PSI - Issue 48

Aleksandar Šotić et al. / Procedia Structural Integrity 48 (2023) 266 – 273


Based on such process models, management actions are taken both for planned changes and for adaptive changes in response to disturbances from the environment (nature); in this way the system's resilience is built. The process model must contain the same information: (a) the required connections between the system variables (control rules), (b) the current state of the system (the current values of the system variables), and (c) the ways in which the system changes state. This model, which also has its own hydrologic-hydraulic component, is updated through various forms of feedback. The controlled process model is needed not only at the level of the physical process, but at all levels of the hierarchical control structure. The manager of the waterworks (or HPP) must, among other responsibilities, be kept informed about the current state of safety, equipment and employee training, as well as about the degree to which safety constraints have been established. Process models are used both during system/process management and during system development. The designer uses models of the system being designed and process models (models of system operation), and system safety is compromised if either of them is wrong. The accidents at the Al Jubail water desalination plant (KSA) and the Abatemarco pipeline in Italy (Ivetić, 2004) were caused by the designer's wrong process model (an unacceptable simplification of the hydraulic model of transient regimes) and by the contractor's wrong model (a change in the designed control valve specification for pipeline discharge), respectively. Traditional hazard analysis techniques (such as event-chain models) are limited by their focus on the unwanted event and on the role of component failures and human errors in it; they cannot capture flaws introduced during planning and design, nor organizational and management flaws.
System-Theoretic Process Analysis (STPA) (Leveson, 2011) is a hazard analysis technique derived from the STAMP concept and represents the basis for effectively integrating the results of earlier analyses of system engineering processes. At the same time, STPA embodies the STAMP model of accident causation. The technique consists of four iterative steps: (i) establishing the basis for the analysis, (ii) modeling the control structure, (iii) analysis of potentially unsafe control actions, and (iv) identification of potential causes/scenarios of hazardous control actions. By applying this technique, the possible causes of adverse events (with damages and losses) are determined, based on the safety requirements and constraints enforced on the controlled system being inadequate, so that they can be eliminated in a timely manner during the system development process. Causes can be sought (and found) in design and construction (inadequate hazard analysis and inadequate design and implementation of control and mitigation measures), in system operation (controls that are assumed to exist do not exist, are not used, or turn out to be ineffective; or controls exist, are used and were originally effective, but changes over time violate the assumptions underlying their design), and in system management (which may be deficient in a number of ways). The STAMP/STPA methodology can be applied from a blank piece of paper, from the very intention and idea behind the project, and the results can subsequently be refined with each new step and detail as the design develops and knowledge increases. Therefore, since there is no insight into the detailed technical characteristics of the system or into the organizational activities and relations of the individual actors connected with HPP Pirot, the analysis in this paper is conducted at a preliminary level.

3. Results

This chapter presents some details of the application of the STAMP/STPA methodology to the operation of HPP Pirot. The HPP Pirot system, the physical HPP components, and the controlled processes (as designed) are listed in section 2.1. The production of electricity is the basic process that is carried out and that needs to be controlled, while storage of the flood wave from the Visočica and Temska river basins and low-flow augmentation are safety requirements. Recreation (swimming) was not included in the original intention and design of the system.

The system-level accidents and damages/losses of interest are defined as:
A1 Damage to downstream areas (human, material)
A2 Damage to the built and natural environment (in water bodies and on the banks)
A3 Loss of electricity production
A4 Loss of trust - public image degradation
A5 Financial losses

System hazards are defined on the basis of the previous step, as:
H1. The discharge of water is outside the safe range of flow (lower - higher) [in relation to A1, A2]
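The following added example (not code from the paper or from the HPP Pirot project) carries STPA steps (i) and (iii) through for the case above: it records the losses A1-A5 and hazard H1 as the text defines them, enumerates the four STPA types of unsafe control action for one control action, and checks that every unsafe control action traces back to a defined hazard and loss. The control action "open spillway gate", its two contexts and the rule `h1_rule` that maps combinations to H1 are assumptions made for illustration.

```python
# Added example (not from the paper): STPA steps (i) and (iii) for the HPP Pirot case,
# using losses A1-A5 and hazard H1 from the text; the control action, its contexts
# and the rule mapping unsafe control actions to H1 are assumptions.
from dataclasses import dataclass
from itertools import product
from typing import Optional
LOSSES = {
    "A1": "Damage to downstream areas (human, material)",
    "A2": "Damage to the built and natural environment",
    "A3": "Loss of electricity production",
    "A4": "Loss of trust - public image degradation",
    "A5": "Financial losses",
}
# hazard id -> (description, losses it can lead to), as traced in the text
HAZARDS = {"H1": ("Discharge outside the safe range of flow", ("A1", "A2"))}

# The four ways a control action can be unsafe (STPA, Leveson 2011)
UCA_TYPES = ("not provided", "provided", "too early or too late",
             "stopped too soon or applied too long")

@dataclass(frozen=True)
class UCA:
    controller: str
    action: str
    uca_type: str
    context: str
    hazard: str

def h1_rule(uca_type: str, context: str) -> Optional[str]:
    """Assumed rule for the action 'open spillway gate': which combinations of
    UCA type and system context lead to hazard H1."""
    if context == "flood inflow" and uca_type != "provided":
        return "H1"  # gate not opened, opened late or closed too soon in a flood
    if context == "normal inflow" and uca_type != "not provided":
        return "H1"  # unneeded release pushes discharge above the safe range
    return None

def enumerate_ucas(controller, action, contexts, rule):
    """Step (iii): list every (type, context) pair the rule marks as hazardous."""
    return [UCA(controller, action, t, c, rule(t, c))
            for t, c in product(UCA_TYPES, contexts) if rule(t, c)]

def losses_for(uca: UCA):
    """Traceability UCA -> hazard -> losses, which the analysis must be able to show."""
    return HAZARDS[uca.hazard][1]

def check_traceability(ucas):
    """Every UCA must point at a defined hazard and every hazard at defined losses."""
    return all(u.hazard in HAZARDS and
               all(l in LOSSES for l in HAZARDS[u.hazard][1]) for u in ucas)
```

Calling `enumerate_ucas("dam operator", "open spillway gate", ("flood inflow", "normal inflow"), h1_rule)` yields six unsafe control actions, each traceable to H1 and on to A1 and A2; step (iv) would then ask, for each of them, which flawed process model or missing feedback could produce it.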
