Application of Extended Hazop
and Event-Tree Analysis for
Investigating Operational
Failures and Safety
Optimization of Distillation
Column Unit
Naveed Ramzan, Fred Compart, and Werner Witt
Lehrstuhl Anlagen und Sicherheitstechnik, Brandenburgische Technische Universität, Burger Chaussee 2 Lehrgebäude 4/5,
Cottbus 03044, Germany; ramzan50@hotmail.com (for correspondence)
Published online 11 May 2007 in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/prs.10202
Process safety has a high priority in the chemical
industry. And the distillation is the most widely used
unit operation in the chemical-processing industries.
The use of dynamic simulation for safety-related studies
for a distillation column has great significance for the
study of operational failures. In this article, a systematic
framework based on Extended Hazop and Event-tree
analysis is applied to a distillation column unit of a
chemical plant. Over pressuring of column is studied
and different safety system alternatives are generated
and evaluated using Event-tree analysis. This article
describes the details of an effective method used for a dis-
tillation column but it can also be used for other hazard-
ous unit operations. Ó 2007 American Institute of Chem-
ical Engineers Process Saf Prog 26: 248–257, 2007
Keywords: overpressure, distillation unit, risk poten-
tial matrix, emergency shutdown systems
INTRODUCTION
In the chemical-processing industries, a safe
design (which minimizes the likelihood of process
Ó 2007 American Institute of Chemical Engineers
248 September 2007
accidents and mitigates their consequences, and safe
operation) has a high priority. Distillation is the
workhorse separation process of the chemical-proc-
essing industries. The skylines of many refineries and
chemical plants are dominated by tall distillation
towers and they are unlikely to be displaced in near
future by any other more efficient technique. Despite
the huge progress in distillation, the number of mal-
functions reported per year rose [1]. Therefore, in
this article, methodology based on Extended Hazop
(Hazop supported by dynamic simulation) and event
trees for the identification of operational failures and
safety system optimization presented by us in [2] is
illustrated with the help of a distillation unit from an
industrial plant. The block diagram of the methodol-
ogy is shown in Figure 1.
SYSTEM DESCRIPTION AND OBJECTIVES OF ANALYSIS
Plant and Process Description
The unit under discussion is part of a hydrocar-
bon recovery plant, which removes hydrocarbons
and other solvents from the off-gases. Water, ace-
Process Safety Progress (Vol.26, No.3)
Figure 1. Simplified block diagram of methodology based on Extended Hazop.
tone, methanol, and acetic acid are the main compo-
nents of the feed stream. The product stream (ace-
tone rich) is separated from the effluent by using
live steam injection. The column has a diameter of
0.728 m and consists of 35 trays. The live steam
is entered at stage 35 at temperature 1418 C and
375 kPa pressures.
The feed, which is at its bubble point, is entered
at stage 16 (the stages are numbered from top to bot-
tom) with a column head pressure of 100 kPa. The
separation targets (mass %) are distillate: water <
10%; bottoms: acetone < 2000 ppm; methanol < 2%;
acidity < 3%, where acidity is the sum of the mass
fraction of the acids, that is, acetic acid, formic acid,
and propionic acid in the bottoms stream.
The feed rate is about 4000 kg/h. The temperature
at stage 24 is controlled via modification of the steam
rate. The design temperature of the column is 1158 C
and design pressure is 190 kPa. Figure 2 shows the
stripping column with its basic process control and
monitoring systems. The important points to be noted
in the system are
• The absence of any flow measuring device for
the bottoms stream;
• A U pipe is used for level control instead of
level control system at the column base;
• A vent line of 80 mm diameter is installed to
cope with the overpressure hazard.
In case of emergency conditions, the plant is shut-
down manually according to emergency shutdown
procedure.
Objectives of Analysis
The objective of analysis is to identify
Process Safety Progress (Vol.26, No.3) Published on behalf of the AIChE
• weak points that could lead to operational fail-
ures or potential hazards;
• examine the effect of these causes (e.g., loss of
cooling) to the dynamic behavior of the col-
umn;
• analyze the effectiveness of existing measures;
• recommend the further suitable preventive and
operative safeguards if necessary.
SAFETY/RISK ANALYSIS
Extended Hazop
Extended Hazop supported by simulation related
to process malfunctions (Figure 2) is carried out. The
situation of overpressure in the column is considered
here. Overpressure is the result of an unbalance or
disruption of the normal flows of material and
energy, or both. Analysis of the causes of overpres-
sure in a distillation column is a complex study [3].
Common causes, which may result in overpressure,
are also presented in Figure 2.
Aspen Dynamic Model
First, a steady-state simulation model is devel-
oped in Aspen plus and validated against the plant
data. Then, this steady state model is cast into
dynamic simulation model in Aspen dynamics with
somewhat modified control scheme for simulation
study of process malfunctions. Figure 3 shows the
Aspen dynamics model developed. The basic as-
sumptions are
• Unidirectional flow in the column.
• Perfect mixing on trays.
DOI 10.1002/prs September 2007 249
Figure 2. Process diagram of system and common causes for overpressure: 1. Loss of coolant, 2. Loss
of electric power 3. More steam, 4. Loss of instrument air, 5. Failure of bottom product (steam control-
ler), 6. Failure of feed controller, 7. Failure of distillate (reflux) controller, 8. More feed, 9. Failure of
exchanger tubes, 10. Exterior fire, 11. Accumulation of noncondensibles, 12. Closed column/restrictions
in outlets, 13. Internal explosion. [Color figure can be viewed in the online issue, which is available at
www.interscience.wiley.com.]

