1 Introduction

Chemically reacting industrial facilities, including those of the chemical and petrochemical industry, may be damaged by major accidents and need to be assessed to ensure safe operation with high integrity and functionality (Basheer et al. 2019). Risk assessment methodologies for major risks thus become the key to safety protection engineering, which involves technical, economic and environmental aspects (Metatla and Rouainia 2022).

The goal of safety protection engineering (Hortal and Izquierdo 2006) is to prevent, during the design and operating phases, damage states from exceeding tolerable damage limits, and to mitigate them, by taking into account the assumptions and recommendations offered by the risk assessment.

The complexity of the dynamic changes of events leading to major accidents does not allow risk assessment calculations to be conducted rigorously. As a result, a new approach to risk assessment has been developed, which is referred to as dynamic risk assessment (DRA) in the process industry (Aldemir 2012).

The DRA approach updates the risk level by resolving the complex dependence between the normal and the damage operation states (Paltrinieri and Khan 2020).

Among the modern methods of the DRA approach, the Theory of Stimulated Dynamics (TSD) is considered an extension of the probabilistic safety assessment (PSA) to non-Markov processes, where the transition rates between events depend mainly on activating stimuli and delays (Labeau et al. 2000; Labeau and Izquierdo 2005). The TSD has been shown to be a good candidate for a dynamic extension to the PSA that helps solve important static PSA drawbacks and pending issues (Izquierdo et al. 2017).

The TSD method relies critically on an adequate deterministic model; the one chosen in this study was described by Benikhlef et al. (2011). In more detail, the TSD method must be able to:

  1. Compute the path frequency density, to be introduced as a weighting factor of the paths in the sequence frequency aggregate.

  2. Filter in the paths of the damage domain that lead to damage conditions by ensuring stimuli activations of header system protection, for instance the crossing of set-point thresholds.

In this context, this paper describes in more detail the TSD method initially applied in the nuclear industry (Izquierdo et al. 2017). The results show the performance of TSD for a specific application for a simplified methyl-isocyanate (MIC) leak scenario from the storage tank 610 at the Bhopal plant, India in December 1984.

The general objective of this work is to show the generality of this method by applying it to a case problem in other risk assessment environments, namely significant scenarios in chemically reacting industrial facilities, like those similar to the Bhopal disaster. More specifically, the aim is to identify and assess the damage domain in a simplified case of an MIC release scenario from the storage tank 610. No attempt is made to assess the accident quantitatively; the aim is rather to show how the proposed method may handle situations of its kind.

2 TSD equations

TSD may be seen as an extension of the more common Markov and semi-Markov approaches for modeling systems with discrete states.

2.1 The semi-Markov path and sequence approach

The differential semi-Markov equations for the probability \({\pi }_{j}(t)\) of being in state j at time t can be applied to systems whose states may change in a stochastic way as a result of transitions induced by events. Those events occur with occurrence rates \({p}_{j\to k}^{\mathbb{e}}\), where index \(\mathbb{e}\) identifies the event and j → k is the resulting transition. In semi-Markov systems these transition rates are allowed to be a function of time. As is well known, these equations take the form of a typical probability balance involving the frequency \({\varphi }_{j}(t)\) of entering state j at time t (ingoing density), and the probability \({\pi }_{j}(t)\) of being in state j at time t, as follows

$$\begin{aligned}{\frac{d}{dt}\pi }_{j}\left(t\right)&= {-\pi }_{j}\left(t\right)\cdot \sum_{k\ne j}{p}_{j\to k}^{\mathbb{e}}\left(t\right){+\varphi }_{j}\left(t\right)\\ {\varphi }_{j}\left(t\right) &=\sum_{k\ne j}{p}_{k\to j}^{\mathbb{e}}\left(t\right) \cdot {\pi }_{k}\left(t\right)\end{aligned}$$
(1)

The solution can be written in terms of integral equations for \({\varphi }_{j}(t)\) and \({\pi }_{j}(t)\) as follows

$$\begin{aligned}{\varphi }_{j}\left(t\right)&={\int }_{0}^{t}d\tau \sum_{k\ne j}\left[{\pi }_{k}\left(\tau \right)\delta \left(\tau \right)+{\varphi }_{k}\left(\tau \right)\right]{q}_{kj}(\tau ,t)\\ {\pi }_{j}\left(t\right)&= {\int }_{0}^{t}d\tau \left[{\pi }_{j}\left(\tau \right)\delta \left(\tau \right)+{\varphi }_{j}\left(\tau \right)\right]{e}^{-{\int }_{\tau }^{t}\sum_{k\ne j}{p}_{j\to k}^{\mathbb{e}}\left(s\right)ds}\end{aligned}$$
(2)

In these equations, δ stands for Dirac's delta function and \({q}_{kj}(\tau ,t)\) is the probability density of entering state j from state k at time t, after remaining in state k from τ to t. It is given by

$${q}_{kj}\left(\tau , t\right)= {p}_{k\to j}^{\mathbb{e}}(t)\cdot {e}^{-{\int }_{\tau }^{t}\sum_{l\ne k}{p}_{k\to l}^{\mathbb{e}}\left(s\right)ds}$$
(3)

Equations (2) account for the contribution of all the possible states to the probability of each state as a function of time. An alternative format results from the consideration of every possible trajectory from the initial state k to the final state j, which will be called a path, composed of a set of n transitions caused by dynamic events \({\mathbb{e}}_{1}, \cdots , {\mathbb{e}}_{n}\). The ordered set of such events is called a sequence, represented by \(\overrightarrow{\mathbb{e}}\), and a sequence ending in state j will be represented by \({\overrightarrow{\mathbb{e}}}_{j}\). The initial conditions of the system are given by the probability \({\pi }_{k}(0)\) of being in state k at t = 0. This alternative representation allows for rewriting \({\varphi }_{j}(t)\) as

$${\varphi }_{j}\left(t\right)= \sum_{\forall {\overrightarrow{\mathbb{e}}}_{j}}{\varphi }_{j}^{{\overrightarrow{\mathbb{e}}}_{j}}\left(t\right) \equiv \sum_{k,\forall {\overrightarrow{\mathbb{e}}}_{j}}{\pi }_{k}(0)\cdot {\int }_{{V}_{n-1,{\overrightarrow{\mathbb{e}}}_{j}}({\tau }_{i}<t)}d{\overrightarrow{\tau }}_{n-1}\cdot {Q}_{k,j}^{{\overrightarrow{\mathbb{e}}}_{j}}(t|{\overrightarrow{\tau }}_{n-1})$$
(4)

Summations in Eq. (4) extend to all the possible sequences entering state j at time t. Each sequence starts from an initial state k, goes through intermediate states \({j}_{1}, \cdots , {j}_{n-1}\) and ends in state j. Vector \({\overrightarrow{\tau }}_{n-1}\equiv ({\tau }_{1}, {\tau }_{2}, \cdots {\tau }_{n-1})\) represents the occurrence times of events \({\mathbb{e}}_{1}, {\mathbb{e}}_{2}, \cdots {\mathbb{e}}_{n-1}\) and the final event \({\mathbb{e}}_{n}\) occurs at time t. The space of all the \({\overrightarrow{\tau }}_{n-1}\) vectors such that \(0<{\tau }_{1}<\cdots <{\tau }_{n-1}<t\) is represented by \({V}_{n-1, {\overrightarrow{\mathbb{e}}}_{j}}({\tau }_{i}<t)\) and \({Q}_{k,j}^{{\overrightarrow{\mathbb{e}}}_{j}}(t|{\overrightarrow{\tau }}_{n-1})\), which is a frequency density, is given by

$${Q}_{k,j}^{{\overrightarrow{\mathbb{e}}}_{j}}(t{|\overrightarrow{\tau }}_{n-1}) = {q}_{{j}_{n-1}j}({\tau }_{n-1}, t)\cdot {q}_{{j}_{n-2}{j}_{n-1}}({\tau }_{n-2}, {\tau }_{n-1})\cdots {q}_{{j}_{1}{j}_{2}}({\tau }_{1},{\tau }_{2})\cdot {q}_{k{j}_{1}}(0, {\tau }_{1})$$
(5)

While vector \({\overrightarrow{\mathbb{e}}}_{j}\) represents only a sequence of events, the couple of vectors (\({\overrightarrow{\mathbb{e}}}_{j}, {\overrightarrow{\tau }}_{n})\) represents a particular path through that sequence, i.e., a transient with events of the sequence occurring at specified times. It should be noted that the integral in Eq. (4) extends to all paths in a given sequence. The integrand, Eq. (5), is then called the path Q-kernel and this type of solution is called the path and sequence approach.

Now, \({\pi }_{j}(t)\) becomes

$$\begin{aligned}{\pi }_{j}(t) &= {\int }_{0}^{t}d{\tau }_{n}{\varphi }_{j}({\tau }_{n}){e}^{-{\int }_{{\tau }_{n}}^{t}\sum_{k\ne j}{p}_{j\to k}^{\mathbb{e}}(s)ds} \\&= \sum_{k,{\overrightarrow{\mathbb{e}}}_{j}}{\pi }_{k}(0)\cdot {\int }_{{V}_{n,{\overrightarrow{\mathbb{e}}}_{j}}({\tau }_{i}<t)}d{\overrightarrow{\tau }}_{n}{Q}_{k,j}^{{\overrightarrow{\mathbb{e}}}_{j}}({\tau }_{n}|{\overrightarrow{\tau }}_{n-1}) {e}^{-{\int }_{{\tau }_{n}}^{t}\sum_{k\ne j}{p}_{j\to k}^{\mathbb{e}}(s)ds} \equiv \sum_{{\overrightarrow{\mathbb{e}}}_{j}}{\pi }_{j}^{{\overrightarrow{\mathbb{e}}}_{j}}(t) \end{aligned}$$
(6)

The contribution of a single path to \({\pi }_{j}(t)\) is given by

$$d{\pi }_{j}^{{\overrightarrow{\mathbb{e}}}_{j}}({\overrightarrow{\tau }}_{n},t)=\sum_{k}{{\pi }_{k}(0)\cdot Q}_{k,j}^{{\overrightarrow{\mathbb{e}}}_{j}}({\tau }_{n}|{\overrightarrow{\tau }}_{n-1}) {e}^{-{\int }_{{\tau }_{n}}^{t}\sum_{k\ne j}{p}_{j\to k}^{\mathbb{e}}(s)ds}\cdot d{\overrightarrow{\tau }}_{n}$$
(7)

This differential quantity can properly be called the path probability; accumulated over the damage domain, it gives the sequence probability. Through Eq. (1), the frequency of exceedance is obtained.
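
The equivalence between the path and sequence form, Eqs. (3) to (5), and the balance form can be checked numerically. The following added example (not code from the paper or from the TSD tools) does so for a constructed three-state system with constant rates `A`, `B` and `C`, all of which are assumptions; `phi3_balance` takes the ingoing density as the rate into state 3 times the probability of the source state.

```python
from math import exp

def simpson(f, a, b, n=200):
    """Composite Simpson rule on [a, b] with n (even) intervals."""
    if b == a:
        return 0.0
    h = (b - a) / n
    s = f(a) + f(b)
    for i in range(1, n):
        s += (4 if i % 2 else 2) * f(a + i * h)
    return s * h / 3

# Constructed example: states 1 -> 2 -> 3 plus a direct 1 -> 3 transition.
# RATES[k][j](t) is the transition rate p_{k->j}(t); values are assumptions.
A, B, C = 0.30, 0.80, 0.05
RATES = {1: {2: lambda t: A, 3: lambda t: C},
         2: {3: lambda t: B},
         3: {}}

def exit_rate(k, t):
    """Total rate of leaving state k at time t."""
    return sum(p(t) for p in RATES[k].values())

def q(k, j, tau, t):
    """Eq. (3): density of entering j from k at t after staying in k since tau."""
    survive = exp(-simpson(lambda s: exit_rate(k, s), tau, t, n=20))
    return RATES[k][j](t) * survive

def path_kernel(states, times):
    """Eq. (5): product of q factors along one path.
    states = [k, j1, ..., j]; times = [0, tau_1, ..., t]."""
    kernel = 1.0
    for a, b, t0, t1 in zip(states, states[1:], times, times[1:]):
        kernel *= q(a, b, t0, t1)
    return kernel

def sequence_frequency(states, t):
    """Eq. (4) for a sequence of one or two events, with pi_k(0) = 1."""
    if len(states) == 2:
        return path_kernel(states, [0.0, t])
    return simpson(lambda tau: path_kernel(states, [0.0, tau, t]), 0.0, t)

def phi3_paths(t):
    """Ingoing density of state 3 as a sum over sequences [1 3] and [1 2 3]."""
    return sequence_frequency([1, 3], t) + sequence_frequency([1, 2, 3], t)

def phi3_balance(t):
    """Ingoing density of state 3 from closed-form state probabilities."""
    pi1 = exp(-(A + C) * t)
    pi2 = A / (B - A - C) * (exp(-(A + C) * t) - exp(-B * t))
    return C * pi1 + B * pi2

if __name__ == "__main__":
    for t in (0.5, 2.0, 5.0):
        print(t, phi3_paths(t), phi3_balance(t))
```
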

2.2 Application of the path and sequence approach to safety assessment

In the general case of the previous section, all events are assumed to occur at unspecified times, and there may be many states. When applied to safety assessment, the plant states are represented by the success k = 1 or failed k = 2 state of their systems, so plant states are a set of N values of k, each 1 or 2, with N the number of systems. For instance, in the case of no recovery, where all events are failures, after n failures the set of different k states is identified with k = 2 in all.

Time zero is the start of the plant operation, where all systems are in their success state, and the plant is in a steady state, so all its process variables are steady. Until a dynamic event occurs, as a result of these sequences of static events, the plant systems transit to a state at T that may be calculated by Eq. (6) with all \({\pi }_{k}\left(0\right)={\delta }_{1k}\) and constant rates.

2.3 The TSD methodology in case of deterministic stimuli. Path dependent rates

Usually in safety assessments, the activation/deactivation events are deterministic, i.e., the event does not take place unless the stimuli limits are crossed. In this case, because the evolution of the variables x on which the rates \({p}_{k\to j}^{\mathbb{e}}(x)\) depend is known for each path,

$${p}_{k\to j}^{{\mathbb{e}},path}(t)\equiv {p}_{k\to j}^{\mathbb{e}}\left({x}^{path}(t)\right)$$
(8)

The problem becomes a particular case of the semi-Markov equations given above. For instance, if the stimulus activates at \({\tau }_{s}\) and does not deactivate later

$${q}_{k\to j}^{{\mathbb{e}},path}\left({\tau }_{s},t\right)= {p}_{k\to j}^{{\mathbb{e}},path}(t)\cdot {e}^{-{\int }_{{\tau }_{s}}^{t}\sum_{l\ne k}{p}_{k\to l}^{\mathbb{e}}\left(u\right)du}$$
(9)

Equations (4)–(6) can then be maintained if, in the calculation of the q factors, event transition rates are null unless x is outside the stimuli limits, a situation determined by the transients of the stimuli variables. This situation defines the intervals that actually contribute to Eq. (9). The influence of the combinations of the activated/deactivated stimuli is accounted for, and different paths will have different rates. The fault trees associated with the events are also factored here, but they are computed at the end for each sequence, to account for common elements and support systems.

An even more essential impact of the activation of stimuli is due to the fact that the larger the number of protective events in a sequence, the lower its contribution. In particular, one failure sequence where a stimulus does not activate corresponds to another failure sequence with one header less. Thus, to take credit for a header, it is essential to guarantee its stimulus activation. Otherwise the results are not acceptable from a regulatory standpoint.

Finally, it is noted that for static events, where x does not depend on time, there is no transient associated, rates are expected constant in time and x is not expected to activate any stimuli.

3 Identification of damage domains and path assessment

To obtain the damage domain (DD), several specific search algorithms have been implemented, including the one described below (Izquierdo et al. 2004; 2009). In the identification process, many transients have to be simulated. They provide the dynamic information required to find the transition probabilities associated with each path, which are essential ingredients in the calculation of the Q-kernels that constitute the contribution of each path to the exceedance frequency.

3.1 Damage domain search algorithm

A sequence of events is characterized by a set of similar dynamic transitions, resulting from protective actions or stochastic phenomena, that differ only in the transition times. We call subsequence the sequence formed only by the transitions whose dynamic times are stochastic, and dimension of a sequence the number of events of its associated subsequence. Figure 1 shows the example of a 3-dimension sequence containing stochastic events 1, 2 and 3, where \(X_{1}\), \(X_{2}\) and \(X_{3}\) are the sampling variables of the occurrence times of events 1, 2 and 3 respectively. The time limits of the sequence are \(t_{ini}\) (initiating event occurrence time) and \(t_{AD}\) (accident duration time), and \(X_{1}, X_{2}, X_{3} \in [t_{ini}, t_{AD}]\). The sampling domain where the damage exceedance frequency of the sequence must be computed can be represented graphically. Each point of the sampling domain corresponds to a specific path, that is, to a simulated transient. The volume V of any of those domains is given by the following expression in the general case of a domain of dimension N

$$V\left( {X_{{i_{1} }} \le X_{{i_{2} }} \le ... \le X_{{i_{N} }} } \right) = \frac{{\left( {t_{AD} - t_{ini} } \right)^{N} }}{N!}\quad \quad \left( {i_{1} ,i_{2} ,...,i_{N} = 1,2,...,N;\;\;i_{1} \ne i_{2} \ne ... \ne i_{N} } \right)$$
(10)

Fig. 1 Sampling domains (shadowed): (a) the 2D sequence [2 1], (b) the 3D sequence [3 2 1]

It is possible to associate to any damage point in the N-dimensional sampling domain, an incremental volume of the form:

$$\Delta V = \prod\limits_{i = 1}^{N} {\Delta t_{i} }$$
(11)

Each point in the sampling domain represents a path, and those paths can be divided into three types: damage paths, safe paths and impossible paths. The last type arises because one must first fix the event times to simulate a path that belongs to a sequence, and only discovers from the results whether the stimuli conditions were satisfied or not. If they were not, the path is meaningless and should be removed.

Any implementation of the methodology should try to minimize the number of useless simulations, so the delimitation of the damage domain is of primary importance. It is therefore of interest to design a sampling strategy that:

  (a) Minimizes the number of non-damage paths (safe and impossible paths) being sampled and analyzed;

  (b) Is able to search and define the shape and size of the damage domain within the sampling domain.

An adaptive search algorithm has been designed, based on the mesh grid sampling strategy, to refine the search in the part of the domain where damage paths are detected. The basic idea is to analyze the neighbours of each damage path, and to sample in a finer mesh grid around it until non-damage paths (limits of the damage domain) are found. The adaptive search algorithm is divided into three main parts:

  • The initial stage in which an initial mesh grid is identified. Each point within that grid is sampled and analyzed, by simplified dynamic models in order to determine whether it corresponds to a success, impossible, or damage path.

  • The adaptive search stage in which a loop is performed with a succession of higher scales until reaching a stopping criterion.

  • The growing stage in which the algorithm generalizes the sampling throughout the whole zone of the damage domain. The combination of the growing stage and the refining stage makes it possible to optimize the number of points being sampled while refining the whole damage domain.
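
The initial and adaptive stages can be sketched for a 2D sequence as follows. This is an added example, not the TSD1-DDS1 code: it uses a cell-centred mesh, omits the growing stage, and replaces the deterministic simulation with a hypothetical `classify` rule whose delay, time of no return and time window are constructed values.

```python
from collections import Counter
from math import factorial

T_INI, T_AD = 0.0, 10.0   # sampling window [t_ini, t_AD] (constructed)
DELAY, TNR = 1.0, 4.3     # toy stimulus delay and time of no return (assumed)

def classify(x1, x2):
    """Toy stand-in for one simulated transient (hypothetical, not GASTEMP)."""
    if x2 < x1 + DELAY:
        return "impossible"   # event 2 placed before its stimulus is active
    if x2 - x1 > TNR:
        return "damage"       # protective action arrives too late
    return "safe"

def sampling_volume(n):
    """Eq. (10): volume of the ordered N-dimensional sampling domain."""
    return (T_AD - T_INI) ** n / factorial(n)

def adaptive_search(classify, h0=1.0, max_level=4):
    """Return (damage volume, paths simulated per class) for a 2D sequence."""
    levels = [dict() for _ in range(max_level + 1)]  # level -> {(i, j): class}
    counts = Counter()

    def sample(level, i, j):
        if i > j:                      # X1 > X2: outside the sampling domain
            return
        h = h0 / 2 ** level
        cls = classify(T_INI + (i + 0.5) * h, T_INI + (j + 0.5) * h)
        levels[level][(i, j)] = cls
        counts[cls] += 1

    def lookup(level, i, j):
        """Class of a cell; unsampled cells inherit from a settled ancestor."""
        if i > j:
            return None
        while level >= 0:
            if (i, j) in levels[level]:
                return levels[level][(i, j)]
            level, i, j = level - 1, i // 2, j // 2
        return None                    # outside [t_ini, t_AD]

    def on_boundary(level, i, j, cls):
        """True if a neighbour differs and one of the pair is a damage path."""
        for di, dj in ((1, 0), (-1, 0), (0, 1), (0, -1)):
            other = lookup(level, i + di, j + dj)
            if other not in (None, cls) and "damage" in (cls, other):
                return True
        return False

    n0 = round((T_AD - T_INI) / h0)    # initial stage: coarse mesh grid
    for i in range(n0):
        for j in range(i, n0):
            sample(0, i, j)

    volume = 0.0
    for level in range(max_level + 1):  # adaptive stage: refine the frontier
        h = h0 / 2 ** level
        cells = list(levels[level].items())
        split = {c for c, cls in cells
                 if level < max_level and on_boundary(level, *c, cls)}
        for (i, j), cls in cells:
            if (i, j) in split:         # sample a finer grid around this cell
                for a in (0, 1):
                    for b in (0, 1):
                        sample(level + 1, 2 * i + a, 2 * j + b)
            elif cls == "damage":
                volume += h * h         # Eq. (11): dV = dt1 * dt2
    return volume, counts

if __name__ == "__main__":
    vol, counts = adaptive_search(classify)
    print(vol, sampling_volume(2), dict(counts))
```

With these constructed values the search simulates fewer than 1,000 paths, against 12,880 for a uniform mesh at the finest step, because only cells on the frontier of the damage domain are refined and the safe/impossible frontier is left coarse.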

4 TSD tool implementation

4.1 Damage domain tool

A computer code called TSD1-DDS1 (Damage Domain Search) (Izquierdo and Cañamón 2006) has been developed by CSN-UPM (Universidad Politécnica de Madrid) to implement this algorithm in order to delineate a first iteration damage domain, and it has been used by LMSS to obtain the results shown in Sect. 5.

4.2 Exceedance frequency tool

The code also computes the exceedance frequency associated with it according to Eq. 9. The TSD code assumes an adequate deterministic code implementing the deterministic model, in our case the GASTEMP code (Izquierdo et al. 2007), but it may be any other. The reference TSD1-DDS1-GASTEMP1 identifies the tool used in this case. The Bhopal scenarios as well as GASTEMP were described in Benikhlef et al. (2012).

4.3 TSD analysis of the Bhopal accident

To illustrate the performance capabilities of the TSD-DDS1-GASTEMP1 dynamic reliability code, the Bhopal scenario is considered with different sequences of events involving the deluge and Freon cooling systems as the only protections (Benikhlef et al. 2011). The events involved are given in Table 1. The cooling systems are supposed to be initiated manually as an operator action. The sequences are described below.

Table 1 Dynamic events

4.4 Sequences description

The combinations of different events provide the following sequences:

  • Sequence [1 2]: after initiating event, deluge cold water event occurs at t2 and nothing happens until the end of the transient.

  • Sequence [1 2 3]: after initiating event, deluge cold water event occurs at t2, Freon injection failure event occurs at t3 > t2, and then nothing happens until the end of the transient.

  • Sequence [1 2 4]: after initiating event, deluge cold water event occurs at t2, reaction event occurs at t3 > t2, and then nothing happens until the end of the transient.

  • Sequence [1 2 4 3]: after initiating event, deluge cold water event occurs at t2, reaction event occurs at t3 > t2, Freon injection event occurs at t4 > t3 > t2 and then nothing happens until the end of the transient.

and similar descriptions for sequences [1 2 3 4], [1 3 2], [1 3 4], [1 3 4 2], [1 3 2 4].

4.5 Description of stimuli and delays

As the accident simulation ends at a fixed time after the safety disc rupture stimulus is activated, the rupture disc pressure setting becomes the damage stimulus activation point and pressure is its stimulus variable. Since it is the ultimate damage, we are not interested in further possible events resulting from its occurrence, so there is no need to include it in the events sequence vector.

On the other hand, in this type of scenario there is a trend towards a runaway phenomenon, considered a necessary condition for overpressure, so the runaway stimulus activation is also required, and may be considered as an anticipatory damage stimulus filtering out many paths from the overpressure damage domain.

The runaway stimulus activation is studied in terms of reaching critical conditions. Those conditions identify critical situations where the cooling system is unable to cope with the accumulation of chemical reaction heat rates through time.

Reaching critical conditions gives no margin for cooling, so the cooling systems ought to actuate before. One useful criterion is to impose that at the time of intervention sufficient net cooling energy may be provided, i.e.

$$\int_{{\tau_{cool}^{I} }}^{TNR} {\left[ {\dot{Q}_{cool} \left( {T\left( \tau \right)} \right) - \dot{Q}_{chem} \left( {T\left( \tau \right)} \right)} \right]} d\tau = 0$$
(12)

For instance, for Newton's law of cooling

$$\int_{{\tau_{cool}^{I} }}^{TNR} {\left[ {UA\left( {T\left( \tau \right) - T_{cool} } \right) - \dot{Q}_{chem} \left( {T\left( \tau \right)} \right)} \right]} d\tau = 0$$
(13)

4.6 Damage domains

Once the sequences and the event stimuli have been described, the dimensions of the damage domain can be indicated. Because the cooling systems are manually activated, they give rise to stochastic subsequences, so the time damage domain is two-dimensional (one-dimensional) when two (one) cooling systems are involved.

Here, the uncertain sensitive parameters considered are the mass of initial water and the temperature in the tank, and the cooling system parameters \(T_{cool}\) and \(\kappa \equiv U_{1} A_{1} T_{cool1} + U_{2} A_{2} T_{cool2}\).

4.7 Exceedance frequency model

Because the focus of this work is on damage domains, very simple assumptions are taken concerning transition rates. Namely, it is assumed that all parameters have an equal-value probability distribution function \(f\left( \overrightarrow{par} \right)\) between two given extreme values, and that the operators have a probability \(H_{AD}\) of failing their action during a given time \(t_{AD}\). Then

$$\begin{gathered} p = \ln H_{AD}\,;\quad f\left( \overrightarrow{par} \right) = \prod\nolimits_{j} f\left( \overrightarrow{par}_{j} \right) \\ Q_{j}^{seq\,\vec{j}} \left( t/\vec{\tau }_{n} /\overrightarrow{par} \right) = H_{rup} \int_{0}^{\tau_{rup}} q_{32} \left( \tau_{rup} ,\tau \right) q_{21} \left( \tau ,0 \right) d\tau \end{gathered}$$
(14)

5 Results and discussions

The TSD1 code was originally developed at CSN to compute the damage exceedance frequency. It includes the use of DDS1 to search the damage domain. TSD1 has been used by LMSS to quantify the results of the simulations shown in Tables 2 and 3. The different sequences are shown, as well as the number of paths going to damage, the number of safe paths and the number of impossible paths (the ones whose headers are not demanded on time). The last column shows the damage frequency associated with each sequence. The results were verified in this relatively simple case against the analytical result for the simplified case of equal and constant transition rate.

Table 2 Numerical results for the damage exceedance frequency considering the activation of runaway exothermic reaction damage stimulus and disc rupture failure (events 1 2 and 3)
Table 3 Numerical results for the damage exceedance frequency considering the activation of runaway exothermic reaction damage stimulus and disc rupture failure (events 1 2 3 and 4)

The damage domain generated considering the activation of the runaway exothermic reaction damage stimulus leading to disc rupture failure is shown in Tables 2 and 3.

The results show that a sequence is not necessarily a damage sequence or a safe sequence, but may be a sequence with a probability of damage and a probability of being safe.

Integrating the product of PDFs inside the damage domains, while taking into account the failure probabilities of all headers, gives the damage exceedance frequency of every sequence.

The damage exceedance frequency is obtained by integrating the equations of the Theory of Stimulated Dynamics (TSD) inside the damage domain of each sequence.

The results obtained for every sequence of the event tree are shown in Tables 2 and 3. Some comments can be made on the damage domain results. As shown, there are some impossible paths within each damage domain, which means that the sequence has physical meaning only in a tight timeframe of header event occurrence times.

The ratio of damage paths to safe paths is higher, as a result of the damage domain obtained from the adaptive search algorithm.

The sampling process deals with the damage domain areas. More damage paths are detected through the sampling process involving exceedance frequency computations with more efficiency and precision.

The worst sequences in Table 3 are the [1 2 4], the [1 2 3 4], and the [1 3 2 4], which together account for around 99.5% of the total damage exceedance frequency.

The damage domain reflects the contribution of stimuli setpoints on safety safeguards and through them, the influence on the protection system design. The damage domain obtained by the activation of the safety disc rupture represents the violation of the rupture threshold.

The damage domain of all possible sequences shown in Table 3 is more important than the damage domain obtained in Table 2. This is due to the time of no return (TNR), which was reached while the time to maximum rate under adiabatic conditions (TMRad) was elapsed.

6 Conclusions

An adequate tool has been developed to transfer some dynamic risk assessment methods that have proven their efficiency in the nuclear industry to chemically reacting facilities, which is necessary when risk-related decision making requires the performance of a large number of scoping deterministic analyses.

To verify its feasibility, the tool has been tested in a reference case for chemical/petrochemical industries, taking into account the possibility of future developments. Our application to study how the simplified chemical reactions and system configurations affected the Bhopal disaster verifies a significant analysis power that can be adapted to different purposes in the industry.

Because of the relation between the deterministic and probabilistic safety approaches, the two are connected as a practical specific module with the objective of assessing the safety space. The safety space in the context of probabilistic safety can be understood as an extension of the PSA event trees and the uncertainty analysis methods, aimed at obtaining an estimation of the exceedance frequencies of specified safety limits.

In general, the results have shown the capability of the TSD methodology to obtain accurate results that take into account the time delay in operator response and parameter uncertainty in the evaluation of safety in chemically reacting industrial facilities.

Future applications to be performed with our tool will introduce binary mixture equilibrium as well as two-phase non-equilibrium transient conditions and will use the gas–liquid–solid transitions to increase the computing power. A module currently under development will provide the possibility of introducing binary mixtures to compute thermodynamic properties by using different equations of state for all phases.