INHERENTLY SAFER AND MORE USER-FRIENDLY DESIGN
Introduction For many years the usual procedure in plant design was to identify the hazards, by one of the systematic techniques described later or by waiting until an accident occurred, and then add protective equipment to control them or to protect people from their consequences. This protective equipment is often complex and expensive and requires regular testing and maintenance. It often interferes with the smooth operation of the plant and is sometimes bypassed. Gradually the industry came to realize that, whenever pos-sible, we should design user-friendly plants that can withstand human error and equipment failure without serious effects on safety (and out-put and efficiency). When we handle flammable, explosive, toxic, or corrosive materials, we can tolerate only very low failure rates, of peo-ple and equipment, rates which it may be impossible or impracticable to achieve consistently for long periods.
The most effective way of designing user-friendly plants is to avoid, when possible, large inventories of hazardous materials in process or storage. “What you don’t have, can’t leak.” This sounds obvious, but until the explosion at Flixborough in 1974, little systematic thought was given to ways of reducing inventories. The industry simply designed a plant and accepted whatever inventory the design required, confident it could be kept under control. Flixborough weak-ened that confidence, and 10 years later Bhopal almost destroyed it.
Plants in which we avoid a hazard, by reducing inventories or avoiding hazardous reactions, are usually called inherently safer.
The principle ways of designing inherently safer plants, and other ways of making plants user-friendly, are summarized below, with examples (Kletz, Process Plants: A Handbook for Inherently Safer Design, Taylor & Francis, 1998).
Intensification or Minimization One approach is to use so lit-tle hazardous material that it does not matter if it all leaks out. For example, at Bhopal methyl isocyanate (MIC), the material that leaked and killed over 2000 people, was an intermediate that was convenient but not essential to store. Within a few years many companies had reduced their stocks of MIC and other hazardous intermediates.
Intensification is the preferred route to inherently safer design as the plants, being smaller, are also cheaper (Bell, Loss Prevention in the Process Industries, Institution of Chemical Engineers Symposium Series no. 34, 1971 p. 50).
Substitution If intensification is not possible, then an alternative is to use a safer material in place of a hazardous one. Thus it is possi-ble to replace flammapossi-ble solvents, refrigerants, and heat-transfer media by nonflammable or less flammable (high-boiling) ones, haz-ardous products by safer ones, processes that use hazhaz-ardous raw mate-rials or intermediates by processes that do not. As an example of the latter, the product manufactured at Bhopal (carbaryl) was made from three raw materials. Methyl isocyanate is formed as an intermediate.
It is possible to react the same raw materials in a different order so that a different and less hazardous intermediate is formed.
Attenuation or Moderation Another alternative to intensifica-tion is attenuaintensifica-tion, or using a hazardous material under the least haz-ardous conditions. Thus large quantities of liquefied chlorine, ammonia, and petroleum gas can be stored as refrigerated liquids at atmospheric pressure instead of under pressure at ambient
tempera-ture. (Leaks from the refrigeration equipment should also be consid-ered, so there is probably no net gain in refrigerating quantities less than a few hundred tons.) Dyestuffs that form explosive dusts can be handled as slurries.
Limitation of Effects of Failures Effects of failures can be lim-ited by equipment design or change in reaction conditions, rather than by adding protective equipment. For example:
• Heating media such as steam or hot oil should not be hotter than the temperature at which the materials being heated are liable to ignite spontaneously or react uncontrollably.
• Spiral-wound gaskets are safer than fiber gaskets because if the bolts work loose or are not tightened correctly, the leak rate is much lower.
• Tubular reactors are safer than pot reactors as the inventory is usu-ally lower and a leak can be stopped by closing a valve.
• Vapor-phase reactors are safer than liquid-phase ones as the mass flow rate through a hole of a given size is much less. (This is also an example of attenuation.)
• A small, deep diked area around a storage tank is safer than a large shallow one as the evaporation rate is lower and the area of any fire is smaller.
