1
Introduction to Inherently Safer Design
Prepared for Safety and Chemical Engineering Education (SACHE) by: Dennis C. Hendershot, Rohm and Haas Company, retired
This module will introduce the concept of inherently safer design in the chemical processing industry. Inherently safer design, or ISD, has received more attention in recent years from industry, community groups, and government. When feasible, ISD can be a more robust and reliable approach to managing risk in the chemical industry. Following the terrorist attacks of September 11, 2001, ISD has also been promoted as a means to reduce chemical hazards, making chemical handling facilities less attractive terrorist targets. It is important for chemical engineers to understand ISD, including its potential benefits and limitations, both to implement ISD where feasible and also to participate in public discussions about the application of ISD in the chemical industry.
©American Institute of Chemical Engineers, 2006
2
What is inherently safer design?
Inherent - “existing in something as a permanent and inseparable element...” Eliminate or minimize hazards rather than control hazards Safety based on physical and chemical properties of the system, not “add-on” safety devices and systems “Safer” – not “Safe” Inherently safer design (ISD) is a different philosophy for addressing safety issues in the design and operation of chemical plants. ISD focuses on eliminating or significantly reducing hazards. Often, the traditional approach to managing chemical process safety has accepted the existence and magnitude of hazards in a process, and efforts to reduce risk have concentrated on managing the risk associated with the hazards. Where feasible, ISD provides more robust and reliable risk management, and has the potential to make the chemical processing technology simpler and more economical in many cases. What do we mean by inherently safer design? One dictionary definition of “inherent” which fits the concept very well is “existing in something as a permanent and inseparable element.” This means that safety is “built in” to the process, not added on. Hazards are eliminated, not controlled, and the means by which the hazards are eliminated are so fundamental to the design of the process that they cannot be changed or defeated without changing the process. In many cases this will result in simpler and cheaper plants, because the extensive safety systems which may be required to control major hazards will introduce complexity to a plant, along with cost – both in the initial investment for the safety equipment and also for the ongoing operating cost for maintenance and operation of the safety systems. It is best to describe a design as “inherently safer” relative to another design, rather than as “inherently safe”. Describing a plant or process as “inherently safe” implies that it is not capable of causing injury or damage – it is unlikely that any process or plant will be inherently safe relative to all possible hazards. 
However, plants can be designed to be “inherently safer” in the context of one or more specific hazards of concern. At this point in its development, ISD should be considered to be more of a design philosophy rather than a specific set of tools and methods. While there are checklists and brainstorming aids to help a designer to identify opportunities for ISD, there is not any single set of protocols or design procedures. Also, there is no agreement on how to measure ISD for a process or plant. These are areas for continuing development.
3
Why Inherently Safer Design?
Bhopal, India, 1984 Flixborough, UK, 1974 Pasadena, TX, 1989 ISD has received increased attention from the chemical industry since the 1970s as a result of a number of major industrial accidents. Some examples include: Flixborough, England (1974) – a large release of cyclohexane from a caprolactam plant killed 28 workers, injured 36, and destroyed the plant. The police reported 53 casualties off site, and there were hundreds of less severe injuries which were not recorded. Pasadena, Texas (1989) – a leak of gas from a polyethylene plant formed a flammable vapor cloud which ignited, causing 23 fatalities and hundreds of injuries, and destroying the plant. Bhopal, India (1984) – the worst disaster in the history of the chemical industry occurred when water entered a storage tank containing methyl isocyanate (MIC). The resulting reaction generated heat and pressure, lifting the tank relief valve and releasing highly toxic MIC vapors into the city. Exact casualty figures are disputed, but several tens to hundreds of thousands of people were exposed, and the official Indian government estimate of fatalities was 4000 in 1994.
4
A subset of Green Engineering
Green Chemistry and Engineering Inherently Safer Design ISD focuses on the immediate impacts of single events - chemical accidents - on people, the environment, property and business. Property and business impacts are sometimes referred to as “loss prevention”. In a chemical manufacturing plant, this generally means the immediate impacts of fires, explosions, and the release of toxic materials. Of course, these types of events will also have the potential for long term impacts on people, the environment, and possibly property and business. Reducing the magnitude or potential likelihood of accidents will also have benefits from the viewpoint of the potential long term impacts. However, while engineers recognize the potential benefits of ISD in these other areas, the main intent of ISD is to reduce the frequency and potential impact of chemical plant accidents. ISD can be considered to be a subset of green chemistry and engineering. Green chemistry and engineering have a much broader scope, including, for example: Health and environmental impacts of emissions from routine plant operations Health and environmental effects of all phases of the production and use life cycle of a material, from the basic raw materials through the final product, including all by-products and wastes Sustainable development and impact on non-renewable resources Clearly, safety incidents as defined earlier, are a part of green chemistry and engineering. Fires, explosions, and toxic releases have both immediate and long term impacts in areas of concern to green chemistry and engineering. A “green” process is often also inherently safer – it may use less toxic materials, for example. Such a process may reduce safety consequences – immediate injury from exposure to released material – as well as offer reduced long term health and environmental hazards. However, there can also be conflicts. 
A more efficient chemistry may reduce consumption of resources and produce less waste, but the chemistry may be more energetic, increasing the safety risk of a reactive chemistry explosion.
5
History of inherently safer design
Not really a new concept – elimination of hazards has a long history Second half of 20th Century chemical industry – increased hazards from huge, world scale petrochemical plants Concern about cost and reliability of traditional “add on” safety systems Trevor Kletz – ICI (1977) – Is there a better way? Eliminate or dramatically reduce hazards The concept of ISD is not really new. Technologists have always recognized the value of eliminating or reducing hazards. Applying ISD without calling it by that name, they simply considered it to be good design. For example, in 1828, Robert Stephenson, who with his father George Stephenson was a pioneer in the development of steam railroad technology, discussed the need for: “... an alteration which I think will considerably reduce the quantity of machinery as well as the liability to mismanagement … in their present complicated state they cannot be managed by ‘fools’, therefore they must undergo some alteration or amendment.” Stephenson recognized that the controls of his steam locomotive were overly complex, and his solution was to eliminate the hazard of mismanagement due to that complexity by simplifying the controls, rather than through safety devices and operator training. In reaction to the 1974 Flixborough explosion, Trevor Kletz, at the time a senior safety advisor for ICI in England, questioned the need for such large quantities of flammable or toxic materials in a manufacturing plant, and also the need for processing at elevated temperature and pressure. Kletz suggested that the chemical industry should re-direct its efforts toward elimination of hazards where feasible – reducing the quantity of hazardous material, using less hazardous materials, developing technology which operates at less severe conditions – rather than devoting extensive resources to safety systems and procedures to manage the risks associated with the hazards. 
Kletz first advanced this proposal at the annual Jubilee Lecture of the Society of the Chemical Industry in England in 1976, and called the concept “inherently safety”. The lecture was subsequently published in 1977 as a journal article entitled “What you don’t have, can’t leak.” In this, and many subsequent publications, Kletz and others established a set of principles for ISD, and provided many examples of its implementation in industry. Reference: Kletz, Trevor A. “What You Don't Have, Can't Leak.” Chemistry and Industry. 6 May 1978, pp
6
Hazard An inherent physical or chemical characteristic that has the potential for causing harm to people, the environment, or property (CCPS, 1992). Hazards are intrinsic to a material, or its conditions of use. Examples Phosgene - toxic by inhalation Acetone - flammable High pressure steam - potential energy due to pressure, high temperature Because the philosophy of ISD is to eliminate or reduce the hazard of a process, it is important to understand what is meant by the word “hazard”. The Center for Chemical Process Safety (CCPS) has defined hazard as “an inherent physical or chemical characteristic that has the potential for causing harm to people, the environment, or property.” Hazards are intrinsic to a material or its conditions of use. Some examples of hazards are: Phosgene is toxic by inhalation Acetone is flammable High pressure steam contains a large amount of potential energy, both from its elevated temperature and also from the high pressure
7
To eliminate hazards: Eliminate the material Change the material
Change the conditions of use These hazards cannot be changed, except by changing the material or the conditions of use. In some cases there are alternative technologies which use different materials or chemistry to produce a product, eliminating the need to use a more hazardous material. Sometimes the form of a material can be changed - dilution, larger sized particles, for example – to reduce the hazard. And perhaps process research can identify technology improvements such as catalysts which allow chemical reactions to take place under less severe conditions – perhaps lower temperature or pressure.
8
Chemical Process Safety Strategies
Inherent Passive Active Procedural We will now discuss chemical process safety strategies, which can be grouped into four categories: Inherent Passive Active Procedural The next several slides will describe these strategies in more detail. In general, inherent and passive strategies are the most robust and reliable, but elements of all strategies will be required for a comprehensive process safety management program when all hazards of a process and plant are considered.
9
Inherent Eliminate or reduce the hazard by changing to a process or materials which are non-hazardous or less hazardous Integral to the product, process, or plant - cannot be easily defeated or changed without fundamentally altering the process or plant design EXAMPLE Substituting water for a flammable solvent (latex paints compared to oil base paints) As previously stated, the inherent approach to safety is to eliminate or greatly reduce the hazard by changing the process or materials to use materials and conditions which are non-hazardous or much less hazardous. These changes must be integral to the process or product, and not easily defeated or changed without fundamentally changing the process or plant design. Substituting water for a flammable, and perhaps toxic, solvent as a carrier for a paint or coating – using water based latex paints instead of oil based paints – is an example. The elimination of the flammable or toxic solvent is an inherent characteristic of the product and its manufacturing process. The hazards of fire and of exposure to toxic solvent vapors are eliminated, both in the manufacturing process and also throughout the manufacturing supply chain all the way to the final product user.
10
Passive Minimize hazard using process or equipment design features which reduce frequency or consequence without the active functioning of any device EXAMPLE Containment dike around a hazardous material storage tank Passive safety features minimize hazards using process or equipment design features which either reduce the frequency or consequence of an incident without the active functioning of any device. For example, a containment dike surrounding a storage tank for a hazardous material is a passive safety device. The containment dike works because it exists, and is designed to capture and contain a spill of the hazardous material. The dike does not have to sense that a spill has occurred and take action in response – it functions because of its dimensions – area, wall height, wall thickness, material of construction, and so on. The containment dike can be designed to be highly reliable and robust, but it is not an inherent safety feature. The hazard still exists – the flammability or toxicity of the spilled material. While the dike mitigates the potential consequence of the spill in a very reliable fashion, it can fail. For example, the dike wall might be cracked, or the dike might be full of water from a rain storm, and the spilled material could overflow the dike.
11
Active Controls, safety interlocks, automatic shut down systems
Multiple active elements Sensor - detect hazardous condition Logic device - decide what to do Control element - implement action Prevent incidents, or mitigate the consequences of incidents EXAMPLES High level alarm in a tank shuts automatic feed valve A sprinkler system which extinguishes a fire Active safety systems include process control systems, safety interlocks, automatic shutdown systems, and automatic incident mitigation systems such as sprinkler systems to extinguish a fire. These active systems are designed to sense a hazardous condition and take an appropriate action. Active systems may be designed to prevent an incident, or to minimize the consequences of an incident. For example, a tank might have a high level interlock which shuts off a pump feeding the tank and closes the feed valve – this system is designed to prevent a tank overflow. A fire sprinkler system is an example of an active safety system which mitigates the consequences of an incident. The sprinkler system is designed to reduce the consequences of a fire – it does not prevent the fire. In fact, many sprinkler systems are activated by sensing a small fire which has already occurred, and are intended to put out the fire before it becomes large. Active systems include multiple active elements. 
Most will include: A sensor of some kind, which will detect a hazardous condition A logic device, which receives a signal from the sensor, determines what must be done, and sends a signal to some device to implement the required action A control element, which implements the action in response to the hazardous condition For example, an interlock to prevent overflowing a tank may include: a level sensor which measures the liquid level in the tank a logic device which receives the level signal and determines if the tank level is too high, approaching overflow, and sends a signal to the control element one or more control elements, perhaps a valve on the feed to the tank which will be closed, or a pump which is filling the tank and which can be turned off This is an example of an active system which is designed to prevent an incident – it prevents the overflow of a tank. A sprinkler system includes some kind of a sensing element to detect a fire – perhaps a fusible link in a sprinkler head. This may also serve as the logic device (the selected temperature for the fusible link to melt is using the logic “if the temperature exceeds the melting point, there is a fire”), and the melting of the fusible link allows water to flow through the sprinkler and extinguish the fire. The sprinkler is an example of an active safety system which is intended to mitigate the effects of a fire. It does not prevent a fire – in fact, the sprinkler will not be activated until the fire occurs. The sprinkler is intended to minimize the consequences of a fire. All of these active elements are potential failure points in the active safety system. Reliability of the system requires ongoing maintenance and testing throughout the life of the system.
12
Procedural Standard operating procedures, safety rules and standard procedures, emergency response procedures, training EXAMPLE Confined space entry procedures Procedural safety features include standard operating procedures, safety rules and procedures, operator training, emergency response procedures, and management systems. For example, confined space entry procedures establish the requirements for entry into any confined space – ensuring a safe and breathable atmosphere, ensuring that mechanical equipment such as an agitator in a vessel to be entered is de-energized, and so on. In general, for a high hazard process system, procedural risk management systems may not, by themselves, provide adequate risk management for a highly hazardous process operation. Human reliability is not high enough, and people often cannot diagnose a problem, determine the appropriate action, and take that action quickly enough for a chemical process. However, procedural safety systems will always be a part of a comprehensive risk management program – at a minimum they will be required to ensure ongoing maintenance and management of active and passive safety systems.
13
Human Reliability
Probability of incorrect diagnosis – single control room event
Available response time (minutes)    Probability of incorrect diagnosis
1                                    ~1.0
10                                   0.5
20                                   0.1
30                                   0.01
60                                   0.001
Here is some data for human response, from research done by the former US Nuclear Regulatory Commission to understand the reliability of operators of nuclear power plants. This particular data shows the probability of incorrect diagnosis of a single event in a control room as a function of the amount of time that the operator has to determine what has happened. If the operator must diagnose the event within one minute, the operator is almost certain to get it wrong – the probability of failure approaches 1. As the operator has more time to receive the information and think about what it means, the probability that he or she incorrectly diagnoses the event decreases – people become more reliable, more likely to get it right. But, even the best human performance is likely to be inadequate for managing risk for a major event. This data is for a single control room event. Now think about the many events which will occur in the course of a normal 8 hour work shift in a chemical plant, some of them perhaps signaling a deviation which could result in an accident. Even the lowest human error probability reported by Swain (1 in 1000 per event) is probably a couple of orders of magnitude too high to be considered adequate for safety in the absence of other safety systems and devices. Also, often a chemical process requires a rapid response to maintain a safe state following some kind of disturbance, and the reliability of people to correctly respond in a much shorter time will be lower. For these reasons, many chemical plants require extensive automatic safety alarms and interlocks – people cannot be expected to diagnose an event and properly respond to it quickly enough to ensure safety. Source: Swain, A.D., Handbook of Human Reliability Analysis, August 1983, NUREG/CR-1278-F, U.S. Nuclear Regulatory Commission
14
Batch Chemical Reactor Example
Hazard of concern – runaway reaction causing high temperature and pressure and potential reactor rupture Example – Morton International, Paterson, NJ runaway reaction in 1998, injured 9 people Let's review these safety strategies for a specific example. The process is a simple exothermic batch reaction in which two or more reactants are added to a reactor, perhaps along with other materials such as solvents, and reacted to produce a desired product. The reaction may be exothermic – it may generate heat which must be removed to keep the reaction mixture from boiling, or perhaps the reactor contents could decompose at some elevated temperature. In this case there is a potential for a runaway reaction – the temperature and pressure of the reactor cannot be controlled by the cooling system and the reactor could rupture due to high pressure – an explosion of the reactor. An example of this kind of runaway reaction occurred at the Morton International plant in Paterson, New Jersey in 1998. The explosion injured 9 people and contaminated the surrounding environment with released material. You can find a complete report on this incident at the United States Chemical Hazard and Investigation Board (the “Chemical Safety Board”) web site at
15
Inherent Develop chemistry which is not exothermic, or mildly exothermic Maximum adiabatic reactor temperature < boiling point of all ingredients and onset temperature of any decomposition or other reactions, and no gaseous products are generated by the reaction The reaction does not generate any pressure, either from confined gas products or from boiling of the reactor contents The inherently safer design strategy for a batch chemical reaction process would be to develop a chemistry which is not exothermic, or is only mildly exothermic. To consider the reactor inherently safer with respect to runaway reaction hazard, the maximum adiabatic reaction temperature – the maximum possible temperature that the reaction mixture could reach assuming 100% reaction of all reactants and no removal of heat – would be less than the boiling point of all materials in the reactor, less than the boiling point of the reaction mixture (which might boil at a lower temperature than any of the individual components if the components form an azeotrope), and less than the decomposition temperature of all components and of the reaction mixture. This means that the reaction is not capable of causing any pressure in the reactor, either from boiling of the reactor contents or from decomposition of any materials. There is no hazard of runaway reaction.
16
Inherent A reactor for this process can be pretty simple. If the materials are not toxic or flammable, the reactor might not even have to be a closed vessel. From a safety viewpoint, it would not be necessary to control the rate of reactant addition, cooling is not required – although it might be provided for product quality purposes. Temperature and pressure instrumentation can be simple and basic because these measurements are not safety critical. The reaction is not capable of generating pressure, so the reaction chemistry will not impact the design of any overpressure protection system such as a relief valve or rupture disk. What kind of reaction might this be? An example would be reacting very dilute aqueous sodium hydroxide solution with vinegar (dilute acetic acid). And there are many other more useful reactions which might meet these criteria.
17
Passive Maximum adiabatic pressure for reaction determined to be 150 psig From vapor pressure of reactor contents or generation of gaseous products Run reaction in a 250 psig design reactor Hazard (pressure) still exists, but passively contained by the pressure vessel As an example of a passive strategy for managing runaway reaction risk, assume that the chemists are not able to identify a reaction which satisfies the criteria for an inherently safer design for the production of a desired product. The best they can do is to identify a reaction which is exothermic, and which is determined to result in a maximum adiabatic reaction pressure of 150 psig, assuming 100% reaction of all reactants and no removal of heat. The pressure comes either from boiling of the volatile reactor components, or from generation of gaseous reaction products. This reaction is extremely well understood and characterized, and it is known with absolute confidence and laboratory testing that the maximum pressure is 150 psig. The engineers design a 250 psig reactor for this reaction. The reactor provides passive safety with respect to the hazard of a runaway reaction – it is capable of containing the maximum possible pressure from the reaction. But this is not inherent – the hazard can still exist – the maximum adiabatic pressure of 150 psig is possible. The 250 psig design reactor contains this pressure because of its design – the thickness of the metal, the strength of the bolts and flanges, the design of the gaskets, and all of the other aspects of pressure vessel design. But a failure is still possible, and the pressure could be released causing an explosion. The reactor vessel could be damaged, it could be improperly fabricated, it could be corroded, it could have a bad gasket, the bolts might be left out of some of the flanges. 
So, while a passive approach can be very robust and reliable, there is still a potential for an incident because the hazard still exists, even though it is passively contained.
18
Passive Now the reaction must be run in a pressure vessel. This will be more elaborate, requiring construction and operation to meet the relevant pressure vessel codes. A pressure relief valve will be required, although the design basis will not be the runaway reaction because the reaction is known to not be capable of overpressurizing the reactor. The design basis of the relief valve will be based on some other overpressure scenario – perhaps fire exposure, filling the vessel with all of the outlet line valves closed, overheating with steam, for example.
19
Active Maximum adiabatic pressure for 100% reaction is 150 psig, reactor design pressure is 50 psig Gradually add limiting reactant with temperature control to limit potential energy from reaction Use high temperature and pressure interlocks to stop feed and apply emergency cooling Provide emergency relief system In many cases it may not be feasible to design a reactor strong enough to contain the maximum adiabatic pressure from an exothermic reaction. Perhaps the process is to be operated in an existing reactor which has a particular design rating. Or, the maximum adiabatic pressure may be so high that it is not practical to build a reactor strong enough. In this example, a reaction capable of generating 150 psig maximum adiabatic reaction pressure is to be done in a reactor rated for 50 psig. The reaction is to be operated as a “semi-batch” process – all of the batch process ingredients – solvents, catalysts, any other additives, and all reactants which can be pre-charged without any reaction occurring are added to the reactor. Then, the remaining reactant(s) is (are) charged gradually, at a rate such that there is little or no accumulation of unreacted material in the reactor, and such that the reactor cooling is capable of removing the heat of reaction as fast as it is liberated. The reactor is provided with a high temperature and a high pressure interlock which will shut off the reactant feed if the temperature or pressure exceeds a specified safe value. Since the feed rate is specified such that there is minimal unreacted material in the reactor, if there is some kind of a deviation which causes high temperature or pressure (for example, loss of cooling), stopping the feeds will stop the generation of heat and put the reactor into a safe state. 
However, this is an active system and requires the proper functioning of a number of components – the temperature (or pressure) sensor; the logic device which receives the temperature (or pressure) signal, compares it to the specified safe value, and sends a signal to take the specified action; and also a field element which takes the specified action – a valve which must close or a pump which must be stopped, for example. Any of these components could fail. As a further active backup, the reactor would be provided with an emergency relief system – a pressure relief valve or rupture disk – to prevent reactor overpressure. These are also active systems – the relief valve must sense the pressure and open, or the rupture disk must burst. Also, it is important to confirm that the emergency relief system discharges to a safe place.
20
Active The reactor is beginning to look more complicated. It now requires a high temperature safety interlock and a high pressure interlock which shut off the reactant feed. This additional equipment costs money – and it is not just the initial installation cost. How do you know that the high temperature interlock will work if it is needed? If the reaction is run properly, the temperature will never get too high, and how do you know that this equipment will work on the day, perhaps many years later, when the temperature actually does get too high? The only way you can ensure reliability of the interlocks is through periodic testing, at an interval to be determined based on how reliable the interlock needs to be. There is a consensus standard – ISA S84.01 (ISA – International Society for Automation) which describes the procedure for determining how reliable a safety interlock needs to be, and how to design an interlock to meet the reliability requirements. And remember that this ongoing need to maintain and test the safety interlock equipment also means an ongoing operating cost through the life of the plant. For many systems, this life cycle maintenance and testing cost may be even more than the initial installation cost.
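The feed interlock from the Active slides, as an added Python sketch (not part of the original presentation): sensor readings go to a logic device, which commands the feed valve, and each element can be made to fail. The trip points, the linear pressure relation, the heat-balance numbers and the fail-safe handling of bad readings are constructed assumptions; only the 50 psig design pressure comes from the slide.

```python
import math
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed trip points; DESIGN_PRESS_PSIG is the reactor rating from the slide.
HIGH_TEMP_C = 80.0
HIGH_PRESS_PSIG = 35.0
DESIGN_PRESS_PSIG = 50.0

Sensor = Callable[[int, float], float]  # (minute, true value) -> reading


def healthy(minute: int, true_value: float) -> float:
    """A sensor that reports the true process value."""
    return true_value


def frozen_at(value: float) -> Sensor:
    """Undetected failure: the sensor keeps reporting a normal-looking value."""
    return lambda minute, true_value: value


def fails_at(fault_minute: int) -> Sensor:
    """Detected failure: the sensor returns NaN from fault_minute onward."""
    return lambda minute, true_value: (
        float("nan") if minute >= fault_minute else true_value)


def trip_demanded(temp_c: float, press_psig: float) -> bool:
    """Logic device: compare both readings with the specified safe values."""
    for reading in (temp_c, press_psig):
        # Assumption of this example: an invalid reading demands a trip.
        if reading is None or math.isnan(reading):
            return True
    return temp_c >= HIGH_TEMP_C or press_psig >= HIGH_PRESS_PSIG


def pressure_from_temp(temp_c: float) -> float:
    """Constructed linear stand-in for the pressure of the reactor contents."""
    return 0.5 * (temp_c - 20.0)


@dataclass
class BatchResult:
    trip_minute: Optional[int]   # minute the logic device demanded a trip
    peak_temp_c: float
    peak_press_psig: float

    @property
    def exceeds_design_pressure(self) -> bool:
        return self.peak_press_psig > DESIGN_PRESS_PSIG


def run_batch(temp_sensor: Sensor = healthy, press_sensor: Sensor = healthy,
              valve_closes: bool = True, cooling_lost_at: int = 10,
              feed_minutes: int = 120) -> BatchResult:
    """Semi-batch feed with no accumulation: heat is released only while
    reactant is being fed. Cooling is lost at cooling_lost_at (the deviation)."""
    temp, feeding, trip_minute = 40.0, True, None
    peak = temp
    for minute in range(feed_minutes):
        press = pressure_from_temp(temp)
        if trip_minute is None and trip_demanded(
                temp_sensor(minute, temp), press_sensor(minute, press)):
            trip_minute = minute
            feeding = not valve_closes      # control element may fail to act
        heat_in = 2.0 if feeding else 0.0   # degC per minute while feeding
        cooling = 0.1 * (temp - 20.0) if minute < cooling_lost_at else 0.0
        temp += heat_in - cooling
        peak = max(peak, temp)
    return BatchResult(trip_minute, peak, pressure_from_temp(peak))


if __name__ == "__main__":
    scenarios = {
        "all elements healthy": {},
        "temperature sensor frozen": {"temp_sensor": frozen_at(40.0)},
        "both sensors frozen": {"temp_sensor": frozen_at(40.0),
                                "press_sensor": frozen_at(10.0)},
        "feed valve fails to close": {"valve_closes": False},
        "temperature sensor fault detected": {"temp_sensor": fails_at(5)},
    }
    for name, kwargs in scenarios.items():
        r = run_batch(**kwargs)
        print(f"{name}: trip at {r.trip_minute}, peak {r.peak_temp_c:.0f} degC, "
              f"{r.peak_press_psig:.0f} psig, "
              f"over design pressure: {r.exceeds_design_pressure}")
```

With one frozen sensor the independent pressure channel still stops the feed; with both sensors frozen or a stuck valve, the batch in this model runs past the design pressure and only the emergency relief system is left.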
21
Procedural Maximum adiabatic pressure for 100% reaction is 150 psig, reactor design pressure is 50 psig Gradually add limiting reactant with temperature control to limit potential energy from reaction Train operator to observe temperature, stop feeds and apply cooling if temperature exceeds critical operating limit Another approach to controlling the reaction might be to design the reactor as shown in the previous slides, but rather than installing an automatic reactant feed shutdown system, you could train the operator to carefully observe the temperature, and have him manually shut down the reactant feed if it exceeds the specified safe value. In general, for a high hazard system, procedural risk management systems do not, by themselves, provide adequate risk management. Human reliability is not high enough, and people often cannot diagnose a problem, determine the appropriate action, and take that action quickly enough. Remember the data on human response on Slide 13 of this presentation – it is likely that, for a very exothermic reaction, the operator would have to recognize and respond to the high temperature within a few minutes. However, procedural safety systems will always be a part of a comprehensive risk management program – at a minimum they will be required to ensure ongoing maintenance and management of active and passive safety systems.
22
Procedural The reactor looks much the same, except that, instead of an automatic system to stop the reactant feeds, we rely on the operator to observe an unsafe condition and take the required action.
23
Which strategy should we use?
Generally, in order of robustness and reliability: Inherent Passive Active Procedural But - there is a place and need for ALL of these strategies in a complete safety program In general, inherent and passive strategies are the most robust and reliable, but elements of all strategies will be required for a comprehensive process safety management program when all hazards of a process and plant are considered. In many cases, you may not be able to design an inherently safer system which eliminates the hazards – for example, if you are manufacturing gasoline, you cannot eliminate flammability hazards because the property of the gasoline (flammability) which makes it useful is the same property which makes it hazardous. For a chemical plant, you will need a combination of all risk management strategies. The designer should look for inherent and passive options wherever feasible, and then proceed to identify active and procedural options if there are no feasible inherent and passive options.
24
Layers of Protection
The application of these process safety strategies is often shown as a series of “layers of protection” surrounding a process. The inherent process risk is managed by the addition of a series of passive, active, and procedural risk management systems as shown in the figure. These safety features include things like the basic process design and control, operator supervision, alarms, automatic safety systems and alarms, physical protection devices such as pressure relief valves and containment dikes, and, finally, plant and community emergency response systems.
25
Multiple Layers of Protection
The layer of protection concept can also be thought of as a series of barriers to the process risk, as illustrated in this picture. The width of the arrows represents the relative risk of the process as various layers of protection are applied. The inherent process risk, at the top, is reduced by a series of layers of protection. These layers are not perfect barriers – like nearly anything in the world, they can fail, so the layers of protection are like barriers with holes in them. A more reliable layer of protection will have fewer or smaller holes. Each layer reduces the process risk, but none of the layers can completely eliminate the risk. There is a small residual risk which must be accepted by those responsible for building, operating, and granting operating permission to the facility.
26
Degraded Layers of Protection
Layers of protection, particularly active and procedural, require constant maintenance and management to ensure that they continue to function as designed. If this is not done, the performance of the layer of protection will degrade – it will become less reliable. For example, perhaps the plant fails to properly maintain the safety interlocks, or new operators are not properly trained on all of the safety procedures. In this analogy, there will be more, or larger, holes – as shown in this picture. The actual risk of the operation will increase – perhaps to an unacceptable level.
27
“Inherently Safe” Process
• No additional layers of protection needed
• Probably not possible if you consider ALL potential hazards
• But, we can be “Inherently Safer”
An ideal “inherently safe” process would not require any additional layers of protection. The inherent risk of the process is low enough to be accepted by all stakeholders. A truly “inherently safe” process is not generally possible when considering all process hazards. It is better to describe a process as “inherently safer” compared to another alternative, and normally with reference to a particular hazard or group of hazards. An inherently safer process may still require layers of protection, but probably not as many, and they may not have to be as reliable.
28
Inherently Safer Process Risk
Again using the “sieve” analogy, a true “inherently safer” process, if this were possible, would not require any layers of protection. The inherent risk of the process would be sufficiently low that no additional safety systems would be required. This is not likely to ever be possible when considering all of the multiple hazards associated with any real chemical process. Management of all hazards will require a combination of all safety strategies.
29
Managing multiple hazards – Process Option No. 1
[Figure: hazards of the process (Toxicity, Explosion, Fire, …) and the strategy used to manage each. Hazard 1 – Inherent; Hazard 2 – Passive, Active, Procedures; Hazard 3 – Passive, Active, Procedures; Hazard n – ????]
This figure illustrates the importance of considering multiple hazards in technology selection, and also why it will always be necessary to include elements of all risk management strategies – inherent, passive, active, and procedural – in a complete risk management program for all hazards. The figure describes a generic technology which can be described as inherently safer with respect to acute toxicity hazards. However, this technology requires passive, active, and procedural risk management systems to manage explosion and fire risks to tolerable levels, and there may be other hazards in the process which are not shown in the figure.
30
Managing multiple hazards – Process Option No. 2
[Figure: hazards of the process (Toxicity, Explosion, Fire, …) and the strategy used to manage each. Hazard 3 – Passive, Active, Procedures; Hazard 2 – Passive, Active, Procedures; Hazard 1 – Inherent; Hazard n – ????]
This figure shows a possible alternative technology for the same product. This technology can be described as inherently safer with respect to fire hazards, but it requires active, passive, and procedural safety systems to manage acute toxicity and explosion hazards. Which technology is inherently safer – the one in this figure or the one in the previous slide? There is no general answer. It depends on the relative magnitude of the potential accidents which can result from the different hazards, and the relative importance attached to those consequences. How important is injury from fire compared to injury from toxic material exposure? In many cases, there is no correct answer, and society must make difficult choices.
31
Inherently Safer Design Strategies
How does the engineer go about considering ISD when designing or operating a chemical process? In the next few slides we will review some approaches to inherently safer design.
32
Inherently Safer Design Strategies
• Minimize
• Moderate
• Substitute
• Simplify
The Center for Chemical Process Safety has categorized strategies for designing inherently safer processes into four groups:
• Minimize – use small quantities of hazardous materials, reduce the size of equipment operating under hazardous conditions such as high temperature or pressure
• Substitute – use less hazardous materials, chemistry, and processes
• Moderate – reduce hazards by dilution, refrigeration, process alternatives which operate at less hazardous conditions
• Simplify – eliminate unnecessary complexity, design “user friendly” plants
33
Minimize
Use small quantities of hazardous substances or energy
• Storage
• Intermediate storage
• Piping
• Process equipment
“Process Intensification”
To minimize is to reduce the quantity of material or energy contained in a manufacturing process or plant. Another common term for “minimize” is intensify, and there are many literature references for process intensification. We often think of process minimization as resulting from the application of innovative new technology to a chemical process — for example, tubular reactors with static mixing elements, centrifugal distillation techniques, or innovative, high surface area heat exchangers. However, plant inventories of hazardous material can be reduced significantly by applying good engineering principles with conventional technology. When designing a plant, every piece of process equipment should be specified to be large enough to do its job, and no larger. Minimize the size of raw material and in-process intermediate storage tanks, and question the need for in-process storage of hazardous materials. Raw material and in-process storage tanks and pipelines often represent a major portion of the risk of a chemical plant. Attention to the design of storage and transfer equipment can reduce hazardous material inventory. Storage tanks for raw materials and intermediates are often much larger than really necessary, usually because this makes it “easier” to operate the plant. The operating staff can pay less attention to ordering raw materials on time, or can accept downtime in a downstream processing unit because upstream production can be kept in storage until the downstream unit is back on line. This convenience in operation can come at a significant cost in the risk of loss of containment of the hazardous materials being stored. The process design engineers and operating staff must jointly determine the need for all intermediate hazardous material storage, and minimize quantities where appropriate.
Pipes carrying hazardous material should be large enough for the required flow, and should not be significantly larger. Remember that a 4 inch pipe will have an inventory 4 times as large as a 2 inch pipe, resulting in a larger potential spill if the pipe leaks or fails. Also, pay attention to equipment layout and pipe routing for hazardous materials to minimize the length of pipes. The designer should consider options to minimize the inventory of hazardous material in all process equipment – heat exchangers, distillation columns, reactors, tanks, and other equipment. Understand the inventory in each piece of equipment and look for opportunities to reduce that inventory.
34
Benefits
• Reduced consequence of incident (explosion, fire, toxic material release)
• Improved effectiveness and feasibility of other protective systems – for example:
  • Secondary containment
  • Reactor dump or quench systems
Clearly, making equipment which contains hazardous material or energy smaller is beneficial from a safety viewpoint because it reduces the amount of material or energy which is available in case of loss of containment. Ideally the quantity would be reduced so much that it would not be capable of hurting anybody or doing significant damage even if it was all released. That may not be possible, but any change in a process which reduces the quantity of hazardous material or energy in the system is a safety benefit. Also, smaller equipment may make other safety systems more practical. For example, it may be feasible to locate a small reactor in a blast proof concrete bunker for a reasonable cost. But for a large reactor, the bunker might not be feasible for two reasons – it would have to be much larger because it would have to enclose a larger vessel, and, also, it would have to be stronger because the explosion from a large reactor would be more powerful. The bunker would be considered a passive safety device – it works because of its design and strength, without any components having to take any action. Similarly, for a process containing very toxic materials, isolation in a containment building may be feasible, and it would be more feasible if the equipment which must be contained is smaller. Smaller equipment may also make active safety systems more feasible. For example, take a hazardous exothermic reaction which can be quenched by adding water. You could design the reactor with an emergency dump valve which would drain the reactor contents to an emergency quench tank which contains a large volume of water, and have the dump valve automatically open if the reactor temperature goes above a specified safe limit.
But, if the reactor is very large, it would take a long time to drain the reactor – perhaps so long that the reaction mixture could not be quenched before the reactor is overpressurized. But, if the reactor could be made smaller – perhaps a few hundred gallons, it would be possible to empty the reactor into the quench tank in a few seconds – and the quench tank would also be much smaller because it would not have to quench as much reaction mixture. The nitration reaction example discussed in slides 36 to 40 is an example of a reactor which might use an emergency quench as a safety strategy.
35
Opportunities for process intensification in reactors
Understand what controls chemical reaction to design equipment to optimize the reaction Heat removal Mass transfer Mixing Between phases/across surfaces Chemical equilibrium Molecular processes Reactors are often the major contributors to risk from a chemical process. A complete understanding of reaction mechanism and kinetics is essential to the optimal design of a reactor system. This includes both chemical reactions and mechanisms, as well as physical factors such as mass transfer, heat transfer, and mixing. A reactor may be large because the chemical reaction is slow. However, in many cases the chemical reaction actually occurs very quickly, but it appears to be slow due to inadequate mixing and contacting of the reactants. Innovative reactor designs which improve mixing may result in much smaller reactors. Such designs are usually cheaper to build and operate, as well as being safer due to smaller inventory. In many cases, improved product quality and yield also result from better and more uniform contacting of reactants. With a thorough understanding of the reaction, the designer can identify reactor configurations that maximize yield and minimize size, resulting in a more economical process, reducing generation of by-products and waste, and increasing inherent safety by reducing the reactor size and inventories of all materials.
36
Generic Nitration Reaction
Organic substrate (X-H) + HNO3 → Nitrated Product (X-NO2) + H2O (with H2SO4, in solvent)
• Reaction is highly exothermic
• Usually 2 liquid phases – an aqueous/acid phase and an organic/solvent phase
The development of an inherently safer nitration process will be described as an illustration of ISD. This example shows how a good understanding of a chemical reaction process can be used to apply the ISD principle “minimize” to design a smaller, more efficient, and safer reactor. The generic chemistry for this organic nitration process is shown in the slide. This chemistry is extremely exothermic, and frequently involves multiple phases – an organic phase containing the substrate, and an aqueous phase containing the acids.
37
Semi-batch nitration process
The original manufacturing plant used a large batch reactor, approximately 6000 US gallons, for this reaction, as shown in the slide. The nitric acid feed took many hours – the acid had to be fed very slowly so the large heat of reaction could be removed from the batch and the appropriate batch temperature could be maintained, both for safety and product quality reasons.
38
What controls the rate of this reaction?
• Mixing – bringing reactants into contact with each other
• Mass transfer – from acid/aqueous phase (nitric acid) to organic phase (organic substrate)
• Heat removal
If the chemists and engineers understand what controls this reaction, they can use this knowledge to design a smaller and more efficient reactor. It turns out that the actual chemical reaction for the particular material being nitrated occurred very quickly, nearly instantaneously, once the molecules actually came into contact with each other. The reaction was slow in this particular reactor because the materials did not efficiently come into contact in the large reactor, and the heat of reaction could not be efficiently removed. The controlling factors for this reaction were:
• Bulk mixing of the nitric acid feed into the reaction mass in the reactor
• Mass transfer of nitric acid from the aqueous phase to the organic phase, where the organic substrate was located
• Removal of the heat of reaction
With this knowledge, the engineer can design a reactor to maximize:
• bulk mixing of materials
• interfacial surface area between the aqueous and organic phase to maximize mass transfer (in other words, to create smaller droplets of the suspended phase)
• heat transfer area in the reactor
39
CSTR Nitration Process
This drawing shows a continuous stirred tank reactor which accomplishes these objectives. It provides vigorous agitation and a large heat transfer capability. The volume of the reactor is approximately 100 US gallons, and it has the same manufacturing capacity as the 6000 gallon batch reactor.
40
Can you do this reaction in a tubular reactor?
Further intensification of this reaction may be possible. In some cases, a reaction of this type can be done in a tubular or eductor reactor with an inventory of only a few kilograms of reaction mass, as shown in this sketch. Kletz has reported in some of his publications on ISD that this process has been used for the manufacture of nitroglycerine.
41
“Semi-Batch” solution polymerization
This semi-batch solution polymerization process is conceptually similar to the nitration process. A solvent, several additives, and an initial small charge of a mixture of vinyl monomers is fed to the reactor and heated to the reaction temperature. When the batch reaches the polymerization temperature, a gradual addition of monomer and polymerization initiator is started at the proper ratio to give the desired polymer properties. The feed rate is selected such that the monomer reacts as it is fed, and there is little or no buildup of unreacted monomer. If something goes wrong – for example, loss of cooling – the monomer and initiator feeds can be stopped and there is little or no potential energy of reaction in the reactor because the monomer reacts as fast as it is fed. This is an inherently safer design compared to a batch reactor in which all of the reactants are charged at once, but can we do better?
42
What controls this reaction
• Contacting of monomer reactants and polymerization initiators
• Heat removal
• Temperature control important for molecular weight control
Think about what controls this reaction. In this case, there are two important factors that control the reaction – bringing the monomers and initiator into contact with each other so they can react, and heat removal so the reaction mixture does not boil and possibly overpressurize the reactor – and the reaction temperature is also important to controlling the polymer molecular weight and is important for product quality.
43
Tubular Reactor
It turns out that this reaction can be done in a plug flow reactor – actually a static mixer – a pipe with internal mixing elements that divide and re-combine the flow through the mixer to provide very efficient mixing. The monomer, solvent, and additives are pre-mixed in a feed tank, and this mixture is fed to the static mixer/reactor along with the polymerization initiator. The mixer/reactor is jacketed for cooling – and the heat transfer is very efficient with a high heat transfer area per unit volume of reactor, and when the mixture exits the static mixer/reactor the reaction is complete and the polymer is ready for use.
44
Substitute Replace a hazardous material with a less hazardous alternative Substitute a less hazardous reaction chemistry Substitution means the replacement of a hazardous material or process with an alternative which reduces or eliminates the hazard. Process designers, line managers, and plant technical staff should continually ask if less hazardous alternatives can be effectively substituted for all hazardous materials used in a manufacturing process. Examples of substitution in two categories are discussed - reaction chemistry and solvent usage. There are many other areas where opportunities for substitution of less hazardous materials can be found, for example, materials of construction, heat transfer media, insulation, and shipping containers. Going back to basic process research, the engineer should ask if there are alternate chemical synthesis routes using less hazardous raw materials or chemical intermediates which can be used to produce the desired product. Even if these synthesis routes are less desirable from a chemistry viewpoint, they may be more economical on a commercial scale if they avoid the expenses associated with safe handling of highly hazardous materials or processing steps.
45
Substitute materials Water based coatings and paints in place of solvent based alternatives Reduce fire hazard Less toxic Less odor More environmentally friendly Reduce hazards for end user and also for the manufacturer Replacement of volatile organic solvents with aqueous systems or less hazardous organic materials improves safety of many processing operations and final products. Some examples of solvent substitutions include: • Water based paints and adhesives, replacing solvent based products. Water based paints eliminate the fire and toxicity hazards of many common organic solvents, reduce the odor of the final paint product, eliminate volatile organic solvent pollution in the final application, and thereby reduce hazards both in manufacture and also in use by the final consumer. • Less volatile solvents with a higher flash point, used for agricultural formulations. In many cases, aqueous or dry flowable formulations for agricultural chemicals may be used instead of organic formulations. • Aqueous and semi-aqueous cleaning systems, used for printed circuit boards and other industrial degreasing operations. An understanding of the relationship between chemical structure and hazardous properties of materials is valuable in identifying inherently safer material substitutions. For example, hydrocarbons of higher molecular weight are generally less of a fire hazard than lower molecular weight materials of a similar structure. Benzene is a greater fire hazard than toluene, and toluene is more of a fire hazard than xylene. Similarly, longer chain aliphatic hydrocarbons are less of a fire hazard than shorter chain materials. Structure-property relationships can be developed for toxicological and other properties, and these can provide useful guidance in selecting potential alternate materials for use in a chemical manufacturing process.
46
Substitute Reaction Chemistry Acrylic Esters
• Acetylene - flammable, reactive
• Carbon monoxide - toxic, flammable
• Nickel carbonyl - toxic, environmental hazard (heavy metals), carcinogenic
• Anhydrous HCl - toxic, corrosive
• Product - a monomer with reactivity (polymerization) hazards
Reppe Process
The Reppe process for manufacture of acrylic esters uses acetylene and carbon monoxide, with nickel carbonyl catalyst having high acute and chronic toxicity, to react with an alcohol to make the corresponding acrylic ester. This process was used for the manufacture of acrylic monomers for use in polymers for paints and coatings, and many other applications, for many years until the 1970s. It involves many highly hazardous materials:
• Acetylene – highly flammable, and with a carbon-carbon triple bond, highly reactive
• Carbon monoxide – highly toxic (and particularly dangerous because it is odorless), and also flammable
• Nickel carbonyl – a very toxic material used as a catalyst in the Reppe process, it is also carcinogenic, and a major environmental hazard because of the nickel.
• Anhydrous HCl is very toxic by inhalation and also highly corrosive
• The product – the acrylic monomer – is self reactive (it will polymerize, which is why it is useful, but if it polymerizes in an uncontrolled manner, it can cause a storage vessel to explode), and the product must be stabilized with polymerization inhibitors.
47
Propylene Oxidation Process
Alternate chemistry Propylene Oxidation Process Inherently safe? No, but inherently safer. Hazards are primarily flammability, corrosivity from sulfuric acid catalyst for the esterification step, small amounts of acrolein as a transient intermediate in the oxidation step, reactivity hazard for the monomer product. Since the 1970s, most acrylic esters have been manufactured using the propylene oxidation process shown. Propylene is oxidized to acrylic acid, and the acid is then esterified with the appropriate alcohol (for example, ethanol to make ethyl acrylate) with a strong acid catalyst to make the desired ester. Is this process inherently safe? No – the process still has significant hazards. Propylene is a flammable gas, the reactions are exothermic, sulfuric acid is highly corrosive, the propylene oxidation process forms acrolein, a toxic material, as a transient intermediate which is present in the reactor, and, of course, the product acrylic monomer is still self reactive and can be unstable if not properly inhibited. However, overall, the hazards are inherently reduced, and the process, while not “inherently safe,” is “inherently safer” when compared to the Reppe process.
48
Moderate
• Dilution
• Refrigeration
• Less severe processing conditions
Moderate means using materials under less hazardous conditions. This is also called attenuation. Moderation of conditions can be accomplished by physical means such as lower temperature or dilution, and by chemical means such as using a different reaction chemistry which requires less severe conditions.
Dilution
Dilution reduces the hazards associated with the storage and use of a low boiling hazardous material in two ways — by reducing the storage pressure, and by reducing the initial atmospheric concentration if a release occurs. Materials which boil below ambient temperature are often stored in pressurized systems. The pressure in the storage system can be lowered by diluting the material with a higher boiling solvent. This reduces the pressure difference between the storage system and the outside environment, reducing the rate of release in case of a leak in the system. If there is a leak, the atmospheric concentration of the hazardous material at the spill location is reduced. The reduced atmospheric concentration at the source results in a smaller hazard zone downwind of the spill.
Refrigeration
Many hazardous materials, such as ammonia and chlorine, can be stored at or below the atmospheric boiling points with refrigeration. Refrigerated storage reduces the magnitude of the consequences of a release from a hazardous material storage facility in three ways:
• lower storage pressure
• reduced immediate vaporization of leaking material, and subsequent evolution of vapors from the spilled pool of liquid
• reduced or no liquid aerosol formation
Less Severe Processing Conditions
Processing under less severe conditions, close to ambient temperature and pressure, increases the inherent safety of a chemical process. Some examples include:
• Semi-batch or gradual addition batch processes limit the supply of one or more reactants, and increase safety when compared to batch processes in which all reactants are included in the initial batch charges. For an exothermic reaction, the total energy of reaction available in the reactor at any time is minimized.
• Advances in catalysis will result in the development of high yield, low waste manufacturing processes. Catalysts frequently allow the use of less reactive raw materials and intermediates, and less severe processing conditions.
49
Dilution
• Aqueous ammonia instead of anhydrous
• Aqueous HCl in place of anhydrous HCl
• Sulfuric acid in place of oleum
• Wet benzoyl peroxide in place of dry
• Dynamite instead of nitroglycerine
Examples of materials which have been handled in a dilute form to reduce the risk of handling and storage include:
• Aqueous ammonia or methylamine in place of the pure material
• Muriatic acid (approximately 37% aqueous HCl) in place of anhydrous HCl
• Sulfuric acid in place of oleum (SO3 solution in sulfuric acid)
• Benzoyl peroxide (a solid material) is a common polymerization initiator. In its pure form, it is very unstable and has caused a number of explosions. (See, for example, the Catalyst Systems Inc. Reactive Chemical Explosion, Gnadenhutten, OH investigation report from the United States Chemical Safety and Hazard Investigation Board.) But, benzoyl peroxide is much more stable if handled as a water wetted paste.
• A very familiar example is dynamite. We all know that nitroglycerine is very unstable and explosive. Alfred Nobel discovered that if nitroglycerine is absorbed on an inert carrier, such as clay, it becomes much more stable, and safer to use as an explosive. While not inherently safe, it is inherently safer than pure nitroglycerine.
50
Effect of dilution
The graph shows how the area impacted by a leak of hazardous material can be reduced significantly by dilution. It compares the centerline concentration of ammonia as a function of distance for two ammonia release scenarios – a rupture of a 2 inch transfer pipe filled with either pure ammonia or aqueous ammonia solution. At any given distance, the concentration is much lower for the aqueous ammonia system.
51
Impact of refrigeration
The table illustrates the reduction in hazard distance, as defined by the distance to the Emergency Response Planning Guideline 3 (ERPG 3) concentration, which can be obtained by refrigeration of monomethylamine (CH3NH2). The ERPG-3 concentration is defined as the concentration below which it is believed nearly all individuals could be exposed for up to one hour without experiencing or developing life-threatening effects. Marshall, et al. provide a series of case studies which evaluate the benefits of refrigerated storage for six materials – ammonia, butadiene, chlorine, ethylene oxide, propylene oxide, and vinyl chloride. They conclude that “refrigerated storage is generally safer than pressurized storage” for all of the chemicals studied except ammonia. Ammonia was reported to be an exception “due to a density shift with temperature making it heavier than the surrounding air.” Other materials may give similar results, and it is essential that the designer fully understand the consequences of potential incidents. Marshall, J., A. Mundt, M. Hult, T. C. McKealvy, P. Myers, and J. Sawyer (1995). “The Relative Risk of Pressurized and Refrigerated Storage for Six Chemicals.” Process Safety Progress 14, 3 (July),
52
Less severe processing conditions
Ammonia manufacture 1930s - pressures up to 600 bar 1950s - typically bar 1980s - plants operating at pressures of bar were being built Result of understanding and improving the process Lower pressure plants are cheaper, more efficient, as well as safer Improvements in ammonia manufacturing processes have reduced operating pressures. In the 1930’s ammonia plants operated at pressures as high as 600 bar. In the 1950’s, process improvements had reduced operating pressures to bar. By the 1980’s, ammonia processes operating in the bar range were being built. Besides being safer, the lower pressure plants are also cheaper and more efficient. Kharbanda, O. P., and E. A. Stallworthy (1988). Safety in the Chemical Industry. London: Heinemann Professional Publishing, Ltd.
53
Simplify
• Eliminate unnecessary complexity to reduce risk of human error
• QUESTION ALL COMPLEXITY! Is it really necessary?
Simplify means designing to eliminate unnecessary complexity, reducing the opportunities for error and incorrect operation. A simpler plant is generally safer and more cost effective than a complex one.
54
Simplify - eliminate equipment
• Reactive distillation methyl acetate process (Eastman Chemical)
• Which is simpler?
The combination of several unit operations into a single piece of equipment can eliminate equipment and simplify a process. There may be inherent safety conflicts resulting from this strategy. Combining a number of process operations into a single device increases the complexity of that device, but it also reduces the number of vessels or other pieces of equipment required for the process. Careful evaluation of the options with respect to all hazards is necessary to select the inherently safer overall option. Reactive distillation is a technique for combining a number of process operations in a single device. The slide compares a reactive distillation process (left) for the manufacture of methyl acetate to an older process (right). The reactive distillation process reduces the number of distillation columns from eight to three, and eliminates an extraction column and a separate reactor. Inventory is reduced and auxiliary equipment (for example, reboilers, condensers, pumps, and heat exchangers) is eliminated. The reactive distillation process also has significant reductions in both capital investment and operating cost.
Agreda, V. H., L. R. Partin, and W. H. Heise (1990). “High-Purity Methyl Acetate Via Reactive Distillation.” Chemical Engineering Progress, (February),
Doherty, M., and G. Buzad (1992). “Reactive Distillation by Design.” The Chemical Engineer, (27 August), s17-s19.
Siirola, J. J. (1995). “An Industrial Perspective on Process Synthesis.” AIChE Symposium Series 91,
55
Modified methyl acetate process
• Fewer vessels
• Fewer pumps
• Fewer flanges
• Fewer instruments
• Fewer valves
• Less piping
• ......
By eliminating major pieces of process equipment, you eliminate all of the associated equipment and piping. Equipment which does not exist cannot leak. The reactive distillation process has fewer opportunities for leaks from all of the equipment listed in the slide.
56
But, it isn’t simpler in every way
• Reactive distillation column itself is more complex
• Multiple unit operations occur within one vessel
• More complex to design
• More difficult to control and operate

But, inherently safer design, like any other engineering design problem, may involve trade-offs. “No good deed goes unpunished!” While the overall plant for the reactive distillation process is simpler and has fewer pieces of equipment, the reactive distillation column itself is more complex and multiple operations go on at the same time in the column – primarily reaction and separation by distillation. It is more complex to design, requires a more thorough understanding of the chemistry and physics of the operations, and is more difficult to control and operate. The design engineer must understand all of the conflicts in alternative designs in order to choose the best alternative to meet all of the objectives of the plant design.
57
Single, complex batch reactor
This batch reactor is used for a complex multi-step organic synthesis. All process steps are done in the single reactor vessel.

The first step is an extremely exothermic reaction (Solvent A, and reactants B and C are charged to the reactor in this step) which is very fast and must be done at very low temperature. So, the reactor requires refrigerated brine cooling to allow the reaction temperature to be maintained at about 0 degrees C. Because the reaction is very exothermic, a large rupture disk is required to provide overpressure protection in case of loss of control.

The next reaction step is a slow reaction which liberates a small amount of heat. Reactant D, a very toxic material, is added to the reaction product from the first step, and the reaction temperature is about 30 degrees C. The batch is allowed to warm up to 30 degrees C when the reactant is fed, and then cooling is required to remove the relatively small amount of heat. Refrigerated brine cannot be used because the reaction product will freeze on the cooling coils at low temperature. So, in this step, cooling tower water at about 20 degrees C is used on the reactor jacket to provide cooling.

The final step is a solvent exchange. Solvent A must be replaced with Solvent E. Solvent A is batch distilled from the batch by heating with steam, with the vapors condensed and collected in a receiver for recycle to a subsequent batch. When the distillation is complete, Solvent E is added to the batch.

This single reactor has a number of possible hazardous interactions. First of all, all reactants are connected to the same reactor, and could be accidentally charged at the wrong time because of human error or equipment failure. You could have steam on the reactor jacket during the first, highly exothermic reaction step. You could have refrigerated brine on the coils during the second reaction step, and freeze material on the coils. The large rupture disk could fail, releasing the very toxic Reactant D during the second reaction step.

Also, the reactor is not optimized for any of the process steps. The same vessel must accomplish all tasks, and so compromises must be made; the design cannot be optimized for any single step.
58
A sequence of simpler batch reactors for the same process
Now, let’s take that same process and run it in three separate vessels. Each can be optimized for the intended service, and each vessel only has the required materials and utilities connected to it. Now it is not possible to have refrigerated brine cooling during the second reaction step, or steam heat during either of the reaction steps. The potential for hazardous interactions due to human error or mechanical failure is greatly reduced. But, in some ways the single vessel might be considered more inherently safe – it does not require the transfer of material from one vessel to another. This may be desirable if some of the process intermediates are highly toxic or otherwise hazardous. Again, the designer needs to consider all aspects of the hazards for the process options when making the choice, and the best solution will depend on all of the specific characteristics of a real process.
59
Inherent Safety Considerations through the Process Life Cycle
(Use manufacture of acrylate esters as an example)

Process design starts with the selection of a basic technology for a process operation, and then gets into more and more detailed design as the development continues through the construction and operation of a plant. The philosophy of ISD applies at all stages in the process design, but the available options change. The best opportunities for implementation of inherently safer design are early in product or process research and development. At this point, there has not been any commitment to a particular technology, resources have not been expended on research and development which would have to be done over again, potential customers have not committed to using products produced by a certain technology and developed their processes to fit this product, and capital has not been extended to build a plant to implement a particular technology. As the process moves through the life cycle, it becomes more difficult to change the basic technology. However, it is never too late to consider ISD – but options for implementation may be more limited in an existing plant.

To illustrate how ISD can be applied at various levels of process development and design, acrylic ester manufacture, as discussed earlier, will be used as an example.
60
Research
Basic technology
• Reppe process
• Propylene oxidation followed by esterification
• Other alternatives
  • propane based
  • Others - ????

There are many ways to manufacture acrylic esters – for example, the Reppe process, the propylene oxidation process, and others which have not been discussed in detail, such as oxidation of propane. These various technologies have differing ISD characteristics relative to different hazards of concern, as discussed earlier. To consider ISD for basic technology selection, the decision maker must understand the hazards of concern and the inherent safety characteristics of the available process options relative to those hazards. It is important to evaluate the inherent hazards associated with various chemical synthesis routes for a desired product, and to encourage research chemists to search for alternative routes that eliminate hazards.
61
Process Development
Implementation of selected technology
• Oxidation catalyst options
  • Temperature
  • Pressure
  • Selectivity
  • Impurities
  • Catalyst hazards
• Esterification catalyst options
  • Sulfuric acid
  • Ion exchange resins or other immobilized acid functionality catalysts

Once the basic technology has been selected, there may be many options available for actual implementation of that technology. Again, using the acrylic ester example, there are a variety of catalyst options which will have different temperature and pressure requirements. Improved selectivity of the catalyst will reduce formation of impurities and reduce the size of downstream purification equipment (minimize). But the different catalyst options may have different hazard characteristics themselves – most are heavy metal catalysts on an inert carrier. And there are options for catalyst selection in the acrylic acid esterification step as well – the classical esterification that most students do in the organic chemistry laboratory uses sulfuric acid catalyst, but there are other options such as ion exchange resins or other catalysts which provide the acid functionality in an immobilized (and safer) form.

These decisions cannot be made solely on the basis of inherent safety – this is one of the many considerations which must be made when selecting the best process – you need to consider all important parameters – product quality, investment cost, operating cost, raw material cost, environmental emissions, waste generation, state of the art and technical feasibility of the process, etc.
62
Preliminary Plant Design
• Plant location
• Plant site options
• Plant layout on selected site
• Consider
  • People
  • Property
  • Environmentally sensitive locations

At this point in the process life cycle, the designer must consider ISD for a specific plant design. Factors might include:
• location of the plant relative to surrounding population, in-plant occupied areas, sensitive environmental areas, etc.
• general layout of the equipment on the plant site once it has been selected
• number of parallel systems and size of those systems (one big plant, or two or more smaller plants, for example)
63
Detailed Plant Design
• Equipment size
• Inventory of raw materials
• Inventory of process intermediates
• One large train vs. multiple smaller trains
• Specific equipment location
• …

The designer should consider ISD in the detailed design of each piece of equipment in the plant. There are many options in the design of equipment such as heat exchangers, propylene vaporizers, and other devices that might be included in an acrylic ester plant. Different equipment designs will have different ISD characteristics, for example, the inventory of material in the equipment. Also, the detailed layout of the equipment will impact things such as the length and diameter of piping containing hazardous materials. Consideration of human factors in the design of equipment, to minimize the potential for mis-operation and human error, will also result in an inherently safer plant.
64
Detailed Equipment Design
• Inventory of hazardous material in each equipment item
• Heat transfer media (temperature, pressure, fluid)
• Pipe size, length, construction (flanged, welded, screwed pipe)
• ……

Inherent safety should be considered in the design of each piece of process equipment. For example, how can you design a heat exchanger to minimize the amount of hazardous material it contains? Different kinds of heat exchangers vary widely in the amount of material they contain for each square foot of heat transfer area. There may be options in selection of heat transfer media – for example, it might be better to use something other than water or steam to cool a material which reacts violently with water, in case the heat exchanger leaks. Pipes should be sized to carry the required flow, and should not be made significantly larger for very hazardous materials, to minimize the size of a potential leak. Welded pipes are less likely to leak than flanged piping, and flanged piping is generally less likely to leak than screwed pipe.
65
Operation
• “User friendly” operating procedures
• Management of change
  • Consider inherently safer options when making modifications
• Identify opportunities for improving inherent safety based on operating experience, improvements in technology and knowledge

Once a plant is built, ISD should be considered in the development of operating procedures and maintenance procedures. These must be clear, logical, and consistent with actual human behavior. Also, the plant should consider ISD options throughout the operational lifetime, particularly when modifications are made, or if new technology becomes available. Technology changes and improves, and there may be new technology worthy of consideration which improves the inherent safety of an existing plant.
66
When to consider Inherent Safety?
• Start early in process research and development
• NEVER STOP looking for inherently safer design and operating improvements

Designers must think about ISD at all levels of design, from process and product conception and basic technology through detailed design of specific pieces of equipment and operating procedures. Inherently Safer Design is not a specific program or design technique. It is more of a design philosophy, a way of thinking. The designer is challenged to think about ways to eliminate or minimize hazards, rather than accepting that the hazard exists and focusing his efforts on controlling that hazard. This philosophy can be applied to design and operation of any technology at any level of detail.

Inherent safety options are most effective early in process development – in selection of the basic technology. If hazardous chemicals and process operations can be eliminated, the overall process will be inherently safer from the start. But it is never too late, and there have been significant enhancements to inherent safety in plants which have been in operation for many years. Start early, and never stop.
67
Questions designers should ask when they have identified a hazard
Ask, in this order:
1. Can I eliminate this hazard?
2. If not, can I reduce the magnitude of the hazard?
3. Do the alternatives identified in questions 1 and 2 increase the magnitude of any other hazards, or create new hazards? (If so, consider all hazards in selecting the best alternative.)
4. At this point, what technical and management systems are required to manage the hazards which inevitably will remain?

A designer should ask the following questions, in this order, once he has identified a hazard:

Can I eliminate this hazard? This is the inherently safest option, if it is feasible. Any of the inherently safer design strategies could potentially eliminate a hazard.

If not, can I reduce the magnitude of the hazard? Ideally, the magnitude of the hazard would be reduced to a level where it was not capable of causing serious injury or damage – an application of the inherently safer design strategy “minimize”. The “moderate” strategy can also reduce the magnitude of a hazard.

Do the alternatives identified in questions 1 and 2 increase the magnitude of any other hazards, or create new hazards? If so, consider all hazards in selecting the best alternative. Any change to a process, even one which is intended to improve safety and eliminate a hazard, has the potential to create new hazards, or to increase the magnitude of other existing hazards. Remember that chlorofluorocarbon refrigerants were intended to eliminate fire and toxicity hazards with refrigerants in use at the time that CFCs were first developed – refrigerants such as light hydrocarbons and ammonia. Years later, they were determined to cause significant environmental damage, and many of the early CFC refrigerants are being phased out. We must do our best to understand all of the implications of any change to a chemical technology, and avoid “tunnel vision” – focusing on reducing or eliminating a single hazard and forgetting about other hazards.

What technical and management systems are required to manage the hazards which inevitably will remain? It is possible that there will be no inherently safer design option which is technically or economically feasible. For example, as long as we continue to burn large amounts of gasoline in automobiles, we will not be able to avoid the storage of large quantities of flammable gasoline. Also, it is unlikely that any design for a process will eliminate all hazards. Passive, active, and procedural safety systems will always be required to manage all of the hazards of a process, and these must be designed and specified as a part of the plant design process.

Designers and operators often skip directly to the 4th question, and focus risk management on managing hazards whose existence is accepted and believed to be unavoidable. This may be true in many cases, but no designer of a system will ever eliminate or reduce a hazard if he does not ask himself if that is possible. Designers should challenge themselves to eliminate or reduce hazards, and, if this is not possible, then they can focus on designing systems to manage risk.
68
Inherently Safer Design and Regulations
• Contra Costa County, CA Industrial Safety Ordinance (1999)
  • Requires evaluation of inherently safer technologies
  • Reviewed by enforcement agencies
  • Allows consideration of feasibility and economics
• New Jersey Department of the Environment (2005)
  • Facilities covered by the New Jersey Toxic Catastrophe Prevention Act (TCPA) must review the practicality of adopting inherently safer technology as an approach to reducing the potential impact of a terrorist attack
• United States Federal requirements
  • Several “chemical security” bills which include requirements for consideration of inherently safer design have been introduced in Congress, but, as of June 2006 none of these have been enacted.

Inherently safer design has received increasing attention from the news media, environmental groups, and government. Some examples include:
• PBS – NOW with Bill Moyers, March 21, 2003
• National Public Radio, Morning Edition, Daniel Zwerdling, April 15, 2003
• Philadelphia Inquirer, April 20-21, 2003
• Fox News, Steven Milloy, May 9, 2003
Some of these may still be available on the Internet, and an Internet search will reveal more, and more recent, references.

Particularly in the wake of terrorist activity in recent years, inherently safer design has come to be viewed as an approach to reducing the vulnerability of chemical plants to terrorist attack. Indeed, inherently safer design is one way to address these concerns, although it must be considered as one of many tools available to the design engineer and chemical plant operator.

Contra Costa County, California (on the east side of San Francisco Bay) has required certain facilities within its jurisdiction to demonstrate that they have considered inherently safer design for their facilities since

In 2005, as a part of its efforts to regulate the security of chemical facilities, New Jersey established requirements that certain high hazard facilities in the state demonstrate that they have considered inherently safer design options.

There have been a number of efforts to establish regulations at the US Federal level to require consideration of inherently safer design, going back to the original proposed Environmental Protection Agency Risk Management Program regulations in the early 1990s, which included a “Technical Options Analysis” requirement. This requirement was not included in the final regulation, but, since then there have been several attempts to include this requirement through legislation. Since 2001, there have been several bills introduced in the US Congress, often in various chemical plant security bills, but, as of June 2006, none of these bills have been approved. Since legislative and regulatory efforts continue, this situation may change significantly in the future.
69
Resources
• Kletz, T. A., Process Plants - A Handbook for Inherently Safer Design, Taylor and Francis, London, 1998.
• Inherently Safer Chemical Processes - A Life Cycle Approach, American Institute of Chemical Engineers, New York, 1996. Note: A second edition is being written in 2006.
70
Resources
• Guidelines for Engineering Design for Process Safety, Chapter 2 “Inherently Safer Plants.” American Institute of Chemical Engineers, New York, 1993.
• Guidelines for Design Solutions for Process Equipment Failures, American Institute of Chemical Engineers, New York, 1998.
71
Resources
• INSIDE Project and INSET Toolkit, Commission of the European Community, available for download from:
• Extensive journal and conference proceedings literature