Introduction to Auditing

ELEMENT OVERVIEW

Critical evaluation of the RBPS management system is one of four elements in the RBPS pillar of learning from experience. This chapter covers formal methods for performing periodic RBPS management system audits, which should reduce risk by proactively identifying and correcting weaknesses in management system design and implementation. Section 21.2 describes the key principles and essential features of a management system for this element. Section 21.3 lists work activities that support these essential features, and presents a range of approaches that might be appropriate for each work activity, depending on perceived risk, resources, and organizational culture. Sections 21.4 through 21.6 include (1) ideas for improving the effectiveness of management systems and specific programs that support this element, (2) metrics that could be used to monitor this element, and (3) issues that may be appropriate for management review.

What Is It?

The audits element is intended to evaluate whether management systems are performing as intended. It complements other RBPS control and monitoring activities in elements such as management review (Chapter 22), metrics (Chapter 20), and inspection work activities that are part of the asset integrity and conduct of operations elements (Chapters 12 and 17). The audits element comprises a system for scheduling, staffing, effectively performing, and documenting periodic evaluations of all RBPS elements, as well as providing systems for managing the resolution of findings and corrective actions generated by the audits.

The following terms, as used in these Guidelines, have these meanings:

An audit is a systematic, independent review to verify conformance with prescribed standards of care. It employs a well-defined review process to ensure consistency and to allow the auditor to reach defensible conclusions.

An RBPS management system audit is the systematic review of RBPS management systems and is used to verify the suitability of these systems and their effective, consistent implementation.

Standards of care are established guidelines, standards, or regulatory requirements against which an audit is conducted. Standards of care also typically include the self-imposed requirements of the organization being audited.

A finding is a conclusion reached by an auditor based upon data collected and analyzed during the audit. While findings could be either positive or negative, the usage here will be consistent with that adopted by most organizations; in other words, findings will indicate a deficiency in the construction or implementation of an RBPS element based on the requirements established by the standard(s) of care.

An observation is a conclusion reached by the auditor that is not directly related to compliance with the standard of care. Some organizations use the term observation to cite good programs, procedures, or practices identified during the audit. Other organizations use the term to indicate conclusions that, while the requirements established by the standard(s) of care have been met, opportunities remain for improving the construction or implementation of an RBPS element. The latter context is used in these Guidelines.

A recommendation is a proposed remedial activity intended to correct a deficiency that resulted in a finding.

Why Is It Important?

The audits element evaluates RBPS management systems to ensure that they are in place and functioning in a manner that protects employees, customers, communities, the environment, and physical assets against process safety risks. Audits are important control mechanisms within the overall management of process safety. In addition, audits can provide other benefits such as the identification of opportunities for improved operability, increased safety awareness, and greater confidence regarding compliance with regulatory requirements.

Where/When Is It Done?

Audits are conducted throughout the development and implementation of the RBPS management system. The nature and frequency of the audits will be governed by factors such as the current life cycle stage of the facility, the maturity (degree of implementation) of the RBPS management system, past experience (e.g., prior safety performance and audit results), and applicable facility, corporate, legal, regulatory, or code requirements. The audits element applies during all life cycle stages, but primarily focuses on operating facilities. The audits should be performed where access to process safety management records and subject matter experts is most convenient. Depending on the life cycle stage, that might be the pilot plant, the engineering offices, or the facility. While they can be scheduled on an as-needed basis, audits of a particular RBPS management system are typically conducted at some predetermined interval; for example, frequencies ranging from once per year to once every three years are common.

Who Does It?

Audits can be conducted by qualified personnel selected from a variety of sources, depending upon the scope, needs, and other aspects of the specific situation. Audits are typically conducted by teams. Team members might be selected from staff at the facility being audited, from other company locations (e.g., from another operating facility or from corporate staff functions), or from outside the company, for example, a consulting firm.

What Is the Anticipated Work Product?

The short-term product of the audits element is a review of the implementation of one or more RBPS elements against identified standards of care, addressing the manner, degree, quality, and effectiveness of the implementation. A report of observations, findings, and recommendations for any needed improvements is typically prepared to document the results of an audit. Longer-term results include the implementation of the remedial activities necessary to address the findings of the audit, the consequent enhancement in the effectiveness of the management system for other RBPS elements, and the resultant improvements in process safety performance. 

How Is It Done?

An audit involves a methodical, typically team-based, assessment of the implementation status of one or more RBPS elements against established requirements, normally directed by the use of a written protocol. The audits effort will be primarily focused on operating facilities; however, companies may choose to augment the audit function with information generated by other processes. This information may have been obtained during different life cycle stages, such as research and development or design; during other, related functions, such as vessel fabrication or inspection; or at such non-operational locations as a company corporate office or supplier. This additional information can greatly increase the effectiveness of the audit by taking advantage of the full range of systematic, independent evaluation processes within an organization, minimizing the duplication of effort. Data are gathered through the review of program documentation and implementation records, direct observations of conditions and activities, and interviews with individuals having responsibilities for implementation or oversight of the element(s) or who might be affected by the RBPS management system. The data are analyzed to assess compliance with requirements, and the conclusions are documented in a written report. Recommendations for addressing any performance gaps identified by the audit are proposed, responsibilities and schedules for addressing the recommendations are assigned, and recommendations are tracked to their resolution. The report and documentation of the resolution of the recommendations are maintained as required to meet programmatic needs and any regulatory requirements. Audit results should be trended over time to determine whether or not RBPS performance is improving, with program adjustments made as necessary.