Six key areas of organisational culture are essential to prevent catastrophic incidents like the Texas City refinery explosion and loss of the space shuttle Columbia. By Scott Berger

Process safety is a disciplined framework for managing the integrity of operating systems and processes that handle hazardous materials by applying good design principles, engineering and operating practices. It deals with the prevention and control of incidents that have the potential to release hazardous materials and energy. These incidents can cause toxic release, fire or explosion, and they could ultimately result in deaths and injuries, property damage, lost production and environmental damage.

In the decades before the 1970s, process safety tended to be a matter of rules. When an incident occurred, it was because someone did not follow the rules. Incidents tended to be attributed to operator error. This changed in the 1970s, when it began to be realised that humans, like everything else, have an inherent rate of failure, in their case in the range of one error per 100 operations. Failure rate improves somewhat with training, but degrades dramatically during emergencies.

This led to the emergence of safety by means of engineering and design, to counter the effects of human error. For example, an operator could not overcharge a reactor if the size of the feed tank was limited to the maximum charge and the feed line diameter was restricted to permit no more than the maximum flow rate. When incidents occurred, operator error was, of course, involved, but the root cause was design error.

This approach, too, was insufficient, because components can fail, systems can be over-ridden and humans can make engineering errors. This led to a management systems approach in the 1990s, which locked process safety into a defined set of objectives and tasks, with sufficient checks and balances to ensure that workers, management and the process all lined up to ensure a reliable operation. When incidents occurred, operator error and engineering error were, of course, involved, but the root cause was management failure.

Nowhere was the safety management system stronger than at NASA. Not long before the final launch of the space shuttle Columbia, I had the opportunity to tour the Kennedy Space Center with members of the technical steering committee of the Center for Chemical Process Safety (CCPS). During our tour, we observed firsthand the loading of hypergolic thruster fuels, and we were impressed by the detailed management systems as well as the operational design and level of training.

So why, with highly trained workers, the best engineering available and excellent management systems, did the Columbia disintegrate in space on 1 February 2003?

The Columbia accident investigation board identified a mostly unsurprising list of causes, including the damage to thermal tiles caused by a foam strike, but it also said this:

"In our view, the NASA organisational culture had as much to do with this accident as the foam." 1

The implication of this statement was that even the best training, the best engineering and the best management system can be undermined when the culture works against you.

Culture problems are not limited to NASA. On 23 March 2005, a massive explosion at BP's Texas City refinery resulted in 15 deaths and more than 170 injuries, one of the most serious US workplace disasters of the past two decades. Incident investigation reports published by BP internal investigators and by the US Chemical Safety and Hazard Investigation Board (CSB) identified many factors contributing to the incident. However, the CSB incident investigators found culture issues at the forefront of the causes:

"(BP Senior Executives) did not provide effective safety culture leadership and oversight to prevent catastrophic accidents" 2

In 2005, a CCPS subcommittee studied the Columbia accident investigation report looking for parallels to other incidents in the chemical and petroleum industries. The subcommittee identified six key areas of culture essential to prevent catastrophic incidents:

1 Maintain sense of vulnerability

2 Combat normalisation of deviance

3 Establish an imperative for safety

4 Perform valid and timely hazard and risk assessments

5 Ensure open and frank communications

6 Learn and advance the culture

We will investigate these individually.

* Maintain a sense of vulnerability

Catastrophic accidents involving hazardous materials or activities are uncommon. Memory of the last major accident tends to fade, and management and workers may come to believe that process safety is no longer an issue. A false sense of security can lead to decreased operating discipline, which can dull management system effectiveness, and lapses in critical prevention systems can result. Everyone in the organisation should remain fully aware of what could happen if process safety systems are allowed to lapse.

* Combat the normalisation of deviance

When operations are consciously or unintentionally allowed to go outside of established engineering or operational constraints without negative consequences, workers and management alike begin to develop an organisational mindset that permits repeating the action and even straying further outside constraints. Such violations are increasingly likely to lead to a serious accident. Everyone in the organisation should keep a watchful eye on creeping change, which could slowly erode process safety systems.

