Session No. 526

Process Safety Management: A Legal and Technical Overview


Hamid R. Kavianian, Ph.D., CSP
Department of Chemical Engineering
California State University Long Beach

ABSTRACT
Unexpected releases of toxic, reactive, or flammable liquids and gases in processes involving highly
hazardous chemicals have occurred numerous times in industry. The Occupational Safety and Health
Administration (OSHA) estimates that losses can be reduced tremendously if proper safety precautions
and preparation at job sites are initiated.
Elements of process safety management from both legal and technical viewpoints are discussed.
Application of hazard evaluation methodologies to the safe design and operation of potentially
hazardous chemical and petroleum processes is demonstrated. These procedures identify the hazards
that exist, the consequences that might occur as a result of the hazards, the likelihood that events might
take place that would cause an accident with such consequences, and the likelihood that the safety
systems and emergency alarms and evacuation plans would function properly and eliminate or reduce
the consequences.
System application of Preliminary Hazard Analysis, What If Analysis, Fault Tree Analysis and Hazard
and Operability Analysis is discussed. Elements of OSHA's Process Safety Management Standard
are also discussed. This OSHA standard contains requirements for preventing or minimizing the
consequences of catastrophic releases of toxic, flammable, reactive, or explosive chemicals.

INTRODUCTION
The advent of complex and high-energy hazardous processes has made process safety management an
integral element of process design and operation. Catastrophic events such as the Flixborough explosion,
the Seveso dioxin release and the Bhopal toxic plume release, and a host of others, are examples of disasters
which could have been prevented by proper application of process safety management techniques.
The Flixborough event showed the importance of proper controls when administering changes in plant
design, such as engineering verification of changes, and the effects of a vapor cloud explosion. The Bhopal
event showed the importance of maintenance and administrative controls.
The major objective of process safety management is to prevent unwanted releases of hazardous
chemicals, especially into locations which could expose employees and others to serious hazards. An
effective process safety management program requires a systematic approach to evaluating the whole
process. Using this approach, the process design, process technology, operational and maintenance
activities and procedures, non-routine activities and procedures, emergency preparedness plans and
procedures, training programs and other elements which impact the process are all considered in the
evaluation. The various lines of defense that have been incorporated into the design and operation of
the process to prevent or mitigate the release of hazardous chemicals need to be evaluated and
strengthened to assure their effectiveness at each level. Process safety management is the proactive
identification, evaluation and mitigation or prevention of chemical releases that could occur as a result
of failures in process, procedures or equipment.

Elements of Process Safety Management (PSM) [1,2,3,4]


1. Employee Participation
A successful Process Safety Management program must be based on the concept of teamwork between
management and employees. It is imperative for management to consult with their employees
regarding management's efforts in the development and implementation of the PSM program
elements and hazard assessments. A sound management approach to employee participation allows
more and more employees to influence decisions and have access to process information.

2. Process Safety Information


Complete and accurate written information on process definition and design criteria, process and
equipment design, documentation of risk management decisions, protective systems, normal and upset
conditions, and chemical and occupational health hazards is essential to an effective PSM program.
This information is a necessary resource to a variety of users including the team that will perform the
process hazard analysis. This information must be comprehensive and provide accurate assessment of
the fire and explosion characteristics, reactivity hazards, the safety and health hazards to workers and
the corrosion and erosion effects on the process equipment and monitoring tools.

3. Process Hazard Analysis


A process hazard analysis is one of the most important elements of the Process Safety Management
program. This is an organized and systematic effort to identify and analyze the significance of
potential hazards associated with the processing or handling of hazardous chemicals. The selection of
a process hazard analysis methodology or technique will be influenced by many factors including the
amount of existing knowledge about the process.
Is it a process that has been operated for a long period of time with little or no innovation? Or, is it a
new process or one that has been changed frequently by the inclusion of innovative features? Also,
the size and complexity of the process will influence the selection of the appropriate process hazard
analysis methodology.

Risk Analysis
Before selection and application of any process hazard analysis methodology, a comprehensive risk
assessment must be conducted. This assessment must provide information on the degree of risk as a
result of system component failures. Although risk analysis can be conducted either on a quantitative
or qualitative basis, the important issue is that both the severity and probability (frequency) of the
undesirable events must be taken into account. The combination of probability and severity of
undesirable events must provide management with the information on whether the risk is
acceptable or not. In the event that risk is unacceptable, the system must be modified to lower the
probability, the severity, or both, of the undesirable events. For example,
consider a high-pressure jacketed reactor with a highly exothermic reaction. Assume that the heat of
reaction is removed by pumping a coolant through the reactor jacket. A risk assessment of this
process reveals that failure of the pump can result in a runaway chemical reaction and explosion. This
is, obviously, an unacceptable risk. Adding a spare pump can modify the system. This lowers the
probability of an explosion as a result of pump failure because two pumps must fail for the system to
fail.
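The probability-times-severity reasoning above, including the effect of the spare pump, can be made concrete. The following Python is an added example and not part of the paper. The likelihood bands, severity scores, pump failure probability of 0.02 per demand, acceptance threshold and common-cause factor are all constructed assumptions. The beta-factor treatment of common-cause failure is a practitioner's caveat the paper does not cover: two pumps that share a power feed, a suction line or a maintenance crew do not fail independently, so the gain from redundancy is smaller than p squared suggests.

```python
"""Probability x severity risk ranking for the jacketed-reactor coolant pump case.

Added example, not part of the paper. The likelihood bands, severity scores,
pump failure probability, acceptance threshold and common-cause factor are
constructed assumptions used only to illustrate the reasoning in the text.
"""
from dataclasses import dataclass

# Constructed likelihood bands: (lower bound on probability, label, score).
LIKELIHOOD_BANDS = [
    (1e-1, "frequent", 5),
    (1e-2, "probable", 4),
    (1e-3, "occasional", 3),
    (1e-4, "remote", 2),
    (0.0, "improbable", 1),
]

# Constructed severity scores for the worst credible consequence.
SEVERITY_SCORE = {"negligible": 1, "marginal": 2, "critical": 3, "catastrophic": 4}

# Constructed acceptance threshold on likelihood score x severity score.
ACCEPTABLE_RISK_SCORE = 8


def likelihood_category(p):
    """Map a probability to the first band whose lower bound it meets."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    for lower, label, score in LIKELIHOOD_BANDS:
        if p >= lower:
            return label, score
    return LIKELIHOOD_BANDS[-1][1], LIKELIHOOD_BANDS[-1][2]


def redundant_failure_probability(p_unit, n_units, beta=0.0):
    """Probability that all n_units redundant units fail on demand.

    beta=0 is the pure AND-gate case (independent failures, p_unit ** n_units).
    A non-zero beta is the beta-factor model of common-cause failure: a
    fraction beta of each unit's failures is shared by all units, so the
    result is bounded below by beta * p_unit no matter how many spares.
    """
    independent = ((1.0 - beta) * p_unit) ** n_units
    common_cause = beta * p_unit
    return independent + common_cause


@dataclass(frozen=True)
class Scenario:
    event: str
    probability: float
    severity: str

    def rank(self):
        """Risk score and acceptability from the likelihood band and severity score."""
        label, lscore = likelihood_category(self.probability)
        score = lscore * SEVERITY_SCORE[self.severity]
        return {
            "event": self.event,
            "probability": self.probability,
            "likelihood": label,
            "risk_score": score,
            "acceptable": score <= ACCEPTABLE_RISK_SCORE,
        }


def assess_coolant_loss(p_pump=0.02, spare_pumps=0, beta=0.0):
    """Rank the runaway-reaction scenario for one pump plus `spare_pumps` spares."""
    p = redundant_failure_probability(p_pump, 1 + spare_pumps, beta)
    return Scenario("runaway reaction from loss of coolant flow", p, "catastrophic").rank()


if __name__ == "__main__":
    for spares, beta in ((0, 0.0), (1, 0.0), (1, 0.1)):
        r = assess_coolant_loss(spare_pumps=spares, beta=beta)
        verdict = "acceptable" if r["acceptable"] else "UNACCEPTABLE"
        print(f"spares={spares} beta={beta}: p={r['probability']:.6f} "
              f"{r['likelihood']}, score {r['risk_score']}, {verdict}")
```

With the assumed numbers, a single pump ranks "probable" and unacceptable, one spare with independent failures ranks "remote" and just inside the threshold, and the same spare with a 10% common-cause fraction drops back to "occasional" and unacceptable. The last case is the one to remember: the text's "two pumps must fail" argument holds only to the extent the two failures are actually independent.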
Once a risk assessment has been completed, the appropriate process hazard analysis methodology can
be selected and applied to the process. This analysis must identify different types of hazards within
the system components and propose possible solutions to eliminate the hazards. These procedures
are extremely useful in identifying system modes and failures that can contribute to occurrence of
accidents, and should be an integral part of different phases of process development from conceptual
design to installation, operation and maintenance.
The following process hazard analysis methodologies are useful as an element of a successful Process
Safety Management program.

Preliminary Hazard Analysis (PHA)


A preliminary hazard analysis (PHA) is a general, qualitative study that yields a rough assessment of
potential hazards and means of their rectification within a system. It is called "preliminary" because it
usually is refined through additional studies. This method focuses special attention on sources of
energy for the system and on hazardous materials that might adversely affect the system or
environment. Resources needed to conduct a PHA include plant design criteria and equipment and
material specifications.
The results of a PHA study can be summarized in the form of a table (see Table 1) or logic diagram
(Figure 1). In either format, potential hazards that pose a high risk are identified, along with their
cause and major effects. In addition, for each hazard identified, a preliminary means of control is
prescribed in the analysis. Thus a PHA is not performed just to develop a list of possible hazards, but
is used to identify those hazardous features of a system that can result in unacceptable risks, and to
assist in developing preventive measures in the form of engineering or administrative controls or the
use of personal protective equipment.

What If Analysis
The main purpose of this method is to identify the hazards associated with a process by asking
questions that start with "What if". This method can be extremely useful if the design team
conducting the examination is experienced and knowledgeable about the operation; otherwise, the
results are incomplete. The examination usually starts at the point of input and follows according to
the flow of the process. Each of the "what if" questions is addressed by identifying the hazard and its
consequence, and recommending solutions or alternatives to alleviate risk.

Table 1 Summary table for PHA (template).

    Hazard    Cause    Major Effects    Corrective/Preventive Measures
    1.        a1                        a1
              a2                        a2

Figure 1 Logic diagram for use in conjunction with preliminary hazard analysis: Hazard -> Cause ->
Major Effects -> Means of Control.

Failure Modes Effects and Criticality Analysis (FMECA) [6]


Failure Mode Effects and Criticality Analysis (FMECA), also known as Failure Modes and Effect
Analysis (FMEA), is a systematic method by which equipment and system failures and resulting
effects of these failures are determined. FMECA is an inductive analysis; that is, possible events are
studied, but not the reasons for their occurrences. FMECA has some disadvantages; human error is
not considered, and the study concentrates on system components, not system linkages that often
account for system failures. FMECA provides an easily updated systematic reference listing of failure
modes and effects that can be used in generating recommendations for equipment design
improvement. Generally, this analysis first is performed on a qualitative basis; quantitative data can
be applied later to establish a criticality ranking, often expressed as probability of system failures.

Hazard and Operability Study (HAZOP) [3,5]


The purpose of a hazard and operability study (HAZOP) is to identify problems associated with
potential hazards and deviations of plant operation from the design specifications. It is carried out by a
multidisciplinary team following a structured procedure built around a series of guidewords. The
results of this study are dependent upon the quality of information on the process or plant and the
experience of the team members.

A thorough HAZOP study can be accomplished in five steps, the first step being to define the scope
and purpose of the study. The scope includes the specific areas of the process to be studied as well as
what type of hazard consequences will be considered. The object of the study is included within the
purpose.
The second step in classic HAZOP is to select a team to carry out the study. Ideally this team includes
five to seven members from different areas within the operation. A team leader is chosen who should
have a good general knowledge of the process being studied as well as experience in conducting
HAZOP studies.
Once the team has been formed, information gathering must begin. The quality of the study depends
on the source of the information used in conducting it. Suggested materials include piping and
instrumentation diagrams, flow diagrams, layouts, and any equipment information that may be
available. During data collection, the team leader should determine the sequence of study, or study
nodes. Each study node is a specific portion of the design that will be studied individually. The leader
also should compose a list of guidewords such as those summarized in Table 2.
The team then will carry out a review of the process, examining each study node individually and
applying all guidewords to each of its components. The flow diagram in Figure 2 suggests a typical
sequence to follow when carrying out this study. Each member of the team should contribute equally
to the hazard analysis and the final tabulated report.

Table 2 Guidewords for HAZOP

    Parameter class                    Guidewords
    General parameters                 no, more, less, part of, as well as, other than, reverse
    Time parameters                    sooner, later, other than
    Position, source parameters        where else, other than
    Temperature, pressure parameters   higher, lower, more, less

Figure 2 Flow diagram for a hazard and operability analysis (HAZOP): select a study node -> apply
guidewords -> record causes and consequences -> any hazard/operability problems? If yes, suggest
solutions.


The final report for a HAZOP study should contain all information in tabular format. Each table
should include the guide words used, the deviation from the expected operation, the causes of that
deviation, any consequences and suggested actions to alleviate or eliminate the problem. The main
purpose of HAZOP studies is to find problems, not to solve them; so only obvious solutions need be
suggested. Each parameter should be addressed in an individual table. These tables may be
accompanied by a report that includes the scope of the study and any suggestions or general
recommendations.
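The review loop of Figure 2 and the tabular report described above, as an added Python example that is not the paper's own code: it applies the Table 2 guidewords to each parameter of a study node, records the team's causes, consequences and suggested actions per deviation, groups the rows into one table per parameter as the final report requires, and flags deviations the team never addressed. The study node (an ethane feed line), its parameters, the mapping of parameters to guideword classes, and the findings are constructed assumptions, not material from the paper's case study.

```python
"""HAZOP worksheet: guidewords applied to every parameter of a study node.

Added example, not code from the paper. GUIDEWORDS follows Table 2; the
study node, its parameters, the parameter-to-guideword-class mapping and
the team findings are constructed for a furnace feed line.
"""
from dataclasses import dataclass, field

# Guidewords of Table 2, keyed by the class of parameter they apply to.
GUIDEWORDS = {
    "general": ["no", "more", "less", "part of", "as well as", "other than", "reverse"],
    "time": ["sooner", "later", "other than"],
    "position": ["where else", "other than"],
    "temperature": ["higher", "lower", "more", "less"],
    "pressure": ["higher", "lower", "more", "less"],
}

# Assumption: which guideword class each process parameter is reviewed under.
PARAMETER_CLASS = {"flow": "general", "temperature": "temperature", "pressure": "pressure"}


@dataclass
class Deviation:
    """One row of the HAZOP table: guideword + parameter, plus the team's findings."""
    node: str
    parameter: str
    guideword: str
    causes: list = field(default_factory=list)
    consequences: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    reviewed: bool = False

    @property
    def label(self):
        return f"{self.guideword} {self.parameter}"


def generate_deviations(node, parameters):
    """Apply every applicable guideword to every parameter of the node (the Figure 2 loop)."""
    return [
        Deviation(node, parameter, guideword)
        for parameter in parameters
        for guideword in GUIDEWORDS[PARAMETER_CLASS[parameter]]
    ]


def record_findings(rows, findings):
    """Fill rows from team findings keyed by deviation label, e.g. 'no flow'.

    A finding of None means the team considered the deviation and found no
    credible cause: the row is marked reviewed but stays empty.
    """
    for row in rows:
        if row.label in findings:
            row.reviewed = True
            if findings[row.label] is not None:
                row.causes, row.consequences, row.actions = findings[row.label]
    return rows


def hazards(rows):
    """Deviations with at least one recorded consequence."""
    return [r for r in rows if r.consequences]


def unreviewed(rows):
    """Deviations the team never addressed: a coverage gap, not a clean result."""
    return [r.label for r in rows if not r.reviewed]


def tables_by_parameter(rows):
    """Final report layout: one table per parameter, each row as a dict."""
    tables = {}
    for r in rows:
        tables.setdefault(r.parameter, []).append(
            {"guideword": r.guideword, "deviation": r.label, "causes": r.causes,
             "consequences": r.consequences, "actions": r.actions})
    return tables


# Constructed study node and constructed team findings.
NODE = "ethane feed line to pyrolysis furnace"
PARAMETERS = ["flow", "temperature", "pressure"]
FINDINGS = {
    "no flow": (["feed valve closed in error", "feed pump trip"],
                ["tube overheating and coking with burners still firing"],
                ["low-flow alarm", "fuel cut-off interlock on low feed flow"]),
    "reverse flow": (["furnace pressure exceeds feed header pressure"],
                     ["hot cracked gas backs into the feed header"],
                     ["check valve on feed line"]),
    "higher pressure": (["outlet valve fails closed"],
                        ["radiant tube rupture"],
                        ["pressure alarm", "relief path on outlet"]),
    # Reviewed, no credible cause found.
    "more flow": None, "less flow": None, "part of flow": None, "as well as flow": None,
    "other than flow": None, "lower pressure": None, "more pressure": None, "less pressure": None,
}


def run_study(node=NODE, parameters=PARAMETERS, findings=FINDINGS):
    """Generate the full deviation list and fill it from the findings."""
    return record_findings(generate_deviations(node, parameters), findings)


if __name__ == "__main__":
    rows = run_study()
    for parameter, table in tables_by_parameter(rows).items():
        print(f"== {parameter} ==")
        for row in table:
            print(f"  {row['deviation']:<22} {row['causes']} -> {row['consequences']} ; {row['actions']}")
    print("unreviewed deviations:", unreviewed(rows))
```

The `unreviewed` list is the check worth keeping from this example: in the constructed findings the temperature parameter was never addressed, and the report makes that visible rather than letting an empty row pass for "no hazard".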

Fault Tree Analysis (FTA)


This method of hazard evaluation visually demonstrates the interrelationship among equipment failure,
human error, and environmental factors that can result in the occurrence of an accident. FTA is a
backward analysis; a system hazard, or top event, is the starting point and the study traces backward
to find the possible causes of the hazard. Analysis is restricted to the identification of system elements
and events that led to the specified failure or accident. FTA employs Boolean logic; this requires that
any statement, condition, act, or process be described as only one of two possible states, such as
on/off, fully open, and so on. FTA can be computerized, and probabilities of events occurring can be
calculated using minimum cut sets. A minimum cut set is the most direct path to a top event; a higher
number of cut sets indicates a lower probability of the event occurring.

Three steps are required to conduct a fault tree analysis thoroughly and accurately. First, the undesired
event, or top event, is defined. In the second step investigators develop a thorough understanding of
the system to be analyzed. This can be accomplished by studying design drawings, equipment
specifications, the literature, and operation procedures, as well as any other source of information that
may be available. The third step is construction of the fault tree. The symbols used in fault tree
analysis are displayed in Figure 3. The fault tree will begin with the top event, and will address any
possible equipment failure, human error, or environmental factors that could result in the top event.
AND gates are used when the existence of all conditions indicated will contribute to the top event; OR
gates indicate that any one of the conditions indicated leads to the top event. Undeveloped events are
occurrences that are not further addressed, either for lack of necessary information or for other reasons
(e.g., the particular event goes beyond the scope of study). Basic faults are the primary cause of the top
event. Basic faults represent a malfunction of equipment that occurs in the environment in which the
equipment was intended to operate. Each branch of the fault tree eventually should end up in either a
basic fault or perhaps an undeveloped event. Triangles are used for transfer of the fault tree to another
location or another page.

Figure 3 Fault tree analysis symbols: event, conditional event, basic fault, undeveloped event, external
event, AND gate, OR gate, inhibit gate, transfer in, transfer out.
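An added Python example, not code from the paper, showing how the cut-set computation mentioned above works: it expands AND/OR gates into minimal cut sets, ranks them by probability, and compares the exact gate-by-gate top-event probability with the rare-event (sum over cut sets) approximation. The tree is a constructed simplification of the furnace fire/explosion scenario in the case study that follows; its gate structure and all basic-event probabilities are assumptions.

```python
"""Minimal cut sets and top-event probability for a small fault tree.

Added example, not code from the paper. The tree is a constructed
simplification of the furnace fire/explosion case study: its gate structure
and basic-event probabilities are assumptions, not values from the paper.
"""
from itertools import product

AND, OR = "AND", "OR"
# A node is either a basic-event name (str) or a tuple (gate, [child nodes]).


def minimize(sets):
    """Keep only minimal cut sets: drop any set that strictly contains another."""
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node):
    """Minimal cut sets of `node` as a set of frozensets (MOCUS-style expansion)."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == OR:        # any one child's cut set is enough
        combined = set().union(*child_sets)
    elif gate == AND:     # one cut set from every child must hold at the same time
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimize(combined)


def gate_probability(node, p):
    """Exact top-event probability by gate-by-gate evaluation; valid only when basic
    events are independent and none appears under more than one gate."""
    if isinstance(node, str):
        return p[node]
    gate, children = node
    probs = [gate_probability(child, p) for child in children]
    if gate == AND:
        result = 1.0
        for q in probs:
            result *= q
        return result
    none_occur = 1.0
    for q in probs:
        none_occur *= 1.0 - q
    return 1.0 - none_occur


def set_probability(events, p):
    """Probability that every basic event in one cut set occurs (independence assumed)."""
    q = 1.0
    for event in events:
        q *= p[event]
    return q


def ranked_cut_sets(sets, p):
    """Cut sets ordered most likely first: where a mitigation buys the most."""
    return sorted(((set_probability(s, p), tuple(sorted(s))) for s in sets), reverse=True)


def cut_set_probability(sets, p):
    """Rare-event approximation: sum over cut sets; an upper bound on the exact value."""
    return sum(set_probability(s, p) for s in sets)


# Constructed tree (assumed structure; names echo the events labelled in Figure 5).
TEMP_ALARM_FAILS = (OR, ["T3 fails to detect temperature rise", "temperature alarm fails off"])
FUEL_VALVE_LEFT_OPEN = (OR, [TEMP_ALARM_FAILS, "operator ignores alarm, fuel valve left open"])
HIGH_TEMPERATURE_DAMAGE = (AND, ["T3 fails to adjust fuel valve", FUEL_VALVE_LEFT_OPEN])
PRESSURE_ALARM_FAILS = (OR, ["P1 fails to detect pressure rise", "pressure alarm fails off"])
OUTLET_VALVE_LEFT_SHUT = (OR, [PRESSURE_ALARM_FAILS, "operator ignores alarm, outlet valve left shut"])
TUBE_RUPTURE = (AND, ["outlet valve fails to open", OUTLET_VALVE_LEFT_SHUT])
TOP_EVENT = (OR, [HIGH_TEMPERATURE_DAMAGE, TUBE_RUPTURE])

# Constructed per-demand failure probabilities for the basic events.
P = {
    "T3 fails to adjust fuel valve": 0.01,
    "T3 fails to detect temperature rise": 0.01,
    "temperature alarm fails off": 0.005,
    "operator ignores alarm, fuel valve left open": 0.1,
    "outlet valve fails to open": 0.02,
    "P1 fails to detect pressure rise": 0.01,
    "pressure alarm fails off": 0.005,
    "operator ignores alarm, outlet valve left shut": 0.1,
}


def analyze(tree=TOP_EVENT, p=P):
    """Cut sets, exact and approximate top-event probability, and the ranked cut sets."""
    sets = cut_sets(tree)
    return {"cut_sets": sets, "exact": gate_probability(tree, p),
            "rare_event": cut_set_probability(sets, p), "ranked": ranked_cut_sets(sets, p)}


if __name__ == "__main__":
    r = analyze()
    print(f"{len(r['cut_sets'])} minimal cut sets; P(top) exact={r['exact']:.5f}, "
          f"rare-event bound={r['rare_event']:.5f}")
    for q, events in r["ranked"]:
        print(f"  {q:.5f}  {' AND '.join(events)}")
```

Every cut set in this tree has two events, which is what the two AND gates buy: no single failure reaches the top event. The ranking shows the operator-plus-outlet-valve pair dominating, so an interlock that opens the outlet valve without operator action would remove the largest term. The gate-by-gate evaluation is exact only because no basic event is repeated under two gates; a shared alarm or shared power supply appearing in both branches would have to be handled through the cut sets with inclusion-exclusion rather than by multiplying gate probabilities.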

CASE STUDY
Application of FTA to the Pyrolysis Furnace of an Ethylene Plant
Ethylene is one of the major feedstocks used by the petrochemical industry for production of a variety
of synthetic polymers, and is produced by the steam cracking of hydrocarbons such as ethane,
propane, naphtha and gas oil.
Ethylene production involves high temperature (1500°F) in the pyrolysis section and cryogenic
temperatures in the purification section. The feedstocks, products and by-products of pyrolysis are
flammable and pose severe fire hazards. Benzene, which is produced in small amounts, is a known
carcinogen.
Figure 4 demonstrates the initial steps for a fault tree analysis; the top event, bounds, configurations
and unallowed event are specified, and the level of resolution is shown. Once all the limits have been
determined, the fault tree is constructed, as in Figure 5. Note that every branch of the fault tree ends in a
basic fault or cause leading to the top event.

Top Event - Fire, explosion in the furnace.
Existing Event - Abnormal temperature and radiant tube rupture.
Unallowed Events - Electric power failures.
Physical Bounds - As shown in the figure.
Equipment Configurations - Inlet feed valves open, outlet valve open.
Level of Resolution - Equipment shown in figure.

Figure 4 Fault tree analysis preliminary steps for an ethylene production plant. Equipment labelled in
the furnace sketch: steam inlet, ethane valve, fuel (CH4) valve, air inlet, outlet valve, cracked product
outlet, temperature sensors T1 to T4 with temperature alarms, and pressure sensor P1 with pressure
alarm.

Figure 5 Application of fault tree analysis to an ethylene plant preliminary design. Top event: fire,
explosion in the furnace. Events in the high-temperature branch: damage due to high temperature;
excessive fuel combustion; temp. sensor 3 fails to adjust the fuel valve; operator fails to adjust the fuel
valve to the desired set-point manually; temp. sensor 3 fails to detect temp. rise in furnace; alarm fails
to alert operator; alarm fails off; operator fails to obey alarm and close the fuel valve. Events in the
tube rupture branch: radiant tube rupture due to mechanical stress; mechanical stress cracking;
pressure build-up in the furnace tube; outlet valve fails to open; operator fails to open outlet valve
manually; temp. sensor 4 fails to detect temp. rise; press. sensor 1 fails to detect press. rise; alarm fails
to alert operator; alarm fails off; operator fails to obey alarm and open outlet valve.

4. Operating Procedures
Operating procedures describe tasks to be performed, data to be recorded, operating conditions to be
maintained, samples to be collected, and safety and health precautions to be taken. The procedures
need to be technically accurate, understandable to employees, and revised periodically to ensure that
they reflect current operations. The process safety information package is to be used as a resource to
better assure that the operating procedures and practices are consistent with the known hazards of the
chemicals in the process and that the operating parameters are accurate. Operating procedures should
be reviewed by engineering staff and operating personnel to ensure that they are accurate and provide
practical instructions on how to actually carry out job duties safely.

Operating procedures and instructions are important for training operating personnel. The operating
procedures are often viewed as the standard operating practices (SOPs) for operations. Control room
personnel and operating staff, in general, need to have a full understanding of operating procedures. In
addition, operating procedures need to be changed when there is a change in the process as a result of
the management of change procedures. The consequences of operating procedure changes need to be
fully evaluated and the information conveyed to the personnel. For example, mechanical changes to
the process made by the maintenance department (like changing a valve from steel to brass or other
subtle changes) need to be evaluated to determine if operating procedures and practices also need to be
changed.

5. Employee Training
All employees, including maintenance and contractor employees, involved with highly hazardous
chemicals need to fully understand the safety and health hazards of the chemicals and processes they
work with for the protection of themselves, their fellow employees and the citizens of nearby
communities. Training in subjects such as operating procedures and safe work practices, emergency
evacuation and response, safety procedures, routine and nonroutine work authorization activities and
other areas pertinent to process safety and health will need to be covered.
In establishing the training programs, we must clearly define the employees to be trained and what
subjects are to be covered in their training. In setting up the training program, we need to clearly
establish the goals and objectives we wish to achieve with the training that is provided. The learning
goals or objectives should be written in clear measurable terms before the training begins. These goals
and objectives need to be tailored to each of the specific training modules or segments.

6. Contractors
Employers who use contractors to perform work in and around processes that involve highly
hazardous chemicals will need to establish a screening process so that they hire and use contractors
who accomplish the desired job tasks without compromising the safety and health of employees at a
facility.

7. Pre-Startup Safety Review


For new processes, the employer will find a process hazard analysis helpful in improving the design
and construction of the process from a reliability and quality point of view. Making use of the
recommendations before final installations are completed will enhance the safe operation of the new
process. The Piping & Instrumentation Diagrams (P&IDs) are to be completed along with having the
operating procedures in place and the operating staff trained to run the process before startup. The
initial startup procedures and normal operating procedures need to be fully evaluated as part of the
pre-startup review to assure a safe transfer into the normal operating mode for meeting the process
parameters.
For existing processes that have been shut down for turnaround, modification, etc., management
must assure that any changes other than replacement in kind made to the process during shutdown
go through the management of change procedures.

8. Mechanical Integrity
Management will need to review their maintenance programs and schedules to see if there are areas
where breakdown maintenance is used rather than an on-going mechanical integrity program.
Equipment used to process, store, or handle highly hazardous chemicals needs to be designed,
constructed, installed and maintained to minimize the risk of releases of such chemicals. This requires
that a mechanical integrity program be in place to assure the continued integrity of process equipment.
Elements of a mechanical integrity program include the identification and categorization of equipment
and instrumentation, inspections and tests, testing and inspection frequencies, development of
maintenance procedures, training of maintenance personnel, the establishment of criteria for
acceptable test results, documentation of test and inspection results, and documentation of
manufacturer recommendations as to mean time to failure for equipment and instrumentation.

9. Non-routine Work Authorizations


Non-routine work which is conducted in process areas needs to be controlled by management in a
consistent manner. The hazards identified involving the work that is to be accomplished must be
communicated not only to those doing the work, but also to those operating personnel whose work
could affect the safety of the process. A work authorization notice or permit must have a procedure
that describes the steps the maintenance supervisor, contractor representative or other person needs to
follow to obtain the necessary clearance to get the job started.

10. Management of Change


To properly manage changes to process chemicals, technology, equipment and facilities, one must
define what is meant by change. Change includes all modifications to equipment, procedures, raw
materials and processing conditions other than replacement in kind. These changes need to be
properly managed by identifying and reviewing them prior to implementation of the change. For
example, the operating procedures contain the operating parameters (pressure limits, temperature
ranges, flow rates, etc.) and the importance of operating within these limits. While the operator must
have flexibility to maintain safe operation within the established parameters, any operation outside of
these parameters requires review and approval by a written management of change procedure.

11. Investigation of Incidents


Incident investigation is the process of identifying the underlying causes of incidents and
implementing steps to prevent similar events from occurring. The intent of an incident investigation is
to learn from past experiences and thus avoid repeating past mistakes.

12. Emergency Preparedness


Management must address what actions employees are to take when there is an unwanted release of
highly hazardous chemicals. Management will need to decide whether they want employees to handle
and stop small or minor incidental releases; whether they wish to mobilize the available resources at
the plant and have them brought to bear on a more significant release; whether they want their
employees to evacuate the danger area and promptly escape to a pre-planned safe zone area, and allow
the local community emergency response organizations to handle the release; or whether they want to
use some combination of these actions. Employers will need to select how many different emergency
preparedness procedures they plan to have and then develop the necessary plans and procedures,
appropriately train employees in their emergency duties and responsibilities, and then implement
these lines of defense.

13. Audits
Management needs to select a trained individual or assemble a trained team of people to audit the
process safety management system and program. A small process or plant may need only one
knowledgeable person to conduct an audit. The audit is to include an evaluation of the design and
effectiveness of the process safety management system and a field inspection of the safety and health
conditions and practices to verify that the systems are effectively implemented. The audit should be
conducted or led by a person knowledgeable in audit techniques and who is impartial towards the
facility or area being audited. The essential elements of an audit program include planning, staffing,
and conducting the audit, evaluation and corrective action, follow-up and documentation.

CONCLUSION
Application of the Process Safety Management techniques to processes that use, produce, or store
highly hazardous chemicals can greatly reduce the probability of a catastrophic accident. These
techniques are designed to aid management in their efforts to prevent or mitigate chemical releases
that could lead to a catastrophe in the workplace and in the surrounding community. To control these
types of hazards, the management needs to develop the necessary expertise, experiences, judgement,
and proactive initiative within the workplace to properly implement and maintain an effective Process
Safety Management program.

BIBLIOGRAPHY
1. United States Department of Labor. Hazardous Materials Guidelines and Recommendations,
Subpart H, 1996.
2. American Institute of Chemical Engineers, Center for Chemical Process Safety. Guidelines for
Hazard Evaluation Procedures, 1995.
3. Kavianian, H. R., and C. A. Wentz. Occupational and Environmental Safety Engineering and
Management. New York: Van Nostrand Reinhold, 1990.
4. Hammer, W. Handbook of System and Product Safety. New York: Prentice Hall, 1979.
5. Knowlton, E. Creative Checklist Hazard and Operability Studies. Arlington, VA: Chemical
Manufacturers Association, 1985.
6. Lambert, H. E. Failure Modes and Effect Analysis, NATO Advanced Study Institute, 1978.
