More on CFATS Threats

I’ve had some interesting feedback on yesterday’s blog post about the congressional letter to the Secretary. Rather than try to quote some un-named sources we’ll just blame me for the ideas which are mine in any case. They just threw up the observations and I make the ideas out of whole cloth.

General Duty Clause

As I have made clear on a couple of occasions, the Clean Air Act General Duty Clause (GDC) is not a piece of security regulation. It is a piece of good regulation writing that allows the Administrator of the EPA to go after obvious environmental and safety problems that Congress and the regulation writers overlooked or couldn’t foresee. When used in that manner it is valuable regulatory tool that makes us all safer.

If the CFATS program were to be defunded or otherwise eliminated without a replacement, the political reality is that someone would have to step in to regulate high-risk chemical facilities. The only law that I know of that is currently in place that could be stretched to fit that need is the GDC. Does the EPA want to do this? Not hardly, they are understaffed and underfunded in their efforts to enforce the Risk Management Plan program. Having to reinvent the wheel with even less congressional advise and support than the CFATS folks had would be a thankless job at best.

Would it happen? I think so. Any administration with a trace of gumption and any idea of the potential threat would have to take some action. I hope that Representative McCaul, Upton and Carter remember that as they move forward with their threats. And, of course they will; they are already fighting hard against efforts of organizations in the environmental community to force EPA to turn the GDC into a security rule.

The point I was trying to make in my earlier post was not a suggestion to use the GDC as a substitute for an ineffective CFATS program, but rather to remind people that you have to be careful when you make threats. At some point in time the victim is likely to tell the bully ‘go ahead and do your worst’. Be sure you have the stomach for the consequences.

CFATS and RMP

Apparently some people have been making the point in Washington that the EPA’s RMP program and OSHA’s PSM program regulate many of the same facilities covered by CFATS and they do a better regulatory job with fewer people and less money. The information about the comparative resources is certainly true, but the ‘better regulatory job’ is not even an apple and oranges comparison; it is more like apples and orangutans comparison.

Both the RMP and PSM programs are safety programs not security programs. They specify what types of things must be covered and provide some pretty clear and specific guidance on how to go about accomplishing the program goals. There are also pretty extensive academic and self-regulation communities that provide technical support to these two programs that are currently absent from the chemical security community.

More importantly though is that the enforcement side of things is more reactive than proactive. There are no requirements for EPA or OSHA to pre-approve these safety plans. Inspectors will eventually show up at sites to inspect the adequacy of the programs. Unless there has been a complaint or a significant accident there will be a single inspector on site for part of a day. Fines will be levied for program deficiencies and then negotiated with organization by the folks back at Headquarters. The inspector has moved on to the next facility, probably to never return to yesterday’s site.

BTW: I’m hearing second and third hand rumors that the House Homeland Security Committee is going to be holding a hearing to look at a comparison of the effectiveness of these three programs. That would be an interesting circus. Maybe they need to talk to the folks as ACC or SOCMA about the differences between the programs.

No Required Security Measures

ISCD has certainly had their share of ineptitude in the implementation of the CFATS program. They did identify many of the problems internally and appear to be hard at work at fixing their systemic problems while they continue their regulatory work. Having said that, they are Constitutionally (and that is deliberately capitalized) unable to fix the biggest problem to rapid authorization and approval of site security plans.

Congress saddled them with an almost impossible restriction on their authority. In the authorizing language {§550(a) of the  Homeland Security Appropriations Act of 2007 (Public Law 109-295) is the following statement:

“Provided further, That the Secretary may not disapprove [emphasis added] a site security plan submitted under this section based on the presence or absence of a particular security measure, but the Secretary may disapprove a site security plan if the plan fails to satisfy the risk-based performance standards established by this section”.

This means that the Department (and its Inspectors) cannot tell a facility what security measures are necessary. The facility may submit a plan and DHS may decide that it does not meet the Risk-Based Performance Standard. DHS is, however, forbidden by Congress from telling the facility management what they need to do to correct the deficiency. Every deficiency becomes a matter for debate and negotiation.

To be sure, this was added at the insistence of industry, but it greatly strings out the time necessary to get a site security plan authorized. To hold ISCD’s feet to the fire to correct these time delays without correcting this requirement is a sure way to make ISCD inspectors violate the letter and intent of the congressional mandate.

Now it is certainly true that most chemical facilities are custom built unique entities. They will each have their own particular security issues that will not be met by cookie cutter security plans. The CFATS regulations need to take that into account. But one only has to read the Risk-Based Performance Standard Guidance document to see how badly the wording of the authorization language has affected the site security planning and authorization process.

Changes Need to be Made

If ISCD is going to be able to effectively administer the CFATS program, it is going to have to have some legislative help from Congress. It is obvious that a comprehensive chemical security bill is beyond the capability of any congress in the current balance of power situation. So any changes are going to have to be incremental and relatively non-controversial.

The first thing that needs to be done is to remove the current requirement that all covered facilities have to have their site security plans authorized and approved by ISCD. A good argument could be made for the Tier 1 facilities having their plans approved, but the other three tiers should only be required to submit their plans to DHS. Since the Tier 1 plans are mostly done, this would allow ISCD to start inspecting facilities to ensure that their site security plans are being properly implemented and maintained. This would be much easier to do than to determine if the site security plans are actually adequate.

This could be achieved by amending the language of the fourth ‘provided further’ of §550(a) to read:

Provided further, That the Secretary shall review and approve the site security plan of each of the highest-risk covered facilities under this section, the Secretary will ensure that all covered facilities will be periodically inspected to ensure that their site security plans are properly implemented and maintained:

The second thing that would need to be done is to ease the current prohibition of telling the facility management what needs to be done to a Tier 1 site security plan to get it approved. This could be done by amending the second ‘provided further’ of §550(a) to read:

Provided further, That the Secretary may not disapprove a site security plan submitted under this section based on the presence or absence of a particular security measure, but the Secretary may disapprove a site security plan if the plan fails to satisfy the risk-based performance standards established by this section; when a plan fails to satisfy those standards the Secretary will provide multiple suggestions as to appropriate actions that could be taken to satisfy those requirements:

Finally, there needs to be a time standard under which the Secretary will authorize and approve a Tier 1 site security plan. This could be achieved by adding a new ‘provided further’ after the revised fourth ‘provided further’ of §550(a) that would read:

Provided further, That the Secretary will provide timely approval or disapproval of all Tier 1 site security plans; all plans, unless disapproved prior, will be considered to be approved on the 180^th day after their submission or re-submission.

More to Come

This is a good first start for changes to be made to the current CFAT program to make it more effective. There are certainly other things that could be done and you can be sure that I will get around to mentioning them at some later date.