High-risk chemical facilities, while they are planning on preventing a successful terrorist attack on their facility, need to consider the very reasonable possibility of a successful attack occurring despite their best preventive effort. Developing an effective emergency response plan (ERP) will help reduce the effects of a successful attack on the facility; both on-site and off-site effects. Counter-Terrorism ERP Facilities with toxic release chemicals of interest (COI) and flammable release COI should have already established ERP’s for most of those COI under EPA regulations. Those plans would have been designed to deal with an EPA worst case scenario based upon an accidental release. Those scenarios are based upon reasonable expectations about COI release rates for typical industrial accidents such as failed valves or broken hoses. They also typically only take into account the release of the single largest container on site. An ERP for a terrorist event is going to have to be based upon a much more expansive definition of the ‘worst case’ scenario. An IED or a VBIED will result in an almost instantaneous of the entire contents of a storage tank instead of the draining of the tank through an existing 4” line. Instead of focusing on a single storage tank, a terrorist attack based ERP will have to assume catastrophic failure of multiple storage tanks simultaneously. This could lead to the release of chemically incompatible materials that would expand the adverse effects that must be dealt with in the ERP. On-Site Planning Facility management will mainly be responsible for the on-site portion of the ERP. The on-site planning will focus on the protection of on-site personnel and efforts to mitigate the off site consequences of the release. These are the same things that a typical accidental release ERP would deal with, but there will still be some fundamental differences with the terrorist attack ERP. The most obvious difference will be the fact that the CFATS site security plan will provide a basic focus on detecting a terrorist attack as early as possible. This will potentially allow the facility management some advance notice for the initiation of the ERP. Thus the terrorist attack ERP should include protection and mitigation measures that can begin before the actual release takes place. Unfortunately, this advance notification will also require actions to protect on-site personnel from physical attack by terrorists. Personnel evacuation plans will have to take into account the potential desire of the terrorist attackers to kill or capture key facility personnel. Key personnel will potentially include operations personnel who would be conducting mitigation operations to limit the effectiveness of the successful terrorist attack. Thus, control rooms should be hardened against physical assault by terrorists to allow personnel the most time to conduct mitigation operations. Off-Site Planning There is a certain disconnect between authority and responsibility for off-site emergency response planning that has become very clear in the response to the BP extended oil release (I refuse to call this a spill a totally inadequate term in my opinion for this situation) in the Gulf of Mexico. It should be clear to nearly everyone that there is both a moral and legal obligation for the off-site results of an on-site release. Unfortunately, facility management has no authority over the organizations that are responsible for the off-site emergency response planning and execution. Facility management does have a clear legal obligation to provide adequate information to local and State government organizations about the potential off-site consequences of an EPA delineated worst case scenario. It is less clear that similar information must be communicated for the potentially more serious potential releases resulting from a truly successful terrorist attack. DHS is prohibited from requiring such communications under the §550 restrictions on requiring any specific security measures. ERP responsibilities should not stop with the planning phase of the ERP. Proper execution of the ERP is dependant on a continued flow of information about the status of the release and on-site mitigation efforts. Emergency response personnel need the timely flow of this information to adjust their plans to the realities of the situation. Facility management needs to provide for this flow of information in their on-site ERP planning because managers are going to be rightfully more concerned about their on-site responsibilities for responding to the attack. This means that the communications protocols need to be established in advance so that management does not need to remember to take care of this information exchange during incident management. Part of Site Security Plan The emergency response planning for a terrorist attack should be an integral part of the development of the site security plan (SSP). That it was not included in the list of risk-based performance standards is not unusual. Security personnel frequently overlook the post incident consequences of an attack. Their focus is on preventing and stopping terrorist attacks. ERP does not fit neatly into the process of deter, detect and delay that is the keystone of the CFATS security process.
But everyone needs to remember that the purpose of a terrorist attack is not to destroy the chemical facility (though it may be a motivator for some terror groups). The purpose of a terror attack is to inspire terror in the population to affect some political goal. A well prepared ERP will help to lessen that terror and reduce the effectiveness of the attack. Facilities and communities that publicly communicate their ERP to the populous will actually be part of the deterrence purpose of the security plan. A terrorist attack on a well prepared community is doomed to failure.