Vienna, United States
Vienna, United States

Time filter

Source Type

Hazzan M.J.,Eastern Business Unit | Rose M.R.,AcuTech. Consulting Group Inc.
Chemical Processing | Year: 2010

The US Occupational Safety and Health Administration (OSHA) has issued petroleum refinery process safety management national emphasis program (NEP) in response of a high rate of fatalities and serious injuries in the chemical refining industry. The Refinery NEP features a publicly available static list of inspection questions and a dynamic list of questions restricted to OSHA personnel, to audit the facilities. The Chemical NEP will focus on the elements such as mechanical integrity, operating procedures, management of change (MOC), pre-startup safety review, and contractor safety. OSHA also will examine the interrelationship between process safety elements and will audit the flow of information among these elements. The Refinery NEP will allow inspectors to generate citations for alleged violations of general OSHA standards, such as lockout/tagout, hazard communication, and confined space.


Moore D.A.,AcuTech. Consulting Group Inc. | Hazzan M.J.,AcuTech. Consulting Group Inc.
1st CCPS Asia-Pacific Conference on Process Safety 2013, APCPS 2013 | Year: 2013

Process safety management system auditing is becoming more of a business critical function, and as PSM evolves, it is receiving more attention. Auditing is a key opportunity to validate the process and improve performance to meet expectations for success. Auditing is more effective if aligned to organizational design and goals. Many auditing processes provide an incomplete approach, without consideration of the management system design or organizational goals. Considerations such as management model, elements of the process, if the program is regulatory or performance driven, multiple performance objectives and key performance indicators should be key considerations when developing PSM management systems and the associated audit process. © Copyright (2013) By AIChE. All rights reserved.


Moore D.A.,AcuTech. Consulting Group Inc.
Journal of Loss Prevention in the Process Industries | Year: 2013

The American National Standards Institute (ANSI)/American Petroleum Institute (API) Standard 780 Security Risk Assessment (SRA) Methodology was published in June 2013 as a U. S. standard for security risk assessments on petroleum and petrochemical facilities. The standard represents a model standard for evaluating all security risks of petroleum and petrochemical infrastructure and operations and assists industries in more thoroughly and consistently conducting SRAs. The 2013 Standard is an update from the previous API/NPRA SRA Methodology (2004) and focuses on expanding functional utility without changing the basic methodology. The methodology can be applied to a wide range of assets even beyond the typical operating facilities of the industry. This includes refining and petrochemical manufacturing operations, pipelines, and transportation operations including truck, marine, and rail, as well as worker and executive security, housing compounds, and remote operational sites. The new standard describes the most efficient and thorough approach for assessing security risks widely applicable to the types of facilities operated by the industry and the security issues they face. It is voluntary but has been adopted by the Kingdom of Saudi Arabia Ministry of Interior High Commission for Industrial Security as the mandatory security risk assessment methodology for industrial facilities. This paper examines the key elements of the ANSI/API SRA process and discusses how forward thinking organizations may use risk-based performance metrics to systematically analyze facility security postures and identify appropriately scaled and fiscally responsible countermeasures based on current and projected threats. The AcuTech Consulting Group developed the methodology under contract to the API, and the author was the project manager for the project. © 2013 Elsevier Ltd.


Leith H.M.,AcuTech. Consulting Group Inc. | Piper J.W.,AcuTech. Consulting Group Inc.
Journal of Loss Prevention in the Process Industries | Year: 2013

