Risk Assessment of Industrial Domino Effects Using Stochastic Petri Nets

Petri nets are now widely used in system safety. They offer a powerful tool that allows accounting for the various relationships that may exist. Sequential and competitive activities, synchronization, resource sharing, and mutual exclusion (conflict situations) can be easily represented. It is worth noting their ability to easily consider the temporal aspect in the model.

Petri nets were developed in 1962 by Carl Adam Petri [33], based on automata theory. A Petri net is a graphical notation with an underlying mathematical structure suitable for modeling discrete event systems. In the following, the presentation of Petri nets is deliberately limited to the necessary elements used in the context of this work. For more details, the reader can refer to references [36, 37].

2.1 Petri nets’ structure

The structure of a Petri net can contain the following elements (Figure 1):

• Places: Represented by circles and placed upstream or downstream of transitions (a place may be both an input and output place for a given transition). They can represent the states of the system’s components (working, failed, etc.).
• Transitions: Drawn as bars, they correspond to potential events that could modify the state of a Petri net if they occur (failures, repairs, etc.).
• Arcs: Connect places to transitions (upstream arcs) and transitions to places (downstream arcs). Arcs are labeled with their weights (a positive integer). This weight indicates the number of tokens consumed or created when crossing (firing) a transition. For example, the weight of an upstream arc can indicate the resources required to perform a given action, while that of a downstream arc can indicate the quantity resulting from that action. This weight is taken as 1 if it is not mentioned.

Figure 1. Petri nets elements

• Tokens: Represented by small solid dots. In basic Petri nets, tokens are the only things that characterize their dynamic structure. Each place can potentially contain zero or a positive number of tokens. The distribution of tokens at places is called marking, which defines the state of the system at a given time. Tokens go through transitions when events occur. For instance, a token can represent the presence or absence of a resource.
• Predicates or guards: Any formula that can be true or false, allowing the validation of transitions.
• Assertions: Any equation that updates certain variables when a transition is fired (triggered).
• Transition enabling and firing: A transition is valid (enabled) when all its input places contain at least the number of tokens required by each upstream arc (indicated by its weight) and all its associated predicates are ‘true’. A transition is fired if it is enabled and the required delay has elapsed, i.e., the time between enabling and firing. This delay can be deterministic (constant delay) or stochastic (random delay, for example, negative exponential). In the latter case, the Petri net is called an SPN. If the delay is zero, enabling coincides with firing. These delays can represent, for example, the time required to execute a given task, failure times, etc.
• When firing a transition: Its input places lose as many tokens as specified by the weights of the respective upstream arcs, its output places gain as many tokens as specified by the weights of the respective downstream arcs, and the related assertions are updated.

2.2 Petri nets modeling approach

The different steps to model and evaluate a system with Petri nets are depicted in Figure 2 and described in the following.

• Defining the context and objectives of the study: This step allows for clearly identifying the boundaries of the studied system and the performance indicators to be measured: reliability, production level, stock level, unwanted events frequencies, etc. These indicators depend on corporate policy, normative and regulatory framework.
• Collecting and analyzing system data (understanding the system): The model is as valuable as the data used. This involves identifying the different activities and tasks, the support elements (parts, components) that carry them out, and their characteristics (states, conditions, events, and actions that cause changes, processing time, available resources, etc.). Furthermore, the various existing interrelations and dependencies should be specified. During this step, the different quantities involved in defining the system are assigned deterministic numerical values (constant delays, resource extents, capacity, etc.) or stochastic ones (failure and repair times, probability of a given event, rates, etc.). Note that the system description could be done using free text, tables, or figures as suitable.

