Proceedings,16th IFAC Symposium on

Proceedings,16th IFAC
Information Control Symposium
Problems on
in Manufacturing
Proceedings,16th
Information IFAC Symposium
Control on
Available online at www.sciencedirect.com
Bergamo, Italy, JuneProblems in Manufacturing
11-13, 2018
Information Control
Proceedings,16th
Bergamo, Italy, JuneProblems
IFAC in Manufacturing
Symposium
11-13, 2018 on
Bergamo, Italy,
Information JuneProblems
Control 11-13, 2018
in Manufacturing
Bergamo, Italy, June 11-13, 2018 ScienceDirect
IFAC PapersOnLine 51-11 (2018) 939–944
Risk assessment in a chemical plant with a CPN-HAZOP Tool
Risk
Risk assessment
assessment in
in a
a chemical
chemical plant
plant with
with aa CPN-HAZOP
CPN-HAZOP Tool
Tool
Risk assessment in a chemical plant
D. Arena*, with a CPN-HAZOP Tool
F. Criscione**
D. Arena*, F. Criscione**
N. Trapani***
D. Arena*, F. Criscione**
N. Trapani***
D. Arena*,  F. Criscione**
N. Trapani***
*École Politechnique Fédérale de Lausanne  (EPFL), SCI-STI-DK ME, Station 9, CH-
N. Trapani***

*École
1015 Politechnique
Lausanne, Switzerland Fédérale (Tel: de0041-21-693-59-13;
Lausanne (EPFL), SCI-STI-DK ME, Station 9, CH-
e-mail: damiano.arena@epfl.ch).
*École
1015 Politechnique
Lausanne, Switzerland Fédérale (Tel: de0041-21-693-59-13;
Lausanne (EPFL), SCI-STI-DK

