Chemical Engineering Science 142 (2016) 62–78

Dynamic quantitative operational risk assessment of chemical processes

Hangzhou Wang, Faisal Khan*, Salim Ahmed, Syed Imtiaz
Safety and Risk Engineering Group, Faculty of Engineering and Applied Science, Memorial University, St. John's, NL A1B 3X5, Canada


• Probability of event occurrence is estimated by monitoring multiple key variables.
• Probability is continuously updated considering real-time disturbances in variables.
• Consequences are estimated by dynamic loss functions with multivariate.
• Operational performance is dynamically assessed by quantitative risk value.

Article info

Article history:
Received 5 March 2015
Received in revised form 27 October 2015
Accepted 23 November 2015
Available online 11 December 2015

Keywords:
Dynamical risk assessment
Dynamical loss functions
Probability updating
Multiple variables monitor
Operational performance

Abstract

This paper presents a novel dynamic quantitative risk assessment method to analyze the operational performance of chemical processes. Unlike traditional methods, the proposed method estimates the probability of undesirable event occurrence by monitoring multiple key variables in the process. This probability is continuously updated considering real-time disturbances in the variables. The consequences are estimated using dynamic loss functions developed considering multiple key state variables. As a result, the process' operational performance is assessed dynamically in the form of quantitative risk (dollar) value. The quantitative dynamic risk value helps to make swift operational decisions to maintain the process within the safer operating limits, thus preventing untoward incidents/accidents. To demonstrate the efficacy of the proposed methodology, it is tested on two case studies, a simple tank system and the benchmark Tennessee Eastman process.

© 2015 Elsevier Ltd. All rights reserved.

* Corresponding author. E-mail address: khan@mun.ca (F. Khan).

1. Introduction

An important shortcoming of the traditional process safety management (PSM) system is its isolation and lack of integration with the rest of the process operation (García Herrero et al., 2002). Process industries rely heavily on failure data to monitor performance. As a result, required improvements or changes are only identified after an incident has occurred (Khan et al., 2010). The United States Center for Chemical Process Safety (CCPS) suggests that: Facilities should monitor the real-time performance of management system activities rather than wait for accidents to happen. Such performance monitoring allows problems to be identified and corrective actions to be taken before a serious incident occurs (CCPS, 2007).

To monitor process safety performance in a timely way, process safety performance indicators are used to monitor and improve the safety of process plants. One of the most important and challenging issues for process safety is the early recognition of deterioration in safety performance caused by operation, maintenance, management, organization and safety culture factors before actual events and/or mishaps occur (Khan et al., 2010). This paper focuses on dynamic quantitative risk assessment and its integration with operational performance analysis, to assess the safety and quality of the process facility.

In order to achieve the highest levels of safety and quality, with the ultimate goal of fostering a zero-incident and zero-defect culture, the aim should be to eliminate the main sources of the losses, i.e. process deviations. For process facilities the causes of deviations may include process disturbances, feed variability, mechanical and operational integrity degradation, human errors, wrong setting and improper methods (Hashemi et al., 2014b). To analyze the impact of process deviations on safety, Hashemi et al. (Hashemi et al., 2014a) proposed the application of loss functions to safety analysis and compared their properties. The method was further extended by integrating both safety and quality losses associated with process deviations (Hashemi et al., 2014b).

The deviations are frequently caused by disturbances or measurement noises. In this paper we propose a dynamic quantitative risk assessment method, in which the probability of loss is updated over time using the measurements of multiple key variables. At the same time, multivariate key state variables from different units in the process are monitored to estimate the potential consequences in terms of loss (dollar value). Using probability and estimated loss, risk is assessed dynamically. The developed risk assessment method is used as a leading indicator of real time process performance, so that it can support real time operational decision-making.

This paper proceeds as follows. The existing methods for risk-based operational performance analysis are reviewed in Section 2. The proposed methodology is described in Section 3 followed by two case studies in Section 4. Finally, the discussions and conclusions are presented.

2. An overview of quantitative risk assessment

2.1. Probability assessment and updating

Combining loss models with the probabilities of process deviations provides a framework to develop a dynamic quantitative risk-based approach to process performance assessment. As risk includes both the probability of an end process state and its consequences, a risk-based approach reduces the potential for assigning an undue amount of resources to manage lower-risk events, thereby freeing up resources for tasks that address higher-risk events (CCPS, 2007; Khan et al., 2001).

Abnormal events of varying magnitudes result in incipient faults, near-misses, incidents, and accidents in chemical plants. Their detection and diagnosis have been active areas of research (Venkatasubramanian et al., 2003a, 2003b, 2003c). However, estimation of the failure probabilities of safety systems to predict these consequences (end-states) has received little attention in the chemical process industries (Meel and Seider, 2006). Quantitative risk assessment (QRA) is used as an approach to assess and manage safety of the process system. However, the conventional QRA methods are unable to update risk on a dynamic basis. Kalantarnia et al. (Kalantarnia et al., 2009) developed methods that use Bayesian theory to update the likelihood of event occurrence. Using the available accident precursor data, safety system failure likelihood and the event tree, the end-state probabilities were revised dynamically in these techniques. As reviewed by Meel et al. (Meel and Seider, 2008) and Kalantarnia et al. (Kalantarnia et al., 2009), there have been efforts to make risk assessment methods dynamically adaptable with real-time changes occurring in a process. Kalantarnia et al. (Kalantarnia et al., 2010) modeled the BP Texas City refinery accident using the Bayesian failure updating mechanism with consequence assessment. Khakzad et al. (Khakzad et al., 2012) developed a risk analysis method to update the probability of both causes and consequences in a dynamic environment; failure probabilities of primary events and safety barriers were constantly revised over time, and an updated bowtie was used to estimate the posterior probabilities of the consequences, which in turn results in an updated risk profile. Pariyani et al. (Pariyani et al., 2012a, 2012b) proposed a dynamic risk analysis methodology that uses alarm databases to improve process safety and product quality. The methodology consists of tracking abnormal events over an extended period of time. The event-tree and the set-theoretic formulations were used to compact the abnormal-event data, and Bayesian analyses were used to calculate the likelihood of the occurrence of incidents. Millions of abnormal events data were compacted to efficiently calculate probability with large alarm databases in real time. Zadakbar et al. (Zadakbar et al., 2012) proposed a methodology to calculate process risk in combination with a data based fault detection method; the approach is built upon principal component analysis (PCA) combined with a quantitative operational risk assessment model. They later proposed (Zadakbar et al., 2013) the methodology in which the Kalman filter has been combined with a risk assessment procedure to detect an abnormal event. Yu et al. (Yu et al., 2014) developed a self-organizing map based methodology that can deal with abnormal events in processes with nonlinear and non-Gaussian features.

Most of the above methods may be considered dynamic in estimating the probabilities of potential events; however, there are two issues that need to be addressed. (1) It is assumed that a univariate key process characteristic can be assigned to a system; (2) the probabilities are calculated mainly based on deviations of monitored state variable values or data of previously occurring abnormal events. In practice, typically there is more than one key variable associated with an abnormal end state. Regarding the second problem, the probability calculation based on measured data considers a single target state of the key variable. However, there may be multiple steady states (Wang et al., 2010a, 2010b, 2010c). Due to strong nonlinear characteristics in chemical processes measurement with disturbances there might be unstable conditions, bifurcations (Wang et al., 2008, 2012a, 2012b, 2011), even oscillatory phenomena (Wang et al., 2013, 2014b) near the singularity operating point (Wang et al., 2009, 2014a, 2012c) in processes.

In this paper, the probability and consequences are estimated considering multiple key variables. At the same time, the disturbances of manipulated variables are monitored dynamically to update the loss occurrence and its probability. The effects of process deviations on both losses and the probability of occurrence are considered to estimate the dynamic quantitative risk assessment (DQRA) for process performance analysis.

2.2. Consequence assessment

Quality management and the safety management system are related; they are two sides of the same coin (Krause, 1993). Deviations are unavoidable during process operations. The propagation of these deviations may result in lower quality as well as losses. In a processing facility, the ability to manage process safety, and at the same time to maintain product quality, is the main concern for its daily operation.

The benefits of integrating safety and quality management systems have been discussed in the literature (Dumas, 1987; García Herrero et al., 2002). While quality management methods aim to minimize the variability inherent in product quality, safety management procedures aim to minimize the chances of occurrence of incidents and accidents and their severity (Adams, 1995; Krause, 1993).

One of the most common methods to integrate safety and quality is to quantify the two elements. Loss functions are commonly used to quantify losses associated with deviations of process variables. Traditionally, losses are quantified either as squared error loss functions or weighted loss functions. Recent developments consider the use of inverted probability distribution to quantify losses.

Spiring (Spiring, 1993) used an inverted normal probability density loss function (INLF) to provide a more reasonable assessment of losses. Sun et al. (Sun et al., 1996) developed a modified INLF that provided a more moderate loss representation, and provided a method for fitting the modified INLF to reflect the user's actual loss. The result was a nonlinear least squares method for estimating the shape parameter of their modified INLF. And later, Leung et al. (Leung and Spiring, 2002, 2004) continued to develop the inverted Beta loss function (IBLF) and compared it to other types of loss functions. Hashemi et al. (Hashemi et al., 2014a) reviewed several different types of loss functions, and found the modified inverted normal loss function (MINLF) and the inverted Beta loss function (IBLF) were more adaptable to depict system safety losses associated with process variations. Most of these proposed loss functions are focused on a single variable system. In chemical processes, it is hard to describe any unit with a single variable; typically there are multiple variables associated with safety and quality losses.

Fig. 1. Dynamic quantitative risk assessment method.
[Flowchart. Recoverable box labels, in page order: Chemical process; Identify the key state variables of system; Construct the loss function for system; Measure all state values in real time; Predict the remaining times for key variables; Select the minimum remaining time scenario; Calculate the probability of the scenario; Calculate the loss of the scenario; Calculate the risk; Risk acceptable (Y/N); Trigger safety protection mechanism; Safety protection mechanism triggered; Turn off the safety protection mechanism; Activate emergency shutdown system.]

In this paper, multivariate loss functions are used to estimate operational losses in complex chemical processes. The potential consequences are scenario dependent, and these results are used to quantify dynamic risk.

3. The proposed methodology

Risk is assessed by combining the probability that the loss would happen and the potential loss due to an abnormal condition. The proposed methodology is shown in Fig. 1.

3.1. Probability assessment and updating

We propose a model to monitor multiple variables at the same time as the loss occurrence probabilities are updated.

3.1.1. Multivariate monitoring

Usually in chemical processes, when only one key variable is selected to calculate the probability, this variable is expected to be the most sensitive one in the system. Being most sensitive, it triggers an alarm earlier compared to other variables when the system encounters a disturbance. This simplification leads to two disadvantages: (1) when the selected variable is designed to operate in a very narrow range, there would be a flooding of alarms; (2) one variable alone may not be able to capture information about all disturbances and deviations. As a result, monitoring multiple variables is required to capture the real situation of a process and to take desired actions.

An incident/accident can take place when a variable exceeds its upper or lower boundary. Fig. 2 presents a set of monitored variables with their set points and upper and lower boundaries. Usually, the actual values are located between the lower boundary and upper boundary. At every moment, the variables can be located in this figure. Also we can predict the state of these key variables in the process system, and the predicted states can also be located in this figure.

Fig. 2. Schematic of multiple variables monitor; there are 12 example key variables being monitored.
[Radial plot with positions 1 to 12; legend: SetPointValue, UpperBoundary.]

To monitor multiple variables, we introduce the concept of remaining time. Remaining time is the time that one variable requires to reach the upper or lower boundary. The remaining time reflects the safety margin. If the remaining time is larger, there would be more time to respond to an abnormal event situation. As a result, the remaining time can represent the safety level.

For every important variable with boundaries, we calculate the remaining time. Among these remaining times of all key variables, the minimum remaining time can be used as the system's remaining time. For a strongly dependent system, one unit failure can stop the entire plant.

In Fig. 3, the abscissa is the calculated remaining time. The ordinate is the rate of progression of the disturbance for the variable. The remaining time is an estimated result based on values in the current scenario. The remaining time is calculated online and is a function of time. The probability is calculated using the remaining time. The boundary curve is the upper/lower threshold; if the estimated remaining time is on the left side of the boundary, that means the deviation is too large to take desired action to eliminate the danger and bring the system to normal. It may mean that an accident is unavoidable. When the point is on the right of the boundary curve and the left of the critical curve, it indicates that a desired emergency safety action is required to bring the system back to normal. When the result is on the right side of the critical curve, it means the disturbance or the deviation is acceptable because the control system and/or operator intervention can bring the system to normal. The t is an extra time for the operator to take action to bring the system to normal. The value is estimated. A larger t will give more action time, t is preferred to be a larger value.

In a complex process, we could calculate the remaining time for every selected key variable in real time.

3.1.2. Probability assessment and updating

As stated above, the potential of accident occurrence is measured in terms of remaining time, which can be used to formulate the probability functions to describe the accident occurrence. Among probability distribution functions, the exponential distribution best describes the time between events; it represents a process in which events occur continuously and independently at a constant rate. It is the continuous analog of the geometric distribution, and it has the key property of being memoryless. Because of these features of the exponential distribution, it is selected to formulate the function of accident occurrence probability.

The probability density function of remaining time t is described in Eq. (1) as follows:

e  t t Z 0
Pt; 1
0 t o0

In this formulation, t is the minimum remaining time of all monitored key variables of the process. is the reciprocal of expected value, describing minimum remaining time allowed in a process.

When remaining time t tr, the probability of accident occurrence probability is shown in Eq. (2).

Pt Z t r ; e  t dt e  tr 2

The formulation of occurrence probability reflects the characteristic of the process and at the same time it would not exceed 1. In this way, the probability could be updated with the calculated remaining time dynamically.

3.2. Consequence assessment

In this section, we introduce the loss functions to estimate the consequence of the process in an end process scenario. In a process, different types of units are monitored. Different inverted probability distribution functions are used to estimate the potential losses.

Fig. 3. Schematic of remaining time of a certain variable under disturbances, the black points describe the schematic of remaining time variations under acceptable disturbances, and the gray points describe the situation under in the end unacceptable disturbances.
[Plot; abscissa: Time, s; ordinate: Disturbance rate, %; curves labelled Boundary Curve and Critical Curve.]

Fig. 4. Inverted normal loss functions.
[Plot: Inverted Normal Loss Function; x-axis: Deviations from TargetValue (Max. Negative Deviation, TargetValue, Max. Positive Deviation); levels: Estimated Max. Loss1, Estimated Max. Loss2; legend: is small, is medium, is large.]

3.2.1. The modified inverted normal loss function

The univariate modified inverted normal loss function (MINLF) is formulated in Eq. (3) below.

1  y  2T
Ly EML 2
1e 2 3
1  e 2 2

here, y denotes the process variable, L(y) is the actual loss at y, T is the target value, EML is the estimated maximum loss, is the distance from the target to the point where the maximum loss EML first occurs, and is the shape parameter that needs to be determined from additional process historical information. Fig. 4 shows a typical MINLF.

In certain situations, there are multiple variables in one unit, and the multivariate loss function is to be used. The n-dimension, modified inverted normal loss function, is described in Eq. (4) as below.

P1
1 0
1  e  2YT YT
4
1 e

0 1 0 1
y1 T1
B C B T2 C X
B y2 C B C
B C; T B C; ij nn
@ A @A
yn Tn

In this formulation, yi, i = 1, 2, …, n, denotes the ith quality characteristic, L(Y) is the actual loss at Y, Ti, i = 1, 2, …, n, is the ith target value, EML is the estimated maximum loss, is the distance from the target to the point where the maximum loss EML first occurs, and is the vector of the shape parameter.

Particularly, the bivariate inverted normal loss function is formulated as below. This can be applied in a reactor unit for tightly coupled temperature and pressure in reaction, as shown in Eq. (5).

0  1
y1  T 1 2 y1  T 1 y2  T 2 y2  T 2 2
 2 U U
1 B 21  2 2 1 2 2 C
LY EML 2
@1  e 1 2
1e 2
5

here, , 1 , 2 are the shape parameters. A typical bivariate INLF is shown in Fig. 5.

3.2.2. The inverted Beta loss function

Based on the Beta probability distribution function, the inverted Beta loss function is described in Eq. (6).

1T 1
1T 1
Ly EML 1  T 1  T T y1  y T 6

In the formulation of IBLF, y denotes the quality characteristic, L(y) is the actual loss at y, T is the target value, EML is the estimated maximum loss, and are shape parameters and need to be determined from additional process historical information for IBLF. The in IBLF is represented by and T; the relationship between them is described in Eq. (7) below.

11  T
1 7
T

Fig. 6 shows the loss trajectories for different and values. The inverted Beta loss function can be applied to the asymmetrical situation where the rate of loss during positive deviations is different from that during negative deviations.

Fig. 5. Bivariate inverted normal loss functions.
[Surface plot: Bivariate Inverted Normal Loss Function; axes: Deviations from TargetValue1, Deviations from TargetValue2; loss levels: Estimated Max. Loss1 to Estimated Max. Loss4.]

Fig. 6. Inverted Beta loss functions.
[Plot: Inverted Beta Loss Function; x-axis: Deviations from TargetValue (Max. Negative Deviation, TargetValue, Max. Positive Deviation); level: Estimated Max. Loss; legend: =10, =4; = 7, =3; = 4, =2.]

3.2.3. The aggregated loss for a scenario

Using the loss functions, total loss of a scenario can be estimated. The losses are estimated continuously, with every state of deviation from the target value. The aggregated loss is the sum of all unit losses. In a process operation there are two types of unit loss: i) unit loss described by a single variable; ii) unit loss described by multiple variables. In the first type of loss calculation, single variable deviation from target is used to estimate the loss. In the second type of loss calculation, integration of maximum of different variables loss is used to estimate the loss.

After estimating every unit loss, the aggregated loss for a scenario can be calculated.

In a given process system, the key variables are denoted as Xt, m of these variables individually describe a unit, and the others are described as the n units left.

The loss function of system will be formulated as Eq. (8):

m X
LXt  Li xi t  Max Lj;k xj;k t  8
i1 j1
k A jtotal

In this formulation, t  denotes a certain moment during process operation, Xt  denotes all the variable values at that moment. Li xi t  represents the loss of a unit with only one monitored variable, and Lj;k xj;k t  represents the loss of a unit with k monitored variables.

4. Case studies

4.1. Tank system case study

This is a simple process to show the proposed concept. The loss can be estimated by loss functions and the probability would be calculated by function with the remaining time.

4.1.1. Flowchart of tank system

The flowchart of this process is shown in Fig. 7. In this process, the tank is fed in through the inlet flow, and the feed out pipeline is controlled by an automatic controller, which measures the level and adjusts the valve to change the outflow rate so that the level of the tank can be maintained at a set value. Usually for a typical process, when the inlet flow rate is in a reasonable range, the process would work properly as designed.

However, to ensure safety, more factors have to be considered, and more critical situations have to be considered to guarantee safety, lower system risk and prevent device damage. To design a safer process, a bypass pipeline is introduced; also a risk controller is implemented to assess risk and manage the risk. The safety layers of this process are shown in Fig. 8.

In a normal situation, only the outlet pipeline controller plays a role to maintain the level of the tank. The risk controller measures all state values and calculates the potential risk of the system. If the risk increases to a certain level, the safety layer utility would be triggered to lower the risk. In this system, the first triggered mechanism is the bypass pipeline valve. When the level of the tank keeps increasing, even if the outlet flow rate reaches its maximum value, the bypass would be turned on to reduce the inlet flow rate. Usually this will work to successfully decrease the feed volume into the tank so that the level can be maintained at the set value. After a while, when the risk decreased to a certain level, the bypass would be turned off. The system is controlled by the outlet controller. Due to the finite volume of the buffer tank this buffer can only function during a limited time. If the inlet flow rate increases rapidly, even if the bypass pipeline cannot prevent the increase of level, in this situation, the risk controller would
capture these features, and calculate the risk of overflow. If the risks continue to increase, the risk controller calculates the risk in real time, and when the risk increases to a certain value, the final emergency shutdown system will be activated. The inlet pipeline valve would be turned off so that there would be no volume of feed at all. The system would shut down before the system actually faces the danger.

Fig. 7. Flowchart of tank system.
[Diagram labels: Risk Management; Original Feed In; Feed In; Fio; K; ES; Fi; Height Level; Tank; Feed Out; K; Fo.]

Fig. 8. Tank system with safety layer barriers.
[Diagram labels: Emergency shutdown system; Bypass system; Control system; Tank system; Investment; Maintenance; EML1; EML2.]

4.1.2. Model of tank system

In this tank, the level of the tank can be described by the dynamic system model in Eq. (9):

$$\frac{dH}{dt} = \frac{1}{A}\left(F_i - F_o\right)$$
$$F_o(t+1) = F_o(t) + K\left(H - H_{set}\right) \qquad (9)$$
$$H(t_0) = H_0$$

In this tank, the level of the tank is the key variable of the process; it is monitored by the risk management system, and the inlet flow rate is the manipulated variable, which is measured constantly, and the value is used to predict the remaining time.

The normal operation values are listed in Table 1. In this process, the maximum bypass rate is 50% of the total original inflow feed, the maximum outlet flow rate Fo is set to 0.1 m³/s, the maximum original inlet flow rate is 0.2 m³/s, and we assume disturbance is D; it is a percent, from 1% to 50%. In this tank the controller gain of K is 0.1 m²/s; this controller adjusts the flowrate of feed out.

The loss function of the tank process is as follows. We use the modified inverted normal loss function. In the process the overflow is the accident, so the right half space (level height above the
set value) is considered. The loss function is shown in Eq. (10).

8  2
> 1
 h  0:5
; by pass pipeline not open
> EML by pass 1 e 2 2
1  e 2 2
>  h  0:5
2
> 1
1  e 2 2 ; by pass pipeline open
: EMLemergency
> 2
1e 2 2
10

As we have analyzed, there are two situations, when the bypass is turned on and the emergency system activated. In these two situations, the maximum estimated losses (EML) were judged here as EMLby pass = $1000 and EMLemergency = $10,000, respectively. The shape parameter 1.4, the distance 0.3 m. When bypass pipeline is not open, the curve of loss function is shown in Fig. 9. When bypass pipeline is open, the curve of loss function is similar except the EML increased to $10,000.

Table 1
Parameters in the tank model.

Parameter    Value        Unit
A            10.0         m²
H            1.0          m
Hset         0.5          m
D            0–50         %
Fio          0.05(1+D)    m³/s
Fi           0–Fio        m³/s
Fo           0–0.1        m³/s

Fig. 9. Potential loss of tank process in operation.
[Plot: Loss Function; x-axis: Level height of tank, (m); y-axis: Estimated losses, ($).]

The probability density function is a function of remaining time; the detail is shown in Eq. (11):

$$P(t) = \begin{cases} 0.01\,e^{-0.01t}, & t \ge 0 \\ 0, & t < 0 \end{cases} \qquad (11)$$

here we assume the expected remaining time is 100 s, as a result, the value of is 0.01 s⁻¹. The estimated loss of the tank process is shown in Fig. 9.

4.1.3. Scenario 1: normal operation

The normal operation values are listed in Table 1; we can see here the disturbance is assumed to be 0–50% of the inlet flow rate. When given the value Fio = 0.05 m³/s, with disturbance, the maximum actual feedstock of inlet is 0.075 m³/s, which is smaller than the maximum outlet flow rate (Fo = 0.1 m³/s), and this means the controller will handle all disturbances without triggering the bypass pipeline. The outlet flow rate started at 0.05 m³/s; after that the outlet flow rate value is determined by the controller.

In a normal operating situation, the disturbances varied all the time. When the disturbance is simulated randomly for 0–50%, the estimated loss is estimated by the value of the height level in the tank process, and it changes with time.

When the current value of tank level height is lower than the set point, the estimated loss is zero in Fig. 10.

Fig. 10. Estimated loss change with time.
[Plot; x-axis: Time, (s); y-axis: Estimated loss, ($).]

With the defined risk function, we could update the probability of occurrence in real time. The calculated results are shown in Fig. 11 below.

Fig. 11. Probability of overflow changes with time.
[Plot; x-axis: Time, (s).]

Together with the estimated dynamic loss and continuously updating probability, we can calculate the dynamic risk in the tank process, and the result is shown in Fig. 12.

We can see that the dynamic risk value changed accordingly with time. In Fig. 12, initial risk was zero, which means, at this moment, the outlet flow rate is larger than inlet, or the level is under the set point. In these situations the corresponding risk values were zero.

In a normal situation, the control system in the tank process can deal with the disturbance well, and the dynamic risk is low. With continuously increased flow rate, the situation changes gradually.
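The remaining-time and probability-updating steps of Section 3.1, applied to the tank parameters of Section 4.1, as an added example that is not the authors' code. It assumes linear extrapolation of each variable at its current rate and an occurrence probability of exp(-t/100 s), which reproduces the 15 s and 0.86 pair quoted for the emergency shutdown; `MonitoredVariable`, `tank_level`, `assess` and the temperature variable are hypothetical names and constructed values.

```python
import math
from dataclasses import dataclass

# Expected remaining time assumed in the tank case study: 100 s,
# i.e. a rate of 0.01 per second in the exponential model.
EXPECTED_REMAINING_TIME_S = 100.0
# The case study closes the inlet valve when less than 15 s remain.
SHUTDOWN_REMAINING_TIME_S = 15.0


@dataclass
class MonitoredVariable:
    name: str
    value: float   # current measurement
    lower: float   # lower boundary (-inf if only the upper one matters)
    upper: float   # upper boundary (+inf if only the lower one matters)
    rate: float    # current rate of change, value units per second


def remaining_time(var):
    """Seconds until `var` reaches a boundary if its current rate persists.

    Linear extrapolation is an assumption of this example; for the tank it
    is A(H - H(t)) divided by the net inflow.
    """
    if var.value >= var.upper or var.value <= var.lower:
        return 0.0                      # already at or past a boundary
    if var.rate > 0:
        return (var.upper - var.value) / var.rate
    if var.rate < 0:
        return (var.value - var.lower) / -var.rate
    return math.inf                     # not moving: no finite remaining time


def minimum_remaining_time(variables):
    """Return (seconds, name) for the variable closest to a boundary."""
    return min(((remaining_time(v), v.name) for v in variables),
               default=(math.inf, None))


def occurrence_probability(t_remaining, expected=EXPECTED_REMAINING_TIME_S):
    """Exponential model: the probability rises as the remaining time shrinks."""
    return math.exp(-t_remaining / expected)


def tank_level(level, inflow, outflow, area=10.0, height=1.0):
    """Tank level as a monitored variable; overflow is the only accident."""
    return MonitoredVariable("tank level", level, -math.inf, height,
                             (inflow - outflow) / area)


def assess(variables):
    """Pick the minimum-remaining-time scenario and update its probability."""
    t_min, name = minimum_remaining_time(variables)
    probability = occurrence_probability(t_min)
    threshold = occurrence_probability(SHUTDOWN_REMAINING_TIME_S)
    return {"variable": name, "remaining_s": t_min,
            "probability": probability, "shutdown": probability > threshold}


if __name__ == "__main__":
    # Tank cases use a 50 % disturbance and the 0.1 m3/s maximum outlet flow.
    # The temperature variable is constructed to show the multivariate minimum.
    temperature = MonitoredVariable("temperature (constructed)",
                                    350.0, 300.0, 400.0, 0.5)
    cases = [("scenario 1", 0.7, 0.075),
             ("scenario 2", 0.7, 0.15),
             ("scenario 3", 0.8, 0.30)]
    for label, level, inflow in cases:
        print(label, assess([tank_level(level, inflow, 0.1), temperature]))
```

In the first case the tank level is not rising, so the constructed temperature variable sets the system's remaining time; in the third the tank level falls below the 15 s limit and the shutdown flag is raised.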

Fig. 12. Dynamic risk of tank process change with time.
[Plot; x-axis: Time, (s); y-axis: Risk, ($).]

Table 2
Parameters in the tank model.

Parameter    Value        Unit
A            10.0         m²
H            1.0          m
Hset         0.5          m
D            0–50         %
Fio          0.1(1+D)     m³/s
Fi           0–Fio        m³/s
Fo           0–0.1        m³/s

4.1.4. Scenario 2: bypass pipeline open

The bypass pipeline system was implemented in the tank system to prevent the rapid increase of the level in the tank process. First of all, we can estimate the boundary of this situation. The minimum remaining time can be estimated by Eq. (12).

$$t_{remained} = \frac{A\left(H - H(t)\right)}{F_i(1+D) - F_o} \ge \frac{A\left(H - H(t)_{max}\right)}{F_i(1+D_{max}) - F_o} \qquad (12)$$

After calculating, we find the minimum remaining time is 60 s, when H(t)max = 0.7H and Dmax = 0.5. With this result, we can set

results of the real time risk assessment were shown in Fig. 13(b). This is a safety mechanism, which makes the extra inlet flow turn back in the bypass pipeline. As a result, the stress would reduce a lot when the risk management system detected a trend indicating the tank would overflow. Here the bypass pipeline safety utility plays a role to stop the level from increasing too quickly. This is controlled by the risk management system; with a predicted value, the bypass pipeline was controlled to decrease the risk in the system.

The dynamic risk in this situation was shown in Fig. 13(c). Compared to the dynamic risk in a normal situation (Fig. 12) the dynamic risk in the current situation increased significantly.

When the inlet flow rate changed continuously, with an ever increasing inlet flow rate, the bypass pipeline safety feature would not be able to prevent the overflow. In this situation, the emergency shutdown system would be activated to lower the risk of an emergency situation.

4.1.5. Scenario 3: emergency shutdown

As we continue to increase the inlet flow rate to 0.2 m³/s, because this flow rate is very large, in spite of the activated bypass pipeline, the level still goes up, and there would be the possibility of overflow. The ranges of variables are listed in Table 3.

The estimated minimum remaining time is formulated in Eq. (13) as follows:

$$t_{remained} = \frac{A\left(H - H(t)\right)}{F_i(1+D) - F_o} \ge \frac{A\left(H - H(t)_{max}\right)}{F_i(1+D_{max}) - F_o} \qquad (13)$$

In this situation, the minimum remaining time t = 15 s, when H(t)max = 0.7H and Dmax = 0.5. The corresponding occurrence probability, Ps = 0.86.

Here, when the remaining time is less than 15 s, we turn off the valve of the inlet pipeline as an emergency shutdown strategy. However, if the risk management system detects the probability value is larger than Ps, the emergency shutdown system would be triggered, and the inlet flow would be stopped immediately. However, the outlet flow continued at 0.05 m³/s.

In this situation, the estimated loss was shown in Fig. 14(a). We see that when the bypass pipeline was opened, the estimated loss increased greatly. Also we can see the real time varied risk in Fig. 14(b). Compared to Fig. 13(b) and Fig. 11, the average risk value increased a lot, and the risk increased gradually in this situation. After about 50 seconds, the risk reached the shutdown value,
the lower boundary. If the risk management system predicts that Ps0.86, the system shut down as an emergency situation, and
the tank process system will not eliminate the potential risk after that the risk decreased gradually. Finally the risk was elimi-
within 60 s, the safety utility will be turned on; that is, the bypass nated after the system shut down. Adding estimated loss and its
valve would be opened so that the extra volume can return to probability, we could calculate the dynamic risk in the tank pro-
lower the risk. This situation occurred when the inlet ow rate cess, and the result was shown in Fig. 14(c).
continuously increased to a low rate of 0.1 m3/s, and the ranges of As stated above, in this simple tank process, we implemented
variables are as listed in Table 2. With disturbance, the inlet ow the method to determine process dynamic risk. The risk consisted
rate will always be larger than the maximum outlet ow rate. As a of loss and probability; the former was calculated by loss function
result, there would be some situations when the predicted at all times, the latter updated with the predicted remaining time.
remaining time is smaller than 60 s and the bypass pipeline valve With continuously updated loss and probability, we calculate the
will open automatically. Then, as assumed, half of the inlet ow dynamic risk in the tank process operation.
will ow into the bypass to eliminate the level increasing speed. In this case, only one key variable, the tank level, was mon-
The outlet ow rate started at the value of 0.05 m3/s, and then the itored, and only one manipulated variable, the inlet ow rate, were
value was determined by controller. measured dynamically. In the next section, multiple key variables
The disturbances were random, as the expected maximum and manipulated variables were involved to demonstrate the
disturbance was less than 50%. The estimated loss with time is effectiveness of the proposed method.
shown in Fig. 13(a). With an increasing inlet ow rate, the esti-
mated loss increases accordingly. When the bypass pipeline was 4.2. Tennessee Eastman process case study
opened, the estimated maximum loss in the loss function changed
from $1000 to $10,000. Consequently, the estimated loss value In this section, the effectiveness of the proposed dynamic
increased greatly. Also we can calculate the potential risk. The quantitative risk assessment method was veried by further
testing on the Tennessee Eastman chemical process. In this process, multiple state variables were monitored to estimate potential losses and also disturbances to multiple manipulated variables were measured to update the probabilities.

Fig. 13. Estimated losses, probability and risk change with time (a) estimated loss, these very high values appear at the opened bypass. At this moment, the estimated maximum loss is 10 times more than it is when closed (b) probability of overflow (c) risk of tank process. (Axes: Estimated loss, $, and Risk, $, versus Time, s.)

Table 3
Parameters in the tank model.

| Parameter | Value | Unit |
|---|---|---|
| A | 10.0 | m² |
| H | 1.0 | m |
| Hset | 0.5 | m |
| D | 0–50 | % |
| Fio | 0.2(1 + D) | m³/s |
| Fi | 0–Fio | m³/s |
| Fo | 0–0.1 | m³/s |

4.2.1. Flowchart of Tennessee Eastman process
There are five major operation units in the Tennessee Eastman chemical process: a reactor, a product condenser, a vapor–liquid separator, a recycle compressor, and a product stripper (Downs and Vogel, 1993). The flowchart of the Tennessee Eastman process is shown as Fig. 15 (Downs and Vogel, 1993).

4.2.2. Model of Tennessee Eastman process
The process produces two products (G and H) and one byproduct (F) from four reactants (A, C, D, E). These reactions are described in Eq. (14).

\[
\begin{aligned}
\mathrm{A(g)} + \mathrm{C(g)} + \mathrm{D(g)} &\rightarrow \mathrm{G(l)} \\
\mathrm{A(g)} + \mathrm{C(g)} + \mathrm{E(g)} &\rightarrow \mathrm{H(l)} \\
\mathrm{A(g)} + \mathrm{E(g)} &\rightarrow \mathrm{F(l)} \\
3\,\mathrm{D(g)} &\rightarrow 2\,\mathrm{F(l)}
\end{aligned} \tag{14}
\]

Three gaseous reactants are fed to the reactor, where catalyzed chemical reactions occur to form liquid products. The product stream exits the reactor as vapor and is condensed at the condenser. Subsequently, the product stream from the condenser passes through the vapor–liquid separator where the condensed product and the non-condensed product are separated. The non-condensed product stream is then recycled back to the reactor feed through a centrifugal compressor. Meanwhile, the undesirable by-products and inert reactants are purged from the process as vapor. Finally, the condensed product stream moves further into the stripper to be stripped with stream 4 to remove the residual reactants. The final product stream exits from the base of the stripper and is pumped to the downstream section for further refinement (Downs and Vogel, 1993).
Fig. 14. Disturbance, estimated losses, probability and risk change with time (a) Estimated losses (b) probabilities of overflow, the process shutdown at the 48th second (c) dynamic risk of tank process. (Axes: Estimated loss, $, and Risk, $, versus Time, s.)

The monitored variables of the Tennessee Eastman chemical process system are listed in Table 4.
In this process, we calculate the critical boundary use of 70% of the space for limitations, and the calculated results are shown in Table 5. These variables were monitored to estimate the dynamic potential losses in the process operation.
At the same time, there are 12 manipulated variables listed in Table 6 below. They were measured to track the influences of disturbances at all times.
In the dynamic model of the Tennessee Eastman process, 5 key state variables were selected to be monitored in the process from 3 units to construct the loss functions, and also disturbances to 12 manipulated variables were measured to determine the probability updating.
In this situation, unlike for the simple tank process, there were multivariable as manipulated input, which was shown in Table 6. As a result, the disturbances of the input would be a vector.

Loss function construction. The monitored key state variables reactor pressure and temperature were tightly coupled, so the bivariate modified inverted normal loss function was introduced to formulate the potential loss of the reactor unit. Also the loss of the reactor unit would be estimated by the inverted Beta loss function by the reactor level. In calculation, the maximum result would be selected to estimate the dynamic loss of the reactor.
The product separator unit and stripper loss were formulated by the inverted Beta loss function for the product separator level and stripper base level, respectively.
First, these target values of key state variables are listed in Table 7. The dynamic losses are formulated as follows.
Loss functions for the reactor unit.

0  1
P r  T P 2 Pr  T P Tr  TT T r  T T 2
1 B
21  2 2
r  2 U 1
r U 2
Lreactor_unit P r ; T r EMLreactor 2
@1  e 1 2
1 e  2

The loss function that was formulated to estimate reactor unit consequence by pressure and temperature is shown in Fig. 16.
Also the reactor unit loss can be estimated by the reactor level. The formula is in Eq. (16) below.

1  T L  r  1
 1  T Lr 1  r r
Lreactor_unit Lr EMLreactor 1  T Lr 1  T Lr T Lr L r 1  L r T Lr
Fig. 15. Flowchart of the Tennessee Eastman chemical process system (Downs and Vogel, 1993).

Table 4
Monitored variables of the Tennessee Eastman Chemical process system.

| Variable | Description | Variable | Description |
|---|---|---|---|
| X1 | A feed (stream 1) | X12 | Separator level |
| X2 | D feed (stream 2) | X13 | Separator pressure |
| X3 | E feed (stream 3) | X14 | Separator underflow (stream 10) |
| X4 | A and C feed (stream 4) | X15 | Stripper level |
| X5 | Recycle flow (stream 5) | X16 | Stripper pressure |
| X6 | Reactor feed rate (stream 6) | X17 | Stripper underflow (stream 11) |
| X7 | Reactor pressure | X18 | Stripper temperature |
| X8 | Reactor level | X19 | Stripper steam flow |
| X9 | Reactor temperature | X20 | Compressor work |
| X10 | Purge rate (stream 9) | X21 | Reactor cooling water outlet |
| X11 | Separator temperature | X22 | Separator cooling water outlet |

Table 5
The critical boundary for real time risk control.

| Process variable | Normal operating limits: low | Normal operating limits: high | Shut down limits: low | Shut down limits: high | Critical boundary: low | Critical boundary: high |
|---|---|---|---|---|---|---|
| Reactor pressure (Pr) | None | 2895 kPa | None | 3000 kPa | None | 2968.5 kPa |
| Reactor level (Lr) | 50% (11.8 m³) | 100% (21.3 m³) | 2.0 m³ | 24.0 m³ | 13.9% | 109.9% |
| Reactor temperature (Tr) | None | 150 °C | None | 175 °C | None | 167.5 °C |
| Product separator level (Lp) | 30% (3.3 m³) | 100% (9.0 m³) | 1.0 m³ | 12.0 m³ | 10.2% | 125.8% |
| Stripper base level (Ls) | 30% (3.5 m³) | 100% (6.6 m³) | 1.0 m³ | 8.0 m³ | −9.5% | 122.1% |
The dynamic estimated loss of reactor was summarized in Eq. (17)

\[
L_{\mathrm{reactor\_unit}}(P_r, T_r, L_r) = \max\bigl(L_{\mathrm{reactor\_unit}}(P_r, T_r),\; L_{\mathrm{reactor\_unit}}(L_r)\bigr) \tag{17}
\]

Loss function for the product separator unit.

0 !1  p
1  TL
Lproduct_separator_unit Lp EMLproduct_separator @1  T Lp 1  T Lp TL
1  TL
!p  1 1
Lp 1 Lp
p A 18

Loss function for the stripper unit.

1  T L  s  1
 1  T Ls 1  s s
Lstripper_unit Ls EMLstripper 1  T Ls 1  T Ls T Ls L s 1  L s T Ls

The loss functions of reactor, product separator and stripper estimated by levels are shown in Fig. 17.

Loss function for Tennessee Eastman process. The total estimated loss was the sum of these losses in every unit, as shown in Eq. (20).

\[
L_{\mathrm{TEP}}(P_r, T_r, L_r, L_p, L_s) = L_{\mathrm{reactor\_unit}}(P_r, T_r, L_r) + L_{\mathrm{product\_separator\_unit}}(L_p) + L_{\mathrm{stripper\_unit}}(L_s) \tag{20}
\]

Fig. 16. Estimated Losses of reactor unit by reactor pressure and temperature values. The target values are (2705.0 kPa, 120.4 °C), the first EML value is pressure at 2968.5 kPa, or temperature at 167.5 °C. (Axes: Reactor pressure, kPa; Reactor temperature, °C; Estimated losses, $.)

Table 6
Manipulated variables in TE process.

| Variable name | Base case value (%) | Low limit | High limit | Units |
|---|---|---|---|---|
| D feed flow | 63.053 | 0 | 5811.000 | kg/h |
| E feed flow | 53.980 | 0 | 8354.000 | kg/h |
| A feed flow | 24.644 | 0 | 1.017 | kscmh |
| A and C feed flow | 61.302 | 0 | 15.250 | kscmh |
| Compressor recycle valve | 22.210 | 0 | 100 | % |
| Purge valve | 40.064 | 0 | 100 | % |
| Separator pot liquid flow | 38.100 | 0 | 65.710 | m³/h |
| Stripper liquid product flow | 46.534 | 0 | 49.100 | m³/h |
| Stripper stream valve | 47.446 | 0 | 100 | % |
| Reactor cooling water flow | 41.106 | 0 | 227.100 | m³/h |
| Condenser cooling water flow | 18.114 | 0 | 272.600 | m³/h |
| Agitator speed | 50.000 | 150 | 250 | rpm |

Table 7
Target values of key state variables (normal operating set point).

| Process variable | Values | Unit |
|---|---|---|
| Reactor pressure (Pr) | 2705.0 | kPa |
| Reactor level (Lr) | 75 | % |
| Reactor temperature (Tr) | 120.4 | °C |
| Product separator level (Lp) | 50 | % |
| Stripper base level (Ls) | 50 | % |

Probability updating. There are 5 key state variables monitored, which are shown in Table 5. Consequently, when the risk management system tried to calculate the remaining time to critical boundaries, there would be one remaining time for every key state variable's upper/lower boundaries, and totally there would be 8 remaining times at most in the process to achieve the critical boundaries in theory. They are: remaining time of upper reactor pressure, remaining time of lower/upper reactor level, remaining time of upper reactor temperature, and remaining time of lower/
upper product separator level, and remaining time of lower/upper stripper base level.
Usually there will be 5 remaining times for these five monitored state variables. But sometimes, there were less than 5 remaining times because the process would be shut down before the process continued operating to cross another certain critical boundary. Because the chemical process is strongly coupled, one failed unit would stop the whole process. As a result, in practice we would not have to wait for the second remaining time when the first danger had already occurred; consequently, the minimum remaining time would be selected as the remaining time of the disturbance.

\[
t_{\mathrm{TEP}}(P_r, T_r, L_r, L_p, L_s) = \min\bigl(t_{\mathrm{upper}}(P_r),\, t_{\mathrm{upper}}(T_r),\, t_{\mathrm{upper}}(L_r),\, t_{\mathrm{lower}}(L_r),\, t_{\mathrm{upper}}(L_p),\, t_{\mathrm{lower}}(L_p),\, t_{\mathrm{upper}}(L_s),\, t_{\mathrm{lower}}(L_s)\bigr) \tag{21}
\]

With the remaining time of the Tennessee Eastman process, we could update the probability of the process. The probability density function was in Eq. (22) as follows and the calculated probability curve is shown in Fig. 18.

TEP e  TEP tTEP ; t TEP Z 0
Pt TEP ; TEP 22
0; t TEP o 0

Fig. 17. Estimated losses of reactor unit, product separator unit and stripper unit by reactor level, product separator level and stripper base level respectively. The TV is the target value and is the same as set point operating value. The Lower is the first EML value at the lower boundary, the upper is the first EML value at the upper
(Axes: Estimated losses, $, versus Level height, %. Legend: IBLF of reactor unit, TV=75%, Lower=13.9%, Upper=109.9%; IBLF of product separator unit, TV=50%, Lower=10.2%, Upper=125.8%; IBLF of stripper unit, TV=50%, Lower=-9.5%, Upper=122.1%.)

Fig. 18. Probability of loss change with remaining time. (Horizontal axis: Remaining time, h.)

Table 8
Disturbance of manipulated variables.

| Disturbance | Value | Disturbance | Value |
|---|---|---|---|
| d1 | 0.2079 | d7 | 0.1583 |
| d2 | −0.1995 | d8 | −0.1919 |
| d3 | −0.1821 | d9 | −0.0057 |
| d4 | 0.1792 | d10 | −0.0763 |
| d5 | −0.2407 | d11 | 0.1369 |
| d6 | 0.1142 | d12 | −0.1074 |

Table 9
Remaining time for every variable to cross the critical boundary.

| Variable name | Lower boundary | Upper boundary |
|---|---|---|
| Reactor pressure | NA (a) | 1.1034 |
| Reactor level | 1.0648 | NA |
| Reactor temperature | NA | 1.1079 |
| Product separator level | NA | 1.0048 |
| Stripper base level | NA | 0.3548 |

(a) NA: means not available.

Table 10
Disturbance of manipulated variables.

| Disturbance | Value | Disturbance | Value |
|---|---|---|---|
| d1 | −0.2198 | d7 | −0.1040 |
| d2 | −0.0504 | d8 | −0.0342 |
| d3 | 0.0134 | d9 | −0.2423 |
| d4 | −0.0416 | d10 | 0.2420 |
| d5 | 0.0784 | d11 | −0.1664 |
| d6 | 0.0640 | d12 | −0.1969 |

Table 11
Disturbance of manipulated variables.

| Disturbance | Value | Disturbance | Value |
|---|---|---|---|
| d1 | 0.0429 | d7 | 0.1291 |
| d2 | −0.1629 | d8 | 0.1935 |
| d3 | 0.1143 | d9 | −0.2156 |
| d4 | 0.0171 | d10 | −0.1582 |
| d5 | −0.1235 | d11 | 0.1185 |
| d6 | 0.2085 | d12 | 0.0984 |

4.2.3. Dynamic risk in Tennessee Eastman process
For the normal case, calculate the remaining time to trigger the critical boundary. The first achieved critical boundary was the upper reactor pressure. The remaining time was 1.01 h, and the second achieved critical boundary was the lower critical line of the product separator level; the remaining time was 1.15 h. Also we could continue to calculate the remaining times of other critical lines. As analyzed above, the remaining time should be the minimum of these two already achieved remaining times, that is, 1.01 h. We observed that in this normal situation, the process was running well, and there was plenty of remaining time. The system was safe in the current situation, and the risk was low. In a normal
operating condition, the estimated loss is $527555.73, and the occurrence probability is 1.69e-9, and thus the risk is about $8.90e-4, which can be regarded as zero.

Scenario 1: stripper base level triggered. In another situation, consider the disturbance of each manipulated variable. The value is shown in Table 8.
With the disturbance described in Table 8, the risk management system would calculate all remaining time of monitored key state variables. The result is shown in Table 9.
From Table 9 we can see that with the same disturbance, the remaining time of these key variables to reach the critical boundary varies. The first met critical boundary is the upper boundary of the stripper base level. Next, it is upper boundary of the product separator level, the lower boundary of the reactor level, the upper boundary of the reactor pressure and the upper boundary of the reactor temperature, respectively.
In this situation, the remaining time is 0.35 h, and first achieved was the upper critical line of the stripper base level. In this scenario, the estimated total loss was $1311779.85, the probability is 9.12e-4, and the risk is $1196.19.

Scenario 2: reactor pressure triggered. In another situation, consider the disturbance of each manipulated variable in Table 10.
In this situation, the remaining time is 0.16 h, and first achieved was the reactor pressure critical line. In this scenario, the estimated total loss was $554656.22, the probability is 4.08e-2, and the risk is $22609.01. This case is a very high risk situation; the disturbance was found to demonstrate the process first reached the upper boundary of reactor's pressure.

Scenario 3: reactor level triggered. This scenario considers the disturbance of each manipulated variable in Table 11.
In this situation, the remaining time is 1.33 h; first achieved was the lower critical line of the reactor level. In this scenario, the estimated total loss was $1100529.00, the probability is 2.80e-12, and the risk is $3.09e-6, it is approximately zero.

Table 12
Disturbance of manipulated variables.

| Disturbance | Value | Disturbance | Value |
|---|---|---|---|
| d1 | 0.1965 | d7 | 0.2069 |
| d2 | 0.1016 | d8 | 0.1034 |
| d3 | 0.0279 | d9 | 0.0289 |
| d4 | −0.1578 | d10 | −0.0933 |
| d5 | −0.1440 | d11 | −0.1669 |
| d6 | −0.2113 | d12 | 0.0612 |

Fig. 19. Estimated loss, probability and risk change with time, (a) Estimated losses, (b) probability and (c) risk. (Axes: Estimated losses, $, and Risk, $, versus Time, min.)
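The calculation chain described above, as an added example that is not code from the paper: the remaining-time estimate of Eqs. (12) and (13), the 70% critical boundary of Table 5, the first-trigger selection of Eq. (21), and risk as estimated loss times occurrence probability. The exponential form exp(-rate x t) and the rates 0.01 per second (tank) and 20 per hour (Tennessee Eastman) are assumptions, chosen because they reproduce the reported Ps = 0.86 and the reported scenario probabilities; all function and constant names are hypothetical.

```python
import math

# Values copied from the page: tank scenarios, Table 9 and the scenario text.
BYPASS_LIMIT_S = 60.0    # Scenario 2: bypass opens below this remaining time
SHUTDOWN_LIMIT_S = 15.0  # Scenario 3: inlet valve closes below this remaining time

# ASSUMPTION: rate parameters of an exponential probability model. The page
# gives no legible formula; these values reproduce its reported numbers.
TANK_RATE_PER_S = 0.01
TEP_RATE_PER_H = 20.0

# Table 9: remaining time in hours as (lower, upper); None stands for NA.
TABLE_9 = {
    "Reactor pressure": (None, 1.1034),
    "Reactor level": (1.0648, None),
    "Reactor temperature": (None, 1.1079),
    "Product separator level": (None, 1.0048),
    "Stripper base level": (None, 0.3548),
}

# (label, remaining time in h, estimated loss in $) as reported in the text.
REPORTED = [
    ("normal", 1.01, 527555.73),
    ("scenario 1", 0.35, 1311779.85),
    ("scenario 2", 0.16, 554656.22),
    ("scenario 3", 1.33, 1100529.00),
]


def critical_boundary(normal_limit, shutdown_limit, threshold=0.70):
    """Point `threshold` of the way from the normal limit to the shutdown limit."""
    return normal_limit + threshold * (shutdown_limit - normal_limit)


def remaining_time(area, height, level, inlet, disturbance, outlet):
    """Eq. (12)/(13): time for the level to rise from `level` to `height`.

    Returns math.inf when the net inflow is not positive (level is not rising).
    """
    net_inflow = inlet * (1.0 + disturbance) - outlet
    if net_inflow <= 0.0:
        return math.inf
    return area * (height - level) / net_inflow


def tank_action(t_remaining):
    """Safety action of the tank case for a predicted remaining time in seconds."""
    if t_remaining < SHUTDOWN_LIMIT_S:
        return "emergency shutdown"
    if t_remaining < BYPASS_LIMIT_S:
        return "open bypass"
    return "normal"


def occurrence_probability(t_remaining, rate):
    """ASSUMPTION: exp(-rate * t) for t >= 0 and 0 for t < 0."""
    if t_remaining < 0.0:
        return 0.0
    return math.exp(-rate * t_remaining)


def first_trigger(times):
    """Eq. (21): the boundary with the smallest available remaining time."""
    candidates = [
        (t, name, side)
        for name, (lower, upper) in times.items()
        for side, t in (("lower", lower), ("upper", upper))
        if t is not None
    ]
    if not candidates:
        return None
    t, name, side = min(candidates)
    return name, side, t


def risk(loss, t_remaining, rate):
    """Risk in dollars: estimated loss times occurrence probability."""
    return loss * occurrence_probability(t_remaining, rate)


if __name__ == "__main__":
    # Worst case of Scenarios 2 and 3: level at 0.7 H, disturbance at 50 %.
    for inlet in (0.1, 0.2):
        t = remaining_time(10.0, 1.0, 0.7, inlet, 0.5, 0.1)
        p = occurrence_probability(t, TANK_RATE_PER_S)
        print(f"tank inlet {inlet} m3/s: {t:.1f} s remaining, P = {p:.2f}")
    print("first trigger in Table 9:", first_trigger(TABLE_9))
    for label, hours, loss in REPORTED:
        p = occurrence_probability(hours, TEP_RATE_PER_H)
        print(f"{label}: P = {p:.3g}, risk = ${loss * p:.6g}")
```
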
Scenario 4: product separator level triggered. This situation considers the disturbance of each manipulated variable in Table 12.
In this situation, the remaining time is 0.57 h; first achieved was the lower critical line of the product separator level. In this scenario, the estimated total loss was $1350129.68, the probability is 1.12e-5, and the risk is $15.12.

Scenario 5: the dynamic risk and disturbances change with time. In this process, we simulate the dynamic system, and introduce the disturbance randomly to test the proposed method. We calculate the dynamic risk change with time. The risk and disturbances change with time as shown in Fig. 19.
In Fig. 19, the process risk is monitored in real time, which is helpful to manage the risk. The dynamic risk of the process under disturbance is assessed and its value can be used to take action to manage the risk.

5. Discussion

5.1. The safety threshold
In this paper the safety threshold was set to 70%; that is, the point was set at 70% from the normal allowed value to the danger value. The value of the safety threshold denotes how close the process system operating point was allowed to approach the danger operating point. If the value is small, and if it is very close to the normal operating point, the warning would be frequently triggered, and if the value is large, close to 100%, it means the operating point was allowed to get much closer to the danger operating point, and the risk in this situation is very high. As a result, the value will be identified carefully in a tradeoff between frequent warnings and high risk. In this paper, the value is set to 70%, and here we study 30%, 50% and 90%, with the same disturbances studied in Case 1 of the Tennessee Eastman process (Table 13).
From Fig. 20, we can see that, as the safety threshold increased, the remaining time increased accordingly.

Table 13
Remaining time for every variable to cross the critical boundary.

| Variable name | Threshold 30% | Threshold 50% | Threshold 70% | Threshold 90% |
|---|---|---|---|---|
| Reactor pressure | 1.0977 | 1.1033 | 1.1033 | 1.1078 |
| Reactor level | 0.8748 (a) | 1.0048 | 1.0648 | 1.1033 |
| Reactor temperature | 1.0911 | 1.1033 | 1.1078 | NA (b) |
| Product separator level | 0.9348 | 0.9848 | 1.0048 | 1.0448 |
| Stripper base level | 0.2948 | 0.3248 | 0.3548 | 0.3948 |

(a) Reactor level triggered lower critical boundary, others triggered the upper boundaries.
(b) NA, process has shut down because of an excess of the reactor liquid level before getting the value.

Fig. 20. Remaining time under different safety threshold value. (Axes: Remaining time, h, versus Safety threshold, %. Legend: Reactor pressure; Reactor level; Reactor temperature; Product separator level; Stripper base level.)

5.2. The disturbance ranges
In this paper, the disturbances of the Tennessee Eastman process are limited to a range of [−0.25, 0.25]. Here we studied the disturbances using the different values of 25%, 50%, 75% and 100% (Table 14).
Here we change the disturbance range of disturbance, and then calculate the remaining time of the process. We found that with a larger disturbance we get less remaining time, which means the disturbances were harmful to the system's safety.

Table 14
Remaining time in different ranges of disturbance.

| Disturbance range (%) | Remaining time (h) (a) |
|---|---|
| 25 | 0.1981 |
| 50 | 0.1847 |
| 75 | 0.0916 |
| 100 | 0.0675 |

(a) The range limits the maximum variation from base value. The result would be slightly changed with different disturbances.

5.3. The distribution of trigger variables
In our method, the first trigger for the critical boundary remaining time is the remaining time of the process with the current disturbance. Here we simulate the process 10,000 times and collect the numbers of every critical boundary. The result is shown in Table 15.

Table 15
Times for trigger critical boundary lines (total: 10,000 times).

| Variable name | Lower boundary | Upper boundary |
|---|---|---|
| Reactor pressure | NA (a) | 5830 |
| Reactor level | 1 | 20 |
| Reactor temperature | NA | 0 |
| Product separator level | 648 | 394 |
| Stripper base level | 1819 | 1288 |

(a) NA: means not available.

From Table 15, we can see the upper boundary of reactor pressure was very sensitive, and more than half of the remaining times were based on the value of the remaining time for the
reactor pressure to achieve its upper boundary. On the other hand, the boundaries of the reactor level and the temperature were seldom encountered. As we discussed before, the safety threshold determines the remaining time to some extent, so we can conclude that the safety threshold of reactor pressure may be too small and the temperature may be too high.
Based on the distribution, we could improve our safety strategy so that these boundaries would play a function for a similar situation. For example, we can select a critical operating point closed to the upper limit and at the same time reduce the threshold of reactor level and temperature so that there is more chance for the reactor level and temperature trigger the safety mechanism.

6. Conclusion

In this paper, we propose a dynamic quantitative risk assessment (DQRA) method, in which a consequence loss function of a process consisting of multiple units with multiple monitored variables is formulated to estimate loss dynamically, and also remaining time is introduced to update the occurrence probability with the currently measured disturbances with multiple manipulated variables. A simple tank system and a typical Tennessee Eastman process are tested to show the effectiveness of the proposed method. According to this method, the risk of the process is estimated dynamically, and as a result, we conclude it is more proactive to assess and manage risk in a chemical process operation.
In this work, the loss estimation is considered to be the deviation from the normal operating point, but considering the result in the consequence of the end process scenario, it also has impacts on the environment, human health, etc., and these losses also should be considered as part of the potential losses. Also, the probability of loss occurrence is dynamically updated with the remaining time of the process, and the remaining time is based on the current measured values. It would be more accurate to consider the historical data at the same time to predict the remaining time while updating the probability. These problems will be improved in future work.

Acknowledgments

The authors gratefully acknowledge the financial support provided by the Vale Research Chair grant, and the Natural Sciences and Engineering Research Council of Canada.

References

Adams, E.E., 1995. Total quality safety management: an introduction. American Society of Safety Engineers Des Plaines.
CCPS, 2007. Guidelines for Risk Based Process Safety. John Wiley & Sons, 768 pages, ISBN is 978-0-470-16569-0.
Downs, J.J., Vogel, E.F., 1993. A plant-wide industrial process control problem. Comput. Chem. Eng. 17, 245–255.
Dumas, R., 1987. Safety and quality: the human dimension. Prof. Saf. 32, 11–14.
García Herrero, S., Mariscal Saldaña, M.A., Manzanedo del Campo, M.A., Ritzel, D.O., 2002. From the traditional concept of safety management to safety integrated with quality. J. Saf. Res. 33, 1–20.
Hashemi, S.J., Ahmed, S., Khan, F., 2014a. Loss functions and their applications in process safety assessment. Process. Saf. Prog. 33, 285–291.
Hashemi, S.J., Ahmed, S., Khan, F.I., 2014b. Risk-based operational performance analysis using loss functions. Chem. Eng. Sci. 116, 99–108.
Kalantarnia, M., Khan, F., Hawboldt, K., 2009. Dynamic risk assessment using failure assessment and Bayesian theory. J. Loss Prev. Process. Ind. 22, 600–606.
Kalantarnia, M., Khan, F., Hawboldt, K., 2010. Modelling of BP Texas City refinery accident using dynamic risk assessment approach. Process. Saf. Environ. Prot. 88, 191–199.
Khakzad, N., Khan, F., Amyotte, P., 2012. Dynamic risk analysis using bowtie approach. Reliab. Eng. Syst. Saf. 104, 36–44.
Khan, F., Abunada, H., John, D., Benmosbah, T., 2010. Development of risk-based process safety indicators. Process. Saf. Prog. 29, 133–143.
Khan, F.I., Iqbal, A., Ramesh, N., Abbasi, S.A., 2001. SCAP: a new methodology for safety management based on feedback from credible accident-probabilistic fault tree analysis system. J. Hazard. Mater. 87, 23–56.
Krause, T.R., 1993. Safety and quality: two sides of the same coin. Occup. Hazards 55 47-47.
Leung, B.K., Spiring, F., 2002. The inverted beta loss function: properties and applications. IIE Trans. 34, 1101–1109.
Leung, B.P., Spiring, F.A., 2004. Some properties of the family of inverted probability loss functions. Qual. Technol. Quant. Manag. 1, 125–147.
Meel, A., Seider, W.D., 2006. Plant-specific dynamic failure assessment using Bayesian theory. Chem. Eng. Sci. 61, 7036–7056.
Meel, A., Seider, W.D., 2008. Real-time risk analysis of safety systems. Comput. Chem. Eng. 32, 827–840.
Pariyani, A., Seider, W.D., Oktem, U.G., Soroush, M., 2012a. Dynamic risk analysis using alarm databases to improve process safety and product quality: Part I data compaction. AIChE J. 58, 812–825.
Pariyani, A., Seider, W.D., Oktem, U.G., Soroush, M., 2012b. Dynamic risk analysis using alarm databases to improve process safety and product quality: Part II Bayesian analysis. AIChE J. 58, 826–841.
Spiring, F.A., 1993. The reflected normal loss function. Can. J. Stat. 21, 321–330.
Sun, F.-B., Laramée, J.-Y., Ramberg, J.S., 1996. On Spiring's normal loss function. Can. J. Stat. 24, 241–249.
Venkatasubramanian, V., Rengaswamy, R., Kavuri, S.N., 2003a. A review of process fault detection and diagnosis: Part II: qualitative models and search strategies. Comput. Chem. Eng. 27, 313–326.
Venkatasubramanian, V., Rengaswamy, R., Kavuri, S.N., Yin, K., 2003b. A review of process fault detection and diagnosis: Part III: process history based methods. Comput. Chem. Eng. 27, 327–346.
Venkatasubramanian, V., Rengaswamy, R., Yin, K., Kavuri, S.N., 2003c. A review of process fault detection and diagnosis: Part I: quantitative model-based methods. Comput. Chem. Eng. 27, 293–311.
Wang, H.Z., Chen, B.Z., He, X.R., Qiu, T., Zhao, J.S., 2008. Stability analysis based method for inherently safer process design at conceptual design stage. In: World Conference on Safety of Oil and Gas Industry. 801 University Drive East, College Station, Texas, United States.
Wang, H.Z., Chen, B.Z., He, X.R., Qiu, T., Zhao, J.S., 2009. Singularity theory based stability analysis of reacting systems. Comput. Aided Chem. Eng. 27, 645–650.
Wang, H.Z., Chen, B.Z., He, X.R., Zhao, J.S., Qiu, T., 2010a. Modeling, simulation and analysis of the liquid-phase catalytic oxidation of toluene. Chem. Eng. J. 158,
Wang, H.Z., Chen, B.Z., He, X.R., Zhao, J.S., Qiu, T., 2010b. Numerical analysis tool for obtaining steady-state solutions and analyzing their stability characteristics for nonlinear dynamic systems. J. Chem. Eng. Jpn. 43, 394–400.
Wang, H.Z., Chen, B.Z., Qiu, T., He, X.R., Zhao, J.S., 2012a. An Approach Considering Both Operation Stability and System's Hopf Bifurcations to Chemical Process Design. 2012 AIChE Annual Meeting, Pittsburg, PA.
Wang, H.Z., Chen, B.Z., Qiu, T., He, X.R., Zhao, J.S., 2012b. An integrated quantitative index of stable steady state points in chemical process design. In: Proceedings of the 11th International Symposium on Process Systems Engineering-PSE2012, Singapore.
Wang, H.Z., Yuan, Z.H., Chen, B.Z., He, X.R., Zhao, J.S., Qiu, T., 2011. Analysis of the stability and controllability of chemical processes. Comput. Chem. Eng. 35,
Wang, H.Z., Yuan, Z.H., Chen, B.Z., Zhao, J.S., Qiu, T., 2010c. Inherently safer design oriented segregation of chemical process operating region. In: Mary Kay O'Connor Process Safety Center International Symposium. Hilton Conference Center, 801 University Drive East, College Station, Texas, United States.
Wang, H.Z., Zhang, N., Qiu, T., Zhao, J.S., Chen, B.Z., 2014a. Method for regulating oscillatory dynamic behavior in a zymomonas mobiliz continuous fermentation process. Ind. Eng. Chem. Res. 53, 12399–12410.
Wang, H.Z., Zhang, N., Qiu, T., Zhao, J.S., He, X.R., Chen, B.Z., 2012c. Analysis of Hopf points for a zymomonas mobilis continuous fermentation process producing ethanol. Ind. Eng. Chem. Res. 52, 1645–1655.
Wang, H.Z., Zhang, N., Qiu, T., Zhao, J.S., He, X.R., Chen, B.Z., 2013. A process design framework for considering the stability of steady state operating points and Hopf singularity points in chemical processes. Chem. Eng. Sci. 99, 252–264.
Wang, H.Z., Zhang, N., Qiu, T., Zhao, J.S., He, X.R., Chen, B.Z., 2014b. Optimization of a continuous fermentation process producing 1,3-propane diol with Hopf singularity and unstable operating points as constraints. Chem. Eng. Sci. 116, 668–681.
Yu, H., Khan, F., Garaniya, V., Ahmad, A., 2014. Self-organizing map based fault diagnosis technique for non-gaussian processes. Ind. Eng. Chem. Res. 53, 8831–8843.
Zadakbar, O., Imtiaz, S., Khan, F., 2012. Dynamic risk assessment and fault detection using principal component analysis. Ind. Eng. Chem. Res. 52, 809–816.
Zadakbar, O., Imtiaz, S., Khan, F., 2013. Dynamic risk assessment and fault detection using a multivariate technique. Process. Saf. Prog. 32, 365–375.