ARTICLE IN PRESS

Journal of Loss Prevention in the Process Industries 20 (2007) 6978

www.elsevier.com/locate/jlp

Exploiting process plant digital representation for risk analysis

Paolo Bragattoa, Marina Montib,, Franca Gianninib, Silvia Ansaldic
a

DIPIA-ISPESL, Via Fontana Candida 1, 00040 Monteporzio Catone, Rome, Italy

Istituto di Matematica Applicata e Tecnologie InformaticheCNR, Via De Marini 6, 16149 Genova,Italy
c
CAD/CAE/PDM Consultant, Via Oberdan 40, 00040 Monte Compatri (RM), Italy

Received 2 March 2006; received in revised form 22 September 2006; accepted 16 October 2006

Abstract
Hazard analysis is a crucial task in plant design. It is expensive in terms of money and time, and involves many specialists in different
disciplines who are required to analyse aspects dispersed throughout the plant documentation. Product Lifecycle Management systems
allow all the project data to be handled in a complete, integrated and consistent manner; they permit tools to be developed for capturing
and reusing the design information necessary to evaluate specic plant aspects concerning potential hazards, thus providing automatic
verication of some safety criteria. In this paper we present a knowledge-based tool aimed at supporting the expert in performing
HAZOP studies in a plant project managed by a CAD/PLM system. The tool is based on an extended plant model that includes all the
data and relationships representing the knowledge on which the supported hazard identication method is based.
r 2006 Elsevier Ltd. All rights reserved.
Keywords: Hazard identication; Plant design; Product Lifecycle Management

1. Introduction
In the design of a process plant, decisions taken at the
beginning may affect reliability and safety, possibly leading
to later changes to the plant, such as the addition of
external safety barriers and other measures. The incorporation of inherent safety principles in design requires
thorough attention to plant details, including systematic
review by a multidisciplinary team of process and equipment experts (Hendershot & Post, 2000).
Therefore, it would be useful to have tools to support
these experts in their evaluation of design solutions in order
to identify quickly critical congurations at the various
phases and to take the necessary corrective actions as soon
as possible. Moreover, process hazard analysis is mostly
based on design drawings and it is difcult to follow
modications in the actual plant. In common practice the
plant documentation is often not regularly updated,
because it is considered too unwieldy. For this reason,
hazard analysis loses value through time, owing to
Corresponding author. Tel.: +39 0106475692; fax: +39 0106475660.

E-mail addresses: paoloangelo.bragatto@ispesl.it (P. Bragatto),

monti@ge.imati.cnr.it (M. Monti), giannini@ge.imati.cnr.it (F. Giannini),
silviaansaldi@tiscali.it (S. Ansaldi).
0950-4230/$ - see front matter r 2006 Elsevier Ltd. All rights reserved.
doi:10.1016/j.jlp.2006.10.005

continuous changes during the life of the plant. Nowadays,

benets may derive from the widespread use of Computer
Aided Design (CAD) techniques adopted in the design of
process plants. CAD systems provide many digital models,
such as drawings, diagrams and 3D models, which
represent the plant from different points of view (mechanical, electrical, functional, etc.) and offer capabilities to
automate the design process and to link together the data
produced during the various phases of project development, such as process diagrams, equipment design,
electrical distribution and layout specication. To prociently support the management and maintenance of the
huge amount of documents related to the whole product in
all lifecycle phases, CAD systems have been integrated in
so-called Product Lifecycle Management (PLM) systems.
PLM systems offer a structured organisation of the various
documents originated by different systems while handling
the related access rights and usage. They facilitate the
creation, modication and retrieval of the diverse data, and
also keep them aligned with the various changes that occur
throughout the complete product design and life cycle.
Consequently, if hazard analysis were linked to the digital
representation of the plant, it could be continuously
updated and aligned with it. Thus, it also opens the way

