February 1, 2005

Mr. Roygene Harmon

Industrial Consultants
10470 W. Devils Den Road
Winslow, AR 72959

Dear Mr. Harmon:

Thank you for your April 27, 2004, letter to the Occupational Safety and Health Administration
(OSHA) regarding the interpretation of the OSHA's Process safety management of highly
hazardous chemicals (PSM) rule at 29 CFR 1910.119. This letter constitutes OSHA's
interpretation only of the requirements discussed and may not be applicable to any questions not
delineated within your original correspondence. We apologize for the delay in our response.
Your paraphrased scenario and questions, and our responses are provided below.

Scenario: The PSM rule at 29 CFR 1910.119(e)(3)(vii), states that process hazard analyses
(PHA) shall address: "A qualitative evaluation of a range of the possible safety and health effects
of failure of controls on employees in the workplace." Although the preamble of this particular
provision of the standard states that "This evaluation is for the purpose of guiding decisions and
priorities in planning for prevention and control, mitigation, and emergency response," there still
seems to be a concern with respect tothe actual documentation that is needed to comply with this
particular provision of the PSM standard. The concern is that this requirement is so broad that
even though industrial safety management may design what they believe to be an appropriate
solution, the facility may still be open to further interpretation by an OSHA compliance officer.

Question 1: What type of format of documentation will satisfy the above referenced rule?

Response 1: As you may know, the provisions contained in the PSM standard are performance-
oriented. Thus, employers have flexibility in complying with the requirements of PSM. With
respect to complying with the PHA requirements (1910.119(e)), OSHA requires employers to
follow the general formats for documentation as they are established in the particular PHA
methodology they utilize. OSHA understands that even within a particular PHA methodology
(e.g., HAZOP) there may be variations on the specifics of the technique and the means of
documentation. In fact, there are many vendor provided PHA programs for some of the PHA
methodologies and each has its own format technique and documentation. It is important that
through the correct usage of the methodologies required by the standard, employers focus on and
achieve the over-arching principals/requirements of a PHA which are to identify, evaluate, and
control the hazards of the process. Specific to your question related to 1910.119(e)(3)(vii),
OSHA stated in the PSM preamble that the purpose of this requirement is to have PHA teams
utilize the information on process hazards it has developed to guide them in decisions and
priorities related to planning for the prevention and mitigation of releases of highly hazardous
chemicals. The provision at 1910.119(e)(3)(vii) is not the same as OSHA's other PHA
"consequence" requirement, 1910.119(e)(3)(iv). The standard at 1910.119(e)(3)(iv) requires the
PHA team to identify hazardous process situations involving the failure of engineering and
administrative controls and to identify the consequences of those failures. The table below

499
describes the relationship and application of the different 1910.119(e)(3) "consequence"
standards and how a PHA team must apply them.

Standard 1910.119(e) What the PHA Team Is Required to Do to Comply with Each
Specific 1910.119(e)(3) Standard. The PHA Team Must…
(3)(i) identify each process hazard, deviation(departure from the design
intention), etc. (hazard)
(3)(iii) determine the engineering and administrative controls including
safeguards (alarms, interlocks, blast-resistant walls, relief valves,
etc.) that are related to each particular hazard they identify
(3)(iv) identify hazardous process situations involving the failure of
engineering and administrative controls and to identify the
consequences of those failures. Also, minor consequences unrelated
to the potential release of highly hazardous chemicals from the
covered-process are usually not considered.
(3)(vii) use the consequences of failure information developed under
1910.119(e)(3)(iv). This information is used by the team to conduct
a qualitative evaluation of the possible safety and health effects
related to the failure of the identified controls for each of the
identified hazards. The purpose of this evaluation is to assist the
PHA team in their decisions for prioritizing the planning for the
control of the hazards they have identified (see discussion below
and attached Appendix for more information).

Note, 1910.119(e)(3) also requires employers to consider: (e)(3)(ii) — the identification of any
previous incident which had a likely potential for catastrophic consequences in the workplace;
(e)(3)(v) — facility citing siting; and (e)(3)(vi) — human factors.

The attached Appendix is provided as an example of how PHA teams may use the
1910.119(e)(3) "consequence" requirements when conducting PHAs. The Appendix uses the two
most commonly used PHA methodologies to give you examples of how the 1910.119(e)(3)
"consequence" requirements were applied by a PHA team for a given hazard/deviation that they
identified. The PHA worksheets provided indicate how each of the specific 1910.119(e)(3)
"consequence" requirements apply to the PHA team's analysis. Additionally, we have provided
an example of how the PHA team complied with the performance aspects of 1910.119(e)(3)(vii),
to address a qualitative evaluation of a range of possible safety and health effects due to failure
of controls. The example given is a typical risk matrix. This example risk matrix is based on a
qualitative range of consequences and a qualitative range of frequencies or likelihood that
engineering and/or administrative controls may fail. Based on the PHA team's evaluation of
consequence and likelihood, the risk matrix is then used to determine the priority at which each
identified hazard needs to be addressed.

