection of such data to inform safety improvements. Analysis of these data could support evidence-based modifications to lab practices and procedures, reveal problems with equipment use or design, and identify training needs and requirements. Establishing such an SRS for the lab community, however, would require addressing some unique issues. Although our findings suggest that reporting systems should be tied to program goals and a clear sense of the organizational culture, this is problematic for biological labs because they are not a clearly identified or defined population. In addition, there is no agency or entity with the authority to direct such assessments across the entire lab community. Proposed federal legislation, if enacted, would establish a role for an SRS for the lab community to be administered by the Department of Health and Human Services (HHS) and the Department of Agriculture (USDA). If HHS and USDA are directed to develop such an SRS, certain features for the three key areas are suggested by existing studies, the CDC's and APHIS's experiences with the TLR reporting system, and biosafety specialists' knowledge of organizational culture in labs and experiences with safety reporting. Lessons developed from experiences with the National Institutes of Health's (NIH) prototype reporting system for its intramural research labs might inform design and implementation considerations as well. In addition, stakeholder involvement in goal setting is particularly important given the issues related to visibility and oversight of the broader lab population. The greater the stakeholder involvement, the greater the likelihood the perspectives of labs with varying environments and cultures will be represented. Stakeholders may also have knowledge of, and access to, labs that can support cultural assessments and encourage reporting. Such assessments are important for understanding differences in organizational cultures across the diverse types and levels of labs that could affect choices for system scope and features. Until a cultural assessment is conducted, existing information about likely system goals and labs' organizational culture suggests certain features in the three key areas--reporting and analysis, reporter protections and incentives, and feedback mechanisms. With respect to reporting and analysis, a variety of factors suggest voluntary reporting for labs outside the Select Agent Program, including likely system goals for learning rather than enforcement and the need to collect information on incidents and hazards as opposed to serious accidents. In addition, the lab community's limited experience with this type of reporting, the diversity of lab environments, and uncertainty about the reporting population suggest an initially open classification scheme that allows workers to report events in their own words, using multimode (Web or postal) and open-format reporting options that are available to all workers. These options can facilitate reporting in such situations. Lastly, the advantages and disadvantages inherent in SRS administration at either the local or higher level suggest that dual reporting options may be necessary. Such options--present in different forms in all three case industries-- allow workers to submit reports to whichever level is most comfortable for them. For example, workers would have the choice of whether to report to an internal, lab-managed reporting program that feeds data to a central authority or to an independent, externally managed SRS. Both of these reporting options will also require strong confidentiality protections, data deidentification, and other reporting incentives to foster trust in reporting. Finally, feedback mechanisms for disseminating safety data or recommendations and evaluations are needed to promote worker buy-in for reporting, identify areas for targeted outreach and training, and identify areas for system improvement. Matters for Congressional Consideration: In developing legislation for a national reporting system for the biological laboratory community, Congress should consider provisions for the agency it designates as responsible for the system to take into account the following in design and implementation: * include stakeholders in setting system goals; * assess labs' organizational culture to guide design and implementation decisions; * make reporting voluntary, with open-reporting formats that allow workers to report events in their own words and that can be submitted by all workers in a variety of modes (Web or postal), with the option to report to either an internal or external entity; * incorporate strong reporter protections, data deidentification measures, and other incentives for reporting; * develop feedback mechanisms and an industry-level entity for disseminating safety data and safety recommendations across the lab community; and: * ensure ongoing monitoring and evaluation of the safety reporting system and safety culture. Recommendations for Executive Action: To improve the system for reporting the theft, loss, and release of select agents, we recommend that the Centers for Disease Control and Prevention and Animal and Plant Health Inspection Service Select Agent Program, in coordination with other relevant agencies, consider the following changes to their system: * lower the threshold of event reporting to maximize collection of information that can help identify systemic safety issues, * offer limited immunity protections to encourage reporting, and: * develop (1) mechanisms for sharing safety data for international lab safety improvement efforts and (2) processes for identifying reporting gaps and system evaluation to support targeted outreach and system modification. Agency Comments and Our Evaluation: We provided a draft of this report to the Department of Transportation (DOT), HHS, INPO, NASA, NRC, USDA, and VA for review and comment. In written comments, the DOT, INPO, NASA, NRC, and VA agreed with our findings and conclusions and provided technical comments, which we addressed, as appropriate. The DOT's FAA and NASA also provided positive comments on the quality of our review. In particular, the FAA reviewer indicated that it was an excellent report that addressed the factors that should be considered by an organization planning to implement a safety reporting system. Similarly, the NASA reviewer noted that this was an excellent document describing the many aspects of safety reporting systems, and that it had captured the complexity and dynamic nature of the SRS approach to obtaining safety information from the frontline. In written comments, the HHS noted that GAO's thorough case studies of long-standing industrywide safety reporting systems would be helpful when considering the important issue of reporting systems in biological laboratories. However, the HHS disagreed with two of our recommendations, and partially agreed with a third, to improve the theft, loss, and release (TLR) reporting system for select agents. Specifically, the HHS disagreed with our first recommendation--to lower the threshold for reportable events to maximize information collection--noting that their current mandatory reporting thresholds for the Select Agent Program (SAP) provides sufficiently robust information. While we appreciate the CDC and APHIS Select Agent Program's efforts to clarify reporting requirements to ensure all thefts, losses, and releases are reported, lowering reporting thresholds could further ensure all relevant reports are received. With lower reporting thresholds, questionable events are less likely to go unreported because of confusion about whether to report. Furthermore, we note that reporting below the currently established threshold could be voluntary, thereby offering registered entities a convenient, optional mechanism for sharing identified hazards. This is similar to the agencies' recently initiated, anonymous fraud, waste, and abuse reporting system. However, reporting to the TLR system would enable follow-up and feedback with the reporting lab because of its confidential, as opposed to anonymous, nature. Lastly, biosafety specialists we spoke with, as well as HHS staff involved in updating the BMBL, specifically noted the lack of available data for developing evidence-based biosafety guidelines. Data collected through the TLR system--especially if it is more comprehensive--could provide such data. The HHS also disagreed with our second recommendation--to offer limited immunity protections to encourage reporting. While the HHS agrees that identification of safety issues is important, they believe they do not have statutory authority to offer limited immunity. The Public Health Security and Bioterrorism Preparedness and Response Act of 2002 required the Secretary of HHS to promulgate regulations requiring individuals and entities to notify HHS and others in the event of the theft, loss, or release of select agents and toxins. Violations of the Select Agent Regulations may result in criminal or civil money penalties. While we do not want to suggest that the HHS waive these penalties under a limited immunity provision, the Act sets maximum civil money penalties for Select Agent Regulations violations at $250,000 for individuals and $500,000 for entities, which provides the HHS Secretary, now delegated to the HHS Inspector General, discretion to charge penalties up to those maximum amounts. In addition, while reporting is required by law, individuals or entities may be concerned that reporting thefts, losses, or releases may lead to increased inspections by the CDC or referral to the Inspector General of the Department of Health and Human Services for investigation and possible penalties. Therefore, we recommend the CDC, in conjunction with other pertinent oversight agencies, examine whether adding limited immunity protections into the TLR reporting system would ease individuals' and entities' fears of reporting and encourage them to provide more complete information on thefts, losses, and releases. One possible way to incorporate limited immunity protections into the TLR reporting system would be to lower the civil money penalty for those individuals or entities who properly filed a TLR report should penalties be appropriate for the theft, loss, or release being reported. We believe the Secretary of HHS has sufficiently broad authority under the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 to provide such immunity protections. The literature and our case studies identified limited immunity as a key incentive for reporting, and HHS' Trans- Federal Task Force on optimizing biosafety and biocontainment oversight noted the potential of the Aviation Safety Reporting System-- and its associated immunity provisions--as a model for a national SRS for biological labs. Lastly, the HHS partially agreed with the third recommendation. While the agency agreed with the recommendation to develop processes for identifying reporting gaps and system evaluation to support targeted outreach and system modification, they disagreed with the recommendation to share TLR data for international lab safety improvement efforts. In particular, the HHS notes its lack of authority to regulate foreign laboratories and suggests such activities might be better placed elsewhere in the CDC. As the literature and case studies illustrate, it is important to share safety lessons as broadly as possible. Sharing TLR lessons does not involve regulation of foreign labs, so additional authority is not required. Furthermore, the recommendation is directed to the CDC SAP because they manage the TLR system. If the CDC SAP wished to delegate the responsibility for sharing TLR lessons with the international lab community to another HHS entity, it would satisfy the intent of the recommendation. The HHS also commented on the matters for congressional consideration, for example, suggesting additional matters that fall outside the scope of this review. The agency disagreed with GAO on several issues, such as (1) the scope of the recommendations, (2) the extent to which the biological lab industry might benefit from an SRS, (3) particular SRS features noted in the matters for congressional consideration, and (4) reporting thresholds and system management. These general comments and our responses to them are included in appendix IV. The HHS also provided technical comments which we addressed, as appropriate. In written comments, the USDA concurred with our recommendations, although they noted several disagreements in their detailed responses. With respect to our first recommendation--to lower reporting thresholds--the USDA noted, like the HHS, that (1) they believe the current reporting thresholds (providing 130 reports a year) are sufficiently robust and (2) APHIS's other monitoring and surveillance activities are sufficient for monitoring safety and security conditions in select agent labs. As noted above, we believe that with lower reporting thresholds, questionable events are less likely to go unreported because of confusion about whether to report. Furthermore, we note that reporting below the currently established threshold could be voluntary, thereby offering registered entities a mechanism for sharing identified hazards in a system that would enable follow-up and feedback with reporters. Lastly, data collected through the TLR system--especially if it is more comprehensive--could provide data for updates to biosafety guidelines. In response to our second recommendation--to offer limited immunity protections--the USDA, like the HHS, believes it lacks statutory authority to offer such protections. As noted above, we believe the Secretary of USDA has sufficiently broad authority under the Agricultural Bioterrorism Protection Act of 2002 to provide such immunity protections for the TLR reporting system. However, in recognition that such provisions might require coordination with other agencies, we added this clarification to the recommendations. Lastly, in response to our third recommendation--to (1) share TLR data for international lab safety improvement efforts and (2) identify reporting gaps and conduct system evaluation--the USDA noted that they did not believe additional regulatory oversight was needed and that targeted education and safety training in high-risk areas would likely be more cost effective. Our recommendation does not suggest any additional regulatory oversight. It is focused on broadly sharing lessons learned from the TLR system and on identifying areas--through analysis of TLR data and evaluation--for targeted outreach and training and system modification. These actions are methods through which the USDA can better identify the "high-risk areas" the agency notes should be targeted for education and training. The USDA also noted that an example we provided of unreported LAIs demonstrates that these types of infections are infrequent. However, this is just one example of LAI underreporting and their consequences. As noted in the footnote prior to this example, in a review of LAI literature, the authors identified 663 cases of subclinical infections and 1,267 overt infections with 22 deaths. The authors also note that these numbers "represent a substantial underestimation of the extent of LAIs." [Footnote 88] SRSs are key tools for bringing forward such safety information--currently recognized as substantially underreported--in order to benefit the entire industry. USDA's written comments are included in appendix IV. As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies of this report to the appropriate congressional committees and other interested parties. In