Key Questions and Answers in Process Safety
This page contains questions that our process safety practitioners commonly encounter. Answers are provided to help you with your understanding of the topics addressed.
Utilities of concern for PHA are those that can impact or affect a release of the regulated chemicals in the process. They should be included in the PHA. Utility failures usually are addressed as causes of hazard scenarios.
OSHA’s PSM standard requires that MOC addresses the “impact of change on safety and health”. There is no specific requirement to perform a PHA except for new facilities. Some companies perform PHA for major, extensive, or high risk changes.
No. If the functionality or operability of a device is unclear or uncertain, the device should not be claimed as part of a safeguard. The team could have sent an instrument tech to field-verify the operability of the device.
It consists of the attitudes and behaviors of facility personnel towards safe process operations. It is significant because it determines how an organization approaches process safety management. A weak process safety culture has been found to be a factor in serious incidents.
Generic failure data can be used from references such as the book, "Initiating Events and IPLs in LOPA". However, site-specific failure rate data from individual facilities are preferable as they apply to actual operating conditions.
Usually, scenario information including causes, consequences, and safeguards is already established by the PHA team and that information can be transferred into LOPA worksheets prior to conducting the LOPA study. The initiating event frequency, enabler multipliers, and probability of failure on demand (PFD) values should be developed in conjunction with the LOPA team and not be pre-populated prior to the LOPA.
If the earlier PHA is to be replaced, then a different method could be used. If the earlier PHA is being revised, a change from the previous PHA may not be practical. Changing methods will need to be justified but switching to a more sophisticated method would be easier to justify. However, the process safety regulations are performance-based so the choice is whatever is appropriate and justifiable.
Although there are no specific regulatory requirements for listing safeguards individually in PHA worksheets, the best practice is to keep safeguards separate. A single cause may have multiple different consequences, and the safeguards listed may not apply to every consequence. If safeguards are combined, identifying which safeguards apply to each individual consequence becomes difficult. Combining safeguards also makes risk ranking and the identification of appropriate recommendations more difficult.
Omission errors and commission errors are the easiest human failures to address because they are the most obvious. Procedures spell out specific actions to be taken and those actions either may not be performed or may be performed incorrectly.
Extraneous acts are more difficult to address because of the numerous possibilities outside those actions required. Credible violations of procedures are easier to envision, such as bypassing a nuisance alarm by an operator.
A management system that organizes and integrates all the activities needed to manage competency properly. It helps in ensuring competent performance by individuals and groups of people.
The ability to perform work activities to a relevant standard, as necessary to ensure process safety and prevent major accidents. Competency requires individuals to possess various attributes such as appropriate knowledge, skills, experience, behaviors and attitudes.
A survey to help an organization identify pervasive attitudes or beliefs regarding risk tolerance in the workplace. It is conducted to provide a basis for improving the safety culture.
Ideally, a scribe should be technically oriented. They need a knowledge of processes in order to understand the discussions that occur during PHA studies. Also, they need to understand the process that is followed in performing a PHA study and be familiar with the technical terms and acronyms used. Sometimes, the role is filled by a junior engineer, although administrative personnel with appropriate experience also have acted successfully as scribes.
Values, beliefs, perceptions and attitudes that shape behaviors exhibited towards safety within an organization. Put simply, factors that influence how people in an organization behave with respect to safety when no one is watching.
Many PHA team leaders act as their own scribe. Use of PHA recording software gives leaders a subtle but powerful form of control over the team. They can direct the team's attention to highlighted entries in the worksheet and readily display checklists and other documents. Of course, leaders who scribe should have reasonable keyboard skills and be comfortable with all the other responsibilities of leading studies so that scribing does not impair their performance as a leader.
Node order typically follows the primary process flow. Side streams are addressed as they are encountered.
Node intention defines relevant aspects of the process design intent for each node, for example, safe ranges of operating parameters. Node intentions and parameter intentions often are defined in ranges (e.g. 100 to 150 gpm, or 20% to 80% tank fill height).
No. The owner cannot know all the implications of the change. The PHA team should be reconvened to discuss the change and modify the PHA accordingly.
OSHA and EPA process safety regulations address the consequences of catastrophic releases of toxic, reactive, flammable, or explosive chemicals that may result in toxic, fire or explosion hazards. OSHA's regulation addresses impacts on employees in the workplace including contractors. EPA's regulation addresses impacts on the public and the environment. Other types of consequences, such as business loss, property damage, loss of production, harm to business reputation, etc. are evaluated at the discretion of company management.
OSHA and EPA process safety regulations require that PHA be performed by a team with expertise in engineering and process operations, and the team must include at least one employee who has experience and knowledge specific to the process being evaluated. Also, one member of the team must be knowledgeable in the specific PHA method being used. For a small company, roles may be combined, such as the person with process or engineering experience also being the PHA facilitator. However, the PHA team should consist of at least three people, and preferably more, in order to ensure that brainstorming and meaningful discussions are possible during the study sessions.
Plants with limited personnel may wish to perform PHA studies for a few hours each day for a few days each week. This approach requires longer to complete PHA studies but lessens the daily time burden on team members.
Simpler methods, such as What-If analysis, may be appropriate for processes that have extensive operating experience with little or no innovation or change, and for simple processes.
More sophisticated methods, such as HAZOP and MHA, should be considered for high risk processes, new processes, processes that have experienced many changes, and processes that have installed new, innovative features.
Although there are no specific regulatory requirements for listing causes individually, the best practice is to keep causes separate if there is any doubt that the scenario consequences or safeguards could be different and result in different risk rankings and/or recommendations for each scenario.
Combining similar causes may be sensible in some cases, such as when any of the manual valves in the discharge of a pump may be misaligned. However, the PHA team must be sure that there are no considerations that would invalidate grouping of all the valves, such as the presence of a recirculation line back to the tank or a takeoff line between two of the valves.
OSHA's process safety management standard requires that PHA studies address "consequences of failure of engineering and administrative controls". Usually, this requirement is interpreted to mean that the consequence severity for a hazard scenario be evaluated assuming the failure of safeguards, that is, existing engineered or administrative controls.
Some companies make exceptions for certain passive safeguards. For example, a large spill of flammable material from a vessel within a diked area can be addressed assuming the dike fails and releases flammable material to the surrounding area or the dike can be assumed to maintain its integrity resulting in a contained flash or pool fire. The first case produces a larger pool fire area than the second case with higher potential for personnel injury. In the first case, the severity is higher than in the second case, but the likelihood is lower because the probability of containment failure is factored in.
LOPA is a form of risk analysis. It is subject to over-conservative and non-conservative risk calculation. The former results in unnecessary IPLs that cause additional life-cycle costs and spurious trips. The latter results in under-protected processes and unacceptable risks.
One way is to analyze some previous incidents using LOPA. The results may be surprising. Often, the risk will be higher than was perceived, and the recommendations that were developed may not reduce risk as much as believed. This may result in a managerial epiphany.
There are multiple reasons including:
- Meet regulatory requirements or expectations
- Comply with industry standards
- Apply good industry practices
- Avoid competitive disadvantages
- Focus resources on the most important safeguards
- Help manage liabilities from process risks
Four key pieces of information are needed:
- Descriptions of hazard scenarios
- Failure rate data for initiating event frequencies, IPL PFDs, and enabler multipliers
- Estimates of severities of scenario consequences
- Risk tolerance criteria for receptors of concern
Not easily. Often, operability scenarios cannot be recognized until much of the work of scenario identification has been completed.
Not necessarily, although it is advantageous. Scribes must be proficient with the means of recording studies, typically a software tool, and understand the technical terms used in PHA and to describe the process.
Yes, weather events that vary by location, such as flooding, tornadoes, hurricanes, and lightning, can cause process safety incidents.
OSHA's PSM standard requires that process hazard analyses, updates and revalidations, and documented resolutions of recommendations be retained for the life of the process.
No, a change in one part of the process could affect other parts of the process. The possible impact of changes should be evaluated across the entire process, not just the area where they were made. It is important to review every scenario in a PHA to ensure that any changes made do not have unrecognized consequences elsewhere in the process.
Utilities that serve a covered process are considered part of the process where they can impact or affect a release of the highly hazardous chemical in the process. Utility system failures such as loss of instrument air, heating and cooling mediums, and electric power have been major causes of upset conditions in chemical processes. These utility systems are subject to all of the provisions of the PSM standard until such point where a failure in a component of a system can no longer affect a potential release of a covered chemical, or where the utility leaves the control of the employer.
Commercial railroad tank cars and commercial tank motor vehicles (CTMVs), when remaining on a worksite and used to store threshold quantities or greater amounts of specified HHCs, are covered by the PSM standard. They are covered by the PSM standard to the extent that they are not covered by another regulatory authority. For example, the Hazardous Material Regulations of the Department of Transportation (DOT) (see 49 CFR Subchapter C and particularly Part 177, Carriage by Public Highway) cover CTMVs. These DOT regulations cover cargo tank design, construction, maintenance (including repairs) and certain operations of CTMVs. Generally speaking, if the cars are considered "in transit" by DOT, OSHA will defer jurisdiction to DOT.
OSHA 1910.119 is a performance-oriented standard and does not require use of a risk matrix. However, in a letter of interpretation, OSHA suggested that the use of a risk matrix would meet the requirement in the standard that PHA address, "A qualitative evaluation of a range of the possible safety and health effects of failure of controls on employees in the workplace".
Basic guidelines for communicating PHA results are:
- Provide proactive communication
- Access to PHA reports alone is not sufficient
- Tailor the communication to the audience
- Provide information that is relevant to their job, e.g. for operators and mechanics
- Provide information on:
  - Hazard scenarios found
  - Recommendations to be implemented
It can be useful to add such a column to a PHA worksheet for several reasons including:
- Helps to avoid confusion over entries in the "Consequences" column when there are multiple consequence entries to be recorded for a scenario.
- Provides a cleaner, more organized worksheet.
- Useful when LOPA studies are planned.
It may be considered as a safeguard, but care should be exercised in how much credit is taken, since the basic process control system is a fundamental part of the process and PHA scenarios are often based on a control system failure as an initiating event.
Safeguards should be qualified before being entered into the PHA worksheet for a scenario and it is a good practice to use criteria to accomplish this qualification. Suggested criteria for qualifying safeguards include:
- Reliability: Will it work in the scenario being considered?
- Adequacy: Is it enough to help reduce the scenario consequences?
- Applicability: Does it really apply and is it directly applicable?
- Effectiveness: Does it adequately accomplish its purpose?
- Functionality: Is it inactive or removed? Is it or can it be easily bypassed or disabled?
- Do not lead studies where they have a vested interest in the outcome or are not impartial.
- Avoid leading studies on processes for which they are a technical expert or have day-to-day responsibilities.
- Ask the scribe or another team member to alert them if it happens.
- Follow-up on study recommendations
- Provides proof that the study was conducted
- Reference by stakeholders
- Review by persons or organizations that have a legitimate interest in the PHA
- Auditing
- Revalidation of the study
- Management of change reviews
- The number of process changes that have been made and the extent of the process operations that the changes impact.
- New requirements (federal, state, or local) and omissions / deficiencies found in the previous PHA.
Endorse - No modifications are needed to the previous PHA and a simple letter is added to the file stating that no changes have been made.
Revision - The previous PHA is modified to account for the changes that have occurred since the last PHA. The modification may be done by updating / revising the original PHA worksheets or by generating an addendum to the previous PHA that documents the changes and their impact on the previous PHA.
Replacement - The team generates a new PHA as if it were an initial PHA (some companies refer to this type of revalidation as a "clean sheet" or "re-do" PHA).
- Five years from the first PHA session of previous PHA
- Five years from the last PHA session of previous PHA
- Five years from the report of previous PHA (issued to management for acceptance)
- Five years from management acceptance of previous PHA
Since PHA sessions can span weeks, the PHA report may not be issued for months, and acceptance by management may be delayed, one of the most common methods for planning the date of a PHA Revalidation is to base it on the report date of the previous PHA.
OSHA's PSM standard states: "At least every five (5) years after the completion of the initial PHA, the PHA shall be updated and revalidated by a team meeting the requirements in paragraph (e)(4) of this section, to assure that the PHA is consistent with the current process."
However, a periodic PHA revalidation may need to be performed more frequently for any of the following reasons:
- Cumulative number of changes
- Major changes
- Significant incidents or an unfavorable trend
- Knowledge of significant omissions and deficiencies
- Concern about the quality of the previous PHA
- High risk processes
- Reconciliation of PHA approaches after mergers / acquisitions
Risk ranking uses estimates of severity and likelihood to estimate the risk for hazard scenarios. Severity estimates assume that the plausible "worst-case" set of conditions is in effect, and that safeguards are disabled or ineffective. Likelihood estimates factor in the probability of failure of safeguards and conditional modifiers.
Conditional modifiers are adjustment factors that are applied to the scenario likelihood. Three common ones are:
- Probability that a person will be present to be exposed to a hazard. This value may be very low for some process areas, such as a remote tank farm.
- Probability that a flammable / explosive material will be ignited. Historically, many flammable releases have occurred without subsequent ignition.
- Probability that harm will occur if an individual is exposed. An individual in the area of release may be able to evacuate the area safely.
The consideration of conditional modifiers may make the risk of a worst-case scenario tolerable. Correctly applied, these modifiers can produce more realistic risk estimates.
PHA teams should take time to address enablers for several reasons including:
- Enablers are often key parts of hazard scenarios.
- Their inclusion produces more accurate risk estimates.
- The effort required to include enablers is normally not substantial.
- Conservative assumptions can be made to help avoid risk underestimation.
By definition, IPLs must be independent of other elements of the scenario, such as the initiating event. If the initiating failure was attributable to the same operator who is to intervene, the IPL cannot be credited as it is not independent of the initiating event.
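The risk ranking arithmetic described above (initiating event frequency multiplied by enabler multipliers, conditional modifiers and the PFD of each credited IPL, compared against a risk tolerance criterion) together with the IPL independence rule is shown below as an added worked example. This code is not from the original page; the scenario, all numeric values, the actor names and the risk tolerance table are constructed assumptions chosen only to illustrate the calculation.

```python
"""Added worked example (not from the original page): a minimal LOPA-style
calculation of mitigated scenario frequency. All numeric values, scenario
names and the risk tolerance table below are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IPL:
    """An independent protection layer and the actors it relies on."""
    name: str
    pfd: float                       # probability of failure on demand
    actors: frozenset = frozenset()  # people/systems whose failure defeats it


@dataclass
class Scenario:
    description: str
    initiating_event_freq: float     # initiating events per year
    initiating_actors: frozenset     # people/systems behind the initiating event
    enablers: dict                   # enabler name -> probability multiplier
    conditional_modifiers: dict      # modifier name -> probability
    ipls: list
    severity: str                    # key into RISK_TOLERANCE


# Constructed risk tolerance criteria: maximum tolerable frequency per year
# of a scenario in the given severity category.
RISK_TOLERANCE = {"minor": 1e-2, "serious": 1e-4, "major": 1e-5}


def independent_ipls(s):
    """Credit only IPLs that share no actor with the initiating event.

    An operator-response IPL is dropped when the same operator caused the
    initiating event, because it is then not independent of that event."""
    return [ipl for ipl in s.ipls if not (ipl.actors & s.initiating_actors)]


def mitigated_frequency(s):
    """Unmitigated frequency (IEF x enablers x conditional modifiers)
    reduced by the PFD of each creditable IPL."""
    f = s.initiating_event_freq
    for p in s.enablers.values():
        f *= p
    for p in s.conditional_modifiers.values():
        f *= p
    for ipl in independent_ipls(s):
        f *= ipl.pfd
    return f


def risk_gap(s):
    """Ratio of mitigated frequency to the tolerance for the severity.
    Values <= 1 are tolerable; larger values show the shortfall factor."""
    return mitigated_frequency(s) / RISK_TOLERANCE[s.severity]


def additional_rrf_needed(s):
    """Risk reduction factor a further IPL would have to provide (1.0 if none)."""
    return max(1.0, risk_gap(s))


# Constructed sample: the board operator mis-sets a transfer and overfills a
# flammable storage tank. The high-level alarm is answered by the same board
# operator, so it cannot be credited; the independent high-high trip can.
SAMPLE = Scenario(
    description="Tank overfill during manual transfer (constructed)",
    initiating_event_freq=0.1,
    initiating_actors=frozenset({"board operator"}),
    enablers={"transfer in progress": 0.25},
    conditional_modifiers={
        "probability of ignition": 0.1,
        "probability person present": 0.5,
        "probability of harm given exposure": 0.5,
    },
    ipls=[
        IPL("high-level alarm, board operator response", 0.1,
            frozenset({"board operator"})),
        IPL("SIS high-high level trip", 0.01),
    ],
    severity="serious",
)

if __name__ == "__main__":
    print("credited IPLs:", [i.name for i in independent_ipls(SAMPLE)])
    print("mitigated frequency per year:", mitigated_frequency(SAMPLE))
    print("risk gap (<= 1 is tolerable):", risk_gap(SAMPLE))
    print("additional RRF needed:", additional_rrf_needed(SAMPLE))
```

Running the sample credits only the SIS trip, giving a mitigated frequency of 6.25e-6 per year against a constructed tolerance of 1e-4 for a "serious" scenario. Dropping the SIS from the IPL list leaves the alarm as the only layer, and because it is not independent of the operator-caused initiating event the scenario then exceeds tolerance by a factor of 6.25, which is the risk reduction a further independent IPL would have to supply.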
Some possible guidelines for considering multiple failure scenarios are:
- Two concurrent human failures are credible.
- A single equipment failure coupled with a single human failure is credible.
- The simultaneous failure of two or more independent pieces of equipment may not be credible.
- A single equipment or human failure with an external event may not be credible.
- Simultaneous occurrence of two or more independent external events may not be credible.
The primary argument for addressing only single cause failures is that corrective actions taken to protect against them will also protect against multiple failures. While it is true that actions taken to prevent single failures that can contribute to multiple failures will help to prevent the multiple failures, there are several reasons to consider multiple failures as credible PHA scenarios including:
- Multiple failures may occur as a result of dependency between the single failures, such as miscalibration of identical instruments on two different vessels resulting in simultaneous overfill of both vessels.
- Multiple failure scenarios may have more severe consequences than scenarios involving any one of their contributors.
- Protective actions against single failures may not have been necessary because of the lower level of consequence for the single failure versus the higher level of consequence for the multiple failure case.
OSHA has provided these examples but other factors should also be considered:
- Operator / process and operator / equipment interface.
- Number of tasks operators must perform and the frequency.
- Evaluation of extended or unusual work schedules.
- Clarity and simplicity of control displays.
- Automatic instrumentation versus manual procedures.
- Operator feedback.
- Clarity of signs and codes.
- Design
- Engineering
- Construction
- Operation
- Maintenance
- Operation
- Receiving
- Management
- There are no stupid questions
- There are no bad ideas
- Team consensus is sought for worksheet entries
- All participants are considered to be peers for the performance of the PHA
- Everyone contributes
- Start on time, end on time
- Frequent breaks will be taken
- How you will handle common situations that may arise
  - E.g. use of the flip chart as a parking lot for issues outside the scope and objectives of the study
- Review by regulators
- Use in decision-making
- Linking to later studies
- Revalidation
- Use with other PSM elements, e.g. MOC, II, Audits
- Operator training and writing procedures
- Process troubleshooting
- Contractual obligations
- Insurance company requirements
- Future reference
- Introduce team members
- Record attendance
- Orient team members to the study and PHA method to be used
- Provide a briefing on the process design, operation and maintenance
- Review hazards of the process
- Review the study purpose, scope and objectives
- Ensure needed information is available
- Conduct initial review of the process subdivision
- Review “rules of the road” and “ground rules”
- Conduct a walk-through of the process
- Most commonly, pipe sections and vessels in which process chemicals are, or may be, present
- Also, a step in a procedure, or
- A process function (e.g. control loop)
- Formal training or previous documented experience as a PHA team leader
- Leadership / facilitation skills
- Motivational / interpersonal skills
- Communications skills
- Project management skills
- Experience as a team member
- No day-to-day responsibilities for the process being studied
- Should not be an expert on the process under study
- Able to understand processes and their operation quickly
- Able to read engineering drawings easily
- Facilitator (who may also act as the scribe)
- Process expert (often a process engineer)
- Operator (who is directly engaged in the process being studied)
- Maintenance technician or engineer (recommended)
- Controls and instrumentation engineer (recommended)
- Safety engineer (recommended)
