Apply Inherently Safer Design Concepts to Existing Facilities | AIChE



Inherently safer design concepts are not just for the design phase. These concepts can be applied to plants throughout their entire lifecycle.

The concepts of inherent safety, where hazards are preferably eliminated rather than accepted and managed, have existed far longer than the chemical process industries (CPI). In fact, these concepts date back to prehistoric times. For example, building villages near a river on high ground rather than managing flood risk with dikes and walls is an inherently safer design (ISD) concept (1). The invention of dynamite by Alfred Nobel in 1867 involved the application of ISD concepts to improve the safety of handling nitroglycerine, i.e., by absorbing nitroglycerine in an inert carrier (2).

ISD concepts include substitution, simplification, moderation, and minimization. The 1974 Flixborough explosion inspired Trevor Kletz’s 1978 lecture entitled “What You Don’t Have Can’t Leak,” which was the first clear and concise discussion of the concept of inherently safer chemical processes and plants (3–5).

Additionally, what you don’t have also doesn’t cost anything. A common phrase from the U.S. automotive industry in the 1950s, paraphrased as “parts left out don’t cost anything and don’t cause any service problems,” refers to the practice of value engineering, where unnecessary parts, fasteners, processing steps, systems, etc. were eliminated during the construction of an automobile to drive down manufacturing costs (6). Viewed through the lens of inherent safety, this is an application of the ISD concepts of minimization, simplification, and possibly substitution.

Applying the concepts of ISD to chemical processes has been shown to reduce not only the risk of process safety incidents but also the costs of manufacturing, while improving operability. These concepts can be, and have been, applied successfully to existing plants and processes. This article reviews some real-world examples and discusses ISD strategies.

The regulatory case for ISD

Not only is it good engineering practice to evaluate potential risks and hazards of chemical processes, but process hazard analyses (PHAs) are federally regulated through the U.S. Environmental Protection Agency (EPA)’s Risk Management Plan (RMP) rule (7), as well as the U.S. Occupational Safety and Health Administration (OSHA)’s Process Safety Management (PSM) of Highly Hazardous Chemicals standard (8). While these regulations do not explicitly require ISD studies, it is possible to use the technique to reduce hazards and assist with compliance. Several jurisdictions in the U.S., including Contra Costa County, CA, and New Jersey, require ISD reviews for processes handling specific hazardous substances. In other locations, ISD reviews remain a good industry practice.

While this article focuses on the U.S. voluntary use and regulatory landscape, ISD is also encouraged globally (9) through regulations such as the Seveso II Directive in the EU (10) and Control of Major Accident Hazards (COMAH) in the U.K. (11).

Inherent safety is not as easily regulated as other PSM topics. When the EPA promulgated the RMP rule in 1996, some commenters recommended that the agency require facilities to conduct “technology options analyses” to identify inherently safer approaches. The EPA declined to do so, stating that:

“PHA teams regularly suggest viable, effective (and inherently safer) alternatives for risk reduction, which may include features such as inventory reduction, material substitution, and process control changes. These changes are made as opportunities arise, without regulation or adoption of completely new and unproven process technologies. EPA does not believe that a requirement that sources conduct searches or analyses of alternative processing technologies for new or existing processes will produce additional benefits beyond those accruing to the rule already” (1).

However, the EPA and OSHA have both recently proposed requiring this concept for the EPA Risk Management Rule and OSHA PSM Standard updates, which are currently being discussed. Their intent is to require safer technology and alternatives analysis, at least for certain processes.

ISD is not just for the design phase

Inherent safety is often perceived as a concept suited only to the design of new plants. Convincing management to conduct an ISD review may be difficult because it is perceived as impractical. These attitudes can discourage any focus on ISD for existing plants.

ISD can be effective when applied during the design phase of a process and/or plant, simply because there are more opportunities for its consideration while the process is still in early development, and the cost of making significant changes may be minimal at that time. However, it’s also applicable to all phases of the lifecycle of a chemical process: construction phase, during operation of the existing process, during PHA revalidations where the analysis is risk-based and opportunities for future improvements can be made, and even during shutdown and decommissioning.

For example, during the construction phase of a project, it may be possible to apply ISD when changes are being proposed during final design decisions and modifications, or during the construction steps of the process and eventual startup itself.

Operation of existing plants. A chemical process is as good as the process technology, the materials of construction, and the work and operating practices that existed prior to and on the day of startup. Over time, newer, more efficient, and safer processes are developed; newer, stronger, more corrosion-resistant materials of construction are created; and more efficient, safer work practices are engineered. It is a challenge, both practically and cost-effectively, to incorporate these improvements into an existing chemical plant or refinery that has been operating for decades.

