The P3 Formalism: A Basis for Comprehensive Diagnosis in Complex Process Systems?

Ian Cameron
School of Engineering
The University of Queensland, Australia

HAS Budapest 2007 © Ian T. Cameron


Overview

• Abnormal conditions and accidents
  – Lessons to be learned
  – Patterns to be observed
• Systems perspectives on diagnosis
  – P3 perspective and implications
  – Functionality and capability in complex systems
  – A multiscale, multifunctional approach
  – Formalizing the HAZID phase for diagnosis
• On-going work


Acknowledgements

• HAS (Systems and Control):
  – Katalin Hangos, Erzsebet Nemeth
• University of Pannonia:
  – Rozalia Lakner
• University of Queensland:
  – Penny Sanderson (Cognitive Psychology/Engineering)
• BP (Bulwer Island) Refinery, Australia
• BSL, Australia


Abnormal Conditions & Accidents

• Invariably complex situations
• A four dimensional space: P3(t)
• Difficult to analyze effectively and comprehensively
• Lack of effective information re-use
• Lack of comprehensive and effective HAZID phase


Major Gas Plant Fire and Explosion - 1998

• ESSO Longford Gas Plant, Victoria, Australia
• Major gas loss with subsequent fire and explosion
• 2 operators dead, others badly injured
• Loss of gas supply into Victoria for 10 days
• ESSO fined $4 million
• Class action liability ~$1.3 billion


ESSO Longford Gas Plant - 1998

[Photograph: The Age, Melbourne, Australia]


Longford AcciMap (after Hopkins, 2001)

[AcciMap: each factor tagged Plant, People or Procedures, arranged by level]
– Societal / Government/regulatory system: Market forces; Inadequate regulatory system; Gov’t failure to provide alternative supply
– Corporate: Poor change management; ESSO cost cutting; Exxon control failure
– Organizational: Absence of engineers; Focus on LTIs; Poor engineering design; Maintenance backlog; Poor auditing; Failure to HAZOP GP1; Failure to identify interconnection hazards; Poor supervision; Failure of incident reporting system; Operating in alarm mode; Poor shift handover; Poor maintenance priorities; Inadequate procedures & training
– Physical accident sequence: Warm oil restart; Plant interconnections; Condensate overflow; Incorrect operation of manual bypass valve; Warm oil pump trip; Cold metal embrittlement; Explosion; Loss of supply; 2 week site closure
BSL Steel 2001

• Significant environmental accident
• Complex intra & inter-plant coupling issues
• Potential loss of coke battery ($A250 million)
• Major EPA court proceedings and fines
• Major business interruption of coke making
• Significant, immediate bad publicity impact


BSL – October 2001

[Photograph © Ian T Cameron]


Accident causation & latent factors - AcciMap

[AcciMap of the BSL accident: Safety Management Components and the Accident sequence, each factor tagged Plant, Procedures or People]
BP Texas City Refinery - 2005

• Major release of flammable hydrocarbons
• Many failed system components and latent factors
• 15 contractors dead, 170 injured, business interruption
• Major congressional enquiry by James Baker (2007)
• Significant reputational damage to the company
• $1 billion in repairs and improvements, >$2 billion in current litigation?


Texas City, USA 2005

[Photograph: Associated Press, 2005]


PSMS AcciMap

[AcciMap of the Texas City accident, factors grouped by PSMS element and tagged Plant, People or Procedures]
– Process & Control System Design: Inadequate level indicator design; Key operating parameters not available; Atmospheric vent design inadequate
– Training & performance: Incorrect operating procedure; Poor diagnostic training
– Process knowledge: Unrecognized high level; High pressure cause not diagnosed
– Process Equipment Integrity: Faulty HH level alarm; Faulty pressure relief valve; Faulty high level alarm on blowdown
– Risk management: Poor siting of contractors
– Accident sequence: Splitter base level alarm activates and no action taken → Feeding with no discharge and high level in column → Feed overheated and high column pressure → Hydrocarbons to blow-down tank and vent → Liquid overflow from atmospheric vent → Explosion and death


Key components in complex process systems

[Figure: the three component classes, Plant, People and Procedures]


Key characteristics affecting diagnosis

• System components (plant, people, procedures: P3)
• System time scales
  – 10^8 s at legislative level to 10^-3 s at plant level
• System complexity
  – Increasingly complex systems design involving many processing stages (e.g. micro-chip manufacture)
  – Inability to truly understand the technology
• System coupling and interfaces
  – Degree of coupling from loose to extremely tight
  – Many more potential pathways for failure propagation
  – Internal timescales important in fault diagnosis and effective response
Normal Accident Theory (Perrow 1984, 1999)

• Interactions
  – Linear or complex (manufacturing vs. chemical plants)
• Coupling
  – Loose or tight (energy and control integration levels)


Abnormal Condition Management (ACM)

• USA petro-chemical losses of at least $20 billion per year
• Significant “gaps” between theory and practice in industry:
  – Mismatch between operator dynamics and system dynamics
  – Inability to isolate “root” causes in available time frames
  – Still many DCS/PLC systems with poor alarm management strategies
  – Ignorance on effects of incorrect actions by operating personnel

Raman & Cameron, 2005, Abnormal Situation Management – Is it in control?, WWCE 2005, IChemE, UK


Systems Perspectives on Diagnosis

Function, Capability & Analysis Tools


A systems view (strategic level)

[Figure: the system S with disturbances d (Economy, Legislation, Market demand, Weather), inputs u (Personnel, Raw materials, Energy sources, Finance), internal states and parameters x, p …, and outputs y (Production rates, Product volumes, Profit, Environmental performance, Risk levels)]

y = S[u, d]
A functional perspective of the system

[Figure: with inputs u, disturbances d, states x and outputs y: the Components (Plant, People, Procedures) make up the Structure; the Structure possesses Capabilities; the Capabilities achieve the Function (the intended effects of the capabilities); the Function realizes the Goal (the desired end point)]

Capabilities of component i:
$C_i = \{\, C^{P}_{i,j} : j = 1 \ldots m,\; C^{S}_{i,k} : k = 1 \ldots n \,\}$


Principal system interactions

[Figure: interactions among Plant, People, Procedures and the environment]
1. Harm to the environment from system failures
2. Harmful environmental impact from abnormal plant states
3. Abnormal plant states due to equipment failures
4. Human pressures on the system
5. Abnormal plant states with impacts from human errors/actions
6. Harmful human actions causing other human impacts
7. Human actions from software and procedural components
8. Actions from software and procedural faults on people
9. Software and procedural actions on plant equipment and process states
10. Process states impacting on procedures and software performance
11. Self-interactions of software and procedures


The scale issues

• Plant and time: Phases → Equipment → Subunits → Units → Site
• People and time: Operators → Supervisors → Plant Managers → Site Managers → CEO
• Procedures and time: RTC → Operations → Maintenance → OH&S → Corp strategy


Diagnosis – the main issues

• It is a multi-scale issue:
  – Temporal (time scale importance)
  – Spatial (length scale importance)
  – Detail (information scale importance)
• It is a multi-capability issue:
  – Plant, people, procedures/software
• It is an integrative issue:
  – The physical, informational and cognitive processes and their interactions are vital


Challenges for design/operations

• Improving the hazard identification phases
• Understanding more clearly the intra-system and inter-system interactions
• Improving and extending the use of HAZID outcomes
• Integrating capabilities from components
• Addressing more effectively abnormal condition management (ACM)


Some Analysis Tools for HAZID

• Hazard & Operability Study (HAZOP)
• Failure Modes, Effects Analysis (FMEA)
• Action Error Analysis (AEA)
• Human Reliability Analysis (HRA)
• TRIPOD (Shell Global Solutions)
• What if? studies
• FTA, ETA, Barrier Analysis


Complementary & Blended HAZID

• Hazard identification requires complementary techniques focused on each system component, such as:
  – HAZOP, FMEA (Plant, People, Procedures)
  – HRA, THERP, OAT (People)
  – SVM (Software)
• Inherent danger in “one size fits all”
• Importance of understanding interactions and scales


Hazard & Operability Study (HAZOP)

• Systematic examination of Piping & Instrumentation Diagrams (P&IDs) plus layout
• Clear knowledge of designer’s intention
• Consideration of deviations from intention
• Discovery of causes and consequences
• Actions to eliminate/mitigate
• Applicable to batch and continuous processes


Case study: Solvent Delivery System


Solvent Delivery System for Printing Press

Plant Functional Description: deliver solvent at a stated and controlled rate to a head tank from a bulk storage tank

[Functional decomposition]
– Bulk storage for holding solvent
– Delivery system to transfer solvent at a controlled rate
  – Pumping system to transfer liquid and provide pressure: Pump, Drive system, Piping, Valving
  – Liquid flowrate control
– Head tank to hold solvent for the press


HAZOP – Analysis Objective + Specification

Flowsheet section: ……………… Line/Vessel: …………………. (the goal to be achieved)
Intention: ………………………………..

Parameter | Guideword | Deviation | Possible Causes | Consequences | Action required
Flow | No | No flow | ….. | ….. | …..
Flow | Less | Less flow | ….. | ….. | …..
Flow | More | More flow | ….. | ….. | …..
Flow | Reverse | Reverse flow | ….. | ….. | …..
Pressure | More | More pressure | ….. | ….. | …..

Worksheet structure: {P, GW, D} {C} {Con} {A}

Deviation encoded as typed terms: {<no><flow>} ≡ {<s_condition><state>}, i.e. {<no>} ≡ {<s_condition>} and {<flow>} ≡ {<state>}

Possible causes are classified as: variance in a state of the system; component “malfunction”; component failure; function failure; input induced failure; disturbance induced failure. Examples in the same notation:
– {<valve><fails><closed>} ≡ {<com><action><state>}
– {<operator><¬start><conveyor>} ≡ {<com><action><com>}
– {<refrig’n><flow><less>} ≡ {<function><state><s_condition>}
– {<ambient><temperature><less>} ≡ {<disturb><state><s_condition>}


HAZOP – Analysis Objective + Specification

Flowsheet section: ……………… Line/Vessel: …………………. (the goal to be achieved)
Intention: ………………………………..

Parameter | Guideword | Deviation | Possible Causes | Consequences | Action required
Flow | No | No flow | ….. | ….. | …..
Flow | Less | Less flow | ….. | ….. | …..
Flow | More | More flow | ….. | ….. | …..
Flow | Reverse | Reverse flow | ….. | ….. | …..
Pressure | More | More pressure | ….. | ….. | …..

Worksheet structure: {P, GW, D} {C} {Con} {A}

Possible causes are classified as before (variance in a state of the system; component “malfunction”; component failure; function failure; input induced failure; disturbance induced failure).

Consequences are classified as component impact, functional (sub-function) impact and environmental impact. Examples in the same notation:
– {<vessel><pressure><high>} ≡ {<com><state><s_condition>}
– {<vessel><containment><fails>} ≡ {<com><function><condition>}
– {<hydrocarbon><vapour><released>} ≡ {<com><state><condition>}
– {<hydrocarbon><liquid><released>} ≡ {<com><state><condition>}
– {<hydrocarbon><fire><radiation>} ≡ {<com><state><condition>}


Failure Modes Effects Analysis (FMEA)

• Systematic analysis of all components and their failure modes
  – Fails to open, close, start, stop, …
  – Spurious failure
  – Degradation
• Analysis of human/procedural failures
  – Fail to perform certain tasks
  – Incorrect task performance
  – Include/exclude task
  – Out-of-sequence task
  – Fail to perform in time


FMEA – Analysis

Component ID | Component Description | Failure Mode | Failure Causes | Effects (Local) | Effects (System) | Detection Method | Criticality | Corrective Actions
PA | Main pump | Stopped | Shaft broken | No flow | Production loss | Flow measurement FRC101; yearly ND inspection | High | Change maintenance regime

Worksheet structure: {Com} {ComDes} {FM} {FMC} {EL, ES} {Det} {Crit} {A}

Failure mode: the fundamental mode of component failure (loss of capability), e.g.
{<valve><fails><open>} ≡ {<com><action><state>}

Failure causes: the underlying causes of the failure mode (reason for incapability), e.g.
{<open><because of><defective maintenance>} ≡ {<state><prep_phrase><com>}
{<open><because of><material selection>} ≡ {<state><prep_phrase><com>}
{<open><because of><cost reductions>} ≡ {<state><prep_phrase><input>}
{<open><because of><freezing weather>} ≡ {<state><prep_phrase><disturbance>}

Composing a failure mode with its causes provides the basis for fault tree segments (automatic generation):
{ <valve><fails><open> } → { <valve><fails><open><because of><defective maintenance> }


FMEA – Analysis

Component ID | Component Description | Failure Mode | Failure Causes | Effects (Local) | Effects (System) | Detection Method | Criticality | Corrective Actions
PA | Main pump | Stopped | Shaft broken | No flow | Production loss | Flow measurement FRC101; yearly ND inspection | High | Change maintenance regime

Local effects {EL}: impacts on the local function, e.g.
{<no><flow>} ≡ {<s_condition><state>}
{<contaminant><flow><starts>} ≡ {<comp><state><s_condition>}

System effects {ES}: impacts on wider functions, e.g.
{<production><rate><less>} ≡ {<function><state><s_condition>}
{<production><quality><less>} ≡ {<function><state><s_condition>}
{<hydrocarbon><liquid><released>} ≡ {<com><state><condition>}
{<corrosion><rate><increase>} ≡ {<function><state><s_condition>}

Worksheet structure: {Com} {ComDes} {FM} {FMC} {EL, ES} {Det} {Crit} {A}


A systems perspective on HAZID

[Figure: ‘Component’-driven analysis (FMEA) starts from the Components (Plant, People, Procedures), which make up the Structure and possess Capabilities (abilities of a component to affect the states of the system); ‘Function’-driven analysis (HAZOP) starts from the Function (the intended effects of the capabilities), which the Capabilities achieve and which realizes the Goal (the end point)]


Complementary methods – an overview

• HAZOP: Hi = [ {P,GW,D} {C} {Con} {A} ]
  (parameter, guideword, deviation; causes; consequences; actions)
• FMEA: Fj = [ {Com} {FM} {FMC} {EL, ES} {Det} {A} ]
  (components; failure modes; failure causes; local/system effects; detection; actions)

Correspondence & complementarity between the matching fields of the two structures


General observations on HAZID methods

• HAZOP basic causes {C} are contained in FMEA failure modes {FM}
• HAZOP can directly add Input (u) and Disturbance (d) related causes that are part of FMEA {FMC}
• Analyzing effects {EL, ES} of failure modes provides better hazard coverage than from deviations alone
• FMEA provides explicit analysis of failure/deviation detection method {Det} which HAZOP does not
• A “blended” and extended method could be valuable
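As an added illustration of the HAZOP/FMEA correspondence described in these observations and in the HAZOP and FMEA worksheet slides (example code written for this page, not part of Cameron's slides or any HAS tool): it encodes worksheet entries in the slides' {<term>…} ≡ {<category>…} notation, composes a failure mode with its causes into fault-tree segments, and reports which HAZOP causes are missing from the FMEA failure modes and which detection methods the FMEA can supply. The pump row is constructed sample data modelled on the slides' PA example; the power-loss cause and the low-flow-trip action are assumptions.

```python
from dataclasses import dataclass

# A phrase is a tuple of (term, category) pairs using the slides' categories: com, action, state, s_condition, function, input, disturbance, prep_phrase.
Phrase = tuple[tuple[str, str], ...]

def render(p: Phrase) -> str:
    """Format as on the slides: {<valve><fails><open>} ≡ {<com><action><state>}."""
    return "{" + "".join(f"<{t}>" for t, _ in p) + "} ≡ {" + "".join(f"<{c}>" for _, c in p) + "}"
@dataclass
class HazopEntry:                 # Hi = [ {P,GW,D} {C} {Con} {A} ]
    parameter: str
    guideword: str
    deviation: Phrase
    causes: tuple[Phrase, ...]
    consequences: tuple[Phrase, ...]
    actions: tuple[str, ...]
@dataclass
class FmeaEntry:                  # Fj = [ {Com} {FM} {FMC} {EL,ES} {Det} {A} ]
    component: str
    failure_mode: Phrase
    failure_causes: tuple[Phrase, ...]
    local_effects: tuple[Phrase, ...]
    system_effects: tuple[Phrase, ...]
    detection: tuple[str, ...]
    actions: tuple[str, ...]

def fault_tree_segment(f: FmeaEntry) -> list[str]:
    """Join mode and cause on their shared state term, as in
    {<valve><fails><open>} -> {<valve><fails><open><because of><defective maintenance>}."""
    segments = []
    for cause in f.failure_causes:
        if cause[0] != f.failure_mode[-1]:   # a cause phrase restates the mode's final state
            raise ValueError(f"{render(cause)} does not start from the failure-mode state")
        segments.append(render(f.failure_mode + cause[1:]))
    return segments

def uncovered_hazop_causes(h: HazopEntry, fmea: list[FmeaEntry]) -> list[str]:
    """HAZOP causes {C} are expected among FMEA failure modes {FM}; list any that are missing."""
    modes = {f.failure_mode for f in fmea}
    return [render(c) for c in h.causes if c not in modes]

def detection_for(h: HazopEntry, fmea: list[FmeaEntry]) -> list[str]:
    """HAZOP lacks {Det}: borrow detection methods from FMEA rows whose mode is a HAZOP cause."""
    return [d for f in fmea if f.failure_mode in h.causes for d in f.detection]

# Constructed sample rows in the slides' notation (pump row modelled on the slides' PA example; the power-loss cause and low-flow-trip action are assumptions).
PUMP = FmeaEntry("PA", (("pump", "com"), ("fails", "action"), ("stopped", "state")),
    ((("stopped", "state"), ("because of", "prep_phrase"), ("shaft broken", "com")),
     (("stopped", "state"), ("because of", "prep_phrase"), ("power loss", "input"))),
    ((("no", "s_condition"), ("flow", "state")),), ((("production", "function"), ("rate", "state"), ("less", "s_condition")),),
    ("flow measurement FRC101", "yearly ND inspection"), ("change maintenance regime",))
NO_FLOW = HazopEntry("Flow", "No", (("no", "s_condition"), ("flow", "state")),
    (PUMP.failure_mode, (("valve", "com"), ("fails", "action"), ("closed", "state"))),
    ((("vessel", "com"), ("pressure", "state"), ("high", "s_condition")),), ("install low-flow trip",))
```

Running `uncovered_hazop_causes(NO_FLOW, [PUMP])` flags the valve cause the FMEA has not yet analysed, and `detection_for(NO_FLOW, [PUMP])` pulls FRC101 and the yearly inspection across from the FMEA row, which is the blending the slide proposes.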



On-going work …


Multiscale-Multifunctional (MSMF) Framework

Key research areas

[Figure: MSMF framework. Multiscale axis: τ-L-D (time, length, detail) scale-map, Diagnostic, Assess and Interpret, covering the “Normal” modes and “Abnormal” modes of the System, Interface and Plant. Multifunction axis: Initial design functionality → Initial design capabilities → Extended capabilities → Extended functionality. HAZID inputs: Existing HAZID methods, New or extended HAZID methods, New blended HAZID methods, and τ-L-D scale-map design.]


MSMF Framework – Focus change

[Figure: the same MSMF framework diagram (Multiscale: τ-L-D scale-map, Diagnostic, Assess and Interpret, “Normal” and “Abnormal” modes of System, Interface and Plant; Multifunction: Initial design functionality → Initial design capabilities → Extended capabilities → Extended functionality; Existing, New or extended, and New blended HAZID methods), with the focus shifted]


A Multiagent Diagnostic Approach

[Figure: multiagent diagnostic architecture]
– Process Agents (based on a process-specific ontology): Monitoring Agent, Corroborating Agent, Pre-processor Agent and Control Agent acting on the PROCESS; real-time agents based on an R-T ontology with real-time ACL messaging
– Diagnostic Agents (based on the HAZID ontology): Completeness Co-ordinator, Parameter Estimator, Symptom Generator, State & Diagnostic, Conflict Resolver, Loss Preventor, Fault Detector, Fault Isolator
– Supporting services: Database, Remote Monitoring Agent, Agent Management System, Directory Facilitator, GUI, linked through an RMI Communication Server with ACL messaging
MSMF Ecological Interface Design

[Figure: ecological interface design loop. Plant side: the process S with inputs u, outputs y and disturbances d (y = S[u,d]), Sensors → Computation → Action. Operator side, connected through the interface: Information acquisition → Processing of information (logic) → Decision making (goal driven) → Responses and physical activity. See Rasmussen, Vicente, Sanderson.]


Final remarks

• Analysis of complex socio-technical systems requires a holistic functional systems perspective on design and operations
• The hazard identification task needs complementary methods across Plant, People and Procedures
• Structured HAZID information provides opportunities for generating effective diagnostic systems
• Industry has significant interest in improved methodologies that deliver demonstrable outcomes
