Safety Science 107 (2018) 119–129

Contents lists available at ScienceDirect

Safety Science
journal homepage: www.elsevier.com/locate/safety

Operational readiness for the integrated management of changes in the T

industrial organizations – Assessment approach and results
⁎
David Levovnik, Marko Gerbec
Jožef Stefan Institute, Jamova 39, 1000 Ljubljana, Slovenia
Jozef Stefan International Postgraduate School, Jamova 39, 1000 Ljubljana, Slovenia

A R T I C LE I N FO A B S T R A C T

Keywords: Management of change (MOC) is part of process safety management. Traditionally, MOC is related to technical
Management of change changes. Safety implications from organizational changes have recently led to proposed integrated management
Organizational changes of both types. Inadequate or absent MOC is often among of the causes of major accidents in the process industry,
Organizational readiness as a plethora of textbook and recent cases clearly demonstrate. Despite the lack of attention in industry and in
Process safety
the scientific literature, complexity in MOC plays an important role in ensuring process safety. We propose a new
Benchmarking
approach for the evaluation of the organizational readiness on the key principles and essential features of the
safety change management (that integrates technical and organizational changes). We build on a merge of the
Nertney's wheel principles of assessing the pre-defined stages of operational readiness of the elements of the
system in question – safety change management (based on the literature/guidelines). The approach and prepared
audit type tool were applied and tested in six case industrial organizations in Europe. Results of the testing
suggest that the approach can reveal potential specific gaps in MOC procedures and practices, as well as provide
aggregated results (e.g., for the purpose of reporting, benchmarking and risk communication, alignment of
management activities). The obtained results also re-confirmed the literature that the overall readiness of safety
change management in industry is in its infancy. The research contributes to the literature and practice by
pointing out how to assess, aggregate and possibly align the MOC performance data for better risk management.

1. Introduction employees (with an average at about 10). The lesson here is that
changes in organizations can go to the hundreds per site per annum and
Management of changes (MOC) in organizations, subject to major thus, in a long term, the plant/installation renders itself to something
accident hazards, is one of the main elements of a safety management completely different from the initial design. How does this reflect on the
system (EC, 2012; US, 1992; CCPS, 2007; CSChE, 2004; Sanders, 2005). process safety risks? Obviously, that depends on how well the changes
Technical change is any addition, process modification, or substitute are managed and documented (e.g., updated process safety knowledge)
item (e.g., person or thing) that is not a replacement in kind (CCPS, and considered in updated risk assessments. While the situations before
2007), while organizational change is any change in position or re- and after might be the subject of risk assessments considering a specific
sponsibility within an organization or any change to an organizational change proposal, the analysis of the quality of the management of
policy or procedure that affects process safety (CCPS, 2013). Tradi- change activity and its safety implications are yet to be developed and
tionally, the term MOC is related to the safety management of technical proposed. Unfortunately, there seem to be a plethora of past major
changes. Interestingly, as pointed out by Gerbec (2017), there are not accidents, where serious deficiencies in the management of technical
many scientific papers related to the management of change as a part of and organizational changes were involved. Illustrative textbook ex-
safety management (Hoff, 2013; Keren et al., 2002; Koivupalo et al., amples include accidents in Bhopal, India, on 3.12.1984 (Shrivastava,
2015; Zwetsloot et al., 2007). Keren et al., 2002, performed a survey, of 1987, p. 49), Seveso, Italy, on 9.7.1976 (Jain et al., 2017, Section 7.4.2)
how often changes occur in the industry, and found among the re- and Flixborough, UK, on 1.6.1974 (Mannan, 2012, Section A2.8.16).
spondents the rate between 1 and 37 changes per annum per ten Accident databases (e.g., eMARS (EC, 2018), ARIA (BARPI, 2018) and

Abbreviations: CCPS, Centre for Chemical Process Safety; ID, Identifier code; MS, Management System; MOC, Management of Change; MOOC, Management of Organizational Change;
SCM, Safety Change Management (Gerbec, 2017)
⁎
Corresponding author at: Jožef Stefan Institute, Jamova 39, 1000 Ljubljana, Slovenia.
E-mail address: marko.gerbec@ijs.si (M. Gerbec).

https://doi.org/10.1016/j.ssci.2018.04.006
Received 1 December 2017; Received in revised form 2 March 2018; Accepted 11 April 2018
Available online 25 April 2018
0925-7535/ © 2018 Elsevier Ltd. All rights reserved.
D. Levovnik, M. Gerbec Safety Science 107 (2018) 119–129

