Sie sind auf Seite 1von 14

Incorporation of Inherent Safety Principles in Process Safety Management

Paul R. Amyotte,a Attiq U. Goraya,a Dennis C. Hendershot,b and Faisal I. Khanc a Department of Process Engineering and Applied Science, Dalhousie University, Halifax, NS, Canada; paul.amyotte@dal.ca (for correspondence) b Chilworth Technology Inc., Plainsboro, NJ c Faculty of Engineering and Applied Science, Memorial University, NL, Canada
Published online 10 August 2007 in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/prs.10217
Process safety management (PSM) deals with the identication, understanding, and control of process hazards to prevent process-related injuries and incidents. Explicit incorporation of the principles of inherent safety in the basic denition and functional operation of the various PSM elements can help to improve the quality of the safety management effort. Numerous inherent safety examples, both technical and nontechnical, are given in this paper. Existing qualitative and quantitative tools that already include, or could incorporate, inherent safety are described. Recently developed inherent safety tools for quantitative hazard identication and assessment are identied from either the literature or the current authors work. Qualitative protocols for incorporating inherent safety into PSM elements are also presented. The language of inherent safety, although largely unused in PSM documentation, has a key role to play in enhancing the effectiveness of PSM. 2007 American Institute of Chemical Engineers Process Saf Prog 26: 333346, 2007 Keywords: inherent safety; process safety; process safety management
INTRODUCTION

The scope of the review presented in this paper is the prevention and mitigation of process incidents. The primary objective is to explicitly incorporate the principles of inherent safety within a process safety management (PSM) system. The motivation for this work stems from the authors belief that although inThis work was supported by Natural Sciences and Engineering Research Council of Canada.

2007 American Institute of Chemical Engineers

herent safety is increasingly viewed as an integral component of process safety, more effective linkages between the two concepts are required to further the usage of inherent safety principles. This explains our use in the above statement of the term, to explicitly incorporate; our intent is to increase the visibility of the opportunities for inherent safety consideration in PSM. In essence then, the paper attempts to provide a roadmap for accomplishing the primary objective described above. While the concepts described herein may be well established in some quarters of the process industries, the notion of unication within a management system is not (as shown in later sections of this paper). Further motivation for the current overview paper is found in the comments of workers who have reviewed the eld of inherent safety and inherently safer design (among others, Bollinger et al. [1], Gupta and Edwards [2], Kletz [3], and Khan and Amyotte [4]). For example, Khan and Amyotte [4] have remarked that the various elements of PSM can be seen to have at least a partial basis in inherent safety. This fact has been recognized by companies that have incorporated inherent safety as a named feature in their safety management documentation and have developed internal standards for the use of inherent safety principles. Yet the term inherent safety is typically not named as such in the general description of PSM systems. According to Bollinger et al. [1], explicit use of inherent safety terminology within such management systems is a possible means of furthering the adoption of inherent safety principles in industry. The remainder of this paper is structured in the following manner. Brief reviews of inherent safety and its basic principles, and the concept of a PSM
December 2007 333

Process Safety Progress (Vol.26, No.4)

system, are rst given. These are followed by recent incident data from the Canadian chemical industry to highlight the elements of PSM and their importance in preventing and mitigating process incidents. The subsequent section provides suggestions on how to incorporate inherent safety within the framework of a PSM system in both qualitative and quantitative manners; examples are given throughout this section. The nal section offers concluding remarks aimed at summarizing the key points of the paper.

PROCESS SAFETY MANAGEMENT

INHERENT SAFETY

Loss prevention in the chemical process industries (CPI) is generally considered in three ways: (1) engineered safety (passive and active), (2) procedural safety, and (3) inherent safety. Engineered, or addon, safety involves the addition of safety devices at the end of the design. These safety devices do not perform any fundamental operation, but are designed to act when a process upset occurs. Procedural safety measures, or administrative controls, utilize safe work practices and procedures to reduce risk. On the other hand, inherent safety uses the properties of a material or process to eliminate or reduce the hazard. The fundamental difference between inherent safety and the other two categories is that inherent safety seeks to remove the hazard at the source as opposed to accepting the hazard and looking to mitigate the effects. The formal concept of inherent safety was rst proposed in the late 1970s by Kletz in his Jubilee Lecture to the Society of Chemical Industry in Widnes, England [5]. Since that time inherent safety has made several inroads into the CPI, with its current status having been the subject of the previously mentioned reviews [14]. It is well accepted in the CPI that there exists a desired hierarchical relationship among safety measures with the order of effectiveness (highest to lowest) being inherent, passive engineered, active engineered, and procedural [6]. An inherently safer plant, by virtue of its design, generates little or no damage in the event of an incident. The principles of inherent safety describe the different ways to achieve an inherently safer plant. The four most general and widely applicable principles are minimization, substitution, moderation, and simplication. The idea behind the minimization principle is to lessen the hazard, be it through using smaller quantities of hazardous material or performing a hazardous procedure fewer times. With the substitution principle, one looks to replace a hazardous material, process route, or procedure with one that is less hazardous, thus eliminating or reducing the hazard. The principle of moderation seeks to use hazardous materials under less-hazardous conditions or in a less-hazardous form when the use of those materials cannot be eliminated or minimized. The nal principle is simplication, in which the goal is to design processes and equipment to reduce the opportunities for errors by eliminating excessive use of add-on safety features and protective devices.
334 December 2007 Published on behalf of the AIChE

