OECD Guiding Principles for Chemical Accident Prevention, Preparedness and Response - Third Edition
2. Prevention of chemical accidents: Principles to industry
Abstract
This chapter recognises that enterprises have primary responsibility for chemical accident prevention and that safety should be an integral part of all phases of an enterprise from design and construction, through operation and maintenance, to decommissioning/closure/demolition. In addition to addressing the role of management, it also includes provisions relating to the role of labour (defined to be all employees other than management working at or on behalf of a hazardous installation including (sub)contractors).
Corporate governance and process safety management
“Corporate governance involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.” (OECD, 2015[1])
“The major objective of Process Safety management of highly hazardous chemicals is to prevent unwanted releases of hazardous chemicals especially into locations that could expose employees and others to serious hazards.” (OSHA, 1994[2])
At hazardous installations, there is a need for high standards of corporate governance and safety management.
Analysis of past incidents reveals that inadequate leadership, poor organisational culture and lack of safety management have been recurrent features, with:
A failure to recognise things were out of control (or potentially out of control), often due to a lack of competency at different levels of the organisation.
A failure to manage process safety effectively and take the necessary actions.
An absence of, or inadequate, information on which to base strategic decisions – including the review and evaluation of safety management systems.
A failure to understand the full consequences of changes, including organisational ones.
There are four key components to achieving high standards of corporate governance and safety management that are described in this section (see Figure 2.1).
Recognise the essential elements of corporate governance for safety
Corporate decisions have a direct bearing on process safety outcomes. They set the vision and culture for the whole organisation.
Be a leader in process safety
Senior leaders should:
Keep process safety on their agenda, prioritise it strongly and remain mindful of what can go wrong.
Encourage people to raise process safety concerns and be transparent about negative situations which may involve significant costs or disruption to operation to deal with them. This requires the development of a climate of trust within the organisation.
Be aware of situations where people may feel compromised due to loss of face.
Take every opportunity to be a role model, promoting and discussing process safety.
Delegate appropriate process safety duties to competent personnel whilst maintaining overall responsibility and accountability.
Be visibly present in their businesses and at their sites, asking appropriate questions and constantly challenging the organisation to find areas of weakness and opportunities for continuous improvement.
Promote a safety culture that is known and accepted throughout the enterprise (see section on developing and maintaining a safety culture below).
Understand the vulnerabilities and risks
Senior leaders should know the hazards and risks at installations. They should:
Know the importance of process safety throughout the life cycle – whether the design, operation and maintenance phases of their manufacturing facilities, or storage, logistics and decommissioning at those locations.
Understand the critical and different layers of protection that are in place between a hazard and an accident and seek to strengthen those layers continually.
Ensure appropriate and consistent management systems for analysing, prioritising and managing the risk, including strong management of change processes for people, technology and facilities.
Personally involve themselves in risk assessing the process safety impact of any proposed budget reductions and production at the expense of process safety risk.
Take responsibility for emergency planning for the range of consequences from a process safety incident including the credible worst-case scenario.
Know the hazards and risks at installations where there are hazardous substances.
Share information and ensure data drive process safety programmes
Senior leaders should have metrics which help to monitor the health of the process safety culture and management systems. They should:
Ensure that the organisation analyses audit and assessment results.
Monitor site- and corporate-level process safety key performance indicators and near misses.
Have metrics which help to monitor the health of the process safety culture and management systems.
Actively share experiences and learning within their own organisation and within other high-hazard sectors and ensure an appropriate, high-quality follow-up.
Establish safety management systems and monitor/review their implementation. Seek continuous improvement (see section on maintaining and establishing a safety management system below).
Ensure the organisation’s competency to manage the hazards of its operation
Senior leaders should ensure the continual development of process safety expertise and learn from new regulations and guidance. They should:
Understand which questions to ask their personnel and know which follow-up actions are necessary.
Ensure there are competent management, engineering and operational personnel at all levels.
Ensure continual development of process safety expertise and learning from new regulations and guidance.
Provide resources and time for expertise-based hazard and risk analyses, effective training and comprehensive scenarios planning for potential accidents.
Defer to the expertise of personnel and do not dismiss expert opinions. They provide a process or system to ensure company leaders get expert process safety input as a critical part of the decision-making process for commercial projects or activities.
Ensure that the organisation monitors and reviews the process safety competency of contractors and third parties.
Be capable of openly communicating critical aspects of process safety with all internal and external audiences.
Articulate and drive active monitoring and plans
Senior leaders should engage in articulating and driving active monitoring and plans. They should:
Ensure practices are consistent with corporate process safety policies.
Ensure that safety measures are incorporated at the earliest conceptual and engineering design stages of an installation to enhance the intrinsic (inherent) safety of the installation wherever practicable.
Incorporate process safety considerations into major capital investments, long range planning and integration of mergers or acquisitions.
Ensure process safety risk mitigation plans and emergency response plans are developed and maintained for all sites within their business and at an organisation-wide level, with appropriate levels of competent resources available to execute the plans.
Ensure implementation of both process safety risk mitigation plans and reviews of progress versus the plans at the site and corporate levels.
Monitor that corrective actions are applied and closed out promptly following audits and after thorough root cause investigations of all incidents, including potentially high-consequence near misses.
Senior leaders should refer to the OECD Corporate Governance for Process Safety: Guidance for Senior Leaders in High Hazard Industries (2012[3]), which highlights the skills and knowledge required to actively develop and maintain a mature safety culture (see Box 2.1).
Box 2.1. OECD Guidance on Corporate Governance for Process Safety: Guidance for Senior Leaders in High Hazard Industries
The OECD Programme on Chemical Accidents established “best practice” for senior decision makers who have the authority to influence the direction and culture of their organisation. This guidance aims to identify the essential elements of corporate governance for process safety.
With its checklist, the guidance encourages every director, chief executive officer (CEO) and president of a major hazard company to check themselves against a set of self-assessment questions organised around the following themes:
Do you know what the major accident risks are for your organisation?
Do you know what your main vulnerabilities are?
What are you doing about them?
How concerned are you about the level of risk?
How confident are you that all the safety systems are performing as they should?
Do you seek out the “bad news” as well as the good?
If there is an incident, who do you blame? Others, or yourself?
Are you doing all you can to prevent a major accident?
Source: OECD (2012[3]), Corporate Governance for Process Safety: Guidance for Senior Leaders in High Hazard Industries, https://www.oecd.org/chemicalsafety/corporategovernanceforprocesssafety.htm.
Develop and maintain a mature safety culture
Recognise the elements of a mature safety culture
Enterprises should develop and maintain an effective corporate safety culture, reflected in a corporate safety policy. A safety policy statement is a written document reflecting the corporate safety culture and the overall aims and principles with respect to chemical safety. Safety should be an integral part of the business activities of an enterprise.
An effective safety culture is an essential element of safety management. The safety culture should:
Reflect the rules established by the enterprise concerning the roles, rights and obligations of all those concerned with the assurance and maintenance of safety.
Derive from the values, attitudes and behaviour of senior management and the communication of these throughout the organisation. It starts with the visible commitment of the board members and senior executives of the enterprise, who should set an example and demonstrate leadership by being actively involved in safety.
In addition to management’s commitment to safety as a priority, there should be a similar commitment by all employees. Inherent in the safety culture, all employees should be dedicated to doing their jobs in a safe manner, following established procedures and assisting their colleagues in carrying out their tasks.
“The safety culture of an organisation is the product of individual and group values, attitudes, perceptions, competencies, and patterns of behavior that determine the commitment to, and the style and proficiency of, an organisation’s health and safety management. Organisations with a positive safety culture are characterised by communications founded on mutual trust, by shared perceptions of the importance of safety and by confidence in the efficacy of preventive measures.” (ACSNI Human Factors Study Group, 1993[4])
Assessment of the safety culture has proven to be an important tool to promote safety.
Assessment should address the beliefs and actions of management and other employees. Management/leadership behaviour is a crucial target when assessing safety culture.
Assessment should go beyond the individual mindset and stated values. It should address group‑level phenomena, such as: the beliefs and motivations of employees; social and group dynamics; shared basic assumptions that influence beliefs and behaviour; learning processes; and informal leadership.
Assessment techniques need to be tailored to specific enterprises, organisations and groups.
A characteristic of a mature safety culture of an enterprise is an open, learning attitude including in its relations with the public and other stakeholders.
Eliminate complacency, encourage alertness
The safety culture should help guard against complacency or structural/procedural shortcomings, all of which lead to unsafe acts or practices.
Management should promote the idea of “constant vigilance” and that continuous efforts are needed to maintain safety.
The main objective is to avoid the perception that accidents are rare events that will not happen during the management’s tenure and to prevent complacency if there have not been any accidents at an installation over a period of time.
The safety culture should encourage initiative and alertness in the interest of safety.
Promote a just culture
The term “Just Culture” has been principally used in the aviation and medical sectors. For example, Just Culture has been described as a culture that “considers wider systemic issues where things go wrong, enabling professionals and those operating the system to learn without fear of retribution. […] generally in a just culture inadvertent human error, freely admitted, is not normally subject to sanction to encourage reporting of safety issues. In a just culture investigators principally attempt to understand why failings occurred and how the system led to sub-optimal behaviours. However a just culture also holds people appropriately to account where there is evidence of gross negligence or malicious acts.” (Williams, 2018[5])
The safety culture should be associated with a just culture.
One important characteristic is “error tolerance”:
A safety culture should develop the capacity of employees to effectively perform their duties and not be focused on assessing blame or punishing errors.
The safety culture should encourage an atmosphere of co-operation and openness in which employees feel comfortable about discussing errors and near misses in order to improve learning.
An error-tolerant culture nevertheless requires appropriate responsibility and accountability.
To promote such a safety culture, employees and their representatives should be provided with opportunities to participate in the development and review of procedures and should be empowered to take action consistent with safe operation and/or protection of life without fear of reprisals.
Ensure employees know their roles and responsibilities, and have the necessary competency
Management should take the appropriate actions to ensure that all employees are aware of their roles and responsibilities, and have the necessary skills, education, training and support to assume these roles and responsibilities. These should be appropriately resourced.
Management should ensure that all safety procedures are up to date, disseminated, well known and understood by all employees (and others, as appropriate).
Apply the safety culture in the case of affiliated operations
When an enterprise has an investment in but not operational control over another enterprise operating hazardous installations, the enterprise making the investment should consider, where appropriate, entering into contractual arrangements to assist in the establishment and maintenance of safety standards.
An enterprise should provide each of its affiliates and subsidiaries full access to all safety-related information – including newly discovered information, research results, technology and management techniques that could reduce the likelihood of accidents or mitigate the consequences should an accident occur – at the location of the affiliate or subsidiary.
Financial institutions, in determining the level of funding to be provided to enterprises for investment in a hazardous installation, should take into account the amount of resources needed to comply with safety requirements as well as with corporate safety policies and guidelines.
Develop and maintain a safety policy
A safety policy is a written statement reflecting the corporate safety culture and the overall aims and principles with respect to chemical safety.
Have a clear and meaningful written safety policy statement
Each enterprise should have a clear and meaningful written statement of its safety policy that reflects the corporate safety culture and contains the overall aims and principles with respect to chemical safety. The safety policy should:
Address the fundamental goals for accident prevention, preparedness and response, including the elements of the safety management system.
Incorporate safety objectives established by public authorities together with the “zero incident” goal.
Incorporate, as an essential element, the goal that all accidents are preventable.
Set out to protect the safety and health of all persons involved in or who may be affected by the production, process, handling, use, storage, disposal or elimination of hazardous substances, as well as to safeguard the environment and property.
Address measures to assess and improve the safety culture.
Be at the top of a hierarchy of documentation related to chemical safety at an enterprise. Subsequent levels in the hierarchy explain in more detail the application of the policy.
Be agreed, promulgated and applied throughout the enterprise.
Be reviewed regularly and amended, as appropriate, in light of experience gained and any relevant changes in technologies, laws and regulations.
Commitment from management is evidenced by practices such as:
Clear and visible management interest in safety performance through personal involvement in safety matters.
Good communication on safety issues among and between management and other employees.
Positive feedback concerning actions taken to increase safety.
Quick response to remedy identified faults.
Financial and career incentives for good safety performance.
Participation of employees at all levels in developing and reviewing safety management procedures.
Timely investigations of all accidents and relevant near misses, and rapid dissemination of the findings of the investigations.
Involve employees at all levels in developing, reviewing and complying with the safety policy
In developing, reviewing and amending the safety policy, management should consult with and involve employees at all levels.
Management and other employees should co-operate to comply with the enterprise’s safety policy and meet its safety goals.
Management and labour have different but complementary roles and responsibilities in the prevention of chemical accidents by carrying out their jobs in a safe manner, by contributing actively to the development and implementation of safety policies and practices, and by co-operating with each other and with other stakeholders.
Labour and their representatives should co-operate with management in promoting chemical safety and should be provided with effective means (structures and processes) to do so.
Co-ordinate the safety policy with activities relating to occupational safety, health and environmental protection
The objectives of the safety policy should be reviewed with respect to other safety, health and environment policies and potential conflicts should be resolved.
In the same way, management should co‑ordinate the safety policy with their sustainable development goals. It should be recognised that it is not possible to have sustainable development without a high standard of safety, health and environmental protection.
Communicate the safety policy
The safety policy should be widely communicated throughout the enterprise. Management should strive to ensure that the intent of the policy is understood and appreciated by all employees throughout the enterprise.
The safety policy should be made accessible to the public.
