Safety Science 70 (2014) 438–464

Contents lists available at ScienceDirect

Safety Science
journal homepage: www.elsevier.com/locate/ssci

Risk-based process plant design considering inherent safety

Samith Rathnayaka a,⇑, Faisal Khan a, Paul Amyotte b
a
Safety and Risk Engineering Group, Faculty of Engineering and Applied Science, Memorial University, St. John’s, NL A1B 3X5, Canada
b
Department of Process Engineering and Applied Science, Dalhousie University, Halifax, NS B3J 2X4, Canada

a r t i c l e i n f o a b s t r a c t

Article history: An inherently safer approach is becoming a key parameter of process and plant design. However, a lack of
Received 29 November 2013 established guidelines and methods hinders most industries from utilizing inherent safety concepts to a
Received in revised form 13 May 2014 full extent. This paper presents a risk-based design decision-making tool considering inherent safety. The
Accepted 13 June 2014
tool is called the Risk-based Inherent Safety Index (RISI). The proposed indexing approach is an extension
of the Integrated Inherent Safety Index (I2SI) earlier developed by Khan and Amyotte (2004, 2005). The
RISI incorporates both consequence and probability of accident occurrence reduction through application
Keywords:
of inherently safer design principles throughout the process design life cycle. Unlike other available
Inherent safety
Process life cycle
dimensionless index-based matrices, risk components of the proposed indexing approach are expressed
Inherently safer design principles in terms of SI units. The RISI is applicable at different stages of the process design life cycle. Analytical and
I2SI subjective equations assess the damage potential of major process accidents: fire, explosion and toxic
Risk-based Inherent Safety Index release. The explosion accident scenario is studied separately in terms of vapor/gas explosion and dust
explosion. The decision-making potential based on the quantitative results of the methodology is dem-
onstrated by evaluating alternatives for biodiesel production.
Ó 2014 Elsevier Ltd. All rights reserved.

1. Introduction assessment metrics and models are broadly discussed in Khan

Traditional technical and economic aspects are not the only
consideration for product and process plant design. Different
aspects such as sustainability, environment, health and safety have
recently gained significant attention in process plant design and
development (Banimostafa et al., 2012; Ouattara et al., 2012;
Tugnoli et al., 2012). The application of inherently safer design
(ISD) principles into design and utilization of inherent safety as a
decision-making tool during the process life cycle has been identi-
fied as a reliable and better technique to produce a safer, sustain-
able and economically viable process plant. The fundamental
concept of inherent safety was first formulated by Professor Trevor
Kletz and since then, its advantages and applications have been
extensively discussed (Kletz, 1978, 1984, 1991; Kletz and
Amyotte, 2010). Further, assessment of inherent safety remains
an active topic of interest in the process safety design community.
Index-based metrics have been developed as indicators to
assess the level of inherent safety of a process system. Hence
safety–critical decisions are made based on these indicators during
various stages of the process design life cycle. The properties, lim-
itations and applicability of existing index-based inherent safety
et al. (2003), Rahman et al. (2005) and Srinivasan and Natarajan
(2012).
The present work is a continuation of earlier efforts to develop
an effective and accessible method to analyze and implement
inherent safety throughout the process design life cycle. In this
paper, a risk-based decision making tool considering inherent
safety is developed to choose an optimum design. The tool is called
the Risk-based Inherent Safety Index (RISI). The RISI is comprised of
two distinct risk elements: base design risk (RiskBD) and inherent
safety risk (ISRisk). Unlike other available dimensionless index-
based matrices, both risk calculations in the RISI methodology are
expressed in terms of units. In the present work SI units are used.
The RISI aims to improve design by applying inherently safer design
principles into different stages of the process design life cycle.
This paper is organized into two main sections: methodology
description, and testing and verification using a case study. Several
important equations and derivations are developed as part of the
methodology and are listed in the Appendices accompanying the
text.
2. Process design life cycle

⇑ Corresponding author. Tel.: +1 7097642354. Process design is a complex activity that is carried out in differ-
E-mail address: samithcr@mun.ca (S. Rathnayaka). ent stages over a period of time. Design at each stage involves

http://dx.doi.org/10.1016/j.ssci.2014.06.004
0925-7535/Ó 2014 Elsevier Ltd. All rights reserved.
 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464 439

Nomenclature

V volume of the vapor cloud (m3) VU volume occupied by the units in 30 m radius (m3)
DHC heat of combustion (kJ/kg) M mass of the flammable substances (kg)
q density of the flammable material (kg/m3) S burning speed (/s); s = 2.3 Uw
OP operating pressure of the process unit (kPa) Uw wind speed at the elevation of the closed vertical center
c specific heat ratio of mass (m/s)
VP vapor pressure (kPa) CD cloud depth (m)
bC compressibility (kPa1) T0 temperature at the source (°C)
mm molar mass of the chemical (g/mol) P0 pressure at the source (kg/cm2)
DHf enthalpy of the reaction (kJ/mol) A area of the source (m2)
C explosive dust concentration (kg/m3) fv fraction of the liquid that will flash; fv ¼ HC Pv ðT s  T b Þ
VC volume of the confinement (m3) CP average heat capacity of the liquid (J/kg °C)
Pmax maximum explosion pressure (kPa) HV heat of vaporization (J/kg)
Patm atmospheric pressure (kPa) Tb normal boiling point (°C)
ca heat capacity ratio of air at maximum explosion tem- Ts operating temperature (°C)
perature qL density of the liquid release (kg/m3)
MIT minimum ignition temperature (°C) Pg pressure inside the vessel (kPa)
D diameter of the pool (m) AP pool area (m2)
u wind velocity at a 10 m height (m/s) MW molecular weight
uc characteristics velocity (m/s) TP characteristics pool temperature (°C)
g gravitational acceleration (m/s2) hL height of the liquid above the release point (m)
m0 burning rate (kg/m2 s) K constant (K = 3.14)
qa density of air (kg/m3)

assessing, analyzing and evaluating design alternatives to enhance primarily on detailed piping and instrumentation design, electrical
safety along with other objectives such as economics, quality, and insulation designs, process control and automation, utilities
productivity, energy conservation and pollution prevention. The and support equipment and safety instrumented systems. During
process design life cycle represents this evolution over time this stage, a design and commissioning team along with engineer-
(Fig. 1). Researchers and regulatory bodies have classified stages ing, procurement and construction management (EPCM) contrac-
for the process design life cycle in different ways as relevant to their tors will carry out construction and plant commissioning.
own studies (CCPS, 2009; Palaniappan et al., 2002a; Mannan, 2005; Finally the operational team will be handed over the plant for
Hurme and Rahman, 2005; Tugnoli et al., 2008). In the present start-up of operations. There is a belief that the applicability of
work, the process design life cycle is divided into five stages and inherent safety strategies is significantly limited during the opera-
they are considered as key design decision-making points. These tion and modification stage. During this stage, which is the longest
are (as shown in Fig. 1): (1) conceptual design, (2) process selection stage of the process design life cycle, many changes in operation,
and design (3) detailed engineering design and commissioning (4) personnel, maintenance and equipment will likely occur. CCPS
operation and modification and (5) decommissioning. (2009) highlighted two main tasks for consideration of inherent
Conceptual design begins with researching an idea for a new
product or process. Research is carried out to determine the tech-
nical, economic and safety feasibility. If the product is practical and
feasible, conceptual design begins. The main purpose of conceptual
design is to study the process chemistry and to evaluate available
chemical synthesis routes. The chemical reactions involved, raw
materials, intermediate and by-products, storage, transportation
and waste treatment associated with each synthesis route are fur-
ther studied.
Once conceptual design efforts lead to configuration of the pro-
cess chemistry and synthesis routes, a process flow-sheet is devel-
oped. This stage is called the process selection and design stage.
Information on desired product rates, product purity, heat transfer
fluids, solvents, catalysts, control and operational methods gath-
ered from conceptual design, laboratory and pilot scale trials and
knowledge of the existing process are used to develop the base
design flow-sheet. During this stage, key decisions on selection of
unit operations, conversion factors, process parameters such as
temperature, flow rate, pressure, and selection of solvents and
catalysts are taken into consideration.
Once the process flow-sheet is developed, further studies are
carried out to improve operating conditions, optimize product
yields and energy usage, improve product quality, and investigate
the need for recycling by using information from process engineer-
ing design principles, computer-aided simulations and expert
knowledge. The detailed engineering design stage focuses Fig. 1. Classification of stages of the proposed process design life cycle.
440 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464
safety at this stage: conserving the inherent safety features and
practices which were applied during the early stages of the process
design life cycle, and seeking opportunities for continued
improvement in inherent safety. These can be incorporated and
implemented using inherent safety strategies, where applicable,
during installing, maintaining and operating the modified
equipment and practices.
The application of inherent safety strategies during the decom-
missioning stage is equally important. However, this is not
discussed in detail here as the current work is not focused on the
decommissioning stage.
3. Inherent safety tool for decision-making
Safety is a key factor in making design decisions, from the
beginning through to the end of the process design life cycle. An
unsafe plant cannot be profitable due to production loss, capital
loss, insurance cost and public liability. The risk is known as the
quantitative representation of safety. The systematic method to
manage process risks is called process risk management (PRM). It
is the application of a wide variety of strategies, techniques, proce-
dures, policies and systems that can reduce process hazards and
the probability of an accident. Inherent safety is becoming an
attractive proposition in process risk management, placed at the
top of the hierarchy of risk management strategies.
Inherent safety is an approach that focuses on eliminating or
reducing hazards by using the properties of a material or charac-
teristics of the process. Inherent safety differs from three other
strategies (passive, active and procedural safety) because it seeks
to remove the hazard at the source rather than accepting the haz-
ards and implementing add-on systems to control or to mitigate
them. ISD principles are applicable to a process at all stages of its
life cycle. As the process goes through different stages of the design
life cycle, the possibility of implementing inherent safety may vary
(Kletz, 1991; Khan and Amyotte, 2004).
A comprehensive review of the development of inherent safety
principles, matrices and models developed during the last decade
was carried out by Srinivasan and Natarajan (2012). They summa-
rized many important factors associated with inherent safety
developments. Their study revealed that the majority (87% of tech-
nical articles) on inherent safety metrics which were developed to
quantify safety associated with the process have focused on
hazards rather than risk. Key developments in inherent safety
metrics/indices are the Prototype Index for Inherent Safety (PIIS)
(Edwards and Lawrence, 1993), Inherent Safety Index (ISI)
(Heikkilä et al., 1996), i-safe (Palaniappan et al., 2002a,b), Inte-
grated Inherent Safety Index (I2SI) (Khan and Amyotte, 2004,
2005), inherent benign-ness indicator (Srinivasan and Nhan,
2008), Process Route Index (PRI) (Leong and Shariff, 2009), the
inherent occupational health index (Hassim and Hurme, 2010)
and Inherent Safety Key Performance Indicators (IS-KPIs) method-
ology (Tugnoli et al., 2012). Inherent safety assessment in terms of
the concept of risk rather than focusing on hazard reduction is also
discussed by authors such as Shariff and Leong (2009) and Shariff
and Zaini (2013). However, their methodologies are applicable only
for the preliminary design stage. Among these approaches, I2SI is
one of most referenced method by researchers and industrial
practitioners (Srinivasan and Natarajan, 2012).
I2SI is a structured guideword approach that is used to measure
the inherent safety of process units. This approach is composed of
two main sub-indices: hazard index (HI) and inherent safety
potential index (ISPI) which specify hazard potential, inherent
safety potential and add-on controls. Though it is capable of per-
forming the inherent safety evaluation along with an economic
evaluation, the index has certain limitations. I2SI addresses hazard
reduction rather than risk reduction. Decision-making depends
entirely on dimensionless index values which may sometimes pro-
vide uncertain results and may limit the comparison of design
options. I2SI shows less flexibility when applied to different stages
of the process design life cycle. Analysis of other available indices
also indicates similar limitations.
In the present work, a risk-based approach is proposed as an
extension of I2SI development as a key design decision-making
tool addressing the above mentioned limitations. Key characteris-
tics of the risk-based approach are:
 Consideration of four most credible accident scenarios sepa-
rately: fire, explosion, and toxic gas and toxic liquid release.
 Addressing hazard reduction as well as accident occurrence
probability reduction.
 Inherent safety risk and base design risk expression in units (SI)
rather than a dimensionless index, which provides a better per-
spective for decision making.
 Improved flexibility, providing applicability at different stages
of the process design life cycle.
4. Risk-based Inherent Safety Index (RISI)
RISI includes two distinct risk estimations. Figs. 2 and 3 graph-
ically illustrate the estimation of RISI. The procedure starts with
the estimation of risk for base design (RiskBD) and subsequently
the inherent safety risk for alternative designs (ISRisk). Both risks
are eventually integrated to develop the Risk-based Inherent Safety
Index (RISI). The RISI is defined as the ratio of the inherent safety
risk of the selected alternative to the risk of the base design as
given by Eq. (1).
ISRisk
RISI ¼ ; 0  RISI  1 ð1Þ
RiskBD
RISI is then used as the key decision-making parameter to select
the optimum design with maximum inherent safety. ISRisk can
also be used for decision making considering specific design
requirement criteria.
The value of the RISI varies from 0 to 1. As RISI approaches 0, the
alternative is called ‘‘perfect’’ inherently safer design. If it
approaches 1, the alternative is called ‘‘inoperative’’ inherently
safer design. The design improvement of an alternative with
respect to the base design can be estimated using Eq. (2).
% improvement of inherent safety ¼ 100  ð1  RISIÞ ð2Þ
Therefore, the terms ISRisk and RISI can be successfully utilized
for design decision-making during different stage of the process
design life cycle.
4.1. Inherent hazard assessment and accident sequence analysis
Prior to risk estimation, the design stage should be specified. As
the design stage has different activities, attributes and design crite-
ria, the information required to evaluate safety will depend on the
stage and the nature of the process. This is an iterative process that
involves a combination of synthesis, analysis and evaluation of
process alternatives. The design team first carries out initial design
to develop the base design.
Once the initial design is completed, hazard identification is
carried out to identify all potential inherent hazards associated
with the base design, and subsequently alternative designs are
developed. Inherent hazards may be associated with materials,
equipment and the process itself (Hendershot, 1997; Palaniappan
et al., 2002a).
Fire, explosion and gaseous and liquid toxic releases are studied
as they are considered the most credible accident scenarios associ-
ated with the process industries. These accident scenarios are fur-
 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464 441

