process systems engineering, 7. abnormal events management ...€¦ · process systems engineering,...

Process Systems Engineering, 7. AbnormalEvents Management and Process Safety

GURKAN SIN, Technical University of Denmark, CAPEC, Department of Chemical and

Biochemical Engineering, Lyngby, Denmark

KAUSHIK GHOSH, National University of Singapore, Department of Chemical and

Biomolecular Engineering, Singapore

SATHISH NATARAJAN, National University of Singapore, Department of Chemical and


RAJAGOPALAN SRINIVASAN,National University of Singapore, Department of Chemical

and Biomolecular Engineering, Singapore

ARIEF ADHITYA, Institute of Chemical and Engineering Sciences, A*Star, Singapore

IFTEKHAR A. KARIMI, National University of Singapore, Department of Chemical and


STAVROS PAPADOKONSTANTAKIS, Swiss Federal Institute of Technology (ETH) Zurich,

Department of Chemistry and Applied Biosciences, Switzerland

KONRAD HUNGERBUHLER, Swiss Federal Institute of Technology (ETH) Zurich,

Department of Chemistry and Applied Biosciences, Switzerland

PER ANGELO, Maersk Oil, Copenhagen, Denmark

1. Introduction. . . . . . . . . . . . . . . . . . . . . 22. Abnormal Event Management–Process

Monitoring and Fault Diagnosis . . . . . 32.1. Introduction. . . . . . . . . . . . . . . . . . . 32.2. Process Monitoring and Diagnosis

Framework . . . . . . . . . . . . . . . . . . . 32.3. Fault Detection and Diagnosis

Methods . . . . . . . . . . . . . . . . . . . . . . 42.3.1. Fundamental Knowledge-Based

Quantitative Methods. . . . . . . . . . . . . 5

2.3.2. Fundamental Knowledge-Based

Qualitative Methods . . . . . . . . . . . . . 6

2.3.3. Evidential Knowledge-Based

Quantitative Methods. . . . . . . . . . . . . 6

2.3.3.1. Principal Component Analysis . . . . 6

2.3.3.2. Artificial Neural Network . . . . . . . . 8

2.3.4. Evidential Knowledge-Based Qualitative

Methods . . . . . . . . . . . . . . . . . . . . . . 9

2.3.5. Expert Systems . . . . . . . . . . . . . . . . . 9

2.3.6. Hybrid Methods . . . . . . . . . . . . . . . . 10

2.4. Future Directions. . . . . . . . . . . . . . . 103. Risk Assessment and Inherent Safety in

Process Design . . . . . . . . . . . . . . . . . 113.1. Introduction. . . . . . . . . . . . . . . . . . . 113.2. Process Hazard Analysis (PHA). . . . 123.2.1. Risk Assessment . . . . . . . . . . . . . . . . 13

3.2.2. Hazard Indices . . . . . . . . . . . . . . . . . 13

3.3. Design Strategies for Process RiskManagement . . . . . . . . . . . . . . . . . . 13

3.3.1. Economics of Risk Management . . . . 15

3.3.2. Inherently Safer Process Design . . . . . 16

3.4. How to Perform IS Evaluation?. . . . 173.4.1. Product Specification Stage . . . . . . . . 17

3.4.2. Route Selection Stage . . . . . . . . . . . . 17

3.4.3. Flowsheet Development Stage . . . . . . 18

3.5. Inherent Safety Practices in Industry 194. Hazards Identification in Early Stages of

Process Design . . . . . . . . . . . . . . . . . . 194.1. Introduction. . . . . . . . . . . . . . . . . . . 194.2. An index-based approach for SHE

hazard identification . . . . . . . . . . . . 204.2.1. Overview . . . . . . . . . . . . . . . . . . . . . 20

4.2.2. Methodology. . . . . . . . . . . . . . . . . . . 21

4.2.3. Application in Case Studies . . . . . . . . 23

4.3. Conclusions and Future Directions . 235. Supply Chain Risk Management . . . . 255.1. Introduction. . . . . . . . . . . . . . . . . . . 255.2. Supply Chain Risk Classification . . . 275.3. Framework for Supply Chain Risk

Management . . . . . . . . . . . . . . . . . . 275.4. Methods for Supply Chain Risk

Management . . . . . . . . . . . . . . . . . . 285.4.1. Supply Chain Risk Identification . . . . 28

5.4.2. Supply Chain Risk Quantification. . . . 29

� 2012 Wiley-VCH Verlag GmbH & Co. KGaA, Weinheim10.1002/14356007.o22_o11

5.4.3. Supply Chain Risk Mitigation . . . . . . 29

5.5. Conclusion and Future Directions . . 316. Safety Management in Industrial

Practice . . . . . . . . . . . . . . . . . . . . . . . 316.1. Management of Major Hazards in the

Process Industries . . . . . . . . . . . . . . 316.1.1. Definitions . . . . . . . . . . . . . . . . . . . . 32

6.1.2. History of Process Safety . . . . . . . . . . 32

6.2. Major Accidents-Case Studies . . . . . 33

6.3. Comprehensive Process SafetyManagement-Risk-Based ProcessSafety . . . . . . . . . . . . . . . . . . . . . . . . 35

6.3.1. Commit To Process Safety. . . . . . . . . 36

6.3.2. Understand Hazards and Risks . . . . . . 36

6.3.3. Manage Risk . . . . . . . . . . . . . . . . . . . 36

6.3.4. Learn From Experience . . . . . . . . . . . 37

6.4. How to Implement a RBPS System . 386.5. Conclusion . . . . . . . . . . . . . . . . . . . . 39

1. Introduction

This article contains contributions reporting thestate-of-the-art techniques and methods appliedfor abnormal events management and processsafety practice in chemical and (increasingly)biochemical engineering industries. Methodo-logical developments are particularly empha-sized to better fit within the scope of the processsystems engineering (PSE) keywords.

The five chapters constituting this articlecame from academia and industry, which man-aged to cover a broad range of topics andhighlight the current perspectives and principlesin research and industrial practice of abnormalevent management (AEM) and process safety.

Chapter 2 focuses on monitoring and man-aging safety during online process operationhence reporting methodologies for monitoring,detecting and diagnosing abnormal events dur-ing process operation.

Chapter 3 takes a step back and focuses onthe importance of giving considerations to pro-cess safety at early stage of process develop-ment. To this end, various safety metrics alongside health and environmental criteria are con-sidered when screening for suitable processflowsheets.

Chapter 4 provides the state-of-the-art ofhazard identification techniques (e.g., FMEA,HAZOP, etc) and risk assessment techniques(e.g., fault tree analysis, consequence analysis,etc.) andmethodologies such as layers of protec-tion in the field. As part of risk assessment meth-odologies, inherently safer process design con-cept (following the principle ‘‘what you don’thave, don’t leak’’) has also been emphasized.

Chapter 5 the riskmanagement at the logisticside of the chemical industries and the prevail-

ing methodologies used for minimizing the riskin supply chain of chemical industry is covered.

In Chapter 6, industrial perspectives on man-agement of safety and hazards where the riskmanagement theories are put to test in practiceare described. This section covers a brief historyof chemical accidents that led to the develop-ment of modern safety management systems(SMS) and also provides experiences with dif-ferent elements of SMS implementation.

Although considerable development hashappened in the process safety record of chemi-cal and biochemical industries, yet accidents dooccur from time to time. Given the accident inGulf of Mexico (USA) in 2010 at BP operatedMacando well and its huge social, economic,and environmental consequences, indeed thesignificance of process safety cannot be empha-sized more. Surely this event has already beenshaking fundamentally the process safety prac-tice in industry (especially offshore oil and gasindustries), which will have ramifications onhow process safety is managed and auditedacross the board. This and other accidents havereminded always the importance of taking andtreating safety with due care at all levels fromacademic research (e.g., safety at early stageprocess development) to the top of the executivemanagement (e.g., self-commitment and provi-sion of adequate resources for safety) in chemi-cal industries.

Ensuring safety of chemical processes andproducts are the minimum requirement from asocietal, political, and environmental point ofview. Hence, development of systematic meth-ods and techniques that support hazard identifi-cation and risk management for process safetyshall remain a highly relevant and importantresearch goal for the PSE community.

2 Process Systems Engineering, 7. Abnormal Events Management and Process Safety

2. Abnormal Event Management–Process Monitoring and FaultDiagnosis

2.1. Introduction

Abnormal event management (AEM) involvesthe timely detection of an abnormal event,diagnosing its causal origins and then takingappropriate supervisory control decisions andactions to bring the process back to a normal,safe-operating state. An abnormal event couldarise from the departure of an observed variablefrom the acceptable range. Process abnormalitysuch as high temperature in reactor or lowproduct quality could occur due to a failedcoolant pump or a controller. Such a failurecould lead to an abnormal event. Other causesinclude process parameter changes (catalystpoisoning and heat-exchanger fouling), largedisturbances (in concentration of feed streamor ambient temperature), actuator problems(sticking valve), and sensor problems. A keychallenge in the process industry today is thedevelopment and deployment of intelligent sys-tems that assist human operators during abnor-mal events particularly in the isolation of faults.

AEM is a safety issue, and safety has been atop priority for companies in the chemical pro-cess industries. Figure 1 shows how AEM re-lates to safety—successful detection and iden-tification of process faults at an early stage canincrease the success rate of fault recovery duringoperations and prevent accidents and unneces-

sary shutdowns [1]. The plant operators workwithin a simple framework that has three mainareas: normal, abnormal, and emergency opera-tions (see Fig. 1). The plants typically havewell-defined normal operating procedures; very basicabnormal operating procedure, such as for shutdown; and very good emergency planning andresponse procedures. AEM relates to the pro-cedures for ‘‘Return to Normal’’ and operatingunder abnormal conditions, its diagnosis andrecovery which can be difficult because ofprocess dynamics and the need for speedyresponse.

2.2. Process Monitoring andDiagnosis Framework

Abnormalities which occur in the process haveto be detected, diagnosed, and corrected. Deci-sion support systems should provide the plantoperator and maintenance personal informationabout the current status of the process andrecommend appropriate remedial actions tomitigate the undesired effects of abnormal pro-cess behavior. Timely detection of managingfaults result in reduced process downtime, im-proved operations safety, and higher businessefficiency. Process monitoring and diagnosismethods seek to automate this to a large extent.

Each monitoring and diagnosis method usesa priori process behavior knowledge in the formof a model (developed off-line) and on-lineprocess measurements to compute residualswhose exceeding a predefined threshold

Figure 1. Anatomy of a disaster from an operation perspective [1]

Process Systems Engineering, 7. Abnormal Events Management and Process Safety 3

indicates abnormality. Figure 2 depicts thegeneral principle behind process monitoring.Features in the on-line measurements and theresiduals could also indicate the possible rootcause of the abnormality.

Desirable Characteristics of a Fault Diag-nostic System. The performance of a pro-

cess monitoring method is determined by thenumber of false positive and false negativeresults it gives and the number of samplesrequired for developing the behavior model. Inorder to compare various process monitoringand diagnosis methods, it is first useful to iden-tify a set of desirable characteristics that such asystem should possess. Then the different meth-odsmay be evaluated against such a common setof requirements or standards. The following area set of desirable characteristics one would likethe diagnostic system to possess [2].

Early Detection and Diagnosis. Early andaccurate diagnosis is an important and highlydesirable attribute. However, quick diagnosisand tolerable performance during normal oper-ation are two conflicting goals [3]. A system thatis designed to detect a failure (particularlyabrupt changes) quickly will be sensitive tonoise and can lead to frequent false alarmsduring normal operation, which can bedisruptive.

Isolability refers to the ability of the diag-nostic system to discriminate between differentfailures. The diagnostic system should be able toassign correct fault class to an abnormal processstate with high recognition rate (accuracy).

Robustness. The diagnostic system needs tobe robust to various noise and uncertainties. Itsperformance should degrade gracefully instead

of failing totally and abruptly. Also plants op-erate in various states (operating modes) andundergo transition between them. Althoughsome transients could arise due to abnormalevents, others are part of normal process opera-tions. The diagnostic system should be cogni-zant of the various normal modes of operations.

Adaptability. Processes change and evolvedue to changes in external inputs or structuralchanges due to retrofitting and so on. The oper-ating conditions change not only due to distur-bances, but also due to other conditions likechanges in production quantities, quality of rawmaterial, etc. In order to be useful and practical,the diagnostic system, particularly the processbehavior model, should be easy to maintain.

2.3. Fault Detection and DiagnosisMethods

Numerous computer-aided methods have beendeveloped for process monitoring and diagnosisover the years. Since all process monitoring anddiagnosis methods require a priori knowledgeabout the process and its behaviors, one schemeof classifying them is based on the source ofsuch knowledge. The knowledge may be fromfundamental understanding of the process usingfirst principles, also referred to as deep, causal orfundamental knowledge-based methods. This isdeveloped usually fromunderstanding about thephysicochemical behaviors like mass, energy,momentum conservative equations, reactionkinetics, thermodynamics, etc. Alternately, thea priori domain knowledge may be gatheredfrom past experience with the process, referredto as shallow, compiled, evidential, or process

Figure 2. General framework of process monitoring and diagnosis system


history-based knowledge. Thus monitoring anddiagnosis methods could be broadly classifiedinto two major categories:

1. Fundamental knowledge-based methods2. Evidential knowledge or process history-

based methods

These two forms of knowledge about a pro-cess could be represented in either qualitative orquantitative schemes (see Fig. 3). Quantitativemethods use mathematical equations, whilequalitative methods solely rely on discrete qual-itative elements (high, low, increasing, decreas-ing, etc) to represent behavior. Thus, all processmonitoring and diagnosis methods can be clas-sified based on the source of knowledge and itsrepresentation into any of the four grids shownin Figure 3. Some of these methods in each ofthe four categories are described in detail next.

2.3.1. Fundamental Knowledge-BasedQuantitative Methods

Quantitative methods are also referred to asanalytical methods in literature [2, 4]. Basedon the measured variables analytical methodsgenerate residuals using detailed dynamicmath-ematical models. The residuals are the out-comes of consistency checks between the plant

observations and the behavior as encoded in themathematical model. The residual will be non-zero due to faults, disturbances, noise, and/ormodeling errors. In the preferred situation, re-siduals or their transformations will be relative-ly large when faults are present, and small in thepresence of other variations. In this case thepresence of faults can be detected by definingappropriate thresholds. In any case, an analyti-cal method will arrive at a diagnostic decisionbased on the values of the residuals.

The threemainways to generate residuals areparameter estimation, observers or Kalman fil-ters, and parity relations [5]. For parameterestimation, the residuals are the difference be-tween the nominal parameters and the estimatedmodel parameters. Deviations in the modelparameters serve as the basis for detecting anddiagnosing faults.

The Kalman filter or observer-based methodreconstructs the outputs of the system from themeasurements or a subset of the measurements.The difference between the measured outputsand the estimated outputs is used as the vector ofresiduals. Unlike open-loop observers that useonly inputs, closed-loop observers/filters, suchas Kalman filters, make use of both the input aswell as output measurements. Closed-loop fil-ters are therefore inherently more stable and donot require accurate knowledge of the processinitial conditions. TheKalman filter is one of the

Figure 3. Classification of process monitoring and diagnosis methods


most widely used tools for state and parameterestimation in stochastic systems and is based onminimizing the least square error criterion of theestimates. In [6], a multilinear model-basedfault detection scheme was proposed based ondecomposition of operation of a nonlinearprocess into multiple locally linear regimes.Kalman filters were used for state estimationand residuals generation in each regime. Anal-ysis of residuals using thresholds, faults maps,and logic-charts enabled on-line detection andisolation of faults.

Parity relation checks the consistency of themathematical equations of the system with themeasurements.