Establish and maintain a safety management system
The safety management system is a set of activities that ensures that hazards are effectively identified, understood and minimised to a tolerable level. The safety management system establishes objectives to facilitate ongoing understanding and awareness of the risk associated with the presence of hazardous substances and the selection of “lines of defence” at all levels of the organisation.
Management should establish a safety management system (as a fully integrated part of its general management system) that addresses chemical accident prevention, preparedness and response. An effective safety management system is good business practice.
The safety management system should include the organisational structure, practices, procedures and resources for implementing the safety policy.
The safety management system should reflect the safety culture of the enterprise and there should be a commitment to the system from the highest level of the enterprise.
There should also be a commitment from all employees, from frontline operatives to senior employees, to the safety management system. The enterprise should involve employees and their representatives in the development of the safety management system so that they can develop a sense of ownership and trust in the system.
Adequate resources and personnel should be allocated for the implementation of the safety management system. There should be a clear allocation of responsibilities for each element.
“Effectively managing for health and safety is not just about having a management or safety management system. The success of whatever process or system is in place still hinges on the attitudes and behaviours of people in the organization.” (UK HSE, 2013[6])
Leading performance indicators should be used as one way to measure safety and determine whether actions being taken are leading to reduced risk. Such indicators could help to focus audits and inspections on areas with the highest priority.
Efforts can be made towards the integrated management of safety, health and environment (SHE) throughout the regular business operations of an enterprise. The integration of management systems for SHE issues and the development of enterprise-wide procedures applicable to all sites lead to improvements in safety.
The safety management system should address at least the following areas (see Figure 2.2):
Organisational structure: including the roles, responsibilities, education, training, qualifications and inter-relationship of individuals, as well as contracted organisations and personnel, involved in work affecting safety.
Identification of hazards and evaluation of risks: developing and implementing formal procedures to systematically identify hazards and evaluate them – including their likelihood and severity – arising from, for example:
Normal and abnormal operations.
Substances handling, production, transportation, storage, or disposal.
The location and surroundings of the site and other external factors of the site, in particular, the impact of natural hazards that may result in Natural Hazard Triggered Technological Accidents (Natech) (see Box 2.2).
Hazard refers to an inherent property of a substance, agent, source of energy or situation having the potential to cause undesirable consequences.
Risk means the likelihood of a specific effect occurring within a specified period or in specified circumstances.
Facilities and operational control: addressing design and construction, as well as the procedures for safe operation, including maintenance of plant, processes, equipment and temporary stoppages, taking account of ageing.
Management of change: planning and controlling changes, including temporary changes, in: organisation, personnel, ownership, installation, processes, including pre-start-up reviews, maintenance and decommissioning, materials, equipment, procedures, software, design and external circumstances that are capable of affecting safety.
Planning for emergencies: related to developing, adopting, implementing, reviewing, testing and, when appropriate, revising and updating emergency plans.
Monitoring performance: concerning the ongoing assessment of compliance with the safety policy and safety management system, and mechanisms for taking corrective action in the event of non-compliance.
Audit and review: addressing the periodic, systematic assessment of the safety policy and effectiveness and suitability of the safety management system.
Chemical accident investigation and learning from experience.
Box 2.2. Natech – Natural Hazard Triggered Technological Accidents
Natural hazards, such as earthquakes, floods or storms, can initiate events which may challenge the safety and operation of hazardous installations and trigger an accident. Those accidents are referred to as Natural Hazard Triggered Technological Accidents or Natech.
Most of the installations that process, store or handle hazardous substances can, in principle, be vulnerable to the impact of natural hazards. Many past natural disasters have caused major damage to installations resulting in loss of life, health effects, environmental pollution and economic losses.
Data and projections show that the frequency and intensity of natural hazards linked to climate change will increase in the decades to come and some may occur at locations where they have never been observed before. Coupled with a growing human expansion (industrialisation, urbanisation), integration of climate change risks and uncertainties into Natech risk management is essential to the prevention of, preparedness for and response to Natech accidents.
The collection and analysis of data from past Natech accidents have shown that lightning, flood and low temperature are the three most common triggers of Natech events. Other natural hazards have caused Natech accidents. For instance, loss of containment during earthquakes is very common and flammable releases are likely to ignite, often causing high-severity accidents.
Since 2008, the OECD Programme on Chemical Accidents has investigated the specificities of Natech for the prevention of, preparedness for and response to chemical accidents, and has supported the exchange of experience across countries (e.g. good practices, lessons learnt from accidents). Specific guidance for Natech risk management has been developed (https://www.oecd.org/chemicalsafety/chemical-accidents/).
Review and evaluate the safety management performance
All enterprises should establish monitoring programmes, consisting of several levels of audits, to check various technical and management systems within an installation. Such monitoring programmes allow management to review their operations to ensure that no previously unrecognised risks have been introduced and that there is the required degree of compliance with relevant national and international legislation, standards, codes and guidance, as well as with the enterprise’s own requirements and guidance. In addition to identifying any deficiencies or potential problems in the installation, the audit should also recognise successful actions, learning experiences and improvements made with respect to safety.
All monitoring should be defined in terms of a “feedback” loop (i.e. plan, do, check, act), designed to achieve continuous improvement. The key elements in monitoring programmes (Figure 2.3) to support the continuous improvement of safety performance are:
Establish monitoring programmes (Plan).
Define monitoring programmes to achieve continuous improvement (Do).
Use audits as an effective tool in the review and evaluation of safety management performance (Check).
Implement and share results of audits (Act).
Plan – Establish monitoring programmes (developing a monitoring plan)
Monitoring activities by industry should include:
Continuous assessment of environmental, health and safety management.
Self-assessment by the facility.
Corporate audits of the facility.
Third-party audits/inspections.
Systematic approach with a monitoring plan that includes:
Regular reviews for each installation.
Involvement of labour and their representatives.
Periodic detailed checks on specific activities and procedures.
Overall audit of performance.
Annual safety assurance reports from different leaders in the hierarchy.
Monitoring of aspects that are vital for the particular installation.
General aspects to be covered in all monitoring: organisation and management, training, plant integrity, fire protection and prevention, accidents and incidents investigation and reporting, emergency procedures.
Do – Define monitoring programmes to achieve continuous improvement
Clearly defined goals.
Identified scope.
Schedule (plan of action with timeframes).
Experts trained and qualified for the specific tasks and goals.
Reviews of appropriate documentation, interviews with key personnel.
Identification of deficiencies and proper practices.
Formal report of findings.
Management review to define responsibilities and timescale for follow-up actions to ensure that they are carried out.
Demonstration that the follow-up actions have been carried out.
Check – Use audits as an effective tool in the review and evaluation of safety management performance
The term audit is used to describe different types of self-assessment activities carried out within a company. An audit can be a tool for evaluating safety programmes, strategies and practices within an organisation. It is therefore a good methodology for the review and evaluation of safety management performance. The following offer relevant keywords for how audits can be performed:
Audit can be performed at a plant level.
Audit can be performed at the corporate level.
Follow-up of audits is crucial for learning lessons.
Audit can be an element of the safety management system.
Audits can be a basis for reviewing the adequacy of the safety management system.
The use of a third party to conduct audits might be relevant.
Audits include interviews with key employees, labour and management.
An audit team should be established for each audit activity.
Audit team members should have practical experience and be well-trained.
Act – Implement and share results of audits
A plan for follow-up actions and how these have been implemented.
Creating a system for improving the exchange of information and experiences among installations within an enterprise and between enterprises.
Transparency in the conduct of audits is a good way of building trust within and outside the organisation. This will help the public to better understand the nature of risk and the risks posed by the hazardous installation.
Making information publicly available on the relevant policies, monitoring programmes and outcomes from audits.
Inclusion of community representatives in audits.
Share experience on audits and inspections within the country and internationally.
Management of change
“The management of change (MOC) is a review and authorization process for evaluating proposed adjustments to plant design, operations, organization or activities prior to implementation, to make certain that no unforeseen new hazards are introduced and that the risk of existing hazards to personnel, the public, or the environment is not unknowingly increased. It also includes steps to help ensure that potentially affected personnel are notified of the change and that pertinent documents, such as procedures, process safety knowledge, training programs, are kept up-to-date. The design and authorisation procedures of changes should involve all departments and units concerned as well as other specialised employees involved in the operations, such as maintenance, health and safety”. (EC, 2017[7])
The MOC over the life of a hazardous installation is one of the basic elements in an effective safety management system. Even installations that have management of change procedures can be vulnerable to chemical accidents if the management of the change process is incomplete or not systematically applied to all changes.
There are four types of changes that are described in this section:
Intentional changes (modifications).
Unintentional/incremental changes.
Organisational change, including change of ownership.
Changes in the vicinity of a site (related to land-use planning).
Studies of past accidents (e.g. Flixborough, United Kingdom, 1974; BP, Texas City, United States, 2005; as well as many less well-known accidents) clearly show that a vast portion of chemical accidents have resulted from a failure to screen or analyse the impacts of a proposed change on risk, whether temporary or permanent.
Intentional changes (modifications)
Establish formal procedures to ensure that no modification compromises safety
Management of a hazardous installation should establish formal procedures to ensure that no modifications to plant, equipment, processes, software (including automated controls), facilities or procedures compromise safety.
Modification procedures should apply to both permanent and temporary changes and should be based on appropriate up-to-date process documentation and, where appropriate, a physical inspection of the installation.
All proposals to make modifications to a hazardous installation should be recorded, documented and assessed so that the necessary hazard analyses and risk assessments are carried out, the appropriate design changes are made and the modifications are properly engineered and recorded.
Proposals for significant modifications should be reviewed by competent technicians who are independent of those directly responsible for the proposals.
The level of management approval necessary for a modification should be based on the associated level of risk.
Supervisors having the authority to make a modification (for example, to change a manufacturing procedure or operating instruction) should be fully aware of the hazards involved and should consult the relevant competent specialist(s) before initiating such a change.
Major modifications should be subject to the same notification and reporting requirements to public authorities as new installations.
Review hazard analysis in the event changes are made to a process that could affect safety
In cases where changes made to a process could affect safety – for example, use of different process materials, alterations of conditions, increase in batch size or use of larger/different equipment – the original risk assessment should be reviewed and the documentation supplemented accordingly.
Make all employees, including contractors when relevant, aware of any modification to the installation
All relevant employees should be aware of any modifications to the installation. Any significant modifications to the plant, processes, facilities, personnel, software or other aspects that might affect safety should trigger a review of training and education practices to determine whether additional training and education are needed.
Contractors involved in any modifications should be subject to the same procedures, including the same requirements for registration, reporting and assessment, as an employee of the installation. Procedures should be in place to ensure that contractors involved in modifications inform the management of any safety-related concerns.
Ensure procedures are in place for the start-up of a plant after modification of the plant, equipment or software
Procedures should be in place for the start-up of an installation after modification, repair and/or overhaul of a plant, equipment or software. These procedures should require test runs and safety checks to be carried out to ensure the integrity of the installation. Test runs should be conducted in the presence of a manager responsible for the operation of the installation. The manager should be required to formally approve the restarting of operations.
Unintentional/incremental changes
It should be recognised that the sum of minor changes can be equivalent to a major change. Minor changes may be unintended results of alterations elsewhere in the process.
Techniques should be developed to assess how a series of minor changes in the installation, taken together, could affect safety and what could be done to mitigate any increased potential for chemical accidents.
Organisational change, including change of ownership
Procedures should exist to ensure that changes in management, labour and organisation do not compromise safety (including, for example, changes in corporate structure or financing, downsizing of staff and outsourcing of certain activities). Such changes should trigger review procedures to ensure safety has not been adversely affected (see Box 2.3).
Ensure safety is a priority when a company undergoes a reorganisation or significant personnel changes
When a company undergoes a reorganisation or significant personnel changes, the management of safety should be a priority.
Procedures should exist to ensure that changes in management, labour and organisation do not compromise safety (including, for example, changes in corporate structure or financing, downsizing of staff and outsourcing of certain production activities). Such changes should trigger review procedures to ensure safety has not been adversely affected.
It is important to manage any reorganisation or significant personnel changes with respect to its impact on the corporate safety culture.
Box 2.3. Organisational change
The organisation is the structure within which individuals and groups of people interact with each other. The organisation defines hierarchies, fields of responsibility and activity. This means that changes in the organisation are changes in hierarchies, responsibilities and activities. Such changes can have an impact on the safety of facilities that handle hazardous substances. Examples of organisational changes that can have a significant impact are as follows:
Change of ownership
New owners may have a different safety culture, different levels of knowledge and competency with respect to safety and the prevention of and preparedness for chemical accidents. They are also likely to have different organisational structures and a different distribution of responsibilities.
Outsourcing and reduction of internal capacities
If maintenance activities or the engineering department are externalised, i.e. moved off site away from the installations or, more extreme, are outsourced and become a separate company then this can have a significant impact on chemical accident prevention and preparedness. Interventions that have to be requested have a hidden hurdle; this hurdle is greater when explicit costs are involved. Such costs may be internal charging mechanisms or external contracts. If changes in access to knowledge and expertise are made, then management must be aware of the potential consequences and the need for compensation. The explosion at the Esso Gas Plant in Longford, Victoria (Australia) on 25 September 1998 is a case where organisational change was a significant contributor to the event.
