Linking Site Security and Inherent Safety
August 14, 2000
The Honorable Janet Reno
Attorney General of the United States
Department of Justice
950 Pennsylvania Ave., NW, Room 4545
Washington, DC 20530-0001
Dear Attorney General Reno:
The Department
of Justice has asserted, in response to chemical industry lobbying,1
that extremely hazardous substances (EHS) at industrial facilities
present attractive targets for criminal activity.2 The Agency for
Toxic Substances and Disease Registry confirms that site security
at chemical-using industries ranges from fair to very poor.3
For these
reasons, Congress directed the Department of Justice, in consultation
with government, industry, and the public, to report on "actions,
including the design and maintenance of safe facilities, that are
effective in detecting, preventing, and minimizing the consequences
of releases of regulated [extremely hazardous] substances that may
be caused by criminal activity." Congress further directed the Department
to make "recommendations…for reducing vulnerability of covered stationary
sources to criminal and terrorist activity". Congress directed the
Department to produce an interim report by August 5, 2000.4 The
Department did not meet this non-discretionary deadline.
Environmental,
labor, and public health organizations have vigorously supported
a serious reduction in the potential for on-site and off-site consequences
of chemical fires and explosions at EHS facilities. Our organizations
have, in particular, championed the use of inherently safer design
to reduce and eliminate chemical hazards that may be wholly unnecessary.
We strongly
urge the Department not to limit its review and recommendations
to the reactive control of existing EHS hazards. Rather, the Department
should include, as the option of first resort, the possibility of
reducing, eliminating, or removing these hazards. This proactive
approach is consistent with the Department's new emphasis on preventing,
rather than simply responding to, terrorism and other crimes.
The advantages
of preventive design are widely acknowledged, but seldom acted upon.
For example, the "Handbook of Loss Prevention and Crime Prevention"
notes that:
"All
too frequently insufficient consideration is given to security
factors before and during construction; security protection is
too often added as an afterthought, if at all." The author recommends
that "model security codes must be established and built into
all new construction."5
Further,
the Environmental Protection Agency (EPA) recently encouraged EHS
users to consider that:
"Facility
and process design (including chemicals used) determine the need
for safety equipment, site security, buffer zones, and mitigation
planning. Eliminating or attenuating to the extent practicable
any hazardous characteristic during facility or process design
is generally preferable to simply adding on safety equipment or
security measures."6
We therefore
respectfully urge the Department in its recommendations to Congress
to:
- Incorporate
hazard reduction as a fundamental component of terrorism and crime
prevention at EHS facilities as a first resort, and;
- Propose
mandatory, uniform model safety and security standards for hazards
that cannot be reduced or eliminated.
To back
up these prevention policies and security standards, we urge the
Department to:
- identify
appropriate legal means to codify terrorism prevention standards,
including an annex to the Risk Management Planning (RMP) program;7
- intensify
compliance assistance and enforcement at EHS facilities, including
facilities covered by the RMP program, and;
- encourage
worker involvement in systems of safety analysis and prevention-oriented,
root cause investigations of EHS incidents and near misses.
Following
a prevention hierarchy, EHS facilities first reduce or eliminate
the hazard where feasible, before using add-on secondary containment,
control, or mitigation equipment and improving site security to
address remaining vulnerabilities. As a last resort, enhanced buffer
zones separate EHS facilities from surrounding areas and sensitive
populations (such as schools, residences, or hospitals).8
We do not
suggest that safer design can avoid every safety and security hazard.
In fact, even the best security systems will be breached and the
best safety systems will fail. Therefore, we suggest that safer
design should be the first alternative in the hierarchy of safety
and security options: first prevent, then control,
then mitigate, and only last, buffer.
Add-on
security measures (such as guards, alarms, and access controls)
frequently are costly. In contrast, inherently safer design can
help firms to simultaneously control costs and improve security
and reduce hazards. While best considered during design,
existing plants can retrofit many inherent safety features.
We recognize
that the Department may not view preventive design as within its
traditional field of expertise. Certainly local police and security
consultants often know little about inherently safer design for
EHS facilities. We therefore urge the Department to actively obtain,
as needed, necessary expertise on design for inherent safety and
security, both to report to Congress and to assure sufficient long-term
access by local, state, and federal security agencies to such expertise.