Fig. 2. The framework for estimating the base design risk, RiskBD.

ther analyzed to construct an accident sequence. Further, parame-
ters that affect inherent safety, such as inventory, temperature,
pressure, toxicity and flammability, are also listed and analyzed
during this step.
A methodology for the identification of major accident hazards
(MIMAH) developed by Delvosalle et al. (2006) under the ARAMIS
project can be used to perform hazard identification. MIMAH used
the bow-tie technique to represent the logical cause-consequence
relationship of major accidents; hence accident scenarios can be
generated. To identify the atypical hazards that may arise in a sys-
tem, a methodology called DyPASI (dynamic procedure for atypical
scenario identification) (Paltrinieri et al., 2013) can be used along
with MIMAH.
5. Risk estimation for base design (RiskBD)
The risk of the base design (RiskBD) is computed using three
main factors: damage radius in meters (DR), occurrence probability
(PR) and risk control index (RCI). The framework and sequence of
steps involved is shown in Fig. 2. Risk for the base case is expressed
in terms of damage distance and is computed using Eq. (3).
DR  PR
RiskBD ¼ ð3Þ
RCI
The RiskBD denotes the risk level of the base design after taking
into consideration risk control measures (add-on safety controls)
applied to the base design. The risk value of the base design can
442 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464

Fig. 3. The framework for estimating inherent safety risk (ISRisk) and selection of optimum design.

also be used for decision making. If the base design risk is accept-
able, further changes are not necessary. However, it is noted that
inherent safety is not taken into account in this risk calculation.
Therefore, subsequent steps are taken to generate possible
alternatives considering inherent safety and to proceed with risk
estimation.
5.1. Damage radius (DR) estimation
Damage radius addresses the damage or harm caused due to
fire, explosion, and gaseous and liquid toxic releases. It is measured
in terms of the area having a 50% probability of complete destruc-
tion. Subjective and analytical equations have been developed to
 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464
estimate the damage radii for each accident scenario and are dis-
cussed in subsequent subsections.
5.1.1. Explosion damage radius estimation (EDR)
The equation to estimate the EDR is derived using a multi-
energy method. The main assumptions considered here is: defla-
grative combustion and explosion blast are composed of a number
of sub-blasts corresponding to the number of potential blast
sources identified within the vapor cloud (Assael and Kakosimos,
2010). The coefficient of the strength of the blast is considered as
its maximum, 10, and the maximum overpressure generated by
deflagration is considered as 2 atm (200 kPa). Considering these
facts, Eq. (4) is developed to estimate the EDR.
1=3
EDR ¼ 0:90  ðhazard potentialÞ
where the hazard potential is the total energy released during the
explosion and is expressed in kilo Joules. The hazard potential for
explosion is formulated using two elements: energy factor (F) and
penalty (pne). Four energy factors, F1, F2, F3 and F4 are defined to
estimate the hazard potential of a premixed gas/vapor cloud explo-
sion, which take into consideration chemical energy, physical
energy (isentropic gas expansion and liquid expansion below boil-
ing point) and energy released due to chemical reaction, respec-
tively (Khan et al., 2001).
Process units are divided into five categories: storage units, units
involving physical operations such as absorptions, adsorption, dis-
tillation, evaporation, units involving chemical reactions, transpor-
tation units and other hazardous units such as furnaces, boilers and
other similar units (Khan et al., 2001). Penalties are assigned to
address the impact of the various process and operating parame-
ters. The equations for energy factors, hazard potential, and penal-
ties assigned for different process units are listed in Appendix A.
There exist similarities of characteristics between a premixed
gas/vapor explosion and a dust explosion, except for two basic dif-
ferences: physics of the generation and accumulation of a dust
cloud and flame propagation in the cloud (Abbasi and Abbasi,
2007; Eckhoff, 2006). Considering these similarities, the equations
developed to estimate the damage radius of a gas/vapor explosion
can be used to estimate the damage radius of the dust explosion. It
is noted that the hazard potential and penalties vary considering
the factors influencing a dust explosion. For a dust explosion,
two energy factors FD1 and FD2 are introduced to take chemical
energy and physical energy into account, respectively. Chemical
energy liberated due the combustion process (FD1) is computed
by using the heat of combustion of dust particles (DHc), explosible
dust concentration (C), and the volume of the confinement (VC) as
shown in Eq. (5). FD2 estimates the physical energy release due to
the adiabatic rise in the pressure of the explosion energy. It is com-
puted using Eq. (6).
FD1 ¼ DHc  C  V C
 ðP
max  P atm Þ

FD2 ¼ 2  104 VC
ca  1
where Pmax and Patm denote the maximum explosion and atmo-
spheric pressure, respectively. ca denotes the heat capacity ratio
of air at maximum explosion temperature.
Common hazardous operations involved in a dust explosion are
listed elsewhere (Abbasi and Abbasi, 2007). Using this information,
it is agreed that process units involving chemical reaction and
physical operation such as absorption, adsorption, distillation, will
not be a candidate for the inherent safety assessment of a dust
explosion. Three other process units: storage units, transportation
units and other hazardous units such as furnaces, boilers, have to
be thoroughly studied. The behavior of dust explosion factors such
443
as maximum explosion pressure (Pmax) and maximum rate of pres-
sure rise ðdP Þ
dt max
with the parameters that effects to inherent safety
are studied using the information available in the literature
(Amyotte, 2013; Eckhoff, 2003; Mannan, 2005). The conclusions
from this study are used to decide the penalties and the guidelines
to estimate penalties are listed in Appendix B.
5.1.2. Fire damage radius estimation (FDR)
The FDR is derived using a point-source model. The principal
assumptions considered here are:
 Heat flux from the center of the fire to the target is at ground
level and the wind effect is insignificant.
 Transmissivity of the atmosphere sa is approximately equal to
ð4Þ one (1).
 All target receptors are considered to behave as black bodies.
 Damage due to fire is a direct consequence of the heat flux.
Similar to EDR estimation, the thermal radiation intensity limit
is chosen as 37.5 kW m2 considering the design for a worst-case
scenario. This intensity limit could cause property damage and
100% lethality in 1 min (1% lethality in 10 s) (Assael and
Kakosimos, 2010). Eq. (7) estimates the damage radius due to fire.
FDR ¼ 0:05  ðhazard potentialÞ
1=2
ð7Þ
where hazard potential is the total heat release rate during the fire
and is expressed in kilo Watts. The damage radius for jet fire is spe-
cifically determined by taking half the value obtained by Eq. (7).
Similar to the explosion damage radius estimation, the energy
potential is estimated using energy factor E, and penalty pnf for each
process unit. Considering the above mentioned assumptions, only
one energy factor is defined to take the radiative heat release rate
into account. Four distinguishing equations are defined for estimat-
ing the energy factor of a pool fire, fireball, jet fire and flash fire. The
most probable fire scenario associated with operating conditions
and process units is considered for design purposes. The penalties
are also defined to take into consideration the impact of the influ-
encing factors. Using available literature (Assael and Kakosimos,
2010; CCPS, 2010; Mannan, 2005; Roberts, 1982), energy factors
and penalties are developed and listed in Appendix C.
5.1.3. Toxic gas release damage radius estimation (TGDR)
The TGDR is defined as the ground level distance from the
release source to a receptor at which the downwind toxic concen-
tration is at the threshold limit value (TLV). To estimate the dam-
age radius the Pasquill–Gifford plume model is used with the
following assumptions:
 Stability class is chosen as ‘‘slightly stable’’ because it repre-
sents median atmospheric conditions (Khan et al., 2001).
ð5Þ
 Dispersion coefficients are chosen based on the slightly stable
stability class.
ð6Þ  Model characteristics considered are: plume, continuous
release, steady state, source at ground level in the direction of
wind.
 Downwind speed is 2 m/s.
The equation developed to estimate the damage radius due to
continuous release of toxic gas is:
0:6
TGDR ¼ 5:86  C G  ðhazard potentialÞ ð8Þ
The hazard potential is defined as the toxic gas (vapor) release
rate which is estimated by release factor G and assigned penalties
(png). CG is defined as the maximum allowable concentration
which is estimated using Eq. (9).
444
0:6
1 height of the liquid above the release point, AP is the pool area

CG ¼
TLV
where TLV is the threshold limit value for the released gas.
Two main gas release scenarios prevail in process units: (1) flow
of gas/vapor through holes and (2) flow of vapor through pipes. It is
assumed that flow through a pipe is controllable and accidental
release is through a hole. The released gas is assumed to behave
as ideal gas and discharge is classified as isentropic free expansion;
the release factor is then estimated using Eq. (10) (Crowl and
Louvar, 2002).
0:5
MW

