Risk-Based Process Safety

Design
ioM osa ic C or p or a tion

Introduction

The Concept of Risk Focus U.S. and European Process Safety

Regulations and Guidelines Case Study: Reducing Mitigation
Costs Using a Risk-Based Approach

A Systematic Approach

Nine Steps to Cost-

Cost-Effective Risk-
Risk-Based Design

Guidelines for Risk Tolerability Focus: Representative Risk Toler-

ability Criteria

Design Solutions: Understanding the Options

Safe designdesign that effectively minimizes the likelihood of process

accidents and mitigates their consequenceshas long been a priority in
the process industries. Today, process industry companies need to be
certain that their stakeholders have confidence in how they manage the
environmental, health, and safety implications of industrial activities. A
safeand documenteddesign basis, together with a formal safety man-
agement system and safety practices, procedures, and training, is criti-
cal for providing that level of confidence required for risk management.

Risks cannot be completely eliminated from the handling, use, process-

ing, and storage of hazardous materials. Instead, the goal of process
safety management is to consistently reduce risk to a level that can be
tolerated by all concernedby facility staff, company management, sur-
rounding communities, the public at large, and industry and government
agencies. A systematic, risk-based approach to safety design can help
eliminate hazards that pose intolerable risk from the process and miti-
The goal of process
gate the potential consequences of hazards. safety management is to
To achieve a consistent, effective approach to risk reduction, designers consistently reduce risk to
must be able to define tolerable and intolerable risks. To meet the a level that can be
expectations of shareholders, employees, regulators, and the communi-
ties that surround process facilities, design engineers need to be able to tolerated by all
document how risk is addressed in the design process. concerned.
At the same time, to meet the business needs of the company, the proc-
ess safety solutions designers propose must be as cost-effective as pos-
sible. A risk-based approach to design safety enables designers to an-
swer the needs of all process safety stakeholders without compromis-
ing on safety or spending too much on excessive prevention and mitiga-
tion measures.

Copyright 2002, ioMosaic Corporation. All rights reserved.

 ioMosaic Corporation
The Concept of Risk
In chemical process safety design, risk is understood in terms of the likelihood
and consequences of incidents that could expose people, property, or the envi-
ronment to the harmful effects of a hazard. Hazards, as defined by the Center for
Chemical Process Safety of the American Institute of Chemical Engineers, are po-
tential sources of harm, including chemical or physical conditions or characteris-
tics that can damage people, property, or the environment. Incident likelihood
encompasses frequency and probability; consequences refers to outcomes and
impacts.

It is always possible to identify scenarios that would be catastrophic for the sys-
tem being designed. Process and emergency relief system (ERS) design does not
necessarily need to address the worst scenario someone can identify. A line must
be drawn (or a gray area defined) between likely scenarios and unlikely ones. For
example, a process might use substance chloride, which is known to react vigor-
ously with water. If water is not present at the site, there is no need to address
that reaction scenario in ERS design. If water is on-site, but is not used in the
same process as chloride there is still no need to address B in ERS design. If wa-
ter is not used in the same process as chloride, but they share a storage facility,
then, depending on the circumstances, it might make sense to include a chlo-
ride/water reaction scenario in ERS design.

Risk-based approaches to decision-making have gradually gained ground in proc-

ess safety. In other business areas, risk analysis has been an important part of
decision-making for some time. Risk-based approaches can benefit process
safety environmental mangers by supporting a clear, consistent approach to de-
cision-making about risks and by providing about safety design choices that key
stakeholders. can understand. The technical nature of many aspects of process
safety risk analysis has made this area something of a specialists preserve. With
an approach to risk analysis that combines technical sophistication with out-
comes that clearly communicate risks and choices, companies can achieve a
greater degree of confidence about the management of process risk.

Risk-based approaches
to decision-making have
gradually gained ground
in process safety.

Copyright 2002, ioMosaic Corporation. All rights reserved.

 ioMosaic Corporation

Figure 1
Process Safety Design: Some Recent Regulatory Requirements and Industry Guidelines
In many cases, companies have been revisiting process design basis issues to meet recent regula-
tory requirements and industry guidelines. These include:

United States Regulations

Risk Management Program (RMP) Rule. The U.S. Environmental Protection Agencys risk manage-
ment program rule, published in final form on June 20, 1996 as part of the Clean Air Act Amend-
ments of 1990, requires facilities with regulated substances to prepare a risk management plan.
These substances include 77 toxic substances, 63 flammables, and certain high explosives. The
program required by the RMP rule includes an emergency response program, a hazard assessment
program, a prevention program, and an overall system for developing and implementing a risk man-
agement program.

