(96b) Process Safety Auditing: Thinking Beyond Compliance

The PSM rule requires a ‘compliance audit’ at least every three years.  This description implies that the purpose of the audit is to ensure that legal requirements are met.  Thoughtful companies recognize that meeting the minimum legal requirements may not be sufficient, and also audit for conformance with their internal company standards and procedures. However, in audit programs designed to check compliance with either legal or legal + internal requirements, there is an implicit assumption that conformance will result in an acceptable process safety performance.  In other words, if all of the ‘inputs’ are right (compliance with the standards and procedures), then process safety is being managed effectively—the desired ‘outputs’ will follow.  This assumption may not be valid!  In reality, managing process safety requires the meshing or connecting of several related work processes or activities in order to effectively deliver the desired results.  Checking each activity for compliance with standards does not necessarily ensure that the sum of the connected activities is delivering what was intended. 

Take, for example, the identification and control of major risk scenarios.  The process safety management intention is that risk scenarios are identified in either the initial HAZOP or subsequent PHA , sufficient controls are provided to meet the corporate risk criteria, the controls are maintained throughout the operating life, the operating, technical and management teams are trained in and understand the scenarios and that the scenarios are well documented in the operating procedures.   Compliance auditing typically checks that all of the individual activities are ‘compliant’ (PHA conducted on time and actions closed, trip system testing completed per schedule, training records complete, operating procedures updated on time, etc.).  Such an approach does not typically track that the content is carried consistently through the collection of processes and that the knowledge and controls for the identified scenarios are in place and robust.   

This paper proposes an audit approach which checks both that the organization is compliant with the prescribed activities and procedures, and that the activities and procedures are effectively delivering the intended results.  The main focus is on applying this approach to the aspects of process safety management that address specific risk scenarios and their associated controls.