Printer Friendly

Of natmats, terrorists, and toxics: regulatory adaptation in a changing world.

     A. Natural Accidents
     B. Climate Change
     C. Industrial Terrorism
     A. Implementing the Dominant Paradigm
     B. Inherently Safer Design


A Category four hurricane is bearing down upon the Gulf Coast. Managers at the Trident Oil refinery in Pascagoula, Mississippi, invoke shutdown procedures three days prior to expected landfall. All crude oil, sulfuric acid, hydrofluoric acid, and other hazardous materials are drained from the process units and the nearby storage tanks and pumped to a more distant emergency storage area at the facility. Most equipment is shut down, although some steam boilers, power generating units, and cooling systems continue to run in order to maintain temperature and pressure in tanks and to support safety devices. A skeleton crew remains at the facility to deal with emergencies and to restart the facility after the storm passes. The storm arrives, lashing the plant with thick sheets of rain and howling 125 mile per hour winds. Heavy rains have overwhelmed the storm water drains throughout the plant, flooding various buildings. The automatic monitoring system associated with Tank 213, which contains a highly toxic liquid material, is located in one of the flooded buildings. High winds rip Tank 213 from its foundations, causing a massive spill of the contents. The facility operator is unaware of the release due to the failure of the submerged monitoring system, and takes no action until after the released material has reached a nearby channel to the gulf.

Just south of downtown Philadelphia, the Atlantic Refining Company's facility is nestled among several working class neighborhoods. A sprawling complex on 25 acres, the Atlantic refinery produces 350,000 barrels per day of gasoline, diesel, and jet fuel each year. In the alkylation process unit, light hydrocarbons react with a catalyst to create alkylate, an important additive used to produce high octane gasoline. At the Atlantic refinery hydrofluoric acid is the catalyst of choice. The hydrofluoric acid is stored in a large green cylindrical tank located adjacent to the alkylation process unit.

One July morning the neighborhoods surrounding the Atlantic refinery are slowly rousing. Dogs sniff grass, weeds, and flowers on morning walks or in backyards. Children rush to depart for daycare, or play in the street or in small green patches behind their homes. Distracted parents finish coffee on the run, packing up for a day of work. Unnoticed, a lone figure carrying a large duffle bag emerges from the stairs leading to the roof of a weathered apartment building. He sets it down by the roof's edge facing the refinery, and methodically removes dark machined items from the bag. Once assembled, he lifts the tubular contraption to his shoulder, sighting the dull green cylinder at the refinery some 500 yards away. A projectile erupts from the tube, streaking towards the refinery. A large puff of smoke and flame appear on the face of the cylinder, and an orange-tinted haze slowly oozes out, drifting in silence towards the neighborhood.

As the 21st century unfolds, regulators charged with overseeing chemical production and use in the United States face a perfect storm of sorts. Three important phenomena with critical implications for chemical management policy are converging at once. First, production and use of toxic chemicals continue to proliferate. Eighty thousand chemicals are in commerce in the United States, with 1,000 added each year. (1) Although current government and industrial codes are in place to minimize known risks, there are troubling gaps in our understanding of the use and impacts of these chemicals. (2) Despite best efforts, even under normal circumstances chemical releases regularly occur. "Normal accident" theory posits that unanticipated human and system failures are inevitable at complex facilities like oil refineries and chemical plants. (3)

Second, global climate change is recasting weather patterns. We can expect increasing frequency and severity of hurricanes, and the associated heavy rains, high winds, lightning, and floods. (4) These elements present ever-increasing risk of releases of toxic chemicals from the facilities in a hurricane's path, sometimes called a "natural release of hazardous materials" or a "natmat." (5) While responsible facilities plan for such events, the complex nature of industrial plants coupled with the erratic local effects of severe weather can lead to unexpected outcomes (another demonstration of the normal accident).

Third, the specter of industrial terrorism raises new concerns about the safety of chemical use and storage. By all accounts, industrial facilities such as chemical plants and oil refineries are tempting targets for terrorists. Such facilities and their dangerous raw materials and products are often located close to dense residential areas. The human costs and property damage flowing from a successful terrorist attack could be substantially compounded by the accompanying disruption of the United States economy. Terrorists have planned strikes against such facilities in the United States, and successfully attacked chemical plants elsewhere in the world. (6) Like extreme weather, a terrorist attack at a modern refinery or chemical plant could trigger a cascading series of events, resulting in a catastrophic outcome that neither the facility nor the terrorists themselves could predict.

Standing alone any one of these developments justifies a reassessment of existing chemical policy. Taken together, they render such a reevaluation essential. Of course neither the facilities themselves nor the regulators are unaware of these risks. Mature mandatory and voluntary regulatory programs for chemical management are already in place. For example, many significant chemical accidents are subjected to extensive review by the Chemical Safety and Hazard Investigation Board, (7) akin to investigations performed by the National Transportation Safety Board following airplane crashes. (8) Moreover, in the last few years, regulators and businesses alike have begun to respond to the perfect storm. In April 2007, the Department of Homeland Security (DHS) issued new regulations regarding security at chemical plants, on the heels of industry efforts such as the American Chemistry Council's adoption of the Security Code of Management Practices. (9)

Most existing chemical management programs are based on a "risk management" paradigm. In risk management, the type and amount of the chemical used or stored at a facility is accepted as a given. The goal of such programs is to minimize the risk of release and, in the event of a release, to reduce the likelihood of human exposure to the released substance. Risk management uses administrative procedures such as standard operating procedures, regular inspections, and emergency response plans to ensure careful handling of dangerous chemicals and swift reactions to any releases to the environment. Risk management also uses technological strategies, including alarm systems, emission control equipment, and specialized storage methods, to accomplish its goal. (10)

However, there is a competing approach to chemical management known as "risk prevention." Generally speaking, the risk prevention paradigm focuses on removing the risk by removing the chemical. Rather than relying exclusively on administrative procedures and technology to control risk associated with a particular chemical, risk prevention seeks to replace the chemical with a safer substitute. Where substitution is not practical, risk prevention attempts to modify the production process so as to reduce the amount of the chemical used or stored at the facility. (11) Regulators at the legislative and agency level have been reluctant to adopt a risk prevention paradigm. The Environmental Protection Agency (EPA) rejected risk prevention in developing its chemical risk management program in the early 1990s. (12) More recently, both Congress and the DHS relied upon a risk management approach in crafting security requirements for chemical facilities. (13)

This article presents the case for the adoption of mandatory risk prevention as part of our nation's chemical policy. The risk prevention paradigm underlies inherently safer design (ISD), a well-established concept in industrial hygiene. ISD challenges businesses to build safety into industrial processes. It includes generally accepted principles for the technical review of new and existing industrial processes and the evaluation of safer alternative processes and chemicals. ISD, which is already used by a number of businesses, could be integrated into existing chemical management programs by requiring all affected facilities to consider ISD, implement ISD alternatives to the extent feasible, and to document the basis for the rejection of potential ISD alternatives. Although an ISD alternative will not be available in every case, risk management will still play an important role in chemical policy.

Part I of this article describes the natural, industrial, political, and institutional backgrounds in which chemical policy reform is particularly relevant. It begins with the risk of normal accident, a baseline condition reflecting the unexpected dangers inherent in the industrial processes and operations at chemical and petrochemical plants. Part I then turns to the impacts of climate change on such plants, summarizing the ways in which more frequent severe weather along the Gulf Coast can have disastrous effects, releasing toxic chemicals to the air, water, and land. Next, Part I discusses the risks of a terrorist strike against industrial targets at which hazardous chemicals are used. Although government and business leaders recognized this risk before September 11, 2001, chemical plant security took on a new urgency after the World Trade Towers fell. Part I concludes by tracing the political response to this threat.

Part II presents the two contrasting paradigms for chemical policy regulation: risk management and risk prevention. It provides a brief overview of EPA's risk management regulations and the Occupational Safety and Health Administration's (OSHA) process safety management standard: two regulatory programs that embrace the risk management paradigm. Thereafter, Part II introduces the concept of inherently safer design, tracing its roots from a deadly explosion in Flixborough, England in 1972 through its current role in industrial safety. This section sets out examples of inherently safer design in action, and discusses barriers to its broader voluntary adoption by industry.

The last part of the article focuses on management-based regulation. Part III assesses the value of incorporating ISD into chemical policy, identifying alternative types of regulatory integration. Based upon the barriers to voluntary industry adoption of ISD discussed in Part II, Part III contends that a "strong" form of management-based regulation is needed to adequately encourage industry adoption of ISD measures. This regulation would require that firms (1) identify and evaluate ISD measures (along with conventional risk management factors) as part of their hazard and security planning, and (2) implement technically and economically feasible ISD measures.


