Rethink your approach to process safety

Sept. 11, 2007
Place more emphasis on avoiding hazards rather than just controlling them. Process risk reduction can involve limiting the likelihood of potential accidents or cutting their consequences.

The chemical industry relies on processes that can pose hazards due to the nature of the materials and chemistry used (chlorine is toxic by inhalation, nitration reactions usually are highly exothermic) or the characteristics of the process variables (ammonia manufacture requires elevated pressure). So, effective process safety management is crucial.

Process risk reduction can involve limiting the likelihood of potential accidents or cutting their consequences. Strategies fall into four categories:

  • Inherent. Eliminate a hazard by using materials and process conditions that are non-hazardous. For example, replace a flammable solvent with water.
  • Passive. Minimize the risk by process and equipment design features that decrease either the frequency or consequence of an incident without the active functioning of any device. For example, provide a containment dike around a flammable liquid storage tank.
  • Active. Use controls, safety instrumented systems and other emergency shutdown systems to detect hazardous process deviations and move the process to a safe state. For example, install a high-level switch, one foot below a tank overflow, that when tripped will stop a pump feeding the tank.
  • Procedural. Implement operating procedures, training, administrative checks, emergency response and other management approaches to prevent incidents or to minimize their effects. For example, mandate that an operator’s supervisor verify that the amount of a critical catalyst to a batch reaction is correct by independently weighing the catalyst before charging it to the reactor.

Process safety management efforts typically start by accepting the existence and magnitude of the hazards. So, efforts concentrate on reducing the risk associated with those hazards by using passive, active and procedural strategies to provide “layers of protection.” The “layer of protection” concept is based on a simple premise. Given enough protective features and countermeasures, the prospect that all will fail simultaneously when a process upset occurs that might lead to an undesired event is sufficiently low that the risk is judged to be tolerable. This approach can be highly effective, and its application has resulted in significant improvement in the safety record of the chemical industry. But there are disadvantages:

  • The process hazard remains and some combination of failures of the layers of protection may result in an incident.
  • Every protective system or procedure layer potentially can fail because equipment is not perfect, people make mistakes, and management systems for maintenance can deteriorate over time. The likelihood of failure can increase if the protective systems aren’t properly maintained and operated throughout the life of the plant. Indeed, long term maintenance of management systems to ensure the reliability of protective systems may represent the biggest challenge for process safety in the chemical industry. Investigation reports after many serious incidents have identified the failures of management systems to ensure mechanical integrity, operating procedure integrity and personnel training, for example, as major contributing causes.
  • Because the hazard still exists, there’s always a danger that some unanticipated route or mechanism could cause a potential impact. Nature may be more creative in inventing ways by which a hazardous event can occur than experts are in identifying them. Accidents can happen by mechanisms that were unanticipated or poorly understood.
  • The layers of protection can be expensive to build and maintain throughout the life of the process. Factors include initial capital expense; operating, safety-training and maintenance costs; and diversion of scarce and valuable technical resources to maintain and operate the layers of protection.

A powerful alternative

Inherently safer design (ISD) approaches hazards differently. It focuses on eliminating or significantly decreasing them. (A process with reduced hazards is described as inherently safer, rather than inherently safe, because no technology is completely without risk.) Where feasible, ISD provides more robust and reliable risk management and, in many cases, potentially can make the processing technology simpler and more economical.

In general, ISD looks at how single events (chemical accidents) affect people, the environment, property and business. In a chemical plant, this usually means the immediate impacts of fire, explosion and the release of toxic materials. Often, however, ISD also will reduce risk from long-term exposure to chemicals or environmental impacts from handling of toxic materials.

ISD aims to build safety into the process instead of adding it on. A hazard is eliminated, not controlled, and the means by which the hazard is removed is so fundamental to the design that it cannot be changed or defeated without altering the process. For example, replacing a combustible and toxic solvent with one that is non-combustible and non-toxic, perhaps water, would make a process inherently safer with respect to fire and toxicity hazards. However, it is highly unlikely that any technology for any process will ever be inherently safer with respect to all possible hazards. Here, for instance, while the old solvent operates at atmospheric pressure, the new one may require running at elevated pressure and thus may be inherently less safe for high pressure hazards.