The chemical
process industry's leading expert in inherently safer design, Trevor
Kletz, has identified more than a dozen ways to reduce hazards by
improving plant design:9
- Intensification
minimizes inventories of hazardous materials.
- Substitution
replaces hazardous materials with safer materials.
- Attenuation
uses hazardous materials under the least hazardous conditions.
- Limitation
changes designs or conditions to reduce potential effects.
- Simplification
reduces complexity to reduce the opportunity for error.
- Other
means include using designs that: avoid potential "domino"
effects; make incorrect assembly impossible; tolerate misuse;
keep controls and computer software easy to understand and use;
keep process status clear; have well-defined instructions and
procedures; employ passive safety; and minimize hazards throughout
the material's life-cycle.
While these
measures target non-criminal releases, the principle "what you don't
have, can't leak" applies equally to criminal releases. The Department
should foster facility-specific national benign by design
standards for EHS facilities to eliminate or reduce features that
allegedly make a plant attractive to criminals or that require costly
add-on security arrangements. (Please refer to the attached list
of Minimum Safety and Security Standards for EHS Facilities.)
In addition
to the concerns raised above, some observers claim that persons
outside an EHS facility could seize control electronically of key
safety systems and cause a release. The Department should evaluate
this claim and, if it is valid, ensure that EHS facilities effectively
counter such computer intrusion. In all areas, the Department should
fully and publicly document vulnerabilities, if any, and methods
used to prevent and counter specific threats.
Finally,
increasing electronic commerce may raise EHS security issues that
parallel the Department's previously stated Internet disclosure
concerns. We urge you to review industry plans for a one-stop "e-marketplace"
that will present unmonitored purchasing opportunities and connect
the supply chain of chemicals worldwide. We urge you to address
such Internet activity in your review and recommendations, to the
same degree that the Department scrutinized public communication
of EHS hazards on the Internet, and to apply parallel standards
of disclosure.
As you
are no doubt aware, we are dismayed with the Department's role in
impeding community right-to-know about chemical industry dangers
while taking no apparent steps to eliminate these hazards at the
source. We look forward to your Department's report to Congress,
now overdue, as an opportunity to recommend affirmative steps for
worker and community safety through hazard reduction and improved
security at EHS facilities.
Sincerely,
John Chelen
Center for Public Data Access
Lois Epstein
Environmental Defense
Stuart Greenberg
Environmental Health Watch
Frank D. Martino
International Chemical Workers Union Council/UFCW
Thomas Natan
National Environmental Trust
Rick Engler
New Jersey Work Environment Council
Boyd Young
Paper, Allied-Industrial, Chemical, and Energy Workers International Union
Robert K. Musil
Physicians for Social Responsibility
Carl Pope
Sierra Club
Mike Wright
United Steelworkers of America
Jeremiah Baumann
U.S. Public Interest Research Group
Paul Orum
Working Group on Community Right-to-Know
For more information, please contact:
Paul Orum, Working Group on Community Right-to-Know
218 D Street, SE * Washington, DC 20003 * (202) 544-9586
CC: Carol Browner, Administrator, U.S. Environmental Protection Agency
Attachment: Minimum Safety and Security Standards for EHS Facilities
Notes:
1. Chemical Manufacturers Association, The Terrorist Threat in America,
1998; also, Arthur F. Burk, Communication of Risk Management Plan
Information: Some Principles & Concerns, March 4, 1997; also U.S.
Environmental Protection Agency, Final Report of the Electronic
Submission Workgroup (Section 2: Access System), 1997.
2. Federal Register, Volume 65, p. 24833, and supporting documents,
April 27, 2000.
3. Agency for Toxic Substances and Disease Registry, Industrial
Chemicals and Terrorism: Human Health Threat Analysis, Mitigation
and Prevention, 1999.
4. Chemical Safety Information, Site Security and Fuels Regulatory
Relief Act of 1999, Section 3(a)(xi).
