Skip to content

Employee Participation and Culture


Rodin’s Thinker

The topic of “Safety Culture” is one that has received much attention in recent years. Yet “culture” is very similar to “Employee Participation” — a topic that has been part of the OSHA Process Safety standard for a generation and that is now being incorporated into BSEE’s SEMS rule. Therefore it is useful to review what has been learned about Employee Participation. The following material is extracted from the book Process Risk and Reliability Management.

Employee participation lies at the heart of any process safety management program. It is probably for this reason that OSHA placed the topic of Employee Participation, also known as Workforce Involvement, as the first of its fourteen Process Safety Management elements.

All employees (including contract workers) must be involved in the program. Although PSM programs are often conceived of primarily in technical topics such as hazards analysis, risk quantification and fire and explosion modeling, the involvement of all employees at every level is fundamental to the success of such programs. When employees feel involved they are much more likely to make suggestions for improvement, participate in new initiatives and “walk the extra mile”. Moreover, the effective involvement of the workforce provides a sanity check for new ideas, projects and analyses. Anything new or unusual should be reviewed by the employees; they will immediately identify any common sense problems because they are the ones who know the facility best.

It is important to note that this element is called Employee Participation, not Employee Communication. The intent is that employees fully engage in the spirit of the process safety program. For example, a process hazards analysis (PHA) offers an opportunity for participation in two ways.

First, all employees should be encouraged to participate in the PHA meetings themselves. They should have a chance to contribute their knowledge, experience and ideas. Second, and maybe more important, carrying out PHAs creates state of mind for all employees; they will start to look at everything they do in terms of its risk impact. The insights generated will then suggest ideas for reducing that risk. In other words, the purpose of a PHA is not just to identify hazards, but also to encourage a particular way of thinking among all employees. So, an operator working by himself at one o’clock in the morning may be about to open a valve on a line that connects two tanks. If, before doing so, he spends a few moments going through some of the PHA guidewords such as “reverse flow” or “contamination” he may identify a possible accident situation, and decide not to open the valve until he has talked over the proposed action with his supervisor or colleagues. When the operator acts in this manner both the participation and the PHA elements of the process safety program are working perfectly. Employee participation is not a stand-alone activity; instead it should be woven into the fabric of all the elements of a risk management program.

Additional examples of workforce involvement occur when a pipefitter learns that a new chemical is about to be used in the process. He may question whether the current gaskets are safe in the new service. Or an outside contractor may feel that he or she has not been given sufficient instructions as to what to do and where to go in an emergency, and makes that concern known to the host company.

Although there are many benefits to do with participation, management has to recognize that, by asking employees to get involved in decision making they are also asking those employees to take more risk with regards to their career and reputation. It is much easier for an employee merely to follow orders — even if he or she knows that those orders are not sensible — than to take initiative. Moreover, increased employee participation may run into road blocks with unions and other organizations that represent those employees. Consequently, employees must feel that they are sufficiently rewarded for participating in management programs. One way of achieving this is to provide employees with long-term rewards if the company does well, for example by giving them stock rather than cash bonuses.

Developing Employee Participation

Management and the employees should develop a written plan showing how they plan to implement Workforce Involvement. An example of one of these is shown below.

  • The PSM program will involve all employees and contract workers, as appropriate to their job function and experience level.
  • The program will involve the full participation of “employee representatives” – where such duly elected representatives exist.
  • “Employees” includes not only full-time workers, but also temporary, part-time and contract workers.
  • Decisions as to which kinds or classes of employees should be consulted regarding specific PSM matters will take into account factors such as job functions, experience, and their degree of involvement with PSM and the company’s general background.

Safety Committees

Safety committees provide a formal channel through which management and the employees can communicate with regard to process safety issues and overall company culture. There are many references to the involvement of employee representatives in the OSHA standard. These would usually be on the safety committee. If the facility is non-union, it is essential that the employees’ representative is selected by the employees, not appointed by management. But it is important to ensure that the committee is not isolated; the effective implementation of this element requires that everyone participate in the process safety program.

Involvement in PSM Elements

Employees can participate in the PSM program by taking leadership of some of the elements of process safety. This type of involvement does not have to be universal; employees will be selected based on their understanding and knowledge of the topic in question. Nevertheless, it is a good idea to involve employees with lower levels of experience wherever possible in order to train them in the details of the process safety program.

Difficulties with Workforce Involvement

Although effective workforce involvement and employee participation bring many benefits, there are costs and drawbacks, as discussed below.


Increased participation of employees in the PSM program can lead to short term inefficiencies brought about by spreading work among a large number of people, rather than assigning it to a small number of full-time specialists. For example, rotating operators through a Hazard and Operability Study means that the analysis will be slowed down because the newcomers will have to get up to speed on what has already been covered by the previous team members.

Another example of this type of problem (and opportunity) occurs when the operators are each asked to check the P&IDs for a small section of the plant. It would be much quicker to have one designer go out and do the whole job — but doing so would lose the important benefits that would be gained when the operators check their own unit line by line and valve by valve. Furthermore, the operators may be able to identify problems with the P&IDs because they know how “things really are”. Ultimately, the short term inefficiencies consequent on using all the operators to perform such tasks will be more than compensated for by the gains in the overall knowledge and understanding of the operational integrity system.

Unwillingness to Accept Change

Implementation of workforce involvement can create anxiety — particularly among managers — because they are likely to hear facts about their organization that are critical of their efforts. Moreover many workers prefer to work in a “command and control” management system because they can thereby avoid the responsibility for mistakes that are made and because thinking is such hard work.

Labor / Management Relations

It has to be recognized that the ideal workforce involvement situation depends heavily on good labor/management relations. If there is a good deal of strife and disagreement between the two parties, then, realistically, progress in this area is likely to be difficult. For this reason, it is important to set realistic goals, and not to over-commit as to how much progress can be made in this area.

OSHA Standard

The OSHA standard and guidance to do with Employee Participation are shown below.

(1)  Employers shall develop a written plan of action regarding the implementation of the Employee Participation required by this paragraph.

(2)  Employers shall consult with employees and their representatives on the conduct and development of process hazards analyses and on the development of the other elements of process safety management in this standard.

(3)  Employers shall provide to employees and their representatives access to process hazard analyses and to all other information required to be developed under this standard.


Employers are to consult with their employees and their representatives regarding the employers efforts in the development and implementation of the process safety management program elements and hazard assessments. [ Employers must ] train and educate their employees and to inform affected employees of the findings from incident investigations required by the process safety management program. Many employers, under their safety and health programs, have already established means and methods to keep employees and their representatives informed about relevant safety and health issues and employers may be able to adapt these practices and procedures to meet their obligations under this standard. Employers who have not implemented an occupational safety and health program may wish to form a safety and health committee of employees and management representatives to help the employer meet the obligations specified by this standard. These committees can become a significant ally in helping the employer to implement and maintain an effective process safety management program for all employees.

