Why tackling PSM silos is vital to sustaining safe performance
14 August 2017
An ABB research project has found the silo factor is the main cause of the uncoordinated and disjointed approach to Process Safety Management (PSM) in high hazard industries. In this paper, Conrad Ellison and Graeme Ellis of ABB present the common PSM weaknesses that have been identified, discuss their underlying causes and present some ideas on how to eradicate the factors that can lead to silo thinking.
The research project, carried out by ABB’s global engineering and consultancy group, was based on almost 500 recommendations from 16 site process safety risk assessments carried out over recent years.
Without urgent attention to this endemic problem, we could be lowering our defences against more disasters on the scale of Buncefield, Texas City and Macondo in future. Such events have intensified focus on process safety management, leadership, key performance indicators and competence in recent years.
The uptake of these activities by operating companies and industry bodies is certainly encouraging. Amid tighter budgets, however, and a sharper focus on balance sheets, process safety performance is being threatened by the interminable rise of the silo factor - an inability within process safety management circles to collaborate and be consistent across all departments in the organisation.
The UK’s Health and Safety Executive (HSE) is still seeing evidence of process safety management approaches being disjointed, with a wide variation in the uptake and application of PSM. HSE investigations and inspection programmes show no shortage of serious failures to adequately manage process safety risks.
Furthermore, the latest EU Major Accident Hazard (MAH) directive, ‘Seveso 2015’, calls for operators to review ‘Global’ lessons learned from industry and demonstrate that they are understood and that systems are implemented to reduce the likelihood of occurrence. Any company reviewing, for example, the EU’s Major Accident Reporting System (eMARs) web site will see that major incidents continue to occur, though not attracting the same media attention as given to some of the events in the last decade.
There are clear economic benefits from tackling the silo factor - for example not over-specifying equipment, reducing the amount of in-service testing and inspection, more efficient sharing of process safety information and not duplicating safety studies.
The aim of this paper therefore is to encourage industry wide debate that will help to take the high hazard sector closer to an agreed and consistent approach to process safety management.
As you will see, our research highlights some interesting findings. Some are surprises, others, simply worrying. What is clear is that silo practices in process safety management are a real and present threat facing the process industries and that we have a significant job on our hands to tackle this issue.
What is the silo factor?
Modern PSM is complex and involves an array of engineering disciplines, functions, and often different businesses in ensuring that performance is sustained or improved.
Each engineering discipline, function or business involved in PSM has its own responsibilities and role to play in the overall PSM picture. However, most of the parties involved are also responsible for many other day-to-day activities, such as production, quality, cost savings or process improvements.
The silo factor we are describing occurs when each of these parties thinks more about optimising their own area of responsibility and less about optimising the overall organisation’s PSM performance. Effective performance of the PSM system, however, can only be achieved through integrated and collaborative thinking and processes that encourage a constant focus on MAHs.
One way the silo factor can impact on PSM can be seen through an example of the maintenance organisation; they play a very important role in ensuring that safety critical protective systems are appropriately tested and maintained. This focus can potentially be lost however, as they also maintain many other systems that are not safety critical. The maintenance team may see benefit from standardising test intervals and maintenance methods across all of the systems they are responsible for, but in doing so can lose sight of the safety critical nature and requirements of protective systems.
Another way the silo factor can negatively impact both PSM and financial performance is linked to the inconsistencies found in sharing and passing on information. Using a maintenance example again, the technicians need information to understand how, for example, a temperature sensor is protecting against a runaway reaction so that they can assure adequate reliability of the measurement device. This needs to be communicated to others if any changes they make (for example testing less frequently or introducing a more reliable device) may reduce or increase the level of protection provided. This information could allow operations to determine that the risk is now too high to continue operations or for the process safety team to determine that another independent protective system is no longer required.
A robust management of change system is at the heart of ensuring the communications described above, but achieving effective communication flow in every instance, given the often very different systems for storing information, is a real challenge. Often the silo factor impedes this flow of information.
Findings of common weaknesses in PSM systems
At ABB, we strongly support the HSE view that any person responsible for process safety in an operating company needs to be able to answer ‘yes’ to the following three questions:
What does process safety cover?
