During the past three years, there has undoubtedly been a run on memo pads, name badges and the other devices for setting up staff meetings. The reason: the implementation of guidelines covering the physical security of chemical plants across the United States and the world. Prodded by a general concern to improve plant security, due to liability or insurance issues, or by membership in one of several organizations that abide by the requirements of the Responsible Care program of the American Chemistry Council (ACC), Alexandria, Va., thousands of chemical plants have performed site vulnerability assessments (SVAs) to identify security weaknesses.
A comparable number have implemented capital improvements or procedural changes to enhance security. A portion of these, the high- and moderate-risk sites, again to meet the strictures of Responsible Care, have had, or are about to have, third-party verification of the completeness of their SVA and physical enhancements to comply with an ACC timetable.
“In our Texas operations, we have a team comprising security, process safety, emergency services and IS [information systems] that has met every other week since Sept. 11, 2001,” says Tom Scott, who is both director of security for the Texas operations of Dow Chemical, Freeport, Texas, and global director for emergency services and security for the corporation. This team was brought together to address the varying technical and operational issues that must be considered in the process of performing SVAs, implementing and then executing enhancements.
More than 2,000 plants, representing all those of ACC members, have completed SVAs and implemented improvements, and nearly all of them have undergone a third-party verification of the assessments and improvements. Along the way, ACC has enlarged the scope of its security guidelines; now, its members will be shooting for a June 30, 2005, deadline to review cybersecurity measures, supply-chain security (shipping and storage) and several other elements. Within the past couple years, the Synthetic Organic Chemical Manufacturers Association (SOCMA), Washington, D.C., licensed the Responsible Care program from ACC and made it a requirement for membership. So, SOCMA members have been proceeding with SVAs and related work. The National Petrochemical and Refiners Association, as well as the much larger American Petroleum Institute (API), both of Washington, D.C., have developed SVA guidelines similar to ACC’s, although neither includes a verification step.
Where all this leaves the overall chemical industry is hard to say. The U.S. Environmental Protection Agency last year put the count of chemical facilities that represent a risk to more than 1,000 nearby residents at more than 7,700. A similar analysis, but using more restrictive criteria, from the Department of Homeland Security (DHS) reckoned the number at almost 4,400. No one can say how many plants in either of these figures have undergone assessments or security hardening, but it is clear that there’s more work to be done.
SVA evolution
While some plants apparently have not had any sort of security assessment, others are contemplating the next steps or are already gearing up. Dow’s Tom Scott says that even before there was any clear requirement for updates, Dow had already begun updating its earliest assessments because it has an internal mandate to perform such reviews on a three-year cycle (and the third anniversary of Sept. 11, 2001, was five months ago). Certain aspects of the Responsible Care Management System (RCMS) — an umbrella version of Responsible Care that brings all of its features under one program — mandate periodic reviews.
One of the first methodologies for performing SVAs came out of the Center for Chemical Plant Safety (CCPS), a group under the auspices of the American Institute of Chemical Engineers (AIChE), New York. Scott Berger, director, says that the center continues to pay attention to developments in the field, but does not have an active program of refining the methodology. “Site security regularly shows up on the agenda of our meetings, and we are contributing to discussions at DHS or ACC,” he says. “Ultimately, we think there will be an all-encompassing guideline from DHS.”
At API, Cindy Gordon, security team leader, says the organization is already on the second revision of its guideline. “This is an evergreen topic; we will be revisiting it practically on an annual basis.” The guideline is evolving to adapt to new situations, such as the protection of pipelines, Gordon says. And, because its members operate all over the world, “We have a history of attention being paid to site security even before Sept. 11, 2001, from practices developed often in hostile environments.”
Improved methods
A number of private-sector initiatives are going on as well. Primatech, Columbus, Ohio, a risk and environmental consulting firm, has adapted several SVA methodologies, says Paul Baybutt, president. “The first types of SVAs were either ‘asset-based’ or ‘scenario-based.’ People with a security background are comfortable with the former, and people with a process safety background are comfortable with the latter,” he says. Asset-based evaluations begin with the identification of a particular item that poses a risk — a fuel storage tank, say — and then look to build security around it. Scenario-based methods start with a likely threat, such as a truck bomb or intrusion, and then look at potential outcomes.
Primatech has developed a methodology that is a blend of the two, which can be helpful in addressing the perspectives of both security and process-safety people. Called the “sneak path” methodology, it originated in guided-missile security. “By blending the two approaches, you can sometimes uncover deeper detail,” he says. The company has used it in SVAs that it performs for chemical-industry clients.
Another upgrade to SVAs is that they are now computer-based. The earliest versions were simply templated sheets that allowed the security manager to list risks or security problems, rank them numerically and derive some type of overall risk assessment. Shortly after the CCPS guideline was codified, Dyadem International, Toronto, in alliance with CCPS, took the guideline and organized it as a database and analysis tool, called SVA-Pro. “Your SVA can become the most important asset your company has in the event of an incident or attack,” says Kevin North, executive vice president for the company. “You don’t want to have it as a scattered pile of word-processing documents and spreadsheets.”
Besides organizing and storing the data and entries that a security team would put into an SVA, SVA-Pro has libraries of asset information and scenarios loaded into it, which is the result of studies that Dyadem has done for clients, as well as literature surveys and the like. Security analysts can use these libraries as a baseline for specific plants or situations.