Process Safety Management (PSM) Rule. The Occupational Safety and Health Administrations PSM
rule, issued in 1992, addresses the process safety management of highly hazardous chemicals.
The rules process safety information, process hazard analysis, and pre-startup safety review ele-
ments address activities related to process design and documentation. Under the process hazard
analysis element, for example, regulated facilities must conduct a process hazard analysis and es-
tablish priorities for implementing risk-reduction measures. But while the OSHA rule requires hazard
evaluation and prioritization, it does not emphasize risk-based approaches to managing process
hazards.

State Regulations. The OSHA PSM rule follows the regulatory lead taken by California, New Jersey,
and Delaware for the management of process hazards. In California, facilities that store acutely
hazardous materials (AHMs) must prepare a Risk Management and Prevention Program (RMPP) to
document how AHMs are handled to minimize the possibility of a release. The RMPP law states that
the RMPP shall be based upon an assessment of the processes, operations, and procedures of the
business, and shall consider the results of a HAZOP study . . . and an offsite consequence analysis.
From these studies, facilities develop risk assessments that guide risk mitigation and emergency
response planning.

Regulations in European Countries

The Seveso Directives. Under the first Seveso Directive, passed by the European Community in
1982, specific industries are to meet safety requirements such as carrying out safety studies, pro-
viding hazard notification, develop, and maintaining emergency response plan. Seveso II, passed in
1984, covers the transport of hazardous wastes that cross national borders within the European
Community.

Industry Guidelines
AIChE CCPS Guidelines. Since 1985, the Center for Chemical Process Safety, a part of the American
Institute of Chemical Engineers, has worked to promote process safety among those who handle,
use, process and store hazardous materials. CCPs publishes a series of publications covering the
full range of technical and management issues in process safety and design, including the forth-
coming ----- [Guidelines for Selecting the Design Basis for Process Safety Systems].

Responsible Care. Introduced in 1988, the Responsible Care program of the Chemical Manufactur-
ers Association requires each member organization to establish six key program elements, including
guiding principles, codes of management practice, and public advisory panels. Management prac-
tice codes include the Process Safety Code. Its four elements cover management leadership, tech-
nology, facilities, and personnel, emphasizing company objectives rather than specific prescribed
standards.

API/CMA Recommended
Recommended Practice 752. Issued in 1995, this recommended practice employs a risk-
based approach for management of hazards associated with location of process plant buildings.
Both flammable and toxic hazards are addressed as well as the frequency and consequences of
hazardous material releases. The intent is that the relative risk of individual buildings should be
identified and used in planning and projects that involve building changes.

Copyright 2002, ioMosaic Corporation. All rights reserved.

 ioMosaic Corporation
A Systematic Approach
In designing a process, designers first address the mechanics of making the prod-
uct. A core design is defined by heat and material balances and basic process
controls. Once the core design is determined, engineers examine ways in which
the system could break down. They look at issues concerning the reliability,
safety, quality control, and environmental impact of the system. They try to deter-
mine what failures might occur, what effect these failures (impact scenarios)
might have in terms of quality, safety, cost, and the environment would be, and
how likely these scenarios are. As they answer these questions and proceed with
system design, engineers are continually making risk-based decisions. But all too
often, their decisions may not be based on measurements of riskonly percep-
tions. The process used may be neither systematic nor comprehensive.

Case Study
Reducing Mitigation Costs Using a Risk-Based Approach
A worldwide chemical manufacturer investigated best available technology options for risk
reduction in two processes and found that optimal results would require a $2.5 million capital
expenditure. Seeking a fresh angle on the technology and science of risk reduction, the com- A core design is defined
pany asked Arthur D. Little to help its technical staff explore cost-effective alternatives for reach-
ing an equalor superiorlevel of risk reduction. Working closely with the companys scientists by heat and material
and process engineers, we used a risk-based approach to develop and rank risk-reduction
measures and their costs. The approach, which included the evaluation of areas such as the
design basis for pressure relief system sizing, drew on recent advances in emergency relief sys-
balances and basic process
tem and mitigation design. controls.
After collaborating with the company team on the development of risk matrices for risk-
reduction alternatives, we helped present the alternatives to their senior management. The ma-
trices showed that the most significant risk reduction could be achieved at a cost of $200,000,
and that almost no further reduction could be achieved by spending additional money. The com-
pany immediately benefited from this work by achieving optimal risk reduction in two processes
for one-tenth of the original cost estimate. The study also provided documentation for meeting
new U.S. process safety management regulations. Most important, the savings increased the
capital available for technology upgrades and risk reduction in the companys other processes.

