Primatech

PT Notes

EPA RMP Rule Amendments - Third-Party Compliance Audits

PT Notes is a series of topical technical notes on process safety provided periodically by Primatech for your benefit. Please feel free to provide feedback.

This PT Note describes amendments to EPA's Risk Management Program (RMP) regulation relating to compliance audit requirements that are part of the prevention program.

The existing RMP rule requires that facilities with Program 2 and/or Program 3 processes conduct self compliance audits every three years. An amendment to the rule provides that, in specific situations, these audits be performed by a third-party, or a team led by a third-party. Owners and operators must ensure that third-party auditors meet qualification criteria and are given certain responsibilities. Also, requirements are specified for third-party audit schedules, reports, findings, and recordkeeping.

EPA believes that an independent, third-party perspective can provide a fresh perspective and insight on the facility’s risk management program that otherwise may not be available during an internal compliance audit. EPA intends third-party auditing to improve auditing practices and outcomes by correcting biases associated with self-auditing.

EPA expects third-party auditing to ensure that regulated entities take reasonable measures to assess and ensure their own compliance. Thus, third-party audits are intended primarily to benefit owners and operators in determining whether facility procedures and practices comply with the prevention program requirements of the RMP rule and are adequate and being followed. EPA believes they will help by identifying both actual noncompliances as well as operational or equipment deficiencies, previously-unidentified risk factors, and accident release and/or regulatory noncompliance precursor conditions which, if uncorrected, could lead to releases and/or enforcement actions.

EPA expects that proactively addressing deficiencies, risk factors, and precursor conditions to accidental releases and regulatory noncompliance will provide financial, regulatory, and environmental benefits for facility owners and operators and communities.

Notably, when the requirement for a third-party audit is triggered, it applies not only to the process that triggered the requirement but also to all other covered processes at the facility. However, EPA noted that such third-party audits simply replace the next scheduled self-compliance audits, which must address each covered process.

Meaning of Third-Party Audit

A definition of third-party audit has been added to the amended rule. It is defined to mean a compliance audit conducted pursuant to the requirements of the existing RMP rule and performed or led by an entity (individual or firm) meeting competency and independence criteria described in the amended rule. Thus, third-party audits are similar to the self compliance audits already required by the existing RMP rule but they are led by a third party.

Third-Party Audit Applicability

EPA has targeted third-party audit requirements at facilities that have had an RMP reportable incident that may demonstrate weaknesses in prior self assessments and at facilities of heightened concern for implementing agencies.

Under the amended rule, regulated entities for Program 2 and Program 3 processes must either engage a third-party auditor or assemble an auditing team led by a third-party auditor to conduct the next required compliance audit when:

• An accidental release has occurred from a covered process at a stationary source that meets the five-year accident history criteria specified in the rule, or
• An implementing agency requires a third-party audit due to:
  • Conditions at the stationary source that could lead to an accidental release of a regulated substance, or
  • When a previous third-party audit failed to meet the competency or independence criteria of the amended rule.

When a facility has an accidental release or noncompliance that could lead to an accidental release of a regulated substance, EPA has determined that further self-auditing may be insufficient to prevent accidents and ensure safe operation. Hence, the requirement for third-party audits. EPA believes this approach will improve public safety overall by preventing future accidents at the source.

An implementing agency may determine that a third-party audit is necessary following inspections, audits, or facility visits, if conditions are observed at the stationary source that could lead to an accidental release of a regulated substance. The implementing agency may choose to take other action following an inspection, as appropriate.

Conditions that could lead to an accidental release may include, but are not be limited to, significant deficiencies with process equipment containing regulated substances, such as unaddressed deterioration, rust, corrosion, inadequate support, and/or other lack of maintenance that could lead to an accidental release. The presence of small ‘‘pinhole’’ releases, that do not meet the criteria for the five-year accident history for RMP accidental releases, could also constitute conditions that could lead to a larger accidental release of a regulated substance. The occurrence of several prior accidental releases at or from a facility that did not meet the reporting criteria for the five-year accident history could also constitute conditions which could lead to potentially more severe accidental releases. These releases may be a potential indicator that an owner or operator is not complying with RMP prevention program requirements and would benefit from a third-party audit to prevent future accidental releases.