Written Plan of Action

OSHA requires that the Employee Participation program be written down. This can be difficult to do well because Employee Participation is involved in so many areas of process safety and because participation represents a state of mind rather than a specific program.

The plan of action should identify who is responsible for the management of the PSM program, how employees can learn about it, and how suggestions for improvement can be implemented.


As already discussed, employees must be involved in all aspects of PSM, not merely informed about decisions that have been made by other people.  Their opinions matter, and should always be acted on. Even when an idea is rejected, management should always communicate with the employee as to why that decision was made.

On union plants, the employee representatives will be appointed by the union. On non-union plants, the employees may choose someone to represent their interests. The appointment must be made by the employees, not management.

Access to Information

In addition to consulting with employees, it is important that management makes sure that employees know that they have a right to access to information to do with process safety. The fact that Process Hazards Analyses (PHAs) are specifically identified within this element has prompted many companies to make sure that operators participate in the PHAs, often on a rotating basis.

How to Read and Why


Harold Bloom

Recent posts at this blog have discussed the importance of written communications as part of the process safety profession. They include:

Much of the discussion in these posts has been to do with the importance of writing well — process safety professionals often have to write reports based on tasks and projects such as hazards analyses, incident investigations and prestartup reviews. These reports need to be clear, succinct and readable. Yet writing well is not sufficient. It is equally important that the reader of the report actually knows how to read. (It is often assumed that, if a written report fails to communicate its message, then the writer has a problem and needs to improve his or her technique. But another response to the difficulty is that maybe the reader needs to improve his or her reading skills.)

Now, in this context the word ‘read’ does not mean the ability to understand written statements such as “Reverse flow could cause corrosion of the impeller of Pump, P-101”. It means understanding the underlying causes of the problem and developing an understanding of management system failures; reading well will help identify hidden messages.

Harold Bloom

How-to-Read-and-WhyIn the year 2000 Yale Professor Harold Bloom (b. 1930) published the book How to Read and Why. Although his book is directed to those reading classical literature some of his thoughts and insights can be applied to the more banal activity of reading process safety reports.

His aphorism, “Clear your mind of cant” is particularly important. Cant means, “Monotonous talk filled with platitudes” or “Hypocritically pious language”. The safety business is prone to such platitudes and to pious language. For example, when discussing a major incident that has killed and injured many people it is common to use the word ‘tragedy’ when describing the event. And of course it is a tragedy – for those affected personally. But for people who were not involved in the event in any way use of the word ‘tragedy’ often seems to be somewhat sanctimonious. It is probably best simply to use the word ‘incident’.

More broadly, Bloom’s advice can mean simply “Clear your mind”.

Francis Bacon (1561-1626) expressed the same concept when he said,


Francis Bacon

Read not to contradict and confute, not to believe and take for granted, not to find talk and discourse, but to weigh and consider.

What both of these writers are saying is that, when reading, we should refrain from being ‘prejudiced’ in the literal sense of the word: ‘pre + judge’. We should open our minds, as best we are able, to understanding what the writer is really saying, not to what we think he or she is saying.

Wilde-Oscar-1This is difficult. As Oscar Wilde (1854–1900) said, “A truth ceases to be a truth as soon as two people perceive it.” In other words facts are never truly objective; each person has their own perception of what they perceive to be the same reality. His insight also suggests that there is no such entity as ‘common sense’ — no two people have a common view of the world so they can never share a ‘common sense’.

In addition to his condemnation of cant Bloom suggests that an understanding of irony is also part of deep reading. But this insight does not apply to the process safety world. All reports should be written ‘straight’, with no use of word play.


Effective reading in the process safety world is analogous to incident analysis and attempting to identify root causes.

For example, a report to do with a Prestartup Safety Review may state, “The start-up of the modified system could not proceed because the safety-critical pressure gauge downstream of Pump, P-101A had not been installed”.

The plant manager on reading this may react in a ‘prejudiced’ manner by stating that he always knew that the company that makes that type of gauge was not to be trusted. But a deeper reading of the report may proceed as follows.

  • The safety-critical pressure gauge was not installed.
    Why not?
  • The gauge had been delivered on time but it had been put in the wrong location in the facility warehouse.
  • The warehouse manager was on vacation and her substitute did not understand the parts data base system.
    Why not?
  • No one in the warehouse has ever received formal training.
    Why not?
  • Because the process safety training program is directed just to line operators and maintenance personnel.

A deep reading of just one sentence has led to useful process safety insights.


Many companies encourage their employees to attend courses on improving their “Communication Skills”. Such courses tend to focus on how to write clearly and economically. Such training can be invaluable, but its effect would be greatly enhance were process safety professionals and their managers also trained in deep and thoughtful reading.

The Risk Management Consultant


The material in this post is extracted from Chapter 20 of the book Process Risk and Reliability Management.

Last week’s post — The Risk Management Professional — discussed some of the attributes that help make a successful risk management/process safety professional. This week we take a look at a related topic: the attributes of an effective process risk management consultant.

When it comes to consulting the most important fact that consultants need to remember is they are not wanted. The only reason for hiring a consultant is to solve a problem — a problem that the client management wishes would just go away. The presence of the consultant is a constant, nagging reminder that time and money are being spent on solving the problem. Therefore, even if the client and consultant get on well personally, their relationship will always be tense; the best thing that the consultant can do is solve the problem and then go away.

Companies hire consultants to help them with their risk management programs for the following reasons.

  • Some of the elements of the program may be new to a company; in such cases a consultant can help them get started. For example, in the late 1980s and early 1990s Process Hazard Analyses (PHAs) were a new technique in most facilities. Hence a small consulting and software industry developed to conduct PHAs and to train clients in their use and application. Now that PHAs are part of the furniture for most companies the need for this particular consulting service is not so great (although many of the same people continue to assist with the implementation of the PHAs — but as such they are serving as contract workers, not consultants).
  • A company may be struggling with the logistics of its risk management program. Costs may be out of hand and/or the program may be way behind schedule. A consultant can work with the management team to bring the project back on track.
  • Consultants often make good auditors. Their expert knowledge of the principles of risk management of process safety regulations provides a solid foundation for their findings. And consultants are particularly well qualified to conduct assessments of a facility’s risk management program.
  • A consultant can provide fresh ideas as to how to perform well-understood tasks. For example, in Chapter 5 it was pointed out there is a wide variety of process hazards analysis techniques that can be used. If a company has become stuck with one method, say the HAZOP technique, a consultant can help them evaluate and use other methods, such as What-If or FMEA.
  • A company may require detailed help concerning the interpretation of a regulation or ruling. A consultant can provide benchmarks from other companies. Indeed, one of the most common questions that consultants have to answer is, “How do other people do it?”, where the word ‘it’ refers to an activity that they themselves are having trouble addressing.