Copyright 2002, ioMosaic Corporation. All rights reserved.

The approach presented here offers a disciplined, consistent thought process ioMosaic Corporation
and flexible implementation options. When the process for selecting the design
basis lacks consistency, it is difficult to know whether the same risk-
management philosophy supports all of a companys process safety and risk de-
cisions. As a result, inconsistencies in approach can develop between different
processes and facilities, and, in the case of large, complex design projects, differ-
ent design engineers on the same project may be using different philosophies.

Ideally, safety should be a theme at each stage in a systematic design cycle

laboratory, pilot, production design, operations. But the most cost-effective solu-
tions tend to emerge in the earliest design stage. A systematic approach does
not necessarily mean a quantitative one. Quantitative analysis is most time- and
cost-effective when it is used selectively. In many simple design situations, quali-
tative approaches are sufficient for selecting process safety system design
bases. More complex design cases may occasionally require quantitative risk
analysis. But even then, quantitative methods should only be used up to the
point where a decision can be made.

For example, consider a company that has toxic-impact criteria limiting off-site
vapor cloud concentrations to a specific, quantified level of concern. By perform-
ing vapor cloud dispersion calculations (through a quantitative characterization
of the consequences of potential releases) the company can determine whether
specific loss-of-containment scenarios associated with specific failures exceed
the toxic impact criteria. If the scenario consequences do not exceed off-site
toxic impact tolerability criteria, then there is no need to continue with an analy-
sis of event likelihood or further risk quantification.

By performing vapor
cloud dispersion
calculations the company
can determine whether
Case Study specific loss-of-containment
Evaluating Risk Reduction Alternatives Using a Risk-Based Approach scenarios associated with
A facility belonging to a large chemical manufacture was producing a family of chemicals that
specific failures exceed the
react vigorously with water, generating corrosive and toxic by-products. The production process
utilized water-cooled heat exchangers for condensing and cooling the process streams. Given toxic impact criteria.
the hazard potential due to exchanger leaks, the facility had embarked of a program to reduce
the risk of such and event. However, they needed a way to determine which risk reduction op-
tion or combination of measures was the most effective.

Working closely with the companies operations and design engineers, we utilized elements of a
risk-based approach to determine the relative benefit of various risk mitigation alternatives. The
approach involved a qualitative estimate of the consequences of exchanger leaks, since almost
any size leak would result in an undesirable outcome. A quantitative determination of the likeli-
hood of such events for different risk reduction measures, was also conduced to establish the
relative benefit of the various options. The results were presented to a group of engineers and
managers, to allow them to decide which option would meet their risk tolerability criteria. The
company opted for the inherently safer solution of substituting a non-reactive coolant for water.

While the selected design approach was not the lowest capital cost alternative, there were off-
setting operating cost benefits in terms of less maintenance cost, down-time, and administrative
complexity.

Copyright 2002, ioMosaic Corporation. All rights reserved.

 ioMosaic Corporation
Nine Steps to Cost-Effective Risk-Based Design
The technique outlined here derives from process design engineers characteris-
tic problem-solving methods and can be applied to all design cases, from the
simplest to the most complex. The technique provides for a disciplined thought
process and flexibility in its application. It comprises a sequence of analysis and
testing steps in the form of a decision tree.

1. Identify failure scenarios. When designers have established a core process de-
sign, they can address things that can go wrongfailure scenarios that might re-
quire a process safety system. Process hazard analysis techniques and past ex-
perience provide information on possible failure scenarios.

2. Estimate the consequences. In this step, designers establish the conse-

quences of the failure scenarios identified in Step 1. These scenarios typically
involve quality, safety, health, and environmental impacts. Consequences of in-
terest include fires, explosions, toxic materials releases, and major equipment
damage. Some potential consequences can be determined through direct obser-
vation, engineering judgment, or the use of qualitative consequence criteria.
Other cases require experimentation or analytical approaches such as the calcu-
lation of maximum hazard distances of vapor cloud dispersion.

