3.1 Fundamental Features

Grote (2012) provides an interesting analysis of SMSs in which the issue of system similarity for various high-risk activities is addressed. She establishes three attributes for customizing a purpose-fit SMS: (i) the types of safety being managed, (ii) how uncertainty is managed, and (iii) the regulatory regime applicable to the safety management efforts (Grote, 2012). Grote (2012) speaks of the desirability of knowledge transfer across high-risk sectoral boundaries involving the nuclear industry, chemical process industries, and aviation domains.

In a somewhat similar vein, Pillay (2015) gives an analysis of published articles to demonstrate the relationship between accident causation factors in different industries and the safety management strategies typically employed in those industries. Examples given include sociotechnical systems in the aviation industry, technological and cultural systems in the oil and gas industry, and behavioral systems in road transportation (Pillay, 2015).

Wahlstrom and Rollenhagen (2014) take a creative look at SMSs by using a metaphor based on requirements from control theory:

• a system model to enable prediction of outcomes for specific actions (e.g., SMS elements),

• observability of the system so its state can be determined (e.g., system performance indicators),

• controllability of the system so specific actions can be taken to effect changes in the system state (e.g., risk reduction measures), and

• a preference relation to distinguish between desired and undesired system states (e.g., cost/benefit analysis).

A different sort of comparison is drawn by Moorkamp, Kramer, van Gulijk, and Ale (2014) in their examination of the relationship between SMS theory and resilience engineering theory. They consider the former theory to be one in which uncertainty is minimized, while the latter involves coping with uncertainty (Moorkamp et al., 2014). One can see clear overtones of dynamic operational risk management—as discussed later in this chapter—in their comment that resilience engineering attempts to manage safety by accounting for the constantly changing nature of dynamic operational conditions (Moorkamp et al., 2014). There is thus a role for probabilistic as well as deterministic measures in managing an organization's safety efforts; this observation is in accordance with the earlier discussion of the work of Grote (2012).

Fernandez-Muniz, Montes-Peon, and Vazquez-Ordas (2007) performed a study involving 455 Spanish companies in an attempt to develop a scale for measurement of the extent to which SMSs had been implemented. The developed tool consists of 43 items spread over eight groupings: safety policy, worker incentives, safety training, communication related to prevention, preventive planning, emergency planning, internal control, and benchmarking techniques (Fernandez-Muniz et al., 2007).

Bianchini, Donini, Pellegrini, and Saccani (2017) describe their use of an Efficacy Index for the same purpose—i.e., quantitatively evaluating the effectiveness of implementation of a SMS (in this case, for occupational health and safety). The index relates the costs arising from a loss-producing event or near-miss to the estimated costs to prevent and protect with respect to the unintended event.

Finally, there is clear evidence in the general safety literature of research into concepts that are also key to the success of PSM (as discussed later in this chapter). These include knowledge management and communication (Vinodkumar & Bhasi, 2010), safety leadership (Pilbeam, Doherty, Davidson, & Denyer, 2016; Sheehan, Donohue, Shea, Cooper, & De Cieri, 2016), and leading and lagging indicators for safety performance measurement (Sheehan et al., 2016).

3.2 Sectoral Examples

As demonstrated in Table 2, the breadth of system applications for managing different types of safety in different industrial/activity sectors throughout the world is quite comprehensive. While the depth of subject matter coverage in these papers is substantial, comments here are limited to three brief points. First, it is interesting to note the adoption of a risk-based approach for occupational health and safety management in the work of Sousa et al. (2014, 2015); this is similar to developments over the past decade in the field of PSM (as subsequently explained in this chapter). Second, the role of a SMS in relation to input parameters, other core functions, and management objectives is clearly illustrated in Fig. 4 from the work of Qian and Lin (2016). Third, the coal mine SMS from the work of Wu et al. (2014), as presented in Fig. 5, can be seen to explicitly embody the cycle of plan/do/check/act that was previously described as being essential to the effective functioning of any management system.

3.3 Transportation Examples

Literature examples of SMS applications to the transportation industry exist for each of the land, sea, and air sectors. According to Warmerdam, Newnam, Sheppard, Griffin, and Stevenson (2017), work-related vehicles account for 30% of traffic volume in Australia; additionally, drivers engaged in work-related activities are more likely to suffer injury than drivers on the road for purposes unrelated to work. With this risk-based justification for their research, Warmerdam et al. (2017) present their findings on the need for improvements in organization accountability, communication practices, vehicle-related risk reduction, driver competency, and incident investigation. These improvement areas are equally applicable to the management of risks posed by flammable, explosible, and toxic materials.

Similarly, Mooren, Grzebieta, Williamson, Olivier, and Friswell (2014) cite statistical evidence for their risk-based examination of safety management of heavy vehicle transport. Heavy trucks comprise 3% of registered vehicles in the United States, account for 7% of total vehicular mileage, and are involved in 11% of all driver fatalities (Mooren et al., 2014). Again, their findings on the importance of factors such as management commitment, safety training, and worker participation (Mooren et al., 2014) are equally applicable to the field of PSM.

