A Career in Process Safety: 50 Years of LPS
Arthur M. (Art) Dowell, III
A M Dowell III PE PLLC President, Houston, TX 77059; adowell3@comcast.net (for correspondence)
Published online 5 February 2016 in Wiley Online Library (wileyonlinelibrary.com). DOI 10.1002/prs.11814
Drawing from a career from 1963 through 2016 in the
chemical and process industries, this article will describe
some informal practices of process safety elements observed
during the Master-Apprentice era of the 1960s. The article
will trace the development of incident investigation, Process
Hazard Analysis, and Fault Tree Analysis tools used by the
author. It will touch on safety instrumented systems and the
development of Layer of Protection Analysis to determine
how strong the safety instrumented functions should be. V C companies. The opinions expressed here are my own and do
2016 American Institute of Chemical Engineers Process Saf Prog 35:
8–12, 2016
Keywords: risk assessment; hazards evaluation; layer of
protection analysis; process safety management; process
safety culture
BACKGROUND
In 1990, when the author asked operators, mechanics,
and engineers what they needed to do their jobs safely and
to meet operational excellence objectives, they responded
with the principles that were codified in the U.S. OSHA PSM
(process safety management) rule and later in the U.S. EPA
RMP (risk management plan) rule.
Of course, the Loss Prevention Symposium (LPS) was
there every year (the 50th is this meeting) with good papers
on new techniques, new concepts, and reminders of what
we used to know and have forgotten. The author has been
to many sessions and has contributed papers to quite a few.
So with the regulations, the good practices, the good
papers from LPS and the other symposia in the Global Con-
gress on Process Safety, why is not our record any better? In
fact, our record is better than it was 50 years ago, but should
not it be even better today than it actually is?
It is observed: “The message of the budget has been
heard throughout the globe, but the process safety message
has not been heard to the same extent.” Or, as Walt Howard
said in an early LPS paper, “We ain’t farmin’ as good as we
know how now.” We have the tools, but we have to use
them every day on every project. We can identify the hazards
and the independent protection layers (IPLs), but we have to
install them, maintain them, test them, and repair them.
INTRODUCTION
I have more than 50 years’ experience in the chemical
industry and thus equivalent experience in process safety. I
was a vacation relief operator for a chemical plant during the
summers of 1963 and 1964; an intern chemical engineer for
a chemical facility in the summer of 1965; and an intern res-
ervoir engineer for an oil company in the summer of 1966. I
started my professional career in 1967 at Rohm and Haas
C 2016 American Institute of Chemical Engineers
V review.
8 March 2016
Company as a technical support process engineer to a unit
that made hydrogen cyanide. We did not have the policies,
procedures, and resources that we think of today when we
mention process safety, but both occupational and process
safety were very important to the managers, operators, and
the engineer for the unit (me).
In this article, I will talk about my experiences learned
from both my employer and from my colleagues in other
not necessarily represent the perspective of other individuals.
As it turned out, my subsequent jobs in engineering
design, startup, technology management, and research had
elements of process safety included. We did want to under-
stand the hazards and risks of our facilities and to prevent
incidents. These assignments were a preparation for the pro-
cess safety job that I entered in 1989—the job I was meant
to do when I grew up. Some highlights from my experience
might be helpful in understanding where we are in process
safety today.
“MASTER-APPRENTICE”
Over the years, I saw informal management of change
(MOC) reviews. I also saw the hazardous results of changes
made without any review. In that era, a lot of people learned
from “Master-Apprentice” relationships. The Masters retired
and now everyone tries to do more with less, so we need
systems to capture the procedures and learnings that Masters
carried in their heads.
In 1965, two chemical engineers stopped by the lab
where I was working to consult with two chemists who had
knowledge of one of the process technologies. The engi-
neers were planning a change and wanted input on the
potential risks and problems that might be encountered with
that change. The chemists gave advice and recommended
additional personnel to consult. I did not realize it at the
time, but I had just observed my first MOC or environmental,
health and safety review. “What is the change, why are we
making it, what are the risks of the change, how can we
manage the risks?” From my memory, that review contained
most of the elements that were ultimately incorporated into
our formal MOC system in 1991. In addition, that informal
MOC review was much more effective than pro forma MOC
reviews observed in the early 2000s (at unnamed locations)
in which all the attention was focused on getting through the
checklist rapidly, and no effort was used to really understand
the changes and the potential risks.
Early in my first assignment, the operators showed me a
pipeline in the unit called the “rattlesnake” line. They said,
“You don’t ever want to use this line. If you do, it will bite
you big time!” They told me the line had been put in during
the middle of the night. I concluded, without any MOC
Process Safety Progress (Vol.35, No.1)
Table 1. Four quadrants of knowledge.
