674 5 Safety and Risk i n Engineering Design Table 5.22 FMSE for process criticality using residual life Component Failure description Failure mode Failure consequences (1) (2) (3) (4) (5) Criticality rating Cost criticality rating Maintenance frequency Control valve Fails t o open TLF Production 75% 6 4.50 0.083 0.37 Low criticality Medium cost 6 monthly Control valve Fails t o open TLF Production 75% 6 4.50 0.167 0.75 Low criticality Medium cost 6 monthly Control valve Fails to seal/close TLF Production 100% 6 6.00 0.167 3.0 Medium criticality Medium cost 6 monthly Control valve Fails to seal/close TLF Production 100% 6 6.00 0.5 1.5 HIGH criticality Medium cost 6 monthly Instrument loop (press. 1) Fails to provide accurate pressure indication TLF Maint. 100% 2 2.00 0 .67 1.34 Medium criticality Low cost 6 monthly Instrument loop (press. 2) Fails to detect low pressure condition TLF Maint. 100% 2 2.00 0 .67 1.34 Medium criticality Low cost 6 monthly Instrument loop (press. 2) Fails to detect low pressure condition TLF Maint. 100% 2 2.00 0 .5 1.0 Medium criticality Low cost 6 monthly Instrument loop (press. 2) Fails to provide output signal for alarm TLF Maint. 100% 2 2.00 0 .5 1.0 Medium criticality Low cost 6 monthly 5.2 Theoretical Overview of Safety and Risk in Engineering Design 675 Condition (likelihood of failure) True False Positive True positive False positive (type I error, P-value) Positive predicted value Negative False negative (type II error) Tr ue negative Negative predicted value Sensitivity Specificity determined. Using decision trees and influence diagrams details all the possible op- tions for a decision model. Decision trees provide a more formal structure in which decisions and chance events are linked from left to right in the order they would occur. Probabilities of the likelihood of failure events are added to each node in the tree. A decision analysis generates a risk profile. The risk profile compares the sensitivity of different decision options. Such sensitivity analysis is best conducted with the aid of sp ecialised ap plication software such as @RISK c  ,inwhichthe outcome is expressed as a probability distribution, as illustrated in the insert below (Fig. 5.44). Fig. 5.44 Probability distribution definition with @RISK (Palisade Corp., Newfield, NY) 676 5 Safety and Risk in Engineering Design 5.3 Analytic Development of Safety and Risk in Engineering Design A significant factor in considering analytic development of safety and risk in engi- neering design is the extent to which probabilistic analysis and deterministic analy- sis can complement each other in safety and risk prediction, assessment and evalu- ation of engineered installations at each respective phase of the engineering design process. This requires an understanding of the advantages o f each specific approach taken in the analysis of safety, and the basic concepts of potential risk and residual risk (de Gelder 1997). Concepts of risk The prediction, assessment and evaluation of risk in the con- ceptual, preliminary/schematic or detail design stages respectively of engineered installations have to distinguish between: • potential risk, which can lead to accidents or incidents if no protection measures are considered or taken, • residual risk, which remains after having considered all measures taken to pre- vent accidents or incidents, and to mitig ate their consequences. The main contributions to residual risk stem from events that are not considered in the design, such as vessel rupture; an accident/incident progression worse than the assumptions considered in the design basis, such as multiple failures, common mode failures (resulting in complete failure of a safety system) and operator errors; cumulative occurrence of initiating events that are considered in the design but not accounted for, since cumulative occurrence is not considered to be a design basis event. As considered previously, the assessment of risk requires two measures—speci- fically, the frequency of occurrence of potential accidents, and the severity of their consequences. During the analysis of safety, both these measures are considered with the objective that accidents with the most significant consequences should have the lowest frequencies of occurrence. The main objective of safety analysis is to verify that measures taken at the design stage, as well as during construction and operatio n of the engineer ed installation are adequate in achieving the prescribed safety requirements. The probabilistic safety analysis approach The probab ilistic approach enables the prediction or assessment of the major contributors to potential risk, and evalu- ation of the most significant contributors for further reduction of residual risk. The major steps in a probabilistic safety analysis are as f ollows: • Identification of the initiating events and the plant o perational states to be con- sidered. • Analysis of the possible accident scenarios, by means of event trees. • Reliability analysis, by means of fault trees, of the systems considered in the event trees. 