See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/223244947 A functional HAZOP methodology Article in Computers & Chemical Engineering · February 2010 DOI: 10.1016/j.compchemeng.2009.06.028 · Source: DBLP CITATIONS READS 67 3,005 4 authors, including: Morten Lind Niels Jensen Technical University of Denmark Safepark 142 PUBLICATIONS 2,612 CITATIONS 49 PUBLICATIONS 219 CITATIONS SEE PROFILE Sten Bay Jørgensen Technical University of Denmark 312 PUBLICATIONS 4,082 CITATIONS SEE PROFILE Some of the authors of this publication are also working on these related projects: Combining functional modeling and reasoning with on-line event analytics View project Bioreactor modelling for monitoring and control View project All content following this page was uploaded by Niels Jensen on 27 November 2018. The user has requested enhancement of the downloaded file. SEE PROFILE This article appeared in a journal published by Elsevier. The attached copy is furnished to the author for internal non-commercial research and education use, including for instruction at the authors institution and sharing with colleagues. Other uses, including reproduction and distribution, or selling or licensing copies, or posting to personal, institutional or third party websites are prohibited. In most cases authors are permitted to post their version of the article (e.g. in Word or Tex form) to their personal website or institutional repository. Authors requiring further information regarding Elsevier’s archiving and manuscript policies are encouraged to visit: http://www.elsevier.com/copyright Author's personal copy Computers and Chemical Engineering 34 (2010) 244–253 Contents lists available at ScienceDirect Computers and Chemical Engineering journal homepage: www.elsevier.com/locate/compchemeng A functional HAZOP methodology Netta Liin Rossing a , Morten Lind b , Niels Jensen c , Sten Bay Jørgensen a,∗ a CAPEC, Chemical and Biochemical Engineering, Technical University of Denmark, Kgs. Lyngby, Denmark Department of Electrical Engineering, Technical University of Denmark, Kgs. Lyngby, Denmark c Safepark Consultancy, Kannikestræde 14, DK-3550 Slangerup, Denmark b a r t i c l e i n f o Article history: Received 19 December 2008 Received in revised form 23 June 2009 Accepted 25 June 2009 Available online 3 July 2009 Keywords: Risk assessment Systems engineered HAZOP analysis a b s t r a c t A HAZOP methodology is presented where a functional plant model assists in a goal oriented decomposition of the plant purpose into the means of achieving the purpose. This approach leads to nodes with simple functions from which the selection of process and deviation variables follow directly. The functional HAZOP methodology lends itself directly for implementation into a computer aided reasoning tool to perform root cause and consequence analysis. Such a tool can facilitate finding causes and/or consequences far away from the site of the deviation. A functional HAZOP assistant is proposed and investigated in a HAZOP study of an industrial scale Indirect Vapor Recompression Distillation pilot Plant (IVaRDiP) at DTU-Chemical and Biochemical Engineering. The study shows that the functional HAZOP methodology provides a very efficient paradigm for facilitating HAZOP studies and for enabling reasoning to reveal potential hazards in safety critical operations. © 2009 Elsevier Ltd. All rights reserved. 1. Introduction Hazard studies provide a systematic methodology for identification, evaluation and mitigation of potential process hazards which can cause severe human, environmental and economic losses. Different methods are practiced at various stages during the plant life cycle (Swann & Preston, 1995). Most methods require considerable time and resources. Consequentially research has been stimulated to develop computer aided tools to assist in and even aiming at automating hazard analysis. Venkatasubramanian, Zhao, and Viswanathan (2000) reviewed development of knowledge based systems for automating HAZOP analysis. Venkatasubramanian and Vaidhyanathan (1994) describe a knowledge based framework, which addresses the issues of representation of process specific and generic knowledge about chemicals in the automation of HAZOP studies. The knowledge, which is generic and hence applicable to a wide variety of flow sheets, is called process general knowledge, while the remaining knowledge is considered specific to a particular process, and is called process specific knowledge. Bragatto, Monti, Giannini, and Ansaldi (2007) build upon the notions introduced above and exploits process knowledge with the aim to develop tools for the experts to reveal potential hazards, rooted in a function based taxonomy for equipment and instrumentation. Thus their system includes a dictionary, the plant information database, a reasoning and analysis engine and a knowledge reposi- ∗ Corresponding author. +45 45252872. E-mail address: [email protected] (S.B. Jørgensen). 0098-1354/$ – see front matter © 2009 Elsevier Ltd. All rights reserved. doi:10.1016/j.compchemeng.2009.06.028 tory. The dictionary permits linking the terminology used in hazard analysis with that used in a particular application area. In their system objects are categorized according to a hierarchically organized function based taxonomy, which can be mapped to the corresponding standard STEP data definitions (STEP, 1994). Thus each item is classified in terms of super-function, function, and type and with an associated set of functional parameters. However these methods relate the concept of function directly to a physical implementation and therefore they limit the possibility to abstract from one layer in a goal-purpose hierarchy to another. A similar approach is taken by Zhao, Cui, Zhao, Qiu, and Chen (2009) in developing the PetroHAZOP system which uses case based reasoning. This system is based on the OntoCAPE ontology which attempts to cover the areas of unit operations, plant equipment and thermophysical properties. However areas as control and operations knowledge, which are essential for HAZOP are only indirectly