Primatech

PT Notes

Amendments to EPA's RMP Rule - Third-Party Compliance Audits

PT Notes is a series of topical technical notes on process safety provided periodically by Primatech for your benefit. Please feel free to provide feedback.

EPA has proposed several amendments relating to prevention program provisions. This PT Note addresses:

• Requiring that the next scheduled compliance audit be a third-party audit when an RMP-regulated facility experiences two RMP-reportable accidents within five years, or one RMP-reportable accident within five years by a facility with a Program 2 or 3 process classified under NAICS code 324 or 325 located within one mile of another RMP-regulated facility that also has a process classified under NAICS code 324 or 325.

• Requiring that the next scheduled compliance audit be a third-party audit when an implementing agency requires a third-party audit due to conditions at the stationary source that could lead to an accidental release of a regulated substance, or when a previous third-party audit failed to meet the competency or independence criteria of the RMP rule.

• Requiring a justification in the Risk Management Plan when third-party compliance audit recommendations are not adopted.

Further details are provided below.

EPA continues to be concerned with RMP facilities that, despite current RMP regulations, enforcement, and lessons learned from previous accidents, continue to have accidents and, in some cases, multiple accidents. When RMP facilities have multiple accidents within a short period, EPA is concerned that those facilities have not been able to identify measures on their own (through incident investigations, hazard evaluations, and compliance self-audits) to properly evaluate and apply appropriate prevention program measures to stop accidents from occurring.

EPA believes that self-auditing may be insufficient to prevent accidents, determine compliance with the RMP rule's prevention program requirements, and ensure safe operation. Also, poor compliance audits have been cited by EPA and CSB as a contributing factor to the severity of past chemical accidents.

EPA believes that stationary sources that have had multiple accidents within a short period; substantial non-compliance with RMP requirements; and / or high accident severity, frequency, and consequences pose a greater risk to surrounding communities. Therefore, EPA believes it is appropriate to require such stationary sources to undergo auditing by competent and independent third-party auditors. EPA states that independent third-party auditing can assist owners and operators, EPA (or the implementing agency), and the public to better determine whether the procedures and practices developed by owners or operators for the prevention program requirements are adequate and being followed. The proposed requirements reflect that the most accident-prone facilities have not been able to properly evaluate and apply appropriate prevention program measures for regulated processes to stop accidents from occurring.

EPA contends that its proposed third-party compliance audit provisions will help to ensure that owners and operators of RMP facilities without strong prevention programs objectively and adequately explore all opportunities to prevent or minimize accidental releases of regulated substances to protect human health and the environment.

EPA has determined, based on RMP incident reporting data, that RMP facilities within chemical manufacturing (NAICS 325) and petroleum and coal products manufacturing (NAICS 324), and facilities with NAICS code 324 and 325 Program 3 processes that have had one RMP-reportable accident and are located within a 1-mile radius of another 324 and 325 regulated facility are or particular concern.

EPA is proposing to adopt the independent third-party compliance audit provisions as outlined in the 2017 amendments rule with modifications to account for EPA's recent review of the current RMP rule.

EPA also is proposing to require facilities conducting third-party compliance audits to list in their risk management plans, for each process, findings resulting from the audit that the owner or operator chooses to decline.

EPA is also proposing to adopt the same categories for PHA recommendations for owners and operators to justify declined third-party-issued compliance audit findings, namely:

• The analysis upon which the recommendation is based contains material factual errors.
  
  
• The recommendation is not necessary to protect the health and safety of the employer's own employees, or the employees of contractors.
  
  
• An alternative measure would provide a sufficient level of protection.
  
  
• The recommendation is infeasible.

EPA is proposing to use the same definition of ''third-party audit'' as in the 2017 amendments rule:

• A compliance audit conducted pursuant to the requirements of the RMP rule, performed or led by an entity (individual or firm) meeting the competency and independence requirements described in the rule.

For facilities that are required to conduct a third-party audit, the owner or operator must either:

1. Engage a third-party auditor meeting all of the competency and independence criteria specified in the amended rule, or

2. Assemble an auditing team, led by a third-party auditor meeting all of the competency and independence criteria specified in the amended rule. The team may include:

   1. Other employees of the third-party auditor firm meeting the independence criteria specified in the amended rule.
      
      
   2. Other personnel not employed by the third-party auditor firm, including facility personnel.

The owner or operator must determine and document that the third-party auditor(s) meet the following competency and independence requirements.

Competency requirements

The third-party auditor(s) shall be:

1. Knowledgeable with the requirements of the amended rule
   
   
2. Experienced with the stationary source type and processes being audited and applicable recognized and generally accepted good engineering practices, and
   
   
3. Trained and/or certified in proper auditing techniques.

Independence requirements

The third-party auditor(s) shall be:

1. Act impartially when performing all activities of third-party auditing.
   
   
2. Receive no financial benefit from the outcome of the audit, apart from payment for auditing services. For purposes of this requirement, retired employees who otherwise satisfy the third-party auditor independence criteria may qualify as independent if their sole continuing financial attachments to the owner or operator are employer-financed or managed retirement and/or health plans.
   
