Process safety audits [1, 2] serve two main purposes: (1) feedback on process safety program implementation and effectiveness to identify potential opportunities for improved performance, and (2) compliance with process safety regulations such as the 29 CFR 1910:119 Process Safety Management (PSM) regulation of the U.S. Occupational Safety and Health Administration (OSHA) and the 40 CFR 68 Risk Management Program (RMP) rule of the U.S. Environmental Protection Agency (EPA).
A facility with a process covered by these regulations must conduct compliance audits every three years. Facilities in existence when OSHA promulgated its regulation in 1992 now have performed seven to nine compliance audits. A review of recent audit findings for both long-established and newer plants suggests certain shortcomings continue to commonly arise. This article looks specifically at issues related to operating limits, required under the operating procedure (OP) element, and safe limits, required under the process safety information (PSI) element — and provides guidance on how to avoid such findings through appropriate development and implementation of limits tables. Future articles will focus on other common PSM findings (see sidebar).
Operating limits and safe limits tables are important because they define the ranges of safe operation for a process, both as operating limits in the OPs and as the ultimate safe (or design) limits in PSI. Exceeding operating limits can prompt process upsets, quality issues and other problems. Deviating outside safe limits likely will cause significant process incidents and result in possible equipment damage, personnel injuries and environmental harm. Failure to properly document these limits can lead to improper operation as well as major operability and safety issues. So, a plant must spell out the consequences of the deviations from these limits, including the safety and health effects on personnel. The OPs must specify correct operator responses to regain desired control of the process. Many companies choose to combine these sets of limits tables as part of the OPs for ease of reference and use; this, while common, sometimes also becomes a source of confusion if the information is not clearly presented.
Based on our experience, having a complete, accurate and thorough set of operating limits and safe limits tables available to process operators (particularly board operators) as well as engineers, maintenance staff, etc., is invaluable in (1) focusing them on the important process parameters, (2) reminding them of the worst-case consequences associated with going beyond these parameters, and (3) providing a ready reference for actions to take when parameters are exceeded. Limits tables, therefore, are important training tools. Exceeding one flow rate may have minor consequences but exceeding a different flow rate could lead to destruction of the plant. Knowing these differences and how to respond to these deviations are fundamental to safe design, operation and maintenance of the plant.
Figure 1. Creating distinct tables can avoid confusion about the type of limit.
Many companies refer to “safe operating limits” (SOLs), which also can lead to confusion because the OSHA regulation refers only to safe limits and operating limits. SOL implies that safety, rather than other considerations, determined the operating limits. However, SOLs should not necessarily be equated to safe limits. Auditors should understand company intent and practice relative to the OSHA PSM regulation to determine if requirements are being met.
The OSHA PSM requirements for operating limits and safe limits appear in OSHA 29 CFR 1910:119. OSHA provides additional guidance in its “Petroleum Refinery Process Safety Management National Emphasis Program” [3] and “Process Safety Management Supplement B, Voluntary Protection Program” [4]. EPA mandates basically the same requirements in its RMP rule.
Two basic approaches exist for meeting these requirements:
1. Implementing the PSI and OP requirements separately, with the PSI safe limits tables providing the basic process variables to be addressed in the operating limits tables in the OPs (Figure 1); or
2. Combining the PSI and OP requirements into limits tables in the OPs (Figure 2).
Both approaches are valid for meeting the regulatory requirements — and both have pluses as well as minuses if not implemented and maintained appropriately. For example, combined tables help reduce discrepancies that could develop over time in separate tables as process equipment changes occur. Combined tables also undergo periodic scrutiny as part of OP reviews to confirm they are current and accurate; therefore, they frequently are part of refresher training activities. However, improper design and implementation of combined tables can lead to confusion around whether limits are safe limits, operating limits or something else (e.g., control system alarm points). Table 1 shows an example combined limits table.
Figure 3 provides a typical way of thinking of limits. Most processes will have a normal operating zone, such as a temperature range from 100–120°C, based on safety, quality and other operability considerations. This range is used to define the desired upper and lower operating limits. Deviations above or below the operating limits will result in troubleshooting activities by operators and/or automatic response by the control system to return to normal conditions. Usually a response zone is defined before safe limits are exceeded, although the available response time may be very short. In some cases, a buffer zone may exist above the safe limits before worst-case consequences can occur. However, in many cases, the safe limit defines the point where undesirable safety consequences are possible without a buffer. Figure 4 shows these limits and the activation points for possible process safeguards for pressure in a reactor due to a runaway reaction, based on layers of protection as evaluated in a process hazard analysis (PHA).
Figure 2. A table containing both kinds of limits can reduce the chance of discrepancies arising over time.
Common Audit Issues
While the limits table requirements, as shown in Figures 1 and 2, seem relatively straightforward, large processes may need to document literally hundreds of limits. Critical variables may include temperature, pressure, flow rates, levels and many other variables for each piece of process equipment. Developing this information can be a challenge, especially for older processes, due to limited availability of the PSI. With multiple requirements for developing, documenting and maintaining limits, it is not surprising that process safety audits often identify compliance or improvement opportunities related to limits tables. In addition, changing equipment design or regulatory direction may raise issues not found in previous audits.
So, let’s now look at five common issues with operating/safe limits observed in PSM compliance audits:
1. Separate operating and safe upper/lower limits are not provided. The OSHA regulation and good industry practice clearly require/expect each covered process to have two separate sets of limits:
• Operating limits, defining the boundaries outside of which a system upset or abnormal operating condition could occur; and
• Safe limits, representing the design safe upper and lower limits of the equipment or process, above or below which operation is considered unsafe.
However, some facilities still:
• Establish only one set of documented “limits” rather than two sets; it often is not clear whether they are operating or safe limits.
• Specify operating limits in tables in the OPs but do not include safe limits in these OP tables or in separate tables as part of the PSI. The reverse of this (i.e., establishing safe limits in tables in the PSI but not operating limits in tables in the OPs) occurs less commonly.
• Reference the alarm/interlock settings in the distributed control system (DCS) and the pressure safety valve (PSV) settings as providing the operating/safe limits.
The first and second instances clearly do not comply with the regulations because they do not provide both sets of required limits. In the third instance, many DCS alarm settings are not established for safety reasons but for quality or operability purposes. Therefore, defaulting to the DCS parameters may indicate the requirements of operating limits are not well understood. In some cases, safe limits also may appear in the tables but be difficult to distinguish from quality, environmental and other limits.
Figure 3. Most processes have a normal operating range with various limits addressing excursions.
Guidance: Ensure (1) both operating and safe limits are provided in the PSI, OPs or combined tables, and (2) the limits documentation addresses, as applicable, the different zones of operation shown in Figure 3. Also, avoid imprecise terminology when possible.
2. All pertinent operating/safe limits are not addressed. In some cases, inspection of the limits tables may suggest certain critical variables are missing (e.g., temperature in a reactor), leading to additional discussion with site personnel to understand (1) how the limits tables were developed and (2) why, in the case of high temperature in a reactor, the particular limits have not been established. Operating/safe limit tables for all the pertinent process parameters can be effectively evaluated (as time permits) by comparing the limits tables data to the current PHA for the process and other PSI documentation. This can be done by:
• Reviewing the PHA report worksheets for parameter deviations leading to potential hazardous events (e.g., loss of containment) that are not addressed in the operating/safe limits. For example, if high flow or high level in a hazard and operability (HAZOP) table is shown to lead to hazardous events in the PHA, then it would be reasonable that limits for these variables should appear in the limits tables. Note: PHAs typically do not provide the actual limits. Use the PSI to find this information.
• Checking listed safeguards in the PHA (e.g., alarms, interlocks and PSVs) or a separate safeguards table (if available) to determine if the operating/safe limits table includes the associated process parameters. If a high flow alarm or PSV appears as a safeguard, then it would be reasonable for the limits table to contain limits for flow or pressure.
• Scrutinizing PSI documentation (e.g., process and instrumentation diagrams and equipment design files) for specific equipment to see if the limits table correctly lists design limits.
A review of PHAs and other PSI documentation may show the operating/safe limits tables lack a significant number of pertinent process parameters. This situation often develops because the operations and engineering personnel developing/updating the limits tables perform this work independently, without ever looking at the operating/safe limits through the “lens” of the PHA reports or PSI documentation. Audits also provide an opportunity to review the “reasonableness” of the limits. For instance, if the limits table lists a high pressure safe limit of 100 psig while the PSI or PHA shows the related PSV setpoint as 150 psig, a further discussion to understand the difference is warranted.
Figure 4. This chart is a modified version of one in “Process Safety: Key Concepts and Practical Approaches” [5].
Guidance: (1) Review PHAs and other PSI documents to ensure the limits table contains appropriate process variables and values appear correct, (2) clearly address both upper and lower limits and note as “not applicable” where no high/low limit exists, and (3) check relevant process change documentation to see if limits tables have been updated as needed.
3. Consequences of deviation are not clearly documented. The impact of exceeding both operating and safe limits must be documented. For operating limits, a simple description such as “process upset” or something similar often appears — but this does not adequately describe the possible consequences. The PSI element also requires the consequences of deviation from safe limits include those “affecting the safety and health of employees,” which often is not addressed as part of the consequences. Fundamentally, all these consequences should (1) be consistent, (2) appear in the PHA worksheets, and (3) describe potential safety and health impacts on personnel, as well as effects on processes and equipment. For example, the PHA and safe limits table for high pressure in a reactor might indicate overpressure leading to loss of containment and potential toxic exposure to a specific chemical(s) or fire/explosion hazards.
Audits of consequences of deviation often find:
• Worst-case consequences are not adequately addressed (no column provided or left blank).
• Consequences are worded “leading to a high pressure interlock” or “lifting the PSV” rather than providing the potential worst-case consequence of overpressuring a vessel and loss of containment. Note that activation of a PSV also may result in a hazardous release at the discharge point.
• No mention is made of the safety and health effects on personnel, such as potential toxic exposure resulting from the release of a hazardous chemical.
• Safety consequences are mixed with operability/quality/environmental consequences.
Guidance: (1) Review PHAs to ensure proper documentation of the consequences of deviation outside the safe limits, including possible worst cases and potential safety and health effects on personnel, and (2) clearly distinguish between operating/safe limits and quality, environmental and other limits.
4. Corrective actions are not detailed adequately. OPs must include the steps required to avoid or correct deviation from operating limits. However, this information is not always provided or corrective actions are given for only some operating limits or with varying degrees of clarity. Although the regulation does not specifically require the documentation of corrective actions for deviations from safe upper/lower limits, OSHA’s guidance indicates that “emergency shutdown” should be a final corrective action. Obviously, the steps to correct a deviation outside operating limits will help prevent upset situations or going beyond safe limits but the necessary actions likely will differ as a potential deviation approaches or exceeds documented safe limits. For example, operators typically are encouraged to safely shut down a process — even before it reaches an interlock/trip point or safe limit — when in doubt about continued safe operation.
Table 1. Clearly differentiating between normal operating limits and safe limits is essential.
Guidance: Review PHAs, OPs, emergency procedures and other documents as needed to ensure clear guidance is provided on corrective actions for deviations outside both operating and safe limits.
5. Process safeguard setpoints are not included. It is a best practice to detail at what point various process safeguards will activate because this helps operators handle process deviations. What alarms and interlocks are provided and when will they activate? What are the setpoints for pressure relief? This information may be included in the DCS, in the OPs, in training materials or PSI documents. Consider adding this information to the limits tables so an operator immediately can put them in context with the defined limits listed in the table. For example, Figure 4 shows a chart that details several safeguards for high pressure in a reactor to activate as the upper safe limit is approached. Knowledge of these setpoints as operators respond to process deviations is important, both so the operators can anticipate safeguard action and can respond appropriately if the safeguard fails to activate as expected.
Guidance: Consider including process safeguard setpoints, as appropriate, in the limits tables.
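The five audit issues above amount to a checklist that can be run mechanically over a limits table before an auditor does. The following script is an added illustration, not part of the article or of any ABSG Consulting tool: it encodes each issue as a check over a small constructed combined limits table (the tag names such as R-101, PAH-101 and PSV-101, the values, and the PHA parameter list are all invented for the example). It flags blank limits (issue 1), parameters present in the PHA but absent from the table (issue 2), consequences worded as a safeguard action or generic upset and consequences that omit personnel effects (issue 3), blank corrective actions (issue 4), and missing or inconsistent safeguard setpoints, including the case from the text of a PSV set above the stated safe limit (issue 5). It also checks the Figure 3 ordering of zones (lower safe, lower operating, upper operating, upper safe).

```python
"""Offline self-audit of an operating/safe limits table against the five
common PSM audit issues. All rows, tags and values below are constructed
sample data for illustration, not from any real facility."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple, Union

NA = "n/a"  # explicit "not applicable" entry; a blank (None) is a finding
Limit = Union[float, str, None]


@dataclass
class LimitRow:
    parameter: str
    units: str
    lower_op: Limit
    upper_op: Limit
    lower_safe: Limit
    upper_safe: Limit
    consequence: str = ""          # worst case for deviation outside safe limits
    corrective_action: str = ""
    # safeguard tag -> (setpoint, "high" or "low" side of the range)
    safeguards: Dict[str, Tuple[float, str]] = field(default_factory=dict)


# Wording that names a safeguard or a generic upset instead of a worst case
VAGUE_CONSEQUENCES = ("process upset", "interlock", "lifts the psv", "lifting the psv", "psv lifts")
# Words expected when safety and health effects on personnel are described
PERSONNEL_TERMS = ("exposure", "injury", "personnel", "fire", "explosion", "toxic")


def _is_num(v: Limit) -> bool:
    return isinstance(v, (int, float)) and not isinstance(v, bool)


def audit_limits_table(rows: List[LimitRow], pha_parameters: Set[str]) -> List[Tuple[int, str, str]]:
    """Return findings as (issue_number, parameter, message) tuples."""
    findings: List[Tuple[int, str, str]] = []
    tabulated = {r.parameter for r in rows}

    # Issue 2: PHA deviations with no row in the limits table
    for p in sorted(pha_parameters - tabulated):
        findings.append((2, p, "appears in PHA deviations but not in the limits table"))

    for r in rows:
        # Issue 1: a blank limit; an explicit n/a is acceptable, a blank is not
        for name, val in (("lower_op", r.lower_op), ("upper_op", r.upper_op),
                          ("lower_safe", r.lower_safe), ("upper_safe", r.upper_safe)):
            if val is None:
                findings.append((1, r.parameter, f"{name} is blank; enter a value or '{NA}'"))
        # Figure 3 ordering of the numeric limits that are present
        nums = [v for v in (r.lower_safe, r.lower_op, r.upper_op, r.upper_safe) if _is_num(v)]
        if nums != sorted(nums):
            findings.append((1, r.parameter, "limits not ordered safe-low <= op-low <= op-high <= safe-high"))

        # Issue 3: consequences of deviation
        text = r.consequence.strip().lower()
        if not text:
            findings.append((3, r.parameter, "consequence of deviation is blank"))
        else:
            if any(v in text for v in VAGUE_CONSEQUENCES):
                findings.append((3, r.parameter, "consequence names a safeguard or generic upset, not the worst case"))
            if not any(t in text for t in PERSONNEL_TERMS):
                findings.append((3, r.parameter, "consequence omits safety and health effects on personnel"))

        # Issue 4: corrective action
        if not r.corrective_action.strip():
            findings.append((4, r.parameter, "corrective action is blank"))

        # Issue 5: safeguard setpoints present and consistent with the safe limits
        if not r.safeguards:
            findings.append((5, r.parameter, "no safeguard setpoints listed"))
        for tag, (sp, side) in r.safeguards.items():
            if side == "high" and _is_num(r.upper_safe) and sp > r.upper_safe:
                findings.append((5, r.parameter, f"{tag} setpoint {sp} {r.units} exceeds upper safe limit {r.upper_safe}; reconcile with PSI/PHA"))
            if side == "low" and _is_num(r.lower_safe) and sp < r.lower_safe:
                findings.append((5, r.parameter, f"{tag} setpoint {sp} {r.units} is below lower safe limit {r.lower_safe}; reconcile with PSI/PHA"))
    return findings


# Constructed sample table (hypothetical tags and values)
SAMPLE_ROWS = [
    LimitRow("R-101 pressure", "psig", NA, 80.0, NA, 100.0,
             consequence="Overpressure and loss of containment; toxic exposure of operators, fire/explosion",
             corrective_action="Reduce feed; if pressure keeps rising past 90 psig, initiate emergency shutdown",
             safeguards={"PAH-101": (85.0, "high"), "PSV-101": (150.0, "high")}),
    LimitRow("R-101 temperature", "degC", 100.0, 120.0, None, None,
             consequence="Process upset",
             corrective_action="Increase cooling water flow",
             safeguards={"TAH-101": (125.0, "high")}),
    LimitRow("Feed flow FIC-101", "kg/h", 500.0, 800.0, 400.0, 900.0,
             consequence="High flow overfills reactor, loss of containment, operator exposure"),
]
SAMPLE_PHA_PARAMETERS = {"R-101 pressure", "R-101 temperature", "R-101 level", "Feed flow FIC-101"}

if __name__ == "__main__":
    for issue, param, msg in audit_limits_table(SAMPLE_ROWS, SAMPLE_PHA_PARAMETERS):
        print(f"Issue {issue}: {param}: {msg}")
```

On the sample data the script produces eight findings: the reactor level row missing from the table, two blank safe limits and two consequence findings for reactor temperature, the PSV set 50 psig above the reactor's upper safe limit, and a blank corrective action plus no safeguard setpoints for feed flow. The consequence check is a keyword screen and will not catch every weak wording, so treat its output as a prompt for the PHA cross-check described above rather than a substitute for it.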
Avoid Common Issues
Well-documented operating and safe limits are an important foundation for safely and reliably operating processes containing highly hazardous chemicals. So, process safety regulations and industry best practices require clear documentation in OPs and PSI of limits, consequences of deviation, and corrective actions. Unfortunately, process safety audits continue to find poor understanding and ineffective implementation of these requirements.
Hopefully, the information provided here will help you better evaluate and improve your operating/safe limits documentation before you receive a regulatory citation or compliance audit finding.
As already noted, future articles will cover other common findings.
Findings Flag Divers Failings
Process safety management audits often identify important issues that need addressing. The failings that commonly appear fall into several categories. This article, the first in a series, focuses on operating and safe limits. Future articles will cover shortcomings in operating procedures, training and safe work practices; mechanical integrity issues; and problems in other elements.
JIM KLEIN, CCPSC, CPSA, is a Minneapolis, Minn.-based process safety consultant with ABSG Consulting Inc. JIM THOMPSON, CPSA, is a Louisville, Ky.-based process safety consultant with ABSG Consulting. Email them at [email protected] and [email protected].
1. “Guidelines for Auditing Process Safety Management Systems,” 2nd ed., Center for Chemical Process Safety/John Wiley & Sons, Hoboken, N.J. (2011).
2. “Guidelines for Risk Based Process Safety,” Center for Chemical Process Safety/John Wiley & Sons, Hoboken, N.J. (2007).
3. “Petroleum Refinery Process Safety Management National Emphasis Program,” OSHA CPL 03-00-004, U.S. Occupational Safety and Health Admin., Washington, D.C. (2007).
4. “Process Safety Management Supplement B, Voluntary Protection Program,” U.S. Occupational Safety and Health Admin., Washington, D.C. (2011).
5. Klein, J.A., and Vaughen, B.K., “Process Safety: Key Concepts and Practical Approaches,” CRC Press, Boca Raton, Fla. (2017).