Every PHA, HAZOP, or What-If study ends the same way: a list of recommendations. Some are straightforward — update a procedure, add a label, replace a valve. Others require engineering changes that take months to complete. All of them, in theory, need to be tracked to verified closure before the facility can demonstrate it has acted on its own risk assessment findings.

In practice, most of those recommendations land in a spreadsheet.

The spreadsheet problem is not just administrative

For operators subject to OSHA PSM (29 CFR 1910.119), PHA recommendations are not optional to-do items. OSHA requires that employers establish a system to promptly address the team’s findings and recommendations, resolve them in a timely manner, document what actions are taken, and communicate those actions to operating, maintenance, and other employees whose work assignments are in the process. That’s a documented, auditable requirement — not a best-practice suggestion.

A spreadsheet can store a list. It cannot assign ownership, escalate overdue items, send automated reminders, link the recommendation back to the specific PHA node it came from, or produce an auditable record of when the action was completed and by whom. When an OSHA inspector asks to see how your facility tracked and closed the recommendations from your last PHA revalidation, “we have a spreadsheet” is not the answer that ends the conversation.

The three places PHA recommendations go to die

In facilities that lack a structured tracking system for PHA output, recommendations tend to disappear in predictable ways.

The first is assignment without accountability. The recommendation gets logged, someone’s name goes next to it, and then nothing enforces follow-up. The person with their name on the item has no automated reminder. Their supervisor has no visibility into whether it’s been acted on. The next PHA revalidation — typically required every five years under PSM — reveals that a third of the recommendations from the previous cycle were never closed.

The second is loss of context. A recommendation that reads “evaluate the adequacy of the relief valve on V-101” means something specific to the PHA team that wrote it. Six months later, when someone is assigned to close it out, the original context — which scenario triggered the recommendation, what consequence was identified, what the team’s basis for the action was — is gone. If it was only recorded as a line item in a spreadsheet rather than linked to the specific PHA node, worksheet, and cause/consequence chain it came from, the person implementing the action is working without that context.

The third is revalidation without closure. The five-year PHA revalidation comes around, and rather than starting from a clean, verified-closed set of prior recommendations, the team is looking at a spreadsheet with a mix of closed, open, and ambiguous items — some of which may have been “closed” by someone marking a cell green without any documented evidence of what was actually done.

What a structured system looks like

auditing software

When PHA recommendations are managed in an integrated process safety platform rather than a spreadsheet, each recommendation carries its context — the specific node, the cause, the consequence, the safeguard — automatically, because it’s generated directly from the risk assessment record rather than manually transcribed.

Each recommendation is assigned an owner, a due date, and a closure requirement at the point of creation. The system sends automated reminders as due dates approach and escalation notices when they pass. The recommendation can’t be marked closed without documented evidence of what was done. And when the next PHA revalidation comes around, the team can see at a glance which recommendations from the prior study are verified closed, which are still open, and which have partially completed actions — without a manual audit of a spreadsheet.

The link between the recommendation and the original PHA record also stays intact. If someone asks why a particular engineering change was made, the answer is traceable — back to the recommendation, back to the node, back to the scenario that generated it.

In VisiumKMS

Risk Assessor captures HAZOP, PHA, What-If, checklist, and JSA findings directly. Every recommendation generated in a study is automatically routed to Resolution Tracker, where it gets an owner, a due date, and an escalation path — the same workflow used for corrective actions from incident investigations, audits, and management of change.

The link between the recommendation and its source PHA record is preserved, so closure is always traceable back to the risk assessment that generated it. Overdue items surface in the Risk Intelligence dashboard automatically, so process safety managers can see the status of outstanding PHA recommendations without running a manual report.

For facilities managing PHA revalidations on a five-year cycle, this means each new study starts from a verified baseline rather than a spreadsheet that may or may not reflect reality.

If your current system for tracking PHA recommendations is a spreadsheet, an email thread, or a module that doesn’t connect back to the risk assessment that generated the action — that’s the problem VisiumKMS is built to solve.

Oil & Gas  |  Chemical Process  |  Nuclear  |  Power & Utilities  |  Heavy Manufacturing  |  Food & Beverage
Privacy Policy  |  Terms of Use  |  ©VisiumKMS 2026. All rights reserved. VisiumKMS, a division of Valsoft Corporation.