Safety Science 101 (2018) 209–219

Contents lists available at ScienceDirect

Safety Science
journal homepage: www.elsevier.com/locate/safety

Employing process simulation for hazardous process deviation identification MARK

and analysis
⁎
Rafael Raonia,b, , Argimiro R. Secchia, Micaela Demichelab
a
Chemical Engineering Program-COPPE, Universidade Federal do Rio de Janeiro, Cidade Universitária, Centro de Tecnologia, 21941-914 Rio de Janeiro, RJ, Brazil
b
Department of Applied Science and Technology, Politecnico di Torino, Corso Duca degli Abruzzi 24, 10129 Torino, Italy

A R T I C L E I N F O A B S T R A C T

Keywords: To improve industrial safety, several hazard analyses of processes are available. The HAZOP is one of the most
Hazard analysis frequently employed and analyzes hazardous process deviations based on heuristic knowledge. Despite the wide
Process simulation application of the technique, new developments are especially important to enhance industrial safety. In this
Process deviation sense a systematic procedure is proposed for hazardous process deviation identification and analysis that em-
Systematic procedure
ploys process simulation and heuristic evaluation. Process simulation enables the analysis of process behaviors
Heuristic analysis
caused by device malfunctions and the performance of deviation analysis that considers the process non-line-
arities and dynamics. A comparison between the HAZOP and the proposed procedure is presented using a pump
startup system case study, wherein the better system interpretation and results regarding abnormal process
conditions are highlighted. A second case study applies the procedures to an offshore oil production process,
showing the advantages of employing process simulation for studying deviation during a dynamic process’s
abnormal behavior.

1. Introduction are introduced.

Several techniques are available to identify and analyze hazardous 1.1. Description of traditional HAZOP
conditions. A rigorous and systematic procedure followed by a multi-
disciplinary team of experts is widely employed in different methods of Basically speaking, the method examines the plant documentation
hazard identification (Crowl and Louvar, 2002; Mannan, 2005). In the with the aim of identifying the hazardous consequences of recognized
framework of process hazards, the HAZOP (hazard operability) study process deviations (Dunjó et al., 2010) as well as being a source of
(Kletz, 1997; Lawley, 1974; Swann and Preston, 1995; Tyler, 2012) is information for further quantitative risk analysis (Demichela et al.,
one of the most recognized and widely used studies in industries (Tyler, 2002; Siu, 1994). The technique’s power lies in its procedure for gen-
2012), and techniques such as FMEA (failure mode and effect analysis) erating process deviations (e.g. high pressure), which combines guide
(Kenneth, 2004; McDermott et al., 2009) are also widely used for the words (high, less, none, etc.) and process variables (pressure, tem-
identification of hazards caused by failure modes of equipment and perature, etc.). The analysis is carried out considering deviations at the
processes. Furthermore, in terms of probabilistic risk assessment, sev- identified nodes, referred to as plant sections, in which the process
eral other techniques are available, of which the fault tree (FT) is one of variables’ behavior is analyzed to allow the identification of the causes,
the most often employed (Chiacchio et al., 2011; Siu, 1994). consequences and safeguards of the deviation. Furthermore, following
Given the importance of identifying and analyzing industry hazards, some reference tables, the qualification of the scenario risk may be
it seems reasonable to improve the quality of hazard assessment by made for a certain risk focus (e.g. the environment, people, image and
mixing the concepts of different risk analyses, such as the ROA assets) and, when necessary, some observations or recommendations
(Demichela et al., 2002), which integrates the concepts of the HAZOP may be offered (Dunjó et al., 2010) to improve the process’s safety
for hazard identification and the FT for frequency assessment. Fur- concerning the identified hazard.
thermore, considering the HAZOP as one of the most important hazard The systematic procedure enables the identification of all the pos-
analyses in process industries, some of its insights and improvements sible deviations of the system (Crowl and Louvar, 2002), which,

⁎
Corresponding author at: Chemical Engineering Program-COPPE, Universidade Federal do Rio de Janeiro, Cidade Universitária, Centro de Tecnologia, 21941-914 Rio de Janeiro, RJ,
Brazil.
E-mail addresses: rbritto@peq.coppe.ufrj.br (R. Raoni), arge@peq.coppe.ufrj.br (A.R. Secchi), micaela.demichela@polito.it (M. Demichela).

http://dx.doi.org/10.1016/j.ssci.2017.09.014
Received 9 April 2017; Received in revised form 13 July 2017; Accepted 19 September 2017
0925-7535/ © 2017 Elsevier Ltd. All rights reserved.
R. Raoni et al. Safety Science 101 (2018) 209–219

Fig. 1. Sequence of undesired events caused by a valve failure.

