The Application of Bow-Tie Method in Hydrogen Sulfide Risk Management Using Layer of Protection Analysis (LOPA)

Safety systems need to be used in strong and stable ways to achieve the objectives and goals of organizations. The main role of safety systems is highlighted ever than before in maintaining personnel health, environmental protection and improves the reputation of the organizations. Proper functioning of safety system depends on the reliability and the failure probability of the system, which determines the integrated system safety. In this regard, this study aimed to H₂S risk management using bow-tie model with an emphasis on Layer of Protection Analysis (LOPA). An oil processing and gas injection plant is selected as a case of study with considering the high concentration of H₂S (130,000 ppm) as well as very high pressure of gas injection (410 bars). This work commences when hazardous regions is categorized according to H₂S gas leakage resources which followed by H₂S risk assessment (bow-tie model). In the following stage, intelligent safety systems were investigated as one of the LOPAs. Thus, the elements of intelligent safety systems are specified. Based upon the software-defined logic, block diagrams were determined. Then, Probability of Failure on Demand (PFD) and Safety Integrity Level (SIL) were attained. PFD of block diagrams was calculated, and corresponding SIL was obtained using Reliability Block Diagram and the relationships between PFD and reliability. As a result, each of elements or block diagrams was considered the weak points. Accordingly, solutions were proposed to reduce the adverse effects and promote SIL to improve safety performance of plant.     

Reliability Prediction Based on Variation Mode and Effect Analysis

The possibility of predicting the reliability of hardware for both components and systems is important in engineering design. Today, there are several methods for predicting the reliability of hardware systems and for identifying the causes of failure and failure modes, for example, fault tree analysis and failure mode and effect analysis. Many failures are caused by variations resulting in a substantial effect on safety or functional requirements. To identify, to assess and to manage unwanted sources of variation, a method called probabilistic variation mode and effect analysis (VMEA) has been developed. With a prescribed reliability, VMEA can be used to derive safety factors in different applications. However, there are few reports on how to derive the reliability based on probabilistic VMEA, especially for transmission clutch shafts. Hence, the objective of this article was to show how to derive system reliability based on probabilistic VMEA. In particular, wheel loader automatic transmission clutch shaft reliability is investigated to show how different sources of variation affect reliability. In this article, a new method for predicting system reliability based on probabilistic VMEA is proposed. The method is further verified by a case study on a clutch shaft. It is shown that the reliability of the clutch shaft was close to 1.0 and that the most significant variation contribution was due to mean radius of the friction surface and friction of the disc. Copyright © 2012 John Wiley & Sons, Ltd.     

Estimation of average hazardous-event-frequency for allocation of safety-integrity levels

One of the fundamental concepts of the draft international standard, IEC 61508, is target failure measures to be allocated to Electric/Electronic/Programmable Electronic Safety-Related Systems, i.e. Safety Integrity Levels. The Safety Integrity Levels consist of four discrete probabilistic levels for specifying the safety integrity requirements or the safety functions to be allocated to Electric/Electronic/Programmable Electronic Safety-Related Systems. In order to select the Safety Integrity Levels the draft standard classifies Electric/Electronic/Programmable Electronic Safety-Related Systems into two modes of operation using demand frequencies only. It is not clear which modes of operation should be applied to Electric/Electronic/Programmable Electronic Safety-Related Systems taking into account the demand-state probability and the spurious demand frequency. It is essential for the allocation of Safety Integrity Levels that generic algorithms be derived by involving possible parameters, which make it possible to model the actuality of real systems. The present paper addresses this issue. First of all, the overall system including Electric/Electronic/programmable Electronic Safety-Related Systems is described using a simplified fault-tree. Then, the relationships among demands, demand-states and proof-tests are studied. Overall systems are classified into two groups: a non-demand-state-at-proof-test system which includes both repairable and non-repairable demand states and a constant-demand-frequency system. The new ideas such as a demand-state, spurious demand-state, mean time between detections, rates of d-failure and h-failure, and an h/d ratio are introduced in order to make the Safety Integrity Levels and modes of operation generic and comprehensive. Finally, the overall system is simplified and modeled by fault-trees using Priority-AND gates. At the same time the assumptions for modeling are described. Generic algorithms to estimate hazardous-event frequencies are derived based on the fault-trees. Thus, new definitions regarding modes of operation for the allocation of Safety Integrity Levels and shortcut methods for estimation of hazardous-event frequencies are proposed.     