2.3.2. Fundamental Knowledge-BasedQualitative Methods

In qualitative model equations input–outputrelationships are typically expressed in termsof qualitative functions. The processmonitoringand diagnosis methods based on qualitativemodels can be obtained through causal model-ing of the system, a detailed description of thesystem or through fault–symptom analysis.Causal analysis techniques are based on thecause–effect modeling of fault–symptom rela-tionships. Qualitative relationships in thesecausal models can be obtained from the firstprinciples. Causal analysis techniques likesigned directed graphs [7], fault tree, qualitativephysics are based on fundamental processknowledge and use a qualitative framework fordiagnosing faults.

A signed directed graph (SDG) is a qualita-tive model that incorporates the cause-and-effect of deviations from normal operations. Indirected graph, nodes represent process variablevalues and directed arcs represent the relation-ship between them. The directed arcs have apositive (þ) or negative (�) sign attached tothem and also lead from the ‘‘cause’’ nodes tothe ‘‘effect’’ nodes. Sometimes nodes alsodepict process variables or events (system fault,component failure, or subsystem failures). Anode takes the value of 0 when its measuredvariable is within its normal range, a value of‘‘þ’’ when its measured variable is larger than ahigh threshold, or ‘‘�’’ when it’s measuredvariable is smaller than the low threshold. Arcs

take values of ‘‘þ’’ and ‘‘�’’ representingwhether the cause and effect change in the samedirection or the opposite direction, respectively.

Figure 4A shows a gravity flow-tank system.An SDG of this system is shown in Figure 4B.The following faults are considered in thisexample: (i) Leak in stream 0, (ii) Leak instream 1, (iii) Leak in tank, and (iv) Valve stuckin closed position. In this example, when ‘‘leakin stream 1’’ occurs, h will decrease. Therefore,a ‘‘�’’ sign is assigned to the arc which connectsthese two nodes. To determine root cause duringfault the deviations are propagated from theeffect nodes to cause nodes via consistent arcsuntil one ormore root nodes are identified. In theabove gravity flow-tank example, consider thecase where the observed symptoms are that theliquid level h is increasing,while the output flowrate Fout is decreasing. These symptoms indi-cate that the nodes Fin, h, and Fout take thevalues of 0, ‘‘þ’’, and ‘‘�’’, respectively. Basedon SDG shown in Figure 4B, the fault can bedetermined uniquely as ‘‘valve is stuck in theclosed position’’.

2.3.3. Evidential Knowledge-BasedQuantitative Methods

In evidential knowledge-based methods theavailability of large amount of historical processdata replaces fundamental knowledge in deter-mining process behavior. There are differentways in which this data can be transformed andpresented as a priori knowledge to a diagnosticsystem. This extraction process can be eitherquantitative or qualitative in nature.

The quantitative process history-basedmeth-ods essentially formulate the diagnostic prob-lem-solving as a pattern recognition problem.The goal of pattern recognition is the classifica-tion of data points to in general, predeterminedclasses. Statistical methods use knowledge of apriori class distributions to perform classifica-tion. Neural networks on the other hand assumea functional form for the decision rule.

2.3.3.1. Principal Component AnalysisPrincipal component analysis (PCA) is the mostwidely used statistics-based data-driven tech-nique for monitoring industrial systems [8, 9]. Itis a dimensionality reduction technique that is


capable of treating high-dimensional, noisy, andcorrelated data by projecting it onto a lowerdimensional subspace that explains the mostpertaining features of the system.

Let X 2 RnXmrepresent the data matrix.

Where n designates the number of samples(observations) and m denotes the number ofvariables ðn > mÞ. The matrixX is decomposedin terms of a new set of independent variables,the principal components, which are linear com-binations of original variables and are defined tobe orthogonal to each other. PCA relies oneigenvalue decomposition of the covariance ofX in order to reconstruct it as:

X ¼ t1pT1þt2p

T2þ . . . . . .þtap

TaþE ¼ TPTþE; a � m ð1Þ

E ¼ X�TPT ¼X

tipi ð2Þ

where, T ¼ ½t1; t2; . . . ; ta�;T 2 RnXais the

matrix of principal component scores, whichextracts the correlative information of the sam-ples. P ¼ ½p1; p2; . . . ; pa�;P 2 RmXa

. is thematrix of principal component eigenvectors orprincipal component loadings, which abstractsthe correlative information of the original vari-ables and E 2 Rn�m

is the residual matrix,which is the difference between original dataand the reconstruction.Due to the high degree ofcorrelation among the variables, one often findsthat the anterior a principal component canexplain the main variation in the original data

Figure 4. A SDG of a gravity flow-tank systemA) Gravity flow-tank system with three measured variables: a) Input flow rate Fin; b) Output flow rate Fout; c) Height of liquidlevel in tank hB) A signed directed graph for the gravity-tank system with symptoms h is increasing, while Fout is decreasing


variables. Therefore, PCA projects the trainingdata matrix X 2 RnXm

into lower dimensionalPC score matrix T as

T ¼ XP; T 2 RnXa ð3Þ

Hence, the dimensionality is greatly reducedwhich allows the dominant process variabilityto be visualized with a single plot. Fault detec-tion using PCA or its variants is usually per-formed by monitoring the squared predictionerror (SPE) and/or HOTELLING’s T2 statistic. Theformer measures the variation of an on-linesample xi from the PCA model, i.e., lack-of-fitwhile the latter measures the variation of thesample within the PCA model. The process isconsidered normal if SPEi < Qa, where Qa

denotes the upper control limit for confidencelevel 1�a based on a standard normal distribu-tion [10]. An upper control limit T2

a similar toQa can also be derived for the T2 statistic. Afault is flagged when the 95% or 99% confi-dence limits of T2 statistic and/or SPE value isviolated. For fault diagnosis, a fault reconstruc-tion scheme is usedwherein separatemodels aredeveloped for each fault class. The PCA modelthat shows an in-control status during abnormaloperations is considered to flag the right class offault.

One of the shortcomings of PCA-basedmethods is that they suffer from an inability to

explain their results, i.e., they cannot identifythe root cause or describe the fault propagationpathways. PCA-based methods just monitorand detect the abnormal behavior. Recently,PCA-based method has been extended withadditional statistical analysis such as LAMDAclustering [11] or case-based reasoning [12] toperform the root cause analysis of the abnormalbehavior in sequential batch reactor (SBR)processes.

2.3.3.2. Artificial Neural NetworkThe artificial neural network (ANN) is a non-linear mapping between input and output vari-ables consisting of a set of interconnected neu-rons arranged in layers. Neural networks havebeen used successfully for classification andnonlinear function approximation problems.Neural network-based process monitoring anddiagnosis method uses the relationship betweendata patterns and fault classes without modelingthe internal process states or structure explicitly.The three-layer feedforward ANN shown inFigure 5 is the most popular. The networkconsists of three components: an input layer(Fig. 5a), a hidden layer (Fig. 5b), and an outputlayer (Fig. 5c). Each layer contains neurons(also called nodes). Each neuron in the hiddenlayer is connected to all input layer neurons andoutput layer neurons. No connection is allowed

Figure 5. A three-layered feedforward artificial neural network (ANN)a) Input layer: Each neuron gets one input, on-line measurement; b) Hidden layer: Connects input and output layer; c) Outputlayer: Identifier of current process state


within its own layer and the information flow isin one direction only.

One commonway to use a neural network forfault diagnosis is to assign the input neurons toon-line measurements and the output neurons tothe process state indicators (i.e., normal as wellas known process faults). Therefore, the numberof input neurons becomes equal to the number ofprocess variables to be monitored while thenumber of output neurons is equal to the numberof different classes in the training data, i.e., bothnormal and known fault classes. The outputpattern corresponding to the normal conditionsand the faults can be denoted by a vector. Forexample, the vector [1 0 0 . . .] is the outputpattern for normal condition, the vector[0 1 0 0 . . .] is the output pattern for fault class1, and so on. During on-line fault detection anddiagnosis phase, the measurement is projectedon to the trained neural network to map the on-line sample to the process states (normal andknown process faults). Among the various out-put nodes, the one with the largest value isconsidered to indicate the process state if itsvalue is close to 1.

2.3.4. Evidential Knowledge-BasedQualitative Methods

In qualitative process history-basedmethods thefeature extraction is solely in terms of qualita-tive elements, such as: high, low, medium,

normal or increasing, decreasing, constant, orþ1, 0, �1, etc. Qualitative trend analysis is anexample of qualitative process history-basedmethod. The variation of a process variable(PV) with time is called the trend of that vari-able. Trend analysis involves hierarchical re-presentation of variable trends, extraction oftrends, and their comparison (estimation ofsimilarity) to infer the state of the process.Figure 6 shows the shapes of the seven primi-tives differentiated based on their first andsecond derivatives. A trend is represented asa sequence (combination) of these seven primi-tives. The trend of a process variable is demar-cated into simple shapes called atoms. The trendanalysis approach is based on monitoring theordered set of atoms that abstract the trend ofeach process variable. During each state, thevariables in the process exhibit a typical trend.So, the normal operation of the plantwould havea specific trend signature for different variables.When a fault occurs, process variables varyfrom their nominal values and ranges, and ex-hibit trends that are characteristics of the fault.Hence, different faults can be mapped to theircharacteristic trend signatures.

2.3.5. Expert Systems

An expert system is a computer program thatmimics the cognitive behavior of a humanexpert in a particular domain. In general, plant

Figure 6. Primitives for trend analysis [13]


operators and engineers have vast experience inoperating the process and they gather compre-hensive knowledge over the time from theirexperience regarding the nuances when distur-bances/faults occur in the underlying process.The knowledge can be abstracted in terms of aset of logical if-then-else rules. The rule-basedexpert system consists of a knowledge base,essentially a large set of if-then-else rules andan inference engine which searches through theknowledge base to derive conclusions fromgiven facts.

Some examples of the if-then rules are: Forthe gravity-tank system shown in Figure 4A:

. If the liquid level h in the tank increases andthe output flow rate Fout decreases, then thefault is most likely due to ‘‘valve stuck inclosed position’’

. If the liquid level h in the tank decreases andthe output flow rate Fout decreases, then thefault is most likely due to ‘‘leak in tank’’

In the expert systems the knowledge repre-sentation scheme is largely qualitative. Theknowledge base of an expert system may con-tain evidential knowledge based on heuristics,causal knowledge based on first principles, orcombination of the two. Therefore, dependingon its knowledge base an expert system could bean evidential knowledge-based qualitativemethod or could be a fundamental knowl-edge-based qualitative method or a hybrid.

2.3.6. Hybrid Methods

Each process monitoring and diagnosis methodhas its own advantages and weaknesses. Thus, amethod that works well under one circumstancemight not work well under another when differ-ent features of the underlying process come tothe fore. It is clearly difficult to design a perfectmethod that efficiently monitors a large-scale,complex industrial process in all likelyscenarios. Hence, there is a strong motivationfor developing systems that rely on collabora-tion between multiple methods so as to bringtogether their strengths and overcome theirindividual shortcomings. Some of these meth-ods can complement one another resulting inbetter diagnostic systems. Integrating these

complementary features is one way to develophybrid methods that could overcome the limita-tions of individual solution strategies. For ex-ample, a combined neural network and expertsystem tool was developed and its effectivenesswas demonstrated for transformer fault diagno-sis [14]. Other methods with other interactionsare reported by [15–17].

2.4. Future Directions

Nowadays, sensors and equipments are becom-ing ‘‘smart’’ in the sense that they are capable ofperforming self-diagnostics and determiningabnormalities within themselves. Traditionalmonitoring and diagnosis approaches aremono-lithic and do not use such information. Further,they largely rely on a single form of knowledgerepresentation. Incorporating the smarts of thesensors and intelligently combining multiplediagnostic perspectives is an important direc-tion for future research. Some further aspectswhich should be explored are discussed below:

FusionMethods. Amulti-perspective diag-nostic system which includes modern sensordiagnostics would need some form of evidenceaggregation to arrive at a cohesive conclusion.Decision fusion is expected to play a key part inachieving this so that correct decisions areamplified and incorrect ones cancelled out.Although fusion strategies have been attemptedin different fields before, there is not much workbeing done on using them for process monitor-ing and diagnosis. Fusionmethods can be broad-ly classified as utility-based and evidence-basedmethods. Utility-based methods do not utilizeany prior knowledge about the performance ofmonitoring and diagnosis method or evidencefrom its previous predictions, but are based onsome aggregating techniques which evaluatethe combined utility functions generated fromeachmethod. Examples include simple average,voting techniques, and their variants. In con-trast, evidence-based methods use a priori in-formation from previous performance of eachmethod to combine the decisions. Several evi-dence-based fusion schemes such as Bayesianprobability theory, Dempster–Shafer evidencetheory, and decision templates could be ex-plored for improving diagnostic performance.


Dempster–Shafer theory could be particularlyuseful in dealing with scenarios where faults aremutually nonexclusivewhere traditional Bayes-ian approach fails.

Cooperative/Peer Learning. Researchcould focus on establishing learning schemesamong monitoring and diagnosis methodswhich would make each method more intelli-gent with time. Cooperation strategies can usethe decisions and the results of one for guidingother methods especially in their training andmodel upkeep stages. Generally, the decisionvector is shared between monitoring methods;however, other types of information can alsobe transmitted between methods so that peer-learning can be accomplished from sharingintermediate results as well.

Ensemble learning techniques such as bag-ging, boosting, and stacking have been appliedto generate multiple pattern classifiers. Thesetechniques are based on resampling of trainingdata and theoretically more tractable. Thesemethods can be easily adopted to generate andtrain multiple process monitoring and diagnosismethods.

Finally, artificial immune systems (AIS) area new artificial intelligence methodology that isattracting much attention for monitoring engi-neered systems. In an AIS, principles and pro-cesses of the natural immune system are ab-stracted and applied in pattern recognition and avariety of other applications in the field ofscience and engineering. One popular im-mune-inspired principle is negative selectionthrough which self-tolerant T-cells are generat-ed, thus allowing the immune system to dis-criminate self-proteins from foreign (nonself)ones. This principle leads to negative selectionalgorithm (NSA) wherein a collection of spher-ical detectors is generated in the complementary(nonself) space and used to classify new (un-seen) data as self or nonself. AIS is now usedextensively in situations where only largeamount of self (normal) samples are availablebut abnormal samples are either unavailable orvery rare as is often the case in process moni-toring and fault diagnosis. Samples from a givenstate (such as normal or known fault) are con-sidered as self. These samples can be used todevelop a description of the nonself space in theform of a collection of spherical detectors. This

representation is in contrast to traditional statis-tical and pattern recognition algorithms thatstore descriptions of the space occupied by thenormal samples.

3. Risk Assessment and InherentSafety in Process Design! Plant andProcess Safety, 6. Risk Analysis

3.1. Introduction

An abnormal event in a chemical process in-dustry is a disturbance or a series of disturbancesin the process plant which causes the plantconditions to deviate from normal operation.These disturbances may be minimal or some-times catastrophic, causing production losses,off-specification products and in some casesendangering human life. The failure of equip-ment within the plant or human errors are theprimary sources of these abnormal events whichhave resulted in a number of accidents, with theFlixborough disaster, United Kingdom (1974),Bhopal gas tragedy, India (1984), Toulousefertilizer factory explosions, France (2001) andPetrobras offshore platform accident, Brazil(2001) being someof themajor ones. In addition,the risks posed by chemical industries to life,property, and environment have significantlyincreased in recent years as a result of increasedpopulation density near industrial complexes,larger size of operation, higher complexity, anduse of extreme operating conditions.

The modern approach to chemical processsafety is to apply risk management systemstheory to the process. This includes identifica-tion of the hazards posed by the process, and acontinual effort to analyze the risks, and toreduce or control them to the lowest practicallevels, while balancing other business objec-tives. A hazard (center for chemical processsafety, CCPS, 2009) in a chemical processindustry is any source of potential damage orharm to plant equipment whichmay in turn haveadverse effects on humans within or outside theprocess plant. Risk is the chance or probabilitythat a defined consequence (harm) may occur.Safety, as defined by the CCPS, 2009, is tolera-ble risk in comparison to the benefit of theactivity. To ensure safety, every chemical plant


is subjected to a process hazard analysis (PHA)in which the various hazards within a processare identified, relevant mitigation steps taken,and the overall process risk reduced.

