National Academies Press: OpenBook

Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence (2004)

Chapter: Section IV Risk Management7 Inherently Safer Design

« Previous: 6 Nuclear Accident Precursor Assessment: The Accident Sequence Precursor Program
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×

Section IV
Risk Management

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×

This page intentionally left blank.

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×

Inherently Safer Design

DENNIS C. HENDERSHOT

Rohm and Haas Company

To warn of an evil is justified only if, along with the warning, there is a way of escape.

Cicero

An accident precursor can be regarded as a warning of the potential for a more serious accident, and the people responsible for the design and operation of a system must respond by identifying a “way of escape”—a risk-management strategy. The focus of this paper is on inherently safer design, that is, design that eliminates hazards, or minimizes them significantly, to reduce the potential consequences to people, the environment, property, and business. Although inherently safer design is the most robust way of addressing risk, for most facilities a complete risk-management program also includes passive, active, and procedural protections.

All systems have multiple hazards, and there can be conflicts among risks associated with different alternatives. Understanding these conflicts will enable a designer to make intelligent decisions to optimize the design. The response to an accident precursor should be similar to the response to information from any other source about hazards and risks associated with a technology. An example of how an incident-investigation team responds to an accident precursor, in this case an example from the chemical process industry, will illustrate the application of this design philosophy.

When designing or operating any engineered system, whether a chemical plant, a consumer product, a machine, or any other system, the designer must first identify specific hazards associated with the operation. Preferably, formal hazard-identification techniques are used to identify hazards as part of the design process. However, engineering design, like other human activities, is not perfect, and some hazards or specific accident scenarios that could lead to undesirable consequences will inevitably be discovered as accident precursors, and perhaps accidents, during the operation of the system. Regardless of the mechanism of

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×

discovery, the design engineer must identify a strategy for managing the hazard and its associated accident scenarios.

The concept of inherently safer design, first articulated by Trevor Kletz of ICI in 1978, has been greatly elaborated since then (CCPS, 1996; Kletz, 1978, 1998). Inherently safer design can be considered a subset of “green chemistry” and “green engineering,” a more general philosophy that addresses a wide range of environmental hazards. In recent years, the chemical process industry has increasingly focused on eliminating hazards from chemical processes and plants rather than accepting their existence and designing systems to manage them; the industry has attempted to eliminate safety hazards and minimize the immediate impacts of single events, such as fires, explosions, and short-term toxic impacts. Because the strategies of inherently safer design are not specific to any industry; the example of the chemical process industry can be useful for a broad range of other technologies.

To understand the concept of inherently safer design, it is essential first to define “hazard.” For purposes of this discussion, a hazard is “an inherent physical or chemical characteristic that has the potential for causing harm to people, the environment, or property” (CCPS, 1992). A hazard is intrinsic to a material or its conditions of use and, therefore, cannot be eliminated without changing the material or the conditions of use. Some examples of hazards are listed below:

  • the sharp blade of a rotary lawn mower that rotates at high speed

  • a cylinder of compressed air at 500 psig pressure, which contains a large amount of energy

  • flammable gasoline

  • the toxicity (by inhalation) of chlorine gas

Over the years, engineers have developed many tools for identifying hazards in various areas of technology. In the chemical process industry, these tools range from checklists and informal brainstorming sessions to formal, disciplined methodologies, such as hazard and operability (HAZOP) studies and failure modes and effects analysis (FMEA) (CCPS, 1992). These tools help designers understand hazards associated with the system and identify potential accident scenarios (i.e., an undesired impact on a receptor of interest, such as people, the environment, property, or business). These tools are most effective when they are used during the design process, but they can also be used to identify risk in existing systems.

The purpose of using these tools is to identify hazards and the specific accident scenarios associated with them before an accident occurs. In some cases, however, hazards or potential accident scenarios are identified through the recognition of accident precursors during operation. In all cases, designers must understand hazards and potential accident scenarios and provide adequate safeguards in the design.

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×

RISK-MANAGEMENT STRATEGIES

Risk-management strategies can be divided into four general categories: inherent, passive, active, and procedural (CCPS, 1996):

  • Inherent risk management involves the elimination of a hazard or the reduction of the magnitude of a hazard to the point that its consequences on potential subjects of interest are tolerable.

