The fractionation train had been running the same feed composition for eleven months straight. When the operations team switched to a heavier feed slate from a new upstream well, they treated it as a routine adjustment — a tweak on the DCS, a revised set point, nothing that needed paperwork. Within seventy-two hours, a reboiler exceeded its design temperature limit, a relief valve lifted, and a unit that hadn’t had an unplanned shutdown in three years was offline for nine days. The feed change had altered vapor-liquid equilibrium across three columns. Nobody had assessed it. Nobody had updated the operating envelope. The process hazard analysis still reflected the old feed.
That shutdown cost more than the nine days of lost production. It cost the operations team’s credibility with the regulator, triggered a compliance audit that uncovered four other undocumented modifications, and forced a complete review of the facility’s process safety information. Every one of those consequences traced back to one failure: the absence of a functioning management of change process. MOC exists to prevent exactly this — to ensure that every change, whether it involves hardware, chemistry, procedures, staffing, or software, is evaluated for its impact on safety before it’s implemented. This article breaks down what management of change actually means in HSE and process safety practice, walks through each step of a sound MOC procedure, and explains why organizations that skip it reliably end up learning the lesson the expensive way.
What Is Management of Change?
Management of change is a structured, documented process for identifying, assessing, and controlling the risks introduced by any modification to a facility’s equipment, chemicals, technology, procedures, staffing, or organizational structure — before that modification is implemented.
The definition matters because of what it excludes. MOC is not change management in the business-consulting sense — it is not about stakeholder buy-in, communication plans, or helping people adapt to new software. In HSE and process safety, management of change is a hazard control mechanism. Its purpose is to answer one question: does this proposed change create new risks, or alter existing ones, that we haven’t accounted for?
Every operating facility is designed around a set of technical assumptions. Pipe sizes are selected for a specific flow rate. Relief devices are sized for a defined worst-case scenario. Operating procedures are written for a particular chemistry. Alarm set points reflect a known process window. When any of those assumptions change — whether through equipment replacement, chemical substitution, procedural revision, or a reorganization that moves experienced operators into different roles — the safety basis shifts. MOC ensures that shift is recognized, evaluated, and controlled before startup.
Why Management of Change Matters in HSE and Process Safety
A process safety engineer I trained under years ago described MOC with a phrase I still use in every toolbox talk on the subject: “The plant doesn’t know you changed something. It just responds to the new conditions.” That single observation captures why unmanaged change is so dangerous. Safety systems — physical barriers, interlocks, procedures, competency — are all designed for a specific operational reality. Change the reality without updating the systems, and the gap between what the plant is doing and what everyone thinks it’s doing widens silently.
The consequences are not theoretical. The 2005 BP Texas City refinery disaster, which killed 15 workers and injured 180, remains one of the most studied process safety failures in industrial history. Multiple layers of change — staffing decisions, equipment condition, procedural deviations, and startup practices that no longer matched the original design intent — compounded over years without formal assessment. The U.S. Chemical Safety and Investigation Board (CSB) has stated that properly conceived and executed MOC programs could have helped prevent or mitigate incidents it has investigated.
MOC matters because change is constant in any operating facility. Pumps get replaced. Feedstocks shift. Contractors rotate. Control systems get upgraded. Shift patterns adjust to business demands. Each of these is a potential pathway to an incident — not because change itself is dangerous, but because unassessed change removes the safety margin that the original design provided.
Watch For: The changes that cause the most harm are often the ones nobody thought were “big enough” to need a formal review. A chemical supplier change, a set-point adjustment, or a supervisor reassignment can each defeat a safety barrier designed around the original condition.
Management of Change vs. Change Management: What’s the Difference?
This distinction trips up more people than it should, and confusing the two creates real gaps in safety governance. The terms sound interchangeable. They are not.
| Aspect | Management of Change (MOC) | Change Management |
|---|---|---|
| Primary focus | Hazard identification and risk control | People adoption and organizational transition |
| Core question | Does this change create or alter risks? | How do we help people adapt to this change? |
| Regulatory basis | OSHA PSM, EPA RMP, ISO 45001, COMAH | No specific safety regulation |
| Scope | Equipment, chemicals, procedures, staffing, facilities | Strategy, technology adoption, culture, process redesign |
| Outcome | Authorized change with updated safety documentation | Successful transition with stakeholder engagement |
| Who leads | Process safety, HSE, engineering, operations | HR, project management, leadership |
Some organizations need both for the same change. A new distributed control system, for example, requires MOC to evaluate process safety impacts and change management to train operators on the new interface. The critical point is that one cannot substitute for the other. A well-communicated, widely accepted change that hasn’t been assessed for hazard impact is still a safety risk. This article addresses the HSE and process safety side — the management of change procedure that regulators require and that prevents incidents.