e-mail: ME, Station 9, CH-
damiano.arena@epfl.ch).
*École
1015 Politechnique
Lausanne, **Università
Switzerland Fédérale degli
(Tel: Studi di Catania,
de0041-21-693-59-13;
Lausanne (EPFL), Catania,
SCI-STI-DK 95125 ME, Station 9, CH-
e-mail: damiano.arena@epfl.ch).
**Università
Italy (Tel:Switzerland
0039-339-6121398; degli Studi
e-mail: di Catania, Catania, 95125
francescocriscione12@gmail.com).
1015 Lausanne, **Università (Tel:
degli0041-21-693-59-13;
Studi di Catania, e-mail: damiano.arena@epfl.ch).
Catania, 95125
Italy (Tel: ***Università
0039-339-6121398; e-mail:
degliStudi
Studi francescocriscione12@gmail.com).
diCatania,
Catania,Catania,
Catania,95125 95125
**Università degli
Italy (Tel: ***Università
0039-339-6121398; e-mail: di francescocriscione12@gmail.com).
Italy (Tel: 0039-095-7382465; degli Studi di
e-mail: Catania, Catania, 95125
natalia.trapani@dieei.unict.it).
Italy (Tel: ***Università
0039-339-6121398; e-mail:
degli Studi di francescocriscione12@gmail.com).
Catania, Catania, 95125
Italy (Tel: 0039-095-7382465; e-mail: natalia.trapani@dieei.unict.it).
Italy (Tel: ***Università
0039-095-7382465; degli Studi di Catania,
e-mail: Catania, 95125
natalia.trapani@dieei.unict.it).
Italy (Tel: 0039-095-7382465; e-mail: natalia.trapani@dieei.unict.it).
Abstract: In a previous research, a tool integrating the HAZOP analysis method and Coloured Petri Net
Abstract:
formalism In to aasupport
previous theresearch,
analysis aacarried
tool integrating the HAZOP
out by specialists duringanalysis
a HAZOP method and Coloured
brainstorming Petri Net
session has
Abstract:
formalism In
to previous
support the research,
analysis tool integrating
carried out by the HAZOP
specialists duringanalysis
a HAZOP method and Coloured
brainstorming Petri Net
session hasa
been provided.
Abstract:
formalism In a In that
previous
to support work,
research,
thework,
analysis the atool
tool was used
integrating to simulate
the HAZOP the behaviour
analysis methodof a few
and components
Coloured Petri of
Net
been
chemicalprovided.
plant In thatdiverse
while the carried
abnormaltool was outused
scenarios
by specialists
to simulate
occur.
during
In the the a HAZOPofbrainstorming
behaviour
present work, of a few
other types
sessionofhasa
components
of components
formalism
been provided.to support
In thatthework,
analysis the carried
tool was outused
by specialists
to simulate during
the a HAZOP
behaviour brainstorming
a few sessionofhasa
components
chemical
have been plant
modelledwhileand diverse abnormal of
the behaviour scenarios
plantoccur.
theused In the present demonstrating
work, other types of components
been
chemicalprovided.
plant In thatdiverse
while work, the tool was
abnormal scenarios tohas
occur. been
simulate
In simulated
the the behaviour
present work, of a few
other itscomponents
types ability
of to model
componentsof a
have
more beencomplex modelled and the behaviour
components, simulate of the plant hastypes,
been simulated demonstrating itstime
ability to model
chemical
have been plant
modelledwhile diverse
and the abnormaldiverse
behaviour scenarios
of the failure
plant occur.
has In the
been hence,
present
simulated reducing
work, other
demonstratingthe totaltypes
its required
of components
ability to model to
more
complete complex
the components,
analysis compared simulate diverseHAZOP
to a standard failure assessment
types, hence, reducing the total time required to
approach.
have
more been
complex modelled and
components, the behaviour
simulate of the plant
diverse failurehastypes,
been simulated
hence, demonstrating
reducing the total itstime
ability to model
required to
complete the analysis compared to a standard HAZOP assessment approach.
more
complete complex components,
the analysis compared simulate diverseHAZOP
to a standard failure assessment
types, hence, reducing the total time required to
approach.
© 2018, IFAC
Keywords: (International
HAZOP, Coloured Federation
Petri Nets,of Automatic
Risk Assessment.Control) Hosting by Elsevier Ltd. All rights reserved.
complete
Keywords:the analysisColoured
HAZOP, comparedPetri to aNets,
standard RiskHAZOP
Assessment. assessment approach.
Keywords: HAZOP, Coloured Petri Nets, Risk Assessment. 
Keywords: HAZOP, Coloured Petri Nets, Risk Assessment. 
 achieved a quantitative HAZOP to resume the data they have
1. INTRODUCTION achieved
1. INTRODUCTION  found. aa quantitative
achieved
HAZOP to resume the data they have
quantitative HAZOP to resume the data they have
1. INTRODUCTION found.
Today safety in industrial 1. INTRODUCTION plants has a central role, in achieved found. a quantitative HAZOP to resume the data they have
Today safety within industrial plants has role, in A
a central(Directive truly innovative field of research is the synchronization
Today safety in industrial plants has a central role, in found.
compliance the “Seveso Directive” A truly innovative
between the data of field field
a DCS, of research is Control the synchronization
compliance
2012/18/EU),
Today safety with
which
in the
is
industrial the “Seveso
third
plants Directive”
update
has a of the
central (Directive
Directive
role, in A truly innovative
between the data of a DCS, of Distributed
research is Control
Distributed
System, and
the synchronization
System, and
compliance with the “Seveso Directive” (Directive Excel®, to create an automatic HAZOP analysis. In
2012/18/EU),
82/501/EEC. with
compliance
2012/18/EU),
which
In thisthe
which
iscontext
the
is the
third
Riskupdate
“Seveso
third
of the (Directive
Assessment,
Directive”
update of the which
Directive
Directive is A truly innovative
between
Excel®,
the data of field
to create
a DCS,
an
of Distributed
research is Control
automatic HAZOP
the synchronization
System, and
analysis. In
82/501/EEC.
realized in Risk
2012/18/EU), In this iscontext
Identification,
which the third Risk
Analysis Assessment,
update the which
andof Quantification,
Directive is Excel®, to create an automatic HAZOP analysis. Ina
researches
between the conducted
data of a by
DCS, Spampinato
Distributed et
Control al. (2015)
System, and
82/501/EEC. In this context Risk Assessment, which is researches
spreadsheet conducted by Spampinato et al. (2015) Inaa
