
How to respond to a Compliance Audit Report

Both PSM and RMP require a 3-year audit to “verify that the procedures and practices developed under the standard are adequate and are being followed.” While it is not required, this Compliance Audit is traditionally done through a 3rd party. A common failing I see in this element is end-users not understanding what to do with the Compliance Audit once they’ve received it. What follows are my thoughts on best practices once you’ve received the Compliance Audit report.

  • Verify the Report
  • Certify the Report
  • Address the Findings / Recommendations
    1. Assess validity
    2. Decide on a solution to address valid recommendations
    3. Implement the solution including any needed interim solutions
    4. Document the resolution as closed

 

Verify the Report

You will want to ensure the report meets the requirements of the PSM/RMP rules as well as your internal Compliance Audit element Written Plan. The first thing to do is read through the report and any findings / recommendations to familiarize yourself with it. Your report may look different than the ones I deliver, but mine have five main parts:

  • An introduction letter describing the audit methodology and the report’s format
  • Closing meeting notes discussing highlights of the report and next steps.
  • An Audit Certification Page (discussed in the next section)
  • Statement of Qualifications: Qualifications of Company and PHA Facilitator / Compliance Auditor, Conflict of Interest Statement & Disclosure. This is basically a written answer to common “Who did this audit and why should we trust them” questions.
  • Compliance Audit worksheets & Findings / Recommendations

Once you understand the format of the report, decide if it met the goals of a Compliance Audit. I use the 3 levels of compliance as my performance basis.

Once you’ve established that the Compliance Audit report meets this performance basis, make sure it is:

  • Complete
  • Free of any copy-paste errors
  • Lacking any blank spaces / questions

If you have any questions or concerns, work with your auditor to address them at this stage, because once we go to the next step, this report is “set in stone.”

 

Certify the Report

Both PSM and RMP require that the employer/owner/operator certify the Compliance Audit report. I include a letter to be dated and signed. This step is often missed but it’s a very simple thing. You are not certifying that the report is 100% accurate, found every single thing wrong, etc. All you are certifying is that “you have evaluated compliance…to verify that the procedures and practices developed under the standard are adequate and are being followed.” In some sense, you’re really certifying that this collection of documents is your Compliance Audit, that you have received it, and that you believe it to be accurate.

 

Address the Findings / Recommendations

Each non-compliance finding will require some sort of action on your part. To assist in this endeavor, I personally rate the findings on a 4-level scale.

A simpler explanation of that rating system might be:

Green: All Good.

Yellow: It’s good, but there might be a better way.

Orange: This is wrong and can get you fined but probably won’t get anyone hurt in the short-term.

Red: This is wrong and can get someone hurt or even killed.

Below is the flowchart from our model PSM/RMP program on dealing with recommendations. Please see this longer post on the subject for more information: Properly Addressing PSM / RMP Findings & Recommendations.

Recommendations will be considered “addressed” when a plan has been put in place to address them. In some cases, a recommendation will not be accepted. OSHA considers an employer to have resolved recommendations when the employer has either adopted the recommendations or justifiably declined to do so. According to OSHA, an employer can justifiably decline to adopt a recommendation where it can document that:

  • The recommendation contains material factual errors;
  • The recommendation is not necessary to protect the health of employees or contractors, the public or the environment;
  • An alternative measure would provide a sufficient level of protection; or,
  • The recommendation is not feasible.

Whether accepting or rejecting a recommendation, it is important that you document your reasoning for doing so and any progress you are making, or have made. In our system we rely on an Implementation Policy called “Resolution of Recommendation” to do this. Below is an example of a recommendation that was tracked to resolution. Note that since it is now complete, they have shaded it green.

Conclusion: While it’s time-consuming and labor-intensive, dealing with Compliance Audit recommendations is a fairly straightforward task. As always, feel free to Contact Us if you have any questions, and check out our Compliance Audit section if you would like us to perform your next Compliance Audit.

Note: Nearly everything in this article is equally true for reports and recommendations from PHAs, independent Mechanical Integrity Audits, etc.

Compliance Auditing and the Karenina Principle

Over the years I’ve audited well over one hundred Ammonia Refrigeration Process Safety (PSM / RMP) programs and one of the things that I always try and remember during the audit is something called the “Anna Karenina” principle. The first line in that Leo Tolstoy novel is:

“All happy families are alike; each unhappy family is unhappy in its own way.”

 

Put another way: Success requires that certain key factors be addressed. Meeting those requirements means that successful systems will be similar to other successful systems. For Process Safety programs, there are many key factors to success, but I think they all boil down to three main categories:

  • Does the facility have a written Process Safety Program that (on paper) meets the safety & compliance requirements of the law, the process, and the people, in a manner that meets the business needs of the company? If so;
  • Is the written Process Safety Program implemented as written? If so;
  • In the actual day-to-day process, does the written Process Safety Program as implemented address the safety & compliance requirements of the law, the process, and the people, in a manner that meets the business needs of the company adequately?

I often call this the “Three Levels of Compliance.” Shown in a flowchart:

While there are nearly infinite ways a Process Safety program can fail, ALL successful programs will pass these three levels of compliance checks. Understanding this concept will help you be a better auditor, but it can also help you be a better implementer!

 

In Auditing, how does this work in practice?

Let’s look at an example of an identified deficiency of rusted pipe found during the walkthrough portion of an audit. Note, we’ve kind of started at the 3rd level of compliance here because we’ve found a problem in the field and therefore know that the plan as implemented isn’t adequate!

First-pass questions concerning the written plan could include:

    • Are there written instructions on their inspection frequency and acceptable conditions?
    • Is there a written plan on training to perform these inspections?
    • Does the written Mechanical Integrity Plan address these specific pipes?

The answers to these questions will help you define a finding / recommendation to improve the program.

Second-pass questions concerning implementation could include:

    • Is the written Mechanical Integrity Plan that addresses these pipes being conducted when it is scheduled to be?
    • Are the written instructions being followed?
    • Was the inspector trained in accordance with the written plan?

Again, the answers to these questions may prompt a finding / recommendation to improve the program. If you have a written MI plan and you are implementing it, but you still have rusting pipes, then you need to fix either the plan or your implementation of it!

 

How can this concept help me be a better implementer?

Your Process Safety Program is, by its very nature, artificially bringing order to chaos. Because of Entropy, we know that all systems and processes will eventually decline into disorder and fail. This decay happens with no effort on your part but, with effort, it can be thwarted.

Ultimately, I believe the only way to continuously, sustainably maintain your Process Safety Program is by forcing a feedback loop. A feedback loop is where you ensure that the output of a system is routed back to the input of the system. In our earlier worked example, we need to ensure that the output (physical condition, daily practices, etc.) of the system is routed back to the input (written plan and implementation of it) so we can know how well the system is performing and make changes as needed.

When it comes to the mechanical world, there is no better feedback loop than actual inspections and tests. If it is properly designed, your Mechanical Integrity program should be providing this information. Your team needs to understand that (no matter how small) every single deficiency you find, or breakdown that you have, is a sign that your plan can be improved.

When it comes to the operation of the system (policies, procedures, etc.), your PSM team is supposed to be providing this feedback. I say “supposed to be” because more and more I see that this important feedback loop is not being properly utilized. For more information on what the purpose of a PSM team is and what it should do, see this earlier article: What is the purpose of a PSM Team?