EIIP Virtual Forum Presentation November 14, 2007
The Chemical Facility Anti-Terrorism Standards
An Introduction
Myron L. Casada, P.E.
Vice President, Risk and Security Services
ABS Consulting
Amy Sebring
EIIP Moderator
The following version of the transcript has been edited for easier reading and comprehension. A raw, unedited transcript is available from our archives. See our home page at http://www.emforum.org
[Welcome / Introduction]
Amy Sebring: Good morning/afternoon everyone. Thank you for joining us today. On behalf of Avagene and myself, welcome to the EIIP Virtual Forum! Avagene is attending the IAEM conference in Reno today.
Our topic today is "The Chemical Facility Anti-Terrorism Standards: An Introduction." We have been wanting to do a session on this topic for a number of years, and finally, the timing is right.
Before I introduce today's speaker, I would like to briefly mention two brand new features we have added to our Website. First, you may be pleased to know, the EIIP has at long last ventured into the world of audio! Please see the link on our homepage to EIIP Podcasts to access our first attempt. Slightly under four minutes long, this audio commentary discusses our recently added features. We will also be sending a release out to our mailing lists this afternoon for those not here today.
The second new feature is a Forum User "Rate/Write a Review" system, also linked from our homepage. I will talk about that a little more during our closing today. We don't want to make our speaker too nervous about this today, but the rating we are asking you to do is on the usefulness of the information presented, to serve as a guide to other users in the future.
Now it is my pleasure to introduce Myron L. Casada, P.E., Vice President, Risk and Security Services for ABS Consulting. Mr. Casada has more than 30 years of engineering and risk assessment experience, including consulting for both private industry and government organizations.
Currently, Mr. Casada is assisting clients in responding to the new DHS Standards, including regulatory applicability consulting, compliance services, and security vulnerability assessments. Mr. Casada is a registered Professional Engineer in the state of Tennessee. He holds a B.S. degree in Engineering (1974) and an M.S. degree in Engineering Administration (1976), both from the University of Tennessee.
Welcome Myron. We are delighted you could join us today. I now turn the floor over to you please to start us off.
[Presentation]
Myron Casada: Thank you for the opportunity to be here with you today. We have been following the new chemical security regulation for a long time, but with the final list of chemicals being published this month, we now have to start the process of complying with a new regulation.
On April 9, 2007, the Department of Homeland Security (DHS) issued an interim final rule (72 Federal Register 17688-17745) on chemical facility security. The rule was entitled the, Chemical Facility Anti-Terrorism Standards: Interim Final Rule (Title 6 CFR Part 27), the CFATS regulation.
When applicable, the regulation will require chemical facilities possessing amounts of specific substances considered by DHS to pose a security risk to notify DHS and undergo a consequence-based screening process. DHS will then determine which of those chemical facilities are high-risk, and thus need to comply with additional requirements in the regulation. High-risk facilities will be categorized into tiers based on risk, and those with higher risk must comply with more stringent, performance-based security requirements.
The interim rule included a draft list of chemicals and Screening Threshold Quantities (STQs) as Appendix A. However, the Appendix A issued in April 2007 was only a draft, the effective date of the regulation is not until DHS publishes a final version of Appendix A in the Federal Register. We expect it this Friday (Nov. 16th). [Addendum: Final Rule was published in the Federal Register November 20th.]
On November 2, 2007, DHS released an advance copy of the revised Appendix A list. It is much improved over the earlier list. It includes several changes:
- Eliminated chemicals covered at "Any Amount."
- Provides thresholds for all chemicals.
- Raised the threshold quantity for many chemicals
- Greatly reduced potential coverage of propane
- Eliminated some chemicals (e.g., carbon monoxide, acetone, and urea)
Under the interim final rule, high-risk chemical facilities are required to create and submit to DHS a vulnerability assessment; create and submit to DHS a site security plan, addressing the vulnerability assessment and complying with the performance-based standards; and implement the site security plan at the chemical facility.
I will now provide an overview of the Chemical Security Assessment Tool (CSAT), and we can get into more detail later in response to your questions: The overview includes:
- CSAT Process and Applications
- User Registration
- Screening Questionnaire (Top-Screen)
- Security Vulnerability Assessment (SVA)
- Site Security Plan (SSP)
- Information Protection
Facility Registration:
Registration began on April 6, 2007 and will continue for as long as the Rule is in force. The registration site is at http://www.dhs.gov/chemicalsecurity.
Registration consists of:
- Filling out the registration questionnaire on the website (facility and chemical information)
- Downloading the PDF registration form
- Signing and sending the form to DHS
DHS will respond to the registration by sending the facility contact an email with a username and temporary password to use in further submissions.