addition, the report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staffs have any questions about this report, please contact me at (202) 512-2642 or mccoolt@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix V. Signed by: Thomas J. McCool: Director, Applied Research and Methods: [End of section] Appendix I: Objectives, Scope, and Methods: This appendix details the methods we used to identify lessons for designing and implementing an effective safety reporting system (SRS) from (1) the literature and (2) case studies of SRSs in the airline, commercial nuclear power, and health care industries; and apply those lessons to (3) assess the theft, loss, and release (TLR) reporting system for the Select Agent Program and (4) suggest design and implementation considerations for a national SRS for all biological labs. To develop lessons from the literature, we used an iterative approach to search several venues (academic journals, agency and organization publications, and grey literature) for literature related to human factors, safety science, and SRS evaluation. We reviewed the publications generated through automated searches to identify (1) search terms for additional automated queries and (2) citations for publications that might be within our scope of interest. We ended the formal search for additional literature after reaching saturation in the publications generated from our search (i.e., no or few new publications). The literature we reviewed generally fell into one of two categories--safety science (including human factors and organizational safety) literature and descriptions of SRS features and evaluations. The safety science literature serves as background information and was also used to develop familiarity with safety science terms and theories required for our assessment of the SRS evaluation literature. The literature related to SRS features and evaluations was used to develop lessons for the first objective. We assessed the SRS evaluation literature for both methodological rigor and findings related to SRS design and implementation. For the methodological review, we assessed the appropriateness of the methods relative to the study objectives for all articles, and a sample (about half) received a secondary, independent review of methodological rigor. Studies that met our standards of methodological rigor were incorporated into the assessment, and findings related to system goals, cultural considerations, reporting and analysis features, reporter protections and incentives, and feedback mechanisms were coded to identify effective features and processes for SRS design and implementation. See the Bibliography of Articles Used to Develop SRS Lessons from the Literature for a list of the literature used to develop these lessons. To develop lessons from case studies of three industries, we (1) reviewed studies and documentation on a variety of SRSs in the three industries; (2) interviewed agency and organization officials knowledgeable about safety science and human factors engineering, reporting systems, and their own SRS programs; and (3) attended a variety of SRS and safety conferences. We chose to focus on the aviation, commercial nuclear power, and health care industries because they are moderate-to high-risk industries that represent a variety of (1) organizational cultures, (2) length of experience using SRSs for safety improvement, and (3) feature and design choices in their SRS programs. While we collected information on a wide variety of safety reporting programs and systems in these industries--and in some cases comment on these different programs--we primarily developed our lessons from one reporting program in each of the three industries. Specifically, we developed lessons from the Federal Aviation Administration's (FAA) National Aeronautic and Space Administration (NASA)-run Aviation Safety Reporting System (ASRS) in aviation, the Institute of Nuclear Power Operation's (INPO") Significant Event Evaluation-Information Network (SEE-IN®) system in commercial nuclear power, and the VA's internally managed Patient Safety Information System (PSIS) and NASA-managed Patient Safety Reporting System (PSRS) in VA health care. We chose to focus on these systems because they represent fairly long-standing, nonregulatory, domestic, industrywide or servicewide reporting programs. For example, NASA's ASRS has been in operation for 34 years; INPO's SEE-IN, for 30 years; and VA's PSIS and PSRS, for 10 years. Although we primarily developed our lessons from these key SRSs, we also collected information on other notable SRSs in the industries, including the Nuclear Regulatory Commission's (NRC) Allegations Program, the FAA's Aviation Safety Action Program (ASAP), and the Agency for Healthcare Research and Quality's (AHRQ) Patient Safety Organizations (PSO) program, among others. To assess the TLR reporting system, we interviewed agency officials, reviewed agency and other documentation, and applied lessons from the literature and case studies to these findings. Specifically, using a standard question set, we interviewed HHS officials from the Coordinating Center for Infectious Disease, Office of Health and Safety, and Division of Select Agents and Toxins, and received responses to our question set from the USDA's Animal and Plant Health Inspection Service (APHIS). In addition, we attended an agency conference on select agent reporting and reviewed documents from this conference and from the National Select Agent Registry (NSAR) Web site, detailing TLR reporting requirements and scenarios. We also reviewed GAO testimony and reports on previously identified TLR reporting issues. Using the lessons for SRS design and implementation derived from the literature and case studies, we applied these criteria to identify areas for TLR improvements. To propose design and implementation considerations for a national biological laboratory reporting system, we reviewed studies and other reports on biosafety, interviewed HHS officials and domestic and international biosafety specialists, attended conferences on biosafety and incident reporting, and applied lessons from the literature and case studies to these findings. We interviewed HHS officials and biosafety specialists to get a sense of the culture-related context for, and potential barriers to, an SRS for biological labs. Specifically, we used a standardized question set to gather specialists' views about overall design and implementation considerations for a labwide reporting program, as well as how lab culture and safety orientation (1) vary by level and type of lab; (2) affect reporting under current requirements; and (3) might affect reporting to a national biological lab SRS. We conducted this performance audit from March 2008 through September 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Summary of Lessons from the Literature and Case Studies: Area: System goals and organizational culture; Lessons from the literature: (1) Define overarching program goals and subgoals up front; (2) Involve stakeholders (e.g., management, industry groups, associations, and workers) in development of program goals and SRS design to increase support among key populations; (3) Assess organizational culture to guide system design choices in the three key areas; (4) Ensure that reporters and system administrators receive adequate training regarding the function and application of the reporting system; Lessons from case studies: (1) Assessment, dedicated resources, and management focus are needed to understand and improve safety culture; (1a) Assessing safety culture can alert management to workplace safety issues; (1b) Improving safety culture requires dedicated resources, including time, training, and staff investment; (1c) Changing safety culture requires management focus. Area: Reporting and analysis; Lessons from the literature: Level of event: (1) Base the decision for mandatory or voluntary reporting on (a) the level of event of interest and (b) whether the SRS will be used primarily for enforcement or learning; (2) Set reporting thresholds that are not so high that reporting is curtailed, nor so low that the system is overwhelmed by the number and variety of reportable events; Lessons from case studies: (2) Broad reporting thresholds, experience-driven classification schemes, and processing at the local level can be useful SRS features in industries new to safety reporting; (2a) Broad thresholds and open reporting are useful features when starting an SRS. Area: Reporting and analysis; Lessons from the literature: Event classification; (1) Develop classification schemes and associated terms that are clear, easy to understand, and easy to use by drawing on terms already well understood in the industry; (2) Test whether classification terms are clearly understood by different groups in the organization; (3) Allow sufficient flexibility to (a) avoid narrowing the scope of reporting in a way that limits all events of interest at the chosen level of event, (b) allow different sites--if multiple sites will be reporting to the same system--to adapt fields and elements to match their own organizational culture, and (c) capture different types of events and precursors as they can change over time; (4) Develop a classification scheme that best suits analytical requirements and the comfort level of the organizational culture with safety reporting and safety event terms; Lessons from case studies: (2b) Encouraging workers to report incidents in their own words facilitates reporting initially. Area: Reporting and analysis; Lessons from the literature: Mode and format; (1) Base decisions about report mode on (a) the accessibility of the mode to the reporting population and (b) workers' concerns about and willingness to report; (2) Base decisions about report formats on the (a) type of data needed for analysis, (b) capabilities of the reporting population, and (c) maturity of existing safety event classification schemes within the industry. Area: Reporting and analysis; Lessons from the literature: System administration; (1) Base the decision for internal or external system administration on (a) workers' degree of concern over punishment and confidentiality and (b) the availability of internal expertise and resources to analyze and encourage reporting; (2) Base decisions about who will be allowed to report on (a) awareness of reporting hierarchies and (b) the type of information desired for analysis; Lessons from case studies: (2c) Reporting options with some local- level processing facilitates reporting initially. Area: Reporting and analysis; Lessons from the literature: Analysis; (1) Use a report prioritization process to quickly and efficiently address key safety issues as they arise; (2) Align analysis decisions with (a) report formats, (b) system administration and location of technical expertise, and (c) availability of other relevant data needed for analysis. Area: Reporter protections and incentives; Lessons from the literature: Confidentiality and anonymity: (1) Base the choice between anonymity and confidentiality on (a) organizational culture, especially workers' degree of concern about punishment and confidentiality, and (b) the amount of detail required for analysis and whether it can be collected without follow-up; (2) Consider a hybrid system in which confidential and anonymous reporting are used simultaneously if there is conflict between organizational culture and data need; Data deidentification: (1) Develop data deidentification measures to support confidentiality and data-sharing efforts; Limited immunity: (1) Consider limited immunity provisions to increase the reporting incentive; Lessons from case studies: (3) Strong legal protections and incentives encourage reporting and help prevent confidentiality breaches. Area: Feedback mechanisms; Lessons from the literature: Feedback; (1) Provide direct feedback to reporters to foster worker-specific buy- in for reporting; (2) Provide regular, timely, and routine feedback--for example in the form of newsletters, e-mail alerts, Web sites, and searchable databases--to support overall organizational buy-in for reporting; (3) Provide positive feedback to managers who receive a high volume of reports to demonstrate the importance of reporting and counteract the perception that error reporting reflects poorly on management; Evaluation: (1) Use the data to identify reporting gaps for targeted outreach and training; (2) Evaluate the effectiveness of the SRS to support ongoing modification and improvement; Lessons from case studies: (4) A central, industry-level unit facilitates lesson sharing and evaluation. Source: GAO analysis of SRS literature and case studies. [End of table] [End of section] Appendix III: Comments from the Department of Health and Human Services: Note: GAO comments supplementing those in the report text appear at the end of this appendix. Department Of Health & Human Services: Office Of The Secretary Assistant Secretary for Legislation: Washington, DC 20201: August 16, 2010: Tom McCool, Director: Applied Research and Methods: U.S. Government Accountability Office: 441 G Street N.W. Washington, DC 20548: Dear Mr. McCool: Attached are comments on the U.S. Government Accountability Office's (GAO) report entitled: "Biological Laboratories: Design and Implementation Considerations for Safety Reporting Systems" (GA0-10- 850). The Department appreciates the opportunity to review this report before its publication. Sincerely, Signed by: Jim Esquea: Assistant Secretary for Legislation: Attached: [End of letter] General Comments Of The Department Of Health And Human Services (HHS) On The Government Accountability Office's (GAO) Draft Report Entitled. "Biological Laboratories: Design And Implementation Considerations For Safety Reporting Systems" (GA0-10-850): We appreciate GAO's review of this important issue. HHS is committed to improving biosafety in laboratories across the United States. This draft report from GAO thoroughly outlines examples of safety reporting systems in other industries, which is helpful in considering how to improve safety reporting systems in biological laboratories. Scope of Draft Report: This report addresses two separate but related issues—safety reporting for biological laboratories in general and the theft, loss, and release reporting system for laboratories that are subject to the Select Agent Regulations (42 CFR part 73, 9 CFR part 121, and 7 CFR part 331). The issues, challenges, and implementation considerations are related, but not interchangeable. We note that the safety reporting programs chosen by the GAO for their case study represented fairly longstanding, non-regulatory, domestic, industry wide reporting programs. Though the draft GAO report addresses broad issues for consideration in implementing a safety reporting system for all biological laboratories in the United States, the recommendations do not logically follow from the data presented in the report, as the recommendations are only focused on the Select Agent Programs at the Centers for Disease Control and Prevention (CDC) and the United States Department of Agriculture's Animal and Plant Health Inspection Service (APHIS). The narrow scope of the recommendations raises concerns that the GAO views the mission of the Select Agent Programs as including a responsibility to improve biosafety at all U.S. laboratories. The GAO report should recognize that the scope of the statutory authority for the Select Agent Programs is limited to the oversight of biosafety at registered entities and that creation of a new regulatory safety reporting