3.2. Process Hazard Analysis (PHA)

PHA is a set of organized and systematic assess-ments of the potential hazards associated withan industrial process. A PHA provides informa-tion intended to assist managers and employeesin making decisions for improving safety andreducing the consequences of unwanted or un-planned releases of hazardousmaterials. A PHAis directed toward analyzing potential causesand consequences of fires, explosions, releasesof toxic or flammable chemicals, and it focuseson equipment, instrumentation, utilities, humanactions, and external factors that might impactthe process. The first step in PHA is hazardidentification, for which there are a variety ofmethods [18–20]:

. What/if analysis: An early method of hazardidentification is to review the design by askinga series of questions beginning with ‘‘WhatIf?’’. The method is a team exercise andtypically makes use of predetermined ques-tions, but otherwise tends not to be highlystructured.

. Failure mode and effect criticality analysis(FMECA): Another method of hazard identi-fication is the FMECA. It involves the analy-sis of the failure modes of an entity, theircauses, effects, and associated criticality ofthe failure.

. Hazard and operability studies (HAZOP): Amethod widely used by the process industriesfor the identification of hazards at, or close to,the engineering line diagram (ELD) stage isthe HAZOP study! Plant and Process Safe-ty, 6. Risk Analysis. It is a team exercise,which involves examining the design intent inthe light of guidewords. The purpose of theHAZOP study is to uncover causes and con-sequences of a facility’s response to devia-tions from design intent or from normal oper-ation, i.e., to reveal if the plant has sufficientcontrol and safety features to ensure, that itcan cope with expected deviations normallyencountered during operation including start-

up, shutdown, and maintenance. Most HA-ZOP methods require considerable time andresources, lasting anywhere between 1–8weeks and costing around $20 000 perweek [21]. The traditional HAZOP method-ology was developed for plants in whichcontrol systems were predominantly basedon analogue controllers. In recent years, pro-cess engineers have increasingly chosen touse programmable logic controllers (PLCs),distributed control systems (DCSs) and com-puters for process control. While these sys-tems provide flexibility and close control ofthe process, they introduce an additionalmode of failure to the plant. The processengineer who is going to start up and operatethe plant no longer writes the instructionshimself but explains what he wants to anapplications engineer who writes a specifica-tion which is given to a programmer (thoughthe same person can be an applications engi-neer and programmer). The process andapplications engineers usually speak differentlanguages and may not understand eachother’s problems; they may belong to differ-ent departments and work in different parts ofthe building; these factors can introduce er-rors. A useful summary of different schemesfor CHAZOP is provided by [22]. Consider-ation of three aspects in CHAZOP are sug-gested by [23]: computer system/environ-ment, input/output (I/O) signals and complexcontrol schemes. The questions relating to thecomputer system/environment are essentiallylarger scale, almost overview-type issues thatare better addressed within a preliminarydesign review of the control scheme. Addi-tional information on CHAZOP can be foundin [24, 25].

. Event tree and fault tree analysis: Event treesand fault trees are logic diagrams used torepresent, respectively, the effects of an eventand the contributory causes of an event.

. Consequence analysis and modeling: Exami-nation of different scenarios of plant distur-bance and loss of containment is a centralactivity in hazard identification. The scenari-os may relate to the events before release or toevents involved in escalation after release.Hazard identification, therefore, includesmethods of developing and structuringscenarios.


. Human error analysis: It is well establishedthat human actions play a large role in acci-dents. Human error analysis is used to take thisaspect into account. As a hazard identificationtechnique, human error analysis is qualitative,although a similar term is also sometimes usedto describe a quantitative method.

Once the hazards in a plant have been iden-tified through one or more of the above hazardidentification techniques, the safety risks asso-ciated with them are estimated.

3.2.1. Risk Assessment

Quantitative risk assessment (QRA), alsoknown as probabilistic risk assessment (PRA)or probabilistic safety assessment (PSA), usual-ly deals with major hazards that could cause ahigh death toll. A full-risk assessment involvesthe estimation of the frequency and conse-quences of a range of hazard scenarios and ofindividual and societal risk. In QRA, risk ischaracterized by two quantities: 1) the magni-tude (severity) of the possible adverse conse-quence and 2) the likelihood (probability) ofoccurrence of each consequence. Consequencesare expressed numerically (e.g., the number ofpeople potentially hurt or killed) and their like-lihoods of occurrence are expressed as proba-bilities or frequencies (i.e., the number ofoccurrences or the probability of occurrenceper unit time). The total risk is the expectedloss: the sum of the products of the conse-quences multiplied by their probabilities. Oncethe hazards in the process have been identifiedthe following steps are followed in the quanti-tative risk assessment:

1. Identify vulnerable targets2. Develop hazardous and escalation scenarios3. Identify mitigating features4. Estimate consequences5. Estimate frequencies6. Compute and present risk. Comparewith risk

criteria7. Either accept system or modify system to

reduce risk or abandon design

Although the results of a QRA are typicallyexpressed in terms of deaths or of casualties,

appropriately defined, there are generally otherconsequences that need to be consideredincluding [18]:

. The write-off of the plant

. The impact on the surrounding area

. The anxiety factor

. Consequential detriment

. The ‘What if?’ factor

3.2.2. Hazard Indices

The safety of a process may be determined by anumber of indices, which are in essence conse-quence model-based hazard estimation meth-ods. These are the Dow fire and explosion index(F&EI), Dow chemical exposure index, mondindex (ICI), instantaneous fractional annual lossindex and mortality index.

Dow Fire and Explosion Index. The origi-nal purpose of the F&EI was to serve as a guidefor the selection of fire protectionmethods. Thiswas the first practiced safety index, and is stillthemostwidely used one.Most other indices areexpansions of this basic index. Once a processunit has been identified for evaluation the F&EIis calculated as follows. First a material factor(MF) that is a characteristic of the most ener-getic material in the process is obtained. Thentwo penalty factors (F1 and F2), one for generalprocess hazards (GPHs) and one for specialprocess hazards (SPHs), respectively, are deter-mined, and the process unit hazards factor(PUHF) (F3), which is the product of these, iscalculated. The product of the MF and PUHF isthe F&EI.

3.3. Design Strategies for ProcessRisk Management

Process risk management is the term given tocollective efforts to manage process risksthrough a wide variety of strategies, techniques,procedures, policies and systems that can reducethe hazard of a process, the probability of anaccident, or both. The risks in a process could bemanaged by having multiple safeguardsdeployed in a plant, typically like the layers ofprotection. This concept was introduced in themid-1990s and is now widely adopted and


included in safety codes such as independentsafety assessor (ISA) 84.01. The basic idea isillustrated in Figure 7 which is self-explanatory.The innermost layer is the process design, fol-lowed by basic control systems (BPCS), criticalalarms, automatic actions such as the safetyinterlock systems (SIS); physical protection,dikes, and emergency responses, both plant andcommunity-wide. Each safety layer is indepen-dent, specific, dependable and auditable, pro-viding an order ofmagnitude protection over theprevious layer.

Other methods of classifying the risk mitiga-tion strategies are as follows:

. Inherent–Eliminating the hazard by usingmaterials and process conditions that arenon-hazardous.

. Passive–Minimizing the hazard through pro-cess and equipment design features that re-duce either the frequency or consequence ofthe hazard without the active functioning ofany device.

. Active–Using controls, alarms, safety instru-mented systems and mitigation systems todetect and respond to process deviations fromnormal operation.

. Procedural–Using policies, operating proce-dures, training, administrative checks,

Figure 7. Layers of protection in a chemical plant–each layer adds a magnitude of protection over previous layer [18]


emergency response and other managementapproaches to prevent accidents.

These four strategies could be used in thevarious layers in the layers of protection that arepresent in a chemical plant.

3.3.1. Economics of Risk Management

Process RiskManagement is concernedwith theavoidance both of personal injury and of eco-nomic loss. In both spheres there is an economicbalance to be struck. Some costs arise throughfailure to take proper loss prevention measures;others are incurred through uninformed andunnecessarily expensive measures. In today’senvironment, many loss prevention measuresthat were optional in the past are now mandatedby government regulation.

The result of not taking adequate measuresgives rise to losses and costs such as: accidents,damage, plant design delays, plant commission-ing delays, plant downtime, restricted output,

etc. But taken safety measures have their owncosts as well which add on to total project costs.These costs incurred due to enhanced safetyeffort may be due to management effort,research effort, design effort, process route,operational constraints, plant siting, plant layoutand construction, process instrumentation (tripsystems), fire protection, and emergency plan-ning. Often a balance is required between in-creased safety efforts and benefits to the com-pany. Figure 8 shows typical trends of cost andfunctional attributes for the various design cat-egories. The initial capital is maximum forinherently safer design, is lesser for passive andactive and the least for procedural designsolutions. The operating costs, however, isminimum if an inherently safer design is chosenand is higher for other solutions. The plantscomplexity is minimum and reliability maxi-mum with the selection of an inherently saferdesign solution. Ideally, a safety measure whichprovides acceptable risks while at the sametime not hindering business activity must bechosen.

Figure 8. Comparison of cost and functional attributes for design categories (typical trends)A) Cost for design categories;a) Initial capital; b) Operating costs;B) Functional attributes;a) Complexity; b) Reliability


3.3.2. Inherently Safer Process Design

Inherent safety (IS) is an approach to chemicalprocess safety that focuses on eliminating orreducing the hazards associated with a set ofconditions. The process design which includesinherent safety principles is referred to as aninherently safer process design. An inherentlysafer process should not, however, be consid-ered as ‘‘absolutely safe’’. Implementing inher-ent safety concepts will move a process in thedirection of reduced risk; however, it will notremove all the risks.

Inherent safety is in fact amodern term for anage-old concept: to eliminate hazards ratherthan accepting and managing them. Since pre-historic times humans have used these princi-ples for their survival, like for example, buildingvillages near a river on high ground rather thanmanaging flood risk by building dikes andwalls.But this concept started to be embraced by thechemical process industries only after an articletitled ‘‘What you don’t have, can’t leak’’ onlessons from the Flixborough disaster (1974).The name ‘‘inherent safety’’ comes from anextension of this article published as abook [26].

Design Strategies. The search for inherent-ly safer process options begins early and con-tinues throughout the process life cycle. Thegreatest potential opportunities for impactingprocess safety occur early in process design anddevelopment. Early in development, there is agreat deal of freedom in the selection of chem-istry, solvents, raw materials, process inter-mediates, unit operations, plant location andprocess parameters. Approaches to the designof inherently safer processes and plantshave been grouped into four major strategiesby [27, 28]:

Minimize means to reduce the quantity ofmaterial or energy contained in amanufacturingprocess or plant. Often, the inventory of haz-ardousmaterials on-site is driven by operationaland business considerations, like number oftransportation containers used, railroad dis-patching schedules, trucking schedules, etc.Sometimes inventories are determined by on-site purchasing considerations, such as incom-ing and outgoing shipments related to prices.Careful coordination with shippers and carriers

is required to minimize inventory. The reader isreferred to CCPS [29] for examples of processminimization.

Substitute means to replace a hazardous ma-terial or process with an alternative that reducesor eliminates the hazard. Examples includesubstitution in reaction chemistry, solvent us-age, materials of construction, heat-transfermedia, insulation and shipping containers. Forinstance, in the Reppe process for manufactur-ing acrylic esters an alcohol reacts with acety-lene and carbon monoxide, in the presence of anickel carbonyl catalyst having both acute andlong-term toxicity. The alternative propyleneoxidation process uses less hazardous materialsto manufacture acrylic acid followed by esteri-fication with the appropriate alcohol [30] tomake the corresponding ester. An EPA re-port [31] contains an extensive review of inher-ently safer process chemistry options that havebeen discussed in the literature. This reportincludes chemistry options that have been in-vestigated in the laboratory, as well as some thathave advanced to pilot-plant and even produc-tion scale.

Moderate, also called attenuation, meansusingmaterials under less hazardous conditions.Moderation of conditions can be accomplishedby strategies that are either physical (i.e., lowertemperatures, dilution) or chemical (i.e., devel-opment of a reaction chemistry which operatesat less severe conditions). Dilution reduces thehazards associated with the storage and use oflow boiling hazardous materials in two ways:By reducing the storage pressure; by reducingthe initial atmospheric concentration if a releaseoccurs. Some materials can be handled in adilute form to reduce the risk of handling andstorage, like being stored in an aqueous formrather than in anhydrous form. Many hazardousmaterials, such as ammonia and chlorine, can bestored at or below their atmospheric boilingpoints with refrigeration. A series of case stud-ies that evaluate the benefits of refrigeratedstorage for six materials–ammonia, butadiene,chlorine, ethylene oxide, propylene oxide andvinyl chloride is provided by [32]. Operatingunder less severe conditions, as close to ambienttemperature and pressure as possible, increasesthe inherent safety of a chemical process.

Simplify means to eliminate unnecessarycomplexity, thereby reducing the opportunities


for error and wrong operation. Some sugges-tions on use of simple technologies in lieu ofhigh or more recent technologies are offeredin [26]:

. Fire protection systems should be as simple aspossible. For example, new technology fordetecting fires by using sophisticated detec-tors to measure smoke, heat, ultraviolet radi-ation from fires, is often less reliable than asimple detector that allows the fire to burnthrough a filament and break an electricalcircuit.

. Flare systems should be kept as simple aspossible and not be equipped with other ap-purtenances, such as flame arrestors, waterseals, filters, etc. These components are proneto plugging and reduce flare capacity.

While the above four strategies are the mainones, others such as limitation of effects, avoidincorrect assembly and making status clear arealso available in literature.

3.4. How to Perform IS Evaluation?

A methodology for performing inherent safetyreview at various stages of the process life cycleis described in the following sections. Drawingfrom the principles described by [26], this ap-proach would guide the designer in identifyingalternatives that preempt the identified hazardsduring the various stages of process design.

3.4.1. Product Specification Stage

The objective of inherent safety analysis duringthe product specification stage is to identifysafety issues associated with the product andto challenge the design team to consider alter-natives to the product, means of transportation,and handling systems. The inherent hazardsrelated to storage, handling, transportation andincompatibility of materials are identified basedon physical, toxicological, chemical, and reac-tive properties such as flammability limits, me-dian lethal dose (LD50), stability, reactivity, etc.The physical and chemical properties of thematerial such as its vapor density, boiling point,freezing point, and particle size are considered

when evaluating the impact of the hazard. Thevapor density of a material determines its atmo-spheric dispersion characteristics in the atmo-sphere. The design alternatives at this stage, ingeneral, relate to the use of safer materials ormodification of hazardous material into a lesshazardous form. The burgeoning field of greenchemistry offers general guidelines for design-ing safer chemicals and modifying hazardouschemicals while preserving the efficacy of func-tion through masking or replacement of func-tional groups, identifying alternate functionalgroups, and minimizing bioavailability bychanging the shape, size, structure, dilution, andaltering properties. However, specific alterna-tives such as the use of bleaching powder in-stead of chlorine, the use of toluene instead ofbenzene as a solvent, handling of solids in theform of pellets or granules, processing withsolution, or wetting instead of fine powders canbe derived with the help of heuristics [33, 34].