Third-Party Auditors and Auditing Teams

The owner or operator must:

• Engage a third-party auditor meeting all of the competency and independence criteria specified in the amended rule (see later), or
• Assemble an auditing team, led by a third-party auditor meeting all of the competency and independence criteria specified in the amended rule. The team may include:
  • Other employees of the third-party auditor firm meeting the independence criteria specified in the amended rule, and
  • Other personnel not employed by the third-party auditor firm, including facility personnel.

Other personnel may be current or former facility personnel, personnel from other facilities owned or controlled by the owner or operator, and/or any non-independent second or third-party consultants or contractors that the owners or operators choose to include on the auditing teams, for example, because of their specialized expertise. In addition, the auditing teams may include other employees of the third-party auditor firm who meet the independence criteria.

Other personnel need not individually meet the amended rule’s third-party auditor competency and/or independence criteria as long as the independent third-party audit team leader, pursuant to his/her evaluation of audit team member competencies, determines that the full audit team includes all of the competencies required to successfully complete the audit pursuant to the requirements in the rule.

EPA clarified that retired employees qualify as third-party auditors when the retired employee’s financial attachments to the company are limited to retirement and/or health plans.

This approach allows qualified personnel from other regulated facilities or company employees to participate in the audit and enables facility personnel to provide input during the compliance audit.

EPA believes that the flexibility of the approach for assembling a third-party audit team that includes both independent and facility personnel will allow facilities to continue to conduct RMP and PSM audits simultaneously, as appropriate.

EPA believes that facility-specific experience can contribute insights that independent auditors lacking such experience would be unlikely to contribute. However, EPA also believes that the ‘‘fresh eyes’’ and perspectives that third-parties contribute to audit teams are important. EPA referenced empirical research that shows independent auditors who lack prior facility-specific experience can actually produce better audit outcomes than personnel with prior site-specific experience. Independent personnel can audit facilities with ‘‘fresh eyes’’ and thus may be more likely to identify issues of concern. Moreover, familiarity with a facility weakens an auditor’s independence and can compromise audit outcomes. It can lead to complacency that reduces the effectiveness of an audit.

Such human behavioral and psychological influences on auditing have led EPA, although not expressly required by the rule, to encourage owners or operators, when assembling both third-party audit teams and conducting self-audits under the RMP rule, to include on their teams a mix of personnel previously familiar, and unfamiliar, with the specific facilities they are tasked with auditing.

Third-Party Auditor Qualifications

EPA’s goal in specifying criteria for auditor qualifications is to ensure clarity and objectivity as to the minimum expected standards that third-party auditors must meet for competency and independence. EPA believes that such criteria are necessary to ensure that owners and operators are able to successfully identify and engage fully qualified, competent and independent third-party auditors.

Owners and operators are responsible for determining and documenting that the third-party auditors are qualified pursuant to the amended rule’s requirements. The owner or operator must determine and document that the third-party auditor(s) meet the following requirements:

