Use Elegant Design to Bolster Inherent Safety

Embrace a variety of strategies that can eliminate hazards from operations

By Kelly K. Keim and Scott W. Ostrowski, ExxonMobil Research and Engineering

Trevor Kletz was able to simplify the concept of inherent safety in such a way that everyone “gets it.” His mantra “What you don’t have can’t leak” is so clear and powerful that it has grabbed the attention of all stakeholders, including owner/operators, labor, community members and regulators, who have an interest in safer processing facilities of all types. It expresses a vision that we all seek, one where no harm comes from the operation of process facilities that manufacture the materials that make our lives better every day.

Of course, the concept of inherent safety goes beyond simply not having materials that potentially could damage the pipes, vessels and equipment that make up manufacturing facilities. We must understand all the ways those materials can be involved in incidents that harm people, the environment and our facilities. Without a thorough understanding of those scenarios and how they can occur, we can’t properly evaluate the risks posed by different technological approaches and effectively apply inherently safer technologies.

For example, the lower annual corrosion rate of a stainless alloy compared to carbon steel in some processes may seem compelling. However, chloride exposure may cause stress corrosion cracking in the alloy; this damage is difficult to detect before a catastrophic component failure occurs. So, in fact, the inherently safer option may be to use carbon steel while implementing a strong inspection and replacement program that manages the hazard of corrosion effectively.


Fundamental Strategies

Kletz in his groundbreaking 1984 paper [1] described four basic strategies for achieving inherently safer processes:

• intensification;
• substitution;
• attenuation; and
• limitation of effects.

In its 2007 book, “Inherently Safer Chemical Processes: A Life Cycle Approach” [2], the Center for Chemical Process Safety translated those terms into simpler ones readily understood by a wider audience than just safety professionals:

• substitute — replace a material with a less hazardous one;
• minimize — reduce the quantities of hazardous substances;
• moderate — use less hazardous conditions, a less hazardous form of a material or facilities that minimize the impact of a release of hazardous material or energy; and
• simplify — design facilities that eliminate unnecessary complexity and make operating errors less likely, and that accommodate errors that occur.

Let’s consider their application to the use of a chlorine cylinder:

• substitute — change from chlorine to a bromine tablet;
• minimize — keep only one cylinder on the site;
• moderate — connect a vacuum inductor to the cylinder; and
• simplify — adopt a distinct design with unique connections for chlorine hoses.

Other strategies can complement these simple ones. Here, we introduce the phrase “elegant design” to represent the selection of process technology, equipment, design or layout that makes higher-potential-consequence scenarios non-credible. Elegant design may take advantage of a number of Kletz’s strategies — and may even go beyond them to achieve risk reduction, minimization, or elimination.

Simply put, the concept of inherently safer design is: “What can’t happen can’t happen.”

Any number of design features can contribute to preventing something from happening. Substitution and some elegant design solutions can provide absolute certainty against an occurrence. Minimization, moderation and other elegant designs can afford a reasonable certainty. Instructions and procedures can help but offer the least degree of certainty. All are desirable steps toward a safer processing facility.

Not every strategy has to result in the complete elimination of the hazard or risk scenario. When we can make an incorrect action or assembly impossible (or at least very difficult), or design so that the error is accommodated without harm, we use the term “mistake proofing.” Where doable at a reasonable cost, this is an attractive strategy because it rarely introduces alternative scenarios. For our chlorine cylinder example, mistake proofing might include using unique connections for the hoses.

In contrast, mistake tolerant systems provide timely feedback when a mistake happens, the means (either before or after loss of containment) to correct the error before an undesirable outcome occurs, or, if not corrected, reduced consequences from the mistake. For the chlorine cylinder, a mistake tolerant strategy might involve isolating chlorine inside buildings that have a chlorine vapor recovery system.

Putting The Strategies To Use

To illustrate the application of inherent safety strategies, let’s look at several real-world situations: sulfonic acid plant design, aluminum chloride (AlCl3) handling, a utility station and an electrical switchgear.

Sulfonic acid plant design. Reacting sulfur trioxide (SO3) dissolved in sulfur dioxide (SO2) with an alkylate feed produces sulfonic acid. This is an exothermic reaction that boils off SO2 as its primary means of heat removal. The SO2 also serves as a mutual solvent that allows intimate contact between alkylate and SO3, which otherwise would react only at their interface. The alkylate feed is flammable, and the SO2 and SO3 are both inhalation toxics.

The heat of reaction boils the SO2 and SO3 from the reactor. In the traditional plant design (Figure 1), two drums collect the boiled-off vapor and allow the return of SO3 and any knocked-out liquid to the reactor. A compressor and cooling water exchanger provide cooled, liquefied SO2 for recycling to the reactor.

Following inherently safer design principles, the process was modified to eliminate the compressor and collector drums and to replace the standard pumps with seal-less ones (Figure 2). This greatly reduced the inventory of SO2 required to operate the process and removed two pieces of rotating equipment, each of which had the potential to leak toxic material to the air. In addition, because a Freon refrigerant now provides the cooling, the bulk of the SO2 is held at a temperature not far from its boiling point, which minimizes vaporization in the event of a leak. However, these process safety improvements came at the cost of using an ozone-depleting refrigerant rather than cooling water.

The minimization and moderation strategies enhanced process safety — but opportunities exist to make the process even more inherently safe:

• Use the cooling exchanger as the knockout pot and provide for gravity drain of cooled SO2 back to the reactor, eliminating the pump. (This requires relocating the SO3 injection point.)
• Find a safer solvent than SO2.

In addition, even greater inherent safety may be possible by avoiding the process altogether, such as by switching to sulfonic acid alternatives that are made via inherently safer processes.

Aluminum chloride handling, part 1. Figure 3 depicts part of a process that uses AlCl3 as an ionic polymerization catalyst. AlCl3 is a powder that reacts violently with water to form toxic hydrogen chloride (HCl) gas and aluminum hydroxide (Al(OH)3). Its contact with skin results in burns. Low-pressure nitrogen is used to unload AlCl3 from delivery trucks and transport the material to smaller vessels from which it is conveyed into the reactor. The AlCl3 is a very fine powder, some of which travels with the nitrogen. All conveying nitrogen is returned to a silo that can contain as much as 80,000 lb of AlCl3. The nitrogen then passes through a filter that returns most of the entrained AlCl3 to the silo. What passes through the filter is scrubbed from the nitrogen in a packed tower, where water is sprinkled down through the bed as the nitrogen rises and is released from an elevated vent stack. The slightly acidic water drops through a “p-trap” and then goes to the wastewater sewer.

This is a fairly simple process — but what happens if the p-trap plugs? Water will flood the scrubbing tower and back up in the line towards the silo. Because the top of the vent from the scrubber is considerably higher than the filter on top of the silo, the water eventually will reach the silo, resulting in a highly exothermic reaction and generation of HCl gas that can’t be contained within the silo.

The normal way to address this issue would have been to install level sensors in the packed tower with alarms and an automated trip of the scrubbing water. An elegant and inherently safer design was to provide an air break in the water supply to the scrubbing tower: the water is fed through an open funnel (Figure 4). The top of the funnel is at an elevation considerably lower than that of the filter, so if a plug occurs in the drain line, the water simply runs out the top of the funnel before it can rise to the silo. Little-to-no pressure head was required to get the water through the distributor inside the tower, so the funnel could be placed low enough to work.

This modification was far less costly than installing the safety critical devices first considered.

It’s difficult to put this inherent safety strategy into any of the four basic ones. It’s simply an elegant design solution that works to make the scenario of water backing into the silo non-credible.
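The air break only works if two elevation constraints hold at once: the funnel rim must sit below the silo filter inlet (so overflow, not the silo, is where backed-up water goes), yet high enough above the tower distributor to drive the water through it by gravity. The example below is added here, not code from the article or the plant; Figures 3 and 4 are not on the page, so every elevation, distributor pressure and margin in it is a constructed assumption, with the 2.31 ft-of-water-per-psi conversion the only physical constant. It also covers the caveat raised in the reader comment at the end of the page: a distributor that needs several psig (spray nozzles rather than a trough) can push the required rim elevation above the filter and defeat the design.

```python
"""Elevation check for an open-funnel air break in a scrubber water feed.

Added example, not from the article. The plant's actual elevations are not
on the page, so the layout values used here are constructed assumptions.
Water backing up from a plugged drain rises until it finds the lowest open
point; the design makes flooding of the silo non-credible only if that point
(the funnel rim) is below the silo filter inlet.
"""

FT_WATER_PER_PSI = 2.31  # feet of fresh-water column per psi at ~60 F


def head_ft(psig: float) -> float:
    """Static head, in feet of water, equivalent to a gauge pressure."""
    return psig * FT_WATER_PER_PSI


def funnel_rim_elevation_ft(distributor_elev_ft: float,
                            distributor_psig: float,
                            line_loss_ft: float = 0.0) -> float:
    """Lowest funnel-rim elevation that still feeds the distributor by gravity.

    distributor_psig is the inlet pressure the distributor needs: near zero
    for a weir or trough, several psig for spray nozzles (assumed values).
    line_loss_ft is friction loss in the feed line, expressed as head.
    """
    return distributor_elev_ft + head_ft(distributor_psig) + line_loss_ft


def air_break_check(distributor_elev_ft: float,
                    distributor_psig: float,
                    filter_inlet_elev_ft: float,
                    margin_ft: float = 3.0,
                    line_loss_ft: float = 0.0) -> dict:
    """Decide whether the air break keeps backed-up water out of the silo.

    Returns the rim elevation the distributor forces on the design, the spare
    height left between (rim + safety margin) and the filter inlet, and a
    verdict. A negative spare height means the rim would have to be above
    the filter, so the funnel no longer protects the silo.
    """
    rim = funnel_rim_elevation_ft(distributor_elev_ft, distributor_psig,
                                  line_loss_ft)
    spare = filter_inlet_elev_ft - (rim + margin_ft)
    return {
        "rim_elev_ft": round(rim, 2),
        "spare_ft": round(spare, 2),
        "protective": spare >= 0.0,
    }


if __name__ == "__main__":
    # Constructed layout: distributor 30 ft above grade, silo filter inlet 45 ft.
    trough = air_break_check(30.0, 0.5, 45.0)   # gravity trough, ~0.5 psig
    nozzle = air_break_check(30.0, 10.0, 45.0)  # spray nozzles at 10 psig
    print("trough distributor:", trough)
    print("spray nozzles:    ", nozzle)
```

With the assumed layout, a low-head distributor leaves about 11 ft of spare height, while 10-psig spray nozzles would force the rim roughly 8 ft above the filter inlet. In the latter case the remedy is to change the distributor or raise the filter, not to raise the funnel; raising the funnel quietly reintroduces the scenario the air break was meant to eliminate.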

Aluminum chloride handling, part 2. Figure 5 shows the situation that existed at the reactor in the same plant with the AlCl3 silo. The AlCl3 passes at a controlled rate through a rotary feeder into the reactor. The AlCl3 has a tendency to plug the standpipe between the feeder and the reactor. An operator’s natural inclination is to blow the plug free and into the reactor using 140-psi nitrogen available close by. Fortunately, there’s never enough catalyst in the standpipe to cause a runaway reaction.

What can go wrong in this situation? If the valve between the bleeder where the nitrogen is injected and the day pot is left open or leaks, the nitrogen overpressures the day pot, blowing the rupture disc and sending fine AlCl3 powder over several acres.

To make the situation more mistake tolerant, the nitrogen source within a hose length of the bleeder was regulated down to 75 psi, well below the set pressure of the rupture disc on the AlCl3 day pot. To remove any temptation for an operator to adjust the regulator, a safety valve that relieves to an elevated location limits the pressure downstream of it.

This didn’t prevent one ambitious operator from stringing two nitrogen hoses together to bring 140-psi nitrogen to the day pot after working unsuccessfully for several hours to remove a clogged drop line using the 75-psi source.

Utility station. The use of a hose connected to a utility station is one of the most common ways that operators interact with process facilities. Figure 6 depicts a typical set-up for a utility station near the point of use that provides water, steam, nitrogen and air.

What could go wrong here? How could this set-up be improved?

In the modified utility station design, each utility was given a different type of connection. Each line not only was labeled but also color coded in a fashion that allowed even those with color blindness to distinguish the utilities by the lightness or darkness of the lines. The distinct connector and color of each hose made connecting the wrong utility to the process very unlikely. In addition, the arrangement of the utility station was modified to separate the air and nitrogen supplies, providing one more barrier against mistakenly using nitrogen to drive a tool in a confined space, where it would displace breathing air.

It remains possible for some ambitious soul to prepare a crossover connection by appropriating the right set of fittings. Therefore, you must carefully control these utility station fittings.

This is an application of the mistake proofing form of inherently safer design.

Electrical switchgear. Figure 7 depicts an electrical switchgear in 2,300-V service. It serves as the primary electrical disconnect and lockout point for isolating a large pump when it needs service.

Where does the lock go to ensure that the equipment can’t be re-energized while repairs are being made? There is a hasp conveniently placed in plain view on the handle that opens the cabinet door. However, the lock actually should go through a little tab above the disconnect switch that can be pulled out when the switch is in the off position.

You could try training your personnel on the proper location for the lock. You could put a sign on the cabinet to indicate where the lock goes. Then you could realize operators will hang the lock in the wrong location before they look for a sign that would tell them the right location — and put another sign on the wrong location that says: “Lockout lock does not go here!” However, eventually even that sign becomes just background noise.

We tried all these things before happening upon a solution that worked — cutting off the hasp on the door handle!

An operator knows a lock must be placed on the switchgear. Now, if the operator forgets exactly where the lock should go, the person will think about it and either come up with the right — and only — solution or ask. The possibility of making a mistake no longer exists.

Is this an inherently safer switchgear? Yes.

Does it fall into one of the four basic inherent safety strategies? Not really, although it may be a form of mistake proofing.

The Key To Success

Application of inherent safety principles is just one aspect of making safety second nature. For each situation, other approaches may be as effective as the basic four and may be economically feasible when none of the four are. Moreover, it’s important to realize that mandating the use of inherent safety is like placing signs throughout the workplace that say: “Be Safe.” Each has little benefit until you have translated the mindset into practical application.

You achieve expertise in the practical application of inherent safety principles through the diligent and repeated search for and application of inherently safer solutions. This experience is what makes a safety engineer effective and a process plant a safer place to earn a living. You train your brain to spot applications for solutions you’ve seen before and you apply principles you’ve used before to solve new problems. The end result is a mindset that makes safety second nature.

KELLY K. KEIM is chief process safety engineer for ExxonMobil Research and Engineering, Baytown, Texas. SCOTT W. OSTROWSKI is a senior process safety engineering associate for ExxonMobil Research and Engineering in Baytown.

Reader comment:


One of the flaws in the scrubber solution may be the need for a high-pressure spray nozzle to provide semi-atomized droplets to the face of the scrubber packing. I've tried troughs in this application but they are quickly plugged and replaced by spray nozzles.

Typically, these spray nozzles operate at about 7.5 psig up to 12-15 psig. Much beyond 10 psig the typical nozzle produces atomized spray. The spray can carry over, bringing dissolved or partially dissolved chemicals. You would need to include a 17-23 ft elevation in the location of the water trough to compensate for the (unplugged) drop through the spray nozzle. This is quite doable but it is something to be aware of.