What Changes Require a Management of Change Review?
OSHA’s Process Safety Management standard at 29 CFR 1910.119(l) explicitly requires written MOC procedures for changes to process chemicals, technology, equipment, procedures, and facilities affecting a covered process. The EPA Risk Management Program at 40 CFR 68.75 mirrors these requirements for covered facilities under its jurisdiction. But triggering MOC is not limited to what’s printed in a regulation. Any change that could affect how hazards are controlled deserves evaluation.
The practical trigger list extends well beyond hardware swaps. During a turnaround at a gas processing complex I worked at, we caught three changes that operations hadn’t flagged for MOC: a nitrogen supply pressure adjustment to instrument air, a revised confined space entry procedure that removed a gas testing step deemed “redundant,” and a contractor substitution that replaced an experienced insulation crew with a general labor team. Each one altered the risk profile. None of them involved installing new equipment.
Common MOC triggers include:
- Equipment changes: New pump with different capacity, valve type change, piping reroute, instrument upgrade, or relief device modification
- Chemical or material changes: Feedstock substitution, catalyst change, chemical supplier switch, additive reformulation
- Technology changes: Control system upgrade, software update affecting process logic, new instrumentation
- Procedural changes: Revised startup/shutdown sequence, modified emergency procedure, changed permit-to-work requirements
- Facility changes: Layout modification, ventilation alteration, drainage reroute, electrical classification change
- Organizational changes: Shift pattern change, staffing reduction, outsourced safety-critical roles, supervisory restructuring, responsibility reassignment
HSE UK’s organisational change guidance, updated in August 2025, reinforces that staffing, outsourcing, and role changes can materially affect hazard control. This is the most under-assessed MOC trigger in practice — and one of the most consequential.
Common MOC Examples
To make the triggers concrete, here are five changes I’ve seen go through MOC review in gas processing and refining operations:
- Replacing a centrifugal pump with a positive displacement pump of different flow characteristics — changed the downstream pressure profile and required relief device revalidation
- Substituting a corrosion inhibitor from a different manufacturer — altered chemical compatibility with existing gasket materials
- Updating DCS software that changed alarm acknowledgment logic — operators lost a critical first-alert notification they’d relied on for years
- Reducing the night shift from four operators to three — removed the dedicated panel operator role and distributed monitoring across two people already managing field rounds
- Changing from annual to biennial inspection intervals on a pressure vessel based on a risk-based inspection study — required documented justification, updated maintenance procedures, and regulatory notification
What Are the Main Steps in the Management of Change Process?
The MOC process is sequential and gate-based. No step is optional, and skipping ahead — implementing before assessing, or starting up before training — is how MOC fails. The flow below reflects what OSHA 29 CFR 1910.119(l) requires and what sound process safety practice demands, organized into eight steps that take a proposed change from identification through close-out.
Step 1: Identify the Change and Scope It Properly
Every MOC begins with a clear description of what’s changing, why, and what systems, people, and documents it affects. The scope definition is where most weak MOCs start to fail — vague descriptions produce vague assessments. A good MOC initiation form captures whether the change is temporary or permanent, which process units are affected, which safety systems interact with the changed element, and who needs to be involved in the review. I’ve reviewed MOC forms that described the change as “pump replacement” with no mention of differential head, flow rate, materials of construction, or connected piping class. That level of ambiguity defeats the purpose of the entire process.
Step 2: Determine Whether It Is a Replacement in Kind or a True Change
This is the decision point that separates routine maintenance from a formal MOC. A replacement in kind — swapping a component with one that matches the original’s design specifications exactly — is exempt from MOC under OSHA PSM. But “exactly” is the operative word. Same manufacturer, same model, same materials of construction, same capacity, same pressure rating, same electrical classification. If any specification differs, it’s not a replacement in kind. It’s a change.
Audit Point: During compliance audits, the replacement-in-kind determination is one of the first things inspectors challenge. If your facility can’t produce documentation showing how the determination was made, the exemption doesn’t hold.
