A Root-Cause Approach to PSM Audits [Chemical Engineering Progress]

Tracing audit findings back to the management system that allowed the failure to occur is an effective way to uncover deficiencies in an organization's process safety management system. Follow the guidance provided in this article to apply root-cause-based auditing to your facility.

The U.S. Occupational Safety and Health Administration (OSHA) process safety management (PSM) standard requires covered facilities to conduct PSM audits every three years. These audits have historically involved an element-by-element approach, in which each of the 14 elements of the OSHA-defined PSM program (1) is evaluated via interviews, document and inspection reviews, comparison of current conditions with standards, and the identification of discrepancies between what exists and what is required, followed by recommendations.

By applying root-cause analysis, as practiced during incident investigations, to audit findings, it is often possible to trace back from the individual findings to their underlying sources (i.e., root causes). These root causes are typically cultural and system-based (e.g., insufficient managerial training, tolerance of backlogs of large safety-related action items, or a reluctance to accept tasks considered above and beyond compliance), rather than technical, one-off findings. Identifying and correcting these root causes may result in longer-lasting improvement to a site, group, or corporate PSM program.

Root-cause-based audit findings are often related to process safety culture. For example:

* Compliance-only culture. Such a process safety culture is characterized by a narrow focus on basic compliance with regulations, such as the OSHA PSM, the Seveso Directive, and others. Facilities with a compliance-only philosophy comply with - but do not go beyond - the applicable regulations. These sites would benefit from aiming to exceed compliance and focusing on a PSM system that is commensurate with the process safety risks they face.

* Inwardly focused culture. Sites that have this culture develop their PSM programs internally, without incorporating the expertise embodied at other sites or in industry best practices. PSM audits of an inwardly focused company are conducted largely by site personnel, process hazard analyses (PHAs) are led by site personnel, the mechanical integrity program is developed by site personnel, and so on. A lack of proper follow-up to action items generated during past audits and PHAs is evidence of an inwardly focused culture.

* Normalization-of-deviation culture. In facilities with this safety culture, plant personnel fail to notice issues that are readily apparent to outside observers. Employees at such a site may, for example, consider it acceptable to have large numbers of overdue and known yet unresolved action items, or to not react to unsafe activities or conditions during plant walkthroughs.

This article outlines a process that can be used to conduct PSM audits with a focus on identifying root causes, and provides examples of how to develop overarching recommendations to address these issues.

Engage management in the audit process

A successful root-cause-based audit starts with a rootcause mindset. It does not simply add an extra root-cause step after the findings have been identified.

The first step of the audit, therefore, is to identify the appropriate corporate and management contacts within the organization. Since the root causes identified in an audit could extend throughout the organization, it is imperative that the right upper-level managers are actively engaged in the audit program from the beginning. Such managers lend credibility to the audit, and serve as drivers for the audit program. They also act as liaisons between the audit team and upper management, providing a means to communicate the audit results, which may involve corporate practices and/or culture.

The scope and objectives of the audit should be clearly defined and then communicated throughout the organization. A key audit objective is always improvement of an organization's PSM program. Depending on the scope of the audit program, deeper objectives may, for example, address specific cultural issues identified in incident investigations to ensure that identified weaknesses in one area do not spread throughout a site or entire organization.

Develop an audit protocol

Another necessary step in preparing for a root-causebased audit is the development of a consistent audit protocol. PSM programs vary globally, so a one-size-fits-all protocol is not practical. While there are common themes or elements across most industrialized regions and countries (e.g., management of change, training, and operating procedure requirements), they are not similar enough that a universal protocol will suffice for all. Auditing a European or Asian chemical plant against the U.S.-based OSHA PSM standard might identify many "noncompliance" issues while missing the true robustness (or lack of it) of that site's PSM program. Auditing a U.S. site using an audit protocol derived strictly from the U.K.-based Occupational Health and Safety Advisory Services (OHSAS) 18001 standard (2) might generate similarly inconclusive results. Likewise, because not all plants in the European Union are subject to the Seveso Directive (3) or the same interpretation of it, what is required in one region of Europe may not be in another. Therefore, an organization must develop its own common, consistent audit protocol in order to fairly compare one plant with another.

A versatile protocol might incorporate questions derived from multiple sources, both regulatory standards and industry best practices. For example, a protocol based on the CCPS risk-based process safety elements (see sidebar) can be adapted to make it appropriate for facilities operating worldwide. Whatever the source of the audit questions, once the protocol is developed, all plants and corporate representatives of the organization must agree to use this protocol, with the knowledge that there may be plants and/or regions for which some of the protocol requirements have not yet been implemented.

