Process Safety Management

Process Safety Management (PSM) is a regulation promulgated by the U.S. Occupational Safety
and Health Administration (OSHA) in February 19921. This promulgation was motivated by the
Bhopal incident occurred in 1984, where 3,800 people died and several thousand suffered
permanent injured or partial disabilities because of the release of methyl isocyanate.
The objective of PSM is to prevent or minimize the frequency and consequences of catastrophic
releases of toxic, reactive, flammable, or explosive chemicals. The PSM regulation applies to
processes which involve certain specified chemicals at or above the threshold quantities or
involve flammable liquids or gases on-site in one location, in quantities of 10,000 lbs. or more,
and processes which involve the manufacture of explosives and pyrotechnics. It is important
recognize that PSM is a process that requires the help of many division of the company.
Process Safety Management consists of 14 elements to be addressed as shown in Table 1. Each
of the elements listed in Table 1 are explained in more detail in the following sections.
Table 1. 14 Elements of PSM and OSHA standard number Element OSHA standard
PSM Element
Employee Involvement

OSHA Standard
1910.119(c)

Process Safety Information

1910.119(d)

Process Hazard Analysis

1910.119(e)

Operating Procedures

1910.119(f)

Training

1910.119(g)

Contractors

1910.119(h)

Pre-Startup Safety Review

1910.119(i)

Mechanical Integrity

1910.119(j)

Hot Work permit

1910.119(k)

Management of Change

1910.119(l)

Incident Investigation

1910.119(m)

Emergency Planning and Response

1910.119(n)

Mannan, M.S., J. Makris, and H.J. Overman. Process Safety and Risk Management
regulations: Impact on Process Industry. Encyclopedia of Chemical Processing and Design.
Ed. R.G. Anthony, vol. 69, Supplement 1, pp 168-193, Marcel Dekker, Inc., New York, 2002.

Compliance Audits

1910.119(o)

Trade Secret

1910.119(p)

Employee Involvement
Safe operation and maintenance requires the involvement of both employers and employees.
Therefore, OSHA requires employee participation to address all the major elements of Process
Safety Management program. Employees will have the opportunity to actively participate
through voluntary direct participation, through consultation, and through methods such as
anonymous communication and employee representation.
Input from employees with the understanding of chemical processes will be continuously
solicited as source of information in the development of chemical process incident prevention
plans, the performance of Process Hazards Analysis (PHA), and the conduct of incident
investigations and audits and other activity. Employees may be expected to participate different
areas in PSM is shown in Table 2.
Table 2. Area of where employees can participate in PSM

Development and gathering of process

safety information
Process Hazard Analysis
Training
Management of change
Developing and evaluating operating
procedures
Evaluating contractor safety performance

Safety meetings

Mechanical integrity procedure development

Audits
Incident investigation
Emergency preparedness

Pre-startup safety review

It is a responsibility of the group or individual leading that activity to ascertain whether the
employees have the necessary expertise to successfully carry out the work. The employer is
required to provide ready access to all information required to develop the PSM standard. Also,
the employer should ensure that information on what is being done to complete PSM is provided
to the employee. The employer must prepare a written Employee Participation Plan. This plan
should contain a clear purpose statement and statement that employees at all levels within the
plant will be directly involved with the activities related to the PSM. The next step is to explain
this employee involvement. The written employee participation statement should be posted in a
location easily accessible to employees and the employees must be kept informed on matters
regarding PSM2.
2

Spellman, Frank R. A Guide to compliance for Process Safety Management/ Risk

Management Planning. United States Occupational Safety and Health Administration, United
States Environmental Protection Agency. CRC Press: 1998.

