Bridging the Gap: Applying Inherently Safer Design in Operational Plants

Introduction – Bridging the Gap

Inherently Safer design (ISD) is often perceived as a luxury reserved for greenfield developments, and it's all too tempting for brownfield projects to reach for extra alarms and administrative controls instead. But escalating insurance premiums, tighter regulations and an ageing asset base is forcing operators to look again at how they manage inherent risk. Embedding ISD thinking into upgrades and the Management Of Change (MOC) cycle can lower life‑cycle cost, improve uptime and boost regulatory confidence ¹. This article sets out a journey from concept design, through the operational phase and to retrofit, showing where ISD levers fit and how simple decision tools can help engineers take inherently safer options more seriously.

ISD Across the Asset Lifecycle: From Concept to De‑commissioning

ISD rests principally on four classical strategies: minimisation, substitution, moderation and simplification ¹. In essence, they favour avoiding hazards over surrounding hazards with safeguards. Additional strategies - error tolerance, segregation, fail-safe design etc. - extend the ISD palette. The lifecycle starts at concept design, where core decisions on chemistry, inventory and layout are easiest and have the largest impact. Here is where the application of ISD and its benefits are most obvious. But there are also opportunities later in the lifecycle, when detailed design converts those decisions into specifications and control logic, and in the operational phase when periodic Process Hazard Analysis (PHA) revalidation and MOC projects can revisit design options. There are even opportunities during de‑commissioning, for example by improving isolations and removing obsolete equipment to further simplify residual risk.

Structured indices, like the Inherent System Safety Index (ISSI) offer ways of making design trade‑offs more visible, and ranking alternatives against one another (e.g. by toxicity, flammability, inventory and complexity), supporting retrofit decisions without the need for full Quantitative Risk Analysis (QRA) ². Qualitative tools like simple checklists and matrices offer lighter‑weight options.

Overcoming Barriers to ISD Adoption in Operating Plants

So why is ISD still rare beyond the drawing board? There seems to be a belief that inherent risk is “baked‑in” as soon as the steel is erected, and that can discourage creative thinking. Engineers are also somewhat conditioned to reach for QRA, and if the mitigated risk is broadly acceptable or ALARP then there can be a feeling that the job is done; if the risk is already low, why analyse alternatives? Furthermore, regulators have - until relatively recently - given few incentives to retrofit inherent safety measures; that is changing. The UK Control of Major Accident Hazards (COMAH) Competent Authority reminds duty‑holders that hazards should be avoided or reduced at source during every safety report update ³. In the United States, the USEPA’s Safer Communities by Chemical Accident Prevention rule mandates Safer Technologies & Alternatives Analysis (STAA) for higher‑hazard Risk Management Program (RMP) facilities, effectively embedding an ISD test into the approval cycle ⁴.

Economic signals can (and should) be used to reinforce a shift towards ISD. Case studies show inventory‑reduction projects pay back through lower maintenance, smaller impoundments and lower working capital requirements; ISD delivers fewer potential leak points and enables shorter turnarounds ¹.

ISD in Brownfield Retrofits: Practical Opportunities

How can we apply ISD principles in brownfield projects? Let's focus on the main four ISD strategies.

Minimisation – Reducing Hazardous Inventory

Switching large batch processes for skid‑mounted mini-processes, or implementing just‑in‑time delivery, can cut on‑site inventories significantly. Many refineries have paired such projects with capacity expansions to successfully offset capital cost ¹. Trade‑off scoring with ISSI will help highlight any intensification side‑effects before decisions are locked in ².

Substitution – Selecting Safer Chemistry

The obvious example is where operators have swapped flammable solvents for aqueous systems. Other examples include:

• Compressor seals once lubricated with mineral oil now employing inert barrier gas.
• Replacing anhydrous ammonia with low-toxicity synthetic refrigerants in non-critical systems to reduce off-site toxic impact potential.
• Moving from pyrophoric hydrogenation catalysts (e.g. Raney nickel) to non-pyrophoric supported catalysts to lower handling risks.
• Replacing hydrogen sulphide scavengers containing volatile amines with solid-phase scavengers to reduce inhalation hazards in desulphurisation units.
• Substituting methanol with environmentally benign glycols (or water-based fluids where hydrate risk is lower).