agencies (CSB, 2018)) are not best suited to search specifically for the identification of the possible gaps in SCM, their profiling (reporting,
more recent specific examples. However, lessons learnt1 from the ARIA aggregating, trending applications), use of the common scale (e.g.,
database (consisting of almost 49,000 events) mention examples of 28 overall SCM readiness scale for the purpose of intra and inter organi-
events where MOC was reported deficient/absent. Our review also zational benchmarking) and allow sharing a common picture among
found that 8 out of 15 closed investigations by the CSB, in the period the various stakeholders (e.g., for the purpose of aligning horizontal
from 2015 till today, explicitly list MOC issues among the causes (Flash management activities, as recently proposed by Karanikas (2017)). The
Fire at the Delaware City Refinery, 29.11.2015 (CSB, 2017a); Ex- above brief review of the past and recently reported accidents where
xonMobil Torrance Refinery, 22.11.2016 (CSB, 2017b); Air Gas, issues in the performance of the management of change activities have
28.8.2016 (CSB, 2017c); Williams Geismar Olefins Plant, 13.6.2013 been revealed, clearly suggests that there is a burning need for a
(CSB, 2016a); Tesoro Martinez Refinery, 10.3.2014 (CSB, 2016b); US structured pro-active evaluation approach and subsequent corrective
Ink/Sun Chemical Corporation, 9.10.2012 (CSB, 2015a); Macondo well, actions.
10.4.2010 (CSB, 2016c); Caribbean petroleum corporation, 23.10.2009 This paper contributes to the research and industrial practice and
(CSB, 2015b)). Of those, the first six are reportedly related to the de- introduces an approach and tool that can be used to evaluate to what
ficiencies or absence of the management of the technical changes, and extent the principles of SCM are incorporated in industrial organiza-
last two are reported in the relation of the governance issues on the tions. We envisage that, in addition to the needs outlined in the pre-
details of the prescribed MOC (e.g., relevant, but legally not required at vious paragraph, this approach should add to the better recognition of
the time). In addition, reports, as a rule, do not relate possible human & possible gaps among the necessary elements of the SCM and serve the
organizational issues encountered (e.g., inadequate staffing, etc.) to the safety management practices (e.g., as structured and coordinated input
deficient/absent management of organizational changes (MOOC) as to the audits, management reviews and investigations, at different
proposed by CCPS (2013). Thus, MOC/MOOC issues are likely under- management levels (Karanikas, 2017)).
reported. The overall conclusion at this point is that MOC plays a much In Section 2, we will explain the approach used in the proposed
more important role in process safety as considered by the industry and assessment method for organizational readiness for safety change
also by the scientific literature today. management and its testing. Section 3 will present the results of testing
Let us examine the broader context, under which the needs for of the method at the case anonymous industrial organizations. Section 4
changes arise. In the field of management, the management of the or- will provide conclusions. In Appendix A, details of the method are
ganizations and management of the changes are almost synonymous. In presented, and in Appendix B, the spreadsheet tool implementing the
that respect, there is an abundance of literature on the topic. However, method is provided as supplementary material.
to undertake the change, it should be planned like a journey: including
its purpose, the route, with whom – in simple words about its evalua- 2. Approach
tion, planning and implementation (Paton and McCalman, 2008). Si-
milarly, it is about the changes in an organization's strategy, structure A review of the available literature has led us to the concept of
or culture, due to changes in its (business) environment, technology or operational readiness as a design philosophy proposed in the military
employees (Reiss, 2012). As pointed out by Gerbec (2017), the changes domain to describe the developmental state, in essence, the state of the
usually involve many management levels and a holistic approach managed change (project) (Nertney, 1987; Frei et al., 2015). By defi-
should be applied in their evaluation and planning. In that respect, the nition, the operational readiness ensures that the right people are in the
conventional management of change procedures usually consider only right place at the right time, working with the right hardware according
the technical & technology related changes and it has been suggested to the right procedures and management controls, and are functioning
that the organizational changes are important as well (Keren et al., in a favourable physical and psychological environment. The concept
2002; Zwetsloot et al., 2007; Koivupalo et al., 2015; CCPS, 2013; HSE, has recently re-emerged in the contexts of operational system dynamics,
2003; HSE, 2016). Furthermore, both types are obviously interrelated retaining organizational memory and was proposed for the application
and should be evaluated for impacts and planned for implementation in on the issues of ageing process plants and key emerging/enabling
an integrated way (Gerbec, 2017). technologies (Kingston-Howlett et al., 2016), and is used also in acci-
How should current procedures for the management of change dent investigations (Bonsu et al., 2016).
(MOC) of the technical changes in industrial organizations incorporate As mentioned above, the concept comprehensively considers people
the principles and scope suggested for management of organizational – hardware – procedures (more will be explained in the following
changes (MOOC; see CCPS, 2013)? As a target, that should be done section), considers development dynamics and incorporates pre-defined
using an integrated approach (to make a distinction we name it a stages of the operational readiness (to be used for the common re-
“safety change management” (SCM); Gerbec, 2017). The answer is, by porting scale). Specific evaluations should be done using the audit
an initial gap analysis of its own procedures and practices against the technique. Having thus adopted the concept of operational readiness as
specifications using an audit technique. suitable to work on, on the other side, it does not go to the specific
As one of the imperatives of this study, the authors of the paper have details/criteria to be assured for the management of change activity as
been involved as consultants to various industrial organizations (in- such. In that respect, we applied the essential features of the MOC as
ternationally) for the purpose of the implementation of their formal proposed by CCPS guidelines for process industry (CCPS, 2007), as well
safety management systems. In that respect, we repeatedly found that as considered the issue of the organizational changes (CCPS, 2013;
managers are also interested in a comparison (benchmarking) of their Gerbec, 2017). That allowed us to build from the readily available list
safety management systems performance against other industrial or- of the necessary activities, terminology, key & essential features, and
ganizations (not necessary in the same country or in the same type of performance criteria. Details on the merge of the readiness concept and
the industry). Such a request brings an analyst to the issue of business specifications for MOC and MOOC are given in next section.
data confidentiality and how to compare the findings on a common
scale to ease the communication of the results. 2.1. Method
To date, reported research or available guidelines do not explicitly
address systematic evaluation approaches that would offer We built the proposed method for the assessment of the organiza-
tional readiness of the safety change management based on the
Nertney's principle, that industrial organizations shall treat their op-
1
https://www.aria.developpement-durable.gouv.fr/wp-content/uploads/2017/06/ erations and their parts as a whole: people, procedures, equipment and
Brochure_IMPEL2017_EN.pdf. conducive conditions (Nertney, 1987; Frei et al., 2015). The “whole” of

120
D. Levovnik, M. Gerbec Safety Science 107 (2018) 119–129

Personnel-procedural
interface

Procedure type and content

appropriate to personnel

Training correlated
with procedure
Personnel Procedural
subsystem People T&Q˜d to subsystem
procedure
Readiness progression direction
Verify current from the unsteady state (outside)
status to the congruent state (centre)

Ready

GO
Go

Ready

Verify current
status Generalization
of Nertney readiness
stages
Acceptance tests
Plant-personnel
interface Plant-procedural
interface
Detailed design.
Evaluate existing design

Conceptual design

# Readiness stage definition

1. Basic principles defined
Plant equipment 2. Detailed principles defined
subsystem 3. Principles subject of testing and qualifications
4. Principles verified, incl. interfaces
5. Ready
6. GO!