Sensor failure Control failure Actuator failure Operator error

Valve failure
inappropriate opening

High flow at High pressure

node 1 at node 1

Damage on an
equipment

depending on its dimension, may be divided into smaller subsystems to or implemented in computational software, the importance of expert
facilitate a manageable analysis. The method is employed during long- opinion for hazard analysis is highlighted. In this sense a procedure that
time meetings with a multidisciplinary group of specialists and requires groups both computational advances and expert opinion seems im-
a large amount of time and work (Khan and Abbasi, 1997; Swann and portant to improve the process safety.
Preston, 1995). Its quality strongly depends on the capability of the In this work a systematic procedure that uses process simulation is
safety specialist who guides the study, on the expertise of the multi- proposed for the identification and analysis of hazardous process de-
disciplinary group and on the group’s capability to maintain accuracy viation. The procedure presents steps that can be automatized compu-
until the end of the study. tationally and is concluded in multidisciplinary meetings. The hazard
scenario is defined as one possible malfunction of devices (process
units), which must be simulated to identify the group of its dependent
1.2. Computational advances in hazard analysis process deviations. Such information is grouped and feeds a further
heuristic process hazard analysis that aims to overcome the limitations
Despite the wide application of heuristic hazard analyses, some ef- of the computational tools. In Section 2 the proposed procedure is de-
forts have been made to make computational advances in hazard as- scribed; in Section 3 two case studies that aim to exemplify the pro-
sessment techniques. Aiming to improve the HAZOP team efficiency, cedure’s application, results and technical improvements are provided;
so-called expert systems have been studied widely (Dunjó et al., 2010) and in Section 4 the conclusion of the work is presented.
and implemented in many commercial tools. The main idea of the
proposals is to analyze the propagation of the deviation throughout an
empirical model of the system (Bartolozzi et al., 2000; Boonthum et al., 2. Proposed procedure
2014; Cocchiara et al., 2001; Cui et al., 2010; Leone, 1996; Wang and
Gao, 2012), generating an “automatic HAZOP” requiring less time 2.1. Procedure description and process boundaries
(Boonthum et al., 2014) and providing constant quality during the
whole analysis and improved consequence identification due to the During normal operation, with proper action of the process devices,
deviation propagation throughout the system model (Bartolozzi et al., no problems arise. Then an abnormal system condition occurs when a
2000). Accordingly, the deviation propagation may use, among others, particular device does not operate as originally expected. To give an
a petri network (Chung and Chang, 2011; Srinivasan and example, the inappropriate opening of a control valve is an abnormal
Venkatasubramanian, 1998a, 1998b) or fuzzy logic (Guimarães and system condition that could be caused by previous events and leads to
Lapa, 2005). several further undesirable consequences, including some process de-
Other works have considered computational process dynamic si- viations. Such an example, shown in Fig. 1, represents a sequence of
mulation for hazard study to investigate the emergency process con- process behaviors in terms of cause–consequence assumptions, which
ditions (Shacham et al., 2004), for operators training in emergency si- could be extended by previous causes and further consequences until
tuations (Eizenberg et al., 2006b) and to identify the conditions in the desired level of detail is reached. Therefore, to propose a manage-
which safeguard activation occurs (Demichela and Camuncoli, 2013). able procedure, it is necessary to determine the boundaries of the
The use of dynamic simulation for deviation analysis has been em- process to be analyzed.
ployed in an extended HAZOP approach (Ramzan et al., 2006), making Aiming to identify process deviations, the identification of their
possible the identification of non-trivial consequences and better causes is defined as the starting point of the proposed analysis, and, the
system safeguards (Li et al., 2010). Furthermore, the importance of si- inappropriate manipulation of devices being the major cause of process
mulation has been highlighted for hazard analysis of non-linear pro- deviations, a study of the devices’ malfunction is needed. In this sense,
cesses with multiple steady states (Labovsky et al., 2007; Svandova despite the possibility of using any kind of procedure, the FMEA could
et al., 2005), in which an improved quantitative and sensitive deviation be understood as a good choice to identify devices’ inappropriate ma-
analysis is required. In these latter works, it was exemplified that a nipulation. Moreover, during this identification attention must be paid
small deviation can cause substantial process disturbance, highlighting to identifying device malfunctions that change the normal process
the advantages of quantitative versus qualitative deviation analysis. condition, which must include the identification of common cause
Both expert system and process simulation aim to overcome some of failures. Furthermore, the analysis of these changes during the normal
the difficulties faced during a heuristic hazard analysis. Given the process condition enables the identification of process deviations and
complexity of process plants, it seems logical to use process simulations further consequences. In addition, after an inappropriate device mal-
to understand hazardous process conditions and to implement compu- function, the transient behavior of the process determines the necessary
tational advances to automate a known systematic approach. On the time until the occurrence of the process deviations and their further
other hand, since not all anomalous process behaviors can be predicted consequences, leaving room for interventions from the system

210
R. Raoni et al. Safety Science 101 (2018) 209–219

Fig. 2. Proposed procedure structure.

Device malfunctions
Valve failure
(analysis initiation) inappropriate opening Devices manipulations

Process deviations
High pressure eǀiaƟon i, i+1,
at node 1 i+2, ...

Safeguards Displayed variables Automatic means

and alarms
Human actions

Undesired Consequences Damage of the Consequence

equipment j, j+1, j+2, ...