In his study of safety and risk at sea (specifically with respect to tankers), Havold (2010) gives an extensive discussion of safety culture—a concept that underpins all SMSs. His description of safety culture being composed of values, attitudes, perceptions, and competencies (Havold, 2010) gives a good preview of our discussion later in this chapter on process safety culture. The theme of management system measurement requirements is also evident in the call for safety culture metrics that can be employed as leading performance indicators (Havold, 2010).

The Civil Aviation Safety Authority in Australia has provided a SMS guide (CASA, 2014) for aviation operators and organizations. The guide distinguishes between a SMS and a business/quality management system, and discusses principles such as safety culture that are broadly applicable (CASA, 2014). The document also considers human factors within a SMS and presents the familiar Swiss cheese model (Reason, 1990) in the context of flight operations of a Boeing 737-300 aircraft (CASA, 2014).

Cacciabue, Cassani, Licata, Oddone, and Ottomaniello (2015) also present the management system approach to safety from an aviation perspective, but again with broad applicability. They use terminology instantly recognizable to process safety practitioners—such as bow-tie analysis and risk matrix—and when describing the purpose of a SMS as being to prevent, control, and contain the consequences of hazardous events (Cacciabue et al., 2015). Cacciabue et al. (2015) further comment on the significant cultural changes that must accompany the SMS approach. This recurring notion of the critical role of safety culture in managing aviation safety is also apparent in the work of Remawi, Bates, and Dix (2011) and Liao (2015), with the latter study invoking the concepts of just, reporting, and learning cultures (as discussed later in this chapter with respect to PSM).

Before moving on to PSM, we conclude the review in this section with mention of two additional research studies on aviation safety management. Stroeve, Som, van Doorn, and Bakker (2016) present a holistic, risk-based approach for examination of a specific aviation hazard (runway incursions). The work of Nascimento, Majumdar, Ochieng, Schuster, and Studic (2016) describes the development of a SMS for a specific mode of air transport (helicopters).

4.1 Regulatory Aspects

As noted earlier in reference to the work of Grote (2012), the regulatory regime is one of the determinants in designing a SMS. Thus, our objective here is to touch on the topic of PSM regulation; a detailed review of the subject is, however, outside the analytical scope of this chapter. For this latter purpose, readers are directed to the recent paper by Sreenevasan (2015) and the comprehensive review undertaken by the Canadian Association of Petroleum Producers (CAPP, 2014).

We first comment that it would seem well advised to view the regulation of PSM—whether by prescription or based on performance (as explained in the next paragraph)—in the manner expressed by the following authors and corresponding quotes:

Mannan (2015) also remarks that regulations should be based on science and an understanding of risk, and that compliance must be enforced by the appropriate regulatory body.

The second point made here is that when PSM regulations have been introduced in various parts of the world, it has usually been in response to major process incidents (see, for example, Shin, 2013; Sreenevasan, 2015; recall also Fig. 3). Maher, Long, Cromartie, Sutton, and Steinhilber (2016) describe the US regulatory response to the 2010 Deepwater Horizon (Macondo) incident, and the resulting modified SMS requirements for offshore operations. They also distinguish between prescriptive regulations and goal- or performance-based regulations in the following manner (Maher et al., 2016):

• Prescriptive regulations state-specific actions and requirements that must be met to achieve compliance.

• Goal- or performance-based regulations state the required outcome but leave the manner in which the outcome is achieved to the implementer.

Engineering educators will recognize in these definitions an analogy with undergraduate engineering accreditation systems based on input measurements (e.g., lecture and tutorial hours), and those based on outcomes (i.e., graduate attributes such as proficiency in design and use of engineering tools).

Luo (2010) examines the relationship between PSM inspection citations in the United States (as regulated by OSHA, the Occupational Safety and Health Administration), and management system deficiencies identified in investigations conducted by the US CSB for 19 major chemical accidents. The correlation between the two datasets was found to be significant and enabled suggestions for improvements in enforcement and implementation of the OSHA-regulated PSM system. Kwon, Lee, Seo, and Moon (2016) provide another case study related to experiences with PSM regulation in a particular country (in this case, Korea).

Our third comment on regulatory aspects is that in most industrialized countries, PSM is indeed heavily regulated. A notable exception is Canada, which relies mostly on voluntary compliance and initiatives led largely by industry and industry/technical associations (e.g., the PSM Standard (Piette, 2012) developed by the Canadian Society for Chemical Engineering (CSChE, 2012b)). The CAPP (2014) report terms this voluntary compliance more perception than reality, given the bits and pieces of PSM-type requirements in existing legislation; one such example is the emergency response planning requirements for chemical accidents as specified in the Canadian Environmental Protection Act (Di Menna, 2012).

Macza (2008) provides a historical perspective for the Canadian PSM regulatory scene in terms of constitutional authority over most process industry plants resting with the provinces rather than the federal government. A complicating factor for those in favor of PSM regulation in Canada is that the vast majority of safety regulation at the provincial level deals explicitly only with occupational safety. Although some authors (e.g., Sreenevasan, 2015) have called for national PSM regulation in Canada, this sentiment is not shared by all practitioners (Di Menna, 2012).