Figure 2. Petri nets modeling steps

• Modeling the structure of the system using Petri nets: The established model depends on the understanding of the system and the identified performance indicators. The states, conditions, or resources are represented as places (circles), and the events, actions, or processes that change the state of the system are described by transitions (rectangles). Relationships between states and events are characterized by directed arcs to show dependencies and flows. Arcs from places to transitions indicate the conditions required for events to occur, and arcs from transitions to places show the new conditions or states that result from the event's realization. Tokens should be added in the appropriate places to represent the initial state of the system. Petri nets should model all relevant states that may hold and all possible cause-and-effect relations that may take place. Successive refinements of the model could be necessary until the required level of detail for the analysis is reached. In addition, the analyst may adopt a modular approach (hierarchy) in order to simplify the model validation and maintenance.
• Validating the constructed model: Debug the constructed model and verify that it accurately represents the real system. This activity can be carried out using model property verification, step-by-step simulation (interactive simulation), etc.
• Animating the constructed model: This animation is performed by drawing random numbers (Monte Carlo simulation). In this paper, we consider the evaluation of Petri nets by Monte Carlo simulation, since analytical approaches based on transforming Petri nets into Markov chains are not applicable to most real systems. The unfolding of histories for a given observation period is carried out as follows:

1. Randomly generate a value for each of the model parameters (according to their distributions).

2. Place the parameter values representing durations (transitions firing times) in a schedule according to an ascending order.

3. Evolve the system marking based on these times and update the schedule (transitions firing times) iteratively, and return to the first step if necessary.

4. Continue the simulation (previous steps) until the first instant of the schedule exceeds the observation period for which the calculations are to be performed. A history is created.

5. Repeat steps 1 to 4 a large number of times (e.g., 10,000) to gather a statistically representative sample of what we are trying to evaluate.

• Estimating the performance indicators of interest: The evolution of the system simulated over a large number of histories makes it possible to statistically evaluate the information sought after, according to the objectives of the study, in terms of mean value, standard deviation, confidence intervals, etc.
• Interpreting the results: The results of the analysis shall be interpreted in a clear and concrete way. As such, informed decisions could be taken accordingly in order to improve the system performance: system reconfiguration, use of redundant equipment, adding a safety barrier, etc.

4.1 System description

To demonstrate the proposed methodology, we apply it to a hypothetical case study of a gasoline tank farm. For the sake of simplicity, the studied scenario is demonstrated in a facility containing three identical atmospheric storage tanks (Tank 1, Tank 2, and Tank 3). Each tank has a diameter of 40 m and a height of 20 m, enclosed within an 80 m × 80 m retention bund. The tanks are arranged with 40 m spacing between Tank 1 and Tank 2, and between Tank 2 and Tank 3 (Figure 4). This configuration represents a common industrial layout where domino effects can propagate through HR or blast impacts.

This simplified layout provides a controlled environment to test and validate the proposed methodology, allowing clear observation of domino effect pathways and escalation probabilities.

Figure 4. Schematic of the gasoline tank farm

We assume that a loss of containment (LOC) occurs in Tank 1, followed by an ignition (in our case, ignition probability of = 0.7), which causes a fire in Tank 1. The potential escalation scenarios relating to fire spreading to the neighboring tanks (Tanks 2 and 3) are presented in Figure 5. We will also examine which scenario is most likely to occur, while considering synergistic effects: the simultaneous burning of two tanks could increase the impact on the third tank. Through this process, we want to test whether our approach can help improve the safety system by enhancing our understanding and management of domino effect phenomena.

4.2 Estimation of escalation vectors

For each primary event, escalation vectors, specifically HR intensities, are calculated at neighboring tanks. The generic formula of the heat flux (thermal radiation) emitted by a pool fire and received by a target located at x meters from the center of the flame is given by Eq. (1) [39]:

$\emptyset(x)=\emptyset_0 \cdot F(x) \cdot \tau(x)$      (1)

where,

$\emptyset(x)$: heat flux at a certain distance $x$ (received heat flux) (kW/m²).

$\emptyset_0$: flame surface emissive power (kW/m²).

$F(x)$: view factor. It is the fraction of the radiation falling directly on the receiving target.

$\tau(x)$: atmospheric transmissivity to thermal radiation.

There are several correlations for calculating these quantities. More details are given in the Purple Book [27]. The following considerations are taken into account during the calculation process: air relative humidity 70%, ambient temperature 15℃, wind speed 5 m/s, air density 1.161 Kg/m³, gasoline mass burning rate per unit area 0.055 Kg/(m² s).