A. Natural Accidents

Oil refining and chemical manufacturing are dangerous undertakings by nature. Flammable feedstocks and toxic materials are stored and used in large quantities. In the normal course of production, they are subject to high temperatures and pressures, creating the potential for explosive releases capable of dispersing hazardous substances over large areas of the plant and surrounding neighborhoods. (14) Occasionally, the risks associated with these activities are thrust into the public consciousness when a catastrophic accident occurs. In 1984, thousands died when a toxic cloud drifted silently through the night from the Union Carbide plant in Bhopal. (15) Eleven years later, a series of explosions crippled British Petroleum's (BP) Texas City refinery, killing fifteen workers and seriously injuring almost two hundred others. (16) But, for the most part, these plants operate without much attention from the broad populace. Yet, significant numbers of small-scale accidents continue to occur and it is likely that more tragedy is still to come. In fact, one study documented over 25,000 chemical accidents at American Chemistry Council member facilities in the United States between 1999 and 2003. (17)

Of course, the government has not ignored the dangers present in chemical and petrochemical production. Bhopal and other incidents have acted as catalysts for a variety of government-mandated industrial safety programs including both OSHA's process safety management rule and EPA's chemical risk management regulations. (18) As discussed in more detail in Part III, these programs require the affected facility to evaluate risks associated with chemical storage and use as well as to implement risk management plans designed to minimize the risks and mitigate the effects of chemical releases. Such plans include administrative procedures and technological interventions (including safety equipment, automatic shut-off valves, monitoring systems and upset alarms).

Sociologist Charles Perrow's "natural accident" theory warns that despite well-designed and carefully implemented safety programs, serious and potentially catastrophic accidents will inevitably occur in complex facilities such as chemical plants and oil refineries. (19) The near meltdown at the Three Mile Island nuclear power plant in 1979 prompted Perrow to investigate the causes of major accidents in a variety of high-risk industries. (20) Perrow concluded that such accidents are bound to occur and, thus, should be considered "normal," where the industry under consideration exhibits two characteristics: interactive complexity and tight coupling. (21)

A system such as an industrial process or plant is deemed to be "interactively complex" when the non-linear relationships among its various subsystems can result in unexpected outcomes. (22) In such cases, a series of otherwise insignificant or normally unrelated component or operator failures can combine in unpredictable ways to create substantial and disastrous results. For example, in 1969, a leak in a Texas City chemical plant's refining column was masked by erratic operating conditions. The undetected leak coalesced with "an unexpected interaction of pressures, temperatures and vapors within the column" to create dangerously unstable conditions in the unit. (23) Without warning, two major explosions occurred, destroying the column and igniting gases released from it.

A process or plant is "tightly coupled" when there is little slack between its subsystems. In other words, a change in the status of one unit within the plant affects associated units quickly. In the Texas City example, the explosions occurred before the operators were even aware of the leak. Whereas, in other examples of normal accidents, the operators were able to detect an initial malfunction, the complexity of the system interactions and the speed with which one consequence followed upon another prevented the operators from comprehending the significance and ultimate impact of the malfunction. (24) Thus, in a normal accident, interactive complexity causes a cascade of unexpected system failures, and tight coupling leaves system operators with inadequate time to evaluate, comprehend and adequately respond. (25)

After serious accidents, investigations and reviews abound, blame is assigned, and typically new safety procedures and additional monitoring and safety devices are installed. But do such responses actually prevent further accidents? Critics of normal accident theory believe so, contending that conventional and catastrophic accidents can be avoided in "high reliability organizations." Such organizations meld a strong safety culture with automated safety devices and redundant systems, (26) careful design and faithfully implemented safety procedures, and organizational learning. (27) (For these purposes, a high reliability organization has been defined as one at which a catastrophic failure occurs only once in tens of thousands of opportunities. (28)) However, normal accident theorists like Perrow remain skeptical, responding that these technical and organizational fixes themselves may actually exacerbate the risk of a normal accident. Inserted into an already complex system, safety devices can cause unanticipated events leading to unexpected failures. (29) As Perrow notes, "redundancies and safety systems are the single biggest source of catastrophic failures in complex, tightly coupled systems." (30)

Based upon a series of case studies, Perrow argues that refineries and chemical plants exhibit both interactive complexity and tight coupling and, therefore, are prone to natural accidents. (31) A later, more rigorous empirical study of 36 oil refineries by Frederick Wolf confirmed Perrow's conclusion. Having operationalized the concepts of interactive complexity and tight coupling, (32) Wolf tested whether refineries exhibiting high levels of both characteristics experienced more accidental hazardous chemical releases per unit of production than less complex, more loosely coupled refineries. (33) He found that more complex, more tightly coupled refineries experienced a statistically significant higher rate of accidental hazardous chemical releases. This result held true even for refineries that met the definition of "high reliability organization" and was unrelated to the size or capacity of the refineries. (34)

B. Climate Change

Climate change refers to a broad range of inter-related effects of global warming, including temperature increases, sea level rise, and substantial weather pattern shifts. (35) Even as scientists use sophisticated modeling techniques to predict the potentially devastating environmental, economic, and social consequences of climate change in the future, we may have already begun to see actual impacts across the world today. (36) Nevertheless, scholarly literature pays little attention to the relationship between climate change and toxic chemical exposure. Climate change can affect exposures directly and indirectly, and in nuanced ways as well as catastrophic ways. For example, researchers have discovered that some fish are rendered more susceptible to the deleterious effects of chemicals by increased water temperatures. Conversely, exposure to certain chemicals causes fish to be less able to deal with water temperature increases. (37)

Of particular interest is the effect of global warming on the frequency and intensity of extreme weather events such as hurricanes. (38) Modeling predicts that storm intensity will increase with rising sea temperatures, but is inconclusive regarding the frequency of such storms. (39) Given the natural wide variability over time in the intensity and frequency of tropical storms and hurricanes, meteorologists face real challenges in assembling the representative empirical data needed to test the models' predictions. (40) Despite these data limitations, a number of recent studies have demonstrated significant increases in the intensity of hurricane and tropical storms in the North Atlantic and elsewhere. (41)

The conclusion that hurricanes are growing fiercer has profound implications for chemical policy in the United States. Chemical plants and oil refineries are heavily concentrated along the Gulf Coast in Alabama, Mississippi, Louisiana, and Texas. That same swath of land is a common landfall destination for hurricanes traveling west from the warm waters of the North Atlantic Ocean's "hurricane alley" and elsewhere. Approximately forty major hurricanes have made landfall along the Gulf Coast since 1900. By way of example, Figure 1 shows the oil refineries and chemical plants in the region hit by Hurricanes Katrina and Rita. (42)

Hurricanes can cause a variety of dangerous releases of hazardous materials--also called "natmat" releases - through multiple and, sometimes unexpected, pathways. Turning first to the releases, three types of natmats are of particular interest: liquid spills, air emissions, and fires or explosions. (43) The potentially devastating effects of spills of petroleum and toxic chemicals from industrial facilities are well documented and need not be recounted here. (44) However, several factors unique to natmat spills could exacerbate those effects. First, during a hurricane, emergency response to spills is significantly delayed as crews at the facility and in the community are unable to react until the storm abates. (45) Even then, emergency resources will likely be scarce, further impairing the timing and capacity for response. Second, the magnitude of natmat spills will likely be more serious, perhaps even catastrophic. For example, during Hurricane Katrina, nearly fifty oil spills amounting to over eight million gallons were reported in the impacted areas, (46) including a release of one million gallons at the Murphy Oil Refinery which occurred when flood waters ripped a 250,000 barrel above-ground storage tank from its foundations. (47)


The air emissions of concern here result from storm damage to tanks or process units that allow vapors to escape into the atmosphere. Alternatively, air emissions can be traced to evaporation from spills of volatile liquids, or to the combustion associated with fires and explosions. Whatever the source, such emissions are uncontrolled and can rapidly disperse beyond the facility boundaries. Refineries store and process a variety of flammable gaseous and liquid materials that, if released, need only an ignition source to erupt into fire or explode. For example, pressurized gas leaking from a storage tank may form a vapor cloud that will drift through the facility until it is ignited. (48) During a severe storm, that ignition source could be a lighting strike or nearby fire at the plant. (49) Indeed, a 2001 study of property losses at refineries and petrochemical plants concluded that vapor cloud explosions are the most costly form of chemical release in terms of damage caused. (50)

Hurricanes cause spills, emissions, fires, and explosions through a number of common, overlapping pathways including structural damage, equipment damage, and power-related failures. Severe structural damage to a storage tank or process unit, which results primarily from high winds or flooding, can lead to a major gas or liquid release. Emergency responders can face a distillation column toppled over by howling winds, a large storage tank pulled from its foundations, or a unit whose roof has collapsed under the weight of torrential rain. Even less severe structural damage can have enormous consequences, as when pipes and connections to storage tanks are damaged, allowing the stored material to gush forth.

Wind damage or flooding of equipment such as pumps, compressors, process units, or boilers can also lead to toxic releases and fires or explosions. In 1998, the Chevron refinery in Pascagoula, Mississippi was subjected to seventeen hours of heavy rain and storm surges that left the facility under five feet of salt water. Over 2,000 motors, 1,900 pumps, and 280 turbines were damaged. (51) If the damaged equipment is essential to the containment or control of liquid or gaseous hazardous materials, a natmat release can occur. Power failures and short circuits resulting from winds, flooding, or lightning strikes constitute a third, less direct pathway for natmat releases. (52) Such a power interruption could shut down equipment required for safe storage of hazardous materials, or incapacitate alarms, monitoring devices, or automatic shut-off systems intended to mitigate developing problems.

Two or more failures can sometimes come together to create an unexpected, potentially catastrophic result. Suppose that high winds, heavy rain, and lightning are savagely thrashing a petrochemical plant. A lighting strike causes a power outage, triggering a variety of alarms just as the winds rip metal railings from scaffolding, and drive them at high velocity into a storage tank containing a highly flammable gaseous material. Intent on addressing the raft of largely false alarms blaring in the control room, the plant operators fail to identify the one accurate alarm signaling a loss of pressure in the damaged tank. A second bolt of lightning finds the tank, igniting an escaping plume and ultimately the remaining contents of the tank.