Process safety information

Process safety information (PSI) is compilation of written process safety information and made
available to all employees to facilitate the understanding and identification of hazards. Process
safety information is needed before training, process hazard analysis, management of change,
and incident investigations. In general PSI would encompass information on the following area3:

Chemicals information
o Chemical hazards
o Toxicity
o Permissible exposure limit
o Physical, thermal, reactivity and chemical stability data
o Hazardous effects of inadvertent of different materials that could foresee ably
occur
o Effect of mixing
o Material and energy balances

Technology information
o Process flow diagram or block flow diagram
o Process chemistry
o Process limitation: safe upper and lower operating conditions (pressure,
temperature, composition, flows)
o Maximum intended inventory
o Consequence of process deviation

Equipment information used on the covered processes

o Design codes employed
o Materials of construction
o Piping and Instrumentation Diagrams (P&ID)
o Electrical classification
o Relief system design & design basis
o Ventilation system design
o Material and energy balance
o Safety system: interlocks, detection, monitoring and suppression system

Process Safety Management Report for OSHA and ISO Compliance Volume 1 No.1, June
1992.

Process hazard analysis

Process Hazard Analysis (PHA) is a proactive process of identification, evaluation and
mitigation of hazards. This process should be conducted by a team of experts, which includes at
least one employee with experience and knowledge in the specific process being evaluated, one
person knowledgeable in the analysis methodology being used and process operations expertise,
chemist, industrial hygienist and other relevant specialists.
PHA requires updates every 5 years to assure that the PHA is consistent with the current process.
It also requires operating locations to retain the analysis, updates, or revalidations for each
process covered, as well as the documented resolution of recommendation, for the life of the
process. PHA must be performed by one or more of the following methods or any other
equivalent methods4:

What-If analysis
Checklist method
What-If or checklist
Hazard and Operability (HAZOP) Study
Failure modes and effects analysis (FMEA)
Fault-tree analysis

What-If analysis is an unstructured method for considering results of unexpected events. This
analysis method uses questions beginning with what if and do not take into account on how the
failures occur. The expected outcome of this analysis would be a list of potential problem areas
and suggested mitigation methods. Example of a What-If analysis is shown in Table 3.
Table 3. Example of What-If work sheet on an LNG Vaporizer system.
What-If
Water flow is stopped?

LNG flow is stopped?

Natural gas temperature is too
low?
Water flow is too low?

Consequence/ Hazard
Water in shell freezes and may
rupture shell; natural gas
temperature too low.
Not Hazardous
Downstream piping may become
brittle.
Natural gas temperature may be
too low; water may freeze on
outside of tubes.

Recommendation
Automatic interlock to stop LNG
flow if water flow is stopped.
None
Monitor gas temperature; low
temperature alarm.
Monitor flow rate; low flow
alarm.

Checklist analysis aims to identify common hazards and ensure compliance with standard
procedures. The expected result of this analysis method is the identification of existing and
lurking common hazards and means to compliance with standard procedures.
4

Idem as 1

What-If/Checklist analysis method combines the creative and brainstorming features of the
What-If with the systematic features of Checklist method.
Failure modes and effects analysis (FMEA) is a systematic tabulation of plant equipment, failure
modes (cause of the equipment failure) and the effect of the failures. FMEA only identifies single
mode failure and because of that is not useful for identifying combination of failures. This
method also does not examine operator errors. Example of FMEA is shown in Figure 1.

Figure 1. Example of FMEA table on phosphoric acid line.

Fault tree analysis is a deductive technique that focuses on one incident and then constructs a
logic diagram of all conceivable event sequences that could lead to that particular incident. As
other logic diagrams, FTA uses basic components such as shown in Figure 2. These basic
components need to occur accordingly in order for the top event to occur. From the logic
diagram, identification of pathways, both mechanical and human error to the final top event can
be structurally analyzed. The rupture of hot water tank is given as an example of FTA and shown
in Figure 3.

Figure 2. Basic component for constructing fault tree analysis.

Figure 3. Example of fault tree analysis of the rupture of hot water tank.
Hazard and Operability (HAZOP) method is a rigorous method that identifies, analyzes and
controls hazards and operability problems of a process. A HAZOP study is delivered through a
systematic team approach to identify hazards and inefficiencies in a system. HAZOP employs
scenario development and brainstorming analysis method to determine the consequences of
deviations from the intended operation. A team of HAZOP review comprises of multidisciplinary
personnel from different section of the plant.