system would require new authority and resources. [See comment 1] The premise of the report is that a new, highly comprehensive, and presumably costly reporting system is necessary for the U.S. Government and research community to understand the etiology and consequences of, as well as preventative strategies for, laboratory accidents: NIII does not believe that this is the ease. Under the current reporting requirements of the Select Agent Program (SAP) and the NIH Guidelines for Research Involving Recombinant DNA Molecules, there is likely sufficient data to perform the kinds of analyses that arc described in the GAO report. It would, however, necessitate sharing the reported information between the two programs and supporting a common analysis, something that is not currently done. It makes more sense to begin with the Federal Government sharing and analyzing data already collected under current requirements. To the extent warranted by the need for additional data, the Government could then assess the need for a more universal incident-reporting system. [See comment 2] Furthermore, the characteristics of the reporting system advocated in the report—one that would he accessible to all and utilize free-form reporting—would greatly undermine the quality of the data and only frustrate efforts to conduct meaningful analyses and draw specific conclusions. While appreciating the arguments for a system that is accessible and encourages reporting, these particular approaches to achieving those aims pose innumerable problems, such as unintelligible reports, redundant data, lack of quality control, and unreliable statistics that, in the end, would preclude meaningful trend analysis and improvements to specific institutional settings, and thus result in a system that provides little marginal value for what is likely to he a major investment. Scope of Safety Reporting Systems: In the draft report, GAO notes the need to understand the safety culture in laboratories. GAO realizes that the occupational setting varies widely from clinical laboratories to research laboratories. We encourage GAO to recognize that the design of a safety reporting system or systems for biological laboratories should be targeted to the specific types of laboratories that will be subject to this system (i.e., clinical laboratories vs. research laboratories), in order to design an appropriate reporting system. [See comment 4] This draft report proposes a national safety reporting system and notes that some institutions already require safety reporting within the institution. We encourage GAO to clarify the scope of the proposed system (to he less confusing to those who already have local safety reporting requirements), and specify that they are describing a "national" safety reporting system when referring to the national system. [See comment 5] Threshold for Reporting: We believe that the GAO confuses the Select Agent Programs' "theft, loss, and release" reporting requirements with a laboratory safety reporting system. The Select Agent Programs' statutory authority only requires that registered entities report actual releases of select agents or toxins "causing occupational exposure or release of a select agent or toxin outside of the primary barriers of the biocontainment." While the Select Agent Programs urge, and registered entities for the most do, the reporting of accidents and incidents that might have resulted in a release (it being better to confirm that an accident or incident did not result in a release than not properly report a release), it is only a violation of the Select Agent regulations if an actual release goes unreported. The presumption that lowering the threshold for reportable events would lessen the confusion about what to report should be discussed in the context that there is no national system for reporting and correspondingly no standard for what that "threshold" might be. This could be an area for additional exploration. [See comment 6] Considerations for Implementing a Safety Reporting System vs. Deciding to Create Such a System: GAO's draft report points out those things that should be considered in implementing a safety reporting system for all biological laboratories, but does not fully assess the merit of deciding to create and implement such a system. Resources and the relative priority of such a system as compared to other things that can improve biosafety in all biological laboratories must be considered before a decision is made to create such a system. The federal government needs a greater understanding of opportunity costs and potential benefits before deciding to pursue such a system as compared to other biosafety improvements. [See comment 7] Accordingly, we recommend that the Matters for Congressional Consideration section include resources and the relative priority of implementing a safety reporting system as compared to other biosafety improvements as additional matters for Congressional consideration. Also, should a decision be made to create a voluntary safety reporting system for all biological laboratories, there will have to be careful consideration of which federal entity will be responsible for implementing the system. Laboratories and laboratorians that are not currently subject to the Select Agent Regulations may be hesitant to voluntarily report incidents to a regulatory body (i.e., the CDC and APHIS Select Agent Programs). If a safety reporting system were the responsibility of the CDC and APHIS Select Agent Programs, this may reduce voluntary reporting. GAO recognizes this concern on page 64 of the draft report. Accordingly, we recommend that the Matters for Congressional Consideration section include consideration of the specific type of program (i.e., regulatory vs. non-regulatory) that should be adopted as a safety reporting system. [See comment 8] There is also potential for confusion about mandatory versus voluntary reporting. The NIH is concerned that compliance with mandatory reporting requirements may go down because lab personnel think that all reporting is voluntary, or that if a reportable incident was entered into the voluntary system that it would suffice for the mandatory reporting to the SAP or NIH. [See comment 9] Comments on Recommendations: To improve the system for reporting the theft, loss, and release of select agents, we recommend that CDC and APHIS consider the following changes to their system: Recommendation 1: Lower the threshold of event reporting to maximize collection of information that can help identify systemic safety issues. CDC disagrees with.this recommendation. The CDC and APHIS Select Agent Programs provide registered entities with guidance on the defined triggers for reporting a possible theft, loss, or release, to help ensure that they are not in violation of the Select Agent Regulations' requirement to report actual releases. We believe that the current thresholds provide a sufficiently robust information flow to monitor safety incidents in regulated laboratories, without imposing an excess reporting burden on the regulated community. [See section: Agency Comments and Our Evaluation] The triggers are: * Occupational exposure: Any event that results in any person in a registered entity facility or laboratory not being appropriately protected in the presence of an agent or toxin. This may include reasonably anticipated skin, eye, mucous membrane, or parenteral contact with blood or other potential infectious materials that may result from the performance of a person's duties. For example, a sharps-related injury from a needle being used in select agent or toxin work would be considered an occupational exposure. * Release: A discharge of a select agent or toxin outside the primary containment barrier due to a failure in the containment system, an accidental spill, occupational exposure, or a theft. Any incident that results in the activation of a post exposure medical surveillance/prophylaxis protocol should be reported as a release. - Primary containment barriers are defined as specialized items designed or engineered for the capture or containment of hazardous biological agents. Examples include biological safety cabinets, trunnion centrifuge cups, and aerosol-containing blenders. For the purposes of assessing a potential select agent release, the laboratory room may be considered a primary containment barrier in facilities meeting the requirements of biosafety level-4 (BSL-4) or BSL-3Ag as described in the 5th edition of the Centers for Disease Control and Prevention/National Institutes of Health (CDC/NIH) Biosafety in Microbiological or Biomedical Laboratories manual. In 2008, the CDC and APHIS Select Agent Programs provided enhanced guidance to the regulated community regarding the reporting of releases of Select agents or toxins.[Footnote 1] This guidance includes examples of reportable incidents and scenarios that can be used by the regulated community to help them identify when they have a reportable incident.[Footnote 2] Since this guidance was published, the CDC Select Agent Program has experienced an increase in the reporting of incidents from the regulated community. We currently receive approximately 130 reports per year. Although we have seen a dramatic increase in the number of reports of incidents, our follow-up investigations have detected little to no increases in confirmed releases. Though GAO focused only on safety reporting systems as a way to strengthen biosafety, the CDC Select Agent Program uses other mechanisms to monitor safety conditions in facilities working with select agents and toxins. These mechanisms help ensure that biosafety incidents arc prevented and, when incidents occur, they are reported and assessed promptly. Assistance also is provided to meet the biosafety requirements of the Select Agent Regulations. The mechanisms are summarized below: Biosafety Planning Training, and Inspections: The Select Agent Regulations (See 42 C.F.R. 73.12) require an entity to develop and implement a written biosafety plan that is commensurate with the risk of the agent or toxin, given its intended use and to provide biosafety training for all individuals working or visiting laboratories. The training must address the particular needs of the individual, the work they will do, and the risks posed by the select agents or toxins. All registered laboratories also must undergo a biosafety inspection by the Programs as a condition for registration and on a routine basis thereafter. The Select Agent Programs may also perform non-routine inspections at registered entities at any time to verify the resolution of findings from a routine inspection, to authorize work in a new building, to investigate a laboratory-acquired infection or other significant incident, or to resolve any other concern that the Select Agent Programs may have. Surveillance of Exempted Laboratories for Thefts Losses and Releases: While clinical and diagnostic laboratories arc exempt from the Select Agent Regulations (42 C.F.R. 73.5, 73.6), they are required, to report any identified select agents contained in a specimen presented for diagnosis, verification, or proficiency testing to the CDC or APHIS Select Agent Program. In addition to the reporting requirement when a select agent is identified, the select agent must be secured against theft, loss, or release during the period between identification and final disposition. In.the event that a release has occurred, exempted laboratories-must report this release.to the CDC or APHIS Select Agent Program. Any reports of possible theft, loss, or release from exempted laboratories are investigated by the Select Agent Programs. Outreach and Guidance: The CDC and APHIS Select Agent Programs provide guidance and support to assist registered laboratories in meeting their biosafety requirements. Each regulated entity is assigned a file -manager to assist the entity in maintaining its registration. The file manager is available by phone, fax, or e-mail to the entity's responsible official to answer questions and provide advice on maintaining the entity's registration. hi addition, the Select Agent Programs maintain the National Select Agent Registry (NSAR) website (www.selectagents.gov) with up-to-date information, including guidance documents, biosafety and security checklists based on national standards, other resource materials, and an e-mail link for questions or requests. Since 2008, the Select Agent Programs have hosted an annual workshop to inform individuals of their legal responsibilities for implementing the select agent regulations. The last workshop was held on June 15, 2010 in Sparks, NV and included a session on the "Inspection Trends and Best Practices for Preventing Occupational Exposures and Biocontainment Breaches." Recommendation 2: Offer limited immunity protections to encourage reporting. CDC disagrees with this recommendation, as the CDC Select Agent Program currently lacks the statutory authority required to offer limited immunity protection as recommended by GAO. Further, we are not aware of any analysis assessing the merit of limited immunity protections as a means to encourage reporting. In accordance with the HHS. Select Agent Regulations, the CDC Select Agent Program refers non- compliance issues, such as a significant biosafety or security concern, to the Department of Health & Human Services, Office of Inspector General (HHS-OIG) for further investigation and enforcement (e.g., assessment of civil money penalties). [See section: Agency Comments and Our Evaluation] However, CDC agrees with the GAO that the identification of safety issues is important and that laboratorians should have an anonymous way to report safety concerns. On April 26, 2010, the CDC and APHIS Select Agent Programs established an anonymous means for reporting select agent safety and security issues through the HHS-OIG fraud, waste, and abuse hotline. This hotline is now available for anyone to anonymously report safety or security, issues related to select agents and toxins. Our communication outreach efforts for this hotline have included sending an c-mailed notification to all responsible officials and alternate responsible officials, posting information regarding the hotline on an international biosafety listserver, and discussing the hotline at the Select Agent Workshop held on June 15, 2010. Information for accessing the hotline is also available on the national select agent website (www.selectagents.gov). Recommendation 3: Develop (1) mechanisms for using safety data for international lab safety improvements efforts and (2) processes for identifying reporting gaps and system evaluation to support targeted outreach and system modification. [See section: Agency Comments and Our Evaluation] For part 1 of this recommendation, CDC agrees that helping to improve international laboratory biosafety is an important activity for CDC as a whole, but disagrees that this should be a specific responsibility for the CDC Select Agent Program. The CDC agrees with part 2 of this recommendation. In the final report, we recommend that GAO clarify the scope of the recommendation and to whom this recommendation is directed (as the recommendations as a whole arc currently only directed at the CDC and APHIS Select Agent Programs). The CDC and APHIS Select Agent Programs' statutory authority to regulate individuals and entities that possess, use, or transfer select agents does not include the authority to regulate laboratories outside the United States. Accordingly, the Select Agent Programs do not receive theft, loss, or release reports from foreign laboratories. Due to the