Hindawi Publishing Corporation
International Journal of Quality, Statistics, and Reliability
Volume 2008, Article ID 263895, 12 pages
doi:10.1155/2008/263895
Research Article
Fuzzy Risk Graph Model for Determining Safety Integrity Level
R. Nait-Said,1 F. Zidani,2 and N. Ouzraoui1
1 LARPI Laboratory, Safety Department, Institute of Health and Occupational Safety, University of Batna, Road Med El-Hadi Boukhlouf, Batna 05000, Algeria
2 LSPIE Laboratory, Electrical Engineering Department, Faculty of Engineering, University of Batna, Road Med El-Hadi Boukhlouf, Batna 05000, Algeria
Correspondence should be addressed to R. Nait-Said, r nait [email protected]
Received 15 August 2007; Revised 15 November 2007; Accepted 14 January 2008
Recommended by Nagi Gebraeel
The risk graph is one of the most popular methods used to determine the safety integrity level for safety instrumented functions. However, conventional risk graph as described in the IEC 61508 standard is subjective and suffers from an interpretation problem of risk parameters. Thus, it can lead to inconsistent outcomes that may result in conservative SIL’s. To overcome this difficulty, a modified risk graph using fuzzy rule-based system is proposed. This novel version of risk graph uses fuzzy scales to assess risk parameters, and calibration may be made by varying risk parameter values. Furthermore, the outcomes which are numerical values of risk reduction factor (the inverse of the probability of failure on demand) can be compared directly with those given by quantitative and semiquantitative methods such as fault tree analysis (FTA), quantitative risk assessment (QRA), and layers of protection analysis (LOPA).
1. Introduction
The purpose of a safety analysis is to ensure that the risks that could be a potential source of harm, damage of property and degradation of the environment, are sufficiently minimized by addressing all the relevant safety lifecycle stages including the design, implementation, operation, and maintenance through to decommissioning. Reducing residual risk to an acceptable level is usually achieved by using a combination of safety protective systems, including safety instrumented systems, SIS (e.g., emergency shutdown systems and fire and gas systems), other technology safety-related systems (e.g., relief valves, bursting discs, firewalls, drain system), and external risk reduction facilities (e.g., work organization, procedures, separation). The SIS often represents an integral part of a safety management system to reduce the risk of major accident hazards [1]. It is made up of one or more safety instrumented functions (SIF) to sense abnormal situations and automatically return the process to a safe state. This is usually achieved by performing a partial or complete shutdown of the process, to prevent a hazardous event or mitigate its consequences. If the initial risk without SIS is high, the availability and integrity requirements for SIF’s must be high.
Requirements for SIF’s are addressed in the international standard IEC 61508 [2] and the process industry sector-specific version IEC 61511 [3] which are widely accepted as the basis for specification, design, and operation of SIS’s. Each SIF is specified in terms of the action to be achieved and the required probability of failure on demand (PFD). The latter defines the required safety integrity level (SIL) for the SIF. The IEC standards provide a framework for establishing SIL’s although they do not specify the SIL’s required for specific applications. They propose various methods for determining the PFD or the amount of risk reduction needed.
The risk graph described in Part 5 of the IEC 61508 is one of the most popular methods that enables the SIL of a SIF to be determined from a knowledge on the risk factors related to the process. In particular, it has been extensively applied when determining SIL requirements for local safety functions such as process shutdown systems [4, 5]. The principles of the risk graph method have been adopted in the UKOOA guidelines for process control and safety systems on offshore installations and other documents published by offshore operators [6, 7].
Table 1: Definition of SIL’s for low-demand mode from IEC 61508-1.
SIL   Range of average PFD   Range of RRF
4     [10^-5, 10^-4[         ]10^4, 10^5]
3     [10^-4, 10^-3[         ]10^3, 10^4]
2     [10^-3, 10^-2[         ]10^2, 10^3]
1     [10^-2, 10^-1[         ]10^1, 10^2]
An important issue faced by risk analysts is how to deal with uncertainties that arise in each phase of the risk assessment process. In particular, one should identify how to deal with the state of incomplete/no knowledge related to process safety functions. An underlying assumption is that uncertainty increases risk, but this is a conservative approach requiring that, in the absence of meaningful data or the opportunity to assimilate all available data, risk should be overestimated rather than underestimated. Therefore, higher ratings are assigned to risk parameters, reflecting the assumption of unfavorable conditions, in order to compensate the uncertainty. Although this approach results in a conservative outcome leading to a design of sufficient safety integrity, it leads also to higher installation and maintenance costs. Alternatively, more efforts are certainly needed to obtain a consistent and less conservative outcome using more refined SIL determination methods [4, 8, 9].
Fuzzy rule-based systems and fuzzy arithmetic [10–12] have emerged over the last years as a very appropriate tool in dealing with uncertainty in reliability and safety analysis [13–18]. In this paper, an approach of fuzzy rule-based risk graph is proposed in order to add more power features to the conventional calibrated risk graph method. In this perspective, the safety integrity assessment based on fuzzy logic allows the analyst to evaluate the SIL of SIF’s in a natural way by using the notion of a linguistic variable for depicting information which is qualitative, imprecise, and/or uncertain. The methodology we have used is the application of the fuzzy inference system with fuzzifier and defuzzifier on a calibrated risk graph. The outcomes of the fuzzy risk graph are numerical values of risk reduction factor (RRF = 1/PFD) which are computed from a defuzzification of fuzzy SIL’s.
2. Conventional Risk Graph Method
Safety-related systems are conceived to implement the safety functions necessary to achieve or maintain a safe state for the process in terms of specified risk reduction related to hazardous events. A safety function is thus expressed in terms of the action to be taken and the required probability to satisfactorily perform this action. This probability as a quantitative target defines the safety integrity. Four discrete safety integrity levels, namely, SIL1, SIL2, SIL3, and SIL4, are defined in the IEC 61508, and quantitative targets to which they relate are based on whether the safety-related system is operating in low-demand mode (e.g., shutdown system) or continuously (e.g., motor car brakes). In the first case, the appropriate measure of safety function performance is the probability of failure on demand (PFD), or its inverse, risk reduction factor (RRF). For functions which operate continuously, it is the probability of a dangerous failure per hour which is of concern. Table 1 shows the definition of the four SIL’s for low-demand mode. As shown, the higher the SIL is, the more available the safety related system will be, so the more stringent becomes the implementation of safety function.
Figure 1: Example of risk graph from IEC 61508-5. (Starting point for risk reduction; consequence branches CA, CB, CC, … lead through FA/FB and PA/PB to the outputs X1 to X6, which are mapped onto the scales W1, W2, W3. Legend: C: consequence parameter; F: frequency and exposure time parameter; P: possibility of avoiding hazard; W: demand rate assuming no protection; —: no safety requirements; a: no special safety requirements; b: a single E/E/PES is not sufficient; 1, 2, 3, 4: SIL.)
For determining the SIL, IEC standards have provided various methods that have been applied with differing degrees of success [4]. These methods range from using pure quantitative risk assessments to more qualitative methods, as follows:
(i) quantitative methods such as fault tree analysis (FTA) and layer of protection analysis (LOPA),
(ii) semiqualitative methods such as safety layer matrix and calibrated risk graph. The latter is described by some practitioners as a semiquantitative method,
(iii) qualitative methods like risk graph and hazardous event severity matrix.
Qualitative and semiqualitative methods are generally less costly than the quantitative ones. They are technologically less demanding to develop, relatively intuitive to plant operators without requiring detailed risk assessment training, and do not make extensive use of historical failure-related data as a base of estimating failure probabilities.
The risk graph as a qualitative method can be described as a decision tree in which four risk parameters, considered to be sufficiently generic to deal with a wide range of applications, must be combined to arrive at the required SIL. These parameters are as follows: consequence (Ci), frequency and exposure time (Fj), possibility of avoiding hazard (Pk), and probability of the unwanted occurrence (Wl). Figure 1 gives an example of a risk graph implementation [2]. An explanation of this risk graph is the following.
(i) Use of the risk parameters C, F, and P leads to one of six outputs X1, X2, . . . , X6. Each one of these outputs is mapped onto one of three scales (W1, W2, and W3). Each point on these scales gives an indication of the necessary safety integrity that has to be met by the E/E/PE safety-related system. The numbers 1, 2, 3, and 4 represent the four SIL’s. The point a indicates the case of a system without special safety requirements, which corresponds to a probability of failure less than that indicated for SIL1. The point b refers to situations when for specific consequences, a single safety-related system is not sufficient to give the necessary risk reduction.
(ii) The mapping onto W1, W2, or W3 allows the contribution of other risk reduction measures to be made. Scale W3 provides the minimum risk reduction contributed by other measures (i.e., the highest probability of the unwanted occurrence), scale W2 is a medium contribution, and scale W1 is the maximum contribution. Thus, the output of the risk graph as a measure of the required risk reduction for the E/E/PE safety-related system, together with the risk reductions achieved by other technology safety related systems and external risk reduction facilities which are taken into account by the W1 scales, gives the overall risk reduction for the specific situation.
3. Shortcomings and Alternatives
Although the risk graph method is relatively easy to be implemented and allows a fast assessment of SIL’s, it is less precise. Indeed, the interpretation of linguistic terms such as rare, possible, and death of several persons, can differ between evaluators since they could be the result of a subjective decision or can differ from one industry sector to another [4, 6, 19].
There is therefore the need to calibrate the graph and to give guidance on the meanings of linguistic terms using orders of magnitude via numerical scales so that the resulting SIL rating will bring down the residual risk to the acceptable level. Otherwise, the risk reduction will be principally subjective with substantial limitations for safety-related decision making [20]. In this sense, the IEC 61511 Part 3 provides a semiqualitative method which is the calibrated risk graph. Although not specifically and absolutely fixed by the standard, the risk graph is usually calibrated such that each decision differs from another by a factor of ten (10^-1, 10^-2, . . .). Figure 2 and Table 2, respectively, show an example of a risk graph as used in the UKOOA guidelines and quantitative definitions of risk parameters [6, 7, 21].
Against a tolerable target risk, managing the inherent uncertainty in the range of the risk parameters of a risk graph is problematic [7, 21, 22]. Although crisp intervals as means of characterizing uncertainty are an acceptable part of the usual calibrated risk graphs, the sufficient robustness in the SIL value may not be reached against the ambiguity of the information upon which the assessors base their judgment.
Figure 2: Risk graph with qualitative description of parameters. (From the starting point, the columns consequence (minor, marginal, critical, catastrophic), exposure (rare, frequent) and avoidance (possible, not likely) lead to the demand rate scales relatively high, low and very low. Legend: —: no safety requirements; a: no special safety requirements; NR: not recommended; 1, 2, 3, 4: safety integrity level.)
This type of knowledge elicitation presents two major disadvantages: first, it is in discordance with the gradual transition from one interval to another, well known in real world applications. Indeed, a measurement that falls into a close neighborhood of each precisely defined border between two adjacent intervals is taken as an evidential support for only one of them, in spite of the inevitable uncertainty involved in the computing of the SIL, that is, the safety integrity will be more or less one with of course different requirements. Second, it fails to reflect the fact that in most human reasoning and concept formation, the decomposition of whole into parts is fuzzy rather than crisp [23–25]. In fact, there is an incompatibility between the uncertainty characterizing human perception and the crispness of the response mode. Thus, we need a representation of numbers, which is tolerant of imprecision and partial truths. Linguistic terms, defined on numerical universes and supported by fuzzy sets, provide a rather natural tool for numeric/symbolic interfaces and would be a very adequate alternative when available information is imprecise and/or uncertain.
Furthermore, compared to C and W parameters, F and P have only two ranges each and so the calibration will be dominated by the two first. As an alternative solution, Blackmore [22] developed for an offshore project an alternative graph format by introducing four categories for F against reducing those of C to two only (injury or death). As reported, the proposed approach has resulted in improved effectiveness in the SIL determination. For a best calibration, Dean [7] suggested also the introduction of additional consequence and frequency bands in some cases. Recently, Baybutt [8] has developed an improved risk graph with the following four parameters: initiating cause frequency, enabling events/conditions, safeguards failure probability, and consequences of the hazardous event. He introduces more than two levels for the first and the last two parameters to overcome both conservative and optimistic choices that respectively may result in an overestimation and underestimation of the SIL.
Table 2: Example of qualitative and quantitative definitions of parameters.
Risk parameters     Qualitative descriptions                       Quantitative descriptions
Consequence (C)     Minor: injury                                  No deaths per event
                    Marginal: one death or permanent injury        ]10^-2, 10^-1] probable deaths per event
                    Critical: several deaths                       ]10^-1, 1] probable deaths per event
                    Catastrophic: many deaths                      >1 probable deaths per event
Exposure (F)        Rare                                           <10% of time
                    Frequent                                       ≥10% of time
Avoidance (P)       Possible                                       >90% probability of avoiding hazard
                    Not likely                                     ≤90% probability of avoiding hazard
Demand rate (W)     Very low                                       <1 in 30 years ≈ <0.03 per year
                    Low                                            1 in ]3, 30] years ≈ [0.03, 0.3[ per year
                    Relatively high                                1 in ]0.3, 3] years ≈ [0.3, 3[ per year
Another alternative proposed by Ormos and Ajtonyi [26] concerns the use of a fuzzy rule-based system in determining the SIL value by applying hazardous event severity matrix and conditional catastrophe theory. By application to three subsystems of steam production, the results of this approach compared with those provided by the quantitative method (as described by the IEC 61508) are very encouraging. For two subsystems the same result is obtained, SIL3 and SIL2, and for the third the result is SIL1 by fuzzy approach against SIL2 by the quantitative method. This difference is interpreted by the fact that severity parameter qualitatively estimated as low is not taken into consideration by the quantitative method. In the same way, Simon et al. [27] propose a fuzzy rule-based approach of the risk graph as well as a subjective evaluation of risk parameters by aggregation of expert judgments. Allocation of required SIL is determined by considering the risk graph as a fuzzy decision tree. Both risk parameters and SIL are represented by fuzzy partitions with linguistic descriptors, defined on ordinal measurement scales. The proposed approach is applied to equipment issued from the literature: a vessel containing a volatile flammable liquid. A SIF is considered to protect against a gas release greater than the admissible rate which is 10^-4 per year. Each risk parameter is assessed by aggregating expert judgments given as possibility distributions, and fuzzy inference system provides after defuzzification the SIL value which is SIL2. Referring to these works, we attempt in this paper to develop a more flexible calibrated risk graph using fuzzy logic system, with two main differences compared to the above approaches. First, calibration problem is taken into consideration, and so, scales supporting fuzzy partitions of the SIL and parameters C, F, P, and W are numeric rather than ordinal with the orders of magnitude given by Tables 1 and 2. Second, fuzzy intervals defined on the RRF universe particularly allow a SIL value to be between two successive classes with differing membership degrees. In practice, when the availability data for a SIF indicates a requirement just between two SIL classes, generally the stricter SIL requirement is chosen [5]. This conservative solution involves a more substantial increment of effort and competence with the major difference occurring when moving from SIL2 to SIL3 [6]. The fuzzy integrity levels may be an alternative to resolve this kind of problem. For example, a value of RRF (1/PFD) as an outcome of the fuzzy risk graph model may belong simultaneously to two fuzzy sets SIL2 and SIL3 but with a little higher membership degree to the latter (e.g., equal to 0.7). It would be reasonable to say that we are in presence of rather SIL3 requirements which clearly involve less cost and time than conventional SIL3, according to the proportion given by the membership degree. For example, 70% of the cost and time devoted to the conventional SIL3.
4. Fuzzy Inference System Methodology
Fuzzy logic-based method is a powerful tool for modeling the behavior of systems which are too complex or too ill-defined to admit of conventional quantitative techniques or when the available information from the systems is qualitative, imprecise, and/or uncertain. In contrast to classical logical systems, fuzzy logic aims at modeling the imprecise modes of reasoning that play an essential role in the human ability to give judgments or to make decisions in an environment of uncertainty and imprecision. Thus, unlike quantitative approaches that require accurate equations to model real-world behaviors, fuzzy logic can accommodate the ambiguities of real-world human reasoning with the concept of fuzzy sets and fuzzy inference techniques and consequently, possesses a natural capability to express and deal with judgment and measurement uncertainties.
Fuzzy inference systems have found numerous applications in fields such as automatic control, data classification, decision analysis, expert systems, reliability engineering, and system safety. Among these systems, the fuzzy logic controller proposed by Mamdani and Assilian [28] is the most encountered in fuzzy rule-based problems. It was the first implementation dedicated to the control of a steam engine by synthesizing a set of fuzzy rules provided by experienced human operators. Based on a simple technique using the max-min inference, Mamdani’s method has been successfully applied in many fields ranging from processes control to medical diagnosis. Specific details for each step of this method are explained briefly below [29].
Figure 3: Overall procedure of fuzzy safety integrity assessment. (The inputs consequence, exposure, avoidance and demand rate are fuzzified through input fuzzy intervals into fuzzy consequence, fuzzy exposure, fuzzy avoidance and fuzzy demand rate; fuzzy inference applies the rules derived from the risk graph; defuzzification through output fuzzy intervals turns the fuzzy SIL into the RRF (1/PFD) assessment.)
Let us consider a rule base constituted of $n$ fuzzy IF-THEN rules with multiple inputs and single output (MISO). Each rule $R_i$ ($i = 1, \ldots, n$) is therefore of the form
$$R_i:\ \text{if } X_1 \text{ is } A_{i1} \text{ and } \ldots \text{ and } X_m \text{ is } A_{im} \text{ then } Y \text{ is } B_i, \qquad (1)$$
where the $X_j$’s, $j = 1, \ldots, m$, and $Y$ are linguistic variables defined on the universes $U = U_1 \times \cdots \times U_m$ and $V$, respectively. The fuzzy sets $A_{ij}$ are elements of a linguistic partition $T_j$ of $U_j$ (universe of variable $X_j$). For a crisp input vector $u^0 = (u^0_1, \ldots, u^0_m)$, the output value is determined by the following three-step method.
4.1. Fuzzification
It is the process of converting an input data $u^0_j$ into its symbolic representation, that is, a fuzzy set $A^*_{ij}$, using the fuzzy partition $T_j$ of $U_j$, by computing the membership degree $\mu_{A_{ij}}(u^0_j)$ of $u^0_j$ to each $A_{ij}$. Then, a matching degree $\alpha_i = \min_j \mu_{A_{ij}}(u^0_j)$ is computed for each rule $R_i$.
4.2. Fuzzy Inference
The process for obtaining the fuzzy output using the max-min inference method consists of the following substeps.
(i) Finding the firing level of each rule: the truth value for the premise of each rule $R_i$ is computed and applied to the conclusion part of this rule. It is computed as follows:
$$\alpha_i = \min_j \mu_{A_{ij}}\bigl(u^0_j\bigr). \qquad (2)$$
If a rule’s premise has nonzero degree of truth, that is, when the input matches partially the premise of the rule, then the rule is fired.
(ii) Inferencing: in the inference step, the output $B'_i$ of each rule $R_i$ is computed using a conjunction operator, the min. Then, $B'_i = \alpha_i \wedge B_i$ is given by
$$\mu_{B'_i}(v) = \min\bigl(\alpha_i, \mu_{B_i}(v)\bigr). \qquad (3)$$
(iii) Aggregation: for obtaining the overall system output, all the individual rule outputs are combined using the union operator. Then, $B' = \bigcup_i B'_i = \bigcup_i \alpha_i \wedge B_i$ with membership function
$$\mu_{B'}(v) = \max_{i=1,\ldots,n} \mu_{B'_i}(v). \qquad (4)$$
4.3. Defuzzification
It produces a representative value $v_0$ of $Y$ in $B'$. Among defuzzification methods, the center of gravity is the most commonly used, and it is given by
$$v_0 = \frac{\int_{v \in V} \mu_{B'}(v)\, v\, dv}{\int_{v \in V} \mu_{B'}(v)\, dv}. \qquad (5)$$
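The three steps above, written out as a working Mamdani engine for a reduced fuzzy risk graph (consequence and demand rate only, the two-input reduction that the rule form of Section 5 allows). This is an added example, not code from the paper: the trapezoids on the log10 universes and the rule table are constructed for it and are not the paper's calibrated partitions or rule base.

```python
"""Mamdani max-min inference (Sections 4.1 to 4.3) on a two-input fragment of a
fuzzy risk graph: consequence C and demand rate W, with F and P held fixed.
Added illustration, not code from the paper: the partitions are constructed on
log10 universes and the rule table is an illustrative reading of the risk
graph, not the paper's calibrated rule base."""
import math
from typing import Callable, Dict, List, Tuple

INF = math.inf

def trapezoid(s_minus: float, q_minus: float, q_plus: float,
              s_plus: float) -> Callable[[float], float]:
    """Trapezoidal membership with support [s-, s+] and core [q-, q+].
    Open-ended extreme sets pass -INF for both s-, q- (or +INF for q+, s+)."""
    def mu(u: float) -> float:
        if u <= s_minus or u >= s_plus:
            return 0.0
        if q_minus <= u <= q_plus:
            return 1.0
        if u < q_minus:                                  # rising edge
            return (u - s_minus) / (q_minus - s_minus)
        return (s_plus - u) / (s_plus - q_plus)          # falling edge
    return mu

# C = log10(probable deaths per event). Bands follow the Table 2 orders of
# magnitude, with core and support a quarter decade inside/outside each bound.
C_SETS: Dict[str, Callable[[float], float]] = {
    "minor":        trapezoid(-INF, -INF, -2.25, -1.75),
    "marginal":     trapezoid(-2.25, -1.75, -1.25, -0.75),
    "critical":     trapezoid(-1.25, -0.75, -0.25, 0.25),
    "catastrophic": trapezoid(-0.25, 0.25, INF, INF),
}
# W = log10(demands per year); 0.03 and 0.3 per year are the Table 2 bounds.
W_SETS = {
    "very_low":        trapezoid(-INF, -INF, -1.77, -1.27),
    "low":             trapezoid(-1.77, -1.27, -0.77, -0.27),
    "relatively_high": trapezoid(-0.77, -0.27, INF, INF),
}
# Output: log10(RRF) on [0, 6]; SILk is built on ]10^k, 10^(k+1)] of Table 1.
SIL_SETS = {
    "NSSR": trapezoid(-INF, -INF, 0.75, 1.25),
    "SIL1": trapezoid(0.75, 1.25, 1.75, 2.25),
    "SIL2": trapezoid(1.75, 2.25, 2.75, 3.25),
    "SIL3": trapezoid(2.75, 3.25, 3.75, 4.25),
    "SIL4": trapezoid(3.75, 4.25, 4.75, 5.25),
    "NR":   trapezoid(4.75, 5.25, INF, INF),
}
# Rules of the form (13) with F and P dropped: (C label, W label, SIL label).
RULES: List[Tuple[str, str, str]] = [
    ("minor", "very_low", "NSSR"), ("minor", "low", "NSSR"),
    ("minor", "relatively_high", "SIL1"),
    ("marginal", "very_low", "SIL1"), ("marginal", "low", "SIL2"),
    ("marginal", "relatively_high", "SIL3"),
    ("critical", "very_low", "SIL2"), ("critical", "low", "SIL3"),
    ("critical", "relatively_high", "SIL4"),
    ("catastrophic", "very_low", "SIL3"), ("catastrophic", "low", "SIL4"),
    ("catastrophic", "relatively_high", "NR"),
]
V_MAX, STEPS = 6.0, 6000            # output universe and integration grid

def infer(c_log10: float, w_log10: float) -> Tuple[float, Dict[str, float]]:
    """Crisp (C, W) in; (log10 RRF, membership of that RRF in each SIL set) out."""
    # 4.1 and 4.2(i): firing level alpha_i = min_j mu_Aij(u0_j), eq. (2)
    fired = []
    for c_lab, w_lab, sil_lab in RULES:
        alpha = min(C_SETS[c_lab](c_log10), W_SETS[w_lab](w_log10))
        if alpha > 0.0:                              # only matching rules fire
            fired.append((alpha, SIL_SETS[sil_lab]))
    if not fired:
        raise ValueError("input lies outside every fuzzy partition")

    # 4.2(ii) and (iii): mu_B'(v) = max_i min(alpha_i, mu_Bi(v)), eqs. (3), (4)
    def mu_out(v: float) -> float:
        return max(min(alpha, mu_b(v)) for alpha, mu_b in fired)

    # 4.3: centre of gravity, eq. (5), as a Riemann sum on a uniform grid
    num = den = 0.0
    for k in range(STEPS + 1):
        v = V_MAX * k / STEPS
        weight = mu_out(v)
        num += weight * v
        den += weight
    v0 = num / den
    return v0, {label: mu(v0) for label, mu in SIL_SETS.items()}

def assess(deaths_per_event: float, demands_per_year: float):
    """Linear inputs in; (RRF = 1/PFD, SIL memberships) out."""
    v0, memberships = infer(math.log10(deaths_per_event), math.log10(demands_per_year))
    return 10.0 ** v0, memberships

if __name__ == "__main__":
    # 0.1 deaths/event at 0.1 demands/year sits on the marginal/critical border:
    # the defuzzified RRF lands between SIL2 and SIL3 with membership 0.5 each.
    rrf, mem = assess(0.1, 0.1)
    print(f"RRF = {rrf:.0f}", {k: round(v, 2) for k, v in mem.items() if v > 0})
```

An input on a crisp border thus yields an RRF of 1000 with membership 0.5 in both SIL2 and SIL3, which is exactly the "between two classes" outcome the paper argues for in Section 3.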
5. Fuzzy Safety Integrity Assessment
The overall procedure for making a fuzzy safety integrity assessment is shown in Figure 3. The analysis uses fuzzy partitions to describe both risk parameters and SIL’s. The membership functions are determined by a fuzzification, that is, a fuzzy information granulation according to Zadeh [25], of data of a typical calibrated risk graph. Thus, crisp intervals are replaced by fuzzy intervals with trapezoidal membership functions. The basic idea of this transformation is to consider the boundaries of an ordinary interval as a mean value of a fuzzy number under the form of upper and lower expectations [30]. Details concerning the different steps of the proposed fuzzy model are presented below.
5.1. Selection of Input Variables
Referring to the IEC standards, the fuzzy rule-based system associated with conventional risk graph considers the four risk parameters C, F, P, and W as input variables, and considers the SIL as the unique output variable. The parameters C, F, P, and W allow a meaningful graduation of the risks to be made, and contain the key risk assessment factors. Obviously, other factors or conditions could be considered but with reduced number because two major disadvantages may emerge. First, the higher the number of parameters is, the more additional SIL’s should be necessarily added but certainly without corresponding requirements. Second, further input variables do not allow the fuzzy system to be at a reasonable size and may complicate the test of the model.
Figure 4: Upper and lower mean values of Q. ($\mu_Q$ plotted over $u$, with support $[s^-, s^+]$, core $[q^-, q^+]$, left and right spreads $\alpha$ and $\beta$, and $E_*(Q)$, $E^*(Q)$ lying $\alpha/2$ and $\beta/2$ outside the core.)
5.2. Development of the Fuzzy Scales
Fuzzy logic uses the concept of linguistic variable to describe the premise and conclusion of a fuzzy rule [11, 12]. This concept provides a tool of approximate characterization of situations which are too complex or too ill-defined for the application of conventional quantitative techniques. A linguistic variable differs from a numerical variable in that its values are not numbers but words in a natural language. The fuzzy sets, with their boundaries not sharply defined, play the role of values of the linguistic variable and may be viewed as summaries of various subclasses of elements in a universe of discourse. In the present step, the fuzzy sets for the description of the parameters C, F, P, and W and the SIL are derived from corresponding crisp partitions, referring to an experienced model, the calibrated risk graph presented in Figure 2. Transforming an ordinary interval to a fuzzy interval may be considered as the converse problem of determining the mean value of a fuzzy interval. However, consistently with the well-known definition of expectation in probability theory, Dubois and Prade [30] have suggested a relevant definition of the mean value of a fuzzy interval as follows: “the mean value of a fuzzy interval Q is a closed interval bounded by the expectations calculated from its upper and lower distribution functions,” that is,
$$E(Q) = \bigl[E_*(Q), E^*(Q)\bigr], \qquad (6)$$
where
$$E_*(Q) = \inf E(Q) = \int_{-\infty}^{+\infty} u\, dF^*(u), \qquad E^*(Q) = \sup E(Q) = \int_{-\infty}^{+\infty} u\, dF_*(u). \qquad (7)$$
$F_*$ and $F^*$ are the lower and upper distribution functions of $P$, respectively, and $P$ belongs to the set of probability measures, $\mathcal{P}(Q)$, which are defined on the support of $Q$.
Figure 5: Transformation of a crisp interval into a fuzzy one. ($\mu_Q$ plotted over $u$ on a linear scale, marking $s^-$, $E_*(Q)$, $q^-$, $m$, $q^+$, $E^*(Q)$, $s^+$ and the spreads $\alpha$ and $\beta$.)
Let $Q$ be a fuzzy interval with a trapezoidal membership function $\mu_Q$, and let $S(Q) = [s^-, s^+]$ and $C(Q) = [q^-, q^+]$ be the support and core of $Q$, respectively, that is, $\mu_{S(Q)}(u) > 0$ and $\mu_{C(Q)}(u) = 1$. Let $\alpha$ and $\beta$ be called the left and right spreads, respectively. Under the condition $\lim_{u \to -\infty} u^k F(u) = \lim_{u \to +\infty} u^k \bigl(1 - F(u)\bigr) = 0$ for $k \geq 1$, it follows that
$$E_*(Q) = \int_{0}^{+\infty} \bigl(1 - F^*(u)\bigr)\, du - \int_{-\infty}^{0} F^*(u)\, du = q^- - \int_{-\infty}^{q^-} \mu_Q(u)\, du,$$
$$E^*(Q) = \int_{0}^{+\infty} \bigl(1 - F_*(u)\bigr)\, du - \int_{-\infty}^{0} F_*(u)\, du = q^+ + \int_{q^+}^{+\infty} \mu_Q(u)\, du. \qquad (8)$$
The calculation of $E_*(Q)$ is as follows (see Figure 4):
$$\begin{aligned}
E_*(Q) &= q^- - \int_{-\infty}^{q^-} \mu_Q(u)\, du = q^- - \int_{-\infty}^{q^-} \Bigl(1 - \frac{q^- - u}{\alpha}\Bigr) du \\
&= q^- - \int_{s^-}^{q^-} \Bigl(1 - \frac{q^- - u}{\alpha}\Bigr) du = q^- - \Bigl[\Bigl(1 - \frac{q^-}{\alpha}\Bigr) u + \frac{u^2}{2\alpha}\Bigr]_{s^-}^{q^-} = q^- - \frac{\alpha}{2}.
\end{aligned} \qquad (9)$$
Thus,
$$E_*(Q) = q^- - \frac{\alpha}{2}, \qquad (10)$$
$$E^*(Q) = q^+ + \frac{\beta}{2}. \qquad (11)$$
These results are in concordance with the fact that the width of the mean value is a linear function of the spreads $\alpha$ and $\beta$ [30]. In our case, given $E_*$ and $q^-$ (resp., $E^*$ and $q^+$) of an unknown fuzzy interval $Q$, $\alpha$ (resp., $\beta$) will be determined using (10) (resp., (11)). $E_*$ and $E^*$ as mean values are given by the boundaries of crisp intervals. The calculation of $\alpha$ and $\beta$ is as follows. First, one computes the mean value, $m$, of the interval $[E_*, E^*]$. Next, the core boundaries, $q^-$ and $q^+$, are computed using the mean value of the subdivisions $[E_*, m]$ and $[m, E^*]$, respectively. Both for $m$, $q^-$, and $q^+$, one uses either arithmetic mean or geometric mean according to whether or not the universe scale is linear. Figure 5 illustrates the transformation of an ordinary interval into a fuzzy one on a linear scale. For instance, $\alpha$ and $s^-$ are determined as follows:
$$\alpha = 2\bigl(q^- - E_*\bigr) = 2\Bigl(\frac{E_* + m}{2} - E_*\Bigr) = m - E_* = \frac{E_* + E^*}{2} - E_* = \frac{E^* - E_*}{2}, \qquad s^- = q^- - \alpha. \qquad (12)$$
Figure 6: Transformation of crisp intervals into fuzzy ones: case of the parameter consequence: (a) minor, (b) moderate, (c) critical, and (d) catastrophic. (Each panel plots the degree of membership against fatalities per event on a logarithmic axis and marks $s^-$, $q^-$, $m$, $q^+$, $s^+$, $E_*$ and $E^*$; in (a) $E_* = s^-$ and in (d) $E^* = s^+$.)
Extreme fuzzy sets within a linguistic partition are derived from the transformation by assuming infinite spreads, that is, taking $\alpha = -\infty$, $\mu_{Q_{el}}(u) = 1$ for $u \leq q^-$ and $\beta = +\infty$, $\mu_{Q_{er}}(u) = 1$ for $u \geq q^+$ (el is for extreme left and er for extreme right). Furthermore, transforming an irregular crisp partition into a fuzzy partition may involve linguistic labels with meaningless values (incompatibility problem). In this case, the slope of the increasing or decreasing part of these fuzzy sets needs to be reasonably modified. Table 3 shows numerical results of the different transformations based on data of Tables 1 and 2. The transformation concerning the parameter consequence is illustrated by Figures 6(a), 6(b), 6(c), 6(d). The fuzzy partitions of risk parameters and SIL, which are derived from the fuzzy intervals $Q = [q^-, [s^-, s^+], q^+]$, are given by Figures 7(a), 7(b), 7(c), 7(d) and 8. A more detailed description of these partitions is presented in the following:
(i) consequence: four fuzzy sets, namely, minor, moderate, critical, and catastrophic, were defined on the input space of this variable (Figure 7(a)). The values varying from 10^-9 to 10 are represented on a logarithmic scale. To the linguistic value minor defined in risk graph as no deaths is assigned the crisp interval [10^-9, 10^-7] which suitably represents an unlikely event. This interval is transformed into a fuzzy one with the omission of the negative part. The interval [1, 10] is selected to be the mean value of the fuzzy set catastrophic with the possibility to change its upper bound according to the hazardous situation. The increasing part of catastrophic is adjusted by taking the upper bound of the core of the fuzzy set critical as its beginning point. This adjustment has double purpose. First, it removes the negative part of the fuzzy interval associated with the term catastrophic, which is meaningless from a point of view of number of fatalities. Second, it avoids the overlapping between more than two fuzzy sets, which involves many meaningless values for the class catastrophic. For instance, the degree of membership of the zero value in the nonadjusted fuzzy interval is 0.27.
(ii) Frequency and exposure time: two fuzzy sets, namely, rare and frequent, were defined on a linear scale ranging from 0% to 100% (Figure 7(b)). The boundaries of their cores are derived from arithmetic means of crisp interval subdivisions. As in the previous risk parameter, the negative part of the first set rare is removed, and the upper bound of its core has served as a lower bound of the support of the second set frequent. The membership function of the latter is obviously right open.
(iii) Possibility of avoiding hazard: as in the previous input parameter, two fuzzy sets named not likely and possible, respectively, were defined on the universe [0, 100] (Figure 7(c)). For the first set not likely, the negative part is removed and the upper bound of its support takes the lower bound value of the core of the set possible. The values of the latter are limited to 100 with a right open membership function.
(iv) Probability of the unwanted occurrence: three fuzzy sets, namely, very low, low, and relatively high, were defined on a probability space ranging from 10^-5 pa to 1 pa (Figure 7(d)). As for the first risk parameter, the probability values are represented on a logarithmic scale. The choice of 10^-5 pa (or 1.14 × 10^-9 ph) as a lower bound of the interval [10^-5, 0.03] refers to an unlikely event. Only the first and the last fuzzy sets were adjusted by removing the negative part and the values greater than one, respectively. The intermediate fuzzy set low remains unchanged.
(v) Safety integrity level (SIL): the SIL as a unique output variable is defined on a RRF scale. The universe of discourse of the latter consists of the interval [1, 10^6] with a regular crisp partition, that is, there is a factor of ten between two successive subintervals. Seven fuzzy sets were defined on the output space (Figure 8): four sets are associated with the four SIL’s, with the same labels as levels themselves, namely, SIL1, SIL2, SIL3, and SIL4, and the two sets named NSSR and NR refer to the cases no special safety requirements and single SRS not recommended, respectively. Except the delimitation of the set NR, no adjustment is made for all these labels.
5.2.1. Derivation of the Fuzzy Rules
A number of fuzzy IF-THEN rules are extracted following the risk graph logic and using the linguistic descriptors associated with the risk parameters and the SIL. In this case, the rule base can be understood as a translation of the risk graph, which is mainly based on the knowledge and experience of analysts regarding the process nature and the required risk reduction. Both the number of rules and the input variables involved in the premise parts depend on the risk graph implementation, that is, on the decomposition level of the risk graph. In the premise and conclusion parts of the rules, the meanings of the linguistic values of the input and output variables are described by the fuzzy sets defined in step 2. The general form of the derived fuzzy rules is
R_i: IF C is A_C^i
     and F is A_F^i
     and P is A_P^i
     and W is A_W^i
     THEN SIL is B^i,                                    (13)
where the risk parameters C, F, P, and W stand for the input variables; A_C^i, A_F^i, A_P^i, and A_W^i are their linguistic values, respectively. The SIL is the output variable with B^i as its linguistic value. The fuzzy vector (A_C^i, A_F^i, A_P^i, A_W^i) and the fuzzy set B^i are elements of the universes U_RP = U_C × U_F × U_P × U_W (RP for risk parameters) and U_SIL, respectively. According to the risk graph reduction, the premise part of the above rule may be reduced to two or three input variables. Referring to the calibrated risk graph of Figure 2, two examples of fuzzy rules are the following:
IF C is Marginal
and F is Frequent
and P is Possible
and W is Low
THEN SIL is SIL2,
IF C is Critical
and F is Rare
and W is Low
THEN SIL is SIL3
(14)
5.2.2. Fuzzy Rule Base Application
As explained in Section 4 on the fuzzy inference system methodology, when the fuzzy inference system is applied to a set of input parameter values, the information flows through the fuzzification-inference-defuzzification process in order to generate the output value. Given any combination of input values covering the specific context of the risk parameters, the fuzzy rule-based risk graph will compute the RRF value that the SIF must achieve within that context. The fuzzifier maps the crisp input vector u^0_RP = (u^0_C, u^0_F, u^0_P, u^0_W) in U_RP to fuzzy sets in U_RP, and the defuzzifier maps fuzzy sets in U_SIL to a crisp output value. If one or more risk parameters are not considered for a given rule, they have no effect on the matching degree α_i.

Table 3: Transformation of crisp intervals into fuzzy intervals.

Transformation indices and symbols: lower mean value E_∗; upper mean value E^∗; geometric mean m of [E_∗, E^∗]; lower boundary q− of the core C(Q); upper boundary q+ of the core C(Q); left spread α of Q; right spread β of Q; lower boundary S− of the support S(Q); modified value S∗− of S−; upper boundary S+ of the support S(Q); modified value S∗+ of S+.

Parameter / label       E_∗        E^∗        m          q−          q+          α           β           S−           S∗−        S+          S∗+
Consequence
  Minor                 1.0E-09    1.0E-07    1.0E-08    3.162E-09   3.162E-08   4.325E-09   1.368E-07   −1.162E-09   1.0E-09    1.684E-07   —
  Moderate              0.01       0.1        3.162E-02  1.778E-02   5.623E-02   1.557E-02   8.753E-02   2.217E-03    —          1.438E-01   —
  Critical              0.1        1          3.162E-01  1.778E-01   5.623E-01   1.557E-01   8.753E-01   2.217E-02    —          1.438E+00   —
  Catastrophic          1          10         3.162E+00  1.778E+00   5.623E+00   1.557E+00   8.753E+00   2.217E-01    —          1.438E+01   10
Exposure
  Rare                  0          10         5.0E+00    2.50E+00    7.50E+00    5.0E+00     5.0E+00     −2.50E+00    0          1.250E+01   —
  Frequent              10         100        5.50E+01   3.250E+01   7.750E+01   4.50E+01    4.50E+01    −1.250E+01   7.50E+00   1.225E+02   100
Avoidance
  Not likely            0          90         4.50E+01   2.250E+01   6.750E+01   4.50E+01    4.50E+01    −2.250E+01   0          1.125E+02   9.250E+01
  Possible              90         100        9.50E+01   9.250E+01   9.750E+01   5.0E+00     5.0E+00     8.750E+01    —          1.025E+02   100
Demand rate
  Very low              1.0E-02    0.03       5.477E-04  7.401E-05   4.054E-03   1.280E-04   5.189E-02   −5.401E-05   1.0E-05    5.595E-02   —
  Low                   0.03       0.3        9.487E-02  5.335E-02   1.687E-01   4.670E-02   2.626E-01   6.652E-03    —          4.313E-01   —
  Relatively high       0.3        1          5.477E-01  4.054E-01   7.401E-01   2.107E-01   5.198E-01   1.946E-01    —          1.260E+00   1
SIL (RRF = 1/PFD)
  NSSR (a)              1          10         3.162E+00  1.778E+00   5.623E+00   1.557E+00   8.753E+00   2.217E-01    1          1.438E+01   —
  SIL1                  10         100        3.162E+01  1.778E+01   5.623E+01   1.557E+01   8.753E+01   2.217E+00    —          1.438E+02   —
  SIL2                  1.0E+02    1.0E+03    3.162E+02  1.778E+02   5.623E+02   1.557E+02   8.753E+02   2.217E+01    —          1.438E+03   —
  SIL3                  1.0E+03    1.0E+04    3.162E+03  1.778E+03   5.623E+03   1.557E+03   8.753E+03   2.217E+02    —          1.438E+04   —
  SIL4                  1.0E+04    1.0E+05    3.162E+04  1.778E+04   5.623E+04   1.557E+04   8.753E+04   2.217E+03    —          1.438E+05   —
  NR                    1.0E+05    1.0E+06    3.162E+05  1.778E+05   5.623E+05   1.557E+05   8.753E+05   2.217E+04    —          1.438E+06   1.0E+06

[Figure 7: four panels plotting degree of membership (0 to 1) against (a) fatalities per event on a logarithmic scale from 1E-09 to 1E+01, with the sets Minor, Mod., Crit., and Catast.; (b) % of time from 0 to 100, with the sets Rare and Frequent; (c) probability of avoiding hazard from 0 to 100, with the sets Not likely and Possible; (d) demand rate (per annum) on a logarithmic scale from 1E-05 to 1E+00, with the sets Very low, Low, and Relat. high.]
Figure 7: Membership functions generated for risk parameters: (a) consequence, (b) exposure, (c) avoidance, and (d) demand rate.

[Figure 8: degree of membership (0 to 1) against RRF (1/PFD) on a logarithmic scale from 1E+00 to 1E+06, with the sets NSSR, SIL1, SIL2, SIL3, SIL4, and NR.]
Figure 8: Membership functions generated for SIL.
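A worked implementation of the fuzzification-inference-defuzzification flow for the two rules in (14), added here as an example and not part of the paper: membership functions are trapezoids built from the Table 3 breakpoints (modified support bounds S∗−/S∗+ where given, log10 on the consequence, demand-rate and RRF scales), the matching degree α_i is the minimum over only the parameters a rule's premise mentions, and the RRF comes from Mamdani max-min aggregation with centroid defuzzification on log10(RRF). Assumptions: the first rule's label Marginal is read as the Table 3 set Moderate, and the right-open sets Frequent and Possible are encoded with q+ = S+ = 100.

```python
import math
# Breakpoints (S-, q-, q+, S+) of each fuzzy interval from Table 3, using the modified
# support bounds S*-/S*+ where given; log-scale sets (C, W, RRF) are flagged True.
SETS = {
    "C": ({"Minor": (1.0e-9, 3.162e-9, 3.162e-8, 1.684e-7),
           "Moderate": (2.217e-3, 1.778e-2, 5.623e-2, 1.438e-1),
           "Critical": (2.217e-2, 1.778e-1, 5.623e-1, 1.438),
           "Catastrophic": (2.217e-1, 1.778, 5.623, 10.0)}, True),
    "F": ({"Rare": (0.0, 2.5, 7.5, 12.5), "Frequent": (7.5, 32.5, 100.0, 100.0)}, False),
    "P": ({"Not likely": (0.0, 22.5, 67.5, 92.5), "Possible": (87.5, 92.5, 100.0, 100.0)}, False),
    "W": ({"Very low": (1.0e-5, 7.401e-5, 4.054e-3, 5.595e-2),
           "Low": (6.652e-3, 5.335e-2, 1.687e-1, 4.313e-1),
           "Relatively high": (1.946e-1, 4.054e-1, 7.401e-1, 1.0)}, True),
}
SIL = {"NSSR": (1.0, 1.778, 5.623, 14.38), "SIL1": (2.217, 17.78, 56.23, 143.8),
       "SIL2": (22.17, 177.8, 562.3, 1438.0), "SIL3": (221.7, 1778.0, 5623.0, 14380.0),
       "SIL4": (2217.0, 17780.0, 56230.0, 143800.0), "NR": (22170.0, 177800.0, 562300.0, 1.0e6)}
# The two rules of (14) over the Table 3 labels (assumption: Moderate stands in for the
# graph's "Marginal"); a parameter absent from a premise does not enter alpha_i.
RULES = [({"C": "Moderate", "F": "Frequent", "P": "Possible", "W": "Low"}, "SIL2"),
         ({"C": "Critical", "F": "Rare", "W": "Low"}, "SIL3")]

def mu(x, pts, log_scale):
    """Trapezoid: 1 on the core [q-, q+], linear over the spreads, 0 outside the support;
    a set with q+ == S+ (Frequent, Possible) is right open. Log-scale inputs must be > 0."""
    a, b, c, d = pts
    if log_scale:
        x, a, b, c, d = (math.log10(v) for v in (x, a, b, c, d))
    if b <= x <= c:
        return 1.0
    if a < x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c) if c < x < d else 0.0

def matching_degree(premise, inputs):
    """alpha_i: minimum membership over only the parameters the rule mentions."""
    return min(mu(inputs[p], SETS[p][0][lab], SETS[p][1]) for p, lab in premise.items())

def infer_rrf(inputs, rules=RULES, step=0.001):
    """Mamdani max-min aggregation of the clipped SIL sets, centroid defuzzified on
    y = log10(RRF) in [0, 6]; returns None when no rule fires for these inputs."""
    fired = [(matching_degree(prem, inputs), SIL[concl]) for prem, concl in rules]
    if max(alpha for alpha, _ in fired) == 0.0:
        return None
    num = den = 0.0
    for i in range(int(6.0 / step) + 1):
        y = i * step
        agg = max(min(alpha, mu(10.0 ** y, pts, True)) for alpha, pts in fired)
        num, den = num + y * agg, den + agg
    return 10.0 ** (num / den)
```

With C = 0.3 fatalities, F = 5% of the time, W = 0.1 pa (and any P, since the second rule ignores it) only the SIL3 rule fires fully and the centroid lands near an RRF of 2250; inputs outside both premises return None rather than a spurious SIL.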
6. Conclusion
Although conventional risk graphs are relatively simple to implement, they can lead to inconsistent results and possibly to conservatism that may result in SIL overestimation. Indeed, the use of qualitative definitions for the risk parameters is highly subjective, and their meaning can be misunderstood. On the other hand, the numerical interpretation of the risk parameters and SIL's by means of crisp intervals violates the gradual transition between intervals, which is more realistic.
The proposed fuzzy risk graph model is a fuzzy rule-based risk graph. Its main advantages may include the following.
(i) It preserves the four parameters used in the standard risk graph and can be adapted easily to improved risk graphs.
(ii) Fuzzy scales with fuzzy linguistic values are used to assess the risk parameters, and calibration of the model may be made by varying the risk parameter values.
(iii) The outcomes of the model, which are numerical values of RRF (1/PFD), can be compared directly with those given by more refined methods like FTA, QRA, and LOPA.