734 5 Safety and Risk i n Engineering Design Fig. 5.88 Monte Carlo simulation of RBD and FTA models During the simulation process, the model will be able to determine wh ether the system will fail, by examining the developed network diagram. The model does this by determining whether there are any open paths from the input node or block to the output node or block. An open path is a path that does not cross any failed component or sub-system blocks. Network diagrams may also be used to represent voting arrangements. Nodes to the right of a parallel arrangement may be given a vote number to indicate h ow many success paths must be available through the parallel arrangement (if a vote number is not specified, then only one path need be available). The simple parallel arrangementof thefourblocks 1, 2, 3 and 4 in Fig. 5.88,with a votenumber(number of available paths required for success) of 2, would result in the truth table given in Table 5.27. Figure 5.89 illustrates the use of the fault-tree diagram in determining potential system failuresin a parallelcontrol valve configurationof a high-integrity protection system (HIPS). This is developed from the imbedded Isograph AvSim c  Availabil- ity Simulation Model (Isograph 2001). Fault-tree diagrams graphically represent the interaction of failures and other events within a system. Basic events a t the bottom of the fault tree are linked via logic symbols (known as gates) to one or more TOP events. These TOP events represent identified hazards or system failure modes for 5.4 Application Modelling of Safety and Risk in Engineering Design 735 Table 5.27 Simple 2-out-of-4 vote arrangement truth table Valve 1 Valve 2 Valve 3 Valve 4 System Working Working Wo rking Working Working Failed Working Wo rking Working Working Working Failed Working Wo rking Working Working Working Failed Working Wo rking Working Working Wo rking Failed Working Working Working Failed Failed Working Working Failed Working Failed Working Working Failed Failed Working Working Failed Working Wo rking Working Failed Failed Working Failed Failed Working Failed Failed Working Wo rking Working Working Failed Failed Failed Failed Failed Working Failed Failed Failed Failed Failed Working Failed Failed Failed Failed Failed Working Failed Failed Failed Failed Failed Failed which predicted reliability or availability data are required. Basic events at the bot- tom of the fault tree generally represent component failures, although they may also represent other events such as operator actions. Fault trees ma y be used to analyse large and complex systems, and are p articularly adept at representing and analysing redundancy arrangements. Figures 5.90 and 5.91 illustr ate the Monte Carlo simulatio n results in the form of a Weibull cumulative failure probability graph, and an unavailability profile of the HIPS. The Weibull analysis module (Isograph 2001) analyses the simulation data by assigning probability distributions that represent the failure or repair characteris- tics of a given failure mode. In the integration of complex systems, the purpose of determining equipment criticality, or combinations of critical equipment, is to as- sess the times to wear-out failures. The Weibull d istribution is particularly useful because it can be applied to all three phases of the hazard rate curve. The failure distribution assigned to a given set of times to failure (known as a dataset) may be assigned to failure models that are attached to blocks in a network diagram or events in a fault-tree diagram. The model automatically fits the selected distribution to the data and displays the results graphically in the form of cumulative probability plots, unconditional probability density plots, and conditional probability density plots. Figure 5.90 illustrates Monte Carlo simulation results of unreliability displayed in the form of a Weibull cumulative failure probability graph. Unavailability profile graphs display the mean unavailability values for each time interval. Unavailability values may be displayed for several sub-systems, assemblies and components of a system, or integrated systems, which are concurrently being designed. Figure 5.91 illustrates the Monte Carlo simulation results in the form of an unavailability profile of the high-integrity protection system (HIPS). 736 5 Safety and Risk in Engineering Design Fig. 5.89 FTA modelling in designing for safety As stated in Sect. 4.4.1, dynamic system simulation in engineering design pro- vides for virtual prototyping of engineering processes, making design verification faster and less expensive. To fully exploit the advantages of virtual prototyping, dy- namic system simulation is the most efficient and effective. Dynamic system sim- ulation provides various design teams in a collaborative design environment with immediate feedback on design decisions, allowing for a comprehensive exploration of design alternatives and for optimal final designs. However, dynamic simulation modelling can be very complex, resulting in a need for simulation models to be easy to create and analyse. To take full advantage of virtual prototyping (i.e. developing PEMs), it is neces- sary for dynamic system simulation modelling to be integrated with the design en- vironment (through the AIB blackboard), and to provide a simple and intuitive user interface that requires a minimum of analysis expertise. Figure 5.92 illustrates the AIB blackboard model selection menu with the process flow diagramming (PFD) option that includes systems modelling and systems simulation. Access to a simula- tion modelling capability by design engineers in a collaborative design environment is a powerful feature provided by the AIB blackboard. Many engineered installations have a modular architecture that is based on the optimum selection and composition of systems, assemblies and components from 5.4 Application Modelling of Safety and Risk in Engineering Design 737 Fig. 5. 