
Journal of Intelligent Manufacturing (1997) 8, 517-524

A knowledge-based approach to safety evaluation for plant start-up


Sanggyu Lee and Sunwon Park*
Process Systems Laboratory, Department of Chemical Engineering, Korea Advanced Institute of Science and Technology, 373-1 Kusong-dong, Yusong-gu, Taejon 305-701, Korea

Received October 1996 and accepted March 1997

To improve the safety of plant start-up operation, a safety evaluation system has been developed. As a key component in an operational design support system, the evaluation system examines any potential hazards during start-up operation simulation. The evaluation system is integrated into an operational design methodology which designs operable processes by proposing alternatives, examining process safety and operability, and modifying operating procedures or plant structures. Issues for both methodology and implementation of a G2-based expert system are discussed. Finally, the system is applied to an industrial hydrodesulphurization process.

Keywords: Safety evaluation, hazard analysis, operational design, plant start-up, hydrodesulphurization process

1. Introduction

Issues for the safety of chemical plants have to be considered from the basis of design. Safety analysis is an important activity to improve the safety of chemical plants, but it requires a considerable amount of time and effort from many specialists. Hazards are everywhere in chemical plants, but unfortunately a hazard is not always identified until an accident occurs, so it is essential to identify the hazards and reduce the risk well in advance of an accident (Crowl and Louvar, 1990). Therefore, many methods have been investigated to identify possible accidents before they occur: safety review, checklist analysis, relative ranking, what-if analysis, what-if/checklist analysis, hazard and operability analysis (HAZOP), failure modes and effects analysis (FMEA), fault tree analysis, event tree analysis, cause-consequence analysis, human reliability analysis, control system HAZOP (CHAZOP), and so on (Centre for Chemical Process Safety, 1992; Nimmo, 1994). Safety evaluation methods are becoming more sophisticated because of the increasing number of regulations and the complexity of technical problems. Manual process safety analysis can be too costly and incomplete, and the number of existing specialists is not enough to satisfy the increasing demand for ensuring process safety. To overcome these difficulties, several computer-aided HAZOP analysis systems have been reported by Venkatasubramanian and Vaidhyanathan (1994a, 1994b), Catino and Ungar (1995), and Vaidhyanathan and Venkatasubramanian (1995, 1996). However, the existing safety analysis methods and their implementations do not specifically address plant start-up situations. According to the analyses of several accidents in petrochemical plants, a large number of accidents occurred during transient operations such as process start-up and shutdown.

Our objective is to develop a safety evaluation method that can be applied to plant design and operation planning for start-up. An effort to develop operational design methodologies and support systems has been going on in order to design an operable process plant by designing both plant structures and behaviours, including operating procedures (Naka and McGreavy, 1994). Start-up operation is the first target for operational design. It is therefore natural for us to consider integrating the safety evaluation into the operational design for safer start-up operation (Lee et al., 1996). Attention here is directed to both the safety evaluation and operational design methodology. We present the development of a safety evaluation methodology and its system architecture for start-up that aims at (1) assisting the engineers in the design of a more operable and safer plant; and (2) providing the necessary computer tools to guarantee safer start-up operations. We have developed a knowledge-based expert system for an off-line safety evaluation of plant start-up in an object-oriented architecture using Gensym's G2 expert system shell. The expert system analyses possible hazards during the start-up of a chemical plant, then makes design recommendations to avoid those hazardous situations, and displays the modified topology. First we will give an overview of the operational design methodology and its computer support system structure so as to identify the role and position of safety evaluation. Then detailed issues with safety analysis such as the evaluation procedure, knowledge organization and implementation will be discussed. Finally, an HDS industrial process case study will be used to demonstrate the use and advantages of the methodology.

* Corresponding author.

0956-5515 © 1997 Chapman & Hall

2. Safety evaluation methodology for plant start-up

Starting from the design phase, the operational design methodology attempts to accommodate the plant structure in order to improve the future plant operability in terms of safety, reliability, and availability. Operational design starts from a process flow diagram (PFD) and considers modifying the process structures and adding more facilities to the PFD toward a piping and instruments diagram (P&ID). This is done by proposing design alternatives that are evaluated against several operating criteria, like process constraints or safety limits. The design alternatives are then used for design modification. Here we pay attention to the safety evaluation criteria. The expert system for safety evaluation and operational design evaluates safety during start-up in two steps. In the first step the expert system evaluates safety during start-up when the equipment works free of failures. In the next step the expert system evaluates safety during start-up when the process has a failure mode. The failure mode describes how the equipment fails to perform as expected (open, closed, on, off, leaks, etc.). In both cases design alternatives and modifications are performed in order to reduce hazardous situations.
The methodology for safety evaluation when the equipment works free of failures (Fig. 1) can be described as follows:
(1) Accommodate a plant topology (a PFD is a suitable candidate).
(2) Plan a set of actions (operations) for the plant start-up.
(3) Simulate the start-up of the plant, and simultaneously evaluate safety using the simulation results. All process variables like pressure, temperature and concentration are checked to see if all specified safety limits are satisfied. If any safety problem is found in any equipment of the plant there are two possible alternatives that must be explored:
    (i) Modify the plant topology around the equipment that has a detected safety problem.
    (ii) Plan a new set of plant actions.
(4) Go to step 2 and repeat the procedure until no hazardous situations exist.

Fig. 1. Methodology for safety evaluation when the equipment works free of failures.

If all process variables have their values within the safety limits then the plant could be considered safe in terms of the procedure performed. Although unsafe conditions have not been found from the above procedure, it is still possible that a failure of a piece of equipment during start-up can make the process unsafe. So the expert system analyses the effects of the possible failure modes in the equipment so as to propose the modifications of the topology or the set of operations that could overcome these hazardous situations.

The methodology for safety evaluation when the process has a failure mode (Fig. 2) is described as follows:
(1) Identify the possible equipment failure modes;
(2) Assume a failure mode in the equipment;
(3) Plan a set of actions for the plant start-up;
(4) Simulate the plant and the equipment failure mode, and simultaneously evaluate the effects of the failure mode according to the safety constraints. If any safety problem is found, then determine how to avoid the failure effects by means of:
    (i) A modification of the topology;
    (ii) A new set of plant actions;
(5) Go to step 3 until no hazardous problems exist for the assumed failure mode;
(6) Go to step 2 until no more failure modes remain to be analysed.

Fig. 2. Methodology for safety evaluation when the process has a failure mode.

Fig. 3. Architecture of the safety evaluation system.

3. Architecture of the safety evaluation system

The overall architecture of the safety evaluation system is shown in Fig. 3. The users access the system through the graphical user interface. The safety evaluation system makes use of the resources provided by the supporting environment. The plant topology is the flowsheet of the plant (PFD) containing the instances of the required equipment objects.

Once the user constructs the flowsheet, every instance of equipment should be instantiated with the precommissioning values of temperature, pressure, component compositions, etc. The simulation models represent the behaviour of each unit operation attached to each piece of equipment. These models are composed of rules and dynamic equations that allow a rough dynamic simulation of the plant during transient states in start-up. Only simplistic models are used, because a more detailed dynamic simulator is beyond the scope of this work.

To start the safety evaluation procedure, the action planning module receives the input of the plant topology and the initial conditions to establish the necessary operations, either for start-up or for safety evaluation. The operations for start-up are those related to opening and closing valves or turning on and turning off the equipment (e.g. pumps, compressors). The timing of each operation is registered and displayed in a tabular form, so the user can consult the time when a particular valve has been closed or opened. These operations for start-up are spaced by the time required for the fluid to pass along the equipment, taking into account the time for hold-up in vessels and the time for satisfying process conditions (Batres et al., 1995).

The knowledge for hazard identification detects any possible abnormality by checking process variables against constraints such as mechanical integrity, equipment metallurgical limits including temperature and pressure, and catalyst operating requirements. For example, a pressure decrease in a purge valve below the allowable limit could cause unexpected mixing and reactions, and this could be the cause of a potential hazard. After the hazardous situation is detected, the safety evaluation system generates information for the action planning module. Then the action planning module suggests a modification in the set of operations for start-up or it may suggest a transformation of the plant topology. The interaction between the action planning module and the knowledge for start-up is made by the generation of new rules for start-up. Should it suggest transforming the topology, the action planning module proposes a modification to the topology structure of the process and generates new rules for start-up based on that modification.

Each knowledge base for safety and start-up can be divided into generic and application-specific kinds of knowledge. Generic knowledge is applicable to almost any kind of chemical plant, and the specific knowledge is specified by the user for the individual pieces of equipment or for the particular behaviour of the process. The action planning module for the design modification has a hierarchical structure of four levels for the knowledge which, if required, are executed hierarchically from level 1 to level 4 as shown in Table 1. The action planning module initially applies the knowledge of level 1 to the set of operations for start-up, then the safety evaluation system analyses the safety based on the modified situation to see if the modification is satisfactory. In each level, more than one solution method is proposed for a given problem, and several methods may be available. Every solution method in each level has its rule priority governing the order of application. If the modification is not satisfactory, the action planning module applies the knowledge of the next priority method or the next level until no hazardous situation exists.

Table 1. Hierarchical structure for action planning module
Level 1    Change the start-up procedure
Level 2    Modify the topology
Level 3    Attach safety equipment
Level 4    Provide an alarm and fault diagnosis system (not yet implemented)

Figure 4 shows the graphical user interface of the safety evaluation system. The table in the middle of the figure shows the open or closed states of the valves and flow rates through the valves.

Fig. 4. Graphical user interface of the safety evaluation system.

4. Hydrodesulphurization process case study

Hydrodesulphurization (HDS) is a well-known process for removing sulfur from diesel oil through a reaction with hydrogen. Figure 5 shows the PFD of the HDS process. Figure 6 shows the sequence of valve operations before safety evaluations. The shaded portion indicates the operation of the valve that is open. After activating the rules for safety and using all the capabilities of the safety evaluation system, the first hazard detected was deactivation of the catalyst in the reactor. Contact with hydrogen alone below the limiting temperature (205 °C) damages the catalyst. This knowledge is expressed in the G2 shell as follows:

    if the t-minimum-bound T-min of the catalyst-class named by the catalyst of any reactor R > the temperature of R
       and the hydrogen-flow-rate of R > minimum-value-for-flow-rate
    then conclude that main-work-situation is design-modification
       and conclude that physical-property is temperature
       and conclude that status-of-property is low
       and conclude that status-constraint-value is T-min
       and conclude that object-focused is the name of R

where R is the name of the reactor, T-min is the minimum operating temperature of the catalyst used in the reactor, and minimum-value-for-flow-rate is the threshold value to check for a material flow inside. So this rule is fired when the temperature of a reactor is less than the temperature limitation of the catalyst used in the reactor and there is a material flow inside the reactor.

Fig. 5. PFD of HDS process before safety evaluations.

Fig. 6. Valve actions for start-up before safety evaluations.

If the system detects an operability problem, the safety evaluation system generates information for the action planning module as follows: main-work-situation indicating the next step (action planning); physical-property, status-of-property, and status-constraint-value indicating the physical problem status of the unit; object-focused indicating the name of the unit; and so on. Then the action planning module tries to solve the problem according to the methods in the design modification. For the catalyst deactivation problem, the action planning module suggests the following methods:
(1) It finds the first valve (here the valve is CV2) in the forward direction of the reactor, and creates a temporal rule which describes `keep the valve closed until the temperature of the unit (here the unit is FURNACE-1) forward-connected to the reactor becomes the value of status-constraint-value (205 °C)'. The module tries to plan a new operating procedure based on the modification, but the system cannot generate a start-up procedure, because the furnace would not be turned on without any material inside, so the temperature of the furnace cannot reach that value within the time given by the system. The method becomes `fail'.
(2) It adds a new valve on the inlet pipe of the reactor (Fig. 7a), and creates a temporal rule which describes `keep the valve closed until the temperature of the unit (here the unit is FURNACE-1) forward-connected to the valve becomes the value of status-constraint-value (205 °C)'. A new operating procedure is planned based on the modified topology. But the module discovers a hazardous situation, `operating the furnace without any flow is dangerous', during the simulation of plant start-up. The method becomes `fail'.
(3) It creates a bypass valve beside the reactor (Fig. 7b); an inlet valve is also created, and a temporal rule is created to determine the opening and closing times of the valves. This method does not create any problems, so it is acceptable to avoid the operability problem of the reactor. However, if the problem cannot be solved via this method, there are other alternatives; for example:
(4) It creates an extra reservoir and two valves (Fig. 7c), and reserves the inlet material until the temperature of FURNACE-1 becomes 205 °C.

Fig. 7. Modifications to avoid temperature problems within a reactor: (a) adding an inlet valve; (b) adding a bypass valve; (c) adding an extra reservoir.

An example of the knowledge for design modification, the modification method of item 3, is expressed in the G2 shell as follows:

    if main-item is hazard-analysing-for-startup-itself
       and main-work-situation is design-modification
       and the object named by object-focused is a reactor
       and physical-property is temperature
       and status-of-property is low
    then start create-bypass-valve-and-find-changing-time (the object named by object-focused, temperature, low, status-constraint-value)

If this rule is fired, the evaluation system calls the procedure create-bypass-valve-and-find-changing-time, which (1) seeks the opening and closing times of the valves that will be created and (2) creates a bypass valve beside the reactor. After solving the problem, the safety evaluation system enters a loop of evaluation and modification until no hazardous situations exist. As a result of the safety evaluation, the system detected some pressure problems that could be corrected by modifying the opening time of the purge valve and the switching time of the compressor.

After the system evaluates the safety during start-up when the process works free of failures, the possible failure modes during start-up are identified and simulated in order to evaluate safety during start-up. In this case study we consider `fail to open' and `fail to close' of each valve as the possible failure modes. The safety evaluation system applies `fail to open' to each valve in sequence. These faults occur in practice when `the control system could not open the valve which has to be open according to the start-up procedure'. For example, if the valve CV7 cannot be opened at a given time, hydrogen sulphide gas is dispersed through purge valve CV8. To prevent such a problem, the system suggests opening valve CV7 earlier so that, if the valve cannot be opened, an appropriate action can be taken before the next start-up sequence follows. This becomes a schedule modification that requires timing changes of other valve actions. Not only does it consider the problem `fail to open' but also `fail to close'. The safety evaluation system analyses the situations of `fail to close', i.e. `a valve must be closed but remains open'. As a result of the failure analysis of `fail to open', the system identified potential hazards on CV7, CV9, CV11, and CV13.
The system changed the start-up procedure to solve the problems concerned with CV7 and CV11, and recommended installing safety valves on the units related to CV9 and CV13. Figure 8 shows the modified PFD and Fig. 9 shows the valve actions as the final results of the safety evaluations.
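The catalyst rule and the level-by-level action planning of the case study above, as an added worked example for this edition (it is not the authors' G2 knowledge base): a constructed furnace/reactor pair with feed valve CV1, reactor inlet valve CV2 and an optional BYPASS valve (assumed names, as are the heating rate and the 10-step planning horizon) is evaluated with the paper's rule, which returns the same record (main-work-situation, physical-property, status-of-property, status-constraint-value, object-focused) the evaluation system hands to the action planning module; the planner then tries a level-1 procedure change (keep CV2 closed until FURNACE-1 is hot) and, when that cannot complete the start-up because the furnace is not fired without material in it, the level-2 topology change of a bypass valve.

```python
# Added example (not the paper's code): the case study's catalyst-temperature
# rule and the Table 1 action-planning ladder on a constructed furnace/reactor
# model. Unit names (CV1, CV2, BYPASS, FURNACE-1, REACTOR-1), the heating rate
# and the horizon are assumptions for this toy, not values from the paper.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

T_MIN = 205.0        # catalyst limit from the case study (status-constraint-value)
MIN_FLOW = 0.0       # hydrogen flow above which the reactor counts as "in contact"
HEAT_RATE = 50.0     # furnace heating per step when fired with flow (assumed)
HORIZON = 10         # time steps the planner allows for start-up (assumed)

@dataclass
class State:
    valves: Dict[str, bool]           # valve name -> open?
    furnace_temp: float = 20.0
    reactor_temp: float = 20.0

def flows(s: State) -> Tuple[float, float]:
    """Return (flow through FURNACE-1, hydrogen flow into REACTOR-1) for one step."""
    feed = s.valves.get("CV1", False)
    to_reactor = feed and s.valves.get("CV2", False)
    through_furnace = to_reactor or (feed and s.valves.get("BYPASS", False))
    return (1.0 if through_furnace else 0.0, 1.0 if to_reactor else 0.0)

def catalyst_rule(s: State) -> Optional[dict]:
    """The paper's G2 rule: T-min > reactor temperature while hydrogen flows in.
    Returns the record the safety evaluation hands to the action planning module."""
    _, h2 = flows(s)
    if T_MIN > s.reactor_temp and h2 > MIN_FLOW:
        return {"main-work-situation": "design-modification",
                "physical-property": "temperature",
                "status-of-property": "low",
                "status-constraint-value": T_MIN,
                "object-focused": "REACTOR-1"}
    return None

Procedure = Callable[[int, State], Dict[str, bool]]   # step -> valve commands

def evaluate(topology: List[str], procedure: Procedure) -> dict:
    """Simulate start-up on the given topology and check the rule at every step."""
    s = State({v: False for v in topology})
    completed = False
    for t in range(HORIZON):
        for v, is_open in procedure(t, s).items():
            if v in s.valves:            # commands to units absent from the PFD are ignored
                s.valves[v] = is_open
        furnace_flow, h2 = flows(s)
        if furnace_flow > 0:             # interlock: the furnace is only fired with material in it
            s.furnace_temp += HEAT_RATE
        if h2 > 0:
            s.reactor_temp = s.furnace_temp
            completed = True             # feed has reached the reactor
        hazard = catalyst_rule(s)
        if hazard:
            return {"hazard": dict(hazard, time=t), "completed": False}
    return {"hazard": None, "completed": completed}

def baseline(t: int, s: State) -> Dict[str, bool]:
    """Original procedure: open feed and reactor inlet together at t = 0."""
    return {"CV1": True, "CV2": True} if t == 0 else {}

def level1_delay_cv2(t: int, s: State) -> Dict[str, bool]:
    """Level 1 (change the procedure): keep CV2 closed until FURNACE-1 reaches T-min."""
    cmds = {"CV1": True} if t == 0 else {}
    if s.furnace_temp >= T_MIN:
        cmds["CV2"] = True
    return cmds

def level2_bypass(t: int, s: State) -> Dict[str, bool]:
    """Level 2 (modify the topology): heat the furnace through a bypass, then switch to the reactor."""
    cmds = {"CV1": True, "BYPASS": True} if t == 0 else {}
    if s.furnace_temp >= T_MIN:
        cmds.update({"CV2": True, "BYPASS": False})
    return cmds

LADDER = [  # (level, method name, extra units added to the PFD, procedure), in priority order
    (1, "delay CV2 until FURNACE-1 is hot", [], level1_delay_cv2),
    (2, "add bypass valve around REACTOR-1", ["BYPASS"], level2_bypass),
]

def plan(topology: List[str], ladder=LADDER) -> Optional[dict]:
    """Apply the ladder: the first method that completes start-up without
    firing the rule is the accepted modification."""
    for level, name, extra, proc in ladder:
        result = evaluate(topology + extra, proc)
        if result["hazard"] is None and result["completed"]:
            return {"level": level, "method": name, "topology": topology + extra}
    return None

if __name__ == "__main__":
    print("baseline:", evaluate(["CV1", "CV2"], baseline)["hazard"])
    print("level 1:", evaluate(["CV1", "CV2"], level1_delay_cv2))
    print("accepted:", plan(["CV1", "CV2"]))
```

The level-1 attempt ends with no hazard but an incomplete start-up, which is why the planner must check both conditions before accepting a method; treating "no rule fired" alone as success would accept a procedure that never brings the plant on line.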


Fig. 8. PFD of HDS process after safety evaluations.

5. Conclusions

For safer process start-up operation, a safety evaluation system has been developed and integrated into an operational design support system. As a key component, it examines the potential hazards during start-up. The evaluation result is used for plant topology modification and start-up operation regeneration. This system also assumes failure modes and checks the consequences of the assumptions so as to eliminate any potential hazards. A prototype evaluation system is implemented in Gensym's G2 expert system shell in which the above methodology has been applied to a hydrodesulphurization (HDS) process. The system uses an object-oriented structure so that both generic and application-specific knowledge are managed conveniently. This will make the application of such a system to other chemical processes fairly easy because only application-specific knowledge needs to be modified. A case study has been carried out on the HDS plant which shows how to improve the plant structure and the operating procedures for process safety. For example, the evaluation system recommended installing a bypass valve around the reactor and safety valves on the low pressure separator and the overhead receiver, and changing the start-up procedure to prevent hazardous situations. For further work, a more rigorous and powerful dynamic simulator is necessary to deal with all possible abnormal situations. The developed system can be improved by adding more knowledge on interlock and alarm systems.

Fig. 9. Valve actions for start-up after safety evaluations.

Acknowledgements

Partial financial support from the Korea Science and Engineering Foundation through the Automation Research Centre at POSTECH is gratefully acknowledged. The authors express their appreciation to Professor Y. Naka at the Tokyo Institute of Technology for valuable ideas on plant start-up safety.

References

Batres, R., Naka, Y., Adriani, A., Arai, K., Lu, M. L., Pradubsripetch, D., Lee, S. and Yamada, I. (1995) Operational design for startup and shutdown of chemical plants based on a topological approach, in Proceedings of First International Plant and Design Conference, AIChE Spring Meeting, pp. 211-219.
Catino, C. A. and Ungar, L. H. (1995) Model-based approach to automated hazard identification of chemical plants. Journal of the American Institute of Chemical Engineers, 41, 97-109.
Centre for Chemical Process Safety (1992) Guidelines for Hazard Evaluation Procedures, 2nd edn, American Institute of Chemical Engineers, New York.
Crowl, D. A. and Louvar, J. F. (1990) Chemical Process Safety: Fundamentals with Applications, Prentice Hall, Englewood Cliffs NJ.
Lee, S., Batres, R., Lu, M. L. and Naka, Y. (1996) Study on safety evaluation for startup, in Proceedings of the 5th World Congress of Chemical Engineering, San Diego CA.
Naka, Y. and McGreavy, C. (1994) Modular approach for startup operational procedures of chemical plants, in Proceedings of PSE 94, Kyangju, Korea, pp. 1007-1013.
Nimmo, I. (1994) Extend HAZOP to computer control systems. Chemical Engineering Progress, 90, 32-44.
Vaidhyanathan, R. and Venkatasubramanian, V. (1995) Digraph-based models for automated HAZOP analysis. Reliability Engineering and System Safety, 50, 33-49.
Vaidhyanathan, R. and Venkatasubramanian, V. (1996) Experience with an expert system for automated HAZOP analysis. Computers and Chemical Engineering, 20, S1589-1594.
Venkatasubramanian, V. and Vaidhyanathan, R. (1994a) HAZOP Expert: a knowledge-based system for HAZOP analysis, in Proceedings of PSE 94, Kyangju, Korea, pp. 1117-1122.
Venkatasubramanian, V. and Vaidhyanathan, R. (1994b) A knowledge-based framework for automating HAZOP analysis. Journal of the American Institute of Chemical Engineers, 40, 496-505.