• Murphee efficiency is assumed constant. (a) Less or total loss of cooling capacity;
• The vent line open to atmosphere for overpres- (b) Restriction or blockage of the vent line pressure
sure relief is simulated via installing a process in the column rises and are discussed in detail.
safety relief valve that opens at pressure slightly
more than the atmospheric pressure and closes
at atmospheric pressure.
• Inert gases are not considered.
• Instead of a cascade control loop for bottom
product quality, a temperature controller (Plate
24 temperature) via modification of steam rate is
used.
• The column bottom liquid level is maintained by
level controller instead of U pipe.
Some results for more pressure deviation (P >
Pdesign) from the Extended Hazop review is
described here for the illustration of methodology
and is shown in Table1. Two of the identified Figure 3. Aspen dynamics model developed.
causes/scenarios are

250 September 2007 Published on behalf of the AIChE DOI 10.1002/prs Process Safety Progress (Vol.26, No.3)
 Table 1. Output from the Extended Hazop review of distillation column unit.

Plant: DF Process: Stripping column Page No: 2

Equipment: T1701 Function: Separates HCs from effluent stream Document: HI-2
Volume: V1 operating conditions: XD,H2O < 10% Toperation ¼ 558 C–1058 C; Poperation ¼ Patm; MF ¼ 4000 kg/h; Dated: ..........
design conditions: Tdesign ¼ 1158 C; Pdesign ¼ 1.9 bara
Process
Function/
No. Parameter Detection Possible Causes Consequences FC* Recommended Actions FC Ref. No.
2 More Not direct PDI 2.1 Physical effects: 2-1
1703 PI 1704 - reflux drum V1701 may run dry
†
Less or loss of cooling - reduction of reflux
P > Pdesign capacity in E1705
and E1702 Risk-related consequences:

Process Safety Progress (Vol.26, No.3)

- product quality deteriorate 22 - pressure alarm and 20
examine
- loss of production 24 vent line capacity 33
- release of material to 48 - {automatic Emergency 75
atmosphere via vent line shutdown (ESD) system 2-1
which may or may not be
safely dispersed and can
result to jet fire or VCE

2.2 Physical effects:

- accumulation of inert gases in
condenser E1705 and E1702
††
Restriction/blockage - reduction of condenser E1702
of vent line plus capacity

Published on behalf of the AIChE

pressure rise - increase of temperature profile
Risk-related consequence:
- product quality deteriorate 31 - pressure alarm 30
- loss of production 35 - †{automatic ESD 43
system
- release of material which 68 - **examining vent line 75

DOI 10.1002/prs
may lead to fire ball
or VCE or flash fire
- Column leakage or rupture 37 –

*In FC, F represents the frequency class rating from 0–9 and C represents the consequence class rating from 0–8 [2]. Thus first digit of number below entry
‘‘FC’’ shows frequency class of occurring the consequence (F) and second digit defines the consequence class (C). The number defines the risk category in
the risk potential matrix.
**Short cut calculations.
†
Dynamic simulation.
††
Fault tree analysis or Historic databases.

