Subido por E Garcia

2010N Rossing et alA functional HAZOP methodology

Anuncio
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/223244947
A functional HAZOP methodology
Article in Computers & Chemical Engineering · February 2010
DOI: 10.1016/j.compchemeng.2009.06.028 · Source: DBLP
CITATIONS
READS
67
3,005
4 authors, including:
Morten Lind
Niels Jensen
Technical University of Denmark
Safepark
142 PUBLICATIONS 2,612 CITATIONS
49 PUBLICATIONS 219 CITATIONS
SEE PROFILE
Sten Bay Jørgensen
Technical University of Denmark
312 PUBLICATIONS 4,082 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
Combining functional modeling and reasoning with on-line event analytics View project
Bioreactor modelling for monitoring and control View project
All content following this page was uploaded by Niels Jensen on 27 November 2018.
The user has requested enhancement of the downloaded file.
SEE PROFILE
This article appeared in a journal published by Elsevier. The attached
copy is furnished to the author for internal non-commercial research
and education use, including for instruction at the authors institution
and sharing with colleagues.
Other uses, including reproduction and distribution, or selling or
licensing copies, or posting to personal, institutional or third party
websites are prohibited.
In most cases authors are permitted to post their version of the
article (e.g. in Word or Tex form) to their personal website or
institutional repository. Authors requiring further information
regarding Elsevier’s archiving and manuscript policies are
encouraged to visit:
http://www.elsevier.com/copyright
Author's personal copy
Computers and Chemical Engineering 34 (2010) 244–253
Contents lists available at ScienceDirect
Computers and Chemical Engineering
journal homepage: www.elsevier.com/locate/compchemeng
A functional HAZOP methodology
Netta Liin Rossing a , Morten Lind b , Niels Jensen c , Sten Bay Jørgensen a,∗
a
CAPEC, Chemical and Biochemical Engineering, Technical University of Denmark, Kgs. Lyngby, Denmark
Department of Electrical Engineering, Technical University of Denmark, Kgs. Lyngby, Denmark
c
Safepark Consultancy, Kannikestræde 14, DK-3550 Slangerup, Denmark
b
a r t i c l e
i n f o
Article history:
Received 19 December 2008
Received in revised form 23 June 2009
Accepted 25 June 2009
Available online 3 July 2009
Keywords:
Risk assessment
Systems engineered HAZOP analysis
a b s t r a c t
A HAZOP methodology is presented where a functional plant model assists in a goal oriented decomposition of the plant purpose into the means of achieving the purpose. This approach leads to nodes with
simple functions from which the selection of process and deviation variables follow directly. The functional HAZOP methodology lends itself directly for implementation into a computer aided reasoning tool
to perform root cause and consequence analysis. Such a tool can facilitate finding causes and/or consequences far away from the site of the deviation. A functional HAZOP assistant is proposed and investigated
in a HAZOP study of an industrial scale Indirect Vapor Recompression Distillation pilot Plant (IVaRDiP) at
DTU-Chemical and Biochemical Engineering. The study shows that the functional HAZOP methodology
provides a very efficient paradigm for facilitating HAZOP studies and for enabling reasoning to reveal
potential hazards in safety critical operations.
© 2009 Elsevier Ltd. All rights reserved.
1. Introduction
Hazard studies provide a systematic methodology for identification, evaluation and mitigation of potential process hazards which
can cause severe human, environmental and economic losses. Different methods are practiced at various stages during the plant life
cycle (Swann & Preston, 1995). Most methods require considerable
time and resources. Consequentially research has been stimulated
to develop computer aided tools to assist in and even aiming
at automating hazard analysis. Venkatasubramanian, Zhao, and
Viswanathan (2000) reviewed development of knowledge based
systems for automating HAZOP analysis. Venkatasubramanian and
Vaidhyanathan (1994) describe a knowledge based framework,
which addresses the issues of representation of process specific and
generic knowledge about chemicals in the automation of HAZOP
studies. The knowledge, which is generic and hence applicable to
a wide variety of flow sheets, is called process general knowledge,
while the remaining knowledge is considered specific to a particular process, and is called process specific knowledge. Bragatto,
Monti, Giannini, and Ansaldi (2007) build upon the notions introduced above and exploits process knowledge with the aim to
develop tools for the experts to reveal potential hazards, rooted
in a function based taxonomy for equipment and instrumentation. Thus their system includes a dictionary, the plant information
database, a reasoning and analysis engine and a knowledge reposi-
∗ Corresponding author. +45 45252872.
E-mail address: sbj@kt.dtu.dk (S.B. Jørgensen).
