Historically, the mechanical engineer has never had to bother much with the security end of the building services business, as this was left to the architect, the electrical engineer, and perhaps the security sub-consultant. Times have certainly changed, not only with the events of September 11, 2001, but also with the violent weather that recently impacted the U.S. Gulf Coast.

Today, the mechanical engineer, or more specifically the ventilation engineer, has become more involved in protecting, hardening, and fortifying both high-profile buildings and those housing important functions. Facility owners are currently spending a lot of money - especially the largest building owner, Uncle Sam - on assessing the risks imposed by various threats and hazards, determining the associated vulnerabilities with these risks, and then developing mitigation strategies.

The term "threat" is used to describe any man-made indication, circumstance, or event with the potential to cause the loss of, or damage to, an asset. Its synonyms include danger, menace, hazard, risk, and peril. Within the intelligence community, law enforcement, or the military, the word is typically used to describe an aggressor or an adversarial action or event, such as terrorists or acts of terrorism and other man-made events or hazards. Agencies such as the Federal Emergency Management Agency (FEMA) and other civil agencies use the term "hazard" instead of "threat" to refer to acts of terrorism, technological hazards, and "natural hazards" such as a flood, wind, or seismic disaster.


One of the first steps in the risk assessment process (Figure 1) is determining the asset value of the facility being examined. A common approach is to break a facility down into components and systems and to then separately evaluate each for the effect that its destruction would have on occupants as well as the specific function, operation, or mission. Facility assets typically evaluated include the building site and utilities, architectural features, structural components, the building envelope, mechanical and electrical infrastructure, fire alarm, security, IT, and communication systems. A high rating would mean that loss or damage to this asset would have grave consequences such as extensive loss of life, severe injuries, or major loss of the building's mission, whereas a low rating would mean that loss or damage to the asset would have minor consequences or impact. For example, a government command and control center or a data center for a financial institution might have a higher rating on its mechanical and electrical infrastructure than, say, a low-rise office building.

Next in the process is the threat and hazard identification and rating. Although certain threats and hazards may be obvious, such as a property sitting in the 100-yr flood plain or next to a rail yard that could convey toxic chemicals, others will require the help of government entities such as law enforcement, emergency management, and the Department of Homeland Security. They can identify possible aggressors as well as nearby industrial properties that handle volatile materials.

There are excellent checklists available to guide a team in conducting a vulnerability assessment. A good place to start is with the FEMA documents listed at the end of this article. Knowing the specific threats and hazards allows for an engineering and security analysis of the vulnerability of each component of the facility. The assessment uncovers weaknesses of the site, facility, and its infrastructure to these potential threats and hazards. In addition, a good assessment can also uncover deficiencies in the building that pose threats to the occupants or mission of the facility that were not previously considered. These can include poorly maintained systems, lack of redundancy, or building code violations.

Once the asset values are established, the threats and hazards identified, and the vulnerabilities determined, then the risk assessment can be performed. Risk is defined as the potential for a loss or damage to an asset. A simple methodology is to rank and assign numeric values to assets, threats, and hazards as well as vulnerabilities, and then multiply each of these values to determine the risk associated with each threat or hazard according to a formula that might be similar to the following:

Risk = Threat Rating x Asset Value x Vulnerability Rating

The steps outlined above provide insight into what needs to be done to more effectively protect critical assets against a terrorist attack or other malevolent act, event, or natural hazard. The vulnerability of an asset or target is generally based on the absence of measures that would prevent the asset's loss or failure given a specified threat or hazard. In this respect, the risk assessment provides a basis for determining what needs to be done to prevent the failure of an asset or function in the event of an attack or incident involving specific threats or hazards.

It is important to remember that the resulting risk value includes the probability of the threat occurring and the consequences or impact of the occurrence. Therefore, it is possible for a risk score to reflect either a very high likelihood of occurrence with very small consequences or very low likelihood of occurrence with very grave consequences. The first might require only simple low cost mitigation measures, but the latter may require more costly and complex mitigation measures. High-risk combinations of assets against associated threats, with the identified vulnerability, allow prioritization of resources to implement mitigation measures.


The results of the assessment will obviously vary considerably depending on the type of facility involved. For instance, a hospital or school will be concerned about protecting the life of the occupants above all else, where loss of life would be a secondary consideration at a facility that houses critical communications infrastructure. The last step of the process identifies options to mitigate or reduce the risk associated with asset failure. The management decisions as to where to allocate resources to implement mitigation options and reduce or minimize risks over time are commonly referred to as risk management.

Readers of this magazine will most likely be concerned with mitigation measures that deal with a building's mechanical systems. Securing and protecting the mechanical utilities that serve a facility, as well as ensuring adequate levels of redundancy, usually receive much attention when considering which mitigation measures to pursue. These physical security measures include preventing access to outdoor air intakes by either relocating or extending them well above grade and preventing public access to mechanical areas. However, when it comes to mechanical systems, ventilation issues always seem to top the list. When considering threats to the ventilation system, it is important to consider the source of the threat -- that is, whether it is internal to the building or external.

A common scenario for an internal release is a package that is delivered through a loading dock or shipping/receiving area and perhaps makes its way to a mailroom where it is then opened, releasing the airborne threat. Mitigating design features might include placing these areas on independent ventilation systems, allowing them to be isolated from the rest of the building in order to contain the threat. Lobbies and other public spaces may also warrant this type of approach. These systems could also be designed to operate at a negative pressure in order to impede migration of the aerosol into uncontaminated areas.