90 Weibull cumulative failure probability graph of HIPS older designs. When the new design is created, these system compositions are se- lected and then connected together in a systems configuration. Figures 5.93 to 5.97 illustrate the overall systems configuration of an extend process simulation model with PEM blocks. Multiple logical flow configurations can represent a particular system composi- tion, and are bound to the system’s configuration interface. The industrial systems simulation option of the Extend c  Performance Modelling (Extend 2001) software has been modified and imbedded into the AIB blackboard to include a wide range of process equipment models (PEMs). These PEMs are held in a general systems simulation database library that can be accessed by various programming options in the AIB blackboard (either imbedded as third-party software or as developed application software). A PEM system can be represented either as a single block (model component) or as a configuration of several blocks. These configurations are equivalent PEM specifications of the same blocks, and the choice of configuration is independent of the PEM system behaviour. Figure 5.93 shows a specific section’s process flow diagram (PFD) consisting of ten systems, each system graphically represented by a virtual prototype process equipment model (PEM). The systems, or PEM blocks, are linked together with logical flows. 738 5 Safety and Risk in Engineering Design Fig. 5.91 Profile modelling in designing for safety In many process designs, the physical or real-world systems are designed using model components. In such processes, these model components are selected, con- figured and assembled in such a way that the design specifications are met. A model component is a modular design entity with a complete specification describing how it may be connected to other model components in a model configuration. A model configuration is created when two or more model components are connected to each other via their interfaces. A model component can itself encapsulate a configura- tion of numerous model components, thus allowing for a hierarchical structure of sub-models as illustrated in Fig. 5.94. Each block pertaining to a PEM has connectors that are the interface points of the block. Connections are lines used to specify the logical flow from one model component to another, as illustrated in Fig. 5.94. As will be shown later, a model component is instantiated in the design by specifying instantiation parameters that describe its specification. Figures 5.95 and 5.96 illustrate the PEM simulation models process informa- tion. This information is generated either in a document layout of system perfor- mance variables (such as system contents, flows and surges, in the case of Fig. 5.95) or in a graphical display of system performance variables (such as in the case of Fig. 5.96). 5.4 Application Modelling of Safety and Risk in Engineering Design 739 Fig. 5. 92 AIB blackboard model with system simulation option Figure 5.95 illustrates system p erformance variables that describe PEM spec- ifications. In this case, the PEM specifications are represented by the modelling component called ‘holding tank’, relating to the PEM system, ‘reverse jet scrub- ber’. These PEM specifications include performance variables such as operating contents, maximum contents, minimum contents, initial inflow, final inflow, initial outflow, final outflow, initial contents, final contents, initial flow surge, final flow surge, and accumulative surge. Several simulation run options are available, such as for operating contents going below minimum contents, or for steady-state flow (outflow=inflow). The graphical display (plotter) shows both a graphical representation of the pro- cess values o f a performance variable during a simulation run, as well as a table of the numerical values of the performance variable. A powerful feature of the graph- ical display in engineering design is that plots of a performance variable taken in previous simulation runs is ‘remembered’ (up to four previous simulation runs), to allow for a comparative analysis in the event a performan ce variable is ch anged for design cost/performance trade-off. Such a trade-off would not be considered in as- sessing safety criteria related to a specific performance variable, where an increase in safety might result in a decrease in performance as shown in previous simulation runs. 740 5 Safety and Risk in Engineering Design Fig. 5.93 PFD for simulation modelling Figure 5.96 illustrates the graphical display model component for system be- haviour of the performance variable ‘operating contents’ of the PEM system ‘re- verse jet scrubber’, indicating a trend towards steady state. Petri net-based optimisation algorithms are usefully applied in dynamic systems simulation—in this case, the determination of pressure surge through a continuous process flow line. Petri nets have been used as mathematical graphicaltools for mod- elling and analysing systems of which the dynamic b ehaviours are characterised by synchronousand distributed operation, as well as non-determinism.A b asic Petri net structure consists of places and transitions interconnected by directed arcs. Places are denoted by circles and represent conditions, while transitions are denoted by bars or rectangles and represent events. The directed arcs in a Petri net represent flow of control where the occurrence of events is controlled by a set of conditions that can be either instantaneous or gradual (averaged). The pressure surge Petri net depicted in Fig. 5.97 includes conditions of flow surge criteria such as outlet diameter and fluid modulus, together with events repre- senting the combination and manipulation of criteria in the flow surge algorithm to obtain results in graphical displays. Design automation (DA) environments typically contain a design representation or design database through which the design is controlled. The design automation 5.4 Application Modelling of Safety and Risk in Engineering Design 741 Fig. 5. 