G ¼ 7:5  103  A  P0 
T0
where A is the area of the source, P0 is the pressure at the source, T0
is temperature at the source and MW is the molecular weight of the
substance released.
In this case, penalties are assigned to address the impact of
parameters such as operating temperature, pressure, vapor den-
sity, toxicity of chemical, site characteristics, external environmen-
tal factors and vulnerability of the area. The expressions to decide
the penalties are obtained by referring to the literature: Crowl and
Louvar (2002), Khan et al. (2001), and incorporating authors’
knowledge. Penalties developed here are listed in Appendix D.
5.1.4. Toxic liquid release damage radius estimation (TLDR)
In the case of toxic liquid release, toxic liquid may reach the
ground and form a pool that spreads according to the terrain. If
the vessel is surrounded by a dike, the liquid usually flows to the
wall of the dike, and the dimension of the pool is then equal to
dimension of the dike. In other cases, the pool is assumed to be cir-
cular. Liquid release may cause damage to soil and water in the
case of an unrestricted flow and lack of barriers. For such scenarios,
it is difficult to estimate the damage radius using a mathematical
equation and such an incident must be analyzed independently.
Instead, this work focuses on the damage due to an airborne toxic
substance which has evaporated from a liquid pool and/or flashing
of the liquid. The damage radius due to liquid release is defined as
the distance from the liquid pool or flashing unit to the threshold
limit value (TLV) concentration and is derived using Eq. (11)
(AIChE technical manual, 1994).
0:5
TLDR ¼ 6:51  C L  ðhazard potentialÞ
where
0:5
1

CL ¼
TLV
Hazard potential represents the airborne toxic quantity due to
liquid toxic release. As mentioned earlier, the airborne quantity
can be produced by pool evaporation and flashing of liquid, and
depends on the operating temperature of the unit. A momentum
balance is used to model the flow of liquid through a hole (Crowl
and Louvar, 2002), and it is assumed that the release of liquid will
continue for at least five minutes before the release can be stopped
(AIChE technical manual, 1994). The hazard potential due to flash-
ing (L1) is estimated using Eq. (13), whereas the hazard potential
due to pool evaporation (L2) is estimated using Eq. (14).
sffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi
6 1000P g
L1 ¼ 6:0  10  AqL fv  þ 9:81hL
qL

MW  VP
 (PHCI)’’ development earlier proposed by Khan and Amyotte
L2 ¼ 9:0  104  A0:95
P 
TP
where qL is the density of the liquid release, fv is the fraction of the
liquid that will flash, Pg is the pressure inside the vessel, hL is the
S. Rathnayaka et al. / Safety Science 70 (2014) 438–464
ð9Þ and TP is the characteristics pool temperature.
Similar to toxic gas release, seven penalties are assigned to take
into consideration influencing factors. The guideline to determine
the penalties and their relevant values is presented in Appendix D.
5.2. Estimation of probability of occurrence (PR) of accident scenarios
Once the hazard assessment is completed, the probability of
occurrence of a particular accident scenario is estimated. A generic
bow-tie model to represent the accident scenario is proposed here.
This will guide users to develop the accident scenario and then to
ð10Þ estimate the probability of occurrence of a particular accident
scenario. For the case of base design the model is shown in
Fig. 4. It is clear that inherent safety is not the main consideration
in the base design. The initiating event or the top event is the
release of gas or liquid under the pre-defined operating conditions.
The failure probability for the dispersion prevention barrier is com-
prised of the failure of three different barriers mentioned here. By
assigning probabilities based on industrial specific data or avail-
able statistics, the probability of failure of the dispersion preven-
tion barrier is estimated by multiplying the failure probabilities
of individual barriers. The event sequence varies according to the
process condition of release (high pressure and low pressure)
and the physical state of the material (liquid or gas). As well, the
type of ignition decides the type of accident scenario. The probabil-
ity of occurrence of delayed or immediate ignition depends on the
nature and availability of the ignition source, and it is also assigned
based on industrial specific data. Three main add-on safety barri-
ers: fire/explosion sprinkler system, fire/explosion wall, and fire-
fighting are suggested for escalation prevention. The failure
probabilities are assigned for each barrier based on industrial spe-
cific data. The probability of top event occurrence depends on the
failure probability of the release prevention barrier. Four main
immediate causes of escalation prevention barrier failure are
presented in the bow-tie model. A more comprehensive failure
analysis of the release prevention barrier can be found elsewhere
(Rathnayaka et al., 2011a). Having determined the failure probabil-
ities, simple event tree analysis is performed to estimate the end
event probability.
It is noted that probability calculation may contain a certain
degree of uncertainty. However this would be obviated due to
ð11Þ the relative analysis. During the conceptual stage, information for
the process units, operating parameters, instrumentation and util-
ities is scarce, whereas information on the chemical reactions and
properties is widely available. Therefore, the accident scenario will
ð12Þ
be determined based on the chemical and physical properties and
probability is directly obtained through available sources: the
literature and the industrial data.
5.3. Estimation of the Risk Control Index (RCI)
It is clear that inherent safety is not the sole approach for risk
reduction. Hierarchical arrangement of risk management strategies
highlights that add-on safety is the second layer of protection.
Add-on safety implies the application of both active and passive
safeguards. Therefore, it is important to quantify their effect on risk
reduction, and for this purpose, RCI is introduced. The RCI is an
objective analysis that attempts to quantify the process dependence
ð13Þ
on risk reduction by means of add-on safety measures. The analysis
is performed similar to the ‘‘Process and Hazard Control Index
ð14Þ (2004). The framework to estimate the RCI is shown in Fig. 5.
Evaluation is conducted considering application of add-on con-
trol measures to process control and risk control. The requirement
of the process control is first evaluated. Process control measures
 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464
Fig. 4. The accident sequence and probability analysis bow-tie model – base design.
are applied to maintain the process parameters within the desired
region. Any deviation may cause the creation of a hazardous condi-
tion that eventually leads to a major accident. Temperature, pres-
sure, flow and level are considered four major process
parameters and the rest are considered to be one category.
Risk controls are applied to reduce the subsequent damage or
severity due to an abnormal event which is caused by a process
deviation. Risk controls reduce the probability of a particular acci-
dent occurring. For instance, emergency shutdown (ESD) is
installed to activate on demand to isolate the release; hence the
rate of release is controlled or cut off and the probability of a cat-
astrophic accident will be reduced, preventing events from escalat-
ing into a catastrophic accident. Risk control measures are
categorized into five distinct groups to analyze their requirement
and dependency. They are emergency shutdown system, isolation,
engineering control, venting and dilution, and alarm and fault
detection as shown in Fig. 5.
Process dependence and the requirement of both process and
risk control are measured using a subjective scale. The guidewords
to decide the extent of the requirement of the control arrangement
and associated scale are presented in Table 1. The guidewords are
similar to those used in the development of I2SI (Khan and
Amyotte, 2004, 2005). The maximum scale ‘‘10’’ is assigned if the
system is equipped with all necessary control arrangements and
the guideword is termed ‘‘Not required’’. Scales 1 and 2 are
assigned if the system has no or little control arrangements. The
guideword for this scenario is ‘‘Essential’’. The rest of the values
are assigned based on the analyst’s judgment on the requirement
of the control arrangements.
445
The relationship between the extent of requirement and the
index is developed. This is shown graphically using Fig. 6. If the
system is fully equipped with all control arrangements, it means
that the system no longer requires further add-on safety measures.
Therefore, the highest value of the index is assigned. The lowest
index is assigned if there is no or little control arrangement in
the system. In this case, the system requires significant add-on
safety measures to establish safety of the process. Hence, an
improved alternative design will be proposed.
Once indices for each control arrangement are estimated, RCI is
estimated by taking the summation of all indices as per Eq. (15).
RCI ¼ ½RCIT þ RCIP þ RCIF þ RCIL þ RCIOTH þ RCIESD þ RCIISO
þRCIECO þ RCIVDL þ RCIAFD  ð15Þ
6. Inherent Safety Risk for Alternative Design (ISRisk)
Design alternatives are generated when the risk of the existing
design (base design) is not acceptable. Several alternatives can be
suggested by adding safety control measures into the base design.
This could be achieved through a systematic approach of risk man-
agement strategies: inherent, passive, active and procedural safety.
As an inherently safer process design is the core protection layer
(Kletz and Amyotte, 2010), the design criterion for development
of alternatives is risk reduction through the application of inherent
safety design principles.
Once the alternative design is generated based on ISD
principles, each design is evaluated to estimate the contribution
446 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464

Fig. 5. Framework for estimation of Risk Control Index (RCI).

Table 1
Guideline to decide the extent of the requirement of process and risk control
measures (adopted and revised from Khan and Amyotte (2004)).

Guideword Extent of requirement

Not required 10
Requirement does not affect the process 9
Good if available 8
Not greatly important but required 7
Requirement is moderate 6
Required 5
Important 4
Very important 3
Essential 1, 2

of inherent safety for risk reduction. Inherent safety risk, ISRisk, is

the quantitative representation of the residual risk of the alterna-
tive design after implementing inherent safety strategies into the
system. The inherent safety risk for the ith alternative is estimated
using Eq. (16).