5.3 Analytic Development of Safety and Risk in Engineering Design 677 • Collection of probabilistic data (failure probability or unavailability for test and maintenance, initiating event frequencies). • Use of analytic techniques such as sneak analysis, genetic algorithms and neural nets. • Event sequence quantification, resulting in a frequency for each event. • Interpretation of results (including sensitivity and importance analyses). The deterministic safety a nalysis approach This approach has constituted a basis for the design of most high-risk engineeredinstallations. The deterministicapproach is based on regulations and guides established b y the appropriate regulatory author- ity. The major steps in a deterministic safety analysis are the following: • Identification and categorisation of events considered in the design basis: At the beginningof the d esignstage, a list of initiating events to be covered in the design is established and constitutes the so-called design basis events.Theseare then grouped into categories, based on their estimated frequency of occurrence. This categorisation of the initiating events is basically into classes, d epending on the significance of the overall risk posed by the engineered installation. For example, the categorisation of initiating events into classes was established by the US Nuclear Regulatory Commission for high-risk engineered installations such as nuclear power plants (NUREG 75/014 1975; NUREG/CF-1401 1980). The following categorisation is of initiating events into classes: – Class 1: normal operation, – Class 2: incidents of moderate frequency, – Class 3: incidents/accidents of low frequency, – Class 4: hypothetical accidents. • Analysis of enveloping scenarios: For each category, a number of enveloping scenarios are identified in such a way that their analysis covers all events to be considered in that category. Each en- veloping scenario is then analysed by using conservative assumptions in the ini- tial conditions of plant, such as: – power, flows, pressures, temperatures, – most unfavourable moment in the process cycle, – instrumentation uncertainties, – hypotheses concerning the accident/incident progression. • Evaluation of consequences: The potential consequences of these enveloping scenarios are analysed using conservative assumptions, such as: – the initial activity of a primary circuit is supposed to be equal to the maximum activity allowed by the technical specifications, – unfavourable climatic conditions. 678 5 Safety and Risk in Engineering Design • Verification with respect to acceptance criteria: The results of the analysis of the enveloping scenarios are finally compared with predefined acceptance criteria. These acceptance criteria can be expressed in re- lation to parameters of the engineered installation, and to the protection of people and the environment.When all analyses show that acceptancecriteria are met, the proposed design is accepted in the deterministic safety approach. Below, various methodologies for the analytic development of safety and risk in the design of engineered installations are considered, incorporating probabilistic anal- ysis in the respective prediction, assessment and evaluation of safety and risk prob- lems at each phase of the engineering design process. VariousAI analytictechniques presented, such as evolutionaryalgorithms, genetic algorithms and neural networks, are basically stochastic search and optimisation heuristics derived from classic evo- lution theory and implemented in intelligent computer automated methodology in the prediction, assessment and evaluation of engineering design safety and risk. 5.3.1 Analytic Development of Safety and Risk Prediction in Conceptual Design In this section, the development of a design space is considered in which methods of design preferences and scenarios are integrated with analytic techniques such as evolutionary algorithms, genetic algorithms and/or artificial neural networks to perfor m m ulti-objective optimisation in designing for safety. In Sect. 5.4, c omputer automated methodology is presented in which optimisation algorithms have been developed for knowledge-based expert systems within a blackboard model that is applied in determining the integrity of engineering design. Certain approaches are therefore adopted for the prediction of risk in the conceptual design stage, specifi- cally in: i. Establishingan analytic basis for developing an intelligent computer automated system; ii. Evolutionary computing and evolutionary design. 5.3.1.1 Establishing an Analytic Basis for Developing an Intelligent Computer Automated System The goal is to establish an an alytic basis fo r developing an intelligent computer automated system that will be able to work together with the designer during the different phases o f the engineering design process—especially during the concep- tual design phase when interaction and designer knowledge are sometimes more important than accuracy. 