Security has always been a top priority for the U.S. chemical industry, and soon after the terrorist attacks of September 11, 2001, ACC member companies took the lead in securing their facilities, a critical part of our nation's infrastructure. Without waiting for government direction, ACC members adopted the Responsible Care® Security Code, an aggressive plan to further enhance security of our facilities, our communities and our products.
The Security Code - which addresses facility, cyber and transportation security - requires companies to conduct comprehensive security vulnerability assessments (SVAs) of their facilities, implement security enhancements, and obtain independent verification that those enhancements have been made. The Security Code also requires companies to create security management systems, which are documented to provide quality control and assurances.
Implementing the Security Code under a strict timeline is mandatory for ACC members and Responsible Care Partner companies. The Responsible Care Security Code has been widely recognized by local, state and federal governments as a model for other U.S. industries.
Download the Responsible Care Security Code (pdf)
Download Security Code Implementation Affirmation Statement (doc)
Security Code Summary
Purpose and Scope: The Security Code is designed to enhance security, including security against terrorist attack, throughout the chemical industry value chain. The Code emphasizes that security is a shared responsibility requiring actions by others, such as customers, suppliers, service providers and government officials and agencies.
Prioritization and Assessment: The Security Code requires that companies prioritize their sites according to a four-tier system and then conduct security vulnerability assessments (SVAs). Sites in Tiers 1-3 are assessed using methods from Sandia National Laboratories, CCPS or their equivalent. Sites in Tier 4 are assessed using a modified method provided by ACC. Companies also conduct assessments of their value-chain and cyber networks. Tools to assist companies in conducting these assessments are available in the Security Guidance Documents section of this website.
Security Measures: Companies must implement security measures commensurate with the risks identified in the SVAs. In developing these measures, companies must take into account inherently safer approaches to process design, such as modified production processes. The consideration of inherently safer approaches reflects past industry practices and consistent feedback from stakeholders. Final decisions on whether to implement such approaches are left to each company.
Additional Elements: Under the Security Code, a company's security management system must include:
- Senior leadership commitment to continuous improvement through published policies, provision of sufficient, qualified resources, and established accountability;
- Training and drills for employees, contractors, value-chain partners, and others;
- Communications, dialogue and information exchange on appropriate security issues with stakeholders balanced with safeguards for sensitive information;
- Evaluation, response and reporting of security threats as appropriate, as well as analysis, response, investigation, reporting and corrective action for security incidents; and
- Internal audit and continuous improvement processes.
Verification: Companies are required to use independent third parties who are credible in the area of security to verify that, at sites with potential off-site consequences, the physical security measures that have been identified through SVAs have been implemented. Companies have the flexibility to select the verifiers they believe will be credible in their communities. Examples of potential verifiers include local first responders (e.g., fire fighters, law enforcement), security consultants, and insurance auditors. The Code strongly encourages (but does not require) companies to "consult" with verifiers as enhanced physical site security measures are being considered and implemented.
Implementation Schedule: ACC members and Responsible Care Partners should implement all Security Code practices as soon as possible, but no later than June 30, 2005 (unless a company has joined ACC or the Responsible Care Partner Program since June 2002, and in this case, they have additional time to comply, but no more than 3.25 years from their join date).
