Engineering Management of Change

Engineering Management of Change

  Engineering Management of Change 
Before we start a quick introduction to myself and this series of articles. Over the last 11 years I have worked with two key operators in oil and gas in process and process safety roles. These roles have ranged from working at the ‘coal face’ to managing a team of people to deliver technical or process safety as part of operations and project teams. To share some of the knowledge I have been fortunate enough to develop through the help of specific experiences and working with some very experienced colleagues I have decided to write a series of articles focused on Process Safety. 
As this is the first article please feel free to in mail me and give me feedback on any aspect of the article. If you want to add technical content to the article or some of your examples or experiences please comment on the article. Needless to say if you find the article interesting or of use please like it so I know the level of interest and effort to put into future articles.
Management of change..... We all know we should do it and do it well to improve not only our process safety performance but our business performance but do we all know what management of change means for our part in the project chain or what good looks like. If you feel you're not 100% or you're new to management of change (MoC) then read on. Or if you're new to managing an engineering team and want to check in on their processes I'll give tips to let you know how you can make sure things are running smoothly on the slides and off. Alternatively if you feel you’re managing endless changes on changes then also read on as I’ve been part of a team doing that and with some focus on the steps we managed to turn things around.
So what is Management of Change and who should pay attention? Management of Change or Change Management is a process which allows you to systematically plan, develop, implement and embed a change. In essence all industries could benefit from good MoC process and execution however it is particularly important in high hazard industries where the information about the facility may be used for emergency response and to assess the overall risk of the facility. Misinformation in these high hazard facilities can also lead to a high consequence event being realised.  
The first step is to understand that MoC is not a thing that you or your lead engineer do behind your desk late at night and then everything is going to be fine. It is a process which involves many people of different backgrounds and levels in the organisation. It involves diligence and it requires practice to get right. Not the sorts of things you want to hear right but it is true. 

The following sections will outline the 5 key stages to MoC and an extra pre-stage which is often the most difficult. Each section will give a brief overview of what is required, an example of what can go wrong if this step is missed or not executed properly and then some helpful tips to getting it right. In the end section I will describe some of the differences between the types of MoC (emergency, temporary, permanent, commissioning, maintenance, design and construction). Although they all have the same stages the stages can mean different things.


 Before a management of change process can be initiated the change has to be identified to have occurred or that it is about to occur and that it is significant enough to trigger a management of change. As the name suggests it requires your team to know when something has changed. This is the most difficult part of the process. Change can be creeping, a level controller is slowly blocking so operators are raising the liquid level in the tank or the pressure in the vessel to maintain flow. This is a slow change over time which may result in increased number of over rides on level or pressure, it may lead to manual control of the level controller or disabling other safety systems even for a short time. 
At the beginning this is not classified as a change but when the change has the potential to impact a safety system then it should be assessed more thoroughly. Another change which may not be seen as a change is when a new engineer starts in a key position (process, electrical, instrument, mechanical or technical safety). How is the information hand over managed?

Bohpal where a large quantity of methyl isocyanate was released into the local environment killing in the order of 1000 people in 1984 as several safety systems were out of use. Leading up to the accident there were several safety systems (scrubber, refrigeration, flare, water curtain) which were over ridden or bypassed or partly decommissioned leaving the protection measures for the scenario which occurred on the night ineffective. If even one of these had been effective then the severity of this incident would have been significantly reduced. 
Each of these changes should have been assessed and the effectiveness of the other remaining barriers should have been determined clearly defining which activities were still safe to continue at the facility. This type of management of change can be called an operational risk assessment or maintenance related management of change. To visualise the effect of this a bowtie could have been used, this is a very effective way of managing barriers day to day (see future article on Bowtie - Visual Management of Complex Risks).
It cannot be stressed how important the identification step is. This is linked to the later section about key resources ensuring people are trained to recognise changes in the form of material change, set point change, procedure change, alarm/trip change. They key is that in this phase the intent and perceived benefit of the change is clearly articulated. This will allow the next phase to be most effective setting up the rest of the process for success.