This method traces flow of materials through the system operation. To ease the tracing process,
the system operation is divided into nodes or sections. Figure 4 shows an example of node or
section from a batch reactor system used for polymerization. Different guide words that
characterize deviation of normal operation condition are used to direct the scenario development
on each node. Variety of HAZOP guide words and the process parameter subject to these guide
words for deviation are shown in Table 4 and Table 5 respectively.
Table 4. HAZOP Guide Words.
Guideword Meaning
Meaning
No, not, none
None of the design intent is achieved
More, more of, higher
Quantitative increase in a parameter
Less, less of, lower
Quantitative decrease in a parameter
As well as, more than
An additional activity occurs
Part of
Only some of the design intention is achieved
Reverse
Logical opposite of the design intention occurs
Other than, other
Complete substitution another activity occurs
Where else
For flows, transfers, sources, destination
Before, after
Step occurs out of sequence
Early, late
Timing is different than the intention
Faster, slower
Step is/is not with the right timing
Table 5. Process Parameter Examples.
Flow
Pressure
Temperature
Composition
Addition
Separation
Mixing
Stirring
Transfer

Level
Time
Sequence
Particle size
Reaction
Phase
Speed
Measure
Control

Viscosity
pH
Signal
Start/stop
Operate
Maintain
Services
Communication

An example of HAZOP study in shown in Figure 4 using batch reactor system used in
polymerization process. The format that may be used as a guide in HAZOP study is shown in
Table 6.

Figure 4. Process and Instrumentation Diagram of Polymerization batch reactor5.

Table 6. HAZOP study applied to the feed line (Intent: Feed reactants into the reactor)
Parameter
Flow

Guide
Word
No

More

Deviation
No Flow

More Flow

Causes

Consequence

Recommendation

V-1 to V-5 closed.

V-6 closed.

Over-pressurization of
the lines with potential
fracture.

Flow indicators after

valves.

Plugged line.
No monomers,
solvent, initiator, and
transfer agent in
storage tanks.

No contents in the
reactor. Potential damage
of equipment in other
sections of the process.

Level indicators in
storage tanks.

Fracture of line.

Fire hazard. Spill of

flammable materials.

V-1 to V-5 fails

open.

Increase released heat.

Cooling could be not
enough. Runaway

Periodic maintenance
of lines. Include dikes
and appropriate fire
control equipment.
Training.
Updated operating

Center for Chemical Process Safety. Guidelines for Hazard Evaluation

Procedures. American Institute of Chemical Engineers: New York, 1992.

V-6 is accidentally
left open.

reaction.

procedure. Checklist.

Increase of level in the

reactor.

Interlocks to
automatically stop
reactants feed.
Level indicator with
alarms for high levels.

Less

Temperature

Higher

Lower

Less Flow

Higher
Temperature

Lower
Temperature

Implement semi-batch
process.
Flow indicators with
alarms for low flow.

Leak in the pipes.

Incomplete reactions.
Accumulation of
reactants.

V-1, V-2, V-3, V-4,

V-5 or V-6 partially
closed.
Summer season.

Potential hazard for the

product.

Level indicator in the

reactor.

Boiling of reactant
causing overpressure in
the lines.

Temperature indicators
and alarms in storage
tanks and lines. Set
temperatures before
boiling points.
Temperature indicators
in storage tanks and
lines.

High temperature
when loading.
Winter season.

No hazard.

Isolate pipes. Heaters

in the storage tank to
maintain the desired
temperature.

The result of PHA is used to determine proper safety measures that need to be added to the
process or values of process variables might be changed if they are set too high or too low. Other
advantage of PHA result is that it can be used to define critical equipment that requires
preventive maintenance, inspection, and testing programs, and also help the plant develops a
focused emergency response programs that suits the plant needs and conditions. There are
several publications that provide detail guidance on completing PHA such as Guidelines for
Hazard Evaluation Procedures by CCPS.

Operating procedures
Operating procedure that addresses the safe operation of the plant must be documented and
available to personnel that require it. Besides normal operation steps, operating procedures for
upset conditions, temporary operations, start-up, and shutdown should also be properly
documented and make readily available. These operating procedures have to be clearly written
instruction and consistent with the process safety information6.
The procedures have to take into account general and special hazards of the chemical involved in
the process, hazards of exceeding operational limits, appropriate response to upset conditions,
safety and health information, and emergency operations. Up to date and reliability of the
operating procedures must be performed frequently. This element of PSM also serves as a critical
element in training of personnel7.

