Frequently Asked Questions (FAQs) are grouped according to the main navigation categories used throughout this website.
- What is ACC’s definition of a “management system”?
Although the term has been defined many ways, ACC has used the following definition since the 2002 Responsible Care® workshops: “A management system is the organizational structure, responsibilities, practices, procedures, processes and resources for developing, achieving, reviewing and maintaining the company’s (EHS, Quality, Responsible Care, etc.) policy.”
- Our company’s management system is global. I am concerned about the documentation and other RCMS® requirements relative to our global system.
ACC is not asking its companies to abandon their long-standing internal management system models. Companies will need to review the RCMS and understand the accompanying guidance; conduct a gap analysis against their existing management system; and fill any gaps accordingly. When it is time to be audited, companies will likely need to develop a roadmap for their auditors showing the linkage between the RCMS requirements and the company’s internal management systems. The auditor will look for conformance to the requirements of RCMS.
- Where can an ACC member company obtain additional RCMS implementation assistance?
In addition to the materials described above, ACC is providing members the opportunity to utilize its team of Responsible Care Special Advisors for on-site visits at member company offices and/or manufacturing sites. ACC members are also encouraged to seek implementation information via existing regional mutual assistance groups and through one-on-one interaction with industry peers. As issues arise, ACC will determine if formal implementation workshops on specific issues are warranted.
Security FAQs
The Code
- None of our industry's facilities or products has yet been attacked, and our security measures are already pretty significant. Why do anything more?
The chemical industry, along with other industries, has been identified by government agencies and legislators as being vulnerable to organized terrorist attacks. Industry representatives must satisfy both themselves and the public that all practical and effective measures have been taken to reduce the risks and severity of potential attacks.
- The development of the Security Code seems largely predicated on the belief that Congress will impose severe regulatory requirements on our industry. How can you be certain that Congress or the Administration will, in fact, enact legislation and regulations?
Federal Agencies are under pressure to contribute to Homeland Defense, and the public believes that government has an important role in domestic security. One proposed bill would require companies to make extensive process changes. The ACC Board believes the right course of action is to implement management systems that directly address security risks. By demonstrating our industry's commitment to act decisively, we will earn valuable credibility with policy makers as they formulate their actions. This is simply the right thing to do.
Vulnerability Assessments
- My company doesn't even make high hazard products. Why should I have to go through a vulnerability assessment?
Attractiveness of a target to terrorists or other criminals is not limited to a material's hazard. In addition to the threat of the uncontrolled releases of a hazardous substance, facilities may also be the target of theft or product contamination. Our industry must demonstrate that everyone in the chemical industry is making security a top priority and is doing the right thing to address all these threats. The Board's policy clearly recognizes that chemical operations do not fall into a one-size-fits-all category, and calls for actions that are commensurate with a facility's potential risks.
- What is the ACC definition of 'facility'?
For the purpose of prioritization and vulnerability assessment, "facility" means domestic, US sites at which operations occur that involve chemicals, e.g., manufacturing, storage, processing, handling, laboratories, or pilot plants. This prioritization does not apply to non-chemical activity sites such as administrative or sales offices, nor does it apply to transportation sites outside operating facilities. Transportation will be addressed through the "Distribution/Value Chain" portion of the Responsible Care Security Code.
- Does ACC recommend that companies use one particular methodology for assessing site security?
A methodology to assess the security at a site is the vital tool that assists companies with deciding what resources at a site need protection, what threats may be directed at those resources, and how to protect those resources. Under the Responsible Care Security Code, member companies are to use one of two nationally recognized site security methodologies or an equivalent company methodology. The national methodologies are ones that have been developed by Sandia National Laboratories and by the Center for Chemical Process Safety (CCPS). For a member to use a company methodology, the methodology must have been determined by CCPS as equivalent to the CCPS methodology. Several company methodologies have now been determined to be equivalent and are available for use by all member companies. The Security Code provides companies flexibility to determine which of these nationally recognized or equivalent methodologies to use in light of their particular circumstances. Beyond this, the Code does not mandate that companies use any one of these approved methodologies, nor does ACC endorse or recommend any particular one of these methodologies. Visit the Security Section for a complete discussion of security vulnerability assessment methodologies.