covered to the extent they are represented within the available cases. Consequently it is desirable to develop a HAZOP methodology based upon a model which can encompass the purpose and functional structure of the plant, including the operational goals. Such a functional model should represent the system using means-end concepts, where a system is described using goals and purposes in one dimension and whole-part concepts in another dimension. Such a functional modeling approach lends itself directly for implementation into a computer aided reasoning tool to assist in HAZOP studies with cause and consequence determination. Thereby a tool can be developed which supports a traditional HAZOP meeting based upon a common framework in functional modeling with foundation in action theories and cognitive science. Such functional modeling can provide a Author's personal copy N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253 systematic methodology for computer assisted HAZOP studies, thus potentially relieving the engineers from a major part of a rather cumbersome task and instead permitting them to focus attention on judging the significance of the causes and consequences suggested by the HAZOP assistant – a task where plant operating experience will help significantly. Such a knowledge based tool may potentially be combined with other systems based on ontologies for physical equipment, unit operations and thermophysical properties, e.g. OntoCAPE. Such integrated ontologies may be combined with problem solution paradigms such as case based and logic reasoning to comprise a decision support framework for a HAZOP team which may prove most useful for studies both on existing as well as on newly developed technology. The purpose of this paper is to demonstrate the potential value of functional modeling and logical reasoning for decision support in HAZOP. The paper presents a functional approach to hazard analysis and develops a functional model as a basis for a logical reasoning on causes and consequences of deviations as considered in a HAZOP meeting. The resulting tool is called a functional HAZOP assistant. The following section briefly introduces a traditional HAZOP, then the functional modeling methodology and the associated reasoning engine are described. Next the goal based HAZOP analysis methodology is presented based upon a functional model which leads to the functional HAZOP assistant. The functional HAZOP assistant is demonstrated on an industrial size pilot plant. Finally the presented methodology is discussed and the conclusions are drawn. 2. Methods The proposed methodology is based upon experiences from traditional HAZOP studies. The procedure for such studies is described before introducing the specific functional modeling paradigm called multilevel flow models (MFMs) and an integrated computer aided environment for building and using MFM models. 3. Traditional HAZOP procedure In the 1970s several articles by employees at ICI described what was then called operability studies. These studies, see, e.g. Lawley (1974) and Chemical Industry Association (1977), were based on the assumption that a problem can only arise when there is a deviation from what is normally expected, and on the desire to develop a process-oriented tool to complement the equipment oriented norms, such as pressure vessel codes. From the deviations causes were qualitatively identified inductively and consequences deductively. The operability studies at ICI examined each line section for all conceivable deviations, which were constructed from a set of guide words. The operability study could be based on either a simple process flow diagram or a detailed piping & instrumentation diagram (P&ID). Studies based on P&IDs are what today is known as HAZard and OPerability (HAZOP) studies (Swann & Preston, 1995), and they have since become a cornerstone in hazard studies of process plants (Crawley & Tyler, 2000, 2003; Lees, 2001). The purpose of the HAZOP study is to uncover causes and consequences of a facility’s response to deviations from design intent or from normal operation, i.e. to reveal if the plant has sufficient control and safety features to ensure, that it can cope with expected deviations normally encountered during operation including startup, shutdown and maintenance. The HAZOP study is traditionally performed as a structured brainstorming exercise facilitated by a HAZOP study leader and exploiting the collective experience of the participants. A traditional HAZOP study has the following phases (Skelton, 1997): • Pre-meeting phase: Here the purpose and objective of the study is defined. The leader of the HAZOP study gathers information 245 about the facility, such as process flow diagrams (PFD), process & instrumentation diagrams (P&ID), plant layout; chemical hazard data, etc., and proposes a division of the plant into sections and nodes. For each node – or for the plant as a whole – the leader identifies relevant process variables and deviations from design intent or normal operation based on either past experience or company guidelines. The leader also identifies the participants in the review of the different sections of the plant, and ensures their availability. Typically this includes the process design engineer, the control engineer, the project engineer and an operator besides the experienced team leader. All these people have large demands on their time during a project. The team leader schedules a sufficient number of half-day HAZOP meetings. • Meeting phase: At the start of the first HAZOP meeting the technique is briefly reviewed, and the specific scope of the present study is stated. The leader describes the overall facilities, e.g. using a 3D computer model. Then the team considers each section of each diagram, i.e. P&ID or PFD, in turn. The team leader ensures that process variables and deviations are considered in a rigorous and structured manner, and that any deviations meriting identified actions or further considerations are recorded with identification of the person responsible for follow-up. • Post-meeting