PT Notes

EPA RMP Rule 2024 Amendments - Third-Party Compliance Audits

PT Notes is a series of topical technical notes on process safety provided periodically by Primatech for your benefit. Please feel free to provide feedback.

EPA has defined third-party audit as:

A compliance audit conducted pursuant to the requirements of the RMP rule performed or led by an entity (individual or firm) meeting the competency and independence requirements described in the amended RMP rule.

The third-party requirements in the amended RMP rule apply to Program 2 and Program 3 processes. Here are the requirements:

Compliance Audits

The owner or operator shall certify that they have evaluated compliance with the audit provisions of the rule at least every three years to verify that the procedures and practices developed under the rule are adequate and are being followed. When required as set forth in the amended rule, the compliance audit shall be a third-party audit.

EPA notes that under the existing RMP rule, sources with any Program 2 and/or Program 3 processes are already required to conduct compliance audits every three years. The amended rule does not change the requirement that RMP facilities regularly conduct RMP compliance audits, but rather adds that, in specific situations, those audits must be performed by a third party or a team led by a third party, pursuant to the requirements specified in the amended rule.

EPA also notes that having a third party conduct a compliance audit does not preclude the facility from conducting an in-house compliance audit in tandem. If the goal is to ensure that preventative measures are in place to prevent future accidents, EPA hopes that a facility would want to implement all such measures to ensure it is compliant.

The third-party audit provision in the amended rule is intended to reduce the risk of future accidental releases by requiring an objective auditing process to assist owners and operators in determining whether facility procedures and practices comply with the prevention program requirements, are adequate, and are being followed.

The next required compliance audit shall be a third-party audit when one or more of the following conditions applies:

(1) An accidental release from a covered process at a stationary source has occurred that meets the criteria for the five-year accident history, or

(2) An implementing agency requires a third-party audit due to conditions at the stationary source that could lead to an accidental release of a regulated substance, or when a previous third-party audit failed to meet the competency or independence criteria of the amended RMP rule.

If an implementing agency makes a preliminary determination that a third-party audit is necessary, the implementing agency will provide written notice to the owner or operator that describes the basis for this determination.

Within 30 days of receipt of such written notice, the owner or operator may provide information and data to, and may consult with, the implementing agency on the determination. Thereafter, the implementing agency will provide a final determination to the owner or operator.

If the final determination requires a third-party audit, the owner or operator shall comply with the requirements for third-party audits pursuant to the required schedule.

The owner or operator may appeal a final determination made by an implementing agency within 30 days of receipt of the final determination. The appeal shall be made to the EPA Regional Administrator or, for determinations made by other implementing agencies, the administrator or director of such implementing agency. The appeal shall contain a clear and concise statement of the issues, facts in the case, and any relevant additional information. In reviewing the appeal, the implementing agency may request additional information from the owner or operator. The implementing agency will provide a written, final decision on the appeal to the owner or operator.

EPA clarifies that, whichever criterion triggers the requirement for a third-party audit, a third party need only be engaged for the next required compliance audit(s), which is no later than 3 years from the previous compliance audit. For example, if a facility conducted an internal compliance audit in August 2024 and had an RMP-reportable accident in October 2024, the next compliance audit, required by August 2027, would be a third-party audit. EPA believes this approach is appropriate because it will allow the source to remain within its already required scheduled timing for audits. Furthermore, when an accident occurs, the source will be required to conduct a root cause analysis within 12 months, and the 3-year timeframe for the audit will give the source flexibility to accomplish both within their compliance due dates.

If the third-party audit is completed after the root cause analysis, it will give the source an additional opportunity to uncover deficiencies that led to the accident. In other words, the third-party audit will be a follow-up to review the root cause analysis and ensure all practices to prevent an accident have been resolved.

The audit and audit report shall be completed as specified in the RMP rule, unless a different timeframe is specified by the implementing agency.

Third-Party Audits - Applicability

The owner or operator shall engage a third party to conduct an audit that evaluates compliance with the provisions of the RMP rule in accordance with its third-party audit requirements when any criterion for a third-party audit is met.

Third-Party Auditors and Auditing Teams

The owner or operator shall either

(1) Engage a third-party auditor meeting all of the competency and independence criteria of the amended RMP rule, or

(2) Assemble an auditing team, led by a third-party auditor meeting all of the competency and independence criteria of the amended RMP rule.

The team may include:

(i) Other employees of the third-party auditor firm meeting the independence criteria of the amended RMP rule; and

(ii) Other personnel not employed by the third-party auditor firm, including facility personnel.

Third-Party Audits - Auditor Qualifications

The owner or operator shall determine and document that the third-party auditor(s) meet the following competency and independence requirements:

(1) The third-party auditor(s) shall be:

(i) Knowledgeable with the auditing requirements of the RMP rule,

(ii) Experienced with the stationary source type and processes being audited and applicable recognized and generally accepted good engineering practices, and

(iii) Trained and/or certified in proper auditing techniques.

