amyotte inherent safety

8/6/2019 Amyotte Inherent Safety

1/14

Incorporation of Inherent

Safety Principles in ProcessSafety ManagementPaul R. Amyotte,a Attiq U. Goraya,a Dennis C. Hendershot,b and Faisal I. Khanca Department of Process Engineering and Applied Science, Dalhousie University, Halifax, NS,

Canada; [email protected] (for correspondence)b

Chilworth Technology Inc., Plainsboro, NJc Faculty of Engineering and Applied Science, Memorial University, NL, Canada

Published online 10 August 2007 in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/prs.10217

Process safety management (PSM) deals with theidentification, understanding, and control of processhazards to prevent process-related injuries and inci-dents. Explicit incorporation of the principles of in-herent safety in the basic definition and functionaloperation of the various PSM elements can help toimprove the quality of the safety management effort.

Numerous inherent safety examples, both technicaland nontechnical, are given in this paper. Existingqualitative and quantitative tools that already include,or could incorporate, inherent safety are described.

Recently developed inherent safety tools for quantitativehazard identification and assessment are identified

from either the literature or the current authors work.Qualitative protocols for incorporating inherent safetyinto PSM elements are also presented. The language ofinherent safety, although largely unused in PSM docu-mentation, has a key role to play in enhancing theeffectiveness of PSM. 2007 American Institute ofChemical Engineers Process Saf Prog 26: 333346, 2007

Keywords: inherent safety; process safety; process safety management

INTRODUCTION

The scope of the review presented in this paper isthe prevention and mitigation of process incidents.The primary objective is to explicitly incorporate theprinciples of inherent safety within a process safetymanagement (PSM) system. The motivation for this

work stems from the authors belief that although in-

herent safety is increasingly viewed as an integralcomponent of process safety, more effective linkagesbetween the two concepts are required to further theusage of inherent safety principles. This explains ouruse in the above statement of the term, to explicitlyincorporate; our intent is to increase the visibility ofthe opportunities for inherent safety consideration inPSM. In essence then, the paper attempts to providea roadmap for accomplishing the primary objectivedescribed above. While the concepts describedherein may be well established in some quarters ofthe process industries, the notion of unification

within a management system is not (as shown in latersections of this paper).

Further motivation for the current overview paperis found in the comments of workers who havereviewed the field of inherent safety and inherentlysafer design (among others, Bollinger et al. [1], Guptaand Edwards [2], Kletz [3], and Khan and Amyotte [4]).For example, Khan and Amyotte [4] have remarkedthat the various elements of PSM can be seen to haveat least a partial basis in inherent safety. This fact hasbeen recognized by companies that have incorporatedinherent safety as a named feature in their safetymanagement documentation and have developed in-ternal standards for the use of inherent safety princi-ples. Yet the term inherent safety is typically notnamed as such in the general description of PSM sys-tems. According to Bollinger et al. [1], explicit use ofinherent safety terminology within such managementsystems is a possible means of furthering the adoptionof inherent safety principles in industry.

The remainder of this paper is structured in thefollowing manner. Brief reviews of inherent safetyand its basic principles, and the concept of a PSM

This work was supported by Natural Sciences and Engineering ResearchCouncil of Canada.

2007 American Institute of Chemical Engineers

Process Safety Progress (Vol.26, No.4) December 2007 333


2/14

system, are first given. These are followed by recentincident data from the Canadian chemical industry tohighlight the elements of PSM and their importancein preventing and mitigating process incidents. Thesubsequent section provides suggestions on how toincorporate inherent safety within the framework of aPSM system in both qualitative and quantitative man-ners; examples are given throughout this section. The

final section offers concluding remarks aimed at sum-marizing the key points of the paper.

INHERENT SAFETY

Loss prevention in the chemical process industries(CPI) is generally considered in three ways: (1) engi-neered safety (passive and active), (2) proceduralsafety, and (3) inherent safety. Engineered, or add-on, safety involves the addition of safety devices atthe end of the design. These safety devices do notperform any fundamental operation, but are designedto act when a process upset occurs. Procedural safetymeasures, or administrative controls, utilize safe work

practices and procedures to reduce risk. On the otherhand, inherent safety uses the properties of a materialor process to eliminate or reduce the hazard. Thefundamental difference between inherent safety andthe other two categories is that inherent safety seeksto remove the hazard at the source as opposed toaccepting the hazard and looking to mitigate theeffects.

The formal concept of inherent safety was firstproposed in the late 1970s by Kletz in his Jubilee Lec-ture to the Society of Chemical Industry in Widnes,England [5]. Since that time inherent safety has madeseveral inroads into the CPI, with its current statushaving been the subject of the previously mentioned

reviews [14]. It is well accepted in the CPI that thereexists a desired hierarchical relationship among safetymeasures with the order of effectiveness (highest tolowest) being inherent, passive engineered, activeengineered, and procedural [6].

An inherently safer plant, by virtue of its design,generates little or no damage in the event of an inci-dent. The principles of inherent safety describe thedifferent ways to achieve an inherently safer plant.The four most general and widely applicable princi-ples are minimization, substitution, moderation, andsimplification. The idea behind the minimizationprinciple is to lessen the hazard, be it through usingsmaller quantities of hazardous material or perform-

ing a hazardous procedure fewer times. With thesubstitution principle, one looks to replace a haz-ardous material, process route, or procedure withone that is less hazardous, thus eliminating orreducing the hazard. The principle of moderationseeks to use hazardous materials under less-hazard-ous conditions or in a less-hazardous form when theuse of those materials cannot be eliminated or mini-mized. The final principle is simplification, in whichthe goal is to design processes and equipment toreduce the opportunities for errors by eliminatingexcessive use of add-on safety features and protec-tive devices.

PROCESS SAFETY MANAGEMENT

A key engineering risk tool is a management sys-tem appropriate for the risks being addressed (e.g.health, occupational safety, process safety, equipmentreliability). Safety management systems are recog-nized and accepted worldwide as best-practice meth-ods for managing risk. They typically consist of 1020program elements that must be effectively carried out

to manage the risks in an acceptable way. This needis based on the understanding that once a risk isaccepted, it does not go away; it is there waiting foran opportunity to happen unless the managementsystem is actively monitoring company operations forconcerns and taking proactive actions to correctpotential problems.

