See Introduction to Inherently Safer Chemical Process for more information relating to The Role of Inherently Safer Design Concepts in Process Risk Management.

How does inherently safer design fit into an overall process risk management program? To answer this question, it is first necessary to understand the definition of risk. Risk is defined as a measure of economic loss, human injury, or environmental damage in terms of both the incident likelihood and the magnitude of the loss, injury, or damage. Any effort to reduce the risk arising from the operation of a chemical processing facility can be directed toward reducing the likelihood of incidents (incident frequency), reducing the magnitude of the loss, injury, or damage should an incident occur (incident consequences), or some combination of both. In general, strategies for reducing risk, whether directed toward the frequency or the consequences of potential accidents, can be classified into four categories. These categories, in decreasing order of reliability, are:

  • Inherent: Eliminating the hazard by using materials and process conditions which are nonhazardous; e.g., substituting water for a flammable solvent.
  • Passive: Minimizing the hazard by process and equipment design features which reduce either the frequency or consequence of the hazard without the active functioning of any device; e.g., the use of equipment rated for higher pressure.
  • Active: Using controls, safety interlocks, and emergency shutdown systems to detect and correct process deviations; e.g., a pump that is shut off by a high level switch in the downstream tank when the tank is 90% full. These systems are commonly referred to as engineering controls.
  • Procedural: Using operating procedures, administrative checks, emergency response, and other management approaches to prevent incidents, or to minimize the effects of an incident; e.g., hot-work procedures and permits. These approaches are commonly referred to as administrative controls.

Risk control strategies in the first two categories, inherent and passive, are more reliable because they depend on the physical and chemical properties of the system rather than on the successful operation of instruments, devices, procedures, and people. Inherent and passive strategies differ, but are often confused. A truly inherently safer process will reduce or completely eliminate the hazard, rather than simply reducing its impact. The table below gives examples of the four risk management strategy categories. These categories are not rigidly defined, and some strategies may include aspects of more than one category.

Risk Management Strategy Category: Example / Potential for Failure

  1. Inherent
     Example: An atmospheric pressure reaction using nonvolatile solvents which is incapable of generating any pressure in the event of a runaway reaction.
     Potential for failure: There is no potential for overpressure of the reactor because of the chemistry and physical properties of the materials.

  2. Passive
     Example: A reaction capable of generating 150 psig pressure in case of a runaway, done in a 250 psig reactor.
     Potential for failure: The reactor can contain the runaway reaction. However, if 150 psig pressure is generated, the reactor could fail due to a defect, corrosion, physical damage or other cause.

  3. Active
     Example: A reaction capable of generating 150 psig pressure in case of a runaway, done in a 15 psig reactor with a 5 psig high pressure interlock to stop reactant feeds and a properly sized 15 psig rupture disk discharging to an effluent treatment system.
     Potential for failure: The interlock could fail to stop the reaction in time, and the rupture disk could be plugged or improperly installed, resulting in reactor failure in case of a runaway reaction. The effluent treatment system could fail to prevent a hazardous release.

  4. Procedural
     Example: The same reactor described in Example 3 above, but without the 5 psig high pressure interlock. Instead, the operator is instructed to monitor the reactor pressure and stop the reactant feeds if the pressure exceeds 5 psig.
     Potential for failure: There is a potential for human error, the operator failing to monitor the reactor pressure, or failing to stop the reactant feeds in time to prevent a runaway reaction.

Note: These examples refer only to the categorization of the risk management strategy with respect to the hazard of high pressure due to a runaway reaction. The processes described may involve trade-offs with other risks arising from other hazards. For example, the nonvolatile solvent in the first example may be extremely toxic, and the solvent in the remaining examples may be water. Decisions on process design must be based on a thorough evaluation of all of the hazards involved.
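To make the "potential for failure" column concrete, the following added example (not from the original page) walks the four table examples through one constructed runaway pressure ramp and a set of assumed component faults, using the page's own setpoints (5 psig trip, 15 psig rupture disk, 250 psig vessel). The ramp rate, the fault flags and the operator delay are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed runaway trajectory: reactor pressure in psig sampled once a minute,
# rising toward the 150 psig the table assigns to an uncontrolled runaway (assumed rate).
RUNAWAY_PSIG = [0, 2, 4, 7, 11, 16, 24, 35, 50, 70, 95, 125, 150]

@dataclass
class Faults:
    """Assumed failures of the defenses named in the table's right-hand column."""
    vessel_defect: bool = False     # passive: the 250 psig vessel is weakened
    interlock_fails: bool = False   # active: the 5 psig trip does not stop the feeds
    disk_plugged: bool = False      # active/procedural: the 15 psig rupture disk is blocked
    operator_delay_min: int = 0     # procedural: minutes from >5 psig until feeds are stopped

def relief_disk(faults):
    # 15 psig rupture disk to effluent treatment, shared by examples 3 and 4.
    return "reactor failure" if faults.disk_plugged else "vented to treatment"

def inherent(faults):
    # Nonvolatile solvent at atmospheric pressure: no pressure can be generated,
    # so the outcome is independent of every fault flag.
    return "safe"

def passive(faults):
    # A 250 psig vessel holds the 150 psig runaway unless the vessel itself is defective.
    return "reactor failure" if faults.vessel_defect else "safe"

def active(faults):
    for p in RUNAWAY_PSIG:
        if p >= 5 and not faults.interlock_fails:
            return "safe"                 # feeds stopped by the 5 psig interlock
        if p >= 15:
            return relief_disk(faults)    # interlock missed; last line is the disk
    return "safe"

def procedural(faults):
    # The operator must notice >5 psig and stop the feeds before the 15 psig vessel limit.
    for minute, p in enumerate(RUNAWAY_PSIG):
        if p > 5:
            stop_minute = minute + faults.operator_delay_min
            in_time = stop_minute < len(RUNAWAY_PSIG) and RUNAWAY_PSIG[stop_minute] < 15
            return "safe" if in_time else relief_disk(faults)
    return "safe"

def evaluate(faults):
    """Outcome of each strategy category for one combination of assumed faults."""
    return {f.__name__: f(faults) for f in (inherent, passive, active, procedural)}

if __name__ == "__main__":
    for scenario in (Faults(), Faults(interlock_fails=True, operator_delay_min=3, disk_plugged=True)):
        print(scenario, "->", evaluate(scenario))
```

The inherent row is the only one whose outcome is unchanged by any fault flag; each later row adds another device or person that must work.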

There are also opportunities for making active and procedural risk management systems inherently safer. For example, consider two alternative designs for a high pressure interlock for a vessel:

  1. A pressure sensor giving a continuous indication which is displayed on the control panel and can be observed by the operator. The sensor has a high pressure safety interlock set at a predetermined pressure that activates an emergency shutdown system.
  2. The same system, but with an on-off pressure switch set to activate the emergency shutdown system if the pressure reaches the predetermined point. The pressure switch remains inactive as long as the pressure is below its trip point.

Design alternative 1 is inherently safer because the pressure sensor provides continuous feedback to the operator. The operator has some confidence that the pressure sensor is working (although not complete assurance as it could be indicating incorrectly), and may observe that pressure is increasing before it reaches the high pressure trip point. However, both design alternatives are still classified as active systems. The first alternative is an inherently safer implementation of an active safety system.
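The difference between the two interlock designs can be shown in code. This added example (not from the original page) samples a constructed pressure trace once a minute: the continuous transmitter of design 1 yields a rate-of-rise warning before the trip and can reveal a frozen signal, while the on-off switch of design 2 produces no observable output until the trip point, so a failed switch looks identical to a healthy one on a normal day. The 5 psig trip is the page's setpoint; the rate-alarm threshold and the frozen-sample count are assumptions.

```python
TRIP_PSIG = 5.0                # predetermined high-pressure trip point (from the text)
RATE_ALARM_PSIG_PER_MIN = 1.5  # assumed rate-of-rise pre-alarm, one sample per minute
FROZEN_SAMPLES = 4             # assumed: this many identical readings = suspect transmitter

# Constructed one-minute pressure traces (psig).
RUNAWAY = [0.5, 0.6, 0.8, 1.9, 3.6, 5.2, 7.0]   # rises through the trip point
FROZEN = [0.5, 1.2, 1.2, 1.2, 1.2, 1.2]         # transmitter stops responding
NORMAL = [0.5, 0.7, 0.6, 0.8, 0.7]              # uneventful batch

def continuous_sensor(readings):
    """Design 1: transmitter displayed continuously. Returns the first minute at
    which each operator-visible event occurs (None if it never does)."""
    first = {"rate_alarm": None, "sensor_suspect": None, "trip": None}
    for i, p in enumerate(readings):
        if i > 0 and first["rate_alarm"] is None and p - readings[i - 1] >= RATE_ALARM_PSIG_PER_MIN:
            first["rate_alarm"] = i          # pressure climbing: operator can act before the trip
        window = readings[max(0, i - FROZEN_SAMPLES + 1): i + 1]
        if len(window) == FROZEN_SAMPLES and len(set(window)) == 1 and first["sensor_suspect"] is None:
            first["sensor_suspect"] = i      # a perfectly flat signal suggests a stuck sensor
        if p >= TRIP_PSIG and first["trip"] is None:
            first["trip"] = i                # emergency shutdown demanded
    return first

def pressure_switch(readings, switch_healthy=True):
    """Design 2: on-off switch. Its only output is the trip itself; below the
    setpoint it is silent, so a failed switch cannot be told from a good one."""
    for i, p in enumerate(readings):
        if switch_healthy and p >= TRIP_PSIG:
            return {"trip": i}
    return {"trip": None}

if __name__ == "__main__":
    for name, trace in (("runaway", RUNAWAY), ("frozen", FROZEN), ("normal", NORMAL)):
        print(name, continuous_sensor(trace), pressure_switch(trace), pressure_switch(trace, False))
```

Both designs are still active systems; the transmitter simply exposes the sensor's health and the approach to the trip point, which is what the text means by an inherently safer implementation.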

In general, strategic approaches (the inherent and passive risk management categories) are best implemented at an early stage in the process or plant design. Tactical approaches include the active and procedural risk management categories. Tactical approaches tend to be implemented much later in the plant design process, or even after the plant is in operation, and often involve much repetition, increasing both the costs and the potential for failure.

See Consideration for Inherently Safer Options for more information relating to The Role of Inherently Safer Design Concepts in Process Risk Management.