To those from a more traditional ‘hard hat’ safety background, process safety management can seem like an élitist and fairly woolly concept. While most will know that it’s something to do with stopping ‘dangerous installations’ from going spectacularly wrong, there is still the feeling that you have to be a member of the Freemasons for the full revelation. Fret not, say David Towlson and Hasan Alardi, who provide the ‘skinny’ rather than the ‘full fat’ on PSM.
Process safety is the application of safety to the large process industries (offshore, utilities, chemicals manufacturing, etc). It is less to do with the industries themselves than the types and amounts of substances they deal with. Such industries carry large inventories of dangerous substances (and sometimes smaller inventories of highly dangerous substances), so there is an attendant potential for large release within the site and into the surrounding community and wider environment (wind dispersion, ground percolation, escape into rivers, etc).
This can lead to mass poisonings (as happened at Bhopal and Seveso), or the more traditional spectacular explosions and fireballs (the Piper Alpha oil/gas platform, Buncefield oil depot, Texas City refinery, Feyzin refinery, Flixborough chemical plant).
Such installations are often highly complex in terms of hardware, software and human-resource requirements. They may involve carefully controlled and monitored chemical and/or physical processes (reactions, distillations, bulk transfers, etc); they may be intolerant of significant excursions beyond their normal operating envelope; and may require highly-skilled operatives.
Safety relies on multiple layers of preventive and mitigatory measures, all of which need to work together (because none of them is 100-per-cent reliable all of the time). Inattention to details (like lack of maintenance) can ultimately lead to rare, but serious events, which may not be entirely appreciated, or to which people can become habituated or apathetic, beforehand. PSM is about stopping such releases and thus the ensuing catastrophes. Such industries are highly regulated in most countries, for good reason, i.e. they’ve had their explosions and releases and would rather not go there again!
It’s elemental
PSM is particularly associated with a US federal regulation (29 CFR 1910.119) and related OSHA guidance 3132 and 3133.[1] The American Petroleum Institute also has guidance on this (API RP 750).[2] (Note that this code doesn’t directly apply to oil and gas well drilling/servicing operations.) However, PSM concepts and terminology are now widespread; even though it may not always be called PSM, you can feel its presence in initiatives such as the chemicals industry’s Responsible Care,[3] and regulatory approaches such as safety cases in the offshore sector, and the safety reports used by onshore installations.
The US 29 CFR 1910.119 famously mandates the following elements associated with PSM:
Process safety information – good information is clearly a prerequisite for hazard analysis. Typically required would be information on process chemicals (toxicity, flammability, etc), technologies (inventory, operating parameters, process chemistry, etc), equipment (materials of construction, design standards, etc). Some of this is typically shown on P&I and flow diagrams.
Process hazard analysis (PHA) – this is a core activity and involves identification of hazards and assessment of the likelihood of specific consequences, i.e. looking at ‘what if’ and identifying safety-critical elements. Typically, this would involve team-based approaches using HAZOP, FMEA, and FTA, looking at previous incidents, controls already in place, etc. This should also identify major residual risks and what more needs to be done to control them. Obviously, sensible recommendations need to be implemented, too.
Operating procedures – these include development of safe systems of work, operating procedures, safe working practices (including permit systems, where necessary) that cover things such as normal start-up/shutdown, as well as infrequent/special operations, such as maintenance/cleaning/repair, and emergency situations. Pre-startup checks of new/modified plant also fit here.
Employee participation – what is more commonly recognised as consultation (meaningful dialogue) and cooperation. It also means making information accessible. It has long been recognised that process operators know what really goes on, rather than what managers think happens. Participation is a key ingredient in developing a more positive safety culture.
Training – competence is seen as central, for obvious reasons. This will involve training/information (initial, periodic, and when there are significant changes) in understanding the overall process itself, as well as in the relevant operating procedures.
Contractors (control of) – there is specific emphasis on this because of the widespread and routine use of contractors in the process industries. It means proper selection, induction (site hazards, emergency arrangements, etc) and performance monitoring of contractors.