Having an effective management system for proc-ess-related hazards (fire, explosion, release of toxicmaterials, etc.) is therefore a critical corporate objec-tive in the CPI. An approach widely used in the Ca-nadian chemical industries is PSM (where PSM isdefined as the application of management principlesand systems to the identification, understanding, and

control of process hazards to prevent process-relatedinjuries and accidents). The complete suite of PSMelements is shown in Table 1, taken from the ProcessSafety Management Guide of the Canadian Societyfor Chemical Engineering (CSChE) [7].

This guide was prepared by the Process Safety Working Group of the former Major Industrial Acci-dents Council of Canada (MIACC) in conjunction

with the Process Safety Management Committee ofthe Canadian Chemical Producers Association(CCPA). With the dissolution of MIAC in 1999, rightsto the guide were transferred to the CSChE. The ma-terial in the CSChE PSM guide [7] is based on thatdeveloped by the Center for Chemical Process Safety

(CCPS) of the American Institute of Chemical Engi-neers (AIChE), e.g. [8]. This route was adoptedbecause the CCPS approach to PSM was determinedto be comprehensive, well-supported by referencematerials, tools, and an organizational structure, andbased on a benchmark of leading or good industrypractice rather than on minimum standards [7].

Table 1 will therefore look quite familiar to PSMpractitioners in the United States. There is a difference,however, between PSM practice in the two countriesin that Canada does not have the full legislative andregulatory requirements of the United Sates (or Euro-pean countries) in relation to the management of risksarising from major industrial hazards. The Canadian

approach has typically been to rely more heavily upon voluntary initiatives for health, safety, and environ-mental programs. This does not mean that there areno laws in Canada to regulate public health, workersafety, environmental protection, transportation of dan-gerous goods, and the like. Such legislation and regu-lations do, of course, exist. The fact remains, though,that the general regulatory regime in Canada withrespect to PSM is different than in many other parts ofthe world (compared with, for example, the Risk Man-agement Program promulgated by the US Environmen-tal Protection Agency, the Process Safety ManagementRule enforced by the US Occupational Safety and

334 December 2007 Published on behalf of the AIChE DOI 10.1002/prs Process Safety Progress (Vol.26, No.4)


3/14

Health Administration, and the Seveso II Directive

mandated throughout the European Union for thecontrol of major hazards involving dangerous substan-ces). The paper by Lacoursiere [9] explains the volun-tary, best-practice approach to control of major haz-ards in Canada and, most importantly, summarizesseveral recent happenings that herald a possiblechange in the Canadian regulatory climate with respectto hazard control and risk management.

PROCESS INCIDENT DATA

The CCPA Process Safety Management Committeecollects and analyzes data on an annual basis forprocess-related incidents reported by CCPA member

companies. This occurs through a procedure known

as Process-Related Incidents Measure (PRIM). The2004 PRIM analysis of 89 incidents demonstrated thatsix of the PSM elements in Table 1 contributed to85% of the total incidents (as shown in Table 2).

In the context of the current paper, a possible useof the data shown in Table 2 is to prioritize the PSMelements in Table 1 for particular attention withrespect to inherent safety consideration. This processcould be assisted by the breakdown of each PSM ele-ment into its components (or subelements) as illus-trated in Figure 1 for element 6, process and equip-ment integrity. Figure 1 gives incident data for 2004as well as the five reporting periods prior to 2004.

Table 1. Elements and components of Process Safety Management (PSM).

No. Element Component

1 Accountability:objectives and goals

1.1. Continuity of operations; 1.2. Continuity of systems; 1.3. Continuity oforganization; 1.4. Quality process; 1.5. Control of exceptions; 1.6.

Alternative methods; 1.7. Management accessibility; 1.8. Communications;1.9. Company expectations

2 Process knowledge anddocumentation 2.1. Chemical and occupational health hazards; 2.2. Process definition/designcriteria; 2.3. Process and equipment design; 2.4. Protective systems; 2.5.Normal and upset conditions (operating procedures); 2.6. Process riskmanagement decisions; 2.7. Company memory (management ofinformation)

3 Capital project reviewand design procedures

3.1. Appropriation request procedures; 3.2. Hazard reviews; 3.3. Siting; 3.4.Plot plan; 3.5. Process design and review procedures; 3.6. Projectmanagement procedures and controls

4 Process risk management 4.1. Hazard identification; 4.2. Risk analysis of operations; 4.3. Reduction ofrisk; 4.4. Residual risk management; 4.5. Process management duringemergencies; 4.6. Encouraging client and supplier companies to adoptsimilar risk management practices; 4.7. Selection of businesses withacceptable risk

5 Management of change 5.1. Change of process technology; 5.2. Change of facility; 5.3. Organizational

changes; 5.4. Variance procedures; 5.5. Permanent changes; 5.6. Temporarychanges6 Process and equipment

integrity6.1. Reliability engineering; 6.2. Materials of construction; 6.3. Fabrication and

inspection procedures; 6.4. Installation procedures; 6.5. Preventativemaintenance; 6.6. Process, hardware and systems inspection, and testing;6.7. Maintenance procedures; 6.8. Alarm and instrument management; 6.9.Decommissioning and demolition procedures

7 Human factors 7.1. Operator-process/equipment interface; 7.2. Administrative control versushardware; 7.3. Human error assessment

8 Training andperformance

8.1. Definition of skills and knowledge; 8.2. Design of operating andmaintenance procedures; 8.3. Initial qualifications assessment; 8.4. Selectionand development of training programs; 8.5. Measuring performance andeffectiveness; 8.6. Instructor program; 8.7. Records management; 8.8.Ongoing performance and refresher training

9 Incident investigation 9.1. Major incidents; 9.2. Third party participation; 9.3. Follow-up andresolution; 9.4. Communication; 9.5. Incident recording, reporting, andanalysis; 9.6. Near-miss reporting

10 Company standards,codes, and regulations

10.1. External codes/regulations; 10.2. Internal standards

11 Audits and correctiveactions

11.1. Process safety management systems audits; 11.2. Process safety audits;11.3. Compliance reviews; 11.4. Internal/external auditors

12 Enhancement of processsafety knowledge

12.1. Quality control programs and process safety; 12.2. Professional trade andassociation programs; 12.3. CCPS program; 12.4. Research, development,documentation, and implementation; 12.5. Improved predictive system;12.6. Process safety resource centre and reference library

Process Safety Progress (Vol.26, No.4) Published on behalf of the AIChE DOI 10.1002/prs December 2007 335


4/14

This analysis is ongoing, and at this point, onlybroad conclusions are being drawn as to the relativeimportance of particular PSM elements, and especially

with respect to trend analysis from year to year(Figure 2). For example, it seems reasonable to con-

clude from Figure 1 that preventative maintenanceand maintenance procedures have historically beenthought to contribute significantly to incident causa-tion when process and equipment integrity has beenflagged. A defensible conclusion from Figure 2 is thatfor the past 7 years, deficiencies in PSM elements 27inclusive have been key contributors to process-related incidents in Canadian chemical companies.The importance attached to each of these six ele-ments has varied over this period, but each hascrossed an arbitrary threshold of having contributedto at least 10% of the total incidents during a given

year (at least once during the 7-year period).

