OSHA requirements are set by statute, standards and regulations. Our interpretation letters explain these requirements and how they apply to particular circumstances, but they cannot create additional employer obligations. This letter constitutes OSHA's interpretation of the requirements discussed. Note that our enforcement guidance may be affected by changes to OSHA rules. Also, from time to time we update our guidance in response to new information. To keep apprised of such developments, you can consult OSHA's website at http://www.osha.gov.

February 1, 2005

Mr. Roygene Harmon
Industrial Consultants
10470 W. Devils Den Road
Winslow, AR 72959

Dear Mr. Harmon:

Thank you for your April 27, 2004, letter to the Occupational Safety and Health Administration (OSHA) regarding the interpretation of the OSHA's Process safety management of highly hazardous chemicals (PSM) rule at 29 CFR 1910.119. This letter constitutes OSHA's interpretation only of the requirements discussed and may not be applicable to any questions not delineated within your original correspondence. We apologize for the delay in our response. Your paraphrased scenario and questions, and our responses are provided below.

Scenario: The PSM rule at 29 CFR 1910.119(e)(3)(vii), states that process hazard analyses (PHA) shall address: "A qualitative evaluation of a range of the possible safety and health effects of failure of controls on employees in the workplace." Although the preamble of this particular provision of the standard states that "This evaluation is for the purpose of guiding decisions and priorities in planning for prevention and control, mitigation, and emergency response," there still seems to be a concern with respect tothe actual documentation that is needed to comply with this particular provision of the PSM standard. The concern is that this requirement is so broad that even though industrial safety management may design what they believe to be an appropriate solution, the facility may still be open to further interpretation by an OSHA compliance officer.

Question 1: What type of format of documentation will satisfy the above referenced rule?

Response 1: As you may know, the provisions contained in the PSM standard are performance-oriented. Thus, employers have flexibility in complying with the requirements of PSM. With respect to complying with the PHA requirements (1910.119(e)), OSHA requires employers to follow the general formats for documentation as they are established in the particular PHA methodology
1 they utilize. OSHA understands that even within a particular PHA methodology (e.g., HAZOP) there may be variations on the specifics of the technique and the means of documentation. In fact, there are many vendor provided PHA programs for some of the PHA methodologies and each has its own format technique and documentation. It is important that through the correct usage of the methodologies required by the standard, employers focus on and achieve the over-arching principals/requirements2 of a PHA which are to identify, evaluate, and control the hazards of the process. Specific to your question related to 1910.119(e)(3)(vii)3, OSHA stated in the PSM preamble4 that the purpose of this requirement is to have PHA teams utilize the information on process hazards it has developed to guide them in decisions and priorities related to planning for the prevention and mitigation of releases of highly hazardous chemicals. The provision at 1910.119(e)(3)(vii) is not the same as OSHA's other PHA "consequence" requirement, 1910.119(e)(3)(iv)5. The standard at 1910.119(e)(3)(iv) requires the PHA team to identify hazardous process situations involving the failure of engineering and administrative controls and to identify the consequences of those failures. The table below describes the relationship and application of the different 1910.119(e)(3) "consequence" standards and how a PHA team must apply them.

 

 

Standard 1910.119(e) What the PHA Team Is Required to Do to Comply with Each Specific 1910.119(e)(3) Standard. The PHA Team Must…
(3)(i) identify each process hazard, deviation(departure from the design intention), etc. (hazard)
(3)(iii) determine the engineering and administrative controls including safeguards (alarms, interlocks, blast-resistant walls, relief valves, etc.) that are related to each particular hazard they identify
(3)(iv) identify hazardous process situations involving the failure of engineering and administrative controls and to identify the consequences of those failures. Also, minor consequences unrelated to the potential release of highly hazardous chemicals from the covered-process are usually not considered.
(3)(vii) use the consequences of failure information developed under 1910.119(e)(3)(iv). This information is used by the team to conduct a qualitative evaluation of the possible safety and health effects related to the failure of the identified controls for each of the identified hazards. The purpose of this evaluation is to assist the PHA team in their decisions for prioritizing the planning for the control of the hazards they have identified (see discussion below and attached Appendix for more information).

