Review – OSHA Announces PSM Stakeholders Meeting – 9-28-22

Today, DOL’s Occupational Safety and Health Administration published a meeting notice in the Federal Register (87 FR 53020-53021) for a “Process Safety Management (PSM); Stakeholder Meeting” on September 28^th, 2022. According to the notice, OSHA is inviting “interested parties to participate in an informal virtual stakeholder meeting concerning the rulemaking project for OSHA's Process Safety Management (PSM) standard, at which OSHA will provide a brief overview of its work on the PSM rulemaking project to date.”

Registration and Comments

Personnel wishing to participate in the WebEx meeting can register on-line (NOTE: the link currently returns a ‘404 – File Not Found’ message). Presumably, that link can also be used to register to provide oral comments. Personnel wishing to submit written comments may do so via the Federal eRulemaking Portal (www.Regulations.gov; Docket OSHA-2013-0020).

Commentary

When this rulemaking was initiated back in 2013, chemical manufacturing control systems were becoming much more common, even in smaller facilities. Cybersecurity for those systems, was not much of a concern because the air-gapped-systems myth was still generally accepted even though the first successful control-system cyberattack against an air-gapped system had been conducted three years earlier. OSHA needs to consider including some sort of cybersecurity language in the PSM standard. That language should include requirements to:

• Identify safety critical control systems and the electronic systems connected to them,

• Identify security controls (physical and electronic) in place to protect both of those systems,

• Identify system logging and response responsibilities, and

• Identifying processes to be used to identify and fix system vulnerabilities.

Process safety information identification standards in §1910.119(d) should include a requirement to list industrial control system equipment that controls, protects or monitors covered processes. Additionally, process hazard analysis requirements of §1910.119(e) should specifically include requirements to identify industrial control system elements that are involved in the control or monitoring of the identified process hazards associated with the covered processes; this should include a failure mode analysis (including cyberattack) and failure consequence analysis.

For more details about this meeting notice, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/osha-announces-psm-stakeholders-meeting - subscription required.