STEP 1: Assess/Screen  

This is a step which should be completed by a multidisciplinary team including a member of management who is responsible for budget (could be called the Decision Executive). The purpose of this stage is:
  1. Confirm that the change proposed is a change
  2. Confirm that the process being applied is the best process to manage the change being proposed (see later section on types of change management systems)
  3. Confirm that the change has some benefit (safety, economic etc.) and define urgency of change (if applicable).
  4. Confirm that at this early stage the change does not increase the risk of the facility disproportionately to the benefit of the change
  5. Define the level of engineering required for this change (hazard studies, document updates etc.) and the engineering focal point 
  6. Confirm the level of further study approved at this stage before next review
  7. Sanction the study work required to mature the change proposal
To allow this stage to work effectively the change should be risk assessed by a multidisciplinary team prior to the management meeting (that is steps 1 to 5). This will allow the disciplines to raise any concerns but also to understand the change properly from the initiator. This can result in the change being recycled to allow the correct engineer to be involved in framing the change. This stage which may seem insignificant is crucial in your management of change process. If executed well it will ensure that your system does not get ‘clogged up’ with loads of changes which are distracting but do not add any measurable value to your process. 
It will also ensure that you are not working on proposals that erode the safety factors that were engineered into your process by sanctioning changes which for example increase production but significantly reduce safety margins. If the proposal are not well thought through and risk assessed it can lead to the management panel sanctioning the incorrect studies. It also requires that ‘what a change is and isn’t’ is well defined to allow the team to determine if this is in fact a change requiring the effort of your team. 

In the 1972 Flixborough incident where one of the 6 vessels operated in series were removed for maintenance replaced with a bellowed connection while the vessel was being repaired which lead to loss of containment and subsequent ignition. The reviewing board at this phase and at the end of the next phase were made up almost entirely of chemical engineers who sanctioned the change without recognising the potential for vibration which would have been identified easily by a mechanical engineer. This could have ensured correct mitigations to dampen the vibration were put in place prior to the change being executed potentially preventing the 28 deaths that occurred.

STEP 2: Prepare/Design/Detailed Engineering  

In this step usually the lead discipline drives forward the change proposal by maturing the design. This will involve preparation of drawings, completing preliminary calculation and most importantly organising the relevant multidisciplinary risk assessments (HAZOP, HAZID, Dropped Objects etc.). The size of these workshops depends on the size of the change. For example a small change to the bunding area around a diesel tank to improve secondary containment which has been completed on other tanks on the facility may only require a review of the previous HAZID completed by the team to familiarise the new work party with the hazards and the specific required outcomes of the job. This could be in the order of 20 minutes. However the change of the size of a control valve could require revisiting the HAZOP and SIL reports to assess the potential impacts and may require a small HAZOP to ensure there are no unintended consequences. The intended outcome of this stage is to
  1. Have a matured the understanding of the risk of executing this change and the risk during execution of this change. This requires all actions from safety studies relevant to the design to be closed.
  2. Have a design proposal which is sufficiently mature to make budgetary decisions. This design should be in accordance with relevant internal and external standards. This design will then be frozen and used as the basis for approval and procurement.
  3. Have an understanding of the cost and schedule for this change which is mature enough for an investment decision.
When the Herald of Free Enterprise sank on March 6 1987 a significant contributing factor was that the port where the vessel had last docked was not one of the ports originally designed to take this type of ferry. This resulted in new hazards being introduced by modified operating procedures to ballast the ship to allow offloading of both decks. These hazards were not systematically identified and subsequent procedures for departure were not amended to mitigate these hazards (specifically to ensure the the trim of the vessel was returned to normal operating window before departure to prevent rapid water ingress into the lower main deck).

STEP 3: Plan/Approval.  

This step sees management approval for the intended execution of the work and allows the work to be slotted into relevant execution plans as required. After this approval but before implementation is where procurement will occur and any more detailed engineering steps such as choosing of valves in accordance with data sheets etc. In this phase disciplines are generally working in silos to executed their elements of the scope which may or may not be coordinated by the lead discipline depending on the timeline and scale of the job. 

The intended outcome of this step is:
  1. Management approve changes which they know (based on the engineering information from the previous phases) will optimise efficiency, safety performance, flexibility, longevity etc.     
  2. Management accept the execution and residual risk associated with this change     
  3. The relevant parties have budgetary approval for procurement.     
  4. The execution of this change can be planned into your plant plan as people understand the importance and urgency of this change
As this step is simply budgetary approval it is difficult to find an incident which is related however if this step is not done properly (the person approving doesn't understand fully the risks of the facility or they approve very expensive modifications early in the financial year leaving no money for emergent safety issues this can be problematic) it can cause problems in the next stage. Particularly with regards to scheduling critical safety work (see the examples in the next step).