5. Lawrence J. Fennelly, Handbook of Loss Prevention and Crime Prevention,
Second Edition, 1989, p.35.
6. U.S. Environmental Protection Agency, Chemical Safety Alert,
Chemical Accident Prevention: Site Security, February 2000 (EPA-K-550-002),
p.3.
7. Clean Air Act Amendments of 1990, Section 112(r).
8. Senator Frank Lautenberg, United States Senate, Chemical Security
Act of 1999 (S.1470).
9. Trevor Kletz, Process Plants: A Handbook for Inherently Safer
Design, 1998.
Minimum Safety and Security Standards for EHS Facilities*
Uniform security design codes for extremely hazardous substances
(EHS) at industrial facilities should protect workers and communities
from criminal activity that targets EHS chemicals. Such codes should
follow a prevention hierarchy and strictly regulate the design,
construction, materials, location, operation, and maintenance of
EHS facilities. If terrorism at chemical plants is a legitimate
concern, then standards should address, at a minimum, each of the
following elements:
- Crime
Impact Forecasts determine the potential worst-case impact
from terrorism involving EHS materials, in terms of injuries,
deaths, and property damage on-site and off-site.
- Safer
Design Studies weigh inherently safer alternatives and security
needs during design both prior to construction and major reconstruction
at EHS sites, and during safer redesign of existing security risk
facilities.
- Policy
Statements commit companies to determine if chemical hazards
can be readily reduced or eliminated before analyzing risks and
potential consequences of these hazards, and help engage senior
managers and full corporate resources in design for safety and
security.
- Architectural
Design Standards ensure that architects incorporate safer
design and security elements into new construction, reconstruction,
and redesign of EHS areas.
- Construction
Materials Guidelines specify materials that are appropriately
resistant to fire, blast, and forced entry, among other safety
and security concerns.
- Materials
Accounting makes evident any theft of EHS chemicals, facilitates
site safety and prevention planning, and helps managers to keep
unwanted substances out of a facility (the hazardous materials
pharmacy concept).
- Security
Records Systems document security deficiencies, malfunctions,
case reports, and corrective actions in a written retrievable
format sufficient to support planning, budgeting, and maintenance
schedules.
- Administrative
Controls ensure that facilities operate within design capacity,
and eliminate or reduce chemical hazards through mandatory review
of: proposed process changes; EHS purchases; order frequency and
volume; and chemical uses.
- Security
Lighting provides protective illumination in all weather,
including through secure automatic auxiliary systems and power
sources (such as generators or batteries), underground circuits,
and redundant wiring.
- Intrusion
Detection Systems and Alarms protect EHS operations by detecting
motion, heat, smoke, sound, or pressure at the facility perimeter,
in critical areas (such as computer centers and EHS areas), and
at all potential access points (such as doors, windows, floors,
roof hatches and skylights, gates, manholes, drains and discharge
outfalls, adjoining buildings, and air vents).
- Physical
Barriers prevent unauthorized access by persons and vehicles
(including air and watercraft) through building design, well-maintained
and monitored fences, walls, truck barriers, locks, window bars,
safety glass, etc., including compartmental barriers around EHS
areas.
- Projectile
Shields protect EHS tanks and vessels from airborne and propelled
explosive devices and projectiles (as well as from blast fragments).
- Emergency
Exits ensure that workers can quickly vacate buildings and
grounds through clearly marked and maintained exits. Self-contained
alarms and warning signs prevent non-emergency use.
- Blast
and Fire Safe Control Rooms and Safe Rooms protect workers
and visitors from explosions and fires that originate from criminal
activity or plant design, and contain breathing devices, first
aid supplies, and secure independent external communications.
- Cyber
Barriers block persons outside a facility from electronically
manipulating computers that control critical valves, pressures,
temperatures, facility access, and other safety systems (using
cyber "firewalls," encryption, and electronic pass keys with changing
codes).
- Physical
Computer Security safeguards critical computer systems through:
fire/water/blast safe construction; access controls; dedicated
security officers; safe distances from EHS hazards; secure air
vents safe from EHS gas leaks; fully-compatible backup computers
and expertise; backup electricity and communications, and; automatic
shutdown capabilities.
