Managing and proving compliance of a seemingly endless number of rules and regulations is a complex, intricate, and often underappreciated responsibility. New and changing compliance requirements, particularly within the past decade, are challenging even the most sophisticated organizations.
Compliance demands come from all areas of government and industry, domestic and international, and some are stipulated internally such as corporate performance requirements and service level agreements. Even voluntary standards, such as ISO 55000 for asset management, are being actively adopted.
The contents and behavior of compliance reports are governed by the various authorities and reference standards. Managing a task of this magnitude requires accountability and proper controls, because errors or delays have consequences that extend far beyond regulatory fines and administrative burdens.
To better understand the priorities, challenges, costs and resolutions, four industry professionals were invited to share their perspectives on compliance reporting.
Urgency drives best practices
Compliance reporting concerns can vary by industry and company size, but the highest priority obligations – those with the greatest consequences of noncompliance – tend to garner the greatest attention. Effective reporting practices and systems for the most urgent needs could serve as a model for other compliance requirements.
For example, compliance for some facilities is driven by corporate mandates. Directives of this nature are automatically a priority. “This may include the results of condition monitoring for assurance of reliability, safety, and environmental traceability. It is accomplished by following OSHA, NEC’s NFPA 70B and 70E, and possibly the EPA,” says Roy Huff, principal at The Snell Group (www.thesnellgroup.com).
For many companies, insurance providers are driving compliance of infrared inspections (Figure 1). “Reporting on this varies with the provider,” remarks Huff. “In some cases, simply a hard-bound copy of the results of the required annual infrared inspection is all that is needed. But in most situations, there needs to be some method of verification that repairs were successfully completed. That requirement may be supported by a facility’s CMMS program or an information management solution that integrates the results of the condition-based monitoring program.”
Safety is a universal concern. “Perhaps the most consequential compliance requirements for any industry are those that are safety related. Trumping these would be the requirements that marry safety, reliability, and process; specifically, those identified by OSHA’s 29 CFR 1910.119, Process Safety Management (PSM) of Highly Hazardous Chemicals,” says John Ross, senior consultant at Marshall Institute (www.marshallinstitute.com).
“Within PSM, two of the most critical compliance reports are the Process Safety Information (PSI) and the Process Hazard Analysis (PHA). They both require update on a prescribed basis,” explains Ross. “The PSI package is meant to provide information for processes engaging the 155 identified Highly Hazardous Chemicals (HHCs). For PHAs, the regulation is very clear: ‘The employer shall perform an initial process hazard analysis (hazard evaluation) on processes covered by CFR 29 1910:119. The PHA shall be appropriate to the complexity of the process and shall identify, evaluate, and control the hazards involved in the process.’ ”
Certain industries face unique demands. “In power generation, compliance reporting can be as simple as meeting corporate mandates with an emphasis on environmental requirements in the coal industry, or as complex as meeting Nuclear Regulatory Commission (NRC), National Nuclear Security Administration Production Office (NPO), Nuclear Electrical Insurance Limited (NEIL), Environmental Protection Agency (EPA) and site-specific requirements where results of condition monitoring must be completed and fully documented for compliance in the nuclear industry,” says The Snell Group’s Huff.
“In the operations department at a nuclear plant, probably the most important reporting requirement is for emergency situations,” says Steven Turrin, training superintendent at Perry Nuclear Power Plant (www.firstenergycorp.com). “There are standards that have to be met, a protocol for how the information is relayed, and short timeframes are involved. We fill out a formatted form called the 50.72 and provide it to the NRC when there’s an emergency declaration on the site. It’s a regulated process for the nuclear industry based on the Event Reporting Guidelines in 10 CFR 50.72, so we all pretty much do it the same way.”
For users of hazardous or chemical substances, there are comprehensive regulations like the European RoHS and REACH, which most companies are complying with today, says Reid Paquin, manufacturing research analyst at Aberdeen Group (www.aberdeen.com). “A recent U.S. regulation, which came into effect on May 31, 2014, is a section of the Dodd-Frank Act that requires the reporting of conflict minerals to the Securities and Exchange Commission. Basically, the rule applies to any company that uses minerals including tantalum, tin, tungsten, or gold (3TG). The company must report its products as either ‘Conflict Free’ or ‘Not Conflict Free.’ ”
Face the barriers
Improper alignment of people, processes, and technology will hinder any efforts to manage compliance reporting.
“A lack of awareness is always a challenge we see when it comes to compliance reporting, especially as compliance requirements increase and become more complex,” says Paquin. “We conducted a survey in April 2014, a month before conflict mineral reporting was required, and found that roughly 30% of respondents weren’t even aware of this new reporting requirement” (see Figure 2).
The second most common challenge Aberdeen sees when it comes to compliance reporting is the manual or spreadsheet-based processes some companies rely upon. “This is especially a concern for something like conflict mineral reporting, as the time required to trace all of your components back to the substances used would be too burdensome if performed manually,” explains Paquin.
“The challenges companies face are very simple: they don’t have the processes in place to consistently comply with the requirements, and even if they do, they don’t have the processes or the culture typically to continue to address the requirements. Sort of a one-and-done mentality prevails,” says Marshall Institute’s Ross.
“For example, too often, companies that start a Management of Change (MOC) process soon discover that their process has become its own worst enemy; nothing gets done or everything gets ‘pencil-whipped.’ Or, for PHAs, most participating organizations don’t adhere to any prescribed fault analysis protocol,” adds Ross. “Honestly, in industry, some are having trouble developing and building an effective and efficient preventive maintenance (PM) program. What’s the probability that an average plant is going to get a Failure Mode and Effects Analysis (FMEA) right?”
