When one thinks about building security one will most likely think “terrorist attack.” Some will think of life safety, access control, or surveillance systems managed from the building’s security control center. Seldom does one think about building security pertaining to HVAC systems beyond threats involving breathable air, such as the introduction of toxic chemicals through air intake louvers. The purpose of this article is to raise awareness of the need to have a HVAC security plan in place for non-nefarious but unplanned events such as non-terrorist incidents/accidents and natural events that can have a significant effect on an existing building’s HVAC systems that apply to all facility applications. O&M is key to mitigating the effects of such situations.

When the 2011 ASHRAE Handbook — HVAC Applications was published, Chapter 58 had been significantly revised, including changing its title to “HVAC security” in an effort to shed light on design intent, construction administration, commissioning and recommissioning, and some of the possible effects on buildings, their systems, and their occupants. A three-topic seminar was also provided that year at the ASHRAE annual meeting to further educate those in attendance of the importance of everyday HVAC security awareness and the importance of considering it when doing building management planning

To achieve a more specific protocol, facility management has a responsibility to update its existing HVAC security basis of design (BofD) document, and, if no such document exists, create one. To create one, management should assemble a HVAC security team and complete a risk assessment and then develop a HVAC security plan for O&M of the building. If the building is old enough to have had a major renovation or change in use, then the team will have to revise the BofD.

To undertake such an initiative, it is recommended that this team follow time-tested problem-solving procedures based on one of a number of quality control (QC) methods. The makeup of this HVAC security team should, at a minimum, consist of the building’s facility engineer as team leader and/or a third-party consultant/facilitator, the building manager, mechanical and electrical trade technician representatives, a building security representative, and a building control system computer operator, and depending on the building use, enduser representative(s). The team may consider including a state or local safety authority to make sure officials outside the building are aware of the HVAC security policies and procedures within the building.


The newly formed team must start its task of updating the O&M of HVAC systems from an HVAC security point of view by first determining and recording the BofD. It is suggested that consideration be given to posting specific parts of the document in key building locations and electronically distributing it to those who need to know the HVAC security action plan. Caution will be needed so as to not make key information available to those who would use the security plan to threaten the building.

 The security plan should contain the following components, requirements, capabilities, and limitations, which should be included in the BofD document when applicable:

• Existing systems, location, areas served, capacities, sequence of operation, and associated interlocked systems (e.g., AHU-1, located in basement, serving first floor only, providing 6 ach with a return-exhaust air economizer system and one general exhaust system resulting in a first floor positive pressure of 0.25 ach). The sequence of operation is always important to include in the BofD so that everyone on the team knows exactly when the system operates and when it is off (e.g., listing a specific day-to-day on-off schedule).

• Safety and alarm features of each system should be documented. Consideration needs to be given to who will make decisions during incidents and how they will decide which subsystems to leave on and which to shut down and when (e.g., high-security space where occupants can’t be easily removed).

• Air filtration type and capture capabilities must be documented in the system-by-system BofD so that enhancements can be made in the solution implementation phase if necessary.


Once the BofD has been finalized, the team should follow a  seven-step quality control process (data collection, data analysis, solution planning, solution implementation, monitoring and measuring, benchmarking, and continuous improvement) beginning with risk assessment (data collection) followed by risk analysis (data analysis).



The HVAC building system security team should begin risk assessment only after the most current BofD document has been completed. This will give them a clear understanding of the HVAC system’s capabilities. Skipping the BofD probably will result in a misunderstanding of how these systems are designed to function.

Even if there were limited HVAC security design intent documentation, there may be some security features within the HVAC design, such as smoke detectors in the AHUs and/or duct distribution, zone isolation smoke dampers, or an engineered smoke control system. Skipping  the BofD could cause the team to overlook other features not common to standard design. (e.g., a special chemical spill evacuation sequence of operation).

I suggest creating a checklist — a QC tool developed in anticipation of collecting operation and maintenance details — as the first step in risk assessment (Figure 1). This checklist will assist in providing thorough and consistent data collection reporting when collecting the pertinent information specific to HVAC building system security.

Some questions to be asked when compiling a risk assessment checklist include:

• What is the building use: highly critical (e.g., unique operation), enhanced (e.g., high population within), and/or baseline (e.g., commercial offices)?

• What is within the vicinity of the building that could be a security threat (railroad transportation, truck traffic, etc.)?

• What are the environmental elements that could be a threat to the building HVAC equipment (river flooding, in tornado zone, etc.)?

• What is the occupant mix in the building (government personnel, open to the public, etc.)?

• What operations will the facility and/or occupants be conducting (few occupants but mission critical operation, long-term inpatients, 9-to-5 employees, etc.)?

• What is the planned response to each type of credible incident (will occupants evacuate, shelter-in-place, remain fully operational, etc.)?