phase: After the HAZOP meeting all action items are followed up by the persons assigned to them during the meeting and the results of the follow-up are reported to the team leader. The team might call a review meeting to determine the status of all actions items, and decide if additional efforts are needed. Thus a HAZOP study requires considerable time and resources whenever it is carried out during the plant life cycle. Consequentially research has been stimulated as reviewed in the introduction to develop computer aided tools to facilitate HAZOP studies. Although HAZOP studies is a well accepted tool for risk assessment in many industries very little has been published on a theoretical basis for HAZOP studies. HAZOP studies are used to investigate deviations from a norm: the normal operating conditions or the design intent, i.e. the goal of the system. This can be done by asking questions such as “what deviations can occur?” That is “what guide words and process parameters are relevant?”, “Why do they occur?” (causes), “How are they revealed?” (consequences). In a HAZOP study these questions are asked after first dividing the whole system into its constituent parts, i.e. sections and nodes. The questions stated relate to the goal of the system while the process represents the means for achieving these goals. Therefore it seems highly relevant to develop a HAZOP assistant based upon meansends modeling combined with whole-parts concepts to grasp the different levels of abstraction when needed, e.g. during different phases of the process design. Thus models based on means-end and part-whole concepts, such as functional models, will form a convenient basis for a HAZOP assistant. The HAZOP assistant developed in this work uses such a functional model to combine the system goal structure with the designed means to achieve these goals and to facilitate a HAZOP meeting by suggesting causes of considered deviations. In the following a methodology and tools for building and reasoning on plant function knowledge called multilevel flow modeling are described. Then the goal based methodology called functional HAZOP assistant is proposed. 3.1. Functional modeling methodology In this paper multilevel flow modeling (MFM) is used to represent the knowledge of plant functions. MFM combines the means-end dimension with the whole-part dimension, to describe the functions of the process under study and enable modeling at different abstraction levels. MFM is a modeling methodology Author's personal copy 246 N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253 Fig. 1. (a) MFM symbols for functions and objectives. (b) MFM symbols for means-end and causal roles. (c) Relation between MFM and HAZOP reasoning tasks. which has been developed to support functional modeling of process plants involving interactions between material, energy and information flows (Lind, 1990, 1994; Li, Gani, & Jørgensen, 2003). Functions are here represented by elementary flow functions interconnected to form flow structures representing a particular goal oriented view of the system. MFM is founded on fundamental concepts of action developed by VonWright (1963). Each of the elementary flow functions can thus be seen as instances of more generic action types (see, e.g. Lind, 1994). The views represented by the flow structures are related by means-end relations and comprise together a comprehensive model of the functional organization of the system. The basic modeling concepts of MFM comprise objectives, flow structures, a set of functional primitives (the flow functions) and a set of means-end relations and causal roles representing purpose related dependencies between functions. The functions, the flow structures and the relations are interconnected to form a hypergraph like structure. The symbols used to represent flow functions, objectives, flowstructures are shown in Fig. 1a. Symbols used for representing means-end and causal roles are shown in Fig. 1b. MFM models represent knowledge which is generic to several problems in HAZOP analysis as illustrated in Fig. 1c. By combining a MFM model with rules for causal reasoning (rulebase RB1) it can be used to generate fault trees and consequence trees. In combination with an operational plant goal and rules for reasoning about goals and sub-goals (rulebase RB2) it can be used to generate goal trees. These trees can then be used in reasoning about counteraction plans using planning rules (rulebase RB3). It should be mentioned that rule based reasoning in MFM also may be combined with case based reasoning techniques by using the MFM model (combined with other plant information) to represent a case. MFM is accordingly a plant model which can serve as a central core of an intelligent system for HAZOP analysis and plant control. It provides a plant representation which is more generic and less dependent on knowledge about specific situations or incidents compared to, e.g. fault trees, consequence trees, goal trees and counteraction plans. The effort in acquisition of plant knowledge for the HAZOP analysis is therefore greatly reduced compared to methods based on fault trees, consequence trees and goal trees. Better control of the consistency of the plant knowledge is also ensured. Furthermore MFM is based on a rich ontology which provides cognitive support to the model builder in knowledge acquisition. Other modeling methods, such as causal trees and Petri nets do not provide the same level of cognitive support because they are based on fewer and more abstract concepts like events, states and transitions. The suitability of MFM models for HAZOP analysis simply can be explained by their common conceptual basis in means-end concepts. MFM provides a formalization of means-end concepts which play a fundamental role in HAZOP when reasoning about causes, consequences and counteraction plans. 