Louise Whiting, Chemical Industries Association

The fundamental fact is that, regardless of technological advances since the start of the industrial revolution, key aspects of every process safety management system rely on human beings.

The unfortunate facts about people which weaken our process safety management systems can also be strengths in our system:

People move on – Especially in the last decade we have seen a crisis of aging workforces with mass exodus of skills. If not managed correctly this can result in significant gaps in our process safety knowledge. However, migration can also keep perspectives fresh and help share best practices.

People normalize risk – It is natural for humans to normalize risk, something that allows us to cope with highly stressful situations, but it can also lead to complacency.

Subconscious Automation – While we have evolved to complete many tasks using our subconscious brains this can lead to errors on routine tasks.

People are not Perfect – From the project manager who is pushing the engineering team to complete deliverables in parallel to the operator who routinely misses a step in the procedure because it caused a plant trip once, we are not willing poor process safety performance, but this can be the result. The ability to respond accordingly to differing input is what makes us invaluable in process safety management, but it can also make us the weak link.

Has the Past Taught Us Nothing?

From the widespread adoption of the seatbelt to the spreading requirement of a risk-based process safety management system, we have taken measures to improve our process safety performance. This is also evident in workplace injury and fatality data (REF www.hse.gov.uk/statistics/pdf/fatalinjuries.pdf).

However, there is also growing evidence that the cost (financial, people and environmental) of doing business is going up due to an increase in the magnitude and frequency of major process safety incidents since the 2017 (REF www.marsh.com/us/insights/research/100-largest-losses-hydrocarbon-industry.html).

These incidents when looked at in detail are never new incidents. One or more of the causes are in common with a previous incident and in some cases the incident can be a direct copy of a previous incident. So why do we learn better from some incidents than others?

Learning and embedding knowledge requires a willingness to learn by the individual. It also requires a personal connection with the messaging especially when it requires a behavioural change.

Some things we have identified over time as too important to leave to the individual. For example, it is now law to wear seatbelts with most cars fitted with a suitably annoying audible alarm to help us embed this learning.

In the high hazard environment, this translates to the inclusion of statements in industrial standards or health and safety legislation.

Tthe cornerstone of good process safety management is:

1. Defining the scope of the work

2. Identifying the associated hazards

3. Identifying the industrial standards applicable

4. Identifying the industrial best practices

5. Identifying past incidents to learn from

How Should We Change to Change the Future?

Learn from the past. Apply Inherently Safer Design (ISD) principles in every decision made in the business from development of the concept to managing organisational change and even the response to COVID. The definition of the principles is linked back to Trevor Keltz and his experience learning from incidents (REF www.hse.gov.uk/research/othpdf/500-599/oth521.pdf)

The key principles are:

1. Eliminate – can the hazard be eliminated?

2. Minimise – can the potential consequences, causes or duration of a potential hazard be minimised?

3. Control – can hazard be prevented through control?

4. Mitigate – If the hazard is realised, can the consequences be mitigated?

To answer any of the questions the first question that needs to be answered is ‘What is the hazard and what are the potential consequences?’


At the Union Carbide India Ltd plant in Bhopal in 1984, the manufacture of pesticides used methyl isocyante (MIC), stored in large quantities. This intermediate was reactive, generating heat, which means storage required cooling and other safety measures, such as a water curtain to prevent toxic gasses escaping.

On the evening of the incident, critical safeguards were not active and a runaway reaction in a storage vessel resulted in the release of 30 tonnes of the toxic gas and the death of several thousand people. At other facilities at the time and particularly after Bhopal, the process was optimised to eliminate the storage of this reactive intermediate.


An article on the outcome of the Tradeston Flour Mill Explosion in 1872 stated “that exhaust boxes and stive rooms should be housed outside mill buildings and designed to “be readily blown to pieces” so that when similar fires happened they would be drawn out of buildings themselves and the force of any explosion expended externally.”

It was understood you could not eliminate the hazards associated with handling dust when milling flour and therefore one should minimise the consequences by segregating the most likely explosion site from other valuable assets. In 2005 at Texas City Refinery, 15 people died when the ISOM unit overfilled the blowdown drum and ignited, causing a large explosion. Here, the consequences could have been minimised by locating the temporary buildings away from the ISOM unit or by ensuring they were not occupied during the start-up process.


If the hazard is integral to the activity or process, then it must be controlled to prevent the hazard from being realized. This is the fundamental reason for the development of many standards, not least the boiler code in 1915 which was developed to reduce the number of steam boiler explosions (REF www.asme.org/topics-resources/content/the-history-of-asmes-boiler-and-pressure). Every incident has an element of loss of control.


Emergency responders often fall victim to large process incidents. Chernobyl reactor core explosion is no different (REF https://world-nuclear.org/information-library/safety-and-security/safety-of-plants/chernobyl-accident.aspx) where several of the 28 further fatalities in the months after the incident were first responders.

Every person who could be affected by an incident needs to know what to do in a timely manner and to have the ability to do it (the tools, protection etc.) Knowing what to do should processes fail is equally important.

In a changing world where weather events are proving to be more and more severe, regular evaluation of mitigations can be critical.

In the 2017 incident in the US where extensive flooding impacted a facility storing organic peroxides in refrigerated facilities, one of the findings was that common mode failure caused the failure of the power generation when the generator house was flooded. REF www.csb.gov/arkema-inc-chemical-plant-fire If the more up to date flood maps had been used to evaluate the flooding risk, then the mitigation of the emergency generator could have been more effective.