Training
Training serves as a way of communicating knowledge of the process, communicating skills in
performing operating and emergency procedures, communicating hazards related to the process
and many other aspects of process operation and maintenance to plants personnel. An effective
and properly scheduled training are very important because they determine the end result of the
training. Industry codes and government regulations recommend, and, in some cases, require
specific trainings for plants workers. Consequently, PSM programs need to identify and
document training requirements covering all levels of management and employees, including
contractor personnel, who manage, operate, maintain, and support the process units8.

Contractors
Contractors who are considered under the PSM program are those who are involved in the
installation or maintenance of equipment and systems at a facility that has one of the following
processes:

Involves a chemical at or above the specified threshold quantities.

Involves a flammable liquid or gas on site in one location, above a quantity of 10,000
pounds except for:
1. Hydrocarbon fuels used solely for workplace consumption as a fuel, if
such fuels are not a part of a process containing another highly hazardous
chemical covered by this standard;

Lees Loss Prevention in The Process Industries Vol.1, Vol.2 and Vol.3 Hazard Identification,
Assessment and Control 3rd Edition, Elsevier, 2004.
7

http://www.saic.com/environment/psm/elements.html

Center for Chemical Process Safety. Guidelines for Process Safety

Documentation. American Institute of Chemical Engineers.

2. Flammable liquids stored in atmospheric tanks or transferred which are

kept below their normal boiling point without benefit of chilling or
refrigeration.
Employer is responsible to obtain and evaluate information regarding the contract employer's
safety performance, and inform contract employers of the known potential fire, explosion, or
toxic release hazards related to the contractor's work.

Pre-Startup Safety Review

Pre-Startup safety review mandates a safety review for new facilities and significantly modified
work sites with objectives as follows9:

To confirm that the construction and equipment of a process are in accordance with
design specifications.
To assure that adequate safety, operating, maintenance and emergency procedures are
in place.
To assure process operator training has been completed. Also, especially for new
facilities.
To assure that the PHA must be performed and recommendations resolved and
implemented before start up. Modified facilities must meet management of change
requirement.

Mechanical Integrity
Mechanical Integrity (MI) is committed to provide the benefits of the most up-to-date inspection
technologies to support chemical plants operating efficiently and in an environmentally safe
condition, and provide the benefits to the petrochemical industries. The objective of MI is to
ensure equipment does not fail in a way that causes a release of chemicals. Equipment means
hardware that helps contain the chemicals in the process. MI covers the proper design,
fabrication, construction/installation and operation of equipment throughout the entire process
life cycle.
In detail, it includes management system, codes and standards, equipment maintenance, MI
training and procedure, inspection and testing, controlling and managing deficiencies and so on.
It is not just maintenance, although maintenance is a major part of an MI program. Information is
required to identify the code or standard for the design and construction of the vessel or tank and
the specific design values, materials, fabrication and inspection methods. Most of the vessels in
service in the US will be designed and constructed in accordance with one of the following
design codes:

The ASME Code, or Section VIII of the ASME (American Society of Mechanical
Engineers)

Idem as 3

The API Standard 620 or the American Petroleum Institute Code provides rules for
lower pressure vessels not covered by the ASME Code.

Hot work permit

Hot Work Permit is required for any operation involving open flames or producing heat and/or
sparks. It includes brazing, torch cutting, grinding, soldering, welding and others. The purpose of
this element is to assure that the employer is aware of the hot work being performed and that
appropriate safety precautions have been taken prior to beginning the work10.
The permit requires date authorized for hot work, equipment involved in the work, a system to
maintain and document certification, identification of openings where sparks may drop, the types
and number of fire extinguishers, identification of fire watches, an inspection before the work,
authorization signatures, identification of flammable materials in the area, verification that the
surrounding area is not explosive, verification that combustible materials are isolated properly,
identification and closure of open vessels or ducts, and verification that the welded walls are not
flammable. Figure 5 shows an example of the form that is required to complete before a hot
work is performed.