STEP 4: Implementation/Execute  

In this phase of work the actual physical changes will happen. The valve will be changed the set points adjusted etc. The intended outcome of this phase is 
  1. for the change to be executed as described by the engineers in the preceding phases achieved the outcome assessed in the first phase.
  2. for the relevant temporary information to be provided to the key teams (redlined drawings etc.) until the next step is complete.
  3. for the change to be implemented in a timely manner dependant on the drivers for work execution.
  4. for the change to be executed safely.
It is normal to require formal feedback from someone senior in the operations team that the change has been executed as described. It is possible to have changes arise in this phase if for example something unforeseen occurs (bolts are difficult to remove because of deterioration and a higher than specified toque must be used or if when fitting the valve the stem is longer than anticipated so needs to be trimmed to fit in place, this would be raised as an engineering query which is a simplified form of change management).
There are several examples in the incident databases of engineering recommendations being made but no action being taken but there are also incidences of the engineering being completed but the work not getting executed. Work can often get 'hung up' in this phase if the drivers for work execution are not clear to the team. Production will always be assumed to be the primary driver and this work will be executed first. Two examples where this occurred are in the years before the Texas City 2005 refinery incident (11 fatalities) and in the years before the DuPoint 2010 Phosgene incident (one fatality). 
In both incidents the engineering solution which could have significantly reduced the severity of the incident was known to management. In the case of DuPoint an active decision was made to not build the phosgene enclosure which could have enclosed the phosgene and prevented the worker being inadvertently exposed to the release because the cost would set a precedent for other protection measures. In the case of BP Texas city it was found that in the 15 years prior to the incident several attempts were made to remove the localised vent however they were all rejected mainly due to cost.

STEP 5: Sustain/Close/Look back  

This may sound like the easiest stage and it will be if you completed all the ground work effectively earlier. The key to this stage is to
  1. make sure all documentation for the facility represent the change that has been made (that is the documents are as built) and there is no reference to a pre-change state unless it is to say it was changed.    
  2.  ensure that there is no chance that people become confused.
For example you have increased the trim for the control valve mentioned earlier. The control valve was not listed on any relief valve data sheet as the controlling case however it was identified that it became the controlling case for relief downstream in the HAZOP that was convened. In the preparation of the documents for engineering review the data sheet of the relief valve for the downstream system was not amended but replaced. 
Therefore in this phase there is a potential that the new data sheet is added to the system and the old data sheet is not retired. This could result in the smaller valve being ordered in the future by an unsuspecting procurement agent. The key to this phase it to have it in mind in the first phase. This also helps you identify which disciplines need to be involved in the change as when the key documents are identified it will naturally identify the disciplines. 

In the past there have been many times when operators have found a 'work around' which is not documented in the procedure. Or maintenance have made a small mark on equipment to remember what the outcome of a test should be as this is not documented in the test procedure adequately. Two severe examples where out of date or inadequate documentation have had fatal consequences are BP Texas City 2005 explosion as the start up procedure for the ISOM unit was viewed as inadequate and was not followed by operators with supervisor knowledge. Another example is during the start up of Bayer CropScience methomyl unit in 2008 where operators routinely over-rode a start up protection to increase the temperature of the unit quicker. This lead to a runaway reaction and overpressure of the vessel with two fatalities.

Finally another unofficial stage of management of change is to monitor the whole process, are changes moving through the process well? Are they being caught up? Are only one disciplines changes being implemented? See the Audit/KPI section later for risk based questions you could use to monitor your process. This reviewing can be done monthly or quarterly depending on how mature your process is and the improvements you want to drive.