September 2007 251

{
Deterministic models.
†
Event-tree analysis.

Figure 4. Simulation of cooling failure with safety
valve in operation (vent line is open): (a) Total loss
of cooling, (b) Simulated response of pressure at
stage 1, 9, 16, and 34, (c) Simulated response of
reflux, vent, and distillate mass flow. [Color figure
can be viewed in the online issue, which is available
at www.interscience.wiley.com.]
(a) Less or Total Loss of Cooling Capacity
The total loss of cooling capacity is simulated by
‘‘NO’’ cooling medium flow by writing the following
task (edited in Aspen Dynamics)
Task ConFail runs when time ¼ 60
BLOCKS (‘‘PC1’’).automan:1;
BLOCKS (‘‘PC1’’).opman:0;
End
The task ConFail activates at simulation time t ¼
60 min. At this time, the cooling medium flow falls to
zero as shown in Figure 4a. As a response of this dis-
turbance in about 3–4 min, the pressure in the col-
umn rises rapidly (Figure 4b). This is due to the fact
that with no cooling medium, vapors are accumu-
lated in the column head section, which leads to a
rise in pressure in the column. After a short period of
252 September 2007 Published on behalf of the AIChE
time, the vapor is released via the relief vent to avoid
the overpressure as shown in Figure 4c.
The rate of material release reaches maximum to
1600 kg/h and distillate flow reduces to zero. The
reflux drum becomes empty in *30 min and reflux
flow falls to zero. Because of the release of the mate-
rial to atmosphere via relief valve, the column pres-
sure does not rise more than design pressure but
remains above normal operating pressure unless
cooling capacity is restored.
Thus risk-related consequences of this scenario
are
• Product quality deterioration with less cooling;
• Loss of production with total loss of cooling;
• Release of material to atmosphere which may or
may not be safely dispersed.
The frequency of this scenario (total loss of cool-
ing) is calculated using failure rate data of the com-
ponents. The failure rate data used is taken from
open literature [4–6] and only for the illustration pur-
pose of the methodology. The consequence class and
frequency class according to a scoring chart [2] is
established for these risk consequences using Event-
tree analysis. Event-tree analysis is applied in two dis-
tinct ways:
1. Preincident application to examine the systems in
place that prevent precursors from developing into
incidents.
2. Postincident application to identify incident out-
comes for this purpose.
Figure 5 shows Event-tree analysis for this sce-
nario. The frequency of a safe shutdown is 0.1225
per year; therefore, the frequency class for risk con-
sequence loss of production is two and conse-
quence class is four for this medium term produc-
tion disturbance according to score chart [2]. Thus,
this frequency and consequence class is docu-
mented in Extended Hazop worksheet (Table 1) for
the risk of loss of production. The release of mate-
rial may result into a range of possible incident out-
comes such as jet fire, vapor cloud explosion (VCE),
and flash fire. So, the frequency and consequence
class for the worst one (i.e., VCE with frequency
class 4 and consequence class 8 (Figure 5)) is docu-
mented in Table 1 for the risk consequence of the
release of material.
(b) Restriction or Blockage of the Vent Line When
the Pressure in the Column Rises
The increase in pressure is simulated by less or
loss of cooling capacity along with the blockage of
vent line via closed atmospheric vent. As shown in
Figure 6, the cooling water flow is reduced in three
steps: 10% reduction, 35% reduction, and 50%
reduction and finally complete loss of cooling me-
dium flow is simulated. Cooling water (7818 kg/h) is
supplied to the condenser during normal operation.
At simulation time t ¼ 2.5 h, the first step change is
introduced, which reduces the cooling water flow
rate to 7036 kg/h. Then at t ¼ 6 and 10 h, the sec-
DOI 10.1002/prs Process Safety Progress (Vol.26, No.3)
Figure 5. Event-tree analysis for scenario (a) less or total loss of cooling capacity.
ond and third step changes are introduced, which
reduced the cooling water flow rate first to 5082 and
to 3909 kg/h, respectively. Finally, at t ¼ 15 h, the
total loss of cooling capacity occurs. This stepwise
reduction in cooling capacity is shown in Figure 6a.
The simulated responses of column pressure, reflux
mass flow, and distillate mass flow in result of these
disturbances are shown in Figures 6b and 6c. At
about 35% reduction in cooling with no vent avail-
able for release of material, the maximum column
head pressure becomes more than design pressure
(190 kPa), and at a total loss of cooling, it sharply
reaches to three times the design pressure and then
stays at two times design pressure. The reflux falls
to zero at total loss of cooling-medium flow. Thus
risk consequences of this scenario are
• Product quality deterioration on less cooling;
• Loss of production on total loss of cooling;
• Instantaneous release of material due to column
rupture.
The frequency class and consequence class of
these risk-related consequences established in the
same way as for scenario (a) and documented in Ta-
ble 1 along with the recommended actions to reduce
the risk consequences. The column rupture results to
a long-term production disturbance and instantane-
ous release of the material may also result in a range
of possible incident outcomes such as fire ball, VCE,
and flash fire.
Process Safety Progress (Vol.26, No.3) Published on behalf of the AIChE
STEP III: SAFETY/RISK ASSESSMENT
Risk Potential Matrix (Hazop Decision Matrix)
The scenarios analyzed are documented before
and after improvement in the risk potential matrix
(Hazop decision matrix) as shown in Figure 7. The
numbers in the figures represent the scenarios (pos-
sible causes for different deviations) analyzed and are
given in Table2.
STEP IV: SAFETY/RISK SYSTEM OPTIMIZATION
Pressure relieve valves (PRVs), emergency shut
down systems (ESDs), and safety instrument systems
(SIS) are used in the process industry to prevent
overpressure hazards [6–8]. ESDs perform safety func-
tions by moving the process via a predetermined
way into a safe state. A complete system consists of
sensors, logic controllers (computer), and actuators.
Keeping in view the risk targets and results of the
Extended Hazop, (a) two simple optimization pro-
posals are developed during Extended Hazop dis-
cussion (SS-A, SS-B) involving installation of pres-
sure alarm system, and changing of the manual shut-
down valves to remotely operated solenoid valves
and (b) three optimization proposals (SS-C, SS-D,
SS-E) are developed after Extended Hazop. The cal-
culated value of the probability of failure on
demand (PFD) of the developed optimization pro-
posals along with their descriptions to prevent the
overpressure hazard are given in Table3. The
DOI 10.1002/prs September 2007 253

