=Paper= {{Paper |id=Vol-2590/paper11 |storemode=property |title=Safety Measures Optimization for Complex Technological System |pdfUrl=https://ceur-ws.org/Vol-2590/paper11.pdf |volume=Vol-2590 |authors=Aleksandr Moshnikov |dblpUrl=https://dblp.org/rec/conf/micsecs/Moshnikov19 }} ==Safety Measures Optimization for Complex Technological System== https://ceur-ws.org/Vol-2590/paper11.pdf
      Safety Measures Optimization for Complex
                Technological System

                     Aleksandr Moshnikov (ORCID 0000-0002-3689-2472)

             ITMO University, 49 Kronverksky Pr., St. Petersburg, Russia
                            moshnikov.alex@gmail.com




        Abstract. The article describes an approach to the development of a
        process safety system according to the IEC 61511 standard. With the
        development of technologies and the increase of the specific energy
        stored in equipment, the issue of safety during operation becomes more
        urgent. Adequacy of the decisions on safety measures made during the
        early stages of planning facilities and processes helps to avoid
        technological incidents and the corresponding losses. A classification
        of safety measures is given, and a model of risk reduction based on a
        deterministic analysis of the process is considered. It is shown that
        the task of changing the composition of safety measures can be
        represented as a knapsack discrete optimization problem, and a solution
        based on the cross-entropy Monte-Carlo method is proposed. A numerical
        example illustrates the approach. The example contains a description of
        failure conditions, an analysis of the types and consequences of
        failures that could lead to accidents, and a list of safety measures.
        Real reliability parameters and equipment costs are used when solving
        the optimization problem. Based on the simulation results, the
        composition of safety measures that minimizes cost while meeting the
        risk targets is given. This research is relevant to engineering
        departments that specialize in planning and designing technological
        solutions.

        Keywords: Safety measures · Safety instrumented system · Discrete
        optimization · Monte-Carlo method · System reliability.



1     Introduction

With the development of technologies and the increase of the specific energy
stored in equipment, the issue of safety during operation becomes more urgent
[1]. To ensure safety, emergency protection systems are widely used. The
development of such protection systems is governed by the international
standard IEC 61511 [13], which introduces the term "safety instrumented system"
(SIS) and defines it as a system consisting of sensors, logic solvers and final
elements that together implement one or more safety instrumented functions.
Such a system may contain a set of safety features that act as layers or
barriers, providing risk reduction by defence in depth.

    Copyright © 2019 for this paper by its authors. Use permitted under Creative
    Commons License Attribution 4.0 International (CC BY 4.0).
    The first layer of protection is the distributed control system [2], which
keeps the process within its normal operating envelope and generates the
control actions during normal operation of the equipment. The next barrier is
the emergency shutdown system (implemented on the SIS), which brings the
equipment to a safe controlled state. Designing the SIS for an industrial
facility involves the choice of architecture, the nomenclature of components,
the maintenance regime, and additional measures that guarantee the required
performance [3].
    The purpose of this work is to solve the problem of optimizing the choice
of the set of safety measures used in the SIS, subject to specified safety
requirements and cost [4].
    A recommended way to classify barrier systems is shown in Figure 1. Note,
however, that active barrier systems are often based on a combination of
technical and human/operational elements. Although different words are used,
the classification at the fourth level of Figure 1 is similar to the
classification suggested by Hale [8]. A safety barrier is a physical and/or
non-physical means planned to prevent, control, or mitigate undesired events
or accidents.
    As regards the time aspect, some barrier systems are continuously available
(functioning continuously), while others are off-line (they need to be
activated). Further, some barriers are permanent, while others are temporary.
Permanent barriers are implemented as an integrated part of the whole
operational life cycle, while temporary barriers are used only in a specified
time period, often during specific activities or conditions.




                Fig. 1. Safety barrier classification, adopted from [3]


    The authors of [9] note that identifying technical (physical) safety
barriers is usually quite simple, but when the safety barrier includes an
action (for example, the operator's response to an alarm), one should be
careful to distinguish between the action itself, which performs the barrier
function, and the factors that help the operator make the correct decision
(technological instructions, training, precise presentation of information,
etc.). [10] offers a somewhat different classification of safety barriers,
based on an evaluation of their effectiveness in the event of a potentially
dangerous situation. Depending on the degree of effectiveness (high, medium,
low), the following types of safety barriers are distinguished.
    Technical barriers (high effectiveness) can prevent the spread of risk
factors, reduce the risk of a situation, mitigate the consequences, or reduce
the likelihood of risk factors [10]. If a technical barrier fails, the threat
is transferred to the next technical barrier on the path to the potentially
dangerous event (until the triggering event is reached). The same applies to
the further escalation from the triggering event to the consequences. The
following subcategories of technical barriers are distinguished: technical
barriers that are triggered on demand (emergency cut-off valve, drencher
system, emergency tank); passive technical barriers, which operate permanently
and perform the barrier function by their mere presence (safety valve, bund,
fire-proof and explosion-proof partitions, etc.); and technical control
barriers, which activate other barriers that prevent or mitigate the
consequences of a dangerous event (gas detectors, fire alarm system, accident
notification system, etc.). Barriers of the last type cannot prevent the
development of the accident themselves, but they can activate other barriers
that will do so.
    Human (organizational) barriers (medium effectiveness) contribute to the
control of a process or activity. This type of barrier can reduce the
probability of the triggering event by strengthening other barriers or
preventing them from being weakened; once a potentially dangerous event has
been initiated, a barrier of this type can often prevent its development or
reduce the consequences. The following subcategories are distinguished:
procedural (inspections and observations, control tools, process management,
work risk assessment, work permit system, etc.) and human (operational)
(control by the operator, supervision, periodic rounds, etc.).
    Fundamental barriers (low effectiveness in the immediate vicinity of the
event) are separated in time from the occurrence of the threat to the
realization of the risk factor. Nevertheless, fundamental barriers make an
important and effective contribution to the safety of the system through
checks and controls that look for vulnerabilities of the system and for the
root causes of failures. The following subcategories of this type are
distinguished: fundamental procedural (design review, commissioning
assessment, checking of internal regulations, analysis of operation,
confirmation of qualification) and fundamental human (good health of workers,
etc.) [11].
    The risk reduction for the equipment under control (EUC) or technological
process is shown in Figure 2.




 Fig. 2. Risk reduction of Equipment under control (EUC) or technological process



    A number of standards and guidelines have been issued to assist in
designing, implementing, and maintaining reliable SISs. The most important of
these is the international standard IEC 61511 [13], a generic standard that
outlines key requirements for all phases of the SIS life cycle.


2   Problem statement
The problem of optimizing the composition of the SIS is to select the
necessary and sufficient set of sensors, logic solvers and final elements,
taking into account the constraints on the project budget. IEC 61511 [13]
suggests that the introduction of any safety measure should be considered by
applying the ALARP (as low as reasonably practicable) principle of risk
reduction [14].
    The level of risk reduction achieved by the safety barriers is shown in
Figure 3.
    The probability that a component fails within the time t can be determined
by $q(t) = 1 - e^{-\lambda t}$, where λ is the equipment failure rate ($e^{-\lambda t}$
is the probability of surviving the interval). This is the form used for the
per-year probabilities in Table 2, with t = 8760 h and the failure rate
multiplied by the factor α given there.
    In general, the problem can be written as

$$
\begin{cases}
\min \sum_{j} S_j b_j \\[4pt]
\sum_{i=1}^{n} q_i \prod_{j} q_{lock_j}^{b_j} \prod_{j} q_{diag_j}^{b_j} \prod_{j} q_{ems_j}^{b_j} < q_{req_1} \\
\quad \dots \\
\sum_{i=1}^{n} q_i \prod_{j} q_{lock_j}^{b_j} \prod_{j} q_{diag_j}^{b_j} \prod_{j} q_{ems_j}^{b_j} < q_{req_n}
\end{cases}
\qquad (1)
$$

where
   $q_i$ - probability of failure of the i-th component of the process system;
   $b_j \in \{0, 1\}$ - equals 1 if the j-th safety measure is included in the SIS and 0 otherwise;
   $S_j$ - the cost of implementing the j-th safety measure;
   $q_{lock_j}$ - the probability of failure of the j-th interlock;
   $q_{ems_j}$ - the probability of failure of the j-th emergency stop;
   $q_{diag_j}$ - the probability of failure of the j-th diagnostic function that reveals
pre-emergency conditions;




       Fig. 3. Model of Risk Reduction layers. A) general view, B) SIS view


   $q_{req}$ - the admissible probability of occurrence of the dangerous situation,
specified in regulations or determined during the analysis. In each inequality
the sum runs over the components whose failure initiates the corresponding
dangerous event, and each product runs over the measures that act on that
component (see equation (4) below).


3     Approach to problem solving
3.1   Optimization
The problem of optimizing the choice of safety measures is a modification of
the knapsack problem [6], a class of combinatorial optimization problems, which
can be formulated as follows:

$$
\max_{x} \sum_{j=1}^{n} p_j x_j, \quad x_j \in \{0, 1\},\ j = 1..n, \qquad
\sum_{j=1}^{n} \omega_{i,j} x_j < c_i, \quad i = 1..m
\qquad (2)
$$

    where $p_j$ and $\omega_{i,j}$ are weights, $c_i$ is a capacity (cost) bound, and
$x = (x_1, \dots, x_n)$.
    The knapsack problem can be solved in several ways: dynamic programming
[7]; brute force; branch and bound [16]; and statistical modeling. Consider the
application of the statistical modeling method. In general, the approach can be
stated as follows: find the maximum of the function S(x) on a given set X.
Assume that the maximum is achieved for only one value of the parameter $x^*$,
and denote the maximum by $\gamma^*$:

$$
S(x^*) = \gamma^* = \max_{x \in X} S(x) \qquad (3)
$$

    The optimization problem can be related to the calculation of the
probability $l = P(S(X) \ge \gamma)$, where X has some probability density
$f(x; u)$ on the set X (for example, the uniform density) and γ is close to the
unknown $\gamma^*$. As a rule, l is the probability of a rare event, so an
importance sampling approach can be used. Sampling from such a distribution
then yields optimal or nearly optimal values. The value $\gamma^*$ is usually
unknown, but with statistical modeling a sequence $\hat{\gamma}_t$ is formed at
each step of the simulation which tends to the optimal $\gamma^*$, while at each
step the change of the modeled parameter vector $\hat{v}_t$ is recorded [15].


3.2   Algorithm

1. Choose the initial parameter vector $\hat{v}_0$ and let $N_e = \lceil \rho N \rceil$,
where ρ is the elite fraction. Set the counter t = 1.
2. Generate N random vectors $X_1, \dots, X_N$ with density $f(\cdot; \hat{v}_{t-1})$,
compute the values $S(X_i)$ for all i, and arrange them in ascending order:
$S_{(1)} \le \dots \le S_{(N)}$. Let $\hat{\gamma}_t$ be the (1 − ρ) sample quantile of
the obtained values, that is $\hat{\gamma}_t = S_{(N - N_e + 1)}$.
3. Using the same sample $X_1, \dots, X_N$, solve

$$
\max_{v} \frac{1}{N} \sum_{k=1}^{N} I_{\{S(X_k) \ge \hat{\gamma}_t\}} \ln f(X_k; v)
$$

and denote the solution by $\hat{v}_t$.
4. If the stop criterion is reached, end the algorithm; otherwise increment the
counter, t = t + 1, and return to step 2.


4     Numerical example

4.1   Brief description of the model

As an example, we consider the fuel supply subsystem shown in Fig. 1; it
includes a fixed-volume tank (Tank), a level sensor (LV), a transfer valve to
the next section of the process (V1) and a feed pump (PD) with a control system
implemented on the control unit (CU). During the preliminary analysis it was
revealed that two dangerous conditions are possible at this site: the
occurrence of a fire and its propagation, and tank overflow. Assume that the
probabilities of occurrence of a fire and of exceeding the level in the tank
must be less than $1 \cdot 10^{-5}$ and $1 \cdot 10^{-4}$ per year, respectively.
    Modeling of safety-related systems is based on reliability theory. IEC
61511 [13] offers the following methods for assessing reliability: quantitative
evaluation using simplified equations based on reliability block diagrams, and
fault tree analysis. In some cases Markov analysis can be used; this more
complex approach allows working with dynamic models that take into account the
development of failures over time. The qualitative analysis in the form of a
Failure Mode and Effect Analysis (FMEA) in accordance with [13] is given in
Table 1.




                   Table 1. FMEA of technological subsystem.

Element         Failure type            Consequences         Safety measures
Tank            Destruction of the hull Fire                 D1 - control of the hull by ultrasonic control device;
                                                             D2 - magneto-resistive monitoring device;
                                                             H1 - switching on the fire pump and water supply;
                                                             H3 - emergency opening of the emergency drain
Level sensor    False values            Exceeding the limit  D5 - monitoring of the sensor;
                                                             Z2 - emergency stop of process equipment (pump);
                                                             H3 - emergency opening of drain valve
Level sensor    Absence of values       Shutdown             not required
Feed pump       Feed loss               Shutdown             not required
Feed pump       Overheat                Fire                 D3 - monitoring the state of the windings;
                                                             D4 - housing temperature control;
                                                             H1 - switching on the fire pump and water supply
Feed pump       False start             Exceeding the limit  Z2 - emergency stop of process equipment (pump);
                                                             H3 - emergency opening of drain valve
Transfer valve  Failure to respond      Shutdown             not required
Transfer valve  False opening           Shutdown             not required
Control system  Loss of control signal  Shutdown             not required
Control system  Erroneous command       Exceeding the limit  Z2 - emergency stop of process equipment (pump);
                                                             B1 - pump control limitation at 70 % of the tank volume;
                                                             H3 - emergency opening of drain valve

    Taking into account the various possible implementations of the safety
measures, the following optimization problem is obtained:

$$
\begin{cases}
\min \sum_{j=1}^{9} S_j b_j \\[4pt]
q_{tank}\, q_{D1}^{b_1} q_{D2}^{b_2} q_{S1}^{b_6} q_{S3}^{b_8} + q_{PD.H}\, q_{D3}^{b_3} q_{D4}^{b_4} q_{S1}^{b_6} < q_{fire} = 10^{-5} \\[4pt]
q_{LV.F}\, q_{D5}^{b_5} q_{S2}^{b_7} q_{S3}^{b_8} + q_{PD.F}\, q_{S2}^{b_7} q_{S3}^{b_8} + q_{CU.F}\, q_{S2}^{b_7} q_{S3}^{b_8} q_{L1}^{b_9} < q_{o.l.} = 10^{-4}
\end{cases}
\qquad (4)
$$

    Here the components of the vector $B = \{b_1, b_2, \dots, b_9\}$ follow the
order of the measures in Table 3 (D1, D2, D3, D4, D5, S1, S2, S3, L1); the codes
H1, Z2, H3 and B1 of Table 1 correspond to S1, S2, S3 and L1 of Table 3. It is
required to find the vector B for which (4) is satisfied at minimum cost, on the
set of initial data from Tables 2 and 3. For example, the vector
B = {1, 0, 1, 0, 0, 0, 0, 1, 0} means that the safety instrumented system uses
the following measures: monitoring of the condition of the tank body by the
ultrasonic method (D1), monitoring of the condition of the feed pump windings
(D3), and emergency opening of the drain valve (S3). The total number of
combinations is $2^9 = 512$.


4.2     Initial data

The initial data on the reliability of the equipment of the production line and
of the safety measures are presented in Table 2 and Table 3, respectively.


                               Table 2. Dangerous failure rate

Event                                   Code      FR, h^-1    α      Probability per year
Tank. Destruction                       q_tank    1 · 10^-7   80 %   7.01 · 10^-4
Feed pump. Overheating                  q_PD.H    1 · 10^-5   50 %   4.29 · 10^-2
Level sensor. False values              q_LV.F    1 · 10^-6   30 %   2.62 · 10^-3
Feed pump. False start                  q_PD.F    1 · 10^-5    5 %   4.37 · 10^-3
Control system. Erroneous response      q_CU.F    1 · 10^-6    5 %   4.38 · 10^-4

    Here FR is the dangerous failure rate λ and α is the factor applied to it for
the given failure mode; the probability per year equals $1 - e^{-\alpha \lambda t}$
with t = 8760 h.
    The fuel supply subsystem operates 8760 hours a year; without safety
measures $q_{fire} = 4.36 \cdot 10^{-2}$ and $q_{o.l.} = 7.43 \cdot 10^{-3}$.


4.3     Optimization parameters

For optimization we introduce a single target function:

$$
S(x) = \mu \sum_{i=1}^{m} I_{\{\sum_{j} \omega_{i,j} x_j > c_i\}} + \sum_{j=1}^{n} p_j x_j \qquad (5)
$$

    where $\mu = -\sum_{j=1}^{n} p_j$. In this case $S(x) < 0$ if one of the
inequalities is violated and $S(x) \ge 0$ if all are satisfied, so an infeasible
vector never outranks a feasible one. Since the vector x is binary, the
multivariate Bernoulli distribution with independent components and density
$f(x; v)$ is chosen as the initial distribution. As initial parameters we take
$N = 10^2$, $N_e = 10$ and $\hat{v}_0 = (1/2, \dots, 1/2)$.

                     Table 3. Baseline data on safety measures

 b_j  #     Safety measure                                     Cost, c.u.   Probability of failure per year
 b1   qD1   Control of the body condition by ultrasonic method   100          1.00 · 10^-3
 b2   qD2   Magneto-resistive monitoring device                  200          1.00 · 10^-3
 b3   qD3   Control of winding condition                          10          1.00 · 10^-5
 b4   qD4   Housing temperature control                           25          1.00 · 10^-4
 b5   qD5   Monitoring of the sensor status by initial test       10          1.00 · 10^-5
 b6   qS1   Switching on the fire pump and water supply          400          1.00 · 10^-3
 b7   qS2   Emergency stop of process equipment (pump)           200          1.00 · 10^-3
 b8   qS3   Emergency opening of the discharge (drain) valve     200          1.00 · 10^-4
 b9   qL1   Pump control limitation at 70 % of tank volume         5          1.00 · 10^-4



We will not use the smoothing parameter when updating $\hat{v}_t$ (smoothing
parameter α = 1, not to be confused with the factor α of Table 2), so at each
iteration $\hat{v}_t$ is computed as

$$
\hat{v}_{t,j} = \frac{\sum_{k=1}^{N} I_{\{S(X_k) \ge \hat{\gamma}_t\}} X_{k,j}}{\sum_{k=1}^{N} I_{\{S(X_k) \ge \hat{\gamma}_t\}}}, \quad j = 1, \dots, n \qquad (6)
$$

where $X_{k,j}$ is the j-th component of the k-th random vector $X_k$. The
expression $d_t = \max_{1 \le j \le n} \min\{\hat{v}_{t,j}, 1 - \hat{v}_{t,j}\} \le 0.01$
is used as the stop criterion. For each population t of generated values, the
threshold $\hat{\gamma}_t$, the largest value $S(X_k)$ and the value of the stop
criterion $d_t$ are calculated.
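The complete computation of Sections 4.1 to 4.3, from the per-year failure
probabilities of Table 2 through the penalized objective (5) and the Bernoulli
update (6), as an added example in Python; this is not code from the paper.
Assumptions beyond the page: the per-year values of Table 2 are computed as
1 − exp(−αλt) with t = 8760 h, which reproduces the table to three digits; the
weights p_j of (5) are taken as the negated costs −S_j, so that maximizing S(x)
minimizes cost; the vector b follows the order of Table 3 (D1, D2, D3, D4, D5,
S1, S2, S3, L1); the random seed and the iteration cap are arbitrary. A
brute-force enumeration of all 512 vectors is included as the reference the
paper compares its result against.

```python
"""Added example (not the paper's code): equations (4)-(6) with the data of
Tables 2 and 3, solved by the cross-entropy method and checked by brute force."""
import math
import random

HOURS_PER_YEAR = 8760

# Table 2: dangerous failure rate (1/h) and the factor alpha.  Assumption: the
# per-year probabilities in the table are 1 - exp(-alpha * lambda * t), t = 8760 h.
INITIATORS = {"tank": (1e-7, 0.80), "PD.H": (1e-5, 0.50), "LV.F": (1e-6, 0.30),
              "PD.F": (1e-5, 0.05), "CU.F": (1e-6, 0.05)}

# Table 3 in the order b1..b9 (assumed ordering of the vector B): cost in c.u.
# and probability of failure per year of each safety measure.
MEASURES = ["D1", "D2", "D3", "D4", "D5", "S1", "S2", "S3", "L1"]
COST = [100, 200, 10, 25, 10, 400, 200, 200, 5]
PFD = [1e-3, 1e-3, 1e-5, 1e-4, 1e-5, 1e-3, 1e-3, 1e-4, 1e-4]
Q_FIRE_REQ, Q_OL_REQ = 1e-5, 1e-4          # right-hand sides of (4)


def failure_probability(rate, alpha, hours=HOURS_PER_YEAR):
    """P(dangerous failure within `hours`) for an exponential lifetime model."""
    return 1.0 - math.exp(-alpha * rate * hours)


Q = {name: failure_probability(r, a) for name, (r, a) in INITIATORS.items()}


def residual_risk(b):
    """Left-hand sides of the two inequalities of (4) for the 0/1 vector b."""
    def reduction(*names):
        # product of q_j^{b_j} over the measures that act on this initiating event
        factor = 1.0
        for name in names:
            j = MEASURES.index(name)
            factor *= PFD[j] ** b[j]
        return factor

    q_fire = (Q["tank"] * reduction("D1", "D2", "S1", "S3")
              + Q["PD.H"] * reduction("D3", "D4", "S1"))
    q_ol = (Q["LV.F"] * reduction("D5", "S2", "S3")
            + Q["PD.F"] * reduction("S2", "S3")
            + Q["CU.F"] * reduction("S2", "S3", "L1"))
    return q_fire, q_ol


def objective(b):
    """Equation (5) with p_j = -S_j (cost is minimised) and mu = -sum(S_j):
    every infeasible vector scores below every feasible one."""
    q_fire, q_ol = residual_risk(b)
    violations = int(q_fire >= Q_FIRE_REQ) + int(q_ol >= Q_OL_REQ)
    return -sum(COST) * violations - sum(c * x for c, x in zip(COST, b))


def cross_entropy(n_samples=100, n_elite=10, tol=0.01, seed=1, max_iter=200):
    """Steps 1-4 of Section 3.2 with the Bernoulli update (6), smoothing alpha = 1.
    Returns (best vector seen, its cost)."""
    rng = random.Random(seed)                       # seed is arbitrary
    v = [0.5] * len(MEASURES)                       # v_0 = (1/2, ..., 1/2)
    best, best_score = None, -math.inf
    for _ in range(max_iter):
        sample = [[int(rng.random() < vj) for vj in v] for _ in range(n_samples)]
        scored = sorted((objective(b), b) for b in sample)      # S_(1) <= ... <= S_(N)
        gamma = scored[n_samples - n_elite][0]                  # (1 - rho) quantile
        elite = [b for s, b in scored if s >= gamma]
        if scored[-1][0] > best_score:
            best_score, best = scored[-1]
        v = [sum(b[j] for b in elite) / len(elite) for j in range(len(MEASURES))]
        if max(min(vj, 1.0 - vj) for vj in v) <= tol:          # stop criterion d_t
            break
    return best, -best_score


def brute_force():
    """Enumerate all 2**9 = 512 vectors; the reference the paper compares against."""
    n = len(MEASURES)
    score, b = max((objective([(i >> j) & 1 for j in range(n)]),
                    [(i >> j) & 1 for j in range(n)]) for i in range(2 ** n))
    return b, -score


if __name__ == "__main__":
    b, cost = cross_entropy()
    print("CE solution:", dict(zip(MEASURES, b)), "cost", cost, "risk", residual_risk(b))
    print("brute force:", brute_force())
```

The penalty constant −ΣS_j makes the objective of any vector violating a risk
target lower than that of any feasible vector, so the elite sample is drawn
only from feasible vectors once a single one has been seen; the stop criterion
d_t ≤ 0.01 is met exactly when every component of v has collapsed to 0 or 1,
which with N_e = 10 happens as soon as all elite vectors are identical.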

4.4   Modeling results
To demonstrate the convergence of the method, 100 independent modeling runs
were performed. In each run, the changes of the parameter vector $\hat{v}_t$ were
recorded after calculation by formula (6). Fig. 4 presents the change of the
parameter vector averaged over the 100 independent runs.
    The final decision, the value of the vector $\hat{v}_t$, corresponds to the
following composition of equipment and measures: monitoring of the condition
of the pump windings (D3) and emergency opening of the drain valve (S3). In the
order of Table 3 this is the vector B = {0, 0, 1, 0, 0, 0, 0, 1, 0}, which is
optimal with total cost S = 210 c.u., $q_{fire} = 4.99 \cdot 10^{-7}$ and
$q_{o.l.} = 7.43 \cdot 10^{-7}$ (by (4): $7.01 \cdot 10^{-4} \cdot 10^{-4} + 4.29 \cdot 10^{-2} \cdot 10^{-5}$
and $7.43 \cdot 10^{-3} \cdot 10^{-4}$, respectively).
    The dynamics of the vector $\hat{v}_t$ are presented in Fig. 5.


5     Conclusion
The paper presents a method for reducing the problem of optimizing the set of
safety measures provided in the SIS to a problem of discrete optimization. The
method of statistical modeling with importance sampling (the cross-entropy
method) was used as the solution method. The obtained solution coincides with
the solution obtained by brute force over all 512 combinations. The result can
serve as a basis for the development of the requirements specification in
accordance with the requirements for the life cycle of the system. Development
of a risk model that includes safety barriers which may prevent, control, or
mitigate accident scenarios, with in-depth modeling of barrier performance,
allows explicit modeling of functional common-cause failures (e.g., failures
due to functional dependencies on a support system). A classification of safety
measures was given and a model of risk reduction based on a deterministic
analysis of the process was considered. It was shown that the task of changing
the composition of safety measures can be represented as a knapsack discrete
optimization problem whose solution is based on the cross-entropy Monte-Carlo
method. The numerical example contains a description of failure conditions, an
analysis of the types and consequences of failures that could lead to
accidents, and a list of safety measures; real reliability parameters and
equipment costs were used, and the composition of safety measures that
minimizes cost while meeting the risk targets was obtained.




                Fig. 4. Averaged difference of vector values




               Fig. 5. Dynamics of the probability vector v̂t

References
 1. V. A. Bogatyrev On interconnection control in redundancy of local network buses
    with limited availability. 1999. Engineering Simulation, 16 (4), pp. 463-469
 2. Bogatyrev V. A. , Bogatyrev S. V. , Bogatyrev A. V. , ”Model and Interaction Ef-
    ficiency of Computer Nodes Based on Transfer Reservation at Multipath Routing,”
    2019 Wave Electronics and its Application in Information and Telecommunication
    Systems (WECONF), Saint-Petersburg, Russia, 2019, pp. 1-4. doi: 10.1109/WE-
    CONF.2019.8840647
 3. Bogatyrev A. V. , Bogatyrev V. A , Bogatyrev S. V. , ”Multipath Redundant Trans-
    mission with Packet Segmentation,” 2019 Wave Electronics and its Application in
    Information and Telecommunication Systems (WECONF), Saint-Petersburg, Rus-
    sia, 2019, pp. 1-4. doi: 10.1109/WECONF.2019.8840643
 4. Yury Redutskiy.: Optimization of safety instrumented system design and mainte-
    nance frequency for oil and gas industry processes. Management and Production
    Engineering Review Volume 8, Number 1
 5. Marengo. C.R., J. Flores, A.L. Molina, R. Román, V. C. Vázquez, M. S. Mannan:
    A formulation to optimize the risk reduction process based on LOPA, J. Loss Prev.
    Proc. Ind., 1-6, 2012.
 6. Andonov, Rumen; Poirriez, Vincent; Rajopadhye, Sanjay (2000). ”Unbounded
    Knapsack Problem : dynamic programming revisited”. European Journal of Oper-
    ational Research. 123 (2): 168–181.
 7. S. Martello, D. Pisinger, P. Toth, Dynamic programming and strong bounds for
    the 0-1 knapsack problem, Manag. Sci., 45:414–424, 1999.
 8. Hale, A., Note on barriers and delivery systems, PRISM conference, Athens, 2003.
 9. Safety barrier function analysis in a process industry: A nuclear power application/
    L.J. Kecklund, A. Edland, P. Wedin, O. Svenson// Industrial Ergonomics. — 1996.
    — Vol. 17. — Iss. 3. — P. 275–284
10. Delvosalle C., Fievez C., Pipart A. Accidental Risk Assessment Methodology For
    Industries in the context of the Seveso II directive. Deliverable D.1C. WP1. —
    Mons: Major Risk Research Centre, 2004.
11. Svenson O. The accident evolution and barrier function (AEB) model applied to
    incident analysis in the processing industries// Risk Analysis. — 1991. — Vol. 11.
    — Iss. 3. — P. 499–507.
12. R. Y. Rubinstein. Combinatorial optimization, cross-entropy, ants and rare events.
    In S. Uryasev and P. M. Pardalos, editors, Stochastic Optimization:Algorithms and
    Applications, pages 304–358, Dordrecht, 2001. Kluwer.
13. International Electrotechnical Commission (IEC), 61511 Functional safety – safety
    instrumented system for the process industry sector, IEC, Geneva, Switzerland,
    2003.
14. Smith. D.J. and Simpson. K.J.L, Functional safety: A straightforward guide to
    applying IEC 61508 and related standards, 2nd edition, Elsevier Butterworth-
    Heinemann, 2004.
15. R. Y. Rubinstein and D. P. Kroese.: The Cross-Entropy Method: A Unified Ap-
    proach to Combinatorial Optimization, Monte Carlo Simulation and Machine
    Learning. Springer-Verlag, New York, 2004.
16. D. P. Kroese, T. Taimre, and Z. I. Botev. Handbook of Monte Carlo Methods.
    Wiley Series in Probability and Statistics. John Wiley and Sons, New York, 2011.
17. S. Martello, P. Toth, Knapsack Problems: Algorithms and Computer Implementa-
    tions, John Wiley and Sons, 1990