Application of Automated Hazard Analysis by New Multiple Process

Ind. Eng. Chem. Res. 2001, 40, 1891-1902


PROCESS DESIGN AND CONTROL

Application of Automated Hazard Analysis by New Multiple Process-Representation Models to Chemical Plants

Byounggwan Kang* and En Sup Yoon
School of Chemical Engineering, Seoul National University, Seoul 151-742, Korea

Jung Chul Suh
Kanagawa Industrial Technology Research Institute, Ebina 243-0435, Japan

It has been recognized that traditional hazard-analysis methods have drawbacks: they are arduous, tedious, and time-consuming; they require multidisciplinary knowledge; and they demand considerable cognitive effort from the analysts. To overcome these problems, new process-knowledge representation models for hazard analysis are devised using multiple modeling concepts. The models consist of the unit function model, the unit behavior model, the process structure model, and the process material model. They are used to describe chemical processes from a safety-oriented point of view. From these models, three hazard-analysis algorithms (deviation analysis, malfunction analysis, and accident analysis algorithm) are proposed. In this article, the overall system, which is implemented in the G2 language, is described and applied to olefin dimerization plants. The results show that more possible accidents can be identified and that the developed methodology has the ability to capture process hazards in terms of both functional failure and unexpected variable deviations, thereby improving the quality of the hazard analysis.

Introduction

Hazard analysis, which is carried out to identify potential hazards existing in a process, is one of the basic tasks required to ensure the safety of chemical plants.1 Traditionally, hazard analysis has been performed by human experts. There are many kinds of hazard identification methods at each process stage. For example, there are techniques such as checklists; what-if analysis; preliminary hazard analysis (PHA); hazard and operability study (HAZOP); failure modes, effects, and criticality analysis (FMECA); fault tree analysis (FTA); and so on. Regardless of the method used, however, there is no guarantee that all of the accident causes and effects in the plant have been considered.2-4 Currently used hazard-analysis methods have both favorable and unfavorable characteristics.
General unfavorable aspects of hazard analysis are that it is arduous, tedious, and time-consuming work that requires multidisciplinary knowledge and demands considerable cognitive effort from the analysts. To overcome these problems, various attempts were made to automate this work by utilizing computer technology, particularly in the area of knowledge-based techniques.5-10 However, these approaches have essentially been limited to specific hazard-analysis techniques such as HAZOP, FMEA, or FTA. Most of the past approaches also have several drawbacks as follows: (1) The existing systems do not consider safeguards. (2) They are limited in the variety of accidents they represent. (3) The existing systems present only causes and consequences of variable deviations, so it is hard to determine what happens during the development of accidents. (4) The existing systems either infer hazards from variable deviations or identify hazards by positing faults but do not attempt to combine both methods. These drawbacks of the existing systems are due to their limitations in capturing and utilizing all forms of available information. Thus, it is important to develop an appropriate process-representation model that is suitable for the objectives of hazard analysis.

The models developed here are based on the multiple modeling concepts suggested by Chittaro.11 The advantage of using multimodel concepts is the improvement in the effectiveness and efficiency of reasoning processes through cooperation of multiple models. The central idea in this article is to represent a chemical process adequately for hazard analysis in terms of function, behavior, structure, and material properties; to organize the representations into reasoning algorithms; and to apply these algorithms to real chemical processes. In this article, the models and algorithms are explained briefly. More rigorous details for the models and algorithms are provided in previously published papers.12,13 This paper modifies and rearranges the models and algorithms originally suggested in those publications. The constructed automated PHA system AHA (automatic hazard analyzer) is introduced, and the user interfaces are explained. As an implementation of the developed system, an olefin dimerization plant, which is a real chemical process plant, is considered and shown to yield fairly good results.

* Corresponding author. Telephone: +82 (2) 887 7232. Fax: +82 (2) 889 1101. E-mail: [email protected].

10.1021/ie000745d CCC: $20.00 © 2001 American Chemical Society Published on Web 03/16/2001

Ind. Eng. Chem. Res., Vol. 40, No. 8, 2001

Process-Knowledge Representation Models

The object of hazard analysis is to identify potential hazards in process plants. To achieve this goal, an approach to automated hazard analysis must be based on an understanding of the possible accidents. If a process is designed properly, every accident begins with a malfunction of a certain process unit. The cause of this malfunction can be classified as mechanical failure, human error, or an external event (we call these ultimate malfunctions). The pathway through which an accident occurs can be described as follows: First, an immediate malfunction of a process unit is caused by an ultimate malfunction such as mechanical failure, human error, or an external event. This immediate malfunction causes variable deviations by influencing process variables within the unit. The variable deviations propagate via stream integration to the adjacent unit. These malfunctions and deviations result in various accidents according to the chemical properties or characteristics of the process units. Figure 1 shows a general accident-development sequence.

Figure 1. General accident-development sequence.

From the above accident-development sequence, it is obvious that functional failure and unexpected variable deviations should be modeled. However, none of the past approaches include process-knowledge representation models in this way. In this effort to build better process models for hazard analysis, a multimodel is adopted. It is known that, in general, no single model is adequate for a wide range of problem-solving tasks.11 Therefore, it can be said that a multimodel approach, in which different models are used for different tasks and reasoning algorithms effectively use them in a cooperative way, is adequate for chemical processes, which are generally regarded as large and complex.
The types of information chosen as the core elements of chemical process representation in this study are as follows: hierarchical structure between ultimate malfunction and immediate malfunction in a process unit; relationship between variable deviation and malfunction; causal relationship among variables of a process unit; relationship among malfunction, deviation, and accident; spatial arrangement of process units (process topology); function of safety unit and control system; and connective relationships with process units. Generally, these knowledge bases can be derived from fundamental physical principles, past process operation history, and the prior experience of process experts. Figure 2 shows the relationships of the knowledge-representation models developed here.
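
The accident-development sequence and the information types listed above can be traced mechanically. The following Python code is an added example, not the authors' G2 implementation: unit names, malfunctions, accident rules and safeguards are taken from the PIPE-4 case study later on this page, while the data layout, the function names, the PUMP-1 to CECKV-1 link, the rating values and the Nf >= 2 flammability threshold are assumptions.

```python
"""Added example: deviation analysis over small versions of the four models."""

# Process structure model: one frame per unit, in main-stream order.
# The PUMP-1 -> CECKV-1 link is assumed; the other links are stated on the page.
STRUCTURE = {
    "PUMP-1":    {"type": "pump",          "to": "CECKV-1",   "materials": ["hydrocarbon"]},
    "CECKV-1":   {"type": "check valve",   "to": "CV-1",      "materials": ["hydrocarbon"]},
    "CV-1":      {"type": "control valve", "to": "PIPE-4",    "materials": ["hydrocarbon"]},
    "PIPE-4":    {"type": "pipe",          "to": "SETTLER-1", "materials": ["hydrocarbon"]},
    "SETTLER-1": {"type": "settler",       "to": None,        "materials": ["hydrocarbon", "water"]},
}

# Process material model: NFPA-style ratings 0..4 (values constructed for this example).
MATERIALS = {"hydrocarbon": {"Nf": 3, "Nh": 1, "Nr": 0},
             "water":       {"Nf": 0, "Nh": 0, "Nr": 0}}

# Unit function model: malfunction chains (ultimate -> immediate) behind a deviation.
FUNCTION = {
    "pump":          {"no flow": [["power failure", "pump failure"]]},
    "check valve":   {"no flow": [["overtight packing", "stuck closed"]]},
    "control valve": {"no flow": [["lubrication dried out", "stuck closed"], ["failed closed"]]},
    "pipe":          {"no flow": [["completely blocked"], ["fracture"]]},
    "settler":       {},
}

# Unit behavior model, reduced to the deviations a unit passes from inlet to outlet.
BEHAVIOR = {unit_type: {"no flow"} for unit_type in FUNCTION}


def flammable(unit):
    """True if any material in the unit has Nf >= 2 (threshold is an assumption)."""
    return any(MATERIALS[m]["Nf"] >= 2 for m in STRUCTURE[unit]["materials"])


def is_type(kind):
    """Build a unit condition that checks the equipment type."""
    return lambda unit: STRUCTURE[unit]["type"] == kind


# Accident rules from the page: (trigger kind, trigger, unit condition, accident chain).
RULES = [
    ("malfunction", "fracture", flammable,          ["material release", "fire"]),
    ("deviation",   "no flow",  is_type("pump"),    ["equipment damage"]),
    ("deviation",   "no flow",  is_type("settler"), ["running dry"]),
]
SAFEGUARDS = {"running dry": ["LC", "LI"]}  # level controller, level indicator


def downstream(unit):
    """Units from `unit` to the end of the stream, following the structure model."""
    path = []
    while unit is not None:
        path.append(unit)
        unit = STRUCTURE[unit]["to"]
    return path


def accidents(unit, kind, trigger):
    """Accident chains whose rule matches the trigger and the unit condition."""
    return [chain for k, t, cond, chain in RULES if (k, t) == (kind, trigger) and cond(unit)]


def deviation_analysis(target, deviation):
    """Find malfunctions that can cause `deviation` at `target` and the accidents that follow."""
    sources = [u for u in STRUCTURE if target in downstream(u)]  # target plus upstream units
    target_chains = FUNCTION[STRUCTURE[target]["type"]].get(deviation, [])
    result = {"root_malfunctions": [c[-1] for c in target_chains], "pathways": [], "safeguards": {}}
    for src in sources:
        for chain in FUNCTION[STRUCTURE[src]["type"]].get(deviation, []):
            steps = [(m, src) for m in chain]
            # Accidents triggered directly by the immediate malfunction in the source unit.
            for acc in accidents(src, "malfunction", chain[-1]):
                result["pathways"].append(steps + [(deviation, src)] + [(a, src) for a in acc])
            # Propagate the deviation unit by unit and fire the deviation rules on the way.
            for unit in downstream(src):
                steps = steps + [(deviation, unit)]
                for acc in accidents(unit, "deviation", deviation):
                    result["pathways"].append(steps + [(a, unit) for a in acc])
                if deviation not in BEHAVIOR[STRUCTURE[unit]["type"]]:
                    break  # this unit type does not pass the deviation on
    for path in result["pathways"]:
        final_accident = path[-1][0]
        if final_accident in SAFEGUARDS:
            result["safeguards"][final_accident] = SAFEGUARDS[final_accident]
    return result


def fmt(path):
    """Render one pathway as 'event in UNIT -> event in UNIT -> ...'."""
    return " -> ".join(f"{event} in {unit}" for event, unit in path)


if __name__ == "__main__":
    report = deviation_analysis("PIPE-4", "no flow")
    print("root malfunctions:", report["root_malfunctions"])
    for p in report["pathways"]:
        print(fmt(p))
    print("safeguards:", report["safeguards"])
```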

Figure 2. Relationships of the required information for automated hazard analysis.

Figure 3. Slots of the process structure model.

Process Structure Model. The process structure model includes information about the spatial arrangements of units and the connective relationships among process units. This type of knowledge describes which units constitute the plant and how they are connected to each other. It is used in reasoning about the causes and effects of malfunctions or deviations throughout the entire process. This information can show the propagation path of the process fault, allow for the failed unit to be identified, and represent the diversity of accidents according to the characteristics of the equipment. The process structure model is represented by a frame structure for the process stream and the side stream. Each piece of unit equipment is represented through the following slots: name, unit ID, connected from, connected to, safety unit, materials, and so on. Figure 3 shows a format for the process structure model, and Figure 4 shows the process structure model of a feed section of the olefin dimerization plant that will be discussed in the case study.

Figure 4. Example process structure model.

Process Material Model. The process material model represents hazard indices, and for each material, the hazard index is composed of the flammability hazard rating (Nf), the health hazard rating (Nh), and the reactivity hazard rating (Nr). Each index has a number varying from 0 to 4, and the larger number implies the more hazardous material. The NFPA (National Fire Protection Association) code is adopted for this index.14,15 The concept of the hazard index is shown in Figure 5. In addition to the hazard indices of each process material, knowledge about the reaction hazards must also be captured. A variant of the basic reaction matrix16 is introduced to represent this type of information. This matrix has rows and columns labeled with the various types of materials that are present in plants, and each element of the matrix represents the potential reaction phenomena for each material pair. The hazard indices and reaction matrix compose the process material model. This model provides additional information about the accidents found by the inference algorithms and determines, according to the hazards of each material, whether an accident that has occurred can propagate to other accidents. Figure 6 shows the reaction matrix.

Figure 5. Concept of the hazard index.

Figure 6. Example reaction matrix.

Unit Behavior Model. The unit behavior model needed in hazard analysis is used to describe the causal influences of variable deviations in every process unit. Identifying causal relationships of process variable deviations is very important because it describes the behavior of the system along the process structure.17-19 Among many variables showing states of process, the variables of interest in hazard analysis are pressure (P), temperature (T), flow rate (F), composition (C), level (L), reaction (r), and so on. Using these variables, the fault propagation relationship can be identified. Each variable has three states (high, low, and no) and is separated into inlet, internal, or outlet according to its location within a process unit. For each variable, classes are defined, and the locations and kinds of variables are identified independently by name. To derive the unit behavior model of a unit, meaningful inlet, internal, and outlet variables are identified. Then, causal relationships between these identified variables are specified. Internal variables and outlet variables are assumed to be effect variables, and high and low deviation states of these variables are connected to immediate causal variable deviations that are elicited by the specified causal relationships. In Figure 7, the unit behavior model of a pipe is shown.

Figure 7. Unit behavior model of a pipe.

Unit Function Model. The unit function model is intended to show a malfunction hierarchy of process equipment failure. It also shows how a process unit


Figure 8. Unit function model of a heat exchanger.

affects the variables within it. There have been many attempts to represent information about process units in terms of function, and each approach adopts a different concept of function.20-24 In this study, the concept of function is defined as an action that the unit performs on the substances flowing through it (more precisely, its role on the variables representing the state of the unit). This model determines the causes inducing each process unit to a high or low malfunction state for each inlet, internal, and outlet variable. The same malfunction can affect more than two variables, and the number of malfunctions varies according to factors such as the kind of unit, scope of analysis, and so on. Here, “high malfunction state” means “to function on a variable more than the designer’s intention”, and “low malfunction state” means “to function on a variable less than the designer’s intention”. The procedure for developing the unit function model is summarized as follows. First, meaningful inlet, internal, and outlet variables are selected regarding the characteristics of the unit. Then, the root malfunctions of the high and low malfunction states that have effects on the variables are identified and connected to the variables. The ultimate and intermediate malfunctions that cause the immediate malfunction are inferred by backward reasoning, and through this procedure, the malfunction hierarchy is established for the process unit. The unit function model of a heat exchanger is


Figure 9. Flowchart of the deviation analysis algorithm.

Figure 10. Flowchart of the malfunction analysis algorithm.

Figure 11. Flowchart of the accident analysis algorithm.

Figure 12. Overall system architecture.

shown in Figure 8. In this figure, we can see that the malfunction hierarchy is presented from the ultimate malfunction to the immediate malfunction and that each immediate malfunction is connected to the corresponding high or low deviated variable. The unit function model provides pathways for accident development.

Development of Hazard-Analysis Algorithms

The system developed in this paper includes the following three hazard-analysis algorithms: the deviation analysis algorithm, the malfunction analysis algorithm, and the accident analysis algorithm. Each of the above models has its own basic reasoning utilities provided by the model itself. These algorithms, though, support the opportunistic navigation among models in order to allow each individual step of the problem-solving activity to exploit the most appropriate knowledge source.

Deviation Analysis Algorithm. In the deviation analysis algorithm, inference is started from the given variable deviation. This algorithm searches the root malfunction, which is the cause for a given deviation, from the unit function model of the target unit. Next, from the unit behavior model, the algorithm identifies all variable deviations in other units that result in the given deviation. These are called cause deviations. The algorithm then searches cause malfunctions for cause deviations in those units. Finally, possible accidents are inferred by the accident analysis algorithm, and corresponding safeguards are suggested. Deviation analysis results are composed of the root malfunction, given deviation, cause deviation, effect


Figure 13. Screen capture of the accident analysis algorithm implemented on AHA.

deviation, accidents, and safeguards. Figure 9 shows a flowchart of the deviation analysis algorithm.

Malfunction Analysis Algorithm. The malfunction analysis algorithm starts inference from malfunctions in a unit selected by the user. Effects that the given malfunctions bring to the variables are determined. Those variable deviations might be one or more than two. Then, the algorithm searches possible effects of these deviations in other units, using the process structure model and the unit behavior model. After all possible effects are identified, the accident algorithm determines the possible accidents and safeguards as in the deviation analysis algorithm. Malfunction analysis results are composed of the given malfunction, the effect deviation, accidents, and safeguards. In Figure 10, a flowchart of the malfunction analysis algorithm is presented.

Accident Analysis Algorithm. The accident analysis algorithm infers every possible accident occurring in a plant from information about the physical states in all of the units and about materials flowing within the units. To accomplish this objective successfully, the algorithm gets information from the process material model for each material in terms of flammability, reactivity, and toxicity. The unit knowledge models support the identified malfunctions and variable deviations. The process structure model also provides specific unit characteristics. With these kinds of information, using the rule representation method, possible types of accidents are deduced, and information about the safeguard arrangement status is given by the process structure model. Typical accident types are as follows: (1) situations associated with malfunctions and material properties, e.g., leaking + toxic material → personnel injury; (2) situations associated with variable deviations and material properties, e.g., high temperature + flammable material → fire; and (3) situations associated with variable deviations and characteristics of the unit, e.g., no inlet flow + pump → pump damage. The accident analysis algorithm assists the deviation analysis and malfunction analysis algorithms by generating potential accidents from given hazard information at the last step of the deviation and malfunction analysis algorithms. Figure 11 shows the concept of the accident analysis algorithm.

Overall System Architectures. Figure 12 shows an overall architecture for the developed system. It is composed of a global inference engine that controls the whole inference process, three subsidiary inference algorithms, and four process-knowledge representation models.

System Development. Using the above process-knowledge representation models and hazard-analysis algorithms, an automated hazard analyzer (AHA) is constructed using the expert system development tool G2.25 For each process and unit model, analysis algorithm, and inference engine, a workspace is provided to make it easy to add new process units or to modify them. In the process-structure model, connective relationships


Figure 14. Generation of undesired deviation in a pipe.

of process units are made in such a way that they are easy to connect, split, and modify. Therefore, implementing them in G2 is very easy, and such types of connective information are automatically stored in G2. Figure 13 shows a screen capture of an accident analysis algorithm implemented on an AHA system. The unit behavior, unit function, and process material models are made using the “Class” and “Relation” representation methods, and the process structure model is made using the “Frame” representation method. In reasoning algorithms, the “Rule” and “Procedure” representation methods are used. The currently developed system starts the analysis by putting a malfunction or undesired deviation in specific equipment, as shown in Figure 14.

Hazard Analysis for Feed Section of Olefin Dimerization Plant

Case Study. As a case study using AHA, an analysis is performed for the feed section of an olefin dimerization plant, which is shown in Figure 15. This process is cited from Loss Prevention in the Process Industries.4 An alkene/alkane fraction containing small amounts of suspended water is continuously pumped from bulk intermediate storage via a 0.5-mile pipeline section into a buffer/settling tank. Residual water is settled out prior to passing via a feed/product heat exchanger and preheater to the reactor section. The water, which has an adverse effect on the dimerization reaction, is run off manually from the settling tank at intervals. The residence time in the reaction section must be held within closely defined limits to ensure adequate conversion of the alkene and to avoid excessive formation of polymer. A process structure model for the feed section of this process, which has already been shown in Figure 4, consists of pumps, valves, pipes, and a settling tank. For the feed section of the olefin dimerization process, the process materials are just a hydrocarbon mixture and water. Therefore, the only essential material hazard information is the fire hazard of the hydrocarbon mixture. Table 1 shows a conventional HAZOP study result for the deviation “NO FLOW in PIPE-4”.4 The suggested causes and consequences are primary ones, and they do not show the accident development paths because they are just a collection of individual reasons for or effects of the given undesirable deviation. Figure 16 shows a result screen of the deviation analysis for this process by AHA, when no flow occurred in a pipe connected at the input of the buffering/settling tank (named PIPE-4 here), and the corresponding tree-structured result is shown in Figure 17. Here, the analysis result is not presented for the entire process but only for the part around PIPE-4.

Deviation Analysis. The procedure of the deviation analysis applied here is as follows: First, the deviation analysis searches the root malfunction using the unit function model of the pipe. As a result, CB (completely


Figure 15. Olefin dimerization plant.

Table 1. Results of Conventional HAZOP Study

Conventional HAZOP Study Causes:
  No hydrocarbon available at intermediate storage
  Pump-1 fails
  Line blockage or LCV fails shut
  Line fracture

Conventional HAZOP Study Consequences:
  Loss of feed of reaction section and reduced output
  Polymer formed in heat exchanger under no flow conditions
  Pump-1 overheats
  Hydrocarbon discharged out
  Pump-2 overheats

blocked) and FR (fracture) are suggested as the possible primary (or direct) root malfunctions (mechanical failures) of the deviation “NO FLOW in PIPE-4”. The algorithm then finds “no inlet flow” as a cause deviation from the unit behavior model. From the position of this variable (inlet variable), the control valve CV-1, which is connected at the input of the pipe, is detected through the process structure model. The unit behavior model of the control valve then suggests “no outlet flow” as an effect deviation and “no internal flow” as a cause deviation, and a cause malfunction of that cause deviation is identified from the unit function model of the control valve. In the unit function model of the control valve, the major variable deviations are connected to the cause malfunctions. In this case, FC (failed closed) and SC (stuck closed) of the control valve can be found. In this way, the algorithm identifies all causes of the given deviation for the backward (against the direction of process material flow) units of PIPE-4. In the same way, consequences of the given deviation can be found through the reasoning of the AHA system. For example, the unit right after PIPE-4 is SETTLER-1. If there is no flow in PIPE-4, there might be no material supply to the settler; hence, accidents such as “settler running dry” might occur. Malfunctions are not considered in the evaluation of consequences because malfunctions are always in a causal position relative to the undesired variable deviations.

After evaluating causes and consequences of the given deviation, the accident analysis algorithm starts generating possible process accidents from the existing hazardous components. For example, there is a fire hazard because of the process material. There are also other hazardous components such as CB or FR. The accident analysis algorithm generates possible accidents in PIPE-4 with its rule-based framework as follows: fracture + flammable material → material release → fire. The algorithm generates other accidents in the backward and forward units. For example, no flow + pump → equipment damage in PUMP-1, no flow + settler → running dry in SETTLER-1, and so on. These accidents are shown in Figure 17. After evaluating potential accidents by the accident analysis algorithm, the deviation analysis algorithm finally generates the safeguards based on the generated possible accidents. In Figure 17, LC (level controller) and LI (level indicator) are suggested as preventive safeguards against “running dry of the settler”.

Characteristics of the Developed System. We can see that AHA has found many more causes and consequences than the conventional HAZOP study and that AHA suggests more detailed results. The results show that accidents such as pressure buildup, material release, fire, and running dry can occur in this process. In addition, for the accident “running dry in settling tank”, for example, a level controller or level indicator is suggested as a safeguard. In conventional automatic PHA systems, safeguards were seldom considered. Another difference in the suggested system, unlike other automatic hazard-analysis techniques or systems,


Figure 16. Deviation analysis result screen for “NO FLOW in PIPE-4”.

is that the result of the developed system shows the intermediate steps of the accident. From the results of the case study, several accident development pathways in the case of “NO FLOW in PIPE-4” can be easily evaluated. As we can see in Figure 17, causes of “NO FLOW” can be in PIPE-4, CV-1, CECKV-1, or PUMP-1. For example, accidents can develop along the following pathways: (1) power failure of PUMP-1 → pump failure → no flow in PUMP-1 → equipment damage in PUMP-1, (2) overtight packing of CECKV-1 → stuck closed of CECKV-1 → no flow in CECKV-1 → no flow in CV-1 → pressure buildup, (3) lubrication dried out in CV-1 → stuck closed of CV-1 → no flow in CV-1 → no flow in PIPE-4 → no flow in SETTLER-1 → running dry of SETTLER-1, and (4) fracture of PIPE-4 → no flow in PIPE-4 → material release in PIPE-4 → fire. Whereas conventional HAZOP or the other automatic PHA systems only suggest primary causes and consequences of the given deviation, the system established here not only evaluates these causes and consequences but also generates various accident development pathways. Therefore, it can be said that the devised system offers intuitive, transparent explanations of its reasoning process, thereby enhancing the reliability of the inference result.

With regard to convenience in performing an analysis, the current system requires some effort from users in preparing the input data. The system already has much information containing the malfunction and variable-deviation characteristics of typical units. They are process-generic. However, when users want to perform a hazard analysis for a process, they should compose the process structure and process material models for the specific process; such models are process-specific. In the case of the process material model, hazard indices are process-generic, but the reaction matrix is process-specific. Sometimes efforts for the construction of process-specific knowledge bases can be considerable. However, because the G2 workspace provides an easy means for the connection, splitting, and modification of object components, those efforts can be much reduced. To perform HAZOP, teams of experts should brainstorm for a few days to evaluate process hazards, and the results of their study must be rearranged and written as a report. Compared to that, the developed system has strengths in its time- and labor-saving aspects, although a more convenient method for process-specific data input should be devised.

Figure 17. Result of deviation analysis for “NO FLOW in PIPE-4” in AHA as a tree structure.

The Scope of the Model. Figure 18 represents the arrangement and causal relationships of the overall process model. The process structure model is a fundamental workspace where reasoning processes are executed. The malfunction and deviation analysis algorithms search hazard components using the unit knowledge model. Actual accidents are identified using rule-based reasoning in the accident analysis algorithm, and all possible hazardous situations and accident development pathways are evaluated. Concerning analysis of complex plants containing many recycle and bypass flows, this system first tries to decompose streams into process (main) stream and side stream12,13 and then performs analyses for the process streams. In many cases, therefore, complex plant streams can be simplified to main process streams that do not have recycle streams. However, when there are recycle streams that are main flows and cannot be decomposed into side streams, it is generally difficult to construct the unit behavior model and to apply the system to such plants. This topic needs more research for applicability.

With regard to the application phase of this automated PHA system, this analysis technology is appropriate for the generation of additional safety protection layers and for the basic design review phase when the control systems are not completely designed. Therefore, the analysis results often include suggestions for control or sensor system installation. In hazard analysis, the control system is considered through two aspects: it can be a process unit that causes variable deviations when a malfunction occurs in a sensor, controller, and/or control valve and a safeguard when it works in a normally functioning state.

Figure 18. Conceptual arrangement of the overall process-representation model.

Concluding Remarks

Many process models intended to represent chemical plants have been proposed. However, most of them were developed for control, fault diagnosis, or process simulation. Such models do not deal with the malfunction concept. In this study, a methodology for automated hazard analysis of chemical plants was presented, and an AHA system was developed for implementation of the proposed strategy. The information required for hazard analysis is identified through the accident propagation path, and the models that represent these kinds of information are constructed from the viewpoints of function, behavior, structure, and material properties. The developed system is composed of four process-knowledge representation models (the unit behavior model, the unit function model, the process structure model, and the process material model) and three hazard-analysis algorithms (the deviation, malfunction, and accident analysis algorithms). The developed system could perform hazard analysis in terms of both malfunctions and deviations. These results can be mutually complementary, so this system can detect the potential accident more exhaustively than other hazard-analysis systems with narrower viewpoints. As a result, the quality of the hazard analysis is much improved. The accident analysis algorithm incorporates the physical state of the process with the material knowledge base, by which all conceivable types of accidents can be represented. The developed system shows intermediate steps leading to an actual accident, so it provides valuable information for understanding accidents, and the information can be used for other hazard-assessment activities. An analysis example was provided by applying this method to the feed section of an olefin dimerization plant, and an enhanced hazard-analysis capability was demonstrated.

Acknowledgment

We acknowledge the financial aid for this research provided by the Brain Korea 21 Program supported by the Ministry of Education and the National Research Lab Grant of the Ministry of Science & Technology.

Literature Cited

(1) Greenberg, H. R.; Cramer, J. J. Risk Assessment and Risk Management for the Chemical Process Industry; Van Nostrand Reinhold: New York, 1991.
(2) Center for Chemical Process Safety (CCPS). Guidelines for Hazard Evaluation Procedures, 2nd ed.; American Institute of Chemical Engineers: New York, 1992.
(3) Crowl, D. A.; Louvar, J. F. Chemical Process Safety: Fundamentals with Applications; Prentice Hall: New York, 1990.
(4) Lees, F. P. Loss Prevention in the Process Industries; Butterworth: London, 1980.
(5) Weatherill, T.; Cameron, I. T. A Prototype Expert System for Hazard and Operability Studies. Comput. Chem. Eng. 1989, 13, 1229.
(6) Catino, C. A.; Ungar, L. H. Model-Based Approach to Automated Hazard Identification of Chemical Plants. AIChE J. 1995, 41, 97.
(7) Vaidhyanathan, R.; Venkatasubramanian, V. Digraph-based models for automated HAZOP Analysis. Reliab. Eng. Syst. Saf. 1995, 50, 33.
(8) Khan, F. I.; Abbasi, S. A. TOPHAZOP: A knowledge-based software tool for conducting HAZOP in a rapid, efficient yet inexpensive manner. J. Loss Prev. Process Ind. 1997, 10, 333.
(9) Schubach, S. A modified computer hazard and operability study procedure. J. Loss Prev. Process Ind. 1997, 10, 303.


(10) Galluzo, M.; Bartolozzi, V.; Rinaudo, C. Automating HAZOP analysis of batch process. Comput. Chem. Eng. 1999, 23, S661.
(11) Chittaro, L.; Guida G.; Tasso C.; Toppano, E. Functional and Teleological Knowledge in the Multimodeling Approach for Reasoning About Physical Systems: A Case Study in Diagnosis. IEEE Trans. Syst., Man Cybernet. 1993, 23, 1718.
(12) Suh, J. C.; Lee, S.; Yoon, E. S. New strategy for automated hazard analysis of chemical plants. Part 1: Knowledge modeling. J. Loss Prev. Process Ind. 1997, 10, 113.
(13) Suh, J. C.; Lee, S.; Yoon, E. S. New strategy for automated hazard analysis of chemical plants. Part 2: Reasoning algorithm and case study. J. Loss Prev. Process Ind. 1997, 10, 127.
(14) NFPA Code 325M Fire Hazard Properties of Flammable Liquids, Gases, and Volatile Solids; National Fire Protection Association: Quincy, MA, 1991.
(15) NFPA Code 49 Hazardous Chemical Data; National Fire Protection Association: Quincy, MA, 1991.
(16) Taylor, J. R. Risk Analysis for Process Plant, Pipelines and Transport; E&F N Spon: London, 1994.
(17) Kuipers, B. Commonsense Reasoning about Causality: Deriving Behavior from Structure. Artif. Intell. 1984, 24, 169.
(18) De Kleer, J.; Brown, J. S. A Qualitative Physics Based on Confluences. Artif. Intell. 1984, 24, 7.
(19) Iwasaki, Y.; Simon, H. A. Causality in Device Behavior. Artif. Intell. 1986, 29, 3.
(20) Finch, F. E.; Kramer, M. A. Narrowing Diagnostic Focus Using Functional Decomposition. AIChE J. 1988, 34, 25.
(21) Keuneke, A. M. Device Representation - The Significance of Functional Knowledge. IEEE Expert 1991, April, 22.
(22) Lind, M. Modeling goals and functions of complex industrial plants. J. Appl. Artif. Intell. 1994, 8, 259.
(23) Rasmussen, B.; Whetton, C. Hazard identification based on plant functional modelling. J. Loss Prev. Process Ind. 1997, 55, 77.
(24) Modarres, M.; Cheon, S. W. Function-centered modeling of engineering systems using the goal tree-success tree technique and functional primitives. J. Loss Prev. Process Ind. 1999, 64, 181.
(25) G2 Reference Manual, version 4.1; Gensym Corporation: Cambridge, MA, 1999.

Received for review August 11, 2000
Accepted January 24, 2001
IE000745D