    • A string trimmer would eliminate the hazard of a sharp, rapidly rotating cutting blade for cutting grass. (Sheep or goats might be considered an inherently safer and more environmentally friendly technology for keeping grass trimmed. Of course, safety and environmental issues are also associated with keeping animals.)

    • Water-based paints and coatings would eliminate the fire and toxicity hazards associated with solvent-based paints.

    • A flammable, toxic extraction solvent could be replaced by supercritical carbon dioxide.

  • Passive risk management involves devices that control or mitigate the consequences associated with a hazard without requiring sensing elements or moving parts. Passive devices function simply because they exist.

    • The deck of a rotary, power lawn mower acts as a guard. The hazard (a sharp, rapidly rotating metal blade) still exists, but the deck effectively prevents contact with hands or feet by virtue of its design and construction.

    • A reaction capable of generating 120 psig pressure from a worst-case runaway reaction is contained in a vessel designed to withstand 200 psig. The hazard (120 psig pressure) can still occur, but it is contained by the vessel, thus eliminating the need for sensors to monitor pressure or action by any device.

  • Active risk management involves alarms, interlocks, and mitigation systems designed to detect an unsafe condition and put the system into a safe state, usually either by taking emergency action to return the system to normal operating conditions or by shutting it down. Active systems may be designed to prevent an accident or to minimize the consequences of an accident.

    • A “dead man” switch on a power lawn mower is designed to prevent an accident by disengaging the blade if the operator is not holding the mower handle.

    • A sprinkler system detects a fire and sprays it with water to minimize its spread and potential damage. This system is designed to mitigate the consequences of an accident; it does not prevent the fire, but it reduces fire damage.

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
  • A high-level switch can prevent an accident in a storage tank by detecting an impending overfill and shutting the tank feed valve and stopping the transfer pump before the contents overflow.

  • Procedural risk management involves standard operating procedures, operator training, safety checklists, and other management systems that depend on people.

    • The operator of a lawn mower can be trained to wear steel-toed safety shoes and safety glasses when mowing the lawn.

    • Many states require that seat belts be worn by drivers and passengers in cars.

    • A chemical plant operator can be trained to shut off reactant feeds and fully cool a reactor if the temperature exceeds 75°C.

Usually (but not always), the order of effectiveness of these strategies in terms of reliability and robustness is: inherent, passive, active, and procedural. But real systems have multiple hazards and thus require a combination of most or all of these strategies. In fact, strategies that inherently reduce one hazard may increase another hazard or even create a new hazard. Take, for example, the inherently safer design strategy of replacing a flammable, toxic extraction solvent with supercritical carbon dioxide. Supercritical extraction with carbon dioxide requires high temperature and high pressure, which would introduce new hazards to the process.

INHERENTLY SAFER DESIGN STRATEGIES

Four main strategies—minimize, moderate, substitute, and simplify—have been developed to help designers identify inherently safer systems. The minimizing strategy involves reducing the amount of hazardous material or energy in the system, ideally to the point that the uncontrolled release of the entire inventory of material or energy would not cause significant damage. In the chemical process industry, for example, this strategy includes considering the inventory of hazardous raw materials, in-process intermediates, and products. Other examples can be cited. The Centers for Disease Control and Prevention (CDC) reports that every day 300 young children are taken to hospital emergency rooms as a result of burns from household water that is too hot. Thus, the CDC recommends a maximum temperature of 125°F for home hot water to prevent burns (CDC, 2002). Another example involves a process that required ethylene oxide as a raw material. The ethylene oxide was shipped to the plant and stored in a large tank prior to use. To minimize the risk, a new plant was built adjacent to the ethylene oxide plant so ethylene oxide could be delivered by pipeline, thus eliminating

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×

the need for transportation and storage (Orrell and Cryan, 1987). In another case, a company in Europe used phosgene to manufacture fine chemical intermediates. The phosgene was manufactured in a separate process, and intermediate storage of many tons of toxic phosgene was required. A new, continuous process to manufacture phosgene “on demand” was developed to reduce the inventory dramatically. The new manufacturing process was continuous, essentially a “phosgene machine.” When the consumer process needed phosgene, the new continuous process was started up and brought quickly to steady state to produce acceptable quality phosgene; the phosgene was then fed directly to the consumer process with no intermediate storage (Delseth, 1998; Osterwalder, 1996). In still another example, a chlorination process in a batch-stirred tank reactor was replaced by a process using a loop reactor with intensive mixing. The new reactor was one-third the size of the original, reduced batch time by 75 percent, and reduced chlorine consumption by 50 percent, to the theoretical minimum amount (CCPS, 1996).