C. Industrial Terrorism

Even prior to the terrorist attacks of September 11, 2001, United States government officials and industry leaders were concerned about potential terrorist assaults on industrial facilities. In 1999, the Department of Justice concluded that "based upon our analysis of trends in international and domestic terrorism and upon the burgeoning interest in weapons of mass destruction among criminals and other terrorists.... the risk of terrorists attempting in the foreseeable future to cause an industrial chemical release is both real and credible." (53) Similarly, in separate studies, both the EPA and the Government Accounting Office (GAO) identified industrial terrorism in the United States as a likely occurrence. (54) While no successful terrorist attacks on industrial targets have taken place in the United States, several significant near misses have been documented, including attempted bombings of chemical storage facilities and refineries in 1991, 1996, and 1999. (55) Yet, despite the very real risk of industrial terrorism, government regulation of industrial security has historically been both limited and diffuse. (56)

Oil refineries and chemical plants are likely targets because such facilities fit the goals and needs of terrorist organizations. (57) Terrorist attacks are typically designed to have maximum physical and symbolic impacts upon the relevant community. Thus, a terrorist group would seek a target situated near a concentrated population of victims, such as a residential, commercial, or business center. Likewise, attacks often focus on targets important to the economy, governance, or infrastructure of a region, such as business centers, government buildings, or industrial facilities. Refineries and chemical plants, which are often nestled within or near residential or industrial areas, meet both of these criteria. Moreover, they offer relatively easy access to toxic, mobile, industrial chemicals. Chemical and biological agents such as nerve gas or anthrax are difficult to obtain, and require special skill to manage and deploy. (58) In contrast, industrial chemicals such as chlorine or hydrofluoric acid, which can devastate an area if released in an explosion, are found in large quantities at many refineries and chemical plants. (59)

In the aftermath of 9/11, businesses and regulators paid significantly greater attention to the issue of terrorist acts against industrial facilities. The American Chemistry Council, a trade association representing many of the leading chemical manufacturers, adopted the Responsible Care Security Code in response to the attack. The Security Code requires member companies to conduct security vulnerability assessments, implement security measures, and receive third party verification that those measures have been adopted. The member companies must supplement their existing business management systems with a "security management system" to ensure ongoing quality control of security practices. (60) Other trade associations quickly followed suit. (61)

In 2003, the DHS was named the lead agency responsible for coordinating federal efforts to protect critical infrastructure and resources, including the chemical sector. (62) In that role, DHS took steps to promote voluntary enhancement of industrial security and provided technical assistance and grant funding for private efforts. (63) Meanwhile, Congress debated whether government should act as a regulator as well as a facilitator in order to promote increased security at industrial facilities. (64) Ultimately, the DHS sought explicit authority to promulgate mandatory performance standards for high risk chemical facilities. Major industrial players such as the American Chemistry Council concurred with the DHS, as did the GAO in a report to Congress in early 2006. (65) On October 4, 2006, the DHS's wish was granted in the form of Section 550 of the Homeland Security Appropriations Act of 2007. (66) In April of 2007, the DHS issued an interim final rule establishing a mandatory security program for high-risk chemical facilities, (67) which is taken up in the next part of this article.


Policymakers are aware of the risks associated with normal accidents, natmat releases, and terrorism. Existing regulations deal to a limited extent with each of the three. EPA's chemical risk management program and OSHA's process safety hazard programs focus on managing the risks of the first two. The DHS's Chemical Facility Anti-Terrorism Standards address the third. These three agencies, and the statutes from which they draw their authority, share a common regulatory paradigm in responding to risk. Generally speaking, each essentially accepts the risk as given, and seeks to manage the risk or mitigate its effects should that risk become reality. (68) Consequently, each agency has rejected inherently safer design, a competing paradigm which seeks to eliminate or substantially reduce the risk itself. (69)

The difference between risk management and risk prevention is easiest understood through a real life example. Many oil refineries use hydrofluoric acid in the alkylation process, a crucial step in the production of high-quality gasoline. Hydrofluoric acid, a colorless liquid, is both corrosive and hazardous, and upon release will often form a toxic vapor cloud. (70) Over the past decade, there have been a series of accidental releases of it in liquid and gaseous form at major United States refineries. (71) Refineries typically attempt to manage the risk of a hydrofluoric acid release through engineering controls such as the installation of concrete containment curbs around alkylation reactor and hydrofluoric acid storage vessels. To mitigate releases into the air, refineries often rely upon remotely or manually operated water cannons which would suppress a vapor cloud by spraying it with large quantities of water. In addition, standard operating procedures and emergency response plans for the reactor and storage vessel would be in place, and employees would be trained regarding the plan and procedures. Yet, each of these engineering, mitigation, and administrative measures begins and ends with the assumption that large quantities of a dangerous, mobile, toxic chemical must be kept on-site. A risk prevention approach such as inherently safer design prioritizes the removal of the risk itself. Thus, the refinery would seek a less dangerous substitute for the hydrofluoric acid, or revise its operations so as to keep substantially smaller quantities of the hydrofluoric acid at the facility.

A. Implementing the Dominant Paradigm

OSHA's process safety management (PSM) program is intended to minimize worker exposure to catastrophic releases of dangerous chemicals in a broad range of industries. (72) The PSM program is a form of management-based regulation; that is, regulation which establishes generic performance standards and requires the regulated entities to develop facility-specific plans and procedures to attain those standards. (73) OSHA's program mandates that employers develop and implement systematic, formal management systems focused on chemical safety. Among other things, such a management system must provide for performance of "hazard analysis" for each process at the facility to identify and evaluate hazards involved in the process. (74) Once risks to employees are identified, the facility must identify and ultimately implement appropriate mitigation strategies (such as control technologies, monitoring equipment, automatic safety devices, and alarms) and safety procedures. (75)

EPA's chemical risk management program is likewise designed to prevent accidental chemical releases, although it is more limited in terms of the facilities covered. (76) It imposes similar planning and implementation obligations, requiring most chemical and all petroleum refineries to develop and execute comprehensive risk management plans (RMP). (77) The RMP must document the facility's five-year accident history, one or more "worst-case release scenarios," and "alternative release scenarios" for covered processes. The RMP must also incorporate a prevention program (requiring process hazard analysis and implementation of safety procedures, monitoring, and training) as well as an emergency response plan. (78)

The EPA's prevention program does not encourage or require the use of inherently safer design (ISD), such as process changes, just-in-time inventory practices, or substitution. Rather, it only directs facilities to consider and implement "engineering and administrative controls" as part of prevention efforts. (79) The absence of any reference to inherently safer design was deliberate. In response to comments on the proposed rule advocating inclusion of ISD, the agency denied that "a requirement that owners or operators conduct searches or analyses of alternative process technologies for new or existing processes will produce significant additional benefits." (80) EPA reached that conclusion on several grounds. First, ISD has the most benefit in the development of new processes as compared to existing processes. Second, industry generally engages in alternatives analysis voluntarily in an effort to avoid engineering and administrative controls. Third, risks from most existing processes can be safely managed without "spending resources searching for unavailable or unaffordable new process technologies." (81) Fourth, alternative technologies can inadvertently impose greater individual or societal risks. (82)

The DHS chemical facility's anti-terrorism standards follow EPA's lead. Those standards require that any chemical facility identified as presenting "a high level of security risk" (83) perform a security vulnerability assessment and subsequently submit a site security plan for approval by DHS. The site security plan must establish security measures tailored to the facility's recognized vulnerabilities and identify which measures meet or exceed risk-based performance standards set out in the regulations. (84) The performance standards, which articulate in broad terms the outcomes to be achieved by security measures, focus on risk management. For example, they include such things as securing and monitoring the facility perimeter, screening and controlling access, detecting and delaying attacks, developing emergency response plans, and training staff. (85)

The introduction of ISD as a security strategy was discussed in Congress and as part of the subsequent administrative rulemaking. Several bills introduced during Congressional debate mandated that facilities consider ISD as a security measure. (86) The DHS opposed such provisions, arguing that safer technologies would not generally result in more secure chemical facilities. Echoing EPA's previous assessment of its chemical risk management program, DHS also contended that "use of inherently safer technologies tends to shift risks rather than eliminate risks, often with unintended consequences." (87) Industry groups and others typically aligned with business interests likewise contested the value of ISD in this context. (88) Ultimately, the statute was silent regarding the role of ISD, but did prohibit the DHS from disapproving a site security plan "based on the presence or absence of a particular security measure." (89) The DHS relied upon this language during later rulemaking proceedings in rejecting suggestions that the DHS require or even encourage consideration of ISD as part of site security plan development. (90)

B. Inherently Safer Design

The notion of inherently safer design has been part of engineering for hundreds of years. For example, in 1828, Robert Stephenson simplified the complicated controls of his steam locomotive so as to avoid the likelihood of operator error. (91) Of course, Stephenson and other early practitioners of inherently safer design did not use that term, or probably even recognize it as a design paradigm. The first person to articulate the concept of ISD as a systematic approach to engineering was Trevor Kletz, a safety engineer for Imperial Chemical Industries (ICI). After a major explosion at the Flixborough, England chemical plant in 1978, Kletz called for the chemical industry to focus safety efforts towards hazard elimination rather than risk management. (92) Since then, Kletz, Dennis Hendershot, and other industry engineers have developed ISD principles more fully. In 1996, the Center for Chemical Process Safety published a comprehensive guide for the implementation of inherently safer design which has become an industry standard, commonly known as the "Gold Book." (93)