Information That I Know
I know whether I know the information Know that I know
I do NOT know whether I know Do NOT know that I know
the information
MULTIPLE CAUSES FOR MAJOR INCIDENTS
Over time, as my experience grew, I was asked to lead
investigations into the causes of explosions, fires, and other
process upsets. I observed that there was always more than
one cause (typically, at least three) for a serious incident in a
reasonably well-designed and well-maintained facility.
INHERENTLY SAFER
In 1974, I was working in the north of England on a
startup, when the Flixborough explosion occurred. It particu-
larly caught my attention because of the local media reports.
One of the causes was that the process had a large inventory
of a liquid phase flammable liquid above the boiling point.
When the leak occurred, a large vapor cloud found an igni-
tion source, exploded, and destroyed the facility with 28
fatalities. Subsequently, Trevor Kletz suggested “What You
Don’t Have, Can’t Leak” [1]. Years later, I was cochair of the
Center for Chemical Process Safety (CCPS) subcommittee
that wrote the “gold book” on inherently safer design for
chemical processes. I was a member of the subcommittee
that produced the second edition of the book [2,3].
WHEN YOU DO NOT KNOW THAT YOU DO NOT KNOW
A second cause of the Flixborough incident was MOC.
One of the reactors was removed and replaced with a tem-
porary pipe supported by scaffolding with the existing
expansion joints at both ends of the pipe. The replacement
was not engineered (a mechanical engineer was not on site)
and the staff did not know that they did not know about
appropriate support for the temporary pipe. Table 1 shows
the four quadrants of knowledge.
 If I know that I know something, I can apply that knowl-
edge appropriately (upper left quadrant).
 If I know that I do not know something, I can seek
expertise from someone who does know (upper right
quadrant). For example, as a chemical engineer, I know
that I do not know specifics of piping support; I know I
should talk to a piping engineer.
 In the lower left quadrant, I do not know that I know
something. Usually, I have to think about it, analyze it, or,
possibly, derive it from what I do know.
 The lower right quadrant is the danger quadrant. I do not
know that I do not know something. The Flixborough
staff did not know that they did not know whether the
temporary bypass needed appropriate support or not.
The Flixborough incident taught us about inherently safer
design, and the importance of knowing what we do not
know.
PROCESS HAZARD ANALYSIS AND FAULT TREE ANALYSIS
In 1978, I was introduced to process hazard analysis
(PHA), specifically, HAZOP for hazard identification. I was
also introduced to fault tree analysis (FTA) as a tool to iden-
tify the specific combination of causes for an undesired
event to occur and to calculate the frequency of the occur-
rence. “Break it on paper, fix it on paper, before the incident
in the real world.” In 1979, we conducted the first HAZOP at
the plant where I was working and we continued to do
Process Safety Progress (Vol.35, No.1) Published on behalf of the AIChE
Information That I Do NOT Know
Know that I do NOT know
Do NOT know that I do NOT
know 5 DANGER!
about 2 weeks of HAZOP every year, working our way
through one of the more hazardous processes. The unit
leader thought that this activity was a good investment of
resources to identify hazards and to implement risk mitiga-
tion layers. Remember this time period was more than 10
years before the U.S. OSHA Process Safety Management
(PSM) rule.
SAFETY INSTRUMENTED FUNCTIONS AND LAYER OF PROTECTION ANALYSIS
In the mid-1980s, I became involved in a program to bet-
ter understand and to establish standards for “interlocks”—
what we now call safety instrumented functions (SIFs). In
this work, I first became involved in layer of protection anal-
ysis (LOPA) to answer the question, “how many layers of
protection do we need and how strong should they be?”
LOPA is a simplified process risk assessment tool. We
invented LOPA to make risk-based decisions more efficiently
than we could with FTA or full quantitative risk assessment
(the latter including day/night and seasonal weather conse-
quence modeling). Our goal is to make the appropriate risk-
based decision with efficient use of resources. CCPS pub-
lished three books with LOPA guidance [4–6]. I was subcom-
mittee chair and a principal coauthor for the first book, and
a peer reviewer for the other two books.
INCIDENT INVESTIGATION
Also in this time frame, we developed an incident investi-
gation tool based on FTA principles. The tool began with the
consequence and worked backward step-by-step to deter-
mine what had to happen for the consequence to occur. We
emphasized sticking to the facts, and working back to system
causes. Correction of a system cause should prevent the inci-
dent from occurring, not only on that shift, but also on all
shifts in that unit, in that plant, and throughout the organiza-
tion. And, if the incident were shared through the LPS, or a
similar forum, the incident would be prevented throughout
the industry. I was privileged to be a member of the sub-
committee for the first CCPS incident investigation book and
a peer reviewer for the second edition [7,8].