INHERENT SAFETY IN PSMA FRAMEWORK

The objective in this section is to synthesize the pre-viously discussed material into a framework for explic-itly incorporating the principles of inherent safety (min-imize, substitute, moderate, and simplify) within PSM(the 12 elements in Table 1). As described in the pre-ceding section, a strategic, prioritized approach wouldbe to focus initially on PSM elements 27 inclusive.This is the route taken here, although mainly due tospace limitations. The conference paper [10] on whichthe current work is based reviews all 12 elements,highlighting inherent safety opportunities for each.

The examples provided in the remainder of the cur-

rent paper are by no means all-inclusive, but hopefullyenough example-based guidance is given to enablethe approach to be adopted by others if desired. Thequantitative techniques proposed have all been tested

with industrial data to validate their applicability inthese selected cases. For the qualitative techniques, thefollowing general methodology is recommended:

Identification or development of a suitable pro-tocol for the activity (e.g. incident investigation,as described in a previous study [11]). The pro-tocol must incorporate the management func-tions of plan, do, check, act (i.e. the continuousimprovement cycle).

Use of inherent safety guidewords and checklistsat appropriate points in the protocol. Guidewordsand checklists are well-established, proven toolsthat are widely used in process safety [11].

Validation of the inherent safety-based protocolvia examples and case studies.

Inherent Safety GuidewordsRecommended inherent safety guidewords and

their description are shown in Table 3 [11]. Theseguidewords are simply the four most general and

widely applicable principles of inherent safety (aspreviously mentioned). The description for each ispurposely brief and is focused on materials, processroutes, equipment, and procedures. Use of theseguidewords as mind triggers during a particularprocess safety activity (e.g. management of change(MOC) or incident investigation) will help ensure thatthe concepts of inherent safety are visible within theactivity. These guidewords are intended as a supple-ment to existing tools that may already be in use

within a specific process safety protocol.

Inherent Safety ChecklistsFour series of example checklist questions built

around the guidewords (Table 3) are given in Table 4[11]. The intention here is to use these more detailedinherent safety indicators at an appropriate time dur-ing the particular protocol. As with the guidewordsthemselves, the intention is not to replace existingchecklists, but rather to supplement these more tradi-tional tools with ones that directly incorporate inher-ent safety considerations.

The checklist in Table 4 is not all-inclusive, and isin fact a mix of both process safety and occupationalsafety issues. It is intended as an illustrative exampleof the type of thinking required to move beyond theusual engineered/procedural form of checklist ques-tions. Some companies will have their own inherentsafety-based checklists; additionally, the Appendix inBollinger et al. [1] contains a sample inherently saferprocess checklist. These authors also comment that

Appendix B in CCPS [12] contains an extensive check-list with many questions related to inherent safety (forexampleCan the supply pressure of raw materials bekept below the working pressure of vessels receivingthem? could easily fall under moderation). Anotherset of excellent checklists for a number of specific typesof chemical processing units (heat transfer equipment,mass transfer equipment, etc.) can be found in CCPS[13]. These checklists include suggestions for inherent,passive, active, and procedural approaches to risk man-agement for the incident scenarios described.

PSM Element 2Process Knowledgeand Documentation

Information necessary for the safe design, opera-tion, and maintenance of any facility should be writ-ten, reliable, current, and easily accessible by peoplewho need to use it [7].

There are several implications of inherent safetyfor this element which may be identified by use of

Table 2. Incident causation according to PSM element(2004 PRIM data).

PSMElement No. PSM Element

% ofIncidents

6 Process and equipmentintegrity

23.8

2 Process knowledgeand documentation

21.2

4 Process risk management 16.87 Human factors 8.95 Management of change 7.33 Capital project review

and design procedures6.5



5/14

the guidewords in Table 3 and checklist in Table 4.For example, the guideword substitute can be appliedto the documentation for the component chemicaland occupational health hazards to good effect. Sim-

ilarly, the component process definition/design crite-ria contains subcomponents for which the documenta-tion could be reviewed in light of the inherent safetyguidewords (e.g. minimize as applied to maximum

Figure 2. Incident causation by PSM element from 1998/99 to 2004 (PRIM data).

Figure 1. Incident causation according to PSM element 6 (PRIM data).



6/14

intended inventory). The component normal andupset conditions (operating procedures) contains the

requirement that procedures be current, accurate, andreliable. The guideword simplify is especially appropri-ate here, as demonstrated by Figures 3 and 4.

An organization had decided to offer free antivirussoftware to its employees and posted the instructionsshown in Figure 3 on its website for personnel to fol-low to install the new software. The download button

was in color red (presumably to draw attention to it);several people in this organization clicked on the but-ton to download the software without reading fur-ther. Unfortunately, they missed the fine print (Figure3) advising them to uninstall any existing antivirussoftware on their computer. The results were numer-

ous computer crashes and much process time beingspent to rectify the computer problems, both by the

people directly affected and by computer supportpersonnel.

The business interruption was significant enoughthat the organization reissued the instructions asshown in Figure 4. In this second set of instructions,the steps have been reordered and have been num-bered, and the consequence of not first uninstallingexisting antivirus software is better explained. Thered download button is still present, but the oper-ators eye is not as likely to be immediately drawn toit as in Figure 3. The instructions given in Figure 4are more accurate and reliable than those in Figure 3.The new instructions are simpler to follow. (Note that

Table 4. Inherent safety checklist.

Guideword Checklist Question

Minimize Is the storage of all hazardous gases, liquids, and solids minimized? Are just in time deliveries used when dealing with hazardous materials?

Are all hazardous materials removed or properly disposed of when they are no longerneeded or not needed in the next X days? Is shift rotation optimized to avoid fatigue?