The financial success of the chemical and petrochemical industry will increasingly depend upon the security of process control systems. This paper presents recommendations and insights gleaned from over 100 security risk assessment (SRA) and process control analyses, using requirements baselines extracted from the National Institute of Standards and Technology (NIST) special publication 800-53 (and Appendix A), the Recommended Security Controls for Federal Information Systems and Organizations, in conjunction with NIST special publication 800-82, Guide to Industrial Control Systems(ICS) Security, to provide the bridge in application of 800-53 controls to IC/SCADA. The paper identifies how current and projected malevolent threats posed by insiders, outsiders, collusion, and system-induced threats can erode system performance in terms of shut downs, sabotage, production disruption, and contamination. The issue is not whether there are clear and present cyber threats, nor whether there are business prudent practices that can be implemented to counter those threats; but rather that there is such a diverse compendium, at times conflicting and often technically obtuse guidance, that clarity is needed to narrow the focus of this guidance to assist those responsible for implementing effective process control security. The paper focuses on application of business-prudent controls and discusses how disparities in implementation of controls can exacerbate system vulnerabilities. Topics include issues of processes control system management, systems documentation, use of contractors and remote contractor access, system authorities that exceed user needs, misalignment of staff perception of information asset values, exposures related to use of USB ports, lack of encryption, and background surety gaps for individuals and contractor companies with access to process control systems. The paper examines the dynamics of communicating information from process control systems to business IT systems and the pressure from business operations to capture process data and make it available in near real-time through administrative networks. Such pressures may influence systems administrators to overlook or ignore firewall and systems engineering architecture, increasing potentials for two-way interface between business and process control that significantly increases exploit exposures. Despite the availability of excellent guidelines for physical and technical security of IT related assets, these practices are too often unheeded in favor of expediency or expanded access. The paper includes a discussion of Risk Management Framework models that should be considered to enhance the correspondences and relationships between multiple organizational domains, thereby promoting more effective cyber security for current and future process control systems. The paper summarizes the process for establishing security for industrial control systems (ICS), and addresses cyber security baseline requirements and expectations, within a risk management framework that provides a decision basis, threat dynamics, common vulnerabilities, and prudent mitigation measures. Much of this summary has been derived from The Information Technology Laboratory at the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security. NIST has also published Applying NIST SP 800-53 to Industrial Control Systems which demonstrates the relationship of 800-53 to ICS security and the application of more than 20 control families and over 625 control elements to ICS security. Although originally designed for Federal systems, portions of these publications also provide a solid foundation for critical commercial and industrial information control systems in terms of addressing the basic questions that companies in the process industry should consider when selecting security controls, including: • What controls are actually needed to protect process systems, while supporting operations and safeguarding critical assets? • Can the selected controls suggested for Federal systems effectively be implemented for systems in the process industry? • Once selected and implemented, will these controls really be effective in protecting the processes? NIST SP 800-53, Recommended Security Controls for Federal Information Systems, helps answer questions to strengthen commercial processes information security programs. The security controls articulated in NIST SP 800-53 provide guidance and recommend practices applicable to security systems in process industries, to provide a foundation for understanding the fundamental concepts of security controls. The introductory material presents the concept of security controls and their use within well-defined information security programs. Some of the issues discussed include the structural components of controls, how the controls are organized into families, and the use of controls to support information security programs. The guide outlines the essential steps that should be followed to determine needed controls, to assure the effectiveness of controls, and to maintain the effectiveness of installed controls. The appendices in NIST SP 800-53 provide additional resources including general references, definitions, explanation of acronyms, a breakdown of security controls for graduated levels of security requirements, a catalog of security controls, and information relating security controls to other standards and control sets. The controls are organized into classes of operational, management, and technical controls, and then into families within each class. To maintain parity and applicability with advances in technology, NIST also plans to review and to update the controls in the catalog as technology changes and new safeguards and new information security countermeasures are identified. NIST SP 800-53 and related documents are available at http://csrc.nist.gov/publications/nistpubs/index.html. The extensive reference list in SP 800-53 includes standards, guidelines, and recommendations that process industry companies can use as the foundation for comprehensive security planning and lifecycle management processes. Additionally, a significant effort of broad commercial and government cooperation, the Consensus Audit Guideline (CAG) provides a 20-element cyber security controls roster supporting a common commercial framework for cyber security, correlating to the NIST 800-53 Control Library. © 2013 Elsevier Ltd.


Heller D.M.,AcuTech. Consulting Group Inc. | Santo Jr. R.A.,AcuTech. Consulting Group Inc. | Kahn D.A.,AcuTech. Consulting Group Inc.
AIChE 2013 - 2013 AIChE Spring Meeting and 9th Global Congress on Process Safety, Conference Proceedings | Year: 2013

Process safety management auditing has consisted of examining a facility on an element-by-element basis, developing findings, and making recommendations to address these specific findings. When audits that exceed minimum OSHA regulatory requirements and include the expanded list of process safety management are conducted, these findings were easy to identify, as they were often evident in the newer elements found in risk based process safety. The Baker Panel, as part of their examination of BP's 2005 Texas City incident, assessed process safety culture at BP's five US refineries. The process of identifying root causes while conducting audits and examples of how to develop overarching recommendations to address these issues are presented. This is an abstract of a paper presented at the 2013 AIChE Spring Meeting & 9th Global Congress on Process Safety (San Antonio, TX 4/28-5/2/2013).


Moore D.A.,AcuTech. Consulting Group Inc. | Hazzan M.J.,AcuTech. Consulting Group Inc. | Heller D.M.,AcuTech. Consulting Group Inc. | Rose M.R.,AcuTech. Consulting Group Inc.
AIChE 2013 - 2013 AIChE Spring Meeting and 9th Global Congress on Process Safety, Conference Proceedings | Year: 2013

With the experience of numerous catastrophic and highly publicized events, the need for improving process safety is paramount. This fact was made clear in the Baker Panel Report of the BP Texas accident. A critical aspect of any management system is the need to review performance and then make corrections to the way it is designed or being implemented to improve results. An approach is presented for defining corporate objectives, understanding options available, defining a process safety management (PSM) program, defining performance objectives and key process indicators, designing an audit program, and executing the process. Widening the scope of the PSM audit to include all of the now recognized necessary elements and program support issues will help ensure the fullest picture of PSM effectiveness emerges. This is an abstract of a paper presented at the 2013 AIChE Spring Meeting & 9th Global Congress on Process Safety (San Antonio, TX 4/28-5/2/2013).