DRi  PRi
 the process system. As the system hazard and probability reduc-
ISRiski ¼ ðaH aL Þ1 
RCIi
where RCIi is the risk control index for the ith design alternative
which is estimated using a similar procedure explained in Section
5.3.
There are two key factors that need to be considered while
assessing the inherent safety of the system: applicability and
impact. The applicability of inherent safety indicates how ISD prin-
ciples are applicable to the process system. The indices, aH and aL,
are used to estimate the extent of applicability of inherent safety
options for hazard and probability of accident occurrence reduc-
tion, respectively. The estimation of applicability of ISD principles
is discussed in Section 6.1.
The impact of inherent safety indicates the degree of hazard and
its probability reduction upon application of inherent safety into
Fig. 6. Graphical relationship between requirement of process and risk control
measures and risk control index.
ð16Þ tion are quantified using the DR and PR, it is not required to per-
form the evaluation of the impact using an indexing approach.
Therefore, no index values are assigned for this feature. The dam-
age radius for the alternative design DRi is estimated using the
same procedure as described in Section 5.1. It is mandatory to per-
form inherent hazard identification and scenario analysis for each
alternative prior to risk estimation and risk reduction.
During the hazard identification and scenario analysis, possible
causes and consequences are identified and assessed. This informa-
tion is subsequently utilized to apply ISD principles.
A base design bow-tie model is then modified to develop acci-
dent scenarios and to estimate the end event occurrence probabil-
ity. The modified model is shown in Fig. 7. The primary objective of
alternative design generation is to apply ISD principles as much as
possible into the system. The additional barriers are applied or
 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464
existing barriers are modified adopting ISD principles. Thus the
branch of the event tree shifts backwards creating more branches.
On the fault tree side of the bow-tie model, events that lead to fail-
ure of the release prevention barrier are improved by using ISD
principles. Add-on safety measures are utilized only if required.
In Fig. 7, the revised immediate event (IE-R) may have a lower fail-
ure probability than the base design which eventually results in a
comparatively low probability of occurrence of gas or liquid release
(top event). Further, ISD principles can be applied to prevent igni-
tion sources or change the nature of the ignition sources, which
eventually reduces the probability of the occurrence of delayed
or immediate ignition. The combined effect lowers the probability
of a particular accident occurrence. The probability of alternative
design i (PRi) is estimated using the event tree calculation.
6.1. Determination of applicability of inherently safer design options
In the present work key ISD principles considered are: minimi-
zation, substitution, moderation (attenuation and/or limitation of
effects) and simplification. The definitions are readily available.
In the present work, the authors have referred to definitions from
Kletz and Amyotte (2010).
To estimate the applicability of ISD options, two indices are
used: aH is used to present the applicability of ISD principles to
Fig. 7. The accident sequence and probability analysis bow-tie model – alternative design.
447
reduce the hazards, and consequently the severity of conse-
quences. The index aL is used to represent the applicability of
inherent safety principles to reduce the probability of a particular
accident occurrence. It is difficult to analyze applicability in terms
of an analytical or mathematical model. Therefore, a subjective
scaling method is used based on authors’ knowledge and is
expressed in terms of non-dimensional index value.
The applicability of each ISD principle to a process system in
different design stages varies. It is not always possible to apply
all ISD principles to one system for the given process conditions.
Most importantly, a change of design or component that reduces
one hazard or probability may create a new hazardous condition
or increase the magnitude of an existing condition (CCPS, 2007).
The evaluation of such conflicts and tradeoff of hazards using
inherent safety concepts has been discussed elsewhere (Rusli
et al., 2013). Therefore, those factors are also to be considered
when deciding on the scale.
6.1.1. Estimation of applicability index of inherently safer design
principles to reduce the hazard, aH
Applicability index aH is obtained based on the applicability
score. The applicability score for hazard reduction is assigned by
answering two questions: to what extent a particular ISD principle
can be applied to a system, and how much hazard reduction can be
448 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464
Table 2
Guideline to decide the applicability index of inherently safer design options for
hazard reduction, aH (adopted and revised from Khan and Amyotte (2004)).
Guideword
Extent Hazard
Completely applicable Eliminated
Significantly reduced
Applicable May be eliminated
Significantly reduced
Reduced
Applicable but process Reduced
dependent May be reduced
May be applicable Reduced
May be reduced
Not applicable No hazards reduced or
eliminated
obtained. Five guidewords are assigned to answer the first ques-
tion, and six guidewords are assigned for the second question.
Based on these guidewords, the user develops the scenario for
the applicability. Each scenario is then assigned a numerical score
as shown in Table 2.
Score 1, Not applicable, means that hazards are neither reduced
nor eliminated. The guideword May be applicable is used when the
user is uncertain whether a particular ISD option is applicable or
not. Two hazard reduction guidewords associate with it: May be
reduced and Reduced. Score 2 is assigned if the user is uncertain
about both the applicability of ISD principles and hazard reduction.
Score 3 is assigned for the case where the user assumes that there
is moderate hazard reduction if the ISD option is applicable.
The guideword Applicable but process dependent indicates that
the user compromises the application of the ISD option owing to
process and product limitations, tradeoff and hazards conflicts.
Score 4 is assigned to take the user’s uncertainty of hazard reduction
into consideration under this condition. On the other hand, score 5 is
assigned to consider the user’s certainty of hazard reduction. The
guideword Reduced is used to indicate moderate hazards reduction.
Significant applicability of the ISD option to a process system is
denoted by the guideword Applicable. Upon significant application
of the ISD option, the user decides on one of these hazard reduction
cases: hazards moderately reduced, hazards significantly reduced,
and hazards may be eliminated. The guidewords, Reduced, Signifi-
cantly reduced, and May be eliminated, denote these scenarios,
respectively. Scores 6, 7, and 8 are assigned to each scenario,
respectively.
When the system can accept many ISD options, the applicability
is denoted by Completely applicable. This will lead to complete
elimination or significant reduction of the hazard. The hazard
reduction guideword Eliminated represents the complete elimina-
tion of hazard presence in the system. Score 9 is assigned where
the user believes there is a significant reduction of hazards. The
maximum score 10 is assigned if the hazard is completely elimi-
nated. This is an ideal case.
To estimate an inherent safety applicability index associated
with each applicability scenario, the graph based approach is used.
Hazard reduction using moderation is assessed considering two
aspects: using hazardous materials under less hazardous condi-
tions (attenuation) and changing the design (limitation of effects).
Khan and Amyotte (2004) developed graphs for the ISD principles
minimization, substitution, attenuation and limitation of effects.
These graphs are used in the present work. An additional graph
to estimate the applicability index for simplification is introduced
here.
Once the applicability score is decided, the relevant inherent
safety applicability index for hazard reduction is located by using
graphs as shown in Fig. 8. The index varies from 1 to 10. Index 1
is the minimum value which represents the case of no process
improvement or no hazard reduction in the system due to the
Score application of ISD options. Indices 2 to 9 represent the gradual
increment of system inherent safety as hazards are reduced. Index
10
10 is the maximum value. This indicates that the system is com-
9 pletely improved (e.g. process is minimized to a large extent) in
8
terms of inherent safety and hazards are no longer present in the
7 system.
6 The overall inherent safety applicability index for the ith alter-
5 native is then estimated by combining all applicability indices
4 using Eq. (17).
3 h i1=2
2 aH;i ¼ ðami Þ2 þ ðasu Þ2 þ ½aat  ali  þ ðasi Þ2 ð17Þ
1
6.1.2. Estimation of applicability index of inherently safer design
principles to reduce the probability of accident occurrence, aL
Probability of accident occurrence depends on the performance
and availability of safety barriers. The logical arrangement of the
safety barriers and possible consequences are shown in Fig. 7. To
change the end event probability, either new safety barriers can
be introduced or existing safety barriers can be improved for better
performance. The present work examines the applicability of ISD
principles to carry out both options. The inherent safety applicabil-
ity index for probability reduction aL is introduced to measure the
extent of applicability of ISD principles to reduce the occurrence
probability of accident scenarios.
Based on accident sequences described in Rathnayaka et al.
(2011a), four main stages are considered: release, dispersion, igni-
tion and escalation (Fig. 7). The ISD options can be applied to pre-
vent, mitigate and control each of these steps. Hence the
occurrence probability is reduced. These design options also
reduce the severity of the consequences. It is clear that the applica-
bility of the ISD option to a reduction in occurrence probability will
be varied at each stage of the accident sequence. Therefore, each
stage is assessed separately and consequently combined together.
Similar to aH calculation, the graphical approach is used here.
The graphs are developed for each ISD option. Applicability score
is assigned answering two questions: to what extent can a partic-
ular ISD principle be applied to the system and how much reduc-
tion of occurrence probability can be obtained. To answer the
first question, the guidelines developed for index aH calculation
are used. The guideline to answer the second question is modified
as required. Based on these guidewords, the user develops the sce-
nario for the applicability and decides the numerical score using
Table 3. Similar definition used in deciding scores during estima-
tion of applicability index of inherently safer design principles to
reduce hazards are used deciding scores for estimation of applica-
bility index of inherently safer design principles to reduce proba-
bility of accident occurrence.
Using authors’ knowledge and expertise in this area, four graphs
are developed and presented in Fig. 9. Similar to aH calculation, the
inherent safety applicability index varies from 1 to 10. Each index
is interpreted similarly to the estimation of hazards reduction
applicability index. The index value is decided considering how
ISD principles reduce occurrence probability and balance the
trade-off and conflicts of hazards. Therefore, even though a higher
score may be assigned for a particular ISD principle, the inherent
safety index may still be low.
During aL calculation, the inherently safer design options limita-
tion of effects and attenuation are studied together under the ISD
option called moderation. Attenuation is the use of hazardous
materials under least operating conditions which has been already
incorporated during hazards reduction process. Thus it has insig-
nificant applicability for reduction of probability of occurrence,
 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464 449

Fig. 8. Graphical relationship to estimate the inherent safety availability index for hazard reduction, aH (adopted and revised from Khan and Amyotte (2004)).

Table 3 The inherent safety applicability index is estimated for each

Guideline to decide the applicability index of inherently safer design options for accident scenario distinctly. To illustrate the applicability index
occurrence probability reduction, aL.
estimation, the accident scenario ‘‘fire’’ is used here.
Guideword Score Step 1: Decide the score for the extent of applicability of the ISD
Extent Occurrence probability option to reduce the accident sequence using guidewords
Completely applicable Completely reduced 10
(Table 3).
Significantly reduced 9 Step 2: Read the applicability indices for each guideword to
Applicable May be completely reduced 8
reduce the probability of release (are,k: where k = 1, 2, 3, 4 which
Significantly reduced 7 represent minimization, substitution, moderation and simplifica-
Reduced 6 tion, respectively) from the relevant graph (Fig. 9).
Applicable but process dependent Reduced 5 Step 3: Estimate the inherent safety applicability index to
May be reduced 4 reduce occurrence probability of release (aL,re) for ISD options using
May be applicable Reduced 3 Eq. (18).
May be reduced 2 h 2 2 i1=2
þ ðare;su Þ2 þ ðare;mo Þ2 þ are;si

Not applicable No change 1 aL;re ¼ are;mi ð18Þ

Step 4: Perform steps 2 and 3 for all stages of accident

especially later stages of accident sequences process. Therefore sequences: dispersion, ignition and escalation.
authors choose inherently safer design option of moderation to Step 5: Considering that at least three steps (release, dispersion
represent the both attenuation and limitation of effects. and ignition) need to exist to cause a fire, the overall index of
450 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464

Fig. 9. Graphs to estimate the inherent safety availability index for occurrence probability reduction, aL.

applicability to reduce the occurrence probability of fire is derived
taking the geometric mean of indices estimated for each stage of
the accident sequence. (Eq. (19))
" #1=j
jP3
Y methanol and catalyst is heated to reaction temperature to pro-
aL;i ¼ aL;j
j¼1
where j = 1, 2, 3, 4 represent four accident sequence stages: release,
dispersion, ignition and escalation, respectively.
7. Application of the methodology
Numerical feasibility of this methodology is tested by perform-
ing a simple case study. The case study is based on the design of a
biodiesel production plant using palm oil as the main raw material.
The process description, process modeling and simulation results
can be found in detail elsewhere (Gómez, 2013). For overall under-
standing, a brief process description is presented here.
Palm oil and the methanol are the main feedstock materials for
this study. Refined, bleached and deodorized palm oil which con-
tains triglyceride is produced through a palm oil extraction pro-
cess. It is noted that triolein is used as the main component in
this work because of the limitation of the process simulator (Aspen
Plus) used for the simulation in this work. Triolein is hydrolyzed to
produce fatty acid, mainly oleic acid and byproduct glycerol. Glyc-
erol is separated out from oleic acid using a phase separator. Sep-
arated fatty acid is then mixed with methanol before being fed into
the transesterification reactor. The acid in the presence of excess
ð19Þ
duce the biodiesel. After the reaction complete, excess methanol
is recovered from the distillation column as the overhead product
and biodiesel is obtained from the bottom product. The methanol
is further purified using a distillation process, recycled and used
as a reactant.
7.1. Base design risk estimation
In the base design, the plug flow reactor (PFR) is used for the
transesterification reaction. An atmospheric pressure distillation
column is used to separate the methanol from the biodiesel.
Fig. 10 presents the process flow sheet of the base design.
The credible accident scenario associated with each unit is
determined based on the operating conditions, properties, and
state of the materials. The reactor is operated under high pressure
and temperature. The concentration of biodiesel and methanol
released at any time varies with the conversion rate of the reaction.
Vapor Cloud Explosion (VCE) is determined as the most credible
accident scenario (MCAS) associated with the plug flow reactor
 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464
Fig. 10. Simplified process flow diagram of base design (Gómez, 2013).
Table 4
Summary of results of the base design.
Unit Description Type of the unit
R-102 Plug Flow Reactor (PFR) Units involving chemical reaction
T-101 Distillation column 1 Units involving physical operation
T-102 Distillation column 2 Units involving physical operation
(R-102) and distillation column 1 (T-101) where biodiesel separa-
tion primarily takes place. Distillation column 2 (T-102) is occu-
pied with a high concentration of liquid methanol and is
operated in a vacuum at a low temperature. Therefore, pool fire
is determined as the most credible accident scenario associated
with distillation column 2 where methanol purification takes
place. Table 4 summarizes the results of damage radii analysis
for the base design. For the damage radius calculation for pool fire,
the pool diameter is taken to be as 5 m. The operating conditions
required for detailed calculation are primarily obtained through
the process simulation.
Each unit is then analyzed using the bow-tie model (Fig. 4) to
estimate the probability of occurrence. The top event is chosen
as the release of flammable material. Basic event failure probabil-
ities are estimated using the Offshore Reliability Data Handbook
(OREDA, 2002), Crowl and Louvar (2002), HSE (2012), Mannan
(2005), Rathnayaka et al. (2011b). The results are summarized in
Table 5.
Considering the complexity of the process operation and the
operating conditions, the extent of the requirements of the process
and risk control measures are subjectively analyzed. For example,
assuming the plug flow reactor which is operating under high pres-
sure and high temperature does not have enough pressure and tem-
perature control, the extent of requirement is described as
‘‘essential’’ and ‘‘very important’’. The relevant RCIs for pressure,
temperature and flow are then formulated using Fig. 6 as 3, 3 and
3, respectively. It is estimated that the plug flow reactor required
a moderate improvement of control measures. For two distillation
columns, RCIs are estimated as 68 which implies that these two
units have used both risk and process control measures moderately.
Table 4 summarizes the base design risk (RiskBD) for each units.
The PFR shows a comparatively higher risk as it has a large
damage radius, but a low probability of occurrence. The damage
radius due to VCE of distillation column 1 is considerably lower
451
Most credible Damage Probability of Risk control RiskBD (m)
accident scenario radius, occurrence, PR index, RCI
(MCAS) DR (m)
VCE 265.3 1.3439E-04 69 5.1671E-04
VCE 66.6 1.5269E-04 68 1.4943E-04
Pool fire 4.7 1.3970E-04 68 9.5431E-06
than the damage radius produced by the PFR. However, the risk
of VCE for both units is slightly different as their probability of
VCE occurrence is approximately equal. In this stage, decision mak-
ing is performed based on the risk acceptance criteria. However, it
is noted that inherent safety is not taken into consideration.
7.2. Inherent safety risk analysis for alternative design
Alternative designs are suggested considering design improve-
ment primarily in terms of ISD principles. For this particular case
study, two distinct alternatives are suggested focusing mainly on
the PFR, distillation column 1 and distillation column 2.
7.2.1. Alternative 1
Alternative 1 uses the same reaction system as the base design.
The simplified process flow diagram is shown in Fig. 11. Alternative
1 uses the ISD principles of minimization, moderation and simpli-
fication for hazard reduction. The inventory of methanol flow is
reduced by approximately half of the initial value, achieving the
same throughput of biodiesel. The operating pressures of the
methanol purification unit (distillation column 2) are reduced by
applying the moderation option; as a result, the boiling point of
the substances maintains a lower value. The process has been sim-
plified further by eliminating the unit used for methanol purging
and piping. Reduction of the probability of accident occurrence is
achieved through the application of the ISD principles of simplifi-
cation and substitution. This can be accomplished by using the
bow-tie model. Each basic event of the fault tree part is analyzed
for reliability improvement. Both inherent safety and engineered
safety measures are then suggested to improve the reliability of
the events. It is required to emphasize the inherent safety conflicts
in this stage. Further, additional inherent safety barriers are
applied to prevent, control and mitigate accident propagation in
the event tree side of the bow-tie model. Subsequently, revised
452 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464

