CHEMICAL ENGINEERING TRANSACTIONS
VOL. 77, 2019
A publication of The Italian Association of Chemical Engineering
Online at www.cetjournal.it
Guest Editors: Genserik Reniers, Bruno Fabiano
Copyright © 2019, AIDIC Servizi S.r.l.
ISBN 978-88-95608-74-7; ISSN 2283-9216
DOI: 10.3303/CET1977066

Paper Received: 3 February 2019; Revised: 13 May 2019; Accepted: 7 July 2019
Please cite this article as: Murphy P., Wilkinson P., 2019, Implementing Critical Control Management in a Mature Processing Plant, Chemical Engineering Transactions, 77, 391-396 DOI:10.3303/CET1977066

Implementing Critical Control Management in a Mature Processing Plant

Peter J. Murphy (a), Peter Wilkinson (b,*)

(a) Noetic Group, 1500 L Street NW, Suite 525, Washington D.C., U.S.A.
(b) Noetic Group, Level 2, Equinox 3, 70 Kent Street, Deakin, A.C.T., Australia.
peter.wilkinson@noeticgroup.com

This paper describes how Process Safety Management (PSM) was improved at a mature asset following a significant process safety event. An unconventional approach was adopted to enable rapid improvements, drawing on the “Critical Control Approach” documented in Energy Safety Canada’s A Barrier Focused Approach (similar to the International Council on Mining and Metals (ICMM) publication, Critical Control Management; Implementation Guide) as well as high reliability organisational (HRO) principles. The successful approach owes its intellectual origins to the concept of Safety Critical Elements (SCEs) first enunciated by the UK Health and Safety Executive following the Piper Alpha disaster. The history of the critical control approach is briefly discussed, along with how the original SCE idea has been enhanced. In particular, the paper will describe how the critical controls (or barriers) have been made more “visible” to those charged with implementing and managing them. The paper will describe the successes and difficulties of this approach, including the shift in thinking required on the part of process safety experts as well as changes to organisational structure. The paper will also illustrate how the existing documentation of the critical controls was substantially reduced and rationalised to make the “PSM problem” (as perceived by senior managers) more manageable and sustainable. Finally, the paper will consider the extent to which well-known international PSM frameworks enhance or inhibit the adoption of this approach.

1. Introduction

The prevention of process safety failures through skilful design and consequent minimisation of hazards is well understood (Husin et al., 2017). The challenges for making a significant improvement in an established plant are substantial, as the opportunity to minimise some hazards has passed. This paper describes how Process Safety Management (PSM) was improved at a mature minerals processing plant by applying the Critical Control Approach (CCA), also known as the “barrier focused approach”. It describes how the approach was applied, the difficulties encountered, and the lessons learnt through implementation.

The paper covers the essential elements of the CCA, including aspects which may be regarded as unorthodox. The genesis, development and implementation of the idea are briefly covered. The paper also draws on experience from implementing this approach in a variety of other brownfield facilities in mining and other industries.

2. Background

2.1 What is the problem?

A decade ago the Operations Manager of a listed Australian oil company asked how risk controls for major incidents could be more effectively implemented. His concern was that although significant improvements were made following the Piper Alpha disaster to the Formal Safety Assessments (FSA), and in turn to identifying the controls needed to prevent major incidents, it was not so clear that the implementation of the risk controls had seen an equivalent improvement. Familiar types of incidents were repeated. What should have been well-known controls for well-known risks were apparently not well known, and even where the controls were identified, they were not implemented effectively. Trevor Kletz summarised this in the title of his book Lessons from disaster: How organisations have no memory and accidents recur (Kletz, 1993).

The introduction of the safety case as a regulatory tool led to substantial change and improvement. It removed much of the prescription, permitting needed innovation and forcing companies to think through their hazards, risks and controls, and to develop more formal safety management systems. This was all beneficial. Similarly, Quantitative Risk Assessment (QRA) had limited but important benefits, such as comparing the relative level of risk for different platform concepts at the design stage. But despite the improvements in designs and the quality of the FSAs, an important problem persisted – namely the quality of risk control implementation at the operational level. Something different was needed.