The Center for Chemical Process Safety’s “Inherently Safer Chemical Processes: A Life Cycle Approach” [1] categorizes strategies for designing inherently safer processes into four groups:

  • Minimize. Use small quantities of hazardous materials and decrease the size of equipment operating under hazardous conditions such as high temperature or pressure;
  • Substitute. Switch to less hazardous materials, chemistry and processes;
  • Moderate. Reduce hazards by dilution, refrigeration and process alternatives that operate at less hazardous conditions; and
  • Simplify. Eliminate unnecessary complexity and design “user friendly” plants.

Applying the approach

The best opportunities for implementing ISD are early in product or process research and development. At this point, there’s no commitment to a particular technology, most R&D work hasn’t yet taken place, potential customers haven’t committed to using products made by a certain technology or developed their processes to fit this product, and capital hasn’t been spent to build a plant. As the process moves through the life cycle, it becomes more difficult to change the basic technology. However, it’s never too late to consider ISD — although implementation options may be more limited in an existing plant.

To illustrate how ISD can be applied at various levels of process development and design, let’s consider production of a generic chlorinated organic chemical.

Selection of basic technology. There may be a variety of chemistry options for producing the molecule of interest. Some may use elemental chlorine, while others may rely on other chlorinating agents or be based on other readily available chlorinated organic chemicals that eliminate the need for a chlorination step. The research chemists should search for alternative synthesis routes, consider the hazards associated with the available chemistries and look for options that reduce the inherent hazards of the process.

Implementation of the technology. There may be many options available for implementing the technology chosen. For instance, if the chemistry requires elemental chlorine, the process engineers and chemists should consider whether to ship in or generate the element at the site. Each option has specific ISD characteristics relative to various hazards of concern. Other factors such as economics and availability of technology also come into play, of course.

Plant design. At this point in the process life cycle, the designer must consider ISD for a variety of factors, including:

  • location of the plant relative to surrounding population and sensitive environmental areas;
  • general layout of the equipment on the plant site;
  • number of parallel systems and size of those systems (one big unit, or two or more smaller trains, for example); and
  • size of storage facilities for hazardous materials.

Detailed equipment design. There are many options in the design of equipment such as heat exchangers, chlorine vaporizers and other devices that might be included in the plant. Different equipment designs will have different ISD characteristics — for example, the inventory of material in the equipment or the operating temperature and pressure. Also, the detailed layout of the equipment will impact plant safety characteristics such as the length and diameter of piping containing hazardous materials. In addition, ISD demands consideration of human factors for equipment, to minimize the potential for mis-operation and errors by personnel.

Operation. ISD should be considered in the development of operating and maintenance procedures. These must be clear, logical and consistent with actual human behavior. Also, the plant should keep ISD options in mind throughout the operational lifetime, particularly when modifications are made or if new technology becomes available.

Inevitable conflicts

ISD is not a magic bullet that will eliminate all potential risks associated with chemical processing. After all, in many cases the characteristic of a material or technology that makes it hazardous is the same that makes it useful. For example:

  • Jet airplanes travel several hundred miles per hour. So, they can transport people long distances in a short time. But the speed also makes an airplane hazardous because its kinetic energy can cause major damage if the plane hits something.
  • Vinyl monomers contain a double bond that can be highly reactive. When properly controlled, this reactivity allows the manufacture of a wide variety of polymers with useful properties. But, if the reactivity isn’t properly controlled, a runaway polymerization can prompt an explosion and fire, with potential for injury or fatality and significant property damage.

In some cases alternative technologies may be less hazardous or easier to control. But, for many technologies, inherently safer technologies don’t exist or aren’t economically feasible; so, we must rely on passive, active and procedural safety strategies to manage the risk. These strategies can be highly effective — travel by airplane, despite the significant inherent risks of flying, is extremely safe because of the highly effective safety management systems in place in the air transport system.

As discussed previously, any change to a technology designed to reduce one or more hazards may perhaps increase or introduce others. Chlorofluorocarbon (CFC) refrigerants provide an example. When first developed in the 1930s, CFCs were considered to be safer alternatives to existing refrigerants such as ammonia and light hydrocarbons. CFCs have low acute toxicity and are not flammable.

