
Process Safety Philosophy

Copyright BASF - 2007

Content is the responsibility of: GEGPS (Global Expert Group Process Safety), the expert group for process safety within the Competence Center Responsible Care, CCRC.

Rev. 0, September 2007

Introduction
This handbook provides a concise overview of the topic
Process Safety within BASF. In order to achieve a high
degree of safety, it is critical that these basic principles are
known and understood throughout the line management of
BASF.
The handbook contains four sections:
1. General Overview of Process Safety
2. Managing Process Safety
3. Managing Risk
4. Process Safety Programs
Any questions about these topics may be addressed to
the local or regional process safety experts or to the global
Process Safety Center of Expertise GUS/A or NTU/S
(NAFTA).

1. General Overview of Process Safety


At BASF, we have an obligation to our communities,
our employees and their families to operate safe
chemical plants.
From a Process Safety perspective, this means that we
must safely manage the energy and hazardous materials involved in the storage, transport, reaction, and
physical processing that occurs in our operations. We
must also be fully prepared to mitigate any accidental
release of energy or chemicals so that people and the
environment are not negatively impacted.
The safe operation of a chemical plant depends upon
several influencing factors.
- A sound plant safety concept
- Safe plant design and construction to specification
- An effective maintenance program
- Safe operation by competent personnel
A weak point in any one of these factors can result in
severe consequences to people or the environment
through the loss of containment and the uncontrolled
release of materials and / or energy.

The foundation of this safety pyramid is the design and construction of facilities that can be operated and maintained in a safe manner.

[Figure: safety pyramid, from top to base]
- Safe Operation
- Maintenance: Inspection & Upkeep
- Construction: Quality & Inspection
- Development / Planning: Strong Plant Safety Concept

Built on this foundation are the programs or management systems that help ensure proper maintenance
and safe operation of those facilities.
Keys to Success
- The first key for successful process safety performance is a strong process safety culture. This includes open communication for sharing concerns as well as accomplishments. This culture must start at the top and be supported by policies and actions at every level of the organization.
- The second key is maintaining strong process safety management programs.
- The third key is ensuring consistent, proper operation under all plant conditions by having an appropriate number of well trained operating and support personnel, using validated operating procedures, and complying with internal and external policies and standards.
- The fourth and final key is ensuring strong process safety knowledge at all levels in the organization, from Group Vice-Presidents to all operating and support personnel.

2. Managing Process Safety


2.1. General Approach
Ensuring the safety of our processes can be boiled
down to four key points.
Point 1. Identification of Hazards
The first basic rule of process safety is that you can't control a hazard that you haven't identified. Logically it follows that the hazards presented by the substances handled, by the chemical processes, and by the equipment must be identified before a determination can be made of the best way to eliminate, reduce, mitigate or manage those hazards.

The primary method used at BASF for Hazard Identification in our chemical processes is the Safety, Health
& Ecology Project (Step) Review program. The program is described in more detail in Section 4.1 of this
handbook.
Point 2. Eliminate or Reduce Hazards through
Design
In process safety, it is better to avoid or eliminate a
hazard instead of trying to control it. Once a hazard is
eliminated, there is no need for the constant vigilance
and maintenance needed to control it. This concept,
known as Inherently Safer Design, can be implemented by following certain design principles:
a) Intensification - Using smaller quantities
b) Substitution - Using less hazardous materials
c) Attenuation - Using less hazardous conditions or a less hazardous form of the material
d) Limitation of Effects - Designing the facility to minimize the impact of a release of material or energy
e) Simplification - Designing facilities to reduce the chance of operating errors and to be more forgiving of errors made
* From: CCPS - Guidelines for Engineering Design for Process
Safety, 1993

Point 3. Manage the Remaining Hazards


It is normally not possible to eliminate all hazards from
a system; therefore, we must develop control measures to manage the remaining hazards, commensurate with the risk posed by these hazards. At BASF,
we ensure a consistent maximum acceptable risk
through our use of the BASF Risk Matrix.
The BASF Risk Matrix is discussed in Section 3, Managing Risk.
Control measures used to eliminate or adequately mitigate the remaining risk are discussed in Section 2.2, Safety Measures.
Our Zero Incident Mindset drives us to control remaining risk using additional Layers of Protection.
Point 4. Document and Communicate the Plant
Safety Concept
Trevor Kletz, one of the founders of modern process
safety, opined, "Organizations have no memory."
In order to develop and maintain that corporate memory, it is crucial to document the hazards that have
been identified, the risks associated with those hazards, and the measures taken to eliminate or control
those hazards for each process. This documentation
comprises the Plant Safety Concept.
The information contained in the Plant Safety Concept
must be routinely communicated and available to the
personnel operating and maintaining our facilities.
Methods of communication include training, operating
procedures, sharing of lessons learned from incidents,
and periodic reviews / updates of the document itself.