3.4.2. Route Selection Stage

The process route selection is the heart of thedesign process and determines the inherenthazards associated with the reactor in additionto the number of downstream separation unitsand the need for recycle. The objective duringthis stage is to (1) identify the hazards andprocessing problems that are associated withreactions and chemicals involved in the processroute and (2) rank the available process routes.During this stage, raw materials, byproducts,intermediates, catalysts, and the reaction con-ditions are selected. To evaluate the inherentlysafe nature of a route, reactions can be classifiedinto intended and unintended reactions. Mainreactions and side reactions fall under the cate-gory of intended reactions and are defined by theprocess chemistry. Main reactions are those inwhich raw materials or intermediates are trans-formed to products or intermediates. In contrast,side reactions result in the formation of bypro-ducts from raw materials, products, or inter-mediates. Unintended reactions occur duringabnormal process conditions such as utilityfailure, disproportionate reactants or missingingredients, contact between incompatible ma-terials, etc. Decomposition due to thermal run-away is an example of an unintended reaction.


Reaction hazards can be identified by focusingon intended and unintended reactions occurringin the process. Hazardous reactions are charac-terized by high temperature or pressure, largeheat release, unstable materials, or chemicalsthat are sensitive to air, water, rust, or oil.Material properties have to be evaluated toensure that chemicals that are benign atambient conditions do not become hazardousat process conditions. This will result in thedefinition of a safe operating regime for thereaction. Inherent safety analysis during thisstage can be performed at two levels, prelimi-nary and detailed, based on the amount ofinformation available.

Process routes available can be ranked usinginherent safety indices. It must be simple touse, applicable to both continuous and batchprocesses at all design stages, and capable ofranking individual hazards with apparent fun-damental causes. The index should also pro-mote simplified processes without penalizingnovel technology. Finally, a normally accept-able range, which aids comparison with otherprocesses, should be available. The existingindices, prototype index for inherent safety(PIIS) and inherent safety index (ISI), satisfymost of these criteria. PIIS focuses on the mainreactions and considers factors such as temper-ature, pressure, and reaction yield, heat ofreaction, flammability, toxicity, explosive-ness, and inventory. It can, therefore, be usedonly during the chemistry selection stage. ISIaccounts for side reactions, corrosion, inven-tory (both inside and outside battery limits),type of equipment, and process structure inaddition to the factors considered by PIIS (seeChap. 4).

3.4.3. Flowsheet Development Stage

After a process route has been selected, theflowsheet for the process has to be developed.The major difference between alternate flow-sheets is the type and number of unit opera-tions, reactors, number of recycles, and proces-sing aids involved. Opportunities to substituteor eliminate hazardous materials and to alterprocess conditions are limited at this stagebecause these are largely determined by pro-cess chemistry. Despite the lower impact of

design changes on inherent safety, opportu-nities for influencing the inherent safety of theprocess still exist. The choice of unit opera-tions, the nature and amount of material han-dled, operating conditions, and operationalphilosophy determines the risk associated withequipments. The effectiveness of inherentsafety analysis largely depends on the knowl-edge available to identify hazards, developalternative designs and to rank process flow-sheets. Inherent safety analysis during theflowsheet development stage is envisioned toidentify opportunities to eliminate or reducethe need for equipments and instruments, re-duce the size of process equipments, identifyunit operations that do not require processingaids and involve milder operating conditions,eliminate or reduce the use of hazardous utili-ties, and minimize the chance of fugitive emis-sions and accidental leaks. Using availableinformation, the analysis must identify hazardsunder normal operating conditions as well asunder foreseeable abnormal conditions, rec-ommend design rectifications, and rank alter-native flowsheets.

Inherent Safety Index for Flowsheets. Theflowsheet index (FI) is a measure of the hazard-ous nature of the process as a whole and iscomposed of the chemical index (CI) and theprocess index (PI). The FI is the sum of CI andPI. The CI is based on the maximum index ofparameters related to chemicals involved in thewhole process. The CI is calculated by thesummation of the following sub-indices: heatof main reaction sub-index, heat of side reactionsub-index, flammability sub-index, toxicitysub-index, explosiveness sub-index, reactivitysub-index, chemical interaction sub-index, andcorrosion sub-index. The PI is calculated bytaking into account the operating conditions,inventory and nature of the equipment. Furtherdetails on calculation of these indices are givenin [33, 34].

After performing IS evaluation, the particu-lar design option under consideration is eitherchosen for production, provided risk criteria aresatisfied, otherwise the design is iterated untilacceptable risks are achieved. While it is possi-ble to minimize risk by making the processinherently safer, it must always be kept in mindthat the risk is not completely eliminated.


3.5. Inherent Safety Practices inIndustry

The quantity of literature on company inherentsafety policies and procedures has continued toincrease during the last years, indicating thatawareness is improving. IS reviews are nowmandated by regulation for high-risk facilitiesin someUS states. A number of companies havepublished descriptions of their inherent safetyreview practices:

. Bayer [35] uses a procedure based on hazardanalysis, focusing on the application of inher-ent safety principles to reduce or eliminatehazards.

. Dow [36] uses the Dow fire and explosionindex and the Dow Chemical exposure indexas measures of inherent safety [37, 38].

Companies like Exxon Chemical, BASF,Rohm and Haas, ICI, Berger, and DuPont haveinherently safer design practices incorporatedinto their overall process system managementprogram.

The general view of safety personnel inindustries is that they realize the importanceand advantages of IS design and would like touse it if the procedures were simple and did notrequire too much time since they already haveseveral mandated safety protocols to follow andfile periodic reports on them with the regulatorybodies.

4. Hazards Identification in EarlyStages of Process Design

4.1. Introduction

The importance of the concepts involved inprocess risk analysis is best illustrated by thefact that they are included directly or indirectlyin at least half of the ‘‘Twelve Principles ofGreen Chemistry’’ [39], i.e., prevention, atomeconomy, less hazardous chemical syntheses,use of safer solvents and auxiliaries, reductionof derivatives, real-time analysis for pollutionprevention, and inherently safer chemistry foraccidental prevention. However, it is also truethat the implementation of these principles isnot always straightforward since trade-offs may

exist between hazard or risk minimization andother green chemistry principles and financialobjectives (e.g., optimal use of resources andraw materials).

Moreover, quantifying the effect of the ap-plication of these principles through robust, yetnot too complicated or data-intensive assess-ment methods remains a challenging researchfield. The motivation to look for such simpletools and methodologies arises from the wish tointegrate hazard identification and analysismethods into decision-making during early pro-cess development phases. These early stages ofprocess design are characterized by more de-grees of freedom for implementing changes, butalso by more scarce process data for detailedmethods to be applied. For instance, this can be alimiting factor for the applicability of methodslike HAZOP, fault tree analysis (FTA) FMEA(see Chap. 3) as far as hazard identification andanalysis methods are concerned. The applica-tion of these detailed methodologies stipulatesspecialized teams consisting of process andcontrol systems engineers, production opera-tors, maintenance teams, and advisors for plantsafety policies (e.g., perhaps in cooperationwithinsurance companies). The composition of theseteams already implies that the respective meth-ods are suitable for later stages of process designwhere significant process experience has beengained, or even for retrofitting processes alreadyin operation, and not for preliminary designstages, e.g., during the selection of the chemicalroute and the design of the required downstreamprocesses (Fig. 9).

Starting from information about processchemistry (i.e.; synthesis routes for a givenproduct (P), using raw material (R) and chemi-cal auxiliaries like catalysts (Cat) and solvents(Solv) data are gathered about substance prop-erties and process conditions either from exist-ing databases or lab experiments. Safety, health;and environmental (SHE) hazards assessmentprocedures can be then implemented eitherbefore or after the development and analysis ofprocess flowsheets.

For the problem of hazard identificationduring these early stages of process design,various index-based methodologies have beenproposed, mainly during the 1990s and2000s [40–45]. A qualitative and quantitativecomparison of suchmethods can be found in the


work of [46], where one of themain conclusionswas that there is no unique merit of one methodover the other in any of the SHE aspects takeninto account. Among the compared methods inthis study is the one of [47], which has been latermodified and integrated into a general multi-objective screening framework for early stagesof process design by [48, 49].

4.2. An index-based approach forSHE hazard identification

4.2.1. Overview

An important feature of SHE hazard identifica-tion approaches is the kind of data required forthe assessment. Generally, two categories ofinput data can be distinguished:

. Substance related data: including for in-stance physical properties (e.g., boilingpoint), substance classification methods(e.g., EC risk phrases and hazard symbols),toxicity data (e.g., immediately dangerous tolife and health concentrations (IDLH)), deg-radation data (e.g., half-life values and bio-degradability data after 28 days (OECD28d)), accumulation data (e.g., octanol–water partition coefficients) and variousemission limits.

. Process related data: about operating condi-tions (e.g., temperature and pressure) andperformance (e.g., yield of reaction)

The required data imply that the SHE assess-ment practitioner should have a complete list ofthe chemical substances involved in the processand at least an estimation of the main processoperating conditions, which could be the resultof preliminary modeling or lab experiments.The required substance data of all categoriescan be obtained from available databases, e.g.,Design Institute for Physical Properties(DIPPR-801, 2007) [50], National Institute ofStandards and Technology (NIST, 2010) [51],International Uniform Chemical InformationDatabase (IUCLID-5, 2008) [52] (), CanadianCentre for Occupational Health and Safety(CHEMpendium, 2006) material safety data-sheets (MSDS) [53], using property estimationmethods and quantitative structure-activityrelationship (QSAR) techniques or even byconducting lab experiments to fill in data gaps.

The data collection part is a common featureof all the index-based methods and the requiredeffort depends heavily on the SHE effects con-sidered by each method. On the other hand, theprocess modeling at these early stages of pro-cess design involves mainly the construction ofsimple linear mass balances taking into accountreaction yields and separation efficiencies based

Figure 9. Early stages of process design and hazard assessment


on empirical correlations and shortcut models.Rigorous modeling is avoided at these earlydesign stages because of lack of necessaryprocess information (e.g., reaction kinetics)and often overwhelming amount of alternativesthat have to be checked regarding availabletechnologies.

4.2.2. Methodology

As mentioned above, the data collection proce-dure is directed by the settings of each SHEhazard identification method with regard to theeffects taken into account. The framework forSHE hazard assessment proposed by [47]attempts to estimate the relevant hazards byusing a set of characteristic dangerous proper-ties for each SHE category. More specifically, itis assumed that the dangerous properties con-tributing to the safety hazard are:

. Mobility

. Fire/explosion

. Reaction/decomposition

. Acute toxicity

Those, contributing to the health hazard are:

. Irritation

. Chronic toxicity

Water- and air-mediated effects which mustbe considered for the environmental hazard like:

. Solid waste

. Degradation

. Accumulation

The calculations proposed by the authorscomprise the following three steps:

1. Step 1: A set of m aspects (Ai;j;m) is used todefine an index-value (IVi;j) for each danger-ous property i and substance j. For thispurpose, a ‘‘scaling and prioritization’’meth-odology has been proposed, which isexemplified for the dangerous property‘‘accumulation (i ¼ Acc)’’ belonging to en-vironmental hazards by the following calcu-lations:

AIAcc;j;1 ¼ f1ðlogðBCFÞÞ ¼ linear mapping ½2; 4�!½0; 1� ð4Þ

AIAcc; j;2 ¼ f2ðlogðKowÞÞ linear mapping½3; 5�!½0; 1� ð5Þ

AIAcc; j;3 ¼ f3ðRcodesÞ ¼1; if R-code ¼ 48; 53; 58

0:5; if R-code ¼ 33

0; if R-code ¼ other value

8><>:

ð6Þ

AIAcc;j;4 ¼ f4ðqualit:inpÞ ¼

1; if qualit:inp ¼ high

0:75; if qualit:inp ¼ probable

0:5; if qualit:inp ¼ possible

0:25; if qualit:inp ¼ low

0; if qualit:inp ¼ no

8>>>>>><>>>>>>:

ð7Þ

AIAcc;j;5 ¼ f5ðno dataÞ ¼ 1 ð8Þ

where AIAcc; j;m denotes an index value foraspect AAcc; j;m, BCF is the bioconcentrationfactor, Kow is the octanol–water partitioningcoefficient, R-codes refer to EC risk phrases,qualit.inp stands for qualitative informationabout possible accumulation and no datarefers to the situation that no data for theabove categories are available for substancej. These calculations are typically mentionedas scaling of relevant parameters for SHEindex calculation, while prioritization refersto the fact that the final index value for thedangerous property ‘‘accumulation’’ (IVAcc;j)is calculated according to AIAcc;j;1, if BCFdata are available for substance j, otherwiseaccording to AIAcc;j;2, if Kow data are avail-able for substance j, and so on.

2. Step 2: After all IVi;j values are calculated,they are translated with empirical equationsinto some kind of physical unit per unit mass,which is then multiplied by the substancemass (mj) to result in a ‘‘so-called’’ potentialof danger (PoDi;j). For instance, for thepreviously calculated IVAcc;j:

PoDAcc;j ¼ mj�10ð2�IVAcc;jÞ ½kg� ð9Þ

The reasoning behind this transformation ofIVi; j to PoDi; j depends on the dangerousproperty, i.e., different types of formulaswith different constants are proposed foreach dangerous property. For example, inthe case of ‘‘accumulation’’, as it is clearfrom the previously described ‘‘scaling andprioritization’’ scheme, theBCF orKow para-meters are used to provide a physical mean-ing to this scale, i.e., a value of BCF equal to


100 or lower indicates low potential for asubstance to accumulate in the food chain,and therefore in a steady-state scenario therelative factor for potential to accumulate inthe food chain is set to 1 kg per kg ofsubstance released to the environment, whileat the same time IVAcc; j ¼ 0. Then the casesof BCF ¼ 1000 and BCF ¼ 10000, whichcorrespond to relative factor values of 10 and100, respectively, were used to define themiddle (IVAcc; j ¼ 0:5) and maximum(IVAcc; j ¼ 1) values of the index scale, andtherefore also defined the formula forPoDAcc; j. Examples of the physical meaningof PoDi; j for other dangerous propertiesare: amount of air or water polluted toemission limit (m3/mg) for air- or water-mediated effects, respectively, belongingto environmental hazard and probableenergy potential for reaction with oxygen(kJ/kg) for fire/explosion dangerous propertybelonging to safety hazard. A detailed defi-nition of the physical meaning and the for-mulas involved in the calculation of thePoDi; j can be found in [47]. These PoDi;j

values can be then aggregated for all sub-stances resulting in a total potential of dangerof the process for each of the SHE dangerousproperties.

3. Step 3: The last step of the calculation pro-cedure is to reduce the PoDi;j values toacceptable levels by applying technologyfactors (Ti; j; k) representing the effect oftechnology k for a specific substance j intoconsidered dangerous property i. The overallcosts associated with the technologies to beapplied can be considered as an unbiasedaggregation procedure for estimating theoverall effect of SHE hazards for a givenprocess. Despite the advantage of such aprocedure that avoids subjective weightingand aggregation of index values representingdifferent hazards, the additional scalingparameters needed to transform the indexvalue into a relevant physical unit and thenot always trivial task to define the appropri-ate technology factors and associated costsincrease the complexity of calculations andthe amount of required data. As alreadymentioned, this can be a serious limitationfor the applicability of this approach, sinceusually in the earliest stages of process

design a fast screening is desirable makingsimpler approaches more attractive.

Therefore, [48] have modified the methoddescribed above by substituting the last twosteps with a weighting and aggregation schemefor the SHE hazards based on the number ofdangerous properties taken into account fortheir calculation, so that at the end each danger-ous property has equal importance. In this wayan overall SHE hazard score is calculated,which can be used to rank process alternativesaccording to the following formulation:

Sr ¼Xc

wc� �Hrc

HrE ¼

Xi;ði2EÞ

Xj

ðz�maxF

ðmFj Þ�IVi;jÞþ

Xi;ði2EÞ

Xjo

ðmoutjo�IVi;jÞ

HrH ¼

Xi;ði2HÞ

maxF

ðXj

IVi;jÞ

ð10Þ

HrS ¼

Xi;ði2SÞ

maxF

ðXj

mFj �IVi;jÞ

�Hrc ¼ Hr

c

maxrðHrcÞ

ð11Þ

where Sr refers to the overall score of a process rfor the production of a given chemical com-pound, �H

rc refers to the overall normalized

hazard for category c (c ¼ E, H, or S standingfor environmental, health, and safety categories,respectively), mF

j is the specific mass flow ofsubstance j in flow F of the process, mout

jois the

specific mass flow of substance jo leaving theprocess (excluding the main product of theprocess), and z is a fraction of mass emitted tothe environment in an accidental case.

