Management of Change — PSM-grade change control for a chemical plant

A full-stack MOC system for a nylon manufacturing site: 5×5 risk matrix, three-discipline approvals, pre-startup safety reviews, and an immutable audit trail. Replaces a five-figure-a-year commercial EHS platform.

$30K/yr

Recurring savings

vs. a commercial EHS platform

250/yr

Hours returned

≈ $12K of staff time

3 disciplines

Approval gates

EHS · Operations · QC

44 items

PSSR checklist

across 10 categories

Chemical manufacturing runs on Process Safety Management. Any change to a process, a chemical, or a piece of equipment has to go through a formal Management of Change — risk-assessed, reviewed by the right disciplines, and verified safe before the plant starts back up. Most sites do this on paper, or in a generic EHS SaaS that costs tens of thousands a year and still doesn't fit how the plant actually runs.

I built a Management of Change system tailored to a nylon-from-base-chemicals operation: the full lifecycle from draft to closure, a 5×5 risk matrix with before/after controls, mandatory sign-off from EHS, Operations, and Quality, a Pre-Startup Safety Review checklist built for this process, and an immutable audit trail on every action. It's the system of record for change in a regulated environment.

Stack

Next.js 15 (App Router) + Tailwind
Express + TypeScript API
PostgreSQL with Knex migrations
Zod schemas shared client + server
JWT auth with role-based access control
Full-text search (Postgres tsvector), JSONB audit diffs

Why this is hard, and why generic tools fall short

Management of Change is an OSHA Process Safety Management requirement, not a nice-to-have. The workflow has to match the plant: the disciplines that sign off, the risk language, the pre-startup checks. Generic EHS platforms are expensive and force your process into their mold — you end up with a tool people work around instead of through.

A change-control system that doesn't fit gets bypassed, and a bypassed safety process is worse than none because it looks like compliance on paper. The bar was a system the plant would actually use.

The lifecycle

Every MOC moves through a gated state machine. A change can't skip ahead — it advances only when the right people have done the right thing.

draft → submitted → risk assessment → under review → approved → implementing → PSSR pending → PSSR complete → closed
Each transition is permission-checked and recorded; nothing moves silently.

Risk, controls, and a three-discipline gate

Risk is scored on a 5×5 severity/likelihood matrix with explicit before- and after-controls, so the residual risk of a change is visible, not implied.

EHS, Operations, and Quality each have to approve before a change advances. No single person — including an admin — can push a change through alone. That separation is the whole point of MOC.

Pre-Startup Safety Review

Before anything restarts, the change has to clear a Pre-Startup Safety Review — a 44-item checklist across 10 categories written for nylon manufacturing. The system blocks closure until the PSSR is complete, so 'we'll verify it later' isn't an option the workflow allows.

Audit and compliance, built in

Every action writes an immutable JSONB diff — who changed what, when. Full-text search runs across titles, descriptions, and justifications, and reports export to CSV for PSM audits.

When an auditor asks for the complete change history on a specific reactor or line, it's one search instead of a week of digging through binders and email.

Why build it

The cost avoidance against a commercial EHS platform is real — tens of thousands a year. But the better reason is fit: a safety-critical workflow that matches the plant instead of making the plant match the software, owned in-house, changeable when the process changes. That's worth more than any license.