• Competency requirements. The third-party auditor(s) shall be:
  • Knowledgeable with the requirements of the RMP rule.
  • Experienced with the stationary source type and processes being audited and applicable recognized and generally accepted good engineering practices.
  • Trained and/or certified in proper auditing techniques.
• Independence requirements. The third-party auditor(s) shall:
  • Act impartially when performing all auditing activities.
  • Receive no financial benefit from the outcome of the audit, apart from payment for auditing services. Retired employees who otherwise satisfy the third-party auditor independence criteria may qualify as independent if their sole continuing financial attachments to the owner or operator are employer-financed or managed retirement and/or health plans.
  • Not have conducted past research, development, design, construction services, or consulting for the owner or operator within the last two years. Consulting does not include performing or participating in third-party RMP audits. An audit firm with personnel who, before working for the auditor, conducted research, development, design, construction, or consulting services for the owner or operator within the last two years as an employee or contractor may meet the requirements of this subsection by ensuring such personnel do not participate in the audit, or manage or advise the audit team concerning the audit.
  • Not provide other business or consulting services to the owner or operator, including advice or assistance to implement the findings or recommendations in an audit report, for a period of at least two years following submission of the final audit report.
  • Ensure that all third-party personnel involved in the audit sign and date a conflict of interest statement documenting that they meet the independence criteria of the amended rule.
  • Ensure that all third-party personnel involved in the audit do not accept future employment with the owner or operator of the stationary source for a period of at least two years following submission of the final audit report. For purposes of this requirement, employment does not include performing or participating in third-party audits.

Only the individual leading the third-party audit team is subject to both the competency and independence criteria. Other employees of the third-party auditor firm that participate on the team need only meet the independence criteria.

The qualification criteria do not apply to other personnel, not employed by the third-party auditor firm, that participate on the auditing team (e.g., facility personnel).

Third-party auditors are required to have written policies and procedures to ensure thatall personnel comply with the applicable competency and independence requirements.

EPA stated that third-party auditors can meet the requirement to be knowledgeable with the RMP rule requirements, and the requirement to be experienced with the stationary source type and processes being audited and applicable recognized and generally accepted good engineering practices, through a variety of ways, including prior experience and training. Also, EPA noted that third-party auditors can meet the requirement to be trained or certified in proper auditing techniques by completing courses in environmental or safety auditing, obtaining certifications from recognized professional bodies, or having prior process safety auditing experience.

Third-Party Auditor Responsibilities

The owner or operator must provide certain responsibilities to the third-party auditor. The owner or operator must ensure that the third-party auditor:

• Manages the audit and participates in audit initiation, design, implementation, and reporting.
• Determines appropriate roles and responsibilities for the audit team members based on the qualifications of each team member.
• Prepares the audit report and where there is a team, documents the full audit team’s views in the final audit report.
• Certifies the final audit report and its contents as meeting the requirements of the rule.
• Provides a copy of the audit report to the owner or operator.

Audit team members may have varying levels of knowledge and experience with the RMP rule requirements, the stationary source being audited, the applicable or relevant engineering practices, and proper auditing techniques. EPA believes it is appropriate for the third-party auditor to be responsible for these determinations and that this approach allows the owners or operators and the third-party audit team leader to successfully collaborate to assemble an effective auditing team. Thus, third-party auditors must evaluate the audit team members’ qualifications to determine appropriate audit roles and responsibilities in order to produce audit outcomes and final audit reports meeting the applicable rule requirements.

If the third-party auditor believes that a necessary skill or expertise is lacking in the auditing team, the owner or operator and third-party auditor are responsible for augmenting the audit team with the additional team members needed to supply the missing skill or expertise. For example, an owner or operator may choose to designate an employee competent in using an infrared camera to participate on a third-party auditing team. Such an audit team member would be acceptable, even though the individual does not meet the independence criteria and lacks specific knowledge of the stationary source type and processes being audited, as long as the third-party audit team leader evaluates the employee’s qualifications to perform the specific role the employee will perform in the audit. The same standard would also apply to the participation of any other personnel the owner or operator might choose to include when assembling the third-party audit team.

Third-Party Audit Report

The audit report must:

• Identify all persons participating on the audit team, including names, titles, employers and/or affiliations, and summaries of qualifications.
• Document that third-party auditors meet the competency criteria of the rule.
• Describe, or incorporate by reference, the policies and procedures required to ensure all third-party personnel comply with the competency and independence criteria of the rule.
• Document the auditor’s compliance evaluation, for each covered process, of the owner’s or operator’s compliance with the provisions of the rule’s requirements to determine whether the procedures and practices developed by the owner or operator under the rule are adequate and being followed.
• Document the findings of the audit, including any identified compliance or performance deficiencies.
• Summarize any significant revisions between draft and final versions of the report.
• Include a certification signed and dated by the third-party auditor or third-party team member leading the audit. The language of the certification is specified in the rule.