A key engineering risk tool is a management system appropriate for the risks being addressed (e.g. health, occupational safety, process safety, equipment reliability). Safety management systems are recognized and accepted worldwide as best-practice methods for managing risk. They typically consist of 1020 program elements that must be effectively carried out to manage the risks in an acceptable way. This need is based on the understanding that once a risk is accepted, it does not go away; it is there waiting for an opportunity to happen unless the management system is actively monitoring company operations for concerns and taking proactive actions to correct potential problems. Having an effective management system for process-related hazards (re, explosion, release of toxic materials, etc.) is therefore a critical corporate objective in the CPI. An approach widely used in the Canadian chemical industries is PSM (where PSM is dened as the application of management principles and systems to the identication, understanding, and control of process hazards to prevent process-related injuries and accidents). The complete suite of PSM elements is shown in Table 1, taken from the Process Safety Management Guide of the Canadian Society for Chemical Engineering (CSChE) [7]. This guide was prepared by the Process Safety Working Group of the former Major Industrial Accidents Council of Canada (MIACC) in conjunction with the Process Safety Management Committee of the Canadian Chemical Producers Association (CCPA). With the dissolution of MIAC in 1999, rights to the guide were transferred to the CSChE. The material in the CSChE PSM guide [7] is based on that developed by the Center for Chemical Process Safety (CCPS) of the American Institute of Chemical Engineers (AIChE), e.g. [8]. This route was adopted because the CCPS approach to PSM was determined to be comprehensive, well-supported by reference materials, tools, and an organizational structure, and based on a benchmark of leading or good industry practice rather than on minimum standards [7]. Table 1 will therefore look quite familiar to PSM practitioners in the United States. There is a difference, however, between PSM practice in the two countries in that Canada does not have the full legislative and regulatory requirements of the United Sates (or European countries) in relation to the management of risks arising from major industrial hazards. The Canadian approach has typically been to rely more heavily upon voluntary initiatives for health, safety, and environmental programs. This does not mean that there are no laws in Canada to regulate public health, worker safety, environmental protection, transportation of dangerous goods, and the like. Such legislation and regulations do, of course, exist. The fact remains, though, that the general regulatory regime in Canada with respect to PSM is different than in many other parts of the world (compared with, for example, the Risk Management Program promulgated by the US Environmental Protection Agency, the Process Safety Management Rule enforced by the US Occupational Safety and
DOI 10.1002/prs Process Safety Progress (Vol.26, No.4)

Table 1. Elements and components of Process Safety Management (PSM).

No. Element 1 Accountability: objectives and goals 2 Process knowledge and documentation

3 4

Capital project review and design procedures Process risk management

5 6

Management of change Process and equipment integrity

7 8

Human factors Training and performance

9 10 11 12

Incident investigation Company standards, codes, and regulations Audits and corrective actions Enhancement of process safety knowledge

Component 1.1. Continuity of operations; 1.2. Continuity of systems; 1.3. Continuity of organization; 1.4. Quality process; 1.5. Control of exceptions; 1.6. Alternative methods; 1.7. Management accessibility; 1.8. Communications; 1.9. Company expectations 2.1. Chemical and occupational health hazards; 2.2. Process denition/design criteria; 2.3. Process and equipment design; 2.4. Protective systems; 2.5. Normal and upset conditions (operating procedures); 2.6. Process risk management decisions; 2.7. Company memory (management of information) 3.1. Appropriation request procedures; 3.2. Hazard reviews; 3.3. Siting; 3.4. Plot plan; 3.5. Process design and review procedures; 3.6. Project management procedures and controls 4.1. Hazard identication; 4.2. Risk analysis of operations; 4.3. Reduction of risk; 4.4. Residual risk management; 4.5. Process management during emergencies; 4.6. Encouraging client and supplier companies to adopt similar risk management practices; 4.7. Selection of businesses with acceptable risk 5.1. Change of process technology; 5.2. Change of facility; 5.3. Organizational changes; 5.4. Variance procedures; 5.5. Permanent changes; 5.6. Temporary changes 6.1. Reliability engineering; 6.2. Materials of construction; 6.3. Fabrication and inspection procedures; 6.4. Installation procedures; 6.5. Preventative maintenance; 6.6. Process, hardware and systems inspection, and testing; 6.7. Maintenance procedures; 6.8. Alarm and instrument management; 6.9. Decommissioning and demolition procedures 7.1. Operator-process/equipment interface; 7.2. Administrative control versus hardware; 7.3. Human error assessment 8.1. Denition of skills and knowledge; 8.2. Design of operating and maintenance procedures; 8.3. Initial qualications assessment; 8.4. Selection and development of training programs; 8.5. Measuring performance and effectiveness; 8.6. Instructor program; 8.7. Records management; 8.8. Ongoing performance and refresher training 9.1. Major incidents; 9.2. Third party participation; 9.3. Follow-up and resolution; 9.4. Communication; 9.5. Incident recording, reporting, and analysis; 9.6. Near-miss reporting 10.1. External codes/regulations; 10.2. Internal standards 11.1. Process safety management systems audits; 11.2. Process safety audits; 11.3. Compliance reviews; 11.4. Internal/external auditors 12.1. Quality control programs and process safety; 12.2. Professional trade and association programs; 12.3. CCPS program; 12.4. Research, development, documentation, and implementation; 12.5. Improved predictive system; 12.6. Process safety resource centre and reference library

Health Administration, and the Seveso II Directive mandated throughout the European Union for the control of major hazards involving dangerous substances). The paper by Lacoursiere [9] explains the voluntary, best-practice approach to control of major hazards in Canada and, most importantly, summarizes several recent happenings that herald a possible change in the Canadian regulatory climate with respect to hazard control and risk management.
PROCESS INCIDENT DATA

The CCPA Process Safety Management Committee collects and analyzes data on an annual basis for process-related incidents reported by CCPA member
Process Safety Progress (Vol.26, No.4)

companies. This occurs through a procedure known as Process-Related Incidents Measure (PRIM). The 2004 PRIM analysis of 89 incidents demonstrated that six of the PSM elements in Table 1 contributed to 85% of the total incidents (as shown in Table 2). In the context of the current paper, a possible use of the data shown in Table 2 is to prioritize the PSM elements in Table 1 for particular attention with respect to inherent safety consideration. This process could be assisted by the breakdown of each PSM element into its components (or subelements) as illustrated in Figure 1 for element 6, process and equipment integrity. Figure 1 gives incident data for 2004 as well as the ve reporting periods prior to 2004.
DOI 10.1002/prs December 2007 335

Published on behalf of the AIChE

Table 2. Incident causation according to PSM element

(2004 PRIM data). PSM Element No. 6 2 4 7 5 3 % of Incidents 23.8 21.2 16.8 8.9 7.3 6.5

