New Jersey's Chemical Security: Best Practices And Open Questions

On November 29, 2005, Acting Governor Codey's office announced "New Jersey Becomes First State to Require Chemical Security Measures to Protect Against Terrorist Attack." The announcement accompanied requirements pursuant to the New Jersey Domestic Security Preparedness Act. The November 29 requirements direct that chemical facilities undertake security and response capability assessments, prepare written reports of those assessments, and make the information available to the New Jersey Department of Environmental Protection ("NJDEP") and others.

Background: The New Jersey Domestic Security Preparedness Act And The New Jersey Domestic Security Preparedness Task Force

Responding quickly after the attacks of 9/11, on October 4, 2001, New Jersey enacted the Domestic Security Preparedness Act (N.J.S.A. App. A:9-64 et seq., herein "the Act"). The Act created the New Jersey Domestic Security Preparedness Task Force ("Task Force") and charged it "to preserve, protect, and sustain domestic security and to ensure a comprehensive program of domestic preparedness."1 The Task Force and NJDEP will oversee this newest safety initiative announced on November 29.

The November 29 Requirements

The November 29 requirements are set forth in a nine-page document entitled "Best Practices Standards at TCPA/DPCC Chemical Sector Facilities" signed by NJDEP Commissioner Campbell on November 21, 2005 and by Peter Harvey, the State Attorney General who is Task Force Chairman. Task Force standards, guidelines and protocols, such as the November 29 requirements, are exempt from the New Jersey Administrative Procedures Act and the pre-publication notice and comment provisions therein. The requirements provide, inter alia, that "Chemical Sector facilities," as defined therein, must comply with the Chemical Sector Best Practices.2

SVA's and Response Plans. The November 29 requirements further state that Chemical Sector facilities located in New Jersey shall, within one hundred twenty (120) days, develop a Site Vulnerability Assessment ("SVA") and make it available to NJDEP. The SVA must assess vulnerabilities and hazards that might be exploited by terrorists and must be conducted by a qualified security expert. Also, Chemical Sector facilities within New Jersey shall within 120 days develop a prevention, preparedness, and response plan ("Response Plan") that identifies the status of implementation of Chemical Sector Best Practices.

In completing the SVA and Response Plan, employers shall afford employees and their union representatives (if any) the opportunity to identify issues. The SVA and the Response Plan shall detail issues identified by employees and union representatives, and also include an Emergency Response Plan addressing issues identified by the employees, union representatives, local Office of Emergency Management and the Department of Environmental Protection.

Inherently Safer Technology ("IST"). In addition, the November 29 requirements provide that Chemical Sector facilities subject to the Toxic Catastrophe Prevention Act, N.J.S.A. 13:1K-19 et seq., ("TCPA") shall review the practicability and potential for adopting IST. The definition of IST includes reducing the amount of material that may be released, substituting less hazardous materials, using materials in less hazardous form, and designing equipment and processes to minimize potential for equipment failure and human error. This is similar to the definition of IST in Senator Jon Corzine's proposed Chemical Security Act of 2003.3

Both Senator Corzine's proposed Chemical Security Act of 2003 and the November 29 requirements mandate government-overseen IST. But risk evaluation and management is a subjective exercise best performed by process experts. For example, risk may be reduced by limiting a chemical facility's inventory which requires more frequent shipments carrying their own inherent risks. Many facilities have already reduced the risks of inventory to below the risks associated with shipping the materials. If substitution of certain materials is required, will transportation of those materials be banned? How does a process which uses nontoxic flammable materials compare with one using toxic noncombustible materials or one using noncombustible nontoxic materials but operating at a high pressure? How does material with an explosion risk compare with one with a possible risk of a long term disease such as cancer? Risk evaluation must be approached with caution. Asbestos, PCB's, chlorofluorocarbons, MTBE and underground storage tanks each was thought to be a safer technology at one time.

One expert in inherent chemical safety has written:

Regulation to improve inherent safety faces several difficulties. One, there is not presently a way to measure inherent safety. Two, the complexity of process plants essentially prevents any prescriptive rules that would be widely applicable. At most it would seem that legislation could explicitly require facilities to evaluate inherently safer design options as part of their process hazard analysis, but inherent safety would be almost impossible to enforce beyond evaluation because of unavoidable technical and economic issues.4

Information Availability and Personnel Screening and Qualification. All documents pursuant to the November 29 requirements shall be maintained on site for inspection by NJDEP or the Task Force during normal business hours, and Chemical Sector facilities shall be subject to monitoring and inspection by the Task Force. NJDEP and the Task Force shall hold all documents as privileged and confidential information pursuant to the Act (N.J.S.A. App. A:9-69.6.c and A:9-74.11.a) and the TCPA (N.J.S.A. 13:1K-29). NJDEP will handle all such documents in accordance with the requirements of TCPA regulations found at N.J.A.C. 7:31-10.8 which provides the information will be accessed only by NJDEP employees who need it and it is not subject to public access.

