Process Safety and Environmental Protection 9 7 ( 2 0 1 5 ) 49–60

Contents lists available at ScienceDirect

Process Safety and Environmental Protection

journal homepage: www.elsevier.com/locate/psep

Method for identifying errors in chemical process

development and design base on accidents
knowledge

Kamarizan Kidam a,b,∗ , Haslinda A. Sahak a , Mimi H. Hassim a,b ,

Haslenda Hashim a , Markku Hurme c
a Department of Chemical Engineering, Universiti Teknologi Malaysia, Johor Bahru, Malaysia
b Centre of Hydrogen Energy, Institute of Future Energy, Universiti Teknologi Malaysia, Johor Bahru, Malaysia
c Department of Biotechnology and Chemical Technology, Aalto University, Espoo, Finland

a r t i c l e i n f o a b s t r a c t

Article history: It has been claimed that the high accident rate in the chemical process industry is due to
Received 13 October 2014 poor dissemination of accident knowledge that affects directly the level of learning from
Received in revised form 1 June 2015 accidents. In response to this situation, this paper utilized past accident knowledge as a
Accepted 3 June 2015 basis to develop a safety oriented design tool whereby the accident information were directly
Available online 11 June 2015 disseminated into plant design. The method was developed based on our previous accident
analysis of design error in which the common design errors were ranked in accordance
Keywords: to their frequency and its origins during normal plant design project. Based on the design
Accident error ranking and its origin at a specific design phases, a method for design error detection
Learning from accident is proposed. The method is expected to be able to identify the possible design error and
Design error its causes throughout chemical process development and design. The main objective is to
Error detection trigger safe design thinking at the specific design phases so that appropriate action for risk
Process lifecycle reduction could be timely implemented. The Bhopal and BP Texas tragedies are used as case
Plant design studies to test and verify the method. The proposed method can detect up to 74% of design
errors.
© 2015 The Institution of Chemical Engineers. Published by Elsevier B.V. All rights reserved.

1. Introduction basis (Jacobsson et al., 2010). It is been suggested by Lindberg

The accidents rate in the chemical process industry (CPI) has
not been decreasing although large majority causes of acci-
dent (95%) have been identified (Drogaris, 1993) and could be
prevented by using existing knowledge (Kletz, 2004; Pasman,
2010). Among the basic causes of high accident rate is poor
learning from accident (Jacobsson et al., 2010). According to
(Lindberg and Hansson, 2006) the weakest link of feedback
based on experience in the process learning cycle is related
to dissemination of accident information. In fact, a recent
study found out that only one third of the accident cases
studied is considered to provide lessons learnt on a broader
et al. (2010) and Jørgensen (2008) that the current experi-
ence feedback system needs to be modified, so that it can
be systematically integrated with risk analysis methods. In
response to above statement, research has been carried out to
enhance the dissemination of accident knowledge directly to
the design activity. Therefore, in this paper, the accident infor-
mation were used as a basis to develop a design oriented safety
tool thus, the accident knowledge was disseminated into next
chemical plant design.
This paper discusses the development of error detection
method by utilizing past accident knowledge. Our previous
accident analysis shows that the contribution of design to

