Graeme Ellis outlines the benefits of inherent safety in design, its practical applications and how it can reduce occurrences of adverse findings in design safety cases for the offshore oil and gas sector


Author: Graeme Ellis FIChemE, global process safety leader, ABB Consulting

Major accidents causing massive damage to plant and property, loss of life and long-term damage to the environment are occurring all too frequently in the oil and gas sector. Investigations reveal a familiar story of failure to effectively control the risks associated with processing large quantities of flammable hydrocarbons. Preventing losses leading to fires and explosions requires a defence in depth using multiple ‘layers of protection’, but experience shows that lack of management controls can lead to a situation where all layers are compromised.

Incident investigations focus on the combination of equipment and human failures that lead to these accidents and the means by which failures can be prevented using better equipment, improved engineering standards or by optimising human factors.

Inherent safety for the process industry is not a new topic. The principles were developed in the 1970s by Trevor Kletz, who coined the phrase, ‘What you don’t have, can’t leak’ and more recently extolled the oil and gas sector in publications by the UK Health and Safety Executive (HSE) and Energy Institute.

The problem appears to be that inherent safety has not established itself as a design-stage tool during PHA studies, unlike recognised methods such as HAZID and HAZOP. This has resulted in a lack of awareness amongst design teams and a tendency towards ‘add-on’ safety features to control risks, causing plants to be more expensive to build and operate.

Inherent safety in oil and gas

Inherent safety, in its purest form, involves complete elimination of a hazard by using a different substance or by making the consequences of a release insignificant by minimising quantities or moderating the processing conditions. The oil and gas sector handles hydrocarbons in large quantities and at high pressure, and this raises doubts about the applicability of inherent safety.

However, the principles of segregation to prevent harm to people, and simplification to make error less likely are perfectly applicable to oil and gas processes. Whilst the greatest benefits from inherent safety are at the feasibility stage, the opportunity to apply the principles continues through the design process.

After the US Texas City refinery explosion in 2005, investigations focused on human factors during the plant start-up and the lack of an automatic shutdown of the process. The principle of segregation would, however, have prevented loss of life in this incident by connecting the relief system to the flare header to avoid loss of hydrocarbons in the plant area, and avoiding the positioning of temporary trailers in close proximity to the plant.

At the UK Buncefield fuel-storage depot explosion in 2005, a tank was overfilled due to failure of the tank level transmitter, and the independent high-level switch being left in a failed position following maintenance. The principle of simplification would have resulted in a change to the level switch design, preventing it moving to an unsafe position and thereby avoiding the need for a padlock to keep the device in an active state.

A recent report by the CSB on the US Richmond refinery fire in 2012 highlights a failure to apply inherent safety principles, leading to rupture of a line due to sulphidation corrosion. This failure mechanism was well known to the operating company, and the corrosion hazard could have been eliminated by the use of a higher specification pipe material. The report comments that whilst the company has shown some good examples of inherent safety, “the CSB has not identified any documented thorough analysis of the proposed inherently safer solutions”.

Drivers for change

Project management should challenge their design teams to identify opportunities to improve the inherent safety of the process, as this can avoid the need for ‘add-on’ safeguards that are expensive to install and maintain throughout the facility lifecycle. They should be mindful of the natural tendency for designers to reduce risks by additional active and procedural safeguards, rather than taking a more holistic view.

For example, increasing the wall thickness of a pressure vessel to contain the maximum foreseeable pressure may marginally increase the cost of the vessel, but is likely to significantly reduce the overall installation costs including a high-pressure trip and pressure-relief system plus ongoing cost savings by avoiding the need to inspect and maintain these safety systems. There should be recognition of the limitations of design contractors who usually do not focus on operational costs and therefore are unlikely to look for cheaper design options over the lifecycle.

International engineering standards and codes of practice do not explicitly promote an inherent safety approach, as they are focused towards the design and operation of fit-for-purpose safeguards. The requirement to apply inherent safety as part of a hierarchy of hazard management approaches can, however, be found explicitly in international legislation.

The European Major Accidents Hazard Bureau guidance on ‘Seveso’ Safety Reports and definition of ‘all measures necessary’, states: “Inherent safety should be considered first, when feasible (i.e. hazards should always be removed or reduced at source”. The UK HSE states in guidance for Offshore Safety Cases, “The safety case should explain how inherently safer design concepts have been applied in the design decisions taken.” There is limited evidence that the regulators are currently driving improvements based on these requirements, but this could change if the industry continues to have a poor process safety record.

Avoiding hazards by design

PHA covers a range of techniques applied through the project design to identify hazards, eliminate or minimise these hazards where possible, or otherwise apply suitable ‘layers of protection’ to reduce residual risks to a tolerable level. On typical ‘greenfield’ projects or major ‘brownfield’ modifications, PHA typically includes a HAZID study during the concept stage, followed by a HAZOP study during the execute stage.

The HAZID study is carried out on the draft process flow diagrams and identifies major accidents, and encourages some consideration of inherent safety to design out the hazard or minimise the inventories of hazardous substances. The HAZOP study is carried out on the more detailed piping and instrumentation diagrams, and identifies significant deviations from the design intent that could lead to safety or operability issues. Whilst HAZOP studies provide limited potential for inherent safety improvements, simplification of the design may be possible, for example using a key interlock system on a Pig Launcher to ensure that the manual valves are operated in the correct sequence.

The major benefits from inherent safety derive from options identified early in the design, and it is therefore recommended that a specific inherent safety study is carried out during the feasibility stage. The methodology is similar to the subsequent HAZID study, but based on a draft process block diagram to identify process hazards. The team apply the principle of elimination, substitution, minimisation or moderation to each hazard in order to identify options to prevent the hazard or reduce the severity. The team focuses on inherent safety improvements, with ‘add-on’ safeguards intentionally delayed until the HAZID study to encourage creative thinking.

Whilst all options must be assessed, implementation will in practice be subject to project constraints on cost, schedule and available technology. Experience of inherent safety studies shows considerable benefits from the focus on inherent safety leading to a safer basic design concept. A further benefit is improved awareness of the design team, who will continue to search for inherent safety options during the later design stages.


The oil and gas sector needs to improve process safety performance to avoid damaging accidents. Whilst efforts to manage safety critical elements on existing facilities is important, a challenge should be raised by project management to ‘design out’ process-safety hazards wherever possible. There is a lack of awareness and some misunderstanding of inherent safety principles in design teams in the oil and gas sector.

Whilst there are good examples of improvements to eliminate or reduce hazards, there is a lack of systematic analysis to ensure that all opportunities to reduce hazards at source have been identified and assessed. If companies implement a formal inherent safety study during the feasibility stage for projects and major modifications, they will reap the benefits from a safer process design with less capacity to cause damage, whilst at the same time reducing capital costs and ongoing operating costs. O'RiordanChemgas,oil,process engineering
  Author: Graeme Ellis FIChemE, global process safety leader, ABB Consulting Major accidents causing massive damage to plant and property, loss of life and long-term damage to the environment are occurring all too frequently in the oil and gas sector. Investigations reveal a familiar story of failure to effectively control the...