2.2. Safety Measures


2.2.1 Classification
The primary hazard associated with a chemical
plant is the release of energy and/or hazardous
substances.
Control measures designed to prevent a release
of materials are known as primary measures.
Primary measures must be designed not only for
periods of stable operation of the process, but
also deviations from those stable conditions.
In case primary measures fail, other measures must be used to mitigate the effects of a release and limit the affected area / population. These mitigating controls are called secondary measures. Examples include vapor detectors to detect a release, firefighting equipment, and pressure-resistant design of control rooms.
[Figure: Site safety concept and plant safety concept]

Unwanted release: on-site effects, off-site effects

Plant safety concept - Primary safety measures (Avoidance of releases)

Managing the process (Operability)
Management of
- chemicals
- reactions
- process
during:
- start-up
- normal operation
- shut-down

Managing failures with unacceptable consequences
Management of
- technical failures
- chemical failures
- human errors
- external events
Through:
- equipment and process design
- instrumentation
- administrative controls

Plant safety concept - Secondary safety measures

Managing releases (Mitigation)
- Fire protection
- Fire extinguisher
- Fire brigade
- gas detectors
- block systems
- relief systems
- catch systems
- chambers
- facility siting
- control room design

Site safety concept - Emergency response

Limitation of impact on neighborhood
- Site planning adequate to risk
- Alarm systems
- Plans for mutual aid
- Coordination with local emergency response units

If an impact to larger areas, especially those outside the fence line, cannot be excluded, the facility's Emergency Response Plan comes into effect. The emergency response plan should be coordinated with local authorities. Emergency response plans are typically developed on a sitewide basis and are therefore usually not developed in conjunction with the Step Reviews, which focus on primary and secondary measures. However, the creation of a new facility or operation on a plant site requires the review and possible updating of that site's Emergency Response Plan.
It is also possible that the site's Chemical Security Plan / Security Vulnerability Assessment must either be created or modified based on the introduction of new substances or quantities of highly hazardous materials as part of a new project or modification.
2.2.2 Terminology
We use the following terminology to distinguish
the type and reliability of risk reduction measures
or safeguards.
Operational devices serve to keep the plant running under normal operating conditions. These
control systems include not only simple indicators
and controls, but also complex batch master systems that provide for fully automated operation of
different recipes.
Monitoring devices activate when the process
starts to leave the identified normal operating
conditions or the good range. They are designed
to prevent an unwanted but not unacceptable
event, i.e. those events that have an acceptable,
but higher than desired risk.
Monitoring devices include alarms that require the operator to take action and basic interlocks that work to bring the process back into normal operating conditions. Monitoring devices are often implemented in the DCS or other Basic Process Control System.
Protective devices are specifically designed to prevent events resulting in unacceptable consequences. They are designed and maintained to ensure a high degree of reliability. This distinguishes protective devices from operational or monitoring devices. Most commonly, we see pressure relief valves (PSVs) or safety instrumented interlocks as protective devices.


2.2.3 Hierarchy of Control Measures
When selecting alternatives for risk reduction measures, it is BASF's philosophy to apply inherently safer design principles first.
Passive control measures such as dikes, fireproofing of structural steel, or a pressure-proof reactor design are the next to be used.
If those principles are not feasible, mechanical protective devices like pressure relief valves (PSVs) are considered.
If the use of a mechanical protective device is not feasible, instrumented protective devices should be used. These devices are known as Safety Instrumented Functions (SIF), part of a Safety Instrumented System (SIS), and designated Z-Functions within BASF. Their design and maintenance are governed by a global procedure, G-PEI 201.

[Figure: hierarchy of control measures]
1. Inherently Safer Design (Eliminate or Reduce)
2. Passive Control Measures
3. Active Control Measures: Mechanical Devices, I/E Devices
4. Administrative Controls
(Additional label in the figure: Engineering Controls)

If none of these measures are feasible as protective devices, only then should high-level administrative controls be applied to manage a safety-relevant issue.

The hierarchy of controls is principally used to select the primary safeguard for a scenario. To
make certain our designs are tolerant of one or
more faults, we apply a layers of protection concept, ensuring protection of our personnel and our
neighbors.
A diagram depicting the concept of Layers of Protection is found below. Each layer is designed to
complement the others, and prevent unacceptable
consequences in case one or more layers should
fail.

3. Managing Risk
Risk is defined as the product of the probability (frequency), P, of an event and the severity, S, of the consequences of that event.

