Integration of HAZOP and FMEA analysis in an interactive support system

M. Galluzzo, V. Bartolozzi*, V. Puccia,

University of Palermo, Dipartimento di Ingegneria Chimica dei Processi e dei Materiali, Viale delle Scienze, 90128 Palermo, Italy

E-mail: galluzzo@unipa.it *Regional Environmental Protection Agency, ARPA Sicilia,

Via Ugo La Malfa 162, 90100 Palermo, Italy

Abstract Some results of the implementation of a new support tool for automated hazard analysis are presented in this paper. We describe in detail the further progresses on the application of intelligent systems to the hazard analysis and especially to the HAZOP and FMEA analysis. A previously developed program, that allows the automatic generation of the report of the HAZOP analysis as regards the determination of causes and consequences of variable deviations, has been enriched with the knowledge useful to perform a part of the FMEA analysis for the components of the control and the interlock systems of the plant. The advantages and limits of the use of the support tool for the HAZOP and FMEA analyses and of the qualitative modelling adopted for the knowledge representation are critically discussed. Keywords: HAZOP, FMEA, Safety analysis, Automatic support systems Introduction The identification of the risk of a potentially dangerous installation plays a fundamental part in attaining a desired level of safety. This phase consists of identifying the possible significant incidents through applying systematic investigation techniques. In the process industry the principal investigation method for this objective is the Hazard and Operability Analysis (HAZOP) proposed by Lawley (1974). The HAZOP analysis is conducted by a team of plant experts (process and instrument technicians, process and control engineers, etc.) led by a safety analyst through the careful examination of the possible consequences of the disturbances in the plant originated by component failures or human errors. In fact the HAZOP analysis of a plant requires a wide variety of knowledge which ranges from the method in itself to the plant layout and to the equipment, both in functional and structural terms, from the chemical-physical characteristics of substances to the plant instrumentation, from the operative procedures to the protection systems.

In order the HAZOP analysis be automated, it must be translated in a series of procedures and rules, which will define a systematic application of keywords to the main process variables of the nodes in which the plant is subdivided. A computer support for the HAZOP analysis, which goes beyond the simple recording of the analysis, a common characteristic of several commercially available products, must be able to provide at least a guide in carrying out the analysis. During the last years several researches have been conducted into using computer systems to facilitate where possible the work of the analysts and at the same time prevent errors when applying the technique (McCoy et al. 1999, Bartolozzi et al. 2000). Venkatasubramanian, Zhao and Viswanathan (2000) reviewed the progress in this area over the past few years. All approaches to automated hazard analysis still consist in academic prototypes that are usually shown applied to simple industrial case. In a previous work (Bartolozzi et al. 2000) we also addressed the issue of automating the HAZOP analysis for continuous, semi continuous and batch chemical plants, starting from the support system for hazard analysis STARS, Software Tool for Analysis of Reliability & Safety (European Commission 1997), modified in order to include a new module, HAST, HAZOP Support Tool (Cocchiara et al. 2001). By the same authors a new prototype support system WiTH, Windows Tool for HAZOP analysis, dedicated to the automatic hazard analysis has been recently proposed (Galluzzo et al. 2004). The Failure Modes and Effects Analysis, FMEA (King and Rudd 1972), is a systematic approach to identifying, analysing and prioritising the potential failure modes, failure rates, and root causes of known failures. The FMEA is a disciplined analysis that allows the identification of potential or known failure modes, providing when necessary corrective actions. It involves the application of various technologies and methods to produce an effective analysis output. FMEA provides a framework for a detailed cause and effect analysis and requires a team to thoroughly examine and quantify the relationships among failure modes, effects, causes, current controls, and recommended actions. Several authors (Stamatis, 1995) have reported problems in using the FMEA process. They pointed out that a manual FMEA often produces an unwieldy document and that the traditional brainstorming process for FMEA is tedious, time-consuming, and error-prone. They also pointed out that FMEA often suffers from inconsistency and incompleteness. They also noted that FMEA expertise tends to be concentrated in the hands of relatively few specialists. To solve all these problems the automation could be relevant. Phugh and Snooke (1996) discussed a qualitative knowledge-based system for FMEA. Price (1996) extended their work to include a facility for iterative analysis of electrical systems. Montgomery et al. (1996) described a pilot program to link tools for qualitative and quantitative FMEA automation in the automotive industry. The present paper, mainly concentrated on the modelling topic, describes the application of the equipment unit models specialized for HAZOP and FMEA analysis, in a automatic support system. The qualitative models considered for the integration of HAZOP and FMEA analyses at this stage are the models of the components of control and interlock systems, that are very critical from the point of view of the hazard analysis.