Substitute Can a less toxic, flammable, or reactive material be substituted for use? Is there an alternate way of moving product or equipment as to eliminate human strain? Can a water-based product be used in place of a solvent- or oil-based product? Are all allergenic materials, products, and equipment replaced with nonallergenic materials,

products, and equipment when possible?Moderate Can potential releases be reduced via lower temperatures or pressures, or elimination of

equipment? Are all hazardous gases, liquids, and solids stored as far away as possible to eliminate

disruption to people, property, production, and environment in the event of an incident? When purchasing new equipment, are acceptable models available that operate at lower

speeds, pressures, temperatures, or volumes?

Are workplaces designed such that employee seclusion is minimized?Simplify Are all manuals, guides, and instructional material clear and easy to understand, especiallythose that are used in an emergency situation?

Are equipment and procedures designed such that they cannot be operated incorrectly orcarried out incorrectly?

Are machine controls located to prevent unintentional activation while allowing easy accessfor stopping the machine?

Are all machines, equipment, and electrical installations easily isolated of all sources ofpower?

Table 3. Inherent safety guidewords.

Guideword Description

Minimize Use smaller quantities of hazardous materials when the use of such materials cannot beavoided. Perform a hazardous procedure as few times as possible when the procedure isunavoidable

Substitute Replace a substance with a less hazardous material or processing route with one that does not

involve hazardous material. Replace a hazardous procedure with one that is less hazardousModerate Use hazardous materials in their least hazardous forms or identify processing options thatinvolve less severe processing conditions

Simplify Design processes, processing equipment, and procedures to eliminate opportunities for errorsby eliminating excessive use of add-on (engineered) safety features and protective devices



7/14

this example could also be discussed equally as wellunder PSM elements 4, 5 and 7.)

Also relevant here, from a different perspective, isthe component company memory (management of information). The intention of this component is toensure that knowledge and information gained fromplant experience, and which is likely to be importantfor the future safety of a facility, is well-documentedso it is not forgotten, or overlooked as personnel andorganizational changes occur [7]. Hendershot [14]argues that this is especially critical when dealing

with inherent safety and inherently safer design (ISD)features. He gives several examples where ISD fea-tures have essentially been put at risk because thereasons they were implemented were not clearly andadequately documented. This results in compromis-ing of facility safety when future modifications aremade by people who do not understand the intent ofthe original designer. (Thus, this point is also perti-nent to PSM element 5 on MOC.) ISD features areparticularly susceptible to lapses in corporate mem-ory given that they are such a fundamental part of

Figure 3. First set of instructions concerning software installation.

Figure 4. Second set of instructions concerning software installation.



8/14

the design that their purpose may not be obvious,unlike an add-on device such as a high-pressurealarm [14].

PSM Element 3Capital Project Review andDesign Procedures

Many industrial practitioners hold the opinion that

careful attention to this element can have the greatestimpact on the effectiveness of PSM [15]. Because ofthe importance of considering inherent safety early inthe design sequence when changes can most readilybe made [7], inherent safety considerations are partic-ularly important in conducting hazard reviews (e.g. apreliminary hazard analysis).

As described by Khan and Amyotte [4], there havebeen several efforts made by different organizationsto develop quantitative inherent safety evaluationtools that could be used with PSM element 3. Exam-ples include the INSET tool kit sponsored by the thenEuropean Community; the overall inherent safetyindex prototype proposed by Edwards and cow-

orkers at Loughborough University, UK; the inherentsafety index proposed by Hurme, Heikkila and cow-orkers at Helsinki University, Finland; the fuzzy-basedinherent safety index proposed by Mannan, Gentileand coworkers at Texas A&M University, USA; anindex and expert system for inherent safety evalua-tion of process flowsheets developed by Palaniappanand coworkers at the National University of Singa-pore, Singapore; and a hierarchical approach forchemical process safety evaluation developed byHungerbuhler, Shah and coworkers at the Swiss Fed-eral Institute of Technology, Switzerland.

Updates on several of these indices and calculationprocedures were presented at the recent International

Conference on the 20th Anniversary of the BhopalDisaster: Bhopal Gas Tragedy and its Effects on Proc-ess Safety, IIT Kanpur, India (December 13, 2004),

with papers subsequently appearing in a special issueof the Journal of Loss Prevention in the Process

Industries, 18 (46). (See, for example, Rahman et al.[16] and Shah et al. [17].)

A quantitative methodology from the currentauthors [18] also appears in this special journal issuefrom the Bhopal conference. Kahn and Amyotte[18,19] describe an integrated inherent safety index(I2SI) developed with consideration of the life cycleof a process, economic evaluation, and hazard poten-tial identification for various design options. The

indexing procedure was successfully applied to threeacrylic acid production options [18]. The most usefulfeature of tools such as I2SI is their potential to facili-tate a relative comparison of the hazards and ensuingrisk from different processing options [20].

Qualitative, as well as quantitative, considerationof inherent safety in hazard reviews for selectingprocess options can be highly beneficial. The follow-ing example [21] illustrates this point by making useof the inherent safety guidewords (Table 3) andchecklist (Table 4). The case considered is the hand-ing of dry additive at a polyethylene production facil-ity. Key principles highlighted are minimization, sub-

stitution, and moderation; additionally, the exampleillustrates the economic tradeoffs and inter-relation-ship among inherent, engineered, and proceduralsafety measures.

In the late 1970s, dry additive was received at theplant in heavy 50-kg containers. Operators wererequired to scoop additive into a feeder that suppliedthe additive to a pre-blender to ultimately mix addi-

tive with polyethylene resin to achieve certain resinproperties. This activity caused concern over backstrains as well as the need to wear respirators to con-trol exposure to the additive dust. In the late 1980sand early 1990s, an effort was made to improve

working conditions and efficiency. A capital project was proposed to pneumatically convey additive tothe feeder. The additive is granular and has a mini-mum ignition energy of less than 10 mJ; it is thereforeignition sensitive and must be treated carefully in amanner similar to flammable gases and liquids whichalso have very low ignition energies.

A suggestion was made to consider the process

with nitrogen as the conveying medium. A number ofissues associated with this option soon materialized:

higher operating costs using nitrogen (recyclingnitrogen posed technical challenges; addition-ally, this would have been the first attempt atthe site in conveying solids using nitrogen me-dium),

the need to monitor and control oxygen contentso as not to exceed the limiting oxygen concen-tration,

a requirement for greater operator attention if amanual monitoring approach was adopted,

prohibitively high project costs for automatic

monitoring and alarms, and possible asphyxiation should nitrogen ventinside a building.