A scoring system can be developed and integrated into the protocol. Such a scoring system should weight the elements as well as each of the questions within each element based on their relative importance to process safety. Scoring systems provide a means to compare plants.

A potential drawback of a scoring system is that plants and managers may focus too intently on the audit score and neglect the objective of the audit with respect to the overall health of the PSM program. For example, two plants may receive identical scores, but while one has all of the program elements in place and is lacking some written procedures, the other facility has a well-developed program on paper but poor execution in the field. Scoring systems can be tweaked to filter out some of these potential inconsistencies. Scoring should account for implementation, not just program structure and content.

Preparing for and conducting the audit

Some preparation must be done at the facility level, primarily to ensure that site personnel and documents are readily available to the audit team. Prior to the audit, the team should submit an assessment plan to the site that details the facility personnel to be interviewed (by discipline) and the documentation and records required (such as procedures, forms, and reports, delineated by PSM element). The site will be better prepared if the auditors also identify any logistical needs (e.g., a dedicated conference room for the auditors' use, access to copiers and the Internet, etc.) and provide a schedule of audit activities.

The onsite audit then proceeds in the typical manner (4), starting with an opening meeting to kick off the audit. All parties involved in the audit should attend so that the scope and objectives of the audit can be communicated to them. This is also an opportunity to emphasize that, while evidence collection is taking place primarily at the site, the organization as a whole is being audited. The audit team will then use the protocol it developed previously as a basis for performing the audit. Evidence collection is done by reviewing records, inspecting onsite conditions, and interviewing personnel.

Daily wrap-up meetings of the auditors and plant staff are highly recommended. At these meetings, the auditors describe their major findings of the day and invite feedback from the facility team. They also detail their plans for the next audit day. Auditors and site personnel need to be flexible as issues arise, necessary personnel become unavailable, or specific auditing areas are identified as more or less important and so require more or less time.

At a closing meeting after the evidence collection has been completed, the auditors will summarize their findings and explain the next steps, including the development of the audit report.

Root-cause audit analysis

While audit findings tend to identify specific instances of a failure, recommendations should focus on tracing the problem back to the specific management system that has allowed the failure to take place. This is especially true, and most beneficial, for multiple-site auditing programs.

The principles of root-cause analysis can be applied to audit findings as well as the subsequent recommendations. When seeking the root cause of a failure, the auditors should continue to ask "why" until they arrive at the overarching management system that has failed or was insufficient.

Example: Connecting seemingly unrelated findings

Consider the following seemingly unrelated audit findings:

* improperly locked-out and tagged-out (LOTO) hotwork project

* operator unaware of the methods to prevent a critical operating parameter from exceeding its safe upper or lower limit, or to correct it if it does

* incorrectly sized relief device.

By evaluating the improper LOTO project at a detailed level, the auditor determined that a contracted foreman responsible for the LOTO job needs to be retrained. How- ever, the deeper investigation continued to ask why. Reviewing the training records, the auditor found that the contractor was trained two years ago, but the LOTO procedure was revised nine months ago. The auditor then asked: Why was the contractor not trained on the new LOTO procedure? Examination of the management-of-change (MOC) documentation for the LOTO procedure revision showed that contractor training on the new procedure was not requested, even though the MOC indicated the need for such training and the MOC form included the means to request such training. The failure occurred because the person preparing the MOC was not properly trained on the MOC procedure, which should have led him or her to request training for the affected personnel, in this case a contractor.

The second finding involved an operator who was unaware of the methods to prevent a critical operating parameter from exceeding its safe upper or lower limit, as well as ways to correct it if it did drift outside the safe range. As with the LOTO finding, the immediate cause was an individual's lack of knowledge. However, with further investigation, the auditor traced the failure back to a change in the standard operating procedure. The MOC for the change did not identify the need for retraining, as required by the MOC protocol. This finding, too, was the result of an improperly conducted MOC because personnel were not adequately trained on the MOC procedure.

The relief device was incorrectly sized because an equipment change increased the backpressure on a venting system. Since the equipment change did not involve hazardous chemicals, the MOC for this change did not require a process hazard analysis (PHA). However, a PHA should have been required to examine the process hazards associated with modifying a shared venting system. The root cause of this finding was the failure to properly apply the MOC procedure.

Once a common root cause was identified (Figure 1), the auditor formulated a three-tiered recommendation:

1. Fix the specific problem, i.e., retrain the contractor and the operator, and conduct a PHA on the equipment change.

2. Identify and correct other similar issues, i.e., retrain all contractors and relevant employees on the revised LOTO procedure, identify and retrain all operators on the revised operating procedure, and identify other equipment or process-change MOCs that should have required PHAs.