Top-Screen: What does it do?
The Top-Screen process identifies the security issue(s) at a facility using the DHS Chemicals of Interest list based on:
- Risk to public health and safety
- Potential targets for theft and/or diversion of potential chemical weapons or explosive precursor
- Reactive chemicals stored in transportation containers
- Concentrated capacity, the loss of which poses a risk to the economy or to the delivery of mission critical functions
It also enables DHS to directly inform a facility of its status and/or preliminary tier by letter.
The Top-Screen process addresses specific security issues, including the risk to public health and safety (i.e., death and injuries) from chemical releases, fires, and explosions. It also identifies potential targets for theft or diversion of chemicals that could contribute to chemical weapons, weapons of mass effect, and improvised explosive devices.
Another scenario of interest in the Top-Screen process is reactive chemicals stored in transportation containers that can react with water to generate poison gases. The last types of chemical inventories that Top-Screen reviews are chemicals considered critical to essential government missions or to the economy.
Top-Screen examines public health and safety impact by estimating deaths and injuries using a variation of the EPA Risk Management Program (RMP) worst case scenario methodology.
Once DHS has analyzed the Top-Screen input from a facility, it sends the facility a letter that provides:
- The preliminary facility tier (either one of the four high risk tiers or low risk)
- Chemicals at the facility that must be addressed in the SVA
- Security issue(s) associated with the identified chemical(s)
- Next steps required by the facility
The DHS letter to a facility will be protected under CVI restrictions.
Security Vulnerability Assessment (SVA):
The Security Vulnerability Assessment (SVA) approach in the CSAT software follows the SVA approach established by the Center for Chemical Process Safety (CCPS) and similar SVA approaches.
The SVA process includes:
- Asset Characterization: assets associated with chemicals identified in the post Top-Screen letter
- Threat Characterization: specific scenarios prescribed by CSAT
- Consequence Analysis: potential consequence of scenarios against identified assets
- Vulnerability Analysis: security measures in place to mitigate or reduce the likelihood of success of an attack on an asset
Rather than using the CSAT SVA methodology, Tier 4 facilities can submit alternate security plans (ASPs) for review.
The results of the SVA provide:
- The tier for each critical asset based on potential consequences
- Final facility tier based on highest asset-specific tier
DHS develops a CVI protected letter to each facility that defines:
- The final facility tier
- Asset specific tier ranking and the associated security issue(s)
- The next steps required by the facility
The information in the post-SVA letter is used by facility during development of a site security plan (SSP) to identify the applicable risk based performance standards (RBPS) based on asset tiers and security issues.
Site Security Plan (SSP):
An SSP must contain:
- All critical assets in the post-SVA letter
- All security measures in place or planned to achieve the applicable RBPS
Review of SSPs by DHS will be prioritized based upon SVA results. Facilities will be required to respond to DHS comments on initial SSPs. Site inspections are likely to be conducted as part of the regulatory process.
There are 18 types of security measures that must be addressed in a site security plan. The degree to which a facility must implement them depends on the facility risk tier. Here are some of the more important measures.
Restrict Area Perimeter. Secure and monitor the perimeter of the facility.
Secure Site Assets. Secure and monitor restricted areas or potentially critical targets within the facility.
Screen and Control Access. Control access to the facility and to restricted areas within the facility by screening and/or inspecting individuals and vehicles as they enter.
Deter, Detect, and Delay. Deter, detect, and delay an attack, creating sufficient time between detection of an attack and the point at which the attack becomes successful.
Theft and Diversion. Deter theft or diversion of potentially dangerous chemicals.
Sabotage. Deter insider sabotage.
Response. Develop and exercise an emergency plan to respond to security incidents internally and with assistance of local law enforcement and first responders.
Monitoring. Maintain effective monitoring, communications and warning systems.
Training. Ensure proper security training, exercises, and drills of facility personnel.
Personnel Surety. Perform appropriate background checks on and ensure appropriate credentials for facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or critical assets.
The guidance for applying the security measures has not been released. It is the Risk-Based Performance Standards, which is a 200 to 300 page document that DHS has drafted but has not received wide public or industry input. The date for its release is not known.
Information Protection:
Some information is designated as "Chemical-terrorism Vulnerability Information" (CVI). There are a CVI Handling Manual, web-based training, FAQs, and Work Products Guide available on the http://www.dhs.gov/chemicalsecurity website.
Each person that will need access to CVI documents will need to send a CVI User Authorization Request form and a Non-disclosure Agreement Form to the DHS CSAT helpdesk. Please note that being a CVI Authorized User does not constitute need to know. Facilities have to decide who needs to know
That concludes our introductory overview, and I will be happy to respond to your questions. I will now turn the floor back over to our Moderator.
