Handbook of Reliability, Availability, Maintainability and Safety in Engineering Design - Part 63 pdf


5 Safety and Risk in Engineering Design (p. 604)

an over-engineered solution to be less reliable than the original design because of inadequate testing and maintenance. Furthermore, it is always advisable to take into account the level of training and experience of the personnel who will be operating the plant. Actions that call for elaborate and sophisticated protective systems are often wasted, as well as being inherently hazardous, if operators do not understand how they function.

c) Hazard and Operability Modelling

A crucial step in support of a HazOp analysis is to find a suitable discrete event system (DES) representation for the physical system behaviour, which is generally described by continuous dynamics. However, systems modelling approaches have to be adapted to the information that is available at certain points in the design stage. To create a model that is appropriate for PHI, a method must be developed that qualitatively maps the dynamics into state transition systems. This type of model is ideal for HazOp but is often not sufficient for controller verification, especially if thresholds or timeouts have to be considered. Thus, the initial model, derived in the early design phases, must be refined by adding quantitative information so that a timed discrete event system is obtained for controller verification in the detail engineering design phase.

As a basis for a concept to check the safety of a process system in different design stages, the physical system's behaviour is mapped into state transition systems given as a 6-tuple

$$TS = (S, S_0, I, O, \varphi, \theta) \qquad (5.25)$$

where:

TS = state transition system
S = finite set of states
S_0 = set of initial states, where S_0 ⊆ S
I = finite input
O = finite output.

Furthermore:

$\varphi : S \cdot I \to 2^S$ denotes the state transition function
$\theta : S \cdot I \to O$ denotes the state output function.
Application of the model (in computerised form) in a HazOp study relates system behaviour, mapped into state transition systems, to the HazOp guidewords ‘none’, ‘more of’, ‘less of’, ‘reverse’, ‘part of’, ‘more than’, ‘other than’, etc. This type of DES is appropriate to represent the system’s behaviour qualitatively. However, to introduce quantitative information into the TS, time-dependent transitions must be added, which is considered later.

d) Qualitative Modelling for Hazard Identification

In a typical model-based PHI, as established in the process industries, a team of experts systematically examines a system’s related process flow diagram (PFD) and the currently available piping and instrumentation diagram (PID). To analyse failures and all conceivable deviations from the desired operation, the HazOp guidewords ‘none’, ‘more of’, ‘less of’, ‘reverse’, ‘part of’, ‘more than’, ‘other than’, etc. are used to qualitatively describe the dynamic behaviour of the system. If an inadequacy or a potential hazard is identified, appropriate countermeasures have to be added. Current topics of research to formalise this procedure are based on fuzzy modelling (Wang et al. 1995) or expert systems (Vaidhyanathan et al. 1996).

In the conceptual engineering phase, further information about the detail of the process, such as secondary reactions, equipment operations, and final mass and energy balances, is still vague. All data are eventually summarised in the PID and supplemented by additional information about the purposes of controllers and safety devices, but no exact specifications and detailed numeric data about the physical functions are yet available. Thus, the interaction between the system’s physical behaviour and the controller actions can be modelled only qualitatively (to the degree of abstraction used in a HazOp study based on the guidewords).
However, even a qualitative model must have features to express causality and the temporal order of actions. The procedure of creating a model according to Eq. (5.25) is carried out in the following four steps:

1. For each system unit of a plant (reactor, pressure vessel, etc.) or item of equipment of a system (tank, pump, etc.), depending on the level of resolution of the process at the particular design phase, the set V of process variables v ∈ V describing physical behaviour is identified. This set typically comprises process quantities such as temperature, pressure, level, input flow and output flow.

2. A set Q_j of qualitative states is introduced for each process variable v_j, e.g. the states ‘critically low’, ‘low’, ‘normal’, ‘high’ and ‘critically high’ for a process variable ‘pressure’. The set of states in Eq. (5.25) follows from $S = Q_1, Q_2, \ldots, Q_j$. Usually, the set of initial states S_0 corresponds to the system’s normal operation mode.

3. The third step, a crucial one, is to define the interactions of the process variables, which are given as transitions between states in S depending on triggering signals. Thus, for each pair of states $\sigma_1, \sigma_2 \in S$, the analyst decides whether a physical effect $i_k \in I$ exists that can cause a transition between the states:

$$\varphi^{1}_{k2} : (\sigma_1, i_k) \to \sigma_2, \qquad \varphi^{2}_{k1} : (\sigma_2, i_k) \to \sigma_1 \qquad (5.26)$$

In this case, the enabling/enforcing effect is included in TS.

4. The modeller has to examine whether the triggering input signal i_k has any further effect on the process behaviour. If there is an effect, then an output signal $O_1 \in O$ that specifies this behaviour is introduced as

$$\varphi^{1}_{k1} : (\sigma_1, i_k) \to O_1 \qquad (5.27)$$

An important aspect of creating the DES is that, in accordance with the HazOp study, even unlikely triggering events and their consequences must be modelled.
A discrete model derived like this is not only suitable for PHI but can also be used as a basis for later model refinement in the detail design phase. Relying upon a safe system function defined in the early engineering design phases, one task of the later detail design phase is to design supervisory controllers that ensure the exclusion of dangerous operating modes. To solve this task, model-based verification is used, which includes the following:

• A DES model of the system, including all possible physical behaviours, is generated.
• The controller specifications are transformed into a DES representation, and the combination of both yields a discrete model of the controlled system.
• The avoidance of dangerous states is verified or falsified by reachability analysis.

e) Quantitative Representation of Uncontrolled Processes

An analysis aiming to check whether a supervisory controller always ensures safe system operation must answer the following questions:

• If a system’s state moves in the direction of a critical situation, does the controller always react with an appropriate countermeasure to avoid this situation?
• Has the threshold of a process variable (or a threshold of time) at which a countermeasure is applied been chosen correctly, to avoid the critical state?

In principle, a transition system obtained from qualitative modelling, such as Eq. (5.25), is sufficient to answer the first question. However, an examination of controller thresholds requires a model that also comprises numerical data for thresholds, and information about the duration for which a discrete state is active. In this case, the DES of Eq. (5.25) is extended to a timed transition system given as a 7-tuple

$$TTS = (S, S_0, I, O, \varphi, \theta, \tau) \qquad (5.28)$$

where:

TTS = timed transition system
S = finite set of states
S_0 = set of initial states, where S_0 ⊆ S
I = finite input
O = finite output
τ = finite set of clocks.
Furthermore:

$\varphi : S \cdot I \cdot \psi(\tau) \to 2^S$ denotes the state-time transition function
$\theta : S \cdot I \cdot \psi(\tau) \to O$ denotes the state-time output function.

In contrast to the TS of Eq. (5.25), the TTS contains a finite set of clocks τ, and the state transition function $\varphi : S \cdot I \cdot \psi(\tau)$ depends on logical propositions ψ(τ) over the clock variables.

f) Checking Safety by Reachability Analysis

Based on the discrete models generated as described in Eqs. (5.25) and (5.28), a comprehensive investigation of the system’s safety is possible. The concept of reachability analysis (RA) is appropriate for checking safety in different design phases, since it is applicable to models of both degrees of abstraction (i.e. qualitative, Eq. 5.25, and quantitative, Eq. 5.28). If SC denotes the set of critical states, a complete search over all possible runs of the DES shows whether a path from an initial state s ∈ S_0 to a critical state contained in SC exists; in this case, a hazard is identified and, respectively, the correspondence between controller implementation and specification is falsified. Obviously, the analysis of the refined model of Eq. (5.28) is more costly because the time constraints ψ(τ) have to be considered in determining the transitions. Thus, to minimise the computational effort, model refinement should be limited to what is necessary.

For preliminary hazards identification (PHI), alternative strategies can be considered. Following the HazOp study method, design failures can be identified by forward simulation of the state transition model of Eq. (5.25). In fact, such a simulation imitates the application of guidewords, since a possible deviation from normal operation can be assumed by generating the corresponding input signal, and the propagation of its effect is investigated as a sequence of transitions in the model.
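As an added worked example (not code from the handbook), the following Python script builds the qualitative transition system of Eq. (5.25) for a constructed single pressure vessel with a relief valve, following the four modelling steps above, and then runs the reachability analysis of this subsection: a breadth-first search over all runs from S_0 that either returns the shortest guideword sequence leading into the critical set SC, or reports that no critical state is reachable. The process variable, its qualitative states, the deviations used as inputs and the valve behaviour are all assumptions made for illustration; the script also includes the forward simulation of a guideword sequence described above.

```python
"""Qualitative HazOp transition system TS = (S, S0, I, O, phi, theta) and
reachability analysis. Added example; the vessel, its states and inputs are
constructed for illustration and are not taken from the handbook."""
from collections import deque

# Step 1: one process variable, 'pressure', for a single vessel (assumed).
# Step 2: its qualitative states Q_pressure, plus the state of the relief valve.
PRESSURE = ["critically low", "low", "normal", "high", "critically high"]
VALVE = ["ok", "failed"]
# Inputs I: HazOp-style deviations applied to the vessel (assumed set).
INPUTS = ["more of: inflow", "less of: inflow", "none: relief valve"]

S = {(p, v) for p in PRESSURE for v in VALVE}        # finite set of states
S0 = {("normal", "ok")}                               # normal operation mode
SC = {s for s in S if s[0] in ("critically low", "critically high")}  # critical set


def _shift(p, delta):
    """Move one qualitative pressure step up (+1) or down (-1), saturating at the ends."""
    i = min(max(PRESSURE.index(p) + delta, 0), len(PRESSURE) - 1)
    return PRESSURE[i]


def build_ts():
    """Steps 3 and 4: phi : S x I -> 2^S as a dict of successor sets, and
    theta : S x I -> O for the inputs that produce an output signal."""
    phi, theta = {}, {}
    for (p, v) in S:
        phi[(p, v), "less of: inflow"] = {(_shift(p, -1), v)}
        # 'none' applied to the relief valve: the valve fails (pressure itself unchanged)
        phi[(p, v), "none: relief valve"] = {(p, "failed")}
        if v == "ok" and p == "high":
            # countermeasure: a working valve vents the vessel back to 'normal'
            phi[(p, v), "more of: inflow"] = {("normal", v)}
            theta[(p, v), "more of: inflow"] = "relief valve opens"  # output signal O_1
        else:
            phi[(p, v), "more of: inflow"] = {(_shift(p, +1), v)}
    return phi, theta


def reachable_path(phi, initial, critical, inputs):
    """Reachability analysis: breadth-first search over all runs of the DES.
    Returns (input sequence, critical state) for the shortest run from `initial`
    into `critical`, or None if no critical state is reachable."""
    queue = deque((s, []) for s in sorted(initial))
    seen = set(initial)
    while queue:
        state, path = queue.popleft()
        if state in critical:
            return path, state
        for i in inputs:
            for nxt in sorted(phi.get((state, i), ())):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [i]))
    return None


def simulate(phi, state, inputs):
    """Forward simulation of a guideword sequence; the first (sorted) successor is
    taken at each non-deterministic choice. Returns the visited states."""
    trace = [state]
    for i in inputs:
        state = sorted(phi[(state, i)])[0]
        trace.append(state)
    return trace


if __name__ == "__main__":
    phi, theta = build_ts()
    high = {s for s in SC if s[0] == "critically high"}
    print("hazard (all deviations):", reachable_path(phi, S0, high, INPUTS))
    print("valve never fails:", reachable_path(phi, S0, high, INPUTS[:2]))
    print("simulation:", simulate(phi, ("normal", "ok"), ["more of: inflow"] * 3))
```

With the full deviation set the search finds the three-step run in which the relief valve fails (‘none’) before two ‘more of’ inflow deviations, and names the critical state reached; restricting the inputs to the two flow deviations shows that ‘critically high’ is then unreachable, which is exactly the verified-versus-falsified outcome the text describes. ‘Critically low’ remains reachable in both cases, because the constructed model has no countermeasure for falling pressure.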
However, such a hazard identification approach relies on the user’s intuition in choosing the right starting scenario, as well as on one of several non-deterministic choices during the simulation. The application of hazard and operability modelling during the conceptual design phase, including preliminary hazards identification (PHI) and reachability analysis (RA) in a specific industrial process engineering example, is considered in detail in Sect. 5.3.1.

5.2.3 Theoretical Overview of Safety and Risk Assessment in Preliminary Design

Safety and risk assessment attempts to estimate the expected safety risk and criticality for each individual system or assembly at the upper systems levels of the systems breakdown structure (SBS). Safety and risk assessment ranges from estimations of the safety risk of relatively simple systems with series and parallel assemblies to estimations of the safety risks of multi-state systems with random failure occurrences. Safety and risk assessment is considered in the schematic or preliminary design phase of the engineering design process, and includes basic concepts of modelling such as:

i. Markov point processes in designing for safety.
ii. Fault-tree analysis for safety systems design.
iii. Common cause failures in root cause analysis.

5.2.3.1 Markov Point Processes in Designing for Safety

A point process is intended to model a probabilistic situation that places points on a time axis. For safety analysis, these points are termed accident or incident events. To express these points mathematically in an event space Ω, the following notation is used: if A is a set of events in Ω, then N_A is the number of events in the set A, while if t is a positive real number, then N(t) is the number of events on (0, t]. Thus, for example, if

$$N(t) = N(0, t]$$

then

$$N(a, b] = N(b) - N(a)$$

and

$$N\{a\} = \text{the number of events at the point } a. \qquad (5.29)$$

A point process has no simultaneous events (i.e.
more than one accident and/or incident cannot occur simultaneously on the same equipment at the same time) if each step of N(t) is of unit magnitude (where t is measured in units of time such as seconds, minutes, hours, days, etc.), with complete certainty (i.e. probability = 1) (Thompson 1988).

a) Point Process Parameters

In developing parameters of a point process, let M(t) be the expected value or mean of N(t). Thus

$$M(t) = \bar{E}\,N(t) \qquad (5.30)$$

where:

M(t) = a non-decreasing continuous function
$\bar{E}$ = expected value.

Taking derivatives,

$$\mu(t) = \frac{\mathrm{d}}{\mathrm{d}t}[M(t)] = M'(t) \qquad (5.31)$$

where:

μ(t) = instantaneous rate of change of the expected value of the number of events with respect to time t.

The instantaneous rate of change, μ(t), is termed the event or incident rate of the process. Thus, in modelling a system or its equipment for reliability and/or safety with respect to hazards (or events in a point process) during the schematic or preliminary design phase, the incident rate of the process is, in effect, the failure rate of the system. However, it must be expressly noted that this concept of incident rate differs from the failure rate of the age distribution of equipment. Obviously, equipment ages with use over a period of time, and becomes more prone to failure (i.e. the wear-out failure characteristic of the failure hazard curve of Fig. 3.19). This is the hazard rate function, r(t), considered in Sect. 3.2.3 (refer to Eqs. 3.29 to 3.33), and expressed as

$$r(t) = \lim_{\Delta t \to 0} \frac{P(t \le Z < t + \Delta t)}{\Delta t} \qquad (5.32)$$

$$= \lim_{\Delta t \to 0} \frac{F(t)}{1 - F(t)} \qquad (5.33)$$

where

$$F(t) = \int_{x=t}^{t+\Delta t} f(x)\,\mathrm{d}x \qquad (5.34)$$

The rates r(t) and μ(t) are quite different, in that the pattern of r(t) follows the wear-out shape of the failure hazard curve (bathtub or U-shaped curve), whereas the pattern of μ(t) is linear and follows the random failure or useful life shape of the failure hazard curve.
Another function of point processes, in addition to the incident rate μ(t), is the intensity function. If there are no simultaneous events, then the incident rate equals the intensity (Thompson 1988, citing Leadbetter 1970). The intensity of point process events (accidents or incidents) can be expressed as

$$h(t) = \lim_{\Delta t \to 0} \frac{P\big(N(t + \Delta t) \ge 1\big)}{\Delta t} \qquad (5.35)$$

where:

h(t) = probability of one more event in the interval t + Δt.

b) Markov Chains and Critical Risk

Critical risk theory hypothesises that, out of k risks, at least one will be critical with respect to the severity of its consequences. The theory is based on predicting a change in these consequences as a result of removing or adding a risk (Thompson 1988). For example, it attempts to predict a change in the useful life expectancy of a cooling water tank if an anti-corrosion agent were added to the tank’s contents; or to predict the probability of an increase in random occurrence events (failures) in electric pump motors due to pump seal deterioration as a result of the addition of an anti-corrosion agent to the cooling water circuit.

Critical risk theory assimilates a stochastic process where the transition probabilities from an earlier to a later state depend only on the earlier state and the times involved. This is typical of Markov chains. Thus, critical risk implies that initially a system or an item of equipment is in an operable state 0 and, after a time period T, the system or equipment undergoes a state change or transition from being operable to being inoperable (i.e. failed) as a result of some consequence due to critical risk C. For a critical risk C, where C = 1, 2, 3, …, k, the time and cause of failure are subject to chance. Only transitions from state 0 to one of the different states 0, 1, 2, 3, …, k are possible, in which the states 1, 2, 3, …, k are considered to be absorbing (once in the system, they are never removed).
Let $P_{ij}(\tau, t)$ be the probability of transition from state i at time τ to state j at time t. Assume that the intensity functions $h_i(t)$ exist and satisfy the following expressions:

$$P_{00}(t, t + \Delta t) = 1 - \sum_{i=1}^{k} h_i(t)\,\Delta t + o(\Delta t) \qquad (5.36)$$

$$P_{0i}(t, t + \Delta t) = h_i(t)\,\Delta t + o(\Delta t), \qquad i = 1, 2, 3, \ldots, k \qquad (5.37)$$

This yields the Kolmogorov differential equations (Oksendal 1985):

$$\frac{\mathrm{d}}{\mathrm{d}t} P_{00}(0, t) = -P_{00}(0, t) \cdot h(t) \qquad (5.38)$$

$$h(t) = \sum_{i=1}^{k} h_i(t) \qquad (5.39)$$

$$\frac{\mathrm{d}}{\mathrm{d}t} P_{0i}(0, t) = P_{0i}(0, t) \cdot h(t), \qquad i = 1, 2, 3, \ldots, k \qquad (5.40)$$

c) Review of Kolmogorov Differential Equations

It is useful at this point to review the Chapman–Kolmogorov equation, which states that

$$P_{ij}(s + t) = \sum_{k} P_{ik}(s) \cdot P_{kj}(t) \qquad (5.41)$$

or, in matrix terms,

$$P(s + t) = P(s) \cdot P(t) \qquad (5.42)$$

Note that P(0) = I, the identity matrix. For integer t, it follows that $P(t) = P(1)^t$, but in general t need not be an integer. Setting t = ds in the Chapman–Kolmogorov equation gives

$$P(s + \mathrm{d}s) = P(s) \cdot P(\mathrm{d}s)$$

$$P(s + \mathrm{d}s) - P(s) = P(s) \cdot [P(\mathrm{d}s) - I]$$

$$P'(s) = P(s)\,Q \qquad (5.43)$$

where Q = P'(0) is the matrix called the Q-matrix or the generator matrix of the chain. This is termed the Kolmogorov forward equation, which is one part of the Kolmogorov differential equations. The Kolmogorov forward equation can be derived as follows:

$$P[X(s + \mathrm{d}s) = j] = \sum_{k} P[X(s + \mathrm{d}s) = j \mid X(s) = k]\,P[X(s) = k]$$

$$= \sum_{k \neq i} P[X(s) = k] \cdot q_{ki}\,\mathrm{d}s + \Big(1 - \sum_{k \neq i} q_{ki}\Big) P[X(s) = j]$$

If $q_{kk} = -\sum_{i} q_{ki}$, then

$$\frac{\mathrm{d}}{\mathrm{d}s} P[X(s) = k] = \sum_{k} P[X(s) = k] \cdot q_{ki}$$

The Kolmogorov backward equation (Eq. 5.44) is obtained by inserting s = dt into the previous Chapman–Kolmogorov equation:

$$P'(t) = Q\,P(t) \qquad (5.44)$$

To appreciate the difference between the forward and backward equations, there are two different ways of evaluating the linear birth-and-death process (or, in this case, the operable and failed states). It is theoretically possible to solve the Kolmogorov equation, giving the solution

$$P(t) = e^{Qt} = \sum_{n} \frac{t^n \cdot Q^n}{n!}$$
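As an added example, not code from the handbook, the following Python script builds the generator (Q-) matrix of the linear birth-and-death process described in the next subsection for a small finite set of states, checks the zero-row-sum property, and evaluates P(t) = e^{Qt} directly from the series above for that small chain; it also returns the sojourn rate λ_x = −q_{x,x}, the expected time to the first state change 1/λ_x, and the embedded jump matrix R used there. The truncation at a top state with no further birth transition is an assumption needed to keep the chain finite, and the rates used in the demonstration are constructed.

```python
"""Q-matrix of a linear birth-and-death process and P(t) = e^{Qt} via the series
sum_n t^n Q^n / n!. Added example; rates and state count are constructed."""
import math


def q_matrix(beta, delta, n_states):
    """Generator matrix for states 0 .. n_states-1 with q[x][x-1] = x*delta and
    q[x][x+1] = x*beta. Assumption for a finite chain: the top state has no birth
    transition, and each diagonal entry is set so that the row sums to zero
    (for interior rows this equals -(beta + delta) * x as in the text)."""
    n = n_states
    q = [[0.0] * n for _ in range(n)]
    for x in range(n):
        if x > 0:
            q[x][x - 1] = x * delta
        if x < n - 1:
            q[x][x + 1] = x * beta
        q[x][x] = -sum(q[x][y] for y in range(n) if y != x)
    return q


def row_sums(q):
    """Row sums of the generator; all must be zero."""
    return [sum(row) for row in q]


def sojourn_rate(q, x):
    """lambda_x = -q_{x,x}: rate of the exponential holding time in state x."""
    return -q[x][x]


def mean_time_to_first_change(q, x):
    """Expected time to the first state change from x, 1 / lambda_x (infinite if absorbing)."""
    lam = sojourn_rate(q, x)
    return math.inf if lam == 0 else 1.0 / lam


def jump_matrix(q):
    """Transition matrix R of the embedded chain: r[x][y] = q_{xy} / lambda_x for y != x;
    an absorbing state (lambda_x = 0) stays where it is."""
    n = len(q)
    r = [[0.0] * n for _ in range(n)]
    for x in range(n):
        lam = sojourn_rate(q, x)
        if lam == 0:
            r[x][x] = 1.0
        else:
            for y in range(n):
                if y != x:
                    r[x][y] = q[x][y] / lam
    return r


def _matmul(a, b):
    n = len(a)
    return [[sum(a[i][m] * b[m][j] for m in range(n)) for j in range(n)] for i in range(n)]


def transition_matrix(q, t, terms=60):
    """P(t) = e^{Qt} evaluated as the truncated series sum_n (tQ)^n / n!.
    Adequate for a small chain with moderate |q_{x,x}| t; each term is built
    iteratively as term_n = term_{n-1} (tQ) / n to avoid large factorials."""
    n = len(q)
    p = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]   # n = 0 term: I
    term = [row[:] for row in p]
    qt = [[t * v for v in row] for row in q]
    for k in range(1, terms):
        term = [[v / k for v in row] for row in _matmul(term, qt)]
        p = [[p[i][j] + term[i][j] for j in range(n)] for i in range(n)]
    return p


if __name__ == "__main__":
    q = q_matrix(beta=0.5, delta=1.0, n_states=4)
    for row in q:
        print(["%6.2f" % v for v in row])
    print("row sums:", row_sums(q))
    print("P(0.5), row for state 1:", ["%.4f" % v for v in transition_matrix(q, 0.5)[1]])
```

For a pure death process (β = 0) the result can be checked by hand: from state 1 the chain is absorbed in state 0 with probability 1 − e^{−δt}, and from state 2 with probability (1 − e^{−δt})^2, since the two individuals die independently. The rows of P(t) sum to one, as they must for a generator whose rows sum to zero.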
However, this solution is not very useful because Q^n is difficult to evaluate; a simpler method is the use of matrices, utilising the Q-matrix, or the generator matrix of the chain.

d) The Q-Matrix

The row sums of the Q-matrix are always zero. For example, in the case of a linear birth-and-death process, the rate of transitions from x to x + 1 is the birth rate xβ and, from x to x − 1, the death rate xδ. Therefore, with all other entries in the Q-matrix being zero:

$$q_{x,x-1} = x\delta, \qquad q_{x,x+1} = x\beta, \qquad q_{x,x} = -(\beta + \delta)\,x$$

Thus, the Q-matrix is represented in tabular form as:

Table 5.11 Values of the Q-matrix

$$Q = \begin{pmatrix}
0 & 0 & 0 & 0 & \cdots \\
\delta & -(\beta+\delta) & \beta & 0 & \cdots \\
0 & 2\delta & -2(\beta+\delta) & 2\beta & \cdots \\
0 & 0 & 3\delta & -3(\beta+\delta) & 3\beta
\end{pmatrix}$$

The time until the next event, starting in x, has an exponential distribution with rate $\lambda_x = -q_{x,x}$, after which the process changes state according to the transition matrix R. For calculating state change probabilities, the expected time to change to a particular state, especially the expected time to the first state change, is $1/\lambda_x$. State change problems such as ‘find $h_x(t)$, the probability that X changes to state 0 before time t, starting from state x’ can be treated in the following manner:

$$h_x(t) = \int_{(0,t)} \lambda_x \, e^{-\lambda_x u} \Big[ q_{x0}/\lambda_x + \sum_{y \neq 0,x} q_{xy}/\lambda_x \cdot h_y(t - u) \Big] \mathrm{d}u$$

Substituting v = t − u:

$$h_x(t) = \int_{(0,t)} e^{-\lambda_x v} \Big[ q_{x0} + \sum_{y \neq 0,x} q_{xy} \cdot h_y(v) \Big] \Big/ e^{-\lambda_x u}$$

Differentiating, and setting $\lambda_x = -q_{x,x}$, the expressions obtained are easier to solve in specific cases:

$$h'(t) = Q\,h(t), \qquad h_0(t) = 1, \qquad h_x(0) = 0 \ \text{ for } x \neq 0$$

Returning to the Markov chain model, the Kolmogorov differential equations are

$$\frac{\mathrm{d}}{\mathrm{d}t} P_{00}(0, t) = -P_{00}(0, t) \cdot h(t) \qquad (5.45)$$

$$\frac{\mathrm{d}}{\mathrm{d}t} P_{0i}(0, t) = P_{00}(0, t) \cdot h(t), \qquad i = 1, 2, 3, \ldots, k$$
These may be solved to yield the following relationships:

$$P_{00}(0, t) = \exp\Big[-\int_{(0,t)} h(x)\,\mathrm{d}x\Big] \qquad (5.46)$$

$$P_{0i}(0, t) = \exp\Big[-\int_{(0,t)} h_i(x) \cdot P_{00}(0, x)\,\mathrm{d}x\Big]$$

where the survival function of the useful life expectancy is expressed as

$$P_{00}(0, t) = \bar{F}(t) \qquad (5.47)$$

The hazard rate, represented by the intensity function, is expressed as

$$h(t) = \sum_{i=1}^{k} h_i(t) \qquad (5.48)$$

The expected useful life is expressed as

$$\mu = \int_{0}^{\infty} \bar{F}(y)\,\mathrm{d}y \qquad (5.49)$$

The joint probability of the random failure occurrence (useful life expectancy), together with the hazard rate, is expressed as

$$P(Z \le z, C = i) = P_{0i}(0, z) \qquad (5.50)$$

$$P_{0i}(0, z) = \int_{0}^{z} \bar{F}(x) \cdot h_i(x)\,\mathrm{d}x$$

The probability of failure resulting from critical risk C is expressed as

$$\pi_i = P(Z \le \infty, C = i) = P_{0i}(0, \infty) \qquad (5.51)$$

$$P_{0i}(0, \infty) = \int_{0}^{\infty} \bar{F}(x) \cdot h_i(x)\,\mathrm{d}x$$
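As an added example (not from the handbook), the Python script below carries Eqs. (5.46) to (5.51) through numerically for an assumed set of competing critical risks: given the intensity functions h_i(t), it tabulates the cumulative hazard on a grid, obtains the survival function $\bar{F}(t) = P_{00}(0,t)$, the expected useful life μ and the cause-specific failure probabilities π_i by trapezoidal quadrature, and can be checked against the closed forms for constant intensities (π_i = h_i / h, μ = 1/h). The intensity functions used, and the truncation of the infinite integrals at a finite t_max, are constructed assumptions.

```python
"""Competing critical risks (Eqs. 5.46-5.51): survival function, expected life
and cause-specific failure probabilities from the intensity functions h_i(t).
Added example; the intensities used below are constructed for illustration."""
import math


def _grid(h_list, t_max, n):
    """Evaluate h(t) = sum_i h_i(t) on n+1 equally spaced points of [0, t_max],
    accumulate the cumulative hazard H(t) = integral_0^t h(x) dx by the trapezoidal
    rule, and return the points, the total hazard values and Fbar(t) = exp(-H(t))."""
    dt = t_max / n
    xs = [k * dt for k in range(n + 1)]
    hs = [sum(h(x) for h in h_list) for x in xs]
    fbar, H = [1.0], 0.0
    for k in range(1, n + 1):
        H += 0.5 * (hs[k - 1] + hs[k]) * dt
        fbar.append(math.exp(-H))
    return xs, hs, fbar


def _trapezoid(ys, dt):
    """Composite trapezoidal rule for equally spaced samples ys with spacing dt."""
    return dt * (sum(ys) - 0.5 * (ys[0] + ys[-1]))


def survival(h_list, t, n=20000):
    """P_00(0, t) = Fbar(t) = exp(-integral_0^t h(x) dx), Eqs. (5.46)-(5.47)."""
    return _grid(h_list, t, n)[2][-1]


def cause_probability(h_list, i, z, n=20000):
    """P_0i(0, z) = integral_0^z Fbar(x) h_i(x) dx, Eq. (5.50); for z large enough
    this approximates pi_i of Eq. (5.51)."""
    xs, _, fbar = _grid(h_list, z, n)
    ys = [fb * h_list[i](x) for fb, x in zip(fbar, xs)]
    return _trapezoid(ys, z / n)


def expected_life(h_list, t_max, n=20000):
    """mu = integral_0^inf Fbar(y) dy, Eq. (5.49), truncated at t_max (assumption:
    Fbar(t_max) is already negligible)."""
    _, _, fbar = _grid(h_list, t_max, n)
    return _trapezoid(fbar, t_max / n)


if __name__ == "__main__":
    # Constructed risks: risk 1 wears out (h_1 grows with time), risk 2 is random (constant).
    risks = [lambda t: 0.2 * t, lambda t: 0.3]
    print("Fbar(2)    =", survival(risks, 2.0))
    print("mu         =", expected_life(risks, 60.0))
    print("pi_1, pi_2 =", [cause_probability(risks, i, 60.0) for i in range(2)])
```

For two constant intensities the cause-specific probabilities reduce to the familiar shares h_i / h and sum to one, which is a quick sanity check that the survival weighting in Eq. (5.50) is applied correctly; with a growing wear-out intensity the share of that risk rises towards one as t_max grows, because it eventually dominates the total hazard.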

Posted: 02/07/2014, 10:20