An external release could be the result of a terrorist act, or simply a technological hazard such as a chemical spill. The simplest approach is the "shelter-in-place" concept, which involves shutting off the outside supply to the building's HVAC systems until the airborne threat has passed. This scenario relies on timely notification from authorities and a quick response from building management. Not only should the outside air dampers be closed, but also exhaust fans should be turned off, otherwise the building would be pulling negative pressure and jeopardize the success of the sheltering concept.

It is important to note that no matter what the situation, outside air intakes of an occupied facility should never be permanently closed off. Additionally, the facility should not modify the HVAC system without first understanding the effects on other building systems such as fire protection and life safety systems. In short, control strategies must not compromise building performance during normal conditions.

If the threat to a particular building is more likely and the facility is more critical in nature, perhaps requiring an extended occupancy, then it is not feasible to stop ventilation entirely. Sheltering in place may only be feasible for short time periods, perhaps up to two hours in duration. In this case, an emergency ventilation system (Figure 2) would be required to replenish the oxygen consumed and to remove CO2 and other contaminants. This system might consist of a filtration system capable of removing the airborne threat as well as a control system to handle the switchover from normal to emergency operation. This type of system has the added advantage of pressurizing the facility to limit infiltration of the airborne threat.

Sensors, monitors, and other means of forewarning are not presently available or not reliable for many contaminants. Therefore, a simple manual toggle switch to activate shelter-in-place or emergency ventilation mode may be the best approach for the foreseeable future. The concept of trigger sensors should be explored as an alternative to manual switchover. This could involve using readily available sensors to detect a proxy such as VOCs or particles in unusual concentrations for activation until verification of an actual threat can be determined by other means.


Certain types of facilities will be able to justify costs associated with the installation, operation, and maintenance of advanced air cleaning technologies designed to protect against chemical, biological, and radiological (CBR) attack. These critical facilities may have systems that continually pass all conditioned air through banks of filters before distributing it to occupied areas. This requires large filter surface areas, additional mechanical space, and extra fan horsepower. A less expensive approach is to install an emergency bypass filter system that would handle only the quantity of outdoor air required for minimum ventilation. This system would have a booster fan to overcome the resistance of these specialized filters. It is important to note that this type of system would only protect the facility when indexed to the emergency mode.

The development of the HEPA filter during World War II was critical in providing the necessary protection for researchers working on atomic energy programs. These filters are constructed of fiberglass "paper" that is pleated to maximize the surface area of the filter and have a minimum particulate removal of 99.97% for particles of 0.3 microns. The randomly oriented microfibers cause the particles in the airstream to move in a circuitous path, forcing even the smallest particles to collide with and adhere to the filter. These filters can contain radioactive dust particles and biological agents, as well certain chemical aerosols.

Particulate filters are not capable of removing gases and vapors, which is why sorbent filters are used in conjunction with them to protect facilities from airborne threats. Activated carbon is the most common sorbent material and works by providing an incredibly large surface area of up to 10,000 sq ft/gram, for gases and vapors to attach by chemical attraction in the process called adsorption. Materials such as coal, wood, and coconut shells are heated to high temperatures and treated with steam to produce a highly porous end product.

Sorbent filters should be placed downstream of particulate filters so as to absorb gases and vapors that might off-gas from particles captured in the particulate filters upstream. Two beds of sorbent filters are often used in series to achieve the residence time required for an adequate level of protection. Residence time is the amount of time that an agent is in contact with the sorbent and is a function of the bed volume and fluid flow rate.

The filter housings on contaminated airstreams should be constructed to facilitate decontamination or should be of the bag-in/bag-out design. The bag-in/bag-out design should also be of the fluid seal type that incorporates a knife-edge that mates into a fluid-filled perimeter channel on the face of the filter. As a safety measure, the filter locking arm and access door should interface in such a manner that minimizes the possibility of the door being closed until the filters are correctly seated in the housing.

Although UV light cannot clean air like a filter does, it certainly can be employed to disinfect an airstream. A specialized part of the UV spectrum termed UVC is especially detrimental to the DNA of microorganisms, rendering them incapable of reproduction. A good strategy is to place the lamp array on the final filter bed to irradiate the captured particles. It should be noted that design precautions should be taken as UV light can cause skin irritation and severe eye damage. Access doors to UV chambers should have warnings or cutout switches.


Conducting risk assessments and vulnerability analyses may be a burgeoning field, but a whole team of subject matter experts is required to execute them properly. These experts can discern weakness to physical security and structural systems as well as mechanical and electrical infrastructure components. When it comes to a facility's ventilation system, it is important to consider both internal and external threats and hazards and make sure the potential mitigation measures do not compromise the comfort of occupants during normal operation or interrupt life safety systems at any time. ES


U.S. Department of Health and Human Services, Centers for Disease Control and Prevention and National Institutes of Health, Guidance for Filtration and Air-Cleaning Systems to Protect Building Environments, April 2003.
U.S. Department of Health and Human Services, Centers for Disease Control and Prevention and National Institutes of Health, Guidance for Protecting Building Environments from Airborne Chemical, Biological or Radiological Attacks, May 2002.
Federal Emergency Management Agency, Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings (FEMA 426), December 2003.
Federal Emergency Management Agency, Risk Assessment, A How-To Guide to Mitigate Potential Terrorist Attacks Against Buildings (FEMA 452), January 2005.