- Failsafe
Computer Backup Systems independently monitor critical security
and safety systems and take over to prevent catastrophic failure.
- Closed
Circuit TV maximizes intrusion-monitoring capabilities.
- Add-on
Safety Equipment contains, controls, and mitigates releases
(such as containment buildings, water spray curtains, automatic
shutoff valves, and blast mitigation barriers).
- Safe
Shutdown Procedures enable operators to shut down facilities
in emergencies; they must be clearly documented, simple, and robust
enough to function in urgent situations, including clear procedures,
exercises, and authority.
- On-site
Response Teams shut down or reestablish power or water, contact
outside assistance (police, fire, medical, bomb squad), provide
first aid, direct evacuations, and operate and troubleshoot backup
computer systems.
- Joint
Response Planning coordinates, revises, and exercises response
plans with local emergency responders and planning committees
(LEPCs), addressing emergency notification and response, hazmat
response teams, decontamination facilities, drills, evacuation
routes, medical care and pharmaceutical stockpiles, trauma counseling,
community restoration, emergency resources, and additional elements
listed in Section 303 of the Emergency Planning and Community
Right-to-Know Act.
- Transportation
Planning reduces hazards through delivery route planning (avoiding
tunnels, downtown areas, and sensitive populations), random timing,
alternate routes, driver training, security escorts, equipment
maintenance, secure valves, compatible cargoes, and appropriate
volume packaging.
- Testing
and Maintenance Schedules ensure that firms evaluate security
equipment and systems, including periodic fire and emergency drills,
and daily review of grounds, fences and barriers, utilities, backup
systems (such as lighting and computers), fire and intrusion detection
systems, alarms, sprinklers, and other security elements.
- Access
Controls address personal identification and clearance, key
control, parcel inspection, metal detection, visitor logs, escorts
for outside service vendors, remote locks, and lock change schedules
(including upon changes in employees).
- Security
Device Standards specify suitable materials, hardware, construction,
inspection, and maintenance of locks and frames.
- Secure
Backup Utilities ensure continuous safety and emergency response
capabilities upon loss of electricity, telephones, water, sewers,
or cyber systems, including redundant wiring (on-site and incoming),
secure electrical panels, and backup generators.
- Grounds
Maintenance and Landscaping keep EHS zones and sightlines
free from obstructions, such as double fences with vegetation-free
medians.
- Guard
Force Requirements ensure sufficient and well-prepared staffing,
with accurate and updated written duties and standards for supervision,
training, and performance evaluation.
- Certified
Training prepares and certifies security and other staff on
safety, fire protection, weapons, bomb threats, hostage situations,
arson, access controls, security devices, first aid, self defense,
case reports and records, communications, human relations, and
special training on EHS dangers and response.
- Labor
Dialogue ensures that workers are involved in security problem
solving.
- Theft
Prevention Guidelines ensure that firms track and safely store
EHS materials to prevent theft, and address legal liability for
harm associated with inadequate theft and fraud prevention.
- Financial
Analysis Standards ensure that prevention investments receive
comprehensive treatment during the capital budgeting process,
including costs of EHS operations avoided through specific projects
(such as heightened security, liability, regulatory compliance,
add-on safety equipment, and remedial cleanups).
- Line
Item Security Budgeting informs senior managers about security
costs for EHS operations in existing and proposed projects.
- Internal
Security Audits periodically assess security systems and safer
alternatives.
- Certified
Third-party Audits regularly review security systems and propose
safer alternatives.
- Buffer
Zone Setback Guidelines provide land use planners and zoning
boards with guidelines for establishing sufficient separation
between EHS facilities and public receptors such as schools, homes,
day care centers, sports arenas, shopping malls, major highways,
businesses, and hospitals.
* These
safety and security elements are derived from, among other sources:
Lawrence J. Fennelly, Handbook of Loss Prevention and Crime Prevention,
Second Edition, 1989; and Russell L. Bintliff, The Complete Manual
of Corporate and Industrial Security, 1992. Elements related to
inherent safety are derived from, among other sources: Trevor Kletz,
Process Plants: A Handbook for Inherently Safer Design, 1998.