∗
Corresponding author at: Universiti Teknologi Malaysia, Department of Chemical Engineering, 83100 Johor Bahru, Johor,
Malaysia. Tel.: +60 7 5535519.
E-mail address: kamarizan@cheme.utm.my (K. Kidam).
http://dx.doi.org/10.1016/j.psep.2015.06.004
0957-5820/© 2015 The Institution of Chemical Engineers. Published by Elsevier B.V. All rights reserved.
50 Process Safety and Environmental Protection 9 7 ( 2 0 1 5 ) 49–60
Table 1 – Design as contributor to accidents.
Paper Industry
Drogaris (1993) Chemical (process)
Duguid (2001) Chemical (process)
HSE (2003) Chemical (general)
Kinnersley and Roelen (2007) Aviation, Railway and Nuclear
Taylor (2007a) Chemical (process)
Hale et al. (2007) Chemical (process)
Love et al. (2012) Construction projects
Kidam and Hurme (2012a) Chemical (process)
accident is significant (Kidam and Hurme, 2012a). As seen in
the table, different literatures claim that the design related
errors are responsible for at least 46% of accident. In root
causes category, studies by Drogaris (1993), Duguid (2001),
Kinnersley and Roelen (2007), Taylor (2007a) and Hale et al.
(2007) show that large majority (46–70%) of design failure are
due to erroneous errors in design. Besides, around 71–80% of
the accidents are caused by error during the design stage as
highlighted by the HSE (2003) and Love et al. (2012). However, a
clear picture to describe design error contributors to accident
in design phases is not so simple. In all cases, there are signifi-
cant contributions of design to accidents, however in reality, it
is very subjective and always questionable. Based on Table 1, it
is therefore reasonable to conclude that accident contributor
in design phases are significant in a range 50–79% in the CPI.
In considering the significant contribution of design to acci-
dent as well as poor dissemination of accident knowledge,
this paper proposed the systematic error detection method for
chemical process development and design based on accident
knowledge. The main objective of the method is to utilized
the past information and disseminate the knowledge directly
into project design. The design oriented safety method can
be used to identify the common design related error at differ-
ent phases of plant design project. The method can be used
as design check that is usually overlooked by the designer.
The idea is to encourage the design thinking at the specific
design task, so that timely, cheaper and effective risk reduc-
tion strategies could be applied suitably at the appropriate
design project phases.
2. Common method for design evaluation
There is several design methods that are commonly accepted
by process designer for design evaluation. In practice, sev-
eral design evaluation methods are undertaken throughout
the design phases of a particular project. Selection of the best
method requires a huge work experience on the similar pro-
cess families. In practice, there are common safety methods
for design evaluation such as process hazard checklist, haz-
ard survey, hazard and operability study (HAZOP) and safety
review. Table 2 shows the commonly used design evaluation
methods for design project. The table presents the advantages
and limitations of the design methods depending on their
safety evaluation criteria and in which particular stage of the
plant design lifecycle (Crawley and Tyler, 2003).
Based on the summary presented in Table 2, it can be
concluded that most of the safety methods are complex,
Findings
• 70% of accidents have the root cause attributed to erroneous design
• 52% as a primary cause of accidents arise in the design stage
• 71% of the accidents are caused by error during the design stage
• 51% of the root causes of accidents arise in the design stage for aviation
system
• 46% of the root causes of accidents occur in nuclear industries are
design related
• 50% of the root causes of accidents arise in the design stages at railway
• 50% of accidents have the root cause attributed to erroneous design
• 60% of accidents have the root cause attributed to erroneous design
• 80% of the accidents are caused by error during the design stage
• 79% of accidents cases analyzed were contributed by design error
knowledge-intensive, time consuming, requiring training and
vast working experience. In addition, large majority of the
methods cannot be used in the early process concept devel-
opment. According to Hurme and Rahman (2005), every safety
method requires a different amount of process information,
which makes it best applicable only at certain design stages.
As an example design method such as HAZOP is well accepted
for design review in the basic engineering phase; however, it
is ineffective to be applied at preliminary design phase due
to lack of process information. In practice, HAZOP required
process flow diagram (PFD) and effective to detect the design
error up to 85% (Taylor, 2007b), which is only generated at the
basic engineering and detailed engineering phases. At the pro-
cess concept development i.e. pre-design, HAZOP are lack of
mechanism or consideration for design decision such as on
process chemistry, equipment type selection, scale-up, prod-
uct and raw material specification etc. These issues needs to
be address by using others hazard identification methods such
as checklist, hazard ranking, hazard review etc.
In respect to the error detection as research area in the
CPI, there are limited research has been done on design error
(Bourrier, 2005; Busby, 1998). As a result, there are very limited
design oriented safety methods that are purposely developed
for design error detection in the CPI. Basic discussion available
in Safety Science Journal Special Edition Volume 45 Issue 1–2:
Safety by Design Based on a workshop of the New Technology
and Work Network. In general, majority of the method is focus
on the accident modelling and fault detection. In the CPI, error
detection is a popular concept used in process control which
is mainly for fault detection during the detailed engineering
phase of plant design, not at the predesign and basic engineer-
ing. In civil and mechanical engineering, most of the design
error analysis and detection are related to the structural and
mechanical error (Love et al., 2012).
The systematic design based error detection method is still
very much lacking especially at process concept development
and design. Therefore, the design error detection method for
CPI is needed to support the designer to design an error-
less chemical plant. In design project, the designer makes
error because of limited time to check their work (Kletz, 2004)
and probably overlooked same design element that not rou-
tine, rare or unexpected process condition at some design
phases (Haastrup, 1984). To detect design error that related
to non-routine, rare or unexpected process condition, the best
ways to do it by reviewing similar past accident cases. How-
ever, the current format of accident information (e.g. accident
reports) is not user-friendly to the practitioners especially pro-
cess engineers and designers. The search for a safer design
 Process Safety and Environmental Protection 9 7 ( 2 0 1 5 ) 49–60 51

Table 2 – The existing design evaluation methods.

Methods Descriptions Advantages Disadvantages

Process hazard checklist The method is a list of items and
possible problems in the process
that must be checked
Hazards surveys The method can be as simple as
an inventory of hazardous
materials, or it can be as the Dow
indexes. The Dow indexes are a
formal rating system that provides
penalties for hazards and credits
for safety equipment and
procedures
Hazards and Operability The method approached allows
(HAZOP) studies the mind to go free in a controlled
environment. Various events are
suggested for a specific piece of
equipment with the participants
determining whether and how the
event could occur and whether the
event creates any form of risk
Safety review An effective but less formal type of
HAZOP study. The results are
highly dependent on the
experience and synergism of the
group reviewing the process
Other methods What-If Analysis, Fault Tree
Analysis (FTA), and Failure Modes
and Effects Analysis (FMEA)
• Easy to use
• Can be applied at any phase of
the process lifecycle
• Systematic approaches using a
rating form
• Useful for predicting and
mitigating fire and explosion
hazards
• Useful for plant positioning and
layout
• Is a well-structured, systematic
and effective procedure to identify
process hazards as well as
operating problems
• Identify the underlying causes of
accidents and outline steps to be
implemented to prevent similar
events such as near misses
• Avoid repeating past mistakes
• Easy to use and applicable to all
human activities
• Flexible that it means some
hazards can easily be overlooked
• Not suitable for identifying
hazards resulting from improper
operation or upset conditions
• Quality of the checklist may vary
and validation is very subjective
• Must have extensive safety
knowledge and working
experience
• Very open-ended format
• Results difficult to assess
• Chances of overlooking hazards
are high
• Requires detailed plant and
process information, which makes
this method not fully applicable at
the early phase of plant design
• Needs detailed process
information
• Experienced team members
• Take a weeks to complete
• Not fully applicable at the early
phase of plant design
• Too late for error detection
• Highly dependent on the
experience and synergism of the
group reviewing the process
• Very dependent on the skill and
knowledge of the team members
• Require detailed knowledge of
the process

