EPA Risk Management Plan Midnight Rule Poses Facility Security Threats and Imposes Huge Costs
Time 11 Minute Read

Just before Christmas, the U.S. Environmental Protection Agency (EPA) released controversial regulations, titled Accidental Release Prevention Requirements: Risk Management Programs under the Clean Air Act; Prepublication Final Rule, that EPA states will “modernize” the Clean Air Act Section 112(r)(7) Risk Management Program (RMP) regulations. These 1990s-era regulations, covering about 12,500 facilities across the country, require that facilities storing certain amounts of specified chemicals develop risk management plans to prevent the accidental release of those substances into the air and mitigate impacts of accidental releases that do occur. EPA initiated these RMP rule revisions under the directive of President Obama’s August 1, 2013, Executive Order (EO) 13650, Improving Chemical Facility Safety and Security. After proposal on March 14, 2016, EPA received more than 44,000 comments, making rule issuance in just over six months’ time remarkable, especially given that the final rule and response to comments total about 600 pages.

Given national security concerns, the costs, and lack of benefits, these regulations have been cited by many as potentially worthy of Congressional Review Act action or other administrative action to pull them back once the Trump administration begins.

The final rule addresses five primary areas:

  1. Requirements to disclose to Local Emergency Planning Committees (LEPCs) and to members of the public extensive information regarding facilities’ operations and chemicals
  2. Imposition of new compliance auditing requirements, including use of a third-party auditor
  3. Expanded incident investigation requirements
  4. Increased requirements for facilities, state and local governments, and first responders to engage in practice exercises and to plan for releases
  5. Requirement for Safer Technology Alternatives Analysis (STAA)

Provided below are highlights of the resolution of key issues in the final rule.

1. Information Disclosure and National Security 

A. Issues Proposal and Government and Commenter Concerns

EPA proposed to compel release of extensive information about facilities that it stated would “better inform” communities about the risks of the facilities in their areas. See Response to Comments on the 2016 Proposed Rule Amending EPA’s Risk Management Program Regulations (March 14, 2016; 81 FR 13637) at 20, 25, 199 (Dec. 19, 2016) (Response to Comments). Even before EPA released the proposed rule [i], however, federal government stakeholders raised concerns, specifically during the Office of Management and Budget’s (OMB) pre-proposal review. For example, during the interagency review process, one sister agency commenter stated that it had “concerns regarding the sharing of all the elements listed in [proposed Section 68.210] with the public” because doing so “is essentially providing a listing of vulnerabilities” that “could be used by a terrorist to either target a certain facility or the vulnerabilities could be exploited to increase the magnitude of an attack.”[ii] Another agency commenter stated, “there are national security concerns with four data points in §68.210,” which “could assist terrorists in selecting targets and/or increasing the severity of an attack by decreasing first responder capability.”[iii]

After proposal, state law enforcement joined the chorus of concerns. Attorneys General from Louisiana and Texas filed comments raising “serious concerns” with several aspects of EPA’s proposal, including information dissemination, stating that the “information sharing provisions give us great pause.” They noted release of the information would do “nothing to prevent accidents or reduce potential harm, but likely increases the vulnerability of multiple facilities.” In July, Attorneys General from 11 states (Oklahoma, Alabama, Arizona, Arkansas, Florida, Georgia, Kansas, Nevada, South Carolina, Utah, and Wisconsin) wrote to Administrator McCarthy, alerting her to and endorsing the Louisiana and Texas Attorneys General comments. On exploitation of security vulnerabilities, they said:

The rule potentially covers … facilities in the agriculture, food processing, chemical manufacturing, oil and gas, and water treatment sectors. The safety of these manufacturing, processing and storage facilities … encompasses more than preventing accidental releases of chemicals, it also encompasses preventing intentional releases caused by bad actors seeking to harm our citizens.… [C]ompiling that information and making it easily accessible also aids those who might seek to cause an intentional release for nefarious purposes, by providing those bad actors with information that would help them both select a target and exploit any security vulnerabilities their target might have. [iv]

The Chemical Safety Advocacy Group (CSAG), an industry group, which in the spirit of full disclosure is represented by Hunton & Williams LLP, also submitted comments on these issues, noting in particular that LEPCs are often composed of volunteers that they have not been vetted for security clearance, that they have no capacity to protect information that they obtain the way a federal agency would have, and that EPA had stated in the proposal that any information obtained by local committees would also be available to the public.

