Inherently safer design is a philosophy of process safety management that focuses on eliminating hazards, or significantly reducing their magnitude, rather than using add-on safety devices, systems and procedures to manage the risks [1, 2]. Inherently safer design is a potentially more reliable, robust and economic approach to chemical process risk management. After all, what you don't have can't leak.
Many materials and processes, such as those listed in Table 1, pose intrinsic hazards. Such hazards can be avoided only by changing the material or its conditions of use. Table 2 details some strategies for achieving this.
Since the terrorist attacks of Sept. 11, 2001, the press have discovered the idea of inherently safer design, particularly as a tool for reducing security concerns -- a plant without hazardous materials poses no threat of hazardous material release. One response to this increased media attention has been a call for regulations to promote inherently safer design alternatives for facilities handling hazardous chemicals.
Such proposals are not new. The initial draft of the risk-management plan regulations for compliance with the Clean Air Act of 1990 included a requirement, subsequently dropped, to identify potential inherently safer alternative designs. In 1998, Contra Costa County, Calif., passed an Industrial Safety Ordinance that mandates facilities "consider the use of Inherently Safer Systems in the development and analysis of mitigation items resulting from a process hazard analysis." (Moore discusses experience with the implementation of this ordinance.) At the federal level, legislation has been proposed since 2001, but has not passed. However, based on committee discussions in October 2003, some language calling for consideration of inherent safety options is likely to be included in any chemical security legislation that passes Congress. So, it is important for industry, government and the public to understand inherent safety, including potential conflicts among the inherent safety characteristics of design alternatives.
All materials and processes have multiple hazards. For example, Table 3 lists a few of the hazards for an everyday example (a rotary power lawn mower) and a chemical process (solution polymerization of a vinyl monomer in an organic solvent). A process can be described as inherently safer with respect to one or more of these multiple hazards if it eliminates or significantly reduces that hazard. However, a process that is inherently safer with respect to one hazard may or may not be inherently safer with respect to other hazards. It is highly unlikely that any alternative process will be inherently safer with respect to all hazards. It is almost never possible to simultaneously maximize all desirable characteristics of any design.
So, optimization efforts must focus on identifying the design that gives the best overall combination of desirable characteristics; it may not maximize any single desirable characteristic. Optimization also requires some decision about the relative importance of different process characteristics. In many cases, the relative importance of various factors is clear, and there will be widespread agreement about which alternative represents the inherently safer design. However, this is not always true.
The processes for optimization and decision-making for process safety are the same as for any other engineering decision. The science and theory of these processes are well developed, and the Center for Chemical Process Safety has published a book on the application of these methods to process safety decisions. Approaches range from simple voting and weighted scoring methods, through mathematical programming and cost-benefit methods, to sophisticated decision-making tools such as decision analysis and multi-attribute utility analysis.
All of these approaches require the decision-maker to understand the alternative designs, identify the parameters upon which to base a choice, relate each alternative to those selected parameters, and determine the relative importance of each of those parameters.
The last requirement is not a technical question, but a value judgment. Other factors, such as capital investment, operating costs and impact on the community's economy, must be considered.
There is no right answer to a question such as "what is the relative importance of increased risk of cancer from chronic exposure to Material X compared to the increased risk of fire and explosion from Material Y?" Each design group, plant, company or society as a whole must address these difficult questions to determine the relative importance for the specific case.
Even if they agree on all of the "facts," interested parties, because they have different values and priorities, often will still disagree on what to do. Yet, they must discuss the alternatives to reach a consensus.
The question of how to assess the appropriate inventory of a hazardous material versus the frequency of its delivery illustrates a typical plant conflict. Use of a smaller shipping container or on-site storage tank decreases the largest possible release should containment be lost. However, this benefit may come at the expense of more frequent shipment of the material. For example, a plant might replace a 50,000-gal. storage tank with a 5,000-gal. one, reducing on-site inventory by a factor of 10. But, if the annual usage of material remains the same, the plant most likely will receive the material in smaller, but more frequent, truck shipments, rather than large rail car shipments. So, plant operators will have to do the loading and unloading operations more often.
Similarly, a plant might have a choice between using chlorine in 1-ton cylinders or from a 90-ton rail car. A resident of a town a couple of miles away would consider the 1-ton cylinder to be inherently safer, because even a complete failure of a cylinder wouldn't likely impact the town. However, the operators, who would now have to connect and disconnect 90 cylinders instead of one rail car, would consider the rail car to be inherently safer, because even a small leak would be hazardous to them. Both the community residents and the operators are right in their assessments of the inherent safety of the alternatives, but they are concerned about different kinds of events. The task of the designer is to make informed and logical decisions taking into account these conflicts.
There are well-developed tools for understanding the relative risk of such alternatives. Accident consequence models (e.g., for vapor cloud dispersion, fire and explosion) and accident likelihood estimation tools (such as fault tree analysis) can provide information about the relative risks of the alternatives and also on the effectiveness of passive, active and procedural safety systems to manage the inherent hazards of each alternative. However, other aspects of the decision still will require value judgments because the design alternatives impact different groups of people in different, and conflicting, ways.
Much of the literature about inherently safer design focuses on steady state hazards of processes. But process dynamics can impact inherent safety and pose conflicts. For instance, minimizing the size of equipment reduces the quantity of material or energy that can be released if containment is lost. However, from a process dynamics viewpoint, a smaller piece of equipment will respond more rapidly, and quantitatively more, to a disturbance. This faster response may make it more likely that operating parameters will exceed critical safety limits and put the process into a hazardous state. The consequence of an incident from smaller equipment may be less, but the likelihood of an incident may be greater.
Luyben and Hendershot review several specific examples, including the following one: A nitration reaction can be done in a 20 m3 semi-batch reactor, depicted in Figure 1, or a much smaller (0.5 m3) continuous stirred tank reactor (CSTR), as shown in Figure 2. The reaction mixture is combustible and contains moderately toxic materials. The reaction is highly exothermic, with thermal runaway possible from failures such as loss of cooling, excessive nitric acid feed rate or breakdown of the temperature control system. Also, if there is a large amount of excess nitric acid (above 15 mole%) present in the reaction mixture, it becomes highly unstable, essentially detonable. The two options have inherent safety advantages and disadvantages, as summarized in Table 4.
A failure of the feed flow control systems for the small CSTR could result in a hazardous reactor composition very quickly. Figure 3 shows that the reaction mixture would become unstable in about three minutes if the organic feed stopped (for example, because of pump failure, a plugged line or shutting of a manual valve) and the nitric acid feed continued because of a failure of the feed ratio controls and safety interlocks. Clearly, we can provide safety equipment and procedures to manage all of these hazards (and others not listed) for both designs, but these are not inherent safety systems.
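The time-to-hazard argument above can be made quantitative with a toy dynamic model. The following is an added illustration, not code from the article or from Luyben and Hendershot: it assumes a well-mixed vessel whose organic feed has stopped while the acid feed continues, a constant molar holdup (outflow matches inflow) and no reaction once the organic is gone, so the excess-acid fraction follows a simple wash-in curve. The molar density and feed rate are constructed round numbers; only the 15 mole% limit and the two vessel volumes come from the text.

```python
"""Toy wash-in model of excess nitric acid after loss of organic feed.

Constructed model (not plant data): with organic feed lost and acid
feed F (mol/min) continuing into a well-mixed vessel of molar holdup N,
product outflow keeps N constant and nothing consumes acid, so the
excess-acid mole fraction x obeys  dx/dt = (F/N) * (1 - x).
"""
import math

UNSTABLE_EXCESS_ACID = 0.15   # article: above 15 mole% excess acid the mixture is detonable
MOLAR_DENSITY = 10_000.0      # mol/m3, constructed order-of-magnitude liquid value
ACID_FEED = 300.0             # mol/min, constructed; identical for both vessel sizes


def time_to_unstable(volume_m3, acid_feed=ACID_FEED, dt=0.01):
    """Euler-integrate x(t); return minutes until the 15 mole% limit is reached."""
    holdup = volume_m3 * MOLAR_DENSITY
    x, t = 0.0, 0.0
    while x < UNSTABLE_EXCESS_ACID:
        x += dt * (acid_feed / holdup) * (1.0 - x)
        t += dt
    return t


def time_to_unstable_closed_form(volume_m3, acid_feed=ACID_FEED):
    """Analytic solution of the same ODE, used to cross-check the integration."""
    holdup = volume_m3 * MOLAR_DENSITY
    return -(holdup / acid_feed) * math.log(1.0 - UNSTABLE_EXCESS_ACID)


def compare(small_m3=0.5, large_m3=20.0):
    """Return (t_small, t_large, ratio): minutes available to respond in each design."""
    t_small = time_to_unstable(small_m3)
    t_large = time_to_unstable(large_m3)
    return t_small, t_large, t_large / t_small


if __name__ == "__main__":
    t_small, t_large, ratio = compare()
    print(f"0.5 m3 CSTR : {t_small:6.1f} min to 15% excess acid")
    print(f"20 m3 vessel: {t_large:6.1f} min to 15% excess acid")
    # the ratio equals the holdup ratio: consequence scales with inventory,
    # but so does the time the operators and interlocks have to act
    print(f"large/small time ratio: {ratio:.1f}")
```

With the constructed feed rate the 0.5 m3 vessel reaches the limit in under three minutes while the 20 m3 vessel takes roughly two hours; changing the feed rate rescales both times but leaves the 40:1 ratio, which is set by the holdups alone.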
A decision about which is the best system for a particular plant must be made with full knowledge of all of the hazards and also with consideration of the engineering and procedural safeguards that can be applied to manage the inherent hazards for each design option.
Figure 1. The size of the reactor in this batch process leads to a larger inventory of material, but less risk of an unstable reaction mixture.
There are good engineering tools, such as dynamic process simulation, to assess the likelihood and consequences of potential accidents in the design alternatives. Use of these tools requires a thorough understanding of all process characteristics, including reaction kinetics and thermodynamics. For a particular scenario (specific chemistry, equipment size, plant site and surrounding environment), these tools may provide sufficient information to make a decision based on relative risks. For this nitration example, that very likely is the case. The accident scenarios of concern are fires and explosions. While the potential fires and explosions for the two process options are different, the risks can be quantified and compared using quantitative risk analysis methods. But this may not always be true, and value judgments about the relative importance of different kinds of impacts may also affect the decision for many design questions.
Figure 2. The small size of this reactor cuts inventory but makes the process more susceptible to an unstable reaction mixture.
A designer should ask four key questions upon identifying a hazard.
1. Can I redesign the system to completely eliminate the hazard? This is the inherently safer design approach. The extensive literature available provides guidance and checklists to help determine specific approaches for a particular system.
2. Can I modify the system to reduce the potential damage from the hazard? This is the second phase of a search for inherently safer alternatives. If the hazard cannot be eliminated, can it be significantly decreased in magnitude?
3. Do the modifications to the system identified in Questions 1 and 2 introduce new hazards or increase the potential damage from existing hazards? This is an important question that the designer must always ask. After focusing on a particular hazard or set of hazards and identifying potential improvements, the designer must step back and evaluate the entire system, considering all hazards, using the appropriate system hazard identification tools, such as process safety checklists or HAZOP. Any new or increased hazards must be evaluated against the overall benefits of the proposed changes, using engineering tools for process simulation, accident consequence analysis and accident likelihood. The designer also can evaluate the relative difficulty, cost and effectiveness of other risk-management strategies (passive, active and procedural). It also may be appropriate to apply decision-making tools that consider the relative importance of various kinds of hazards or different impacted populations.
4. What passive, active and procedural design features are required to adequately manage risk from the remaining hazards? It is almost impossible to develop a design that eliminates all hazards. So, there always will be a need to incorporate passive, active and procedural layers to reach safety goals. However, engineers too often accept the hazards in a system and jump directly to identifying systems and procedures to control and manage those hazards. A better approach is to first ask if the hazards can be eliminated or significantly reduced. But, it also is important to avoid focusing on only one or a few of the many hazards. Good decisions about inherently safer design require full knowledge and consideration of all hazards.
The next steps
Inherently safer design is an important tool for improving safety in the chemical industry. Properly applying it requires recognition that all systems have multiple hazards and that decisions should be based on the best available information about all of those hazards. Unfortunately, the concept does not get the attention it deserves. There needs to be continuous publicity, further development of methods and, perhaps most importantly, increased attention to the concept in the education of chemical engineers and chemists.
Figure 3. After loss of organic feed to the continuous reactor, it takes only about three minutes for an unstable reaction mixture to form.
Engineers should consider inherent safety in all of their activities. This extends from product and process research and development through plant design and operation -- and even to decommissioning and shutdown.
Regulations mandating consideration of inherently safer design will be difficult to implement and enforce. The language in proposed legislation is very general, requiring consideration of inherently safer technology. What does that mean? Inherently safer with respect to which of the many hazards in a process? Inherently safer to whom? Different organizations may evaluate the same technology options and make different choices because of local circumstances and considerations. If there are conflicts, how are choices to be made? Furthermore, these questions only consider the safety aspects of the choices. Other factors, such as economic and technical feasibility and the state of knowledge on the proposed alternatives, also are important.
Dennis Hendershot is senior technical fellow for the Engineering Division of Rohm and Haas Co., Croydon, Pa.