1. HAZOP analysis and FMEA analysis HAZOP studies have become a significant part of the design of new process plants and of the revision of existing plants in the process industry. The HAZOP analysis systematically identifies all the possible causes and consequences within the system for each hypothesised deviation of one of the variables of the process: the research is carried out applying a set of “guide words” to the process variables of the plant and determining all process variable deviations. A HAZOP analysis is normally executed by a multidisciplinary team of experts in process plant design, operation and maintenance, who analyse the process P&ID to find out the causes and consequences of every abnormal deviation of the process variables. The analysis is time consuming and requires a large amount of work by the group of experts. In order to reduce the analysis work and increase its reliability, computerised support systems have been considered. Some of these, commercially available, consist of simple spreadsheet applications and can be useful in producing a standardised final report. The FMEA analysis is similar to HAZOP analysis: both of them subdivide a plant in elementary parts for the scope of the analysis, hypothesize a deviation from a normal condition of operation and evaluate the consequences, have a similar final report in form of table in which causes and consequences of the deviations has been indicated. Whereas the HAZOP analysis hypothesizes process parameters deviations in a node in which the plants has been subdivided and investigates cause and consequences, during the FMEA analysis the experts focus the attention to particular equipment units, hypothesizes typical malfunctions of components, list the failure modes, investigate the failure case and estimates the failure effect on other system components. FMEA involves the investigation and assessment of the effects of the possible failure modes on a system. This analysis must be carried out during the design stage as it is important that designs are analysed for all hazardous critical situations. This is an extremely tedious process because it demands detailed and systematic examination of a part of the design. However this work requires professional engineers and extensive experience. These two elements indicate the great benefit of automation analysis: producing a support system capable of providing a help to reproduce a part of the safety analysis and significantly reducing the procedure application time. The hypothesis of a complete automated hazard analysis, both HAZOP and FMEA, appears unrealistic at it least for the moment, in so far as would be necessary to supply the support system with an extensive knowledge base that is not a priori definable. On this account it is realistic to think of an interactive support system which automates just one part of the safety analysis, i.e. the part linked to the elements which may be generalised and are therefore less dependent on specific information relative to the particular plant. These elements are those more closely linked to the functional aspects of the equipment.

2. Qualitative models for hazard analysis automation A key part of the HAZOP methodology is the analysis of the causes and consequences of the possible deviations of the variables associated with the nodes in which the plant is subdivided. This analysis is usually made on the basis of the knowledge of the input-output and/or cause-consequence relations among the variables associated with the different equipment units and the typical failures mode of a single equipment unit. For this objective the analysts use a modelling of the different components in qualitative terms. The research of the causes or consequences of a particular deviation is carried out using a procedure of backward or forward logic propagation. The qualitative models of the equipment unit are similar to those developed by Lees and Kelly (1986) to analyse and simulate the propagation of faults in chemical process plants and they contain the reasoning mechanisms and the knowledge used by the process technicians and by the other experts during the analysis, in the research of the causes and the consequences of a deviation. It seemed evident than the main characteristics of the knowledge base should be therefore a representation of the single units of the plant by models allowing the propagation of variable deviations. The model is formed of a certain number of elements, linked to each other, each of which is destined for a particular application of the model. More details about the models used can be found in Bartolozzi et al. (2000). The heart of the qualitative models of equipment units is the “cause” and the “consequence” model. These models contain the necessary information to the search for the causes and consequences of deviations of the main variables of the plant units and to propagate variable deviations from one unit to previous one or next one.