3. Determine the tolerability of the consequences. Answering this question re-

quires guidance from established tolerability criteria. These include: company-
specific criteria; engineering codes and standards; industry initiatives such as
Responsible Care; and regulatory requirements. For ERS design, the focus of this
Step is on comparing the potential rise in pressure to the mechanical limits of
the equipment under consideration.

Copyright 2002, ioMosaic Corporation. All rights reserved.

4. Estimate likelihood and risks. Estimates of likelihood rest upon an understand- ioMosaic Corporation
ing of the mechanism and frequency with which failure scenarios such as those
identified in Step 1 might occur. When historical data is available about equip-
ment and processes, these data can be used to arrive at failure scenario fre-
quency estimates. When data is lacking, methods such as fault tree analysis help
in developing quantified estimates. Measures of risk are arrived at by combining
risk and consequence estimates. A detailed review of methods for combining
likelihood and consequence estimates to obtain risk measures can be found in
Guidelines for Chemical Process Quantitative Risk Analysis. Some cases can be
resolved through comparisons with similar systems or through the use of qualita-
tive tools such as risk matrices. Others will require quantified approaches such
as risk profiles and risk contours.

5. Determine
Determine risk tolerability. Determining risk tolerability means asking Can
weand our stakeholderstolerate this level of risk? Guidance on tolerable lev-
els of risk can be gained from established risk criteria. If the criteria, when
applied, indicate a tolerable level of risk, then the design of the process or the
emergency relief system is satisfactory from a risk standpoint. If the criteria indi-
cate intolerable risk, the next Step is to reduce risk through further design.

6. Consider enhanced and/or alternative designs. In the overall risk-based de-

sign sequence, this step is an opportunity to consider the entire process design
and define changes that can reduce risk to a tolerable level. Risk reduction con-
cepts have been classified by CCPS as inherently safer, passive, active, and pro-
cedural in declining order of reliability.In emergency relief system design, this
step focuses on mitigationlessening or controlling the consequences of an acci-
dental release.

7. Evaluate enhancements and/or alternatives. A design change intended to re-

duce risk can introduce new failure scenarios and new risks. Therefore, the
evaluation of design changes should treat these changes as an integral part of
the process. Following Steps 1-4, the review should re-estimate process risk. The
review should also estimate the cost of the proposed changes.

8. Determine tolerability of risk and cost. As in Steps 3 and 5, established risk

criteria can provide guidance on risk tolerability. Cost becomes an issue in this
step because, like all designs, process safety designs must meet business crite-
ria. Coupling estimates of cost and risk reduction provides a basis for assessing
the cost-benefit tradeoff of each alternative design or mitigation solution. The
cost-benefit analysis can be qualitative or quantitative. A quantitative approach is
especially useful when a large number of competing process safety systems are
being considered. If the analysis yields tolerable risk and cost for a design option,
the results should be documented (Step 9). If not, it may be necessary to con-
sider further design enhancements and alternatives (Steps 6-8).

9. Document results. The failure scenarios and associated consequence, likeli-

hood, and risk estimates developed during this process document the design ba-
sis for process safety systems and emergency relief systems. Documenting the
process safety system and ERS design basis retains essential information that is
extremely valuable for risk management situations such as hazard evaluations,
management of change, and subsequent design projects. When the findings
from Step 3 or Step 5 show that consequences and risk meet tolerability criteria,
results still need to be documented. Doing so will cut down on needless repeti-
tions of the analysis and ensure that design or operational changes reflect an un-
derstanding of the base-line risk of the design.

Copyright 2002, ioMosaic Corporation. All rights reserved.

 ioMosaic Corporation
Guidelines for Risk Tolerability
Underlying this entire approach is the understanding that risk levels range along
a continuum. In most cases, risks cannot be eliminated, only reduced to a level
that everyone who has a stake in the activity or process finds acceptable when
weighed against the advantages and benefits of the activity or process.

Because attitudes about the tolerability of risks are not consistent, there are no
universal norms for risk tolerability. What your stakeholders view as a tolerable
risk will depend upon a number of factors, including the following:

The nature of the risk. Is it a voluntary risk, one that those who are at risk accept
as part of a choice? Or is it involuntary?

Who or what is at risks. Does it affect a single person or many people? What
about the surrounding environment? Is it an industrial landscape already altered
by past uses, or a pristine or prized natural setting? Are important water or other
resources at risk? Residential neighborhoods? Schools?