Fig. 1. Graphical presentation of the Nertney wheel elements and interfaces and six developmental stages. Target operational readiness (congruence) is presented by
Bull's eye “GO”. For the purpose of this paper, generalized developmental states definitions are also presented.

the system means sub-systems (people (personnel), hardware (equip- CCPS (2007), provide detailed guidelines on the key principles to be
ment, plant) and procedures (management controls)) and their matched followed (Section 15.2) and list of essential features in MOC related
interfaces (people-hardware, procedures-hardware and procedures- work activities is provided in Section 15.3. Considering suggested es-
people). That represents six elements of the system that can be subject sential features of MOC, organizational changes (CCPS, 2013; Gerbec,
to specific evaluations against the set criteria. The graphical re- 2017) and auditing guidelines (CCPS, 2011) allowed us to prepare a list
presentation of the elements is known as the “Nertney's wheel” (see of key principles and essential features of an (ideal) comprehensive
Fig. 1). SCM2 system in organizations. The list consists of 54 essential features
The essential feature of the Nertney's model, important for the and related audit type questions that are to be answered either with yes
proposed method, is the concept of stages of organizational readiness. (the feature exist or is performed) or no (the feature does not exist (e.g.,
As the Fig. 1 suggests, the initial organization's readiness can progress not implemented) or is not performed), according to the evidence
from initial unsteady (undefined) stage, at the outside of the wheel, presented at the self-assessment or audit interview3. It is important to
towards the centre where (ideally) all elements are ready and the note here that this approach allows to directly use the recognized
system is ready to “GO” (stage 6). There are six readiness stages. comprehensive industrial guidelines on the MOC and MOOC, thus fa-
However, according to Nertney (1987) or Frei et al. (2015), there are no cilitating the communication with the interviewees on the goals, ter-
formal general definitions per each stage, but there are specific defi- minology and precise criteria on the MOC features. The list is provided
nitions (goals) per each element and each stage to be reached (Fig. 1). in Appendix A in Table A.1.
In order to apply the Nertney's principle to the SCM, authors of this The essential features were next mapped to the related readiness
paper first prepared general names and definitions of the readiness
stages (Fig. 1, Table 1). 2
The term safety change management as used in this paper relates to the common
Having prepared the general definitions of the readiness stages en-
management of changes in organizations for the aspect of process safety.
abled us to search for suitable definitions of the safety related man- 3
For example, related to the first audit question A.1 (see Table A.1), the organization
agement of organizational change procedures. The CCPS (2008) and either have or does not have a specific process safety related change management pro-
cedure.

121
D. Levovnik, M. Gerbec Safety Science 107 (2018) 119–129

Table 1
Overview of the generalized definitions of Nertney's readiness stages (Nertney, 1987; Frei et al., 2015) for the purpose of this work.
Stage Stage name Definition

1 Basic principles defined Basic procedural, personnel and equipment requirements, including their interfaces, are defined for a specific management
activity/operational system
2 Detailed principles defined In addition to basic, also detailed requirements are clearly defined for procedural, personnel and equipment parts, including
their interfaces. This includes compliance with best practices/recommendations
3 Principles subject of testing and In addition to detailed, performance testing and qualifications are implemented and performed, applying to all parts and their
qualifications interfaces
4 Principles verified, including interfaces In addition to testing, internal certification processes are defined and performed related to all three parts & interfaces within
the managed activity/operational system
5 Ready Specific sub-system/interface ready
6 GO! Plant/equipment, people, procedures are congruent – GO!

Key principles of Management of Change Model of the organizational readiness

A. Maintan a dependable practice Generic readiness stages Elements of the organizational system
1. Basic principles defined Procedural subsystem
B. Identify potential change situations
Personnel procedures interface
C. Identify possible impacts 2. Detailed principles defined
Personnel subsystem
D. Decide whether to allow change 3. Principles subject of testing and qualifications Personnel-plant interface
E. Complete follow-up activities 4. Principles verified, including interfaces Equipment subsystem
5. Ready Plant-procedural interface
(CCPS, 2007/2008/2013; Gerbec, 2017) 6. GO

(Nertney, 1978; Frei et al., 2015; Figure 1, Table 1)

List of 54 SCM essential Mapping of the SCM essential features into the organizational readiness
features and audit type model
questions (authors interpretation; visualization of the results)

(Table A.1) Elements

Readiness stages

(Table A.2)

Fig. 2. Graphical presentation of the development of the proposed method for evaluation of the organizational readiness of the safety change management.

stages and organizational elements (according to their definitions) as elements per given organizational stage are to be fulfilled in order to
interpreted by the authors. The process of the merge is graphically progress to the next (higher) stage. In other words, it is about a col-
presented in Fig. 2. The mapping is documented in the matrix stages vs. lective state of readiness in accordance with the system requirements
elements in Table A.2. The reader will note that, for the sake of brevity, (Nertney, 1987, p. 6). That allows assessment of the highest SCM
we introduced identifier codes (IDs) to enumerate the essential features readiness stage reached by the organization's process safety manage-
and example audit type questions in both tables. In principle, at least ment system, as well as the readiness stages and gaps for specific ele-
one or more audit questions were mapped to each cell in the matrix as ments of the SCM system.
criteria to be fulfilled. For example, audit questions with IDs A.1 and For a practical use of the method a spreadsheet tool implementing
A.2 (Table A.1), are clearly related to the criteria for the readiness stage and linking of Table A.1 to Table A.2 was prepared and is available as
1 (basic principles defined) for the element of procedural sub-system; Supplemental material in Appendix B.
audit question D.8 (Table A.1) is related to the criteria for the readiness
stage 4 (Principles verified, including interfaces) for the element per-
2.2. Case organizations
sonnel subsystem.
Needless to say, the Nertney's model requires that criteria for all the
Sampling technique used in this research was non-probabilistic. We

122
D. Levovnik, M. Gerbec Safety Science 107 (2018) 119–129

Table 2
Summary of info on six anonymous industrial organization involved in testing the proposed method.
Organization NACEa classification Number of employeesb Classificationc

A C 20.2 Manufacture of pesticides and other agrochemical products Medium Upper tier
C 20.1 Manufacture of basic chemicals, fertilisers and nitrogen compounds, plastics and synthetic rubber in primary
forms
B C 20.13 Manufacture of other inorganic basic chemicals Medium Upper tier
C B 06.10 Extraction of crude petroleum. Larged Upper tier
D D 35.11 Production of electricity Medium Lower tier
E C 20.16 Manufacture of plastics in primary forms Medium Upper tier
F C 20.11 Manufacture of industrial gases Medium Upper tier

a
According to Eurostat (2008).
b
Micro: < 10; Small: 10–49; Medium: 50–249; Large: > 250 employees (Eurostat, 2008).
c
Lower or upper tier category according to the national legislation implementing EC (2012).
d
More than 1000 employees on the related production site.

