
Hindawi Publishing Corporation
International Journal of Quality, Statistics, and Reliability
Volume 2008, Article ID 263895, 12 pages
doi:10.1155/2008/263895

Research Article

Fuzzy Risk Graph Model for Determining Safety Integrity Level

R. Nait-Said,1 F. Zidani,2 and N. Ouzraoui1

1 LARPI Laboratory, Safety Department, Institute of Health and Occupational Safety, University of Batna, Road Med El-Hadi Boukhlouf, Batna 05000, Algeria

2 LSPIE Laboratory, Electrical Engineering Department, Faculty of Engineering, University of Batna, Road Med El-Hadi Boukhlouf, Batna 05000, Algeria

Correspondence should be addressed to R. Nait-Said.

Received 15 August 2007; Revised 15 November 2007; Accepted 14 January 2008

Recommended by Nagi Gebraeel

The risk graph is one of the most popular methods used to determine the safety integrity level for safety instrumented functions. However, conventional risk graph as described in the IEC 61508 standard is subjective and suffers from an interpretation problem of risk parameters. Thus, it can lead to inconsistent outcomes that may result in conservative SIL's. To overcome this difficulty, a modified risk graph using fuzzy rule-based system is proposed. This novel version of risk graph uses fuzzy scales to assess risk parameters, and calibration may be made by varying risk parameter values. Furthermore, the outcomes which are numerical values of risk reduction factor (the inverse of the probability of failure on demand) can be compared directly with those given by quantitative and semiquantitative methods such as fault tree analysis (FTA), quantitative risk assessment (QRA), and layers of protection analysis (LOPA).

Copyright © 2008 R. Nait-Said et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. Introduction

The purpose of a safety analysis is to ensure that the risks that could be a potential source of harm, damage of property and degradation of the environment, are sufficiently minimized by addressing all the relevant safety lifecycle stages including the design, implementation, operation, and maintenance through to decommissioning. Reducing residual risk to an acceptable level is usually achieved by using a combination of safety protective systems, including safety instrumented systems, SIS (e.g., emergency shutdown systems and fire and gas systems), other technology safety-related systems (e.g., relief valves, bursting discs, firewalls, drain system), and external risk reduction facilities (e.g., work organization, procedures, separation). The SIS often represents an integral part of a safety management system to reduce the risk of major accident hazards [1]. It is made up of one or more safety instrumented functions (SIF) to sense abnormal situations and automatically return the process to a safe state. This is usually achieved by performing a partial or complete shutdown of the process, to prevent a hazardous event or mitigate its consequences. If the initial risk without SIS is high, the availability and integrity requirements for SIF's must be high.

Requirements for SIF's are addressed in the international standard IEC 61508 [2] and the process industry sector-specific version IEC 61511 [3] which are widely accepted as the basis for specification, design, and operation of SIS's. Each SIF is specified in terms of the action to be achieved and the required probability of failure on demand (PFD). The latter defines the required safety integrity level (SIL) for the SIF. The IEC standards provide a framework for establishing SIL's although they do not specify the SIL's required for specific applications. They propose various methods for determining the PFD or the amount of risk reduction needed.

The risk graph described in Part 5 of the IEC 61508 is one of the most popular methods that enables the SIL of a SIF to be determined from a knowledge on the risk factors related to the process. In particular, it has been extensively applied when determining SIL requirements for local safety functions such as process shutdown systems [4, 5]. The principles of the risk graph method have been adopted in the UKOOA guidelines for process control and safety systems on offshore installations and other documents published by offshore operators [6, 7].

Table 1: Definition of SIL's for low-demand mode from IEC 61508-1.

| SIL | Range of average PFD | Range of RRF |
|-----|----------------------|--------------|
| 4 | $[10^{-5}, 10^{-4}[$ | $]10^{4}, 10^{5}]$ |
| 3 | $[10^{-4}, 10^{-3}[$ | $]10^{3}, 10^{4}]$ |
| 2 | $[10^{-3}, 10^{-2}[$ | $]10^{2}, 10^{3}]$ |
| 1 | $[10^{-2}, 10^{-1}[$ | $]10^{1}, 10^{2}]$ |

An important issue faced by risk analysts is how to deal with uncertainties that arise in each phase of the risk assessment process. In particular, one should identify how to deal with the state of incomplete/no knowledge related to process safety functions. An underlying assumption is that uncertainty increases risk, but this is a conservative approach requiring that, in the absence of meaningful data or the opportunity to assimilate all available data, risk should be overestimated rather than underestimated. Therefore, higher ratings are assigned to risk parameters, reflecting the assumption of unfavorable conditions, in order to compensate the uncertainty. Although this approach results in a conservative outcome leading to a design of sufficient safety integrity, it leads also to higher installation and maintenance costs. Alternatively, more efforts are certainly needed to obtain a consistent and less conservative outcome using more refined SIL determination methods [4, 8, 9].

Fuzzy rule-based systems and fuzzy arithmetic [10–12] have emerged over the last years as a very appropriate tool in dealing with uncertainty in reliability and safety analysis [13–18]. In this paper, an approach of fuzzy rule-based risk graph is proposed in order to add more powerful features to the conventional calibrated risk graph method. In this perspective, the safety integrity assessment based on fuzzy logic allows the analyst to evaluate the SIL of SIF's in a natural way by using the notion of a linguistic variable for depicting information which is qualitative, imprecise, and/or uncertain. The methodology we have used is the application of the fuzzy inference system with fuzzifier and defuzzifier on a calibrated risk graph. The outcomes of the fuzzy risk graph are numerical values of risk reduction factor (RRF = 1/PFD) which are computed from a defuzzification of fuzzy SIL's.

2. Conventional Risk Graph Method

Safety-related systems are conceived to implement the safety functions necessary to achieve or maintain a safe state for the process in terms of specified risk reduction related to hazardous events. A safety function is thus expressed in terms of the action to be taken and the required probability to satisfactorily perform this action. This probability as a quantitative target defines the safety integrity. Four discrete safety integrity levels, namely, SIL1, SIL2, SIL3, and SIL4, are defined in the IEC 61508, and quantitative targets to which they relate are based on whether the safety-related system is operating in low-demand mode (e.g., shutdown system) or continuously (e.g., motor car brakes). In the first case, the appropriate measure of safety function performance is the probability of failure on demand (PFD), or its inverse, risk reduction factor (RRF). For functions which operate continuously, it is the probability of a dangerous failure per hour which is of concern. Table 1 shows the definition of the four SIL's for low-demand mode. As shown, the higher the SIL is, the more available the safety related system will be, so the more stringent becomes the implementation of safety function.

Figure 1: Example of risk graph from IEC 61508-5. [Decision tree from the starting point for risk reduction through the parameters C (CA, CB, CC, C4), F (FA, FB), and P (PA, PB) to the outputs X1 to X6, each read against the scales W3, W2, and W1. Legend: C: consequence parameter; F: frequency and exposure time parameter; P: possibility of avoiding hazard; W: demand rate assuming no protection; —: no safety requirements; a: no special safety requirements; b: a single E/E/PES is not sufficient; 1, 2, 3, 4: SIL.]

For determining the SIL, IEC standards have provided various methods that have been applied with differing degrees of success [4]. These methods range from using pure quantitative risk assessments to more qualitative methods, as follows:

(i) quantitative methods such as fault tree analysis (FTA) and layer of protection analysis (LOPA),

(ii) semiqualitative methods such as safety layer matrix and calibrated risk graph. The latter is described by some practitioners as a semiquantitative method,

(iii) qualitative methods like risk graph and hazardous event severity matrix.

Qualitative and semiqualitative methods are generally less costly than the quantitative ones. They are technologically less demanding to develop, relatively intuitive to plant operators without requiring detailed risk assessment training, and do not make extensive use of historical failure-related data as a base of estimating failure probabilities.

The risk graph as a qualitative method can be described as a decision tree in which four risk parameters, considered to be sufficiently generic to deal with a wide range of applications, must be combined to arrive at the required SIL. These parameters are as follows: consequence ($C_i$), frequency and exposure time ($F_j$), possibility of avoiding hazard ($P_k$), and probability of the unwanted occurrence ($W_l$). Figure 1 gives an example of a risk graph implementation [2]. An explanation of this risk graph is the following.

(i) Use of the risk parameters C, F, and P leads to one of six outputs $X_1, X_2, \ldots, X_6$. Each one of these outputs is mapped onto one of three scales ($W_1$, $W_2$, and $W_3$). Each point on these scales gives an indication of the necessary safety integrity that has to be met by the E/E/PE safety-related system. The numbers 1, 2, 3, and 4 represent the four SIL's. The point a indicates the case of a system without special safety requirements, which corresponds to a probability of failure less than that indicated for SIL1. The point b refers to situations when for specific consequences, a single safety-related system is not sufficient to give the necessary risk reduction.

(ii) The mapping onto $W_1$, $W_2$, or $W_3$ allows the contribution of other risk reduction measures to be made. Scale $W_3$ provides the minimum risk reduction contributed by other measures (i.e., the highest probability of the unwanted occurrence), scale $W_2$ is a medium contribution, and scale $W_1$ is the maximum contribution. Thus, the output of the risk graph as a measure of the required risk reduction for the E/E/PE safety-related system, together with the risk reductions achieved by other technology safety related systems and external risk reduction facilities which are taken into account by the $W_1$ scales, gives the overall risk reduction for the specific situation.

3. Shortcomings and Alternatives

Although the risk graph method is relatively easy to be implemented and allows a fast assessment of SIL's, it is less precise. Indeed, the interpretation of linguistic terms such as rare, possible, and death of several persons, can differ between evaluators since they could be the result of a subjective decision or can differ from one industry sector to another [4, 6, 19].

There is therefore the need to calibrate the graph and to give guidance on the meanings of linguistic terms using orders of magnitude via numerical scales so that the resulting SIL rating will bring down the residual risk to the acceptable level. Otherwise, the risk reduction will be principally subjective with substantial limitations for safety-related decision making [20]. In this sense, the IEC 61511 Part 3 provides a semiqualitative method which is the calibrated risk graph. Although not specifically and absolutely fixed by the standard, the risk graph is usually calibrated such that each decision differs from another by a factor of ten ($10^{-1}, 10^{-2}, \ldots$). Figure 2 and Table 2, respectively, show an example of a risk graph as used in the UKOOA guidelines and quantitative definitions of risk parameters [6, 7, 21].

Against a tolerable target risk, managing the inherent uncertainty in the range of the risk parameters of a risk graph is problematic [7, 21, 22]. Although crisp intervals as means of characterizing uncertainty are an acceptable part of the usual calibrated risk graphs, the sufficient robustness in the SIL value may not be reached against the ambiguity of the information upon which the assessors base their judgment.

Figure 2: Risk graph with qualitative description of parameters. [Decision tree from the starting point through consequence (minor, marginal, critical, catastrophic), exposure (rare, frequent), and avoidance (possible, not likely) to one SIL column per demand rate (relatively high, low, very low). Legend: —: no safety requirements; a: no special safety requirements; NR: not recommended; 1, 2, 3, 4: safety integrity level.]

This type of knowledge elicitation presents two major disadvantages: first, it is in discordance with the gradual transition from one interval to another, well known in real world applications. Indeed, a measurement that falls into a close neighborhood of each precisely defined border between two adjacent intervals is taken as an evidential support for only one of them, in spite of the inevitable uncertainty involved in the computing of the SIL, that is, the safety integrity will be more or less one with of course different requirements. Second, it fails to reflect the fact that in most human reasoning and concept formation, the decomposition of whole into parts is fuzzy rather than crisp [23–25]. In fact, there is an incompatibility between the uncertainty characterizing human perception and the crispness of the response mode. Thus, we need a representation of numbers, which is tolerant of imprecision and partial truths. Linguistic terms, defined on numerical universes and supported by fuzzy sets, provide a rather natural tool for numeric/symbolic interfaces and would be a very adequate alternative when available information is imprecise and/or uncertain.

Furthermore, compared to C and W parameters, F and P have only two ranges each and so the calibration will be dominated by the two first. As an alternative solution, Blackmore [22] developed for an offshore project an alternative graph format by introducing four categories for F against reducing those of C to two only (injury or death). As reported, the proposed approach has resulted in improved effectiveness in the SIL determination. For a best calibration, Dean [7] suggested also the introduction of additional consequence and frequency bands in some cases. Recently, Baybutt [8] has developed an improved risk graph with the following four parameters: initiating cause frequency, enabling events/conditions, safeguards failure probability, and consequences of the hazardous event. He introduces more than two levels for the first and the last two parameters to overcome both conservative and optimistic choices that respectively may result in an overestimation and underestimation of the SIL.

Table 2: Example of qualitative and quantitative definitions of parameters.

| Risk parameters | Qualitative descriptions | Quantitative descriptions |
|-----------------|--------------------------|---------------------------|
| Consequence (C) | Minor injury | No deaths per event |
| | Marginal: one death or permanent injury | $]10^{-2}, 10^{-1}]$ probable deaths per event |
| | Critical: several deaths | $]10^{-1}, 1]$ probable deaths per event |
| | Catastrophic: many deaths | >1 probable deaths per event |
| Exposure (F) | Rare | <10% of time |
| | Frequent | ≥10% of time |
| Avoidance (P) | Possible | >90% probability of avoiding hazard |
| | Not likely | ≤90% probability of avoiding hazard |
| Demand rate (W) | Very low | <1 in 30 years ≈ <0.03 per year |
| | Low | 1 in ]3, 30] years ≈ [0.03, 0.3[ per year |
| | Relatively high | 1 in ]0.3, 3] years ≈ [0.3, 3[ per year |

Another alternative proposed by Ormos and Ajtonyi [26] concerns the use of a fuzzy rule-based system in determining the SIL value by applying hazardous event severity matrix and conditional catastrophe theory. By application to three subsystems of steam production, the results of this approach compared with those provided by the quantitative method (as described by the IEC 61508) are very encouraging. For two subsystems the same result is obtained, SIL3 and SIL2, and for the third the result is SIL1 by fuzzy approach against SIL2 by the quantitative method. This difference is interpreted by the fact that severity parameter qualitatively estimated as low is not taken into consideration by the quantitative method. In the same way, Simon et al. [27] propose a fuzzy rule-based approach of the risk graph as well as a subjective evaluation of risk parameters by aggregation of expert judgments. Allocation of required SIL is determined by considering the risk graph as a fuzzy decision tree. Both risk parameters and SIL are represented by fuzzy partitions with linguistic descriptors, defined on ordinal measurement scales. The proposed approach is applied to equipment issued from the literature: a vessel containing a volatile flammable liquid. A SIF is considered to protect against a gas release greater than the admissible rate which is $10^{-4}$ per year. Each risk parameter is assessed by aggregating expert judgments given as possibility distributions, and fuzzy inference system provides after defuzzification the SIL value which is SIL2.

Referring to these works, we attempt in this paper to develop a more flexible calibrated risk graph using fuzzy logic system, with two main differences compared to the above approaches. First, calibration problem is taken into consideration, and so, scales supporting fuzzy partitions of the SIL and parameters C, F, P, and W are numeric rather than ordinal with the orders of magnitude given by Tables 1 and 2. Second, fuzzy intervals defined on the RRF universe particularly allow a SIL value to be between two successive classes with differing membership degrees. In practice, when the availability data for a SIF indicates a requirement just between two SIL classes, generally the stricter SIL requirement is chosen [5]. This conservative solution involves a more substantial increment of effort and competence with the major difference occurring when moving from SIL2 to SIL3 [6]. The fuzzy integrity levels may be an alternative to resolve this kind of problems. For example, a value of RRF (1/PFD) as an outcome of the fuzzy risk graph model may belong simultaneously to two fuzzy sets SIL2 and SIL3 but with a little higher membership degree to the latter (e.g., equal to 0.7). It would be reasonable to say that we are in presence of rather SIL3 requirements which clearly involve less cost and time than conventional SIL3, according to the proportion given by the membership degree, for example, 70% of the cost and time devoted to the conventional SIL3.

4. Fuzzy Inference System Methodology

Fuzzy logic-based method is a powerful tool for modeling the behavior of systems which are too complex or too ill-defined to admit of conventional quantitative techniques or when the available information from the systems is qualitative, imprecise, and/or uncertain. In contrast to classical logical systems, fuzzy logic aims at modeling the imprecise modes of reasoning that play an essential role in the human ability to give judgments or to make decisions in an environment of uncertainty and imprecision. Thus, unlike quantitative approaches that require accurate equations to model real-world behaviors, fuzzy logic can accommodate the ambiguities of real-world human with the concept of fuzzy sets and fuzzy inference techniques and consequently, possess a natural capability to express and deal with judgment and measurement uncertainties.

Fuzzy inference systems have found numerous applications in fields such as automatic control, data classification, decision analysis, expert systems, reliability engineering, and system safety. Among these systems, the fuzzy logic controller proposed by Mamdani and Assilian [28] is the most encountered in fuzzy rule-based problems. It was the first implementation dedicated to the control of a steam engine by synthesizing a set of fuzzy rules provided by experienced human operators. Based on a simple technique using the max-min inference, Mamdani's method has been successfully applied in many fields ranging from processes control to medical diagnosis. Specific details for each step of this method are explained briefly below [29].

Figure 3: Overall procedure of fuzzy safety integrity assessment. [Block diagram: the crisp inputs consequence, exposure, avoidance, and demand rate pass through fuzzification (input fuzzy intervals) to give fuzzy consequence, fuzzy exposure, fuzzy avoidance, and fuzzy demand rate; fuzzy inference (rules derived from risk graph) gives the fuzzy SIL; defuzzification (output fuzzy intervals) gives the RRF (1/PFD) assessment.]

Let us consider a rule base constituted of $n$ fuzzy IF-THEN rules with multiple inputs and single output (MISO). Each rule $R_i$ ($i = 1, \ldots, n$) is therefore of the form

$$R_i:\ \text{if } X_1 \text{ is } A_{i1} \text{ and } \ldots \text{ and } X_m \text{ is } A_{im} \text{ then } Y \text{ is } B_i, \tag{1}$$

where the $X_j$'s, $j = 1, \ldots, m$, and $Y$ are linguistic variables defined on the universes $U = U_1 \times \cdots \times U_m$ and $V$, respectively. The fuzzy sets $A_{ij}$ are elements of a linguistic partition $T_j$ of $U_j$ (universe of variable $X_j$). For a crisp input vector $u^0 = (u^0_1, \ldots, u^0_m)$, the output value is determined by the following three-step method.

4.1. Fuzzification

It is the process of converting an input data $u^0_j$ into its symbolic representation, that is, a fuzzy set $A^*_{ij}$, using the fuzzy partition $T_j$ of $U_j$, by computing the membership degree $\mu_{A_{ij}}(u^0_j)$ of $u^0_j$ to each $A_{ij}$. Then, a matching degree $\alpha_i = \min_j \mu_{A_{ij}}(u^0_j)$ is computed for each rule $R_i$.

4.2. Fuzzy Inference

The process for obtaining the fuzzy output using the max-min inference method consists of the following substeps.

(i) Finding the firing level of each rule: the truth value for the premise of each rule $R_i$ is computed and applied to the conclusion part of this rule. It is computed as follows:

$$\alpha_i = \min_j \mu_{A_{ij}}(u^0_j). \tag{2}$$

If a rule's premise has nonzero degree of truth, that is, when the input matches partially the premise of the rule, then the rule is fired.

(ii) Inferencing: in the inference step, the output $B'_i$ of each rule $R_i$ is computed using a conjunction operator, the min. Then, $B'_i = \alpha_i \wedge B_i$ is given by

$$\mu_{B'_i}(v) = \min\bigl(\alpha_i, \mu_{B_i}(v)\bigr). \tag{3}$$

(iii) Aggregation: for obtaining the overall system output, all the individual rule outputs are combined using the union operator. Then, $B' = \bigcup_i B'_i = \bigcup_i \alpha_i \wedge B_i$ with membership function

$$\mu_{B'}(v) = \max_{i=1,\ldots,n} \mu_{B'_i}(v). \tag{4}$$

4.3. Defuzzification

It produces a representative value $v_0$ of $Y$ in $B'$. Among defuzzification methods, the center of gravity is the most commonly used, and it is given by

$$v_0 = \frac{\int_{v \in V} \mu_{B'}(v) \cdot v \, dv}{\int_{v \in V} \mu_{B'}(v) \, dv}. \tag{5}$$
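The three steps above, run end to end on a two-input rule base, as an added example that is not code from the paper. The partitions for C, W and the SIL, the four rules, the log10 universes and all function names are constructed for illustration; they are not the paper's fuzzy scales or its rule base.

```python
# Added example: Mamdani max-min inference, equations (1)-(5).
# Every membership function and rule here is constructed for illustration.
NEG, POS = float("-inf"), float("inf")


def trapezoid(s_minus, q_minus, q_plus, s_plus):
    """Membership function with support [s-, s+] and core [q-, q+].

    Passing -inf (or +inf) for both left (or right) parameters gives the
    shouldered set used at the extreme of a partition.
    """
    def mu(u):
        if q_minus <= u <= q_plus:
            return 1.0
        if s_minus < u < q_minus:
            return (u - s_minus) / (q_minus - s_minus)
        if q_plus < u < s_plus:
            return (s_plus - u) / (s_plus - q_plus)
        return 0.0
    return mu


# Constructed partitions; each universe is log10 of the physical quantity.
C = {"marginal": trapezoid(-2.25, -1.75, -1.25, -0.75),   # deaths per event
     "critical": trapezoid(-1.25, -0.75, POS, POS)}
W = {"low": trapezoid(NEG, NEG, -0.75, -0.25),            # demands per year
     "high": trapezoid(-0.75, -0.25, POS, POS)}
SIL = {"SIL1": trapezoid(0.75, 1.25, 1.75, 2.25),         # log10(RRF)
       "SIL2": trapezoid(1.75, 2.25, 2.75, 3.25),
       "SIL3": trapezoid(2.75, 3.25, 3.75, 4.25)}

RULES = [  # (premise A_i1..A_im keyed by input name, conclusion B_i)
    ({"C": C["marginal"], "W": W["low"]}, SIL["SIL1"]),
    ({"C": C["marginal"], "W": W["high"]}, SIL["SIL2"]),
    ({"C": C["critical"], "W": W["low"]}, SIL["SIL2"]),
    ({"C": C["critical"], "W": W["high"]}, SIL["SIL3"]),
]


def firing_levels(rules, u0):
    """Equation (2): alpha_i = min_j mu_Aij(u0_j) for each rule R_i."""
    return [min(mu(u0[name]) for name, mu in premise.items())
            for premise, _ in rules]


def aggregated_output(rules, alphas):
    """Equations (3)-(4): clip each B_i at alpha_i, then take the max."""
    def mu_b(v):
        return max(min(a, b(v)) for a, (_, b) in zip(alphas, rules))
    return mu_b


def centre_of_gravity(mu_b, v_min, v_max, steps=2000):
    """Equation (5), evaluated with the midpoint rule on [v_min, v_max]."""
    h = (v_max - v_min) / steps
    num = den = 0.0
    for k in range(steps):
        v = v_min + (k + 0.5) * h
        w = mu_b(v)
        num += w * v
        den += w
    if den == 0.0:
        raise ValueError("no rule fired: input lies outside every premise")
    return num / den


def assess(log_c, log_w):
    """Return (alphas, v0, RRF) for crisp inputs given as log10 values."""
    alphas = firing_levels(RULES, {"C": log_c, "W": log_w})
    v0 = centre_of_gravity(aggregated_output(RULES, alphas), 0.0, 5.0)
    return alphas, v0, 10.0 ** v0


if __name__ == "__main__":
    for log_c in (-1.5, -1.0, -0.9):
        alphas, v0, rrf = assess(log_c, -1.0)
        print(f"log10(C)={log_c:5.2f} alphas={alphas} v0={v0:.3f} RRF={rrf:.0f}")
```

An input midway between two consequence sets fires two rules at 0.5 each and defuzzifies to an RRF of 100, the crisp SIL1/SIL2 border, while moving the input toward "critical" shifts the result gradually into the SIL2 range.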

5. Fuzzy Safety Integrity Assessment

The overall procedure for making a fuzzy safety integrity assessment is shown in Figure 3. The analysis uses fuzzy partitions to describe both risk parameters and SIL's. The membership functions are determined by a fuzzification, that is, a fuzzy information granulation according to Zadeh [25], of data of a typical calibrated risk graph. Thus, crisp intervals are replaced by fuzzy intervals with trapezoidal membership functions. The basic idea of this transformation is to consider the boundaries of an ordinary interval as a mean value of a fuzzy number under the form of upper and lower expectations [30]. Details concerning the different steps of the proposed fuzzy model are presented below.

5.1. Selection of Input Variables

Referring to the IEC standards, the fuzzy rule-based system associated with conventional risk graph considers the four risk parameters C, F, P, and W as input variables, and considers the SIL as the unique output variable. The parameters C, F, P, and W allow a meaningful graduation of the risks to be made, and contain the key risk assessment factors. Obviously, other factors or conditions could be considered but with reduced number because two major disadvantages may emerge. First, the higher the number of parameters is, the more additional SIL's should be necessarily added but certainly without corresponding requirements. Second, further input variables do not allow the fuzzy system to be at a reasonable size and may complicate the test of the model.

Figure 4: Upper and lower mean values of Q. [Plot of $\mu_Q$ (0 to 1) against $u$, marking $s^-$, $q^-$, $q^+$, $s^+$, $E_*(Q)$, $E^*(Q)$, the spreads $\alpha$ and $\beta$, and the half-spreads $\alpha/2$ and $\beta/2$.]

5.2. Development of the Fuzzy Scales

Fuzzy logic uses the concept of linguistic variable to describe the premise and conclusion of a fuzzy rule [11, 12]. This concept provides a tool of approximate characterization of situations which are too complex or too ill-defined for the application of conventional quantitative techniques. A linguistic variable differs from a numerical variable in that its values are not numbers but words in a natural language. The fuzzy sets, with their boundaries not sharply defined, play the role of values of the linguistic variable and may be viewed as summaries of various subclasses of elements in a universe of discourse. In the present step, the fuzzy sets for the description of the parameters C, F, P, and W and the SIL are derived from corresponding crisp partitions, referring to an experienced model, the calibrated risk graph presented in Figure 2. Transforming an ordinary interval to a fuzzy interval may be considered as the converse problem of determining the mean value of a fuzzy interval. However, consistently with the well-known definition of expectation in probability theory, Dubois and Prade [30] have suggested a relevant definition of the mean value of a fuzzy interval as follows: "the mean value of a fuzzy interval Q is a closed interval bounded by the expectations calculated from its upper and lower distribution functions," that is,

$$E(Q) = [E_*(Q), E^*(Q)], \tag{6}$$

where

$$E_*(Q) = \inf E(Q) = \int_{-\infty}^{+\infty} u \, dF^*(u), \qquad E^*(Q) = \sup E(Q) = \int_{-\infty}^{+\infty} u \, dF_*(u). \tag{7}$$

$F_*$ and $F^*$ are the lower and upper distribution functions of $P$, respectively, and $P$ belongs to the set of probability measures, $\mathcal{P}(Q)$, which are defined on the support of $Q$. Let $Q$ be a fuzzy interval with a trapezoidal membership function $\mu_Q$, and let $S(Q) = [s^-, s^+]$ and $C(Q) = [q^-, q^+]$ be the support and core of $Q$, respectively, that is, $\mu_{S(Q)}(u) > 0$ and $\mu_{C(Q)}(u) = 1$. Let $\alpha$ and $\beta$ be called the left and right spreads, respectively. Under the condition $\lim_{u \to -\infty} u^k F(u) = \lim_{u \to +\infty} u^k (1 - F(u)) = 0$ for $k \geq 1$, it follows that

$$E_*(Q) = \int_0^{+\infty} \bigl(1 - F^*(u)\bigr)\,du - \int_{-\infty}^{0} F^*(u)\,du = q^- - \int_{-\infty}^{q^-} \mu_Q(u)\,du,$$

$$E^*(Q) = \int_0^{+\infty} \bigl(1 - F_*(u)\bigr)\,du - \int_{-\infty}^{0} F_*(u)\,du = q^+ + \int_{q^+}^{+\infty} \mu_Q(u)\,du. \tag{8}$$

Figure 5: Transformation of a crisp interval into a fuzzy one. [Plot of $\mu_Q$ (0 to 1) against $u$, marking $s^-$, $q^-$, $m$, $q^+$, $s^+$, $E_*(Q)$, $E^*(Q)$, and the spreads $\alpha$ and $\beta$.]

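The calculation of $E_*(Q)$ is as follows (see Figure 4):

$$\begin{aligned}
E_*(Q) &= q^- - \int_{-\infty}^{q^-} \mu_Q(u)\,du \\
&= q^- - \int_{-\infty}^{q^-} \left(1 - \frac{q^- - u}{\alpha}\right) du \\
&= q^- - \int_{s^-}^{q^-} \left(1 - \frac{q^- - u}{\alpha}\right) du \\
&= q^- - \left[\left(1 - \frac{q^-}{\alpha}\right) u + \frac{u^2}{2\alpha}\right]_{s^-}^{q^-} \\
&= q^- - \frac{\alpha}{2}.
\end{aligned} \tag{9}$$

Thus,

$$E_*(Q) = q^- - \frac{\alpha}{2}, \tag{10}$$

$$E^*(Q) = q^+ + \frac{\beta}{2}. \tag{11}$$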

Figure 6: Transformation of crisp intervals into fuzzy ones: case of the parameter consequence: (a) minor, (b) moderate, (c) critical, and (d) catastrophic.

These results are in concordance with the fact that the width of the mean value is a linear function of the spreads α and β [30]. In our case, given $E_*$ and $q^-$ (resp., $E^*$ and $q^+$) of an unknown fuzzy interval Q, α (resp., β) will be determined using (10) (resp., (11)). $E_*$ and $E^*$ as mean values are given by the boundaries of crisp intervals. The calculation of α and β is as follows. First, one computes the mean value, m, of the interval $[E_*, E^*]$. Next, the core boundaries, $q^-$ and $q^+$, are computed using the mean value of the subdivisions $[E_*, m]$ and $[m, E^*]$, respectively. Both for m, $q^-$, and $q^+$, one uses either arithmetic mean or geometric mean according to whether or not the universe scale is linear. Figure 5 illustrates the transformation of an ordinary interval into a fuzzy one on a linear scale. For instance, α and $s^-$ are determined as follows:

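$$
\begin{aligned}
\alpha &= 2\,(q^- - E_*) = 2\left(\frac{E_* + m}{2} - E_*\right) \\
&= m - E_* = \frac{E_* + E^*}{2} - E_* = \frac{E^* - E_*}{2}, \\
s^- &= q^- - \alpha.
\end{aligned}
\tag{12}
$$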
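The transformation steps above and (12), as an added Python example (not code from the paper): it builds the trapezoid for a crisp interval on a linear or logarithmic scale, then integrates the membership function numerically as in (8) to confirm that the mean value reproduces the crisp bounds. The function and key names are assumptions made for this illustration; the two sample intervals are the Rare and Moderate rows of Table 3.

```python
import math


def crisp_to_fuzzy(e_lo, e_hi, log_scale=False):
    """Turn the crisp interval [E_*, E^*] into a trapezoidal fuzzy interval.

    m is the mean of [E_*, E^*]; q- and q+ are the means of [E_*, m] and
    [m, E^*] (arithmetic on a linear scale, geometric on a logarithmic one).
    The spreads come from (10) and (11): alpha = 2(q- - E_*), beta = 2(E^* - q+).
    """
    if e_lo > e_hi:
        raise ValueError("lower bound exceeds upper bound")
    if log_scale and e_lo <= 0:
        raise ValueError("geometric mean needs strictly positive bounds")
    if log_scale:
        mean = lambda a, b: math.sqrt(a * b)
    else:
        mean = lambda a, b: (a + b) / 2
    m = mean(e_lo, e_hi)
    q_lo, q_hi = mean(e_lo, m), mean(m, e_hi)
    alpha, beta = 2 * (q_lo - e_lo), 2 * (e_hi - q_hi)
    return {"m": m, "q_lo": q_lo, "q_hi": q_hi, "alpha": alpha, "beta": beta,
            "s_lo": q_lo - alpha, "s_hi": q_hi + beta}


def membership(u, t):
    """Degree of membership of u in trapezoid t (both slopes linear in u)."""
    if t["q_lo"] <= u <= t["q_hi"]:
        return 1.0
    if t["s_lo"] < u < t["q_lo"]:
        return 1.0 - (t["q_lo"] - u) / t["alpha"]
    if t["q_hi"] < u < t["s_hi"]:
        return 1.0 - (u - t["q_hi"]) / t["beta"]
    return 0.0


def mean_value(t, steps=1000):
    """Recover [E_*, E^*] from the trapezoid by integrating (8) numerically."""
    def integral(a, b):
        h = (b - a) / steps  # midpoint rule, exact for the linear slopes
        return h * sum(membership(a + (i + 0.5) * h, t) for i in range(steps))
    return (t["q_lo"] - integral(t["s_lo"], t["q_lo"]),
            t["q_hi"] + integral(t["q_hi"], t["s_hi"]))


if __name__ == "__main__":
    # Crisp bounds taken from Table 3: Rare on the linear 0-100 % scale,
    # Moderate on the logarithmic fatalities-per-event scale.
    for label, lo, hi, log in [("Rare", 0, 10, False), ("Moderate", 0.01, 0.1, True)]:
        t = crisp_to_fuzzy(lo, hi, log_scale=log)
        print(label, {k: f"{v:.4g}" for k, v in t.items()}, mean_value(t))
```

The unadjusted supports can extend below zero (Rare gives a lower support bound of -2.5), which is the negative part the text removes for each parameter.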

Extreme fuzzy sets within a linguistic partition are derived from the transformation by assuming infinite spreads, that is, taking α = −∞, $\mu_{Q_{el}}(u) = 1$ for $u \le q^-$ and β = +∞, $\mu_{Q_{er}}(u) = 1$ for $u \ge q^+$ (el is for extreme left and er for extreme right). Furthermore, transforming an irregular crisp partition into a fuzzy partition may involve linguistic labels with meaningless values (incompatibility problem). In this case, the slope of the increasing or decreasing part of these fuzzy sets needs to be reasonably modified. Table 3 shows numerical results of the different transformations based on data of Tables 1 and 2. The transformation concerning the parameter consequence is illustrated by Figures 6(a), 6(b), 6(c), 6(d). The fuzzy partitions of risk parameters and SIL, which are derived from the fuzzy intervals $Q = [q^-, [s^-, s^+], q^+]$, are given by Figures 7(a), 7(b), 7(c), 7(d) and 8. A more detailed description of these partitions is presented in the following:

(i) Consequence: four fuzzy sets, namely, minor, moderate, critical, and catastrophic, were defined on the input space of this variable (Figure 7(a)). The values varying from $10^{-9}$ to 10 are represented on a logarithmic scale. To the linguistic value minor defined in risk graph as no deaths is assigned the crisp interval $[10^{-9}, 10^{-7}]$ which suitably represents an unlikely event. This interval is transformed into a fuzzy one with the omission of the negative part. The interval [1, 10] is selected to be the mean value of the fuzzy set catastrophic with the possibility to change its upper bound according to the hazardous situation. The increasing part of catastrophic is adjusted by taking the upper bound of the core of the fuzzy set critical as its beginning point. This adjustment has a double purpose. First, it removes the negative part of the fuzzy interval associated with the term catastrophic, which is meaningless from a point of view of number of fatalities. Second, it avoids the overlapping between more than two fuzzy sets, which involves many meaningless values for the class catastrophic. For instance, the degree of membership of the zero value in the nonadjusted fuzzy interval is 0.27.

(ii) Frequency and exposure time: two fuzzy sets, namely, rare and frequent, were defined on a linear scale ranging from 0% to 100% (Figure 7(b)). The boundaries of their cores are derived from arithmetic means of crisp interval subdivisions. As in the previous risk parameter, the negative part of the first set rare is removed, and the upper bound of its core has served as a lower bound of the support of the second set frequent. The membership function of the latter is obviously right open.

(iii) Possibility of avoiding hazard: as in the previous input parameter, two fuzzy sets named not likely and possible, respectively, were defined on the universe [0, 100] (Figure 7(c)). For the first set not likely, the negative part is removed and the upper bound of its support takes the lower bound value of the core of the set possible. The values of the latter are limited to 100 with a right open membership function.

(iv) Probability of the unwanted occurrence: three fuzzy sets, namely, very low, low, and relatively high, were defined on a probability space ranging from $10^{-5}$ pa to 1 pa (Figure 7(d)). As for the first risk parameter, the probability values are represented on a logarithmic scale. The choice of $10^{-5}$ pa (or $1.14 \times 10^{-9}$ ph) as a lower bound of the interval $[10^{-5}, 0.03]$ refers to an unlikely event. Only the first and the last fuzzy sets were adjusted by removing the negative part and the values greater than one, respectively. The intermediate fuzzy set low remains unchanged.

(v) Safety integrity level (SIL): the SIL as a unique output variable is defined on a RRF scale. The universe of discourse of the latter consists of the interval $[1, 10^6]$ with a regular crisp partition, that is, there is a factor of ten between two successive subintervals. Seven fuzzy sets were defined on the output space (Figure 8): four sets are associated with the four SIL’s, with the same labels as levels themselves, namely, SIL1, SIL2, SIL3, and SIL4, and the two sets named NSSR and NR refer to the cases no special safety requirements and single SRS not recommended, respectively. Except for the delimitation of the set NR, no adjustment is made for all these labels.

5.2.1. Derivation of the Fuzzy Rules

A number of fuzzy IF-THEN rules are extracted following the risk graph logic and using the linguistic descriptors associated with risk parameters and SIL. In this case, the rule base can be understood as a translation of the risk graph which is mainly based on the knowledge and experience of analysts regarding the process nature and required risk reduction. Both the number of rules and input variables involved in premise parts depend on the risk graph implementation, that is, the decomposition level of risk graph. In the premise and conclusion parts of rules, the meanings of the linguistic values of input and output variables are described by the fuzzy sets defined in step 2. The general form of the derived fuzzy rules is

$$
R^i:\ \text{IF } C \text{ is } A^i_C \text{ and } F \text{ is } A^i_F \text{ and } P \text{ is } A^i_P \text{ and } W \text{ is } A^i_W \text{ THEN SIL is } B^i, \tag{13}
$$

where the risk parameters C, F, P, and W stand for input variables; $A^i_C$, $A^i_F$, $A^i_P$, and $A^i_W$ are their linguistic values, respectively. The SIL is an output variable with $B^i$ as its linguistic value. The fuzzy vector $(A^i_C, A^i_F, A^i_P, A^i_W)$ and the fuzzy set $B^i$ are elements of the universes $U_{RP} = U_C \times U_F \times U_P \times U_W$ (RP for risk parameters) and $U_{SIL}$, respectively. According to the risk graph reduction, the premise part of the above rule may be reduced to two or three input variables. Referring to the calibrated risk graph of Figure 2, two examples of fuzzy rules are the following:

$$
\begin{aligned}
&\text{IF } C \text{ is Marginal and } F \text{ is Frequent and } P \text{ is Possible and } W \text{ is Low THEN SIL is SIL2,} \\
&\text{IF } C \text{ is Critical and } F \text{ is Rare and } W \text{ is Low THEN SIL is SIL3.}
\end{aligned}
\tag{14}
$$

5.2.2. Fuzzy Rule Base Application

As explained in Section 4, fuzzy inference system methodology, when the fuzzy inference system is to be applied to a set of input parameter values, the information flows through the fuzzification-inference-defuzzification process in order to generate the output value. Given any combination of input values which cover the specific context of risk parameters, the fuzzy rule-based risk graph will compute the RRF value that the SIF must achieve within the specific context. The fuzzifier maps crisp input vector $u^0_{RP} = (u^0_C, u^0_F, u^0_P, u^0_W)$ in $U_{RP}$ to fuzzy sets in $U_{RP}$, and the defuzzifier maps fuzzy sets in $U_{SIL}$. If one or more risk parameters are not considered for a given rule, they will not have any effect on the matching degree $\alpha_i$.

Table 3: Transformation of crisp intervals into fuzzy intervals.

| Parameter | Fuzzy set | $E_*$ | $E^*$ | $m$ | $q^-$ | $q^+$ | $\alpha$ | $\beta$ | $s^-$ | $s^{*-}$ | $s^+$ | $s^{*+}$ |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Consequence | Minor | 1.0E-09 | 1.0E-07 | 1.0E-08 | 3.162E-09 | 3.162E-08 | 4.325E-09 | 1.368E-07 | −1.162E-09 | 1.0E-09 | 1.684E-07 | |
| | Moderate | 0.01 | 0.1 | 3.162E-02 | 1.778E-02 | 5.623E-02 | 1.557E-02 | 8.753E-02 | 2.217E-03 | — | 1.438E-01 | — |
| | Critical | 0.1 | 1 | 3.162E-01 | 1.778E-01 | 5.623E-01 | 1.557E-01 | 8.753E-01 | 2.217E-02 | — | 1.438E+00 | |
| | Catastrophic | 1 | 10 | 3.162E+00 | 1.778E+00 | 5.623E+00 | 1.557E+00 | 8.753E+00 | 2.217E-01 | — | 1.438E+01 | 10 |
| Exposure | Rare | 0 | 10 | 5.0E+00 | 2.50E+00 | 7.50E+00 | 5.0E+00 | 5.0E+00 | −2.50E+00 | 0 | 1.250E+01 | |
| | Frequent | 10 | 100 | 5.50E+01 | 3.250E+01 | 7.750E+01 | 4.50E+01 | 4.50E+01 | −1.250E+01 | 7.50E+00 | 1.225E+02 | 100 |
| Avoidance | Not likely | 0 | 90 | 4.50E+01 | 2.250E+01 | 6.750E+01 | 4.50E+01 | 4.50E+01 | −2.250E+01 | 0 | 1.125E+02 | 9.250E+01 |
| | Possible | 90 | 100 | 9.50E+01 | 9.250E+01 | 9.750E+01 | 5.0E+00 | 5.0E+00 | 8.750E+01 | — | 1.025E+02 | 100 |
| Demand rate | Very low | 1.0E-02 | 0.03 | 5.477E-04 | 7.401E-05 | 4.054E-03 | 1.280E-04 | 5.189E-02 | −5.401E-05 | 1.0E-05 | 5.595E-02 | — |
| | Low | 0.03 | 0.3 | 9.487E-02 | 5.335E-02 | 1.687E-01 | 4.670E-02 | 2.626E-01 | 6.652E-03 | — | 4.313E-01 | |
| | Relatively high | 0.3 | 1 | 5.477E-01 | 4.054E-01 | 7.401E-01 | 2.107E-01 | 5.198E-01 | 1.946E-01 | — | 1.260E+00 | 1 |
| SIL (RRF = 1/PFD) | NSSR (a) | 1 | 10 | 3.162E+00 | 1.778E+00 | 5.623E+00 | 1.557E+00 | 8.753E+00 | 2.217E-01 | 1 | 1.438E+01 | — |
| | SIL1 | 10 | 100 | 3.162E+01 | 1.778E+01 | 5.623E+01 | 1.557E+01 | 8.753E+01 | 2.217E+00 | — | 1.438E+02 | — |
| | SIL2 | 1.0E+02 | 1.0E+03 | 3.162E+02 | 1.778E+02 | 5.623E+02 | 1.557E+02 | 8.753E+02 | 2.217E+01 | — | 1.438E+03 | |
| | SIL3 | 1.0E+03 | 1.0E+04 | 3.162E+03 | 1.778E+03 | 5.623E+03 | 1.557E+03 | 8.753E+03 | 2.217E+02 | — | 1.438E+04 | |
| | SIL4 | 1.0E+04 | 1.0E+05 | 3.162E+04 | 1.778E+04 | 5.623E+04 | 1.557E+04 | 8.753E+04 | 2.217E+03 | — | 1.438E+05 | |
| | NR | 1.0E+05 | 1.0E+06 | 3.162E+05 | 1.778E+05 | 5.623E+05 | 1.557E+05 | 8.753E+05 | 2.217E+04 | — | 1.438E+06 | 1.0E+06 |

Transformation indices: $E_*$, lower mean value; $E^*$, upper mean value; $m$, geometric mean of $[E_*, E^*]$; $q^-$ and $q^+$, lower and upper boundaries of the core C(Q); $\alpha$ and $\beta$, left and right spreads of Q; $s^-$, lower boundary of the support S(Q); $s^{*-}$, modified value of $s^-$; $s^+$, upper boundary of the support S(Q); $s^{*+}$, modified value of $s^+$.

Figure 7: Membership functions generated for risk parameters: (a) consequence, (b) exposure, (c) avoidance, and (d) demand rate.

Figure 8: Membership functions generated for SIL.

6. Conclusion

Although conventional risk graphs are relatively simple to be implemented, they can lead to inconsistent results and possibly conservatism that may result in SIL overestimation. Indeed, the use of qualitative definitions for risk parameters is highly subjective and their meaning can be misunderstood. On the other hand, numerical interpretation of risk parameters and SIL’s by means of crisp intervals violates gradual transition between intervals which is more realistic.

The proposed fuzzy risk graph model is a fuzzy rule-based risk graph. Its main advantages may include the following.

(i) It preserves the four parameters used in the standard risk graph and can be adapted easily to improved risk graphs.

(ii) Fuzzy scales with fuzzy linguistic values are used to assess risk parameters, and calibration of the model may be made by varying risk parameters values.

(iii) The outcomes of the model which are numerical values of RRF (1/PFD) can be compared directly with those given by more refined methods like FTA, QRA, and LOPA.


Nomenclature

IEC: International Electrotechnical Commission

SIS: Safety instrumented system

SIF: Safety instrumented function

PFD: Probability of failure on demand

RRF: Risk reduction factor

SIL: Safety integrity level

FTA: Fault tree analysis

QRA: Quantitative risk assessment

LOPA: Layers of protection analysis

C: Consequence

F: Frequency and exposure time

P: Possibility of avoiding hazard

W: Probability of the unwanted occurrence

Q: Fuzzy interval

$\mu_Q$: Membership function describing Q

S(Q): Support of Q, where $S(Q) = [s^-, s^+]$

C(Q): Core of Q, where $C(Q) = [q^-, q^+]$

α, β: Left and right spreads of Q, respectively

E(Q): Mean value of Q, where $E(Q) = [E_*(Q), E^*(Q)]$

$F_*$, $F^*$: Lower and upper distribution functions

$R^i$: Fuzzy rule derived from risk graph

$A^i_C$, $A^i_F$: Fuzzy sets describing C and F

$A^i_P$, $A^i_W$: Fuzzy sets describing P and W

$B^i$: Fuzzy set describing SIL

$U_{RP}$: Risk parameter universe, where $U_{RP} = U_C \times U_F \times U_P \times U_W$

$U_{SIL}$: SIL universe

$u^0_{RP}$: Crisp input vector in $U_{RP}$, where $u^0_{RP} = (u^0_C, u^0_F, u^0_P, u^0_W)$.

References

[1] C. R. Timms, “IEC 61511-an aid to COMAH and safety case regulations compliance,” Measurement & Control, vol. 37, part 4, pp. 115–122, 2004.

[2] Functional safety of electrical/electronic/programmable electronic safety related systems, IEC 61508 Standard, Parts 1–6, 1st edition, 1998.

[3] Functional safety-Safety instrumented systems for the process industry sector-IEC 61511 Standard, Parts 1–3, 1st edition, 2003.

[4] D. Kirkwood and B. Tibbs, “Developments in SIL determination,” Computing & Control Engineering, vol. 16, no. 3, pp. 21–27, 2005.

[5] S. Hauge, P. Hokstad, and T. Onshus, “The introduction of IEC 61511 in Norwegian offshore industry,” in Proceedings of the European Safety & Reliability International Conference (ESREL ’01), pp. 483–490, Torino, Italy, September 2001.

[6] D. J. Smith and K. J. L. Simpson, Functional Safety: A Straightforward Guide to Applying IEC 61508 and Related Standards, Elsevier Butterworth-Heinemann, Oxford, UK, 2nd edition, 2004.

[7] S. Dean, “IEC 61508-Assessing the hazard and risk,” Sauf Consulting, April 1999, http://www.sauf.co.uk.

[8] P. Baybutt, “An improved risk graph approach for determination of safety integrity levels (SILs),” Process Safety Progress, vol. 26, no. 1, pp. 66–76, 2007.

[9] W. K. Muhlbauer, Pipeline Risk Management Manual: Ideas, Techniques and Resources, Elsevier, Amsterdam, The Netherlands, 2004.

[10] L. A. Zadeh, “Outline of a new approach to the analysis of complex systems and decision processes,” IEEE Transactions on Systems, Man and Cybernetics, vol. 3, pp. 28–44, 1973.

[11] L. A. Zadeh, “The concept of a linguistic variable and its application to approximate reasoning—I,” Information Sciences, vol. 8, no. 3, pp. 199–249, 1975.

[12] L. A. Zadeh, “The concept of a linguistic variable and its application to approximate reasoning—II,” Information Sciences, vol. 8, no. 4, pp. 301–357, 1975.

[13] J. B. Bowles and C. E. Pelaez, “Fuzzy logic prioritization of failures in a system failure mode, effects and criticality analysis,” Reliability Engineering & System Safety, vol. 50, no. 2, pp. 203–213, 1995.

[14] K. Xu, L. C. Tang, M. Xie, S. L. Ho, and M. L. Zhu, “Fuzzy assessment of FMEA for engine systems,” Reliability Engineering & System Safety, vol. 75, no. 1, pp. 17–29, 2002.

[15] A. Pillay and J. Wang, “Modified failure mode and effects analysis using approximate reasoning,” Reliability Engineering & System Safety, vol. 79, no. 1, pp. 69–85, 2003.

[16] A. C. F. Guimaraes and C. M. F. Lapa, “Hazard and operability study using approximate reasoning in light-water reactors passive systems,” Nuclear Engineering and Design, vol. 236, no. 12, pp. 1256–1263, 2006.

[17] A. C. F. Guimaraes and C. M. F. Lapa, “Fuzzy inference to risk assessment on nuclear engineering systems,” Applied Soft Computing, vol. 7, no. 1, pp. 17–28, 2007.

[18] A. S. Markowski, M. S. Mannan, and A. Bigoszewska, “Fuzzy logic for process safety analysis,” in Proceedings of the International Symposium of Process Safety Center, College Station, Tex, USA, October 2007.

[19] F. Redmill, “IEC 61508 - principles and use in the management of safety,” Computing & Control Engineering, vol. 9, no. 5, pp. 205–213, 1998.

[20] K. T. Kosmowski, “Functional safety concept for hazardous systems and new challenges,” Journal of Loss Prevention in the Process Industries, vol. 19, no. 2-3, pp. 298–305, 2006.

[21] W. G. Gulland, “Methods of determining safety integrity level (SIL) requirements-Pros and Cons,” in Proceedings of the 12th Annual Safety-Critical Systems Symposium, pp. 105–122, Birmingham, UK, February 2004.

[22] L. Blackmore, “IEC 61508-Practical experience in increasing the effectiveness of SIL assessments,” ISA EXPO, 2000.

[23] D. W. Massaro, “Broadening the domain of the fuzzy logical model of perception,” in Cognition: Conceptual and Methodological Issues, H. L. Pick Jr., P. van den Broek, and D. C. Knill, Eds., pp. 51–84, American Psychological Association, Washington, DC, USA, 1992.

[24] S. A. Sandri, D. Dubois, and H. W. Kalfsbeek, “Elicitation, assessment, and pooling of expert judgments using possibility theory,” IEEE Transactions on Fuzzy Systems, vol. 3, no. 3, pp. 313–335, 1995.

[25] L. A. Zadeh, “Toward a theory of fuzzy information granulation and its centrality in human reasoning and fuzzy logic,” Fuzzy Sets and Systems, vol. 90, no. 2, pp. 111–127, 1997.

[26] L. Ormos and I. Ajtonyi, “Soft computing method for determining the safety of technological system by IEC 61508,” in Proceedings of the 1st Romanian-Hungarian Joint Symposium on Applied Computational Intelligence (SACI ’04), Timisoara, Romania, May 2004.

[27] C. Simon, M. Sallak, and J.-F. Aubry, “SIL allocation of SIS by aggregation of experts’ opinions,” in Proceedings of the Safety and Reliability Conference (ESREL ’07), Stavanger, Norway, June 2007.

[28] E. H. Mamdani and S. Assilian, “An experiment in linguistic synthesis with a fuzzy logic controller,” International Journal of Man-Machine Studies, vol. 7, no. 1, pp. 1–13, 1975.

[29] D. Dubois, H. Prade, and L. Ughetto, “Fuzzy logic, control engineering and artificial intelligence,” in Fuzzy Algorithms for Control, H. B. Verbruggen, H. J. Zimmerman, and R. Babuska, Eds., pp. 17–57, Kluwer Academic Publishers, Dordrecht, The Netherlands, 1999.

[30] D. Dubois and H. Prade, “The mean value of a fuzzy number,” Fuzzy Sets and Systems, vol. 24, no. 3, pp. 279–300, 1987.