To the operators, maintenance technicians, and engineers tasked with keeping an existing plant or refinery running, including ISD as a consideration may seem to be a monumental task. The key is to take one step at a time. The various ISD strategies of minimization, simplification, moderation, and substitution should be considered across the entire palette of operations and activities at a plant. Some of these ISD opportunities will be seen as low-hanging fruit; others will take some work to fully evaluate and potentially implement. ISD becomes a design and operating philosophy, where hazards can be addressed at any time.

Many ISD opportunities have the potential to not only improve process safety, but to improve operability and profitability. Some examples of how the ISD strategies might be employed in existing plants are shown in Table 1 and presented in more detail in the next section.


Shutdown and decommissioning of plants. Inevitably, an operating unit at a chemical plant or refinery (or perhaps the entire plant or refinery itself) will come to the end of its life cycle. This could be the result of changing market conditions, insurmountable new environmental regulations, and/or a host of other reasons. Shutdown and decommissioning may sound straightforward, but these can pose a different set of potential hazards and risks. If these are not managed effectively, a catastrophic process safety or environmental incident could occur during decommissioning. Fortunately, ISD concepts can be applied during this lifecycle phase as well.

The ISD strategies of moderation, simplification, and minimization can be employed to reduce risk and ultimately reduce costs incurred as a result of incidents. Moderation is used when mechanically and electrically isolating decommissioned equipment from other portions of the plant that are still active, and by venting and purging the equipment. By removing hazardous materials from the equipment, elimination (or at least minimization) is practiced. Once the equipment is isolated, the exact state of the decommissioned equipment must be clearly documented so that any future actions taken to recommission, modify, or dismantle the equipment can be done safely. This is a form of the inherently safer strategy of simplification.

ISD success stories in existing plants

While there are many examples of ISD, this section focuses on examples applied in existing plants. Consider using these examples, following the ISD concepts discussed in Table 1, in your own ISD discussions to help brainstorm ways you can apply ISD to existing sites and processes.

Substitution examples. Substituting bleach (sodium hypochlorite) for chlorine in drinking water and wastewater treatment facilities can reduce risk at the water treatment plant but may increase the amount of chlorine required at the bleach manufacturing site and thus transfer the risk. The difference is the way in which the facility receives the chlorine and whether a change from elemental chlorine to bleach will reduce the overall risk, or just shift the risk from one place to another.

A carbon steel piping system typically requires painting to protect it from the elements and stave off exterior corrosion (including undetected corrosion under insulation). If corrosion is allowed to progress unchecked, it could lead to a loss of containment. Substituting a higher alloy (e.g., stainless steel) for carbon steel can eliminate the need for painting and greatly reduce or eliminate exterior (as well as interior) corrosion. Alloy selection is critical depending on the operating and atmospheric conditions. It is quite possible that the higher-alloy system will cost less over the service life due to lower maintenance costs, even with a higher installed cost.

Maintenance procedures also require the same attention to human-machine interface considerations as operating procedures. Designing or purchasing equipment that is easy to install and maintain improves the inherent safety of the equipment and, by extension, the process. For example, sealless pumps eliminate the potential for seal leaks and their associated hazards. However, a sealless pump that eliminates seal leaks may bring its own set of hazards, such as rapid temperature build-up if it runs dry or is operated in a dead-head condition. Additional layers of protection may be needed to avoid the new hazardous consequences.

Simplification examples. If a pipe sleeve needs to be right side up, it could be notched or pinned so that it can only be installed right side up. One plant experienced a vessel leak caused by a siphon-break hole in a dip tube that was not oriented away from the vessel sidewall. The constant impingement of corrosive liquid into the sidewall from the siphon-break hole resulted in accelerated corrosion/erosion.

It is common practice to use unique fittings for nitrogen utility service, different from those used for compressed air or water, in order to prevent cross-contamination of the nitrogen system.

One plant found key relief valves installed backward after testing and maintenance because the inlet and outlet flanges were identical. They revised the valve and piping flanges, so the relief valves could only be installed in the correct orientation.

A safe startup procedure that requires the operator to ascend and descend stairs three times to manipulate valves in the correct sequence — and where a hazard could occur if the valves are operated in the incorrect sequence — can be made safer by locating the valves so that the operator must ascend the stairs only once during the startup, reducing the frequency of errors per operation.

