Scenario Object Model Based On-Line Safety Analysis for Chemical Process

HAZOP (Hazard and Operability Analysis) is a safety analysis method that is widely used in chemical processes. Conventional safety analysis is either human-based or computer-aided. Both kinds are off-line and qualitative, and it is difficult to carry out on-line safety analysis with them. On-line safety analysis based on a scenario object model was proposed for chemical processes. The scenario object model was built using ontology, by which the safety information can be transferred, reused and shared effectively. Deviation degree and qualitative trend were added to the model. Based on the model and a new inference algorithm, on-line safety analysis can be implemented for chemical processes. Once a fault or abnormal event occurs, the causes can be traced and the consequences can be predicted. At the same time, semi-quantitative safety analysis is carried out. The resolution can be improved, which helps the operators handle problems promptly and effectively. The method was used for safety analysis of a reactor process and its effectiveness was proved.


Introduction
HAZOP is one of the safety analysis methods based on system engineering. [1] It has been widely used in chemical processes for safety analysis in recent years in China. [2][3][4][5][6][7] In addition, it is the most widely used safety analysis method. However, it is difficult to reuse and share the safety information in HAZOP. This problem needs to be solved. On the one hand, the results and records are usually missed and the results are difficult to research in HAZOP; on the other hand, it is very important and necessary to reuse and share the information. The information of safety analysis can be used in the full life cycle of a factory, including the stages of design, construction, production, and maintenance of production equipment. At the same time, the information needs to be transferred between different units of the factory and different teams. Non-standard information will cause huge costs in human and material resources.
Research on the reuse and sharing of safety analysis information has been carried out. The key problem of reuse and sharing of information is standardization of information. ISO-10303 and ISO-15926 are international standards about information on chemical processes. [8,9] Some researchers have begun to research the standardization of HAZOP information. [10][11][12] However, the models are too complex and difficult to use. Wu proposed a SOM (Scenario Object Model) based on ontology to realize the standardization of safety analysis information. The problems of information hiding and missing can be solved by the model. Then, based on the model, computer-aided automatic safety analysis was proposed and developed. The safety analysis information can be transferred, reused and shared effectively. [13][14][15] The problems of safety analysis information transfer, reuse and sharing have been solved. However, the model needs to be improved for on-line safety analysis. Conventional safety analysis consists of human-based safety analysis and computer-aided safety analysis. Both are carried out off-line and cannot be used for on-line safety analysis. If HAZOP can be carried out on-line, once a fault or abnormal event occurs, safety analysis can be done in time, the causes of the fault can be found, the consequences can be predicted in time, and more serious accidents can be avoided. It is very useful for the safety of chemical processes.
Some researchers have attempted on-line safety analysis by searching a database of results obtained by off-line safety analysis. [16] Obviously, this method is unsatisfactory. Once a fault or abnormal event occurs which is not in the database, the on-line safety analysis cannot find causes and consequences. A suitable expert system is needed for on-line safety analysis. A deep knowledge model such as SDG (Signed Directed Graph) or SOM can represent the relationship between causes and consequences. A deep knowledge model can reveal the rules of fault development and evolution. It is the mathematical expression of the interactions of different units in the production. [17] All the faults caused by deviation can be found by inference and calculation based on the deep knowledge model. The diagnosis completeness can be improved and the essential causes can be found using the deep knowledge model. [18,19]
In this article, scenario object model based on-line safety analysis is proposed for chemical processes. Firstly, the scenario object model was extended and improved for on-line safety analysis. New definitions, rules and properties such as deviation degree and qualitative trend were introduced into the model. Then, based on the model, a new inference algorithm was proposed for on-line safety analysis. Once a fault or abnormal event occurs, the causes can be traced and the consequences can be predicted. The resolution can be improved, which can help the operators handle the problems in time and effectively.

Improved scenario object model for on-line safety analysis
The on-line safety analysis needs to carry out inference to find possible causes and predict possible consequences according to the current states of the system. The core issue is the model. The model used for on-line safety analysis should satisfy the following requirements:
(1) Complex relationship between variables in chemical process, the relationship between causes and consequences and the states of system in different conditions can be stored and represented by the model.
(2) The elements and rules in the model should be improved to be suitable for on-line safety analysis. The analysis resolution should be improved.
(3) The information should be transferred, reused and shared easily in the model.
The improved scenario object model is proposed to satisfy these requirements. New elements are added to the conventional scenario object model for on-line safety analysis.
The structure of the model is shown in Fig. 1.
The model includes event and relationship. The event consists of middle event, cause, consequence and safety precaution. Compared with conventional scenario object model, deviation degree and qualitative trend are added to the model to improve the accuracy. At the same time, the relationship between events is extended by adding qualitative trend relationship to the model. On one hand, the new scenario object model has the advantage of the conventional scenario object model. The information can be easily transferred, reused and shared. On the other hand, new elements are added to improve the model for on-line safety analysis.

Definitions of elements
(1) Middle event. Middle event is used to describe the physical state or chemical state of a process such as temperature, pressure, level, flow etc. The states of the middle event are described by qualitative state, deviation degree, and qualitative trend.
Qualitative state is described by deviation and guide words. The state can be "positive deviation" ("+"), "negative deviation" ("−") or "normal" ("0"). For example, the state of a variable's temperature, which is higher than normal value, can be represented by "positive deviation". Besides qualitative state, deviation degree and qualitative trend are both used to describe the state of middle event.
Deviation degree represents the degree to which the event or variable exceeds its limits. It is calculated by Eq. (1).
(1)
$P$ is the deviation degree, $v$ is the measured value, $v_{set}$ is the set point, $v_{max}$ is the maximum value, and $v_{min}$ is the minimum value. The deviation degree is between 0 and 1.
Qualitative trend represents the trend of the middle event. Compared with qualitative state and deviation degree, the qualitative trend can describe the state in more detail. The qualitative trend is represented by six basic primitives. They are shown in Fig. 2. In the conventional scenario object model, the state of a middle event is described by qualitative state ("positive deviation", "negative deviation" and "normal"). In the new scenario object model, the states of the middle event are described in three levels: qualitative state, deviation degree, and qualitative trend. The accuracy of the model can be improved.
(2) Cause. Cause is the reason for an accident happening, including device failure, device fault, and wrong operation. Examples are control system failure, pressure regulator failure, instrument failure, value fault, etc.
(3) Consequence. Consequence is the result caused by the fault or accident including explosion, fire, device damage, decrease of product quality, etc.
(4) Safety precaution. Safety precaution is used to prevent the accident or reduce the loss such as control system, safety instrument system and emergency shutdown system, etc.

Definition of relationship between events
The relationship between events is qualitative in conventional safety analysis. It consists of "positive effect" and "negative effect". Its advantage is that it is simple and easy to model. Its disadvantage is that a too simple relationship leads to low accuracy and poor analysis resolution. In order to improve the accuracy and resolution, qualitative trends are used for representing the relationship between events. The relationship between events is described by the six basic trend relationships and their combinations. It is shown in Table 1.
The qualitative trend relationship between events can be determined by the signs of first-order derivative and second-order derivative.

Scenario object model based on-line safety analysis
There are two steps for on-line safety analysis. The first step is to build the new scenario object model. The second step is to do on-line safety analysis once the fault occurs based on the model.

Modelling procedure
The modelling procedure is shown in Fig. 3.
The procedure includes nine steps:
(1) Simplifying and modifying the model of the sub-system;
(2) Dividing the system into sub-systems;
(3) Analysis of energy flows, feed flows, information flows, hazards, dangerous devices, and operation points;
(4) Listing key middle events for every sub-system;
(5) Listing influence equations to find the middle events that have influence on the key middle events;
(6) Determining the relationships between middle events including qualitative relationships and qualitative trend relationships;
(7) Adding cause events and consequence events to the model of the sub-system;
(8) Simplifying and modifying the model of the sub-system;
(9) Connecting all the models of sub-systems to build the entire model of the process.
In the sixth step, the relationship between events is described in two levels: the first level is qualitative relationship and the second level is qualitative trend relationship. The qualitative trend relationship can be determined by the following rules:
(1) The qualitative trend relationship should be determined according to the rules in Table 1 if the relationship between events can be described by algebraic equation or differential equation.
(2) The qualitative trend relationship should be determined by experience if the relationship between events cannot be described by algebraic equation or differential equation.

On-line safety analysis
The procedure of on-line safety analysis is shown in Fig. 4.
On-line safety analysis includes four parts: data monitoring; identifying states of events; inference according to consistent rules; sorting results.

On-line data monitoring
All the variables are monitored in this part. Once a fault occurs, the values of some middle events will be above the high alarming limits or below the low alarming limits. The system is then in an abnormal state. The states of all events will be calculated or identified, and forward and backward inference will be carried out to predict the consequences and find the causes.

Identification of states of middle events
The states of the middle event are described in three levels: qualitative state, deviation degree and qualitative trend in the new scenario object model. The accuracy of model can be improved.
(1) Identification of qualitative state
The qualitative states of events are determined by Eq. (2).
$S$ is the qualitative state, $v_i$ is the measured value of a variable, $v_{high}$ is the high alarming limit, and $v_{low}$ is the low alarming limit. "Positive deviation" is represented by "+". "Negative deviation" is represented by "−". "Normal" is represented by "0".

[Figure residue: flowchart of the modelling procedure (Fig. 3). Its boxes correspond to steps listed under "Modelling procedure" and include one further box: "Collecting information of the process (P&ID, PFD et al.)".]

(3) Extraction and identification of qualitative trends
There are two steps to obtain the qualitative trends. The first step is the extraction of trends. The second step is the identification of trends. A qualitative trend analysis method with a sliding window is used for extraction and identification of qualitative trends. [20]

Forward and backward inference algorithm
The forward and backward inference will be carried out after the states of middle events have been identified. Forward inference is used to predict the possible consequences and propagation paths. Backward inference is used to find the possible causes and propagation paths.
Forward and backward inferences are both carried out according to consistent rules. The consistent rules are used to determine whether the fault can propagate from one event to another. They are shown in Fig. 5. The one-level consistent rule is based on qualitative state and qualitative relationship. The two-level consistent rule is based on deviation degree and qualitative state. The three-level consistent rule is based on qualitative trend and qualitative trend relationship. If the three-level consistent rule can be satisfied, the possibility that the fault propagates from one event to another is highest. The targets of forward and backward inference are different; therefore, the consistent rules are different.
$Deviation_i$ is the deviation degree of $E_B$ influenced by event $i$.

Three-level consistent rule
The qualitative trend of $E_B$ is determined by the qualitative trend of $E_A$ and the qualitative trend relationship between $E_A$ and $E_B$ when $E_B$ is only influenced by $E_A$. It is shown in Table 2.
The qualitative trend of $E_B$ is the superposition of the influences of all the events when there are other events that influence $E_B$ besides $E_A$. For example, if $E_B$ is influenced by $E_A$ and $E_C$, the qualitative trend of $E_B$ is the superposition of the influences of $E_A$ and $E_C$. The rule is shown in Table 3. The state "?" represents that the state of $E_B$ is uncertain. The rule can also be used for superposition of more than two events that influence the state of $E_B$. The possible propagation paths (consistent paths) and consequences can be predicted according to the above consistent rules.

(2) Consistent rule of backward inference
Backward inference is used to find possible fault causes and propagation paths. For example, event $E_B$ is influenced by event $E_A$. If $E_B$ is in abnormal condition, the backward inference is carried out from $E_B$. The consistent rule is as follows:

One-level consistent rule
The arc from $E_A$ to $E_B$ is consistent if the product of the qualitative state of $E_B$ and $E_A$ and the qualitative relation between $E_A$ and $E_B$ is positive. It is shown in Eq. (7).

(7)
The arc is consistent if Eq. (7) is satisfied. If the formula is not satisfied, there are two cases: a) if $E_A$ is influenced by one event, the arc from $E_A$ to $E_B$ is not consistent; b) if $E_A$ is influenced by more than one event, the arc from $E_A$ to $E_B$ is supposed to be consistent. Backward inference continues.

Two-level consistent rule
The arc from $E_A$ to $E_B$ is consistent if the sign of the product of the deviation degree of $E_B$ and $E_A$ and the qualitative relation between $E_A$ and $E_B$ is positive. It is shown in Eq. (8).
The arc is consistent if Eq. (8) is satisfied. If the formula is not satisfied, there are two cases: a) if $E_A$ is influenced by one event, the arc from $E_A$ to $E_B$ is not consistent; b) if $E_A$ is influenced by more than one event, the arc from $E_A$ to $E_B$ is supposed to be consistent. Backward inference continues.

Three-level consistent rule
Whether the arc from $E_A$ to $E_B$ is consistent is determined by the qualitative trend of $E_A$ and $E_B$ and the qualitative relationship between $E_A$ and $E_B$. The qualitative trends "A", "B" and "C" are called "Increase". The qualitative trends "D", "E" and "F" are called "Decrease". The arc from $E_A$ to $E_B$ is consistent if one of the two conditions can be satisfied:
(1) The qualitative trends of $E_A$ and $E_B$ are the same ("Increase" or "Decrease") and the relationship is "Increase".
(2) The qualitative trends of $E_A$ and $E_B$ are different (one is "Increase" and the other is "Decrease") and the relationship is "Decrease".
If the arc from $E_A$ to $E_B$ is not consistent according to the above rule, there are two cases: a) if $E_A$ is influenced by one event, the arc from $E_A$ to $E_B$ is not consistent; b) if $E_A$ is influenced by more than one event, the arc from $E_A$ to $E_B$ is supposed to be consistent. Backward inference continues. The possible propagation paths (consistent paths) and causes can be found according to the above consistent rules.

Sorting results
The possible causes, consequences and consistent paths (propagation paths) have been found by forward and backward inference. All the paths will be sorted according to confidence indexes to improve the analysis resolution. The confidence index of a consistent path represents the possibility that the fault propagates along the path. The higher the index is, the higher the possibility that the fault propagates along the path. The confidence index is calculated by Eq. (9).
(9)
$C_{path}$ is the confidence index of the path. $N$ is the number of consistent arcs in the path. $C_{arc_i}$ is the confidence index of the $i$th consistent arc. The confidence index of every consistent arc is decided by its consistent level:
(1) if the three-level consistent rule can be satisfied, the confidence index of the consistent arc is 3;
(2) if the two-level consistent rule can be satisfied, the confidence index of the consistent arc is 2;
(3) if only the one-level consistent rule can be satisfied, the confidence index of the consistent arc is 1.
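The backward-inference consistent rules and the per-arc confidence levels described above, as an added Python example (not code from the paper or from SDGHAZOP). It covers the one-level and three-level rules only, since Eq. (8) and Eq. (9) are not reproduced on this page. Assumptions of the example: the event tags and the `Event`/`Arc` classes are constructed, the "Increase"/"Decrease" relationship is read from the arc's trend relationship letter, the three-level check is applied only after the one-level check passes, and arcs that are only "supposed to be consistent" are marked with confidence 0.

```python
from dataclasses import dataclass

INCREASE, DECREASE = set("ABC"), set("DEF")  # trend groups named on the page

def direction(trend):
    """+1 for an "Increase" primitive (A, B, C), -1 for "Decrease" (D, E, F)."""
    if trend in INCREASE:
        return 1
    if trend in DECREASE:
        return -1
    raise ValueError(f"unknown trend primitive: {trend!r}")

@dataclass(frozen=True)
class Event:
    state: int  # qualitative state: +1 ("+"), -1 ("-"), 0 (normal)
    trend: str  # qualitative trend primitive, "A".."F"

@dataclass(frozen=True)
class Arc:
    src: str        # influencing event (E_A)
    dst: str        # influenced event (E_B)
    relation: int   # qualitative relationship: +1 positive, -1 negative effect
    trend_rel: str  # qualitative trend relationship, "A".."F"

def classify_arc(arc, events, in_degree):
    """Return (confidence, assumed) for a consistent arc, or None if pruned."""
    ea, eb = events[arc.src], events[arc.dst]
    # One-level rule: state(E_B) * state(E_A) * relation must be positive.
    if eb.state * ea.state * arc.relation > 0:
        same = direction(ea.trend) == direction(eb.trend)
        rel_up = direction(arc.trend_rel) == 1
        # Three-level rule: same trends + "Increase", or opposite + "Decrease".
        return (3, False) if same == rel_up else (1, False)
    # Fallback: E_A with several influences is "supposed to be consistent".
    if in_degree.get(arc.src, 0) > 1:
        return (0, True)  # confidence 0 is this example's marker, not the page's
    return None

def backward_paths(start, events, arcs):
    """Walk incoming arcs from an abnormal event; return (path, verdicts) pairs."""
    incoming = {}
    for arc in arcs:
        incoming.setdefault(arc.dst, []).append(arc)
    in_degree = {name: len(v) for name, v in incoming.items()}
    found = []

    def walk(node, path, verdicts):
        extended = False
        for arc in incoming.get(node, []):
            verdict = classify_arc(arc, events, in_degree)
            if verdict is None or arc.src in path:  # pruned, or a loop
                continue
            extended = True
            walk(arc.src, path + [arc.src], verdicts + [verdict])
        if not extended and verdicts:
            found.append((path, verdicts))

    walk(start, [start], [])
    return found

# Constructed sample model (hypothetical tags, not the paper's case study).
EVENTS = {
    "T_reactor": Event(+1, "B"), "F_feed": Event(+1, "A"),
    "F_coolant": Event(-1, "A"), "L_tank": Event(-1, "D"),
    "F_in_A": Event(-1, "D"), "F_in_B": Event(0, "A"),
}
ARCS = [
    Arc("F_feed", "T_reactor", +1, "B"), Arc("F_coolant", "T_reactor", -1, "E"),
    Arc("L_tank", "F_feed", +1, "A"),
    Arc("F_in_A", "L_tank", +1, "A"), Arc("F_in_B", "L_tank", +1, "A"),
]

if __name__ == "__main__":
    for path, verdicts in backward_paths("T_reactor", EVENTS, ARCS):
        print(" <- ".join(path), verdicts)
```

In the sample, the arc from `F_in_B` is pruned because its state is normal and it has no other influence, while the arc from `L_tank` fails the one-level rule but is kept because `L_tank` is influenced by two events.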

Case study
The scenario object model based on-line safety analysis is used for a reactor process. The pipe & instrument diagram is shown in Fig. 6.
The description of devices and variables in the process is shown in Table 4.
The process is as follows: materials A and B enter tank V101, and then the mixed material including A and B enters the reactor R101 through the heat exchanger E101. The mixed material will exchange heat with water from the jacket of the reactor. The heat exchanger is used to preheat the mixed material. The catalyser enters the reactor after the mixed material including A and B has entered the reactor. In the reactor, A and B react to produce D and E in the presence of the catalyser. The reaction is exothermic, so cold water is used to control the reaction temperature. The cold water enters the jacket of the reactor. Part of the water is sent to utilities and the remainder is sent to the heat exchanger to preheat the mixed material. The bottom material including A, B, D, and E of the reactor enter into the flash tank V102 to separate the products D, E, and A, which are not entirely consumed in the reactor and will be separated into the top of the flash tank for distillation unit.
The real product enters into the next unit from the bottom of the flash tank.
The on-line scenario object model of the above process is built using the software SDGHAZOP v3.0, developed by us (3.0 is the latest version). The scenario object model including deviation degree and qualitative trend has been added to the software. The model is shown in Fig. 7.
The "R" rectangle is the cause event where the fault causes are stored. The "C" rectangle is the consequence event where the consequences are stored. The circle is middle event. The relationship between middle events is described in two ways: (1) Qualitative relationship. Real line means positive effect and dotted line means negative effect. (2) Qualitative trend relationship. The relationship between events is described by qualitative trends such as A, B, C, D, E, and F, shown in Table 1.
The qualitative trends are also extracted and identified using a qualitative trend analysis method with a sliding window. [20] The qualitative trend of TI1103 is B.
"+" represents the current state ("positive deviation"), "0.8" represents the deviation degree calculated, represents the qualitative trend. The possible consequences, paths, and trends are revealed by the four paths.
It should be pointed out that forward inference aims to predict the possible consequences from the abnormal variable. Therefore, the states of the other variables including qualitative states, deviation degrees and qualitative trends are all predicted according to consistent rule of forward inference. In this case, for example, the deviation degree of TI1103 is calculated by Eq. (1) and the other deviation degrees are predicted according to consistent rule of forward inference.
Consistent path found by backward inference is as follows: TI1103(+/0.8/ )←FI1201(+/1.0/ )←Reasons(controller fault, value fault, and worker wrong operation). The path is the real path along which the fault propagates. The process of the fault occurring and its propagation are revealed by the path. Backward inference aims to find the possible causes from the abnormal variable. So the states of variables in the path are calculated according to Eq. (1), Eq. (2) and the qualitative trend analysis method with a sliding window. [20]
The advantages of on-line safety analysis are shown by the example. It can not only find the consequences and fault causes in time, but can also predict the development by deviation degrees and qualitative trends. The example is quite simple. More complex objects, conditions and multiple faults occurring will lead to many results. In this situation, the advantages of on-line safety analysis become apparent, including consequence prediction and fault cause location, and especially high diagnosis resolution (sorting by confidence index).

Conclusion
It is essential that on-line safety analysis can be used for chemical processes. However, conventional safety analysis is carried out off-line and is mostly qualitative. To address this problem, scenario object model based on-line safety analysis was proposed for chemical processes. The advantages of the method are as follows:
(1) The method is based on the improved scenario object model. The transfer, reuse and sharing of safety information can be satisfied and the method can be used on-line.
(2) Once a fault or abnormal event occurs, on-line safety analysis is carried out to find causes and predict the possible consequences supplying the instruction for fault treatment.
(3) Some semi-quantitative information such as deviation degree, qualitative trend, etc., have been added to the scenario object model to improve the accuracy of the model. Based on the model, on-line safety analysis is carried out and the diagnosis resolution can be improved. It is helpful for fault location and treatment in time.
How to improve the model according to its application is the next research target.