Tuesday, July 7, 2009

RBPS Guidance – RBPS #5 Shipping Receipt and Storage

This is another in a series of blog postings that will provide a close-up look at the RBPS Guidance document. DHS recently released this document to assist high-risk chemical facilities in meeting the risk-based performance standards required for site security plans under 6 CFR §27.230. The other blogs in the series were the: Risk-Based Performance Standards Guidance Document RBPS Guidance – Getting Started RBPS Guidance – RBPS #1 Restrict Area Perimeter RBPS Guidance – RBPS #2 Secure Site Assets RBPS Guidance – RBPS #3 Screen and Control Access RBPS Guidance – RBPS #4 Deter, Detect and Delay This posting looks at RBPS #5, Shipping Receipt and Storage. The provisions of this RBPS will help facilities to “minimize the risk of theft or diversion of any of its hazardous materials[emphasis added]” and “helps to prevent tampering or sabotage” (pg 59). Interestingly, DHS, in footnote 17, notes that the term hazardous materials “generally means COI as listed in Appendix A of CFATS” but may also include “other chemicals at a covered facility that pose risks comparable to, or that substantially contribute to, the risks posed by COI listed in Appendix A”. Legally, these statements do not require facilities to address security for chemicals other than COI listed in their notification letter. As with everything else in the Guidance document, this footnote ‘does not establish any legally enforceable requirements’ (see footer on every page of RBPS Guidance Document). It does seem clear that DHS would like to see facilities extend their security measures to chemicals other than just those listed in Appendix A. DHS suggests that facilities with questions about what chemicals are covered by this RBPS may request technical assistance from DHS. There are only two security measures addressed in this RBPS; product stewardship and inventory control. Product Stewardship DHS notes that Product Stewardship is a concept that has been in use in the chemical industry for a number of years. Originally developed by the industry to address concerns about product safety, DHS expands the concept to include “reducing the potential for theft, contamination, or misuse of toxic or flammable chemicals” (pg 60) by allowing a facility:
To know where its product is located at all times; To ensure that the material is being delivered to or received from a known, approved individual or entity; and To help prevent the theft or diversion of materials through force or deception.
A key component of the Product Stewardship responsibility is an active and documented ‘know your customer’ program. DHS suggests that such a program would require that facilities would only sell/deliver hazardous materials to pre-cleared customers that meet certain security criteria. Those criteria would include:
“Verification and/or evaluation of the customer’s on-site security, “Verification that shipping addresses are valid business locations, “Confirmation of financial status, “Establishment of normal business-to-business payment terms and methods (e.g., not allowing cash sales), and “Verification of product end-use.”
Most of these criteria are already well established parts of a variety of industry product stewardship programs. The relatively new provision is the requirement to review the customer’s on-site security program. This may cause some interesting problems for facilities because of chemical-terrorism vulnerability information (CVI) requirements for CFATS covered facilities. Sharing information on facility security measures requires verification of authorized user status and need-to-know. Presumably DHS will facilitate such information exchange. Other areas of Product Stewardship that DHS expects to see impact facility security measures include:
Vehicle and shipping control procedures that are periodically tested and evaluated; Unknown vehicle/driver control procedures; Chemical shipping and receiving procedures that identify shipments in advance; Customer pick-up procedures that provide for identification and verification of orders; and Process review procedures for all shipping and receiving processes.
Inventory Control DHS expects that covered facilities will be using an inventory control process appropriate to their facility. System capabilities that DHS believes are appropriate to help protect covered COI include:
Listing of all hazardous material on site; Tracking of quantity and location of all hazmat; Monitoring use of hazmat by authorized personnel; Generating reports on location/use of hazmat; Tracking containers of hazmat; Tracking disposal of hazmat and empty hazmat containers; Recording purchasing/receiving records for materials management; and Providing linkage to Material Safety Data Sheet information.
DHS notes that inventory control procedures can be enhanced by the use of appropriate physical security measures to control access to covered materials. The security measures listed in this RBPS have been addressed in earlier RBPS sections. Metrics The summary metric suggests that all covered facilities will have “documented processes for securing and monitoring the shipment, receipt, and storage of hazardous materials” (pg 62). The effectiveness of these processes in preventing unauthorized personnel from gaining access to covered materials will vary according to the Tier ranking of the facility. Processes for Tier 1 facilities will such unauthorized access “make it extremely unlikely’ while Tier 2 facilities would be expected to meet an ‘unlikely’ standard. Procedures at Tier 3 and 4 facilities would “reduce the likelihood” such access. The Metric 5.1 ‘standards’ for security of transportation containers are the same for all facilities. Adequate security measures will be provided for all shipping containers not actively involved in transportation. All such containers would be stored within the facilities security perimeter and will be addressed in the facility’s SSP. This would imply that the containers or their storage area would be ‘assets’ covered under RBPS #2. Metric 5.2 require that all facilities have a ‘know our customer program’ with Tier 1, 2, and 3 facilities refusing to sell hazmat to customers not meeting prescribed criteria. Similarly Metric 5.3 requires all facilities to have procedures in place to identify and authorize vehicle access to the facility with accompanying shipping and receiving control procedures. Again all but Tier 4 facilities would include procedures for staging/vetting unexpected vehicles/drivers. Metric 5.4 addresses the requirement for procedures that address confirmation of inbound and outbound hazmat shipments. Procedures for Tier 1 and 2 facilities would address all such shipments while Tier 3 and 4 facilities would cover most shipments. Tier 1, 2 and 3 facilities are expected (Metric 5.5) to have a written procedure for verifying the receipt of orders for hazmat and controlling the sales and storage of hazardous materials. A review process to ensure the effectiveness of these procedures will be included in the procedure.

No comments:

 
/* Use this with templates/template-twocol.html */