3. Fix the root cause, i.e., retrain all MOC preparers to ensure that the MOC procedure is being properly implemented.

Root-cause-based auditing is an iterative process. The third tier of an auditing recommendation can often be subject to root-cause analysis itself. In this example, the team could apply root-cause analysis to their finding of improperly trained MOC preparers by asking the question: Why were MOC preparers improperly trained on the MOC procedure? Perhaps the training detail or frequency was insufficient. The focus can then shift to higher-level recommendations: Determine whether training is insufficient for any other procedures and provide retraining where necessary. Next, fix the management mechanism that validates and audits training frequency and sufficiency, which allowed this training failure to take place.

Example: Improving multiple sites

A root-cause-based approach is beneficial for single-site audits, but has the potential for even greater benefits when root causes are identified that are common to multiple sites. Such findings are often addressed at a group or corporate level, thereby impacting the organization at a higher level than a site-specific finding, as this example of a multiplesite audit demonstrates. Among its site-specific findings:

* Site A - During tours of the facility, auditors saw managers fail to correct company and contract personnel who were not wearing all of the required personal protective equipment (PPE).

* Site B - Auditors of this site noticed forklift opera- tors driving through the plant with loads that obstructed their vision.

* Site C - Here, auditors observed multiple flanges with missing bolts and stainless steel flanges with carbon steel bolts.

The auditors presented these seemingly unrelated findings to the company as evidence of a trend toward normalization of deviations and a lack of operational discipline. They recommended that the company develop guidance on these topics for all of its plant locations.

Wrap up

A root-cause-based approach to PSM auditing, instead of focusing narrowly on specific findings, can expose deeper, ingrained deficiencies in an organization's safety management system. This allows us to reap the greatest benefit from the resource-intensive audit process. Instead of patching the individual cracks that appear on the surface, we can uncover and permanently repair the structural deficiencies in our foundation.

This article is based on a paper presented at the 9th Global Congress on Process Safety. April 28 - May 1,2013, San Antonio, TX.

CCPS Expands PSM Elements

AlChE's Center for Chemical Process Safety has expanded on the PSM elements outlined by OSHA. The CCPS risk-based process safety (RBPS) guidance (5, 6) includes new elements, such as process safety culture, conduct of operations, and process safety competency.

The RBPS approach is not new. It was used, for example, by the Baker Panel as part of its analysis of BP's 2005 Texas City incident to evaluate process safety culture at BP's five U.S. refineries (7). The investigators concluded:

"Although the refineries do not share a common process safety culture, they do share similar process safety cultural weaknesses. Based upon interviews of the refinery workforce, the process safety culture survey, the technical reviews that the Panel's consultants performed, and a review of BP documents, the Panel finds that a lack of operating discipline, toleration of serious deviations from safe operating practices, and apparent complacency toward serious process safety risks existed at each of BP's U.S. refineries."

OSHA PSM Elements

1. Employee Participation

2. Process Safety Information (PSI)

3. Process Hazard Analysis (PHA)

4. Operating Procedures

5. Training

6. Contractor Safety

7. Pre-Startup Safety Review (PSSR)

8. Mechanical Integrity

9. Hot Work Program

10. Management of Change (MOC)

11. Incident Investigation

12. Emergency Planning and Response

13. Compliance Audits

14. Trade Secrets

CCPS PSM Elements

1. Process Safety Culture

2. Compliance with Standards

3. Process Safety Competency

4. Workforce Involvement

5. Stakeholder Outreach

6. Process Knowledge Management

7. Hazard Identification and Risk Analysis

8. Operating Procedures

9. Safe Work Practices

10. Asset Integrity and Reliability

11. Contractor Management

12. Training and Performance

13. Management of Change

14. Operational Readiness

15. Conduct of Operations

16. Emergency Management

17. Incident Investigation

18. Measurement and Metrics

19. Auditing

20. Management Review and Continuous Improvement

While root-cause analysis is beneficial for single-site audits, its benefits are even more pronounced when it is used for multiple-site audits.

