Domain ontology for scenario-based hazard evaluation



Safety Science 60 (2013) 21–34

Contents lists available at SciVerse ScienceDirect

Safety Science

journal homepage: www.elsevier.com/locate/ssci

Domain ontology for scenario-based hazard evaluation

Wu Chong-guang a, Xu Xin a,*, Zhang Bei-ke a, Na Yuong-liang b

a College of Information Science and Technology, Beijing University of Chemical Technology, Beijing 100029, China
b Beijing Strong Information System Co. Ltd., Beijing 100029, China

* Corresponding author. Tel.: +86 1013910553026. E-mail address: [email protected] (X. Xu).

0925-7535/$ - see front matter © 2013 Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.ssci.2013.06.003

Article info

Article history: Received 1 November 2012; Received in revised form 9 May 2013; Accepted 12 June 2013; Available online 16 July 2013

Keywords: Domain ontology; Process industry; Hazard scenario; Scenario object model; Hazard evaluation; HAZOP

Abstract

Among the scenario-based hazard evaluation procedures, Hazard and Operability Analysis (HAZOP) is a structured and systematic technique for process hazard examination and risk management widely used around the world. Information used and produced during HAZOP studies is recorded in the form of textual natural language documents. Consequently, reusing this knowledge is limited by the difficulties in finding, retrieving, auditing, sharing, and analyzing HAZOP-related information. Other limitations are faced in terms of computer-based extraction and reasoning of knowledge. To resolve such issues, a domain ontology called Scenario Object Model (SOM) is proposed in this paper, which can be used to represent the contents and structures of hazard evaluation information. Automatic reasoning and semi-quantitative algorithms can be implemented on SOM. Computer-aided automatic hazard evaluation and transferring, auditing, and sharing of HAZOP information have been realized effectively through the use of SOM.

© 2013 Elsevier Ltd. All rights reserved.

1. Introduction

As the process industry system grows and its processes become even more complex, the science and technology of process safety has also made great progress. Simple modes of process hazard analysis, such as the checklist method, no longer satisfy the requirements of strict safety supervision and hazard identification and analysis. Therefore, the structured and systematic hazard analysis methods based on “hazard scenarios” are widely used. The most commonly used methods include the What-If, What-If/checklist, Failure Modes and Effects Analysis (FMEA), Hazard and Operability Analysis (HAZOP), Fault Tree Analysis (FTA), Event Tree Analysis (ETA), Bowtie analysis, and Layer of Protection Analysis (LOPA), among others. Of these, HAZOP is probably one of the most widely used methods of hazard evaluation.

However, the effectiveness and widespread use of such systematic and structured hazard analysis methods depend on whether or not they can solve information standardization issues. The main reason is that the hazard information related to systematic safety management, such as technology, equipment, automatic control, construction, operation, system maintenance and safety supervision, must be transferred, audited, and shared among different management and professional teams through the different phases of the entire life cycle of process systems (i.e., design, construction, active service, and discarding). Advanced hazard analysis methods use a large amount of information from various fields as well as produce a huge amount of information. If the information (including data) is not in order, the cost of collating it may exceed that of its use and management.

Information used and produced during HAZOP studies is recorded in the form of text-based documents. Consequently, the capability to reuse this knowledge is diminished by the limitations of natural language and text-based descriptions (Batres et al., 2008). These disadvantages mainly manifest in the aspects enumerated below.

1. The textual definitions are informal because they are in free-form natural language and are, therefore, vague, ambiguous, and dependent on context.

2. Natural languages are arbitrary. Their vocabulary and grammar vary in different countries, and there may be many dialects and idioms even in the same country. Although the scope of a natural language is firmly grasped by people at a personal level, the analysis results given by different hazard evaluation teams or different analytical tools using natural languages may not be interchangeable.

3. HAZOP is a qualitative, heuristic “brainstorming” method, and the analytical process usually lasts at least several weeks. Fatigue on the part of the analysts can lead to inconsistency and incompleteness of the analysis results.

4. The lack of a formal representation (and not inconsistencies) of HAZOP information is an obstacle to using logical reasoning to extract information.


Given the limitations mentioned above, a HAZOP report may fail to include some key information. For instance, the report may lack certain structural information, especially that involving pivotal events involved in the hazard scenarios (Kuraoka and Batres, 2003). Often, the reason is that the analysis does not follow the structure of the scenarios, thus resulting in the following disadvantages and limitations:

1. Insufficiency of causes or consequences (i.e., some mutual effects between events are unknown);

2. Difficulty in distinguishing the importance or type of causes (i.e., root cause, initiating cause, conditional cause, or enabling cause) or consequences;

3. Insufficiency of protection layers (i.e., the lack of clarity in identifying their roles or degree of importance);

4. Difficulty in adjusting the position of protection layers. Especially in the review, modification or management of change (MOC), a minor adjustment may cause a major change in the structure of the report; and

5. Difficulty in determining the independence or quantitative probability of the failure of protection layers.

The standardization of hazard information is the basis of its computerization and networking. With computer-aided hazard analysis methods, such requirements as database information transfer and sharing as well as integration and cooperation between different types of software are becoming more commonplace. Such a situation calls for the standardization of domain information.

There are several favorable conditions to realize hazard information standardization. Knowledge engineering has achieved significant progress in information standardization, and several international standards have been promulgated and applied in computer communication, software development, engineering design, engineering construction, and business management of large-scale industrial enterprises (McCarthy and Hayes, 1969; Gruber, 1993, 1994; Studer et al., 1998; Bayer, 2003; ISO 10303-11, 1994; ISO 15926-2, 2003; Niles and Pease, 2001; Batres et al., 2007; SUO, 2001).

This article is organized as follows. Section 2 discusses the progress of ontology and information standardization. Section 3 introduces the concept of hazard scenario. Section 4 describes our domain ontology called Scenario Object Model (SOM). Section 5 presents two industrial cases to illustrate the effectiveness of the proposed SOM in HAZOP analysis. Section 6 presents the software based on SOM, called “Computer Aided HAZOP (CAH)”, which can accurately track and record all the details generated during the brainstorming, and can help the analyst to classify the information such as contents, revision advice, supplementary advice, and reasoning results, among others. Finally, Section 7 presents concluding remarks and directions for future work.

Fig. 1. The system of ontology category proposed by Kant: Quantity (Unity, Plurality, Totality), Quality (Reality, Negation, Limitation), Relation (Inherence, Causation, Community), and Modality (Possibility, Existence, Necessity).

2. The progress of ontology and information standardization

The concept of “ontology” in the technology world has its roots in philosophy. The English word “ontology” is formed by the combination of two Greek words meaning “exist” and “knowledge”. In philosophy, ontology is mainly concerned with existence itself, i.e., the basic character of all actual existence. Ontology was first studied by the ancient Greek philosopher Aristotle, who explained the most essential concepts of human cognizance (Feng, 2004), divided the idea of existence into different classifications, and established a system of categories that include noumenon, quality, quantity, relationship, action, feeling, space, and time.

Subsequently, the German philosopher Immanuel Kant established the categorical framework of ontology. As illustrated in Fig. 1, this framework consists of four top categories, each consisting of three sub-categories. The research made by Kant on the category framework serves as the solid foundation of modern ontological studies and applications.

The traditional view states that “ontology is the explicit criteria of concept expression” or “ontology is the explicit explanation of concepts and the relationship among them” (Gruber, 1993, 1994). It is used for identifying the most interesting elements in a certain field and how the relevant information is constituted. It helps us analyze and formalize knowledge systematically, which facilitates computer processing. It also enables knowledge sharing between people and computers, resulting in knowledge deemed reusable in certain fields.

In the past 30 years, computer and Internet information standards based on ontology have evolved from content to structure, i.e., from symbol, image, and grammar to semantics. These standards, such as XML, DOM, UML, RDF, OWL (W3C, 2004) and DAML + OIL (DARPA, 2001; Horrocks, 2002), can be used in any computer network, digital communication system, and equipment around the world. They are regarded as the most widely used information standards in the world.

With the development and application of ontology, a new field called “ontology engineering” has become an important aspect of computer science and information science (Kishore et al., 2004). The ontology applied in this field is mainly used to express the content and mechanism of information. The commonly used ontologies are typically constituted by computer languages. Some of these are used to express the content of information, others are used to express the information mechanism of certain fields, and still others are used for information analysis and reasoning based on given principles, depending on a specific purpose. Ontological language can be non-formalized, such as Chinese, English, and other natural languages that only express the concepts and are not suitable for computer reasoning; semi-formalized, such as UML, which is commonly used by computer software; or formalized, such as first-order logic and DAML + OIL, which can achieve computer logic reasoning. In addition, ontology can be divided into two categories: upper ontology and domain ontology (Batres et al., 2007). The international standards usually belong to the former, but in this paper the ontology we have developed for hazard evaluation belongs to the latter.

Gruber (1994) has proposed the following specific rules that an ontology should follow:

1. Clarity: using a natural language to define the intended meaning of ontological terms accurately, objectively, necessarily and sufficiently;

2. Coherence: the ontology model should be logically consistent and be able to sanction inferences that do not contradict the definitions;

3. Expandability: one should be able to define new terms for special uses based on the existing vocabulary without changing any existing definitions;

4. Minimal encoding bias: the conceptualization should be specified at the knowledge level without depending on a particular symbol-level encoding, so that it can be implemented in different representation systems and styles of representation while minimizing encoding bias; and

5. Minimal ontological commitment: ontology should require the minimal ontological commitment sufficient to support the intended knowledge-sharing activities.

Considering the latest progress of ontology engineering, we have added three new rules to those above. These include the following:

6. Graph illustration: an ontology model can be mapped into a graph illustration so that it becomes more visual and convenient to use;

7. Interoperability: an ontology model can interoperate with semantic web standard languages (such as OWL, which is based on XML); and

8. Deducibility/computability: an ontology model can be directly used for logical reasoning, qualitative reasoning, semi-quantitative, or quantitative solving through the use of certain algorithms.

The important international standards for the industrial field are ISO-10303 (1994) and ISO-15926 (2003). As of 2011, eight sections of ISO-15926 had been promulgated, with Section 2 (“data model”) and Section 4 (“initial reference data”) as the key parts. ISO-15926 is a typical ontology for data integration, sharing, transfer, and hand-over between computer systems; it expresses the concepts, relations, properties, and rules of specific fields through a multi-level data structure. These international standards have been applied in the design, construction, and management of large-scale petroleum and gas systems. The information based on these standards can be transformed to and from the OWL of the W3C, thus solving the difficulties met in standard implementation and popularization. However, based on the current situation, ISO-15926 has some limitations; specifically, it is complicated and does not provide high-level modeling constructs, resulting in data models that cannot be comprehended and used easily.

Batres et al. (2008) first considered using ISO-15926 as the information basis of computer-aided HAZOP. Before them, some researchers had also proposed the idea of using ontology to express hazard information (Lee, 2001). However, their studies have been unable to generate widespread interest. One reason is that the modeling is too complicated and difficult to use; another is that they ignore the rules of HAZOP analysis, and the scope of information is constrained by ISO-15926. We believe that Batres has found the right way, although finding out how to use the computer to aid HAZOP and express hazard information has been a lengthy exploration. Recently, two main categories of industrially applicable computer-aided methods have been defined: the automatic reasoning method based on SDG (Venkatasubramanian et al., 2002; Wu et al., 2003; Zhang et al., 2005; Wu, 2008; Na et al., 2009) and the “expert system” based on process information and accident cases (McCoy et al., 1999).

The SDG method is close to the ontology of hazard analysis, but does not comprehensively express the whole content yet. There are only two or three guide words in SDG, but generally the number should be 11 (see IEC-61882). The reasoning is also quite monotonous. Moreover, one has to build an SDG qualitative model to apply this method. This kind of model is only applicable to continuous systems, and its nodes represent only a few specific parameters. The model structure is not well classified, and building a practicable model would require great knowledge, experience, and technical skill. All these factors act as barriers to the widespread use of the SDG method.

To use the “expert system” method, the information of the evaluated system should be described in detail, even if the information does not have a direct relationship with the evaluation mechanism. This kind of method emphasizes the scope of knowledge but neglects the basic rules of ontology, making it difficult for users to understand and resulting in information acquisition and maintenance capabilities that are exhausted easily. For example, the knowledge base should be enriched by huge amounts of long-term experience and specialized maintenance, but the time and cost required to establish such a knowledge base may be more than those needed for the evaluation process. Moreover, even if such requirements were fulfilled, the evaluation process would still be constrained by incomplete expert rules.

Nevertheless, both the SDG method and the expert system method are unable to promote the contribution of the brainstorming product of the HAZOP team, even though there is a trend to complete this procedure by using related software instead. Such methods do not reflect the primary principle of hazard analysis. Given these factors, hazard analysis in the process industry is still conducted manually, and computer-aided automatic HAZOP software is rarely used.

Considering the limitations of the abovementioned methods, the current paper proposes a standardized information expression based on ontology for hazard analysis and, based on this idea, develops computer-aided automatic HAZOP software called CAH. This kind of software has been proven to be easy to learn and use.

3. Hazard scenarios

A scenario is a specific instance, case, experience, story, or example which happens over time. It contains a description of the environment, the context, the actors, and the actions involved. It has definite beginning and end points. According to a previous study, “the principal objective of PHA is to identify hazard scenarios” (Baybutt, 2003).

The Center for Chemical Process Safety (CCPS, 2008) has divided hazard evaluation methods into two categories: scenario- and non-scenario-based. Further, the work “Guidelines for Hazard Evaluation Procedures, Third Edition” states that, “the full description of a possible incident sequence is a scenario. A scenario is an unplanned event or incident sequence that results in a loss event and its associated impacts, including the success or failure of safeguards involved in the incident sequences. Thus, each scenario starts with an initiating cause, and terminates with one or more incident outcomes. The outcomes may involve various physical or chemical phenomena, which can be evaluated using consequence analysis methodologies, to determine the loss event impacts”.

Hazard scenarios have also been elaborately defined and classified by Na et al. (2009). “A simple hazard scenario starts with an initiating cause, and is driven by material, energy and information flow; it then passes by a series of pivotal events, propagates via time and space in the system, and finally results in one or several consequences”.

Scenario-based hazard evaluation helps in understanding the context of the hazard, the severity of the consequence, and the level of existing safeguards. It also assists in locating the weaknesses of the system (if any) so that recommendations for improvement may be given. This kind of evaluation also solves problems related to how safety management is performed.

4. Scenario Object Model (SOM)

Hazard scenarios are the core of hazard information, because they indicate both the evaluation process and the evaluation results. In other words, the ontology of hazard scenarios is the basis of the standardization of hazard information.

The ontology we have developed for process hazard analysis is called Scenario Object Model (SOM). It is a common standardized expression for the complete information on hazard identification, hazard evaluation, and fault diagnosis. It provides an accurate generalization of the content (state) and structure (relation). The basic type of information in SOM consists of event and relation. The basic elements of SOM include cause, pivotal event, consequence, safeguard, and their relevant properties. These elements compose five basic structures: three elements, string, direct tree, inverse tree, and bowtie. The SOM can be either explicit or implicit; the explicit model expresses the information on the hazard evaluation results, whereas the implicit model expresses the information on the hazard evaluation process. It also can be directly used for automatic reasoning regardless of the model type (explicit or implicit) being used; further, the transformation between implicit model and explicit model is completed internally. The framework of the SOM is shown in Fig. 2.

4.1. Definitions of the basic elements of SOM

Pivotal event (E) (Roelen and Wever, 2005): An event that occurs after the initiating cause and before the loss event in an incident sequence. It refers to the process of an incident sequence, which can change the outcome, and describes the physical and chemical state or the occurring event according to certain rules. The E is always arranged after the R (initiating cause event) in an incident sequence. The event can be divided into two categories (CCPS, 2008): specific events, such as pressure, temperature, level, flow, rotational speed, and composition of a specific object (a piece of equipment or a stream of material, etc.); and conceptual events, such as reaction, mix, vaporization, crystallization, rectification, absorption, extraction, drying, unloading, blow, metathesis, exhaust, regulation, corrosion, extrusion, pollution, expansion, shake, strike, erosion, weathering, burning and baking, thunder, flooding, radiation, and others.

Fig. 2. The SOM framework: the basic information types (event, relation), the event classes (conceptual event, specific event), the relation classes (guide word, transmission/influence degree, deviation/influence), the basic elements (pivotal event, cause, consequence, safeguard), and the five basic structures (three elements, string, direct tree, inverse tree, bowtie), each in implicit and explicit form.

Guide word (D): Simple words that are used to qualify or quantify the design intention and to guide and stimulate the brainstorming process for identifying process hazards (CCPS, 2008). According to the international standard IEC-61882, the commonly used guide words include “no”, “less”, “more”, “part of”, “as well as”, “reverse”, “other than”, “early”, “late”, “before”, and “after”.

Deviation (d): Departure from the design intent (CCPS, 2008). Deviations are generated in practice by combining each pivotal event (also called a parameter) with a guide word. The symbolic expression of a deviation is shown in Eq. (1):

$$d \equiv D \circ E \in D \times E = DE \qquad (1)$$

For example: increasing $\circ$ temperature = temperature increasing; other than $\circ$ reaction = reaction with exception.

Deviation is the start of hazard scenario identification, and can be properly called the stimulating point in principle.

Initiating cause (R): Reasons why deviations might occur. It can be a mechanical failure, operational error, or external event. Once a deviation has been shown to have a credible cause, it can be treated as a meaningful deviation (CCPS, 2008). Not all possible deviations have practical meaning; thus, identifying meaningful deviations and credible causes is necessary.

Illustrations of hazard-initiating cause events:

1. Vessel failure: the failure of a pipeline, tube, tank, container, rubber tube, shim, seal, and so on.

2. Mechanical failure: the failure of a pump, compressor, agitator, valve, meter, sensor, controller, as well as interlocking, discharge, release, and similar devices.

3. Utility failure: the failure of power supply, nitrogen supply, water supply, cooling, air compression, heating, fluid transportation, steam supply, ventilation, and the like.

4. Human error: operational error, maintenance error, and so on.

5. External event: crane impact, bad weather, earthquake, flood, the failure of nearby equipment, man-made destruction, sabotage, and similar factors.

An initiating cause refers to the origin of the hazard propagation path, and only affects the pivotal event.

Consequence (C): Results of deviations (CCPS, 2008). For example, the release of toxic materials results from extra high tank pressure. Consequence is the recipient of the impact, and only receives the impact of the pivotal event. Thus, the same deviation combined with different causes may lead to different outcomes.


Fig. 3. Structure of the three elements scenario (R1 → E1 → C1).

Safeguard (P): Any device, system, or action that would likely interrupt the chain of events following an initiating cause or that would mitigate loss event impacts, e.g., process alarms, shutdowns, automatic isolation.

Scenario (S): The full description of a possible incident sequence is a scenario. Each scenario starts with one or more initiating causes (R), propagates via one or more pivotal events (E), and terminates with one or more consequences (C). A complete scenario includes three factors: initiating cause, pivotal event, and consequence.

In the construction of hazard scenarios, specific events are frequently used to identify and express the hazard propagation chain along material flow, energy flow or information flow in the process, whereas conceptual events are used to identify and express the hazard propagation chain from exact initiating events, enabling events and conditions to exact consequences, and to locate safeguards. Therefore, the conceptual event extends the applicable scope and availability of the SOM ontology.

4.2. Influence equation – Expression of the structural information of SOM

The hazard information can be divided into structural informa-tion and content information; the latter can be fully expressed intwo dimension tables (i.e., subject, project, property, character,and instruction, and so on), but the former needs specific ontologyto express, restore, transfer, modify, and reuse. SOM focuses on thestructural information and leaves the content information to ISO-15926, natural language documents, or knowledge base in somesoftware platform. In general, the natural language offers certainadvantages to express content information, if guided by thestandard.

Except for conceptual event, the influence equation betweenevents is introduced to express the structural information of theSOM. Wu and Zhang et al. have presented the modeling rulesand concise expression methods for the qualitative algebraicequation (Wu et al., 2009). This method extends the qualitativemodeling to the event algebra and symbolic logic. It breaksthrough the limit stating that the node of the SDG model couldonly have three states (+, 0, �), and realizes the automatic hazardidentification and analysis with any one or more guide words bycooperating with specific qualitative reasoning engines and model-ing software platforms. Three kinds of conditions (i.e., constraint,hazard propagation, and logic inference) are introduced into theinfluence equation. It takes simple symbolic expression and logicreasoning to express all kinds of logic inference in hazard analysis.

From the internal mechanism perspective, the guide words except ‘‘more’’ and ‘‘less’’ comprise a kind of logic inference, which occurs between two directly neighbored nodes (cause and consequence). The automatic reasoning machine considers all of the consistent paths.

The influence equation is shown in Formula (2) as follows:

$$C_j = S\left(\pm d_g\, E_i^{P_l},\ \pm R_k\right) \quad (i = 1, 2, \ldots, n;\ j = 1, 2, \ldots, m;\ k = 1, 2, \ldots, x;\ l = 1, 2, \ldots, y;\ g = 1, 2, \ldots, z) \tag{2}$$

where $C_j$ is the consequence event, $S$ is the constructor of the event sequence, $d_g$ is the guide word (the explicit expression is a single guide word, and the implicit expression is a guide word vector), $E_i$ is the pivotal event, $P_l$ is the protection layer, and $R_k$ is the cause event.

The primary restriction rules are listed below:

① $C_j$ is a dependent variable, which is listed only on the left side of the equation.
② $E_i$ and $R_k$ are independent variables that are listed only on the right side of the equation.
③ All pivotal events $E_i$ are restricted by the constructor $S$, and must follow the sequence of the string hazard scenario from right to left in order of priority; that is, the pivotal events do not obey the commutative law in the influence equation.
④ $R_k$ follows close behind the pivotal event it directly affects, and does not affect the sequence of the pivotal events. That is, $R_k$ can ignore the sequence.
⑤ The sign ‘‘−’’ before a pivotal event means that the two neighbored events are affected in the opposite direction.
⑥ The sign ‘‘−’’ before a cause event means a conditional cause or enabling cause.

Here are some examples of influence equations expressing the structural information in hazard scenarios. In the following diagrams, the rectangles with ‘‘R’’ represent cause events, the rectangles with ‘‘C’’ refer to consequence events, and the circles are pivotal events. The solid line with an arrow represents the causal relation and influence direction, and the dotted line with an arrow refers to the causal relation between a conditional cause or enabling cause and a pivotal event only. For easier understanding of how influence equations express structural information, multiple guide words and protection layers are not included in the following examples.

Example 1: Three-element scenario. It is the simplest structure of hazard scenarios. The structure is shown in Fig. 3, and its influence equation is listed in Formula (3):

$$C_1 = E_1 + R_1 \tag{3}$$

Example 2: String (single chain) scenario. The structure is shown in Fig. 4, and its influence equation is shown in Formula (4):

$$C_1 = E_3 + E_2 + E_1 + R_1 \tag{4}$$

Example 3: Direct tree scenario. The structure is shown in Fig. 5, which shows a reverse impact between pivotal events E1 and E3. It is usually a feedback signal and can form a loop. The influence equations are listed in Formulas (5a) and (5b). R1 is not involved in the event sequence, and as such, (5a) can be simplified to (5b) while still maintaining the structural information of Fig. 5.

$$\begin{cases} C_1 = E_2 + E_1 + R_1 \\ C_2 = E_3 + E_2 + E_1 + R_1 \\ C_2 = E_3 - E_1 + R_1 \\ C_3 = E_3 + E_2 + E_1 + R_1 \\ C_3 = E_3 - E_1 + R_1 \end{cases} \tag{5a}$$

$$\begin{cases} C_1 = E_2 + E_1 + R_1 \\ C_2 = E_3 + E_2 + E_1 \\ C_2 = E_3 - E_1 \\ C_3 = E_3 + E_2 + E_1 \\ C_3 = E_3 - E_1 \end{cases} \tag{5b}$$

26 C.-g. Wu et al. / Safety Science 60 (2013) 21–34

Fig. 4. Structure of the string scenario.

Fig. 5. Structure of a direct tree scenario.

Fig. 6. Structure of the bowtie scenario.

Example 4: Bowtie scenario. The structure is shown in Fig. 6, and its influence equation is listed in Formula (6). The influence equations here implicitly express 9 string scenarios, all of which can be reasoned out through Formula (6). Hence, influence equations can compress and store information.

$$\begin{cases} C_1 = E_2 - R_3 + E_1 + R_2 - R_1 \\ C_2 = E_3 + E_2 + E_1 \\ C_3 = E_3 + E_2 + E_1 \end{cases} \tag{6}$$

The advantages of the influence equation method are listed as follows:

1. It can express all the structural information of hazard scenarios during the hazard analysis;

2. It can realize computer-aided forward reasoning and backward reasoning;

3. It can be converted to semi-quantitative, quantitative, or differential equations. This feature is helpful in realizing multi-scale modeling (Ingram et al., 2004) and in establishing the link between non-formal, semi-formal and formal models (Wu et al., 2010);

4. It is the implementation of the rule of ‘‘minimal ontological commitment’’ (compared with existing ontologies, such as description logics, it is simple, clear and easy to understand, learn and use); and

5. In a sense, it is an effective method for scenario information compression and storage.

4.3. Definition of the explicit structure of SOM

Definition: The relationship between any two neighbored pivotal events is unique.

As defined in Formula (6), $S_3$ is a subset of three-element explicit hazard scenarios; $S_3$ is the concise expression of the What-If method. This formula is also illustrated by the structure shown in Fig. 3.

$$S_3 \in \{R, E, C\} \cup \left\{R, \sum E_i, C\right\} \tag{7}$$

Meanwhile, in Formula (7), $S_c$ is a subset of string explicit hazard scenarios, which is the expression of Root Cause Analysis (5 Whys), HAZOP, and LOPA. It is illustrated by the structure shown in Fig. 4 and is expressed as follows:

$$S_c \in \{R, E_1, E_2, E_3, \ldots, E_i, C\} \tag{8}$$

In Formula (8), $S_{tr}$ is a subset of inverse tree explicit hazard scenarios and is a concise expression of the classic qualitative fault tree method. It is also known as the Master Logic Diagram (MLD) method and is expressed by:

$$S_{tr} \in \left\{\sum R_i, E_1, E_2, E_3, \ldots, E_j, C\right\} \tag{9}$$

In Formula (9), $S_{tl}$ is a subset of direct tree explicit hazard scenarios, which is a concise expression of the classic qualitative event tree method (also known as the Event Sequence Diagram or ESD). This is also illustrated by the structure shown in Fig. 5 and is given by:

$$S_{tl} \in \left\{R, E_1, E_2, E_3, \ldots, E_i, \sum C_j\right\} \tag{10}$$

As defined in Formula (10), $S_{bt}$ is a subset of explicit hazard scenarios in bowtie analysis. This is shown in Fig. 6 and is expressed by:

$$S_{bt} \in \left\{\sum R_i, E_1, E_2, E_3, \ldots, E_j, \sum C_k\right\} \tag{11}$$

As shown in Formula (11), $S$ is the set of mixed hazard scenarios. It includes both the discrete type (i.e., there is no relationship between subsets) and the simultaneous type (i.e., there is an explicit relationship between subsets). The discrete mixed scenario is the concise expression of both the hazard propagation information in batch processes and the whole structural information in hazard analysis (generally, the human cognitive level of the objective world is discrete and incomplete). This is expressed as:

$$S \in \left\{\sum S_3 \cup \sum S_c \cup \sum S_{tr} \cup \sum S_{tl} \cup \sum S_{bt}\right\} \tag{12}$$

Inference 1: $S_3$ is a subset of $S_c$, i.e., $S_3 \subset S_c$.
Inference 2: $S_c$ is a subset of $S_{tr}$, i.e., $S_c \subset S_{tr}$.
Inference 3: $S_c$ is a subset of $S_{tl}$, i.e., $S_c \subset S_{tl}$.
Inference 4: $S_c$ is a subset of $S_{bt}$, i.e., $S_c \subset S_{bt}$.
Inference 5: According to the four inferences above, $S_c$ is the basic subset of the qualitative model.
Inference 6: According to the inferences above and exhaustive enumeration, the mixed hazard scenario set $S$ is the normal form of the explicit SOM model.
Inference 7: The explicit structure of the scenario-based hazard evaluation results comprises one of the subsets above.

4.4. Definition of the implicit structure of SOM

Definition: The relationships between any two neighbored events are not all unique.

The subsets of the implicit structure are the same as those of the explicit one. The explicit structure can be extracted from the implicit structure with the help of computer-aided automatic reasoning.

4.5. Definition of scenario propagation sequence and computer-aided HAZOP reasoning

The scenario propagation sequence $DS$ is defined as the path through which a hazard propagates through space and time.

The identification of the scenario propagation sequence starts from the deviation of a pivotal event $DE_i$, and then ends with the initiating cause in backward reasoning and the consequence in forward reasoning, in accordance with the ‘‘consistency principle’’.

The consistent operator, represented by the symbol ‘‘→’’, refers to the direct effect from $E_i$ to $E_{i+1}$ when deviation $DE_i$ occurs, i.e., $DE_i \to E_{i+1}$ or $E_{i-1} \to DE_i$. The definition above is explicit, indicating that the relationship between neighbored events in the scenario propagation sequence is unique.

Examples of consistent scenario propagation sequences between neighbored events are listed below.

‘‘Liquid flow rate to a tank increases → tank level rises’’;
‘‘Mal-operation → valve opened by mistake’’;
‘‘Valve opened by mistake → material enters the wrong tank’’; and
‘‘Material enters the wrong tank → reaction → tank temperature rises rapidly → tank vapor space is pressurized → tank rupture explosion → toxicants leak → disaster’’.

Among the string hazard scenario subset $S_c$, at least one sequence $DS_{c-i}$ ($\inf i \ge 1$) exists. As shown in Formula (12), $DE_x$ represents the deviation. It is evident that $DS_{c-i}$ is the expected consequence form of HAZOP, LOPA, and fault diagnosis.

$$DS_{c-i} \in \{R \to E_1 \to E_2 \to E_3 \to \ldots \to DE_x \to \ldots \to E_i \to C\}_i \quad (\inf i \ge 1) \tag{13}$$

Fig. 7. Flowchart of computer-aided HAZOP analysis.

Fig. 7 shows the computer-aided HAZOP analysis process. The reasoning is based on the influence equations and starts at the deviation of a pivotal event; it then searches for the cause events backward and the consequence events forward. Candidate results are identified only if a string scenario is searched out, regardless of whether the manifestations of the influence equations are discrete or unlinked fragments. The reasoning engine we have developed is based on depth-first and breadth-first search, and can search 1,900,000 scenarios per second on a regular laptop computer. When there is no other influence between neighbored pivotal events, the reasoning inevitably generates repeated scenarios, which must therefore be deleted.

To illustrate the role of SOM (including explicit and implicit), we extend ‘‘Figure 5.3 Overview of the HAZOP Study Technique’’ (CCPS, 2008), as shown in Fig. 8.


Fig. 9. Graphical representation of influence degree and response time (influence degree $G_i$: 0.7–1.0, 0.3–0.7, 0.1–0.3; response time $T_i$).

4.6. Semi-quantitative description of transmission

To evaluate the intensity and duration of complex hazard scenarios more conveniently, the concepts of channel sensitivity and time constant, which are often used in the process control field, can be introduced. In hazard analysis, we often use a semi-quantitative, magnitude-based estimation method because accurate relative gains and time constants between events are difficult to obtain. The influence degree between two neighbored events is an estimated number between 0 and 1. If the influence is high, the number ranges from 0.7 to 1.0; if moderate, from 0.3 to 0.7; and if low, from 0 to 0.3. For a simple explicit scenario, the total intensity (GS) is approximately equal to the product of all neighbored influence degrees, including causes and consequences, as shown in Formula (13). For a mixed network scenario, the total intensity can be calculated using the network topology method (Wu, 2008; Wu et al., 2010). The response time runs from the initiation of the cause to the occurrence of the consequence; the total response time (TS) of a simple explicit scenario is equal to the sum of the response times of all the neighbored events, as shown in Formula (14). The physical meanings of the two quantitative parameters are depicted in Fig. 9.

The influence degree and response time are used to compensate for the loss of intermediate information in HAZOP analysis, thus leading to results that are comprehensive and objective. When a scenario is complicated, the total intensity may be very small, and the severity of the scenario cannot be accurately evaluated by using only one parameter. In a scenario with high risk but a long response time, there is sufficient time to prevent the consequence; furthermore, the severity of the scenario can be kept within a certain range. These two semi-quantitative parameters indicate the computability of SOM, and they are recommended, not required, ways of representation. The decision to use them also depends on the possibility of data acquisition and the willingness of the analysts.

Fig. 8. The role of SOM and computer in HAZOP analysis.

$$G_S = \prod_{i=1}^{m} G_i \quad (i = 1, 2, 3, \ldots, m) \tag{14}$$

$$T_S = \sum_{i=1}^{m} T_i \quad (i = 1, 2, 3, \ldots, m) \tag{15}$$
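The following Python is an added example, not code from the paper or from the CAH software. It encodes the bowtie of Formula (6) and the direct tree of Formula (5b) as influence-equation data, extracts the explicit string scenarios of Formula (8), runs the backward/forward reasoning of Fig. 7 from the deviation of a pivotal event (deleting repeated scenarios), and evaluates $G_S$ and $T_S$ from Formulas (14) and (15). The $G_i$ and $T_i$ values are constructed, and reading the ‘‘−’’ before a pivotal event as a reverse (feedback) edge is my interpretation of rule ⑤.

```python
"""Added example (not the paper's or CAH's code): influence equations of
Section 4.2 as data, extraction of explicit string scenarios (Formula (8)),
the backward/forward HAZOP reasoning of Fig. 7, and G_S / T_S of Formulas
(14)/(15). Graph reading and the G_i / T_i values are constructed here."""
from math import prod

# Each equation is (consequence, right-hand side); the right-hand side lists
# (sign, event) terms left to right exactly as written in the paper.
BOWTIE = [  # Formula (6)
    ("C1", [("+", "E2"), ("-", "R3"), ("+", "E1"), ("+", "R2"), ("-", "R1")]),
    ("C2", [("+", "E3"), ("+", "E2"), ("+", "E1")]),
    ("C3", [("+", "E3"), ("+", "E2"), ("+", "E1")]),
]
DIRECT_TREE = [  # Formula (5b); the E3 -> E1 feedback of Example 3 forms a loop
    ("C1", [("+", "E2"), ("+", "E1"), ("+", "R1")]),
    ("C2", [("+", "E3"), ("+", "E2"), ("+", "E1")]),
    ("C2", [("+", "E3"), ("-", "E1")]),
    ("C3", [("+", "E3"), ("+", "E2"), ("+", "E1")]),
    ("C3", [("+", "E3"), ("-", "E1")]),
]

def build_graph(equations):
    """Union of all equations as a propagation graph {event: set(successors)}.
    Rules (3)-(6) as read here: pivotal events are ordered right to left, so a
    pivotal term feeds the pivotal term written before it (or the consequence);
    a cause term attaches to the pivotal term it follows; '-' before a pivotal
    event is taken as a reverse (feedback) edge; '-' before a cause marks a
    conditional/enabling cause. Cause-less fragments (C2, C3) get linked
    through the events they share with other equations."""
    succ, conditional = {}, set()

    def link(src, dst):
        succ.setdefault(src, set()).add(dst)
        succ.setdefault(dst, set())

    for cons, rhs in equations:
        prev = None  # pivotal event read just before the current term
        for sign, ev in rhs:
            if ev.startswith("E"):
                if sign == "-" and prev:
                    link(prev, ev)  # opposite direction: feedback from prev to ev
                else:
                    link(ev, prev or cons)
                prev = ev
            else:
                assert prev, "a cause event must follow a pivotal event (rule 4)"
                link(ev, prev)
                if sign == "-":
                    conditional.add((ev, prev))
    return succ, conditional

def paths_from(adj, node, seen=()):
    """Every simple path from node to a sink of adj (depth-first, loops pruned)."""
    seen = seen + (node,)
    if not adj[node]:
        return [seen]
    return [p for nxt in sorted(adj[node]) if nxt not in seen
            for p in paths_from(adj, nxt, seen)]

def invert(succ):
    """Predecessor graph, used for backward reasoning."""
    pred = {n: set() for n in succ}
    for src, dsts in succ.items():
        for dst in dsts:
            pred[dst].add(src)
    return pred

def string_scenarios(succ):
    """All explicit string scenarios R -> E1 -> ... -> Ei -> C (Formula (8))."""
    return {p for n in succ if n.startswith("R") for p in paths_from(succ, n)}

def hazop_reasoning(succ, deviation):
    """Fig. 7: from the deviation of pivotal event `deviation`, reason backward
    to the causes and forward to the consequences; collecting into a set deletes
    the repeated scenarios. Each result is a DS_{c-i} of Formula (13)."""
    back = paths_from(invert(succ), deviation)  # deviation ... cause
    fwd = paths_from(succ, deviation)           # deviation ... consequence
    return {tuple(reversed(b)) + f[1:] for b in back for f in fwd}

# Constructed G_i (influence degree, 0-1) and T_i (response time, minutes) for
# every neighbored pair of the bowtie; illustrative values only.
DEGREE = {
    ("R1", "E1"): (0.3, 5), ("R2", "E1"): (0.9, 5), ("R3", "E2"): (0.6, 15),
    ("E1", "E2"): (0.8, 10), ("E2", "E3"): (0.5, 20), ("E2", "C1"): (0.2, 2),
    ("E3", "C2"): (0.8, 1), ("E3", "C3"): (0.4, 30),
}

def intensity_and_time(path, table=DEGREE):
    """Formulas (14) and (15): G_S = product of G_i and T_S = sum of T_i over
    the neighbored pairs of one explicit string scenario."""
    pairs = list(zip(path, path[1:]))
    return prod(table[p][0] for p in pairs), sum(table[p][1] for p in pairs)

if __name__ == "__main__":
    succ, cond = build_graph(BOWTIE)
    for s in sorted(hazop_reasoning(succ, "E2")):  # every string passes E2
        g, t = intensity_and_time(s)
        print(" -> ".join(s), f"G_S={g:.3f}", f"T_S={t} min")
```

Run stand-alone, the script lists the 9 string scenarios of the bowtie that pass through E2, each with its constructed $G_S$ and $T_S$.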

5. Case study

To demonstrate the effectiveness of the proposed scenario object model, we give two examples in this section. Case study 1 takes the Bhopal gas leak, which appeared in ‘‘Table 7.1 Scenarios are unique initiating cause/loss event combinations’’ (CCPS, 2008), to illustrate the advantage of this graphical method. Case study 2 deals with hazard analysis of a pipe network, and focuses on the importance of structural information, which cannot be expressed in a traditional hazard analysis report.

Table 1. Sample scenarios of the gas leak case.

Scenario | Initial cause | Intermediate events | Consequence
1 | Caustic unloaded into wrong storage tank | Caustic mixed with formaldehyde solution; Polymerization reaction initiated; Vapors generated; Tank vapor space pressurized | Toxic formaldehyde vapors released from tank vent
2 | Caustic unloaded into wrong storage tank | Caustic mixed with formaldehyde solution; Polymerization reaction initiated; Vapors generated; Tank vapor space pressurized; Ignition source present | Flash fire
3 | Caustic unloaded into wrong storage tank | Caustic mixed with formaldehyde solution; Polymerization reaction initiated; Vapors generated; Tank over pressurized | Tank rupture explosion and fire; Contents energetically released to surrounding area
4 | Caustic unloaded into wrong storage tank | Caustic mixed with formaldehyde solution; Polymerization reaction initiated; Vapors generated; Tank over pressurized; Ignition source present or created | Tank rupture explosion and fire; Contents energetically released to surrounding area by failing tank
5 | Etc. | |

Fig. 10. SOM for the gas leak case. Panels: (i) Scenario 1: string type; (ii) Scenario 2: string type; (iii) Scenario 3: string type; (iv) Scenario 4: string type; (v) SOM: direct tree type, with preventive safeguards and mitigative safeguards marked.

5.1. Case study 1: gas leak scenarios analysis

With commonly used approaches, the scenarios of the hazard evaluation are organized and presented as in Table 1. Such a description is evidently cumbersome and redundant. Even the first 4 scenarios listed are the same at the beginning, but the consequences are different because of the distinct inciting events. Unfortunately, this is just the tip of the iceberg. In most cases, a PHA report contains much duplicated information like this. However, the scenarios expressed in SOM are concise and intuitive, as shown in Fig. 10.

Fig. 11. Importance of structural information in HAZOP study. Panels: (i) What the drawing showed; (ii) What was there; (iii) What Engineering Specified; (iv) What the Fitter Installed.

From Fig. 10, we can see that the SOM in this case has strong expressive ability. It can be decomposed into 4 parts, corresponding to the first 4 scenarios listed in Table 1. This graphical expression can help analysts find the root causes, initiating cause, enabling cause, and consequences without incurring omissions, whereas the overall concept cannot be formed in a traditional report because the information is dispersed in several places. In addition, in the subsequent risk analysis (LOPA), the location, importance, or effect of safeguards are often not very precise. When we check the results, SOM helps analysts see the whole hazard scenario at a glance. Modifying the protection layers will inevitably cause some changes, but SOM can adapt to these changes of structural information. Moreover, SOM can also segment the HAZOP results, which helps the analyst give a more precise conclusion. For instance, the safeguards can be segmented into preventive safeguards and mitigative safeguards, as shown in Fig. 10v.

Fig. 12. Scenario-based model of the pipe network case. Panels: (i) What the design specified; (ii) Check valve is in correct location; (ii) Check valve is in wrong location; each panel shows Route I and Route II through the safety valve, check valve, operation failure, and filter rupture.

5.2. Case study 2: pipe network hazard analysis

Let us consider the HAZOP analysis of the pipe network presented in Fig. 11. The P&ID shows a gas stream at 3000 psig being let down through a pressure controller and then passing through a filter before entering the process. The filter has a design pressure of 720 psig and is protected from overpressure by a safety valve.

As shown in Fig. 11i, the safety valve and the check valve are safeguards, and their locations are usually not allowed to change. But the real situation was that the check valve, which was thought to be downstream of the second pressure indicator, was actually upstream, as shown in Fig. 11ii. In the traditional HAZOP report, the location, that is, the structural information, cannot be described: no matter how the relative location between the check valve and the second pressure indicator is changed, the report stays the same. In SOM, this structural information can be exactly recorded. The location of the check valve was not important as long as there was only one flow path to the filter. However, the location became important when another flow path to the filter was installed. In this case, because the pressure controller in Fig. 11i did not allow sufficient flow, another pressure controller was installed in parallel. The parallel controller was to be installed using the bleeder connection at each pressure indicator, as shown in Fig. 11iii and iv. The former is what engineering specified, and the latter is what the fitter installed. At this point the importance of the locations of the check valve and the safety valve becomes evident. In Fig. 11iv, an overpressure potential for the filter has been introduced because now the check valve isolates the filter from the safety valve. However, in traditional hazard analysis, it is difficult to identify the hazard caused by such misplaced safeguards. In this case, unfortunately, when the system was re-pressurized the filter exploded, killing a worker.

The scenario object model of the case is shown in Fig. 12. These three figures are arranged to correspond to the contents of Fig. 11. It can thus be seen that, had the SOM accurately reflected what was in the field, the analyst would likely have been able to recognize the lack of overpressure protection on the filter caused by the modification.

6. Computer-aided HAZOP software based on SOM

To realize computer-aided HAZOP analysis, we should be able to answer the following questions:

• What is the essence of hazard analysis information?
• How can the hazard analysis process be tracked and recorded simply and easily?
• How can hazard information be transferred, exchanged, or shared between different professionals or in different stages of safety design?
• What is the internal mechanism of hazard analysis?
• How can automatic analysis be realized with multiple guide words?
• How can the hazard scenarios be identified automatically, or how can the repetitive work in hazard analysis be left to the computer?
• How can the multidimensional hazard information from the HAZOP report be analyzed automatically?

The SOM we have developed and qualitative reasoning technology are the keys to solving these problems. SOM separates the structural information from the hazard information, and treats content information related to specific systems as a knowledge base. The knowledge base can be shared with existing standards (such as ISO 15926) and expanded by users.

We have developed computer-aided HAZOP software called CAH, which completely follows the traditional hazard analysis process. The difference is that it requires the hazard evaluation team to set up the graphical SOM of the target system. The graphical SOM is constructed throughout the whole process of hazard analysis; when the analysis is finished, the SOM is completed at the same time. The modeling seems to require more extra work than it actually does, because all the content that modeling requires is already involved in the hazard analysis process. Plenty of application experience shows that a high-quality SOM model retains the whole structural information of the process.

For industrial applications, we have used CAH software for many HAZOP projects, such as a large-scale ethylene plant, a styrene plant, a coal gasification process, FCCU, PTA, LNG, and a sewage water treatment device. The effect is very satisfactory: not only is computer-aided automatic HAZOP realized, but the quality and efficiency of analysis are also improved. Our practice has proved that HAZOP knowledge transfer, auditing, sharing, reuse, and visualization can be realized by SOM and SOM-based CAH software. A screenshot of a large LNG storage tank system in the software is shown in Fig. 13.

Fig. 13. Graphical user interface of CAH.

CAH uses the event-centered graphical modeling method and combines the data collection and modeling stages in hazard analysis. With the assistance of CAH, 50–70% of the modeling can be accomplished immediately. The architecture of CAH is presented in Fig. 14. It sets 5 properties for an event node: equipment description, parameter and guide word, root cause, consequence, and layer of protection. The cause or consequence node must be a single event that occurs frequently and is dangerous. During the modeling process, the mutual influence relationship between two nodes with multiple guide words is discussed and confirmed by the hazard evaluation team. When the SOM is partially or fully finished, we can use the computer to conduct qualitative reasoning. Furthermore, the SOM can implement different qualitative reasoning methods, such as constraint reasoning, propagation reasoning, and multiple logical reasoning, in different conditions (see Fig. 14).

Once the reasoning result is confirmed and accepted, we can process the analysis results. The SOM provides three kinds of display and processing modes, as listed below.

① Provide a visual image of hazard scenario information. We can accurately locate the existing protection layers through scenarios, and then distinguish the independent protection layers from the non-independent ones among them. These important factors are hardly addressed in conventional hazard analysis.
② Process the hazard analysis results. Hazard scenario information, risk matrix information, semi-quantitative frequency, and influence degree are added to the report. We can also use the LOPA method.
③ Generate and print the hazard analysis report automatically. It can produce information output in any kind of format, such as a CBC table, DBD table, and bowtie table.

Fig. 14. Structure of CAH.

CAH focuses precisely on the details of the HAZOP analysis meeting, and provides a powerful graphical platform for discussion and recording. Once the meeting is over, the results of the qualitative model can be immediately generated by the reasoning engine. The hazard scenarios are then revealed completely and efficiently.

The hazard analysis methods integrated in CAH include the following: checklist, What-If, qualitative event tree, qualitative fault tree, bowtie analysis, HAZOP, and LOPA, all of which ensure complementary advantages.

7. Conclusion

This paper presents the SOM developed on the basis of ontological design rules. According to industrial practice, the standardized SOM can be used as a powerful means to transfer, share, and computerize information, thereby facilitating the conduct of hazard analysis. The main advantages of SOM are listed below.

1. It records all the valid details of a brainstorming session, such that the evaluation can be tracked, checked, and revised interactively. It also helps analysts in the tasks of searching for and revising results and even in generating reports.

2. Automatic reasoning by computer can improve the completeness of analysis and significantly reduce duplicated manual work.

3. It can solve the problems present in hazard evaluation, specifically the difficulties involved in transferring, inheriting, and sharing the information.

4. Through the classification and visualization of scenario structure, the quality and efficiency of hazard evaluation, including completeness, comprehensiveness, and resolution, can be improved.

5. The effect of evaluation is improved through the combination of various scenario-based hazard evaluation methods.

According to system engineering methodology (Leveson, 2004), the commonly used hazard evaluation methods are based on the static linear event chain model; however, these methods neglect system factors and complex feedback. Thus, a dynamic model and dynamic analysis method should be introduced. Future research can consider the use of ontological concepts to express a dynamic hazard scenario model and realize computer-aided dynamic hazard analysis.

References

Batres, R., West, M., Leal, D., Price, D., Masaki, K., Shimada, Y., Fuchino, T., Naka, Y., 2007. An upper ontology based on ISO 15926. Computers & Chemical Engineering 31 (5–6), 519–534.

Batres, R., Suzuki, T., Shimada, Y., Fuchino, T., 2008. A graphical approach for hazard identification. In: 18th European Symposium on Computer Aided Process Engineering (ESCAPE 18).

Baybutt, P., 2003. Major hazards analysis – an improved process hazard analysis method. Process Safety Progress 22 (1), 21–26.

Bayer, B., 2003. Conceptual Information Modeling for Computer Aided Support of Chemical Process Design. VDI Verlag GmbH, Düsseldorf, ISBN 3-18-378703-2.

Center for Chemical Process Safety (CCPS), 2008. Guidelines for Hazard Evaluation Procedures, third ed. American Institute of Chemical Engineers, New York, NY.

DARPA, 2001. A Model-Theoretic Semantics for DAML+OIL. <http://www.daml.org/2001/03/model-theoretic-semantics.html>.

Feng, Z.W., 2004. Studies of SCI-TECH Translation. China Translation & Publishing Corporation, Beijing.

Gruber, T.R., 1993. A translation approach to portable ontology specifications. Knowledge Acquisition 5, 199–220.

Gruber, T.R., 1994. Toward principles for the design of ontologies used for knowledge sharing. International Journal of Human–Computer Studies 43 (5/6), 907–928.

Horrocks, I., 2002. DAML+OIL: a reasonable web ontology language. In: Proc. EDBT 2002. Lecture Notes in Computer Science. Springer-Verlag, Heidelberg, pp. 2–13.

Ingram, G.D., Cameron, I.T., Hangos, K.M., 2004. Classification and analysis of integrating frameworks in multiscale modeling. Chemical Engineering Science 59, 2171–2187.

ISO 10303-11, 1994. Industrial automation systems and integration – product data representation and exchange – Part 11: description methods. The EXPRESS Language Reference Manual.

ISO 15926-2, 2003. ISO-15926:2003 Integration of Lifecycle Data for Process Plant Including Oil and Gas Production Facilities: Part 2 – Data Model.

Kishore, R., Sharman, R., Ramesh, R., 2004. Computational ontologies and information systems: I. Foundations. Communications of the Association for Information Systems 14, 158–183.

Kuraoka, K., Batres, R., 2003. An ontological approach to represent HAZOP information. Process Systems Engineering Laboratory, Tokyo Institute of Technology, Technical Report TR-2003-01.

Lee, B.H., 2001. Using FMEA models and ontologies to build diagnostic models. Artificial Intelligence for Engineering Design, Analysis and Manufacturing 15, 281–293.

Leveson, N., 2004. A new accident model for engineering safer systems. Safety Science 42 (4), 237–270.

McCarthy, J., Hayes, P.J., 1969. Some philosophical problems from the standpoint of artificial intelligence. In: Michie, D., Meltzer, B. (Eds.), Machine Intelligence. Edinburgh University Press, pp. 463–502.

McCoy, S.A., Wakeman, S.J., Larkin, F.D., Jefferson, M.L., Chung, P.W.H., Rushton, A.G., Lees, F.P., Heino, P.M., 1999. HAZID, a computer aid for hazard identification 1. The STOPHAZ package and the HAZID code: an overview, the issues and the structure. Transactions of the Institution of Chemical Engineers, Part B 77, 317–327.

Na, Y.L., Wu, C.G., Xia, Y.C., Zhang, W.H., 2009. Classification of process hazard scenario and SDG qualitative identification method. Journal of the Chemical Industry and Engineering Society of China 60 (10), 2503–2508.

Niles, I., Pease, A., 2001. Towards a standard upper ontology. In: 2nd International Conference on Formal Ontology in Information Systems (FOIS), Ogunquit, Maine, October 17–19, 2001.

Roelen, A.L.C., Wever, R., 2005. Accident Scenarios for an Integrated Aviation Safety Model, Report No. NLR-CR-2005-560.

Standard Upper Ontology (SUO), 2001. The IEEE Standard Upper Ontology Web Site, 2001. <http://suo.ieee.org>.

Studer, R., Benjamins, V.R., Fensel, D., 1998. Knowledge engineering: principles and methods. Data & Knowledge Engineering 25, 161–197.

Venkatasubramanian, V., Zhao, J.S., Viswanathan, S., 2002. Intelligent systems for HAZOP analysis of complex process plants. Computers & Chemical Engineering 24, 2291–2302.

W3C, 2004. McGuinness, D.L., Van Harmelen, F. (Eds.), OWL Web Ontology Language Overview. W3C Recommendation, 10 February 2004.

W3C, 2004. OWL Web Ontology Language Reference. W3C Recommendation, 10 February 2004. <http://www.w3.org/TR/owl-ref/>.

W3C, 2004. OWL Web Ontology Language Semantics and Abstract Syntax. W3C Recommendation, 10 February 2004. <http://www.w3.org/TR/owl-semantics/>.

W3C, 2004. RDF Vocabulary Description Language 1.0: RDF Schema. W3C Recommendation, 10 February 2004. <http://www.w3.org/TR/rdf-schema/>.

Wu, C.G., 2008. System Modeling and Simulation. Tsinghua University Press, Beijing.

Wu, C.G., Xia, T., Zhang, B.K., 2003. The qualitative simulation based on deep knowledge model of signed directed graph. Journal of System Simulation 15 (10), 1351–1355.

Wu, C.G., Zhang, W.H., Xia, Y.C., Na, Y.L., Wu, F.B., 2009. Concise expression methods of qualitative algebra equation – affection equation and modeling. Journal of System Simulation 21 (19), 5990–5993.

Wu, C.G., Xia, Y.C., Na, Y.L., Zhang, W.H., Zhang, B.K., 2010. The relationship of qualitative simulation and artificial intelligence and computational method system. Journal of System Simulation 22 (2), 306–312.

Zhang, Z.Q., Wu, C.G., Zhang, B.K., Xia, T., Li, A.F., 2005. SDG multiple fault diagnosis by real-time inverse inference. Reliability Engineering and System Safety 87, 173–189.
