The Swiss cheese model familiar to many safety professionals clearly illustrates that when weaknesses in barriers align, hazards can manifest [1]. If these barriers are selected via a risk-based methodology, the probability of failure is calculable. Because many companies use some type of semi-quantitative risk matrix and require mitigation of risks to a category level commensurate with a very low probability of failure, multiple barriers rarely should fail at the exact same time.
Yet, our experience in industry is that most large consequence process safety incidents occur due to coincidental failures of multiple layers of protection (LOPs). A likely reason for this is that, while these layers are assumed independent — and, thus, give the illusion of protection — they actually aren’t because they fall under the same management system. A weak management system can be a common cause of the multiple failures.
This article examines the elements of an integrated process safety management system. It describes one system that can be created and used to prevent the illusion of protection.
What Is A Management System?
Since the Center for Chemical Process Safety (CCPS) issued its 20-element risk based process safety element model, a clear distinction has existed between process safety and the process safety management (PSM) regulation of the U.S. Occupational Safety and Health Administration (OSHA). The former term is defined as: “A disciplined framework for managing the integrity of operating systems and processes handling hazardous substances by applying good design principles, engineering, and operating practices” and is in place to prevent incidents [2]. The later term refers to the rule that regulates industry. The two shouldn’t be used interchangeably. Similarly, PSM shouldn’t be confused with a management system. PSM simply consists of the 14 elements that OSHA regulates in covered processes.
Common characteristics used to describe management systems include a combination of people and systems, as illustrated in Figure 1.
Figure 1. People and systems both play key roles in achieving success.
Weak systems executed by weak people lead to chaos. Strong people can provide a strong management system. However, if that system isn’t documented, the organization will lose knowledge when people leave. Similarly, a management system only made up of procedures either leads to people blindly following them without critical thinking, or ignoring the procedures. An effective management system requires knowledgeable people executing the necessary process safety elements with discipline to produce repeatable results. This type of system leads to operational excellence and continuous improvement.
CCPS’s Vision 20/20 describes the characteristics of a vibrant management system as “all employees must clearly understand their role in managing process safety.” Furthermore, the management system: “is documented, accessible, and easily used; defines how operations are conducted at the workplace; promotes safety in design, operations, and maintenance; and is agile and continuously improved” [3].
With these characteristics in mind, a management system is: “a formally established set of activities designed to produce specific results in a consistent manner on a sustainable basis” [4]. Definition of these activities is the next logical step in creating a management system.
The past 20 years has seen the development of several process safety models, including those published by CCPS, the American Chemistry Council, the American Petroleum Institute, OSHA, the U.S. Environmental Protection Agency and the European Union [4]. The comprehensive model developed by CCPS appears in “Guidelines for Risk Based Process Safety” [5]; it’s summarized in Table 1 and used for discussion purposes here.
The CCPS model includes 20 elements categorized into four pillars (Table 1). These pillars — management commitment; understanding hazards and risks; management of risks; and learning from experience — make up the key elements of an effective management system.
Table 1. Its four pillars include a total of 20 essential elements.
Integrating Management System Elements
The illusion of protection arises when the various process safety elements aren’t connected in a management system. The selection and use of safe operating limits (SOLs) illustrates the importance of interconnectivity of process safety elements in a management system [6].
Selecting SOLs requires choosing appropriate process safety information (PSI) to understand the hazards of a process. This enables identifying high risk scenarios as a hazard identification and risk assessment (HIRA) process proceeds. The team might assign SOLs to those scenarios that operator action — taking into account equipment design and the dynamics of the process — could prevent [7]. Once selected, the SOLs become part of the PSI.
The SOLs then must be documented and accessible. In addition, operators must receive initial and then refresher training. One way to integrate these parts of the management system is to transfer the information gained with PSI and HIRA to standard operating procedures (SOPs) and operator certification/recertification materials. Critical alarms often accompany SOLs; therefore, attention to alarm management is crucial to ensure the distributed control system’s configuration aligns with the HIRA results. This process should be documented. Because failure to act on an SOL could lead to significant consequences, preventative maintenance of instruments that measure the deviations from normality deserves serious consideration.
Auditing ensures each of the elements described above are interconnected and working as intended. The risk associated with changes to anything in this process must be evaluated through a management of change procedure. Finally, any of these elements can fail without the common tie-in of management commitment and review. Figure 2 illustrates how each of the process safety management system elements are interconnected.
