APPENDIX I:  SECURITY AND VULNERABILITY ASSESSMENT GUIDELINES

 

PURPOSE

The following Security and Vulnerability Assessment (SVA) Guidelines provide guidance for performing SVA’s of stationary sources subject to the California Accidental Release Prevention (CalARP) Program within Contra Costa County.  A SVA identifies security weaknesses and vulnerabilities that could result in an unanticipated release of a regulated substance, or other extremely hazardous substance, following terrorist and/or sabotage activities.

BACKGROUND AND APPLICABILITY

The CalARP regulations require that stationary sources with Program 2 and Program 3 covered processes include consideration of external events as part of the hazard reviews and process hazard analyses of their stationary sources that contain regulated substances [Title 19 CCR 2755.2(d) and Title 19 CCR 2760.2(c)(8)].  These SVA guidelines have been developed by the Security Committee of the Contra Costa County CAER Group to assist industry in preparing the required security and vulnerability assessment(s).

These guidelines apply to all stationary sources with Program 2 and Program 3 covered processes.

SVA METHODS

CCCHSD is recognizing specific methods that can be used to perform an SVA.  The accepted methods at the time of writing this guidance revision are:

  • American Institute of Chemical Engineers Center for Chemical Process Safety:  Guidelines For Analyzing And Managing The Security Vulnerabilities Of Fixed Chemical Sites
  • Department of Justice – Sandia Labs:  Chemical Facility Vulnerability Assessment Methodology,
  • Department of Justice – Sandia Labs:  Risk Assessment Methodology for Water Systems (RAM-W)
  • American Petroleum Institute/National Petrochemical and Refiners Association Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries
  • Synthetic Organic Chemical Manufacturers Association, Inc. (“SOCMA”):  Manual on Chemical Site Security Vulnerability Analysis Methodology and Model
  • Air Products:  APCI Security Vulnerability Assessment
  • BASF Security Vulnerability Assessment (SVA) Methodology & Enhanced Security Implementation Management
  • ExxonMobil:  Chemical Facilities Safeguards and Security Risk Assessment Methodology
  • Georgia Pacific: Security and Vulnerability Assessment

CCCHSD can revise the list of accepted methods when new methods become available (e.g., API/NPRA SVA Method) or new information is available to change the list of accepted methods.  Any other method that a stationary source may want to use needs prior approval by CCCHSD.

The different SVA methods listed above should allow the SVA reviewer(s) performing the assessment to choose the most appropriate assessment method(s) for each stationary source or covered process within a stationary source.

CCCHSD recommends that the SVA be performed for the entire stationary source.  When the SVA has been completed, the results of the SVA should be assessable for the Program 2 hazard review and/or the Program 3 process hazard analysis so that the results are available for consideration.  CCCHSD is also recommending that the stationary sources work closely with local, state, and federal law enforcement agencies during the SVA.

Qualifications that the owner should consider for the SVA reviewer(s) include:

  1. Ability to determine the vulnerabilities for the types of systems being reviewed, including the chemicals being used and the likelihood of the stationary source being a terrorist target
  2. Ability to determine the security lapses
  3. Previous applicable SVA evaluation experience

The overall performance objective is to make the stationary source an unattractive target either by decreasing the overall vulnerabilities or increasing the overall security of the stationary source.

Completion of Recommended Action Items 

Stationary sources must develop a process to decide to implement or not implement all SVA recommended action items and the results of recommendations for additional study. This process must include the justification for not implementing any recommended actions.  Federal OSHA provided guidance for justifiably declining recommendations from incident investigations in the September 1994, OSHA Instruction CPL 2-2.45A CH-1. These criteria have since been applied to recommendations formulated during PHA’s.  NOTE: Additionally, CCHS encourages stationary sources to consider the impact on surrounding communities when declining recommendations.

  • The analysis upon which the recommendation is based contains material factual errors
  • The recommendation is not necessary to protect the health and safety of the employer’s own employees, or the employees of contractors
  • An alternative measure would provide a sufficient level of protection
  • The recommendation is infeasible

Cal/OSHA issued the following clarification in Part 4 of the June 1994 Process Safety Management Guidelines.  “…Cal/OSHA’s intent is that an employer is required to implement the teams’ findings and recommendations except to the extent that an employer can document that an alternative will be at least as effective or efficient in addressing the safety concerns that are the subject of those findings and recommendations”. 

CCCHSD AUDIT AND REVIEW OF SVA’S

CCCHSD may audit and review the stationary sources’ SVA process when an audit or inspection is performed at the stationary source.  CCCHSD will review documentation associated with the SVA that is to be maintained by the stationary source that includes the following items:  

  • Type of SVA method used by the stationary source to ensure that a recognized methods is being used  
  • The qualifications of the SVA reviewer(s) to perform the assessment  
  • Evidence that an action plan was developed to address the recommendations from the SVA  
  • How a stationary source will determine when a recommendation will not be addressed  
  • How the stationary source is tracking the actions that are being taken to address the recommendations from the SVA  
  • The status of the action plan 

CCCHSD will not review the actual recommendations that have been developed by the stationary source.  CCCHSD will not take with them any material that pertains to an SVA.  CCCHSD will allow the stationary source to review CCCHSD’s written findings to ensure that security-sensitive information associated with the stationary source will not be compromised.

 

Security and Vulnerability Assessment Guidelines January 8, 2004