decided to employ purposive sampling to select cases (organizations) questionnaire tool (provided in Appendix B). This allowed immediate
that will correspond to our objective. Therefore, our sample does not visual interpretation of the results and the readiness stage reached per
statistically represent the population of process industry subject to elements and in overall.
major accident hazards.4 Organizations in our sample were selected
based on the previous collaboration with authors (where we have 3. Results and discussion
managed to ensure access through existing contacts). Because organi-
zations were included in the sample based on the established re- Findings from individual organization audits are best presented in
lationship with the contact, this implies convenience sampling. How- the filled out Table A.2, which we automated using the spreadsheet
ever, our sample also fulfils purposive sample selection criteria that tool. As an example, colour coded results obtained for organization A
were relevant for our research (Saunders et al., 2016). Our selection of are presented in Table 3. It can be observed that it failed to reach
organizations corresponds to the so-called typical case sampling and readiness stage 1 (Basic principles defined) due to negative findings
serves as an illustrative profile for a representative case. The proposed related to required essential feature in element plant-procedural inter-
method for the assessment of the organizational readiness was applied face (ID = B.1) “Types of technical changes are defined (extensive
and tested on six industrial organizations. The sample provides an il- lists)” with audit question “Is the scope of technical changes defined in
lustration of a typical process industry organization that is subject to a detail (extensive lists, referencing applicable guidelines and prac-
major accident hazards. All organizations are from the European Union tices)?”. The finding is based on the reported fact that simple check lists
or candidate countries and belong to the process industry. Each of the are used, but the details to be examined, assurance on their complete-
organizations, that were selected, falls under a slightly different eco- ness and referencing on them were not available. Related to the
nomic activity. Organizations conduct operations on, between one and readiness stage 2 – Detailed principles defined, there are eight audit
six, operational sites. Anonymous summary of their economics classi- questions with negative findings (left to right: B.5, A.5, C.10, C.7, C.8,
fication, number of employees and “Seveso III” classification (EC, 2012) E.6, E.7), rendering only personnel-procedure interface and equipment
is provided in Table 2. subsystem ready. Similar observations can be reached for other ele-
ments and readiness stages, summarizing to 25 negative findings in
total considering six readiness stages and six elements. However, or-
2.3. Procedure
ganization A did not reach stage 1 due to a specific deficiency in the
plant-procedural interface, despite the fact that, for example, equip-
First, each organization's representative was contacted by phone to
ment subsystem reached a high readiness stage of 3. Such a conclusion
announce the purpose, scope and expected benefits from the audit type
is in accordance with Nertney wheel principle (Section 2.1). As the
interview. Next, an email was sent to all participating organizations
organization A did not reach stage 1, let us conclude that it remained at
with an extended description of the topic and a questionnaire tool
the stage 0 (despite the fact that this is not a Nertney readiness stage).
(Appendix B) that was later used in the testing of the proposed method.
Furthermore, the results collected from all six organizations can be
In this way, the participating organizations were able to familiarize
compared. In general, results are similar and their SCM elements pro-
themselves in advance with the questions.
files and are presented graphically for the sake of clarity as a bar type of
In the second part, a meeting was organized. Through the interview,
graph in Fig. 3. It can be observed that none of the organizations that
representatives of the organization (auditees) reported their positions.
participated in the testing had met all of the requirements (essential
The role of authors was to provide additional explanations on the topics
features) needed to reach the readiness stage 1. This comes as a kind of
and audit questions. Thus auditees reported if they have or don’t have
surprise, yet the list of essential features required and the Nertney
the specific essential features of the SCM system within their organi-
wheel concepts applied are demanding in that respect.
zation's safety management system. Usually, one or two mid-managers
However, as authors have noticed, overall understanding of SCM
appointed for process safety, MOC and development projects partici-
requirements among the auditees was good. In most cases, organiza-
pated. The interview usually lasted up to about two hours, depending
tions had established some sort of informal or partly defined manage-
on the familiarity of participants with the topic, and covered all 54
ment of change procedures. The findings for all case organizations can
essential features that are required by the proposed method. Answers to
be summarized per readiness stages as follows:
audit questions, names of the auditees, presented evidence, and any
additional explanations or comments were then entered into the ques-
a. Generally, the organizations did not clearly define the procedures
tionnaire tool. Then, answers were mapped automatically using the
and criteria for SCM; related to the stage of basic readiness stage,
non-transparent change impacts evaluation method (e.g., scope and
4
According to the eSPIRS database (https://minerva.jrc.ec.europa.eu/en/espirs/ details of the evaluations are not defined in advance, but based on
Content) there are more than 10.000 establishments reported in 2017 by EU manager/expert personal experiences; trustworthy checklists are not
28 + EEA/EFTA countries.

123
D. Levovnik, M. Gerbec Safety Science 107 (2018) 119–129

Table 3
Example of summarized findings for the test organization A. Essential features and answers (yes, in green colour; no, in red colour) per six elements of the safety
change management system and six operational readiness stages are presented. In this example, organization A failed to reach stage 1 (Basic principles defined) due
to a negative answer to the audit question B.1 related to Plant-procedural interface element (see Table A.1 for reference).

prescribed, etc.) as well as undefined replacement-in-kind term feature B.6) – thus the consideration of any impacts from organi-
comes to mind here (essential features B.1 and B.3, respectively). In zational changes or integrated evaluation is at its very beginning.
other words, addressing those two essential features in test organi- c. Most of the participating organizations also achieved some essential
zations would render a large part of them to reach the basic readi- features related to the third readiness stage. In this stage, the biggest
ness stage. In most cases, we have observed that organizations un- issue is the absence of a definition for any performance indicators,
derstand the importance of technical changes and they also take including the rate of all requested changes. Two organizations
them into account when assessing the impact of proposed change. reached this readiness stage in equipment subsystem (essential
However, the formal definition has not been established. feature E.14), while others bound equipment testing and re-certifi-
b. Related to the second readiness stage, specific (SCM related) cation only to investment projects and not to changes as such.
training of managers and experts presented the largest and the most d. The main issue related to the fourth readiness stage is that organi-
common problem for the majority of participants. Compliance with zations do not plan or perform internal audits (essential feature A.9)
this requirement would allow managers and experts to obtain ad- and management reviews (essential feature A.10) on the changes
ditional knowledge of the impact that change can have on the or- management activity, thus the feedback loop seems to be missing
ganization. Another most common problem at this stage represents here. On the other side, general change goals are pre-defined and
the lack of analytical techniques and methods that should be defined evaluated for (essential features E.10, E.11, E.12) in four organiza-
for each type of change. The absence of defined techniques and tions. The periodic planned verification of the interfaces (essential
methods impedes consistent and accurate implementation of SCM. features E.9, E.10, E.15) is performed in three organizations.
Only two organizations reported that they manage and evaluate the
organizational changes (essential feature B.5) and none of them The note on the duration of the audits given in Section 2.3 should be
considers the change impacts across management levels (essential considered with a reservation. As the results imply, a considerable part