Risk: R = P × S

A quantitative risk assessment for chemical plants may be theoretically possible, but reliable statistics are difficult to obtain since most chemical plants are unique.
BASF therefore uses a more qualitative risk assessment methodology utilizing the safety review system
and an internally developed risk matrix related to health
effects. The BASF Risk Matrix is a tool to perform
semi-quantitative risk assessments (a qualitative risk
assessment using a quantitatively-based tool).
The BASF Risk Matrix must be used for all risk assessments concerning health and safety consequences since it reflects BASF's philosophy on maximum acceptable risk and the determination of what measures may be necessary to reduce the risk adequately. This includes all Safety Integrity Level (SIL) determinations for safety-relevant instrumented protective devices.
The BASF Risk Matrix yields a risk class and the corresponding minimum risk reduction requirements for a
given scenario.
The risk determined by using the BASF Risk Matrix is
known as the raw risk. This is the basic risk for a plant
without considering the action of any safeguards including relief devices, interlocks and operator intervention. It acknowledges basic, good engineering design
features normally associated with BASF petrochemical
facilities.
Once the raw risk is determined, the existing safeguards are evaluated to determine if they are sufficient
for that risk. Application of this methodology has been
found to be more consistent than considering the active
safeguards during the risk assessment process.

In order to obtain reliable results from the risk matrix, a consistent approach must be followed. The following is a list of the steps to use the matrix.
Basic Risk Assessment Steps:
1. Identify the sources of potential danger. (Hazards)
2. Identify what can go wrong. (Deviations)
3. Identify the Initiating Causes of the Deviation (Independent Primary Faults) in order to be able to determine the likelihood.
4. Determine the result of this Deviation (Consequence) in order to be able to determine the severity.
5. For each Cause, determine the Probability of the initiating event.
6. Determine the Severity of a particular consequence and refine the probability of the initiating event to match that consequence.
7. Determine the Level of Risk by locating the intersection of the Probability and Severity values on the Risk Matrix.
8. Determine the Risk Reduction Measures needed to move the risk to the acceptable level (if necessary).
9. Determine if further risk reduction is needed.
Additional guidance for properly completing each step
can be found in the BASF Risk-Based Decision Making Guide or by contacting the global Process Safety
Centers of Expertise, GUS/A or NTU/S.

BASF Risk Matrix

                 Severity
Probability      S1      S2      S3      S4
P0               A       B       D       E
P1               A/B*    B       E       E
P2               B       C       E       F
P3               C       D       F       F
P4               E       F       F       F

* Determined on a case-by-case basis whether A or B is needed.

Probability:
P0  Happened a couple of times (once per year or more often)
P1  Happened once (Approx. once in 10 years)
P2  Almost happened, near miss (Approx. once in 100 years)
P3  Never happened, but is thinkable (Approx. once in 1,000 years)
P4  Not a credible scenario (less than once per 10,000 years)

Severity:
S1  On site: Potential for one or more fatalities
S2  On site: Potential for one or more irreversible injuries
S3  On site: Potential for one or more lost time injuries
S4  On site: Potential for minor injuries, or irritation

Minimum Requirements:
A  Process or design change preferred
B  Process / design change, or one protective measure of SIL 3 equivalent (PSV, SIS, etc.)
C  Process / design change, or one protective measure of SIL 2 equivalent (PSV, SIS, etc.)
D  One monitoring device of high quality with documented testing
E  One monitoring device
F  None

Risk Class:
A  Extreme, totally unacceptable risk
B  Very large, unacceptable risk
C  Large, unacceptable risk
D  Medium, acceptable risk, which should be further reduced
E  Small, acceptable risk, which may be further reduced
F  Very small, acceptable risk


4. Process Safety Programs


The success of process safety programs is demonstrated by a lack of negative events and therefore can
be difficult to measure. Nevertheless, it is important to
rigorously apply these programs to maintain a good
track record. An audit system can help determine if
process safety programs are performing well.