“We couldn’t get the exact model, so we got the next one up — same brand, just slightly bigger.” I’ve heard that sentence from maintenance supervisors more times than I can count. That “slightly bigger” pump creates a different flow profile, different downstream pressure, and potentially different NPSH requirements. It’s a change.
Step 3: Assess the Technical Basis and Safety Impact
OSHA 29 CFR 1910.119(l)(2) requires that the following be addressed before any change: the technical basis for the proposed change, the impact on safety and health, modifications to operating procedures, the necessary time period for the change, and authorization requirements. This is the analytical core of MOC.
The assessment should evaluate:
- Process safety information impact: Do P&IDs, process flow diagrams, equipment data sheets, or material safety data need updating?
- Process hazard analysis validity: Does the change invalidate any assumptions in the existing PHA?
- Operating procedure accuracy: Will operators need different steps, different limits, or different emergency responses?
- Safety system adequacy: Are relief devices, interlocks, alarms, and detection systems still sized and configured correctly?
- Training requirements: Do affected workers need new knowledge or skills before the change goes live?
Step 4: Update Procedures, Documents, and Safeguards
A change that’s been assessed but not documented is a time bomb. Every drawing, operating procedure, maintenance instruction, alarm set point, training material, and emergency plan affected by the change must be updated before startup. This is where the CCPS framework for risk-based process safety is particularly useful — it treats document integrity as a core MOC deliverable, not an afterthought.
I once walked into a control room three weeks after a compressor modification and found operators running the unit from a procedure that still referenced the old discharge pressure limit. The MOC had been “completed.” The operating procedure hadn’t been touched. Small undocumented changes accumulate into what the industry calls normalization of deviation — and that drift compounds until the gap between documented reality and actual conditions becomes a direct pathway to an incident.
| Document Type | Update Trigger | Consequence of Not Updating |
|---|---|---|
| P&IDs and PFDs | Any physical or instrumentation change | Incorrect isolation during maintenance, wrong emergency response |
| Operating procedures | Changed limits, sequences, or chemicals | Operators follow outdated steps during abnormal conditions |
| Maintenance procedures | New equipment specs or materials | Wrong parts ordered, incorrect torque values, seal failures |
| Alarm and interlock settings | Changed process window | False alarms cause desensitization; missed alarms cause incidents |
| Emergency response plans | Changed chemicals, layout, or staffing | Evacuation routes wrong, responders unprepared for new substances |
| Training materials | Any change affecting worker tasks | Competency gap at the point of exposure |
Step 5: Approve the Change and Set the Time Period
Authorization must come from personnel with the technical knowledge and organizational authority to accept the residual risk. For temporary changes, OSHA requires that the time period be defined. This isn’t a formality — temporary changes without expiration dates have a documented tendency to become permanent installations that nobody reassesses, nobody maintains to the correct standard, and nobody includes in the next PHA.
Step 6: Inform and Train Affected Workers and Contractors
OSHA 29 CFR 1910.119(l)(3) is explicit: employees involved in operating a process, and contract employees whose tasks will be affected by a change, must be informed of, and trained in, the change prior to startup. “Prior to startup” is the regulatory language, and it means what it says. Training delivered after the unit is already running doesn’t satisfy the requirement, and more importantly, it doesn’t protect the workers who are operating a changed system without understanding what’s different.
During a control system migration at a gas processing facility, we ran three separate training sessions — day shift, night shift, and contract maintenance — before the new system went live. One night-shift operator asked a question during training that revealed a critical gap: the new alarm management philosophy suppressed an audible alarm that the old system had always generated. Without that training session, the first abnormal event on night shift would have been invisible to the panel operator until it escalated.
Field Test: After training, ask three affected workers to describe what’s changed and how it affects their specific tasks. If they can’t, the training wasn’t effective — regardless of the sign-off sheet.
Step 7: Implement, Verify, and Conduct Pre-Startup Review Where Needed
Implementation is not the endpoint. The change must be verified in the field to confirm it matches the approved scope, the updated procedures are in place, and the safety systems function as intended. For process changes that fall under PSM, a pre-startup safety review (PSSR) is required to confirm that construction and equipment are in accordance with design specifications, that safety and operating procedures are in place and adequate, that a PHA has been performed for new facilities and recommendations resolved, and that training has been completed.