• Will occupants be required to remain within the building (high-security prison, etc.)?

• How will building management become aware of an event, and what is the likely lead time (immediately from explosion, anticipated from pending weather, etc.)?

• What level of protection is required against threats (isolate the incident area, evacuate the floor or building, etc.)?

• Will some occupants have planned responses that differ significantly from the general building plan?

• Does the building have its own security team and/or consultant?

• What life-safety measures are part of the HVAC system (engineered smoke system, emergency power, etc.)?

• Are there any unique environmental health concerns within the building (explosive atmosphere, laboratory, etc.)?


Other things to consider when developing the risk assessment checklist are:

• Potential materials that could be hazardous if spilled or used:

• Chemical and biological agents

• Radiological fallout

• Toxic industrial chemicals

• Conventional explosions


• What dispersal mechanisms could occur?

• Sprayers

• Munitions/explosions

• Direct release

• Aerial release


• The source resulting in this breach of security:

• An internal release by accident or intentionally

• An external release also occurring by accident or intentionally

• By mail/package delivery most likely occurring intentionally

• By personal transportation either occurring intentionally or unintentionally



While labs and research facilities probably have HVAC security plans in place for common accidents, such as chemical spills and the use of flammable and/or explosive items, thought needs to be given to other accidents, including:

• Unintentional transfer of hazardous materials that may collect on the bottom of an occupant’s shoes

• Loss of space pressure, whether designed to be under negative or positive pressure, resulting in the transfer of airborne hazards

• Recirculation of hazardous gases from hood exhausts of the same or nearby buildings to building air intakes under certain wind directions and contaminant levels

• Recirculation of hazardous gases from building exhausts to emergency egress paths


Accidents such as one involving a truck carrying hazardous chemicals that overturns on a nearby road releasing airborne toxic fumes are more common than many may think (one Pennsylvania county has seen 271 truck accidents involving hazardous materials, ranging from 35 in 2001 to 25 in 2010). Without an HVAC security plan, response time to shut down the facility’s outdoor air ventilation system may not happen quickly enough to prevent toxic fumes from entering the building.

An example of a vulnerability to natural disaster affecting HVAC system can be the location of the emergency ventilation system motor control center in the basement of a building adjacent to a river that could flood. In addition to life safety, the risk assessment should consider the costs associated with reinvesting to mitigate risk, based on operational limits and financial impact if not corrected (lost business revenue, further losses waiting for long-lead items to replace damaged equipment, etc.).

Also on the risk assessment checklist should be the identification of HVAC security measure constraints (e.g., adding emergency ventilation systems into a building with physical constrictions that would obstruct corridor egress on each floor level). Each of the HVAC system vulnerabilities will need to be evaluated during the data analysis phase of the risk assessment.



The solution planning and solution implementation phase should start with the retrocommissioning of the HVAC systems to be assured that these systems will operate per the BofD. Facility management should not assume HVAC systems would shut down as designed if the associated automatic control system was never commissioned and/or recommissioned on a predetermined schedule for operation verification. Live testing should be conducted. The same can be said for specific safety systems starting when required (e.g. smoke exhaust fan) and operating per the BofD.

It will be important to have a plan identifying an incident commander with appropriate training on the required decisionmaking and system operation. Training should be conducted at least annually, perhaps in association with regularly scheduled building fire drills, so that all occupants are cognizant of their specific responsibilities. Operation personnel must be well versed in not only making sure equipment and systems automatically respond, but also in verifying the response occurred.

Routine planned maintenance workorders should be edited/updated to include planned maintenance of security components (change out of special air filters, checking the tightness of filters in their housings, calibration of toxic gas detectors, tightening of damper linkage, etc.). Further maintenance duties include cleaning protective screening and grating to ensure that nothing obstructs the introduction of outdoor air when an emergency ventilation fan is required.

Facility management should also research and purchase the appropriate reference manuals and papers for their building application, such as:

• ASHRAE Guideline 29-2009: Guideline for the Risk Management of Public Health and Safety in Buildings

• UFC 4-024-01 Security Engineering: Procedures for Designing CBR Protection for Buildings

• NIOSH 2002-139: Guidance for Protecting Building Environments from Airborne CBR Attacks



Good HVAC security requires a BofD up to current security standards, a risk assessment plan in place, the HVAC security plan active, routine training based on the planned maintenance workorder system, and recommissioning the final solution plan-system modifications. Facility management should implement some form of continuous commissioning of the security control components and maintain a regularly-scheduled HVAC security plan reporting process. This will maintain safety awareness for all the building occupants and provide the needed information to the appropriate first-response groups (and to the general public) so that if an everyday security event occurs, the preparations will lead to reduced consequences. ES