Predicting major hazard accidents in the process industry based on organizational factors: A practical, qualitative approach

OCI Nitrogen seeks to gain knowledge of (leading) indicators regarding the process safety performance of their ammonia production process. The current sub-study raises the question whether major hazard accidents in the ammonia production process can be predicted from organizational factors, also called management delivery systems. This paper links organizational factors to accident processes and their barrier systems, using the bowtie metaphor. It is shown that organizational factors indirectly impact accident processes as they strongly inﬂuence the quality or trustworthiness of the barrier systems. By putting the right focus on organizational factors during audits or reviews, major accident processes get the attention they deserve, and the necessary actions are taken at the right management level. Qualitative and quantitative monitoring of organizational factors can provide a picture of their operation and efﬁ- ciency. Using an example on retrospective data it is demonstrated that information from organizational factors could have stopped the development of the near-accident prematurely. However, organizational factors should ﬁrst be qualitatively assessed before they are quantitatively monitored. A quantitative assessment has been worked out for one of the management delivery systems so to provide an exam- ple of management indicators. Determining these (management) indicators from threshold values is an intricate matter due to the complicated inﬂuence of organizational factors on accident processes, and requires more research.


Introduction
In 2015, several major process-related accidents occurred at a few site users of Chemelot, a chemical industrial park in Geleen, The Netherlands (OVV, 2018). The increase in the frequency and severity of the accidents made the Chemelot Board decide to have an external investigation conducted. One of the conclusions was that process safety did not receive the necessary attention due to an increased focus on personal safety (Crisislab, 2016). Apparently, the focus on occupational safety is so high that the potential hazards of the plant and the chemical processes do not receive the attention they deserve. In other words, there is insufficient anticipation ofëarly warningsfrom the chemical processes. OCI Nitrogen, one of Chemelot's larger site users, has faced several serious process safety related accidents, including those at its two ammonia plants. In some occurrences, the relevant ammonia production process had to be shut down immediately to prevent worse from happening.
The management of OCI Nitrogen initiated its own research of whether process safety can be measured and monitored. The aim of this research is to take targeted and timely measures and thereby prevent future major process safety accidents. The question that arises is which indicators provide information concerning the development of the major hazard accidents of the ammonia production processes. Three sub-studies have already been published concerning 'ranking' of the most dangerous process equipment of the ammonia production process (Schmitz et al., 2018), assessing mechanical failure mechanisms (Schmitz et al., 2020a(Schmitz et al., , 2019 and predicting the likelihood of scenarios based on the barrier status (Schmitz et al., 2020b).
This sub-study investigates the organizational factors which are closely related to major hazard accident processes and answers the following research question: Can major hazard accident processes related to the ammonia production process be influenced by monitoring organizational factors?
The associated sub-questions to be investigated are: 1) What are organizational factors? 2) How are organizational factors linked to the accident processes?
3) What are the organizational factors in the ammonia production process of OCI Nitrogen? 4) What information can organizational factors provide about the accident processes? 5) How can the information from the organizational factors influence the accident processes of OCI Nitrogen?
Accident processes related to occupational safety that originate from working conditions are excluded in this sub-study. This paper is exclusively concerned with potential accidents related to process safety and, in addition, only those that are major or catastrophic.
This paper starts with definitions and examples of organizational factors from the literature, followed by their relationship with the safety management system and the process barrier systems to link them to accident processes. A list of organizational factors or management delivery systems applicable for OCI Nitrogen has been compiled which outlines their information about accident processes. An example shows how the information from some organizational factors could have influenced a near-accident. In a high pressure scenario example the management delivery systems are named which are relevant to maintain barrier system's quality.

