Journal Pre-proof
Quantifying human error probability in independent protection layers for a batch reactor system using dynamic simulations
Changlong Zhu, Meng Qi, Juncheng Jiang
PII: S0957-5820(18)31467-8
DOI: https://doi.org/10.1016/j.psep.2019.11.021
Reference: PSEP 1995
To appear in: Process Safety and Environmental Protection
Received Date: 28 December 2018
Revised Date: 31 July 2019
Accepted Date: 20 November 2019
Please cite this article as: Zhu C, Qi M, Jiang J, Quantifying human error probability in independent protection layers for a batch reactor system using dynamic simulations, Process Safety and Environmental Protection (2019), doi: https://doi.org/10.1016/j.psep.2019.11.021
This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. © 2019 Published by Elsevier.
Quantifying human error probability in independent protection layers for a batch reactor system using dynamic simulations
Changlong Zhu a, Meng Qi b,c, Juncheng Jiang a,*
a Jiangsu Key Laboratory of Hazardous Chemicals Safety and Control, College of Safety Science and Engineering, Nanjing Tech University, Nanjing 210009, China
b College of Chemical Engineering, China University of Petroleum (Qingdao), Qingdao 266580, China
c Department of Chemical and Biomolecular Engineering, Yonsei University, 50 Yonsei-ro, Seodaemun-gu, Seoul 03722, South Korea
* Corresponding author. E-mail address: [email protected] (J. Jiang).
Abstract: Batch processing facilities, which involve large-scale human intervention, are generally considered to be relatively hazardous processes because of frequent changes in operating conditions. Therefore, sufficient protection layers should be implemented against the hazards inherent in batch processing facilities, especially for batch reactor systems. The human operations involved in the batch process play an important role in maintaining production and are also responsible for reducing risks in specific possible accident scenarios. However, in practice, a number of companies initially did not take any credit for human actions in Layer of Protection Analysis (LOPA) or were overly optimistic in a few cases, which results in unwarranted safety expenditures or inadequate risk reductions. In this study, we propose a simulation-oriented methodology for quantifying human error probability (HEP) in independent protection layers (IPLs). The methodology integrates dynamic simulations with human reliability analysis (HRA) to give a comprehensive analysis of human actions. A case study for a batch reactor system shows that the risk reductions of human response are expected to be greater than those determined using other methods. The present study provides a solution for analyzing the risk reductions of human elements within the IPL and serves as a reference for improving the emergency response of operators.
Keywords: Human error probability; dynamic simulations; human reliability analysis; independent protection layer; batch reactor system
1. Introduction
Numerous hazards in the chemical process can lead to serious accident consequences associated with casualties, property losses, and environmental impacts (Khan and Abbasi, 1998; Lees, 2012). These hazards, of varying degree, are located in different operating units, and the reaction unit may carry the highest hazards throughout the chemical process (Berdouzi et al., 2018; Molnár et al., 2005). Therefore, sufficient protection layers should be implemented in the chemical process, especially on the reactor, to prevent possible accidents. There are three types of reactors according to the operation mode (continuous, batch and semi-batch) or according to the heat exchange mode (isothermal, adiabatic and non-isothermal non-adiabatic) (Winterbottom and King, 1999). Among them, the batch and non-isothermal non-adiabatic reactors are potentially more hazardous because most of the reactions in these reactors are exothermic reactions with extremely high thermal hazards. In the fine chemical industry, because of the small production scale and frequent catalyst replacement, the reactors used are often batch reactors, so continuous injection of cooling medium is required to remove the heat released by the reaction in time (Roberge et al., 2005). If the cooling system fails, the heat cannot be removed in time, which will cause the internal temperature of the reactor to rise sharply, creating various risks in the reaction system (Luyben, 2012). In severe cases, if the released heat continues to accelerate the reaction rate and release more heat, forming a vicious circle, a runaway reaction will occur, leading to catastrophic consequences. In batch reactors, thermal risk is a common risk and should therefore be mitigated to acceptable levels using inherently safer designs, safety techniques and other protective measures (Ni et al., 2016; Westerterp and Molga, 2006). Generally, layer of protection analysis (LOPA) is used as a practical and effective method to identify and guard against the risks inherent in the process (Dowell III, 1999; Summers, 2003). Typical protection layers for chemical processes are shown in Fig. 1.
A serious accident is usually caused by a process deviation that begins with the initiating event (Carlos et al., 2018). In most cases, the initiating events can be prevented from developing into deviations by the first two layers: process design and the basic process control system (BPCS). In the event of a deviation, protection layers including critical alarms and human intervention, the safety instrumented system (SIS), and physical protection should be activated to prevent accidents or eliminate serious consequences.
Fig. 1. Layers of defense against a possible accident.
However, for batch operation processes, the critical alarms and human intervention independent protection layer (CAHI-IPL) is critical for preventing possible accidents because of frequent and large-scale personnel operations. Nevertheless, a number of companies did not take any credit for human actions in LOPA as a risk reduction approach (Myers, 2013). As a result, they found it to be too conservative, leading to unwarranted safety expenditures for reducing risks through other IPLs. However, human actions are not completely reliable. Whether a person can perform the appropriate action in an emergency is determined by a complex process consisting of multiple factors. That means the reduction of accident risk through human actions is limited by human errors, and it may now rely on human factors experts' knowledge to quantify human error probabilities (HEPs) as accurately as possible. For the determination of HEP, also known as probabilities of failure on demand (PFD) for human actions or response, various approaches are available, ranging from quite simple methods to complex calculations. Table 1 lists a summary of PFD determination for human actions or response reviewed by Myers (2013). It is observed that current methods tend to obscure the results because there are only integer risk reduction factors, and it is assumed that the operator performs the actions without considering their experience and abilities, making the results sometimes underestimated and sometimes too optimistic. Therefore, it is necessary to implement a quantitative human error estimation technique based on specific process accident scenarios when determining the risk reductions of CAHI-IPLs. Certainly, human reliability analysis (HRA) should be the solution to this problem.

Table 1. Summary: probabilities of failure on demand for human actions or response (Myers, 2013).

Time available after alarm | Conditions and/or description (assuming adequate documentation, training and testing procedures) | Probabilities of failure on demand
CCPS Layer of Protection Analysis (2001) | |
10 min | Human action with simple, well-documented action with clear and reliable indications that the action is required. | 10^-1 (data range from 10^-1 to 1.0)
40 min | Human response to BPCS indication or alarm. Simple, well-documented action with clear and reliable indications that the action is required. | 10^-1 (>10^-1 allowed by IEC/ISA)
40 min | Human action with simple, well-documented action with clear and reliable indications that the action is required. | 10^-1 (data range from 10^-1 to 10^-2)
CCPS guidelines for safe and reliable instrumented protective systems (2007) | |
any response time | Operator action is complicated. | 1.0
<10 min | Operator must troubleshoot to determine what the appropriate response is. | 1.0
2-10 min | Drilled and practiced response, also known as a "never exceed, never deviate" response. If the alarm is received, the operator must execute the safe state action without delay. Alarm is independent of the BPCS. | 10^-1
≥10 min | Operator response does not require troubleshooting or investigation prior to action. Alarm may be implemented in the BPCS or independent of the BPCS. | 10^-1
≥40 min | Operator response requires minor troubleshooting or investigation prior to action. Alarm may be implemented in the BPCS or independent of the BPCS. | 10^-1
24 h | Multiple operators can take action. Alarm should be automatically repeated at an interval necessary to ensure that each shift is notified of the process condition. Minor troubleshooting may be performed prior to action. Alarm is independent of the BPCS. | 10^-2
Numerous HRA methods have been presented in the fields of reliability, safety engineering, and risk analysis, and have been widely used in nuclear plants, aviation, manufacturing, transportation, and other industries (Pan et al., 2017). HRA methods can generally be classified into three generations. The first-generation HRA methods include the technique for human error rate prediction (THERP), human cognitive reliability (HCR) and the success likelihood index methodology (SLIM). The second-generation HRA methods, which combine behavioral science, psychology, and other areas of scientific study, include a technique for human error analysis (ATHEANA) and the cognitive reliability and error analysis method (CREAM). HRA methods based on the cognitive simulation model (COSIMO) are called third-generation. The typical HRA methods can also be divided into three categories, that is, task-related (THERP, SLIM, etc.), time-related (HCA, etc.) and context-related (CREAM, SPAR-H, etc.), which are elaborated in the literature (Pan et al., 2017; Yingkai et al., 2018). In determining the probability of human reliability, the context-related PSFs (Performance Shaping Factors), PIFs (Performance Influencing Factors), and CPCs (Common Performance Conditions) are important factors in determining human performance. However, expert judgment always plays a critical role in these factors (Liu et al., 2018). To overcome the reliance on subjective experience, artificial intelligence will be used to calculate human reliability in different situations based on complex simulators and big data algorithms. These methods not only have the relative correctness of the theoretical model, but can also observe, test or verify the reliability of the model through massive data. Among all of these methods, although advanced HRA methods can obtain relatively accurate results, the estimation is complicated and involves many expert judgments.
A first-generation HRA method such as the HCR method can be easily used to estimate the HEP in the chemical industries because the available time and the personnel skill have a significant impact on operator response in an emergency. The method is simple and is more suitable for HEP estimation of human emergency response without a large amount of subjective experience. Since the human element within the IPL is an important way to address risk reductions of possible accidents, the purpose of this study is to quantify HEP by combining HRA and process dynamic simulations to better determine the reasonable risk reduction of human actions in the batch operation process. The remainder of this paper is organized as follows. First, the methodology is illustrated and explained in Section 2. Then a batch reactor system is studied in Section 3 to demonstrate the implementation of the proposed methodology. The system is described in detail and dynamic simulation of three identified possible accident scenarios is performed. In Section 4, the HCR method is employed to estimate the HEPs of the three scenarios. The LOPA was conducted using the calculated HEPs, and the risk reductions of CAHI-IPLs in this study are compared with those determined by CCPS guidelines. Finally, discussions and conclusions are given in Section 5.
2. Methodology
For a process in which the initiating event develops into a possible accident, the time sequence in which the process deviation propagates through the protection layers is shown in Fig. 2. Process parameters will deviate from normal operating values when an initiating event occurs that is caused by equipment failure, human error or natural disaster. Deviation parameters such as temperature, pressure and flow rate that may cause an accident tend to increase, and in a few cases decrease. In general, the active IPLs first prevent the propagation of deviations, starting with the CAHI-IPL and going to the SIS-IPL. When the process parameters reach the set point of the alarm, this means that the BPCS has failed to return the parameters to normal, so human intervention is required to bring the process back to the safe state or shut down the plant. The general process of human response to alarms and abnormal conditions consists of four steps: observe, diagnose, make a decision, and then take action to reduce or eliminate the undesired consequence. The operator, whether in the control room or in the plant, who observes the abnormal conditions or receives the alarms should diagnose the situation and decide what to do. In considering CAHI-IPLs, the operator expected to take action must have sufficient time to do so, and the maximum allowable time decides the success rate of performing a response task. In Fig. 2, this study defines the maximum allowable time for human actions to bring the process to the safe state as running from the time the alarm is activated to the time the SIS is activated. This time is regarded as the "time available after the alarm", as shown in Table 1. It is no doubt that reduced available time leads to higher risk reductions for CAHI-IPLs.
Fig. 2. Time sequences for process deviations developing into accidents.
The "time available after the alarm" is an important consideration when evaluating CAHI-IPLs versus engineered solutions, and it can be determined using simulation tools. Based on this time, a methodology is presented in Fig. 3 that combines HRA and process dynamic simulation to quantify HEPs in IPLs. The simulation-oriented approach provides a convenient and objective way to quickly quantify the HEP. The methodology consists of the following four steps. In the first step, a mathematical model of the process should be established, including mass balance equations and energy balance equations, with process initial conditions, to obtain process parameters under normal operations. The first step can be performed using numerical analysis software (MATLAB, POLYMATH) or professional simulation software (ASPEN PLUS and HYSYS). The second step focuses on the identification of process accident scenarios. The scenarios selected for dynamic simulation come from three main areas: accidents analysis, literature review and personal experience. These scenarios must involve critical hazards in the process, and each scenario should correspond to a process hazard as it describes a single cause-consequence pair. In the third step, dynamic simulation is performed for each identified scenario by modifying the initial process conditions to represent the process deviations. The critical deviations can be confirmed from the simulation results; the "time available after the alarm" can then be obtained from the critical deviation situation and used to calculate the HEPs. It is no doubt that simulation using professional simulation software is more complicated, but the results are more reliable and accurate, especially when dealing with lengthy and complex process systems. However, numerical analysis software has advantages for relatively simple processes, giving results in an efficient and convenient manner. The following part summarizes the advantages and disadvantages of the two options for performing simulations to provide a basis for users to select the simulation method.
Option 1: Numerical analysis software
To perform the simulation using Option 1, only fundamental process information needs to be provided. The parameters are simple to modify and the simulation speed is fast, which is especially suitable for a variety of simple scenario simulations. However, the simulation cannot deal with complex process systems involving multiple operations. It is also difficult to simulate complex accident scenarios of simple systems.
Option 2: Professional simulation software
Option 2 can be used to simulate any processes and operation units with high accuracy and reliability, and can truly reflect the dynamic changes in process parameters with the basic process control logic. However, the process information required to perform Option 2 is too detailed compared to Option 1, such as the Piping & Instrument Diagram (P&ID), equipment size, and instrument operating parameters. Incomplete and inaccurate input information has a significant impact on the results, and the simulation is time-consuming and difficult to converge.
Fig. 3. Methodology proposed in this study.
The fourth step is estimating the HEP using the HCR method based on the allowable time for human actions. In this work, a batch reactor system was used as a case study to demonstrate the implementation of our methodology. The dynamic simulation of the batch reactor was performed with Option 1 and run in the Polymath environment. The reason for choosing Option 1 is that the case study involves only one batch reactor with limited information available, and the batch operation process is straightforward. Three deviation scenarios were identified, and the HEPs under critical deviations were then calculated with the HCR method. With the proposed methodology, the risk reductions of CAHI-IPLs were investigated and the improvement of SIL selection in the batch operation plant was analyzed.
3. Dynamic simulations of the batch reactor system
3.1 Description of the batch reactor system
An exothermic batch reactor system (Arpornwichanop et al., 2005; Podofillini and Dang, 2012) is used as a case study. The reactor system consists of a batch reactor and a jacket temperature control system. The schematic diagram of the reactor system is shown in Fig. 4. The batch reactor is fed from two pipe inlets: reactant A and reactant B. When the two reactants are thoroughly mixed, the reaction begins and gradually becomes stable under normal operating conditions. The temperature sensors ($T_rE$ and $T_jE$) detect the inner temperatures of the reactor and jacket ($T_r$ and $T_j$), respectively. The inner temperature of the jacket can be controlled by a temperature controller ($T_jC$) that automatically adjusts the flow rate of the cooling and heating fluid. Under normal operations, the set value of $T_jC$ is 71℃ and the flow rate $F_j$ of the fluid entering the jacket is 0.348 m3/min.
Fig. 4. The schematic diagram of an exothermic batch reactor system.
According to the process design requirements, the temperature of the reactor $T_r$ cannot exceed 90℃ under normal operation. If there is an operational error or a component failure that causes an unexpected scenario, the heat balance will be disturbed and excessive heat will be generated by the exothermic reaction. If the internal temperature of the reactor reaches the set value of the high temperature alarm (TAH), the first alarm will be activated. At this point, the operator receiving the alarm should be instructed to lower the setpoint temperature of the jacket temperature controller ($T_jC$) below 40℃. Excessive heat will cause the reactor temperature to rise rapidly if effective human actions are not taken in time. In that case the second alarm, the high-high temperature alarm (TAHH), will be activated. Once the second alarm is activated, the SIS will shut down the reactor and the quench water will discharge to cool the reactor.
The time interval between the two alarms is considered to be the allowable operator response time in the CAHI-IPL. After the second alarm, the SIS is responsible for bringing the reactor back to the safe state; thus, the second alarm set value is also the set value of the SIS. For this reactor system, the set values of TAH and TAHH are assumed to be 90℃ and 100℃ (Luyben, 2012; Podofillini and Dang, 2012), respectively.
3.2 Mathematical model
It is assumed that two parallel highly exothermic liquid-phase reactions are carried out in the batch reactor. The reaction equations are as follows:

$$A + B \xrightarrow{k_1} C \tag{1}$$

$$A + C \xrightarrow{k_2} D \tag{2}$$

where A and B are reactants, and C and D are the desirable product and undesirable by-product, respectively. The rate constants $k_1$ and $k_2$ are temperature-dependent according to the Arrhenius relation. The batch reactor is modeled by the following equations.

Mass balances in the reactor:

$$\frac{dM_A}{dt} = -k_1 M_A M_B - k_2 M_A M_C \tag{3}$$

$$\frac{dM_B}{dt} = -k_1 M_A M_B \tag{4}$$

$$\frac{dM_C}{dt} = k_1 M_A M_B - k_2 M_A M_C \tag{5}$$

$$\frac{dM_D}{dt} = k_2 M_A M_C \tag{6}$$

Energy balances around the reactor:

$$\frac{dT_r}{dt} = \frac{Q_r + Q_j}{M_r C_{pr}} \tag{7}$$

$$\frac{dT_j}{dt} = \frac{F_j \rho_j C_{pj} (T_{jsp} - T_j) - Q_j}{V_j \rho_j C_{pj}} \tag{8}$$

With,

$$k_1 = \exp\left(k_{11} - \frac{k_{12}}{T_r + 273.15}\right) \tag{9}$$

$$k_2 = \exp\left(k_{21} - \frac{k_{22}}{T_r + 273.15}\right) \tag{10}$$

$$W = MW_A M_A + MW_B M_B + MW_C M_C + MW_D M_D \tag{11}$$

$$M_r = M_A + M_B + M_C + M_D \tag{12}$$

$$C_{pr} = \frac{C_{pA} M_A + C_{pB} M_B + C_{pC} M_C + C_{pD} M_D}{M_r} \tag{13}$$

$$Q_r = -\Delta H_1 (k_1 M_A M_B) - \Delta H_2 (k_2 M_A M_C) \tag{14}$$

$$Q_j = UA(T_j - T_r) \tag{15}$$

$$A = \frac{2W}{\rho r} \tag{16}$$
where $M_i$ is the mole amount of component "i", $T_r$ is the reactor temperature, $T_j$ is the jacket temperature, and $T_{jsp}$ is the set point value of the jacket temperature controller ($T_jC$). $Q_r$ and $Q_j$ are the heat produced by the reaction and the heat exchanged through the jacket-reactor interface, respectively; $F_j$ is the mass flow in the jacket. Other variables and parameters are given in Appendix A. The mathematical model is explained as follows: Eqs. (3)-(6) describe the change of substances in the reactor over time. Eqs. (7)-(8) describe the change of temperature of the reactor and jacket over time. The reaction kinetics are expressed as Eqs. (9)-(10). Eqs. (11)-(12) calculate the total weight and total moles of the substances in the reactor. Eqs. (13)-(16) calculate the average heat capacity, heat input, heat removal, and the heat transfer area of the reactor, respectively. For more information on equations and initial parameters, see Appendix B. The dynamic performance of the reactor can be simulated by solving the mathematical model in the Polymath software. The initial conditions for $M_A$, $M_B$, $M_C$, $M_D$ used in all simulation studies are derived from (Arpornwichanop et al., 2005; Podofillini and Dang, 2012), assuming 12, 12, 0, and 0 kmol, respectively. The initial values of the reactor and jacket temperatures are set to 20℃ and the duration of the batch is 240 min. Some key variables of the simulation results are shown in Table 2.
Table 2. Some key variables of the batch reactor under normal operation.

No. | Variable | Initial value | Minimal value | Maximal value | Final value
1 | A (reactant, mol) | 12 | 4.53 | 12 | 4.53
2 | B (reactant, mol) | 12 | 5.09 | 12 | 5.09
3 | C (product, mol) | 0 | 0 | 6.36 | 6.36
4 | D (by-product, mol) | 0 | 0 | 0.56 | 0.56
5 | Tr (reactor temperature, ℃) | 20 | 20 | 87.29 | 73.14
6 | Tj (jacket temperature, ℃) | 20 | 20 | 75.56 | 71.60
It can be seen that the maximum temperature of the reactor (87.29℃) is lower than the set value of the first alarm of 90℃. The final value of the jacket temperature (71.60℃) is close to the set value of the jacket temperature controller ($T_jC$) of 71℃. The temperature profile in the reactor and jacket over time is shown in Fig. 5. After one batch operation, the amount of the desired product C is 6.355 kmol and the amount of the undesired by-product D is 0.558 kmol. The mole profile of A, B, C and D over time is shown in Fig. 6. The values obtained under normal operation are consistent with the results of Podofillini and Dang (2012). Thus, the correctness of the model has been verified and it is possible to proceed with the preparation of the dynamic simulation program.
Fig. 5. The temperature profile in the reactor and jacket over time.
Fig. 6. The mole profile of A, B, C and D in the reactor over time.
3.3. Identification of possible accident scenarios
The identification of the possible accident scenarios is conducted through literature review and accidents analysis. This study evaluated comprehensive factors that could pose a risk in the batch reactor to identify possible accident scenarios. The analysis is presented as follows.
1) Literature review
Luyben (2012) used dynamic simulation for predicting the process dynamic changes in critical variables. He studied temperature and pressure changes under the failure scenarios of the reactor cooling system in different processes. A common example was loss of coolant, which could be refrigerant, cooling water or boiler feed water. Lou et al. (2006) conducted a study on the changes in the temperature, pressure and reaction conversion rate of the reactor under the scenarios of decreased feed and cooling water rate. Eizenberg et al. (2006) combined HAZOP analysis to study the thermal runaway of the reactor caused by the reduction of the cooling medium flow rate, effective heat transfer rate and effective jacket volume. Janošovský et al. (2017) studied reactor system deviations caused by changes in cooling medium flow rate, feed temperature and composition. Berdouzi et al. (2018) studied reactor parameter deviations caused by cooling failure, controlled temperature changes and abnormal reactant concentrations in a batch reactor. To conclude, the failure of the cooling system and changes in the composition and temperature of feed material were the most common scenarios that cause accidents in the reaction system.
2) Accidents analysis
Westerterp and Molga (2006) gave statistical data on the prime causes of batch reactor incidents from 1960 to 1990, in which more than 60% of the incidents could probably have been avoided if a proper design of the reactor plant and choice of the safe operating conditions had been performed. Saada et al. (2015) investigated 30 runaway incidents involving thermal chemical reactions in the UK over the past 25 years (1988–2013). The study showed that operator errors, management failures and lack of organized operating procedures had been the possible causes of about 77% of all the thermal runaways.
Through our analysis, the main reasons for accidents in the batch reactor could be attributed to three aspects: 1) changes in the concentration of raw materials or impurities; 2) cooling system failures resulting in reduced or no flow of cooling media; 3) inappropriate parameter setting values of the instrumentation and control system. The most hazardous scenarios for the batch reaction system are listed as follows:
Scenario 1: "More moles of reactant A enters the reactor (The normal feed of A is 12 kmol.)";
Scenario 2: "High set temperature value of $T_jC$ (The normal value of $T_{jsp}$ is 71℃.)";
Scenario 3: "Reduction of the flow rate of cooling media into the jacket (The normal value of $F_j$ is 0.384 m3/min.)".
3.4. Dynamic simulations
The dynamic simulation of the three scenarios can be achieved by changing the process input, increasing or decreasing it by a fixed percentage at each step. The simulation results of Scenario 1, with the initial moles of A increasing by 5% per step, are shown in Fig. 7. When the initial moles of A reach 14.4 kmol (120% of the normal value), the alarms will be activated successively; otherwise the temperature cannot exceed the second alarm set value, so there will be no serious consequences. The first alarm (TAH) is activated at 76 min (t11) and the second alarm (TAHH) is activated at 94 min (t12). In general, the time interval between t11 and t12 can be considered as the maximum allowable response time for the operator to perform actions to prevent accidents. The reaction rate will then gradually decrease over time due to the decrease in residual reactants. Finally, as the cooling medium continues to be added to the jacket, the reactor temperature drops to about 70 °C. If the initial moles of A reach 15 kmol (125% of normal) or higher, the thermal risk can lead to unintended consequences, as shown in Figs. 8 and 9. The highest temperature of the reactor is close to 130 °C, resulting in more undesirable by-product D.
Fig. 7. The temperature profiles in the reactor and jacket over time (Scenario 1).
11
re
-p
ro of
Fig. 8. The temperature profiles in the reactor and jacket when A reaches 15 kmol.
Fig. 9. The mole profiles of product (C) and by-product (D) when A reaches 15 kmol.
For Scenario 2, the simulation is performed by increasing the set temperature ($T_{jsp}$) by 1℃ per step; the results are shown in Fig. 10. When $T_{jsp}$ is set to 73℃, the alarms will be activated successively. The first alarm (TAH) is activated at 72 min (t21) and the second alarm (TAHH) is activated at 96 min (t22). If $T_{jsp}$ is set above 74℃, serious accidents may occur, as shown in Figs. 11 and 12.
Fig. 10. The temperature profiles in the reactor and jacket over time (Scenario 2).
Fig. 11. The temperature profiles in the reactor and jacket when the Tjsp is set to 74℃.
Fig. 12. The mole profiles of product (C) and by-product (D) when the Tjsp is set to 74℃.
For Scenario 3, the reduction in flow rate is assumed to be 70%, 60%, 50% of the normal value. The simulation results are shown in Fig. 13. When the flow rate drops to 50% of the normal value, the alarms will be activated successively. The first alarm (TAH) is activated at 93 min (t31) and the second alarm (TAHH) is activated at 109 min (t32). Similarly, if the flow rate is less than 40% of the normal value, serious accidents may occur, as can be seen from Figs. 14 and 15.
Fig. 13. The temperature profiles in the reactor and jacket over time (Scenario 3).
Fig. 14. The temperature profiles in the reactor and jacket when the flow rate is 40% of the original.
Fig. 15. The mole profiles of product (C) and by-product (D) when the flow rate is 40% of the original.
This section simulates and analyzes three identified scenarios that may cause thermal risks associated with vessel rupture and reduced productivity. Table 3 summarizes the allowable operator response time for the three scenarios. As can be seen from the results, the time available in the CAHI-IPL in the same process may vary greatly for different scenarios, and the available time in Scenario 2 is much longer than in Scenarios 1 and 3.

Table 3. The allowable operator response time for three scenarios.

Scenarios | Critical deviations | The activated time of the first and second alarms | The allowable response time
Scenario 1 | The moles of A cannot exceed 120% of the normal value. | t11 = 76 (min); t12 = 94 (min) | t12 - t11 = 18 (mins)
Scenario 2 | The set temperature of TCS cannot exceed 73℃. | t21 = 72 (min); t22 = 96 (min) | t22 - t21 = 24 (mins)
Scenario 3 | The flow rate cannot be lower than 50% of the normal value. | t31 = 93 (min); t32 = 109 (min) | t32 - t31 = 16 (mins)
4. Human reliability analysis
4.1 Human reliability analysis methods
Human reliability analysis is a highly complicated task because it involves many variables, including external and internal factors related to the scenario. The external factors include the physical environment, ergonomics, system design, contexts, personnel relationship, the crew composition and group behavior, emergency operating procedure (whether written correctly, physically available when required at emergency, unambiguous, etc.), training level and task complexity. The internal factors are governed by the state of personnel psychology and physical health. No HRA method is comprehensive in its coverage of human errors; each has strengths and weaknesses in terms of its coverage and quantification. Bell and Holroyd (2009) give a brief summary of 17 HRA methods along with their advantages and disadvantages. Among these HRA methods, the human cognitive reliability (HCR) method (Hannaman et al., 1984) is considered to be a better method for quantifying human error probability in emergency-centered scenarios (Boring et al., 2010). The HCR method is widely accepted for estimating human reliability with uncertainty methodology. The method proposed the Skill, Rule and Knowledge (SRK) framework for categorizing the crew response and considered the performance shaping factors (PSFs) such as operator experience, stress level and quality of operator/plant interface. The HCR method considered that HEP was mainly related to the ratio of operation allowable time (t) and operation execution time (T1/2). The relationship could be expressed with a three-parameter Weibull distribution function, which is shown in Eq. 17.

$$P(t) = \exp\left[-\left(\frac{t/T_{1/2} - \gamma}{\alpha}\right)^{\beta}\right] \qquad (17)$$
Where P(t) was the human error probability (HEP); α, β, and γ were the dimension, shape and location parameters, and their values were determined by operation category. The cognitive processing type (skill-based, rule-based, or knowledge-based) should be determined before the calculation. Table 4 lists the Weibull coefficients assigned to each operation category. t was the operation allowable time, which was determined by the scenario characteristics; T1/2 was the operation execution time, which could be obtained by Eq. 18.

$$T_{1/2} = T_{1/2,n}\,(1 + K_1)\,(1 + K_2)\,(1 + K_3) \qquad (18)$$
Where T1/2,n was the average execution time in regular situations, which could be obtained from statistics. The coefficients K1, K2, and K3 were the PSF values used to modify the execution time of various operators considering their experience, stress level, and the human-machine interface: K1 referred to operator experience, K2 to stress level, and K3 to quality of operator/plant interface. These PSF coefficients are shown in Table 5.

Table 4. Cognitive correlation coefficients.

| Operation category | α | β | γ |
| --- | --- | --- | --- |
| Skill-based | 0.407 | 1.2 | 0.7 |
| Rule-based | 0.601 | 0.9 | 0.6 |
| Knowledge-based | 0.791 | 0.8 | 0.5 |
Table 5. Performance shaping factors (PSFs).

| Performance shaping factors | Coefficient |
| --- | --- |
| Operator experience (K1) | |
| 1. Expert, well trained | -0.22 |
| 2. General, knowledge training | 0.00 |
| 3. Poor, minimum training | 0.44 |
| Stress level (K2) | |
| 1. Situation of grave emergency | 0.44 |
| 2. Situation of potential emergency | 0.28 |
| 3. Active, no emergency | 0.00 |
| 4. Low activity, low vigilance | -0.28 |
| Quality of operator/plant interface (K3) | |
| 1. Excellent | -0.22 |
| 2. Good | 0.00 |
| 3. Fair | 0.44 |
| 4. Poor | 0.78 |
4.2 Quantifying human error probability in independent protection layers
For different critical deviation scenarios, the operation allowable time (t) is considered to be the time interval between activation of the first and second alarms. As shown in Table 3, they are 19 mins, 24 mins and 16 mins, respectively. If the deviation is higher than the critical condition, the allowable response time (t) could be less than the time listed in Table 3. The approximate data for operation execution time (T1/2) can be obtained or designated from statistical or empirical values according to the operation and procedure involved. This time depends on the characteristics of the specific accident scenario and the associated response actions. Generally, it should be less than the allowable operator response time. Taking into account the operator's response to observation, diagnosis, decision making, and action, assume that each T1/2 in the three scenarios is 5 mins. Obviously, for the abnormal exothermic reaction process, the stress level is in the situation of grave emergency. The human-machine interface is presumed to be excellent in some plants. So the K2 and K3 values of PSFs are determined to be 0.44 and -0.22, respectively. For operators of different skill levels, the value of K1 is chosen from Table 5.
The cognitive processing type is considered as knowledge-based. According to Table 4, α, β, and γ are 0.791, 0.8 and 0.5, respectively. The modified average execution time (T1/2,n) of operators and human reliability probability are calculated as shown in Table 6.

Table 6. Human reliability probability under the allowable response time.

| Scenarios | The allowable response time (min) | Average execution time of operators (T1/2, min) | Human reliability probability under maximum allowable response time |
| --- | --- | --- | --- |
| Scenario 1 | 18 | Operator (Expert): 4.38 | 0.9655 |
| | | Operator (General): 5.62 | 0.9310 |
| | | Operator (Poor): 8.09 | 0.8453 |
| Scenario 2 | 24 | Operator (Expert): 4.38 | 0.9872 |
| | | Operator (General): 5.62 | 0.9695 |
| | | Operator (Poor): 8.09 | 0.9167 |
| Scenario 3 | 16 | Operator (Expert): 4.38 | 0.9513 |
| | | Operator (General): 5.62 | 0.9083 |
| | | Operator (Poor): 8.09 | 0.8078 |
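The calculation behind Table 6, as an added Python example (not the authors' code): it implements Eqs. 17 and 18 with the Table 4 and Table 5 coefficients and the Table 3 response windows. The function names are chosen here, and `min_window_for_hep` goes beyond the paper by solving Eq. 17 for the response window needed to reach a target HEP.

```python
import math

# Table 4: HCR Weibull coefficients (alpha, beta, gamma) per cognitive type.
HCR_COEFFS = {
    "skill": (0.407, 1.2, 0.7),
    "rule": (0.601, 0.9, 0.6),
    "knowledge": (0.791, 0.8, 0.5),
}

# Table 5: performance shaping factor coefficients.
K1_EXPERIENCE = {"expert": -0.22, "general": 0.00, "poor": 0.44}
K2_STRESS = {"grave": 0.44, "potential": 0.28, "active": 0.00, "low": -0.28}
K3_INTERFACE = {"excellent": -0.22, "good": 0.00, "fair": 0.44, "poor": 0.78}

# Table 3: allowable response time per scenario, in minutes.
WINDOWS_MIN = {"Scenario 1": 18, "Scenario 2": 24, "Scenario 3": 16}


def execution_time(t_half_nominal, experience, stress, interface):
    """Eq. 18: nominal execution time scaled by the three PSFs (minutes)."""
    return (t_half_nominal
            * (1 + K1_EXPERIENCE[experience])
            * (1 + K2_STRESS[stress])
            * (1 + K3_INTERFACE[interface]))


def hcr_hep(t_allow, t_half, cognition="knowledge"):
    """Eq. 17: probability that the operator has not responded within t_allow."""
    if t_allow < 0 or t_half <= 0:
        raise ValueError("t_allow must be >= 0 and t_half must be > 0")
    alpha, beta, gamma = HCR_COEFFS[cognition]
    x = (t_allow / t_half - gamma) / alpha
    # Below the location parameter the Weibull term is undefined (negative base
    # with a fractional exponent): the window is too short for any credit.
    if x <= 0:
        return 1.0
    return math.exp(-(x ** beta))


def min_window_for_hep(target_hep, t_half, cognition="knowledge"):
    """Inverse of Eq. 17: shortest response window (min) that reaches target_hep."""
    if not 0.0 < target_hep < 1.0:
        raise ValueError("target_hep must lie strictly between 0 and 1")
    alpha, beta, gamma = HCR_COEFFS[cognition]
    return t_half * (gamma + alpha * (-math.log(target_hep)) ** (1.0 / beta))


def reliability_table(windows=WINDOWS_MIN, t_half_nominal=5.0):
    """Recompute Table 6: {(scenario, level): (T1/2, 1 - HEP)}.

    Uses the case-study assumptions: grave emergency, excellent interface,
    knowledge-based response, nominal execution time of 5 min.
    """
    rows = {}
    for level in K1_EXPERIENCE:
        t_half = execution_time(t_half_nominal, level, "grave", "excellent")
        for scenario, t_allow in windows.items():
            rows[(scenario, level)] = (t_half, 1.0 - hcr_hep(t_allow, t_half))
    return rows


if __name__ == "__main__":
    for (scenario, level), (t_half, rel) in reliability_table().items():
        print(f"{scenario:10s} {level:8s} T1/2={t_half:5.2f} min  reliability={rel:.4f}")
    # Section 4.2 quotes 19 min for Scenario 1; with that window the expert HEP
    # evaluates to 0.0291, the PFD entered for Scenario 1 in Table 10.
    t_expert = execution_time(5.0, "expert", "grave", "excellent")
    print(f"expert HEP at 19 min: {hcr_hep(19, t_expert):.4f}")
    t_poor = execution_time(5.0, "poor", "grave", "excellent")
    print(f"window for HEP 0.1, poor operator: {min_window_for_hep(0.1, t_poor):.1f} min")
```

For a poorly skilled operator the inversion gives roughly 22 min for an HEP of 0.1, which is why only Scenario 2 (24 min) keeps that operator below the CCPS default.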
5. Results discussion
Since this study quantifies the HEP, it can be used to correct the PFD for human response in LOPA. In general, the PFD considered in the three scenarios is 0.1 in the CCPS guidelines shown in Table 1. The human reliability probabilities at different residual allowable response times for operators of different levels in the three scenarios are shown in Fig. 16. It is obvious that the human reliability of well-educated operators is higher than that of poorly educated operators. The human reliability probability declines as the residual response time decreases. Once the alarm is activated, the operator should respond as quickly as possible and perform the appropriate action to ensure that the process can return to the safe state. For Scenarios 1 and 3, setting the PFD for human response to 0.1 is a conservative result for the expert and generally skilled operators, but an underestimate for the poorly skilled operator. For Scenario 2, the PFDs for expert, generally, and poorly skilled operators are all considered to be less than 0.1. Using the CCPS guidelines in the case study to set the PFD for human response to 0.1 underestimates the effects of human actions. The investigation of the case study shows that using the HEP quantified through our proposed methodology to correct the PFD for human response provides an effective way to understand the importance of human actions for accident prevention, thereby avoiding unnecessary safety expenses for other protection layers.
Fig. 16. The human reliability probability over time for different skilled level operators.
Furthermore, the LOPA was used to determine the safety integrity level (SIL) of the safety instrumented function (SIF) implemented against the above three possible accident scenarios. The original LOPA worksheet of the batch reactor system is illustrated in Table 9. Since the three scenarios can cause the same consequence of reactor rupture, resulting in potential chemicals release, personnel injury, and environmental notification, they are included in one LOPA worksheet. Assuming that the feed time for reactants A and B is both 20 mins and the discharge time is 20 mins, the total time for one batch operation is supposed to be 280 mins. The calculated occupancy factors for three initiating events are 0.0714, 0.857, and 0.857, respectively. According to Table 8, the ignition probability in three scenarios where the chemical release causes the explosion is conservatively considered to be equal to 0.5 in the plant area (Eini et al., 2018). Since the PFD of the CAHI-IPL consists of three parts including observation (sensor, alarm), diagnose (human), and final element (valves), we assumed that the PFD from the observation and final element are negligible. Thus, the PFD of the CAHI-IPL is equal to the PFD of human response in this work. Setting the PFD of the CAHI-IPL to 0.1, the calculated risk reduction factor is 475.5, and the SIL required is level 2.

Table 7. Probability of delayed ignition in one minute for various ignition sources (Eini et al., 2018).

| Source | Probability |
| --- | --- |
| High equipment density | 0.5 |
| Medium equipment density | 0.25 |
| Low equipment density | 0.1 |
| Confined space with no equipment | 0.02 |
Assuming the operator skill is expert level, the PFDs of the CAHI-IPL in each scenario are 0.0291, 0.0128, and 0.0487, respectively. As shown in Table 10, the calculated risk reduction factor is 76.7, and the SIL required is level 1. The SIL selections for expert, generally, and poorly skilled operators are shown in Table 8.

Table 8. SIL selection for different cases.

| Determination of PFD for human response | Risk reduction factor | SIL |
| --- | --- | --- |
| CCPS guidelines | 475.5 | 2 |
| Expert skilled operators | 76.7 | 1 |
| Generally skilled operators | 172.1 | 2 |
| Poorly skilled operators | 444.4 | 2 |
It can be seen that the risk reduction factors with expert, generally, and poorly skilled operators are lower than the risk reduction factor determined by the CCPS guidelines. The results indicate that the proposed methodology for quantifying the HEP in CAHI-IPLs can overcome the limitations of previous determination methods based on subjective personal judgment, and that the simulation can be accurately correlated with the accident scenario, thus giving relatively objective results. Human actions are expected to provide more risk reduction, thereby saving unnecessary costs in other layers of protection, especially on the implementation of the SIS. However, it should also be noted that in this case, the SIL only reaches level 1 when the expert skilled operator performs the action. In practice, it is recommended to set SIL 2 for the SIF based on the generally skilled operator level. Although SIL 1 can avoid unwarranted expenditures, it should be implemented only on the premise of professionally skilled and well-trained operators.
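The worksheet arithmetic of Tables 9 and 10, as an added Python example rather than the authors' own code. Row values are those printed in the worksheets; the SIL bands are the IEC 61511 low-demand ranges (an assumption, the paper does not list them), and because the worksheets round each intermediate likelihood to three significant figures, the unrounded totals differ from 475.5 and 76.7 in the last digit.

```python
TOLERABLE_FREQ = 1e-5  # tolerable risk likelihood (per year), Tables 9 and 10

# One row per initiating cause, as printed in Table 9. bpcs_pfd is None where
# the worksheet takes no credit for the basic control system (Scenario 2,
# where the temperature control set point is itself the initiating cause).
SCENARIOS = [
    {"cause": "More moles of reactant A enter the reactor",
     "freq": 0.1, "occupancy": 0.0714, "ignition": 0.5, "bpcs_pfd": 0.1},
    {"cause": "High set temperature value of TjC",
     "freq": 0.1, "occupancy": 0.857, "ignition": 0.5, "bpcs_pfd": None},
    {"cause": "Reduced flow rate of cooling media into the jacket",
     "freq": 0.1, "occupancy": 0.857, "ignition": 0.5, "bpcs_pfd": 0.1},
]


def intermediate_likelihood(row, human_pfd):
    """Mitigated frequency of one scenario with the alarm/operator IPL credited."""
    if not 0.0 < human_pfd <= 1.0:
        raise ValueError("human_pfd must be in (0, 1]")
    freq = row["freq"] * row["occupancy"] * row["ignition"] * human_pfd
    if row["bpcs_pfd"] is not None:
        freq *= row["bpcs_pfd"]
    return freq


def scenario_likelihoods(human_pfds):
    if len(human_pfds) != len(SCENARIOS):
        raise ValueError("one human PFD per scenario is required")
    return [intermediate_likelihood(r, p) for r, p in zip(SCENARIOS, human_pfds)]


def risk_reduction_factor(human_pfds):
    """Residual reduction the SIF must supply: summed likelihood / tolerable."""
    return sum(scenario_likelihoods(human_pfds)) / TOLERABLE_FREQ


def required_sil(rrf):
    """Low-demand SIL band: SIL n covers 10**n < RRF <= 10**(n + 1)."""
    if rrf <= 10:
        return 0  # no SIL-rated function required
    for sil in (1, 2, 3, 4):
        if rrf <= 10 ** (sil + 1):
            return sil
    raise ValueError("RRF above SIL 4: redesign rather than add an SIF")


def contributions(human_pfds):
    """Share of the summed likelihood carried by each scenario."""
    likelihoods = scenario_likelihoods(human_pfds)
    total = sum(likelihoods)
    return [value / total for value in likelihoods]


def max_uniform_human_pfd(target_sil):
    """Largest human PFD, applied to all scenarios, that stays within target_sil."""
    unmitigated = sum(scenario_likelihoods([1.0] * len(SCENARIOS)))
    return 10 ** (target_sil + 1) * TOLERABLE_FREQ / unmitigated


if __name__ == "__main__":
    cases = {"CCPS default": [0.1, 0.1, 0.1],
             "Expert (Table 10)": [0.0291, 0.0128, 0.0487]}
    for name, pfds in cases.items():
        rrf = risk_reduction_factor(pfds)
        shares = ", ".join(f"{s:.0%}" for s in contributions(pfds))
        print(f"{name:18s} RRF={rrf:6.1f}  SIL {required_sil(rrf)}  shares: {shares}")
    print(f"uniform human PFD limit for SIL 1: {max_uniform_human_pfd(1):.4f}")
```

Scenario 2 carries about 70% of the expert-case likelihood because it has no control-system credit, so the SIL 1 result depends mainly on the 0.0128 human PFD obtained from its 24 min response window.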
6. Conclusions
The protection layer of human intervention in chemical processes is vital for reducing risks of possible accident scenarios. In this study, we propose a methodology for quantifying HEP in IPLs based on process dynamic simulation. The operator available time after the alarm is obtained from the simulation and is applied to the HRA to quantify the HEP. Since previous methods may have limitations in addressing PFDs for human response in CAHI-IPLs, the use of dynamic simulations can provide an objective and effective way to determine reasonable risk reduction factors. The quantified HEPs of the three scenarios in the batch reactor system indicate that the PFD for human response of CAHI-IPLs is lower than that determined by the CCPS guidelines, which saves unnecessary risk reduction and unwarranted safety expenditures in other protection layers. The HRA involved in the methodology is related to a specific scenario, but more influencing factors may be considered in the future to obtain accurate results. For human intervention, available time is an important factor and thereby accounts for a majority weight compared to other factors. The present work combines process dynamic simulations to obtain available time and overcomes the subjective assumptions of the scenario; however, other influencing factors may also have a reasonable effect on the results. Further studies related to this subject should use an advanced HRA method to calculate the HEP with more detailed process information.
Table 9. LOPA worksheet for the batch reactor system.

Consequence description: The temperature of the reactor is too high cause reactor to rupture, resulting in potential chemicals release, personnel injury, and environmental notification.

| Initiating cause description | Initiation likelihood (freq/year) | Condition modifier: occupancy factor | Condition modifier: probability of ignition | Protection layer PFD: basic control system | Protection layer PFD: alarm & operator action | Protection layer PFD: other protection devices | Protection layer PFD: other mitigation measures | Intermediate event likelihood |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| More moles of reactant A enters the reactor | 0.1 | 0.0714 | 0.5 | 0.1 | 0.1 | - | - | 3.57E-5 |
| High set temperature value of TjC | 0.1 | 0.857 | 0.5 | - | 0.1 | - | - | 4.29E-3 |
| Reduction of the flow rate of cooling media into the jacket | 0.1 | 0.857 | 0.5 | 0.1 | 0.1 | - | - | 4.29E-4 |

Tolerable risk likelihood: 1E-5. Risk reduction factor: 475.5.
Table 10. LOPA worksheet for the batch reactor system (with expert skilled operators).

Consequence description: The temperature of the reactor is too high cause reactor to rupture, resulting in potential chemicals release, personnel injury, and environmental notification.

| Initiating cause description | Initiation likelihood (freq/year) | Condition modifier: occupancy factor | Condition modifier: probability of ignition | Protection layer PFD: basic control system | Protection layer PFD: alarm & operator action | Protection layer PFD: other protection devices | Protection layer PFD: other mitigation measures | Intermediate event likelihood |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| More moles of reactant A enters the reactor | 0.1 | 0.0714 | 0.5 | 0.1 | 0.0291 | - | - | 1.04E-5 |
| High set temperature value of TjC | 0.1 | 0.857 | 0.5 | - | 0.0128 | - | - | 5.48E-4 |
| Reduction of the flow rate of cooling media into the jacket | 0.1 | 0.857 | 0.5 | 0.1 | 0.0487 | - | - | 2.09E-4 |

Tolerable risk likelihood: 1E-5. Risk reduction factor: 76.7.
Acknowledgments
This work was sponsored by National Key R&D Program of China (No. 2016YFC0800100), the key program of National Natural Science Foundation of China (No. 21436006) and Jiangsu Government Scholarship for Overseas Studies.
Appendix A. Nomenclature

CCPS: Center of Chemical Process Safety
CAHI: Critical Alarm and Human Intervention
LOPA: Layers of Protection Analysis
BPCS: Basic Process Control System
ESD: Emergency Shutdown Device
SIS: Safety Instrumented System
SIF: Safety Instrumented Function
IPL: Independent Protection Layer
PFD: Probability of Failure on Demand
PSF: Performance Shaping Factors
HRA: Human Reliability Analysis
HEP: Human Error Probability
HCR: Human Cognitive Reliability
P&ID: Piping & Instrument Diagram
SIL: Safety Integrity Level
kx1, kx2: rate constant for reaction x (kmol-1/s)
A: heat transfer area (m2)
Cp: mass heat capacity (kJ/(kg℃))
Cpi: molar heat capacity of component i (kJ/(kmol℃))
Fj: mass flow in the reactor jacket (kg/min)
△Hx: heat of reaction of reaction x (kJ/kmol)
Mi: number of moles of component i (kmol)
MWi: molecular weight of component i (kg/kmol)
Qj: heat flow through the jacket (kJ/min)
Qr: heat released from reactions (kJ/min)
t: time (min)
Tjsp: a set point value of the jacket temperature control system (℃)
Tj: jacket temperature (℃)
Tr: reactor temperature (℃)
U: heat transfer coefficient (kJ/(min m2℃))
V: reactor volume (m3)
W: reactor content (kg)
ρ: density (kg/m3)
Appendix B. Mathematical model of the reactor

| No. | Equation | Comments |
| --- | --- | --- |
| 1 | t(0) = 1 | Starting time |
| 2 | t(f) = 240 | Final time (min) |
| 3 | MA(0) = 12 | Number of moles of material (A) at t = t0 |
| 4 | MB(0) = 12 | Number of moles of material (B) at t = t0 |
| 5 | MC(0) = 0 | Number of moles of product (C) at t = t0 |
| 6 | MD(0) = 0 | Number of moles of by-product (D) at t = t0 |
| 7 | Tr(0) = 20 | Temperature in the reactor at t = t0 (℃) |
| 8 | Tj(0) = 20 | Temperature in the jacket at t = t0 (℃) |
| 9 | Tjsp = 71 | The set point temperature by TjC (℃) |
| 10 | MWA = 30 | Molar mass of A (kg/kmol) |
| 11 | MWB = 100 | Molar mass of B (kg/kmol) |
| 12 | MWC = 130 | Molar mass of C (kg/kmol) |
| 13 | MWD = 160 | Molar mass of D (kg/kmol) |
| 14 | k11 = 20.9057 | Specific reaction rate 1 (parameter 1) |
| 15 | k12 = 10000 | Specific reaction rate 1 (parameter 2) |
| 16 | k21 = 38.9057 | Specific reaction rate 2 (parameter 1) |
| 17 | k22 = 17000 | Specific reaction rate 2 (parameter 2) |
| 18 | r = 0.5 | Radius of the reactor (m) |
| 19 | Fj = 0.348 | Flow rate of coolant in the jacket (m3/min) |
| 20 | U = 40.842 | Cool surface heat transfer coefficient (W/℃) |
| 21 | CpA = 75.31 | Heat capacity of A (J/kg/℃) |
| 22 | CpB = 167.36 | Heat capacity of B (J/kg/℃) |
| 23 | CpC = 217.57 | Heat capacity of C (J/kg/℃) |
| 24 | CpD = 334.73 | Heat capacity of D (J/kg/℃) |
| 25 | H1 = -41840 | Specific heat of reaction 1 (J/kmol) |
| 26 | H2 = -25105 | Specific heat of reaction 2 (J/kmol) |
| 27 | density = 1000 | The average density of A, B, C and D (kg/m3) |
| 28 | densityj = 1000 | The density of coolant (kg/m3) |
| 29 | Cpj = 1.8828 | Heat capacity of coolant in the jacket (J/kg/℃) |
| 30 | Vj = 0.6912 | Volume of the jacket (m3) |
| 31 | d(MA)/d(t) = -k1*MA*MB - k2*MA*MC | Number of moles of reagent (A) from mole balance |
| 32 | d(MB)/d(t) = -k1*MA*MB | Number of moles of reagent (B) from mole balance |
| 33 | d(MC)/d(t) = k1*MA*MB - k2*MA*MC | Number of moles of product (C) from mole balance |
| 34 | d(MD)/d(t) = k2*MA*MC | Number of moles of by-product (D) from mole balance |
| 35 | d(Tr)/d(t) = (Qr+Qj)/(Mr*Cpr) | Temperature in the reactor (℃) from energy balance |
| 36 | d(Tj)/d(t) = (Fj*densityj*Cpj*(Tjsp-Tj)-Qj)/(Vj*densityj*Cpj) | Temperature in the jacket (℃) from energy balance |
| 37 | k1 = exp(k11 - k12/(273.15+Tr)) | Specific reaction rate 1 |
| 38 | k2 = exp(k21 - k22/(273.15+Tr)) | Specific reaction rate 2 |
| 39 | W = MWA*MA + MWB*MB + MWC*MC + MWD*MD | Total weight of A, B, C and D (kg) |
| 40 | Mr = MA+MB+MC+MD | Total mole of A, B, C and D (kmol) |
| 41 | Cpr = (CpA*MA + CpB*MB + CpC*MC + CpD*MD)/Mr | Average heat capacity of A, B, C and D (J/kg/℃) |
| 42 | Qr = -H1*(k1*MA*MB) - H2*(k2*MA*MC) | Heat input due to reactant addition (W) |
| 43 | Qj = U*A*(Tj-Tr) | Heat removed by the cooling jacket (W) |
| 44 | A = 2*W/(density*r) | The surface area of heat transfer (m2) |
References

Arpornwichanop, A., Kittisupakorn, P., Mujtaba, I., 2005. On-line dynamic optimization and control strategy for improving the performance of batch reactors. Chemical Engineering and Processing: Process Intensification 44, 101-114.
Bell, J., Holroyd, J., 2009. Review of human reliability assessment methods. Health and Safety Laboratory.
Berdouzi, F., Villemur, C., Olivier-Maget, N., Gabas, N., 2018. Dynamic simulation for risk analysis: Application to an exothermic reaction. Process Safety and Environmental Protection 113, 149-163.
Boring, R.L., Hendrickson, S.M., Forester, J.A., Tran, T.Q., Lois, E., 2010. Issues in benchmarking human reliability analysis methods: A literature review. Reliability Engineering & System Safety 95, 591-605.
Carlos, M., Fatine, B., Nelly, O.-M., Nadine, G., 2018. Deviation propagation analysis along a cumene process by using dynamic simulations. Computers & Chemical Engineering 117, 331-350.
Dowell III, A.M., 1999. Layer of protection analysis and inherently safer processes. Process Safety Progress 18, 214-220.
Eini, S., Javidi, M., Shahhosseini, H.R., Rashtchian, D., 2018. Inherently safer design of a reactor network system: A case study. Journal of Loss Prevention in the Process Industries 51, 112-124.
Eizenberg, S., Shacham, M., Brauner, N., 2006. Combining HAZOP with dynamic simulation—applications for safety education. Journal of Loss Prevention in the Process Industries 19, 754-761.
Hannaman, G., Spurgin, A., Lukic, Y., 1984. Human cognitive reliability model for PRA analysis. NUS-4531.
Janošovský, J., Danko, M., Labovský, J., Jelemenský, Ľ., 2017. The role of a commercial process simulator in computer aided HAZOP approach. Process Safety and Environmental Protection 107, 12-21.
Khan, F.I., Abbasi, S., 1998. Techniques and methodologies for risk analysis in chemical process industries. Journal of Loss Prevention in the Process Industries 11, 261-277.
Lees, F., 2012. Lees' Loss prevention in the process industries: Hazard identification, assessment and control. Butterworth-Heinemann.
Liu, P., Qiu, Y., Hu, J., Tong, J., Li, Z., 2018. (PE-AT)Expert Judgments for Performance Shaping Factors’ Multiplier Design in Human Reliability Analysis. Reliability Engineering & System Safety.
Lou, H.H., Chandrasekaran, J., Smith, R.A., 2006. Large-scale dynamic simulation for security assessment of an ethylene oxide manufacturing process. Computers & Chemical Engineering 30, 1102-1118.
Luyben, W.L., 2012. Use of dynamic simulation for reactor safety analysis. Computers & Chemical Engineering 40, 97-109.
Molnár, A., Markoš, J., Jelemenský, L., 2005. Some considerations for safety analysis of chemical reactors. Chemical Engineering Research and Design 83, 167-176.
Myers, P.M., 2013. Layer of Protection Analysis–Quantifying human performance in initiating events and independent protection layers. Journal of Loss Prevention in the Process Industries 26, 534-546.
Ni, L., Mebarki, A., Jiang, J., Zhang, M., Pensee, V., Dou, Z., 2016. Thermal risk in batch reactors: Theoretical framework for runaway and accident. Journal of Loss Prevention in the Process Industries 43, 75-82.
Pan, X., Lin, Y., He, C., 2017. A review of cognitive models in human reliability analysis. Quality and Reliability Engineering International 33, 1299-1316.
Podofillini, L., Dang, V.N., 2012. Conventional and dynamic safety analysis: Comparison on a chemical batch reactor. Reliability Engineering & System Safety 106, 146-159.
Roberge, D.M., Ducry, L., Bieler, N., Cretton, P., Zimmermann, B., 2005. Microreactor technology: a revolution for the fine chemical and pharmaceutical industries? Chemical Engineering & Technology: Industrial Chemistry‐Plant Equipment‐Process Engineering‐Biotechnology 28, 318-323.
Saada, R., Patel, D., Saha, B., 2015. Causes and consequences of thermal runaway incidents—will they ever be avoided? Process Safety and Environmental Protection 97, 109-115.
Summers, A.E., 2003. Introduction to layers of protection analysis. Journal of Hazardous Materials 104, 163-168.
Westerterp, K., Molga, E., 2006. Safety and runaway prevention in batch and semibatch reactors—a review. Chemical Engineering Research and Design 84, 543-552.
Winterbottom, J.M., King, M., 1999. Reactor design for chemical engineers. CRC Press.
Yingkai, B., Chuangxin, G., Zhang, J., Jiaxin, W., Suhong, P., Zhang, Z., 2018. Impact analysis of human factors on power system operation reliability. Journal of Modern Power Systems and Clean Energy 6, 27-39.