Much of the literature to do with process safety stresses its difference from occupational or personal safety. But process safety can itself be divided into the following four categories: Inherent Safety, Passive Safety, Active Safety, and Procedural / Administrative Safety.
Of the four, the most effective is Inherent Safety because, no matter what happens, the system will always remain in a safe condition. However, what is often referred to as Inherent Safety should, strictly speaking, be assigned to one of the other process safety categories. (In practice, the term Inherent Safety is also applied when a fundamental change in a process is made. For example, if the inventory of flammable materials is reduced by 90% then that action is often referred to as being inherently safe, even though it is actually just reducing the maximum consequence of a potential event.)
The basic idea behind the Inherent Safety concept is that process facilities should be designed, built and operated such that, were there to be any type of failure, the system would maintain a safe state, regardless of the existence and effectiveness of safeguards or emergency response systems. This is not done by reducing the consequences or projected frequency of an event but by either removing a hazard altogether, or by removing people from the facility.
In his 1998 book Process Plants: A Handbook for Inherently Safer Design, Trevor Kletz told a story to do with a chemical facility that adopted inherent safety — even though the term had not been invented at that time.
Early in the 20th century a factory in England manufactured the dangerous explosive nitro-glycerine. Making nitro-glycerine was very dangerous. Concentrated acids were mixed with glycerine in huge vats. If too much glycerine was added too quickly to the mixture, it would become unstable, and a large valve would have to be opened to quickly dump the whole batch into a large vat of water. Failure to do this quickly could have led to a catastrophic explosion.
The worker in charge of this process (whose picture is shown at the top of this page) was allowed to sit down, but only on a one-legged stool. Hence, if he dozed off he would fall and wake up. Although this system worked, inasmuch as they never had an explosion, it was obviously not inherently safe. (In fact, it reduced the frequency term in the risk equation; the possibility of an explosion still existed, but its likelihood was much reduced.)
Later, they modified the process such that the glycerine and acids were fed into a small piece of pipe in which the reaction took place. This meant that the worst-case scenario was far less serious than the original setup. They had made the system inherently safe.
Trevor also used the explosion that occurred in Flixborough, England, in 1974, in which 28 men died, to develop some of his ideas to do with inherent safety. For example, the severity of the event could have been reduced had the facility had lower inventories of highly flammable materials. (It should also be noted that the incident took place at a weekend when the number of people at the site was considerably lower than normal. Many more people would have died had it been a normal workday. Nevertheless, it was unfortunate that so many of the workers chose to stay on duty, long after they knew that they had lost control. Had they moved away from the site, the number of deaths would have been much lower.)
We are seeing a trend toward inherent safety in the offshore oil and gas industry. An increasing number of risky activities are now being handled by fully automated/robotic systems. Therefore, were there to be a major incident along the lines of Deepwater Horizon or Piper Alpha, there would be no one present to be killed or injured. (The environmental impact would, however, continue to be very serious.)
A passive safety system is one that brings an out-of-control condition back to a safe state without any action required from equipment, instruments or facility personnel. An example of a passive safeguard is the containment (bund) wall that is typically located around storage tanks, as shown in the sketch. The volume of the bund is usually 110% of the volume of the tank. Thus, if the tank fails catastrophically, the spilled liquid will be contained. The wall is totally passive, requiring neither equipment nor human intervention in order to do its job. It will always be there, regardless of what else is going on.
But this system is not inherently safe. For example, the wall has a drain valve, as shown. The valve is opened to drain off accumulated rain water that collects inside the bund. If the valve is inadvertently left open then the passive safety system has been defeated.
. . . . .