VARIABLEDEVIATION

CAUSE 1 CAUSE 2 CAUSE 5CAUSE 3 CAUSE 4

Figure 1. Example of a cause tree

The “cause” model contains a certain number of mini logic trees, which are indicated as cause tree (Figure1); these have as a “Top Event” a deviation of one of the variables which define the specific unit and as “Basic Events” events which take place within the unit itself or deviations of the input variables. In some cases such events are connected with OR/AND logic gates and form a single level of events under the Top Event (it is for this reason that mini logic trees are referred to).

The “consequence” model for an equipment unit can be set up by considering for each input variable deviation the set of mini-trees of the “cause” model of the equipment unit in which the considered deviation is present, and making a logical link between the deviation and the final events of these mini-trees. Finally the HAZOP model also contains cause trees, but only those corresponding to deviations examined during the HAZOP analysis and that must be indicated therefore in the final forms. For each unit a selection has been carried out of the deviations examined in the cause models and those significant for the HAZOP analysis have been identified. All other deviations will be used only for the propagation. In this manner a model library has been constructed and includes the most common chemical units. As said, failure mode and effect analysis (FMEA) is a technique used to define, identify and eliminate potential failures, problems, errors, and so on from the system, process, or design. The analysis of the evaluation may consider historical and reliability data to identify and define the inherent failures and to analyse the impact on the connected equipment units and on the total process. Generally is accepted that the FMEA involves four aspects, relative to a characteristic analysis carried out on the system, the design, the process, or the service. In our work a “system FMEA” has been considered, and used to analyse systems and subsystems in the early concept and design stage. A system FMEA focuses on potential failure modes between the functions of the systems caused by system inefficiencies. It includes the interactions between systems and elements of the systems. The output of the system FMEA could be:

• A list of potential failure modes • A list of system functions that could detect potential failure modes • A list of design actions that can eliminate failure modes or reduce their

occurrence. The models to be used for the FMEA present some information and data more specific than the models specialized for the HAZOP analysis, relative to the failure modes and malfunctions of component units. The choice of the functional data is made according to a priority order typical of FMEA methodology. In particular, three components help to define the priority of failures:

• Occurrence (O) • Severity (S) • Detection (D)

where, Occurrence is the frequency of the failure, Severity is the seriousness of the failure, Detection is the ability to detect the failure before it affects the system.. The priority of the possible failures is ranked by the Ranked Product Number (RPN), that is the product of the occurrence, severity and detection.

3. Qualitative model of a generic control loop To consider the hazard analyses of control systems a general qualitative model is proposed. The modelling starts from the type of the controlled variable (ycontr.) and consequently, from the type of controllers, of measurement devices, etc.

In order to insert this knowledge in an automatic support system it is necessary to make available models that are representative of the functions and the typical failure modes of control loop components. The models hypothesised for this aim are represented by a collection of logic trees which link the deviations of the generic controlled variable to the possible causes and consequences of the same deviations. The cause tree of the generic controlled variable is shown in Figure 2:

More/Less/Noycontr.