0098-1354/$ – see front matter © 2009 Elsevier Ltd. All rights reserved.
doi:10.1016/j.compchemeng.2009.06.028
tory. The dictionary permits linking the terminology used in hazard
analysis with that used in a particular application area. In their system objects are categorized according to a hierarchically organized
function based taxonomy, which can be mapped to the corresponding standard STEP data definitions (STEP, 1994). Thus each item is
classified in terms of super-function, function, and type and with
an associated set of functional parameters. However these methods
relate the concept of function directly to a physical implementation and therefore they limit the possibility to abstract from one
layer in a goal-purpose hierarchy to another. A similar approach is
taken by Zhao, Cui, Zhao, Qiu, and Chen (2009) in developing the
PetroHAZOP system which uses case based reasoning. This system is
based on the OntoCAPE ontology which attempts to cover the areas
of unit operations, plant equipment and thermophysical properties. However areas as control and operations knowledge, which
are essential for HAZOP are only indirectly covered to the extent
they are represented within the available cases. Consequently it is
desirable to develop a HAZOP methodology based upon a model
which can encompass the purpose and functional structure of the
plant, including the operational goals. Such a functional model
should represent the system using means-end concepts, where a
system is described using goals and purposes in one dimension
and whole-part concepts in another dimension. Such a functional
modeling approach lends itself directly for implementation into a
computer aided reasoning tool to assist in HAZOP studies with cause
and consequence determination. Thereby a tool can be developed
which supports a traditional HAZOP meeting based upon a common
framework in functional modeling with foundation in action theories and cognitive science. Such functional modeling can provide a
Author's personal copy
N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253
systematic methodology for computer assisted HAZOP studies, thus
potentially relieving the engineers from a major part of a rather
cumbersome task and instead permitting them to focus attention
on judging the significance of the causes and consequences suggested by the HAZOP assistant – a task where plant operating
experience will help significantly. Such a knowledge based tool may
potentially be combined with other systems based on ontologies
for physical equipment, unit operations and thermophysical properties, e.g. OntoCAPE. Such integrated ontologies may be combined
with problem solution paradigms such as case based and logic reasoning to comprise a decision support framework for a HAZOP team
which may prove most useful for studies both on existing as well
as on newly developed technology.
The purpose of this paper is to demonstrate the potential value
of functional modeling and logical reasoning for decision support in
HAZOP. The paper presents a functional approach to hazard analysis
and develops a functional model as a basis for a logical reasoning on
causes and consequences of deviations as considered in a HAZOP
meeting. The resulting tool is called a functional HAZOP assistant.
The following section briefly introduces a traditional HAZOP, then
the functional modeling methodology and the associated reasoning
engine are described. Next the goal based HAZOP analysis methodology is presented based upon a functional model which leads to
the functional HAZOP assistant. The functional HAZOP assistant is
demonstrated on an industrial size pilot plant. Finally the presented
methodology is discussed and the conclusions are drawn.
2. Methods
The proposed methodology is based upon experiences from traditional HAZOP studies. The procedure for such studies is described
before introducing the specific functional modeling paradigm
called multilevel flow models (MFMs) and an integrated computer
aided environment for building and using MFM models.
3. Traditional HAZOP procedure
In the 1970s several articles by employees at ICI described what
was then called operability studies. These studies, see, e.g. Lawley
(1974) and Chemical Industry Association (1977), were based on
the assumption that a problem can only arise when there is a deviation from what is normally expected, and on the desire to develop
a process-oriented tool to complement the equipment oriented
norms, such as pressure vessel codes. From the deviations causes
were qualitatively identified inductively and consequences deductively. The operability studies at ICI examined each line section for
all conceivable deviations, which were constructed from a set of
guide words. The operability study could be based on either a simple process flow diagram or a detailed piping & instrumentation
diagram (P&ID). Studies based on P&IDs are what today is known as
HAZard and OPerability (HAZOP) studies (Swann & Preston, 1995),
and they have since become a cornerstone in hazard studies of process plants (Crawley & Tyler, 2000, 2003; Lees, 2001). The purpose
of the HAZOP study is to uncover causes and consequences of a
facility’s response to deviations from design intent or from normal
operation, i.e. to reveal if the plant has sufficient control and safety
features to ensure, that it can cope with expected deviations normally encountered during operation including startup, shutdown
and maintenance. The HAZOP study is traditionally performed as
a structured brainstorming exercise facilitated by a HAZOP study
leader and exploiting the collective experience of the participants.
A traditional HAZOP study has the following phases (Skelton, 1997):
• Pre-meeting phase: Here the purpose and objective of the study
is defined. The leader of the HAZOP study gathers information
245
about the facility, such as process flow diagrams (PFD), process &
instrumentation diagrams (P&ID), plant layout; chemical hazard
data, etc., and proposes a division of the plant into sections and
nodes. For each node – or for the plant as a whole – the leader
identifies relevant process variables and deviations from design
intent or normal operation based on either past experience or
company guidelines. The leader also identifies the participants
in the review of the different sections of the plant, and ensures
their availability. Typically this includes the process design engineer, the control engineer, the project engineer and an operator
besides the experienced team leader. All these people have large
demands on their time during a project. The team leader schedules a sufficient number of half-day HAZOP meetings.
• Meeting phase: At the start of the first HAZOP meeting the technique is briefly reviewed, and the specific scope of the present
study is stated. The leader describes the overall facilities, e.g.
using a 3D computer model. Then the team considers each section of each diagram, i.e. P&ID or PFD, in turn. The team leader
ensures that process variables and deviations are considered in a
rigorous and structured manner, and that any deviations meriting identified actions or further considerations are recorded with
identification of the person responsible for follow-up.
• Post-meeting phase: After the HAZOP meeting all action items are
followed up by the persons assigned to them during the meeting
and the results of the follow-up are reported to the team leader.
The team might call a review meeting to determine the status of
all actions items, and decide if additional efforts are needed.