5.3 Analytic Development of Safety and Risk in Engineering Design 679 a) A Computer Automated Design Space The core of a computer/human design space consists of four parts: • The designer/design team. • Fuzzy preference handling (for objective importance specification). • Dynamic constraints handling (scenarios, etc.). • Analytic module for multi-objective optimisation. Furthermore, such a design space must be suited to applied concurrent engineer- ing design in an integrated collaborative design environment in which automated continual d esign reviews may be conducted throughout the engineering design pro- cess by remotely located design groups. Therefore, interaction with the designer (or design team) is very important. The goal is to provide the designer with a multi- ple criteria decision aid for multiple criteria decision-making during the conceptual phase of the engineering design process. The methodology is generic and could be easily integrated with other conceptual design problems. Such a computer/human design space is illustrated in Fig. 5.45. b) Preferences and Fuzzy Rules The problem of qualitative versus quantitativecharacterisation of the relative impo r- tance of objectives in a multi-objective optimisation framework is usually encoun- tered during the conceptual design phase. At this initial stage of the engineering design process, it is much easier for the designer to give qualitative definition to the objectives (i.e. ‘objective A is much more important than objective B’) than to set a weighted value of objective A to, say, 0.1 or to 0.09. The method of fuzzy prefer- ences and induced preference order is used for information transformation in which predicates are introduced (Fodor et al. 1994). Table 5.23 shows the relation and intended meaning of some predicates. These predicates, together with the complementary relations of > and , can help build the relationship matrix R necessary for ‘words to numbers’ transfor- mation, and the induced order for the relation R. Integrated preferences in multi- objective optimisation techniques basically include two methods: one that uses Fig. 5.45 Schema of a con- ceptual design space Designer (engineer) Optimisation module Fuzzy rules module Constraint module 680 5 Safety and Risk in Engineering Design Table 5.23 Fuzzy and induced preference predicates Relation Intended meaning ≈ Is equally important < Is less important  Is much less important # Do not know ¬ Is not important ! Is important weighted sums, and one that uses a modified Pareto method that computes the ob- jective weights. c) Dynamic Constraints and Scenarios The other second tier module from Fig. 5.45 handles dynamic constraints and sce- narios. Each scenario is a set of additional constraints or objectives that the designer can change, add and/or delete interactively.More formally,a scenario is represented as conjunctions of relations (constraints) in a fairly precise mathematical/modelling language. Each scenario is a function of variables, objectivesand possible additional parameters. In an optimisation framework, these scenarios could return a value as a percentage of the relations satisfied for given input values. The concept behind the scenarios is that the designer can specify conditions that are not part of the mathe- matical model (such as ‘set y5 ∈ [0, 4] or, if not possible, then set y1 + y3 > 100’). This allows the designer to focus on certain regions of the design space. An ad- ditional advantage is that scenarios are dynamic and are interpreted ad hoc without any change to the program or model, and can be added, modified or deleted ‘online’. Integrating scenarios in the design space provides the ability to assign a different level of importance to each scenario, and to calculate the value of a set of scenarios in different ways: • Using weights or preferences for specifying scenario importan ce. • Calculating multiple scenario values. • Considering only one scenario at a time. The third approach is adopted in the automated methodology presented in Sect. 5.4, as it enables the use of various imbedded software programs (analytic methods) that can analyse the various scenarios and signal any possibility or impossibility of satisfying the design constraints. In the application of optimisation algorithms in artificial intelligence-based (AIB) modelling within a blackboard model, such as presented in Sect. 5.4, there is no need for specifying, quantitatively or qualitatively, the importance (as in the first method) or order (as in the second method) of the various scenarios. 