(2) The third-party auditor(s) shall:

(i) Act impartially when performing all auditing activities,

(ii) Receive no financial benefit from the outcome of the audit, apart from payment for auditing services,

Retired employees who otherwise satisfy the third-party auditor independence criteria may qualify as independent if their sole continuing financial attachments to the owner or operator are employer-financed or managed retirement and/or health plans.

(iii) Ensure that all third-party personnel involved in the audit sign and date a conflict-of-interest statement documenting that they meet the independence criteria of the amended RMP rule, and

(iv) Ensure that all third-party personnel involved in the audit do not accept future employment with the owner or operator of the stationary source for a period of at least two years following submission of the final audit report.

Employment does not include performing or participating in third-party audits pursuant to the RMP rule.

(3) The auditor shall have written policies and procedures to ensure that all personnel comply with the competency and independence requirements of the amended RMP rule.

Third-Party Audits - Auditor Responsibilities

The owner or operator shall ensure that the third-party auditor

(1) Manages the audit and participates in audit initiation, design, implementation, and reporting,

(2) Determines appropriate roles and responsibilities for the audit team members based on the qualifications of each team member,

(3) Prepares the audit report and, where there is a team, documents the full audit team’s views in the final audit report,

(4) Certifies the final audit report and its contents as meeting the auditing requirements of the RMP rule, and

(5) Provides a copy of the audit report to the owner or operator.

Third-Party Audits - Audit Report

The audit report shall:

(1) Identify all persons participating on the audit team, including names, titles, employers and/or affiliations, and summaries of qualifications. For third-party auditors, include information demonstrating that the competency requirements in the amended RMP rule are met,

(2) Describe or incorporate by reference the policies and procedures required for third-party auditors,

(3) Document the auditor’s evaluation of the owner’s or operator’s compliance with the audit provisions of the RMP rule to determine whether the procedures and practices developed by the owner or operator are adequate and being followed,

(4) Document the findings of the audit, including any identified compliance or performance deficiencies,

(5) Summarize any significant revisions between draft and final versions of the report, and

(6) Include the following certification, signed and dated by the third-party auditor or third-party audit team member leading the audit:

I certify that this RMP compliance audit report was prepared under my direction or supervision in accordance with a system designed to assure that qualified personnel properly gather and evaluate the information upon which the audit is based. I further certify that the audit was conducted and this report was prepared pursuant to the requirements of subpart C (or D, as applicable) of 40 CFR part 68 and all other applicable auditing, competency, independence, impartiality, and conflict of interest standards and protocols. Based on my personal knowledge and experience, and inquiry of personnel involved in the audit, the information submitted herein is true, accurate, and complete.

Third-Party Audits - Findings

The owner or operator, as soon as possible, but no later than 90 days after receiving the final audit report, shall determine an appropriate response to each of the findings in the audit report, and develop a findings response report that includes:

(i) A copy of the final audit report,

(ii) An appropriate response to each of the audit report findings,

(iii) A schedule for promptly addressing deficiencies, and

(iv) A certification, signed and dated by a senior corporate officer, or an official in an equivalent position, of the owner or operator of the stationary source, stating:

I certify under penalty of law that I have engaged a third party to perform or lead an audit team to conduct a third-party audit in accordance with the requirements of 40 CFR 68.59 (or 68.80, as applicable) and that the attached RMP compliance audit report was received, reviewed, and responded to under my direction or supervision by qualified personnel. I further certify that appropriate responses to the findings have been identified and deficiencies were corrected, or are being corrected, consistent with the requirements of subpart C (or D, as applicable) of 40 CFR part 68, as documented herein. Based on my personal knowledge and experience, or inquiry of personnel involved in evaluating the report findings and determining appropriate responses to the findings, the information submitted herein is true, accurate, and complete. I am aware that there are significant penalties for making false material statements, representations, or certifications, including the possibility of fines and imprisonment for knowing violations.

Third-Party Audits - Schedule Implementation

The owner or operator shall implement the schedule to address deficiencies identified in the audit findings response report and document the action taken to address each deficiency, along with the date completed.

Third-Party Audits - Submission to the Board of Directors

The owner or operator shall immediately provide a copy of each document required under the Findings Response Report and Schedule Implementation, when completed, to the owner’s or operator’s audit committee of the Board of Directors, or other comparable committee or individual, if applicable.

Third-Party Audits - Recordkeeping

The owner or operator shall retain at the stationary source the two most recent final third-party audit reports, related findings response reports, documentation of actions taken to address deficiencies, and related records. This requirement does not apply to any document that is more than five years old.

Disclaimer: This PT Note provides Primatech’s interpretation of regulatory requirements. The actual regulatory requirements can be found at: https://www.epa.gov/rmp