* Do we understand what can go wrong?
* Do we know what systems we have to prevent this happening?
* Do we have information to assure us these systems are working effectively?
By implementing robust process safety hazard identification and risk assessment processes during design, comprehensive risk controls during operations and maintenance, and implementation of reliable monitoring of these risk controls, we should all be able to answer ‘yes’ to all the above.
Yet through our analysis* of over 500 recommendations from 16 site process safety risk assessments carried out over recent years, we have identified that many operators cannot answer ‘yes’ to the above due to inconsistencies and in some cases a complete lack of information sharing.
The pie chart below shows the most common areas of weakness identified in the studies. Some examples to illustrate typical issues are then described below.
Common areas of weakness
Inadequate testing of safeguards - which addresses the third of the key PSM questions. Example findings include:
* Not differentiating between safety critical and other systems. ABB found in certain cases that the term ‘safety critical systems’ was not in place and therefore there was no differentiation in the standard of testing for all systems
* Lack of access to design or previous inspection data
* Not completing end-to-end proof tests of safety instrumented systems. ABB found that in many cases the Electrical, Control and Instrumentation (EC&I) team specified the testing requirements, end-to-end testing of ‘barriers’ was not in place, and no reference to Process Hazard Analysis (PHA) documentation was being made in determining testing requirements
* Reduced maintenance on safety critical measurement devices leading to increased plant trips
Inadequate PHA information - which addresses the first of the key PSM questions. Example findings included:
* Not reviewing PHA assessments when designs are modified or new ones introduced
* Not updating LOPA studies based on real reliability data
* Not identifying critical alarms based on the PHA
* Not documenting PHAs well enough to pass on the nature of the hazardous event or the likely consequences. This often means that the SIL determination stage has to ignore the poor PHA output and start from scratch to identify hazardous events
* Not updating PHA records following an incident or near miss. ABB found that for one company a potential fatality near miss had not been captured as part of the PHA process
Inadequate safeguards in place - which addresses the second and final of the key PSM questions. Example findings included:
* Not providing operators with information on how to respond to alarms
* Not considering some of the relief scenarios identified in the HAZOP during relief system design
* Frequent removal of some elements of trip systems during certain operations
Poor understanding of hazards - is another common theme, with examples including:
* No regular training in key hazards being given to operators. When conducting reviews ABB often finds that operators are not aware of worst case credible events as a result of PHA documentation not being shared and process safety training not being carried out effectively
* Risk assessment reports not being accessible
* Not investigating incidents adequately to identify potential new weaknesses
Lack of clarity about the basis of safe operation and a lack of alignment between emergency responses and the PHA. Example findings include:
* Unnecessary protective and emergency response systems not being removed when no longer required
* Safety equipment not being positioned where hazards are located
* Procedures not being updated when new best practice is available
Our analysis of the findings suggests there are a range of common weaknesses as well as areas of best practice. That said, in most cases the weaknesses were in some way a result of silo approaches to PSM with different functions / specialists / departments not integrating effectively.
The process safety implications of many of the examples above are clear with instances of: people performing safety critical tasks without understanding the significance of these tasks and the hazards they are protecting against; protective systems not designed with an adequate understanding of the scale of consequences they need to protect against; and management systems not identifying and rectifying shortcomings.
There are also economic implications from silo thinking such as: people recreating information that exists in another silo; protective systems that are over specified and expensive to maintain; and management systems that don’t identify the true risks and therefore fail to focus scarce resources on the areas of greatest concern.
PSM requires an integrated approach across the organisation. Poor PSM performance through silo behaviour means that there is potential for the holes in the ‘Swiss cheese’ model to align - each silo should be focussed on making sure that their slice of cheese has fewer, smaller holes, but who is accountable for making sure that small holes don’t line up?
What leads to silo behaviour?
We can consider the six main areas of shortcoming identified in the research and use these to explore the underlying causes of the silo factor.