Organizational factors
The term "organizational factors" has many synonyms. It has been argued since the late 1970s that major hazard accident processes often start less conspicuously (Turner, 1978;Perrow, 1984;Kletz, 1988). The attention to latent factors in an organization led Turner to introduce his idea of incubation time. Incubation refers to mechanisms in organizations that deny dangers and risks. In the Swiss cheese metaphor of Reason (1987Reason ( ,1997, the latent factors ("pathogens") are visualized through the holes in barriers, later elaborated as basic risk factors of the Tripod model (Swuste et al., 2016b. The Joint Research Centre of the European Commission started two projects at the beginning of this millennium to develop a structure of risk management for the process industry. ARAMIS (Accident Risk Assessment Methodology for Industries) and I-Risk (the development of an integrated technical and management risk methodology for chemical installations) both examined the position and influence of organizational factors. In the context of ARAMIS they are called delivery systems  and with reference to I-Risk they are named management delivery systems (Guldenmund et al., 2006). Kongsvik, Almklov and Fenstad (2010) refer to organizational factors as organizational safety conditions, Øien et al. (2011) as functional areas and Hassan and Khan (2012) as activity indicators. But organizational factors are also described as secondary management processes (Papazoglou et al., 2003) or support safety barriers Ale et al., 2008), emphasizing the indirect impact on accident processes. Delivery systems are principal management systems that influence and ensure the continuous functioning of barriers (Duijm & Markert et al., in Li et al., 2020). In professional literature, organizational factors or delivery systems can often be elements of a (process) safety management system (CCPS, 2016;OSHA, 2021) or parts of a risk management system (HSE, 2006). Finally, organizational factors can be extracted from research methods, such as the basic risk factors of the Tripod model (Wagenaar et al., 1994).
In this paper, in addition to organizational factors, the term "management delivery systems" is also used as a synonym. The term "management delivery systems" has been used more often in the context of this research, while "organizational factors" are easier to translate into practical reality. Table 1, a (non-exhaustive) overview of organizational factors or management delivery systems, taken from referred literature

Safety management system
The organizational factors or management delivery systems support the overall management of safety barriers (Li et al., 2020). They are an integral part of the safety management system (Hale, 2005). The integrity of the primary barriers (barriers with a direct influence on the accident process, see Fig. 2) is maintained by the safety management system . The management delivery systems that support the primary barriers are considered non-technical because their working method is based on work processes and procedures in which human actions and decision-making predominate.
In order to reduce the number of accidents it is, according to Hale's concept of a safety management system, necessary to identify the hazards, determine the risks and to lower them by means of barriers, manage the barriers using management delivery systems and to review and learn from this process (Li, 2019). This paper provides a guide for the last two steps: which management delivery systems are necessary to manage the barrier systems and what do they provide to prevent future accidents? Fig. 1 shows the role of the management delivery systems in risk management (based on Fig. 3.1 from Li, 2019). In Hale's concept (2005) the management delivery systems are incorporated in the safety management system (SMS), in this context also referred to as process safety management (PSM). The influence of the management delivery systems on the accidents and nearaccidents is indirect, meaning via the barrier systems. In addition to the SMS element "review and audit", Fig. 1 shows three feedback loops based on which the safety management system can be improved.
The information from the three feedback loops can be used to develop indicators. They can provide information concerning the quality of the management delivery systems (loop 1) and of the barrier systems (loop 2). This paper aims to develop the indicators of loop 1. The loop 2 indicators, which provide insight into the status and quality of the barrier systems, are described in a previous sub-study (Schmitz et al., 2020b). The loop 3 indicators can be found in analysed (near) accident processes and are an informative feedback loop regarding learning from accidents and the functioning of the safety management system. The loop 3 indicators, also called lagging indicators, are no part of this study.

Barrier systems
Since the management delivery systems strongly influence the quality of the barrier systems, the question arises where the influence of the management delivery systems on the barrier systems takes place. And how barrier systems are constructed. A barrier system is a set of barriers that are present to prevent causes from developing into consequences (Schmitz et al., 2020b). A barrier consists of elements that detect, decide or act (Guldenmund et al., 2006). Barrier elements can be physical and non-physical or technical and non-technical but can also be subdivided as hardware (with or without software/logic) and humans (Duijm, 2009;Pitblado et al., 2016;Sobral and Guedes Soares, 2019;Li et al., 2020). The human acts as an individual based on his/her knowledge and experience or acts as part of an organization with its agreements and procedures. In this paper, the influence of the management deliv-  ery systems on the barrier elements (detection, decision, action) is investigated. It is assumed that barrier elements are technical or non-technical, whereby non-technical can be organizational or human in the form of an action or a behaviour. Occasionally a distinction is made between life cycles for barrier systems. In this sub-study, however, a subdivision per life cycle is not meaningful, because this paper concerns a characterization of the various management delivery systems and an overview of the activities of each of them.

