
Inherently Safer Design - Its Scope and Future

1. There is a hierarchy of safety approaches that should be followed from most preferred to least: inherently safer designs, passive safety equipment, active safety equipment, and relying on operator actions.
2. Inherently safer designs avoid hazards by minimizing or substituting hazardous materials, while passive safety uses equipment without moving parts that is less likely to fail than active equipment.
3. Inherently safer designs are usually cheaper than conventional designs as less added safety equipment is needed, and they provide safety that does not depend on equipment or people.


0263–8762/03/$23.50+0.00
© Institution of Chemical Engineers
www.ingentaselect.com/titles/02638762.htm
Trans IChemE, Vol 81, Part B, November 2003

INHERENTLY SAFER DESIGN - ITS SCOPE AND FUTURE


T. A. KLETZ
Department of Chemical Engineering, Loughborough University, Loughborough, UK

Instead of keeping hazards under control by adding on protective equipment we should use inherently safer designs whenever they are ‘reasonably practicable’. When that is not possible passive safety equipment is better than active equipment; simple examples are described. Inherently safer designs have not been adopted as rapidly as other process safety features and are often ignored in the recommendations made after accidents; the reasons are discussed. Inherently safer designs are usually cheaper than conventional ones and are a lesser target for terrorists.

Keywords: accidents; inherently safer design; inventory reduction; passive safety; safety.

INTRODUCTION

During the last 30 years there have been many changes in our approach to safety. The most important has been the emergence of process safety as a distinct branch of chemical engineering, differing in its methods from those of the traditional safety officer who was mainly concerned with simple mechanical accidents rather than those that arise out of the technology. Among the many new ideas introduced by the practitioners of process safety the most fundamental has been the concept of inherently safer design (ISD), that is, avoiding hazards rather than keeping them under control. When I started in industry and for many years afterwards it was taken for granted that once we recognized a hazard we kept it under control by adding on protective equipment or changing procedures. Of course, there always have been occasional instances when an inherently safer process or piece of equipment has replaced a hazardous one, but it was not until after the explosion at Flixborough in 1974 that we began to recognize that we should search systematically for inherently safer alternatives as a matter of course.

THE SAFETY HIERARCHY

When we realize, as the result of an accident, a Hazop or just because it is obvious, that there is a hazard, the possible actions form a hierarchy. Today this is widely recognized, in theory if not always in practice:

Whenever possible we should avoid the hazard by the use of inherently safer designs.

If this is not ‘reasonably practicable’ (that is, either impossible in the light of present knowledge or so expensive that there is a gross disproportion between the cost and the risk) we should try to keep the hazard under control by adding on passive protective equipment, that is, equipment that does not contain moving parts or does not have to be commissioned, either manually or automatically.

The third choice is to add on protective equipment that contains moving parts or is commissioned automatically. Unfortunately the equipment may fail to operate as it may have been switched off or neglected, or it may have undergone a random failure since it was last tested but if testing is adequate this is unlikely.

The fourth choice is to rely on operator actions. Unfortunately the operator may fail to act for a number of reasons: he or she may not have been told what to do, may have forgotten, may not consider it important, may be distracted by more urgent tasks or may have been injured by an initial explosion, fire or toxic release.

Everyone agrees in principle that we should start at the top of this hierarchy and go down it no further than we have to, but in practice the default action in many companies is to start at the bottom and work up. The first default action in many companies after an accident has disclosed a hazard is to rewrite the instructions, making them clearer and more detailed. The instructions may then become so long and complex that fewer people read or remember them. Some companies may try to increase operators’ reliability by the use of techniques such as behavioural science. I am not criticizing these techniques; in many cases the only reasonably practicable action is to change or enforce the procedures, but before doing so we should start at the top of the hierarchy and work down to the bottom only when there is no alternative. Changing instructions may seem to be a cheap solution but it is the least effective and may not be the cheapest in the long run if we take into account the cost of the management effort needed to make sure that the procedures are followed. Procedures corrode more rapidly than iron and can disappear entirely once managers lose interest in them.

Inherently safer designs are usually cheaper than those they replace as less added-on safety equipment is needed. Intensification will usually give a further reduction in cost as smaller equipment is usually cheaper.

INHERENT AND PASSIVE SAFETY COMPARED

If we handle hazardous materials the possible inherently safer solutions are:

Intensification or minimization: using so little of the hazardous material that there is no significant risk if it all leaks out (‘what you don’t have can’t leak’).

Substitution: using a less hazardous material or a process that is less likely to develop into a runaway reaction.

Attenuation or moderation: using the hazardous material in the least hazardous form. An example is the storage of liquefied gases at low temperature and low pressure instead of storage at ambient temperature and high pressure. Because of the lower pressure the flow rate through any leak is lower and because the temperature is lower less of the leaking liquid evaporates. Of course, we should consider leaks from the refrigeration equipment as well as from storage vessels.

