Chemical Facility Anti Terrorism Standard (CFATS) came into force on Nov. 20, 2007 as a Federal Regulation under 6 CFR 27. This set into motion the process of assessing threats to chemical plants and refineries in the U.S.
Step 1: Is Your Facility Covered?
Under CFATS, if a facility posses a chemical of interest (COI) above a certain threshold quantity (TQ), it must submit a Top Screen to assist Department of Homeland Security (DHS) in screening for high-risk facilities. DHS reviews the submission to make an initial determination if a facility is high-risk and categorizes it into a risk tier (Tier 1, 2, 3, 4). To view COI and corresponding TQ click here.
If your facility has COI above TQ, you should have submitted top screen via Chemical Security Assessment Tool (CSAT) by January 2008.It is expected that around 40,000 top screens have been submitted to DHS. DHS plans to track facilities by checking their business records to verify if they are covered and have not submitted top screen. Facilities that plan to have a COI above TQ on-site at some future time are encouraged to file a Top Screen.
Step 2: Understand the Risks
The results from the Top Screen allow DHS to assign facilities to a preliminary risk tier and make an initial determination of facilities at higher risks. High-risk facilities are notified by DHS and these facilities must complete a Security Vulnerability Assessment (SVA) – i.e. analysis of high-risk scenarios, threat characterization, and associated risk reduction measures. The actual determination of high-risk status and the actual Tier ranking is made by DHS after SVA is submitted.
Tiers 1, 2, and 3 must use CSAT SVA tool to conduct SVA. Following the submission of the SVA, DHS will determine if the facility is indeed high-risk and it will notify the facility of its exact risk tier.
Step 3: Developing Site Security Plan (SSP)
Facilities determined as high-risk by DHS following a review of their SVA should prepare a Site Security Plan (SSP). Instructions for preparing Site Security Plan (SSP) were released in May 2009. SSP should document how a high-risk facility meets (or intends to meet) the requirements of the 18 Risk Based Performance Standards (RBPS). RBPS guidelines include restrict area perimeter, screen and control assets, etc., and are intended to serve as a guidance. Preparation of SSP and submission thus appears to be a documentation exercise – it may be tedious but not difficult.
The RBPS document provides very general guidance on most topics but at the same time DHS is prohibited from providing specific guidance. However, it is fair to say that RBPS guidelines reflect DHS’ view on various security measures.
Once the SSP is submitted, DHS will notify the facility if the SSP is approved, or if it requires revision. DHS will work with facilities on revisions. Once the SSP is approved it becomes essentially a contract between DHS and the facility and will provide the basis for future facility inspections.
The SSP does not correlate directly with the RBPS and thus at the end of SSP submission a facility owner is not able to analyze the additional work needed to meet RBPS requirements. Thus an on-going task for facility security manager would be to figure out gaps between their existing security measures in place and the RBPS requirements.
For detailed information on Chemical Security, please refer to an excellent blog by Patrick Coyle.
If you have any specific questions about applicability of chemical security regulations to your facility, please contact me.