Thus a HAZOP study requires considerable time and resources
whenever it is carried out during the plant life cycle. Consequentially research has been stimulated as reviewed in the introduction
to develop computer aided tools to facilitate HAZOP studies.
Although HAZOP studies is a well accepted tool for risk assessment in many industries very little has been published on a
theoretical basis for HAZOP studies. HAZOP studies are used to
investigate deviations from a norm: the normal operating conditions or the design intent, i.e. the goal of the system. This can be
done by asking questions such as “what deviations can occur?” That
is “what guide words and process parameters are relevant?”, “Why
do they occur?” (causes), “How are they revealed?” (consequences).
In a HAZOP study these questions are asked after first dividing the
whole system into its constituent parts, i.e. sections and nodes. The
questions stated relate to the goal of the system while the process
represents the means for achieving these goals. Therefore it seems
highly relevant to develop a HAZOP assistant based upon meansends modeling combined with whole-parts concepts to grasp the
different levels of abstraction when needed, e.g. during different
phases of the process design. Thus models based on means-end and
part-whole concepts, such as functional models, will form a convenient basis for a HAZOP assistant. The HAZOP assistant developed
in this work uses such a functional model to combine the system
goal structure with the designed means to achieve these goals and
to facilitate a HAZOP meeting by suggesting causes of considered
deviations.
In the following a methodology and tools for building and
reasoning on plant function knowledge called multilevel flow
modeling are described. Then the goal based methodology called
functional HAZOP assistant is proposed.
3.1. Functional modeling methodology
In this paper multilevel flow modeling (MFM) is used to represent the knowledge of plant functions. MFM combines the
means-end dimension with the whole-part dimension, to describe
the functions of the process under study and enable modeling
at different abstraction levels. MFM is a modeling methodology
Author's personal copy
246
N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253
Fig. 1. (a) MFM symbols for functions and objectives. (b) MFM symbols for means-end and causal roles. (c) Relation between MFM and HAZOP reasoning tasks.
which has been developed to support functional modeling of process plants involving interactions between material, energy and
information flows (Lind, 1990, 1994; Li, Gani, & Jørgensen, 2003).
Functions are here represented by elementary flow functions interconnected to form flow structures representing a particular goal
oriented view of the system. MFM is founded on fundamental
concepts of action developed by VonWright (1963). Each of the
elementary flow functions can thus be seen as instances of more
generic action types (see, e.g. Lind, 1994). The views represented
by the flow structures are related by means-end relations and
comprise together a comprehensive model of the functional organization of the system. The basic modeling concepts of MFM comprise
objectives, flow structures, a set of functional primitives (the flow
functions) and a set of means-end relations and causal roles representing purpose related dependencies between functions. The
functions, the flow structures and the relations are interconnected
to form a hypergraph like structure. The symbols used to represent
flow functions, objectives, flowstructures are shown in Fig. 1a. Symbols used for representing means-end and causal roles are shown
in Fig. 1b.
MFM models represent knowledge which is generic to several
problems in HAZOP analysis as illustrated in Fig. 1c. By combining
a MFM model with rules for causal reasoning (rulebase RB1) it can
be used to generate fault trees and consequence trees. In combination with an operational plant goal and rules for reasoning about
goals and sub-goals (rulebase RB2) it can be used to generate goal
trees. These trees can then be used in reasoning about counteraction
plans using planning rules (rulebase RB3). It should be mentioned
that rule based reasoning in MFM also may be combined with case
based reasoning techniques by using the MFM model (combined
with other plant information) to represent a case.
MFM is accordingly a plant model which can serve as a central
core of an intelligent system for HAZOP analysis and plant control. It provides a plant representation which is more generic and
less dependent on knowledge about specific situations or incidents
compared to, e.g. fault trees, consequence trees, goal trees and counteraction plans. The effort in acquisition of plant knowledge for the
HAZOP analysis is therefore greatly reduced compared to methods based on fault trees, consequence trees and goal trees. Better
control of the consistency of the plant knowledge is also ensured.
Furthermore MFM is based on a rich ontology which provides cognitive support to the model builder in knowledge acquisition. Other
modeling methods, such as causal trees and Petri nets do not provide the same level of cognitive support because they are based on
fewer and more abstract concepts like events, states and transitions.
The suitability of MFM models for HAZOP analysis simply can
be explained by their common conceptual basis in means-end concepts. MFM provides a formalization of means-end concepts which
play a fundamental role in HAZOP when reasoning about causes,
consequences and counteraction plans.
3.2. The MFM workbench
The structure of an integrated computer aided environment for
development and use of MFM models, which has been developed
using standard software such as Microsoft Visio and Java, is shown
Author's personal copy
N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253
247
Fig. 2. MFM model builder and reasoning system. On the right hand side the decanter section MFM is shown, and the causal tree for the deviation sto5 lo at the bottom left.
An integrated computer aided design environment for MFM modeling has been developed using standard software, such as Microsoft Visio and the Java based reasoning
engine Jess.
in Fig. 2. This environment is called the MFM workbench. A MFM
model builder has been implemented in Microsoft Visio. Stencils
implementing symbols for the MFM concepts shown in Fig. 1a and b
are used to build a functional model. The model builder is interfaced
with a reasoning system as illustrated in Fig. 1c, which can generate causal paths and root causes for a given fault scenario, i.e. a top
event (an MFM function deviating from the modeled scenario, e.g.
normal) and status information for selected flow functions. The reasoning system is implemented using the Java based expert system
shell Jess (Friedman-Hill, 2003). Rules for reasoning about function
states and causal relations in MFM models are implemented as a
Jess rule base.