Use of inherent safety guidewords and checklists

PSM Element Process and equipment integrity Process knowledge and documentation Process risk management Human factors Management of change Capital project review and design procedures

at appropriate points in the protocol. Guidewords and checklists are well-established, proven tools that are widely used in process safety [11]. Validation of the inherent safety-based protocol via examples and case studies.
Inherent Safety Guidewords Recommended inherent safety guidewords and their description are shown in Table 3 [11]. These guidewords are simply the four most general and widely applicable principles of inherent safety (as previously mentioned). The description for each is purposely brief and is focused on materials, process routes, equipment, and procedures. Use of these guidewords as mind triggers during a particular process safety activity (e.g. management of change (MOC) or incident investigation) will help ensure that the concepts of inherent safety are visible within the activity. These guidewords are intended as a supplement to existing tools that may already be in use within a specic process safety protocol. Inherent Safety Checklists Four series of example checklist questions built around the guidewords (Table 3) are given in Table 4 [11]. The intention here is to use these more detailed inherent safety indicators at an appropriate time during the particular protocol. As with the guidewords themselves, the intention is not to replace existing checklists, but rather to supplement these more traditional tools with ones that directly incorporate inherent safety considerations. The checklist in Table 4 is not all-inclusive, and is in fact a mix of both process safety and occupational safety issues. It is intended as an illustrative example of the type of thinking required to move beyond the usual engineered/procedural form of checklist questions. Some companies will have their own inherent safety-based checklists; additionally, the Appendix in Bollinger et al. [1] contains a sample inherently safer process checklist. These authors also comment that Appendix B in CCPS [12] contains an extensive checklist with many questions related to inherent safety (for exampleCan the supply pressure of raw materials be kept below the working pressure of vessels receiving them?could easily fall under moderation). Another set of excellent checklists for a number of specic types of chemical processing units (heat transfer equipment, mass transfer equipment, etc.) can be found in CCPS [13]. These checklists include suggestions for inherent, passive, active, and procedural approaches to risk management for the incident scenarios described. PSM Element 2Process Knowledge and Documentation Information necessary for the safe design, operation, and maintenance of any facility should be written, reliable, current, and easily accessible by people who need to use it [7]. There are several implications of inherent safety for this element which may be identied by use of
DOI 10.1002/prs Process Safety Progress (Vol.26, No.4)

This analysis is ongoing, and at this point, only broad conclusions are being drawn as to the relative importance of particular PSM elements, and especially with respect to trend analysis from year to year (Figure 2). For example, it seems reasonable to conclude from Figure 1 that preventative maintenance and maintenance procedures have historically been thought to contribute signicantly to incident causation when process and equipment integrity has been agged. A defensible conclusion from Figure 2 is that for the past 7 years, deciencies in PSM elements 27 inclusive have been key contributors to processrelated incidents in Canadian chemical companies. The importance attached to each of these six elements has varied over this period, but each has crossed an arbitrary threshold of having contributed to at least 10% of the total incidents during a given year (at least once during the 7-year period).
INHERENT SAFETY IN PSMA FRAMEWORK

The objective in this section is to synthesize the previously discussed material into a framework for explicitly incorporating the principles of inherent safety (minimize, substitute, moderate, and simplify) within PSM (the 12 elements in Table 1). As described in the preceding section, a strategic, prioritized approach would be to focus initially on PSM elements 27 inclusive. This is the route taken here, although mainly due to space limitations. The conference paper [10] on which the current work is based reviews all 12 elements, highlighting inherent safety opportunities for each. The examples provided in the remainder of the current paper are by no means all-inclusive, but hopefully enough example-based guidance is given to enable the approach to be adopted by others if desired. The quantitative techniques proposed have all been tested with industrial data to validate their applicability in these selected cases. For the qualitative techniques, the following general methodology is recommended:
Identication or development of a suitable pro-

tocol for the activity (e.g. incident investigation, as described in a previous study [11]). The protocol must incorporate the management functions of plan, do, check, act (i.e. the continuous improvement cycle).
336 December 2007 Published on behalf of the AIChE

Figure 1. Incident causation according to PSM element 6 (PRIM data).

Figure 2. Incident causation by PSM element from 1998/99 to 2004 (PRIM data).

the guidewords in Table 3 and checklist in Table 4. For example, the guideword substitute can be applied to the documentation for the component chemical and occupational health hazards to good effect. SimProcess Safety Progress (Vol.26, No.4)

ilarly, the component process denition/design criteria contains subcomponents for which the documentation could be reviewed in light of the inherent safety guidewords (e.g. minimize as applied to maximum
DOI 10.1002/prs December 2007 337

Published on behalf of the AIChE

Table 3. Inherent safety guidewords.

Guideword Minimize Substitute Moderate Simplify

Description Use smaller quantities of hazardous materials when the use of such materials cannot be avoided. Perform a hazardous procedure as few times as possible when the procedure is unavoidable Replace a substance with a less hazardous material or processing route with one that does not involve hazardous material. Replace a hazardous procedure with one that is less hazardous Use hazardous materials in their least hazardous forms or identify processing options that involve less severe processing conditions Design processes, processing equipment, and procedures to eliminate opportunities for errors by eliminating excessive use of add-on (engineered) safety features and protective devices

Table 4. Inherent safety checklist.

Guideword Minimize

Substitute

Moderate

Simplify

Checklist Question  Is the storage of all hazardous gases, liquids, and solids minimized?  Are just in time deliveries used when dealing with hazardous materials?  Are all hazardous materials removed or properly disposed of when they are no longer needed or not needed in the next X days?  Is shift rotation optimized to avoid fatigue?  Can a less toxic, ammable, or reactive material be substituted for use?  Is there an alternate way of moving product or equipment as to eliminate human strain?  Can a water-based product be used in place of a solvent- or oil-based product?  Are all allergenic materials, products, and equipment replaced with nonallergenic materials, products, and equipment when possible?  Can potential releases be reduced via lower temperatures or pressures, or elimination of equipment?  Are all hazardous gases, liquids, and solids stored as far away as possible to eliminate disruption to people, property, production, and environment in the event of an incident?  When purchasing new equipment, are acceptable models available that operate at lower speeds, pressures, temperatures, or volumes?  Are workplaces designed such that employee seclusion is minimized?  Are all manuals, guides, and instructional material clear and easy to understand, especially those that are used in an emergency situation?  Are equipment and procedures designed such that they cannot be operated incorrectly or carried out incorrectly?  Are machine controls located to prevent unintentional activation while allowing easy access for stopping the machine?  Are all machines, equipment, and electrical installations easily isolated of all sources of power?