Part of the problem was the volume of paperwork. Safety Management Systems, FSAs and growing numbers of procedures all added to the paperwork. But there was another subtler aspect to the problem. Part of the safety case system was the introduction of Safety Critical Elements (SCEs). SCEs are defined as “… major hazard risk control measures … and the performance required of them” (UK HSE, 2005). This was an important innovation. The concept of SCEs explicitly involves selecting those controls which impact major hazards. However, somehow SCE had become “safety critical equipment”. This had the effect of focusing attention on the engineering aspects.
In practice, even engineering controls such as an Emergency Shut Down Valve are dependent on maintenance practices and skilled people to use the procedures. Furthermore, the performance of SCEs was required to be framed in terms of functionality and reliability (which are engineering reliability terms). This further reinforced the idea that the SCEs were engineering issues. As is known, implementing the controls is more complicated than this. Maintenance-induced error is a well-recognised threat that strengthens the importance of managing controls in a more comprehensive way.

2.2 Developing a solution

With the problem widely understood, practitioners have sought to address it through a variety of means. Certainly the use of robust hazard and risk assessment procedures as the starting point for identifying the controls is widely agreed. The use of bowties, the importance of identifying and promulgating the accountabilities (usually by job title) for controls, and lead and lag indicators for measuring control systems are all part of the solution. However, this is the easiest part of the process. Experience (through ongoing incidents) shows that it is control implementation that is the most difficult. So, while the HAZOP process can be challenging, the challenge of implementing controls over two or three shifts for the remaining life of a facility is far greater. This challenge is exacerbated by externalities such as new owners, low commodity prices, cost reduction initiatives and staff turnover.

A solution that incorporated good practice and overcame these challenges was required. The solution was something simpler, shorter and easier to manage, but still sufficient to manage and measure whether the controls themselves were working and not just the high-level systems (such as the maintenance management system). It had to go to the heart of the matter – which are the most important controls – that is, the critical controls.
Furthermore, how “visible” are these to the workforce, among all the other documents, how well are they working and is this information reported onwards to the most senior managers?

Fortunately, some companies, regulators and people were working on such a solution. These included:
• BHP Billiton’s focus on critical controls in the internal Risk Management System (personal communication to the authors)
• The ideas espoused in the UK Health and Safety Executive (HSE) guidance on Developing Process Safety Indicators (UK HSE, 2006)
• The Barrier Analysis Matrix developed by William R. Corcoran (Stickrod, 2008)

This formative thinking was drawn together by the International Council on Mining and Metals (ICMM). The organisation’s safety committee sought a solution and commissioned work from a respected academic and consultancy. This led to the publication of the Health and Safety Critical Control Good Practice Guide (ICMM, 2015a) and ICMM’s Critical Control Implementation Guide (ICMM, 2015b). This work drew on a wide range of sources and experience. The thinking in these documents was subsequently applied at an existing processing plant.

2.3 The situation

The processing plant, which is owned and operated by a global mining company, was first constructed in the 1950s and had undergone successive expansions, upgrades and redevelopments. It has a range of process hazards that include carbon monoxide, sulphur dioxide and molten metal. A recent, significant PSM incident caused a major disruption, substantial damage and serious injuries but no fatalities. This incident became the catalyst for a review of PSM and for seeing whether the CCA would deliver rapid improvement in process safety.

Prior to the incident the plant was implementing a highly structured and linear approach to improving process safety. Most of the effort was going into hazard identification and risk assessment, and less on making field improvements to controls.
In addition to this considerable effort, process safety specialists were seen to have responsibility for the work and this contributed to the improvement process being marginalised. This was the context for the practical implementation of the CCA to improve process safety at the plant as it sought to restart and significantly improve its process safety performance.

3. What is the Critical Control Approach?

The CCA is a modified version of what is currently and typically done. However, it differs in a number of qualitative but important ways. For example, rigorous hazard identification and risk assessment using appropriate tools and techniques is still required. However, it accepts that risk control improvements can still take place even if the hazard identification and risk assessment are not complete. This is because there are numerous actions which can be taken to improve controls based on experience, data and standards.