4.1. Safety, Health & Ecology Project Reviews


A principal activity within BASF for planning the execution of capital projects is the Safety, Health & Ecology Project Review process, also known as the Step Review process.
The Safety, Health & Ecology Step review process is a comprehensive internal BASF tool for use in developing the plant's safety concept and defining the measures to be taken to ensure its safe operation. It is applied Group-wide within BASF.
The reviews function to complement the design process during the stages of increasing engineering detail, by focusing on identifying the hazards, evaluating the associated risk, then applying methods for managing and controlling the hazards identified.
Finally, the completed design is checked for adequacy in achieving an acceptable level of risk.
Details of the Step Review process are found in the BASF Group Directive "Safety, Health and Environmental Protection (SHE) at the Planning and Construction of Process Plants."
4.1.1 Steps in the Review Process
The objective for each of the individual steps varies
due to the level of information available at each
phase of the project.
Step 0 Review Objectives
- Identify the key potential hazards associated with the substances and the process or the plant.
- Address options for inherent safety.
- Carry out a preliminary decision as to the process to be used, and site selection.
- Define permitting requirements for environmental protection.
Step 1 Review Objectives
- Define the hazards associated with the chemicals and the process in greater detail.
- Review the proposed basic Plant Safety Concept.
- Confirm that the process selected can be implemented at the proposed site.
- Review the proposed environmental protection concept and the strategy to obtain authority approvals.
Step 2 Review Objectives
- Review the detailed design to ensure that proposed safeguards are adequate for the level of risk presented by the identified hazards.
- Finalize and document the Plant Safety Concept.
- Ensure that general safety requirements are met.
- Document the environmental protection concept.
Step 3 Review Objectives
- Closely evaluate the design documentation, especially the P&IDs associated with highly hazardous plant sections, to ensure conformance with the Plant Safety Concept and general safety requirements for the purposes of plant safety.
- All Step 3 reviews are executed by means of the HAZOP methodology.
Step 4 Review (Pre-Startup Safety Review, PSSR) Objectives
- Verify that the environmental, health, and safety concept has been implemented in the construction of the plant.


4.1.2 Step Review Timing


The timing of the step reviews is ideally integrated into the project schedule according to the following:
- The Step 0 Review is performed at the stage of process development prior to or at the beginning of basic engineering, i.e. the conceptual stage.
- The Step 1 Review is performed at Phase 1 (basic engineering) prior to project definition approval.
- The Step 2 Review is performed at Phase 2 (detailed engineering) prior to preparing the project appropriation approval package.
- The Step 3 Review, if necessary, is performed during Phase 3 (detailed design) of the plant, following appropriation approval.
- The Step 4 Review is performed upon mechanical completion, but prior to introduction of chemicals into the plant and subsequent startup.

Execution of the Step 0, 1, and 2 reviews according to this schedule allows for the necessary EHS input to Commission S for project authorization purposes.
All capital projects, regardless of investment value, are required, as a minimum, to have Step 1, 2 and 4 reviews executed as part of the project life cycle.

4.2. Key Elements in a Successful Process Safety Program
Successful process safety performance depends in large
part on the use of management programs that integrate
the principles of process safety into our daily work. The
following are key management systems designed to help
maintain strong process safety programs:
a. Process Safety Information (PSI) - acquiring and updating information relevant to the chemical process, the chemicals in the process, and the equipment used in the process. This includes Material & Energy Balance information (PFDs), stability & reactivity data, P&IDs, MSDSs, equipment data sheets, process safety concepts, relief device design calculations and more.
b. Operating Procedures - ensuring consistent operating information, including identification of special or unusual hazards, the limits of safe operations, and special personal protective equipment. Operating procedures are validated periodically to ensure they reflect current proper operating practices.
c. Process Hazard Analysis / Existing Plant Reviews - regularly performing safety reviews of existing plants to document the plant safety concept and keep it up-to-date.
d. Management of Change (MOC) - identifying and evaluating changes to the chemical process, the chemicals, the equipment, the facilities, extending even to personnel or the organization, before the change is made, in order to properly control any new hazards introduced by the change.
e. Training - ensuring strong process safety knowledge at all levels in the organization, from Group Vice-Presidents to all operating and support personnel. The Process Safety CoE provides seminars on a routine basis, as well as specific training as needed, including such topics as:
   - Process Safety Fundamentals
   - EHS Project Review Process
   - Control of Exothermic Reactions
   - Risk-Based Decision Making
f. Incident Investigation and Communication - learning from incidents and ensuring that similar incidents do not occur again at other locations by openly communicating the lessons learned.
g. Mechanical Integrity (MI) - maintaining the functionality and integrity of the process equipment, piping, control systems and safety systems in our facilities through regularly scheduled inspection and testing.

Such elements are important for all facilities, not just those regulated by the authorities.


Final Thoughts
Process safety is vital to maintaining our license to operate. Our governments and communities will not allow
businesses to operate if they pose an imminent risk to the
population. Striving for continuous improvement is also
part of our commitment to Responsible Care.
By following the basic principles detailed in this handbook,
we can design, construct, operate and maintain safe
chemical processes, protecting our employees and our
neighbors from the hazards they present, and also fulfill
the process safety performance expectations as described
in the Responsible Care Management System (RCMS):
1. Safety reviews are conducted for existing and new
processes / facilities (BASF-Group Directive
"Safety, Health and Environmental Protection at
Planning and Construction of Process Plants").
2. Plant safety concepts and periodic reviews are
documented.
3. Current, complete documentation is available, e.g.
process safety information including safety relevant parameters, protective devices, P&I diagrams, hazardous area-classification, fire protection concept, etc.
4. All incidents are investigated and lessons learned
communicated.

5. A management of change system is implemented.