3.2. The MFM workbench The structure of an integrated computer aided environment for development and use of MFM models, which has been developed using standard software such as Microsoft Visio and Java, is shown Author's personal copy N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253 247 Fig. 2. MFM model builder and reasoning system. On the right hand side the decanter section MFM is shown, and the causal tree for the deviation sto5 lo at the bottom left. An integrated computer aided design environment for MFM modeling has been developed using standard software, such as Microsoft Visio and the Java based reasoning engine Jess. in Fig. 2. This environment is called the MFM workbench. A MFM model builder has been implemented in Microsoft Visio. Stencils implementing symbols for the MFM concepts shown in Fig. 1a and b are used to build a functional model. The model builder is interfaced with a reasoning system as illustrated in Fig. 1c, which can generate causal paths and root causes for a given fault scenario, i.e. a top event (an MFM function deviating from the modeled scenario, e.g. normal) and status information for selected flow functions. The reasoning system is implemented using the Java based expert system shell Jess (Friedman-Hill, 2003). Rules for reasoning about function states and causal relations in MFM models are implemented as a Jess rule base. 4. A functional HAZOP assistant The MFM workbench described above is the basis for the development of a functional HAZOP assistant supporting a goal oriented approach to HAZOP analysis during HAZOP meetings. Traditionally the division of the plant into sections may be carried out by defining each major process component as a section. A section could also be a line between each major component with additional sections for each branch off the main process flow direction. Usually the function of a section or of a node is not directly specified, many HAZOP formats only identify the part of the process considered by project number, P&ID number and line number. The design intent of the node may go unrecorded, even though the purpose of the HAZOP study is to consider deviations from design intent. The herein proposed goal based methodology for HAZOP analysis provides a structured approach where the study is divided into three phases, corresponding to the traditional approach described above. The first phase corresponds to the pre-meeting phase, the second phase to the meeting phase and the third phase to the postmeeting phase. Thus the Functional HAZOP assistant involves the following steps: Phase 1: 1. State the purpose of the plant. 2. Divide the plant into sections each of which has a clear subpurpose contributing to the overall purpose of the plant. 3. Divide each section into nodes, the function of which can be directly described by physical or chemical phenomena. Examples of such phenomena are: gas transport, liquid transport, liquid storage and gas–liquid contact or reaction. 4. At this point an MFM model may be directly developed using the model builder as described above (if a model is not already available) provided that the physical and chemical phenomena are included in the existing model set. 5. For each type of node, i.e. each physical or chemical phenomenon, describe the process variable(s), which identifies design intent or normal operation. For a node with the function ‘gas transport’ normal operation could be described by flow rate, temperature, pressure and number of phases. 6. For each process variable specify the relevant deviations. For flow rates typical deviations are qualitative, e.g. more, less and reverse. In this work the deviation ‘no flow’ is considered a limiting situation of ‘less flow’, and hence is not considered separately. Phase 2: 7. Perform the diagnosis on the MFM workbench by working through the plant functions in sequence and analysing the deviations one by one facilitated by the qualitative reasoning capability in MFM. 8. Analyze the identified causes of hazardous conditions by using experience to judge their likelihood, and perhaps by refining the analysis through a more detailed study in case of serious causes. 9. Record the identified causes and the underlying reasoning for later reference. 10. For each cause with a reasonable likelihood of occurrence analyze the possible consequences and their severity. Author's personal copy 248 N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253 Fig. 3. (a) Simplified P&ID of column part of IVaRDiP at DTU. (b) Simplified P&ID of heat pump part of IVaRDiP at DTU. Phase 3: 11. For identified hazards then investigate and decide how to manage these, through either (a) definition of an alarm with a consequential response potential for the operator, (b) implementation of on line control of the plant, (c) redesign of a part of the plant, or (d) another action. 12. Record the final decision and the underlying reasoning for later reference. Phase 1 may be carried out in a straightforward manner by using the functional modeling approach. For example the purpose of the plant could be to produce 50 tons of polyethene (PE) per hour. In order to achieve this we need sections which: feed reactants to the reactor, feed catalyst to the reactor, reaction, remove excess heat from the reactor, remove product from the reactor, removal of unreacted hydrocarbons from product, add additives to virgin PE, etc. The reaction section could be considered as a single node with the purpose of providing suitable conditions, such that raw materials react to form products. For a Unipol PE reactor this would require maintaining fluidization of the PE particles to facilitate their growth as well as the transport of heat of reaction away from the PE particles to ensure they do not melt or fuse together. Using this approach to model the plant all that is needed is a basic understanding of chemical unit operations, their purposes and the fundamentals on which these purposes are built, i.e. transport phenomena, thermodynamics and kinetics. This means that phase 1 of a HAZOP study may be efficiently performed by less experienced personnel. Phase 2 requires more experience, and will benefit from the synergy created in a meeting environment. The above proposed three phase procedure clearly becomes a significant task even though the functional HAZOP assistant enables automated consistent reasoning not only within the single nodes but also between nodes and sections and thereby facilitates revealing more complex causes of deviations than possible using the traditional approach. The workflow during phase 2 would indeed be expected to be significantly facilitated though the functional HAZOP assistant. During phase two and three the functional modeling may actually also be utilized for consequence analy- sis. However, this has not been further studied in the present work. The application of the functional HAZOP assistant is illustrated in the following through performing a HAZOP study on an industrial scale pilot plant at the Technical University of Denmark. 