Friday, October 24, 2008

RBPS Guidance – Introduction

This is the first in a series of blog posts that looks at the recently released draft DHS guidance document for implementing the Risk-Based Performance Standards (RBPS) in site security plans (SSP) for high-risk chemical facilities. The RBPS are a key component of the Chemical Facility Anti-Terrorism Standards (CFATS). This first post is a general introduction to the document. Background When Congress authorized DHS to establish the CFATS regulations they included a provision that prohibited DHS from requiring any specific security program or procedure. Instead it dictated that DHS should develop risk-based performance standards that high-risk chemical facilities could use to develop a security program best suited to their unique situation. The big problem with RBPS is that it can be difficult to tell when one meets the standards. With command type regulations that specify what must be done, it is relatively easy to determine when the regulations have been complied with. With RBPS it is less clear. When RBPS are applied to a new field like chemical facility security, it becomes even more difficult. That is the reason that DHS is publishing this guidance document. It is an effort to make it easier for facilities to understand the complexity of the standards. According to this draft the purpose of the guidance document is:
“To assist high-risk facilities in selecting and implementing appropriate protective measures and practices and to assist DHS personnel in consistently evaluating those measures and practices for purposes of the Chemical Facility Anti-Terrorism Standards (CFATS), 6 CFR Part 27”.
RBPS Guidance Document Disclaimer At the top of the Overview page and the beginning page of the discussion for each performance standard DHS has included a text box that contains an official disclaimer. While the disclaimer is rather extensive the important parts are covered in just two sentences:
“This guidance reflects DHS’s current views on certain aspects of the Risk-Based Performance Standards (RBPSs) and does not establish legally enforceable requirements for facilities subject to CFATS or impose any burdens on the covered facilities. Further, the specific security measures and practices discussed in this document are neither mandatory nor necessarily the 'preferred solution' for complying with the RBPSs.”
It is obvious that DHS takes the Congressional mandate requiring RBPS very seriously. Wording similar to these two sentences from the disclaimer shows up repeatedly throughout the text. DHS wants to make sure that no one mistakes the RBPS guidance for a prescriptive, command-type regulatory document. General Guidance While the Guidance document provides detailed discussions about how to select appropriate security measures for each of the 18 performance standards, the introductory portion provides some general guidelines or ‘considerations’ that facilities should take into account when selecting and developing their security procedures. Briefly stated those considerations (pages 15 – 19) are:
“The Non-Prescriptive Nature of Risk-Based Performance Standards. “The Impact of the Nature of the Security Issue Underlying the Facility’s Risk Determination. “The Impact of the Type of Facility and Its Physical and Operating Environments. “An Individual Measure May Support Achievement of Multiple Risk-Based Performance Standards. “Layered Security/Combining Barriers and Monitoring to Increase Delay. “Asset-Specific vs. Facility-Wide Measures.”
These considerations (to be discussed in more depth in later blogs in this series) reflect the varied nature of the different high-risk chemical facilities covered by the CFATS regulations. They also go a long way toward explaining why the RBPS are so critical to the CFATS process; it is highly unlikely that any specific security procedure would support these considerations for a significant number of high-risk facilities. COI and RBPS Requirements The various types of security problems that a high-risk chemical facility will have to deal with in their SSP will vary with the COI that are stored or used on site. The guidance document provides some examples of how this might work. For instance, “if a facility has no dangerous chemicals for which theft or diversion is a security issue, then it does not need to implement any additional measures to comply with RBPS 6 – Theft and Diversion” (page 11). This does not mean that a facility can ignore any of the 18 RBPS listed in 6 CFR § 27.230. They must all be addressed in the SSP. However, when “a facility believes it can satisfy a RBPS without the implementation of any specific security measures or practices, the basis for this belief should be clearly articulated in the facility’s Site Security Plan”. Tier Level Affects RBPS Requirements The other major factor that will affect a high-risk chemical facilities selection of security measures is the level of risk found at that facility. This risk level is reflected in the Tier level to which the company was assigned after their SVA submission. This reflects the intent of Congress to insure that the facilities that presented the highest risk to the public would have to take the most precautions to protect the public. Some of the RBPS are less affected by facility tier level than others. The response to the ‘Restrict Area Perimeter’ (RBPS #1) standard will certainly be more robust for Tier 1 facilities. The facility SSP provisions for the ‘Reporting of Significant Security Incidents’ (RBPS #15) will be less dependant on the facility tier status. This will be reflected in the discussion for each RBPS. Future Blogs In future blogs I will take a more detailed look how this Guide is organized and at the individual RBPS. When this document becomes publicly available I will certainly note that and provide information on where to download this lengthy (178 pages) document. In the next week or so we can expect to see this published in the Federal Register along with notification of how the public and industry can provide their comments on the document.

1 comment:

Anonymous said...

PJ: The corresponding vital process/function in the rail hazmat routing rule -- which you might want to compare to the facility security process with RBPS) is for the railroads to use 27 new "factors" (economic, safety and security) to compare alternative routes and select one(s) they will use, by end of 2009. In both cases the industry-friendly Bush Admin is refusing to order the most effective security measures (IST in facility security, re-routing in rail security), so has devised a Rube Goldberg-like complex process that will allow regulated companies to avoid using these most effective measures. The rail equivalent to your Guide may be the Routing Tool being developed with a $5 million grant by that independent objective group (not)-- the Railroad Research Foundation. Good luck getting a copy of that, also... Fred Millar

/* Use this with templates/template-twocol.html */