safeguards. correctly represents the normal system condition, obtaining the

Therefore, each device malfunction must be identified as one hazard values of all the process variables in the normal operational
scenario to be analyzed. By this definition, which follows the natural condition.
order of sequenced cause and consequence events, all the deviations – 3.2 Simulation 2: The identified device malfunctions are simulated
that are dependent on the scenario device malfunction are grouped one by one to identify the behavior of the system in terms of
together for further consequence and system safeguard identification. process deviations.
The structure of the proposed procedure, using the previous example • 4. Scenario analysis: The proposed method separates the deviation
(inappropriate valve opening), is illustrated in Fig. 2. analysis obtained from the simulation results from the further con-
sequence analysis, which needs to be performed heuristically:
2.2. The use and importance of process simulation – 4.1 Simulation result analysis: This step aims to compare the normal
operation simulation with the device malfunction simulations.
The cause–consequence relationship between device malfunctions The process deviations are quantitatively identified, and the ac-
and process deviations may be described by heuristic analysis (HAZOP), tivations of the system safeguards are verified.
by heuristic assumptions with computational advances (expert systems) – 4.2 Hazard heuristic analysis: With the simulation result analysis, the
or by phenomenological models in a process simulator. Heuristic con- search for further consequences of the deviations, which requires
siderations and their qualitative approach cannot handle transient and a meeting with a multidisciplinary group, may be undertaken.
non-linear process behaviors, and, when such process characteristics Each listed consequence may activate further system safeguards
cannot be neglected, process simulation and its quantitative investiga- that must be identified, and a risk qualification for each identified
tion are the most suitable tool. In this sense the process simulation can consequence may be made. Furthermore, when needed, observa-
improve the results of a hazardous deviation analysis by quantifying the tions or recommendations for the identified hazard should be
deviations and reducing the process interpretation mistakes. proposed.
Furthermore, the procedure steps that employ process simulation are • 5. Result presentation: The proposed table, shown in Table 1, groups
presented to be automatized computationally to reduce the required all the important information obtained from the proposed proce-
time for the identification of the process deviation. Finally, given the dure.
importance of expert opinion for hazard investigation, the hazard • System under study: Refers to the system that is undergoing ana-
analysis is finished by considering expert opinion to identify further lysis.
consequences of the process deviations identified by the process simu- • Device: Refers to the analyzed device.
lation. • Scenario number: A sequential number for computing all analyzed
scenarios.
2.3. Steps of the proposed procedure • Device malfunction: Identifies which device malfunction is ana-
lyzed in the scenario.
The following steps constitute the proposed procedure: • Simulation result analysis: Covers all the analyses to be performed
based on the simulation results.
• 1. System knowledge: This step aims to introduce the system to be – Variable identification and normal value: Identifies and lists the
analyzed, which must be fed with the system documents (P & ID, variables analyzed in the simulation, pointing out their system
PFDs, data sheets, etc.); location and their value in normal process conditions;
• 2. System modeling: A phenomenological model of the system is – Variable under deviation: Points out the value of the relevant
implemented in an appropriate process simulator. To build the variable in the abnormal condition (variable deviation value);
model for such an application, the variables that represent device – Displayed variable: Indicates whether the relevant variable is dis-
configurations need to be assigned as input variables while all the played, on a supervision screen or in the field, for monitoring by
other process variables are dependent variables. As such a model is plant operators;
helpful for the process design, its development may already have – Alarms: Identify the activated alarms for the relevant variable
been undertaken during a previous design step. deviation;
• 3. Simulations: – Automatic means: Identify the activated automatic means for the
– 3.1 Simulation 1: This is carried out to verify whether the model relevant variable deviation;

211
R. Raoni et al. Safety Science 101 (2018) 209–219

Table 1
Proposed table for hazardous process deviation and identification analysis.

System under study:

Device:

Scenario number:

Device malfunction Simulation results analysis

Variable deviation information Deviation safeguards

Variable identification and normal Value under deviation Displayed variable Alarms Automatic means Possibility of human actions
value

Hazard heuristic analysis

Further consequences Consequence safeguards Risk assessment: Notes, observations,

Frequency Severity Risk recommendations

– Possibility of human actions: Since the abnormal process condition safety purposes. To mitigate such a drawback, as reported by Eizenberg
is an unexpected and not easily identifiable event, this informa- et al. (2006a), the idea of dividing the entire system into minor sub-
tion aims to determine whether, in the case of a real occurrence of systems, just as performed in the HAZOP, could be used to facilitate the
the hazard scenario, the plant operators would be able to identify modeling process. In addition, to take into account the device mal-
that the process is experiencing an abnormal condition. Such function perturbation between subsystems, simultaneous process de-
identification enables human actions to seek the cause of the ab- viations at the intersection are required. Despite the modeling process
normal condition to avoid further undesirable consequences. The drawbacks, process simulation has already been applied widely during
“possibility of human action” is positive if there is at least one several process designs, and the obtained results more than compensate
displayed variable under deviation or if there is at least one ac- for the labor involved. Therefore, it does not make sense not to apply
tivated alarm in the scenario; such technology for safety purposes, even if it requires the development
• Hazard heuristic analysis: Covers all the analyses to be performed of new procedures, with new requirements, such as those proposed in
by the group of specialists based on the obtained simulation result this work.
analysis. Furthermore, given that a non-identified scenario is a non-studied
– Further consequences: Identify the possible further consequences scenario (AIChE, 2000), attention must be paid to the identification of
based on one variable deviation or on the group of variable de- the device malfunctions to be simulated. Since some devices are ma-
viations analyzed in the scenario; nipulated by continuous variables, just like the opening of a control
– Consequence safeguards: Identify the safeguards that can avoid the valve, a large spectrum of possibilities is faced to identify the device
spreading of the relevant consequence, avoiding even more un- magnitude malfunctions to be simulated. Such identification could be
desirable events; guided by understanding how the device is manipulated normally or
– Risk assessment: Qualifies the risk based on the frequency and se- the limit at which the magnitude of the device change may cause an
verity of the consequence; undesirable consequence.
– Notes, observations and recommendations: Space destined for some Finally, knowing that one device malfunction may generate several
relevant notes, observations or recommendations proposed by the process deviations, and since not every deviation is significant in the
group of specialists. hazard framework, not every deviation needs to be identified and
analyzed. As the process simulation enables every process variable to be
Fig. 3 shows the flow chart for the execution of the proposed pro- monitored, the definition of the variables to be analyzed has great
cedure. importance for the proposed procedure. One recommendation is to
select the variables that are already monitored in the system project,
2.4. Further observation which were already identified as being important in the process design.
Furthermore, in any case, process variables may be chosen in identified
The proposed procedure aims to improve the identification and nodes, just as performed in the traditional HAZOP.
analysis of hazardous process deviations by: (i) respecting the normal
sequence of cause and consequence events; (ii) employing process si-
mulation to improve the understanding of process abnormal behavior; 3. Case studies
and (iii) ascertaining the expert opinion for consequence identification
and risk assessment during the final heuristic analysis. The proposed The proposed procedure was applied in two case studies: a pump
Table 1 separates the deviation from the consequence analysis to make recirculation system and an offshore oil treatment unit. In the first case
a distinction between the simulation and the heuristic results. Fur- study, a risk assessment of the consequences of undesirable process
thermore, given that the simulation result groups a set of deviations deviations was carried out. This case aims to illustrate the step-by-step
that can occur simultaneously during real abnormal system behaviors, application of the proposals and to compare the results with those of the
they are valuable information for seeking the root cause of real-time HAZOP approach. In the second case study, a hazard scenario was
abnormal process behaviors. dynamically investigated, and undesirable consequences for the pro-
However, the difficult task of developing a phenomenological model duction were found. Tables 2–4 were employed for the hazard assess-
for large-scale processes could raise doubts about its application for ment of both examples.