According to the aforementioned formula-tion the material balances of the process arenecessary in order to calculate the environmen-tal and safety hazards, while health hazards areevaluated on the basis of an inventory-freescenario. The reasoning for this choice is thathealth hazards in this framework are meant tocapture effects due to the normal operation ofthe plant and not due to an accidental case.Therefore, the relevant mass would be the dosea worker takes up during a specified period oftime. This mass depends on unknown para-meters during early phases of process design,like the equipment and the working conditionsrather than the inventory. Moreover, some ofthe scales for the chronic toxicity refer to non-threshold effects, like for instance those of


carcinogens and allergens, a single molecule ofwhich can theoretically be harmful. For thiskind of compounds it is often just the presenceand not the amount that is critical for safetymeasures to be taken in order to avoid harm tothe personnel. However, it should be understoodthat this inventory-free formulation for the cal-culation of the health hazards is a proposition ofthe authors that heavily depends on which dan-gerous properties are taken into account (e.g.,acute toxicity, for which mass balances shouldbe clearly taken into account, is considered as adangerous property only for the safety hazard inthe original formulation of [47] as well as inthose of [48, 49], while it could be argued thatacute toxicity should be also considered for thehealth hazard) as well as on which effects arehighlighted for the evaluation of these danger-ous properties (e.g., effects of carcinogenicity,mutagenicity, etc.). If the practitioner judgesthat health hazards should be evaluated on thebasis of material balances then the formula forthe calculation ofHr

H will be similar to the one ofHr

S. Finally, the formulation presented abovecan be either applied once for the whole processor separately for each process step.

4.2.3. Application in Case Studies

A simplified version of the methodology of [47]has been used for the assessment of some of themost frequently used solvents in chemical in-dustry. The dangerous properties for the cate-gories SHE have been rearranged according toFigures 10–12.

In this simple case where different sub-stances and not different process alternativesare compared the assessment can be performedby simple addition of the index values for eachdangerous property, since mass-flow informa-tion is not relevant. Therefore, the maximumSHE score for any substance will be nine. As anexample, the values for acetone are presented inTable 1.

In Figure 13, the SHE score results are pre-sented for 11 selected solvents. An extensiveevaluation of organic solvents has been per-formed by [54], including a two-dimensionalanalysis according to SHE scores and cumula-tive energy demand (CED) values. This type ofanalysis can provide a preliminary screening fordecision-making during early stages of processdesign for solvents and other auxiliaries to beused in chemical synthesis.

More detailed examples where this SHEassessment framework has been applied forthe selection of process alternatives havebeen reported by [48, 49], comparing six andseven different chemical synthesis routes inthe case of methyl methacrylate (MMA)and 4-(2-methoxyethyl)phenol production,respectively.

4.3. Conclusions and FutureDirections

Index-based approaches, like the SHE frame-work based on the work of [47], are popular inearly stages of process design due to their

Figure 10. Dangerous properties and scaling approaches taken into account for an index-based hazard estimation in category‘‘environment’’*: Category persistency estimates the persistency of substances in the water using aquatic half-life**: Maximum index value is taken when there is more than one parameter at the same priorityWGK: Wassergefahrdungsklasse (German water hazard class)L(E)C50aquatic: Aquatic lethal or effect concentration using Daphnia magna


simplicity and the fact that lack of detailedinformation about the process set-up makes theimplementation of more rigorous approachesmeaningless. These simple index-based ap-proaches can be used either for substance orfor process assessment and they have beenapplied in various case studies presented in

scientific literature. However, points of criti-cism regarding these approaches about the sub-jective nature of scaling andweighting schemes,the different coverage of SHE aspects by differ-ent frameworks, and the resolution of the overallscores of the proposed indices have also beenreported [44, 55].

Figure 11. Dangerous properties and scaling approaches taken into account for an index-based hazard estimation in category‘‘health’’*: Category irritation estimates the effect of eye or skin irritation**: Maximum index value is taken when there is more than one parameter at the same priority***: Used only when there is no LD50 value availableLD50 dermal: Lethal dose via dermal exposure using rat, mouse, rabbitMAK: Maximale Arbeitsplatzkonzentration (workplace threshold value)GK: Giftklasse (swiss poison class)

Figure 12. Dangerous properties and scaling approaches taken into account for an index-based hazard estimation in category‘‘safety’’Partial pressure: Partial pressure of pure component at process temperatures (25�C)DBoiling point: Temperature difference between standard boiling point and process temperature (25�C)DFlash point: Temperature difference between flash point and process temperature (25�C)IDLH: Immediately dangerous to life and healthGK: Giftklasse (swiss poison class)


Recently, [55] have proposed a new ap-proach for screening inherently benign chemi-cal process routes based on PCA. Although thisapproach provides a promising alternative tosubjective weighting and can be quite flexibleregarding missing data and extensibility to newcategories for process assessment, there are stilla few issues to be resolved regarding its settings.Finally, more emphasis should be given to casestudies that compare SHE hazard identificationresults obtained with simple methods in earlystages of process design with more rigorous riskanalysis and life-cycle analysis approaches ap-plied in later design stages or even for process inoperation. This can improve the robustness ofthe index-based methods used in early designstages by enriching them with features for pres-ently unaccounted effects, lead to more uniform

formulations of these methods, especially withregard to the environmental and the healthhazards category and finally enhance the bridgeof continuity between different stages in theprocess design and retrofitting life cycle.

5. Supply Chain Risk Management

5.1. Introduction

A supply chain (SC) is the system of organiza-tions, people, activities, information, and re-sources involved in transforming raw materialsinto a finished product and delivering it to theend customer. Supply chain management(SCM) encompasses the planning and manage-ment of all activities involved in sourcing,procurement, conversion, and logistics to en-sure smooth and efficient operations. SCM is animportant element in enterprise managementand a preferred way to reduce costs, improveperformance, and manage the business amidstvarious uncertainties. In a global survey ofcompanies in both discrete and process indus-tries, the median SCM cost was reported to be10% of revenue [56]; however, the cost in theprocess-based industries could be as high as30% [57].

In recent years, due to increasing competi-tion and tightening profit margins, companieshave adopted a number of strategies to operate

Table 1. SHE hazard identification for acetone

Dangerous property Index value Considered aspect

Persistency 0.13 half life ¼ 1.8 d

Air hazard 0.18 Ind.Val chronic tox.

Water hazard 0.00 LC50 ¼ 7000 mg/L

Acute toxicity 0.30 IDLH ¼ 6500 mg/m3

Chronic toxicity 0.18 MAK ¼ 1200 mg/m3

Irritation 0.63 R-code ¼ 36

Release potential 0.70 vapor pressure ¼ 0.3 bar

Fire/explosion 1.00 flash point ¼ �18�CReaction/decomposition 0.00 NFPA ¼ 0

Overall score 3.12

Figure 13. Results of the SHE hazard identification for 11 selected pure organic solventsa) Environment; b) Health; c) Safety


more efficiently and reduce SC costs. In general,lower cost and higher efficiencies are accom-plished through a globalized SC, higher capaci-ty utilization, lower inventories, and just-in-time activities. However, there is a trade-offbetween efficiency and vulnerability. For in-stance, a survey by the Procurement StrategyCouncil reveals that 40% of large businessesrely on a single supplier [58]. Single sourcingdecreases cost, but production continuity hingesupon the single supplier. Similarly, outsourcingleads to a more complex SC with more linksexposed to a greater variety of disruptions.Sourcing from and distributing to other coun-tries in other continents result in a globalized SCwith exposure to new risks including political,cultural, and security risks. Just-in-time produc-tion and inventory reduction eliminate bufferswhich could be critical for business continuitywhen an unexpected event strikes. Hence, thereis a clear need for enterprises to manage SC riskand reduce vulnerability so that they can re-spond and recover from disruptions promptlyand efficiently. However, a recent survey re-veals that only 42% of businesses have corpo-rate standards and practices for overseeing themitigation of SC risk [59].

Some recent events highlight the importanceof SC risk management. Hurricane Katrina dis-rupted operations of Chevron Oronite’s lubeadditive plant in Belle Chasse, Louisiana, USA,and tipped the marine lubricants industry into acrisis [60]. In 2000, there was a fire accident at aPhilips’ chip plant in Albuquerque, New Mex-ico, disrupting supply of radio frequency chipsto Ericsson. Slow in managing the supply dis-ruption and securing alternate supplies, Erics-son consequently lost significant market shareand eventually left the mobile handset mar-ket [61]. These examples illustrate the dominoeffects inherent in SCs, which directly or indi-rectly translate into financial losses. It is re-ported that SC glitches negatively impactedstock prices by nearly 20% [62]. Another studyreported that when chief financial officers(CFOs) and risk managers were asked whatwould cause the most disruption to the business,SC matters came second only to laborissues [58].

In the SC context, risk is defined as thepotential negative impact that may arise froman adverse situation such as a disruption to SC

operations, which will be discussed inSection 5.2. This definition of risk includes, butis not limited to, financial risk, where it primar-ily refers to investment loss. SC risk is oneaspect of enterprise risk management, whichcan be broadly classified into market, credit,and operational risks [63]. SC risk falls underoperational risk.

Disruption can be defined as any event orsituation that causes deviation from normal orplanned SC operations. Disruptions bring aboutadverse effects such as blockage of material andinformation flow, loss of ability to deliver theright quantity of the right product to the rightplace and at the right time, inability to meetquality requirements, loss of cost efficiency,under- or oversupply, and process shutdown.The complex interactions among the constituententities make the SC inherently vulnerable todisruptions. A disruption in the production sideof a supplier can have implications for the webof transportation and logistics services thatmove material from one plant to another, andeventually propagate to final products deliveredto customers. Similarly, disruptions in the in-formation and communication technologies thatsupport the SC operation can simultaneouslypropagate across the entire network rapidly.Such disruptions occur not only from disastersbut also due to ‘‘normal’’ dynamics, such aslimited capacity in a fast-growing industry,demand changes due to new competitors, orsudden loss of customer confidence.

Risk management and disruption manage-ment are closely related. Risks are often mea-sured in two dimensions—frequency and sever-ity. Risk management aims to reduce either orboth to acceptable levels by having proper safe-guards and mitigating procedures which protectagainst the risks. Disruption management aimsto minimize the impact of disruptions as theyoccur and restore the SC to normal operation assoon as possible. Having a reliable disruptionmanagement system will reduce the severity ofthe disruption when it strikes. Hence, disruptionmanagement can be viewed as a part of riskmanagement.

SC risk can be an implicit consideration inSCM at the different levels: strategic, tactical,and operational. For example, at the strategicand tactical levels, demand uncertainties aretaken into account in SC design [64] and


planning [65]. At the operational level, uncer-tainties in supply, demand, and other risks areconsidered in robust scheduling [66, 67]. On theother hand, SC risk management—the focus ofthis chapter—is explicitly aimed at dealing withand managing SC risk. It is a growing researcharea [68] and continues to attractmore attention,especially in the operations research, SCM, andlogistics communities [69].

5.2. Supply Chain Risk Classification

SC risk can be classified in several differentways. Based on the source, SC risk can beclassified into [70]:

. Environmental: these are any uncertaintiesarising from the SC–environment interaction,e.g., accidents, socio-political actions, andnatural disasters

. Network: these risks arise from interactionsbetween organizations within the SC, e.g.,outsourcing risks, distorted information, andlack of responsiveness of SC partners

. Organizational: these risk sources lie withinthe boundaries of the SC parties, e.g., laborstrikes, machine failures, and IT-systemdisruptions

Based on the scale, SC risk can be classifiedinto [71]:

. Single-stage (or company): affecting justa single organization or member of the SC

. Supply chain: affecting an entire SC

. Regional: affecting a whole region, not justthe SC

Based on its measures, SC risk can be gener-ally classified into:

. High-probability, low-severity: these risksarise from day-to-day variability anduncertainties

. Low-probability, high-severity: managementof these risks has also been termed as businesscontinuity or disaster management [72]. Forexample, these are disruptions caused byterrorist attacks, natural disasters, and otherphysical events such as industrial accidentsand labor strikes [73] or chemical, biological,radiological, and cyber events [74]

Another classification is based on whetherthe risk is controllable (e.g., cost, design), par-tially controllable (e.g., fire accidents, employeeaccidents), or uncontrollable (e.g., earthquake,hurricane) [75].

5.3. Framework for Supply ChainRisk Management

The general framework for SC riskmanagementis shown in Figure 14 and comprises the fol-lowing steps:

1. Risk identification: The first step is to recog-nize uncertainties and risks faced by the SC.

Figure 14. Supply chain risk management framework [76]


With globalization and increased outsour-cing practices, the number of parties in-volved in the SC and the links connectingthem have increased significantly. Hence,some risks may not be obvious and need tobe identified in this step.

2. Risk quantification: Risk is usually quanti-fied in financial terms and/or ranked accord-ing to some predefined criteria. Both riskdimensions (frequency and severity) need tobe considered, taking into account the effectsof safeguards and mitigating actions, if any.

3. Risk assessment: The risk management teamdecides whether the risk quantified in theprevious step is acceptable based on experi-ence, industry standards, benchmarks, orbusiness targets. If not, additional mitigationactions or safeguards are required.

4. Risk mitigation:Mitigating actions and safe-guards such as emergency procedures andredundancies have to be developed for therisks, based on both the SCmodel and inputsfrom the risk management team or relevantpersonnel. Two types of mitigating actioncan be differentiated–preventive and respon-sive. Once the risks have been deemed ac-ceptable, SC operations proceed with theappropriate safeguards and mitigating ac-tions in place.

5. Risk monitoring: The SC structure and op-eration do not remain stationary but changesregularly due to, for example, new suppliers,new regulations, new operating conditions,new products, etc. The risk managementteam should continually monitor the SC fornew risks. The team might be required tostart from step (1) to consider the new risksarising from these changes.

This framework is comparable to the riskmanagement process in [70, 77].

5.4. Methods for Supply Chain RiskManagement

5.4.1. Supply Chain Risk Identification

Two of the tools used for risk identification arerisk checklist and risk taxonomy [78]. Riskchecklist is a list of risks that were identifiedon previous projects, and often developed from

managers’ past in-house experience. The risktaxonomy provides a structure to organize thechecklist of known enterprise risks into generalclasses. For example, enterprise risks are divid-ed into internal processes and business environ-ment. Each can be further classified, for in-stance, internal processes can be divided intofinancial, operational, and technological risks.Risk identification is performed by goingthrough each item in the checklists and taxo-nomies and evaluating their applicability andimplications in the situation at hand. The keystrength of these methods is their flexibility,which makes them applicable to diverse situa-tions. Two shortcomings arise from applicationof these methods to SC risk identification. First,they are rather ad-hoc and not systematic.Second, they are not tailored to SC and thus donot consider the complexity which arises fromthe interconnections among supply chain enti-ties. Both of thesemay lead to ‘‘blind spots’’ andunidentified risks.

Risk identification could also be donethrough stress testing, i.e., identifying key sup-pliers, customers, plant capacity, distributioncenters and shipping lanes, and asking ‘‘whatif’’ questions to probe potential sources of riskand assess possible SC impacts [79]. Role-play-ing or ‘‘red-blue teaming’’ is a similar approachcommonly used in the military [80]. In thisapproach, a red team generates a set of scenariosthat they believe can lead to serious disruptions.The blue team attempts to provide mitigation orcountermeasures against the scenarios. Thesemethods are also flexible but suffer the sameshortcomings of checklists and taxonomies,they are ad-hoc and not systematic.

