The Occupational Safety and Health Administration (“OSHA”) published a Request for Information (“RFI”)  on December 9, 2013 concerning possible changes to the Process Safety Management (“PSM”) program codified at 29 C.F.R. 1910.119.  See 78 Fed. Reg. 73756 (Dec. 9, 2013 ).  Likewise, the Environmental Protection Agency (“EPA”) published an RFI on July 31, 2014 relating to possible changes to the similar Risk Management Program (“RMP”) rules codified at 40 C.F.R. Part 68.  See 79 Fed. Reg. 44604 (July 31, 2014).  At the time of this writing, the respective comment periods have closed and we are waiting to see new proposed regulations. This is the fifth article in a series of articles concerning these potential rulemaking actions.

OSHA and the EPA requested comments concerning revising the audit requirements in PSM and RMP to require third-party audits.  Comments received by OSHA and the EPA requests were similar in nature.  Although many comments addressed third-party audits, this article will compare comments from four organizations:  The American Fuel & Petrochemical Manufactures (AFPM), the American Petroleum Institute (“API”), the Mary Kay O’Conner Process Safety Center (“MKOPSC”) at the Texas A&M Engineering Experimental Station, and the U.S. Chemical Safety Board (“CSB”).

Compliance audits are required for Program 2 and 3 RMP facilities.  See 40 CFR 68.58 and 68.79.  Likewise, compliance audits are required under PSM.  See 29 CFR 1910.119(o).  Both programs provide a single minimal requirement for the audit team: “at least one person knowledgeable in the process.”  29 CFR 1910.119(o)(2) and 40 CFR 68.58 (b) and 68.79(b). In requesting comments related to adding a third-party audit requirement, both OSHA and the EPA provide the same information: highest degree of objectivity, Bureau of Safety and Environmental Enforcement (“BSEE”) rules,[1] and CSB’s findings[2] in the BP Texas City incident.  See 78 Fed. Reg. at 73762 and 79 Fed. Reg. at 44618.

Whereas the CSB generally supported requiring third-party audits, several concerns were expressed.  The CSB remarked that such should not reduce any on-going inspection and auditing.[3]  The CSB also remarked that third parties may not in reality be completely objective.  As a result of this later concern, the CSB expresses concern that the addition of a third party auditing requirement may diminish OSHA oversight by “contracting out what it should be doing as a regulator.”  See CSB Comments to OSHA, pp. 22-23 (Mar. 31, 2014) and CSB Comments to EPA, pp. 26-27 (Oct. 29, 2014).

The MKOPSC seemed to be more concerned that the audit be led by an accredited auditor.  Consistent with such, an “auditor should have worked in PSM-related activities or have considerable years of experience in PSM-related work” and an “auditor should have undergone formal and recognized training on PSM audit procedures.”  MKOPSC comments to OSHA, p. 46 (Mar. 31, 2014).  Without making a specific recommendation, the MKOPSC provided a list of advantages and disadvantages related to requiring an audit by a third-party.  The advantages included:

1.  Third party auditors introduce an external view.  It is expected that third party audits are even more objective and less biased than any internal First or Second Party Audits.

2. The potential for greater subject matter expertise exists with a third party auditor compared to internal audits; thus resulting in quality output.

3.  The facility is bound to respond quickly and effectively to the audit recommendations due to the higher profile that is created with the incorporation of third party audits.

Id. at 48.

The disadvantages include:

1.  Third party audits can be expensive and not all facilities can afford this.

2.  By their very nature, third party audits do not allow for development and maturity of a company’s own audit program, steeped in first-hand and in-depth knowledge of internal processes (including technical and chemical process), and operational and managerial systems.

3.  Contentious discussion over specific findings and recommendations can consume valuable time and test the relationship between auditors and those being audited.

4.  Third party auditors may not be familiar with the facility’s culture, technology, or corporate standards and site procedures.

5.  Third party auditors can lose their objectivity over time and fail to identify lapses.  This was seen in the financial community where auditors become financially dependent upon those they audit.[4]

Id. at 48-49

In opposing the requirement to require third-party audits, the API and AFPM stated that OSHA had failed to provide any documentation showing a causal relationship between the failure to use third party auditors and PSM auditing failures.  API Comments to OSHA, p.12. (Mar. 31, 2014) and AFPM Comments to EPA, third page (Sec. VI) (Oct. 29, 2014). Without showing a causal relationship, there is no way to say that a requirement to use third-party auditors would improve safety.  The API suggested “that it is more important for OSHA to focus on the audit program/requirements and the quality and competency of the auditors.”[5]  API at 13.  Collectively, comments from the API and AFPM state that internal personnel are better suited to auditing for a number of reasons:  the company’s auditor’s intimate knowledge of the organization and how it functions and the process-related experience of those familiar with the varied processes. Finally, according to the AFPM, “the problem is not with the auditors but, rather the failure to implement many audit findings.”  AFPM at second page (Sec VI).  The AFPM also believes that the BP Incident is an outlier and should not be used to reflect the industry’s approach as a whole.  AFPM at third page (Sec. VI).

Whereas an audit by a third-party has its advantages, according to the comments made to the proposition, it has its disadvantages.  Comments point out that the use of third-party auditors, by itself, did not prevent problems within financial audits as there is a difference between being a third party and being completely independent.  Many parties believe that the emphasis should be on assuring that auditors are properly trained and accredited.  That said, both the API and AFPM expressed concern about the current supply of qualified and accredited third-party auditors.  Conversely, the CSB believes that the best approach is to have more direct auditing performed by the regulators.  At some point OSHA and the EPA will propose rules that reflect their balance of the pros and cons.

____________________________________________________

[1] Oil and gas and sulfur operations which occur in the outer continental shelf comply with a similar but different process safety type program:  Safety and Environmental Management Systems (“SEMS”).  The lead person of a SEMS audit must be “an employee, representative, or agent of the ASP, and must not have any affiliation with the operator.” 30 C.F.R. 250.1920.  Unlike PSM and RMP, an operator must submit a Corrective Action Plan (“CAP”) to BSEE following each audit.  See 30 C.F.R. 250.1920(d).

[2]  It should be noted that the CSB’s Final Investigation report on the BP Incident did not identify auditing failures to be a Root Cause or Contributing Root Cause to the incident.  CSB Investigation Report, Refinery Explosion and Fire, Sec. 12.1 and 12.2, (Mar. 23, 2005), found at  http://www.csb.gov/assets/1/19/csbfinalreportbp.pdf (last visited Apr. 7, 2015).

[3] It should be noted that PSM and RMP have inspection requirements that are independent of the auditing requirements.  That said, the audit should ascertain whether the employer or operator is properly inspecting equipment.  Neither PSM or RMP have any requirement to audit facilities directly on a consistent basis.

[4] This comment is consistent with concerns expressed by the CSB that auditors may not be completely objective.

[5] By comparison to BSEE rules, an Audit Service Provider (“ASP”) must be accredited by a BSEE-approved Accreditation Body (“AB”).  See 30 C.F.R. 250.1921(b).