
The People’s Democratic Republic of Algeria

Ministry of Higher Education and Scientific Research


University of 20 August 1955 SKIKDA
Faculty of Technology
Petrochemical Industries Department

Thesis for the Degree of Master


Section : Petrochemical industries

Speciality : Automation and control

Risk analysis using system theoretic methods


STAMP/STPA applied to a petroleum process

Presented by : ARIBI Aya

Defended on 18/07/2021 in the presence of the following jury members:

President: MCB. BOUNEZZOUR Hicham, U-Skikda

Supervisor: MCB. MECHHOUD El-Arkam, U-Skikda

Co-supervisor: MCB. BENDIB Riyad, U-Skikda

Examiner: MCB. MENIGHED Kamel, U-Skikda

Promotion : 2020/2021
 

Thanks :
 

First of all, I thank Allah for giving me the strength and the daring to overcome all difficulties.

I would like to thank the head of the Petrochemical Industries Department, Faculty of Science
and Technology at the University of 20 August 1955 Skikda, Mr. BENDIB Riyad, for his
encouragement and advice throughout the preparation of this work; despite the Corona pandemic,
he remained in constant contact with us.

I would also like to express my sincere thanks to the course head, Mr. MENIGHED Kamel, for his
guidance, his useful directives and the time he kindly devoted to me, and without whom this work
would never have seen the light.

I would like to express my sincere thanks to my supervisor, Mr. MECHHOUD El-Arkam, who
agreed to supervise and direct this work, and who was always present with his guidance and
precious advice.

To Mr. BOUGHIOUT Ahmed and Mr. BOUSBA Walid, who guided and advised me during my
internship, which allowed me to go further and progress throughout this work, and also to outline
the lines and objectives of future research work. May they find here the expression of all my
gratitude for their great availability; thank you very much.

I would like to express my sincere thanks to the members of the jury for the honor they do me
by accepting to judge this work.

A big thank you to all my family, to my father and my mother, who are the reason I am here today,
to all my brothers, and also to my friends.

Finally, all my thanks go to those who, from near or far, have given me their help. I was
obviously thinking of all those who were available until the last moment.


 
 

Abbreviations list:

STAMP: Systems-Theoretic Accident Model and Processes

STPA: System-Theoretic Process Analysis

HAZOP: hazard and operability study

FMEA: failure mode and effects analysis

FTA: fault tree analysis

RPA: preliminary risk analysis

CAST: causal analysis based on system theory

UCA: unsafe control action

HDPE: high-density polyethylene

PE: polyethylene

CP2K: petrochemical complex 2, Skikda

XPF: Ziegler-type catalyst

DCS: distributed control system

PLC: programmable logic controller

PID: proportional, integral, derivative

 
 

Figure list:
Figure I.1 Chemical structure of the polyethylene…...………………………………….…………...5

Figure I.2 Implementation of CP2K complex…..……………………………………………….……7

Figure I.4 Photo shows the main installations of the CP2K unit………………………………...…..8

Figure I.5 Overview of the process used to have a final product of a polyethylene powder……….13

Figure I.6 Organization chart of the maintenance department……………………………….……..15

Figure I.7 Organization chart of the instrumentation service………………………………….……16

Figure II.1 HAZOP method………………………………………………………………….……...20

Figure II.2 FMEA method…………………………………………………………………………..23

Figure II.3 The FTA method ‘fault tree analysis’…………………………………………………...26

Figure II.4 fault tree diagram……………………………………...……………………………..….27

Figure II.5 Event symbols………………………………………………………………………......28

Figure II.6 Gate symbols…….………………………………………………………………………28

Figure II.7 Transfer symbols……...…………………………………………………………………28

Figure III.1 Using systems thinking will provide the leverage we need to get beyond simple event-
based thinking and reduce accidents in complex systems…………………………………………...32

Figure III.2 Accidents occur when the system gets into a hazardous state, which in turn occurs
because of inadequate control in the form of enforcement of the safety constraints on the system
behavior……………………………………………………………………………………………...35

Figure IV.1 The polymerization process……………………………………………….………..…..42

Figure IV.2 Diagram of the reactor temperature loop……………………………………………….43

Figure IV.3 A DCS view of the settling legs…………………………………………………...………45

Figure IV.4 Control structure of the HDPE reactor…………………………………………….……46

Figure IV.5 Hierarchical control structure of CP2K unit………..……………………………….….47

Figure IV.6 Creating a new TriStation window………………………………………………...…….52

Figure IV.7 build the process temperature logic……………………………………………………..53

Figure IV.7 build the process pressure control…………………………………………………........53

Figure IV.8 naming the variables and setting items…………………………………………….……54

 
 

Figure IV.9 running the program…………………………………………………..………..……….54

Figure IV.10 connecting to InTouch software……………………………………………..…..…….55

Figure IV.11 creating a new InTouch window………………………………………….…..…….…55

Figure IV.12 access to symbol factory…………………………………………………….….……..56

Figure IV.13 building the process……………………………………………………………..…….56

Figure IV.14 Display of the normal pressure and temperature conditions………….………..57

Figure IV.15 Display of the over-temperature case……………...……………………………..57

Figure IV.16 Display of the over-pressure case………………………………….……….…….58

Figure IV.17 Display of the high-high pressure case……………………………..……….…..58

 
 

Table list:
Table II.1: Key words………………………………………………………………………………21

Table III.1 Define UCAs…………………………………………………………………………...39

Table IV.1 Hazard identification…………………………………………………………………...47

Table IV.2: STPA table…………………………………………………………………………….48


 
 

Table of content:
Thanks

Abbreviations list

Figure list

Table list

General introduction  

Chapter 01: presentation of CP2K unit


Introduction:…………………………………………………………………………………. 4

I.1 Polyethylene:………………………………………………………………………….. 4

I.2 POLYMED presentation……………………………………………………………….6

I.2.1 POLYMED implementation…………………………………………………...6

I.2.2 Description of the plant………………………………………………………...8

I.2.2.1 splitting of the complex………………………………………………………9


I.3 Phillips Procedure Particle Form Process (PF Process)……………………………….10

I.4 Industrial maintenance…………………………………………………………………13


I.4.1 Definition ……………………………………………………………………...13

I.4.2 Types of maintenance…………………………………………………….……13

I.4.2.1 Corrective Maintenance………………………………………………….…..13

I.4.2.1.1 Delayed Corrective Maintenance………………………………………….14

I.4.2.1.2 Emergency Corrective Maintenance………………………………………14

I.4.2.2 Preventive maintenance……………………………………………………...14

I.4.2.2.1 Systematic preventive maintenance…………………………………….….14

I.4.2.2.2 Conditional preventive maintenance………………………………………14

I.4.2.2.3 Predictive preventive maintenance………………………………………...14

 
 

I.5 Industrial Instrumentation………………………………………………….…………..15

Conclusion……………………………………………………………………………….…….16

Chapter 02: Traditional risk analysis techniques

Introduction……………………………………………………………………………………18

II.1 The goal of operational safety………………………………………………………….18

II.2 Traditional risk analysis methods………………………………………………………18

II.2.1 HAZOP method………………………………………………………………..19


II.2.1.1 Definition…………………………………………………………………….19

II.2.1.2 Objective……………………………………………………………………..19

II.2.1.3 General principles of the HAZOP method…………………………………..20

II.2.1.4 Technique…………………………………………………………………….20

II.2.1.5 Parameters……………………………………………………………………21

II.2.1.6 The most commonly used parameters pairs………………………………….22

II.2.2 The FMEA method…………………………………………………………….22


II.2.2.1 Definition……………………………………………………………………22

II.2.2.2 Basic terms………………………………………………………………...…23

II.2.3 The FTA method ‘fault tree analysis’………………………………………….25

II.2.3.1 Definition………………………………………………………………….....25

II.2.3.2 Method…………………………………………………….…………………25

II.2.3.3 Usage……………………………………………………….……………...…26

II.2.3.4 Graphic symbols …………………………………………….…………….…27

II.2.3.5 Event symbols……………………………………………….…………….....27

II.2.3.6 Gate symbols………………………………………………….…………..….28

II.2.3.7 Transfer symbols……………………………………………….…………….28

II.2.3.8 Advantages and limitations ……………………………...…….……………29

 
 

Conclusion………………………………………………………………………….…………..29

Chapter 03: Definition of the STAMP/STPA method


Introduction……………………………………………………………………………………31

III.1 System Theory………………………………………………………………………...31

III.2 Systems Thinking………………………………………………………….…………..31

III.3 Why the traditional approach is not enough?................................................................32

III.4 Why Do We Need Something Different? …………………………………….……...33

III.5 STAMP (Systems-Theoretic Accident Model and Processes)…………………….…....34

III.6 STPA (System-Theoretic Process Analysis)………………………………………..……35

III.7 The STPA process………………………………………………………………....….36

III.8 Why using STAMP-STPA? ……………………………………………………….….37

III.9 STPA Process……………………………………………………………………….…38

III.9.1 Establishing the System Engineering Foundation………………………….…38

III.9.2 Identifying Unsafe Control Actions (STPA Step 1)……………………….…38

III.9.3 Identifying the Causes of the Unsafe Control Actions (STPA Step 2)………...39

Conclusion……………………………………………………………………………………..39

Chapter 04: Case study: Application of the STPA method to the HDPE reactor

Introduction……………………………………………………………………………..……..42

IV.1 The polymerization process……………………………………………………….……42

IV.2 Application of STPA and results…………………………………………….…………45

IV.2.1 Hazard identification…………………………………………………………47

IV.2.2 STPA table…………………………………………………………………...48

IV.2.3 Result and discussion…………………………………………………………51

IV.2.4 Safety recommendations……………………………………………………..52

 
 

IV.2.5 InTouch simulation…………………………………………………………...52

Conclusion ……………………………………………………………………………………59

General conclusion…………………………………………………………………….………61

Abstract

Résumé

‫ملخص‬

General introduction:

The petroleum and petrochemical industries occupy an important place among the economic and
energy resources of nations. They usually handle large amounts of potentially dangerous materials
(toxic, explosive, flammable, etc.), very often under extreme conditions (high temperature and/or
pressure). These industries rely on complex systems with many parameters to control, which
generates several types of risk, such as explosions that cause damage to both people and the
environment. It is therefore necessary to have effective risk management rather than trying to
eliminate risk from a project entirely, which is often impossible.

In order to avoid or reduce the extent of damage caused by major accidents, it is necessary to
model the functions and relationships between the components of an industrial system.

For this purpose, in this thesis we use the modeling approach of STPA (System-Theoretic
Process Analysis), which is based on the STAMP accident model (Systems-Theoretic Accident
Model and Processes), to represent the hierarchical structure of the system as well as the control
mechanisms necessary to preserve the safety of an industrial process. To address issues related to
industrial safety controls, we propose the use of the InTouch simulation tool, which makes it
possible to model and simulate the behavior of the system under study.

The objective of this work is therefore to propose an approach based on both modeling and
simulation to analyze the risks and prevent accidents in the HDPE reactor of the CP2K unit at Skikda.

The work consists of 4 chapters:

Chapter 1: Presentation of the CP2K unit: in this chapter we introduce the petrochemical
complex CP2K in detail, describing its role within the Sonatrach group, its geographic location, its
main units, its raw materials and its final products.

Chapter 2: Traditional risk analysis techniques: in this chapter we present the risk assessment
methodology and the different hazard analysis techniques that have been used so far.

Chapter 3: Definition of the STAMP/STPA method: in this chapter we present the newer hazard
analysis technique STPA, based on the STAMP accident model, highlighting its advantages,
discussing the future of risk assessment, and explaining why we became interested in these
young techniques.

Chapter 4: Case study: Application of the STPA method to the HDPE reactor of the CP2K unit: in
this chapter we apply the STPA method to the process under study (the HDPE reactor of the CP2K
unit in Skikda), using the InTouch simulation tool to model the process behavior, and we provide
recommendations for better risk management in the HDPE reactor.

We close this work with a general conclusion summarizing the results obtained through our study.
Chapter 01: Presentation of CP2K unit

Introduction:
Petrochemistry is the science and technology of petroleum chemistry, the industry that uses oil
and natural gas as raw materials for the production of many chemicals. It provides the knowledge
and the processes needed to extract chemical substances from fossil fuels. Gasoline, diesel,
kerosene, propane, methane and butane are some of the fossil fuels used to make petrochemicals
[17]. Petrochemicals are also used to produce fertilizers, pesticides and herbicides, to obtain asphalt
and synthetic fibers, and to manufacture several kinds of plastics. Gloves, rubber goods and paints,
among many other everyday items, are products of the petrochemical industry [17]. Petrochemicals
are obtained in refineries through physical and chemical transformations of hydrocarbons. The basic
process, which splits oil and natural gas into various lighter compounds, is called cracking (the
molecules are divided) [17]. Combining basic petrochemicals with other chemical inputs yields
intermediate petrochemicals such as methanol-based resins (used in the manufacture of rubbers,
plastics, detergents and lubricants), polyurethanes (for mattresses and plastics) and acetaldehydes
(perfumes, flavor enhancers, etc.) [17]. The petrochemical industry requires strict safety measures to
avoid environmental damage, since its processes are potentially polluting and have a high
environmental impact [17].

Ethylene and propylene share one feature: they can join together into giant molecules that form
long chains, threads of infinitesimal size that intertwine in different ways. These polymers are the
raw material of plastics [18]. They usually come as pellets, but also as powders, pastes or liquids.
Processing them yields the various families of plastics [18]:

 Polyethylene, the most widely used in the world, is essential for packaging (supermarket
bags, milk bottles and flasks), toys, pipes, films, etc.
 Polypropylene can be made stiffer and shock resistant; it is used in car bumpers and
dashboards, in furniture, etc.
 Polystyrene is used in televisions, home appliances, CD and DVD cases, yoghurt
containers, insulation, etc.

I.1 Polyethylene:

Polyethylene, the best-known plastic, produced at more than 85 Mt/year, is the simplest of the
commercial polymers: it is made up solely of CH2 groups. This material, which has such varied
uses, has a very simple structure resulting from the coupling of a very large number of ethylene
molecules, represented by the chemical formula shown in figure I.1 [19]:


Figure I.1: Chemical structure of the polyethylene[17]

Polyethylene (PE) was first prepared in 1898 by Hans von Pechmann, a German chemist who
obtained it by heating diazomethane, CH2N2, an unstable and toxic product, with release of
dinitrogen. This waxy product was subsequently characterized as polymethylene [19]. Two chemists
at Imperial Chemical Industries (ICI), Eric Fawcett and Reginald Gibson, accidentally discovered
the first practical synthesis of polyethylene using a more readily available molecule, ethylene,
C2H4. By heating a mixture of ethylene and benzaldehyde under high pressure (several hundred bar)
in the presence of traces of oxygen, they obtained a white, waxy material. The reaction was
reproduced in 1935 and then developed, leading in 1939 to industrial production by ICI of a
polyethylene characterized by a density of 0.95 and other interesting properties. It is said that the
use of this material as insulation for the wires and cables of the first radar installations contributed
to the British victory in the Battle of Britain [19].

The search for milder temperature and pressure conditions for the polymerization of ethylene led
in the 1950s to the development of catalytic systems based on transition metals: chromium trioxide,
discovered in 1951 by Robert Banks and J. Paul Hogan at Phillips Petroleum (USA), and
combinations of titanium chlorides with organoaluminum reducing compounds, developed in 1953
by Karl Ziegler at the Max-Planck-Institut für Kohlenforschung (Germany). Karl Ziegler's seminal
work on transition metal salt and organoaluminum combinations earned him the Nobel Prize in
Chemistry, shared with Giulio Natta. A third type of catalytic system, based on the combination of a
particular family of organometallic complexes, the metallocenes, with new organometallic reducers,
the alkylaluminoxanes, was discovered in 1976 in Hamburg by Walter Kaminsky and Hansjörg Sinn.
The search for new catalytic systems is still ongoing and leads to highly efficient catalysts capable
of producing several tons of PE per gram of catalyst [3]. These different families of catalysts make
it possible to obtain various types of polyethylene and to copolymerize ethylene with other olefins,
leading to a wide range of polyethylenes whose properties answer very specific applications.
Polyethylenes may be linear or branched and are classified according to [19]:


 Their density, which depends on the number and length of the branches on the molecular
chains: PE-TBD (very low density polyethylene), PE-BDL (linear low density polyethylene,
0.91-0.94), PE-HD (high density polyethylene, > 0.94);
 Their molar mass: very low molecular weight polyethylene, high molecular weight
polyethylene, very high molecular weight polyethylene;
 Their degree of crosslinking, reflecting the presence of covalent bonds between chains
created by chemical reactions after polymerization: cross-linked polyethylene (PE-R), high
density cross-linked polyethylene (PE-RHD).

Branched polyethylene is produced by radical polymerization of the vinyl monomer. Linear
polyethylene is manufactured by a more complex method called Ziegler-Natta polymerization.
UHMWPE is manufactured by metallocene-catalyzed polymerization [19]. The best-known use of
polyethylene is the plastic bag. With high-density PE, the bag crumples easily in the hand with a
crackling noise and returns more or less spontaneously to its original shape. With low-density PE
the feel is more "greasy", the bag crumples without noise and is easily pierced with a finger [19].
High-density PE is used for the manufacture of rigid products: bottles, jars, jerry cans, automotive
fuel tanks, hoses, etc., whereas low-density PE is used for flexible products: bags, films, sachets,
flexible tubes, etc. PE-R is reserved for the manufacture of cable ducts. High molecular weight PE
is used for its high mechanical performance, superior to that of aramids such as Kevlar: bulletproof
vests, sports articles [19]. Although polyethylenes are recyclable, most commercial products end up
in landfills, seas and oceans; polyethylenes are not biodegradable [19].

I.2 POLYMED presentation:


I.2.1 POLYMED implementation:


Figure I.2: Implementation of CP2K complex[17]

The HDPE (High Density Polyethylene) complex is located inside the industrial zone of
Skikda, on an area of 166,800 m² (16.68 hectares), of which 10% is built. The site lies about 6 km
east of the main town of the wilaya of Skikda, at an average height of about 6 m above sea level.
Its boundaries, illustrated in figure I.3, are as follows:
 North: the Mediterranean Sea;
 South: the main road of the industrial zone;
 East: FIR (the Response and Reserve Force);
 West: CP1K (plastic materials complex).

Figure I.3: Diagram shows the installation of HDPE production unit[17]


I.2.2 Description of the plant:

The purpose of the HDPE project is a high-density polyethylene production unit with a capacity
of 130,000 t/year. The raw materials used are [20]:
A. Ethylene
B. Hexene-1
C. Isobutane
D. Propane
E. Hydrogen
F. Nitrogen
G. Catalyst - Type 989 MS, non-activated
H. Catalyst - Type 909 ID, non-activated
I. Catalyst - Type 963 Magnapore Tergel
J. Activated catalyst
K. Catalyst - Lynx 100 (XPF catalyst)
L. Co-catalyst - Triethyl aluminum (TEA)
M. Diethyl zinc (DEZ)
N. Triethyl boron (TEB)
O. 3,3'-Dilauryl thiodipropionate (DLTDP)
P. Irganox 1010
Q. Irganox 1024
R. Irganox 1076
S. Tinuvin 144
T. Pump seal oil
U. Isopropyl alcohol
V. Ultranox 626
W. Armostat 310
X. Stadis 450
Y. Calcium stearate
Z. Zinc stearate
AA. UV 531
BB. Carbowax 400

The complex is designed for the manufacture of high-density polyethylene (HDPE), intended to
supply the domestic plastics processing industry, with the surplus exported. The national clientele
consists of various public enterprises such as ENPC and ENCG, as well as private-sector processing
companies. The main applications are agricultural films, fishing nets, bags, household articles,
packaging, etc.

TECHNICAL SHEET [20]:

 PRODUCTION CAPACITY: 130,000 t/year
 PROCESS: Chevron Phillips
 RAW MATERIAL: ethylene
 PLANT START-UP: March 23, 2005
 OPERATION: May 1, 2005

MATERIALS USED [20]:

 ETHYLENE: 133,000 t/year (CP1.K and import)
 ISOBUTANE: 2,500 t/year (GL1.K)
 HEXENE-1: 1,430 t/year (import)
 NITROGEN: 20 million Nm³
 HYDROGEN: 52 t/year

I.2.2.1 Division of the complex:

The complex consists of four main areas:

A) Off-site area
 Utilities (boilers, nitrogen, air, desalinated water, fire-fighting water, drinking water and gas
expansion);
 The flare;
 Isobutane and hexene storage;
 Wastewater treatment;
 Catalyst activation.
B) Wet area
 Treatment columns;
 Reactor;
 Compressors and pumps.
C) Dry area
 Extruder;
 Blowers;
 Storage silos for finished products (powder and pellets);
 Bagging.
D) Building area
 Administration and finance block;
 Canteen and changing rooms;
 Nurse and safety block;
 Spare parts store, workshops and technical block;
 High and low voltage substations;
 Control room and laboratory.

Figure I.4: Photo shows the main installations of the CP2K unit[17]

I.3 Phillips Particle Form Process (PF Process):

The polymerization reaction takes place in a pipe loop reactor, forming solid particles in a diluent
carrier. The Phillips Petroleum Company particle form process consists of the following steps: feed
preparation, reaction, polymer concentration, hydrocarbon recovery and purification, polymer
devolatilization, extrusion, bagging and storage. The product is a pellet of consistent size and quality,
readily usable by any manufacturer of finished consumer goods. The feedstock to the process is
principally high-purity ethylene. A small amount of hexene-1 is used as a comonomer to produce
copolymer resins with specific properties for certain end uses [21]. Make-up quantities of the
hydrocarbon carrier or diluent, isobutane, are degassed as they enter the process, to remove light
gases, and then dried. The isobutane must be of high purity [21]. The recycle isobutane, fresh
isobutane, ethylene and catalyst are introduced into a reactor specially developed and designed by
Phillips Petroleum Company. The resin is separated from the isobutane and any unreacted ethylene.
The recovered isobutane is purified and recycled to the reactor. After the resin is thoroughly dried,
antioxidants and other additives are added according to the intended end use. The resin is extruded
in large commercial extruders and then pelletized. The pellets obtained are transferred pneumatically
to large blending tanks, big enough to hold and blend one complete resin lot. In the case of Polymed,
resin lots can be produced and blended in nominal 100,000 kg quantities. Blending a whole lot in one
blender gives greater consistency throughout the resin lot. The blend is then normally stored in
natural pellet bulk tanks of 100,000 kg for bagging, or in tanks of 300,000 kg capacity for loading
into trucks [21].

After purification and drying, the diluent, isobutane, is used in the catalyst system as both a carrier
and a pressure maintenance medium, and in the reactor as a carrier for the suspended polymer.
Hexene-1 is degassed, dried and added to the total composite reactor feed stream. Reaction-grade
ethylene is dried and treated to remove carbon dioxide before use in the reactor. Ethylene (and
hexene-1 for copolymers) reacts in a liquid-full pipe loop reactor in the presence of polymerization
catalyst [21]. The polyethylene is formed as discrete particles in a rapidly circulating
isobutane-polymer slurry [21]. The polymer slurry from the reactor discharges through the settling
legs and is heated in the flash lines as it flows to the flash chamber. In the flash chamber, most of the
isobutane is removed from the polymer. The flashed vapor passes to the entrained polymer removal
equipment (cyclone, bag filter and guard filter) [21]. The polymer drops from the bottom of the flash
chamber through two sequentially operated ball valves into the purge column. Hydrocarbon vapor is
displaced from the polymer by recycled purge gas flowing from the bottom of the vessel up through
the bed of polymer. The displaced hydrocarbon vapor can be recovered and returned to the process
via the Purge Gas Compressor and the Purge Gas Recovery System. The nitrogen is also recovered
for recycling in the system. The polymer level in the purge column is automatically controlled by a
gamma-ray level controller, which varies the speed of the rotary valve at the bottom of the purge
column. From the purge column the polymer is conveyed by a closed-loop nitrogen system to one
of the fluff tanks, where additional purging with nitrogen takes place. Alternatively, the fluff can be
conveyed directly to the extruder feed tank, bypassing the fluff storage [21].

Entrained polymer is removed from the flashed recycle isobutane diluent in the flash gas cyclone
and bag filter. Cartridge-type guard filters provide a backup in the event of bag breakage in the bag
filter. The diluent vapors are compressed and flow to the diluent purification system, where the
recycle isobutane diluent stream from the reactor is compressed for injection into the Recycle
Isobutane Column. Hexene-1 and other heavy components (polymers, oils, hexane from XPF catalyst
usage, etc.) are removed as a bottom draw from the column and directed to the Dehexanizer Column
(Hexene-1 Recovery Column). Hexene-1 and isobutane are recovered from this column as an
overhead stream and returned to the Recycle Isobutane Storage Tank, where they combine with
recycle isobutane that has been degassed for feed to the reactor. The heavy stream from the bottom
of the Dehexanizer Column is disposed of to the flare. The overhead vent of the Dehexanizer Column
Overhead Accumulator is returned to the Recycle Compressor [21]. Light components, along with
ethylene, are removed overhead from the Recycle Isobutane Column. To reduce diluent losses, the
vapor from the column overhead accumulator passes through the Ethylene Vent Column and a
refrigerated condenser before being returned to the Ethylene Plant [21].

Polymer from the Purge Column can be stored as fluff in the fluff tanks or sent directly to the
extruder feed tank. Normally, the fluff is extruded into pellets, which are blended into predetermined
lot sizes. The results of the specification analysis determine the further disposition of the lot: it may
be bagged and shipped, bagged and stored, loaded into trucks, or blended with another lot to bring it
within sales specification. Figure I.5 gives an overview of the process used in the Polymed unit.


Figure I.5: Overview of the process used to have a final product of a polyethylene powder[1]

I.4 Industrial maintenance:


I.4.1 Definition :

Maintenance is the set of all technical, administrative and management actions during the life
cycle of an asset, intended to maintain or restore it in a state in which it can perform the required
function [22]. The set of technical actions comprises [22]:

1. The design of maintenance (training of agents, technical documentation, adequate equipment
(tools) and supplies (spare parts)).

2. The execution of the various maintenance operations.

3. Monitoring the quality and reliability of equipment, management of the maintenance tools and
durability of the equipment.

I.4.2 Types of maintenance

I.4.2.1 Corrective Maintenance:

Maintenance performed after a fault has been detected, intended to return an asset to a state in
which it can perform a required function [22].


I.4.2.1.1 Delayed Corrective Maintenance:

Corrective maintenance that is not executed immediately after a failure is detected, but is
delayed in accordance with given maintenance rules [22].

I.4.2.1.2 Emergency Corrective Maintenance:

Corrective maintenance performed immediately after a failure is detected, to avoid
unacceptable consequences [22].

I.4.2.2 Preventive maintenance:

Maintenance performed at predetermined intervals or according to prescribed criteria, intended
to reduce the probability of failure or of degradation of the operation of an asset [22].

I.4.2.2.1 Systematic preventive maintenance:

Preventive maintenance carried out at pre-established time intervals or after a defined number of
units of use, but without prior checking of the condition of the asset [22].

I.4.2.2.2 Conditional preventive maintenance:

Preventive maintenance based on monitoring of the operation of the asset and/or of significant
parameters of that operation, integrating the actions that result from it [22].

I.4.2.2.3 Predictive preventive maintenance:

Conditional maintenance executed following the extrapolated predictions of the analysis and
evaluation of parameters significant to the degradation of the asset [22].

Figure I.6 shows the organization chart proposed by the management of the Polymed unit for the
maintenance department.


Figure I.6: Organization chart of the maintenance department[1]

I.5 Industrial Instrumentation:

Instrumentation is the field covering the methods of installation, adjustment and operation of all
the measuring, computing and actuating devices required to control an industrial process, including
its protection and safety aspects [23]. The instrumentation dedicated to observation consists of
sensors, transmitters and indicators, which deliver continuous measurements, and of detectors, which
deliver binary information. The instrumentation used for action concerns the final control elements,
such as control valves, fans, pumps and electrical heating resistors, and the pre-actuators, such as
signal converters, positioners and variable speed drives [23]. All input and output cards of controllers
and programmable logic controllers (PLCs) are also part of the instrumentation [23]. Figure I.7
shows the organization chart proposed by the management of the Polymed unit for the
instrumentation service.


Figure I.7: Organization chart of the instrumentation service[1]

Conclusion:

The petrochemical sector is an important field for investment. Polymed is one of Algeria's
petrochemical investments; increasing the productivity of the Polymed unit and building similar units
is now a necessity for strengthening the national economy, especially after the economic crisis.

Chapter02: traditional risk analysis techniques

Introduction:

Operational safety means the absence of unreasonable risk from hazards that result from
functional insufficiencies of the intended functionality (missed or false detection of a measured
quantity) or from operational disturbances (environmental conditions). It consists of knowing, evaluating,
measuring, preventing and managing the failures of a system, and human errors, in order to avoid
losses and consequences for the safety of people and of the environment.

The operational safety analysis consists of three main steps:

 Structural and functional analysis of the system.
 Qualitative and quantitative forecasting analysis of the system.
 Synthesis of the previous analyses and a conclusion.

II.1 The goal of operational safety:

The goal of operational safety is to assess potential risks, to foresee the occurrence of failures
and to minimize the consequences of catastrophic situations when they do arise.

II.2 Traditional risk analysis methods:


Since the 1960s, risk analysis methods have grown strongly in number and have specialized
according to their fields of application.

In this section we briefly present some of the methods that underpin risk control and that gave rise to
the development of newer methods. There are many tools and techniques for identifying potential hazards
and operability issues, ranging from checklists to HAZOP, passing through failure modes and effects
analysis (FMEA), preliminary risk analysis (APR) and others.

Some techniques, such as checklists and what-if analysis, can be used early in the system
life cycle, while little information exists, or in a later phase if a less detailed analysis is
sufficient. HAZOP studies require more detail on the system under consideration, but provide more complete
information on the hazards and errors in the system design.

Before carrying out a risk analysis, it is essential to analyze the system that we wish to study,
since 'a problem without a solution is a badly posed problem' (Albert Einstein), that is to say:

 Define the limits of the system
 Define the scales of the study
 Define the content of the product and of the environment studied, in the sense of a systemic
approach
 Define the links and interactions between these products and their environment
 Define the global functioning of the system by a functional analysis

II.2.1 HAZOP method:

II.2.1.1 Definition:

Hazard and operability study (HAZOP) is a structured and systematic examination of a
complex planned or existing process or operation, in order to identify and evaluate problems that may
represent risks to personnel or equipment. The intention of performing a HAZOP is to review the
design to pick up design and engineering issues that may otherwise not have been found. The
technique is based on breaking the overall complex design of the process into a number of simpler
sections called 'nodes', which are then individually reviewed. It is carried out by a suitably
experienced multi-disciplinary team (the HAZOP team) during a series of meetings. The HAZOP technique is
qualitative, and aims to stimulate the imagination of participants to identify potential hazards and
operability problems. Structure and direction are given to the review process by applying
standardized guide-word prompts to the review of each node. The relevant international standard
calls for team members to display 'intuition and good judgment' and for the meetings to be held in 'a
climate of positive thinking and frank discussion' [11].

II.2.1.2 Objective:

The objectives of this method are:

• Identify all deviations from the way a system is intended to function: their causes, and all
the hazards and operability problems associated with these deviations.

• Decide whether actions are required to control the hazards and/or the operability problems,
and if so, identify the ways in which the problems can be solved.

• Identify cases where a decision cannot be made immediately, and decide on what
information or actions are required.

• Ensure that the actions decided on are followed up.

Figure II.1: HAZOP method[11]

II.2.1.3 General principles of the HAZOP method:

As a basis for the HAZOP study the following information should be available:

• Process flow diagrams
• Piping and instrumentation diagrams (P&IDs)
• Layout diagrams
• Material safety data sheets
• Provisional operating instructions
• Heat and material balances
• Equipment data sheets
• Start-up and emergency shut-down procedures

II.2.1.4 Technique:

1) Divide the system into sections (e.g., reactor, storage)

2) Choose a study node (e.g., line, vessel, pump, operating instruction)

3) Describe the design intent

4) Select a process parameter

5) Apply a guide-word

6) Determine cause(s)

7) Evaluate consequences/problems

8) Recommend action: What? When? Who?

9) Record information

10) Repeat procedure (from step 2)

II.2.1.5 Parameters:

The team applies, systematically and in order, a set of guide words to each node in the
process in order to identify deviations [3]. To ensure completeness, it may also be helpful to explicitly
consider the parameters that apply to the design intent. These are general words such as
Flow, Temperature, Pressure and Composition. The current standard [1] notes that guide words
(key words) should be chosen which are appropriate to the study and neither too specific (limiting
ideas and discussion) nor too general (allowing loss of focus).

The guide words are shown in the table below:

Table II.1: Key words

Key words                Signification
NO OR NOT                Complete negation of the design intent
MORE                     Quantitative increase
LESS                     Quantitative decrease
AS WELL AS               Qualitative modification/increase
PART OF                  Qualitative modification/decrease
REVERSE                  Logical opposite of the design intent
OTHER THAN / INSTEAD     Complete substitution
EARLY                    Relative to the clock time
LATE                     Relative to the clock time
BEFORE                   Relating to order or sequence
AFTER                    Relating to order or sequence


II.2.1.6 The most commonly used parameters:

Flow, Pressure, Temperature, Mixing, Stirring, Transfer, Level, Viscosity, Reaction,
Composition, Addition, Separation, Time, Phase, Speed, Particle size, Measure, Control, pH,
Sequence, Signal, Start/stop, Operate, Maintain, Services, Communication.

"The term HAZOP has been often associated, in a generic sense, with some other hazard
identification technique. The use of the term with such techniques is considered to be inappropriate
and is excluded from this document" [11].
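The guide-word and parameter lists above are what a HAZOP team works through for each node (steps 4 and 5 of II.2.1.4). As an added example, not part of this thesis or of the cited standard, the following Python generates the deviations for one node from a guide-word/parameter applicability matrix, keeps a worksheet row per deviation, and checks before moving on to the next node that every deviation has been closed with an action or a recorded justification (steps 9 and 10). The applicability matrix is a typical one and is an assumption here; the feed-line node and its worksheet entries are constructed for illustration.

```python
"""Guide word x parameter deviation generation for one HAZOP node.

Added example, not part of the thesis. The applicability matrix is a
typical one used in HAZOP practice and is an assumption here; the node,
its design intent and the worksheet entries are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Guide words that give a physically meaningful deviation for each parameter.
# "REVERSE Flow" is a real deviation; "REVERSE Temperature" is not, so it is
# never generated. Teams extend this matrix for their own process.
APPLICABLE: Dict[str, List[str]] = {
    "Flow": ["NO", "MORE", "LESS", "REVERSE", "AS WELL AS", "PART OF", "OTHER THAN"],
    "Pressure": ["MORE", "LESS"],
    "Temperature": ["MORE", "LESS"],
    "Level": ["NO", "MORE", "LESS"],
    "Composition": ["AS WELL AS", "PART OF", "OTHER THAN"],
    "Sequence": ["EARLY", "LATE", "BEFORE", "AFTER", "OTHER THAN"],
}


@dataclass
class Node:
    name: str
    design_intent: str
    parameters: List[str]


@dataclass
class Row:
    """One line of the HAZOP worksheet (steps 6 to 9 of the technique)."""
    deviation: str
    causes: List[str] = field(default_factory=list)
    consequences: List[str] = field(default_factory=list)
    safeguards: List[str] = field(default_factory=list)
    action: Optional[str] = None  # "What? When? Who?", or a no-action justification


def deviations(node: Node) -> List[str]:
    """Steps 4 and 5: every applicable (guide word, parameter) pair for the node."""
    return [f"{gw} {p}" for p in node.parameters for gw in APPLICABLE.get(p, [])]


def new_worksheet(node: Node) -> Dict[str, Row]:
    return {d: Row(deviation=d) for d in deviations(node)}


def open_items(worksheet: Dict[str, Row]) -> List[str]:
    """Step 10 check before moving to the next node: deviations the team has
    not closed with either an action or a recorded justification."""
    return [d for d, r in worksheet.items() if r.action is None]


# Constructed node: the liquid feed line from a storage tank to a reactor.
FEED_LINE = Node(
    name="Feed line, tank to reactor",
    design_intent="Transfer liquid feed at the set flow rate, at pump discharge pressure, at ambient temperature",
    parameters=["Flow", "Pressure", "Temperature"],
)

WORKSHEET = new_worksheet(FEED_LINE)
WORKSHEET["NO Flow"].causes += ["Pump stopped", "Isolation valve closed in error", "Line blocked"]
WORKSHEET["NO Flow"].consequences += ["Loss of the cooling effect of the feed; pump runs dry"]
WORKSHEET["NO Flow"].safeguards += ["Low-flow alarm"]
WORKSHEET["NO Flow"].action = "Add pump trip on low flow; design team; before detailed design freeze"
WORKSHEET["REVERSE Flow"].causes += ["Pump stops while reactor pressure exceeds tank pressure"]
WORKSHEET["REVERSE Flow"].consequences += ["Reactor contents flow back into the storage tank"]
WORKSHEET["REVERSE Flow"].action = "Fit check valve at pump discharge; piping lead; next P&ID revision"
WORKSHEET["LESS Temperature"].action = "No action: feed is at ambient and the reactor is insensitive to colder feed"


if __name__ == "__main__":
    print(f"{len(WORKSHEET)} deviations for node '{FEED_LINE.name}'")
    for d in open_items(WORKSHEET):
        print("still open:", d)
```

Run it and the eleven deviations for the feed line are listed with eight still open; a row closed with a no-action justification counts as closed, which is how a real worksheet records that the team considered the deviation rather than skipped it.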

II.2.2 The FMEA method:


II.2.2.1 Definition:

Failure mode and effects analysis (FMEA; often written with "failure modes" in the plural) is the
process of reviewing as many components, assemblies and subsystems as possible to identify
potential failure modes in a system and their causes and effects. For each component, the failure
modes and their resulting effects on the rest of the system are recorded in a specific FMEA
worksheet. There are numerous variations of such worksheets. An FMEA can be a qualitative
analysis [8], but it may be put on a quantitative basis when mathematical failure rate models [12] are
combined with a statistical failure mode ratio database. It is a step-by-step course of action that
analyzes each phase or stage of the study. An FMEA also takes into consideration the potential
effects of the failures on the overall process goal, and helps planners and managers identify and prioritize
failure modes and review the results of the action plans implemented.


Figure II.2: FMEA method[12]

When performing an FMECA, interfacing hardware (or software) is first considered to be
operating within specification. The analysis can then be extended by using, in turn, each of the five
possible failure modes of one function of the interfacing hardware as a cause of failure for the design
element under review. This gives the opportunity to make the design robust against functional failures
elsewhere in the system. In addition, each postulated part failure is considered to be the only failure
in the system (i.e., it is a single-failure analysis). Besides the FMEAs done on systems to
evaluate the impact lower-level failures have on system operation, several other FMEAs are done.
Special attention is paid to interfaces between systems, and in fact to all functional interfaces. The
purpose of these FMEAs is to assure that irreversible physical and/or functional damage is not
propagated across the interface as a result of failures in one of the interfacing units. These analyses
are done to the piece-part level for the circuits that directly interface with the other units. The FMEA
can be accomplished without a criticality analysis (CA), but a CA requires that the FMEA has previously identified
system-level critical failures. When both steps are done, the total process is called an FMECA [8].

II.2.2.2 Basic terms:

The following covers some basic FMEA terminology [9].


*Failure: The loss of a function under stated conditions.

*Failure mode: The specific manner or way by which a failure occurs in terms of failure of the part,
component, function, equipment, subsystem or system under investigation. Depending on the type of
FMEA performed, a failure mode may be described at various levels of detail. A piece-part FMEA will
focus on detailed part or component failure modes (such as a fully fractured axle or a deformed axle, or an
electrical contact stuck open, stuck short, or intermittent). A functional FMEA will focus on functional
failure modes. These may be general (such as No Function, Over Function, Under Function,
Intermittent Function or Unintended Function) or more detailed and specific to the equipment being
analyzed. A PFMEA (process FMEA) will focus on process failure modes (such as inserting the wrong drill bit).

*Failure cause and/or mechanism: Defects in requirements, design, process, quality control,
handling or part application, which are the underlying cause or sequence of causes that initiate a
process (mechanism) that leads to a failure mode over a certain time. A failure mode may have more
than one cause. For example, "fatigue or corrosion of a structural beam" or "fretting corrosion in an electrical
contact" is a failure mechanism and in itself (likely) not a failure mode. The related failure mode
(end state) is a "full fracture of the structural beam" or "an open electrical contact". The initial cause
might have been "improper application of the corrosion protection layer (paint)" and/or "(abnormal)
vibration input from another (possibly failed) system".

*Failure effect: Immediate consequences of a failure on operation or, more generally, on the needs
of the customer/user that should be fulfilled by the function but now are not, or not fully, fulfilled.

*Indenture levels (bill of material or functional breakdown): An identifier for the system level and
thereby for item complexity. Complexity increases as the level number gets closer to one.

*Local effect: The failure effect as it applies to the item under analysis.

*Next higher level effect: The failure effect as it applies at the next higher indenture level.

*End effect: The failure effect at the highest indenture level or on the total system.

*Detection: The means of detection of the failure mode by the maintainer, the operator or a built-in detection
system, including the estimated dormancy period (if applicable).

*Probability: The likelihood of the failure occurring.

*Risk Priority Number (RPN): Severity (of the event) × Probability (of the event occurring) ×
Detection (rating of the probability that the event would not be detected before the user became aware of it).
Each factor is rated on the same ordinal scale (commonly 1 to 10), so the RPN is a ranking aid, not a probability.

*Severity: The consequences of a failure mode. Severity considers the worst potential consequence
of a failure, determined by the degree of injury, property damage, system damage and/or time lost to
repair the failure.

*Remarks / mitigation / actions: Additional information, including the proposed mitigation or actions used
to lower a risk or to justify a risk level or scenario.
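The RPN definition above is easier to judge with numbers in it. As an added example, not from the thesis or reference [9], the following Python scores a constructed FMEA worksheet for a reactor pressure loop, ranks the rows by RPN with severity as the tie-breaker, and flags the high-severity modes that need action whatever their RPN. The 1-to-10 scales, the items, the modes and the ratings are assumptions made for illustration.

```python
"""FMEA worksheet scoring and prioritisation (added example, not from the thesis).

Ratings use the common 1 to 10 scales: Severity (S) and Occurrence (O)
increase with badness; Detection (D) is 10 when the failure is unlikely to
be detected before it causes harm. RPN = S x O x D as defined above. The
items, modes and ratings below are constructed for a reactor pressure loop.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class FailureMode:
    item: str
    mode: str
    end_effect: str
    severity: int
    occurrence: int
    detection: int

    def __post_init__(self):
        for name in ("severity", "occurrence", "detection"):
            if not 1 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be in 1..10")

    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection


def prioritise(rows: List[FailureMode]) -> List[FailureMode]:
    """Highest RPN first. Ties are broken on severity, then detection, so a
    catastrophic but rare mode is not ranked as equal to a nuisance that
    happens to have the same product."""
    return sorted(rows, key=lambda r: (r.rpn(), r.severity, r.detection), reverse=True)


def high_severity(rows: List[FailureMode], threshold: int = 9) -> List[FailureMode]:
    """Modes that need action regardless of RPN: with S >= threshold, a low
    occurrence rating can hide a catastrophic consequence behind a modest product."""
    return [r for r in rows if r.severity >= threshold]


# Constructed worksheet rows (piece-part and functional modes mixed, as a
# hardware FMEA on a control loop typically does).
WORKSHEET: List[FailureMode] = [
    FailureMode("Pressure transmitter", "Output frozen at last value",
                "Controller sees constant pressure while reactor pressure rises", 9, 2, 8),
    FailureMode("Pressure transmitter", "Drift high",
                "Controller holds pressure below setpoint; off-spec product", 8, 4, 6),
    FailureMode("Pressure transmitter", "Loss of 4-20 mA signal",
                "Out-of-range value forces the controller to fail-safe", 7, 3, 2),
    FailureMode("Relief valve", "Fails to open on demand",
                "Overpressure not relieved", 10, 1, 9),
    FailureMode("Vent control valve", "Stuck open",
                "Loss of pressure, flaring", 6, 4, 3),
    FailureMode("Feed pump", "Seal leak",
                "Minor loss of containment, housekeeping", 3, 6, 4),
]


def ranked_modes(rows: List[FailureMode] = WORKSHEET) -> List[str]:
    return [f"{r.item}: {r.mode} (RPN {r.rpn()})" for r in prioritise(rows)]


if __name__ == "__main__":
    for line in ranked_modes():
        print(line)
    print("Action regardless of RPN:", [r.mode for r in high_severity(WORKSHEET)])
```

Note the two rows with RPN 72: the stuck-open valve (severity 6) outranks the seal leak (severity 3), and the relief valve that fails to open gets a modest RPN of 90 only because its occurrence rating is 1; high_severity() catches it anyway, which is the caveat the RPN definition above carries.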

II.2.3 The FTA method ‘fault tree analysis’:

II.2.3.1 Definition:
Fault tree analysis (FTA) is a top-down, deductive failure analysis in which an undesired state of a
system is analyzed using Boolean logic to combine a series of lower-level events. This analysis
method is mainly used in safety engineering and reliability engineering to understand how systems
can fail, to identify the best ways to reduce risk, and to determine (or get a feeling for) the event rates of a
safety accident or of a particular system-level (functional) failure. FTA is used in the aerospace,
nuclear power, chemical and process, pharmaceutical, petrochemical and other high-hazard
industries [14], but is also used in fields as diverse as risk factor identification relating to social service
system failure [13]. FTA is also used in software engineering for debugging purposes and is closely
related to the cause-elimination technique used to detect bugs.

II.2.3.2 Method:


Figure II.3: The FTA method ‘fault tree analysis’[14]

II.2.3.3 Usage:

Fault tree analysis can be used to:

❖ Understand the logic leading to the top event / undesired state.
❖ Show compliance with the (input) system safety / reliability requirements.
❖ Prioritize the contributors leading to the top event, creating the critical equipment/parts/events
lists for different importance measures.
❖ Monitor and control the safety performance of the complex system.
❖ Minimize and optimize resources.
❖ Assist in designing a system. The FTA can be used as a design tool that helps to create (output /
lower level) requirements.
❖ Function as a diagnostic tool to identify and correct causes of the top event. It can help with the
creation of diagnostic manuals / processes.

The tree is usually written out using conventional logic gate symbols. A cut set is a
combination of events, typically component failures, causing the top event. If no event can be
removed from a cut set without failing to cause the top event, then it is called a minimal cut set [15].
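The cut-set definitions above can be carried out mechanically. As an added example, not from the thesis or reference [15], the following Python expands a small fault tree of AND/OR gates into its cut sets, reduces them to the minimal cut sets, and computes the top-event probability both with the rare-event approximation and exactly by inclusion-exclusion. The tree, the basic events and their per-demand probabilities are constructed, and the basic events are assumed independent.

```python
"""Minimal cut sets and top-event probability for a fault tree.

Added example, not from the thesis or its references. The tree, the basic
events and their probabilities are constructed. Basic events are assumed
independent, which is what the exact formula below relies on.
"""
from dataclasses import dataclass
from itertools import combinations
from math import prod
from typing import Dict, FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Event:
    name: str


@dataclass(frozen=True)
class Gate:
    kind: str                    # "AND" or "OR"
    inputs: Tuple["Node", ...]


Node = Union[Event, Gate]
CutSet = FrozenSet[str]


def cut_sets(node: Node) -> List[CutSet]:
    """Bottom-up Boolean expansion (the idea behind MOCUS): an OR gate
    contributes each input's cut sets, an AND gate the unions of one cut
    set from every input."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    per_input = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        return [c for cs in per_input for c in cs]
    if node.kind == "AND":
        acc: List[CutSet] = [frozenset()]
        for cs in per_input:
            acc = [a | c for a in acc for c in cs]
        return acc
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[CutSet]:
    """Drop every cut set that strictly contains another one: it is not minimal."""
    all_sets = set(cut_sets(node))
    mcs = [c for c in all_sets if not any(other < c for other in all_sets)]
    return sorted(mcs, key=lambda c: (len(c), sorted(c)))


def p_rare_event(mcs: List[CutSet], p: Dict[str, float]) -> float:
    """Upper bound: sum of the cut-set probabilities (ignores overlaps)."""
    return sum(prod(p[e] for e in c) for c in mcs)


def p_exact(mcs: List[CutSet], p: Dict[str, float]) -> float:
    """Inclusion-exclusion over the minimal cut sets. Exact for independent
    basic events, but 2^k terms for k cut sets, so only for small trees;
    large trees use the rare-event bound or BDD-based tools."""
    total = 0.0
    for k in range(1, len(mcs) + 1):
        sign = 1.0 if k % 2 else -1.0
        for combo in combinations(mcs, k):
            union = frozenset().union(*combo)
            total += sign * prod(p[e] for e in union)
    return total


# Constructed tree. Top event: reactor overpressure is not relieved.
E1 = Event("cooling water lost")
E2 = Event("pressure transmitter frozen")
E3 = Event("operator misses high-pressure alarm")
E4 = Event("relief valve fails to open")
E5 = Event("relief valve inlet blocked")

OVERPRESSURE = Gate("OR", (E1, Gate("AND", (E2, E3))))
RELIEF_FAILS = Gate("OR", (E4, E5))
TOP = Gate("AND", (OVERPRESSURE, RELIEF_FAILS))

# Constructed per-demand probabilities for the basic events.
PROBS = {E1.name: 0.02, E2.name: 0.01, E3.name: 0.1, E4.name: 0.005, E5.name: 0.002}


if __name__ == "__main__":
    mcs = minimal_cut_sets(TOP)
    for c in mcs:
        print("minimal cut set:", sorted(c))
    print(f"rare-event bound {p_rare_event(mcs, PROBS):.4e}, exact {p_exact(mcs, PROBS):.4e}")
```

For this tree the four minimal cut sets give a rare-event bound of 1.47e-4 against an exact value of about 1.467e-4; the two agree closely because every basic-event probability is small, which is exactly the condition under which the approximation is justified.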

Figure II.4: fault tree diagram[15]

II.2.3.4 Graphic symbols: The basic symbols used in FTA are grouped as events, gates, and transfer
symbols. Minor variations may be used in FTA software.

II.2.3.5 Event symbols: Event symbols are used for primary events and intermediate events. Primary
events are not further developed on the fault tree. Intermediate events are found at the output of a
gate. The event symbols are shown below:


Figure II.5: Event symbols [15]

II.2.3.6 Gate symbols: Gate symbols describe the relationship between input and output events. The
symbols are derived from Boolean logic symbols:

Figure II.6: Gate symbols [15]

II.2.3.7 Transfer symbols: Transfer symbols are used to connect the inputs and outputs of related
fault trees, such as the fault tree of a subsystem to its system.

Figure II.7: Transfer symbols [15]


II.2.3.8 Advantages and limitations:

The main advantage of fault tree analysis is that it allows combinations of events that can
ultimately lead to the undesired event to be considered. This fits well with the analysis of past
accidents, which shows that major accidents most often result from the conjunction of several events
which alone could not have caused such losses. Furthermore, by estimating the probabilities of
occurrence of the events leading to the final event, it provides criteria for setting priorities in the
prevention of potential accidents. On the other hand, a fault tree relates to one particular top event, and
applying the method to everything a system can do is tedious. For this reason it is advisable to apply
inductive methods of risk analysis beforehand.

Conclusion:

In this chapter we have discussed the risk analysis methods that are usually used in the
industrial domain. We noticed that each one has its uses and is effective in certain areas of industry,
but each also displays weaknesses and a lack of precision in some situations; the choice of risk
analysis method is therefore made according to the domain of use and the properties of the method.

The next chapter will focus on a newer method which we consider the most effective when
it comes to risk analysis; it can be used in industry or in other domains, and it is known under the name
of STPA (system theoretic process analysis).

Chapter03: Definition of STAMP/STPA method

Introduction:
Traditional approaches to process safety are not enough. Accidents keep occurring every day
across the globe. Technology advances make systems more complex and their behavior more
nonlinear and unpredictable. This trend will increase in the coming years, mainly due to the new
industrial paradigm that will make production processes fully digital [4].

The basic premise underlying this new approach to safety is that traditional models of
causality need to be extended to handle today’s engineered systems. The most common accident
causality models assume that accidents are caused by component failure and that making system
components highly reliable or planning for their failure will prevent accidents. While this assumption
is true in the relatively simple electromechanical systems of the past, it is no longer true for the types
of complex sociotechnical systems we are building today. A new extended model of accident
causation is needed to underlie more effective engineering approaches to improving safety and better
managing risk[3].

III.1 System Theory:

Systems theory was developed to deal with these modern systems. It forms the basis for
systems engineering, where the whole is considered to be more than the sum of the parts and top-
down analysis and development is used. Systems theory deals with properties (called emergent
properties) that can only be handled adequately holistically, taking into account all the technical and
social aspects. These properties arise in the relationships and interactions among system components
or behavioral events. That is, systems theory treats systems as a whole and not the components and
events separately. In systems theory, instead of breaking systems into interacting components,
systems are viewed (modeled) as a hierarchy of organizational levels. In road traffic, for example, at the
lowest level there are the individual vehicles, such as cars and trucks. At the next level there is the design
of the roads, which controls the movement of the individual vehicles and their interactions. At a
higher level, one can conceive of the entire highway system, including the roads but also the rules and
policies imposed on the drivers of the vehicles [2].

III.2 Systems Thinking:

Systems thinking is a term that denotes processes and ways of thinking that follow the
principles of systems theory and incorporate systemic causality. Senge (1990) writes: "[Systems
thinking] shifts thinking from blaming a single individual or department, to recognizing that
sometimes the problem or fault lies in the entire system and that everybody plays a significant role.
Causation becomes multi-causal. In mastering systems thinking, we give up the assumption that there
must be an individual, or individual agent, responsible. The feedback perspective suggests that
everyone shares responsibility for problems generated in a system" [5].

By applying systems thinking to safety engineering, we will be able to handle more
complexity and more causal factors in safety engineering [6].

Figure III.1: Using systems thinking will provide the leverage we need to get beyond simple
event-based thinking and reduce accidents in complex systems [3]

III.3 Why is the traditional approach not enough?:

Reliability is not enough to guarantee safety; almost 20 years ago Pasman (1998) extracted
some conclusions from the analysis of past accidents:

Conditions that lead to an accident are often complex and difficult to reproduce.
Test methods are often inadequate for making reliable predictions. A systems approach appears
crucial for successful prevention. Following these conclusions, we present additional reasons that
support our previous claim:

1. Systems are becoming more complex (software being the main contributor), which means:

a. There are accidents that result from interactions among components, not just from component
failure (Venkatasubramanian (2011)).

b. The increasing complexity makes it impossible to anticipate all potential interactions.

c. Component interactions are usually non-linear and their behavior is difficult to predict.

2. Traditional techniques omit or oversimplify some important factors:

a. The human factor. This is a crucial element when considering safety; although some
methodologies, like HAZOP, can consider human errors when applied, they only do so to a quite
limited extent. Besides, only operator errors are taken into consideration, and not the human
factors at all levels of the hierarchy of the plant (management, supervision, operation).

b. Technology evolution. In the last decades, technology has been evolving very fast and is affecting
(and will affect much more) existing systems. In particular, software is every day more
embedded in manufacturing processes. The new industrial revolution (call it industry 4.0,
advanced manufacturing or intelligent manufacturing) will definitely augment this effect.

c. Safety culture and management. Many accidents happen not because the protective barriers
were insufficient but because of a lack of safety culture in the company.

d. Lack of safety maintenance. Safety deteriorates over time, and a plant that was safe when
started may be in an accident-prone condition after some time. Understanding and preventing or
detecting system migration to states of higher risk requires that our accident models consider the
processes involved in accidents and not simply the events and conditions (Leveson and
Stephanopoulos (2014)) [3].

III.4 Why Do We Need Something Different?:

A new approach to building safer systems is needed, one that departs in important ways from traditional
safety engineering. While the traditional approaches worked well for the simpler systems of the past
for which they were devised, significant changes have occurred in the types of systems we are
attempting to build today and in the context in which they are being built. These changes are stretching
the limits of safety engineering:

 Fast pace of technological change
 Reduced ability to learn from experience
 Changing nature of accidents
 New types of hazards
 Increasing complexity and coupling
 Decreasing tolerance for single accidents
 Difficulty in selecting priorities and making tradeoffs
 More complex relationships between humans and automation
 Changing regulatory and public views of safety [3].

III.5 STAMP (Systems-Theoretic Accident Model and Processes):

STAMP (Systems-Theoretic Accident Model and Processes) is the name of the new accident
causality model based on systems theory, which provides the theoretical foundation for STPA. It expands the
traditional model of causality beyond a chain of directly related failure events or component failures
to include more complex processes and unsafe interactions among system components, and it
underlies STPA and other tools.

In STAMP, safety is treated as a dynamic control problem rather than a failure prevention
problem. No causes are omitted from the STAMP model, but more are included, and the emphasis changes
from preventing failures to enforcing constraints on system behavior.

Some advantages of using STAMP are that:

 It works on very complex systems because it works top-down rather than bottom-up.
 It includes software, humans, organizations, safety culture, etc. as causal factors in accidents
and other types of losses without having to treat them differently or separately.
 It allows creating more powerful tools, such as STPA, accident analysis (CAST),
identification and management of leading indicators of increasing risk, organizational risk
analysis, etc.

Because STAMP applies to any emergent property, STPA can be used for any system
property, including cybersecurity.

The two most widely used STAMP-based tools today are STPA (System Theoretic Process
Analysis) and CAST (Causal Analysis based on Systems Theory). STPA is a proactive analysis method that
analyzes the potential causes of accidents during development so that hazards can be eliminated or
controlled.

CAST is a retroactive analysis method that examines an accident/incident that has occurred
and identifies the causal factors that were involved. The STPA handbook [2] concentrates on the use of STPA;
a similar handbook is planned for CAST.

Figure III.2: Accidents occur when the system gets into a hazardous state,
which in turn occurs because of inadequate control in the form of
enforcement of the safety constraints on the system behavior [2]

III.6 STPA (system theoretic process analysis):

STPA is a hazard analysis technique that embodies the STAMP accident causality model. As
such, it is based on control and systems theory rather than on the reliability theory underlying most
existing hazard analysis techniques. STPA is a new hazard analysis technique with the same goals as
any other hazard analysis technique, that is, to identify scenarios leading to hazards, and thus to losses,
so that they can be eliminated or controlled. STPA does not generate a probability number for the
hazard: the only way to generate such a probability of an accident for complex systems is to omit
important causal factors that are not stochastic or for which probabilistic information does not exist
(particularly for new designs, for which historical information is not available). Compared with the
traditional hazard analysis techniques, however, STPA is more powerful in terms of identifying more
causal factors and hazardous scenarios, particularly those related to software, system design and
human behavior. Because STPA is a top-down, systems engineering approach to system safety, it can
be used early in the system development process to generate high-level safety requirements
and constraints. Because it works on the hierarchical safety control structure, it can be used both on
technical design and on organizational design (Leveson and Thomas (2013)) [4].

III.7 The STPA process:

The STPA procedure has four steps that are necessary to complete the process. The
steps are (detailed in Leveson (2011a,b), Leveson and Thomas (2013)):

1. Identify accidents and hazards. The first step consists in defining what accidents will be
taken into consideration and identifying the hazards associated with those accidents,
understanding a hazard as "a system state or set of conditions that, together with a particular set
of worst-case environmental conditions, will lead to an accident (loss)" (Leveson (2011a,b)).
This step is completed by matching the hazards to safety constraints (requirements). For
example, if the hazard is a toxic release in a chemical plant, the safety constraint is that toxic
chemicals must never be released from the plant.
2. Draw the functional control structure. This step generates the document used to perform the STPA
process (steps 3 and 4). It contains the whole socio-technical structure of the system under
analysis and the relationships between the different elements.
3. Identify potentially unsafe control actions. Unsafe control actions (UCAs) are control actions that
lead to a hazard. The four types of unsafe control action are:
a. A control action required for safety is not provided.
b. An unsafe control action is provided that leads to a hazard.
c. A potentially safe control action is provided too late, too early, or out of sequence.
d. A safe control action is stopped too soon or applied too long (for a continuous or non-
discrete control action).
4. Identify the causes of the unsafe control actions. This step identifies new safety constraints to
be added. In this phase the information produced allows the engineers to change the design
to eliminate or mitigate the causes of the hazards. This is the most important step of the
analysis, but also the most difficult one [4].


III.8 Why use STAMP-STPA?:

The first reason to use STAMP-STPA comes from defining safety as a control problem (vs. a
failure problem). Enforcing safety constraints on system behavior makes it possible to detect and control the
migration of the system to states of higher risk, which in the end is the main cause of most accidents.
Other reasons for using the STAMP methodology:

 It applies to very complex socio-technical systems.
 It includes software, humans and new technology.
 It is based on systems theory and systems engineering.
 It expands the traditional model of accident causation, which is not just a chain of directly related
failure events.

When comparing the features of STPA with HAZOP-SIL, we find that STPA does (and
HAZOP-SIL does not):

 Include socio-technical analysis
 Include systemic factors
 Include the whole hierarchy (from regulations to the final process), including safety culture
 Fill the design-operation gap: avoid higher-risk states

And what STPA does not do (vs. traditional safety methods such as HAZOP-SIL):

 Put the blame on a person (many times an accident investigation stops when a human error is
found)
 Consider only reliability and probability
 Work only in the design stage (or after changes in the plant)
 Restrict itself to following chains of events


III.9 STPA Process:

STPA supports and builds on top-down system engineering. This fact should not be a surprise
as systems theory provides a common theoretical foundation for both. The process can be separated
into four parts, although the various activities could be intertwined and, in the most effective uses,
STPA becomes an iterative process with detail added as the system design evolves [1]:

1. Establish the system engineering foundation for the analysis and for the system development

2. Identify potentially unsafe control actions

3. Use the identified unsafe control actions to create safety requirements and constraints

4. Determine how each potentially hazardous control action could occur.

III.9.1 Establishing the System Engineering Foundation:

STPA starts from the basic early system engineering activities associated with safety:
defining what accidents or losses will be considered in development, identifying the hazards
associated with these accidents, and specifying safety requirements (constraints). After this
foundational information is specified, a special STPA process is added: drawing the preliminary
(high-level) functional control structure. The actual STPA analysis will use this control structure [1].

III.9.2 Identifying Unsafe Control Actions (STPA Step 1):

While it is convenient to separate STPA into two steps, first identifying the unsafe control
actions and then the causes of the unsafe control actions, this separation is not necessary. The two
steps could be integrated in various ways, for example, identifying an unsafe control action and
immediately looking for its causes [1]. The four types of unsafe control action described in Chapter 1
are:

• A control action required for safety is not provided

• An unsafe control action is provided that leads to a hazard

• A potentially safe control action provided too late, too early, or out of sequence

• A safe control action is stopped too soon or applied too long (for a continuous or non-discrete control action).

We have found that a table is a convenient way to document the specific unsafe control
actions but any format could be used. The general form of the table that we use is:

Table III.1 Define UCAs:

III.9.3 Identifying the Causes of the Unsafe Control Actions (STPA Step 2):

Once the unsafe control actions are identified (or once any of them is identified, i.e., the process does not have to be completely serial), the second and final step in STPA is to identify the potential causes of (scenarios leading to) unsafe control. This is where the fifth type of scenario, inadequate execution of a control action required for safety, is considered. Step 2 requires the most thought and prior experience from the analyst, and so far much less guidance is available for it than for Step 1. We have therefore found that STPA is sometimes stopped after Step 1. Step 2 is critical, however: it identifies additional safety requirements, both on the controller in the loop being analyzed and on the overall system, and it is where the information is generated that helps the designers eliminate or mitigate the potential causes of the hazards. The most important reason to do a hazard analysis at all is to obtain the causal information generated by Step 2. Basically, the Step 2 process involves examining the control loop and its parts and identifying how they could lead to unsafe control. Care should be taken not to turn this step into a form of FMEA by simply looking at each of the "guidewords" and checking whether it leads to the hazard. The goal is not just to find failures or inadequate operation of individual components in the control loop, but to find scenarios and combinations of problems that could lead to unsafe control. The process should start from the unsafe control actions and determine how they could occur, as well as how actions required for safety might not be executed correctly.

Conclusion:

The studies show how STPA could replace, or at least complement, HAZOP as the hazard analysis technique for the chemical, oil and gas industries. Although the differences between the two techniques are not very important at the lowest level, the great advantage of using STPA lies in its systemic nature and its application to the whole socio-technical hierarchy. Another advantage of STPA is that it can give potential recommendations to eliminate hazards using the same analysis.

In summary, STPA is a promising method that can substitute or, more likely, complement traditional approaches, but it is still a young methodology and more work has to be done, especially regarding its application to the process industry [3].

Chapter 4: Case study: Application of the STPA method on the HDPE reactor

Introduction:
This chapter is the practical part of our thesis, in which we study the HDPE reactor located in the CP2K unit of the Polymed complex, Sonatrach Skikda. The study consists of describing how the polymerization process occurs, then applying the STPA method to this industrial process in order to improve its safety and to show how STPA could replace, or at least complement, HAZOP as the hazard analysis technique to complete the risk study.

IV.1 The polymerization process:

The particle process is divided into a series of steps or systems: treatment of the raw material, activation and addition of the catalyst, polymerization in a loop reactor, flashing and drying of the polymer and purification of the recycle gas; the process ends with the finishing system, extrusion and drying of the polymer. The result is a granulate of a certain size and of a quality suitable for a wide variety of applications [1].

Figure IV.1: The polymerization process

The reaction takes place at a temperature of 85-110 °C and at a pressure of 42-44 kg/cm². As the reaction is exothermic, the removal of the heat produced is ensured by a heat transfer fluid (cooling water) circulating in the two double jackets of the reactor [1].

The TIC17169 temperature regulator is responsible for keeping the reactor temperature constant by acting on the external setpoint of the TIC17184 refrigerant temperature regulator. Note that the inner loop controlled by the TIC17184 controller is a split-range loop [1].

Figure IV.2: Diagram of the reactor temperature loop

The objective of setting up cascade control is to make the system faster, so that disturbances are damped out quickly [1]. Where:

SP: the setpoint.

PV: the value of the process.

TIC17169: PID corrector of the external loop.

TIC17184: PID corrector of the internal loop.

D1(t): the disruptive component of the inner loop.

D(t): the disruptive component of the external loop.

The principal disturbance of the temperature in the reactor is, on the one hand, an excess of the quantity of one of the reactants in the reactor (ethylene, injected catalyst, etc.), which is described by the component d(t), and, on the other hand, the temperature deviation of the cooling circuit when the loop is cascaded, due to the drift of the cooling circuit, which is described by the disturbing component d1(t) of the cooling control circuit. Generally speaking, the heat released as the ethylene reacts causes the temperature in the reactor to rise. During this temperature rise, the TIC17184 cooling temperature controller acts on the supply flow of coolant to the hot/cold lines by increasing the opening of the TV17184B/C/D cooling supply valves on the lines of coolers 410-153 A/B/C respectively and decreasing the opening of the TV17184A/E supply valves to the heater (split range), including its steam line. So it is a cascade control loop whose inner loop is a split-range loop [1].

This temperature control system is a closed circuit of treated water (water softened with chemical additives, the refrigerant); this refrigerant passes through two insulated jackets with flow rates shown in the DCS (FU, FV, FIC), and each jacket involves two settling paws [1].

The temperature control of the refrigerant, which regulates the reactor temperature, is done by the PID controller TIC-17184, which commands the TV-17184B/C/D valves to send the refrigerant to the cooling lines and the TV17184A valve to send it to the heating lines (steam exchanger) [1].

The pressure in the reactor is controlled by means of the pressure indicator-controller PIC-16147, with indication on the DCS; the reactor also has two pressure switches, low-low and high-high (PLL, PHH), integrated into the PLC [1].

We ensure the pressure control in the polymerization reactor by the PIC-16147 regulator, which acts directly and sequentially on the six settling valves (six settling paws); each paw has a blocking valve at its head and a product discharge valve at its bottom. These latter valves work alternately with a gap of 3 seconds in order to keep the reactor pressure stable, that is to say within an interval of 42-44 bar. In certain emergency cases, or when the pressure suddenly increases beyond 50 bar, the controller PIC-16143 intervenes immediately on the two on-off valves called the vent valves, which open to evacuate the excess pressure to the atmosphere [1].

Figure IV.3: A DCS view of settling paws[18]

IV.2 Application of STPA and results:

As known, there are four types of unsafe control actions (UCA) in the STPA methodology. On one hand, hazards can occur when a control action is "Provided" or "Not provided" and, on the other, when a control action has been carried out "Too late or too early" or is provided "Too long or stopped too soon". Thus, the first two UCAs are related to control action status and the second two to control action timing. In general, they work very well for most real systems, but for chemical systems there are two extra unsafe control actions that could lead to hazards and have to be taken into consideration to enforce system safety. These "new" unsafe control actions are related to the direction of the control action deviation. In many (stationary) chemical plants, many hazards are due to an increase or decrease of state parameters (temperature, pressure...) [4].

Process plants are, usually, continuous plants and the control is achieved using conventional
PID controllers that send the control action to the final element, typically a control valve. The
operation of the valve is also continuous, and as it is not an On/Off controller (the valve is not just
open/closed) the Provided/Not Provided UCAs are not sufficient to describe the control action status.

They have to be extended to include if the control action is more or less than it should be. So the
UCAs for this system are Provided (we consider that provided means provided correctly, in the
expected amount), More and Less (both of them constitute the Not Provided type).
More or Less are directly related to the final value (after the control action) of the manipulated
variable. In most of the cases the Less type effect includes the None effect on the process although
there are some specific situations where None has to be specified besides the Less type. This could
be considered as a third type of the Not Provided control action [4].

Nowadays, STPA tables are generated individually for each UCA of each controller, studying hazards for different scenarios (made up of context variable states).

In the approach proposed herein, all UCAs are studied in the same table (resulting in a very big table). Scenarios (context variables) are also discretized into "Desired", "None", "Less" and "More". As will be seen later, adding new UCAs and states ("Less" and "More") greatly increases the number of possible scenarios, so for real systems the STPA tables will be very big. The STPA Table Size (STS) can be calculated by:

STS =

∏ ∏

In order to obtain more detailed safety measures it is necessary to develop a refined control structure. For this, a section of the process plant is selected and its control structure is drawn down to the operator level:

Figure IV.4: Control structure of the HDPE reactor

Figure IV.5: Hierarchical control structure of CP2K unit

IV.2.1 Hazard identification:

Table IV.1 Hazard identification

Accident    Hazard                      Safety constraints
Explosion   H1: too high temperature    Temperature must never violate a maximum value
Explosion   H2: too high pressure       Pressure must never violate a maximum value

In our case study, we will be considering the variation of the temperature and pressure
parameters, caused by the variation in the flow of the entering products (Ethylene, Hexene, and
Isobutane), in addition to the actions on the cooling water valves and the settling paws discharge
valves.

We choose (MORE, LESS, PROVIDED and NOT PROVIDED) as UCAs on each state. In
this case, if we consider all the UCAs possible related to all states, we get:

STS= 4*4*4*4*4 =1024

This is a huge number of rows, covering a very large number of cases to be studied. We therefore eliminate some UCAs that do not really lead to a hazard: we only consider MORE, LESS and NOT PROVIDED for the entering products (Ethylene and Hexene) and the cooling valve (since they work continuously), and PROVIDED (1) and NOT PROVIDED (0) for the flow of Isobutane and the opening of the discharge valves. In this case we get:

STS = 3*3*3*2*2 = 108 rows
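As an added example (not code from the thesis or from [4]), the following Python block computes the STS for the full and the reduced UCA alphabets of the five control variables above and enumerates the 108 scenario rows of the reduced table; the hazards_for screening rule is an assumption condensed from the reading of the table in section IV.2.3 and does not reproduce every row of Table IV.2.

```python
from itertools import product
from math import prod

# The five control variables of the refined control structure (section IV.2.1)
# and the full STPA alphabet: MORE, LESS, PROVIDED, NOT PROVIDED.
VARIABLES = ("Ethylene flow", "Hexene flow", "Cooling valve",
             "Isobutane flow", "Settling paws valves")
FULL = {v: ("MORE", "LESS", "PROVIDED", "NOT PROVIDED") for v in VARIABLES}

# Reduced alphabets used for Table IV.2: continuous variables keep MORE (+),
# LESS (-) and NOT PROVIDED (0); on/off variables keep PROVIDED (1) and
# NOT PROVIDED (0).
REDUCED = {
    "Ethylene flow": ("+", "-", "0"),
    "Hexene flow": ("+", "-", "0"),
    "Cooling valve": ("+", "-", "0"),
    "Isobutane flow": ("1", "0"),
    "Settling paws valves": ("1", "0"),
}


def stpa_table_size(alphabets):
    """STS: product over variables of the number of UCA states each can take."""
    return prod(len(states) for states in alphabets.values())


def enumerate_scenarios(alphabets):
    """One dict per table row, covering every combination of UCA states."""
    names = list(alphabets)
    return [dict(zip(names, combo)) for combo in product(*alphabets.values())]


def hazards_for(row):
    """Screening rule (an assumption, not a reproduction of Table IV.2):
    excess reactant (+) with cooling less/not provided -> H1 (temperature);
    excess reactant (+) with discharge valves not provided -> H2 (pressure)."""
    excess_feed = row["Ethylene flow"] == "+" or row["Hexene flow"] == "+"
    found = []
    if excess_feed and row["Cooling valve"] in ("-", "0"):
        found.append("H1")
    if excess_feed and row["Settling paws valves"] == "0":
        found.append("H2")
    return ".".join(found) if found else "NO"


def build_table(alphabets):
    """Rows in the page's format, numbered from 01, with the hazard column."""
    rows = []
    for i, row in enumerate(enumerate_scenarios(alphabets), start=1):
        rows.append({"ID": f"{i:02d}", **row, "hazard": hazards_for(row)})
    return rows


def count_hazardous(table):
    """Number of rows the screening rule flags with at least one hazard."""
    return sum(1 for r in table if r["hazard"] != "NO")


if __name__ == "__main__":
    print("STS, full alphabet:", stpa_table_size(FULL))      # 1024
    print("STS, reduced alphabet:", stpa_table_size(REDUCED))  # 108
    table = build_table(REDUCED)
    print("rows flagged by the screening rule:", count_hazardous(table))
    for r in table[:4]:
        print(r)
```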

IV.2.2 Case study (STPA table):

Table IV.2: STPA table

Columns: ID | Ethylene flow | Hexene flow | Cooling valve | Isobutane flow | Settling paws valves | Hazard
(+ = MORE, - = LESS, 0 = NOT PROVIDED, 1 = PROVIDED; the entering-product columns follow the order given in section IV.2.1)
01 + + + 0 0 H2
02 + + - 0 1 H1
03 + + 0 1 0 H1.H2
04 + - + 1 1 NO
05 + - - 0 0 NO
06 + - 0 0 1 H1
07 + 0 + 1 0 H2
08 + 0 - 1 1 H1
09 + 0 0 0 0 NO
10 - + + 0 1 NO
11 - + - 1 0 H1
12 - + 0 1 1 H1
13 - - + 0 0 NO
14 - - - 0 1 NO
15 - - 0 1 0 NO
16 - 0 + 1 1 NO
17 - 0 - 0 0 NO
18 - 0 0 0 1 NO
19 0 + + 1 0 H2
20 0 + - 1 1 NO
21 0 + 0 0 0 H2
22 0 - + 0 1 NO
23 0 - - 1 0 NO
24 0 - 0 1 1 NO
25 0 0 + 0 0 NO
26 0 0 - 0 1 NO
27 0 0 0 1 0 NO
28 + + + 1 1 NO
29 + + - 0 0 H1.H2
30 + + 0 0 1 H1
31 + - + 1 0 H2
32 + - - 1 1 NO
33 + - 0 0 0 H2
34 + 0 + 0 1 NO
35 + 0 - 1 0 H1.H2
36 + 0 0 1 1 H1
37 - + + 0 0 H2
38 - + - 0 1 NO
39 - + 0 1 0 H1.H2
40 - - + 1 1 NO
41 - - - 0 0 NO
42 - - 0 0 1 NO
43 - 0 + 1 0 NO
44 - 0 - 1 1 NO
45 - 0 0 0 0 NO
46 0 + + 0 1 NO
47 0 + - 1 0 H2
48 0 + 0 1 1 H1
49 0 - + 0 0 NO
50 0 - - 0 1 NO
51 0 - 0 1 0 NO
52 0 0 + 1 1 NO
53 0 0 - 0 0 NO
54 0 0 0 0 1 NO
55 + + + 1 0 H2
56 + + - 1 1 H1
57 + + 0 0 0 H1.H2
58 + - + 0 1 NO
59 + - - 1 0 H1.H2
60 + - 0 1 1 H1
61 + 0 + 0 0 NO
62 + 0 - 0 1 NO
63 + 0 0 1 0 H1.H2
64 - + + 1 1 NO
65 - + - 0 0 H2
66 - + 0 0 1 H1
67 - - + 1 0 NO
68 - - - 1 1 NO
69 - - 0 0 0 NO
70 - 0 + 0 1 NO
71 - 0 - 1 0 NO
72 - 0 0 1 1 NO
73 0 + + 0 0 NO
74 0 + - 0 1 NO
75 0 + 0 1 0 H1.H2
76 0 - + 1 1 NO
77 0 - - 0 0 NO
78 0 - 0 0 1 NO
79 0 0 + 1 0 NO
80 0 0 - 1 1 NO
81 0 0 0 0 0 NO
82 + + + 0 1 NO
83 + + - 1 0 H1.H2
84 + + 0 1 1 H1
85 + - + 0 0 NO
86 + - - 0 1 NO
87 + - 0 1 0 H1.H2
88 + 0 + 1 1 NO
89 + 0 - 0 0 NO
90 + 0 0 0 1 NO
91 - + + 1 0 H2
92 - + - 1 1 H1
93 - + 0 0 0 H1.H2
94 - - + 0 1 NO
95 - - - 1 0 NO
96 - - 0 1 1 NO
97 - 0 + 0 0 NO
98 - 0 - 0 1 NO
99 - 0 0 1 0 NO
100 0 + + 1 1 NO
101 0 + - 0 0 NO
102 0 + 0 0 1 NO
103 0 - + 1 0 NO
104 0 - - 1 1 NO
105 0 - 0 0 0 NO
106 0 0 + 0 1 NO
107 0 0 - 1 0 NO
108 0 0 0 1 1 NO

IV.2.3 Result and discussion:

From the STPA table we can see that the UCAs which lead to a hazard are: more (+) for the entering flow of Ethylene and Hexene, and not provided (0) for the opening of the pressure valves (settling paws and safety valves).

STPA analysis results not only in the detection of hazardous situations but also in the solution. In this case, it can easily be seen that all of those scenarios (colored green in the table) correspond to no flow in and lines.

IV.2.4 Safety recommendations:

The safety recommendations to avoid the hazardous situations in this case are therefore:

• Close the reactant flows when the cooling valves are not open.
• Open the pressure valves when the pressure in the reactor violates the maximum value because of an excess flow of reactants.
• Verify the timing settings for the opening of the discharge valves of the settling paws, so that high pressure can be discharged easily.
• Display textual messages on the HMI of the DCS control room, so that the safety actions to be applied to the process can easily be performed by any operator available in the control room, in order to improve safety in the plant.

IV.2.5 InTouch simulation:

First of all we need to implement the process logic in the TriStation software; these are the main steps:

1- We open the TriStation program, open a new window and name it:

Figure IV.6 creating a new TriStation window

2- We build the process temperature and pressure logic using the different TriStation tagnames, name every variable, set its initial and final values and give it an address (item):

Figure IV.7 build the process temperature logic

Figure IV.7 build the process pressure control

Figure IV.8 naming the variables and setting items

3- After building the logic we run it:

Figure IV.9 running the program

4- Then we connect it to the InTouch program:

Figure IV.10 connecting to InTouch software

5- We open InTouch software and create a new window and name it:

Figure IV.11 creating a new InTouch window

6- We click on Symbol Factory and build the process:

Figure IV.12 access to symbol factory

Figure IV.13 building the process

7- After building the process and assigning the items to every component according to the TriStation logic, we run the program:

Figure IV.14 display of the normal conditions of pressure and temperature

In this case all the valves are closed because we are in normal conditions (normal pressure 42-44 bar and normal temperature 92-110 °C).

Figure IV.15 display of the over-temperature case

In the over-temperature case, the cooling valve opens.

Figure IV.16 display of the over-pressure case

In the over-pressure case, the discharge valves of the settling paws open.

Figure IV.17 display of the High-High pressure case

In the High-High pressure case, the safety pressure valves open, evacuating the overpressure to the atmosphere.
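As an added example (not the thesis's TriStation/InTouch logic), the following Python function evaluates the four simulated cases and the safety recommendations of section IV.2.4 as one interlock scan; the 44 bar and 110 °C high limits, the cooling-valve feedback input and the fail-safe handling of invalid signals are assumptions made here.

```python
import math
from dataclasses import dataclass

# Operating limits taken from the case study: normal pressure 42-44 bar, vent
# valves beyond 50 bar, normal temperature 92-110 °C. Treating 44 bar and
# 110 °C as the high limits is an assumption for this example.
P_HIGH = 44.0   # bar: above this the settling-paw discharge valves open
P_HH = 50.0     # bar: above this the vent valves open to the atmosphere
T_HIGH = 110.0  # °C: above this the cooling valve is commanded open


@dataclass(frozen=True)
class Actions:
    """Outputs of one interlock scan, plus the HMI messages to display."""
    cooling_valve_open: bool = False
    discharge_valves_open: bool = False
    vent_valves_open: bool = False
    reactant_feeds_closed: bool = False
    messages: tuple = ()


def evaluate(pressure_bar, temperature_c, cooling_valve_feedback=None):
    """Safety actions for one scan, mirroring the four simulated cases.

    cooling_valve_feedback is the measured valve position (True = open) from
    the previous scan, or None if unavailable; it is an assumed input that
    implements recommendation 1: if cooling is demanded but the valve has not
    opened, the reactant feeds are closed so the exothermic reaction cannot
    keep raising the temperature.
    """
    for name, value in (("pressure", pressure_bar), ("temperature", temperature_c)):
        if not isinstance(value, (int, float)) or not math.isfinite(value):
            # A bad measurement must never be read as "normal": fail safe.
            return Actions(reactant_feeds_closed=True,
                           messages=(f"INVALID {name.upper()} SIGNAL: feeds closed, check transmitter",))

    msgs = []
    cooling = temperature_c > T_HIGH                 # Figure IV.15 case
    if cooling:
        msgs.append("HIGH TEMPERATURE: cooling valve opened")
    discharge = pressure_bar > P_HIGH                # Figure IV.16 case
    if discharge:
        msgs.append("HIGH PRESSURE: settling-paw discharge valves opened")
    vent = pressure_bar > P_HH                       # Figure IV.17 case
    if vent:
        msgs.append("HIGH-HIGH PRESSURE: vent valves opened to atmosphere")
    feeds_closed = cooling and cooling_valve_feedback is False
    if feeds_closed:
        msgs.append("COOLING NOT CONFIRMED: reactant feeds closed")
    return Actions(cooling, discharge, vent, feeds_closed, tuple(msgs))


if __name__ == "__main__":
    # Constructed sample scans covering normal, high T, high P and HH P.
    for p, t in ((43.0, 100.0), (43.0, 115.0), (46.0, 100.0), (52.0, 100.0)):
        print(p, "bar", t, "°C ->", evaluate(p, t))
    print(evaluate(43.0, 115.0, cooling_valve_feedback=False))
```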

58
Chapter 4: Study case: Application of STPA method on the HDPE reactor

Conclusion:
In the analysis of the process plant, hazards were first identified. Then the controllers were evaluated to identify UCAs. The causes of the UCAs and of improper execution of control actions were determined to define loss scenarios. Finally, recommendations were generated to prevent, control or mitigate the loss scenarios.

Analysis methods based on component failure and reliability cannot fully analyze complex systems, because they do not consider the entire system and the interactions between its components. In that sense, systemic methods are promising, and in this study STPA is applied to a process plant, which needs to be taken into consideration in risk assessment studies.

General conclusion:
Major accidents and the potential risks present at the industrial level remain one of the biggest concerns, in the sense that they degrade the functioning of the system; therefore, for the safety of the industrial system, or of the industry itself, a risk analysis technique has always been applied.

The work presented in this thesis gives an analysis of the risks associated with the polymerization process in the CP2K unit at Sonatrach Skikda, to which we applied the STPA methodology.

The great advantage of using STPA lies in its systemic nature and its application to the whole sociotechnical hierarchy. Another advantage of STPA is that it can give potential recommendations to eliminate the hazards using the same STPA analysis technique: not only the detection of dangerous situations but also the solutions, with the proposed scenarios and safety recommendations, in order to improve safety and manage risk better.

References:

[1]: Manuel opératoire de PHILIPS pour CP2K SKIKDA (Phillips operating manual for CP2K Skikda).

[2]: Leveson, N. STPA Handbook. March 2018.

[3]: Leveson, N. Engineering a Safer World. 2011.

[4]: Rodríguez, M.; Díaz, I. Journal of Loss Prevention in the Process Industries, 2016, Madrid, Spain.

[5]: Senge, 1990, p. 78.

[6]: Leveson, N. An STPA Primer, version 1. August 2013.

[7]: http://www.hrdp-idrm.in/e5783/e17327/e27015/e27713/ (2020/08/23), accessed April 2021.

[8]: Rausand, M.; Høyland, A. System Reliability Theory: Models, Statistical Methods, and Applications. Wiley Series in Probability and Statistics, second edition, p. 88. 2004.

[9]: Langford, J. W. Logistics: Principles and Applications. McGraw-Hill, p. 488. 1995.

[10]: U.S. Department of Labor, Occupational Safety and Health Administration. Process Safety Management Guidelines for Compliance (PDF). U.S. Government Printing Office, OSHA 3133. 1994.

[11]: British Standard BS IEC 61882: Hazard and Operability Studies (HAZOP Studies) - Application Guide. British Standards Institution. "This British Standard reproduces verbatim IEC 61882:2001 and implements it as the UK national standard." 2002.

[12]: Tay, K. M.; Lim, C. P. "On the Use of Fuzzy Inference Techniques in Assessment Models: Part II: Industrial Applications". Fuzzy Optimization and Decision Making 7(3): 283–302. doi:10.1007/s10700-008-9037-y. 2008.

[13]: Lacey, P. "An Application of Fault Tree Analysis to the Identification and Management of Risks in Government Funded Human Service Delivery". Proceedings of the 2nd International Conference on Public Policy and Social Sciences. SSRN 2171117. 2011.

[14]: Goldberg, B. E.; Everhart, K.; Stevens, R.; Babbitt, N.; Clemens, P.; Stout, L. "3". System Engineering Toolbox for Design-Oriented Engineers. Marshall Space Flight Center, pp. 3–35 to 3–48. 1994.

[15]: Fault Tree Analysis, Edition 2.0. International Electrotechnical Commission. IEC 61025. ISBN 978-2-8318-8918-4. 2006.

[16]: https://en.m.wikipedia.org/wiki/Fault_tree_analysis (2020/09/07), accessed June 2021.

[17]: CP2K unit SKIKDA documentation.

[18]: CP2K DCS photos.


 

Abstract :
Major accidents continue to occur in the chemical process industry, and they may have serious consequences, costing billions of dollars and, worse, many human lives. This means that the traditional hazard analysis techniques are no longer sufficient, given the increasing complexity of industrial plants. The main objective of this work is to present a new accident analysis technique based on systems theory, developed recently, which shifts the focus from reliability to systems theory in order to improve safety and manage risk better.

Key words: STAMP, STPA, risk analysis, HDPE, petrochemical industries, chemical plants, safety,
hazard.

Résumé (translated from French):

Major accidents continue to occur in the chemical process industry, which can have serious consequences costing billions of dollars and, worse still, many human lives. This means that traditional risk analysis techniques are no longer sufficient because of the growing complexity of industrial plants. The main objective of this work is to present a new accident analysis technique based on systems theory, developed recently, which shifts the focus from reliability to systems theory in order to improve safety and manage risk better.

Keywords: STAMP, STPA, risk analysis, HDPE, petrochemical industries, chemical processes, safety, hazard.

Abstract (translated from Arabic):

Industrial facilities still experience many accidents and disasters that cost billions of dollars and, worse, many human lives. This means that the old techniques used for risk analysis are no longer sufficient, given the growing size and complexity of modern industrial facilities and the advanced technologies that accompany them. The main objective of this study is therefore to introduce a recent risk analysis technique based on systems theory, developed recently to move from studying the reliability of the system to focusing on systems theory, in order to improve safety conditions in industrial facilities and to manage risk better.

Keywords: STAMP, STPA, risk analysis, petrochemical industries, chemical facilities, safety, hazards.
