Process Safety Management (PSM) Audit Consultants
OSHA 1910.119 PSM compliance audits for highly hazardous chemical processes. What the audit covers, and how to vet the consultant before you hire one.
Real US search demand (Ahrefs): ~70 searches/mo for "process safety management audit" · ~$3.00 CPC.
The buyer problem
Facilities that handle chemicals covered by OSHA's Process Safety Management standard (29 CFR 1910.119) must certify at least once every three years that they have evaluated their PSM program against the standard, per 1910.119(o). Facilities that are also EPA Risk Management Program (40 CFR Part 68) Program Level 2 or 3 sites carry a parallel three-year compliance audit obligation under 40 CFR 68.58 and 68.79. A superficial audit, one that checks boxes without testing whether procedures are actually followed, does not satisfy either requirement, and OSHA's enforcement history treats a documented-but-unacted-on finding the same as no audit at all. Buyers sourcing an outside PSM audit consultant often have no way to tell a firm that will produce a defensible, findings-driven audit from one that will return a generic checklist. This guide sets out what a real PSM compliance audit covers, who is qualified to lead one, and what to verify before signing a scope of work.
What a process safety management (psm) audit consultants vendor does
PSM audit consultants evaluate whether a facility's process safety management program, the 14 elements defined in 29 CFR 1910.119, is actually implemented and followed, rather than merely documented. The work generally follows the approach described in CCPS's Guidelines for Auditing Process Safety Management Systems: review of process safety information, process hazard analyses, operating procedures, training records, and management-of-change files, a walk-down of the physical process area, and interviews with operators, maintenance staff, and supervisors across shifts. The deliverable is a written findings report. Under 1910.119(o), the facility itself, not the consultant, is responsible for documenting its response to each finding and retaining the two most recent audit reports. Some firms also perform the parallel EPA Risk Management Program compliance audit for Program Level 2 or 3 processes, or support adjacent scopes such as PHA revalidation and mechanical integrity inspection.
Methods and techniques
- Compliance audit against the 14 elements of 29 CFR 1910.119(o): document review, physical facility walk-down, and personnel interviews across shifts, following the approach in CCPS's Guidelines for Auditing Process Safety Management Systems.
- Process Hazard Analysis (PHA) methodology review or revalidation using OSHA-recognized techniques under 1910.119(e)(2): HAZOP (Hazard and Operability study), What-If, What-If/Checklist, FMEA (Failure Mode and Effects Analysis), or Fault Tree Analysis.
- Mechanical integrity records verification against API 510 (pressure vessel inspection code), API 570 (piping inspection code), and API 653 (aboveground storage tank inspection code).
- Management of Change (MOC) file review per 1910.119(l), confirming that changes to process chemicals, technology, equipment, or procedures went through documented technical review and authorization before startup.
- EPA Risk Management Program compliance audit under 40 CFR 68.58 or 68.79 for facilities operating Program Level 2 or 3 covered processes.
What to verify before you retain
- Audit lead qualification. Ask whether the lead auditor holds a CCPS Certified Process Safety Professional (CCPSC) credential from AIChE, a Certified Safety Professional (CSP) credential from BCSP (Board of Certified Safety Professionals), or a Professional Engineer license. OSHA only requires the audit be conducted by someone knowledgeable in the process, so a named, checkable credential gives you an independent way to verify that.
- Scope: 1910.119(o) only, or 1910.119(o) plus the EPA RMP audit. Get it in writing whether the proposal covers the OSHA compliance audit only, the EPA 40 CFR Part 68 RMP compliance audit, or both. Program Level 2/3 RMP facilities have a separate three-year audit obligation under 40 CFR 68.58/68.79 that is not automatically satisfied by an OSHA-only engagement.
- PHA methodology fit. Ask which PHA methodology, HAZOP, What-If, What-If/Checklist, FMEA, or Fault Tree Analysis, the firm will apply or review, and why that methodology suits your process complexity rather than a default template.
- Mechanical integrity inspector qualifications. If the audit touches mechanical integrity records, confirm whether underlying inspections were performed to API 510, 570, or 653 by inspectors holding the corresponding API certification, rather than relying solely on internal maintenance logs.
- Findings documentation and closure tracking. Request a sample findings report and a closure-tracking format before signing. 1910.119(o) requires the employer to document a response to each audit finding, so a firm that cannot show a sample report structure is worth questioning.