In their study of the effect of complex occupational health and safety rule sets on the behavior of managers and corporations, Hale, Borys, and Adams (2015) state that their findings are applicable to any externally imposed regulations (e.g., those promulgated by government). They further comment on the likely applicability of their analysis to internal company standards, and the desirability of extending their research to rules that are not legally binding such as in the case of industry standards (Hale et al., 2015). The current situation in Canada with respect to PSM regulation would seem to afford an excellent opportunity in this regard.

In summary, PSM regulations are best viewed as minimum standards for which compliance should be an outcome not an objective. Major process incidents are a key driving force for governments to introduce or alter a PSM regulatory framework. PSM regulation, although prevalent globally, is not universal as evidenced by the largely voluntary compliance regime in Canada.

4.2 Systems

We now present a number of PSM systems utilized in countries and regions throughout the world. The elements for each system are given in a series of tables and figures drawn from pertinent references. The primary objective in this section is to present the various frameworks of PSM elements, with the elements themselves being the subject of the next section.

Table 3 gives both the elements, and the components for each element, in the PSM system recommended by the Canadian Society for Chemical Engineering (CSChE). Details can be found in the form of a 4th edition Guide (CSChE, 2012a) and a 1st edition Standard (CSChE, 2012b). As noted in CSChE (2012a), the purpose of the Guide is to provide an overview of PSM and an introduction to the Standard; the objective of the Standard is to identify performance requirements that are auditable for continuous improvement purposes (CSChE, 2012b).

The PSM approach in Canada (Table 3) is based on an earlier system shown in Table 4 that was originally developed by the Center for Chemical Process Safety (CCPS) in the United States. Table 5 gives the PSM Standard regulated by the US Occupational Safety and Health Administration (OSHA) under 29 CFR 1910.119; descriptions of this system are given in groupings of the first 3 elements by Mason (2001a) and the remaining 11 elements by Mason (2001b). PSM elements regulated by the US Environmental Protection Agency (EPA) under 40 CFR 68 in the Risk Management Plan (RMP) Rule are shown in Table 6 (CFR=Code of Federal Regulations).

Table 7 illustrates the newer risk-based PSM (RBPS) system now recommended by CCPS; the arrangement is by accident prevention pillar (4) and PSM element (20). The evolutionary thinking behind the development of this system is shown in Fig. 6 from CCPS (2014), which gives an updated overview of the risk-based approach. The fit of RBPS within CCPS's Vision 20/20 is explained in the following passage quoted from CCPS (ccpsonline.org) in Amyotte, Berger, et al. (2016): [Vision 20/20…] looks into the not-too-distant future to demonstrate what perfect process safety will look like when it is championed by industry; driven by five tenets of culture, standards, competency, management systems and lessons learned; and enhanced by community passion and four global societal themes. The American Institute of Chemical Engineers publication Chemical Engineering Progress has recently introduced a new column, Process Safety Values, to communicate the Vision 20/20 tenets and themes—e.g., a committed process safety culture (PSV, 2016). (See also McCavit, Berger, & Nara, 2014; McCavit, Berger, Grounds, & Nara, 2015 for discussion of CCPS's Vision 20/20.)

Rosen (2015) provides an interesting and personal look at risk-based PSM in the form of ten commandments (several of which—in particular I, IV, and VI—will be quite familiar by now). Thou shalt (Rosen, 2015):

I. Always honor thy container.

II. Always maintain a sense of vulnerability.

III. Eliminate normalization of deviation (i.e., not accept operation outside set limits).

IV. Know thy chemistry.

V. Educate, train, and drill employees.

VI. Create and nurture a strong risk-based process safety culture.

VII. Recognize those who exemplify process and occupational safety.

VIII. Not tolerate omissions in documentation.

IX. Not manage from behind thy desk.

X. Not violate rules.

There are clearly many similarities among the PSM systems displayed in Table 3 (CSChE), Table 4 (original CCPS), Table 5 (OSHA), Table 6 (EPA), and Table 7 (RBPS CCPS). There are also differences in the naming, number, and arrangement of elements in each of the systems. Detailed comparisons are given in: (i) CAPP (2014) for the CSChE PSM system (Table 3) and the OSHA PSM (Table 5)/EPA RMP (Table 6) systems, (ii) CCPS (2007) for the original CCPS PSM system (Table 4), the OSHA PSM (Table 5)/EPA RMP (Table 6) systems, and the RBPS CCPS system (Table 7), and (iii) CCPS (2016a) for the OSHA PSM (Table 5)/EPA RMP (Table 6) systems and the RBPS CCPS system (Table 7).

The comparison given in CCPS (2016a) demonstrates that at least in terms of element identification, the following concepts are made explicit in the risk-based approach to PSM management promoted in CCPS (2007, 2014):

• process safety culture,

• process safety competency,

• conduct of operations,

• measurement and metrics, and

• management review and continuous improvement.

This move by professional industry organizations to identifying more system elements and grouping them in thematic areas is also reflected in the PSM system recently developed by the Energy Institute in the United Kingdom. One again sees in Table 8 the explicit naming of key process safety concepts—e.g., competency. Defining and ensuring process safety competency at all levels in a company is critical to the success of PSM efforts (CCPS, 2015).