* Establish an imperative for safety

Safety should be a necessary condition for operation. It is not the responsibility of safety professionals to prove that a plant is unsafe to run and they should have absolute authority to stop operations to address a critical safety problem. Likewise, it is the plant's responsibility to prove that it can operate safely, and if the plant cannot do so, it should not operate. Management must show visible support for safety, not only through its words but also its actions, including priority setting, openness and responsiveness to feedback, and resolution of critical issues.

* Perform valid and timely hazard and risk assessments

Perfunctory assessments of potential hazards lead to flawed design and operating decisions. Likewise, last-minute assessments tend to delay implementation and pressure project teams to take shortcuts in resolving critical problems. Hazard and risk assessments should be done at the appropriate level of depth and early enough in the project that addressing them can be done as part of routine design and implementation decisions. Timely and thorough hazard and risk assessments can also help identify means to make the process less expensive and more reliable.

* Ensure open and frank communications

Bad news filters, an emphasis on chain-of-command communications, and silo mentalities can stifle the exchange of safety-critical information. Information must effectively flow both up and down the organisation and laterally between functional groups.

* Learn and advance the culture

We must be open to learning from our mistakes (and those of others) and to making the necessary corrections - or we will repeat those mistakes.

The path forward

While it is not feasible to provide an explicit road map here, there are some basic steps that you should consider to address the safety culture issues within your organisation.

* Create awareness. Discuss case histories at all levels of the organisation and compare these case histories to your company's current operation to help identify the more obvious issues and set the stage for further, more detailed evaluations of your process safety culture.

* Identify a champion. While every member of the organisation should be a supporter of a sound process safety culture, your organisation may require a champion if the scope of the cultural transformation is large. Perhaps that is you. Whoever fulfils this role must understand the dynamics of safety cultures and the process for, and obstacles to, implementing cultural change.

* Perform a gap analysis. Learn and evaluate how your culture is performing. Identify where the gaps are and prioritise a risk-based response to closing these gaps. This is simple to state and difficult to do. However, there are likely to be some readily apparent first steps that could be taken to start the process.

* Be a steward of cultural change. When we talk of managing culture, it is important that we recognise that leadership cannot change values and beliefs through edict; they can only inspire, enable and nurture cultural change. Acceptable behaviours must be modeled at all levels of the organisation. Values must be communicated and reinforced frequently.

* Keep the organisation focused. Many organisations have already established sound safety cultures. Not uncommonly, these cultures have been developed in response to, and are reinforced by frequent reference to, significant loss events in the company's past. Those organisations fortunate enough not to have experienced such a seminal event may find it helpful to draw upon the experience of others in their, or similar, industries. Many case studies are available to the public at the site of the US Chemical Safety and Hazard Investigation Board (www.csb.gov).

Of course, instilling and maintaining a strong process safety culture is important, but not sufficient. In addition, a comprehensive process safety management system is needed to tie culture together with all other aspects of process safety. The CCPS recommends the approach published in Guidelines for Risk Based Process Safety (2007), a 20-element management system that provides the framework to apply the right amount of effort appropriate to the risk of the process. CCPS' Guidelines for Risk Based Process Safety are organised in four groups of elements, linked to the four steps of quality:

* Commit to process safety (Plan)

* Understand hazards and evaluate risk (Do)

* Manage risk (Study)

* Learn from experience (Act)

The 20 elements and their explanations are described in Table 1.

Putting it all together

It should be clear that process safety is not simply a matter of rules, engineering, management or culture, but the thorough integration of all four. If we hope to prevent future recurrences of Columbia, Texas City and other catastrophic losses, we must all work hard to establish within operating companies cultures that are ever attuned to potential process hazards, implement and maintain strong management systems to ensure the right things are done at the right times and in the right way, ensure that the best available engineering is applied in development and design, and ensure that sensible rules are established and enforced. NASA and BP may survive their tragic losses, but many companies do not have their depth of resources. Most of the industry simply cannot afford the consequences; we must succeed in this endeavour.