4. A functional HAZOP assistant
The MFM workbench described above is the basis for the development of a functional HAZOP assistant supporting a goal oriented
approach to HAZOP analysis during HAZOP meetings.
Traditionally the division of the plant into sections may be carried out by defining each major process component as a section. A
section could also be a line between each major component with
additional sections for each branch off the main process flow direction. Usually the function of a section or of a node is not directly
specified, many HAZOP formats only identify the part of the process considered by project number, P&ID number and line number.
The design intent of the node may go unrecorded, even though the
purpose of the HAZOP study is to consider deviations from design
intent.
The herein proposed goal based methodology for HAZOP analysis provides a structured approach where the study is divided into
three phases, corresponding to the traditional approach described
above. The first phase corresponds to the pre-meeting phase, the
second phase to the meeting phase and the third phase to the postmeeting phase. Thus the Functional HAZOP assistant involves the
following steps:
Phase 1:
1. State the purpose of the plant.
2. Divide the plant into sections each of which has a clear subpurpose contributing to the overall purpose of the plant.
3. Divide each section into nodes, the function of which can be
directly described by physical or chemical phenomena. Examples of such phenomena are: gas transport, liquid transport,
liquid storage and gas–liquid contact or reaction.
4. At this point an MFM model may be directly developed using
the model builder as described above (if a model is not already
available) provided that the physical and chemical phenomena
are included in the existing model set.
5. For each type of node, i.e. each physical or chemical phenomenon, describe the process variable(s), which identifies
design intent or normal operation. For a node with the function ‘gas transport’ normal operation could be described by
flow rate, temperature, pressure and number of phases.
6. For each process variable specify the relevant deviations. For
flow rates typical deviations are qualitative, e.g. more, less and
reverse. In this work the deviation ‘no flow’ is considered a
limiting situation of ‘less flow’, and hence is not considered
separately.
Phase 2:
7. Perform the diagnosis on the MFM workbench by working
through the plant functions in sequence and analysing the
deviations one by one facilitated by the qualitative reasoning
capability in MFM.
8. Analyze the identified causes of hazardous conditions by using
experience to judge their likelihood, and perhaps by refining
the analysis through a more detailed study in case of serious
causes.
9. Record the identified causes and the underlying reasoning for
later reference.
10. For each cause with a reasonable likelihood of occurrence analyze the possible consequences and their severity.
Author's personal copy
248
N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253
Fig. 3. (a) Simplified P&ID of column part of IVaRDiP at DTU. (b) Simplified P&ID of heat pump part of IVaRDiP at DTU.
Phase 3:
11. For identified hazards then investigate and decide how to manage these, through either (a) definition of an alarm with a
consequential response potential for the operator, (b) implementation of on line control of the plant, (c) redesign of a part
of the plant, or (d) another action.
12. Record the final decision and the underlying reasoning for later
reference.
Phase 1 may be carried out in a straightforward manner by
using the functional modeling approach. For example the purpose
of the plant could be to produce 50 tons of polyethene (PE) per
hour. In order to achieve this we need sections which: feed reactants to the reactor, feed catalyst to the reactor, reaction, remove
excess heat from the reactor, remove product from the reactor,
removal of unreacted hydrocarbons from product, add additives to
virgin PE, etc. The reaction section could be considered as a single node with the purpose of providing suitable conditions, such
that raw materials react to form products. For a Unipol PE reactor this would require maintaining fluidization of the PE particles
to facilitate their growth as well as the transport of heat of reaction away from the PE particles to ensure they do not melt or fuse
together.
Using this approach to model the plant all that is needed
is a basic understanding of chemical unit operations, their purposes and the fundamentals on which these purposes are built, i.e.
transport phenomena, thermodynamics and kinetics. This means
that phase 1 of a HAZOP study may be efficiently performed by
less experienced personnel. Phase 2 requires more experience,
and will benefit from the synergy created in a meeting environment.
The above proposed three phase procedure clearly becomes
a significant task even though the functional HAZOP assistant
enables automated consistent reasoning not only within the single
nodes but also between nodes and sections and thereby facilitates revealing more complex causes of deviations than possible
using the traditional approach. The workflow during phase 2 would
indeed be expected to be significantly facilitated though the functional HAZOP assistant. During phase two and three the functional
modeling may actually also be utilized for consequence analy-
sis. However, this has not been further studied in the present
work.
The application of the functional HAZOP assistant is illustrated
in the following through performing a HAZOP study on an industrial
scale pilot plant at the Technical University of Denmark.
5. Functional HAZOP of distillation pilot plant
The Indirect Vapor Recompression Distillation pilot Plant
(IVaRDiP) at the Department of Chemical and Biochemical Engineering consists of a distillation column which is energy integrated
with a heat pump (Li, Andersen, Gani, and Jørgensen, 2006). Process
schematics of the column and the heat pump are shown in Fig. 3a
and b.
The purpose of the column is to separate a feed stream into two
pure product streams while minimizing energy used. To accomplish
this, the following sub-systems are defined:
1. Column section. Purpose: Gas–liquid contact to facilitate separation.
2. Reflux section. Purpose: Provide a liquid stream to the column
and remove excess liquid as top product.