- Auditor independence from your PHA or procedure writers. Ask whether the assigned firm or individual wrote your current operating procedures or led your last PHA. CCPS auditing guidance recommends independence between the auditor and the system being audited so the audit does not become a review of the auditor's own prior work.
Questions to put in your RFP
- How many 29 CFR 1910.119(o) compliance audits has your firm completed for facilities with a similar covered-chemical inventory and process count, and can you provide a sample audit report table of contents?
- Who specifically will be on-site as audit lead, and does that person hold a CCPS Certified Process Safety Professional (CCPSC) credential, a Certified Safety Professional (CSP) credential from BCSP, a Professional Engineer license, or another named, checkable qualification?
- Does your scope include review of all 14 PSM elements under 1910.119, or a subset, and if a subset, which elements are excluded and why?
- If we operate an EPA Risk Management Program Level 2 or 3 process, does your proposal include the parallel 40 CFR Part 68 compliance audit, or is that scoped and priced separately?
- Which PHA methodology will you apply or review, HAZOP, What-If, What-If/Checklist, FMEA, or Fault Tree Analysis, and why does that methodology fit our process complexity?
- Will mechanical integrity findings be checked against API 510, API 570, and API 653 inspection intervals and records, and who performs that cross-check?
- What is the format and delivery timeline for the findings report, and do you provide a corrective-action tracking log we can use to document our response to each finding as required under 1910.119(o)?
- Has your firm or any personnel assigned to this engagement had a prior role in writing our current operating procedures, leading our most recent PHA, or designing the process being audited?
- What is your confidentiality and data-handling process for process safety information, given that some of this documentation may be subject to trade secret protections under 1910.119?
Skip the cold search. Send this scope to us and we route it toward qualified process safety management (psm) audit consultants vendors.
Request vendorsRed flags
- Cannot name the specific PHA methodology (HAZOP, What-If, FMEA, or similar) it will use or review, and defaults to describing the work as a general walkthrough.
- Quotes a fixed price without asking how many covered processes, employees, or shifts are involved, when audit scope and interview coverage scale with process count.
- Will not provide a sample findings report format or a corrective-action tracking template on request.
- The assigned audit team also wrote your current operating procedures or led your most recent PHA, with no disclosure of that overlap.
- Cannot state clearly whether its scope covers the OSHA 1910.119(o) audit only or also the parallel EPA 40 CFR Part 68 RMP audit, and treats the two as interchangeable.
- No named lead auditor, or the lead's process safety background cannot be checked against a credential, license, or documented project history.
- Mechanical integrity review relies only on your internal maintenance logs with no cross-check against API 510, 570, or 653 inspection intervals.
- Sales conversation emphasizes 'passing' the audit rather than identifying and documenting gaps, which runs against the stated purpose of the audit under 1910.119(o).
Standards and governing bodies
Bodies referenced in this category. Listed for context; they do not endorse this index or any provider. Verify any credential directly with the issuing body.
- OSHA
- Occupational Safety and Health Administration. Enforces 29 CFR 1910.119, the Process Safety Management standard, including the 1910.119(o) requirement to audit PSM compliance at least once every three years.
- EPA
- U.S. Environmental Protection Agency. Enforces the Risk Management Program under 40 CFR Part 68; Program Level 2 and 3 facilities carry a parallel three-year compliance audit obligation under 40 CFR 68.58 and 68.79.
- CCPS
- Center for Chemical Process Safety (AIChE). Industry technology alliance of the American Institute of Chemical Engineers. Publishes Guidelines for Auditing Process Safety Management Systems and administers the CCPS Certified Process Safety Professional (CCPSC) credential.
- API
- American Petroleum Institute. Publishes the inspection codes commonly used to verify mechanical integrity findings during a PSM audit: API 510 (pressure vessels), API 570 (piping), and API 653 (storage tanks).
- ASME
- American Society of Mechanical Engineers. Publishes pressure equipment and piping codes referenced as recognized and generally accepted good engineering practice (RAGAGEP) alongside API and NFPA standards for mechanical integrity.
- NFPA
- National Fire Protection Association. Fire and process safety codes referenced as RAGAGEP alongside API and ASME standards; ask a vendor which specific NFPA code applies to your process rather than assuming blanket coverage.