Enhancements
- Can facilities fulfill their Responsible Care Security Code site enhancement requirement by prioritizing their security enhancements that resulted from an SVA, and complete those considered "high priority" within 12 months, while extending the implementation time for other lower priority enhancements beyond 12 months?
All site security enhancements, with the few specific exceptions noted below, that were identified as necessary and committed to as a result of an SVA must be completed within the 12 months, as required by the Security Code. While companies should prioritize their list of required enhancements that were identified as a result of an SVA to address the most critical needs first, all enhancements should be completed within one year of the SVA deadline. When developing the Security Code, ACC recognized that some complex projects, such as those requiring major capital expenditures or major system changes, may require longer than 12 months to implement. Such situations are addressed in the question below.
- What if a facility cannot complete a site security enhancement within 12 months due to circumstances outside its control? For example, an enhancement required regulatory agency permitting approval that was not granted in time for the enhancement to be completed in 12 months, or an enhancement required a major process change and significant capital expenditure, and the project could not be completed within 12 months.
ACC recognizes that such situations can occur. However, these situations do not include those caused by inadequate planning, lack of appropriate implementation oversight, poor company economic performance, desire to allocate resources elsewhere in the facility, or convenience in delaying enhancement projects due to associated cost savings. Therefore, ACC expects facilities that cannot complete enhancements due to circumstances beyond their control to document such situations early in the enhancement implementation process. Consequently, ACC encourages facilities to document such potential delays and the associated reason for missing the Security Code enhancement implementation deadline. Although a project may be complex and take longer than 12 months to complete, it should be initiated as soon as possible to demonstrate progress and conformance with ACC's Responsible Care Security Code.
- A company is in a situation where circumstances beyond its control prevent certain enhancements from being completed within 12 months. How should the third-party verification be conducted in regards to the incomplete enhancements?
The third-party verification should be conducted, per the Security Code deadline, for all enhancements that are completed. For those that are incomplete, the facility should show the third party verifier progress toward completing the enhancement via permit applications, requests for investment capital, or other documentation showing positive progress toward implementation. Since the Security Code envisions that third-party verification occur only once, it is not required that the third party return to the facility to verify the enhancement in progress once it is complete. However, some facilities may choose to do so to foster open communication and information sharing with stakeholders, per Management Practice #7 of the Security Code. Also remember that a facility's overall security management system will be certified under the RCMS certification process, such that future enhancements will be subject to third party oversight during the RCMS audit.
Verification
- Is the proposed third party verification process mandatory? Who is supposed to be the external verifier? Local police, LEPCs, etc.?
The verification process is required for physical security enhancements only and will be used to assure that the action steps identified from the site security vulnerability assessments have been taken. There will be no third party verification of the assessments themselves. The verifier can be anyone you believe is credible in the area of security. Factors to consider when determining credibility of a potential verifier can include considerations such as areas of expertise, affiliation, education and accreditation. Companies might consider the following in selecting verifiers: local first responders, state emergency planners, other security-related government agency personnel, security consultants, insurance company auditors, etc. The Security Code provides companies with the flexibility to determine which of these or other potential verifiers would be viewed by their communities and other stakeholders as credible and are most appropriate in their circumstances. Neither the Security Code nor ACC mandates, recommends or endorses any particular group of verifiers.
- Why specify a verification process that involves third parties like LEPCs or local police?
There is ample evidence to suggest that the public and public officials are concerned about the health, safety, security and environmental impacts of our facilities and products. The recent terrorist attacks in America have heightened these concerns. Including third parties in the security vulnerability assessment process, both as enhanced physical security measures are being considered and after they are implemented, will be helpful in developing an appropriate local supportive resource in the event of an actual threat or attack.
- Security risks and vulnerabilities should not be made public. Aren't there confidentiality issues with verification and reporting of security?