Table 5
Suggested safety measures to improve the reliability of basic events of fault tree of distillation column 1of alternative 1.

Event Causal factors (or basic event) Inherent safety measure to prevent the accident Other safety measures
propagation or probability reduction
1 Failure of pressure safety valve Perform periodic functional testing of pressure relief
valves; carry out regular calibration, set the safe
operating limit wider than narrow set point
2 Failure of automatic isolation Substitute existing control instruments with high SIL Use redundant system design; conduct regular proof
(SIL 3 or 4) equipment (substitution) testing without interrupting the operation
3 Failure of tower pressure indicator Use the diaphragm seal for pressure gauges Incorporate an international industrial standards and
(moderation); substitute existing pressure gauges with upgrade accordingly
digital pressure gauges (substitution)
4 Failure of overhead product pressure Substitute existing control instruments with high SIL
transmitter (SIL 3 or 4) equipment (substitution)
5 Failure of overhead product pressure Use digital pressure recorders (substitution)
recorder failure
6 Inadequate detector coverage Install adequate sensors; conduct proper area
classification
7 Delayed response Simplify plant by reducing additional pipework and Apply an efficient visual numbering and sign system;
valves so that operators can easily reach isolation valve conduct regular operator training through a simulated
(simplification) environment as well as actual environment; measure
response time versus different alarm rate and operator
characteristics to establish a proper training protocol
8 Lack of accessibility Simplify plant by reducing additional pipework, valves
and equipment (simplification)
9 Failure to identify high pressure alarm or Simplify the existing alarm system to avoid operator Establish proper alarm management procedures;
misinterpretation overloading the alarms (simplification) conduct regular operator training; improve control
dashboard to easily and timely identify the alarms; use
different operator emphasizing systems
10 Loss of cooling water supply to condenser Monitor cooling water feed
11 Failure of condenser due to rupture Change design using high reliable construction
material (moderation)
12 Fouling or blockage of condenser tubes Install cooling water pre-treatment unit to remove
impurities, hardness materials, salts, etc.; install a
device to measure the overall heat transfer resistance
(OHTR) and predict micro and macro-fouling using
these data, introduce proper and timely cleaning
mechanism
13 Failure of reflux flow control valve Substitute the conventional positioners with highly an Conduct preventive maintenance to avoid the external
advance digital positioners (substitution) leakages of valves; apply tough coating to the linkage
so that linkages are less susceptible to vibration; make
sure that no dirty process air supply
14 Uncontrolled feed Apply control system to properly control the feed
15 Failure of level control valve of the bottom Substitute the conventional positioners with highly Conduct preventive maintenance to avoid the external
product advance digital positioners (substitution) leakages of valves; apply tough coating to the linkage;
make sure that no dirty process air supply
16 Failure of tower level control transmitter Substitute existing control instruments with high SIL
(SIL 3 or 4) instruments (substitution)
17 Failure of tower temperature transmitter Substitute existing control instruments with high SIL
(SIL 3 or 4) instruments (substitution)
18 Failure of re-boiler steam control valve Substitute the conventional positioners with highly Conduct preventive maintenance to avoid the external
advance digital positioners (substitution) leakages of valves; apply tough coating to the linkage
19 Failure of temperature indicator controller Advance the controller with better control algorithm
(moderation); place the sensor at proper place
(moderation); choose solid state relay or DC voltage
since they contain no moving parts (moderation)
20 Failure of temperature indicator Substitute existing control instruments with high SIL
(SIL 3 or 4) instruments (substitution)
21 Failure of flanges and connection attached Minimize the number of connections (minimization) Perform regular weld degradation monitoring; use high
to the distillation column reliable sealing material
22 Leaks through pumps Install piping and tubing according to a manufacturer’s
recommendations; avoid pinching, cocking or incorrect
installing
23 Material defects Promote offsite (before purchasing) inspection to make
sure proper material quality
24 Inadequate strength of material Estimate the material properties required to properly
construct
25 Erroneous maintenance Apply fool proof design (moderation) Estimate optimum number of maintenance intervals
through risk based maintenance process
26 Failure of preventive maintenance of Simplify the design by reducing the number of Implement risk-based maintenance management
valves/pumps/fittings maintenance points/intervals (simplification) system (RBM)
27 Inadequate maintenance program Implement RBM with good safety culture
28 Failure of regular corrosion inspection Identify the minimum inspection points; implement
methods to predict the corrosion rate
29 Failure of leak testing protocol Substitute existing detectors with the high sensitive Perform regular area based leak detection; conduct
leak (gas) detectors (substitution) proper area classification
30 Failure of weld degradation monitoring Reduce connection as much a possible (simplification) Determine the optimum number of degradation points;
 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464 453

Table 5 (continued)
Event Causal factors (or basic event) Inherent safety measure to prevent the accident Other safety measures
propagation or probability reduction
develop theoretical models to predict the degradation;
utilize the suitable welding method
31 Inadequate inspection program Implement risk-based inspection (RBIM) with good
safety culture
32 Lack of supervision or training Provide regular awareness about new technology and
operating methods; implement safety oriented work
environment
33 Operator negligence or mistakes Design fool proof design (moderation) Implement safety oriented work environment
34 No safe work procedures or industrial best Establish an international recommended industrial
practices best practice; perform periodical review and updating
35 Leaks during start up and shutdown Perform Start-up shutdown based on the
recommended practice

Fig. 11. Simplified process flow diagram for alternative design 1 (Gómez, 2013).

Table 6
Summary of the results of alternatives.

Unit operation Description Category Most credible accident Damage radius, Probability of Risk control aH aL ISRisk1 (m)
scenario (MCAS) DR (m) occurrence (PR) index (RCI)
Alternative 1
R-102 Plug Flow Reactor (PFR) 3 VCE 248.8 9.7737E-05 62 4.4 4.9 1.8151E-05
T-101 Distillation column 1 2 VCE 60.9 1.0823E-04 73 4.3 5.0 4.2287E-06
T-102 Distillation column 2 2 Pool fire 5.3 1.0151E-04 73 4.3 5.0 3.4747E-07
Alternative 2
RT-101 Reactive distillation column 3 VCE 183.5 9.4411E-05 73 8.9 4.9 3.1105E-07
T-102 Distillation column 2 2 Pool fire 4.2 1.0151E-04 83 4.3 5.0 7.7198E-08

failure probabilities are used to perform the quantitative analysis.
For illustration, the basic events of the fault tree for distillation col-
umn 1of alternative 1 or causal factor that lead to vapor cloud
explosion in distillation column 1 are listed in Table 5. Inherently
safer design options that can be used to reduce the probability of
accident occurrence or to prevent or control the propagation of
accident process are also listed in column tow (2) of Table 5. Prob-
ability of accident occurrence highly depends on the failure of
safety barriers that apply to prevent and control the accident
sequence process. Application of inherent safety measures to
improve the performance of safety barriers lead authors to think
broader view of inherent safety measures rather than considering
the formal definition of ISD options. Engineered and procedural
safety measures required to improve the reliability of the system
are also listed in column three of Table 5.
It is determined that the most credible accident scenarios asso-
ciated with the PFR, distillation column 1 and distillation column 2
are the same as those in the base design. The damage radii for the
three units are then estimated using the equations developed,
revised process parameters and operating conditions obtained
through the process simulator. Damage radii of the PFR and distil-
lation column 1 have been reduced whereas the damage radius of
454 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464
distillation column 2 has slightly increased even after the applica-
tion of safety measures. The operating temperature of distillation
column 2 of alternative 1 has increased significantly compared to
the base design. This leads to the increment of the penalty due to
temperature; hence, the damage radius is increased. The occur-
rence probability (PR) is obtained using the revised fault tree esti-
mation. The results clearly indicate that the application of safety
measures has reduced the probability of occurrence of VCE and
pool fire associated with the units studied. Risk control indices
for each unit are estimated similarly to the base design. It is noted
that RCIs are estimated as 62, 73 and 73 for the PFR, distillation
column 1, and distillation column 2, respectively. The higher RCIs
indicate that the units are equipped with process and risk control
measures to a reasonably large extent.
The inherent safety applicability indices for alternative 1 vary
between 4 and 5. These values imply that inherent safety is slightly
below the moderate value. Inherent safety risk (ISRisk) is then esti-
mated and the results are presented in Table 6. The results demon-
strate that the PFR has highest inherent safety risk which is
1.8151  105 and distillation column 2 has the lowest inherent
safety risk of 3.4747  107. The inherent safety risk of distillation
column 1 lies between the PFR and distillation column 2.
7.2.2. Alternative 2
Alternative 2 uses a different reactor system with the same
reaction synthesis. To develop alternative 2, all four inherent safety
design options are used. The process flow diagram for alternative 2
is shown in Fig. 12. In alternative 2, the plug flow reactor and first
separation distillation column have been replaced by one unit, the
reactive distillation column. Using the reactive distillation column
reduces the inventory of hazardous material (methanol and biodie-
sel) (minimization), the number of process operations which leads
Fig. 12. Simplified process flow sheet for alternative design 2 (Gómez, 2013).
Table 7
RISI results for each process unit of alternatives 1 and 2.
Unit Description Base design
R-102 Plug flow reactor 5.1671E-04
T-101 Distillation column 1 1.4943E-04
T-102 Distillation column 2 9.5431E-06
RT-101 Reactive distillation column
to fewer transfer operations and less pipework and the frequency
of shutdown and startup operations (simplification). Further, the
atmospheric pressure methanol separation distillation column is
replaced by a vacuum distillation column. As a result fewer vapors
will be produced during an unexpected release of methanol. The
inventory of methanol used for the complete process has been sig-
nificantly reduced as a result of the characteristics of the reaction
system. The process has been significantly simplified by removing
heat exchangers and additional mixer. Three key ISD options (mod-
eration, substitution and simplification) are used to reduce the
occurrence probability of a particular accident (ISD options to
reduce the accident sequence). For instance, existing control instru-
mentation is replaced by instrumentation with a high safety integ-
rity level (SIL) (substitution); the existing alarm system is simplified
to avoid operator overloading with alarms (simplification).
For alternative 2, there are only two major units considered: the
reactive distillation column (RT-101) where both reaction and sep-
aration occur and distillation column 2 (T-102) where methanol
purification occurs. Considering the process parameters and operat-
ing conditions, it is determined that the most credible accident sce-
narios associated with the reactive distillation column and
distillation column 2 are a vapor cloud explosion (VCE) and pool fire,
respectively. The damage radii for these two units are then esti-
mated as 183.5 m and 4.2 m, respectively. The pool diameter for this
case is considered as 4 m as the unit runs with less inventory of
methanol (689.65 kg/h). It is clear that the damage radii of both units
have been considerably reduced when compared to the base
design and alternative 1. The occurrence probability of a VCE
(9.4411  105) has lessened slightly and the occurrence probability
of a pool fire (1.0151  104) remains the same when compared to
alternative 2. Estimation of the risk control indices for each unit uses
the procedure explained in the methodology. RCIs are estimated as
Alternative 1 Alternative 2
RISI % RISI %
0.035 96.5
0.028 97.2
0.036 96.4 0.025 97.5
0.011 98.9
 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464 455