realized
has beenin
82/501/EEC.
Risk Identification,
proved to becontext
In Identification,
this
Analysis
very useful
Risk for and
Assessment,
Quantification,
risk-driven design
which researchesto with
Excel®,
is spreadsheet
create
conducteda dynamic fault
an byautomatic tree HAZOP
Spampinato was etimplemented
al.analysis.
(2015) with
realized
has been in Risk
proved to be very Analysis
useful and
for2009; Quantification,
risk-driven data
researches with
comingwith
conducteda
in areal dynamic
time fault
by fault tree
fromtree
Spampinato was
thewas implemented
DCS,
et showing
al. (2015) with
thea
phase of in
realized industrial plants
Risk Identification, (Petrone et al.,
Analysis and Trapanidesign
Quantification,et al., spreadsheet
data comingwith
dynamic implemented with
has
phasebeen
of proved
industrial to be very
plants (Petroneuseful
et for2009;
al., risk-driven
Trapani design
et al., probabilities
spreadsheet
data coming ofin
in a real
some timeevents
top
dynamic
real time
fromtree
fault
from
thewas
and
the
DCS,
updating showing
implemented
DCS, a HAZOP
showing
the
with
the
2015),
has of however,
phasebeen proved to
industrial thisbe may
plants very
(Petrone require
useful
et al.,forbeing
2009; continuously
risk-driven
Trapani design probabilities
et al., analysis of some top events and updating a HAZOP
2015), however, this may require being continuously data where
coming
probabilities ofinwere real
some highlighted
time
top from
events thethe
and faulty
DCS, components
updating showing
a HAZOP and
the
revalued,
2015), for example,
phase of however,
industrial this when
plants may process
(Petrone updates,
et al.,
require change
2009; Trapani
being in
et the
continuously al., the analysis where were highlighted the faulty components and
revalued, for example, when process updates, change in the possible
probabilities
analysis whereabnormal
of some
were scenarios.
top events
highlighted and
the updating
faulty a
components HAZOP and
operative
2015), however,
revalued, conditions
for example, thisor may
when significant
process incidents
requireupdates,being change occur.in The
continuously the possible abnormal scenarios.
the analysis
operative
Seveso conditions
Directive suggestsor significant
some incidentschange
well-known occur.in The
methods for the possiblewhere were highlighted
abnormal scenarios. the faulty components and
revalued, for example, when process updates,
operative conditions or significant incidents occur. The the possible the The use of Petri Nets has proven to be efficient and powerful
Seveso Directive
Risk Identification suggests
and or Analysis some well-known methods for The use of abnormal
Petri Nets scenarios.
has proven to be efficient and powerful
operative
Seveso conditions
Directive suggests someof well-known
significant complex
incidents industrial
occur.plants,
methods The
for when it comes to modelling
The use of Petri Nets has proven distributed dynamic
to be efficient andsystem.
powerful In
Risk
i.e. Identification
FMEA
Seveso and
(Failuresuggests
Directive Mode Analysis
and of
Effect
some complex
Analysis)
well-known industrial
and
methods plants,
HAZOP for this when it comes to modelling distributed dynamic system. In
Risk
i.e. Identification
FMEA (Failure and
Mode Analysis
and of
Effect complex
Analysis) industrial
and plants,
HAZOP The context,
whenuse it of Arena
PetritoNets
comes et al. (2014)
has proven
modelling developed
to be efficient
distributed an
dynamicinnovative
andsystem. tool
powerful In
(HAZard
RiskFMEA and
IdentificationOPerability
and Analysis).
Analysis The
of complex latter isand
a structured
industrial plants, when this
based context,
itoncomesArena
CPNs et al.
totomodelling (2014) developed an innovative tool
i.e.
(HAZard and(Failure Mode
OPerability and Effect
Analysis). Analysis)
The latter is a HAZOP
structured this context, Arena etmodel and
al. (2014) simulate dynamic
distributed
developed the
an propagation
system.tool
innovative of
In
technique
i.e. FMEAand
(HAZard used
(Failureto Mode
OPerabilityexecute andaEffect
Analysis). systematic
Analysis)
The latterexamination
isand
a HAZOP
structured of based failures
this onthrough
context,CPNs
Arena a tosection
model
et al. of and
a
(2014) simulateplant.
chemical
developed the
an propagation
As a result,
innovative of
the
tool
technique used to execute a systematic examination of based on CPNs to model and simulate the propagation of
process
(HAZardrisks
technique and inOPerability
used major hazard
to execute plants
Analysis). (Rausand,
The latter
a systematic 2013).
is a structured
examination of failures
based
failures onthrough
simulation CPNs
throughof aato section
the ofand
system
model
section
a chemical
simulateplant.
behaviour
of a chemical
As a result,
theprovided
plant. propagation
As a result,
the
someof
the
process
technique risks in
used major
to hazard
execute plants
a (Rausand,
systematic 2013).
examination of simulation of the system behaviour provided some
process risks in major hazard plants (Rausand, 2013). indications
failures
simulation that
throughof could
a the be
section translated
of
system a chemical– through
behaviour plant. aAsVBAa
provided (Visual
result, the
some
One of the
process risksfirst attempt
in major to create
hazard plantsan automatic2013).
(Rausand, HAZOP was indications that could be translated – through a VBA (Visual
HAZOP was indications Basic for Applications)
simulation of could
that the be macro
system – into
translated a HAZOP-like
behaviour provided report.
some
One of the
“HAZOPExpert” first attempt to create an automatic
One of the first attempt to create an automatic HAZOP wase indications
developed by Vaidhyanathan Basic for Applications) macro – into–athrough
HAZOP-likea VBA (Visual
report.
“HAZOPExpert”
Venkatasubramanian developed
(1996). This by Vaidhyanathan e Basic for that could
Applications) be translated
macro – into – athrough
HAZOP-likea VBA (Visual
report.
One of the first attempt
“HAZOPExpert” to create
developed by software,
an automatic thanks towasea In this work, the number and the types of modelled
HAZOP
Vaidhyanathan Basic for work,
Applications) macro –and into the
a HAZOP-like
Venkatasubramanian