intended inventory). The component normal and upset conditions (operating procedures) contains the requirement that procedures be current, accurate, and reliable. The guideword simplify is especially appropriate here, as demonstrated by Figures 3 and 4. An organization had decided to offer free antivirus software to its employees and posted the instructions shown in Figure 3 on its website for personnel to follow to install the new software. The download button was in color red (presumably to draw attention to it); several people in this organization clicked on the button to download the software without reading further. Unfortunately, they missed the ne print (Figure 3) advising them to uninstall any existing antivirus software on their computer. The results were numer338 December 2007 Published on behalf of the AIChE

ous computer crashes and much process time being spent to rectify the computer problems, both by the people directly affected and by computer support personnel. The business interruption was signicant enough that the organization reissued the instructions as shown in Figure 4. In this second set of instructions, the steps have been reordered and have been numbered, and the consequence of not rst uninstalling existing antivirus software is better explained. The red download button is still present, but the operators eye is not as likely to be immediately drawn to it as in Figure 3. The instructions given in Figure 4 are more accurate and reliable than those in Figure 3. The new instructions are simpler to follow. (Note that
DOI 10.1002/prs Process Safety Progress (Vol.26, No.4)

Figure 3. First set of instructions concerning software installation.

Figure 4. Second set of instructions concerning software installation.

this example could also be discussed equally as well under PSM elements 4, 5 and 7.) Also relevant here, from a different perspective, is the component company memory (management of information). The intention of this component is to ensure that knowledge and information gained from plant experience, and which is likely to be important for the future safety of a facility, is well-documented so it is not forgotten, or overlooked as personnel and organizational changes occur [7]. Hendershot [14] argues that this is especially critical when dealing
Process Safety Progress (Vol.26, No.4)

with inherent safety and inherently safer design (ISD) features. He gives several examples where ISD features have essentially been put at risk because the reasons they were implemented were not clearly and adequately documented. This results in compromising of facility safety when future modications are made by people who do not understand the intent of the original designer. (Thus, this point is also pertinent to PSM element 5 on MOC.) ISD features are particularly susceptible to lapses in corporate memory given that they are such a fundamental part of
DOI 10.1002/prs December 2007 339

Published on behalf of the AIChE

the design that their purpose may not be obvious, unlike an add-on device such as a high-pressure alarm [14]. PSM Element 3Capital Project Review and Design Procedures Many industrial practitioners hold the opinion that careful attention to this element can have the greatest impact on the effectiveness of PSM [15]. Because of the importance of considering inherent safety early in the design sequence when changes can most readily be made [7], inherent safety considerations are particularly important in conducting hazard reviews (e.g. a preliminary hazard analysis). As described by Khan and Amyotte [4], there have been several efforts made by different organizations to develop quantitative inherent safety evaluation tools that could be used with PSM element 3. Examples include the INSET tool kit sponsored by the then European Community; the overall inherent safety index prototype proposed by Edwards and coworkers at Loughborough University, UK; the inherent safety index proposed by Hurme, Heikkila and coworkers at Helsinki University, Finland; the fuzzy-based inherent safety index proposed by Mannan, Gentile and coworkers at Texas A&M University, USA; an index and expert system for inherent safety evaluation of process owsheets developed by Palaniappan and coworkers at the National University of Singapore, Singapore; and a hierarchical approach for chemical process safety evaluation developed by Hungerbuhler, Shah and coworkers at the Swiss Federal Institute of Technology, Switzerland. Updates on several of these indices and calculation procedures were presented at the recent International Conference on the 20th Anniversary of the Bhopal Disaster: Bhopal Gas Tragedy and its Effects on Process Safety, IIT Kanpur, India (December 13, 2004), with papers subsequently appearing in a special issue of the Journal of Loss Prevention in the Process Industries, 18 (46). (See, for example, Rahman et al. [16] and Shah et al. [17].) A quantitative methodology from the current authors [18] also appears in this special journal issue from the Bhopal conference. Kahn and Amyotte [18,19] describe an integrated inherent safety index (I2SI) developed with consideration of the life cycle of a process, economic evaluation, and hazard potential identication for various design options. The indexing procedure was successfully applied to three acrylic acid production options [18]. The most useful feature of tools such as I2SI is their potential to facilitate a relative comparison of the hazards and ensuing risk from different processing options [20]. Qualitative, as well as quantitative, consideration of inherent safety in hazard reviews for selecting process options can be highly benecial. The following example [21] illustrates this point by making use of the inherent safety guidewords (Table 3) and checklist (Table 4). The case considered is the handing of dry additive at a polyethylene production facility. Key principles highlighted are minimization, sub340 December 2007 Published on behalf of the AIChE

stitution, and moderation; additionally, the example illustrates the economic tradeoffs and inter-relationship among inherent, engineered, and procedural safety measures. In the late 1970s, dry additive was received at the plant in heavy 50-kg containers. Operators were required to scoop additive into a feeder that supplied the additive to a pre-blender to ultimately mix additive with polyethylene resin to achieve certain resin properties. This activity caused concern over back strains as well as the need to wear respirators to control exposure to the additive dust. In the late 1980s and early 1990s, an effort was made to improve working conditions and efciency. A capital project was proposed to pneumatically convey additive to the feeder. The additive is granular and has a minimum ignition energy of less than 10 mJ; it is therefore ignition sensitive and must be treated carefully in a manner similar to ammable gases and liquids which also have very low ignition energies. A suggestion was made to consider the process with nitrogen as the conveying medium. A number of issues associated with this option soon materialized:
higher operating costs using nitrogen (recycling

