Cyber Security / Risk assessment

Make Wider Use of Process Hazard Analysis

The technique can provide important insights for strategic decisions

By GC Shah, Wood Group Mustang

Many companies miss significant opportunities to take advantage of process hazard analysis (PHA) beyond the narrow confines in which they currently use the technique. In particular, a PHA can provide crucial inputs for a number of strategic considerations. Here, we’ll look at its potential value for:

• Divestitures and acquisitions;
• Multiplant sites;
• Joint venture projects;
• New technologies;
• Differing risk perceptions;
• Information management;
• Cyber-security concerns; and
• Aging plants and legacy controls.

Six Steps To Safer Processing

Divestitures And Acquisitions

Divestitures and acquisitions (D&As) probably have occurred for as long as chemicals have been made. D&As should consider not only business-specific issues but also safety and environmental ones. This involves thorough and thoughtful due diligence. Unfortunately, some companies still make high-level decisions without properly assessing the safety and environmental implications of D&As. Some executives, although financially astute, may lack familiarity or appreciation of potential safety liabilities. Safety professionals can make valuable contributions in such cases. Here are some pointers:

• Corporate executives tend to focus on business risk — e.g., market volatility, industry-specific concerns and legal issues. So, how can safety professionals persuade the executives to appreciate safety risk? They certainly should stress that ensuring the safety of workers and neighbors is both a statutory and moral obligation of an organization. Safety professionals must convince the executives that safety makes business sense before, during and after a divestiture or acquisition. To do this effectively, they should make themselves familiar with “business terminology.”

• Perform a PHA prior to the start of “serious talks” about D&As.

• Soon after completion of an acquisition, harmonize the best safety practices of both organizations.

Multiplant Sites

Such locations present unique risks stemming from the interfaces among the plants. Typically, various operations at the site share or exchange utilities and waste management systems such as flares or incinerators. It is important to carefully consider the safety implications. Common problems are:

• Inadequate protocols to deal with management of change at one or more operations on the site;
• Poorly defined criteria to ensure compliance of environmental systems such as flares or incinerators, particularly that they have adequate capacity to deal with “worst-case scenarios” on a site-wide scale;
• Difficulties in adequately protecting workers from exposure to hazardous materials and safeguarding equipment during “loss of containment” events because of tight spacing between the units; and
• Uncoordinated emergency response systems.

Joint Venture Projects

Typically, joint ventures (JVs) involve large projects; so, the importance of clear communications can’t be overstated. Today’s project management tools are well equipped to deal with massive flows of information and interaction in an efficient manner. However, large projects also present issues that could scuttle a PHA. Project sponsors may have widely divergent perceptions of hazards and risk. They also may use different risk assessment systems. Therefore, prior to the start of the PHA, the PHA facilitator should ensure all sponsors agree on risk assessment, documentation and risk management methodologies.

New Technologies

Companies continually adopt new technology — ranging from entire processes to individual elements such as particular instruments. Introducing a new technology creates risks as well as benefits. Doing so on an ad-hoc basis is a risky move. Use a PHA to delve into a number of critical issues:

• Is there safety infrastructure (e.g., trained staff, tools to maintain technology, waste disposal, permitting and vendor support) to manage the new technology?
• What’s the fallback if the technology doesn’t function as expected? For instance, in the event of a major failure, is it possible to revert to the existing technology or systems without incurring unacceptable level of risk?
• Does the technology pose any new potential hazards? The PHA facilitator should inquire about the number of sites where the technology already is used and problems, if any, encountered. Obviously, a brand new technology requires thorough risk-based scrutiny. Several organizations use standard procedures that address the issue of new technology adoption.

Differing Risk Perceptions

Unfortunately, despite the maturing of the PHA process, widely differing risk perceptions still exist, often even within the same assessment team. This may reflect generational differences. Veteran professionals with operations experience, who have had some accidents at their plants, are much more risk-averse than others. Moreover, it’s not that uncommon even today for some members of the PHA group to regard the PHA as an unnecessary step. In addition, tight schedules and work demands may foster pressures to speed through the PHA. The facilitator must appreciate these issues and take steps to address them.

First, the person must understand the culture of the organization. Most companies regard safety as an integral and crucial part of productivity. However, a few firms have impressive safety slogans but little in terms of safety practice at the project or plant level. Project managers or plant managers at these organizations are under tacit pressure to “get things done.” In contrast, other firms go overboard, creating a safety bureaucracy that makes resolving even relatively simple issues a long, drawn-out process.

A week or so prior to the start of the PHA, consider sending team members some case histories of relevant accidents that have occurred elsewhere in the same industry. Also, if possible, try to gain an understanding of the PHA team members’ backgrounds. At the start of the PHA assessment, give examples of accidents, near-misses, or mishaps in situations germane to the PHA at hand.

Ask veteran staff to share their experiences with the other team members prior to the start of the PHA process. This is an example of where you can harness diversity to enhance safety.

Information Management

Today, leading organizations recognize that the information gleaned from collected data can serve as a powerful tool to enhance safety in the long run. However, this demands effective information management, which is a formidable task, especially for large, multinational organizations. For some multinationals with mammoth databases, it’s not uncommon to run into situations where staff avoids accessing the databases because the steps needed are so complex and tedious.

Success requires taking some strategic steps:
• Developing safety portals that house databases on plant safety (unsafe occurrences or near-misses), accident investigations, PHA assessments and follow-up actions on recommendations, and equipment failure rates.
• Employing statistical techniques to extract information and knowledge from these data.
• Providing easy-to-understand and streamlined methods to access these important safety data. A person should not have to contact information technology (IT) professionals for help accessing these data.
• Establishing processes to modify plant or processes based on findings from accident investigations and PHA assessments.
• Minimizing the frequency of modifications to IT and information-management systems.
• Performing periodic training on the use of safety systems and safety databases.

Cyber-Security Concerns

Preventing attacks on control and safety systems is rapidly becoming a crucial issue for the process industry. A PHA should look at cyber security concerns as a part of the overall risk assessment. However, given the size and complexity of large process control and safety instrumented systems, it may be appropriate to conduct a separate risk assessment just for them. Keep the following in mind:
• The priorities for IT systems differ from those for control/safety systems. So, in conducting risk assessment of the control/safety networks, IT and control/safety engineers should collaborate.
• Use a systems approach to minimize cyber risk. Employ best practices — e.g., for worker training and awareness, system monitoring, access control (physical as well as logical), patch management and defense-in-depth. Specify cyber-security-certified components and install recovery programs to ensure quick rebound from cyber mishaps. Conduct periodic risk assessments.

Aging Plants And Legacy Controls

Old plants and infrastructures pose special hazards such as corrosion, outdated design standards (under which the systems were designed and built) and frequent breakdowns, among others. In legacy control systems, the flow of information could be so slow that it could cause safety mishaps. Long-term risk considerations may dictate replacement with robust modern systems. In the meantime, you must manage risk by administrative controls (e.g., corrosion monitoring programs and plant inspections) that check system integrity on a periodic basis, and provide adequate resources for safe and efficient repairs of these systems.

An Ongoing Effort

PHA isn’t a one-time activity but a continuing process. It should account for all factors that could impact safety and security; these factors change in their form and intensity. Strategically designed PHAs should consider these dynamic changes.

GC SHAH is a senior consultant at Wood Group Mustang, Houston. E-mail him at