Moderation – Moving to Gentler Conditions

Moderation (sometimes referred to as attenuation) focuses on reducing the severity of process conditions – for example, by lowering pressures, temperatures, or concentrations – so that if an incident occurs, its consequences are less severe. This can also include diluting hazardous materials with inert carriers, or using equipment that inherently limits stored energy. The key is to keep the process viable while bringing conditions closer to ambient where possible, often through process intensification or improved heat and mass transfer.

Examples from high-hazard operations include:

• Lower-pressure distillation – installing high-efficiency condensers to allow one polymer plant to drop column pressure from 8 barg to 4 barg while keeping throughput constant, eliminating two relief valves and halving flare load ¹.
• Catalytic membrane reactors – enabling hydrogenation at lower temperature and pressure, although kinetics and product purity must be reassessed before adoption.
• Dilution of hazardous feeds – blending reactive monomers with inert diluents during transfer to reduce vapour hazard until they reach the point of reaction.
• Cold-side quenching – using low-temperature heat exchangers to moderate exothermic reactions early, reducing the risk of runaway and decreasing relief system load.

In retrofit contexts, moderation opportunities often arise when replacing heat exchangers, upgrading control systems, or re-rating vessels. These changes can be justified not only on safety grounds but also through reduced energy costs and lighter-duty equipment requirements.

Simplification – Designing Out Complexity

Simplification aims to remove unnecessary steps, components, or modes of operation so there are fewer opportunities for error, fewer potential leak paths, and less that can degrade over time. This can be as straightforward as reducing the number of manual valves in a run, or as strategic as eliminating entire subsystems whose function can be achieved more simply elsewhere.

General approaches include:

• Reducing the number of control loops, interfaces, and hand-offs between systems.
• Standardising equipment types and specifications to simplify operation and maintenance.
• Using passive features (e.g. welded connections, gravity drainage) in preference to active or mechanical devices that require ongoing inspection.

Examples from brownfield upgrades include:

• Welded over flanged – pipe racks renovated during turnaround can replace gasketed spools with fully welded headers, removing hundreds of potential leaks.
• Control room relocation – moving motor-control centres or operator stations outside hazardous zones reduces electrical classification requirements and simplifies maintenance regimes ³.
• One-valve isolation – rationalising manifold arrangements so that each branch has a single, clearly-identified isolation point rather than a sequence of valves with complex lock-out/tag-out requirements.
• Eliminating redundancy where not required – removing duplicated pumps or compressors in non-critical services, cutting maintenance effort and spare parts inventory without affecting uptime targets.

When planned during retrofit, simplification can deliver long-term OPEX savings by reducing inspection scope, freeing up labour for critical tasks, and improving overall plant resilience.

Integrating ISD into into PHA Revalidation and MOC

PHA & MOC Triggers

Periodic PHA revalidations are the natural home for deeper inherent-safety brainstorming. Each node/scenario should be started by asking whether the hazards can be minimised, substituted, moderated or simplified before any credit is given to existing safeguards. Pre-PHA data packs should therefore include inventory maps, alternative-chemistry options and lessons learned from prior MOCs so the team can benchmark “inherent” against “engineered” risk.

Recording ISD ideas in the PHA action log ensures they are formally considered at the same level as recommendations for additional protection layers.

For Management of Change, the same philosophy can be applied, but in a more dynamic and decision-focused way. Every MOC form should carry an explicit ISD prompt: “Could minimisation, substitution, moderation or simplification reduce the hazards?” The intent is to pause the change process and force the originator, reviewers and approvers to consider whether the proposed modification could be done in a safer, simpler or lower-energy way before committing to detailed design.

It shouldn't become "another box to tick". Responses should be specific and recorded – even a brief note such as “no alternative chemistry available” or “equipment downsizing possible” helps build a searchable history of past considerations. These entries can feed into a concise ISD checklist, and where an option scores well against feasibility, cost and hazard reduction, it should be flagged for concept development.