By regulation in Australia, major hazard facilities (MHFs) are required to establish and implement a comprehensive system to safely manage the hazards and risks encountered during operations (SWA, 2012). Table 9 shows guidance on such systems provided by Safe Work Australia (SWA, 2012). Concepts such as leadership, competency, and improvement are again present, along with the familiar technical requirements for hazard identification, risk management, permit-to-work systems, confined space entry procedures, etc.

As a direct result of the 1976 dioxin release in Seveso, Italy, the European Union (EU) operates in a highly regulated environment for the control of major-accident hazards involving dangerous substances (Meyer & Reniers, 2016). Table 10 gives a listing of the primary requirements in this regard for upper tier (Seveso high or tier 2) facilities under the EU Seveso III Directive; Table 11 identifies the broad issues that must be addressed by the SMS referenced in Table 10. Implementation of the Seveso III Directive in Great Britain is accomplished by the Control of Major Accident Hazards (COMAH) Regulations (HSE, 2015).

Of particular note in Table 10 is the obligation to consider intersite domino effects. A case in point here is the 1986 Sandoz/Schweizerhalle chemical warehouse fire in Basel, Switzerland, which resulted in far-reaching pollution of the Rhine River (Meyer & Reniers, 2016). Process safety incidents do not respect facility or even national boundaries.

Three examples from Asia help to illustrate the efficacy and widespread adoption of the core principles embodied in the PSM systems found in Tables 3–6. Fig. 7 shows the PSM elements mandated by the State Administration of Work Safety (SAWS) in China. Tables 12 and 13 present similar information for PSM in Korea and Singapore, respectively. As part of a special issue of the journal Process Safety and Environmental Protection to commemorate the 30th anniversary of the Bhopal disaster, Goh, Tan, and Lai (2015) reviewed what happened at Bhopal in relation to the practice of PSM in Singapore. This is an excellent example of leadership in driving the continuous improvement loop critical to the success of any PSM system.

In a document intended primarily for senior leaders in high-hazard industries, the Organization for Economic Cooperation and Development (OECD) provides helpful advice to ensure an appropriate process safety culture lives in the corporate boardroom as well as the facility workspaces (OECD, 2012). The notion from the previous paragraph that leadership and culture sit at the center of a continuous improvement cycle from risk-awareness through to action is also illustrated in Fig. 8.

We close our discussion of PSM systems with a brief mention of the safety case approach which is prevalent in regulation of the nuclear, aerospace, and offshore oil and gas industries. AcuTech (2012) describes the Safety and Environmental Management Program (SEMP), developed in 1993 by the offshore oil and gas industry, as a process safety-like program that was published in API RP 75 (American Petroleum Institute, Recommended Practice 75). Current US SEMS (Safety and Environmental Management System) offshore regulations have incorporated SEMP/API RP 75 by reference (AcuTech, 2012).

Sutton (2014) identifies the use of a safety case as another manner in which offshore safety can be managed. He defines a safety case as the case that the designers and operators of a facility make to all interested parties that the facility is safe (Sutton, 2014), and gives three principles upon which a safety case is built:

1. Risk control is the responsibility of the people who create the risk.

2. Setting and achieving goals, not following prescriptive regulations, is how safe operations are achieved.

3. Risk must be reduced below an acceptable threshold.

Sutton (2014) argues that the difference between the SMS and safety case approaches is not as great as one might think, with both sharing the first two principles in the above list. He comments that the heart of a safety case is in fact a SMS, and that the safety report required under the Seveso III Directive (Table 10) is essentially a safety case (Sutton, 2014).

The same statement concerning the Seveso safety reports is made by the US CSB in the safety case analysis conducted as part of its regulatory review following the 2012 Chevron refinery fire in Richmond, CA (CSB, 2014a). Key among the CSB's recommendations (CSB, 2014a) is the recommended requirement within PSM for continuous risk reduction to ALARP (as low as reasonably practicable). This, coupled with the need for more goal-based and fewer activity-based or compliance-driven regulations, addresses the second and third safety case principles in Sutton's list (Sutton, 2014).

Readers are referred to Sutton (2014) and CSB (2014a) for further ideas on the relationship between safety cases and PSM (regulated or otherwise). Both documents offer clearly written, authoritative information.

4.3 Elements

There is, of course, no substitute for careful examination of the relevant technical documentation if one wishes to learn the theoretical underpinning for a given PSM element (e.g., CSChE (2012a, 2012b) with respect to the elements in Table 3). Then follows the incubation period of practical experience with respect to the element and how it interacts in an integrated manner with its counterparts in the entire system. This experience can be personal and can also be learned from others in the form of case studies.

In this section, therefore, we review the recent process safety literature for guidance and practical examples related to individual PSM elements. We first draw attention to an innovative study by Aziz, Shariff, and Rusli (2016) in which the interrelationship among the OSHA PSM Standard elements (Table 5) is examined. Table 14 gives the interrelations among the 14 PSM elements and a subset of seven elements deemed critical on the basis of OSHA citations. While the authors recognized the importance of all elements working together as an integrated whole, process hazard analysis (PHA) and mechanical integrity (MI) were the most highly correlated with other elements in their analysis (Aziz et al., 2016).

Table 15 provides references for papers related to elements of the RBPS system (CCPS, 2007) shown in Table 7. The analysis was limited to papers having an explicit management focus; thus, the numerous works available on topics such as specific hazard identification and risk analysis techniques are not referenced here.