Management indicators
What information can organizational factors provide about the accident processes? From scientific and professional literature many indicators can be linked to management delivery systems or organizational factors (Swuste et al., 2016a). Indicators are measures used to describe the state of a broader phenomenon or aspect of reality (Øien, 2001a). According to this definition, management indicators should provide information concerning the operation  Left-hand side of the bowtie of a ruptured pipe due to hydrogen embrittlement (P/T: pressure/temperature; FFS: fitness for service; SU/SD: start-up/shutdown). and efficiency of the management delivery systems or organizational factors.
To assess the quality of the management delivery systems, both qualitative and quantitative measurements must be taken (Nunen van et al., 2018). For example, a management indicator, such as the number of employees who have received safety training, can give a false impression of the quality of the training program, as it is measured quantitatively but does not consider the content (quality) of the training. Vinnem (2010) cites the preventive maintenance program as an example: if inspection intervals are too long, there may be no inspection backlog, while the risk may be unacceptably high. On the other hand, if the inspection intervals are very short, the risk of a backlog may still be acceptable.
Audits are the principle tools to assess the quality of management delivery systems. Broadly speaking, there are two types of audits: one focused on compliance and one on risks.

Compliance versus risk-based audits
The 2005 explosion at the BP Texas City refinery is perhaps one of the best investigated incidents and provides a wealth of new insights. One of these insights is the Baker Panel's concern on BP's principal focus of the audits on compliance and verifying that required management systems were in place to satisfy legal requirements (Baker Report, 2007). This was also emphasized in BP's own investigation in which it was stated that audits must include physical verification of the work activity being undertaken to ensure that the practice matches the documented procedure (Mogford, 2005). Numerous audits had been conducted at the site in line with regulatory and corporate requirements, but they had generally failed to identify the systemic problems with work practices (CSB, 2007). However, requiring compliance rather than risk assessments prevents endless discussions about whether certain risk mitigation strategies are needed (Hopkins, 2008). There is clearly a difference in audits that take place on the basis of compliance with legislation, and regulations and audits where risk plays a prominent role.
There is a growing interest in what is called "scenario based auditing" (Guldenmund et al., 2006;Zemering and Swuste, 2005). Where regulatory inspections tend to be focused at the technical level, Hopkins (2008) suggests an additional focus on organizational issues. According to Hopkins, root causes of major accidents, like the BP Texas City refinery incident, are to be found at the organizational level in decisions made by senior managers who are remote from the accident. This paper provides a way to conduct audits or reviews which are both compliance and risk-based, and which focus on organizational factors that influence the qual-ity of barriers and thus influence the major accident processes. By doing so, major accident processes get the attention they deserve, and the necessary actions are taken at the right management level.

Methodology
Management must ensure that barriers work effectively via the management delivery systems (Guillaume, 2011). In Fig. 2 the management delivery systems are indicated below the bowtie, which shows the integration with the organization according to De Ruijter and Guldenmund (2016). The bottom-up arrows in Fig. 2 indicate the influence of the management delivery systems on the primary barriers. The primary barriers are drawn as thick, vertical lines in the scenario. They stop the development of an accident process and consist of both technical and non-technical barrier elements. Management delivery systems are non-technical in nature. They are work processes and procedures in which human action and decision-making predominate. Fig. 2 also shows arrows that do not point at barriers but at scenarios. There are management delivery systems that may promote errors and create latent, dangerous conditions if not properly managed. They are called "performance influencing factors" or "error producing conditions". They may have a general influence on scenarios and impair the effectiveness of the barrier systems (Sonnemans et al., 2010). An example of this is communication such as shift (transfer) reports and work agreements between the maintenance and production departments.
Management delivery systems provide support to the primary barriers. A plan must be drawn up to guarantee this support. The plan may include a course of action or strategy as well as the roles and responsibilities of staff and the deployment of resources. In addition, the plan may contain success factors and goals, and address items like backlog in planning, quality of the work delivered, follow-up of actions, reporting, qualifications of personnel and evaluation of the implementation. The plan must be checked and approved, known and accessible. The design and quality of the plan influence the results of the implementation, both quantitative and qualitative. The results determine the extent to which the primary barriers receive and benefit from the necessary support. The plan must therefore not only be well designed, but also be properly implemented.
When monitoring management delivery systems, it should be determined whether and to what extent they deliver such an output that 1. the barrier systems can be expected to be trustworthy, meaning reliable/available and effective (Schmitz et al., 2020b); 2. no latent, dangerous conditions are created. To assess the management delivery systems, both the plan and the implementation should be monitored qualitatively as well as quantitatively. Existing laws and regulations, the applicable internal requirements and guidelines, current 'good practices' and 'expert judgment' largely set the standard.