3. Feed section. Purpose: Provide a feed stream as close as possible
to the conditions on the feed plate.
4. Reboiler section. Purpose: Provide a gas stream to the column and
remove excess liquid as bottoms product.
5. Low pressure heat pump section. Purpose: Transport energy from
reflux section to compressors.
6. High pressure heat pump section, including compressors. Purpose:
Increase the heat pump fluid energy content by compression and
transport energy from compressors to reboiler.
7. Excess heat removal section. Purpose: Transport of excess energy
from the heat pump to the environment.
8. Tank park. Purpose: Provide storage for raw material and products.
In the above the IVaRDiP is divided into 8 sections thus performing step 2 of the functional HAZOP approach. In the next step each
section is further divided into nodes according to their function. For
example the reflux section, which consists of the piping from the
top of the column through the condenser and accumulator back to
Author's personal copy
N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253
249
the column as well as the piping from the accumulator to the top
product storage tank, is divided into the following nodes during
step 3:
Table 1
Realizations of MFM functions in the physical equipment of IVaRDiP.
These realizations are listed to facilitate the interpretation of the
results from the reasoning engine.
• Node 1. Function: Gas transport. Piping from the column to the
condenser (HECOND) including the emergency shutdown valve
(V3) and other instrumentation.
• Node 2. Function: Liquid transport. Condenser and piping from
condenser to accumulator including a pump (PC) and other
instrumentation.
• Node 3. Function: Liquid storage. Accumulator (DEC) and associated instrumentation.
• Node 4. Function: Liquid transport. Piping from accumulator to
top product storage including the product pump (PT) and product
cooler (HETW) with the associated instrumentation.
• Node 5. Function: Liquid transport. Piping from the accumulator
to the column, where reflux enters, including the reflux pump
(PR) and associated instrumentation.
MFM function
Realization in IVaRDiP
sou1
tra2
sto3
tra4
sto5
tra6
bal7
tra8
sin9
tra10
bal11
tra12
bal13
tra14
sin15
Gas from column
Emergency valve V3
Condenser HECOND
Condensate pump PC
Accumulator DEC
Product pump PT
Product cooler HETW
Control valve CV2
Top product tank
Selenoid valve BV54
Pipe from BV54 to pump PR
Reflux pump PR
Pipe from pump PR to BV49
Selenoid valve BV49
Liquid to column
Upon this subdivision of the section it is directly possible to
construct the MFM in step 4 using the MFM workbench described
above. The other sections of the distillation pilot plant are similarly
divided into nodes, i.e. each node relates to a function described by
physical or chemical phenomena. In this way a total of 20 nodes
are defined. However, several nodes belong to the same function
type, as can already be seen from the above sub-division of the
reflux section. In fact 7 of the 20 nodes have the function type ‘liquid transport’. In step 5 from the function of the node the variables
necessary to describe design intent follows directly. For example,
the process variables and deviations relevant for the function ‘liquid
transport’ will be:
• Flow: more, less, reverse, as well as.
• Temperature: lower, higher.
• Phase: other (than expected).
and similarly for the function ‘gas transport’:
•
•
•
•
Flow: more, less, reverse, as well as.
Temperature: lower, higher.
Pressure: lower, higher.
Phase: other (than expected).
Having completed phase 1 it is now possible to enter phase
2, where the reasoning engine is used to identify possible causes
in step 7. During this step the functional HAZOP assistant can be
extremely helpful in providing the reasoning necessary to identify
potential causes of hazards. Initially it is recommended to perform
the exhaustive evaluation for each variable in each node. Later as
experience is accumulated it may be possible to facilitate also this
step further. Below it is shown how this is done on an MFM model
for the reflux section of IVaRDiP.
During step 8 of the HAZOP meeting the reasoning engine is used
to uncover possible causes of deviations. This is illustrated in the
following first for the reflux section. Subsequently the MFM model
is expanded further.
column is condensed and stored in the accumulator (sto5) before it
is split between the reflux to the column (sin15) and the distillate
product (sin9). This model describes some of the process functions
from the top of the distillation column to top product storage tank
and the point, where reflux enters the column and includes the
functions of the condenser HECOND, the condensate pump PC, the
accumulator DEC, the top product pump PT, the top product cooler
HETW, the top product storage, and the reflux pump PR.
For the deviation ‘high level in the accumulator’ (sto5 hi) the
possible causes identified by the reasoning engine using the model
in Fig. 4 are shown in Fig. 5. They are:
• Low flow through solenoid valve BV54 (tra10 lo, primary cause)
caused by reflux pump PR running too slow (tra12 lo, secondary
cause) or pipe between valve and pump partly blocked (bal11 fill,
secondary cause). The cause of pump PR running too slow (tra12
lo) could be valve BV49 partly blocked (tra14 lo, tertiary cause) or
pipe partly blocked (bal13 fill, tertiary cause).
• Condensate pump PC running too fast (tra4 hi, primary cause).
• Product pump PT running too slow (tra6 lo, primary cause) caused
by HETW cooler partly blocked (bal7 hi) caused by control valve
CV2 too much closed (tra8 lo).
