The question of how to assess the appropriate inventory of a hazardous material versus the frequency of its delivery illustrates a typical plant conflict. Use of a smaller shipping container or on-site storage tank decreases the largest possible release should containment be lost. However, this benefit may come at the expense of more frequent shipment of the material. For example, a plant might replace a 50,000-gal. storage tank with a 5,000-gal. one, reducing on-site inventory by a factor of 10. But, if the annual usage of material remains the same, the plant most likely will receive the material in smaller, but more frequent, truck shipments, rather than large rail car shipments. So, plant operators will have to do the loading and unloading operations more often.
Similarly, a plant might have a choice between using chlorine in 1-ton cylinders or from a 90-ton rail car. A resident of a town a couple of miles away would consider the 1-ton cylinder to be inherently safer, because even a complete failure of a cylinder wouldn't likely impact the town. However, the operators, who would now have to connect and disconnect 90 cylinders instead of one rail car, would consider the rail car to be inherently safer, because even a small leak would be hazardous to them. Both the community residents and the operators are right in their assessments of the inherent safety of the alternatives, but they are concerned about different kinds of events. The task of the designer is to make informed and logical decisions taking into account these conflicts.
There are well-developed tools for understanding the relative risk of such alternatives. Accident consequence models (e.g., for vapor cloud dispersion, fire and explosion) and accident likelihood estimation tools (such as fault tree analysis) can provide information about the relative risks of the alternatives and also on the effectiveness of passive, active and procedural safety systems to manage the inherent hazards of each alternative. However, other aspects of the decision still will require value judgments because the design alternatives impact different groups of people in different, and conflicting, ways.
Much of the literature about inherently safer design focuses on steady-state hazards of processes. But process dynamics can impact inherent safety and pose conflicts. For instance, minimizing the size of equipment reduces the quantity of material or energy that can be released if containment is lost. However, from a process dynamics viewpoint, a smaller piece of equipment will respond more rapidly, and with a larger deviation, to a disturbance. This faster response may make it more likely that operating parameters will exceed critical safety limits and put the process into a hazardous state. The consequence of an incident from smaller equipment may be less, but the likelihood of an incident may be greater.
Luyben and Hendershot review several specific examples, including the following one: A nitration reaction can be done in a 20 m³ semi-batch reactor, depicted in Figure 1, or a much smaller (0.5 m³) continuous stirred tank reactor (CSTR), as shown in Figure 2. The reaction mixture is combustible and contains moderately toxic materials. The reaction is highly exothermic, with thermal runaway possible from failures such as loss of cooling, excessive nitric acid feed rate or breakdown of the temperature control system. Also, if there is a large amount of excess nitric acid (above 15 mole%) present in the reaction mixture, it becomes highly unstable, essentially detonable. The two options have inherent safety advantages and disadvantages, as summarized in Table 4.
A failure of the feed flow control systems for the small CSTR could result in a hazardous reactor composition very quickly. Figure 3 shows that the reaction mixture would become unstable in about three minutes if the organic feed stopped (for example, because of pump failure, a plugged line or shutting of a manual valve) and the nitric acid feed continued because of a failure of the feed ratio controls and safety interlocks. Clearly, we can provide safety equipment and procedures to manage all of these hazards (and others not listed) for both designs, but these are not inherent safety systems.
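The scaling behind this can be sketched with a simple mixing balance. The following is an added illustration, not taken from Luyben and Hendershot or from this article: a well-mixed, constant-volume vessel in which the feed switches to nitric acid only. The feed rate, the zero starting composition and the neglect of reaction are assumptions, and the 20 m³ holdup is used only as a size reference, not as a model of the semi-batch reactor.

```python
import math

# From the article: the mixture is unstable above 15 mole% excess nitric acid.
THRESHOLD = 0.15
# Constructed value (assumption): acid feed that keeps running after the
# organic feed is lost, in m^3/min.
ACID_FEED = 0.025


def time_to_threshold(volume_m3, feed=ACID_FEED, x0=0.0, x_feed=1.0,
                      threshold=THRESHOLD, dt=0.001, t_max=600.0):
    """Euler-integrate dx/dt = (feed/volume) * (x_feed - x).

    x is the excess-acid fraction in the vessel. Returns the minutes until
    x reaches the threshold, or None if it cannot or does not within t_max.
    """
    if x0 >= threshold:
        return 0.0
    if x_feed <= threshold:
        return None  # the feed itself is below the limit; never crossed
    x, t = x0, 0.0
    while x < threshold:
        if t >= t_max:
            return None
        x += dt * (feed / volume_m3) * (x_feed - x)
        t += dt
    return t


def analytic_time(volume_m3, feed=ACID_FEED, x0=0.0, x_feed=1.0,
                  threshold=THRESHOLD):
    """Closed form of the same first-order balance, with tau = volume / feed."""
    tau = volume_m3 / feed
    return -tau * math.log((x_feed - threshold) / (x_feed - x0))


if __name__ == "__main__":
    for volume in (0.5, 5.0, 20.0):  # holdups in m^3
        minutes = time_to_threshold(volume)
        print(f"holdup {volume:5.1f} m^3: limit reached after {minutes:6.1f} min")
```

At a fixed feed rate the time available to detect and correct the upset grows in direct proportion to the holdup, which is the conflict with inventory minimization described above.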
A decision about which is the best system for a particular plant must be made with full knowledge of all of the hazards and also with consideration of the engineering and procedural safeguards that can be applied to manage the inherent hazards for each design option.
Figure 1. The size of the reactor in this batch process leads to a larger inventory of material, but less risk of an unstable reaction mixture.
There are good engineering tools, such as dynamic process simulation, to assess the likelihood and consequences of potential accidents in the design alternatives. Use of these tools requires a thorough understanding of all process characteristics, including reaction kinetics and thermodynamics. For a particular scenario (specific chemistry, equipment size, plant site and surrounding environment), these tools may provide sufficient information to make a decision based on relative risks. For this nitration example, that very likely is the case. The accident scenarios of concern are fires and explosions. While the potential fires and explosions for the two process options are different, the risks can be quantified and compared using quantitative risk analysis methods. But this may not always be true, and value judgments about the relative importance of different kinds of impacts may also affect the decision for many design questions.