Simplification and minimization strategies can be applied when developing or revising operating procedures to address human factors. Applying inherently safer techniques to the design of procedures requires consideration of the following (1):

  • Completeness and accuracy: The procedure must have enough information for the user to perform the task safely and correctly.
  • Appropriate level of detail: The level of detail must consider the experience and capabilities of the users, their training, and their responsibilities.
  • Conciseness: Conciseness means eliminating detail and language that does not contribute to work performance, safety, or quality.
  • Consistent presentation: This requires consistent terminology for naming components and operations, with corresponding labels in the field, a standard, effective format and page layout, and a vocabulary and sentence structure suitable for the intended user.
  • Administrative control: All procedures should be reviewed thoroughly before use and periodically thereafter. A “job cycle check” is an effective means followed in the industry to ensure that personnel are periodically practicing the procedures, and it also helps get feedback on ease of operating with the procedures.

Moderation examples. A sampling procedure for a hot process stream requires the operator to don heavy and cumbersome protective gloves and a face shield before opening the sample valve. A sample cooler (with local temperature indicator) can be installed, reducing the risk of thermal burns to the operator.

Piping vibration is a major concern at piping tees where the energy of the flowing fluid is transferred to the piping. Using energy-reducing tees can decrease vibration and the need for extra piping supports.

Relocating process equipment to a less-hazardous location can lower the design requirements and simplify the installation. For example, electrical control equipment or switchgear can be relocated outside of the classified electrical area, rather than be designed for it. This makes the installation inherently safer (by removing, rather than reducing, the risk of ignition) and less expensive (a standard electrical enclosure vs. one designed for classified locations) (1).

Relocating personnel who could potentially be impacted by a fire, explosion, or toxic release is another moderation strategy that can be employed. One refinery moved its control building and plant personnel offices to a remote location and purchased property around the site to create a buffer zone. This approach is a common facility siting technique that does not remove the chemical hazard but separates people from the hazard.

If it is not feasible to contain a runaway reaction within a reactor, it may be possible to moderate the consequences by piping the emergency device effluent to a separate pressure vessel for containment and subsequent treatment. Quench drums, vapor-liquid separation vessels, vapor-liquid separators, and other similar devices can be used to contain the effluent from exothermic/runaway reactions (12).

Blast walls, heat shields, and other barriers can moderate the impact of explosions by absorbing the energy and limiting their radius of effect. These barriers can also absorb other potentially hazardous energy sources, such as sound and thermal energy.

At one plant, operators were required to monitor a bulk solids railcar unloading operation. The pneumatic blower and hydraulic vibrator used for the task created a very high noise area around the railcar, requiring the operator to wear both earplugs and earmuffs as they monitored the unloading operation. This led to operators monitoring the process from afar. An operator’s shed was installed with very effective sound insulation, which allowed the operators to closely monitor the process safely and ergonomically.

A facility that manufactures rocket propellant designed its processing building (in which the propellant was formulated and mixed) with large earthen berms surrounding the building to absorb the force of any explosion and help direct the blast away from sensitive receptors such as people and buildings.

Adding energy to a chemical process is often required. The method of energy addition used can result in excess energy being added if its design does not incorporate ISD principles. Examples of properly matching the energy supplied to the energy required include (1):

  • using a heating medium for a distillation reboiler at a temperature such that it cannot overpressure the tower in case of loss of cooling flow to the condensers
  • limiting process heating to using steam at or below the saturation temperature, which adds the needed amount of heat and no more; in cases where the heating medium maximum heat flux cannot be reduced, the heat transfer area should be adjusted to limit the energy transfer
  • limiting pump or compressor discharge pressures to less than the downstream relief valve setpoints or the maximum allowable working pressure of any downstream components
  • ensuring that residual heat cannot be transferred inadvertently to a material via conduction or radiation, such as a hot vessel wall that transfers heat to a material that is sufficient to cause a runaway reaction.

Minimization examples. The minimization strategy can be applied to alarm functions. It is easier to train personnel to respond to a smaller number of alarms, ensuring that the proper, timely response will be made during process upsets or emergency conditions. The American National Standards Institute (ANSI) and International Society of Automation (ISA) 18.2 standard (13) and International Electrotechnical Commission (IEC) 62682 standard (14) for alarm system management address this topic in more detail.

To reduce the potential for exposure to chemicals, some sites are eliminating filters that require changing or replacement. This may require a redesigned filter (such as a self-cleaning design), or a process change that eliminates the need for a filter.