 


Note, 1910.119(e)(3) also requires employers to consider: (e)(3)(ii) — the identification of any previous incident which had a likely potential for catastrophic consequences in the workplace; (e)(3)(v) — facility citing siting; and (e)(3)(vi) — human factors.

The attached Appendix is provided as an example of how PHA teams may use the 1910.119(e)(3) "consequence" requirements when conducting PHAs. The Appendix uses the two most commonly used PHA methodologies to give you examples of how the 1910.119(e)(3) "consequence" requirements were applied by a PHA team for a given hazard/deviation that they identified. The PHA worksheets provided indicate how each of the specific 1910.119(e)(3) "consequence" requirements apply to the PHA team's analysis. Additionally, we have provided an example of how the PHA team complied with the performance aspects of 1910.119(e)(3)(vii), to address a qualitative evaluation of a range of possible safety and health effects due to failure of controls. The example given is a typical risk matrix. This example risk matrix is based on a qualitative range of consequences and a qualitative range of frequencies or likelihood that engineering and/or administrative controls may fail. Based on the PHA team's evaluation of consequence and likelihood, the risk matrix is then used to determine the priority at which each identified hazard needs to be addressed.

Appendix D to 1910.119 (a non-mandatory portion of the PSM standard) provides a list of sources that may be consulted by employers in order to assist in compliance with the PSM standard. Item 2 of this appendix, "Guidelines of Hazard Evaluation Procedures
6," provides detailed guidance on the content and format of various process hazard analysis methodologies and discussions on qualitative evaluations. You may seek guidance from this book or from other such sources for an example format that can be used in documenting and conducting qualitative evaluations of the PHA outcomes. For example, to meet "qualitative evaluation" requirement of §1910.119(e)(3)(vii), a matrix-based approach, as outlined in the Tables 7.7, 7.8, and 7.9, and Figure 7.1 of the AICHE book (2nd edition), may be utilized in prioritizing the prevention and mitigation efforts for the hazards identified during the process hazard analysis required under §1910.119(e)(2).

Question 2: What criteria will be used by OSHA enforcement to judge the completeness of §1910.119(e)(3)(vii)?

Response 2: Due to the performance nature of §1910.119(e)(3)(vii), OSHA does not use a specific criteria in judging completeness of this particular provision of the standard. The compliance with this particular provision would be determined, on a case-by-case situation, by OSHA compliance personnel during the course of inspections. OSHA's enforcement of this paragraph will depend on the adequacy of the PHA team's utilization of the information it has developedwith respect to the hazards the team identifies. As discussed in Response 1 (above), the employer is required (through the PHA team) to use information related to the failure of engineering and administrative controls for each of the identified hazards addressed by the PHA team. Using information on the failure of the identified controls, the PHA team is then required to develop and document a qualitative range of possible safety and health effects which are related to the failure of the identified controls and their corresponding hazard. If the PHA identifies the hazard and its associated controls, and the PHA adequately addresses failure of those controls, then if the PHA team has not adequately evaluated (qualitative) and documented the range of safety and health effects due to failure of the identified controls, the employer would not be in-compliance with 1910.119(e)(3)(vii).

Thank you for your interest in occupational safety and health. OSHA requirements are set by statue, standards, and regulations. Our interpretation letters explain these requirements and how they apply to particular circumstances, but they cannot create additional employer obligations. This letter constitutesOSHA's interpretation of the requirements discussed. Note that our enforcement guidance may be affected by changes to OSHA rules. Also, from time to time we update our guidance in response to new information. To keep apprised of such developments, you can consult OSHA's website at
http://www.osha.gov. If you have any further questions, please feel free to contact the Office of General Industry Enforcement at (202) 693-1850.

