
Accepted Manuscript

The application of a graph of a process in HAZOP analysis in accident prevention system

Jan Maciej Kościelny, Michał Syfert, Bartłomiej Fajdek, Andrzej Kozak

PII: S0950-4230(16)30479-X
DOI: 10.1016/j.jlp.2017.09.003
Reference: JLPP 3585

To appear in: Journal of Loss Prevention in the Process Industries

Received Date: 20 December 2016


Revised Date: 4 August 2017
Accepted Date: 2 September 2017

Please cite this article as: Kościelny, J.M., Syfert, Michał., Fajdek, Bartł., Kozak, A., The application of a
graph of a process in HAZOP analysis in accident prevention system, Journal of Loss Prevention in the
Process Industries (2017), doi: 10.1016/j.jlp.2017.09.003.

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to
our customers we are providing this early version of the manuscript. The manuscript will undergo
copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please
note that during the production process errors may be discovered which could affect the content, and all
legal disclaimers that apply to the journal pertain.
ACCEPTED MANUSCRIPT
The application of a graph of a process in HAZOP analysis in accident prevention system
Jan Maciej Kościelny*, Michał Syfert**, Bartłomiej Fajdek***, Andrzej Kozak#
Warsaw University of Technology, Faculty of Mechatronics, Institute of Automatic Control and Robotics
* jmk@mchtr.pw.edu.pl
** m.syfert@mchtr.pw.edu.pl
*** b.fajdek@mchtr.pw.edu.pl
# The Office of Technical Inspection, andrzej.kozak@udt.gov.pl

Abstract
The HAZOP method does not guarantee the completeness of a risk analysis, in particular the identification of all causes of deviations of the process parameters, which are the main source of risk. Particular difficulties arise with complex objects, which are decomposed into nodes for the purposes of the HAZOP analysis. In most cases the nodes are not independent: there are interactions between them that may be overlooked, and the presence of feedback between the nodes is particularly dangerous. This paper shows that the completeness of the analysis can be increased by applying a qualitative model of the process in the form of a graph of a process. A definition of the graph of a process is provided, together with a discussion of the methodology of modelling a process with such a graph. An Intelligent Accident Prevention System is also presented, which supports HAZOP analysis with a model in the form of a graph of a process.

Keywords: risk analysis, HAZOP, qualitative modelling, graph of process, safety system.


1. Introduction

For all installations posing a risk to human life or health, the environment or property, the existing legal regulations and technical norms require an appropriate level of safety, i.e. a reduction of the risk to an acceptable level. The first element in the sequence of actions aimed at providing this level of safety is the analysis and assessment of the existing risks. In the process industry the most common method is HAZOP, the hazard and operability study, i.e. a study of hazards and of operability. In Europe, the process industry covers chemistry, petrochemistry, gas manufacture and conventional energy production. The HAZOP methodology originated in the 1960s at ICI in the United Kingdom, and Trevor Kletz is generally regarded as the author of the method (Kletz, 1999).
The gist of the method consists in a team of experts investigating the causes and consequences of deviations of the process parameters. It serves to determine the possible hazardous events (threatening human health and life, the natural environment and the technological installation), as well as technological problems (causing a drop in the effectiveness of the process or in production). The study is performed with the use of guide words.
In the first stage of the analysis, the process is divided into separate subassemblies, the so-called nodes (pipelines, pumps etc.). For each node a medium and a set of characteristic physical parameters are determined, such as temperature, flow, pressure etc. Next, these parameters are combined with the guide words to define hypothetical deviations of the given element from its normal state. For each defined deviation the team of experts attempts to find its possible causes and its expected consequences for the operation of the installation, and suggests possible ways to protect the installation. Such an analysis is performed for each of the separated nodes of the analysed installation; relations between particular nodes are also subject to analysis. As a result, one obtains a list of potential hazards together with guidelines on how to protect against their occurrence. In complicated installations (a large number of analysed nodes) this list may be very long.
The main advantage of the HAZOP method is that it is widely regarded as the most effective of the known techniques and covers the full range of identified hazards. Moreover, it provides information both on the hazards and on problems related to the continuity of operation of the installation. HAZOP analysis has been widely used in industry for many years, and its results are used in further actions connected with industrial safety, e.g. for risk-based inspection (API Recommended Practice 580, Risk-Based Inspection, American Petroleum Institute, 2002). The results of HAZOP are accepted as the starting material for the safety report required by European Union law (Directive 2012/18/EU of the European Parliament and of the Council of 4 July 2012 on the control of major-accident hazards involving dangerous substances, 2012). HAZOP analysis is now standardized (IEC 61882, Hazard and operability studies (HAZOP studies) - application guide, 2001).
A broad overview of the state of research on HAZOP is presented in (Dunjó et al., 2010). This work discusses the main directions of research on the development of the method, including:
• extending the scope of hazard identification, inter alia by integration with other methods of risk analysis, considering quantification, human factors and specific HAZOP modifications,
• HAZOP for programmable electronic systems and software safety assessment,
• assigning the target Safety Integrity Level (SIL),
• automating HAZOP (expert systems),
• HAZOP supported by dynamic simulation.
Because HAZOP analyses are time- and labour-consuming and difficult to perform, the majority of the works surveyed in (Dunjó et al., 2010) concern the construction of expert systems aimed at automating the HAZOP analysis or supporting it by computer.


However, HAZOP also has many disadvantages and limitations, which are described in detail in (Baybutt, 2015). The main weakness of the HAZOP method, according to the authors, is its heuristic nature, which does not guarantee that all potential hazards and operational problems are recognized. Some of the causes of deviations of process variables are often overlooked in the analysis, and the analysis of the relations between the nodes separated in the installation causes many difficulties. Thus, the completeness of the analysis cannot be ensured; it depends mainly on the experience and commitment of the participants of the HAZOP study.
Similar problems of the HAZOP analysis are emphasized by Sauk et al. (Sauk et al., 2015). They indicate that the sources of deviations arising in a given node may be located in other nodes. This complicates the work of the team performing the HAZOP analysis and increases the possibility of overlooking such causes.
The above problems inspired the authors to work on a method of reducing the disadvantages of HAZOP analysis, especially one providing a high degree of completeness of the causes of deviations of the process variables.
The article presents a new approach to performing safety analysis by means of HAZOP with the use of a qualitative model of the process. The qualitative model in the form of a graph of a process (GP) is used to describe the cause-and-effect relations between the process variables of the analysed installation. A distinctive property of the GP graph with respect to other cause-and-effect models in use is that the faults and their influence on the process variables are represented directly in the model. So far, the model in the form of a GP graph has not been used to support HAZOP analysis.
The purpose of this work is to provide a high degree of completeness of the HAZOP analysis through the use of a qualitative model in the form of a GP graph of the process. The completeness of the analysis is increased by enabling a systematic specification of potential hazards and operational problems, and by making it possible to take into account all causes of deviations of the process parameters. In particular, the graph of a process shows all feedback (reverse influence) paths present in the process, which are often overlooked while performing the analysis. Developing a simple cause-and-effect graph reveals such relations and thus increases the degree of completeness of the analysis.
The paper is arranged as follows. Section 2 discusses the use of qualitative and quantitative models in HAZOP analysis. Section 3 provides the definition of a graph of a process and an exemplary methodology of modelling a process. Section 4 presents the support of HAZOP analysis by a GP model on an academic example of serially connected tanks storing a toxic substance; this example demonstrates how feedback in the process complicates HAZOP analysis. The authors refrained from presenting an industrial example in order to limit the length of the paper. Section 5 discusses the implementation of HAZOP analysis with the use of a GP graph in the Intelligent Accident Prevention System (IAPS) developed by the authors. Section 6 summarizes the results of the work.
2. The application of qualitative and quantitative models in HAZOP analysis
A high quality of risk analysis can be obtained only with in-depth knowledge of the process, and such knowledge is represented by process models. Such models should enable the analysis of emergency scenarios. Qualitative and quantitative models may be distinguished. A complete description of the process is given by quantitative dynamic models describing the phenomena occurring in the process. Such models are used for the construction of process simulators. The use of simulators is obligatory for training the operators of processes in the nuclear power industry, as well as in the training of pilots and ship captains. In the process industry, process simulators are not widespread yet, but their use is growing, for safety reasons, since human errors are a common cause of failures. Barriers to the application of simulators are, however, their high construction costs and the difficulty of obtaining models that allow the simulation of different modes of process operation and, above all, of emergency states.
Analytical models of the process are highly complicated and difficult to obtain, also because of the nonlinearity of the objects. In some cases, obtaining a mathematical description of the process is almost impossible because the phenomena involved are not well understood, e.g. the incineration of biomass. In such cases, model construction techniques based on the measurement data registered in the archives of DCS or SCADA control systems may be applied. These models properly reflect the functioning of the process in normal conditions, as learning data representing these states are available. However, there is usually no sufficiently rich set of data for emergency states that would allow models describing the process in those states to be acquired.
The use of dynamic simulation of processes in HAZOP analysis was the subject of the works (Eizenberg et al., 2006; Labovský et al., 2007a, 2007b; Ramzan et al., 2007; Švandová et al., 2005). It can be expected that introducing legal regulations requiring process simulators for training the operators of critical processes will cause an intense increase of interest in their use in safety analyses.
At the moment, the greatest usability in risk analyses is attributed to qualitative models, which are much simpler than quantitative models. They have been used in numerous works on HAZOP analysis support. Parmar and Lees (J. C. Parmar and Lees, 1987; J.C. Parmar and Lees, 1987) presented a rule-based approach to automate the HAZOP analysis of a water separator system. They represent the knowledge required for propagating faults in each process unit with qualitative propagation equations and event statements for the initiation and termination of faults. The main disadvantage of the proposed method is that it finds only immediate causes and consequences, whereas in classical HAZOP analysis causes and consequences are propagated to the end of the process section.
Another approach was presented by Heino et al. (Heino and Jouko, 1988). A rule-based system called HAZOPEX was developed using a hybrid expert system shell (KEE) on a Lisp workstation. The knowledge base of HAZOPEX consisted of the structure of the process and rules for searching for causes and consequences; the main emphasis was placed on the identification of abnormal causes.
Another knowledge-based system, HAZID, was introduced in (Zerkani and Rushton, 1993). The HAZID computer system was developed to help reduce the workload involved in HAZOP studies. It uses qualitative propagation to examine the causes and effects of failures within a process.
Vaidhyanathan and Venkatasubramanian (Vaidhyanathan and Venkatasubramanian, 1996, 1995; Venkatasubramanian and Vaidhyanathan, 1994) proposed a knowledge-based framework called HAZOPExpert, built on the G2 expert system, for automating HAZOP analysis. In this approach process units are represented as HAZOP-Digraph Models (HDG). The HDG models of the process units are used for propagating the process variable deviations and for finding abnormal causes and adverse consequences by interacting with the process-specific knowledge.
Srinivasan and Venkatasubramanian (Srinivasan and Venkatasubramanian, 1998a, 1998b, 1996) extended HAZOPExpert to batch processes, modelling them in the form of Petri nets and digraphs. Another approach is the Qualitative Hazard Identifier (QHI) (Catino and Ungar, 1995), in which the plant behaviour is described by a set of qualitative equations derived from a quantitative description. In (Bartolozzi et al., 2000) qualitative models of equipment were used in the form of a tree defining the logical relations between causes and deviations of process variables (cause model), as well as between deviations and consequences (consequence model).
Dynamic Flowgraph Methodology (DFM) was used in HAZOP analysis in (Garrett et al., 1994; Guarro et al., 1996). DFM is a directed graph reflecting the relationships between process variables that also takes into account the time dependencies between them.
The model most frequently used to support HAZOP analysis is the qualitative model in the form of a signed directed graph (SDG). The nodes of the graph are the process variables, regardless of whether they are measured or not; the nodes corresponding to measured variables are observable nodes. The branches of the graph directly represent relationships between variables in the supervised process. SDG graphs are used to represent the causal relations between alarms in industrial installations (Iri et al., 1979; Montmain and Leyval, 1994; Shibata et al., 1991; Shiozaki et al., 1985; Takeda et al., 1994; Tateno et al., 1994); they define how alarms propagate along the installation.
Chung (Chung, 1993) developed a qualitative analysis of the operation of a process installation based on SDG. The system, called QUEEN, creates a comprehensive model of the process in the form of an SDG from elements corresponding to the particular elements of the installation.
Lü and Wang (Lü and Wang, 2007) presented an approach in which SDG graphs were applied to computer-aided HAZOP analysis. The developed solution includes fault diagnosis that finds all possible abnormal causes or adverse consequences. A new reasoning method was introduced, in which inverse inference is combined with forward inference to implement SDG fault diagnosis based on a breadth-first algorithm with consistency rules. A very similar approach was presented by Wang et al. (Wang et al., 2009), who also developed an SDG-based HAZOP. The proposed method helps to identify the most likely operating mistakes that may cause a given process variable to deviate from its normal value. The effectiveness of this solution was demonstrated in a case study on a polyvinyl chloride plant.
3. Qualitative modelling of the process with the use of a GP graph

3.1. Graph of a process - definition

GP (Graph of a Process) is a qualitative model of the process. It describes the relationships between the variables in the process, taking into account the influence of possible faults. The concept of the GP graph was established at the Institute of Automatic Control and Robotics of Warsaw University of Technology and was presented in (Kościelny and Ostasz, 2003; Ostasz, 2007; Sztyber, 2015; Sztyber et al., 2015). A GP graph is composed of vertices representing process variables (physical variables), measurements, control variables and faults. Arcs reflect the influence of particular variables on each other.
There are many studies in the literature making use of cause-and-effect graphs in diagnostics. A construction similar to the GP graph is found in signed directed graphs (SDG), which are used to represent the cause-and-effect relationships between the alarms in a technological installation (Garrett et al., 1994; Iri et al., 1979; Montmain and Leyval, 1994; Shibata et al., 1991; Shiozaki et al., 1985; Takeda et al., 1994). They specify how the alarms spread in the installation.
When analysing any object of diagnosis one needs to isolate the variables characterizing it and the faults affecting these variables. Thus, the set of variables describing the diagnosed system is identical with the set of vertices of the GP graph and may be divided into the following disjoint subsets (the subset names follow Fig. 2):
• X – a subset of the process variables (physical variables),
• U – a subset of the control signals from the automatic control system,
• Y – a subset of the measurement signals registered by the automatic control system,
• F – a subset of the faults affecting the process,
so that the set of vertices is U ∪ X ∪ Y ∪ F. (1)
Then, from the set of process variables X, the following disjoint subsets may be separated:
• XU – a subset of the input variables (real input signals),
• XX – a subset of the internal variables,
• XY – a subset of the output variables (these variables are represented by the subset of measurements Y),
X = XU ∪ XX ∪ XY. (2)
The control signals u ∈ U are generated by the control system and, in the absence of faults of the control paths, are equal to the corresponding input variables x ∈ XU; hence |U| = |XU|. All variables x ∈ XY are measured. Thus, the set of measurement signals Y is as numerous as the set XY, and the values of the corresponding elements of these sets agree (to the accuracy of the measuring devices) in the absence of faults of the measurement paths.
As can be seen, one of the reasons for distinguishing the XU and XY sets from the set of process variables X was to separate the faults of the control and measurement paths from the faults affecting only process variables, such as component faults (Fig. 1).

Fig. 1. The influence of faults of the measuring and control tracks on the process variables

In the set F of the possible faults of the process the following subsets are distinguished:
• FU – a subset of the faults of the control paths,
• FC – a subset of the faults of the process components,
• FY – a subset of the faults of the measurement paths,
F = FU ∪ FC ∪ FY. (3)
In terms of graph theory, a GP graph is a directed graph (digraph) that is also a simple graph (Berge graph): all arcs are different and there are no loops at individual vertices. It is given by the pair (set of vertices, set of arcs), (4)
where the set of vertices is identical with the set in (1), and the set of arcs is a set of ordered pairs of vertices, i.e. a subset of the Cartesian product of the set of vertices with itself.
Fig. 2. The structure of a GP graph: sub-graphs U, Y and X (the latter composed of XU, XY, XX) and F (composed of FC, FU, FY); solid line indicates empty sub-graphs

Sub-graphs of a GP graph may be separated analogously to the subsets of the set of vertices. Fig. 2 presents the decomposition of a GP graph according to the type of the vertices forming it and specifies the mutual relations between the sub-graphs. A solid line indicates an empty sub-graph, i.e. one without arcs inside it; a vertex of such a sub-graph may only be the beginning and/or the end of an arc coming from another sub-graph. Examples of sources (vertices that are only beginnings of arcs) are all vertices of the set of faults F. This corresponds to the influence of particular faults on the variables of the diagnosed process.
On the basis of the structure of a GP graph (Fig. 2), the division of the set of faults F into subsets may be defined more formally: a fault f ∈ F belongs to
FU if it is the beginning of an arc whose end belongs to XU, (5)
FC if it is the beginning of an arc whose end belongs to XX ∪ XY, (6)
FY if it is the beginning of an arc whose end belongs to Y. (7)
A fault may affect several variables within the same subset.
In the course of development and analysis it is convenient to limit the set of vertices of a GP graph to the variables only, i.e. to U ∪ X ∪ Y. The sub-graph created in this way will be called the graph of process variables and denoted GPx. (8)
A GP graph, as any simple graph, is unambiguously determined by its adjacency matrix
A = [a_ij]_{n×n}, where a_ij = 1 if (v_i, v_j) is an arc of the graph and a_ij = 0 otherwise, (9)
with v_i, v_j being the vertices corresponding to row i and column j of the matrix A, and n the number of vertices of the graph.
By adequate grouping of the elements, the matrix A may be divided into sub-matrices defining the relations between particular subsets of the vertices.


3.2. The methodology of construction of a GP graph of a process
The methodology of constructing a GP graph of a process will be presented on the example of the development of the graph for an assembly of serially connected tanks storing a toxic substance. The scheme of this object is presented in Fig. 3.

Fig. 3. The assembly of the tanks storing toxic substance

The first step is:
• determining the set of process variables and labelling them,
• pre-specifying the set of possible faults (usually based on expert knowledge),
• determining the sets U, Y, XU, XX, XY, FU, FC, FY.
These sets are given in Tables 1 to 3.
Table 1. Description of the symbols (italic) from Fig. 3

Symbol – Description
U – control signal from the controller
F1 – measurement signal of the water flow to tank T1
L1 – measurement signal of the level of liquid in tank T1
L2 – measurement signal of the level of liquid in tank T2
L3 – measurement signal of the level of liquid in tank T3
pp – pressure behind pump P
CVv – control signal passed to the servo motor
pv – pressure in the servo motor's chamber
Xv – position of the piston rod of valve V
Sv – flow area of valve V
F1 – flow to tank T1
l1 – level in tank T1
p1 – hydrostatic pressure at the bottom of tank T1
F12 – flow between tanks T1 and T2
l2 – level of liquid in tank T2
p2 – hydrostatic pressure at the bottom of tank T2
F23 – flow between tanks T2 and T3
l3 – level of liquid in tank T3
p3 – hydrostatic pressure at the bottom of tank T3
F3 – outflow from tank T3

Table 2. A list of possible faults of the three-tank system

Fault – Description
f1 – fault of the F1 measurement path
f2 – fault of the L1 measurement path
f3 – fault of the L2 measurement path
f4 – fault of the L3 measurement path
f5 – fault in the path of the U control signal
f6 – fault of the servo motor - valve assembly
f7 – no medium in front of pump P
f8 – fault of pump P
f9 – clogging of the channel between tanks T1 and T2
f10 – clogging of the channel between tanks T2 and T3
f11 – clogging of the outflow channel from tank T3
f12 – leak from tank T1
f13 – leak from tank T2
f14 – leak from tank T3

Table 3. The list of elements of particular sets

Set – Elements
Y – F1, L1, L2, L3
XU – CVv
XX – F12, F23, F3, p1, p2, p3, pp, pv, Xv, Sv
XY – F1, l1, l2, l3
FU – f5
FC – f6, f7, f8, f9, f10, f11, f12, f13, f14
FY – f1, f2, f3, f4

The following symbols were adopted for indicating the vertices of the graph:
• vertex of U – control signal,
• vertex of Y – measurement signal,
• vertex of X – internal variable,
• vertex of F – fault.
The construction of a GP graph can start from the input variables. The analysed process has a single input. In the absence of faults, the signal U from the controller is equal to the signal CVv, which affects the pressure pv in the chamber of the servomotor, and thus the position Xv of the piston rod of the servomotor, and finally the opening degree (flow area) Sv of the control valve. The flow through the control valve depends not only on its opening degree but also on the differential pressure across the valve. As the outlet is at atmospheric pressure (approximately constant), only the value of the pressure in front of the valve matters.
The level in each tank depends on the difference between the inflow and the outflow of the medium. This means that there are internal feedback loops in the process: the outflows influence the levels in the tanks. The pressures at the bottom of the open tanks depend directly on the level.
Fig. 4 illustrates the GPx graph for the entire process.

Fig. 4. GPx graph of the process

In the next step, the GPx graph needs to be supplemented by adding the vertices of the faults and of the measurement paths, as well as the arcs defining the relations between these vertices and the GPx graph. The set of measurements has been specified earlier and this part of extending the graph does not cause problems. The set of possible faults has also been pre-determined, but when expanding the GPx graph to the full GP graph it is reasonable to analyse the possible faults again, focusing on the specific parts of the process; usually, faults are then noticed that had initially been overlooked. The GP graph of the process is presented in Fig. 5.

Fig. 5. GP graph of the process. Vertex labels visible in the figure: measurement faults f1, f2, f3, f4 and measurement signals F1, L1, L2, L3; the chain of variables U, CVv, pv, Xv, Sv, F1, l1, p1, F12, l2, p2, F23, l3, p3, F3 with the pump pressure pp; faults f5, f6, f7, f8, f9, f10, f11, f12, f13, f14


The construction of the graph may start from any variable. Different parts of the graph may be designed independently by separate people (or groups of people) and then combined.

4. Supporting HAZOP by GP model

To study the hazards of the given system (Fig. 3, Tables 1 and 2) a modelling and simulation (M&S) approach can be applied. It is possible to build analytical models of the individual components (pumps, valves, tanks) and also to model their interactions as communications (connections) among the different objects. Faults are modelled as deviations of some object attributes and can be inputs of the simulation. Such an approach gives the opportunity to investigate the impact of threats on the variation of the process variables, but requires more work and cost. Therefore, a simpler approach based on the use of GP graphs is proposed.
Performing a HAZOP analysis results in a list of potential hazards, together with the identified causes of the deviations of the parameters and suggestions on how to secure the process against their occurrence. The GP graph is particularly useful when determining the causes of the deviations of the process parameters. These causes are determined by the team performing the analysis, usually investigating one node at a time. In most cases the individual nodes are not independent: there are interactions between them which may be overlooked, and the occurrence of internal feedback between the nodes is especially dangerous. The situation gets particularly complicated when the analysed process is large and the nodes are interrelated by complex dependencies. The team performing the analysis may have difficulty following the relations occurring in the entire process, and the quality of the analysis then depends only on the competence of the team.
The main advantage of applying a GP graph in HAZOP analysis is the opportunity to take into account in the analysis the dependencies between the nodes of the examined installation. Particularly important is the fact that the GP graph shows these relations, including the relations resulting from feedback existing in the process.
The above advantages of using a GP graph to support HAZOP analysis will be presented on the examples of defining the causes of emergency states consisting in an overflow of the first tank in the group of tanks storing a toxic substance, and in a leak from this tank (Fig. 3). A division of the object into two nodes was assumed and is presented in Fig. 6. The parts of the GP graph in Fig. 7 correspond to these nodes.

Fig. 6. Division of the object into nodes (Node 1, Node 2)


The first node comprises the pump, the control valve and tank T1; the second node includes the two further tanks with the toxic substance. Because of the serial connection of the tanks and the control of the level in tank T3, the biggest threat is the overflowing of tank T1. Equally dangerous are leaks from the tanks, associated with the possibility of a release of the toxic substance.

Fig. 7. Nodes of the process indicated in the GP graph (Node 1, Node 2)

A typical HAZOP analysis of the causes of level deviations, performed for node 1, is presented in Table 4.

Table 4. A fragment of the HAZOP analysis for node 1

No 1. Parameter: level in tank T1
Deviation: too high. Causes:
• jamming of the valve in the open position
• failure in the level control system (damage to the L3 measuring circuit, damage to the U control circuit)
• clogging of the channel between tanks T1 and T2
Deviation: too low. Causes:
• leak from tank T1
• pump failure
• no medium
• jamming of the valve in the closed position
• failure in the level control system (damage to the L3 measuring circuit, damage to the U control circuit)

Table 5 presents the results of the analysis of the causes of level deviation conducted for node 1 with the use of the GP graph. It shows that the cause of an overflow in tank T1, apart from the causes located in node 1, may be clogging of the channel between tanks T2 and T3 or clogging of the outflow channel from tank T3, whereas a too low level in tank T1 can also result from leaks from the tanks in node 2. A set of tanks storing a toxic liquid is characterized by the existence of feedback in the process, which impedes the risk analysis, particularly when the object is divided into nodes. Omitting the interdependences between the nodes is a common cause of incompleteness of HAZOP analysis.
Table 5. A fragment of the HAZOP analysis for node 1 taking the GP graph into account. Added causes are marked "(added)"

No 1. Parameter: level in tank T1
Deviation: too high. Causes:
• jamming of the valve in the open position
• failure in the level control system (damage to the L3 measuring circuit, damage to the U control circuit)
• clogging of the channel between tanks T1 and T2
• clogging of the channel between tanks T2 and T3 (added)
• clogging of the outflow channel from tank T3 (added)
Deviation: too low. Causes:
• leak from tank T1
• pump failure
• no medium
• jamming of the valve in the closed position
• failure in the level control system (damage to the L3 measuring circuit, damage to the U control circuit)
• leak from tank T2 (added)
• leak from tank T3 (added)

On the basis of a GP graph, a tree of the cause-and-effect relationships that occur in the process may be constructed, which illustrates the influence of the faults on the analysed process variable. Fig. 8 presents such a tree created for the level of medium in tank T1.

Fig. 8. A tree of cause-and-effect relationship illustrating the influence of the faults on the level of medium in tank T1

A suggestion for the modification of the procedure of conducting HAZOP analysis is presented below. As a result of introducing this procedure one can expect:
• visualisation of cause-and-effect relationship in the process in the form of a graph,
• supplementing the analysis by identification of potential dependencies between the nodes,
• increasing the degree of completeness of the performed analysis.

In the modified procedure a qualitative model is used in the form of a GP graph. Deductive analysis, due to the way of processing from causes to effects, will be the main tool supporting HAZOP analysis with the use of this model.

The procedure of designing dependency trees for the major events and performing HAZOP analysis is as follows (Fig. 9):
1. Development of a GP graph for the whole system or the chosen nodes on the basis of the flow diagram and expert knowledge.
2. Separation of a GPx graph on the basis of the GP graph.
3. Identification of the nodes present in the system.
4. Isolation of a node from the GPx graph and development of a GPx sub-graph.
5. Defining the major event, i.e. selecting one of the vertices in the GPx sub-graph.
6. Development of a tree of cause-and-effect relationship based on a combination of interrelated internal variables and faults affecting them. Visualisation of the dependencies may also be conducted directly on the graphic representation of the GP model (depending on the implementation).
7. Performing HAZOP analysis for the prepared tree, i.e. defining the scenarios related to the analysed major event.
8. Steps 6 to 8 are repeated until all the necessary trees are drawn.
9. Steps 5 to 9 are repeated until no non-analysed nodes remain.
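The deductive cause search of steps 5 to 7, and the node-crossing causes that Table 5 adds to Table 4, as an added Python example (not the paper's or the QMod module's code): a constructed toy GP graph of the four-tank system is searched against the edge direction from the level of tank T1, and every fault found is classified as visible inside node 1 or imported from node 2. The vertex names (h_T1, u, f_*), the edges including the feedback cycles, and the rule assigning a fault to a node are assumptions made for this example.

```python
"""Cause search over a GP-style graph of a process (added example, not the
paper's or QMod's code). The graph is a constructed toy version of the four-tank
example of Fig. 7 / Table 5; vertex names, edges and node assignment are
assumptions, not the plant's real GP graph."""
from collections import deque

# Edges point from cause to effect. The cycles (h_T1 <-> h_T3, h_T3 <-> h_T4,
# h_T1 -> u -> h_T1) stand for the process feedbacks that impede node-wise analysis.
GP_EDGES = {
    # faults located in node 1 (after Table 4)
    "f_valve_open":   ["h_T1"],          # inlet valve of T1 jammed open
    "f_valve_closed": ["h_T1"],          # inlet valve of T1 jammed closed
    "f_L4_circuit":   ["u"],             # damaged measuring circuit of the level controller
    "f_U_circuit":    ["u"],             # damaged control circuit
    "f_clog_T1_T3":   ["h_T1", "h_T3"],  # clogged channel between T1 and T3
    "f_leak_T1":      ["h_T1"],
    "f_pump":         ["h_T1"],
    "f_no_medium":    ["h_T1"],
    # faults located in node 2
    "f_clog_T3_T4":   ["h_T3", "h_T4"],  # clogged channel between T3 and T4
    "f_clog_out_T4":  ["h_T4"],          # clogged outflow channel of T4
    "f_leak_T3":      ["h_T3"],
    "f_leak_T4":      ["h_T4"],
    # process variables (tank levels) and the control signal
    "u":    ["h_T1"],           # control signal drives the inlet valve of T1
    "h_T1": ["h_T3", "u"],      # T1 drains into T3; its level is fed back to the controller
    "h_T3": ["h_T1", "h_T4"],   # back-pressure from T3 limits the outflow of T1
    "h_T4": ["h_T3"],           # likewise between T4 and T3
}
NODE_OF = {"h_T1": 1, "u": 1, "h_T3": 2, "h_T4": 2}  # HAZOP node of each variable


def reverse_graph(edges):
    """Effect -> list of its direct causes, in insertion order."""
    rev = {v: [] for v in edges}
    for src, dsts in edges.items():
        for dst in dsts:
            rev.setdefault(dst, []).append(src)
    return rev


def cause_paths(edges, target):
    """Deductive search against the edge direction from the major event `target`.
    Returns {fault: [fault, ..., target]}, one causal chain per fault that can
    influence the target; the visited set makes the search terminate on cycles."""
    rev = reverse_graph(edges)
    parent, queue = {target: None}, deque([target])
    while queue:
        effect = queue.popleft()
        for cause in rev.get(effect, []):
            if cause not in parent:
                parent[cause] = effect
                queue.append(cause)
    paths = {}
    for vertex in parent:
        if vertex.startswith("f_"):            # fault vertices only
            chain, cur = [], vertex
            while cur is not None:
                chain.append(cur)
                cur = parent[cur]
            paths[vertex] = chain
    return paths


def causes_by_node(edges, node_of, target, node):
    """Split the causes of a deviation of `target` into those a node-local HAZOP
    sees and those imported from other nodes. Assumed rule: a fault belongs to the
    analysed node if any variable it acts on directly lies in that node."""
    inside, outside = [], []
    for fault in cause_paths(edges, target):
        nodes = {node_of[v] for v in edges[fault]}
        (inside if node in nodes else outside).append(fault)
    return sorted(inside), sorted(outside)
```

For the level of T1 the search returns all twelve faults; the four returned as imported from node 2 are exactly the causes marked as added in Table 5, each with the chain of tank levels through which it reaches T1.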
[Fig. 9 flowchart: Start -> Development of GP graph for the whole system / chosen nodes -> Separating GP graph -> Identification of the nodes present in the system -> Isolation of a node from GPx graph and developing a GPx sub-graph -> Defining the major event -> Development of a tree of cause-and-effect relationship based on a combination of interrelated internal variables and faults affecting them -> Performing HAZOP analysis for the prepared tree -> "All the necessary trees are drawn?" (NO: loop back; YES: continue) -> "End of the non-analysed nodes?" (NO: loop back; YES: End)]

Fig. 9. The flowchart of the procedure of designing dependency trees for the major events and performing HAZOP analysis



5. Implementation of HAZOP analysis with the use of a GP graph in IAPS

The IAPS (Intelligent Accident Prevention System) is an information system supporting the introduction and monitoring of the safety system in plants posing the risk of a serious industrial accident. The system was implemented by the Institute of Automatic Control and Robotics of Warsaw University of Technology in cooperation with experts from the Central Institute for Labour Protection, the State Fire Service, the Chief Inspectorate of Environmental Protection and the Office of Technical Inspection within the 3rd stage of the long-term program entitled "Improving the safety and working conditions" funded by the National Centre for Research and Development.

The operation of the system consists in: gathering digital documentation related to the safety of the plant, monitoring and supervision of the tasks connected with the implementation and realisation of the Accident Prevention Program and the Safety Management System, as well as supporting the execution and collection of data in the area of the conducted risk analyses, including HAZOP.
As regards support of the conducted risk analyses, with special regard to the HAZOP method, IAPS functions may be divided into two areas of tasks:
• supporting analyses by providing tools allowing for the development and analysis of qualitative models in the form of GP graphs – a task realised by the QMod modelling module,
• collecting and storing the results of the conducted risk analyses for the separated nodes of a technological installation in particular plants, including mechanisms for sharing them and tracking the changes – a task performed by the HAZOP documentation module.
5.1. Qualitative modelling in the QMod module
QMod module is a simple graphic interface designed to:
• develop qualitative models of the process in the form of a GP graph,
• manage the developed models (adding, deleting, viewing) by linking them to the elements of
hierarchical structure describing the components and sub-systems of the technological process in
the plant,
• conduct inductive and deductive analyses for the selected nodes of a GP model.
Graphical user interface of a QMod module is presented in Fig. 10.

Fig. 10. The interface layout of the QMod editor

The procedure of using the QMod module for a new installation is carried out in the following stages:
• configuring the structure of the process (hierarchical description of components) and the process variables, control signals, measurement signals and faults used in the analysis of the process. The degree of detail of the developed structure of the process depends on the designers and may be selected depending on particular needs;
• making qualitative models in the form of GP graphs. It is possible to model entire installations, as well as only selected, most important pieces;
• when performing risk analysis for particular nodes, the developed models are used on a current basis for the assessment of possible causes and results of the analysed deviations related to the chosen nodes of the model.
The exemplary analysis conducted with the use of QMod module is presented in Fig. 11.

Fig. 11. Exemplary analysis of a GP graph for the chosen node: visualisation of the possible causes on a graph (left) and the record of the results of the analysis in the form of a report (right)

5.2. Storing the results of the analysis on IAPS server
Within the IAPS system, a module has been developed allowing for collecting data on the conducted and realised HAZOP analyses. The module is composed of a series of components of the graphical user interface, which allow for displaying information on the previously or currently performed HAZOP analyses stored in a central database. There is also a possibility to introduce new analyses. In order to provide the proper functioning of the module, it was necessary to implement the main elements of the system's framework. The following elements of the IAPS user interface were implemented:
• administering the users (general data, responsibilities, training etc.),
• screens for the description of the plant:
    • screens for visualisation of plant general data (description of the plant, technological processes and installations etc.),
    • screens for visualisation of data on installations, such as division into sections, on-the-job documentation etc.,
    • screens for visualisation of data on dangerous situations,
• screens for data service related to HAZOP analysis:
    • screens for visualisation of data on risk analyses,
    • screens for visualisation of data on the scenarios (description of a failure scenario, consequences, protection against failure, protection reducing the consequences etc.).
One of the screens of IAPS allowing for defining new risk analysis is presented in Fig. 12.

Fig. 12. Screen for adding a new risk analysis

From the level of the user interface, it is possible to introduce basic data on the analysis, such as the name of the analysis, the status of the analysis, the name of the installation being the object of the analysis, the date of performing the analysis, the date of accepting the analysis, information on the accepting person etc. From the level of the user interface, accepting the conducted analysis is also feasible. Access to this option is given only to users with adequate permissions in the system. The dedicated screen also presents a list of people involved in the HAZOP analysis. In IAPS each analysis may have numerous failure scenarios assigned. After activating a particular action on the list of risk analyses, a screen is displayed including the list of scenarios associated with the chosen risk analysis.

Other screens have been developed and implemented in an analogous way. The screens forming part of the HAZOP module enable complete archiving of data related to performing risk analyses. It is possible to browse them freely and use them in further analyses. In IAPS all stored information is versioned, i.e. subsequent versions of the content that has been modified, added or deleted from the system are stored. Such an approach significantly increases the safety of data storage and protects against accidental deletion of important information. Thus, the safety of the whole plant is increased.

6. Summary
The HAZOP method does not provide the completeness of risk analysis, especially in indicating all causes of deviations of the process parameters which are the main risk. Particular difficulties occur when complex objects are concerned, which are decomposed into nodes for the purposes of HAZOP analysis. In the majority of cases, particular nodes are not independent - there are interactions between them that may be overlooked. The presence of feedbacks between the nodes in the process is particularly dangerous. This paper proves that the completeness of this analysis may be increased by applying the qualitative model of the process in the form of a GP graph.

The high quality of risk analysis may be obtained only when acquiring adequate knowledge about the
process and such knowledge is represented by quantitative and qualitative models of the process. The use
of quantitative models is a very difficult and expensive solution. These models should be capable of
simulating all kinds of threats. Therefore, this solution shall be applied to critical objects. GP graph is a
qualitative model and requires significantly lesser design expenditures than quantitative models.
The application of a GP graph increases the likelihood of acknowledging all causes of risks due to their
systematic modelling in the GP graph and explicitly determined connections between the separated nodes.
As far as HAZOP analysis support is concerned, it is possible to show a sub-graph covering all possible risks
(faults/human errors) for a given deviation of a process parameter. Obviously, there is no guarantee that
graph includes all causes. However, the mere fact of the need to model them, makes us presume that the
completeness of the conducted analysis will be higher. This is shown by the example from section 4.
The proposed procedure of supporting HAZOP analysis with the use of a GP graph of a process allows for
visualisation of the cause-and-effect relationship that occurs in the process in the form of a graph and
supplements the analysis by identifying potential dependencies between the nodes.
A GP graph as a model of the process has many advantages:
• its use is intuitive and simple, and does not require in-depth knowledge of the process,
• to develop a GP graph it is sufficient to have basic knowledge of the laws and physical dependencies of the process,
• another source of knowledge may be the experience of operators and process engineers.

The use of a GP graph is significantly wider than the support of HAZOP analysis. It may be used for (Heino and Jouko, 1988; Iri et al., 1979; Kletz, 1999; Kościelny and Ostasz, 2003; Labovský et al., 2007a, 2007b):
• developing a quantitative model (this is the first stage of constructing simulators),
• designing alarms – the reduction of the group of alarms and defining the rules of inference on the faults on the basis of the alarms,
• visualisation of alarm propagation in the process,
• the choice of optimal sets of measurements and tests for advanced process diagnostics (based on quantitative models),
• designing algorithms for fault detection - on the basis of a graph, the structures of the models can be determined in order to detect the faults which are to be identified;
• determining the faults-symptoms relation necessary for the isolation of faults - on the basis of the graph, the structures of the models for fault detection can be specified, and then the subset of faults to which each of them is sensitive can be determined.

Acknowledgements
Developed on the basis of the results of the 3rd stage of the long-term program entitled "Improving the safety and working conditions" funded by the Ministry of Science and Higher Education / National Centre for Research and Development in the years 2014-2016 in the field of research and development.
Coordinator of the program: Central Institute for Labour Protection - National Research Institute.

Bibliography

Bartolozzi, V., Castiglione, L., Picciotto, A., Galluzzo, M., 2000. Qualitative models of equipment units and their use in automatic HAZOP analysis. Reliab. Eng. Syst. Saf. 70, 49–57. doi:10.1016/S0951-8320(00)00042-9
Baybutt, P., 2015. A critique of the Hazard and Operability (HAZOP) study. J. Loss Prev. Process Ind. 33, 52–58. doi:10.1016/j.jlp.2014.11.010
Catino, C.A., Ungar, L.H., 1995. A model-based approach to automated hazard identification of chemical plants. AIChE J. 41, 97–109. doi:10.1002/aic.690410110
Chung, P.W.H., 1993. Qualitative analysis of process plant behaviour, in: Proceedings of the 6th International Conference on Industrial and Engineering Applications of Artificial Intelligence and Expert Systems. Edinburgh, Scotland, pp. 277–283.
Directive 2012/18/EU of the European Parliament and of the Council of 4 July 2012 on the control of major-accident hazards involving dangerous, 2012. Official Journal of the European Union L.
Dunjó, J., Fthenakis, V., Vílchez, J.A., Arnaldos, J., 2010. Hazard and operability (HAZOP) analysis. A literature review. J. Hazard. Mater. doi:10.1016/j.jhazmat.2009.08.076
Eizenberg, S., Shacham, M., Brauner, N., 2006. Combining HAZOP with dynamic simulation - Applications for safety education. J. Loss Prev. Process Ind. 19, 754–761. doi:10.1016/j.jlp.2006.07.002
Garrett, C., Yau, M., Guarro, S., Apostolakis, G., 1994. The dynamic flowgraph methodology: a methodology for assessing embedded system software safety. Int. Conf. Probabilistic Saf. Assess. ….
Guarro, S., Yau, M., Motamed, M., 1996. Development of tools for safety analysis of control software in advanced reactors.
Hazard and operability studies (HAZOP studies) - application guide. IEC 61882, 2001. International Electrotechnical Commission.
Heino, P., Jouko, S., 1988. An expert system in process design - Analysis of process safety and reliability, in: International Workshop on Artificial Intelligence for Industrial Applications. IEEE, pp. 225–231. doi:10.1109/AIIA.1988.13298
Iri, M., Aoki, K., O'Shima, E., Matsuyama, H., 1979. An algorithm for diagnosis of system failure in the chemical process. Comput. Chem. Eng. 3, 489–493. doi:10.1016/0098-1354(79)80079-4
Kletz, T.A., 1999. Hazop & Hazan: Identifying and Assessing Process Industry Hazards, Fourth Edition, Hardcover.
Kościelny, J.M., Ostasz, A., 2003. Application of Causal Graph GP for Description of Diagnosed Process. IFAC Proc. Vol. 36, 801–806. doi:10.1016/S1474-6670(17)36591-6
Labovský, J., Švandová, Z., Markoš, J., Jelemenský, L., 2007a. Mathematical model of a chemical reactor - useful tool for its safety analysis and design. Chem. Eng. Sci. 62, 4915–4919. doi:10.1016/j.ces.2007.01.071
Labovský, J., Švandová, Z., Markoš, J., Jelemenský, L., 2007b. Model-based HAZOP study of a real MTBE plant. J. Loss Prev. Process Ind. 20, 230–237. doi:10.1016/j.jlp.2007.03.015
Lü, N., Wang, X., 2007. SDG-Based HAZOP and Fault Diagnosis Analysis to the Inversion of Synthetic Ammonia. Tsinghua Sci. Technol. 12, 30–37. doi:10.1016/S1007-0214(07)70005-6
Montmain, J., Leyval, L., 1994. Causal Graphs for Model Based Diagnosis. IFAC Proc. Vol. 27, 329–337. doi:10.1016/S1474-6670(17)48049-9
Ostasz, A., 2007. Causal Graph GP and its application in determining a set of residuals and diagnostic relations (in Polish). Warsaw University of Technology.
Parmar, J.C., Lees, F.P., 1987. The propagation of faults in process plants: Hazard identification. Reliab. Eng. 17, 277–302. doi:10.1016/0143-8174(87)90093-X
Parmar, J.C., Lees, F.P., 1987. The propagation of faults in process plants: Hazard identification for a water separator system. Reliab. Eng. 17, 303–314. doi:10.1016/0143-8174(87)90094-1
Ramzan, N., Compart, F., Witt, W., 2007. Methodology for the generation and evaluation of safety system alternatives based on extended hazop. Process Saf. Prog. 26, 35–42. doi:10.1002/prs.10161
Risk-Based Inspection: API RECOMMENDED PRACTICE 580, American Petroleum Institute, 2002.
Sauk, R., Markowski, A.S., Moskal, F., 2015. Application of the graph theory and matrix calculus for optimal HAZOP nodes order determination. J. Loss Prev. Process Ind. 35, 377–386. doi:10.1016/j.jlp.2015.01.007
Shibata, B., Tateno, S., Tsuge, Y., Matsuyama, H., 1991. Fault Diagnosis of the Chemical Process Utilizing Signed Directed Graph - Improvement and Evaluation of the Diagnosis Accuracy. IFAC Proc. Vol. 24, 553–558. doi:10.1016/S1474-6670(17)51199-4
Shiozaki, J., Matsuyama, H., Tano, K., O'Shima, E., 1985. Fault diagnosis of chemical processes by the use of signed, directed graphs. Extension to five-range patterns of abnormality. Int. Chem. Eng. 37, 651–659.
Srinivasan, R., Venkatasubramanian, V., 1998a. Automating HAZOP analysis of batch chemical plants: Part I. The knowledge representation framework. Comput. Chem. Eng. 22, 1345–1355. doi:10.1016/S0098-1354(98)00018-0
Srinivasan, R., Venkatasubramanian, V., 1998b. Automating HAZOP analysis of batch chemical plants: Part II. Algorithms and application. Comput. Chem. Eng. 22, 1357–1370. doi:10.1016/S0098-1354(98)00019-2
Srinivasan, R., Venkatasubramanian, V., 1996. Petri net-Digraph models for automating HAZOP analysis of batch process plants. Comput. Chem. Eng. 20, S719–S725. doi:10.1016/0098-1354(96)00129-9
Švandová, Z., Jelemenský, L., Markoš, J., Molnár, A., 2005. Steady States Analysis and Dynamic Simulation as a Complement in the Hazop Study of Chemical Reactors. Process Saf. Environ. Prot. 83, 463–471. doi:10.1205/psep.04262
Sztyber, A., 2015. Sensor placement for fault diagnosis using Graph of a Process (in Polish). Warsaw University of Technology.
Sztyber, A., Ostasz, A., Kościelny, J.M., 2015. Graph of a process - A new tool for finding model structures in a model-based diagnosis. IEEE Trans. Syst. Man, Cybern. Syst. 45, 1004–1017. doi:10.1109/TSMC.2014.2384000
Takeda, K., Shibata, B., Tsuge, Y., Matsuyama, H., 1994. The Improvement of Fault Diagnosis Algorithm Using Signed Directed Graph. IFAC Proc. Vol. 27, 351–356. doi:10.1016/S1474-6670(17)48052-9
Tateno, S., Shibata, B., Tsuge, Y., Matsuyama, H., 1994. Optimal Allocation of Sensors for Fault Diagnosis System Using the Signed Directed Graph. IFAC Proc. Vol. 27, 713–718. doi:10.1016/S1474-6670(17)48109-2
Vaidhyanathan, R., Venkatasubramanian, V., 1996. A semi-quantitative reasoning methodology for filtering and ranking HAZOP results in HAZOPExpert. Reliab. Eng. Syst. Saf. 53, 185–203. doi:10.1016/0951-8320(96)00061-0
Vaidhyanathan, R., Venkatasubramanian, V., 1995. Digraph-based models for automated HAZOP analysis. Reliab. Eng. Syst. Saf. 50, 33–49. doi:10.1016/0951-8320(95)00052-4
Venkatasubramanian, V., Vaidhyanathan, R., 1994. A knowledge-based framework for automating HAZOP analysis. AIChE J. 40, 496–505. doi:10.1002/aic.690400311
Wang, H., Chen, B., He, X., Tong, Q., Zhao, J., 2009. SDG-based HAZOP analysis of operating mistakes for PVC process. Process Saf. Environ. Prot. 87, 40–46. doi:10.1016/j.psep.2008.06.004
Zerkani, H., Rushton, A., 1993. Computer aid for hazard identification, in: Proceedings of the 6th International Conference on Industrial and Engineering Applications of Artificial Intelligence and Expert Systems. pp. 102–109.

• Qualitative modelling of the process with the use of a GP graph is presented.
• The methodology of construction of a GP graph of a process is described.
• The procedure of supporting HAZOP analysis with the use of a GP graph is presented.
• Implementation of HAZOP analysis with the use of a GP graph in IAPS is presented.