The resulting HR against distance is plotted in Figure 6.

Figure 5. Potential escalation scenarios

Figure 6. Heat flux versus distance

4.3 Time-to-failure calculation

Using the HR intensity, the TTF for each exposed Tank is calculated with the following correlation [39]:

$\ln \mathrm{TTF}_{T a \rightarrow T b}=-1.13 \cdot \ln \left(\mathrm{HR}_{T a \rightarrow T b}\right)-2.67 \cdot \frac{V}{10^5}+9.9$      (2)

where, HR is the heat radiation intensity (kW/m²) emitted from tank a to tank b, and V is the tank volume (m³). This formula captures the dynamic vulnerability of tanks exposed to thermal radiation, reflecting how longer exposure reduces structural integrity [39]. Note that HR_T1→T2 = 17.11 KW/m² (for a distance of 20 m between the bund wall of Tank 1 and the wall of Tank 2) and HR_T1→T3 = 10.87 KW/m² (for a distance of 36 m between the bund wall of Tank 1 and the wall of Tank 3).

4.4 Probit model for escalation probability

Once the value of ln TTF is calculated, it is possible to estimate the probability of escalation (PES) using the probit function. In this paper, only HR is considered as escalation vector. The corresponding probit function is given by Eq. (3) [39]:

$\left\{\begin{array}{c}Y=12.54-1.847 \cdot \ln \mathrm{TTF}_{T a \rightarrow T b} \\ P E S=\frac{1.005}{\left(1+\exp \left(\frac{-Y}{0.6120}+\frac{5.004}{0.6120}\right)\right)}\end{array}\right.$      (3)

Eq. (3) allows us to quantify the likelihood that the heated Tank will fail and propagate the accident, integrating both intensity and duration of exposure [39]. The different PES related to the case study and the other relevant data are given in Table 1.

4.5 Construction of the Petri nets model

The Perti net of Figure 7 depicts the studied scenario, which addresses the potential fire propagation from Tank 1 to the neighboring Tanks 2 and 3. The GRIF software (Petri module) has been used for the establishment and simulation of the Petri net [41]. The different parameters used within the Petri net are gathered in Table 1. Note that equations of Table 2 were inserted in the Petri net module, and the quantities related to ln TTF and PES were automatically determined.

Table 2. Used parameters

Places 1, 7, and 10 represent the normal states of Tank 1, Tank 2, and Tank 3, respectively (each place has 1 token). Initially, the transition Tr1 is the sole enabled transition. This transition characterizes the event related to the Tank 1 LOC with a stochastic delay F_LOC = 5E-6 y^-1. During the simulation, this delay is generated randomly according to the exponential law: d = -ln z /F_LOC, where z is a random number. After firing Tr1, the token is removed from place 1, and a token is added to place 2 corresponding to the LOC of Tank 1. The transition Tr2, relating to ignition possibility, becomes then enabled and triggered instantaneously (delay = drc 0, drc for Dirac law) according to a solicitation law (sol Pignition), where Pignition refers to the ignition probability = 0.7. During the simulation, a random number between 0 and 1 is generated. If this number is between 0 and 0.7, the token moves from place 2 to place 3, indicating that Tank 1 is on fire. In the contrary case, the token ends up in place 4, and therefore the LOC is controlled. If Tank 1 is on fire (place 3), there will be a possibility for Tank 2 and Tank 3 to be impacted. Thus, Transition Tr5 is immediately fired, and places 5 and 6 get one token each, making transitions Tr4 and Tr6 enabled, indicating a potential escalation for Tank 2 and Tank 3, respectively. These potential escalations are calculated according to Eq. (3). The triggering principle for transitions Tr4 and Tr6 is the same as for Tr2 (solicitation law according to the respective probability). If the fire propagates from Tank 1 to Tank 2 (according to the probability PEST12 = 2.842E-3), a token appears in each place 15 and 16. Note that place 15 is added to address the propagation of fire from Tank 2 to Tank 3 (same thing for place 11: to address the propagation of fire from Tank 3 to Tank 2). In case there is no direct propagation from Tank 1 to Tank 2 (marking of place 17 with one token), Tank 2 is still subject to fire propagation if Tank 3 is on fire. This reflects the synergic aspect of fire propagation. In fact, Tank 3 on fire (place 11) contributes with Tank 1 to the propagation of fire toward Tank 2: Tank 2 receives HR from the two tanks (HR_T32 = 34.22 kW/m²). This results in a probability of escalation PEST32 = 0.03. Tank 2 may catch fire according to this probability by the firing of transitions Tr8 and Tr10, leading to the marking of place 16 with one token. The same explanations can be made regarding the spread of fire from Tanks 1 and 2 to Tank 3.

