Monday, March 2, 2009

Chemical Processing Article

There is an interesting article on ChemicalProcessing.com about the upcoming Site Security Plan process. While the authors, David A. Moore, Harry M. Leith and Lee Salamone from AcuTech Consulting Group, don’t provides us with any of the particulars of the SSP tool that DHS has yet to roll-out, they do have some good ideas on how facilities ought to proceed while we are waiting for the roll-out to take place. All Threats Plan The article does read a little rough, but there are a couple of important points that they make. First, they suggest that the DHS Site Security Plan (SSP) is just one step on the way to a real facility security plan (FSP). They explain that filling out the latest CSAT tool is a long way from actually having a plan for security at the facility, particularly since DHS is focusing their efforts, as required by law, on just terrorism. They note that there are a number of other security risks that facilities might face that should also be addressed by such an all threats plan. Risk-Based Performance Standards Apparently AcuTech, and many other people in the industry, do not believe the wide variety of disclaimers in the DHS draft Risk-Based Performance Standards Guidance document that DHS will not require any of the ‘suggested’ standards as a minimum standard for measuring compliance. The authors warn that “it’s prudent to believe that they (RBPS metrics) will be seen by inspectors as the “text book” solution set”. While many people believe that this will be the case, DHS has been careful to point out that even meeting one of the metrics provided in the draft will not guarantee that the facility will meet that RBPS standard. This is going to be one of the most interesting things to watch over the next six months or so. Many of us would like to believe DHS when they insist that the appropriate levels of security for high-risk chemical facilities will be decided on a facility by facility basis. This is going to depend, in large measure, on the training given to the inspectors that have not yet been hired. We have been hearing rumors of a one-year Chemical Security Academy for these inspectors, but details have not yet been made available. If you thought that you noticed a timing disparity in the previous paragraph, it was entirely intended. DHS is apparently going into the SSP roll-out with the same 80 or so inspectors that they have had since the first Top Screens were done almost two years ago. These people are going to be very busy. The Tier I facilities are obviously going to be the first ones targeted by these inspectors. I personally doubt that the Tier 4 facilities will be visited before the current CFATS rules expire in October. Compliance Tricks The authors make an interesting point. If the facility does prepare an all-risks facility security plan, they recommend that the SSP is included as an annex to that plan. This anti-terrorism annex would be the only part of the plan that would be shown to DHS inspectors when they came to verify implementation/compliance with the CFATS SSP. They note that if the entire FSP is presented to the DHS inspector then that plan becomes the basis for that and subsequent implementation inspections. There is an important underlying point that is not explicitly stated in this article. The approved SSP becomes the inspection document for the facility. The § 550 prohibition against specifying a particular security method only applies to the approval of the SSP. Once the SSP is approved, that SSP becomes, in effect, the CFATS regulation for that facility. Past Time to Begin The final point that the article makes should have been made last fall, it is too late to begin preparing for the SSP development process when DHS sends out their SSP letters this month. Actually filling in the blanks on the SSP tool will not take too long. What will take time is determining what security procedures and tools will be necessary to support that SSP and getting the appropriate corporate approval for those tools that will require capital expenditures. DHS is not going to expect to see everything in place when they approve the SSP. What they are going to expect however is proof that the critical components of the SSP are ‘in process’. That is going to require showing purchase orders or approved budget line items that the facility is actually prepared to move forward. The larger the organization, the more lead time it is going to take to get the internal approval process completed for these actions.

No comments:

 
/* Use this with templates/template-twocol.html */