Restructuring of safety responsibilities
There are two common forms of organisation for safety responsibilities. One is to have a centralised safety department in which expertise is built up and made available to the facilities and operating plant as they require it. This may also entail carrying out periodic safety audits and checks to ensure compliance with corporate standards and expectations. The second form is to have decentralised responsibility for safety, where each facility or plant is responsible for its own safety-related activities. Each form has advantages and disadvantages. Where centralised forms can build expertise, they may not be as aware of the individual requirements, cultures and situations on site. Decentralised forms can take account of local needs but not be as able to build up expertise in some areas of special knowledge.
Any changes in organisational structures related to roles and responsibilities should take into account the impact on specialist expertise and local requirements. Often, reorganisations lead to personnel-related consequences (relocation, redundancy, retirement). Management must be aware of the consequences of what losing particular employees may mean to the level of safety within the organisation.
Shift patterns
Many facilities use shift work to enable operations to run for a maximum number of hours. The reasons for this may be economic, i.e. the more hours of operation, the more product can be manufactured. The reasons may also be the result of the process: a continual process such as in a petroleum refinery or a power plant has to be run 24 hours a day and cannot be shut down at the end of a working day. There are a number of different shift patterns which are implemented in the process industries and these regulate who works when, how shifts move through cycles to ensure that people work at different times of day and also have recuperation time. Any changes to the staffing levels, numbers of shifts, length of shifts, recovery times and shift make-up (which trades and professions work which shifts) are organisational changes. Management needs to be aware of what changes in shift patterns can mean for the safe operation of the plant.
Organisational change is a special case of management of change. The consequences of any organisational change, however superficial it may seem, must be investigated and the risks to chemical accident prevention and preparedness assessed.
Source: Dawson, D. and J. Brian (1999[8]), The Esso Longford Gas Plant Accident, http://www.parliament.vic.gov.au/papers/govpub/VPARL1998-99No61.pdf; Hopkins, A. (2000[9]), Lessons from Longford: The Esso Gas Plant Explosion, CCH Australia Limited.
Ensure safety is a priority when an installation goes through a change of ownership
Ownership change transactions are very common in hazardous installations and can potentially affect the safety management of an installation. If not handled well, the effects of a change of ownership can be severe and significant, creating uncertainty in the companies involved and leading to an increase in occupational, process safety, environmental and chemical accident risks.
In particular, when an installation is going through a change of ownership, the management of safety should be a priority for all:
Stakeholders involved in an ownership change should be able to identify, understand and minimise the risks before, during and after a change of ownership at a hazardous installation.
The current owner of an installation should know the information and documentation necessary to be provided to the prospective new owner to support the evaluation of the safety status of the installation. The prospective new owner should know what documentation to ask for throughout the process.
Prior to the acquisition of or investment in an existing or planned hazardous installation, an enterprise should carry out a hazard evaluation to determine the nature and level of hazards at the installation. The enterprise should also determine the requirements for operating the installation in conformity with its own standards.
The “seller” of an existing installation should be responsible for disclosing all known or suspected safety problems associated with the installation involved.
The “purchaser” also has a responsibility to ensure that disclosure is complete and that the necessary actions have been taken to ensure safe operation following the takeover.
All relevant corporate safety policies and guidelines for chemical accident prevention, preparedness and response should be applicable to acquisitions.
Following an assessment, when an enterprise acquiring an existing installation concludes that the installation does not meet the standards of the enterprise or internationally accepted safety levels, the installation should be brought up to such safety levels within a reasonable period of time.
In cases where retrofitting cannot be accomplished to meet these levels, the investing enterprise should, in a timely manner, inform the public authorities, employees and employee representatives of the situation and their intended plans.
Stakeholders can refer to the OECD Guidance on Change of Ownership in Hazardous Facilities (2018[10]) for more information on key aspects to take into account during a change of ownership (see Box 2.4).
Box 2.4. OECD Guidance on Change of Ownership in Hazardous Facilities
The OECD Guidance on Change of Ownership in Hazardous Facilities (2018[10]) is a concise document providing a framework to assist stakeholders in identifying, understanding and minimising the risks during and after a change of ownership at a hazardous facility and help make the change of ownership a better-informed process.
The guidance provides:
A list of risk drivers prior to, during and after the change of ownership.
A set of self-assessment questions for the original owner and prospective owner so that they can evaluate how well their organisation is managing the ownership change.
A “template for transparency” as a structured approach to carrying out technical due diligence with a list of documents and information which those selling a facility should be expected to provide.
A list of factors for the regulators to consider before, during and after the change of ownership.
Source: OECD (2018[10]), Guidance on Change of Ownership in Hazardous Facilities, OECD, Paris.
Changes in the vicinity of a site (also related to land-use planning)
Changes in the vicinity of a site include the construction of new buildings and infrastructure. They also cover changes in the use of existing buildings. These changes may lead to increased or new risks to the installation from outside the site; they may also lead to an increase in vulnerable people, assets or environmental resources that may be affected by a chemical accident.
Operators should be aware of existing activities in the vicinity of their installation and ensure that they receive information and are involved in consultations on changes in the vicinity at the planning stage.
Risk assessment and safety reports
“Risk assessment is a tool used in risk management to help understand risks and inform the selection and prioritisation of prevention and control strategies. It consists of a number of sequential steps, including hazard identification; event scenario assessment; consequence assessment; likelihood assessment; and risk integration and comparison.” (ISO, 2019[11])
With risk assessment, risks can be ranked on a relative scale and technical/organisational/policy options can be evaluated. Risk assessment also provides information to policy makers to help them develop risk acceptability or tolerability criteria against which different objectives or programmes can be assessed.
When there is a national requirement for safety reports, these should be directly linked to risk assessment. Safety reports are a documented demonstration that the hazardous installations are designed, constructed and operated in a safe manner, that the hazards related to the location, process plant and hazardous substances have been identified and that their risks are managed appropriately. In addition, it should be demonstrated that a safety policy and safety management system have been put in place in view of the assessed risks. Safety reports can be used to demonstrate and communicate that hazards associated with an establishment have been systematically identified and that their risks are adequately controlled, leading to suitable chemical accident prevention, preparedness and response. Safety reports do not usually contain detailed information related to the risks of malicious acts. This detailed information is usually to be found in a Security and Vulnerability Analysis (SVA) or additionally in a cyber security analysis, for example, according to ISO 27001 or other national or international standards. These are separate documents that need to be treated with confidentiality.
This section will provide more information on how to conduct a risk assessment based on thorough hazard identification and the preparation of safety reports (see Figure 2.4).
Conduct risk assessment based on thorough hazard identification
Conduct a hazard identification taking into account the diverse risks at an installation
Management should undertake a risk assessment in a systematic way for all hazardous installations, starting with a hazard identification process that follows a fixed predetermined scope, identifying and assessing every possible hazard within that scope.1 All types of hazards (e.g. technical hazards, human factors, natural hazards) able to cause accidents should be considered. Hazard identification is the first and a critical step in the risk assessment process – the quality of the results of the risk assessment depends on the accuracy and reliability of the hazard identification.
Risk assessments and risk management decisions should take into account the full range of risks at a hazardous installation, as well as the multidisciplinary nature of risks. It is important to recognise that some sites have complex technical, organisational and/or social issues that should be addressed (such as staff shift patterns and language differences among employees).
The possibility of human errors and technological failures, as well as the possibility of natural hazards and/or malicious acts triggering a chemical accident, should be taken into consideration when deciding what accident scenarios should be included in the risk assessment process.
A scenario is always an undesirable event or a sequence of such events characterised by the loss of containment or the loss of physical integrity and the immediate or delayed consequences of this occurrence.
Risk assessments should take into account the possibility of “domino effects” between hazardous installations, and between transport systems and fixed installations.
Take into account all consequences, including environmental and health
Risk assessments related to hazardous installations should take into account all possible consequences, including possible health and environmental consequences.
When death/health consequences are the only quantified parameters in the risk assessment process and the non-quantifiable parameters are not considered, the process may result in misleading or otherwise inadequate conclusions. The non-quantifiable parameters can often be assessed in a qualitative manner and give further insights into other risks of the chemical accident. This will lead to improved decision making.
Assessing environmental consequences is complex due in part to the large number of receptors and pathways. Management and public authorities should work toward improving the quality of the assessment of environmental consequences through co‑operation and exchange of experience.
Often, substances that are not expected by themselves to be hazardous to the environment can, in combination with other substances and/or factors, create significant hazards or there can be synergistic effects involving small quantities of chemicals causing significant impacts.
Consider various approaches and methods to conduct a risk assessment
When undertaking a risk assessment, management should carefully consider the various possible approaches and methods available. They should choose an approach/method that is appropriate for the particular circumstances since all approaches/methods have strengths and weaknesses and none are perfect.2 The choice of a particular approach/method should be governed by a number of factors, including:
The objective/purpose of the risk assessment.
The estimated extent and nature of the risks (including the possibilities of malicious acts or accidents resulting from natural hazards or disasters).
The availability and adequacy of data.
The expertise and resources needed for a particular approach/method, and their availability.
The history of accidents at the installation and other related installations.
Unavoidable constraints on the process.
The socio-political context in which the assessment will be carried out.
The assumptions on which the approach/method is based.
Risk assessments should be accompanied by information concerning the assumptions, data limitations and uncertainties embedded in risk assessment approaches/methods, as well as in decision-making processes so that the results of risk assessments can be appropriately utilised:
It is important to address possible data limitations and inappropriate selection of data in order for the results of the assessments to be reliable and comprehensive.
There may be gaps and inadequacies in the data available on, for example, equipment failure rates and modes, human error predictions, long-term or delayed health effects of acute exposures, the likelihood and extent of natural hazards, and the effects of chemicals on the environment.
Data limitations can be managed, in part, through the use of less detailed, more generic approaches/methods, or the use of comparative assessments to aid in choosing among alternative options. The use of comparative assessments normally involves similar assumptions, limitations and uncertainties and therefore their effect on the assessment results is dissipated.
Ensure transparency in the risk assessment process
All parties should strive for transparency in the assessment process, to permit better communications and understanding and to allow for comparisons.
For assumptions that cannot be eliminated, it is advisable to seek consensus with all parties involved in the decision-making process. Failure to do this can lead to a lack of credibility and support for the assessment.
Any efforts towards improving consistency and communication concerning risks should take into account the various methods used by different countries and organisations.3
A shared understanding of the concepts that underpin risk assessment is important, particularly where the people who assess risks and the people who make risk management decisions are different.
The decisions that are influenced by risk assessments may be of fundamental importance to, for example, employees (including long-term and regular contract employees), the public potentially affected in the event of an accident and emergency response personnel.
Review and reassess risk periodically and document risk management decisions
Risk assessment should be a continuous and evolving process. Assessments should be reviewed and reassessed periodically and when there are indications that a revision may be needed.
A risk assessment may need to be revisited when there are changes, new findings or other particular circumstances, for example, when:
There are new or changed substances, processes or equipment at hazardous installations, or significant changes in transport of hazardous substances, or significant increase in inventory.
Accidents occur.
New technology offers scope for improvements.
Perception of labour and management conflicts with the outcome of the risk assessment.
New information about the behaviour or effects of substances, which may lead to a new hazard classification and processes, becomes available.
New information about the potential for natural hazards or disasters that could trigger a chemical accident becomes available.
There are proposals for new construction or other developments inside the premises of the installation or nearby.
Risk assessments should be reviewed routinely to test assumptions, try to resolve uncertainties and take advantage of experience and improvements in methods.
Risk management decisions should be well documented. This is important for a number of reasons: for example, documentation helps to support further decision making, comply with legal requirements, understand what went wrong when an accident occurs, assist with enforcement and facilitate communications.
Exchange experience in risk assessment with other enterprises and industrial organisations
Enterprises and industrial organisations, in particular nearby industries, should exchange information concerning risk assessment methods and outcomes so that competency in the use of risk assessment approaches/methods is enhanced. Such information exchange can also be used to facilitate training to increase the expertise available.
Prepare safety reports describing significant hazards at installations
Within the process of preparing a safety report, operators should systematically identify all possible significant accident hazards and be able to demonstrate that they have sufficiently controlled the risk.
Management of hazardous installations should prepare reports describing the significant chemical hazards at these installations and demonstrating that appropriate steps have been taken to prevent chemical accidents and to limit their consequences.4
The extent of the safety report should be proportional to the extent of potential consequences and the complexity of the installation/process/systems involved.
One of the main elements of the safety report is the definition of reference accident scenarios. These scenarios are normally the basis for demonstrating that the necessary measures are adequate. For this purpose, the description of the scenarios should be structured and evidence provided to highlight the consistency between the scenario selected and the measures taken.
The safety report should be of a summarising character, in which the information provided is limited to its relevance in regard to chemical accident hazards. However, the information should be sufficient to demonstrate that the requirements with regard to chemical accident hazards have been met and allow the competent authority to come to justified conclusions.
The description of measures should be limited to the explanation of their specific objectives and functions. Specific technical details should be provided within the safety report when this is necessary to demonstrate that the measures are sufficient, i.e. the measures have the required reliability and effectiveness.
Other areas of safety legislation may have an impact on the scope of the assessment.
The reports should be reviewed regularly and updated, as appropriate. They should include a description of, or a reference to, documents addressing:
The identification of installations and other activities of the establishment that could present a major accident hazard. The installations of an establishment to be submitted to a detailed risk analysis should be selected through a screening method such as a preliminary hazard analysis. The selection may flow through the use of index methods or threshold criteria for hazardous substances or other suitable methods. Those installations that have not been selected will not be considered an essential element of the safety report. For this reason, this part of the analysis is particularly sensitive in terms of the safety report study.
The installation or establishment, including its purpose, activities, processes, layout, intrinsic hazards, personnel, services and technical equipment.