Toward the end of the 20th century, their adverse environmental impacts were recognized and many CFCs have since been phased out. While CFCs are still inherently safer than many alternatives with respect to flammability and acute toxicity hazards, society has decided that the previously unknown hazard of adverse environmental impact is unacceptable and is willing to apply passive, active and procedural strategies to manage the hazards associated with replacement refrigerants.

Such switches aren’t necessarily easy or straightforward. For a home refrigerator, it may not be a good idea to simply replace the CFC with another refrigerant — say, a light hydrocarbon. The quantity of light hydrocarbon (perhaps several kilograms), if it leaked, would be sufficient to create an explosive atmosphere in a room the size of a kitchen. Many “green” refrigerators feature a complete redesign to significantly reduce the amount of refrigerant to as little as a couple of hundred grams to minimize the fire and explosion hazard in case of a leak. This illustrates the importance of considering the design of a complete system when implementing ISD to ensure that all known hazards are adequately managed.

Different groups may perceive the inherent safety of technology options differently. A plant using chlorine has a choice between getting it in 1-ton cylinders or 90-ton railroad tank cars. Neighbors several miles away from the plant would consider the 1-ton cylinders to be inherently safer because a leak from one of these containers probably wouldn’t affect them. But plant operators would have to connect and disconnect 90 cylinders instead of one tank car, and each time they are at risk from chlorine exposure. So, the operators would consider the railroad car to be inherently safer because it requires less handling.

Of course, procedures, personal protective equipment and other safety-management systems can control the risk to the operator, but these are not inherent. Both the neighbors and the operators are correct in their perceptions of the ISD characteristics of the chlorine supply options, but they are concerned about different kinds of incidents. To make an intelligent choice, the designer should understand not only these conflicting requirements but also the potential role of all risk-management systems (inherent, passive, active and procedural).

It also is important to consider whether an ISD option just transfers risk somewhere else. For instance, a plant might reduce its risk by decreasing the size of a hazardous material storage tank on the site and thus its inventory of the substance. However, the smaller tank may require a switch from getting the material via railroad tank cars (typically about 300,000-lb. shipments) to trucks (typically about 30,000 lb.). There will be ten times as many shipments, and they will go by road rather than by rail — depending upon the particular location, road shipment may be inherently more hazardous. So, while the site risk is reduced, the overall risk to society actually may be increased.

Think differently

The chemical industry will benefit if designers and operators consider ISD options throughout a process’s life cycle, from initial conception through R&D, plant design (including detailed design of equipment and operating procedures), construction, operation, modification and eventual shutdown.

ISD is not a specific program or design technique but a philosophy and mindset. It challenges you to rethink how to approach hazards — not just to accept them and concentrate on control, but to seek to eliminate or minimize them. It can lead to choices that better reflect differences in particular situations and environments, while taking into account other factors such as economics, resource allocation, and the feasibility, reliability and effectiveness of conventional process risk-management features.

A designer should ask the following questions, in this order, once a hazard has been identified:

  1. Can the hazard be eliminated?
  2. If not, can the magnitude of the hazard be reduced?
  3. Do the process options identified from the first two questions increase the scale of any other hazards or create new ones? If so, consider all hazards in selecting the best alternative.
  4. What passive, active and procedural protective systems are required to manage the hazards that remain?

Too often we skip directly to the fourth question and focus on hazard management without striving to eliminate or reduce hazards. We accept the hazards, believing they are unavoidable. This may be true, but we can never eliminate or reduce hazards if we never challenge ourselves to do so.


  1. “Inherently Safer Chemical Processes: A Life Cycle Approach,” D. A. Crowl, ed., Center for Chemical Process Safety, American Institute of Chemical Engineers, New York (1996).

Updated ISD reference

The Center for Chemical Process Safety is currently developing the 2nd Edition of “Inherently Safer Chemical Processes: A Life Cycle Approach” [1], with publication anticipated around the end of 2007. It will incorporate the latest developments and literature on ISD and will greatly enhance the checklists and tools for helping identify ISD options for new and existing processes and plants.

Dennis C. Hendershot is principal process safety specialist for Chilworth Technology, Plainsboro, N.J.