The substitution strategy involves using a less hazardous reaction chemistry, or replacing a hazardous material with a less hazardous substitute. Here are some examples. In a municipal swimming pool, a solid chlorinating agent can be used instead of cylinders of chlorine gas to disinfect water. Early refrigeration systems used a variety of hazardous refrigerants, including hazardous materials, such as ammonia (toxic and flammable), light hydrocarbons (flammable), and even sulfur dioxide (toxic and corrosive). In the 1930s, chlorofluorocarbon (CFC) refrigerants were introduced to eliminate these hazards. Since the potential impact of CFCs on the environment was discovered, their use is being phased out. The challenge to engineers now is to develop refrigeration systems that eliminate fire, explosion, and toxicity hazards without causing environmental damage. In some cases, creative redesign of refrigeration systems can minimize the hazards associated with refrigerants, such as light hydrocarbons. Home refrigerators that use as little as 120 grams of isobutane refrigerant have been designed—a good example of the inherent safety strategies of minimizing and substituting.

Another example of the substitution strategy is in reaction chemistry. For many years, acrylate esters were manufactured using the Reppe process:

This process involves numerous hazards: acetylene is reactive and flammable; carbon monoxide is toxic and flammable; nickel carbonyl is toxic, an environmental hazard (heavy metal), and a suspected carcinogen; and anhydrous hydrogen chloride is toxic and corrosive. Today, most acrylate production uses a propylene oxidation process:

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×

Although the propylene oxidation process cannot be described as inherently safe (there are hazards, primarily flammability, that must be managed), it is clearly inherently safer than the Reppe process.

The moderating strategy involves using a material in a less hazardous form, or under less severe conditions. Plastic materials used in molding and fabrication processes, for example, are safer if they are handled as pellets or granules rather than as fine powders, which have the potential to form explosive dust clouds. In another example, Alfred Nobel, in 1867, invented dynamite, a safer way of using nitroglycerine because it was absorbed in an inert carrier. A third example of the moderating strategy is the substitution of 28-percent aqueous ammonia solution for anhydrous (100 percent) ammonia in a neutralization application. This change reduced the downwind distance for a hazardous vapor cloud in case of a leak by a factor of up to 10, depending on weather conditions and the exact conditions of the leak.

The fourth strategy is simplification, which involves eliminating unnecessary complexities to reduce the likelihood of human error. A few examples follow. In 1828, Robert Stevenson, one of the pioneers of railway development, argued for simplifying controls on early steam locomotives. Stevenson recognized that complex controls made it much more likely that locomotive drivers would make mistakes that could lead to accidents. In describing existing controls, he said, “In their present complicated state they cannot be managed by ‘fools,’ therefore they must undergo some alteration or amendment” (Rolt, 1960). In Turn Signals Are the Facial Expression of Automobiles, D.A. Norman (1992) describes the poor design of a kitchen stove (Figure 1), which seems to be designed to encourage operator error.

We would prefer to blame the design of the stove on somebody in the marketing department who thought this would be a clever design that would increase sales for some reason. One would like to think that engineers designing a chemical plant would never do anything this silly. However, I actually worked in a plant where the control room and process equipment were laid out as shown in Figure 2, which exhibits essentially the same design error as the stove (Figure 1). Engineers can’t blame marketing for this one!

A final example of the moderating strategy is of a company that developed a process for manufacturing methyl acetate that used reactive distillation to reduce the number of major pieces of equipment from eight columns, one extraction

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×

FIGURE 1 Poorly designed kitchen stove. Source: Norman, 1992.