Figure 6. Simulation of cooling failure without safety
valve in operation (vent line is in partly or in total
blocked): (a) Stepwise reduction in cooling capacity,
(b) Simulated response of pressure at stages 1, 9, 16,
and 34, and (c) Simulated response of reflux and dis-
tillate mass flow. [Color figure can be viewed in the on-
line issue, which is available at www.interscience.
wiley.com.]
assumptions and calculation procedure are
described in Appendix A.
The Event-tree analysis is carried out for the
evaluation of these optimization proposals. First, a
preincident event tree is used to evaluate the effec-
tiveness of these safety system proposals and
sequence of events leading to a safe shut down and
the core accident is identified. For each case, the
probability of occurrence of a safe shut-off and
accident is calculated. After this, postincident event
254 September 2007 Published on behalf of the AIChE
Figure 7. Risk potential matrix (Hazop decision ma-
trix).
tree is used for identifying and evaluating quantita-
tively various incident outcomes. One of the prein-
cident and postincident event trees with SS-C safety
system is shown in Figure 8 for illustration. Simi-
larly, event trees are constructed for each of the
safety-related optimization proposals. The fre-
quency of the accident scenario (failure of safety
systems) and safe shutdown (success of safety sys-
tems) obtained from preincident event trees are
shown in Figure 9. It is clear that with the
implemntation of a more reliable safety system
(from SS-A to SS-E), the frequency of occurrence of
the accident scenario reduces and the safe shut-
down increases. One can select, easily, a suitable
safety system meeting the required risk level. How-
ever, final decision also depends on the cost of the
safety system and benefit achieved.
SUMMARY AND CONCLUSION
Distillation is a widely used unit operation in the
chemical-processing industries and is always a bottle-
neck. Therefore, methodology based on Extended
Hazop (Hazop supported by Dynamic simulation and
Event-tree analysis) for the identification of opera-
DOI 10.1002/prs Process Safety Progress (Vol.26, No.3)
Table 2. Scenarios (possible causes ID analyzed) presented in Figure 7.