ARTICLE IN PRESS
70

P. Bragatto et al. / Journal of Loss Prevention in the Process Industries 20 (2007) 6978

to incremental analysis. Finally, the availability of all the

data and their mutual relationships offers better support
for browsing the project and evaluating the level and
probability of an accident.
In this paper we present a prototype system, developed
within the framework of a research project carried out in
collaboration between CNR and ISPESL, aimed at supporting the experts in the identication of critical congurations in a plant project. It differs from many related
works, in that the objective of the research presented in this
paper is not the creation of software tools automatically
performing risk analysis, supplanting the specialist. Here,
the ultimate objective is to provide the specialists with tools
that may guide them during the analysis of the plant documentation, highlighting all the potential risk situations as
well as making promptly available the electronic documents
that describe the relevant component and/or plant area,
thereby allowing a deeper investigation of the conguration.
Section 2 discusses the advantages offered by computersupported risk analysis integrated within a PLM environment. Section 3 presents the developed software prototype.
Section 4 shows an example of the use of the system and
Section 5 concludes the paper.
2. Plant hazard identication in the PLM environment
Process hazard analysis (PHA) is the systematic identication, evaluation and mitigation of potential process
hazards, which can be devastating for humans and
environment, as well as causing serious economic losses.
In the literature and in common practise, several methods
are considered. They use different types of information and
may be applied in various phases of the plant life cycle.
Some of them require detailed plant description; others
consider more general aspects of the process and are
therefore more suitable at the conceptual stage.
Hazard and Operability Analysis (HAZOP) (Crawley &
Tyler, 2003; Howat, 2002; Kletz, 1992; Lees, 1980) is one of
the most frequently used methods for identifying hazards in
process plants. It is a systematic process or operation
review, aimed at identifying and analysing deviations from
the design intent that could lead to undesirable consequences. To apply this method, expertise in design, process,
operation, and maintenance is needed. Typically, HAZOP
analysis is conducted by a team of specialists who examine
the plant documentation from different points of view on
the basis of their expertise. A HAZOP study always
requires considerable time and resources. This stimulated
research into the development of computer-based tools that
would reduce the effort and automate the hazard analysis of
process plants. Venkatasubramanian, Zhao, and Viswanathan (2000) give a critical overview of research aimed at
developing intelligent systems for automating HAZOP
analysis; all the systems considered are knowledge-based,
but are weakly integrated in the plant development
environment, thus insufciently supporting the browsing
of the data relating to the whole project for a comprehen-

sive risk evaluation. On this aspect, among the important

challenges in automating HAZOP analysis, Yang and
Chung (1998), Chung and McCoy (2001) and Yet-Pole
(2003) indicate the management of the huge amount of
information needed and the lack of context-independent
tools for the analysis of a wide variety of processes.
Further examples of the application of knowledge-based
technologies to process plant design and operation may be
found in Mizoguchi, Sano, and Kitamura (2000) and
Posada, Toro, Wundrak, and Stork (2005). In the former,
the messages exchanged in an oil-renery plant are modelled
through an ontology that formalizes both the application
domain and the tasks that group the activities in the plant. In
Posada et al. (2005), ontology has been employed for the
semantics-driven simplication of CAD models, applied to
the visualisation and design review of large plant models.
For a more efcient access to the large amount of diverse
data, PLM characteristics can be exploited by the team
devoted to the HAZOP analysis. Moreover, the results
obtained by a PHA could become themselves part of the
plant documentation. Including HAZOP results in the PLM
database permits their management as a living updateable
resource, which may become a real support tool. When
modications occur, such as substitution of equipment, or
slight changes in the parameters during the plant operation
(e.g. material, or, especially for batch plant, process variations), the possibility of easily and quickly updating a hazard
analysis may be extremely useful. Therefore, even though an
automatic revision of the hazard analysis reports is still not
realistic, access to the PLM database offers remarkable
advantages in creating updated plant documentation. In fact,
if modications occurring in the actual plant are reported in
its digital representation, PLM systems can keep track of the
new version, thus making explicit the misalignment of the
hazard analysis. Experts can be automatically notied by
PLM systems that changes have been made in the project
data; thus, following any document modications, they may
incrementally update the new PHA to identify new potential
hazards. Moreover, each hazard, previously identied and
present in the PHA documentation, may be reviewed in the
light of the modications made to the plant, to point out
possible interferences or interconnections, and eventually to
examine closely the situation. This approach would offer the
advantage of reducing the time required for the hazard
analysis, and in any case it would represent an interesting
starting point for a further hazard identication.
3. IRIS: a prototype for hazard identication support
The IRIS tool has been developed for verifying the
feasibility of the integration of hazard analysis methods in
the PLM environment (Ansaldi, Giannini, Monti, & Bragatto,
2005). It has been conceived as an addendum to an integrated
CAD/PLM system. It supports the experts in the hazard
analysis by allowing browsing throughout the plant project
data. The system is based on the HAZOP method and it is
appropriate for use by any of the HAZOP team members. The