Statement of Ownership, Management and Circulation of October 1, 2013 for CEP, Publication No. 101-920, issued monthly, for an annual subscription price of $185 from 120 Wall Street, New York, NY 10005, which is the location of its publication and business offices. The name and address of the Publisher is Stephen R. Smith, 120 Wall Street, New York, NY 10005. The owner is the American Institute of Chemical Engineers, 120 Wall Street, New York, NY 10005. The known bondholders, mortgages or other securities are: None. The purpose, function and non-profit status of this organization, and the exempt status for federal income-tax purposes have not changed during the preceding 12 months. The following figures describe the nature and extent of the circulation of the September 2013 issue. In each category, the first number (in italics) is the average number of copies of each issue during the preceding 12 months. The number next to it, within parentheses ( ), is the actual number of copies of the single issue published nearest to the filing date. Total number of copies (net press run): 28,890 (28,850). Paid circulation (by mail and outside the mail): 1. Mailed outside-county paid subscriptions stated on PS Form 3541:23,833 (22,998). 2. Mailed in-county paid subscriptions stated on PS Form 3541: none (none). 3. Paid distribution outside the mails including sales through dealers and carriers, street vendors, counter sales, and other paid distribution Outside USPS: 2,902 (2,874). 4. Paid distribution by other classes of mail through the USPS: 121 (116). Total paid distribution: 26,856 (25,988). Free or nominal rate distribution (by mail and outside the mail): 1. Free or nominal rate Outside-County copies included on PS Form 3541: 941 (922). 2. Free or nominal rate In-County copies included on PS Form 3541 : none (none). 3. Free or nominal rate copies mailed at other classes through the USPS: 10 (5). 4. Free or nominal rate distribution outside the mail: 339 (707). Total free or nominal rate distribution: 1,290 (1,634). Total distribution: 28,146 (27,622). Copies not distributed: 744 (1,228). Total: 28,890 (28,850). Percent paid: 95% (94%). I certify that the statements made by me are correct and complete. Stephen R. Smith, Publisher.

Literature Cited

1. U.S. Occupational Safety and Health Administration, "Process Safety Management of Highly Hazardous Chemicals," 29 CFR 1910.119, OSH A, Washington, DC ( 1989).

2. U.K. Occupational Health and Safety Advisory Services, "Occupational Health and Safety Standard," OHS AS 18001, www.ohsas-18001 -occupational-health-and-safety.com/what.htm, OHSAS, Macclesfield, Cheshire, U.K. (1999).

3. The Council of the European Union, "Council Directive 96/82/EC, Seveso II Directive on the Control of Major-Accident Hazards Involving Dangerous Substances" (Dec. 9,1996).

4. Center for Chemical Process Safety, "Guidelines for Auditing Process Safety Management Systems," American Institute of Chemical Engineers, New York, NY (March 2011).

5. Center for Chemical Process Safety, "Guidelines for Risk Based Process Safety," American Institute of Chemical Engineers, New York, NY (March 2007).

6. Sepeda, A. L., "Understanding Process Safety Management," Chem. Eng. Progress, 106 (8), pp. 26-33 (Aug. 2010).

7. The BP U.S. Refineries Independent Safety Review Panel, "The Report of the BP U.S. Refineries Independent Safety Review Panel," www.bp.com/liveassets/bp_intemet/globalbp/ globalbp_uk_english/SP/STAGING/local_assets/assets/pdfs/ Baker_panel_report.pdf, p. 120 (Jan. 2007).

DAVID M. HELLER

DAVID A. KAHN

ACUTECH CONSULTING GROUP

DAVID HELLER, CSP, CPSA, is the manager of the Washington, DC, business unit of the AcuTech Consulting Group, which provides process safety, risk management, and security services to industries handling hazardous materials (Phone: (609) 751-2828; Email: dheller® acutech-consulting.com). He has 38 years of experience in the chemical process industries, 29 of which were in safety-related positions. He was formerly a lead investigator and investigations manager with the U.S. Chemical Safety and Hazard Investigation Board, where he led root-cause investigations of significant chemical incidents throughout the U.S. He also held the position of Safety Manager with Cytec Industries, Inc., and Process Safety Manager at American Cyanamid Co. He has conducted process hazard analyses and process safety audits around the world. Heller received his BS in chemical engineering from Rensselaer Polytechnic Institute. A member of AlChE, he is a Certified Safety Professional (CSP) and a Certified Process Safety Auditor (CPSA).

DAVID KAHN, CFSP, is a senior associate engineer at the AcuTech Consulting Group (Phone: (415) 314-4880; Email: [email protected]). He is a process and functional safety expert with global experience in PSM auditing and program development, as well as in the facilitation of both quantitative and qualitative approaches to risk assessment. Prior to entering the field of PSM consulting, he developed a foundation in process automation and instrumentation, including design, programming, and integrity level verification of safety instrumented systems in the chemicals and refining industries. He holds a BS in chemical engineering from the Univ. of Texas, is a member of AlChE, and is a Certified Functional Safety Professional (CFSP).