nitrogen posed technical challenges; additionally, this would have been the rst attempt at the site in conveying solids using nitrogen medium), the need to monitor and control oxygen content so as not to exceed the limiting oxygen concentration, a requirement for greater operator attention if a manual monitoring approach was adopted, prohibitively high project costs for automatic monitoring and alarms, and possible asphyxiation should nitrogen vent inside a building.
Because of these concerns, the nitrogen conveying option was not considered feasible. Operations returned to manual handling of the dry additive, but this time using smaller containers (25 kg) to deal with back strain concerns. The site was also continuously working with the additive supplier to identify better approaches (e.g. to reduce manual handling). This gave rise to experimenting with a pellet-like version of the same additive in a pneumatic conveying system. This would, in theory, also remove the concern over the presence of a ammable dust cloud having a low ignition energy inside an air conveying system. However, the mechanical energy of the pneumatic conveying system easily broke down the pellet-like additive into a very ne powder, causing extensive dust buildup and resulting in operating problems due to plugging. The dust explosion concern was also reintroduced. In the late 1990s, the site installed its current system which involves the use of supersacks and tote tanks. Supersacks from the supplier are emptied by gravity into tote tanks at grade level. These totes are then taken by elevator to the appropriate oor where they are placed on top of a feed pipe system that
DOI 10.1002/prs Process Safety Progress (Vol.26, No.4)

connects to the additive feeder. The feed pipe system is lled with additive by opening a slide valve located below the tote. The slide valve is opened slowly to avoid disturbing the sensitive operation of the feeder. This also helps with minimizing the formation of dust clouds inside the pipe system as it is being lled. This current option has eliminated the following safety concerns:
repetitive manual handling by operators and

associated back strain,


the need to wear respirators to avoid inhalation

PSM element 4 also offers a qualitative opportunity to bring inherent safety into the components hazard identication and reduction of risk via the What-If/ Checklist (WI/CL) technique (which is, of course, simply a combination of the separate What-If (WI) and Checklist (CL) methods). As well-described in CCPS [12], What-If analysis is a brainstorming approach in which a team asks questions and voices concerns about possible undesired events. The purposes are:
to identify hazards, hazardous situations, and

of dust, and excessive static charging and ammable dust cloud formation that would have been associated with pneumatic conveying, and the possible ignition of the ignition-sensitive dust inside an air conveying system.
A nal comment is made for this PSM element with respect to the components siting and plot plan. In siting a proposed expansion or new plant, the exposure hazard to and from adjacent plants or facilities is a critical consideration; similarly the location of control rooms, ofces, and other buildings should be carefully considered in conducting a plot plan review [7]. This is in accordance with the guiding principle of unit segregation (the avoidance of domino or cascade effects) which is often considered to be an example of the inherent safety principle of moderationspecically limitation of effects. Examples where greater attention to facility siting and plot plan review (temporary as well as capital) would have assisted with consequence mitigation include the administration and control buildings at Flixborough [22] and the contractor trailers at the BP Texas City renery [23]. PSM Element 4Process Risk Management The PSM guide comments that the component hazard identication is the most important step in process risk management: If hazards are not identied, they cannot be considered in implementing a risk reduction program, nor addressed by emergency response plans [7]. Several techniques are referenced in the guide [7] for identifying and assessing hazards, including the Dow Fire and Explosion Index (F&EI) and Chemical Exposure Index (CEI), HAZOP, What-If and Checklist. The F&EI and CEI each have a signicant basis in the principles of inherent safety [24]. This point is also illustrated by the work of Khan et al. [6] who conducted a comparison of the F&EI with other inherent safety-based indices available at the time of the study (2002/2003). Some of the recently developed quantitative methodologies, as described under PSM element 3, would also have relevance to PSM element 4 (the key difference being that the review is no longer at the capital project/early design stage). For example, the I2SI technique [18,19] employs a structured guideword approach in a HAZOP-type manner.
Process Safety Progress (Vol.26, No.4)

specic events that could produce undesirable consequences, to examine the currently available safety measures to deal with the identied hazards and events, and to suggest alternatives for risk reduction based on inherent, as well as engineered (add-on) and procedural, safety.
WI analysis results are typically presented as a tabular listing of hazardous situations, consequences, existing safeguards and options for risk reduction. An illustrative WI example drawn from everyday life (driving in a residential area) is given in Table 5. There is a natural progression from the What-If scenario, to potential consequences of the event, to safety measures that might typically be employed, to recommendations for further safety measures (based in this case on inherent/passive safety). In the current context, the key feature of the simple example in Table 5 is the attempt to explicitly incorporate inherent safety in the analysis. This can be done by the guideword/checklist approach (Tables 3 and 4) in the following ways:
Once a number of WI scenarios have been iden-

tied and analyzed by the team, checklists (inherent safety-based and otherwise) can be consulted to determine if new hazards are identied. These new hazards can then be analyzed by completion of the WI table. In determining whether to make recommendations for consideration of further safeguards, the team can consult the checklists to see if new safety measures are identied.
Thus, checklists can be used at either the front- or back-end of the WI methodology. In this manner, the CL analysis is combined with the WI analysis to yield a WI/CL method that combines the creative, brainstorming features of WI with the systematic, rigorous features of CL. Further, the inherent safety guideword/ checklist approach helps to ensure that inherent safety considerations are explicitly considered in identifying both hazards and safety measures. This is essentially the recommendation of the PSM guide: Following risk evaluation, steps must be taken to reduce those risks which are deemed unacceptable. Such steps might include: inventory reduction, alternative processes, alternative materials, improved training and procedures, protective equipment, etc. [7] (with underlining added to emphasize the inherent safety suggestions related to minimization and substitution).
DOI 10.1002/prs December 2007 341

Published on behalf of the AIChE

Table 5. What-If analysis example with inherent safety considerations.

What If A pedestrian suddenly crosses the street in front of your car?