10

Idem as 1

Figure 5. Example of Hot Work Permit form.

Management of change
PSM requires employee to develop and implement documented procedures to manage changes in
the process chemistry, process equipment and operating procedures through Management of
Change (MOC). MOC is a tool that can be effectively used to ensure the continued integrity of
the other PSM elements. However, MOC also requires other elements (e.g. process knowledge
and mechanical integrity) be in place and functioning; otherwise MOC will not be effective. For
example, process hazard analysis (PHA) can be used to assess the safety of the current design
and operating procedures; this establishes a baseline against which the significance of future
changes can be assessed.
The objective of MOC is to provide a system of administrative controls that ensures:

The proper consideration of direct and indirect hazard potential before the change is
implemented;
That procedures are modified and retraining, where relevant, occurs before the
modification is put into service;
Enhanced emphasis on the preparation and retention of records of each change; and
The ability to audit the changes.

At plants with a strong PSM program, MOC can be expected to play a key role in maximizing
the value of the PSM program. Older plants may present a greater challenge in implementing
MOC since documentation of parts of their PSM program information may be out of date, or
missing. As a result, it may be difficult to readily determine whether a change is safe to
implement. In such situations, for a MOC program to be effective, priority attention should be
given to updating documentation that supports the plant PSM program. Effective, up-to-date
documentation is important to enable the facility to be operated safely and profitably.

Incident investigation
Under the incident investigation section of PSM, chemical industries are highly encouraged to
perform a complete investigation of incidents to determine their causes and to seek ways of
preventing their recurrence. The key to preventing disaster first lies in recognizing the leading
indicators. These leading indicators exist in incidents that are less than catastrophic. They can
even be seen in so-called near misses that may have no discernable impact on routine operation.
By examining lower-consequence, higher-frequency occurrences, companies may avoid those
rare incidents that cause major consequences.
The process of incident investigation generally utilizes a team-based approach involving:
gathering and analyzing the evidence; drawing conclusions as to the causes of the incident;
generating corrective or preventive actions; and summarizing, documenting, and disseminating
the findings. Proper documentation of incident investigation results provides the basis for
corrective actions leading to improvements in the organization's process safety management
(PSM) program and, accordingly, should enhance plant safety.

Role of Incident Investigation

The Center for Chemical Process Safety (CCPS) of the American Institute of Chemical
Engineers (AIChE) recognized the role of incident investigation and published the original
Guidelines for Investigating Chemical Process Incidents in 1992. This book helps to define and
refine the incident investigation systems to achieve positive results effectively and efficiently by
presenting a timely treatment of incident investigation represented in four stages as follows:
1. The first step in conducting a successful incident investigation is to recognize when
an incident has occurred so that it can be investigated appropriately. The heart of the
issue is that members of an operating investigation team all share a common language
that supports their investigation objectives efficiently and accurately. For this reason,
in order to enhance effective recognition and communication during an investigation,
the following definitions for key terms are applied.
Incidentan unusual or unexpected occurrence, which either resulted in, or had the
potential to result in: serious injury to personnel, significant damage to property,
adverse environmental impact, or a major interruption of process operations.
The definition implies three categories of incidents:
a. Incident is an occurrence in which property damage, material loss, detrimental
environmental impact, or human loss (either injury or death) occurs.
b. Near miss is an occurrence in which an accident (that is, property damage,
material loss, environmental impact, or human loss) or an operational
interruption could have plausibly resulted if circumstances had been slightly
different.
c. Operational interruption is an occurrence in which production rates or product
quality is seriously impacted.

2. The second step in conducting a thorough investigation is to assemble a qualified

team to determine and analyze the facts of the incident. This teams charter, using
appropriate investigative techniques and methodologies, is to reveal the true
underlying root causes. The terms causal factor and root cause help investigators
analyze the facts and communicate with each other during the investigation phase.
Causal factor, also known as a critical factor or contributing cause, is a major
unplanned, unintended contributor to the incident (a negative occurrence or
undesirable condition), that if eliminated would have either prevented the
occurrence, or reduced its severity or frequency.