The degree to which the risk can be controlled or reduced. Process safety design
and especially emergency relief system design focus in large part on this issue.
Making the case for a tolerable risk requires that the methods supporting the
design basis be technically sound and defensible, clearly documented, and accu-
rate.

Past experience. Uncertainty regarding the risk impact influences the risk takers
tolerability. For example, the average person understands the risk of driving an
automobile but is uncertain regarding the risk of nuclear power generation.
Finally, attitudes toward risk change over time. Given all of these variables, how
does a company establish risk tolerability criteria that can effectively contribute
to decisions about the tolerability of certain consequences, likelihoods, and
risks?

Companies that have successfully established risk criteria focus on providing

consistency in their decisions about risk. These criteria typically represent levels
of risk that the company believes will minimize impacts to continued operations.
This approach does not explicitly mention specific stakeholder concerns such as
protection of the surrounding environment and communities. However, risk deci-
sions that protect operations are very likely to help reduce risk across the board
for facilities, employees, surrounding property, and the environment. Moreover,
since demonstrably safe operations have become a cornerstone of a companys
franchise to operate in many places, well-thought-out risk criteria that make con- Companies that have
tinued operation their objective will also address most other stakeholder con-
cerns. successfully established risk
Risk criteria should also fit with a companys philosophy and culture and match
criteria focus on providing
the type of analysis its engineers normally conduct in the design stage. The selec- consistency in their
tion of appropriate risk criteria is a corporate responsibility and requires the in-
volvement and support of senior management, as it establishes the levels and decisions about risk.
types of risks the company will tolerate.

Once a company has established specific risk criteria, they can be used to check
outcomes throughout the design process, at Steps 3, 5, and 8 of the approach
outlined above. This iterative approach builds consistency into the process and
increases the likelihood of making risk-based choices early in design--where they

Copyright 2002, ioMosaic Corporation. All rights reserved.

are often most cost-effective. Figure 4 provides examples of some accepted ioMosaic Corporation
risk criteria.

Figure 4:
Representative Risk Tolerability Criteria

Release Limits address the tolerability of potential release consequences by considering

the amount of material that could be released. Tolerable quantities depend upon the
physical states and hazardous properties of released materials. A hypothetical release limit
for gasoline, for example, might be as much as 5,000 pounds, while for chlorine, it would
be only 200 pounds.

Threshold Impact Criteria for Fence or Property Line employ standard damage criteria,
such as toxicity, thermal radiation, or blast overpressure, together with consequence mod-
eling, to determine whether potential impact at the facilitys fence or property line exceeds
a tolerable threshold.

Single ver
versus
sus Multiple Component Failures provide a qualitative approach to how many
component failures will be tolerated. For example, a company might choose to tolerate
event scenarios that require three independent component failures; to conduct further
analyis of event scenarios triggered by two failures, and not to tolerate events arising from
single failures.

Critical Event Frequency addresses event scenarios with a defined high-consequence im-
pact. Examples would be a severe injury, a fatality, critical damage to the facility, or im-
pacts on the surrounding community. Companies often use a range of threshold frequen-
cies for these scenarios, depending upon the extent and nature of potential worst-case
consequences.

Risk Matrix criteria use qualitative and semiquantitative frequency and severity categories
to estimate the risk of an event. Events with a low risk ranking are considered tolerable.

Individual Risk Criteria consider the frequency of the event or events to which an individual
might be exposed, the severity of the exposure, and the amount of time for which the indi-
vidual is at risk. While no consensus exists on appropriate thresholds, a maximum risk to Risk managers and
the public of 1 x 10-5 fatalities per year is not unusual among companies that use these
criteria. environmental managers at
Societal Risk Criteria can be used instead of or in addition to individual risk criteria and many companies face
provide a more detailed evaluation of the distribution of risk. In other words, societal risk
criteria explicitly address both events with a high frequency and low consequence and unremitting pressure to run
events with a low frequency and high consequences. This class of criteria can be useful to
companies that have recently experienced an adverse event and cannot tolerate another, their activities lean and
no matter how small its likelihood.
control and justify costs.
Risk Matrix and Cost Threshold can account for the risk reduction level provided by a de-
sign enhancement and its cost. In cases where the benefit of a risk reduction step is large
and its cost is small, the way forward is obvious. But most design situations are not that
simple, For example, an enhancement or alternative that reduces a high risk to a medium
risk and costs $15,000 may be considered feasible and effective, as might an alternative
that costs $450,000 and reduced a high risk to a low risk. In these situations, a risk matrix
and cost threshold with definite rules can help clarify decision-making.