- ISO
- International Organization for Standardization. Publishes ISO 45001, the international occupational health and safety management system standard. Relevant for multinational buyers layering a global OH&S system on top of US compliance, but ISO 45001 certification does not substitute for the 1910.119(o) audit.
Notable process safety management (psm) audit consultants providers
Real, publicly-documented providers active in this category. Sourced and verified; not a ranking or endorsement.
Process Safety Management (PSM) Audit Consultants: buyer FAQ
Is the OSHA-required PSM compliance audit really only every three years, or can enforcement demand one sooner?
29 CFR 1910.119(o) sets three years as the outer limit, not a target to coast toward. OSHA's own compliance and enforcement directive for the standard lets inspectors request the two most recent audit reports at any time, and a facility with a history of incidents, near misses, or prior citations often gets pulled into shorter audit cycles by its own insurer or corporate EHS policy well before the statutory three-year mark. Treat three years as the ceiling for avoiding a citation, not the schedule that actually keeps a facility out of trouble.
We're covered by both OSHA's PSM standard and EPA's Risk Management Program. Do we need two separate audits?
EPA has stated that a source in compliance with OSHA's PSM prevention-program elements is generally already meeting the closely parallel requirements of RMP Program 3 under 40 CFR 68.65 through 68.87. The two rules are not identical, though. EPA's RMP package adds obligations OSHA's audit does not touch, a hazard assessment, an emergency response program, and a risk management plan addressing offsite and community consequences, since EPA's focus extends beyond the fence line while OSHA's does not. Most integrated compliance programs run a single combined audit that maps findings to both regulatory citations rather than paying for two separate walkthroughs of the same unit.
What's the difference between the compliance audit and a process hazard analysis revalidation, and are they on the same clock?
They are separate obligations with separate cycles inside 1910.119. The compliance audit, paragraph (o), checks whether the PSM program elements, written procedures, training records, management-of-change documentation, and so on, are actually being followed in practice, and it runs at least every three years. The process hazard analysis, paragraph (e), is a hazard-identification exercise on the process itself and must be revalidated at least every five years. A consulting proposal that bundles both into one engagement isn't wrong, but confirm the deliverable produces two distinct, separately dated reports, since inspectors ask for both on their own timelines.
Where do CCPS, API, and NFPA guidance fit in if OSHA's regulation is the only one with legal teeth?
1910.119 is written as a performance standard. It specifies outcomes, written operating procedures, a mechanical integrity program, and so on, without dictating exactly how to build them. CCPS, the AIChE-affiliated Center for Chemical Process Safety, API recommended practices such as RP 754 on process safety performance indicators, and NFPA's combustible dust and fire protection standards fill that gap as recognized industry good-practice references. OSHA compliance officers routinely look at whether a facility followed an applicable consensus standard when judging whether a recognized hazard was adequately addressed, so an auditor will often flag a gap against CCPS or API guidance even though those documents are not independently enforceable the way the OSHA regulation itself is.
If an audit turns up deficiencies, is there a hard deadline to fix them, and what happens if that deadline slips?
The standard requires the employer to determine and document an appropriate response to each audit finding and to document that deficiencies have been corrected, but it does not set a universal fix-by date, that's left to the facility's own corrective action plan. The real risk is that an open, undocumented, or repeatedly deferred finding from a prior audit becomes evidence of employer knowledge if an incident later occurs in that same area, which is the fact pattern that turns a routine citation into a willful one carrying a materially higher penalty tier. Keep the corrective action log current and dated, since it is typically the first document an inspector asks for once a corrective action timeline has clearly lapsed.
From Insights
Deep dives for process safety management (psm) audit consultants
PSM Audit Standards in 2026: What Changed Across OSHA, EPA, API, ASME, NFPA, and ISO
The core process safety code stack moved on five fronts since 2021. Here is the edition currently in force for each governing body, what changed and when, what is still pending, and the questions a buyer should put to a PSM audit consultant before signing a scope of work.
Cost & ROIWhat Drives the Cost of a Process Safety Management (PSM) Audit
Scope, crew size, mobilization, accreditation, and urgency move a Process Safety Management audit quote more than any single line item on the invoice. Here is how those variables work, how to budget for one, how to compare bids without comparing apples to oranges, and what an inadequate audit actually costs later.