73 and 83 for the reactive distillation column and distillation column ing two alternative processes of biodiesel manufacturing. Three
2, respectively. It is noticed that RCIs for alternative 2 also reach a key hazardous units are selected for evaluation. Based on the risk
higher value, indicating that the units are equipped with process estimation, it is found that both alternative 1 and 2 are better
and risk control measures to a large extent. options than the base design. With the implementation of inherent
The estimation of the applicability index of ISD principles to safety design options and necessary engineered safety measures,
reduce both hazards (aH) and their probability of occurrence (aH) damage radius and probability of accident occurrence of both alter-
follows the procedure described in the methodology. Values for
aH and aL of the reactive distillation column are obtained as 8.92
and 4.87, respectively. It is clear that the designed reactive distilla-
tion column uses the inherently safer design options to a consider-
ably higher extent in terms of hazards reduction, whereas the
inherently safer options are used to a moderate extent in terms of
the probability of occurrence reduction. Values for aH and aL of dis-
tillation column 2 remain similar to alternative 1. Inherent safety
risk (ISRisk) is then estimated and presented in Table 6. The inher-
ent safety risk of reactive distillation column (3.1105  107 m) is
slightly lower than alternative 1. Here, reactive distillation is com-
pared with only PFR of alternative 1. Note that the distillation col-
umn 1 used in alternative 1 has been eliminated in alternative 2.
The inherent safety risk of distillation column 2 has also shown a
slight decrease compared with alternative 1.

7.3. Risk-based Inherent Safety Index (RISI) for alternative designs

To provide a better comparison between alternatives and to Fig. B1. Penalty due to size of the dust particle for storage units.
choose the ‘‘best’’ alternative, the risk-based inherent safety index
is estimated. Percentage improvement with respect to base design
is also estimated using Eq. (2). The results are shown in Table 7.
In alternative 1, the risk-based inherent safety index value of all
three units is very low. These are 0.0351, 0.0238 and 0.0364 for
PFR, distillation column 1, and distillation column 2, respectively.
Results are closer to 0 than 1, indicating that units are inherently
safer than the base design. Based on the percentages of improve-
ment, how much risk reduction has been achieved through appli-
cation of the inherently safer design option compared with base
design can be explained. The PFR has obtained 96.5% improvement
after applying inherent and engineered safety design options. Dis-
tillation column 1 has obtained slightly higher improvement than
distillation column 2. In alternative 2, instead of using both PFR
and distillation, one single unit, reactive distillation, is introduced.
In this study, the reactive distillation column is evaluated com-
pared to the plug flow reactor. The RISI for the reactive distillation
column is 0.0106 and percentage improvement is 99. This result
clearly indicates that reactive distillation is a better option than
using integrated PFR and distillation. The RISI of distillation col- Fig. B2. Penalty due to initial pressure of the containment.
umn 2 is also slightly lower than that of alternative 1 as it operates
with a lower pressure and temperature range than alternative 1.
Comparison of the RISI values demonstrates that alternative 2 is
a better option than alternative 1.

8. Summary and conclusion

A proper tool is required to assess a system’s inherent safety,

and subsequently to improve process safety using ISD principles
throughout the process design life cycle. The Integrated Inherent
Safety Index (I2SI), first developed by Khan and Amyotte (2004,
2005), effectively supports inherent safety implementation as a
quantitative tool. However, I2SI is limited to perform only hazard
reduction. As ISD principles can apply to hazards and probability
reduction, the Risk-based Inherent Safety Index (RISI) is proposed,
incorporating the ability of risk reduction using inherently safer
design options. RISI consists of two risk estimation: base design
risk and inherent safety risk. Risk estimation involves both
subjective and objective estimations. The proposed indexing Fig. C1. Penalty for proximity of the unit to other hazardous unit due to the pool
approach is demonstrated by application to a case study compar- fire/jet fire.
456 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464
Fig. C2. Penalty for proximity of the unit to other hazardous unit due to the fire ball.
Fig. C3. Penalty for operating pressure of the process unit effected to jet fire.
Fig. C4. Penalty due to ambient wind speed for flash fire.
natives are considerably reduced. Between the two alternatives, the
inherently safer alternative is chosen using the Risk-based Inherent
Safety Index (RISI) and percentage of improvement. Alternative 2
has the lower RISI and the higher percentage improvement com-
pared to the other alternative; hence, alternative 2 is selected as
the best alternative. Similar to I2SI, the proposed method also
allows assessing each unit individually. It helps to identify the most
critical units based on the index value. It is observed that the RISI
values of all three units in alternative 1 are close to 0 indicating that
the units are inherently safer than the base design. Alternative 2
Fig. D1. Penalty due to operating pressure for toxic gas release.
Fig. D2. Penalty due to operating pressure for toxic liquid release.
uses substitution and minimization design options; thus the pro-
cess is significantly modified using a reactive distillation column
instead of a plug flow reactor and distillation column 1. This will
result in the production of a comparatively low RISI (0.0106) and
high inherent safety improvement (98.5%). Though the RISI value
of distillation column 2 of alternative 1 is 0.0364, this does not
imply that it is perfectly inherently safer. It is apparent that the dis-
tillation column is still operating under moderate temperature and
pressure and contains a significant amount of methanol. This
implies this unit has further potential to improve in terms of inher-
ent safety. With further implementation of inherent safety design
options in distillation column 2 of the alternative 1, the RISI of dis-
tillation column 2 of alternative 2 is raised to 0.0251. With the help
of the numerical case study, it is proven that this methodology pro-
duces meaningful results.
The risk-based inherent safety indexing approach is a system-
atic decision-making support tool to improve system safety with
the application of inherent safety design options. The proposed
methodology is flexible to perform along with other hazard identi-
fication and quantitative risk analyses to produce safer, more sus-
tainable, and economically profitable process plants.
Acknowledgments
The authors gratefully acknowledge the financial support pro-
vided by the Natural Sciences and Engineering Research Council
(NSERC) of Canada, Research and Development Corporation
(RDC), Atlantic Canada Opportunities Agency (ACOA) and Vale
Newfoundland and Labrador Limited.
Appendix A. Penalties, energy factors and hazard potential to estimate the explosion damage radius (EDR)

Process unit Penalty Energy factor Hazard potential

Storage unit pne1 – Operating temperature (OT) Gas/vapour explosion
If fire point > OT > flash point, pne1 = 1.34 (F1  pne1+F  pne2)  pne3  pne4  pne5
 pne6  pne7  pne8
If AIT > OT > fire point, pne1 = 1.55 F1 = 0.1 M  DHC/K
Otherwise, pne1 = 1.10

pne2 – Operating pressure (OP)

 
F2 ¼ 1:0  103  VOP
c1
If (VP > AP)
If (OP > VP) F3 = 5  10-4  bC  (OP - VP)2  V
F = F2 + F3
pne2 = f(Operating presure)
else
F = F2 F4 = (M/mm)  DHf
pne2 = f(Operating presure)
else

S. Rathnayaka et al. / Safety Science 70 (2014) 438–464

F = F3
pne2 = f(Perating presure)
Estimate as shown in SWeHI method (Khan et al., 2001)

pne3 – Location of the nearest hazardous unit

Estimate as shown in SWeHI method (Khan et al., 2001)

pne4 – Capacity of the unit

Estimate as shown in SWeHI method (Khan et al., 2001)

pne5 – Characteristics (flammable or reactivity)

pne5 = max (1, 0.30  (NR + NF)
NR and NF are NFPA ranks for reactivity and flammability of the
chemical.

pne6 – Obstructed region

pne6 ¼ ð1:1 þ Volume of obstructed region
Total v olumeð56520Þ
Þ
Note: 30 m radius hemisphere is considered

pne7 – External environmental factors

If occurs every year, pne7 = 2.0
If occurs once in 5 years, pne7 = 1.5
If occurs once in 20 years, pne7 = 1.1

pne8 – Vulnerability of surroundings

If highly prone to accident, pne8 = 2.0
If not prone to accident, pne7 = 1.1

(continued on next page)

457
 (continued)

458
Appendix A

Process unit Penalty Energy factor Hazard potential

Unit involving pne1 – Operating temperature (OT) (F1  pne1 + F  pne2)  pne3  pne4  pne5
physical operations If fire point > OT > flash point, pne1 = 1.45  pne6  pne7  pne8
If 0.75 AIT > OT > fire point, pne1 = 1.75
If OT > 0.75 AIT, pne1 = 1.95
Otherwise, pne1 = 1.10

pne2 - Operating pressure (OP)

If (VP > AP and OP > VP)
pne2 = fp1(OP, AP, VP)
F = F2 + F3
else
pne2 = fp2(OP, AP, VP)
F = F2
If (AP > VP and OP > AP)
pne2 = fp3(OP, AP, VP)

S. Rathnayaka et al. / Safety Science 70 (2014) 438–464

F = F3
else
pne2 = 1.1
F = F3
fp1 = 1 + ((OP – VP)/OP)  0.6
fp2 = 1 + ((OP – VP)/OP)  0.4
fp1 = 1 + ((OP – VP)/OP)  0.2
If the process is under vacuum penalty is assigned a value ranging
from 1.2 to 1.65 depending upon the extent of vacuum.
Estimate as shown in SWeHI method (Khan et al., 2001)

pne3 – Location of the nearest hazardous unit

Estimate as shown in SWeHI method (Khan et al., 2001)

pne4 – Capacity of the unit

Estimate as shown in SWeHI method (Khan et al., 2001)

pne5 – Characteristics (flammable or reactivity)

pne5 = max (1, 0.30  (NR + NF)

pne6 to pne8
Estimate similar to storage unit
pne1 – pne8
Unit involving Estimate similar to units involving physical operation (F1  pne1 + F  pne2 + F4  pne9  pne10)
chemical reaction  pne3  pne4  pne5  pne6  pne7  pne8
pne9 – Nature of the reaction
Estimate as shown in SWeHI method (Khan et al., 2001)
pne10 – Impact of the side reaction
Estimate as shown in SWeHI method (Khan et al., 2001)