Copyright 2002, ioMosaic Corporation. All rights reserved.

 ioMosaic Corporation
Design Solutions: Understanding the Options
The purpose of the procedure described above is to enhance designers ability to
make consistent choices about safe design and to introduce modifications where
they can do the most good for the least cost. These design choices for safety sys-
tem design are of four types. All of these approaches help to minimize risk. But
they vary in terms of factors such as cost, reliability, and maintenance. Compa-
nies are in the best position to manage these design choices when they are pre-
pared to follow consistent risk tolerability levels, understand how a specific facil-
ity or process fits into their overall business plan, and know what the cost limitia-
tions are for the safety component of a process.

When deciding among the hierarchy of mitigation options, designers should avoid
the pitfall of project mentality, i.e., focusing only on minimizing capital cost. As
Figure 5 suggests, inherently safer approaches may have higher initial invest-
ment, however, the cost of maintaining an active system to obtain an equivalent
level of risk reduction can be significant. Therefore, the correct approach should
be to consider the life-cycle cost of the design options, before making the final
selection.

Figure 5 Inherently Safer Design

Inherently safer
approaches may have
Inherently Safer design solutionseliminate or mitigate the identified hazard by
using materials and process conditions that are less hazardous. For example, higher initial investment,
faced with the hazard posed by a flammable solvent, designers might seek to however, the cost of
substitute water. When large inventories of hazardous intermediates increase
risk levels, there may be a way to reduce or eliminate these inventories. maintaining an active
Passive design solutions offer a high level of reliability by operating without any system to obtain an
devices that sense and/or actively respond to a process variable. Examples of equivalent level of risk
passive design solutions include incompatible hose couplings for incompatible
substances and process components, equipment designed to withstand internal reduction can be
deflagration and other very high-pressure hazards, and dikes that contain haz- significant.
ardous inventories with a bottom sloping to a remote impounding area.

Copyright 2002, ioMosaic Corporation. All rights reserved.

Active design solutions employ devices that monitor process variables and acti- ioMosaic Corporation
vate to mitigate a hazardous situation. Active solutions, sometimes called engi-
neering controls, are often less reliable than passive or inherently safer design
solutions because they require more maintenance and more operating proce-
dures. The following are characteristic active design solutions:
A pressure safety valve or rupture disk that prevents vessel overpressure
A high-level sensing device interlocked with a vessel inlet valve and pump motor to prevent
overfilling
Check valves and regulators

Procedural design solutions, also known as administrative controls, avoid hazards

by requiring a person to take action. These actions might include reacting to an
alarm, an instrument reading, a leak, a strange noise, or a sampling result and
might involve steps such as manually closing a valve after an alarm sounds to pre-
vent a vessel from overfilling or carrying out preventive maintenance to reduce the
likelihood that equipment will fail. Involving a person in the safety solution means
incorporating human factors in the analysis. These human factors, including an
inappropriate division of tasks between machine and person and an unsupportive
safety culture, contribute to making procedural solutions generally less reliable
than other design solutions.

Choosing among these types of solutions is not simply a matter of selecting the
most reliable approach. Inherently safer and passive solutions tend to offer high
reliability and low operating costs, but may involve an initial cost that does not fit
with the budget or business plan for the process. Active and procedural solutions
cost less to begin with, but typically involve higher operating costs and are less
reliable (See Figure 6)].

Consider the case of a company that was handling a very energetic substance Involving a person in the
with a highly hazardous reaction. The company had faced incidents with the sub-
stance and was now reviewing two options for reducing the risk posed by the sub-
safety solution means
stance. The first, total containment of the substance in a vessel rated to withstand incorporating human
a maximum pressure level of 1,200 psi, was an inherently safer approach. How-
ever, the cost of this vessel was very high. Furthermore, using such a vessel factors in the analysis.
meant having it sit continually within the facility at a very high pressurea hazard
in and of itself.

The second option was to construct a catch system and allow the reactor to acti-
vate an emergency pressure relief system. This required a reactor vessel with a
lower pressure rating and a large vessel to be used as a catch/quench tank. While
this approach was less expensive, it required the facility to deal with the potential
of a hazardous effluent and to address the reliability of the release system. This
option was found to provide a tolerable risk level and a lower cost of implementa-
tion.