A more structured risk identification ap-proach is based on the HAZOP analysis methodfrom chemical process risk management [76].SC networks are in many ways similar to chem-ical plants. Drawing from this analogy, SCstructure and operations can be representedusing flow diagrams, equivalent to process flowdiagrams (PFDs). Following the HAZOP meth-od, SC risk identification can be performed bysystematically generating deviations in differ-ent SC parameters, and identifying their possi-ble causes, consequences, safeguards, and miti-gating actions. The deviations are generatedusing a set of guidewords in combination withspecific parameters from the flow diagrams.


Table 2 gives a nonexhaustive list of theseguidewords and parameters. The guideword‘‘low’’ can be combined with a flow to resultin, for example, the deviation ‘‘low demand’’.Possible causes and consequences can be iden-tified by tracing the flows in the flow diagrams.Safeguards are any items or procedures whichhelp to protect against a particular deviation. Itcould protect against the deviation before itoccurs, i.e., reducing the frequency, or help torecover quickly and minimize impact after itoccurs, i.e., reducing the severity. An exampleof the former is safety stock, which protectsagainst demand uncertainty; an example of thelatter is insurance. Mitigating actions are addi-tional items or procedures on top of any existingsafeguards which are deemed necessary toman-age the deviation. Table 3 shows a sample SC-HAZOP result for the deviation ‘‘no crudearrival’’ in a refinery SC.

SC-HAZOP has two notable advantages. It issystematic, because the deviations studied aregenerated using predefined guidewords and per-tinent system parameters. It is also complete,because it is structured around a representationof the whole process in the form of flow dia-grams. A possible disadvantage is that the SC-HAZOP life cycle requires considerable effortand resources, from developing the diagrams,analyzing deviations, identifying safeguardsand mitigating actions, to documenting theresults.

5.4.2. Supply Chain Risk Quantification

Risk quantification can be done through riskestimation and risk mapping [81, 82]. In thisapproach, the identified risks are rated on theirprobability and severity. Relevant personneland domain experts are asked to fill a surveyform (Fig. 15) to estimate the risks’ probabilityand severity. The risks are then placed on a riskmap, a two-dimensional map with one axis forprobability and another for severity, accordingto its aggregate probability and consequencesrating (Fig. 16). Based on the risk map, thedecision maker can decide a priority of risks tofocus on, e.g., thosewith higher probability and/or higher severity. This approach quantifies therisks in terms of probability and severity ratingsand results in a qualitative ranking of the iden-tified risks.

A more quantitative output for further riskquantification can be obtained through simula-tion [83, 84]. Simulation models of the SC areused to capture the behavior of the SC entities,their interactions, the resulting dynamics, andthe various uncertainties. Given a set of inputparameters, the SC operation can be simulatedand the SC performance can be quantified ascaptured in a number of KPIs (key performanceindicators) such as profit, total cost, and demandfulfillment level. Different risk scenarios andrisk mitigating strategies can be simulated toquantify their benefits and costs.

5.4.3. Supply Chain Risk Mitigation

Six general risk mitigation strategies are:

Redundancy. Additional resources to guardagainst uncertainty, e.g., safety stock, backupequipment. Redundancy involves additionalcost and thus, the trade-off between vulnerabil-ity and cost. Redundancy can be reduced with-out increasing vulnerability by improving riskmitigation capabilities through other strategies.

Table 2. Sample guidewords and parameters for HAZOP

Guidewords Meaning

No none of the design intent is achieved

High quantitative increase in a parameter

Low quantitative decrease in a parameter

Early/late the timing is different from the intention

Parameters Examples

Material flow raw material, side product, energy, utility, etc.

Information flow order, quote, forecast, message, signal

for action, etc.

Finance flow cash, credit, share, receivables, pledge, etc.

Table 3. Sample SC-HAZOP result

Deviation Causes Consequences Safeguards Mitigating actions

No crude

arrival

jetty unavailability;

shipper disruption;

supplier stock-out

low stock, out-of-crude;

operation disrupted;

demand unfulfilled

safety stock; emergency

suppliers

more reliable shipper; frequent

check with supplier/logistics;

rescheduling


Risk Sharing. Risk is shared among differ-ent members of the SC through contractualrequirements, e.g., buy-back contract and reve-nue sharing contract. A similar strategy is risktransfer, usually through insurance.

Visibility. Uncertainties in production,transportation, and other variables could propa-gate through the SC leading to a lack of confi-dence in its overall operation. This can bemanaged by improving visibility and con-trol [85]. The key to improved visibility isshared information among supply chain mem-bers which translates to less ‘‘just-in-case’’safety stock, shortened lead-time, and reducedcost. Visibility also significantly minimizes thebullwhip effect, i.e., the amplification of orderfluctuations as one moves upstream in the SC.Control of SC operations is essential as infor-mation is useful only if necessary actions can betaken accordingly, for example, if a flexible

production line can efficiently handle orderchanges once the information arrives.

Flexibility. Companies can reduce redun-dancy without increasing vulnerability by hav-ing inherently flexible SC designs that are de-mand-responsive. Reducing the number of partsand product variants allows aggregate forecast-ing, which is more accurate and creates inherentflexibility–inventory can be deployed to servemultiple products and markets. Other measuresto build flexibility include interchangeability,postponement, and supplier and customer rela-tions management [86].

Agility. The ability to thrive in a continu-ously changing, unpredictable business envi-ronment. This can be achieved, for example,by working with highly responsive suppliers.Agility is a key for inventory reduction, as itallows the enterprise to adapt to market

Figure 15. Sample survey form for risk estimation

Figure 16. Sample risk mapa) Machine breakdown; b) Transportation failure; c) Supplier quality problems; d) Supplier failure; e) Increasing raw materialprices; f) Accident (e.g., fire); g) Terrorist attack


variations more efficiently and respond to con-sumer demandmore quickly. Combining agilitywith leanness (inventory reduction) enables costeffectiveness of the upstream chain and highservice levels even in a volatile marketplace inthe downstream chain [87].

Disruption Management. A disruptionmanagement system should be capable of de-tecting abnormal situations before they occur,diagnosing the root cause, and proposingcorrective actions as required [88]. It shouldalso be capable of coordinating SC resources toreturn the SC to normal and planned operation[89].

For other and more specific riskmitigation strategies, the reader is referred to[80, 86, 87, 90].

5.5. Conclusion and FutureDirections

Today’s SCs strive to be increasingly efficientand effective by adopting strategies such asoutsourcing, globalized operation, just-in-timepractices, and lean inventory. However, thesemeasures to operate the SC more efficientlyoften lead to increased fragility and risk expo-sure. As uncertainties become more prevalentand disruptions arise from many sources, SCrisk management has become imperative. TheSC risk management framework comprises riskidentification, risk quantification, risk assess-ment, risk mitigation, and risk monitoring.Various methods for risk identification, riskquantification, and risk mitigation have beenpresented.

Going forward, new risks are entering theSC. Energy source and cost will continue to beuncertain. This could have a significant impactfor SCs as energy and fuel cost makes up themajority of logistics cost. The uncertain globalpolitical climate will impact SCs operatingacross national borders. Demand could be vola-tile as new markets emerge, shifting the longer-term demand pattern from Japan to China andfrom Europe to Middle East and North Africa.Increased focus on sustainability of SCs bringsabout new risks and opportunities [91]. In theliterature, there has not been much attention oncommon cause failure, i.e. multiple things going

wrong due to a common root cause, e.g. wide-spread power failure.

6. Safety Management in IndustrialPractice

6.1. Management of Major Hazardsin the Process Industries

The chemical process industry has been thesource of some of the largest accidents anddisasters caused by human activity! Plant andProcess Safety, 1. Introduction.

Considering the risks involvedwith chemicalprocessing most, if not all, organizations work-ing in the chemical process industries have tomanage major hazards. The actual types ofhazards vary widely over the industries, fromwell blow-outs in the oil industry, dust explo-sions in huge storage silos, to poisoning andbiohazards associated with the release of micro-scopic quantities of toxic or biological material.There will obviously be differences in the detailof how the very industry specific hazards aremanaged.However, the current theory and prac-tice of how to overall manage such hazards isapplicable over the full spectrum of hazards inthe chemical processing industries.

The accidents associated with major ha-zards are often termed process safety accidentsas opposed to workplace safety accidents. Theworkplace safety accidents comprise individ-ual accidents, e.g., slips, trips, and falls. Both ofthe terms major hazards and process safety willbe used in the following. It is worth noting thatthe methods for managing process safety canbe used for all industries with major hazards,e.g., transportation including airlines, nuclearplants, etc., and conversely the experiencesfrom these industries have proven extremelyrelevant to better manage the risk associatedwith the more narrow chemical industry defi-nition of process safety. Therefore both exam-ples from chemical process industries and fromother major hazard industries will be relevantwhen developing an understanding of processsafety issues.

Aside from some truly unforeseeable naturaldisasters like meteors, accidents happen be-cause of failure of humans. Such human failingsmay involve the failure of a frontline operator,


whether a chemical plant operator or an airlinepilot. However, investigations will almost inev-itably be flawed if they conclude that humanerror at the frontline operator level was the rootcause of an incident. Very often accidents arecaused by latent human error, such as a flaw inthe original design, by an error in maintenance,or by a change in the construction, procedures,etc. which was not thoroughly checked. Like-wise actions or omissions of the higher organi-zational levels are frequent causes of accidents.A thorough incident investigation will thusgenerally reveal failings at several differentlevels of an organization.

Therefore,managing themajor hazardswith-in an organization is the responsibility of thechief executive officer (CEO) and the widermanagement team. They have to clearly statetheir commitment to process safety and ensurethat the resources in terms of funds, staffing,standards, competencies, etc, are available.Subject to ownership structure, local legislation,etc. the board and owners will also carry re-sponsibility for ensuring that process safetyactivities are resourced and managed responsi-bly in the organization.

6.1.1. Definitions

. Accident: an undesirable event leading toinjury or death

. Barrier is a protective measure to preventincidents from happening, could be a physicalprotective device, e.g., a pressure relief valveor a procedure, a training programme, etc.

. Dormant factors are often part of the causa-tion for an incident, whether a weakness ofdesign carried out years before the incident, aweakness in operating procedures etc.

. Hazard is a condition that has potential tocause an accident. That is, what can go wrongin a specific plant or activity.

. Human factors are with extremely few ex-ceptions part of the causation for all accidents,whether human factors affect the originaldesign, the leadership for a plant, the operat-ing practices, etc.

. Immediate cause: e.g., the immediate causefor a gas escape was a hole in a pipe

. Intermediate cause: the hole that caused a gasescape was caused by corrosion

. Incidentmore broadly includes both accidentsand near misses

. Latent factors are typically a weakness in thedesign which have not been detected and thuslies dormant for years to be exposed whenseveral barriers fail

. Major hazard is about the hazards which canresult in a major accident, e.g., serious inju-ries, fatalities, major plant, or environmentaldamage

. Nearmiss: an undesirable event which has thepotential to lead to injury or death

. Process safety incident: an incident where theapplication of complex technology is in-volved. When investigating these incidentsthey often have complex causation, including,e.g., design error, operating error, lack ofsupervision, lack of maintenance, inadequatemanagement of change, etc. and combina-tions thereof. In the broadest definition pro-cess safety incidents includes both those di-rectly related to the chemical process indus-tries, and other incidents with similar causa-tion and complexity, e.g., airplane incidents.

. Risk is the combined impact of a hazard, i.e.,how likely is that a certain hazardwill result infatalities

. Root cause initiating cause for an incident,e.g., the cause for the hole was that the pipewas not being maintained. This could go evendeeper, e.g., new management had decided tocut maintenance costs because they did notappreciate the risks involved.

. Workplace safety incident a relatively simpleincident involving a single person or a fewpersons and their interactions. Examples are,slips trips and falls, hand tool accidents,working at heights, dropped objects, workingwith chemicals, etc. Workplace incidentshave the potential to cause injury or death ofa single or a few persons.

6.1.2. History of Process Safety

Using the broad definition of process safetyincidents as part of major hazards incidents,process safety incidents became part of humanlife as the technologies developed.

One of the early technologies with majorhazard potential was ship transportation, goingback at least a couple of thousand years. Theearly development of ship designs was based on


generations of trial and error. When the designfailed, it often resulted in a sunken ship andpossibly a number of fatalities. Over genera-tions the designs became better and as the theoryfor ship design became more well understoodrobust standards were developed and applied.Likewise the safety associated with the opera-tion of ships developed as navigational chartsand instruments became available and moresophisticated. Over centuries, navigators com-petencies were developed and formalizedthrough apprenticeships and formal education.Even better safety was obtained as improvedweather forecasting was introduced, icebergpositions were mapped and made available toships en route, and GPS was introduced, etc.

However, despite the major progress sinceantiquity in ship building technology, in propul-sion systems, in crew competency, in weatherforecasting, in navigational charts and naviga-tion methods, electronic equipment, etc., inci-dents still occur, often as a result of complexcausation where several barriers have failed,e.g., General Slocum (1904, 1021 fatalities) (seeFig. 17), Titanic (1912, 1517 fatalities), andmore recently Herald of Free Enterprise(1987, 193 fatalities).

Generally as a technology develops, the oc-currence of simple failure modes graduallybecome rarer as barriers are put in place foreach likely failure mode. These barriers couldbe better design, better maintenance, bettercompetency of staff, operating procedures, etc.,i.e., the sum of the progress in experience andtheory. However, over time barriers get testedagain and again, occasionally individual bar-riers fail and on rare occasions all barriers failsimultaneously and an accident occur. Thisconcept has been described by JAMES REASON

in the ‘‘swiss cheese model’’ [92] (Fig. 18].The swiss cheese model has been used uni-

versally from, e.g., road safety to hospital safetyand chemical process safety.

6.2. Major Accidents-Case Studies

Major accidents resulting in multiple fatalities,major environmental damage, etc. are subject ofdetailed investigation and are often followed bylitigation and prosecution of responsible indi-viduals and organizations. Suchmajor incidentshave often had major long term impact on theirrespective industries.

Figure 17. Firefighters working to extinguish the fire on the grounded General Slocum


It is obviously essential to understand indetail the specific processes which an organiza-tion is responsible in order to efficientlymanageprocess safety. However, the study of past in-dustry incidents will provide important inspira-tion, insights, and knowledge for process safetyactivities in an organization.

Short descriptions are given below of a fewselected accidents, highlighting the main eventsand causation for illustration if the issues dis-cussed here. For comprehensive case storiesplease refer to the literature, e.g., [93, 94].

Flixborough. On 1 June 1974, the Nyprofactory at Flixborough exploded resulting in 28on-site fatalities as well as injuries and exten-sive damage in surrounding villages ! Plantand Process Safety, 4. Chemical Process SafetyRegulations.

The major issues in the case of the Flixbor-ough disaster were:

. The original plant design relied on a processconfiguration with massive inventories of hotpressurised flammable components, a processwith much smaller inventory could have beendesigned. That is, a latent factor that wouldgreatly increase the risk in case of a leak.

. With the office block within the plant, therewas amajor unnecessary exposure, which dueto fortunate timings did not influence thenumber of deaths. Another latent factor thatduring some 30% of the time would greatlyincrease the consequences of an explosion.

. A temporary modification was allowed to beinstalled without full engineering designverification. A failing at supervisory and

management level allowing such a change tothe plant to be made without appropriateengineering checks.

Seveso. On 10 July 1976, reaction productscontaining highly toxic dioxin happened from aherbicide plant near the village of Seveso innorthern Italy. Several hundred people devel-oped the skin disease chloracne, but there wereno immediate fatalities.