The management system unites the process safety elements. Without integrating these elements, the barriers and LOPs identified in the HIRA only are an illusion of protection. If those LOPs aren’t considered in building competency, documented for ease of access, taken into account for equipment maintenance and other elements of the process safety management system, it’s easy to understand how this common failure mechanism can occur.
Figure 2. Failure to properly integrate elements can lead to the illusion of protection.
Building A Management System
There are many ways to design a management system. Companies that have ISO certification may have management systems documented following the International Organization for Standardization requirements. “Guidelines for Implementing Process Safety Management” [4] also describes how management systems are built.
When building a management system, adhere to some important best practices:
• Document roles and responsibilities for all levels of the organization.
• Keep written procedures simple and short, and include instructions and requirements, not descriptions.
• Group similar requirements together. For example, list all training requirements in one document rather than dispersing them through several.
• Include instructions in the system for maintaining uniformity in the documents.
• Establish an approval process for changes.
• Develop formal auditing protocols to ensure that elements of the management system are being followed.
With these items in mind, adopt a three-tiered approach for the management system.
Tier 1. In this tier, documents describe how a company or a site does business. For process safety, the Tier 1 document might detail CCPS’s 20 elements of process safety, the high requirements for each, and how every element is addressed. Some elements only might have a Tier 1 requirement. This gives individual sites or units the flexibility to comply with the higher level requirements commensurate with applicability.
Tier 2. Here, documents cover aspects requiring more prescription. They describe what is required. For example, a Tier 1 requirement might be that each process undergoes a HIRA review once every 5 years. Because this element is essential to understand the hazards and the risks of a process, the Tier 2 document describes specifics of the HIRA, such as team composition, methodology, minimum PSI used, reporting and approval — to name a few.
Tier 3. In this tier, documents describe who is responsible for what, and how it gets done. Let’s consider, for example, incident investigation. The Tier 1 document might mandate reporting of all incidents. Tier 2 might have more prescriptive requirements, such as an incident must be reported within 24 hours, categorized (with instructions provided on how to classify), and communicated in a certain way. A Tier 3 document describes who reports incidents and how they report them. This might differ among sites or even units at a site. (Incident investigations often reveal deficiencies in Tier 3 documents that need addressing.)
Success of such a tiered management system depends upon strong ongoing management support. It also requires adequate training for all involved, auditing for effectiveness, and periodic management review and continuous improvement.
Forestall Failings
The CCPS 20-element process safety model, if used properly, provides a basis for effective protection against incidents. You can’t just pick and choose portions. Rather, the various process safety elements must share an intimate connection. This connection is made possible by a functioning and vibrant management system that: “is documented, accessible, and easily used; defines how operations are conducted at the workplace; promotes safety in design, operations, and maintenance; and is agile and continuously improved” [3]. Without this vibrant management system, we only have the illusion of protection.
JERRY J. FOREST is senior director, process safety, for Celanese, Dallas. Email him at [email protected].
REFERENCES
1. “ANSI/API RP 754 — Process Safety Performance Indicators for the Refining and Petrochemical Industries,” 2nd ed., Amer. Petr. Inst., Washington, D.C. (April 2016).
2. “Process Safety Glossary,” www.aiche.org/ccps/resources/glossary/process-safety-glossary/process-safety, Ctr. for Chem. Proc. Safety (CCPS), New York City, accessed July 4, 2018.
3. “Vision 20/20,” www.aiche.org/ccps/resources/vision-2020/five-industry-tenets/vibrant-management-systems, CCPS, accessed July 4, 2018.
4. “Guidelines for Implementing Process Safety Management,” 2nd ed., CCPS, John Wiley & Sons, Hoboken, NJ (2016).
5. “Guidelines for Risk Based Process Safety,” CCPS, John Wiley & Sons, Hoboken, NJ (2007).
6. Forest, Jerry, “Know Your Limits,” pp. 498–501, Proc. Safety Progr. (Dec. 2018).
7. “Process Safety Glossary,” www.aiche.org/ccps/resources/glossary/processsafety-glossary/safe-operating-limits, CCPS, accessed January 8, 2018.
ADDITIONAL READING
“Guidelines for Integrating Management Systems and Metrics to Improve Process Safety Performance,” CCPS, John Wiley & Sons, Hoboken, NJ (2016).
“Process Safety Visions, Vibrant Management Systems,” p. 55, Chem. Eng. Progr. (Jan. 2017).