Inventory of hazardous substances (physical, chemical, toxicological characteristics and an indication of the hazards, both immediate and delayed for humans and the environment).
The area surrounding the installation, including a description of the establishment, sensitive environments, the population and activities in the area of the establishment (including commercial, residential and industrial activities) and general geological context, including type and conditions of the ground/underground.
Natural hazards in the area which are potential triggers for Natech, such as those related to extreme temperatures, high winds, floods, storms, earthquakes and wildfires with relevant descriptive data such as average and maximum precipitation levels, thunderstorm severity, lightning probability, indices or values on humidity, fog, frost and winds, stability classes, maximum and minimum recorded temperatures.
Hazard identification and risk assessment of the installation.
An outline description of the procedures for safe operation in all process stages for the installations identified in the report as hazardous, together with the appropriate maintenance programme.
The onsite emergency plan, including the relationship with offsite plans and communication and co-ordination with emergency response personnel.
The corporate safety policy.
The enterprise’s safety management system.
The procedures for reporting incidents and learning from accidents and near misses.
The safety report does not need to contain detailed information on structural characteristics and other design data of the storage or process installation handling the dangerous substances, only summarising descriptions.
The demonstration in the safety report must be “convincing”. This means that the rationale for deciding the completeness of hazard identification and the adequacy of the measures employed should be supported and accompanied by all assumptions made and conclusions drawn.
The safety report should provide evidence that the process followed in its preparation was systematic, which means that it followed a fixed and pre-established scope.
Safety reports should be submitted for review by public authorities.
Siting, design and construction
In making planning decisions about siting new hazardous installations, significant modifications to existing ones or the development of land around a site, safety is a critical element to be considered by industry, which should follow a number of requirements.
The design stage has a critical role to play in ensuring safety throughout the lifespan of a hazardous installation. It should help reduce maximum risks during the operation of an installation. A hazardous installation should be “smart” and “safe” by design. Design can cover an entire installation or only part of it, and also includes redesign or modification of an existing design.
Construction is also a stage bringing particular risks. A plan should be developed to ensure that risks at each stage from the beginning to the end of construction have been identified and a strategy to manage them defined, which should be effectively communicated to those involved.
Siting
Use land-use planning and zoning requirements and guidance when choosing sites for new hazardous installations
Management of an enterprise, when choosing possible sites for new hazardous installations, should comply with land-use planning and zoning requirements and guidance. Management should:
Seek sites which would minimise the adverse effects to health, the environment and property in the event of an accident at the installation or as a result of transport of hazardous substances to and from the installation. For large sites, the same should be considered for the location of new installations on the site.
Take into account neighbouring activities including technical hazards (risks linked to technical activities around the site) and the risk of domino effects.
Take into account the risks posed by natural hazards when considering possible sites.
Management and public authorities (in particular, those responsible for land-use planning decisions) should co-operate in order that hazardous installations are located and built so as to minimise the risks to human health, the environment and property.
Develop maps and plans to scale in case of construction of a new installation or significant modification to an existing one
Management of an enterprise proposing to construct a new hazardous installation or make a significant modification to an existing installation should develop maps and plans to scale of the proposed development. They should reflect information made available by public authorities and should show:
The locations and quantities of the hazardous substances present on site relative to the surrounding area.
Areas that may be affected by natural hazards, for example flooding zones.
Technological activities such as industrial activities and major transports.
Recreational areas.
The nature of land use in adjacent areas.
The local population, in particular centres of higher density, and local areas of environmental significance.
The potential offsite effects posed by their proposal.
For the location of an installation close to regional or national borders, that the situation beyond those borders has been considered.
Management should describe details of the processes which will involve hazardous substances, the inventory of hazardous substances to be stored, the conditions under which the hazardous substances are to be handled and the risks associated with possible sites (including risks of accidents resulting from natural hazards/disasters or malicious acts).
Management should develop an assessment of the consequences for human health and the environment from the proposed installation. These assessments should be carried out in conjunction with local authorities and the public as early as possible in the process of planning for the installation so as to facilitate siting decisions and consideration of cost-effective alternatives.
The maps and plans, related information and assessment should then be provided to the appropriate authority.
Reduce risks and resolve land-use planning conflicts associated with hazardous installations
Management of hazardous installations and public authorities should make themselves aware of the risks of chemical accidents in the context of the existing land-use planning situation. The public authorities responsible in the land-use planning and construction permitting processes may not be the same authorities that oversee the permitting and operation of the hazardous installations. Therefore, it is very important to ensure that all relevant authorities are involved.
Management and public authorities should elaborate and adopt measures at existing sites so that they achieve, as far as practicable, a reduction of risks to an acceptable level and fulfil the requirements of current land-use planning and zoning laws and guidance.
Management and public authorities should work with other stakeholders in the community to ensure that inappropriate developments of residential areas and other vulnerable uses do not take place in areas potentially exposed to significant chemical accident risks.
Design
Integrate “inherently safer” technology, equipment, facilities and engineering procedures at the design stage
Safety measures should be incorporated at the earliest conceptual and engineering design stages of an installation to enhance its inherent safety wherever practicable.
The terms “inherent safety” or “inherently safer” when used in connection with hazardous installations should not be read to imply that there is no residual risk. The facility will be designed to be safe but there are hazards that will still remain. “Traditional” safety equipment such as a blowdown system and stoppers for runaway reactions remains necessary.
The design of a hazardous installation should integrate the appropriate technology, equipment, facilities and engineering procedures that would reduce the risk from hazards as far as is reasonably practicable (i.e. all measures to reduce risk should be taken until the additional expense would be considered to far exceed the resulting increase in safety). The aim is to:
Use inherently safer technology in the manufacture, transport and use of chemicals (e.g. reducing inventories of hazardous substances, using safer production processes and enhancing secondary containment).
Use inherently safer processes and installation designs to reduce risk. Inherently safer approaches involve careful selection of the process, along with the good design of the installation (in effect designing out certain hazards, minimising the effects of human error and better tolerating errors which might occur).
The principles of inherently safer design should not be used in isolation but rather as part of an integrated approach to safety (Box 2.5).
Box 2.5. Principles of inherent safety
Inherent safety is based on a set of principles which, when applied, reduce the hazards. They include:
Minimise (intensify): Reducing the amount of hazardous substances present at any one time by using smaller batches, reducing the storage of intermediates to the quantities required. However, this should not be misunderstood to mean that bulk storage of fuels should be in small tanks. The transfer operations (coupling and uncoupling of hoses, transportation) are the most hazardous parts of the process.
Substitute: Replacing a hazardous substance with a substance of lesser hazard, e.g. lower toxicity or non-carcinogenic to avoid exposure of the workforce or the public in the event of an accident, higher flammable limits (to avoid explosive atmospheres).
Moderate (attenuate): Using less hazardous conditions, a less hazardous form of a material or facilities that minimise the impact of a hazardous material or energy.
Simplify: Eliminating problems by design and thus avoiding complexity rather than adding additional equipment to deal with the problems and making operating errors more likely.
In addition to these, two further principles are used by some:
Error tolerance: Designing equipment and processes to be sufficiently robust so that they can withstand possible faults or deviations from design, for example, piping and joints being designed for the maximum possible pressure when valves are closed.
Limit effects: By designing the system so that the worst possible condition will be automatically mitigated, for example sloping the concrete surface below a horizontal tank to take flammable liquid away towards a safer place, providing bunds and retention to prevent hazardous liquids spreading to undesired locations.
Source: Edwards, D. et al. (2015[12]), “Inherent safety: It’s common sense, now for common practice!”, Symposium Series No. 160, Hazards 25, https://www.icheme.org/media/8500/xxv-paper-33.pdf.
Care should be taken to ensure that design choices or modifications do not inadvertently increase or transfer risk. For example, in some cases, reducing inventories of hazardous substances may increase overall risk due to the need for more frequent transport and handling (e.g. loading and unloading) of the substances.
Hazardous installations should be designed to take into consideration the possibilities of human and/or technical errors.
Hazardous installations should also be designed so that exposure of employees to hazardous substances is prevented or minimised, thereby reducing the need for personal protective equipment.
Identify the need for enhanced protective systems and for systems minimising effects
Although emphasis should be on inherent safety in design and operation, the need for enhanced protective systems should be identified using a systematic process, thereby assuring safety through mitigation measures.
Procedures should be designed to minimise the chance of failure and, should there be a failure, to prevent or minimise adverse effects.
Systems/mechanisms to contain leaks, spills or firefighting waters (using, for example, containment walls or catch basins) should also be incorporated in the design of hazardous installations, bearing in mind the quantity of hazardous substances which could be released. Such systems/mechanisms could also include an increased number of barriers to prevent the release of hazardous substances, e.g. double encapsulation.
If there is a loss of containment, adverse effects may be minimised by other mitigation measures, such as using fire protection equipment and emergency procedures.
Take into account human factors at the design stage
Tests should be used to determine whether the operating design of the installation is feasible and practical (e.g. that it takes into account the limited quantity of information that can be processed by humans under conditions operators might face at the installation). This will help avoid designing a facility that has latent operating errors.
Systems should be designed so that individual component failures will not create unsafe process conditions (i.e. they should be "fail safe") and/or will be capable of accommodating possible human errors.
Involve relevant personnel in the planning and design
Relevant personnel who will be involved in the operation of a hazardous installation should be involved in the planning, design and construction phases of the installation. Employees, and their representatives, should participate in decisions concerning the design of their workplace and should be given the opportunity to provide input in the design, application and improvement of equipment so that employee know-how and experience can be utilised.
Incorporate the most up-to-date national and international standards, codes of practice and guidance into the design of new installations and when making significant modifications to existing ones
To achieve a high level of safety, the design of new installations and significant modifications of existing installations should incorporate the relevant, most up-to-date national and international standards, codes of practice and guidance, relevant to hazardous installations, which have been established by public authorities, industry and professional associations, and other bodies.
Standards, codes of practice and guidance should take into account process risks associated with technological or process-related accidents as well as risks associated with accidents caused by malicious acts or natural hazards/disasters.
Such standards, codes of practice and guidance should be considered minimum requirements. Improving safety is a dynamic process that should reflect advances in knowledge and technology. Therefore, these should be supplemented by documentation developed from within the enterprise, embodied in in-house engineering design guides and specifications, as well as based on operational experience and specialist knowledge.
Existing installations should be assessed to determine whether they meet these standards, codes and guidance. Where they do not meet the standards, appropriate improvements should be carried out as soon as practicable.
Incorporate an appropriate level of automated control systems and decision support systems into design
An appropriate level of automated control systems and decision support systems should be incorporated into the design of a hazardous installation.
While automation and decision support systems can increase safety due to rapid diagnosis and response, such systems only address “known” or predicted abnormal events. Events which are not within the design specifications, or which were not predicted, need to be dealt with manually. Thus, the presence of an operator who is well informed and well trained to respond is indispensable.
If the system is automated to the extent that the operator has very limited tasks, the operator may not be sufficiently aware or experienced to handle rare abnormal situations.
Process control systems are an important component of operating safety. They should:
Support operators in carrying out their tasks and provide easy and rapid access to operating procedures and related information.
Be able to capture information useful for determining the root causes of incidents and provide easy and rapid access to documentation on the enterprise, for emergency planning and for training and education.
Safety systems, whether automated or requiring human intervention, should be designed according to criteria⁵ and tested so that critical signals get through to the operator (even when there are several simultaneous failures) and so that the systems cannot be overloaded and therefore fail to work (see also the issue of alarm management in Box 2.9).
The use of smart technologies in the design and operation of hazardous installations provides opportunities to enhance safety (Figure 2.5) but brings new challenges such as cyber security (see section on physical and cyber security).
Pay special attention to the site layout with safety goals in mind
In the design phase, management should ensure there is adequate consideration of the site layout guided by overall safety goals. Particular regard should be given to:
The establishment of safe separation distances to minimise any “knock-on” or “domino” effects⁶ either on site, within the boundaries of the installation or off site involving other enterprises.
The location of hazardous processes and substances relative to the location of personnel and to critical safety-related equipment and instruments.
The location of hazardous processes and substances in light of natural hazards, in order to minimise the likelihood of an accident in the event of a natural disaster.
The location of offices, control rooms and other premises so as to minimise the adverse effects on health and increase the ability to maintain control of the installation in the event of an accident.
Possible effects on the local community and environment.
Design a storage facility or any hazardous installation that stores hazardous substances according to the nature and quantity of hazardous substances
A storage facility, or any hazardous installation that stores hazardous substances including waste, should be designed taking into account the nature and quantity of hazardous substances to be stored in the facility.
The design of storage facilities should incorporate safety features to minimise the likelihood and extent of a chemical accident. In this regard, the design should allow for the separation of incompatible substances and subdivision of inventories by the use of, for example, separate buildings or fire walls. Furthermore, the facility should be designed in a way that reduces the likelihood of domino effects should an accident occur.
Particular attention should be given to incorporating automated systems for handling hazardous substances, for example, automated high-rack warehouse systems.
The design should enable access for inspection of hazardous substances and permit firefighting and effective evacuation. Fire protection equipment should be available and adequate retention facilities (e.g. fire water retention, bunded areas) should be provided to facilitate the activation of spill mitigation procedures.
Security measures should also be in place, such as fencing and limited access to unauthorised personnel.
Give consideration to special issues, such as the risk of natural events and malicious acts
At the design stage, special consideration should be given to:
The possibility of malicious acts occurring at an installation.
Maximising protection of vulnerable parts of the enterprise in order to avoid damage from malicious acts.
