12 minute read
Three key questions for compliance
Whitney Vandiver, Ph.D., Compliance Specialist, NuGen Automation, LLC, USA, discusses how operators can develop a successful compliance-driven initiative when it comes to CRM audits.
The term audit has become a four-letter word in the oil and gas industry and often sends operators into a frenzy to catch up on the little things that have been left for the last minute. Unfortunately, for most operators, those little things add up to the big requirement of compliance, and not all operators are learning from their auditing experiences, especially when it comes to control room management (CRM). However, there are several steps that operators can take to prepare for a CRM audit and shift their focus to the effectiveness of their compliance efforts. Most operators will find themselves leaps and bounds ahead of where they started if they take an honest look at their documentation and consider three primary questions.
Are operations driven by compliance – or is compliance a supplemental feature? Operators must recognise the importance of, and develop, a compliance-driven initiative within their corporate environment. Due to the nature of oil and gas operations, there are times when decisions are made and compliance is consulted or considered at a later time, which can create a negative attitude toward compliance. The result is that compliance measures are often viewed as tedious activities that must be performed to avoid being caught out – some operators see them as keeping the wolves at bay. This perspective, however, lends itself to an undesirable perception
wherein compliance is seen as an auxiliary to operations rather than an inherent part of it. This mindset can be detrimental to an operator’s operation because of the role it assigns to compliance, specifically that it is secondary to primary operations rather than a supporting aspect of safety.
To avoid this supplemental attitude, operators must be mindful of how compliance is incorporated into the operational environment. This is true of all aspects, from field maintenance to control centre documentation. When it comes to CRM audits, it is significant that operators ensure compliance is visible within their policies and procedures and that they reflect appliable regulations. Many operators neglect to understand the value of compliance-driven procedures and perform their operations without proper documentation of their operations. Procedures, especially those enforced by regulating agencies, must capture requirements as well as operational standards. Many procedures fall in this category when it comes to CRM audits, including but not limited to point-to-point verification, management of change, and emergency response. Policies must also capture the need for documentation of compliance. As an essential aspect of compliance, documentation of processes and procedures must be at the core of operations to emphasise the significance of its role in maintaining compliance.
In preparation for CRM audits, operators should consider the role compliance plays in operations and how integrated it is within their policies and procedures. Operators must question their policies, processes, and procedures, knowing it is likely to expose issues, considering aspects such as if procedures are being driven by compliance or whether compliance is an addendum, and whether compliance is being considered at every link within a chain of procedures or expected to be met with only one chain without redundancy. Compliance readiness is not simply a one-time objective but must be seen by operators as a consistent state of mind and be reflected throughout operational processes and policies – in this way, operators must begin the assessment of their readiness by honestly evaluating how thoroughly their operations are driven by compliance rather than simply how often the term is mentioned within their polices.
Is documentation consistent and accurate? In the eyes of an auditing agency, if it wasn’t documented, it didn’t happen. In this way, documentation is central to compliance and a piece without which the larger picture cannot be completed. When it comes to the readiness of CRM, documentation operators must keep three states in mind – existence, accuracy, completeness. Existence is the simplest criterion but nonetheless often overlooked by operators, neglecting to acknowledge that documentation must exist for certain events. Some cases are explicitly outlined in regulations along with what such documentation must include, as with shift turnover logs; others are left up to the operator as long as the process is documented in some fashion and key objectives are achieved.
One of the most common mantras among compliance specialists is “do what you say you do” – and we have to repeat it more often than not. Many operators believe that they are documenting procedures adequately when in reality a number of scenarios have unfolded that have led to incomplete documentation. Some operators do not have a consistent review schedule and neglect to update procedures, while others are unaware of the detail necessary to capture a full procedure, thinking that they are covered as long as the intent of the procedure is documented. Neither is a defensible situation when dealing with an auditing agency, and incomplete documentation is not only a fast track to a violation but a safety concern. Operators must understand that documentation is a two-way street: policies and procedures must be comprehensive to capture what is required when they are enacted and operators must do exactly what a policy or procedure says they do. If an operator fails to succeed in either aspect, compliance becomes a seesaw of inadequacies and incompliance.
Documentation is only considered accurate if it captures the steps that are performed, and this means that training plays a critical part in the documentation process. Whether it’s how to fill out a form or the start-up procedure for a facility, a procedure that is not well understood and performed incorrectly indicates that an operator is not doing what they say they do. If documentation is complete and accurate, operators must prioritise timely training to ensure all participants are not only knowledgeable but capable. PHMSA auditors not only talk to managers; they can visit the control room and ask questions of the personnel. One of the worst situations a CRM manager can face during an audit is having an improperly trained and unprepared controller answer an auditor’s question incorrectly – or worse, respond to a situation inadequately in front of an auditor. Training must capture not only the purpose of policies and procedures but educate personnel on the when, where, and how of necessary steps. The level of detail may vary depending on the time and function of the training, e.g., annual review training need not be as detailed as new hire training, but the significance of the relationship between documentation and how such actions are performed should never be understated during training sessions. This transparent and absolute connection between policy and procedure documentation and personnel training is as significant as showing up to the audit.