A simple example of ISD is the replacement of a flammable reactant or solvent by a non-flammable one. If that is not practicable we can protect equipment with fire insulation. This is passive safety rather than inherent safety as the insulation may fall off or be removed for inspection and not replaced. A water spray turned on automatically is active safety and is more likely to fail, or be deliberately disconnected, than insulation. Finally the procedural solution is water spray turned on by an operator who may be so busy that he or she forgets to do so, may consider it unnecessary or be injured by an initial fire or explosion.

Note that there is a procedural element in the passive and active safety systems. Insulation should be inspected regularly and repaired when necessary; automatic equipment should be tested and maintained or it may not work when required.

The fundamental difference between these different solutions is that passive safety systems can fail, although they are less likely to do so than active systems or procedures, but inherently safer systems, by their very nature, cannot fail. The safety does not depend on the performance of equipment or people but is inherent in the design.

Most nuclear reactors are pressurized water reactors in which a number of complex protective systems provide emergency cooling should the main cooling system fail. The latest designs make more use of convective cooling and are therefore inherently safer, but this is passive safety. Pipe failure could prevent cooling. The high temperature gas reactor now being considered in South Africa is inherently more safe as it cannot overheat even if the cooling fails. This is achieved by using fuel with a high heat capacity and high temperature resistance and by using small reactors with a large surface area and thus high heat loss. Each power station will consist of several reactors (Kadak, 2001).

Inherently safer design has been pioneered in the chemical, oil and nuclear industries but can be applied more widely, as shown by the following simple mechanical example. Simple examples often explain ideas more effectively than complex or sophisticated ones.

Wire hangers with a hook at each end supported a bundle of cables (Figure 1 top). Both ends of the hangers were hooked over a metal bar. The cables had to be moved temporarily so that some other work could be carried out. When the cables were put back the hangers were arranged as shown in Figure 1 bottom. This doubled the weight on the upper hooks. The weight of the cables straightened the end of one of the hooks. The adjacent hangers then also failed. Altogether a 60 m length of cable fell 5 m. One man was injured, fortunately not seriously.

Figure 1. Two ways of supporting a bundle of cables. The hangers were assembled in the wrong way. As a result the upper hooks had to support twice the design weight. The hooks opened out and 200 feet of cable fell 5 m to the ground. How many people would recognize the hazard? Instead of relying on training and instructions it would be more effective to use hangers that can support the entire weight even when they are installed incorrectly.

The hazard is one that many people might overlook. The reaction in many companies would be to explain the reason for the failure to the people involved and describe the correct method in the instructions, but the job may not be carried out again for many years and then by different people. It would be far more effective to change the design and use hangers that will still be strong enough even if they are arranged as shown in Figure 1 bottom. If replacing the hangers is too expensive then the better design should be noted for future designs. We should also ask if it was essential to hang the cables rather than support them on a tray or on the ground. That is the inherently safest solution as they cannot fall any lower (but take care that they do not create a tripping hazard). Using stronger hangers is passive safety. However, the borderline between inherently safer design and passive safety is often fuzzy.

I have usually defined inherently safer designs rather narrowly, restricting them to designs that involve intensification, substitution, attenuation or limiting the energy available (for example, using heating media that are not hot enough to overheat the substrate). I have described as user-friendly rather than inherently safer concepts such as passive safety,
simplification and designs that cannot be assembled incorrectly. Other writers have called them all inherently safer. This is acceptable but we should not lose sight of the difference between inherent safety, in the narrower sense, and passive safety. We should not let the definition of inherent safety become too broad. All techniques tend to degrade as they increase in popularity. As Hazop has become more widespread and demanded in some countries by law, I suspect that in some companies it has become little more than a meeting to discuss the line diagrams. Let us hope that inherently safer design is not treated in the same way. However, the problem today is not overuse but underuse.

CONSTRAINTS AND OVERCOMING THEM

Inherently safer design has been adopted much more slowly than other advances in process safety. The first paper on Hazop was published in 1974 (Lawley, 1974); it aroused interest from the start and within 10 years the technique had been widely adopted. The first paper on the use of quantitative risk assessment in the chemical industry was published in 1971 (Kletz, 1971) and again uptake was rapid. In 1974 the Flixborough explosion showed the need for the management of change and many companies soon set up schemes. There have been changes in recent years in accident investigations where much more attention is now given to underlying causes. There has been a change in our attitude to human error where there is now more willingness to look for ways of avoiding opportunities for error instead of telling people not to make slips or have lapses of attention. In contrast, since the publication of the first paper in 1978 (Kletz, 1978) the growth of ISD has been slower.