Amy Sebring: Thank you very much Myron. Now, to proceed to your questions or comments.
[Audience Questions & Answers]
Question:
Amy Sebring: Myron, Is there any role for Local Emergency Planning Committees in this process? If not formally, then perhaps informally, perhaps in the emergency response planning?
Myron Casada: There is a requirement for "response plan." Most of the focus is on law enforcement, but I would think other emergency responders should be involved.
Question:
Aaron Morningstar: Thank you Myron, has there been a ruling on whether or not third party assessments will be allowed? Or do they have to be conducted by DHS?
Myron Casada: It is set up for assessments by the facility; however, DHS will be doing inspections and the Top-Screen process uses a DHS methodology with facility input.
Question:
Bill Thompson: Myron, I am curious how the regulations will impact health facilities. We use ETO [ethylene oxide] in the sanitizing process, and originally they had a threshold of 0. I understand it has been increased, but will even hospitals need to fill out a Top-Screen?
Myron Casada: I will look to see the new threshold. If a hospital has that quantity, they will be covered. EO is at 10,000 pounds. That amount will require registration and Top-Screen.
Question:
Bob Gold: Will facilities in compliance with the "Maritime Transportation Security Act of 2002" also be in compliance with this regulation?
Myron Casada: Yes, if you have a MTSA security plan you are exempted from this regulation. Make sure it covers all of your chemical areas, not just your dock area.
Question:
Art Francis: Myron, are there any annual review and submission requirements for SSP's?
Myron Casada: I think the requirement is bi-annual updates and addressing major changes in between.
Question:
Ed Allen: Are you aware of any DHS grant funding that is being specifically developed to support the implementation of CFATS?
Myron Casada: Not that we have seen yet.
Question:
Jonathan Clifton: Myron, who is going to determine what the security thresholds should be for a facility that provides the self-assessment?
Myron Casada: The facility reports its chemicals and facility information. That goes into Top-Screen and DHS uses it to set Tiers. The facility does an SVA and then a security plan based on the risk-based performance measures. DHS has approval rights.
Question:
Mark Wygonik: Is the draft Risk Based Performance Standard available for review?
Myron Casada: No, and that is the biggest problem I see right now. You do not need it until you start plans, but that worries me.
Question:
Sadie Whitener: Does anyone have an estimate of how many facilities nationwide may be initially affected?
Myron Casada: DHS believes that about 40,000 need to file a Top-Screen. But that was similar to their number before the list was revised.
Comment:
Stephen R Melvin: At the NASTTPO Conference last week DHS stated that they expect to end up with 7000-8000 facilities.
Myron Casada: That is the number they propose for being Tier 1 to Tier 4 (high risk).
Question:
Bill Thompson: We have a contractor who reviews and maintains our MSDS database as well as Tier 2 reporting quantities. Would your suggestion be, to a facility like a hospital, to submit the A list to them (their contractor) for comparison?
Myron Casada: I think MSDSs and Tier 2 are good starting points, as long as you are confident in them. I would also sit down with an operations and safety review team.
Question:
Fernando Arce: How does DHS determine which of the facilities are high risk? For example, does it use the CSAT-provided information only, or does it apply additional criteria not in the CSAT?
Myron Casada: For releases, it applies a process like RMP [EPA Risk Management Program], considering population. It is not clear how it will rank theft/diversion and sabotage risks. If you do not end up 1 to 4, you have nothing to do.
Question:
Isabel McCurdy: Myron, what happens when the chemicals leave the premises? Will be there a duty now to inform the cities too along its route so they can be prepared for the unexpected?
Myron Casada: Transportation risks will still be a TSA issue and are being pursued by transport mode. This regulation will not change that, except we need to see what they expect to prevent theft and diversions.
Question:
Art Francis: Is the determination for the facility based on storage capacity, actual storage at the time of assessment, or some averaging of regular reporting? Not all storage sites maintain full storage.
Myron Casada: Maximum you ever plan to have. Otherwise, you are not authorized to have it.
Question:
Vince Sakovich: How many Tier 3 and 4 facilities are expected?
Myron Casada: I hear about 100 for Tier 1. I dont have a Tier 2 number. 8000 across all tiers.
Question:
Ron Bowen: How many inspectors does DHS have to work with facilities?
Myron Casada: Less than 50 inspectors.
Question:
Mark Wygonik: Are there criminal penalties for non-compliance?
Myron Casada: Civil penalties are defined in the regulation. They can always forward something to DOJ if they see fit.
Question:
Amy Sebring: Myron, will the revised quantity for chlorine now exempt many or most municipal water suppliers?