124
D. Levovnik, M. Gerbec Safety Science 107 (2018) 119–129

6
A B C D E F

5
Readiness stage reached

0
Procedural subsystem Personnel-procedures Personnel subsystem Personnel-plant Equipment subsystem Plant-procedural
interface interface interface

Elements of the operational readiness

Fig. 3. Example of the graphical presentation of the profiles of the operational readiness stages reached for six elements of the safety change management system for
six test organizations (A–F). We can conclude that none of the organizations reached minimum readiness stage (1 – Basic principles defined) considering all six
elements.

of the essential features searched for was typically immediately openly seriously lagging behind available best practices, thus possible issues
reported by the interviewees as not present in the organizations (in the seem to be of low relevance.
example from organization A on Table 3, 25 out of 54) thus sig- Next possible limitation comes from the author's application of MOC
nificantly shortening the duration of the interview. Examples: (i) if the essential features into the concept of organizational readiness, which
details of the types of technical changes were not defined (essential required some interpretations in terms of related SCM system elements
feature B.1) than, as a rule, also the types of organizational changes and readiness stages, however, due to clear and consistent definitions in
were not defined (B.3); (ii) if the performance indicators are not set/ the guidelines used (CCPS, 2007) and extensions (CCPS, 2013; Gerbec,
collected (essential feature A.8), than as a rule, performance reviews 2017), authors are reasonably confident that the mapping was carried
are not planned/done (A.10), decision making criteria are not subject of out correctly. The method uses the binary answers to the audit ques-
verification (D.7), audits are not planned/done (D.8) and periodic tions (thus possible additional grading between yes and no is not con-
plant/equipment validation is not planned/done (E.9). Such, or similar, sidered). We understand possible limitations only in terms of con-
patterns of presence or absence of essential features were found in all sistently defining and following the evaluation criteria per each
case organizations. essential feature; in that respect CCPS (2007), Section 15.3 is very
Lastly, the auditees were, after the interviews, interested in the re- helpful.
sults, the readiness stages reached and how do they compare to other Another possible issue in the application of the proposed approach
case organizations. As none of the organizations reached the basic relates to how the audit interview and self-assessment are carried out.
readiness stage, the questions at hand were what exactly is missing, The auditees should clearly understand the topics discussed and provide
what would be the way ahead and if they can further use the tool. The honest answers. The aid for the first is the use of the available guide-
presentation of the results, as shown in Table 3, was commented as easy lines (mentioned above), briefing and training on SCM topics; for the
to follow (related to the planning of the corrective actions on the SCM second, following the principles of auditing technique (selection of
procedure and practice), and for the intra or inter organizational auditor(s) and auditees, documenting evidence) should provide rea-
benchmarking on the reporting of the overall readiness stage or pro- sonable assurances.
filing per elements was also found useful (as it enables the con- Finally, considering the summarized results from the testing in six
fidentiality of specific organizational business data). industrial organizations, we repeat that the sample cannot be re-
presentative for the whole process industry in the EU. However, the
results, in general, are congruent with the previous MOC benchmarking
4. Limitations
results from US industry as reported by Keren et al. (2002) and MOC
issues revealed in recent accident investigations discussed in section
The presented approach to the evaluation of the organizational
Introduction.
readiness of the safety management of changes builds on the existing
method (Nertney, 1987; Frei et al., 2015) and its application on the
proposed essential features of rather advanced MOC and MOOC 5. Conclusions
guidelines (CCPS, 2007, 2013). In that respect, the proposed method is
bound by the possible issues in scope, completeness and consistency of Integrated management of changes in process industry seems to be
both. On the other side, the results of application and testing of the still in its infancy. Available literature, textbook cases & recent cases of
method suggest that current readiness in industrial organizations are major accidents involving deficiencies in management of change concur

125
D. Levovnik, M. Gerbec Safety Science 107 (2018) 119–129

with the general results of this study: case industrial organizations, readiness elements & stages for the purpose of audits, management
evaluated using the proposed approach and tool are on one side clearly reviews, incident investigations; see rationale at end of section
aware of the importance of the topic, but on the other side, their in- Introduction).
ternal procedures and practices are all having difficulties in reaching
the first stage with defined SCM basic principles (for example, based on While the sample of the case organizations is small, the consistent
the essential features, as suggested by the industrial guidelines that are results and congruence with the literature and accident investigations
readily available). The proposed approach to evaluate the readiness mentioned above, suggest that management still relies on personal
stage of SCM in industrial organizations can serve a number of pur- experience (when and how to perform SCM cases) and are reluctant to
poses: preserve the knowledge in written and verified procedures and criteria.
In that respect, we recall that the late Trevor Kletz perfectly said:
i. provide insight into potential gaps on the specific essential features “Organizations have no memory, only people have memory”.
of SCM (the basis for the corrective actions),
ii. Summarize the gaps in relation to the specific elements of the SCM
operations readiness (aggregation of the results for the purpose of Acknowledgement
risk communication, statutory supervision, etc.),
iii. Report overall readiness stage, as well as specific readiness stages The authors acknowledge the financial support from the Slovenian
reached per its elements (aggregation of results for benchmarking), Research Agency (research core funding No. P1-0045).
and The authors would like to thank the six anonymous industrial or-
iv. Provide structured input on the SCM gaps to the management for ganizations and their managers for applying and testing the proposed
better horizontal alignment of their activities (e.g., on SCM method.

Appendix A

Tables A1 and A2.