As an example of how a given reference citation was categorized in Table 15, consider the title of Dennis Hendershot's paper (Hendershot, 2012): Process Safety Management—You Can’t Get It Right Without a Good Safety Culture. It seems clear that this reference relates primarily to the element process safety culture, and this is indeed the case. Note, however, that the second column in Table 15 is headed Representative PSM Element. When reading Hendershot (2012), one sees additional references to the influence of safety culture on activities such as PHA and incident investigation, as well as the following section heading: A Good Culture—Critical to all PSM Activities (Hendershot, 2012). This is in accordance with the previously described work of Aziz et al. (2016).

Our presentation now touches on a sampling of Table 15 references to illustrate some features of specific PSM elements. Olewski et al. (2016) describe the importance of safety culture from a university perspective—in their case, managing a major research project on the consequences of ground spills of LNG (liquefied natural gas). As recent events have demonstrated, serious incidents involving hazardous materials are not restricted to industry (CSB, 2010a).

Scholtz and Maher (2014) provide helpful advice on the development of effective operating procedures. They suggest consideration of the following points (Scholtz & Maher, 2014):

• approval of the procedure template by all stakeholders,

• use of a user-friendly procedure format that is consistently applied across the facility,

• breaking down processes into separate units to facilitate referencing of procedures, and

• establishing an appropriate depth of information to be included in procedures, with subsequent adjustment of the training program.

Hayes (2015) gives an illustrative case study of the importance of effective asset integrity management by examining a gas transmission pipeline rupture. This 2010 incident in San Bruno, CA caused eight fatalities (members of the public), and resulted from the failure of a longitudinal seam weld on a line that had not been inspected or tested since installation in 1956 (Hayes, 2015). Among the many excellent points made by the author is the following key observation (Hayes, 2015): The primary strategy for ensuring public safety was the management of system integrity by means of compliance with regulations. The key question in people's minds was “does it comply?,” rather than “is it safe?” One is reminded of the earlier quote from Hendershot (2016) that PSM regulatory compliance should be an outcome not an objective (quote attributed to M. Broadribb in Hendershot, 2016).

MOC is a powerful system that enables continuous improvement through change. If it is not properly applied, however, it can cripple an organization and inhibit such progress (Kelly, 2013). These statements by Brian Kelly aptly summarize the multifaceted nature of MOC—management of change. Change is inevitable for progress, yet it must be effectively managed so as not to impede the very thing it enables; Kelly (2013) refers to MOC as one of the more fundamental elements of PSM. It must be well understood that risk can be heightened not only by technical changes involving valves, pumps, and compressors, but also by organizational changes that occur in the normal course of business and in major events such as mergers and acquisitions (Philley, 2002; Wincek et al., 2015).

As identified in CCPS (2007, 2016a), conduct of operations is one of the new PSM elements appearing in the risk-based PSM system shown in Table 7. CCPS (2014) describes this element as the execution of operational and management tasks in a deliberate and structured manner. Further details can be found in CCPS (2011a, 2012) for both conduct of operations and its subcomponent operational discipline (defined in CCPS (2012) as displaying behaviors within a system of checks and balances that help ensure that things are done correctly and consistently). Conduct of operations has strong ties to the cultural dimension of an organization (CCPS, 2014), as well as other PSM elements such as operating procedures, training and performance assurance, and management of change (Haesle et al., 2009). Forest (2012) offers a timely reminder in Fig. 9 that effective conduct of operations requires discipline not only by process operators (operational discipline), but also by engineering and management personnel (engineering discipline and management discipline, respectively).

There are other examples in the literature that do not correspond directly by element name to the RBPS system given in Table 7—such as the work of Abu-Khader (2004) on human factors and Majid, Shariff, Rusli, and Azman (2016b) on trade secrets. These papers do, however, correlate by specific element name to the CSChE system (Table 3) and the OSHA Standard (Table 5), respectively; they would also be relevant to risk-based PSM (Table 7) by virtue of the various subcomponents of the 20 primary elements. For example, Forest (2012) comments on how conduct of operations helps to reduce the likelihood of human error.

Before moving on to the measurement of PSM performance, we conclude this section by making note of the usefulness of CSB investigation reports and case studies for learning about the functioning of a PSM system and, in particular, the individual elements. This is a theme that reappears later in this chapter when discussing important process safety concepts and their relation to PSM. In a similar vein, Amyotte (2013b) remarks on how CSB reports and videos have significant value in teaching process safety to undergraduate engineering students.

The cover page of each CSB report (which are freely available at csb.gov) typically contains a listing of key issues related to some aspect of incident root causation (management system deficiency, process safety concept, regulatory concern, etc.). The reports therefore afford excellent learning opportunities and should constitute a critical component of a company's efforts to enhance process safety knowledge. The final component (process safety resource center and reference library) under this PSM element (no. 12) in Table 3 includes case histories concerning incidents illustrating PSM principles (CSChE, 2012a). There is of course no reason for library resources to be restricted to books on shelves. Table 16 provides a snapshot of what is possible using resources available in the public domain.