Overarching Principals and Requirements  

Following the above steps will significantly improved your management of change process however if you don't have the following in place you will be set to fail:
  1. Competent people at each phase. This means that those who are likely to spot the changes are trained to spot the changes, the engineers involved int he process are competent and understand their responsibility when reviewing the change and the management clearly understand the risks of the facility to allow them to make informed decisions.     
  2. Resources are available for all phases of MoC     
  3. Change is clearly defined and the change management system is clearly defined. This many be several systems (or just one see end thought). For more information on types of MoC see the next section
Types of MoC
  •  Engineering technical query - used for single discipline changes such as change of supplier of a part
  •  Maintenance change management - this is used for delaying maintenance on safety critical equipment or to document problems found with safety critical equipment. This can be done in the form of an Operational Risk Assessment.
  •  Document control system - used to manage routine changes to documents
  •  Organisational change - This is normally managed by HR and is applied to organisation or personnel change. See future article on organisational change where I will discuss the details of the key elements.
  • Emergency change - This is applied when something happens in the facility which requires immediate action and is outwit the MoC cycle. This may be at night or over the weekend when key people are out of the office. Typically this is applied to something which is safety or production critical. An example could be if a valve on the discharge of the cooling water for a key heat exchanger fails shut or partially closed. If the heat exchanger is taken out of service the plant will shutdown within hours. The operator has identified an open drain and a connection to route the water out of the exchanger. Locally the team meet and run through the steps of MoC and execute the change. Critical to the success of this type of change is when the crisis has been averted the change should be assessed in the normal way with the relevant engineers. Repair will be scheduled. The assessment by the engineers may result in the change being reversed and the system being returned to fault state with a plant shutdown. For example if the fault was on the inlet valve and the source of temporary water was not of the same quality as the normal cooling medium it could result in enhanced corrosion or microbial growth.
  •  Temporary change - This is a change which is normally planned to be in place for a short period of time. Usually 3 months and no more than a year. These changes normally carry more risk so may be reviewed at regular intervals to help drive the engineering change forward or to ensure temporary controls are working. These changes have all the steps mentioned above except that during the implement step temporary procedures and documents will be deployed and training will occur to ensure that all shifts are aware of the change. During the sustain step the temporary equipment will be removed and all temporary documents will be removed to return the plant to normal operations. This type of change may be implemented to manage an unsafe condition while the permanent fix is engineered or it may be put in place to trial a new operating envelope before changes are made or equipment is ordered. In a future article I will discuss temporary changes and some of the things to consider when implementing them.
  •  Permanent change - This is the type of change the article has been based on and is typically what people talk about when they talk about MoC.
  •  Commissioning change - during plant startup and commissioning equipment is tested before being put into service. Unexpected things can happen during this phase leading to requests to engineers to modify test conditions or accept some alternative proof of performance (typically done through engineering technical query route). Typically these are single discipline changes and normally they are only applicable during the construction phase however where they will be in place post startup or will impact performance of safety functions after startup they must be elevated to multidisciplinary review before the plant starts up and documented accordingly.
  •  Design change - these changes typically occur after the concept has been selected but before the facility is built. These are actually changes to design documents rather than physical changes in the field. To reduce the potential for confusion during construction or operation these changes must be executed well, especially the sustain phase. Confusion especially in construction and procurement can increase costs and introduce schedule delay and needless to say depending not he change it could introduce unacceptable risk in the operate phase. The key difference to the permanent change we have been discussing before is that any change to design will increase the cost of the project therefore it is normal for a project to have a management of NO change policy. That is the project will identify strict criteria for changes and if these are not met then a change will not be sanctioned. For example if there is a significant reduction in risk without increasing budget by X%, or a reduction in schedule of 5% or more without increasing budget by x%; or reduction in budget of more than y% without more the Y% increase in schedule or significant change in risk profile.

A refreshing revolutionary thought

What if we all used the same management of change process (HR, engineers, designers, construction etc.)? Then we could talk the same language when discussing organisation change and an update to the IT system. They all have the same phases with very slight variations to accommodate some nuances with approval and applicability. 