Root cause is a fundamental, underlying, system-related reason why an incident

occurred that identifies a correctable failure(s) in management systems. There is
typically more than one root cause for every process safety incident.
3. The third step in incident investigation is to generate a report detailing facts, findings,
and recommendations. Typically, recommendations are written to reduce risk by:
o Improving the process technology
o Upgrading the operating or maintenance procedures or practices
o Upgrading the management systems. (When indicated in a recommendation,
this is often the most critical area.)
4. After the investigation is completed and the findings and recommendations are issued
in the report, a system must be in place to implement those recommendations. This is
not part of the investigation itself, but rather the follow-up related to it. It is not
enough to put a technological, procedural, or administrative response into effect. The
action should be monitored periodically for effectiveness and, where appropriate,
modified to meet the intent of the original recommendation.
These four steps will result in the greatest positive effect when they are performed in an
atmosphere of openness and trust. Management must demonstrate by both word and deed that
the primary objective is not to assign blame, but to understand what happened for the sake of
preventing future incidents.
Notification of Chemical Incidents
CSB and OSHA will be notified of chemical releases through the National Response Center
(NRC) and other media. In addition, both agencies will notify each other of chemical incidents
that meet one or more of the following criteria:
1.
2.
3.
4.

Result in one or more worker fatalities.

Result in the hospitalization of three or more workers.
Cause property damage of more than $500,000.
Present a serious threat to worker health or safety; or are events of significant public
concern. It requires employers to investigate as soon as possible (but no later than 48
hours after).

The standard calls for an investigation team, including at least one person knowledgeable in the
process involved, a contract employee when the incident involved contract work and others with
knowledge and experience to investigate and analyze the incident, and to develop a written
report on the incident. Reports must be retained for five years. Following link XX presents
selected OSHA and EPA incident investigation regulations.

Emergency planning and response

Emergency planning and response requires employers to develop and implement an emergency
action plan as a respond effectively to the release of hazardous chemicals. Regulation requires
companies with more than 10 employees to prepare an emergency plan and response in case of
hazardous chemical release but nevertheless, the smallest company should always be ready to
handle hazardous chemicals. The emergency action plan must include procedures for handling
small releases as well. This is done by taking into accounts several factors such as11:

Facility siting, the location of the control room to the process, and indicate clearly
identified area of refuge.
Indicate whether the plant is down-wind of a community
Community emergency action plans.

This element requires employers to develop and implement an emergency action plan according
to the requirements of 29 CFR 1910.38(a) and 29 CFR 1910.120(a), (p), and (q). Another source
of information on preparing emergency planning and response is the NFPA 471
Recommendation Practice for Responding to Hazardous Materials Incidents can be used as a
guidance to develop safe emergency plan and response to an incident.

Compliance audit
Compliance audit is a tool to help contractors identify PSM weaknesses and develop
recommendations. Each operating location that is required to utilize the PSM Performance
Baseline shall be subject to an audit of the PSM systems. The audit is a technique used to gather
sufficient facts and information to verify compliance with standards. The purpose of the audit is
to ensure that the PSM program is operating in an integrated and effective manner. The
performance baseline is based on industry standards and is designed to satisfy the regulatory
requirements.
All the contractors must conduct internal audits or self assessments for compliance with the PSM
Rule at least every 3 years to determine the degree to which plans and programs have been
implemented. There are two major objectives of audits. The first is to assess whether the
management system in place adequately addresses all elements of the PSM rule. The second
objective is to assess whether the management system has been adequately implemented for
every facility or process. Some types of audit are shown below:

11

Self-audit and independent audits

PSM system audit
Detailed PSM performance audit
Regulatory compliance audits (OSHA PSM and EPA RMP)

Idem as 3

Trade secrets
The trade secrets provision of PSM requires that the employer provide all information necessary
to comply with PSM to all persons who need it. This does not preclude the employer from taking
steps necessary to safeguard the integrity of any information disclosed. It merely prohibits the
employer from using trade secrets as an excuse not to provide information to either employees or
contractors12.

12

Idem as 7