• Changing the order of operations, reducing the temperature, or changing another parameter can prevent many runaway reactions.
• Reduce the frequency of hazardous operations such as sampling or maintenance. We should consider the optimum balance between reliability and maintenance.
Simplification Simpler plants are friendlier than complex ones as they provide fewer opportunities for error and less equipment which can go wrong. Some of the reasons for complication in plant design are
• The need to control hazards. If we can intensify or carry out one of the other actions already discussed, we need less added protective equipment and plants will therefore be simpler.
• A desire for flexibility. Multistream plants with numerous crossovers and valves, so that any item can be used on any stream, have numer-ous leakage points, and errors in valve settings are easily made.
• Lavish provision of installed spares with the accompanying isolation and changeover valves.
• Continued adherence to traditional rules or practices that are no longer necessary.
• Design procedures that result in a failure to identify hazards until late in design. By this time it is impossible to avoid the hazard, and all we can do is to add complex equipment to control it.
Knock-on Effects Plants should be designed so that those inci-dents that do occur do not produce knock-on or domino effects. This can be done, e.g., by
• Providing firebreaks, about 15 m wide, between sections, similar to firebreaks in a forest, to restrict the spread of fire.
• Locating equipment that is liable to leak out-of-doors so that leaks of flammable gases and vapors are dispersed by natural ventilation.
Indoors a few tens of kilograms are sufficient for an explosion that can destroy the building. Outdoors a few tons are necessary for seri-ous damage. A roof over a piece of equipment, such as a compres-sor, is acceptable, but walls should be avoided. If leaks of toxic gases are liable to occur, it may be safer to locate the plant indoors, unless leaks will disperse before they reach members of the public or employees on other units.
INHERENTLY SAFER DESIGN AND OTHER PRINCIPLES 23-39
• Constructing storage tanks so that the roof-wall weld will fail before the base-wall weld, thus preventing spillage of the contents. In gen-eral, in designing equipment we should consider the way in which it is most likely to fail and, when possible, locate or design the equip-ment so as to minimize the consequences.
Making Incorrect Assembly Impossible Plants should be designed so that incorrect assembly is difficult or impossible. For example, compressor valves should be designed so that inlet and exit valves cannot be interchanged; hose connections of different types or sizes should be used for compressed air and nitrogen.
Making Status Clear It should be possible to see at a glance if equipment has been assembled or installed incorrectly or whether it is in the open or shut position. For example:
• Check valves should be marked so that installation the wrong way round is obvious. It should not be necessary to look for a faint arrow hardly visible beneath the dirt.
• Gate valves with rising spindles are friendlier than valves with non-rising spindles, as it is easy to see whether they are open or shut.
Ball valves and cocks are friendly if the handles cannot be replaced in the wrong position.
• Figure 8 plates are friendlier than slip plates (blinds) as their posi-tion is apparent at a glance. If slip plates are used, their projecting tags should be readily visible, even when the line is insulated. In addition, spectacle plates are easier to fit than slip plates, if the pip-ing is rigid, and are always available on the job. It is not necessary to search for one, as with slip plates.
Tolerance Whenever possible, equipment should tolerate poor installation or operation without failure. Expansion loops in pipework are more tolerant of poor installation than are expansion joints (bel-lows). Fixed pipes, or articulated arms, if flexibility is necessary, are friendlier than hoses. For most applications, metal is friendlier than glass or plastic.
Bolted joints are friendlier than quick-release couplings. The for-mer are usually dismantled by a fitter after issue of a permit-to-work.
One worker prepares the equipment and another opens it up; the issue of the permit provides an opportunity to check that the correct precautions have been taken. In addition, if the joints are unbolted correctly, any trapped pressure is immediately apparent and the joint can be remade or the pressure allowed to blow off. In contrast, many accidents have occurred because operators opened up equip-ment that was under pressure, without independent consideration of the hazards, using quick-release couplings. There are, however, designs of quick-release coupling which give the operator a second chance.
