Inherent Safety and Inherently Safer Design

After the Flixborough accident in 1974, Trevor Kletz had the idea that it is best to avoid dangerous situations rather than try to control them. He developed this idea of Inherent Safety (IS) in his many books and papers and tirelessly promoted what he called Inherently Safer Design (ISrD) right up to his death in 2013.
Simply put, Inherently Safer (ISr) designers render a plant safer by implementing four principles of ISrD:

  1. Eliminate the potential for harm (hazards)
  2. Reduce the severity or scale of the consequences of the hazards
  3. Reduce the likelihood of the hazards occurring
  4. Separate or protect people from the hazards

They achieve this by careful attention to the fundamental design and layout, with less reliance placed on ‘added-on’, engineered safety systems and procedural controls, which can and do fail.

For example, at Flixborough there was a large inventory of volatile and flammable hydrocarbon (cyclohexane) at elevated temperature and pressure. When there was a catastrophic leak, there was almost bound to be a large explosion – Trevor always said that ‘ignition sources are free’, that is, one should assume ignition. An ISr plant would have had a drastically reduced inventory, which might have dispersed sufficiently not to ignite; in any case, the fire / explosion would have been much less damaging. This could have been achieved by implementing principle 2 - by better reactor design.

An example of an incident where many lives might have been saved by the implementation of principle 4 is provided by the Piper Alpha disaster. Figure 1 shows that the Living Quarters (LQ) of this platform was on top of what became a huge blow torch, which killed 167 people. As Paul Davison, Chairman of the Safety and Reliability Society (SaRS) has pointed out in their Newsletter, number 278 [SaRS, 2014], ‘No Lifeboats were used to save the 67 survivors…’ and helicopters could not have helped either. Paul concludes: ‘… lifeboat evacuation will never be as reliable as escaping from a hazardous event onshore or on a bridge-linked platform, where you could run away from the danger’.

Memorial in Hazlehead Park, Aberdeen to the victims of the 1988 Piper Alpha disaster (Source: Wikipedia Creative Commons, attributed to Lizzie)

If the LQ had been on a separate platform, bridge-linked to the production platform, most would not have died. Therefore, if you cannot eliminate a hazard, then separate people from it. In a case like this, reducing the estimated likelihood of such a catastrophic event is surely not an adequate safeguard, because the consequences are too dire and must be avoided.


IS is often described as common sense but for a long time it was not common practice. However, after many years of Trevor ploughing a lonely furrow, it has now been adopted widely.


ISrD is now the foundation of the hazard-focussed, risk-based approach to design. Here, risk is the combination of an estimate of the consequences of a realised hazard and an estimate of the likelihood of its occurrence.


Eliminating or separating people from hazards is definitive, because it does not rely on reducing the estimated likelihood of events. Professor Andrew Hopkins (the author of many influential books on the organisational and cultural causes of major accidents) puts it well: ‘The fact that you’ve gone for 20 years without a catastrophic event is no guarantee that there won’t be one tomorrow.’


ISrD is the first step in risk-based regulatory regimes, after which risks must be reduced to be As Low As Reasonably Practicable (ALARP) by passive, then active and finally procedural safety measures. In the UK, a demonstration of ALARP must be made to the regulator as part of a safety case in order to be allowed to operate an installation.


Designs used to be checked for safety when almost complete by engineers in a distinct safety discipline; there was little scope for ISrD. Nowadays IS is an attitude of mind for all engineers, and the safety discipline works with the other discipline engineers as part of the mainstream design effort to achieve a design which is as IS as possible. Hazard reviews are held early in the conceptual design process, so that the design team are well aware of the hazards and can apply ISrD.