FIGURE 2 Poorly designed control room. Source: Norman, 1992.

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×

column, and a reactor (Figure 3a) to one reactive distillation column and two additional columns (Figure 3b). The changes also eliminated all of the condensers, reboilers, instrumentation, piping, flanges, and other support equipment required for the original process (Agreda et al., 1990; Siirola, 1995).

CONFLICTS IN INHERENTLY SAFER DESIGN

A design can only be described as inherently safer in the context of a particular hazard. The design may or may not be inherently safer with respect to another hazard of the system. Therefore, design must be evaluated separately for each hazard. Thus, a water-based acrylic latex paint is inherently safer than a solvent-based paint with respect to flammability. It is also inherently safer with respect to the toxicity of the solvent (a water carrier for the latex paint). However, because of the low toxicity, latex paints may be capable of supporting the growth of microorganisms in the paint, which may make the paint useless and may also present a hazard to users. This hazard can be overcome by adding a biocide, but this is an “add-on” safety/usability feature, probably best described as “procedural” (because the manufacturer’s procedures must include adding the biocide), rather than “inherent.”

Designers must always remember that any modification, even one intended to improve safety, changes the system, and all changes have the potential to introduce new hazards or to increase the magnitude of existing hazards. The world is complex and interconnected. As John Muir said in My First Summer in the Sierra (1911), “When we try to pick out anything by itself, we find it hitched to everything else in the universe.” A system designer must always be aware that any modification to a system, including the introduction of new safety features, can create or increase hazards. He or she must work to identify those hazards and make decisions based on the optimal design.

A recent example of a safety device that introduced or increased hazards is the original design of air bags in automobiles. Air bags are active safety devices. The air bag system includes one or more sensors to detect a collision, logic elements to receive the signals from the sensors and deploy the air bag, and, finally, the air bag itself. The system is intended to protect the occupants of the front seat of an automobile from injury in case of a collision. Following the large-scale commercial introduction of air bags, it was found that they sometimes caused serious injuries, even deaths, to small people (usually women and children) when the air bags were activated in collisions judged to be not severe enough to have resulted in serious injury without them. The initial response to this discovery was to recommend that children always ride in the back seat of a car equipped with air bags (a procedural response) and to allow people to disarm air bags (an inherent response that eliminated the hazard but exposed occupants to increased risk from a different hazard in the event of a serious collision). Subsequent generations of automobile air bags have been designed to be less

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×

FIGURE 3 Process for manufacturing methyl acetate. 3a. Original process. 3b. Moderated process.

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×

energetic, providing adequate protection in case of a serious collision but not causing serious injury in less severe impacts. This change might also be considered an example of an inherently safer design, based on the principle of moderating risk.

RESPONDING TO ACCIDENT PRECURSORS THROUGH DESIGN

Accident precursors are one way designers learn about potential hazards in consumer products, industrial machines, chemical plants, or any other engineered system. Ideally, a designer will respond to accident precursors by reevaluating the original assumptions about potential hazards and risks and redesigning the system accordingly. If the accident precursors identify new hazards or indicate a higher risk of previously known hazards, the designer should ask himself or herself a series of questions as a basis for redesigning the system.

1. Can I redesign the system to eliminate the identified hazard completely?

This is the inherently safer design approach. For a chemical process, for example, many checklists are available for specific types of equipment to help the designer identify inherently safer design strategies (CCPS, 1998). These checklists expand on the general principles of inherently safer design described above, focusing on the specific characteristics of common chemical processing equipment, such as distillation columns, reactors, and heat exchangers.

2. Can I modify the system to reduce the potential damage from the hazard?

Although the ultimate goal of inherently safer design is to eliminate hazards completely, this is not always possible. A secondary goal is to reduce the magnitude of a hazard significantly, thereby reducing the potential consequences to the receptor of concern. Checklists for inherently safer design will also help the designer identify opportunities to reduce the magnitude of the consequences of an incident. Ideally, if a hazard cannot be completely eliminated, its magnitude can be reduced to the point that it is no longer capable of causing serious injury or damage to the environment or property.

3. Do the modifications to the system identified in Questions 1 and 2 introduce new hazards or increase the potential damage from existing hazards?