Disturbancesout of control

Control loopsaturation

Control loopinefficiency

Figure 2. The generic cause tree of the controlled variable In the very common circumstance in which the final element to be tested is a valve and therefore the manipulation variable is a flow rate, two possible cases of control loop inefficiency can be considered. The first case, indicated as a “failure of the control loop in closing”, is when the final effect of the inefficiency of one of the components of the loop results in opening the valve to a greater extent than desired. The final effects “defect of the control loop in opening”, results in opening the control valve to a lesser extent than desired. The causes of these inefficiencies are looked for within the same control loop and are traceable usually to malfunctions of the components of the loop. This part of the hazard analysis is well carried out by the MEA, reducing potential and known failure modes. Changing the type of control loop varies the number and type of its components, as well as the control logic. As a consequence the causes which generate the inefficiency of the components of the control loop are different. In the model it is also assumed that the controlled variable might “deviate” from its set value for two other reasons besides the inefficiency of the control loop: disturbances beyond control and the saturation of the control loop. Disturbances beyond control determine deviations of the controlled variable from its set point that may not be compensated by the loop since the manipulation variable has no influence on this. The saturation of the control loop is the case where in spite of the control loop intervening to its maximum capacity, the disturbance is so great that the controlled variable will feel the effects for all cases. In these cases disturbances consisting in very

large deviations of some variables intervene which influence the controlled variable. These large disturbances require the use of additional keywords compared with those normally considered in HAZOP i.e. MORE MORE / LESS LESS to distinguish such deviations from the MORE / LESS deviations which the system is able to control. To extend the hazard analysis considering the failure modes and the failure causes of the typical components of control loops let us consider the analysis of the simple temperature control loop shown in Fig. 3.

Computer

Air

F

T

Operator

T

Fs

Ts

Thermocouple

DCSControl

D/AI/P

p

p

Tsp A/D Transmitter

Figure 3. Example of typical control loop

SENSOR ACTUATOR CONTROLLER TRANSMITTER TEMPERATURE PRESSURE TRANSDUCER

Cracked or Flawed

Erratic output Erratic output Off calibration Plugged line to pressure sensor

Maximum output

Excessive valve deadband

No change of output with change of input

No change of output with change of input

Buildup of material on the thermowell

No output

Improperly sized control valve

Filtering on the measured value of the controlled variable

Improperly calibrated

Improperly located thermowell

No change of output with change of input

Valve packing tightened too much

Tuning on the controller

Excessive signal filtering

Erratic output

Properly tuned valve positioner

Leakage

Rupture

Table 1. Common Subsystem Failure Modes

For the complete system it is possible to hypothesize the malfunctioning of the control loop and is possible to check the single subsystems:

– Actuator – Controller – Sensor – Process

In table 1 the most common problems encountered with the single subsystems are reported. In addition to those reported in Table 1 other less obvious failure modes, depending on not investigated failure causes may exist. In this case a new or a modified verification technique is needed.

4. The support system for automatic hazard analysis In order to set up an automatic hazard analysis tool it is necessary to identify and incorporate into the system the knowledge used by the safety analyst and the other members of the team during a complete study. This together with the specific rules and procedures of the analysis method, includes the knowledge of the plant layout, of the processes, equipment and materials involved, of the control and safety systems. Among the main features the support system includes the possibility of building the plant P&I diagram using a graphical interface environment and a library of models. In particular, the system is able to perform several tasks:

• drawing a plant P&I diagram on the basis of a groups of equipments unit previously defined;

• identifying possible infinite loop; • development of hazard analysis and research of the causes and the

consequences of any component variable deviations, propagating the deviation backwards or forwards;

• final report generation. The support system uses graphic objects corresponding to the single units of the plant, available from a library provided in the system but that can be integrated, if necessary, with other graphical objects. Specific elements are associated with each graphical object, in different forms - tables, rules, etc. - which make up the whole model of the single component. The library of component models defines the fundamental knowledge base necessary to carry out a HAZOP and FMEA analysis. An editor allows to define the properties and characteristics of the components, grouping them in classes, with the possibility of transferring them from more general classes to more specific ones. The most important part of a component model consists of a collection of mini trees, which may be considered as cause logic trees and consequence logic trees, each one of them corresponding to a deviation of one of the variables, normally considered in the HAZOP analysis. Specific models regarding FMEA analysis aspects, have been implemented containing detailed information about functioning data and failure modes of control and interlock systems. The proposed software WiTH aims to enhance the potential of HAZOP in terms of depth and efficiency of the analysis. This enhancement is reached through the continuation of the hazard and operability analysis, limited to a group of equipment