graphic interface, avails (1996).
HAZOP Thisteam software, createthanks
toVaidhyanathan pipingto a In this the number types of report. modelled
“HAZOPExpert”
Venkatasubramanian developed
(1996). Thisby software, thanks toandea components
In this work,have the been number extended,
and thethus, typesincreasing
of modelled the
graphic
instrument interface,
diagrams
Venkatasubramanian availsand HAZOP
(1996). to automateteam
Thisteam to
some
software, create piping
aspects
thanks and
oftoand
thea In components have been extended, thus, increasing the
graphic interface, avails HAZOP to create piping complexity of
this work,have
components the chemical
the been number process which
and thethus,
extended, is under analysis.
typesincreasing
of modelled the
instrument
routine of diagrams
the analysis. and to automate
Eizenberg et al.some aspects of the complexity of the chemical process which is under analysis.
graphic
instrument interface,
diagrams availsandHAZOP to automateteam to (2006)
some create
aspectsrealized
piping theaa components
of and complexity of have the chemicalbeen process
extended, which thus, increasing
is under analysis.the
routine of the analysis. Eizenberg et al. (2006) realized
significant
instrument study,
diagrams integrating
andEizenberg dynamic
to automate some simulation
aspects the The document
ofwith is chemical
structuredprocessas follows,
whichin Section 2 a brief
routine of the
significant analysis.
study, integrating et al.
dynamic (2006)
simulation realizedwithaa complexity
The document
description
of the
of is structured
the HAZOP as follows,
analysis is inisSection
under analysis.
introduced 2 a brief
HAZOP
routine
significant analysis,
of the study, with
analysis. the
integratingaid of
Eizenberg MATLAB®.
et al. (2006)
dynamic They
simulation created
realizedwith The document
description of is structured
the HAZOP as follows,
analysis is in Sectionto2 give
introduced
to an
a brief
give an
HAZOP
dynamic
significant analysis,
model of
study, with
a the
semi-batch
integratingaid of MATLAB®.
reactor
dynamic with They
Polymath,
simulation createdthen
with a overview
The document of isthe methodology.
structured as follows, Section
in 3
Section describes
2 a brief
HAZOP analysis, with the aid of MATLAB®. They created a description overview
of the HAZOP analysis is introduced to give an
of the methodology. Section 3 describes
dynamic model of a semi-batch reactor with Polymath, then
they
HAZOP
dynamicexport it of
analysis,
model inwith
aMATLABthe aid oftranslating
semi-batch MATLAB®.
reactor withthePolymath,
Theymodel thena synthetically
in
created overview ofColoured
description
synthetically
thetheHAZOP
Coloured
Petri analysis
Net modelling
methodology.
Petri deepening.
Net modelling
isSectionlanguage
introduced
language
and
givegive
3 todescribes
and
an
give
they export
function
dynamic to it of
in aMATLAB
simulate
model the behaviour
semi-batch translating
of
reactor the thePolymath,
system
with model
to in
changing
then a some overviewreferences
synthetically of for
the
Coloured further
methodology.
Petri Net modelling In Section
Section 3
language 4, the
and case
describes
give
they export it in MATLAB translating the model in a some references for further deepening. In Section 4, the case
function
conditions
they to (e.g.
export simulate
it in the behaviour
reactor
MATLAB temperature, of the
translating system
liquid theflow to and
modelchanging
rate)a study
in some of theColoured
synthetically
references chemical
for further plant
Petri Netismodelling
deepening. described with 4,the
language
In Section and CPN
give
the CPN
case
function to simulate the behaviour of the system to changing study of the chemical plant isoutcomes
described withthe the
conditions
with a useful
function (e.g. reactor
GUIreactor
to (e.g.
simulate (Graphical temperature,
the behaviour User of liquid
Interface).
the systemflow and
Thetosimulation rate)
changing proposed
some references
study of model.
the chemical Simulation
for further deepening.
plant is described and
In Section
with 4,the related
the CPN
case
conditions
with temperature, liquid flow and rate) proposed model. Simulation outcomes Finally,and theSection related5
helpsaatouseful
conditions
with useful
GUI (Graphical
understand
(e.g.
GUI the limit
reactor
(Graphical
User Interface).
values
temperature,
User and liquid
Interface).
The simulation
the safety
flow
The for performance
rangerate)
and
simulation study
proposed of the analysis
model.chemical areplant
Simulation also isreported.
describedand
outcomes withthetherelated
CPN
helps to understand the performance analysis are also reported. Finally, Sectionand5
every parameter
with ato
helps useful GUI
understand with thelimit
(Graphical aid of values
graphs
User
and and
Interface).
thetables
safety
Theand
range for contains
so they
simulation proposed some model. conclusions
Simulation around the method
outcomes and strengths
theSection
related
every parameter withthe thelimit
aid of values
graphs and and thetables
safety and range for contains
so they performance
weaknesses,
performance
some analysis
conclusions
together
analysis
are also
with
are an around reported.
insight
also
the
on
reported.
Finally,
method
future strengths
developments.
Finally, Section
and5
helps
every to understand
parameter withthe thelimit
aid of values
graphs and and thetables
safety and range for weaknesses,
so they contains some conclusions around the method
together with an insight on future developments. strengths and5
every parameter with the aid of graphs and tables and so they contains weaknesses, some conclusions
together with anaround
insightthe on method strengths and
future developments.
2405-8963 © 2018,
Copyright IFAC (International Federation of Automatic Control)
2018 IFAC weaknesses,
958Hosting together
by Elsevier Ltd. with an insight
All rights reserved. on future developments.
Peer review©under
Copyright 2018 responsibility
IFAC of International Federation of Automatic
958Control.
Copyright © 2018 IFAC
10.1016/j.ifacol.2018.08.487 958
Copyright © 2018 IFAC 958
IFAC INCOM 2018
940
Bergamo, Italy, June 11-13, 2018 D. Arena et al. / IFAC PapersOnLine 51-11 (2018) 939–944