Case study
A safe installation requires a robust design based on "defence in depth". For any barrier installed to prevent a dangerous scenario from developing, the essential conditions must be identified by the organization for it to work (Hale, 2005). Once this has been completed, it will then have to be monitored to determine whether the conditions are always being met. Monitoring can be done not only at the level of the (primary) barriers (loop 2 in Fig. 1), but also at the level of the management delivery systems (loop 1, Fig. 1). In any case there should be a focus on potential changes (Øien, 2001b). In this way, management delivery systems, as part of the safety management system, contribute to the safe management of organizational to operational level.

The management delivery systems of OCI nitrogen
In Table 2, the organizational factors from Table 1 are combined into nine management delivery systems, which are able to support all primary barriers of the accident processes at OCI Nitrogen. They are each described regarding their function and purpose. A management delivery system does not necessarily have to be implemented by one department or team, but can be divided within an organization, whereby the responsibility may lie with several departments, teams or roles. For example, inspections of pressure equipment are conducted by an independent or external notified body, whereas the testing of instrumental safeguards is done by a maintenance department. Training and education is provided by a number of instructors, who are part of the operational staff. Selection and competence management is done by the HR department in consultation with operational management. Table 2 also provides an overview of the main activities of the nine management delivery systems. The activities are divided into actions related to the plan to achieve the goals and to the implementation of the plan. In the next sections, a number of management delivery systems is elaborated on the basis of two examples.

A near-accident as a result of hydrogen embrittlement
Ammonia was smelled during an operator round in 2018. Further investigation by the plant operator revealed that the insulation shell of a pipe was partially coloured and that synthesis gas and ammonia were leaking out. The ammonia plant was immediately stopped and depressurized. After the insulation material was removed, a crack could be seen along a weld of the pipe. As local repairs were not possible, part of the pipework was removed and replaced. The pipe was cracked circumferentially and partly through the entire wall of 50 mm, indicating high stresses in the pipe system. This was confirmed by the fact that all spring hangers of the pipe system were out of reach. The piping system is provided with spring hangers to balance slight vertical displacements. If the spring hangers are not properly adjusted or do not function properly, large, local tensions can arise in the pipe system.
Metallurgical research has shown that there were no weld defects and the weld met the standards. The conclusion of the metallurgical investigation was that internal, high stresses caused the cracking due to incorrect mounting, too high hardness and a notching effect of the weld. The failure mechanism was classified as hydrogen embrittlement, also known as stable crack growth.
Further investigation revealed that this pipe section was replaced in 2012 when a new heat exchanger was installed. The spring hangers of the pipe system were not fixed when the old pipe was dismantled at the time, after which the new pipe was measured incorrectly. In addition, the bend and the pipe were forcibly aligned before the pipe joint was welded. This resulted in permanent, high tensions at the location of the weld.
The left side of the bowtie of this accident process has been drawn up based on two internal, non-public investigation reports (Fig. 3). This part of the bowtie shows two (primary) barriers, of which the first primary barrier has one barrier element and the second primary barrier has three elements. The first barrier concerns welding according to a procedure, the so-called golden weld procedure. The golden weld procedure is used in pipelines and piping networks where (hydrostatic) pressure tests can not be performed. The golden weld procedure ensures that safety-critical steps are taken. Failure to follow the procedure properly can lead to a latent, unsafe condition (Schmitz, 2012). The management of predictive, preventive and corrective maintenance programs (execution, planning and registration) of all hardware and software structures, systems and components.

Plan
Preventive maintenance plan, corrective maintenance goals, quality goals, and strategy regarding outstanding activities Implementation Preventive maintenance backlog, corrective maintenance completion, quality of work and reporting, availability of plant equipment and backup systems, and action tracking Inspection and testing The management of the inspection and testing programs (execution, planning and registration) of all hardware and software structures, systems and components.