option by using the current format of accident information is
very demanding and time consuming. To make the accident
and design review simpler, the accident-based error detection
method as proposed by this paper is extremely necessary.
3. Design errors and it origin
As mentioned earlier, there is significant percentage (50–79%)
of design error causing accidents in the CPI. However, major-
ity of the earlier studies related to this only provided plain
statistical information. According to Knowledge Management
Hierarchy of Ackoff (1989), statistical analysis only provides
basic information and little knowledge that limit the under-
standing how design error has been created during design. To
create a better understanding on this issue, deeper analysis is
needed.
The detailed study on the identification of the origin of
design error was started by Taylor (1975) and his student Haas-
trup in 1980s (Haastrup, 1984). According to Taylor (1975),
design error is deemed to have occurred, if the design or oper-
ating procedures are changed after an incident has occurred.
At that time the term of “design error” is not well accepted
by the designer. There is not many open literature mate-
rial discussing about this aspect. As a starts, the Haastrup
thesis classify the design project phases based on specific
design tasks such as mass and energy balance, pre-design of
equipment etc. These design tasks were used to detect the
origin of design error. Overall, Haastrup’s classification on the
design error and it origin is acceptable, however, it is been
improved by Kidam and Hurme (2012b) based on the standard
process plant design lifecycle which starts from the research
and development, preliminary engineering, basic engineering,
detailed engineering, start-up and operation.
The latest study on the origin of design errors were pub-
lished by Kidam and Hurme (2012b) that follow common
design task timeline. The author came out with the detail anal-
ysis on design error and its origin throughout process design
lifecycle (refer to Appendix 1 and 2 of paper Kidam and Hurme,
2012b). Table 3 summarizes the common design errors asso-
ciated with process development and design.
As seen from Table 3, the common design errors in research
and development phase are related to process condition and
chemical reactivity/incompatibility. This is followed by pre-
liminary engineering phase where process alternatives are
reviewed based on economic and technical potentials. The
common errors in this phase are related to process conditions
at equipment level, chemical interaction between processes,
chemical reactivity/incompatibility, unsuitable equipment,
protection, and construction material.
According to Table 3, there are many more category of
design error in basic and detailed engineering phases. The
typical design error in this phases are poor site and plant
layout, inadequate protection, wrong construction material,
inappropriate utility set-up, sizing, and automation.
52 Process Safety and Environmental Protection 9 7 ( 2 0 1 5 ) 49–60

Table 3 – Design errors associated with design phases.

Design errors Research and development Preliminary engineering Basic engineering Detailed engineering

Process condition * * * *
Reactivity/incompatibility * * *
Unsuitable equipment/part * * *
Protection * * *
Construction material * * *
Layout * *
Utility set-up * *
Sizing * *
Automation/Instrument * *

Based on the literature review on this subject matter, it
is concluded that the contribution of design to accident in
the CPI is significant (50–79%) and the accidents did take
place throughout the whole process plant design lifecycle. To
improve this condition, a systematic design oriented safety
method for error detection is proposed. Our previous accident
analysis result on the design error origin during plant design
(see Appendix 2 of paper Kidam and Hurme, 2012b) will be
used as the main data for design error ranking.
4. Systematic error detection method
The purpose of the method is to detect the design error that
commonly occurs during chemical process development and
design. These enable the designer to foresee potential error
in their design. Therefore, this method allows timely detec-
tion of common design problems and triggers the need of
serious design review at the specific design tasks or phases.
The main objective of the method is to initiate design think-
ing based on the error ranking developed from past accident
knowledge. Therefore, previous accident data and experience
were transformed directly into design procedure for possible
error detection.
The method for identifying the design errors are illustrated
in Fig. 1. The method works by screening the possible design
error based on common design error ranking. The main steps
of the method are based on the typical plant design phases
such as research and development, preliminary engineering,

Fig. 1 – Method for identifying design error in process development and design.
 Process Safety and Environmental Protection 9 7 ( 2 0 1 5 ) 49–60 53

Table 4 – Common design error in the research and development phase.

Design scoping Possible design errors Possible causes based on accident ranking

Development of process concept and scale-up Process condition 1. Process contaminations 4. More corrosive
to industrial scale 2. Effect of uneven flow/dry 5. Hold too long
• Product design condition 6. Unbalanced reactant ratio
• Process chemistry 3. High temperature 7. Wrong reaction data
• Reaction setting Chemical reactiv- 1. Reactions with contaminants 4. Heat generated
ity/incompatibility 2. Incompatible heat transfer 5. Incompatible raw material
medium 6. Reactive with cleaning agent
3. Unstable at high temperature 7. Unstable in dry condition

basic engineering and detailed engineering. Although the
design errors are probably similar at each design phases due
to their basic definition (see Table 3) however, their detailed
design scoping is different. In Step 1, i.e. research and develop-
ment, the method starts with screening of the possible design
errors associated with product design and process develop-
ment that focus on reaction chemistry. Detailed of design error
ranking with their causes are shown in Table 4. The design
error screening should cover all causes and marked with found
(YES), not found (NO) or not applicable (N/A). The finding must
be recorded properly complete with error reasoning. This is
important for detail design review later on.
The focus of the Step 2 is design check related to the
preliminary process design scoping such as process concept
selection, design specification, process parameter and pro-
cess equipment selection. Possible design error and its causes
are available in Table 5. Next, in Step 3, the detail of the
process package is determined for basic engineering specifica-
tion. In this design phase, the technical solutions, operability,
safety margin and control strategy has been set up. The design
scoping covers all process design specification for structure,
mechanical, electrical, process control etc. The possible errors
and its causes are ranked in Table 6.
The detailed engineering phase in Step 4 includes the
design of the physical process such as equipment and pip-
ing detailed specification for acquisitions and construction.
Table 7 shows a detailed possible error causes based on acci-
dent ranking related to detailed engineering design scoping.
5. Case study
The proposed method is demonstrated and tested herein by
the Bhopal and BP Texas case studies. The Bhopal gas tragedy
was chosen because it was the worst industrial accident in
the world caused by the release of toxic gas. Meanwhile, the
BP Texas City Refinery Explosion and Fire was selected to
represent among the worst industrial disaster that occurred
recently. The error detection method proposed is expected to
identify the real design related errors and its causes that had
contributed to the accidents. Both case studies were used to
test and verify the effectiveness of the method.
5.1. Bhopal tragedy
On December 3, 1984, more than 40 t of methyl isocyanate
(MIC) gas leaked from a pesticide plant in Bhopal, India, imme-
diately killing over 2000 persons immediately and causing
significant morbidity and premature death more than 200,000
people. A large proportion of these deaths were probably due
to respiratory damage. In the process, methyl isocyanate (MIC)
was an intermediate material for producing the pesticide.
MIC was used as a raw material for organic solvents and soil

Table 5 – Common design error in the preliminary engineering phase.