Even if operators correctly document their policies and procedures and consistently implement them via training and response, this level of success can only be maintained if operators regularly review their documentation for accuracy and effectiveness. Operations change over time, and while the majority of a procedure might remain the same, small alterations can slip through the cracks. Documentation should never be considered accurate if it has not gone through a review process within the assigned timeframe. Operators may choose to review some procedures every three or five years, but certain procedures must be reviewed annually with a three-month grace period, translating to the ever-present phrase every 12 months not to exceed 15 months. This requirement is consistent for all CRM aspects of operations, in that the stipulation applies to CRM manuals and related documentation, and PHMSA does not consider the documentation contained within a CRM manual accurate if it has not been reviewed in a timely manner. This means that operators might have the right documentation and be doing what they say they do but still miss the mark by neglecting to verify certain documentation’s veracity when necessary. It’s an easy mistake to make but can be costly, especially if the lack of review allowed errors in procedures to go unnoticed.
Is the big picture compliant – or is it missing pieces of the puzzle? At its core, a CRM audit is investigating the validity and compliance of control room operations, and many operators can become stuck on this fact. They become so focused on what is right beneath their noses that they develop blinders when it comes to an audit’s consideration of how CRM interacts with other operations beyond the immediate control room environment. Operators must remember that CRM is a significant piece of a very intricate and complicated puzzle. General operations would have a very high likelihood of failure without CRM, and safety would be much less quantifiable – but that doesn’t mean that CRM necessarily leads the way for all other operations. When it comes to documentation, everything CRM-related might be in perfect order, but that doesn’t translate to an identical setup beyond the control room.
A CRM audit focuses on control room operations, but it also takes into consideration how those operations interact with and influence field operations. An auditor, for example, can ask to see the control room’s procedure for responding to planned maintenance via the management of change process, which in the CRM manual might explain the steps as expected; however, if this procedure references a field procedure outside of the CRM manual, that procedure is now open for review as well because auditors want to ensure operational consistency. If an aspect of the external procedure does not match every aspect of the CRM procedure – which could be something as simple as the procedures disagreeing on how the control room is notified of a maintenance request – the process is no longer compliant. Regardless of what the CRM documentation states, if it does not seamlessly fit into the operational puzzle, the big picture is now incompliant.
Big picture compliance is the ultimate goal of auditing agencies and operators alike, but this is often easier said than done. Regulations change, assets are sold and acquired, and operators transition and merge, all of which has a direct impact on how operations are run in every corner of a company. However, the biggest influence over compliance is the human mind. Taking a page from the NTSB, PHMSA began considering human factors as a significant influence on compliance nearly a decade ago, and this has become one of the most difficult aspects of operational management. People make thousands of decisions a day, and operators are at the mercy of their personnel’s decisions every single moment they are pulling, transporting, or storing product. Ensuring that everyone is on the same page so that decisions are informed by the same information is crucial when it comes to big picture compliance, especially with regard to the control room’s operational role. The same accuracy and consistency expected of CRM documentation must be reflected in every procedure within every department – from the steps involved to cross-referencing across procedures. Without this understanding, an operator can only be confident in their CRM compliance until the first external reference takes the auditor’s attention beyond the CRM manual.
What to do next? While PHMSA provides specific regulations for CRM, it is widely accepted that they are in some respects purposefully vague to allow operators to interpret them in different ways, depending on their operational needs. This can benefit smaller operators but leads to confusion when larger operators are faced with a digital mountain of documentation and only a few months to determine if they are in compliance. When it comes to preparing for a CRM audit, operators can do a few things to get ahead of the curve.
The simplest things to do is verify everything. From the steps involved in a procedure to the references to other procedures, operators must confirm that every aspect of their documentation is correct. In this case, no error is too small to overlook, as even incorrect document numbers can be noted by auditors if they feel it could lead to confusion and therefore affect safety. No matter the size of the operator, verifying so much information will be a large undertaking; however, it is the most significant step in assuring compliance.
In the same vein, operators must confirm that all policies and procedures are complete. A procedure that has been in use for ten years might be accurate as far as those steps that are listed in the documentation, but if an additional step was added to the process the previous year in light of an incident, the procedure is not complete without that step being documented. Operators should walk through the procedures and ensure that not only managers approve the content but the personnel who are responsible for physically enacting the procedure agree as well. At times a simple discussion will suffice, but operators should remember that the human mind is easily deceived when it comes to processes, especially those that are commonly performed – and it is best to double-check all steps before signing off on a procedure as complete.
Operators must also foster communication within their departments. A PHMSA audit might only be interested in CRM compliance, but that does not exclude other teams from assisting with compliance. Not only should other teams be involved via reviewing their own compliance, but be ready to assist with confirming any cross-referenced procedures that can affect CRM compliance. Operators should be transparent about upcoming CRM audits to related groups such as IT and ensure they understand how they might be involved in CRM compliance, even if they will not take part in the audit.
Many operators will find these steps to be overwhelming, especially if they have not been maintaining compliance as a regular activity. The good news is that operators can update their processes to review and confirm compliance in their day-to-day operations. Small changes such as verifying cross-referenced documents when updating procedures and establishing an accountability team within the control room personnel that includes more than just the CRM manager will help operators create a compliance-driven culture. Thankfully, operators do not have to face CRM compliance and PHMSA audits on their own. Industry-specific third-party compliance assistance is available to assess operator compliance and guide operators through the auditing process. Such services leverage compliance expertise with an intimate understanding of CRM and its many facets, providing operators with an industrydriven solution that can help them not only survive their next audit but establish a philosophy that guides future operations and documentation for more successful compliance in the coming years.