Making ISD review a routine gate in the MOC workflow means it's applied consistently, even when time pressures or the absence of an ISD champion might otherwise cause it to be overlooked.

Governance & Metrics

Strong governance is what turns good intentions into routine practice. Many organisations have now inserted an ISD review gate before projects progress to funding or detailed design. This ensures that proposals have at least been tested against ISD principles before funding is committed.

Progress is far easier to defend when it’s visible ³, so it's important to track meaningful metrics. These might include “kilograms of hazardous inventory permanently removed per project”, “percentage of changes using welded over flanged joints”, or “number of high-temperature systems replaced with ambient-temperature alternatives”. The trick is to focus on measures that clearly connect to hazard reduction – not just activity counts – so teams can see the benefit and the management can recognise the achievements.

Tools & Competence

Even the best ISD ideas will stall if teams lack the tools or confidence to develop them. Where resources allow, digital twins can be used to quickly model sensitivity cases, showing how a proposed change might reduce (or shift) the hazards. Where resources are more limited, spreadsheet-based ISSI tools or hazard-ranking checklists can still support quick, qualitative screening ².

ISD competence should extend beyond the process safety team. Training operations, maintenance, and procurement staff in ISD vocabulary may also help eliminate cultural resistance and preserve the basis of safety so future projects don't erode any gains made. A fitter who knows that welded joints reduce fugitive emissions is more likely to query an unnecessary flange; a buyer who understands “basis of safety” is less likely to source a cheaper but risk-eroding alternative. This shared vocabulary can prevent well-meaning changes from chipping away at earlier hazard reductions.

Challenges, Trade‑offs & Mitigation

We live in the real world, though, so we probably shouldn't expect that our ISD proposals will be straightforward to implement. Common friction points include:

Capital and Pilot Risk. Some inherently safer options carry higher front‑end cost, but life‑cycle costing - usually including lower maintenance and sometimes attracting reduced insurance premiums - often tips the balance in favour of ISD.

Hazard Trade‑offs. Some compromises are inevitably required. For example, a substitution proposal could suppress a flammability hazard while simultaneously increasing a corrosivity hazard; multi‑hazard indices can help expose such shifts before they’re locked in ².

Operational Resistance. Operators may see ISD changes as disruptive or unproven. Involving them early on, using transparent scoring, and linking proposals to tangible workload reductions will help build trust.

Design‑Intent Drift. Even a strong concept can be diluted by cost-cutting, procurement substitutions, or construction shortcuts. Maintaining a clear, traceable basis of design – and linking specs directly to ISD principles – helps protect intent through to commissioning without execution dilution ⁴.

Regulatory Thresholds. Changes to inventory or hazardous properties can affect regulatory status – for example, moving a site between COMAH tiers. Engaging regulators early on will avoid last-minute surprises ³.

Roadmap for Operators

Here's a practical starting point for embedding ISD into day-to-day operations:

1. Select a pilot retrofit project with enough multi-disciplinary visibility to gather lessons and build internal credibility. Record hazards, costs, and operability metrics from day one.
2. Insert ISD checkpoints into both PHA and MOC workflows. If inherent-safety options haven’t been considered, send the proposal back – make it a non-negotiable gate.
3. Provide a retrofit‑focused toolkit - a simple mix of checklists, worked examples, and decision aids – so that teams can identify opportunities without starting from scratch.
4. Train cross‑functional teams so that designers, process safety engineers, operators, maintainers and procurement speak the same ISD language.
5. Share internal success stories backed by numbers: inventory removed, reduced planned and unplanned maintenance, cost savings. Evidence builds momentum faster than slogans.

Conclusion

The gulf between design‑stage ISD theory and live‑plant reality is narrowing. Regulatory drivers, economic pressures and a maturing suite of decision tools mean that ISD in the operational phase is no longer forgotten. By embedding lifecycle thinking into governance gates, using simple but visible metrics, and protecting the basis of safety through execution, operators can turn plant changes into opportunities to remove hazards rather than simply manage them. Adopters will reap lower costs, improved operability and a stronger licence to operate, setting a benchmark for inherently safer, more resilient facilities.