4.4 Metrics

Much has been written over the past 5–10 years on the subject of process safety performance indicators (PSPIs)—or more generally, safety performance indicators (SPIs), and what would have been referred to earlier as key performance indicators (KPIs). Table 17 provides a listing of research and case study references taken from the recent process safety literature on PSM performance measurement.

We also draw attention to the comprehensive review of the literature on process safety indicators given by Swuste, Theunissen, Schmitz, Reniers, and Blokland (2016), and the very accessible treatment of PSPIs written by Azizi (2016). These two papers collectively form an excellent entry point to the world of PSM metrics for novice readers, as well as a thoughtful refresher for those who are more experienced in this field. Hence, our further discussion here on PSM performance measurement is brief.

From a fundamental perspective, Fig. 10 outlines a general, four-step methodology for program operation with respect to process safety performance measurement. The deliverables from the second step are the sets of leading and lagging indicators for identified safety critical activities (WSHCouncil, 2012). [As an aside—it is well established that occupational safety indicators are typically not appropriate for process safety purposes. For example, near-miss indicators must be directly related to process events such as pressure or temperature excursions, not occupational safety-type activities such as working at height.]

Azizi (2016) describes two methods for PSPI selection which rely either on the use of barriers (Fig. 11) or tiers (Fig. 12). The barrier-based approach utilizes Reason's Swiss cheese model (Reason, 1990), whereas the tier-based approach comes from the accident pyramid concept of consequences escalating from base to tip (Azizi, 2016). Azizi (2016) identifies the barrier-based approach with the UK Health and Safety Executive (HSE, 2006), and the tier-based approach with the American Petroleum Institute (API, 2010), International Association of Oil and Gas Producers (OGP, 2011), and Center for Chemical Process Safety (CCPS, 2011b).

Examples of PSPIs drawn from ANSI/API Recommended Practice (RP) 754 (API, 2010) include the following:

• Tier 1 (Lagging)

– hospital admission and/or fatality of a third party

– officially declared community evacuation or shelter-in-place

– fire or explosion resulting in direct company cost of $25,000 or more

• Tier 2 (Lagging)

– employee, contractor, or subcontractor recordable injury

– fire or explosion resulting in direct company cost of $2500 or more

– discharge of a pressure relief device to atmosphere resulting in liquid carryover

• Tier 3 (Leading)

– safe operating limit excursions

– primary containment inspection results outside acceptable limits

– demands on safety systems

• Tier 4 (Leading)

– completion of process hazard evaluations

– work permit compliance

– management of change and prestartup safety review compliance

It should be noted that the above examples are for illustration only. ANSI/API RP 754 (API, 2010) and HSE (2006) should be consulted for all other purposes related to the development and use of tier-based and barrier-based PSPIs, respectively. For information on SPI development related to chemical accident prevention, preparedness, and response—in this case for public authorities and the general public—OECD (2008) provides guidance in relation to activities such as land-use planning and emergency coordination with facilities processing hazardous materials.

4.5 Improvements

The need for continual improvement has been mentioned several times to this point in our discussion of PSM systems and their constituent elements. Here we present practical advice on this point with reference to the recent process safety literature. First though, we make note of a recently published CCPS book: Guidelines for Implementing Process Safety Management, 2nd edition (CCPS, 2016c). Although not yet reviewed by the current authors, it is expected that this new addition to the CCPS guideline series will provide helpful information on many PSM-related topics including the subject of this section. Chapter 6 in CCPS (2016c) is titled Improving an Existing PSM Element or System.

While the need to improve PSM elements and systems is perhaps self-evident, additional motivation can be found in the review by Shariff, Aziz, and Majid (2016) who remark on the continued occurrence of major process accidents decades after the formal adoption of PSM by industry. Having said this, the study by Bottani, Monica, and Vignali (2009) reminds us that companies operating without a SMS at all are at a distinct disadvantage with respect to activities like risk analysis, corrective actions, and employee training.

Nevertheless, PSM systems do sometimes fail. Kelly (2011) gives 10 contributing reasons for these failures (in no particular order of priority): (i) failure by senior management to understand and support the goals of a process safety program, (ii) focus of PSM activities primarily on regulatory compliance, (iii) inappropriate assignment of resources to support process safety, (iv) discipline of workers involved in an incident for reasons other than policy/protocol violations, (v) mismatch between the type of operation and the process safety framework selected, (vi) competition among process safety and other management programs and initiatives, (vii) ineffective risk communication to management resulting in poor understanding of risk by corporate decision makers, (viii) lack of engagement/commitment to process safety by all staff, (ix) management failure to learn from previous incidents, and (x) failure to hold middle managers accountable for process safety deliverables.

On the final item in the above list, a recent paper by Rezvani and Hudson (2016) highlights the indispensable role of middle management in effectively managing safety in the process industries. In an overall sense, Arendt (2006) provides practical suggestions for strategies to improve PSM (e.g., adding new PSM activities to existing PSM elements and creating new PSM elements), as well as sources of information for improvement (e.g., sharing best practices within industry groups and benchmarking within a peer group). Several authors have written on the development and improvement of PSM systems in small companies (Bragatto, Ansaldi, & Agnello, 2015; Goddard, 2012; Herber, 2012; Louvar, 2008).