ISD is a process as well as a paradigm. It begins with an assessment of the hazards associated with the industrial operation in question, in the style of the hazard analysis performed in OSHA's PSM program. There the similarity ends, for ISD next asks whether the identified hazards can be addressed by changes to the basic design of production process or storage operation. Using a menu of design strategies described below, the ISD engineer will identify technically and economically feasible ISD options. Recognizing that any design change could itself produce equal or greater risks, ISD next evaluates the hazards associated with each option. Where the option involves changes at off-site locations--such as alterations in shipping procedures for hazardous materials, or storage at remote locations--the assessment would gauge the hazards associated with those off-site changes. Finally, ISD considers how any hazards remaining after implementation of the ISD options could be managed. (94)

ISD measures fall into four basic categories: (1) moderation, (2) substitution, (3) minimization, and (4) simplification. (95) They can be best understood through the example of hydrofluoric acid use which opened this section. Recall that many refineries store large quantities of hydrofluoric acid on-site for use in the alkylation process. The hazards associated with that operation could be significantly reduced through moderation, which alters the operation so as to create less hazardous conditions. For instance, the hydrofluoric acid could be mixed with an inert ingredient which impairs its ability to condense and form a vapor cloud. (96) Alternatively, in substitution, a less hazardous material--such as sulfuric acid--is used in place of hydrofluoric acid. To be sure, sulfuric acid creates its own dangers, but formation of a highly mobile vapor cloud is not one of them. Nonetheless, the residual risks surrounding sulfuric acid use would likely be addressed through risk management measures.

On the other hand, the facility may use a minimization measure, perhaps adopting "just-in-time" inventory management to reduce the amount of hydrofluoric acid on site. In just-in-time inventory management, a firm keeps the minimum amount of raw materials on hand necessary to assure efficient, timely production (97) However, in evaluating the value of minimization the facility must consider whether it would shift risks elsewhere upstream and at the facility, including increased transportation risks caused by the greater number of hydrofluoric acid shipments to the facility, longer storage at the hydrofluoric acid production plant, and greater risk of release during the repeated deliveries of the material at the facility. Of course these residual risks could be addressed through standard risk management measures, or through simplification, an ISD measure which eliminates unnecessary complexity. In this case, the facility could simplify the off-loading process by using hose connections which make incorrect assembly impossible, and thus minimize the risk of spills during deliveries.

This basic summary of the ISD process illustrates two important yet often overlooked aspects of ISD. First, not every ISD measure will completely eliminate hazards from the relevant production process or industrial operation. Although risk prevention is the primary focus, in some cases ISD measures will only partially eliminate risk. What distinguishes ISD from the dominant risk management paradigm is that ISD seeks to reduce risk by altering the basic production process itself. The risk management paradigm tends to manage risk through technological controls, monitors and alarms, and through administrative procedures. Second, because there may be residual risks even after ISD implementation, standard risk management measures often supplement the ISD measures.

ISD brings a variety of benefits to the facility as well as to the public welfare. Most importantly for our purposes, ISD can substantially reduce the risk of catastrophic releases by altering the basic process or operations to make them safer. Field studies of ISD efforts at a variety of industrial plants indicate that such efforts yield other dividends as well. ISD measures often reduce the complexity of production processes and minimize the number and length of shutdowns needed for maintenance and repair. This results in greater reliability and reduced costs, two classic goals of business firms. (98) Indeed, one study of several Dutch and Greek firms found that the vast majority of ISD measures for those firms had very short economic pay-back times-in one case the payback was estimated to have occurred in a year or less. (99) In some circumstances, such as when a facility switches from a heavily regulated toxic solvent to a non-toxic alternative, ISD measures may also reduce regulatory compliance costs. (100)

Even beyond economic benefits, ISD implementation can also significantly improve communication and cooperation between different divisions and disciplines within the firm. By its nature, the ISD process requires staff and managers in safety, operations, and administration to interact in meaningful way. A properly conducted ISD assessment relies upon extensive input and interaction among this diverse group in developing a full understanding of technical, health and safety, and economic aspects of the production processes under review. (101) Through such interaction individuals often overcome communication barriers, and gain appreciation of the goals and perspectives of other departments within the firm. (102)

Given the potential benefits of ISD, one would expect that industry would need no external encouragement to adopt this paradigm. Indeed, ISD finds its roots in voluntary efforts of safety engineers within industry, and has developed into a well established sub-discipline with little government intervention over the last thirty years. It is practiced by a variety of companies, and its use is supported by the American Chemistry Council. Yet, risk management remains the dominant paradigm. (103) Why would rational businesses largely ignore such a potentially valuable management tool?

Research regarding the adoption of innovative technologies and management practices links the slow diffusion of inherently safer design principles to a suite of factors. Those factors include: informational barriers, organizational obstacles such as poor cross-departmental communication, scarce resources, limited power of environmental and health and safety departments, and the entrenched nature of corporate business routines. (104) With regard to information, ISD proponents often lament the fact that few safety engineers and even fewer process engineers are trained in or familiar with ISD methods. (105) Even among those engineers who are acquainted with ISD, some believe (mistakenly) that ISD is only relevant to the design and construction of new facilities. (106) Thus, the most natural advocates for ISD within the firm--the engineers themselves--often neither promote ISD among other staff and managers nor integrate ISD into the hazard analysis and evaluation performed under OSHA and EPA risk management programs. (107)

Even where engineers recognize the value of ISD measures, they may face substantial obstacles to the adoption of such measures within the firm. Although the relative power and prestige of environmental and health and safety (EHS) personnel has increased over time, for most firms the EHS function continues to play an ancillary, service role within the firm. This "supporting actor" role, coupled with the typical cross-discipline communication difficulties, undermines the EHS staff's capacity to participate as a full partner in operational planning and implementation. Thus, they may be invited into the process after basic design is complete, and inclusion of ISD measures is impractical or significantly more costly.

Current regulation takes a neutral stance, content to assume that businesses will use ISD without the need for a regulatory mandate. But, given the reluctance to use ISD in practice, it is time to integrate ISD into those regulatory programs.


There are a variety of tools available to the regulator seeking to integrate ISD into preparedness and security planning. Among the usual suspects are market-based approaches (such as using taxes, tax benefits, or direct subsidies as incentives), information-based strategies (including education as well as facility disclosure of the extent of ISD used), management-based regulation, and more traditional direct regulation. As a general matter, the manner of regulatory integration should match the barriers it is meant to surmount. For example, if a lack of information were the sole barrier, then outreach and technical assistance may be adequate to increase use of ISD. Indeed, such educational strategies would be appropriate. It appears that there is currently a lack of information and expertise in addition to a prevailing misconception about the applicability of ISD to existing facilities which dissuade its use.

However, more than just ignorance is at play here. As discussed above, ISD faces significant organizational barriers in many large businesses. Bureaucratic inertia in the form of deeply engrained procedures and culture can be a substantial obstacle to the adoption of new concepts and procedures within a mature business enterprise. (108) Management-based regulation, which forces change in firm procedures and communication channels, can be effective in overcoming that inertia. First, by creating enforceable planning and reporting obligations, such regulation can lead to improvements in the flow of information among divisions of the firm. (109) In order to comply with the law, staff and managers in disparate corners of the firm must interact in meaningful ways. Second, management-based regulation can also substantively influence the attention paid to health and safety issues within the firm by placing ISD on the management agenda. ISD becomes important to the firm because the law requires it. (110) Accordingly, management-based regulation could require that ISD analysis be performed as part of PSM, RMP, or security planning. Such a "soft" management-based regulation would not mandate the implementation of ISD options uncovered through the analysis. Rather, it would simply require consideration of such options in addition to other conventional approaches. (111)

Yet, the distribution of power and resources within the firm will likely remain a significant barrier to implementation of feasible ISD options in many firms. Environmental and safety managers--the most likely advocates for ISD options within the firm--will often find themselves at odds with other divisions, such as production, sales, or engineering. Given their close linkage to strategically important core function of the firm, those other divisions typically have greater power within the firm. In some instances the conflict may stem from the higher relative cost of the ISD option, or from perceived or actual production delays, or from other uncertainties associated with its implementation. (112) In other cases the ISD benefit may yield a positive financial return over time, yet create opportunity costs by siphoning limited capital away from other potential projects championed by the more powerful divisions. (113) In such cases, the ISD advocates will often lose out to other divisions in the competition for scarce resources within the firm. Thus, successful implementation of ISD will require more than simply the obligation to include ISD analysis in facility preparedness or security planning. It will require management-based regulations "with teeth." Such regulations would move beyond mere procedural requirements and also mandate the implementation of technically and economically feasible ISD options. (114) The mandatory nature of such a program would provide advocates for ISD within the firm with internal leverage because actions required by law are typically funded without having to compete with discretionary projects for funding. (115)