Because of these concerns, the nitrogen conveyingoption was not considered feasible. Operationsreturned to manual handling of the dry additive, butthis time using smaller containers (25 kg) to deal withback strain concerns. The site was also continuously

working with the additive supplier to identify betterapproaches (e.g. to reduce manual handling). Thisgave rise to experimenting with a pellet-like versionof the same additive in a pneumatic conveying sys-tem. This would, in theory, also remove the concernover the presence of a flammable dust cloud having

a low ignition energy inside an air conveying system.However, the mechanical energy of the pneumaticconveying system easily broke down the pellet-likeadditive into a very fine powder, causing extensivedust buildup and resulting in operating problems dueto plugging. The dust explosion concern was alsoreintroduced.

In the late 1990s, the site installed its current sys-tem which involves the use of supersacks and totetanks. Supersacks from the supplier are emptied bygravity into tote tanks at grade level. These totes arethen taken by elevator to the appropriate floor wherethey are placed on top of a feed pipe system that



9/14

connects to the additive feeder. The feed pipe systemis filled with additive by opening a slide valve locatedbelow the tote. The slide valve is opened slowly toavoid disturbing the sensitive operation of the feeder.This also helps with minimizing the formation of dustclouds inside the pipe system as it is being filled.This current option has eliminated the followingsafety concerns:

repetitive manual handling by operators andassociated back strain,

the need to wear respirators to avoid inhalationof dust, and

excessive static charging and flammable dustcloud formation that would have been associ-ated with pneumatic conveying, and the possi-ble ignition of the ignition-sensitive dust insidean air conveying system.

A final comment is made for this PSM elementwith respect to the components siting and plot plan.In siting a proposed expansion or new plant, the ex-

posure hazard to and from adjacent plants or facilitiesis a critical consideration; similarly the location ofcontrol rooms, offices, and other buildings should becarefully considered in conducting a plot plan review[7]. This is in accordance with the guiding principleof unit segregation (the avoidance of domino or cas-cade effects) which is often considered to be anexample of the inherent safety principle of modera-tionspecifically limitation of effects. Examples

where greater attention to facility siting and plot planreview (temporary as well as capital) would haveassisted with consequence mitigation include theadministration and control buildings at Flixborough[22] and the contractor trailers at the BP Texas City re-

finery [23].

PSM Element 4Process Risk ManagementThe PSM guide comments that the component haz-

ard identification is the most important step in proc-ess risk management: If hazards are not identified,they cannot be considered in implementing a riskreduction program, nor addressed by emergencyresponse plans [7]. Several techniques are referencedin the guide [7] for identifying and assessing hazards,including the Dow Fire and Explosion Index (F&EI)and Chemical Exposure Index (CEI), HAZOP, What-Ifand Checklist.

The F&EI and CEI each have a significant basis inthe principles of inherent safety [24]. This point isalso illustrated by the work of Khan et al. [6] whoconducted a comparison of the F&EI with other in-herent safety-based indices available at the time ofthe study (2002/2003). Some of the recently devel-oped quantitative methodologies, as described underPSM element 3, would also have relevance to PSMelement 4 (the key difference being that the review isno longer at the capital project/early design stage).For example, the I2SI technique [18,19] employs astructured guideword approach in a HAZOP-typemanner.

PSM element 4 also offers a qualitative opportunityto bring inherent safety into the components hazardidentification and reduction of risk via the What-If/Checklist (WI/CL) technique (which is, of course,simply a combination of the separate What-If (WI)and Checklist (CL) methods). As well-described inCCPS [12], What-If analysis is a brainstormingapproach in which a team asks questions and voices

concerns about possible undesired events. The pur-poses are:

to identify hazards, hazardous situations, andspecific events that could produce undesirableconsequences,

to examine the currently available safety meas-ures to deal with the identified hazards andevents, and

to suggest alternatives for risk reduction basedon inherent, as well as engineered (add-on) andprocedural, safety.

WI analysis results are typically presented as a tabularlisting of hazardous situations, consequences, existing

safeguards and options for risk reduction. An illustra-tive WI example drawn from everyday life (driving ina residential area) is given in Table 5. There is a nat-ural progression from the What-If scenario, to poten-tial consequences of the event, to safety measuresthat might typically be employed, to recommenda-tions for further safety measures (based in this caseon inherent/passive safety).

In the current context, the key feature of the sim-ple example in Table 5 is the attempt to explicitlyincorporate inherent safety in the analysis. This canbe done by the guideword/checklist approach(Tables 3 and 4) in the following ways:

Once a number of WI scenarios have been iden-tified and analyzed by the team, checklists (in-herent safety-based and otherwise) can be con-sulted to determine if new hazards are identi-fied. These new hazards can then be analyzedby completion of the WI table.

In determining whether to make recommenda-tions for consideration of further safeguards, theteam can consult the checklists to see if newsafety measures are identified.

Thus, checklists can be used at either the front- orback-end of the WI methodology. In this manner, theCL analysis is combined with the WI analysis to yielda WI/CL method that combines the creative, brain-

storming features of WI with the systematic, rigorousfeatures of CL. Further, the inherent safety guideword/checklist approach helps to ensure that inherent safetyconsiderations are explicitly considered in identifyingboth hazards and safety measures. This is essentiallythe recommendation of the PSM guide: Following riskevaluation, steps must be taken to reduce those riskswhich are deemed unacceptable. Such steps mightinclude: inventory reduction, alternative processes,alternative materials, improved training and proce-dures, protective equipment, etc. [7] (with underliningadded to emphasize the inherent safety suggestionsrelated to minimization and substitution).



10/14

A final comment is made for this PSM element with respect to the components encouraging client

and supplier companies to adopt similar risk man-agement practices and selection of businesses with ac-ceptable risk. The former component is particularlyimportant because of the common practice of out-sourcing or contracting of engineering services. Thisis often the case on large projects where partnershipsand joint ventures are formed, but may also apply tosmaller projects through the awarding of subcon-tracts. Success on these projects is in large measuredetermined by the degree of commonality in riskmanagement practices among the different parties.Not the least of the concerns is whether there is acommon set of expectations for safety performanceand risk-awareness [25]. By extension, differences in

approach to inherent safety and the corporate valueplaced on this concept can be problematic.With respect to the second component above, selec-

tion of businesses with acceptable risk, CCPS [26] pro-vides helpful commentary. In explaining the businesscase for managing process safety, it is noted that effec-tive PSM means doing the right things right, thusleading to increases in revenue and productivity andreductions in product cost. It is further noted that forsmaller companies, because of product stewardshiprequirements, demonstration of good PSM practicesmay be a prerequisite to doing business with largercompanies more versed in PSM. Again by extension, amismatch with respect to the value placed on inherent

safety may lead to missed business opportunities.