Sincerely,


Richard E. Fairfax, Director
Directorate of Enforcement Programs

[Corrected on 11/11/2005]

Attachment

 

 

 

 


1 110.119(e)(2) — "The employermshall use one or more of the following methodologies that are appropriate to determine and evaluate the hazards of the process being analyzed." [ back to text ]

 

 

 

 


21910.119(e)(1) — "The employer shall perform an initial process hazard analysis (hazard evaluation) on processes covered by this standard. The process hazard analysis shall be appropriate to the complexity of theprocess and shall identify, evaluate, and control the hazards involved in the process...." [ back to text ]

 

 

 

 


3 1910.119(e)(3)(vii) — "A qualitative evaluation of a range of the possible safety and health effects of failure of controls on employees in the workplace.". [ back to text ]

 

 

 

 


4 OSHA PSM Preamble [36 FR 6377], "...final paragraph (e)(3)(vii) and requires a qualitative evaluation of the possible safety and health effects of failure of engineering and administrative controls on employees in the workplace. This evaluation is for the purpose of guiding decisions and priorities in planning for prevention and control, mitigation and emergency response. [ back to text ]

 

 

 

 


5 1910.119(e)(3)(iv) — "Consequences of failure of engineering and administrative controls.. [ back to text ]

 

 

 

 


6 Guidelines of Hazard Evaluation Procedures, "published by the American Institute of Chemical Engineers (AICHE), 345 East 47th Street, New York, NY 10017, 1st edition published in 1985, 2nd edition published in 1992. [ back to text ]

 

 

 

 


 

 

Appendix

 

Example Application of 1910.119(c)(3)(vii)
[This Appendix is also available as a 136Kb PDF file]


Below are excerpts from two different PHA methodologies [What-If Checklist (Figure 1) and HAZOP (Figure 2)]. Each PHA excerpt identifies one hazard/deviation as well as its corresponding engineering and administrative controls; safeguards; recommendation/actions; and a quantitative description of consequence, likelihood, and the risk priority for the identified hazard. An example (e.g., Ž) of the application of the specific OSHA 1910.119(e)(3) "consequence" requirements are identified on the example PHA worksheets. After the PHA worksheet examples, other examples are provided to illustrate how some employers utilize a risk matrix to comply with the "qualitative evaluation" requirement (1910.119(e)(3)(vii)). As noted earlier, PSM is performance standard, and these examples may or may not be applicable to your specific situation.

The following is an example of the development and use of a risk matrix. First, a qualitative description of consequence and likelihood/frequency of the hazard, based on a failure of engineering and/or administrative controls is established. Figure 3 is the Consequence Table; it is a qualitative description of the range of degrees of consequences related to the identified hazard and its associated failure of controls. These consequences range from 1-4, with 4 being the most severe Consequence Class. Figure 4 is the Likelihood Table;it is a qualitative description of the range of likelihood/frequency that an identified engineering or administrative control might fail. The likelihood ranges from 1-4, with 4 being the most likely to fail.

Using the Consequence and Likelihood Class numbers, a Risk Priority Matrix (Figure 5) can be constructed. The Risk Priority Matrix is used to identify the Risk Class. Once the Risk Class (e.g., C) is determined from the Risk Priority Matrix, the Risk Class can be correlated to the Risk Priority Legend (Figure 6) which prioritizes the hazard as identified by the PHA team. In this case, the PHA team enters the evaluated Consequence Class, Likelihood Class, and Risk Class on the PHA worksheets, Figures 1and 2.

In the following example, PHA worksheets the abbreviations and symbols mean:

C = Consequences Class
L = Likelihood Class
R = Risk Priority Class

 

 

 

Π1910.119(e)(3)(i): address the hazards of the process.
 1910.119(e)(3)(iii): address engineering and administrative controls applicable to the hazards...
Ž 1910.119(e)(3)(iv): address consequence of failure of engineering and administrative controls.
 1910.119(e)(3)(vii): address a qualitative evaluation of a range of possible safety and health effects of failure of controls...