Design scoping Possible design errors Possible causes based on accident ranking

Preliminary process design for the feasibility Process condition 1. Process contaminations 8. Hazardous material
study 2. High temperature generate
• Process concept development 3. Secondary reaction 9. More reactant
• Design specification 4. More corrosive 10. Store at high
• Process parameter setting 5. Hold too long temperature
• Process equipment selection 6. Uneven flow/dry condition 11. High pressure
7. Effect of physical condition 12. Hold too short
13. Long usage/aging
Chemical reactiv- 1. Reactions with contaminants 6. Unstable at high
ity/incompatibility 2. Secondary reaction temperature
3. Contaminated/reactive waste 7. Incompatible raw
4. Hazardous material generated material
5. Heat generated 8. Unstable by-product
9. Unstable in dry
condition
10. Unstable new
material
11. Unstable off-spec
product
12. Water reactive
Unsuitable equipment 1. Measurement error 3. Open storage
2. Mixing effects 4. Open tank
Protection 1. No inhibitor 2. Reactive with iron
rush
Construction material 1. React with content
54 Process Safety and Environmental Protection 9 7 ( 2 0 1 5 ) 49–60

Table 6 – Common design error in the basic engineering phase.

Design scoping Possible design errors Possible causes based on accident ranking

Creation the process data for detailed Process condition 1. Inadequate ventilation 2. Flow velocity
engineering Chemical reactiv- 1. Incompatible heat transfer 2. Reactive with
• Detailed process design and optimization ity/incompatibility medium cleaning agent
• Process design of equipment and piping Unsuitable part 1. Mechanical specification 6. Difficult to clean
system 2. Miss-used 7. Heating/cooling error
• Basic automation and instrument 3. Small volume 8. Lack of sensor
engineering 4. Waste handling 9. Lack of
• Preliminary layout design 5. Chemical resistant specification vacuum/exhaust
• Utility design 10. Wrong absorption
• Waste minimization system
• Hazard and operability study Protection 1. Single valve 5. No gas treatment
2. No check valve 6. No insulation
3. Friction/impact 7. No relief valve
4. No flame arrester 8. No vacuum breaker
Construction material 1. Chemical resistance 3. Sizing/Thickness
specification 4. Friction/impact
2. Mechanical specification 5. Non-conductive
material
Layout 1. Physical arrangement 3. Positive isolation
2. Share piping 4. Single valve
Utility set-up 1. Over design heat transfer 6. Corrosive heat
capacity transfer medium
2. Incompatible heat transfer 7. Incompatible purging
medium medium
3. Flammable sealing/cleaning 8. No mixing effects
agent 9. Normal condition
4. No cooling/natural sizing
5. Blockage-gummy material 10. Sharing cooling
source
11. Single valve
12. Waste handling
Sizing 1. Small
Automation/Instrument 1. Lack of detection

fumigants. Chemically, MIC is a toxic, reactive, volatile and
flammable substance. The leakage accident began with the
contamination of water in the MIC storage tank. The MIC
storage tank (T610) was contaminated by water through the
overhead pressure venting system. MIC reacts with water in
an exothermic way. The reaction is catalyzed by rust and
other compounds. Water flowed into intermediate storage
tank T610, probably because of errors in water washing opera-
tion and piping layout. A runaway reaction occurred resulting
in high temperature, vaporization of MIC and high pressure
activating a safety valve. Due to multiple failures of the pro-
tection system, a large amount of MIC gas leaked. The leaked

Table 7 – Common design error in the detail engineering phase.

Design scoping Possible design errors Possible causes based on accident ranking

Design of the physical process (equipment, Process condition 1. Inadequate ventilation/exhaust