Appendix D to 1910.119 (a non-mandatory portion of the PSM standard) provides a list of

sources that may be consulted by employers in order to assist in compliance with the PSM

500
standard. Item 2 of this appendix, "Guidelines of Hazard Evaluation Procedures," provides
detailed guidance on the content and format of various process hazard analysis methodologies
and discussions on qualitative evaluations. You may seek guidance from this book or from other
such sources for an example format that can be used in documenting and conducting qualitative
evaluations of the PHA outcomes. For example, to meet "qualitative evaluation" requirement of
§1910.119(e)(3)(vii), a matrix-based approach, as outlined in the Tables 7.7, 7.8, and 7.9, and
Figure 7.1 of the AICHE book (2nd edition), may be utilized in prioritizing the prevention and
mitigation efforts for the hazards identified during the process hazard analysis required under
§1910.119(e)(2).

Question 2: What criteria will be used by OSHA enforcement to judge the completeness of
§1910.119(e)(3)(vii)?

Response 2: Due to the performance nature of §1910.119(e)(3)(vii), OSHA does not use a
specific criteria in judging completeness of this particular provision of the standard. The
compliance with this particular provision would be determined, on a case-by-case situation, by
OSHA compliance personnel during the course of inspections. OSHA's enforcement of this
paragraph will depend on the adequacy of the PHA team's utilization of the information it has
developedwith respect to the hazards the team identifies. As discussed in Response 1 (above), the
employer is required (through the PHA team) to use information related to the failure of
engineering and administrative controls for each of the identified hazards addressed by the PHA
team. Using information on the failure of the identified controls, the PHA team is then required
to develop and document a qualitative range of possible safety and health effects which are
related to the failure of the identified controls and their corresponding hazard. If the PHA
identifies the hazard and its associated controls, and the PHA adequately addresses failure of
those controls, then if the PHA team has not adequately evaluated (qualitative) and documented
the range of safety and health effects due to failure of the identified controls, the employer would
not be in-compliance with 1910.119(e)(3)(vii).

Thank you for your interest in occupational safety and health. OSHA requirements are set by
statue, standards, and regulations. Our interpretation letters explain these requirements and how
they apply to particular circumstances, but they cannot create additional employer obligations.
This letter constitutesOSHA's interpretation of the requirements discussed. Note that our
enforcement guidance may be affected by changes to OSHA rules. Also, from time to time we
update our guidance in response to new information. To keep apprised of such developments,
you can consult OSHA's website at http://www.osha.gov. If you have any further questions,
please feel free to contact the Office of General Industry Enforcement at (202) 693-1850.

Sincerely,

Richard E. Fairfax, Director

Directorate of Enforcement Programs

[Corrected on 11/11/2005]

501
Attachment

1
110.119(e)(2) — "The employermshall use one or more of the following methodologies that are
appropriate to determine and evaluate the hazards of the process being analyzed." [ back to text ]

2
1910.119(e)(1) — "The employer shall perform an initial process hazard analysis (hazard
evaluation) on processes covered by this standard. The process hazard analysis shall be
appropriate to the complexity of theprocess and shall identify, evaluate, and control the hazards
involved in the process...." [ back to text ]

3
1910.119(e)(3)(vii) — "A qualitative evaluation of a range of the possible safety and health
effects of failure of controls on employees in the workplace.". [ back to text ]

4
OSHA PSM Preamble [36 FR 6377], "...final paragraph (e)(3)(vii) and requires a qualitative
evaluation of the possible safety and health effects of failure of engineering and administrative
controls on employees in the workplace. This evaluation is for the purpose of guiding decisions
and priorities in planning for prevention and control, mitigation and emergency response. [ back
to text ]

5
1910.119(e)(3)(iv) — "Consequences of failure of engineering and administrative controls.. [
back to text ]

6
Guidelines of Hazard Evaluation Procedures, "published by the American Institute of Chemical
Engineers (AICHE), 345 East 47th Street, New York, NY 10017, 1st edition published in 1985,
2nd edition published in 1992. [ back to text ]

Appendix

Example Application of 1910.119(c)(3)(vii)

[This Appendix is also available as a 136Kb PDF file]

Below are excerpts from two different PHA methodologies [What-If Checklist (Figure 1) and
HAZOP (Figure 2)]. Each PHA excerpt identifies one hazard/deviation as well as its

502
corresponding engineering and administrative controls; safeguards; recommendation/actions; and
a quantitative description of consequence, likelihood, and the risk priority for the identified
hazard. An example (e.g., Ž) of the application of the specific OSHA 1910.119(e)(3)
"consequence" requirements are identified on the example PHA worksheets. After the PHA
worksheet examples, other examples are provided to illustrate how some employers utilize a risk
matrix to comply with the "qualitative evaluation" requirement (1910.119(e)(3)(vii)). As noted
earlier, PSM is performance standard, and these examples may or may not be applicable to your
specific situation.