Plan
Inspection plan, quality goals, strategy regarding outstanding activities, and inspection and test procedures Implementation Inspection & testing backlog, quality of work and reporting, and action follow-up Training and competence The management of selection and training of personnel that guarantees sufficient knowledge and skills for the safe execution of the critical business processes and activities.

Plan
Training program, training goals, and competence matrix including tasks and responsibilities Implementation Knowledge and skills, education and training, and qualifications and certifications

Management
The management of a company or organization in which the following aspects play a role: policy, commitment and motivation, goals, planning and availability of personnel, workload, safety culture, conflict management, leadership, and communication with the workforce.

Plan
Planning of work, availability of resources, and production, quality and safety goals Implementation Staffing of teams, workload, follow-up of HSE actions, order and tidiness, committed and informed staff, and safe and healthy working environment, and supervision

Procedures
The management of a system in which rules, working methods and agreements are described concerning, among other things, changes in the plant (MoC, Management of Change), work permits (Permit to Work), job safety analysis (JSA), last minute risk assessment (LMRA), overriding, pre-start-up safety review (PSSR), LoToTo (log-out, tag-out, try-out), and special repair and golden weld procedures.

Plan
Procedures and working methods that are practically feasible and that comply with legislation and regulations Implementation Implementation in accordance with the procedure

Plant documentation
The management of plant related documentation including operating instructions.

Plan
Review plan, and archiving policy Implementation Readability (clarity and completeness), resemblance to the current situation, availability, and accessibility Communication and coordination All oral and written communication and coordination between the different departments of the primary business process.

Plan
Agreements about cooperation, communication, and reporting Implementation Work and shift transfer, cooperation between Operations and Maintenance department, shift reporting, project transfer to the Operations department, and (near) accident reporting Plant design and operations The technical design and operation of the plant including the man-machine interface, ergonomics and physical environment.

Plan
Plant specbook, operating instructions, environmental permits, and safety studies including action plans Implementation Plant performance, plant failure, trustworthiness of safety systems (override), plant control system performance (manual mode), use of backup systems, design & safety operating windows, alarm overload, permit violations, and action follow-up from safety studies

Hardware integrity
The condition of the hardware, including the safety critical systems.

Plan
Policy regarding plant availability and spare parts, legislation and regulations, and hardware assessment studies (FMEA, corrosion and mechanical failure mechanisms) including action plans, maintenance programs, and condition monitoring Implementation Hardware condition incl. safety systems, availability of plant equipment, backup systems and safety critical equipment, integrity operating window, and action follow-up from hardware studies The second barrier comprises of three elements: a different pressure and temperature image during start-up or shutdown of the installation is an indication that hydrogen can become trapped in the metal grid. In combination with increased stresses (including stresses caused by a malfunctioning spring hanger), this may lead to hydrogen embrittlement and cracking. A fitness-for-service analysis and/or a stress calculation can show whether and where an inspection or non-destructive examination should take place. An inspection or non-destructive examination may reveal to what extent cracking has occurred and whether repair or replacement of the weld is necessary.
This accident process could develop because the two barriers did not function or were not present. The golden weld procedure has been in place for a long time and was a mandatory procedure at the time of the new heat exchanger. The investigation established that the procedure was not (fully) followed, meaning that the first barrier was not reliable/available and/or not effective. Knowledge regarding hydrogen embrittlement in this pipeline system was only acquired during the accident investigation. That means the second barrier was not present. A deviating pressure/temperature picture during the start-up and shutdown of the ammonia installation was not reported because it was not deemed necessary. The position of the spring hangers was not considered because their importance has been lost over time.
The four barrier elements of the two primary barriers can be linked to one or more of OCI Nitrogen's nine management delivery systems (Table 2) as is shown in Fig. 3 for the first two barrier elements. The question here is to what extent the malfunctioning of the management delivery systems contributed to the failure of the barrier elements. In Table 3, the management delivery systems of the barrier elementsgolden weld procedureänddeviating P/T imageäre elaborated. • What is in the plan (selection, planning)?
• What goals have been set?
• Are the plan and goals known?
• Is there a plan regarding outstanding activities?
• Are the plan, goals and strategy periodically evaluated?
• What is the quality of the inspection and test protocols? • Who has checked and approved these protocols?
• Do the protocols meet standards and legislation? Implementation: • Inspection & testing backlog • Quality of work and reporting • Action follow-up • Are the inspectors sufficiently qualified?
• How and to whom is reported?
• Who assesses and approves the reports?
• What should be done in case of deviations?
• Who assesses and approves repairs and corrective actions?
• To what extent has the plan been implemented according to schedule? • How many inspections meet the set quality?
• When is the inspection backlog too extensive?
• How is the follow-up of actions arranged?
• Is the implementation process periodically evaluated?
Procedures Plan: • Procedures and working methods that are practically feasible and that comply with legislation and regulations • Are the procedures known and understood?
• Are the procedures accessible?
• What is the quality of the procedures?
• Are the procedures practically feasible?
• Do the procedures comply with laws and regulations?
• Are the procedures periodically evaluated? Implementation: • Implementation in accordance with the procedure • How is the application of the procedures monitored?
• Who assesses deviations in the implementation of the procedures?
• What happens if the procedures are not applied or applied incorrectly?
• What percentage of the procedures is applied as agreed?
• Is the implementation process periodically evaluated?