These causes are identical to causes identified in a traditional
HAZOP performed prior to development of the integrated computer
aided environment for development and use of MFM models, the
6. Building, using and improving an MFM model of IVaRDiP
In this section an MFM model of the reflux section of IVaRDiP,
shown in Fig. 3a and b, using the symbols from Fig. 1a and b is
developed. Then this MFM model is expanded by including more
and more of the functions of IVaRDiP. Table 1 shows how the MFM
functions are physically realized in IVaRDiP. The MFM model of the
reflux section is shown in Fig. 4 where the vapor (sou1) from the
Fig. 4. MLM model of the mass flow in the reflux section of IVaRDiP. This model
consider the functions of nodes 1–5 of section 2 as described in the functional HAZOP
of the distillation pilot plant.
Author's personal copy
250
N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253
Fig. 5. Causal tree with suggested causes of deviation sto5 hi, i.e. high level in the
accumulator. The tree indicates three potential primary causes: tra10 lo, tra4 hi and
tra6 lo, and for tra10 lo and tra6 lo several secondary causes, e.g. tra12 lo and bal11
fill for tra10 lo.
MFM workbench. In the above analysis the MFM functions have
been associated with actual physical parts of the plant. Such one to
one associations are not always possible for MLM models, since it
depends on the level of abstraction. At higher levels of abstraction
a number of components are needed to achieve a certain function.
The benefit of this type of analysis during the preparation for
a HAZOP meeting is that it allows identification of the deviations
which the meeting needs to consider together with a list of potential
causes of these deviations. Thus the meeting can focus on ensuring, that sufficient systems are in place to cope with the deviations
without significant negative consequences for the plant.
For the deviation ‘low level in the accumulator’ (sto5 lo) the
possible causes identified by the reasoning engine based on the
model in Fig. 4 are shown in Fig. 6, and are:
• Condensate pump PC running too slow (tra4 lo, primary cause);
• Product pump PT running too fast (tra6 hi, primary cause), or
• High flow through solenoid valve BV54 (tra10 hi, primary cause).
As expected this is the opposite of the result in Fig. 5. A traditional HAZOP identify similar causes.
The MFM model in Fig. 4 can also be used to find suggested
consequences of a particular deviation. Due to the physical implementation of the reflux section the consequences of sto5 hi, i.e. high
level in the accumulator, are very limited, since level has very little
influence on the transport tra6 (the top product pump PT) or the
transport tra12 (the reflux pump PR).
The MFM model shown in Fig. 4 only considers mass flow in the
reflux section of IVaRDiP. However, a very simple extension with an
energy flowstructure to represent the energy transport in the heat
pump is shown in Fig. 7. In this MFM model the reflux section and
the heat pump are modeled at different levels of abstraction. The
energy flow structure only includes the energy transport from the
condenser (sou49) through the compressors (tra50) to the reboiler
(sin51). This means the MFM function sou49 represents the function of HECOND, GLSEP and CV9 in Fig. 3b, and the MFM function
tra50 represent the function of HECI and COMP.
Fig. 6. Causal tree with suggested causes of deviation sto5 lo, i.e. low level in the
accumulator. There are 3 potential primary causes: tra4 lo, tra6 hi and tra10 hi, and
for tra10 hi one secondary cause is suggested, i.e. tra12 hi.
Fig. 7. MFM model from Fig. 4 extended with the simplest possible heat pump
energy flow structure. This model includes functions of section 2 and some
functions of sections 5 and 6 as described in functional HAZOP of distillation
pilot plant. Section 2 is modeled at a different abstraction level than sections 5
and 6.
The MFM model in Fig. 7 gives the same possible causes for the
deviations sto5 hi and sto5 lo as the MFM model in Fig. 4. However, it
allows the investigation of the influence of deviations in the energy
flow structure on the mass flow structure of the reflux section. The
causal trees for the deviations tra50 hi and tra50 lo using the model
in Fig. 7 are shown in Figs. 8 and 9, respectively. The result indicates
that a suggested cause of high energy transport in the heat pump
is high gas transport from the column.
A further extension of the model is shown in Fig. 10. In this MFM
model a simple mass flow loop is used to represent the gas–liquid
interaction in the column, where feed and bottoms product flows
are included. Fig. 11 shows the causal tree for the deviation sto5
hi, and in Fig. 12 for the deviation tra50 lo, which represents lower
energy generation in the condenser.
By comparing the causal path three shown in Fig. 11 with the
one shown in Fig. 5 the following is observed:
Fig. 8. Causal tree with suggested causes of deviation tra50 hi using the MFM model
in Fig. 7. This shows that suggested causes of a deviation in the energy flow structure
can be found in the mass flow structure, even with a simple model.
Fig. 9. Causal tree with suggested causes of deviation sto5 hi using the MFM model
in Fig. 7. As expected the result is the reverse of the causal tree in Fig. 8.
Author's personal copy
N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253
Fig. 10. MFM model shown in Fig. 4 extended with a simple energy flowstructure
representing the connection between the mass transport in the column and the
energy transport in the heat pump. This model includes functions from sections 1–6
as described in functional HAZOP of distillation pilot plant.
• The primary causes are the same in Figs. 5 and 11, i.e. condensate
pump PC running too fast (tra4 hi), product pump PT running too
slow (tra6 lo), and solenoid valve BV 54 partly blocked (tra10 lo).
• The secondary, tertiary and quaternary causes for the primary
cause tra6 lo are the same.