After encountering leaking sample station valves that resulted in loss of containment (LOC), one plant installed a closed loop sampler. This reduced the operator interaction with the valve and reduced the potential for LOC incidents.

Install heating sources and cooling sources with electrical drivers on a common electrical bus. If cooling is lost, then heating is also lost, thus eliminating an electrical power failure relief case.

Equipment that can be reached for inspection, repair, or monitoring from permanent platforms is more likely to be safely inspected, calibrated, repaired, and replaced than equipment that requires climbing with a safety harness or scaffold.

These examples and more are discussed in greater detail in the Center for Chemical Process Safety (CCPS) book, Guidelines for Inherently Safer Chemical Processes: A Life Cycle Approach (1).

ISD implementation guide

Now that the importance of ISD has been established and some examples from existing plants have been reviewed, the next phase is ISD implementation. A good place to start this discussion is by using inherent-safety-focused checklists in risk review meetings that are already being conducted, such as those for PHAs, management of change (MOC) reviews, and pre-startup safety reviews (PSSRs). The checklists provide a conversation guide and questions that focus on inherent safety, and will help in communicating the principles of ISD.

Some companies include a related checklist in their PHAs for discussion. Table 2 provides a comprehensive example of what an inherent safety checklist for a PHA could look like.


Inherent-safety-focused checklists can also be a useful component in PSSRs, which are often one of the last steps in the MOC process. While the safety review of the proposed change is similar to the PHA review described in Table 2, MOC-related questions help focus the review (Table 3).


Opportunities and challenges

This article has shown how ISD concepts can be applied to process operations in existing facilities and has highlighted success stories from industry where ISD concepts were applied to existing operations/facilities. These ISD concepts resulted in many safety improvements, as well as process operability and cost performance improvements.

Industry and policymakers have a major opportunity and a major challenge ahead to develop effective programs to encourage the broad adoption of ISD — whether through voluntary industry initiatives or government regulations. First, both industry and policymakers need a more consistent understanding of ISD — what it is and how it can be applied. Secondly, new analytical tools for conducting inherent safety reviews and measuring progress, as well as decision-making criteria, will be needed.

While it is generally accepted that ISD has the potential to reduce process safety hazards, the implementation is generally not straightforward. The tools presented here can be used to implement ISD improvements for existing manufacturing plants in a variety of ways (1).

Literature Cited

  1. Center for Chemical Process Safety, “Guidelines for Inherently Safer Chemical Processes: A Life Cycle Approach,” 3rd edition, CCPS, AIChE, New York, NY (2019).
  2. Kravitz, F., “Dynamite and the Ethics of its Many Uses,” ACS Committee on Ethics (accessed Feb. 22, 2023).
  3. Kletz, T. A., “What You Don’t Have, Can’t Leak,” presented at the Annual Jubilee Lecture to the Society of Chemical Industry in Widnes, England (Dec. 14, 1977).
  4. Kletz, T. A., “What You Don’t Have, Can’t Leak,” Chemistry & Industry, pp. 287–292 (May 6, 1978).
  5. Hendershot, D. C., “Inherently Safer Design: The Fundamentals,” Chemical Engineering Progress, 108 (1), pp. 40–42 (Jan. 2012).
  6. Miles, L. D., “Techniques of Value Analysis and Engineering,” 2nd edition, McGraw Hill, New York, NY (1972).
  7. U.S. Environmental Protection Agency, “Risk Management Plan,” 40 CFR 68 Subpart G (accessed Feb. 22, 2023).
  8. U.S. Occupational Safety and Health Administration, “Process Safety Management of Highly Hazardous Chemicals,” 29 CFR 1910.119 (1974).
  9. Edwards, D., et al., “Inherent Safety: It’s Common Sense, Now for Common Practice!” IChemE Symposium Series No. 160 (2015).
  10. European Commission, “The Seveso Directive – A Contribution to Technological Disaster Risk Reduction” (accessed Feb. 22, 2023).
  11. U.K. Health and Safety Executive, “Control of Major Accident Hazards (COMAH)” (accessed Feb. 22, 2023).
  12. Center for Chemical Process Safety, “Guidelines for Pressure Relief and Effluent Handling Systems,” 2nd edition, CCPS, AIChE, New York, NY (2017).
  13. International Society of Automation, “Management of Alarm Systems for the Process Industries,” ANSI/ISA-18.2-2016 (2016).
  14. International Electrotechnical Commission, “Management of Alarm Systems for the Process Industries,” IEC 62682 (2022).