Training and competence
Plan: • Training program • Training goals • Competence matrix • What is the quality of the training program?
• Are the goals realistic and achievable?
• Are all roles addressed in the competence matrix?
• Who has drawn up, checked and approved the training program, goals and competence matrix? • Are the program, goals and competence matrix periodically evaluated? Implementation: • Knowledge and skills • Education and training • Qualifications & certifications • Is the training program being carried out according to plan? • How are knowledge and skills tested?
• Who assesses the substantive depth of the training courses?
• Do the training courses correspond with practice?
• Are non-standard situations also trained?
• Is the practice supported by theory?
• Are major hazard accident processes also discussed?
• What happens if someone is insufficiently qualified?
• What qualifications do the trainers have?
• Is the implementation process periodically evaluated?

Hardware integrity
Plan: • Policy regarding plant availability and spare parts • Legislation and regulations • Hardware assessment studies (FMEA, corrosion and mechanical failure mechanisms), including action plans • Who has drawn up the policy?
• Who has checked and approved the policy?
• Is the policy periodically evaluated?
• Are the latest laws and regulations being acted upon?
• Have the corrosion and mechanical failure mechanisms been identified?
• Who did the hardware assessment?
• How often does a hardware assessment take place?
• What are the starting points?
• Who checks and approves the assessment studies? • What is the general condition of the hardware?
• How many safety systems are inoperative and why?
• How often is the plant availability due to deteriorated hardware condition?
• What is the availability of backup systems "on demand"?
• Has an integrity operating window been defined?
• How often has the integrity operating window been exceeded?
• What is the procedure when the integrity operating window has been exceeded?
• How is the follow-up of actions from hardware studies arranged?
• What is the size of the backlog?
• Is the implementation process periodically evaluated?
For the golden weld procedure, the management delivery systems "inspection and testing" and "procedures" play a role and for deviating P/T image these are "training and competence" and "hardware integrity". Table 3 shows a non-exhaustive list of in-depth questions regarding the plan and implementation of the four management delivery systems, which can be answered during an audit or peer review. In order to be able to assess the plan, questions must be asked that elaborate on the development of the plan (control, approval), the familiarity and accessibility, the content (scope, goals, planning, success factors, tasks and responsibilities) and the evaluation. In order to gain insight into the implementation, questions should be raised concerning the realization of the activities, the backlog of the planning, the quality of the work, the follow-up of actions, the reporting, the qualifications of personnel, and the final evaluation.
The golden weld procedure is a well-known procedure which importance and content should be understood by the users. The procedure has been adjusted at times but has never been thoroughly evaluated. Too often the use of the procedure has been supervised from the desk and too little in the field, whereas this is stated in the procedure. It relied on verbal feedback rather than on field verification. This also applied to the welding in 2012: the bend and the pipe were forcibly aligned before the pipe joint was welded. Had the inspector been on site, the work would have been rejected before welding had even started. The question of how the application of the procedure was supervised, should have provided an indication that the method used in practice deviates from what is stated in the procedure and may have led to dangerous situations.
Knowledge regarding hydrogen embrittlement plays a major role in the second barrier. There was no knowledge concerning the failure mechanism and deviating pressure/temperature images were not reported because their danger was unknown. Until recently, only the corrosion and mechanical failure mechanisms that could develop during normal operation of the ammonia plant had been assessed. It was only very recently that this was also done for the operational phases of start-up and shutdown, which resulted in knowledge regarding hydrogen embrittlement, and stable crack growth in particular. The studies conducted in the past had never been assessed by an (external) expert. Substantive questions about the results and starting points of the assessment studies could have discovered this gap.