ARTICLE IN PRESS
P. Bragatto et al. / Journal of Loss Prevention in the Process Industries 20 (2007) 6978

software is also suitable for simple HAZOP studies, which

could be performed by a single person. The adopted approach
is the analysis of the process, related to a specic logic unit,
line by line, to evaluate the possible deviations from the normal
plant performance, correlated to unexpected process parameter values, using ow diagram and operating procedures as
working documents. In HAZOP, causes are the events that
may lead to a deviation, while consequences are the effects of
the deviation. Deviations are composed by a parameter,
characteristic of the equipment or the device considered, and
an attribute, i.e. a guide word, representing qualitative
divergence from the foreseen values of the process variables.
Corrective actions may be decided to prevent deviation causes.
Safeguards are designed to mitigate deviation consequences.
The analysis is directly based on the Process and Instrumentation Diagram (P&ID) document of interest, which is no more
intended as a simple graphical representation, but it is a CAD
document including its semantics.
As has been recognised (Venkatasubramanian et al., 2000),
while the results of a HAZOP study vary from plant to plant,
the approach is systematic, and many aspects of this analysis
may be applied to different processes. Conversely, the specic
process/plant information has to be exibly integrated with the
generic models in an opportune way. To this aim, the IRIS
system maintains a clear differentiation between two types of
knowledge, while preserving the correct mutual relationships
(i.e. between the general concepts and the items in the plant
project). In fact, in hazard identication both the information
available and the knowledge acquired may be divided into the
process/plant-specic and the general categories. The process/
plant-specic knowledge is related to the plant under
examination, while the general concepts represent what is
context-independent, valid and usable for different plants.
The process-specic information corresponds to the
detailed description of the process, such as the materials
treated and their properties, whereas the plant-specic
information is related to the description of the plant, its
components, equipments and instrumentations and layout.
This information is represented in electronic form in the
documents related to process and plant characteristics, at
different levels of detail, and may be directly acquired and
accessed from the PLM repository.
In contrast, the general knowledge is independent of the
process and plant considered and refers to rules and
specications of the adopted method of analysis; furthermore, it includes information related to the object types to
which the hazard analysis refers, and to their functional
descriptions. For example, equipment is characterized by a
type, usually indicating its function (e.g. mixer, reactor,
heat exchanger), but also by its functional parameters, such
as design and operating pressure, ow rate, temperature.
This a priori knowledge is developed starting from a
fundamental understanding of the process.
To make the tool as exible as possible, and to avoid
hardwiring a priori knowledge, a function-based taxonomy
of the equipment and instrumentation is considered (see
Section 3.1). Fig. 1 illustrates the overall architecture of the

71

IRIS prototype, in which two environments are shown, one

referring to IRIS, the other to the adopted PLM system.
From the functional point of view, the framework consists of
the following main components: a dictionary, the plant
information database, the reasoning and analysis engine and
the knowledge repository. The dictionary module permits
management of the link between the terminology used in the
denition of the hazard analysis rules and the terminology
adopted in the environment that is using IRIS; the latter can
be specic to the company and even to the plant project
under examination. In this way, the independence of the
stored rules from both the IT tools and plant data is ensured.
The plant information database is the one provided by
the adopted CAD/PLM system and contains all the data
related to the specic plant project. The reasoning and
analysis engine provides functionalities for navigating
through design documents and possible reference documents (general norms, laws) and for applying HAZOP
analysis. It accesses the project database through ad hoc
functionalities using the Application Programming Interfaces (APIs) provided by the adopted CAD/PLM system.
The knowledge repository includes three data models,
which depend on the type of information considered and
are represented in a unique database. They are:

General Hazard Identication Model, representing the

general knowledge upon which the criteria and rules are
based;
Plant Hazard Identication Model, representing the
information related to specic plant congurations,
linked to the previous model and to the PLM database;
Hazard Analysis Result Model, containing the knowledge specic to a particular analysis.




3.1. General Hazard Identification Model and editor

functionalities
The General Hazard Identication Model (HAZID
Model) is related to the characteristics of the PHA
methodology considered, and to the types of objects
constituting a plant. Objects are categorized according to
a hierarchically organised functionality-based taxonomy,
which can be naturally mapped to the corresponding
STEP1 data denition (STEP, 1994). Therefore, each
item is classied in terms of super-function, function, and
type, and has an associated set of functional parameters.
Super-function is the most generic class type in the system,
and it is the root of the hierarchical taxonomy. It includes
the following types: Equipment, the components of the
plant performing an action; Piping components, the devices
connected to piping and equipments (e.g. valves); Instrumentation, control devices; and Infrastructure, all the other
objects not directly related to the process itself but which
might interfere in the hazard identication analysis. Each
of these types is further detailed in one or more process
1

STEP ISO-10303-1, AP227.

ARTICLE IN PRESS
72

P. Bragatto et al. / Journal of Loss Prevention in the Process Industries 20 (2007) 6978

Fig. 1. IRIS architecture.

Fig. 2. IRIS editor: compilation of a cause phrase. Two lower frames: classes and list of available tokens, respectively. Upper text box: echo of the
composed phrase.

function categories: for example some of the functional

classes associated with Equipment are separation, heat
exchanger, storage, and pumping. At the lowest level in the
taxonomy, classes corresponding to specic entities are
included, such as column, reactor, and pump. Furthermore,
each entity is related to a set of functional parameters
specic of the entity, and to others inherited from the upper
classes in the taxonomy. In particular, we focused on those
specically meaningful for the hazard analysis; for
example, for a column, temperature, pressure and level are
the considered parameters.

Other types of entities strictly dependent on the adopted

hazard methodology and considered in this model are
Deviation, Causes, Consequences, Actions and Safeguards.
They correspond to a phrase; each phrase is decomposed
into an ordered sequence of typed elements called tokens;
the semantics and the position of each token give meaning
to the entire statement. Tokens are typed according to their
role within the sentence, and can have values within
specied sets. These sets also include the plant object types
and functional parameters as well as actions. In some cases
they may also correspond to a rule or a formula and then

ARTICLE IN PRESS
P. Bragatto et al. / Journal of Loss Prevention in the Process Industries 20 (2007) 6978

73

Fig. 3. IRIS tool: example of correspondence between dictionaries.

Start

Select Logic Unit

HAZOP Study
focus

Select Line

Select Component

Select Deviation

Causes

Examine possible Causes

Add New Causes

Indicate Action/Safeguards

Add New Actions/Safeguards

Examine Consequences

Add New Consequences

Indicate Safeguards

Add New Safeguards

Consequences

Fig. 4. The HAZOP process for the IRIS software.

they might be associated with computational algorithms

that may run when applied to a plant model. They refer to
general concepts, still independent of the considered plant,
and are used to store the a priori knowledge related to
causes of accidents. Since this knowledge is mainly due to
experience, the possibility of incrementally enlarging the
knowledge data set is crucial if an effective HAZOP
analysis is to be achieved throughout the time. To this
purpose the system provides an editor, based on a
grammar formalisation, of the above phrases, thereby
allowing a typed insertion of new tokens in the database, a
guided composition of the phrase, and the creation of
essential links. Fig. 2 depicts the user interface developed
for the denition of causes. The content of the token list
frame is automatically updated when a new class is
selected.