 

 

 

 

Figure 1 — Example Worksheet Excerpt from What If/Checklist PHA Methodology

 

 

C = Consequence Class, L = Likelihood Class, R = Risk Class
What If... Consequences/
Hazard
Safeguards C L R Recommendations/
Action
Emergency Shutdown Valve 23 (ESD-23) fails to close when needed? (This can occur due to extremely cold weather, reliability due to inspection/ testing/maintenance or design problems.)
 
Œ Ž
Release of highly flammable materials in the operating area. Potential for fire/explosion with employee injuries/fatalities.
 
Œ Ž
1. Specific Inspection/testing/ maintenance program for ESDs.

2. Valve actuator sizing.

3. ESD-23 is fail closed design.
 

4


2


B


1. Due to cold weather modify MI procedures to increase ESD valve testing to 1/2wks.

2. Inspection records for ESD-23 not in file, follow-up to assure ESD-23 inspected as required by MI procedures.

3. No equipment data sheet was found for actuator for ESD-23, follow-up with engineering to assure design is correct.

4. Consider over sizing valve actuator.

 

 

Figure 2 — Example Excerpt from HAZOP PHA Methodology

 

 

C = Consequence Class, L = Likelihood Class, R = Risk Class
Deviation Causes Consequences Safeguards Recommendations/
Actions
C L R
Loss of Agitation.
 
Œ
Agitator motor fails.

Electrical utility lost.

Agitator mechanical linkage fails.

Operator fails to activate agitator.
 
Œ 
Unreacted HHC in the reactor carried over to Storage Tank 3 (ST-3) and is released to the enclosed work area. Probable injuries or fatalities to workers due to highly acute toxic material hazard.
 
Ž
HHC detector and alarm.
 

  1. Consider adding alarm/shutdown of the system for loss of agitation to the reactor.
     
  2. Ensure adequate ventilation exists for enclosed work area and/or use an enclosed ST-3.
     
  3. Update PSI file and Op. Procedure HHC-39 to include consequence of deviation, engineering controls including safety system information, e.g., SIS and emergency ventilation.
4
 

2
 

B
 


 

 

Figure 3 — Consequence Table

 

 

Consequence Class Qualitative Employee Safety Consequence Criteria
1 No employee injuries
2 One Loss Time Injury or Illness
3 Multiple Lost Time Injuries or Illnesses
4 Multiple Lost Time Injuries or Illnesses w/one or more fatalities

 

 

Figure 4 — Likelihood Table

 

 

Likelihood Class Qualitative Likelihood Criteria
1 Not expected to occur during the lifetime of the process. Examples — Simultaneous failures of two or more independent instrument or mechanical systems
2 Expected to occur only a few times during the life of the process. Examples — Rupture of product piping, trained employees w/procedures injured during LOTO operation
3 Expected to occur several times during the life of the process. Examples — hose rupture, pipe leaks, pump seal failure
4 Expected to occur yearly. Examples — instrument component failures, valve failure, human error, hose leaks

 

 

Figure 5 — Example Risk Priority Matrix

 

 

Consenquences (up arrow to indicate increasing in value on a Y-Axis) 4 C B A A
3 C B B A
2 D C B B
1 D D C C
  1 2 3 4
Likelihood Right arrow indicating increasing value on an X-axis

 

 

Figure 6 — Example Risk Priority Legend

 

 

Risk Class Explanation of Risk
A Risk intolerable — needs to be mitigated within 2 weeks to at least a Class C, if that cannot be accomplished, process needs to be shutdown
B Risk undesirable — needs to be mitigated within 6 months to at least a Class C
C Risk tolerable with controls (engineering and administrative)
D Risk acceptable — no further action required