Transportation units pne1 – Transportation temperature (TT) (F1  pne1 + F2  pne2)  pne3  pne4  pne5
Estimate similar to storage units  pne6  pne7  pne8  pne11
Appendix A (continued)
Process unit Penalty Energy factor Hazard potential

pne2 – Transportation pressure (TP)

If (3  AP > TP > AP), pne2 = 1.2
If (5  AP > TP > 3  AP), pne2 = 1.4
If (TP > 5  AP), pne2 = 1.6
If the transportation is under sub-atmospheric pressure, pne2 = from
1.2 to 1.8

pne3 – Location of the nearest hazardous unit

Estimate similar to storage units

pne4 – Capacity of the unit

If transportation in bulk, pne4 = f(quantityintons)
Estimate is similar to storage unit
If transportation through pipeline,
pne4 ¼ 1 þ quantity transport ðkg=minÞ
1000

S. Rathnayaka et al. / Safety Science 70 (2014) 438–464

pne5 – Characteristics (flammablity or reactivity)
pne5 = max (1, 0.20  (NR + NF)

pne6 – pne8
Estimate similar to storage units

pne11 – Physical state of the chemical

Gaseous, pne11 = 1.45
Liquefied gas, pne11 = 1.65
Liquid, pne11 = 1.25
Solid particles, pne11 = 1.20

Other hazardous units pne1 and pne3 F1  pne1  pne3  pne4  pne5
Estimate similar to units involving physical operations  pne6  pne7  pne8  pne11
pne4 – Capacity of the unit
NF
pne4 ¼ 1:0 þ 1000  rate ðtons=hÞ
pne5 – Characteristics (flammability or reactivity)
pne5 = max (1, 0.35  (NR + NF)

pne6 – Obstructed region

Estimate similar to units involving physical operations

pne7 and pne8

Estimate similar to storage units

pne11 – Physical state of the chemical

Solid dust particle size >150 lm, pne11 = 1.25
Solid dust particle size <150 lm, pne11 = 1.40
Liquefied gas, pne11 = 1.80
Liquid, pne11 = 1.35
Gaseous; pne11 = 1.65

459
460 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464

Appendix B. Penalties, energy factors and hazard potential to estimate the dust explosion damage radius (D-EDR)

Process unit Penalty Energy factor Hazard potential

Storage unit (production pnd1 – Operating FD1 = DHc  C  VC (FD1  pnd1  pnd2  pnd3  pnd4
storages, intermediate temperature (OT)  pnd5 + FD2  pnd4)  pne3
process inventories, pnd1 = f(MIT, OT)  pne6  pne7  pne8
silos, and bins) If OT > MIT, pnd1 = 1.55 FD2 ¼ ð2  104 Þ ðPmax P atm Þ
VC
c 1 a
If OT < MIT, pnd1 = 1.10

pnd2 – Dust particle size

Estimate using Fig. B1 Note: Penalties pne3 to pne8 are
obtained from the Appendix A
pnd3 – Moisture content
pnd3 = f(% of moisture content)

If 10% < moisture content < 30%,

pnd3 = 1.60
If moisture content < 10%, pnd3 = 1.30
If moisture content > 30%, pnd3 = 1.10

pnd4 – Initial pressure of the

chamber
Estimate using Fig. B2

pnd5 – Type of the process

equipment
Estimate using Table B1

Transportation units pnd1 – pnd5 (FD1  pnd1  pnd2  pnd3  pnd4

(pneumatic conveyers, Estimate similar to storage unit  pnd5  pnd6)  pne3  pne6
belt conveyers, cranes,  pne7  pne8
bucket conveyers,
manual handling, and
grain elevators)

pnd6 – Initial turbulence

pnd6 = f(degreeofturbulence)
High initial turbulence, pnd6 = 1.5
Moderate initial turbulence, Note: Penalties pne3 to pne8
pnd6 = 1.3 are obtained from the Appendix A
Low turbulence, pnd6 = 1.1

Other hazardous units pnd1 – Operating temperature (OT) (FD1  pnd1  pnd2  pnd3  pnd4
(screening, If OT 6 0.3 MIT, pnd1 = 1.25  pnd5  pnd6 + FD2  pnd4)
classification, If 0.3 MIT < OT 6 0.7 MIT, pnd1 = 1.45  pne3  pne6  pne7  pne8
separations, size If 0.7 MIT < OT 6 MIT, pnd1 = 1.65
reduction, ancillary If OT > MIT, pnd1 = 1.85
units such as dryers,
heaters, and conveyer,
and packaging units)

pnd2 – pnd5 Note: Penalties pne3 to pne8

Estimate similar to storage unit are obtained from the Appendix A

pnd6 – Initial turbulence

High initial turbulence, pnd6 = 2.0
Moderate initial turbulence,
pnd6 = 1.5
Low turbulence, pnd6 = 1.1

(See Figs. B1 and B2 and Table B1).

 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464 461

Table B1
Guideline to assign the penalty due to type of the process equipment.

Category Process operation Process units involved Penalty

1 Screening, classification and Cyclones, dust handling units, settling chambers, filters, electrostatic precipitator, screening and sieving devices, 2.00
separation pneumatic separation
2 Size reduction (dry Crushers, hammer mills, roller mills, ball mill, plate mill 1.80
operation)
3 Dryers, heaters, and Furnace, tray dryers, rotary dryers , fluidized bed dryers, spray dryers, vacuum dryers, manual conveying, 1.75
conveyers pneumatic conveying, belts, bucket conveyers
4 Packaging Screw feeders, pneumatic and manual fillings machines, packaging machine 1.55
5 Mixing and blending Mixers, blenders 1.45
6 Storage units Storages, silos, bins 1.35
7 Others units Reactors, evaporators, distillations 1.10

Appendix C. Penalties, energy factors and hazard potential to estimate the fire damage radius (FDR)

Process unit Pool fire Fire ball Jet fire Flash fire
Storage units pnf1, pnf5, pnf8, pnf9 pnf1, pnf5, pnf9, pnf9 pnf1, pnf5, pnf8, pnf9 pnf1, pnf5, pnf8, pnf9
Estimate similar to EDR Estimate similar to EDR Estimated similar Estimate similar to EDR
EDR

Units involving physical pnf2 pnf2 pnf2 pnf2

operation Pressure effect is negligible Case 1: VP < AP Estimate using Pressure effect is
Fig. C3 negligible
pnf3 If OP < VP, pnf2 = 1.1 pnf3 pnf3
If u/uc 6 1, pnf3 = 1.1 If AP > OP > VP, Wind effect is Estimate using Fig. C4
negligible

Units involving reactionx If u/uc > 1, pnf3 = u/uc pnf 2 ¼ 1:1 þ ðOPVP
OP Þ  0:2
pnf4 pnf4
Case 2: VP > AP Estimate using Negligible effect
Fig. C1
If VP > OP P AP,
pnf 2 ¼ 1:1 þ ðOPVP
OP Þ  0:4
If OP > VP,

Transportation units u
¼ ðgm
0D 1=3
pnf 2 ¼ 1:1 þ ðOPVP
OP Þ  0:6
uc q Þ
a

Other hazardous units pnf4 pnf3 pnf6 pnf6

Estimate using Fig. C1 Wind effect is negligible Vu
pn7 ¼ ð1:1 þ 56520Þ Negligible effect
pnf6 pnf4 pnf7 pnf7
Vu
pn6 ¼ ð1:1 þ 56520Þ Estimate using Fig. C2 Estimate using Estimate using Table C1
Table C1
pnf7 pnf6
Estimate using Table C1 Vu
pn7 ¼ ð1:1 þ 56520Þ
pnf7
Estimate using Table C1

Energy Factor Epf = 0.785  D2  m0  DHC Efb = 2.2  DHC  M0.67 Ejf = m0  DHC S
Eff ¼ M  DHC  ðCD Þ

Hazard potential Epf  pnf1  pnf3  pnf4 Epf  pnf1  pnf3  pnf4 Ejf  pnf1  pnf2 Eff  pnf1  pnf3  pnf5
 pnf5  pnf6  pnf7  pnf5  pnf6  pnf7  pnf4  pnf5  pnf6  pnf6  pnf8  pnf9
 pnf8  pnf9  pnf8  pnf9  pnf7  pnf8  pnf9
pnf1 – operating temperature, pnf2 – operating pressure, pnf3 – metrological condition (wind velocity), pnf4 – distance to nearest hazardous unit, pnf5 – quantity of chemical,
pnf6 – possibility of domino effect, pnf7 – physical state of the material, pnf8 – external environmental effect, pnf9 – vulnerability of surrounding

(See Figs. C1–C4 and Table C1).

462 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464

Table C1
Penalties due to the physical status of the chemicals to estimate the damage radius due to fire.

Category Physical status Penalty

1 Liquefied gaseous 1.85
2 Gaseous 1.65
3 High volatile liquids 1.55
4 Low volatile liquids 1.35
5 Solid dust 1.25
6 Others 1.10

Appendix D. Penalties, energy factors and hazard potential to estimate the toxic release damage radius (TDR)

Process unit Toxic gas release (TGDR) Toxic liquid release (TLDR)
Storage units png1 – Operating temperature pnl1 – Operating temperature

Units involving If(OT > 4  AT), png1 = 1.55 Case 1: OT 6 BP, then fv = 0 (Pool evaporation only)
physical If(OT > 2  AT), png1 = 1.35 L = L2
operation Else, png1 = 1.11 pnl1 ¼ 1:1 þ ðBPOT
BP Þ

Units involving png2 – Operating Pressure Case 2: OT > BP

reaction Estimate using Fig. D1 If 0.2 > fv > 0,

Transportation png3 – Density of the released substance L = L1 + L2

units png3 ¼ 1:2  v apour density pnl1 ¼ 1:1 þ ðOTBP
OT Þ
air density
If fv > 0.2,

Other L = L1
hazardous png4 – Toxicity of the released chemical If fv > 0.2, then there is no any pool is formed. It is logical
units png4 = 1.0 + 0.6  NH that the amount of airborne should be less than or equal to
liquid release rate. Therefore, in a case of fv > 1.0, the value is
set up to one.
png5 – Characteristics of the proximity of plant
pnl2 – Operating pressure
Urban area with high density population = 1.55 Estimate using Fig. D2
Suburb area with moderate density population = 1.35
Rural area with low density population = 1.11 pnl3 – pnl7
Estimate similar to toxic gas release

png6 – External environmental factors

Refer Appendix A (As similar to EDR Estimation).

png7 – Vulnerability of area

Refer Appendix A (As similar to EDR Estimation).
0:5
qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi
Release factor G ¼ 7:5  103  A  P 0  ðMW
T0 Þ L1 ¼ 6:0  106  AqL fv 
1000P g
q þ 9:81hL
L

L2 ¼ 9:0  104  A0:95

P  ðMWVP
TP Þ

Hazard G  png1  png2  png3  png4  png5  png6  png7 Hazard potential due to the pure liquid pool evaporation:
potential L2  pnl1  pnl2  pnl3  pnl4  pnl5  pnl6  pnl7
Hazard potential due to the pure flashing
L1  pnl1  pnl3  pnl4  pnl5  pnl6  pnl7
Hazard potential due to both liquid pool evaporation and
flashing
(L1 + L2  pnl2)  pnl1  pnl3  pnl4  pnl5  pnl6  pnl7

See Figs. D1 and D2.