The advantages of capturing and maintaining the

semantics of each phrase and its tokens seem to be various
and remarkable. First of all, with such an approach, the
system is more exible and adaptable to different types of
process and HAZOP method. This implies that the
information in the hazard analyser database can be
collected directly by the experts, avoiding the hardwiring
of a priori knowledge into the database. Furthermore, a
hazard analysis may be extended, taking advantage of the
knowledge stored and managed in other studies, as long as
the same methods have been adopted.
Another remarkable advantage is the use of tokens,
which makes it possible to create links with computational
entities, for example with objects present in the plant
design, components or characteristics. Obviously, the
denition of such links may be fullled only when the

ARTICLE IN PRESS
74

P. Bragatto et al. / Journal of Loss Prevention in the Process Industries 20 (2007) 6978

Fig. 5. At the rst step the user selects a line in the HAZOP window and the line indicated is highlighted (bold grey) in the CAD window.

Fig. 6. The component selected (Desalter D-1001) is highlighted in the CAD window.

ARTICLE IN PRESS
P. Bragatto et al. / Journal of Loss Prevention in the Process Industries 20 (2007) 6978

phrases (i.e. cause or consequence) are instantiated in a

specic plant design, as specied in the next section.
3.2. Plant hazard identification model and interface to PLM
system
A hazard analyser tool may be effectively accepted and
used within a PLM system if it does not put too many
additional constraints on the design process; in particular, it
should be as far as possible general and independent of the
context. It is then crucial to specify capabilities for creating a
bridge between the specic project data and the general
knowledge base. In this perspective, IRIS has been developed
as a sort of shell containing the types of structures
characterizing a general plant, and this shell has to be
customised on the basis of the specic plant project. The
problem has been reduced to mapping the different
dictionaries involved; the capability of managing several
dictionaries, both for dening the hazard analysis rules and
for designing a plant, insures independence from both the IT
tools and the plant data. The correspondence between the
plant data and the general information is managed through a
look-up table: this correspondence, explicitly indicated by the
user, as illustrated in Fig. 3, is necessary to link the two
different nomenclatures adopted, and it mainly involves the
tokens corresponding to plant object types and parameters.
The adopted CAD system is CATIAr, which automatically
provides dictionaries in external les. The direct link to the

75

plant data stored in the PLM repository has been achieved

through the development of functionalities, which, by means
of the API provided by the PLM system, are able to obtain
all the information stored in the PLM database that is
necessary to perform hazard analysis. Nevertheless, to speed
up the analysis, a subset of information is imported from the
PLM database and stored directly in the Plant Hazard
Identication model.
3.3. Hazard Analysis Result Model and HAZOP analyser
functionalities
The Hazard Analysis Result Model contains administration data (i.e. the organisational team who have
developed it, the date of release of the version, and
reference documents used in the study) and the technical
results obtained. The HAZOP report can also be printed
out and stored as a document in a format compatible with
IT ofce tools. Each result is characterised by the following
information: the component that is the objective of the
study, the corresponding deviation considered, and the list
of the related selected causes, consequences, actions and
safeguards. Each element of the list is an occurrence that
refers to a generic element describing the phrase (e.g.
general cause, consequence, etc.), and to specic equipment
or instrumentation present in the plant design examined.
Fig. 4 summarizes the logic ow of the analytical process,
starting from the selection of a component within a line in a

Fig. 7. Example of selection of a cause and indication of a preventive action for the deviation temperature less for D1001.

