The article is devoted to the approach to the development of a process safety system according to IEC 61511 standards. With the development of technologies and increasing the speci c energy stored in the equipment, the issue of safety during operation becomes more urgent Adequacy of the decisions on safety measures made during early stages of planning the facilities and processes contributes to avoiding technological incidents and corresponding losses. The classi cation of safety measures is given, the model of risk reduction based on deterministic analysis of the process is considered. It is shown, that the task of changing the composition of safety measures can be represented as the knapsack discrete optimization problem, solution is based on the Cross entropy Monte-Carlo method. A numerical example is provided to illustrate the approach. The considered example contains a description of failure conditions, an analysis of the types and consequences of failures that could lead to accidents, and a list of safety measures. When solving the optimization problem used real reliability parameters and cost of equipment. Based on the simulation results, the optimal composition of safety measures providing cost minimization is given. This research is relevant to engineering departments, who specialize in planning and designing the technological solution. 1
With the development of technologies and increasing the speci c energy stored
in the equipment, the issue of safety during operation becomes more urgent
[
As the rst level of protection, we can consider a distributed control system
[
The purpose of this work is to solve the problem of optimization of the
choice of a set of safety measures used in SIS, with the provision of speci ed
safety requirements and cost [
A recommended way to classify barrier systems is shown in Figure 1.
However, note that active barrier systems often are based on a combination of
technical and human/operational elements. Even though di erent words are applied,
the classi cation in the fourth level in Figure 1 is similar to the classi cation
suggested by Hale [
As regards the continuous time aspect, some barrier systems are available (functioning continuously), while some are o -line (need to be activated). Further, some barriers are permanent, while some are temporary. Permanent barriers are implemented as an integrated part of the whole operational life cycle, while temporary barriers only are used in a speci ed time period, often during speci c activities or conditions.
Authors [
Risk reduction of Equipment under control (EUC) or technological process
is shown in Figure 2. Barriers of this type cannot prevent the development of
the accident, but can activate other barriers that will do this. Human
(organizational) (average e ciency). Contribute to the control of a process or
activity. This type of barrier can reduce the probability of the triggering event by
strengthening other barriers or preventing them from being weakened, but if a
potentially dangerous event has already been initiated, then this type of barrier,
o en can prevent its development, or reduce the consequences. The following
subcategories are distinguished: types of barriers: procedural (inspections and
observations, control tools, process management, work risk assessment, work
permit system etc.); human (operational) (control by the operator, supervision,
periodic detours, etc.). Fundamental (low e ciency in the immediate vicinity
of the event). Their e ect is divided in time from the occurrence of the threat
to the implementation of the factor risk. However, fundamental barriers make a
huge di erence an important and e ective contribution to the safety of the
system by checks and controls for vulnerabilities system and the original causes of
failures. The following subcategories are distinguished this type of barriers: the
fundamental procedural (analysis of the project, assessment of commissioning,
checking the internal regulations, analysis of operation, con rmation of
qualication); fundamental human (good health of workers, etc.) [
The problem of optimizing the composition of the SIS is to select the necessary
and su cient set of sensors, logic elements and nal performers, taking into
account the constraints on the budget of the project. IEC 61511 [
The level of risk reduction taking into account safety barriers is shown in the Figure 3.
The probability of failure of safety measures can be determined by q(t) = e t, where is the equipment failure rate.
In general, can introduce 8 n > min P (Sj bi) >>>>> n i=1 >< P (qi) Q qlbojckj Q qdbjiagj Q qebmjsj < qreq1
i=1 >> ::: >>>:>> iP=n1(qi) Q qlbojckj Q qdbjiagj Q qebmjsj < qreqn (1) qi - probability of failure of the i-th component of the process system, Sj { the cost of implementing the j-th safety measure, qlockj - the probability of failure of the j-th lock; qemsj { the probability of failure of j-th emergency stop; qdiagj -probability of failure of the j-th diagnosis, revealing preemergency conditions; qreq - the probability of occurrence of a dangerous situation, speci ed in regulations or determined during the analysis.
The problem of optimization of the choice of safety measures is a modi cation
of the "backpack Problem" [
j=1 n P (!i;j xj ) < cj ; i 2 1::m j=1 where pj and !i;j are weights, and ci is a cost, and x = (x1; :::; xn).