2. HAZOP METHODOLOGY Petri net, which represents an occurrence of an event, may

Hazard and Operability (HAZOP) study (see an example on
Figure 1) is one of the most used methodologies for hazard
identification, useful in the design phase – as well as in
operational phase – for analysing process hazards. A
multidisciplinary team of experts (process engineer, safety
responsible, maintenance expert, etc.) applies a set of
guidewords on the process sections analysis of complex
industrial systems to identify causes and consequences of
behaviour deviations from reference parameters by
leveraging structured brainstorming sessions (Rausand,
2013), knowledge of the industrial plant and – certainly –
experience. This includes not only risks, but also operative
problems (usually 80% of the advices are about problems
caused by internal operations in on-design conditions).
fire if it is enabled, so if there are sufficient tokens in all of its
input places; when the transition fires, it consumes the
required input tokens and creates tokens in its output places.
According to its formal definition, a non-hierarchical CPN-
based model is a nine-tuple CPN {, P, T, A, N, C, G, E, I}
satisfying the following requirements: i) Σ is a finite set of
non-empty types, called colour sets; ii) P is a finite set of
places; iii) T is a finite set of transitions; iv) A is a finite set
of arcs such that ; v) N is a
node function; vi) C is a colour function; vii) G is a guard
function; viii) E is an arc function; ix) I is an initialization
function. Further details on CPN can be found in (Jensen et
al., 2007; Jensen, 2013).
4. CASE STUDY: HAZOP ASSESSMENT OF A
CHEMICAL PLANT

4.1 Plant description

This plant is based on the “Giammarco Vetrocoke” process

(Tomasi, 1992) of CO2 extraction, which absorbs the gas
using a water solution of K2CO3, called “GV Solution”. This
solution absorbs CO2 from the shale gas, made of methane,
sulphide and other gases with a reaction that transforms
K2CO3 in KHCO3.
The plant consists of several sections and so-called nodes
Figure 1 HAZOP Example (Shooks et al., 2014) (drawn with different colours), as shown in Figure 2.
The skillset of the team leader is an important factor affecting
the analysis duration, because his experience can reduce
irrelevant discussions and can improve the organization of
time and sessions, resulting in brief and cheaper analysis
(Nolan, 2014). Usually it is used for the risk assessment in
chemical and petrochemical plants, however, it’s really time-
consuming (Khan and Abbasi, 1997) and requires significant
human and economic resources. In this regard the aim of the
research presented by Arena et al. (2014) was to develop a
CPN-based innovative tool to overcome the limits of a
traditional HAZOP analysis. In that paper, the failure model
of one section of a chemical plant was implemented showing
the feasibility of such an approach. In this paper, instead,
different types of components have been modelled, hence,
allowing to generate the model of an entire plant, saving a lot
of time during the analysis as shown in Section 4.

3. COLOURED PETRI NET MODELLING LANGUAGE

Coloured Petri Net (CPN) is a graphical and mathematical
modelling language for the description of distributed
dynamics system (Jensen et al., 2007). It offers a graphical
notation for the description of processes thanks to its directed
bipartite graph made of arcs, places and transitions.
Arcs are links between a place and a transition or vice versa,
never between places or between transitions. Places in a Petri
net can contain a discrete number of marks called tokens.
Any distribution of tokens over the places will represent a
configuration of the net called a marking. A transition of a
Figure 2 Extract of nodes partition of the plants
The mapping between the components analysed in this work
and the related process variables is presented in Table 1. As
far as the type of components already analysed and modelled
in (Arena et al., 2015) are concerned, minor modifications
have been applied and described below. Here, we introduce
the analysis of three more components, namely, a reactor, a
heat exchanger, and a filter, thus, increasing the overall
complexity of the case study and computational effort needed

959
 IFAC INCOM 2018
Bergamo, Italy, June 11-13, 2018 D. Arena et al. / IFAC PapersOnLine 51-11 (2018) 939–944 941

to simulate the behaviour and compute the state space
analysis of the systems. Moreover, the introduction of new
components – although taking into account the same process
variables analysed in the initial work- paves the way towards
the generalization of the presented modelling and analytics
approach.
Table 1. Modelled components vs process variables
Process Variables
the behavioural response of the system in both directions. In
particular, the modelling choice done here allows the
exploration of two positive and two negative steps: Very Low
(VL), Low (L), High (H), and Very High (VH).
To define the state of some components, such as valves and
pumps, other colorsets were created:
 colset PSTATE= with W|F; (*Working, Failed*)
 colset VSTATE= with C|FO|FC; (*Controlled,
FailOpen, FailClose*)