scope of its statutory authority, the Select Agent Programs are not the appropriate programs to focus on improving international biosafety efforts. Other federal government entities (which could include programs in CDC and APHIS other than the Select Agent Programs) would be a more appropriately responsible for such efforts. For example, as a co-publisher of Biosafety in Microbiological and Biomedical Laboratories (currently in its 5d' edition), CDC already has one key mechanism for using safety data for international laboratory safety improvement. CDC also funds and is working with the World Health Organization to update its Laboratory Biosafety Manual. The CDC also provides biosafety training in a variety of countries (through its Global Aids Program funding and the Office of Health and Safety staff) and uses the compiled safety data to assist those counties to improve biosafety. compliance. As for the CDC Select Agent Program, it is working with international partners to increase collaboration on mutual matters of interest. Since 2007, the CDC Select Agent Program has participated in two multinational meetings with biosafety regulators from Canada, the United Kingdom, Australia, Germany, Switzerland, Brazil, Singapore, Japan, and the World Health Organization. The Select Agent Program plans to continue its engagement with this group, and utilize this forum for data-driven discussions an biosafety improvements. For part 2 of the recommendation, we are taking the following actions as noted in HHS' response to the recommendations in the GAO report High-Containment Laboratories: Coordinated National Oversight is Needed (GAO-09-574): "HHS also agrees that lessons learned from laboratory accidents should be synthesized and shared with the broader laboratory community. The APHIS/CDC Form 3 collects information on thefts, losses, and releases of select agents. CDC will work with APHIS to synthesize the data that have been gathered about releases in laboratories registered with the select agent programs, and it will publish and share this analysis in a public report. Please note that HHS and USDA have the ability to gather such data only for laboratories that work with select agents. A separate mechanism must be identified to gather information about releases in laboratories that do not work with select agents." Sharing such information publicly will help inform both domestic and international laboratory biosafety improvements. Footnotes: [1] Section 73.19 of Title 42, Code of Federal Regulations (Notification of theft, loss, or release) requires that upon discovery of a release of an agent or toxin causing occupational exposure or release of a select agent or toxin outside of the primary barriers of the biocontainment area, an individual or entity must immediately notify CDC or APHIS. [2] A previous GAO report (High-Containment Laboratories: Coordinated National Oversight is Needed; GAO-09-574) recommended that the Select Agent Programs develop "a clear definition of exposure." The theft, loss, and release guidance document was updated with additional examples in 2010, to respond to this GAO recommendation. The following are GAO's comments on the Department of Health and Human Services' letter, dated August 16, 2010. GAO Comments: 1. We disagree. We do understand that the scope of statutory authority for the Select Agent Program is limited to registered entities. That is why our recommendations for improvements to the TLR program are directed to the CDC and APHIS, while recommendations for a national SRS for all labs are directed to Congress through matters for consideration. We do not make recommendations for the national SRS to the CDC or APHIS because they do not have authority for labs outside the Select Agent Program. Furthermore, the recommendations, as well as the matters for congressional consideration, are directly linked and logically follow from the data presented in the report. This report has two objectives (the third and fourth) related to an SRS for biological labs and two sets of recommendations that flow from those objectives. We have structured our report this way because we recognize that the statutory authority for the Select Agent Program is limited to the oversight of biosafety at registered entities and that creation of a new safety reporting system would require new authority and resources, in particular: * Objective 3--applying lessons from SRS literature and case studies to assess the theft, loss, and release (TLR) reporting system, part of the Select Agent Program--focuses on the TLR system, and thus applies to only registered entities and associated labs. The recommendations derived from this review of the TLR system are directed to the CDC and APHIS Select Agent Program because they have the statutory authority for this system. * Objective 4--applying lessons from SRS literature and case studies to suggest design and implementation considerations for a national safety reporting system--applies to all biological laboratories, in particular those outside the Select Agent Program. Because there is currently no agency with specific authority for such a system to whom we could direct recommendations, they are directed to Congress through Matters for Congressional Consideration. 2. We disagree. We recognize that implementation of any program has costs. However, evidence from the literature indicates that the benefits of an SRS can far outweigh the costs; this position was also endorsed by experts from the three case study industries. While we certainly encourage the NIH and CDC Select Agent Program efforts to share information that is currently reported, assessing the sufficiency of existing data was not within the scope of this engagement. In its comments to an earlier report on oversight of high- containment labs (GAO-09-574), the HHS agreed with our recommendation that lessons learned should be synthesized and shared with the broader community. They further noted that while the HHS and USDA have the ability to gather such data for laboratories registered with the Select Agent Program, a separate mechanism must be identified to gather information about releases in laboratories that do not work with select agents. A national SRS for all biological laboratories is such a mechanism. In addition, the Trans-federal Task Force on Optimizing Biosafety and Biocontainment Oversight--co-chaired by the HHS and USDA--recommended a new voluntary, nonpunitive incident- reporting system, and pending legislation in both the House and Senate would establish such a system. For these reasons, we did not revisit the issue of whether a nationwide SRS for biological labs is necessary. Instead, we agreed to examine the literature and SRSs in other industries to support effective design and implementation of such a system, should it be established. 3. The concerns raised here do not accurately characterize the message and matters conveyed in the report, and are not supported by evidence from the literature and our case studies. Specifically, (1) our recommendation to allow workers to report in their own words does not equate to "free-form reporting." Rather, it relates to how errors are classified and labeled and where in the process that should take place. (See sections "Lesson 2: Broad Reporting Thresholds, Experience- Driven Classification Schemes, and Processing at the Local Level Are Useful Features in Industries New to Safety Reporting" and "Encouraging Workers to Report Incidents in Their Own Words Facilitates Reporting Initially" for further detail.) In commenting on this issue, an internationally recognized SRS expert at NASA noted that, while highly structured reporting forms may decrease the analytical workload, the data quality is largely sacrificed for this false sense of efficiency. Requiring the reporter to also be the analyst--evaluating aspects of the event--creates unreliable assessments because of the variability in workers' perspectives. Open- field narrative has the best hope of providing insights that are largely unknown by personnel who invent the structured questions. Consequently, allowing workers to report in their own words and applying error classifications at the analytical level serve to improve, rather than degrade, data quality. In addition, an SRS does not inherently produce unintelligible reports, redundant data, lack of quality control, and unreliable statistics. One of our key messages is that determining system goals-- such as for specific analytical capabilities or means to identify specific locations or groups--is essential to do up front, in order to select system features compatible with these goals. In the section "Program Goals and Organizational Culture Guide Safety Reporting System Design and Implementation in Three Key Areas," we describe the pros and cons of different system features and how choices for specific features should logically flow from system goals and assessment of organizational culture. We have recommended, for congressional consideration, certain features for a national SRS for biological labs that appear best aligned with existing information about system goals and lab culture. 4. The importance of culture in SRS design and implementation is foundational in our report, and is reflected in our graphics, findings, conclusions, and matters for congressional consideration. 5. We agree that this is a useful clarification and have made this change, as appropriate, throughout the report. 6. We do not confuse the TLR with a safety reporting system. We are aware that the system serves a regulatory function, and recognize this in the body of the report. However, we also recognize that this is not a dichotomy--the TLR's regulatory function does not preclude its usefulness as a safety tool. In fact, we commend the CDC and APHIS Select Agent Program for recognizing the TLR's potential beyond its mere regulatory function. In particular, in the section "The CDC and APHIS have Taken Steps to Improve the Usefulness of the TLR Reporting System; Lessons from the Literature and Case Studies Suggest Additional Steps," we comment on the agencies' recognition of the system's usefulness for providing safety improvement data and our recommendations reflect enhancements to the system for this purpose. In addition, while we agree that a national reporting system might address the issue of capturing events (such as near misses or identified hazards) that are below the threshold for reporting to the TLR system, no such system currently exists. Consequently, the TLR system is the only system ideally situated to capture this information. 7. We recognize that implementation of any program has costs. However, evidence from the literature indicates that the benefits of an SRS can far outweigh the costs, a position that was also endorsed by experts from the three case study industries. We agree that dedicating resources is essential to successfully implement an SRS program, and this is reflected in the first lesson derived from the case studies-- "Assessment, dedicated resources, and management focus are needed to understand and improve safety culture." However, it is outside the scope of this report to add a matter for congressional consideration to assess the relative priority of implementing a safety reporting system as compared to other biosafety improvements. See also comment #2 above, in response to HHS's earlier remark about evaluating whether, and not how, to develop a national SRS for biological labs. 8. We agree this is an important consideration. In the section "Level of Event: The Severity of Events Captured Generally Determines Whether an SRS Is Mandatory or Voluntary," we note that mandatory reporting is generally preferred when program goals are focused on enforcement of regulations. Serious events--such as accidents resulting in injuries or deaths--are typically the level of event collected in mandatory SRSs, whereas voluntary reporting is generally preferred when learning is the goal. The purpose of a national SRS for all labs would likely be for learning rather than compliance because the SAP program, through the TLR system, already manages the regulatory function for the most dangerous pathogens. Accordingly, it is logical that a national SRS for all biological labs would be a voluntary, nonregulatory system. 9. Evidence from the literature and our case studies does not support this argument. While we appreciate the NIH's concerns about the clarity of reporting requirements, we found that mandatory and voluntary systems are often employed concurrently--sometimes independently and sometimes in complementary roles--because programs face the dual requirements of regulating and promoting safety improvement. In order to ensure appropriate levels of reporting, however, we also note the importance of setting clear goals and reporting thresholds for each system and communicating reporting requirements to the lab community. In addition, evaluation is an important tool for identifying and addressing such problems. Consequently, we recommended evaluation for both the TLR system and the national SRS for biological labs. [End of section] Appendix IV: Comments from the Department of Agriculture: USDA: United States Department of Agriculture: Office of the Secretary: Washington, D.C. 20250: August 30, 2010: Ms. Rebecca Shea: Assistant Director: United States Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Ms. Shea: The United States Department of Agriculture (USDA) has reviewed the U.S. Government Accountability Office's (GAO) draft report, "Biological Laboratories: Design and Implementation Considerations for Safety Reporting Systems" (10-850), and appreciates the opportunity to comment on this report. Thank you for your review of this important issue. While we concur with the Recommendations for USDA, we offer the following perspectives on our ongoing and planned activities to address these Recommendations. GAO Recommendation: To improve the system for reporting the theft, loss, and release of select agents, we recommend that CDC and APHIS consider the following changes to their system: lower the threshold of event reporting to maximize collection of information that can help identify systemic safety issues. USDA Response: Section 331.19 of Title 7 and Section 121.19 of Title 9, Code of Federal Regulations (Notification of theft, loss, or release) requires that upon discovery of a release of an agent or toxin causing occupational exposure or release of a select agent or toxin outside of the primary barriers of the biocontainment area, an individual or entity must immediately notify Centers for Disease Control (CDC) or the Animal and Plant Health Inspection Service (APHIS). In 2008, the APHIS and CDC Select Agent Programs provided enhanced guidance to the regulated community regarding the reporting of releases of select agents or toxins. This guidance includes examples of reportable incidents and scenarios that can be used by the regulated community to help them identify when they have a reportable incident. Key definitions in this guidance document are as follows: * Occupational exposure: Any event which results in any person in a registered entity facility or lab not being appropriately protected in the presence of an agent or toxin. This may include reasonably anticipated skin, eye, mucous membrane, or parenteral contact with blood or other potential infectious materials that may result from the performance of a person's duties. For example, a sharps injury from a needle being used in select agent or toxin work would be considered an occupational exposure. * Primary containment barriers: Specialized items designed or engineered for the capture or containment of hazardous biological agents. Examples include biological safety cabinets, trunnion centrifuge cups, and aerosol-containing blenders. For the purposes of assessing a potential select agent release, the laboratory room may be considered a primary containment barrier in facilities meeting the requirements of biosafey biocontainments level-4 (BSL-4) or BSL-3Ag as described in the 5th edition of the Centers for Disease Control and Prevention/National Institutes of Health (CDC/NIH) Biosafety in Microbiological or Biomedical Laboratories manual. * Release: A discharge of a select agent or toxin outside the primary containment barrier due to a failure in the containment system, an accidental spill, occupational exposure, or a theft. Any incident that results in the activation of a post exposure medical surveillance/prophylaxis protocol should be reported as a release. Since this guidance was published, the APHIS and. CDC Select Agent Programs have experienced a greater than 10-fold increase in the reporting of theft, loss, or release incidents from the regulated community. We currently receive approximately 130 reports annually from the approximately 381 registered entities. Although we have seen a dramatic increase in the number of reports of theft, loss, and release incidents, our follow-up investigations have detected little to no increases in confirmed thefts, losses, or releases. For these reasons, we believe that the current thresholds provide a sufficiently robust information flow to monitor safety and security incidents, without imposing an excess reporting load on the regulated community. In addition to the theft, loss, and release.reporting system, the APHIS Select Agent Program uses other mechanisms to monitor safety and security conditions in facilities working with select agents. These other systems are summarized as follows: Monitoring biosafety/biocontainments through the Select Agent Program Inspections: The Select Agent Program regulatory oversight of laboratories registered to possess, use, or transfer select agents and/or toxins includes biosafety/biocontainment. See 7CFR 331.12 and 9 CFR 121.12. All registered laboratories must undergo a biosafety/biocontainment inspection by the Select Agent Program as a condition for registration and on a routine basis thereafter. The Select Agent Program may also perform non-routine inspections at registered entities at any time to verify the resolution of findings from a routine inspection, to authorize work in a new building, to investigate a laboratory-acquired infection or other significant incident, or to resolve any other concern that the Select Agent Program may have. Surveillance of Exempted Laboratories: The select agent regulations (7 CFR 331.5 and 9 CFR 121.5 and 9 CFR 121.6) exempt clinical or diagnostic laboratories from the requirement of the select agent regulations for so long as they take the specific actions required and/or meet the specific conditions prescribed. Clinical or diagnostic laboratories and other entities (exempted laboratories) that have identified select agents and toxins contained in a specimen presented for diagnosis, verification, or proficiency testing are required by the select agent regulations to report this identification to Select Agent Program by completing APHIS/CDC Form 4, Report of the Identification of a Select Agent or Toxin. In addition to the reporting requirement, the identified select agent or toxin must be secured against theft, loss, or release during the period between identification and final disposition. In the event that a release has occurred, the laboratories must report this release using APHIS/CDC Form 3. Since the isolation of a select agent has the potential for significant public health implications, diagnostic laboratories typically send these isolates to registered reference laboratories for confirmation. Upon confirmation, the registered laboratory files an APHIS/CDC Form 4 with the Select Agent Program, which includes contact information for the submitting laboratory. The Select Agent Program then follows up with the submitting laboratory, and any other laboratory in the transfer chain, to determine if the laboratories have met the requirements outlined in 7 CFR 331.5 and 9 CFR 121.5 and 9 CFR 121.6, including biosafety/biocontainment. Outreach: The APHIS/CDC Select Agent Programs provide guidance and support to assist registered laboratories in meeting their biosafety/biocontainment requirements. Each regulated entity is assigned a file manager to assist the entity in maintaining its registration. The file manager is available by phone, FAX, or Email to the entity's responsible official during normal business hours to answer questions and provide advice on maintaining the entity's registration. In addition, the APHIS/CDC Select Agent Program maintains the National Select Agent Registry (NSAR) website (www.selectagents.gov) with up to date information, including guidance documents, biosafety and biocontainment and security checklists based on national standards, other resource materials, and an e-mail link for questions or requests. Since 2008, the APHIS/CDC Select Agent Program has hosted annual workshops to inform individuals of their legal responsibilities for implementing the select agent regulations. The last workshop was held June 15, 2010 in Sparks, Nevada and included a session on the "Inspection Trends and Best Practices for Preventing Occupational Exposures and Biocontainment Breaches." GAO Recommendation: To improve the system for reporting the theft, loss, and release of select agents, we recommend that CDC and APHIS consider the following changes to their system: offer limited immunity protections to encourage reporting. USDA Response: The APHIS/CDC Select Agent Programs agree that the identification of safety issues is important. On April 26, 2010, Select Agent Program established a confidential means for reporting select agent safety and security issues through the United States Department of Agriculture, Office of Inspector General fraud, waste, and abuse hotline. This hotline is now available for anyone to anonymously report safety or security issues related to select agents and toxins. Our communication outreach efforts for this hotline have included sending an mailed notification to all responsible officials and alternate responsible officials, posting information regarding the hotline on an international biosafety/biocontainment listserver, and discussing the hotline at the Select Agent Workshop held on June 15, 2010. InfOrmation for accessing the hotline is also available on the national select agent website (www.selectagents.gov). In accordance with the APHIS Select Agent Regulations, the APHIS Select Agent Program refers non-compliance issues, such as a significant biosafety/biocontainment or security concern, to the APHIS Investigative and Enforcement Service (IES) for further investigation and enforcement (e.g., assessment of civil money penalties). APHIS, IES, USDA, OIG and HHS, OIG work collaboratively on non-compliance issues that cross departmental jurisdictions. The APHIS Select Agent Program lacks the specific statutory authority required to offer limited immunity protections as recommended by GAO. GAO Recommendation: To improve the system for reporting the theft, loss, and release of select agents, we recommend that CDC and APHIS consider the following changes to their system: develop (1) mechanisms for using safety data for international lab safety improvements efforts and (2) processes for identifying reporting gaps and system evaluation to support targeted outreach and system modification. USDA Response: USDA appreciates the intent of GAO's recommendation in this critical area Further, USDA appreciates GAO's highlighting of the risk involved in working in laboratories that handle human pathogens. As the draft report makes clear, the safety of personnel is and must be paramount importance in those settings. USDA firmly agrees with that position. Indeed, APHIS' processes, procedures, and oversight of safety have been and will remain a priority. It is unclear, however, based on the data presented in the report, that additional regulatory oversight is required in the area of safety. As the report indicates, data suggest that injury and illness rates for these labs are below that of general industry. While deaths have occurred, the numbers are low despite the risk of working with human pathogens. The draft report cites the deaths of 2 laboratory workers in 2000 and notes that a review indicated 14 previously unreported cases resulting in 8 deaths. While those statistics provide additional useful perspective, it is important to note that those 14 cases occurred over the previous 15 years worldwide. This data demonstrates that these types of infections are infrequent. APHIS and CDC laboratory personnel always strive to improve safety. However, it is not clear that adding more regulatory oversight will significantly affect conditions. Anonymous reports, for example, may have their own inherent problems, such as erroneous reports from uninformed employees that will still require follow-up. Targeted education and safety training in high risk areas would likely have the same or better effect, at a fraction of the cost. USDA and APHIS will continue to prioritize laboratory safety. Thank you for allowing us the opportunity to comment on this report. Sincerely, Signed by: Edward Avalos: Under Secretary: Marketing and Regulatory Programs: [End of section] Appendix V: GAO Contact and Staff Acknowledgments: GAO Contact: Thomas J. McCool, (202) 512-2642 or mccoolt@gao.gov: Staff Acknowledgments: In addition to the contact named above, Rebecca Shea, Assistant Director; Amy Bowser; Barbara Chapman; Jean McSween; Laurel Rabin; and Elizabeth Wood made major contributions to this report. [End of section] Bibliography of Articles Used to Develop SRS Lessons from the Literature: Aagaard, L., B. Soendergaard, E. Andersen, J. P. Kampmann and E. H. Hansen. "Creating Knowledge About Adverse Drug Reactions: A Critical Analyis of the Danish Reporting System from 1968 to 2005." Social Science & Medicine, vol. 65, no. 6 (2007): 1296-1309. Akins, R. B. "A Process-centered Tool for Evaluating Patient Safety Performance and Guiding Strategic Improvement." In Advances in Patient Safety: From Research to Implementation, 4,109-125. Rockville, Md: Agency for Healthcare Research and Quality, 2005. Anderson, D. J. and C. S. Webster. "A Systems Approach to the Reduction of Medication Error on the Hospital Ward." Journal of Advanced Nursing, vol. 35, no. 1 (2001): 34-41. Arroyo, D. A. "A Nonpunitive, Computerized System for Improved Reporting of Medical Occurrences." In Advances in Patient Safety: From Research to Implementation, 4, 71-80. Rockville, Md.: Agency for Healthcare Research and Quality, 2005. Bakker, B. "Confidential Incident Reporting Systems For Small Aviation Communities on a Voluntary Basis." Aviation Safety (1997): 790-720. Baldwin, I., U. Beckman, L. Shaw and A. Morrison. "Australian Incidence Monitoring Study in Intensive Care: Local Unit Review Meetings and Report Management." Anaesthesia and Intensive Care, vol. 26, no. 3 (1998): 294-297. Barach, P. and S. D. Small. "Reporting and Preventing Medical Mishaps: Lessons from Non-medical Near Miss Reporting Systems." British Medical Journal, 320 (2000): 759-763. Battles, J. B., H. S. Kaplan, T. W. Van der Schaaf and C. E Shea. "The Attributes of Medical Event-Reporting Systems: Experience with a Prototype Medical Event-Reporting System for Transfusion Medicine." Archives of Pathology & Laboratory Medicine, vol. 122, no. 3 (1998): 231-238. Battles, J. B., N. M. Dixon, R. J. Borotkanics, B. Rabin-Fastmen and H. S. Kaplan. "Sensemaking of Patient Safety Risks and Hazards." Health Services Research, vol. 41, no. 4 (2006): 1555-1575. Beaubien, J. M. and D. P. Baker. "A Review of Selected Aviation Human Factors Taxonomies, Accident/Incident Reporting Systems, and Data Reporting Tools." International Journal of Applied Aviation Studies, vol. 2, no. 2 (2002): 11-36. Beckett, M. K., D. Fossum, C. S. Moreno, J. Galegher and R. S. Marken. "A Review of Current State-Level Adverse Medical Event Reporting Practices Toward National Standards." RAND Health: Technical Report. 2006. Berkowitz, E. G., M. E. Ferrant, L. B. Goben, K. E. McKenna, and J. L. Robey. "Evaluation of Online Incident Reporting Systems." Duke University School of Nursing (2005): 1-27. Billings, C. E. Some "Hopes and Concerns Regarding Medical Event- Reporting Systems." Archives of Pathology & Laboratory Medicine, vol. 122, no. 3 (1998): 214-215. Bloedorn, E. Mining Aviation Safety Data: A Hybrid Approach. The MITRE Corporation, 2000. Braithwaite, J., M. Westbrook, and J. Travaglia. "Attitudes Toward the Large-scale Implementation of an Incident Reporting System." International Journal for Quality in Health Care, vol. 20, no. 3 (2008): 184-191. Centers for Disease Control and Prevention. CDC Workbook on Implementing a Needlestick Injury Reporting System. 2008. Chidester, T. R. Voluntary Aviation Safety Information-Sharing Process: Preliminary Audit of Distributed FOQA and ASAP Archives Against Industry Statement of Requirements. DOT/FAA/AM-07/7. A report prepared at the request of the Federal Aviation Administration. 2007. Clarke, J. R. "How a System for Reporting Medical Errors Can and Cannot Improve Patient Safety." The American Surgeon, vol. 72, no. 11 (2006): 1088-1091. Connell, L. J. Cross-Industry Applications of a Confidential Reporting Model, 139-146. Washington D.C.: National Academy of Engineering, 2004. Council of Europe: Expert Group on Safe Medication Practices. Creation of a Better Medication Safety Culture in Europe: Building Up Safe Medication Practices. P-SP-PH/SAFE. 2006. Dameron, J. and L. Ray. Hospital Adverse Event Reporting Program: an Initial Evaluation. Oregon Patient Safety Commission, 2007. Daniels, C. and P. Marlow. Literature Review on the Reporting of Workplace Injury Trends. HSL/2005/36. Buxton, Derbyshire, UK: Health and Safety Laboratory, 2005. Department of Defense. Assistant Secretary of Defense for Health Affairs. Military Health System Clinical Quality Assurance Program Regulation. DoD 6025.13-R. 2004. Desikan, R., M. J. Krauss, W. Claiborne Dunagan, E. C. Rachmiel, T. Bailey, and V. J. Fraser. "Reporting of Adverse Drug Events: Examination of a Hospital Incident Reporting System." In Advances in Patient Safety: From Research to Implementation, 1, 145-160. Rockville, Md.: Agency for Healthcare Research and Quality, 2005. Evans, S. M., J. G. Berry, B. J. Smith, A. Esterman, P. Selim, J. O'Shaughnessy and M. DeWit. "Attitudes and Barriers to Incident Reporting: A Collaborative Hospital Study." Quality and Safety in Health Care, 15 (2006): 39-43. Fernald, D. H., W. D. Pace, D. M. Harris, D. R. West, D. S. Main and J. M. Westfall. "Event Reporting to a Primary Care Patient Safety Reporting System: A Report from the ASIPS Collaborative." Annals of Family Medicine, vol. 2, no. 4 (2004): 327-332. Flack, M., T. Reed, J. Crowley, and S. Gardner. "Identifying, Understanding, and Communicating Medical Device Use Errors: Observations from an FDA Pilot Program." In Advances in Patient Safety: From Research to Implementation, 3, 223-233. Rockville, Md.: Agency for Healthcare Research and Quality, 2005. Flink, E., C. L. Chevalier, A. Ruperto, P. Dameron, F. J. Heigel, R. Leslie, J. Mannion and R. J. Panzer. "Lessons Learned from the Evolution of Mandatory Adverse Event Reporting Systems." In Advances in Patient Safety: From Research to Implementation, 1-4, 135-151. Rockville, Md.: Agency for Healthcare Research and Quality, 2005. Flowers, L. and T. Riley. State-based Mandatory Reporting of Medical Errors: An Analysis of the Legal and Policy Issues. National Academy for State Health Policy, 2001. Frey, B., V. Buettiker, M. I. Hug, K. Waldvogel, P. Gessler, D. Ghelfi, C. Hodler and O. Baenziger. Does Critical Incident Reporting Contribute to Medication Error Prevention?" European Journal of Pediatrics, vol. 161, no. 11 (2002): 594-599. Ganter, J. H., C. D. Dean, and B. K. Cloer. Fast Pragmatic Safety Decisions: Analysis of an Event Review Team of the Aviation Safety Action Partnership. SAND2000-1134. Albuquerque, N.M.: Sandia National Laboratories, 2000. Gayman, A. J., A. W. Schopper, F. C. Gentner, M. C. Neumeier, and W. J. Rankin. Crew Resource Management (CRM) Anonymous Reporting System (ARS) Questionnaire Evaluation. CSERIAC Report CSERIAC-RA-96-003. 