The backpack problem can be solved in several ways: the method of dynamic
programming [
S(x ) = = max S(x) x2X
Optimization problem can be related to the calculation of probability l =
P (S(X) ), where X has some probability density f (x; u) on the set X (for
example, having a uniform distribution density) and is close to the unknown
. As is correct, l is the probability of a rare event, so a sampling-by-signi cance
approach can be used. Thus, sampling from such a distribution yields optimal
or nearly optimal values. The last value = is usually unknown, but using
statistical modeling, a sequence ^t is formed at each step of the simulation, which
tends to the optimal , as well as at each step the change of the modeled vector
v^ is xed [
Algorithm 1. Choose the initial vector of parameters v^0, let N e = [eN ]. Take the counter t = 1; 2. Generate N random vectors X1; :::; XN with density f ( ; v^t 1), determine the values of S(Xi) for all i, and arrange them in ascending order from smaller to larger: S(1) ::: S(N ). Let t be the (1 e) quantile of the obtained values, thus ^t = S(N Ne+1); 3. Using the same sample of random vectors X1; :::; XN solve the equation n maxv N1 P IS(Xk) v^0 ln f (Xk; n) denote the solution as v^t;
i=1 4. If the stop criterion is reached, then end the algorithm, otherwise change the counter t = t + 1 and proceed to step 2. 4
4.1
As an example, we will consider the fuel supply subsystem shown at g. 1, it includes a xed volume tank (Tank), a level sensor (LV), a pumping valve to the next section of the process (V1) and a feed pump (PD) with a control system implemented on the control unit (CU). During the preliminary analysis, it was revealed that two dangerous conditions are possible at this site: the occurrence of a re and its propagation, as well as tank over ow. Assume that the required probability of preventing the development of re and exceeding the level in the tank should be less than 1 10 5 and 1 10 4 per year, respectively.
Modeling of safety-related systems is based on the theory of reliability. IEC
61511 [
Taking into account various variants of implementation of safety measures it is possible to receive the following optimization problem: 8 9 >> min P (Sj bj ) < j=1 >> (qtank)qDb11 qDb22 qSb61 qSb83 + (qP D:H )qDb33 qDb44 qSb61 < qfire = 10 5 : (qLV:F )qDb65 qDb22 qSb83 + (qP D:F )qSb72 qSb83 + (qCU:F )qSb72 qSb83 qLb91 < qo:l: = 10 4 (4)
It is needed to nd the vector B = fb1; b2::b9g, at which (1) is executed, on a set of initial data from table. 2-3. For example, the vector B = f1; 0; 1; 0; 0; 0; 1; 0; 0g means that as part of the safety instrument system, safety measures are used: monitoring the condition of the tank body by the ultrasonic method (D1), monitoring the condition of the feed pump windings (D3), emergency opening of the drain valve (Z3). The total number of combinations 29 = 512. 4.2
The initial data on the reliability of the equipment of the production line and safety measures are presented in tab. 2. and tab. 3, respectively. m Where = P pj . In this case, S(x) < 0 if one of the inequalities fails and j=1 S (x)= if satis ed. Since the vector x is binary, the multivariate Bernoulli distribution with density f(x,v)= is chosen as the initial distribution. As initial parameters we will accept the following N = 102 and N e = 10, and v^0 = (1=2; :::; 1=2). # safety measures qD1 Control of the body condition by ultrasonic
method qD2 Magneto resistive monitoring device qD3 Control condition of winding qD4 Housing temperature control qD5 Monitoring of the sensor status by initial test qS1 The inclusion of the re pump and water ow qS2 Emergency stop of process equipment (pump) qS3 Emergency opening of the discharge valve qL1 Pump control limitation at 70 % of tank volume We will not use the mixing parameter to de ne v^0( v^t will be as follows: = 1), so at each iteration m v^t;j = kP=1 IS(X^k) ^0 Xk;j m kP=1 IS(X^k) ^0 ; j = 1; ::; n (6) Where Xk;j is the j-th component of the k-th random vector X^ . The expression is used as a stop criterion dt = 1mjaxnfmin fv^t; 1 v^tgg 0:01 . For each population t of generated values, calculate the threshold ^0 and the largest value S(Xk) and the value of the stop criterion dt. 4.4
To demonstrate the convergence of the method, 100 independent modeling cycles were performed. In each cycle, changes in the density of the vector v^t were recorded after calculation using the formula (6). Fig. 4 present average change value of the parameter vector while 100 independent iteration.
The nal decision, the value of the vector v^t corresponds to the following composition of equipment and measures: the application of monitoring the condition of the pump winding's, and the emergency opening of the drain valve. Vector B = f0; 0; 1; 0; 0; 0; 1; 0; 0g is optimal, with total cost S=210, and qfire = 4:99 10 07 and qo:f: = 7:43 10 07.
The results of the dynamics of the vector v^t is presented in g. 5. 5
The paper presents a method of bringing the problem of optimization of a set of safety measures provided in the SIS to the problem of discrete optimization. The method of statistical modeling with signi cance sampling was used as a solution method. The obtained solution corresponds to the solution obtained by brute force. The obtained result can serve as a basis for the development of the requirements speci cation in accordance with the requirements for the life cycle of the system. Development of a risk model including safety barriers that may prevent, control, or mitigate accident scenarios with in-depth modeling of barrier performance allows explicit modeling of functional common cause failures (e.g., failures due to functional dependencies on a support system). The classi cation of safety measures is given, the model of risk reduction based on deterministic analysis of the process is considered. It is shown, that the task of changing the composition of safety measures can be represented as the knapsack discrete optimization problem, solution is based on the Cross entropy MonteCarlo method. A numerical example is provided to illustrate the approach. The considered example contains a description of failure conditions, an analysis of the types and consequences of failures that could lead to accidents, and a list of safety measures. When solving the optimization problem used real reliability parameters and cost of equipment. Based on the simulation results, the optimal composition of safety measures providing cost minimization is given.