The possibility of natural hazards that could trigger a chemical accident including, for example, extreme temperatures, floods, high winds, wildfires, earthquakes and landslides.
Collate all safety-related information on process and associated equipment
The management of hazardous installations should collate all safety-related information on the process and associated equipment concerning, for example, design, construction, operation, maintenance and emergencies.
Such a file or dossier is essential for training, as well as operational purposes.
The file or dossier is also needed for developing safety reports, which may be required by public authorities and for inspections/control by public authorities.
The operating concept/procedures should document the safety features incorporated in the design (including automated safety systems) as well as the role of operators, managers, maintenance staff and others.
In addition, this process documentation file or plant dossier should include information concerning:
Manufacturing procedures.
Process and operating instructions (including safe start-up and shutdown).
Line diagrams of process flow showing key equipment.
Quantities and properties of substances produced, stored or handled on site.
Results of safety tests and safety data on raw materials, solvents, catalysts, intermediates and by‑products and reaction materials and products.
Secondary reactions and chemistry.
Data resulting from hazard studies.
Waste treatment (containment and disposal).
The process documentation file or plant dossier should be kept up to date.
Construction
Pay attention to quality assurance during construction, in particular with equipment suppliers, contractors and other third parties
The management of a hazardous installation should pay particular attention to quality assurance during the construction phase of a project.
Safety checks and inspections should be routinely carried out during the construction phase to ensure that the integrity of the original design is maintained. This involves checking if:
Plans are being followed properly.
Requirements of the hazard studies are being fully implemented.
Associated equipment is being correctly installed.
Correct materials (for example for construction), methods (such as welding techniques) and tests (such as pressure/leak tests) are being used by suitably qualified personnel (employees and contractors), in accordance with recognised standards.
Any modifications to the original design of an installation should be documented and these modifications should be reflected in quality assurance and safety reviews prior to commissioning and start-up of the installation.
Quality assurance (QA) systems can provide useful tools to ensure the conformity of equipment with standards and other requirements.
An enterprise should purchase equipment only from reputable suppliers and should formally inspect equipment to ensure that it conforms to design specifications and safety requirements before being put into use.
In the construction of a hazardous installation, an enterprise should do business only with contractors who are able to satisfy the enterprise that their services will be carried out in compliance with all applicable laws and regulations, as well as in compliance with relevant safety standards and policies of the enterprise, so as not to increase the risk of a chemical accident.
Contractors should be provided with the necessary documentation and information to be able to carry out their tasks. Contractors should work to the standards set by the management of the installation and, to the extent appropriate, under the direct surveillance of management.
Pay particular attention to the start of the operation
Management should ensure that the operation of an installation is not started while it is under construction or before the safety checks and inspections at commissioning have been successfully completed. In some regulatory regimes, the authorities require notification before start-up is permitted.
Safety checks should also be carried out at the commissioning and start-up phases of a project (e.g. new construction on an existing site) to ensure that the design intent has been completely fulfilled, if modifications have taken place or if changes are necessary. Functional tests should be carried out for all components, controls and safety devices critical to the safety of the installation.
Operation
The safe operation of a hazardous installation has multiple aspects. It includes a range of disciplines and actions that should be co‑ordinated at different levels and that are based on a mature safety culture in the enterprise and the implementation of a safety management policy and system.
Safe operation includes the development and implementation of procedures for safe operation, the management of personnel and the recognition of the role of human factors, strong internal communication and proper education and training (Figure 2.6).
Develop and implement procedures for safe operation
Implement the enterprise safety policy
It is the management’s responsibility to ensure that the corporate safety policy (see section on corporate governance and process safety management) is implemented through appropriate organisational arrangements.
The chain of command and layers of responsibility for ensuring safety should be clearly defined. The roles and responsibilities of all employees (i.e. management and labour, including contractors) related to safety should also be clearly identified.
Have easily accessible written operating procedures and instructions for operation under normal and abnormal conditions
Management should ensure that each installation in an enterprise has written and easily accessible operating procedures and instructions. These should:
Establish the conditions necessary in order to satisfy the design intent of the installation and maintain its integrity to protect the safe operation of the plant.
Take into account relevant standards, codes and guidance in order to ensure that equipment, installation and premises provide a safe place of work under both normal and abnormal operating conditions.
Written procedures should:
Include detailed work instructions and simple job aids, such as checklists.
Be clear and easily accessible, in a form those involved can understand and use (for example including pictures, photographs and diagrams).
Be understood by all relevant employees and contractors. There should be education, training, review and monitoring systems for ensuring that all employees know, understand and follow appropriate procedures at all times.
Be periodically reviewed and updated to take into account any significant changes in plant design or operation.
Be designed and developed with the active involvement of those who use them. This helps ensure that procedures are realistic, workable and consistently applied, and facilitates the idea that those who have to follow procedures “own” them.
Written procedures should, in addition to the normal operation of the plant as covered by standard operating procedures (SOPs), cover the following:
All maintenance tasks.
Isolation and making the area safe for maintenance and activities.
Management of overrides of process safeguarding systems and process safety alarms.
Permit to work (Box 2.10).
Supervision of contractors.
All periodic examination and assessment (“operator inspection”) tasks.
Fitness to work, including fatigue management and supervisor referral to a health professional if concerned about an individual’s fitness to work.
Any other human factors good practice applicable to the task.
What to do in an emergency or if a safety risk emerges.
Management of changes to the maintenance task as planned, in particular those changes which extend the length of time of the task or function of any safety or control systems in the installation.
Communication within and between shifts, including handover and status of any ongoing maintenance operations or activities of contractors under supervision.
Procedures and arrangements should be introduced at a hazardous installation for the safe handling of chemicals and the prevention of explosions, fires and releases of hazardous substances. There should be appropriate arrangements for the protection of personnel, buildings and equipment, the environment and for response (e.g. firefighting) should an explosion, fire or release occur.
A high standard of housekeeping (i.e. cleanliness and tidiness) and operational efficiency should be maintained at hazardous installations, including storage facilities, since there is a clear correlation between these functions and good safety performance.
Procedures should exist to help manage the unexpected and ensure effective protection against chemical accidents during abnormal conditions. Abnormal conditions could include, for example:
When critical instruments, alarms and emergency equipment are not functioning.
When there are unusual (short-term) production demands, extreme overtime work or a slow-down in production.
When there are resource constraints (including staffing and financial resources).
When there are emergency shutdowns or evacuations.
When there is an impact from natural hazards such as extensive precipitation, floods, earthquake, seismic event, tsunami, high winds or extreme temperatures.
In case of electrical power failures.
In case of failures of an electronic control system including cyber attacks.
Procedures should mention how to react in case of a change or modification (see section on management of change).
Develop procedures for the storage of hazardous substances
Procedures should be established at facilities where hazardous installations are present, including storage facilities, to minimise the risks of accidents and, in particular, to prevent the degradation of hazardous substances or packages, labels or other markings.
The operators should ensure that all relevant legislative requirements and applicable codes of practice for the safe storage of hazardous substances are strictly applied, wherever applicable.
In order to prevent explosions and fires, consideration should be given to whether the conditions of storage (including, for example, temperature and pressure) create special risks. Consideration should also be given to avoiding potential sources of ignition (e.g. hot surfaces, open flames, electrical spark and sources of static electricity).
A plan should be drawn up by the operator showing the nature of the hazardous substances in each part of the facility.
The storage plan should be made available to first responders and relevant local authorities. Employees should know how to react in case of an accident.
Information concerning hazardous substances held in a storage facility should be maintained up to date and be easily accessible to employees, labour representatives and emergency responders.
Where storage is the responsibility of a third party (off site), the owner of the hazardous substances (products, raw materials and intermediates) should confirm that the facility for the storage is suitable for these substances and that the operator of the storage is competent. The outsourcing of activities such as storage should be in compliance with the safety policy of the establishment. This could involve the owner/supplier of the substances monitoring the storage facility and training employees of the offsite facility.
The owner/supplier of hazardous substances should provide the necessary information to the operators of third-party storage to ensure that substances are stored in an appropriate manner, incompatible substances are segregated and the hazards associated with the materials are understood.
Develop procedures for handing over new chemicals/substances, processes or equipment
Management should ensure that relevant written, agreed operating procedures and safety instructions accompany new chemicals/substances, processes or equipment before they are handed over from one department to another (or from one owner to another) so that knowledge and experience gained in research, development, pilot plant and production are passed on. This handover should be formalised by an appropriately signed handover/clearance report.
Operating procedures and safety instructions should also be provided whenever installations, or technology, are transferred.
Manage personnel to ensure safe operation
Ensure each operation has an appropriate staffing level for safe operation
It is the management’s responsibility to ensure that each operation has appropriate staffing, which allows for the safe operation of installations at all times. Consideration should be given to the ability of employees to fulfil their tasks and responsibilities in a safe manner (taking into account both physical and psychological factors).
In this respect, employees should not be assigned tasks if such assignments may compromise the safe operation of the installation.
Special attention should be given to tasks:
Carried out by lone workers or that are monotonous.
That may imply working under high-stress conditions.
That require particular strength or size.
Not suitable for particular people, considering physical limitations, allergies, lack of skills and cognitive abilities.
Employees and their representatives should participate in decision making concerning the organisation of their activities and the staffing needs of the installation, to the extent that these may affect safety.
Management should establish performance indicators to review the staffing level.
Management should give special consideration to ensuring sufficient staffing and supervision during nights and weekends, and during periods when there are difficult or unusual situations, as well as to controlling overtime work or irregular work patterns if these may present an increased risk of a chemical accident.
In planning staffing schedules, consideration should be given to avoiding stress of personnel and overwork. For example, hours of work and rest breaks should be compatible with safety requirements. Overtime and rest days worked by any individual should not be excessive. A record of all such abnormal hours should be maintained to facilitate control of hours worked.
Management should identify and address the need for special staffing requirements and technical skills posed by start-ups, shutdowns, abnormal or unique operating situations, periods when there are unusual production demands, resource constraints or emergency situations, or other situations that might create stress in personnel.
Sufficient professional safety personnel should be available within an enterprise. Their role should be to remain impartial and independent of line management, to provide expert advice and, as such, to function as the enterprise’s safety conscience. In this regard, safety professionals should:
Have the necessary authority to carry out their responsibilities and should be seen as having management support.
Interact with and be respected by employees at all levels in the enterprise.
Be technically competent, either through specialised training or adequate experience (preferably both).
Possess good interpersonal and communication skills.
The number of safety professionals should be appropriate for the size, technology and complexity of the enterprise.
Management should consider rotating employees between line management and the safety function in order to increase understanding of safety-related problems, generate better solutions to safety-related problems and strengthen the safety culture within the enterprise.
Consideration should be given to whether reductions in staffing levels, related to both labour (such as operators) and management, may have an adverse effect on safety.
This is an important issue since economic conditions can lead to a reduction in the number of employees and changes in corporate structures.
Reductions in staffing levels do not necessarily affect safety since there are other factors involved, including design, management and operation. However, it is possible that staff cuts can lead to reduced safety communications, a disconnect between policy and hands-on action, increased stress and less time for training, voluntary inspections and time-off between shifts. It can also result in the loss of experience and a greater number of operators working alone rather than with colleagues.
Special consideration should be given to the impact of external factors on staffing, for example in case of public health events (e.g. influenza pandemics), large-scale strikes, industrial actions and natural events.
Consideration should be given as to whether certain tasks, because of their relationship to the prevention of accidents, should be subject to specific management controls, for example a requirement for a specific authorisation such as a permit to work.
Specific policies with respect to personal activities that may affect the safe operation of an installation – smoking, substance abuse and similar matters – should be agreed on and included in every individual employee’s contract or conditions of employment. There should be an evaluation of “fitness for service” with respect to specific activities.
Give special consideration to the engagement of contractors
When engaging contractors, management should ensure there is no negative impact on safety.
Management should only hire contractors who are:
Capable of performing their tasks to a sufficiently high standard of safety.
Competent to carry out the contracted work in accordance with all applicable laws and regulations, safety policies and standards of the enterprise, and any additional practices particular to their task.
Compliance with relevant laws, regulations, safety policies and standards should be an integral part of the contract with contractors.
Management should monitor the safety performance of their contractors and, in general, contractors should be subject to the same safety management systems as staff at the enterprise. Contractors should also have equivalent rights and responsibilities with respect to safety as staff at the enterprise.
Third parties are responsible for involving personnel with appropriate skills and training such that the work is performed safely and the finished work meets all relevant technical standards and safety requirements. Third parties should keep records and be able to provide these records of competency assessments and provide training, supervision and other support delegated in the contract.
In any event, management retains the responsibility for the safety of installations.
Consider safety as an essential component of every employee’s performance, including managers
Safety performance should be considered an essential component of every employee’s overall performance and should be reviewed periodically. The role of managers and labour (at all levels) regarding safety should be clearly defined so that safety performance can be appropriately monitored and reviewed.
Co-operation between management and labour, at all levels, is essential to assuring safe operation of hazardous installations.
Management should encourage and facilitate the ability of employees to fulfil their roles and responsibilities.
Labour may make use of the experience and support of unions, confederations and their international organisations to help them.
Plans for personnel development and rotation of jobs should always be consistent with maintaining operational safety requirements. This applies to employees at all levels, including management.
Ensure personal protective equipment for employees
Management should ensure that all employees and contractors know what personal protective equipment (PPE) is required, have the correct PPE where necessary and ensure that such equipment is currently fitted, maintained in good condition and used.
Management should also ensure that regular training is provided on the use of PPE.