True Expertise

Consultants must be true experts. Many people know “quite a lot” about a topic, but that does not make them true experts. In the example quoted above concerning PHAs, by the early 1990s many engineers and other technical specialists had become very familiar with the process of leading hazard analyses. This did not, however, qualify them to become PHA consultants. Their experience merely qualified them to lead hazards analyses, not to design, implement and run PHA systems.

The Consultant as Outsider

The consultant should be an outsider. This is important because he or she may be called upon to present unpalatable truths to management. In many situations the cause of a problem such as a deteriorating safety record is understood by the people at the working level. However, no one within the organization feels that they can present “the truth” to management for fear of retribution. (This is not always a management problem, however.  The consultant may find that management is quite flexible, and willing to adopt new techniques.  The resistance may come from supervisors and working-level people who have become entrenched in the current mode of operating.)

A consultant may be able to successfully present bad news more effectively than an employee for three reasons. First, the worst that the client company can do is to terminate the consultant’s contract. Since the consultant usually has other assignments, this loss of work is not as critical as it would be to full-time employee. Second, outsiders are often perceived as being more credible than insiders, even though they present exactly the same facts. (This is why consulting companies themselves sometimes have to hire consultants to tell them “the truth”. It is also the rationale behind the quotation, “An expert is someone who is more than fifty miles away.”) The third advantage of using an outsider to present bad news is that management is not quite sure where to “place” the consultant.  Consultants are often perceived as being “above” line employees, particularly if it is suspected that they have the ear of senior management. Therefore, comments from consultants are often treated with a good deal of respect and consideration.

The importance of being an outsider raises a concern about the use of “internal consultants” — a phrase which some might regard as being an oxymoron. If the consultant and the client work for the same organization, sooner or later their chains of command will meet. Hence, neither is truly independent from the other. Furthermore, as their respective careers progress, it is possible that they will find themselves working for or with one another. This knowledge is likely to cloud the objectivity of the client-consultant relationship.

The consultant should also be an outsider because it his knowledge of “how other people do it” that can be so valuable to an organization that has become trapped in its own systems and ways of thinking.

Ironically, one of the problems that consultants can run into is that they themselves can become stuck in their own rut; they may have trouble accepting that other people’s ideas may be as good as or even better than theirs.  Therefore, it is important to make sure that the consultant is truly up to date, and that he or she is constantly evaluating and testing their own ideas, and abandoning those that are out of date. This being the case, one question that the client company may want to ask a consultant before hiring him or her is, “Which of your opinions and ideas have you changed during the last few years?”

Consultants — Not Contractors

An appropriate analogy can be made here with respect to education and training, as discussed in Chapter 7. Someone who is educated in a topic understands its fundamental principles whereas someone who is merely trained in that topic knows “how to do it.” So it is with consultants and practitioners. Consultants provide insights to do with fundamental principles; practitioners, on the other hand, simply know what to do.

Consultants provide advice — they do not put that advice into practice. A consultant looks at organizational issues, and advises management on how to address them. This is why the end product of most consulting contracts is a report and a presentation to management. If he or she is asked to implement some of the recommendations contained in the report, he or she has switched roles from being an adviser to a doer.

Good consultants work by generalizing from the specific and then drawing specific conclusions from their generalizations. They go into a situation and investigate the facts of the current situation. From these facts they come up with a general analysis from which they develop specific recommendations. This ability to form general conclusions is also an important attribute of an incident investigator.

Consultants must possess good client-relations skills. They have to be aware not only of technical issues, but also of the internal company dynamics and politics. Process safety consultants frequently have a technical background — many of them are chemical engineers — and therefore tend to perceive the world as being rational and objective. They may fail to grasp that their clients, like all customers, base many of their decisions on a combination of both emotion and fact.

The distinction between “doing” and “consulting” can be frustrating for many consultants. Many of them have had a career in industry, often at quite senior levels.  They are used to taking charge and having their ideas put into practice. Hence, the need to persuade rather than command can be a challenge for such consultants, particularly when the client chooses to ignore the consultant’s recommendations.

A facility may choose to use contract help with many of its risk management activities, particularly those that are labor-intensive, such as writing operating procedures. Using consultants or contract workers in this manner moves away from the principles of employee participation and involvement.

Cuts Gordian Knots

gordian-knot-1In the 4th century B.C. King Midas in the city of Gordium in what is now the nation of Turkey tied his ox-cart/chariot to a post with an intricate knot. It was prophesied that whoever could undo the knot would become the next king of Persia. In 333 B.C. Alexander the Great attempted to untie the knot. He could not find an end to the rope, so he simply cut through the knot with his sword. He went on to conquer most of the known world, including Persia.

The story symbolizes the resolution of an intractable problem with a swift, unconventional stroke. Good consultants have the ability to cut the Gordian knots that clients have created for themselves.

Quick Study

Although a consultant may be expert in many areas of business or technology he will never possess the detailed technical knowledge to do with every task he or she faces. For example, each new assignment will require him to work with a new type of chemical process technology. This means that an effective consultant is a quick study, i.e., he or she must be able to enter a situation, learn it sufficiently well to understand the management issues involved and then make sensible recommendations. This is analogous to what a trial lawyer does. He will learn the details of a case very rapidly, organize the case that is to be presented to the court, make the presentation, and then almost immediately forget the details as he moves on to the next case.

Role of the Client

The client must realize that the success of the consultant’s work will depend largely on the attitude and degree of cooperation provided by the facility employees. In particular, client personnel must try to be open-minded and objective. The consultant has been hired because he or she represents an outside point of view. Hence the findings are likely to upset some people on the client side because old and comfortable ways of doing business will be challenged. The client should try to understand that there may be new and better ways of operating; in particular, everyone should try to avoid using the phrase, “we’ve always done it that way and it’s never been a problem” (with the implication that it never will be a problem.)

Response to Criticism

Consultants must have thick skins. It is almost certain that their ideas and recommendations will be critiqued and criticized. Oftentimes, the people doing the criticizing will be considerably less qualified than the consultant. Also they will have spent less time studying the problem being analyzed, and will probably have motives and agendas of their own. In these situations, the consultant must work as hard as possible to communicate the findings of the analysis to all concerned, but he or she must also recognize that the client is paying the bills, and ultimately makes the final decisions. The consultant is an advisor, not a decision-maker.