212
R. Raoni et al. Safety Science 101 (2018) 209–219

1. System study System Pre-analysis

documents

- Operational conditions; - Devices identification;

- Process variables. - Type of devices malfunctions.

No 2. Modeling
Computational
- Choice of the simulator; tools and process
Does the simulation
- Phenomenological modeling simulators.
result agree with the
of the system
normal operational
conditions?
3.1 Simulation 1

- Normal operational
conditions;
- Stationary and/or dynamic

Simulation results analysis

Hazard analysis
Yes Choice of one device
All-important
3.2 Simulation 2 Choice of one device device
malfunction malfunctions
- Device malfunction; were
- Stationary and/or identified?
All identified devices
dynamical.
malfunctions were
analyzed?

4. Scenario analysis
Yes No
4.1 Simulation results
analysis: All the devices were
- Deviations analysis; analyzed?
- Safeguards;

Yes No
The chosen nodes
and variables are Hazard heuristic analysis
good representation
4. Scenario analysis All-important
of the system
behavior? consequences
4.2 Hazard heuristic analysis of were identified?
all scenarios:
5. Simulation result analysis - Consequences; Multidisciplinary
Table - Risk; team
- Notes

5. Hazard heuristic analysis

END
Table
Legend
Main tasks Verifications Important questions Feed to the method

Logic sequence of the method Data/Information feed

Fig. 3. Proposed procedure flow chart.

Table 2 Table 3
Severity classification. Frequency classification.

Severity Frequency classification

1 Negligible Process is not stopped; repair costs < 10,000 Euros. 1 Remote Any occurrence in industry is unknown or appears unlikely
2 Low Process is stopped briefly without following-up costs; repair 2 Unlikely Has occurred in the industry
costs < 50,000 Euros 3 Likely Has occurred within the company sector
3 Moderate Partial shut-off of the facility (max. 1 day), process can (possibly) 4 Several Has occurred within the operating company
be continued; repair costs < 500,000 Euros 5 Many Can occur in the company several times a year
4 High Partial shut-off of the facility from 2 days to max 2 weeks; repair
and following-up costs < 5 million Euros
5 Critical Complete shut-off of the facility; repair and follow-up
costs > 5 million Euros

213
R. Raoni et al. Safety Science 101 (2018) 209–219

Table 4
Risk matrix.

3.1. Pump startup system Table 5

Alarms and automatic means of the FIs.
3.1.1. System description
Value (m3/h) Alarm Automatic meansa
A pump startup system is found in installations with high-capacity
pumps (large flow and high discharge pressure), commonly used for FI1 250 FAL1 FSL1 - Shut down BP
long-distance transportation of petroleum through ducts, for example. FI2 600 FAL2 FSL2 - Shut down MP
It consists of an arrangement of pipes that connect the pump discharge a
BP = booster pumps and MP = main pumps.
to its suction, allowing the recirculation of the product, and a pipe
accident (i.e. restriction orifice ISO-5167-2 (2003)), required to stabi-
will be analyzed. HVs means hand valves, XVs automatic on–off valves
lize the pump discharge and suction pressures. The recirculation pro-
and UV the control valve. The indicators PIs and FIs allow the mon-
cedure is required at pump startup to minimize the required power and
itoring of the pressure and flow rate at the indicated point, and the FIs
avoid possible electrical damage, which could cause fire or other un-
also activate alarms and automatic means, as presented in Table 5.
desirable consequences.
In this work the procedure is applied after the booster pump startup,
The system under analysis is composed of two recirculation systems
which does not need a low flow rate, and during the startup of the main
of two different groups of pumps (“main pumps” and “booster pumps”)
pump, which does need a low flow rate.
that are connected in series and suctioning from a petroleum tank. The
recirculation system of each group of pumps was designed to operate
with only one pump at a time using an arrangement with two restriction 3.1.2. Mathematical modeling
orifices in series. For each group of pumps, there are two orifice ar- As showed by Raoni et al. (2016), the system needs to be modeled
rangements, one used normally and another as backup. as a looped pipeline network problem and may be solved by simulta-
A simplified flow chart of the described system is shown in Fig. 4, neous modular simulation. The specifications of the model are shown in
where “Pi” refers to the pipes, “Ai” refers to the restriction orifice ar- Table 6, and the steady-state assumption was applied. The model was
rangements and “Ni” refers to the nodes where the process variables built in Matlab, and the fsolve function was used to solve its non-linear
system of equations.