5.3 Analytic Development of Safety and Risk in Engineering Design 681 d) The Optimisation Module Optimisation in the early phases of engineering design represents a rather insignifi- cant part of the overall design problem. The fuzzy nature of initial design c oncepts, and efficient exploration across the many different variants that the designer needs to assess are of greater interest. The methods of design preferences and scenarios are integrated with analytic techniques such as evolutionary algorithms, genetic al- gorithms and/or artificial neural networks to perform multi-objective optimisation in designing for safety. Evolutionary computing (including evolutionary algorithms, genetic algorithms, and related models such as artificial neural networks) is based on a continuous and probabilistic representation of algorithmic optimisation (e.g. weight matrices) that would likely be able to provide the best scenario for design optimisation, in the sense that it achieves a better design with respect to performance, depending on the design problem (Cvetkovic et al. 1998). 5.3.1.2 Evolutionary Computing and Evolutionary Design Design optimisation is a fairly common computational approach that attempts to utilise design req uirements as an integral part of the design space. Design optimisa- tion views requirements as a fixed set of criteria, and creates an evaluation function (referred to as the fitness fu nction in artificial intelligence literature) against which the design solutions are weighed. However, design is seldom a static activity in time, especially during conceptual design. Requirements as well as design solutions change as the search for the best design progresses. This places a significant demand on the development of a suitable computational environment for interdisciplinary design collaboration in which various techniques for design concept generation as well as the evolution of design requirements and solutions are established, prompt- ing a need for evolutionary techniques for design optimisation (Tang 1997). The in tegra tion of evolutionary co mputing with artificial intelligence-based (AIB) design methodology allows for the development and integration of the ba- sic building blocks of d esign (or examples of past or existing designs) that are rep- resented in a design knowledge base. Several general-purpose design knowledge sources (or support systems) are similarly developed to support the design knowl- edge base. The design knowledge sources (or support systems) are developed to support the following design activities (Tang 1997): • synthesis of conceptual design solutions from building blocks of design models and design requirements, using inductive learning, • transferring conceptual design solutions into detailed design models containing spatial, geometric and structural knowledge, • manipulationand partition of detailed design modelsinto smaller design p roblem spaces containing suitably constrained design variables and constraints, • searching for solutions in the partitioned design problem spaces using evolution- ary computing techniques, 682 5 Safety and Risk in Engineering Design Fig. 5.46 Selecting design objects in the design knowledge base • exploration of alternative design solutions when considering different design is- sues, • documentation and explanation of design results. The design knowledge base and design knowledge sources form the core of an in- tegrated design support system. An artificial intelligence-based blackboard system is used to control the design knowledge sources and integrate the knowledge-based design applications. The design knowledge base contains design objects, constraints in terms of intended function and interfaces, as well as detailed informationin terms of materials and geometry, etc. The design knowledge base is developed by a knowledge engineer or by the var- ious design teams. The design objects in the design knowledge base can be selected and synthesised to generate conceptual design solutions, as graphically indicated in Figs. 5.46 and 5.47. At an abstract level, a conceptual design solution identifies the basic components and their topological arrangement to the satisfaction of initial design requirements.At the early stages of the design process, many alternative con- ceptual design solutions must be analysed, evaluated and selected before confirming a design concept that can progressively evolve in detail for further investigation. Once a conceptual design solution is selected, it is transformed into a schematic design model using the knowledge stored in advance in the design knowledge base. A schematic design model contains design variables and constraints describing the 5.3 Analytic Development of Safety and Risk in Engineering Design 683 Fig. 5.47 Conceptual design solution of the layout of a gas cleaning plant Fig. 5.48 Schematic design model of the layout of a gas cleaning plant . Development of Safety and Risk in Engineering Design A significant factor in considering analytic development of safety and risk in engi- neering design is the extent to which probabilistic analysis and. assessment and evaluation of engineering design safety and risk. 5.3.1 Analytic Development of Safety and Risk Prediction in Conceptual Design In this section, the development of a design space. manipulationand partition of detailed design modelsinto smaller design p roblem spaces containing suitably constrained design variables and constraints, • searching for solutions in the partitioned design