The following is an example of the development and use of a risk matrix. First, a qualitative
description of consequence and likelihood/frequency of the hazard, based on a failure of
engineering and/or administrative controls is established. Figure 3 is the Consequence Table; it is
a qualitative description of the range of degrees of consequences related to the identified hazard
and its associated failure of controls. These consequences range from 1-4, with 4 being the most
severe Consequence Class. Figure 4 is the Likelihood Table;it is a qualitative description of the
range of likelihood/frequency that an identified engineering or administrative control might fail.
The likelihood ranges from 1-4, with 4 being the most likely to fail.

Using the Consequence and Likelihood Class numbers, a Risk Priority Matrix (Figure 5) can be
constructed. The Risk Priority Matrix is used to identify the Risk Class. Once the Risk Class
(e.g., C) is determined from the Risk Priority Matrix, the Risk Class can be correlated to the Risk
Priority Legend (Figure 6) which prioritizes the hazard as identified by the PHA team. In this
case, the PHA team enters the evaluated Consequence Class, Likelihood Class, and Risk Class
on the PHA worksheets, Figures 1and 2.

In the following example, PHA worksheets the abbreviations and symbols mean:

C = Consequences Class
L = Likelihood Class
R = Risk Priority Class

Π1910.119(e)(3)(i): address the hazards of the process.

1910.119(e)(3)(iii): address engineering and administrative controls applicable to the
hazards...
Ž 1910.119(e)(3)(iv): address consequence of failure of engineering and administrative controls.
1910.119(e)(3)(vii): address a qualitative evaluation of a range of possible safety and health
effects of failure of controls...

Figure 1 — Example Worksheet Excerpt from What If/Checklist PHA Methodology

C = Consequence Class, L = Likelihood Class, R = Risk Class
What If... Consequences/ Safeguards C L R Recommendations/
Hazard Action
Emergency Shutdown Release of highly 1. Specific 4 2 B 1. Due to cold weather
Valve 23 (ESD-23) flammable Inspection/testing/ modify MI procedures

503
fails to close when materials in the maintenance to increase ESD valve
needed? (This can operating area. program for ESDs. testing to 1/2wks.
occur due to extremely Potential for
cold weather, reliability fire/explosion with 2. Valve actuator 2. Inspection records
due to inspection/ employee sizing. for ESD-23 not in file,
testing/maintenance or injuries/fatalities. follow-up to assure
design problems.) 3. ESD-23 is fail ESD-23 inspected as
ŒŽ closed design. required by MI
ŒŽ procedures.

3. No equipment data
sheet was found for
actuator for ESD-23,
follow-up with
engineering to assure
design is correct.

4. Consider over
sizing valve actuator.

Figure 2 — Example Excerpt from HAZOP PHA Methodology

C = Consequence Class, L = Likelihood Class, R = Risk Class
Deviation Causes Consequences Safeguards Recommendations/ C L R
Actions
Loss of Agitator Unreacted HHC in the HHC 1. Consider adding 4 2 B
Agitation. motor fails. reactor carried over to detector and alarm/shutdown of the
Storage Tank 3 (ST-3) alarm. system for loss of
ΠElectrical and is released to the agitation to the reactor.
utility lost. enclosed work area.
Probable injuries or
Agitator fatalities to workers 2. Ensure adequate
mechanical due to highly acute ventilation exists for
linkage toxic material hazard. enclosed work area
fails. and/or use an enclosed
ST-3.
Ž
Operator
fails to 3. Update PSI file and
activate Op. Procedure HHC-39
agitator. to include consequence
of deviation,
Πengineering controls
including safety system
information, e.g., SIS
and emergency

504
 ventilation.

Figure 3 — Consequence Table

Consequence Class Qualitative Employee Safety Consequence Criteria
1 No employee injuries
2 One Loss Time Injury or Illness
3 Multiple Lost Time Injuries or Illnesses
4 Multiple Lost Time Injuries or Illnesses w/one or more fatalities

Figure 4 — Likelihood Table

Likelihood Class Qualitative Likelihood Criteria
1 Not expected to occur during the lifetime of the process. Examples —
Simultaneous failures of two or more independent instrument or
mechanical systems
2 Expected to occur only a few times during the life of the process.
Examples — Rupture of product piping, trained employees
w/procedures injured during LOTO operation
3 Expected to occur several times during the life of the process. Examples
— hose rupture, pipe leaks, pump seal failure
4 Expected to occur yearly. Examples — instrument component failures,
valve failure, human error, hose leaks

Figure 5 — Example Risk Priority Matrix

4 C B A A
3 C B B A
2 D C B B
1 D D C C
1 2 3 4

Likelihood

Figure 6 — Example Risk Priority Legend

Risk Class Explanation of Risk
A Risk intolerable — needs to be mitigated within 2 weeks to at least a Class C,
if that cannot be accomplished, process needs to be shutdown

505
B Risk undesirable — needs to be mitigated within 6 months to at least a Class
C
C Risk tolerable with controls (engineering and administrative)
D Risk acceptable — no further action required

506