2.2 TeCSMART Framework
2.2.1 Perspective I: Equipment View Layer
In the Equipment View layer, the focus is on individual equipment such as reactors and distillation columns in the context of a chemical plant and their operating conditions. A chemical plant is a collection of such process units suitably organized (called a flowsheet) to meet the plant-wide goal of manufacturing a desired chemical product at targeted levels of quality, quantity, cost, time of delivery, etc., safely and optimally. This collection is seen in Perspective II, the Plant View layer. The time scale for the Equipment View layer is typically in seconds and minutes as process dynamics happen in real time.
In the Equipment View layer, the autonomous agents involved are typically engineers and operators, and the non-autonomous agents are equipment including control systems. While regulatory control systems can exhibit a certain degree of autonomy, that is negligible compared to the range of autonomy exhibited by humans. Hence, we classify regulatory controllers as non-autonomous.
Consider, for example, a stirred tank heater process (Figure 2.3) where the goal is to control the level $h$ and temperature $T$ of the fluid in the tank that is subject to fluctuations in the inlet flow rate $F_i$ and temperature $T_i$. The desired level of the fluid is referred to as the set point level $h_{set}$ and the desired temperature $T_{set}$. These are accomplished by the two feedback controllers (loops 1 and 2), which receive the current F and T in real time from the sensors (level gauge and thermocouple), by suitably manipulating the outlet flow rate $F$ and steam flow rate, $F_{steam}$, by opening or closing the respective control valves (actuators).
The seven elements of the information modeling block for this system are: (i) input: $F_i$, $T_i$, $F_{set}$, $T_{set}$, $F_{steam}$, (ii) output: $h$ and $T$, (iii) sensors: level gauge and thermocouple, (iv) actuator: outlet flow and steam valves, (v) controller, (vi) “core” process unit: tank and heater, and (vii) connection: pipes and wires. The constraints are lower and upper limits on the level and the temperature of the fluid in the tank.
Figure 2.3: Stirred tank heater example (adapted from [Stephanopoulos, 1984], pp. 89)
The goal at the Equipment View is centered on the performance of individual equipment such as heaters, reactors, distillation columns, etc. – i.e., each piece of equipment has its goal of operating at the set point(s). At this level of granularity, typically, for engineering applications, one can develop detailed dynamical models of the equipment and processes. These tend to be a set of DAEs that are solved to simulate process/equipment behavior. Since the purpose of this chapter is not to discuss these models at length, we refer the interested reader to several standard sources in the literature [Stephanopoulos, 1984; Seborg et al., 2011; Ogunnaike and Ray, 1994; Bequette and Bequette, 1998]. As an example, we list below the dynamical model equations for the stirred tank heater.
$$A \frac{dh}{dt} = F_i - F$$
$$A h \frac{dT}{dt} = F_i (T_i - T) + \frac{Q}{\rho C_p}$$
Another kind of model used at this level, called SDG, is based on graph theoretical ideas to represent cause and effect relationships in a process or equipment. The SDG model for the heater example is shown in Figure 2.4. The nodes represent input and output variables. The arcs represent either positive (solid lines) or negative (dotted lines) relations between nodes. The figure is read as follows: a change in the inlet temperature $T_i$ positively affects the temperature difference, which is the set point temperature $T_{set}$ minus the stirred tank temperature $T$. As $T$ increases, the temperature difference decreases. It means that less steam $F_{steam}$ is needed in the stirred tank, because $T$ gets close to the set point temperature $T_{set}$. This positive relation between the temperature difference and $F_{steam}$ is depicted by a solid arc between the two nodes. $F_{steam}$, in turn, positively affects the temperature $T$ in the stirred tank. This causal behavior among $T$, the temperature difference, and $F_{steam}$ refers to loop 2 in Figure 2.3.
Figure 2.4: SDG for the tank heater example
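The reading of loop 2 given above can be checked mechanically by treating the SDG as a signed graph. The following is an added example, not part of the original text: the node label dT for the temperature difference, the arc from T_set (taken from the definition of the difference rather than from the figure) and the reversed-connection fault are assumptions.

```python
# Arcs of loop 2 as described in the text: +1 = solid arc, -1 = dotted arc.
# "dT" is a label chosen here for the temperature difference T_set - T.
ARCS = {
    ("T_set", "dT"): +1,     # follows from dT = T_set - T
    ("T", "dT"): -1,         # as T increases, the difference decreases
    ("dT", "F_steam"): +1,   # larger difference calls for more steam
    ("F_steam", "T"): +1,    # more steam raises the tank temperature
}

def propagate(arcs, source, sign=+1):
    """First-pass qualitative effect (+1/-1) of a deviation at `source`."""
    effect, frontier = {source: sign}, [source]
    while frontier:
        node = frontier.pop(0)
        for (src, dst), arc_sign in arcs.items():
            if src == node and dst not in effect:
                effect[dst] = effect[node] * arc_sign
                frontier.append(dst)
    return effect

def feedback_loops(arcs):
    """Map each simple cycle to the product of its arc signs (-1 = negative feedback)."""
    loops = {}
    def walk(path, sign):
        for (src, dst), arc_sign in arcs.items():
            if src != path[-1]:
                continue
            if dst == path[0]:
                loops[tuple(path)] = sign * arc_sign
            elif dst not in path and dst > path[0]:   # start each cycle at its smallest node
                walk(path + [dst], sign * arc_sign)
    for start in sorted({node for arc in arcs for node in arc}):
        walk([start], +1)
    return loops

def reverse_arc(arcs, arc):
    """Copy of the graph with one arc's sign flipped (an assumed reversed connection)."""
    return {**arcs, arc: -arcs[arc]}

if __name__ == "__main__":
    print(propagate(ARCS, "T_set"))
    print(feedback_loops(ARCS))
    print(feedback_loops(reverse_arc(ARCS, ("dT", "F_steam"))))
```

A loop whose sign product is -1 counteracts a disturbance; flipping a single arc turns loop 2 into a positive (self-reinforcing) loop, which is the kind of unstable condition the qualitative model is meant to expose.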
Nevertheless, such cause-and-effect based qualitative models are very useful when modeling a social system, where DAE models are usually hard to develop, such as a bank-dealer system (which will be explained in detail in Chapter 3.3). In this case, the nodes are variables related to a bank-dealer’s investment and lending activities. In Figure 2.5, the left-hand side depicts the connections and activities within the bank-dealer, while the right-hand side shows the SDG model. A bank-dealer system consists of three major desks, among which the finance desk determines where money should go; the prime broker determines how much money to lend based on the collateral collected; and the trading desk determines whether to sell to the market or buy from the market based on money received from the finance desk and the leverage ratio it holds. The SDG model is read as follows: finance desk collateral $C_{FD}$ positively affects the funding capacity $V_{FD}$. $V_{FD}$ in turn positively affects the prime broker; both the collateral amount $C_{PB}$ and the margin rate $\chi_{PB}$ positively affect the loan capacity $V_{PB}$. In the trading desk, the leverage set point $\lambda^{SP}_{TD}$ and current leverage $\lambda_{TD}$ determine the trading-desk leverage difference, which positively affects the inventory quantity of the trading desk $Q_{TD}$. Using the SDG model, one can quickly examine the causal relations of a social system like the bank-dealer system, and study unstable conditions and risks such as the fire sale and funding run scenarios.
Figure 2.5: SDG for the bank/dealer example
One can always incorporate other modeling methods with the TeCSMART framework. Usually, in order to develop a quantitative model (DAE model) or a qualitative model (SDG model), one needs to determine the initial conditions of a system. System initial conditions at this level are values associated with equipment, such as sensor readings or controller parameters. Examining failure modes using the TeCSMART framework provides a systematic way of identifying system initial conditions. By giving different system initial conditions, modelers can develop suitable models to describe the system and conduct in-depth risk analysis. Therefore, no matter what modeling methods or risk assessment tools one will use, a HAZOP-like systematic analysis using the TeCSMART framework is feasible for analyzing risks in a sociotechnical system. It enables a systematic hazard identification for the risk assessment of a sociotechnical system.
The basic functional building block in Figure 2.2 allows us to model systematically the potential failures at different levels of both human and non-human elements. In the Equipment View layer, let us consider a sensor, for example. Using a commonly used model of its failure modes, we can state that a sensor can fail high, low, or zero (i.e., no response, sensor is dead). Similarly for an actuator (a valve can fail high, low, or zero) and a controller. A process might have more failure modes depending on its complexity, but it is usually not in the hundreds, more like a dozen or so. The connections can fail, too, again high, low, zero, or reverse (in the case of flow rate in pipes, for example). One can modify these to make the set of failure modes more sophisticated, if needed, but even this elementary set goes a long way as we discuss below. We will show below how these failure modes can be generalized to accommodate typical human failures as well at different levels of the hierarchy.
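The sensor failure modes above can be fed into the stirred tank heater balances to see which constraint each one ends up violating, in the manner of a HAZOP table. This is an added example, not part of the original text: the plant numbers, the proportional control laws, the treatment of Q as the steam heat input set by loop 2, and the numeric meaning given to "high", "low" and "zero" are all assumptions.

```python
# Constructed plant data and tuning (assumptions, not values from the page).
A, RHO_CP = 1.0, 1.0                  # tank area; lumped rho*Cp
F_IN, T_IN = 1.0, 20.0                # inlet flow F_i and temperature T_i
H_SET, T_SET = 1.0, 60.0              # set points
LIMITS = {"h": (0.8, 1.2), "T": (50.0, 70.0)}   # lower/upper constraints
KC_H, KC_T = 2.0, 5.0                 # proportional gains, loops 1 and 2
Q_BIAS = F_IN * (T_SET - T_IN) * RHO_CP         # heat input that holds T_SET

# Sensor failure modes from the text, each given an assumed numeric meaning.
FAULTS = {
    "ok": lambda x: x,
    "high": lambda x: 1.5 * x,        # reads 50 % above the true value
    "low": lambda x: 0.5 * x,         # reads 50 % below the true value
    "zero": lambda x: 0.0,            # dead sensor, no response
}

def simulate(level_fault="ok", temp_fault="ok", t_end=20.0, dt=0.01):
    """Euler-integrate both balances; return the set of violated limits."""
    state = {"h": H_SET, "T": T_SET}
    lo = dict(state)                  # running minimum of each variable
    hi = dict(state)                  # running maximum of each variable
    for _ in range(int(t_end / dt)):
        h, T = state["h"], state["T"]
        h_meas, T_meas = FAULTS[level_fault](h), FAULTS[temp_fault](T)
        F = max(0.0, F_IN + KC_H * (h_meas - H_SET))    # loop 1, outlet valve
        Q = max(0.0, Q_BIAS + KC_T * (T_SET - T_meas))  # loop 2, steam heat
        state["h"] = h + dt * (F_IN - F) / A            # A dh/dt = F_i - F
        state["T"] = T + dt * (F_IN * (T_IN - T) + Q / RHO_CP) / (A * h)
        for name, value in state.items():
            lo[name], hi[name] = min(lo[name], value), max(hi[name], value)
    violated = set()
    for name, (lower, upper) in LIMITS.items():
        if lo[name] < lower:
            violated.add(name + " low")
        if hi[name] > upper:
            violated.add(name + " high")
    return violated

def hazop_table():
    """One row per (sensor, failure mode): the constraints it ends up violating."""
    rows = {}
    for mode in ("high", "low", "zero"):
        rows[("level gauge", mode)] = simulate(level_fault=mode)
        rows[("thermocouple", mode)] = simulate(temp_fault=mode)
    return rows

if __name__ == "__main__":
    for key, violated in sorted(hazop_table().items()):
        print(key, sorted(violated))
```

With these assumed numbers a sensor that reads high drives the true variable below its lower limit, while a low or dead sensor drives it above the upper limit, because each controller acts on the reading rather than on the true value.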