Pre-startup safety review – this overlaps with PHA and also management of change (see below) and is applicable to new and modified processes. It is considered important enough to have a separate element. At its simplest, it is a formal checkpoint to confirm that everything is in place (design, PHA, operating procedures, training, etc) before hazardous chemicals are introduced into the process.
Mechanical integrity of equipment – also called asset integrity, this means making sure all your critical equipment is fit for purpose (specification, quality), installed correctly and, especially, maintained properly – both through scheduled maintenance and condition/fault monitoring and testing. Critical equipment (and the level of criticality) needs defining by the organisation but is typically things such as pressure-relief and emergency shutdown devices, alarms and sensors, as well as certain process vessels.
Non-routine work authorisation – control of non-routine, high-risk work – e.g. hot work, confined-space entry, cutting into process lines – typically by using Permit-to-Work systems.
Management of change (MOC) – a formal system for looking at potential consequences of change (process, equipment, personnel, etc). Many disasters have occurred through a failure to appreciate the consequences of changes that did not seem important at the time. This clearly overlaps with the point about pre-startup review/checks required after plant/process modifications (see above).
Incident investigation – a ‘learning from incidents’ (continuous improvement) mindset is expected, so this feeds into both PHA and MOC. It is also essential that people understand the process to identify both the root causes and what might have happened (hence, the critical need for competence). For example, a faulty level-sensor or alarm, abnormal pressure/temperature excursions, if ignored or undiscovered, could so easily lead to a release.
Emergency planning and response – the realisation that preventive measures are never 100-per-cent effective may come as a shock but it needs to be faced and plans to mitigate consequences formulated. This will involve procedures/plans, personnel and facilities to cope with foreseeable major emergencies (both on and off site).
Audit – the intention here is (internal) compliance auditing to check performance of all elements of the PSM system, so its use as an element of PSM is somewhat recursive. Audit data (along with other relevant performance data, including incidents) would ordinarily feed into management reviews for improvement.
At first glance, these elements may look like a fairly random, albeit important, selection of topics. They appear more like a list of recommendations arising from a major accident investigation report, which isn’t all that surprising. Examined more closely, you can detect conventional safety management, but with an emphasis on topical issues in the industry.
The ‘safety report’ and ‘safety case’ regimes (as required by the Control of Major Accident Hazards Regulations and Offshore Installations (Safety Case) Regulations) are perhaps less prescriptive than 29 CFR 1910.119, but no less onerous or rigorous. They require an evidence-based (i.e. justified) written demonstration of safety for the installation, and amount to having all those PSM elements, and more, in place.
Leadership
One thing that is seen as core to PSM (missing from the list of PSM elements, but clearly implied) is leadership. This is something that is more prominently referenced in ‘safety case’ regimes (fitting into the ‘Policy’ element of OHSAS 18001), where strong leadership to manage process safety is seen as a priority. Allied to this is the careful formulation of PSM-specific KPIs (known as PSIs) used to drive improvements (see, for example, the UK’s HSG254 document on this subject[4]).
Examples of PSIs include: number of overdue scheduled maintenance tasks (or the time for which they have been overdue); number of unintended releases (spillages, etc). In low-risk environments, such indicators might be of relatively little use but in process safety, they can indicate, for example, that critical maintenance is being neglected.
Management of change
PSM covers a wide range of issues but one of the most critical is management of change. It is possibly one of the most difficult elements of the PSM programme, as, in common with most businesses, change takes place at all times. The fear is that changes could impact negatively on the safety of the process. It is natural to be enthused by new ideas that could improve the way we do business, but we could overlook (or downplay) any undesirable consequences that may result from the change.
Undesirable consequences may not be immediate, appearing to confirm continued safety in the short-term. However, months or years later the carnage of unappreciated consequences ensues (e.g. release of hydrocarbons, equipment failure, explosions).