94 PEMs for simulation modelling environment usually interacts with a set of resident computer aided design (CAD) tools and will attempt to act as a manager of the CAD tools by handling input/output requirements, invocation parameters and, possibly, automatically sequencing the CAD tools. Thus, a DA environment provides a design framework that, in effect, shields the designer from cumbersome details and enables the designer to work at a high level of abstraction. Design automation environments have great potential in CAD because they can encapsulate expert design knowledge as well as rapidly changing domain knowledge, typical of process engineering design. Since they can be easily extended and modified, rule-based systems allow for limited automated design. Figure 5.98 illustrates the AIB blackboard data browser option with access to a database library of integrated CAD d ata r elevant to each PEM. CAD models provide a comprehensive and detailed knowledge source for the AIB blackboard, which can be integrated with an expert systems knowledge base for process information. The most useful CAD model for knowledge integration is the three-dimension al CAD (3D CAD), which entails p arametric solid modelling that requires the user to apply what is referred to as ‘design intent’. Some soft- ware packages provide the ability to edit parametric as well as non-parametric ge- ometry without the need to understand or undo the design intent history of the 742 5 Safety and Risk in Engineering Design Fig. 5.95 PEM simulation model performance variables for process information geometry by use of d irect modelling functionality. Parametric designs require the user to consider the d esign sequence carefully, especially in a collaborative design environment. What may be a simple d esign now could be worst case later. Figure 5.99 shows a three-dimensional CAD model of process configuration in- formation, accessed from a database library of integrated CAD data relevant to each PEM in the AIB blackboard. Knowledge training is an important application of three-dimensional CAD mod- elling, especially for training operators and engineers for th e engineered installation, notably during the ramp-up and warranty stages. A CAD modelling system can be seen as built up from the interaction of a graphical user interface (GUI) with bound- ary representation data via a geometric modelling kernel. A geometry constraint engine is employed to manage the associative relationships between geometry,such as wire frame geometry in a schematic design or components in a detail design. Ad- vanced capabilities of these associative relationships have led to a new form of pro- totyping called digital prototyping. In contrast to physical prototypes, digital proto- types allow for design verification and testing on screen, enabling three-dimensional CAD to be more than simply a documentation tool (representing designs in graphi- cal format) but, rather,a more robust designing tool that assists in the design process as well as post-design testing and training. 5.4 Application Modelling of Safety and Risk in Engineering Design 743 Fig. 5. 96 PEM simulation model graphical display of process information Figure 5.100 shows a typical CAD integrated training data library in the AIB blackboard of performance variable data relevant to each PEM. Artificial neural network (ANN) computation, unlike more analytically based information processing methods, effectively explores the information contained within input data, without further assumptions. Statistical methods are based on cer- tain assumptions about the input data (i.e. a priori probabilities, probability density functions, etc.). Artificial intelligence encodes deductive human knowledge with simple IF THEN rules, performing inference (search) on these rules to reach a con- clusion. Artificial neural networks, on the other hand, identify relationships in the input datasets, through an iterative presentation of the data and intrinsic mapping characteristics of neural topologies (referred to as learning). There are two basic phases in neural network operation: the training or learning phase,wheresample data are repeatedly presented to the network, while their weights are updated to ob- tain a desired response; and the recall or retrieval phase, where the trained network is applied to prototype data. Figure 5.101 shows the AIB blackboard ANN computation option with access to an imbedded NeuralExpert c  program (NeuroDimension 2001). A neural expert program (Lefebvre et al. 2003) is a specific knowledge source of the AIB blackboard for processing time-varying information, such as non-linear . rather,a more robust designing tool that assists in the design process as well as post -design testing and training. 5.4 Application Modelling of Safety and Risk in Engineering Design 743 Fig. 5 in the form of an unavailability profile of the high-integrity protection system (HIPS). 736 5 Safety and Risk in Engineering Design Fig. 5.89 FTA modelling in designing for safety As stated in. Working Working Working Failed Working Wo rking Working Working Working Failed Working Wo rking Working Working Wo rking Failed Working Working Working Failed Failed Working Working Failed Working Failed