Consultants must market their services. At the same time they must maintain a professional profile. For most consultants their marketing will be based on a web page that provides information on services offered. This will be supplemented by direct mails and carefully managed email campaigns (which are best done through a service that provides full opt-out capabilities).

Social media also provide an opportunity for professional marketing. By writing articles and blogs for LinkedIn and other similar sites, the professional gains exposure (and also develops his or her own ideas).

Maintaining a professional and independent profile is particularly important for consultants who serve as expert witnesses (a topic that is discussed below). He or she has to avoid the perception that he is a “professional expert” — a hired gun.

The Risk Management Professional

P&IDA successful risk management professional needs to have personal attributes that match his or her technical knowledge and skills. Some of these attributes are discussed below. Of course, no single person can possess all of them, but the list does provide an outline as to goals to aim for.

Education and Certification

Most risk management professionals have a technical education — often in engineering or environmental science. Such an education provides the necessary skills to handle the technical and quantitative aspects of the work, particularly with regard to the analysis or risk, fires and explosions and gas dispersion.

Technical Knowledge

The risk management professional should have a thorough understanding of the many technical topics that the discipline covers. Obviously, no one person can be an expert in all of the technical areas that make us risk analysis, but he or she should possess enough knowledge of them in order to develop the correct parameters for risk analyses and to understand the findings and reports that the experts provide.


A person who thinks and works holistically is not limited to a single, narrow detailed specialized sphere; instead he can understand management, technical and human systems, and how they interact with one another. A risk management professional understands how his or her profession is composed of a wide range of disparate topics such as human factors engineering, Boolean algebra, government regulations, starting up a process plant and the design of instrument systems.

If a risk management professional is to be effective at integrating different types of knowledge, he or she must possess a good grasp of those topics. This does not mean that the professional has to be an expert in everything ­— such a goal is obviously unrealistic — but it does mean that he or she needs to have a working knowledge of multifarious topics, and to have a comprehension as to how they fit together. The phrase, “jack of all trades, but master of none”, is usually considered pejorative. However, with regard to the risk management professional, it is a sensible job description.


As has been stressed throughout this book, risk has both objective and subjective elements. The objective part of the work means that those working in the area of risk management need to be numerate; they need to be comfortable with a variety of quantitative topics such as gas dispersion modeling, the development of F-N curves and the use of Boolean algebra.

Communication Skills

Risk management professionals spend much of their time communicating with others in a variety of ways such as writing reports, listening to client needs, delivering presentations and listening to anecdotes. Hence the risk management professional must be a good speaker, writer, listener and reader. Discussion of these topics is provided later in this chapter.

Industrial Experience

There is really no substitute for industrial experience. It is one thing to learn about a topic from books such as this, and by reviewing incidents that have occurred elsewhere, but it is quite another to actually learn from the school of hard knocks. Industrial experience includes not only a hands-on knowledge of industrial processes and equipment, but also an understanding of the realities of client/consultant relationships, the resistance that managers have toward spending money on safety, problems at the management/union interface and how government agencies actually enforce regulations.

Knowledge of Past Events


Watson and Holmes

The risk management professional should know about incidents and events (both good and bad) that have occurred in other companies and locations. He or she can use these events to understand and identify patterns in current operations.

The importance of understanding the past is illustrated with regard to (the fictional) Dr. Watson’s ruminations as to what new friend Sherlock Holmes does for a living, not long after they first meet. Watson summarizes Holmes’ attributes. The list includes the following statement:

< knowledge of . . .> Sensational Literature — Immense. He appears to know every detail of every horror perpetrated in the century.

So it is for the risk management professional; he or she should possess an “immense knowledge” of incidents that have occurred and what lessons can be drawn from them. An overview of some major incidents in the process industries is provided in Chapter 1.

In this context it is interesting to note that the recently released proposed update to the OSHA PSM standard (Chapter 2) relies heavily on actual incidents. Almost all of the proposed changes are justified by showing how such changes could have helped prevent the cited incident.

Professional Involvement

Risk management professionals should be involved in their community. This is usually done by working with professional societies or independent trade organizations — often by helping with the organization of meetings, editing papers and articles, and writing technical standards. Reasons for being involved include the following:

  • It is a way for experienced professionals to give back to their community and to help young people who are entering the field.
  • Development of personal reputation and contacts within the community that could lead to more interesting and rewarding work and assignments.
  • Enhancement of the reputation for the company or organization that the professional works for.
  • The writing of articles and papers requires the author to carry out thorough research on the topic about which he or she is writing.
  • Helping others to prepare and publish their work increases the knowledge and skills of all parties.


A well-known proverb states, “It’s not what you know, it’s who you know”. This proverb is only half correct — technical knowledge and personal skills are vital to any professional. Yet it is important to maintain a network of qualified contacts. In particular, when an expert is has to address a challenging problem it is useful to have someone to call who can help out as a friend and colleague.

The Resumé / CV

The expert’s knowledge, skills and attributes are summarized in his or her or resumé or curriculum vitae (CV).

It is critical that the resumé be accurate and verifiable, especially with regard to statements, such as the possession of advanced degrees, or major work experience. Accuracy of the resumé is particularly important when the risk management professional is involved in litigation. He or she must expect to have his qualifications challenged because, if the resumé can be discredited, then the expert‘s statements can be discredited also.

Many professionals fail to keep their resumés up to date. It is a good idea to check it and modify as needed every three months or so, particularly when new types of work or project are being carried out.

a)            Level of Detail

An expert’s resumé can become very lengthy because he or she is likely to have years of experience in a wide range of tasks and projects. Such length has its drawbacks — it can make the resumé difficult to read and lacking in focus. For this reason it is often a good idea to have a short (say half page) summary of at the start of the resumé, supplemented by an attachment that provides the detailed information.

b)            Publications

An expert’s resumé is greatly enhanced if he or she has published professional papers, articles and books. Books, in particular, can make a very strong impact — the risk management professional can say, “I wrote the book on that. Here it is!”

Involvement with professional societies, as discussed in the previous section, also looks very good on the resumé.

c)            Gaps / Negative Facts

After many years of work experience, no one will have a perfect work record. Everyone’s career hits the occasional bump in the road. In particular, there will often be gaps in the work record for the times that the professional was unemployed or was trying to land new contracts. These gaps can be filled with information to do with background work such as the preparation of seminars or professional papers, or with time spent on continuing education.

d)            Multiple Resumés

Some risk management professionals have multiple resumés, with each version emphasizing particular qualities. For example, one version may stress say design experience, whereas another may place a greater emphasis on field operational work.

