Tuesday, May 26, 2009

RBPS Guidance – Getting Started

This is the second in a series of blog postings that will provide a close-up look at the RBPS Guidance document. DHS recently released this document to assist high-risk chemical facilities in meeting the risk-based performance standards required for site security plans under 6 CFR §27.230. The first blog in the series was the: Risk-Based Performance Standards Guidance Document In this blog we will be taking a look at some of the information provided in the Guidance document before it starts discussing the actual risk-based performance standards (RBPS). This general information will provide a logical basis for the discussion of the RBPS. Purpose The introduction to the Guidance document provides an overview of how the document is put together and describes how DHS intends for the high-risk chemical facility to use the document. The first thing that facility security personnel must understand is that the Guidance document is not going to tell them how to secure their facility. That is the whole point of establishing performance standards; there is no single security method that is going to be applicable across the wide range of facilities that fall under the label of ‘high-risk chemical facility’. The purpose of the RBPS Guidance document is summed up well on page 13;
“High-risk chemical facilities can use this document both to help them gain a sense of what types and combinations of security measures and processes are likely to satisfy a given RBPS for a facility at their tier level and to help them identify and select processes, measures, and activities that they may choose to implement to secure their facility.”
Organization The Guidance document is set-up essentially the same way as was the draft version. It is laid out into 18 chapters corresponding to each of the 18 RPBS. There are a couple of appendixes that provide additional information on specific topics including a more in depth discussion of some of the security measures that might be employed. Included in those discussions in Appendix C are lists of references that facilities can use to learn more about the technical details involved in developing their site security plan. Each RBPS discussion is arranged in much the same manner. There are three common sections; an ‘Introductory Overview’, one covering ‘Security Measures and Considerations’, and the ‘RBPS Metrics’. Many of the sections have a table that explains what attack scenarios from the SVA are addressed by that Standard. What RBPS Apply? The CFATS regulations require that each high-risk facility must “must satisfy the performance standards” outlined in §27.230. This means that all eighteen of the RBPS must be addressed in the site security plan. The Guidance document notes that each facility will be notified which security issues and COI must be addressed in their site security plan. These security issues and COI will determine the relative emphasis that will be placed on each RBPS. Additionally the Guidance notes that: “Different security measures or activities may be more or less effective depending on the specific security issues.” There is a detailed discussion on pages 17 thru 20 on how the security issue may affect the security measures selected to secure the facility. Any facility developing a site security plan would do well to read and understand that discussion. Not only is it good advice, but it is the best summation of what DHS will be looking for in approving site security plans. Facilities with more than one security issue will find that their security situation will be very complex, but understanding the reasoning that DHS applies to the individual issues will make planning a little easier. Inherently Safer Technology DHS has not addressed the issue of the use of inherently safer technology (IST) in the RBPS Guidance document. A coalition of labor, environmental and other activist groups suggested in their response to the Draft Guidance document that DHS include a discussion of IST in the Guidance. DHS replied in their recently published response to comments that:
“While facilities may voluntarily choose to consider IST solutions as part of their overall security approach, the examination or implementation of IST is not required under CFATS to satisfy the RBPSs and thus is not addressed in the Guidance. No change to the Guidance based on this comment is warranted.”
Strictly speaking, IST is not a security measure. It generally falls into the category of risk elimination, risk reduction or risk mitigation measures. The first two categories are better addressed in the Top Screen portion of the CFATS process. If a facility either eliminates or substantially reduces the amount of a COI on site, both well established forms of IST, they need to re-submit the Top Screen as this may change their status as a high-risk facility by removing them from the list entirely or lowering their Tier level ranking. There actually is an IST provision mentioned in the Draft RBPS Guidance Comment document. On page 7 in response to questions about the ‘interdiction requirement’ DHS made the following comment:
“While an armed security force is one potential way of accomplishing this [delay] (and something high-risk chemical facilities may wish to consider), there are many other options for achieving this result (e.g., establishing capabilities to detect an attack early enough and delay it long enough so that local law enforcement can intervene; implementing process controls or systems that rapidly render a target non-hazardous even if an attack successfully breaches containment [emphasis added]).”
While this will not be a commonly available option, the rapid conversion of a COI to a non-hazardous chemical or form would certainly fall under the heading of IST. Other risk mitigation measures that provide for automatic post-release neutralization while not strictly IST also should be considered in the development of the site security plan. Facilities that have release COI as their principal security issue need to take a hard look at the whole range of IST possibilities. Looking at the RBPS it will quickly become clear that any security plan for a release COI high-risk facility will quickly become expensive. The easiest way to reduce those potential costs may be to reduce the risk associated with the chemical used on site by using any one of a number of well established inherently safer engineering alternatives.

No comments:

/* Use this with templates/template-twocol.html */