Employees should be responsible for using suitable PPE in accordance with safety procedures and policies.
Efforts should be made to design installations so that the need for PPE is minimised.
Ensure that all employees, including contractors, are informed of the hazardous substances they may be exposed to
Management should take all reasonable measures to inform onsite employees, including those of contractors, of the hazardous substances to which they may be exposed in the case of an accident.
Adequate information on hazards (including emergency exposure levels), on the procedures to be followed for safe handling of all substances at the installation (including those used, manufactured as intermediates, stored or available for sale) and on the procedures to be followed during a chemical accident should be obtained, kept up to date and disseminated widely, in a language(s) which all employees can understand.
Special attention should be given to working under abnormal conditions.
Ensure that employees follow procedures and take care of their personal safety and the safety of others
Each employee should be responsible for following the procedures laid down by management and for taking reasonable care of his or her personal safety and the safety of others who may be affected by his or her acts or omissions at work.
Each employee should support the ability of others to carry out their jobs in a safe manner and co-operate actively with management in the application of safety procedures and arrangements.
Employees at all levels should be given the education, training and resources they need to carry out their tasks and, at the same time, for them to accept responsibility (and be held accountable) for carrying out their tasks, both as individuals and as part of a team.
While the individual has responsibility for his/her own safety performance, the enterprise has to provide the conditions that allow the individual to act responsibly and effectively. Experience suggests that safety benefits when an organisation gives employees responsibility in an atmosphere of trust and provides the tools needed to work and make decisions.
Build internal communication for safety
Establish “formal” mechanisms to communicate about safety
Management should use mechanisms that will allow for open communication that encourages truthful exchanges and finding out about problems. These mechanisms can take different forms and should allow for two-way communication channels between management and employees, with feedback loops to management on safety issues that directly threaten the operation of a plant or the safety of the plant. These mechanisms should help create and maintain a high level of motivation for all employees to operate the installation safely.
The regular communication channels should be reinforced through a formal mechanism for consultation between management, labour and their representatives on safety matters, for example by the establishment of safety committee(s) in the case of larger enterprises or the establishment of regular safety meetings for smaller enterprises. The safety committees should support – but not be a substitute for – direct communication between management and employees, and individual and line management responsibilities for safety.
Safety committees should operate at different levels in an enterprise. Such committees could, depending on the size of the enterprise, consist of:
Employees at various levels (including safety representatives where they exist).
Managers with the authority to implement the committee’s recommendations.
Safety specialists.
Contractors, where appropriate.
Safety committee members should receive safety training and specialist advice as necessary.
Resources (for example people, time, a place to meet and finances) should be available for the safety committee to undertake its activities. Participation in the committee should be considered an integral part of an employee’s time.
Management should act upon the recommendations of the safety committee, recognising that the ultimate responsibility for safety remains with management.
In addition to safety committees at individual hazardous installations, the establishment of similar mechanisms at corporate, sectoral, national or international levels may be considered useful in helping to disseminate safety information and providing input to the relevant decision-making processes concerning safety.
Communication should be based on the use of a commonly understood “language” that is plain and simple and which takes into account the different nationalities working (or which need to intervene) on site. Management should recognise the need to address possible language differences so that employees can understand the education and training, and are able to communicate with their co-workers:
Where appropriate, education and training should be available in languages other than the primary language used at the installation, for example where there are foreign employees or where the installation is located in a multilingual area.
Where employees speak different languages, management should provide the necessary language training, so that there is a common language for communication needed to operate the installation safely and to respond in the event of an emergency.
Ensure that internal communication is based on a mature safety culture with no fear of reprisals for reporting safety issues
Internal communication should aim for the plant to be safer.
No measures prejudicial to an employee should be taken if, in good faith, the employee complains to competent authorities or other employees with responsibilities for safety, of what he/she considers to be a breach of statutory requirements or an inadequacy in the measures taken with respect to safety or information on incidents or potential causes of accidents. Management should support this approach if the necessary “open” attitude to safety matters is to be achieved.
An employee should have the right to refuse to perform any tasks that he/she believes may create an unwarranted risk of a chemical accident.
The employee should immediately report to management the reasons for refusing to perform these tasks.
In certain cases, an employee or a safety representative where one exists, may interrupt hazardous activities in as safe a manner as possible when he/she has reasonable justification for believing that these activities present an imminent and serious danger to safety.
Employees should immediately report to management, without fear of reprisals, any situations that they believe could present a deviation from normal operating conditions, in particular situations which could develop into a chemical accident.
Management should investigate these reports within a reasonable timeframe.
Any employee should be entitled to report unsafe conditions to relevant public authorities.
Ensure proper education and training
Ensure that all employees, including temporary employees and contractors, receive appropriate education and training to perform their tasks under normal and abnormal conditions
Management should take all reasonable measures to ensure that all those employed at a hazardous installation, on any level and including temporary employees and contractors, receive appropriate education and training and are competent to carry out their tasks under both normal and abnormal conditions.
Education and training should address the needs and requirements of each individual appropriate to their role and associated tasks (see Box 2.6 for special considerations for engineers and safety specialists). It should address, as appropriate, the following:
Hazard identification, risk identification, evaluation, mitigation and appropriate corrective measures to address safety concerns.
Any special hazards unique to their job.
Actions that should be taken in abnormal or emergency situations, including the prediction or occurrence of a natural hazard or disaster.
Correct procedures for handling hazardous substances including waste.
Human factors and risk communication.
Box 2.6. Special considerations related to engineers and other safety specialists
Engineers and other safety specialists have a duty to identify safety issues and to provide leadership with respect to safety issues to others in their communities. Managers should recognise the important role of engineers and safety specialists in risk management decision making and seek input and reasoning as to why a situation may be safe or unsafe.
In this regard, engineers and other safety specialists should:
Be called on to raise the awareness of management and other employees, and educate them with respect to issues concerning safety and risk.
Be able to communicate effectively to their colleagues and to management about safety and risk issues, recognising that others in the enterprise or organisation may have different objectives and use different terminology.
Be aware of which forces drive the decision-making process and ensure that good engineering practices with respect to safety, health and the environment are considered appropriately.
Be aware of the limits of their own knowledge with respect to their role in the safe siting, design, construction, operation, maintenance and/or decommissioning of hazardous installations. They should seek ways to continue acquiring additional information and training, as appropriate.
Must maintain their level of competency taking into account new technological, legal and other developments. This could be done through in-house training programmes, continuing education courses, online and written materials, external training activities, etc.
Enterprises and other organisations that employ engineers and other safety specialists should support continuing professional development and maintaining their level of competency (including with respect to risk assessment and risk management). The training of engineers and safety specialists should, at a minimum, include the concepts of risk and risk management, operational deviations, probability of failure and failure consequences recognising that specific training programmes will take into account the different educational systems in different localities.
Safety training should be part of the initial induction training given to all new employees to create safety consciousness and commitment. There should also be regular follow-up training and education and specialised training as appropriate.
Training should be structured to give all employees the skills they need to do the job which they have been assigned and be sufficiently broad-based so that employees understand the workings of the installation, equipment, operations and processes, and possibilities for abnormal situations.
The approach to education and training should create the high level of awareness necessary not only to prevent accidents but also to respond to abnormal occurrences quickly and effectively.
Training should make clear not only what employees are required to do but also why certain actions are necessary for safety. In this regard, training should instil in employees the confidence to raise concerns related to safety (both technical and management issues), when appropriate.
Training should include practising the different modes of operations so that recovery from abnormal situations can be achieved safely. Operational perception, especially with respect to making decisions in an emergency situation, is an important factor in operational safety. Perception can be complex, drawing on previously acquired information and on existing understanding of systems.
Records should be kept and maintained up to date of all safety-related education and training of all personnel, including managers and contractors.
Employees and their representatives should be involved in the development of education and training programmes. This support could take the form of direct training of individuals or by facilitating the training activities of others through, for example, the development of a syllabus, provision of training materials and programmes, supplying tutors and speakers, and assisting with the sharing of experience related to training.
Labour organisations should facilitate co-operation with management at the national and international levels. For example, as one of the tripartite constituent groups of the International Labour Organization (ILO), labour organisations have had and continue to have a leading role in the development and promotion of ILO conventions and recommendations (Box 2.7).
The experience and understanding gained by labour organisations from their training and education programmes and from their practical day-to-day experience can be used to help improve prevention policies and activities.
Box 2.7. International Labour Organization (ILO) – Prevention of Major Industrial Accidents Convention and Recommendation, 1993
In the last 100 years, the ILO has adopted more than 50 legal instruments for the protection of workers, as well as the public and the environment, from chemical hazards. In addition to legally binding instruments, the ILO also offers technical assistance programmes and provides training and guidance tools to global stakeholders.
In 1993, the ILO issued the Prevention of Major Industrial Accidents Convention (No. 174) and Recommendation (No. 181) (ILO, 1993[14]). The purpose is the prevention of major accidents involving hazardous substances and the limitation of the consequences of such accidents. It provides for the development of a coherent national policy concerning the protection of workers, the public and the environment and measures involving central and local government, employers and workers, and it establishes roles and responsibilities at the workplace level.
The ILO developed a Code of Practice: Major Industrial Accidents as a complementary practical guidance to Convention 174, which aims to provide guidance for setting up an administrative, legal and technical system for the control of major hazard installations.
Source: ILO (1993[14]), Prevention of Major Industrial Accidents Convention (No. 174) and Recommendation (No. 181), https://www.ilo.org/dyn/normlex/fr/f?p=NORMLEXPUB:55:0; ILO (1997[15]), Code of Practice: Major Industrial Accidents, https://www.ilo.org/safework/info/standards-and-instruments/codes/WCMS_218624/lang--en/index.htm.
Consider the most effective methods for training
In developing and implementing training programmes, consideration should be given to the most effective methods of training for particular circumstances, including training for day-to-day operations and for dealing with abnormal or emergency situations.
Different approaches to training could include, for example, operator-to-operator training, online systems and electronic simulation models. The use of simulator training provides a means for learning about the application of diagnostic and corrective actions in the operation of automated systems as well as the simulation of highly hazardous operations.
Consideration should be given to training employees in groups rather than individually. Group training can be an effective way of developing a shared safety culture, developing positive group behaviour and establishing increased ability for group members to predict potential safety problems and develop solutions. There should also be joint training activities for managers and labour to facilitate understanding of each other’s roles and responsibilities.
Assess changes in safety training and education needs
Requirements should be assessed on a regular basis, any changes identified and the training and education programmes amended as required.
Education and training programmes should be modified to reflect changes in processes used, technology applied and procedures followed at an installation.
This evaluation and revision process is particularly important in times of change, such as when employees, including managers and supervisors, are being assigned to a new or different installation.
Ensure that managers keep themselves informed about safety standards and risks
Managers have an obligation to keep themselves informed about safety standards and risks. They should know and fully understand the properties and behaviour of the hazardous substances being used, the limitations of the equipment and technology, and should be competent to implement the measures to be taken in case of an emergency.
Every manager should ensure that those on his or her team know how to safely carry out the tasks entrusted to them and how to maintain a high level of safety awareness. To achieve this, they should receive appropriate training in communication techniques, safety leadership, accident investigation and reporting procedures, safety and health analyses, and the conduct of safety meetings.
Recognise the importance of human factors
Give particular attention to the role of human factors in preventing accidents
Particular attention should be given to the role of “human factors” (Box 2.8) in preventing incidents at hazardous installations and in being able to respond during abnormal events.
Box 2.8. Introduction to human factors
“Human factors refer to environmental, organisational and job factors, and human and individual characteristics, which influence behaviour at work in a way which can affect health and safety.” (UK HSE, 2021[16])
It should be recognised that humans will, on occasion, fail and that the majority of accidents are in some part attributable to human error, meaning human actions or inactions which unintentionally exploit weaknesses in equipment, procedures, systems and/or organisations. However, human error is never the single root cause of an accident but the result of a more complex situation.
The term “human factor” is often used in a negative context (equating it to human error). However, humans are often the only means for effectively responding to abnormal situations since they have the capability to reason and then override automatic reactions of machines. Humans have (a limited) capacity to forecast action, integrate complicated information and understand how to address unusual situations based on experience and training. Thus, an employee may be able to remedy potentially unsafe situations if he/she is provided with sufficient information and training, and the workplace is designed in a way which allows him/her to take corrective action.
Take into account the human factor in all phases of the functioning of a hazardous installation
The “human factor” should be taken into account in all phases of a hazardous installation including: design, construction, hazard identification and risk assessment, operation, alarm management (Box 2.9), training and education, maintenance, shutdown and decommissioning.
The human factor, including both positive and negative aspects of human behaviour, is applicable to all employed in a hazardous installation (i.e. managers and labour, including contractors).
The demands of tasks that may affect the safe operation of an installation should be analysed so that employees can be placed at tasks that are appropriate to their physical and psychological abilities and to help ensure that employees are not overloaded or excessively stressed.
Box 2.9. Human factors and alarm management
There is significant evidence that poorly designed alarm systems have a role in major accidents. Every hazardous installation should have a clear and well-defined alarm management strategy, as part of its safety management system.
Good alarm management will help prepare for unanticipated events by providing: detection of failure(s); identification of problems and causes; and implementation of countermeasures aimed at returning the process to a normal or safe situation.
The alarm management strategy should include means to prevent: alarm flooding; overloading of the operator; complacency by the operator when an alarm is triggered; and/or operator(s) ignoring alarms he/she considers to be unimportant.