In 1974, a vapour-cloud explosion at a chemical plant in Flixborough killed 29 people, seriously injuring many others and destroying the site. Flammable vapour had escaped from a modified section of the plant. In order to continue production, a reactor, which had previously leaked, had been bypassed using a section of pipework. The pipe appeared to operate successfully at first but failed after two months, releasing large amounts of flammable vapour, which subsequently ignited.
With the benefit of hindsight, the need to manage such changes is obvious. But not all changes should be treated equally – some are trivial and inconsequential, and a complicated procedure in such cases would undermine credibility. In any MOC procedure you need to first agree on what constitutes a significant change, requiring a review, before implementation is authorised. This may be illustrated by example rather than a definitive list, depending on the context.
In general, any change to process parameters (operating envelope), pressure, temperature, flow, etc. or any changes to process chemicals, technology, equipment, procedures and facilities, must be reviewed and authorised by the relevant parties of the process management team. Changes in personnel (numbers, experience level) may also constitute a significant change.
The panel on the previous page outlines the typical steps in an MOC procedure. The change process starts when someone (the ‘change initiator’) identifies a need for a change. This could be triggered by many things, such as a problem that needs to be fixed, legislative changes (e.g. tighter emission controls), or simply an identified opportunity. Usually, the initiator will be an engineer or a supervisor. However, the management of change system should be open to all; anyone should feel free to propose changes that they believe will make the facility safer, cleaner and more profitable.
The ultimate success of the management of change system depends on people being willing to flag changes before they happen. There is little value in having a high-quality change review process if it is never used, or is routinely bypassed.
The heart of the MOC procedure is the review process, which should be conducted by a multidisciplinary team, normally nominated by a senior management-team member from the owner department where the change is proposed.
In some organisations, there are three levels of review: the first is informal and is conducted to evaluate the need for the change and gather sufficient information for the detailed review to be conducted in the second review level. The second review team may then see the need for a full PHA study, such as a HAZOP study. HAZOPs are methodical and thorough but, if done over extended periods, can wear down the contributors and devalue the process.
(We recall from our own experience some implementations of this as being like a modern form of torture – a team of specialists being locked up in a room for two weeks to study the impact of the change; after two days, even the most determined member might be tempted to say anything just to get the study completed!)
Temporary changes have to be dealt with in exactly the same way as permanent ones, apart from the fact that a record is kept of when they should be reversed (that is why they are called temporary). A reminder is sent to the relevant department/person to take action to bring the process conditions back to what they were before the change (i.e. change reversal). In fact, on many occasions the temporary change may end up being a permanent one. In such cases, a new MOC request should be raised to approve changing it from temporary to permanent.
Emergency changes may be necessary to avert an undesirable event, for example, increasing the flow or temperature, or sometimes diverting a product to a vessel that is not normally used for that purpose. In such cases, a team comprising at least three members from different disciplines would attend the site to informally discuss and agree the changes needed. At a later stage (it could be within 24 hours) all the formal paperwork is completed and records made of the implemented change.
This adapted procedure may seem less formal but recognises the compressed timescales and maintains at its heart the review process, which is what really matters.
(If you would like to experience what a change could do to your own performance, try to wear a gas-tight suit and walk a few metres. You will feel that even walking, which we normally do without thinking, is much more difficult. You could run into walls or structures as your vision is limited. But to take the experience further, any potentially Fatal Release of Toxic – FaRT – gas inside the suit will have further drastic effects. . .)
Summary
Process safety management is essentially safety management applied to sites that have the potential for catastrophes. A collection of seemingly insignificant incidents can add up to something with high consequence. History has shown that poor control of process change authorisation is often a contributing factor to incidents. At the heart of the change management process is a rigorous review of the potential impact of such changes.
References
[1] http://1.usa.gov/WSJqhB
[2] http://bit.ly/YcmGca
[3] www.chemical.org.uk/responsiblecare.aspx
[4] HSE (2006): Developing process safety indicators: A step-by-step guide for chemical and major hazard industries (HSG254), ISBN 9780717661800 – www.hse.gov.uk/pubns/books/hsg254.htm
David Towlson is director of training and quality for RRC Training, and Hasan Alardi is director of RRC Middle East.