1996. Global Aviation Information Network (GAIN) Working Group E. "A Roadmap to a Just Culture: Enhancing the Safety Environment." Flight Safety Digest, vol. 24, no. 3 (2005): 1-48. Grant, M. J. C. and G. Y. Larsen. "Effect of an Anonymous Reporting System on Near-miss and Harmful Medical Error Reporting in a Pediatric Intensive Care Unit." Journal of Nursing Care Quality, vol. 22, no. 3 (2007): 213-221. Harper, M. L. and R. L. Helmreich. "Identifying Barriers to the Success of a Reporting System. Advances." In Advances in Patient Safety: From Research to Implementation, 3, 167-179. Rockville, Md.: Agency for Healthcare Research and Quality, 2004. Hart, C. A. "Stuck on a Plateau: A Common Problem." In Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence, 147-154. Phimister, J. R., V. M. Bier, and H. C. Kunreuther, Eds. Washington, D.C.: National Academies Press, 2004: Holden, R. J. and B.-T. Karsh. "A Review of Medical Error Reporting System Design Considerations and a Proposed Cross-Level Systems Research Framework." Human Factors; the Journal of the Human Factors Society, vol. 49, no. 2 (2007): 257-276. Holzmueller, C. G., P. J. Pronovost, F. Dickman, D. A. Thompson, A. W. Wu, L. H. Lubomski, M. Fahey, D. M. Steinwachs, L. Engineer, A. Jaffrey, et al. "Creating the Web-based Intensive Care Unit Safety Reporting System." Journal of the American Medical Informatics Association, vol. 12, no. 2 (2005): 130-139. International Atomic Energy Agency. The IAEA/NEA Incident Reporting System: Using Operational Experience to Improve Safety. International Atomic Energy Agency. Safety Culture. A Report by the International Nuclear Safety Advisory Group. Safety Series: 75-INSAG- 4. International Nuclear Safety Advisory Group, 1991. Johnson, C. "Software Tools to Support Incident Reporting in Safety- Critical Systems." Safety Science, vol. 40, no. 9 (2002): 765-780. Kaplan, H. and P. Barach. "Incident Reporting: Science or Protoscience? Ten Years Later." Quality and Safety in Health Care, vol. 11, no. 2 (2002): 144-145. Kaplan, H., J. Battles, Q. Mercer, M. Whiteside and J. Bradley. A Medical Event Reporting System for Human Errors in Transfusion Medicine, 809-814. Lafayette, Ind.: USA Publishing, 1996. Kaplan, H.S. and B. R. Fastman. "Organization of Event Reporting Data for Sense Making and System Improvement." Quality and Safety in Health Care, vol. 12 (2003): ii68-ii72. Khuri, S. F. "Safety, Quality, and the National Surgical Quality Improvement Program." The American Surgeon, vol. 72, no. 11 (2006): 994-998. Krokos, K. J. and D. P. Baker. Development of a Taxonomy of Causal Contributors for Use with ASAP Reporting Systems, 1-59. American Institutes for Research, 2005. Leape, L. L. Reporting of Adverse Events. The New England Journal of Medicine, vol. 347, no. 20 (2002): 1633-1639. Lee, R. The Australian Bureau of Air Safety Investigation, in Aviation Psychology: A Science and a Profession, 229-242. U.K.: Ashgate Publishing, 1998. Martin, S. K., J. M. Etchegaray, D. Simmons, W. T. Belt and K. Clark. Development and "Implementation of The University of Texas Close Call Reporting System." Advances in Patient Safety, vol. 2 (2005): 149-160. Morters, K., and R. Ewing. "The Introduction of a Confidential Aviation Reporting System into a Small Country." Human Factors Digest, vol. 13 (1996): 198-203. Murff, H. J., D. W. Byrne, P. A. Harris, D. J. France, C. Hedstrom, and R. S. Dittus. "'Near-Miss' Reporting System Development and Implications for Human Subjects Protection." In Advances in Patient Safety: From Research to Implementation, 3, 181-193. Rockville, Md.: Agency for Healthcare Research and Quality, 2005. Nakajima,K., Y. Kurata and H. Takeda. "A Web-based Incident Reporting System and Multidisciplinary Collaborative Projects for Patient Safety in a Japanese Hospital." Quality and Safety in Health Care, vol. 14 (2005): 123-129. National Academy of Engineering of the National Academy. 2004. "The Accident Precursors Project: Overview and Recommendations." In Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence, 1-34. Phimister, J. R., V. M. Bier, and H. C. Kunreuther, Eds. Washington, D.C.: National Academies Press, 2004. National Aeronautics and Space Administration. ASRS: The Case for Confidential Incident Reporting Systems. Pub 60. 2001. National Transportation Safety Board. Current Procedures for Collecting and Reporting U.S. General Aviation Accident and Activity Data. NTSB/SR-05/02. 2005. Nguyen, Q.-T., J. Weinberg, and L. H. Hilborne. "Physician Event Reporting: Training the Next Generation of Physicians." In Advances in Patient Safety: From Research to Implementation, 4, 353-360. Rockville, Md.: Agency for Healthcare Research and Quality, 2005: Nielsen, K. J., O. Carstensen, K. and Rasmussen. "The Prevention of Occupational Injuries in Two Industrial Plants Using an Incident Reporting Scheme." Journal of Safety Research, vol. 37 (2006): 479-486. Nørbjerg, P. M. "The Creation of an Aviation Safety Reporting Culture in Danish Air Traffic Control." CASI (2003): 153-164. Nosek, Jr., R. A., J. McMeekin, and G. W. Rake. 2005. "Standardizing Medication Error Event Reporting in the U.S. Department of Defense." In Advances in Patient Safety: From Research to Implementation, 4, 361- 374. Rockville, Md.: Agency for Healthcare Research and Quality, 2005. O'Leary, M. J and S. L. Chappell. Early Warning: Development of Confidential Incident Reporting Systems. NASA Center for AeroSpace Information, 1996. Page, W. D., E. W. Staton, G. S. Higgins, D. S. Main, D. R. West and D. M. Harris. "Database Design to Ensure Anonymous Study of Medical Errors: A Report from the ASIPS Collaborative." Journal of the American Medical Informatics Association, vol. 10, no. 6 (2003): 531- 540. Patankar, M. S. and J. Ma. "A Review of the Current State of Aviation Safety Action Programs in Maintenance Organizations." International Journal of Applied Aviation Studies, vol. 6. no. 2 (2006): 219-233. Phillips, R. L., S. M. Dovey, J. S. Hickner, D. Graham and M. Johnson. "The AAFP Patient Safety Reporting System: Development and Legal Issues Pertinent to Medical Error Tracking and Analysis." In Advances in Patient Safety: From Research to Implementation, 3, 121-134. Rockville, Md.: Agency for Healthcare Research and Quality, 2005. Phimister, J. R., V. M. Bier and H. C. Kunreuther. "Flirting with Disaster." Issues in Science and Technology (2005). Pronovost, P. J., B. Weast, C. G. Holzmueller, B. J. Rosenstein, R. P. Kidwell, K. B. Haller, E. R. Feroli, J. B. Sexton, and H. R. Rubin. "Evaluation of the Culture of Safety: Survey of Clinicians and Managers in an Academic Medical Center." Quality and Safety in Health Care, vol. 12, no. 6 (2003): 405-410. Ramanujam, R., D. J. Keyser and C. A. Sirio. "Making a Case for Organizational Change in Patient Safety Initiatives." In Advances in Patient Safety: From Research to Implementation, 2, 455-465. Rockville, Md.: Agency for Healthcare Research and Quality, 2005. Raymond, B. and R. M. Crane. Design Considerations for Patient Safety Improvement Reporting System. Kaiser Permanente Institute for Health Policy, NASA Aviation Safety Reporting System, and The National Quality Forum, 2000. Rejman, Michael H. Confidential Reporting Systems and Safety-Critical Information, 397-401. Columbus, Ohio: Ohio State University, 1999. Reynard, W.D., C.E. Billings, E.S. Cheaney and R. Hardy. The Development of the NASA Aviation Safety Reporting System, Pub 34. NASA Reference Publication, 1986. Ricci, M., A. P. Goldman, M. R. de Leval, G. A. Cohen, F. Devaney and J. Carthey. "Pitfalls of Adverse Event Reporting in Pediatric Cardiac Intensive Care." Archives of Disease in Childhood, 89 (2004): 856-859. Ruchlin, H. S., N. L. Dubbs, M. A. Callahan and M. J. Fosina. "The Role of Leadership in Installing a Culture of Safety: Lessons from the Literature." Journal of Healthcare Management, vol. 49, no. 1 (2004): 47-59. Schleiffer, S. C. "We Need to Know What We Don't Know." International Air Safety Seminar, 35 (2005): 333-340. Snijders, C., R. A. van Tingen, A .Molendijk, and W. P. F. Fetter. "Incidents and Errors in Neonatal Intensive Care: A Review of the Literature." Archives of Disease in Childhood, Fetal and Neonatal Editon, vol. 92, no. 5 (2007): 391-398. Staender, S., J. Davies, B. Helmreich, B. Sexton and M. Kaufmann. "The Anaethesia Critical Incident Reporting System: An Experience Based Dataset." International Journal of Medical Informatics, vol. 47, no. 1- 2 (1997): 87-90. Stainsby, D., H. Jones, D. Asher, C. Atterbury, A. Boncinelli, L. Brant, C. E. Chapman, K. Davison, R. Gerrard, A. Gray et al. "Serious Hazards of Transfusion: A Decade of Hemovigilance in the UK." Transfusion Medicine Reviews, vol. 20, no. 4 (2006): 273-282. Stalhandske, E., J. P. Bagian, and J. Gosbee. "Department of Veterans Affairs Patient Safety Program." American Journal of Infection Control, vol. 30, no. 5 (2002): 296-302. Stump, L. S. "Re-engineering the Medication Error-Reporting Process: Removing the Blame and Improving the System." American Journal of Health-System Pharmacy, vol. 57, no. 24 (2000): S10-S17. Suresh, G., J. D. Horbar, P. Plsek, J. Gray, W. H. Edwards, P. H. Shiono, R. Ursprung, J. Nickerson, J. F. Lucey, and D. Goldmann. "Voluntary Anonymous Reporting of Medical Errors for Neonatal Intensive Care." Pediatrics, 113 (2004): 1609-1618. Tamuz, M. "Learning Disabilities for Regulators: The Perils of Organizational Learning in the Air Transportation Industry." Administration & Society, 33 (2001): 276-302. Tamuz, M. and E. J. Thomas. "Classifying and Interpreting Threats to Patient Safety in Hospitals: Insights from Aviation." Journal of Organizational Behavior, 27 (2006): 919-940. Taylor, J. A., D. Brownstein, E. J. Klein, and T. P. Strandjord. "Evaluation of an Anonymous System to Report Medical Errors in Pediatric Inpatients." Journal of Hospital Medicine, vol. 2, no. 4 (2007): 226-233. Tuttle, D., R. Holloway, T. Baird, B. Sheehan, and W. K. Skelton. "Electronic Reporting to Improve Patient Safety." Quality and Safety in Health Care, 13 (2004): 281-286. U.S. Department of Energy. Office of Environment, Safety and Health. Occurrence Reporting and Processing of Operations Information. DOE 231.1-2. 2003. U.S. Nuclear Regulatory Commission. Working Group on Event Reporting. Final Report of the Working Group on Event Reporting. 2001. Ulep, S. K. and S. L. Moran. 2005. "Ten Considerations for Easing the Transition to a Web-based Patient Safety Reporting System." In Advances in Patient Safety: From Research to Implementation, 3, 207- 222. Rockville, Md.: Agency for Healthcare Research and Quality. Underwood, P. K (LTC). Medical Errors: An Error Reduction Initiative,1- 75. U.S. Army--Baylor University Graduate Program in Healthcare Administration, 2001. van der Schaaf, T. W. and L. Kanse. Checking for Biases in Incident Reporting, 119-126. Washington D.C.: National Academy of Engineering, 2004. van der Schaaf, T. W. "Medical Applications of Industrial Safety Science." Quality and Safety in Health Care, vol. 11, no. 3 (2002): 205-206. Wallace, B., A. Ross and J. B. Davies. "Applied Hermeneutics and Qualitative Safety Data: The CIRAS Project." Human Relations, vol. 56, no. 5 (2003): 587-607. Webster, C. S. and D. J. Anderson. "A Practical Guide to the Implementation of an Effective Incidence Reporting Scheme to Reduce Medication Error on the Hospital Ward." International Journal of Nursing Practice, vol. 8, no. 4 (2002): 176-183. Weinberg, J., L. H. Hilborne, Q.-T. Nguyen. "Regulation of Health Policy: Patient Safety and the States." In Advances in Patient Safety: From Research to Implementation, 1, 405-422. Rockville, Md.: Agency for Healthcare Research and Quality, 2005. Weiner, B. J., C. Hobgood, and M. Lewis. "The Meaning of Justice in Safety Incident Reporting." Social Science & Medicine, vol. 66, no. 2 (2008): 403-413. Wiegmann, D. A. and T.L. von Thaden. The Critical Event Reporting Tool (CERT); Technical Report. University of Illinois at Urbana-Champaign: Aviation Research Lab, Institute of Aviation. ARL-01-7/FAA-01-2. 2001. Wilf-Miron, R., I. Lewenhoff, Z. Benyamini, and A. Aviram. "From Aviation to Medicine: Applying Concepts of Aviation Safety to Risk Management in Ambulatory Care." Quality and Safety in Health Care, vol.12, no. 1 (2003): 35-39. Wu, A. W, P. Pronovos and L. Morlock. "ICU Incident Reporting Systems." Journal of Critical Care, vol. 17, no. 2 (2002): 86-94. Yong, K. "An Independent Aviation Accident Investigation Organization in Asia Pacific Region--Aviation Safety Council of Taiwan." International Air Safety Seminar Proceedings, 173-180. 2000. [End of section] Bibliography of Other Literature Used in the Report: Barhydt, R. and C. A. Adams. Human Factors Considerations for Area Navigation Departure and Arrival Procedures. A report prepared for NASA. 2006. Besser, R. E. Oversight of Select Agents by the Centers for Disease Control and Prevention. Testimony before Subcommittee on Oversight and Investigations, Committee on Energy and Commerce, United States House of Representatives. 2007: Center for Biosecurity. University of Pittsburgh Medical Center. Response to the European Commission's Green Paper on Bio-preparedness. 2007. Gronvall G. K., J. Fitzgerald, A. Chamberlain, T. V. Inglesby, and T. O'Toole. "High-Containment Biodefense Research Laboratories: Meeting Report and Center Recommendations." Biosecurity and Bioterrorism: Biodefense Strategy, Practice, and Science, vol. 5, no. 1 (2007): 75- 85. Gronvall G. K. Germs, Viruses, and Secrets: The Silent Proliferation of Bio-Laboratories in the United States. University of Pittsburgh Medical Center, Center for Biosecurity, 2007. Gronvall G. K., J. Fitzgerald, T.V. Inglesby, and T. O'Toole. "Biosecurity: Responsible Stewardship of Bioscience in an Age of Catastrophic Terrorism." Biosecurity and Bioterrorism: Biodefense Strategy, Practice, and Science, vol. 1, no. 1 (2003): 27-35. Hallbert, B., R. Boring, D. Gertman, D. Dudenhoeffer, A. Whaley, J. Marble, J. Joe, and E. Lois. Human Event Repository and Analysis (HERA) System, Overview, vol 1. Idaho National Laboratory, U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research. NUREG/CR-6903, 2006. Hallbert, B and A. Kolaczkowski, eds. The Employment of Empirical Data and Bayesian Methods in Human Reliability Analysis: A Feasibility Study. Office of Nuclear Regulatory Research, United States Nuclear Regulatory Commission. NUREG/CR-6949. 2007. Hallbert, B., A. Whaley, R. Boring, P. McCabe and Y. Chang. Human Event Repository and Analysis (HERA): The HERA Coding Manual and Quality Assurance, vol 2. Idaho National Laboratory, U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research. NUREG/CR- 6903. 