Table A.1
Key principles of safety change management, their essential features and example audit questions. Please refer to Fig. 2 and main text for application in relation to
Table A.2. Column ID (identifier code) provides a mapping aid to use Table A.2.
Key principles ID Essential features Example audit questions

A. Implement SCM A.1 Safety Change Management (SCM) procedure is Is there a safety change management (SCM) procedure formally adopted by the
procedure defined organization?
A.2 SCM procedure owner is defined Did the organization assigned the responsible person/position as owner of the SCM
procedure?
A.3 Types of changes are clearly defined (technical, Are the technical/technology, equipment and organization (roles, procedures)
equipment, organizational) changes at given organizational areas & levels mandatory managed?
A.4 Roles for SCM defined in a structured way Are the personnel roles in managing changes defined across organizational
hierarchy?
A.5 SCM related management & experts specifically Are the manager positions and subject matter experts with roles in SCM subject of
trained specific training about their roles?
A.6 Employees & contractors trained on SCM awareness Are the employees & contractors subject of initial and periodic refresher training
about change management principles (basic awareness)?
A.7 SCM log is accessible to all affected personnel Are the records of past change proposals (all types) available to all interested
personnel (preservation of process safety knowledge)?
A.8 SCM performance indicators are collected regularly Is part of SCM procedure also collection of data on the changes and change activity
based performance indicators?
A.9 SCM cases are regularly audited for quality Are the records of carried-out SCM cases subject of periodic regular audits for
compliance and rigor applied in evaluation and implementation?
A.10 SCM performance reviews are done regularly Is the overall performance of the SCM procedure and activities subject of periodic
formal management reviews?

B. Define scope of SCM B.1 Types of technical changes are defined (extensive Is the scope of technical changes defined in a detail (extensive lists, referencing
lists) applicable guidelines and practices)?
B.2 Relevant areas, locations, processes and equipment Is the scope of change management in terms of geographical locations, plants and
are defined processes defined?
B.3 Clear definition of equipment Replacement in Kind Is a “replacement in kind” term clearly defined (definitions, examples of what is not a
(RIK) change case)?
B.4 Plant, equipment, process conditions and work Is detailed evaluation for plant equipment, process conditions and work procedures
procedures subject of detailed evaluation carried out?
B.5 Types of organizational changes are defined (impact Are the organizational changes defined as any change in position, responsibility in
on various management aspects) organization, its policy or procedure, that can affect process safety (like structure,
staff, skills, systems, strategy, style and shared values)?
B.6 Technical and organizational changes are Does the SCM procedure clearly considers and evaluates the fact that the technical
interrelated and the organizational changes are usually interrelated?
B.7 Sources of changes vs. RIK are monitored Do managers having a role in change management have an obligation to periodically
monitor and report for unrecognized sources of a changes (e.g., allegedly “RIKs”)?

(continued on next page)

126
D. Levovnik, M. Gerbec Safety Science 107 (2018) 119–129

Table A.1 (continued)

Key principles ID Essential features Example audit questions

C. Identify possible change C.1 Structured input, e.g., checklists, are used for input Does the formal SCM procedure considers use of structured documents, requiring
impacts information rationale for the proposed change, hazards checklist reminders, etc., in order to
transparently evaluate the proposal?
C.2 Review rigor & authorizers are defined per each type Are the detailed evaluation questions, analyses, reviewers and authorizers related to
of change the specific types of proposed changes (in contrast to pre-defined list of)?
C.3 Analytical methods/techniques are defined per each As changes can be diverse in nature, are safety implications evaluation methods
type of change defined for each type of (e.g., for each type of a hazard)?
C.4 The integrity of the identified management aspects Does the SCM procedure considers evaluation of possible impacts on the managed
and their elements is maintained aspects and their elements in a structured and documented way?
C.5 Cross type impacts are formally identified Does the formal SCM procedure evaluate the possible safety implications from one
type of a change to the second or third type - e.g., across management aspects?
C.6 Change alternatives/optimizations are to be Are during evaluation & planning change alternatives considered and optimized for
considered more than one aspect?
C.7 Temporary changes are explicitly identified and Does the SCM procedure allow for temporary changes and their duration and
managed retraction are to be duly considered?
C.8 Emergency changes are defined and subject of Does the SCM procedure allow for emergency changes and their normal evaluation is
specific SCM procedure to be duly considered in defined time?
C.9 SCM reviewers' qualifications are specified Is the list of specific change reviewers defined including their required qualifications?
C.10 Each change type requires specific review disciplines Is it defined for each change type which specific evaluations by expert reviewers are
to be done?
C.11 Risk evaluation is done by competent reviewers Does the SCM procedure requires that risk evaluation for the specific hazards is done
by specific competent reviewers/experts?
C.12 Risk evaluation is based on organization's risk Are the reviewers provided with guidance on organizations risk tolerance, or risk
tolerance, or risk controls criteria controls criteria for each hazard type in order to coordinate their results?
C.13 SCM data records and review retained for the Does SCM procedure requires that data records and reviews are retained for the
performance evaluations performance evaluations?
C.14 Personnel's attitude towards all types of changes is Does the organization monitor in any way (pro-actively or re-actively) the attitude
subject of management's attention (culture) of the personnel towards organizational or technical changes?

D. Decide whether to allow D.1 Authorizer(s) for proposed change are defined Is the list of authorized person(s)/position(s) to approve/reject change proposals
change defined in advance?
D.2 Authorizer(s) are defined per type of change Does the authorized person(s)/position(s) needed depend on the type of the change
(variable) (is variable on the nature of the proposed change)?
D.3 Authorizer's duties are specific per each type of Is the authorizer's duty specific and only related to each type of change?
change
D.4 Deputies of authorizer(s) are defined Is there a policy/praxis that a deputy is assigned in addition to the specific authorizer
(in a case of unavailability)?
D.5 Authorizers are provided with options in approval Does the SCM procedure requires that authorizer(s) are provided with options
decisions (specific for each type of change) when reaching decisions?
D.6 Authorizers are trained in org. formal risk Are the authorizers internally trained about organization's risk tolerability criteria
tolerability criteria related to the SCM decisions to be reached?
D.7 Verification of decision making criteria is made Is decision making criteria subjected to any type of verification?
D.8 Follow up audits of authorizers performance is done Is the performance of a liable authorizer(s) subjected to the follow up audit(s)?