The CCA approach accepts that not all controls have equal value. Bowties typically include generic or marginally relevant controls; however, too many controls can make it difficult to manage controls effectively. The method recognises that less can be more (Hoffman and Wilkinson, 2011) and applies a methodology to identify the critical controls. Once these are identified, the essential elements of the critical controls are summarised on a one-page Critical Control Data Sheet (CCDS). The essential elements include the technical aspects of the control, any maintenance requirements, and human and organisation aspects, including accountabilities and how the critical control is checked and reported upon. In this way the technical (or engineering) aspects, the human factors associated with individual skills and their application, and the organisational aspects of monitoring and reporting on the controls are documented and integrated in a succinct document. Finally, the CCA provides guidance on suitable senior management practices to support and drive the CCA.

Figure 1: Illustration of the place of CCA

4. How was the Critical Control Approach implemented?

The CCA was implemented through a structured approach that relied on working with the plant’s PSM implementation team of both line management and PSM experts. This section describes the main steps and observations on the implementation process.

4.1 Is hazard identification and risk control the starting point?

The plant’s high-level PSM guidance document required hazard identification to be the starting point. Had there been ample time, this approach would have been ideal. However, time was limited, as were resources. Hazard identification and risk assessment are important. However, this does not mean that improvements cannot be made in parallel with carrying out Process Hazard Analyses (PHAs). For example, if a company uses methane at 110 bar, a risk assessment is not required to know that a program to manage high pressure flanges is needed. Effective CCA implementation should draw on published data, standards and experience to make improvements that can be done in parallel with the HAZID and risk assessment process. Consequently, the implementation of the CCA would rely on the knowledge and expertise available at the plant as a starting point.

4.2 Controls, Critical Controls and Bowties

The CCA approach explicitly advocates an approach which says that some controls are more important than others. Critical controls are:

    “controls that are crucial to preventing or mitigating the consequences of… [a major incident]. The absence or failure of a critical control will significantly increase the risk of … [a major incident] … occurring, despite the existence of the other controls” (ICMM, 2015b)

For example, a bowtie produced by an upstream oil and gas company had the “top event” as a loss of containment of process fluids including oil and gas under pressure.
One of the controls, in relation to the make-up of joints in the process pipework, was the companywide Job Hazard Analysis (JHA) tool, which was intended to be applied to all tasks before starting work. It was based on the premise that taking five steps back from the job and spending five minutes to think through the work will improve hazard management. When interrogated further, it was found that there was nothing specific in this tool about making up joints. This was a companywide tool which did not need to be on the bowtie and was removed in favour of specific guidance on joint make-up.

There was an interesting discussion with the plant’s process safety team on this approach. Their initial reaction was one of concern when the JHA was removed from the bowtie because of a perception of a reduction in the defence in depth. However, on reflection this was accepted by the team, as the JHA control (which appeared multiple times on the bowtie) was not specific to the risk, made the bowties more complicated than needed and tended to overstate the number of controls in place. There were many other examples of generic controls appearing on bowties which did not materially contribute to hazard management.

4.3 Critical Control Data Sheets

Arguably the most important part of the CCA approach is the concept of the CCDS. In many companies, the transition from the bowtie to field operations is often made in reference to procedures and/or maintenance routines described in the maintenance management system. However, this is one of the weakest areas of the hazard management process due to the volume of information and the difficulty of discerning what really matters in procedures and hence using them in practice in the field. The CCDS is a one-page document which summarises the essential elements of the control and is explicitly intended to make the key parts of each critical control clear in a succinct document. It also provides the basis of reporting.
The CCDS contains the following:
• the name of the major hazard the critical control relates to
• the “owner” of the hazard (or risk) at a senior level
• the name of the critical control (and a unique identifying number)
• who is accountable for ensuring the critical control is effectively implemented
• the purpose and performance criteria of the critical control (what it must achieve to be effective)
• how the critical control is checked to ensure it is working as intended
• who is responsible for carrying out this checking (normally one of the control owner’s team)
• the frequency of carrying out the checking and reporting on its status to the control owner

The CCDS provides all the essential information to manage the control, including accountabilities, implementation, checking and reporting. This contrasts with the SCEs discussed earlier, which are predominantly engineering focused. However, as is acknowledged by the International Association of Oil and Gas Producers (OGP), “barriers” (a synonym for controls) “…typically includes a mix of plant (equipment), process (documented and ‘custom and practice’) and people (personal skills and their application).” (OGP, 2008).

