by John Bisney
The U.S. Department of Homeland Security (DHS) released the Chemical Facility
Anti-Terrorism Standards (CFATS) interim final rule in April 2007, which imposes comprehensive security regulations on “high-risk” chemical facilities.
“It’s going to have far-reaching implications
across the chemical and oil and natural gas industries,”
according to Bill Erny, API senior policy analyst and
Security Team leader. “We estimate it will cover
about 40,000 facilities that possess or plan to possess
a chemical substance DHS determines to be dangerous.”
The rule is the latest, and one of the most sweeping,
of more than 150 DHS has issued since the September
11 terrorist attacks. The department projects it may
cost companies as much as $3.6 billion over three years.
The new standards are intended to fill the perceived gap in security for inland refineries, chemical plants and storage facilities, but the impact will be somewhat mitigated for oil and natural gas companies, Erny said, “because their upstream offshore, port facilities and coastal refineries are already covered by the U.S. Coast Guard under the Marine Transportation Security Act of 2002 (MTSA).” Moving oil and natural gas products by rail, truck or pipeline is regulated by the Transportation Security Administration and the U.S. Department of Transportation.
Although all of the roughly 40,000 facilities will be required to complete a preliminary assessment through the secure DHS Chemical Security Assessment Tool website to determine their risk level, some 5,000 high-risk sites, divided into four tiers, must do more. DHS will determine the appropriate tier by assessing the potential consequences to people nearby of an accident or attack, the impact of sabotage or theft and the economic consequences of any catastrophe. Questions relate to the potential loss of life, potential loss of the capability to execute a critical mission, the presence of chemicals on site, security issues associated with such chemicals and health and safety consequences, among others. Information submitted to DHS will be protected as “chemical terrorism vulnerability information” to prevent release to the public.
Each high-risk site will have to complete a security
vulnerability assessment within three months of DHS
notification in which various threat scenarios are played
out. Managers must determine whether the plant could
withstand an attack by armed assailants, for example,
or a bomb. Each plant must then develop a Site Security
Plan (SSP) within six months that will resolve those
vulnerabilities. Additionally, appropriate background
checks must be conducted, security upgrades accomplished
as required and the SSP implemented. Finally, all security-related
information must be protected by a new classification
system, called Chemical Terrorism Vulnerability Information.
Its requirements are similar to the current Sensitive
Security Information requirements for maritime facilities.
The Department of Homeland Security will then follow up with inspections. The new regulations give DHS the authority to seek compliance through civil penalties, up to $25,000 per day, and to shutter non-compliant facilities.
“The safety and security measures that we take need to be tough and balanced," said Homeland Security Secretary Michael Chertoff. “We will significantly reduce vulnerability at high-consequence chemical facilities, taking into account important efforts in certain states.
“Some states have existing laws for regulating chemical facilities. Only state laws and requirements that conflict or interfere with the new regulations will be preempted,” Chertoff said, but added that the department has no reason to conclude that any existing state laws are applied in a way that would impede the federal rule.
“It’s a little unclear right now what the exact impact will be for our members because they haven’t finalized all aspects of it yet,” explains Erny, “but we do know it will impact about half of U.S. refineries, or about 70 to 75 plants. But I suspect that the vast majority of them will already be in compliance. Many of the facilities are owned by the large integrated oil companies which have international operations, so they’ve had experience in some very dangerous parts of the world, and as a result have very mature security programs in place.”
Still, it remains a thicket of rules for some companies. API’s comments requested exclusions for onshore wellheads, product pipelines, marketing terminals, retail gas stations and research laboratories. Among unresolved issues, says Erny, are rules covering third-party inspectors and the administrative fees for CFATS, as well as potentially expanding the new standards to include facilities now covered by MTSA. Enforcement will be handled by the Federal Protective Service, with 36 agents initially detailed to CFATS to conduct compliance inspections, provide assistance and issue fines. Erny notes, however, that “we have some concern about their lack of industry knowledge and chemical facility security practices.”
The API security program has been very active in helping members prepare for the new regulations, according to Erny, including the development of security guidance for the industry. “We currently have a host of publications that have been revised, including the API Security Guidelines for the Petroleum Industry, which can be applied across industry segments, and our Security Vulnerability Assessment (SVA) Methodology for the Petroleum and Petrochemical Industries.
“We have a third revision of the SVA document now underway which will probably be published next spring,” says Erny. “It’s also been immensely valuable for educating Congress and regulators about how the industry conducts security assessments. Many elements of our guidelines, in fact, have been incorporated into the CFATS by the Department of Homeland Security. And it’s been helpful for other initiatives, such as the White House’s National Infrastructure Protection Program. That’s a broad effort that looks at all domestic infrastructure—but our SVA guidelines have been used as an example of how to conduct effective vulnerability assessments.”
API also has acted as an industry focal point to help coordinate the sharing of intelligence information between industry and the government, establishing strong communication partnerships between member companies, the FBI, the Coast Guard
and DHS.
“The initial impact of the chemical security regulations on our industry appears to be rather limited,” Erny concludes. “And since we’ve already taken many measures, we don’t expect this will be a real big hurdle, initially, to get over.”
More information on CFATS is available at the DHS website at http://www.dhs.gov/xprevprot |
