Trish And Traci Podcast Hero 634044848d852

Podcast: Is Inherently Safer Design Really Safer?

March 3, 2020
Born out of Trevor Kletz's 1978 article entitled, "What You Don't Have Can't Leak," inherently safer design focuses on design philosophy. Senior Editor Traci Purdum and Trish Kerin, director of the IChemE Safety Centre, seek to answer if the concept really makes facilities safer.

This episode of Process Safety With Trish & Traci examines inherently safer design. Inherently safer design choices are actually trade-offs. We pick the least objectionable option. Trish explains the four fundamental parts or ideas to look at from inherently safer design.

Transcript

Traci: Welcome to this edition of "Process Safety" with Trish and Traci, the podcast that aims to share insights from current incidents to help avoid future events. I'm Traci Purdum, senior digital editor with Chemical Processing.

Trish: And I'm Trish Kerin, director of the IChemE Safety Centre, I'm based out in Australia.

Traci: Hey, Trish, what's new in your world today?

No Time To Listen Now?

No worries! Subscribe and listen whenever, wherever. 

Trish: Well, I think at the last podcast, I mentioned that we were having some quite severe forest fires out here but we've got fantastic news, the fires are out. So we're all really pleased about that. And the message from all of us in Australia right now is if you've got a vacation coming up, come visit us. We'd love to see you down here and show you our wonderful country.

Traci: Well, that sounds like a wonderful invitation. I hope to take you up on it one of these days. Maybe we can do one of our podcasts in person while I'm down in Australia.

Trish: That will be good.

Traci: We're going to touch on our topic for today, which is Inherently Safer Design, which seems pretty straightforward, but is it really? It stems from the concept of reducing rather than controlling hazards. And it was born out of Trevor Kletz's 1978 article entitled, "What You Don't Have Can't Leak" which is very true. Inherently safer design is not to be confused with intrinsic safety. Can you define both of those for us?

Trish: Yes, sure. So intrinsic safety or intrinsically safe devices, that's a term that's used specifically to talk about electrically based items. And it is a rating system that's used so that a particular item even if it fails, and trips out in some way, it can't produce a spark with enough energy to ignite flammable vapors. We use intrinsically safe equipment all over in our facilities. There will be EX rated pumps, even down to the flashlights you use out in the facility. Those will all have an intrinsically safe rating to them, and that will depend, the rating that we need depends on where we're going to use them in our facilities. So, it's a very specific element to do with safety.

Whereas inherently safer design is actually about the design philosophy we put into the process and how we look at it. And typically, there's said to be four fundamental parts or ideas to look at from inherently safer design. They're a little bit similar to the traditional safety hierarchy of controls, you know, where you work to eliminate first and then you minimize an engineer, etc., and you get all the identity administrative controls, a little bit similar, but not quite the same.

So the four key areas are, first of all, we've got minimize or intensification. And this is about reducing the amount of hazardous material. If we can minimize the amount of hazardous material we have to store then we're reducing the overall volume of hazard which then reduces the risk that we can see coming out of it.

Now, we've got substitution or elimination. This is can we use a less hazardous material? So, sometimes, in some chemical reactions, you know, we might be using various different solvents for a carrier mechanism for the reaction to take place. Can we change out the first solvent for a less hazardous solvent potentially? So that's a substitution or elimination type issue.

Next one is moderate, or attenuation. And this is can we minimize the hazardous conditions? Things like if we think about storing of explosives, we store explosives in small amounts in small stores all over the place. We don't put a whole lot of explosives in one big room. That's actually an example of moderate, we're breaking down the hazard and creating less hazardous conditions throughout that process.

And the last key one that we tend to talk about is simplification. And this is all about how can we make the process as simple as possible? Because every time we have a complexity in the process that potentially introduces the chance of an error, and with that error, we could then have a consequence eventually that we don't want. So, if we can actually simplify the process and create it to be more error-tolerant, a simple error then won't generate a catastrophic result for us. Whereas, if it's a really complex process, a small error could actually result in quite a significant incident occurring. They're kind of the four key areas that we do try and look at and think about when we're applying inherently safer design principles.

Traci: Now, when you think of an inherently safer design, you get the picture that it starts at the beginning. Can you implement inherently safer design after the fact? Say that a plant has not considered any of those four elements.