Although this practice may help in specific situations, it is generally best not to have more than one resumé. This is particularly true with respect to litigation work because an opposing attorney may use the two documents to “demonstrate” that the witness is not to be trusted, particularly if the professional appears to have a “plaintiff resumé” and a “defendant resumé”.

e)            Declining Experience

One of the traps that experts can fall into is that, if they fail to keep up with the latest knowledge and practice in their field, they may not really be qualified to help a client in an area that is shown on their resumé. The expert may fail to recognize that his or her knowledge and judgment is out of date.

A related problem is that some process risk experts may have worked for just one company for the duration of their careers. On retirement they seek to become consultants with other companies, but find that their deep, but narrow, experience can be quite limiting.


Monthly PSM Report

Sutton Technical Books

If you would like to receive a copy of our monthly letter “ThePSM Report” please register at our our Sutton Technical Books site. We use Constant Contact software to ensure privacy and to control spam. A sample letter is available here.

Thank you.

The Seven Gods of Fortune

Gods of Fortune

The Seven Gods of Fortune

Over the last few months some our posts that have referred to the slow-motion, ongoing, multiple crises at the Fukushima-Daiichi nuclear power plant complex. A very brief overview of the event is provided at the post Two Too Many Common Causes. Some of our posts to date that are to do, at least in part, with the event include:

In spite of the importance of what has already happened and what could happen, particularly were there to be another large earthquake, there has been little public discussion as to what is going on at Fukushima-Daiichi. One reason for this may be that there have been fewer public reports than we saw with other major process safety events such as Piper Alpha, Texas City and Deepwater Horizon/Macondo. Indeed, the Japanese government recently passed a law that restricts investigative journalism into events such as Fukushima-Daiichi. (The Japan Federation of Bar Associations has expressed strong concern that the new law on state secrets may embolden the government’s propensity to hold back crucial information on nuclear safety (Ashahi Simbum)). The lack of reporting may also reflect the non-visual nature of the event. After the first few days, in which the earthquake and tsunami were followed by one or more hydrogen explosions, there has been little to see except for the construction of a large number of tanks to hold radioactive water. The dangers associated with radioactive releases are invisible.

Nevertheless, in spite of its low profile this event has the potential to be very serious indeed. Were there to be another earthquake or were one of the Reactor 4 fuel rods to be dropped or broken while being transferred the consequences could be such that large scale evacuation of the communities around the site would be required.

Process Safety Input

We have argued in previous posts, and continue to argue, that the situations is one that the process safety community should be following closely. Not only are there important lessons to be learned but it could be that process safety professionals may be able to make a contribution to the overall remediation process.

Seven Events

Gods-of-Fortune-2During the research for this post we came across the Japanese folklore of “The Seven Gods of Fortune”, also known as the Seven Lucky Gods. The image seemed appropriate for a discussion to do with Fukushima-Daiichi because there are actually seven scenarios at that site to need to be taken care of, and it seems as if good fortune will be needed to make sure that they are all handled properly.

The Fukushima-Daiichi complex consists of six nuclear reactors, all of a similar design. Units 1-4 were badly damaged by the Tōhoku subsea earthquake. Their backup power systems, which were at low elevation, were disabled by the tsunami that followed the the earthquake. Units 5-6 are newer and at a higher elevation and appear to have suffered less damage.

The seven events are:

  1. Presumed partial meltdown in Reactor 1;
  2. Presumed partial meltdown in Reactor 2;
  3. Presumed partial meltdown in Reactor 3;
  4. Removal of spent fuel from the Reactor 4 storage facility;
  5. Damage to Reactor 5;
  6. Damage to Reactor 6; and
  7. On-going flow of ground water through the complex and the integrity of the temporary water storage tanks.

Reactor 4

Fukushima Reactor 4

Figure 1

Most of the remediation work presently taking place is at Reactor 4. At the time of the earthquake it was out of service with its spent fuel rods in a water pool located directly above the reactor (not inside the reactor containment building). The explosions that followed the earthquake blew the roof off the building that contains the stored fuel rods (Figure 1).

The integrity of the building is questionable. Were it to collapse some of the fuel rods could be exposed to air. Given that these rods are cased in highly flammable zirconium they could catch fire and generate a plume containing large quantities of radioactive material. Therefore the facility operator, Tepco (Tokyo Electric Power Company), is currently moving the spent fuel rods from this building to a safer location. This operation is expected to take at least fifteen months and is itself hazardous. If any of the rods (many of which are already damaged) were to be dropped or broken they could also burn.


Figure 2

A new building has been erected so that heavy equipment for the removal of fuel rods can be installed (Figure 2).


Figure 3

In spite of the current focus on Reactor 4 it is likely that the long-term problems to do with Reactors 1-3 (Figure 3) are actually more serious. The cores appear to have melted down. They are still in the containment building, but eventually action will have to be taken. But entering these buildings will be a very hazardous enterprise. And deciding how to remove and dispose of the melted cores will be a challenge, to say the least.

Years and Years and Years

Three of the most striking features of these events have been

  1. The lack of Inherent Safety (Two Too Many Common Causes);
  2. The paucity of publicly available incident analyses; and
  3. The absence of a long-range emergency plan (The Two Second Rule).

A fourth feature is the amount of time (and money) that it is going to take to remediate the site. Even the relatively simple matter of moving the spent fuel rods from Reactor 4 to a safer location is estimated to take 15 months (and, given the extent of the damage to the building, it is sensible to assume that that estimate is on the optimistic side). But that time estimate pales in comparison with the years, and even decades, it is going to take to deal with Reactors 1, 2 and 3. And all the time the threat of another earthquake looms.

OSHA PSM Standard: Proposed Changes

oshaIn the year 1992 the United States Occupational Safety & Health Administration (OSHA) published its Process Safety Management (PSM) standard (29 CFR 1910.119). This was a landmark document for two reasons. First, it required large numbers of companies in the process industries to develop and implement a PSM program. Second, the standard was used by many companies and in many nations to provide the basis for their own PSM programs and rules.

However, 21 years is a long time, and the original PSM rule needs updating in many areas. So OSHA has published a list of 17 proposed changes. The agency is requesting comments on those changes through their Request for Information (RFI) process.

quill_logoWe have written a short, informal overview of the suggested changes. It can be downloaded from

The following general comments can be made about the RFI.

  • Much of the discussion and justification for changes refer to actual incidents. OSHA seems to be using a case-based approach to process safety.
  • There is considerable cross-referencing to other federal and state standards, including New Jersey’s TCPA, the EPA’s RMP and BSEE’s SEMS.
  • It is likely that the number of companies and facilities covered by the standard will increase substantially. Many of them will be small organizations that do not currently have process safety programs.
  • The proposals to do with RAGAGEP reflect a healthy focus on engineering.