Step 8: Close Out the MOC and Capture Lessons Learned
Close-out is where institutional discipline shows. A completed MOC file should contain the original request, the hazard assessment, all approvals, evidence of training, updated documents, field verification records, and — for temporary changes — a confirmed reversion or formal conversion to permanent status. The close-out review also captures what the organization learned: what worked, what was missed, what took longer than expected, and what should be changed about the MOC process itself.
The CSB’s management of change safety bulletin reinforces that close-out and lessons learned are essential to preventing recurring failures. Without them, MOC becomes a filing exercise rather than a learning system.
Who Should Be Involved in an MOC?
MOC is not an HSE department exercise. The most effective MOC reviews I’ve participated in had five or six disciplines at the table — and the least effective were the ones where process safety filled out the form alone and circulated it for rubber-stamp signatures.
The cross-functional nature of MOC review reflects a simple reality: no single discipline understands all the ways a change can affect a facility. Operations knows how the unit actually runs. Engineering knows the design intent. Maintenance knows the equipment history. HSE knows the regulatory obligations and the incident record. Supervision knows the crew’s competency and the shift dynamics.
| Role | MOC Responsibility |
|---|---|
| Operations | Assess operational impact, validate procedure changes, confirm operator readiness |
| Engineering | Evaluate technical basis, verify design adequacy, update drawings |
| Maintenance | Confirm equipment compatibility, update maintenance plans, identify spare parts needs |
| HSE / Process Safety | Review hazard assessment quality, verify regulatory compliance, ensure training delivery |
| Supervisors | Communicate to frontline workers, verify field implementation, flag practical concerns |
| Contractors / Specialists | Provide technical input on specialized equipment or services they supply |
| Management | Authorize risk acceptance, allocate resources for implementation and training |
What Are the Benefits of Management of Change?
The value of management of change becomes most visible in its absence — in the investigations, shutdowns, and compliance findings that follow unmanaged modifications. But framing MOC only as incident prevention undersells its operational value.
A functioning MOC process delivers measurable benefits across safety, compliance, and operational performance:
- Reduced incident and injury risk: Every assessed change is a prevented surprise. MOC catches hazard introductions before they reach workers, not after. The technical review, document updates, and training requirements collectively maintain the integrity of safety barriers.
- Improved regulatory compliance and audit readiness: OSHA PSM, EPA RMP, and ISO 45001 Clause 8.1.3 all require formal change management. A well-maintained MOC register demonstrates to regulators and auditors that the facility manages change systematically, not reactively.
- Prevention of unplanned downtime: Changes that haven’t been assessed for equipment compatibility, operating limits, and safety system adequacy are changes that fail in service. MOC front-loads the engineering review that would otherwise happen during an emergency shutdown investigation.
- Stronger communication and accountability: The MOC workflow forces communication between disciplines that might otherwise work in silos. When operations, engineering, maintenance, and HSE all review the same change, assumptions get challenged before they become problems.
- Organizational learning and operational discipline: Every closed MOC is a documented record of how the facility manages risk. Over time, this record reveals patterns — recurring change types, common assessment gaps, training shortfalls — that drive continuous improvement.
Common Management of Change Mistakes to Avoid
Seven years into my career, I audited a facility that had an impressive-looking MOC procedure — thirty-two pages, flowcharts, approval matrices, the works. They’d completed over two hundred MOCs in three years. When I pulled ten at random for field verification, seven had no evidence that documents had been updated, four had no training records, and two described changes that had never actually been implemented as approved. The procedure existed. The discipline didn’t.