251
Fig. 12. Causal tree of suggested causes of deviation tra50 lo using the MFM model
in Fig. 10.
This coincidence is due to the fact that the parts of the two MFM
models involved are identical. The difference is observed for the
causal path from the accumulator and back to the column, where
the MFM model has been expanded. The path towards tra4, does not
lead to secondary and other causes to the logical relation between
sto3 and tra4, which indicate, that sto3 is a participant in the function of tra4, but not an agent. This is due to the condenser being
an inherently safe barrier for liquid overfilling the accumulator and
flowing back to the column through the condenser – because in the
physical IVaRDiP the condenser is located below the accumulator.
This example shows the importance of specific plant knowledge in
order to properly interpret possible causes of deviations during the
HAZOP meeting.
Fig. 12 shows part of the causal paths in the MFM model in Fig. 10
for the deviation tra50 lo, and indicates one primary cause: sou49
lo, with tra2 lo as the sole secondary cause, i.e. low gas flow from
the distillation column. There are three suggested tertiary causes:
tra14 lo (solenoid valve BV49 partly blocked), tr34 hi (high liquid
transport in column) and tra35 lo (low gas transport in column).
The benefit of the extended model is, however, that it facilitates
investigating the influence of changes in the energy transport in the
heat pump on the reflux section, thus indicating, that reasoning on
even simple MFM models allows one to easily discover causes in the
mass flow structure for deviations in the energy flow structure. This
indicates, that there will be benefits from developing even a quite
simple MFM model of the whole plant, and using it to investigating
possible causes behind deviations from normal operation.
7. Traditional versus and functional HAZOP
Fig. 11. Causal tree of suggested causes of deviation sto5 hi using the MFM model in
Fig. 10. The primary causes are tra4 hi, tra6 lo and tra10 lo. The more detailed MFM
model allows suggested causes to be found further away from the location of the
deviation being considered.
The result of a traditional HAZOP of the reflux section of the distillation pilot plant when compared to the results of the functional
HAZOP assistant shows that similar causes of the deviations are
Author's personal copy
252
N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253
Fig. 13. Simple MFM model of IVaRDiP including both the column and the heat pump
and the couplings between the two sub-systems. This model includes functions of
sections 1–6 as described in functional HAZOP of the distillation pilot plant.
found. An exact comparison is not possible, since the methodology
by its very nature means, that knowledge about the system is accumulated as the analysis is performed. This means the results cannot
be said to be independent. However, the functional HAZOP assistant
allows the HAZOP meeting to change focus from identifying possible causes of deviations to being concerned with evaluating the
likelihood of the different causes, and similarly for consequences.
In addition the availability of such a scientifically based systematic approach to performing the HAZOP provides an interesting
potential for the HAZOP study to cover the possible hazards in a
plant which are foreseeable with the applied abstraction level in
the MFM modeling.
8. Plant wide HAZOP
The ability of the functional HAZOP assistant to reveal more
complex relations between deviations and their possible causes
has also been investigated. Here a simplified functional model was
developed for the IVaRDiP as shown in Fig. 13, which encompasses
the six first sections mentioned in the functional HAZOP. Using this
model it was shown that the functional HAZOP assistant facilitates
the discovery of root causes of deviations, which originate far from
the node in which the deviation occurs. The causal tree for the deviation tra50 hi, i.e. a high energy flow to the compressors is shown
Fig. 14. Causal tree of suggested causes of deviation tra50 hi using the MFM model
in Fig. 13. The top level of this tree is equivalent to the causal tree shown in Fig. 8.
in Fig. 14, and the primary cause is found to be sou49 hi, i.e. a high
energy input to the heat pump, which has the secondary causes
tra2 hi, i.e. a high gas flow from the column, or bal33 fill, i.e. flooding in the top of the column or tra35 hi, i.e. large gas flow in the
stripping section. The MFM model hence suggests causes of a deviation far from the node of the considered deviation. Some recent
loss events in the chemical industry have involved such situations
(Mogford, 2005). The ability of MFM models to suggest possible
causes of deviations allows them to be used to facilitate the discussions during a HAZOP meeting. Note, that the sub-causes of tra34
lo are not shown in Fig. 14, since this branch of the causal tree has
not been expanded in this figure. Table 2 indicates the physical
Author's personal copy
N.L. Rossing et al. / Computers and Chemical Engineering 34 (2010) 244–253
253
Table 2
Physical interpretation of first four levels of causal tree in Fig. 14. For the deviation tra50 hi there is one primary cause: sou49 hi, which has one secondary cause tra2 hi.
However, four possible causes of tra2 hi are suggested: bal33 fill, tra35 hi, tra14 hi and tra34 lo. The physical interpretation of each cause is shown worded as an alarm message.
Deviation
Primary cause
Secondary cause
Tertiary cause
tra50 hi
Heat pump energy transport high
sou49 hi
Heat pump energy input high
tra2 hi
Overhead gas flow high
bal33 fill
Stripper section flooding
tra35 hi
Stripper gas flow high
Quarternary cause
bal36 fill
Feed plate flooding
tra34 hi
Stripper liquid flow high
tra41 hi
Feed flow high
tra61 hi
Rectifier gas flow high
tra14 hi
Reflux flow high
tra12 hi
Reflux flow high
bal13 fill
Pipe from PR partly blocked
tra34 lo
Stripper liquid flow low
interpretation of the first four causal levels in the causal tree in
Fig. 14. The interpretations are formulated as alarm messages to
indicate the operational situation they relate to.
ronment with existing integrated tools for computer aided process
engineering such as ICAS (Gani, Hytoft, Jaksland, & Jensen, 1997) in
order to enable direct access to performing quantitative analysis for
special safety critical cases.