Myron Casada: Not if they have multiple one ton containers. The threshold is at 2500 lbs.
Comment:
Stephen R. Melvin: Municipal water suppliers were exempted by the law itself.
Myron Casada: The chlorine threshold is only 500 pounds for theft and diversion. You are right about water systems. Public water systems under SDWA are exempted.
Question:
Paula Gordon: The role of DHS in the implementation and monitoring of the process would seem to require a very large workforce. Do you think that these efforts will likely be outsourced or will DHS increase its workforce?
Myron Casada: That has been pointed out several times. There is the issue of using contractors, who would not have law enforcement authority, which is what the DHS people have. They are using Federal Protective Services Agents.
Comment:
Jonathan Clifton: My understanding is that DHS contracted out the responsibilities for assessments through ICF International.
Myron Casada: DHS is hiring contract support for the Program Implementation Office. I do not see that as assessments.
Question:
Art Francis: What about underground storage sites that use natural forming domes for gas storage. Must they submit?
Myron Casada: Yes, that is clear in the new Appendix A.
Question:
Isabel McCurdy: Myron, are international chemical companies that do business with American companies subject to these standards too?
Myron Casada: Not until they store chemicals in the U.S. Seems like that gives us an economic disadvantage.
Question:
Amy Sebring: Myron, is there a process for requesting extensions for the 60 day deadline?
Myron Casada: Not that I have seen.
Question:
Aaron Morningstar: Why would contractors need law enforcement authority?
Myron Casada: It depends on what they are doing. I never understood why DHS chose law enforcement agents as their inspectors.
Comment:
Aaron Morningstar: Most likely its because FPS has the most experience and just so happens to be law enforcement, but there is a lot of security assessing going on in the federal government that is done by contractors.
Myron Casada: Absolutely, we do a wide variety of SVAs. But DHS has said they will review SVAs done by facilities, so there is no need for a large number of federal assessors.
Question:
Amy Sebring: Are there any specific cautions or recommendations you would have to those beginning this process now?
Myron Casada: Register now. Begin collecting your Top-Screen input and wait. Listen to what happens and submit on time. We think the process is likely to overwhelm the system and will get longer than planned, but you need to study the regulation now.
Question:
Amy Sebring: I have one fundamental question. Do you think these regulations will have any real impact on reducing our vulnerability?
Myron Casada: That is a great question. I have doubts in that regard, but I need to wait and see what the expectations in the performance standards are. I might be surprised.
Question:
Ron Bowen: Do you see some information currently available to SERC/LEPCs under EPCRA being restricted under these new regulations?
Myron Casada: No, the same information that is freely available under EPCRA will now be restricted under CVI by DHS. Go figure. It will remain unrestricted in forms other than this regulation.
[Closing]
Amy Sebring: Let's wrap it up for today. Thank you very much Myron for an excellent. We hope you enjoyed the experience. Please stand by just a moment while we make a couple of quick announcements.
Again, the formatted transcript will be available later today. If you are not on our mailing list and would like to get notices of future sessions and availability of transcripts, just go to our home page to Subscribe.
We are also pleased to welcome two new Partners today:
The Center for Hazard and Risk Research (CHRR) at Columbia University; http://www.ldeo.columbia.edu/chrr/; POC: Arthur Lerner-Lam, CHRR Director, Associate Director for Seismology, Geology and Tectonophysics (AND a previous presenter in the Forum). "The mission of the Columbia Center for Hazards and Risk Research is to advance the predictive science of natural and environmental hazards and the integration of science with hazard risk assessment and risk management."
We are also honored to have the Federal Reserve Bank of San Francisco - Office of Emergency Management; URL: http://www.FRBSF.org; POC: Andrea E. Davis, District OEM Manager. "The Mission of the Federal Reserve Bank of San Francisco's Office of Emergency Management is to coordinate homeland security emergency preparedness services by providing leadership, planning, technical capabilities, and resources to help the Federal Reserve better prepare for, respond to, mitigate, and recover from natural and man-made disasters, including acts of terrorism."
If your organization is interested in becoming an EIIP Partner to show your support, please see the link to Partnership for You from our home page.
Finally, before we adjourn, I would again like to mention the Rate/Write a Review feature. We would really like to test it out with today's session. You can access the form either from today's Background Page, or from our Home Page. If you do not have time to write a short review or comment, then please just take a moment to do the rating. It should take less than a minute.
Once we have the rating results, I will calculate an overall rating, and it will be posted on the Transcript Index page, Category All, in the form of 1 to 5 stars. Any reviews will be posted to the Background Page, and also linked from the index.
Thanks to everyone for participating today. We stand adjourned but before you go, please help me show our appreciation to Myron for a fine job.