In California, Contra Costa County incorporated just such a program in its Industrial Safety Ordinance (ISO) in 1998 following a series of chemical accidents at industrial facilities in the county. (116) The ordinance, which applies to seven major oil refineries and chemical plants located in Contra Costa County, layers additional planning and implementation obligations over those already mandated under EPA's RMP program and OSHA's PSM program. In particular, the ordinance requires that each facility consider the use of ISD measures for reducing significant hazards associated with both existing and new processes. (117) Eschewing the soft style of management-based regulation, the ordinance obligates facilities to "select and implement Inherently Safer Systems to the greatest extent feasible." (118) "Feasible" is defined as "capable of being accomplished in a successful manner within a reasonable period of time, taking into account economic, environmental, legal, social, and technological factors." (119) In its Program Guidance Document, the Contra Costa Health Services Department sets out fairly specific criteria for feasibility determinations, identifying limited circumstances in which relevant ISD measures may be rejected. Rejection is permitted where the ISD measure conflicts with law or with good engineering practices; is economically impracticable; or causes a net increase in overall risk. (120)

Given the relative youth of the Contra Costa program, there is sparse information available from the Health Services Department regarding its operation and outcomes. However, the little information that is available supports two notes of cautious optimism about the effectiveness of the program and its mandatory ISD. First, it appears that the ordinance may be contributing to a reduction in chemical accidents in the county. In its 2006 Annual Performance Review and Evaluation Report, the Department reported that "[t]he number and severity of Major Chemical Accidents and Releases have been decreasing since implementation of [the] Industrial Safety Ordinance." (121) I say cautious optimism because with only six facilities in the program and only seven years of coverage, the small number of data points makes it difficult to draw any certain conclusions about whether there actually is a downward trend, and if so whether it is causally linked to the Contra Costa County ISO. For example, serious accidents among covered facilities dropped from one in 1999 to zero from 2000 through 2006.

Second, half of the six facilities covered by the ordinance report have implemented ISD measures under the ordinance. Over a three year period, those three facilities adopted fifty ISD measures, including substitution of hazardous materials with safer alternatives, reduction of inventories of hazardous materials, and process simplification. (122) Again, these results must be approached with cautious optimism for a number of reasons. It is unclear whether the measures resulted from the ordinance's intervention rather than from facility design and safety procedures in place prior to the ordinance. Moreover, from the limited public information available, one cannot gauge the substantive impact of the measures. It is important to ask whether they significantly affected safety or whether they were simply exercises in "green-washing?" Furthermore, any optimism about ISD must be tempered because three other facilities reported that no ISD measures were adopted. Thus, while the Contra Costa County ISO provides a functioning example of how ISD can be integrated into management-based regulation, it remains to be seen how well the ordinance actually integrates it.

Critics of ISD integration have strong opinions regarding the feasibility of ISD integration. (123) The temptation to brand these criticisms as political rhetoric and posturing is strong and, in some cases, justified. However, in other cases, well-respected academics and safety engineering practitioners involved in the development of ISD as a discipline have raised serious, principled concerns regarding integration. Any attempt at integration must take those concerns into account in crafting the specifics of a regulatory program including ISD. As I discuss below, prior experience with management-based regulation suggests that a portion of these concerns can be addressed through careful regulatory design and implementation. Moreover, some of these concerns may simply reflect misunderstanding on the part of industrial safety academics and practitioners of the nature and goals of management-based regulation.

Let us begin with the critiques that are more rhetoric than reason. Ironically, the best example of this type of challenge is the claim that ISD integration is nothing more than an environmentalist ruse that uses fear of terrorism to advance a green agenda. (124) No doubt, many of the usual suspects associated with progressive environmental policy positions likewise advocate for ISD integration in the chemical plant security debate--the author of this article included. (125) Yet, there is little disagreement from any quarter that the events of 9/11 increased the need for urgent chemical management reform. It is unsurprising that those harrowing events would induce advocates of toxics use reduction and pollution prevention to shift attention from generic operational risks to risks of terrorism. Community members exposed to hydrofluoric acid will die just the same regardless of whether the toxic cloud originated from an industrial accident or a terrorist attack. Perhaps more importantly, well-respected safety engineers in industry and academia as well as the GAO have echoed the environmentalists' contention that proper ISD integration can reduce the risk of terrorist acts against industrial facilities. (126)

The DHS, the American Chemical Council, and others also argue that ISD measures can actually increase net risk or simply shift it from one population to another. (127) Inventory reduction is the example most commonly deployed in support of this argument. When a facility reduces on-site risks by keeping less hazardous material on hand, it increases upstream risks by requiring additional shipments of smaller volumes of chemicals and more storage of the material at the manufacturing or distribution facility. (128) While the possibility of such 'risk-shifting is quite real, the criticism is off the mark. This particular criticism obscures the fact that ISD is a process rather than a result. The ISD process considers the benefits and trade-offs associated with all available safety measures--inherent, passive, active, and procedural. (129) A proper ISD analysis would take upstream and downstream risks into account in evaluating whether the ISD measure on balance is appropriate. (130) For example, the Contra Costa County ISO Program Guidance Document specifically declares that an ISD measure need not be implemented where the measure "may decrease the hazard, but would otherwise increase the overall risk." (131)

Safety engineers experienced in ISD have voiced concerns about the relatively subjective nature of contemporary inherently safer design. ISD at any particular plant requires evaluation of multiple hazards, identification and consideration of potential ISD measures, and comparative analysis of the net benefits and costs of the ISD measures and conventional safety measures. At present there is no widely accepted, specific methodology or protocol for performing those evaluations and analyses. Critics conclude that absent such uniform, detailed guidance, ISD analyses would be very subjective in nature and result in widely divergent results. (132) The critics also raise fairness concerns flowing from the subjective nature of ISD analysis. Without clear protocols and without standards to constrain the regulators' discretion, facilities would be subject to the whim of the reviewing agency staff. (133) This creates exposure to noncompliance penalties and to possible imposition of excessive costs for ISD planning and implementation.

While these subjectivity concerns rightfully support caution in designing management-based regulation in this context, they do not justify rejection of ISD integration altogether. In fact, for several aspects of the ISD analysis, regulators and businesses have significant experience in articulating and applying fairly objective criteria. For example, the issue of whether a particular measure is feasible or achievable arises in a variety of regulatory programs and business contexts. (134) In defining "feasibility" for purposes of its ISO, Contra Costa County adapted pre-existing OSHA guidance which set out criteria for justifiably declining recommendations from occupational safety incident investigations. (135) Contra Costa County also relied upon Recognized and Generally Accepted Good Engineering Practices and fairly standard principles of financial analysis. (136) Likewise, as part of risk management planning and process hazard analysis, environmental and safety engineers routinely identify and assess process hazards, and select among competing mitigation approaches. (137) The tools regularly used in those contexts, such as chemical reaction matrices, Hazard and Operability Analysis (HAZOP), and risk-ranking lists are equally relevant in ISD analysis. (138)

Other aspects of the ISD review process--such as identifying and evaluating innovative ISD measures and assessing the life cycle impacts of those and other conventional safety measures--are significantly less familiar to many engineers and regulators. (139) The Center for Chemical Process Safety's (CCPS) "Gold Book" provides conceptual overviews of and checklists for these two aspects of ISD review, but does not provide a formal protocol or methodology. Nonetheless, a variety of such methodologies do exist, and have been in use by numerous companies in the United States for some time. (140) Recently, the INSIDE Project (an effort by a consortium of European companies to encourage adoption of ISD integration) developed a comprehensive, web-based toolkit providing a comprehensive yet adaptable methodology for all aspects of ISD review. (141) Regulators can rely upon such protocols and methodologies in establishing criteria to guide facilities required to conduct ISD reviews, or perhaps more wisely, permit the individual facilities to select the most appropriate methodology from a list of acceptable candidates.

No doubt, ambiguities exist in the INSIDE toolkit protocols and in the methodologies used by current ISD practitioners. Additionally, subjectivity will continue to influence outcomes of ISD reviews performed under those protocols. Yet, ambiguity and subjectivity are regular passengers on the regulatory train, and not necessarily unwelcome ones. To some degree, ambiguity and subjectivity provide slack in the relationship between the government and the regulated entity. In practice, regulation is often a series of interactions in which the parties reach consensus about how generally applicable yet ambiguous rules will be applied to a particular facility or activity. (142) This slack is especially useful where, as in the case of ISD for chemical processes and operations, conditions are highly variable and thus case-by-case adaptation is necessary.

One critic of ISD integration rightfully notes that "the complexity of process plants essentially prevents any prescriptive rules that would be widely applicable." (143) ISD integration would not involve the promulgation of technology-based performance standards or the imposition of specific, generally applicable technology requirements. Rather, the goal of ISD integration through management-based regulation is to ensure meaningful consideration of ISD and implementation of viable ISD measures by the firm. It achieves this goal by overcoming barriers to ISD consideration and adoption within the firm, such as poor communication, inertia, and the potentially limited power of the health and safety department at many firms. Where the goal is to affect a process within the firm rather than to obtain specific outcomes, variability in the substantive outcomes across firms is not necessarily problematic.