9. Discussion and conclusions
References
A goal based methodology for HAZOP analysis using a functional HAZOP procedure is introduced, which allows even fresh
chemical engineers to contribute meaningfully to a HAZOP study.
The approach reduces the work involved in a HAZOP of a plant by
dividing the plant along functional lines and analysing nodes with
the same function once only. This approach significantly reduces
the effort involved. Furthermore functional models of chemical
plants are demonstrated to provide a useful basis for development
of a functional HAZOP assistant. On a simple model of a part of
an indirect vapor recompression distillation pilot plant the functional HAZOP assistant finds the same causes as a traditional HAZOP
study. It is furthermore demonstrated, that the proposed functional
HAZOP assistant is able to find causes far from the node of the
deviation. This promising development calls for a more systematic study of the workflow involved in HAZOP studies to further
enable design of efficient tools for supporting the important HAZOP
studies for improvement of safety critical operations in industry.
It is important to point out that model based HAZOP analysis can
revel hazards which are related to the model development purpose. Hence, if a MFM model covers normal operation, then hazards
derived from deviations from normal operation may be uncovered.
If non-routine cases are to be investigated then MFM models for
such a purpose must be used. This is analogous to, e.g. case based
reasoning which only can cover the cases which are included in the
case base.
The effective use of MFM models to facilitate HAZOP meetings
requires further development of the integrated computer aided
design environment for MFM modeling to allow the causal trees
to be mapped to the P&ID’s familiar to process engineers, and rules
of the reasoning engine to be extended to facilitate identification of
possible consequences. The integration with other ontologies, e.g.
OntoCAPE and with the combined usage of case based and logic
reasoning provides a most promising avenue for future work. It is
furthermore desirable to integrate such a knowledge based envi-
View publication stats
Bragatto, P., Monti, M., Giannini, F., & Ansaldi, S. (2007). Exploiting process plant
digital representation for risk analysis. Journal of Loss Prevention in the Process
Industries, 20, 69–78.
Chemical Industry Association (UK). (1977). Hazard and operability studies. London:
IChem. E.
Crawley, F., & Tyler, B. (2000). HAZOP: Guide to best practice. Rugby, UK: The Institution
of Chemical Engineers.
Crawley, F., & Tyler, B. (2003). Hazard identification methods. Rugby, UK: The Institution of Chemical Engineers.
Friedman-Hill, E. (2003). Jess in action. Greenwich, USA: Manning Publications.
Gani, R., Hytoft, G., Jaksland, C., & Jensen, A. K. (1997). An integrated computer aided
system for integrated design of chemical processes. Computers and Chemical
Engineering, 21, 1135–1146.
Lawley, H. G. (1974). Operability studies and hazard analysis. Chemical Engineering
Progress, 70(4), 45–56.
Lees, F. P. (2001). Loss prevention in the process industries (3rd ed.). Oxford, UK:
Butterwords-Heinemann. (Chapter 8).
Li, H., Andersen, T. R., Gani, R., & Jørgensen, S. B. (2006). Operating pressure sensitivity of distillation—Control structure consequences. Industrial & Engineering
Chemistry Research, 45, 8310–8318.
Li, H., Gani, R., & Jørgensen, S. B. (2003). Integration of design and control for energy
integrated distillation. In Kraslawski, & Turunen (Eds.), Computer-Aided Chemical
Engineering, Vol. 14. Elsevier Science B.V, pp. 449–454.
Lind, M. (1990). Representing goals and functions of complex systems. An introduction to
multilevel flow modeling. Dept. of Automation, Technical University of Denmark.
Lind, M. (1994). Modeling goals and functions of complex industrial plant. Applied
Artificial Intelligence, 8(2), 259–283.
Mogford, J. (2005). Fatal accident investigation report. Isomerization Unit Explosion.
Final Report, BP. Texas City, TX, USA.
Skelton, B. (1997). Process safety analysis—An introduction. UK: IChemE.
STEP ISO 10303-1. (1994). Industrial automation systems and integration-product data
representation and exchange—Part I: Overview and fundamental principles. ISO.
Swann, C. D., & Preston, M. L. (1995). Twenty-five years of HAZOPs. Journal of Loss
Prevention in the Process Industries, 8(6), 349–353.
Venkatasubramanian, V., & Vaidhyanathan, R. (1994). A knowledge-based framework for automating HAZOP analysis. AIChE Journal, 40(3), 496–505.
Venkatasubramanian, V., Zhao, J., & Viswanathan, S. (2000). Intelligent systems for
HAZOP analysis of complex process plants. Computers and Chemical Engineering,
24, 2291–2302.
VonWright, G. H. (1963). Norm and action. London: Routledge & Kegan Paul.
Zhao, J., Cui, L., Zhao, L., Qiu, T., & Chen, B. (2009). Learning HAZOP expert system
bycase-based reasoning and ontology. Computers and Chemical Engineering, 33,
371–378.
Descargar