FIRST FULL-TIME PROCESS SAFETY JOB
In 1989, I was asked to take a 6-month temporary assign-
ment for our plant to “get all our process safety systems in
order.” When I retired from that assignment in 2009, our
group had grown from two to seven people, and the work-
load had transformed as well.
This was the ultimate job that all my previous assignments
had prepared me to accept, even though I was the first per-
son to take this job. However, my learning continued in this
new assignment.
PROCESS INTEGRITY AUDITS
In 1990, we did a series of half-day process integrity
audits for our units focusing on safety and operational excel-
lence. We suggested five principles for consideration during
the audit:
1. Know what you want to do.
2. Do it well.
DOI 10.1002/prs March 2016 9
 3. Have it documented.
4. Manage change.
5. Have the discipline to do 1–4 all the time [9,10].
Applying these five principles to the areas of operations,
maintenance, change, training, and culture, the operators,
mechanics, and engineers asked for systems to help them do
their jobs safely. The systems were the same elements that
were codified in the U.S. PSM rule and later in the EPA RMP.
They wanted process documentation and operating instruc-
tions that were accurate and correct (process safety informa-
tion [PSI]).
During the audits, we also learned that managers, opera-
tors, mechanics, and engineers could see issues more quickly
in a different operating area than the one in which they
were working. Having seen an issue in another operating
area, they realized that they had the same issue at home.
MOC PROCEDURE AND ACTION TRACKING
By 1991, we had developed a formal MOC procedure and
struggled to change the culture of the plant to follow the
procedure. Ultimately, we wrote a training package complete
with overhead projector slides, a script, exercises, and a
short test. The plant (works) manager trained his direct
reports in MOC with the training package; his reports trained
their reports; and so on until every employee and every con-
tractor on-site had all seen the same information and require-
ments for MOC. In the first year or so, operators and
mechanics frequently called the process safety folks to ask if
an MOC review was required for a particular change. We
also ensured that each MOC included a person with a quali-
fied occupational or process safety perspective. In the first
years, the qualified person was a process safety engineer. In
later years, other personnel were trained to fill this role. I
knew we had been successful in training when I audited a
MOC review and one of the managers was saying to the
other participants precisely the same that I had said in a
MOC review the year before. The difference was that, in the
prior year, it was essential that I direct the requirements to
the manager as well as the other participants. A year later,
the manager was insisting on the requirements himself.
We learned that everyone in the organization requires the
same understanding of the procedures and needs the com-
mitment to follow the procedures.
We also recognized that we needed an action tracking
system to ensure that the actions from HAZOPs, MOC
reviews, and incident investigations were completed in a
timely way. Without a good tracking system, it was easy for
actions to become lost. At the same time, the ISO-9002 qual-
ity effort and the ISO-14,000 environmental initiative gener-
ated actions that also required tracking. We were able to
develop a single action tracking system that met the needs of
all of these programs.
As we entered the cycle of PHA renewals, we found that
action tracking to closure by itself is not sufficient. Some
actions had been closed arbitrarily, some actions had been
implemented incorrectly or incompletely, and some actions
had been misunderstood. We concluded that an audit of the
quality of action closure was required by personnel who
were knowledgeable in the process technology and the tech-
nology involved in the action.
DOCUMENTATION
In response to the 1990 process integrity audit report
from operators, mechanics, and engineers about the difficulty
of obtaining up-to-date documentation, I articulated a vision
that each person in the organization could view an electronic
copy of the up-to-date documents needed for his or her job
at their workstation in real time. It took several years for the
10 March 2016 Published on behalf of the AIChE
technology (hardware and software) to catch up to the
vision. An additional driver was the ISO-9002 quality effort
and ISO-14,000 environmental effort.
Remember, if the PSI is not correct, then the PHA has
identified hazards for the facility described in the paperwork,
but it has not correctly identified the hazards in the actual
process facility.
In an unnamed facility, the plant could not be started up
after the test of one of the SIFs. The investigation found that
the design set point for the SIF was incorrect and prevented
the plant from running. The SIF specification was corrected,
but the corrected paper document had not been filed. In
fact, the correct specification was sitting on top of the file
cabinet because the file clerk had been eliminated during
the recent downturn. The instrument technician had used
the original design set point in the documentation in the SIF
folder.
TEMPORARY REPAIR PROCEDURE OR “YOU DO NOT MAKE ENOUGH
MONEY TO MAKE THAT DECISION”
In the late 1990s, I was involved in implementing a tem-
porary repair procedure for the plant that basically required
an engineering design or analysis for any temporary repair.