In another case, a company was using water-cooled heat exchangers in a process

that included a material that reacts violently with water, producing corrosive and
toxic by-products. The companys designers considered various combinations of
passive solutions such as heat exchangers that use non-pressurized water, active
solutions such as advanced leak-detecting sensors, and procedural solutions
such as enhanced testing, inspection, and maintenance. All of the alternatives re-
duced risk levels, but none met the companys risk tolerability criteria. Faced with
the prospect of sustaining high operating costs and staff efforts for a less-than-
satisfactory risk effort, management chose a design that substituted a compatible
heat transfer fluid for water. This choice required a higher initial investment in
equipment replacement but eliminated a host of maintenance and administrative
complexities down the line.
Copyright 2002, ioMosaic Corporation. All rights reserved.
 ioMosaic Corporation
Next Steps in Cost-Effective Reduction
In recent years, industrial standards for tolerable risk have tended to become in-
creasingly stringent. This trend reflects a convergence of public opinion, govern-
ment regulations, and industry initiatives. The momentum for controlling and re-
ducing risk is likely to continue, with leaders in the process industry setting stan-
dards for their companies that are well in excess of what is required.

The momentum for

controlling and reducing
risk is likely to continue.

Cost-
ost-Effective Risk Reduction

Incorporating systematic risk assessment in process safety design is some-

times viewed as an expensive way to achieve greater risk reduction. The
reality, however, is that when risk assessment is left out of the design proc-
ess, two problems are likely to occur. The system may be overdesigned,
with safety protection costing more than it needs to, or the facility may be
unprotected from significant, unidentified risks.

Systematic risk-based design helps companies more fully identify signifi-

cant risks, rank them, and prioritize steps to address them. The result is
that capital expenditures, operating expenses, staffing, and other re-
sources are better allocated to risks, enabling companies to buy more risk
reduction at a cost that is the same or less.

Copyright 2002, ioMosaic Corporation. All rights reserved.

 ioMosaic Corporation At the same time, risk managers and environmental managers at many com-
panies face unremitting pressure to run their activities lean and control and
justify costs. The ability to reach decisions about process safety design based
on a clear understanding of both the risk reduction options and costs can
greatly strengthen managers ability to meet the needs of internal and external
stakeholders for process safety.

ioMosaics Consulting
Services:

Auditing

Calorimetry, Reactivity, and

Large-Scale Testing

Due Diligence Support

Effluent Handling Design

Facility Siting

Fire and Explosion Dynam-

ics

Incident Investigation and

Litigation Support

Pressure Relief Design

Process Engineering Design

and Support

Process Hazards Analysis

Risk Management Program

Development

Risk Assessments

Software

Structural Dynamics

Training

About the Authors

Dr. Georges Melhem is a General Partner at ioMosaic Corporation. Prior to ioMosaic Corpo-
ration, Dr. Melhem was president of Pyxsys Corporation; a technology subsidiary of Arthur D.
Little Inc. Prior to Pyxsys and during his twelve years tenure at Arthur D. Little, Dr. Melhem
was a vice president and managing director of Arthur D. Little's Global Safety and Risk Man-
agement Practice and its Process Safety and Reaction Engineering Laboratory.

Dr. Melhem is an internationally known pressure relief design, chemical reaction systems,
and fire and explosion dynamics expert. In this regard he has provided consulting and design
W E RE ON THE WEB : services, expert testimony and incident investigation support and reconstruction for a large
WWW .IOMOSAIC . COM number of clients.

93 Stiles Road Dr. Melhem holds a Ph.D. and an M.S. in Chemical Engineering, as well as a B.S. in Chemi-
Suites 103 and 104 cal Engineering with a minor in Industrial Engineering, all from Northeastern University. In
Salem, New Hampshire 03079 addition, he has completed executive training in the areas of Finance and Strategic Sales
U.S.A. Management at the Harvard Business School.

Phone: 603.893.7009 x100 R. Peter Stickles is a consultant with ioMosaic Corporation. He focuses on the development
and implementation of quantitative risk assessment and emergency relief systems design
Fax: 603.893.7885 and has been a lead contributor on many hazard and operability studies involving major pet-
Email: [email protected] rochemical and energy facilities in Europe and North America.

Copyright 2002, ioMosaic Corporation. All rights reserved.