Imagine Thinking Backwards


A useful discussion entitled Why Have We Dumbed-Down Safety? at the EHSQ Elite LinkedIn site prompted some thoughts to do with the way we approach hazards analysis.

If the premise of the original post – that safety has indeed been dumbed down – is accepted then one reason may be that we treat safety as a discrete topic: one that is its own discipline rather than being the outcome of the work of all other disciplines and activities. This creates a paradigm in which the “dumbed down” safety professionals think primarily in terms of safeguards such as PPE and emergency response. Yet a safeguard is the last stop in the safety process — indeed if a safeguard is needed then it shows, to a degree, that we have given up on avoiding incidents from occurring in the first place. For example, if the consequence of a hazard is a fire then the use of the fire brigade is not really a barrier, it is an after-the-event safeguard.

Thinking Backwards

Risk is generally divided into three main elements: hazard, consequences and likelihood, as illustrated in the following simple equation:

Risk hazard = Consequence * Likelihood

  1. A hazard — an action or situation that has the potential to cause harm;
  2. The consequences of the hazard: safety, environmental, economic;
  3. The likelihood of the hazard actually occurring.

Many people, particularly safety professionals, tend to approach safety from the right hand side of the equation. For example, a facility may have a pump handling a flammable, toxic chemical. The seal on the pump fails quite frequently. Potential consequences of a seal leak include workers in the area being sprayed with the chemical, a fire at the pump, and health problems for the maintenance workers who have to replace the seal. Management determines that theses seal problems are unacceptable and that the risk should be reduced to an acceptable level.

The first reaction of many people will be to improve the safeguards. For example, the maintenance workers, they can be provided with better PPE. Or maybe additional emergency procedures can be put in place so that someone can be quickly rescued if he or she is overcome.

Of course, there is nothing wrong with these measures, and they may be needed in the short term. But a better long-term approach is to work backwards along the risk equation and to ask if the frequency of pump seal failures can be reduced. Actions that can be taken to reduce likelihood include installing a more reliable seal, improving the training of the maintenance workers, and filtering the liquid being pumped so that solids do not damage the seal.

A better approach, however, is to to continue to move to the left along the risk equation and to reduce the consequence of the hazard, should it occur. In the case of the pump means of doing this could include replacing the liquid with one that is less toxic or flammable, or reducing the inventory of liquid in the pumping system so as to reduce the worst case scenario.

Kletz-Trevor-1However, the best approach of all is to continue moving left along the equation and remove the hazard itself. Adding yet another tribute to the memory of Trevor Kletz, one of his quotations was, “If a tank’s not there, it can’t leak”. So, in the case of the leaking pump seal the undumb safety professional asks questions such as, “Can we use a canned/seal-less pump?” or “Can we replace the pump with a gravity feed system?” (Naturally, these new concepts introduce a new set of risks that also must be analyzed and deemed to be acceptable before they are implemented.)


One of the topics that developed at the LinkedIn discussion referred to at the start of this post was the role of thinking in safety. Although people should always be encouraged to think about what they are doing and how their work could be done more safely, there is value in having people carry out routine tasks in an automated manner — thinking could actually cause them to make mistakes.


Monty Python Gumbies

With regard to the elimination of hazards, however, not only is there a need for thinking, there is a particular need for imaginative thinking. And this type of thinking is hard work. To think imaginatively and creatively puts one in mind of the Monty Python quotation, “My brain hurts”. Therefore, one response as to whether we have “dumbed down” safety is for process safety professionals to do what they can to get people to think about hazards can be removed, and to encourage discussions and analyses that help with the hard work of creative thinking.

Two Too Many Common Causes

Fukushima-2We write the occasional post to do with the on-going, slow motion crisis at the Fukushima-Daiichi nuclear power plant in Japan. The focus of the posts is to look at this event through process safety management eyes to see what lessons we can learn and possibly to come up with insights that can help the managers who are trying to cope with this situation.

This post looks at the topic of common cause events issues and their relevance to the Fukushima-Daiichi situation.


Disclaimer: The writer of this blog does not possess special knowledge of the nuclear power industry, has not worked in a nuclear power plant and is relying entirely on public information gleaned mostly from the Internet to write this material. Hence it is more than likely that many of the thoughts and conclusions presented here will have to be updated or changed as new data or insights are provided. If any nuclear power expert can correct what is written here, particularly with regard to the number of redundant systems, we would be very pleased to publish an update with the appropriate accreditation.


The Timeline

On March 11th2011 north eastern Japan was devastated by the Tōhoku subsea earthquake — the most powerful ever to have hit Japan since records have been kept. The earthquake was followed about 50 minutes later by a tsunami of 14 meters in height. It is estimated that the earthquake and tsunami together resulted in 15,883 deaths, with many others injured or missing. Up to 1 million buildings were destroyed or damaged. Many videos on YouTube and elsewhere illustrate the enormity of these two events: the earthquake and the tsunami. They are not easy to watch.

The earthquake caused extensive damage to the structures of the Fukushima-Daiichi power plant and knocked out the pump systems that supply cooling water to the reactors and the spent fuel pools. The tsunami then overwhelmed the facility’s inadequate 5.5 meter seawall and, most important from a process safety point of view, it knocked out the safety systems designed to keep the reactors cool. Consequently the cores of the reactors overheated leading to  partial meltdowns and follow-on problems, such as the generation of hydrogen gas that exploded. A considerable amount of radioactive material leaked to the ground, the sea and the air — and those leaks appear to be on-going.

At least six consequences

Sign-1Although this catastrophe occurred two and a half years ago, the current state of the facility is still a long way from being properly understood. One reason for this is that there are at least six separate events that need to be considered, and they are all different from one another. They are:

  1. The presumed partial meltdown in Reactor #1;
  2. The presumed partial meltdown in Reactor #2;
  3. The presumed partial meltdown in Reactor #3;
  4. The removal of spent fuel from the Reactor #4 storage facility;
  5. The on-going flow of ground water; and
  6. The integrity of the temporary water storage tanks,

    which are not seismically rated.

(Items not included in the above list are the newer Reactors #5 and #6, which seem to have suffered less damage, and the long-term storage of the nuclear fuel rods after they have been recovered.)

In summary, three large nuclear power plants have probably suffered a partial meltdown and the structure containing the spent fuel rods of Reactor #4 is seriously damaged, and could collapse and/or  allow cooling water to escape — particularly were there to be another large earthquake. Given that this this structure is 30 meters above grade and is outside the containment building, and given that the rods are clad in zirconium that catches fire when exposed to air, this is, to say the least, a tricky situation – one that the operator Tepco (Tokyo Electric Power Company) started to address in November of this year.