This is a legitimate concern. The last thing ACC wants is to create a roadmap to sites that pose risks to the public. Prioritization results and vulnerability assessments must be kept confidential, and will not be reported to ACC. Third party verification would only encompass verification that appropriate security measures to which a site commits are in place.
- Do third parties need to document their verification in writing by providing an official signature?
No. It is advisable that companies document that the third party verification was completed, by whom and when, but the verifier is not required to sign any documentation at the facility.
- Is third party verification required for cyber security or value chain enhancements?
No. The third party verification component of Security Code Management Practice #11 pertains only to physical/facility/site enhancements.
Security Code & Partner Companies
- How can Partner companies implement the Security Code when it is written for chemical manufacturers?
Responsible Care Partner companies should apply the same process to implementing the Responsible Care Security Code as they have with other Codes. The purpose and intent of each practice should be reviewed and then applied to your company and industry.
- Does the verification called for in the Security Code apply to Partner Companies?
The verification requirements of Management Practice #11 of the Responsible Care Security Code are applicable to 'chemical operating facilities', which Partners do not, by definition, have. Partners are, however, held accountable for their implementation of the Responsible Care Security Code through the Security Code Implementation Affirmation Statement that each Partner company Executive Contact must sign, and additionally through ongoing third-party certification audits of the company's Responsible Care management system.
Implementation & Guidance
- When does the Security Code need to be implemented and how will we report our progress?
The Security Code must be implemented by June 30, 2005. Three types of reports to ACC's contractor are required: 1) Reports on completion of SVAs and third party verification (for ACC members), 2) Interim Code implementation progress reports that include a general affirmation of progress in meeting the three-year deadline for Security Code implementation (for ACC members and Responsible Care Partners), and 3) a final affirmation letter of Security Code compliance to be submitted at the end of the implementation process (for members and Responsible Care Partners).
- What tools and resources is ACC providing to help me implement the Security Code?
ACC has developed Security Code implementation guidance that addresses the site, value chain and cyber aspects of the Security Code. As additional pieces of guidance are complete, they will be posted to this website or ACC's Member Exchange. Already existing mutual assistance mechanisms, like Responsible Care Coordinators' meetings, conference calls and workshops, will also provide implementation assistance.
ISAC
- What is the Chemical Sector ISAC?
ACC, in cooperation with the FBI's National Infrastructure Protection Center (NIPC), has established the Chemical Sector Information Sharing and Analysis Center (ISAC) to provide the business of chemistry with timely and critical information concerning potential or actual threats against the chemical industry. ACC's CHEMTREC manages the chemical sector ISAC. A primary goal of the Chemical Sector ISAC is to enable NIPC to disseminate timely and actionable assessments, advisories and alerts to appropriate government and private sector entities when such incidents are deemed to have possible serious national security, economic or social consequences.
The Chemical Sector ISAC is intended for those companies or other organizations involved in the manufacture, storage, transportation, distribution or handling of chemical products.
Value Chain Security
- What additional assistance will be available on the value chain aspects of security?
In addition to the general value chain guidance, there are specific documents available for rail and road activities.
- Is there a special deadline for value chain vulnerability assessments? Are they expected to follow a similar timeline to the other SVAs?
The deadline for Security Code implementation is June 30, 2005; however, all practices should be fully in place as soon as practical. For the value chain, there are no separate timing requirements for conducting vulnerability assessments, implementing security measures, or conducting verification, as there are for facilities. The deadline for activities relating to the value chain is the Code implementation deadline of June 30, 2005.
- Is there a required methodology for conducting value chain vulnerability assessments?
No. Companies can use whatever methodology is appropriate.
- Is third party verification required for value chain enhancements?
No. The third party verification component of the Security Code pertains only to physical/site/facility enhancements.
Cyber Security
- When will the cyber security guidance be available?
The guidance for implementing the Security Code to cyber security activities is posted on this website. This guidance was prepared jointly by ACC and the Chemical Industry Data Exchange (CIDX) and describes how to apply the Responsible Care Security Code to your company cyber systems, including information technology and process control systems. Additionally, more recent cyber security guidance relevant to the chemical sector as a whole is available through the Chemical Sector Cyber Security Program.