5. Functional HAZOP of distillation pilot plant The Indirect Vapor Recompression Distillation pilot Plant (IVaRDiP) at the Department of Chemical and Biochemical Engineering consists of a distillation column which is energy integrated with a heat pump (Li, Andersen, Gani, and Jørgensen, 2006). Process schematics of the column and the heat pump are shown in Fig. 3a and b. The purpose of the column is to separate a feed stream into two pure product streams while minimizing energy used. To accomplish this, the following sub-systems are defined: 1. Column section. Purpose: Gas–liquid contact to facilitate separation. 2. Reflux section. Purpose: Provide a liquid stream to the column and remove excess liquid as top product. 3. Feed section. Purpose: Provide a feed stream as close as possible to the conditions on the feed plate. 4. Reboiler section. Purpose: Provide a gas stream to the column and remove excess liquid as bottoms product. 5. Low pressure heat pump section. Purpose: Transport energy from reflux section to compressors. 6. High pressure heat pump section, including compressors. Purpose: Increase the heat pump fluid energy content by compression and transport energy from compressors to reboiler. 7. Excess heat removal section. Purpose: Transport of excess energy from the heat pump to the environment. 8. Tank park. Purpose: Provide storage for raw material and products. In the above the IVaRDiP is divided into 8 sections thus performing step 2 of the functional HAZOP approach. In the next step each section is further divided into nodes according to their function. For example the reflux section, which consists of the piping from the top of the column through the condenser and accumulator back to Author's personal copy N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253 249 the column as well as the piping from the accumulator to the top product storage tank, is divided into the following nodes during step 3: Table 1 Realizations of MFM functions in the physical equipment of IVaRDiP. These realizations are listed to facilitate the interpretation of the results from the reasoning engine. • Node 1. Function: Gas transport. Piping from the column to the condenser (HECOND) including the emergency shutdown valve (V3) and other instrumentation. • Node 2. Function: Liquid transport. Condenser and piping from condenser to accumulator including a pump (PC) and other instrumentation. • Node 3. Function: Liquid storage. Accumulator (DEC) and associated instrumentation. • Node 4. Function: Liquid transport. Piping from accumulator to top product storage including the product pump (PT) and product cooler (HETW) with the associated instrumentation. • Node 5. Function: Liquid transport. Piping from the accumulator to the column, where reflux enters, including the reflux pump (PR) and associated instrumentation. MFM function Realization in IVaRDiP sou1 tra2 sto3 tra4 sto5 tra6 bal7 tra8 sin9 tra10 bal11 tra12 bal13 tra14 sin15 Gas from column Emergency valve V3 Condenser HECOND Condensate pump PC Accumulator DEC Product pump PT Product cooler HETW Control valve CV2 Top product tank Selenoid valve BV54 Pipe from BV54 to pump PR Reflux pump PR Pipe from pump PR to BV49 Selenoid valve BV49 Liquid to column Upon this subdivision of the section it is directly possible to construct the MFM in step 4 using the MFM workbench described above. The other sections of the distillation pilot plant are similarly divided into nodes, i.e. each node relates to a function described by physical or chemical phenomena. In this way a total of 20 nodes are defined. However, several nodes belong to the same function type, as can already be seen from the above sub-division of the reflux section. In fact 7 of the 20 nodes have the function type ‘liquid transport’. In step 5 from the function of the node the variables necessary to describe design intent follows directly. For example, the process variables and deviations relevant for the function ‘liquid transport’ will be: • Flow: more, less, reverse, as well as. • Temperature: lower, higher. • Phase: other (than expected). and similarly for the function ‘gas transport’: • • • • Flow: more, less, reverse, as well as. Temperature: lower, higher. Pressure: lower, higher. Phase: other (than expected). Having completed phase 1 it is now possible to enter phase 2, where the reasoning engine is used to identify possible causes in step 7. During this step the functional HAZOP assistant can be extremely helpful in providing the reasoning necessary to identify potential causes of hazards. Initially it is recommended to perform the exhaustive evaluation for each variable in each node. Later as experience is accumulated it may be possible to facilitate also this step further. Below it is shown how this is done on an MFM model for the reflux section of IVaRDiP. During step 8 of the HAZOP meeting the reasoning engine is used to uncover possible causes of deviations. This is illustrated in the following first for the reflux section. Subsequently the MFM model is expanded further. column is condensed and stored in the accumulator (sto5) before it is split between the reflux to the column (sin15) and the distillate product (sin9). This model describes some of the process functions from the top of the distillation column to top product storage tank and the point, where reflux enters the column and