Page 324 - Design of Simple and Robust Process Plants
310 Chapter 8 Instrumentation, Automation of Operation and Control
Specifically, CCPS (1996) addresses inherently safer design, which should be
considered as part of this book. The strategy for process risk management in relation
to inherently safer design is reflected in Figure 8.12 (CCPS, 1996). The illustration
shows a decreasing reliability for process risk management in sequential order:
inherent; passive; active; and procedural. The inherently safer design strategies are
projected over the process risk strategies. The inherently safer design strategies are
ordered as: minimize; substitute; moderate; and simplify, and are applicable for
each process risk management strategy. The approach reflects that inherently safer
considerations are required for all safety protection layers. For the instrumental
protection of a process, the plant concentrates on:
• Preventing loss of containment by equipment failure.
• Preventing the release of hazardous materials by a single instrument failure.
To achieve this, the different protection levels for the process are:
- Process design (eliminate/minimize the hazard).
- Basic control, including process pre-alarms (control the process).
- Critical alarms (warning operation for an approaching unsafe situation,
  where immediate action is required).
- Automated action, SIS (interlocking) or ESD (emergency shut-down).
- Physical protection (relief devices).
These represent the process protection layers that are directly connected to the
process; all other measures are external provisions to reduce the effect of an event.
The instrumental and physical protection level ranges are shown in reference to
the operating range (Figure 8.13). The safeguarding of a process plant depends to a
large extent on instrumentation, since the aim is to avoid activation of physical
protection devices for hazardous releases. Activation of these devices often causes
leakage of relief devices or mechanical damage, for example rupture discs and safety
or crush pins. Rupture discs are not preferred, as any subsequent release is much
greater than it would be, for instance, with a spring-loaded relief device.
In principle, the philosophy of inherently safer design starts with the elimination or
minimization of the hazard, and this is especially applicable to simple and robust
process plants. Once this stage has been passed, protection should start at the point
of initiation. The basic approach should be driven by the principle of:
Prevent versus cure
In order to determine instrumentation selection, all process equipment must be
evaluated systematically, unit by unit, for the potential of exceeding design values for:
pressure, temperature, overfill, speed, and vibration. Each time a need for a protection
element is determined, the standard question should be: "can this situation be prevented?"
This is fully in line with the inherently safer design principles. It is essential to follow
this approach, and any prevention may include hardware modifications to the process.
The prevention of releases and the related design of the SIS with interlocking need to
be based on the appropriate SIL level, all in line with IEC 61508 (see Section 8.2.4).