- Where can I find additional information on strategies for addressing cyber security issues?
ACC leverages the work of the Chemical Sector Cyber Security Program in the area of cyber security. The Chemical Sector Cyber Security Program has developed additional tools and practices for addressing cyber security issues, and ACC encourages Responsible Care companies to become involved with the Program. See response to question 1 above, as well.
- Is there a special deadline for cyber security vulnerability assessments? Are they expected to follow a similar timeline to the other SVAs?
The deadline for Security Code implementation is June 30, 2005; however, all practices should be in place as soon as practical. For cyber security, there are no separate timing requirements for conducting vulnerability assessments and implementing security measures as there are for facilities. The deadline for activities relating to cybersecurity is the Code implementation deadline of June 30, 2005.
- Is there a required methodology for conducting cyber security vulnerability assessments?
No. Companies can use whatever methodology is appropriate for a given site or circumstance. For more information, see Security Guidance: Cyber Security.
- Is third party verification required for cyber security enhancements?
No. The third party verification component of the Security Code pertains only to physical/site/facility enhancements. However, under the Responsible Care Management System®, third-party auditors will be covering security aspects, including facility, value chain, and cyber security. A calendar of RCMS deadlines is available on http://www.americanchemistry.com/s_rctoolkit/sec.asp?CID=1780&DID=6608.
- Can RCMS/RC14001 audits be conducted outside the United States?
Only ACC members and Partner companies may conduct RCMS audits. These audits may be conducted at their facilities outside the United States. RC14001 audits may be conducted at any organization regardless of its location or business operations. RCMS and RC14001 audits must be conducted in accordance with ACC’s certification procedures.
- Is there any difference between the requirements in RCMS and RC14001?
Because it includes the entire text of ISO 14001, there are some differences in the environmental areas of the two technical specifications. In the areas of health, safety, security and other Responsible Care activities, ACC believes the two documents are consistent and essentially cover the same requirements.
- Since RC14001 includes all of ISO 14001, are there additional obligations for companies electing this option?
Yes. Companies electing the RC14001 audit must ensure that they meet all the requirements of the ISO 14001 standard which is included in its entirety within the RC14001 technical specification. Additionally, the RC14001 audits must be conducted in accordance with existing requirements for ISO audits including mandatory surveillance in order to maintain certification.
- What are ACC’s expectations for HQ audits?
ACC purposely included HQ audits as part of the certification process due to the important role senior management plays in the effective implementation of Responsible Care. HQ audits are intended to review the overall management processes governing Responsible Care/EHSS within the organization especially in those areas such as product stewardship and supply chain EHSS management that reach beyond the traditional company fence line. HQ audits should also look at general EHSS issues related to the location, but not to the same degree as these issues would be covered at a manufacturing (or equivalent location for Partners) site.
- How are sites selected for a company’s facility sample group?
During the first audit cycle (2004-07), ACC members and Partners have the ability to choose which sites the auditors certify for their sample group. Beginning in January 2008, auditors will have the opportunity to select sites that will be audited during the second audit cycle (2008-10).
- Does guidance exist on the duration of audits?
Yes. Audit duration guidance can be found in RC201.03.
- What are the possible outcomes of a RCMS/RC14001 audit?
At the conclusion of an audit (RCMS/RC14001), a company can either be certified or have non-conformances identified. Non-conformances will be categorized as “minor” or “major.” The company will be required to provide the auditor with evidence that the non-conformances have been addressed.
- If an organization disagrees with an auditor’s findings, what is the organization’s recourse?