The brevity of the CCDS means it is readily used by frontline workers, including on handheld devices. Furthermore, by providing a copy of the simplified bowtie and a concise example of how this control has failed in the past (either from the company’s records or from published sources), the document provides additional context and rationale to the user on why the control and its checking are important. People tend to do things more reliably when given the reasons and context for doing so. This is a practical application of Human and Organisational Factors applied to risk control management.

4.4 Developing the Critical Control Data Sheets

The process for developing the CCDS is a critical step and was a challenging one for the plant’s PSM team.
How was it possible to reduce a multi-page procedure to one page? The key was to have people present in the room with relevant operational knowledge, supplemented by subject matter expertise in process safety. The right mix of skills and knowledge needed was remarkably like that for a HAZOP: operations, maintenance, subject matter experts as well as front line supervisors and members of the workforce. As with HAZOPs, an independent chair proved helpful, while an understanding of the CCA was essential.

An early criticism of the CCA from those with knowledge of High Reliability Organisation (HRO) principles was that by using the one-page CCDS important details would be lost. In practice the reverse happened. Much of the content of the procedure was relevant, but not essential, to help manage the control. The procedures remained, so the information was not lost. However, using the CCDS template encouraged discussion on the key elements of the control. This included defining what the control had to do to achieve its objective as well as getting clarity around accountabilities for the control.

For example, in one part of the plant a fan was important to remove toxic and flammable gas from a closed drain. One of the checks was to confirm the fan was working as intended. When this aspect of the control was discussed, a question was raised as to why it was not possible to provide a range of quantitative values for the differential pressure across the fan. It was quickly found that acceptable values, differential pressures requiring further investigation, and ones requiring shutdown could be calculated, and these were added to the elements of the critical control on the one-page CCDS. In this case, important detail was not lost but added. This proved common across the implementation process.

4.5 Checking the critical controls and reporting

As described above, the CCA identifies the hazard (or risk) owner, the control owner and who does the checking of the critical control. All of these are line management roles. The assumption is that line management is responsible for managing process safety, as with other aspects of health, safety and environment, and it is their responsibility to implement the critical controls effectively. An important aspect of this is checking (or monitoring) that the control is working as intended.

Experience shows that the hazard (or risk) owner concept works best when this role is held at a senior level. Control owners are generally the direct reports of the hazard owner (usually superintendents). In turn, responsibility for checking the controls is typically allocated to the most appropriate member of the superintendent’s team, depending on the nature of the control and knowledge required.

Reporting on the results of the checks provides a direct indication of the “health” or effectiveness of the critical controls. This is a key benefit of the CCA approach. Business “rules” on how the reporting is done proved essential. Reporting was integrated into existing reporting systems and used traffic light reporting. A typical approach is that if the control has not been checked as scheduled, it cannot be “green” and must be “amber” or “red”. Green means the critical control was checked on schedule and all aspects of the critical control were working as intended. Rules to determine red and amber are also required.

An important learning was that some space should be provided to allow some limited commentary on why it was green, amber or red. This proved important since it enabled people to report problems and explain what was being done about them. An unanticipated aspect of the requirement for a short explanation to supplement the colour was that there was some inconsistency between the colour and what was reported.
The discussion that followed at the plant’s leadership team meeting usually provided useful insights on how the control was managed.

Another important learning from the implementation of CCA was how leaders react to the reporting. It is well established that the reporting of bad news must be welcomed and seen as an opportunity to improve. Senior leaders at the plant have been encouraged on their “field” visits to comment favourably on the ambers and reds while paying close attention to the greens. Their line of questioning includes “Why are they green?” and “What has gone right?”, and they are encouraged to check that the greens really deserve that status in the reporting.