This is not a good situation.

Common Cause

There are number of inherent safety/process safety issues to do with the above events. For example, the decision to locate the spent fuel storage pool at a high elevation is a concern, as is the fact that the basement sections of the Reactors 1-4 are below sea level.

However, the issue that this post focuses on is that of two separate common causes. An explanation to do with common cause events is provided in an earlier post in this series (Let’s not make common cause). Briefly, a common cause event is one that causes two separate, supposedly independent systems to fail simultaneously. For example, solid materials in a liquid system may cause both a pressure controller instrument and the high pressure shutdown system to be blocked at the same time. The normal control and the interlock are not independent of one another.


It is critical that the cores (and spent fuel pools) of nuclear reactors be kept cool by a continuous flow of cooling water, even if the reactor is shut down. If this does not happen then a Loss of Coolant Accident (LOCA) takes place.

We do not have copies of the Fukushima-Daiichi P&IDs (Piping and Instrument Diagrams). Therefore, just for sake of argument, we make the assumption that there are two sets of pumps: three operating pumps (O1, O2 and O3) driven by electricity and two backup pumps (B1 and B2) that are diesel-powered pumps and that do not require electrical power. The Fault Tree for this assumed set up is shown in Figure 2. It consists entirely of AND Gates.

We welcome any feedback that will tighten up these assumptions.

Two Too Many Common Causes - Fig 1

Figure 2

We then make the further assumption that the operating pump, O1, fails twice a year and that the two backup operating pumps have a failure to start on demand of 0.05 (i.e., the likelihood that they will start on demand is 95%). Hence the overall failure rate for the operating pumps is (2 * 0.05 * 0.05) yr-1, or 0.005 yr-1 or once in 200 years.

If this system were to fail then the backup diesel pumps would take over. Assuming a failure on demand probability for each backup pump of 0.01 then the failure rate of the backup system is 0.0001. Combining the two systems we get an overall failure rate of one in 20 million years. Which is a big number.

Now comes the earthquake; it knocks out electrical power. Hence all three of the operating pumps fail due to the first common cause: Electrical Power Failure caused by the earthquake. This is bad, but the backup pumps, which together have a probability of failure of 1 in a 1000, can be trusted to work since they have their own, independent source of power (diesel). But, 40 minutes later, the tsunami disables the backup pumps due to a second common cause: sea water flooding. The reactor core continues to generate substantial amounts of heat, but there is no means of removing that heat.

Probabilistic Risk Analysis

The Fault Tree shown in Figure 2 is a highly simplified version of a Probabilistic Risk Analysis (PRA). As can be seen from the example, PRAs often give very low values for the likelihood of a major event taking place. They provide some of the justification for statements such as the following from the Japanese Nuclear Commission in the year 2003,

A fatality due to radiation exposure from an accident at one of its facilities should happen less than once per million years.

The probability of complete core meltdown about 1 in 20,000 per reactor per year.

Although there are no indications to date of there being a fatality due to radiation exposure at Fukushima-Daiichi some of the workers have been exposed, so the possibility of a fatality is real. The “once per million years” has become “once per thirty years”.

And within the last three decades there have been three major nuclear power plant events:

  • Three Mile Island (1979)
  • Chernobyl (1989)
  • Fukushima-Daiichi (2010)

One reason for the disconnect between expected failure rates and actual failure rates is that PRA analysts may overlook common cause events such as earthquakes and tsunamis.

That would be telling


We published this post almost two years ago in recognition of the contributions to process safety made by Trevor Kletz. We are reorganizing some of our blog sites and have re-posted this one here. It’s as relevant as ever.

The Kletz Legacy

Kletz-Trevor-1In recent weeks many of us who work in the process safety discipline have of written of our appreciation for the work of Trevor Kletz, who passed away in October of this year. Probably his best eulogy is also the simplest, “He saved lives.”

As we reflect on Trevor’s contributions it is clear that one of his greatest gifts was that of telling stories. He wrote extensively on technical topics such as hazards analysis and inherent safety, but he is probably best remembered for his story-telling books such as Learning from Accidents and What Went Wrong? Human beings learn best from stories and Trevor knew it.


The lesson to do with the importance of story-telling was recently driven home for me when reading the first part of the Book of Exodus as part of a homework assignment. It’s a real page turner, replete with the infant Moses in the bullrushes, the Pharaoh’s daughter, the Nile full of blood, plagues of frogs and boils and locusts, the slaughter of first-born sons, and lambs’ blood on doorposts. All of human life is there.

As part of the same study I read a modern, earnest, thoroughly researched book that explained these phenomena in sensible terms (for example, the “blood” in the Nile could have been red soil washed down from the mountains of Ethiopia). The book further pointed out that there is little non-Biblical evidence of an exodus from Egypt. Guess which book caught my attention? The one that told the story, of course. The other book? Worthy as it was, I remember neither its title nor the name of the author.

The catch is that few people who work in the process industries have Trevor’s communications skills. Process safety professionals typically have a technical background, often engineering; they are not skilled at story-telling and have no training in it. Probably the nearest they get to telling a story is when they have to write the report following the investigation of an incident, and then company guidelines and legal advice provide little freedom for telling a story.

Safety Communication

The need to communicate is one of the most important rôles of process safety professionals. For example, most companies start formal meetings with a Safety Moment. This is an ideal time to tell a story about some process safety event. Indeed, many such meetings include either a Process Safety Beacon from the Center for Chemical Process Safety or a video from the Chemical Safety Board for just these reasons.

We are also developing a library of process-oriented Safety Moments. Here is the list at the time of writing. Please check in at our videos index for the latest list.

Publications and videos such as these are useful for all employees, but they are particularly useful at facilities that have a good safety record. It reminds the people who work there that “It” can happen anywhere, any time.

These Safety Moment videos can also serve as the basis of workshops. For example, the Mumbai High North event is structured so as to have participants analyze what happened in terms of the elements of process safety.

Elements of a Story

A properly structured story has five elements:

  1. Characters
  2. Setting
  3. Plot
  4. Conflict
  5. Resolution


Stories are about people. In the process industries we cannot generally reveal names and personal details for both ethical and legal reasons. However, we can often identify the persons involved with a job title such as “Operations Superintendent” or “Lead Instrument Engineer”. These titles usually give the reader enough information to visualize the persons involved and what their roles and responsibilities were likely to have been.

The excellent video of the Piper Alpha catastrophe presented by Brian Appleton is very much worth watching in its entirety. But it is the final few minutes (42:12 to 46:03) that are the most attention-grabbing because the whole tragedy is cast in human terms.