2007. Harding, A. L. and K. B. Byers. "Epidemiology of Laboratory-Associated Infections." In Biological Safety: Principles and Practices, Third Edition, 35-56. Fleming, D. O. and D. L. Hunt, eds. Washington D.C.: ASM Press, 2000. Helmreich, R. L. "On Error Management: Lessons from Aviation." British Medical Journal, vol. 320, no. 7237 (2000): 781-785. Helmreich, R.L., and A. C. Merritt. Culture at Work in Aviation and Medicine: National, Organizational, and Professional Influences. Brookfield VT: Ashgate Publishing, 1998. Kortepeter, M. G., J. W. Martin, J. M. Rusnak, T. J. Cieslak, K. L. Warfield, E. L. Anderson, and M. V. Ranadive. "Managing Potential Laboratory Exposure to Ebola Virus Using a Patient Biocontainment Care Unit." Emerging Infectious Diseases. (2008). Lentzos, F. "Regulating Biorisk: Developing a Coherent Policy Logic (Part II)." Biosecurity and Bioterrorism: Biodefense Strategy, Practice, and Science, vol. 5, no. 1 (2007): 55-61. Lofstedt, R. "Good and Bad Examples of Siting and Building Biosafety Level 4 Laboratories: A Study of Winnipeg, Galveston and Etobicoke." Journal of Hazardous Materials, 93 (2002): 47-66. Miller, D. and J. Forester. Aviation Safety Human Reliability Analysis Method (ASHRAM). Sandia National Laboratories. SAND2000-2955. 2000. Minnema, D. M. Improving Safety Culture: Recognizing the Underlying Assumptions. Powerpoint presentation for the ISM Workshop, Defense Nuclear Facilities Safety Board, 2007. National Academy of Public Administration for the Federal Aviation Administration. A Review of the Aviation Safety Reporting System: A Report. 1994. Newsletter of the European Biosafety Association. Biosafety Organisation in Spain. EBSA 2001 Newsletter, vol. 1, no. 3 (2001). Paradies, M., L. Unger, P. Haas, and M. Terranova. Development of the NRC's Human Performance Investigation Process (HPIP). NUREG/CR-5455. System Improvements, Inc. and Concord Associates, Inc.,1993. Patankar, M. S. and E. J. Sabin. Safety Culture Transformation in Technical Operations of the Air Traffic Organization: Project Report and Recommendations. St. Louis, Mo.: Saint Louis University, 2008. Patankar, M. S. A "Study of Safety Culture at an Aviation Organization." International Journal of Applied Aviation Studies, vol. 3, no. 2 (2003): 243-258. Patankar, M. S., J. P. Brown, and M. D. Treadwell. Safety Ethics: Cases from Aviation, Healthcare, and Occupational and Environmental Health. Aldershot, U.K.: Ashgate Publishing, 2005. Patankar, M. S. and D. Driscoll. "Preliminary Analysis of Aviation Safety Action Programs in Aviation Maintenance." Proceedings of the First Safety Across High-Consequence Industries Conference, St. Louis, Mo., 97-102. 2004. Patankar, M.S. and J. C. Taylor. Risk Management and Error Reduction in Aviation Maintenance. Aldershot, U.K.: Ashgate Publishing, 2004. Patankar, M. S., T. Bigda-Peyton, E. Sabin, J. Brown, and T. Kelly. A Comparative Review of Safety Cultures. St. Louis, Mo.: Saint Louis University, 2005. Peterson, L.K., E. H. Wight, and M.A. Caruso. "Evaluating Internal Stakeholder Perspectives on Risk-Informed Regulatory Practices for the Nuclear Regulatory Commission." Paper presented at the WM '03 Conference, Tuscon Ariz., 2003. Pounds, J. and A. Isaac. Development of an FAA-EUROCONTROL Technique for the Analysis of Human Error in ATM. DOT/FAA/AM-02/12. Federal Aviation Administration, Office of Aerospace Medicine. 2002. Race, M. S. "Evaluation of the Public Review Process and Risk Communication at High-Level Biocontainment Laboratories." Applied Biosafety, vol. 13, no. 1 (2008): 45-56. Race, M. S. and E. Hammond. "An Evaluation of the Role and Effectiveness of Institutional Biosafety Committees in Providing Oversight and Security at Biocontainment Labs." Biosecurity and Bioterrorism: Biodefense Strategy, Practice, and Science, vol. 6, no. 1 (2008): 19-35. Reason, J. "Human Error: Models and Management." British Medical Journal, vol. 320, no. 7237 (2000): 768-770. Rusnak, J. M., M.G. Kortepeter, R.J. Hawley, A.O. Anderson, E. Boudreau, and E. Eitzen. "Risk of Occupationally Acquired Illnesses from Biological Threat Agents in Unvaccinated Laboratory Workers." Biosecurity and Bioterrorism: Biodefense Strategy, Practice, and Science, vol. 2, no. 4 (2004): 281-93. Scarborough, A., L. Bailey and J. Pounds. Examining ATC Operational Errors Using the Human Factors Analysis and Classification System. DOT/FAA/AM-05/25. Federal Aviation Administration, Office of Aerospace Medicine. 2005. Schroeder, D., L. Bailey, J. Pounds, and C. Manning. A Human Factors Review of the Operational Error Literature. DOT/FAA/AM-06/21. Federal Aviation Administration, Office of Aerospace Medicine. 2006. Sexton, J. B., E. J. Thomas, and R. L. Helmreich. "Error, Stress and Teamwork in Medicine and Aviation: Cross-sectional Surveys." British Medical Journal, vol. 320, no. 7237 (2000): 745-749. Shappell, S. and D. Wiegmann. Developing a Methodology for Assessing Safety Programs Targeting Human Error in Aviation. DOT/FAA/AM-06/24. Federal Aviation Administration, Office of Aerospace Medicine. 2006. Shappell, S., C. Detwiler, K. Halcomb, C. Hackworth, A. Boquet, and D. Wiegmann. Human Error and Commercial Aviation Accidents: A Comprehensive, Fine-Grained Analysis Using HFACS. DOT/FAA/AM-06/18. Federal Aviation Administration, Office of Aerospace Medicine. 2006. GAO. NASA: Better Mechanisms Needed for Sharing Lessons Learned. [hyperlink, http://www.gao.gov/products/GAO-02-195]. Washington, D.C.: January 30, 2002. U.S. Nuclear Regulatory Commission. Advisory Committee on Reactor Safeguards. Review and Evaluation of the Nuclear Regulatory Commission Safety Research Program. NUREG-1635, vol. 7. 2006. U.S. Nuclear Regulatory Commission. Division of Risk Analysis and Applications, Office of Nuclear Regulatory Research. Perspectives Gained From the Individual Plant Examination of External Events (IPEEE) Program. NUREG-1742, vols. 1-2. 2002. Wedum, A. G. "Pipetting Hazards in the Special Virus Cancer Program." Journal of the American Biological Safety Program, vol. 2, no. 2 (1997): 11-21. West, D.L., D. R. Twardzik, R. W. McKinney, W. E. Barkley, and A. Hellman. "Identification, Analysis, and Control of Biohazards in Viral Cancer Research." In Laboratory Safety: Theory and Practice, 167-223. New York, N.Y.: Academic Press, 1980. Wiegmann, D. A. and S. A. Shappell. "Human Error Perspectives in Aviation." International Journal of Aviation Psychology, vol. 11, no. 4 (2001): 341-357. [End of section] Footnotes: [1] Report Of The Transfederal Task Force On Optimizing Biosafety And Biocontainment Oversight. July, 2009. See Appendix D Of The Task Force Report For Injury And Illness Information. [2] In a review of literature published between 1979 and 1999, Harding and Byers (2000) identified 663 cases of subclinical infections and 1,267 overt infections with 22 deaths. Five deaths were of fetuses aborted as the consequence of a maternal LAI. The authors note the general acknowledgment that these numbers "represent a substantial underestimation of the extent of LAIs." Harding, L. And K. Beyers, "Epidemiology Of Laboratory-Associated Infections," in Biological Safety: Principles And Practices, Third Edition (Washington, D.C.: ASM Press, 2000), P. 37. [3] Morbidity And Mortality Weekly Report (MMWR), Vol. 51, No. 07 (Feb. 22, 2002): 141-4. [4] While risks from radiation, toxic and flammable chemicals, and mechanical and electrical hazards are also present in these labs, for the purposes of this report we are primarily focused on the biological risks. [5] The National Academy Of Sciences defines precursors broadly as "the conditions, events, and sequences that precede and lead up to accidents." this definition includes events that are both internal and external to an organization. Phimister et al., Accident Precursor Analysis And Management: Reducing Technological Risk Through Diligence (Washington, D.C.: National Academies Press, 2004). [6] Select Agents are those biological agents and toxins determined by the CDC And/or APHIS to have the potential to pose a severe threat to public health and safety, animal or plant health, or animal or plant products. See 42 C.F.R. §§ 73.3 & 73.4 (CDC - Human And Overlap Agents); 7 C.F.R. § 331.3 (APHIS - Plant); 9 C.F.R. §§ 121.3 & 121.4 (Aphis - Animal And Overlap Agents). [7] Unless exempted under 42 C.F.R. Part 73, 7 C.F.R. Part 331, or 9 C.F.R. Part 121, an entity or individual may not possess, use, or transfer a select agent or toxin without a certification of registration from the CDC Or APHIS. An Individual or entity must immediately notify the CDC Or APHIS And appropriate federal, state, or local law enforcement agencies upon discovering a theft or loss of a select agent or toxin, and notify The CDC or APHIS upon discovering the release of a select agent or toxin. See 242 C.F.R. § 73.19; 7 C.F.R. § 331.19; 9 C.F.R. § 121.19. C.F.R. § 73.19; 7 C.F.R. § 331.19; 9 C.F.R. § 121.19. [8] GAO, High-Containment Biosafety Laboratories: Preliminary Observations On The Oversight Of The Proliferation Of BSL-3 And BSL-4 Laboratories in The United States, [hyperlink, http://www.gao.gov/products/GAO-08-108T] (Washington, D.C.: Oct. 4, 2007) and High-Containment Laboratories: National Strategy For Oversight Is Needed, [hyperlink, http://www.gao.gov/products/GAO-09-574] (Washington, D.C.: Sept. 21, 2009). [9] Labs not working with select agents can be BSL-1, 2, or 3. Some examples of nonselect agents include the micro-organisms that cause HIV, tuberculosis, and typhoid fever. [10] H.R. 1225, 111th Cong. § 203 (2009); S. 485, 111th Cong. (2009). [11] Such an approach--in particular, learning from the experiences of other industries--was recommended in the report of the Transfederal Task Force on Optimizing Biosafety and Biocontainment Oversight. [12] These Agencies include the CDC, NIH, USDA, VA, The Food and Drug Administration (FDA), The Department Of Commerce (DOC), The Department Of Defense (DOD), The Department Of Labor's (DOL) OSHA, The Department Of State (State), The Department Of Justice's (DOH) Federal Bureau Of Investigation (FBI), The Department Of Homeland Security (DHS), The Department Of Energy (DOE), The Department Of The Interior (DOI), and the Environmental Protection Agency (EPA). [13] An entity is defined in the select agent regulations as any government agency (federal, state or local), academic institution, corporation, company, partnership, society, association, firm, sole proprietorship, or other legal body. A registered entity may operate multiple labs within a single facility. 42 C.F.R. §773.1; 7 C.F.R. § 331.1; 9 C.F.R. § 121.1. [14] The Secretary of HHS developed the select agent program in the CDC in response to the Antiterrorism and Effective Death Penalty Act of 1996. The Public Health Security and Bioterrorism Preparedness And Response Act of 2002 revised and expanded the Select Agent Program within the CDC and granted comparable authority to regulate select agents and toxins affecting plants and animals to the Secretary of Agriculture, a responsibility then delegated to APHIS. [15] [hyperlink, http://www.gao.gov/products/GAO-08-108] and [hyperlink, http://www.gao.gov/products/GAO-09-574]. [16] Biosafety In Microbiological And Biomedical Laboratories, Fifth Edition. [17] J. Reason in S.C. Schleiffer, "We Need To Know What We Don't Know," International Air Safety Seminar, 35 (2005): 333-340. [18] C.A. Hart, "Stuck on a Plateau: A Common Problem," In Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence, James R. Phimister, Vicki M. Bier, Howard C. Kunreuther, Eds. (Washington, D.C.: National Academies Press, 2004), 151. [19] J. Reason, "Human Error: Models and Management,"British Medical Journal, Vol. 320 (2000): 768. [20] Barach and Small, "Reporting and Preventing Medical Mishaps: Lessons from Non-Medical Near Missreporting Systems," British Medical Journal, Vol. 320 (2000): 759-763. [21] Gronvall et al., "High-Containment Biodefense Research Laboratories: Meeting Report and Center Recommendations," Biosecurity And Bioterrorism: Biodefense Strategy, Practice, And Science, Vol. 5, No. 1 (2007). [22] A Bibliography of articles used to develop SRS lessons from the literature is available at the end of this report. [23] GAO, Organizational Culture: Techniques Companies Use to Perpetuate or Change Beliefs And Values, [hyperlink, http://www.gao.gov/products/GAO/NSAID-92-105] (Washington, D.C.: Feb. 27, 1992). [24] GAO, Nuclear Safety: Convention on Nuclear Safety is Viewed By Most Member Countries as Strengthening Safety Worldwide, [hyperlink, http://www.gao.gov/products/GAO-10-489] (Washington, D.C.: Apr. 29, 2010). [25] Reason, "Human Error: Models and Management," 768-770. [26] See more about the three key areas of SRS design in a review of the literature in the previous section of this report: Program Goals and Organizational Culture Guide Safety Reporting System Design and Implementation In Three Key Areas. [27] While we collected information on a wide variety of safety reporting programs and systems in the three industries--and in some cases comment on these different programs--we primarily developed our lessons from one reporting program in each of the three industries. We chose to focus on these programs because they represent fairly long- standing, non-regulatory, domestic, industrywide or servicewide reporting programs. [28] Lucian L. Leape Et Al., "Promoting Patient Safety By Preventing Medical Error," Journal Of The American Medical Association, Vol. 280, No.16 (Oct. 28, 1998): 1444-47. [29] National Transportation Safety Board, Aircraft Accident Report-- Transworld Airlines, Inc. Boeing 727-231. NTSB-AAR-75-16 (Washington, D.C., 1975.) [30] According To The NRC, their Allegation Program Evaluates A Broad Range Of Nuclear Safety Concerns Associated With NRC-regulated activities, including, for example, complaints of retaliation for raising nuclear safety concerns. [31] Joseph V. Rees, Hostages of Each Other: The Transformation of Nuclear Safety Since Three Mile Island (Chicago, Ill.: The University of Chicago Press, 1994). [32] Rees, Hostages of Each Other. [33] The Davis-Besse nuclear power plant in Ohio was shut down between 2002 and 2004 because leakage had caused extensive corrosion on the vessel head--a vital barrier preventing a radioactive release. Significant to the failure and to the delay in restarting the plant were NRC's concerns over the plant's safety culture. GAO, Nuclear Regulation: NRC Needs to More Aggressively and Comprehensively Resolve Issues Related to the Davis-Besse Nuclear Power Plant's Shutdown, GAO- 04-415 (Washington, D.C.: May 17, 2004). [34] The PSRS Was discontinued at the end of fiscal year 2009. We Include the PSRS in our case study with the PSIS because it was central to the design of VA's safety reporting program and it operated for nearly 10 years, providing valuable insights for SRS lessons learned. [35] L. Leape Et Al., "Promoting Patient Safety by Preventing Medical Error." [36] National Academy Of Public Administration, A Review of the Aviation Safety Reporting System (1994). [37] GAO, Aviation Safety: Improved Data Quality and Analysis Capabilities Are Needed as FAA Plans a Risk-Based Approach to Safety Oversight, [hyperlink, http://www.gao.gov/products/GAO-10-414] (May 6, 2010). The FAA runs a number of safety reporting systems, several of which are reviewed in this recent GAO Report. See also American Institutes for Research, Best Practices for Event Review Committees (December 2009): 1-2.Ember 2009): 1-2. [38] Despite the increase in the overall number of reports, the proportion of serious reports has declined over the