Consequences/Hazards  You may hit the pedestrian causing injury  You may hit another vehicle causing damage

Existing Safeguards  Being attentive in residential areas  Always keeping a safe distance from other vehicles

You may stop suddenly, causing injury in your vehicle

Wearing seatbelt at all times

Recommendations  Do not drive through residential areas except when necessary. (substitute)  Consider providing fences between roads and areas with likely pedestrian exposurefor example, schools or playgrounds. (substitute)  Drive slowly in residential areas. (moderate)

A nal comment is made for this PSM element with respect to the components encouraging client and supplier companies to adopt similar risk management practices and selection of businesses with acceptable risk. The former component is particularly important because of the common practice of outsourcing or contracting of engineering services. This is often the case on large projects where partnerships and joint ventures are formed, but may also apply to smaller projects through the awarding of subcontracts. Success on these projects is in large measure determined by the degree of commonality in risk management practices among the different parties. Not the least of the concerns is whether there is a common set of expectations for safety performance and risk-awareness [25]. By extension, differences in approach to inherent safety and the corporate value placed on this concept can be problematic. With respect to the second component above, selection of businesses with acceptable risk, CCPS [26] provides helpful commentary. In explaining the business case for managing process safety, it is noted that effective PSM means doing the right things right, thus leading to increases in revenue and productivity and reductions in product cost. It is further noted that for smaller companies, because of product stewardship requirements, demonstration of good PSM practices may be a prerequisite to doing business with larger companies more versed in PSM. Again by extension, a mismatch with respect to the value placed on inherent safety may lead to missed business opportunities. PSM Element 5Management of Change A system to manage change is critical to the operation of any facility. A written procedure should be required for all changes except replacement-in-kind. The system should address: a clear denition of change (scope of application); a description and technical basis for the proposed change; potential impact of the proposed change in health, safety and environment; authorization requirements to make the change; training requirements for employees or contractors following the change; updating of documen342 December 2007 Published on behalf of the AIChE

tation including process safety information, operating procedures, maintenance procedures, alarm and interlock settings, re protection systems, etc.; and contingencies for emergency changes [7]. Simply put, inherent safety involves change, and change in the process industries must be managed. Potential hazards brought about by inherent safety changes must therefore be identied and the ensuing risk reduced to an acceptable level. This point is at least as important (perhaps more) than the concept of looking for inherent safety opportunities when making a process change. A generic inherent safety-based protocol for MOC is shown in Figure 5. This sequence of steps is based on the MOC process presented by Kelly [27]. By recommending the use of inherent safety guidewords in the rst step, identify need for change, the protocol recognizes that inherent safety is both a driving force for MOC and an opportunity during MOC (as previously mentioned). Use of the guidewords and a checklist during the hazard review and control steps is again a recognition that the techniques used for these purposes are easily adaptable to explicit incorporation of inherent safety (such as the What-If/Checklist approach described in the previous section). As an example, Figures 3 and 4 may again be considered, this time from an MOC perspective. The provision of system-wide antivirus software represented a change for the organization from the previous practice of computer users purchasing and installing such software individually and from a number of different vendors. The change was not adequately managed because the potential hazards arising from the change were not identied, and steps were not taken to reduce the risk of downloading without rst uninstalling existing antivirus software. Use of the guideword simplify and the checklist question, Are all manuals, guides, and instructional material clear and easy to understand?, might have led to the following What-If scenario being posed: What if someone clicks on the download button before uninstalling existing software? Likely, risk reduction measures such as those eventually taken after-the-fact would have been
DOI 10.1002/prs Process Safety Progress (Vol.26, No.4)

dation of the generic protocol shown in Figure 5. The fact that there is no shortage of candidate casesboth technical and nontechnical [14] as well as organizational [28]is somewhat of a sobering reality. Flixborough represents a classic example of inadequate MOC [22] that is worth examining, in part because of the motivation it has provided for ISD. More recent examples are also available: the 2004 re and explosion at Giant Industries Ciniza oil renery [29] and the 2005 hydrogen reformer furnace failure at Syncrude Canada Ltd. [30]. PSM Element 6Process and Equipment Integrity Procedures for fabricating, inspecting, and maintaining equipment are vital to process safety. Written procedures should be used to maintain ongoing integrity of process equipment such as: pressure vessels and storage tanks; piping, instrumentation, and electrical systems; process control software; relief and vent systems and devices; emergency and re protection systems; controls including monitoring devices and sensors, alarms and interlocks; and rotating equipment. A documented le should be maintained for each piece of equipment [7]. As illustrated in Figure 2, this element is of obvious importance in preventing process-related incidents. Figure 1 shows the particular signicance of the components preventative maintenance and maintenance procedures. With respect to the former component, risk-based integrity modeling (RBIM) of process equipment holds much promise. Concerning the latter component, a 1997 Chemical Safety Alert from the US EPA [31] offers the advice that facilities with storage tanks containing ammable vapors should review their equipment and operations in the following areas:
design of atmospheric storage tanks, inspection and maintenance of storage tanks, hot-work safety, and ignition source reduction.

Figure 5. An inherent safety-based management of

change protocol.

implemented as preventive measures. This rather simple example also illustrates the overlap between PSM elements and how inherent safety considerations in a particular element can have multiple benets throughout the suite of PSM tools. Further consideration of the antivirus software upgrade process in a MOC review might lead to the following question being asked: Can the hazard of installing new antivirus software without removing previously installed antivirus software be eliminated? While we are not programming experts, it seems that this might be possible in many cases; one could possibly design an installation routine which eliminates the hazard. Perhaps the installation program for the new antivirus software could canvass the computer hard disk for previous installations of commonly used antivirus software, and refuse to install if it nds one. Or, it could check for antivirus software already running; the Microsoft Windows XP Security Center is capable of monitoring the status of many antivirus programs, so presumably an installation program could check this same information. Some consumer software does this sort of thing nowfor example, the installation routine for Intuits Quicken 2006 personal nance software checks for the presence of a previous version and uninstalls that previous version if found (after getting permission from the user). In accordance with our previous comment on qualitative techniques, there remains a need for valiProcess Safety Progress (Vol.26, No.4)

Investigation of qualitative and quantitative linkages among the above items is a fruitful line of future work. The rst and last items in the list have clear inherent safety overtones, while the middle two are largely procedural. Nevertheless, there may be an opportunity here to again highlight the interplay among inherent, engineered, and procedural safety. A possible case study has been identied as the 1998 renery re at North Atlantic Rening Limited in Newfoundland, Canada [32,33]. PSM Element 7Human Factors Human factors are a signicant contributor to many process accidents. Three key areas are operator-process/equipment interface, administrative controls, and human error assessment [7]. This PSM element on human factors has a strong relationship with the principles of inherent safety [1]. The rst component, operator-process/equipment interface, refers to issues such as [7]:
DOI 10.1002/prs December 2007 343

