It is becoming increasingly obvious that the Democrats on
both the House and Senate Homeland Security Committees are concerned about the
role of emergency response in the Chemical Facility Anti-Terrorism Standards
(CFATS) program. This means that it is becoming increasingly likely that some
sort of emergency response provision will find its way into whatever final bill
comes out of the 116th Congress reauthorizing the CFATS program.
Thus, the topic bears more discussion.
EPCRA
The CFATS regulations are not the base law in the United
States for emergency response information sharing and planning for most
chemical facilities. The base law for that requirement is found in the Emergency
Planning and Community Right-to-Know Act (EPCRA) codified at
42
USC Chapter 116 with the regulations established at
40
CFR 355. Among other things that Chapter establishes the Local Emergency
Planning Committees, provides for the preparation of comprehensive emergency
response plans, and details what facilities are covered under the provisions of
EPCRA.
Under the EPCRA regulations a facility is subject to the
emergency planning requirements of the regulation if they have any chemicals on
either of the extremely hazardous substance lists {Appendixes A (alphabetical
order) & B (CAS # order) to §355}
in excess of the threshold planning quantity listed in those appendixes. For
chemicals on those lists that were included in the DHS list of chemicals of
interest (COI), a large portion of the toxic-release hazard chemicals on the
COI list, were taken with the same TPQ (called screening threshold quantity in
the CFATS program).
Most of the chemicals on the EPCRA lists were not included
in the CFATS COI list. Only the most toxic chemicals from the list were
included as DHS concluded that only the most toxic would form the basis for a
credible terrorist attack on a facility holding those chemicals.
Interestingly, two other categories of chemicals that are
included in the DHS COI as release hazard chemicals are not addressed in the
EPCRA emergency planning regulations or statutes; flammable and explosive
chemicals. Congress intended for the EPCRA requirements only to apply to
toxic-release hazard chemicals.
Actually, the EPCRA regulations do not require companies or
facilities holding extremely hazardous chemicals to do any sort of emergency
planning. Those facilities are simply required to report the following types of
applicable information to their Local Emergency Planning Committee (LEPC) {§355.21 table}:
• Provide notice that the facility
is subject to the emergency planning requirements of EPCRA;
• Designate (and provide notice to
the LEPC of) a facility representative who will participate in the local
emergency planning process as a facility emergency response coordinator;
• Provide notice of any changes
occurring at the facility that may be relevant to emergency planning; and
• Provide any information necessary for developing or
implementing the local emergency plan if requested by the LEPC.
All of the responsibility for planning, training,
coordinating and exercising the emergency plan fall to the LEPC {42 USC
11003(c)}. Unfortunately, Congress has provided no funding to, or even provided
provisions for funding, the LEPCs. With the Federal government providing no
funding for these organizations, there is no effective way for the EPA to regulate
the operation of LEPCs or their emergency planning function. Congress has
essentially left that responsibility to the States.
CFATS
The CFATS regulations (
6
CFR part 27) were originally authorized as part of a DHS spending bill over
10 years ago, but have been more recently been authorized by
6
USC Part XVI. Nothing in the current authorizing statute specifically
mentions ‘emergency response planning’ at CFATS covered facilities. That is
addressed, very briefly, in the CFATS regulations at
§27.230(a)(9) as part
of the risk-based performance standards used to develop and evaluate site
security plans. That sub-paragraph states:
“Response. Develop and exercise an emergency
plan to respond to security incidents internally and with assistance of local
law enforcement and first responders”
The CFATS
Risk-Based
Performance Standards Guidance manual emphasizes that RBPS #9, Response, is
targeted at the response to a security situation and that ‘emergency response’
is only a relatively small part of the response obligation of the facility
under the CFATS program. The manual explains the difference this way (pg 84):
“It is important not to confuse a
“security response” intended to engage and hopefully neutralize the adversaries
with the broader “emergency response” that follows an attack and attempts to
reduce the severity of the event and lessen the consequences in terms of loss
of life and destruction of property or production capability. The initial
“security response” has tactical considerations addressed in RBPS 4 – Deter,
Detect, and Delay, whereas the “emergency response” relates to the more
traditional efforts to contain the damage and lessen the consequences after a
security event. These planning considerations overlap to some degree, and both
involve establishing strong, functional, relationships with the various
response organizations and personnel that may be needed to support this
performance standard. It should be noted that individuals involved in security
response activities also often have an integral role in emergency response, and
this dual role should be taken into consideration when developing comprehensive
crisis management plans.”
In the metrics included at the end of the RBPS 9 that
facilities and DHS use to evaluate a CFATS site security plan (SSP), there are
only mentions of ‘emergency response’ (Metric 9.1; pg 85):
“Documented agreements and/or
written procedures for emergency response, including off-site responder
services, such as ambulance support, explosive device disposal support,
firefighting support, hazardous material spill/recovery support, and medical
support.”
There are other requirements within the RBPS 9 metrics for
outreach to ‘local law enforcement and emergency responders’ (including LEPCs),
but these are not planning requirements; though the metric does note that
facilities can fulfill this measure by participation “in incident response
drills and exercises in conjunction with off-site responder organizations”
(Metric 9.4; pg 86).