The accident resulted in major new legisla-tion based on the European Community SevesoDirective ! Legal Aspects, Chapter 5.

The incident revealed several weaknesses:

. The safety of shutdown the batch processes atdifferent stages of completion was not wellunderstood, especially in light of the unfortu-nate legislation requiring untimely shut-downs. The potential relief cases for thebursting disk were incomplete, hence, omit-ting the liquid collection vessel downstream.That is, the process was poorly understoodand poorly designed.

. The heating system design was not fail safe inthe sense that it was able to overheat theprocess.

. The local communities had no knowledge ofthe hazards associated with the nearby chem-ical plant, thus an example of poor stakehold-er management.

. The emergency response was ineffective.

Bhopal. The Bhopal accident happened on3 December 1984 and was the worst accident inthe history of the chemical industry. There issignificant uncertainty about the number of

Figure 18. Swiss cheese model with successive layers of defences


fatalities, ranging from an official number of2259 immediate deaths to unofficial estimatesincluding long term deaths of some 10 000–20 000! Plant andProcess Safety, 4.ChemicalProcess Safety Regulations.

The main issues in the Bhopal disaster were:

. The use of hazardous chemicals (MIC) in-stead of less hazardous ones. Latent designissue.

. Storing these chemicals in large tanks insteadof much smaller steel drums. Latent designissue.

. Possible corrodingmaterial in pipelines. Lackof integrity management issue.

. Poor maintenance after the plant ceased pro-duction in the early 1980s. Lack of integritymanagement issue.

. Failure of several safety systems (due to poormaintenance and regulations).

. Safety systems being switched off to savemoney—including the methyl isocyanate(MIC) tank refrigeration system which alonewould have prevented the disaster.

. The problem was made worse by the plant’slocation near a densely populated area, non-existent catastrophe plans and shortcomingsin health care and socioeconomic rehabilita-tion. Analysis shows that the parties respon-sible for the magnitude of the disaster are thetwo owners, Union Carbide Corporation andthe Government of India, and to some extent,the Government of Madhya Pradesh.

Piper Alpha. The Piper Alpha platform inthe United Kingdom North Sea was destroyedon 6 July 2008 by a series of explosions andfires, killing 167 men. The initiation and esca-lation of this accident had a complex causationwhere several barrierswere ineffective. Someofthe main issues were:

. The permit to work system was ineffective.

. The firewater could not be used due tothe electrical pumps being knocked outby the explosion and the diesel driven pumpswere onmanual start due to diver work earlierin the day, but were inaccessible due to thefires so they could not be started.

. The high-pressure pipeline risers wereexposed to the fires and eventually failedcatastrophically causing massive fires and

explosions. This was aggravated by nearbyplatforms continuing to produce into the com-mon pipeline system rather than initiatingdepressurization.

. Escape from the muster area in the accom-modation became impossible as the firesprogressed.

6.3. Comprehensive Process SafetyManagement-Risk-Based ProcessSafety

The above examples in combination with thou-sands of others show that managing processsafety effectively requires a comprehensive ap-proach covering a considerable number of sub-jects, in order that sufficient effective barriersexist to prevent major accidents fromhappening.

Organizations have thus established compre-hensive systems for how to manage processsafety. Such systems have several elementscovering the all aspects necessary for effectivemanaging process safety.

In the following such a system, the risk-basedprocess safety (RBPS) elements will be de-scribed. This system was published by the Cen-ter for Chemical Process Safety (CCPS) underAIChE [95].

The RBPS has four main categories:

1. Commit to process safety: Ensure that man-agement and employees care about processsafety, ensure that there is acceptance andcompliance with standards and demonstratecommitment to stakeholders

2. Understand hazard and risk: Know what youoperate, identify hazards and manage andminimize risk through analysis etc.

3. Manage risk: Know how to operate andmaintain the process, control changes andmanage incidents

4. Learn from experience: Investigate inci-dents, monitor performance through re-views, audits and KPIs, and ensure thatfindings are acted effectively upon

These four main categories have been divid-ed into 20 elements, described in this section,covering all aspects of process safety:

Each element will require careful consider-ation, but will take on different substance and


importance subject to the type of industrialactivity at hand, location, country, organization-al context, etc. It is essential that dependablepractices are established and maintained foreach element.

6.3.1. Commit To Process Safety

Process Safety Culture. In order that pro-cess safety can be managed efficiently, an openand questioning environment must be in placewhere process safety issues and concerns can beraised by all stakeholders and be dealt with in atimely fashion. There must be a sense of vul-nerability, i.e., nobody should take processsafety for granted, also when there have notbeen major incidents for a long time.

The process safety culture requires the in-volvement of and is a responsibility for theentire organization, but the strong commitmentby top management is indispensable if a strongculture is to develop.

Compliance with Standards. Standardscomprise international industry standards, leg-islation and company standards for how to, e.g.,design, operate, and maintain a process plant.An organization needs to determine which stan-dards apply and ensure that they are availableand updated to all relevant staff.

A culture of compliance with mandatorystandards, whether internal or external, isessential. Notwithstanding, deviations fromstandards may occasionally be required. Hence,a formalized system for approval of such devia-tions must be in place. Company standards mustbe effective, i.e., written to be useful for theend user, possible to comply with and kept upto date.

Process safety competency of an organiza-tion comprises continuous learning and im-provement of process safety competency, andfurther that the knowledge is available to therelevant people and applied.

In order for effective learning and sharing ofknowledge to take place, top management mustencourage openness and sharing of knowledgebetween shifts, plants, business units, etc.

Workforce Involvement. The workforce atall levels obtain valuable experiences

and knowledge of how systems andequipment actually work. Hence, the activeinvolvement of the workforce will be necessaryto ensure that this knowledge is effectivelycaptured and made available to, e.g., futureplant designs.

The active involvement of theworkforcewillalso assist in developing a questioning andlearning environment.

Stakeholder Outreach. A process plant willhave a number of stakeholders, in some casesthis may be a very considerable number. Thesestakeholders will both be internal, e.g., theworkforce, and external, such as regulatorybodies, business partners, customers and ven-dors, environmental interest groups, fishermenand other business potentially affected, and thewider public especially those living close to theplant.

6.3.2. Understand Hazards and Risks

Process Knowledge Management. Devel-oping and maintaining process information inthe form of written technical documentsand specifications, engineering drawings andcalculations, specifications for design and fab-rication, material safety sheets, etc. is key tounderstanding risks and developing other RBPSelements. For example, risk analysis, proce-dures, training material, management ofchange, etc.

Hazard identification and risk analysisconcerns the identification of hazards and eval-uation of the risk. Identification of hazardsshould take place early on to ensure that theappropriate remedial actions are put in place andto ensure that the risk level is commensuratewith the risk appetite of the organization.

6.3.3. Manage Risk

Operating Procedures. In order to ensure aconsistent high performance in executing criti-cal activities, these activities should be docu-mented in the form of operating procedures.Operating procedures are written instructions,whether stored in hardcopy or electronically,


which lists the steps and describes how specifictasks are to be performed.

Safe working practices includes proceduresfor nonroutine activities such as work permitsincluding hot work and entry into confinedspaces etc.

Asset integrity and reliability is about en-suring that equipment and systems are properlydesigned, installed, and remains fit for use untilits retirement.

Asset integrity comprises:

. Verification and documentation of the integ-rity of the initial design, construction, andinstallation of equipment and systems.

. Ensuring that during operation of the equip-ment and systems, they remain within thedesign envelope.

. The execution and documentation of inspec-tion, testing, and preventivemaintenance pro-grams by qualified personnel.

. Controlled and documented repairs and ad-justments to equipment.

. A quality assurance and control program toensure the quality of initial fabrication, instal-lation, and subsequentmaintenance activities.

Contractor Management. In many indus-tries, contractors execute many work scopes onbehalf of the company. For example, it is cus-tomary in the oil industry to contract a wholedrilling rig including crew to drill oil and gaswells on behalf of the oil company. The con-tractor must have procedures and systems inplace which ensures that the contractor canoperate to the same standards as the company.

Training and performance assurance cov-ers the training and instruction of staff to spe-cific job and task requirements as well as theassurance that workers have understood thetraining to the level required.

Management of change (MOC) is the dis-cipline of ensuring that changes to a chemicalprocess plant or other technical installation areadequately evaluated, risk assessed, and appro-priate corrective action taken before implemen-tation. Ineffective MOC is one of the commoncontributory or root causes of incidents.

Operational readiness comprises the activ-ities to verify that new plants or existing plantsthat have been shut down for modification orother activities are ready for start-up.

Conduct of Operations. To ensure thatoperations consistently remain within safeoperating limits, the objectives must be clearlystated and the operations executed by qualifiedstaff.

Emergency Management. Organizationsresponsible for hazardous activities must beable to deal effectively with emergencies. Aclear line of command must be established andthe organization must be empowered to dealwith the required emergency response.

6.3.4. Learn From Experience

Incident Investigation. Accidents and nearmisses provide important opportunities forlearning and thereby preventing recurrence.Through effective investigation, organizationaland other weaknesses can be exposed and ap-propriate action taken to rectify suchweaknesses.

Measurement and Metrics. Defining andmonitoring critical key performance indicators(KPIs) is an important method to judge theefficiency of the overall process safety man-agement activities. Based on low or decliningperformance corrective action can be takenahead of reaching the lowest acceptablelevel.

Auditing provides another set of observa-tions of the efficiency of the process safetymanagement activities. Programmes should beestablished covering all relevant activities andRBPS elements. Effective follow-up on auditsand monitoring of the follow-up is important tomaintaining high standards.

Management Review and ContinuousImprovement. Management review is the

routine monitoring of the performance of themanagement system. It should be planned andrecurring covering the entire managementsystem and the 20 RBPS elements.


6.4. How to Implement a RBPSSystem

The 20 RBPS elements provide a catalogue ofissues to address subject to the type of industryand risks involved.Many companies have set upprocess safety management systems to addresssome if not all of these issues. Others may haveless elaborate systems, which they wish toimprove or are considering how to arrange theprocess safety management system in the firstplace. For those initiating a process safety man-agement program, a detailed strategy for stake-holder management may not be the first issue toaddress, hence, an example of a prioritized listof actions is given below for inspiration on howto commence building process safety perfor-mance in an organization. These first steps mustover time be broadened, considering all 20elements.

Management Commitment. In order for alllevels of an organization to take process safetyseriously, the senior management must demon-strate a strong commitment to process safety andthat they support an open dialogue about anyissue that could affect process safety.

Employee Involvement. Actively engageemployees in the work to improve processsafety including the activities below.

IdentifyHazards. Identify the hazards (HA-ZID) associated with the activities the organi-zation is engaged in.

Incident Investigation. Clearly demon-strate that all process safety incidents will beinvestigated and that the results will be actedeffectively upon. In cases where disciplinaryaction is involved, it is important that suchactions are just.

Management System. Provide a simple ac-cessible management system comprising high-level policies and the necessary procedures andstandards for safety-criticalwork activities, e.g.,operational, and maintenance procedures.

Management of Change. Develop an un-derstanding of the importance of identifying andmanaging changes, whether associated with the

technical plant, feed-streams, products, proce-dures, organization, etc.

Changes affecting process safety can beassociated with a wide range of activities, anonexhaustive list comprises:

. Design changes

. Changes to raw materials and/or productspecification

. Temporary changes (repairs, bypasses, tem-porary equipment, etc.)

. Organizational changes (planned reorganiza-tion, new staff, absence due to illness)

. Legislative changes

. Procedural changes

. Change of subcontractors and vendors

. Budget cuts

Inadequate MOC is one of the commoncauses for incidents and often there have beenno MOC activities carried out, because thechange was not recognized in the first place.Changes can be very subtle and difficult torecognize in a busy work environment. Forexample, an experienced operator not turningup for the night shift should cause a rescheduleof critical activities planned for the shift. How-ever, the issue may not be spotted by the shiftmanager or if spotted, it may be that many otheractivities are contingent on the work that thisoperator should have performed, hence, a po-tentially inadequate replacement is found not todelay other activities.

Managing change requires firstly awarenesstraining so staff at all levels become aware of theneed to manage change and aware of the criticaltypes of changes which should be considered.Secondly, processes should be in place to regis-ter and handle the different types of changes, e.g., design review, HAZOP, and approval by atechnical authority for an engineering designchange.

Process Safety Competency. Establish anoverview of competencies required and a sys-tem to register the available competencies in theorganization. Develop programmes to developstaff.

Quantitative Risk Assessment (QRA). Sup-plement the hazard register with more quantita-tive evaluations to prioritize activities, e.g,.


maintenance, where the impact on risk ishighest.

6.5. Conclusion

For an organization to develop a high perfor-mance in process safetywill require a strong andconsistent drive and long-term commitment atall levels. Applying RBPS or other similarlycomprehensive approaches will ensure that pro-cess safety is promoted over a sufficiently broadrange of issues that the chance of success greatlyincreases.

The approach and implementation of aRBPSor similar systems will require adaption to theindustrial hazards and complexities, local leg-islation, workforce, stakeholders, etc. in orderthat a practical process safety management sys-tem can built which will be effective for theparticular plant.

References

1 I. Nimmo: ‘‘Adequately address abnormal operations’’, Chem.

Eng. Prog. 91 (1995) no. 9, 36–45.

2 V. Venkatasubramanian et al.: ‘‘A review of process fault

detection and diagnosis Part I: Quantitative model-based meth-

ods’’, Comput. Chem. Eng. 27 (2003) 293–311.

3 A.S. Willsky, H.L. Jones: ‘‘A generlized likelihood ratio ap-

proach to the detection and estimation of jumps in linear

systems’’. IEEE Trans. Autom. Control AC-21 (1976) 108–

112.

4 L.H. Chiang, E.L. Russell, R.D. Braatz: Fault detection and

diagnosis in industrial systems, Springer Verlag, Berlin 2001.

5 P.M. Frank, S.X.Ding, T.Marcu: ‘‘Model-based fault diagnosis

in technical processes’’, Transactions of the Institution of

Measurement and Control 22 (2000) no. 1, 57–101.

6 A. Bhagwat, R. Srinivasan, P.R. Krishnaswamy: ‘‘Fault detec-

tion during process transitions: a model-based approach’’,

Chem. Eng. Sci. 58 (2003) 309–325.

7 Y. Tsuge et al.: ‘‘Fault diagnosis algorithm based on the signed

directed graph and its modifications’’, Ind. Chem. Eng. Symp.

Ser. 92 (1985) 133–144.

8 P. Nomikos, J.F. MacGregor: ‘‘Monitoring of Batch Processes

usingMulti-way Principal Component Analysis’’. AIChE J. 40

(1994) no. 8, 1361–1375.

9 J.F. MacGregor, T. Kourti: ‘‘Statistical Process control of

multivariate processes’’, Control Engineering Practice 3

(1995) 403–404.

10 J.E. Jackson: A User’s Guide to Principal Components, J.

Wiley & Sons, New York 1991.

11 K. Villez, M. Ruiz, G. Sin, C. Rosen, J. Colomer, P.A.

Vanrolleghem: ‘‘Combining Multiway Principal Component

Analysis (MPCA) and clustering for efficient data mining of

historical data sets of SBR processes’’, Water Sci. Technol. 57

(2007) no. 10, 1659–1666.

12 M.L.R. Ordonez: Multivariate Statistical Process Control and

Case-Based Reasoning, for Situation Assessment of Sequential

Batch Reactors, PhD Thesis, University of Girona, Girona

2008.

13 R. Rengaswamy, V. Venkatasubramanian: ‘‘A syntactic pat-

tern- recognition approach for process monitoring and fault

diagnosis’’, Engineering Applications of Artificial Intelligence

8 (1995) no. 1, 35–51.

14 L. Wang, Y. Liu, P.J. Griffin: ‘‘A combined ANN and expert

system tool for transformer fault diagnosis’’. IEEE Trans.