Possible Causes ID Description

1.1 More direct steam flow or high steam temperature
1.2 Too much feed or HC slipping from S1601
1.3 Fouling of base pipe work or E1701 or wrong valve position of
bottom line
1.4 Too much reflux flow
2.1 Less or loss of cooling capacity in E1705 and E1702 (Table 1)
2.2 Restriction/blockage of vent line plus pressure rise (Table 1)
3.1 More cooling capacity in E1705 and E1702
3.2 Less or loss of Reflux flow because of pump failure
4.1 Restriction in bottom outlet valve or base pipework
4.2 Foaming
5.1 Column bottom by pass valve fail open
5.2 Rupture of pipe (column bottom outlet)
6.1 Faulty level measurement of V1701
7.1 Controller loss LC1703

Table 3. Safety system alternatives and their probability of failure on demand.

Safety
System Description PFD
SS-A Manual shutdown system with 1oo2D configuration for the pressure 0.55
alarm system
SS-B Remote shutdown system with 1oo2D configuration for the pressure 0.1004
alarm system and 1oo2 configuration for the shutdown valves
SS-C Automatic shutdown system using Non redundant PLC System with 6.18 3 10
3
1oo2D configuration for the pressure sensors and 1oo2
configuration for the shutdown valves and parallel 1oo1 pressure
alarm system
SS-D Automatic shutdown using Relay Logic with 2 trip amplifiers and 4 8.3 3 10
4
relays with 1oo2D configuration for the pressure sensors and 1oo2
configuration for the shutdown valves and parallel 1oo1 pressure
alarm system
SS-E Automatic shutdown using PLC TMR System with 2oo3 configuration 4.30 3 10
4
for the sensor and 1oo2 configuration of shutdown valves and
parallel 1oo1 pressure alarm system

PFD, Probability of failure on demand; PLC, Programmable logic controllers; TMR System, Triple modular
redundant system. 1oo2D, 1 of 2 with diagnostics, i.e., fault tolerant configuration. The diagnostic may be pro-
vided by an additional alarm monitor or built into the sensor. 1oo2, 1 of 2. Two valves are installed but only
one is required to shutdown. 1oo1, 1 of 1, i.e., single device. 2oo3, 2 of 3. Three devices are installed and two
are required to shut down.

tional failures and analyzing the effect of design
improvements in safety system is illustrated with the
help of stripping column. The operational failures
leading to column overpressures are identified. The
purpose of this article is to illustrate this systematic
methodology, and so common cause failures are not
included in this study. The column behavior is stud-
ied using dynamic simulation in ASPEN Dynamics.
Every effort is made to validate the model against
actual process data. Dynamic simulation in combina-
tion with Hazop is a powerful tool for safety exami-
nations. The result obtained helps in designing the
safety system and making decisions at the time of the
design of the process. Although this method is illus-
trated with a distillation column, it can be used for
any hazardous unit operation.
FUTURE WORK
Increasing social pressures and strict legislations
have resulted in changing the approach of traditional
design practices to incorporate risk in the design of
process plant. The risk decision process is very com-
plex because not only technical aspects but also eco-
nomical, environmental, comfort related, political,
psychological, and societal acceptance plays an im-

Process Safety Progress (Vol.26, No.3) Published on behalf of the AIChE DOI 10.1002/prs September 2007 255
Figure 8. Evaluation of safety proposal SS-C using preincident and postincident application of Event tree.

APPENDIX A

Calculations for PFD of Safety System Alternatives

Analysis of Relay System (3 Trip Amplifiers and 4 Electro-
mechanical Relays)
Assumptions:

• One relay for each input and output

• 98% fail safe
• Test interval ¼ 12 months
• MTBF ¼ 100 years for combined one relay and
one trip amplifier
so, k ¼ 1/100 ¼ 0.01 per year
PFDavg ¼ k (TI/2) ¼ 4 3 10
4.
Analysis of Nonredundant PLC System
Figure 9. Results of Event-tree anaylsis of different Assumptions:
safety optimization proposals.
• One PLC module with one input and output
module
• Test interval ¼ 12 months
portant role. So, the future work is to integrate the • For CPU
safety/risk objectives with economics and environ- MTBF ¼ 10 years; diagnostic covering ¼ 90%;
mental objectives in design. Fail safe ¼ 60%.