Risk estimation studies in the context of a machine control function

Nowadays the safety requirements of a machine are increasingly associated with programmable electronic control systems. Risk estimation is an essential part of risk analysis in a machine development process, because the categorisation and allocation of safety requirements is based on this. It is important to know how the risk estimation is performed, since wrong safety integrity level (SIL) or performance level (PL) selection may lead to multiple costs of the safety-related part of the control system. On the other hand, wrong PL or SIL selection can weaken the safety of the system. In this article, a risk estimation process of a safety-related control function is presented. Different groups carried out three case studies including risk estimation for the same safety-related control function of a machine. The results of the risk estimations of the groups differ from each other. The possible reasons for the variations are discussed.     

Performance-based standards: safety instrumented functions and safety integrity levels

This paper discusses two international performance-based standards, ANSI/ISA S84.01 and IEC d61508 and the requirements they place upon companies that rely on electrical, electronic and programmable electronic systems to perform safety functions. Performance-based regulations are also discussed and common safety elements between the standards and regulations are identified. Several risk analysis techniques that can be used to comply with the aforementioned requirements are discussed and a simple example is used to illustrate the use, advantages and disadvantages of the techniques. The evaluation of safety integrity level (SIL) of the Safety Instrumented System (SIS) in terms of the probability to fail to function is outside the scope of this paper.     

Probabilistic safety assessment improves surveillance requirements in technical specifications

Probabilistic Safety Assessment is widely becoming the standard method for assessing, maintaining, assuring and improving the nuclear power plant safety. To achieve one of its many potential benefits, the optimization approach of surveillance requirements in technical specifications was developed. Surveillance requirements in technical specifications define the surveillance test intervals for the equipment to be tested and the testing strategy. This optimization approach based mainly on probabilistic safety assessment results consists of three levels: component level, system level and plant level. The application of this optimization approach on system level has shown that the risk based surveillance requirements differ from existing ones in technical specifications.     

Condition, safety and cost profiles for deteriorating structures with emphasis on bridges

After an enormous investment in construction of highway networks undertaken in the second half of the 20th century, the highway networks of most European and North American countries are now completed or close to completion. As a result, the need in funding changed from building new highway structures to repair, rehabilitation, and replacement the existing ones. In this paper, a model for analyzing the evolution in time of probabilistic performance indicators of existing structures, in terms of condition, safety, and cost under no maintenance, preventive maintenance, and essential maintenance, is presented. This model integrates the current practice in bridge management systems based on visual inspections (condition index) with structural assessment (safety index) during the lifetime of existing structures. The proposed model allows the consideration of uncertainties in the performance deterioration process, times of application of maintenance actions, and in the effects of maintenance actions on the condition, safety, and life-cycle cost of structures by defining all parameters involved in the model as random variables. Interaction between condition and safety profiles is defined through probabilistic and deterministic relations. The probabilistic characteristics of the condition, safety, and cost profiles of deteriorating structures are computed by Monte-Carlo simulation. Several realistic examples, based on data on highway bridge components gathered in the United Kingdom, are presented.     

SIL analysis of subsea control system components based on a typical OREDA database

Proper performance evaluation of subsea system components is of high significance for reliable operation and remote monitoring or the replacement of the components before the occurrence of any failure. As a part of subsea systems, subsea control system (SCS) plays a key role in accomplishing a reliable performance. Hence, achieving knowledge of the components’ failure rates is highly important in the safety analysis of SCS. To the author's knowledge, limited work is done on the safety analysis of SCS using failure rates for a multitude of components. Also, the number of research papers that are based on industrial works is restricted. Hence, this paper aims to provide a noticeable contribution in fulfilling the referred gap. For this purpose, a safety integrity-level (SIL) analysis is proposed based on a typical OREDA database. In the implementation of the proposed SIL, a failure mode classification table is provided for a selection of SCS components. This is followed by the estimation of several parameters, such as the total time in service, as well as obtaining the values of critical failure rates. The analysis indicates that signal failure is the failure mode occurring more than the other ones. Also, the subsea electronic module yields the highest value of critical failure rates. Besides, a comparison of parameter values is provided for two different versions of the utilized database.     

