Sites in the United States that produce, use or store hazardous chemicals must comply with Chemical Facility Anti-Terrorism Standards (CFATS), which are enforced by the U.S. Department of Homeland Security (DHS). A report, “DHS Action Needed to Verify Some Chemical Facility Information and Manage Compliance Process,” recently released to Congress by the U.S. Government Accountability Office (GAO) points both to progress and continuing challenges in DHS’s efforts to monitor sites and enforce the standards.
[pullquote]
The GAO evaluated the efforts of DHS’s Infrastructure Security Compliance Division (ISCD), which is responsible for collecting and assessing data provided by sites. Since 2007, ISCD has received data from about 37,000 facilities and categorized around 2,900 as having high risk for potential toxic release threats.
“ISCD has taken steps to identify chemical facilities but used unverified data to categorize thousands of facilities,” warns the report.
In particular, the GAO notes that ISCD doesn’t verify data from sites it doesn’t categorize as high risk. Yet, explains the GAO, a key factor in deciding whether a site poses a high risk is the “distance of concern,” the area within which short-term exposure to a toxic chemical cloud could cause serious injuries or fatalities, that the facility itself reports — and this often is too conservative. Using a generalized sample of facility-reported data in a DHS database, GAO reckons that more than 2,700 facilities (44%) of an estimated 6,400 sites posing a toxic release threat misreported that distance. So, it recommends that ISCD verify the accuracy of “distance of concern” data submitted by facilities to “better ensure it has identified the nation’s high-risk chemical facilities.”
On the positive side, the GAO commends ISCD for substantial progress in approving site security plans. “As of April 2015, GAO estimates that it could take between 9 and 12 months for ISCD to review and approve security plans for approximately 900 remaining facilities — a substantial improvement over the previous estimate of 7 to 9 years GAO reported in April 2013.”
However, facilities’ noncompliance with their approved site security plans poses an important concern, cautions the GAO. Nearly half (34 of 69) of the sites ISCD had inspected by February 2015 hadn’t implemented some measures by the deadlines specified in their plans. ISCD has been handling noncompliance on a case-by-case basis. This has led to variations in responses, such as in how much additional time was allowed to get into compliance and whether or not a follow-up inspection was scheduled, notes the GAO. It adds that ISCD should adopt a consistent approach. “…Having documented processes and procedures would ensure that ISCD has guidelines by which to manage noncompliant facilities to ensure they close security gaps in a timely manner. Additionally, given that ISCD will need to inspect about 2,900 facilities in the future, having documented processes and procedures could provide ISCD more reasonable assurance that facilities implement planned measures and address security gaps.”
Finally, the GAO report questions how ISCD now measures CFATS performance. Current results reflect existing and planned measures identified in a site’s security plan. Instead, the GAO says they only should consider measures actually implemented and verified by ISCD.
The GAO notes that DHS concurs with the recommendations to verify “distances of concern” and establish documented processes and procedures for managing compliance.
The full report is available at: http://goo.gl/47GDHU