PSM Element 5Management of ChangeA system to manage change is critical to the opera-

tion of any facility. A written procedure should berequired for all changes except replacement-in-kind.The system should address: a clear definition of change (scope of application); a description and tech-nical basis for the proposed change; potential impactof the proposed change in health, safety and environ-ment; authorization requirements to make thechange; training requirements for employees or con-tractors following the change; updating of documen-

tation including process safety information, operating procedures, maintenance procedures, alarm and

interlock settings, fire protection systems, etc.; andcontingencies for emergency changes [7].Simply put, inherent safety involves change, and

change in the process industries must be managed.Potential hazards brought about by inherent safetychanges must therefore be identified and the ensuingrisk reduced to an acceptable level. This point is atleast as important (perhaps more) than the conceptof looking for inherent safety opportunities whenmaking a process change.

A generic inherent safety-based protocol for MOCis shown in Figure 5. This sequence of steps is basedon the MOC process presented by Kelly [27]. By rec-ommending the use of inherent safety guidewords in

the first step, identify need for change, the protocolrecognizes that inherent safety is both a driving forcefor MOC and an opportunity during MOC (as previ-ously mentioned). Use of the guidewords and achecklist during the hazard review and control stepsis again a recognition that the techniques used for thesepurposes are easily adaptable to explicit incorpora-tion of inherent safety (such as the What-If/Checklistapproach described in the previous section).

As an example, Figures 3 and 4 may again be con-sidered, this time from an MOC perspective. The pro-

vision of system-wide antivirus software representeda change for the organization from the previous prac-tice of computer users purchasing and installing such

software individually and from a number of different vendors. The change was not adequately managedbecause the potential hazards arising from the change

were not identified, and steps were not taken toreduce the risk of downloading without first uninstal-ling existing antivirus software. Use of the guideword

simplify and the checklist question, Are all manuals, guides, and instructional material clear and easy tounderstand?, might have led to the following What-Ifscenario being posed: What if someone clicks on thedownload button before uninstalling existing soft-ware? Likely, risk reduction measures such as thoseeventually taken after-the-fact would have been

Table 5. What-If analysis example with inherent safety considerations.

What If Consequences/Hazards Existing Safeguards Recommendations

A pedestrian suddenlycrosses the street infront of your car?

You may hit thepedestrian causinginjury

Being attentive inresidential areas

Do not drive throughresidential areas except

when necessary.(substitute)

You may hit anothervehicle causing damage

Always keeping asafe distance fromother vehicles

Consider providingfences between roadsand areas with likelypedestrian exposureforexample, schools orplaygrounds. (substitute)

You may stop suddenly,causing injury in your

vehicle

Wearing seatbelt atall times

Drive slowly inresidential areas.(moderate)



11/14

implemented as preventive measures. This rather sim-ple example also illustrates the overlap between PSM

elements and how inherent safety considerations in aparticular element can have multiple benefitsthroughout the suite of PSM tools.

Further consideration of the antivirus softwareupgrade process in a MOC review might lead to thefollowing question being asked: Can the hazard of installing new antivirus software without removing

previously installed antivirus software be eliminated?While we are not programming experts, it seems thatthis might be possible in many cases; one could pos-sibly design an installation routine which eliminatesthe hazard. Perhaps the installation program for thenew antivirus software could canvass the computerhard disk for previous installations of commonly used

antivirus software, and refuse to install if it finds one.Or, it could check for antivirus software already run-ning; the Microsoft Windows XP Security Center is ca-pable of monitoring the status of many antivirus pro-grams, so presumably an installation program couldcheck this same information. Some consumer soft-

ware does this sort of thing nowfor example, theinstallation routine for Intuits Quicken 2006 personalfinance software checks for the presence of a previ-ous version and uninstalls that previous version iffound (after getting permission from the user).

In accordance with our previous comment onqualitative techniques, there remains a need for vali-

dation of the generic protocol shown in Figure 5.The fact that there is no shortage of candidatecasesboth technical and nontechnical [14] as wellas organizational [28]is somewhat of a soberingreality. Flixborough represents a classic example ofinadequate MOC [22] that is worth examining, in partbecause of the motivation it has provided for ISD.More recent examples are also available: the 2004 fire

and explosion at Giant Industries Ciniza oil refinery[29] and the 2005 hydrogen reformer furnace failureat Syncrude Canada Ltd. [30].

PSM Element 6Process and EquipmentIntegrity

Procedures for fabricating, inspecting, and main-taining equipment are vital to process safety. Written

procedures should be used to maintain ongoing in-tegrity of process equipment such as: pressure vesselsand storage tanks; piping, instrumentation, and elec-trical systems; process control software; relief andvent systems and devices; emergency and fire protec-tion systems; controls including monitoring devicesand sensors, alarms and interlocks; and rotatingequipment. A documented file should be maintained

for each piece of equipment [7]. As illustrated in Figure 2, this element is of

obvious importance in preventing process-relatedincidents. Figure 1 shows the particular significanceof the components preventative maintenance andmaintenance procedures. With respect to the formercomponent, risk-based integrity modeling (RBIM) ofprocess equipment holds much promise. Concerningthe latter component, a 1997 Chemical Safety Alertfrom the US EPA [31] offers the advice that facilities

with storage tanks containing flammable vaporsshould review their equipment and operations in thefollowing areas:

design of atmospheric storage tanks, inspection and maintenance of storage tanks, hot-work safety, and ignition source reduction.

Investigation of qualitative and quantitative linkagesamong the above items is a fruitful line of future

work. The first and last items in the list have clear in-herent safety overtones, while the middle two arelargely procedural. Nevertheless, there may be an op-portunity here to again highlight the interplay amonginherent, engineered, and procedural safety. A possi-

ble case study has been identified as the 1998 refin-ery fire at North Atlantic Refining Limited in New-foundland, Canada [32,33].

