Regardless of whether chemical security legislation passes this year, common elements in the DHS plan for the chemical sector and the legislative proposals give a clear indication of what the chemical industry can expect in the coming year. Other aspects are likely to remain under debate.
Universe of regulated facilities. Both S. 2145 and H.R. 5695 and DHS’s independent efforts start with sites covered by the U.S. Environmental Protection Agency’s Risk Management Plan (RMP), 40 CFR Part 68. This list includes more than 14,500 stationary sources, some of which pose questionable homeland security threats or consequences. However, chemical manufacturing makes up only about 20% of RMP regulated processes. The rest are agriculture (29%), water and wastewater treatment (17%), energy (15%) and food and beverage (13%) sites (Figure 1).
Figure 1. Five-step methodology begins with asset characterization and finishes with countermeasure analysis.
This RMP list would have to be rationalized, with the DHS secretary setting criteria for designating a facility as a “chemical source” based on risk. Other chemical sources, such as those supplying critical government facilities or dealing with chemicals not covered by the RMP rule, could be added.
Vulnerability assessments. Both bills also require facilities to conduct vulnerability assessments. Assessment methodologies used in the chemical and petrochemical industry — including those developed by Sandia National Laboratories, AIChE’s Center for Chemical Process Safety, and the American Petroleum Institute/National Petrochemical and Refiners Association, and RAMCAP — describe a similar, multi-step process: 1) identification of critical assets within the facility; 2) analysis of threats to the facility and assets; 3) analysis of consequences of a successful attack; 4) analysis of critical asset vulnerability to attack; 5) assessment of likelihood that an attack against an asset would be successful.
Security measures. S. 245 and H.R. 5695 require chemical sources to conduct vulnerability assessments, implement appropriate security measures, and develop security management plans. Key to the regulations will be the definition of what constitutes a “security measure.”
The bills, DHS, MTSA and the industry agree that minimum security measures would include elements, such as:
- access control for persons, vehicles and shipments;
- perimeter security, including fences, gates and locks;
- technical security equipment, like security lighting, closed circuit cameras and motion detectors; and
- personnel security, including background checks for new hires, contractors and those who transport hazardous materials.
Security plans. There also is general agreement on some elements of security plans, including:
- actions to be taken at elevated threat levels;
- procedures for reporting suspicious incidences or behaviors;
- coordination of security response plans with local law enforcement and federal and state authorities;
- security awareness training; and
- regular security exercises and drills.
Inside the plant gates
Both the voluntary and state programs recognize that chemical facility security requires a multiple “layers of protection” approach made up of both enhanced perimeter security and additional measures between the perimeter and the most critical assets — such as control rooms or critical processing units. The security measures identified as a result of the vulnerability assessments should function as a security system to “deter, detect, delay and mitigate” an attack. The New Jersey mandate goes beyond this security model of protecting and defending critical assets by actually questioning the assets themselves — including the storage and processing of hazardous materials, analysis of the feasibility of alternative materials or operating conditions and of redesign of equipment and processes to minimize equipment failure and human error.
At this point, the shape of federal actions to address such aspects remains unclear. There is widespread agreement on most elements of a chemical security regulatory structure — facility prioritization to identify the most critical facility, vulnerability assessments of the critical assets within a facility, security measures to address identified vulnerabilities, security management plans to maintain a system to deter, detect, delay, and mitigate against attack. However, no agreement exists around the most contentious issue — the role of inherent safety and particularly IST in chemical security (“Inherently Safer Chemical Processes — A Life Cycle Approach,” published in 1996 by the Center for Chemical Process Safety, describes in detail the concept of IST).
Inherent safety and chemical security
The chemical industry has embraced the concept of inherent safety as a step-change approach to either eliminating or significantly mitigating hazards. In some ways, inherent safety can be looked upon as the “pollution prevention” of process safety. That is, it’s more of a philosophy and approach for seeing opportunities than a discrete action or end point. In the same way that federal and state regulatory agencies have opted for programs to encourage rather than mandate pollution prevention, OSHA and EPA have rejected suggestions to mandate inherent safety or IST — instead favoring incentives for developing and sharing of innovative and creative approaches to inherent safety. The agencies recognize that inherent safety is most easily incorporated during the design or re-engineering of a process rather than as a measure added to an existing process.