These are the mistakes I see most consistently:
| Mistake | Why It Matters | Better Practice |
|---|---|---|
| Completing MOC paperwork after the change is already installed | The entire purpose of MOC — assessing risk before exposure — is defeated. You’re documenting what happened, not controlling what will happen. | Initiate MOC at the proposal stage, before procurement or scheduling. |
| Ignoring organizational changes | Staffing reductions, outsourced roles, and restructured responsibilities can degrade hazard control without touching a single piece of equipment. HSE UK explicitly flags this. | Include staffing, competency, and responsibility changes in MOC triggers. |
| Misclassifying changes as replacement in kind | “Close enough” replacements bypass hazard review while introducing specification mismatches that cause failures in service. | Require documented specification comparison before granting RIK status. |
| Failing to update documents | Outdated P&IDs, procedures, and training materials create a growing gap between documented and actual plant conditions. | Make document updates a close-out prerequisite, not a follow-up task. |
| Weak contractor communication | Contractors working on or near a changed system without knowing what’s different are exposed to hazards they can’t recognize. | Include contractor briefing as a mandatory MOC step with sign-off. |
| No follow-up on temporary changes | Temporary changes without expiration tracking become permanent modifications without permanent controls. | Log every temporary MOC with an expiration date and assign an owner for reversion or conversion. |
| No field verification after implementation | Approving on paper doesn’t mean the change was installed correctly. Field verification catches misalignment between plan and reality. | Require physical verification by a qualified person before startup authorization. |
Management of Change Best Practices
The difference between an MOC program that exists on paper and one that actually prevents incidents comes down to operational discipline and practical design. These are the practices that separate the two:
- Define clear, documented MOC triggers with examples so that initiators — not just HSE staff — can recognize when a change requires review. Post the trigger list at permit boards, in control rooms, and in maintenance planning offices.
- Use a simple screening form as the first step. A one-page form with five to seven questions is enough to determine whether a full MOC assessment is needed. Overengineered intake forms discourage reporting.
- Involve the right disciplines early — at the proposal stage, not the approval stage. Late involvement produces shallow reviews and resentful sign-offs.
- Require document updates before startup, not after. If the operating procedure isn’t revised before the operator walks into the field with the changed system, the procedure is wrong at the moment it matters most.
- Track temporary changes to closure with automated reminders. Every temporary MOC should have an owner, an expiration date, and a defined reversion or conversion path.
- Audit the MOC process itself at least annually. Pull a sample of completed MOCs and verify field implementation, document updates, training records, and close-out quality. The audit should answer one question: did the MOC process actually control the risk, or just create a paper trail?
Pro Tip: The best leading indicator of MOC health isn’t the number of MOCs completed — it’s the ratio of MOCs initiated before versus after the change. If more than 10% of your MOCs are retroactive, the system isn’t functioning as a control.
What Regulations and Standards Refer to Management of Change?
MOC isn’t a best practice suggestion — it’s a regulatory requirement across multiple jurisdictions and frameworks. The table below maps the key standards to their practical requirements.
| Standard | Key Requirement | Practical Meaning |
|---|---|---|
| OSHA PSM 29 CFR 1910.119(l) | Written MOC procedures for changes to chemicals, technology, equipment, procedures, and facilities in covered processes | If you operate a PSM-covered process, you must have a documented MOC procedure, assess every change before implementation, and train affected workers before startup |
| EPA RMP 40 CFR 68.75 | MOC requirements for Program 3 prevention processes | Mirrors OSHA PSM’s MOC provisions for facilities covered under the EPA’s Risk Management Program |
| ISO 45001:2018 Clause 8.1.3 | Process for managing planned temporary and permanent changes affecting OH&S performance | Applicable beyond chemical process industries — any organization with an OH&S management system should manage change formally |
| HSE UK / COMAH guidance | MOC as part of safety management systems for major accident hazard establishments | Both plant modifications and organisational changes must be assessed for safety impact |
Where OSHA, EPA, and HSE UK standards specify different thresholds or scope for the same type of change, apply the stricter requirement as the baseline. For facilities operating across jurisdictions, this approach prevents compliance gaps and simplifies the management system.
Frequently Asked Questions
Conclusion
The management of change failures I’ve investigated over a decade of process safety work share a common feature: the change itself was rarely the problem. Facilities swap pumps, update software, revise procedures, and reorganize teams routinely. What creates incidents is the gap between what changed and what the organization knew had changed — the undocumented feed composition shift, the “equivalent” replacement that wasn’t quite equivalent, the night shift reduction that nobody assessed for its impact on emergency response coverage.
The single highest-impact improvement most facilities can make to their MOC program is brutally simple: stop treating MOC as paperwork that follows the change and start treating it as authorization that precedes the change. When the MOC review happens before procurement, before scheduling, before anyone touches the equipment, it functions as a genuine risk gate. When it happens after — when the form gets filled out because the audit is next month — it’s a filing exercise that protects the compliance folder but not the workforce.
MOC is not a bureaucratic obstacle to getting work done. It is the mechanism that keeps a facility’s actual operating condition aligned with its documented safety basis. Every unassessed change widens that gap. Every properly executed MOC keeps it closed.