includes the functions of the condenser HECOND, the condensate pump PC, the accumulator DEC, the top product pump PT, the top product cooler HETW, the top product storage, and the reflux pump PR. For the deviation ‘high level in the accumulator’ (sto5 hi) the possible causes identified by the reasoning engine using the model in Fig. 4 are shown in Fig. 5. They are: • Low flow through solenoid valve BV54 (tra10 lo, primary cause) caused by reflux pump PR running too slow (tra12 lo, secondary cause) or pipe between valve and pump partly blocked (bal11 fill, secondary cause). The cause of pump PR running too slow (tra12 lo) could be valve BV49 partly blocked (tra14 lo, tertiary cause) or pipe partly blocked (bal13 fill, tertiary cause). • Condensate pump PC running too fast (tra4 hi, primary cause). • Product pump PT running too slow (tra6 lo, primary cause) caused by HETW cooler partly blocked (bal7 hi) caused by control valve CV2 too much closed (tra8 lo). These causes are identical to causes identified in a traditional HAZOP performed prior to development of the integrated computer aided environment for development and use of MFM models, the 6. Building, using and improving an MFM model of IVaRDiP In this section an MFM model of the reflux section of IVaRDiP, shown in Fig. 3a and b, using the symbols from Fig. 1a and b is developed. Then this MFM model is expanded by including more and more of the functions of IVaRDiP. Table 1 shows how the MFM functions are physically realized in IVaRDiP. The MFM model of the reflux section is shown in Fig. 4 where the vapor (sou1) from the Fig. 4. MLM model of the mass flow in the reflux section of IVaRDiP. This model consider the functions of nodes 1–5 of section 2 as described in the functional HAZOP of the distillation pilot plant. Author's personal copy 250 N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253 Fig. 5. Causal tree with suggested causes of deviation sto5 hi, i.e. high level in the accumulator. The tree indicates three potential primary causes: tra10 lo, tra4 hi and tra6 lo, and for tra10 lo and tra6 lo several secondary causes, e.g. tra12 lo and bal11 fill for tra10 lo. MFM workbench. In the above analysis the MFM functions have been associated with actual physical parts of the plant. Such one to one associations are not always possible for MLM models, since it depends on the level of abstraction. At higher levels of abstraction a number of components are needed to achieve a certain function. The benefit of this type of analysis during the preparation for a HAZOP meeting is that it allows identification of the deviations which the meeting needs to consider together with a list of potential causes of these deviations. Thus the meeting can focus on ensuring, that sufficient systems are in place to cope with the deviations without significant negative consequences for the plant. For the deviation ‘low level in the accumulator’ (sto5 lo) the possible causes identified by the reasoning engine based on the model in Fig. 4 are shown in Fig. 6, and are: • Condensate pump PC running too slow (tra4 lo, primary cause); • Product pump PT running too fast (tra6 hi, primary cause), or • High flow through solenoid valve BV54 (tra10 hi, primary cause). As expected this is the opposite of the result in Fig. 5. A traditional HAZOP identify similar causes. The MFM model in Fig. 4 can also be used to find suggested consequences of a particular deviation. Due to the physical implementation of the reflux section the consequences of sto5 hi, i.e. high level in the accumulator, are very limited, since level has very little influence on the transport tra6 (the top product pump PT) or the transport tra12 (the reflux pump PR). The MFM model shown in Fig. 4 only considers mass flow in the reflux section of IVaRDiP. However, a very simple extension with an energy flowstructure to represent the energy transport in the heat pump is shown in Fig. 7. In this MFM model the reflux section and the heat pump are modeled at different levels of abstraction. The energy flow structure only includes the energy transport from the condenser (sou49) through the compressors (tra50) to the reboiler (sin51). This means the MFM function sou49 represents the function of HECOND, GLSEP and CV9 in Fig. 3b, and the MFM function tra50 represent the function of HECI and COMP. Fig. 6. Causal tree with suggested causes of deviation sto5 lo, i.e. low level in the accumulator. There are 3 potential primary causes: tra4 lo, tra6 hi and tra10 hi, and for tra10 hi one secondary cause is suggested, i.e. tra12 hi. Fig. 7. MFM model from Fig. 4 extended with the simplest possible heat pump energy flow structure. This model includes functions of section 2 and some functions of sections 5 and 6 as described in functional HAZOP of distillation pilot plant. Section 2 is modeled at a different abstraction level than sections 5 and 6. The MFM model in Fig. 7 gives the same possible causes for the deviations sto5 hi and sto5 lo as the MFM model in Fig. 4. However, it allows the investigation of the influence of deviations in the energy flow structure on the mass flow structure of the reflux section. The causal trees for the deviations tra50 hi and tra50 lo using the model in Fig. 7 are shown in Figs. 8 and 9, respectively. The result indicates that a suggested cause of high energy transport in the heat pump is high gas transport from the column. A further extension of the model is shown in Fig. 10. In this MFM model a simple mass flow loop is used to represent the gas–liquid interaction in the column, where feed and bottoms product flows are included. Fig. 11 shows the causal tree for the deviation sto5 hi, and in Fig. 12 for the deviation tra50 lo, which represents lower energy generation in the condenser. By comparing the causal path three shown in Fig. 11 with the one shown in Fig. 5 the following is observed: Fig. 8. Causal tree with suggested causes of deviation tra50 hi using the MFM model in Fig. 7. This shows that suggested causes of a deviation in the energy flow structure can be found in the mass flow structure, even