Exploiting process plant digital representation for risk analysis

Journal of Loss Prevention in the Process Industries 20 (2007) 69–78
www.elsevier.com/locate/jlp

Paolo Bragatto a, Marina Monti b,*, Franca Giannini b, Silvia Ansaldi c

a DIPIA-ISPESL, Via Fontana Candida 1, 00040 Monteporzio Catone, Rome, Italy
b Istituto di Matematica Applicata e Tecnologie Informatiche—CNR, Via De Marini 6, 16149 Genova, Italy
c CAD/CAE/PDM Consultant, Via Oberdan 40, 00040 Monte Compatri (RM), Italy
* Corresponding author. Tel.: +39 0106475692; fax: +39 0106475660.

Received 2 March 2006; received in revised form 22 September 2006; accepted 16 October 2006

0950-4230/$ - see front matter © 2006 Elsevier Ltd. All rights reserved. doi:10.1016/j.jlp.2006.10.005

Abstract

Hazard analysis is a crucial task in plant design. It is expensive in terms of money and time, and involves many specialists in different disciplines who are required to analyse aspects dispersed throughout the plant documentation. Product Lifecycle Management systems allow all the project data to be handled in a complete, integrated and consistent manner; they permit tools to be developed for capturing and reusing the design information necessary to evaluate specific plant aspects concerning potential hazards, thus providing automatic verification of some safety criteria. In this paper we present a knowledge-based tool aimed at supporting the expert in performing HAZOP studies in a plant project managed by a CAD/PLM system. The tool is based on an extended plant model that includes all the data and relationships representing the knowledge on which the supported hazard identification method is based.

© 2006 Elsevier Ltd. All rights reserved.

Keywords: Hazard identification; Plant design; Product Lifecycle Management

1. Introduction

In the design of a process plant, decisions taken at the beginning may affect reliability and safety, possibly leading to later changes to the plant, such as the addition of external safety barriers and other measures. The incorporation of inherent safety principles in design requires thorough attention to plant details, including systematic review by a multidisciplinary team of process and equipment experts (Hendershot & Post, 2000).

Therefore, it would be useful to have tools to support these experts in their evaluation of design solutions in order to identify quickly critical configurations at the various phases and to take the necessary corrective actions as soon as possible. Moreover, process hazard analysis is mostly based on design drawings and it is difficult to follow modifications in the actual plant. In common practice the plant documentation is often not regularly updated, because it is considered too unwieldy. For this reason, hazard analysis loses value through time, owing to continuous changes during the life of the plant. Nowadays, benefits may derive from the widespread use of Computer Aided Design (CAD) techniques adopted in the design of process plants. CAD systems provide many digital models, such as drawings, diagrams and 3D models, which represent the plant from different points of view (mechanical, electrical, functional, etc.) and offer capabilities to automate the design process and to link together the data produced during the various phases of project development, such as process diagrams, equipment design, electrical distribution and layout specification. To proficiently support the management and maintenance of the huge amount of documents related to the whole product in all lifecycle phases, CAD systems have been integrated in so-called Product Lifecycle Management (PLM) systems. PLM systems offer a structured organisation of the various documents originated by different systems while handling the related access rights and usage. They facilitate the creation, modification and retrieval of the diverse data, and also keep them aligned with the various changes that occur throughout the complete product design and life cycle. Consequently, if hazard analysis were linked to the digital representation of the plant, it could be continuously updated and aligned with it. Thus, it also opens the way
to incremental analysis. Finally, the availability of all the data and their mutual relationships offers better support for browsing the project and evaluating the level and probability of an accident.

In this paper we present a prototype system, developed within the framework of a research project carried out in collaboration between CNR and ISPESL, aimed at supporting the experts in the identification of critical configurations in a plant project. It differs from many related works, in that the objective of the research presented in this paper is not the creation of software tools automatically performing risk analysis, supplanting the specialist. Here, the ultimate objective is to provide the specialists with tools that may guide them during the analysis of the plant documentation, highlighting all the potential risk situations as well as making promptly available the electronic documents that describe the relevant component and/or plant area, thereby allowing a deeper investigation of the configuration.

Section 2 discusses the advantages offered by computer-supported risk analysis integrated within a PLM environment. Section 3 presents the developed software prototype. Section 4 shows an example of the use of the system and Section 5 concludes the paper.

2. Plant hazard identification in the PLM environment

Process hazard analysis (PHA) is the systematic identification, evaluation and mitigation of potential process hazards, which can be devastating for humans and environment, as well as causing serious economic losses. In the literature and in common practice, several methods are considered. They use different types of information and may be applied in various phases of the plant life cycle. Some of them require detailed plant description; others consider more general aspects of the process and are therefore more suitable at the conceptual stage.

Hazard and Operability Analysis (HAZOP) (Crawley & Tyler, 2003; Howat, 2002; Kletz, 1992; Lees, 1980) is one of the most frequently used methods for identifying hazards in process plants. It is a systematic process or operation review, aimed at identifying and analysing deviations from the design intent that could lead to undesirable consequences. To apply this method, expertise in design, process, operation, and maintenance is needed. Typically, HAZOP analysis is conducted by a team of specialists who examine the plant documentation from different points of view on the basis of their expertise. A HAZOP study always requires considerable time and resources. This stimulated research into the development of computer-based tools that would reduce the effort and automate the hazard analysis of process plants. Venkatasubramanian, Zhao, and Viswanathan (2000) give a critical overview of research aimed at developing intelligent systems for automating HAZOP analysis; all the systems considered are knowledge-based, but are weakly integrated in the plant development environment, thus insufficiently supporting the browsing of the data relating to the whole project for a comprehensive risk evaluation. On this aspect, among the important challenges in automating HAZOP analysis, Yang and Chung (1998), Chung and McCoy (2001) and Yet-Pole (2003) indicate the management of the huge amount of information needed and the lack of context-independent tools for the analysis of a wide variety of processes.

Further examples of the application of knowledge-based technologies to process plant design and operation may be found in Mizoguchi, Sano, and Kitamura (2000) and Posada, Toro, Wundrak, and Stork (2005). In the former, the messages exchanged in an oil-refinery plant are modelled through an ontology that formalizes both the application domain and the tasks that group the activities in the plant. In Posada et al. (2005), ontology has been employed for the semantics-driven simplification of CAD models, applied to the visualisation and design review of large plant models.

For a more efficient access to the large amount of diverse data, PLM characteristics can be exploited by the team devoted to the HAZOP analysis. Moreover, the results obtained by a PHA could become themselves part of the plant documentation. Including HAZOP results in the PLM database permits their management as a "living" updateable resource, which may become a real support tool. When modifications occur, such as substitution of equipment, or slight changes in the parameters during the plant operation (e.g. material, or, especially for batch plant, process variations), the possibility of easily and quickly updating a hazard analysis may be extremely useful. Therefore, even though an automatic revision of the hazard analysis reports is still not realistic, access to the PLM database offers remarkable advantages in creating updated plant documentation. In fact, if modifications occurring in the actual plant are reported in its digital representation, PLM systems can keep track of the new version, thus making explicit the misalignment of the hazard analysis. Experts can be automatically notified by PLM systems that changes have been made in the project data; thus, following any document modifications, they may incrementally update the new PHA to identify new potential hazards. Moreover, each hazard, previously identified and present in the PHA documentation, may be reviewed in the light of the modifications made to the plant, to point out possible interferences or interconnections, and eventually to examine closely the situation. This approach would offer the advantage of reducing the time required for the hazard analysis, and in any case it would represent an interesting starting point for a further hazard identification.

3. IRIS: a prototype for hazard identification support

The IRIS tool has been developed for verifying the feasibility of the integration of hazard analysis methods in the PLM environment (Ansaldi, Giannini, Monti, & Bragatto, 2005). It has been conceived as an addendum to an integrated CAD/PLM system. It supports the experts in the hazard analysis by allowing browsing throughout the plant project data. The system is based on the HAZOP method and it is appropriate for use by any of the HAZOP team members. The software is also suitable for simple HAZOP studies, which could be performed by a single person. The adopted approach is the analysis of the process, related to a specific logic unit, line by line, to evaluate the possible deviations from the normal plant performance, correlated to unexpected process parameter values, using flow diagram and operating procedures as working documents. In HAZOP, causes are the events that may lead to a deviation, while consequences are the effects of the deviation. Deviations are composed of a parameter, characteristic of the equipment or the device considered, and an attribute, i.e. a guide word, representing qualitative divergence from the foreseen values of the process variables. Corrective actions may be decided to prevent deviation causes. Safeguards are designed to mitigate deviation consequences. The analysis is directly based on the Process and Instrumentation Diagram (P&ID) document of interest, which is no longer intended as a simple graphical representation, but is a CAD document including its semantics.

¹ STEP ISO-10303-1, AP227.

As has been recognised (Venkatasubramanian et al., 2000), while the results of a HAZOP study vary from plant to plant, the approach is systematic, and many aspects of this analysis may be applied to different processes. Conversely, the specific process/plant information has to be flexibly integrated with the generic models in an opportune way. To this aim, the IRIS system maintains a clear differentiation between two types of knowledge, while preserving the correct mutual relationships (i.e. between the general concepts and the items in the plant project). In fact, in hazard identification both the information available and the knowledge acquired may be divided into the process/plant-specific and the general categories. The process/plant-specific knowledge is related to the plant under examination, while the general concepts represent what is context-independent, valid and usable for different plants.

The process-specific information corresponds to the detailed description of the process, such as the materials treated and their properties, whereas the plant-specific information is related to the description of the plant, its components, equipments and instrumentations and layout. This information is represented in electronic form in the documents related to process and plant characteristics, at different levels of detail, and may be directly acquired and accessed from the PLM repository.

In contrast, the general knowledge is independent of the process and plant considered and refers to rules and specifications of the adopted method of analysis; furthermore, it includes information related to the object types to which the hazard analysis refers, and to their functional descriptions. For example, equipment is characterized by a type, usually indicating its function (e.g. mixer, reactor, heat exchanger), but also by its functional parameters, such as design and operating pressure, flow rate, temperature. This a priori knowledge is developed starting from a fundamental understanding of the process.

To make the tool as flexible as possible, and to avoid hardwiring a priori knowledge, a function-based taxonomy of the equipment and instrumentation is considered (see Section 3.1). Fig. 1 illustrates the overall architecture of the IRIS prototype, in which two environments are shown, one referring to IRIS, the other to the adopted PLM system. From the functional point of view, the framework consists of the following main components: a dictionary, the plant information database, the reasoning and analysis engine and the knowledge repository. The dictionary module permits management of the link between the terminology used in the definition of the hazard analysis rules and the terminology adopted in the environment that is using IRIS; the latter can be specific to the company and even to the plant project under examination. In this way, the independence of the stored rules from both the IT tools and plant data is ensured.

The plant information database is the one provided by the adopted CAD/PLM system and contains all the data related to the specific plant project. The reasoning and analysis engine provides functionalities for navigating through design documents and possible reference documents (general norms, laws) and for applying HAZOP analysis. It accesses the project database through ad hoc functionalities using the Application Programming Interfaces (APIs) provided by the adopted CAD/PLM system. The knowledge repository includes three data models, which depend on the type of information considered and are represented in a unique database. They are:

• General Hazard Identification Model, representing the general knowledge upon which the criteria and rules are based;

• Plant Hazard Identification Model, representing the information related to specific plant configurations, linked to the previous model and to the PLM database;

• Hazard Analysis Result Model, containing the knowledge specific to a particular analysis.

3.1. General Hazard Identification Model and editor functionalities

The General Hazard Identification Model (HAZID Model) is related to the characteristics of the PHA methodology considered, and to the types of objects constituting a plant. Objects are categorized according to a hierarchically organised functionality-based taxonomy, which can be naturally mapped to the corresponding STEP¹ data definition (STEP, 1994). Therefore, each item is classified in terms of super-function, function, and type, and has an associated set of functional parameters. Super-function is the most generic class type in the system, and it is the root of the hierarchical taxonomy. It includes the following types: Equipment, the components of the plant performing an action; Piping components, the devices connected to piping and equipments (e.g. valves); Instrumentation, control devices; and Infrastructure, all the other objects not directly related to the process itself but which might interfere in the hazard identification analysis. Each of these types is further detailed in one or more process function categories: for example some of the functional classes associated with Equipment are separation, heat exchanger, storage, and pumping. At the lowest level in the taxonomy, classes corresponding to specific entities are included, such as column, reactor, and pump. Furthermore, each entity is related to a set of functional parameters specific of the entity, and to others inherited from the upper classes in the taxonomy. In particular, we focused on those specifically meaningful for the hazard analysis; for example, for a column, temperature, pressure and level are the considered parameters.

Fig. 1. IRIS architecture.

Fig. 2. IRIS editor: compilation of a cause phrase. Two lower frames: classes and list of available tokens, respectively. Upper text box: echo of the composed phrase.

Other types of entities strictly dependent on the adopted hazard methodology and considered in this model are Deviation, Causes, Consequences, Actions and Safeguards. They correspond to a phrase; each phrase is decomposed into an ordered sequence of typed elements called tokens; the semantics and the position of each token give meaning to the entire statement. Tokens are typed according to their role within the sentence, and can have values within specified sets. These sets also include the plant object types and functional parameters as well as actions. In some cases they may also correspond to a rule or a formula and then they might be associated with computational algorithms that may run when applied to a plant model. They refer to general concepts, still independent of the considered plant, and are used to store the a priori knowledge related to causes of accidents. Since this knowledge is mainly due to experience, the possibility of incrementally enlarging the knowledge data set is crucial if an effective HAZOP analysis is to be achieved throughout the time. To this purpose the system provides an editor, based on a grammar formalisation, of the above phrases, thereby allowing a typed insertion of new tokens in the database, a guided composition of the phrase, and the creation of essential links. Fig. 2 depicts the user interface developed for the definition of causes. The content of the token list frame is automatically updated when a new class is selected.

Fig. 3. IRIS tool: example of correspondence between dictionaries.

Fig. 4. The HAZOP process for the IRIS software. [Flowchart of a HAZOP study, with a focus on Causes and Consequences. Boxes: Start; Select Logic Unit; Select Line; Select Component; Select Deviation; Examine possible Causes (Add New Causes); Indicate Action/Safeguards (Add New Actions/Safeguards); Examine Consequences (Add New Consequences); Indicate Safeguards (Add New Safeguards).]

The advantages of capturing and maintaining the semantics of each phrase and its tokens seem to be various and remarkable. First of all, with such an approach, the system is more flexible and adaptable to different types of process and HAZOP method. This implies that the information in the hazard analyser database can be collected directly by the experts, avoiding the hardwiring of a priori knowledge into the database. Furthermore, a hazard analysis may be extended, taking advantage of the knowledge stored and managed in other studies, as long as the same methods have been adopted.

Another remarkable advantage is the use of tokens, which makes it possible to create links with computational entities, for example with objects present in the plant design, components or characteristics. Obviously, the definition of such links may be fulfilled only when the phrases (i.e. cause or consequence) are instantiated in a specific plant design, as specified in the next section.

Fig. 5. At the first step the user selects a line in the HAZOP window and the line indicated is highlighted (bold grey) in the CAD window.

Fig. 6. The component selected (Desalter D-1001) is highlighted in the CAD window.

3.2. Plant hazard identification model and interface to PLM system

A hazard analyser tool may be effectively accepted and used within a PLM system if it does not put too many additional constraints on the design process; in particular, it should be as far as possible general and independent of the context. It is then crucial to specify capabilities for creating a bridge between the specific project data and the general knowledge base. In this perspective, IRIS has been developed as a sort of shell containing the types of structures characterizing a general plant, and this shell has to be customised on the basis of the specific plant project. The problem has been reduced to mapping the different dictionaries involved; the capability of managing several dictionaries, both for defining the hazard analysis rules and for designing a plant, ensures independence from both the IT tools and the plant data. The correspondence between the plant data and the general information is managed through a look-up table: this correspondence, explicitly indicated by the user, as illustrated in Fig. 3, is necessary to link the two different nomenclatures adopted, and it mainly involves the tokens corresponding to plant object types and parameters. The adopted CAD system is CATIA®, which automatically provides dictionaries in external files. The direct link to the plant data stored in the PLM repository has been achieved through the development of functionalities, which, by means of the API provided by the PLM system, are able to obtain all the information stored in the PLM database that is necessary to perform hazard analysis. Nevertheless, to speed up the analysis, a subset of information is imported from the PLM database and stored directly in the Plant Hazard Identification model.

3.3. Hazard Analysis Result Model and HAZOP analyser functionalities

The Hazard Analysis Result Model contains administration data (i.e. the organisational team who have developed it, the date of release of the version, and reference documents used in the study) and the technical results obtained. The HAZOP report can also be printed out and stored as a document in a format compatible with IT office tools. Each result is characterised by the following information: the component that is the objective of the study, the corresponding deviation considered, and the list of the related selected causes, consequences, actions and safeguards. Each element of the list is an occurrence that refers to a generic element describing the phrase (e.g. general cause, consequence, etc.), and to specific equipment or instrumentation present in the plant design examined. Fig. 4 summarizes the logic flow of the analytical process, starting from the selection of a component within a line in a chosen unit, and proceeding with the selection of a deviation from the design intent and the evaluation of the related possible causes, consequences, actions and safeguards. IRIS offers the necessary functionalities to support each step of the logic flow, and provides further capabilities for making the HAZOP report more complete and directly relevant to the plant design documentation.

Fig. 7. Example of selection of a cause and indication of a preventive action for the deviation "temperature less" for D1001.

4. A test case

In the following we will illustrate the workflow of ahazard analysis session, driven by the IRIS tool. Theselected test case is the topping unit of a real hydroskimmingcycle refinery operating in Italy. In the topping unit thefeedstock is treated to separate products in an atmosphericdistillation tower. Basic functions are preheating, desalting,preflash, final heating, distillation, and condensation. Thefeedstock is preheated by removing heat from products asthey leave the unit. The preheating chain consists of 24exchangers: 7 upstream and 17 downstream of the desalter.

Once the user has completed the configuration of the system, he/she imports into IRIS the basic hierarchical structure of the plants from the CATIA P&ID module. Afterwards, driven by IRIS, he/she selects the unit in the plant he/she wants to analyse. In a transparent way, IRIS creates the appropriate relationships with the digital documents describing the selected plant unit, and stores them in the Plant Hazard Identification Model. The stored information includes data on the equipment, instrumentation and piping lines, such as identification code, types of attributes associated with functional parameters, and relations among all components and lines. Once a specific unit has been selected, IRIS shows the user the list of the lines present in the unit. When the user interactively selects a line, it is automatically highlighted in the CAD window (see Fig. 5). When the user selects a component of the line in the database, it is automatically highlighted in the CAD window (see Fig. 6). IRIS then retrieves the parameters related to the selected component (e.g. temperature) and the applicable guide words (e.g. ‘less’) from the deviations database. Then the user selects a deviation. IRIS automatically retrieves all the causes present in the database, and assesses whether they may apply to the current plant. Then, only the applicable causes are contextualised and proposed to the user. The same occurs for the consequences. In this way the user is guided by the system in building the sentences describing causes and consequences of the deviation. If the cause is not present it has to be constructed by adding new nouns or adjectives, as needed. The user may, in the CAD window, select upstream and downstream equipment and find components that are in the cause and consequence chain. The name of such components is retrieved and can be used to construct the sentence describing the cause. In a similar way, the user can also build sentences for consequences, as well as for actions and safeguards. In the example considered, the user is analysing the deviation “temperature less” for the component D1001. The system proposes a list of possible causes and the user selects the one corresponding to the failure on exchanger E-1003 A–B. Furthermore, the user adds an action (an extra control on temperature), which could be considered to prevent the cause of the deviation (see Fig. 7). Analogously, he adds new consequences, as shown in Fig. 8: the deviation “temperature less” in D1001 compromises the desalting efficiency, and consequently a faster and deeper corrosion of all vessels and pipes downstream is expected.

Fig. 8. Insertion of a new potential consequence linked to the deviation “temperature less” for D1001.

To better understand consequences, such as failure of components which could affect also buildings or structures not represented in P&ID, 2D and 3D layout representations can be accessed (Fig. 9); these representations show the user all the pipes and the vessels close to a specified item. At the end of the session the user obtains the document illustrated in Fig. 10, which reports the results of the analysis of the Desalter D-1001, with causes, consequences and possible safeguards.
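The cause-filtering step of this session can be sketched in a few lines; this is an added example, not IRIS code and not taken from the paper. Only D1001, E-1003 A–B and the deviation “temperature less” come from the worked case; the data model, the pump P-1001, the guide-word table and the cause templates are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    tag: str           # identification code, e.g. "D1001"
    kind: str          # equipment type (assumed vocabulary)
    parameters: tuple  # functional parameters attached to the component
    upstream: list = field(default_factory=list)  # tags feeding this component

# Constructed plant unit: P-1001 and the topology are hypothetical.
PLANT = {c.tag: c for c in [
    Component("P-1001", "pump", ("flow", "pressure")),
    Component("E-1003 A–B", "heat_exchanger", ("temperature",), ["P-1001"]),
    Component("D1001", "desalter", ("temperature", "pressure"), ["E-1003 A–B"]),
]}

# Constructed deviations database: guide words applicable to each parameter.
GUIDE_WORDS = {"temperature": ("less", "more"), "pressure": ("less", "more"),
               "flow": ("no", "less", "more", "reverse")}

# Constructed cause templates:
# (parameter, guide word, equipment type required upstream, sentence).
CAUSES = [
    ("temperature", "less", "heat_exchanger", "failure on exchanger {tag}"),
    ("temperature", "less", "furnace", "burner trip on furnace {tag}"),
    ("temperature", "more", "heat_exchanger", "loss of cooling on exchanger {tag}"),
    ("pressure", "less", "pump", "pump {tag} stopped"),
]

def upstream_chain(tag):
    """All components upstream of `tag`, nearest first (cycle-safe walk)."""
    seen, queue = [], list(PLANT[tag].upstream)
    while queue:
        t = queue.pop(0)
        if t not in seen:
            seen.append(t)
            queue.extend(PLANT[t].upstream)
    return seen

def deviations(tag):
    """Parameter/guide-word pairs offered for the selected component."""
    return [(p, g) for p in PLANT[tag].parameters for g in GUIDE_WORDS.get(p, ())]

def applicable_causes(tag, parameter, guide_word):
    """Causes whose required equipment exists upstream, with its tag filled in."""
    if (parameter, guide_word) not in deviations(tag):
        raise ValueError(f"deviation '{parameter} {guide_word}' not defined for {tag}")
    out = []
    for p, g, kind, sentence in CAUSES:
        if (p, g) == (parameter, guide_word):
            out += [sentence.format(tag=t) for t in upstream_chain(tag)
                    if PLANT[t].kind == kind]
    return out
```

The furnace template is dropped for D1001 because no furnace exists upstream in the constructed unit, which mirrors the "only the applicable causes are contextualised and proposed" behaviour described above.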

5. Conclusions

This paper has highlighted the potential offered by PLM systems to support hazard analysis along the lifecycle of a process plant. PLM systems are aimed at an integrated management of the plant digital 2D and 3D models, as well as of other digital documents. In such a way they can provide a complete digital representation of the plant, which may be updated throughout the lifetime of the plant.

To show the feasibility of integrating PLM systems and hazard analysis, IRIS, a prototype software tool, has been developed; this supports the well known HAZOP method. IRIS is versatile, being useful both for enriching and adapting the knowledge gained by analysis and for integrating the different documents managed by PLM systems. Summarizing, the main advantages of IRIS are:

• Easy access to a wide range of technical documents; use of the capabilities provided by PLM systems allows browsing of plant-related data, such as the 2D and 3D layout, piping, mechanical drawing and building design.

• Direct link with a CAD database: the integration with an advanced CAD/PLM allows the user to directly re-analyse the plant project without the need to insert new data when changes occur in the project.

• Knowledge sharing; HAZOP sentences, which are built using a customisable glossary, are kept in the IRIS database as general knowledge and may be reused several times in successive HAZOP studies.

• Easy updating of the report: HAZOP reports may be retrieved from the IRIS database and modified record by record, according to the plant modifications that have occurred.

Fig. 9. Retrieval and interrogation of the 3D layout model (e.g. distance between components) to evaluate consequences of a potential accident in the built environment.


Fig. 10. HAZOP report of all the deviations considered for the Desalter D-1001.


In conclusion, it has been demonstrated that several long-term benefits derive from the implementation of PLM in terms of engineering and of savings in product cost and quality; we may say that from the integration of tools supporting HAZOP analysis and PLM, additional benefits derive in terms of product quality and time savings, since it supports the user in designing an inherently safer plant while expending less time and fewer resources than those necessary for a traditional HAZOP study.

Acknowledgement

This work has been partially supported by ISPESL—Dipartimento Insediamenti Produttivi ed Interazione con l’Ambiente (Contract ISPESL B64/DIPIA/02).

References

Ansaldi, S., Giannini, F., Monti, M., & Bragatto, P. (2005). PDM-based tool for hazard identification in plant design. In Proceedings of PLM’05-emerging solutions and challenges for global networked enterprise (pp. 251–260). New York: Interscience.

Chung, P. W. H., & McCoy, S. A. (2001). Trial of the “HAZID” tool for computer-based HAZOP emulation on the medium-sized industrial plant, HAZARDS XVI: Analysing the past, planning the future. Institution of Chemical Engineers, IChemE Symposium Series No. 148, Manchester, UK, pp. 391–404.

Crawley, F., & Tyler, B. (2003). HAZOP identification methods. European Process Safety Centre, I.Chem.E.

Hendershot, D. C., & Post, R. L. (2000). Inherent safety and reliability in plant design. In Proceeding of Mary Kay O’Connor Process Safety Center, Annual Symposium: Beyond Regulatory Compliance, Making Safety Second Nature, pp. 268–281. Texas: October 2000.

Howat, C. S. (2002). Process hazard identification using hazard and operability studies, Lecture notes, University of Kansas. http://www.engr.ukans.edu/~ktl/

Kletz, T. A. (1992). HAZOP and HAZAN—identifying and assessing process industry hazards (3rd ed.). Rugby: IChemE.

Lees, F. P. (1980). Loss prevention in the process industries (Vol. 1). London: Butterworth.

Mizoguchi, R. K., Kozaki, K., Sano, T., & Kitamura, Y. (2000). Construction and deployment of a plant ontology. Proceedings of EKAW, 113–128.

Posada, J., Toro, C., Wundrak, S., & Stork, A. (2005). Ontology supported semantic simplification of large data sets of industrial plant CAD models for design review visualization. In R. Khosla (Ed.), Proceedings of knowledge-based intelligent information and engineering systems, Lecture notes in computer science (Vol. 3683) (pp. 184–190). Berlin, Heidelberg, New York: Springer.

STEP ISO 10303-1. (1994). Industrial automation systems and integration—product data representation and exchange—Part 1: Overview and fundamental principles. http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=18348

Venkatasubramanian, V., Zhao, J., & Viswanathan, V. (2000). Intelligent systems for HAZOP analysis of complex process plants. Computers & Chemical Engineering, 24, 2291–2302.

Yang, S., & Chung, P. W. H. (1998). HAZARD analysis and support tool for computer controlled processes. Journal of Loss Prevention in the Process Industries, 11(5), 333–345.

Yet-Pole, I. (2003). Development and applications of CASEHAT—a multipurpose computer hazard analysis automation system used in semiconductor manufacturing industry. Journal of Loss Prevention in the Process Industries, 16, 271–279.