ARTICLE IN PRESS
76

P. Bragatto et al. / Journal of Loss Prevention in the Process Industries 20 (2007) 6978

chosen unit, and proceeding with the selection of a

deviation from the design intent and the evaluation of the
related possible causes, consequences, actions and safeguards. IRIS offers the necessary functionalities to support
each step of the logic ow, and provides further capabilities
for making the HAZOP report more complete and directly
relevant to the plant design documentation.
4. A test case
In the following we will illustrate the workow of a
hazard analysis session, driven by the IRIS tool. The
selected test case is the topping unit of a real hydroskimming
cycle renery operating in Italy. In the topping unit the
feedstock is treated to separate products in an atmospheric
distillation tower. Basic functions are preheating, desalting,
preash, nal heating, distillation, and condensation. The
feedstock is preheated by removing heat from products as
they leave the unit. The preheating chain consists of 24
exchangers: 7 upstream and 17 downstream of the desalter.
Once the user has completed the conguration of the
system, he/she imports into IRIS the basic hierarchical
structure of the plants from the CATIA P&ID module.
Afterwards, driven by IRIS, he/she selects the unit in the
plant he/she wants to analyse. In a transparent way, IRIS
creates the appropriate relationships with the digital documents describing the selected plant unit, and stores them in
the Plant Hazard Identication Model. The stored informa-

tion includes data on the equipment, instrumentation and

piping lines, such as identication code, types of attributes
associated with functional parameters, and relations among
all components and lines. Once a specic unit has been
selected, IRIS shows the user the list of the lines present in
the unit. When the user interactively selects a line, it is
automatically highlighted in the CAD window (see Fig. 5).
When the user selects a component of the line in the
database, it is automatically highlighted in the CAD
window (see Fig. 6). IRIS then retrieves the parameters
related to the selected component (e.g. temperature) and
the applicable guide words (e.g. less) from the deviations
database. Then the user selects a deviation. IRIS automatically retrieves all the causes present in the database,
and assesses whether they may apply to the current plant.
Then, only the applicable causes are contextualised and
proposed to the user. The same occurs for the consequences. In this way the user is guided by the system in
building the sentences describing causes and consequences
of the deviation. If the cause is not present it has to be
constructed by adding new nouns or adjectives, as needed.
The user may, in the CAD window, select upstream and
downstream equipment and nd components that are in
the cause and consequence chain. The name of such
components is retrieved and can be used to construct the
sentence describing the cause. In a similar way, the user can
also build sentences for consequences, as well as for actions
and safeguards. In the example considered, the user is

Fig. 8. Insertion of a new potential consequence linked to the deviation temperature less for D1001.

ARTICLE IN PRESS
P. Bragatto et al. / Journal of Loss Prevention in the Process Industries 20 (2007) 6978

analysing the deviation temperature less for the component D1001. The system proposes a list of possible causes
and the user selects the one corresponding to the failure on
exchanger E-1003 AB. Furthermore, the user adds an
action (an extra control on temperature), which could be
considered to prevent the cause of the deviation (see
Fig. 7). Analogously, he adds new consequences, as shown
in Fig. 8: the deviation temperature less in D1001
compromises the desalting efciency, and consequently a
faster and deeper corrosion of all vessels and pipes
downstream is expected.
To better understand consequences, such as failure of
components which could affect also buildings or structures
not represented in P&ID, 2D and 3D layout representations can be accessed (Fig. 9); these representations show
the user all the pipes and the vessels close to a specied
item. At the end of the session the user obtains the
document illustrated in Fig. 10, which reports the results of
the analysis of the Desalter D-1001, with causes, consequences and possible safeguards.

as of other digital documents. In such a way they

can provide a complete digital representation of the
plant, which may be updated throughout the lifetime of
the plant.
To show the feasibility of integrating PLM systems and
hazard analysis, IRIS, a prototype software tool, has been
developed; this supports the well known HAZOP method.
IRIS is versatile, being useful both for enriching and
adapting the knowledge gained by analysis and for
integrating the different documents managed by PLM
systems. Summarizing, the main advantages of IRIS are:

5. Conclusions
This paper has highlighted the potential offered by PLM
systems to support hazard analysis along the lifecycle
of a process plant. PLM systems are aimed at an integrated
management of the plant digital 2D and 3D models, as well

77

Easy access to a wide range of technical documents; use

of the capabilities provided by PLM systems allows
browsing of plant-related data, such as the 2D and 3D
layout, piping, mechanical drawing and building design.
Direct link with a CAD database: the integration with
an advanced CAD/PLM allows the user to directly reanalyse the plant project without the need to insert new
data when changes occur in the project.
Knowledge sharing; HAZOP sentences, which are built
using a customisable glossary, are kept in the IRIS
database as general knowledge and may be reused
several times in successive HAZOP studies.
Easy updating of the report: HAZOP reports may be
retrieved from the IRIS database and modied record
by record, according to the plant modications that
have occurred.