Low Leak Rate If friendly equipment does leak, it does so at a low rate which is easy to stop or control. Examples already mentioned are spiral-wound gaskets, tubular reactors, and vapor-phase reactors.
Ease of Control Processes with a flat response to change are obviously friendlier than those with a steep response. Processes in which a rise of temperature decreases the rate of reaction are friend-lier than those with a positive temperature coefficient, but this is a dif-ficult ideal to achieve in the chemical industry. However, there are a few examples of processes in which a rise in temperature reduces the rate of reaction. For example, in the manufacture of peroxides, water is removed by a dehydrating agent. If magnesium sulfate is used as the agent, a rise in temperature causes release of water by the agent, dilut-ing the reactants and stoppdilut-ing the reaction (Gerrison and van’t Land, I&EC Process Design, 24, 1985, p. 893).
Software In some programmable electronic systems (PESs), errors are much easier to detect and correct than in others. Acciden-tally pressing the wrong key should never produce serious conse-quences. If we press the delete key on our computers, sometimes we are asked if we really want to do so; but stocks and currency have been accidentally sold or bought because someone pressed the wrong key.
If we use the term software in the wider sense to cover all procedures, as distinct from hardware or equipment, some software is much friendlier than others. For example, if many types of gaskets or nuts and bolts are stocked, sooner or later the wrong type will be installed.
It is better, and cheaper in the long run, to keep the number of types stocked to a minimum even though more expensive types than are strictly necessary are used for some applications.
Actions Needed for the Design of Inherently Safer and User-Friendly Plants
1. Designers need to be made aware that there is scope for improv-ing the friendliness of the plants they design.
2. To achieve many of the changes suggested above, it is necessary to carry out much more critical examination and systematic consider-ation of alternatives during the early stages of design than has been customary in most companies. Two studies are suggested, one at the conceptual or business analysis stage when the process is being chosen and another at the flow sheet stage. For the latter the usual hazard and operability study (HAZOP) questions may be suitable but with one difference. In a normal HAZOP study on a line diagram, if we are dis-cussing “more of temperature,” say, we assume that it is undesirable and look for ways of preventing it. In a HAZOP of a flow sheet, we should ask if “more of temperature” would be better. For the concep-tual study, different questions are needed.
Many companies will say that they do consider alternatives during the early stages of plant design. However, what is lacking in many compa-nies is a formal, systematic structured procedure of the HAZOP type.
When a new plant is needed, it is usually wanted as soon as possible, and so there is no time to consider and develop inherently safer designs (or other innovations). When we are designing a new plant, we are con- scious of all the improvements we could have made if we had had more time. These possible improvements should be noted and work on their feasibility started, ready for the plant after next. Unless we do so, we will never innovate and will ultimately lose to those who do.
3. To achieve the more detailed improvements suggested above, it may be necessary to add a few questions to those asked during a nor-mal HAZOP. For example, what types of valve, gasket, blind, etc. will be used?
INCIDENT INVESTIGATION AND HUMAN ERROR Although most companies investigate accidents (and many investigate dangerous incidents in which no one was injured), these investigations are often superficial and we fail to learn all the lessons for which we have paid the high price of an accident. The collection of evidence is usually adequate, but often only superficial conclusions are drawn from it. Identifying the causes of an accident is like peeling an onion.
The outer layers deal with the immediate technical causes and trig-gering events while the inner layers deal with ways of avoiding the hazard and with the underlying weaknesses in the management sys-tem (Kletz, Learning from Accidents, 3d ed., Gulf Professional, 2001).
Dealing with the immediate technical causes of a leak, e.g., will pre-vent another leak for the same reason. If we can use so little of the hazardous material that leaks do not matter, or a safer material instead, as discussed above, we prevent all significant leaks of this haz-ardous material. If we can improve the management system or improve our designs, we may be able to prevent many more accidents.