 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464 463

Appendix E. Derivations of equations used to estimate the rz ¼ 0:082x0:82 ðE7Þ

damage radii due to explosion, fire and toxic release
Downwind speed is considered as 2 m/s.
Eq. (E5) is simplified after substituting dispersion coefficients
E.1. Derivations of EDR (Eq. (4))
and downwind speed.
Equation for EDR was derived based on the multi-energy 
1
0:6
method. The correlations and equations are referenced by Assael x ¼ 5:86   Q 0:6
m ðE8Þ
CX
and Kakosimos (2010).
The relationship of explosion overpressure and distance from Damage radius x is the distance where the concentration reaches
the center of explosion which is considered as damage radius can the TLV, which is the threshold limit value of released gas. Qm is
be written using the equations: considered as hazard potential.
 1=3
E 0:6
r0 ¼ x ðE1Þ TGDR ¼ 5:86  C G  ðhazard potentialÞ
Pa 0:6
1
C G ¼ ðTLV Þ
In this equation, x represents the damage radius and E represents
the hazard potential. The equation can be rearranged as:
E.4. Derivation of TLDR (Eq. (11))
r0 1=3
EDR ¼ 1=3
ðhazard potentialÞ ðE2Þ
ðPa Þ The equation developed to estimate the airborne quantity for
where Pa is the ambient pressure (100 KPa) and r0 is the scaled dis- liquid release in AIChE technical manual (1994) is directly used
tance which can be estimated using Eq. (E3). and rearranged to develop the equation for TLDR.
0 0:5
Ps ¼ 10blog10 r c TLDR ¼ 6:51  C L  ðhazard potentialÞ
1 0:5
where Ps is the overpressure caused by the explosion, and maxi- C L ¼ ðTLV Þ
mum overpressure generated by deflagration is considered as
2 atm (200 kPa). The coefficients b and c are chosen considering
References
the maximum coefficient of the strength of the blast which is 10.
Finally values for r0 and Pa are assigned to Eq. (E2). Abbasi, T., Abbasi, S.A., 2007. Dust explosions – cases, causes, consequences, and
1=3 control. J. Hazard. Mater. 140 (1–2), 7–44.
EDR ¼ 0:9ðhazard potentialÞ AIChE Technical Manual, 1994. Dow’s Chemical Exposure Index Guide, first ed.
Published by the American Institute of Chemical Engineers, New York, USA.
Amyotte, P., 2013. An Introduction to Dust Explosions: Understanding the Myths
E.2. Derivations of FDR (Eq. (7)) and Realities of Dust Explosions for a Safer Workplace. Elsevier/Butterworth-
Heinemann, Waltham, MA.
Assael, M.J., Kakosimos, K.E., 2010. Fires, Explosions, and Toxic Gas Dispersions:
Using the point source model, the equation for heat flux gener- Effects Calculation and Risk Analysis. CRC Press, Taylor and Francis Group, FL,
ated from fire can be written using Eq. (E3) (Assael and Kakosimos, USA.
2010). Banimostafa, A., Papadokonstantakis, S., Hungerbühler, K., 2012. Evaluation of EHS
hazard and sustainability metrics during early process design stages using
1 principle component analysis. Process Saf. Environ. Prot. 90 (1), 8–26.
q0 ¼ gmk DHc ðE3Þ CCPS, 2007. Guidelines for Risk-based Process Safety. John Wiley & Sons Inc.,
4p X 2 Hoboken, New Jersey, USA.
CCPS, 2009. Inherently Safer Chemical Processes: A Life Cycle Approach, second ed.
Considering X as the damage radius and mkD Hc as hazard potential, John Wiley & Sons Inc., New Jersey, USA.
Eq. (E3) can be rearranged as: CCPS, 2010. Guidelines for Vapour Cloud Explosion, Pressure Vessel Burst, BLEVE,
1=2 and Flash Fire Hazards, second ed. John Wiley & Sons Inc., Hoboken, New Jersey,
1

1=2 USA.
FDR ¼ g ðhazard potentialÞ ðE4Þ Crowl, D., Louvar, J.F., 2002. Chemical Process Safety. Fundamentals with
4p q0
Applications, second ed. Prentice Hall Inc., NJ.
Delvosalle, C., Fievez, C., Pipart, A., Debray, B., 2006. ARAMIS project: a
where g is the combustion efficiency which is assumed as 100% for
comprehensive methodology for the identification of reference accident
simplicity, and the thermal radiation intensity limit, q0 is chosen as scenarios in process industries. J. Hazard. Mater. 130 (3), 200–219.
37.5 kW m2 considering the design for a worst-case scenario. After Eckhoff, R.K., 2003. Dust Explosions in the Process Industries, third ed. Gulf
substituting these values, the damage radius of fire (FDR) can be Professional Publications, USA.
Eckhoff, R.K., 2006. Differences and similarities of gas and dust explosions: a critical
expressed as: evaluation of the European ‘ATEX’ directives in relation to dusts. J. Loss Prev.
1=2 Process Ind. 19 (6), 553–560.
FDR ¼ 0:05  ðhazard potentialÞ Edwards, D.W., Lawrence, D., 1993. Assessing the inherent safety of chemical
process routes: is there a relation between plant costs and inherent safety?
Chem. Eng. Res. Des. 71, 252–258.
E.3. Derivation of TGDR (Eq. (8)) Gómez, G., 2013. Application of the Inherent Safety Strategies into the Biodiesel
Production. Thesis Submission for Masters in Engineering, Universidad de los
Andes, Colombia.
The Pasquill-Gifford plume model is used to derive the TGDR. Hassim, M.H., Hurme, M., 2010. Inherent occupational health assessment during
Considering the model characteristics of continuous release, preliminary design stage. J. Loss Prev. Process Ind. 23 (3), 476–482.
steady-state, and source at ground level in the direction of the Heikkilä, A.M., Hurme, M., Järveläinen, M., 1996. Safety considerations in process
synthesis. Comput. Chem. Eng. 20 (1), 115–120.
wind, the downwind concentration can be written as: Hendershot, D.C., 1997. Inherently safer chemical process design. J. Loss Prev.
Process Ind. 10 (3), 151–157.
Qm HSE, 2012. Failure Rate and Event Data for Use Within Risk Assessment. <http://
CX ¼ ðE5Þ
pry rz u www.hse.gov.uk/landuseplanning/failure-rates.pdf>.
Hurme, M., Rahman, M., 2005. Implementing inherent safety throughout process
Assuming stability class as ‘‘slightly stable’’, the dispersion coeffi- lifecycle. J. Loss Prev. Process Ind. 18 (4–6), 238–244.
cients can be written as: Khan, F.I., Amyotte, P.R., 2004. Integrated inherent safety index (I2SI): a tool for
inherent safety evaluation. Process Saf. Prog. 23 (2), 136–148.
ry ¼ 0:091x0:91 ðE6Þ Khan, F.I., Amyotte, P.R., 2005. I2SI: a comprehensive quantitative tool for inherent
safety and cost evaluation. J. Loss Prev. Process Ind. 18 (4–6), 310–326.
464 S. Rathnayaka et al. / Safety Science 70 (2014) 438–464
Khan, F.I., Husain, T., Abbasi, S.A., 2001. Safety weighted hazard index (SWeHI): a
new, user-friendly tool for swift yet comprehensive hazard identification and
safety evaluation in chemical process industries. Process Saf. Environ. Prot. 79
(2), 65–80.
Khan, F.I., Sadiq, R., Amyotte, P.R., 2003. Evaluation of available indices for
inherently safer design options. Process Saf. Prog. 22 (2), 83–97.
Kletz, T.A., 1978. What you don’t have can’t leak. Chem. Ind. 6, 287–292.
Kletz, T.A., 1984. Cheaper, Safer Plants, or Wealth and Safety at Work. IChemE,
Rugby.
Kletz, T.A., 1991. Plant Design for Safety: A User-friendly Approach. Hemisphere
Publishing Corporation, New York, USA.
Kletz, T., Amyotte, P., 2010. Process Plant: A Handbook for Inherently Safer Design,
second ed. CRC Press, Taylor & Francis group, FL, USA.
Leong, C.T., Shariff, A.M., 2009. Inherent safety index module (ISIM) to assess
inherent safety level during preliminary design stage. Process Saf. Environ. Prot.
86 (2), 113–119.
Mannan, S., 2005. Lee’s Loss Prevention in the Process Industries, vol. 3. Elsevier Inc.
OREDA, 2002. SINTEF Industrial Management: Det Norske Veritas.
Ouattara, A., Pibouleau, L., Azzaro-Pantel, C., Domenech, S., Baudet, P., Yao, B., 2012.
Economic and environmental strategies for process design. Comput. Chem. Eng.
36 (10), 174–188.
Palaniappan, C., Srinivasan, R., Tan, R., 2002a. Expert system for the design of
inherently safer processes. 1. Route selection stage. Ind. Eng. Chem. Res. 41 (26),
6698–6710.
Palaniappan, C., Srinivasan, R., Tan, R., 2002b. Expert system for the design of
inherently safer processes. 2. Flowsheet development stage. Ind. Eng. Chem.
Res. 41 (26), 6711–6722.
Paltrinieri, N., Tugnoli, A., Buston, J., Wardman, M., Cozzani, V., 2013. Dynamic
procedure for atypical scenarios identification (DyPASI): a new systematic
HAZID tool. J. Loss Prev. Process Ind. 26 (4), 683–695.
Rahman, M., Heikkilä, A.M., Hurme, M., 2005. Comparison of inherent safety indices
in process concept evaluation. J. Loss Prev. Process Ind. 18 (4–6), 327–334.
Rathnayaka, S., Khan, F., Amyotte, P., 2011a. SHIPP methodology: predictive
accident modeling approach. Part I: Methodology and model description.
Proc. Safety Environ. Protect. 89 (3), 151–164.
Rathnayaka, S., Khan, F., Amyotte, P., 2011b. SHIPP methodology: predictive
accident modeling approach. Part II: Validation with case study. Process Saf.
Environ. Prot. 89 (2), 75–88.
Roberts, A.F., 1982. The effect of conditions prior to loss of containment on fireball
behaviour. IChemE Symp. Series 71, 397–429.
Rusli, R., Shariff, A.M., Khan, F.I., 2013. Evaluating hazard conflicts using inherently
safer design concept. Saf. Sci. 53, 61–72.
Shariff, A.M., Leong, C.T., 2009. Inherent risk assessment – a new concept to
evaluate risk in preliminary design stage. Process Saf. Environ. Prot. 87 (6), 371–
376.
Shariff, A.M., Zaini, D., 2013. Inherent risk assessment methodology in preliminary
design stage: a case study for toxic release. J. Loss Prev. Process Ind. 26 (4), 605–
613.
Srinivasan, R., Natarajan, S., 2012. Developments in inherent safety: a review of the
progress during 2001–2011 and opportunities ahead. Process Saf. Environ. Prot.
90 (5), 389–403.
Srinivasan, R., Nhan, N.T., 2008. A statistical approach for evaluating inherent
benign-ness of chemical process routes in early design stages. Process Saf.
Environ. Prot. 86 (3), 163–174.
Tugnoli, A., Khan, F., Amyotte, P., 2008. Inherent safety implementation throughout
the process design lifecycle. In: International Conference on Probabilistic Safety
Assessment and Management (PSAM), 18–23 May, Hong Kong, China.
Tugnoli, A., Landucci, G., Salzano, E., Cozzani, V., 2012. Supporting the selection of
process and plant design options by inherent safety KPIs. J. Loss Prev. Process
Ind. 25 (5), 830–842.