Fig. 4. Recirculation pump system.

214
R. Raoni et al. Safety Science 101 (2018) 209–219

Table 6 Table 8
Specification of the simulation. Process variables’ values.

P0 (petroleum column) 110.2 kPa Process variables Variable locationa Normal condition
Pressure drop equation Darcy-Weisbach
Roughness 4.572 × 10−5 m PN1 N1 - BP discharge 13.9 × 105 Pa
Straight length of the pipes [20 30 10 10 70 16.5 6 15.9 80 10 10 20 10] m FN1 N1 - BP discharge 0.31 m3/s
(for the 13 pipes) PN2 N2 - MP discharge 96.5 × 105 Pa
Diameter of the pipes (for the [1.40 1.407 0.74 0.58 1.04 0.58 0.48 0.23 0.58 FN2 N2 - MP discharge 0.21 m3/s
13 pipes) 0.23 0.18 0.38 0.18] m FN3 N3 - A1 0.21 m3/s
Density 937 kg/m3 FN4 N4 - A2 0 m3/s
Viscosity 206.14 cP FN5 N5 - A3 0.10 m3/s
Main pump ΔP equation (F (−1.8 × 10−8 F3 + 1.8 × 10−4 F2 − 0.28 F FN6 N6 - A4 0 m3/s
[=] m3/h) + 8456.53) kPa FN7 N7 - Duct 0 m3/s
Booster pump ΔP equation (F (2.8 × 10−8 F3 − 8.3 × 10−5 F2 + 0.051 F
[=] m3/h) + 1303.1) kPa a
BP = booster pumps and MP = main pumps.
Restriction condition of the Fmain.pump > 720 m3/h (0.20 m3/s)
main pump flow
the wrong position of XV-03 and HV-01 would lead to the same de-
Restriction condition of the Fbooster.pump > 320 m3/h (0.09 m3/s)
booster pump flow viations, their malfunction analyses are listed together in a single sce-
Orifice diameter of all four 2.6 in (0.0660 m) nario (scenario 3). Furthermore, since the normal system operation
orifices at A1 and A2 must be maintained during a minimal period of time to stabilize the
Orifice diameter of all four 2.8 in (0.0711 m) startup of the main pump, an analysis of the early pump alignment with
orifices at A3 and A4
Static head of the duct 600 m
the duct was needed (scenario 5).
Straight length of the duct 200000 m Simulating all the device malfunctions presented in Table 10, all the
Diameter of the duct 36 in (0.91 m) information required for the simulation result analysis may be obtained.
Given the employment of the simulation, the identification of the de-
viations in all the nodes presented in Fig. 4 does not make the analysis
3.1.3. Simulations: Normal operation larger. With the simulation results, the heuristic analysis can be per-
The normal operation includes the startup of one main pump with a formed to conclude the proposed procedure. The results of scenario 4
low flow rate (between 5% and 10% higher than the minimum flow are shown in Table 11, and its recommendation and note are presented
rate) aligned with A1 and one booster pump with no flow rate re- in Table 12.
striction aligned with A3. To understand the system behavior, the
pressure and flow rate at the discharge of the booster pump (PN1 and
3.1.6. Comparison between the results of the HAZOP and the proposed
FN1, respectively, at node N1), the pressure and flow rate at the dis-
procedure
charge of the main pump in operation (PN2 and FN2, respectively, at
The results of the HAZOP (Table 9) shows that “low pressure” at N2
node N2), the flow rate through the four orifice arrangements (FN3 for
is a consequence of several causes, including the inappropriate opening
A1, FN4 for A2, FN5 for A3 and FN6 for A4, respectively, at nodes N3, N4,
of HV-02 analyzed by the proposed procedure (Table 11). However, due
N5 and N6) and the flow rate at the duct (FN7 at node N7) were chosen
to the difference in the scenario characterization, the consequences of
as the process variables to be analyzed. The valve conditions are shown
the two scenarios are not the same. Furthermore, analyzing the results
in Table 7 and the operating values of the analyzed variables in Table 8.
of the other scenarios investigated by the proposed procedure, it was
possible to note that the further consequences of the HV-02 malfunction
3.1.4. HAZOP results are not the same as all the other analyzed device malfunctions that also
To apply the HAZOP method, the nodes proposed in Fig. 4 may be cause low pressure at N2. Table 13 shows the relations between the
employed. Here the method was applied only at nodes N1, N2 and N7, cause and the further consequences, obtained by the proposed proce-
which were enough for the purpose of the present work. Choosing dures, which have “low pressure” at node N2 as one of the process
“pressure” and “flow” as process variables and “high,” “low” and deviations.
“none” as guide words (“none” only for “flow”), 15 scenarios may be The analysis of Table 13 provides an understanding that different
analyzed. In Table 9 the result for the deviation “low pressure” at node causes can lead to different consequences, even if they have the same
N2 is shown. process deviation. Such a conclusion highlights the HAZOP’s difficulty
in identifying the scenario consequences given a unique deviation.
3.1.5. Proposed hazard analysis results Understanding that this same reasoning can be applied to safeguard
Having identified the system devices and their malfunctions, pre- identification, the employment of the natural sequence of cause and
sented in Table 10, the steps shown in Fig. 3 were applied. consequence events for hazard and safeguard identification is high-
Regarding the identified scenarios (Table 10), as it was considered lighted, since it is an important improvement for deviation hazard
that the booster pump recirculation system was correctly aligned, it was analysis.
not necessary to consider malfunctions of HV-03 and HV-04; given that
3.2. Offshore oil production
Table 7
Normal valve positions.
In this example the proposed procedure is applied to a unique de-
Valve Position vice malfunction (scenario) of a dynamic process of offshore oil pro-
duction. The risk assessment focused on the capacity and quality of the
UV-01 Close production, and therefore only some of the process deviations were
XV-01 Open
analyzed.
XV-02 Open
XV-03 Open
HV-01 Open 3.2.1. System description
HV-02 Close
During offshore oil production, the platform separates the produced
HV-03 Open
HV-04 Close water, oil and gas (the primary treatment) and controls the oil pro-
duction by injecting produced gas (gas-lift) into its wells. The

