While my first two columns explored resilience and its relationship with sustainability, this column will provide some basic information about HVACR security with an eye toward covering the topics in more detail in the future. 

Most of the time, when we talk about security, our thoughts run to terrorism or other deliberate acts; however, it’s much more likely that an accidental event, whether a chemical spill from a truck overturning outside a building or human error in operations, is what will drive the need for HVACR security in your building systems. That means that at least some consideration of security issues is part of every project.

Because of this, basic security steps are, or at least should be, implemented in all buildings regardless of the presence of any higher level security risks. These include items such as providing locks on mechanical room doors, taking measures to prevent unauthorized persons from manipulating the temperature controls, etc. In addition to enhancing basic security, these precautions also address issues such as controlling the indoor environment, making sure filters stay in place, and preventing accidental damage to the equipment.

Once you start considering higher levels of security, the appropriate countermeasures necessarily involve some level of risk analysis. The reason for this is that different buildings or facilities obviously have different risks. The potential security issues for a suburban residential building are clearly fewer than those for a high-profile corporate skyscraper, government facility, or an industrial plant handling hazardous materials. The nature of the risk assessment can vary greatly, ranging from, for a low-risk project, possibly just past experience or a simple thinking-through of the possibilities, to a full-fledged risk analysis performed by experienced professionals using the latest knowledge and tools.

There is some guidance available to help with security design for HVACR systems. ASHRAE Guideline 29 presents a framework for risk analysis, and the American Society of Civil Engineers (ASCE) has published a Building Security Rating System that contains a simplified method for risk analysis. The ASCE method considers both the threat — how likely is a given threat to occur for your building — and the impact — what are the consequences of an event. The combination of the threat and impact determines the appropriate level of risk for design consideration, and thus the countermeasures that should be implemented.

A useful set of questions that can help focus design efforts is found in FEMA 426, Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings. The questions are paired with guidance and range from “Where are the air intakes and exhausts located?” to “What are the types and efficiency of air filtration?” to “Does the HVAC maintenance staff have the proper training, procedures, and preventive maintenance schedule to ensure CBR equipment is functional?” This last question is crucial, since even the best design will not serve its intended purpose, whether for resilience, security, or normal operations, if the system is not properly installed, commissioned, and maintained. 

Chapter 61 of the ASHRAE Applications Handbook discusses risk analysis and security measures in a general sense but also provides some basic steps that can be used to reduce risks. In addition, the handbook provides descriptions of the threats posed by chemical, biological, radioactive, and explosive events with some references for obtaining further information. As yet there is no single reference that provides all the material needed to design HVACR systems for enhanced security, but with a little digging and connecting of the dots, an engineer can put together a security plan for most typical facilities.

Cybersecurity was not addressed in this column, even though it is a major concern as our buildings and their systems become more interconnected, accessible, and, therefore, more vulnerable. The recent hacking of a water treatment facility has highlighted the cybersecurity threat for what are commonly considered nontraditional targets. Any system connected to the outside world is potentially subject to unwanted intrusions, while internal actors remain the greatest threat for most facilities. Cybersecurity is a complex topic on its own, which I’ll discuss further in future columns.