Process Hazard Analysis Based on Modeling and Simulation Tools

Chemical and oil processes are intrinsically sources of potential hazards. Although traditional qualitative hazard identification methods are simple, systematic, and flexible, such methodologies present limitations related to the inherent subjectivity, dependence on the team’s level of experience, and the considerable time demanded from the members involved. In this context, the present work aims to develop a systematic way to use computational modeling and simulation tools for hazard identification. After extensive literature review, the present work proposes a methodology based on the association of the main points of previous works, with new contributions regarding the preparation for the simulations and the characterization of the minimum set of process variables that can enable appropriate interpretation of the results. The propene polymerization process (LIPP-SHAC process) was used as a case study to illustrate the proposed procedure. The paper explores how the model can be adapted for safety analyses and simulations for different hazard scenarios. The results obtained with different models are discussed and compared to those obtained with a traditional hazard identification approach to discuss how computational process modeling and simulation tools can add to heuristic analysis. In conclusion, the use of simulations complementing the human-based approach can indeed enhance the understanding of mechanisms of hazardous scenarios, lessen conservative decision-making, and avoid overlooking device failures that can pose a severe hazard to the process.


Introduction
Chemical and oil processes are intrinsically sources of potential hazards due to the necessity of dealing with toxic compounds, higher-energy substances, and large-scale equipment. History has shown that if these processes are not adequately managed, the results can be catastrophic [1][2][3].
The causes of major accidents have been mainly related to a lack of knowledge about process and system safety [4]. Over the past 40 years, many efforts have been made to develop and regulate the safe operation of industrial plants [4]. Nowadays, the accident causes are often more related to cost considerations and pressure on decision-making than to lack of knowledge. Therefore, assessment of process risks, development of cost and time-saving tools, and application of systematic approaches for process safety management are crucial to allow efficient risk-informed decision-making and, thus, to avoid accidents and losses [4].
In the context of risk assessment and risk-based decisions, the hazard identification step is crucial because it is the starting point of further and more involved analyses that compose a robust process safety management system. Hazard identification techniques aim to identify the hazardous situations related to inherent weaknesses in the design and operation of a given process and generally present a qualitative nature [5]. Particularly, when performing hazard identification studies, one should look for potential mechanisms of loss of containment (LOC), which means the release of chemical substances beyond the designed boundaries [6].
Hazard identification analyses should be performed throughout the whole plant lifecycle, including design, operation, and decommissioning. For each process phase and depending on the available information, characteristics of the analyzed process, and demanded results, distinct hazard identification tools can be selected [5]. Although hazard identification constitutes a fundamental step of the risk assessment process, it can be performed independently from frequency estimation and risk analyses [7].
The most employed methodologies for hazard identification are based on expert and/or multidisciplinary skilled team knowledge applied to a systematic procedure. Checklists and surveys, what-if, failure mode and effect analysis (FMEA), and hazard and operability analysis (HAZOP), among others, are usually applied to perform this task [8].
Among the traditional hazard identification methods, particular importance can be assigned to HAZOP due to its worldwide application, legislation approval, and effectiveness in identifying hazards [9]. Although recent studies recognize the importance and applicability of HAZOP, they also reinforce the intrinsic limitations and drawbacks of the technique, as follows:
- subject to the human factor: safety-relevant scenarios may be forgotten; for complex plants, consequence discussion may be inaccurate and unclear [10,11];
- dependent on team skill and experience [12];
- time-consuming and labor-intensive [6,9,13];
- expensive [14];
- dependent on heuristic knowledge [15,16].
Due to the drawbacks of traditional hazard identification methods, efforts have been made to develop computational tools that can minimize them [10]. Many works have evaluated the application of dynamic process simulations to support hazard identification analyses in the last decades. The main reported advantages were the possibility to quantify deviations, clarify the cause-effect mechanism, and identify complex behaviors (due to process non-linearities and the possible existence of multiple steady states). The use of commercial simulation tools has been widely reported in the references, mainly due to the ease of using pre-existing models. However, concerns about model coverage and extrapolation capacity when applied to wide ranges of process deviations have also been expressed. Figure 1 presents a timeline with some works that use modeling and simulation to support the hazard identification steps.
Based on that, the main objective of the present work is to study how chemical engineering and computational technologies can be combined to enhance hazard identification procedures. Particularly, the use of modeling and simulation tools for competitive hazard assessment is investigated to understand the main challenges, advantages, and limitations of their application.

Proposal of a Hazard Identification Method
As discussed before, one of the most applied methods for hazard identification used worldwide is the so-called HAZOP, which must be recognized as an important systematic and practical tool that, when applied by an experienced group, can indeed bring beneficial results regarding safety and operability. Nevertheless, it is also well-known that HAZOP is a "time-consuming", "labor-intensive" [9], and experience-dependent approach, and sometimes it can be overly conservative, since accurate process behavior under process deviations is not available.
As presented in the Introduction, a lot of effort has been made to automate hazard analysis. Among the methods given in the literature, the malfunction procedure [16] systematically proposed the use of simulations for hazard identification. Although the proposed methodology provides variable deviations from the normal condition for sets of process disturbances, the procedure is fundamentally different from the usual HAZOP approach. The malfunction procedure assumes the occurrence of malfunctions and uses process simulation to determine the impact of the disturbance on the process variables. In contrast, HAZOP starts with a list of process variables and applies the so-called "guidewords" to investigate the causes of process deviations. One must notice that HAZOP is repetitive because there is a certain correlation among the process variables. This means that, if one can simulate and analyze all relevant device malfunctions, each simulation will provide a set of process variable deviations [16]. Figure 2 illustrates the characteristics of the discussed procedures.
It is important to emphasize that HAZOP (process-oriented procedure) is well-known for its systematic and disciplined way of identifying process deviations. On the other hand, with the device-oriented procedure, one cannot assure that all device malfunctions, or at least the main ones, are actually covered in the analysis. A systematic approach based on FMEA methodology is proposed to tackle this question in the present work and applied to a general process flow chart, as illustrated in Figure 3 and recorded in Table 1, where one can obtain a generic list of device malfunctions.
An important assumption made here is that equipment materials and design conditions have been appropriately selected and that the plant can be operated safely at nominal conditions. In that manner, the relevant safety malfunctions are the ones that trigger process trajectories that potentially can exceed the plant design limits.
[Table fragment: coupled to mass balance (note 2); failure of heat transfer control (note 1)]
Note 1: A control failure can be caused by any of its elements (sensors, controller, or actuators).
Note 2: Failure modes related to the addition or removal of mass of a process node can impact the energy balance.
A malfunction can also occur at the boundaries of the process node or at the interfaces between different nodes. Therefore, the process parameters and devices placed at the boundaries and interfaces of the node must also be considered. Table 2 describes some process malfunctions related to the boundaries and interfaces that can potentially disturb the process variables.

[Figure labels: HAZOP (process-oriented); Malfunction Device Procedure (device-oriented)]
A systematic approach is proposed for mapping the potential malfunction devices considering that process streams, node boundaries, and devices are subjected to failures that can disturb the process, as illustrated in Figure 4. After simulating all device malfunctions and building the simulation result table, a heuristic hazard analysis must be performed [16]. The complementary heuristic analysis should take into account other relevant information and involve the necessary expertise to interpret the simulation results and achieve the safety analysis goal, which can vary according to the application purpose. Particularly, it is important to judge if the process variable deviations are sufficiently strong to exceed design limits, thus leading to loss of containment or damage. Therefore, one must ensure that the necessary process variables are provided as output variables for the malfunction simulations.
In a traditional HAZOP analysis, the process variables used most often to support process hazard identification are flow, pressure, temperature, level, and composition. Other less frequent variables are also used, such as agitation, speed, frequency, voltage, time (relevant for batch processes), among others [5,7]. The selection of process variables required to analyze the process hazards can be performed with the help of the generic master logic diagram presented by [6]. If one considers chemical processes hazards, it generally regards the identification of potential scenarios of loss of primary content (LOPC) [6]. This considers the loss through the boundary that keeps process substances in their designed space. Knowing that the unexpected release of substances can cause environmental, personal, and asset damages, it is important to characterize the relation between process variables and factors that can lead to loss of primary content. Figure 5 shows a simplified view following the event tree proposed by [6] that leads to LOPC. Although this diagram has been proposed for a qualitative hazard identification procedure, it brings valuable information about how process variable deviations can lead to hazardous scenarios.
It should be observed that vibration, high temperature, and over and under pressure are the immediate causes of structural failures. Therefore, these variables are crucial for deeper heuristic analyses. Modeling the mechanisms of overfilling leading to overpressure and low temperature and low level leading to under pressure is also desirable. However, when not available, it is recommended that these variables are monitored to feed critical analyses of the trajectories of process variables.
To identify process potential hazards, it is important to model and simulate process controllers, which are part of the process operability and can be susceptible to failure, but disregard the actuation of safeguards, which are considered after the raw risk has been assessed. Estimating risks and defining the necessary safety measures constitute an important step in hazard analyses but are not the focus of the present methodology.
In this scenario, it should be highlighted that the process model should capture undesired behaviors (such as runaway reactions, contaminants side reactions, combustion, among others) and the dynamics of all relevant process variables. This is not always possible, particularly in the first stages of process design and in complex process flowsheets. In that manner, due to the required level of detail, the simulation-based tool, especially when complementing traditional hazard analysis as HAZOP, should be applied to detailed engineering and routine operation phases of plant lifecycle, when detailed and specific information about the process is already available.

Case Study: Bulk Polymerization of Propene
The case study is based on the liquid polymerization of polypropylene with super high activity catalyst (LIPP-SHAC) process. It consists of a bulk polymerization process (the suspending medium is the monomer) in a single continuous three-phase stirred tank reactor to produce PP powder suspended in liquid propylene [17][18][19]. A fourth-generation Ziegler-Natta catalyst system ( /  ) is used in the considered process. Due to its high activity, catalyst removal and polymer purifications are not necessary [20].
The model used to perform simulations is based on the work of [17][18][19], with some new aspects that will be discussed in the sequence.
The reactor is fed by five continuous fresh streams: catalyst; two additive streams of PEEB (para-ethyl 4-ethoxybenzoate), the electron donor used to improve the polymer quality, and TEAL (tri-ethyl aluminum), the co-catalyst; hydrogen (chain transfer agent); and monomer (liquid propylene). The addition of hydrogen is necessary to adjust the molecular mass distribution of the polymer. Hydrogen interrupts the growth of the polymer chain and restores the activity of the original catalyst sites.
The reactor temperature is controlled via condensation of the vapor phase (boiling propylene) in the top condenser refrigerated with cooling water. The temperature of the cooling water is controlled through the manipulation of the cooling water flow. The reactor level is controlled through manipulation of the automatic valve placed at the outlet stream of the reactor, which contains essentially non-reacted monomer and polymer [20].
The non-reacted monomer is recovered in a gas separator via pressure reduction. The vapor phase carries the monomer and volatile impurities, while the solid phase carries the polymer, solid additives, and catalyst, which are incorporated into the PP product with no need for further purification.
The impurities in the monomer feed contain mostly propane (inert), so that the recirculation of non-reacted monomer leads to accumulation of propane, which must be purged [17,21]. In order to control the propane accumulation inside the reactor, a control loop manipulates the purge valve placed at the recirculation, according to the monomer purity measured in the recirculation stream. Besides that, the monomer feed rate is controlled by manipulating the monomer make-up flow to keep the monomer concentration inside the reactor constant.
The described process is represented in Figure 6. and  are respectively the mass flowrate and mass fraction of stream i, as shown in Table 3. TC, AC, FC, and LC are respectively the temperature, analytical, flow, and level controllers.

Model Adaptation
As discussed in the literature review, when simulating the model over a wide range of operation conditions, the validity of model parameters and numerical convergence may be jeopardized. Therefore, model results must be checked regarding consistency. Figure 7 shows the strategy for numerical simulations used for the proposed safety analysis. Model 1 is based on previous publications [17,18,20] as described in the following sections. Propane was considered as the main impurity of the inlet monomer stream, and the reactor pressure was modeled as a function of temperature.
Model 2 is the first modification of Model 1 and considers the TEA/PEEB ratio effect on the catalyst activity. Figure 9 shows that the kinetic factor, , elaborated for applications in narrow ranges of operation conditions [20], can be inconsistent when extrapolation is needed. The proposed adjustments were:
1. introduce a linear approximation up to zero in the region of low  concentrations, since it is known that  (co-catalyst) is needed to activate the catalyst [22];
2. assume a constant behavior of 80% of deactivation in the region of low  concentrations, since it is known that the excess of PEEB jeopardizes mainly the quality of the final product and is not able to kill the reaction [23].
The proposed modifications can be seen in Figure 9, which shows the modified factor, . In addition, Model 2 considered a limiting flowrate in the compression and condensation unit,  , |max. It was considered that the normal recycled rate is about 60% of the maximum compression capacity, so that: Finally, it was also assumed that when the reactor is flooded with liquid, condensation cannot take place. This can lead to very dangerous operation due to the simultaneous increase of pressure and temperature and should be avoided.
Model 3 is an improvement of Model 2 regarding the thermodynamic behavior of propene, motivated by the fact that the operating temperature,  343 K, and the propene critical temperature,  365.57 K, are close [24]. Due to the proximity to the critical temperature, the assumption of liquid-vapor equilibrium during simulations may not be correct in all conditions. Moreover, the remaining thermodynamic properties are subject to significant variations in the proximities of the critical point. For this reason, Model 3 was developed to take into account the more precise thermodynamic description of the reaction system.
In the region of liquid-vapor equilibrium, the reactor pressure,  , was assumed to be equal to the monomer saturation pressure,  , however, the equation was modified in the form [24]: where  is the critical pressure of propylene,   1  4 are auxiliary coefficients, and  1 / . Outside the region of liquid-vapor equilibrium, the reactor pressure was assumed to follow the modified virial equation in the form: where   is the density of propene,  is the universal gas constant,  is the propene temperature,   1  21 are auxiliary coefficients, and   1  21 are contributory terms that depend on   / and   / , where  and  are the critical temperature and critical density, respectively, of propylene.
The global density of propene can be obtained in the form: where  and  are, respectively, the mass of propylene and polymer inside the reactor,  is the reactor total volume capacity, and  is the polymer density. At saturation conditions, the propylene liquid and vapor densities (function of the temperature), ρ Pe,liq and  , , respectively, are [24]: (supercritical or subcooled liquid) (10) where V is the volume occupied by the liquid phase inside the reactor.
Finally, the slurry composition, given by the mass fraction of the monomer,   , and the polymer,   , can be calculated as: , .  .
where  is the mass of propane (monomer impurity) inside the reactor and  , is the total liquid mass inside the reactor, where the reaction takes place, and the slurry density, , is obtained based on the liquid composition. Propene heat capacity,  , was also calculated more precisely for the operation near the critical temperature [25]: where Cp is the ideal gas isobaric heat capacity,  are numerical values given by [24] and  ,  , and  are contributory independent terms of the state equation relating   / and   / . As one can see in Figure 10, the heat capacities of saturated liquid,  , and saturated vapor,  , increase asymptotically near the critical point. This behavior has been shown experimentally for propylene [26] and also other products [27,28]. The densities can also change significantly near the critical point, as shown in Figure 11. Model parameters required for simulation are presented in [24].

Device Malfunction Identification
As proposed in the hazard identification method, all inlet and outlet process streams, node boundaries, and interfaces should be eligible to malfunction. Figure 12 shows all potential process malfunctions highlighted in orange and numbered sequentially, resulting in 13 devices. Following the proposed methodology, the failure modes of each device were evaluated, resulting in 38 failure modes to simulate. Table 4 shows some examples of the identified failure modes related to the devices numbered in Figure 12.

Simulations
The normal operation condition considered for simulations leads to a product grade with   15 g 10 min ,    7% / , and  0.45, with recycled monomer purity set to 80%, as presented in [19,20,29]. As discussed in the hazard identification method, the critical process variables for safety are pressure, temperature, and level. Vibration is not investigated here since models are not available for vibrations of pumps and compressors. Due to the slow agitator speed, vibration was not considered in the agitator system.
A critical variable that is particularly important for this case study is the polymer mass fraction inside the reactor,  . As the polymer is in the solid phase, the polymer must be kept in suspension in the liquid phase. Experience shows that when the polymer mass fraction is higher than 0.5, the hydrodynamic collapse of the suspension can occur. This phenomenon can cause significant damage to the reactor mechanical components and can lead to loss of primary containment, thus constituting a critical variable for safety. The maximum allowed limits were defined as follows:
- Volume (V): the normal operation condition represents 60% of the design limit of 50 m³.
- Pressure (P): the normal operation condition represents 60% of the maximum allowed working pressure (MAWP) of 50 bar.
- Temperature (T): the normal operation condition is approximately 50 K below the design temperature of 400 K.

Malfunction Simulations
The malfunctions were simulated as step disturbances in the model parameters and model input conditions. In the simulation figures, the dashed colored lines represent disturbances in the direction of decreasing a parameter (or an input condition) normal value. The continuous colored lines indicate disturbances in the direction of increasing values. In all cases, the continuous grey lines represent the normal steady states, as presented in [19,20,29].
As discussed in device malfunction identification, 38 failure modes were identified, thus leading to 38 different simulations. For the present paper, 13 simulations were selected based on their contribution to further discussion on the subject. The selected cases are shown as follows.

S-1 (No Monomer Make-Up Flowrate) and S-2 (Lower Monomer Make-Up Flowrate)
Four different steps were applied to the monomer make-up flowrate in order to simulate scenarios S-1 and S-2. Freezing the monomer make-up flow at lower values represents the loss of control of the monomer inlet flowrate, leading to an immediate increase in residence time and, thus, monomer conversion. Consequently, the polymer fraction increases, and the recovered gas decreases, contributing even more to the reduction of monomer feed rates. This creates a self-sustained effect that can lead to hydrodynamic collapse, even after small disturbances of the make-up flow, since the volume control procedure actuates on the slurry valve closing it to keep the volume stable. All models were able to capture this effect but with different dynamics, as one can see in Figures 13 and 14.
The slightly different temperature and pressure trajectories are related to the different thermodynamic equations when the process approaches the critical point.
Figure 15 shows the behavior of the monomer liquid fraction. The reduction of the monomer liquid fraction reduces propene and propane concentrations in the slurry. As the monomer is consumed and its liquid fraction is reduced, the reactor volume decreases even when the slurry valve is already closed, as the polymer is denser than its monomer. The oscillatory behavior observed for Model 3, when the make-up flow is reduced to 90% of its normal value, is related to the purge control. After the failure, the slurry valve closes, the propene mass inside the reactor decreases, and the purity of the recycled stream decreases, triggering an increasing response of the purge rate, up to the point where the monomer is not recycled anymore. At this condition, the monomer feeding into the reactor is provided only by the fresh monomer stream, which increases the mass of propene inside the reactor and the monomer purity of the recycled stream. This triggers the opposite effect, reducing the purge and increasing the recycled stream back to the reactor, which reduces the propene concentration and closes a cycle of oscillatory behavior. It is believed that the distinct dynamic behavior of Model 3, after the hydrodynamic collapse, is related to modeling the liquid fraction,  , which depends on the monomer mass inside the reactor and is accounted for using the calculation of the slurry composition (which affects the recycled stream composition). However, it is important to observe that the oscillatory behavior is unreal, as the operation is not possible after the hydrodynamic collapse of the slurry stability.
The numerical "wash-out" effect after the hydrodynamic collapse, observed for Model 3, when the make-up flow is reduced to 99% of its normal value, is caused by the increase of the recycle stream flowrate after closing of the purge valve, which leads to reduction of residence time and, hence, to reduction of monomer conversion. Nevertheless, the event of interest in this analysis is the safety impact of the process variables, which results in hydrodynamic collapse, even when small disturbances are introduced into the make-up flowrate, characterizing this scenario as a potential hazard for the operation. Models 1 and 2 can describe the safety critical behavior, although Model 3 indicates faster dynamic responses until the hydrodynamic collapse. Thus, if dynamic information is desired, the simpler model can underestimate the propagation speed of the potential hazard.

S-3 (Higher Monomer Make-Up Flowrate)
After increasing the monomer make-up flowrate, the residence time decreases, and the unreacted monomer mass flowrate ( increases, leading to an increase of the recycled monomer flowrate sent back to the reactor.
As no limit was imposed on the recycled mass flowrate,  , the recovered gas is sent back to the reactor, creating the self-sustained increase of the monomer inlet flowrate to the point that it exceeds the reactor output flowrate capacity, leading to overfilling of the reactor, as shown in Figure 16. However, it is known that the recycled gas is compressed and condensed before returning to the reactor. In this circuit, pipelines and equipment have a maximum designed flowrate capacity limiting the maximum recycled mass flowrate to the reactor. Figure 17 shows the process behavior when this effect is considered.
Consequently, attaining the maximum recycled flowrate to the reactor, the residence time decreases, the unreacted monomer mass flowrate increases, but the recycled monomer sent back to the reactor becomes limited, which leads the operation to irrelevant safety effects regarding temperature, pressure, and level. On the other hand, although the limit of the recycle mass flowrate prevents the reactor from overfilling, it triggers other process hazards: the overload of the compression and condensation unit. As one can see in Figure 18, the recycle flowrate is lower than the gas generation, which in practical terms means the occurrence of the overload of the compressing unit, with possible overpressure. Similar results were obtained with Model 3, but slightly different dynamic paths are observed when more detailed assumptions are made. In conclusion, in this simulation case, Model 1 leads to a wrong understanding of the hazardous scenario, it being necessary to deepen the modeling level of detail. Model 2 is sufficient to describe the safety critical scenario. Despite that, the simulations confirm that the analyzed scenario constitutes an important hazard for the process operation.
Four different steps from the normal value were applied to the inlet  mass flowrate in order to simulate scenarios S-10 and S-11. The normal operating ratio between / represents the optimum point of catalyst activity. Thus, it is expected that any modification on this variable is able to reduce the reaction rate inside the reactor and, therefore, the polymer fraction. Simulation results obtained with Model 1 capture this effect when the  mass flowrate is reduced but leads to reaction death when feed is interrupted. This effect is not consistent with practical experience, as the interruption of the  feed flowrate is detrimental to polymer quality but does not lead to reaction shutdown. The extrapolation of the operating conditions parameter leads to a wrong understanding of the physical behavior in this case. Model 2 captures the deactivation effect related to the reduction of the  feed flowrate but limits the impact of the disturbance on the reaction rate, which is more consistent with the practical experience. Figure 19
Four different steps from the normal value were applied to the  inlet mass flowrate in order to simulate scenarios S-13 and S-14. As discussed in the previous simulations, the / normal operating ratio represents an optimum point of catalyst activity. However, the absence of  can lead to complete deactivation of the catalyst system, as  is a co-catalyst for the reaction system.
Simulation results obtained with Model 1 are shown in Figure 21 and do not capture the effect of deactivation when the  mass flowrate is null. Again, this limitation is related to the extrapolation of the original operation condition, leading to a wrong understanding of the physical behavior. As shown in Figure 22, when Model 2 is used, the deactivation effect is captured when the  flowrate is interrupted. When the reaction does not occur, the gas generation is equivalent to the monomer inlet flowrate. Thus, if the setpoint of the monomer flowrate is higher than the capacity of the recycle system, the compression and condensation unit become overloaded. On the other hand, if the setpoint of the monomer flowrate is lower than the capacity of the recycle system, no safety issue is posed, and the monomer is recirculated through the process equipment. Despite the slightly different dynamic trajectories, similar results can be obtained with Model 3. In conclusion, for scenarios S-13 and S-14, Model 2 is sufficient to describe the safety critical scenarios.

S-18 (Higher Catalyst Feed Flowrate)
The increase of the catalyst mass flowrate leads to an increase of polymer mass fraction inside the reactor and can lead to hydrodynamic collapse. For the two higher positive disturbance steps, Model 1 predicted oscillatory behavior, as shown in Figure 23. It can be noticed that the increase of the catalyst feed flowrate leads to an increase in the reaction rate and thus reduction of the monomer mass inside the reactor. As a result, the purity of the recycle stream decreases, and the rate of purge increases, up to the point where the whole generated gas is purged, and no recycled monomer is sent back to the reactor. Then, the make-up flowrate increases in order to keep the monomer inlet flowrate stable. The effect of injecting pure monomer reduces the propane concentration in the reactor and increases monomer purity in the recycled stream. This triggers the actuation of the purge control in the direction of decreasing purge flowrates up to the point that all gas is recycled back to the reactor. This fast increase of pure gas sent back to the reactor leads to an increase of reaction rates again, increasing the polymer fraction, reducing the propene concentration, and generating the observed oscillatory behavior. The described flow responses can be seen in Figure 24, for an increase of 50% of the catalyst's normal flowrate. The presence of periodic oscillatory responses associated with the bulk polypropylene process has been reported in the works of [30,31] when catalyst deactivation and the temperature controller are considered [30], and when unstable behavior with multiple steady states exists due to the existence of recycle stream [31].
The consideration of a maximum recycle rate capacity, included in Model 2, eliminates this effect, as can be seen in Figure 25.
Results obtained with Model 3 were similar, with slightly different dynamic trajectories. Nevertheless, the event of interest in this analysis is the impact of the disturbance on safety, which in all cases resulted in the hydrodynamic collapse of the suspension when the inlet catalyst flowrate was sufficiently high.

Four different steps from the normal value were applied to the slurry mass flowrate in order to simulate scenarios S-29 and S-30. All models were able to capture the undesired consequences caused by the loss of level control, in the direction of decreasing slurry mass flowrate, which leads to reactor overflow. These two effects occur because the inlet flowrates are kept constant, and the slurry mass flowrate does not precisely remove the amount of mass that enters the reactor. As a result, mass accumulates inside the reactor (the case of lower slurry mass rate than required) or is drained from the reactor (the case of higher slurry mass rate than required). The magnitude of the disturbance only affects the time to achieve the final consequence. As a consequence, this poses serious operation hazards.

For all models, reactor overfilling is also followed by the hydrodynamic collapse of the suspension due to increasing residence time inside the reactor. As one can see in Figure 26, for Model 1, no relation between the reactor volume variations and condensation heat can be observed, resulting in a false safety perception regarding the observed temperature and pressure trajectories. The small disturbances of these variables are related to the accumulation of catalyst, which increases the reaction rates and heat release. According to Model 2, shown in Figure 27, condensation is not possible when the reactor is full (liquid phase). The introduction of this assumption directly affects the temperature and pressure trajectories. Model 2 assumes that pressure is a function of temperature only (vapor pressure), although it is known that the hydraulic expansion of a liquid can lead to overpressuring. This additional modeling feature, included in Model 3, results in the simultaneous increase of volume and pressure beyond the allowed maximum limits, as shown in Figure 28. It can be observed that the reactor can be overpressured to 1.3 times its MAWP before hydrodynamic collapse can occur. It can also be seen that the pressure increase is related to the mass accumulation and not to the temperature increase, since the temperature remains stable until the reactor overfilling.

The positive disturbances on the purge mass flowrate lead to an increase of the monomer concentration, the reaction rate, and finally, the polymer fraction. For the sudden and complete opening of the purge valve, the inlet monomer flowrate control is not sufficiently fast to respond to the interruption of the recirculation rate, as one can see in Figure 29. The reduced inlet flowrate increases the residence time and causes a peak in the polymer fraction, leading to the hydrodynamic collapse of the suspension, as one can see in Figure 29. The interesting observation in this simulation is that changing the inlet monomer flowrate controller parameters can change the safety result. If the integral parameter of monomer inlet control,  , is reduced to 0.1 (dividing by 10 the original value), the behavior presented in Figure 30 can be observed. This case exemplifies the importance of the controller and controller tuning for identifying process hazards, an issue that has been systematically overlooked in the literature.

Safety Considerations after Simulation Results
After the simulations, the impact of the device malfunctions on safety and the risk-related consequence (heuristic analysis from the simulation results) should be registered and attached to the simulation results. In summary, the simulation results emphasize the relevance of hydrodynamic collapse of the reaction suspension for process safety. This undesired consequence is related to different failures, for instance, of the inlet monomer feed control, the catalyst feed control, the reactor volume control, the purge control, the recycle stream equipment, and the agitator.
With the support of the simulations, the thermal runaway of the reaction was investigated, leading the operation to the critical thermodynamic region (as discussed in Section 2.2.1), which can pose serious hazards for the process operation and can also lead to the collapse of the suspension. The direct effect of the thermal runaway on the reactor temperature and pressure was limited to values below the equipment's maximum allowed conditions. Decomposition reactions were not taken into account and should also be investigated as a consequence of the thermal runaway.
The dynamic nature of the simulations enabled the quantification of threshold values of process disturbances that may lead to hazardous consequences and the identification of process hazards related to tuning of the process controllers, such as the inlet monomer flowrate control leading to collapse of the suspension due to tuning problems. The purge control was also the subject of attention related to high failure rates leading to undesired consequences regarding the collapse of the suspension. Despite that, simultaneous failures were considered rare.
Therefore, preventive and mitigating safety measures must be designed to control the identified hazards. Particularly, monitoring the occurrence of the hydrodynamic collapse of the reaction suspension (as discussed in Section 3.2) seems crucial for process safety. Apart from traditional safety barriers, indirect monitoring of the polymer content in the suspension, online soft sensors [21], and other technologies should be investigated to enhance process safety and reliability.

Comparison with Traditional HAZOP
In order to provide a comparison benchmark for the computational approach, the traditional (human knowledge-based) HAZOP methodology was applied to the same case study. The HAZOP was performed by a team of four people: a HAZOP facilitator, a process engineer, a process control engineer, and an engineer specialized in the LIPP-SHAC process. The study was developed in two sessions of two hours each, and the simulation results were not shared with the group so that the two approaches could be regarded as independent from each other.
The selected deviations for the HAZOP application were: low, no, high, "as well as", and reverse flow; low and high temperature; low and high pressure; and low and high level.
The study was used as a benchmark for the comparative computational analysis. The objective of the performed HAZOP analyses and the computational-based analysis was the identification of potential hazards. The proposed analyses were not focused on designing safeguards or estimating risks.
Using the process-oriented approach, as for the HAZOP analyses, the complete study registered fifty-six discussions. On the other hand, thirty-seven scenarios were generated through the device-oriented approach, the same as for the computational-based procedure. The significantly higher number of HAZOP scenarios is related to the significant share (40%) of discussions that were repetitive from the perspective of the device malfunction but necessary from the perspective of the process variable.
Disregarding the effect of repetitiveness due to different deviations related to the same malfunction and grouping similar scenarios, both analyses identified 31 different hazard scenarios. Figure 31 shows the main differences observed for both applications. Approximately half of the discussions achieved the same results. This is an important observation, taking into account the effort needed to develop a robust model capable of describing all simulation conditions, as discussed regarding malfunction simulation. Assuming that human-based reasoning can identify a significant part of the existing hazards, the application of the simulation should perhaps be directed to the complex scenarios and to those in which human reasoning is prone to conservative decision-making due to a lack of detailed comprehension of the potential process hazards and the process dynamics.
Considering the differences between the systematic structure of both methods, the device-oriented approach used in the computational procedure detected more causes, although many of them were irrelevant. Those causes were not even discussed during the HAZOP analysis due to the group's capacity to filter relevant discussions. On the other hand, the device-oriented approach was assertive in covering all process devices, while the process-oriented approach, depending on the scope of HAZOP deviations, can sometimes have difficulty covering all process devices. Nevertheless, the HAZOP method can trigger creative thinking, which was the main reason for the additional causes identified in the heuristic-based study, which the computational-based one did not cover.
Approximately one-third of the discussions started from the same causes but resulted in different safety impacts. When the computational-based results were less assertive than the human-based approach, it can be observed that the human-based approach counted on the thinking-together capacity of the team members, allowing for correlation of effects beyond the limited simulation results for the safety-critical variables. However, since no quantitative and dynamic information about the process behavior was available, the HAZOP group is prone to conservative conclusions, which can imply misdirected resource prioritization and unnecessary investments in subsequent process decision-making.
Some important learning can be extracted from the comparison between the two methods:
• Both HAZOP teams had the perception of being unconservative or conservative when they, in fact, were (comparing with the simulation results) and would recommend process simulations to check their understandings. In 60% of the cases with significantly different results, the HAZOP team was not confident and recommended the simulation.


• In some cases, the inclusion of a flow model with pressure drop and pressure propagation would be helpful to support understanding of the final consequences.


• The HAZOP team's creativity allowed for the identification of mid- and long-term effects after the failure occurrence. In addition, possible effects regarding start-up after the failure condition were discussed. This introduces a relevant aspect that should have been added to the computational-based methodology: simulate a malfunction step and, from the malfunction condition, simulate a step back to the normal value.
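The mass-balance reasoning given for scenarios S-29 and S-30 and the step-and-step-back suggestion above can be tried on a toy hold-up balance. This is an added example, not the paper's Models 1 to 3; the function names, flowrates, limits and units are constructed assumptions.

```python
# Added illustration (not the paper's Models 1-3): reactor hold-up when level
# control is lost. All numbers are constructed, in arbitrary consistent units.

def simulate_holdup(step, t_fault=1.0, t_restore=None, t_end=60.0, dt=0.01,
                    m0=50.0, m_low=10.0, m_high=100.0, f_in=10.0):
    """Integrate dm/dt = f_in - f_out with explicit Euler.

    step      : relative step on the slurry outflow (-0.5 means 50 % lower)
    t_restore : time at which the outflow steps back to normal (None = never)
    Returns (event, event_time, final_holdup); event is 'overflow', 'drained'
    or None when neither limit is reached before t_end.
    """
    k_fault = round(t_fault / dt)
    k_restore = None if t_restore is None else round(t_restore / dt)
    m = m0
    for k in range(round(t_end / dt)):
        faulted = k >= k_fault and (k_restore is None or k < k_restore)
        f_out = f_in * (1.0 + step) if faulted else f_in
        m += (f_in - f_out) * dt          # inlet flowrate is held constant
        if m >= m_high:
            return "overflow", (k + 1) * dt, m
        if m <= m_low:
            return "drained", (k + 1) * dt, m
    return None, None, m


def sweep(steps=(-0.5, -0.25, 0.25, 0.5)):
    """Four steps around the normal outflow, malfunction never cleared."""
    return {s: simulate_holdup(s)[:2] for s in steps}


if __name__ == "__main__":
    # The sign of the step selects the consequence, the size only the time.
    for s, (event, t) in sweep().items():
        print(f"step {s:+.0%}: {event} at t = {t:.2f}")
    # Malfunction step followed by a step back to the normal outflow.
    print(simulate_holdup(-0.5, t_restore=5.0))
```

In this toy balance the hold-up stays at its new value after the step back instead of returning to the initial one, because nothing in the balance is self-regulating once level control is lost.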

Conclusions
The present study investigated the use of a computational-based hazard identification method, discussing the model development, the systematic hazard identification procedure, and the simulation results, and comparing them to a traditional human-based procedure.
Thirty-eight simulation scenarios were identified, providing dynamic responses of critical process variables to support the precise identification of hazard mechanisms. In the present work, the heuristic approach was generally more conservative than the computational-based study, which, in some cases, led to the overestimation of process hazards. In fewer cases, the human-based study also overlooked some hazard mechanisms.
Nevertheless, it was shown that in almost 50% of the discussed scenarios, the human experience was sufficiently precise to identify the process responses when disturbed by malfunctions, especially when scenarios were not safety critical. When the scenario complexity increased and moved nearer to safety-relevant consequences, the differences between the computational and human-based methods were emphasized. However, for approximately 60% of the cases where major differences were observed between the methodologies, the HAZOP team was able to diagnose that the proposed discussion could be imprecise and was able to recommend a computational analysis to supplement their known limitation.
It is also remarkable that, in some cases, the traditional method boosted human creativity and encouraged reasoning beyond the immediate relation between cause and consequence. The interpretation of simulation results caused by malfunctioning devices somehow limited the extrapolation of consequences. The computational-based procedure was more systematic and allowed better documentation of hazards. The simulations enabled the observation of multiple behaviors of state variables, some of which are not usually measured in the real plant, providing a better understanding of the critical scenario occurrence mechanism and dynamic information of process behavior and threshold values for critical deviations.
It was also noticed that, depending on the procedure, different causes could be identified. Thus, it is important to recognize that, although the computational approach is more precise and systematic, it is based on a heuristic identification of malfunctions and still carries the possibility of uncovered hazards.
It was shown that the process-oriented approach was more repetitive and that reasoning about the process in nodes (grouping many pieces of equipment and pipelines) may contribute to overlooking potential hazard sources. The limitation of the used HAZOP deviations may also have contributed to this factor. However, reasoning about the process in terms of deviations of process variables triggered more creative thinking.
Regarding the human effort to perform the different approaches, the computational-based method and model development depended on the collaboration of different authors [17,18,20], while the HAZOP required a team of a few members. In addition, the HAZOP was performed in a couple of hours, while the modeling process took some months to capture all malfunction scenarios and finally the simulations.
By comparing models with different levels of detail, it was observed that, in most cases, the simplest model was able to describe the scenario satisfactorily. Therefore, one could conclude that the model's level of detail should be adaptable to the demand. For example, in some cases, a flow model with pressure drop would be sufficient to evaluate pressure propagation since this is a crucial variable for assessing process safety. However, this work did not develop a model to fill this gap, and the heuristic analysis was necessary to extrapolate the consequences from the simulation results. Thus, one can notice that a more detailed process model is less dependent on the heuristic approach.
In conclusion, one could notice that the modeling process for safety applications constitutes an important, time-consuming step since the assumptions and parameters must cover a wide range of operational conditions. Besides that, simulation tools are process-specific and cannot be easily adapted for other processes.
Nevertheless, the simulations can indeed enhance the understanding of mechanisms of hazardous scenarios, avoid conservative decision-making and avoid overlooking device failures that can pose a severe hazard to the process. Moreover, obtaining process models can enable other computational applications such as optimizations, soft sensors, and process predictions.
Based on the experience achieved in this work, it could be noticed that human experience and process knowledge can indeed save the time spent on "low added value simulations". It is recommended then that, instead of doing a complete computational-based analysis, the scenarios should be evaluated first according to human perception to discard non-critical scenarios, saving some time. When it is not clear if maximum allowed conditions could be exceeded or if the dynamic behavior could introduce additional hazards, then the simulation results can be valuable and support understanding of pre-selected complex scenarios, avoiding under- or overestimating the potential hazards.
Finally, this work can be a starting point for other safety applications regarding:
• Stationary simulation and multiple steady-states analyses in the context of hazard identification, since oscillatory and unstable behavior has been reported for this process [30,31] and can complement hazard identification studies [12,32];
• Risk assessment for each scenario and the design of safety barriers, since the present hazard identification study alerted to different hazard situations, mainly related to the hydrodynamic collapse of the reaction suspension, that must be prevented and mitigated;
• Design of a safety-based control layer, since the present hazard study identified different device failures leading to the undesired hydrodynamic collapse of the reaction suspension, which poses a significant risk of process shutdown [23];
• Proposal of online model-based risk in order to indicate the evolution of the process safety and allow for predictive maintenance and effective decision-making that can

Figure 2. Characteristics of HAZOP and malfunction device procedures.

Figure 4. Systematic approach for device malfunction identification.

Figure 5. A simplified view of the generic master logic diagram (adapted from [6]).

Figure 6
| Abbreviation for Stream | Nomenclature |
|---|---|
| Cat | Catalyst stream |
| TEA | Triethyl aluminum stream |
| PEEB | Para-ethyl 4-ethoxybenzoate stream |
| H2 | Hydrogen stream |
| M | Monomer stream |
| M,Rec | Monomer recycle stream |
| M,Cond | Monomer stream to condenser |
| M,mkp | Monomer make-up stream |
| w | Water stream to condenser |
| s | Slurry stream from reactor |
| gas | Gas stream from separator |
| purge | Purge stream |
| Pol | Polymer stream |

Figure 7. Strategy for numerical simulations.

During the model development stage, three different versions of the model were proposed. Each model considered different assumptions and demanded new parameters to provide consistent simulation results. This concept is illustrated in Figure 8.

Figure 8. Hierarchical structure of developed models.

Figure 9. Adjustment of the kinetic factor.

Figure 10. Comparison of heat capacity near the critical temperature.

Figure 11. Densities of the saturated liquid near the critical temperature.

Figure 13. Behavior of critical variables in scenarios S-1 and S-2 with Model 1 and 2.

Figure 14. Behavior of critical variables in scenarios S-1 and S-2 with Model 3.

Figure 15. Behavior of liquid fraction of monomer in scenarios S-1 and S-2 with Model 3.

Figure 16. Behavior of critical variables in scenario S-3 with Model 1.

Figure 17. Behavior of critical variables in scenario S-3 with Model 2.

Figure 19. Behavior of critical variables in scenarios S-10 and S-11 with Model 1.

Figure 21. Behavior of critical variables in scenarios S-13 and S-14 with Model 1.

Figure 23. Behavior of critical variables in scenario S-18 with Model 1.

Figure 29. (a) Behavior of critical variables in scenario S-35 with Model 1; (b) effects of the polymer fraction; (c) effects of the inlet monomer mass flowrate,  .

Figure 31. Stratified comparison between the standard and the computational-based methods.

Table 1. Typical failure modes of general process streams.

Table 2. Failure modes of boundaries and interfaces of process nodes.
liq ρ Pe,c exp c 7 θ 13/6 c i θ  ,  , exp  1  0.5  2   3  1.5  4  2  5  4  6  5.5  7  9 1  / and c i 1 to 7 and   1 to 8 are auxiliary coefficients.It is necessary to verify two conditions to identify the thermodynamic state.Above the critical temperature, a supercritical state is assumed to occur.Below the critical tem- 1  8  1 (5)where  , is the propylene critical density,  a dimensionless number given by 1