215
R. Raoni et al. Safety Science 101 (2018) 209–219

Table 9
HAZOP analysis: “low pressure” at node N2.

Table 10 3.2.2. Mathematical modeling

Studied device malfunctions. The building of a phenomenological model to represent the process
presented in Fig. 5 requires hard work. Process simulation is widely
Device Device malfunction Scenario number
applied for different process design purposes, it being possible to em-
XV-01 Valve closed 1 ploy the same built model for safety analysis. In this case the phe-
XV-02 Valve closed 2 nomenological model of the described process was built with the con-
XV-03 or HV-01 Valve closed 3 tributions of several studies (Ribeiro, 2012) for different purposes,
HV-02 Valve opened 4
UV-01 To early opening 5
which include the evaluation of the economic benefits of employing
Main pump Stop 6 slugging flow advanced control (Bendia, 2013). Thus, there was no
Booster pump Stop 7 need to build a new phenomenological model, since it had already been
implemented in the EMSO (Soares and Secchi, 2003), a dynamic pro-
cess simulator with simultaneous resolution.
representative flow chart of the process referred to is shown in Fig. 5.
To operate the system, a set of equipment and instruments is con-
trolled to maintain the needed pressures, flows, temperatures and le- 3.2.3. Simulations: Normal operation
vels. If some of the process devices do not operate as expected, the For the normal operation, the study considered the dynamic beha-
process starts to operate in an abnormal condition and its deviations vior of all the equipment and devices, the continuum production of the
may lead to undesirable consequences, such as out-of-specification oil, three wells and an efficient quality control of the produced oil, analyzed
out-of-specification water, changes in the production capacity and so by the BSW (basic sediments and water), and of the produced water,
on. analyzed by the OGC (oil and grease content). To understand the pro-
cess’s abnormal behavior, the process variables presented in Table 14

Table 11
Scenario 4 results: Pump recirculation system.

216
R. Raoni et al. Safety Science 101 (2018) 209–219

Table 12
Note and recommendation.

Note 1
As the “focus of fire” is a further consequence of the “high potency” and not necessarily the “high potency” lead to focus of fire, it was considered the frequency of the “focus of fire”
lower than the frequency of the “high potency”

Recommendation 1
Given the marginal risk, it is needed forecast some system safeguard, such as new alarms or automatic means, for the monitored variables (FI1, PI1, FI2, PI2)

Table 13 Table 14
Cause-consequence with “low pressure” deviations. Chosen process variables.

Cause Further consequences Process variables Variables description

HV-02 opened and UV-01 to *Damage to the main pump (high potency); Fgas Total gas flowrate production
earlier opening *Focus of fire Fwater Total water flowrate production
XV-02 closed *Damage to the main pump (no suction flow) Foil Total oil flowrate production
Booster pump stop *Damage to the main pump (flow lower than Pheader Pressure at the production manifold header
the minimum) OGC Oil and grease content
Main pump stop *No further undesirable process BSW Basic sediments and water
consequences Fflaregas Total gas flowrate relieved to the flare