Problems With Current Models
The two regulatory models described above take two different
approaches to the emergency response planning problem. The EPA model calls for
unfunded agencies, the LEPCs, to conduct the emergency response planning for
all facilities in their operations area. The CFATS model calls places the
planning responsibility with the covered facility. Both models contain serious
disconnects from reality.
The first problem common to both models is the funding
issue. Emergency response planning takes time and expertise to accomplish the
frontend work; develop the plan. That requires money to pay for the expert’s
time. Even if the expert is volunteering their time there is the cost of the
time lost to that expert’s normal job. Next, in order to be an effective plan,
the plan must be reviewed, revised, exercised, reviewed and revised on a
periodic basis. Again, the time involved in the process is costly and limited.
LEPCs in large urban areas may be able to absorb this cost by having a full-time
professional planner on staff with a local agency, but that is not going to be
an option for most communities.
For large CFATS facilities, it may be possible to have a
full-time emergency response planner on staff or finances may be available to
pay for an emergency response contractor to undertake the planning necessary.
At some point, however, as facility’s decrease in size that professional
capability is going to be impossible to afford. But even where the facility has
the financial resources to fund a planner, the community is still going to have
to fund the review and exercise portion of the emergency planning process.
Again, smaller communities are going to find this extremely difficult or
impossible to afford.
The second problem is the information sharing issue. At
first glance, in the EPA model this does not seem to be much of a problem.
Facilities are required to provide LEPCs with the required information, either directly
by law or by response to requests from the LEPC. Unfortunately, the amount
required directly by statute is relatively limited and the LEPC can only request
the information that it knows that it needs. There is no incentive for
facilities to share additional information such as the presence of other
chemicals on site that may complicate the emergency response process.
For CFATS covered facilities this problem is aggravated by
the statutory restrictions on the sharing of Chemical-Terrorism Vulnerability
Information (CVI). Now the information about CFATS facility holdings of the
toxic-release hazard chemicals covered under the EPCRA rules is not generally
going to be classified as CVI, at least as that information relates to the
type, amount and location of the Highly Hazardous Chemicals listed in the EPCRA
regulations. As noted earlier, however, flammable and explosive release hazard
chemicals covered under CFATS are not addressed in EPCRA and the sharing of
information about those chemicals (which also need emergency response planning
under CFATS) is limited to only those individuals that have been trained in
handling of CVI materials and have the appropriate means to protect that
information. Again, there is a time cost associated with receiving the CVI
training (the training is free) and the cost of the physical security and
cybersecurity for protecting that information is not negligible.
And the final problem with the current models is that both EPA
and DHS have made it difficult to share information with the potentially
affected neighbors about the emergency response planning. Both agencies have
done this with the intent to deny information to potential attackers. The EPA
restricts access to the facility data to people who physically access an EPA
reading room (limited locations), and DHS prohibits sharing of CVI information
with the public. While done with the best of motives, both agencies have
ensured that in most cases the public does not have access to the necessary
information to promptly respond to an emergency response situation.
Fixing the Problem
Because of the size of the universe of EPCRA covered
facilities, I do not foresee Congress attempting to provide enough funding to
allow LEPCs to fix the emergency response planning problems identified above.
If they are fixed it will be on a case by case basis where either the local
community or large chemical facility is able to provide the necessary funding.
Because the CFATS covered facility universe is much smaller
(3,330
as of March
1st) some of these issues may be more tractable. I have
addressed in some detail how I would modify the current authorization in a
blog
post from last year. The money issue still remains, my suggestion to allow
(gently require) FEMA to use grant funds for emergency response planning for
CFATS covered facilities only partially addresses the issue due to the limited
nature of those funds and I did not propose increasing them because that would
increase the problems with getting the reauthorization bill passed. Realistically,
FEMA needs a specific emergency response planning grant authority and is
probably going to have to be required (and funded) to provide professionals to
help LEPCs conduct both the planning and exercises of those plans. That will almost
certainly have to be addressed in separate legislation.
Finally, none of my suggestions in the earlier post address
the issue of information sharing with the local, potentially directly affected
population. It is easy to say that information must be shared but legislating
that in an effective manner is going to be difficult. Defining who the potentially
affected population is will be hard enough. Crafting language describing an
effective outreach program that will overcome what is unfortunately in many
cases a mistrust of the chemical industry based upon decades of poor,
incomplete and often misleading information is going to be difficult.
The best I can suggest at this point is adding an additional
sub-paragraph to the end of §636(b)
proposed in that earlier blog post:
(6)
Conduct an annual outreach class for the immediate neighbors potentially
affected by a full release of any toxic-release COI on the facility describing:
(A) What such a release might look and or sound like;
(B) What measures the facility has in place to warn neighbors of such a
release;
(C) What immediate actions neighbors should take to best protect
themselves in the event of such a waring;
(D) How neighbors will be made aware of an all-clear status after an incident;
(E) What medical treatment should be sought after such a release.
(F) A point of contact for reporting suspicious activities in the
neighborhood that may be directed at the facility.