Implementation of these provisions must be harmonized with existing federal rules governing control of security information. Federal regulations at 49 C.F.R. Parts 15, 172 and 1520, define Sensitive Security Information (SSI) to include vulnerability assessments, security plans, inspections and investigative information, as well as other information. Those rules mandate that reasonable steps must be taken to safeguard SSI, which shall only be disclosed to a "covered person" as defined in the rules who must, in addition, possess a need to know.

At this point, it is not clear that SSI as defined by the federal rules may be made available to NJDEP and the Task Force. It is also not clear under what circumstances information required by NJDEP and the Task Force will be made available to federal agencies.

Chemical Sector facilities, NJDEP and other agencies need to take steps to ensure that state and federal instructions are not duplicative or conflicting and that sensitive information such as vulnerability assessments and response plans are accessible only to those who are screened, qualified, and have a need to know.

Other Provisions of the November 29 Requirements. The November 29 requirements state that each facility receiving a citation for violation of the federal Process Safety Management Standard, 29 C.F.R. 1910.119, must within three (3) business days forward a copy to the NJDEP. And all Chemical Sector facilities in New Jersey shall report a breach of security to the local law enforcement entity, the Office of Counter Terrorism, and the New Jersey State Police within 15 minutes of discovery and to NJDEP within 24 hours.

Other Federal And State Chemical Security Laws And Rules

The November 29 statement issued by Acting Governor Codey's office is misleading if it is read as stating that New Jersey has not previously required chemical security measures. First, the Task Force and NJDEP had already been conducting inspections pursuant to the Chemical Sector Best Practices adopted in 2003. And, in 2004, New Jersey Attorney General Harvey announced a "zero tolerance" policy for compliance by certain facilities.5

Also, the Toxic Catastrophe Prevention Act, N.J.S.A. 13:1K-19 et seq., which is referenced in the November 29 requirements, has mandated chemical security measures since it was passed in 1985. Facilities covered by the TCPA must register and they must prepare and submit risk management plans for approval by NJDEP.

Further, the New Jersey Spill Compensation and Control Act, N.J.S.A. 58:10-23.11 already requires Chemical Sector facilities to prepare and submit to NJDEP Discharge Prevention, Containment and Countermeasures (DPCC) and Discharge Cleanup and Removal (DCR) plans (DPCC/DCR plans). DPCC/DCR plans must reflect compliance with NJDEP requirements to prevent and control discharges, including standards for storage tanks, piping, drainage and containment, illumination, inspections and monitoring, housekeeping and maintenance, employee training, security, written procedures, and recordkeeping. N.J.A.C. 7:1E.

The New Jersey Pollution Prevention Act, N.J.S.A. 13:1D-35 et seq., requires facilities to identify ways to minimize hazardous substances in industrial activity. The PPA requires facilities to develop Pollution Prevention Plans, but it does not mandate that facilities implement them.

Federal rules already address aspects of security at Chemical Sector facilities in New Jersey. For example, Department of Homeland Security Coast Guard regulations impose security requirements on facilities transferring oil or hazardous substances in bulk to or from vessels on navigable waters. Those rules specify that the facilities must maintain certain equipment and procedures relating to prevention and mitigation of, and response to, discharges and other emergencies from and at these facilities. Facilities must submit response plans to the Coast Guard. 33 C.F.R. Part 154. Also, federal regulations promulgated by the Department of Homeland Security, Transportation Safety Administration, Department of Transportation and Coast Guard require vulnerability assessments and security plans. 49 C.F.R. Parts 15, 172 and 1520.

Conclusions

Since 9/11, Homeland Security and Chemical Security have been at the forefront of the news, our workplaces and daily lives. America's chemical industry has spent $2 billion improving security since 9/11, a significant portion of it here in New Jersey. Requirements of the Task Force, which are not subject to public review and comment, may cause sensitive security information to become available and may also remove decisions regarding risk from the process experts who are most qualified to make them.

1N.J.S.A App. A:9-68.
2 The Chemical Sector Best Practices were reviewed by the Task Force's Infrastructure Advisory Committee (IAC), adopted by the Task Force, approved by Governor McGreevey on September 18, 2003, and they have been used by Task Force and NJDEP in inspections and assessments of chemical sector facilities. They were made available to the general public in August 2005.
3Senator Corzine first introduced chemical security legislation in the United State Senate in October 2001. The most recent version, the Chemical Security Act of 2003 would move chemical security from the Department of Homeland Security to the Environmental Protection Agency and require chemical companies to evaluate and use Inherently Safer Technology (IST). S.157, 108th Congress, 1st Session, Chemical Security Act of 2003.
4Dr. M. Sam Mannan, PE, CSP, Mary Kay O'Connor Process Safety Center, Chemical Engineering Department, Texas Engineering Experiment Station, Texas A&M University System, "Challenges in Implementing Inherent Safety Principles in New and Existing Chemical Processes - White Paper," August 2002.
5"On June 24, 2004, the Domestic Security Preparedness Task Force adopted a 'Zero Tolerance Policy' regarding the failure to implement Best Practices at the facilities on the [Critical Infrastructure] List." Letter from Peter Harvey, New Jersey Attorney General, November 19, 2004.

Published .