“But how they can be charged with negligence because they were not wizards, appellant’s brief does not make clear.”  — Osmond K. Fraenkel, successfully arguing before the New York Supreme Court, 1935

In a world where companies tout “Zero Incidents,” not as an aspirational definition of perfect safety, but as a measurable and achievable target, incidents still occur. Why?  After all, wasn’t there a process hazard analysis, a PHA?  Aren’t PHAs supposed to keep incidents from happening? Why didn’t the PHA catch this?

Three Reasons

PHAs are excellent tools for identifying process hazards and prompting a team to consider the consequences of each hazard and whether there are sufficient safeguards. Sloganeering notwithstanding, there are typically three reasons that a PHA does not prevent all incidents:

  1. A PHA doesn’t look for all hazards.
  2. When a PHA finds a hazard, it must then determine if the risk is tolerable.
  3. A PHA, being a human endeavor, is not perfect.

A PHA Doesn’t Look for All Hazards

A process hazard analysis—typically a HazOp, but there are other methods—looks for process hazards.  A process hazard is one that can result in a fire, an explosion, or a toxic release. There are other kinds of hazards; transportation, workplace violence, slips, trips, or falls, and struck by or against objects are the other major categories of workplace hazards. PHAs are not designed and not intended to look for these kinds of hazards.  Sometimes a PHA will address a non-process hazard, but that is not its purpose.

When someone is injured while evacuating, perhaps by slipping down a ladder or tripping over a curb, that injury is not caused by a process hazard, even if it is in response to one.  The person is no less injured, but the hazard is not something the PHA was intended to identify.

Why didn’t the PHA catch this? It wasn’t looking for it.

A PHA Determines Whether Risk is Tolerable

While there are certain hazards a PHA is simply not designed to look for, a PHA is designed to look for process hazards. Many incidents occur, not because the PHA did not recognize the process hazard, but because the PHA determined that, with the existing safeguards and any recommended safeguards, the risk of the hazard had been reduced to a tolerable level.

The PHA team asks, “What have we got that will prevent this incident.”  “We have X!” they proudly exclaim.  “Yeah, but what if X doesn’t work?  After all, nothing is perfect.”  “Then we also have Y,” they answer.  “And if Y doesn’t work either?”  “Then we have Z.”  “And if Z doesn’t work?”

At some point, the team acknowledges that zero risk is unachievable, that the best they can hope for is risk that is low enough, risk that is tolerable.  To tolerate the risk is not to embrace it, but to endure it.  At some point, the risk becomes endurable, tolerable.  Not because it can’t be lower, but because the team believes, given the risk tolerance criteria of the analysis, that it is low enough.

Why didn’t the PHA catch this?  It did.  But tolerable risk isn’t zero risk.

We’re Engineers, Not Wizards

PHA teams are not omniscient—all-knowing, all-seeing wizards striding god-like through the process safety landscape, using their magical staff, the “pha”, to point out all hazards to their weary fellow-travelers. PHA teams consist of engineers, operators, supervisors, and technicians doing the best they can with the finite time and finite resources they have.

A Venn diagram of all process hazards

Consider a Venn diagram of all process hazards. A real PHA team will find most of the hazards and perhaps identify some things as hazards which are not.  But it won’t find everything.  A second team, or even the first team at a different time, will find most of the same hazards.  It will probably find some hazards the first team didn’t find, but it will also miss some hazards the first team did find.  The same is true for a third team.  But no PHA method, regardless of how many times it is repeated, is perfect.

Why didn’t the PHA catch this?  Because we’re engineers, not wizards.


“Why didn’t the PHA catch this?” is a question that often raises hackles, especially among those that participated in the PHA.  They know they put serious effort into identifying hazards, evaluating the consequences, and determining whether the existing safeguards were sufficient or whether additional safeguards should be recommended. They know that there is always more that could be done, that judgment was required. They know they did the best job they could, given the time and resources they had.

So, when the question is asked, people become defensive. It is easy to see the question as applying the benefit of hindsight and retrospection to second-guess a completely prospective analysis. It feels like blame is being assigned when it shouldn’t be.

Improving PHAs and Hazard Recognition

If the intent of the question, “Why didn’t the PHA catch this?”, is not to blame, but to improve PHAs in the future, then it is a fair question.  A better question, though, is “How do we catch this kind of hazard in the future?” There are always opportunities to improve. Incidents are learning experiences. There is a reason that OSHA requires that PHAs consider previous incidents. While we learn from our own experiences, ideally, we learn from the experience of others. Especially for new facilities or facilities not yet built, where we have no experience at all, we must learn from the experience of others. That is where the real wizardry is.


This blog is based on an earlier version, “We’re Engineers, Not Wizards: Why Didn’t the PHA Catch This”, posted on 19-Dec-2017 by Elsevier in Chemicals & Materials N


  • Mike Schmidt

    With a career in the CPI that began in 1977 with Union Carbide, Mike was profoundly impacted by the 1984 tragedy in Bhopal and has been working on process safety ever since.