Of course, the partially subjective nature of ISD review could be used by the firm to avoid otherwise reasonable ISD measures or by the regulator to impose unreasonable ones. However, this concern is not unique to ISD-facilities and regulators face it in many contexts, including the review and adoption of conventional security measures under the Department of Homeland Security (DHS) chemical plant security regulations. In the DHS regulations, government oversight is broadly stated. The DHS may disapprove a site security plan that "fails to satisfy" a set of very general performance standards. (144) However, the facility retains a fair amount of discretion. Both the Homeland Security Appropriations Act of 2007 and the regulations preclude the DHS from disapproving a site security plan based on the presence or absence of a particular measure. (145) Contra Costa County fashioned a stronger role for the regulator. Under the Contra Costa County ISO, the firms are required to submit extensive documentation regarding the rejection of potentially applicable ISD measures including "sufficient evidence to demonstrate to the County's satisfaction that implementing this inherently safer system is impractical." (146) In crafting management-based regulations, the government must strike a balance between providing flexibility to the facility and retaining a meaningful review role for itself.


The conflict between risk management and risk prevention arises in many contexts in environmental and health policy. In the past, risk prevention (whether cast as pollution prevention, inherently safer design, toxics reduction, or otherwise) has played a subsidiary role, relegated primarily to voluntary programs. Regrettably, our world is becoming more dangerous and risky, and policymakers can ill-afford to ignore the potential of risk prevention as another element of mainstream mandatory regulation. Clearly, the risk prevention paradigm raises significant design and implementation issues that require careful attention and reasonable resolution. Yet, these issues are not unlike those faced by existing risk management programs and, thus, justify caution rather than rejection of this valuable regulatory approach.



(3.) See infra text accompanying notes 31-34.

(4.) See infra text accompanying notes 38-41.

(5.) See Ana Maria Cruz et al., Identifying Hurricane-Induced Hazardous Material Release Scenarios in a Petroleum Refinery, 2 NAT. HAZARDS REV. 203, 208 (2001).

(6.) See infra text accompanying notes 53-56.

(7.) The Chemical Safety Board was created by the Clean Air Act Amendments of 1990. 49 U.S.C. [section](6) (1990).

(8.) 49 U.S.C. [section] 1131 (1990). See S. REP. No. 101-228 (modeling Chemical Safety Board after the NTSB).


(10.) See infra text accompanying notes 72-75.

(11.) See infra text accompanying notes 94-97.

(12.) See infra text accompanying notes 79-82.

(13.) See infra text accompanying notes 83-90.

(14.) According to the Occupational Safety and Health Administration's IMIS database, 36 "fatality/catastrophe" (FAT/CAT) incidents related to the release of highly hazardous chemicals have occurred in the petroleum refining sector between May 1992 and June 2007. These incidents resulted in 52 employee deaths and 250 employee injuries, 98 of which required hospitalization. The number of refinery FAT/CAT incidents exceeds the combined total of the next three highest industries (general chemical manufacturing, organic chemical manufacturing, and explosives production). OSHA, PETROLEUM REFINERY PROCESS SAFETY MANAGEMENT NATIONAL EMPHASIS PROGRAM, CPL 03-00-004 (2007).

(15.) CHARLES PERROW, NORMAL ACCIDENTS 354-56 (Princeton Univ. Press 1999).

(16.) On March 23, 2005, flammable liquids erupted from an over-pressurized distillation column at the BP Texas City refinery, and were ignited in a series of explosions. Fifteen workers died, and 180 others were injured. U.S. CHEM. SAFETY AND HAZARD INVESTIGATION BD., INVESTIGATION REPORT: REFINERY FIRE AND EXPLOSION 17 (2007), available at CSBFinalReportBP.pdf.


(18.) Cary Coglianese & David Lazer, Management-Based Regulation: Prescribing Private Management to Achieve Public Goals, 37 LAW & SOC'Y REV. 691, 698 (2003).

(19.) PERROW, supra note 15, at 5.

(20.) PERROW, supra note 15, at vii.

(21.) PERROW, supra note 15, at 4-5.

(22.) PERROW, supra note 15, at 77-78.

(23.) PERROW, supra note 15, at 107-08.

(24.) PERROW, supra note 15, at 108-110, 115-118.

(25.) Karen Marais et al., Beyond Normal Accidents and High Reliability Organizations: The Need for an Alternative Approach to Safety in Complex Systems 2 (Mar. 24, 2004), available at

(26.) Redundancy refers to duplicative technical systems as well as redundant personnel. SCOTT D. SAGAN, THE LIMITS OF SAFETY: ORGANIZATIONS, ACCIDENTS AND NUCLEAR WEAPONS 20 (Princeton Univ. Press 1993).

(27.) Karlene H. Roberts, Managing High Reliability Organizations, 32 CAL. MGMT. REV. 101 (1990); Karl E. Weick et al., Organizing for High Reliability: Processes of Collective Mindfulness, in RESEARCH IN ORGANIZATIONAL BEHAVIOR 81 (R. Sutton & B. M. Staw eds., 1999). Organizational learning refers generally to the ability of an organization to change its routines based on trial and error. SAGAN, supra note 26, at 25.

(28.) Karlene H. Roberts, Some Characteristics of High Reliability Organizations, 1 ORG. Sol. 160 (1990); Frederick G. Wolf, Operationalizing and Testing Normal Accident Theory in Petrochemical Plants and Refineries, 10 PRODUCTION & OPERATIONS MGMT. 295 (2001).

(29.) Charles Perrow, Organizing to Reduce the Vulnerabilities of Complexity, 7 J. OF CONTINGENCIES & CRISIS MGMT. 151-152; SAGAN, supra note 26, at 36-43.

(30.) Perrow, Organizing, supra note 29, at 152.

(31.) PERROW, NORMAL ACCIDENTS, supra note 15, at 101-122.

(32.) Wolf, supra note 28, at 292. For interactive complexity, Wolf calculated a "complexity index" based upon the number of nodes (or points of connection with and between various process units) and the possible number of states for various parameters at each node. Id. at 297. Coupling was defined by reference to resource availability. Id. at 298.

(33.) Id. at 297-99.

(34.) Id. at 304.

(35.) The United Nations Framework Convention on Climate Change refers to climate change as "a change of climate which is attributed directly or indirectly to human activity that alters the composition of the global atmosphere and which is in addition to natural climate variability observed over comparable time periods." United Nations Framework Convention on Climate Change, art. 1.2.

(36.) Kerry Emanuel, Increasing Destructiveness of Tropical Cyclones Over the Past 30 Years, 436 NATURE 686 (2005) (discussing weather impacts). Intergovernmental Panel on Climate Change, Climate Change 2007: Impacts, Adaptation, and Vulnerability, Contribution of Working Group II to the Fourth Assessment Report of the Intergovernmental Panel on Climate Change 639 (concluding North America has "experienced substantial social, cultural, economic and ecological disruption from recent climate-related extremes ...").

(37.) Ronald W. Patra et al., The Effects of Three Organic Chemicals on the Upper Thermal Tolerances of Four Freshwater Fishes, 26 ENVTL. TOXICOLOGY & CHEMISTRY 1454 (2007).

(38.) A hurricane is an organized, rotating storm system with a maximum sustained surface wind of at least 74 miles per hour (mph). Under the Saffir-Simpson Hurricane Scale, hurricanes are categorized as level one through five on the basis of wind speed. Category 4 hurricanes (with a wind speed of between 131-155 mph) and Category 5 hurricanes (with a wind speed greater than 155) are the most severe.

(39.) Kerry Emanuel, The Dependence of Hurricane Intensity on Climate, 326 NATURE 483 (1987); Kerry Emanuel, Increasing Destructiveness, supra note 36; P. J. Webster et al., Changes in Tropical Cyclone Number, Duration, and Intensity in a Warming Environment, 309 SCI. 1844, 1845 (2005).

(40.) Kevin E. Trenberth et al., Observations: Surface and Atmospheric Climate Change, Climate Change 2007." The Physical Science Basis 304-05 (S. Solomon et al. eds., 2007), available at

(41.) Emanuel, Increasing Destructiveness, supra note 36, at 687; Webster, supra note 39, at 1846.

(42.) This figure is courtesy of Epodunk, drawing upon information from FEMA, EPA Toxics Release Inventory, Texas Governor's Division of Emergency Management, and the National Hurricane Center, available at

(43.) Cruz et al., supra note 5, at 208.

(44.) Craig E. Colten, Rusting of the Chemical Corridor, 47 TECH. & CULTURE 95 (2006).

(45.) Cruz et al., supra note 5, at 206.

(46.) John C. Pine, Hurricane Katrina and Oil Spills: Impact on Coastal and Ocean Environments, 19 OCEANOGRAPHY 37 (2006).

(47.) AGENCY FOR TOXIC SUBSTANCES AND DISEASE REGISTRY, HEALTH CONSULTATION MURPHY OIL SPILL 2 (Dec. 9, 2005): Pine, supra note 46, at 38 (stating that only 819,000 gallons were spilled at the Murphy Oil Refinery).

(48.) Cruz et al., supra note 5, at 208.



(51.) MARSH RISK CONSULTING, PROPERTY LOSSES, supra note 49, at 5.

(52.) Cruz et al, supra note 5, at 206-08.



(55.) U.S. ENVTL. PROT. AGENCY, SECURITY STUDY, supra note 54, at 6: DO J, Assessment, supra note 53, at 23-24.


(57.) U.S. DEPT. OF JUSTICE, ASSESSMENT, supra note 53, at 22-30.

(58.) GAD, COMBATING TERRORISM, supra note 54, at 10-14; DOJ, ASSESSMENT, supra note 53, at 15-19.