Trish: Yeah, so fundamentally, because inherently safer design is all around the initial principles of how you've designed it. It's much, much easier at the beginning. It's a lot easier when you've got a blank sheet of paper and you're designing something to design it inherently safer than when you've got an established plant that's already built. Having said that though there are things that can be done though there will generally always be some sort of engineering control that needs to be put in place to change and modify what you've got to introduce that inherently safer principle to it. So, it certainly can be done.

For example, you might have a facility where you're storing a certain toxic chemical, and it's currently stored in a very large tank. You may choose to change out that tank when it needs to be changed out because it has a corrosion issue, it needs to be repaired, etc. You're going to change the system anyway. You might choose to put in place several smaller tanks so that if you lose a lot...if you have a loss of containment of one of the smaller tanks, you're losing a smaller volume rather than a larger volume. That would be a way that you could retrofit something in. You can change how you're design of your operating process works, you control process, to simplify the process. So that would also be another control that could be put in after the fact.

We need to be at times a little bit creative in thinking about so how can we actually introduce something that is more inherently safer? For a couple of examples, if we think back to the Texas City refinery incident and the fact that there was still a vent stack on the blowdown drum being used. There were several options or opportunities they had throughout that time to actually replace that with connecting it to the flow system. Connecting it to the flow system would have been an inherently safer design option for them than the atmospheric vent stack that they had in place. And they had opportunities to do that because the vent stack of the blowdown drum was replaced at various points in time because it had corroded out. So when opportunities present you that taking that step and actually saying, "Okay, we are going to make that change, we are going to move towards something that's inherently safer."

I once worked at a facility where we did handle a very toxic chemical. And we only ever imported it in 200-liter drums. And then those drums, two drums only were decanted into a storage tank that was used to charge into the process. So, the maximum volume we could actually have in any one location was 400 liters because we didn't want our entire stock of that leaking. It wasn't put in a big tank because we wanted to make sure that we kept it segregated should we have a loss of containment because of its level of toxicity. There's some examples of how you can actually look at trying to put some of these things in after the fact.

Traci: Now, I'm thinking of other incidents, the Bhopal disaster in India. Didn't something come out of that where there was a lot of lessons learned and a lot of...I think the Toxic Catastrophe Prevention Act came out of that. Similar or is that what we're talking about here?

Trish: Yeah, look at it. In Bhopal, there was a range of different things. It was actually some things they tried to do throughout the process and modifying it where they thought they were creating a safer outcome. So, at one stage in that process, they were having a lot of pump fuel leaks so they decided that the pump fuel leaks were the problem because it was leaking the MIC, which we know now. There was through the results of Bhopal, it was a highly toxic chemical. They knew at the time it was highly toxic, as well. There's a lot of pump fuel leaks, so they actually stopped using the pumps and started using nitrogen purging to move the product around.

Now, in theory, that should have been an inherently safer process because you were removing a piece of rotating equipment that had several leak points and substituting it with something more passive. There were other issues around that, and that's one of the key things about inherent safety. It's not absolute safety, inherently safer design choices are actually trade-offs. We trade something for another, we pick the least objectionable option, basically, is what we need to do in this particular instance.

What they then did do in Bhopal though was they started to slowly strip away all of the engineered safety systems they had in place. They started to do things like only running their refrigeration system circulation pumps intermittently, again, so that the pumps wouldn't leak. They stopped running the refrigeration system because of the energy input into running it. Now, these were all safety-critical devices that they put in to the process for very good reason. And they slowly started to take them all out. So eventually, when that incident did happen, they actually had no options of how to control and mitigate the release they were seeing. There was no flair operational, there was no scrubber operational, the refrigeration system was not operational. And their firefighting water system didn't have enough capability to spray to knock down the vapor cloud as it was being released.

So, we certainly did learn a lot from Bhopal in that space of inherently safer design and trying to improve and focus on not having the hazards of the same magnitude, which is really that Trevor Kletz, you know, beautiful quote of, "What you don't have can't leak." You know, there's a story about Trevor, he actually used to live in a single-story bungalow because you couldn't fall down a set of stairs if you didn't have any. In theory, it's an inherently safer design. But if you're in a floodplain area, you've got nowhere to go. So, you see, there's a tradeoff here of, you know, do you give away something for the benefit of something else? You need to determine what risk is the more acceptable one or tolerable one to you.

Traci: And in talking about those trade-offs, and my question to you and you've already started answering it is, does it really make things safer? Or does it give you a false sense of security where the other things might be of more danger? Does that make sense?

Trish: It does. The other really important thing to remember about inherently safer design is you not only need to design it, right? You then need to install it as per the design, and you then need to operate it and maintain it. And if you don't do all of those things together, then no, it's not going to be safer because if you don't maintain it appropriately, then you're going to have an issue come up at some point. And so that is a real catch that comes in here that we need to be aware of. Does it really make things safer? Look, I think it does, I really do. I worked in a facility that was actually the first major facility that ICI, at the time, built following the Flixborough disaster in the U.K. And this facility was designed with the early stages of inherently safer design principles. I'm going to describe a couple of the design principles that were in this facility. And I do believe that it made this facility a lot safer potentially.

So, it was handling a carcinogenic substance. And the substance was stored in tanks, and they were stored at one end of the facility, literally as far away as possible from where the people were stored in the facility. We had all the office buildings and all those sorts of things literally be directly opposite part of the facility as far away as possible because we then created distance and space between the two. But we had to get the product from those tanks up into reactors. The pipeline to get the product from those tanks into the reactors was a continually welded pipe the entire way so there was a flange at the pump and a flange at the reactor. There were no other flanges because flanges are potential leak sources. And we all know that flanges do have fugitive emissions to them. And we were dealing with a carcinogenic product.

The sheer lack of flanges on that pipeline meant we couldn't physically have a flange leak except at either end. For that whole distance, and it rained a couple of hundred, several hundred yards, we didn't have a potential for a flange leak. But that didn't mean we didn't need to inspect the pipeline to make sure we weren't having internal corrosion issues that we're going to create a pinhole leak. So, we still have to maintain the facility. We still have to do all the inspection processes to make sure that we were safe in that particular path. And again, then the reactors were stored a long way from the product source. So that if we had an issue either at the product tanks or at the reactors, they were far enough away so they didn't create a domino impact to each other. And the tanks were even put in such a location that if they had leaked, the prevailing wind and the land geography would have kicked the vapor cloud away from the people.

There were all sorts of design processes. It was the same plant that had the 200-liter drums of a highly toxic substance that would only ever handled at most of 400 liters in one hit. All these sorts of things were actually really clear, inherently safer design principles applied in practice. And it was one of the most enjoyable plants I ever worked in, I have to say, because of how it was laid out. And when we went to start work there, we all actually were taught the basis of safety of why the plant is designed, how it's designed. We all knew that there were no flanges in that pipeline. But we did need to make sure we didn't have pinhole corrosion in it. All these sorts of things.

So, it did create a plant that actually did operate quite safely. It didn't have flange leaks, it didn't have pinhole leaks, we didn't lose containment of the product. We were able to segregate and separate what was going on in the facility. I think there is definitely some benefits to inherently safer design principles if you can get to embed them. I've often worked with clients that had no inherently safer design principles applied, but literally they just grew and you'd need to put a new tank in, so you sort of you cut off the bum of one tank and you squeeze another one in somewhere. That wasn't as enjoyable a place to work, I've got to say because you were, you know, constantly worried and on edge about everything. I think it does create that safer environment. But the thing is you got to maintain it. It's not a set and forget, it doesn't happen forever.

Traci: And yeah, my next question, you keep reading my mind, is you have to brush up on these and talking about the one part of simplifying, but you can complicate something that was simple at once. You know, so how often do you need to maintain, is it a yearly thing that you look at to make sure that you're still following the principles you need to follow?

Trish: One of the things that we do, sort of, over here, and certainly within the Europe, U.K. region as well, with the safety case regime that we operate under, you're actually required to take a detailed look and you actually have the same requirements in the U.S. as well. You need to do your...is it five-yearly PHA? So you know, you have to repeat the PHA activity, you have to continue to do your process hazard analysis, your risk assessment, your hazard whatever your risk methodology you're using. You actually have to sit down periodically and take a detailed look at your facility and take into account over that period of time what management change activities have happened? And is there a cumulative effect that you haven't noticed? Because each management of change has been tackled individually and separately. We've done all these little changes, do we have a creeping change issue appearing here? We need to reevaluate and go back and take a look at it.

And then overlaid on that, you should have your standard reliability processes. So you will have pressure release cells in your system that need to be tested on a particular frequency, and you need to understand the results of those tests. So, if you release that, if you take it out to testing and it fails, well, you need to go and reevaluate your test period and how long you're leaving it before you testing it because you actually don't know how long it had been failed for if it fails. So you were at risk during that time and you don't know for how long. You need to really dig in and, using the risk-based inspection processes, determine what frequency things need to be done it and then make sure you apply those frequencies. You need to be doing your inspection of the pipework to make sure that you don't have corrosion in it. You know, we saw the Philadelphia Refinery issue where they inspected several parts of the pipework but not the pipe that filed. And we've seen that countless times. That happened in the Richmond Refinery as well, several parts of the pipe had been inspected, they knew there was a potential corrosion issue, but one part of it wasn't inspected. And we then started to see that we had the corrosion developing there.

In terms of simplifying, you've got to be careful that you don't make it simplistic. Simplification is not simplistic. We're still dealing with complex processes. But the idea is, if we can eliminate unnecessary steps, then that will create a safer process. Because every step that's in the process has a chance of something going wrong. If we've got unnecessary steps that we're doing, and we can take them out, then we're removing that potential right there. But understanding that the idea is sometimes you say, "So we need to put more control systems on, more indicators, more alarms, more trip systems," all those sorts of things. Every single system you put in has a failure potential.

So just adding in multiple detection systems that will shut down something doesn't necessarily make it safer. You actually do have to sit down do the math behind it with the statistics to determine, because of the potential the rate of failure of the equipment, whether you're actually making it safer or, in fact, making it worse. So, this is an area that is not clear-cut. It's not straightforward. It does require some detailed engineering work to go into it to really understand what the trade-offs are, and then what benefit, what risk reduction you can actually get by implementing various different control measures to produce the risk target that you're after.

Traci: Now, what about on the other side of the coin, can you overdesign?

Trish: Yes, absolutely. You can. I've seen or I've heard stories of facilities that were so over-designed from a safety perspective that you actually designed them out of existence. They either just will never be built because you just can't financially set it up because they are so over-designed. There were so many extra things put into them that you just will never build it. I had heard a story, I don't know how true it is, of an offshore platform that was being designed and it was being designed in such a way there was so many extra safety devices that just kept getting put on this thing that the weight meant it could never be built. Because remember, these things have to float.

So yeah, you can go over the top, and that's where you need to actually do the risk calculations and determine at what level you're going to stop at. You know, it is the argument of, you know, do you go and buy a Mercedes when a Ford will do perfectly fine and has all the same safety features in it, for example? You know, we do need to be engineering to the right level, not over-engineering. Over-engineering...the days of where we got to go apply things and over-engineer things, you know, in the heyday of oil prices, I think, they're way gone now, I don't think they're coming back. I think we need to be a bit more pragmatic in our engineering decisions.

And remember that whilst it is about doing it safely, at the end of the day, designing and building things for businesses, and businesses are designed to deliver a return to their shareholders in some way. So, they do need to make money, they're not there to lose money. And a key way to make money is to actually have a functioning plant that's safe that operates that is reliable. So you have to have the safety inbuilt into it, or you're not going to make money. But if you overbuild the safety, you're also not going to make money. And if you overbuild the safety, you can create these issues where you have created a less safe situation because it is far too complex. There are too many steps in it. It is just unnecessary. And remember, every piece of equipment you put in needs to be maintained. If you don't let your maintenance slip, you're going to create an issue as well.

Traci: Now, speaking of pragmatic, what about the plants that just can't reduce or substitute the amount of hazardous materials or their operations, what happens then?

Trish: So I think then you need to say, "Well, okay, can we simplify in some way? Is the process over-complex? Can we actually reduce it down? Do we need all of the things we've got? Or can we actually reduce it?" Now, keep in mind, we do have that little bit in the back of their mind flashing saying, "Yes, Bhopal remove what they thought they could remove." They've basically removed all their safety systems. That's not what I'm saying, obviously. But are there some things that you can remove? How is the material being stored? Can it be stored slightly differently? Are there small things that can be done incrementally to create increased safety if you can't change out the fundamental chemical you're processing? I mean, the fact is, if we talk about oil refineries, they are refining oil, oil is a flammable substance. You can't remove the oil from an oil refinery, otherwise, it's empty.

We’re not saying remove the oil, but how's it being stored? How is it being processed? How is it being moved through the facility? Can that be done in a different way? Can you change...you might still be dealing with the same base product, but can you be reacting it or dealing with it at a different pressure or a different temperature? And, you know, if we think about the fundamental pressure, volume, temperature equations, these are all trade-offs with each other, you know. So, you might be able to reduce the pressure you operate at, but you might have to increase the temperature, which is going to be the greater risk to you? Can you actually change some of your parameters to start to moderate some of the issues that you've got to introduce it?

There are some ways that it can be done, even when you do need to deal with very dangerous or hazardous chemicals that you can't move away from dealing with that substance. But you know, what temperature or pressure are you handling that substance? And what flow rate are you pumping it? Because if you're pumping it through a pipeline from one area to another, do you need to be pumping at such a high rate? Because even that will make a difference. If you can pump at a lower rate and you get a leak, you've got less coming out over the same period of time than if you're pumping at five times the flow rate. So there's all these sorts of things that can be thought about in that process. That also needs to be weighed up with, you know, "Well, if I can't fill the tank fast enough, then it slows my production," okay, maybe that's not a feasible option for you. But if there's something else you can be doing.

Traci: Trish, any final thoughts on this topic? I know we've touched a lot of bases that needed to be touched, but do you have any other final thoughts for us?

Trish: I think really just be open to the idea of thinking about the principles of inherently safer design and how that can be applied. Because we're often just closed off to, "But I've already got an existing facility, existing process, I can't change it." Well, actually, is that really true that you can't change it? Because we make all sorts of other changes. We make all sorts of other changes for good business reasons. Maybe we can change it, we're just not thinking hard enough and thinking creatively enough around how we do it. So my closing words to people on this one is, be open to the idea, be open to embracing it and seeing how you can apply it to your existing facilities, as well as taking that step to commit to apply it to new facilities as well.

Traci: Well, once again, thank you for all of your expertise on this topic. Unfortunate events happen all over the world and we will be here to discuss and learn from them. On behalf of Trish, I'm Traci and this is "Process Safety" with Trish and Traci.

Trish: Stay safe.

Check out all the episodes of Process Safety With Trish & Traci.

Want to be the first to know? Subscribe and listen to Process Safety With Trish & Traci on these platforms

Trish Kerin, director, IChemE Safety Centre, Institution of Chemical Engineers, spent several years working in design, project management, operational, safety and executive roles for the oil, gas and chemical industries. She currently sits on the board of the Australian National Offshore Petroleum Safety and Environmental Management Authority (NOPSEMA) and is a member of the Mary Kay O'Connor Process Safety Center steering committee. You can email her at [email protected].
Traci Purdum, an award-winning business journalist with extensive experience covering manufacturing and management issues, joined Chemical Processing as senior digital editor in 2008. Traci is a graduate of the Kent State University School of Journalism and Mass Communication, Kent, Ohio, and an alumnus of the Wharton Seminar for Business Journalists, Wharton School of Business, University of Pennsylvania, Philadelphia. You can email her at [email protected].

Sponsored Recommendations

Keys to Improving Safety in Chemical Processes (PDF)

Many facilities handle dangerous processes and products on a daily basis. Keeping everything under control demands well-trained people working with the best equipment.

Get Hands-On Training in Emerson's Interactive Plant Environment

Enhance the training experience and increase retention by training hands-on in Emerson's Interactive Plant Environment. Build skills here so you have them where and when it matters...

Rosemount™ 625IR Fixed Gas Detector (Video)

See how Rosemount™ 625IR Fixed Gas Detector helps keep workers safe with ultra-fast response times to detect hydrocarbon gases before they can create dangerous situations.

Micro Motion 4700 Coriolis Configurable Inputs and Outputs Transmitter

The Micro Motion 4700 Coriolis Transmitter offers a compact C1D1 (Zone 1) housing. Bluetooth and Smart Meter Verification are available.