Composition
Temperature  colset RSTATE= with S|NS. (*Product Standard,
Not Standard*)

Reaction
Components
Pressure

Level Places and the related transitions have the same colour. This
Flow

is in order to make the interpretation of the net easier. In

Table 2 there is a detailed list of different colors used in this
Reactor - Column X X X X X
model along with a description of their relation to the
Heat Exchanger HAZOP analysis.
X X X
(pipe and vessel)
Valve X Table 2. CPN colors meaning
Tank X X X X Relation to
Places Description
Pump X X HAZOP
Support a STRING colorset
Filter X X X
and contain internal and
Green Failure
external causes using a
Places Causes
textual token, which can start
4.2 Proposed modelling approach
a parameter deviation.
CPN is a general-purpose modelling language, thus, it does Support a UNIT colorset, so
not aim at modelling a specific class of systems but rather a Red the value of the token can be Failure
very broad class of systems that can be characterized as Places set only at “1” and they are Consequences
concurrent systems. The modelling assumptions – about CPN initialized empty.
primitives to be used while representing the industrial system
Contain a VAL token, set at
components, parameters, and flow – on which Arena et al. Process
built up the CPN-based behaviour model for risk assessment Grey “Normal” level
Parameter
of an industrial system just proved to be valid also for the Places (colset VAL = with
Deviations
study case presented in this work. Z|VL|L|N|H|VH).
Support a STRING colorset
Coloured Petri Nets preserve useful properties of Petri nets
and used to express the
and at the same time extend initial formalism to allow the Purple Failure
distinction between tokens so that they can have different consequences as a string
Places Consequences
data value attached to them. The different type of data value message to include in the
is called color or colorset; the default type of colorset are int, HAZOP assessment report.
string, time, bool, real and unit. CPN Tools Initialized empty, allow the
(http://cpntools.org/) is one of the most powerful software to Gold Failure
passage of a UNIT token
create, edit and simulate CPNs and thanks to Standard ML, a Places Consequences
with No-Flow information.
programming language, is possible to define other types of
colorset.
To represent the main variable used by most of the Each deviation starts in a component, then, it can propagate
components’ model we defined a colorset VAL, which is the through the components until it ends in the same or in
bearer of the information related to a parameter deviation: another component of the net, as shown in Figure 3. We can
distinguish Internal and External Causes and Consequences:
 colset VAL= with Z|VL|L|N|H|VH; (*Z= Zero, VL=
Very Low, L= Low, N= Normal, H= High, VH=  Internal Cause: every internal issue on a
Very High*) component that can cause one or more deviations
(e.g. accidental event);
It is useful to simulate the positive and negative variations of  External Cause: every deviation caused by the
a specific parameter (e.g. Temperature, Flow, Pressure, propagation of an issue from an upstream
Level, Reaction) from the Normal value in order to analyse component;

960
IFAC INCOM 2018
942
Bergamo, Italy, June 11-13, 2018 D. Arena et al. / IFAC PapersOnLine 51-11 (2018) 939–944
 Internal Consequence: every internal fault on a
component that is caused by a deviated process
variable;
 External Consequence: every consequence that is
propagated through downstream components; it can
become an external cause for a downstream
deviation.
Figure 3 Issues sequence through different components
In the next example (see Figure 5 at next page), which is
taken from the Reactor’s Model, the process variables are
Temperature, Pressure, and Reaction. The causes of an
increase of temperature, for example, are related with the
“High Outdoor temperature” and/or “Warmer Oil”; instead
the temperature decrease is caused by “Low outdoor
temperature” and/or “Colder Oil”.
An increase in the Reactor’s Pressure can be caused by
“Insufficient venting”, on the contrary, Pressure decrease is
caused by a generic “Loss of pressure” or by “Pressure loss
by foaming”.
There is a positive correlation between Temperature and
Pressure and also Temperature and Reaction, but every
variation in Pressure evolves with a decrease of the Reaction.
The transitions firing priorities play a crucial role while
simulating the CPN. Those parameters, in fact, affect the
behaviour of the components, hence, the sequence of steps
that substantially characterize the propagation of the faults
within the system model. This model provides for the use of
four priority levels, defined by a label and a numeric value:
the smallest the value the higher the priority.
 Normal priority (val P_NORMAL = 400) → used
with green transitions to fire all the transitions
containing internal and external causes. In the start
condition, these causes have all the same probability
of occurrence;
 High priority (P_HIGH = 100) → associated to red
transitions, it is the highest level of priority and it is
the first firing after a start event so that the
component state or the process variable level can
change immediately;
961
It is also associated with gold transitions, modelled
to simulate the No Flow conditions in every
component;
 Reset priority (300 < P_RESET < 399) → used with
grey transitions, it allows the net reset when some
specific conditions, or stop conditions, are reached.
Differently from Arena et al. (2015), in this paper
was not used only a reset priority, but were used
several in the range between 300 and 399, in
increasing order in each component, following the
substance flow;
 Medium priority (P_MED = 200) → used with
purple transitions, so it is associated with the firing
of the consequence transition.
When the net is in the start condition, it can evolve by firing a
random green transition; then a red one will be enabled and
all the red transitions bounded downstream will fire.
At the end of the red transitions flow, there will be a
consequent text message from a purple place. If the net
reaches a stop condition, for example, one of the variables
reaches VH or Z, the grey transitions will be enabled and the
net will be reset to the start condition (or initial net marking).
4.3 Simulation results
Once the CPN model has been created, it is possible to
extract data to build a HAZOP scheme useful in the next
steps for the HAZOP experts. After the simulation of failure
propagation in the modelled net in CPN Tools, it is possible
to extract raw data from a .txt file about its response to those
typical component failures. An example of the file is reported
in Figure 54.
1 Valve2_ExtOF
- vs = C
- ExtC = "Manually open valve"
- nvs = FO
2 Valve2_MoreFlowOut
- fout = N
3 Valve_ExtCF
- vs = C
- ExtC = "Manually closed valve"
- nvs = FC
4 Valve_ZF
- fout = N
- fin = N
Figure 4 Extraction of Raw data
 IFAC INCOM 2018
Bergamo, Italy, June 11-13, 2018
D. Arena et al. / IFAC PapersOnLine 51-11 (2018) 939–944 943