Published on behalf of the AIChE

the design of equipment increasing the potential

for error (e.g. confusing equipment, positioning of dials, color coding, different directions for on/off), and the need for a task analysis (a step-by-step approach to examine how a job will be done) to determine what can go wrong during the task and how potential problem areas can be controlled.
This component therefore affords ample opportunities for use of the WI/CL technique described earlier. This relatively straightforward tool would likely have identied the need for consideration of human factors in the example given by Figures 3 and 4, as well as the recent case reported in the media of a $225million typo [34]. This latter example involved the loss to a securities company of 27 billion yen ($225 million US) on a stock trade because of a typing error. From a technical perspective, an inherent safetybased WI/CL task analysis may have identied the hazard posed by the design of a particular valve actuator at the Giant renery [29]. The plug valve in question was originally designed to be opened and closed by a gear-operated actuator. This actuator was replaced by a valve wrench (2-ft-long bar) that was inserted into a square collar. (Thus, as previously mentioned, this is also an MOC incident.) Although there was a position indicator on the valve itself, operators had become accustomed to determining whether the valve was open or closed by the orientation of the valve wrench. If the wrench was perpendicular to the direction of ow through the valve, then the valve was thought to be closed. Reliance on this on/off determination ultimately proved to be awed because of the fact that the wrench collar itself was removable and could be repositioned on the valve stem in different directions. On the day of the incident, the valve was thought to be closed when it was in fact open, and a ammable liquid release occurred followed by a re and explosion. The description of the second component of this PSM element, administrative control versus hardware control, contains these statements: Hazards may be controlled by the use of procedures or by the addition of protective equipment. This balance is often a matter of company culture and economics. If procedures are well understood, kept current and are used, then they are likely to be effective. Similarly protective systems need regular testing and maintenance to be effective. The problem of administrative versus hardware controls should be considered and a balance selected by conscious choice rather than allowing it to happen by default [7]. This description may leave some readers with the unfortunate impression that only procedural (administrative) and engineered (add-on) measures are available, or are effective, for hazard control. Although well-written and understood procedures will be inherently safer, there is much more to inherent safety than facilitating effective procedural safety. This component is one of the most important places
344 December 2007 Published on behalf of the AIChE

in the PSM guide [7] where explicit use of the term inherent safety would be highly benecial. The third and nal component of human factors, human error assessment, is perhaps one of the more challenging areas of PSM. Human error assessment by itself can seem quite daunting, let alone trying to incorporate the principles of inherent safety. Nevertheless, human error assessment is becoming increasingly important in industry and is a growing area of concern for the public and for regulators. As demonstrated in recent work by the current authors, it is possible to quantitatively assess the probability of human error and to use these results to help achieve an inherently safer design. DiMattia et al. [35] and Khan et al. [36] describe a method for determining human error probabilities during the process of emergency musters on offshore oil and gas production platforms. This process consists of 18 separate tasks beginning with alarm detection and ending with the actions performed in the temporary safe refuge (TSR) before standing down or moving on to the platform abandonment stage. An expert judgment technique known as Success Likelihood Index Methodology (SLIM), developed in the nuclear industry, was used by DiMattia et al. [35]. Factors affecting human performance (performance shaping factors such as stress, training, and experience) were quantitatively analyzed by means of a team of judges and the SLIM technique to yield a human error probability for each of the 18 muster tasks and three different muster initiators (man overboard, gas release, and re and explosion). These data were then generalized to any muster initiator and scenario by a questionnaire and reference graph methodology developed by Khan et al. [36]. The usefulness of human error probability data was illustrated by Khan et al. [36] in the following manner. First, a consequence table was developed and used to qualitatively assess the impact of not completing a given muster task. This severity ranking was then paired with the quantitative probability value by means of a risk matrix to identify those tasks most in need of risk reduction measures (inherent, engineered and procedural). For example, failure to detect the muster alarm (rst action) in the re and explosion scenario has a probability of 0.4 and consequences ranging from delay of time to muster through to loss of critical time needed to respond to the problems that initiated the alarm, and possible loss of life. Risk reduction measures from an inherent safety perspective were identied as:
eliminate obstructions near the alarms, minimize the amount of noise-producing ma-

chinery when possible,


substitute alarms with ones that give an easily

recognizable tone, the electrical dependence of the alarms that are used on the platform, and simplify the alarms, making maintenance easier, as well as lowering the possible risk of an alarm malfunctioning.
moderate DOI 10.1002/prs Process Safety Progress (Vol.26, No.4)

Quantitative human error assessment is therefore not only possible, but quite valuable in attempting to reduce risk by employing the principles of inherent safety. What is required in this application is a scientically rigorous method of determining probability data for human error, such that objectivity is brought to an otherwise potentially subjective process.
CONCLUDING REMARKS

We have attempted in this paper to present the case that inherent safety is an integral component of effective PSM. In spite of its widespread applicability throughout all of the PSM elements, the term inherent safety is not used in standardized PSM documentation such as the PSM guide [7] referenced in the current work. Explicit naming and use of the principles of inherent safety (minimize, substitute, moderate, and simplify) within PSM standards is therefore needed. Various inherent safety examples, both technical and from everyday life, have been given for several PSM elements. Existing tools have been identied for either inherent safety inclusion or increased visibilityfor example, the What-If/Checklist methodology (qualitative) and the Dow Fire and Explosion and Chemical Exposure Indices (quantitative). New inherent safety tools for quantitative identication and assessment of hazards have been described, and qualitative protocols for incorporating inherent safety into specic PSM elements have been presented. The 12 PSM elements [7] are interwoven with one another by means of the common thread of inherent safety.
ACKNOWLEDGMENTS

The authors gratefully acknowledge the Canadian Chemical Producers Association for permission to use the PRIM data and analysis results in our research, and the many colleagues in the process safety community who have assisted us with technical advice and critiques of our research.
LITERATURE CITED