Do not blame the driver: A systems analysis of the causes of road freight crashes

Although many have advocated a systems approach in road transportation, this view has not meaningfully penetrated road safety research, practice or policy. In this study, a systems theory-based approach, Rasmussens’s (1997) risk management framework and associated Accimap technique, is applied to the analysis of road freight transportation crashes. Twenty-seven highway crash investigation reports were downloaded from the National Transport Safety Bureau website. Thematic analysis was used to identify the complex system of contributory factors, and relationships, identified within the reports. The Accimap technique was then used to represent the linkages and dependencies within and across system levels in the road freight transportation industry and to identify common factors and interactions across multiple crashes. The results demonstrate how a systems approach can increase knowledge in this safety critical domain, while the findings can be used to guide prevention efforts and the development of system-based investigation processes for the heavy vehicle industry. A research agenda for developing an investigation technique to better support the application of the Accimap technique by practitioners in road freight transportation industry is proposed.     

State/event fault trees—A safety analysis model for software-controlled systems

Safety models for software-controlled systems should be intuitive, compositional and have the expressive power to model both software and hardware behaviour. Moreover, they should provide quantitative results for failure or hazard probabilities. Fault trees are an accepted and intuitive model for safety analysis, but they are incapable of expressing state dependencies or temporal order of events. We propose to combine fault trees with an explicit State/Event semantics, using a graphical notation that is similar to Statecharts. Our new model, named State/Event Fault Trees (SEFTs), subsumes both deterministic state machines suited to describe software behaviour, and Markov chains that model probabilistic failures, while keeping the visualisation of causal chains known from fault trees. We allow exponentially distributed probabilistic events, deterministic delays, and triggered events. The model provides a component concept, where components are connected by typed ports. Quantitative evaluation is achieved by translating the component models to Deterministic and Stochastic Petri Nets (DSPNs) and using an existing tool for analysis or simulation. This paper, which is an extended version of [Kaiser B, Gramlich C. State-Event-Fault-Trees—a safety analysis model for software controlled systems. Computer safety, reliability, and security. Proceedings of the 23rd international conference, SAFECOMP 2004, Potsdam, Germany, September 21st–24th. Lecture Notes in Computer Science, vol. 3219, 2004.p. 195–209], revisits the model elements and the analysis procedure and provides a small case study of a fire alarm system, completed by an outlook on our tool project ESSaRel.     

Modelling and analysis of the sugar cataract development process using stochastic hybrid systems

Modelling and analysis of biochemical systems such as sugar cataract development (SCD) are critical because they can provide new insights into systems, which cannot be easily tested with experiments; however, they are challenging problems due to the highly coupled chemical reactions that are involved. The authors present a stochastic hybrid system (SHS) framework for modelling biochemical systems and demonstrate the approach for the SCD process. A novel feature of the framework is that it allows modelling the effect of drug treatment on the system dynamics. The authors validate the three sugar cataract models by comparing trajectories computed by two simulation algorithms. Further, the authors present a probabilistic verification method for computing the probability of sugar cataract formation for different chemical concentrations using safety and reachability analysis methods for SHSs. The verification method employs dynamic programming based on a discretisation of the state space and therefore suffers from the curse of dimensionality. To analyse the SCD process, a parallel dynamic programming implementation that can handle large, realistic systems was developed. Although scalability is a limiting factor, this work demonstrates that the proposed method is feasible for realistic biochemical systems.     