Figure 5 Example of the Reactor’s Model

This data has been, therefore, translated into a HAZOP-like previous case studies. According to the model introduced
report through an Excel VBA macro created to filter, remove Khan and Abbasi (1997), the variables identified as the most
duplicates, and rearrange the data, as shown in Table 3. impactful are:
 Size of the team;
Table 3 Example of final HAZOP in an Excel Spreadsheet
 Previous experience in the HAZOP team, especially
PARAMETER GUIDEWORD CAUSE CONSEQUENCE for the team leader;
Flow More Valve ExtC = "Manually open valve" Valve MoreFlowOut
Reactor MoreFlowIn  Assigned time for the study;
Valve2 IntC = "Locked-open valve" Valve2 MoreFlowOut
Valve IntC = "Locked-open valve" Valve MoreFlowOut
 Proper planning;
Reactor MoreFlowIn  Participation of team members;
Reactor MoreFlowOut
HeatExc MoreFlowIn  Availability of information.
HeatExc MoreFlowOut
HeatExc MoreTemp
In this study, the HAZOP analysis is divided based on a
By simulating the CPN-based model we could HeatExc2 explore all the 4-step procedure:
MoreFlowIn
HeatExc2 MoreTemp
possible causes and consequences of system’sHeatExc2 failures. For
MoreFlowOut  Selection of study team and research for the
instance, referring to Table 3, More Flow caused by the
Valve2 MoreFlowIn
preliminary information;
Valve2 ExtC = "Manually open valve" Valve2 MoreFlowOut
Valve ExtCmay
Locked-open ValveIntC result
= "Increase in gasin More Flow
inflow" Out of the
Valve MoreFlowIn  Brainstorming discussion;
Valve, More Flow In/Out in the Reactor or More Valve MoreFlowOut
Flow In/Out
Reactor MoreFlowIn  Discussion over unclear points;
in the Heat-Exchanger.
Flow Less Valve IntC = "Leakage" Valve LessFlowOut
 Report writing.
Reactor LessFlowIn
HeatExc IntC = "Loss from Heat Exchanger" HeatExc LessFlowIn The time to complete the HAZOP analysis of the case study
4.4 Performance analysis HeatExc LessFlowOut
HeatExc2 LessFlowIn estimated by using this mathematical model – excluding the
HeatExc2 LessTemp
There are many studies focused on creating a model
HeatExc2 LessFlowOut
to report writing – is about 18 hours. Then, the time to build and
estimate the duration of a HAZOP analysis. Most them are simulate a node was calculated in order to make a
ofLessTemp
HeatExc
Valve2 LessFlowIn
based on the verification of the precision of theValve2 mathematical
LessFlowOut comparison with the CPN Tools model. Here, we reasonably
model comparing the results with the timing regarding assume that every component is already modelled, as part of
Low flowof fuel to the engines