If a company disagrees with an auditing firm on its findings, it should use the following process:
a) Discuss the finding with the auditor and attempt to ascertain more information on the non-conformance. The auditor cannot give specific implementation advice, but may be able to clarify the reasons for the finding.
b) Review your internal processes and determine whether evidence exists that can be provided to the auditor to meet the requirement in the technical specification.
c) If the ACC company does not agree with the auditor’s findings, it can request the auditing firm open a formal appeals process. All auditing firms are required to have an appeals process.
d) If the ACC company does not agree with the outcome of the auditing firm’s appeals process, it may request that the appropriate accrediting body, BEAC or ANAB, open an appeals process on the audit finding.
e) If the ACC company does not agree with the accrediting body’s appeals process findings, it may petition the ACC’s Technical Oversight Board (TOB) to initiate an appeals hearing on the issue. The TOB’s decision on the dispute shall be final.
The overwhelming majority of disputes between companies and auditors are usually resolved on a one-on-one basis. It should be noted that appeals processes at the auditing company level are rare and those at the accrediting body level even rarer still.
- Can external stakeholders participate in the audit process?
Yes. ACC encourages external stakeholder participation on audits and a number of member companies have included them on their audits. If a company seeks to include an external party on the audit, it should consult with its auditing firm to determine how the process will work.
- What is the role of ANAB, BEAC and RABQSA International in the Responsible Care certification process?
All three of these organizations serve as “gatekeepers” to the Responsible Care certification process on behalf of ACC. RABQSA and BEAC can both certify/approve individual auditors who meet ACC requirements (RC205.03) and auditor training courses (RC206.03) that meet ACC requirements.
BEAC and ANAB approve/accredit auditing firms that want to participate in the Responsible Care certification process. These firms must meet the requirements established by ACC (RC201.03, 204.03).
- Is it possible to consolidate other audits (e.g., ISO 9001/2) with RCMS/RC14001?
Yes. A number of ACC members have completed or are planning to conduct audits that integrate RCMS/RC14001 with ISO 9001. ACC’s Super Matrix document provides information on the links between multiple management systems.
- Is an auditor certified by BEAC qualified to perform both RCMS and RC14001 audits?
Individuals certified by BEAC are eligible to perform both RCMS and RC14001 audits. Individuals conducting RC14001 audits may need to meet additional ISO qualifications as required under existing ISO procedures.
Security Code
- What input did you receive from smaller companies and Partners in the development of the Security Code, and how did you factor in the reality that most of us have severe resource constraints?
A core group of executives representing a cross section of members - including smaller member companies and the Partner Company Steering Group - provided comments which were integrated in both the code and implementation guidelines. In all cases, the concern for effective and efficient use of existing resources to achieve desired end points was a crucial focal point.
- How can Partner companies implement the Security Code when it is written for chemical manufacturers?
Partner companies can apply the same process to implementing the Security Code as they would have with other Codes. New partners should review the code elements and determine how they apply to your company and sector. Going forward, since the Security Code has been integrated into the management system technical specification, it is expected that most, if not all, of the code elements will apply to Partner companies.
- Does the verification called for in the Security Code apply to Partner Companies?
Verification of the Security Code for Partners will be addressed through the Responsible Care certification process. The verification requirements of Management Practice #11 of the Responsible Care Security Code are applicable to "chemical operating facilities", which Partners do not, by definition, have. Partners are, however, held accountable for their implementation of the Responsible Care Security Code through the Security Code Implementation Affirmation Statement that each Partner company Executive Contact must sign, and additionally through ongoing third-party certification audits of the company's Responsible Care management system.
- What are Partner company deadlines for the Security Code?
For Partner companies who were a part of the program prior to January 1, 2004, their commitment is to implement the entire Security Code by June 30, 2005. At that time, a final affirmation letter of Code compliance must be submitted at the end of the implementation process (June 30, 2005). All partners joining the program following January 1, 2004 must complete implementation of the code by the end of their second year of partner program membership.
Responsible Care Management System
- Do Partner companies need to implement the Responsible Care Management System? How will the Responsible Care Management System address Partner company industries?
Partner companies need to implement the Responsible Care Management System (RCMS®). The RCMS includes a general approach to EHS and security management systems, and is therefore compatible with Partner company operations. To help Partner companies implement the RCMS, sector-specific guidance relative to the management system has been developed along with sector-specific technical questions which can be used by partners to supplement their certification process. These items are available on this website.