E. Complete follow-up E.1 Process knowledge documentation affected must be Does the SCM procedure require that the process documentation is updated before
activities updated before change is effective the change is effective?
E.2 Changes are formally communicated to personnel Does the SCM procedure require that the pending change (any type) is communicated
before being implemented to the related personnel before it is implemented?
E.3 Training materials affected must be updated before Does the SCM procedure among other actions in principle requires that that the
implemented change affected training materials are updated about the pending change (any type)?
E.4 Personnel (own/contracted) is retrained and Does the SCM procedure requires that the personnel/contractors are first re-trained
evaluated for understanding about updated training materials related to pending change?
E.5 Change action items are formally tracked till Does the SCM procedure require that the approved changes are duly planned by
completion action items that are formally tracked till completion and then closed?
E.6 Temporary changes are explicitly restored to normal Does the SCM procedure require that the approved temporary changes are restored
state back to original state within the specified time?
E.7 Emergency changes are completed as normal SCM Does the SCM procedure require that the approved emergency changes are evaluated
procedure within specified time and completed as normal changes within specified time?
E.8 SCM records and updated process knowledge Does the SCM procedure require that the records on all change proposals, evaluation
documentation are archived for the life of the process procedure and actions are archived for the life of the process?
E.9 Periodic plant/equipment validation against process Does the SCM require periodic validation of plant/equipment against process
knowledge documentation knowledge documentation?
E.10 Periodic plant procedures validation against process Does the SCM require periodic validation of work procedures against the process
knowledge documentation knowledge documentation?
E.11 Change impacts are followed up Does the SCM require that the change impact(s) are followed up (which aspects,
safety?)?
E.12 Personnel is appointed to the task (evaluation) Does the SCM require that a certain personnel is appointed to the evaluation task?
E.13 Principles/criteria were defined in advance Does the SCM require that principles/criteria are defined in advance?
E.14 Changes in equipment are subject of test and Does the SCM require that any changes made in equipment are subjected to testing
qualification and qualification?
E.15 Personnel-equipment match is subject of periodic Does the SCM require periodic verification of personnel-equipment match?
verification

127
 D. Levovnik, M. Gerbec

Table A.2
Mapping of the required essential features of the safety change management per readiness stages and elements of the SCM system. Please refer to Table A.1 for definitions of IDs of essential features.
Safety Change Management (SCM) system elements

Readiness stage Procedural subsystem Personnel-procedures interface Personnel subsystem Personnel-plant interface Equipment subsystem Plant-procedural interface

Stage Description Description ID Description ID Description ID Description ID Description ID Description ID

1 Basic principles Basic procedural, personnel Select basic MOC A.1, Change management C.1, Selection of A.4, When change in A.3 Plant concept subject B.3 Plant procedural B.1,
defined and equipment procedure A.2, procedure is taken D.1, personnel related E.2, E.3 equipment occur, of change format and content B.2
requirements, including into account when E.1 to basic MOC possible impacts to management matched to
their interfaces, are defined proposals and other requirements personnel are hardware being
for a specific management documents are considered preserved
activity/operational system prepared by personnel

2 Detailed In addition to basic, detailed Select advanced A.3, Training correlated to C2, Basic and A.5, Detailed A.5, Plant detailed concept B.4 Organization and E.5,
principles requirements are clearly SCM procedure B.5, the required C.3, specialized A.6, ergonomics. C.7, and liaison with plant procedures E.6,
defined defined for procedural, B.6, competences of the D.2, training C.9, Training designed C.8 people and procedures correlated with E.7
personnel and equipment stakeholders in the D.3, developed and C.10, to fit the hardware subject of change hardware design
parts, including their SCM procedure D.4 applied E.4 management being preserved

128
interfaces. This includes
compliance with best
practices

3 Principles In addition to detailed, Establish SCM B.7, Personnel, reviewers A.7, Test & qualify C.11, Tested by users in E.11, Changes made on E.14 Plant procedures E.8
subject of testing performance testing and procedure liaison C.4, and approvers trained A.8, (performance C.12, realistic conditions E.12, equipment are validated against
& qualifications qualifications are with shop floor staff C.5, and qualified to use D.5 assurance) C.13 E.13 subjected to testing plant equipment
implemented and and all C.6 the SCM procedure
performed, applying to all management levels
parts and their interfaces

4 Principles In addition to testing, SCM procedure A.10 When SCM procedures A.9, Verify current D.8 People present E.15 Verify that E.9 Plant procedures E.10
verified, internal certification recognized and are changed, D.6, competence status match hardware documentation of all are validated
including processes are defined and supported on shop reviewers are D.7 change proposals are against plant
interfaces performed related to all floor and all acquainted with properly equipment
three parts and interfaces management levels changes (verification administrated
within the managed is also made)
activity/operational system

5 Ready Ready Ready Ready Ready Ready Ready

6 Plant/equipment, personnel and procedures are congruent – GO
Safety Science 107 (2018) 119–129
D. Levovnik, M. Gerbec Safety Science 107 (2018) 119–129

Appendix B. Supplementary material

Supplementary data associated with this article can be found, in the online version, at http://dx.doi.org/10.1016/j.ssci.2018.04.006.

