Chapter 1. Introduction

Safety is a common denominator across all aspects of life; hence knowledge should always be shared. It is not a matter for industry—it is a matter for humanity.

—Doug Bourne

We believe that the traits required to achieve excellence in safety are the same as those required to achieve outstanding results in all other aspects of our business.

—Ralph Herbert, Vice President of Engineering, ExxonMobil

The learning objectives for this chapter are:

  1. Understand the common definitions used for process safety.

  2. Explore myths about process safety.

  3. Identify components of a safety culture.

  4. Discuss individual risk, societal risk, and risk populations.

  5. Distinguish between voluntary risk and involuntary risk.

  6. Describe safety metrics.

  7. Summarize accident and loss statistics.

  8. Create a risk tolerance/acceptance and risk matrix.

  9. Discuss codes, standards, and regulations related to process safety.

  10. Explore safeguards related to chemical process safety.

  11. Explain risk-based process safety (RBPS).

  12. Describe inherently safer design.

  13. Describe the Bhopal, India, tragedy.

The Aluminum Company of America—otherwise known as Alcoa—was founded in 1888 by Charles Martin, who discovered an affordable way to produce aluminum via electrolysis. The company is headquartered in Pittsburgh, Pennsylvania. In 1889, Alcoa developed the first aluminum tea kettle; in 1910, it introduced aluminum foil. Today, Alcoa is the largest supplier of aluminum in the world.

In 1987, however, Alcoa was faltering. Its revenues and profits had fallen, several product lines had failed, and the company had large inventories of unsold product. Many investors considered Alcoa to be a “Rust Belt” company, associating it with the failing steel companies located in Pittsburgh and elsewhere in the United States. In addition, both the employees and unions were unhappy with the company.

As is the case with most companies facing this kind of situation, Alcoa’s board of directors decided to hire a new chief executive officer (CEO). They tapped Paul O’Neill, formerly of International Paper, to lead the company.

In October 1987, O’Neill held his first press conference in a swanky hotel in Manhattan, attended by members of the media, investors, and investment managers. All attendees expected O’Neill to announce a new financial management strategy for the company. Instead, O’Neill came to the podium and said, “I want to talk to you about worker safety. I intend to make Alcoa the safest company in America. I intend to go to zero injuries.” At this time, Alcoa already had an industry-leading safety program.

One investment manager ran out of the press conference declaring, “The board put a crazy hippie in charge and he’s going to kill the company! I called my clients and told them to sell their stock!”

But six months later, a tragedy occurred. A young employee in an Arizona plant jumped over a yellow safety wall to repair a piece of equipment and was crushed when the equipment was unexpectedly activated. O’Neill immediately called an emergency meeting of the plant’s executives. He stated bluntly: “We killed this man. It’s my failure of leadership. I caused his death. And it’s the failure of all of you in the chain of command.”

O’Neill sent a note to all workers telling them to call him at home if managers didn’t follow up on safety suggestions. He received lots of calls about safety, but he also heard a lot of suggestions for other improvements—many of which would substantially reduce costs.

What were the results of O’Neill’s safety leadership? In 1986, Alcoa recorded $264 million in net income on sales of $4.6 billion. When O’Neill retired at the end of 2000, Alcoa boasted record profits of $1.5 billion on sales of $22.9 billion. Alcoa’s lost work days rate per 100 employees dropped from 1.86 to 0.2 by the end of O’Neill’s tenure. In March 2016, that rate was a mere 0.055.

When asked later about the secret to his success, O’Neill stated, “I knew I had to transform Alcoa. But you can’t order people to change. So I decided I was going to start by focusing on one thing. If I could start disrupting the habits around one thing, it would spread throughout the entire company.” O’Neill’s important realization was that safety performance and economic performance were, in his words, “glued together”—with outstanding safety performance resulting in outstanding economic performance. When O’Neill started at Alcoa, he wasn’t sure if this approach would work perfectly, but it did.

Safety, in general, is defined as “a strategy for accident prevention.” Process safety is safety applied to processes, including chemical processes. Table 1-1 provides a more complete definition of process safety, along with several important definitions provided by the American Institute of Chemical Engineers (AICHE) Center for Chemical Process Safety (CCPS). Another common term used in the safety realm is loss prevention, which is defined as the prevention of incidents that cause losses due to death, injury, damage to the environment, or even loss of production or inventory.

Table 1-1 AICHE Center for Chemical Process Safety Definitions Related to Process Safety

| Term | Definition | Example |
| --- | --- | --- |
| Accident | An unplanned event or sequence of events that results in an undesirable consequence. The scope of the accident description is arbitrary. | A leak in a pressurized vessel containing 500 kg of ammonia. |
| Conditional modifier | A fractional probability that a particular event occurs. | The probability of a flammable release being ignited is 0.10. |
| Consequence | A measure of the expected effects of a specific incident outcome case. | A 10 kg/s ammonia leak results in a toxic cloud downwind. |
| Enabling condition | A fractional probability that a particular circumstance exists. It accounts for the time-at-risk. | The probability of the ambient temperature being low enough to cause a water line to freeze is 0.10. |
| Hazard | An inherent chemical or physical characteristic that has the potential for causing damage to people, the environment, or property. | A pressurized tank containing 500 kg of ammonia. |
| Hazard evaluation/analysis | Determination of the mechanisms causing a potential incident and evaluation of the incident outcomes or consequences. | A Hazard and Operability (HAZOP) study was completed on the distillation column. |
| Hazard identification | Identification of material, process, and plant characteristics that can produce undesirable consequences through the occurrence of an incident. | The chemicals in the process are toxic and flammable hazards. |
| Impact | A measure of the ultimate loss and harm of an incident. | A 10 kg/s ammonia leak produces a downwind toxic vapor cloud resulting in local evacuations, an emergency response, plant downtime, and loss of community support. |
| Incident | The basic description of an event or series of events, resulting in one or more undesirable consequences, such as harm to people, damage to the environment, or asset/business losses. In general, it is caused by loss of containment or control of material or energy. For chemical plants, this includes fires/explosions and releases of toxic or harmful substances. Not all events propagate to an incident. | A plant incident involves a leak of 10 kg/s of ammonia producing a toxic vapor cloud. |
| Incident outcome | The description of the physical manifestation of the incident. This could include toxic release, fire, explosion, and so on. | A leak in an ammonia pipeline results in a toxic release. |
| Incident outcome case | An incident with more than one outcome. | A chemical release results in both a toxic release and an environmental impact. |
| Individual risk | The risk to a person in the vicinity of a hazard. This includes the nature of the injury to the individual, the likelihood of the injury occurring, and the time period over which the injury might occur. | The likelihood of operator burns due to a butane leak is estimated at once in 5 years. |
| Likelihood | A measure of the expected probability or frequency of occurrence of an event. For chemical plants, the frequency is most commonly used. | The frequency of an operator error for the process is estimated at once per month. |
| Process safety | A disciplined framework for managing the integrity of operating systems and processes handling hazardous substances by applying good design principles, engineering, and operating practices. It deals with the prevention and control of incidents that have the potential to release hazardous materials or energy. Such incidents can cause toxic effects, fires, or explosions, and could ultimately result in serious injuries, property damage, lost production, and environmental impact. | After the incident, the company made a considerable effort to improve corporate process safety. |
| Risk | A measure of human injury, environmental damage, or economic loss in terms of both the incident likelihood and the magnitude of the loss or injury. | The major risk in the process was a chemical spill into the adjacent river with environmental damage. |
| Risk analysis | Quantitatively combining risk estimates from a variety of scenarios using engineering evaluation and mathematical techniques to arrive at an overall risk estimate. | A detailed fault tree and event tree analysis of the process resulted in an overall risk estimate. |
| Risk assessment | Applying the results of a risk analysis to make decisions. | The plant added additional fire protection after completion of the risk analysis. |
| Risk tolerance | The maximum willingness of a company, and society as a whole, to live with a risk to secure the resulting benefits. | The plant decided after completion of the risk analysis that the risk is below their acceptable risk criteria. |
| Safeguard | Design features, equipment, procedures, and other resources in place to decrease the probability of an initiating cause or mitigate the severity of a loss impact. | An additional interlock was added to prevent overflow of the storage vessel. |
| Safety culture | The common set of values, behaviors, and norms at all levels in a facility or in the wider organization that affect process safety. | After the incident, the company decided to improve the corporate safety culture. |
| Scenario | A detailed description of an unplanned event or incident sequence that results in a loss event and its associated impacts. The scope of a scenario is arbitrary. | A forklift impacts an ammonia pipeline, resulting in an ammonia leak that forms a vapor cloud downwind. |
| Societal risk | A measure of risk to a group of people. It is most often expressed in terms of the frequency distribution of multiple casualty events. | The societal risk to the plant’s adjacent community is deemed unacceptable. |

Source: Adapted from AICHE/CCPS online glossary. https://www.aiche.org/ccps/resources/glossary. Accessed July 2018; and AICHE/CCPS, Guidelines for Chemical Process Quantitative Risk Analysis, 2nd ed. (New York, NY: American Institute of Chemical Engineers, 2000).

A hazard, in general, is anything that can cause an accident. Table 1-1 provides a more precise definition for a hazard that is more suitable for process safety usage. Hazards can arise due to materials, energy, physical situations, equipment design, and even procedures. In addition, hazards may be continuously present or intermittent. For instance, electricity in a room represents a continuous hazard to the room occupants. An electrical cord run across the floor of a lecture hall is also a physical tripping hazard that may not be present all the time. Note that something needs to occur for the hazard to result in an accident.

An accident is, in general, an undesirable consequence that occurs with an activity. A process safety incident has a more specific definition, being limited to an accident that occurs in a process or, more specifically, in a chemical plant. It includes undesirable outcomes, such as harm to people, damage to the environment, or asset/business losses. In general, a chemical plant incident is caused by loss of containment of chemicals or control of material or energy. An example of an incident would be a leak of ammonia from the connecting pipeline to a pressurized ammonia tank.

Typical hazards that occur in chemical plants include chemicals that are toxic, flammable, or reactive; high and low pressures and temperatures; and hazards due to the process design, maintenance, operations, control, and many other factors. An example of a hazard would be a pressurized tank containing 1000 kg of ammonia.

Hazard analysis/evaluation includes the identification of the hazard as well as the determination of how that hazard could result in a consequence. An example of a hazard analysis would be the identification of ammonia in a pressurized tank as a hazard and the identification of a leak in the connecting pipe due to corrosion as a possible incident. Estimation of the downwind airborne concentrations of ammonia would provide information on the consequences of such an incident.

The more information and knowledge one has about a process, the more thorough and valuable the hazard analysis/evaluation will be. Key process information required for chemical plant hazard analysis/evaluation includes the following items:

  1. Chemical-related properties, including hazardous properties, physical properties, and more

  2. Process conditions, including temperature and pressure, flow rates, concentrations, and other factors

  3. Equipment design parameters, including equipment capacity, operating limits for temperature and pressure, materials of construction, and pipe wall thicknesses, among others

  4. Site and plant layout, including equipment spacing, control room location, and other considerations

  5. Procedures and policies, including startup, operating, shutdown, maintenance procedures, and others

  6. Location and nature of adjacent communities and sensitive locations, such as schools

Other information might also be important depending on the particular process. The quality of any hazard analysis/evaluation is directly related to the quality of the information available to the analysis team.

Risk is another important definition in the process safety arena. Risk is a function of both likelihood and consequence, where likelihood considers either probability or frequency. It is essential to include both likelihood and consequence in the assessment of risk. As an example, consider the risk assessment for seat belt usage in automobiles. Many people argue against seat belt usage by noting that the likelihood of an accident is small—many people drive their entire lifetime without ever having an accident. However, seat belts are worn entirely to reduce the consequences of an accident and have no effect on the likelihood.

Risk analysis involves a more detailed mathematical analysis to combine the consequences and likelihood from multiple hazards. By comparison, risk assessment involves the evaluation of the risk analysis so as to make decisions—for example, decisions about which chemicals to use, the design of the plant, materials of construction, operating conditions, and so on.

1-1 Engineering Ethics

The AICHE expects all of its members, including student members, to exhibit professional conduct, as defined in its Code of Ethics for Engineers from the National Society of Professional Engineers. Every AICHE applicant must attest to knowledge of the Code of Ethics and willingness to comply with it when signing his or her membership application. As shown in Table 1-2, the first item in the Code of Ethics states that the “safety, health, and welfare of the public” must be held “paramount in the performance of their professional duties.” Item 2 is also related to process safety—chemical engineers have a responsibility to report activities that will “adversely affect the present and future health or safety of their colleagues and the public.” Engineers have a responsibility to themselves, fellow workers, family, community, and the engineering profession.

Table 1-2 American Institute of Chemical Engineers’ Code of Professional Ethics

Members of the American Institute of Chemical Engineers shall uphold and advance the integrity, honor, and dignity of the engineering profession by: being honest and impartial and serving with fidelity their employers, their clients, and the public; striving to increase the competence and prestige of the engineering profession; and using their knowledge and skill for the enhancement of human welfare. To achieve these goals, members shall:

  1. Hold paramount the safety, health, and welfare of the public and protect the environment in performance of their professional duties.

  2. Formally advise their employers or clients (and consider further disclosure, if warranted) if they perceive that a consequence of their duties will adversely affect the present or future health or safety of their colleagues or the public.

  3. Accept responsibility for their actions, seek and heed critical review of their work, and offer objective criticism of the work of others.

  4. Issue statements or present information only in an objective and truthful manner.

  5. Act in professional matters for each employer or client as faithful agents or trustees, avoiding conflicts of interest and never breaching confidentiality.

  6. Treat all colleagues and coworkers fairly and respectfully, recognizing their unique contributions and capabilities by fostering an environment of equity, diversity, and inclusion.

  7. Perform professional services only in areas of their competence.

  8. Build their professional reputations on the merits of their services.

  9. Continue their professional development throughout their careers, and provide opportunities for the professional development of those under their supervision.

  10. Never tolerate harassment.

  11. Conduct themselves in a fair, honorable, and respectful manner.

Approved by the AICHE Board in November 2015.

1-2 Myths about Process Safety

A number of myths about process safety have emerged over the years. It is important to understand why these myths are false, as they can lead to disregard for key tenets of process safety.

Myth 1: Process safety costs a lot of money and has a negative impact on the company’s bottom line.

The story of Alcoa presented earlier in this chapter readily dispels Myth 1. Although safety programs do cost money and there may be startup costs, the reduction in costly accidents and the improvements in all business aspects result in even greater cost savings and a net improvement in profits.

Myth 2: Process safety is the same as personal or even laboratory safety.

Figure 1-1 falsifies Myth 2 by illustrating the difference between personal and process safety. Personal safety—which includes laboratory safety—applies to accidents involving individuals, such as slips and falls, cuts, and other injuries. These events tend to have a higher frequency but lower consequences. In contrast, process safety applies to events with a lower frequency but higher consequences. The process safety and personal/lab safety domains are likely to overlap to some extent, as shown in Figure 1-1.

Figure 1-1 Personal safety versus process safety. Personal safety consists of more frequent, but lower consequence incidents. (Source: Dow Chemical Faculty Workshop, June 2017, AICHE.)

Myth 3: Process safety is no more than following rules and regulations.

Myth 3 is falsified by Table 1-3, which shows the hierarchy of safety programs. The hierarchy ranges from level 0 (lowest level) to level 5 (highest level). The safety program must work its way through the levels from the bottom to the top: No levels can be skipped. Thus, level 5 includes all of the levels below it:

Level 0 consists of no safety program and maybe even disdain for safety. Such a program is destined to have continuous accidents, maybe even accidents that are repeated. No improvement is ever achieved.

Level 1 is a safety program that reacts to accidents as they occur. Accidents do result in changes, but only on a reactive basis, rather than the organization taking a proactive stance. Accidents continue to occur, although specific accidents are not likely to be repeated.

Level 2 is a safety program that consists of complying with rules and regulations. Rules and regulations can never be complete, however, and can never handle all situations. Regulations have legal authority and generally set a minimum standard for industrial operations.

Level 3 introduces management systems to assess hazards and provide procedures to manage hazards. A variety of management systems can be used to achieve this level, including job safety assessment (JSA), lock-out/tag-out (LOTO), management of change (MOC), and other means to control hazards during operations. Written management systems provide documentation to train operators and others and to ensure consistency in operating practices.

Table 1-3 Hierarchy of Safety Programs

  • 5 (highest): Adapting: Safety is a core value of the organization and a primary driver for a successful enterprise.

  • 4: Performance: Monitoring using statistics to drive continuous improvement.

  • 3: Management systems: Based on job safety assessment (JSA), lock-out/tag-out (LOTO), or another approach.

  • 2: Complying: Focuses on adhering to rules and regulations.

  • 1: Reacting: To accidents as they occur.

  • 0 (lowest): No safety—maybe even disdain for safety.

Note: The hierarchy must be worked from bottom to top without skipping any levels.

Level 4 uses monitoring to obtain statistics on how well the safety program is performing. The performance monitoring identifies problems and corrects them. For instance, performance monitoring might indicate a large number of ladder incidents, which might be resolved by additional training in ladder safety.

Level 5 is the highest level, at which the safety program is dynamic and adapting. Safety is a core value for everything that is done and the primary driving force for a successful enterprise.

The hierarchy of safety programs shown in Table 1-3 addresses Myth 3, since rules and regulations are only at level 2. Note that the safety program developed at Alcoa was at level 5—the level that most chemical companies must achieve to have an effective safety program.

Myth 4: Process safety is a soft science—no more than hard hats or safety shoes—not engineering science.

Myth 4 is easily falsified by examining the contents of this text—notice the large number of equations. Process safety is based on engineering science and is just as fundamentally rigorous as any other academic courses in chemical engineering, relying heavily on other core concepts such as mass and energy balances, thermodynamics, fluid flow, and reaction engineering, among others.

Myth 5: Process safety applies only to the petrochemical industry.

Myth 5 is falsified by realizing that all companies require process safety, including warehouses, foundries, food processing, power plants, and so forth. For example, a leading ice cream manufacturer has a process safety vice president due to the large quantities of ammonia used in refrigeration.

Myth 6: Industry should train graduates in process safety; this topic should not be a part of the undergraduate engineering curriculum.

Myth 6, which deals with the training of professionals in safety, was debunked long ago. As early as 1918, L. DeBlois, Dupont Safety Manager, stated:

[S]afety engineering, with its interests in design, equipment, organization, supervision, and education … bears as well a very definite and important relation to all other branches of engineering. This relation is so close, and its need so urgent, that I am convinced that some instruction in the fundamentals of safety engineering should be given a place in the training of every young engineer. He should be taught to think in terms of safety as he now thinks in terms of efficiency. Conservation of life should surely not be rated below the conservation of energy. Yet, few of our technical schools and universities offer instruction in this subject, and the graduates go out to their profession with only vague surmises on “what all this talk on safety is about.”

Companies that hire chemical engineering graduates believe that including process safety in the undergraduate curriculum has enormous added value, particularly in helping companies achieve level 5 in the safety hierarchy (see Table 1-3). If a graduate is hired by a smaller company, it is possible that the undergraduate curriculum is the only place where the individual will receive instruction in process safety topics. All chemical engineering undergraduates need process safety knowledge, whether they work for major chemical companies, refineries, small chemical companies, government labs and institutes, warehouses, ice cream companies, or even academia.

Myth 7: Process safety does not include product safety.

Myth 7 is falsified by realizing that all companies are responsible for their products, no matter who purchases the product and how it is used. All companies, including chemical companies, must ensure that their products are shipped safely and are used safely by whoever purchases the product.

1-3 Safety Culture

A safety culture is an essential part of any safety program, including process safety, laboratory safety, personal safety, or any safety program. Table 1-1 provides the CCPS’s definition of process safety culture. Almost all accidents, whether large or small, can be attributed to a failure of safety culture, since the safety culture is such an essential and overarching part of any safety program.

Klein and Vaughen¹ provide a very extensive discussion of safety culture. They define safety culture as “the normal way things are done at a facility, company, or organization, reflecting expected organizational values, beliefs, and behaviors, that set the priority, commitment and resource levels for safety programs and performance.” The same authors also provide a list of essential features for safety culture, as derived from the CCPS sources; these features are shown in Table 1-4.

¹ James A. Klein and Bruce K. Vaughen. Process Safety: Key Concepts and Practical Approaches. Boca Raton, FL: CRC Press, Taylor & Francis Group, 2017.

Mannan et al.² found the following important elements of a best-in-class safety program: leadership; culture and values; goals, policies, and initiative; organization and structure; employee engagement and behaviors; resource allocation and performance management; systems, standards, and processes; metrics and reporting; continuous learning; and verification and auditing. These elements are similar to those provided in Table 1-4.

² M. S. Mannan, R. A. Mentzer, and J. Zhang. “Framework for Creating a Best-in-Class Safety Culture,” Journal of Loss Prevention in the Process Industries, 26, no. 6 (2013): 1423–1432.

Table 1-4 Essential Features of Safety Culture

  • Establish process safety as a core value.

    Core values are deeply held beliefs that are beyond compromise.

    Establish process safety as a core value in vision and mission statements, by clear and constant communication.

    Implement cultural activities that reinforce desired beliefs and behaviors, such as beginning all meetings with a safety moment.

  • Provide strong leadership.

    Strong process safety leadership must be based on:

        Understanding and valuing process safety.

        Sharing personal commitment with others by displaying desired behaviors.

        Providing resources.

        Involving and supporting safety personnel.

        Consistently considering risk management in day-to-day decision making.

  • Establish and enforce high standards of performance.

    Provide clear and consistent expectations, including in annual individual performance reviews.

    Follow safety systems and operating procedures without tolerating intentional shortcuts or other violations of requirements.

  • Document the process safety culture emphasis and approach.

    Document safety culture core values, expectations, responsibilities, and accountabilities, including mechanisms for periodically evaluating and sustaining a strong culture.

  • Maintain a sense of vulnerability.

    Provide systems and training to:

        Develop awareness and respect for process hazards and potential process incidents to prevent complacency.

        Ensure appropriate sensitivity to operations, including recognition of possible warning signs.

        Ensure effective incident investigations.

        Provide records of historical incidents.

  • Empower individuals to successfully fulfill their responsibilities.

    Ensure personnel are trained in all aspects of their roles.

    Provide personnel with appropriate resources so they can complete their work correctly and safely.

    Empower personnel to stop the work if they are concerned about safety.

  • Defer to expertise.

    Create leadership positions where knowledgeable safety personnel have access to and credible input for decision-making processes.

    Involve other safety professionals as appropriate.

  • Ensure open and effective communications.

    Communicate consistently and clearly on process safety goals, activities, and accomplishments.

    Provide systems for reporting of safety-related issues requiring timely response.

  • Establish a questioning/learning environment.

    Provide risk management systems to:

        Identify process hazards and prevent process incidents.

        Include mechanisms for learning from experience.

        Ensure input from all personnel.

        Maintain critical knowledge.

  • Foster mutual trust.

    Create an environment based on consistent management principles where personnel are comfortable:

        Participating in activities.

        Communicating with leadership and with each other honestly.

        Reporting mistakes.

        Making decisions without fear.

  • Provide timely response to process safety issues and concerns.

    Provide systems for:

        Reporting process safety concerns.

        Following up and completing action items in a timely manner.

        Communicating action resolutions to demonstrate consistent application of process safety principles to avoid credibility problems.

  • Provide continuous monitoring of performance.

    Develop key performance indicators for process safety and safety culture.

    Periodically review and evaluate performance indicators to identify continuous improvement opportunities.

    Share results with affected personnel.

Sources: AICHE Center for Chemical Process Safety. Guidelines for Risk Based Process Safety (New York, NY: Wiley/AICHE, 2007); W. L. Frank. “Process Safety Culture in the CCPS Risk Based Process Safety Model.” Process Safety Progress, 26 (2007): 203–208; James A. Klein and Bruce K. Vaughen. Process Safety: Key Concepts and Practical Approaches (Boca Raton, FL: CRC Press, Taylor & Francis Group, 2017).

In November 2010, Rex Tillerson, Chairman and CEO of ExxonMobil, testified before the National Commission on the disastrous BP Deepwater oil spill. He stated:

A commitment to safety therefore should not be a priority but a value—a value that shapes decision making all the time, at every level. Every company desires safe operations—but the challenge is to translate this desire into action. The answer is not found only in written rules, standards, and procedures. While these are important and necessary, they alone are not enough. The answer is ultimately found in a company’s culture—the unwritten standards and norms that shape mindsets, attitudes, and behaviors. Companies must develop a culture in which the value of safety is embedded in every level of the workforce, reinforced at every turn, and upheld above all other considerations. … [A] culture of safety has to be born within the organization. You cannot buy culture. You have to make it yourself. … [M]ake no mistake: Creating a strong sustainable culture is a long process.

1-4 Individual Risk, Societal Risk, and Risk Populations

Risk can be addressed from many different angles. With individual risk, one person is exposed to one or more hazards, as shown in Figure 1-2. Individual risk calculations are normally performed when considering a plant employee exposed to plant hazards. In contrast, with societal risk, a group of people is exposed to one or more hazards. Societal risk calculations are normally performed when considering the risks to a community surrounding a chemical plant and exposed to multiple plant hazards. Methods to calculate and display individual and societal risk are discussed in depth in Chapter 12, “Risk Assessment.”

Figure 1-2 Individual versus societal risk.

For every accident, there are potentially many people and different populations at risk—the so-called risk populations. For an incident in a chemical plant, for example, risk populations would include the workers in the plant, workers in adjacent plants, and the people living nearby in the surrounding community since they may be seriously affected by a plant incident. The plant and community will likely also suffer physical damage, leading to a financial impact. The company’s stockholders are also at risk since the company’s reputation will be negatively impacted and its stock value will decline. In addition, the insurance companies for the plant and the community will suffer losses and are another risk population. The entire chemical industry, in general, will be at risk as well, since its reputation will be diminished. Other risk populations are also possible.

The primary risk population can be defined as those who suffer immediate injury or death.

1-5 Voluntary and Involuntary Risk

Chemical plant employees are aware of and trained to handle the risks that are found in their work environment—this is a legal requirement in the United States and most countries worldwide. In contrast, people in the surrounding community may not be fully aware of these risks or may not understand the risks and the associated probabilities and consequences. This difference in understanding can arise because the plant may not have properly communicated these risks to the community, new risks may have been introduced in the plant over time, or people may have moved into the community without any understanding of the risk.

People are more willing to accept risks if these are carefully explained to them—including the probabilities and potential consequences. Certainly, most car drivers understand the risks of driving a car. However, people become outraged when an industrial accident occurs that involves risks of which they were not fully aware or risks with higher actual likelihoods and/or consequences than perceived.

As an example, suppose you purchase a house for your family. Ten years later, you learn that the house was built on top of a toxic waste dump. The consequences are the adverse effects to the health of your family and a dramatic reduction in the value of your house. Certainly, you would be outraged.

A voluntary risk is “risk that is consciously tolerated by someone seeking to obtain the benefits of the activity that poses the risk.”3 An example of a voluntary risk is driving or riding in a car: Most people are aware that automobile accidents occur and accept this risk. An involuntary risk is “risk that is imposed on someone who does not directly benefit from the activity that poses the risk.”4 Examples of involuntary risk include riding an airplane, visiting a mall, and walking down the street. Living near a chemical plant or other manufacturing facility is also an involuntary risk. Individuals are typically willing to accept more voluntary risk (by a factor of 10 or more) versus involuntary risk.

3 AICHE/CCPS glossary, accessed December 2017.

4 AICHE/CCPS glossary, accessed December 2017.

A community outreach program is a very important part of any process safety program for a company and plant site. The plant officials must carefully explain the risks—including both the probabilities and the consequences—to any community that may be impacted by these risks. This effort is part of stakeholder outreach—where the set of stakeholders includes the employees, contractors, neighboring communities, neighboring companies, suppliers, customers, company stockholders, and other possible communities. The public considers chemical plants to pose a higher risk than is actually the case, so chemical plants must make a better effort to communicate these risks.

1-6 Safety Metrics

A very important part of any safety program is measuring the safety program effectiveness. This is done using safety metrics. Each company must identify metrics that are effective for its operations. These metrics are not universal, will change between companies and even plant sites, and will change with time.

Metrics are usually measured over a period of time and at multiple plant sites to identify any important changes or trends. Adverse changes in the metrics will trigger a management review, with resulting recommended changes for improvement.

Figure 1-3 shows the accident pyramid demonstrating the relationship between various levels of accidents based on severity. The severity level increases toward the top of the pyramid. Accidents of lower severity occur more frequently. Indeed, for every fatality, there are orders of magnitude more accidents of lesser magnitude and even more near misses. A near miss is an accident with no consequences that might have resulted in a catastrophe if conditions had been slightly different. Accidents of smaller magnitude and higher frequency, in particular near misses, provide many opportunities to recognize problems and make improvements—and, one hopes, to prevent more consequential accidents.

Figure 1-3 The accident pyramid showing the relationships between various levels of accidents. Metrics near the top are more leading; metrics toward the bottom are more lagging.

The problem with the accident pyramid is that the items listed are all lagging indicators. That is, the accident pyramid is based on incident outcome metrics derived after an accident or near miss has already occurred. It would be preferable to have leading indicators—that is, metrics that measure activities prior to the occurrence of an accident. Lagging metrics have historically been used more often than leading metrics because they are easier to identify and interpret, and typically must be reported to various regulators. By comparison, leading metrics are more difficult to identify and interpret.

Table 1-5 lists examples of leading and lagging metrics suitable for a chemical plant. The metrics at the top of Table 1-5 are leading indicators, while the ones at the bottom are lagging indicators. Notice that process safety culture—a leading metric—is at the very top of the table, while serious injuries and fatalities—lagging metrics—are at the bottom.

Table 1-5 Example Leading and Lagging Metrics for a Chemical Plant

Leading metrics - towards top of table

Process safety culture:

Number of monthly process safety suggestions

Response time for process safety suggestions to be addressed

Number of open recommendations

Process safety budget reduction

Number of meetings addressing process safety

Time to complete an incident investigation and issue a report

Attendance at required safety meetings

Signs of worker fatigue

Training:

Percentage of workers who require remedial training

Percentage of near-miss incidents with training root causes

Change in training budget

Number of workers with overdue training

Training sessions canceled or postponed

Operating procedures:

No system to gauge whether procedures have been followed

Number of operating procedures updated per year

Number of incident investigations that recommend changes to procedures

Percentage of procedures that are annotated in the field

Tolerance of failure to follow operating procedures

Fraction of operators who believe that procedures are current and accurate

Number of procedures that are past due for review

Operators appear unfamiliar with procedures or how to use them

Maintenance procedures:

Number of overdue maintenance tasks

Number of unplanned repair work orders each month

Work order backlog

Change in maintenance budget

Number of work orders that apply to equipment that no longer exists at the site

Number of maintenance employees who hold required certification

Number of management of change (MOC) requests

Follow-up time on recommended actions

Inspection frequency

Safety system demands

Inspections with results outside limits

Excursions on safe operating limits

Near misses

Number of incidents

Property damage

Community response actions

Loss of primary containment (LOPC) incidents

First aid incidents

Minor injuries

Serious injuries

Fatalities

Lagging metrics - towards bottom of table

1-7 Accident and Loss Statistics

Accident statistics are one metric to determine the effectiveness of any safety program. However, accident statistics are lagging indicators and are usually more indicative of personal safety rather than process safety.

Several methods may be used to calculate accident and loss statistics. All of these methods must be used carefully, because each method has strengths and weaknesses and no single method is capable of measuring all of the required aspects. The methods most commonly used to measure accident statistics are as follows:

  • Total number of fatalities or injuries/illnesses

  • Fatality rate, or deaths per person per year

  • Fatal injury rate based on total hours or total workers

  • Incidence rate

All of these measures are lagging indicators, since they are tabulated after an accident has occurred.

The U.S. Occupational Safety and Health Administration (OSHA; www.osha.gov) has legal authority over U.S. workplace safety. OSHA is responsible for ensuring that U.S. workers are provided with a safe working environment. Many countries have government organizations similar to OSHA.

All U.S. workplaces are required by law to report to OSHA all occupational deaths, illnesses, and injuries. An injury includes medical treatment (other than first aid), loss of consciousness, restriction of work or motion, or injuries causing a transfer to another job. These accident statistics are tabulated by the U.S. Bureau of Labor Statistics (BLS; www.bls.gov) and are made available to the public—albeit usually more than a year after the calendar year the data were collected. Table 1-6 provides sources for accident statistics; please refer to these sources for more updated statistics than presented here.

Table 1-6 Sources of Accident Statistics

United States

  1. U.S. Department of Labor, Bureau of Labor Statistics (BLS), Washington, DC www.bls.gov/iif/

    This is an excellent, free source on occupational accident statistics in the United States.

    Data are typically two years behind.

  2. National Safety Council (NSC), Itasca, IL www.nsc.org

    Injury Facts—an excellent source of information on work and nonwork injuries in the United States.

    The National Safety Council is a nonprofit organization dedicated to preventing accidents at work and at home.

  3. The 100 Largest Losses 1974–2015, 24th ed., Marsh and McLennan Companies, March 2016

    This provides an excellent analysis of worldwide accidents in the hydrocarbon industry, including a brief description and financial loss for each accident.

United Kingdom

Health and Safety Executive (HSE)

www.hse.gov.uk/statistics

This is the equivalent of OSHA in the United Kingdom.

The total number of fatalities is most commonly used as a lagging indicator, but does not take into account the number of people working in a particular occupation. For instance, many more auto-related fatalities occur in a big state like Texas than in a small state like Vermont.

The total number of injuries/illnesses is also dependent on the number of workers. However, it has an additional problem since it requires a definition of an injury or illness.

The fatality rate, or deaths per person per year, is independent of the number of hours exposed to the hazard and reports only the fatalities expected per person per year. The exposed population may be carefully defined to ensure that it includes only those exposed to the hazard. This approach is useful for performing calculations on the general population. Fatality rate is calculated as follows:

$$\text{Fatality rate} = \frac{\text{Number of fatalities per year}}{\text{Total number of people in applicable population}} \tag{1-1}$$

The fatal injury rate is defined in two different ways. The first approach is in terms of the number of fatalities per 100,000 full-time equivalent workers employed. Thus, the worker-based fatal injury rate is calculated using the following equation:

$$\text{Worker-based fatal injury rate} = \frac{\text{Total number of fatalities during period}}{\text{Total number of employees}} \times 100{,}000 \text{ workers} \tag{1-2}$$

A similar approach can be applied to a general population. This fatal injury rate is defined in terms of 100,000 people and applied to a general, exposed population. It is calculated using the following equation:

$$\text{Deaths per 100,000 people} = \frac{\text{Total number of deaths during period}}{\text{Total people in exposed population}} \times 100{,}000 \text{ workers} \tag{1-3}$$

A work-related fatal injury rate can be defined in terms of the total hours worked by 100,000 full-time equivalent workers. For 100,000 workers working 40 hours per week and 50 weeks per year, this results in (100,000 workers × 40 hours/week × 50 weeks/year) = 200,000,000 hours. Thus, the hours-based fatal injury rate is defined by the following equation:

$$\text{Hours-based fatal injury rate} = \frac{\text{Total number of fatalities during period}}{\text{Total hours worked by all employees}} \times 200{,}000{,}000 \text{ hours} \tag{1-4}$$

Hours-based fatal injury rates (Equation 1-4) are generally considered more applicable than worker-based fatal injury rates (Equation 1-2). Hours-based rates use the total number of employees at work and the total hours each employee works. Worker-based rates will be similar for groups of workers who tend to work full time, but differences will be observed for worker groups who tend to include a high percentage of part-time workers.

The incidence rate is based on the cases per 100 workers. A worker year is assumed to contain 2000 hours (50 work weeks/year × 40 hours/week). The incidence rate, therefore, is based on 200,000 hours of worker exposure to a hazard (100 worker years × 2000 hours/year). The incidence rate is calculated from the number of incidents and the total number of hours worked during the applicable period. The following equation is used to calculate the incidence rate:

$$\text{Incidence rate} = \frac{\text{Number of incidents during period}}{\text{Total hours worked by all employees}} \times 200{,}000 \text{ hours} \tag{1-5}$$

The incidence rate is typically used for accidents involving injuries or illnesses, although it was used for fatalities in the past. The hours-based fatal injury rate is commonly used for fatalities, whereas the incidence rate is used for injuries since fatalities occur much less frequently than injuries. Using a different number of hours for these two rates brings both rates within comparable numerical values.
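
As an added illustration (not part of the original text), the Python sketch below applies Equations 1-2, 1-4, and 1-5 to two constructed workforces to show how the worker-based and hours-based fatal injury rates diverge once part-time workers are present. The class names, function names, and headcounts are assumptions made for this example.

```python
from dataclasses import dataclass

# Bases taken from the text: a worker year is 50 weeks x 40 hours = 2000 hours.
HOURS_PER_WORKER_YEAR = 50 * 40
FATAL_RATE_WORKERS = 100_000                                    # Equation 1-2
FATAL_RATE_HOURS = FATAL_RATE_WORKERS * HOURS_PER_WORKER_YEAR   # Equation 1-4
INCIDENCE_HOURS = 100 * HOURS_PER_WORKER_YEAR                   # Equation 1-5


@dataclass(frozen=True)
class WorkGroup:
    """Employees who all work the same number of hours in the period."""
    headcount: int
    hours_per_worker: float


@dataclass(frozen=True)
class SiteYear:
    """One reporting period for one site (hypothetical record layout)."""
    name: str
    groups: tuple
    fatalities: int
    recordable_incidents: int

    def __post_init__(self):
        # A rate is undefined without exposure; reject such records early.
        if self.fatalities < 0 or self.recordable_incidents < 0:
            raise ValueError("counts cannot be negative")
        if self.employees <= 0 or self.total_hours <= 0:
            raise ValueError("site needs at least one worker and one hour")

    @property
    def employees(self) -> int:
        return sum(g.headcount for g in self.groups)

    @property
    def total_hours(self) -> float:
        return sum(g.headcount * g.hours_per_worker for g in self.groups)


def worker_based_fatal_injury_rate(site: SiteYear) -> float:
    """Equation 1-2: fatalities per 100,000 employees."""
    return site.fatalities * FATAL_RATE_WORKERS / site.employees


def hours_based_fatal_injury_rate(site: SiteYear) -> float:
    """Equation 1-4: fatalities per 200,000,000 hours worked."""
    return site.fatalities * FATAL_RATE_HOURS / site.total_hours


def incidence_rate(site: SiteYear) -> float:
    """Equation 1-5: recordable incidents per 200,000 hours worked."""
    return site.recordable_incidents * INCIDENCE_HOURS / site.total_hours


def summarize(site: SiteYear) -> dict:
    """Collect the three rates for one site so they can be compared."""
    return {
        "site": site.name,
        "employees": site.employees,
        "total_hours": site.total_hours,
        "worker_based": worker_based_fatal_injury_rate(site),
        "hours_based": hours_based_fatal_injury_rate(site),
        "incidence": incidence_rate(site),
    }


# Constructed sample data: both sites have 1000 employees, one fatality and
# one recordable incident, but the second has 400 half-time workers.
FULL_TIME_SITE = SiteYear(
    "all full time", (WorkGroup(1000, HOURS_PER_WORKER_YEAR),), 1, 1)
MIXED_SITE = SiteYear(
    "40% part time",
    (WorkGroup(600, HOURS_PER_WORKER_YEAR), WorkGroup(400, 1000)), 1, 1)


if __name__ == "__main__":
    for site in (FULL_TIME_SITE, MIXED_SITE):
        s = summarize(site)
        print(f"{s['site']:>14}: worker-based {s['worker_based']:.1f}, "
              f"hours-based {s['hours_based']:.1f}, "
              f"incidence {s['incidence']:.3f}")
```

With identical headcount and outcomes, the site with part-time workers has fewer exposure hours, so its hours-based rate and incidence rate rise while its worker-based rate is unchanged.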

OSHA also uses the incidence rate for illnesses; days away from work (DAW); and days away from work, job restriction, or job transfer (DART). Table 1-7 defines these terms in relation to occupational injuries. There are many other ways to present accident statistics depending on what you wish to achieve. For instance, for airline transportation, the usual method is to report fatalities per million miles traveled.

Table 1-7 U.S. OSHA Definitions for Occupational Injuries

| Name | Definition |
|---|---|
| Fatality | Injuries or illnesses that result in death, regardless of the time between the injury and death or the length of the illness. |
| Injury | Any injury, such as a cut, fracture, sprain, amputation, and so forth, that results from a work-related event or from a single instantaneous exposure in the work environment. |
| Illness | Any abnormal condition or disorder caused by exposure to factors associated with employment, other than those resulting from an instantaneous event or exposure. This includes acute and chronic illnesses or diseases. |
| Days away from work (DAW) | Cases that result in days away from work (beyond the day of injury or onset of illness). The number of days away from work for these cases is determined according to the number of calendar days (not workdays) that an employee was unable to work, even if the employee was not scheduled to work those days. |
| Job transfer or restriction | Any case that results only in job transfer or restricted work activity. Workers who continue working after incurring an injury or illness during their regularly scheduled shift but produce fewer goods or services are not considered to be in restricted activity status. |
| Days away from work, job restriction, or job transfer (DART) | Any case involving days away from work (beyond the day of injury or onset of illness), or days of job restriction or days of job transfer. |
| Lost time injury (LTI) | The injured worker is unable to perform regular job duties, takes time off for recovery, or is assigned modified work duties while recovering. |
| Recordable injury | Death, days away from work, restricted work or transfer to another job, medical treatment beyond first aid, or loss of consciousness. |
| Other recordable cases | Injuries or illnesses that do not result in any days away from work, a job restriction, or restriction. This includes cases involving medical attention. |

Source: www.osha.gov.

Table 1-8 provides OSHA statistics on the total number of fatalities, the hours-based fatal injury rates, and the total recordable incidence rates for the United States in 2015, ordered from the highest number of fatalities to lowest. In 2015, a total of 4836 occupational fatalities occurred. The peak number of fatalities was 5840 deaths recorded in 2006; the low was 4551 fatalities in 2009, primarily due to the recession of 2008—fewer workers means fewer fatalities. The total number of fatalities has been increasing slowly over the past few years (4821 in 2014) due to an increase in the number of workers, but likely at a diminished pace owing to improvements in occupational safety programs.

Table 1-8 2015 U.S. Occupational Statistics for Selected Industries, Ranked from Highest to Lowest Number of Fatalities

| Industry | Total fatalities | Hours-based fatal injury rateᵃ | Total recordable incidence rateᵇ |
|---|---|---|---|
| All Industries | 4836 | 3.4 | 3.3 |
| Construction (overall) | 937 | 10.1 | 3.5 |
| Transportation and warehousing | 765 | 13.8 | 4.5 |
| Agriculture, forestry, fishing, and hunting | 570 | 22.8 | 5.7 |
| Truck transportation | 546 | 25.2 | 4.3 |
| Professional and business services | 477 | 3.0 | 1.4 |
| Manufacturing | 353 | 2.3 | 3.8 |
| Government (state and local) | 338 | 2.2 | 5.1 |
| Retail trade | 269 | 1.8 | 3.5 |
| Leisure and hospitality | 225 | 2.0 | 3.5 |
| Wholesale trade | 175 | 4.7 | 3.1 |
| Government, federal | 118 | 1.3 | |
| Restaurants and other food services | 100 | 1.4 | 3.0 |
| Police and sheriff’s patrol officers | 85 | 11.7 | 5.8 |
| Financial activities | 83 | 0.9 | 1.1 |
| Carpenters | 83 | 6.7 | |
| Electricians | 83 | 10.7 | 2.8 |
| Professional, scientific, and technical services | 76 | 0.8 | 0.9 |
| Roofers | 75 | 39.7 | 5.6 |
| Taxi drivers and chauffeurs | 54 | 13.4 | 2.4 |
| Information | 42 | 1.5 | 1.3 |
| Fire fighters | 29 | 4.3 | 9.2 |
| Mining (except oil and gas) | 28 | 12.4 | 2.6 |
| Chemical manufacturing | 28 | 2.0 | 2.1 |
| Fishing, hunting, and trapping | 23 | 54.8 | 4.4 |
| Utilities | 22 | 2.2 | 2.2 |
| Hospitals | 21 | 0.4 | 8.1 |
| Colleges, universities, and professional schools | 17 | | 1.8 |
| Plastics and rubber products manufacturing | 17 | 3.3 | 4.3 |
| Oil and gas extraction | 6 | | 0.7 |
| Chemical and allied products merchant wholesalers | 3 | | 2.2 |

ᵃ Rate per 100,000 full-time equivalent workers based on exposure hours. See Equation 1-4 and Table 1-7.

ᵇ Rate per 100 worker years = 200,000 hours. See Equation 1-5 and Table 1-7. This includes all recordable cases.

Source: U.S. Bureau of Labor Statistics, www.bls.gov/iif/.

Several conclusions can be reached from Table 1-8. Construction (overall) has the highest number of fatalities (937), but fishing, hunting, and trapping has the highest hours-based fatal injury rate (54.8). The difference depends on the number of workers employed in each area. Construction has a larger number of workers than fishing, hunting, and trapping, resulting in the total fatalities for construction being higher and the hours-based fatal injury rate being lower. Interestingly, hospitals have the second highest total recordable incidence rate (8.1), followed by agriculture, forestry, fishing, and hunting (5.7). Table 1-8 also shows that the traditional chemical engineering industries are near the bottom in terms of occupational injuries and fatalities. This group includes chemical manufacturing (28 fatalities), plastics and rubber products manufacturing (17 fatalities), oil and gas extraction (6 fatalities), and chemical and allied products merchant wholesalers (3 fatalities). The hours-based fatal injury rates and total recordable incidence rates for these industries are lower than those of many other occupational activities that are commonly considered as safer. For example, colleges, universities, and professional schools had a total of 17 fatalities in 2015. Many specific chemical companies achieve total recordable incidence rates as low as 0.2, compared to the industry average for chemical manufacturing of 2.1.

Table 1-9 provides details on the nature of the fatalities. Clearly, transportation accidents account for the largest number of fatalities in the workplace (2054 fatalities). This is followed by falls, slips, and trips (800 fatalities). With respect to the nature of the fatal injury, most of the injuries are due to multiple traumatic injuries and disorders—occupational fatalities usually involve widespread injury to many areas in the human body. With respect to the worker activity involved with the fatality, transportation accounts for the largest number of fatalities, followed by constructing, repairing, and cleaning and using or operating tools or machinery.

Table 1-9 Details on the Nature of Occupational Fatalities in 2015

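Total occupational fatalities for 2015: 4836

| Category | Item | Fatalities |
|---|---|---|
| Event or exposure | Transportation accidents | 2054 |
| Event or exposure | Falls, slips, and trips | 800 |
| Event or exposure | Contact with objects and equipment | 722 |
| Event or exposure | Violence and other injuries by persons or animalsᵃ | 703 |
| Event or exposure | Exposure to harmful substances or environments | 424 |
| Event or exposure | Fires and explosions | 121 |
| Primary sourceᵇ | Vehicles | 2195 |
| Primary sourceᵇ | Persons, plants, animals, and minerals | 900 |
| Primary sourceᵇ | Structures and surfaces | 568 |
| Primary sourceᵇ | Machinery | 358 |
| Primary sourceᵇ | Chemicals and chemical products | 233 |
| Primary sourceᵇ | Parts and materials | 192 |
| Primary sourceᵇ | Tools, instruments, and equipment | 192 |
| Primary sourceᵇ | Containers, furniture, and fixtures | 95 |
| Nature of fatal injury | Multiple traumatic injuries and disorders | 1855 |
| Nature of fatal injury | Other traumatic injuries and disorders | 1293 |
| Nature of fatal injury | Intracranial injuries | 803 |
| Nature of fatal injury | Open wounds | 558 |
| Nature of fatal injury | Traumatic injuries to bones, nerves, and spinal cord | 180 |
| Nature of fatal injury | Burns and corrosions | 78 |
| Nature of fatal injury | Effects of environmental conditions | 41 |
| Nature of fatal injury | Traumatic injuries to muscles, tendons, ligaments, joints, etc. | 18 |
| Nature of fatal injury | Surface wounds and bruises | 3 |
| Worker activity | Vehicular and transportation operations | 2121 |
| Worker activity | Constructing, repairing, cleaning | 968 |
| Worker activity | Using or operating tools or machinery | 405 |
| Worker activity | Other activities | 374 |
| Worker activity | Physical activities | 308 |
| Worker activity | Materials handling operations | 215 |
| Worker activity | Protective service operations | 110 |

ᵃ Includes 417 homicides and 229 suicides.

ᵇ The primary source is the object, substance, person, bodily motion, or exposure that most directly led to, produced, or inflicted the injury.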

Source: U.S. Bureau of Labor Statistics, www.bls.gov/iif/.

Note under the “Primary Source” heading in Table 1-9 that 233 fatalities occurred due to exposure to chemicals and chemical products. However, if you look further into the U.S. Bureau of Labor Statistics data, you find that only 5 of these deaths occurred in the chemical manufacturing industry and only 1 in operations of chemical and allied products merchant wholesalers. One can easily conclude that few fatalities in the chemical industry are due to chemical exposures; instead, most of the chemical fatalities occur in industries that are not considered chemical in nature.

Table 1-10 provides more details on fatalities in the chemical industry. Surprisingly, retail gasoline stations account for the largest number of fatalities (39 fatalities—due mostly to robberies). Within chemical manufacturing, fertilizer manufacturing (6 fatalities) and basic chemical manufacturing (5 fatalities) account for the largest number of fatalities. Petroleum refineries had 4 fatalities in 2015, while crude petroleum and natural gas extraction had 6 fatalities.

Table 1-10 2015 Fatal Occupational Injuries Related to the U.S. Chemical Industry

| Chemical industry | Fatalities |
|---|---|
| Gasoline Stations (Retail) | 39 |
| Chemical Manufacturing | 28 |
| • Fertilizer manufacturing | 6 |
| • Basic chemical manufacturing | 5 |
| • Soap, cleaning compound, and toilet prep manufacturing | 4 |
| • Pharmaceutical and medicine manufacturing | 3 |
| • Paint, coating, and adhesive manufacturing | 2 |
| • Industrial gas manufacturing | 1 |
| • All other chemical manufacturing | 7 |
| Plastics Manufacturing | 13 |
| Petroleum and Coal Products Manufacturing | 12 |
| • Asphalt paving mixture and block manufacturing | 5 |
| • Petroleum refineries | 4 |
| • Asphalt shingle and coating materials manufacturing | 3 |
| Petroleum and Petroleum Products Merchant Wholesalers | 9 |
| Crude Petroleum and Natural Gas Extraction | 6 |
| Rubber Product Manufacturing | 4 |
| Chemical and Allied Products Merchant Wholesalers | 3 |

Source: U.S. Bureau of Labor Statistics, www.bls.gov/iif/.

The Marsh and McLennan companies annually publish a report entitled 100 Largest Losses in the Hydrocarbon Industry.5 The most recent report tabulates losses from 1974 to 2015 and is based only on the property value losses from the ground up. It does not include the financial losses due to fatalities/injuries, environmental factors, lawsuits, fines, or business interruption—these additional losses could easily multiply the losses by many times. Table 1-11 shows the percentage of losses by industry sector and Table 1-12 shows the total property damage losses by event type. Reviewing these data, the first conclusion is that these losses are huge—totaling more than $33 billion, an amount that does not include losses to human life and environmental losses. Second, 87% of the losses occurred in upstream oil and gas production, refining, and petrochemicals. Finally, $25 billion in losses—75% of the total dollar losses—are from explosions and fires.

5 100 Largest Losses in the Hydrocarbon Industry (New York, NY: Marsh and McLennan Companies, 2015).

Table 1-11 Percentage of Property Damage by Industry Sector

| Industry sector | Percentage of total losses |
|---|---|
| Upstream production of oil and gas | 33% |
| Refining | 29% |
| Petrochemicals | 25% |
| Gas processing | 8% |
| Terminals and distribution | 5% |

Source: The 100 Largest Losses 1974–2015, 24th ed. (New York, NY: Marsh and McLennan Companies, March 2016), p. 10.

Table 1-12 Property Damage Values Based on Event Type

| Event type | Property damage ($U.S. billions, adjusted to December 2015 $) |
|---|---|
| Explosion | $21.19 |
| Fire | $4.36 |
| Blowout | $2.54 |
| Storm | $2.00 |
| Collision | $1.32 |
| Earthquake | $1.23 |
| Sinking | $0.61 |
| Release | $0.23 |
| Mechanical damage | $0.27 |
| Total | $33.75 |

Source: The 100 Largest Losses 1974–2015, 24th ed. (New York, NY: Marsh and McLennan Companies, March 2016), p. 10.

Table 1-13 is a list of non-occupational fatalities in the United States for the year 2014 ranked from the highest number of fatalities to lowest. Also shown is the deaths per 100,000 people, as defined by Equation 1-3. In 2014, there were 136,053 non-occupational fatalities due to unintended injuries—compared to 4836 occupational fatalities. Poisoning accounted for the highest number of fatalities, although this includes 38,718 poisoning deaths by drug overdose. This alarmingly large number of fatalities is dramatically increasing each year. Motor vehicle deaths numbered 35,398—a total that has been increasing slowly for the past few years. In 1972, the number of motor vehicle fatalities reached a peak of 56,278. In 2014, 58 people died from electrocution by exposure to electric transmission lines, while 25 died from lightning.

Table 1-13 Non-Occupational Fatalities in the United States Due to Unintentional Injuries, 2014

| Injury class | Total fatalities | Deaths per 100,000 people |
|---|---|---|
| All deaths (occupational and non-occupational) | 136,053ᵃ | 42.7 |
| Poisoning | 42,032ᵃ | 13.2 |
| Motor vehicle | 35,398 | 11.2 |
| Falls | 31,959 | 10.0 |
| Choking | 4816 | 1.5 |
| Drowning | 3406 | 1.1 |
| Fires, flames, and smoke | 2701 | 0.4 |
| Exposure to excessive natural cold | 930 | |
| Firearm discharge | 270 | 0.2 |
| Exposure to excessive natural heat | 244 | |
| Exposure to electric transmission lines | 58 | |
| Lightning | 25 | |
| Flood | 8 | |

ᵃ Includes 38,718 fatalities due to drug overdose.

Source: Injury Facts (Itasca, IL: National Safety Council, 2015), www.nsc.org.

Comparing Table 1-13 with Table 1-8 shows that the total number of fatalities in the workplace is much lower than the non-occupational fatalities in the general population: The number of workplace fatalities is comparable to the number of deaths by choking. Choking, falls, motor vehicle deaths, and poisonings all exceed the total number of workplace fatalities by a large margin. Also note that the general population is much larger than the total number of workers in the general population. Nevertheless, this comparison does provide an indication of the magnitude of workplace deaths compared to non-occupational deaths.

In summary, accident statistics show that:

  • The chemical industry has much lower fatalities and hours-based fatal injury rates than many other occupational activities that are commonly considered to be safer.

  • The numbers of transportation and motor vehicle fatalities are high in both occupational and non-occupational environments.

  • Chemical industry incidents, although infrequent, can result in huge property losses.

The chemical industry includes chemical plants, refineries, and other industrial sites using chemicals. Despite the relatively small number of fatalities that occur in the chemical industry, the potential always exists for a major incident—though such an event remains unlikely. Clearly, no unintended injury or fatality is acceptable in the workplace or elsewhere. All safety programs must drive toward zero injuries.

Example 1-1

A company employs 1000 full-time employees. If the company has one fatality over a one-year time period, calculate (a) the worker-based fatal injury rate and (b) the hours-based fatal injury rate. If the company has one recordable injury in that same year, calculate (c) the total recordable incidence rate. Compare the answers for parts (b) and (c) to the numbers for chemical manufacturing in Table 1-8.

Solution

  1. From Equation 1-2:

    $$\text{Worker-based fatal injury rate} = \frac{\text{Total number of fatalities during period}}{\text{Total number of employees}} \times 100{,}000 \text{ workers} = \frac{1}{1000 \text{ workers}} \times 100{,}000 \text{ workers} = 100$$

  2. From Equation 1-4:

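    $$\text{Hours-based fatal injury rate} = \frac{\text{Total number of fatalities during period}}{\text{Total hours worked by all employees}} \times 200{,}000{,}000 \text{ hours} = \frac{1 \text{ fatality}}{(1000 \text{ employees})(50 \text{ weeks/yr})(40 \text{ hours/wk})} \times 200{,}000{,}000 \text{ hours} = \frac{200{,}000{,}000 \text{ hours}}{2{,}000{,}000 \text{ hours}} = 100$$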

  3. From Equation 1-5:

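    $$\text{Recordable incidence rate} = \frac{\text{Number of incidents during period}}{\text{Total hours worked by all employees}} \times 200{,}000 \text{ hours} = \frac{1 \text{ recordable incident}}{2{,}000{,}000 \text{ hours}} \times 200{,}000 \text{ hours} = 0.10$$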

The part (b) answer compares to a chemical manufacturing value of 2.0 and the part (c) answer compares to a chemical manufacturing value of 2.1. The part (b) answer is well above the chemical industry value while the part (c) answer is well below it.

1-8 Risk Perception

People perceive risks in different ways, though their perceptions might not always be supported by the actual statistics. The actual risk associated with the chemical industry is generally much less than that perceived by the public. Thus, the chemical industry is held to a higher safety standard than other industries. This requires continuous improvement in chemical industry safety programs to achieve the necessary public trust, credibility, and license to operate.

1-9 Risk Tolerance/Acceptance and Risk Matrix

Risk tolerance or acceptance is defined as “the maximum level of risk of a particular technical process or activity that an individual or organization accepts to acquire the benefits of the process or activity.”6 We cannot eliminate risk entirely—all activities inevitably involve risk. Indeed, people accept risks many times during their daily activities. For instance, simply crossing the street involves a risk assessment as to where and when to cross. People accept risks based on their perceived risk—which may or may not be the actual risk. The risk accepted is voluntary based on the perceived risk, while any additional actual risk not perceived will be involuntary.

6AICHE/CCPS Glossary, accessed September 2017.

Engineers must make every effort to minimize risks within reasonable constraints. No engineer should ever design a process that he or she knows will result in certain human loss or injury. For a chemical plant, at some point in the design stage or at every point in the operation of the plant, the corporation (this decision involves both the workers and management) must determine whether the risks are acceptable. The risk acceptance must be based on more than just perceived risks.

Risk tolerance may also change with time as society, regulatory agencies, and individuals come to expect more from the chemical industry. As a consequence, a risk that was considered tolerable years ago may now be deemed unacceptable.

A risk matrix is a semi-quantitative method to represent risk and to help companies make risk acceptance decisions. A typical risk matrix is shown in Table 1-14. The consequence or severity of the incident is found in columns 1, 2, and 3, and the likelihood of that incident occurring appears in columns 4 through 7. The incident severity is used to estimate the severity category and the safety severity level. The likelihood level is selected based on the frequency of the incident, as shown in columns 4 through 7. The combination of the severity category row and the likelihood column is used to determine the risk level, A through D.

Table 1-14 Risk Matrix for Semi-Quantitative Classification of Incidents

Risk Matrix

  1. Select the severity from the highest box in either of columns 1, 2, or 3. Read the Category and Safety Severity Level from the same row.

  2. Select the likelihood from columns 4 through 7.

  3. Read the Risk Level from the intersection of the severity row and the likelihood column.

TMEF: Target mitigated event frequency (yr⁻¹).

TQ: Threshold quantity—see Table 1-15.

Likelihood

| Column | Likelihood | Description |
|---|---|---|
| 4 | LIKELY | Expected to happen several times over the life of the plant |
| 5 | UNLIKELY | Expected to happen possibly once over the life of the plant |
| 6 | IMPROBABLE | Expected to happen possibly once in the division over the life of the plant |
| 7 | IMPROBABLE, BUT NOT IMPOSSIBLE | Not expected to happen anywhere in the division over the life of the plant |

Severity

| 1: Human health impact | 2: Fire, explosion direct cost ($) | 3: Chemical impact | Severity category | Safety severity level | 4 (0–9 years) | 5 (10–99 years) | 6 (≥ 100 years) | 7 (> 1000 years) |
|---|---|---|---|---|---|---|---|---|
| Public fatality possible, employee fatalities likely | Greater than $10 million | ≥ 20 × TQ | Catastrophic | 4 (TMEF = 1 × 10⁻⁶) | Risk level A | Risk level A | Risk level B | Risk level C |
| Employee fatality possible, major injury likely | $1 million to < $10 million | 9 × to < 20 × TQ | Very serious | 3 (TMEF = 1 × 10⁻⁵) | Risk level A | Risk level B | Risk level C | Risk level D |
| Lost time injury (LTI) likelyᵃ | $100,000 to < $1 million | 3 × to < 9 × TQ | Serious | 2 (TMEF = 1 × 10⁻⁴) | Risk level B | Risk level C | Risk level D | Negligible risk |
| Recordable injuryᵇ | $25,000 to < $100,000 | 1 × to < 3 × TQ | Minor | 1 (TMEF = 1 × 10⁻³) | Risk level C | Risk level D | Negligible risk | Negligible risk |

Risk level A: Unacceptable risk; additional safeguards must be implemented immediately.

Risk level B: Undesirable risk; additional safeguards must be implemented within 3 months.

Risk level C: Acceptable risk, but only if existing safeguards reduce the risk to as low as reasonably practicable (ALARP) levels.

Risk level D: Acceptable risk, no additional safeguards required.

ᵃ Lost time injury (LTI): The injured worker is unable to perform regular job duties, takes time off for recovery, or is assigned modified work duties while recovering.

ᵇ Recordable injury: Death, days away from work (DAW), restricted work or transfer to another job, medical treatment beyond first aid, or loss of consciousness.

The severity levels are listed under columns 1, 2, and 3 in Table 1-14. They include human health impacts; direct costs of fire and explosion in dollars; and chemical impacts. The chemical impact is based on a chemical release quantity called a threshold quantity (TQ). Table 1-15 lists TQs for a number of common chemicals.

Table 1-15 Threshold Quantities (TQ) for a Variety of Chemicals

2000 kg = 4400 lbm: Acrylamide; Ammonium nitrate fertilizer; Amyl acetate; Amyl nitrate; Bromobenzene; Calcium oxide; Carbon dioxide; Carbon, activated; Chloroform; Copper chloride; Kerosene; Maleic anhydride; n-Decane; Nitroethane; Nitrogen, compressed; Nitrous oxide; Nonanes; Oxygen, compressed; Paraldehyde; Phosphoric acid; Potassium fluoride; Potassium nitrate; Sulfur; Tetrachloroethylene; Undecane

1000 kg = 2200 lbm: Acetic anhydride; Acetone; Acetonitrile; Aldol; Ammonium perchlorate; Aniline; Arsenic; Barium; Benzene; Benzidine; Butyraldehyde; Carbon tetrachloride; Copper chlorate; Copper cyanide; Cycloheptane; Cycloheptene; Cyclohexene; Dioxane; Epichlorohydrin; Ethyl acetate; Ethyl benzene; Ethylenediamine; Formic acid; Heptane; Hexane; Methacrylic acid; Methyl acetate; n-Heptene; Nitrobenzene; Nitromethane; Octanes; Phenol, molten or solid; Propylamine; Pyridine; Silver nitrate; Sodium permanganate; Tetrahydrofuran; Toluene; Triethylamine; Vinyl acetate; Zinc peroxide

500 kg = 1100 lbm: Acetaldehyde; Acrylonitrile; Calcium cyanide; Carbon disulfide; Cyclobutane; Diethyl ether or ethyl ether; Ethane; Ethylamine; Ethylene; Furan; Hydrazine, anhydrous; Hydrogen, compressed; Lithium; Methylamine, anhydrous; Potassium; Potassium cyanide; Propylene oxide; Silane; Sodium; Sodium cyanide; Sodium peroxide; Trichlorosilane

200 kg = 440 lbm: Ammonia, anhydrous; Carbon monoxide

100 kg = 220 lbm: Hydrogen bromide, anhydrous; Hydrogen chloride, anhydrous; Hydrogen fluoride, anhydrous; Methyl bromide; Methyl mercaptan; Sulfur dioxide

25 kg = 55 lbm: Chlorine; Cyanogen; Germane; Hydrogen sulfide; Nitric acid, red fuming; Sulfuric acid, fuming

5 kg = 11 lbm: Acrolein; Arsine; Diborane; Dinitrogen tetroxide; Methyl isocyanate; Nitric oxide, compressed; Nitrogen trioxide; Phosgene; Phosphine; Stibine

Source: AICHE/CCPS. Details on how to compute the TQ are available from AICHE/CCPS Process Safety Metrics: Guide for Selecting Leading and Lagging Indicator (New York, NY: American Institute of Chemical Engineers, 2018).

The target mitigated event frequency (TMEF) listed with the safety severity level is the minimum frequency level desired for this level of severity. It defines the frequency for acceptable risk.

Some risk matrixes include a severity column based on environmental impacts. However, the environmental impact is implicitly related to the quantity of chemical released: The greater the chemical release, the greater the environmental impact. Thus, environmental impact is implicit in this risk matrix.

The procedure for using the risk matrix of Table 1-14 is as follows:

  1. Select the severity levels from columns 1, 2, and 3 and select the highest level from any of these columns.

  2. Read the Risk Category and Safety Severity Level from the highest row.

  3. Select the likelihood from columns 4 through 7.

  4. Read the risk level from the intersection of the Safety Severity Level row and the Likelihood column.

The risk levels are identified just below the table and define the risk and the required response. The Safety Severity Level contains the TMEF. The TMEF will be useful for the layer of protection analysis (LOPA) method presented in Chapter 11.

Example 1-2

A risk analysis is performed on an incident involving a hole in a storage vessel containing a specific chemical. The chemical has a TQ of 5 lbm. Calculations for this hole release estimate a total release of 50 lbm of chemical. An employee fatality is possible with such a release, and the fire and explosion direct cost is estimated at $150,000. This incident is expected to occur once over the life of the plant. Use the risk matrix in Table 1-14 to determine the risk category, safety severity level, TMEF, and risk level.

Solution

Using Table 1-14, the following severity levels are selected under columns 1, 2, and 3:

  • Human Health Impact: Employee fatality possible

  • Fire, Explosion Direct Cost: $100,000 to < $1 million.

  • Chemical Impact: 9× to < 20× TQ

Selecting these three levels under columns 1, 2, and 3, respectively, results in the highest severity category of “Very serious,” with a safety severity level of 3 and a TMEF of 1 × 10⁻⁵. The likelihood is selected from column 5, since this is expected once over the lifetime of the plant.

Combining the Severity Category row of “Very serious” with Likelihood column 5 gives a risk level of B. Risk level B is defined as an “Undesirable risk; additional safeguards must be implemented within 3 months.”

Note that if we can lower the severity level or decrease the likelihood, we can reduce the risk level. The LOPA method presented in Chapter 11 is a formalized method to add more safeguards to reduce the risk level to the TMEF.

The risk matrix provided in Table 1-14 is one specific example; most companies customize the risk matrix to work for their particular situation. Additional methods for determining risk are presented in Chapter 12 on risk assessment.
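The four-step lookup procedure and Example 1-2 can be carried through in code. The following Python is an added example, not part of the original text: the rows are transcribed from Table 1-14, while the function names, the short health-impact keys, and the placement of exactly $10 million in the top cost band are assumptions of this example.

```python
"""Table 1-14 risk matrix lookup, reproducing Example 1-2 (added example)."""
from dataclasses import dataclass

# Safety severity level -> (severity category, TMEF in 1/yr), from Table 1-14.
SEVERITY_ROWS = {
    4: ("Catastrophic", 1e-6),
    3: ("Very serious", 1e-5),
    2: ("Serious", 1e-4),
    1: ("Minor", 1e-3),
}

# Column 1, human health impact. The short keys are names chosen for this example.
HEALTH_LEVELS = {
    "public_fatality": 4,    # public fatality possible, employee fatalities likely
    "employee_fatality": 3,  # employee fatality possible, major injury likely
    "lost_time_injury": 2,   # lost time injury (LTI) likely
    "recordable_injury": 1,  # recordable injury
    None: 0,                 # no injury expected: below the lowest row
}

# Risk level at the intersection of severity level (row) and likelihood column 4-7.
RISK_LEVELS = {
    4: {4: "A", 5: "A", 6: "B", 7: "C"},
    3: {4: "A", 5: "B", 6: "C", 7: "D"},
    2: {4: "B", 5: "C", 6: "D", 7: "Negligible"},
    1: {4: "C", 5: "D", 6: "Negligible", 7: "Negligible"},
}

# Required response per risk level, from the notes under Table 1-14.
RESPONSES = {
    "A": "Unacceptable risk; additional safeguards must be implemented immediately.",
    "B": "Undesirable risk; additional safeguards must be implemented within 3 months.",
    "C": "Acceptable risk, but only if existing safeguards reduce the risk to "
         "as low as reasonably practicable (ALARP) levels.",
    "D": "Acceptable risk, no additional safeguards required.",
    "Negligible": "Negligible risk",
}


@dataclass(frozen=True)
class RiskResult:
    severity_level: int
    category: str
    tmef_per_year: float
    likelihood_column: int
    risk_level: str
    response: str
    driving_columns: tuple  # severity columns (1-3) that set the highest row


def cost_level(direct_cost_usd):
    """Column 2: fire/explosion direct cost -> severity level (0 = below the table)."""
    # Assumption: exactly $10 million goes in the top row; the table's bands
    # ("< $10 million" and "Greater than $10 million") leave that value unassigned.
    for level, floor in ((4, 10_000_000), (3, 1_000_000), (2, 100_000), (1, 25_000)):
        if direct_cost_usd >= floor:
            return level
    return 0


def chemical_level(release_mass, tq_mass):
    """Column 3: release as a multiple of TQ (same mass units) -> severity level."""
    if tq_mass <= 0:
        raise ValueError("threshold quantity must be positive")
    multiple = release_mass / tq_mass
    for level, floor in ((4, 20), (3, 9), (2, 3), (1, 1)):
        if multiple >= floor:
            return level
    return 0


def classify(health, direct_cost_usd, release_mass, tq_mass, likelihood_column):
    """Steps 1-4 of the procedure: highest severity row, then likelihood column."""
    if health not in HEALTH_LEVELS:
        raise ValueError(f"unknown health impact: {health!r}")
    if likelihood_column not in (4, 5, 6, 7):
        raise ValueError("likelihood column must be 4, 5, 6, or 7")
    per_column = {
        1: HEALTH_LEVELS[health],
        2: cost_level(direct_cost_usd),
        3: chemical_level(release_mass, tq_mass),
    }
    level = max(per_column.values())  # step 1: highest box in columns 1-3
    if level == 0:
        raise ValueError("incident falls below the lowest severity row of the matrix")
    category, tmef = SEVERITY_ROWS[level]  # step 2
    risk = RISK_LEVELS[level][likelihood_column]  # steps 3 and 4
    drivers = tuple(col for col in (1, 2, 3) if per_column[col] == level)
    return RiskResult(level, category, tmef, likelihood_column, risk,
                      RESPONSES[risk], drivers)


def example_1_2():
    """Example 1-2: TQ 5 lbm, 50 lbm released, $150,000 cost, once per plant life."""
    return classify("employee_fatality", 150_000, 50, 5, likelihood_column=5)


if __name__ == "__main__":
    print(example_1_2())
```

The `driving_columns` field shows which severity columns set the row: in Example 1-2 these are columns 1 and 3, so reducing the direct cost alone would not change the risk level.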

1-10 Codes, Standards, and Regulations

Codes, standards, and regulations are an important part of chemical process safety.

  • A code is a set of recommendations developed by a team of knowledgeable people, who are most likely to be associated with an industrial professional organization. Codes do not have legal authority, but governments might adopt one by turning it into law.

  • A standard is more elaborate, explaining in a lot more detail how to meet the code. That is, codes tell you what you need to do, and standards tell you how to do it. Standards do not carry the weight of legal authority, but governments might adopt them by turning them into laws.

  • A regulation is developed by a government and has legal authority. It may be based on a code or standard. Violations of regulations could result in fines and/or jail time.

Table 1-16 lists a number of regulations, codes, and standards important to process safety in the United States.

Table 1-16 Selected Regulations, Codes, and Standards That Apply to the Chemical Industry

Regulations

U.S. Occupational Safety and Health Administration (OSHA), www.osha.gov

29 CFRa 1910.119 Process Safety Management of Highly Hazardous Materials

This applies to manufacturing sites when on-site inventories of chemicals exceed the threshold values provided in the regulation. A prevention program involving 14 elements must be maintained.

U.S. Environmental Protection Agency (EPA), www.epa.gov

40 CFR 68 Risk Management Programs (RMP)

This applies to releases of toxic or flammable materials that could have off-site impacts. If chemicals exceed threshold quantities, a consequence analysis must be completed to estimate off-site impacts. A prevention program involving 11 elements must be maintained.

U.S. Department of Homeland Security (DHS), www.dhs.gov

6 CFR 27 Chemical Facility Anti-Terrorism Standards (CFATS)

This establishes risk-based performance standards for the security of chemical facilities. An online Chemical Security Assessment Tool must be completed to identify the company’s security tier. Each tier has chemical security requirements.

Codes

National Fire Protection Association (NFPA), www.nfpa.org

NFPA 70: National Electrical Code (NEC)

NFPA 101: Life Safety Code

American Society of Mechanical Engineers (ASME), www.asme.org

ASME Boiler and Pressure Vessel Code

Standards

National Fire Protection Association (NFPA), www.nfpa.org

NFPA 45: Standard on Fire Protection for Laboratories Using Chemicals

NFPA 68: Standard on Explosion Venting by Deflagration Venting

NFPA 69: Standard on Explosion Prevention Systems

NFPA 652: Standard on the Fundamentals of Dust Explosions

American Society for Testing and Materials (ASTM), www.astm.org

ASTM D93: Standard Test Methods for Flash Point by Pensky-Martens Closed Cup Tester

ASTM E681-09 Standard Test Method for Concentration Limits of Flammability of Chemicals (Gases and Vapors)

American Petroleum Institute (API), www.api.org

API Recommended Practice 521: Selection and Installation of Pressure Relieving Devices in Refineries

API Recommended Practice 754: Process Safety Performance Indicators for the Refining and Petrochemical Industries

International Electrotechnical Commission (IEC), www.iec.ch

IEC 61511: Safety Instrumented Systems for the Process Industry Sector

aCode of Federal Regulations.

Codes, standards, and regulations vary considerably between countries around the world. This creates challenges for engineers in one country who are designing a plant to operate in another country, or even for shipping chemicals from one country to another. Codes, standards, and regulations also change with time.

In the United States, OSHA and EPA use the codes and standards as a basis for Recognized and Generally Accepted Good Engineering Practices (RAGAGEP). RAGAGEP means that each plant site must keep its facility up to date with respect to codes and standards that apply to that plant, even though these codes and standards do not have regulatory authority. RAGAGEP is a complex regulatory and legal issue, well beyond the scope of this book.

1-11 Safeguards

Figure 1-4 shows the sequence of events in an incident. The hazard is shown on the left side of the figure, and the consequences are shown on the right side. The initiating event, or cause, may be “a device failure, system failure, external event, or improper human inaction that begins a sequence of events leading to one or more undesirable outcomes.”7 It is usually caused by internal plant events such as operational problems, equipment failures, human error, and design deficiencies, to name a few possibilities. The initiating event may also be caused by events external to the plant, including natural phenomena such as lightning strikes, floods, tornadoes, or other influences outside the plant boundaries.

7Center for Chemical Process Safety, Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis (New York, NY: Wiley, 2015).

Figure 1-4 The sequence of events causing a hazard to result in an incident with consequences.

The enabling conditions are “operating conditions necessary for an initiating cause to propagate into a hazardous event. Enabling conditions do not independently cause the incident, but must be present or active for it to proceed.”8 An enabling condition makes the beginning of the scenario possible. Such conditions are represented as probabilities—for example, the probability of a unit being in a particular state of operation (e.g., recycle mode, startup), the probability that a particular raw material or catalyst is in the process, or the probability that the temperature or pressure is within high or low values.

8Ibid.

Conditional modifiers are conditions that occur after initiation and impact a step in the sequence either before or after the incident has occurred. They could include weather conditions (wind direction and speed), presence of people, and probability of ignition, among other factors.

Chemical plants use several types of safeguards to prevent incidents or to reduce the impact of an incident. Once an initiating event has occurred, safeguards come into play, as shown in Figure 1-4. A safeguard is a design feature, equipment, procedure, or even software that is in place to prevent or mitigate the consequences of an initiating event. Two types of safeguards are distinguished: preventive and mitigative. A preventive safeguard (also called a protection layer) intervenes after the initiating event to stop the event from developing further into an incident. A mitigative safeguard is a safeguard that reduces the consequences after an incident has occurred. Thus, preventive safeguards stop the propagation of the initiating event to an incident while mitigative safeguards reduce the consequences after an incident has occurred. Table 1-17 lists a variety of common preventive and mitigative safeguards used in the chemical industry.

Table 1-17 Common Preventive and Mitigative Safeguards Used in the Chemical Industry

Preventive Safeguards: Prevent an initiating event from proceeding to a defined, undesirable incident; also called a protection layer.

  • Basic process control system (BPCS)

  • Safety instrumented functions (SIF)

  • Safety instrumented systems (SIS)

  • Alarm systems

  • Operator response to an alarm or process conditions

  • Pressure relief system with containment (may also be considered mitigative)

  • Procedures

  • Maintenance

  • Interlocks

  • Emergency shutoff valves

  • Flame/detonation arresters

  • Inhibitor addition to reactor

  • Emergency cooling systems

  • Vapor inerting and purging to prevent flammable mixtures

  • Grounding and bonding to prevent static accumulation

  • Normal testing and inspection

Mitigative Safeguards: Reduce the consequences after an incident has occurred.

  • Active fire protection, including sprinklers, sprays, foams, and deluges

  • Emergency fire water system

  • Passive fire protection including insulation

  • Flammable vapor detectors

  • Emergency response, including on-site and off-site

  • Plant and equipment layout and spacing

  • Diking around storage areas/processes

  • Emergency power

  • Blast walls

  • Water curtains to disperse vapors

  • Blast resistant control rooms

  • Explosion blow-out panels on process vessels

Source: Guidelines for Risk Based Process Safety, AICHE Center for Chemical Process Safety (Wiley, NY), 2007.

In reality, not all safeguards are 100% effective or are working all the time. Figure 1-5 shows these safeguards as slices of Swiss cheese, where the holes represent defects in the safeguards. These kinds of defects in safeguards are dynamic and can come and go—that is, the “hole” size can change with time and even move around on the Swiss cheese. Only a few Swiss cheese safeguards are shown in Figure 1-5 to simplify the figure—the actual number of safeguards depends on the magnitude of the hazard.

Figure 1-5 Swiss cheese model showing defects in the safeguards. If the defects line up, an incident will occur with resulting consequences.

Preventive maintenance of equipment at specified frequencies is designed to ensure that safeguards work properly, even as equipment ages. Only one preventive safeguard must work successfully for the incident to be stopped. Since multiple safeguards are present, if one safeguard has a defect, the initiating event will propagate through the defective safeguard but will be stopped by another safeguard. If the defects or “holes” in all the preventive safeguards line up, however, then the initiating event will propagate to an incident. Many well-known catastrophic incidents have occurred with many safeguards in place.

Once an incident has occurred, consequences are expected, although they might be minimal at this point. If mitigative safeguards are lacking, it is possible that the incident could expand in scope. For instance, the incident might be the leak of a flammable liquid from the process to the surroundings. If the flammable liquid ignites, then a fire or explosion might occur, greatly expanding the consequences. Thus, the mitigative safeguards, in this case, are intended to prevent the ignition of the released flammable liquid and the expansion of the consequences. In this example, the mitigative safeguards might be foam, water sprays, or other fire protection methods to prevent ignition.

It is possible that the mitigative safeguards could completely contain the incident and prevent it from increasing in scope and consequences. However, if some of the mitigative safeguards are not working or not effective, then additional consequences are expected.

Mitigative safeguards may be effective for only a specific incident outcome. For instance, safeguards designed to reduce the probability of ignition of a flammable material may not be effective in reducing the toxicity of the vapor if it does not ignite.

To see how preventive and mitigative safeguards work together, consider the following example: A chemical reactor vessel can be damaged by the effects of high pressure, maybe even resulting in the destructive bursting of the reactor vessel. The basic process control system (BPCS) controls the operation of the reactor to prevent high pressure. However, high pressure can arise from many sources—almost too numerous to completely prevent using the BPCS. Thus, reactor vessels are also equipped with relief devices in the form of spring-operated valves that open with high pressure, discharging the reactor contents to reduce the pressure. The BPCS is a preventive safeguard since it prevents the buildup of pressure in the reactor—but it cannot be expected to work all the time or to handle all possible situations. The relief device is a mitigative safeguard since it operates after the high-pressure incident has occurred and reduces the consequences of the incident. As a result of the relief device’s actions, the consequences of the high pressure incident are loss of product from the reactor and a clean-up of the relief discharge. Without the relief device, the consequences of the high-pressure incident might be permanent pressure damage to the reactor vessel or maybe even destructive bursting of the vessel, leading to substantial damage to the surrounding equipment and workers. Since there are many ways for high pressure to build up in a reactor vessel, many preventive and mitigative safeguards are usually present.

1-12 The CCPS 20 Elements of Risk-Based Process Safety

In 2007, the AICHE Center for Chemical Process Safety published Guidelines for Risk Based Process Safety.9 The risk-based process safety (RBPS) approach

recognizes that all hazards and risks in an operation or facility are not equal; consequently, apportioning resources in a manner that focuses effort on greater hazards and higher hazards is appropriate. … The RBPS system may encompass all process safety issues for all operations involving the manufacture, use, storage, or handling of hazardous substances or energy. However, each organization must determine which physical areas and phases of the process life cycle should be included in its formal management systems, based on its own risk tolerance considerations, available resources, and process safety culture. … The RBPS elements are meant to apply for the entire process life cycle.

9Center for Chemical Process Safety, Guidelines for Risk Based Process Safety (New York, NY: Wiley, 2007).

The 20 elements of RBPS are listed in Table 1-18. These elements are organized in four major foundational blocks: (1) commit to process safety, (2) understand hazards and risks, (3) manage risk, and (4) learn from experience.

Table 1-18 The 20 Elements of Risk-Based Process Safety

Foundational Block: Commit to Process Safety

  1. Process safety culture

  2. Compliance with standards

  3. Process safety competency

  4. Workforce involvement

  5. Stakeholder outreach

Foundational Block: Understand Hazards and Risks

  6. Process knowledge management

  7. Hazard identification and risk analysis (HIRA)

Foundational Block: Manage Risk

  8. Operating procedures

  9. Safe work practices

  10. Asset integrity and reliability

  11. Contractor management

  12. Training and performance assurance

  13. Management of change

  14. Operational readiness

  15. Conduct of operations

  16. Emergency management

Foundational Block: Learn from Experience

  17. Incident investigation

  18. Measurements and metrics

  19. Auditing

  20. Management review and continuous improvement

Source: AICHE Center for Chemical Process Safety, Guidelines for Risk Based Process Safety (Hoboken, NJ: Wiley Interscience, 2007).

OSHA has a similar set of 14 elements that are included as part of 29 CFR 1910.119 on process safety management.10 The OSHA elements of this regulation are (1) employee participation, (2) process safety information, (3) process hazards analysis, (4) operating procedures, (5) training, (6) contractors, (7) pre-startup safety review, (8) mechanical integrity, (9) hot work permits, (10) management of change, (11) incident investigation, (12) emergency planning and response, (13) audits, and (14) trade secrets. While these 14 elements are contained within the CCPS 20 elements, the OSHA regulation has legal authority.

10OSHA 1919.119, Process Safety Management (1992). www.osha.gov.

The 20 CCPS RBPS elements are described here:11

11AICHE/CCPS online glossary, www.aiche.org, accessed October 27, 2017.

Element 1—Process Safety Culture: A positive environment in which employees at all levels are committed to process safety. This starts at the highest levels of the organization and is shared by all. Process safety leaders nurture this process. (See Section 1-3, “Safety Culture.”)

Element 2—Compliance with Standards: Applicable regulations, standards, codes, and other requirements issued by national, state/provincial, and local governments; consensus standards organizations; and the company itself. Interpretation and implementation of these requirements. Includes development activities for corporate, consensus, and governmental standards. (See Section 1-10, “Codes, Standards, and Regulations.”)

Element 3—Process Safety Competency: Skills and resources that the company needs to have in the right places to manage its process hazards. Verification that the company collectively has these skills and resources. Application of this information in succession planning and management of organizational change.

Element 4—Workforce Involvement: Broad involvement of operating and maintenance personnel in process safety activities, to make sure that lessons learned by the people closest to the process are considered and addressed.

Element 5—Stakeholder Outreach: A process for identifying, engaging, and maintaining good relationships with appropriate external stakeholder groups. This would include the surrounding community, suppliers of raw materials, customers, government agencies and regulators, professional societies, contractors, and more.

Element 6—Process Knowledge Management: The assembly and management of all information needed to perform process safety activities. Verification of the accuracy of this information. Confirmation that this information is correct and up-to-date. This information must be readily available to those who need it to safely perform their jobs.

Element 7—Hazard Identification and Risk Analysis: Identification of process safety hazards and their potential consequences. Definition of the risks posed by these hazard scenarios. Recommendations to reduce or eliminate hazards, reduce potential consequences, and reduce frequency of occurrence. Analysis may be qualitative or quantitative, depending on the level of risk.

Element 8—Operating Procedures: Written instructions for a manufacturing operation that describes how the operation is to be carried out safely, explaining the consequences of deviation from procedures, describing key safeguards, and addressing special situations and emergencies.

Element 9—Safe Work Practices: Procedures to safely maintain and repair equipment, such as permits to work, line breaking, and hot work permits. This applies to nonroutine operations.

Element 10—Asset Integrity and Reliability: Activities to ensure that important equipment remains suitable for its intended purpose throughout its service. Includes proper selection of materials of construction; inspection, testing, and preventive maintenance; and design for maintainability.

Element 11—Contractor Management: Practices to ensure that contract workers can perform their jobs safely, and that contracted services do not add to or increase facility operational risks.

Element 12—Training and Performance Assurance: Practical instruction in job and task requirements and methods for operation and maintenance workers, supervisors, engineers, leaders, and process safety professionals. Verification that the trained skills are being practiced proficiently.

Element 13—Management of Change: Process of reviewing and authorizing proposed changes to facility design, operations, organization, or activities prior to implementing them, and ensuring that the process safety information is updated accordingly.

Element 14—Operational Readiness: Evaluation of the process before startup or restart to ensure the process can be safely started. Applies to restart of facilities after being shut down or idled as well as after process changes and maintenance. Also applies to startup of new facilities.

Element 15—Conduct of Operations: Means by which the management and operational tasks required for process safety are carried out in a deliberate, faithful, and structured manner. Managers ensure workers carry out the required tasks and prevent deviations from expected performance.

Element 16—Emergency Management: Plans for possible emergencies that define actions in an emergency; resources to execute those actions; practice drills; continuous improvement; training or informing employees, contractors, neighbors, and local authorities; and communications with stakeholders in the event that an incident does occur.

Element 17—Incident Investigation: Process of reporting, tracking, and investigating incidents and near misses to identify root causes; taking corrective actions; evaluating incident trends; and communicating lessons learned.

Element 18—Measurement and Metrics: Leading and lagging indicators of process safety performance, including incident and near-miss rates as well as metrics that show how well key process safety elements are being performed. This information is used to drive improvement in process safety. (See Section 1-6, “Safety Metrics.”)

Element 19—Auditing: Periodic critical review of process safety management system performance by auditors not assigned to the site to identify gaps in performance and identify improvement opportunities, and track closure of these gaps to completion.

Element 20—Management Review and Continuous Improvement: The practice of managers at all levels of setting process safety expectations and goals with their staff and reviewing performance and progress toward those goals. May take place in a staff or “leadership team” meeting or on a one-on-one basis. May be facilitated by process safety leader but is owned by the line manager.

Table 1-19 presents common chemical plant activities associated with each of the 20 elements. When a chemical plant incident occurs, the incident investigation usually finds deficiencies in many of the elements. The 20 elements provide a comprehensive management system to handle risks in chemical plants and other facilities. All of the elements are important, and all must be given adequate consideration. Chemical engineers are involved in all aspects of the 20 elements.

Table 1-19 Typical Activities Associated with the 20 Risk Based Process Safety (RBPS) Elements

  1. Process safety culture

    Develop or deploy corporate process safety culture programs.

    Identify process safety culture issues and influence corporate changes.

    Maintain a strong process safety culture among team members.

    Conduct formal assessments to identify gaps and recommend improvements in the process safety culture.

  2. Compliance with standards

    Interpret or apply standards for internal use.

    Participate in standards development.

    Develop a system to identify standards and uniformly administer and maintain the information.

  3. Process safety competency

    Develop a training program to increase workers’ level of competency.

    Develop competency profiles for critical process safety positions.

    Evaluate a unit to determine gaps in competency.

  4. Workforce involvement

    Develop, lead, or participate in organizing workforce involvement efforts at the corporate, business, plant, or unit level.

    As a supervisor, regularly lead discussions around process safety concerns or issues with operating personnel.

    As a worker, provide constructive feedback aimed at improving process safety and track feedback to resolution.

  5. Stakeholder outreach

    Lead community action panel (CAP) meetings.

    Work with the local community to create an area CAP and facilitate meetings.

    Develop site or corporate practices or standards to coordinate and manage major off-site accident risks, to include communications with stakeholders.

    Coordinate an emergency response simulation or drill in the community.

  6. Process knowledge management

    Validate existing Process and Instrument Diagrams (P&IDs) with actual plant configuration.

    Develop safe operating limits and consequences of deviations for a process unit.

    Update process safety knowledge following management of change (MOC).

    Write internal standards for the company.

    Develop a database of relief devices.

  7. Hazard identification and risk analysis

    Develop and/or implement corporate methods and procedures for hazards analysis and risk assessment.

    Develop consequence assessment simulations.

    Lead or participate in process hazards analysis (PHA).

  8. Operating procedures

    Write or revise operating procedures to make them clearer and more usable.

    Review and update operational procedures for a site.

    Identify safe operating limits for a process.

  9. Safe work practices

    Participate in confined-space operations.

    Certify confined-space operations attendants.

    Participate in or develop and audit line breaking and/or lock-out/tag-out (LOTO) procedures.

    Develop a corporate work permit policy.

    Audit and/or improve safe work practices.

  10. Asset integrity and reliability

    Review and assess data from inspections; draw conclusions and make recommendations.

    Develop or implement practices, procedures, and strategies to manage the integrity in a facility, site, or company.

    Research published corrosion rates to provide general guidance for developing specifications.

  11. Contractor management

    Audit contractors for safety.

    Develop recommendations and actions to improve contractor performance.

    Develop process safety requirements for hiring new site contractors.

  12. Training and performance assurance

    Develop process safety training programs.

    Provide oversight of corporate or site process safety training program.

    Give or receive process safety training.

  13. Management of change (MOC)

    Develop corporate procedures for change management.

    Participate in management of change reviews.

    Author MOC documentation.

    Identify a site MOC coordinator.

  14. Operational readiness

    Lead and/or participate in pre-startup safety reviews (PSSR).

    Develop commissioning and startup plans.

    Identify critical process safety information (PSI) required to operate safely.

    Start up a process that is ready to operate.

  15. Conduct of operations

    Implement practices intended to maintain the operational discipline at a facility.

    As a front-line worker, cooperate with peers to ensure that performed tasks are done exactly as prescribed over a long period of time.

    Actively monitor and make corrective action plans related to the performance of process safety operating tasks.

  16. Emergency management

    Set up or participate in emergency response drills with community responders.

    Work with corporate officials to perform emergency drills or table-top drills.

    Participate in planning and addressing potential plant emergencies.

  17. Incident investigation

    Participate in an accident investigation.

    Manage accident investigation action items.

    Develop and implement corporate procedures for incident investigation.

  18. Measurements and metrics

    Act as the site lead for or participate in collecting and reporting metrics.

    Prepare reports on process safety metrics.

    Develop and implement site or company metrics.

  19. Auditing

    Participate in process safety audits, either as an auditor or an audited party.

    Develop process safety audit methods.

    Manage audit recommendations to ensure they are implemented.

  20. Management review and continuous improvement

    Participate in management reviews.

    Evaluate results from management reviews and proposed/reviewed recommendations for improvement.

    Engage management to follow up and close out actions derived from management reviews.

Example 1-3

A valve in a chemical plant is replaced by a valve from the warehouse. Unfortunately, the warehouse valve was not constructed of the same material as the original and within a few months corrosion caused the valve to leak, causing a release of toxic material. Which element of RBPS applies to this scenario?

Solution

The element most directly impacted is Element 13, management of change. Whenever equipment is replaced, steps must be taken to ensure that the replacement part has the identical function as the original part. Other elements that might also be involved are Element 1, process safety culture; Element 3, process safety competency; Element 6, process knowledge management; Element 9, safe work practices; Element 10, asset integrity and reliability; Element 12, training and performance assurance; and Element 15, conduct of operations. Can you identify how all of these other elements are involved? This type of incident would likely invoke a management review (Element 20) to identify the cause and take corrective action to prevent this type of incident from occurring again.

1-13 Inherently Safer Design

Section 1-11, “Protecting Against Hazards: Safeguards,” described how hazards are protected with safeguards to prevent initiating events from propagating into more serious incidents with consequences. These safeguards add considerable cost to the process and also require testing and maintenance—and even with these actions, the safeguards can still fail.

If we could design a process with fewer hazards, then the process would be simplified, and the safeguards reduced. This is the essence of inherently safer design—to eliminate hazards rather than to provide complex safeguard hierarchies around the hazards. An inherently safer plant uses the elimination of hazards to prevent accidents rather than depending on control systems, interlocks, redundancy, special management systems, complex operating instructions, or elaborate procedures. Inherently safer plants are tolerant of errors; are generally cost-effective; and are simpler, easier to operate, and more reliable.

Table 1-20 provides examples of the four inherently safer design strategies: minimize, substitute, moderate, and simplify. Other references¹² provide more detailed strategies, but many of these additional strategies can be included in the four shown in the table. The four strategies listed in Table 1-20 are the traditional strategies, though they might go by other names (shown in parentheses in the table).

¹² Trevor Kletz and Paul Amyotte. Process Plants: A Handbook for Inherently Safer Design, 2nd ed. (Boca Raton, FL: CRC Press, 2010).

Table 1-20 Inherently Safer Design Strategies

Type: Example applications

  Minimize (intensification)

    Replace a large batch reactor with a smaller continuous reactor.

    Reduce storage inventory of raw materials.

    Improve management and control to reduce inventory of hazardous intermediate chemicals.

    Reduce process hold-up.

  Substitute (substitution)

    Use mechanical pump seals instead of packing.

    Use a welded pipe rather than a flanged pipe.

    Use solvents that are less hazardous.

    Use chemicals with higher flash point temperatures, boiling points, and other less hazardous properties.

    Use water as a heat transfer fluid instead of hot oil.

  Moderate (attenuation and limitation of effects)

    Reduce process temperatures and pressure.

    Use a vacuum to reduce the boiling-point temperature.

    Refrigerate storage vessels to reduce the vapor pressure of liquids.

    Dissolve hazardous material in a nonhazardous solvent.

    Operate at conditions where reactor runaway is not possible.

    Locate control rooms remotely from the process to reduce impacts of accidents.

    Provide adequate separation distance from process units to reduce impacts of accidents.

    Provide barriers to reduce impacts of explosions.

    Provide water curtains to reduce downwind concentrations.

  Simplify (simplification and error tolerance)

    Reduce piping lengths, valves, and fittings.

    Simplify piping systems and improve ability to follow the pipes within them.

    Design equipment layout for easy and safe operation and maintenance.

    Select equipment that requires less maintenance.

    Select equipment with higher reliability.

    Label process equipment—including pipelines—for easy identification and understanding.

    Design control panels and displays that are easy to comprehend.

    Design alarm systems to provide the operators with critical information.

The minimize strategy entails reducing the hazards by using smaller quantities of hazardous materials in the process. When possible, hazardous materials should be produced and consumed on site—this minimizes the storage and transportation of hazardous raw materials and intermediates.

The substitute strategy entails replacing hazardous materials with less hazardous materials. For example, a nonflammable solvent could replace a flammable solvent.

The moderate strategy entails using hazardous materials under less hazardous conditions. This includes using these materials at lower temperatures and pressures. Other approaches include (1) refrigeration to lower vapor pressures, (2) diluting solutions to a lower concentration, and (3) using larger particle-sized solids to reduce dust explosions, to name a few.

The simplify strategy is based on the fact that simpler plants are friendlier than complex plants, because they provide fewer opportunities for error and because they contain less equipment that can cause problems. Often, the complexity in a process is driven by the need to add equipment and automation to control the hazards. Simplification reduces the opportunities for errors and mis-operation.

In the strictest sense, inherently safer design applies only to the elimination of hazards. Some of the inherently safer design strategies shown in Table 1-20 treat hazards by making the hazard less intense or less likely to occur. For instance, simplifying a complex piping system reduces the frequency of leaks and operator error, but does not completely eliminate the hazard—the remaining pipes and valves can still leak. The inherently safer design strategies that eliminate the hazard are called first-order strategies, whereas strategies that make the hazard less intense or less likely to occur are called second-order strategies.

Although inherently safer design should be applied at every point in a process life cycle, the potential for major improvements is the greatest at the earliest stages of process development. At these early stages, process engineers and chemists have the maximum degree of freedom in the selection of the reaction, chemicals, process technology, and plant design and process specifications.

Inherently safer design can significantly reduce the hazards in a process, but it can go only so far. Many chemicals and products are used precisely because of their hazardous properties. For instance, if gasoline is the product, then flammability is the necessary hazardous property for this product—this hazard cannot be eliminated.

After we have applied inherently safer design as much as possible, we can use a hierarchy of management systems to control the remaining hazards, as shown in Table 1-21. Inherently safer design appears at the top of the hierarchy and should be the first approach, followed by passive, active, and procedural strategies. The strategies closer to the top of Table 1-21 are more robust than the lower strategies and should be preferred.

Table 1-21 Hierarchy of Process Risk Management Strategies. The strategies at the top of the table are more robust

Strategy: Emphasis and Examples

  Inherent

    Emphasis: See Table 1-20.

    Examples:

      Minimize (intensification).

      Substitute (substitution).

      Moderate (attenuation and limitation of effects).

      Simplify (simplification and error tolerance).

  Passive

    Emphasis: Minimizes the hazard through process and equipment design features that reduce either the frequency or the consequence without the active functioning of any device.

    Examples:

      Using equipment with a higher pressure rating than the maximum possible pressure.

      Blast walls around process equipment to reduce blast overpressures.

      Dikes around storage vessels to contain spills.

      Separation of equipment from occupied buildings and other locations where personnel may be present.

  Active

    Emphasis: Requires an active response. These systems are commonly referred to as engineering controls, although human intervention is also included.

    Examples:

      Alarms, with operator response.

      Process control system, including basic process control systems, safety instrumented systems, and safety instrumented functions.

      Sprinklers and water deluge systems.

      Pressure relief devices.

      Inerting and purging systems.

      Water curtains to knock down gas releases.

      Flares.

  Procedural

    Emphasis: Based on an established or official way of doing something. These are commonly referred to as administrative controls.

    Examples:

      Policies.

      Operating procedures.

      Safe work practices, such as lock-out/tag-out, vessel entry, and hot work.

      Emergency response procedures.

      Training.

Active safeguards require the physical motion or activity in the performance of the equipment’s function; a valve opening or closing is an example. A passive safeguard is hardware that is not physically actuated to perform its function; dikes around storage vessels are an example. Procedural safeguards, often called administrative safeguards, are administrative or management safeguards that do not directly involve hardware; an operating procedure is an example.

One potential problem with inherently safer design is risk shifting. That is, application of inherently safer design strategies might shift the risk from one population to another. For example, one company used a highly toxic chemical as a catalyst in a process. The chemical was highly effective and was recycled with little make-up. The company decided to replace the highly toxic catalyst with one that was considerably less toxic—an inherently safer approach by substitution. The less toxic catalyst required a substantial amount of make-up, necessitating regular and substantial truck shipments. While the risk to the company’s employees was reduced, the risk to the community was increased due to the truck shipments along municipal roads.

Environmental impacts should also be considered in inherently safer designs. A classic example of this is refrigeration systems. In the very early days of refrigeration, ammonia was used as a refrigerant. Ammonia is toxic, and leaks of this gas can affect both employees and the surrounding communities. Later, chlorofluorocarbons (CFCs) were developed to replace ammonia. Since these refrigerants are not toxic, CFCs were inherently safer than ammonia. However, in the 1970s, CFCs were found to deplete the ozone layer. Hydrochlorofluorocarbons (HCFCs) were used for a short period since these had less impact on the environment. More recently, many refrigeration systems have returned to ammonia as a preferred refrigerant primarily to reduce environmental impacts.

Example 1-4

Carbon tetrachloride was originally used as a dry-cleaning fluid and was very effective. In the 1950s, carbon tetrachloride was phased out and replaced by perchloroethylene (PERC). Today, other alternatives, such as carbon dioxide, are being considered. Why?

Solution

Carbon tetrachloride worked very well as a dry-cleaning fluid. However, it has high toxicity and can damage the liver, kidneys, and central nervous system. It is a possible carcinogen, and repeated exposure to the vapors by the dry-cleaning workers and customers resulted in adverse health effects.

PERC is also a possible carcinogen and can affect the liver and kidneys. It can result in adverse health effects, albeit not as severe as the effects associated with carbon tetrachloride.

Other dry-cleaning alternatives, such as carbon dioxide, silicones, and propylene glycol ethers, are possible replacements, but they have higher costs. Their use demonstrates inherently safer design by substitution of a hazardous material with one less hazardous.

1-14 The Worst Chemical Plant Tragedy: Bhopal, India, 1984¹³

¹³ John F. Murphy, Dennis Hendershot, Scott Berger, Angela E. Summers, and Ronald J. Willey. “Bhopal Revisited.” Process Safety Progress, 33, no. 4 (2014): 310–313.

The Bhopal, India, tragedy occurred on December 3, 1984, in a pesticide plant jointly owned by Union Carbide (USA) and its affiliate Union Carbide India Limited (UCIL). More than 2500 lives were lost due to inhalation and exposure to methyl isocyanate (MIC) vapor released from the plant. Another 200,000 people suffered various levels of exposure, with the adverse effects ranging from blindness to nausea. Many people who survived the incident suffered from severe health effects for the rest of their lives.

MIC was used as an intermediate chemical in pesticide production and was stored on-site. This compound is reactive, toxic, volatile, and flammable. The maximum exposure concentration of MIC for workers over an 8-hour period is 0.02 ppm (parts per million). Individuals exposed to concentrations greater than 21 ppm experience severe irritation of the nose and throat. Death at larger concentrations of MIC vapor is due to respiratory distress.

MIC demonstrates a number of other hazardous physical properties. Its boiling point at atmospheric conditions is 39.1°C, and its vapor pressure is 348 mm Hg at 20°C. The vapor is about twice as heavy as air, meaning that the vapors stay close to the ground once released. In addition, MIC reacts exothermically with water. Although the reaction rate is slow, with inadequate cooling the temperature will increase and the MIC will begin to boil. MIC storage tanks are typically refrigerated to prevent this.

At the time of the MIC release, the Bhopal plant was under extreme financial pressure. It was able to sell only about one-third of its design capacity on the Indian market. In June 1984, the plant’s managers decided to turn off the refrigeration system on the 15,000-gallon liquid MIC storage tank in an effort to reduce costs. A flare system was also present to burn any MIC vapors from the storage tank, but the flare was taken out of service several weeks prior to the incident due to a corroded pipeline. A sodium hydroxide (NaOH) scrubber system was also present to handle small releases, but it had been taken out of service for cost savings. With the shutdown of the refrigeration system, flare, and scrubber, no mitigative safeguards remained between the MIC storage tank and the external environment.

The area around the plant was zoned for industrial use. However, the siting of a major chemical manufacturing plant at the city’s edge created a large opportunity for employment. Several shanty towns were built immediately adjacent to the plant and were inhabited by more than 30,000 people. Zoning laws were in place to prevent the establishment of such shanty towns, but local politicians looked the other way regarding the enforcement of the zoning laws.

The incident was initiated by water contamination of the 15,000-gallon liquid MIC storage tank. Many theories have been proposed to explain how this happened, but there is no publicly available evidence confirming any of these theories. The water caused the MIC to heat up and boil. The pressure in the storage tank increased until the relief system opened, discharging the MIC vapors directly into the air. The temperature of the MIC in the vessel was reported to reach 100°C—well above its boiling point. An estimated 25 tons of toxic MIC vapor was released. The incident occurred during the night when most residents in the adjacent shanty towns were asleep. The toxic cloud dispersed into the shanty town areas, with tragic consequences: The residents of the shanty towns suffered many of the deaths and the severest of injuries during the MIC release.

Prior to the incident, Union Carbide was viewed as a large, well-respected, high-tech American company. In 1980, its annual sales totaled $9 billion. The company had 116,000 employees at 500 sites. It had successfully operated the Oak Ridge National Lab for 40 years—a very important facility for the U.S. nuclear program. Union Carbide produced many well-recognized consumer products, including Eveready batteries, Prestone antifreeze, and Linde gases. Graduating chemical engineers considered Union Carbide a “must interview” company and a very desirable employer.

Before the incident, Union Carbide stock traded for a price between $50 and $58. In early 1985, after the Bhopal incident, the stock price dropped to $32 to $40. Union Carbide also became the target of a hostile takeover by GAF Corporation. To repel this takeover, Union Carbide was forced to sell its consumer products division—its most profitable division. In 1986, the company sold assets worth $3.3 billion to repurchase 38.3 million shares of stock in an effort to protect the company from further takeovers. It was able to retain its commodity chemicals division.

In February 1989, the Supreme Court of India mediated payment of $470 million from Union Carbide and Union Carbide India. Union Carbide paid the settlement within 10 days of the order.

The downward spiral of Union Carbide continued until the remaining assets were purchased by Dow Chemical in 1999. The Bhopal incident was the beginning of the end for Union Carbide.

In March 1985, the AICHE, responding to industry concerns about the Bhopal incident and chemical plant safety, established the Center for Chemical Process Safety. According to the Center, CCPS is “dedicated to improving the ability of engineers to deal with process hazards.” Today, CCPS is a world leader in chemical process safety.

The Bhopal incident also resulted in a considerable number of industry initiatives and government regulations related to process safety. Clearly, incidents have a lasting impact on the reputation of the chemical industry and can change the practice of chemical engineering forever.

Root causes are defined as “failures … that lead to an unsafe act or condition resulting in [an] accident.”¹⁴ For any accident, there are typically multiple root causes. If any of those root causes did not occur, then the accident would not have occurred. For the Bhopal incident, the immediate root cause of the incident was the presence of water in the MIC storage tank. Several other root causes occurred, including turning off the refrigeration system, the flare, and the NaOH scrubber system. If a detailed incident report were publicly available, other root causes would likely be identified. Although no official, publicly available, and detailed report of the Bhopal incident was ever published, publicly available information suggests almost all of the 20 elements of RBPS, as shown in Table 1-18, were involved.

¹⁴ AICHE/CCPS glossary, accessed November 27, 2017.

Example 1-5

For the Bhopal incident, identify the hazard(s), the initiating event, enabling conditions, conditional modifiers, and safeguards. Also determine whether the safeguards were preventive or mitigative.

Solution

The hazard of the Bhopal incident was the large quantity of toxic MIC present in the storage vessel. The initiating event for the incident was the introduction of water into the MIC storage tank, which caused the temperature of the MIC to increase to its boiling point. The enabling condition was the large quantity of MIC in the storage vessel.

There were many conditional modifiers, including the presence of the shanty town around the plant and its large population. Also, the incident occurred at night when everyone was asleep, and the weather conditions were such that there was little wind to rapidly transport and disperse the vapors. Emergency response was nonexistent, including emergency response in the community. These conditional modifiers did not directly cause the incident, but they resulted in increased consequences of the incident.

The safeguards were the refrigeration unit, flare, and scrubber. None of these were functioning at the time of the incident. The refrigeration unit was designed to keep the MIC cool and below its normal boiling point under normal storage conditions. It is not known if it had adequate capacity to handle the exothermic reaction due to the presence of water. Under normal circumstances, the refrigeration unit was preventive. The flare was designed to handle the vapors from the storage vessel; it was mitigative. It is not clear if it could handle the full vapors from the boiling MIC. The NaOH scrubber was designed only for routine releases from the storage vessel—most likely due to filling of the vessel and thermal expansion of the liquid. It was probably mitigative.

1-15 Overview of Chemical Process Safety

Process safety includes hazard identification and evaluation, as well as risk analysis. It can be simplified to the following questions:

  1. What are the hazards?

  2. What can go wrong and how?

  3. How bad can it be?

  4. How often can it happen?

  5. What is the risk?

  6. How do we control and manage this?

Question 1 is discussed in Chapter 2, Toxicology; Chapter 3, Industrial Hygiene; Chapter 6, Fires and Explosions; Chapter 8, Chemical Reactivity; and Chapter 11, Hazards Identification. Questions 2 and 3 are discussed in Chapter 4, Source Models; Chapter 5, Toxic Release and Dispersion Models; Chapter 6, Fires and Explosions; and Chapter 12, Risk Assessment. Questions 4, 5, 6, and 7 are discussed in Chapter 12, Risk Assessment.

Chapters 7, 9, 10, and 13 focus on systems designed to prevent specific types of incidents. Chapter 7, Concepts to Prevent Fires and Explosions, discusses common fire and explosion prevention methods. Chapter 9, Introduction to Reliefs, and Chapter 10, Relief Sizing, discuss the primary method to protect process systems from the damaging effects of high pressure. Chapter 13, Safety Procedures and Designs, presents incident prevention systems in general.

Suggested Reading

General Aspects of Chemical Process Safety

S. Mannan, ed. Lees’ Loss Prevention in the Process Industries, 4th ed. (London, UK: Butterworth-Heinemann, 2012).

S. Mannan, ed. Lees’ Process Safety Essentials (London, UK: Butterworth-Heinemann, 2013).

D. W. Green and M. Z. Southard, eds. Perry’s Chemical Engineers Handbook, 8th and 9th eds., Section 23: Process Safety (New York, NY: McGraw-Hill, 2008 and 2019).

J. A. Klein and B. K. Vaughen. Process Safety: Key Concepts and Practical Approaches (Boca Raton, FL: CRC Press, 2017).

Accident Statistics

U.S. Bureau of Labor Statistics, www.bls.gov

Marsh and McLennan Companies, The 100 Largest Losses, Large Property Damage Losses in the Hydrocarbon Industry. Search the web for “100 largest losses.”

AICHE/CCPS 20 Elements of Risk-Based Process Safety

Center for Chemical Process Safety. Guidelines for Risk Based Process Safety (New York, NY: American Institute of Chemical Engineers, 2007).

Center for Chemical Process Safety. Introduction to Process Safety for Undergraduates and Engineers (Hoboken, NJ: Wiley, 2016).

Inherently Safer Design

Center for Chemical Process Safety. Inherently Safer Chemical Processes: A Life Cycle Approach, 2nd ed. (Hoboken, NJ: Wiley, 2009).

T. Kletz and P. Amyotte. Process Plants: A Handbook for Inherently Safer Design, 2nd ed. (Boca Raton, FL: CRC Press, 2010).

Bhopal Incident

Chemical and Engineering News (February 11, 1985), p. 14.

John F. Murphy, Dennis Hendershot, Scott Berger, Angela E. Summers, and Ronald J. Willey. “Bhopal Revisited.” Process Safety Progress, 33, no. 4 (2014): 310–313.

Case Histories

U.S. Chemical Safety and Hazard Investigation Board, www.csb.gov.

CCPS Process Safety Beacon, electronically published monthly by email subscription and available at no charge in many languages. https://www.aiche.org/ccps/resources/process-safety-beacon

Problems

1-1. Engineering ethics: Write an essay on why you think safety (and process safety) is an important part of any engineering ethics statement.

1-2. Classify the following from 0 to 5 based on the hierarchy of safety programs provided in Table 1-3. Explain why.

  1. The company and plant executive teams are very receptive to any safety suggestions and the suggestions are reviewed and implemented on a timely basis.

  2. A change is made in a laboratory apparatus after a valve has leaked.

  3. A change is made in a laboratory apparatus after a JSA review is completed.

  4. The faculty member in charge of a laboratory has very little knowledge about safety.

  5. The faculty member in charge of a laboratory states that “Safety is very important!” but does nothing after a small accident.

  6. The company uses several leading safety metrics to assess its safety program.

  7. The laboratory meets all the rules in the safety manual.

  8. The faculty member in charge of a laboratory states that the safety program is interfering with the research efforts.

  9. The laboratory is a mess.

1-3. Safety culture: Classify the following activities as either strengthening or weakening process safety culture. Explain why.

  1. The plant manager schedules an important safety meeting that everyone must attend. At the meeting, the plant manager introduces a person from corporate safety and then excuses himself, stating that he has a more important meeting to attend elsewhere.

  2. The faculty member in charge of a research lab states that not everyone in the laboratory needs to wear safety glasses—only people who are doing hazardous operations. Visitors also do not need to wear safety glasses.

  3. The faculty member in charge of a research laboratory states that “No work is ever done in a clean lab!”

  4. The faculty member in charge of a research laboratory states that his students—not him—are in charge of the safety program and does little else.

  5. The plant manager institutes a suggestion box for safety ideas, and these ideas are discussed and resolved at the required safety meeting.

  6. A suggestion box for safety ideas is implemented, but it takes the plant management many months to respond to the suggestions.

  7. A research laboratory requires safety glasses, but the workers in the lab must purchase their own safety glasses.

  8. A research laboratory requires safety glasses. The safety glasses are provided but are available only in a room down the hallway.

  9. The laboratory safety manual has not been reviewed or updated in many years.

  10. The faculty member in charge of a teaching lab tells the students that they have primary responsibility for safety, and the faculty member provides the training, resources, management and continuous auditing to ensure that the students are successful.

1-4. Individual and societal risk: For the following cases, identify the primary risk population, classify the case as involving individual risk and/or societal risk, and identify the risk as voluntary or involuntary.

  1. A worker does not wear the required personal protective equipment for the chemicals being used.

  2. A large butane storage facility is built next to a congested neighborhood.

  3. A person drives a car from New York to Los Angeles.

  4. A person drives a car without wearing the seat belt.

  5. A person drives a car while intoxicated.

  6. An airplane is produced with a manufacturing defect.

  7. A tank truck containing gasoline is driven from the refinery to the gas station for unloading.

  8. An underground pipeline is routed through a residential area.

  9. A person climbs a cliff face solo.

1-5. Safety metrics: Classify the following as either leading or lagging safety metrics. Explain why.

  1. Number of reports of unsafe activities in a plant

  2. Number of near-miss incidents

  3. Money spent on insurance claims

  4. Number of visits to the plant first aid facility

  5. Number of process alarms that were managed without incident

  6. Time duration to complete maintenance

1-6. Accident and loss statistics: Return to Example 1-1. For parts (b) and (c), the length of time for both the hours-based fatal injury rate and the recordable incidence rate was 1 year. What time period is required for the hours-based fatal injury rate and the recordable incidence rate to be equal to the chemical manufacturing rates?

1-7. Accident and loss statistics: If the U.S. population in 2014 was 325 million people, calculate the deaths per 100,000 people from lightning strikes using the total fatalities from lightning in Table 1-13. Also calculate the fatality rate.

1-8. Use the risk matrix in Table 1-14 to determine the risk level for the Bhopal incident. Estimate the severity category, the safety severity level, the likelihood, and the risk level.

1-9. Codes, standards, and regulations: Go to the www.osha.gov web site and look up the OSHA regulation CFR 1910.119: Process Safety Management of Highly Hazardous Chemicals. Use Appendix A to determine the threshold quantities for the following chemicals. If your plant site exceeds this threshold quantity, then this standard applies.

  1. Ammonia, anhydrous

  2. Chlorine

  3. Hydrogen fluoride

  4. Propylene oxide

1-10. Safeguards: Classify the following safeguards as either preventive or mitigative.

  1. A safety instrumented system to shut down a process if an unsafe operating condition occurs.

  2. A foam system to reduce evaporation from a pool of leaked hydrocarbon.

  3. A dike around a storage vessel.

  4. A flow limiter is installed on a feed line to a chemical reactor to ensure that the reaction rate does not exceed a maximum value.

  5. Covers are placed over pipe flanges to prevent liquid spraying.

  6. A containment pond is built to collect any liquid runoff from a plant.

  7. A relief device is installed on a chemical reactor to protect the reactor vessel from the damaging effects of high pressure.

  8. A containment system is installed to collect the effluent from a relief device.

  9. The basic process control system.

  10. An emergency alarm system.

  11. An alarm system to notify the operator of out-of-limits process conditions.

  12. A gas chromatograph is installed to confirm chemical concentrations in a process.

  13. All plant operations personnel are given yearly emergency response training.

1-11. CCPS elements: Classify the following activities as being most directly related to one of the 20 elements of RBPS. Although many elements may be involved, list only the single most applicable element. An element may be used more than once.

  1. The plant has an open house for the local community.

  2. A plant-wide emergency response drill is completed once each quarter.

  3. A wide selection of courses on process safety is made available to the employees, and they are given the time and the motivation to enroll in and complete the courses.

  4. The plant manager demonstrates a shared responsibility for the plant safety.

  5. All contractors on site are required to watch a video with an overview of the plant process safety and may be required to complete additional safety training depending on the type of work.

  6. Participation in monthly safety meetings is required of all workers.

  7. A small incident is investigated by the safety committee, with a final report being issued with recommendations and follow-through.

  8. A permit system is developed to ensure that no welding or open flames are present when flammable liquids are handled.

  9. Critical safety instrumentation is calibrated on a regular basis by the instrumentation personnel.

  10. The plant site is audited on a regular basis by the corporate safety personnel.

  11. Plant operating procedures are reviewed and updated to ensure that they conform to actual practice.

  12. A management system is developed to ensure that all replacement equipment is identical in function to the original equipment.

  13. When the electrical code changes, the plant staff reviews the changes to ensure that the plant meets the revised codes.

  14. A hazard identification procedure is implemented for all existing processes.

  15. Technical documents, engineering drawings and calculations, and equipment specifications are placed online for all workers to use.

  16. A shutdown process is verified to be in a safe condition for restart.

  17. A documented operations program is established to maintain reliable worker performance.

  18. Leading and lagging metrics are established to gauge process safety performance.

  19. An annual evaluation is developed to determine if management systems are performing as intended.

  20. Appropriate information is made available to people who need it.

1-12. Inherently safer design: Which inherently safer design strategy applies to each of the following?

  1. A flammable solvent is used to control the temperature in a reactor. The solvent is replaced by a nonflammable solvent.

  2. A valve that requires 10 turns to close is replaced by a quarter-turn valve.

  3. The equipment in a process can withstand 10 bar gauge (barg) of pressure even though the actual process operates normally at 5 barg. The pressure relief valve opening pressure is reduced from 10 barg to 8 barg.

  4. A plant stores a large quantity of a hazardous intermediate chemical to keep the plant operating during upsets in the upstream process. The intermediate storage is eliminated and the process reliability is improved to prevent upsets and downtime.

  5. An alternative reaction pathway is used that involves less hazardous raw materials.

  6. The trays on a distillation column are replaced by structured packing, which operates over a wider range of operating conditions.

Additional homework problems are available in the Pearson Instructor Resource Center.
