An extended HAZOP analysis approach with dynamic fault tree


Journal of Loss Prevention in the Process Industries 38 (2015) 224–232

Contents lists available at ScienceDirect

Journal of Loss Prevention in the Process Industries journal homepage: www.elsevier.com/locate/jlp

Lijie Guo*, Jianxin Kang
Hebei Key Laboratory of Applied Chemistry, College of Environmental and Chemical Engineering, Yanshan University, Qinhuangdao 066004, Hebei Province, PR China

Article info

Article history: Received 19 December 2013; Received in revised form 6 September 2015; Accepted 9 October 2015; Available online xxx

Abstract

An extended hazard and operability (HAZOP) analysis approach with dynamic fault tree is proposed to identify potential hazards in chemical plants. First, the conventional HAZOP analysis is used to identify the possible fault causes and consequences of abnormal conditions, which are called deviations. Based on the HAZOP analysis results, hazard scenario models are built to explicitly represent the propagation pathway of faults. With the quantitative analysis requirements of HAZOP analysis and the time-dependent behavior of real failure events considered, the dynamic fault tree (DFT) analysis approach is then introduced to extend HAZOP analysis. To simplify the quantitative calculation, the DFT model is solved with a modularization approach in which a binary decision diagram (BDD) and a Markov chain approach are applied to solve the static and dynamic subtrees, respectively. Subsequently, the occurrence probability of the top event and the probability importance of each basic event with respect to the top event are determined. Finally, a case study is performed to verify the effectiveness of the approach. Results indicate that, compared with the conventional HAZOP approach, the proposed approach not only effectively identifies possible fault root causes but also quantitatively determines the occurrence probability of the top event and the most likely fault causes. The approach can provide a reliable basis to improve process safety. © 2015 Elsevier Ltd. All rights reserved.

Keywords: HAZOP; Hazard scenario; DFT; BDD; Markov chain

* Corresponding author. E-mail address: [email protected] (L. Guo). http://dx.doi.org/10.1016/j.jlp.2015.10.003 0950-4230/© 2015 Elsevier Ltd. All rights reserved.

1. Introduction

In recent years, the chemical industry has gained substantial attention. It has generated significant benefits for society, such as the extensive use of raw materials for fertilizers, shelter, and clothing. However, the occurrence of catastrophic events in chemical plants has caused serious harm to human health and safety, huge economic losses, and environmental pollution (Zhang and Lowndes, 2010). To effectively identify the potential hazards in chemical plants, numerous safety assessment approaches have been developed, such as fault tree (FT) analysis, failure mode and effect analysis (FMEA), hazard and operability (HAZOP) analysis, and event tree (ET) analysis. Among these, FT and HAZOP are the most popular and powerful approaches used for safety assessment.

HAZOP analysis is a systematic procedure to identify the abnormal causes of process deviations from normal behavior and their adverse consequences, and therefore to eliminate or mitigate hazards (Srinivasan and Venkatasubramanian, 1998). This type of analysis is commonly performed by a multidisciplinary team of experts during brainstorming sessions. Although conventional HAZOP analysis is an efficient hazard assessment approach, it has three inherent weaknesses for plant management staff. First, it cannot provide quantitative assessment results because of the qualitative nature of its assessments. Second, HAZOP analysis results presented in tabular form cannot show explicit fault propagation in process plants; the digraph is the most popular method used to qualitatively model fault propagation behavior (Kuo et al., 1997; Leone, 1996). Third, HAZOP analysis fails to consider fault root causes, i.e., the specific equipment failure elements that lead to deviations, because the possible causes identify the failure only at the equ
ipment level. However, identifying these fault root causes or the specific equipment failure elements is crucial to provide early warnings and appropriate safety measures to enhance the reliability of the process system (Hu et al., 2015). These arguments indicate that conventional HAZOP analysis cannot meet the increased safety and environmental management requirements of the complex process industry. Moreover, making specific decisions based on the conventional HAZOP results is usually frustrating for plant management staff. Accordingly, extending the HAZOP analysis approach to ensure plant process safety is necessary. The integration of HAZOP, LOPA, SRS, SIL (Cui et al., 2012), and FMECA (Giardina and Morale, 2015) has been developed to quantify the hazards identified by HAZOP. However, these approaches have received limited attention in analyzing fault propagation pathways and comprehensively identifying fault root causes. For this reason, an extended HAZOP analysis approach combined with the dynamic fault tree (DFT) is developed in this paper to ensure the inherent safety of the process system.

FT analysis is a qualitative and quantitative safety assessment technique. It graphically presents all fault causes that lead to an undesired event, which is called a top event (TE) (Chang et al., 2002). Combining HAZOP and FT analysis offers clear advantages in identifying hazards. However, the conventional static fault tree cannot evaluate the dynamic fault behavior of time-dependent complex systems, e.g., a repairable system with spare components or an event-sequence-dependent system. Consequently, the disadvantage of this approach is that it cannot model real industrial conditions. Therefore, the DFT approach was developed by adding new dynamic logic gates to the static fault tree. A DFT is a fault tree that contains at least one special dynamic logic gate, such as the priority-AND (PAND) gate, sequence enforcing (SEQ) gate, SPARE gate, and functional dependency (FDEP) gate (Rauzy, 2011). The dynamic logic gate is suitable for modeling the fault behavior of a time-dependent system. On account of its quantitative and dynamic description characteristics, the DFT approach is introduced to extend HAZOP analysis and to graphically and hierarchically represent all of the cause-consequence relationships of failing equipment.

There are two major aims of the present paper. First, the extended HAZOP approach not only helps team members identify possible fault root causes and their consequences on equipment as completely as possible, but also represents fault propagation pathways.
Second, it also provides a quantitative probability importance ranking of fault causes to guide the decision making of management staff to mitigate or avoid potential process hazards.

This paper is organized as follows. Section 1 introduces the integration of HAZOP and DFT. Section 2 focuses on the procedure of the extended HAZOP analysis approach. Section 3 presents the quantitative analysis of DFT. Section 4 details a case study with the extended HAZOP analysis. Section 5 presents the conclusions.

2. Procedure for the extended HAZOP analysis approach

To effectively identify the potential hazards in chemical plants, an extended HAZOP analysis approach is developed. The analysis procedure of the approach is shown in Fig. 1. Extended HAZOP analysis consists of conventional HAZOP, hazard scenarios, and DFT analysis. The steps are as follows:

(1) Conventional HAZOP analysis is conducted. After the related data (P&ID, PFD, operating procedure, results of previous process safety reviews, etc.) are collected, the analyzed plant is divided into sections, which are called nodes. Deviations from the design intent are determined for the specific node. They are composed of process parameters (temperature, pressure, flow, etc.) and guidewords (no, more, less, reverse, etc.). For example, the deviation "more flow" is obtained by combining "flow" and "more". The deviations are usually predefined by the HAZOP chairman and then discussed and determined in HAZOP sessions. Afterward, the possible fault causes and consequences of the given deviations are identified.

(2) In general, a deviation can have several fault causes and different consequences in the HAZOP analysis results. It is complicated and difficult to straightforwardly convert a HAZOP analysis result into a DFT model. For this reason, the construction of the hazard scenario model is necessary. It is a representation of the fault propagation process (fault chain) from the origin (cause) to the consequence of the fault, which helps the staff find the cause-consequence relationships of the faults. The hazard scenario model is shown in Fig. 2. In the conversion process, the possible fault causes obtained by the HAZOP analysis are treated as initiating events, deviations as middle events, and consequences as final events. In this way, a fault chain is developed.

(3) Based on the hazard scenario models, DFT analysis is subsequently performed, in which both the initiating events and the middle events of the hazard scenarios are used as intermediate events (IE), and the final event is used as the TE. Specifically, the causes that lead to initiating events are further identified at the level of parts or components of the equipment to determine the root causes, which are used as basic events (BE) in the DFT. Then, the DFT can be constructed by adding a specific logic gate among the events on the same layer. Accordingly, hazard scenario analysis can be seen as a link between HAZOP and DFT analysis. With the DFT model determined, quantitative analysis is performed, in which the failure probability of the TE and the probability importance of each BE are calculated. The risk ranking is then obtained, so that the safety weak points of the system can be identified. Finally, the suitable safety-related actions required can be proposed to ensure or improve process safety during the plant life cycle.

Fig. 1. Extended HAZOP analysis procedure.


Fig. 2. Hazard scenario model based on HAZOP analysis.

Note that the HAZOP analysis approach has already been discussed in detail in IEC 61882. Except for the logic gates, the procedure for establishing the DFT model is similar to that of the static FT model when the existing standard procedure is used. Therefore, the next section focuses on the quantitative analysis methodology of DFT.

3. Quantitative analysis of DFT

The initial step, before the quantitative analysis of the DFT, is modularization analysis. Then, two critical tasks are performed: the probability determination of the TE and the probability importance determination of each BE.

3.1. Modularization analysis of DFT

Breaking down the entire original fault tree into several independent static and dynamic subtrees modularizes the DFT model and improves the efficiency of the analysis. A subtree is composed of no less than two failure events and a logic gate on their upper layer, with no other failure events constrained by that logic gate. The quantitative calculation of the static and dynamic subtrees is performed with the binary decision diagram (BDD) algorithm and the Markov chain method, respectively. Then, each subtree is replaced with a new event whose failure probability is equal to the failure probability of the original subtree. The overall fault tree can then be reconstructed and solved according to the static/dynamic fault tree analysis approach.

3.2. Probability determination of TE

The probability of the TE is solved through both the BDD algorithm and the Markov chain method.

3.2.1. Probability calculation of the static fault subtree

The probability of the static fault subtree is solved with the BDD approach. The BDD approach has already been proved to be helpful in reliability analysis. It provides a graph representation of a 2-pass tree on the basis of the Shannon decomposition rule. Two edges are involved in a BDD, with the 1-edge corresponding to the failure condition and the 0-edge corresponding to the operational condition. The main advantage of the BDD approach is that it is suitable for very complex static fault tree models because it provides an efficient means to analyze a system without the need to obtain minimal cut sets as intermediate results (Reay and Andrews, 2002; Remenyte-Prescott and Andrews, 2008). The conversion of static fault subtrees to a BDD can be achieved by the recursion method. The if-then-else (ITE) connective is generally used to represent Boolean functions as BDDs (Bjorkman, 2013). It is defined as follows:

$$\mathrm{ite}(A, B, C) = A B + \bar{A} C \tag{1}$$

Eq. (1) means that if event A occurs, then event B occurs, or else event C occurs. Assume that each BE in the static fault tree is assigned a Boolean variable ($x_1, x_2, \ldots, x_n$). Let $\mathrm{index}(x_i) = i \in N$, and $N = (1, 2, \ldots, n)$. The index value of each BE is determined with the bottom-top and left-right ordering rule in this paper. In this case, the index value of the event at the top and left position is assigned to 1. If we consider two arbitrary variables $x_i, x_j \in (x_1, x_2, \ldots, x_n)$, their corresponding Boolean functions are (Xing and Gregory, 2013)

$$G = \mathrm{ite}(x_i, G_{x_i=1}, G_{x_i=0}) \tag{2}$$

$$F = \mathrm{ite}(x_j, F_{x_j=1}, F_{x_j=0}) \tag{3}$$

In the conversion of a static fault tree to a BDD, the following rule should be applied:

$$
\begin{aligned}
G \diamond F &= \mathrm{ite}(x_i, G_{x_i=1}, G_{x_i=0}) \diamond \mathrm{ite}(x_j, F_{x_j=1}, F_{x_j=0}) = \mathrm{ite}(x_i, G_1, G_2) \diamond \mathrm{ite}(x_j, F_1, F_2) \\
&= \begin{cases}
\mathrm{ite}(x_i, G_1 \diamond F_1, G_2 \diamond F_2) & \mathrm{index}(x_i) = \mathrm{index}(x_j) \\
\mathrm{ite}(x_i, G_1 \diamond F, G_2 \diamond F) & \mathrm{index}(x_i) < \mathrm{index}(x_j) \\
\mathrm{ite}(x_j, G \diamond F_1, G \diamond F_2) & \mathrm{index}(x_i) > \mathrm{index}(x_j)
\end{cases}
\end{aligned}
$$

where the symbol $\diamond$ represents an AND or OR logic gate. The static fault tree is converted to a BDD in a bottom-top manner according to the ITE function rule. In other words, the conversions by the ITE rule are performed starting from the bottom events to their parent logic gate until the top event, as shown in Fig. 3. Each BDD is composed of more than one disjoint path of fault propagation in the DFT. The set of fault propagation paths can be described as:

$$
\begin{cases}
\mathrm{path}(1) = \{x_{1,1}, x_{1,2}, \ldots, x_{1,n_1}, \bar{x}_{1,n_1+1}, \bar{x}_{1,n_1+2}, \ldots, \bar{x}_{1,n_1+m_1}\}, \\
\mathrm{path}(2) = \{x_{2,1}, x_{2,2}, \ldots, x_{2,n_2}, \bar{x}_{2,n_2+1}, \bar{x}_{2,n_2+2}, \ldots, \bar{x}_{2,n_2+m_2}\}, \\
\ldots, \\
\mathrm{path}(i) = \{x_{i,1}, x_{i,2}, \ldots, x_{i,n_i}, \bar{x}_{i,n_i+1}, \bar{x}_{i,n_i+2}, \ldots, \bar{x}_{i,n_i+m_i}\}, \\
\ldots, \\
\mathrm{path}(k) = \{x_{k,1}, x_{k,2}, \ldots, x_{k,n_k}, \bar{x}_{k,n_k+1}, \bar{x}_{k,n_k+2}, \ldots, \bar{x}_{k,n_k+m_k}\}.
\end{cases} \tag{4}
$$

Fig. 3. Conversion of a fault tree to BDD.

Therefore, the occurrence probability of the TE in the static subtree obtained by BDD is expressed as (Ji, 2002):

$$
P^{\mathrm{subtree}}_{\mathrm{static}}(TE) = \sum_{i=1}^{k} P(\mathrm{path}(i))
= \sum_{i=1}^{k} \left( \prod_{j=1}^{n_i} P(x_{i,j}) \prod_{j=1}^{m_i} P(\bar{x}_{i,n_i+j}) \right)
= \sum_{i=1}^{k} \left( \prod_{j=1}^{n_i} P(x_{i,j}) \prod_{j=1}^{m_i} \left( 1 - P(x_{i,n_i+j}) \right) \right) \tag{5}
$$

where k denotes the number of disjoint paths in the BDD, $n_i$ indicates the number of events with 1-edge in the ith path, and $m_i$ is the number of events with 0-edge in the ith path.

3.2.2. Probability calculation of the dynamic fault subtree

The Markov chain is a widely used tool for the state transition analysis of events following an exponential distribution in a dynamic system. It can graphically illustrate time-dependent dynamic event behavior. Therefore, the Markov chain approach is applied to solve a dynamic fault subtree. The Markov chain with n transition states is shown in Fig. 4, where $\lambda$ stands for the failure rate of the component or part, 0 means that the system is in the operation state when all elements are in operation, and n means that elements no. 1 through n are in the failure state while the system can be operational or failed. Fig. 4 shows that each transition represents a component failure process in the system. In other words, a Markov chain corresponds to the occurrence of failures in a particular order of events. If the final state (nth state) in the Markov chain is a system fault, a combination of all of the failure modes of the elements that resulted in the state transition in a particular sequence can be considered as a failure mode of the system. For example, a failure mode of the system in Fig. 4 is Element 1 → Element 2 → … → Element n. This sequence means that the entire system will only fail if the element failures occur in this particular order. To simplify the analysis, the main hypotheses used for the Markov chain are as follows:

(1) The system is a repairable binary state (operation or failure) system; if an element fails, it is replaced by a new spare element, i.e., the system is in an as-good-as-new state.
(2) The conditional probability of a BE failing in the interval (t, t + dt) is $\lambda\,dt$.
(3) More than one BE cannot simultaneously occur in the system.
(4) Each of the BEs has an exponential failure distribution, i.e., the failure rate of the BEs is constant.
(5) The occurrence of any two BEs is mutually independent.

Fig. 4 indicates that the state transition matrix P(t) at mission time t can be expressed as:

$$
P(t) = \{P_{ij}(t)\} = \{P(X(t) = j \mid X(0) = i)\} =
\begin{bmatrix}
p_{00} & p_{01} & \cdots & p_{0i} & \cdots & p_{0n} \\
p_{10} & p_{11} & \cdots & p_{1i} & \cdots & p_{1n} \\
\vdots & \vdots & & \vdots & & \vdots \\
p_{j0} & p_{j1} & \cdots & p_{ji} & \cdots & p_{jn} \\
\vdots & \vdots & & \vdots & & \vdots \\
p_{n0} & p_{n1} & \cdots & p_{ni} & \cdots & p_{nn}
\end{bmatrix}, \qquad i, j \in \{0, 1, \ldots, n\} \tag{6}
$$

Let the matrix A be the state transition coefficient matrix, which can be defined as:

$$
A = \begin{bmatrix}
-\lambda_{01} & \lambda_{01} & 0 & \cdots & \cdots & \cdots & 0 \\
0 & -\lambda_{12} & \lambda_{12} & 0 & \cdots & \cdots & 0 \\
\vdots & \vdots & \vdots & \ddots & & & \vdots \\
0 & 0 & \cdots & -\lambda_{r,r+1} & \lambda_{r,r+1} & \cdots & 0 \\
\vdots & \vdots & & & \ddots & & \vdots \\
0 & 0 & \cdots & \cdots & 0 & -\lambda_{n-1,n} & \lambda_{n-1,n} \\
0 & 0 & \cdots & \cdots & \cdots & 0 & 0
\end{bmatrix} \tag{7}
$$

where $\lambda_{r,r+1}$ represents the failure rate of the state transition from the rth to the (r+1)th state. Therefore, we have the following differential equations:

$$
P'(t) = P(t) A, \qquad P(0) = \begin{pmatrix} 1 & 0 & \cdots & 0 \end{pmatrix} \tag{8}
$$

where $P'(t)$ is a matrix composed of the derivative of each component of the P(t) matrix, whereas P(0) is the initial probability matrix at time t = 0. With the use of the Laplace transformation and inverse Laplace transformation, the failure probability in a Markov chain with n state transitions is determined as follows (Gao, 2005):

$$
p_n(t) = \left( \prod_{r=0}^{n-1} \lambda_{r,r+1} \right) \left( \sum_{k=0}^{n} \frac{e^{-\lambda_{k,k+1} t}}{\prod_{r=0,\, r \neq k}^{n} \left( \lambda_{r,r+1} - \lambda_{k,k+1} \right)} \right) \tag{9}
$$

In Eq. (9), state n is absorbing, so $\lambda_{n,n+1} = 0$. When $\lambda_{r,r+1} = \lambda_{k,k+1}$, let $1/\lambda'_{r,r+1} = 1/\lambda_{r,r+1} + 10$ and $\lambda'_{k,k+1} = \lambda_{k,k+1}$ (Yang, 2006). In this case, $\lambda_{r,r+1}$ and $\lambda_{k,k+1}$ are replaced with $\lambda'_{r,r+1}$ and $\lambda'_{k,k+1}$, respectively. In this way, for the dynamic subtree with m branched Markov chains, the occurrence probability of the failure can be determined by Eq. (10):

$$
P^{\mathrm{subtree}}_{\mathrm{dyn}}(t) = \sum_{i=1}^{m} p_{n_i}(t) \tag{10}
$$

where $n_i$ is the number of state transition steps for the ith branched chain, and m is the number of branched chains. Eq. (10) denotes the probability of state transition and is calculated by summing the probabilities of all branched Markov chains.

Fig. 4. State transition diagram of the Markov chain.

3.3. Probability importance determination of BEs

The failure of any BE can lead to the occurrence of a TE. However, different events may have different influences on the occurrence of a TE. In fact, besides the failure probability of the TE, operators and plant management staff are concerned with the most likely fault causes that may lead to the occurrence of a TE, so that they can make appropriate decisions to prevent or avoid the occurrence of the TE. Performing the probability importance analysis of BEs is necessary to measure the effect of the reliability of each BE on the TE. The following two approaches are used:

(1) BE probability importance in the static subtree. For BEs in the static subtree, an algorithm based on the BDD is used, in which the probability of the TE is calculated under the conditions that the ith BE occurs ($x_i = 1$) and that the ith BE does not occur ($x_i = 0$). $P_{\mathrm{subtree}}|_{x_i=1}$ and $P_{\mathrm{subtree}}|_{x_i=0}$ represent the failure probability of the corresponding subtree in these two states of the ith BE. Then, the probability importance of the ith BE at time t for the subtree can be determined by the following equation:

$$
I^{\mathrm{Pr}}_{\mathrm{subtree}}(i \mid t) = P_{\mathrm{subtree}}|_{x_i=1} - P_{\mathrm{subtree}}|_{x_i=0} \tag{11}
$$

(2) BE probability importance in the dynamic subtree. For the probability importance of the ith BE in the dynamic subtree, an approximation algorithm derived from the Markov chain is used as follows (Ou and Dugan, 2003):

$$
\hat{I}^{\mathrm{Pr}}_{\mathrm{subtree}}(i \mid t) = \frac{\bar{R}_i}{1 - q_i} - \frac{R_i}{q_i} \tag{12}
$$

where $\hat{I}^{\mathrm{Pr}}_{\mathrm{subtree}}(i \mid t)$ is the probability importance of the ith BE with respect to the corresponding kth subtree at time t, $R_i$ is the sum of the probabilities of the states in which the system is operational when the ith BE has occurred, $\bar{R}_i$ is the sum of the probabilities of the states in which the system is operational when the ith BE has not occurred, and $q_i$ is the failure probability of the ith BE at time t. When each static and dynamic subtree is replaced with a probability-equivalent BE, the probability importance of the kth subtree with respect to the entire system ($I^{\mathrm{Pr}}_{\mathrm{Sys}}(k)$) can be calculated in a bottom-top manner according to the above algorithm. Finally, the probability importance of the ith BE with respect to the entire system ($I^{\mathrm{Pr}}_{\mathrm{Sys}}(i)$) is given as follows:

$$
I^{\mathrm{Pr}}_{\mathrm{Sys}}(i \mid t) = I^{\mathrm{Pr}}_{\mathrm{Sys}}(k) \cdot I^{\mathrm{Pr}}_{\mathrm{Subtree}}(i \mid t) \tag{13}
$$
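As an added worked example (my code, not the authors'), the following Python carries the ITE combination rule of Section 3.2.1, the disjoint-path sum of Eq. (5) and the importance measure of Eq. (11) through on small static subtrees. The failure rates and the 8000 h mission time are taken from Tables 2 and 3; the gate structure IE2 = OR(BE1, BE2) and the second subtree with a repeated basic event are my assumptions, not structures stated in the paper.

```python
"""ITE/BDD evaluation of a static fault subtree, after Eqs. (1)-(5) and (11)."""
import math

# Terminals of the BDD. A non-terminal node is the tuple (index, high, low),
# i.e. ite(x_index, high, low) of Eq. (1): high is the 1-edge (event occurred),
# low is the 0-edge (event did not occur). The BE index is the variable order.
ONE, ZERO = True, False


def apply(op, g, f):
    """Combine two ordered BDDs with an AND ('and') or OR ('or') gate by the
    ITE rule of Section 3.2.1: descend on the smaller index, or on both sides
    when the indices coincide."""
    if op == "and":
        if g is ZERO or f is ZERO:
            return ZERO
        if g is ONE or f is ONE:
            return f if g is ONE else g
    else:
        if g is ONE or f is ONE:
            return ONE
        if g is ZERO or f is ZERO:
            return f if g is ZERO else g
    gi, g1, g0 = g
    fi, f1, f0 = f
    if gi == fi:                                   # index(x_i) = index(x_j)
        return (gi, apply(op, g1, f1), apply(op, g0, f0))
    if gi < fi:                                    # index(x_i) < index(x_j)
        return (gi, apply(op, g1, f), apply(op, g0, f))
    return (fi, apply(op, g, f1), apply(op, g, f0))  # index(x_i) > index(x_j)


def build(tree):
    """Bottom-up conversion of a nested ('and'|'or', child, ...) fault tree to
    a BDD. Leaves are integer BE indices."""
    if isinstance(tree, int):
        return (tree, ONE, ZERO)
    op, *children = tree
    bdd = build(children[0])
    for child in children[1:]:
        bdd = apply(op, bdd, build(child))
    return bdd


def disjoint_paths(node, prefix=()):
    """Eq. (4): every root-to-1 path as a tuple of (index, edge) pairs."""
    if node is ONE:
        yield prefix
    elif node is not ZERO:
        i, high, low = node
        yield from disjoint_paths(high, prefix + ((i, 1),))
        yield from disjoint_paths(low, prefix + ((i, 0),))


def subtree_probability(bdd, q):
    """Eq. (5): over disjoint paths, product of q on 1-edges and (1-q) on 0-edges."""
    total = 0.0
    for path in disjoint_paths(bdd):
        p = 1.0
        for i, edge in path:
            p *= q[i] if edge == 1 else 1.0 - q[i]
        total += p
    return total


def restrict(node, index, value):
    """Fix basic event x_index to 1 or 0 inside an ordered BDD."""
    if node is ONE or node is ZERO:
        return node
    i, high, low = node
    if i == index:
        return high if value else low   # a variable occurs once per path
    return (i, restrict(high, index, value), restrict(low, index, value))


def probability_importance(bdd, q, index):
    """Eq. (11): P(subtree | x_i = 1) - P(subtree | x_i = 0)."""
    return (subtree_probability(restrict(bdd, index, 1), q)
            - subtree_probability(restrict(bdd, index, 0), q))


def failure_probability(rate_per_1e6_h, hours):
    """Constant failure rate (hypothesis (4)): q = 1 - exp(-lambda t)."""
    return 1.0 - math.exp(-rate_per_1e6_h * 1e-6 * hours)


MISSION_HOURS = 8000                    # mission time of the case study
RATES = {1: 3.52, 2: 6.89, 3: 9.65}    # BE1..BE3, per 1e6 h, from Table 2
Q = {i: failure_probability(r, MISSION_HOURS) for i, r in RATES.items()}


def ie2_probability():
    """Assumed structure IE2 = OR(BE1, BE2); not stated on the page, but it
    reproduces the Table 3 value 0.079906 for IE2."""
    return subtree_probability(build(("or", 1, 2)), Q)


def shared_event_demo():
    """Constructed subtree OR(AND(BE1, BE2), AND(BE1, BE3)) with a repeated BE.
    Its two cut sets overlap, so summing their probabilities would double
    count; the disjoint BDD paths give exactly q1 * (1 - (1-q2)(1-q3))."""
    bdd = build(("or", ("and", 1, 2), ("and", 1, 3)))
    return {"probability": subtree_probability(bdd, Q),
            "paths": list(disjoint_paths(bdd)),
            "importance_be1": probability_importance(bdd, Q, 1)}
```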

4. Case study

To validate the effectiveness of the extended HAZOP approach presented, a case study on a gas fractionation unit is conducted. The process flow diagram of the plant is shown in Fig. 5. Liquid petroleum gas (LPG) from an external device is charged into the feed tank of the depropanizer. Then, the LPG is heated to its bubble point in the feed preheater and the feed-condensate heat exchanger. The feed is channeled into the depropanizer at stage 27. The column consists of 70 stages and has a diameter of 3800 mm. In the column, the C2 and C3 components are the main overhead product, and the C4 and C5 components are the main bottom product. The overhead product is cooled and condensed before it is placed into a reflux drum. Here, a part of the condensed product is pumped into the depropanizer as reflux, whereas the remaining product is fed into a deethanizer. Finally, the bottom product of the depropanizer is fed into a deisobutanizer.

4.1. HAZOP analysis

The conventional HAZOP analysis is performed. Table 1 shows the HAZOP analysis results of the depropanizer. Because of space limitations, only six resulting deviations are listed, which involve temperature, level, and pressure. "More" is used as the guide word.

4.2. DFT analysis

Based on the HAZOP analysis results, hazard scenarios are subsequently established. Fig. 6 is a hazard scenario of column overpressure and equipment damage. Afterward, a fault consequence, namely overpressure of the column and equipment damage, is selected as the TE of the DFT. A DFT model is then constructed (see Fig. 7). The DFT is composed of 1 TE, 19 IEs, and 26 BEs. The model includes a PAND gate and two SPARE gates. The PAND logic gate is used to model the causes of the too high column feed temperature. The two SPARE logic gates are used to model the redundancy behavior of the system, i.e., a principal pump can be replaced by a standby pump when the principal pump fails. According to the modularization rule, the entire DFT is broken down into 16 static subtrees and 3 dynamic subtrees. A mission time of 8000 h (per year) is set in the following analysis. The failure rate data of each BE are shown in Table 2.

The failure probability of the IE in each static or dynamic subtree is solved through the BDD (Eqs. (5), (9)) and Markov chain approach (Eq. (10)), respectively. Table 3 shows the failure probability of each IE and of the TE in the DFT. The occurrence probability of the TE is 0.047781 per year, which is low, but its consequence is very serious. Therefore, providing recommendations to prevent fault occurrence is necessary. The most likely fault causes that lead to TE occurrence are then investigated. To address this concern, the probability importance of the BEs with respect to the entire system is calculated based on Eqs. (12)–(14). The calculation results are listed in Table 4. Table 4 shows that BE1, BE3, and BE2 are the most dominant factors that influence the occurrence of the TE. Preventive and control measures for BE1, BE3, and BE2 should be proposed to avoid the occurrence of these BEs. For BE1, the data signal from the local column top pressure gauge should be connected to the DCS, so that the column top pressure can be monitored in real time. For BE2, a pressure alarm and a valve-position detector for the pressure control valve should be installed at the top of the column. For BE3, a temperature detector and a temperature alarm in the reboiler return line should be installed, and the data signal obtained should be connected to the DCS. Again, the probability importance of BE16 and BE24 is moderate even though their failure rates are the highest among all BEs. The reason is the spare equipment in the two pump systems. Such spare equipment improves the reliability of the system in real industrial systems. Therefore, the failure probability of the event decreases, and this eventually results in a decreased probability importance. To achieve this, the redundancy behavior of this repairable system is modeled with the cold spare logic gate in the DFT. Consequently, the result of the DFT is more realistic and more consistent with actual failure records than that of static fault tree analysis.

Fig. 5. Process flow diagram of the depropanizing unit.

Table 1. HAZOP analysis results. Node: depropanizer. Guide word: More.

Process parameter | Deviation | Possible causes | Consequences
Temperature | 1. High feed temperature | 1.1 Control loop inactive in the condensed water-feed heat exchanger; 1.2 Control loop inactive in the hot water-feed heat exchanger | 1.1 Increase in temperature at the top of the column, product quality deterioration; 1.2 Column overpressure and equipment damage
Temperature | 2. High reflux temperature | 2.1 Air cooler failure; 2.2 Condenser failure | 2.1 Increase in temperature at the top of the column, product quality deterioration; 2.2 Column overpressure and equipment damage
Temperature | 3. High reboiler temperature | 3.1 Temperature control loop inactive at the bottom of the column | 3.1 Increase in column temperature, product quality deterioration; 3.2 Flooding column, operation balance disruption; 3.3 Lower column liquid level, damage of heating tubes in reboiler; 3.4 Column overpressure and equipment damage
Temperature | 4. High temperature at the top of the column | 4.1 to 4.3 Refer to deviation numbers 1 to 3 | –
Level | 5. High level of reflux drum | – | –
Pressure | 6. High pressure at the top of the depropanizer | 6.1 Column top pressure control loop inactive; 6.2 to 6.6 Refer to deviation numbers 1 to 5 | 6.1 Column overpressure and equipment damage; 6.2 Product quality deterioration
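An added example (my code, not from the paper) that evaluates Eq. (9) for the sequential chain of Fig. 4, sums branches as in Eq. (10), and cross-checks the closed form against a numerical solution of Eq. (8) built from the generator matrix of Eq. (7). Reading the reflux-pump SPARE gate of Section 4.2 as one chain, active pump (BE15) then standby pump (BE16), is my assumption; the rates and the 8000 h mission time come from Table 2 and Section 4.2, and the size of the perturbation used for coinciding rates is my choice.

```python
"""Markov-chain solution of a dynamic fault subtree, after Eqs. (7)-(10)."""
import math

# Shift added to 1/lambda when two chain rates coincide (the rule quoted from
# Yang (2006) in Section 3.2.2); the size of the shift is my choice.
MTTF_SHIFT_HOURS = 1e-3


def split_equal_rates(rates):
    """Return rates with any repeated lambda replaced by lambda' such that
    1/lambda' = 1/lambda + shift, so that Eq. (9) has no zero denominator."""
    out, seen = [], set()
    for lam in rates:
        while lam in seen:
            lam = 1.0 / (1.0 / lam + MTTF_SHIFT_HOURS)
        seen.add(lam)
        out.append(lam)
    return out


def chain_failure_probability(rates, t):
    """Eq. (9): probability that the chain 0 -> 1 -> ... -> n of Fig. 4 has
    reached the absorbing state n by time t. rates[r] is lambda_{r,r+1} in 1/h;
    the absorbing state is given lambda_{n,n+1} = 0, which supplies the k = n term."""
    lam = split_equal_rates(rates) + [0.0]
    n = len(rates)
    total = 0.0
    for k in range(n + 1):
        denom = 1.0
        for r in range(n + 1):
            if r != k:
                denom *= lam[r] - lam[k]
        total += math.exp(-lam[k] * t) / denom
    prefactor = 1.0
    for r in range(n):
        prefactor *= lam[r]
    return prefactor * total


def dynamic_subtree_probability(branches, t):
    """Eq. (10): sum of Eq. (9) over the m branched chains of the subtree."""
    return sum(chain_failure_probability(b, t) for b in branches)


def generator_matrix(rates):
    """Eq. (7): -lambda_{r,r+1} on the diagonal, +lambda_{r,r+1} to its right,
    and an all-zero row for the absorbing state n."""
    n = len(rates)
    a = [[0.0] * (n + 1) for _ in range(n + 1)]
    for r, lam in enumerate(rates):
        a[r][r], a[r][r + 1] = -lam, lam
    return a


def integrate_state_probabilities(rates, t, steps=2000):
    """Independent check of Eq. (9): integrate Eq. (8), P'(t) = P(t) A with
    P(0) = (1, 0, ..., 0), by classical RK4 and return the row vector P(t)."""
    a = generator_matrix(rates)
    m = len(a)
    p = [1.0] + [0.0] * (m - 1)
    h = t / steps

    def rhs(v):  # the row-vector product v A
        return [sum(v[i] * a[i][j] for i in range(m)) for j in range(m)]

    for _ in range(steps):
        k1 = rhs(p)
        k2 = rhs([p[j] + 0.5 * h * k1[j] for j in range(m)])
        k3 = rhs([p[j] + 0.5 * h * k2[j] for j in range(m)])
        k4 = rhs([p[j] + h * k3[j] for j in range(m)])
        p = [p[j] + h / 6.0 * (k1[j] + 2 * k2[j] + 2 * k3[j] + k4[j])
             for j in range(m)]
    return p


MISSION_HOURS = 8000       # mission time of the case study
ACTIVE_PUMP = 23.33e-6     # BE15 (and BE23) failure rate from Table 2, per h
STANDBY_PUMP = 30.83e-6    # BE16 (and BE24) failure rate from Table 2, per h


def reflux_pump_failure_probability():
    """Cold-spare reflux pump read as a single chain: the active pump fails,
    then the standby pump fails (my reading of the SPARE gate in Section 4.2).
    Table 3 lists 0.019949 for IE15."""
    return dynamic_subtree_probability([[ACTIVE_PUMP, STANDBY_PUMP]], MISSION_HOURS)


def identical_pumps_failure_probability():
    """Same chain with two identical pumps: the coinciding-rate case of Eq. (9).
    The exact value is 1 - exp(-lambda t) (1 + lambda t)."""
    return chain_failure_probability([ACTIVE_PUMP, ACTIVE_PUMP], MISSION_HOURS)


if __name__ == "__main__":
    p9 = reflux_pump_failure_probability()
    p8 = integrate_state_probabilities([ACTIVE_PUMP, STANDBY_PUMP], MISSION_HOURS)[-1]
    print(f"IE15 by Eq. (9): {p9:.6f}   by integrating Eq. (8): {p8:.6f}")
    print(f"two identical pumps: {identical_pumps_failure_probability():.6f}")
```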

Fig. 6. A hazard scenario of column overpressure and equipment damage.

Fig. 7. DFT model of the depropanizing unit.

Table 2. Failure rate data of each basic event in the DFT.

Name | Event description | Failure rate (per 10^6 h)
BE1 | Pressure sensor failure | 3.52
BE2 | Valve opening too small because of being stuck | 6.89
BE3 | Temperature sensor failure | 9.65
BE4 | Valve opening too large because of being stuck | 2.71
BE5 | Bypass pipeline of the control valve opened by mistake | 0.08
BE6 | Cooling pipe blockage | 3.92
BE7 | Motor failure | 21.53
BE8 | Fan damage | 10.8
BE9 | Increase in fouling thermal resistance | 3.04
BE10 | Reduction of circulating water | 6.19
BE11 | Temperature sensor failure | 9.65
BE12 | Valve opening too large because of being stuck | 2.71
BE13 | Temperature sensor failure | 9.65
BE14 | Valve opening too large because of being stuck | 2.71
BE15 | Active pump failure | 23.33
BE16 | Standby pump failure | 30.83
BE17 | Flow sensor failure | 6.83
BE18 | Valve opening too small because of being stuck | 7.85
BE19 | Instrument-air regulator failure | 6.41
BE20 | Liquid level sensor failure | 5.57
BE21 | Valve opening too small because of being stuck | 7.85
BE22 | Instrument-air regulator failure | 6.41
BE23 | Active pump failure | 23.33
BE24 | Standby pump failure | 30.83
BE25 | Flow sensor failure | 6.54
BE26 | Valve opening very large because of being stuck | 2.71

Table 3. Failure probability of each intermediate event and the top event in the DFT.

Name | Event description | Failure probability (8000 h)
TE | Column overpressure and equipment damage | 0.047781
IE1 | Column top pressure increase | 0.597968
IE2 | Pressure control loop failure | 0.079906
IE3 | Excessive high temperature of the column top | 0.374323
IE4 | Much too high liquid level of the reflux drum | 0.357444
IE5 | Much too high reflux temperature | 0.305001
IE6 | Much too high feed temperature | 0.006178
IE7 | Much too high reboiler temperature | 0.094149
IE8 | Less of the reflux flow rate | 0.172106
IE9 | Less of the deethanizer feed flow rate | 0.163719
IE10 | Too much depropanizer feed flow rate | 0.071923
IE11 | Air cooler failure | 0.171519
IE12 | Condenser failure | 0.071180
IE13 | Control loop inactive in the feed-condensate heat exchanger | –
IE14 | Control loop inactive in the feed preheater | –
IE15 | Reflux pump failure | 0.019949
IE16 | Control loop inactive in the reflux pipe | 0.155254
IE17 | Control loop inactive in the reflux drum | 0.146697
IE18 | Deethanizer feed pump failure | 0.019949
IE19 | Feed control loop inactive | 0.071329

Table 4. Ranking results of the probability importance of BEs with respect to the entire system.

No. | BE no. | I^Pr_Sys(i) (×10^-3)
1 | 1 | 952.22
2 | 3 | 576.73
3 | 2 | 561.39
4 | 22 | 34.45
5 | 4 | 34.43
6 | 23 | 34.05
7 | 19 | 33.93
8 | 21 | 33.82
9 | 18 | 33.66
10 | 26 | 33.58
11 | 20 | 33.55
12 | 27 | 32.57
13 | 5 | 32.57
14 | 6 | 31.89
15 | 8 | 10.26
16 | 9 | 9.42
17 | 7 | 8.91
18 | 16 | 7.11
19 | 24 | 7.11
20 | 17 | 5.54
21 | 25 | 5.54
22 | 14 | 3.37
23 | 15 | 3.19
24 | 11 | 3.18
25 | 10 | 3.11
26 | 13 | 1.22
27 | 12 | 0.39

5. Conclusions

In this paper, an extended HAZOP analysis approach with a dynamic fault tree has been proposed to identify the potential hazards in chemical plants. The conventional HAZOP analysis is used to identify the possible causes and consequences that correspond to deviations. To represent fault propagation pathways, the hazard scenario model is constructed on the basis of the HAZOP analysis result. DFT analysis is a quantitative safety assessment approach that can intuitively represent hazard scenarios to obtain all failure modes and locate fault origins. With the advantages of DFT analysis considered, the DFT approach is introduced to extend HAZOP analysis. With the use of the extended HAZOP analysis approach, the root causes that lead to TE occurrence can be identified. More importantly, the failure probability of the system and the probability importance of the BEs can be quantitatively solved through the BDD and Markov chain approach. Based on the result of the extended HAZOP analysis, the management staff can make appropriate decisions and propose safety-related actions. Finally, a case study has been performed on a depropanizing unit. The results show that the assessment data obtained with the approach are consistent with the actual failure records. The operators and technicians involved in the analysis have also helped in further enhancing understanding of the plant fault mechanism. Overall, the findings indicate that the extended HAZOP analysis approach proposed is an efficient safety assessment method for the complex chemical industry.

In further research, we will introduce a dynamic procedure for atypical scenarios identification (DyPASI) (Paltrinieri et al., 2013) in HAZOP scenario analysis, which can perform a comprehensive

hazard identification of previously unrecognized atypical scenarios. Thus, the knowledge base on standard fault scenarios for the typical chemical process can be set up to provide effective support to establish the DFT that contributes to the extended HAZOP analysis. Zhao et al. developed a learning HAZOP expert system by integrating of case-based reasoning and ontology in HAZOP analysis, which can help automate both “routine” and “non-routine” HAZOP analysis (Zhao et al., 2009). The proposed approach can provide an effective way for our future research. We are gradually collecting HAZOP cases and establishing database in order to improve the completeness of HAZOP analysis. However, the application of our database still requires some time. Acknowledgments The authors would like to acknowledge the support of the National Natural Science Foundation of China (Approved Grant No. 51205340) and Project of Education Department of Hebei Province (Approved Grant No. Z2013031). References Bjorkman, K., 2013. Solving dynamic flowgraph methodology models using binary decision diagrams. Reliab. Eng. Syst. Saf. 111, 206e216. Chang, S.Y., Lin, C.R., Chang, C.T., 2002. A fuzzy diagnosis approach using dynamic fault trees. Chem. Eng. Sci. 57 (15), 2971e2985. Cui, L., Shu, Y.D., Wang, Z.H., Zhao, J.S., Qiu, T., Sun, W.Y., Wei, Z.Q., 2012. HASILT: an intelligent software platform for HAZOP, LOPA, SRS and SIL verification. Reliab. Eng. Syst. Saf. 108, 56e64. Gao, S.C., 2005. Dynamic Fault Tree Analysis Method and Implementation (Master thesis). National University of Defense Technology, China. Giardina, M., Morale, M., 2015. Safety study of an LNG regasification plant using an FMECA and HAZOP integrated methodology. J. Loss Prev. Process Ind. 35, 35e45. Hu, J.Q., Zhang, L.B., Cai, Z.S., 2015. Fault propagation behavior study and root cause reasoning with dynamic Bayesian network based framework. Process Saf. Environ. Prot. 97, 25e36. Ji, H.Y., 2002. 
Investigation on Dynamic Fault Tree Analysis Method (Master thesis). National University of Defense Technology, China.
Kuo, D.H., Hsu, D.S., Chang, C.T., 1997. A prototype for integrating automatic fault tree/event tree/HAZOP analysis. Comput. Chem. Eng. 21 (Suppl.), S923–S928.
Leone, H., 1996. A knowledge-based system for HAZOP studies: the knowledge representation structure. Comput. Chem. Eng. 20 (Suppl. 1), S369–S374.
Ou, Y., Dugan, J.B., 2003. Approximate sensitivity analysis for acyclic Markov reliability models. IEEE Trans. Reliab. 52 (2), 220–230.
Paltrinieri, N., Tugnoli, A., Buston, J., 2013. Dynamic procedure for atypical scenarios identification (DyPASI): a new systematic HAZID tool. J. Loss Prev. Process Ind. 26 (4), 683–695.
Rauzy, A.B., 2011. Sequence algebra, sequence decision diagrams and dynamic fault trees. Reliab. Eng. Syst. Saf. 96 (7), 785–792.


Reay, K.A., Andrews, J.D., 2002. A fault tree analysis strategy using binary decision diagrams. Reliab. Eng. Syst. Saf. 78 (1), 45–56.
Remenyte-Prescott, R., Andrews, J.D., 2008. An enhanced component connection method for conversion of fault trees to binary decision diagrams. Reliab. Eng. Syst. Saf. 93 (10), 1543–1550.
Srinivasan, R., Venkatasubramanian, V., 1998. Automating HAZOP analysis of batch chemical plants: part I. The knowledge representation framework. Comput. Chem. Eng. 22 (9), 1345–1355.
Xing, L.D., Gregory, L., 2013. BDD-based reliability evaluation of phased-mission systems with internal/external common-cause failures. Reliab. Eng. Syst. Saf. 112, 145–153.
Yang, J., 2006. Study on Subway Main Control System Reliability Evaluation Method Based on DFTA (Master thesis). Southwest Jiaotong University, China.
Zhang, R.L., Lowndes, I.S., 2010. The application of a coupled artificial neural network and fault tree analysis model to predict coal and gas outbursts. Int. J. Coal Geol. 84 (2), 141–152.
Zhao, J.S., Cui, L., Zhao, L.H., Qiu, T., Chen, B.Z., 2009. Learning HAZOP expert system by case-based reasoning and ontology. Comput. Chem. Eng. 33 (1), 371–378.