Once potential system improvements have been identified, a designer must recognize that the system will be changed. While the designer was focused on improving safety, he had concentrated his efforts on a particular hazard or set of hazards. Now, the designer must step back and reevaluate the entire system, considering all hazards, using the appropriate system hazard identification tools (e.g., process safety checklists, a HAZOP, or FMEA for a chemical process). If a new hazard is identified or existing hazards are increased, the benefits of the changes must be evaluated in terms of the initial hazard and in terms of the cost

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×

of introducing new hazards or increasing the magnitude of potential damage from other existing hazards.

The designer may also evaluate the relative difficulties, cost, and effectiveness of other risk management strategies (passive, active, procedural) for managing the overall risk. This is the central problem of all engineering design. It is rarely possible to optimize a design in a way that maximizes all desirable attributes and minimizes all undesirable attributes. The true art of engineering is understanding the trade-offs and conflicts in alternative designs and selecting the one that best meets the needs of all stakeholders.

4. What passive, active, and procedural design features are necessary to manage the risk from the hazards that inevitably remain in the design?

It is unlikely that any design can eliminate all hazards in a technology. Passive, active, and procedural layers of protection are always necessary to meet safety goals. Too often, engineers accept the hazards in a system and immediately look for systems and procedures to control and manage them. A better approach is to ask first if the hazards can be eliminated or significantly reduced. Perhaps the answer is no, but it is absolutely certain that they will not be eliminated or reduced if nobody ever asks the question.

5. What general lessons can be derived from my understanding of this hazard, and how can this knowledge be applied to other systems?

Specific incidents or accident precursors are always instances of a general type of incident. Engineers often focus exclusively on the details of an occurrence and fail to recognize the general lessons that can be derived from the event. The greatest improvements to overall safety are derived from an understanding of general lessons and their broad application throughout a technology, company, or industry. This requires that the engineer step back from the specific details of the incident, identify the general technical or managerial root causes, identify other processes, equipment, or products to which these causes might also apply, and share the incident, actions, and general lessons with all interested parties. The exact circumstances that led to a specific incident are unlikely to recur in precisely the same way, even if nothing is changed. But similar incidents are likely to occur, and lessons from an event in one facility can result in improvements in other facilities that appear to have little in common with the facility where the incident occurred.

CASE STUDY

This precursor event at a chemical processing plant illustrates how the design strategies I’ve described can be applied. The accident precursor was the rupture of a pipe in an unoccupied building in a plant that had been operating for many

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×

years. An investigation of the incident revealed previously unknown reactive chemistry hazards, and the follow-up to the incident included significant modifications in the design of equipment, which, at first glance, did not appear to have much to do with the equipment where the incident occurred.

The plant, which had been in operation for many years, manufactured methyl isothiocyanate (H3CN=C=S). The process reacts ammonium thiocyanate with methyl chloride to form methyl thiocyanate, which is isomerized to form methyl isothiocyanate. The process also involves a number of distillation and purification steps. In one part of the plant, a number of waste streams were collected for distillation to recover valuable materials for recycling before disposal of the residue as hazardous waste; some of the waste streams contained water.

The incident occurred when waste material was transferred from a collection tank to the distillation vessel through a steam-heated, insulated pipe. Following the transfer, the pipe was left full of the material, following standard operating procedures that had been in use for more than 20 years. This occurred late on a Friday night. The unit was then shut down and the building left unoccupied over the weekend. Early Saturday morning, the pipe ruptured, damaging some nearby piping and releasing a small amount of material. There were no injuries because the building was not occupied when the incident occurred. (For a more complete description, see Hendershot et al., 2003.)

Initially, it was believed that the rupture was most likely the result of hydrostatic pressure in a heated, liquid-filled line with valves closed on both ends. But other possibilities were also investigated, and subsequent laboratory work revealed that the cause was a decomposition reaction of the material in the pipe. The reaction was promoted by the presence of water in the combined waste stream and was initiated by a failure of the steam-pressure controller, resulting in maximum steam pressure and temperature on the pipe heat tracing. The decomposition reaction was previously unknown. It had taken more than 20 years for the right combination of events (sufficient water mixed with the organic components, a completely closed system, and heating to a temperature sufficient to initiate the decomposition reaction) to cause a rupture.