This was a step change from the prior practice of sticking on
some fiberglass, starting up, and seeing if it holds. This effort
evolved into mechanical integrity inspections and fitness for
service systems.
Sometime in the late 1990s, I heard from an unnamed
manager at an unnamed facility, “We can’t afford to follow
these new procedures. We can’t run our process profitably.”
My response was, “We can’t afford not to follow the new
procedures. Neither of us makes enough money to accept
the risk of not following the procedures. It’s our responsibil-
ity to communicate up the ladder to our management. We
need to make sure they understand the cost, the time, and
the resources needed to run our processes according to the
process safety requirements that the corporation has estab-
lished. Top management can make the decision, ‘yes, we
will give you more resources,’ or, ‘no, we will shut the pro-
cess down,’ or, ‘we will sign off on tolerating the additional
risk.’ We hope that top management does not choose the
third option.”
HUMAN FACTORS
Along the way, I took a human factors course from Alan
Swain. I was amazed at the number of systems that build in
error by the nature of their design. Instead, equipment and
procedures should be designed to ensure that the right tasks
are done in the right sequence and in the right way. Atten-
tion to human factors is critical for good process safety.
In the preliminary design of the second unit for a facility,
the engineers wanted to copy the layout of the original unit
so that many of the drawings could be reused by simply
adding a digit to the equipment numbers. The original unit
required the operator to move up and down the stairs sev-
eral times during a startup to manipulate the valves in the
correct sequence. (In practice, the elusive “E” shift probably
started the unit by setting all the valves on the second floor,
then setting the valves on the first floor even though that
was not the correct sequence. Note that the “E” shift makes
all the errors in a 4-shift operation [A, B, C, and D shifts].)
The operators, supervisors, and I were able to convince the
engineers to redesign the valve layout so that all the valves
needed for startup were on the same level. The valves were
also located about waist high for ease of operation. Yes, the
initial capital cost was slightly higher, but the return on
investment came from reduced errors over the life of the
plant.
DOI 10.1002/prs Process Safety Progress (Vol.35, No.1)
DO NOT ADD LAYERS TO MEET REGULATIONS AND REQUIREMENTS,
BUILD A SYSTEM
Over the years, I saw the addition of requirements from
regulation, competitive pressures, and energy efficiency.
New programs with additional requirements came regularly
and added burdens to the operating and support person-
nel. I suggested that we need to integrate all the require-
ments into a single system—the way that we make
chemicals [11].
Recall the discussion under Action Tracking and
Documentation.
POLICIES ARE NOT ENOUGH
In 2007, I concluded from the Baker report for the BP
Texas City explosion [12] that having policies for process
safety in place at the top of the organization does not neces-
sarily mean that the appropriate procedures and practices
are in place in the field. The incident reiterated the impor-
tance of commitment to process safety by everyone in the
organization from the top to the bottom.
WHY ARE NOT WE BETTER
From 1966 through 2016, the LPS has been there every
year with good papers on new techniques, new concepts,
and reminders of what we used to know and have forgotten.
While I did not attend the first LPS, I have been to many ses-
sions and have contributed papers to quite a few. I wish I
could have gone to every session.
For number of years, I was privileged to hear Walt Howard
come to the microphone to ask a question or offer a comment
after a paper. He typically said, “Walt Howard, process safety
consultant. Thank you for your paper. . .” As the years have
advanced, now that I am retired, I find myself going to the
microphone, “Art Dowell, process safety consultant. Thank
you for your paper. . .” So, I have gone from a young man lis-
tening to the old-timers at LPS to a gray-haired veteran making
comments and asking questions that I hope are of value.
In reviewing the past 50 years, I am very impressed with
the amount of effort that has gone into loss prevention and
process safety. A large number of people in the industry,
insurance, academia, the professional societies, and govern-
ment have contributed their efforts in designing tools, in
building and giving training, and in sharing the tools and the
lessons learned across industry. Organizations that are lead-
ers in process safety have freely shared their systems and
observations.
So with the regulations, the good practices, the CCPS
books, National Fire Protection Association publications,
American Petroleum Institute practices, investigation reports
from the Chemical Safety Board, and the good papers from
LPS and the other symposia in the Global Congress on Pro-
cess Safety, why is not our record any better?
I have observed:
“The message of the budget has been heard
throughout the globe, but the process safety message
has not been heard to the same extent.”
