Applicability of compliance audit provisions to non-prevention program elements
I have a Program 2 covered process and a Program 3 covered process at my stationary source. I am required (by 40 CFR Section 68.58 and 40 CFR Section 68.79) to certify compliance with prevention program requirements every three years. These compliance audits specifically address the prevention program portions of my risk management program. Am I required to audit other portions of my risk management program, such as the hazard assessment, management system, and risk management plan (RMP)? If so, will the RMP audit under 40 CFR Section 68.220 serve this purpose?
Other than the prevention program compliance audits, there is no regulatory requirement for a source to formally "audit" other aspects of its risk management program. Facilities are expected to keep all program elements up-to-date, as required by the regulation. The rule requires facilities to track changes and update their RMP when appropriate. For example, there are self review and update requirements for non-prevention program elements specifically in the regulation (68.36(b) and 68.95(a)(4)). Audits, reviews and updates are all intended to provide for vigorous self-oversight by the source. The prevention program compliance audits (40 CFR §68.58 and 68.79) and the implementing agency (IA) audit (40 CFR §68.220) serve two distinct purposes. The IA audit does not replace these obligations because it is fundamentally a different undertaking. The internal audits, review, and update requirements are management controls to minimize accidental releases and consequences, while the IA audit is an external oversight mechanism. IA audits will not be done on every source; they will be done only when an IA deems it appropriate. The relationship of the self-checks required for a sound accident prevention program to IA audits is similar to the relationship between an internal accounting system and an external financial audit in that the external oversight depends upon the company itself having its own internal controls. An IA audit does not in any way relieve a company from its obligations to have internal reviews, controls, and updates.