An example of an overpressure scenario
Major hazard accidents are prevented by barriers, which are divided into eleven types by Guldenmund et al. (2006). Three of the most common barrier types are: "activated -manual, human action triggered by active hardware detection(s)", "activated -automated", and "activated -hardware on demand". As explained in section 1.3, barrier elements can be technical or non-technical, meaning that they are either hardware or software related, or human or organization related. The following example examines the management delivery systems of a human barrier element (activated -manual, human action triggered by active hardware detection(s)) and a hardware barrier element (activated -hardware on demand).
Once ammonia is formed, it is cooled and collected in vessel V3304 at 200 bar. From this level controlled vessel the liquid ammonia is depressurized through an orifice and collected in another vessel (V3305) at much lower pressure. The receiving vessel V3305 may be overpressurized when the orifice is not working properly. This is the case when vessel V3304 is empty and is releasing ammonia gas in stead of liquid. The overpressure scenario is safeguarded by two low level alarms (LAL3045 and LAL3046) installed at V3304 followed by an operator action to close both drain valves (LPV3045 and LPV3046), and a (mechanical) pressure relief valve (PSV3014) at the receiving vessel, as shown in Fig. 4.
The barrier system basically consists of two different barrier elements: human and hardware. For the barrier element human (the operator action) the management delivery systems training & competence, plant documentation, and management come into consideration. For the hardware barrier elements, these are maintenance, inspection & testing, procedures, and hardware integrity.
The operator is, as it were, the acting barrier element of the alarm. He/she should know what to do according to the operating instructions. The operator should be trained, know his tasks and responsibilities, and have the most recent information. The organization should maintain the level of knowledge and ensure that the operators are competent and focused on their tasks. The "training & competence" plan outlined in Table 2 should ensure that there is a training program that reflects reality, training goals are defined, and a competence matrix is in place including tasks and responsibilities. The department responsible for maintaining the plant documentation also plays an important role. For example, not only should operating instructions be regularly reviewed to ensure they are up to date, but they should also be readily accessible. An archiving policy must ensure that only the most recent version can be requested. Based on the planning and the availability of resources, management must ensure a proper workload, staffing of teams, and supervision on the shopfloor. Because even if the operator has received the right knowledge and operating instructions, unnecessary mistakes are made under work pressure and when supervision is lacking.
Good maintenance, testing and inspections are necessary to guarantee the trustworthiness of the (hardware) barriers. The hardware should at least be maintained according to the manufacturer's manual so that the most common defects are avoided. And if a barrier fails, it must be determined in advance with what priority it will be restored. The maintenance regime can be judged by its backlog of preventive maintenance and the completion of corrective maintenance, but also by the quality of the work and ultimately the availability of the hardware. In addition to proper maintenance, the trustworthiness of barriers must also be guaranteed through testing and inspection. A plan must be drawn up for this, whereby the implementation takes place according to established procedures under the supervision of qualified personnel. Its implementation can be checked based on the measured backlog, the quality of the work and its reporting, and the action followup. An override procedure should control the barriers' availability by an established working method and responsibilities. Finally, the assessment of the hardware condition provides a general picture. Use of hardware under extreme conditions make hardware failures more likely. Hardware studies such as a failure mode and effect analysis and condition monitoring can contribute to a better trustworthiness of safety critical equipment, including safety barriers. Fig. 1 shows that there are several feedback loops from which information can be obtained to predict major hazard accidents or detect flaws in the process safety management. Qualitative information of management delivery systems can be generated from audits or peer reviews that are conducted once every three to four years by internal and/or external experts. Management delivery systems can also be partly monitored by self-assessments on a more frequent basis, say annually, by anyone not belonging to the management delivery system but to the organization and therefore familiar with the organizational issues and work processes. Quantitative monitoring on a more frequent basis should only be conducted when audits or peer reviews do not reveal major shortcomings or findings.