The silo factor related causes of PSM weaknesses linked to inadequate PHAs include:
* Poor initial PHAs due to a lack of availability of relevant information
* PHA findings not being clearly recorded in a way that takes into account the needs of the subsequent users (silos)
* PHA results not being shared with the right people or in the right format
* PHA actions not being well specified or closed out robustly
* Consequences not adequately described or modelling results not made available in a consistent manner
Weaknesses linked to inadequate safeguards arise from failure to:
* Validate that the specified safeguards adequately deliver the risk reduction required by the PHA
* Robustly ensure all risk reduction requirements are identified, designed and installed
* Appropriately prioritise efforts towards major accident hazards
The other silo related causes of shortcomings, covering the other four themes, include:
* Safeguard test intervals and procedures not consistent with PHA findings
* Test results not being reviewed and fed back to PHA teams to update assessments
* People carrying out safety critical tasks not being informed and trained in plant risks and PHA findings
* Hazard identification and risk control documentation not being simplified in a suitable format for all staff to understand
* Management of change not considering every step of the risk process from PHA to auditing and training
Analysis of PSM shortcomings from sample audits.
It can readily be concluded that the majority of the above causes relate to effective and clear two-way communication of all relevant process safety information between the various departments in the organisation.
How can the silos be broken down?
In concluding, it is important to point out that removing silo behaviour, whilst vitally important, is not enough on its own to assure good process safety performance - that line of thinking is a good example of silo thinking. Effective PSM requires each area / silo to operate effectively in its own right, but in addition there must be no impediments to the flow of information between each of the many groups involved in delivering PSM. Indeed, there needs to be careful thought around the implementation of processes and protocols to ensure formal two-way communication is consistent and becomes embedded as ‘business as usual’ within operators.
The aim of this paper, as previously stated, is to spark some debate as to how to overcome the organisational factors that can lead to silo thinking. So we conclude by suggesting three key areas that must be considered to avoid silo thinking.
Accountability and oversight
Who in your organisation is accountable for the overall management of process safety risk? These are the people who must look across the slices of cheese and make sure that the holes don’t align. They must ensure that information in a consistent format flows freely between the different parties and that the whole system is healthy by having an adequate range of audit programmes and other measures of performance in place.
What needs to be communicated to and by each party?
A shared understanding of this information flow is a good starting point for making sure that it is achieved. Identifying the barriers to the smooth flow of information and taking them down may mean looking at procedures, systems and information storage. A key requirement is to ensure that there is an effective relationship between MAHs and safeguards and that this relationship is managed continuously during the safety lifecycle.
How to simplify PSM and pass on the information everyone needs in ways that they can understand and act on?
PSM can be very complex and some elements of it very technically challenging, but many groups need only the clear simple messages. The output from a HAZOP is not for the HAZOP team, but for the people that need that information to determine criticality, understand the top site hazards etc.
So can the output be simplified to give them something that meets their needs? Can aids to communication, like bow-ties, be used more effectively to share the overall picture more widely?
We would be very interested to hear your feedback on the ideas in this paper and about your own related experiences. Please do get in touch and express your interest in this topic so we can share with you more information on our research.
About the authors
Conrad Ellison is a Fellow of the Institution of Chemical Engineers and a chartered environmentalist with 28 years of process engineering and process safety experience.
He has supported numerous organisations across the process industries with their COMAH Safety Reports and has extensive Hazard Study experience majoring on HAZOP and Process Hazard Review studies across the chemicals, petrochemicals, pharmaceuticals, power and oil and gas sectors. He also advises and supports companies on aspects of Process Safety Management.
Graeme Ellis is a Principal Lead Consultant with ABB with 35 years’ experience in the process industry, now specialising in Process Safety for major hazard installations. He is a Fellow of the IChemE and initially worked as a Process Engineer in design for MW Kellogg and Hercules before gaining operational experience and training as a hazard study leader with ICI. Since 1994 Graeme has provided PSM consultancy services in all sectors of the process industry, specialising in PHA revalidation for existing operations. He is a member of the UK Energy Institute Process Safety Committee, and completed an update of EI guidance on Inherent Safety in Design in 2014.