1. R.E. Bollinger, D.G. Clark, R.M. Dowell III, C. Ewbank, D.C. Hendershot, W.K. Lutz, S.I. Meszaros, D.E. Park, and E.D. Wixom, Inherently Safer Chemical Processes: A Life Cycle Approach, D.A. Crowl (Editor), American Institute of Chemical Engineers, New York, NY, 1996. 2. J.P. Gupta and D.W. Edwards, Inherently safer designPresent and future, Process Saf Environ Prot 80 (2002), 115125. 3. T.A. Kletz, Inherently safer designIts scope and future, Process Saf Environ Prot 81 (2003), 401405. 4. F.I. Khan and P.R. Amyotte, How to make inherent safety practice a reality, Can J Chem Eng 81 (2003), 216. 5. T.A. Kletz, What you dont have, cant leak, Chem Ind May 6 (1978), 287292. 6. F.I. Khan, R. Sadiq, and P.R. Amyotte, Evaluation of available indices for inherently safer design options, Process Saf Prog 22 (2003), 8397.
Process Safety Progress (Vol.26, No.4)

7. CSChE, Process Safety Management, 3rd ed., Canadian Society for Chemical Engineering, Ottawa, ON, 2002. 8. CCPS, Guidelines for technical management of chemical process safety, Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY, 1989. 9. J.-P. Lacoursiere, Bhopal and its effects on the Canadian regulatory framework, J Loss Prev Process Ind 18 (2005), 353359. 10. P.R. Amyotte, A.U. Goraya, D.C. Hendershot, and F.I. Khan, Incorporation of inherent safety principles in process safety management, Proceedings of 21st Annual International ConferenceProcess Safety Challenges in a Global Economy, Center for Chemical Process Safety, American Institute of Chemical Engineers, Orlando, FL, April 2327, 2006, pp. 175207. 11. A. Goraya, P.R. Amyotte, and F.I. Khan, An inherent safety-based incident investigation methodology, Process Saf Prog 23 (2004), 197205. 12. CCPS, Guidelines for Hazard Evaluation Procedures, 2nd ed., American Institute of Chemical Engineers, New York, NY, 1996. 13. CCPS, Guidelines for design solutions to process equipment failures, American Institute of Chemical Engineers, New York, NY, 1998. 14. D.C. Hendershot, Tell me why, Eighth Annual International Symposium, Mary Kay OConnor Process Safety Center, Texas A&M University, College Station, TX, Oct. 2526, 2005. 15. G. Creedy, Personal communication (with permission), 2005. 16. M. Rahman, A.-M. Heikkila, and M. Hurme, Comparison of inherent safety indices in process concept evaluation, J Loss Prev Process Ind 18 (2005), 327334. 17. S. Shah, U. Fischer, and K. Hungerbuhler, Assessment of chemical process hazards in early design stages, J Loss Prev Process Ind 18 (2005), 335352. 18. F.I. Khan and P.R. Amyotte, I2SI: A comprehensive quantitative tool for inherent safety and cost evaluation, J Loss Prev Process Ind 18 (2005), 310326. 19. F.I. Khan and P.R. Amyotte, Integrated inherent safety index (I2SI): A tool for inherent safety evaluation, Process Saf Prog 23 (2004), 136148. 20. G. Phillips, Personal communication (with permission), 2005. 21. M. Marta, Personal communication (with permission), 2005. 22. R.E. Sanders, Designs that lacked inherent safety: Case studies, J Hazard Mater 104 (2003), 149161. 23. CSB, http://powerlink.powerstream.net/002/ 00174/051222bp/BPAnimations.asx, US Chemical Safety and Hazard Investigation Board, Washington, DC, 2006. 24. C.B. Etowa, P.R. Amyotte, M.J. Pegg, and F.I. Khan, Quantication of the inherent safety aspects of the Dow indices, J Loss Prev Process Ind 15 (2002), 477487. 25. J. Horwood, The impact of expectations and culture on project safety performance, Process Safety and
DOI 10.1002/prs December 2007 345

Published on behalf of the AIChE

26. 27. 28.

29.

30.

Loss Management Symposium, 55th Canadian Chemical Engineering Conference, Canadian Society for Chemical Engineering, Toronto, ON, Oct. 1619, 2005. CCPS, Making EHS an Integral Part of Process Design, American Institute of Chemical Engineers, New York, NY, 2001. B.D. Kelly, Management of Change in Process PlantsA Participative Workshop, Calgary, AB, Nov. 2000. R. Cairns, G. Creedy, and Y. Ivanovich, Managing the health and safety aspects of organizational change, Process Safety and Loss Management Symposium, 52nd Canadian Chemical Engineering Conference, Canadian Society for Chemical Engineering, Vancouver, BC, Oct. 2023, 2002. CSB, Oil renery and explosion (Giant Industries Ciniza oil renery), Case study, US Chemical Safety and Hazard Investigation Board, Washington, DC, 2005. M. Rogers, Lessons learned from an unusual hydrogen reformer furnace failure, Process Safety and Loss Management Symposium, 55th Canadian

31. 32. 33.

34. 35.

36.

Chemical Engineering Conference, Canadian Society for Chemical Engineering, Toronto, ON, Oct. 1619, 2005. EPA, Catastrophic failure of storage tanks, Chemical safety alert, US Environmental Protection Agency, Washington, DC, 1997. W.M. Glenn, A tale of two reneries, OHS Can 22 (2006), 3643. P.J. Kennedy (Judge), Inquiry report on explosion and re at come by chance renery, District of Clarenville, Provincial Court of Newfoundland, Aug. 8, 2005. Chronicle Herald, Tokyo market suffers after $225-million typo, Newspaper article, Halifax, NS, Dec. 10, 2005. D.G. DiMattia, F.I. Khan, and P.R. Amyotte, Determination of human error probabilities for offshore platform musters, J Loss Prev Process Ind 18 (2005), 488501. F.I. Khan, P.R. Amyotte, and D.G. DiMattia, HEPI: A new tool for human error probability calculation for offshore operation, Safety Science 44 (2006), 313334.

346 December 2007

Published on behalf of the AIChE

DOI 10.1002/prs

Process Safety Progress (Vol.26, No.4)

Das könnte Ihnen auch gefallen