Possible reasons are discussed in detail elsewhere (Kletz, 1999; Gupta and Edwards, 2002). Many of them apply to all innovations. Mansfield et al. (1996a,b) have emphasized the lack of tools. While the early papers on Hazop and QRA told us how to do it, with examples, the early papers on ISD told us what we ought to do but did not provide detailed aide-memoires. The INSIDE project (Mansfield et al., 1996a) provided a set of tools for the participating companies, but it has not so far been made widely available.

Another reason for the slow take-up of ISD is that it requires a major change in the design process: more time in the early stages for the discussion of alternatives. This time will not become available without the active involvement of the most senior managers. In contrast, the other techniques such as Hazop and QRA can be and often were introduced because people at somewhat lower levels saw the need for them (or were persuaded to do so) and introduced them. When lecturing on ISD I have often been told that I am speaking to the wrong audience: ‘You should be speaking to our managers, not us’. In time, of course, many in my audience may become senior managers but is the next generation of chemical engineers learning enough about ISD at university?

In recent years I have wondered if there may also be psychological reasons for the relatively slow uptake of ISD. Perhaps the concept is too simple for people to grasp. Perhaps it seems so obvious that senior people, remote from the detail, instinctively feel that their companies must surely be doing this already and that there is no need for them to actively encourage it.

Another psychological brake on the adoption of ISD is that many engineers see themselves as practitioners of established techniques rather than as innovators. ‘How to’ books sell better than ideas books. Magazines contain far more articles on ways of doing better what we already do than articles that question whether or not we are doing the right things. We do not want everybody questioning everything all the time but we do need at least some people who will question from time to time.

ISD AND ACCIDENT INVESTIGATION

Although designers have been slow to recognize the scope of ISD, accident investigators have been even slower. The following is a brief summary of the opportunities missed by the investigators of some major incidents and by most of the commentators on them.

Bhopal (1984)

Methyl isocyanate, the material that leaked and killed over 2000 people, was not a raw material or product but an intermediate. It was convenient to store it but not essential to do so. If it had been made continuously and used as it was made, the worst possible leak would have been a few kilograms from a ruptured pipeline. After Bhopal many companies did reduce their stocks of hazardous intermediates. Alternatively, the production of methyl isocyanate could have been avoided by reacting the three raw materials in a different order (Kletz, 2001).

Flixborough (1974)

The leak and explosion were so large because only 6% of the raw material was converted in the reactors. The rest had to be recovered and recycled. Developing a more efficient process is not easy. A research programme showed promise but was abandoned because the company concerned could see no hope of a new plant.

Chernobyl (1986)

This design of nuclear reactor was inherently less safe than every other commercial design. At low output any rise in temperature caused the heat output to increase, thus providing positive feedback and a runaway rise in temperature.

Aberfan (1966)

Coalmining produces a lot of waste. A tip of this waste collapsed onto the village of Aberfan, killing 144 people, most of them children. The tip was badly sited and inadequately inspected. Tips can be managed safely, although many others have collapsed. Oil and natural gas produce little or no solid waste but do produce carbon dioxide. There is opposition to coal because of the pollution it causes but not because of the hazard of waste tips. Nuclear power produces very little waste, most of it of low hazard, but there is much public concern over the small amounts of high-level waste produced even though, if all electricity was nuclear, each person’s life-time consumption would produce a piece of high-level waste the size of an orange.

Nitration

This has been called the most hazardous chemical process. Most of the products are further reacted to make amines. There is no other commercial route to them, but has anyone ever looked for another route?

SPADS

There has been much concern over railway signals passed at danger. Until recently drivers were blamed but the railways are now paying more attention to engineering factors such as the visibility of signals. The SPADS that are most likely to result in a collision are those in which one train has to cross the path of another rather than just follow it down the line. Such conflicting movements are inevitable at junctions but many could be avoided by changes in track layout.

INHERENTLY SAFER CHEMISTRY

While design engineers have many opportunities to use inherently safer designs they may be limited by the processes developed by the research chemists who, on the whole, are less aware of the need for inherently safer designs. An experienced process designer (Grossel, 2003) writes,

“I have been involved in the process design of many chemical processes. Quite often, I have been given a technology transfer package and told to design suitable plant. When I informed my management that the process was hazardous (it involved the use of very flammable, explosive, and/or toxic chemicals) and that the process should be modified to be safer, I was then told that it was too late and that too much time and money had already been expended, and that I should use as many safety measures and equipment as necessary to make the process safer.

Based on my often frustrating experiences with a ‘fait accompli’ process, I feel strongly that the concepts of ‘inherently safer design’ should be taught at the undergraduate chemical engineering and chemistry curricula. It may be even more important for chemists to become aware of this technique as they are the ones that conceptualize and develop chemical processes. If they were aware of the technique they might come up with inherently safer processes from the start. . . . This would result in savings in both initial plant costs and minimize accidents, which then involve costs for replacing equipment, business interruption, and very often, law suits.”