An additional barrier to compliance is misdirected efforts. Safety is a good example. “The current focus on production within industry is most likely going to miss the nuance that is PSM, and cause plant leadership to incorrectly place PSM responsibility under the plant’s safety department,” cautions Ross. “PSM is not a safety program; it is a way of life for the entire plant. It’s serious work and requires serious attention.”
Costs of compliance are relative
The cost of reporting compliance depends on the maturity of a company’s processes and systems. “From our April 2014 study, it was found that respondents anticipated approximately $100K to comply with the new conflict mineral law. However, since best-in-class companies have better processes in place, their estimated cost of compliance was lower – about $66K,” says Aberdeen Group’s Paquin.
Regardless, the costs of noncompliance can be significantly more damaging and lasting. “Failure to execute either the PSI or the PHA could be costly in the best sense, and deadly in the worst,” says Marshall Institute’s Ross. “In 2013, the average fine from OSHA for noncompliance, per site, was $16,000, for PSM violations. But failure in PSM doesn’t have the same effect as a slip, trip or fall, or even an ergonomic result; get PSM wrong and a news helicopter could be flying over your plant.”
“The reality is probably more important than the regulatory consequence. If your plant is in some type of emergency situation, the reality of Form 50.72 noncompliance is that the public could be left uninformed for some period of time, and you would not get the necessary responses of outside agencies,” explains Perry Nuclear’s Turrin. “And that’s really the more important part: the information you provide out is not just informational, it’s also for outside people to come and help you. The major consequence is not having the help you need in a timely fashion, or at all, when you need it.”
With regard to conflict minerals, reporting noncompliance or filing as ‘Not Conflict Free’ introduces a large amount of risk into the business. “This is a growing sustainability movement and some companies refuse to do business with others that use conflict minerals in their products. If your largest customer decides it no longer will do business with companies that use conflict minerals, then that business will be lost,” says Aberdeen Group’s Paquin.
How to comply
The ideal situation would be a single, centralized, information management tool to support all compliance efforts, without niche products addressing individual reporting elements, or costly integrations between systems. As shown in Figure 3, in best-case compliance reporting:
- Audits are planned and executed, non-conformances (NCRs) are documented, corrective and preventive actions (CAPAs) are taken, and capital projects are set up for large-magnitude initiatives
- Data is captured on asset structures and hierarchies, technical data, measurements, all work history, and MOC
- Maintenance programs include standard jobs, job programs, action plans, work types, projects, NCRs, and CAPAs
- Protection of people, facilities, and the environment is aided by visibility into employee data, skills and competencies, incidents, permits, and isolations
- All documents are centrally stored and tracked, ensuring that the right information is available to the right people at the right time
Getting to this point requires time, effort, and close coordination. “There are two main actions that successful companies take to optimize their compliance reporting,” says Aberdeen Group’s Paquin. “First, eliminate the spreadsheets. Successful companies turn to software to manage their compliance efforts. The second action is to constantly review compliance status. This is a good action to take no matter the compliance concern, but for conflict minerals, for example, it really needs to be done through every step of the design process.”
“Equipment history reports of ‘motor broke’ and ‘motor fixed’ will not cut it in the PSM universe," claims Marshall Institute’s Ross. "The use and execution of work orders (with feedback documentation from the technicians), and the utilization of the entire bandwidth of the CMMS needs to be brought to bear to facilitate a world-class PSM culture.”
“PSI requires a strong technical library and engineering presence. An MOC process has to be in place, and followed. PHA specifically requires that one of the auditing team members be trained in the use of the methodology employed,” adds Ross.
Training plays heavily in ensuring reporting compliance. “The licensed operators in a nuclear plant’s control room are typically the first ones making emergency communications to the regulators, and they’re trained and requalified on a regular, ongoing basis on handling emergency situations,” says Perry Nuclear’s Turrin.
“Of course there are different levels of electronic aids available across the nuclear power plant industry, along with software that allows you to fill out your forms accurately and transmit them quickly, and the communications technologies to make sure the transmission is timely and done properly. But, the more important side is the people aspect and the training. We have a very highly trained, highly skilled workforce,” adds Turrin.
Filling knowledge gaps may require seeking outside assistance. Industry analysts, consultants, training firms, and solution vendors are among the sources of compliance reporting expertise.
“Appropriate reporting to meet compliance is discussed in our training courses. It is frequently an area that we try to provide guidance in when conducting infrared or electric motor testing program audits or assessments,” says The Snell Group’s Huff. The requirements and budgets to support compliance reporting can vary widely, he observes. For example, they may involve:
- Creating a report in the test equipment OEM software and distributing it to the appropriate department
- Creating a simple spreadsheet to track and document equipment, routes (including adherence and compliance), inspection frequency, and asset health
- Utilizing a standalone information management tool or integrating it into a CMMS, but either way include lifecycle tracking, equipment management, integrated condition monitoring results, repair analysis, history, and repair status information
- “We recommend coaching for process development and training on all equipment reliability related matters,” says Marshall Institute’s Ross. “We provide process consulting in terms of developing sound preventive maintenance practices, which are the cornerstone of the Mechanical Integrity element, another compliance requirement under PSM. Clients are coached through the FMEA process and the participants leave with the tools to continue to be successful with this in-depth, fault-finding process.”
- Compliance reporting is a critical function that is particularly difficult due to constantly evolving demands. Understanding the scope and urgency of this responsibility is the first step in coming to terms with the need to manage it correctly.