PSM Element 7Human Factors Human factors are a significant contributor to

many process accidents. Three key areas are opera-tor-process/equipment interface, administrative con-trols, and human error assessment [7].

This PSM element on human factors has a strongrelationship with the principles of inherent safety [1].The first component, operator-process/equipmentinterface, refers to issues such as [7]:

Figure 5. An inherent safety-based management ofchange protocol.



12/14

the design of equipment increasing the potentialfor error (e.g. confusing equipment, positioningof dials, color coding, different directions foron/off), and

the need for a task analysis (a step-by-stepapproach to examine how a job will be done)to determine what can go wrong during the task

and how potential problem areas can be con-trolled.

This component therefore affords ample opportunitiesfor use of the WI/CL technique described earlier. Thisrelatively straightforward tool would likely have iden-tified the need for consideration of human factors inthe example given by Figures 3 and 4, as well as therecent case reported in the media of a $225-million typo [34]. This latter example involved the lossto a securities company of 27 billion yen ($225 millionUS) on a stock trade because of a typing error.

From a technical perspective, an inherent safety-based WI/CL task analysis may have identified the

hazard posed by the design of a particular valve actu-ator at the Giant refinery [29]. The plug valve in ques-tion was originally designed to be opened and closedby a gear-operated actuator. This actuator wasreplaced by a valve wrench (2-ft-long bar) that wasinserted into a square collar. (Thus, as previouslymentioned, this is also an MOC incident.) Althoughthere was a position indicator on the valve itself,operators had become accustomed to determining

whether the valve was open or closed by the orienta-tion of the valve wrench. If the wrench was perpen-dicular to the direction of flow through the valve,then the valve was thought to be closed. Reliance onthis on/off determination ultimately proved to be

flawed because of the fact that the wrench collaritself was removable and could be repositioned onthe valve stem in different directions. On the day ofthe incident, the valve was thought to be closed

when it was in fact open, and a flammable liquidrelease occurred followed by a fire and explosion.

The description of the second component of thisPSM element, administrative control versus hardwarecontrol, contains these statements:

Hazards may be controlled by the use of proce-dures or by the addition of protective equipment. Thisbalance is often a matter of company culture and ec-onomics. If procedures are well understood, kept cur-rent and are used, then they are likely to be effective.

Similarly protective systems need regular testing andmaintenance to be effective. The problem of adminis-trative versus hardware controls should be consideredand a balance selected by conscious choice ratherthan allowing it to happen by default [7].

This description may leave some readers with theunfortunate impression that only procedural (admin-istrative) and engineered (add-on) measures are avail-able, or are effective, for hazard control. Although

well-written and understood procedures will beinherently safer, there is much more to inherentsafety than facilitating effective procedural safety.This component is one of the most important places

in the PSM guide [7] where explicit use of the terminherent safety would be highly beneficial.

The third and final component of human factors,human error assessment, is perhaps one of the morechallenging areas of PSM. Human error assessment byitself can seem quite daunting, let alone trying toincorporate the principles of inherent safety. Neverthe-less, human error assessment is becoming increasingly

important in industry and is a growing area of concernfor the public and for regulators. As demonstrated inrecent work by the current authors, it is possible toquantitatively assess the probability of human errorand to use these results to help achieve an inherentlysafer design.

DiMattia et al. [35] and Khan et al. [36] describe amethod for determining human error probabilitiesduring the process of emergency musters on offshoreoil and gas production platforms. This process con-sists of 18 separate tasks beginning with alarm detec-tion and ending with the actions performed in thetemporary safe refuge (TSR) before standing down or

moving on to the platform abandonment stage. An expert judgment technique known as SuccessLikelihood Index Methodology (SLIM), developed inthe nuclear industry, was used by DiMattia et al. [35].Factors affecting human performance (performanceshaping factors such as stress, training, and experi-ence) were quantitatively analyzed by means of ateam of judges and the SLIM technique to yield ahuman error probability for each of the 18 mustertasks and three different muster initiators (man over-board, gas release, and fire and explosion). Thesedata were then generalized to any muster initiatorand scenario by a questionnaire and reference graphmethodology developed by Khan et al. [36].

The usefulness of human error probability data was illustrated by Khan et al. [36] in the followingmanner. First, a consequence table was developedand used to qualitatively assess the impact of notcompleting a given muster task. This severity ranking

was then paired with the quantitative probabilityvalue by means of a risk matrix to identify those tasksmost in need of risk reduction measures (inherent,engineered and procedural). For example, failure todetect the muster alarm (first action) in the fire andexplosion scenario has a probability of 0.4 and con-sequences ranging from delay of time to musterthrough to loss of critical time needed to respond to

the problems that initiated the alarm, and possibleloss of life. Risk reduction measures from an inherentsafety perspective were identified as:

eliminate obstructions near the alarms, minimize the amount of noise-producing ma-

chinery when possible, substitute alarms with ones that give an easily

recognizable tone, moderate the electrical dependence of the

alarms that are used on the platform, and simplify the alarms, making maintenance easier,

as well as lowering the possible risk of an alarmmalfunctioning.



13/14

Quantitative human error assessment is therefore notonly possible, but quite valuable in attempting toreduce risk by employing the principles of inherentsafety. What is required in this application is a scien-tifically rigorous method of determining probabilitydata for human error, such that objectivity is broughtto an otherwise potentially subjective process.

CONCLUDING REMARKS

We have attempted in this paper to present thecase that inherent safety is an integral component ofeffective PSM. In spite of its widespread applicabilitythroughout all of the PSM elements, the term inher-ent safety is not used in standardized PSM documen-tation such as the PSM guide [7] referenced in thecurrent work. Explicit naming and use of the princi-ples of inherent safety (minimize, substitute, moder-ate, and simplify) within PSM standards is thereforeneeded.

Various inherent safety examples, both technicaland from everyday life, have been given for severalPSM elements. Existing tools have been identified foreither inherent safety inclusion or increased visibil-ityfor example, the What-If/Checklist methodology(qualitative) and the Dow Fire and Explosion andChemical Exposure Indices (quantitative). New inher-ent safety tools for quantitative identification andassessment of hazards have been described, andqualitative protocols for incorporating inherent safetyinto specific PSM elements have been presented. The12 PSM elements [7] are interwoven with one anotherby means of the common thread of inherent safety.

ACKNOWLEDGMENTS

The authors gratefully acknowledge the Canadian

Chemical Producers Association for permission touse the PRIM data and analysis results in ourresearch, and the many colleagues in the processsafety community who have assisted us with technicaladvice and critiques of our research.