units and events which may lead to high risks for the plant and/or surrounding environment. For this scope the contemporary application of FMEA analysis can be very useful being a systematic approach to identify and quantify the failure modes, failure rates, and root causes of known failures of specific very sensible parts of the plant. The search process of the causes and consequences of variable deviations starts from the selection of variable deviations in the equipments units. The inferential engine manages the searching of the causes and consequences of deviations by a superstructure of the Access database: the interrogation query consists in some filters on the database records, that select only the specific relevant records by means of some dynamic data pointers. The flow diagram in Fig. 4 summarizes the inferential process.

Select Variable Deviation

Data from Query1 - mini-tree string - Other data (Variable, Dev. Type, Failure mode, etc.)

String splitting up Filling of cause /

consequence vectors

Data from Query2

Causes and consequences determination

Inference process 1 (General

knowledge)

Data allocation of first stage results of the inference process

Data from Query 3 Propagation of causes

and consequences variable deviation

Inference process 2 (specific knowledge)

Aggiornamento d ella bitboard delle

deviazioni attive

Search routine on equipment units

Bit board Refreshing

Activation flag to prevent propagation

infinite loop

Figure 4. Flow diagram of the inferential process

4.1 A brief note about the main aspects adopted to implement the support system Wi.T.H. The support system Wi.T.H. has been implemented using Microsoft Visual Basic, and Microsoft Access to develop the general knowledge data-base. In the support system the object library of Microsoft Excel has been included, in order to have a better visualization of results or intermediate data. The system uses the tools of high level Windows applications for the management of the interfaces as controls, i.e. buttons and bars sliding, associated with advanced types of controls (ADO). The formulation of the query in the database has requested the specific language SQL (Structured Query Language).

5. Qualitative models in automatic hazard analysis From the first unit of the plant P&I diagram all HAZOP nodes are examined. For each node the deviations contained in the corresponding HAZOP model of the unit will be considered. The FMEA analysis will be limited to the equipment units considered critical for the plant safety.

Figure 5. P&I visualized in the support system

A fundamental first stage of the HAZOP analysis is the choice of nodes, i.e. of the parts in which a plant is subdivided for the scope of the analysis. The choice may be made in various ways: often the node is intended as the collection of the equipment units, which contribute in carrying out a single function. The requirements of automation impose a high grade of generalisation and detail at the same time. It is for this reason that with the aim of constructing a support system, it is preferable to define the nodes as single functional units. This choice is indispensable owing to the necessity of making the equipment models as general as possible and to consider the characteristic details relative to the FMEA. The causes of each deviation are the basic events of the corresponding cause tree and will be indicated in the column of the causes in the HAZOP form. At this level the causes will be the deviations of the input variables of the particular unit or an internal failure. Searching upstream for the causes of a deviation, the support system must be asked to indicate the possible causes of all or of some of the causes of deviation found at this level (basic events of the tree). These in turn are deviations of the output variables of another unit for which a cause model has been composed, and therefore the logic trees consent to extend the research further upstream. The research of the consequences may be carried out in a similar way, defining consequence models for the single equipment unit.

For a specific equipment unit - node the consequences of a determined variable deviation could be or the output events of all cause trees of the unit, which show the deviation as a basic event, or the output events of the cause trees of the following output equipment unit - node which have the considered deviation as a basic event. For a specific equipment unit a detailed FMEA allows to consider specific information about function modes, failure modes and failure causes of its elementary components. Further data could be introduced in the final report in an interactive way.