Power Delivery 13 (1998) 1224–1229.

15 D. Mylaraswamy, V. Venkatasubramanian: ‘‘A hybrid frame-

work for large scale process fault diagnosis’’, Comput. Chem.

Eng. 21 (1997) 935–940.

16 B. Ozyurt, A. Kandel: ‘‘A hybrid hierarchical neural network-

fuzzy expert system approach to chemical process fault diag-

nosis’’, Fuzzy Sets and Systems 83 (1996) 11–25.

17 H. Vedam, V. Venkatasubramanian: ‘‘PCA-SDG based process

monitoring and fault diagnosis’’,Control Engineering Practice

7 (1999) 903–917.

18 S. Mannan: ‘‘Hazard Identification, assessment and control’’,

in Loss Prevention in Process Industries, 3rd ed., Elsevier,

Amsterdam 2005.

19 F. Crawley, B. Tyler: Hazard Identification Methods, Institu-

tion of Chemical Engineers, Rugby 2003.

20 G.L. Wells: Hazard Identification and Risk Assessment, Insti-

tution of Chemical Engineers, Rugby 1996.

21 V. Venkatasubramanian, J. Zhao, S. Viswanathan: ‘‘Intelligent

systems for HAZOP analysis of complex process plants’’,

Comput. Chem. Eng. 24 (2000) 2291–2302.

22 T. Kletz, P. Chung, E. Broomfield, C. Shen-Orr: Computer

Control and Human Error, Institution of Chemical Engineers,

Rugby 1995.

23 P. Andow: Guidance on HAZOP procedures for Computer

Controlled Plants, HSMO, London 1991.

24 J.B. Lear: ‘‘Implementing Safe, Operable Control Systems’’,

Control 95, 1995.

25 I. Nimmo, S.R. Nunns, B.W. Eddershaw: Loss Prevention

Bulletin, vol. 111, Institution of Chemical Engineers, Rugby

1993, p. 13.

26 T.A. Keltz: Process Plants: A Handbook for Inherently Safer

Design, Taylor & Francis, Philadelphia 1998.

27 T.A. Kletz: Plant Design for Safety, The Institution of

Chemical Engineers, Rugby 1991.

28 The Institution of Chemical Engineers and The International

Process Safety Group: Inherently Safer Process Design, The

Institution of Chemical Engineers, Rugby 1995.

29 CCPS: Inherently Safer Chemical Processes: a life cycle

approach, 2nd ed., ‘‘Center for Chemical Process Safety’’,

J. Wiley & Sons, New York 2009.

30 S. Hochheiser: Rohm and Haas, History of a Chemical

Company, University of Pennsylvania Press, Philadelphia

1986.

31 D. Lin, A. Mittelman, V. Halpin, D. Cannon: ‘‘Inherently Safer

Chemistry: A Guide to Current Industrial Processes to Address

High Risk Chemicals’’, U.S. Environmental Protection Agen-

cy, Washington 1994.

32 J. Marshall, A. Mundt, M. Hult, T. McKealvy, P. Myers, J.

Sawyer: ‘‘The relative risk of pressurized and refridgerated

storage for six chemicals’’, Process Saf. Prog. 14 (1995) no. 3,

200–211.

33 C. Palaniappan, R. Srinivasan, R. Tan: ‘‘Expert system for

design of inherently safer processes 1. Route Selection Stage’’,

Ind. Eng. Chem. Res. 41 (2002) no. 26, 6698–6710.


34 C. Palaniappan, R. Srinivasan, R. Tan: ‘‘Expert system for

design of inherently safer processes 2. Flowsheet Development

Stage’’, Ind. Eng. Chem. Res. 41 (2002) no. 26, 6711–6722.

35 V. Pilz: Bayers procedure for the design and operation of safe

chemicalk plants, Inherently Safer Process Design, The Insti-

tution of Chemical engineers, Rugby 1995, 4.54–4.56.

36 N.E. Scheffler: ‘‘Inherently safer latex plants’’, Process Safety

Progress 15 (1996) no. 1, 11–17.

37 Dow Chemical Company: Dow’s Chemical Exposure Index

Guide, 1st ed., American Institute of Chemical Engineers, New

York 1994.

38 Dow Chemical Company: Dow’s Fire and Explosion Index,

Hazard Classification Guide, 7th ed., American Institute of

Chemical Engineers, New York 1994.

39 P.T. Anastas, J.C. Warner: Green Chemistry: Theory

and Practice, Oxford University Press, Oxford 1998,

p. 30.

40 D.W. Edwards, D. Lawrence: ‘‘Assessing the inherent safety of

chemical process routes: is there a relation between plant costs

and inherent safety?’’, Proc. Saf. Environ. Protect, Trans

IChemE 71 (1993) PartB, 252–258.

41 A.M. Heikkila, M. Hurme, M. Jarvelainen: ‘‘Safety considera-

tions in process synthesis’’, Comput. Chem. Eng. 20 (1996)

115–120.

42 S.R. Cave, D.W. Edwards: ‘‘Chemical process route selection

based on assessment of inherent environmental hazard’’, Com-

put. Chem. Eng. 21 (1997) 965–970.

43 F.I. Khan, S.A. Abbasi: ‘‘Multivariate hazard identification and

ranking system’’, Process Saf. Prog. 17 (1998) 157–170.

44 J.P. Gupta, D.W. Edwards: ‘‘A simple graphical method for

measuring inherent safety’’, J. Hazard. Mater. 104 (2003)

15–30.

45 C. Palaniappan, R. Srinivasan, R. Tan: ‘‘Selection of inherently

safer process routes: a case study’’, Chem. Eng. Proces. 43

(2004) 647–653.

46 I.K. Adu et al.: ‘‘Comparison of methods for assessing envi-

ronmental, health and safety (EHS) hazards in early phases of

chemical process design’’, Process Saf. Environ. Protect. 86

(2008) 77–93.

47 G. Koller, U. Fischer, K. Hungerbuhler: ‘‘Assessing safety,

health, and environmental impact early during process devel-

opment’’, Ind. Eng. Chem. Res. 39 (2000) 960–972.

48 H. Sugiyama, U. Fischer, K. Hungerbuhler: ‘‘Decision frame-

work for chemical process design including different stages of

environmental, health, and safety assessment’’, AIChE J. 54

(2008) 1037–1053.

49 T. Albrecht, S. Papadokonstantakis, H. Sugiyama, K. Hunger-

buhler ‘‘Demonstrating multi-objective screening of chemical

batch process alternatives during early design phases’’ Chem.

Eng. Res. Des. 88 (2010) 529–550.

50 Design Institute for Physical Properties, American Institute of

Chemical Engineers (AIChE), USA 2007, http://dippr.byu.edu/

(accessed 19.01.2012).

51 National Institute of Standards and Technology (NIST), USA

2010, http://www.nist.gov/srd/ (accessed 19.01.2012).

52 International Uniform Chemical Information Database, Euro-

pean Chemicals Agency (ECHA), Helsinki, Finland 2008,

http://iuclid.eu/ (accessed 19.01.2012).

53 Canadian Centre for Occupational Health and Safety (CHEM-

pendium), Hamilton, Canada 2006 http://www.ccohs.ca/

(accessed 19.01.2012).

54 C. Capello, U. Fischer, K. Hungerbuhler: ‘‘What is a green

solvent? A comprehensive framework for the environmental

assessment of solvents’’, Green Chem. 9 (2007) 927–934.

55 R. Srinivasan, N.T. Nhan: ‘‘A statistical approach for evaluating

inherent benignness of chemical process routes in early design

stages’’, Process Saf. Environ. Protect. 86 (2008) 163–174.

56 J. Roussel: Can supply chain planning systems deliver the

goods?, PRTM’s Insight, 2002.

57 I. Karimi, R. Srinivasan, L.H. Por: ‘‘Unlock Supply Chain

Improvements through Effective Logistics’’,Chem. Eng. Prog.

5 (2002) 32–38.

58 K. Sadgrove: The Complete Guide to Business Risk Manage-

ment, Gower Publ., Aldershot 2005.

59 The McKinsey Quarterly: Understanding supply chain risk: A

McKinseyGlobal Survey, http://www.mckinseyquarterly.com/

Understanding_supply_chain_risk_A_McKinsey_Global_

Survey_1847 (accessed 17 January 2012).

60 T. Sullivan: ‘‘Special Report: Road to Recovery–Oronite

Strives to Regain Customer Confidence’’, Lube Report 6

(2006) no. 25.

61 A. Norrman, U. Jansson: ‘‘Ericsson’s proactive supply chain

risk management approach after a serious sub-supplier acci-

dent’’, International Journal of Physical Distribution & Logis-

tics Management 34 (2004) no. 5, 434–456.

62 J.M. Kilgore: ‘‘Mitigating Supply Chain Risks’’, 89th Annual

International Supply Management Conference, Philadelphia,

2004, pp. 25–28.

63 J. Lam: Enterprise Risk Management: From Incentives to

Controls, J. Wiley & Sons, New York 2003.

64 G. Guillen et al.: ‘‘Multiobjective supply chain design under

uncertainty’’, Chem. Eng. Sci. 60 (2005) 1535–1553.

65 Z. Li, M.G. Ierapetritou: ‘‘Process scheduling under uncertain-

ty: Review and challenges’’, Comput. Chem. Eng. 32 (2008)

715–727.

66 B. Karri, R. Srinivasan, I.A. Karimi: ‘‘Robustness measures for

operation schedules subject to disruptions’’, Ind. Eng. Chem.

Res. 48 (2009) no. 20, 9204–9214.

67 J. Li, I.A. Karimi, R. Srinivasan: ‘‘Robust crude oil scheduling

under uncertainty’’, 18th European Symposium on Computer

Aided Process Engineering (ESCAPE 18), Lyon, France, June

1–4, 2008.

68 U. Paulsson: ‘‘Managing risks in supply chains–an article

review’’, NOFOMA, Oulu, Finland, June 12–13, 2003.

69 C. Brindley: Supply Chain Risk, Ashgate Publ., Hampshire

2004, pp. 14–27.

70 U. Juttner, H. Peck, M. Christopher: ‘‘Supply Chain Risk

Management: Outlining an Agenda for Future Research’’,

International Journal of Logistics: Research and Application

6 (2003) 197–210.

71 N.Malini, I. Capar, A. Narayanan: ‘‘Managing supply chains in

times of crisis: a review of literature and insights’’, Interna-

tional Journal of Physical Distribution & Logistics Manage-

ment 39 (2009) no. 7, 535–573.

72 O.K. Helferich: ‘‘Securing the supply chain against disaster’’,

Distribution Business Management Journal 2 (2002) no. 3,

10–14.

73 C.B. Pickett: ‘‘Strategies for Maximizing Supply Chain Resil-

ience: Learning from the Past to Prepare for the Future’’,

Massachusetts Institute of Technology. Ph.D. Thesis, Massa-

chusetts, 2003.

74 R.P. Lensing: ‘‘Historical Events and Supply Chain Disruption:

Chemical, Biological, Radiological and Cyber Events’’,

Massachusetts Institute of Technology, Ph.D. Thesis,

Massachusetts, 2003.

75 T. Wu, J. Blackhurst, V. Chidambaram: ‘‘A model for inbound

supply risk analysis’’, Computers in Industry 57 (2006)

350–365.


76 A. Adhitya, R. Srinivasan, I.A. Karimi: ‘‘Supply chain risk

identification using a HAZOP-based approach’’, AIChE J. 55

(2009) no. 6, 1447–1463.

77 J. Hallikas et al.: ‘‘Risk management processes in supplier

networks’’, International Journal of Production Economics

90 (2004) 47–58.

78 R.J. Chapman: Simple Tools and Techniques for Enterprise

Risk Management, J. Wiley & Sons, New York 2006.

79 S. Chopra,M.S. Sodhi: ‘‘ManagingRisk toAvoid SupplyChain

Breakdown’’, MIT Sloan Management Review 46 (2004),

53–61.

80 P.R. Kleindorfer, L.N. Van Wassenhove: ‘‘Managing Risk in

Global Supply Chains’’, in H. Gatigon, J. Kimberly (eds.): The

Alliance on Globalization, Cambridge University Press,

Cambridge 2004.

81 A. Oke, M. Gopalakrishnan: ‘‘Managing disruptions in supply

chains: A case study of a retail supply chain’’, International

Journal of Production Economics 118 (2009) 168–174.

82 J.-H. Thun, D. Hoenig: ‘‘An empirical analysis of supply chain

risk management in the German automotive industry’’, Inter-

national Journal of Production Economics 131 (2009) no. 1,

242–249.

83 G. Tuncel, G. Alpan: ‘‘Risk assessment and management for

supply chain networks: A case study’’, Computers in Industry

61 (2010) 250–259.

84 S.S. Pitty et al.: ‘‘Decision support for integrated refinery supply

chains: Part 1. Dynamic simulation’’, Comput. Chem. Eng. 32

(2008) no. 11, 2767–2786.

85 M. Christopher, H. Lee: ‘‘Mitigating supply chain risk

through improved confidence’’, International Journal of

Physical Distribution & Logistics Management 34 (2004)

388–396.

86 Y. Sheffi: The Resilient Enterprise: Overcoming Vulnerability

for Competitive Advantage, MIT Press, Cambridge 2005.

87 M.N. Faisal, D.K. Banwet, R. Shankar: ‘‘Supply chain risk

mitigation: modeling the enablers’’, Business Process Manage-

ment Journal 12 (2006) no. 4, 535–552.

88 A. Adhitya, R. Srinivasan, I.A. Karimi: ‘‘A model-based

rescheduling framework for managing abnormal supply chain

events’’, Comput. Chem. Eng. 31 (2007) 496–518.

89 C.W Craighead, J. Blackhurst, M.J. Rungtusanatham, R.B.

Handfield: ‘‘The Severity of Supply Chain Disruptions: Design

Characteristics and Mitigation Capabilities’’, Decision

Sciences 38 (2007) no. 1, 131–156.

90 D. Elkins et al.: ‘‘Eighteen ways to guard against disruption’’,

Supply Chain Management Review 9 (2005) 46–53.

91 The McKinsey Quarterly. (2010) . McKinsey Global Survey

results: How companies manage sustainability. http://www.

mckinseyquarterly.com/Energy_Resources_Materials/Strategy_

Analysis/How_companies_manage_sustainability_McKinsey_

Global_Survey_results__2558(accessedon7April2010).

92 J. Reason: ‘‘Human error: models and management’’, Br. Med.

J. 18 (2000) no. 320, 768–770.

93 Trevor Kletz: AHandbook for Inherently Safer Design, Taylor

& Francis, Philadelphia 1998.

94 Trevor Kletz: Learning from Accidents, 3rd ed., Gulf Publ.,

Houston 2001.

95 Center for Chemical Process Safety: Guidelines for the Man-

agement of Change for Process Safety, Wiley-VCH Verlag,

Weinheim 2007.

96 D. Beaty: The Naked Pilot–The Human Factor in Aircraft

Accidents, Airlife Publishing Ltd., Marlborough 1995.

97 Center for Chemical Process Safety: Guidelines for Chemical

Process Quantitative Risk Analysis, 2nd ed., Wiley-VCH,

Weinheim 2000.

98 Center for Chemical Process Safety: Guidelines for Hazard

Evaluation Procedures, 3rd ed.,Wiley-VCH,Weinheim 2008.

99 J.R. Chiles: Inviting Disaster–Lessons from the Edge of Tech-

nology, Harper Business, New York 2001.

100 J. Groeneweg: Controlling the Controllable–Preventing Busi-

ness Upsets, 5th ed., Global Safety Group, Den Haag 2002.

101 C. Perrow: Normal Accidents–Living With High-Risk Technol-

ogies, Basic Books Inc., New York 1984.


process systems engineering, 7. abnormal events management ...€¦ · process systems engineering,...

Documents