The root cause of all accidents is uncontrolled change. Leaving aside sabotage and other malicious acts, all industrial facilities are designed and operated to be safe, clean and profitable - yet incidents continue to occur. In every case, the fundamental cause of the incident is that someone, somewhere lost control of the operation, i.e., they allowed operating conditions to deviate beyond their safe range.
Hence, the proper management of change is the foundation of all safety and accident prevention programs; an effective Management of Change (MOC) creates an atmosphere of "no surprises". Likewise, the day-to-day lives of everyone associated with that operation will flow more smoothly and productively when operations are stable. It is when there are upsets and unexpected problems that managers are subject to out-of-hours telephone calls from the plant, complaints from unhappy customers and unsolicited offers of help from corporate headquarters.
Because of its central role in assuring safety, Management of Change is a critical component of all Process Safety Management (PSM) programs.
The Meaning of the Word "Change"
It is imperative to clearly define the word "change" in the context of a Management of Change program. OSHA considers a change that is not a "replacement in kind" as one that requires an MOC review. However, the term "replacement in kind" needs further definition. After all, as discussed below, all changes are "not in kind" if examined closely enough.
Some thoughts on the types of change that take place in a process facility are provided below.
An initiated change occurs when someone, usually a manager or an engineer, decides that he or she would like to modify the operation so that conditions move outside the current safe operating range. The following are examples of initiated change:
- A process engineer proposes an increase in reactor temperatures in order to increase production.
- The operations manager plans to manufacture a new grade of chemical using existing equipment.
- A chemist suggests the use of a new additive to improve yields.
- An operator requests that the logic of a control loop on a distillation column be changed in order to improve product quality.
- A maintenance engineer proposes that the size of a pump motor be increased in order to reduce the number of times that the pump trips.
The key to all of these situations from a Management of Change point of view is that the person involved proposes to operate the plant at conditions that have never been experienced before. Hence, there is no direct operating knowledge or experience as to what will happen following the change. Therefore, changes of this type will generally need to be analyzed carefully, often through use of a multi-discipline hazards analysis team.
Reactive Change
A reactive change is one that occurs spontaneously; unlike initiated change, a reactive change is not created by a person's conscious decision. Corrosion is a common example of a reactive change; a vessel or a pipe may be gradually losing wall thickness without anyone knowing about it until an unplanned incident, such as a leak from a pipe, occurs.
Organizational and personnel changes are often reactive. For example, management may decide to eliminate a night-shift position in the lab, not realizing that the system has now "changed" and that safety-critical analyses may not be available to the operations personnel.
Reactive changes cannot be effectively controlled by the Management of Change program because they occur by themselves, not because someone wishes for them to occur. Therefore reactive changes have to be addressed through other elements of the facility's Process Safety Management (PSM) program. These elements include Equipment and Instrument Integrity, Process Hazards Analysis and Incident Investigation.
Reactive changes can be either overt or covert. An overt change is one that is known about, and whose consequences can be mitigated before an accident actually takes place. For example, if an operator notes that a key variable such as a reactor temperature or a tank level is getting out of control, he or she is witnessing an overt reactive change. If allowed to continue, an accident may occur, so some sort of action must be taken.
Overt change is often gradual and can be controlled when detected. For example, if the facility has an equipment integrity program to monitor changes in wall thickness caused by corrosion then potentially critical situations can be corrected before they result in a leak.
Overt, reactive changes can sometimes be identified if it is found that the operations or maintenance personnel have developed "work-arounds" in response to a problem that they are experiencing. The following are examples of such work-arounds.
- Operators start a certain compressor in a non-standard manner because the way in which it is currently done frequently causes electrical surges that upset operations in other parts of the facility.
- A warehouse worker suggests that spare parts be stored in a different way because the current system has led to a number of mix-ups, some of which could have led to an accident.
- A pipe fitter suggests that a certain nozzle be made of a higher grade of steel. An investigation as to why he made the recommendation reveals that the existing system is suffering from excessive erosion, and that it has to be repaired frequently. Failure of the nozzle identified by the pipe fitter could lead to a release of hazardous chemicals.
A covert change is not known about before it "announces" itself - often quite suddenly. For example, if no one knows that a particular pressure vessel is corroding, then the first indication of a problem will be when the vessel starts to leak. It is not generally possible to install safeguards to identify covert, reactive changes because those changes are inherently unpredictable.
Covert changes sometimes occur to utility systems that serve more than one operating unit. Each operating unit may make properly controlled changes to its own equipment, not realizing that such changes are having a system effect. For example, new equipment that has been added to the facility over a period of years may have created an unidentified overload of passive safety systems such as the flare header and the closed drain system. In an emergency, these overloaded safety systems may fail to provide adequate protection. The changes in one area thus have an impact on other areas.
Another example of covert change occurs if a plant installs a new process that handles a highly toxic gas. If there were to be a release, the gas could cross the plant boundary and enter another plant that is owned by a different company. This second plant may not have the appropriate emergency response program to handle a release of this gas.
In-Kind / Not-In-Kind Change
The phrase "not-in-kind" change is used extensively in Management of Change literature, and has already been referred to in the discussion of the OSHA standard. If an equipment item is to be replaced with one that is functionally identical, i.e., if the new item is built to the same specification as the old one, then the change is "in-kind". Otherwise it is "not-in-kind", and the MOC process has to be followed before the change can be implemented.
The In-Kind/Not-In-Kind decision is critically important. The most challenging aspect of managing change is identifying that the proposed modification is in fact a change. An incorrect assumption that a proposed change is in-kind could lead to a serious incident. (The opposite scenario is less of a concern. If the change is incorrectly determined to be not-in-kind, but later turns out to be in-kind, then the only loss is that some time has been wasted on unnecessary evaluation.)
