Recent changes in security affect pharma facilities
By Evan Wolff, Maida Oringher Lerner, and Matthew Melewski
Chemical security in the U.S., at least at the federal level, has traditionally been the province of private sector cooperative partnerships. That changed inexorably in late 2006, when Congress shifted responsibility to the federal government. Buried within the Department of Homeland Security Appropriations Act of 2007 was a provision that, for the first time, vested the Department of Homeland Security (“DHS”) with regulatory authority over the nation’s chemical security. Charged with developing and implementing regulations to enhance the security of “high-risk” chemical facilities, DHS introduced the Chemical Facility Anti-Terrorism Standards (“CFATS”) in 2007.
The scope of this regulatory authority stretches well beyond traditional chemical manufacturing facilities. CFATS applies to every facility in the U.S. that possesses, or plans to possess, a chemical listed in the regulation at the quantity and concentration designated. Many of these chemicals are widely used in the development and manufacturing of pharmaceuticals, including:
- Ethyl ether
- Ammonia (20% or greater or anhydrous)
- Hydrogen peroxide
- Hydrogen sulfide
- Potassium permanganate
- Boron trifluoride
- Ethylene oxide
- Ethyl chloride
These chemicals and others covered by CFATS are “possessed” on site by many pharmaceutical companies. In addition, chemicals produced by pharmaceutical manufacturers in a batch process may also be covered, even though they only exist for a short period.
The provisions of CFATS impose a series of mandatory security obligations on covered facilities. In addition to compiling a detailed chemical inventory, covered facilities are required to prepare a security vulnerability assessment and a comprehensive site security plan, both of which must be approved by DHS. These requirements are also subject to tight regulatory deadlines and impose the threat of civil penalties and other injunctive relief for noncompliance. As the initial implementation of CFATS nears its final stage, organizations with covered facilities will begin to see the full impact of the regulation on their operations and their bottom line.
CFATS is a risk-based regulation that is being implemented in phases. The first step is known as the Top-Screen, a questionnaire that DHS uses to preliminarily identify so-called “high-risk” facilities. All facilities in possession of a listed chemical, in an amount in excess of the DHS significant threshold quantity, must submit this questionnaire. To date, more than 30,000 facilities have completed a Top-Screen. After reviewing the Top-Screens, DHS categorizes facilities that it determines “present a high level of security risk” by one of four risk tiers. Tier 1 facilities are deemed by DHS to pose the greatest security risk and, consequently, are required by the CFATS regulations to have the most stringent security. Tier 4 facilities, by contrast, are deemed to pose the smallest risk among tiered facilities and have less stringent security requirements. Facilities that DHS determines do not present a high level of security risk are not tiered and are not subject to CFATS. The preliminary tiering designations were mailed to facilities in mid-2008, with approximately 7,000 facilities receiving a tiering designation between 1 and 4.
After DHS provides a facility with its preliminary tiering designation, the facility is required to complete a security vulnerability assessment, or “SVA.”The SVA is intended to provide DHS with the information it needs to accurately evaluate and assess a facility’s specific circumstances, security issues and vulnerabilities. Based on the SVA, DHS will reevaluate and may adjust the preliminary tierings, taking into account many site-specific factors, such as the type of facility and any existing security and consequence mitigation measures the facility has or will implement. Many of these preliminarily-tiered “high risk” facilities — which include energy companies, pulp and paper mills, food and agricultural facilities, metal production and manufacturing facilities, and other manufacturers like the pharmaceutical industry — have submitted their SVAs to DHS and are awaiting their final tiering designations.
Site Security Plan
A facility that is still considered high risk after DHS' analysis of its SVA is required to develop a Site Security Plan (“SSP”). The SSP may be tailored to a facility’s specific circumstances and risk profile, but it must reflect appropriate risk-based measures designed to satisfy each of the 18 Risk-Based Performance Standards (“RBPS”) promulgated by DHS. Each facility will need to analyze whether its current security plan, if it has one, satisfies the RBPS, given the facility’s risk profile. If it does not, the facility will have to determine what additional security measures must be adopted to comply with the standards. Complying with the RBPS, which include standards for perimeter security and access controls as well as personnel surety and incident reporting, are likely to result in significant costs for covered facilities. For example, high-risk facilities may have to implement crash-related anti-vehicle barriers, and some may have to provide video surveillance around some or all of the perimeter of the site. In addition, facilities may have to employ on-site security forces and coordinate more closely with off-site forces.
On May 15, 2009, DHS released a guidance on developing an SSP, as well as an RBPS guidance document that details the types of security measures a facility may have to employ to meet the RBPS. Now that these guidance documents have been released, DHS has begun notifying facilities of their final tiering status. The 140 most high risk facilities (Tier 1) have already been notified, and DHS will be releasing the remaining final tiering designations in the coming months. Once apprised of their final status, facilities will have 120 days to complete and submit their SSPs.
In addition to the other procedural and substantive requirements of CFATS, each facility’s SSP must be approved by DHS. As part of the SSP approval process, DHS may enter, inspect, and audit covered facilities. To carry out these inspections, DHS has developed and trained a core group of “chemical security inspectors,” positioned throughout the country. Authorized Department officials may enter, inspect, and audit the property, equipment, operations, and records of covered facilities.
Failure to adequately comply with CFATS may have significant repercussions. DHS may order a facility to cease operations, or it may assess civil penalties of as much as $25,000 per day, per violation, if DHS determines that a facility is in violation of any regulatory requirement. This includes failure to submit the Top-Screen or failure to submit an SSP that DHS has determined meets the RBPS.
What Lies Ahead
Even after DHS issues a final tiering designation to a facility, that facility may be able to take certain actions on-site and submit new information to DHS to affect the Department’s determinations. Some tiered facilities may even be able to influence DHS to re-tier the facility or remove it from CFATS. It seems likely, however, that CFATS is here to stay. Although CFATS is set to expire in October 2009, Congress is currently working on legislation to make the program permanent. One such bill, introduced last session, would not only make CFATS permanent, but would also mandate additional safety obligations. DHS has also expressed concern that facilities that use a system of batch-processing, among them pharmaceutical facilities, are not taking into account chemicals created in the batch process, however temporary their existence may be. This is a point that DHS has been actively pursuing with the pharmaceutical industry, and one that may lead to new or clarified requirements.