Klein and Dharmavaram (2012) write on achieving higher levels of PSM performance by focusing on improvements in, among other areas, maintaining a sense of vulnerability, risk management practices, and operational discipline. Young and Hodges (2012) suggest establishing a mentoring program to enhance competencies with regard to the CCPS risk-based PSM system (Table 7).

Paradies (2011) makes an interesting comparison between safety management in the process industries and in the US nuclear navy. He identifies a number of PSM gaps that can be viewed as potential areas for PSM improvement (Paradies, 2011): (i) assuming of ultimate responsibility for research, design, operations, and maintenance of process facilities by senior management, (ii) appropriate management resolution of conflicts between PSM priorities and production/budget issues, (iii) requirements for advanced technical training and competence of PSM-facility leadership, (iv) strict standards for operational and supervisory personnel training, both on hiring and on a continuing basis, (v) performance auditing and direct reporting requirements of audit results to senior leadership, (vi) emphasis on regular self-assessments, (vii) strict enforcement of compliance with procedure and management standards, and (viii) emphasis on design to prevent plant upsets and accidents.

Table 18 gives several case studies that afford excellent learning opportunities on PSM improvement needs and techniques. (Although presented in a previous section as avenues for understanding specific PSM elements, industry examples such as Hayes (2015) and the CSB reports in Table 16 have additional value as improvement motivators.) While only one representative PSM improvement topic was selected for most of the entries in Table 18, the source references contain a wealth of information in this regard. For example, Cazabon and Erickson (2010) comment on process safety information, PHA, and prestartup safety review in addition to MOC. The exception to this single-entry rule for the third column in Table 18 is the paper on Bhopal by Vaughen (2015). Given the extreme nature of Bhopal, and its global and enduring impact, we have included Fig. 13 from the work of Vaughen (2015). Readers interested in further consideration of the PSM legacy of Bhopal are referred to the paper by Amyotte, Berger, et al. (2016) in the journal Current Opinion in Chemical Engineering.

The final piece of advice in this section comes from John Bresland—a former member and chair of the US CSB, and also someone with a long and continuing career in the process industries. He comments in Bresland (2016) that he saw three types of companies during his time at the CSB: (i) those that do not understand the hazards in their operations, lack an appropriate process safety program, and thus experience major accidents, (ii) those that do understand the hazards they face and the pertinent regulations, have an excellent process safety program driven by qualified people, yet still experience process incidents having minor and also severe consequences, and (iii) those that understand the hazards and regulations, have an excellent safety program and well-qualified people, and do not have serious process incidents.

The third category above is clearly the desired state for a process industry company. To help achieve this goal, Bresland offers his top 10 rules for process safety success (Bresland, 2016):

1. Having leadership that is committed to process safety, including CEOs, managers, and supervisors—anyone in a leadership position.

2. Attracting the best possible people from senior managers to control room operators by means of strict hiring procedures.

3. Ensuring equipment reliability through an effective mechanical (asset) integrity program.

4. Being passionate about attention to detail.

5. Carefully monitoring operations with process safety metrics.

6. Taking a long-term view on risk; shutting down when necessary to resolve problems.

7. Preparing for injuries and off-site consequences of process incidents.

8. Investigating all accidents in a comprehensive manner.

9. Refusing to let complacency set in.

10. Developing and nurturing a strong process safety culture.

5.1 Inherently Safer Design

ISD, or simply inherent safety, is a maturing area within the broader field of process safety. Book treatments are available (e.g., CCPS, 2009; Kletz & Amyotte, 2010) and research is actively underway (e.g., Abidin, Rusli, Shariff, & Khan, 2016; Roy et al., 2016).

How then does ISD dovetail with PSM? Amyotte, Goraya, Hendershot, and Khan (2007) comment that explicit incorporation of the principles of inherent safety in the basic definition and functional operation of the various PSM elements can help to improve the quality of the safety management effort. They then give several illustrations of ISD incorporation in the elements of the CSChE-recommended PSM system shown in Table 3 (Amyotte et al., 2007). An example from an earlier paper by Goraya, Amyotte, and Khan (2004) is given in Fig. 14, which demonstrates how inherent safety guidewords and checklist items can enhance a traditional incident investigation protocol. The guidewords are simply the primary ISD principles of minimization, substitution, moderation, and simplification; these principles are identified in CSChE (2012a) under the reduction of risk component of the process risk management element.

The usefulness of CSB investigation reports as a learning tool for PSM enhancement is demonstrated once again in the work of Amyotte, MacDonald, and Khan (2011). They analyzed a set of 63 CSB reports and identified over 200 examples from the hierarchy of controls for risk reduction: inherent safety, passive engineered safety, active engineered safety, and procedural safety (Amyotte et al., 2011). Fig. 15 shows that it is possible to assign each safety measure example to a specific PSM element, thus establishing a quantitative link between a process safety concept—ISD, or more broadly, the hierarchy of controls—and PSM (Amyotte et al., 2011). A similar study has recently been conducted for the period 2011–16 (Irvine, Amyotte, & Khan, 2016) and will be the subject of a future archival journal submission.