Because of the criticality of this decision, the supervisors and lead operators need to be thoroughly trained in deciding whether a change is in-kind or not-in-kind, particularly since the choice of in-kind change offers a tempting way of by-passing the whole Management of Change process.
Unfortunately, the distinction between in-kind and not-in-kind changes is not as simple as it might appear. In particular, there are two difficulties that must be considered in the context of Management of Change, the first of which is to do with circularity of meaning of the following type:
- Management of Change is needed if the change is Not-In-Kind.
- A Not-In-Kind change is one where Management of Change is needed.
In other words, the terms "Management of Change" and "Not-in-Kind" tend to be defined in terms of one another.
The second difficulty to do with the In-Kind/Not-In-Kind decision, noted above, is that all changes are, when analyzed deeply enough, not-in-kind. Even if an item of equipment is being replaced with a supposedly identical spare, there will always be differences between the replacement and original items. For example, the new item will have been made by different people, at a different time, possibly with different machinery. It may have been stored for a different length of time, and may be installed by different people, who have different levels of training and experience from those who made the first installation. When evaluated rigorously in this manner, all changes are not-in-kind.
Generally, differences such as those just described will not be significant, but small changes can cause large accidents. At one facility, for example, a very serious accident resulted when a supposedly in-kind replacement gasket was inserted into a filter housing as part of a routine operation. The new gasket leaked, and a major fire ensued, resulting in extensive equipment damage and many weeks of lost production (fortunately no one was injured). After the event it was determined that the new gasket was not in fact identical to the old one, even though all parties concerned had thought that it was. (A further significance of this incident was that the uncontrolled change occurred in the facility's warehouse - an area that would not normally be considered when developing Management of Change programs.)
Based on the above discussion, a replacement equipment item can be judged to be in-kind if it meets the following criteria:
- Same Specification
If the replacement item has the same technical specifications as the original, then it is In-Kind. These specifications typically include material(s) of construction, dimensions and weight.
- Same Service
The service in which the item is being used should not have changed. Process conditions, including pressure, temperature and process materials, must be the same as for when the original item was in service. Also, the inspection and maintenance requirements should not have changed.
- Procedural Replacement
The replacement should be a routine operation - one carried out by operations and maintenance technicians with a consistent level of training and experience. Either the item is replaced as part of a preventive maintenance program, or experience has shown that it wears out within a known period of time and then must be replaced. If the original item is failing inexplicably, then simply putting in a replacement part is not sufficient. There must be some reason for the system failures - they could be occurring because the system has changed in some undetected manner. Hence use of the MOC system is required.
- Replacement - Not Improvement
The new item should be a genuine replacement - not an improvement on the old one. If the purpose of the replacement is to upgrade the operation in some manner, then the change is not in-kind. For example, if a new vendor is used to replace an identical part to the same specification as the old part, the change may not be In-Kind. After all, the reason for using the new vendor is that management wanted to make a change to the system (probably to reduce costs or improve system reliability). Therefore, there must be some difference between the old and the new products in order to explain why the new vendor was chosen. For this reason, a decision to change a vendor or a supplier should generally be validated using the Management of Change process.
The Change Process
An eight-step process for implementing a Management of Change (MOC) process is illustrated in Figure 1 below. This structure attempts to address all the issues that need to be covered when evaluating and recommending change. Even if a different system is being used, each of the topics described in this eight-step approach should be covered by whatever Management of Change system is being used.
Eight-Step MOC Process
Section A - Initiator Request
The change process starts when someone identifies a problem that needs to be corrected, or believes that there is a better way of operating the process. That person is referred to here as the Initiator. Usually, the initiator will be a manager, a supervisor or an engineer. However, the Management of Change system should be open to all; anyone should feel free to propose changes that they believe will make the facility safer, cleaner and more profitable.
The ultimate success of the Management of Change system depends on people being willing to suggest changes. There is little value in having a high quality change review process if it is never used or if it is routinely bypassed.
Section B - First Review
Following the initiation of the Management of Change process, the next step is to carry out the First Review, which should be informal and relatively unstructured. It is sometimes referred to as the "red-face" test.
Section C - Detailed Evaluation
Up to this point, the change process has involved only a few people, and has been relatively informal. If the proposed change still seems to have merit it can now be submitted to the Management of Change system, where it will be evaluated by a team of people representing different disciplines and specialties. This is the detailed evaluation step.
Section D - Selection and Approval
Once the proposed change has been thoroughly evaluated, and a list of possible recommendations prepared, facility management must select what is considered to be the best choice, and formally approve that choice.
Before a change can be implemented, it must be formally approved and accepted by the plant management. This approval is necessary to meet the requirements of the process safety regulations. The approval also serves as a formal record should there ever be an accident in which the change is implicated as a possible cause. In practice, if the detailed evaluation in Section C was carried out thoroughly, this formal acceptance step should not take long, and should be little more than a formality.
Section E - New Limits / Process Safety Update
Once the change has been approved, new safe operating limits are defined and the engineering documentation can be updated. All persons that are affected by the new values must be informed. They must also be trained in what to do if the new limits are exceeded.
Section F - Notification
Before the change is actually implemented, all affected parties should be notified. This is usually done via e-mail. The notification process is distinct from training; it concerns those people who have some peripheral involvement with the consequences of the change, but who are not directly affected by it.
Section G - Implementation
Finally, the change can be implemented.
Section H - Follow-Up
Once the change has been implemented, there should be a follow-up to make sure that all precautions and preparations were handled properly.