piping etc.) for acquisitions and construction Unsuitable part 1. Feeding mechanism 4. Sampling tools
• Detailed piping design 2. Spark generation part 5. Shape miss-match
• Detailed layout design 3. Non-conductive part 6. Part positioning
• Instrumentation and automation design Protection 1. No nitrogen blanket 4. No coating/painting
• Mechanical, structure, civil and electrical 2. Static electricity 5. Aging/tear wear
design 3. Non explosion proof 6. Drain without cap
• Design of utilities/services. Construction material 1. Non-conductive material 3. Fire rating
2. Thermal expansion
Layout 1. Dead end 8. Venting shape
2. Physical shape error 9. Accessibility
3. Support arrangement 10. Direct connection
4. U-shape-de 11. Positive isolation
5. Vertical positioning 12. Similar appearance
6. Flow restriction 13. Too closed
7. Venting positioning 14. Trap condition
Utility set-up 1. Difficult to clean 4. Direct connection
2. Positioning 5. No vacuum/exhaust
3. Power failure-no back-up
Sizing 1. Size miss-match 2. Small venting
Automation/Instrument 1. Setting error 3. No interlock
2. Sensor failed 4. Uneven speed
 Process Safety and Environmental Protection 9 7 ( 2 0 1 5 ) 49–60
gas spread towards the city zone, covering residential areas
and causing multiple casualties (Chouhan, 2005).
5.1.1. Method application and results
As a demonstration on the method procedure, the method was
applied to Bhopal pesticide plant in order to detect the design
errors and its origin during project design. The analysis also
considers the detailed design of the MIC storage tank T610 that
failed and releases toxic gas. The basis of the error detection
and its reasoning are accordance to the following references:
book from ex-employee of MIC plant (Chouhan et al., 2004),
a book from a medical doctor (Ingrid Eckerman, 2001), jour-
nal paper of Chouhan (2005) and accident report from Failure
Knowledge Database (FKD, 2014). The detection of possible
design error follows the procedure below:
Step 1: Select the first design phase which is the research
and development (R&D) phase.
- Step 1a: Select possible design error as listed in Table 4 i.e.
process condition.
- Step 1b: Select the root cause of error-based on the table, the
possible causes are process contamination, high tempera-
ture, wrong reaction data etc.
- Reasoning: Process chemist fail to consider the effect of con-
taminant such as water etc. and their reaction behaviour
during product design and process development.
- Step 1c: Go through Table 4 and detect possible design error
and its causes. Record your finding before started to step 2.
Step 2: Select the second design phase which is the prelim-
inary engineering (PE) phase.
- Step 2a: Select possible design error as listed in Table 5 i.e.
chemical reactivity and incompatibility.
- Step 2b: Select the root cause of error-based on the table, the
possible auses are reactions with contaminants, secondary
reaction, protection etc.
- Reasoning: In the process concept development, the process
engineer may be aware that MIC is reactive with iron rust,
however he/she fail to analyze and predict the impact of the
iron rust as a catalyst due to lack of analysis. Therefore no
specific warning was made when carbon steel was chosen
as the construction material for the piping system.
- Step 2c: Go through Table 5 and detect possible design error
and its causes. Record your finding before started to step 3.
Step 3: Next, go to third design phase which is the basic
engineering (BE) phase.
- Step 3a: Select possible design error as listed in Table 6 i.e.
utility set-up.
- Step 3b: Select the root cause of error-based on the table,
the possible causes are reactive and incompatible cleaning
agents, cooling medium etc.
- Reasoning: The utility and support system such as cleaning
activity are decided in the basic engineering phase. The pro-
cess engineer may not aware that MIC is reactive with water,
so he/she erroneously chose water as a cleaning agent with
minimum protection system.
- Step 3c: Go through Table 6 and detect possible design error
and its causes. Record your finding before started to step 4.
55
Step 4: Next, go to forth design phase which is the detailed
engineering (DE) phase.
- Step 4a: Select possible design error as listed in Table 7 i.e.
layout.
- Step 4b: Select the root cause of error-based on the table,
the possible causes are positioning, shape, support arrange-
ment etc.
- Reasoning: The process and piping engineer may over-
look the layout (43%)/positioning of pipeline/tank (40%) that
increases the likelihood of unplanned flow-in of contami-
nates to T610 due to gravity force.
- Step 3c: Go through Table 7 and detect possible design error
and its causes. Record your finding.
As an example, the results of error detection for the basic
engineering phases are presented in Table 8. In the table, “YES”
means the design error is found by the method; “NO” means
there was no error found in the Bhopal plant related to this
type of error category; and “N/A” means the error category is
not applicable or relevant to the design of the Bhopal plant and
T610. The basis of error detection is explained in the subsec-
tion reasoning of each step. The design error and their cause’s
in-term of safe design adequacy are identified based on our
comprehensive reading on Bhopal tragedy. The results of error
identification for both case studies are shown in Tables 8 and 9.
As seen from Table 8, out of 26 relevant design error listed
in Bhopal case study related to the research and development
stages, the method is capable to identify 15 of them i.e. 58%
of errors. Only 11errors are not detected (42%). Most of the
errors found are related to layout and positioning (4), protec-
tion system (2), construction material section (2) and utility
set-up (2). In BP Texas case study, a better detection result was
recorded where 71% of error was found out of 28 relevant error
listed. Majority of the errors found are related to utility set-up
(5), unsuitable equipment/part (4), construction material sec-
tion (3) and layout and positioning (3). The overall result for
all process development and design of both case studies is
summaries in Tables 10 and 11.
5.1.2. Result of Bhopal case study
As seen from Table 10, in overall, the method has success-
fully detected 41 errors related to Bhopal plant and T610 which
represents about 31% of possible design error as listed by the
method (see Tables 4–7). Majority of error is originated in the
basic engineering (15 errors), followed by detailed engineering
(13), preliminary engineering (9) and research and develop-
ment phases (4).
Although only 4 design errors were identified in the
research and development phase, this is acceptable in term
of percentage (29%) since only two design errors that are com-
monly occurred at this phase. Major problem with the Bhopal
plant is related to inadequate risk analysis on chemical reac-
tivity and incompatibility (43%). Beside, in the preliminary
engineering phase, 9 errors were detected which is also related
to reactivity and incompatibility (42%). Other than that, errors
were also found at unsuitable equipment category (25%). On
average, 28% design error has been detected in this phase.
Majority of the design error were detected in basic engi-
neering phase (33%). As much of 15 design errors were
identified which are layout (4 errors), construction material
(2), protection (2), unsuitable equipment (2), utility set-up (2)
and one error for chemical reactivity/incompatibility, process
condition, sizing and automation/instrumentation. From the
56 Process Safety and Environmental Protection 9 7 ( 2 0 1 5 ) 49–60

Table 8 – Comparison of the method results with the Bhopal tragedy.

