
Integration of HAZOP and FMEA analysis

in an interactive support system

M. Galluzzo, V. Bartolozzi*, V. Puccia,

University of Palermo, Dipartimento di Ingegneria Chimica dei Processi e dei Materiali,
Viale delle Scienze, 90128 Palermo, Italy
E-mail: galluzzo@unipa.it
*Regional Environmental Protection Agency, ARPA Sicilia,
Via Ugo La Malfa 162, 90100 Palermo, Italy

Abstract
Some results of the implementation of a new support tool for automated hazard
analysis are presented in this paper.
We describe in detail the further progress made in applying intelligent systems to
hazard analysis, and in particular to HAZOP and FMEA analysis.
A previously developed program, which automatically generates the HAZOP report as
far as the determination of the causes and consequences of variable deviations is
concerned, has been enriched with the knowledge needed to perform part of the FMEA
analysis for the components of the control and interlock systems of the plant.
The advantages and limits of using the support tool for HAZOP and FMEA analyses,
and of the qualitative modelling adopted for knowledge representation, are critically
discussed.

Keywords: HAZOP, FMEA, Safety analysis, Automatic support systems

Introduction

The identification of the risk of a potentially dangerous installation plays a fundamental
part in attaining a desired level of safety. This phase consists of identifying the possible
significant incidents by applying systematic investigation techniques. In the
process industry the principal investigation method for this objective is the Hazard and
Operability Analysis (HAZOP) proposed by Lawley (1974). The HAZOP analysis is
conducted by a team of plant experts (process and instrument technicians, process and
control engineers, etc.) led by a safety analyst, through the careful examination of the
possible consequences of the disturbances in the plant originated by component failures
or human errors.
The HAZOP analysis of a plant in fact requires a wide variety of knowledge, ranging
from the method itself to the plant layout and the equipment, in both functional and
structural terms, from the chemical-physical characteristics of the substances to the
plant instrumentation, and from the operating procedures to the protection systems.
For the HAZOP analysis to be automated, it must be translated into a series of
procedures and rules that define a systematic application of guide words to the main
process variables of the nodes into which the plant is subdivided. A computer support
for the HAZOP analysis that goes beyond the simple recording of the analysis, a
common characteristic of several commercially available products, must at least be able
to provide guidance in carrying out the analysis.
In recent years several research efforts have been devoted to using computer systems
to facilitate, where possible, the work of the analysts and at the same time to prevent
errors in applying the technique (McCoy et al. 1999, Bartolozzi et al. 2000).
Venkatasubramanian, Zhao and Viswanathan (2000) reviewed the progress in this area
over the past few years.
All approaches to automated hazard analysis still consist of academic prototypes that are
usually shown applied to simple industrial cases.
In a previous work (Bartolozzi et al. 2000) we also addressed the issue of automating
the HAZOP analysis for continuous, semi-continuous and batch chemical plants,
starting from the support system for hazard analysis STARS, Software Tool for
Analysis of Reliability & Safety (European Commission 1997), modified to include a
new module, HAST, HAZOP Support Tool (Cocchiara et al. 2001). The same authors
have recently proposed a new prototype support system, WiTH, Windows Tool for
HAZOP analysis, dedicated to automatic hazard analysis (Galluzzo et al. 2004).
The Failure Modes and Effects Analysis, FMEA (King and Rudd 1972), is a systematic
approach to identifying, analysing and prioritising the potential failure modes, failure
rates, and root causes of known failures. The FMEA is a disciplined analysis that allows
the identification of potential or known failure modes, providing when necessary
corrective actions. It involves the application of various technologies and methods to
produce an effective analysis output.
FMEA provides a framework for a detailed cause and effect analysis and requires a
team to thoroughly examine and quantify the relationships among failure modes,
effects, causes, current controls, and recommended actions.
Several authors (Stamatis, 1995) have reported problems in using the FMEA process.
They pointed out that a manual FMEA often produces an unwieldy document and that
the traditional brainstorming process for FMEA is tedious, time-consuming and error-
prone. They also pointed out that FMEA often suffers from inconsistency and
incompleteness, and that FMEA expertise tends to be concentrated in the hands of
relatively few specialists. Automation could be relevant in addressing all these
problems.
Pugh and Snooke (1996) discussed a qualitative knowledge-based system for FMEA.
Price (1996) extended their work to include a facility for iterative analysis of electrical
systems.
Montgomery et al. (1996) described a pilot program to link tools for qualitative and
quantitative FMEA automation in the automotive industry.
The present paper, mainly concentrated on the modelling topic, describes the
application, in an automatic support system, of equipment unit models specialised for
HAZOP and FMEA analysis. The qualitative models considered at this stage for the
integration of HAZOP and FMEA analyses are the models of the components of control
and interlock systems, which are very critical from the point of view of the hazard
analysis.
1. HAZOP analysis and FMEA analysis

HAZOP studies have become a significant part of the design of new process plants
and of the revision of existing plants in the process industry.
The HAZOP analysis systematically identifies all the possible causes and consequences
within the system of each hypothesised deviation of one of the process variables: the
search is carried out by applying a set of “guide words” to the process variables of the
plant and determining all the process variable deviations.
A HAZOP analysis is normally executed by a multidisciplinary team of experts in
process plant design, operation and maintenance, who analyse the process P&ID to find
out the causes and consequences of every abnormal deviation of the process variables.
The analysis is time consuming and requires a large amount of work by the group of
experts.
In order to reduce the analysis work and increase its reliability, computerised support
systems have been considered. Some of these, commercially available, consist of
simple spreadsheet applications and can be useful in producing a standardised final
report.
The FMEA analysis is similar to the HAZOP analysis: both subdivide the plant into
elementary parts for the scope of the analysis, hypothesise a deviation from the normal
operating condition and evaluate its consequences, and both produce a similar final
report in the form of a table in which the causes and consequences of the deviations are
indicated.
Whereas the HAZOP analysis hypothesises process parameter deviations in a node into
which the plant has been subdivided and investigates their causes and consequences,
during the FMEA analysis the experts focus their attention on particular equipment
units, hypothesise the typical malfunctions of components, list the failure modes,
investigate the failure causes and estimate the failure effects on the other system
components.
FMEA involves the investigation and assessment of the effects of the possible failure
modes on a system. This analysis should be carried out during the design stage, as it is
important that designs are analysed for all hazardous critical situations. This is an
extremely tedious process because it demands a detailed and systematic examination of
each part of the design. Moreover this work requires professional engineers with
extensive experience.
These two elements indicate the great benefit of automating the analysis: a support
system capable of reproducing part of the safety analysis would significantly reduce the
time required to apply the procedure.
The hypothesis of a completely automated hazard analysis, both HAZOP and FMEA,
appears unrealistic at least for the moment, since it would be necessary to supply the
support system with an extensive knowledge base that cannot be defined a priori. On
this account it is realistic to think of an interactive support system which automates just
one part of the safety analysis, i.e. the part linked to the elements which may be
generalised and are therefore less dependent on information specific to the particular
plant. These elements are those more closely linked to the functional aspects of the
equipment.
2. Qualitative models for hazard analysis automation

A key part of the HAZOP methodology is the analysis of the causes and consequences
of the possible deviations of the variables associated with the nodes in which the plant is
subdivided.
This analysis is usually made on the basis of the knowledge of the input-output and/or
cause-consequence relations among the variables associated with the different
equipment units and of the typical failure modes of each single equipment unit.
For this purpose the analysts model the different components in qualitative terms. The
search for the causes or consequences of a particular deviation is carried out by a
procedure of backward or forward logic propagation.
The qualitative models of the equipment units are similar to those developed by Kelly
and Lees (1986) to analyse and simulate the propagation of faults in chemical process
plants; they contain the reasoning mechanisms and the knowledge used by the process
technicians and by the other experts during the analysis in searching for the causes and
the consequences of a deviation.
It seemed evident, therefore, that the main characteristic of the knowledge base should be
a representation of the single units of the plant by models allowing the propagation of
variable deviations. Each model is formed of a certain number of elements, linked to each
other, each of which is intended for a particular application of the model. More details
about the models used can be found in Bartolozzi et al. (2000).
The heart of the qualitative model of an equipment unit is the “cause” model and the
“consequence” model. These models contain the information necessary to search for
the causes and consequences of deviations of the main variables of the plant units and to
propagate variable deviations from one unit to the previous or the next one.

Figure 1. Example of a cause tree: the Top Event is a variable deviation, with the basic
events CAUSE 1 to CAUSE 5 on a single level below it

The “cause” model contains a certain number of mini logic trees, referred to as cause
trees (Figure 1); these have as “Top Event” a deviation of one of the variables which
define the specific unit, and as “Basic Events” events which take place within the unit
itself or deviations of the input variables. In some cases such events are connected by
OR/AND logic gates and form a single level of events under the Top Event (hence the
name mini logic trees).
The “consequence” model for an equipment unit can be set up by considering for each
input variable deviation the set of mini-trees of the “cause” model of the equipment unit in
which the considered deviation is present, and making a logical link between the deviation
and the final events of these mini-trees.
Finally the HAZOP model also contains cause trees, but only those corresponding to the
deviations examined during the HAZOP analysis, which must therefore be reported in
the final forms. For each unit a selection has been made among the deviations present in
the cause model, and those significant for the HAZOP analysis have been identified; all
the other deviations are used only for propagation.
In this manner a model library has been constructed which includes the most common
chemical process units.
As said, failure mode and effect analysis (FMEA) is a technique used to define, identify
and eliminate potential failures, problems, errors and so on from a system, process or
design. The evaluation may consider historical and reliability data to identify and define
the inherent failures and to analyse their impact on the connected equipment units and
on the overall process.
It is generally accepted that FMEA comes in four variants, according to whether the
analysis is carried out on the system, the design, the process or the service.
In our work a “system FMEA” has been considered, used to analyse systems and
subsystems in the early concept and design stage. A system FMEA focuses on the
potential failure modes between the functions of the system caused by system
deficiencies, and includes the interactions between systems and between the elements of
a system.
The output of the system FMEA could be:
• A list of potential failure modes
• A list of system functions that could detect potential failure modes
• A list of design actions that can eliminate failure modes or reduce their
occurrence.
The models to be used for the FMEA contain information and data, relative to the
failure modes and malfunctions of the component units, that are more specific than
those of the models specialised for the HAZOP analysis.
The choice of the functional data is made according to a priority order typical of the
FMEA methodology. In particular, three factors define the priority of a failure:
• Occurrence (O)
• Severity (S)
• Detection (D)
where Occurrence is the frequency of the failure, Severity is the seriousness of its effect,
and Detection expresses the ability to detect the failure before it affects the system (on
the usual 1-10 scales a failure that is harder to detect receives a higher Detection score).
The possible failures are ranked by the Risk Priority Number (RPN), which is the
product of the occurrence, severity and detection scores: RPN = O × S × D.
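The following Python script is an added example, not code from the paper or from the WiTH prototype: it builds a small FMEA worksheet of the kind just described and ranks its entries by RPN. The failure-mode wording is taken from the control loop subsystems of Table 1 below; the effects, the O/S/D scores (on 1-10 scales) and the action thresholds are constructed assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class FailureMode:
    """One row of an FMEA worksheet. Scores follow the usual 1-10 scales:
    10 = most frequent (O), most severe (S), hardest to detect (D)."""
    subsystem: str
    mode: str
    effect: str
    occurrence: int   # O
    severity: int     # S
    detection: int    # D

    def __post_init__(self):
        for name in ("occurrence", "severity", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")

    @property
    def rpn(self) -> int:
        return self.occurrence * self.severity * self.detection


# Constructed worksheet for a temperature control loop; effects and scores are assumptions.
WORKSHEET: List[FailureMode] = [
    FailureMode("Actuator", "Cracked or flawed valve", "Steam leak, T_out drifts", 2, 8, 5),
    FailureMode("Actuator", "Excessive valve deadband", "T_out cycles around set point", 5, 4, 3),
    FailureMode("Controller", "Erratic output", "Valve hunts, T_out unstable", 3, 6, 2),
    FailureMode("Controller", "No change of output with change of input",
                "Loop effectively open: T_out uncontrolled", 2, 9, 4),
    FailureMode("Sensor", "Off-calibration thermocouple", "T_out held at wrong value", 4, 7, 7),
    FailureMode("Sensor", "Buildup of material on the thermowell", "Slow response, overshoot", 6, 5, 8),
    FailureMode("Transducer", "Plugged line to pressure sensor", "Frozen reading", 3, 7, 6),
]


def ranked(ws: List[FailureMode]) -> List[FailureMode]:
    """Sort by RPN; ties broken by severity, then by detection, so that an item that is
    severe and hard to detect does not sink below an equal-RPN item that is merely frequent."""
    return sorted(ws, key=lambda f: (f.rpn, f.severity, f.detection), reverse=True)


def above_threshold(ws: List[FailureMode], rpn_limit: int = 100,
                    severity_limit: int = 9) -> List[FailureMode]:
    """Items that need a recommended action: high RPN, or high severity regardless of RPN
    (the severity override is a design choice of this example; thresholds are assumptions)."""
    return [f for f in ws if f.rpn >= rpn_limit or f.severity >= severity_limit]


def print_worksheet(ws: List[FailureMode]) -> None:
    print(f"{'Subsystem':<11}{'Failure mode':<44}{'O':>3}{'S':>3}{'D':>3}{'RPN':>5}")
    for f in ranked(ws):
        print(f"{f.subsystem:<11}{f.mode:<44}{f.occurrence:>3}{f.severity:>3}"
              f"{f.detection:>3}{f.rpn:>5}")


if __name__ == "__main__":
    print_worksheet(WORKSHEET)
    for f in above_threshold(WORKSHEET):
        print("ACTION:", f.subsystem, "-", f.mode, "(RPN", f.rpn, ")")
```

With RPN alone, the controller failure "no change of output with change of input" (Severity 9, RPN 72) would rank below a frequent but benign mode such as thermowell fouling (RPN 240); the severity override in above_threshold is the practitioner's usual guard against that, and is not part of the paper's method.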

3. Qualitative model of a generic control loop

To consider the hazard analysis of control systems a general qualitative model is
proposed. The modelling starts from the type of the controlled variable (ycontr.) and,
consequently, from the type of controller, measurement device, etc.
In order to insert this knowledge in an automatic support system it is necessary to make
available models that are representative of the functions and of the typical failure modes
of the control loop components.
The models hypothesised for this aim are represented by a collection of logic trees
which link the deviations of the generic controlled variable to the possible causes and
consequences of those deviations.
The cause tree of the generic controlled variable is shown in Figure 2:
The cause tree of the generic controlled variable is shown in Figure 2:

Figure 2. The generic cause tree of the controlled variable: Top Event “More/Less/No
ycontr.”, with three basic events on the level below it: control loop inefficiency,
disturbances out of control, and control loop saturation

In the very common circumstance in which the final control element is a valve, and
therefore the manipulated variable is a flow rate, two cases of control loop inefficiency
can be considered.
The first case, indicated as a “failure of the control loop in closing”, is when the final
effect of the inefficiency of one of the components of the loop is that the valve opens to
a greater extent than desired. The second, a “failure of the control loop in opening”,
results in the control valve opening to a lesser extent than desired.
The causes of these inefficiencies are looked for within the control loop itself and are
usually traceable to malfunctions of the components of the loop. This part of the hazard
analysis is well suited to FMEA, which deals with potential and known failure modes.
Changing the type of control loop varies the number and type of its components, as
well as the control logic. As a consequence the causes which generate the inefficiency
of the components of the control loop are different.
In the model it is also assumed that the controlled variable might “deviate” from its set
value for two other reasons besides the inefficiency of the control loop: disturbances
beyond control and saturation of the control loop.
Disturbances beyond control determine deviations of the controlled variable from its set
point that cannot be compensated by the loop, since the manipulated variable has no
influence on them.
Saturation of the control loop is the case in which, even though the loop intervenes to its
maximum capacity, the disturbance is so great that the controlled variable is affected
anyway. These cases arise from disturbances consisting of very large deviations of some
variables which influence the controlled variable.
Such large disturbances require additional guide words with respect to those normally
used in HAZOP, i.e. MORE MORE / LESS LESS, to distinguish these deviations from
the MORE / LESS deviations which the control system is able to compensate.
To extend the hazard analysis considering the failure modes and the failure causes of the
typical components of control loops let us consider the analysis of the simple
temperature control loop shown in Fig. 3.

Figure 3. Example of a typical control loop: a process stream (Fp, Tp) heated by steam
(Fs, Ts); the temperature T is measured by a thermocouple and transmitter, converted
(A/D) for the DCS control computer, which receives the set point Tsp from the operator;
the controller output passes through D/A and I/P conversion to the air-operated control
valve

Actuator:
• Cracked or flawed
• Excessive valve deadband
• Improperly sized control valve
• Valve packing tightened too much
• Improperly tuned valve positioner
• Leakage
• Rupture

Controller:
• Erratic output
• No change of output with change of input
• Filtering on the measured value of the controlled variable
• Tuning on the controller

Sensor, transmitter:
• Erratic output
• No change of output with change of input
• Improperly calibrated
• Excessive signal filtering

Sensor, temperature:
• Off calibration
• Buildup of material on the thermowell
• Improperly located thermowell
• Erratic output

Sensor, pressure transducer:
• Plugged line to pressure sensor
• Maximum output
• No output
• No change of output with change of input

Table 1. Common subsystem failure modes


For the complete system it is possible to hypothesise the malfunctioning of the control
loop and to check each of its subsystems:
– Actuator
– Controller
– Sensor
– Process
Table 1 reports the most common problems encountered with the single subsystems.
In addition to those reported in Table 1, other less obvious failure modes, depending on
failure causes not yet investigated, may exist. In that case a new or modified verification
technique is needed.

4. The support system for automatic hazard analysis

In order to set up an automatic hazard analysis tool it is necessary to identify and
incorporate into the system the knowledge used by the safety analyst and the other
members of the team during a complete study. This, together with the specific rules and
procedures of the analysis method, includes the knowledge of the plant layout, of the
processes, equipment and materials involved, and of the control and safety systems.
Among its main features the support system includes the possibility of building the
plant P&I diagram using a graphical interface environment and a library of models.
In particular, the system is able to perform several tasks:
• drawing a plant P&I diagram on the basis of a group of previously defined
equipment units;
• identifying possible infinite loops in the propagation;
• developing the hazard analysis and searching for the causes and the
consequences of any variable deviation of a component, propagating the
deviation backwards or forwards;
• generating the final report.
The support system uses graphic objects corresponding to the single units of the plant,
available from a library provided in the system but that can be integrated, if necessary,
with other graphical objects.
Specific elements are associated with each graphical object, in different forms (tables,
rules, etc.), which together make up the whole model of the single component. The
library of component models constitutes the fundamental knowledge base necessary to
carry out a HAZOP and FMEA analysis. An editor allows the properties and
characteristics of the components to be defined, grouping them in classes, with the
possibility of transferring them from more general classes to more specific ones.
The most important part of a component model consists of a collection of mini trees,
which may be considered as cause logic trees and consequence logic trees, each one of
them corresponding to a deviation of one of the variables, normally considered in the
HAZOP analysis. Specific models regarding FMEA analysis aspects, have been
implemented containing detailed information about functioning data and failure modes
of control and interlock systems.
The proposed software WiTH aims to enhance the potential of HAZOP in terms of
depth and efficiency of the analysis. This enhancement is reached by continuing the
hazard and operability analysis, limited to a group of equipment units and events which
may lead to high risks for the plant and/or the surrounding environment. For this
purpose the concurrent application of FMEA can be very useful, being a systematic
approach to identifying and quantifying the failure modes, failure rates and root causes
of known failures of specific, very sensitive parts of the plant.
The search for the causes and consequences of variable deviations starts from the
selection of the variable deviations in the equipment units.
The inference engine manages the search for the causes and consequences of deviations
through a superstructure built on the Access database: each query consists of a set of
filters on the database records, which select only the relevant records by means of
dynamic data pointers.
The flow diagram in Fig. 4 summarises the inferential process.

Figure 4. Flow diagram of the inferential process. The diagram links the following
steps: selection of a variable deviation; Query 1, which returns the data of the
equipment unit models (mini-tree string and other data: variable, deviation type, failure
mode, etc.) to the search routine on the equipment units; string splitting up and filling
of the cause/consequence vectors; inference process 1 (general knowledge), i.e. the
determination of causes and consequences, with an activation flag to prevent infinite
propagation loops; data allocation of the first-stage results of the inference process;
Query 2 and inference process 2 (specific knowledge); Query 3 and propagation of
causes and consequences; refreshing of the bit board of the active deviations

4.1 A brief note about the main aspects adopted to implement the support system Wi.T.H.
The support system Wi.T.H. has been implemented using Microsoft Visual Basic, with
Microsoft Access for the general knowledge database.
The object library of Microsoft Excel has been included in the support system in order
to obtain a better visualisation of the results and of intermediate data. The system uses
the tools of high-level Windows applications for the management of the interfaces, i.e.
controls such as buttons and sliding bars, together with ActiveX Data Objects (ADO)
for database access.
The formulation of the queries on the database required the use of SQL (Structured
Query Language).
5. Qualitative models in automatic hazard analysis

Starting from the first unit of the plant P&I diagram, all the HAZOP nodes are examined
in turn. For each node the deviations contained in the corresponding HAZOP model of
the unit are considered. The FMEA analysis is limited to the equipment units considered
critical for plant safety.

Figure 5. P&I visualized in the support system

A fundamental first stage of the HAZOP analysis is the choice of the nodes, i.e. of the
parts into which the plant is subdivided for the scope of the analysis. The choice may be
made in various ways: often a node is intended as the collection of the equipment units
which contribute to carrying out a single function. The requirements of automation
impose a high degree of generalisation and of detail at the same time. It is for this reason
that, with the aim of constructing a support system, it is preferable to define the nodes
as single functional units. This choice is indispensable owing to the necessity of making
the equipment models as general as possible and of considering the characteristic details
relative to the FMEA.
The causes of each deviation are the basic events of the corresponding cause tree and
are reported in the causes column of the HAZOP form. At this level the causes are the
deviations of the input variables of the particular unit or an internal failure.
Searching upstream for the causes of a deviation, the support system can be asked to
indicate the possible causes of all or some of the causes found at this level (the basic
events of the tree). These in turn are deviations of the output variables of another unit
for which a cause model has been composed, and therefore the logic trees allow the
search to be extended further upstream.
The search for the consequences may be carried out in a similar way, by defining
consequence models for the single equipment units.
For a specific equipment unit (node) the consequences of a given variable deviation are
either the top events of all the cause trees of the unit which have the deviation as a basic
event, or the top events of the cause trees of the downstream equipment unit (node)
which have the considered deviation as a basic event. For a specific equipment unit a
detailed FMEA allows specific information about the function modes, failure modes
and failure causes of its elementary components to be considered. Further data can be
introduced in the final report interactively.

Figure 6. Results of cause-deviation research
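As an added illustration, and not code from the paper or from the WiTH prototype, the following Python script implements the backward and forward search described in Sections 2, 4 and 5 on a constructed three-unit plant: a feed pump P1, a steam-heated exchanger E1 whose outlet temperature is held by a control loop TC1, and a reactor R1 with a recycle back to the pump suction. Unit names, variable names, cause trees and plant links are all assumptions made for the example. Cause trees are stored as mini trees with an OR of basic events; the consequence model is obtained by inverting them through the plant links, as Section 2 describes; and the set of deviations active on the current search path plays the role of the activation flags of Fig. 4, so that the recycle is reported once as a loop instead of being propagated forever.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

Dev = Tuple[str, str, str]          # (unit, variable, guide word)


@dataclass(frozen=True)
class Failure:                      # event internal to one unit
    unit: str
    text: str


# Cause model of a constructed three-unit plant (all names and trees are assumptions):
# each mini tree maps a Top Event deviation to an OR of basic events, which are internal
# failures, input-variable deviations or deviations of another variable of the same unit.
CAUSE_TREES: Dict[Dev, List[Union[Dev, Failure]]] = {
    # P1: feed pump
    ("P1", "F_out", "LESS"): [Failure("P1", "impeller wear / partial blockage"), ("P1", "F_in", "LESS")],
    ("P1", "F_out", "NO"): [Failure("P1", "pump trip"), ("P1", "F_in", "NO")],
    # E1: steam-heated exchanger; loop TC1 controls T_out by manipulating the steam flow Fs
    ("E1", "T_out", "MORE"): [Failure("E1", "TC1 failure in closing (steam valve more open than desired)"),
                              ("E1", "T_in", "MORE MORE"),      # saturation: beyond loop capacity
                              ("E1", "F_in", "LESS LESS")],
    ("E1", "T_out", "LESS"): [Failure("E1", "TC1 failure in opening (steam valve less open than desired)"),
                              ("E1", "Fs", "NO"),               # disturbance the loop cannot act on
                              ("E1", "F_in", "MORE MORE")],
    ("E1", "F_out", "LESS"): [Failure("E1", "tube fouling"), ("E1", "F_in", "LESS")],
    ("E1", "F_out", "NO"): [("E1", "F_in", "NO")],
    # R1: reactor fed by E1, with a recycle stream F_rec back to the pump suction
    ("R1", "T", "MORE"): [Failure("R1", "cooling water failure"), ("R1", "T_in", "MORE")],
    ("R1", "P", "MORE"): [("R1", "T", "MORE")],
    ("R1", "F_rec", "LESS"): [("R1", "F_in", "LESS")],
    ("R1", "F_rec", "NO"): [("R1", "F_in", "NO")],
}

# Plant connectivity from the P&I diagram: (unit, input variable) -> (upstream unit, output variable)
LINKS: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("E1", "F_in"): ("P1", "F_out"),
    ("E1", "T_in"): ("P1", "T_out"),   # P1 has no cause tree for T_out: the search stops there
    ("R1", "F_in"): ("E1", "F_out"),
    ("R1", "T_in"): ("E1", "T_out"),
    ("P1", "F_in"): ("R1", "F_rec"),   # recycle: a cycle in the propagation graph
}


def resolve(dev: Dev) -> Dev:
    """Map a deviation of a unit's input variable onto the upstream unit's output variable."""
    up = LINKS.get((dev[0], dev[1]))
    return (up[0], up[1], dev[2]) if up else dev


def label(dev: Dev) -> str:
    return f"{dev[2]} {dev[1]} @ {dev[0]}"


def causes(dev: Dev, active: Optional[Set[Dev]] = None) -> List[List[str]]:
    """Backward search: every chain of events leading to `dev`, followed upstream through the
    cause trees of the feeding units. `active` holds the deviations on the current path (the
    activation flags); one already active is reported as a loop and not expanded again."""
    active = set() if active is None else active
    chains: List[List[str]] = []
    for basic in CAUSE_TREES.get(dev, []):
        if isinstance(basic, Failure):
            chains.append([f"{basic.unit}: {basic.text}"])
            continue
        src = resolve(basic)
        if src == dev or src in active:
            chains.append([label(src) + " (loop, not expanded)"])
        else:  # an upstream deviation without a cause tree stays as a leaf cause
            for chain in causes(src, active | {dev}) or [[]]:
                chains.append([label(src)] + chain)
    return chains


# Consequence model obtained by inverting the cause trees: a Top Event is a consequence
# of every deviation that appears (after resolving the plant links) among its basic events.
CONSEQ: Dict[Dev, List[Dev]] = defaultdict(list)
for _top, _basics in CAUSE_TREES.items():
    for _b in _basics:
        if not isinstance(_b, Failure):
            CONSEQ[resolve(_b)].append(_top)


def consequences(dev: Dev, active: Optional[Set[Dev]] = None) -> List[List[str]]:
    """Forward search: every chain of downstream deviations produced by `dev`."""
    active = set() if active is None else active
    chains: List[List[str]] = []
    for nxt in CONSEQ.get(dev, []):
        if nxt == dev or nxt in active:
            chains.append([label(nxt) + " (loop, not expanded)"])
        else:
            for chain in consequences(nxt, active | {dev}) or [[]]:
                chains.append([label(nxt)] + chain)
    return chains


if __name__ == "__main__":
    for d in [("E1", "T_out", "MORE"), ("E1", "F_out", "LESS"), ("P1", "F_out", "NO")]:
        print(label(d))
        for c in causes(d):
            print("  cause:       " + " <- ".join(c))
        for c in consequences(d):
            print("  consequence: " + " -> ".join(c))
```

Running the script prints one HAZOP row per selected deviation. A deviation of an input variable whose upstream unit has no cause tree (here MORE MORE T_out at P1) is kept as a leaf cause rather than dropped, so the form still records it for the team to complete interactively. AND gates, which the paper mentions for some trees, are not modelled in this example.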

6. Final considerations and results

The considered models of the equipment units, contain the specific knowledge relative
to the normal behaviour but also that relative to anomalous operation conditions: both
these types of knowledge are necessary to carry out the HAZOP analysis. The single
model is constituted by several modules to efficiently code the various types of
knowledge used by the experts during the analysis, searching the possible causes and
consequences of variable deviations and detecting the failure modes and the failure
causes of particular equipment units to extend the hazard analysis with FMEA.
The developed model library of the equipment units commonly found in a chemical
plant is the general knowledge database of the prototype. The system might be of
particular interest because it could contribute not only to a considerable reduction in the
cost of the analysis but also to more standardised and reproducible results.
A comparison between the output forms produced by the support system Wi.T.H. for
particular nodes and the corresponding output forms obtained as the result of traditional
hazard analysis meetings allows the following considerations.
The choice of elementary units, among which are included components such as pumps,
pipes, etc., as nodes, made in order to allow the automatic propagation of deviations,
leads to the production of a complex and highly detailed output form.
The analysis results obtained using the support system are encouraging: the automatic
report reproduces on the whole, qualitatively and quantitatively, the same results
obtained by the traditional hazard analysis in the search of the causes and the
consequences of variable deviations. The extension of the automatic investigation to the
failure modes and causes of some components, enhances the potential of hazard analysis
in terms of depth and efficiency of the analysis. This enhancement is reached through
the continuation of the hazard and operability analysis that, although limited to a group
of components, may prevent high risks for the plant and/or surrounding environment.
The use of qualitative models is partially successful in the identification of the
significant causes of deviations; however in some cases the models are dependent on the
context. The interactive use of the system allows information to be added, when
necessary, in order to prevent the propagation of a deviation towards an unproductive
direction.

7. References

Bartolozzi, V., Castiglione, L., Picciotto, A. and Galluzzo, M. (2000), Qualitative
models of equipment units and their use in automatic HAZOP analysis, Reliab Engng
Syst Safety, 70, pp. 49-57

Cocchiara, M., Bartolozzi, V., Picciotto, A. and Galluzzo, M. (2001), Integration of
interlock analysis with automated HAZOP analysis, Reliab Engng Syst Safety, 74, pp.
99-105

European Commission (1997). STARS II: User Manual. JRC, Ispra, Italy

Galluzzo, M., Bartolozzi, V. and Puccia, V. (2004), A New Prototype System For
Automatic HAZOP Analysis, in Senni Buratti, S. (ed.) Chemical Engineering
Transactions, Vol.5, pp. 229-234, AIDIC, Milan

Kelly, B.E. and Lees, F.P. (1986), The Propagation of Faults in Process Plants: 1.
Modelling of Fault Propagation, Reliability Engineering, 16, pp. 3-38

King, C.F. and Rudd, D.F. (1972), Design and maintenance of economically failure-
tolerant processes, AIChE J., 18, pp. 257-269

Lawley, H.G. (1974), Operability study and hazard analysis, Chem Engng Prog, 70 (4),
pp. 45-56

McCoy, S.A., Wakeman, S.J., Larkin, F.D., Jefferson, M.L., Chung, P.W.H., Rushton,
A.G., Lees, F.P. and Heino, P.M. (1999), HAZID, a computer aid for hazard
identification I. The STOPHAZ package and the HAZID code: An overview, the issues
and the structure, Process Safety and Environmental Protection, 77 (B6), pp. 317-327

Montgomery, T. A., Pugh, D.R., Leedham, S.T. and Twitchett, S.R. (1996), FMEA
automation for the complete design process. 1996 Proceedings Annual Reliability and
Maintainability Symposium, IEEE, pp. 30-36

Price, C.J. (1996), Effortless incremental design FMEA. 1996 Proceedings Annual
Reliability and Maintainability Symposium, IEEE, pp. 43-47

Pugh, D. R. and Snooke, N. (1996), Dynamic analysis of qualitative circuits for failure
mode and effects analysis. 1996 Proceedings Annual Reliability and Maintainability
Symposium, IEEE, pp. 37-42

Stamatis, D.H. (1995), Failure Modes and Effects Analysis, ASQ Quality Press,
Milwaukee, Wisconsin, USA

Venkatasubramanian, V., Zhao J. and Viswanathan S. (2000), Intelligent Systems for
HAZOP analysis of complex process plants. Comput Chem Engng, 24, pp. 2291-2302