Third-Party Audit Schedule

The audit and audit report must be completed within 12 months of an accidental release or within 12 months of the date of the determination by an implementing agency that a third-party audit is required, unless a different time frame is specified by the implementing agency. However, if a final determination is appealed, the audit and audit report must be completed within 12 months of the date of the final decision on the appeal.

The implementing agency has flexibility to grant an extension to complete the audit, or to specify a shorter time frame, as appropriate. For example, an implementing agency may grant an extension if a source can demonstrate that it has had difficulty finding a qualified third-party auditor to conduct or lead the audit team, or that the audit will require extra time due to the complexity or number of processes, due to extensive damage to the facility following an incident, or due to resource constraints. Alternatively, the implementing agency may specify a shorter time frame to complete the audit after considering the severity of the release or determining that unsafe conditions exist at the source.

EPA acknowledged that in some cases, the default result of these time frames may be that a gap of greater than three years may occur between completion of the previous compliance audit and a subsequent third-party audit (e.g., if an accident triggering a third-party audit occurs shortly before the facility’s next regular compliance audit is due). In these cases, the owner or operator will still have 12 months to complete the third-party audit unless a different time frame is specified by the implementing agency.

Stationary sources are required to audit compliance at least every three years, and a third-party compliance audit counts toward meeting this recurring requirement for purposes of determining the timing of the stationary source’s next compliance audit.

Third-Party Audit Findings

Several requirements apply to audit findings. The owner or operator must:

• As soon as possible, but no later than 90 days after receiving the final audit report, determine an appropriate response to each of the findings in the audit report, and develop a findings response report that includes:
  • A copy of the final audit report.
  • An appropriate response to each of the audit report findings.
  • A schedule for promptly addressing deficiencies.
  • A certification signed and dated by a senior corporate officer, or an official in an equivalent position, of the owner or operator of the stationary source. The language of the certification is specified in the rule.
• Implement the schedule to address deficiencies identified in the audit findings response report and document the action taken to address each deficiency, along with the date completed.
• Immediately provide a copy of the findings response report and schedule to implement deficiencies, when completed, to the owner or operator’s audit committee of the Board of Directors, or other comparable committee or individual, if applicable.

The schedule to implement corrective actions can extend beyond the 90-day period for developing the findings response report. EPA noted that in many instances an owner or operator may receive prior information about the audit’s findings before receiving a final audit report, particularly when the third-party audit team includes facility personnel. This will give the owner or operator additional time to consider its responses.

In determining an appropriate response to audit findings, owners or operators may follow EPA’s existing guidance for addressing PHA team findings and recommendations, which is based on OSHA PSM guidelines. Under these guidelines, EPA considers an owner or operator to have resolved a finding or deficiency when the owner or operator either has adopted or implemented the associated recommendations or has justifiably declined to do so. An owner or operator can justifiably decline to adopt a recommendation where the owner or operator can document, in writing and based upon adequate evidence, that one or more of the following conditions is true:

• The analysis upon which the recommendation is based contains material factual errors.
• The recommendation is unnecessary to protect public health and safety or the health and safety of the owner or operator’s employees, or the employees of contractors.
• An alternative measure would provide a sufficient level of protection, or
• The recommendation is infeasible.

Where a recommendation is rejected, the owner or operator must communicate this rejection to the audit team and expeditiously resolve any subsequent recommendations of the team. The owner or operator complies with the requirement to determine an appropriate response to audit findings provided that they address the audit report’s findings by implementing the findings or by justifiably declining to do so. If an implementing agency concludes that a justification is inadequate and brings an enforcement action regarding this requirement, then the owner or operator may dispute the enforcement action through the normal adjudication process.

EPA does not consider findings by third-party auditors or third-party audit teams, in and of themselves, to be determinations of regulatory violations.