Design errors category Inadequate consideration during Found by method
design based on accident ranking

Yes NO found N/A

Process condition Inadequate ventilation ×

Flow velocity ×
Reactivity/incompatibility Incompatible heat transfer medium
Reactive with cleaning agent ×
Unsuitable equipment/part Mechanical specification × ×
Miss-used ×
Small volume ×
Waste handling
Chemical resistant specification ×
Difficult to clean ×
Heating/cooling error ×
Lack of sensor × ×
Lack of vacuum/exhaust
Wrong absorption system
Protection Single valve × ×
No check valve × ×
Friction/impact ×
No Flame arrester
No Gas treatment ×
No Insulation × ×
No Relief valve ×
No vacuum breaker
Construction material Chemical resistance specification ×
Mechanical specification × ×
Sizing/Thickness ×
Friction/impact
Non-conductive material
Layout Physical arrangement × ×
Share piping × ×
Positive isolation ×
Single valve ×
Utility set-up Over design heat transfer capacity
Incompatible heat transfer medium
Flammable sealing/cleaning agent ×
No cooling/natural ×
Blockage-gummy material ×
Corrosive heat transfer medium ×
Incompatible purging medium ×
No mixing effects ×
Normal condition sizing × ×
Sharing cooling source ×
Single valve ×
Waste handling ×
Sizing Small ×
Automation Lack of detection × ×
Total 15 33% 11 24% 19 43%

table, the method was able to detect 100% errors in layout
category (4 out of 4) that shows the main weakness of the
design of the Bhopal plant. At the detailed engineering phase,
the methods identify 32% (13 out of 41) of the design error
in Bhopal plant, which is mainly poor detailed layout (6) and
utility set-up (2).
In summary for Bhopal case study, the method was capa-
ble to detect 31% (41 out of 132) design error. However; some
error were not detected (18%) and another (51%) was not rel-
evant to the design of Bhopal plant. In general, the result
was acceptable since the Bhopal plant has already go through
series of design check before the plant was commission and
operated. The main weakness of the Bhopal plant is related
to chemical reactivity and incompatibility issues in process
concept development as well as poor layout in the basic and
detailed design. In theory, if proper analysis on the chemi-
cal reactivity and incompatibility being carried out early and
the reaction capability of MIC-water are well understood,
the water contamination could be prevented through proper
design of piping connectivity and plant layout.
5.2. Texas explosion and fire
On March 23, 2005, the BP Texas City refinery explosion and fire
killed 15 people and another 180 was injured. The explosion
and fire occurred during the startup of isomerization (ISOM)
unit when a raffinate splitter tower was overfilled and acci-
dentally opened the pressure relief devices. This unfortunate
event led to spilling of a flammable liquid geyser from a blow
down stack that was not equipped with flare, resulting in an
explosion and fire (CSB, 2014). From the accident investiga-
tion reports obtained from the Chemical Safety and Hazard
Investigation (CSB) database, the origins of design errors in the
process design lifecycle are then determined. The analysis also
 Process Safety and Environmental Protection 9 7 ( 2 0 1 5 ) 49–60 57

Table 9 – Comparison of the method results with the BP Texas tragedy.

Design errors category Inadequate consideration during Found by method
design based on accident ranking

Yes NO found N/A

Process condition Inadequate ventilation ×

Flow velocity
Reactivity/incompatibility Incompatible heat transfer medium ×
Reactive with cleaning agent × ×
Unsuitable equipment/part Mechanical specification
Miss-used ×
Small volume ×
Waste handling ×
Chemical resistant specification × ×
Difficult to clean
Heating/cooling error × ×
Lack of sensor ×
Lack of vacuum/exhaust ×
Wrong absorption system
Protection Single valve × ×
No check valve
Friction/impact × ×
No Flame arrester
No Gas treatment × ×
No Insulation ×
No Relief valve ×
No vacuum breaker
Construction material Chemical resistance specification × ×
Mechanical specification ×
Sizing/Thickness ×
Friction/impact ×
Non-conductive material
Layout Physical arrangement × ×
Share piping ×
Positive isolation ×
Single valve
Utility set-up Over design heat transfer capacity × ×
Incompatible heat transfer medium ×
Flammable sealing/cleaning agent ×
No cooling/natural ×
Blockage-gummy material
Corrosive heat transfer medium × ×
Incompatible purging medium
No mixing effects ×
Normal condition sizing × ×
Sharing cooling source ×
Single valve ×
Waste handling
Sizing Small × ×
Automation Lack of detection ×
Total 20 44% 8 18% 17 38%

considered the detailed design of the raffinate splitter tower
of an isomerization (ISOM). The method application and work
example are similar in Bhopal case study. The overall results
are summarized in Table 11.
As seen from the table, the average 64% (9 out of 14) design
error were found in research and development phase which
is 4 errors related to process condition category and another
5 errors in chemical reactivity/incompatibility category. Only
1 (7%) error were not found and 4 (29%) of the error listed
in Table 5 are not applicable to BP Texas plant design case
study.
Similar design issues have been detected in the pre-
liminary engineering phase which is related to chemical
reactivity/incompatibility (5 errors) and process condition (5
errors). On average, 40% errors have been detected in the pre-
liminary engineering phase, 44% errors in basic engineering
phase, and 37% in detailed engineering phase.
Based on the full design errors listed in Tables 5–8, the
method only failed to detect about 15% of the errors and 42%
of were not applicable to BP Texas case study. Technically, the
method has successfully highlighted the basic issues of the BP
Texas plant design which is related to the lack of understand-
ing of the chemical stability at the high temperature as well
as basic and detailed design on equipment and its limitation.
5.3. Analysis of results and discussion
Table 12 summarized the prediction capability of the method
by using Bhopal and BP Texas case studies. In overall, the
method found 98 errors in both case studies which represents
74% of the possible design error as listed in Tables 5–8. In accor-
dance to the design phases, around 28% to 64% error is found
in process concept while 32% to 44% errors are detected in pro-
cess design. In overall analysis of both cases, high percentage
58 Process Safety and Environmental Protection 9 7 ( 2 0 1 5 ) 49–60

Table 10 – Results of the method application to Bhopal tragedy.