Figure 7. Petri net model for escalation paths

4.6 Petri nets simulation and numerical results

In the GRIF software, Petri nets are coupled with the Monte Carlo technique to simulate the model and statistically extract the quantities of interest. 1E+10 history has been performed over an observation period of 1E+3 years. The different transition frequencies related to escalation events (domino effects) are grouped in Table 2. In addition to these results and for comparison and validation purposes, Table 2 also presents the frequencies of the different scenarios obtained from other modeling approaches, namely: Bow-Tie (BT), Fault Tree (FT), and Bayesian Network (BN). The associated models are presented in Figures 8-10, respectively. The BT and FT models were created using GRIF software [41], while the BN model was developed using Netica software [42]. It should be noted that with the FT and BN approaches, it was necessary to build two separate models to capture the different escalation scenarios. This limits their ability to provide a holistic picture of the potential scenarios, and the modeling becomes unmanageable in case of several escalations. In contrast, BT and Petri nets offer a full and clear graphical representation of these escalations.

Moreover, the underlying mathematical expression of the BN does not allow for directly calculating the scenario frequencies, since the BN is a probability-based approach and the algorithm for frequency calculation is not yet available. Hence, in Table 2, the probabilities and frequencies are presented for each scenario, where the different frequencies were simply derived by multiplying the corresponding probabilities by the LOC frequency (5E-6 y^-1). This is not the case with the FT technique, for which frequency calculation codes have been available for a long time.

It should be noted that the BT formalism implemented in the GRIF software has a higher modeling power than traditional BT. This explains the relative simplicity of the model in Figure 8, thanks to the use of the AND gate.

The inspection of Table 3 reveals the following statements:

• BT, FT, and BN approaches unsurprisingly induce exactly the same numerical values, since the frequency derivation is based on the same analytical expressions backed by Boolean algebra.
• SPNs produce results almost identical to the previous ones thanks to statistical processing of the experienced behaviors associated with each history (10E+10 in total). This can be seen as a validation of the developed model and the proposed methodology in general. Note that the case study was defined in a way that it can be modeled using traditional approaches. SPNs could consider many features beyond their capabilities.

Figure 8. Bow-tie model for escalation paths

Figure 9. Fault tree model for escalation paths

Figure 10. BN model for escalation paths

Table 3. Domino effects sequences frequencies (y-1)

The direct escalation from Tank 1 to Tank 2 is more likely (9.95E-09 y^-1) than that from Tank 1 to Tank 3 (2.125E-09 y^-1). This is explained by the greater distance between the bund of Tank 1 and the wall of Tank 3 (36.6 m) compared to that between the bund of Tank 1 and the wall of Tank 3 (20 m).

• The most probable full domino escalation path is: Tank 1→Tank 2→Tank 3, with a frequency of 1.51E-10 y^-1. The sequence Tank 1 → Tank 3 → Tank 2 happens with a lower frequency (6.3300E-11 y^-1). The previous statement explains these results.
• The different escalation sequences exhibit low frequencies compared to those usually used in risk acceptance criteria (for instance, 10^-5 and 10^-6 y^-1), indicating that the domino effect risk is acceptable and the current tank configuration may be adopted.
• Synergistic effects, such as combined HR from Tank 1 and Tank 2 on Tank 3 (see Table 2), significantly increase escalation probability (from PEST13 = 6.062E-4 to PEST23 = 0.015), demonstrating the importance of considering multiple simultaneous sources and therefore taking domino effects into account in risk assessment.