5.2 Recognition of Warning Signs

There are—or rather, there should be—no black swan (unforeseen and unpredictable) process incidents (Amyotte, Margeson, Chiasson, Khan, & Ahmed, 2014). In theory there are always warning signs of an impending undesirable event; in practice these precursor signals can be weak and conceptual or cultural, as opposed to strong and material or physical. A slow decline in a critical feature such as a willingness to report near-misses might be more difficult to identify than a mechanical integrity issue with a visibly corroded process vessel or pipeline. Nevertheless, both are important to the assurance of process safety.

As with ISD, numerous references are available on the subject of warning sign recognition. The publications of Andrew Hopkins (e.g., Hopkins, 2000, 2009a) are especially helpful in understanding the relationship between warning signs and the elements of an effective safety culture and SMS (Amyotte et al., 2014). The previous discussion on PSPIs and the PSPI references cited should also be viewed as relevant to the topic of warning signals for process incidents.

CCPS (2012) deals with the following areas as potentially beneficial in the identification of warning signs: (i) leadership and safety culture, (ii) training and competency, (iii) process safety information, (iv) procedures (operating and maintenance), (v) asset (mechanical) integrity, (vi) risk analysis and management of change, (vii) audits, (viii) learning from experience, and (ix) near-miss and incident reporting/investigation. The close correspondence of this list to the CCPS risk-based PSM system pillars and elements (Table 7) is not a coincidence. Like ISD, warning sign recognition is an integral PSM concept.

In his own review of CSB investigation reports, Baybutt (2016b) concludes that his analysis can be used by companies to improve their PSM performance by focusing on areas in which other companies have experienced difficulty. This epitomizes the concept of learning from experience as expressed in the above list from CCPS (2012). The final item in this list is the subject of a recent study by Gnoni and Saleh (2017) in which consideration of near-misses as accident precursors was shown to generate opportunities for system redesign, improved operational procedures, and worker training.

5.3 Process Safety Culture

Several compilations of thoughts and advice from the literature have been given in this chapter: (i) Rosen (2015) and his 10 commandments for risk-based PSM, (ii) Kelly (2011) on why PSM systems fail, (iii) Paradies (2011) with a comparison between PSM and safety management in the US nuclear navy, and (iv) Bresland (2016) and his top 10 rules for process safety success. Common to all is the concept of process safety culture—either explicitly in the case of Rosen (2015) and Bresland (2016), or clearly evident as the motivating force to effect the changes advocated by Kelly (2011) and Paradies (2011).

Text references on safety culture abound—e.g., Goetsch (2010) on developing a safety-first corporate culture; the fundamental treatise on safety culture by Hopkins (2005); and the compendium of lessons from high reliability organizations also provided by Hopkins (2009b). Whether a separately defined and named element as in Table 7 (RBPS), or an implicit component throughout a given system, process safety culture considerations have a significant impact on PSM success.

Hopkins (2005) is an excellent resource for understanding the basic principles of safety culture. He considers three concepts—safety culture, collective mindfulness, and risk awareness—and explains the similarities and overlaps in each approach (Hopkins, 2005). The breakdown of safety culture into just, reporting, learning, and flexible (decision-making) cultures (Hopkins, 2005) helps relate the overall concept to specific PSM elements (e.g., incident investigation). Collective mindfulness involves several features such as preoccupation with failure and sensitivity to operations (Hopkins, 2005); these correlate well with avoiding complacency and maintaining a sense of vulnerability, respectively, as expressed earlier in this chapter. Risk awareness incorporates the avoidance of normalizing evidence (Hopkins, 2005), sometimes called normalization of deviance or deviation. This is an extremely undesirable state in which abnormal events (such as “small” process fires) are accepted as the norm, eventually leading to a process incident with much more severe consequences.

Table 19 is a summary of the analysis involving ISD, warning signs, and process safety culture conducted by Amyotte, Khan, and Lupien (2016), which in turn builds on the work of Amyotte and Khan (2016). Six CSB-investigated incidents were reviewed with respect to these three common causation factors as referenced in Table 19 and Figs. 16–21. Each hazard is defined in terms of loss or generation of containment, and both hazards and incident causes are related to a specific PSM element from Table 3. Inadequate consideration of ISD, warning signs, and process safety culture increases risk by permitting the existence of hazards and creating management system deficiencies.

5.4 Dynamic Risk Assessment

Just as ISD is most effective when considered at the earliest possible stage in the design phase of a process plant, there is a concurrent need for dynamic risk assessment during the operational phase (Amyotte, Berger, et al., 2016). Khan et al. (2016) define dynamic risk assessment as a method that updates estimated risk of a deteriorating process according to the performance of the control system, safety barriers, inspection and maintenance activities, the human factor, and procedures.

Fig. 22 schematically represents the potential evolution of safety standards enabled by the familiar PDCA (plan, do, check, adjust/act) cycle embodied in both dynamic risk assessment and PSM. Based on name alone, dynamic risk assessment should be expected to interface with any PSM activities related to hazard identification and risk analysis, assessment, and management. Because one of the focal points of dynamic risk assessment is the potential degradation of safety barriers, its use is also relevant to the analysis of PSPIs (whether developed from a barrier- or tier perspective). Readers are referred to Khan et al. (2016) for a review of the current state-of-the-art with respect to dynamic risk assessment.