years. Rather than suggesting an increase in safety problems, the increasing number of reports--especially those at the lower half of the risk pyramid-- indicates a robust reporting culture, where workers are more aware of and willing to report safety issues at the incident or concern level. [39] INPO Afforded us substantial access to their liaison. In multiple interviews over the period of the investigation, the liaison explained details of INPO history and policy that are not widely available because of the centrality of confidentiality to INPO's safety operations from its initiation. We confirmed these details, when possible, from documents. The facts we report were further vetted by an official INPO spokesman. We explain inpo's confidentiality efforts later in this report. [40] GAO, Va Patient Safety: Initiatives Promising, but Continued Progress Requires Culture Change, [hyperlink, http://www.gao.gov/products/T-HEHS-00-167] (Washington, D.C.: July 27, 2000). [41] GAO, Va Patient Safety Program: A Cultural Perspective At Four Medical Facilities, [hyperlink, http://www.gao.gov/products/GAO-05-83] (Washington, D.C.: Dec. 22, 2004). [42] W.D. Reynard, C.E. Billings, E.S. Cheaney and R. Hardy, The Development of the NASA Aviation Safety Reporting System, Pub 34, NASA Reference Publication (1986): 25. [43] These Are known as "enforcement incentives" inside the FAA. [44] American Institutes For Research, Best Practices for Event Review Committees. [45] [hyperlink, http://www.gao.gov/products/GAO-05-83]. [46] INPO has specifically defined the criteria for reports "noteworthy" enough that they should be sent onto INPO for central analysis. The criteria include events that caused an unexpected change in conditions or had the potential to cause these changes under slightly different circumstances. [47] In Terms of the risk pyramid, the VA SRS programs expanded reporting from top-level events (accidents) to include midlevel events (incidents). [48] J.M. Beaubien and D. P. Baker, "A Review Of Selected Aviation Human Factors Taxonomies, Accident/Incident Reporting Systems, and Data Reporting Tools," International Journal of Applied Aviation Studies, Vol. 2, No. 2 (2002); M. Tamuz and E. J. Thomas, "Classifying and Interpreting Threats to Patient Safety In Hospitals: Insights from Aviation," Journal Of Organizational Behavior, 27 (2006): 9919-940. [49] In September 2009, The AHRQ published for review a follow-up version to its 2008 Common Formats for adverse medical events, required by the Patient Safety and Quality Improvement Act of 2005. The process of developing these codes stretched over 3 to 4 years. [50] [hyperlink, http://www.gao.gov/products/GAO-10-414]. [51] Academy Of Engineering, Accident Precursor Analysis and Management: Reducing Technological Risk through Diligence (Washington, D.C.: National Academies of Science, 2004): 14. [52] Several Aviation SRSS in other countries have suffered from perceptions they failed to maintain the confidentiality of reporters or from lack of funding. The Canadian Securitas--responsible for receiving safety reports from aviation, rail, and marine industries-- is so under-resourced that its budget supports less than one employees per province. The original aviation reporting system in New Zealand failed due to a breach of confidentiality. An Australian aviation reporting system that had functioned for many years was weakened under social pressures for redress and pressure from the regulator after a fatal aviation accident. Those pressures resulted in an indirect breach of identity and a change in the law toward "natural justice" for reporters. A representative of the Australian SRS reported in 2008 that the number of reports to the SRS had fallen. [53] 14 C.F.R. § 91.25. If the incident is found to involve a violation of regulations, neither civil penalties nor certificate suspension will be imposed as long as the reported action (1) is not deliberate and (2) does not involve a criminal offense, accident, or evidence of incompetence, and the reporter (1) has not been in violation for 5 years and (2) completed and submitted a report under ASRS within 10 days of the incident. Advisory circular AC-00-46d. [54] several other voluntary SRS programs, such as ASAPS, stress corrective actions over punishment, although the FAA can prosecute cases involving egregious acts (e.g., substance or alcohol abuse or the intentional falsification of information). ASAPS provide previously unavailable information rapidly and directly from those responsible for day-to-day aviation operations. While the FAA has limited access to ASAP data, these programs are expected to lead to improvements in aviation safety. [55] [hyperlink, http://www.gao.gov/products/GAO-10-414]. [56] This policy of protecting INPO reports from public disclosure was tested by a request under the freedom of information act (FOIA) for INPO safety reports that had been provided to the NRC. In Critical Mass Energy Project v. Nuclear Regulatory Commission, the U.S. Court of Appeals for the District of Columbia upheld the lower court decision that information voluntarily provided by INPO to the NRC, which was commercial in nature and not customarily released to the public, was confidential and therefore exempt from disclosure under FOIA. 975 F.2d 871 (D.C. Cir. 1992), cert. denied, 507 U.S. 9849 (1993) [57] The NRC also runs a reporting system--the allegations program-- for nuclear safety or regulatory concerns involving NRC regulated facilities and licensed nuclear material. For this program, there are exceptions to FOIA and related regulations that may justify withholding information that would identify an alleger or other confidential source. See 5 U.S.C. §§ 552(b)(6), (7); 10 C.F.R. §§ 9.17(a)(6), (7). Confidentiality is not routinely offered; however, when reporters request it, it is formalized in a letter that establishes several conditions under which confidentiality will not be preserved, such as a request from Congress or state or federal law enforcement bodies. [58] Rees, Hostages Of Each Other. [59] Pub. L. No. 109-41, 119 Stat. 424 (July 29, 2005). [60] GAO, Patient Safety Act: HHS is in the Process of Implementing the Act, So Its Effectiveness Cannot Yet be Evaluated, [hyperlink, http://www.gao.gov/products/GAO-10-281] (Washington, D.C.: Jan. 29, 2010). [61] National Academy of Public Administration, A Review of the Aviation Safety Reporting System. [62] GAO, Nuclear Safety: Convention on Nuclear Safety Viewed by Most Member Countries As Strengthening Safety Worldwide, [hyperlink, http://www.gao.gov/products/GAO-10-489] (Washington, D.C.: Apr. 29, 2010). [63] There are four major parts of the inspection review process: (1) performance indicators, (2) analysis of corrective action reports (data mining that looks for word trending), (3) plant evaluation process (on-site interviews with a variety of staff areas and levels), and (4) safety culture surveys. [64] See The AHRQ Web Site, [hyperlink, http://www.ahrq.gov/about/psimpcorps.htm]. [65] Rand Corporation, Evaluation of the Patient Safety Improvement Corps: Experiences of the First Two Groups Of Trainees (2006). [66] P.D. Mills, J. Neily, L.M. Kinney, J. Bagian, W.B. Weeks, "Effective Interventions and Implementation Strategies To Reduce Adverse Drug Events in the Veterans Affairs (VA) System," Quality and Safety In Health Care, 17 (2008): 37-46. [67] While we sometimes refer to the agencies generally, this section specifically applies to the CDC and APHIS Select Agent Program. [68] Under the Select Agent Regulations, individuals or entities must immediately notify the CDC or APHIS and appropriate federal, state, or local law enforcement agencies upon discovering a theft or loss of a select agent or toxin, and notify the CDC or APHIS upon discovering the release of a select agent or toxin. See 42 C.F.R. § 73.19; 7 C.F.R. § 331.19; 9 C.F.R. § 121.19. The individual or entity that discovered the theft, loss, or release must submit an APHIS/CDC form 3 (report of theft, loss, or release of select agents and toxins) within 7 calendar days lease of select agents and toxins) within 7 calendar days. [69] For example, patankar et al. note that, "There are three key issues regarding research and measurement of safety culture: (a) survey instruments take a 'snapshot' measurement of safety climate. When such measurements are repeated across multiple organizational units and conducted repeatedly over a reasonably long time (over five years), a cultural assessment can be developed. (b) A rigorous analysis of the various factors that influence safety climate/culture needs to be conducted so as to better understand the inter- relationship among these factors and their individual, group, and cumulative influence on the overall safety climate/culture... (c) Results from measurements need to be distributed consistently throughout the organization so that everyone is fully aware of their contributions to the goals and are able to make timely actions/changes that are consistent with the organizational goals." M. S. Patankar, T. Bigda-Peyton, E. Sabin, J. Brown, and T. Kelly, A Comparative Review Of Safety Cultures (St. Louis, Mo.: Saint Louis University, 2005). [70] GAO, Va Patient Safety Program: A Cultural Perspective at Four Medical Facilities, [hyperlink, http://www.gao.gov/products/GAO-05-83] (Washington, D.C.: Dec. 15, 2004); and R.L. Helmreich and A.C. Merritt, Culture at Work in Aviation And Medicine: National, Organizational, and Professional Influence (Brookfield VT, U.K.: Ashgate Publishing, 1998). [71] National Nuclear Security Administration, Lessons Learned and Recommendations from Review Off NASA's Columbia Accident Investigation Board Report (2004). [72] S.M. Evans Et Al., "Attitudes and Barriers to Incident Reporting: A Collaborative Hospital Study," Quality and Safety in Health Care, 15 (2006): 39-43; And Tamuz, M. And E. J. Thomas, "Classifying and Interpreting Threats to Patient Safety in Hospitals: Insights from Aviation," Journal of Organizational Behavior, 27 (2006): 919-940. [73] B.J. Weiner, C. Hobgood, and M. Lewis, "The Meaning of Justice in Safety Incident Reporting," Social Science & Medicine, Vol. 66, No. 2 (2008): 403-413. [74] Also Available At [hyperlink, http://www.selectagents.gov/resources/CDC- APHIS_Theft_Loss_Release_Information_Document.pdf.] [75] The literature and case studies also suggest that reporting increases do not necessarily signal an increase in safety problems, but rather an increased awareness of reportable incidents and trust in the reporting system. [76] This may include reasonably anticipated skin, eye, mucous membrane, or parenteral contact with blood or other potential infectious materials that may result from the performance of a person's duties. [77] A.L. Harding and K. B. Byers, "Epidemiology of Laboratory- Associated Infections," in Biological Safety: Principles and Practices, Third Edition, D.O. Fleming and D. L. Hunt, eds. (Washington D.C.: ASM Press, 2000), 35-56. [78] BD Biosciences' Aerosol Management Option (AMO) System, Model 333728 (US) And 333729 (Europe). [79] 42 U.S.C. § 262a(h) (Disclosure Of Information). [80] In April 2010, the labs were provided a confidential means, by the agencies, for reporting safety and security issues associated with the possession, use, and transfer of select agents and toxins. HHS's Office of Inspector General Maintains a hotline that allows individuals to anonymously report fraud, waste, and abuse in all departmental programs. This hotline is now available to anonymously report safety or security issues related to select agents and toxins. [81] Entities That continue to have repeat noncompliance of the Select Agent Regulations can be placed on a performance improvement plan. Entities can also be referred to the Office of Inspector General (OIG) for Select Agent violations, which can result in civil monetary penalties. [82] (1) Administrative Actions: The CDC And APHIS may deny an application or suspend or revoke a registered entity's certificate of registration. (2) Civil money penalties or criminal enforcement: the CDC refers possible violations of the select agent regulations to the HHS's Office of Inspector General (OIG). The HHS-OIG can levy civil money penalties (for an individual, up to $250,000 for each violation and, for an entity, up to $500,000 for each violation) or recommend criminal enforcement (imprisonment for up to 5 years, a fine, or both). APHIS relies on its own investigative unit, USDA Marketing And Regulatory Programs--Investigative And Enforcement Services (IES), for initial investigations of potential select agent violations. Like the HHS-OIG, IES can levy civil money penalties or recommend criminal enforcement. IES refers potential criminal violations to USDA'S OIG. (3) Referral to the Department Of Justice: the CDC or APHIS can refer possible criminal violations involving select agents to the department for further investigation or prosecution. [83] 14 C.F.R. § 91.25. If the incident is found to involve a violation of regulations, neither civil penalties nor certificate suspension will be imposed as long as (1) the reported action is not deliberate and does not involve a criminal offense, accident, or evidence of incompetence and (2) the reporter has not been in violation for 5 years and completed and submitted a report under ASRS within 10 days of the incident. FAA Advisory Circular 00-46D. [84] GAO, Results-Oriented Government: GPRA Has Established a Solid Foundation For Achieving Greater Results, [hyperlink, http://www.gao.gov/products/GAO-04-38] (Washington, D.C.: Mar. 10, 1994). [85] See appendix II For a summary of lessons derived from the literature and case studies that can be applied to an SRS for biological labs. [86] The total number and locations of all biological laboratories is unknown, and, as a result, in a 2009 report (GAO-09-574), we recommended that a process to identify them be initiated. In addition, there is no centralized oversight responsibility for labs except for those registered with the select agent program. Lab safety is generally covered through the OSHA or state regulations for general organizational safety. The principles of biosafety and biocontainment have been articulated in two key documents, the NIH guidelines for research involving recombinant DNA Molecules (NIH Guidelines) and the CDC-NIH Manual, Biosafety in Microbiological and Biomedical Laboratories. Research that involves recombinant DNA molecules may be subject to the NIH Guidelines. Compliance with the NIH guidelines is a term and condition of NIH grants and thus is mandatory for all institutions that receive NIH funding for recombinant DNA research. In addition, a number of other federal agencies (e.g., the Department Of Energy, Department of the Army, USDA, And VA to name a few) have made compliance with the NIH guidelines a term and condition of research grants and a requirement for their own intramural research activities. Although adherence to the BMBL is voluntary, the manual is a widely accepted code of practice for biosafety and biocontainment in all microbiological and biomedical laboratories in the United States and in many other countries. [87] While entity-specific information is protected from release under FOIA, after the CDC provided the data in response to a congressional request, specific entity information was somehow leaked to the media. [88] Harding, L. and K. Beyers, "Epidemiology of Laboratory-Associated Infections," In Biological Safety: Principles And Practices, Third Edition (Washington, D.C.: ASM Press, 2000), P. 37. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: