
SPE 86598

Inherently Safer Design; Changing Attitudes and Relationships

G. A. Dalzell, TBS-Cubed

Copyright 2004, Society of Petroleum Engineers Inc.

This paper was prepared for presentation at The Seventh SPE International Conference on Health, Safety, and Environment in Oil and Gas Exploration and Production held in Calgary, Alberta, Canada, 29–31 March 2004.

This paper was selected for presentation by an SPE Program Committee following review of information contained in a proposal submitted by the author(s). Contents of the paper, as presented, have not been reviewed by the Society of Petroleum Engineers and are subject to correction by the author(s). The material, as presented, does not necessarily reflect any position of the Society of Petroleum Engineers, its officers, or members. Papers presented at SPE meetings are subject to publication review by Editorial Committees of the Society of Petroleum Engineers. Electronic reproduction, distribution, or storage of any part of this paper for commercial purposes without the written consent of the Society of Petroleum Engineers is prohibited. Permission to reproduce in print is restricted to a proposal of not more than 300 words; illustrations may not be copied. The proposal must contain conspicuous acknowledgment of where and by whom the paper was presented. Write Librarian, SPE, P.O. Box 833836, Richardson, TX 75083-3836, U.S.A., fax 01-972-952-9435.

Abstract
There is safe design and there is safer design. With safe design, there are active safeguards to prevent the occurrence of hazardous events and to protect people and plant from the effects. With safer design, there are fewer hazards, fewer causes and fewer people to be exposed to the effects. Currently, the majority of our designs strive to produce safe designs but in doing so, the facilities are becoming more complex, with increased maintenance and human exposure. This paper argues that industry has been trying too hard, and in doing so, has lost many of the opportunities to minimize risk at source. This paper offers an alternative route to design safety, an inherently safer one, through simplification, reliability and longevity. It uses examples from offshore facilities to illustrate these arguments.

Introduction
Thirty five years ago, the lone voice of Ralph Nader harangued the car industry over safety. At the same time Volvo and Saab were beginning to reinforce their vehicles. Now safety is one of the most important facets of car design and marketing. It is not just a case of compliance with minimum standards, but manufacturers actively seek ways to excel; producing not only better protected vehicles but ones which are inherently less likely to be involved in an accident. What would it take to move this industry to the same position?

This paper examines the changes to the design process, attitudes and relationships between design contractor and operator which may be needed to realise the full potential of inherently safer design. It is not saying that individual designers and companies do not care and that designs are not safe, rather that the contractual relationships inhibit the search for safer design and that the current approach does not offer the challenge, structure or process to focus their efforts. The paper offers a radical view of inherently safer design based on simplicity, reliability and longevity, thereby taking people away from the hazards rather than needing their presence to keep them under control. It proposes a structured process covering five areas; setting focused goals to provide a vision of safer design, providing the infrastructure and contractual relationships, understanding and ownership of the hazards, concept selection and residual hazard management.

A Vision of Inherently Safer Design
The conventional vision of safe design. The oil and gas industry, particularly the offshore sector, has progressively increased the levels of safety through code compliance, safety studies and the use of protection and evacuation systems. In most cases, this has served well, with lessons learned from disasters such as Piper Alpha (3) being incorporated into legislation and corporate processes. Unfortunately all efforts to improve safety add to designs, both the processes and the equipment. There are more valves to shut the plant down safely, better fire and gas detection systems, more instruments to sense process deviations, bigger firepumps and deluge systems, and evacuation systems to deal with increasingly severe weather conditions. It has created designs which are capable of withstanding larger hazardous events and protecting or evacuating the people on board. It has however created an increasingly complex plant which is more difficult to operate, has more leak points and has more people in close proximity to the hazards. It is better protected, but is it safer?

The chemical industry’s vision. This onshore chemical sector has outshone all others in its efforts to define and apply inherent safety. Of particular note are the efforts of Kletz (1) and Hendershot (2). This industry has certain established concepts which they endeavour to apply to the choice of processing for new designs. These are characterised by the guide words; elimination (of processing and hazards); substitution (of hazardous chemicals with less hazardous ones); attenuation (reduction of processing conditions such as pressure to reduce the hazard effects); and intensification (concentration of the processing to reduce hazardous inventories). This work has been immensely valuable in highlighting opportunities to minimize the effects of some extremely hazardous chemicals and reactions through fundamental choices in the plant design. While they were the initiators of the inherent safety movement, their concepts do not transfer easily to the oil and gas industry. Enlightened process engineers can apply them to separation, and gas processing but this only constitutes a portion of the risk. How would they be applied to mechanical problems such as the
marine stability and anchoring of a Spar platform, or to the transfer of containers from a supply boat in the North Sea?

An alternative vision of safer design. This was outlined in a controversial paper (4). In this work, the author examined how conventional safety systems might increase some risks while reducing others. It suggested that the net benefit of some systems could be negative, increasing both the likelihood of an event and the numbers of people who might be exposed to it. This has been further studied on an existing platform (5) with the results indicating that the suppositions are correct. For example, the drawbacks listed included the increase of underlagging corrosion caused by deluge systems, the process upsets caused by ESD and depressurization systems, the large number of breaches of containment and heavy lifts to service safety systems such as relief valves, and the high module occupancy needed to clean and maintain modern detection systems. The paper argued that a safe plant is one that doesn’t leak, collapse or need large numbers of people to operate and maintain it. It is one that is so safe that it does not need protection systems or operators.

To most people, whether safety specialists, generalists or regulators, a plant without safety systems would be unthinkable. We have a laudable mind set of continuous improvement and this translates into including every safety feature and study from the last project and adding yet further enhancements. This is the “safety ratchet” which adds ever increasing complexity. The alternative vision is one where safety systems would be the very last things that would be put on to a facility, particularly an offshore platform. That is not to say that they would not be included but that they would be literally the last things to be added. It would be as though their inclusion is an admission of failure; a failure to manage the hazards effectively without them. There would also clearly be a hierarchy. Everyone would concede that there is a need to shut a platform down safely without human intervention. Wells need master and wing valves and risers need topsides ESD valves. However, this different vision does challenge the need for sophisticated detection, deluge and emergency depressurization which are lower down the risk management hierarchy and have more drawbacks.

One project which took these ideas on board was the new gas field development in Eastern Indonesia. It started life as a fully manned offshore platform with gas dehydration to prevent corrosion in the pipeline from the high CO2 content. A radical shift in thinking changed it into an unmanned wellhead tower with a corrosion resistant pipeline and a target visit frequency of less than a month (6). Every safety system was challenged, until it only has the minimum of shutdown systems and detection. It is orders of magnitude safer than the manned processing facility simply because people are not present to make mistakes or at risk from the consequences.

Another paper took this concept of inherently safer design one step further. It suggested that risk is proportional to the square of the operating cost (7). It made a simple argument: Risk is likelihood times consequence. Likelihood is a function of cause which is almost always related to human error or omission and this relates directly to the amount of activity needed to run the plant and therefore the operating cost. Consequence is the number of people killed or injured, which is related to the numbers working on the site and therefore the operating cost. Hence, RISK = (OPEX)². As an example take the case of paint: A poorly painted platform may require repainting after 5 years. It is potentially one of the most dangerous jobs on that platform. Dropped scaffold poles and grit ingress to rotating seals can cause hydrocarbon leaks. The scaffolding and habitats will hinder ventilation, obstruct deluge and detection, and increase explosion overpressures. The activity will bring many more people onto the platform and into close proximity with the hydrocarbon hazards. Better paint might eliminate the need to repaint at all, yet who would have considered this as safety critical. In reality a better paint specification might save more lives than a couple of firepumps but how often is that comparison made?

This new vision appears to undermine years of genuine attempts to reduce risk. There will be resistance and this previous commitment will need to be refocused on a different target; eliminating hazards and causes at source rather than analysing effects and defending against them. It also brings the management of hazards back from the specialists; the hazard analysts and loss control engineers, and gives it back to the core engineering disciplines of process engineering, structures, vessels, piping and layout. This is now a matter of empowering the whole design team by creating a new attitude.

The Creation of an Attitude
The attitude is a simple one. It is a questioning mind which asks, at every opportunity: What is dangerous, why is it dangerous and is there a safer way? This might be anything from the radius at a stress concentration, the choice of a pump or instrument, the quality of that paint, through to the layout of the platform or the choice of a fixed structure. This is both an individual and a team attitude. It applies the thinking as the opportunity arises, while the design is still fluid, rather than as a formal retrospective process. This attitude lives within everyone at all times. It is the conversation at the coffee machine, the opening discussions at meetings and a core question in everything that we do.

This attitude applies not only to the individual but to organisations as well. The oil and gas companies who are the customers, the design companies, the drilling contractors and the major suppliers should all be asking these questions as well. However, they should not only ask them about the design but about the way they do business. If the search for safer design is not reflected in their investment decisions, design process and resourcing, then it will become just another initiative.

Creating this attitude needs leadership. Most major organisations have an HSE management system with between 10 and 16 elements each with specific expectations. In almost all cases, the first element is leadership. We get what we ask for; from our staff, design contractors and our suppliers. If senior management takes a direct interest in safety and it is obviously considered in every one of their activities and decisions, then everyone who works with them will follow by example. As DuPont so clearly demonstrate in their factories and operations, it works, and is good business.

But what about design? Leadership by project managers can be as effective in delivering safer designs as it is in ensuring safe operations. A clear statement of expectations relating to design safety, a continuous interest in the hazards,
and a demonstrable commitment to reducing risks, by allocating time and resources, will set an example which will spread through the entire design and supply process. But how often does this take place and, when we do address safety, are we seen to be more interested in accidents in the design office than the product? On an offshore installation, new starts routinely meet the platform manager when they arrive in order to hear the expectations for safe operation from the top. Does the project manager ever have such meetings in the design office, and, if they do take place, do the discussions relate to design or office safety? If the project manager asks about the hazards and seeks to find safer solutions, then everyone else will too.

Establishing New Relationships
The design process is a complex one, with possibly more than one client, perhaps two design contractors, one for FEED and the other for detail, a multitude of subcontractors and suppliers. Established processes determine what is needed and how it should be designed. All of these processes presume the need for safety studies and systems. Almost as soon as a contract is signed the project sets about sourcing them. These processes create (or copy) discrete default pieces of a safety jigsaw but fail to consider the possibility of a radically different picture which may not need them.

If inherently safer design is to succeed, everyone needs to be committed to the search for it. This needs a fundamentally different relationship between the clients and the primary design contractors. The two usual primary metrics are capital cost and schedule. Safety is usually measured by regulatory approval, the delivery of safety studies, safety systems and positive, recommendation free feedback from reviews. These are not appropriate metrics for inherent safety. The problem is that it is difficult to measure either in the finished product or in the design processes. How do you measure an attitude? It is an even greater problem to write the contracts that will deliver it.

The earlier introduction to the car industry points us in the right direction. Rather than being a contractual requirement which is rewarded, it should be a minimum requirement for doing business. Operators should not countenance doing business with a design contractor who is not committed to actively seeking a safer solution from the concept to the detail. Reliability and longevity should be fundamental requirements in any design and be key selection criteria for all major components. Design contractors should actively compete against each other, not just on cost and schedule but on their excellence in design safety. Unlike cars where the products can be compared, it would be the attitudes, resourcing and processes within the company which will sell it. The key features of the contractual relationship are as follows:

Management time and commitment to leadership. It should not be necessary to write this into a contractual relationship. However, there is a long way to go before everyone understands their role in design and it would be as well to spell it out. It defines the requirement for personal commitment from every senior manager in the whole design and supply process, from the client to the equipment suppliers.

A contractual strategy to reward the search for safer design. This would define the resources, both people and their time, which are earmarked to identify and consider hazards and to search for ways to minimize them at source. This should cover every member of the design team, from project directors to draughtsmen, and it should be written into their job specification as an essential requirement.

A procurement strategy which rewards longevity and reliability. As highlighted earlier, plant, structures and fabric with a short lifespan or a high service requirement are major contributors to risk. Specific agreements will be required to guide the incremental investment to achieve the required longevity. It may also lead to a lifetime relationship with the vendors where they are rewarded for the durability and lower servicing of their products.

An effective hazard and risk management process. Both the client and design contractor should develop their own processes to deliver inherently safer design. Both will have different experience and can contribute to a better common approach. This process will provide structure to the designers’ thinking. It should ensure that all opportunities are evaluated systematically. It is one thing to inspire the whole design team to seek safer solutions but, without structure, the whole activity will be disorganized and without focus. There are two key facets to any effective process; hazard understanding and proactivity. If the design team does not understand what is dangerous and why, it cannot design out the hazard and causes. If that information arrives too late, then it will be impossible to implement the majority of the ideas. An overview of a possible process is given later.

A selection and funding process for safer options. The design process should specifically include a method whereby options can be evaluated against agreed criteria; i.e. deciding whether an option is worthwhile. Conventional processes use the concept of the Incremental Cost to Avert a Fatality (ICAF). These are appropriate to judge the need for further protection systems but may not be suitable for inherent safety. The contribution which reliability and longevity make to reducing risk cannot easily be measured. Instead, it may be appropriate to have clearly defined project goals and investment criteria for these specific aspects; i.e. agreed investment levels for specific reductions in the man days to maintain the fabric over the lifecycle. This is the criterion by which to decide how much to spend on that better paint.

Operator input: The future operators must be happy with the inherently safer design approach. Their perception of design safety will probably be based on that to which they have become accustomed. They will be used to extensive safety systems and expect to see them. They need to be comfortable with the concept that the facilities will be so well designed and built that they may not be necessary. That confidence can only come from being an integral part of the design team from day one. Once they are on board, they can make sure that this vision is turned into reality. They know what works and what doesn’t. They can judge vendors’ claims about the reliability and longevity of their product based on that experience. They know what leaks and is likely to fail and can help to design these problems out. Where they cannot do so, then they must be happy with their responsibilities for management of the hazards that remain. The client and contractor must decide what authority the operations representative should have; advisory or executive. It may be appropriate for them to have
the casting vote on critical inherent safety investment decisions.

Training: This new approach requires everyone to participate both in understanding the hazards and finding a safer way. It is common sense but it requires a different attitude and way of working. Everyone has the potential to deliver ideas to enhance the inherent safety, but it may need to be reawakened and broadened into new areas. One example where this type of training has paid off is in the example given in (6). In this case, three days were put aside for the whole design team to be given the vision of the inherently safer unattended platform and to challenge everything from the concept to the detail. This completely transformed the project with their search for safer design challenging every item of equipment on the facility and proposing virtually maintenance free fabric.

Specialised engineering resources. Risks can only be eliminated at source if the hazard characteristics are fully understood. Projects must provide whatever specialists are required to analyse both the causes and consequences. This is essential for new problems such as the vortex generation and fatigue loadings on risers in deep water. Similarly, if the causes and effects of fires and explosions are not understood there may be unwarranted or inappropriate provision of protection. The types of specialisms should be identified by considering the underlying risk drivers, problem areas and inherent safety goals early in the project.

An Inherently Safer Design Process
There are four key parts to an inherently safer design process; the understanding and ownership of the hazards by the design team, choosing the right concept, minimizing the risks from the residual hazards at source and choosing the optimum hazard management philosophy. These depend upon the three underlying aspects described above; creating the vision of a safer design through the setting of project goals, the right attitudes and a project infrastructure and relationships which allow it to flourish.

Setting project goals: The vision of a safer design needs to be translated into specific goals for each project. These will target the underlying aspects of a design upon which the team should concentrate. Typical goals may target minimizing well intervention, live breaches of containment, or the resupply requirements of platforms. They may go further with a conscious decision to operate facilities unmanned with goals to eliminate fabric maintenance altogether. Every engineer can relate to these goals. They mean more than vague requirements to minimize risk.

Hazard understanding: Engineers cannot minimize risks if they don’t understand the dangers. Projects should progressively build a living picture of risk and share it with the whole team. Initially, it will be a listing of the inherent risks such as the reservoir fluids and conditions, the weather, or the difficulties of developing the reservoir. As more information becomes available, this picture will develop into a pattern of risk by hazard and a deeper understanding of the causes, severity, consequences and the potential for escalation. Each time new information is added, there should be a simultaneous challenge to minimise the risks associated with it. Every member of the design team should use this hazard and risk picture as a daily reference in their search for ideas to reduce risk. Where elimination of the hazard or cause is not possible, each designer would identify the measures which they need to provide to deal with the causes. If it is decided that there should be systems to limit and protect against the consequences, then they should also determine what is appropriate.

This approach to risk assessment differs from conventional “safe design” in two ways; it is proactive – the information is in place in time to make changes; and secondly, every designer knows exactly the role they and everyone else plays in managing the hazards. They can stand back at the end of the project with confidence that they have delivered a fundamentally safer design and put together an effective hazard management system, rather than simply taking pride in delivering safety systems.

Concept development and selection. It is tempting to do what has been done before and what everyone else is doing. It’s relatively quick and free from problems but it will only produce “safe design”. If there is to be a step change, then radically different ideas must be considered. This may involve new technology such as down-hole separation or two phase subsea production. There are many similarities between management of innovation and inherent safety (8). The barriers are the same too; “not on my project”; “it’s too risky”; “what if the regulators don’t approve?” Every development whether it is a small inshore platform or a large complex project should have at least one radical challenge to convention, which is driven by the inherent safety challenge. Is it possible to make the development so simple and reliable that it could be run unmanned for the majority of its working life and thereby do without systems other than those to support the plant, keep the oil and gas in the pipe and shut it down safely? It may prove that this is a better economic option due to the drastically reduced operating costs and the elimination of capital expenditure on secondary safety systems and the accommodation. This was clearly the case in (6). Taking this route may require some tolerance of potential shutdowns and delayed startups in the business case. However, the simplicity of the development may offset these concerns in practice as there is so little to go wrong. There are no spurious fire and gas trips if that system is not required or is simplified.

Many developments, particularly those in deep water have unique hazards which are poorly understood. They are also of a scale where running unmanned is unthinkable, particularly when the drilling programmes are considered. There are clearly a number of potentially catastrophic hazards which could affect larger numbers of people. For larger more complex developments such as these, it is better to have a series of radically different concepts developed at the same time. Each of these will have their own particular risk drivers. With FPSOs; storage, hull integrity and riser swivels will be critical; with twin pontoon floating facilities the focus will be on marine stability; and on spars, well design, tensioning and the effects of fires and explosions on the accommodation will predominate. The differences in the concepts should not just be confined to the choice of support structure or process, but different production options might also be considered. Different throughputs, target availabilities, production profiles, partial processing and export product qualities may be viable
options too. The difference between 95% and 99% uptime might make the difference between the facility being manned and unmanned. Each of the different concepts should be optimized to minimize the inherent risks and then an open minded comparison should take place.

Conventional thinking might use Quantitative Risk Assessment (QRA) to determine the relative risks and then the selection would consider both the risks and the relative capital costs. This frames the usual two questions, which is safest and can we afford it. With inherently safer design, these questions can be framed in a different way. The first is to find out why each one is different; which are the predominant risks and why are they so high? It may be that the continuous variation of the loading pattern in an FPSO in an ocean environment leads to high fatigue loading on the hull; or that the inherently square characteristics of a Spar topsides cause large gas clouds and make it difficult to locate the accommodation to avoid smoke engulfment. If we know why each one is dangerous, then it is possible to determine how inherent safety can be used to minimize the risks from residual hazards at source, for example by changing the FPSO hull design, and thereafter to determine what else is needed in the way of additional safety systems to manage them. The selection process moves from being a questionable numerical risk ranking to a pragmatic comparison of the residual difficulty in managing what is left. This residual difficulty is the sum of the effort to maintain process and structural integrity and to maintain all of these additional systems, or to put it another way, the comparison looks at the lack of inherent safety and the extent of dependent safety.

Reducing the risks from the residual hazards at source. Once the concept has been chosen and the design moves into front end engineering design, there is still immense scope to reduce risks at source. This is totally tied to a structured approach to hazards analysis, with the understanding of the hazard characteristics leading immediately to a challenge to minimize them. The simple questions and steps are as follows:

What’s the hazard and can I design it out? The concept selection process will have eliminated some of the core major hazards such as bulk oil storage but there will still be many opportunities to design out smaller hazards or hazardous activities. If the conventional design of a structure requires inspection by diving or entry into hazardous confined spaces, could this activity be designed out by changing the fatigue life, altering the stress concentrations, node design or design safety factors.

What are the causes and can I eliminate them? Conventional risk assessment looks at likelihood rather than a complete examination of the causes and their manageability. If one of the causes of hydrocarbon releases is the intervention into the process plant for repair, there should be a challenge to minimize the frequency of these activities through investment in the quality of the plant. This is where the client’s input is invaluable both from their discipline engineers’ experience and the hands on knowledge of the facilities operators. Duplication, particularly of pumps and compressors is an indication of a failure to deliver an inherently safe plant. Multiple arrangements, providing 3 by 50% or 2 by 100% units doubles or triples the number of rotating seals. It adds a multitude of extra flanges, piping, valves and manifolds in order to interconnect them. There is also the inferred hazardous maintenance procedure involving the removal of a broken unit from a live facility with heavy lifts and module occupancy. What would it take in terms of design specification, investment, supplier relationships and the acceptance of plant downtime in order to depend upon a single unit?

Similarly in examining dropped objects such as resupply containers, the frequency of these activities can be studied and all future operations challenged to see if they can reduce the numbers of containerized loads needed to run the platform. Changing to a corrosion resistant alloy for piping not only eliminates the possibility of corrosion, it also removes the corrosion inhibitor pumps, the small bore injection points in the piping, the people to run the system, the food they eat, all of the tote tanks containing the chemicals and the lifetime of heavy lifts to bring them on board and return them. One change can ripple all the way through the design.

What is the severity and how can I minimize it? The severity is the potential for harm from the hazardous event. It might be the explosion overpressure, the size and heat of a fire or the impact energies of dropped containers or errant supply boats. The classic area for minimization is in fires and explosions where smaller instrument tappings, lower pressures, smaller inventories and less congested plant can all reduce the potential for harm. How often is a conventional fire and explosion analysis used as a real challenge to optimize these aspects of the design? Ideally, the design team should carry out these analyses so that they can see the results immediately and act upon them. If these studies are subcontracted externally, we will revert to the old reactive hazard management.

What are the immediate consequences and can I create a design that avoids them? This examines the effect that these errant vessels, dropped containers, fires and explosions have on people and critical plant. In simple terms if people are not there, they cannot be killed. Again that comes back to an inherently reliable and long lived plant. We might not be able to run a large platform unmanned but might it be possible to shift our thinking such that areas which are classified as hazardous would require so little attention, that it would be practical to allow entry only under permit? If a wellhead tower only requires a visit every month, then why should a wellbay on a manned facility not be the same? As for critical plant damage, it is a case of optimizing the layout so that the more frequent initial events such as explosions from compressor gas leaks do not impact on major inventories or their weaker plant such as instruments.

What is the potential for escalation to catastrophe and can the facilities be designed so that they are not overwhelmed or disintegrate? This requires an examination of the worst credible events that could realistically occur and the arrangement of the facilities so that the primary structure, floatation, stability and safe refuges would not be overwhelmed or destroyed. It is the attempt to make the facilities almost bombproof, not by containment of the event but by the inherent layout. If the worst happens, the facility would not need to rely on evacuation.
Choosing the optimum hazard management philosophy. It will not be practical to manage all hazards by the use of inherent safety alone. The concept of a large complex facility without safety systems is a distant vision. Systems will be required but there is a wide variation in the types, their reliability and their dependence upon people. If we revert to a default provision of conventional safety systems to manage the hazards that remain, we will still end up with the same complex labour-intensive plant. However, if active hazard management is undertaken using the knowledge of the hazard characteristics from the previous five questions, then we will be in a much better position to minimize this complexity and personnel exposure.

A structured approach to residual hazard management is described in (9). This argues that a conscious decision should be made on design events; that prevention on its own is a robust strategy for many hazards and that in others, their severity and potential for harm can be reduced to such an extent that no protection is necessary. It also highlights the benefits of passive systems which require no maintenance rather than active and operational ones which are less reliable and bring people into proximity with hazards. The optimum strategy is also that which is the cheapest to operate; i.e. it doesn’t need many people or moving machinery.

Measurement

Our society is fascinated with measurement, and no more so than within the oil and gas industry and those that regulate it. But how do you measure inherent safety? It is measuring what isn’t there; the accident that cannot happen, the plant that doesn’t corrode, the well that doesn’t need workover. There have been a number of attempts to measure inherent safety within the chemical industry (10) and (11). One approach to measurement might be the comparison of the final result against the original design. The problem with that is that a true inherently safer design culture would never have developed the original design. The existence of an original more hazardous option is an indication that the process is reactive and therefore failing.

An alternative approach is being developed at Cranfield University on behalf of the Health and Safety Executive with cooperation from UKOOA. This does not examine the design at all but takes the pulse of the design organisation, both client and design contractor. It asks the question “is this organisation capable of delivering inherently safer design?” It interviews a diagonal slice from project directors to draughtsmen and from designers to suppliers. It examines 11 different parameters, such as leadership, hazard understanding, the handling of novel problems and contractual relationships. It has been trialled several times with promising results. It ranks the design team with five levels of excellence with the top three equating to reactive hazard management, proactive and truly innovative.

The concept of RISK = (OPEX)² mentioned earlier (7) might be another way forward but as yet it is little more than a concept. It would need significantly greater refinement and accurate prediction of the lifecycle operating and maintenance requirements of all subassemblies. However, the greater emphasis on accurate operating cost predictions in the latest projects might work well with this idea.

Conclusion

There is a radically different alternative way of achieving a safe design than the current increasingly complex approaches. However, it requires a major shift in perceptions of what constitutes safe design by operators, designers and regulators. It can only succeed if the whole industry is committed to it. This commitment must be demonstrated in investment, time, leadership and processes. There will always be the argument that plants leak so we have to protect against the effects. Let’s challenge that notion and ask what it would take to build a plant that didn’t leak, one that could operate on its own and one that didn’t deteriorate. It is a design culture that moves from “I do, therefore I comply”, to “I understand, therefore it is safe” and yet further to “I think, therefore it is safer”. That is the new vision of inherently safer design.

References
1. Kletz T.A., A Handbook for Inherently Safer Design; published by Taylor and Francis 1998
2. Hendershot D.C., “Designing Safety into a Chemical Process”; 5th Asia Pacific Responsible Care Conference, Shanghai; 1999
3. Cullen W.D., Lees F., Ford M.F., Appleton B., The Public Inquiry into the Piper Alpha Disaster; HMSO 1990
4. Dalzell G.A., Chesterman A., “Nothing, is Safety Critical”; Hazards XIII, Process Safety, The Future; I. Chem. E.; 1997
5. Crawley F., “ALARP – How do we achieve it”; Hazards Forum Autumn 2003 Newsletter
6. Chia S., Walshe K., Corpuz E., “Application of an Inherent Safety Challenge to an Offshore Platform Design for a new Gas Field Development – Approaches and Experiences”; Hazards XVII Process Safety – Fulfilling Our Responsibilities; I. Chem. E. 2003
7. Dalzell G.A., “Is Operating Cost a Direct Measure of Inherent Safety”; T 03054, Journal of Process Safety and Environmental Protection, Autumn 2003, I. Chem. E.
8. Kletz T.A., “The Constraints on Inherently Safer Design and Other Innovations”; Process Safety Progress Vol 18, No 1; Spring 1999
9. Dalzell G.A., “Risk Assessment of Hazard Management”; OECD Workshop on the Education of Engineers in Risk; Montreal, September 2003
10. Khan F.I., Amyotte P.R., “Integrated Inherent Safety Index (I2SI): A Tool for Inherent Safety Evaluation”; American Institute for Chemical Engineers; 37th Annual Loss Prevention Symposium; New Orleans 2003
11. Edwards D.W., Lawrence D., Rushton A.G., “Quantifying the Inherent Safety of Chemical Process Routes”; 5th World Congress of Chemical Engineering Vol II; San Diego 1996
12. Sharp J., Strutt J., The Design Capability Maturity Model Developed for the Health and Safety Executive; Cranfield University