Results and discussion
In both the near-accident and the overpressure example, only a qualitative consideration of the management delivery systems has been made. The questions of Table 3 are closed questions, to be answered by a yes or no, or by a statement. It is up to the auditors to give their judgement on the plan and implementation. Only if they are confident that the management delivery system is able to guarantee the barrier system's quality, it is meaningful to monitor some critical elements in a quantitative way. An example of a quantitative assessment of the (activities of the) management delivery system "inspection and testing" is shown below. Note that the threshold values are indicative and can serve as management indicators once they are established.
• Periodic evaluation of the plan, goals and strategy: the evaluation is on time and the report is finished no later than two weeks after that; • Approval of inspection and test protocols: at least 90 % has been approved by a third party before execution; • Protocols meeting standards and legislation: at least 75 % has to be compliant; • Inspectors qualifications: no underqualified inspectors; • Reporting approval: at least 75 % is checked by a peer inspector within the deadline; • Reporting quality: at least 75 % is right the first time; • Inspection backlog: 90 % inspections are done on time and right the first time; • Action follow-up: no actions overdue longer than 1 month.
Organizational factors or management delivery systems are non-technical in nature and must be regarded as work processes and procedures in which human actions and decision-making predominate. Humans are partly influenced by the environment in which they work and by the systems with which they work, in the course of which they will always try and find the easiest way, even if it is more dangerous. It cannot be assumed that humans always act rationally. Only when an organization has the right questioning attitude it will be able to find the mechanisms obstructing their work processes and procedures. Conducting an audit or peer review requires more than just asking questions. According to Hale (2005), safety auditing is an art with very little scientific basis. Both an audit or review and a self-assessment of the plan and its implementation should in any case be substantiated with sufficient samples. It is hard to direct how many samples should be checked from which the auditor or assessor can give an opinion about the functioning and quality of a management delivery system. It mostly depends on the auditee's answers whether follow-up questions are being asked or not.
The questions in Table 3 are mainly procedural in nature and largely ignore interpersonal relationships. Communication and cooperation (not understanding, poor communication, not being informed) are vital and necessary for work processes and procedures to function properly. In addition, there may be contradictory goals or limitations in time and/or resources, as a result of which choices must be made, making it not always possible to follow the procedure in full. It is up to the auditor to discover these sensitiv-ities and determine to what extent they hinder the functioning of the management delivery systems as a whole.

Conclusions
The main question of this sub-study is whether major hazard accidents related to the ammonia production process can be predicted by monitoring organizational factors. This question has been answered from five sub-questions. A (non-exhaustive) overview has been provided of organizational factors or management delivery systems from the scientific and professional literature. The relation of the organizational factors with the accident processes runs through the barrier systems. Organizational factors indirectly impact accident processes as they strongly influence the quality or trustworthiness of the barrier systems. Qualitative and quantitative monitoring of organizational factors can provide a picture of their operation and efficiency. A list of nine organizational factors or management delivery systems has been compiled which are applicable for OCI Nitrogen. By putting the right focus on organizational factors during audits or reviews, major accident processes get the attention they deserve, and the necessary actions are taken at the right management level. From an example on retrospective data it has been demonstrated that targeted questions could have provided such an insight into several organizational factors or management delivery systems that it is conceivable that further indepth investigation would have prevented the near-accident from happening.
Malfunctioning management delivery systems can promote a major hazard accident process. Management delivery systems like management, and communication and coordination could also be considered as "performance influencing factors" or "error producing conditions". Their influence on scenarios is more general in nature and not through the barrier systems, but via promoting errors and creating latent, dangerous conditions if they are not properly managed.
A quantitative assessment has been worked out for one of the management delivery systems so to provide an example of management indicators. But as the examples shows, determining threshold values for which action is required is an intricate matter, because the influence on the accident processes is difficult to determine. More retrospective research into accidents is required to validate these threshold values. Once threshold values have been set, (management) indicators can be developed, which are measured at a frequency of, for example, once a month or once a quarter.