          B. Final Rule

EPA deleted proposed provisions requiring disclosure of a list of specific information to LEPCs, citing concerns by states, by industry, and within the federal family. Unfortunately, this deletion was accompanied by a new provision that requires companies to provide “any other information that local emergency planning and response organizations identify as relevant to local emergency planning,” but provides no safeguards to ensure that the information is protected. Prepublication Final Rule at 204, 240, 321. EPA deleted the requirement to post information on the Internet but now requires facilities to release information based on receipt of a request from the public. Prepublication Final Rule at 40 C.F.R. § 68.210. Accordingly, the final rule’s changes to the disclosure provisions fail to address the national and facility security concerns raised by law enforcement, the Department of Homeland Security, and the regulated community.

2. Compliance Auditing/Third-Party Auditing Requirements

A. Proposal and Commenter Concerns

EPA proposed expanded compliance audit requirements, including that a company must hire an independent and impartial third-party auditor whenever a reportable accident occurred or upon a finding of noncompliance. Proposed Rule, 81 Fed. Reg. at 13,659-60. The proposal required that third-party auditors be professional engineers and that they not have any connection to the company being audited for three years prior to and after completion of an audit. Id. In addition, the proposal vastly expanded compliance auditing requirements from the prior rules by imposing them on “each covered process.” Proposed Rule, 81 Fed. Reg. at 13,704 (Proposed 40 C.F.R. § 68.58).

Industry and some state commenters objected to these requirements, noting, among other things, that (1) triggering an audit based on noncompliance would be extremely burdensome and not rationally related to when a third-party audit (or even an internal audit) is appropriate; (2) internal audit teams are actually better suited to evaluate compliance than third-party auditors; (3) the requirements to be a professional engineer are not related to whether a person is a skilled auditor and the six-year bar on affiliation with a company actually removes a highly skilled set of auditors—retired employees—from the pool of available auditors; and (4) auditing “each covered process” is unnecessary and would be extremely costly, such that statistical sampling should be allowed. See, e.g., CSAG Comments at 1-7; Louisiana et al. Comments at 1-2.

B. Final Rule

The final rule removed the noncompliance trigger but substituted in the ability for the agency responsible for the RMP program to require a third-party audit if it finds conditions that could lead to an accidental release of a regulated substance. EPA deleted the requirement for a professional engineer and allowed company personnel as members of the audit team, so long as the team is “led” by an independent third party. In addition, EPA altered the six-year ban for affiliation with the company to a four-year ban and provided that merely receiving a pension from a company would not be considered to compromise independence. Finally, EPA retained the proposed requirement that compliance audits address “each covered process.” Prepublication Final Rule at 54-61.

3. Incident Investigation Requirements

A. Proposal and Commenter Concerns

EPA proposed to require incident investigations and root cause analyses of a significantly broader set of occurrences than is covered under the existing rule. EPA proposed to revise the definition of “catastrophic release” to include a range of minor incidents that would not be catastrophic, and to require extensive investigations of each of these incidents. Commenters stated that the proposed new definition did not make sense and that expanding investigations in this manner would detract from safety overall because of dilution of resources.

B. Final Rule

EPA decided not to adopt its proposed revision of the catastrophic release definition, which means that the trigger for investigations will be correspondingly narrower. EPA retained its proposed requirement to investigate near misses, but provided no definition of that term. While EPA maintained the requirement for “root cause analysis,” it deleted the reference to management system failures in response to comments that indicated this definition inappropriately presumed a management system failure in the case of any accident, which is not always the case.