The design and analysis of AVTMR (all voting triple modular redundancy) and dual–duplex system

In this paper, we design AVTMR (All Voting Triple Modular Redundancy) and dual–duplex system which have a fault-tolerant characteristic, and two systems are compared in the evaluation of RAMS (Reliability, Availability, Maintainability and Safety) and MTTF (Mean Time To Failure).AVTMR system is designed in a triplicated voter technique and dual–duplex system in a comparator, and two systems are based on MC68000. To evaluate system characteristic, Markov modeling method is designed for reliability, availability, safety and MTTF (Mean Time To Failure), and RELEX6.0 tool is used for the calculation of failure rate of electrical components that is based on MILSPEC-217F.In this paper, we can see two systems are more high dependability than a single system, and AVTMR or dual–duplex system can be selected for a specific application system. Especially, because AVTMR and dual–duplex system have high RAMS better than a single system, they can be applied to life critical system such as an airplane and a high-speed railway system.     

Analysis of fault tolerance and reliability in distributed real-time system architectures

Safety critical real-time systems are becoming ubiquitous in many areas of our everyday life. Failures of such systems potentially have catastrophic consequences on different scales, in the worst case even the loss of human life. Therefore, safety critical systems have to meet maximum fault tolerance and reliability requirements. As the design of such systems is far from being trivial, this article focuses on concepts to specifically support the early architectural design. In detail, a simulation based approach for the analysis of fault tolerance and reliability in distributed real-time system architectures is presented. With this approach, safety related features can be evaluated in the early development stages and thus prevent costly redesigns in later ones.     

基于并联空气弹簧结构的卫星运输减振系统设计及振动特性分析

随着航天科技的发展以及日益增长的性能需求,对卫星的可靠性要求越来越高,对运输过程中的振动也提出了更严格的要求,导致目前的减振系统难以满足未来的运输需求。针对这种情况,设计了基于空气弹簧并联结构的卫星包装运输减振系统,并对其振动特性进行了分析。结合卫星运输箱的结构和减振需求提出了并联空气弹簧减振系统方案。基于实测参数建立了并联空气弹簧减振系统的多体动力学仿真模型,并验证了方案的可行性,并进一步研究了不同运输工况下系统的减振效率及安全性。构建了减振系统进行不同工况下的实车运输测试。研究结果证明基于空气弹簧并联结构的运输减振系统在实车运输中具有较好的减振效率,并可以保证设备在运输过程安全。该研究结果可为大型精密设备运输减振系统的设计提供参考。     

A fuzzy-logic-based approach to qualitative safety modelling for marine systems

Safety assessment based on conventional tools (e.g. probability risk assessment (PRA)) may not be well suited for dealing with systems having a high level of uncertainty, particularly in the feasibility and concept design stages of a maritime or offshore system. By contrast, a safety model using fuzzy logic approach employing fuzzy IF–THEN rules can model the qualitative aspects of human knowledge and reasoning processes without employing precise quantitative analyses. A fuzzy-logic-based approach may be more appropriately used to carry out risk analysis in the initial design stages. This provides a tool for working directly with the linguistic terms commonly used in carrying out safety assessment. This research focuses on the development and representation of linguistic variables to model risk levels subjectively. These variables are then quantified using fuzzy sets. In this paper, the development of a safety model using fuzzy logic approach for modelling various design variables for maritime and offshore safety based decision making in the concept design stage is presented. An example is used to illustrate the proposed approach.     

Comparing transportation systems for inter-terminal transport at the Maasvlakte container terminals

In this paper, a comparison between three transportation systems for the overland transport of containers between container terminals is presented. A simulation model has been developed to assist in this respect. Transport in this study can be done by either multi-trailers, automated guided vehicles or automated lifting vehicles. The model is equipped with a rule-based control system as well as an advanced planning algorithm. The model is applied to a realistic scenario for the Maasvlakte situation in the near future. The experiments give insight into the importance of the different characteristics of the transport systems and their interaction with the handling equipment. Finally, a cost analysis has been executed to support management investment decisions.     