The alarm management strategy should provide for an effective alarm system, which provides a signal in response to any deviation from the normal situation which requires immediate action.
The purpose of an alarm system is to direct the operators’ attention towards conditions at the installation requiring timely assessment and/or action.
Every alarm presented to the operator should be useful and relevant to the operator. Alarm systems should be designed taking into account the operators’ needs.
Every alarm should have a defined response and adequate time should be allowed for the operator to carry out this response.
There should be a system that helps prioritise when multiple alarms are activated at the same time.
When a high alarm is reached, the automated process safety system should take over.
The alarm system should be continuously monitored, tested, analysed and improved.
The alarm system should accommodate human capabilities and limitations.
Any overriding or bypassing of alarms should be: assessed as a temporary measure, consistent with the management of change process; logged through manual or computer-generated written documentation; regularly reassessed; and reinstated when the override or bypass is no longer necessary. The reinstatement should also be documented.
For more information, see Standard IEC 62682 on the management of alarm systems for the process industries (https://webstore.iec.ch/preview/info_iec62682%7Bed1.0%7Db.pdf).
Encourage employees to share their experiences to reduce the risk of human error
Employees should be encouraged to share their experiences in order to reduce the risk of human error.
This can be accomplished through, for example, safety workshops, discussions of near misses and other group discussions, as well as through inspection and observation of the workplace by employees and, where appropriate, by safety representatives.
Experiences relating to human errors should also be shared among different enterprises and, to the extent possible, among public authorities.
Certain situations can lead to conditions where employees can be placed under elevated levels of stress that can then lead to human errors. Measures should be taken to identify these potential situations and consider appropriate steps to reduce the potential for failure. Possible situations could be when there are unusual short-term production demands, extreme overtime work or a slow-down in production, when there are resource constraints, or when there is a change of ownership at an installation.
Stress affecting safety could result from pressure on individuals or groups of employees or on the enterprise as a whole (for example, to increase production or cut costs), during and after modifications and maintenance, during shutdown/start-up, and following outages, since human errors tend to increase during and after these periods.
Management should communicate that safety considerations take precedence over other considerations.
Maintenance
Maintenance means keeping the workplace, its structures, equipment, machines, furniture and facilities operating safely, while also making sure that their condition does not decline (UK HSE, 2021[17]).
The maintenance programme should have in place a number of structural elements that form the logical basis for making rules, taking decisions and performing actions involving maintenance interventions. With a well‐structured maintenance programme, the operator should be able to identify and track the mechanical integrity of each safety critical element throughout its life on the basis of demonstrated knowledge about its actual condition and potential degradation pathways. The aim is to ensure that all necessary information is available and that all systems and processes are primed to ensure that equipment in operation is always fit for service (EU, 2019[18]).
Maintenance-related accidents are very frequent and remain a serious cause of concern.
Establishing a maintenance programme
Management of hazardous installations should establish programmes for regular maintenance, including inspection, testing, servicing and repair of equipment (and where necessary replacement with identical components) to ensure that it is at all times fit for the purpose for which it was designed.
Maintenance programmes should:
Take into account information obtained from hazard identification and risk evaluation procedures. Activities in maintenance programmes should be subject to risk assessment, including identification of the special hazards, if they are made during the operation of the installation or while hazardous substances are present.
Ensure that alarms, instrumented systems, protective devices and emergency equipment, and all devices critical to controlling and responding to the incident and the orderly shutdown of operations, are regularly inspected and maintained.
Be adhered to strictly and be reviewed periodically to ensure they continue to be appropriate in relation to safety requirements.
Special attention should be paid during periods of maintenance since there is a higher risk of accidents during such periods. Maintenance standards and procedures should be developed to ensure the safety of each operation and all jobs should be performed according to such procedures.
Where the function of these systems is related to mitigation and response activities by public authorities, maintenance should be carried out in co‑ordination with these authorities.
“Ageing” should be considered a key aspect of maintenance programmes:
Ageing is a multi-aspect phenomenon: everything associated with a site and its processes can age, not only equipment but people, procedures and technologies.
The physical ageing of equipment is not necessarily linked to chronological ageing per se but to the degradation of equipment over time from its initial condition.
The operator should integrate the different aspects of ageing into maintenance programmes.
Carrying out maintenance
Undertaking maintenance activities can potentially expose the personnel involved and others in and outside of the installation to a range of risks:
Permit to work procedures should exist for particular activities (Box 2.10).
Mechanisms should be established for safe operation, such as Lock out, Tag out and Try out (LOTOTO).
Management should ensure that all contractors responsible for maintenance or repairs are aware of, and follow, all relevant standards and procedures (see section on operation).
Procedures should exist for the safe shutdown and start-up of installations during the maintenance of equipment. Special efforts should be made to avoid potential causes of risk such as communication problems and split responsibility; this may be a particular concern when contractors are involved (who may not be fully aware of the details of an installation’s operations, policies and procedures).
Box 2.10. Permit to work (PTW)
Permit to work (PTW) is a particular element of the safety management system, which is used to ensure that work recognised as hazardous is carried out safely. In particular, the PTW is used for standardised activities, which are carried out at particular times or in conjunction with particular modes of operation of the plant. The PTW is a document that enables the responsible person to be able to identify the hazards and assess the risks in a structured manner, to document the necessary measures for safe forms of work and to ensure that those carrying out the work are appropriately informed. The PTW is an important element of all maintenance work. Operations that involve the issuing of a PTW are, for example:
General work (activities which are not usually carried out on a day-to-day basis and covered by other workplace risk assessments).
Entry into confined spaces.
Isolation of equipment.
Breaking into a line which has been carrying a hazardous substance by opening a flanged or screwed joint, or by cutting.
Hot work (such as welding, soldering, grinding and drilling), i.e. any flame, spark-producing or heating activity.
Positioning a crane and carrying out the lifting of loads in the vicinity of a plant.
Erecting of scaffolding.
Excavation (to ensure that no cables, underground pipes, foundations or the stability of the excavation work are compromised).
Connected to the PTW system are certain good practices, which support safe operating practices. In particular, the LOTOTO procedure is a means of ensuring that equipment which has been made safe for maintenance by isolating it from energy sources and hazardous chemicals cannot be reactivated without authorisation.
Documenting maintenance
Records should be kept of:
All safety-related maintenance work carried out and equipment reviews and reliability assurance procedures should be established.
Any faults found during maintenance of equipment that might materially affect safety; prompt action should be taken to rectify such faults.
Decommissioning, closure and demolition
Appropriate procedures and organisational structures should be developed for the safe shutdown, decommissioning and demolition of hazardous installations.
Such procedures should be designed to ensure that risks are controlled during the shutdown process and while the installation is out of operation, to avoid leaving a contaminated site once the installation has been decommissioned and to ensure that the demolition process is conducted in a safe manner and the site meets all relevant environmental and safety laws.
Management should ensure that contractors involved in shutdown and decommissioning follow the safety procedures.
Responsible risk management – responsible management of hazardous substances and technology
This section addresses three specific areas of responsible risk management: the safe management of hazardous substances throughout their life cycle (product stewardship), the transfer of technology, investments and physical and cyber security.
“Product stewardship” and assistance to other enterprises
Promote the safe management of the produced substances throughout their life cycle, including handling and use by downstream users
Producers of hazardous substances should promote the safe management of substances they produce throughout the total life cycle of the substances, from their design through production and use, to their final disposal or elimination, consistent with the principle of product stewardship. Producers should make special efforts to help prevent accidents during the handling and use of a hazardous substance by downstream users.
Product stewardship is the responsibility to understand, manage and communicate the health and environmental impacts of chemical products at each point in their life cycle.
The International Council of Chemical Associations (ICCA) has published Product Stewardship Guidelines to assist companies in designing and implementing product stewardship programmes built on a management systems approach.
For more information, see the ICCA Global Product Strategy webpage (https://www.icca-chem.org/global-product-strategy-gps/).
Producers of hazardous substances have a responsibility for their products and, therefore, should create a full awareness of any potential hazards that could arise in the use, handling, storage, transportation or disposal of their products and they should provide assistance and/or guidance, as necessary.
In this regard, producers should provide technology, information and assistance to their contractors, distributors, transporters, customers and users so that they can follow appropriate prevention practices. Producers should be encouraged to voluntarily provide their customers with education, training, information and other services related to risks and safe handling of chemicals.
Producers of hazardous substances should ensure that a complete safety data sheet is prepared for each substance in accordance with the Globally Harmonized System (GHS) and relevant additional national regulations, and that it is kept up to date and made available to all customers in the appropriate language(s).
Enterprises should seek to co-operate with others in their region or within their industry sector, or establish partnerships, to help facilitate the sharing of information and to learn from experience (Box 2.11).
Box 2.11. The role of industry/trade associations, local chambers of commerce and other industrial and professional organisations
Industry/trade associations, local chambers of commerce and other industrial and professional organisations should provide a useful means of disseminating information related to the prevention of chemical accidents.
Industry/trade associations and industrial/professional/standards organisations should be critical sources of guidance, consultant services, training and other technical tools, providing a mechanism for channelling the collective experience of their members towards the development of resources which can be made available to both members and non-members.
Enterprises and industry/trade associations should strongly encourage enterprises that act less responsibly to improve and meet appropriate safety objectives.
Larger enterprises and/or industry/trade associations should offer encouragement and assistance to companies needing help. This could include, for example, mentoring, outreach activities and encouragement to participate in industry-led initiatives relating to safety such as the chemical industry’s Responsible Care® programme. They should share their experience and provide guidance and assistance to suppliers, customers, contractors and others with whom they have influence and/or business relationships.
Smaller enterprises with limited resources should actively engage with their relevant industry association and use the assistance provided.
Actively determine whether customers can safely handle substances and take decisions on whether to sell accordingly
Enterprises selling hazardous substances should actively try to determine whether their customers can safely handle the substances (including, as appropriate, processing, use and disposal of the substances).
If this cannot be determined, judgement should be exercised to decide whether to accept such customers.
If customers are found to be incapable of safely handling the hazardous substances, the seller of the substances should take appropriate action (such as assisting the customer to obtain this capability) or else not accept such customers.
Suppliers and distributors of hazardous substances should be key information channels for enterprises that might need information and assistance.
Box 2.12. Responsible Care® programme of the chemical industry
Responsible Care® is an initiative developed and adopted by chemical industry associations to improve the health, safety and environmental performance of their member companies’ operations and products, and the level of community involvement and awareness of the industry.
Through Responsible Care®, participating companies are committed to supporting a continuing effort to improve the industry’s responsible management of chemicals and specifically agree to:
Continually improve their health, safety and environmental performance.
Listen and respond to public concerns.
Assist each other to achieve optimum performance.
Report their goals and progress to the public.
Source: ICCA (2023[19]), Homepage, http://www.icca-chem.org/; ACC (2023[20]), Responsible Care®: Driving Safety & Industry Performance, https://responsiblecare.americanchemistry.com/.
Transfer of technology
The transfer of technology is the introduction of technology or hazardous substances to a location that does not have prior experience and knowledge.
Whenever an enterprise transfers process technology or other safety-related technology, the management of that enterprise should strive to ensure that the technology will be applied in a way which will result in a level of safety equivalent to that achieved in the technology supplier’s own installations using that technology.
Enterprises transferring process or other safety-related technology for hazardous installations have a responsibility to develop the technology and associated operating procedures so that installations can be operated to an acceptable level of safety, recognising that certain safety technology may not be appropriate in all locations.
For the transfer of technology, a process should be established that involves the supplier of the technology and the recipient. This process should clearly establish roles and responsibilities throughout the transfer.
As a first step in the transferring of technology, an assessment of the local situation in which the technology is to be transferred should be carried out. This assessment should take into account:
Local meteorological conditions and natural hazards and their potential impact on the safe operation of the installation.
The regulatory situation and requirements regarding the siting, construction and operation of the installation, including inspection by the public authorities.
The local cultural and administrative conditions which may have a significant effect on the practices of management and other employees.
The ability of the receiver to safely apply the technology under the existing condition, respective of the need to adapt both the technology and local conditions, as far as reasonably possible, to enable the safe operation to take place.
The requirements for regular inspection and maintenance, particularly with regard to the use of particular technologies for testing and the availability of replacement parts in the intended location.
The assessment should involve, where appropriate, local authorities and community representatives, and should ensure that local authorities are given the results of the evaluation. Those carrying out the assessment should have access to all the necessary information and should use currently accepted techniques for the identification of hazards and evaluation of risks.
The technology supplier should not seek to transfer technology to another location that would not be acceptable on grounds that it is a legally prohibited technology or that the technology cannot be operated safely at its own existing sites.
The technology supplier should assist the technology receiver with education and training and all such transfers of technology should be accompanied by related safety information.
Technology should not be transferred unless the supplier and receiver are satisfied, having conducted a fact-finding study and a review of an appropriate risk assessment, that the technology receiver can apply and use the technology in a safe manner, taking into account local circumstances as well as the legal and administrative infrastructure necessary for its safe operation.
There should be a contract governing the transfer of the technology and this contract should, among other matters, clearly define and regulate the division of responsibilities between the parties involved with regard to effective control of operations, prevention of accidents and emergency preparedness and response.
If appropriate, this contract should also have provisions relating to the procedure for the handover of a turnkey plant.
The sections of the contract relating to the areas described above should be available, on request, to competent public authorities and to employees and employee representatives.
When a hazardous installation involving the transfer of technology has been built to the specified design and its capability to be operated safely (in accordance with specified procedures) has been satisfactorily demonstrated in an acceptance test run, a handover document should be signed by all parties involved, including contractors.
