Early hazard identification of chemical plants with statechart modelling techniques

H. Graf *, H. Schmidt-Traub

Department of Chemical Engineering, Chair of Plant Engineering and Design, University of Dortmund, 44221 Dortmund, Germany

Abstract

An extensive hazard identification of a chemical plant as part of a sound safety analysis is not only highly recommendable but often subject to official approval of construction by the national governmental authorities. Since established methods, e.g. HazOp studies, are mostly carried out manually and thus still involve a lot of disadvantages, there has been a marked increase in the research of computer-based analysis methods in the last years. This project aims at introducing a new approach to process hazard identification by simulation and analysis. As a basis, a qualitative plant model formulated as statecharts has to be generated first, which benefits from the lack of information at early design stages. HazOp-like simulations can be performed if a stimulus corresponding to a HazOp guide word is given to the model. In addition, special safety issues can be answered by reachability examinations of dangerous plant states in the model. © 2000 Elsevier Science Ltd. All rights reserved.

Keywords: Hazard identification; HazOp; Statecharts; Simulation and reachability analysis

Safety Science 36 (2000) 49–67, www.elsevier.com/locate/ssci. 0925-7535/00/$ - see front matter © 2000 Elsevier Science Ltd. All rights reserved. PII: S0925-7535(00)00034-5

* Corresponding author. Tel.: +49-0231-755-3211; fax: +49-0231-755-2341. E-mail address: [email protected] (H. Graf).

1. Introduction

In a chemical plant, safe operation is greatly determined by the design of the process. To ensure and guarantee the fulfilment of the increased safety and environmental requirements, the plant design has to be carefully analysed. Since later plant modifications are usually very complicated and expensive to carry out, safety analyses are often performed at the earliest possible design stage of the plant. Such a preliminary safety analysis aims at the identification, assessment and elimination of process design faults resulting in potential process hazards, and its compound documentation is often compulsory for official approval of construction by governmental authorities.


Established methods of initial hazard identification are mainly based on expert discussions guided by checklists or HazOps (hazard and operability studies) (Lawley, 1974). Since these methods are time consuming and expensive, there is a considerable incentive to pay attention to computer-based approaches. Thus, this contribution focuses on a model-based approach of process hazard identification supported by computer simulation, with the help of which an initial analysis can be performed with reduced effort and increased ease.

Due to improved computer software and hardware possibilities, there has been a marked increase in the research and success of computer-based analysis methods in the last 10 years. With the establishment of the HazOp method beside checklists, fault trees, etc., approaches which map HazOp-similar strategies into computer programs have been making up the majority. These programs range from flexible documentation tools which help in the routine of putting the results down, e.g. CAFOS (Lihou, 1980), to expert systems and model-based approaches which can draw independently and in an intelligent manner conclusions from input scenarios.

Although this article is not intended to be a review paper, some approaches shall be discussed here. Good literature reviews are introduced by Heino et al. (1992), Venkatasubramanian and Preston (1995) or Preston et al. (1996). Furthermore, the European Process Safety Centre (EPSC) presented in 1998 an updated release of a technical report which deals with the recent progress in computer emulation of HazOp studies (EPSC, 1998). The still ongoing projects and their main advantages and disadvantages are outlined. In the sequel, we will partly refer to that report.

In the last years, beside traditional expert system approaches so-called model-based methods gained more importance, which describe the plant's behaviour in a plant model and concentrate on the pure and algorithmic model examination, e.g. a plant description as a differential equation system and an analytic search for dangerous plant states. However, no sharp distinct line between expert systems and model-based approaches can be drawn, e.g. in the case of Signed Digraph techniques in expert systems. To distinguish from expert systems, as `model-based' we now want to define approaches which do not use data-bases and traditional inference engines but what is conventionally called an algorithm to draw conclusions.

In this definition, a typical expert system for a HazOp strategy is introduced by Shimada et al. (1996). The system comprises four knowledge-bases and an inference engine. The knowledge-bases store expert knowledge about the plant's topology and plant-specific parameters, the chemicals' specifications and reactions, and the plant component behaviour and HazOp guide words, respectively. It is the work of the inference engine to draw conclusions from the knowledge-bases and search for consequences once a guide word or other stimulus to the expert system is given.

Other approaches which are based on HazOp expert methods but may show additional facilities are the expert systems introduced by Weatherill and Cameron (1989), HAZEXPERT (Göring and Schecker, 1993), PSAIS (Sanders, 1995), and HAZOPEX (Karvonen et al., 1990). In particular, the software environment STARS shows a wider range of possibilities (Heino et al., 1992). Starting from a plant representation in four knowledge-bases (one for the plant functional units, one for the substances, the chemical reactions, and the plant components and systems), a HazOp qualitative analysis, the construction of event trees and the construction and probabilistic analysis by fault trees is offered.

When model-based approaches in the above-mentioned definition are considered, Parmar and Lees have to be mentioned who first tried to automate a HazOp study by using qualitative propagation equations and initiation and termination events (Parmar and Lees, 1987), which can be interpreted as a first plant model description. This approach has been developed to the MODHAZOP project. Another approach which uses Signed Digraph formalisms to map a cause-and-effect relation into a graphical description is the SERO tool (Vecchietti and Leone, 1995). Similar to general Signed Digraph formalisms is the Petri Net paradigm which has been used in the BatchHAZOPExpert tool (Srinivasan and Venkatasubramanian, 1996). The necessary results are gained from the play of tokens within the Petri Net.

For all model-based methods, the implementation formalism is the basis for a simulation or analysis identification strategy. Here, a variety of different modelling paradigms have been used. Waters and Ponton (1989) as well as Catino and Ungar (1995) with the QHI (Qualitative Hazard Identifier) system used a set of qualitative equations which are derived from a quantitative description of the plant behaviour, i.e. algebraic and differential equations. The set of equations is steady-state-simulated such that conclusions can be drawn from the resulting qualitative values of process quantities. A more quantitative approach is introduced by Dimitriadis et al. (1995) who keeps the continuous description of differential equations, and supplements it with discrete controller actions to a hybrid model. The hybrid state-transition-system results in a mixed integer optimisation problem as a hazard identification strategy.

Other research projects on computer-based hazard identification show methods which are similar to approaches for logic controller verification, i.e. finite state machine models, temporal logic specifications and symbolic model checking (Probst, 1996) or reachability analysis (Stursberg et al., 1998).

The EPSC report mentioned above introduces some more recent and still ongoing approaches in computer-based methods, e.g. the system HAZOPExpert (Venkatasubramanian and Vaidhyanathan, 1994), COMHAZOP (Rootsaert and Harrington, 1992), HAZOPTool (Karvonen et al., 1990) and the STOPHAZ project (Jefferson et al., 1995). In particular, the STOPHAZ approach, which is a multi-country collaborative project supported by the European Commission, is very promising to reach important results in the application of knowledge-based systems to safety analyses of chemical plants.

Instead of describing now the introduced approaches separately, some of the more general drawbacks of approaches for process hazard identification shall be summarised:

1. One general disadvantage of approaches in this field of research is the fact that very often the industrially established HazOp strategy is not used. Although alternatives can – of course – be interesting too, in some cases the main question of the developed system is no longer what hazards may arise in a plant, but once a hazard is specified if it really is realistic and how that hazard can occur. The strategy applied is not to identify new, maybe overlooked, hazards but to find behavioural paths of a plant on which a given hazard can be reached. Here, one major advantage of the HazOp strategy, namely the identification of unknown hazards, cannot be applied.

2. Another important problem when qualitative modelling techniques are used is the combinatorial explosion of discrete states: tracing different faults and determining the consequences leads to a combination problem when many different behavioural ways of the plant are possible. This combinatorial problem often prevents acceptable computation times and comfortable usage of the approach.

3. Beside the considerable effort for the acquisition of the necessary knowledge and for the data handling, one general disadvantage of such an approach often is the insufficient transparency of how the results are gained. For example, if the system uses the HazOp strategy to identify hazards, after a HazOp deviation is input to the system, only the final results and no step-by-step visualisation is offered by which the user is able to follow the argumentation.

4. When the industrial application of such an approach is concerned, it is obvious that an applicability both to continuous and batch processes is important.

5. Furthermore, if an identified hazard must be examined in detail, the connection to quantitative methods without implementing a new plant model is desirable (reuse of the qualitative model and model refinement).

In this paper, we would like to introduce a new model-based approach for process hazard identification which addresses most of the mentioned problems. Our system tries to use the advantages of the qualitative modelling of chemical plants and the methods for logic controller verification. In this sense, we can apply on the one hand the HazOp strategy as a real hazard identification strategy by a simulation procedure, and on the other hand a verification algorithm to prove that once a hazard is specified we have not overlooked any behavioural path which leads to that hazard. Furthermore, we show that with formalisms developed from state-transition-systems and Digraph techniques, we can model plants which show a greater complexity than most published example plants. Particular attention has been paid to the detailed visualisation of HazOp consequences and an easy comprehension for the user of the system. The approach is applicable to both continuous and batch processes, but only the application to a continuous plant is demonstrated here. The results of the examination of an industrial batch process plant are presented in Graf (2000). In the interest of space, the extension of the qualitative models to a quantitative detailed examination of the plant is discussed in another paper (Stursberg et al., 1998).

The remainder of the paper is organised as follows. In Section 2, the qualitative modelling approach for chemical plants and its implementation formalism are explained in detail. Section 3 outlines the two different process hazard identification strategies used in our approach. In Section 4, our method is applied to an ethyl acetate example plant. The overall plant model is described. The main results of the hazard identification are introduced and discussed. In the last two sections, the approach is evaluated and summarised, and an outlook to future work is given.


2. Qualitative modelling of chemical plants

2.1. Representation of process behaviour by state-transition-systems

In a first step, a plant model suitable for simulation and analysis has to be built, for which the related piping and instrumentation diagram of the plant forms a basis. The model shall be a sound description of the system's behaviour, and must reflect at least all necessary characteristics which are mandatory for the purpose of examining the plant's safety. However, there is no need that the model contains much more than the necessary extent of information. Thus, we try to develop a plant model which is based on as little information as possible. As a consequence, our models are qualitative and abstract to the greatest possible extent from exact numeric data. This concerns numeric time information and numeric durations of actions too, i.e. no detailed numeric description of the plant's dynamics by differential or integral equations. Instead, we concentrate on describing the cause-and-effect relations and equipment interactions within the plant by qualitative expressions. Despite the qualitative modelling technique we decided to use, the model must have features to express the temporal order of actions and causality.

Since our qualitative modelling approach has often given cause for interesting discussions, we shall outline some of the main arguments for a qualitative model in more detail:

1. At such an early design stage of chemical plants, only little information is available, which recommends a less informative qualitative procedure. There are still no detailed numeric data about the plant's exact physical phenomena, equipment specification, controllers or distributed control systems given.

2. Established methods like HazOps, which show a qualitative character too, demonstrate that a qualitative discussion is sufficient. If a hazard is assumed but cannot be assessed, more detailed information is regarded in most cases independently from the HazOp scheme, anyway. If a HazOp study shall be taken as the ideal strategy for computer-based safety examinations, a qualitative model seems to be a satisfactory option.

3. In most European countries, no quantitative assessment of plant hazards and risks is demanded by national law. In the appropriate German regulations and laws, a quantitative examination of a plant's dynamics is not explicitly prescribed (Störfall-Verordnung, 1993). Again, a qualitative examination seems to be justified.

4. For a reachability study of dangerous plant states, a qualitative cause-and-effect relation model is much easier to analyse. Any numeric information causes a more difficult procedure for the analysis. This reason has to be stressed since examples from the literature have shown that too much numeric information limits the system size heavily.

Therefore, in our approach we use qualitative, discrete domains for the representation of process quantities. The process interactions are described by events and conditions such that the model results in a state-transition-system.


The creation of a qualitative plant model is done intuitively by an experienced modeller and can be distinguished into four steps (Fig. 1):

1. All important plant equipment pieces, which play a role in the plant safety context, are identified from the piping and instrumentation diagram of the plant, and their order is determined. Then, all process variables for each plant equipment which influence the plant's behaviour are specified, e.g. liquid levels, pressures and temperatures.

2. A set of qualitative discrete states for each process variable is defined which describes the quantity in sufficient detail, e.g. the states `full', `almost full', `half', `almost empty', `empty' for a tank level, or `high', `critical high', `normal', `low', `critical low' for a tank pressure (Fig. 1). These states are disjunct and not overlapping qualitative partitions of a continuous variable, the exact separating thresholds of which are not of interest. It has to be noted that the number of states depends on the process quantity itself. For example, if the process variable triggers other process behaviour by phase transitions, or if the process variable is controlled by logic controllers with thresholds, additional states for these aspects may be necessary. One state out of each set (which means one state per process variable) is defined as the initial state. These initial states are in italics in Fig. 1 and represent the steady plant state.

3. State transitions are defined which change the active state of a process variable. These transitions map the dynamic changes of the system's process variables into activations and deactivations of states. In Fig. 1, the dynamic change of the process variable `tank level' (level is sinking) is reflected in a transition from the active level state `half' to the level state `almost empty'. This is equivalent to a deactivation of the level state `half' and an activation of the state `almost empty'. Such state transitions may depend on the values (in our model states, respectively) of other process variables, or on other actions which are imposed on the plant. These process interactions are expressed in events and conditions. As visualised in Fig. 1, the event `an input valve is closing' may trigger a transition from the tank level state `half' to `almost empty' if the condition `output valve is open' holds.

4. As a last step, it has to be decided if the transition itself may trigger any other transition by an additional action. Such a subsequent action can be an event or the change of a condition. By these means, transitions can influence other transitions. The resulting states and state transitions in combination with events and conditions deliver a suitable model for plant safety examinations.

Fig. 1. Qualitative plant model with states, events and conditions.

2.2. Statecharts – a visual formalism for implementation

The system given by the procedure in Section 2.1 has now to be implemented. To allow a formal analysis of the model, a discrete event-system representation of the model has been chosen for implementation. Due to its modelling advantages, the statechart paradigm has been used (Harel, 1987). Statecharts are state-transition-diagrams which are augmented by the facilities of depth, orthogonality and broadcast communication. These means enable an easy modelling of hierarchy and modularity, which is extremely helpful for chemical plants. Statemate¹ is the commercial tool applied for implementation. An example of a statechart is shown in Fig. 2. The main elements of the statechart language are now introduced.

Fig. 2. A statechart for a tank level in Statemate.

¹ Statemate is a product of I-Logix Inc., Andover MA, USA.


2.2.1. States

The partitions of a process variable are defined as states. States are symbolised by rounded rectangles (Fig. 2). States offer means of expressing hierarchy and depth by `zooming in' and `zooming out' of states. Parent states and children states can be defined. In Fig. 2, the superstate `Tank_Level' is specified by the substates `Full', etc. Children states can be AND- or OR-states, meaning that all substates or exactly one substate is active if the parent state is active (not shown in Fig. 2). With the help of AND-states, independent orthogonal behaviour can be described.

2.2.2. Transitions

They are represented by arrows from state to state. If the state where the arrow starts is active and all expressions involved in the transition are satisfied, the transition is fired, i.e. the starting state becomes inactive and the ending state becomes active. Transitions without starting states mark the initial transitions to the initially active states.

2.2.3. Events and conditions

Events are signals which can be defined to occur when something happens. They can be input and output of the model and can force transitions to fire. If not immediately consumed, the signal is lost. Conditions are logic expressions which sense which states are active or not, and which can hold true or false over several simulation steps. Usually, they are used to allow or prevent transitions from being fired. In Fig. 2, the labels `Tran21', etc., of the arrows are items which are defined in a data dictionary as events or conditions or logic Boolean combinations of both. The label `Tran53' is defined to express the scenario of Fig. 1 as: ``Tran53 is satisfied such that the transition is fired if the event `input valve closes' occurs and the condition `output valve is open' holds true''. To model a chemical plant, all process equipment interactions are expressed as events or conditions or logic Boolean combinations.

2.2.4. Variables

Variables can be introduced for mass and volume balances and the examination of critical pressures, etc. They can be integers, reals, strings, etc., organised in arrays, records or other user-defined data-items.

2.2.5. Actions

Actions can be events or conditions which are produced, or whose values are changed, if a transition is fired. In Fig. 1, actions may be defined like ``set condition `tank level is sinking' to true''. If the level becomes empty, which is equivalent to a transition from `almost empty' to the state `empty', a reasonable action is ``generate event: `tank is empty now''' which would account for a further propagation of the scenario.

With the help of these notations, visual models of each plant equipment are generated, and the communication of the plant equipment with each other ensured.


2.3. An object-oriented model hierarchy

The model hierarchy within Statemate is supported by three different kinds of charts: modulecharts, activitycharts and statecharts, which are semantically identical. In Fig. 3, the systematic model hierarchy is visualised. Modulecharts describe the physical structure of the plant, the process equipment and the arrangement of the equipment pieces. Modules within a modulechart (equivalent to states) are, for example, pumps, reactors and tanks. Since modulecharts are determined by the order of the process equipment, they are plant specific. Modulecharts are the highest of the hierarchy levels.

Activitycharts capture the various functions of a process equipment, e.g. chemical reaction, heat transfer or controller device, and are the next lower hierarchy level. Here, input and output signals can be defined. Activitycharts as well as statecharts can be plant specific.

Statecharts denote the behaviour of the equipment functions. Different statecharts have to be designed to express every behaviour which is necessary for safety examinations. The detailed dynamic behaviour is described by states and state transitions.

Fig. 3. Model hierarchy of a chemical plant by different chart types.


All the different charts represent the plant model. By broadcast communication, every event, condition or action defined in a low-level statechart can be understood and seen in all levels of the state hierarchy.

In our approach, we have developed an object-oriented model library for modulecharts and activitycharts. This has been proven advantageous since a lot of process equipment occurs in a chemical plant more than once and is identical, e.g. valves, tanks, pumps. Therefore, a lot of modulecharts can be reused.

Furthermore, important equipment characteristics can be inherited to other equipment by our model library of activitycharts. As an example, we have defined activitycharts for the fluid dynamic, heat transfer and special controller device of tanks. If an ordinary tank is now needed, we take a modulechart `Tank' from our library with only the function/activitychart `Fluid Dynamic'. If the tank is used as a distillator, the activitychart `Heat Transfer' is added. If the tank is a heated chemical reactor with special controller device, we use a modulechart composed of the activitycharts `Fluid Dynamics', `Heat Transfer', `Chemical Reaction' and the appropriate activitycharts for the needed `Controller Device'. In this way, we save a lot of modelling expenditure and make the modelling of a plant more comfortable.

The procedure of creating a new plant model is now to examine the structure of the plant, choose modulecharts from the plant library or define new ones, and arrange the modules such that the plant is well described. Then, interactions between the equipment have to be supplemented and if needed other input and output functions defined. The produced model is then ready for examination.

3. Strategies for process hazard identification

To account for a hazard identification strategy, there are two different ways which can be thought of once an appropriate process model has been built: the simulation of conceivable deviations from design intent of the process components and its propagation in the plant, similar to HazOp methods, and a reachability study of dangerous states of the plant model.

3.1. HazOp – simulation of deviations and failures

The simulation is carried out in Statemate, and is user interactive (Fig. 4). The user has to enter the scenario as input to the simulation. The scenario is formulated as an event and follows the HazOp strategy. Events like none, less of, more of, etc., can be generated for particular plant models which are under consideration. If the event is produced, the simulator checks if any triggering requirement of a transition is satisfied, and if so the transition is carried out. If other new actions involved in the triggered transitions produce new events, these are then executed. In this way, consequences of malfunctions, failures or human operator error input to the simulation can be propagated through the plant and assessed. If the consequences cause any hazards, the safety can be improved.


Fig. 4. Simulation concept with user inputs and user decisions.


Due to the nature of this way of qualitative modelling, non-determinism may occur, which is a choice of two or more different behaviours caused by one triggering event or condition. In our simulation, such a choice is solved by the user who in that way can manipulate the simulation itself. Worst-case scenarios can thus be developed.

All non-deterministic choices and the simulation itself are fully visualised by simulation panels which show the progress by buttons. These buttons are connected to states and show if a state is active or not. In Fig. 4, a part of a panel is shown. This is explained in more detail in Section 4.2.

3.2. Formal verification by model checking

In addition to the simulation strategy, there is a considerable incentive in developing a formal proof if a hazard is not reachable under particular conditions. Such conditions may be the restriction of single faults or no faults by human operators, although sometimes these circumstances can be of interest. Such a proof gives the guarantee that no scenario is overlooked which still can cause a hazard. Thus, one of the major disadvantages of a HazOp study is avoided: the lack of the guarantee that every scenario which can lead to a potential hazard is found.

This can be done by a reachability study of dangerous states with a model checking algorithm. Model checking has originally been used for software verification, but has recently provided interesting results for chemical plant safety analyses (Probst, 1996). Generally, a model checker tests whether a property or specification is valid in a given model. The model is usually represented in a discrete event system or state-transition-system, which has been a major reason for our statechart implementation formalism (Section 2.1). The property expresses the safety requirement of the plant which is under consideration, e.g. the question if a dangerous state can be reached or if a combination of events and conditions can ever become true. The method examines systematically every possible behaviour of the plant with given inputs. No possible path resulting from the execution of the model is left out. The result of such a verification is whether the safety requirement is fulfilled or not. If not, a counter example is usually generated showing a path from the initial steady state of the plant to the hazard. Thus, a hazard is identified and counter measures can be worked out.

In general, several model checkers have been developed in other project groups to verify statechart models, e.g. Day (1993), Brockmeyer and Wittich (1998) or Mikk et al. (1997). In our approach, we use the Dynamic Test Tool of Statemate and the symbolic model checking algorithm of Brockmeyer and Wittich (1998) for examinations. An example of the application of the verification strategy is given in Section 4.2.

4. Application to an example plant

4.1. The example plant

To illustrate our approach we have chosen an example plant whose complexity exceeds that of most plants published in the literature. The example plant under consideration is a process to produce ethyl acetate with a purity of 96 wt.% (Fig. 5) (German Patent, 1998). Ethyl acetate is an ester and is used as a solvent for coatings, resins and inks. It is produced continuously from ethanol and acetic acid in the presence of a mineral acid as a catalyst, with water as a byproduct. The technical equilibrium reaction is characterised by an excess of ethanol.

A mixture of acetic acid and a mineral acid (10 wt.%) is stored in tank B1. Ethanol with a low percentage of water (not more than 4%) is held in tank B2. Both liquids are fed into a distillation reactor C1 through the pumps P1 and P2 in a well-defined molar ratio of 1:1.5 (which is controlled by the united controller UC203).

In the reactor C1, ethyl acetate is produced via esterification of acetic acid and ethanol. The key to a high yield of product is the continuous removal of the ester and water out of the reactor by an azeotropic distillation. Since ethyl acetate, ethanol and water form a ternary azeotrope at the boiling temperature of 70.3°C, the vapour stream to be purified consists of 83.2 wt.% ethyl acetate, 9 wt.% ethanol and 7.8 wt.% water. This stream is condensed in the heat exchanger W1. The pressure and temperature in the reactor are recorded. The switch LS-A-207 switches the reactor heater off if the level sinks below a discrete threshold.

In the extractor F1 the condensed stream is washed with water. With ethyl acetate being less dense than both ethanol and water, it can easily be removed as the organic layer in the supernatant of the extractor with a purity of 96 wt.%. Impurities of the product stream occur due to a small solubility of water and ethanol in ethyl acetate. In the extractor, the temperature and pressure are indicated and the level is controlled by a valve which manipulates the water addition. A discrete controller stops the removal of the supernatant if the liquid level in the extractor rises above a certain critical level, in order to limit the amount of impurities in the product stream.

Fig. 5. P&I diagram of an ethyl acetate production plant as illustrative example.


The water layer is pumped (P3) into a distillation tank D1 where the product ethyl acetate is removed, again with the ternary azeotropic composition at 70.3°C, condensed in W2 and fed back into the extractor F1. The pressure of the distillation tank is indicated and the temperature is controlled via the flow of heating steam. Furthermore, the level is regulated by an input valve. If the level sinks below a certain critical level, the heating steam is switched off by a discrete controller which overrides the temperature controller.

The remaining mixture of ethanol and water is purified in another distillation tank D2 at a temperature of 78.2°C. The evaporated ethanol is condensed in W3 and fills tank B2, supplemented with fresh ethanol. The distillation tank D2 is equipped with the same controller and switching device as D1. The remaining water is fed to a wastewater plant.

4.2. The plant model

The modelling of the example plant concentrates on the fluid dynamics as well as on the temperature and pressure of the plant elements. After applying the modelling procedure described in Section 2, the overall plant model comprises 758 different states, 1699 state transitions and 16 564 different triggering combinations of events and conditions which can cause transitions to fire. These triggering combinations are scenarios which represent the dynamics of the plant. The modelling results of the overall model are given in Table 1. The table lists the results for the different models developed and stored in the model library. Since the models are reused, the overall number of states and state transitions for the whole plant model is much higher than the simple sum of the single model results.

The model for the distillator is sketched in detail in Table 2. The distillator model comprises states for the input and output flow rates, the states of aggregation, the heating steam flow rate, temperature, liquid level and pressure, and the change of the level and the pressure. To reduce the model complexity, only important scenarios are modelled, which results in only three states for the level change, but five states for the pressure and pressure change. In summary, the model consists of 12 process variables and 39 states. The distillator model is augmented by the controller and switching device models for the equipment D1 and D2.

Table 1
Results of the modelling of the fluid dynamics of the example plant

| Model of equipment | No. of states | No. of state transitions | No. of triggering scenarios |
|---|---|---|---|
| Tank/reactor | 28 | 88 | 760 |
| Extractor | 39 | 109 | 3660 |
| Condenser | 34 | 94 | 770 |
| Controller and switches | 3 | 4 | 4 |
| Pump | 28 | 50 | 225 |
| Stream connector | 21 | 47 | 325 |
| Valve | 27 | 49 | 200 |
| Distillator | 39 | 109 | 1800 |
| Overall model | 758 | 1699 | 16 564 |

4.3. Hazard identification by simulation and analysis

By simulation, a full HazOp-based hazard identification has been performed. Guide words formulated as events have been applied, and the propagation of the events within the model has been examined. Here, the guide words `none', `less of', `more of', `part of', `other', `as well as' and `reverse' have been used, and examples for each could be given. As simulation results, hazards and availability problems of the plant have successfully been identified and countermeasures have been introduced. However, due to the limited space, only one simple application of a guide word is explained in detail: the application of `none' or `no flow' to the input valve of tank B1 (Fig. 6). The consequences in the first part of the plant are visualised in Fig. 6 as a panel (Section 3.1). Please note that each button in the panel observes a state in a statechart, although only the most important states are represented. The black button shows the active state of a process variable in that simulation step. In the panel, the consequences of the guide word are visualised as arrows. All simulation steps are visualised as a kind of summary screenshot; in reality, the simulation steps and results follow a temporal order.

At the beginning, the input flow to tank B1 is set to `=0' (see arrow and button). In the next simulation steps, the level of the tank B1 sinks until it is empty (actually in two steps: in the beginning, the middle level state `half' is active, then `half empty' becomes active, then `empty'). After that, the pump P1 runs dry, since no means against that is known from the P&I diagram. This is clearly an undesired situation which has to be avoided. Thus, even if such a means has already been suggested elsewhere, it should not be forgotten.

Next, due to the united controller UC203, which controls the flow of pumps P1 and P2 and, above all, their ratio, the valve after pump P2 is closed (as a consequence of the missing flow through P1, since the ratio has first priority), which causes P2 to pump against a closed valve. Again, another safety-related fact has been found which should be kept in mind. A countermeasure should be added.

Table 2
The distillator model^a

| Variable | States |
|---|---|
| Input/output/steam flows | Positive, zero, negative |
| Input/output flows: states of aggregation | Gas, liquid |
| Temperature | Above, equal, below boiling point |
| Level | Full, almost full, half, almost empty, empty |
| Level change | Positive, constant, negative |
| Pressure | Critical high, high, normal, low, critical low |
| Pressure change | Fast positive, positive, constant, negative, fast negative |

^a The initial states are in italics. Liquid is the initial state for the input state of aggregation, gas for the output state of aggregation.


In the next simulation steps, the reactor C1 becomes empty and no vapour is produced. As a consequence, the heating steam of the reactor C1 is switched off (not visualised; Section 4.1). Then the heat exchanger W1 becomes empty, and the extractor F1 does not receive product any longer. Since the level controller LIC404 manipulates only the water input (Fig. 6), the level threshold is held and the product output stream contains more and more water. Here, our product button which observes the product quality in the output stream warns us. Another availability problem has been identified. The consequences for the rest of the plant have no safety importance.

After the simulations have been undertaken, reachability studies are performed to prove that no behavioural path from normal operation to a specified hazard has been overlooked. The reachability analyses have been carried out in co-operation with the OFFIS Institute at the University of Oldenburg, Germany. One example of these examinations is introduced here. The specification (i.e. the hazard) which has been examined is: how can a rapid pressure increase in the distillation tank D1 occur? This specification shows that for reachability analyses the hazard must already be identified, and only the ways which lead the plant to that hazard are of interest. Since the hazard must be expressed as a search for model states, the reachability problem has to be formulated as: can the two independent model states D1:Pressure_change:fast_positive and D1:Pressure:critical_high be active at the same time? The analysis has been computed on a SUN Ultra 60 (one 300 MHz processor, 1 GB RAM) and needed 9 minutes for the result. The answer of the algorithm points out that the hazard can indeed occur if the valve after the pump P3 blocks temporarily and the controller LS-A-601 fails. In that case, the distillation tank runs empty and the heating pipe gets overheated since it is not switched off. If the valve opens again, cold liquid touches the heating pipe and a flash evaporation takes place. The solution now has to be interpreted and, where necessary, countermeasures applied. Here, the hazard can only occur if a double fault takes place, which is often `safe enough'. Although the verification is limited to small problems, it is an interesting option for computer-based safety studies.

Fig. 6. Simulation panel for the results of the guide word `none' in the first part of the plant.
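As an added illustration (not the authors' Statemate model and not the OFFIS model checker), the following Python toy reproduces both strategies of Sections 3.2 and 4.3 on a constructed qualitative model of the distillation tank D1: a stimulus such as `valve_blocks` is applied like a guide word and simulated forward, and a breadth-first reachability search asks whether `pressure=critical_high` and `dpressure=fast_positive` can be active at the same time under a bound on the number of injected faults, returning the counterexample path when they can. All state and event names are assumptions chosen to mirror the text.

```python
from collections import deque
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class D1State:
    """Constructed toy model of tank D1 (assumed names, not the paper's Statemate model)."""
    valve: str = "open"          # valve after pump P3: open / blocked
    level: str = "half"          # abstracted from Table 2: full / half / empty
    heater: str = "on"           # heating steam: on / off
    ls_a_601: str = "ok"         # low-level switch that trips the heater: ok / failed
    pipe: str = "normal"         # heating pipe: normal / overheated
    pressure: str = "normal"     # normal / critical_high
    dpressure: str = "constant"  # constant / fast_positive
    faults: int = 0              # component faults injected so far

EVENTS = ("tick", "valve_blocks", "valve_opens", "switch_fails")

def step(s: D1State, ev: str) -> Optional[D1State]:
    """One transition of the model, or None if the event is not enabled in state s."""
    if ev == "valve_blocks":   # fault: the valve after P3 blocks
        return replace(s, valve="blocked", faults=s.faults + 1) if s.valve == "open" else None
    if ev == "switch_fails":   # fault: LS-A-601 no longer trips the heater
        return replace(s, ls_a_601="failed", faults=s.faults + 1) if s.ls_a_601 == "ok" else None
    if ev == "valve_opens":    # the temporary blockage clears
        if s.valve != "blocked":
            return None
        if s.level == "empty" and s.pipe == "overheated":
            # cold liquid meets the overheated pipe: flash evaporation, rapid pressure rise
            return replace(s, valve="open", pressure="critical_high", dpressure="fast_positive")
        return replace(s, valve="open", level="half")
    # "tick": autonomous plant dynamics for one qualitative time step
    if s.valve == "blocked" and s.level != "empty":
        return replace(s, level={"full": "half", "half": "empty"}[s.level])
    if s.level == "empty" and s.heater == "on":
        if s.ls_a_601 == "ok":
            return replace(s, heater="off")   # LS-A-601 switches the heating steam off
        return replace(s, pipe="overheated")  # switch failed: heating pipe overheats
    return None  # steady state: nothing changes

def is_hazard(s: D1State) -> bool:
    """The specification of Section 4.3: both hazard states active at the same time."""
    return s.pressure == "critical_high" and s.dpressure == "fast_positive"

def simulate(events: List[str], initial: D1State = D1State()) -> List[D1State]:
    """HazOp-like forward simulation of a stimulus sequence; returns the trace of states."""
    trace = [initial]
    for ev in events:
        nxt = step(trace[-1], ev)
        if nxt is None:
            raise ValueError(f"event {ev!r} not enabled in {trace[-1]}")
        trace.append(nxt)
    return trace

def find_counterexample(max_faults: int, initial: D1State = D1State()) -> Optional[List[str]]:
    """Breadth-first reachability search over every event sequence with at most
    max_faults injected faults; returns the shortest path to the hazard or None."""
    queue = deque([(initial, [])])
    seen = {initial}
    while queue:
        s, path = queue.popleft()
        if is_hazard(s):
            return path
        for ev in EVENTS:
            n = step(s, ev)
            if n is None or n.faults > max_faults or n in seen:
                continue
            seen.add(n)
            queue.append((n, path + [ev]))
    return None  # no path: the hazard is unreachable under this fault restriction
```

With at most one fault `find_counterexample(1)` returns None; allowing two faults returns a five-event path (valve blocks, LS-A-601 fails, tank empties, pipe overheats, valve opens), which is the double-fault scenario described in the text.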

5. Discussion

To discuss the approach, some advantages and disadvantages of the introduced method are now examined in detail.

1. If the main aim of a computer-based approach is to provide comfortable support for a manual HazOp study, it is important that the computer tool is integrated into industrially used software systems and Computer Aided Design (CAD) tools. This means that any information given in a CAD project should also be usable by the hazard identification tool. Up to now, no such interface has been generated.

2. Generally speaking, the generation of plant models is a time-intensive task. As an example, the creation of the whole model for the ethyl acetate plant was carried out by two persons and took about 1 month. This was done without using the model library (the model library was set up with the ethyl acetate plant models). However, with the use of the model library, which currently includes 15 modulecharts and 25 activitycharts, the effort to build a plant model can be reduced considerably. With the help of the model library, another plant model for the production of nitrobenzene, introduced in Graf (2000), was generated within 1 week. This is a more acceptable effort for an industrial application, but still has to be improved.

3. In a manual HazOp study, after a HazOp guide word is applied, possible causes for the applied deviation are considered and the consequences evaluated. In this approach, only the consequences are visualised and no help is offered for the detection of causes. These aspects are left for future work.

4. The documentation of a HazOp study is often difficult to understand and quite complicated. One advantage of our approach is that simulations can be stored in play-back files. These files save every model status and all user interactions at every simulation step. They can be loaded after the simulations have been finished, and show the simulation without any user interaction as a scenario `movie', i.e. they show the play of lights in the panels. This is very easy to understand even weeks after the simulations have been undertaken.

5. HazOps can go into more detail if additional plant knowledge is required. In contrast, a simulation can single out particular aspects of the plant behaviour and study them in detail, e.g. by developing quantitative models as described in Stursberg et al. (1998).

6. Simulations can examine the whole plant as one model, which is often interesting but not considered in a HazOp study. However, if the whole plant is in the simulation scope, the user interaction becomes quite cumbersome because of the many questions the user has to answer.


7. The strategies for a reachability analysis of dangerous plant states enhance the efficiency of a computer-based HazOp study and deliver important additional information. The counterexample of such an analysis is given as a simulation play-back file and can easily be examined in a simulation. However, due to the well-known problem of state space explosion in discrete event systems, such examinations are limited to smaller parts of the plant.

6. Conclusions

This contribution has introduced a new approach to model-based hazard identification by computer simulation and analysis. As a basis, qualitative equipment models are created, implemented with the help of the statechart language and stored in a model library. To model a plant, the appropriate equipment models are taken from the library and put together. As a hazard identification strategy, simulations of HazOp guide words can be carried out. The simulation results are visualised in a user-friendly way by panels. Furthermore, reachability analyses of dangerous plant states can be performed to prove that no specified hazard is overlooked. The approach has been applied to an example plant, and the results have been discussed. Some main drawbacks of computer-based hazard identification programs have been addressed and remedied. Other papers on this approach which deal with the application to a batch process example plant and the extension to a more quantitative examination have been cited. Thus, our approach is a promising new method for computer-based hazard identification, and it is a further step in the ongoing research.

Acknowledgement

This work is supported by the German Research Council (DFG) within the post-graduate research program Modelling and Model-based Development of Complex Technological Systems.

References

Brockmeyer, U., Wittich, G., 1998. Tamagotchis need not die - verification of Statemate designs. Proceedings of TACAS First International Conference on Tools and Algorithms for the Construction and Analysis of Systems, Lisbon, Portugal.

Catino, C.A., Ungar, L.H., 1995. A model-based approach to automated hazard identification of chemical plants. AIChE Journal 41 (3), 97–109.

Day, N., 1993. An example of linking formal methods with case tools. Proceedings of CASCON, Toronto, Canada, pp. 97–107.

Dimitriadis, V.D., Shah, N., Pantelides, C.C., 1995. Modelling and safety verification of discrete/continuous processing systems using discrete time domain models. Workshop on Analysis and Design of Event-Driven Operations in Process Systems, London.

EPSC, 1998. Knowledge-based HazOps progress in computer emulation. Technical Report No. 4. European Process Safety Centre, London.

German Patent, 1989. Offenlegungsschrift DE OS 3814095 A1, Deutsches Patentamt München, 9.11.89.

Graf, H., 2000. Ein modellbasierter Ansatz zur rechnergestützten Sicherheitsbetrachtung von Chemieanlagen während der Planungsphase. PhD thesis, University of Dortmund, Department of Chemical Engineering, VDI-Verlag, Düsseldorf, Germany.

Göring, M., Schecker, H.G., 1993. HAZEXPERT: an integrated expert system to support hazard analysis in process plant design. Computers Chem. Engng. 17, 429–434.

Harel, D., 1987. Statecharts: a visual formalism for complex systems. Sc. Comp. Progr. 8, 231–274.

Heino, P., Poucet, A., Suokas, J., 1992. Computer tools for hazard identification, modelling and analysis. Journal of Hazardous Materials 29, 445–463.

Jefferson, M., Cheung, P., Rushton, A., 1995. Automated hazard identification by emulation of HAZOP studies - STOPHAZ. 8th Int. Conf. on Industrial and Engineering Applications of AI and Expert Systems, Melbourne, Australia, pp. 765–770.

Karvonen, I., Heino, P., Suokas, J., 1990. Knowledge-based approach to support HAZOP-studies. Research Report. Technical Research Centre of Finland.

Lawley, H.G., 1974. Operability studies and hazard analysis. Chem. Eng. Prog. 70, 105–116.

Lihou, D.A., 1980. Computer-aided operability studies for loss control. Proceedings of 3rd Int. Symp. on Loss Prevention and Safety Promotion in the Process Industries, Basle, Switzerland, pp. 448–454.

Mikk, E., Lakhnech, Y., Petersohn, C., 1997. On formal semantics of statecharts as supported by Statemate. Proceedings of 2nd BCS-FACS Northern Formal Methods Workshop. Springer-Verlag, Germany.

Parmar, J.C., Lees, F.P., 1987. The propagation of faults in process plants: hazard identification for a water separator system. Reliability Engineering 17, 303–314.

Preston, M., Richards, D., Rushton, A., 1996. CAPE - crusading for process safety: an industrial perspective. Computers Chem. Engng. 20 (Suppl.), 1533–1538.

Probst, S.T., 1996. Chemical process safety and operability analysis using symbolic model checking. PhD Thesis, Carnegie Mellon University, Pittsburgh, USA.

Rootsaert, T., Harrington, J., 1992. A knowledge-based computer program COMHAZOP as an aid for hazard and operability studies in process plants. 6th Int. Symp. on Loss Prevention and Safety Promotion in the Safety Industries, Taormina.

Sanders, J.W., 1995. Process safety artificial intelligence system. Proceedings of 8th Int. Symp. on Loss Prevention and Safety Promotion in the Process Industries, Antwerpen, Netherlands, pp. 657–666.

Shimada, Y., Suzuki, K., Sayama, H., 1996. Computer-aided operability study. Computers Chem. Engng. 20 (6/7), 905–913.

Srinivasan, R., Venkatasubramanian, V., 1996. Petri Net-Digraph models for automating HAZOP analysis of batch process plants. Computers Chem. Engng. 20, 719–725.

Störfall-Verordnung, 1993. 12. Verordnung zur Durchführung des Bundes-Immissionsschutzgesetzes. German Law BGBl. I, 1782.

Stursberg, O., Graf, H., Engell, S., Schmidt-Traub, H., 1998. A concept for safety analyses of chemical plants based on discrete models with an adapted degree of abstraction. Fourth International Workshop on Discrete Events Systems WoDES 98, Cagliari, Italy.

Vecchietti, A., Leone, H., 1995. SERO: a knowledge-based system for HAZOP-studies. AIChE Symp. Series 132 92, Intelligent Systems in Process Engineering, Snowmass Village, Colorado, USA, pp. 287–290.

Venkatasubramanian, V., Vaidhyanathan, R., 1994. HAZOPExpert: a model-based expert system for HAZOP analysis. AIChE Spring National Meeting 34d, Atlanta, USA.

Venkatasubramanian, V., Preston, M., 1995. A perspective on intelligent systems for process hazards analysis. Intelligent Systems in Process Engineering, Snowmass Village, Colorado, USA.

Waters, A., Ponton, J.W., 1989. Qualitative simulation and fault propagation in process plants. Chem. Eng. Res. Des. 67, 407–422.

Weatherill, T., Cameron, I.T., 1989. A prototype expert system for hazard and operability studies. Computers Chem. Engng. 13 (11/12), 1129–1234.