LITERATURE CITED

1. R.E. Bollinger, D.G. Clark, R.M. Dowell III, C.Ewbank, D.C. Hendershot, W.K. Lutz, S.I. Mes-zaros, D.E. Park, and E.D. Wixom, InherentlySafer Chemical Processes: A Life Cycle Approach,D.A. Crowl (Editor), American Institute of Chemi-cal Engineers, New York, NY, 1996.

2. J.P. Gupta and D.W. Edwards, Inherently saferdesignPresent and future, Process Saf EnvironProt 80 (2002), 115125.

3. T.A. Kletz, Inherently safer designIts scope andfuture, Process Saf Environ Prot 81 (2003), 401405.

4. F.I. Khan and P.R. Amyotte, How to make inher-ent safety practice a reality, Can J Chem Eng 81(2003), 216.

5. T.A. Kletz, What you dont have, cant leak, ChemInd May 6 (1978), 287292.

6. F.I. Khan, R. Sadiq, and P.R. Amyotte, Evaluationof available indices for inherently safer designoptions, Process Saf Prog 22 (2003), 8397.

7. CSChE, Process Safety Management, 3rd ed.,Canadian Society for Chemical Engineering, Ottawa,ON, 2002.

8. CCPS, Guidelines for technical management ofchemical process safety, Center for ChemicalProcess Safety, American Institute of ChemicalEngineers, New York, NY, 1989.

9. J.-P. Lacoursiere, Bhopal and its effects on the Ca-

nadian regulatory framework, J Loss Prev ProcessInd 18 (2005), 353359.

10. P.R. Amyotte, A.U. Goraya, D.C. Hendershot, andF.I. Khan, Incorporation of inherent safety princi-ples in process safety management, Proceedingsof 21st Annual International ConferenceProcessSafety Challenges in a Global Economy, Centerfor Chemical Process Safety, American Instituteof Chemical Engineers, Orlando, FL, April 2327,2006, pp. 175207.

11. A. Goraya, P.R. Amyotte, and F.I. Khan, An inher-ent safety-based incident investigation methodol-ogy, Process Saf Prog 23 (2004), 197205.

12. CCPS, Guidelines for Hazard Evaluation Proce-

dures, 2nd ed., American Institute of ChemicalEngineers, New York, NY, 1996.

13. CCPS, Guidelines for design solutions to processequipment failures, American Institute of Chemi-cal Engineers, New York, NY, 1998.

14. D.C. Hendershot, Tell me why, Eighth AnnualInternational Symposium, Mary Kay OConnorProcess Safety Center, Texas A&M University, Col-lege Station, TX, Oct. 2526, 2005.

15. G. Creedy, Personal communication (with permis-sion), 2005.

16. M. Rahman, A.-M. Heikkila, and M. Hurme, Com-parison of inherent safety indices in process con-cept evaluation, J Loss Prev Process Ind 18

(2005), 327334.17. S. Shah, U. Fischer, and K. Hungerbuhler, Assess-

ment of chemical process hazards in early designstages, J Loss Prev Process Ind 18 (2005), 335352.

18. F.I. Khan and P.R. Amyotte, I2SI: A comprehen-sive quantitative tool for inherent safety and costevaluation, J Loss Prev Process Ind 18 (2005),310326.

19. F.I. Khan and P.R. Amyotte, Integrated inherentsafety index (I2SI): A tool for inherent safety eval-uation, Process Saf Prog 23 (2004), 136148.

20. G. Phillips, Personal communication (with per-mission), 2005.

21. M. Marta, Personal communication (with permis-

sion), 2005.22. R.E. Sanders, Designs that lacked inherent safety:

Case studies, J Hazard Mater 104 (2003), 149161.23. CSB, http://powerlink.powerstream.net/002/

00174/051222bp/BPAnimations.asx, US Chem-ical Safety and Hazard Investigation Board, Wash-ington, DC, 2006.

24. C.B. Etowa, P.R. Amyotte, M.J. Pegg, and F.I. Khan,Quantification of the inherent safety aspects of theDow indices, J Loss Prev Process Ind 15 (2002),477487.

25. J. Horwood, The impact of expectations and cultureon project safety performance, Process Safety and



14/14

Loss Management Symposium, 55th Canadian Chemi-cal Engineering Conference, Canadian Societyfor Chemical Engineering, Toronto, ON, Oct. 1619,2005.

26. CCPS, Making EHS an Integral Part of ProcessDesign, American Institute of Chemical Engineers,New York, NY, 2001.

27. B.D. Kelly, Management of Change in Process

PlantsA Participative Workshop, Calgary, AB,Nov. 2000.

28. R. Cairns, G. Creedy, and Y. Ivanovich, Managingthe health and safety aspects of organizationalchange, Process Safety and Loss ManagementSymposium, 52nd Canadian Chemical EngineeringConference, Canadian Society for Chemical Engi-neering, Vancouver, BC, Oct. 2023, 2002.

29. CSB, Oil refinery and explosion (Giant IndustriesCiniza oil refinery), Case study, US ChemicalSafety and Hazard Investigation Board, Washing-ton, DC, 2005.

30. M. Rogers, Lessons learned from an unusualhydrogen reformer furnace failure, Process Safety

and Loss Management Symposium, 55th Canadian

Chemical Engineering Conference, Canadian Soci-ety for Chemical Engineering, Toronto, ON, Oct.1619, 2005.

31. EPA, Catastrophic failure of storage tanks, Chemi-cal safety alert, US Environmental Protection

Agency, Washington, DC, 1997.32. W.M. Glenn, A tale of two refineries, OHS Can 22

(2006), 3643.

33. P.J. Kennedy (Judge), Inquiry report on explosionand fire at come by chance refinery, District ofClarenville, Provincial Court of Newfoundland,

Aug. 8, 2005.34. Chronicle Herald, Tokyo market suffers after

$225-million typo, Newspaper article, Halifax, NS,Dec. 10, 2005.

35. D.G. DiMattia, F.I. Khan, and P.R. Amyotte, Deter-mination of human error probabilities for offshoreplatform musters, J Loss Prev Process Ind 18(2005), 488501.

36. F.I. Khan, P.R. Amyotte, and D.G. DiMattia, HEPI:A new tool for human error probability calcula-tion for offshore operation, Safety Science 44

(2006), 313334.


amyotte inherent safety

Documents