256 September 2007 Published on behalf of the AIChE DOI 10.1002/prs Process Safety Progress (Vol.26, No.3)
• I/O module SS-A ¼ 0.55
SS-B ¼ 0.00017 þ 0.1 þ 0.00026 ¼ 0.1004
MTBF ¼ 50 years; diagnostic covering ¼ 50%; SS-C
Fail safe ¼ 75%. Shutdown system ¼ 0.00017 þ 0.00575 þ 0.00026
PFD avg ¼ k (TI/2) ¼ 5.75 3 10
3. ¼ 0.00618
Pressure alarm ¼ 0.05
Analysis of TMR PLC System SS-D
Assumptions: Safety shutdown system ¼ 0.00017 þ 0.0004 þ
0.00026 ¼ 0.00083
• One PLC module with one input and output Pressure alarm system ¼ 0.05
module SS-E
• Test interval ¼ 12 months Safety shutdown system ¼ 0.00017 þ 7.56 3 10
8
• For CPU þ 0.00026 ¼ 0.0004
MTBF ¼ 10 years; diagnostic covering ¼ 99%; Pressure alarm system ¼ 0.05.
Fail safe ¼ 60%
• I/O module
MTBF ¼ 50 years; diagnostic covering ¼ 99%; LITERATURE CITED
Fail safe ¼ 75% 1. H.Z. Kister, What caused tower malfunctions in the
• Ignoring common cause failures last 50 years? Trans I Chem E 81A (2003), 5–26.
2. N. Ramzan, F. Compart, and W. Witt, Methodology for
PFD avg ¼ (k 3 TI)2 ¼ 7.56 3 10
8.
generation and evaluation of safety system alterna-
tives based on extended Hazop and event tree analy-
For 1002 Configuration of Shutdown Valves sis, Process Safety Progress 26 (2007), 35–42.
Shutdown valves ¼ (k 3 TI)2/3 ¼ 0.00026. 3. H.Z. Kister, Distillation Operation, McGraw Hill,
New York (1989), pp 229–251.
For 1002D Pressure Sensors 4. D.A. Crowl and J.F. Louvar, Chemical Process
Assumptions: Safety: Fundamentals with Applications, Prentice
Hall, New York (1999), pp 471–508.
• diagnostic coverage ¼ 60%
5. F.P. Lees, Loss Prevention in CPI, Butterworths,
• mean time to repair (MTTR) ¼ 12 h
London, UK (1996).
• test interval (TI) ¼ 12 months
6. Paul Gruhn, P.E., Harry L, Cheddie P.E. Safety
PFDavg ¼ kDD 3 MTTR þ (kDU 3 TI)2/3 ¼ 0.00017 Instrumented Systems: Design, Analysis and Justifi-
Now using formula [4,9] cation, ISA-The Instrumentation, Systems, and Au-
tomation Society, U.S., 2nd ed., 2006. ISBN: 1-
1. Series link of components 55617-956-1.
7. P. Williams, Reliability for Safety Instrumented Sys-
Y
n tems, Chem Eng Prog (2004), 27–32.
P ¼1
ð1
Pi Þ 8. Safeguarding of industrial process plants by means
i¼1 of process control engineering—Classification of
process control systems, realisation, operation and
testing of safety instrumented systems, Part 2,
2. Parallel link of components VDI/VDE 2180, German Standard.
Y
n 9. CCPS-Center for Chemical Process Safety, Guide
P¼ Pi Lines for Chemical Process Quantitative Risk Anal-
i¼1 ysis, Center for Chemical Process Safety, American
Institute of Chemical Engineers, New York (2000),
The PFD for systems calculated are pp 297–387.

Process Safety Progress (Vol.26, No.3) Published on behalf of the AIChE DOI 10.1002/prs September 2007 257