Physical and cyber security
The management of facilities handling hazardous substances should be aware of the need to control access to their site and the operations on site. This access covers not only physical access but also virtual access through a computer network and control systems. The control is to ensure that any undesired access is prevented as far as practically possible regardless of whether this is deliberate (Box 2.13) or inadvertent.
To understand the level of threat to the site and its operations, an assessment of the security and vulnerability should be carried out. The results of this assessment should assist management in defining the necessary measures to maintain the necessary level of security on site.
In considering the vulnerability of the site, management needs to be aware that this may be influenced by a number of factors which are independent of their operations involving hazardous substances. This includes amongst other factors: the location of the site, including the political geography; name and reputation of the company and its corporate owners; trading partners (suppliers and customers); past and current activities of the company.
Box 2.13. Malicious acts
Malicious acts are defined for the purposes of these Guiding Principles to be actions by an individual(s) purposely intended to create harm. This would include sabotage, cyber attack, terrorism, vandalism and theft. Thus, it does not include such actions as slips or lapses (actions that were not as planned) or unintended actions, mistakes (errors of judgement or decision making) or violations (non-compliances, shortcuts and workarounds which are intentional but usually well-meaning deviations from the correct procedure) where the operator has no malicious intent to cause harm or damage.
Both public authorities and management of hazardous installations have roles and responsibilities with respect to security and safety in the prevention of accidents caused by malicious acts. This subsection focuses on the role of industry but also addresses some aspects of the authorities’ roles. Consideration should be given to which authorities should be involved in addressing chemical accidents caused by malicious acts. This will generally include agencies responsible for domestic/national or international security and the police, in addition to the various public authorities that are normally involved in chemical accident prevention, preparedness and response.
It is beyond the scope of this document to address the range of issues associated with site security at hazardous installations, which are the concern of national and international security agencies. However, these guiding principles are relevant to the prevention of, preparedness for, and response to accidents involving hazardous substances irrespective of their cause.
It is important to keep in mind that, in some situations, it may be necessary to balance safety and security concerns where there are competing interests.
Security and vulnerability assessments
With regard to security and vulnerability assessment, some countries have published regulations with specific requirements for security and vulnerability assessment within the framework of national safety and security programmes. Operators of sites handling hazardous substances should make themselves aware of any specific local requirements.
Other organisations have published guidance, recommendations and standards covering a variety of aspects relevant to security.
Physical access to the site
To control physical access to the site it is necessary to define the site boundaries. This is often achieved with a fence of an appropriate height and construction type. If the site is part of a chemical or industrial park, then there may be a fence surrounding the whole park. There may also be agreements within the contracts and regulations governing the chemical park regarding the construction of fences and control of site access. When a fence is erected, then access is controlled through the use of gates, which may be operated through staff in a gatehouse or through electronic devices such as chip cards, transponders, vehicle number plate recognition, etc. In addition, traditional mechanical keys may be used, in particular where the number of people requiring access is low or infrequent.
Within the fence line, access to particularly sensitive areas may be restricted through the use of internal fences or by locked doors, which require mechanical or electronic keys. Areas may be considered sensitive due to the access to hazardous substances, in particular toxic substances in readily transported containers or due to access to process control systems and equipment which when operated maliciously may lead to a process disturbance and release of a hazardous substance.
Measures for personnel
Management should decide which members of staff have access to which areas and buildings within the site. Appropriate measures should be taken to ensure that this is achieved. This may involve staff being issued with keys or electronic chip cards to gain access as required.
Management should ensure that the necessary personal security and reliability assessments of individual employees and contractors are carried out where this is necessary. The legal requirements of the local jurisdiction with respect to this are to be applied.
Procedures should be established for authorising access to non-site personnel. Non-site personnel may include:
Contracted staff such as cleaners and grounds maintenance personnel who are on site on a regular basis.
External contractors who are on site for a limited period of time for a defined activity.
Company personnel from a different site.
Site visitors.
The procedures should define the limits of access (location and time period), whether movement on site is accompanied or unaccompanied, and the length of time the access is valid for. Non-site personnel should be identifiable and should be monitored appropriately.
Procedures should be established for ensuring that, when contracts are terminated, measures are undertaken to ensure that access is no longer possible. This includes surrendering keys and code-/chip cards as well as changing access codes, passwords, etc.
Employees should be trained in the security rules on site, in particular made aware of the action to take should they discover unauthorised persons on site or in particular locations on site, or become aware of any suspicious activity related to the security of the site.
Transportation modalities and supply chain
Operators should protect their facilities and transportation and supply chains with the goal of preventing malicious activities leading to chemical accidents. Controls should be established for the transportation of hazardous substances, including the setting of routes, to take into account the need to protect against malicious acts.
Security for purposes of accident prevention entails not just site security but necessarily extends to the management of chemicals from supply chain sourcing and transportation to the environmentally sound disposal of hazardous wastes. It includes secure operations information systems as well as health, safety and emergency response regimes.
Operators should put procedures in place to manage the cyber security of their supply chain, such as: specifying security requirements for third parties, use of trusted third parties, periodic assessment of the suitability of third parties and ensuring clear roles and responsibilities for third parties and contractors.
Cyber security
Reducing the risk of a major accident often includes the use of electronic control plant or equipment (known as Industrial Automation and Control Systems [IACS], Industrial Control Systems [ICS] or operational technology [OT]). Such technology is often programmable and connected to a network and so vulnerable to cyber threats. Cyber security is the term used to define measures taken to protect such technology against threats – accidental or deliberate. International standards exist and should be used.
Procedures should be established for the purchasing, installation and commissioning of process control equipment and software. Appropriate expertise should be involved in the decision making. In particular, interactions between OT and information technology (IT) systems must be systematically analysed, documented and regularly reviewed and maintained.
Employees should be made aware of, and trained in, cyber security issues relevant to their role, in particular with regard to the connection of mobile devices for charging purposes or the use of mobile data storage media.
Industry should take measures to ensure its operations are protected from malicious acts. This may involve other national and local regulations or public authorities, for example security services.
Co‑operation with public authorities and non-governmental organisations (NGOs)
Industry, public authorities and NGOs should co-operate and establish partnerships to enhance the security of hazardous installations and improve their ability to prevent, detect and mitigate malicious acts intended to cause chemical releases, explosions or fires.
Balancing safety and security
Operators of hazardous installations should give appropriate attention to the security of their site, including the threats posed by malicious acts such as sabotage, cyber attacks, terrorism, vandalism and theft.
Public authorities with responsibility for industrial safety and domestic/international security should co‑operate to ensure installations are not given conflicting advice or required to take duplicate actions.
Box 2.14. Examples of guidance on cyber security
UK HSE Guidance on Cyber Security for IACS, Second Edition
This guidance describes the required cyber security countermeasures to address low levels of cyber security risk. The following guiding principles were used in producing this guidance:
Protect, detect and respond. It is important to be able to detect possible attacks and respond in an appropriate and timely manner in order to minimise the impacts.
Defence in depth. No single cyber security countermeasure provides absolute protection as new threats and vulnerabilities can be identified at any time. To reduce these risks, implementing multiple organisational, protective and detect-and-respond countermeasures in series avoids single-point failures, i.e.:
Organisational countermeasures – Governance, risk management, asset management, supply chain management, policy and procedures, competence and awareness.
Protective countermeasures – Identity and access control, data security, system security and resilience.
Detect and respond countermeasures – Security monitoring, incident response.
Source: UK HSE (n.d.[21]), Guidance on Cyber Security for Industrial Automation and Control Systems (IACS), Second Edition, https://www.hse.gov.uk/foi/internalops/og/og-0086.pdf.
OECD Recommendation of the Council on Digital Security of Critical Activities
Digital transformation is accelerating the digital reliance of critical economic and social activities while digital security threats are growing in number and sophistication. Many governments are anticipating a greater occurrence and severity of digital security incidents affecting critical activities in the coming years, potentially leading to large-scale disasters. This situation pushes governments to adopt policies that strengthen the digital security of critical activities. However, such policies should not undermine the benefits of digital transformation in critical sectors through constraints that would inhibit innovation or unnecessarily restrict the use, dynamic nature and openness of digital technologies.
The OECD Recommendation of the Council on Digital Security of Critical Activities sets out a range of policy recommendations to ensure that policies targeting operators of critical activities focus on what is critical for the economy and society without imposing unnecessary burdens on the rest.
Source: OECD (2019[22]), Recommendation of the Council on Digital Security of Critical Activities, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0456.
References
[20] ACC (2023), Responsible Care®: Driving Safety & Industry Performance, American Chemistry Council, https://responsiblecare.americanchemistry.com/.
[4] ACSNI Human Factors Study Group (1993), Third Report - Organising for Safety, HSE Books, http://www.hse.gov.uk/humanfactors/topics/common4.pdf.
[8] Dawson, D. and B. Brooks (1999), The Esso Longford Gas Plant Accident, Report of the Longford Royal Commission, http://www.parliament.vic.gov.au/papers/govpub/VPARL1998-99No61.pdf.
[7] EC (2017), Management of Change, Common Inspection Criteria Series, Major Accident Hazards Bureau, Joint Research Centre, European Commission, https://minerva.jrc.ec.europa.eu/en/shorturl/minerva/managementofchangefinalv1formattedpdf.
[12] Edwards, D. et al. (2015), “Inherent safety: It’s common sense, now for common practice!”, Symposium Series, No. 160, Hazards 25, https://www.icheme.org/media/8500/xxv-paper-33.pdf.
[18] EU (2019), “Maintenance of primary containment systems”, Seveso Common Inspection Criteria Series, No. 9, Major Accident Hazards Bureau, European Union.
[9] Hopkins, A. (2000), Lessons from Longford: The Esso Gas Plant Explosion, CCH Australia Limited.
[19] ICCA (2023), Homepage, International Council of Chemical Associations, http://www.icca-chem.org/.
[15] ILO (1997), Code of Practice: Major Industrial Accidents, International Labour Organization, https://www.ilo.org/safework/info/standards-and-instruments/codes/WCMS_218624/lang--en/index.htm.
[14] ILO (1993), Prevention of Major Industrial Accidents Convention (No. 174) and Recommendation (No. 181), International Labour Organization, https://www.ilo.org/dyn/normlex/fr/f?p=NORMLEXPUB:55:0.
[11] ISO (2019), ISO Guide 51, https://www.iso.org/standard/53940.html.
[22] OECD (2019), Recommendation of the Council on Digital Security of Critical Activities, OECD, Paris, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0456.
[10] OECD (2018), Guidance on Change of Ownership in Hazardous Facilities, OECD, Paris.
[13] OECD (2017), The Next Production Revolution: Implications for Governments and Business, OECD Publishing, Paris, https://doi.org/10.1787/9789264271036-en.
[1] OECD (2015), G20/OECD Principles of Corporate Governance, OECD Publishing, Paris, https://doi.org/10.1787/9789264236882-en.
[3] OECD (2012), Corporate Governance for Process Safety: Guidance for Senior Leaders in High Hazard Industry, OECD, Paris, https://www.oecd.org/chemicalsafety/corporategovernanceforprocesssafety.htm.
[2] OSHA (1994), Process Safety Management Guidelines for Compliance, Occupational Safety and Health Administration, United States Department of Labor, https://www.osha.gov/sites/default/files/publications/osha3133.pdf.
[17] UK HSE (2021), Hazards during Maintenance, United Kingdom Health and Safety Executive, https://www.hse.gov.uk/safemaintenance/hazards.htm.
[16] UK HSE (2021), Introduction to Human Factors, United Kingdom Health and Safety Executive, https://www.hse.gov.uk/humanfactors/introduction.htm.
[6] UK HSE (2013), Health and Safety Management System, United Kingdom Health and Safety Executive, https://www.hse.gov.uk/managing/health.htm.
[21] UK HSE (n.d.), Guidance on Cyber Security for Industrial Automation and Control Systems (IACS), Second Edition, United Kingdom Health and Safety Executive, https://www.hse.gov.uk/foi/internalops/og/og-0086.pdf.
[5] Williams, N. (2018), Gross Negligence Manslaughter in Healthcare, UK Department of Health and Social Care, https://www.gov.uk/government/publications/williams-review-into-gross-negligence-manslaughter-in-healthcare.
Notes
1. See ISO 31000:2018 – Risk Management, guidelines that provide principles, framework and a process for managing risk (https://www.iso.org/iso-31000-risk-management.html).
2. See IEC 31010:2019 – Risk Management – Risk Assessment Techniques, which provides guidance on the selection and application of techniques for assessing risk in a wide range of situations (https://www.iso.org/standard/72140.html).
3. See ISO 31000:2018 – Risk Management, guidelines that provide principles, framework and a process for managing risk (https://www.iso.org/iso-31000-risk-management.html); and ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques (https://www.iso.org/standard/72140.html).
4. Such reports are known in some countries as “safety reports” or “risk management plans”.
5. See for example the “Functional safety of electrical/electronic/programmable electronic safety-related system (BS IEC 61508)”, https://www.hse.gov.uk/comah/sragtech/techmeascontsyst.htm.
6. Domino effects occur when an accident causes greater adverse effects or triggers further accidents as a consequence of the proximity of other parts of the installation or nearby installations and their inventories of hazardous substances.
7. Safety representatives are responsible for dealing with the health and safety interests of fellow employees. They also play important roles with respect to mediation and communication between management and other employees.
8. See definition of ageing from HSE Research detailed in Research Report 509 (http://www.hse.gov.uk/research/rrhtm/rr509.htm).