962
IFAC INCOM 2018
944
Bergamo, Italy, June 11-13, 2018 D. Arena et al. / IFAC PapersOnLine 51-11 (2018) 939–944
a set of libraries of CPN-based models for typical industrial
components. Thus, running an average of several trials for
each different node, we obtained the following evaluations:
 Assembly- about 3 minutes for each component;
 Causes and consequences check - about 2 minutes
per component (depending on the plant complexity);
 Simulation - about 1 second;
 Excel-based HAZOP report - about 2 minutes.
It was calculated an average time of 27 minutes to do a
HAZOP analysis of a node made of 5 components, as it was
done with the first node, which is a medium-high complexity
node in this plant. As an example:
T1 = NComp  (TAssembly + TCausesConsequences + TSimulation + TExcel)
= 5  (3+2+0.0167+2)=27.0167 min
Eventually, considering the six nodes with their complexity
(depending on the number of components), the average times
for each node are:
T1= 27 min; T2= 47 min; T3= 22 min;
T4= 32 min; T5= 12 min; T6= 12 min.
So the total time to have a complete analysis of this plant will
be around 152 min (about 2.5 h) instead of 18 h estimated
with the mathematical model for a traditional analysis. This
represents a reduction of about 86%.
5. CONCLUSIONS
The use of a PN to model and analyse fault propagations in
industrial plants has proven to be effective in literature. The
approach presented in a previous work has been here
extended. In particular, the model was extended by adding
new types of failure, components and components state, thus,
allowing the use of this method in a broader range of cases.
Leveraging one of the most accurate mathematical models for
HAZOP analysis time estimation, a reduction of about 86%
of the total time to complete the analysis of a medium
complexity case study using the proposed solution based on
CPN-HAZOP has been shown. In both new and traditional
approaches, the reporting phase was not considered. The
HAZOP study resulting from the translating macro, indeed,
does not represent the final step of the analysis but it surely is
a useful and quick guide for the team of experts
brainstorming phase.
Further research is required in order to extend the library with
more CPN-based component models, translate the
information into a more detailed user-friendly report, and to
integrate the so-called “safeguards” in the CPN model.
Eventually, next developments of this smart tool should also
include the introduction of stochastic data values in order to
better simulate the occurrence likelihood of the failure causes
and allow a semi-quantitative risk assessment.
963
REFERENCES
Arena, D.N., Kiritsis, D., Trapani, N. (2015). A Behaviour
Model for Risk Assessment of Complex Systems Based
on HAZOP and Coloured Petri Nets. In: Advances in
Production Management Systems: Innovative Production
Management Towards Sustainable Growth. IFIP
Advances in Information and Communication
Technology, 459, 573-581. ISBN: 978-3-319-22755-9,
ISSN: 1868-4238.
Eizenberg, S., Shacham, M., and Brauner, N. (2006).
Combining HAZOP with dynamic simulation —
Applications for safety education. Journal of Loss
Prevention in the Process Industries, 19 (6), 754-761.
Jensen, K., Kristensen, L.M., Wells, L. (2007). Coloured
Petri Nets and CPN Tools for Modelling and Validation
of Concurrent Systems. International Journal of
Software Tools for Technology Transfer, 9 (3-4), 213-
254.
Jensen, K. (2013). Coloured Petri nets: basic concepts,
analysis methods and practical use (Vol. 1). Springer
Science & Business Media.
Khan, F.I., and Abbasi, S.A. (1997). Mathematical model for
HAZOP study time estimation. Journal of Loss
Prevention in the Process Industries, 10 (4), 249-257.
Nolan, D.P. (2014) Safety and Security Review for the
Process Industries 4th Edition, Application of HAZOP,
PHA, What-IF and SVA Reviews, Gulf Professional
Publishing 2015.
Petrone, A., Scataglini, L., and Fabio, F. (2009). Process
Methodological relationship between RAM and QRA.
International Petroleum Technology Conference,
January 1.
Rausand, M. (2013). Risk Assessment: Theory, Methods, and
Applications. John Wiley & Sons.
Shooks, M., Johansson, B., Andersson, E., & Lööw, J.
(2014). Safety and Health in European Mining: A report
on safety and health, statistics, tools and laws, produced
for the I2Mine (Innovative Technologies and Concepts
for the Intelligent Deep Mine of the Future) project.
Spampinato, S., Martino, B., Chiacchio, F., Compagno, L.,
and D’Urso, D. (2015). An evolutionary decision support
system for the top event early detection. Safety and
Reliability of Complex Engineered Systems: ESREL
2015, 1717-1723.
Trapani, N., Macchi, M., Fumagalli, L. (2015). Risk Driven
Engineering of Prognostics and Health Management
Systems in Manufacturing. In: 15th IFAC Symposium on
Information Control Problems in Manufacturing —
INCOM 2015. 48, 995-1000, Ottawa, Canada, 11-13
May 2015.
Tomasi, L. (1992) Energy-Efficient CO2 Removal Process.
GV Low-Energy Process, Fertiliser News, 37(12), 25-31.
Vaidhyanathan, R., and Venkatasubramanian, V. (1996).
HAZOPExpert: an expert system for automating HAZOP
analysis. Reliability Engineering & System Safety, 53 (2),
185-203.
CPN Tools web page http://cpntools.org/ (last access on
November 14th, 2017)