Other points to watch when you are drawing conclusions from the facts are as follows:
1. Avoid the temptation to list causes we can do little or nothing about. For example, a source of ignition should not be listed as the pri-mary cause of a fire or explosion as leaks of flammable gases are liable to ignite even though we remove known sources of ignition. The cause is whatever led to the formation of a flammable mixture of gas or vapor and air. (Removal of known sources of ignition should, however, be included in the recommendations.)
Similarly, human error should not be listed as a cause. See item 7 below.
2. Do not produce a long list of recommendations without any indi-cation of the relative contributions they will make to the reduction of risk or without any comparison of costs and benefits. Resources are not unlimited, and the more we spend on reducing one hazard, the less there is left to spend on reducing others.
3. A named person should be made responsible for carrying out each agreed recommendation, and a completion date agreed with him or her. The report should be brought forward at this time; otherwise, nothing will happen except a repeat of the accident.
4. Avoid the temptation to overreact after an accident and install an excessive amount of protective equipment or complex procedures that
23-40 PROCESS SAFETY
Do not use expansion joints in lines carrying hazardous materials More involvement by process safety experts in design
FIG. 23-17 An example of the many ways by which an accident could have been prevented.
are unlikely to be followed after a few years have elapsed. Sometimes an accident occurs because the protective equipment available was not used, but nevertheless the report recommends installation of more protective equipment; or an accident occurs because complex procedures were not followed, and the report recommends extra pro-cedures. It would be better to find out why the original equipment was not used or the original procedures were not followed.
5. Remember that few, if any, accidents have a single cause. In most cases many people had an opportunity to prevent it, from the chemist who developed the process to the operator who closed the wrong valve. Figure 23-17 shows by example the opportunities that were available to prevent a fire or minimize the consequences of an apparently simple incident: an expansion joint (bellows) was incor-rectly installed in a pipeline so that it was distorted. After some months it leaked, and a passing vehicle ignited the escaping vapor.
Damage was extensive as the surrounding equipment had not been fire-protected to save on costs.
The fitter who installed the expansion joint incorrectly could have prevented the fire. So could the person who was responsible for her or his training and supervision; so could the designers if they had not specified an expansion joint, had carried out a HAZOP, or had con-sulted experts; so could the author of the company’s design standards, and those responsible for the training of designers; those responsible for inspection of workmanship, and anyone who kept his or her eyes open when walking round the plant.
6. When you are reading an accident report, look for the things that are not said. For example, a gland leak on a liquefied flammable gas pump caught fire and caused considerable damage. The report drew attention to the congested layout, the amount of redundant equip-ment in the area, the fact that a gearbox casing had been made of alu-minum, which melted, and several other unsatisfactory features. It did not stress that there had been a number of gland leaks on this pump over the years, that reliable glands are available for liquefied gases at
ambient temperatures, and therefore there was no need to have toler-ated a leaky pump on this duty.
7. At one time most accidents were said to be due to human error, and in a sense they all are. If someone, designer, manager, operator, or maintenance worker had done something differently, the accident would not have occurred. However, the term human error is not very helpful as different types of error require quite different actions to prevent their happening again. The following classification of errors is recommended as it helps us see the type of action needed to prevent a repeat (Kletz, An Engineer’s View of Human Error, 3d ed., Institu-tion of Chemical Engineers, United Kingdom, and Taylor and Fran-cis, 2001).
7. At one time most accidents were said to be due to human error, and in a sense they all are. If someone, designer, manager, operator, or maintenance worker had done something differently, the accident would not have occurred. However, the term human error is not very helpful as different types of error require quite different actions to prevent their happening again. The following classification of errors is recommended as it helps us see the type of action needed to prevent a repeat (Kletz, An Engineer’s View of Human Error, 3d ed., Institu-tion of Chemical Engineers, United Kingdom, and Taylor and Fran-cis, 2001).