Moore D.A.,AcuTech. Consulting Group Inc.
10th Process Plant Safety Symposium, Topical Conference at the 2008 AIChE Spring National Meeting | Year: 2014

Section 550 of the Homeland Security Appropriations Act of 2007 ("Section 550"), enacted on October 4, 2006, provided the Department of Homeland Security (DHS) with authority to promulgate "interim final regulations" for the security of certain high risk chemical facilities in the United States. The Chemical Facility Anti-Terrorism Standards (CFATS) regulation (6 CFR Part 27) is risk-based and performance-based, which makes it both particularly progressive and flexible and yet challenging due to the nature of the rule. The asset owners of high risk chemical facilities must interpret regulatory requirements and DHS guidance, and then stand up a set of security measures that achieve risk-based performance standards depending on their Tier level. Congress prohibited the DHS from requiring specific security measures while giving them the authority to approve site security plans. DHS must then interpret the security posture established by the asset owner and evaluate the proposed measures against the risk-based performance standards to judge the level of compliance. Two key issues emerge - the need to define adequate security and compliance in a completely performancebased regulation. Copyright © (2008) by the American Institute of Chemical Engineers.


Heller D.M.,AcuTech. Consulting Group Inc. | Kahn D.A.,AcuTech. Consulting Group Inc.
Chemical Engineering Progress | Year: 2013

Tracing audit findings back to the management system that allowed the failure to occur is an effective way to uncover deficiencies in an organization's process safety management system (PSM). The first step of the audit is to identify the appropriate corporate and management contacts within the organization. The scope and objectives of the audit should be clearly defined and then communicated throughout the organization. Another necessary step in preparing for a root-cause based audit is the development of a consistent audit protocol. An organization must develop its own common, consistent audit protocol in order to fairly compare one plant with another. A scoring system can be developed and integrated into the protocol. Such a scoring system should weight the elements as well as each of the questions within each element based on their relative importance to process safety. Some preparation must be done at the facility level, primarily to ensure that site personnel and documents are readily available to the audit team.


Moore D.A.,AcuTech. Consulting Group Inc.
Global Congress on Process Safety 2012 - Topical Conference at the 2012 AIChE Spring Meeting and 8th Global Congress on Process Safety | Year: 2012

This paper explains several recent experiences in inherent safety where, despite substantial progress in the reduction of risk, the public or regulators were not satisfied with the outcome. The key reason for this is believed to be due to the lack of any accepted methodology, set of criteria, and requirement for 'tolerable risk' decision-making. This, combined with public outrage on the issue if there is an extreme aversion to risk or possibly a threat or perceived threat, such as from a past accident or the fear of terrorism, results in an environment where irrational decisions are possible. The author believes this will occur more frequently in the future as the degree of the public's risk tolerance is diminishing. Inherent safety as a regulatory concept has known complicating issues, such as the lack of metrics to judge the adequacy of the efforts employed. More so, experience has shown that the public and regulators may not be satisfied with inherent safety improvements even if they are substantial reductions in risk. The key expectation with most persons exposed to a potential release of hazardous materials is that the reduction of risk results in zero exposure to them. The final expectation is the reduction of consequences v. the reduction of risk. Inherent safety (substitution or minimization) becomes the preferred mechanism in the eyes of the public for achieving that reduction. The paper will show how these decisions are both challenging technically as well as emotionally and go beyond technical 'precision'. The current system lacks incentives for industry to use IST if the investments will not be fairly judged on a clear and transparent basis. Given the lack of specific guidance on decision-making in this situation, the benefits and impacts of intended changes, and the lack of specific guidance on how regulatory burdens may be reduced and safety and security risks improved, industry may be uncertain on the value of IST investments. ©2012 AcuTech Group, Inc.


Moore D.A.,AcuTech. Consulting Group Inc. | Heller D.M.,AcuTech. Consulting Group Inc. | Santo Jr. R.A.,AcuTech. Consulting Group Inc.
Global Congress on Process Safety 2012 - Topical Conference at the 2012 AIChE Spring Meeting and 8th Global Congress on Process Safety | Year: 2012

This paper will summarize an analysis of the supply chains of three separate Toxic Industrial Chemicals (TICs) with respect to prevalence in industry, hazards posed by the processes, potential risk for both accidental and intentional (sabotage and/or terrorist activity-related) releases, and inherently safer technology (IST) techniques that could be employed to reduce risks associated with the manufacture and/or end use of the TICs. Information in the following areas was gathered and examined for each TIC: • Production and use • Chemical and technological processes including processing steps, conditions, capacities, catalysts, and solvents for all major production routes • Annual domestic production volumes • Uses and required formulations • Manufacturing and consumption sites; extent of on-site production and us•e Transportation volumes, conditions, distances and transport modes • Storage volumes and conditions • Alternative processing technologies including inherently safer technologies (IST) concepts This paper will illustrate the complexity of applying IST to reduce hazards along the supply chain. ©2012 AcuTech Group, Inc.

Loading AcuTech. Consulting Group Inc. collaborators
Loading AcuTech. Consulting Group Inc. collaborators