Actions

The investigation team did an excellent job of generalizing the lessons from the incident and identifying improvements that would contribute to the overall safety of the facility. Specifically, they asked themselves if the decomposition reaction that occurred in this pipe could occur elsewhere in the process. Laboratory experiments revealed several other areas where a similar decomposition could occur, and the team recommended improvements to eliminate the hazard, reduce its likelihood, or mitigate its effects.

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Inherent Risk Management

First, the company eliminated sources of water or water-contaminated process streams to all vessels, wherever this was feasible. This was an application of the minimizing inherently safer design principle. The amount of energy from the chemical decomposition reaction was minimized by eliminating the water necessary for the reaction to occur.

Passive Risk Management

No passive design improvements were identified in this example. However, if existing vessels are replaced in the future, or if a new plant is built, it may be feasible to build stronger vessels (higher design pressure) to contain potential decomposition reactions.

Active Risk Management

Several steps were taken to manage the risk of a recurrence. First, high-temperature interlocks to shut off steam heating were provided for several vessels that could potentially have been heated to the decomposition temperature. Second, existing rupture disks or relief valves on several vessels were determined to be too small to protect the vessels from overpressurization from the newly discovered decomposition reaction. To address the problem, adequate-size relief devices were designed and installed. Third, the faulty pressure regulator on the steam tracing for the ruptured pipe was replaced with a new one, and a pressure-relief valve was installed downstream of the regulator to limit the possible pressure (and temperature) in the event of a future failure of the regulator. Finally, several vessels were provided with a dry nitrogen blanket to prevent water from humid air entering the vessels when they were emptied.

Procedural Risk Management

Standard operating procedures were modified to include draining or blowing all heated liquid lines following transfers. In addition, the preventive maintenance program for the steam pressure regulators for pipeline steam tracing was upgraded.

DESIGN STRATEGIES

We can now analyze how the design team responded to the questions for hazard and risk management.

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×

1. Can I redesign the system to completely eliminate the identified hazard?

The design team eliminated the potential for reaction in many vessels by eliminating all sources of water.

2. Can I modify the system to reduce the potential damage from the hazard?

In places where the risk of water contamination could not be completely eliminated, the system was modified to reduce the amount of water that could get into that part of the system. Thus, the potential energy of the decomposition reaction was reduced.

3. Do the modifications to the system identified in Questions 1 and 2 introduce new hazards or increase the potential damage from existing hazards?

The investigation team recognized that process streams that contained water, which had previously been recycled, would now have to be disposed of. The team evaluated the relative costs and determined that the risk associated with the potential for a decomposition reaction outweighed the costs and risks associated with the disposal of a relatively small waste stream.

4. What passive, active, and procedural design features are required to adequately manage risk from the hazards which inevitably will remain in the design?

The investigation team identified the active and procedural changes described above to manage the residual risks.

5. What general lessons are derived from my understanding of this hazard and how can this knowledge be applied to other systems?

The investigation team applied the knowledge about the decomposition chemistry throughout the plant. In fact, most of the modifications were far removed from the pipe in which the incident occurred. Furthermore, this incident is an example of a general concern about reactive chemistry hazards, and particularly, reactive chemical structures. The investigation results were shared throughout the company, along with additional information about structures where the possibility for decomposition reactions should be evaluated. The incident was also shared with the entire industrial community through a presentation at a meeting of the American Institute of Chemical Engineers (AIChE) and subsequent publication in an AIChE journal (Hendershot et al., 2003). In fact, with the present paper, we continue to share the general lessons from this incident in the hope that we will raise awareness of reactive chemistry hazards and the importance of looking for general lessons from incident precursors throughout industry.

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×

SUMMARY

An effective program for recognizing and responding to accident precursors must include actions taken in response to the lessons learned from the precursors. Unless action is taken, the precursor program will be simply an exercise in data collection, and no changes or improvements will be made in the system. Responding to accident precursors requires a combination of management and engineering-design activities. Accident precursors provide new information about hazards, potential accident scenarios, and the effectiveness of existing safeguards. They either reveal hazards that were previously unrecognized or provide real information about potential risks associated with hazards or accident scenarios that are already known. The engineering-design response to this information involves a combination of inherent, passive, active, and procedural strategies. In general, the most effective strategy is to eliminate, or greatly minimize, the hazard (inherently safer design). However, most real systems require a combination of layers of protection incorporating features of all four categories of response.

