Lessons from Production, Engineering and Process Safety

Vinit Pandey · 2 February 2026

The relationship between production operations, process engineering, and process safety is frequently described as if the three functions share identical goals pursued through different methods. They don't, entirely — and the friction between them, when properly understood rather than suppressed, is one of the more reliable sources of genuine risk insight available to a facility.

Three functions, three different relationships with uncertainty

Production operations is fundamentally oriented toward maintaining continuity — keeping the process running, meeting throughput targets, and minimizing unplanned downtime. Its institutional knowledge is concentrated in the accumulated experience of how the actual plant behaves, which often diverges in specific, documented-nowhere ways from how the plant's design documentation describes it.

Process engineering is oriented toward the process as a designed system — mass and energy balances, equipment sizing, control logic, and the technical basis for why the plant is configured the way it is. Its institutional knowledge is concentrated in documentation: P&IDs, design basis reports, calculation packages, and the technical rationale behind operating limits.

Process safety is oriented toward the identification and control of hazards that could lead to loss of containment, injury, or catastrophic consequence — a function that draws on both production's operational reality and engineering's technical basis, but whose primary obligation is the prevention of low-probability, high-consequence events that neither of the other two functions is structurally positioned to prioritize on a daily basis.

Where the friction is productive

The most valuable HAZOP findings consistently emerge from genuine disagreement between production and engineering perspectives in the room — not from a facilitator's checklist, and not from either function operating alone. An operator's observation that 'we actually run this valve differently than the procedure says' is exactly the kind of input a structured HAZOP technique is designed to surface, and it routinely reveals either an undocumented operational workaround masking a real design inadequacy, or an operational practice that has quietly drifted from a safety-relevant assumption embedded in the original design basis.

This is precisely why CCPS guidance and IEC 61882 both specify that a HAZOP team must include both process engineering and operations representation, not as a procedural formality but because the technique's effectiveness depends on the friction between documented design intent and actual operational reality being surfaced and reconciled in the same room, under structured guide-word discipline.

Where the friction becomes dangerous

The same friction that produces valuable hazard insight in a structured HAZOP setting can produce dangerous drift when it occurs informally, outside any structured review process. Production pressure to maintain throughput can lead to informal procedural workarounds that are never fed back into engineering's documentation or process safety's hazard basis. Individually, many of these adaptations are operationally reasonable responses to real plant behavior. Collectively, and without a feedback mechanism, they create a growing gap between the plant as documented (and as HAZOP'd) and the plant as actually operated.

The Piper Alpha investigation's central finding — a permit-to-work system breakdown that allowed maintenance and operations to lose track of a valve's actual status — is, at its root, exactly this kind of gap: a breakdown in the structured feedback loop between what operations was actually doing and what the facility's safety systems assumed was true. The lesson generalizes well beyond permit-to-work specifically: any facility relying on documentation to reflect actual operational practice needs an active, structured mechanism for catching drift, because drift is the default outcome of normal operational pressure absent that mechanism.

What process engineering owes process safety, and what it often fails to deliver

Process engineering's core obligation to process safety is a design basis that genuinely reflects the process's actual behavior, including its failure modes — and the recurring failure pattern is a design basis developed under idealized or steady-state assumptions that does not adequately characterize transient, startup, shutdown, or upset conditions, which is precisely when most process safety incidents actually originate.

What operations owes process safety, and what it often fails to deliver

Operations' core obligation to process safety is honest, complete disclosure of how the plant actually runs — including the workarounds and informal adaptations that every experienced operator knows about and that no design document captures. The recurring failure pattern here is not deception, in the overwhelming majority of cases — it is the ordinary human tendency to normalize an adaptation that has worked without incident for long enough that it no longer registers as a deviation worth mentioning.

What process safety owes both functions, and what it often fails to deliver

Process safety's core obligation to the other two functions is translating hazard analysis findings into recommendations that are genuinely implementable within real production and engineering constraints. A recommendation requiring continuous manual monitoring that the facility's actual staffing model cannot sustain is not a safeguard; it is a finding that will be implemented on paper and abandoned in practice within months.

The synthesis: why all three functions improve when they actually talk to each other under structured discipline

None of this friction is resolved by assigning blame to any one function — it is resolved by structured mechanisms that force the three perspectives into the same room, on a predictable cadence, with a technique designed to surface disagreement productively rather than suppress it. The facilities that manage this well are not the ones where production, engineering, and process safety agree easily — they are the ones where disagreement between these functions is treated as valuable signal, surfaced through structured technique, and resolved through documented engineering judgment rather than informally absorbed into whichever function has the most immediate organizational leverage at the time.