(59.) MEGHAN PURVIS & MARGARET HERMAN, NEEDLESS RISK: OIL REFINERIES AND HAZARD REDUCTION 4-7 (U.S. PIRG EDUCATION FUND 2005), available at new-energy-future/new-energy-future /needless-risk-oil-refineries-and-hazard-reduction (last visited Aug. 30, 2007).

(60.) American Chemistry Council, Responsible Care Security Code of Management Practices, (last visited Aug. 27, 2007).

(61.) GAO, VOLUNTARY INITIATIVES, supra note 56, at 23-24.

(62.) Homeland Security Presidential Directive 7 (Dec. 17, 2003), available at


(64.) GAO, HOMELAND SECURITY, supra note 63, at 52.

(65.) Id. at 2; Chemical Facility Security: What is the Appropriate Federal Role? Hearing Before the S. Comm. on Homeland Sec. and Governmental Affairs, 109th Cong. 7-8 (July 13, 2005) (testimony of Martin J. Durbin, Managing Director, American Chemistry Council).

(66.) Homeland Security Appropriations Act of 2007, H.R. 5441, 109th Cong. [section] 550 (2006).

(67.) 72 Fed. Reg. 17688 (Apr. 9, 2007) (codified at 6 C.F.R. pt. 27).

(68.) Dennis C. Hendershot, Senior Technical Fellow, Rohm and Hass Co., Presentation at the 20th Annual CCPS International Conference: An Overview of Inherently Safer Design 2 (Apr. 11-13, 2005).

(69.) See supra text accompanying notes 80, 90.


(71.) Id.; PURVIS & HERMAN, supra note 59, at 9-10.

(72.) 29 C.F.R. [section] 1910.119.

(73.) Coglianese & Lazer, supra note 18, at 698.

(74.) The concept of "process" is broadly defined to include any use, storage, handling, or manufacture of covered chemicals. 29 C.F.R. [section] 1910.119(a). In performing a process hazard analysis, the employer may use any of a variety of standard methodologies, including a "Hazard and Operability Study" or a "Failure Mode and Effects Analysis." 29 C.F.R. [section] 1910.119(e)(2).

(75.) 29 C.F.R. [section] 1910.119(e).

(76.) EPA's program covers any stationary source that has more than a threshold amount of certain "regulated substances" listed in Part 68. Processes within one facility are subject to one of three "programs" depending upon such factors as the process' accident history, industry sector, and coverage by OSHA's process safety management program. All petroleum refineries and most chemical plants would be subject to the most stringent requirements, which are imposed in Program 3. 61 Fed. Reg. 31667, 31670 (June 20, 1996).

(77.) 40 C.F.R. [section][section] 68.150-68.190.

(78.) 42 U.S.C. [section] 7412(r)(7)(B)(ii)(II).

(79.) 40 C.F.R. [section] 68.67(c)(3).

(80.) 61 Fed. Reg. 31667, 31674 (June 20, 1996).

(81.) Id.

(82.) 60 Fed. Reg.13525, 13535 (Mar. 13, 1995).

(83.) Such facilities are identified by the Assistant Secretary of Homeland Security following assessment of information submitted by chemical facilities through the "Top-Screen process" and other mechanisms. See 6 C.F.R. [section][section] 27.200 & 27.205 (2007).

(84.) 6 C.F.R. [section][section] 27.225 & 27.205 (2007). Section 550 of the Homeland Security Appropriations Act of 2007 requires that the Department establish "risk-based performance standards for security of chemical facilities." Pub. L. No. 109-295. By specifying "performance standards," Congress apparently sought to prevent the Department from mandating specific security measures for any particular facility, preferring instead that the Department establish the desired ends, but leave the specific means to the individual companies. See 71 Fed. Reg. 78275, 78285 (Dec. 28, 2006).

(85.) 27 C.F.R. [section] 27.230 (2007).

(86.) See Jeff Johnson, Simply Safer. 81 Chem. & Engineering News 23-24 (2003); Joseph A. Siegel, Terrorism and Environmental Law: Chemical Facility Site Security vs. Right-to-Know?, 9 WIDENER L. SYMP. J. 339 (2003).

(87.) Letter dated Dec. 8, 2005, from Steven J. Pecinovsky, DHS, to John Stephenson, GAO, in GAO, HOMELAND SECURITY, supra note 63, at 74.

(88.) Durbin, supra note 65, at 8-11.

(89.) Pub. L. No. 109-295, supra note 84, at Section 550(a).

(90.) 67 Fed. Reg. 17687, 17718 (Apr. 9, 2007).


(92.) Trevor A. Kletz, What You Don't Have, Can't Leak, CHEMISTRY & INDUSTRY 287 (1978); Dennis C. Hendershot, Senior Technical Fellow, Rohm and Haas Co., An Overview of Inherently Safer Design 4 (Apr. 11-13, 2005) (presented at the 20th Annual CCPS International Conference).

(93.) CENTER FOR CHEMICAL PROCESS SAFETY (CCPS), INHERENTLY SAFER CHEMICAL PROCESSES: A LIFE CYCLE APPROACH (1996). CCPS subsequently published GUIDELINES FOR DESIGN SOLUTIONS TO PROCESS EQUIPMENT FAILURES. CCPS is a not-for-profit, corporate membership organization within the American Institute of Chemical Engineers that identifies and addresses process safety needs within the chemical, pharmaceutical, and petroleum industries. Its members include business and governmental agencies., About CCPS, (last visited Sept. 13, 2007).

(94.) Hendershot, An Overview of Inherently Safer Design, supra note 92, at 9.

(95.) CCPS, LIFE CYCLE APPROACH, supra note 93, at 27-52. These four categories correspond to the four used by Kletz: intensification, substitution, moderation and simplification. TREVOR A. KLETZ, PROCESS PLANTS: A HANDBOOK FOR INHERENTLY SAFER DESIGN 2-3 (Taylor and Francis 1998).


(97.) See CCPS, LIFE CYCLE APPROACH, supra note 93, at 34-35.

(98.) J.P. Gupta et al., The Real Cost of Process Safety--A Clear Case for Inherent Safety, 81 PROCESS SAFETY & ENVTL. PROT. (B6 SPECIAL ISSUE) 406 (2003); Trevor A. Kletz, Inherently Safer Design--Its Scope and Future, 81 PROCESS SAFETY & ENVTL. PROT. (B6 SPECIAL ISSUE) 401 (2003).

(99.) Nicholas A. Ashford & Gerard Zwetsloot, Encouraging Inherently Safer Production in European Firms: A Report from the Field, 78 J. HAZARDOUS MATERIALS 123, 138 (2000).

(100.) Timothy F. Malloy & Peter Sinsheimer, Innovation, Regulation and the Selection Environment, 57 RUTGERS L. REV. 183, 207 (2004); Gupta, supra note 98, at 412.

(101.) Ashford and his colleagues coined the term "Technology Options Analysis" for a process by which the firm would expand the traditional Hazard Assessment to include evaluation of alternative production technologies and other ISD safety measures. NICHOLAS A. ASHFORD ET AL., THE ENCOURAGEMENT OF TECHNOLOGICAL CHANGE FOR PREVENTING CHEMICAL ACCIDENTS: MOVING FIRMS FROM SECONDARY PREVENTION AND MITIGATION TO PRIMARY PREVENTION VIII-2 (Center for Technology, Policy and Industrial Development (CTPID) 1993), available at The CCPS describes a variety of administrative mechanisms for ISD review, including identification of appropriate team members, timing of review, and the format of the review process. CCPS, LIFE CYCLE APPROACH, supra note 93, at 115-124.

(102.) Oerard I.J.M. Zwetsloot & Nicholas Askounes Ashford, The Feasibility of Encouraging Inherently Safer Production in Industrial Firms, 41 SAFETY SCIENCE 219, 228 (2003); Timothy F. Malloy, Regulation, Compliance and the Firm, 76 TEMPLE L. REV. 451, 495-497 (2003).

(103.) Kletz, Inherently Safer Design, supra note 98, at 401,403: see supra text accompanying notes 72-90.

(104.) ASHFORD, supra note 101, at VII-1 to VII-14; See also Malloy, Regulation, Compliance and the Firm, supra note 102, at 501-11 (discussing why firms would not adopt valuable management systems).

(105.) Kletz, Inherently Safer Design, supra note 98, at 404; Johnson, supra note 86, at 24-25; DAVID A. MOORE, INCORPORATING INHERENTLY SAFER DESIGN PRACTICES INTO PROCESS HAZARD ANALYSIS 1-2.

(106.) Dennis C. Hendershot et al., Implementing Inherently Safer Design in an Existing Plant l(Apr. 10-14, 2005) (presented at the 7th Biennial Process Plant Safety Symposium).

(107.) MOORE, supra note 105, at 1-2; ASHFORD, supra note 101, at VII-5.

(108.) Malloy, Regulation, Compliance and the Firm, supra note 102, at 502-11; Richard Rumelt, Inertia and Transformation, in RESOURCES IN AN EVOLUTIONARY PERSPECTIVE: TOWARDS A SYNTHESIS OF EVOLUTIONARY AND RESOURCE-BASED APPROACHES TO STRATEGY 101, 105-06 (C. Montgomery ed. 1995) (discussing various causes of organizational inertia).

(109.) Malloy, Regulation, Compliance and the Firm, supra note 102, at 495.

(110.) Id.