Safety propensity index for signalized and unsignalized intersections: Exploration and assessment

The objective of this study is to develop a safety propensity index (SPI) for both signalized and unsignalized intersections. Through the use of a structural equation modelling (SEM) approach safety is quantified in terms of multiple endogenous variables and related to various dimensions of exogenous variables. The singular valued SPI allows for identification of relationships between variables and lends itself well to a comparative analysis between models. The data provided by the Highway Safety Information System (HSIS) for the California transportation network was utilized for analysis. In total 22,422 collisions at unsignalized intersections and 20,215 collisions at signalized intersections (occurring between 2006 and 2010) were considered in the final models. The main benefits of the approach and the subsequent development of an SPI are (1) the identification of pertinent variables that effect safety at both intersection types, (2) the identification of similarities and differences at both types of intersections through model comparison, and (3) the quantification of safety in the form of an index such that a ranking system can be developed. If further developed, the adopted methodology may assist in safety related decision making and policy analysis.     

Determination of design alternatives and performance criteria for safety systems in a nuclear power plant via simulated annealing

This study presents an efficient methodology that derives design alternatives and performance criteria for safety functions/systems in commercial nuclear power plants. Determination of the design alternatives and intermediate-level performance criteria is posed as a reliability allocation problem. The reliability allocation is performed in a single step by means of the concept of two-tier noninferior solutions in the objective and risk spaces within the top-level probabilistic safety criteria (PSC). Two kinds of two-tier noninferior solutions are obtained: desirable design alternatives and intolerable intermediate-level PSC of safety functions/systems.The weighted Chebyshev norm (WCN) approach with an improved Metropolis algorithm in simulated annealing is used to find the two-tier noninferior solutions. This is very efficient in searching for the global minimum of the difficult multiobjective optimization problem (MOP) which results from strong nonlinearity of a probabilistic safety assessment (PSA) model and nonconvexity of the problem. The methodology developed in this study can be used as an efficient design tool for desirable safety function/system alternatives and for the determination of intermediate-level performance criteria.The methodology is applied to a realistic streamlined PSA model that is developed based on the PSA results of the Surry Unit 1 nuclear power plant. The methodology developed in this study is very efficient in providing the intolerable intermediate-level PSC and desirable design alternatives of safety functions/systems.     

The impact of the operating environment on the design of redundant configurations

Safety systems are often characterized by substantial redundancy and diversification in safety critical components. In principle, such redundancy and diversification can bring benefits when compared to single-component systems. However, it has also been recognized that the evaluation of these benefits should take into account that redundancies cannot be founded, in practice, on the assumption of complete independence, so that the resulting risk profile is strongly dominated by dependent failures. It is therefore mandatory that the effects of common cause failures be estimated in any probabilistic safety assessment (PSA). Recently, in the Hughes model for hardware failures and in the Eckhardt and Lee models for software failures, it was proposed that the stressfulness of the operating environment affects the probability that a particular type of component will fail. Thus, dependence of component failure behaviors can arise indirectly through the variability of the environment which can directly affect the success of a redundant configuration. In this paper we investigate the impact of indirect component dependence by means of the introduction of a probability distribution which describes the variability of the environment. We show that the variance of the distribution of the number, or times, of system failures can give an indication of the presence of the environment. Further, the impact of the environment is shown to affect the reliability and the design of redundant configurations.     

Issues related to structural aging in probabilistic risk assessment of nuclear power plants

Structural components and systems have an important safety function in nuclear power plants. Although they are essentially passive under normal operating conditions, they play a key role in mitigating the impact of extreme environmental events such as earthquakes, winds, fire and floods on plant safety. Moreover, the importance of structural components and systems in accident mitigation is amplified by common-cause effects. Reinforced concrete structural components and systems in NPPs are subject to a phenomenon known as aging, leading to time-dependent changes in strength and stiffness that may impact their ability to withstand various challenges during their service lives from operation, the environment and accidents. Time-dependent changes in structural properties as well as challenges to the system are random in nature. Accordingly, condition assessment of existing structures should be performed within a probabilistic framework. The mathematical formalism of a probabilistic risk assessment (PRA) provides a means for identifying aging structural components that may play a significant role in mitigating plant risk. Structural condition assessments supporting a decision regarding continued service can be rendered more efficient if guided by the logic of a PRA.