Possible design errors Research and development Preliminary engineering

Common Found Not found Not relevant Common Found Not Found Not relevant Common
errors errors errors
No. % No. % No. % No. % No. % No. %

Process condition 7 1 14 1 14 5 71 13 2 15 3 23 8 62 2
Reactivity/incompatibility 7 3 43 2 29 2 29 12 5 42 0 0 7 58 2
Unsuitable equipment/part – – – – – – – 4 1 25 2 50 1 25 10
Protection – – – – – – – 2 0 0 1 50 1 50 8
Construction material – – – – – – – 1 1 100 0 0 0 0 5
Layout – – – – – – – – – – – – – – 4
Utility set-up – – – – – – – – – – – – – – 12
Sizing – – – – – – – – – – – – – – 1
Automation/Instrument – – – – – – – – – – – – – – 1

Total/average 14 4 29 3 21 7 50 32 9 28 6 19 17 53 45

Possible design errors Basic engineering Detailed engineering

Found Not found Not relevant Common Found Not found Not relevant
errors
No. % No. % No. % No. % No. % No. %

Process condition 0 0 2 100 0 0 1 – 0 1 100 0 0

Reactivity/incompatibility 1 50 0 0 1 50 – – – – – – –
Unsuitable equipment/part 2 20 4 40 4 40 6 1 17 1 17 4 66
Protection 2 25 4 50 2 25 6 1 17 0 0 5 83
Construction material 2 40 1 20 2 40 3 1 33 0 0 2 67
Layout 4 100 0 0 0 0 14 6 43 1 7 7 50
Utility set-up 2 17 0 0 10 83 5 2 40 0 0 3 60
Sizing 1 100 0 0 0 0 2 1 50 0 0 1 100
Automation/Instrument 1 100 0 0 0 0 4 1 25 1 25 2 50

Total/average 15 33 11 24 19 43 41 13 32 4 10 24 58

Table 11 – Results of the method application to BP Texas City refinery explosion and fire.
Design errors Research and development Preliminary engineering

Common Found Not found Not relevant Common Found Not found Not relevant
errors errors
No. % No. % No. % No. % No. % No. %

Process condition 7 4 57 1 14 2 29 13 5 38 3 24 5 38
Reactivity/incompatibility 7 5 71 0 0 2 29 12 5 42 2 16 5 42
Unsuitable equipment/part – – – – – – – 4 1 25 2 50 1 25
Protection – – – – – – – 2 1 50 0 0 1 50
Construction material – – – – – – – 1 1 100 0 0 0 0
Layout – – – – – – – – – – – – – –
Utility set-up – – – – – – – – – – – – – –
Sizing – – – – – – – – – – – – – –
Automation/Instrument – – – – – – – – – – – – – –

Total/average 14 9 64 1 7 4 29 32 13 40 7 22 12 38

Design errors Basic engineering Detailed engineering

Common Found Not found Not relevant Common Found Not found Not relevant
errors errors
No. % No. % No. % No. % No. % No. %

Process condition 2 1 50 0 0 1 50 1 0 0 0 0 1 100

Reactivity/incompatibility 2 1 50 0 0 1 50 – – – – – – –
Unsuitable equipment/part 10 4 40 0 0 6 60 6 2 33 1 17 3 50
Protection 8 1 12 4 50 3 38 6 1 17 0 0 5 83
Construction material 5 3 60 1 20 1 20 3 1 33 0 0 2 67
Layout 4 3 75 0 0 1 25 14 5 36 3 21 6 43
Utility set-up 12 5 42 3 25 4 33 5 2 40 0 0 3 60
Sizing 1 1 100 0 0 0 0 2 1 50 0 0 1 50
Automation/Instrument 1 1 100 0 0 0 0 4 3 75 0 0 1 25

Total/average 45 20 44 8 18 17 38 41 15 37 4 10 22 53
 Process Safety and Environmental Protection 9 7 ( 2 0 1 5 ) 49–60 59

Table 12 – Comparison of the results of both case studies.

Design phases No. of common Bhopal case study BP taxes case study Total found
design error
Found Not Found N/A Found Not Found N/A

No. % No. % No. % No. % No. % No. % No. %

R&D 14 4 29 3 21 7 50 9 64 1 7 4 29 13 93
Pre-Eng. 32 9 28 6 19 17 53 13 40 7 22 12 38 22 69
Basic Eng. 45 15 33 11 24 19 43 20 44 8 18 17 38 35 78
Detailed Eng. 41 13 32 4 10 24 58 15 37 4 10 22 53 28 68