The setting is where the action takes place. The location for process safety events is usually clearly defined and can often be associated with pictures or videos. (There are exceptions. If one of the causes of an event was a design error, then the setting is likely to be a nondescript, air-conditioned office in a suburban office park.)


It is unusual for a process safety event to involve conflict between people (although it was a factor in the Deepwater Horizon catastrophe). However, conflicting departmental goals are often a factor — particularly the perceived clash between safety and “getting the job done”. We may instill the mantra, “There’s always time to do a job safely” into people. But they do not always behave that way.


Events in the process industries may not have a plot in the sense of anticipating what happens. After all, it is usually the conclusion in the form of a fire or explosion that raises the initial awareness. Nevertheless the multiple parallel timelines that converge on the final event provide the makings of an excellent plot.

Of course, as Peter Cook points out in his video (2:30 to 7:26) to do with the coal mining industry, it is good if some romance can be added to the plot. This is rarely possible in the process industries.


The stories we tell should have a resolution. In the case of major events such as Piper Alpha or Deepwater Horizon the resolution could be new ways of managing safety (Safety Cases) or the introduction of new regulations (SEMS). Even less dramatic stories should always provide guidance to better behaviors or improved management systems.

A Picture Tells a Thousand Words

iPad-1Not only do people learn from stories, they also learn from pictures and videos. And this is one area where the process safety business has a huge arsenal of tools, ranging from quick safety moments to more lengthy recordings captured by security cameras. And these pictures and videos are now quickly disseminated through social media sites and then viewed on tablets and other portable devices.

A video clip such as The True Meaning of Offshore Safety has an impact that no written report can ever have. This is not to say there is no role for written text. On the contrary, the video provides no background information on issues such as fire protection on the riser, the presence of subsea isolation valves, and coordination with other platforms. Videos and text work together.

Barriers to Sleep


What keeps executives and managers in the process industries awake at night? We are not aware of any survey on this topic, but a reasonable guess is that they worry about being woken up to hear that their organization has suffered a catastrophic event similar to Flixborough, Macondo, Texas City, Piper Alpha, or Bhopal. They fear catastrophes.

So how do they reassure themselves? What audit tools can help them get a good night’s sleep? A previous post in this series – Black Swans and Bow Ties – noted that the Bow Tie method for analyzing and communicating risk has gained considerable traction – in large part because it can be good communication tool. But, although normally used for hazards analyses, Bow Ties have other applications. It is suggested in this post that one of those applications is to measure the organization’s exposure to catastrophic events.

However, before looking into this use of Bow Ties it is useful to look at two other tools that can help achieve the same goal: Culture and Key Performance Indicators.


Deepwater Horizon ReportThere has been much discussion in the process industries in recent years concerning culture. For example the National Commission’s report to the President to do with the Deepwater Horizon uses the word culture many times. The following quotation from that report is representative,

It is critical . . . that that companies implement and maintain a pervasive top-down safety culture . . .

Although improvements in culture will undoubtedly reduce the risk of a catastrophic event, the practical challenge is how to measure those improvements. For example, in response to the various recommendations regarding culture from reports such as the one just cited, the Bureau of Safety and Environmental Enforcement (BSEE) issued a Culture Policy Statement. It contains nine guidance topics of which the following is representative.

3. Personal Accountability. All individuals take personal responsibility for process and personal safety, as well as environmental stewardship.

Certainly personal accountability is an important part of culture – but identifying and measuring it is a challenge. And the BSEE document provides little guidance.

OGP 456

Computer workstation isolatedThe International Oil and Gas Producers (OGP) Report No. 456 (November 2011) is entitled Process Safety — Recommended Practice on Key Performance Indicators. (The API Recommended Practice 754 is similar.) The report identifies Tier 3 and 4 Key Performance Indicators (KPIs) that can help managers understand track the likelihood of occurrence of high consequence events.

The KPIs are organized into barrier categories such as Plant Design, Safety Instrumentation and Start-ups and Shutdowns. For each barrier various Tier 3 and 4 indicators are provided. The following are examples.

Tier 3 KPI for Operational Procedures:

Number of operational shortcuts identified by near misses and incidents.

Tier 4 KPI for Hazard Identification and Risk Assessment:

Average number of hours per P&ID for conducting (a) baseline PHAs, (b) PHA revalidations.

As with Culture these barriers are difficult to assess quantitatively. Some of the difficulties to do with the above selections include:

  • The reporting of near misses is problematic. For example, if an operator takes a shortcut and is about to open the wrong valve but then realizes her error and opens the correct valve, it is unlikely that this potentially serious event will be reported. She may not even recognize that she just had a near miss. And even if she does understand she may not report the incident for fear of reprimand. What’s in it for her?
  • It may not even be obvious as to what constitutes a shortcut. No written procedure can spell out literally every step that must be taken to run a process plant.
  • With regard to the second of the above KPIs, the guidance seems to assume that the quality of a Process Hazards Analysis (PHA) will improve if more hours are spent on it. Yet a lengthy analysis may be a symptom of inefficient leadership or a poorly qualified team. A well-lead team of experts will move both briskly and effectively.

Bow Tie

Bow Tie Risk ManagementIn order to make the use of barriers more helpful to the sleepless manager it is suggested that a system is needed that meets the following criteria.

  1. Only quantifiable parameters should be used. Topics such as “personal responsibility” which are qualitative and subjective are excluded.
  2. The barriers should be should be easy to audit.
  3. The audit results should provide enough data to allow for the statistically significant  derivation of conclusions.

One way in which the above requirements could be addressed is as follows.

  1. Develop a series of bow tie diagrams covering a range of different types of operating and maintenance activities.
  2. List the barriers in each diagram.
  3. Conduct regular audits to determine the quality of the barriers. Assign a value to each barrier: ‘0’ broken, ‘1’ degraded, ‘2’ functioning.
  4. Develop a spreadsheet to measure trends. If there are say 20 bow ties with an average of 30 barriers each then a perfect score is 20 x 30 x 2 = 1200 points.
  5. Repeat the audit frequently so as to develop trend lines.

Barriers should be strictly verifiable. For example, the barrier “High level alarm sounds” can be readily checked. The barrier “Instrument technician trained” can also be checked by reviewing training records, although this is slightly more subjective since attendance at training does not assure competence in the field. The barrier “Instrument technician takes shortcuts” is almost impossible to validate — at least in the short term — so it should be excluded from the list.

Clock-2If the number of failed barriers is low, and if the trend line is favorable, then the manager can go to bed confident that the only thing that will wake him is the alarm clock (or the Black Swan mentioned at the start of this post).