REFERENCES

Agreda, V.H., L.R. Partin, and W.H. Hesie. 1990. High-purity methyl acetate via reactive distillation. Chemical Engineering Progress 86(2): 40–46.


CCPS (Center for Chemical Process Safety). 1992. Guidelines for Hazard Evaluation Procedures, 2nd ed. New York: American Institute of Chemical Engineers.

CCPS. 1996. Inherently Safer Chemical Processes: A Life Cycle Approach. New York: American Institute of Chemical Engineers.

CCPS. 1998. Guidelines for Design Solutions for Process Equipment Failures. New York: American Institute of Chemical Engineers.

CDC (Centers for Disease Control and Prevention). 2002. Hot Water Burns. Available online at http://www.cdc.gov/nasd/docs/d000701-d000800/d000702/d000702.html.


Delseth, R. 1998. Production industrielle avec le phosgene. Chemia 52(12): 698–701.


Hendershot, D.C., A.G. Keiter, J. Kacmar, J.W. Magee, P.C. Morton, and W. Duncan. 2003. Connections: how a pipe failure resulted in resizing vessel emergency relief systems. Process Safety Progress 22(1): 48–56.


Kletz, T.A. 1978. What you don’t have, can’t leak. Chemistry and Industry. May 6 (No. 9): 287–292.

Kletz, T.A. 1998. Process Plants: A Handbook for Inherently Safer Design. Philadelphia, Pa.: Taylor and Francis.


Muir, J. 1911. My First Summer in the Sierra. Boston: Houghton Mifflin.


Norman, D.A. 1992. Turn Signals Are the Facial Expressions of Automobiles. Reading, Mass.: Addison-Wesley.


Orrel, W., and J. Cryan. 1987. Getting rid of the hazard. The Chemical Engineer, August 1987, pp. 14–15.

Osterwalder, U. 1996. Continuous Process to Fit Batch Operation: Safe Phosgene Production on Demand. Pp. 6.1–6.6 in Symposium Papers, Institute of Chemical Engineers, Northwest Branch. Rugby, U.K.: Institute of Chemical Engineers.


Rolt, L.T.C. 1960. The Railway Revolution: George and Robert Stevenson. New York: St. Martin’s Press.


Siirola, J.J. 1995. An industrial perspective on process synthesis. American Institute of Chemical Engineers Symposium Series 91: 222–223.

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×

This page intentionally left blank.

Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 101
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 102
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 103
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 104
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 105
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 106
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 107
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 108
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 109
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 110
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 111
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 112
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 113
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 114
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 115
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 116
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 117
Suggested Citation:"Section IV Risk Management7 Inherently Safer Design." National Academy of Engineering. 2004. Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence. Washington, DC: The National Academies Press. doi: 10.17226/11061.
×
Page 118
Next: 8 Checking for Biases in Incident Reporting »
Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence Get This Book
×
Buy Paperback | $48.00 Buy Ebook | $38.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

In the aftermath of catastrophes, it is common to find prior indicators, missed signals, and dismissed alerts that, had they been recognized and appropriately managed before the event, could have resulted in the undesired event being averted. These indicators are typically called "precursors." Accident Precursor Analysis and Management: Reducing Technological Risk Through Diligence documents various industrial and academic approaches to detecting, analyzing, and benefiting from accident precursors and examines public-sector and private-sector roles in the collection and use of precursor information. The book includes the analysis, findings and recommendations of the authoring NAE committee as well as eleven individually authored background papers on the opportunity of precursor analysis and management, risk assessment, risk management, and linking risk assessment and management.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    Switch between the Original Pages, where you can read the report as it appeared in print, and Text Pages for the web version, where you can highlight and search the text.

    « Back Next »
  6. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  7. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  8. ×

    View our suggested citation for this chapter.

    « Back Next »
  9. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!