Total 132 41 31 24 18 67 51 57 43 20 15 55 42 98 74

(31–43%) of design error was found especially in the research
and development (93%).
These data shows that the method is capable to detect
design error consistently throughout process development
and design. In general, the method is quite sensitive to fire
and explosion event (43%, BP Texas) if compared to the toxic
release (31%, Bhopal) type of accident. This may be due to the
accident ranking used. As mentioned in Section 3, the design
error ranking is based on the accident analysis. According to
Crowl and Louvar (2011), large majority types of accident in
CPI are related to fire and explosion. Little only are related to
toxic release. This is the reason why design error in BP Texas
is higher than Bhopal.
In practical, the method has some limitations. As seen from
Table 12, the percentages of the design error were not found
(18–20%) and not applicable (42–51%) is high. More compre-
hensive accident ranking with high number of accident cases
could improve this situation.
In plant design, the effectiveness of the method i.e. high
percentage of design error detected; is not the basis of the
acceptance by the designers and practitioners in the CPI. The
most important is the capability of the method to detect the
design error. Once design error is found, the detailed design
review should be made immediately. Here the main agenda
of the method is to detect and review the design early so
that timely, cheaper and effective hazard control could be
implemented through design changes. This will promote risk
reduction through hazard avoidance or eliminate that reduce
the dependency to add-on safety protection system.
According to Section 2, the majority of the existing design
oriented safety methods i.e. HAZOP, are not applicable at
early phases of plant design due to lack of process informa-
tion. Here, both case studies prove that this method could
detect from 28% up to 64% of design error in process concept
development and another 32% to 44% in basic and detailed
engineering phases. Therefore, the proposed method could
help the designer to build a safer chemical plant by early
detection and elimination of possible design error throughout
process development and design.
6. Conclusions
The design oriented safety method for error detection at pro-
cess development and design is proposed. The aim of the
method is to detect the design errors that are commonly over-
looked by the designer. The method has been demonstrated
and tested using the Bhopal and BP Texas accident cases
for validation. The result shows that the method is capable
to detect design error throughout process development and
design. On average, the proposed method can predict up to
31% of common design errors associated with plant design of
Bhopal and 43% for BP Texas explosion and fire. The overall
design error found for both case studies are 74%.
In conclusion, the proposed method has several advan-
tages which manage to overcome some of the limitations of
the current design or safety methods. In fact, the method
could detect potential design error at different phases of
plant design. Furthermore, the method fully utilized the past
accident knowledge and disseminated it directly into design
project. Direct dissemination of accident information into
design activity will increase the level of learning from acci-
dent. However, the development of the method is not meant to
substitute the existing design method. It can be used together
to support design quality procedure. The method somehow
serves as a support to the designer by systematically identifies
the possible design error at designated design project phases.
The method will trigger safer design thinking and detailed
design review could be done upon needed. Therefore, timely
corrective action could be done easily at moderate cost.
References
Ackoff, R.L., 1989. From data to wisdom. J. Appl. Syst. Anal. 16,
3–9.
Bourrier, M., 2005. The contribution of organizational design to
safety. Eur. Manage. J. 23 (1), 98–104.
Busby, J.S., 1998. The neglect of feedback in engineering design
organizations. Des. Stud. 19 (1), 103–117.
Chouhan, T.R., Alvares, C., Jaising, I., Jayaraman, N., 2004. Bhopal:
The Inside Story, second ed. The Apex Press, Goa, India.
Chouhan, T.R., 2005. The unfolding of the Bhopal disaster. J. Loss
Prev. Process Ind. 18 (4–6), 205–208.
Crawley, F., Tyler, B., 2003. Hazard Identification Methods.
IChemE, Rugby.
Crowl, A.D., Louvar, F.J., 2011. Chemical Process Safety, third ed.
Pearson International, New York, NY.
CSB, 2014. Investigation Report of BP Texas Explosion and Fire.
U.S. Chemical Safety Board, Online available and access on
7th Oct. 2014
http://www.csb.gov/assets/1/19/CSBFinalReportBP.pdf.
Drogaris, G., 1993. Learning from major accidents involving
dangerous substances. Saf. Sci. 16, 89–113.
Duguid, I.M., 2001. Take this safety database to heart. Chem. Eng.
108 (7), 80–84.
FKD, 2014. Failure Knowledge Database, Available online 29th Jan
2014 http://www.sozogaku.com/fkd/en/.
Hale, A., Kirwan, B., Kjellen, U., 2007. Safe by design: where are
we now? Saf. Sci. 45 (1), 305–327.
Haastrup, P., 1984. Design error in the chemical industry. In:
Report RISØ-R-500. Riso National Laboratory, Roskilde,
Denmark.
HSE., 2003. Out of control—Why Control Systems Go Wrong and
How to Prevent Failures, second ed. HSE Books, Sudbury, UK.
60 Process Safety and Environmental Protection 9 7 ( 2 0 1 5 ) 49–60
Hurme, M., Rahman, M., 2005. Implementing inherent safety
throughout process lifecycle. J. Loss Prev. Process Ind. 18,
238–244.
Eckerman, Ingrid, 2001. Chemical Industry and Public Health.
Bhopal as an Example. Chemical Industry and Public Health.
Jacobsson, A., Sales, J., Mushtaq, F., 2010. Underlying causes and
level of learning from accidents reported to the MARS
database. J. Loss Prev. Process Ind. 23 (1), 39–45.
Jørgensen, K., 2008. A systematic use of information from
accidents as a basis of prevention activities. Saf. Sci. 46 (2),
164–175.
Kidam, K., Hurme, M., 2012a. Design as a contributor to chemical
process accidents. J. Loss Prev. Process Ind. 25,
655–666.
Kidam, K., Hurme, M., 2012b. Origin of equipment design and
operation errors. J. Loss Prev. Process Ind. 25, 937–949.
Kinnersley, S., Roelen, A., 2007. The contribution of design to
accidents. Saf. Sci. 45 (1), 31–60.
Kletz, T.A., 2004. Learning from experience. J. Hazard. Mater. 115
(1–3), 1–8.
Lindberg, A.-K., Hansson, S.O., 2006. Evaluating the effectiveness
of an investigation board for workplace accidents. Polic. Pract.
Health Saf. 4 (1), 63–79.
Lindberg, A.-K., Hansson, S.O., Rollenhagen, C., 2010. Learning
from accidents—what more do we need to know? Saf. Sci. 48
(6), 714–721.
Love, P.E.D., Lopez, R., Edwards, D.J., Goh, Y.M., 2012. Error begat
error: design error analysis and prevention in social
infrastructure projects. Accid. Anal. Prev. 48, 100–110.
Pasman, H.J., 2010. Will a safe process be sufficient or do we have
to do a bit more? In: 13th International Symposium on Loss
Prevention and Safety Promotion in the Process Industries,
June 6–9, 2010, Bruges, pp. 17–21, vol. 1.
Taylor, J.R., 1975. A study of abnormal occurrence reports. In:
Report RISØ-M-1837. Risø National Laboratory, Roskilde,
Denmark.
Taylor, J.R., 2007a. Statistics of design error in the process
industries. Saf. Sci. 45 (1), 61–73.
Taylor, J.R., 2007b. Understanding and combating design error in
process plant design. Saf. Sci. 45 (1), 75–105.