Or, as Walt Howard said in an early LPS paper, “We Ain’t
Farmin’ as Good as We Know How Now.” Quoting from that
paper [13]:
“An enthusiastic young farm agent, recently grad-
uated from agricultural college, was visiting a kindly
old farmer. While the farmer patiently listened, the
young man spoke at length and glowingly of the many
ways by which the farmer could improve his farming
practices. When the young farm agent finally finished
his long discourse, the farmer smiled a bit and said,
Process Safety Progress (Vol.35, No.1) Published on behalf of the AIChE
‘Wal, thank you young feller. But shucks, I ain’t farmin’
as good as I know how now.’ In the prevention of
accidents in the process industries we really ain’t
farmin’ as good as we know how now.”
We have the tools, but we have to use them every day on
every project. We can identify the hazards and the IPLs, but
we have to install the IPLs, maintain them, test them, and
repair them. We have to train our people and manage
change.
TO SUM UP
Yes, as an industry we are doing a better job than we
were 50 years ago when the LPS was started. But, “we still
ain’t farmin’ as good as we know how now”, as Walt
Howard pointed out 32 years ago. What should we do? Here
is what I learned.
1. Keep it simple and safe. (Yes, I know you have heard
the last word differently, but this expression is more
powerful.)
2. Everyone in the organization must be on the same page
for process safety. Everyone must be committed.
3. A management system is needed to manage process
safety.
4. The PSM system must include audits.
5. MOC is critical, including management of personnel
change.
a. “No good deed goes unpunished.” That is, hazards
can be introduced by systems intended to prevent
other hazards.
6. The personnel at the bottom and middle of the organi-
zation must communicate process safety issues and defi-
ciencies to the top of the organization.
a. The PSM system should protect the messenger from
being “shot.”
7. Use the tools we have.
8. Learn from using the tools we have and close the loop
to improve the tools.
9. Build systems to identify what we do not know that we
do not know, and then seek the expertise that is needed.
10. When using the tools such as PHA and MOC, apply the
sports analogy “Keep our heads in the game!”
a. Go beyond pro forma checklists to really understand
the hazards and the risks and the layers of protection.
11. Always look at inherently safer design, but recognize it
is always a trade-off.
12. Apply human factors tools to minimize mistakes and to
provide recovery. We must recognize that humans are
not perfect. Our job is to build systems that detect and
correct mistakes before something serious occurs.
13. Investigate incidents and near misses and seek system-
level changes.
14. Measure what you want to know.
a. But be careful what you measure, because unex-
pected results can occur.
15. Keep the documentation up to date and available to
those who need it.
LITERATURE CITED
1. T.A. Kletz, What you don’t have, can’t leak, Chem Ind 42
(1978), 287–292.
2. CCPS, Inherently Safer Chemical Processes: A Lifecycle
Approach, AIChE, New York, 1996.
3. CCPS, Inherently Safer Chemical Processes: A Lifecycle
Approach, 2nd Edition, AIChE, New York, 2009.
DOI 10.1002/prs March 2016 11
 4. CCPS, Layer of Protection Analysis: Simplified Process
Risk Assessment, AIChE, New York, 2001.
5. CCPS, Guidelines for Enabling Conditions and Condi-
tional Modifiers in Layer of Protection Analysis, AIChE,
New York, 2014.
6. CCPS, Guidelines for Initiating Events and Independent
Protection Layers in Layer of Protection Analysis, AIChE,
New York, 2015.
7. CCPS, Guidelines for Investigating Chemical Process Inci-
dents, AIChE, New York, 1992.
8. CCPS, Guidelines for Investigating Chemical Process Inci-
dents, 2nd Edition, AIChE, New York, 2003.
9. A.M. Dowell III, S.E. Anderson, and D.K. Martin, An
audit system for process safety, In: Texas Chemical
12 March 2016 Published on behalf of the AIChE
Council Process Safety Management Seminar, Galveston,
TX, USA, June 1990.
10. A.M. Dowell III and S.E. Anderson, An audit system for
process safety one year later. . . Discussion of phase II
system, In: Texas Chemical Council Process Safety Man-
agement Seminar, Galveston, TX, USA, June 1991.
11. A.M. Dowell III, Regulations: Build a system or add
layers, AIChE Spring National Meeting, March 21, 1995,
Process Saf Prog 20 (2001), 247–252.
12. J.A. Baker, The Report of the BP US Refineries Independ-
ent Safety Review Panel, U.S. Chemical Safety Board,
www.csb.gov, January 30, 2007.
13. W.B. Howard, Efficient time use to achieve safety of
processes or ‘we ain’t farmin’ as good as we know how,
Plant/Oper Prog 3 (1984), 129–132.
DOI 10.1002/prs Process Safety Progress (Vol.35, No.1)