were chosen to be analyzed, and Fig. 6 shows their normal values. and increases the oil (BSW) and water (OGC) contamination
(Fig. 6(e) and (f)); such oil and water contamination could be even
3.2.4. Proposed hazard analysis greater without the control system. The quantitative and time-depen-
In this example the inappropriate opening of the flare relief valve, dent deviation analysis identified a large amount of out-of-specification
located just after the safety gas K.O. drum and before the flare system, oil and water delivered to their downstream system, which could not be
was chosen as the device malfunction to be analyzed. The valve is de- designed to handle such a scenario. Table 15 shows the results of this
signed to relief gas to the flare to maintain the downstream pressure scenario simulation and heuristic analysis, in which the deviation va-
lower than 10.1 × 105 Pa (10 atm). In the normal condition, the valve lues were picked at 2000 s of the simulation.
downstream pressure is lower than 10 atm, and then the valve is closed
normally. The dynamic simulation considered the normal operation 4. Conclusions
until 1000 s, when a 40% inappropriate opening of the flare relief valve
was imposed. The dynamic simulation was continued until 3600 s to In this work a new procedure for the identification and analysis of
identify the consequent dynamic process behavior. The behavior of the hazardous process deviation based on process simulation was proposed,
chosen process variables (Table 14) is shown in Fig. 6. resulting in the following main achievements:
It can be noted in Fig. 6 that all the analyzed variables suffered
deviation with dynamic behavior given the simulated device malfunc- • The employment of an adequate sequence of cause and consequence
tion, and some of them did not reach their steady-state condition is events to manage hazard deviation analysis, which requires the
3600 s. The analyzed scenario reduces the manifold pressure characterization of a hazard scenario as device malfunctions;
(Fig. 6(d)), increases the production of gas, water and oil (Fig. 6(a)–(c)) • The analysis of the process abnormal behaviors caused by all

Fig. 5. Offshore oil production flow chart.

217
R. Raoni et al. Safety Science 101 (2018) 209–219

Fig. 6. (a) Fgas (kmol/h) – total gas flow rate production; (b) Fwater (kmol/h) – total water flow rate production; (c) Foil (kmol/h) – total oil flow rate production; (d) Pheader (atm) –
pressure at the production inlet header; (e) OGC (adm) – oil and grease content; (f) BSW (atm) – basic sediments and water; (g) Fflaregas (kmol/h) – total gas flow rate relieved to the flare.

possible system device malfunctions leads to a complete study of the undergo risk assessment;
process deviations; • The process hazard behaviors presented in the proposed table can be
• The employment of process simulation is necessary to understand used for real-time failure diagnosis in real plants, enhancing the
the non-linearities and dynamic behaviors of the process and to safety of their daily operation.
allow the quantification of the deviations, improving the quality of
the process deviation analysis results; The main characteristics of the proposed procedure consist of: (i)
• The separation of the computer-aided and heuristic consequence identifying the hazard scenario as a device malfunction, (ii) using
analysis. The “simulation result analysis” identifies and analyzes process simulation to identify and analyze process deviations and (iii)
deviations with advanced computational tools, and the “hazard analyzing the results of the simulation with a multidisciplinary group of
heuristic analysis” identifies and analyzes further consequences of specialists.
the deviations with expert opinion to cover hazard identification Comparing the proposed procedure with the traditional HAZOP,
and risk analysis that cannot be modeled computationally; which also analyzes process deviations, (i) the steps followed are more
• A unique device malfunction can lead to several deviations; conse- coherent with real process abnormal behavior; (ii) the understanding of
quently, several undesirable consequences can be identified and the process deviations is more accurate; (iii) the time required for

218
R. Raoni et al. Safety Science 101 (2018) 209–219

Table 15
Offshore oil production – Flare valve malfunction.