with a simple model. Fig. 9. Causal tree with suggested causes of deviation sto5 hi using the MFM model in Fig. 7. As expected the result is the reverse of the causal tree in Fig. 8. Author's personal copy N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253 Fig. 10. MFM model shown in Fig. 4 extended with a simple energy flowstructure representing the connection between the mass transport in the column and the energy transport in the heat pump. This model includes functions from sections 1–6 as described in functional HAZOP of distillation pilot plant. • The primary causes are the same in Figs. 5 and 11, i.e. condensate pump PC running too fast (tra4 hi), product pump PT running too slow (tra6 lo), and solenoid valve BV 54 partly blocked (tra10 lo). • The secondary, tertiary and quaternary causes for the primary cause tra6 lo are the same. 251 Fig. 12. Causal tree of suggested causes of deviation tra50 lo using the MFM model in Fig. 10. This coincidence is due to the fact that the parts of the two MFM models involved are identical. The difference is observed for the causal path from the accumulator and back to the column, where the MFM model has been expanded. The path towards tra4, does not lead to secondary and other causes to the logical relation between sto3 and tra4, which indicate, that sto3 is a participant in the function of tra4, but not an agent. This is due to the condenser being an inherently safe barrier for liquid overfilling the accumulator and flowing back to the column through the condenser – because in the physical IVaRDiP the condenser is located below the accumulator. This example shows the importance of specific plant knowledge in order to properly interpret possible causes of deviations during the HAZOP meeting. Fig. 12 shows part of the causal paths in the MFM model in Fig. 10 for the deviation tra50 lo, and indicates one primary cause: sou49 lo, with tra2 lo as the sole secondary cause, i.e. low gas flow from the distillation column. There are three suggested tertiary causes: tra14 lo (solenoid valve BV49 partly blocked), tr34 hi (high liquid transport in column) and tra35 lo (low gas transport in column). The benefit of the extended model is, however, that it facilitates investigating the influence of changes in the energy transport in the heat pump on the reflux section, thus indicating, that reasoning on even simple MFM models allows one to easily discover causes in the mass flow structure for deviations in the energy flow structure. This indicates, that there will be benefits from developing even a quite simple MFM model of the whole plant, and using it to investigating possible causes behind deviations from normal operation. 7. Traditional versus and functional HAZOP Fig. 11. Causal tree of suggested causes of deviation sto5 hi using the MFM model in Fig. 10. The primary causes are tra4 hi, tra6 lo and tra10 lo. The more detailed MFM model allows suggested causes to be found further away from the location of the deviation being considered. The result of a traditional HAZOP of the reflux section of the distillation pilot plant when compared to the results of the functional HAZOP assistant shows that similar causes of the deviations are Author's personal copy 252 N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253 Fig. 13. Simple MFM model of IVaRDiP including both the column and the heat pump and the couplings between the two sub-systems. This model includes functions of sections 1–6 as described in functional HAZOP of the distillation pilot plant. found. An exact comparison is not possible, since the methodology by its very nature means, that knowledge about the system is accumulated as the analysis is performed. This means the results cannot be said to be independent. However, the functional HAZOP assistant allows the HAZOP meeting to change focus from identifying possible causes of deviations to being concerned with evaluating the likelihood of the different causes, and similarly for consequences. In addition the availability of such a scientifically based systematic approach to performing the HAZOP provides an interesting potential for the HAZOP study to cover the possible hazards in a plant which are foreseeable with the applied abstraction level in the MFM modeling. 8. Plant wide HAZOP The ability of the functional HAZOP assistant to reveal more complex relations between deviations and their possible causes has also been investigated. Here a simplified functional model was developed for the IVaRDiP as shown in Fig. 13, which encompasses the six first sections mentioned in the functional HAZOP. Using this model it was shown that the functional HAZOP assistant facilitates the discovery of root causes of deviations, which originate far from the node in which the deviation occurs. The causal tree for the deviation tra50 hi, i.e. a high energy flow to the compressors is shown Fig. 14. Causal tree of suggested causes of deviation tra50 hi using the MFM model in Fig. 13. The top level of this tree is equivalent to the causal tree shown in Fig. 8. in Fig. 14, and the primary cause is found to be sou49 hi, i.e. a high energy input to the heat pump, which has the secondary causes tra2 hi, i.e. a high gas flow from the column, or bal33 fill, i.e. flooding in the top of the column or tra35 hi, i.e. large gas flow in the stripping section. The MFM model hence suggests causes of a deviation far from the node of the considered deviation. Some recent loss events in the chemical industry have involved such situations (Mogford, 2005). The ability of MFM models to suggest possible causes of deviations allows them to be used to facilitate the discussions during a HAZOP meeting. Note, that the sub-causes of tra34 lo are not shown in Fig. 14, since this branch of the causal tree has not been expanded in this figure. Table 2 indicates the physical Author's personal copy N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253 253 Table 2 Physical interpretation of first four levels of causal tree in Fig. 14. For the deviation tra50 hi there is one primary cause: sou49 hi, which has one secondary