Audit questions and KPIs  

So I'm sure you've been able to glean some useful audit questions from the text above however if you want to know what I'd ask or monitor at my site details are below:
  • How many temporary MoCs are in place right now? That includes operational risk assessments for maintenance. If this number is in the tens for a medium to large site you should be paying attention.
  • How many temporary MoCs are older than one year? If this is more than 50% you have a bigger problem that change or temporary arrangements are accepted as normal. I would look into operating procedures and see how they are adhered to especially during start up.
  • How many MoCs were as a result of a release or loss of containment or control? If this number is high this could indicate an issue with your integrity management system.
  • Do all your temporary MoCs have a plan to close them before they expire? This will indicate good control of work at your site.
  • In the last 12 months were at least two of your high risk MoCs closed in addition to production improvement ones? This will indicate that there is some consideration for risk in the decision making however this is a great space to dig deeper and understand the thought process of your engineers and managers.
  • How many MoCs have been implemented but not closed? If this number is greater than the number of changes you execute per year at your site you're loading yourself a ticking time bomb. This will either result in a stop in engineering and executing MoCs until updates are done (due to resource constraint) or will require complete rework of critical documents such as safety case, process diagrams etc. which will be accompanied by the associated studies to allow you to have assurance that when required the documents you want to rely on can be relied on. Remember these safety critical documents are the ones first responders use if something goes wrong and what may be used in a longer term emergency response incident.
  • Was there a high number of changes initiated at your facility within one year of startup or some major modification? This could indicate that project work is not delivered well (either engineering is not a good quality or there is a problem with the execution phase).
All but one of the above could be seen to be leading key performance indicators (KPIs) as they indicate to an issue in one of your systems before a loss of containment or serious incident occurs. Keep up to date with what's coming by visiting


These are a few sites and reports I used in the preparation of this article. They all hold a wealth of information and are worth a look.
  2. - report and video
  3. - report and video
  4. Atherton & Gil. (2008). Incidents that Define Process Safety. New Jersey: John Wiley & Sons, 25
  5. Atherton & Gil. (2008). Incidents that Define Process Safety. New Jersey: John Wiley & Sons, 202-207
  6. Atherton & Gil. (2008). Incidents that Define Process Safety. New Jersey: John Wiley & Sons, 220-226
Disclaimer: My articles are based on my engineering experience in two major operators over 11 years. They do not reflect the processes of either and are not endorsed by either. If you find an error in the text please feel free to correct me as I too am prone to human error (although I like to think at a lower than average frequency). The intent of these articles are to educate. From beginners to experienced engineers. I hope that through the article or reference material you all get something from it. If you find the content too basic or too advanced again get in touch. Any improvement suggestions welcome. 
Kindly reviewed by João Abruzzini and Yosef Aljasem

                                                                                   Louise Whiting CEng MEng MIChemE FSaRS

Passionate about Process Safety and methodical in my approach to problem solving. Often decisions I influence have a major impact on cost or feasibility. Using an intent based approach I ensure that we achieve the intended risk reduction rather than focussing on the solution which may be very costly. Often with a bit of thought the same intent is achieved in a more cost effective way. When it comes to improving the understanding of others my approach allows people to work to the solution at their pace whilst still be guided by my extensive experience. Some examples can be seen on my website  In these new times we found ourselves in I am adapting as I am sure you are. 
This means I am working on two fronts. The typical services my business offers are listed below however I am also pursuing non-executive director roles as I bring a specific skillset which is often missing in these key decision making forums. Being able to very quickly understand complex technical problems, identify a solution (or at least an initial path) and then being able to assimilate and communicate this information to others in a way that allows them to act is an invaluable skill. 
I have used this not only in my professional life which has definitely been characterised by large changes (from location to discipline) but also in the voluntary work I do. For example I used these skills to organise over 400 sewists around the country to sew over 2000 scrubs, countless masks and other items. From sourcing patterns and materials to arranging logistics and finances I made this happen. In less than 3 months during lockdown
Traditional services are listed below:
- High quality workshop facilitation particularly focussed on technical workshops such as HAZOP, LOPA, HAZID, WhatIf and SIL. Also adaptive to completing new workshops such as Energy Optimisation and other key brainstorming sessions.  
- Safety Case Compilation - Training both face to face and remote which can be customised for your hazards - Bowtie Reviews and Generation - Audit (pre-startup, FSA1 and FSA2 etc.) 
- PSM Inspections (both remote and physical - in the UK) 
- Coaching on hazards, hazard management and process safety management (PSM) 
- Given operational and project experience more than willing to help with stand-in and other operational tasks like operational risk assessments, technical assurance, action tracking or approval etc. 
- Expert Witness - Insurance Audits
Don't be shy to contact me. I generally will reply within 24 hours. I'm discrete and will tailor the sessions to you and your requirements.

Post a Comment

Previous Post Next Post