References Gerbec, M., 2017. Safety change management – a new method for integrated management
of organizational and technical changes. Saf. Sci. 100, 225–234. http://dx.doi.org/
10.1016/j.ssci.2016.07.006.
BARPI, 2018. Bureau for Analysis of Industrial Risks and Pollutions. ARIA Database. Hoff, R., 2013. MOC scoping – ensuring that MOC action items are correctly and com-
< https://www.aria.developpement-durable.gouv.fr/?lang=en&s= > (22.2.2018). pletely described. J. Loss Prevent. Process Ind. 26, 499–510.
Bonsu, J., van Dyk, W., Franzidis, J.-P., Petersen, F., Isafiade, A., 2016. A systems ap- HSE, 2003. Organisational Change and Major Accident Hazards. Chemical Information
proach to mining safety: an application of the Swiss Cheese Model. J. S. Afr. Inst. Min. Sheet No CHIS7. < http://www.hse.gov.uk/pubns/chis7.pdf > (13.1.2016).
Metall. 116, 777–784. http://dx.doi.org/10.17159/2411-9717/2016/v116n8a10. HSE, 2016. UK HSE Website Guidance “Plant Modification/Change Procedures”.
CCPS, 2007. Guidelines for Risk Based Process Safety. Wiley, Center for Chemical Process < http://www.hse.gov.uk/comah/sragtech/techmeasplantmod.htm > (20.4.2017).
Safety, Hoboken, New Jersey. ISBN 978-0-470-16569-0. Jain, P., Pasman, H.J., Waldram, S.P., Rogers, W.J., Mannan, M.S., 2017. Did we learn
CCPS, 2008. Guidelines for the Management of Change for Process Safety. Wiley, Center about risk control since Seveso? Yes, we surely did, but is it enough? An historical
for Chemical Process Safety, Hoboken, New Jersey. ISBN 978-0-470-04309-7. brief and problem analysis. J. Loss Prevent. Process Ind. 49, 5–17. http://dx.doi.org/
CCPS, 2011. Guidelines for Auditing Process Safety Management Systems, second ed. 10.1016/j.jlp.2016.09.023.
Wiley, Center for Chemical Process Safety, Hoboken, New Jersey. ISBN 978-0-470- Karanikas, N., 2017. Evaluating the horizontal alignment of safety management activities
28235-9. through cross-reference of data from safety audits, meetings and investigations. Saf.
CCPS, 2013. Guidelines for Managing Process Safety Risks During Organizational Change. Sci. 98, 37–49.
Wiley, Center for Chemical Process Safety, Hoboken, New Jersey. ISBN 978-1-118- Keren, N., West, H.H., Mannan, M.S., 2002. Benchmarking MOC practices in the process
37909-7. industries. Process Saf. Prog. 21 (2), 103–112.
CSB, 2015a. < http://www.csb.gov/us-ink-fire/ > (22.2.2018). Kingston-Howlett, J., Frei, R., Garforth, A., Lindhout, P., 2016. More than process restart/
CSB, 2015b. < http://www.csb.gov/caribbean-petroleum-refining-tank-explosion-and- pre-start: operational readiness – alive and kicking. In: IchemE, Hazards 26
fire/ > (22.2.2018). Conference, Edinburgh. < http://www.nri.eu.com/Hazards%2026%20paper.
CSB, 2016a. < http://www.csb.gov/williams-olefins-plant-explosion-and-fire-/ > (22.2. pdf > (22.2.2018).
2018). Koivupalo, M., Sulasalmi, M., Rodrigo, P., Väyrynen, S., 2015. Health and safety man-
CSB, 2016b. < http://www.csb.gov/tesoro-martinez-sulfuric-acid-spill/ > (22.2.2018). agement in a changing organisation: case study global steel company. Saf. Sci. 74,
CSB, 2016c. < http://www.csb.gov/macondo-blowout-and-explosion/ > (22.2.2018). 128–139.
CSB, 2017a. < http://www.csb.gov/delaware-city-refining-company/ > (22.2.2018). Mannan, S., 2012. Lees' Loss Prevention in the Process Industries, fourth ed. Elsevier.
CSB, 2017b. < http://www.csb.gov/exxonmobil-refinery-chemical-release-and-fire/ ISBN: 978-0-12-397189-0.
> (22.2.2018). Nertney, R.J., 1987. Process Operational Readiness and Operational Readiness Follow-
CSB, 2017c. < http://www.csb.gov/airgas-facility-fatal-explosion-/ > (22.2.2018). On. System Safety Development Center, SSDC-39, DOE-76-45/39. Available at: <
CSB, 2018. US Chemical Safety Board. < http://www.csb.gov > (22.2.2018). http://www.nri.eu.com/SSDC39.pdf > (8.5.2017).
CSChE, 2004. Managing the Health and Safety Impacts of Organizational Change. Paton, R.A., McCalman, J., 2008. Change Management: A Guide to Effective
Canadian Society for Chemical Engineering, Ontario. < http://www.cheminst.ca/ Implementation. Sage, London.
sites/default/files/pdfs/Connect/PMS/Managing the Health and Safety Impacts of Reiss, M., 2012. Change Management – A Balanced and Blended Approach. BoD GmbH,
Organizational Change.pdf > (13.1.2016). Norderstedt.
EC, 2012. Directive 2012/18/EU of the European Parliament and of the Council of 4 July Sanders, R.E., 2005. Chemical Process Safety Learning from Case Histories, third ed.
2012 on the Control of Major-accident Hazards Involving Dangerous Substances, Elsevier Butterworth–Heinemann. ISBN 0-7506-7749-X.
Amending and Subsequently Repealing Council Directive 96/82/EC. < http://eur- Saunders, M., Lewis, P., Thornhill, A., 2016. Research Methods for Business Students,
lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32012L0018 > (13.1.2016). seventh ed. Pearson, Harlow (Essex).
EC, 2018. European Commission, eMARS (Major Accident Retrieval System) Database. Shrivastava, P., 1987. Bhopal: Anatomy of a Crisis. Ballinger Publishing Company. ISBN
< https://minerva.jrc.ec.europa.eu/en/emars/accident/search > (22.2.2018). 0-88730-084-7.
Eurostat, 2008. Eurostat Methodologies and Working Papers. NACE Rev. 2: Statistical US, 1992. 40 CFR Part 68, Subpart D – Program 3 Prevention Program; < http://www.
Classification of Economic Activates in the European Community. ISBN 978-92-79- ecfr.gov/cgi-bin/text-idx?SID=24363918a1da6e6c82f419fa327e6979&mc=true&
04741-1. < http://ec.europa.eu/eurostat/documents/3859598/5902521/KS-RA-07- node=sp40.16.68.d&rgn=div6 > (13.1.2016).
015-EN.PDF > (22.5.2017). Zwetsloot, G.I.J.M. Gerard, Gort, J., Steijger, N., Moonen, C., 2007. Management of
Frei R., Garforth A., Kingston J., Pegram J., 2015. Using Operational Readiness to change: lessons learned from staff reductions in the chemical process industry. Saf.
Improve the Management of Risk, Volume 1: Concepts. The Noordwijk Risk Initiative Sci. 45, 769–789.
Foundation. ISBN 978-90-77284-12-4. Available at: < http://www.nri.eu.com/
WHITE%20PAPER%202.1.pdf > (8.5.2017).

129