(111.) Coglianese 8: Lazer, supra note 18, at 706-07. During the 2001-02 legislative debates over chemical plant security, the Corzine bill incorporated soft management-based ISD regulation within its chemical plant security policy. Under that bill, each high priority chemical facility was required to prepare a prevention, preparedness, and response plan including "safer design and maintenance," defined elsewhere to include both conventional control and mitigation equipment and inherently safer technology. See S. 1602, 107th Cong. [section][section] 3(6), 4(a)(3) (as passed by Senate, Nov. 15, 2002). The bill established no express obligation to implement ISD or any objective criteria to guide the facilities or regulators in determining whether ISD was necessary, perhaps leaving those issues to agency rulemaking. However, Section 5(a)(2)(B) suggests that government review may have been limited to simply ensuring that the facility in question considered the use of ISD. ("A certification of the Administrator [that a facility's plan complies with the implementing regulations] shall include a checklist indicating consideration by a chemical source of the use of 4 elements of safer design and maintenance ..."). S. 1602, 107th Cong. [section] 5(a)(2)(B).

(112.) Timothy F. Malloy, Regulating by Incentives: Myths, Models and Micromarkets, 80 TEX. L. REV. 531, 568 (2002).

(113.) Malloy, Regulating by Incentives, supra note 112, at 574-78; ASHFORD, supra note 101, at VII-12.

(114.) See Coglianese & Lazer, supra note 18, at 706-07 (discussing various forms of management-based regulation).

(115.) Malloy, Regulating by Incentives, supra note 112, at 578-79; PHILIP BROMILEY, CORPORATE CAPITAL INVESTMENT: A BEHAVIORAL APPROACH 131 (1986).

(116.) CONTRA COSTA COUNTY, CAL., ORDINANCE 98-48 (Dec. 4, 1998) [hereinafter "ISO Ordinance"]; Industrial Safety Ordinance Annual Performance Review and Evaluation Report (Contra Costa Health Services Hazardous Materials Program, Contra Costa County, Cal.), Oct. 19, 2004, at 3. For a description of a variety of accidents in Contra Costa, including a controversial fatal accident at the Tosco refinery, see CEERT, CRUDE RECKONING: THE IMPACT OF PETROLEUM ON CALIFORNIA'S PUBLIC HEALTH AND ENVIRONMENT 25-27 (2002).

(117.) ISO Ordinance, supra note 116, at [section] 450-8.016(D)(3). For existing processes, the ISD measures must be considered as part of the process hazard analysis conducted every five years. For new units, the ISD consideration must occur as part of the design process. Id.

(118.) ISO Ordinance, supra note 116, at [section] 450-8.016(D)(3) (emphasis added).

(119.) ISO Ordinance, supra note 116, at [section] 450-8.016(c).

(120.) Contra Costa Safety Program Guidance Document (Contra Costa Health Services Hazardous Materials Program, Contra Costa County, Cal.), Jan. 15, 2001, at D-11 to D-12.

(121.) Industrial Safety Ordinance Annual Performance Review and Evaluation Report, CONTRA COSTA SAFETY PROGRAM GUIDANCE DOCUMENT, (Contra Costa Health Services Hazardous Materials Program, Contra Costa County, Cal.), Dec. 5, 2006, at 2.

(122.) Id. at 13 tbl. III; Industrial Safety Ordinance Annual Performance Review and Evaluation Report (Contra Costa Health Services Hazardous Materials Program, Contra Costa County, Cal.), Nov. 15, 2005, at 15 tbl. 3; Industrial Safety Ordinance Annual Performance Review and Evaluation Report (Contra Costa Health Services Hazardous Materials Program, Contra Costa County, Cal.), Oct. 19, 2004, at 12 tbl. 3.

(123.) Durbin, supra note 65; Editorial, Mr. Corzine's Chemical Attack, WALL ST. J., May 2, 2003.

(124.) Angela Logomasini, Greening a Homeland Bureaucracy: Chemical Plant Security Issue Hijacked by Green Activists, CEINPOINT (May 2, 2006); Mr. Corzine's Chemical Attack, supra note 123.

(125.) See U.S. PIRG EDUCATION FUND, supra note 96, at 12 (recommending adoption of ISD); M. PURVIS & M. HERMAN, NEEDLESS RISK: OIL REFINERIES AND HAZARD REDUCTION (Penn Environment Research & Policy Center ed., 2005).

(126.) Kletz, Inherently Safer Design, supra note 98, at 404; Dennis C. Hendershot, Powerpoint Presentation at the American Institute of Chemical Engineers, Inherently Safer Design as an Approach to Enhancing Chemical Plant Security (Mar. 30, 2003).

(127.) Durbin, supra note 65, at 9; Letter from Steven J. Pecinovsky, Dep't of Homeland Sec., to John Stephenson, Gen. Accounting Office (Dec. 8, 2005) (on file with Gen. Accounting Office, Combating Terrorism 74); Angela Logomasini, Utopian Policymaking, NAT'L REV. ONLINE (May 5, 2003),

(128.) Durbin, supra note 65, at 9.

(129.) Contra Costa Safety Program Guidance Document, supra note 120, at D-11 to D-12.

(130.) CCPS, LIFE CYCLE APPROACH, supra note 93, at 34-35.

(131.) Contra Costa Safety Program Guidance Document, supra note 120, at D-12.

(132.) Chemical Site Security, The Senate Environment and Public Works Com., 109th Cong. 8 (June 21, 2006) (testimony of David A. Moore, AcuTech Consulting Group), available at; MARY KAY O'CONNER PROCESS SAFETY CENTER, CHALLENGES IN IMPLEMENTING INHERENT SAFETY PRINCIPLES IN NEW AND EXISTING CHEMICAL PROCESSES 4 (Aug. 2002).

(133.) MARY KAY O'CONNER PROCESS SAFETY CENTER, supra note 132, at 4.

(134.) See South Coast Air Quality Management District Rule 1302(h)(2) (defining best available control technology to include control techniques that are technologically feasible); OFFICE OF SOLID WASTE AND EMERGENCY RESPONSE, U.S. ENVTL. PROT. AGENCY, GUIDANCE FOR EVALUATING THE TECHNICAL IMPRACTICABILITY FOR GROUND-WATER RESTORATION: INTERIM FINAL (1993) (setting out standards for determining when groundwater remediation is technically impracticable).

(135.) Contra Costa Safety Program Guidance Document, supra note 120, at D-11.

(136.) Id. at D11. The Program Guidance Document defines economic impracticability as inability to operate a process unit financially, taking into consideration capital investment, product quality, total direct manufacturing costs, operability of the plant, and decommissioning costs. Id. at D-12; CCPS, LIFE CYCLE APPROACH, supra note 93, at 18.

(137.) See supra text accompanying notes 72-79.

(138.) See CCPS, LIVE CYCLE APPROACH, supra note 93, at 58-67 (describing existing resources available for hazard identification and assessment, as well as alternatives evaluation).

(139.) CCPS, LIFE CYCLE APPROACH, supra note 93, at 115-16; Moore, supra note 132, at 4-5.

(140.) See CCPS, LIFE CYCLE APPROACH, supra note 93, at 116 (identifying published information regarding ISD review procedures at a number of major companies).

(141.) The INSIDE Project was set up in 1994 to explore and encourage the use of ISD. The webpage for the INSIDE projects explains that the toolkit:

"provides chemists and engineers with the tools and methods to systematically identify, evaluate, optimise and select inherently SHE chemical processes and designs. Whether the project is completely new, an existing chemical process in a new plant, or whether considering modifications to an existing plant and process, safety, health and environmental hazards are treated in an integrated way to ensure the conflicts and synergies between these aspects are recognised and effectively managed."

INSPIRE, (last visited Oct. 19, 2007).

(142.) See Daniel A. Farber, Taking Slippage Seriously: Noncompliance and Creative Compliance in Environmental Law, 23 HARV. ENVT'L L. REV. 297 (1999) (discussing "slippage").

(143.) MARY KAY O'CONNER PROCESS SAFETY CENTER, supra note 132, at 4.

(144.) 27 C.F.R [section] 27.245(a)(2) (2007). The performance standards include obligations to restrict the facility perimeter, deter theft and diversion of chemicals, maintain effective communication and monitoring systems, and secure critical assets. 27 C.F.R [section] 27.230 (2007). They provide little guidance regarding the specific types of measures to be used.

(145.) Department of Homeland Security Appropriations Act of 2007, H.R. 5441, 109th Cong. [section] 550 (2007); 27 C.F.R [section] 27.240(a)(3) (2007).

(146.) ISO Ordinance, supra note 116, at [section] 450-8.016(D)(3).

Timothy F. Malloy, UCLA School of Law
COPYRIGHT 2007 University of California at Los Angeles, School of Law
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2007 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Malloy, Timothy F.
Publication:UCLA Journal of Environmental Law & Policy
Date:Dec 22, 2007
Previous Article:Challenges of adapting to a changing climate.
Next Article:The role of U.S. insurance regulators in responding to climate change.

Related Articles
U.S. air only fair. (Air Pollution).
Send toxics law to voters.
Restore right to know.
An approach for assessing human health vulnerability and public health interventions to adapt to climate change.
Avoiding disaster.
Climate change, adaptation, and development.
Challenges of adapting to a changing climate.

Terms of use | Privacy policy | Copyright © 2019 Farlex, Inc. | Feedback | For webmasters