cause tra2 hi. However, four possible causes of tra2 hi are suggested: bal33 fill, tra35 hi, tra14 hi and tra34 lo. The physical interpretation of each cause is shown worded as an alarm message. Deviation Primary cause Secondary cause Tertiary cause tra50 hi Heat pump energy transport high sou49 hi Heat pump energy input high tra2 hi Overhead gas flow high bal33 fill Stripper section flooding tra35 hi Stripper gas flow high Quarternary cause bal36 fill Feed plate flooding tra34 hi Stripper liquid flow high tra41 hi Feed flow high tra61 hi Rectifier gas flow high tra14 hi Reflux flow high tra12 hi Reflux flow high bal13 fill Pipe from PR partly blocked tra34 lo Stripper liquid flow low interpretation of the first four causal levels in the causal tree in Fig. 14. The interpretations are formulated as alarm messages to indicate the operational situation they relate to. ronment with existing integrated tools for computer aided process engineering such as ICAS (Gani, Hytoft, Jaksland, & Jensen, 1997) in order to enable direct access to performing quantitative analysis for special safety critical cases. 9. Discussion and conclusions References A goal based methodology for HAZOP analysis using a functional HAZOP procedure is introduced, which allows even fresh chemical engineers to contribute meaningfully to a HAZOP study. The approach reduces the work involved in a HAZOP of a plant by dividing the plant along functional lines and analysing nodes with the same function once only. This approach significantly reduces the effort involved. Furthermore functional models of chemical plants are demonstrated to provide a useful basis for development of a functional HAZOP assistant. On a simple model of a part of an indirect vapor recompression distillation pilot plant the functional HAZOP assistant finds the same causes as a traditional HAZOP study. It is furthermore demonstrated, that the proposed functional HAZOP assistant is able to find causes far from the node of the deviation. This promising development calls for a more systematic study of the workflow involved in HAZOP studies to further enable design of efficient tools for supporting the important HAZOP studies for improvement of safety critical operations in industry. It is important to point out that model based HAZOP analysis can revel hazards which are related to the model development purpose. Hence, if a MFM model covers normal operation, then hazards derived from deviations from normal operation may be uncovered. If non-routine cases are to be investigated then MFM models for such a purpose must be used. This is analogous to, e.g. case based reasoning which only can cover the cases which are included in the case base. The effective use of MFM models to facilitate HAZOP meetings requires further development of the integrated computer aided design environment for MFM modeling to allow the causal trees to be mapped to the P&ID’s familiar to process engineers, and rules of the reasoning engine to be extended to facilitate identification of possible consequences. The integration with other ontologies, e.g. OntoCAPE and with the combined usage of case based and logic reasoning provides a most promising avenue for future work. It is furthermore desirable to integrate such a knowledge based envi- View publication stats Bragatto, P., Monti, M., Giannini, F., & Ansaldi, S. (2007). Exploiting process plant digital representation for risk analysis. Journal of Loss Prevention in the Process Industries, 20, 69–78. Chemical Industry Association (UK). (1977). Hazard and operability studies. London: IChem. E. Crawley, F., & Tyler, B. (2000). HAZOP: Guide to best practice. Rugby, UK: The Institution of Chemical Engineers. Crawley, F., & Tyler, B. (2003). Hazard identification methods. Rugby, UK: The Institution of Chemical Engineers. Friedman-Hill, E. (2003). Jess in action. Greenwich, USA: Manning Publications. Gani, R., Hytoft, G., Jaksland, C., & Jensen, A. K. (1997). An integrated computer aided system for integrated design of chemical processes. Computers and Chemical Engineering, 21, 1135–1146. Lawley, H. G. (1974). Operability studies and hazard analysis. Chemical Engineering Progress, 70(4), 45–56. Lees, F. P. (2001). Loss prevention in the process industries (3rd ed.). Oxford, UK: Butterwords-Heinemann. (Chapter 8). Li, H., Andersen, T. R., Gani, R., & Jørgensen, S. B. (2006). Operating pressure sensitivity of distillation—Control structure consequences. Industrial & Engineering Chemistry Research, 45, 8310–8318. Li, H., Gani, R., & Jørgensen, S. B. (2003). Integration of design and control for energy integrated distillation. In Kraslawski, & Turunen (Eds.), Computer-Aided Chemical Engineering, Vol. 14. Elsevier Science B.V, pp. 449–454. Lind, M. (1990). Representing goals and functions of complex systems. An introduction to multilevel flow modeling. Dept. of Automation, Technical University of Denmark. Lind, M. (1994). Modeling goals and functions of complex industrial plant. Applied Artificial Intelligence, 8(2), 259–283. Mogford, J. (2005). Fatal accident investigation report. Isomerization Unit Explosion. Final Report, BP. Texas City, TX, USA. Skelton, B. (1997). Process safety analysis—An introduction. UK: IChemE. STEP ISO 10303-1. (1994). Industrial automation systems and integration-product data representation and exchange—Part I: Overview and fundamental principles. ISO. Swann, C. D., & Preston, M. L. (1995). Twenty-five years of HAZOPs. Journal of Loss Prevention in the Process Industries, 8(6), 349–353. Venkatasubramanian, V., & Vaidhyanathan, R. (1994). A knowledge-based framework for automating HAZOP analysis. AIChE Journal, 40(3), 496–505. Venkatasubramanian, V., Zhao, J., & Viswanathan, S. (2000). Intelligent systems for HAZOP analysis of complex process plants. Computers and Chemical Engineering, 24, 2291–2302. VonWright, G. H. (1963). Norm and action. London: Routledge & Kegan Paul. Zhao, J., Cui, L., Zhao, L., Qiu, T., & Chen, B. (2009). Learning HAZOP expert system bycase-based reasoning and ontology. Computers and Chemical Engineering, 33, 371–378.
