Under the provisions of 40 CFR Part 68, at § 68.58 EPA requires audits of Risk Management Plans at least once every three years. Specifically: Sec. 68.58 Compliance audits.
The owner or operator shall certify that they have evaluated compliance with the provisions of this subpart at least every three years to verify that the procedures and practices developed under the rule are adequate and are being followed.
The compliance audit shall be conducted by at least one person knowledgeable in the process.
The owner or operator shall develop a report of the audit findings.
The owner or operator shall promptly determine and document an appropriate response to each of the findings of the compliance audit and document that deficiencies have been corrected.
The owner or operator shall retain the two (2) most recent compliance audit reports. This requirement does not apply to any compliance audit report that is more than five years old.
In order to clarify the above requirements, EPA posted questions and answers on their web site. Below are several of the questions and answers that appeared on this site.
Question: How often must owners or operators of stationary sources subject to the risk management program regulations perform compliance audits?
Answer: The regulations … state that owners or operators must certify that they have evaluated compliance with the applicable prevention program provisions at least once every three years to verify that established procedures and practices are adequate and are being followed.
Question: I have a Program 2 covered process and a Program 3 covered process … and I am required to conduct compliance audits certifying that I have evaluated compliance with my prevention program requirements … Do these provisions require me to audit my emergency response program as well?
Answer: No, the audit provisions in the prevention programs refer only to the prevention program. However, section 68.95(a)(4) provides that the Emergency Response program must include “[p]rocedures to review and update, as appropriate, the emergency response plan to reflect changes at the stationary source and ensure that employees are informed of changes”. Each facility must determine what is needed for this review and how often it will be carried out.
Question: … Am I required to audit other portions of my risk management program, such as the hazard assessment, management system, and risk management plan (RMP)? If so, will the RMP audit under 40 CFR Section 68.220 serve this purpose?
Answer: … there is no regulatory requirement for a source to formally “audit” other aspects of its risk management program. Facilities are expected to keep all program elements up-to-date, as required by the regulation. The rule requires facilities to track changes and update their RMP when appropriate. … Audits, reviews and updates are all intended to provide for vigorous self-oversight by the source….