Emergency Response Plan for Condensate Fraction Unit Phase 2 PDF
Document Details
Uploaded by AdroitGrossular
Birla Institute of Technology and Science, Pilani
Innal Fares, Hamzi Rachida, Djeddi Choayb
Summary
This document details an emergency response plan (EP) for a condensate fraction unit, considering two different scenarios—one involving fire, and one without. It uses Petri Nets and Monte Carlo simulation to evaluate uncertainties related to task durations and equipment reliability for effective crisis management.
Full Transcript
Handling Uncertainty in Emergency Plan Evaluation Using Generalized Petri Nets
Case study: Loss of a Condensate Tank Containment

Innal Fares, Hamzi Rachida, Djeddi Choayb
Institute of Health and Occupational Safety, University Hadj Lakhdar Batna, Batna, Algeria

Authorized licensed use limited to: BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE. Downloaded on June 29,2024 at 17:02:23 UTC from IEEE Xplore. Restrictions apply.

Abstract—Emergency plans (EP) are complex systems which must be executed under time and efficiency constraints. They include elements of three different natures, technical, human and organizational, where complex relationships exist between them. This inherent complexity may lead to a number of failures, such as unavailability of critical personnel or technical assets and inappropriate operators' actions. In this paper we present a Petri Net-based approach to model and evaluate the performance of an EP related to a condensate storage tank fire scenario, where uncertainties relating to task execution durations and reliability characteristics of technical equipment are considered. In fact, Petri Nets are a powerful tool to describe complex systems and their inherent interactions. Due to the EP complexity and uncertainty, results are obtained thanks to Monte Carlo simulation.

Keywords—Emergency plans (EP); performance evaluation; uncertainty; Petri nets; Monte Carlo simulation.

I. INTRODUCTION

The upset of modern industrial installations may result in major hazard accidents. In order to limit their consequences, regulatory bodies require the establishment of Emergency Plans (EP) in accordance with the identified accident scenarios. Within the framework of Algerian oil and gas industries, many factors played a major role in crisis management policy, including:
- Increasing number of major accidents that occurred during the last decade, particularly: Skikda refinery fire (2004, 2005) and Skikda LPG Unit explosion (2004),
- Lack of experience feedback (often referred to as "lessons learned"),
- Insufficiency of local regulations related to major hazard accidents.

Regarding this fact, the Algerian authorities, according to article 2 of the executive decree 09-335/20 October 2009, required the establishment of the so-called "Internal Emergency Plan (IEP)", which describes the measures to be taken inside the establishment in case of a major industrial accident, aiming to protect people, property and the environment. The structure of the IEP is shown in Fig. 1. The different plans that can be triggered when an emergency situation has occurred and according to its magnitude are successively the Internal Emergency Plan (IEP), the External Emergency Plan (EEP) and the Crisis Plan (CP). They include elements of three different natures, namely technical, human and organizational, where complex relationships exist between them. The failure of one of these elements during the EP execution could result in dramatic consequences. Such failures may be an inappropriate operator action, non-response of equipment on demand, a wrong decision regarding the EP achievement, etc. These events impact the performance of the EP and make its success uncertain. This kind of uncertainty is called "aleatory uncertainty" and belongs to the irreducible physical variability (natural randomness) of a system response.

A second source of uncertainty which could affect the emergency response is the lack of knowledge about a given system. It is termed "epistemic uncertainty" and may be reduced when new information is provided. In general, three sources of epistemic uncertainty are distinguished: completeness uncertainty, model uncertainty, and parameter uncertainty. Completeness uncertainty is about factors that are not properly included in the analysis (e.g. neglecting some human errors). Model uncertainty is linked to the simplification of the reality it is designed to represent (e.g. allocation of a constant probability rather than using a time dependent model). Parameter uncertainty is related to the lack of knowledge about the parameter values used in the quantification (e.g. failure probability of an equipment, task duration, etc.).

According to the IEP structure and the inherent uncertainties, it may be considered as a very complex system which requires powerful modelling and analysis tools in order to assess its effectiveness. In this context, Petri Nets, in particular due to their graphical representation and mathematical tools, have been widely used in the modelling and the performance assessment of today's complex systems. In our case, Petri Nets provide a suitable tool to consider both aleatory and epistemic uncertainties through Monte Carlo simulation.

The rest of this paper is organized as follows. A brief presentation of PNs and Monte Carlo simulation is given in Section 2. The object of Section 3 is twofold. First, we describe the accident scenario and the related IEP used to demonstrate our approach. Secondly, the modelling and the performance evaluation of this IEP are presented. Section 4 summarizes our concluding remarks.

Fig. 1. IEP structure

II. OVERVIEW OF PETRI NETS (PNS) AND MONTE CARLO ANALYSIS

A. Petri Nets

Petri Nets were developed by Carl Adam Petri during his PhD thesis on communication with automata. Their purpose was initially the description of causal relationships between conditions and events in a computer system. Since then, many extensions related to PNs have been made in order to enlarge their modelling capabilities. In this article, the PN presentation is deliberately limited to the necessary concepts which are used in the following Sections. For the interested readers, a detailed description of PNs theory is given in.

A Petri net is a graphical notation with an underlying mathematical structure suited to model event-driven systems (discrete event systems). It may be identified as a particular kind of bipartite directed graph which contains two parts:

Static part, which includes three objects:
- places, depicted as circles or ovals in the graphical representation, are states of system components.
- transitions, drawn as bars or boxes, correspond to potential events that change the state of a Petri Net. Delays may be assigned to transitions (e.g. required time to carry out a given task).
- oriented arcs connecting places to transitions (upstream or input arcs) and transitions to places (downstream or output arcs). Arcs are weighted with a positive number. For example, the weight of an upstream arc may indicate the resources required to achieve a given action, whereas that of a downstream arc may indicate the amount of output resulting from this action. This weight is equal to one if it is not explicitly mentioned on the graph.

Dynamic part:
- tokens, pictured by small solid dots. Each place may potentially hold either none or a positive number of tokens, which illustrate that the corresponding place is currently allocated. The distribution of tokens in places is referred to as the marking. Tokens move through transitions when events occur. A token may, for example, represent the presence or absence of a resource.
- predicates or guards, any formula which may be true or false, enabling transitions.
- assertions, any equation, updating some variables when a transition is fired.

It is useful to make a distinction between "enabling" and "firing" of transitions:
- A transition is enabled when all input places contain at least the number of tokens required by each input arc (indicated by its weight) and all predicates are 'true'.
- A transition is fired when all preconditions are satisfied (i.e. it is enabled) and a required delay has elapsed (duration from the enabling until the firing). This delay may be deterministic or stochastic (random delay, e.g. negative exponential). If no delay exists (delay = 0) then enabling coincides with firing.

On the firing of a transition:
- input places lose as many tokens as specified by the weights of input arcs.
- output places gain as many tokens as specified by the weights of output arcs.
- assertions are updated.

In the case where deterministic and stochastic delayed transitions are involved, which is the case for real life systems, the resulting PN is termed a "generalized PN" and cannot be solved easily using analytical approaches. Hence, a simulation approach has to be considered to efficiently assess the expected performance measures. This being the case, Monte Carlo simulation is an effective tool to deal with stochastic processes. The principle of Monte Carlo simulation is described hereafter.

B. Monte Carlo Simulation

Its main idea is to use random numbers to animate a behavioural model of the real system. It is worth noting that PNs provide a very efficient support for performing Monte Carlo simulation. The Monte Carlo simulation is run to produce a large statistical sample from which statistical results are obtained. For a given simulated parameter X, the basic statistics allow the calculation of the average, variance and confidence interval of the sample (x_i) which has been simulated:

$$\bar{X} = \sum_{i=1}^{n} x_i / n \qquad (1)$$

$$\sigma^2 = \sum_{i=1}^{n} (x_i - \bar{X})^2 / n \qquad (2)$$

$$\text{Confidence interval} = \left[\bar{X} - E \cdot (\sigma / \sqrt{n}),\; \bar{X} + E \cdot (\sigma / \sqrt{n})\right] \qquad (3)$$

e.g.: E = 1.6449 for confidence = 90 %.

Some of the above elements and rules are illustrated on the basis of the following Petri Net (Fig. 2), which represents the behaviour of a repaired component C. It has four places {P1, P2, P3, P4} and three transitions {T1, T2, T3}. Initially (i.e., at time t = 0), the marking of the PN may be represented by the vector [1, 0, 0, 5], meaning that initially there is one token in place P1, no tokens in places P2 and P3 and five tokens in P4. Places P1, P2 and P3 correspond to states that may be reached by the component C and respectively represent: operational state (C_working), waiting for repair state (C_waiting repair) and restoration state (C_repair). P4 is an auxiliary place that models the repair team availability (five repairmen are available). Transitions T1, T2 and T3 model the events occurring on component C, respectively: failure (C_fails), start of repair (C_starts repair) and end of repair (C_ends repair). Also, transitions T1 and T3 have stochastic delays defined by δ1 = f(λC) and δ3 = g(μC), respectively. We consider for example that f and g are negative exponential functions: λC and μC refer to the failure and repair rates of C. Transition T2 is deterministic (δ2 = 0: instantaneous).

Fig. 2. Petri Net related to a repaired component

As indicated by the initial marking of the considered PN, component C is in good working order. Therefore, only the transition T1 is enabled, because the weight of its input arc (connecting P1 to T1) is equal to the marking of P1 (= 1). T1 is fired as soon as its delay has elapsed (i.e. δ1 = −(1/λC)·ln(R1), where Ri is a random variable uniformly distributed over [0, 1] and obtained by Monte Carlo sampling). As a result, the token is removed from P1 and a token appears in P2, and then the variable C_KO becomes "true" (initially C_KO = false). Thus, the component C reaches a failed state and waits for repair. Consequently, the transition T2 becomes enabled if the guard "SP = true" is true, which is assumed to be the case (SP stands for Spare Parts). SP may be updated according to the evolution of another PN related, for example, to a given supply chain. The restoration of C involves two repairmen (the weight of the input arc connecting P4 to T2 is equal to 2). As T2 is instantaneous, it is fired immediately after the marking of P2, indicating the start of the restoration of component C. This firing results in the removal of the token from place P2 and of two tokens from place P4, and a token appears in place P3. In addition, the assertion "NR = NR – 2" is used to update the number of available repairmen (initially NR = 5). This assertion may be used by another PN without incorporating the place P4. The marking of the PN at this stage is [0, 0, 1, 3]. Accordingly, the transition T3 is enabled and fired when its associated stochastic delay, δ3 = −(1/μC)·ln(R2), has elapsed (when the repair is completed).

The component C is therefore coming back to its good working state: the token disappears from P3 and is put in P1, and the variable "C_KO" becomes false. The two repairmen are again available: two tokens are added to the place P4 and NR is updated through the assertion "NR = NR + 2". And so on, as long as the firing of the next valid transition belongs to the period of interest [0, T].

When the next firing is no longer inside [0, T], the simulation is stopped and one history of the component is achieved. All along the progress of the history, relevant parameters may be recorded, such as the mean marking of the places (i.e., the ratio of the time with one token in the place over the duration T), the transition firing frequencies, the time to the first occurrence of a given event, etc. The principle of Monte Carlo simulation is to realize a great number of such histories and to perform classical statistics on the results in order to assess the relevant parameters.

C. Handling uncertainty via Monte Carlo sampling

Uncertainty assessment allows a model-user to be more informed about the confidence that can be placed in model results. It may be achieved by means of different approaches depending on the level of uncertainty associated with the considered parameters. Monte Carlo sampling, fuzzy sets based approaches and interval analysis are among these approaches. The Monte Carlo sampling method has become the industry standard for propagating uncertainties. In the following its main steps are briefly described.

1. Construct a probability density function (pdf), on the basis of available knowledge, for each input parameter. In the context of emergency response, input parameters may include: failure probability under solicitation (γ), intervention team availability, task durations, etc. Different probability distributions can be chosen according to the state of knowledge about the value of parameters, e.g.: uniform, triangular, normal, lognormal, Chi-square, beta, gamma, etc.
2. Generate one set of input parameters by using random numbers (uniformly distributed between 0 and 1) according to the pdfs assigned to those parameters.
3. Quantify the output function (in our case, PNs models) using the above set of random values. The obtained value is a realization of a random variable (X). It is worth noticing that this quantification (based on PNs) requires in its turn a Monte Carlo simulation of the constructed PNs (m histories) for each generated set of input parameters.
4. Repeat steps 2 to 3 n times (until a sufficient number, e.g., 1000), producing n independent output values. These n output values represent a random sample from the probability distribution (empirical distribution) of the output function. Note that the total number of Monte Carlo histories is equal to m*n, since the resulting process (quantification + uncertainty propagation) represents a double-loop Monte Carlo simulation.
5. Generate statistics from the obtained sample for the output result (e.g., probability of extinguishing fire under a given required time): mean, standard deviation σ, confidence interval (percentiles), etc.

III. SCENARIO DESCRIPTION AND ITS IEP ANALYSIS

A. Scenario description

The chosen accident scenario relies on the Loss Of Containment (LOC) in a condensate storage tank (appertaining to SONATRACH/DP Hassi R'mel: Algerian Oil company). Note that the description and the data given hereafter are provided by operational and intervention teams in charge of the installation. The situation of the considered tank regarding the whole installation is depicted in Fig. 3.

The studied scenario is described in Fig. 4. A complete description of the scenarios resulting from a LOC is given in. We assume that the initiating event, the condensate Loss Of Containment (LOC), is produced on the piping enabling the storage tank filling.

Fig. 3. Condensate tank situation

Fig. 4. Scenario description

The LOC should be detected thanks to a gas detection system, made up of the following:
- 3 gas detectors (GD): at least the working of one GD is required. Also, each GD may fail under solicitation with a probability equal to 0.05.
- Programmable Logic Controller (PLC), which has a probability of failure equal to 0.022.
- Gas indicator (GI: situated in the control room), which has a probability of failure equal to 0.01.

In addition, the LOC could be detected by the on-site operator (witness). According to the portion of time the operator should be near the storage tank, he can fail to detect the incident with a probability equal to 0.2. Once the LOC is detected, the alert is triggered instantaneously in case of automatic detection, whereas it takes 4 min with operator detection. Then the IEP (level 1) is deployed. It aims to limit and therefore control the condensate LOC. For this level, the necessary emergency actions should be carried out with respect to the following chronological order.

Operational team intervention. It consists in closing valves and pumps, allowing the filling of the condensate tank, in order to limit the condensate leakage amount. Note that this operation must be achieved under a specified time (Critical Time = 15 min). Beyond this time, the LOC may lead to a band fire which is difficult to control. One has to consider the following elements:
- The closing of pumps may be achieved according to three ways: (1) instantaneously if the Emergency Shutdown Push Button works (probability of failure = 0.044), else (2) after 5 min if the whole operational team (team 1) is available or after 10 min if the team number is not sufficient.
- The closing of valves may be achieved according to three ways: (1) instantaneously if they work automatically (probability of failure = 3.28E-3), else (2) after 10 min if the whole operational team (team 2) is available or after 16 min if the team number is not sufficient.

Emergency team intervention. Its actions are delayed 3 min regarding the first intervention and are the following:
- Safety bounder establishment: this operation has an efficiency of 90% (the 10% of inefficiency is due to the large area to be prevented).
- Ignition sources prevention: its efficiency = 91 % (due to mobiles, synthetic clothes, cars).
- Foam film establishment: it depends on the water pumps and emulsifier. There are 5 water pumps (3 on-site and 2 off-site). The starting of water pumps may be performed according to three ways: (1) instantaneously if the ESD Push button works (probability of failure = 0.044) and the pumps work (with probability of failure for each pump = 0.019) or the off-site pumps work (probability of failure = 0.019), else (2) after 3.50 min if the whole operational team (team 3) is available or (3) after 7 min if the team number is not sufficient. The emulsifier tank may fail according to a probability = 0.09 (provided after 5 min). In case of its failure, a rescue emulsifier is provided within 2 min.

If the first level emergency deployment fails in limiting the condensate LOC under the Critical Time constraint (15 min), a band fire may occur if both ignition sources exist and the foam film establishment fails in due time (10 min). In that case, a second level emergency has to be implemented:
- Cooling actions, carried out by fixed means, to answer the protection of LPG spheres and condensate tanks in the vicinity of the damaged condensate tank. The cooling system success depends on the functioning of the water system (described above) and two nozzles (sphere and tank). Each nozzle may fail according to a fixed probability equal to 0.023.
- Fire extinguishing actions using four trucks (two trucks among them are needed to control the fire). Each truck has a probability of failure = 0.01, due to emulsifier storage failure or truck mechanical failure.

B. IEP performance indicators

The aim of this paragraph is to describe the performance indicators of the IEP described above. These indicators are based on the duration taken to perform the two emergency levels. In particular, we are interested in the following indicators:
- Condensate LOC emergency. As we have mentioned, we assume that the operation should at most take 15 min. Beyond this critical time, the LOC could result in a band fire. The performance of this action is evaluated through the probability (P1) that the LOC control duration be lower than 15 min.
- Fire extinguishing. This operation is assessed according to the fire extinction duration, in other words, the time elapsed between the starting and the extinguishing of the band fire. That performance is measured with respect to the probability (P2) that this duration be lower than 60 min.
- Avoiding domino effects. Its performance is characterized by the probability (P3) of either the fire extinction in due time (60 min) or that of the cooling system working.

IV. PNS MODELS AND PERFORMANCE ASSESSMENT

A. PNs Models Construction

In order to compute all the specified probabilistic quantities, PNs models relating to the described scenario have been established. Some explanations related to their syntax are given:
- # i (i is an integer > 0) is the marking of the place number i on the network. jets indicates the number of tokens.
- !! introduces a list of variable assignments (these assignments take place when the transition is launched).
- ?? specifies a list of conditions that must be verified for the transition to be valid.
- drc d is Dirac's law of duration d.
- @ (k) (e1, e2, …, en) is the k-out-of-n logic (ei are Boolean expressions).

We present in the following some of these PNs. Note that the interaction between these PNs is achieved through variables (guards and assertions).

Condensate LOC and Gas detection. At time = 0, we made the assumption that the LOC has occurred. This fact is modelled by the PN of Fig. 5(a). Fig. 5(b) models the behaviour of Gas detector 1 (GD1) under solicitation (?? LOC==true). Note that all component behaviours under solicitation are modelled according to the general scheme of Fig. 5(b). Once the detection is performed, the Alert must be given (!! Alert = true) to deploy the IEP of level 1, see Fig. 5(c).

Operational team intervention. We recall that its function is to control the LOC through the closing of pumps and valves, see Fig. 6.

Emergency team intervention. We only present the foam film PNs models, which depend on water pumps (not depicted hereafter) and emulsifier availability: ??(#81==1 or #86==1) and #89==1 (Fig. 7).

Fire starting and extinguishing. Fig. 8(a) presents the three conditions whose conjunction is required to trigger the fire (ignition, foam insufficiency and uncontrolled LOC (within 15 min)), whilst Fig. 8(b) shows the fire extinguishing process. Note that trucks behaviours are not depicted below.

Fig. 5. (a) Condensate LOC, (b) Gas Detector 1 (GD1) behaviour and (c) Gas detection system

Fig. 6. (a) Closing of pumps and (b) Closing of valves PNs models

Fig. 7. (a) Foam film and (b) Emulsifier availability

Fig. 8. (a) Fire starting and (b) Fire extinguishing

B. Obtained Results

Two sets of results, with respect to the aforementioned performance indicators, are presented in the following. The first one is related to the simulation of the developed PNs without taking into account parameter uncertainties, i.e., uncertainties related to the emergency plan task execution durations and failure probabilities. Thus, only aleatory uncertainties are taken into account. To this end, 10^5 histories have been performed, which results in the numerical values provided in Table 1. The second set considers parameter uncertainties as gathered in Table 2. 10^3 sets of input parameters have been generated thanks to Monte Carlo sampling. The probability density functions used are Uniform (lower bound, upper bound) and Lognormal (Mean (M), Error Factor (EF)). Lower and upper bounds for the Lognormal law are: (M/EF, M*EF). For the PNs quantification and for each generated set, the previous number of histories is maintained. So, the total number of histories is 10^8. The derived numeric values are gathered in Table 3.
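The repaired-component net of Fig. 2, quantified first with fixed rates and then with the double-loop scheme of Section II.C used for the results above, as an added example that is not the authors' code or tool. The rate values, horizon, Uniform bounds on the rates and all Python names (`RepairNet`, `single_loop`, `double_loop`) are constructed for illustration; the paper gives no numeric values for this net.

```python
import math
import random

# Places of Fig. 2: P1 working, P2 waiting for repair, P3 under repair, P4 repairmen.
P1, P2, P3, P4 = range(4)


class RepairNet:
    """Repaired-component net of Fig. 2: marking, guard (SP) and assertions (C_KO, NR)."""

    def __init__(self, lam, mu, rng, spare_parts=True):
        self.marking = [1, 0, 0, 5]                      # initial marking from the text
        self.vars = {"C_KO": False, "NR": 5, "SP": spare_parts}
        self.rng = rng
        # name: (input arcs, output arcs, guard, assertion, delay sampler)
        self.transitions = {
            "T1": ({P1: 1}, {P2: 1}, None, self._on_failure, lambda: self._expo(lam)),
            "T2": ({P2: 1, P4: 2}, {P3: 1}, lambda v: v["SP"], self._on_start, lambda: 0.0),
            "T3": ({P3: 1}, {P1: 1, P4: 2}, None, self._on_end, lambda: self._expo(mu)),
        }

    def _expo(self, rate):
        # Inverse transform: delta = -(1/rate) * ln(R), with R uniform on (0, 1].
        return -math.log(1.0 - self.rng.random()) / rate

    def _on_failure(self):
        self.vars["C_KO"] = True

    def _on_start(self):
        self.vars["NR"] -= 2

    def _on_end(self):
        self.vars["C_KO"] = False
        self.vars["NR"] += 2

    def enabled(self, name):
        inputs, _, guard, _, _ = self.transitions[name]
        has_tokens = all(self.marking[p] >= w for p, w in inputs.items())
        return has_tokens and (guard is None or guard(self.vars))

    def fire(self, name):
        inputs, outputs, _, assertion, _ = self.transitions[name]
        for p, w in inputs.items():
            self.marking[p] -= w
        for p, w in outputs.items():
            self.marking[p] += w
        assertion()

    def run_history(self, horizon):
        """Simulate one history over [0, horizon]; return the mean marking of P1."""
        t, up_time = 0.0, 0.0
        while t < horizon:
            # A delay is drawn when a transition becomes enabled. In this net at most
            # one transition is enabled at a time, so no delay is ever redrawn.
            pending = [(self.transitions[n][4](), n)
                       for n in self.transitions if self.enabled(n)]
            delay, name = min(pending) if pending else (math.inf, None)
            step = min(delay, horizon - t)
            up_time += step * self.marking[P1]
            t += step
            if delay > step:          # next firing falls outside [0, T]: history ends
                break
            self.fire(name)
        return up_time / horizon


def statistics(sample, e=1.6449):
    """Equations (1)-(3): mean, standard deviation, confidence interval (90 % default)."""
    n = len(sample)
    mean = sum(sample) / n
    sigma = math.sqrt(sum((x - mean) ** 2 for x in sample) / n)
    half = e * sigma / math.sqrt(n)
    return mean, sigma, (mean - half, mean + half)


def single_loop(lam, mu, horizon, m_histories, rng):
    """Aleatory uncertainty only: m histories with fixed parameters."""
    return [RepairNet(lam, mu, rng).run_history(horizon) for _ in range(m_histories)]


def double_loop(lam_bounds, mu_bounds, horizon, n_sets, m_histories, rng):
    """Outer loop samples the parameters, inner loop quantifies the net (n * m histories)."""
    outputs = []
    for _ in range(n_sets):
        lam = rng.uniform(*lam_bounds)    # assumed Uniform(lower, upper) pdf on each rate
        mu = rng.uniform(*mu_bounds)
        histories = single_loop(lam, mu, horizon, m_histories, rng)
        outputs.append(sum(histories) / m_histories)
    return outputs


if __name__ == "__main__":
    rng = random.Random(2024)
    # Constructed rates (per hour) and horizon (hours), chosen only for the demonstration.
    print("fixed parameters    :", statistics(single_loop(0.01, 0.1, 1000.0, 2000, rng)))
    print("uncertain parameters:", statistics(
        double_loop((0.005, 0.015), (0.05, 0.15), 1000.0, 50, 200, rng)))
```

The outer-loop sample is much more spread out than the fixed-parameter one, which is the same effect the paper reports when parameter uncertainty is added.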
TABLE I. OBTAINED RESULTS (ALEATORY UNCERTAINTY)

| Performance indicators | Averages | Standard deviations (σ) | Lower bounds (90%) | Upper bounds (90%) |
|---|---|---|---|---|
| P1 | 9.932E-1 | 8.242E-2 | 9.927E-1 | 9.936E-1 |
| P2 | 9.707E-1 | 1.686E-1 | 9.698E-1 | 9.716E-1 |
| P3 | 9.988E-1 | 3.389E-2 | 9.987E-1 | 9.990E-1 |

TABLE II. PARAMETER UNCERTAINTIES

| Parameters | Initial values | Uncertainties |
|---|---|---|
| Gas detector failure probability | 0.05 | Uniform (0.02, 0.08) |
| PLC failure probability | 0.022 | Uniform (0.01, 0.035) |
| Gas indicator failure probability | 0.01 | Uniform (0.009, 0.015) |
| On-site operator non-detection probability | 0.2 | Uniform (0.1, 0.3) |
| Alert triggering time | 4 min | Lognormal (4, 1.5) |
| Critical Time | 15 min | Constant (15) |
| Shutdown Push Button failure probability | 0.044 | Uniform (0.03, 0.06) |
| Closing of pumps duration if the whole operational team is available | 5 min | Lognormal (5, 1.5) |
| Closing of pumps duration if the team number is not sufficient | 10 min | Lognormal (10, 1.5) |
| Valves failure probability | 3.28E-3 | Uniform (2.9E-3, 3.5E-3) |
| Closing of valves duration if the whole operational team is available | 10 min | Lognormal (10, 1.5) |
| Closing of valves duration if the team number is not sufficient | 16 min | Lognormal (16, 1.5) |
| Teams unavailability | 0.1 | Uniform (0.09, 0.15) |
| Emergency team intervention delay | 3 min | Lognormal (3, 1.5) |
| Safety bounder efficiency | 0.9 | Uniform (0.85, 0.95) |
| Ignition sources prevention efficiency | 0.91 | Uniform (0.85, 0.97) |
| Water pumps failure probability | 0.019 | Uniform (0.015, 0.025) |
| Water pumps starting delay if the whole operational team is available | 3.5 min | Lognormal (3.5, 1.5) |
| Water pumps starting delay if the team number is not sufficient | 7 min | Lognormal (7, 1.5) |
| Emulsifier tank failure probability | 0.09 | Uniform (0.08, 0.1) |
| Emulsifier duration | 5 min | Lognormal (5, 1.5) |
| Rescue emulsifier duration | 2 min | Lognormal (2, 1.5) |
| Foam film establishment due time | 10 min | Uniform (8, 12) |
| Nozzle failure probability | 0.023 | Uniform (0.02, 0.03) |
| Truck failure probability | 0.01 | Uniform (0.0095, 0.02) |

TABLE III. OBTAINED RESULTS (ALEATORY UNCERTAINTY AND PARAMETER UNCERTAINTY)

| Performance indicators | Averages | Standard deviations (σ) | Lower bounds (90%) | Upper bounds (90%) |
|---|---|---|---|---|
| P1 | 9.843E-1 | 9.459E-3 | 9.838E-1 | 9.848E-1 |
| P2 | 6.510E-1 | 3.416E-1 | 6.333E-1 | 6.687E-1 |
| P3 | 9.828E-1 | 1.692E-2 | 9.819E-1 | 9.837E-1 |

Table 1 shows that the performance indicators that we are looking for are very high. Therefore, the robustness of the established emergency plan can be validated. However, when parameter uncertainties are considered, the previous indicators are reduced (see Table 3). While that reduction is minor for P1 and P3, it is significant in the case of P2 (probability of fire extinction within 60 min = 0.651). Hence, about 1/3 of fire extinctions last more than 60 min, which is very dangerous. Given this fact, the existing emergency plan has to be improved, for example, by increasing the reliability of water pumps or that of the emulsifier storage tank.

V. CONCLUSION

Emergency plans play a major role in limiting the consequences of hazardous accidents. Therefore, particular attention should be paid during their development. This paper presents a novel approach aiming to assess the efficacy of an emergency response, based on a high level model: Petri Nets. A particular accident scenario was studied, which concerns the loss of containment (LOC) of a condensate storage tank. Its related emergency plan performance indicators were defined in terms of three probabilistic measures: (i) the probability that the LOC control duration be lower than a given critical time (15 min in our case), (ii) the probability that the fire extinction duration be lower than 60 min and (iii) the probability of avoiding domino effects. Moreover, two quantifications have been performed relying on Monte Carlo simulation. The first one considers only aleatory uncertainty, whereas the second one takes parameter uncertainties into account. This second quantification is more realistic and thus gives credit to the obtained results. In our case, the second indicator is low such that the emergency plan cannot be validated.

REFERENCES

- DET NORSKE VERITAS (DNV), Plan d'Intervention Interne (PII), Rapport N° EP002720 N° 6 – HRM Centre, SONATRACH, 2010.
- R. Ferdous, F. Khan, R. Sadiq, P. Amyotte, and B. Veitch, "Analyzing system safety and risks under uncertainty using a bow-tie diagram: an innovative approach," Process Saf. Environ. Protect, vol. 91, pp. 1–18, 2013.
- M. Abrahamsson, Uncertainty in Quantitative Risk Analysis - Characterisation and Methods of Treatment. Ph. D. thesis, Department of Fire Safety Engineering, Lund University, Sweden, 2002.
- NUREG1885, Guidance on the treatment of uncertainties associated with pras in risk-informed decision. Technical report, United States Nuclear Regulatory Commission, 2009.
- T. Gu and P.A Bahri, "A survey of Petri net applications in batch processes," Computers in Industry, vol. 47, pp. 99-111, 2002.
- R. David and H. Alla, Discrete, continuous and hybrid Petri nets. 2nd ed. Berlin, Germany: Springer Publishing Company, 2010.
- C.-C. Huang and W.Y. Liang, "Object-oriented development of the embedded system based on Petri-nets," Computer Standards & Interfaces, vol. 26, pp. 187-203, 2004.
- IEC 61508 standard, Functional safety of electrical/electronic/programmable electronic safety-related systems. 2nd ed. Geneva, Switzerland: International Electrotechnical Commission, 2010.
- H. Blume, T. Von Sydow, D. Becker and T.G. Noll, "Application of deterministic and stochastic Petri-Nets for performance modeling of NoC architectures," Journal of Systems Architecture, vol. 53, pp. 466-476, 2007.
- EPA, Guidance on the development, Evaluation, and application of Environmental models. U.S. Environmental Protection Agency, 2009.
- N. Buratti, B. Ferracuti, M. Savoia, G. Antonioni and V. Cozzani, "A fuzzy-sets based approach for modelling uncertainties in quantitative risk assessment of industrial plants under seismic actions," Chemical Engineering Transactions, vol. 26, pp. 105-110, 2012.
- T. Aven and E. Zio, "Some considerations on the treatment of uncertainties in risk assessment for practical decision-making," Reliability Engineering and System Safety, vol. 96, pp. 64-74, 2011.
- NASA, Probabilistic Risk Assessment Procedures Guide for NASA Managers and Practitioners. NASA Office of Safety and Mission Assurance, Washington, 2002.
- J. Casal, M. Gomez-Mares, M. Munoz and A. Palacios, "Jet Fires: a "Minor" Fire Hazard?," Chemical Engineering Transactions, vol. 26, pp. 13-20, 2012.