WHAT ARE THE PROSPECTS?

I can see no way of increasing the use of ISD other than the ones we are following already: continuing to preach the advantages of ISD and illustrating them by examples, especially after accidents that could have been prevented by inherently safer designs. Accident reports grab our attention more effectively than naked advice. We should emphasize the fact that ISDs are usually cheaper than conventional ones for the two reasons mentioned above:

if we can replace or reduce large inventories of hazardous materials we need less added-on protective equipment such as trips, interlocks, alarms and fire insulation; safety distances between units can be reduced;

if we can intensify, the equipment will be smaller and therefore cheaper; structures will be smaller and will take up less land.

Since the events of 11 September 2001 greater attention has been paid to security and this is an added reason for reducing inventories of hazardous materials whenever it is reasonably practicable to do so. In the US Senate a bill was introduced by Senator Corzine and supported by Hillary Clinton, amongst others, requiring all oil and chemical plants to be inherently safe. Unfortunately both the proposers and opponents of the bill did not understand the concept and its limitations (Summers, 2002; Johnson, 2003). In the UK the Health and Safety Executive has encouraged the design of inherently safer plants, particularly offshore (Mansfield et al., 1996b).

In recent years it has become customary to advocate inherent SHE (safety, health and environment) instead of inherent safety. Preventing adverse effects on health by avoiding the use of materials with long- or short-term health effects has been an accepted policy for many years. It is also widely recognized that preventing the production of pollutants and waste products is better than ‘end-of-pipe’ solutions; however I know of no systematic survey of what has been and could be done similar to those surveys of inherently safer designs that are available (Kletz, 1998; Crowl, 1996; Amyotte and Khan, 2003; see also the many publications of Ramshaw and co-workers on intensification and Hendershot and co-workers).

Finally, according to Max Planck (1936):

“An important scientific innovation rarely makes its way by gradually winning over and converting its opponents. . . What does happen is that its opponents gradually die out and that the growing generation is familiarized with the idea from the beginning.”

Yet this will occur only if the growing generation is taught about the new ideas. Industry may have to make up the universities’ omissions. At present most companies are not doing so.

REFERENCES

Amyotte, P.R. and Khan, F.I., 2003, How to make inherent safety practice a reality, Can J Chem Eng, 81: 2–16.
Crowl, D.A. (ed.), 1996, Inherently Safer Chemical Processes (AIChE, New York).
Grossel, S.S., 2003, Letter: safety issues, Chem Eng News, 17 March: 4.
Gupta, J.P. and Edwards, D.W., 2002, Inherently safer design—present and future, Trans IChemE, Part B, Proc Safety Environ Prot, 80(B3): 115–125. [See also the letter from the same authors in 80(B4): 220.]
Johnson, J., 2003, Simply safer, Chem Eng News, 3 February: 23–26.
Kadak, A.C., 2001, Nuclear reactor, in McGraw-Hill Yearbook of Science and Technology (McGraw-Hill, New York, USA), pp 281–284.
Kletz, T.A., 1971, Hazard analysis—a quantitative approach to safety, in Major Loss Prevention in the Process Industries, Symposium Series No. 34 (Institution of Chemical Engineers, Rugby, UK), pp 75–81.
Kletz, T.A., 1978, What you don’t have can’t leak, Chem Ind, 6 May: 287–302.
Kletz, T.A., 1998, Process Plants: a Handbook for Inherently Safer Design (Taylor and Francis, Philadelphia, PA, USA).
Kletz, T.A., 1999, The constraints on inherently safer design and other innovations, Proc Safety Prog, 18(1): 64–69.
Kletz, T.A., 2001, Learning from Accidents (Butterworth-Heinemann, Oxford, UK), Chapter 10.
Lawley, H.G., 1974, Operability studies and hazard analysis, Chem Eng Prog, 70(4): 45–56.
Mansfield, D.P., Malmen, Y. and Suokas, E., 1996a, The development of an integrated toolkit for inherent SHE, in International Conference and Workshop on Process Safety Management and Inherently Safer Processes (AIChE, New York).
Mansfield, D.P., Poulter, L. and Kletz, T.A., 1996b, Improving Inherent Safety, Report no. OTH 96 521 (HSE Books, Sudbury, UK).
Planck, M., 1936, quoted by de Grasse Tyson, N., 1998, Natural History, November: 70.
Summers, A.E., 2002, Houston Chronicle, 13 January.

ADDRESS

Correspondence concerning this paper should be addressed to Professor T. A. Kletz, Department of Chemical Engineering, Loughborough University, Loughborough, Leicestershire LE11 3TU, UK.
E-mail: [email protected]

The manuscript was received 23 January 2003 and accepted for publication after revision 3 June 2003.