A specific time frame or due dates by which deficiencies must be addressed is not required as part of the schedule for addressing deficiencies . Thus, under the amended rule, the owner or operator must exercise best judgement to determine how, and when, to prioritize and address actions, consistent with the normal definition of ‘‘promptly’’ as meaning quickly, without delay. EPA believes that this approach best provides the flexibility owners or operators will need to address a potentially very wide range of deficiencies and other findings noted in third-party audit reports. This allows the facility owner or operator to develop a reasonable schedule for addressing audit findings that would be based on the types of findings and the resulting efforts to implement them appropriately.

In the event that a schedule must change due to unforeseen circumstances, EPA recommends that the owner or operator document the reasons for the change and update the schedule to reflect revised dates.

Certification by the owner or operator that deficiencies are being corrected reflects EPA’s view that implementation of corrective actions to address findings from compliance audits is critical. EPA believes that certification will minimize corporate failures to properly address and implement compliance audit findings and recommendations. EPA expects that the senior corporate official certification of the audit findings will improve facility and public confidence that third-party audit report findings and recommendations are promptly and properly addressed.

A “senior corporate official” is one who ensures accountability and oversees corporate prioritization, budgeting, and operations. For smaller entities without corporate officials, the “official in an equivalent position” may include the owner or operator, or designated representatives of the owner or operator, including facility manager, operations manager, or another official at or above that level.

EPA believes that providing the audit committee of the Board of Directors with third-party audit findings will ensure the committee and its Board of Directors are aware of any deficiencies and have the opportunity to properly budget for any required corrective actions in a timely manner. The requirement is intended to provide an additional measure to ensure accountability. EPA expects that this approach will improve facility and public confidence that third-party audit report findings and recommendations are promptly and properly addressed.

EPA recommends that the facility documents how the owner or operator complied with the requirement to submit findings to the audit committee and maintains that documentation with the findings response report. This may include identifying who received a copy of the report and the date it was provided. EPA noted that if there is no audit committee of the Board of Directors, or a comparable committee or individual, then the owner or operator should consider documenting that no committee or individual exists.

Recordkeeping

The owner or operator must retain at the stationary source the two most recent final third-party audit reports, related findings response reports, documentation of actions taken to address deficiencies, and related records. These requirements do not apply to any document that is more than five years old.

Records retention is needed in order to ensure that records are readily available to stationary source staff to review and utilize, and for implementing agency inspectors to access during site inspections. Documents may be retained electronically as long as they are immediately and easily accessible to the owner or operator and the owner or operator retains the signed original documents, where appropriate.

EPA’s view is that the third-party audit reports and related records, like other documents prepared pursuant to the RMP rule, such as process safety information, PHAs, operating procedures and others, are not protected under evidentiary privileges. EPA stated that neither the audit report nor the records related to the audit report provided by the third-party auditor are covered by attorney-client privilege (including documents originally prepared with assistance or under the direction of the audited source’s attorney). Nevertheless, EPA recognizes that the ultimate decision makers on questions of evidentiary privileges are the courts.

Implementing Agency Notification and Appeals

A facility owner or operator has the opportunity to challenge the determination by an implementing agency that a third-party audit is required.

The implementing agency must provide written notice to the facility owner or operator that describes the basis for the implementing agency’s determination that a third-party audit is necessary. Within 30 days of receipt, the owner or operator may consult with, and provide information and data to the implementing agency on the preliminary determination. The implementing agency will then consider this information and provide a final determination to the owner or operator.

The owner or operator may appeal a final determination made by an implementing agency within 30 days of receipt of the final determination. The implementing agency will provide a written, final decision on the appeal to the owner or operator.

The final rule may be found at:

40 CFR Part 68, Accidental Release Prevention Requirements: Risk Management Programs Under the Clean Air Act, Final Rule

You may contact Primatech for further information by clicking here.

To comment on this PT Note, click here.

Copyright © 2017, Primatech Inc. All rights reserved.

Back to PT Notes