Figure 6. Results of cause-deviation research

6. Final considerations and results The considered models of the equipment units, contain the specific knowledge relative to the normal behaviour but also that relative to anomalous operation conditions: both these types of knowledge are necessary to carry out the HAZOP analysis. The single model is constituted by several modules to efficiently code the various types of knowledge used by the experts during the analysis, searching the possible causes and consequences of variable deviations and detecting the failure modes and the failure causes of particular equipment units to extend the hazard analysis with FMEA. The developed model library of the equipment units that are commonly found in a chemical plant is the general knowledge database of the prototype. The system might be of particular interest because it could concur to obtain not only a considerable cost reduction of the analysis but also more standardized and reproducible results. A comparison between the output forms produced by the support system Wi.T.H. for particular nodes and the corresponding output forms obtained as result of traditional hazard analysis meetings makes possible the following considerations. The choice of elementary units, among which are included components such as pumps, tubes, etc., as nodes, made in order to allow the automatic propagation of deviations, leads to the production of a complex and highly detailed output form. The analysis results obtained using the support system are encouraging: the automatic report reproduces on the whole, qualitatively and quantitatively, the same results obtained by the traditional hazard analysis in the search of the causes and the consequences of variable deviations. The extension of the automatic investigation to the failure modes and causes of some components, enhances the potential of hazard analysis

in terms of depth and efficiency of the analysis. This enhancement is reached through the continuation of the hazard and operability analysis that, although limited to a group of components, may prevent high risks for the plant and/or surrounding environment. The use of qualitative models is partially successful in the identification of the significant causes of deviations; however in some cases the models are dependent on the context. The interactive use of the system allows information to be added, when necessary, in order to prevent the propagation of a deviation towards an unproductive direction. 7. References Bartolozzi, V., Castiglione, L., Picciotto, A. and Galluzzo, M. (2000), Qualitative models of equipment units and their use in automatic HAZOP analysis, Reliab Engng Syst Safety, 70, pp. 49-57 Cocchiara, M., Bartolozzi, V., Picciotto, A. and Galluzzo, M. (2001), Integration of interlock analysis with automated HAZOP analysis, Reliab Engng Syst Safety, 74, pp. 99-105 European Commission (1997). STARS II: User Manual. JRC, Ispra, Italy Galluzzo, M., Bartolozzi, V. and Puccia, V. (2004), A New Prototype System For Automatic HAZOP Analysis, in Senni Buratti, S. (ed.) Chemical Engineering Transactions, Vol.5, pp. 229-234, AIDIC, Milan Kelly, B.E. and Lees, F.P. (1986), The Propagation of Faults in Process Plants: 1. Modelling of Fault Propagation, Reliability Engineering, 16, pp. 3-38 King, C.F. and Rudd, D.F. (1972), Design and maintenance of economically failure-tolerant processes, AIChE J., 18, pp. 257-269 Lawley, H.G. (1974), Operability study and hazard analysis, Chem Engng Prog, 70 (4), pp. 45-56 McCoy, S.A., Wakeman, S.J., Larkin, F.D., Jefferson, M.L., Chung, P.W.H., Rushton, A.G., Lees, F.P. and Heino, P.M. (1999), HAZID, a computer aid for hazard identification I. The STOPHAZ package and the HAZID code: An overview, the issues and the structure, Process Safety and Environmental Protection, 77 (B6), pp. 317-327 Montgomery, T. A., Pugh, D.R., Leedham, S.T. and Twitchett, S.R. (1996), FMEA automation for the complete design process. 1996 Proceedings Annual Reliability and Maintainability Symposium, IEEE, pp. 30-36

Price, C.J. (1996), Effortless incremental design FMEA. 1996 Proceedings Annual Reliability and Maintainability Symposium, IEEE, pp. 43-47

Pugh, D. R. and Snooke, N. (1996), Dynamic analysis of qualitative circuits for failure mode and effects analysis. 1996 Proceedings Annual Reliability and Maintainability Symposium, IEEE, pp. 37-42 Stamatis, D.H. (1995), Failure Modes and Effects Analysis, ASQ Quality Press, Milwaukee, Winsconsin, USA Venkatasubramanian, V., Zhao J. and Viswanathan S. (2000), Intelligent Systems for HAZOP analysis of complex process plants. Comput Chem Engng, 24, pp. 2291-2302