OSHA's PSM Update: What's Not There — PSM Updates
We have been working our way through OSHA’s proposed changes to its process safety standard. Our reviews to date have focused on what the agency said in its 24 change items. What can be equally interesting is discussing those topics that seem to be relevant, but that were not mentioned.
Inherent safety is an example of such a non-change.
The Dog That Did Nothing
In the story Silver Blaze, published in 1892 (exactly 100 years before OSHA’s process safety standard), the detective Sherlock Holmes investigates an apparent murder. The story is famous for the dog that did not bark.
Gregory (Scotland Yard detective): “Is there any other point to which you would wish to draw my attention?”
Sherlock Holmes: “To the curious incident of the dog in the night-time.”
Gregory: “The dog did nothing in the night-time.”
Sherlock Holmes: “That was the curious incident.”
When it comes to OSHA’s proposed changes, the fact that Inherent Safety is not mentioned is a “curious incident”.
Inherent Safety
Inherent Safety is a topic that has rightly received considerable attention since OSHA introduced its standard in 1992. It has been the focus of many papers and articles. Moreover, even though OSHA does not use the term in its proposed changes, inherent safety appears to be what the agency is driving toward in many of its statements, for example those to do with RAGAGEP. (Other agencies, such as the UK Health and Safety Executive, have explicitly incorporated inherent safety into their regulations.)
The importance of inherent safety is that it is the most effective way of improving a facility’s safety.
There are three ways of reducing risk: (1) remove the hazard, (2) reduce the consequences of the hazard, (3) reduce the likelihood of occurrence. Of these, the only one that can reduce risk to zero is the first: remove the hazard. Inherent safety focuses on ways of removing hazards altogether, not on reducing the risk associated with a situation that already exists.
Five Categories
Trevor Kletz was one of the first people to write on this topic in his 1978 paper What you don't have, can't leak.
He and others developed the following five categories of inherent safety. They are generally addressed in the order shown, i.e., those at the top of the list provide greater safety than those at the bottom.
Eliminate
Minimize (Intensify)
Substitute (Attenuate)
Moderate (Limit Effects)
Simplify (Error Tolerance)
Strictly speaking, the ‘Eliminate’ option is the only one that provides true inherent safety; all the others reduce risk, but do not eliminate it.
Eliminate
The only way of reducing risk to zero is to remove the hazard that creates that risk. (Safety can also be made perfect if no one is present.) Therefore inherent safety is best achieved by totally removing the item that creates the hazard. (“If a tank’s not there, it can’t leak.”) For example, if a pump is being used to transfer a liquid from one tank to another, it may be found that there are other means of effecting the transfer that do not need a pump. Options may include gravity flow or the use of air at high pressure. (But the use of compressed air may create greater risk than that associated with having a pump. One always has to be aware of the Law of Unintended Consequences.)
Minimize
Where possible, smaller quantities of hazardous materials should be used. This philosophy derives in part from the Bhopal tragedy. That facility stored large quantities of the intermediate compound methyl isocyanate that created the toxic cloud. Had the facility been designed so as to greatly reduce this inventory — a technically feasible solution — then the consequences of the event would have been much less severe.
There is one situation where minimization may not be appropriate, and that is to do with adding over-capacity to equipment. Although design engineers are under constant pressure to reduce the size of equipment so as to save costs, some over-design can help take care of operational upsets and changes in performance. For example, adding extra tubes to a heat exchanger may help handle temperature surges, and it may reduce the frequency of exchanger cleanings, thus reducing the exposure of maintenance personnel.
Substitute
Another way of achieving inherent safety is to replace a hazardous material with one that is less hazardous. Thus, the consequences of a release are fundamentally less dangerous. For example, if it is possible to use a water-based solvent rather than a hydrocarbon solvent, the system becomes inherently safer.
A classic example of substitution concerns the use of hydrogen fluoride (HF) as an alkylation catalyst in oil refineries. The properties of HF that make it such an effective catalyst also make it a highly corrosive and toxic chemical in the event of a release. An alternative alkylation catalyst is sulfuric acid. Although sulfuric acid is also a hazardous material, it cannot cause a catastrophic accident when released in the way that HF can.
Another example of substitution includes the use of aqueous rather than anhydrous ammonia.
Moderate
Moderation accepts that a certain condition exists but aims to reduce its impact. Safety through moderation is generally achieved either by changing equipment, by increasing the spacing between equipment items, or by moving people away from the site of a potential incident. (Arguably, this approach is not truly inherent safety, since the hazard is not removed.)
Equipment Modification
In the case of the pump that is transferring liquid from one tank to another, the greatest risk may occur if the pump is blocked in while running and reaches its dead-head pressure. In such a case the risk can be moderated by selecting a pump with a lower-pressure curve, so that its dead-head pressure is lower.
Spacing
An important aspect of moderation concerns the use of space between equipment items. Blast overpressure and concentrations of toxic gas from releases fall off exponentially with distance. Inherent safety suggests that it is better to protect systems from the effects of an explosion by moving them apart from one another than by putting a blast wall between them.
If equipment items are spaced well apart from one another there is also less risk of a confined vapor cloud forming with its potential for a very destructive explosion.
Underground Location
For onshore facilities it is generally better to run utilities such as electrical cabling and instrument lines underground. This will protect them from fires and explosions (a particularly important consideration if some of the utility systems need to be kept in operation as part of the facility’s emergency response program). The protection of utilities is also important because it is often found that, following a major accident, large equipment items and piping are soon back in service, but it can take a long time to repair the damaged utility systems, particularly instrumentation runs.
Putting utilities underground does have drawbacks. There is an “out of sight, out of mind” problem: buried systems may not be inspected and checked as thoroughly as those above ground. They may also be more subject to corrosion than if they were above ground. A sensible compromise is to place utility lines below grade in open trenches.
Removing People
“If a man’s not there, he can’t be killed”. The risk associated with a system can be moderated by moving personnel away from the equipment. Ideally, people will not be present at all.
An excellent example of the effect of removing people occurs almost every year in the Gulf of Mexico. Typically, three or four destructive hurricanes enter the Gulf each year. These hurricanes can and do cause serious damage to offshore oil and gas platforms. Yet the number of people who are killed or injured is zero because the platforms are evacuated well before the hurricane arrives.
Simplify
The final step in achieving Inherent Safety is to make systems as simple as possible. Simplification can be achieved by making equipment and systems simpler, and/or by reducing the potential for human error (and making sure that the system fails safe if someone does make an error).
Equipment Simplicity
A simple system is easier for operations personnel to understand. The chance of operating and maintenance errors is reduced. And, if things do go awry, the operators will probably have a better grasp of the situation. (Once more, this approach is not truly to do with inherent safety; it is more to do with consequence reduction.)
Simple equipment is less likely to fail than equipment that is more complex. Referring to the pump example once more, it is possible that another vendor can provide the same piece of equipment but with many fewer moving parts, thus reducing both the chance of failure and the number of maintenance tasks to be carried out.
Error Tolerance
An important part of simplification concerns making systems error tolerant. The system should also be designed such that, if a person does make a mistake, operations fail into a safe condition. For example, different types of hose nozzles can be used for different chemicals. Therefore, if an operator tries to connect the wrong hose to a truck or rail car, the nozzle type will prevent him from doing so.
Index of Posts
For a list of the posts that we have published to do with OSHA’s proposed updates, please visit Update to OSHA’s Process Safety Management Regulation: An Index.