4. RESULTS
4.1 SysML model
4.1.1 SysML model of protective systems
4.1.1.1 LOPA as simply one of many views
The reader must be aware that the diagrams in SysML are views of the systems model, which reveal portions of the model at specific levels of granularity. Under this logic, the current characterization of protective systems as a group of protection layers used in LOPA, commonly utilized in the industry, can be included in our model as one of its many views. Later, we enhance this characterization by integrating the elements from our conceptual model. A detailed view of the protection layers serves as a starting point to capture the physical components. Figure 4.1 depicts the types of protection layers and initiating causes.
1 We used the modeling language SysML, and the software NoMagic MagicDraw 18.3 with its SysML
Diagram 1 shows a taxonomy2 of the protection layers. It displays the generalization3 between some devices and the type of protection layer into which they can be classified. Complementing this diagram, Diagram 2 has a taxonomy of initiating causes. A more detailed view of the protection layers in Diagram 3 contains not only generalizations but also composite associations4, reference associations5, and dependencies6.
Figure 4.2: Portion of BDD in Diagram 3 depicting process alarms.
A portion of Diagram 3 is shown in Figure 4.2. It illustrates that process alarms belong to the Control protection layer, that they have hardware and software, and that changes to alarms hardware may affect alarms software. Another portion, shown in Figure 4.3, includes pressure relief devices, knockout drums, condensers, incinerators, scrubbers, vents and two kinds of flares (ground and elevated). It exposes the unidirectional connections that exist among pressure relief devices with knockout drums, condensers and incinerators; pressure relief devices and vents; scrubbers and vents; and scrubbers and flares. It also shows that the necessary height of the elevated flares depends on the flare stack diameter, the distance from the flare base, the desired heat intensity, the vapor rate, and the molecular weight of the vapor. Diagram 4 reveals the functions that these types of mechanical equipment perform in a relief system.
2 The type of diagram used here to convey system decomposition and type classification is a block definition diagram (BDD).
3 The notation for a generalization is a solid line with a hollow, triangular arrowhead on the end of the supertype [22]. It shows that the subtype is a type of a supertype.
4 A composite association between two blocks conveys structural decomposition. An instance of the block at the composite end is made up of some number of instances of the block at the part end. The notation for a composite association on a BDD is a solid line between two blocks with a solid diamond on the composite end [22]. A composition denotes a class as an aggregate and describes a whole-part hierarchy. The aggregate is existentially responsible for its parts [89].
5 A reference association between two blocks means that a connection can exist between instances of those blocks in an operational system, and those instances can access each other for some purpose across the connection. A solid line between two blocks with an open arrowhead on one end conveys unidirectional access, and the absence of arrowheads on either end conveys bidirectional access [22].
6 A dependency conveys that when the supplier element changes, the client element may also have to change. The notation is a dashed line with an open arrowhead, which is drawn from the client to the supplier [22].
Figure 4.3: Portion of BDD in Diagram 3 depicting relations among various types of mechanical equipment.
Figure 4.4: Selected physical components with properties assigned at various levels.
4.1.1.2 Physical components
Another view of the taxonomy of protection layers establishes, through generalizations, that most of the elements that constitute the protection layers are in fact physical components. This allows us to include the physical components from our conceptual model in our systems model. It also lets us assign structural and behavioral features to the block of physical components, which are inherited automatically, by transitivity, by all the subtypes, and then assign further properties only to specific subtypes.
This way, it is easy to state, as illustrated in Figure 4.4, that all physical components have maintenance procedures, installation procedures, and inspection and testing procedures; but only certain physical components have further properties, such as the mechanical equipment, which also has piping and instrument diagrams; while the various types of pressure relief devices, which are a subset of the mechanical equipment, have a relief system design and design basis as well. Diagram 5 presents the view of all the physical components of our model.
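The inheritance along generalizations described above, together with the dependency relation defined earlier, can be sketched in code. This is an added example, not part of the original model: the block names are identifiers chosen here from the text's description of Figures 4.2 to 4.4, and following dependency chains transitively goes beyond the single-step dependencies the text lists.

```python
from collections import deque

# Constructed from the text's description of Figures 4.2-4.4; block names are
# this example's own identifiers, not exported from the MagicDraw model.
SUPERTYPE = {  # generalization: subtype -> supertype
    "MechanicalEquipment": "PhysicalComponent",
    "PressureReliefDevice": "MechanicalEquipment",
}
OWN_PROPERTIES = {
    "PhysicalComponent": ["maintenance procedures", "installation procedures",
                          "inspection and testing procedures"],
    "MechanicalEquipment": ["piping and instrument diagrams"],
    "PressureReliefDevice": ["relief system design", "design basis"],
}
DEPENDS_ON = {  # dependency: client -> suppliers
    "AlarmSoftware": ["AlarmHardware"],
    "ElevatedFlareHeight": ["FlareStackDiameter", "DistanceFromFlareBase",
                            "DesiredHeatIntensity", "VaporRate",
                            "VaporMolecularWeight"],
}

def lineage(block):
    """Return [block, supertype, ..., root], rejecting cyclic generalizations."""
    chain = []
    while block is not None:
        if block in chain:
            raise ValueError(f"cyclic generalization at {block}")
        chain.append(block)
        block = SUPERTYPE.get(block)
    return chain

def effective_properties(block):
    """Own properties plus everything inherited, root-most first."""
    return [p for b in reversed(lineage(block)) for p in OWN_PROPERTIES.get(b, [])]

def blocks_with(prop):
    """Every block type that owns or inherits `prop`."""
    names = set(SUPERTYPE) | set(SUPERTYPE.values())
    return sorted(b for b in names if prop in effective_properties(b))

def impacted_by(changed):
    """Clients that may have to change when `changed` does, following chains."""
    seen, queue = set(), deque([changed])
    while queue:
        supplier = queue.popleft()
        for client, suppliers in DEPENDS_ON.items():
            if supplier in suppliers and client not in seen:
                seen.add(client)
                queue.append(client)
    return sorted(seen)
```

`blocks_with` answers which block types carry a given document when that document is revised, and `impacted_by` answers which client elements to review when a supplier element changes.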
Figure 4.5: Block of the management system.
4.1.1.3 Management system
The management system is represented in our system model through several BDDs that display its various elements, including those present in OSHA PSM and some others from the models described in section 2.2.3, and their respective components, modeled as parts. The BDD in Diagram 6 shows them succinctly, and Diagrams 7 through 20 present the BDDs of each individual element with their respective parts. Figure 4.5 exhibits the block that corresponds to the management system, with its elements displayed as part properties.
Figure 4.6: Portion of the IBD in Diagram 21 depicting information flow within the management system.
The internal block diagram (IBD) in Diagram 21 reveals the information and objects that flow across the parts (elements) of the management system, and therefore, possible interactions among themselves. It emphasizes the relevance of MOC, as several other parts of the management system interact with it. A portion of it is shown in Figure 4.6.
The inputs and outputs to and from MOC are contained in various packages7 displayed in Diagram 22. Figure 4.7 shows one of them. A similar diagram also reveals dependencies among the inputs and outputs, and the areas of the management system that could affect or be affected if they were modified.