heuristic analysis is shorter; and (iv) the results assemble a wider range Engineering, pp. 389–384.
Eizenberg, S., Shacham, M., Brauner, N., 2006b. Combining HAZOP with dynamic si-
of abnormal conditions with a lower number of scenarios. mulation – applications for safety education. J. Loss Prev. Process Ind. 19, 754–761.
Furthermore, given the current importance of the process simula- Guimarães, A.C.F., Lapa, C.M.F., 2005. Hazard and operability study using approximate
reasoning in light-water reactors passive systems. Nucl. Eng. Des. 236, 1256–1263.
tion research area, its employment for safety purposes is the future of ISO-5167-2, 2003. Measurement of fluid flow by means of pressure differential devices
PHAs. In addition, given the proposed procedure, the use of computa- inserted in circular-cross section conduits running full. Part 2: Orifice Plates.
tional software enables the automation of the “simulation result ana- European Committee For Standardization, Brussels.
Kenneth, W.D., 2004. The FMEA Pocket Handbook, first ed.. Kenneth W. Dailey, USA.
lysis,” which is the main objective of “expert system” HAZOP research. Khan, F.I., Abbasi, S.A., 1997. Mathematical model for HAZOP study time estimation. J.
Loss Prev. Process Ind. 10 (4), 249–257.
Kletz, T.A., 1997. Hazop-past and future. Reliab. Eng. Syst. Saf. 55, 263–266.
Acknowledgments
Labovsky, J., Svandova, Z., Markos, J., Jelemensky, L., 2007. Model-based HAZOP study
of a real MTBE plant. J. Loss Prevent. Ind. 20 (3), 230–237.
The present work was accomplished with the support of CNPq, Lawley, H.G., 1974. Operability studies and hazard analysis. Chem. Eng. Prog. 70 (4),
45–56.
Conselho Nacional de Desenvolvimento Científico e Tecnológico – Leone, H., 1996. A knowledge-based system for hazard studies – The Knowledge re-
Brasil and CAPES, Coordenação de Aperfeiçoamento de Pessoal de presentation structure. Comput. Chem. Eng. 20, 269–274.
Nível Superior - Brasil. Li, S., Bahroun, S., Valentin, C., Jallut, C., De Panthou, F., 2010. Dynamic model based
safety analysis of a three-phase catalytic slurry intensified continuous reactor. J. Loss
Prevent. Ind. 23, pp. 437–445.
References Mannan, S., 2005. Lee’s Lost Prevention in the Process Industries – Hazard Identification,
Assessment and Control, vol. 1, third ed. Elsevier Butterworth-Heinemann, Oxford.
McDermott, R.E., Mikulak, R.J., Beauregard, M.R., 2009. The basic of FMEA, second ed.
AIChE, 2000. Guidelines for chemical process quantitative risk analysis, second ed. Center CRC Press Taylor & Francis Group, New York, USA.
for Chemical Process Safety of the American Institute of Chemical Engineers, New Ramzan, N., Compart, F., Witt, W., 2006. Methodology for the generation and evaluation
York. of safety system alternatives based on extended Hazop. AlChe 26 (1), 35–42.
Bartolozzi, V., Castiglione, L., Picciotto, A., Galluzzo, M., 2000. Qualitative models of Raoni, R., Secchi, A.R., Biscaia, E.C. Novel method for looped pipeline network resolu-
equipment units & their use in automatic HAZOP analysis. Reliab. Eng. Syst. Saf. 70, tion. Comput. Chem. Eng. < http://dx.doi.org/10.1016/j.compchemeng.2016.10.
49–87. 001 > .
Bendia, R.M., 2013. Economic Evaluation of Control Strategies for Slug Flow in the Ribeiro, C.H.P., 2012. Multivariable predictive control on platforms for production of oil
Separation Process of Offshore Platforms. Master dissertation (in Portuguese). with quality constrains. Master dissertation (in Portuguese). Electrical Engineering
Electrical Engineering Program – COPPE, Universidade Federal do Rio de Janeiro, Program – COPPE, Universidade Federal do Rio de Janeiro, Brazil.
Brazil. Shacham, M., Brauner, N., Cutlip, M.B., 2004. Open architecture modelling and simula-
Boonthum, N., Mulalee, U., Srinophakun, T., 2014. A systematic formulation for HAZOP tion in process hazard assessment. Comput. Chem. Eng. 24, 415–421.
analysis based on structural model. Reliab. Eng. Syst. Saf. 121, 152–163. Siu, N., 1994. Risk assessment for dynamic systems: an overview. Reliab. Eng. Syst. Saf.
Chiacchio, F., Compagno, L., D’Urso, D., Manno, G., Trapani, N., 2011. Dynamic fault tree 43, 43–73.
resolution: A conscious trade-off between analytical and simulative approach. Reliab. Soares, R.P., Secchi, A.R., 2003. EMSO: A new environment for modelling, simulation and
Eng. Syst. Saf. 96, 1515–1526. optimization. Comput. Aided Chem. Eng. 14 (C), pp. 947–952.
Chung, L., Chang, C., 2011. Petri-net models for comprehensive hazard analysis of Srinivasan, R., Venkatasubramanian, V., 1998a. Automatic HAZOP analysis of batch
MOCVD processes. Comput. Chem. Eng. 35, 356–371. chemical plants Part I: the knowledge representation framework. Comput. Chem.
Cocchiara, M., Bartolozzi, V., Picciotto, A., Galluzzo, M., 2001. Integration of interlocks Eng. 22 (9), 1345–1355.
system analysis with automated HAZOP analysis. Reliab. Eng. Syst. Saf. 74, 99–105. Srinivasan, R., Venkatasubramanian, V., 1998b. Automatic HAZOP analysis of batch
Crowl, D.A., Louvar, J.F., 2002. Chemical Process Safety Fundamentals with Applications, chemical plants Part II: Algorithms and application. Comput. Chem. Eng. 22 (9),
second ed. Prentice Hall International Series in the Physical and Chemical 1357–1370.
Engineering Sciences, New Jersey. Svandova, Z., Jelemensky, L., Markos, J., Molnar, A., 2005. Steady states analysis and
Cui, L., Zhao, J., Zhang, R., 2010. The integration of HAZOP expert system and piping and dynamic simulation as a complement in the HAZOP study of chemical reactors.
instrumentation diagrams. Process Saf. Environ. Prot. 88, 327–334. Process Saf. Environ. Prot. 83 (B5), 463–471.
Demichela, M., Camuncoli, G., 2013. Risk based decision making. Discussion on two Swann, C.D., Preston, M.L., 1995. Twenty-five years of HAZOPs. J. Loss Prev. Process Ind.
methodological milestones. J. Loss Prevent. Ind. 28, 101–108. 8 (6), 349–353.
Demichela, M., Marmo, L., Piccinini, N., 2002. Recursive operability analysis of a com- Tyler, B.J., 2012. HAZOP study training from the 1970s to today. Process Saf. Environ.
plex plant with multiple protection devices. Reliab. Eng. Syst. Saf. 77, 301–308. Prot. 90, 419–423.
Dunjó, J., Fthenakis, V., Vílchez, J.A., Arnaldos, J., 2010. Hazard and operability Wang, F., Gao, J., 2012. A novel knowledge database construction method for operation
(HAZOP) analysis. A literature review. J. Hazard. Mater. 173, 19–32. guidance expert system based on HAZOP analysis and accident analysis. J. Loss Prev.
Eizenberg, S., Shacham, M., Brauner, N., 2006. Combining HAZOP with dynamic process Process Ind. 25, 905–915.
model development for safety analysis. In: 16th European Symposium on Computer
Aided Process Engineering and 9th International Symposium on Process Systems

219