Fig. 9. Retrieval and interrogation of the 3D layout model (e.g. distance between components) to evaluate consequences of a potential accident in the built
environment.

ARTICLE IN PRESS
78

P. Bragatto et al. / Journal of Loss Prevention in the Process Industries 20 (2007) 6978

Fig. 10. HAZOP report of all the deviations considered for the Desalter D-1001.

In conclusion, it has been demonstrated that several

long-term benets derive from the implementation of PLM
in terms of engineering and of savings in product cost and
quality; we may say that from the integration of tools
supporting HAZOP analysis and PLM, additional benets
derive in terms of product quality and time savings, since it
supports the user in designing an inherently safer plant
while expending less time and fewer resources than those
necessary for a traditional HAZOP study.
Acknowledgement
This work has been partially supported by ISPESL
Dipartimento Insediamenti Produttivi ed Interazione con
lAmbiente (Contract ISPESL B64/DIPIA/02).
References
Ansaldi, S., Giannini, F., Monti, M., & Bragatto, P. (2005). PDM-based
tool for hazard identication in plant design. In Proceedings of
PLM05-emerging solutions and challenges for global networked
enterprise (pp. 251260). New York: Interscience.
Chung, P. W. H., & McCoy, S. A. (2001). Trial of the HAZID tool for
computer-based HAZOP emulation on the medium-sized industrial
plant, HAZARDS XVI: Analysing the past, planning the future.
Institution of Chemical Engineers, IChemE Symposium Series No. 148,
Manchester, UK, pp. 391404.
Crawley, F. & Tyler, B. (2003). HAZOP identication methods. European
Process Safety Centre, I.Chem.E.
Hendershot, D. C., & Post, R. L. (2000). Inherent safety and reliability in
plant design. In Proceeding of Mary Kay OConnor Process Safety

Center, Annual Symposium: Beyond Regulatory Compliance, Making

Safety Second Nature, pp. 268281. Texas: Ottobre 2000.
Howat, C. S. (2002). Process hazard identification using hazard and
operability studies, Lecture notes, University of Kansas /http://
www.engr.ukans.edu/ktl/S.
Kletz, T. A. (1992). HAZOP and HAZANidentifying and assessing
process industry hazards (3rd ed.). Rugby: IChemE.
Lees, F. P. (1980). Loss prevention in the process industries (Vol. 1).
London: Butterworth.
Mizoguchi, R. K., Kozaki, K., Sano, T., & Kitamura, Y. (2000).
Construction and deployment of a plant ontology. Proceedings of
EKAW, 113128.
Posada, J., Toro, C., Wundrak, S., & Stork, A. (2005). Ontology
supported semantic simplication of large data sets of industrial plant
CAD models for design review visualization. In R. Khosla (Ed.),
Proceedings of knowledge-based intelligent information and engineering
systems, Lecture notes in computer science (Vol. 3683) (pp. 184190).
Berlin, Heidelberg, New York: Springer.
STEP ISO 10303-1. (1994). Industrial automation systems and integrationproduct data representation and exchangePart 1: Overview
and fundamental principles. /http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=18348S.
Venkatasubramanian, V., Zhao, J., & Viswanathan, V. (2000). Intelligent
systems for HAZOP analysis of complex process plants. Computers &
Chemical Engineering, 24, 22912302.
Yang, S., & Chung, P. W. H. (1998). HAZARD analysis and support tool
for computer controlled processes. Journal of Loss Prevention in the
Process Industries, 11(5), 333345.
Yet-Pole, I. (2003). Development and applications of CASEHATa
multipurpose computer hazard analysis automation system used in
semiconductor manufacturing industry. Journal of Loss Prevention in
the Process Industries, 16, 271279.