4. Practice Exercise and Planning Requirements

A. Proposal and Commenter Concerns

EPA proposed that facilities conduct annual notification and tabletop exercises with local responders and full field exercises every five years. EPA also proposed to convert facilities that had considered themselves “non-responders,” meaning that they rely on government resources in the event of an accident, to “responders,” such that these facilities would now need to obtain full fire and other incident response capability. Commenters raised numerous concerns, including that the full field exercises would be very burdensome and essentially an unfunded mandate for state and local governments. They also suggested that the frequency should be agreed upon by the responders and facilities and that EPA should not set a minimum.

B. Final Rule

While maintaining a distinction between non-responding and responding facilities, EPA deleted provisions that would have required conversion of non-responding facilities to responding facilities. EPA deleted the proposed requirement to develop an emergency response program contingent on the outcome of local coordination activities. EPA also deleted the proposed requirement to develop an emergency response program upon receiving a written request to do so from the LEPC or local response authorities.

Notification exercises are required annually, but tabletop exercises are required every 3 years and field exercises every 10 years, with the ability for more frequent exercises as determined in coordination with local responders. In response to comments, the final rule also allows responses to actual accidents to satisfy the requirement to conduct tabletop/field exercises so long as the response meets certain criteria and an after-action report is completed.

5. Safer Technology and Alternatives Analysis (STAA) Requirements

A. Proposal and Commenter Concerns

EPA proposed that companies must conduct a STAA as part of the process hazard analysis (PHA) conducted every 5 years as well as a “feasibility analysis” to show whether implementation would be feasible. EPA did not propose to require implementation of any safer technologies or alternatives, as doing so would have required the costs of the technologies to be considered in evaluating the costs and benefits of the rule. Commenters stated that STAA is only properly applied to new processes and that the trigger for conducting the STAA must be limited to instances where the PHA team recommends action be taken to address an identified risk, noting that existing controls are often better than alternative processes.

B. Final Rule

EPA rejected commenters concerns, making only one minor change in the rule, changing the word “feasibility” to “practicability.”

6. Substantial Costs and Speculative Benefits

Numerous stakeholders raised concerns about the costs of the proposed rule, focusing on EPA’s failure to: consider time required to implement new requirements (e.g., a mere 4 hours to evaluate new requirements), account for facilities with multiple covered processes, and account for local responder costs. In the final rule, EPA admitted these failures and revised estimates, some of which are orders of magnitude higher than the originals.

As to benefits, EPA admitted it was “unable to quantify what specific reductions may occur as a result of these proposed revisions.” Proposed Rule, 81 Fed. Reg. at 13,642. This concern was raised during the proposed rule’s comment period as well as the concern that EPA was double-counting the benefits accruing from OSHA’s PSM program as benefits associated with the RMP proposed rule. In the final rule, EPA simply reiterates the inability to quantify benefits because accidents “have highly variable impacts that are difficult to predict” and stating that RMP accident data and other available data show chemical accidents “impose substantial costs on firms, employees, emergency responders, the community, and the broader economy.” Prepublication Final Rule at 300; Response to Comments at 220.

[i] EPA, Accidental Release Prevention Requirements: Risk Management Programs Under the Clean Air Act; Proposed Rule, 81 Fed. Reg. 13,638 (Mar. 14, 2016) (Proposed Rule).

[ii] EPA, Interagency Communications Regarding EO 12866 Interagency Review of Risk Management Modernization, RIN 2050-AG8, Summary of Interagency Working [Group] Comments on Draft Language Under EO12866/13563 Interagency Review, at 8-9 (Jan. 13, 2016), EPA Docket No. EPA-HQ-OEM-2015-0725-0007.

[iii] Id. at 11.

[iv] Letter from Scott Pruitt, Attorney General, State of Oklahoma et al. to Gina McCarthy, Adm’r, EPA (July 27, 2016), EPA Docket No. EPA-HQ-OEM-2015-0725-0624.

  • Partner

    Chuck Knauss has been repeatedly lauded by clients in Chambers USA. From 2011 through 2023, Chambers USA has reported that Chuck impresses clients with his “extraordinary strategic and analytical capabilities—he finds ...


Subscribe Arrow

Recent Posts





Jump to Page