   
3. Ensure that all third-party personnel involved in the audit sign and date a conflict of interest statement documenting that they meet the independence criteria.
   
   
4. Ensure that all third-party personnel involved in the audit do not accept future employment with the owner or operator of the stationary source for a period of at least two years following submission of the final audit report. For purposes of this requirement, employment does not include performing or participating in third-party audits.

The auditor must have written policies and procedures to ensure that all personnel comply with the competency and independence requirements.

The owner or operator must ensure that the third-party auditor:

1. Manages the audit and participates in audit initiation, design, implementation, and reporting.
   
   
2. Determines appropriate roles and responsibilities for the audit team members based on the qualifications of each team member.
   
   
3. Prepares the audit report and, where there is a team, documents the full audit team's views in the final audit report.
   
   
4. Certifies the final audit report and its contents as meeting the requirements of the amended rule.
   
   
5. Provides a copy of the audit report to the owner or operator.

The audit report must:

1. Identify all persons participating on the audit team, including names, titles, employers and/or affiliations, and summaries of qualifications. For third-party auditors, information must be included that demonstrates that the competency requirements are met.
   
   
2. Describe or incorporate by reference the policies and procedures required of the third-party auditor.
   
   
3. Document the auditor's evaluation, for each covered process, of the owner or operator's compliance with the provisions of the amended rule to determine whether the procedures and practices developed by the owner or operator under the rule are adequate and being followed.
   
   
4. Document the findings of the audit, including any identified compliance or performance deficiencies.
   
   
5. Summarize significant revisions (if any) between draft and final versions of the report.
   
   
6. Include the following certification, signed and dated by the third-party auditor or third-party audit team member leading the audit:

''I certify that this RMP compliance audit report was prepared under my direction or supervision in accordance with a system designed to assure that qualified personnel properly gather and evaluate the information upon which the audit is based. I further certify that the audit was conducted and this report was prepared pursuant to the requirements of subpart C of 40 CFR part 68 and all other applicable auditing, competency, independence, impartiality, and conflict of interest standards and protocols. Based on my personal knowledge and experience, and inquiry of personnel involved in the audit, the information submitted herein is true, accurate, and complete.''

The third-party audit and audit report must be completed as follows, unless a different timeframe is specified by the implementing agency:

1. For third-party audits required by facilities with two accidental releases within five years, within 12 months of the second of two releases.
   
   
2. For third-party audits required by facilities with one accidental release in proximity to other facilities in the same NAICS code, within 12 months of the release.
   
   
3. For third-party audits required by an implementing agency, within 12 months of the date of the final determination by the agency, unless the final determination is appealed, in which case the due date is within 12 months of the date of the final decision on the appeal.

As soon as possible, but no later than 90 days after receiving the final third-party audit report, the owner or operator must determine an appropriate response to each of the findings in the audit report, and develop a findings response report that includes

1. A copy of the final audit report.
   
   
2. An appropriate response to each of the audit report findings.
   
   
3. A schedule for promptly addressing deficiencies.
   
   
4. A certification, signed and dated by a senior corporate officer, or an official in an equivalent position, of the owner or operator of the stationary source, stating:

''I certify under penalty of law that I have engaged a third party to perform or lead an audit team to conduct a third-party audit in accordance with the requirements of 40 CFR 68.59 and that the attached RMP compliance audit report was received, reviewed, and responded to under my direction or supervision by qualified personnel. I further certify that appropriate responses to the findings have been identified and deficiencies were corrected, or are being corrected, consistent with the requirements of subpart C of 40 CFR part 68, as documented herein. Based on my personal knowledge and experience, or inquiry of personnel involved in evaluating the report findings and determining appropriate responses to the findings, the information submitted herein is true, accurate, and complete. I am aware that there are significant penalties for making false material statements, representations, or certifications, including the possibility of fines and imprisonment for knowing violations.''

The owner or operator must implement the schedule to address deficiencies identified in the audit findings response report and document the action taken to address each deficiency, along with the date completed.

The owner or operator must immediately provide a copy of each document required under the audit report and the findings response report paragraphs of the amended rule, when completed, to the owner or operator's audit committee of the Board of Directors, or other comparable committee or individual, if applicable.

The owner or operator must retain at the stationary source, the two most recent final third-party audit reports, related findings response reports, documentation of actions taken to address deficiencies, and related records.

EPA is soliciting comments on the proposed amendments and has posed questions regarding them.

If you would like further information, please click here.

To comment on this PT Note, click here.

You may be interested in:

Process Safety Auditing Training Course

Process Safety Auditing Software

Process Safety Auditing Certifications

Process Safety Auditing Consulting

Back to PT Notes