4.6 Organisational factors

Prior to starting the CCA project, the PSM implementation team had limited support from line managers. This was changed, and responsibility given to a team of line managers supported by the PSM experts. Initially, this was not universally welcomed by the process safety specialists, who now advised line managers (who now had the responsibility). This is the conventional approach to safety and other business support functions such as Human Resources. Crucially, it provided an opportunity to integrate the PSM work into the broader asset management arrangements, including “Lean Manufacturing” techniques that had been implemented into plant operations, with PSM progress reported as part of the “Lean” business improvement process.

This was more important than was first realised. To line managers, PSM experts with deep technical expertise can sometimes appear intimidating and their knowledge far removed from day-to-day operations. However, the line managers in the PSM implementation team proved to be excellent translators of PSM jargon and integrated the work to simplify bowties and inject frontline experience into the one-page summaries. This ensured quick uptake of CCA by frontline managers and the workforce.

5. Lessons and outcomes

The CCA implementation was quickly judged a success by both workforce and management at the plant. This is validated by the company’s global headquarters mandating this approach be applied to all the company’s processing plants to improve PSM. Perhaps the most consistent piece of feedback on the CCA is that for the first time all the key information needed to manage a critical control is in a succinct document.

In reflecting upon the implementation process, there were two important factors which influenced people’s views on the CCA approach. First, whether they had experienced a major process safety event. Those who had listened intently and were happy to try and apply the critical control approach. Those who had not were generally much less interested. Second, there was a distinct difference between senior managers and safety professionals. Senior managers liked the simplicity of the CCA approach and they also saw parallels with the work already underway on quality and reporting systems. Measuring the variance of inputs compared with the intended inputs to a manufacturing process was a core concept to many from their “lean manufacturing” experience.

At its heart the CCA requires performance criteria to be defined for the controls. This enables the variance between what is required and what is being achieved to be identified. This variance is a measure of how well the critical controls are being implemented. The variance can also be regarded as a “weak signal” in high reliability organisational theory and practice (Weick and Sutcliffe, 2007).

6. Conclusions

In some ways there is nothing new in the critical control approach. All the components described have long been in regular use, except perhaps the CCDS as the basis of managing the hazard. What is relatively new, though, is the documentation of the CCA and how it can be applied. Before the ICMM and Energy Safety documents, there was no documented description of the process.
This is an important step from several perspectives. This makes the approach subject to peer review. Finally, compared with other methods of developing safety indicators, this approach to reporting on process safety is not dependent on lagging measures such as losses of primary containment, “…challenges to barrier systems…” (API, 2016) or the three types of lag and lead measures advocated by the UK HSE (UK HSE, 2006). Reporting on the “health” of the critical controls provides a much more direct measure of risk control.

References

API, 2016, Process Safety Performance Indicators for the Refining and Petrochemical Industries, Edition 2, Washington, D.C., USA.
ENFORM, 2016, A Barrier Focused Approach: How to Get Started with Process Safety Volume 2, Edition 1, Calgary, Canada.
Hoffman I., Wilkinson P., 2011, The Barrier Based System for Major Accident Prevention, A Systems Dynamics Analysis, System Dynamics Society 2011, Washington, D.C., USA.
Husin M.F., Hassim M.H., Ng D.K.S., 2017, A heuristic framework for process safety assessment during research and development design stage, Chemical Engineering Transactions, 56, 739-744.
ICMM, 2015a, Health and Safety Critical Control Management Good Practice Guide, International Council on Mining and Metals, London, UK.
ICMM, 2015b, Critical Control Implementation Guide, International Council on Mining and Metals, London, UK.
Kletz T., 1993, Lessons from Disaster: How Organizations have no Memory and Accidents Recur, Gulf Professional Publishing, Houston, USA.
OGP, 2008, Asset integrity – the key to managing major incident risks, Report No.415, London, UK, 6.
Stickrod A. (Ed), 2008, High Reliability Operations: A practical guide to avoid the system accident, B&W Pantex, 139.
UK HSE, 2005, A guide to offshore installations (safety case) regulations 2005, Health and Safety Executive, London, UK, 23-24.
UK HSE, 2006, Developing process safety indicators, HSG254, Health and Safety Executive, London, UK.
Weick K., Sutcliffe K., 2007, Managing the unexpected: Resilient performance in an age of uncertainty, Jossey Bass, San Francisco, USA.